Category Archives: Under our observation

How we focus design weakness?

Preface: Flaws that require root access are not considered security issues in existing policy. If we are not using cloud computing concept. It is acceptable. But we need cloud system!

Security focus: Turkish information security specialist found a design weakness in Windows kernel design. According to the vendor’s Bug Bounty program rules, flaws that require root access are not considered security issues and are not classified as vulnerabilities. However our the whole IT world in the trend of cloud technology. It is hard to guarantee similar type of vulnerability will be impact the public cloud farm. Perhaps it might have possibility to do a re-engineering become as a Surveillance tool.

Defect details: An PoC tool proof that it can hijacks the HalPrivateDispatchTable table to create a early-bugcheck hook. Utilizing this early-bugcheck hook it collects information about the exception and basically provides a simple interface to register a high-level system-wide exception handler. My intention is going to urge Microsoft should be consider this technical issue. Perhaps it may become a zero-day. So I do not display related url.Should you have interested of this topic, not difficult to do a search. You will find the details.

Reference:

The ntoskrnl.exe kernel service, which is responsible for handling exceptions, system call procedures, and thread scheduling in Windows.

Kernel Patch Protection (KPP), informally known as PatchGuard, is a feature of 64-bit (x64) editions of Microsoft Windows that prevents patching the kernel.

Fundamental design concept – related to this matter:

  1. RSPx is loaded in whenever an interrupt causes the CPU to change PL to x. The TSS in long mode also holds the Interrupt Stack Table, which is a table of 7 known good stack pointers that can be used for handling interrupts.
  2. BKPT #0x3 ; Breakpoint with immediate value set to 0x3 (debugger can ; extract the immediate value by locating it using the PC- (program counter))
  3. x86_64 also has a feature which is not available on i386, the ability to automatically switch to a new stack for designated events such as double fault or NMI, which makes it easier to handle these unusual events on x86_64. This feature is called the Interrupt Stack Table (IST). There can be up to 7 IST entries per CPU. The IST code is an index into the Task State Segment (TSS). The IST entries in the TSS point to dedicated stacks; each stack can be a different size.

This topic is under our observation.

Gun and bullet – SMBV1 and Ransomware (Nov 2019)

Preface: Starting from around 2012 the use of ransomware scams has grown internationally.

Background: About 5 days ago, headline news of Bloomberg told that cyber criminals compromised the IT infrastructure for Mexican Petroleum. Meanwhile, hacker hopes to extract nearly $5 million from the company, with a final deadline of 30th November, 2019.

Tremendous incident record: EternalBlue leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patches for the vulnerability. EternalBlue opened the door to one of the nastiest ransomware outbreaks in history, known as WannaCryptor.

Our point of view: Most older NAS devices do not support SMB version 2 or above, even though it can be do a firmware upgrade. But system admin sometimes lack of awareness or running out of labor resources. And therefore remains SMB V1 on the workstation. As a matter of fact, it let the small to medium size enterprise shot by ransomware. Even though manufacturing and petroleum industries you might found SMB v1 still alive in their place. Perhaps this is the story began.

For more information on headline news, please refer – https://www.bloomberg.com/news/articles/2019-11-13/a-hacker-wants-about-5-million-from-pemex-by-end-of-november

Suspected that Podman-Varlink encounter Remote Code Execution – Under observation (14th Oct 2019)

Preface: Red Hat is investing in CRI-O and Podman. Meanwhile they are involved in the Open Container Initiative Standards Organization. The goal is to contribute and introduce drive innovation in their products, such as Red Hat OpenShift and Red Hat Enterprise Linux.

Background: Podman decide to provide a simple CLI for managing pods and containers. The design goal of Varlink aims to make services accessible to both humans and machines in the simplest feasible way. They described its product is an “interface description format and protocol”. It is just such another. Podman decided to build the Podman API based on varlink so users and developers can interact with Podman programmatically.

