Category Archives: Under our observation

ISC Releases Security Advisories for DHCP, BIND

US-CERT encourages users and administrators to review the ISC Knowledge Base articles below.

https://kb.isc.org/article/AA-01565/75/CVE-2018-5732

https://kb.isc.org/article/AA-01562/74/CVE-2018-5734

Perhaps this is beyond the end user's control!

What is ISC(Internet Systems Consortium)?

F Root System (ISC) – Enables users around the world to resolve top-level domains such as .com, .uk and .edu; a reliable anycast network with over 125 nodes; hosted in local IXes and on the Cloudflare network, managed by ISC. Vulnerabilities have now been found in ISC's DHCP and BIND. Is this something to take precautions about?

 

Application security awareness – Before Html5 full cover up, we must stay alert of Html4

Preface:

Bitcoin-mining malware, cyber espionage programs and other malicious code often rely on nothing more than an iframe. Where do they come from?

Understanding

Frame: The main advantage of frames is that it allows the user to view multiple documents within a single Web page. It is possible to load pages from different servers in a single frameset.

iframe: Iframes are often used to load third party content, ads and widgets. The main reason to use the iframe technique is that the iframe content can load in parallel with the main page.

embed: The <embed> tag defines a container for an external application or interactive content (a plug-in).

Object: The HTML <object> element represents an external resource, which can be treated as an image, a nested browsing context, or a resource to be handled by a plugin.

Discussion topic

The descriptions above summarize the features of iframe, frame, embed and object and show the advantages of those components. However, the IFRAME element carries an explicit security risk if any page on your site contains an XSS vulnerability that can be exploited.

a. Clickjacking – see below diagram for reference

A playful way to conduct clickjacking (see below). To be honest, this scenario could let a spy or secret agency evade surveillance. So it is not hacking; it is a methodology.

b. Hidden iframe linking to malicious website – see below diagram for reference

c. JavaScript on pages with an embedded iframe (tricks such as using the victim's CPU resources for bitcoin mining).

Threat actors develop a page with an iframe that manipulates the document within the iframe. Their goal is bitcoin mining.

 

1. Create a VSTO Word document-level project using Visual Studio.

2. Drag a WebBrowser control onto the document's surface.

3. Edit ThisDocument_Startup to navigate the WebBrowser (code sample displayed below).

Code Snippet
// Runs when the document opens; points the embedded WebBrowser control at the target URL,
// so the web content (and any iframes it contains) is loaded from inside the Word document.
private void ThisDocument_Startup(object sender, System.EventArgs e)
{
    this.webBrowser1.Navigate(@"http://www.microsoft.com/en/us/default.aspx");
}

For more details, please refer to below diagram for reference.

Mitigation Strategy Tips, Hints and Tricks

Overview of programming language

The top seven most in-demand coding languages as we move into 2018. Some languages like Swift didn’t make the top seven because they have lower job demand.

Since many programming languages are in use, it is difficult to close vulnerabilities effectively across all of them. Let's take an overview of how existing programming languages are being used.

Hints and Tricks

PHP code to prevent iframe loading on dynamic PHP pages

<?php
// Send the header before any output so the browser refuses to render this page inside a frame.
header("X-Frame-Options: DENY");
?>

JavaScript code to prevent loading an iframe on static HTML pages

<script type="text/javascript">
// Frame busting: if this document is not the top-level window, replace the framing page with this one.
if (self.parent && !(self.parent === self) && self.parent.frames.length != 0) {
    self.parent.location = document.location;
}
</script>

Note that script-based frame busting only works when the framing page lets the script run, so it is a fallback for static hosting where no header can be set; the X-Frame-Options header is the reliable control.

Prevent iframe loading in Static HTML pages

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Iframe Blocker</title>

<script type="text/javascript">
if( (self.parent && !(self.parent===self))
    &&(self.parent.frames.length!=0)){
    self.parent.location=document.location
}
</script>

</head>
<body>
<h1>Welcome</h1>

</body>
</html>

Prevent iframe loading in the Python web development framework Django

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. In Django the value is set in settings.py and is emitted by django.middleware.clickjacking.XFrameOptionsMiddleware, which must be listed in MIDDLEWARE for the header to be sent:

X_FRAME_OPTIONS = 'DENY'

General principle: X-Frame-Options

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/

Note that ALLOW-FROM is a legacy directive that current browsers do not honour; the Content-Security-Policy frame-ancestors directive is the supported way to allow a specific origin to frame a page.
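As an added example (not code from the original post), a small Python checker that applies the three X-Frame-Options directives above to a captured set of response headers and decides whether a given embedding origin would be allowed to frame the page. The header dictionaries and URLs are constructed for illustration.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Return scheme://host[:port] in lower case; this is what SAMEORIGIN and ALLOW-FROM compare."""
    parts = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(parts.scheme.lower())
    host = (parts.hostname or "").lower()
    if parts.port is None or parts.port == default_port:
        return f"{parts.scheme.lower()}://{host}"
    return f"{parts.scheme.lower()}://{host}:{parts.port}"


def framing_allowed(headers: dict, page_url: str, embedder_url: str) -> bool:
    """True if a browser honouring X-Frame-Options would render page_url inside a frame on embedder_url.

    Only the header is consulted; script-based frame busting is not a browser-enforced control.
    """
    # HTTP header names are case-insensitive, so "X-FRAME-OPTIONS" (as sent by the PHP
    # snippet above) and "X-Frame-Options" are the same header.
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    value = lowered.get("x-frame-options")
    if value is None:
        return True  # no header at all: every site may frame the page
    directive = value.upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(embedder_url)
    if directive.startswith("ALLOW-FROM"):
        # Modelled as written, but current browsers ignore ALLOW-FROM entirely, so a site
        # relying on it should move to Content-Security-Policy: frame-ancestors.
        allowed = value[len("ALLOW-FROM"):].strip()
        return origin_of(embedder_url) == origin_of(allowed)
    return True  # unrecognised value: browsers ignore the header, leaving the page frameable


def audit(responses: dict, page_url: str, embedder_url: str) -> dict:
    """Map each captured response (label -> headers) to whether embedder_url could frame it."""
    return {label: framing_allowed(hdrs, page_url, embedder_url) for label, hdrs in responses.items()}


# Constructed sample responses standing in for the three deployments described on this page.
SAMPLE_RESPONSES = {
    "php_deny": {"Content-Type": "text/html", "X-FRAME-OPTIONS": "DENY"},
    "django_sameorigin": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "static_html_no_header": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    results = audit(SAMPLE_RESPONSES, "https://example.com/page", "https://attacker.example/")
    for label, allowed in results.items():
        print(f"{label}: {'FRAMEABLE' if allowed else 'protected'}")
```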

Summary

The <iframe> scrolling attribute is not supported in HTML5; use CSS instead. However, CSS has its own design weaknesses. CSS injection vulnerabilities arise when an application imports a style sheet from a user-supplied URL, or embeds user input in CSS blocks without adequate escaping. They are closely related to cross-site scripting (XSS) vulnerabilities.

 

Should you have the goal to require more, please let me know.

—- End —–

 

Tomcat – CVE-2018-1305 – Don’t ignore!

Apache and Tomcat together account for more than 60% of server usage on the internet. A common practice is for the Apache server to hold the static pages or act as a front end (reverse proxy), while the Tomcat server tends to be the major application component. So all your Java applications, configuration and DB service IDs will be located there.

This week a vulnerability was found in Tomcat. Successful exploitation of the design flaw exposes resources to users who were not authorised to access them. Folks, do not ignore this vulnerability. Stay alert!

Should you have interest in this news, please refer to the URL below for reference.

https://securitytracker.com/id/1040428

SCADA manufacturer security awareness awaken – ABB

I speculate that APT actors will proactively engage the electric power supply industry and target manufacturers this year, since they all deploy SCADA systems. Perhaps mounting an attack in this zone is seen as more effective than negotiating with a world trade commissioner to reduce another country's quota. SCADA manufacturers have awakened to the fact that a severe cyber attack would jeopardize the firm's reputation.

A vulnerability was found in an ABB SCADA system this month. The severity level is not defined yet, but SCADA end users must stay alert. For more detail, please refer to the URL below for reference.

http://search-ext.abb.com/library/Download.aspx?DocumentID=1MRS257731&LanguageCode=en&DocumentPartId=&Action=Launch

The US Securities and Exchange Commission (SEC) new guidance

Big country versus Big discussion:

The US Securities and Exchange Commission (SEC) released a statement urging high-ranking executives not to trade stocks before disclosing breaches, major vulnerabilities, and other cybersecurity-related incidents.

New guidance – https://www.sec.gov/rules/interp/2018/33-10459.pdf

Meanwhile Intel released guidance this week (details of availability and schedule for the microcode update). For more details, please see the URL below for reference.

https://newsroom.intel.com/wp-content/uploads/sites/11/2018/02/microcode-update-guidance.pdf

It is a funny cyber and economic world!

 

 

For your attention! Multiple vulnerabilities in both Drupal 7 and Drupal 8

It is indeed a tragedy: multiple vulnerabilities in both Drupal 7 and Drupal 8. Drupal is a free and open source content-management framework written in PHP and distributed under the GNU General Public License.

In short, to avoid unforeseen technology risk, please read the official announcement below:

https://www.drupal.org/sa-core-2018-001

Synopsis:

Comment reply form allows access to restricted content – Critical – Drupal 8

Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.

This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.

JavaScript cross-site scripting prevention is incomplete – Critical – Drupal 7 and Drupal 8

Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML. This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.

The PHP functions which Drupal provides for HTML escaping are not affected.

Private file access bypass – Moderately Critical – Drupal 7

When using Drupal’s private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.

jQuery vulnerability with untrusted domains – Moderately Critical – Drupal 7

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit.

For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 as a side effect of upgrading Drupal core to use a newer version of jQuery. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.

Language fallback can be incorrect on multilingual sites with node access restrictions – Moderately Critical – Drupal 8

When using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability.

This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hook_node_access_records().

Note that the update will mark the node access tables as needing a rebuild, which will take a long time on sites with a large number of nodes.

Settings Tray access bypass – Moderately Critical – Drupal 8

The Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for.

If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses.

This vulnerability can be mitigated by disabling the Settings Tray module.

External link injection on 404 pages when linking to the current page – Less Critical – Drupal 7

Drupal core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.

Solution:

Install the latest version.


————————-  End ———————————————–

Cisco Releases Security Updates for Multiple Products – 21st Feb 2018

Understanding:

The VOSS platform is integrated in Cisco HCS, where it is called Cisco Unified Communications Domain Manager (UCDM). VOSS has web services application programming interfaces (APIs) available to third-party developers. Features of VOSS include web-based administration, centralised management, collaboration lifecycle management, collaboration service management, and a business process layer on top of network infrastructure and communications architecture management.

The Cisco Elastic Services Controller (ESC) provides a comprehensive lifecycle management platform for NFV. It provides end-to-end capabilities to automate tasks such as deploying, monitoring, and elastically scaling virtualized functions, and makes them available as a business-level service.

Security updates:

Cisco Unified Communications Domain Manager Remote Code Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-ucdm

Cisco Elastic Services Controller Service Portal Authentication Bypass Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-esc

Cisco Elastic Services Controller Service Portal Unauthorized Access Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-esc1

Cisco Unified Customer Voice Portal Interactive Voice Response Connection Denial of Service Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-cvp

About APT37

A cyber security company (FireEye) has been bold enough to accuse a country. As a matter of fact, the APT threat actor made a mistake and inadvertently revealed their location. According to the details provided by FireEye, APT37 developed a total of 10 different types of malware to meet their goals. Based on my observation, I would suggest staying alert to one backdoor malware in particular, nicknamed SHUTTERSPEED. Its overall specification is equivalent to Trojan spyware; it is also known as Trojan-Spy.Win32.Agent.jkvl.

Since this spyware is not a new design, Windows Defender and antivirus products are capable of killing it. However, an attack using multiple types of malware might still give this trojan the opportunity to be implanted on a workstation.

Should you be interested in the full picture of APT37's attacks, please refer to the URL below for reference.

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

 

UK cyber security agency sticks with China’s Huawei despite US spy fears

The espionage scandal jeopardizes a trustworthy reputation. However, China is not the initiator of espionage programs, and America worries about cross-country espionage. It is hard to tell who's right or who's wrong!

UK cyber security agency sticks with China's Huawei despite US spy fears. For more details, please refer to the URL below for reference.

http://www.telegraph.co.uk/technology/2018/02/20/uk-cyber-security-agency-sticks-chinas-huawei-despite-us-spy/

IoT World and Smart City must staying wide-awake!

Smart city projects are being implemented widely around the world. The framework transforms the existing IT domain, which includes cloud computing, virtual machines, routers and network infrastructure. Meanwhile it carries the design flaws, the so-called vulnerabilities, along with it. As we know, Microsoft has its well-known Patch Tuesday to mitigate critical risks in its products. Since IoT technology goes hand in hand with smart city projects, it is hard to avoid choosing a product that must be patched frequently. Even if you use a proprietary product, it is hard to avoid vulnerabilities. A question has been put to the world: smart city facilities involve public safety regulations. If smart city facilities become the mainstream of society, and the major facilities suffer denial of service through heap corruption, how bad do you think the situation will be?

CVE-2017-18187
In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through an integer overflow in PSK identity parsing in the ssl_parse_client_psk_identity() function in library/ssl_srv.c.

CVE-2018-0488
ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, when the truncated HMAC extension and CBC are used, allows remote attackers to execute arbitrary code or cause a denial of service (heap corruption) via a crafted application packet within a TLS or DTLS session.

CVE-2018-0487
ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via a crafted certificate chain that is mishandled during RSASSA-PSS signature verification within a TLS or DTLS session.

Official announcement for reference.

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01