Category Archives: Potential Risk of CVE

CVE-2019-0187: Apache JMeter Missing client auth for RMI connection when distributed test is used! Mar 2019

Preface: If your company hasn’t been performing load testing, it is hard to know the web application actual performance. Deploying JMeter will display the test results in a graph updated in real time.

Synopsis: Perhaps software developers did not imagine that JMeter design weakness will be hazardous of web server. And therefore we might found Jmeter function still activate after services launch.

Vulnerability detail: Apache JMeter Missing client auth for RMI connection when distributed test is used. And therefore attacker could exploit this vulnerability by establishing a Remote Method Invocation (RMI) connection with a jmeter-server while using the RemotejMeterEngine interface.It such a way let attacker execute arbitrary code on a targeted system.

Remedy: Apache.org has released an update at the following link: https://jmeter.apache.org/download_jmeter.cgi

Cisco confirm OCI flaw only affecting small group of items in their product line – 8th Mar 2019

Preface: Container Privilege Escalation Vulnerability Affecting Cisco Products status update

Description: IT world is safe again, Cisco you are super again! There is only 3 items of Cisco product involves into the Container Privilege Escalation Vulnerability found on last month (Feb 2019). Remedy has been proceed. Further details in below:

Network Management and Provisioning:

  • Cisco Container Platform – Fixed Release Availability: 3.1.0 (Mar 2019)

Cisco Cloud Hosted Services:

  • Cisco Cloudlock – Cisco will update affected systems in Sept 2019
  • Cisco Defense Orchestrator – Cisco updated affected systems
    On-prem: 19.8 (Available)

Official details: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc

CVE-2018-11793: Apache Mesos JSON Payload Parsing DoS Vulnerability 5th Mar 2019

Preface: Apache Mesos is an open-source project to manage computer clusters. It was developed at the University of California, Berkeley.

About Payload in Web services: Typically the term payload refers to JSON-formatted text that is either posted (via an http POST) to a web service when a user creates a resource or returned from a web service (via an http GET) when a user requests a resource (or resources).

Vulnerability detail: A vulnerability in the JSON payload parser of Apache Mesos could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition an a targeted system.

Official announcement: https://lists.apache.org/thread.html/9be975c53e5ad612c7e0af39f5b88837fbfbc32108e587d3d8499844@%3Cdev.mesos.apache.org%3E

Remedy: http://mesos.apache.org/downloads/

Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. 6th Mar 2019

Preface: The urgent announcement by Cisco might scare the customer of Cisco. It is about the vulnerabilities found on Cisco FXOS and NX-OS Software. But no worries, Cisco managed it.

Technical background:
Cisco NX-OS based on Wind River Linux and is inter-operable with other Cisco operating systems. The command-line interface of NX-OS is similar to that of Cisco IOS. Recent NX-OS has both Cisco-style CLI and Bash shell available.
Cisco NX-OS Family perform authentication based on roles. Role-based authorization limits access to switch operations by assigning users to roles.

Vulnerability details: 26 of the vulnerabilities have a Security Impact Rating (SIR) of High. Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorized access, gain elevated privileges, execute arbitrary commands, escape the restricted shell, bypass the system image verification checks, or cause a denial of service (DoS) condition on an affected device.

For more details, please refer to url: https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-70757

Unknown vulnerability Found Affecting Intel CPUs – 5th Mar 2019

Preface: So called Spoilter, a vulnerability given by Intel CPU design limitation. If hacker successful exploit such vulnerability. They can conduct “Rowhammer” attack for privileges escalation.

Vulnerability detail: The speculative execution function of Intel’s processors aim to increase the performance of a CPU. Meanwhile it caused Intel CPU vulnerability issues in the past. A new found technique is able to determine how virtual and physical memory is related to each other. By discovering time differences, an attacker can determine the memory layout and then know which area to attack. For more details, please refer attached diagram for reference.

Remedy: There is no mitigation plan that can completely erase this problem.

Headline news: https://www.theregister.co.uk/2019/03/05/spoiler_intel_processor_flaw/

Conclusion: Perhaps “rowhammer” is hard to detect.. Be remind that a predictive defense solution will be reduce the risk. For example you have 360 degree cyber protection includes spam and DNS filter, SIEM, malware protection and managed security services. The impact cause by this vulnerabilities will be under control.