Design Synopsis: Podman relies on a Systemd feature called socket activation. Systemd allows developers to create socket unit files that tells systemd to listen on a particular socket like the unix domain socket “/run/io.projectatomic.podman”. When a process connects to this socket, systemd will launch the command specified in the service file with the same name. The launched command then handles the socket communications.

Vulnerability details: Depend on how Podman and Varlink are deployed, they can be susceptible to local and remote attacks. There are a few API bugs in Podman itself, as well as a way to execute arbitary commands if one can hit Podman via the Remote API. Running Podman with Varlink over tcp listening either on localhost or the network interface is the most vulnerable setup. For more details, please refer to diagram.

NCSC prediction – DNS monitoring will get harder (Sep 2019)

Preface: DNS monitoring can let you predict the user behaviour. According to Cisco’s research, over 90% of attacks are done over DNS and only two-thirds of organizations monitor their DNS records.

Technical details:
Go to options->Advanced->Network->Settings->Automatic proxy configuration url and enter 8.8.8.8 All you Mozilla traffic uses Google dns now. Google Public DNS fully supports DNSSEC for Domain Name Security Extensions which works against cache poisoning attacks. Meanwhile if mobile device leave company network, DDNS given by wireless hotspot might have way to leave your monitoring. Due to above feature, the Dutch National Cyber Security Centre (NCSC) has released a fact sheet on the increasing difficulty of Domain Name System (DNS) monitoring. For more details, please refer to URL: https://english.ncsc.nl/publications/factsheets/2019/oktober/2/factsheet-dns-monitoring-will-get-harder

Previous NFS 4.1 vulnerability (CVE-2018-16884) show linux kernel design weakness.

Preface: A vulnerability in the NFS41+ subsystem of the Linux Kernel could allow an authenticated, adjacent attacker execute arbitrary code on a targeted system. The vulnerability exists because the bc_svc_process() function of the affected software uses the wrong back-channel ID. use-after-free in svc_process_common

The defect not only affected software uses the wrong back-channel ID. Furthermore it causes access freed memory because of use-after-free vulnerability in svc_process_common(). Perhaps Use-After-Free Vulnerabilities in Linux Kernel are common. Most likely causes by the following factors.

  • use an object without checking whether the pointer is valid
  • free an object without cleaning the pointer

Doubt: If all the objects in a cache are freed, the whole space of the cache is going to be recycled by the kernel.
Was the space definitely to be re-used for a cache storing the objects of the original type? No.
So it is benefit for attacker.

For NFS 4.1 matter, it was highly recommended to following Best Practices guideline. For instance, If you use NFS version 3 and NFS version 4.1, do not mix them on the same volumes/data shares. Separate the backend storage NFS network from any client traffic.

For remedy of the “use after free” vulnerability of NFS41 – Please refer to url: https://patchwork.kernel.org/patch/10733769/

it might be new path way in cyber attack. yes, it is uefi.

Preface: UEFI has slowly come to replace BIOS. Whereby Intel schedule to completely replace BIOS with UEFI on all chipsets by 2020.

Quote: Firmware is software, and is therefore vulnerable to the same threats that typically target software.

Technical details: From technical point of view, EFI Runtime services are usually located below 4GB. As a result it has a way into Linux on high memory EFI booting systems.

What is the different when malware alive into these areas?

  • Malware injected into the address space is transient, and will be cleaned up on the next boot.
  • Malware injected into the firmware flash regions is persistent, and will run on every subsequent boot

Using the follow command can display x509 v3 digital certificate and confirm thatgrubx64.efi can read (/boot/efi/EFI/fedora/)grub.cfg. Oh! It is easy to access this file when you have root privileges. But do not contempt this issue.

