Category Archives: Potential Risk of CVE

Exploitation of vulnerability transform to APT (Advanced Persistent threat) facility

Preface: On 4th Jan 2019 CERT/CC Reports Critical Vulnerabilities in Microsoft Windows, Server…

Report details:
The report recall vulnerabilities found on 13th Dec 2018 (see below):
CVE-2018-8626 Windows DNS Server Heap Overflow
Vulnerability – https://www.kb.cert.org/vuls/id/531281/

CVE-2018-8611 Windows Kernel Elevation of Privilege Vulnerability – https://www.kb.cert.org/vuls/id/289907/

But vulnerability (CVE-2018-8611) successfully bypasses modern process mitigation policies, such as Win32k System call Filtering that is used, among others, in the Microsoft Edge Sandbox and the Win32k Lockdown Policy employed in the Google Chrome Sandbox.

My observations:
Perhaps you applied the MS patch but it is hard to avoid similar evasion of technique in the moment because of the following reason.
C++ Exception Handling. An exception is a problem that arises during the execution of a program. A C++ exception is a response to an exceptional circumstance that arises while a program is running, such as an attempt to divide by zero. Exceptions provide a way to transfer control from one part of a program to another.

Suggestion: Enforce the control by SIEM or deploy MSS services.

Security Notification – Schneider EVLink Parking (Dec 2018)

Preface: Electric vehicles (EVs) have no tailpipe emissions. Replacing conventional vehicles with EVs can help improve roadside air quality and reduce greenhouse gas emissions.

Technical background: Level 2 electric car chargers deliver 10 to 60 miles of range per hour of charging. They can fully charge an electric car battery in as little as two hours, making them an ideal option for both homeowners who need fast charging and businesses who want to offer charging stations to customers.

Subject matter expert:
EVlink Parking a charging stations for shared usage or on-street developed by Schneider Electric.

Vulnerabilities found:
Schneider Electric has become aware of multiple vulnerabilities in the EVLink Parking product (see below):

  • A SQL Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could give access to the web interface with full privileges.
  • A Code Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier
  • A Hard-coded Credentials vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier

Official announcement shown below url: https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2018-354-01-EVLink.pdf&p_Doc_Ref=SEVD-2018-354-01

Behind growth of APT attack

Preface: The objective of an APT attack is usually to monitor network activity and steal data. But the APT historical records shown that there are APT attacks intend to damage the network or organization.

APT might not easy to detect:
VM handler able to relocate and move code because of ASLR (address space layout randomization) applied. Example shown below for refernce.
For example the instruction AND has opcode 0x17 when you print.
The 32-bit code to run is stored entirely into the variable section with the value at offset 5 specifying the number of bytes to be copied and executed.
However the ability of conditional opcodes, the variable part can contain the next JIT packet ID or the next relative virtual address (RVA) where code execution should continue. So it such a way increase the difficult to detect the malware behaviour.

Prevention:
In order to fight against APT activities. Try to understand their goal of action. For example, we can learn from security report. For more details, please find below URL for reference.

Kaspersky Threat predictions for 2019 – https://www.brighttalk.com/webcast/15591/340766?utm_source=kdaily&utm_medium=blog&utm_campaign=gl_Vicente-Podz_organic&utm_content=link&utm_term=gl_kdaily_organic_link_blog_Vicente-Podz

Schneider Electric Security Notification – Nov and Dec 2018

Preface: Business Insider predicts business spending on IoT solutions will hit $6 trillion by 2021.

Technical background: EcoStruxure is Schneider Electric’s IoT-enabled, plug-and-play, open, interoperable architecture and platform, in Homes, Buildings, Data Centres, Infrastructure and Industries.

Vulnerability details:
Security Notification – Embedded Web Servers for Modicon V2 : https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2018-327-01-Embedded-Web-Servers-Modicon-V2.pdf&p_Doc_Ref=SEVD-2018-327-01

Security Notification – Power Monitoring Expert, Energy Expert : https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2018-347-01+Power+Monitoring+Expert+and+Energy+Expert.pdf&p_Doc_Ref=SEVD-2018-347-01

Comment: Not only a phishing scam trigger a URL redirection vulnerability. It also causes awaken product design weakness let multiple vulnerability occurs. It is a array effect. Since modicon and PLC products contains design limitations. The total 3 layers will be compromised once attack successful implement their phishing scam.

vRealize Operations updates address a local privilege escalation vulnerability – CVE-2018-6978 (18-12-2018)

Preface: Open a command prompt and type the following commands in sequence. Download vSphere PowerCLI from the Download page of the VMware Web site and install the vSphere PowerCLI software.

