Category Archives: Under our observation

Quick look into the virtual machine zone (CVE-2018-8897) – 05/18/2018

The technology world is a challenging zone. The word “rest” does not seem to apply to system developers, application programmers and IT experts! I recall the vulnerability (CVE-2018-8897) for review. It was announced by security experts a week ago. Perhaps you already have a full understanding; however, in my view there is no harm in doing the review, since it is important. I have time to drill down into the details and visualize my standpoint. This CVE mainly concerns the mishandling of an assembler instruction sequence by system developers, because they overlooked advice from the CPU vendor. In short, the issue is that if the instruction following a MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs. So the focus will go to the virtual machine world. Yes, we are in a cloud computing world at the moment. For more details, please refer to the URL below.

https://nvd.nist.gov/vuln/detail/CVE-2018-8897

Software design limitation causes hardware-involved software attacks – Shanghai 2345 Network

Shanghai 2345 Network's major business focuses on Mainland China. This company provides Internet access platforms. It provides 2345 Website navigation, which helps users find the site entrance they need, as well as weather forecasts, practical inquiries, commonly used software downloads, e-mail login, a search engine portal, online collection and other common Internet services; 2345 Accelerated browser, a computer software; mobile applications; and 2345 Loan King, an Internet credit platform. However, vulnerabilities have been found in their Security Guard 3.7 software. Given the vulnerabilities, it is better to uninstall this software. It looks strange that the official website still has the version 3.7 software available for download. Besides, there is no security alert to customers. If you visit the official website today, the latest software update was issued on 20th April 2018. Nothing done and no remediation. Strange!

Official web site shown as below:

http://safe.2345.cc/log.htm

Remark: Due to market demand and general ease of access, the efforts have been primarily focused around client software, effectively limiting kernel code coverage to a few generic syscall and IOCTL fuzzers.

May 18, 2018 – ISC Releases Security Advisories for BIND

ISC released Security Advisories for BIND on May 18, 2018. This alert awakened my defense thinking. I have written a few articles about electronic war and the cyber arsenal, but forgot to include a scenario such as the one announced by ISC today (Security Advisories for BIND). The subject (ISC Releases Security Advisories for BIND) indeed describes a hacking scenario that focuses on doing bad things to the world (distributed denial of service against worldwide DNS services). The method is not difficult to understand: CVE-2018-5737 + CVE-2018-5736.

Phase 1 of such a cyber attack is one-to-many distribution (initiating a zone transfer), followed by triggering the vulnerability (CVE-2018-5737). As a result, smartphones, servers and workstations all stop working because no DNS service will be available! You can find hints in the attached diagram. For more details about the vulnerabilities, please refer to the URLs below.

CVE-2018-5737: BIND 9.12’s serve-stale implementation can cause an assertion failure in rbtdb.c or other undesirable behavior, even if serve-stale is not enabled.

https://kb.isc.org/article/AA-01606/0

CVE-2018-5736: Multiple transfers of a zone in quick succession can cause an assertion failure in rbtdb.c.

https://kb.isc.org/article/AA-01602/0
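The advisory for CVE-2018-5736 describes "multiple transfers of a zone in quick succession" as the trigger condition. As an added example (not ISC's code and not taken from the advisories above), the following Python script reads BIND query-log lines and flags zones that receive a burst of AXFR/IXFR requests inside a short window, which is the kind of event a resolver or authoritative operator would want to see in a SIEM while patching is scheduled. The log lines are constructed in the style of BIND's `queries` log category and are not real data; the threshold and window size are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines imitating BIND's "queries" category (not real logs).
# The last two lines are a normal A query and an unrelated xfer-in message;
# neither should be counted as a transfer request.
SAMPLE_LOG = """\
18-May-2018 09:00:01.100 queries: info: client 192.0.2.10#41233 (example.com): query: example.com IN AXFR -TE 192.0.2.1
18-May-2018 09:00:01.900 queries: info: client 192.0.2.10#41234 (example.com): query: example.com IN AXFR -TE 192.0.2.1
18-May-2018 09:00:02.300 queries: info: client 192.0.2.11#41235 (example.com): query: example.com IN IXFR -TE 192.0.2.1
18-May-2018 09:00:02.800 queries: info: client 192.0.2.10#41236 (example.com): query: example.com IN AXFR -TE 192.0.2.1
18-May-2018 09:30:10.000 queries: info: client 192.0.2.10#41300 (example.org): query: example.org IN AXFR -TE 192.0.2.1
18-May-2018 09:00:05.000 queries: info: client 198.51.100.7#53001 (www.example.com): query: www.example.com IN A -E 192.0.2.1
18-May-2018 09:00:03.000 xfer-in: info: transfer of 'example.com/IN' from 192.0.2.1#53: Transfer completed: 1 messages, 12 records, 400 bytes, 0.001 secs
"""

# Matches both the older "client 1.2.3.4#port" and the newer "client @0x... 1.2.3.4#port" forms.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r".*?client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ "
    r"\([^)]*\): query: (?P<zone>\S+) IN (?P<qtype>AXFR|IXFR)\b"
)


def parse_transfer_requests(log_text):
    """Return (timestamp, zone, client_ip, qtype) tuples for AXFR/IXFR queries only."""
    events = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        zone = m.group("zone").rstrip(".").lower()
        events.append((ts, zone, m.group("ip"), m.group("qtype")))
    return events


def find_transfer_bursts(events, threshold=3, window_seconds=10):
    """Flag zones with at least `threshold` transfer requests inside any window of
    `window_seconds`.  Returns {zone: (peak_count, window_start, sorted_client_ips)}.
    Threshold and window are assumptions; tune them for your own traffic."""
    by_zone = defaultdict(list)
    for ts, zone, ip, _ in events:
        by_zone[zone].append((ts, ip))

    bursts = {}
    for zone, reqs in by_zone.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            # Slide the window start forward until it fits inside window_seconds.
            while (reqs[end][0] - reqs[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and (zone not in bursts or count > bursts[zone][0]):
                clients = sorted({ip for _, ip in reqs[start:end + 1]})
                bursts[zone] = (count, reqs[start][0], clients)
    return bursts


if __name__ == "__main__":
    found = find_transfer_bursts(parse_transfer_requests(SAMPLE_LOG))
    for zone, (count, started, clients) in found.items():
        print("%s: %d transfer requests from %s starting %s" % (zone, count, clients, started))
```

This only detects the pattern; the remediation is the upgraded BIND release from the advisory. Restricting who may request transfers at all with BIND's `allow-transfer` ACL shrinks the population of clients that can produce such a burst in the first place.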

May 15, 2018 – VMware releases security update. Alert!

VMware just released a security update to address a vulnerability in NSX SD-WAN Edge by VeloCloud. I couldn't find technical details, but the vendor states that VeloCloud by VMware will be removing the web UI component service from the product in future releases. My speculation is that the existing design limitation can combine with the former vulnerability (CVE-2017-4947). As a result, a risk arises. See the hints below for reference.

There are two different product editions of NSX: NSX for vSphere and NSX for Multi-Hypervisor (MH). It’s speculated they will merge down the road, but for many possible, or soon to be, users of NSX, it doesn’t matter, because they are used to support different use cases. NSX for vSphere is ideal for VMware environments, while NSX for MH is designed to integrate into cloud environments that leverage open standards, such as OpenStack.

Vulnerability Details for reference:

Unauthenticated Command Injection vulnerability in VMware NSX SD-WAN by VeloCloud

https://www.vmware.com/security/advisories/VMSA-2018-0011.html

CVE-2017-4947: vRealize Automation, vSphere Integrated Containers, and AirWatch Console updates address multiple security vulnerabilities

https://www.vmware.com/security/advisories/VMSA-2018-0006.html

Published Monday, May 14, 2018 – Adobe Releases Security Updates


Death Note is a Japanese manga series. The story describes a notebook: if someone's name is written in it while the writer imagines that person's face, he or she will die. Computers and smartphone devices with Adobe Acrobat Reader installed are in a similar situation. The vulnerabilities in Adobe Acrobat and Reader and Photoshop CC mean a remote attacker could exploit some of them to take control of an affected system. As a result, the system is compromised. Please be reminded that these Adobe design flaws are critical-level vulnerabilities. IT admins must stay extra alert.

See below security updates for reference.

Security updates available for Adobe Acrobat and Reader:

https://helpx.adobe.com/security/products/acrobat/apsb18-09.html

Security updates available for Adobe Photoshop CC:

https://helpx.adobe.com/security/products/photoshop/apsb18-17.html

Security Alert – Debug Exception May Cause Unexpected Behavior (8 May 2018)

CVE-2018-8897 indicates unexpected behavior for debug exceptions. One possible consequence is that a local attacker could exploit this bug to obtain sensitive information. According to my observation, this issue was found in 2008 by a system developer accidentally. However, the dangerous aspect of this vulnerability is that it is difficult to detect. It is hard to imagine the actual situation once a threat actor successfully re-engineers this bug into a cyber attack. At the moment, no idea what will come next. Should you be interested in the details, please refer to the URL below.

https://www.kb.cert.org/vuls/id/631579

Any further idea on SAN storage data deduplication function under GDPR data protection policy

EU GDPR is held on 28th May, 2018. We believe that enterprise firms are ready. The GDPR policy indirectly assists both employees and consulting firms with business and career development. Many companies need to hire a data protection officer. Meanwhile, consulting companies have the opportunity to promote data protection consulting services. But more and more opportunities are coming soon, even though the deadline is at the end of this month. See the example below; you might get more ideas on how to do business development.

Example: User (A) in an EU country sends a confidential document to non-EU user (B). The data will be stored in the cloud. We know that deduplication is common in cloud computing. But under the GDPR data protection policy, it is better to turn off the deduplication function.

Remark: I heard that a company offers an EU IP address blocking service for companies that do not operate in EU countries. Do you have any new ideas in this regard?

Hackers are also interested in the SIEM operation (CVE-2018-1418)

SIEM functions play an important role in the IT infrastructure, and therefore the security architect plans the SIEM design not only around log collection, correlation, alerts and report templates. A critical item must also be added to the design objectives: how to hide your SIEM. For instance, a hacker's most likely target is the IT admin or CSO because they have confidential data or privileged IDs on hand. Besides, hackers are also interested in the SIEM operation.

IBM QRadar announced a vulnerability in their SIEM. QRadar admins must stay alert!

Since IBM does not mention the possible cause of this vulnerability, I reviewed their Windows event log collection method. My speculation is shown below:
QRadar requires an XPath query to communicate with Windows servers.
An XPath query is a log source parameter that filters specific events when the query communicates with a Windows 2008 or newer event log.
XPath injection can also lead to extracting the document structure and modifying document information, in addition to escalating privileges.
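The speculation above turns on untrusted values reaching an XPath filter. As an added example, not IBM's or QRadar's code (the product's real internals are not on this page), here is a Python builder for Windows event-log XPath filters in the `*[System[...]]` form Event Viewer accepts, shown first as plain string concatenation and then with input validation that stops a filter value from changing the query's structure. The provider names, event IDs and the tainted value are illustrative and constructed for this example.

```python
import re

# Provider names may contain only letters, digits, space, dot, hyphen and underscore.
# Quotes, brackets, parentheses, '|' and '/' are exactly the characters an injected
# value needs to close the literal and append its own predicate, so they are rejected.
_PROVIDER_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,128}$")


class XPathFilterError(ValueError):
    """Raised when a filter parameter would not be a plain value in the query."""


def unsafe_event_filter(provider, event_id):
    """The defective pattern: parameters pasted straight into the XPath text.
    Kept only to show what the validating builder below prevents."""
    return "*[System[Provider[@Name='%s'] and (EventID=%s)]]" % (provider, event_id)


def _check_int(value, low, high, what):
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(value, bool) or not isinstance(value, int) or not low <= value <= high:
        raise XPathFilterError("%s must be an integer in %d..%d" % (what, low, high))
    return value


def safe_event_filter(provider, event_id, levels=None):
    """Build an event-log XPath filter from typed, validated parameters.

    provider  : event provider name, e.g. Microsoft-Windows-Security-Auditing
    event_id  : numeric event ID (0..65535)
    levels    : optional list of event levels (0..5) to OR together
    """
    if not isinstance(provider, str) or not _PROVIDER_RE.match(provider):
        raise XPathFilterError("provider name contains characters outside the allowed set")
    _check_int(event_id, 0, 65535, "event_id")
    clauses = ["Provider[@Name='%s']" % provider, "(EventID=%d)" % event_id]
    if levels:
        for lvl in levels:
            _check_int(lvl, 0, 5, "level")
        clauses.append("(" + " or ".join("Level=%d" % lvl for lvl in levels) + ")")
    return "*[System[" + " and ".join(clauses) + "]]"


if __name__ == "__main__":
    # Constructed tainted value: closes the Name literal and adds its own predicate.
    tainted = "Security-Auditing'] or Provider[@Name='Other"
    print("unsafe:", unsafe_event_filter(tainted, 4625))
    print("safe:  ", safe_event_filter("Microsoft-Windows-Security-Auditing", 4625, levels=[2, 3]))
    try:
        safe_event_filter(tainted, 4625)
    except XPathFilterError as exc:
        print("rejected:", exc)
```

The design choice is that the caller never supplies query text, only a provider name, an integer event ID and integer levels; every piece of syntax in the resulting filter comes from the builder itself. For a log source whose filter must be stored as free text, the same validation should run at the point where the text is accepted, before it is saved as a parameter.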

For more details, please see the URL below.

CVE-2018-1418 – IBM Security QRadar SIEM privilege escalation

https://exchange.xforce.ibmcloud.com/vulnerabilities/138824

Integrated GPU may allow side-channel and rowhammer attacks – 03 May 2018 | Last revised: 03 May 2018

Side-channel attacks look never-ending in the CPU world.
The so-called rowhammer attack jeopardizes the cyber security world today, especially smartphones. The worst part is that it can alter the information saved in a computer's memory once the attack succeeds.

An academic paper describes an attack called “GLitch,” which leverages two different techniques to achieve a compromise of a web browser using WebGL (see the URL below for reference).

https://www.vusec.net/wp-content/uploads/2018/05/glitch.pdf

Impact

The attacker may be able to bypass security features provided by the web browser.

Observation:

Last month, Microsoft and Cisco announced that they intend to integrate the new Intel Threat Detection Technology to help defend against advanced security threats.
I think they have to consider this technical problem before kicking off their project.

https://newsroom.intel.com/editorials/securing-digital-world-intel-announces-silicon-level-security-technologies-industry-adoption-rsa-2018/

Status:


Vendor                    Status        Date Notified  Date Updated
Google                    Affected      16 Mar 2018    03 May 2018
Mozilla                   Affected      16 Mar 2018    03 May 2018
Microsoft                 Not Affected  16 Mar 2018    25 Apr 2018
AMD                       Unknown       16 Mar 2018    16 Mar 2018
Apple                     Unknown       16 Mar 2018    16 Mar 2018
Arm                       Unknown       26 Apr 2018
BlackBerry                Unknown       16 Mar 2018    16 Mar 2018
Brave Software            Unknown       16 Mar 2018    16 Mar 2018
Broadcom                  Unknown       16 Mar 2018    16 Mar 2018
IBM, INC.                 Unknown       26 Apr 2018    26 Apr 2018
Imagination Technologies  Unknown       16 Mar 2018    16 Mar 2018
Intel                     Unknown       16 Mar 2018    16 Mar 2018
NVIDIA                    Unknown       16 Mar 2018    16 Mar 2018
Opera                     Unknown       16 Mar 2018    16 Mar 2018
QUALCOMM Incorporated     Unknown       16 Mar 2018    16 Mar 2018

6 vulnerabilities in some Huawei products – The culprit, SOAP!

The Simple Object Access Protocol (SOAP) invokes objects on a remote machine.
It is XML-based messaging and thus runs on top of HTTP/HTTPS.
That is the reason why a firewall cannot block it to any significant degree.
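Because SOAP rides on ordinary HTTP/HTTPS, a port-based firewall sees only a web request; the decision has to be made by something that reads the envelope. As an added example, unrelated to Huawei's products or the advisory below, here is a small Python inspector that takes a raw HTTP request, recognises a SOAP 1.1 or 1.2 message from its headers, parses the envelope with the standard library, extracts the operation name from the Body, and allows only operations on an allowlist while refusing oversized bodies and bodies carrying a DTD. The service name `urn:DeviceManager`, its operations and the request bytes are constructed for this example.

```python
import xml.etree.ElementTree as ET

SOAP_ENVELOPE_NS = (
    "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
    "http://www.w3.org/2003/05/soap-envelope",    # SOAP 1.2
)
MAX_BODY_BYTES = 64 * 1024

# Hypothetical allowlist for an imaginary device-management endpoint:
# only the read-only operation may pass this inspection point.
ALLOWED_OPERATIONS = {("urn:DeviceManager", "GetStatus")}


def make_soap_request(operation, inner_xml=b""):
    """Constructed SOAP 1.1 POST for the hypothetical urn:DeviceManager service."""
    op = operation.encode()
    body = (
        b"<?xml version='1.0'?>"
        b"<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'>"
        b"<soap:Body><m:" + op + b" xmlns:m='urn:DeviceManager'>" + inner_xml
        + b"</m:" + op + b"></soap:Body></soap:Envelope>"
    )
    return (
        b"POST /services/DeviceManager HTTP/1.1\r\n"
        b"Host: device.example.invalid\r\n"
        b"Content-Type: text/xml; charset=utf-8\r\n"
        b"SOAPAction: \"urn:DeviceManager#" + op + b"\"\r\n"
        b"\r\n" + body
    )


def split_http(raw):
    """Split a raw request into (request line, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def looks_like_soap(headers):
    """SOAP 1.2 uses application/soap+xml; SOAP 1.1 uses text/xml plus a SOAPAction header."""
    ctype = headers.get("content-type", "").lower()
    return "application/soap+xml" in ctype or ("text/xml" in ctype and "soapaction" in headers)


def soap_operation(body):
    """Return (namespace, local name) of the first element inside the SOAP Body."""
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("body exceeds %d bytes" % MAX_BODY_BYTES)
    if b"<!DOCTYPE" in body.upper():
        raise ValueError("DTD in SOAP body is not accepted")
    root = ET.fromstring(body)
    ns = root.tag[1:].partition("}")[0] if root.tag.startswith("{") else ""
    if ns not in SOAP_ENVELOPE_NS or not root.tag.endswith("}Envelope"):
        raise ValueError("root element is not a SOAP Envelope")
    body_el = root.find("{%s}Body" % ns)
    if body_el is None or len(body_el) == 0:
        raise ValueError("SOAP Body missing or empty")
    op_tag = body_el[0].tag
    if op_tag.startswith("{"):
        op_ns, _, op_name = op_tag[1:].partition("}")
    else:
        op_ns, op_name = "", op_tag
    return op_ns, op_name


def inspect_request(raw):
    """Return ("not-soap", None), ("allow", op) or ("reject", reason)."""
    _, headers, body = split_http(raw)
    if not looks_like_soap(headers):
        return ("not-soap", None)
    try:
        op_ns, op_name = soap_operation(body)
    except (ET.ParseError, ValueError) as exc:
        return ("reject", str(exc))
    if (op_ns, op_name) in ALLOWED_OPERATIONS:
        return ("allow", op_name)
    return ("reject", "operation %s not in allowlist" % op_name)


if __name__ == "__main__":
    print(inspect_request(make_soap_request("GetStatus")))
    print(inspect_request(make_soap_request("SetConfig", b"<m:key>ntp</m:key>")))
```

The same logic belongs in a reverse proxy or web application firewall in front of the SOAP endpoint; the point of the example is that the operation name, not the port or the URL, is what identifies the request, and that the parser must refuse DTDs and oversized bodies before any XML processing starts.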

An announcement was issued by HUAWEI. For more details, please refer to the URL below.

Security Advisory – Six Vulnerabilities in Some Huawei Products

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180207-01-soap-en