Category Archives: Under our observation

CVE-2018-7642 – GNU Binutils 2.30

Are you aware of CVE-2018-7642? Bug found GNU Binutils 2.30 on 24th Feb 2018. However it noted to my interest that Binutils 2.30 released on 27th Jan 2018. But 3 weeks later, found a system bug causes system crash. The flaw is that it lack of check if “sym” is null. The bug was fixed on 28th Feb 2018. But I was wondering that GNU Binary Utilities, or binutils, are a set of programming tools for creating and managing binary programs, object files, libraries, profile data, and assembly source code. So if you are using GNU Binutils version 2.30, you must be staying alert! Perhaps the design flaw only encounter system crash. But it  is under my observation.

Mar 2018 – A remote attacker could exploit some of these vulnerabilities to take control of an affected Cisco system.

The IT technology vulnerability like cough, running nose,..etc. Medicine please.

Cisco Prime Collaboration Provisioning Hard-Coded Password Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-cpcp

Cisco Secure Access Control System Java Deserialization Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs2

Cisco Web Security Appliance FTP Authentication Bypass Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-wsa

Reminder: Cisco Secure Access Control System

NOTE: This product is no longer being sold and might not be supported.

  • End-of-Life: latest Version – 5.8
  • End of Sale – 30-Aug-17
  • End of Software Maintenance – 30-Aug-18
  • End of Support – 31-Aug-20

 

Google has released Chrome version 65.0.3325.146 – use-after-free vulnerability remediation

To be honest, web browser architecture looks messy due to plug-in, Flash,etc. Google has released Chrome version 65.0.3325.146 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to obtain access to sensitive information. A design flaw looks strange. I speculate that Chrome browser shared previous Flash vulnerability.A memory write is not a necessity. The “use-after-free” type of exploits is that the threat actor duplicate the virtual function table in use. My comment similar NIST, it is strongly recommended upgrade your Chrome to version 65.0.3325.146. Otherwise it is a nightmare especially enterprise IT campus. Below url is the official announcement by Google.

https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html

 

 

Authentication Bypass Vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway – CVE-2018-5314

A Cantonese mantra so called “蝦碌”. “蝦碌” means similar exclamation. Citrix product now falling into this situation. It allow remote attackers to execute a system command or read arbitrary files via SSH login prompt. From technical point of view it is similar Authentication Bypass Vulnerability.

In short, the official announcement shown below url:

https://support.citrix.com/article/CTX232199

Volkswagen Customer-Link App 1.30 CAN Message privilege escalation

Auto Pilot system has been implemented in many countries. Perhaps Auto Pilot function enabled become a hot topic. You are allow to install mobile apps on your Android phone keep track the status of your car. We are really appreciate for Controller Area Network (CAN bus) technology assistance. The vulnerability found on car automation not surprising the world. Since this is a computer technology. The design flaw found on Android App this round belongs to Volkswagen.An attacker can leverage this vulnerability to inject CAN messages. How does it work?

The messages sent seem to fall into one of three categories. One is informative. The other type of message is one requesting action of another ECU (Electronic Control Units). The final type of message is diagnostic. For details, please refer below url for reference.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1170

Is this the cost we are going to pay for automation world?

A never ending of Intel CPU design hiccups story – SgxPectre Attack

The design limitation of Intel Software Guard eXtensions (SGX) start discussion end of 2017. The security expertise focusing the topic on software development for SDK. Since the programming language are mainly written by programming language C and C++. A possibility factor predict that it will be lured for threat actors interest. And therefore a conference held last  year 2017 focus the specifics issue. Regarding to the observation of The Ohio State University observe (Department of Computer Science and Engineering), they found hack tricks which may allow to do in Intel Software Guard eXtension during SDK development. Perhaps Meltdown and Spectre incident override this issue. The security expert including myself awaken this week and starting the similar discussion. This attack so called SgxSpectre attack. No matter what will be happen in future. It tell the world that our electronic industry running too fast. It lack of business maturity model concept involvement.. Yes, we a living in a huge competition market which do not concerning long product life cycle. And the final way encounter hard to resolve issue occurs like the situation today. Technical article for your reference.

SGXPECTRE Attacks:
Leaking Enclave Secrets via Speculative Execution

http://web.cse.ohio-state.edu/%7Ezhang.834/papers/SgxPectre.pdf

Leaking Enclave Secrets via Speculative Execution

https://arxiv.org/pdf/1802.09085.pdf

ISC Releases Security Advisories for DHCP, BIND

US-CERT encourages users and administrators to review ISC Knowledge Base Article.

https://kb.isc.org/article/AA-01565/75/CVE-2018-5732

https://kb.isc.org/article/AA-01562/74/CVE-2018-5734

Perhaps it is out of end user control!

What is ISC(Internet Systems Consortium)?

F Root System (ISC) – Enables users around the world to find top-level domains such as .com, .uk, .edu; Reliable anycast network with over 125 nodes; Hosted in local IXes, and on the Cloudflare network, managed by ISC. A vulnerability found on ISC (DHCP) and (BIND). Does it a precaution?

