Category Archives: Uncategorized

For my imagination only – Mona Lisa smile – Mar 2020

In order to prevent people know the information, Da Vinci use wrote backwards handwriting. Also known as mirror-writing, where the words appear as normal when seen with a mirror.

Modern people know very little about Da Vinci’s early life, and he only recorded two childhood story. This happened during Da Vinci’s expedition in the mountains. Da Vinci discovered a cave during his expedition. He was afraid that there would be some huge monster lurking in the cave, but he was driven by curiosity and wanted to know what was inside. When he walked into the cave and found a huge unknown object lying quietly in the cave, Da Vinci was shocked. Later, several non man kind emerged from the unknown object, and they imparted knowledge to Da Vinci. Before he pass away, Da Vinci spend decade to finish his Arts work. It is the famous Mona Lisa smile.

I can seen the cave in his art work. How about you?

The CVE-2020-0688 vulnerability affects Exchange Control Panel (ECP) components. Maybe it fixed it. However, because OWA is Internet-oriented, you still worry about it. 5th Mar 2020

Preface: To do the remedy of CVE-2020-0688, you need to install the security update in addition to the Cumulative Updates.

Vulnerability Background: Microsoft using the same set of cryptographic keys on every Exchange Server installation. The keys being stored in plain text in a web.config file on every server.

Details: Microsoft release the patch on 11th Feb, 2020. Less than 2 weeks later. Researchers released proof of concept (POC) exploits for this vulnerability on February 24, 2020. If you have chosen publish Exchange externally. This patch must be applied.
Attacker exploit this vulnerability is easy. The social network sometimes unintentionally leave the finger print (company email address). When attacker got the email address on hand. The elaborate email subject and content presents challenges for traditional security tools, because it is designed specifically to evade detection. If victim fall to the trap (phishing mail) which lure they provide the credential. Even though it is a non privileges user.Attacker can activated this vulnerability to conduct the remote code execution.

“They will try to locate you OWA server. If your existing Exchange SRV is vulnerable. The attack channel can pass through your OWA.”

Remedy: Official announcement – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688

Das U-Boot Self-Referential DOS Partition Table Infinite Recursion Vulnerability Aug 2019

Vulnerability details: A crafted self-referential DOS partition table will cause all Das U-Boot versions through 2019.07-rc4 to infinitely recurse, causing the stack to grow infinitely and eventually either crash or overwrite other data.

Introduction: Das U-Boot a popular primary bootloader, it widely used in embedded devices to fetch data from different sources and run the next stage code.In the technology and computer markets, widely used to this bootloader is Linux Kernel. Meanwhile, it is commonly used by IoT. Kindle and ARM ChromeOS devices.

Remedy: Official remediation solution is disable DOS partition default sector for 512 because it’s not very common at all to use large numbers of partitions. Meanwhile set a maximum recursion level (refer to the parameter shown on attached diagram).

Please note that Das U-Boot has other vulnerabilities found. The CVE details shown as below:
CVE-2019-14192, CVE-2019-14193, CVE-2019-14194, CVE-2019-14195, CVE-2019-14196, CVE-2019-14197, CVE-2019-14198, CVE-2019-14199, CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203 and CVE-2019-14204

Above vulnerabilities could let attacker gain remote code execution at the U-Boot powered device when U-Boot is configured to use the network for fetching the next stage boot resources.

Official announcement on CVW-2019-13103https://lists.denx.de/pipermail/u-boot/2019-July/375512.html

CVE-2019-0228 Apache PDFBox XML Parser XML External Entity Vulnerability – 22nd Apr 2019

Preface: We are all familiar with the .doc and .pdf formats. Because this is our choice in the business world.

Synopsis: Apache PDFBox is an open source pure-Java library that can be used to create, render, print, split, merge, alter, verify and extract text and meta-data of PDF files.

Vulnerability details: A vulnerability in Apache PDFBox could allow an unauthenticated, remote attacker to conduct an XML External Entity (XXE) attack on a targeted system. Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a
crafted XFDF.

