Category Archives: Public safety

IoT, Potential Risk of CVE, Public safety

Multiple high vulnerabilities in Advantech WebAccess/SCADA -CVE-2019-10989,CVE-2019-10991 & CVE-2019-10993

1 Comment

Preface: Cyber Security expert not suggest access SCADA Dashboard from external area (internet). But we can use VPN establish connection then sign on as a workaround.

Background: Advantech WebAccess/SCADA is a browser-based SCADA software package for supervisory control, data acquisition and visualization.

Vulnerability details: In WebAccess/SCADA Versions 8.3.5 and prior, multiple heap-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data.

CVE-2019-10989 – The specific flaw exists within the implementation of the 0x113d1 IOCTL in the webvrpcs process.

CVE-2019-10991 – The specific flaw exists within bwclient.exe, which is accessed through the 0x2711 IOCTL in the webvrpcs process.

CVE-2019-10993 – The specific flaw exists within the implementation of the 0x27E9 IOCTL in the webvrpcs process.

Summary: Stack based & heap based buffer overflow and untrusted pointer dereference Remote Code Execution are all found in this product. Ioctl is a function in the device driver that manages the device’s I/O channels. The so-called I/O channel management is to control some characteristics of the device.

Reference: A stack-based buffer overflow vulnerability exists in a call to strcpy. Strcpy is one of the functions of the C language. It comes from the C standard library, defined in string.h, which can copy a memory block with a null end character into another memory block.
So attacker can leverage this vulnerability to execute code under the context of Administrator.

Advantech has issued an update to correct this vulnerability – https://www.us-cert.gov/ics/advisories/icsa-19-178-05

Public safety

Our Future especially Smart City is waiting for 5G mobile communication. Does your body ready for 5G signal?

Preface: When mobile phone was born. Some of the people had concerning about the impact of electronic device to human health. As time goes by, seems we forget about it because we need smartphone now!

Historical background: The FCC has established a policy for human exposure to radio frequency electromagnetic fields. Seems it looks fine, the specifics policy defined, right? However if you review related policy (see below url). You might have doubt? Does our existing policy synchronize with modern technology? https://www.fcc.gov/general/radio-frequency-safety-0

About vulnerability: The medical industry not specify such technology will be potentially harmful to human body. But brain cancer, salivary cancer, acoustic neuromas and two other types of cancer go up with cell phone use. It was strange that European countries are the leader to promoting healthcare. However it looks that they are also the technology supporter. Regarding to strategic project plan especially infrastructure of the country. The major elements should be included in design phase but I did not seen the renewal policy of Human Exposure to Radio Frequency Electromagnetic Fields.

Potential Risk of CVE, Public safety

Highly vulnerable – Moxa customer must be vigilant!

Preface: The MoxaEDS405A/408A are entry-level 5 and 8-port managed Ethernet switches designed especially for industrial applications.

Technical background: Turbo Ring is a self-healing technology that enables fast fault recovery under 20 ms. Moxa’s Turbo Ring and Turbo Chain Ethernet technologies maximize railway network availability with ideal redundancy technology.

Security focus: CVE-2019-6563 (CVSS:10) – Moxa IKS and EDS generate a predictable cookie calculated with an MD5 hash, allowing an attacker to capture the administrator’s password, which could lead to a full compromise of the device.

What is Predictable cookie ? For example: Cookie: JSESSIONID=USER1. A predictable cookie calculated with an MD5 hash bring our attention because MD5 produces a 128-bit hash as an output; only 3 bytes of the hash value are used in the cookie value.

Observation: Moxa products are used in the Korean subway network on 2010. Not sure whether it is still remain usage. But believe that a remedy solution has been taken if it is still in used. Otherwise it will create a cyber security risk in the operations.

Vulnerabilities details please refer to url: https://ics-cert.us-cert.gov/advisories/ICSA-19-057-01

Potential Risk of CVE, Public safety, Under our observation

Unknown vulnerability Found Affecting Intel CPUs – 5th Mar 2019

Preface: So called Spoilter, a vulnerability given by Intel CPU design limitation. If hacker successful exploit such vulnerability. They can conduct “Rowhammer” attack for privileges escalation.

