Preface: Tip – Any system that supports Single-Sign On SSO is affected by the pass the hash attack.

Background: Windows keeps hashes in LSASS memory, making it available for Single Sign On.

Vulnerability details: An information disclosure vulnerability exists in Microsoft SharePoint when an attacker uploads a specially crafted file to the SharePoint Server.An authenticated attacker who successfully exploited this vulnerability could potentially leverage SharePoint functionality to obtain SMB hashes.The security update addresses the vulnerability by correcting how SharePoint checks file content., aka ‘Microsoft SharePoint Information Disclosure Vulnerability’.

Remedy: Please refer to the official announcement – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1491

Preface: Modern world favor single sing-on function, SAML & application system authentication integrate with Microsoft active directory. Everybody might know such setup contain risk, but theoretically computer aim to make human life comfortable!

Background: The Alcatel-Lucent OmniVista® 8770 Network Management System (NMS) is an all-in-one graphical management application that offers a unified view of your ALE communication network.

Vulnerability details: No CVE reference number has been assigned to these vulnerabilities yet. But it shown that programming flaws made the loopholes happen.

– 4760 suffers an unauthenticated remote code execution as SYSTEM. No special configuration is required

– 8770 and 4760 both suffer a remote administrative password disclosure. No special configuration required

– 8770 suffer an authenticated remote code execution vulnerability. When chained with the disclosure vulnerability, it becomes an unauth RCE. In this case access to the port 389 and a directory license are required

Should you have any doubt of this matter, please contact vendor to find out the details.

Preface: WordPress powers 34% of the internet in 2019, a 4% rise from the previous year. If you count only the CMS-built sites, then about 60% of them are WordPress. On Mar 2019, Expert found that a remote code execution vulnerability exists in WordPress. This is our story begin.

Synopsis: The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the WordPress Security and Maintenance Release and upgrade to WordPress 5.3.1. Perhaps from cyber security point of view, it is better to update as soon as fast.

WordPress 5.3.1 is a short-cycle maintenance release. The next major release will be version 5.4. This schedule remedy four different vulnerabilities. If you haven’t yet updated to 5.3, there are also updated versions of 5.2 and earlier that fix the security issues.

For more information on CVE-2019-9798, please refer to the attached infographic for reference.

The official announcement can be found at this link: https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/

Preface: When you are sitting on the same boat. The risks at the time of the event are equal.

Background: Open Data Protocol (OData) is an open protocol which allows the creation and consumption of queryable and interoperable RESTful APIs in a standard way. Apache Olingo is a Java library that implements the Open Data Protocol (OData). In SAP HANA DB environment, quite a lot of business application system will work with Apache Olingo.

Vulnerability details: The XML content type entity deserializer is not configured to deny the resolution of external entities. Request with content type “application/xml”, which trigger the deserialization of entities, can be used to trigger XXE attacks.

For security advice provided by Symantec, please refer to the link- https://www.symantec.com/security-center/vulnerabilities/writeup/111101?om_rssid=sr-advisories

Preface: When Meltdown and Spectre discovered, the tech community questioned chip security.

Security Focus: A new class of unprivileged speculative execution attacks to leak arbitrary data across address spaces and privilege boundaries (e.g., process, kernel, SGX, and even CPU-internal operations). Who is he?

Side-channel attack targeting Intel chips, allowing hackers to effectively exploit design flaws rather than injecting malicious code. For instance, hacker can use WebAssembly in both Firefox and Chrome to generate machine code which he can use to perform this attacks. If you are interested in learning more, please refer to the attached picture.

Intel has released security updates to address vulnerability in multiple products. The official announcement can be found at this link – https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00317.html

HP urge the customer that it should be acted upon as soon as possible. The “HP Security Update” can be found at this link – https://support.hp.com/us-en/document/c06502052

Preface: Sometimes while designing a software, you might have a requirement to hold some data (for reprocessing at later stage) for some duration. Some software do it within the memory in which they are running while others may create a temporary file for this purpose.

Technical background: The original design of Trend Micro able transform the malicious data for short duration write to temp file. The quarantine method was strips off the first 4096 bytes or so, replaces those with spaces, converts the rest to lowercase and writes it to the temp file. This has the advantage that for the execution of malicious data can be aborted absolutely. The isolation level will be better than memory. Vulnerability details: When TMDS examines javascript it writes snippets of it to a temporary file, which is locked and then deleted almost immediately. But the names of the temp files are sometimes reused. The proof-of-concept shown that the reuse file name can redirect to another file by symbolic link.

Official announcement, please refer to the link: https://success.trendmicro.com/solution/000149495

Preface: Patching is a routine job in Cloud services provider. The job is similar do bathing with your puppy.

Background: There are five virtual appliances (OVA) used for Horizon DaaS; Service Provider, Tenant, Desktop Manager, Resource Manager and Access Point.

Vulnerability details: An unauthorized user with network access to port 427 on an ESXi host or on any Horizon DaaS management appliance may be able to overwrite the heap of the OpenSLP service resulting in remote code execution. We speculate that the vulnerability details shown on attached diagram. You can disable this service in minutes. Guidance for implementation on ESXi and Horizon DaaS have also been published. For details, see below URL: https://www.vmware.com/security/advisories/VMSA-2019-0022.html

How Windows Hello for Business works? It lets Windows 10 users who have devices with fingerprint readers or special cameras log into Windows via fingerprint or facial recognition.

Use cases: Client systems which joined to Kerberos based domains like Active Directory (AD) can use Windows Hello for Business authentication to replace password based authentication and still get full single-sign-on (SSO) access to the resources of the domain.

Vulnerability details: An authenticated attacker could obtain orphaned keys created on TPMs of the design vulnerability.The attacker pretend a user by using stolen private key to authenticate as the user within the domain using Public Key Cryptography for Initial Authentication (PKINIT).

Remark: PKINIT would provide a method to use Kerberos for authentication and get a Kerberos Ticket Granting Ticket (TGT) during the authentication so that network resources can be accessed with Kerberos/GSSAPI.

Official details: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190026

Background: XPC is a type of iOS IPC. Through XPC, an app can communicate with some system services. mediaserverd (/ usr / sbin / mediaserverd) is a daemon process launched by the root process launchd, and its description file is com.apple.mediaserverd.plist stored in / System / Library / LaunchDaemon directory, when the system starts, it will scan all plist files under this directory, start all background processes separately, probably there are more than 50 background processes are the real reason for the pseudo background in the iOS system. The decoding of audio and video involves the operation of hardware. Mediaserverd contains a large amount of code that calls the driver layer. Through xpc, users can prevent overflow attacks and improve system stability. Because the same xpc interface is cross-process, it makes it more difficult for overflow attacks to forge data.

Synopsis: Mediaserverd has various media parsing responsibilities, its reachable from various sandboxes and is able to talk to kernel drivers. Perhaps, hacker can find a valid trigger point in this place.

Status – Even though 13.1.3 IPXR, it also vulnerable. For more details, please refer to diagram.