Category Archives: Under our observation

Microsoft Windows RDP Network Level Authentication can bypass the Windows lock screen – Jun 2019

Vulnerability Note VU#576688
Original Release Date: 2019-06-04 | Last Revised: 2019-06-04

Preface: The more the power you have, the greater the risk is being infected.

Synopsis: Microsoft Windows RDP Network Level Authentication can allow an attacker to bypass the lock screen on remote sessions.

My observation: Observing that Microsoft re-engineering the RDP with create a channel with MS_T120 and Index 31.
But vulnerability occurs when someone send data to the system’s MS_T120 channel and reference the closed channel again.

Interim remediation step:

  • RDP is disabled if not needed.
  • SIEM firing rule – client requests with “MST-T120′ on any channel other than 31

Reference: https://kb.cert.org/vuls/id/576688/

May 2019 – Printerlogic shown weak vulnerability management

Preface: Patch management is the best practice of upgrading existing software applications to remove any weak security patches that could be exploited by hackers.

Background: PrinterLogic’s printer and driver management platform reduces infrastructure costs by eliminating print servers and providing centralized management of every printer on the network. Sold in both on-premise and cloud configurations, PrinterLogic also offers secure pull printing, mobile printing, and improved performance in virtual desktop (VDI) environments.

Vulnerability details: For more information on the vulnerability, please visit the following URL – https://www.kb.cert.org/vuls/id/169249/

Comment on CVE-2018-5409: If compromised server connect to a DNS server and perform DNS and DNSSEC protocol-level fuzzing. It may crash the target server.

CVE-2019-1002101: Vulnerabilities found in Kubernetes’ kubectl cp command (3rd May 2019)

Preface: Some supercomputers in the world, they are also using Kubernetes.

Technical background: kubectl controls the Kubernetes cluster manager.Make use of “kubectl cp” command is able to copy files and directories to and from containers.

Vulnerability details: An attacker can fool a user to use the kubectl cp command to copy and store a malicious tar file in a container. Successful exploitation may allow an attacker to overwrite or delete any file in the user’s security context.

Remedy: Kubernetes has released a software update via the following link: https://github.com/kubernetes/kubernetes/releases

Comment: This vulnerability looks has difficulties to compromise the system. However the level of risk depends on the feature of the docker services. So do not contempt the issue because it is hard to predict the level of risk.

2nd May 2019 – Don’t let you SAP facility become a cyber attack target

Preface: Heard that estimated total of 1,000,000 SAP production systems could currently be at risk of being hacked.

Technical details:
When you configure sap router (saprouter) to allow remote (from the Internet) connections via the SAP GUI. The original design will add entries to the route tables for TCP port 3300, 3301, and 3303 the external application they are using (a gateway connection on these ports).

Default TCP gateway port exploit by hacker:
Since a default pathway built, so the hacker might have a channel to compromise the system. For example, send the malicious code try to conduct remote code execution. As a matter of fact, a proof of concept shown that SAP backend response with malicious code.

Remedy: If you outsource your cyber security watch guard responsibility to managed security services provider. They will create the yara rules to deny such malicious activities.
If not, you are require to create yara rules by yourself on IDS system. For more details, please refer to diagram.

Do you have any concerns on multiple vulnerabilities in WPA3 Protocol? (Arp 2019)

Preface: WPA3 protocol aim to enhance Wi-Fi security protection. Yes, it does. But something wrong with him this time.

Technology Synopsis: The very damaging DoS attack consists of clogging one peer with bogus requests with forged source IP addresses. Due to computationally intensive nature of modular exponentiation, the DH key exchange is highly vulnerable to clogging (DoS) attack.The SAE handshake of WPA3 also uses a cookie exchange procedure to mitigate clogging attacks.

Vulnerability highlights:

  1. The SAE handshake of WPA3 uses a cookie exchange procedure to mitigate clogging attacks.
    But the design of the cookie exchange mechanism has technical limitation. Since everyone will receive the (supposedly secret) cookies.
  2. An attacker with a rogue access point can force the client connecting to it to use WPA2’s 4-way handshake and, consequently, to get enough information to launch an offline dictionary attack.