  • sudo tree /boot/efi
  • sudo hexdump -C /boot/efi/EFI/fedora/shim.efi | egrep -i -C 2 ‘grub|g.r.u.b’
  • sudo strings /boot/efi/EFI/fedora/grubx64.efi | grep grub.cfg

Sound interesting. Should you have interested, please refer below guide book :NIST Special Publication 800-147 BIOS Protection Guidelines https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-147.pdf

China raised the security level for its vessels heading through the Strait of Malacca. Perhaps cyber security vulnerabilities causes shipping traffic jam in that place! Jul 2019

Preface: The string of attacks last month on tankers near Hormuz. It alerting to related industry and countries about bottleneck on supply chain.

Quote: The head of Indonesian Maritime Security Agency, said it’s looking into the issue. And it doesn’t see why China raised the alert status?

From technical point of view: As a matter of fact, it is not difficult to make trouble to world by cyber attack nowadays. For example, Ransomware or exploit the vulnerability on the computer system. As far as we know, on the tankers side, it install GPS and management system. Those systems are the Windows or Linux OS base of machines. If you are belongs to marine industry especially shipping company, see whether you are require to re-cofirm the patch level of your maritime bandwidth management system. Do not let those vulnerabilities causes shipping traffic jam. For more details, please see below url for reference.

Perhaps not merely the specified vulnerability. Should you interested if the Headline news. Please refer below:

https://www.bloomberg.com/news/articles/2019-07-03/china-raises-warning-for-shipping-in-malacca-strait-people-say

Status update on 8th July 2019: U.S. Coast Guard recommendation: the maritime community can help strengthen their defenses by implementing the following basic cybersecurity measures:

  • Implement network segmentation.
  • Create network profiles for each employee, require unique login credentials, and limit privileges to only those necessary.
  • Be wary of external media.
  • Install anti-virus software.
  • Keep software updated.

Microsoft Windows RDP Network Level Authentication can bypass the Windows lock screen – Jun 2019

Vulnerability Note VU#576688
Original Release Date: 2019-06-04 | Last Revised: 2019-06-04

Preface: The more the power you have, the greater the risk is being infected.

Synopsis: Microsoft Windows RDP Network Level Authentication can allow an attacker to bypass the lock screen on remote sessions.

My observation: Observing that Microsoft re-engineering the RDP with create a channel with MS_T120 and Index 31.
But vulnerability occurs when someone send data to the system’s MS_T120 channel and reference the closed channel again.

Interim remediation step:

  • RDP is disabled if not needed.
  • SIEM firing rule – client requests with “MST-T120′ on any channel other than 31

Reference: https://kb.cert.org/vuls/id/576688/

May 2019 – Printerlogic shown weak vulnerability management

Preface: Patch management is the best practice of upgrading existing software applications to remove any weak security patches that could be exploited by hackers.

Background: PrinterLogic’s printer and driver management platform reduces infrastructure costs by eliminating print servers and providing centralized management of every printer on the network. Sold in both on-premise and cloud configurations, PrinterLogic also offers secure pull printing, mobile printing, and improved performance in virtual desktop (VDI) environments.

Vulnerability details: For more information on the vulnerability, please visit the following URL – https://www.kb.cert.org/vuls/id/169249/

Comment on CVE-2018-5409: If compromised server connect to a DNS server and perform DNS and DNSSEC protocol-level fuzzing. It may crash the target server.

CVE-2019-1002101: Vulnerabilities found in Kubernetes’ kubectl cp command (3rd May 2019)

Preface: Some supercomputers in the world, they are also using Kubernetes.

Technical background: kubectl controls the Kubernetes cluster manager.Make use of “kubectl cp” command is able to copy files and directories to and from containers.

Vulnerability details: An attacker can fool a user to use the kubectl cp command to copy and store a malicious tar file in a container. Successful exploitation may allow an attacker to overwrite or delete any file in the user’s security context.

Remedy: Kubernetes has released a software update via the following link: https://github.com/kubernetes/kubernetes/releases

Comment: This vulnerability looks has difficulties to compromise the system. However the level of risk depends on the feature of the docker services. So do not contempt the issue because it is hard to predict the level of risk.