Preface: Microsoft will be ending support for Windows 7 and Server 2008 on January 14, 2020. This means no more security patching and no more support from Microsoft.

Vulnerability details: Found design flaw on 2015. Microsoft Windows Group Policy could allow a remote attacker to take complete control of the system, caused by improper application of policy data. By social engineering attacks to convinces a privileges user with domain-configured system to connect to an attacker-controlled network, an attacker could exploit this vulnerability to execute arbitrary code and take complete control of the system.

Current status: Microsoft Windows Server 2012 suffers from a Group Policy remote code execution vulnerability.

Proof of concept release on 29th October 2019. The exploit code targets vulnerable systems in order to modify registry keys to disable SMB signing, achieve SYSTEM level remote code execution (AppInit_DLL) and a user level remote code execution (Run Keys).

Perhaps this vulnerability without any significant impact to MS product in the moment. But information security expert should be take care of this issue.

Samba releases security updates – Oct 2019

Preface: Samba like a middle man bridging all the races in cyber world.

Background: Samba is a free software for connecting the UNIX operating system to the SMB/CIFS network protocol of the Microsoft Windows operating system. The third edition not only accesses and shares SMB folders and printers, but also integrates into the Windows Server domain, acting as a domain control station and joining Active Directory members.

Vulnerability details:
1) Path traversal (Severity – medium) – CVE-2019-10218 https://www.samba.org/samba/security/CVE-2019-10218.html

2)Use of Obsolete Function (Severity-low) – CVE-2018-18433 https://www.samba.org/samba/security/CVE-2019-14833.html

3)NULL pointer dereference (Severity-medium) – CVE-2019-14847
https://www.samba.org/samba/security/CVE-2019-14847.html

For the details of design weakness, please refer to attached diagram.

Preface: Doing web browsing and open document is our daily life. Opps! But it will hit a DoS vulnerability.

Background: x64 extends x86’s 8 general-purpose registers to be 64-bit, and adds 8 new 64-bit registers. The 64-bit registers have names beginning with “r”, so for example the 64-bit extension of eax is called rax. The new registers are named r8 through r15.

Remember that rip is the instruction pointer and whatever code present at the rip is executed. If the code is invalid however, something will go wrong .

Vulnerability details: A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. The crash occurs when any system component calls LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE) against the file, either directly or through another API such as GetFileVersionInfoSizeExW() or GetFileVersionInfoW().

Official announcement – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1346

Preface: Existing internet service require DNS lookup function. See whether artificial intelligence world will be replaced this function?

Background: There are currently 13 root servers in operation. In order to avoid DNS request in high volume could not handle immediately. And therefore when requests are made for a certain root server, the request will be routed to the nearest mirror of that root server. The mirror zone feature is most often used to serve a local copy of the root zone. Mirror zones are a BIND feature allowing recursive servers to pre-cache zone data provided by other servers.

Vulnerability details: Found design flaw in BIND version 9.14.0 up to 9.14.6, and 9.15.0 up to 9.15.4. Found that attacker was able to insert themselves into the network path between a recursive server using a mirror zone and a root name server.
The attack method is that the hacker sniffs on the network.
Since DNS uses TCP for Zone transfer and UDP for name queries either regular (primary) or reverse.
When he receive the ports & sequence numbers (e.g., on-path attacker), attacker can inject data into any TCP connection.

Impact:
An on-path attacker who manages to successfully exploit this vulnerability can replace the mirrored zone (usually the root) with data of their own choosing, effectively bypassing DNSSEC protection.

Official announcement – https://kb.isc.org/docs/cve-2019-6475

Preface: It seems that humans are hard to avoid living with robots and AI, because this is our destiny.

Background: VMware Harbor Registry is an enterprise-class registry server that stores and distributes container images. The release of Harbor 1.8 revealed a number of new features, including the ability to share Harbor with other registries. The design goal of Harbor, allows you to store and manage images for use with VMware Enterprise PKS. If you are a project admin, you can create a Robot Account for automated operations. The name will become robot$ and will be used to distinguish a robot account from a normal harbor user. Furthermore, robot account that allows Harbor to be integrated and used by automated systems, such as CI/CD (Continuous Integration / Delivery & Deployment) tools.

Vulnerability details: CVE-2019-16919 – Found that the original design of Harbor do not enforcing project permissions and scope during robot account creation via the Harbor API. As a result, a broken access control vulnerability in the API of Harbor may allow for unauthorized access to push/pull/modify images in an adjacent project. We predicted that attacker might have way to exploit this vulnerability to conduct the session hijack. For more detail, please refer to attach diagram for reference.