Remedy: Apache has released software updates at the following link: https://pdfbox.apache.org/download.cgi

Remediation – Cisco IOS XR-64 Software for ASR 9000 series isolation feature vulnerability (17th Apr 2019)

Preface: One of the objective for Aggregation Services aim to provision and manage a huge number of separate physical platforms. As a result, the international vendor like Cisco also doing the transformation of the physical network devices. And therefore we seen VM devices OS system image today.

Synopsis: In order to cope with cloud computing and container environment, IOS XR 64-bit operating system (OS) is able to runs on virtualized environment with underlying 64-bit Linux kernel. As a result, the cisco product services can be extended.

Vulnerability details:
A vulnerability in the sysadmin virtual machine (VM) on Cisco ASR 9000 Series Aggregation Services Routers running Cisco IOS XR 64-bit Software could allow an unauthenticated, remote attacker to access internal applications running on the sysadmin VM.

Official remedy solution: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-asr9k-exr

Simple and powerful evasion technique – Threat actor will be exploit MS word document.

Preface: Preface: Threat Intelligence vendor (FireEye) alert that Global DNS Hijacking Campaign rapidly growth. This storm affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America.

Synopsis: More information about the impact of this cyber attack.. Please refer to below url for reference. https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html

Reflection – The attack method:

Let us think that this kind of attack seems to happen in our daily lives. Perhaps sometime even though Defense mechanism not aware. Microsoft Office documents containing built-in macros is very useful and can become a Swiss army knife to hurt you. Macros are essentially bits of computer code, and historically they’ve been vehicles for malware. Should you have interest of this topic, attach diagram can provide high level overview for your reference.

Remark: Seems the SIEM endpoint event monitoring will be the effective remedy solution. However it might have involves confidential data label. So this part requires management review and separation of duties.

SamSam Ransomware variant – December 3, 2018

Preface:

The Department of Homeland Security urge the world and United state staying alert of new wave of cyber attack.

Technical details:
SamSam ransomware is a custom infection used in targeted attacks, often deployed using a wide range of exploits or brute-force tactics. Most likely the goal of the action is interfere the society stability. It can widespread impact on political stability.

Recommendations:
1. Maintain up-to-date antivirus signatures and engines.
2. Keep operating system patches up-to-date.
3. Disable File and Printer sharing services.
4. Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
5. Enforce Awareness training.

Vulnerability in SIMATIC WinCC OA V3.14 and prior – Sep 2018

SIMATIC WinCC Open Architecture enables handling with bigger amounts of data with even smaller hardware solutions. However WinCC OA v3.14 found critical vulnerability. Do you think below detail is the root causes? A remote attackers execute arbitrary code or cause a denial of service (invalid pointer write) via a crafted packet to TCP port 5678. So we must Protecting C Programs from Attacks via Invalid Pointer.

Vulnerability record in SIMATIC WinCC OA V3.14 (see below):

https://cert-portal.siemens.com/productcert/pdf/ssa-346256.pdf

 

Security advisories – Drupal Releases Security Update (August 02, 2018)

In a nutshell, a CMS function enables anyone to build a website without a prerequisite requirement. The CMS feature similar like anytime ready to run. In a nutshell, a CMS function enables anyone to build a website without a prerequisite requirement. The CMS feature similar like anytime ready to run.

The most popular CMS systems nowadays are the following:

1 WordPress – With around 18 million installations, WordPress is the most-used open source CMS worldwide.

2. Joomla – With 2.5 million installations worldwide, Joomla! is the second biggest agent in the CMS market.

3. Drupal – As of January 2017 more than 1,180,000 sites use Drupal. These include hundreds of well-known organizations including corporations, media and publishing companies, governments, non-profits, schools, and individuals.

On April 2018, a critical design flaw found on Drupal. A remote code execution  vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. Drupal users required to stay alert again! Official announcement shown as below:

https://www.drupal.org/SA-CORE-2018-005