Former vulnerability (CVE-2018-20033 (flexnet_publisher) ) – But enterprise firm must be vigilant! vigilant!

Preface: FlexNet Publisher (formerly known as FLEXlm) is a software license manager from Flexera Software which implements license management and is intended to be used in corporate environments to provide floating licenses to multiple end users of computer software.

Vulnerability background: The design weakness found on 2018. But the official announcement was release on 2019-01-28.

Vulnerability detail: Allow a remote attacker to corrupt the memory by allocating / deallocating memory, loading lmgrd or the vendor daemon and causing the heartbeat between lmgrd and the vendor daemon to stop.

Impact: A successful exploit could allow the attacker to cause the affected software to stop responding, or use the memory corruption to execute arbitrary code.

Official announcement: https://secuniaresearch.flexerasoftware.com/advisories/85979/

About Node.js vulnerabilities – Mar 2019

Preface: Node.js is popular in technology world. No matter crypto or distributed ledger platform, Docker development, REST API…etc can deploy by node.js.

About node.js?
Node.js is a JavaScript runtime environment that processes incoming requests in a loop, called the event loop (initialization and callbacks) and offers a Worker Pool to handle expensive tasks like file I/O. Modern kernel can handle multiple operations executing in the background. Node.js design aim to let’s kernel tells Node.js so that the appropriate callback may be added to the poll queue to eventually be executed. Perhaps such design concept provides an opportunity to hacker!

Vulnerability details (CVE-2019-5737): An attacker could exploit this vulnerability when establishing an HTTP or HTTPS connection in keep-alive mode by sending headers to the targeted system over time to keep the connection open for an extended period. As a result a denial of service condition occurred. Official announcement display in below url: https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

CVE-2019-6690: Improper Input Validation in python-gnupg

Preface: Python provides the essential programming language for smart devices and solutions for the Internet of Things and Industry 4.0.

Technical background: When you use AES128 encrypt string, if the encrypted string is too long. It will contain \r\n in it. Actually, the encryption output is an array of 8-bit bytes, not characters.
The code is Base64 encoding the encrypted data with an option to insert line breaks every 64 characters.

About python-gnupg: gnupg module enables Python to use the functionality of GNU Privacy Guard or GnuPG. With this module Python programs can create and managed keys, encrpt and decrypt data, sign and verify.

Vulnerability detail: A design weakness due to insufficient validation of user-supplied input submitted to the passphrase property of the gnupg.GPG.encrypt() and gnupg.GPG.decrypt() methods when symmetric encryption is used. Such vulnerability could allow a local attacker to control or modify sensitive information on a targeted system.

Remedy: Added checks to disallow newline-type characters in passphrases. https://github.com/vsajip/python-gnupg/commit/39eca266dd837e2ad89c94eb17b7a6f50b25e7cf#diff-88b99bb28683bd5b7e3a204826ead112

The hospital and healthcare industry must be vigilant! vigilant! (CVE-2019-7816 – 2nd Mar 2019)

Preface: Medical software manufacturer uses Adobe ColdFusion to more securely collect electronic clinical outcome assessment (eCOA) data.Digital solutions company uses Adobe ColdFusion to help midmarket companies manage eCommerce more effectively. Some expert predicted that ColdFusion was losing the market but he is still alive.

Critical statement of this vulnerability and remedy.
This attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request. Restricting requests to directories where uploaded files are stored will mitigate this attack.

Should you have interested, please refer below official announcement for reference.

https://helpx.adobe.com/security/products/coldfusion/apsb19-14.html

CVE-2019-9020 PHP xmlrpc_decode() Function Invalid Memory Access Vulnerability – 27th Feb 2019

Preface:
xmlrpc_decode — Decodes XML into native PHP types

Vulnerability detail: The vulnerability is due to improper input validation by the xmlrpc_decode() function of the affected software.

Impact: A successful exploit could cause a heap out-of-bounds read or read-after-free condition, which could result in a complete system compromise.

Remedy: PHP has released software updates at the following link: http://php.net/downloads.php