Category Archives: Potential Risk of CVE

US Homeland Security urges public alert on “Ripple20” vulnerabilities (16th June 2020)

Preface: Ripple20 is the name given by researchers at JSOF to a set of 19 vulnerabilities in the Treck embedded TCP/IP stack. Baxter US, Caterpillar, Digi International, Hewlett Packard Enterprise, Intel, Rockwell Automation, Schneider Electric and Treck itself are confirmed as affected.
Many more vendors ship products built on this stack and do not yet know their actual status.

Vulnerability details:
The most severe issues allow an attacker from outside the network to take control of a device inside it, provided the device is internet facing; an attacker who already has a foothold on the local network can reach devices that are not. There are further ways to exploit these vulnerabilities; please refer to the link below.

Root cause: the most critical bug abuses the flexibility of the IP protocol, specifically the handling of incoming IPv4 fragments carried over an IP-in-IP tunnel, where the stack trusts length fields that do not agree with the bytes actually received. The stack's design dates from an era when embedded devices were rarely reachable from the Internet: the worst-case incident was a virus on a local machine, and machine-to-machine links ran over serial cables or Novell networks. It is a simple architecture, and that liberal acceptance of unusual packets is what an attacker can now exploit from the wider digital world.

Remedy: patch the Treck stack (6.0.1.67 or later) wherever your vendor provides an update. Where that is not yet possible, follow the cert.org recommendations (link below): minimise exposure of embedded devices to the Internet, block IP-in-IP and other tunnelled or anomalous IP traffic at the perimeter, and deploy IDS signatures for the malformed packets. The attached diagram shows a quick and dirty version of this network-level mitigation.
https://kb.cert.org/vuls/id/257161
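The network-level mitigation above amounts to spotting IP-in-IP traffic whose inner packet is fragmented or whose length fields disagree with what was actually received. The following parser is an added example written for this page (it is not code from JSOF, Treck or cert.org, and its category labels are its own); the sample packets are constructed inline with zeroed checksums and are not captures from any device.

```python
import struct

IPPROTO_IPIP = 4          # IANA protocol number for IPv4-in-IPv4 encapsulation
IPPROTO_UDP = 17
MF_FLAG = 0x2000          # "More Fragments" bit in the flags/fragment-offset field
FRAG_OFFSET_MASK = 0x1FFF


def parse_ipv4(buf: bytes):
    """Parse an IPv4 header; return a dict, or None if it is not a sane IPv4 header."""
    if len(buf) < 20:
        return None
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(buf) or total_len < ihl:
        return None
    return {
        "total_len": total_len,
        "more_fragments": bool(flags_frag & MF_FLAG),
        "frag_offset": (flags_frag & FRAG_OFFSET_MASK) * 8,
        "proto": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "payload": buf[ihl:],
    }


def is_fragment(hdr) -> bool:
    return hdr["more_fragments"] or hdr["frag_offset"] != 0


def classify(buf: bytes) -> str:
    """Label one raw IPv4 packet for an IDS-style rule (labels are this example's own)."""
    outer = parse_ipv4(buf)
    if outer is None:
        return "malformed"
    if outer["proto"] != IPPROTO_IPIP:
        return "outer-fragment" if is_fragment(outer) else "normal"
    inner = parse_ipv4(outer["payload"])
    if inner is None:
        return "ipip-malformed-inner"
    if inner["total_len"] > len(outer["payload"]):
        # Inner header claims more bytes than the tunnel actually carries: a length
        # inconsistency that a liberal stack might trust.
        return "ipip-length-mismatch"
    if is_fragment(inner) or is_fragment(outer):
        return "ipip-fragment"
    return "ipip-plain"


def build_ipv4(payload: bytes, proto: int, flags_frag: int = 0, total_len=None,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Build a minimal IPv4 packet for testing (checksum left zero)."""
    total = 20 + len(payload) if total_len is None else total_len
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, flags_frag, 64, proto, 0, src, dst)
    return header + payload


# Constructed sample packets (not captured from a real device)
UDP_PAYLOAD = b"\x00\x35\x00\x35\x00\x08\x00\x00"        # 8-byte UDP header, no data
SAMPLE_NORMAL = build_ipv4(UDP_PAYLOAD, IPPROTO_UDP)
SAMPLE_IPIP_FRAG = build_ipv4(build_ipv4(UDP_PAYLOAD, IPPROTO_UDP, flags_frag=MF_FLAG), IPPROTO_IPIP)
SAMPLE_IPIP_LEN = build_ipv4(build_ipv4(UDP_PAYLOAD, IPPROTO_UDP, total_len=200), IPPROTO_IPIP)

if __name__ == "__main__":
    for name, pkt in [("normal", SAMPLE_NORMAL), ("ipip-frag", SAMPLE_IPIP_FRAG), ("ipip-len", SAMPLE_IPIP_LEN)]:
        print(f"{name:10s} -> {classify(pkt)}")
```

Feeding the classifier from a pcap (for example via a raw socket or a scapy `rdpcap` loop) and alerting on anything other than "normal" or "ipip-plain" gives the same coverage as a blanket "drop IP-in-IP" rule, while still letting legitimate, well-formed tunnels through.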

Perhaps this is how it comes true – VMware Horizon Client for Windows vulnerability (CVE-2020-3961) – 12th Jun 2020

Preface: VMware's advisory gives no technical details of CVE-2020-3961, presumably to limit the impact of the vulnerability before customers have patched.

Synopsis: This vulnerability is exploited locally. The attacker must already hold valid credentials and successfully authenticate to the system; the gain is an elevation from that account to higher privileges.

Vulnerability details: VMware Horizon Client for Windows contains a privilege escalation vulnerability due to folder permission configuration and unsafe loading of libraries (VMSA-2020-0013, fixed in Horizon Client for Windows 5.4.3). In plain terms, that combination describes a DLL search-order hijack: if a folder that a privileged Horizon component searches for a library is writable by ordinary users, one of them can plant a DLL of the expected name and have it loaded with the component's privileges.

My observation: the technique sketched in the attached diagram (planting a library where a privileged process will load it) may well achieve the same result here.

Reference: a local DLL injection vulnerability was reported in the official Notepad++ software. The issue lets a local attacker place a malicious library where the application loads it, compromising the process or gaining higher privileges if the application runs with them; the same pattern applies to any Windows program that loads libraries from user-writable folders.
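The check a practitioner wants for this class of bug is an audit of the DLL search order against folder permissions. The following is an added example written for this page (not VMware's, Notepad++'s or any vendor's code): it walks the default Windows search order and flags a load as hijackable when a user-writable directory comes before (or is) the one the DLL actually resolves from, or when the DLL is missing everywhere. The paths, file list and ACL set in `run_demo` are a hypothetical scenario; a real audit would supply `os.path.exists` and icacls or Get-Acl results in their place.

```python
import ntpath
from typing import Callable, Dict, List, Optional, Set

# Default Windows DLL search order with SafeDllSearchMode on: the application's
# own directory, then the system directories, then the current directory, then PATH.
def search_order(app_dir: str, system_dir: str, windows_dir: str,
                 cwd: str, path_dirs: List[str]) -> List[str]:
    return [app_dir, system_dir, ntpath.join(windows_dir, "System"), windows_dir, cwd, *path_dirs]


def audit_dll(dll_name: str, order: List[str],
              exists: Callable[[str], bool],
              writable: Callable[[str], bool]) -> Dict[str, object]:
    """Walk the search order once. Report where the DLL resolves from, the first directory a
    low-privileged user could write to, and whether that lets the user hijack the load
    (plant earlier in the order, overwrite in place, or supply a "phantom" DLL that exists
    nowhere)."""
    plantable_in: Optional[str] = None
    resolved_in: Optional[str] = None
    for directory in order:
        if plantable_in is None and writable(directory):
            plantable_in = directory
        if exists(ntpath.join(directory, dll_name)):
            resolved_in = directory
            break
    hijackable = plantable_in is not None and (
        resolved_in is None or order.index(plantable_in) <= order.index(resolved_in))
    return {"resolved_in": resolved_in, "plantable_in": plantable_in, "hijackable": hijackable}


def run_demo() -> Dict[str, Dict[str, object]]:
    """Constructed scenario (hypothetical paths, not a real Horizon install): VendorApp's
    folder grants Modify to Users; SecureApp's does not."""
    files: Set[str] = {r"C:\Windows\System32\version.dll", r"C:\Program Files\VendorApp\app.exe"}
    user_writable: Set[str] = {r"C:\Program Files\VendorApp", r"C:\Users\alice", r"C:\Users\alice\bin"}
    exists = lambda p: p in files
    writable = lambda d: d in user_writable
    path_dirs = [r"C:\Users\alice\bin"]
    weak = search_order(r"C:\Program Files\VendorApp", r"C:\Windows\System32", r"C:\Windows",
                        r"C:\Users\alice", path_dirs)
    strong = search_order(r"C:\Program Files\SecureApp", r"C:\Windows\System32", r"C:\Windows",
                          r"C:\Users\alice", path_dirs)
    return {
        "version.dll / weak ACL": audit_dll("version.dll", weak, exists, writable),
        "missing.dll / weak ACL": audit_dll("missing.dll", weak, exists, writable),
        "version.dll / hardened ACL": audit_dll("version.dll", strong, exists, writable),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:28s} {result}")
```

The first two cases are the shape of the Horizon and Notepad++ reports: a library the application expects to find in System32 can be shadowed from the writable application folder, and a DLL the application probes for but never ships can be supplied outright. The third case shows that tightening the folder ACL alone closes the hole, which is why "folder permission configuration" appears in the advisory text.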

Official announcement – please refer following link https://www.vmware.com/security/advisories/VMSA-2020-0013.html

US Homeland Security alert – design weakness of Universal Plug and Play – 9th Jun 2020

Preface: Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi …

Review historical event: Mirai is an IoT botnet designed to exploit default credentials and vulnerabilities in IoT devices for use in large-scale DDoS attacks. In September 2016 Mirai launched a record DDoS attack, and in October 2016 a massive attack on the DNS provider Dyn disrupted its services and the many sites that depended on it. UPnP-exposed devices are exactly the kind of fleet such botnets recruit.

Design weakness on Universal Plug and Play (CVE-2020-12695): The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

Concerns by security experts: the attacker sends a specially crafted HTTP SUBSCRIBE request to a vulnerable device, naming an arbitrary CALLBACK URL, and the device then sends its event notifications there. Pointed at a victim outside the LAN, that turns Internet-exposed devices into DDoS reflectors; pointed at internal addresses, it can be used to scan internal ports or to push data out past a data-loss-prevention boundary. For more details, please refer to the official article at the following URL – https://www.kb.cert.org/vuls/id/339275
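The fix in the 2020-04-17 errata is a single check on the delivery URL. The following is an added example written for this page (not code from the Open Connectivity Foundation, any device vendor or the CallStranger researchers): it parses a SUBSCRIBE request, shows the pre-errata acceptance rule beside the hardened one, and uses the CIDR prefix of the device's own address to stand in for "the same network segment as the event-subscription URL", which is this example's interpretation. The two requests are constructed, not captured.

```python
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlparse


def parse_subscribe(raw: str) -> Dict[str, str]:
    """Parse a UPnP SUBSCRIBE request; header names are returned lower-cased."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    if lines[0].split(" ")[0] != "SUBSCRIBE":
        raise ValueError("not a SUBSCRIBE request")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def callback_urls(headers: Dict[str, str]) -> List[str]:
    # CALLBACK carries one or more <url> entries; every one of them receives each NOTIFY,
    # which is why a single subscription can fan out to several targets.
    return re.findall(r"<([^>]+)>", headers.get("callback", ""))


def vulnerable_accept(headers: Dict[str, str]) -> bool:
    """Pre-errata behaviour: any well-formed http URL is accepted as a delivery target."""
    urls = callback_urls(headers)
    return bool(urls) and all(urlparse(u).scheme == "http" and urlparse(u).hostname for u in urls)


def hardened_accept(headers: Dict[str, str], device_network: str) -> bool:
    """Errata behaviour: every delivery URL must be an IP literal inside the device's own
    segment (`device_network`, a CIDR prefix, is this example's stand-in for that segment)."""
    urls = callback_urls(headers)
    if not urls or headers.get("nt") != "upnp:event":
        return False
    net = ipaddress.ip_network(device_network, strict=False)
    for u in urls:
        p = urlparse(u)
        if p.scheme != "http" or not p.hostname:
            return False
        try:
            addr = ipaddress.ip_address(p.hostname)
        except ValueError:
            return False      # a hostname could resolve to anything; reject it
        if addr not in net:
            return False
    return True


# Constructed requests (not captured traffic). The device's own event-subscription URL is
# http://192.168.1.10:49152/evt, so its segment is taken to be 192.168.1.0/24.
DEVICE_NET = "192.168.1.0/24"
LAN_SUBSCRIBE = ("SUBSCRIBE /evt HTTP/1.1\r\nHOST: 192.168.1.10:49152\r\n"
                 "CALLBACK: <http://192.168.1.20:8080/notify>\r\nNT: upnp:event\r\n"
                 "TIMEOUT: Second-1800\r\n\r\n")
EVIL_SUBSCRIBE = ("SUBSCRIBE /evt HTTP/1.1\r\nHOST: 192.168.1.10:49152\r\n"
                  "CALLBACK: <http://203.0.113.5:80/><http://10.0.0.7:22/>\r\nNT: upnp:event\r\n"
                  "TIMEOUT: Second-1800\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("lan", LAN_SUBSCRIBE), ("evil", EVIL_SUBSCRIBE)]:
        h = parse_subscribe(req)
        print(f"{name}: vulnerable={vulnerable_accept(h)} hardened={hardened_accept(h, DEVICE_NET)}")
```

The "evil" request illustrates both abuses in one header: an Internet address that would be flooded with NOTIFY traffic, and an internal address and port that the device would probe on the attacker's behalf. Until firmware with the errata check arrives, the equivalent control at the network edge is to block outbound connections originating from UPnP-capable devices and to never expose their event ports to the Internet.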

US Homeland Security alert – unpatched MS systems vulnerable to CVE-2020-0796 (5th Jun 2020)

Preface: On 11th Mar 2020 Microsoft released security advisory ADV200005 for a remote code execution vulnerability (CVE-2020-0796) in the compression feature of Microsoft Server Message Block 3.1.1 (SMBv3), followed by the out-of-band fix KB4551762 on 12th Mar 2020.

Synopsis: Proof-of-concept code for the vulnerability is now public. To exploit a server, the attacker sends a specially crafted compressed packet to a targeted SMBv3 server (refer to attached diagram); to exploit a client, the attacker lures it into connecting to a malicious SMBv3 server. Because no authentication is required, the result could resemble the WannaCry and NotPetya outbreaks of 2017, which used the EternalBlue exploit for SMBv1 to spread worm-like.
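What makes the crafted packet "special" is its compression transform header. The following is an added example written for this page (not Microsoft's code or any published exploit): it decodes the SMB2 COMPRESSION_TRANSFORM_HEADER layout from MS-SMB2 and flags the condition that public analyses of CVE-2020-0796 describe, namely a 32-bit sum of OriginalCompressedSegmentSize and Offset that wraps around. It only inspects headers; it does not build a working exploit. The two messages are constructed, not captured.

```python
import struct

SMB2_COMPRESSION_TRANSFORM_ID = b"\xfcSMB"   # ProtocolId of a compressed SMB2 message
ALGORITHMS = {0x0000: "NONE", 0x0001: "LZNT1", 0x0002: "LZ77", 0x0003: "LZ77+Huffman"}
U32_MAX = 0xFFFFFFFF


def parse_transform_header(buf: bytes):
    """COMPRESSION_TRANSFORM_HEADER (MS-SMB2 2.2.42), little-endian:
    ProtocolId(4) OriginalCompressedSegmentSize(4) CompressionAlgorithm(2) Flags(2)
    Offset/Length(4). The last field is an Offset unless the chained flag is set."""
    if len(buf) < 16 or buf[:4] != SMB2_COMPRESSION_TRANSFORM_ID:
        return None
    orig_size, algo, flags, offset = struct.unpack("<IHHI", buf[4:16])
    return {"original_size": orig_size, "algorithm": ALGORITHMS.get(algo, f"0x{algo:04x}"),
            "flags": flags, "offset": offset, "payload_len": len(buf) - 16}


def check_transform_header(buf: bytes) -> str:
    """Return a label for one SMB2 message (labels are this example's own)."""
    hdr = parse_transform_header(buf)
    if hdr is None:
        return "not-compressed"
    # Public analyses of CVE-2020-0796 describe the server sizing its decompression buffer
    # as OriginalCompressedSegmentSize + Offset in 32-bit arithmetic without an overflow
    # check; a sum that exceeds 2^32 - 1 is therefore the signature to watch for.
    if hdr["original_size"] + hdr["offset"] > U32_MAX:
        return "overflow-suspect"
    if hdr["offset"] > hdr["payload_len"]:
        return "offset-beyond-payload"
    return "ok"


def build_transform(original_size: int, offset: int, payload: bytes,
                    algorithm: int = 0x0001, flags: int = 0) -> bytes:
    return SMB2_COMPRESSION_TRANSFORM_ID + struct.pack("<IHHI", original_size, algorithm, flags, offset) + payload


# Constructed messages (not real captures)
BENIGN = build_transform(0x1000, 0, b"\x00" * 32)
SUSPECT = build_transform(0xFFFFFFF0, 0x20, b"\x00" * 32)

if __name__ == "__main__":
    for name, msg in [("benign", BENIGN), ("suspect", SUSPECT)]:
        print(f"{name:8s} {parse_transform_header(msg)} -> {check_transform_header(msg)}")
```

A network sensor that sees TCP 445 can apply `check_transform_header` to every message beginning with `\xfcSMB`; on a patched or compression-disabled server such messages should never be accepted at all, so their mere presence from the Internet is already worth an alert.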

Workarounds: disable SMBv3 compression on servers, as shown at the bottom of the attached diagram: set the DWORD value DisableCompression to 1 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters (no reboot is needed). This protects only the server side; SMB clients are protected only by the patch.

Remedy solution by Microsoft – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

CISA urges the public – Although Microsoft disclosed and provided updates for this vulnerability in March 2020, malicious cyber actors are targeting unpatched systems with the new PoC, according to recent open-source reports. CISA strongly recommends using a firewall to block SMB ports (TCP 445) from the Internet and applying patches for critical- and high-severity vulnerabilities as soon as possible.

If not required, it is better to turn off Bluetooth before your hardware vendor patches – 26th May 2020

Preface: Bluetooth-enabled consumer electronics such as mobile phones and cameras simplify data sharing between devices. For instance, a smartphone can wirelessly connect to a headset for hands-free calling, or send pictures to another phone.

Background: The Bluetooth market has changed dramatically in the past three to four years, perhaps driven by the potential of the smart home. If you are moving a lot of data or streaming media, a Bluetooth BR/EDR (Classic) link is the one in use, and that is the mode this vulnerability concerns.

Vulnerability details (the BIAS attack, CVE-2020-10135): An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device and successfully complete the authentication procedure without knowing the link key. In practice your neighbour could mount this kind of man-in-the-middle attack from the other side of the wall, since only radio range is required. With the attack method published so far, the attacker relies on third-party development hardware and a Linux machine (refer to attached diagram), so the bar is not high for a determined adversary. If you do not use Bluetooth frequently, I recommend turning it off (BR/EDR in particular) until a patch is available.

Official announcement – please refer to following link https://kb.cert.org/vuls/id/647177

Weekly security focus – memory leak vulnerability in VMCI module (CVE-2020-3959)

Preface: TCP / IP design restrictions have introduced security vulnerabilities to transport protocols.

Security focus: Memory leak vulnerability in VMCI module (CVE-2020-3959) – VMware ESXi, Workstation and Fusion contain a memory leak vulnerability in the VMCI (Virtual Machine Communication Interface) module. A malicious actor with local non-administrative access to a virtual machine may be able to crash that virtual machine's vmx process, which VMware describes as a partial denial of service.

Possible root cause (my speculation; VMware's advisory gives no technical detail): the attacker sends malformed packets whose protocol field is null, and the VMCI module lets such a packet in as an unclassified one. A caveat before reading on: VMCI is a hypervisor-provided guest-to-host datagram and socket interface, not an IP transport, so the IP analogy that follows describes the general failure mode rather than the specific bug. Although the null value in the IPv4 Protocol field is nowadays reserved for the IPv6 Hop-by-Hop Option (HOPOPT), not every server can receive and correctly process such a packet, and if such packets arrive in large quantities their analysis consumes a large share of system resources, or exhausts them entirely and causes a failure. A memory leak on a malformed-input path is the same pattern: each bad packet leaves a little memory behind until the process dies.

Remark: According to RFC 791, the IP packet header must identify its transport-level protocol in the Protocol field.

Official details please find follow link: https://www.vmware.com/security/advisories/VMSA-2020-0011.html

NSA pre-emptively curbs a threat – exploitation of an Exim design weakness – 29th May 2020

Preface: The severity depends on your configuration, said the vendor in June 2019: it depends on how close to the standard configuration your Exim runtime configuration is.

Headline news on 28th May 2020 – The National Security Agency (NSA) has released a cybersecurity advisory on the Russian advanced persistent threat (APT) group Sandworm exploiting a vulnerability, CVE-2019-10149, in the Exim Mail Transfer Agent (MTA) software. Exim is widely deployed, partly because it is open source and the default MTA on some Linux distributions. An unauthenticated remote attacker can use this vulnerability to send a specially crafted email that executes commands with root privileges, allowing the attacker to install programs, modify data and create new accounts.

The design weakness origin: The vulnerability affects Exim 4.87 through 4.91 and was fixed in Exim 4.92, released on 10th February 2019. The vulnerable code is in deliver_message() in src/deliver.c, where a recipient address is passed through Exim's string expansion without being fully validated. Exim's expansion language includes ${run{...}}, which executes a command, so an attacker simply sends mail to a recipient of the form ${run{...}}@localhost; because localhost is a local domain of Exim, the message is delivered locally and the command runs as root. Local exploitation is instantaneous; remote exploitation against the default configuration is also possible but slower, and some non-default configurations make it trivial.
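Because the payload travels in the envelope recipient, it also lands in Exim's main log, which makes after-the-fact hunting straightforward. The following detector is an added example written for this page (not Exim's, Qualys's or the NSA's code): it scans message-arrival lines of the form `<= sender ... [ip] ... for recipient` for a `${run{` expansion, decoding the `\xHH` escapes that Exim's expander accepts and that attackers use to write `/` without putting a literal slash in the local part. The log lines are constructed in Exim's format, not taken from a real server, and the exact log layout is assumed to be the default one.

```python
import re
from typing import Dict, List

# ${run{cmd}} is Exim's expansion item for running a command; a recipient local part that
# contains it is never legitimate. Exim expansions also accept \xHH escapes, which lets an
# attacker write '/' as \x2f to slip past local-part character checks, so decode them
# before inspecting the address.
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
RUN_EXPANSION = re.compile(r"\$\{\s*run\s*\{")
# Message-arrival lines: "<ts> <id> <= <sender> ... [<ip>] ... for <recipients>"
ARRIVAL = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) .*?\[(?P<ip>[0-9a-fA-F.:]+)\].*? for (?P<rcpt>.+)$")


def decode_escapes(text: str) -> str:
    text = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return text.replace("\\t", "\t").replace("\\n", "\n")


def scan_mainlog(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per arrival line whose recipient carries a ${run{...}} expansion."""
    hits = []
    for line in lines:
        m = ARRIVAL.match(line.strip())
        if not m:
            continue
        decoded = decode_escapes(m.group("rcpt"))
        if RUN_EXPANSION.search(decoded):
            hits.append({"ts": m.group("ts"), "id": m.group("id"), "ip": m.group("ip"),
                         "sender": m.group("sender"), "rcpt": m.group("rcpt"), "decoded": decoded})
    return hits


# Constructed mainlog lines in Exim's format (not from a real server).
SAMPLE_LOG = [
    r"2020-05-28 10:14:02 1je9AA-0001Xk-2P <= bounce@example.net H=(mail.example.net) [198.51.100.23] P=esmtp S=512 for alice@localhost",
    r'2020-05-28 10:14:09 1je9AB-0001Xm-3Q <= attacker@example.org H=(x) [203.0.113.9] P=esmtp S=611 for ${run{\x2fbin\x2fsh\t-c\t"id"}}@localhost',
    r"2020-05-28 10:14:10 1je9AB-0001Xm-3Q => alice <alice@localhost> R=localuser T=local_delivery",
]

if __name__ == "__main__":
    for hit in scan_mainlog(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["sender"]} -> {hit["decoded"]!r}')
```

Run it over `/var/log/exim4/mainlog*` (or wherever your distribution keeps them) on any host that ran 4.87 to 4.91 while exposed to the Internet; a hit is evidence of an attempt, and the message ID lets you pull the matching delivery lines to see whether the command actually ran.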

Action: Apply Exim updates immediately (the NSA advisory recommends installing version 4.93 or newer).

NSA official announcement – https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf

Critical Android bug in 8, 8.1 and 9 (CVE-2020-0096) – 27th May 2020

Preface: As of April 2020, 37.4% of Android devices run Pie, making it the most popular Android version.

Vulnerability details: A critical elevation-of-privilege vulnerability in Android (CVE-2020-0096) allows a malicious app on the phone to hijack nearly any other app, and it is much harder to detect than its predecessor; Promon named it StrandHogg 2.0. For more details, please refer to the following link: https://promon.co/strandhogg-2-0/

Closer look at the vulnerability: The bug is called StrandHogg 2.0 because it resembles the original StrandHogg bug that Promon disclosed the year before. Like the original, a malicious app installed on a device can hide behind legitimate apps: when the user taps a legitimate app's icon, the malicious app's screen is shown instead and can harvest the credentials typed into it, or request permissions under the legitimate app's identity. Unlike the original, 2.0 does not rely on the taskAffinity attribute in the manifest (it is performed through reflection at runtime), which is why it leaves fewer traces for scanners to detect.

Official announcement – Android Security Bulletin May 2020: https://source.android.com/security/bulletin/2020-05-01

Under our investigation – one could potentially recover developer-defined permissions by examining the permission checks in application code and the filters declared in the application manifest. Stay tuned!

Security focus – BIND vulnerability (CVE-2020-8616) – 20th May 2020

Preface: BIND is open source software that enables you to publish your Domain Name System (DNS) information on the Internet, and to resolve DNS queries for your users.

About traditional DNS attacks: An example of a DoS attack is the SYN flood, which uses the TCP SYN packet to create half-open TCP connections on the server, leaving the server with a massive pool of half-open connections and unable to accept any more from legitimate hosts.

Vulnerability details: Recursion refers to the process of having the DNS server itself make queries to other DNS servers on behalf of the client who made the original request.
In order for a server performing recursion to locate records in the DNS graph it must be capable of processing referrals, such as those received when it attempts to query an authoritative server for a record which is delegated elsewhere. Before the fix, BIND did not sufficiently limit the number of fetches performed while processing a referral, so an attacker who controls a zone can answer with a referral listing many nameserver names without glue, forcing the resolver to issue extra queries for each one. This can degrade the performance of the recursive server itself or be used to flood a third party's authoritative server (the technique publicly known as NXNSAttack). ISC's fix (BIND 9.11.19, 9.14.12 and 9.16.3) caps the fetches performed per referral. Official announcement at this URL: https://kb.isc.org/docs/cve-2020-8616

Additional vulnerability fixed in the same releases: CVE-2020-8617, a logic error in TSIG validity checking that lets a crafted request trigger an assertion failure in tsig.c. https://kb.isc.org/docs/cve-2020-8617
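The amplification in the referral bug is easiest to see in a small model of the exchange. The following is an added example written for this page (not ISC's or BIND's code, and not the NXNSAttack researchers' tooling): it constructs a referral from an attacker-controlled zone whose nameserver names sit under a victim's domain without glue, then counts the queries a recursive resolver emits per authoritative server, with and without a per-referral fetch cap. The cap value passed in is arbitrary; the limit BIND actually applies is not assumed here.

```python
from typing import Dict, List, Optional


def make_referral(from_server: str, ns_domain: str, ns_count: int, with_glue: bool) -> Dict:
    """Constructed referral: `from_server` answers "not here, ask these NS names". Without
    glue, each NS name must itself be resolved before any of them can be queried."""
    names = [f"ns{i}.{ns_domain}" for i in range(ns_count)]
    glue = {n: f"192.0.2.{i % 250 + 1}" for i, n in enumerate(names)} if with_glue else {}
    return {"from_server": from_server, "ns": names, "glue": glue}


def process_referral(referral: Dict, max_fetches: Optional[int]) -> Dict[str, int]:
    """Simulate a recursive resolver processing one referral; return outbound queries per
    authoritative server. An NS name is resolved by asking the server for its parent
    domain. max_fetches=None models the unbounded pre-fix behaviour; an integer models
    the cap that the fix imposes."""
    sent: Dict[str, int] = {referral["from_server"]: 1}   # the query that drew the referral
    fetches = 0
    for ns in referral["ns"]:
        if ns in referral["glue"]:
            continue                        # address came with the referral, nothing to fetch
        if max_fetches is not None and fetches >= max_fetches:
            break                           # capped: stop resolving further NS names
        auth_for_ns = ns.split(".", 1)[1]   # e.g. ns7.victim.example -> victim.example
        sent[auth_for_ns] = sent.get(auth_for_ns, 0) + 1
        fetches += 1
    return sent


def amplification_factor(ns_count: int, max_fetches: Optional[int]) -> int:
    """Queries the resolver emits for one attacker query when the NS names live under the victim."""
    sent = process_referral(make_referral("attacker.example", "victim.example", ns_count, False), max_fetches)
    return sum(sent.values())


if __name__ == "__main__":
    for cap in (None, 5):
        sent = process_referral(make_referral("attacker.example", "victim.example", 1000, False), cap)
        print(f"cap={cap}: {sent}")
```

With no cap, one query from the attacker's client makes the resolver send a thousand queries at the victim's authoritative server; with a cap it sends five. Real resolvers also look up AAAA records, so the uncapped factor is in practice higher than this IPv4-only model shows.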

VMware Cloud Director updates address Code Injection Vulnerability (CVE-2020-3956) – 22nd May 2020

Preface: Don’t underestimate vulnerability classes discovered in the past; they will still cause trouble for your cloud or system.

Background: VMware vCloud Director (now VMware Cloud Director) is a management tool for private and hybrid cloud architectures. The top industries using it are financial services, insurance program managers and business technology service providers.

Vulnerability details: VMware published advisory VMSA-2020-0010 on May 19, 2020, urging customers to patch immediately or apply the workaround. The vendor describes a code injection vulnerability in VMware Cloud Director: the product fails to properly handle input, and an authenticated actor may be able to send malicious traffic that leads to arbitrary remote code execution, reachable through the HTML5 and Flex UIs, the API Explorer and API access. Affected versions are vCloud Director 10.0.x, 9.7.x, 9.5.x and 9.1.x. For more details, please refer to the following URL: https://www.vmware.com/security/advisories/VMSA-2020-0010.html

Our observation: Reading the vendor's workaround (link below), the references to a JAR file (org.apache.bval.bundle) and to an ELF class suggest one route to arbitrary code execution: the class-parameter-to-getClass gadget in the Apache Commons BeanUtils library. That is an inference from the file names in the workaround, not something VMware has confirmed; the advisory itself does not say which input or component is injectable. Either way, we suggest patching immediately. For more details, please refer to the following URL: https://kb.vmware.com/s/article/79091