Category Archives: Potential Risk of CVE

Windows SharePoint Services – “To be, or not to be”

Microsoft formalized Patch Tuesday in October 2003, and it continues today. Its focus has been on workstation, server and software products. Has the Microsoft architecture model changed in the last decade? Perhaps your answer is the cloud platform and cloud collaboration. Yes, cloud computing technology is similar to the renaissance of the 14th to 17th centuries, and it is a major component of the existing technology world.

IT management avoided cloud computing in the early stage, but today they enjoy this technology. As time goes by, Microsoft SharePoint has been widely deployed in IT environments. Some system architects build SharePoint to work as a data warehouse.

The SharePoint design looks fine from Microsoft's point of view. Furthermore, both authentication and security coexist with Active Directory. It is a popular setup since it provides single sign-on.

In retrospect, the vulnerabilities found in SharePoint in 2018 (see below) show that SharePoint is easily exposed to remote code execution by an attacker.

 

| CVE | Description | Score | Vulnerability Type(s) |
| --- | --- | --- | --- |
| CVE-2018-8254 | An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user. | not yet calculated | |
| CVE-2018-8252 | An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user. | not yet calculated | |
| CVE-2018-8168 | A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory, aka “Microsoft Office Remote Code Execution Vulnerability.” This affects Microsoft Word, Word, Microsoft Office, Microsoft SharePoint. This CVE ID is unique from CVE-2018-8157, CVE-2018-8158. | 9.3 | Exec Code Overflow |
| CVE-2018-0922 | Microsoft Office 2010 SP2, 2013 SP1, and 2016, Microsoft Office 2016 Click-to-Run Microsoft Office 2016 for Mac, Microsoft Office Compatibility Pack SP2, Microsoft Office Web Apps 2010 SP2, Microsoft Office Web Apps 2013 SP1, Microsoft Office Word Viewer, Microsoft SharePoint Enterprise Server 2013 SP1, Microsoft SharePoint Enterprise Server 2016, Microsoft Office Compatibility Pack SP2, Microsoft Online Server 2016, Microsoft SharePoint Server 2010 SP2, Microsoft Word 2007 SP3, Microsoft Word 2010 SP2, Word 2013 and Microsoft Word 2016 allow a remote code execution vulnerability due to how objects are handled in memory, aka “Microsoft Office Memory Corruption Vulnerability”. | 9.3 | Exec Code Overflow Mem. Corr. |
| CVE-2018-0797 | Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allow a remote code execution vulnerability due to the way RTF content is handled, aka “Microsoft Word Memory Corruption Vulnerability”. | 9.3 | Exec Code Overflow Mem. Corr. |
| CVE-2018-0792 | Microsoft Word 2016 in Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory, aka “Microsoft Word Remote Code Execution Vulnerability”. This CVE is unique from CVE-2018-0794. | 9.3 | Exec Code Overflow |
| CVE-2018-0789 | Microsoft SharePoint Foundation 2010, Microsoft SharePoint Server 2013 and Microsoft SharePoint Server 2016 allow an elevation of privilege vulnerability due to the way web requests are handled, aka “Microsoft SharePoint Elevation of Privilege Vulnerability”. This CVE is unique from CVE-2018-0790. | 9 | |

Refer to the attached SharePoint architecture diagram; this is a common-practice deployment model integrated with the Azure (IaaS) cloud platform. Suppose MS Excel and SharePoint coincidentally have vulnerabilities at the same time (a similar situation is displayed in the diagram). Which item becomes critical in today's IT environment: the endpoint, the server or the cloud platform?

See whether the high-severity vulnerabilities below, from June 2018, can give you hints in this regard.

CVE-2018-8233 | Win32k Elevation of Privilege Vulnerability – An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka “Win32k Elevation of Privilege Vulnerability.” This affects Windows 10, Windows 10 Servers.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8233

CVE-2018-8251 | Media Foundation Memory Corruption Vulnerability – A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory, aka “Media Foundation Memory Corruption Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8251

CVE-2018-8252 | Microsoft SharePoint Elevation of Privilege Vulnerability – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8252

CVE-2018-8254 | Microsoft SharePoint Elevation of Privilege Vulnerability – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8254

— End —

Bitcoin exchanges must remain vigilant to low value coins

I heard that a vulnerability was found in a cryptocurrency, FuturXE (FXE). The problem is that the smart contract designer made a programming logic mistake. The Department of Homeland Security confirmed the bug this week (CVE-2018-12025) – https://nvd.nist.gov/vuln/detail/CVE-2018-12025

Vulnerabilities and cyber attacks seem never to stop. Do you still remember that the virtual currency exchange Coincheck lost $400 million in NEM cryptocurrency in Jan 2018?

The hack only involved NEM, because the security breach was caused by Coincheck's lack of strong security measures in its implementation of NEM: it did not use multisignature support or a cold wallet.

It looks like criminal groups will be interested in cryptocurrencies with low market value. For instance, in CVE-2018-10468 a hacker exploited a useless token, combined with a vulnerability, to steal the token. Coincheck lost $400 million in NEM, but the market price of each coin is of lower value.

FuturXE's market price is equal to zero, but it is still available to buy on the market. I think this type of coin will lure the interest of criminal groups. The fact is that this type of coin will be exploited for money laundering. Since the coin has a vulnerability, a criminal group can hire a hacker to steal the coin and wait for bitcoin exchanges to reimburse the funds, achieving the money laundering objective.

— End —

My reflections – Why do we require complete artificial intelligence into daily life?

The important thing is to never stop questioning, said Albert Einstein.

Since there is no perfect design in the world, bug fixes, or so-called software patch updates, are the accepted method. So I heard that Apple issued a security update for Siri (the speech recognition application program). As usual, I am interested in the technical details of the security update. But my consideration this time is not cyber security. My question is: why do we require complete artificial intelligence in daily life? As we know, after Apple Siri, Microsoft launched Cortana and Amazon launched Alexa. Speech recognition has been a significant success (see attached diagram). The aim of this function is not to target smartphones only. The major goal is to integrate this function into artificial intelligence systems. The situation of today's technology world is similar to the following circumstance: once we accept our limits, we go beyond them. But my personal opinion is that we are on the way to a simple logical thinking model. The logical thinking steps will be replaced and transferred to other parties. In fact, it will enhance security and operational efficiency. Meanwhile, the resources in the world are limited. For instance, the existing resources in a normal non-AI environment can be consumed for 100 years. But when we integrate our life with AI, how long can the consumption cycle be maintained?

Apple security announcement reference – https://support.apple.com/en-hk/HT208848

June 13, 2018 – ISC Releases Security Advisory for BIND

 

BIND is the most widely used Domain Name System (DNS) software. Operating systems: Linux, NetBSD, FreeBSD, OpenBSD, macOS, Windows. Type: DNS server. License: Mozilla Public License (ISC license before 9.11). Website: www.isc.org/downloads/bind.

ISC Releases Security Advisory for BIND Published Wednesday, June 13, 2018 – A remote attacker could exploit this vulnerability to obtain sensitive information.

Official announcement – https://kb.isc.org/article/AA-01616/0/CVE-2018-5738

June 2018 – Cisco releases security update for their products

Cisco's marketing strategy covers the full scope of cyber security and the computer world. Since it provides a wide range of functional product features, vulnerabilities are hard to avoid. Therefore, security updates arrive frequently. No harm! This is the IT world.

Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Session Initiation Protocol Denial of Service Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-multiplatform-sip

Cisco Adaptive Security Appliance Web Services Denial of Service Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd

Cisco AnyConnect Secure Mobility Client Certificate Bypass Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-AnyConnect-cert-bypass

The Enterprise Console in Cisco AppDynamics App iQ Platform before 4.4.3.10598 (HF4) allows SQL injection, aka the Security Advisory 2089 issue.

https://docs.appdynamics.com/display/PRO44/Release+Notes#ReleaseNotes-4.4.3.10598%28HF4%29Updates

Cisco FireSIGHT System VPN Policy Bypass Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-FireSIGHT-vpn-bypass

Cisco Identity Services Engine Cross-Site Scripting Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-ise-xss

Cisco Integrated Management Controller Supervisor and Cisco UCS Director DOM Stored Cross-Site Scripting Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-ucsdimcs

Cisco IOS XE Software Authentication, Authorization, and Accounting Login Authentication Remote Code Execution Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-aaa

Cisco Meeting Server Information Disclosure Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cms-id

Cisco Network Services Orchestrator Arbitrary Command Execution Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-nso

Invalid Curve Attack – 2017

https://nodesecurity.io/advisories/324

https://github.com/cisco/node-jose

Cisco Prime Collaboration Provisioning Unauthorized Password Recovery Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-password-recovery

Cisco Prime Collaboration Provisioning Cleartext Passwords Written to World-Readable File Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cpcp-id

Cisco Prime Collaboration Provisioning SQL Injection Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-sql

Cisco Prime Collaboration Provisioning Access Control Deficiency in Batch Function Privilege Escalation Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-escalation

Cisco Prime Collaboration Provisioning Unauthenticated Remote Method Invocation Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-rmi

Cisco Prime Collaboration Provisioning Access Control Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-access

Cisco Prime Collaboration Provisioning Unauthorized Password Reset Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-password-reset

Cisco Prime Collaboration Provisioning Access Control Bypass Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-bypass

Cisco Unified Communications Manager Cross-Site Scripting Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-ucm-xss

Cisco Unified Communications Manager Cross-Frame Scripting Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cucm-xfs

Cisco Unified Computing System Role-Based Access Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-ucs-access

Cisco Unified IP Phone Software Denial of Service Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-ip-phone-dos

Cisco Unity Connection Cross-Site Scripting Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cuc-xss

Cisco Web Security Appliance Layer 4 Traffic Monitor Security Bypass Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-wsa

Cisco WebEx Cross-Site Scripting Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-webex-xss

Cisco WebEx Cross-Site Scripting Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-webex-xss1

Cisco Wide Area Application Services Software Disk Check Tool Privilege Escalation Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-waas-priv-escalation

Cisco Wide Area Application Services Software Static SNMP Credentials Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-waas-snmp

* Multiple Cisco Products Disk Utilization Denial of Service Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-diskdos

29th May 2018 – VMware security update – CVE-2018-6964

VMware Horizon Client (Linux) was found to contain a design weakness that causes a privilege escalation vulnerability. I speculate that the vulnerability only happens on Horizon Client for Linux, and therefore it cannot draw the attention of IT staff. But do not ignore this vulnerability. As we know, ESXi 6.5 could allow an authenticated VNC session to cause a heap overflow via a specific set of VNC packets, resulting in heap corruption. A hacker would exploit this design bug, but the environment must fulfill the requirements: VNC must be enabled, and ESXi must be configured to allow VNC traffic through the built-in firewall. As a matter of fact, IT operations like to increase their flexibility and sometimes enable this function in the data center. If this is the case, or you require VNC for remote access, then you must stay alert.
If this is not a required function, it is recommended to disable it.

Technical details of the vulnerability found on 29th May 2018 are shown below:

VMSA-2018-0014: VMware Horizon Client update addresses a privilege escalation vulnerability – https://www.vmware.com/security/advisories/VMSA-2018-0014.html

June 2018 – Google Releases Security Update for Chrome

Content Security Policy (CSP) provides a standard HTTP header that allows website owners to declare approved sources of content that browsers should be allowed to load on that page.

It is a browser-based XSS protection mechanism: a least-privilege approach that whitelists the content you trust. Nothing else will execute. It assumes that inline scripts are bad.

But………….

High CVE-2018-6148: Incorrect handling of CSP header

https://chromereleases.googleblog.com/search/label/Stable%20updates
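The whitelist model described above can be checked on the server side before a policy ships. The following is an added example, not code from the original post or from Chrome: a small audit of the script controls in a `Content-Security-Policy` value. The function names and the two sample policies are constructed for illustration.

```javascript
// Added example: audit the script controls of a Content-Security-Policy value.
// Function names and sample policies are constructed for illustration.

// Parse a serialized policy into Map<directive, sources[]>.
// Directive names are case-insensitive; a repeated directive is ignored
// (the first occurrence wins), matching the CSP parsing rules.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// script-src governs scripts; default-src is the fallback when it is absent.
function effectiveScriptSrc(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null; // no directive restricts scripts at all
}

// Return a list of findings that weaken the whitelist for scripts.
function auditScriptPolicy(header) {
  const sources = effectiveScriptSrc(parseCsp(header));
  if (sources === null) return ['no-script-restriction'];
  const lower = sources.map((s) => s.toLowerCase());
  const findings = [];
  // A nonce or hash source makes CSP Level 2+ browsers ignore 'unsafe-inline'.
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push('inline-scripts-allowed');
  }
  if (lower.includes("'unsafe-eval'")) findings.push('eval-allowed');
  for (const s of lower) {
    if (s === '*') findings.push('wildcard-source');
    else if (/^(https?|data|blob):$/.test(s)) findings.push('scheme-only-source:' + s);
  }
  return findings;
}

// Constructed sample policies: a weak one and a tighter one whose
// duplicate "SCRIPT-SRC *" is ignored because the first script-src wins.
const WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https: data:";
const STRICT = "default-src 'none'; script-src 'self' https://cdn.example.test; SCRIPT-SRC *";
console.log(auditScriptPolicy(WEAK));
console.log(auditScriptPolicy(STRICT));
```

An empty result means none of these specific weaknesses were found; it does not prove that the browser enforces the header correctly, which is what the Chrome fix above concerns.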

May 2018 – Moodle security announcements

LMS (Learning Management System) has become popular because it does not limit learning by location or time zone. A learner or student can start the tuition whenever a computer is connected to the internet. Such a learning atmosphere is popular around the world. LMS is not restricted to high school and university education; it also covers internal training in business environments. Moodle is a free and open-source learning management system written in PHP and distributed under the GNU General Public License. Education authorities can download the software onto their own web server. Moodle does not generate SCORM content. Moodle presents the content in SCORM packages to learners, and saves data from learner interactions with the SCORM package.

SCORM content can be delivered to learners via any SCORM-compliant Learning Management System (LMS) using the same version of SCORM.

Market share shows that open-source Moodle has grown significantly recently. However, vulnerabilities have occurred in Moodle. Please download version 3.5 now because it fixes the design bugs. Bug details are shown below:

Portfolio script allows instantiation of class chosen by user – https://moodle.org/mod/forum/discuss.php?d=371204

User can shift a block from Dashboard to any page – https://moodle.org/mod/forum/discuss.php?d=371202

Users can download any file via portfolio assignment caller class – https://moodle.org/mod/forum/discuss.php?d=371200

Portfolio forum caller class allows a user to download any file – https://moodle.org/mod/forum/discuss.php?d=371201

Calculated question type allows remote code execution by Question authors – https://moodle.org/mod/forum/discuss.php?d=371199

June 06, 2018 – Cisco Releases Security Updates for Multiple Products

CVE-2018-0321 – Cisco Prime Collaboration Provisioning Unauthenticated Remote Method Invocation Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-rmi

CVE-2018-0315 – Cisco IOS XE Software Authentication, Authorization, and Accounting Login Authentication Remote Code Execution Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-aaa

CVE-2018-0353 – Cisco Web Security Appliance Layer 4 Traffic Monitor Security Bypass Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-wsa

CVE-2018-0320 – Cisco Prime Collaboration Provisioning SQL Injection Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-sql

CVE-2018-0318 – Cisco Prime Collaboration Provisioning Unauthorized Password Reset Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-password-reset

CVE-2018-0319 – Cisco Prime Collaboration Provisioning Unauthorized Password Recovery Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-password-recovery

CVE-2018-0317 – Cisco Prime Collaboration Provisioning Access Control Bypass Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-bypass

CVE-2018-0322 – Cisco Prime Collaboration Provisioning Access Control Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-access

CVE-2018-0274 – Cisco Network Services Orchestrator Arbitrary Command Execution Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-nso

CVE-2018-0316 – Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Session Initiation Protocol Denial of Service Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-multiplatform-sip

CVE-2017-6779 – Multiple Cisco Products Disk Utilization Denial of Service Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-diskdos

CVE-2018-0263 – Cisco Meeting Server Information Disclosure Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cms-id

CVE-2018-0296 – Cisco Adaptive Security Appliance Web Services Denial of Service Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd