Category Archives: Potential Risk of CVE

Sensitive information in log files: Kubernetes is no exception. 7-12-2020

Preface: If you don't see much that is useful in the logs, you could try turning on verbose logging on the Kubernetes component you suspect has a problem, using --v or --vmodule, to at least level 4.

Technical background: Kubernetes has no native cluster-level logging. There are a few proven methods that can be applied cluster-wide to achieve the same result: all logs collected in a standardized way and sent to a central location. The common ones are a node logging agent, monitoring Kubernetes pods, and monitoring applications running in Kubernetes. Perhaps that sounds comprehensive. Meanwhile, sensitive information leakage has occurred. To keep up with the technology world, a Kubernetes cluster will do a lot of system integration or thin provisioning, for example using Ceph storage services. So when a design weakness occurs, sensitive information can be found in the logs.
Ref: A RADOS Block Device (RBD) is software that facilitates the storage of block-based data in the open source Ceph distributed storage system.

Vulnerability details:

CVE-2020-8563 – https://nvd.nist.gov/vuln/detail/CVE-2020-8563

CVE-2020-8564 – https://nvd.nist.gov/vuln/detail/CVE-2020-8564

CVE-2020-8565 – https://nvd.nist.gov/vuln/detail/CVE-2020-8565

CVE-2020-8566 – https://nvd.nist.gov/vuln/detail/CVE-2020-8566

Comment: The management of log files falls under the ISMS. Therefore, the impact depends on how that area is handled.

We try our best to avoid information leakage, but it is difficult to prevent vulnerabilities from happening. Take care of your cat (Tomcat) – 7th Dec 2020

Preface: CISA encourages users and administrators to review the Apache security advisory for CVE-2020-17527 and upgrade to the appropriate version (4th Dec 2020).

Vulnerability details: In HTTP/2, HTTP headers are compressed using a combination of compression schemes (static Huffman coding and context-adaptive coding). Flow control and dependency mechanisms allow HTTP/2 clients and servers to signal how objects should be transmitted. However, a design weakness was found in Apache Tomcat: it could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream.
While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

Remedy: A method that was given a specific task should be expected to complete it and return a finished result that does not require further processing. Only return a StringBuilder when you really need to, and in that case add something to the method name to indicate that you are returning something special. For more detail, please refer to the diagram.
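A constructed simulation (added here, not Tomcat's code) of the bug class the remedy describes: a decoder that returns its reusable scratch buffer instead of a finished value, so a later stream silently rewrites the header an earlier stream's request is still holding. The class names, the stream numbers and the header values are assumed.

```python
class SharedBufferDecoder:
    """Keeps ONE reusable buffer for every header value it decodes and hands
    that buffer out: the pattern the remedy warns about ("only return
    StringBuilder when you really need it")."""

    def __init__(self):
        self._scratch = bytearray()

    def decode_value(self, raw: bytes):
        self._scratch.clear()
        self._scratch.extend(raw)
        return self._scratch        # BUG: the caller now aliases our scratch space


class CopyingDecoder(SharedBufferDecoder):
    """Fixed variant: finish the job and return an immutable, finished value."""

    def decode_value(self, raw: bytes):
        super().decode_value(raw)
        return bytes(self._scratch)  # snapshot; later streams cannot alter it


def process_streams(decoder, streams):
    """Decode one 'authorization' header per stream on a single connection and
    return what each stream's request object holds once all streams are in."""
    requests = []
    for stream_id, raw_value in streams:
        requests.append({"stream": stream_id,
                         "authorization": decoder.decode_value(raw_value)})
    # Stream 1's request is still being serviced when stream 3 arrives, so this
    # is what stream 1's handler would read *after* stream 3 was decoded.
    return [bytes(r["authorization"]) for r in requests]


# Constructed traffic: two streams on one connection with different credentials.
STREAMS = [(1, b"Bearer alice-token"), (3, b"Bearer bob-token")]


def leaked(decoder_cls) -> bool:
    """Regression check: True if stream 1 ends up seeing stream 3's value."""
    values = process_streams(decoder_cls(), STREAMS)
    return values[0] == STREAMS[1][1]
```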

Mitigation:
Upgrade to Apache Tomcat 10.0.0-M10 or later
Upgrade to Apache Tomcat 9.0.40 or later
Upgrade to Apache Tomcat 8.5.60 or later

CVE-2020-29534: Perhaps this impact only applies to end users rather than IoT manufacturers. The fact is that the 5.9 release only came out in Oct 2020. (3rd Dec 2020)

Preface: Linux kernel 5.1 added io_uring. The main purpose of io_uring is to fix the problems of the original Linux native AIO. For example:
– MySQL and Nginx already support local AIO.
– InnoDB uses the asynchronous I/O subsystem (native AIO) on Linux to perform read-ahead and write requests for data file pages.

Technical details: To put it simply, AIO hands the corresponding callback function over to the system, which is truly asynchronous. However, Linux native AIO imposes the following restrictions on files opened with the O_DIRECT flag. When reading and writing files in AIO mode, the operating system's file cache cannot be used, and the buffer address, transfer size and file offset must all be aligned to the disk block size (usually 512 bytes). The advantage of using O_DIRECT is that it avoids making extra copies of data while transferring it, and the call returns after the transfer is complete.

Vulnerability details:

File access across suid boundaries – io_uring takes a non-refcounted reference to the files_struct of the process that submitted a request (relying on ->flush() to be notified before the files_struct can go away). Unfortunately, unshare_fd(), which is used by bprm_execve() via unshare_files(), doesn't know about that, and assumes that if the files_struct's refcount is 1, it is okay to keep using the old files_struct.

mm access across suid boundaries – If the attacker lets the suid binary write the fd number to a fixed address and then uses that address instead of free_fd, it can trigger the vulnerability.

Reference: mm (pointer to struct mm_struct) refers to the address space of a process. For example, exe_file (pointer to struct file) refers to the executable file, while arg_start and arg_end are the addresses of the first and last byte of the argv passed to a process, respectively.

Status: This vulnerability is currently awaiting analysis.

Xerox DocuShare (6.6.1, 7.0 and 7.5) has potential data leakage vulnerabilities (3rd Dec 2020)

Preface: The official announcement did not say much. Do you have doubts about CVE-2020-27177 (Xerox DocuShare vulnerability)?

Product details: DocuShare Scan and Print 7 (hereafter, Scan and Print) is a feature which allows you to print documents uploaded to DocuShare, or upload scanned documents to DocuShare. DocuShare security features protect content from unauthorized access and modification. These features are available to both the site administrator and users, enabling them to apply the level of protection needed for their site.

Vulnerability details: When applications use XML to transport data between browser and server, they almost always use a standard API for processing the XML on the server. Vulnerabilities arise because parsers will, by default, process potentially dangerous features. The DocuShare server is exposed to server-side request forgery (SSRF) attacks and unauthenticated external XML entity injection (XXE) attacks. The overall impact could expose DocuShare users to an attack resulting in the loss of sensitive data. SSRF can cause the server to make a connection back to itself, or to other web-based services within the organization's infrastructure. The severity of the impact depends on the trust relationship between both ends.
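The defensive side of the XXE/SSRF point above, as an added example that is not Xerox code: a Python SAX intake that disables external entity resolution and refuses any DOCTYPE, so the parser cannot be made to reach an internal host or a local file. The two sample documents and the host name internal.example are constructed.

```python
import io
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)

class DTDForbidden(Exception):
    """Raised the moment the parser sees a <!DOCTYPE ...> declaration."""

class RejectDTD:
    """SAX lexical handler: refuse every DOCTYPE before any entity in it can
    be declared, let alone resolved.  The other lexical callbacks are no-ops."""
    def startDTD(self, name, public_id, system_id):
        raise DTDForbidden(f"DOCTYPE {name!r} rejected (system id {system_id!r})")
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass

class Collector(ContentHandler):
    """Keeps element names and text so the caller only ever sees plain data."""
    def __init__(self):
        super().__init__()
        self.tags, self.text = [], []
    def startElement(self, name, attrs):
        self.tags.append(name)
    def characters(self, content):
        self.text.append(content)

def parse_untrusted(xml_bytes: bytes):
    """Returns (True, (tags, text)) for an accepted document, else (False, reason)."""
    parser = xml.sax.make_parser()
    # Never fetch external general entities (file://, http://...): that is the
    # XXE path that turns the parser into a file-read / SSRF primitive.
    parser.setFeature(feature_external_ges, False)
    # And refuse DTDs outright, so no entity can even be declared.
    parser.setProperty(property_lexical_handler, RejectDTD())
    handler = Collector()
    parser.setContentHandler(handler)
    try:
        parser.parse(io.BytesIO(xml_bytes))
    except (DTDForbidden, xml.sax.SAXParseException) as exc:
        return False, str(exc)
    return True, (handler.tags, "".join(handler.text).strip())

# Constructed inputs: a benign scan-job document and one whose external entity
# would make the server contact an internal host (SSRF) if it were resolved.
BENIGN = b"<job><title>Scan to folder</title></job>"
HOSTILE = (b'<!DOCTYPE job [<!ENTITY x SYSTEM "http://internal.example/">]>'
           b"<job><title>&x;</title></job>")
```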

Official announcement – https://securitydocs.business.xerox.com/wp-content/uploads/2020/11/cert_Security_Mini_Bulletin_XRX20W_for-DocuShare-6.61_7.0_7.5.pdf

New vulnerability found on Tesla Model X; perhaps the remedy is not to let strangers sit in your car – 1st Dec 2020

Preface: Vulnerabilities found in products are nothing new. In short, a total of 3 vulnerabilities were found on the Tesla Model X this time.

Vulnerability details: For the new discoveries on the Model X, please refer to the URL below. In addition, the attached drawings will provide you with hints.

https://www.wired.com/story/tesla-model-x-hack-bluetooth/

Information supplement for reference: A cable with vendor part number 1013230-00-A, or a 3rd-party compatible cable, allows you to connect to the Model S or Model X service port and access maintenance features like firmware redeploy (used when swapping most parts), reading and clearing DTCs (diagnostic trouble codes), running Autopilot camera and radar calibration, and reading thermal stats on the drive. The Model S and X run a 100 Mbps, full-duplex Ethernet network. Some ports and services that were open on the devices were 22 (SSH), 23 (telnet), 53 (DNS), 80 (HTTP), 111 (rpcbind), 2049 (NFS) and 6000 (X11). Port 80 was serving a web page with the image or media of the current song being played. The operating system is a modified version of Ubuntu using an ext3 filesystem.

Remedy: Waiting for vendor update.

CVE-2020-27255: Software vulnerability that bypasses address space layout randomization (ASLR) protection (FactoryTalk Linx – Allen-Bradley software product) – 27th Nov 2020

Preface: In industrial automation and control systems, the technology difference between IT and OT is small; perhaps they are converging. As far as cyber security protection is concerned, there seems to be no difference at all.

Product background: Formerly known as RSLinx® Enterprise, FactoryTalk® Linx is included with most FactoryTalk software and functions as the premier data server to deliver information from Allen-Bradley control products to the control system. While FactoryTalk Linx interfaces with PLC-5®, SLC™ 500 and Micro800™ controllers, it is optimized to communicate with Logix 5000™ controllers using EtherNet/IP. This gives the fastest data rates and capacity possible, while minimizing the impact on your automation networks and control system operation. FactoryTalk Linx delivers a solution from small applications running on a single computer with a single controller, to large distributed and even redundant data server configurations communicating with large automation systems.

Vulnerability details: A heap overflow vulnerability exists within FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send malicious set attribute requests, which could result in the leaking of sensitive information. This information disclosure could lead to the bypass of address space layout randomization (ASLR).

Observation: The vendor does not explicitly disclose the facts of the vulnerability, but most likely the vulnerability is caused by a JavaScript-based ASLR bypass attack.

Vendor announcement and remedy: https://us-cert.cisa.gov/ics/advisories/icsa-20-329-01

Headline News: A hacker has now leaked the credentials for almost 50,000 vulnerable Fortinet VPNs. (26th Nov 2020)

Do you doubt whether you are a victim? A quick way to confirm the vulnerability of Fortinet SSL-VPN (CVE-2018-13379).

Preface: A VPN client with a design limitation that causes information leakage is not news today. However, you should confirm that your setup does not have this flaw.

Background: An unknown person left the information online. The files contain IP addresses and related details. However, Fortinet encountered this vulnerability a long time ago (2018). To confirm that you are not a victim, you can easily check the VPN firewall's vulnerability status on your device. Please refer to the attached picture.

Headline News: A hacker has now leaked the credentials for almost 50,000 vulnerable Fortinet VPNs – https://www.bleepingcomputer.com/news/security/passwords-exposed-for-almost-50-000-vulnerable-fortinet-vpns/

Perspective: VMware CVE-2020-4006

Preface: This week, VMware product vulnerabilities drew a lot of attention, because the vulnerabilities found are rated high risk. But VMware is one of the pillars of the virtual machine world. Do not worry too much; a good product should have room for improvement.

Product background: Workspace ONE Access, (formerly VMware Identity Manager), provides multi-factor authentication, conditional access and single sign-on to SaaS, web and …

Vulnerability details: VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector are vulnerable to command injection in the administrative configurator. Do not underestimate this design fault just because the attacker requires admin credentials: when an attacker successfully exploits this vulnerability, it can compromise all back-end Windows domain controllers and critical systems. Currently only a workaround is provided by the vendor. The goal of the workaround is to harden the web server config file and enforce access control. For example, it is recommended to use the "su" function instead of root. If you are interested in the details, please refer to the diagram.

Official announcement:

VMware – https://kb.vmware.com/s/article/81731

CERT Coordination Center – https://kb.cert.org/vuls/id/724367

VMware ESXi, Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (24-11-2020)

Preface: A use-after-free scenario can occur when "the memory in question is allocated to another pointer validly at some point after it has been freed."

Background: If there is a process named vmware-vmx[.]exe in the process list, then there is a virtual machine that is currently powered on. The Virtual Machine Monitor (VMM) process is in charge of managing the virtual machine memory and transfers virtual machine storage and network I/O requests to the VMkernel. All other I/O requests, which are not critical to performance, are forwarded by the VMM to VMX.

Vulnerability details: Use-after-free vulnerability in XHCI USB controller (CVE-2020-4004): VMware ESXi contains a use-after-free vulnerability in the XHCI USB controller. VMware ESXi also contains a privilege-escalation vulnerability (CVE-2020-4005) that exists in the way certain system calls are managed. A malicious actor with privileges within the VMX process only may escalate their privileges on the affected system. Successful exploitation of this issue requires chaining it with another vulnerability (e.g. CVE-2020-4004). If the attacker successfully exploits both vulnerabilities, they can manipulate the entire system, including all VM guest OSes.

Official announcement (workarounds): https://www.vmware.com/security/advisories/VMSA-2020-0026.html

Buffer overflows are difficult to avoid; they can easily happen!

Preface: There are two primary types of buffer overflow vulnerabilities: stack overflow and heap overflow.

Product background: The administrative command-line client is a program that runs on a file server, workstation, or mainframe. It is installed as part of the Tivoli Storage Manager server installation process. The administrative client can be accessed remotely. From the administrative client, you can issue any server command.

Vulnerability details: The PoC shows that you can do the following on IBM Tivoli Storage Manager: in the "id" field, paste the contents of the proof-of-concept text file (xxx.txt) and press "ENTER".

The example below is the essential command. The details that follow explain how to execute the above syntax.

Official reference: You can bypass this batch mode double quotation mark restriction for Windows clients by using the backslash (\) escape character. For example, on the OBJECTS parameter of the DEFINE CLIENTACTION command, you could enter the string with the \ character preceding the double quotation marks in the command.

dsmadmc -id=admin -password=admin define clientaction test_node domain=test_dom action=restore objects='\"C[:]\program files\test*\"'

The PoC text file details are not shown in our discussion. However, I would like to draw your attention to the function that appears in the file: the jmp esp feature. The details can be found in the picture.