Category Archives: Potential Risk of CVE

Who is cookie? Is it cookie monster? Multiple VPN applications insecurely store session cookies – 11th Apr 2019

Preface: Who is cookie? Is it cookie monster? Multiple VPN applications insecurely store session cookies – 11th Apr 2019

Technical background: An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with the next request to the same server. Typically, it’s used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.

Vulnerability details: The following products and versions store the cookie insecurely in memory:

  • Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
  • Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
  • Cisco AnyConnect 4.7.x and prior

Reference: https://kb.cert.org/vuls/id/192371/

My observation: A technical limitation on Clientless SSL VPN. If SSO authentication implement to clientless ssl VPN. The webbase VPN machine must keeps the cookie on behalf of the user and uses it to authenticate the user to secure websites within the domain protected by the SSO server. And therefore VPN applications might store the authentication and/or session cookies insecurely in memory.

Hardcoded credentials concerns – MyCar mobile apps (8th Apr 2019)

Preface: MyCar add smartphone-controlled geolocation, remote start/stop and lock/unlock capabilities to a vehicle with a compatible remote start unit.

Vulnerability details:
MyCar Controls mobile applications prior to v3.4.24 on iOS and prior to v4.1.2 on Android contains hard-coded admin credentials. For specifics details, please refer to diagram.

Reference:https://kb.cert.org/vuls/id/174715/

Samba Releases Security Updates (CVE-2019-3880 & CVE-2019-3870) – Apr 2019

Preface: Samba is an open-source software suite that runs on Unix/Linux based platforms. The design based on SMB network protocol. Samba is able to communicate with Windows clients like a native application.

Synopsis: Windows OS and Linux opensource looks contains their market. A trend shown that Linux base OS well develop in automation industry. Perhaps common printer not compatible with open source Linux. As a result, 3rd party service daemon is going to pick up this responsibility. In fact, vulnerability happens in IT world daily. It is rare that a software or hardware do not have vulnerability. And therefore Samba do not have exception.

Vulnerability details:

CVE-2019-3880 – path/symlink traversal vulnerability, For more details, refer to url.

https://www.samba.org/samba/security/CVE-2019-3880.html

CVE-2019-3870 – During the provision of a new Active Directory DC, some files in the private/ directory are created world-writable. For more details, refer to url.

https://www.samba.org/samba/security/CVE-2019-3870.html

Siemens – CVE-2019-6569 (Do not contempt this vulnerability)

Preface: Industrial Ethernet has been the network of choice in factory auto-mation for many years and offers a powerful communication basis with PROFINET-based solutions.

Vulnerability details: A vulnerability has been identified in Scalance X-200 (All versions), Scalance X-300 (All versions), Scalance XP/XC/XF-200 (All versions <V4.1). The monitor barrier of the affected products insufficiently blocks data from being forwarded over the mirror port into the mirrored network.

Impact: An attacker might use this behaviour to transmit malicious packets to systems in the mirrored network. The worst scanario is that it go direct to facilities like SIMATIC S7-400 advanced controller thus conducting cyber attack directly see whether can find zero-day of attack.

Siemens official announcement – refer to url: https://cert-portal.siemens.com/productcert/pdf/ssa-557804.pdf

CVE-2019-1002101: kubectl fix potential directory traversal (4th Apr 2019)

Preface: The vulnerability if not require attacker conduct scam to persuade a user. It is a extreme dangerous vulnerability.

Technical background of Kubernetes: Kubernetes (often referred to as K8s) is an open source system for automatically deploying, extending, and managing containerized applications. The system was designed by Google and donated to the Cloud Native Computing Foundation (now the Linux Foundation).

Synopsis: The container escape vulnerability in runc awaken docker users in regard to cyber security in their domain. Perhaps the vulnerability of CVE-2019-1002101 is in high severity level. But strongly believed that it is an alert. Hey administrator, staying alert! Should you have interest receive a quick understanding, please refer to attached diagram.
Kubernetes has released software updates at the following link: https://github.com/kubernetes/kubernetes/releases

Apache Releases Security Update for Apache HTTP Server – 4th April 2019

Alert: The Apache Software Foundation has released Apache HTTP Server version 2.4.39 to address multiple vulnerabilities.

  • mod_auth_digest access control bypass (CVE-2019-0217)
  • mod_ssl access control bypass (CVE-2019-0215)
  • mod_http2, possible crash on late upgrade (CVE-2019-0197)

CVE-2019-0211 bring to my attention. For the synopsis of this matter, please refer to attached diagram.

Remedy: The Apache Software Foundation has released Apache HTTP Server version 2.4.39 to address multiple vulnerabilities. See the URL for more information.

https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2018-19466 – Portainer LDAP Credentials Storage Information Disclosure Vulnerability (3rd Apr 2019)

Preface: Today, the stored password is not encrypted like walking around without clothes!

Technical background: Portainer is a lightweight management UI which allows you to easily manage your different Docker environments (Docker hosts or Swarm clusters). It allows you to manage your all your Docker resources (containers, images, volumes, networks and more) ! It is compatible with the standalone Docker engine and with Docker Swarm mode.

Vulnerability: The affected software stores LDAP credentials in cleartext and performs insufficient security checks on API calls that allow the retrieval of LDAP credentials.

Remedy: Portainer has released software updates at the following url: https://github.com/portainer/portainer/releases/tag/1.20.0

CVE-2019-5729 – Splunk Python SDK Improper TLS Server Certificate Verification Vulnerability(2nd Apr 2019)

Preface: Splunk is powerful, it can extract cookie of web connections. If client connection still alive, hacker can hijack and get the connection.

Vulnerability details: A vulnerability in Splunk Python SDK could allow an unauthenticated, remote attacker to bypass security restrictions on a targeted system. An attacker could exploit this vulnerability by executing a man-in-the-middle attack to bypass access restrictions on the system.

Design weakness: Due to improper verification of untrusted TLS server certificates

Remedy: Splunk has released software updates (refer url) – https://github.com/splunk/splunk-sdk-python/releases

CVE-2019-10125: aio_poll function hits vulnerability (1st Apr 2019)

Preface: Linus Benedict Torvalds, he is the principal developer of the Linux kernel, which became the kernel for many Linux distributions and operating systems.

Vulnerability details: An issue was discovered in aio_poll() in fs/aio.c in the Linux kernel through 5.0.4. A file may be released by aio_poll_wake() if an expected event is triggered immediately (e.g., by the close of a pair of pipes) after the return of vfs_poll(), and this will cause a use-after-free.

Impact: An attacker could exploit this vulnerability by executing an application that submits malicious input to the targeted system. A successful exploit could allow the attacker to execute arbitrary code and completely compromise the system.

Remedy:https://patchwork.kernel.org/patch/10828359/

CVE-2019-10063 – Security update for Flatpak, 29th Mar 2019.

Preface: Coding is the process of translating and writing codes from one language to another support operating system platform.

What is Flatpak?

If Linux user found that the new application not available in the App Stores. He can do the installation via the DEB or RPM packages. Some of them are available via PPAs (for Debian based distributions) and if nothing, one can build from the source code. Flatpak provide a 3rd way.

Vulnerability Details: The vulnerability exists because the affected software does not use the seccomp filter to prevent sandbox applications from using TIOCSTI IOCTL.

Reason:

The snapd default seccomp filter for strict mode snaps blocks the use of the ioctl() system call when used with TIOCSTI as the second argument to the system call. But it didn’t! The fact is that restriction could be circumvented on 64 bit architectures because it performs a 64-bit comparison,but the system call is defined with a 32-bit command argument in the kernel.

Similar design flaw discovered in libseccomp package!

Remedy: https://github.com/flatpak/flatpak/releases

Observation: Similar design flaw might found soon in other software.