Technical background:
VMware vRealize Operations will help customers derive even more value from a “Self-Driving” approach to operations management. For instance:

  • Intent-Driven Continuous Performance Optimization
  • Efficient Capacity Management
  • Intelligent Remediation

Vulnerability:
VMware vRealize Operations (vROps) could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper permissions of support scripts. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain root privileges on a vROps machine.

Remedy: https://www.vmware.com/security/advisories/VMSA-2018-0031.html

Multiple Vulnerabilities in WIBU-SYSTEMS WibuKey Network server management

Preface: Over 3,000 companies around the world to protect intellectual property and other digital content deployed WibuKey Digital Rights Management (DRM) solution.

Technical background: Keep documents safe and stay compliant, while protecting your digital assets without impacting productivity. Digital Right Management (DRM) solution is a file-based security system that prevents exposure of sensitive and confidential files by trusted insiders, business partners, customers and unauthorized people.

Vulnerabilities details: Cisco Telos security expert has discovered a vulnerability in WibuKey WIBU-SYSTEMS WibuKey.sys, which can be exploited by malicious, local users to gain escalated privileges.

Remedy solution: https://www.wibu.com/support/user/downloads-user-software.html#download-216

Microsoft Windows MsiAdvertise Product function vulnerable to privilege escalation via race condition – 20th DEC 2018

Preface: MsiAdvertiseProduct function enables the installer to write to a script the registry and shortcut information used to assign or publish a product.

Vulnerability details:
Due to improper validation, the affected function can be abused to force installer service into making a copy of any file as SYSTEM privileges and read its content, resulting in arbitrary file read vulnerability.
A race condition occurs when two or more threads can access shared data and they try to change it at the same time. Because the thread scheduling algorithm can swap between threads at any time, you don’t know the order in which the threads will attempt to access the shared data. As a result it create a chance to attacker to access the shared data. Perhaps the access control list might lost control in such circumstances.

Remedy: Vendor did not release the patch yet since this is a new exploit (Zero-day).

Comment: Suggest to observe Event ID 11707 or 1033 in your SIEM.

Remark: Windows logs has several different events when you install or uninstall software. The Installation events are Event ID of 11707 or 1033.

Wishing you a Merry Christmas and a safe cyber prosperous new year!

OpenSource user mode file system for Windows, software driver contains a stack-based buffer overflow – 20th Dec 2018

Preface: Dokan is a user mode file system for Windows. It allows anyone to safely and easily develop new file systems on Windows operating systems.

Technical details: When you want to create a new file system on Windows you need to develop a file system driver. Developing a device driver that works in the kernel mode on Windows requires highly technical skills. By using Dokan, you can create your own file systems very easily without writing device drivers. Dokan is similar to FUSE (Linux user mode file system) but works on Windows.

Vulnerability synopsis: A Dokan file driver contains a stack-based buffer overflow

Remedy: https://github.com/dokan-dev/dokany/releases

Wishing you a Merry Christmas and a safe cyber prosperous new year!

CVE-2018-8653 | Scripting Engine Memory Corruption Vulnerability

Preface: “I Saw Mommy Kissing Santa Claus” is a famous Christmas song.But perhaps that it is the hacker kissing your Internet Explorer web browser before christmas time. Above description has similarity because both two people are the famous guy in the world.

Detail description:
ChakraCore is the core part of Chakra, the high-performance JavaScript engine that powers Microsoft Edge and Windows IE applications written in HTML/CSS/JS. ChakraCore supports Just-in-time (JIT) compilation of JavaScript for x86/x64/ARM, garbage collection, and a wide range of the latest JavaScript features.

Vulnerability found on 20th Dec 2018:
Microsoft Internet Explorer contains a memory corruption vulnerability in the scripting engine JScript component, which can allow a remote attacker to execute arbitrary code on a vulnerable system.

Workaround: Restrict access to JScript.dll execute following command syntax.
cacls %windir%\system32\jscript.dll /E /P everyone:N
cacls %windir%\syswow64\jscript.dll /E /P everyone:N

Official announcement display in below url: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653