 

Application security awareness – Before Html5 full cover up, we must stay alert of Html4

Preface:

The bitcoin mining malware, cyber espionage program and malicious malware merely relies on iframe. Where are they from?

Understanding

Frame: The main advantage of frames is that it allows the user to view multiple documents within a single Web page. It is possible to load pages from different servers in a single frameset.

iframe: Iframes are often used to load third party content, ads and widgets. The main reason to use the iframe technique is that the iframe content can load in parallel with the main page.

embed: The <embed> tag defines a container for an external application or interactive content (a plug-in).

Object: The HTML <object> element represents an external resource, which can be treated as an image, a nested browsing context, or a resource to be handled by a plugin.

Discussion topic

Above description summarize the feature of iframe, frame, embed and object. It shown the advantage of those components. However IFRAME element explicitly contains a security risk if any page on your site contains an XSS vulnerability which can be exploited.

a. Clickjacking – see below diagram for reference

A kidding way to conduct clickjacking (see below). To be honest, this scenario may let spy or secret agency to evade surveillance. So, it is not a hacking. It is a methodology.

b. Hidden iframe linking to malicious website – see below diagram for reference

c. Java script for pages with iFrame embedded (do tricks especially sharing victim CPU resources to do bitcoin mining).

Threats actor develop a page with an iframe that manipulates the document within the iframe. Their goal is for bitcoin mining.

 

  1. Create a VSTO Word document level project using Visual Studio

2. Drag a WebBrower onto document’s surface.

3. Edit ThisDocument_Startup to navigate the WebBrowser (code sample displayed below).

Code Snippet
private void ThisDocument_Startup(object sender, System.EventArgs e)

{

this.webBrowser1.Navigate(@"http://www.microsoft.com/en/us/default.aspx");

}

For more details, please refer to below diagram for reference.

Mitigation Strategy Tips, Hints and Tricks

Overview of programming language

The top seven most in-demand coding languages as we move into 2018. Some languages like Swift didn’t make the top seven because they have lower job demand.

Since there are many programming languages are available and therefore it is difficult to closing the vulnerabilities in effective way. Let’ take a overview of existing programming language utilization status.

Hints and Tricks

PHP code to prevent iframe loading on dynamic php pages

<?php
header("X-FRAME-OPTIONS: DENY");
?>

JavaScript code to prevent loading iframe on Static HTML pages

<?php
// php header to prevent iframe loading of your web page
header("X-FRAME-OPTIONS: DENY");
?>
JavaScript code to prevent loading iframe on Static HTML pages
<script type="text/javascript">

// Prevent iframe loading of your web page and redirect to iframe target.
if( (self.parent && !(self.parent===self))
    &&(self.parent.frames.length!=0)){
    self.parent.location=document.location
}
</script>

Prevent iframe loading in Static HTML pages

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Iframe Blocker</title>

<script type="text/javascript">
if( (self.parent && !(self.parent===self))
    &&(self.parent.frames.length!=0)){
    self.parent.location=document.location
}
</script>

</head>
<body>
<h1>Welcome</h1>

</body>
</html>

Prevent iframe loading on Python web development framework (django)

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> , <iframe> or <object> . Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

X_FRAME_OPTIONS = 'DENY'

General principle: X-Frame-Options

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/

Summary

The <iframe> scrolling attribute is not supported in HTML5. Use CSS instead. However CSS has design weakness occurs. A injection vulnerabilities arise when an application imports a style sheet from a user-supplied URL, or embeds user input in CSS blocks without adequate escaping. They are closely related to cross-site scripting (XSS) vulnerabilities.

 

Should you have the goal to require more, please let me know.

—- End —–

 

Tomcat – CVE-2018-1305 – Don’t ignore!

Apache and Tomcat server usage covered more than 60% in cyberworld. A common practice is that Apache server hold the static page or it is a front end (Reversed Proxy function). Tomcat server trend to become a major server component. So all your java application, configure and DB service ID will be located in this place.

This week a vulnerability found on Tomcat. The successful expose the design flaw causes exposed resources to users who were not authorised to access them. Folks, do not ignore this vulnerability. stay alert!

Should you have interest of this news. Please refer below url for reference.

https://securitytracker.com/id/1040428

SCADA manufacturer security awareness awaken – ABB

I speculate that APT attack will be proactive doing their engagement in electric Power supply industry and target manufacturer this year. Since they are all deployed SCADA system. Perhaps engage an attack in this zone as much as better than negotiating with world trade commissioner request to reduce other country quota. The SCADA manufacture awaken the severity level of cyber attack will be jeopardizing  firm reputation.

A vulnerability found in ABB SCADA system this month. The severity level not defined yet. But SCADA end user must be stayed alert. For more detail, please refer be URL for reference.

http://search-ext.abb.com/library/Download.aspx?DocumentID=1MRS257731&LanguageCode=en&DocumentPartId=&Action=Launch