Preface: You found an error in somewhere, sometimes will be expanded your idea of thinking.

Synopsis: Ws2ifsl.sys is found in the C:\Windows\System32\drivers directory. In many cases, a driver creates a symbolic link and its name can be used as a file name for CreateFileA, but this is not the case with ws2ifsl. It only calls nt!IoCreateDevicewith the DeviceName set to ‘\Device\WS2IFSL’. IoCreateDevice creates a device object and returns a pointer to the object. The caller is responsible for deleting the object when it is no longer needed by calling IoDeleteDevice.

Vulnerability details: An elevation of privilege vulnerability exists in the way that ws2ifsl.sys (Winsock) handles objects in memory, aka ‘Windows Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2019-1253, CVE-2019-1278, CVE-2019-1303.

Patch analysis: According to Microsoft patched version (10.0.18362.356). We can see the patched features:
– CreateProcessFile
– Delivery closed
– Signal cancelled
– Signal requirements
– RequestRundownRoutine
– CancelRundownRoutine

Under my observation: If a device name is not supplied (that is, DeviceName is NULL), the device object created by IoCreateDevice will not (and cannot) have a discretionary access control list (DACL) associated with it. Do you think this issue will give an oppuntunity let attacker to exploit?

Preface: Stupid Solutions to Stupid Problems: Hardcoding Your SSH Key in the system.

Vulnerability background: FortiSIEM 5.2.5 / 5.2.6 could use the hardcoded password to log in to the underlying system via Secure Shell (SSH). This means that anyone with access to any FortiSIEM image (to copy the SSH private key) can authenticate successfully via SSH to the FortiSIEM. Supervisor on port 19999/tcp as tunneluser. They will be limited to the /opt/phoenix/phscripts/bin/tunnelshell script, but if this is bypassed then full shell access can be obtained.

Impact: While the user’s shell is limited to running the /opt/phoenix/phscripts/bin/tunnelshell script, SSH authentication still succeeds. Versions 5.2.5 and 5.2.6 have been verified as vulnerable.

Preface: Maastricht University (UM) encountered serious cyber attack,” the university announced on Christmas Eve, December 24, 2019.

Synopsis: Not known the root cause but if ransomware can spread out in a quick way most likely it exploit of the Microsoft SMB Protocol.
Perhaps it is affected by RYUK Ransomware !
Other than that Maastricht University relies on Github with technology programs development. Meanwhile, it similar create a pathway let the cybercriminals fork other projects, which on Github means producing a copy of someone else’s project, to build upon the project or to use as a starting point and subsequently push a new commit with the malware to the project. Such malware can connecting to a GitHub account to obtain the exact location of its C&C servers. Then activate ransomware infection.

Observation: Has any personal information leaked? Therefore, this will be relevant to GDPR regulations.
It is currently unknown if scientific data was also accessed or exfiltrated by the attackers during the attack.

Headline News: Please refer to https://www.bleepingcomputer.com/news/security/ransomware-hits-maastricht-university-all-systems-taken-down/

Preface: FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a versatile software implementation that runs on any commodity hardware.

Background: FreeSWITCH listens on port 8021 by default and will accept and run commands sent to it after authenticating. By default commands are not accepted from remote hosts.

Design weakness: FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. How do hackers exploit vulnerabilities: Since the design weakness shown the default password in event_socket.conf.xml. By default commands are not accepted from remote hosts. If an attacker do python socket programming. It can use the default password and excute the command remotely.

Remedy: It is recommended to block all untrusted python socket connections with a firewall on this device until the vendor provides an official patch.

Preface: Computer technology especially software application is the soul of digital world.

Background: Pingbacks (also known as trackbacks) are a form of automated comment for a page or post, created when another WordPress blog links to that page or post. When you publish a new blog post, WordPress attempts to ‘ping‘ all the sites that were linked to in your post. i.e. Your WordPress website is informing other websites that you’ve linked to them.

Design weakness: Trackbacks and Pingbacks were meant to help inter-blog conversation when the specification was created years ago. These days almost 100% of Trackbacks and Pingbacks are spam, said Akismet. May cause more trouble!

Comments: WordPress release ver 5.3.1 on December 2019. However above concerns seem not been addressed in the moment. Heard that attacker can exploit the weakness of pingback. And work together with XML-RPC. As a result, it will consume system resources causes a denial of service. So we must staying alert!

Remedy: Refer to diagram

5.3.1 Official announcement – https://wordpress.org/support/wordpress-version/version-5-3-1/

Preface: Red Hat is investing in CRI-O and Podman. Meanwhile they are involved in the Open Container Initiative Standards Organization. The goal is to contribute and introduce drive innovation in their products, such as Red Hat OpenShift and Red Hat Enterprise Linux.

Background: Podman decide to provide a simple CLI for managing pods and containers. The design goal of Varlink aims to make services accessible to both humans and machines in the simplest feasible way. They described its product is an “interface description format and protocol”. It is just such another. Podman decided to build the Podman API based on varlink so users and developers can interact with Podman programmatically.

Design Synopsis: Podman relies on a Systemd feature called socket activation. Systemd allows developers to create socket unit files that tells systemd to listen on a particular socket like the unix domain socket “/run/io.projectatomic.podman”. When a process connects to this socket, systemd will launch the command specified in the service file with the same name. The launched command then handles the socket communications.

Vulnerability details: Depend on how Podman and Varlink are deployed, they can be susceptible to local and remote attacks. There are a few API bugs in Podman itself, as well as a way to execute arbitary commands if one can hit Podman via the Remote API. Running Podman with Varlink over tcp listening either on localhost or the network interface is the most vulnerable setup. For more details, please refer to diagram.

Preface: DNS monitoring can let you predict the user behaviour. According to Cisco’s research, over 90% of attacks are done over DNS and only two-thirds of organizations monitor their DNS records.

Technical details:
Go to options->Advanced->Network->Settings->Automatic proxy configuration url and enter 8.8.8.8 All you Mozilla traffic uses Google dns now. Google Public DNS fully supports DNSSEC for Domain Name Security Extensions which works against cache poisoning attacks. Meanwhile if mobile device leave company network, DDNS given by wireless hotspot might have way to leave your monitoring. Due to above feature, the Dutch National Cyber Security Centre (NCSC) has released a fact sheet on the increasing difficulty of Domain Name System (DNS) monitoring. For more details, please refer to URL: https://english.ncsc.nl/publications/factsheets/2019/oktober/2/factsheet-dns-monitoring-will-get-harder