Preface: The Amazon rainforest is the lungs of the earth. Even humans are stronger than ancient people. But we rely on oxygen to survive. Amazon rainforest fire, do you think we are heading to the edge?

About webmin software: Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS, file sharing and much more. AWS especially lamp stack web app, the basic function on demand to use webmin software.

Vulnerability details: A vulnerability in Webmin could allow an unauthenticated, remote attacker to execute arbitrary commands with root privileges on a targeted system. See the attached drawing for details.

Remark: This vulnerability will be occured when the changing of expired passwords function is enabled. But this function not enabled by default.

Remedy: upgrading to version 1.930 is strongly recommended. Alternately, if running versions 1.900 to 1.920, edit /etc/webmin/miniserv.conf, remove the passwd_mode= line, then run /etc/webmin/restart.

Preface: In 1885 Westinghouse imported a Siemens AC generator, to begin experimenting with AC networks in Pittsburgh. As of today, the business development of Siemens extend to all industry.

Product background: The Siemens SIMATIC S7-1200 & S7-1500 is the controller for open-loop and closed-loop control tasks in mechanical equipment manufacture and plant construction. Its range of use extends from the replacement of relays and contactors up to complex automation tasks in networks and within distributed structures.

Vulnerability details: Two vulnerabilities have been identified in the SIMATIC S7-1200 and the SIMATIC S7-1500 CPU families. Those vulnerabilities is that when engineer tries to upload (put) the source code on the SIMATIC. However the limitation of the design do not enforce the integrity check.So attacker exploit Man-in-the-Middle hack technique to transfer their counterfeit code and “put” his code to the device.

Official announcement: Please refer to the URL link – https://cert-portal.siemens.com/productcert/pdf/ssa-232418.pdf

Background: Google Go Language is suitable for web development especially front-end development. Quite a lot of companies using GO. For instance Facebook, Twitter, YouTube, Apple, Dropbox, Docker, Soundcloud, Mozilla Firefox, The New York Times, Github, GOV.UK and UBER.

Vulnerability details: A vulnerability in the net/url package in Golang Go could allow an unauthenticated, remote attacker to bypass security restrictions on a targeted system. The affect product inlcudes version prior 12.12.7 and prior 1.11.12.

Observation: CVE-2018-12123 was addressed Hostname spoofing in URL parser for javascript protocol on Node.js.
However CVE-2019-14809 found that vulnerability occurs in the net/url package in Golang Go could allow an unauthenticated, remote attacker to bypass security restrictions on a targeted system. It was because because the net/url package in the affected software mishandles parameter (mishandles malformed “hosts:) in URLs. For more details, please see attached diagram for reference.

Remedy: Golang has released software updates at the following – link: https://github.com/golang/go/releases

Preface: ALPC (Advanced/Asynchronous Local Procedure Call) is a C/S model technology developed by Microsoft to replace LPC for native RPC.

Vulnerability details: Tasks created by the Task Scheduler will create the folder and file in “c:\windows\system32\ tasks”. This function original to be designed to write the discretionary access control list of the task in this place. For some reason, it also checks if the .job file exists under c:\ windows \ tasks and tries to set the DACL

Since users belonging to the guest group, can create files in this folder, we can simply create a hard link to another file (we only need to read access). Due to the hard link, we can let the task scheduler write any DACL (see the second parameter of SchRpcSetSecurity) to the file of our choice. Therefore, any file we read is accessed as a user, and the system has write DACL permissions, we can go to full control and overwrite it.

Vendor announcement : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1162

Summit, launched in 2018, delivers 8 times the computational performance of Titan’s 18,688 nodes, using only 4,608 nodes. Summit still carry the flags tell the world that he keep the fast run record.

Over the past decade, Linux Clusters founded and starting the competition with mainframe computer. The most famous IBM crossbar switch encounter doubt to technical world. Does he better than Linux Clusters? Crossbar – The processors are connected with non-internally blocking crossbar switch and communicate with each other via global interleaved memory.

The record shown on the diagram, even though the supercomputer CPU core increase 4 times compare to submit. But it do not have significant growth. Perhaps you may feeling that the bottleneck given from CPU. My personal comment is that crossbar coexists CPU and I/O direct way. Linux cluster form virtual matrix hoop up. But the design limitation is the server hardware instead of CPU. We keep our eye open to see who is the winner on next round? A crossbar switch, as part of a crossbar topology, channels data or signals between two different points in a network.

Remark: The crossbar setup is a matrix where each crossbar switch runs between two points, in a design that is intended to hook up each part of an architecture to every other part.

Preface: If you are not yet ready to share your project on GitHub. You can host your own Private GitHub. It is Gogs.

Product background: The goal of Gogs is to make the easiest, fastest, and most painless way of setting up a self-hosted Git service. So all the design concept, program code and perhaps intellectual properties all keep in this place. Since the intension is not go for public and therefore it will be installed on private cloud or a single machine.

Vulnerability details: A design defect found in source code file (routes/api/v1/api.go). The impact causes affected software does not properly perform permission checks for routes.
Since there is no preventive control and therefore an attacker could exploit this vulnerability to perform unauthorized actions on a targeted system. Should you have interested of this issue, see top right hand side of the diagram. You will find part of the enhancement features. Perhaps you will speculate what is the actual problem.

Remedy – See url https://github.com/gogs/gogs/blob/master/routes/api/v1/api.go