Category Archives: Potential Risk of CVE

Cisco security advisory – Multiple Vulnerabilities in Cisco UCS Director and Cisco UCS Director Express for Big Data (17-Apr-2020)

Preface: The protocols and interfaces used by the controller to communicate with the application layer are called the Northbound Interface. Protocols used for communication between the controller and the forwarding nodes are called the Southbound Interface. Northbound communication is used to retrieve information from, or send instructions to, the controller using APIs.

Vulnerability details: Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For details, please refer to the official announcement – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E

Other potential impact: The application entry point to an SDN deployment is through the controller via the Northbound Interface (NBI). If that communication uses REST APIs that lack proper protection, the PUT method can be used to alter configurations or add malicious files that can in turn alter other devices. These attacks relate to communication over either the Northbound Interface (NBI) or the Southbound Interface (SBI). Some attacks relate to the software itself. For details, please refer to the attached drawings.

Security Focus – April 2020 (Oracle security alert – cve-2020-2959)

Preface: Perhaps you have a similar feeling every time you read a cyber security announcement from Oracle. The first impression is that there are too many items. Reading into the details, some items make it clear that the remediation process will be a long one!

Vulnerability detail: An unspecified vulnerability in the Analytics Web General component of Oracle BI Publisher. This easily exploitable vulnerability could allow an unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. A successful attack on this vulnerability can result in takeover of Oracle Business Intelligence Enterprise Edition. (CVE-2020-2950)

Observation: Since the official announcement does not describe the details, we did our own analysis. The online Catalog Manager might fail to connect to Oracle BI Presentation Services when the HTTP web server for Oracle Business Intelligence is enabled for SSO. When you enable SSO, the Oracle Business Intelligence URL becomes protected, and you must point the online Catalog Manager to the URL instead. That URL should remain unprotected. It is configured only to accept SOAP access, as used by Oracle BI Publisher, the Oracle BI Add-in for Microsoft Office, and the online Catalog Manager.

Potential risk or vulnerability – Session replay attacks are specifically aimed at websites and other systems that generate and store sessions.

Official announcement – https://www.oracle.com/security-alerts/cpuapr2020.html

Security Focus – intel modular server (mfs2600kispp) vulnerability – 14th Apr 2020

Preface: The global data center blade server market is projected to grow at a CAGR of 8.35% during the forecast period, reaching a total market size of US$23.535 billion in 2025, up from US$14.548 billion in 2019, according to ResearchAndMarkets.com.

Vulnerability details:

• Improper buffer restrictions may allow an authenticated attacker to potentially enable escalation of privilege via local access (CVE-2020-0600)
• Improper condition checks may allow an unauthenticated attacker to potentially enable escalation of privilege via adjacent access (CVE-2020-0578)

Observation: Coincidentally, a Cisco blade server showed a similar symptom in 2015. Did they encounter the same problem?

Synopsis: As DRAM manufacturing scales down chip features to smaller physical dimensions, to fit more memory capacity onto a chip, it has become harder to prevent DRAM cells from interacting electrically with each other. As a result, accessing one location in memory can disturb neighbouring locations, causing charge to leak into or out of neighbouring cells.

Official announcement: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00351.html

To infinity…and beyond! VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service – CVE-2020-3952

Preface: VMware announced that the external Platform Services Controller architecture is deprecated and will not be available in future releases.

Background: Authentication and certificate management is handled by the Platform Services Controller.

See the attached diagram: in the original design, the Platform Services Controller was placed in a standalone box. It is advised to put them together (a vCenter Server with an Embedded Platform Services Controller). From a cyber security protection perspective, this remedy reduces the attack surface. Before the embedded design, there were a lot of matters to worry about. For instance, TLS. The LDAP directory is available on port 389. The service still uses port 11711 for backward compatibility with vSphere 5.5 and earlier systems.
In essence, organizations are being asked to add LDAP channel binding and LDAP signing configuration changes to make authentication via LDAP on Active Directory Domain Controllers more secure. Currently, out-of-the-box LDAP configurations are subject to an elevation-of-privilege vulnerability, which could be exploited via a “man-in-the-middle” attack.

Official announcement – https://www.vmware.com/security/advisories/VMSA-2020-0006.html

Security Focus – Juniper Networks (9th April 2020)

Preface: Technology cannot fight the coronavirus at the moment.
Easter commemorates the resurrection of Jesus from the dead.
I wish that humanity can manage to fight it all. Compared with the coronavirus, a vulnerability in a computer system looks easy to resolve.

Security focus – Juniper Network product:

A privilege escalation vulnerability in Juniper Networks Junos OS devices configured with dual Routing Engines (RE), Virtual Chassis (VC) or a high-availability cluster may allow a local authenticated low-privileged user with access to the shell to perform unauthorized configuration modification. This issue does not affect Junos OS devices with a single RE or a stand-alone configuration.

My observation: Refer to the attached diagram; below is supplementary information.

Fundamental
/bin/sh is an executable representing the system shell. In practice, it is usually implemented as a symbolic link pointing to the executable of whichever shell is the system shell.
Since it is a bash file, the commands inside it will be executed, and if we execute the file as root, then all the commands inside it will also be executed as root. So, let’s take advantage of that and append /bin/bash -i to the file. This will execute bash as root, which in turn will open the root shell.

Official announcement of this matter (JunOS vulnerability) – https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11010&cat=SIRT_1&actp=LIST

CVE-2020-10808 Vesta Control Panel Authenticated Remote Code Execution 6th April 2020

Preface: Dockerized Vesta Control Panel, aka vestacp. You can download the Vesta source code and modify it the way you want. You are totally free to do so, as Vesta is licensed under the GPL.

Background: You are able to install and configure VestaCP on an Alibaba Cloud Elastic Compute Service (ECS) instance running CentOS 7.

Vulnerability details: The proof of concept by Metasploit shows that a low-privileged authenticated user can execute arbitrary commands in the context of the root user. An authenticated attacker with low privileges can inject a payload into a file name that starts with a dot. During the user backup process, this file name will be evaluated by the v-user-backup bash script. As a result of that backup process, when an attacker tries to list existing backups, the injected payload will be executed.
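A defensive counterpart to the pattern described above, added here as an example and not code from VestaCP or the Metasploit module: a POSIX shell listing of a user's backup files, dotfiles included, that only ever handles file names as quoted data and never lets them reach the shell parser. The directory layout and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not VestaCP code). The advisory describes a file name that is
# evaluated by a backup script, so shell metacharacters in the name run as
# commands. Here every name is only ever a quoted argument or a redirection
# operand, so '$(...)', ';' and '`' inside a name stay inert.

# list_backups DIR: print one backup file name per line, dotfiles included.
list_backups() {
    dir=$1
    # Three globs cover names starting with ".x", "..x" and regular names.
    for path in "$dir"/.[!.]* "$dir"/..?* "$dir"/*; do
        [ -e "$path" ] || continue          # skip globs that matched nothing
        # printf '%s' prints the name literally; echo would parse some names.
        printf '%s\n' "${path##*/}"
    done
}

# backup_size_bytes DIR: total size of all backup files in bytes.
backup_size_bytes() {
    dir=$1
    total=0
    for path in "$dir"/.[!.]* "$dir"/..?* "$dir"/*; do
        [ -f "$path" ] || continue
        # The name is a redirection operand, never part of a command string.
        size=$(wc -c < "$path" | tr -d ' ')
        total=$((total + size))
    done
    printf '%s\n' "$total"
}

# Constructed demo input: one benign archive and one name that carries a
# command substitution, which must be printed, not executed.
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/user.2020-04-06.tar"
: > "$demo_dir/.\$(echo injected)"
list_backups "$demo_dir"
rm -rf -- "$demo_dir"
```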

Remedy – A remedy does not appear to have been released yet; it is suggested to watch the official announcements. https://forum.vestacp.com/viewforum.php?f=25

Staying alert! – Mozilla Patches Critical Vulnerabilities in Firefox, Firefox ESR (3rd Apr 2020)

Preface: According to 2020 market statistics, Firefox’s market share is only 9.25%, while Chrome has 68.11% coverage. However, I like Firefox.

How does Firefox’s memory allocator work?

Firefox uses a memory allocator called mozjemalloc. There are two properties that cyber security experts have focused on so far!

– In essence, a chunk is broken into several runs. [PSJ]

– Each run holds regions of a specific size. [TSOF]

– A feature of jemalloc is that it operates in a last-in-first-out (LIFO) manner: a free, followed by a garbage collection and a subsequent allocation request for the same size, most likely ends up in the freed region.

Vulnerability details: CVE-2020-6819 is a use-after-free vulnerability due to a race condition when the nsDocShell destructor is running. CVE-2020-6820 is a use-after-free vulnerability due to a race condition in the ReadableStream class, which is used to read a stream of data.

Official announcement – https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/

Why does US Homeland Security urge the public to stay alert about the vulnerability in DrayTek devices? 3rd April 2020

Preface: A conspiracy was leaked this week: someone ambitious is spying on the world.

Details: Today, espionage activities exploit computer technology as their first approach. This merely relies on design weakness. Yes, it is the vulnerability. When I read the conspiracy details, I wondered whether the formulation of this design (see attached diagram) aims to do a DDoS. Perhaps this is not a perfect way. However, US Homeland Security urges US citizens to stay alert about the vulnerability found in DrayTek devices. As everyone knows, today’s Tor network cannot perfectly hide the whereabouts of hackers, because law enforcement has already shut down proxy servers on the network. Besides, attackers also worry about whether a proxy server has a monitoring function. From the attacker’s viewpoint, they should perfectly hide themselves. Referring to the attached diagram, the new formulation of the botnet technique will exploit the new vulnerability found in IoT devices as a component. It looks like a plug-in module.

There are two types of operating system that sit under the SDK. Low-cost and lower-specification routers will use an RTOS. Since a low-end router cannot fulfill their requirements, perhaps the VPN router is the correct target, because compromised VPN routers forming a botnet group can compensate for the current resource outage in the Tor network.

Immediate action: Multiple vulnerabilities have been discovered in DrayTek devices which could allow arbitrary code execution. If you are a DrayTek customer, please upgrade immediately. https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)

If you are using the Adobe Creative Cloud Desktop Application for Windows, you should update immediately. 24th Mar 2020

Preface: Maybe the software vendor didn’t disclose it explicitly, but you will be interested in reviewing this concept.

Background: Adobe Creative Cloud is a set of applications and services from Adobe Inc. that gives subscribers access to a collection of software used for graphic design, video editing, web development and photography, along with a set of mobile applications and some optional cloud services. The Creative Cloud desktop application is installed automatically when you download your first Creative Cloud product. If you have Adobe Application Manager installed, it auto-updates to the Creative Cloud desktop application.

Vulnerability Details: Creative Cloud Desktop Application versions 4.6.1 and earlier have a “using components with known vulnerabilities” vulnerability. Successful exploitation could lead to arbitrary code execution. As the software vendor did not disclose details, the vulnerability is suspected to come from the synchronization feature. See whether the diagram can provide a hint to you.

Official Announcement https://helpx.adobe.com/security/products/creative-cloud/apsb20-11.html

Microsoft Windows Type 1 font parsing remote code execution vulnerabilities – 23rd Mar 2020

Preface: To make our life easy, just rename or disable it.

Background: Type 1 is a font format that came to market around 1984, together with PostScript and the Apple LaserWriter. Perhaps ATMFD.DLL was first built into Windows 2000. Through observation, this vulnerability was caught by Google Project Zero in 2015. Over time, maybe someone has forgotten this. Therefore, the direct method is to disable it.

Impact: Stacks in computing architectures are regions of memory where data is added or removed in a last-in-first-out (LIFO) manner. In most modern computer systems, each thread has a reserved region of memory referred to as its stack. A specially crafted font is capable of operating on any data on the thread stack and has all the instructions (including arithmetic, logic, conditional, and other instructions) of the Type 1 / Type 2 Charstring instruction set at its disposal. Official announcement: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

Or, quick and dirty: right-click C:\Windows\System32\atmfd.dll, then Properties | Security | Advanced | Owner, and take ownership. Close the dialogs, go back in, and give yourself Full Control.