Category Archives: Potential Risk of CVE

We may be ignoring vulnerabilities that happened in the past! – Jun 2019

Preface: The virtual table is created in the same SQLite database in which the Core Data content resides. To keep this table as light as possible, only the object properties relevant to the search query are inserted.

Vulnerability details: A vulnerability in the rtreenode() function of SQLite3 could allow an unauthenticated, remote attacker to access sensitive information.

Bug fix: When opening an existing rtree, determine the node size by inspecting the root node of the r-tree structure (instead of assuming it is a function of the page size). SQLite has released a software update at the following link: https://www.sqlite.org/download.html

CVE-2019-10981 AVEVA Security Advisory LFSEC00000136 (May 2019)

Preface: In the Ukraine hack (Dec 2015), the utilities not only lost their visibility but also ceded control of their networks to remote attackers later linked to an APT group.

About AVEVA : AVEVA Group plc is a British multinational information technology company headquartered in Cambridge, United Kingdom. It provides engineering and industrial software. Schneider Electric is now the largest shareholder with a 60% ownership interest.

Vulnerability details:

In Vijeo Citect 7.30 and 7.40 and CitectSCADA 7.30 and 7.40, a malicious entity could obtain the Citect User Credentials because the Citect User Credentials in memory are stored in clear text.
Remark: If the client deploys the above solution and the workstation is not connected to the internet, the cyber security risk remains as the vendor rates it: medium. The rating should probably be adjusted if the client workstation has internet web browsing capability.

The official announcement is as follows: https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityAdvisory_LFSec136.pdf

Microsoft Windows RDP Network Level Authentication can bypass the Windows lock screen – Jun 2019

Vulnerability Note VU#576688
Original Release Date: 2019-06-04 | Last Revised: 2019-06-04

Preface: The more power you have, the greater the risk of being infected.

Synopsis: Microsoft Windows RDP Network Level Authentication can allow an attacker to bypass the lock screen on remote sessions.

My observation: Microsoft re-engineered RDP to create a channel named MS_T120 at index 31.
But the vulnerability occurs when someone sends data to the system’s MS_T120 channel and references the closed channel again.

Interim remediation steps:

  • Disable RDP if it is not needed.
  • SIEM firing rule – client requests with “MS_T120” on any channel other than 31
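The SIEM rule above, as an added example that is not part of the original post: a small Python detector run over constructed channel-request log lines (the key=value log format is assumed, not a real product's format). It flags any request naming MS_T120 on a channel index other than 31, and compares the name case-insensitively as a defensive choice.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines (assumed key=value format, not real telemetry).
SAMPLE_LOG = """\
2019-06-04T10:01:02Z src=192.0.2.10 event=channel_request name=rdpdr index=0
2019-06-04T10:01:03Z src=192.0.2.10 event=channel_request name=MS_T120 index=31
2019-06-04T10:02:17Z src=198.51.100.7 event=channel_request name=MS_T120 index=4
2019-06-04T10:02:18Z src=198.51.100.7 event=channel_request name=ms_t120 index=5
2019-06-04T10:03:00Z src=203.0.113.9 event=channel_request name=cliprdr index=2
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
EXPECTED_NAME = "MS_T120"   # channel name from the advisory
EXPECTED_INDEX = 31         # the only index MS_T120 should be bound to


@dataclass(frozen=True)
class Alert:
    src: str
    name: str
    index: int
    reason: str


def detect(log_text):
    """Return one Alert per channel request that binds MS_T120 off index 31."""
    alerts = []
    for line in log_text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("event") != "channel_request":
            continue
        name = fields.get("name", "")
        try:
            index = int(fields.get("index", ""))
        except ValueError:
            continue  # malformed record; skip rather than crash the rule
        # Case-insensitive match so a differently cased name is not missed.
        if name.upper() == EXPECTED_NAME and index != EXPECTED_INDEX:
            alerts.append(Alert(fields.get("src", "?"), name, index,
                                "MS_T120 requested on channel index other than 31"))
    return alerts


def alerts_per_source(alerts):
    """Aggregate alerts by source address, useful for SIEM thresholding."""
    return Counter(a.src for a in alerts)


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```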

Reference: https://kb.cert.org/vuls/id/576688/

CVE-2019-12439 Project Atomic Bubblewrap bubblewrap.c Arbitrary Code Execution Vulnerability – May 2019

Preface: With sandbox technology, a security DevOps team can conduct tests more easily, since the user can specify exactly which parts of the filesystem should be visible in the sandbox.

Technical background: The introduction of user namespaces in the Linux kernel has opened the door to running containers under default user logins, e.g. via ssh or the desktop. Bubblewrap is a computing sandbox technology. The goal of bubblewrap is to run an application in a sandbox where it has restricted access to parts of the operating system or user data such as the home directory. Unlike sandboxes, containers are not a time-limited solution for testing whether code is malicious.

Vulnerability details: A vulnerability in Project Atomic Bubblewrap could allow a local attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. The vulnerability is due to the insecure use of the /tmp directory by the bubblewrap.c source code file of the affected software.

Remedy: The vendor released software updates at the following link: https://github.com/projectatomic/bubblewrap/releases

CVE-2019-0188 Apache Camel XML External Entity Injection Vulnerability – May 2019

Preface: The computing market is trending toward open source development, and it is growing rapidly. Believe it or not, look at how many Apache servers are running now.

Apache Camel background: You can use MQ (message queues) to enable applications to communicate at different times and across many diverse computing environments. In the past decade these were famously proprietary vendor products, until open source alternatives appeared, notably Apache Camel. It plays a similar role; perhaps some of its functionality is still under development, but it is on the way and it is free.

Vulnerability details: A vulnerability in the camel-xmljson component of Apache Camel could allow an unauthenticated, remote attacker to conduct an XML external entity injection (XXE) attack on a targeted system. This is because the affected software uses an outdated, vulnerable JSON-lib library.

Remedy: The vendor released software updates at the following link – https://camel.apache.org/download.html

Previous vulnerabilities, today’s emergency alert – 1st June 2019

Preface: What if the victim of a cyber attack is a defensive device? What can you do?

Background: Leading players in the Global IT Asset Management (ITAM) Software Market Research Report are HP, Cherwell Software, Oracle and Dell KACE.

Vulnerability details: The Dell Kace K1000 Appliance contains multiple vulnerabilities, including a blind SQL injection vulnerability and a stored cross site scripting vulnerability.

Comment: As usual, the vendor did not provide the vulnerability details. The SQL injection vulnerability seems similar to the previous vulnerability, see below:

Failure to properly filter the “macAddress” parameter values of the getUploadPath and getKBot SOAP methods can result in the injection of arbitrary SQL code to manipulate SQL queries.

Remedy: Apply patch (SEC2018_20180410) NOTE: KACE SMA versions 9.0.270 and later include these security fixes.

CVE-2019-5018 Sqlite3 Window Function Functionality Use-After-Free Vulnerability

Preface: A use-after-free vulnerability is similar to an animal ruminating.

Background: SQLite3 is a compact, free database engine with which you can easily create and use a database. It has become very popular with smartphone developers. SQLite runs on many different computer systems such as Apple OS X, Linux, and Windows. Even Airbus is a SQLite3 user.

Vulnerability details: A vulnerability in SQLite3 could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The vulnerability is due to a use-after-free condition in the window function functionality of the affected software. Potentially, it could let the attacker execute arbitrary code and completely compromise the system.

Remedy: At the time this alert was first published, SQLite had not released a software update.

CVE-2019-10132 – libvirt virtlockd-admin.socket & virtlogd-admin.socket systemd Privilege Escalation Vulnerability (May 2019)

Preface: Business computing architecture has now moved into the virtualization world; perhaps that was hard to imagine five years ago!

Technical background: The libvirt library is used to interface with different virtualization technologies. It is accessible from C, Python, Perl, Java and more. Meanwhile, the libvirt project supports KVM, QEMU, Xen, Virtuozzo, VMware ESX, LXC and bhyve. Libvirt’s built-in API is widely used in the virtual machine monitor orchestration layer in cloud solution development.

Vulnerability details: A vulnerability in libvirt could allow an authenticated, remote attacker to escalate privileges on a targeted system. The vulnerability exists because the virtlockd-admin.socket and virtlogd-admin.socket unit files do not set the SocketMode configuration parameter in the affected software.

Workaround: Disable the virtlockd-admin.socket and virtlogd-admin.socket units in systemd. Alternatively, customize them locally to add SocketMode=0600.
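The weak configuration beside the corrected one, as an added example that is not part of the original post or of libvirt: a Python audit that parses a systemd socket unit, reports the effective SocketMode (systemd defaults to 0666 when the key is absent), and emits the drop-in override with SocketMode=0600. The unit text is a constructed approximation, not libvirt's actual file.

```python
# Constructed approximation of a socket unit that omits SocketMode
# (not libvirt's real unit file).
VULNERABLE_UNIT = """\
[Unit]
Description=Virtual machine lock manager admin socket
Before=virtlockd.service

[Socket]
ListenStream=/run/libvirt/virtlockd-admin-sock
Service=virtlockd.service

[Install]
WantedBy=sockets.target
"""

DEFAULT_SOCKET_MODE = 0o666   # systemd's default when SocketMode is unset


def parse_unit(text):
    """Minimal systemd unit parser: section name -> list of (key, value)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def effective_socket_mode(text):
    """Mode the socket file will get; the last SocketMode assignment wins."""
    modes = [v for k, v in parse_unit(text).get("Socket", []) if k == "SocketMode"]
    return int(modes[-1], 8) if modes else DEFAULT_SOCKET_MODE


def is_world_accessible(text):
    """True when 'other' users can read or write the admin socket."""
    return effective_socket_mode(text) & 0o006 != 0


def override_dropin(mode=0o600):
    """Drop-in body for /etc/systemd/system/<unit>.socket.d/override.conf."""
    return "[Socket]\nSocketMode=%04o\n" % mode


# systemd merges drop-ins after the main unit; concatenation models that.
HARDENED_UNIT = VULNERABLE_UNIT + override_dropin()
```

After writing the drop-in, `systemctl daemon-reload` and restart the socket unit so the new mode is applied.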

Remedy: libvirt has released software updates at the following link – https://github.com/libvirt/libvirt/releases

CVE-2019-0911 Microsoft Edge and Internet Explorer Scripting Engine Memory Corruption Vulnerability – May 2019

Synopsis: As time goes by, cyber criminals have formulated phishing scams through email and website visits; it seems to be a main trend. To avoid such attacks, home users install antivirus programs including malware detection, virus protection and predictive control. But what if the web browser itself contains a vulnerability? What can we do?

Vulnerability details:
A remote code execution vulnerability exists in the way that the script engine handles memory objects in Microsoft browsers. The vulnerability could corrupt memory and an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged in with administrative user rights, an attacker who successfully exploited the vulnerability could control the affected system.

Remedy: Microsoft has released detailed information at the following link: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0911

CVE-2019-11634 Citrix Workspace App before 1904 for Windows has incorrect access control – 22nd May 2019

Preface: VDI (Virtual Desktop Infrastructure) is one way to make your IT operations secure.

Product overview: Citrix Workspace Suite is a collection of Citrix products that deliver secure access to desktops, data, applications and services to subscribers on any device, and on any network.

Vulnerability details: Citrix Workspace App before 1904 for Windows has Incorrect Access Control.

Beginning August 2018, Citrix Receiver will be replaced by Citrix Workspace app. A vulnerability has been identified in Citrix Workspace app and Receiver for Windows that could result in local drive access preferences not being enforced, allowing an attacker read/write access to the client’s local drives, which could enable code execution on the client device.

Remedy: Official announcement via following link – https://support.citrix.com/article/CTX251986