Preface: The Global Data Center Blade Server market is projected to grow at a CAGR of 8.35% during the forecast period, reaching a total market size of US$23.535 billion in 2025 from US$14.548 billion in 2019, said ResearchAndMarkets.com’s.

Vulnerability details:

• authenticated attackers to potentially enable escalation of privilege via local access due to improper buffer restrictions (CVE-2020-0600)
• unauthenticated attackers to potentially enable escalation of privilege via adjacent access because of improper conditions checks (CVE-2020-0578)

Observation: Coincidentally, Cisco Blade server has similar of symptom occured in 2015. Did they encounter the same problem?

Synopsis: As DRAM manufacturing scales down chip features to smaller physical dimensions, to fit more memory capacity onto a chip, it has become harder to prevent DRAM cells from interacting electrically with each other. As a result, accessing one location in memory can disturb neighbouring locations, causing charge to leak into or out of neighbouring cells.

Official announcement: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00351.html

Preface: VMware announce that the external Platform Services Controller architecture is deprecated and will not be available in future releases.

Background: Authentication and certificate management is handled by the Platform Services Controller.

See attached diagram, the platform services controller original design place in a standalone box. It is advice to put together ( a vCenter Server with an Embedded Platform Services Controller). From cyber security protection prespective, the remedy reduce the attack surface. Before embedded design, there are lot of matters for worries. For instance, TLS. LDAP directory available on port 389. The service still uses port 11711 for backward compatibility with vSphere 5.5 and earlier systems.
In essence, organizations are being asked to add LDAP channel binding and LDAP signing configuration changes to make authentications via LDAP on Active Directory Domain Controllers more secure. Currently, out-of-box LDAP configurations are subject to an elevation-of-privilege vulnerability, which could get exploited via a “man-in-the-middle” attack.

Official announcement – https://www.vmware.com/security/advisories/VMSA-2020-0006.html

Preface: Technology cannot fight against coronavirus in the moment.
Easter, commemorating the resurrection of Jesus from the dead.
Wish that human can managed to fight it all. Comparing with coronavirus. The vulnerability in computer system looks easy resolve.

Security focus – Juniper Network product:

A privilege escalation vulnerability in Juniper Networks Junos OS devices configured with dual Routing Engines (RE), Virtual Chassis (VC) or high-availability cluster may allow a local authenticated low-privileged user with access to the shell to perform unauthorized configuration modification. This issue does not affect Junos OS device with single RE or stand-alone configuration.

My observation: Refer to attach diagram, below is the information for supplement.

Fundamental
/bin/sh is an executable representing the system shell. Actually, it is usually implemented as a symbolic link pointing to the executable for whichever shell is the system shell.
Since it is a bash file so commands inside it will get executed, and if we execute the file as root, then all the commands inside it will also get executed as root. So, let’s take advantage of that and append /bin/bash -i to the file. This will execute bash as root, which in turn will open the root shell.

Official announcement of this matter (JunOS vulnerability) – https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11010&cat=SIRT_1&actp=LIST

Preface: Dockerized Vesta Control Panel aka vestacp. You can download vesta source code and modify it the way you want. You are totally free to do it so to Vesta is licensed under GPL

Background: You are able to install and configure VestaCP on an Alibaba Cloud Elastic Compute Service (ECS) instance with CentOS 7

Vulnerability details: The proof of concept by Metasploit that a Low privileged authenticated users can execute arbitrary commands under the context of the root user. An authenticated attacker with a low privileges can inject a payload in the file name starts with dot. During the user backup process, this file name will be evaluated by the v-user-backup bash scripts. As result of that backup process, when an attacker try to list existing backups injected payload will be executed.

Remedy – Remedy looks not release yet, it is suggested to focus in official announcement. https://forum.vestacp.com/viewforum.php?f=25

Preface: According on 2020 market statistic, FireFox market share only 9.25%. But Chrome has 68.11% coverage. However I like FireFox.

How Firefox’s memory allocator works?

Firefox uses a memory allocator called moz jemalloc. There are two properties which focus by cyber security expert so far!

[PSJ] – In essence, a chunk is broken into several runs.

– Each run holds regions of a specific size. [TSOF]

– The feature of jemalloc is that it operates in a last-in-first-out (LIFO) manner, a free followed by a garbage collection and a subsequent allocation request for the same size, most likely ends up in the freed region.

Vulnerability details: CVE-2020-6819 is a use-after-free vulnerability due to a race condition when the nsDocShell destructor is running. CVE-2020-6820 is a use-after-free vulnerability due to a race condition in the ReadableStream class, which is used to read a stream of data.

Official announcement – https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/

Preface: Maybe the software vendor didn’t disclose it explicitly. But you will be interested review this concept.

Background: Adobe Creative Cloud is a set of applications and services from Adobe Inc. that gives subscribers access to a collection of software used for graphic design, video editing, web development, photography, along with a set of mobile applications and also some optional cloud services. The Creative Cloud desktop application is instralled automatically when you download your first Creative Cloud product. If you have Adobe Application Manager installed, it auto-updated to the Creative Cloud desktop application.

Vulnerability Details: Creative Cloud Desktop Application versions 4.6.1 and earlier have a using components with known vulnerabilities vulnerability. Successful exploitation could lead to arbitrary code execution. As the software vendor did not disclose details. The vulnerability is suspected to come from the synchronization feature. See whether the diagram can provides an hints to you.

Official Announcement – https://helpx.adobe.com/security/products/creative-cloud/apsb20-11.html

Preface: Make our life easy, just rename or disable it.

Background: Type 1 is a font format which came to market around 1984, together with PostScript and the Apple LaserWriter. Perhaps ATMFD.DLL was first built into Windows 2000. Through observation, this vulnerability was caught by Google project Zero in 2015. Over time, maybe someone has forgotten this. Therefore, the direct method is to disable it.

Impact: Stacks in computing architectures are regions of memory where data is added or removed in a last-in-first-out (LIFO) manner. In most modern computer systems, each thread has a reserved region of memory referred to as its stack. A specially-crafted font that is capable of operating on any data on the thread stack and has all the instructions (including arithmetic, logic, condition, and other instructions) in the Type 1 / Type 2 Charstring instruction set. Official announcement: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

Or quick and Dirty: Right-click C:\Windows\System32\atmfd.dll Properties | Security | Advanced | Owner, take ownership. Close dialogs, go back in and give yourself Full Control.

Preface: Cisco SD-WAN Solution Privilege Escalation Vulnerability. Sound dangerous but it can only conduct internally. If someone can make it happen. It can elevate privileges to root on the underlying operating system.

Details: Perhaps Cisco fans still remember that a vulnerability encountered on SDWAN on Jun 2019. I presumably there may be similarities to this matter. The official announcement said An attacker could exploit this vulnerability by sending a crafted request to an affected system. A successful exploit could allow the attacker to gain root-level privileges. The details happened on June 2019 shown as below:

Cisco official announcement – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwpresc-ySJGvE9

Other than that perhaps you will be interested of other vulnerabilities found on SDWAN

Buffer overflow – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwanbo-QKcABnS2

Command Injection – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwclici-cvrQpH9v