Vulnerability detail: The speculative execution function of Intel’s processors aim to increase the performance of a CPU. Meanwhile it caused Intel CPU vulnerability issues in the past. A new found technique is able to determine how virtual and physical memory is related to each other. By discovering time differences, an attacker can determine the memory layout and then know which area to attack. For more details, please refer attached diagram for reference.

Remedy: There is no mitigation plan that can completely erase this problem.

Headline news: https://www.theregister.co.uk/2019/03/05/spoiler_intel_processor_flaw/

Conclusion: Perhaps “rowhammer” is hard to detect.. Be remind that a predictive defense solution will be reduce the risk. For example you have 360 degree cyber protection includes spam and DNS filter, SIEM, malware protection and managed security services. The impact cause by this vulnerabilities will be under control.

IoT, Potential Risk of CVE, Public safety

Security Focus – CVE-2018-13888

Preface: This design flaw has attracted me. Perhaps the supplier has no formal remediation solution yet. But the impact of this vulnerability seems to be broad!

Vulnerability detail: There is potential for memory corruption in the RIL daemon due to the following reason.
The location of dereference of memory is outside the allocated array length in RIL.

Meaning of “dereference” (common criteria):
The dereference operator or indirection operator, sometimes denoted by “*” (i.e. an asterisk), is a unary operator (i.e. one with a single operand) found in C-like languages that include pointer variables.

Affected products: Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in versions MDM9206, MDM9607, MDM9635M, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM439, SDM630, SDM660, ZZ_QCS605.

Official announcement – Not found in the bulletins yet : https://www.qualcomm.com/company/product-security/bulletins

Public safety

Romance scams

The Valentine’s Day is coming soon and the romantic atmosphere will always on you mind. You may think you spend a lot on flowers or chocolate, but losing money in a romance scam would cost you even more.
From cyber security point of view, it is a great time for cyber criminals to conducting their action. They are not only a data theft. Their target is the Enterprise firm CEO, politician, military department staff and important persons.
Perhaps hackers can take this opportunity infiltrate to your network infrastructure.

Stay alert!

Public safety

What is the situation of Edward Snowden (whistle blower)? Do you still remember him?

Preface:
The samurai (or bushi) were the warriors of premodern Japan.Lone Wolf and Cub is a manga created by Japanese comics writer.Samurai respected justice.

Synopsis:
Justice is the legal or philosophical theory by which fairness is administered. It is the fundamental of human nature. But the concept of justice differs in every countries and culture.

Who is he?
Edward Snowden, an American contract employee at the National Security Agency, is the whistleblower behind significant revelations that surfaced in June 2013 about the US government’s top secret, extensive domestic surveillance programmes. Snowden flew to Hong Kong from Hawaii in May 2013, and supplied confidential US government documents to media outlets including the Guardian.

What’s the situation now?
He is on exile. His most recent interview in Moscow Russia on September 2018. (Refer below url)
https://www.youtube.com/watch?v=wimHE6SNddc

Why Edward Snowden should be pardoned?(Refer below url)
https://www.amnesty.org.uk/edward-snowden-nsa-whistleblower-pardon

 

Public safety, Under our observation, Virus & Malware

Unknown APT reference number ? Suspect that it targeting Advantech WebAccess/SCADA customer

1 Comment

 

Advantech, a leader within the IPC global market. Advantech offers a comprehensive IPC product range that delivers reliability and stability for extreme environments, providing its customers with a one-stop shopping experience implementing Industry 4.0 and fulfilling their Industrial IoT needs.

IoT and SCADA are the APT (Advanced Persistent threat) targeting devices so far. Meanwhile this type of manufacturer will be lured attacker interest. Regarding to the technical details, please refer below url for reference.

https://www.eset.com/int/greyenergy-exposed/

So, It is possible to make people predict the attack may targeting Advantech customer.

Factor:
In Advantech WebAccess/SCADA versions prior to V8.2_20170817.
WebAccess/SCADA does not properly sanitize its inputs for SQL commands.