Should you have interest, please refer to the following url: https://www.kb.cert.org/vuls/id/871675/

Unknown vulnerability Found Affecting Intel CPUs – 5th Mar 2019

Preface: So called Spoilter, a vulnerability given by Intel CPU design limitation. If hacker successful exploit such vulnerability. They can conduct “Rowhammer” attack for privileges escalation.

Vulnerability detail: The speculative execution function of Intel’s processors aim to increase the performance of a CPU. Meanwhile it caused Intel CPU vulnerability issues in the past. A new found technique is able to determine how virtual and physical memory is related to each other. By discovering time differences, an attacker can determine the memory layout and then know which area to attack. For more details, please refer attached diagram for reference.

Remedy: There is no mitigation plan that can completely erase this problem.

Headline news: https://www.theregister.co.uk/2019/03/05/spoiler_intel_processor_flaw/

Conclusion: Perhaps “rowhammer” is hard to detect.. Be remind that a predictive defense solution will be reduce the risk. For example you have 360 degree cyber protection includes spam and DNS filter, SIEM, malware protection and managed security services. The impact cause by this vulnerabilities will be under control.

Security Focus – CVE-2019-0626 Microsoft Windows DHCP Server Remote Code Execution Vulnerability (12th Feb 2019)

Preface: This vulnerability is included in MS Patch Tue this week. However the vulnerability is more critical than others. Since threat actor can be conduct a remote code execution through social engineering.

Technical highlight: The official announcement told that attacker could exploit the vulnerability by sending a DHCP packet that submits malicious input to the affected software because a design weakness occurs in software (DHCP server) which has a flaw of handles objects in memory. A successful exploit could allow the attacker to execute arbitrary code and compromise the system completely.

My observation: We did not found additional details of this vulnerability. My speculation is that whether windows 2008 DHCP server has non page memory leak flaw which causes this problem. What do you think?

Official remediation: CVE-2019-0626 | Windows DHCP Server Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0626

Marvell Avastar wireless SoCs have multiple vulnerabilities – 5th Feb 2019

Preface: The Marvell 88W8897A SoC (System on a Chip) is the industry’s first 802.11ac chip to combine Bluetooth 4.2, mobile MIMO (Multi-input Multi-output), transmit beamforming, and with built-in support for all screen projection technologies.

Technology Background:
Computer design primary focus on memory usage. Even though without an exception in SoC (System on a Chip) design.

Vulnerability found: During Wi-Fi network scans, an overflow condition can be triggered, overwriting certain block pool data structures.

Exploitation of vulnerability: Attacker can exploit ThreadX block pool overflow vulnerability to intercept network traffic or achieve code execution on the host system.

Remedy: Marvell encourages customer to contact their Marvell representative for additional support.

Remark: This vulnerability was post on headline news on mid of January 2019. However we could not found any positive responses announce by vendor.

Microsoft Exchange 2013 and newer are vulnerable to NTLM relay attacks – 28th Jan 2019

Preface: EWS Push Subscription, you will get notifications as long as you respond to the server and acknowledge that you received the notification.

The CERT Coordination Center (CERT/CC) announcement – 29th Jan 2019: Microsoft Exchange 2013 and newer are vulnerable to NTLM relay attacks

Vulnerability detail: Exchange allows any user to specify a desired URL for Push Subscription, and the server will attempt to send notifications to this URL….. For more detail, please refer to attached diagram for reference.

Remedy:

  1. Disable EWS push/pull subscriptions.
  2. Remove privileges that Exchange has on the domain object.

Technical article for reference: https://www.kb.cert.org/vuls/id/465632/

Who can you trust in the Internet world? Security Issues with LOAD DATA LOCAL in MySQL DB.

Preface: Some organizations that use MySQL include GitHub, US Navy, NASA, Tesla, Netflix, WeChat, Facebook, Zendesk, Twitter, Zappos, YouTube,…etc

Background: Technology writer Ionut Ilascu alert that there is command in MySQL server could be use for steal the personal and web server data without a high level evasion technique.

Technical overview:
Security Issues with LOAD DATA LOCAL on MySQL DB server side:
Such a server could access any file on the client host to which the client user has read access.

Security Issues with LOAD DATA LOCAL on web server side:
In a Web environment where the clients are connecting from a Web server, a user could use LOAD DATA LOCAL to read any files that the Web server process has read access to.

Sounds scary. Should you have interest of this topic, please refer below url: https://dev.mysql.com/doc/refman/8.0/en/load-data-local.html