Official announcement – For more details, please refer to url https://www.vmware.com/security/advisories/VMSA-2019-0016.html

Preface: Vendor vulnerability management program sometimes have doubt to public. They frequent ask, how to do the protection before patch release? Perhaps not require worry too much because zero-day vulnerabilities are go with us all the time.

Synopsis: On October 2019, Oracle has released its Critical Patch Update for October 2019 to address 219 vulnerabilities across multiple products. Perhaps FasterXML jackson-databind vulnerability bring my focus. Because this vulnerability was announced to public on August this year.

Vulnerability details: Banking finance business analyser will be familiar with OFSAA. OFSAA out of the box data models continue to be released as Erwin. But it supports Oracle SQL modeler for data model extensions.However the CVE-2019-14379 design weakness has been found on Oracle Banking Platform and Oracle Financial Services Analytical Applications Infrastructure. Data binding is useful for allowing user input to be dynamically bound to the domain model of an application (or whatever objects you use to process user input). SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

What is Fasterxml Jackson Databind?
Contains basic mapper (conversion) functionality that allows for converting between regular streaming json content and Java objects (beans or Tree Model: support for both is via ObjectMapper class, as well as convenience methods included in JsonParser. For more details of oracle security advisory details, please refer to url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Preface: vBulletin™ is the world leader in forum and community publishing software. Vbulletin messenger make use of AJAX-based chat functionality.The main benefit of developing websites using Ajax is to help web browsers retrieve more data without causing a Web page to refresh.

Vulnerability details: User input passed through the “data[extension]” and “data[filedata]” parameters to the “ajax/api/user/updateAvatar” endpoint. Vulnerability found that these input are not properly validated before being used to update users’ avatars.
Hacker relies above flaw do exploitation, inject and execute arbitrary PHP code.

Remark: Successful exploitation of this vulnerability requires the “Save Avatars as Files” option to be enabled (disabled by default).

How attacker detect web site install vBulletin system.

• HTTP headers, including cookies
• Design will insert unique Javascript code into web pages.
• Detect meta tag within the html pages.

Remedy: patches available for the following versions of vBulletin Connect:

- 5.5.4 Patch Level 2
- 5.5.3 Patch Level 2
- 5.5.2 Patch Level 2

Preface: iTerm2 not the default Mac terminal

Vulnerability details: A vulnerability, identified as CVE-2019-9535, exists in the way that iTerm2 integrates with tmux’s control mode, which may allow an attacker to execute arbitrary commands by providing malicious output to the terminal. This affects versions of iTerm2 up to and including 3.3.5.

Technical background: iTerm2 with tmux integration since version 3.3.5. The powerful feature of Tmux is able to run tmux as the remote command argument to ssh. Meanwhile Tmux is a terminal multiplexer. Simply put, this allows you to split one terminal session into many.

Remedy: Developer take the following actions:

• Use session number everywhere rather than session name
• Do not poll tmux for the set-titles-string, status-left, and status-right and then request the values of the returned format strings.
• Hex-encode options saved in the tmux server to make them unexploitable

Update iTerm2 to version 3.3.6, which includes mitigations against exploitation of this vulnerability.

Preface: The Department of Homeland Security (DHS) and FDA are aware that the (URGENT/11) vulnerabilities will be effected medical device and hospital networks. They released announcement to urge specify industry to staying alert.

Vulnerability details: So called (URGENT/11) found on Wind River VxWorks on July 2019. Urgent11, it include 6 remote code defects and 5 less serious flaws. The design limitation of TCP/IP (IPnet) network stack let hackers to bypass traditional border and device security. If your IoT settings are integrated with physical LAN and 802.11 (wireless), but the IoT’s does not have internet communication capabilities. Maybe you also have a headache at the moment. See whether below suggestion can help.

• If you do not have SIEM on hand. The primitive interim remediation should do the following.
  Turn MAC Filtering on wireless router
• Turn on port protection on your network switch. If you are using low end network device which do not provide this function. Perhaps you must disable or use the seal tape to block the ethernet port not in used.

The key factor to prevent this vulnerability is enforce the network access control in your network. Do not let the strange (3rd party) plug in his computer to your network infrastructure.

If the internet connectivity function is enabled. So what we can do?
Since those vulnerabilities has CVE reference number assigned. And therefore application firewall can be quarantine the attack. Besides of that you have to apply above method to prevent the insider threat.

Reference: FDA announcement – https://www.fda.gov/news-events/press-announcements/fda-informs-patients-providers-and-manufacturers-about-potential-cybersecurity-vulnerabilities

Backstory: http://www.antihackingonline.com/potential-risk-of-cve/urgent-11-tremendous-design-limitation-jeopardizes-rtos-industry/