Synopsis:
Chosen with servers that have a high uptime, where reboots and patch management are rare.
In order to mislead people, threat actor will use the vendor official server cert to conducting data exfiltration.
Since malware alive and therefore C&C server is able to conduct hacker job task (exploit the SQL vulnerability).

Should you have interest to know the specifics vulnerabilities. Please refer below hyperlink for reference.

Advantech WebAccess/SCADA – CVE-2018-5443 – CVE-2018-5445

Public safety, System, Under our observation

Reflections – New 5G network edge server design

NSA Senior Cybersecurity Advisor questions Bloomberg Businessweek’s China iCloud spy chip claim (see below url)

http://macdailynews.com/2018/10/10/nsa-senior-cybersecurity-advisor-questions-bloomberg-businessweeks-china-icloud-spy-chip-claim/

Now we take a quick discussion but do not related to conspiracy. From technical point of view, if hardware is polluted (spy feature). It is hard to imagine what the impact was?

In the SD-branch, routing, firewall, and WAN optimization are provided as virtual functions in a cloud-like NaaS model, replacing expensive hardware. As a result, the telephone company will use SD-branch to provide virtual CPE and unversal CPE services.

Meanwhile uCPE consists of software virtual network functions (VNFs) running on a standard operating system hosted on an open server. So uCPE in reposible of very import role in future technology. What if there is vulnerability occurs in this place. It make the problem worst, complicated!

Supermicro Designs New Open Software-Defined Networking (SDN) Platform Optimized for 5G and Telco Applications and Launches verified Intel® Select Solution for uCPE

http://ir.supermicro.com/news-releases/news-release-details/supermicro-designs-new-open-software-defined-networking-sdn

2018, cyber security incident news highlight, Cyber War, Public safety, Under our observation

Could ring 2 have the same momentum as a IoT backdoor?

Preface:

In x86 protected mode, the CPU is always in one of 4 rings. The Linux kernel only uses 0 and 3:

  • 0 for kernel
  • 3 for users

Hidden janitor living in your computer

SMM is triggered through a System Management Interrupt (SMI), a signal sent from the chipset to the CPU. During platform initialization, the firmware configures the chipset to cause a System Management Interrupt for various events that the firmware developer would like the firmware to be made aware of.

Whether you remember the Intel chipsets for some years have included a Management Engine?

On May 2017, an official announcement by Intel, design found a design limitation on their product. The problem is that Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability encountered vulnerability (escalation of Privilege). Reference url shown as below:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00075.html

If we are not talking about conspiracy, it looks that backdoor appear in the chipset not a rumour. It is a true statement.

Why Ring 2 isn’t used?

Rings 1 and 2 is for the OS to put device drivers at that level, so they are privileged, but somewhat separated from the rest of the kernel code.

An exploitation on Ring 2

We strongly believe that the person who familiar of code for the UEFI kernel and SMM half kernel is the CPU manufacturer. Both components are run on Ring 2. Above mentioned Intel design flaw run in Ring -2 OS (UEFI). UEFI can run in 32-bit or 64-bit mode and has more addressable address space than BIOS, which means your boot process is faster. Unified Extensible Firmware Interface (UEFI) is a specification for a software program that connects a computer’s firmware to its operating system (OS). UEFI is expected to eventually replace BIOS. Like BIOS, UEFI is installed at the time of manufacturing and is the first program that runs when a computer is turned on. Dual boot computer with Windows and Linux conducted by UEFI firmware. But UEFI firmware has become a target for hackers.

Refer to above diagram, we notice that the condition of Ring 2 will be depends on operation mode. So, if virtualization assist by hardware will let Ring 2 and Ring 3 work together. As a result, an attacker with write access to flash can inject malware into the firmware.

Remark: Malware injected into the firmware flash regions is persistent and will run on every subsequent boot.

SPI Flash Exploit – Malicious DXE drivers can disable security settings and install malicious code into the OS.

Additional:

Refer to above information. When a computer was installed and switched on, the microchip altered the operating system’s core so it could accept modifications. The chip could also contact computers controlled by the attackers in search of further instructions and code.

But who is the culprit, no further indicator proof. Perhaps it can shift the blame onto someone else. If you do not mind to read the articles announced by Bloomberg once more. Please refer below:

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies