Category Archives: Potential Risk of CVE

TCP-pipelined queries flaw allows bypassing the tcp-clients limit (CVE-2019-6477)

Preface: To improve bandwidth utilization, layer-4 relays were introduced that enable the pipelining of TCP connections.

Background: BIND 9 has evolved into a very flexible, full-featured DNS system. On a server with TCP-pipelining capability, it is possible for one TCP client to send a large number of DNS requests over a single connection.

Vulnerability details: It was discovered that BIND incorrectly handled certain TCP-pipelined queries. A remote attacker could possibly use this issue to make BIND consume resources, resulting in a denial of service.

Observation: Before the remedy is applied, this design weakness may provide a pathway for cyber criminals to conduct a denial-of-service attack. Perhaps it is easy to start the attack and then suspend the DNS services. Even if you have defensive controls in place, they cannot prevent it. The official announcement and remedy can be found at the following URL: https://kb.isc.org/docs/cve-2019-6477

Interested in this vulnerability CVE-2019-5541?

Preface: As far as I know, VMware announced CVE-2019-5541 in April 2019, but the security update was only released two days ago. Perhaps these products are not in a profitable area. But the flaw has awakened quite a lot of people to concern about weaknesses in virtual machine design.

Background: VMware Workstation is for Windows/Linux, while Fusion is only for Intel-based Apple computers running Mac OS X 10.4.9 and later.

Type 1 hypervisors are commonly considered bare metal hypervisors, in that the hypervisor code itself runs directly on top of your hardware.
VMware Workstation is an example of a type 2 hypervisor. You can install it on top of an existing instance of Windows (and a number of Linux distributions).

Vulnerability details: VMware Workstation and Fusion versions were identified as affected by an out-of-bounds write vulnerability in the e1000 virtual network adapter. The affected guest may allow malicious code to be executed on the hypervisor.

Supplement: The idea of a heap buffer overflow is generally to achieve an out-of-bounds write. Depending on the data written, there are more specific subdivisions. For more details, please refer to the attached diagram.

Official announcement – https://www.vmware.com/security/advisories/VMSA-2019-0021.html

CVE-2019-0721, CVE-2019-1397, CVE-2019-1398, CVE-2019-1399 – Hyper-V Remote Code Execution Vulnerabilities

Preface: Virtualization inside a virtualization platform: it is definitely a microsystem architecture.

Technical background: Windows Sandbox requires a Type 1 hypervisor. Therefore, to run Sandbox on a virtual machine, nested virtualization must be enabled. Nested virtualization allows running Hyper-V on a virtual machine. In addition, it allows Windows Sandbox to run on a virtual machine.

The Hyper-V vSwitch is a software-defined, layer-2, Ethernet network-traffic switch. It allows administrators to connect VMs to either physical or virtual networks. The adapter for the Hyper-V virtual switch is completely unbound from anything that the Windows Firewall has access to. Packets will pass through it without ever being inspected by the management operating system’s firewall.

Vulnerability details: An attacker could run malicious code on a guest operating system, which could cause the Windows Hyper-V host to execute arbitrary code. For the attack to succeed, the attacker runs malicious code on a guest operating system. Once successful, the attacker can escape the VM sandbox, and the compromised guest VM could cause the Windows Hyper-V host to execute arbitrary code.

Reference: Official announcement – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1398

The arbitrary code execution (ACE) is on your wrist – CVE-2019-8718

Preface: XNU is an operating system kernel developed by Apple Computer for the macOS operating system. It is part of the Darwin operating system. XNU is a hybrid kernel combining the Mach kernel.

Background: IOKit gives user-space access to hardware devices and drivers. The IOKit object representing a hub device on the USB bus is a subclass of IOUSBDevice. A vulnerable implementation of IOInterruptEventSource on a workloop exists in IOUSBDeviceFamily.

Impact: An attacker can exploit the vulnerability by sending a USB control message to a target device, which lets the application execute arbitrary code with kernel privileges.

Current Status:
– Entry added October 29, 2019
– Proof of concept released on 11th Nov 2019

Apache Solr 8.2.0 remote code execution (Nov 2019)

Preface: Apache Solr is an application based on J2EE and uses Lucene libraries internally to provide user-friendly search as well as to generate the indexes.

Background: Apache Solr powers the search and navigation features of many of the world’s largest internet sites.

Vulnerability details: When an attacker can directly access the Solr console, he can make changes to the node’s configuration file by sending a POST request to a path such as /nodename/config.

Apache Solr integrates the “VelocityResponseWriter” plugin by default. The “params.resource.loader.enabled” option in the plugin’s initialization parameters controls whether the parameter resource loader is allowed to specify a template in the Solr request parameters. This option defaults to false. When “params.resource.loader.enabled” is set to true, the user is allowed to specify the loading of related resources by setting parameters in the request, which means that an attacker can construct a malicious request to the server. Remote code execution will occur.
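The two stages described above (a Config API POST that flips “params.resource.loader.enabled” to true, followed by a query that supplies its own template) can be spotted in request logs. The Python below is an added example for this post, not Solr project code: it audits constructed (method, URL, body) records, and the same walker also works on a Config API response when auditing a live node. The `update-queryresponsewriter` command and the `v.template` parameter family are the writer’s documented names; `shop` is a made-up core name.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

OPTION = "params.resource.loader.enabled"

def enables_param_loader(doc) -> bool:
    """True if any nested object in a Config API command or response sets OPTION to true."""
    if isinstance(doc, dict):
        if str(doc.get(OPTION, "")).lower() == "true":
            return True
        return any(enables_param_loader(v) for v in doc.values())
    if isinstance(doc, list):
        return any(enables_param_loader(v) for v in doc)
    return False

def audit_requests(requests):
    """Report (core, reason) for the two stages: a Config API POST that turns the
    loader on, then a select that supplies its own Velocity template."""
    findings, enabled_cores = [], set()
    for method, url, body in requests:
        parts = urlsplit(url)
        m = re.match(r"^/solr/([^/]+)/(config|select)$", parts.path)
        if not m:
            continue
        core, handler = m.groups()
        if method == "POST" and handler == "config":
            try:
                doc = json.loads(body)
            except ValueError:
                continue  # malformed body: not a configuration change
            if enables_param_loader(doc):
                enabled_cores.add(core)
                findings.append((core, "config API enabled " + OPTION))
        elif handler == "select":
            qs = parse_qs(parts.query)
            if qs.get("wt") == ["velocity"] and any(k.startswith("v.template") for k in qs):
                why = "Velocity template supplied in request parameters"
                if core in enabled_cores:
                    why += " after the loader was enabled"
                findings.append((core, why))
    return findings

# Constructed request records, not real traffic; the template body is a placeholder.
SAMPLE_REQUESTS = [
    ("GET", "/solr/admin/cores?action=STATUS", ""),
    ("POST", "/solr/shop/config", '{"update-queryresponsewriter":{"name":"velocity",'
     '"class":"solr.VelocityResponseWriter","params.resource.loader.enabled":"true"}}'),
    ("GET", "/solr/shop/select?q=*:*&wt=velocity&v.template=custom&v.template.custom=PLACEHOLDER", ""),
]
```

A Config API response from a node where the option was never touched yields no finding, so the same walker doubles as a periodic configuration check.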

Current status: waiting for CVE reference number

Past history, new attacks (CVE-2015-0008) – 28th Oct 2019

Preface: Microsoft will be ending support for Windows 7 and Server 2008 on January 14, 2020. This means no more security patching and no more support from Microsoft.

Vulnerability details: Design flaw found in 2015. Microsoft Windows Group Policy could allow a remote attacker to take complete control of the system, caused by improper application of policy data. By using social engineering to convince a privileged user on a domain-configured system to connect to an attacker-controlled network, an attacker could exploit this vulnerability to execute arbitrary code and take complete control of the system.

Current status: Microsoft Windows Server 2012 suffers from a Group Policy remote code execution vulnerability.

Proof of concept released on 29th October 2019. The exploit code targets vulnerable systems in order to modify registry keys to disable SMB signing, achieve SYSTEM-level remote code execution (AppInit_DLL) and user-level remote code execution (Run keys).

Perhaps this vulnerability has no significant impact on MS products at the moment. But information security experts should take care of this issue.
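The three registry targets the post names (SMB signing switched off, AppInit_DLLs populated, Run keys written) are exactly what endpoint telemetry should alert on. The Python below is an added example for this post, not the PoC’s or Microsoft’s code: it triages constructed registry value-set events in the (TargetObject, Details) shape Sysmon emits. The key paths are the standard Windows locations for these settings; the event lines and file paths are made up.

```python
import re

# Well-known Windows registry locations for the three targets named above (lower-cased; registry paths are case-insensitive).
SMB_SIGNING_KEYS = {
    r"hklm\system\currentcontrolset\services\lanmanworkstation\parameters",
    r"hklm\system\currentcontrolset\services\lanmanserver\parameters",
}
APPINIT_KEY = r"hklm\software\microsoft\windows nt\currentversion\windows"
RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
}

def dword_value(details):
    """Parse Sysmon-style 'DWORD (0x00000000)' details; None if not a DWORD."""
    m = re.search(r"dword \(0x([0-9a-f]+)\)", details, re.I)
    return int(m.group(1), 16) if m else None

def classify(target, details):
    """Classify one registry value-set event (TargetObject, Details), or None if benign."""
    key, _, value = target.lower().rpartition("\\")
    if key in SMB_SIGNING_KEYS and value in ("requiresecuritysignature", "enablesecuritysignature"):
        # Setting either value to 0 turns SMB signing off; 1 is hardening, not tampering.
        return "smb-signing-disabled" if dword_value(details) == 0 else None
    if key == APPINIT_KEY and value == "appinit_dlls" and details.strip():
        return "appinit-dll-persistence"
    if key == APPINIT_KEY and value == "loadappinit_dlls" and dword_value(details) == 1:
        return "appinit-dll-persistence"
    if key in RUN_KEYS:
        return "run-key-persistence"
    return None

def triage(events):
    """Return (category, target) for every event matching a tampering pattern."""
    out = []
    for target, details in events:
        category = classify(target, details)
        if category:
            out.append((category, target))
    return out

# Constructed events in Sysmon's (TargetObject, Details) shape; file paths are made up.
SAMPLE_EVENTS = [
    (r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature",
     "DWORD (0x00000000)"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs", r"C:\ProgramData\example.dll"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater", r"C:\Users\Public\updater.exe"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature",
     "DWORD (0x00000001)"),
]
```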

Samba releases security updates – Oct 2019

Preface: Samba is like a middleman bridging all the races in the cyber world.

Background: Samba is free software for connecting UNIX operating systems to the SMB/CIFS network protocol of Microsoft Windows. The third edition not only accesses and shares SMB folders and printers, but also integrates into Windows Server domains, acting as a domain controller and joining as an Active Directory member.

Vulnerability details:
1) Path traversal (Severity – medium) – CVE-2019-10218 https://www.samba.org/samba/security/CVE-2019-10218.html

2) Use of Obsolete Function (Severity – low) – CVE-2018-18433 https://www.samba.org/samba/security/CVE-2019-14833.html

3) NULL pointer dereference (Severity – medium) – CVE-2019-14847 https://www.samba.org/samba/security/CVE-2019-14847.html

For the details of the design weakness, please refer to the attached diagram.

CVE-2019-1346 – A denial of service vulnerability exists when Windows improperly handles objects in memory.

Preface: Web browsing and opening documents are part of our daily life. Oops! But it may hit a DoS vulnerability.

Background: x64 extends x86’s 8 general-purpose registers to be 64-bit, and adds 8 new 64-bit registers. The 64-bit registers have names beginning with “r”, so for example the 64-bit extension of eax is called rax. The new registers are named r8 through r15.

Remember that rip is the instruction pointer, and whatever code is present at rip is executed. If the code is invalid, however, something will go wrong.

Vulnerability details: A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. The crash occurs when any system component calls LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE) against the file, either directly or through another API such as GetFileVersionInfoSizeExW() or GetFileVersionInfoW().

Official announcement – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1346

CVE-2019-12941 – AutoPi (Wi-Fi/NB and 4G/LTE) devices Wi-Fi password vulnerability (Oct 2019)

Preface: Are you afraid of someone suddenly controlling your car?

Background: AutoPi is a small device that plugs into the OBD-II port of your car.

What is the OBD-II port? The OBD-II port of the car gives the dongle access to the car’s internal systems. AutoPi also provides a cloud service that lets you communicate with the dongle remotely over the Internet.

Vulnerability details: When a user is connected to the Wi-Fi, it is also possible to SSH into the device. Both the web portal terminal and the SSH terminal grant root access, meaning that full access to the device is given when connected through Wi-Fi.

Because of a design weakness in the Wi-Fi password mechanism, an attacker can use the following method to recover the WPA2 authentication password. The default Wi-Fi password and Wi-Fi SSID are derived from the same hash function output (the input is only 8 characters), which allows an attacker to deduce the Wi-Fi password from the Wi-Fi SSID. So it takes only a few hours to crack. For more details, please refer to the attached infographic.

Should you be interested, please download the technical white paper for review: https://www.kth.se/polopoly_fs/1.931922.1571071632!/Burdzovic_Matsson_dongle_v2.pdf

CVE-2019-6475 – BIND 9 vulnerability

Preface: Existing Internet services require the DNS lookup function. Will the artificial intelligence world replace this function?

Background: There are currently 13 root servers in operation. To avoid a high volume of DNS requests that could not be handled immediately, a request made for a certain root server is routed to the nearest mirror of that root server. The mirror zone feature is most often used to serve a local copy of the root zone. Mirror zones are a BIND feature allowing recursive servers to pre-cache zone data provided by other servers.

Vulnerability details: A design flaw was found in BIND versions 9.14.0 up to 9.14.6, and 9.15.0 up to 9.15.4. An attacker was able to insert themselves into the network path between a recursive server using a mirror zone and a root name server.
The attack method is that the hacker sniffs on the network.
DNS uses TCP for zone transfers and UDP for name queries, whether regular (forward) or reverse.
Once the attacker learns the ports and sequence numbers (e.g., as an on-path attacker), they can inject data into any TCP connection.

Impact:
An on-path attacker who manages to successfully exploit this vulnerability can replace the mirrored zone (usually the root) with data of their own choosing, effectively bypassing DNSSEC protection.

Official announcement – https://kb.isc.org/docs/cve-2019-6475