Dejablue vulnerability – Impact on Siemens Health Products (10th Sep 2019)

Preface: For healthcare, cyber attacks can have ramifications beyond financial loss and breach of privacy.

Background: The DejaBlue vulnerabilities lie in the early stages of the RDP connection. The flaws precede the authentication phase, so no passwords or keys are needed to breach the system, and they can eventually lead to remote code execution.

The DejaBlue vulnerability has triggered a medical device manufacturer alert! People rely on doctors to perform surgery and remedy the weaknesses of their health, but the medical industry itself also requires cyber security doctors to remedy the weaknesses in its product design. That is fair. Siemens pioneered the first computed tomography scanner in the 70s, and in 1980 was the first manufacturer to build a magnetic resonance imaging (MRI) scanner. Today their designs are integrated with computing technology, and therefore the zero-days and vulnerabilities of the cyber world become their pain too!

Official announcement: SSA-187667: DejaBlue Vulnerabilities – Siemens Healthineers Products – https://cert-portal.siemens.com/productcert/pdf/ssa-187667.pdf

CVE-2019-15292 Linux Kernel up to 5.0.8 atalk_proc.c atalk_proc_exit memory corruption

Background: AppleTalk support allows your Linux machine to interwork with Apple networks. The components below perform the specified functions.

  • sysctl_net_atalk.c: sysctl interface to net AppleTalk subsystem.
  • ddp.c: AppleTalk DDP protocol for Ethernet ELAP (ethertalk).
  • atalk_proc.c: proc support for Appletalk

The Use-After-Free vulnerability is related to the above three components. Even if you do not use AppleTalk, an attacker can send a request that submits malicious input to the targeted system. A successful exploit could allow the attacker to execute arbitrary code.

In the Linux kernel version 2.6.23, the /proc/sys/vm/mmap_min_addr tunable was introduced to prevent unprivileged users from creating new memory mappings below the minimum address. To enable it, add or amend the following entry in the /etc/sysctl.conf file: vm.mmap_min_addr = 4096

Security Focus: What are NULL pointer dereference flaws in Linux? NULL pointer dereference flaws in the Linux kernel can often be abused by a local, unprivileged user to gain root privileges by mapping attacker-controlled data to low memory pages.

But the above adjustment cannot resolve these vulnerabilities, because if alloc_disk fails in pcd_init_units, cd->disk will be NULL; however, pcd_detect and pcd_exit do not check for this before freeing it. This may result in a NULL pointer dereference.
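The cleanup-path defect described above (a disk pointer left NULL when allocation fails, then used during teardown) is easy to model outside the kernel. The following C program is an added example written for this page, not code from the kernel or from the fix commit; the structure and function names (pcd_unit, alloc_disk_mock, pcd_init_units_model, pcd_exit_safe) are hypothetical stand-ins for the driver's own. It keeps the unchecked teardown beside a hardened one that tests each slot before touching it, and shows that the hardened version also survives being called twice.

```c
/* Added example for this page (user-space model, not kernel code). The driver
 * names are only mimicked: pcd_unit, alloc_disk_mock, pcd_init_units_model
 * and pcd_exit_safe are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

#define PCD_UNITS 4

struct gendisk { char name[16]; int major; };
struct pcd_unit { struct gendisk *disk; };

/* Stand-in for alloc_disk(): returns NULL for the unit index 'fail_at'
 * (simulating allocation failure), otherwise a zeroed disk object. */
static struct gendisk *alloc_disk_mock(int idx, int fail_at) {
    if (idx == fail_at) return NULL;
    struct gendisk *d = calloc(1, sizeof *d);
    if (d) snprintf(d->name, sizeof d->name, "pcd%d", idx);
    return d;
}

/* Initialise every unit; a failed allocation leaves units[i].disk == NULL
 * but the loop continues, which is exactly the state teardown must cope with.
 * Returns the number of disks allocated. */
int pcd_init_units_model(struct pcd_unit *units, int n, int fail_at) {
    int ok = 0;
    for (int i = 0; i < n; i++) {
        units[i].disk = alloc_disk_mock(i, fail_at);
        if (units[i].disk) ok++;
    }
    return ok;
}

/* Teardown as described in the text: touches disk->major and frees the disk
 * without checking for NULL. Calling this with a NULL slot dereferences NULL. */
void pcd_exit_unchecked(struct pcd_unit *units, int n) {
    for (int i = 0; i < n; i++) {
        units[i].disk->major = 0;      /* NULL dereference when alloc failed */
        free(units[i].disk);
        units[i].disk = NULL;
    }
}

/* Hardened teardown: skip slots that were never allocated. Returns the number
 * of disks actually released, and is safe to call twice. */
int pcd_exit_safe(struct pcd_unit *units, int n) {
    int freed = 0;
    for (int i = 0; i < n; i++) {
        if (!units[i].disk)            /* the check missing in the unchecked path */
            continue;
        units[i].disk->major = 0;
        free(units[i].disk);
        units[i].disk = NULL;
        freed++;
    }
    return freed;
}

/* Drive init + safe teardown; returns the number of disks freed. */
int demo_freed(int fail_at) {
    struct pcd_unit units[PCD_UNITS];
    pcd_init_units_model(units, PCD_UNITS, fail_at);
    return pcd_exit_safe(units, PCD_UNITS);
}

/* Same, but returns the count from a second teardown (expected 0). */
int demo_second_teardown(int fail_at) {
    struct pcd_unit units[PCD_UNITS];
    pcd_init_units_model(units, PCD_UNITS, fail_at);
    pcd_exit_safe(units, PCD_UNITS);
    return pcd_exit_safe(units, PCD_UNITS);
}

int main(void) {
    printf("alloc fails for unit 2: safe teardown freed %d of %d disks\n",
           demo_freed(2), PCD_UNITS);
    printf("no failure: safe teardown freed %d of %d disks\n",
           demo_freed(-1), PCD_UNITS);
    return 0;
}
```

The unchecked variant is kept only for contrast; with `fail_at` set to a valid index it crashes on the NULL slot, which in kernel context is the oops the text refers to.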

Remedy: Kernel.org has released remedy at the following link – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6377f787aeb945cae7abbb6474798de129e1f3ac

Quick and Dirty – walk through CVE-2019-15846

Preface: Quite a lot of cyber security experts have provided their explanation of the vulnerability in Exim (a local or remote attacker can execute programs with root privileges). I will explain it in a quick and dirty way. Should you be interested, please refer to the points below:

a. Connect to Exim with TLS and send an SNI that ends with backslash-null.
*unescaped-backslash bug in string_printing2()

b. We exploit the backslash-null bug in string_interpret_escape().

Hints: brainstorm on the above matter.
When you call malloc, it returns a pointer to a block of memory in the heap:
char *p = malloc(2048) – 2048 bytes of virtual memory allocated
strcpy(p, "123") – although only 3 bytes are used, the allocation still holds 2048 bytes of physical memory for it.
free(p) – through the virtual address, find the physical page corresponding to it, release the physical page, and release the linear region.

c. Use this heap overflow to overwrite the header of a free malloc chunk.

d. Allocate this enlarged malloc chunk, and use it to overwrite large parts of the heap (the already-allocated malloc chunks) with arbitrary data.

e. Overwrite the “id” string (by overwriting “id” with “/../../../../../../../../etc/passwd”).
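Points a and b above rest on two string-handling defects: a printing routine that leaves a backslash unescaped, and an escape interpreter that steps past the terminating NUL when a backslash is the last byte. The C code below is an added example for this page, not Exim's source; the function names safe_interpret_escapes and safe_string_printing are hypothetical. It shows an encoder/decoder pair in which the encoder doubles every backslash on output and the decoder treats a trailing backslash as a literal, so the read position never moves beyond the terminator and an encode-then-decode round trip restores the original bytes exactly.

```c
/* Added example for this page, not Exim source. Function names are hypothetical.
 * Two guards matter: the decoder never steps past the terminating NUL after a
 * backslash, and the encoder doubles every backslash so decoding is exact. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;                         /* also covers the '\0' terminator */
}

/* Decode \n \t \r \\ and \xNN. A backslash immediately followed by the
 * terminating NUL is kept as a literal backslash and the loop ends there, so
 * the read position never advances beyond the string. Returns the decoded
 * length, or (size_t)-1 if 'out' (outsz bytes including the NUL) is too small. */
size_t safe_interpret_escapes(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (const char *p = in; *p != '\0'; p++) {
        char c = *p;
        if (c == '\\' && p[1] != '\0') {   /* a trailing backslash stays literal */
            p++;
            switch (*p) {
            case 'n':  c = '\n'; break;
            case 't':  c = '\t'; break;
            case 'r':  c = '\r'; break;
            case '\\': c = '\\'; break;
            case 'x': {
                int hi = hexval(p[1]);
                int lo = hi >= 0 ? hexval(p[2]) : -1;   /* p[2] read only if p[1] is hex */
                if (lo >= 0) { c = (char)(hi * 16 + lo); p += 2; }
                else c = 'x';                           /* malformed \x: literal 'x' */
                break;
            }
            default:   c = *p; break;      /* unknown escape: the character itself */
            }
        }
        if (o + 1 >= outsz) return (size_t)-1;
        out[o++] = c;
    }
    out[o] = '\0';
    return o;
}

/* Encode for display or logging: control bytes become \n, \t, \r or \xNN, and a
 * literal backslash is doubled so that decoding restores the exact original. */
size_t safe_string_printing(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char buf[5]; size_t n;
        switch (*p) {
        case '\n': n = 2; memcpy(buf, "\\n", 2); break;
        case '\t': n = 2; memcpy(buf, "\\t", 2); break;
        case '\r': n = 2; memcpy(buf, "\\r", 2); break;
        case '\\': n = 2; memcpy(buf, "\\\\", 2); break;
        default:
            if (*p < 0x20 || *p > 0x7e) { n = 4; snprintf(buf, sizeof buf, "\\x%02x", (unsigned)*p); }
            else { n = 1; buf[0] = (char)*p; }
        }
        if (o + n >= outsz) return (size_t)-1;
        memcpy(out + o, buf, n);
        o += n;
    }
    out[o] = '\0';
    return o;
}

/* Round-trip check: 1 if encode followed by decode restores the input exactly. */
int roundtrip_ok(const char *s) {
    char enc[256], dec[256];
    if (safe_string_printing(s, enc, sizeof enc) == (size_t)-1) return 0;
    if (safe_interpret_escapes(enc, dec, sizeof dec) == (size_t)-1) return 0;
    return strcmp(s, dec) == 0;
}

int main(void) {
    char enc[64];
    const char *sample = "host\\";          /* constructed input ending in a backslash */
    safe_string_printing(sample, enc, sizeof enc);
    printf("encoded: %s  round-trip ok: %d\n", enc, roundtrip_ok(sample));
    return 0;
}
```

The decoder's single condition `c == '\\' && p[1] != '\0'` is the whole fix for the trailing-backslash case: the loop can only advance past a backslash when there is a real byte behind it.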

Official announcement:

Download and build a fixed version:

    Tarballs: https://ftp.exim.org/pub/exim/exim4/
    Git:      https://github.com/Exim/exim.git
              - tag    exim-4.92.2
              - branch exim-4.92.2+fixes

CIS Center for Internet Security urges PHP customers to be aware of Multiple Vulnerabilities in PHP, because they could allow for Arbitrary Code Execution. Sep 2019

Preface: Network security experts may hesitate to answer one question. What is it? Which programming language is easy to write in, yet has no loopholes?

CIS Center for Internet security announcement: Multiple Vulnerabilities in PHP Could Allow for Arbitrary Code Execution

For more information, please refer to the URL – https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2019-087/

Our Observation: One of the components that can jeopardize your PHP website is the “arbitrary-php-extension”. An experiment has proved it. After loading a custom-made PHP extension, each request will be able to execute a piece of your own PHP code. If you need to customize the request argument arbitrary_php to something else, you can modify the value of REQUEST_NAME in (arbitraryphp/extinitial/pre_request.h). The parameter can be found in the attached picture.

The unforgettable computer architecture – I do not mind that it has a vulnerability. Sep 2019

Preface: Quite a number of people think that mainframe computers no longer exist. However, they are still alive.

Background: A 3270 Emulator is a terminal emulator that duplicates the functions of an IBM 3270 mainframe computer terminal on a PC or similar microcomputer.

Vulnerability details: There is missing SSL certificate validation in the pw3270 terminal emulator before version 5.1.

Impact: TLS/SSL certificate validation flaw, leading to attackers in a MitM position being able to affect confidentiality, integrity and availability of traffic between the client and host, including credentials used.

Remedy: Upgrade to version 5.1. For more information, please visit the following URL – https://pkgs.org/download/pw3270

Reflections on the Connection Between SSH client and SSH service Daemon – CVE-2019-1580 (PAN-OS – Palo Alto Networks)

Preface: Whether it is a “WAF” or a traditional Layer 3 firewall, an SSH service daemon will be installed, because such a service is not uncommon.

Vulnerability details: Memory corruption in PAN-OS 7.1.24 and earlier, PAN-OS 8.0.19 and earlier, PAN-OS 8.1.9 and earlier, and PAN-OS 9.0.3 and earlier will allow a remote, unauthenticated user to craft a message to Secure Shell Daemon (SSHD) and corrupt arbitrary memory.

Additional:

In the current version of the NDcPP there is a cryptographic Security Functional Requirement (SFR) called FCS_SSH*_EXT.1.8.
If your solution involves an OpenSSH server or client, you might be surprised to find out that OpenSSH’s “RekeyLimit” option does not actually fulfill this requirement according to the Application Note. RekeyLimit’s volume limiter rekeys on data volume only when either the incoming or the outgoing byte count meets or exceeds the defined limit. It does not check the aggregate.

From a technical point of view, an attacker is able to consume SSH service daemon memory resources. For instance, when using OpenSSH as a client, simply enter ~R (capital R!) and rekeying will take place. If they intend to increase the number of rekeys, the process in question will be in trouble!

Remedy: Only accept SSH connections from trusted IP addresses and trusted networks.

YouPHPTube 7.4 – Remote Code Execution Sep 2019

Preface: As time goes by, the young are no longer familiar with TV at home. Obviously online video is the new generation’s choice.

Product background: With YouPHPTube you can create your own video sharing site. YouPHPTube will help you import and encode videos from other sites like YouTube, Vimeo, etc., and you can share them directly on your website.

Vulnerability details: A design weakness was found in versions before 7.5. The mechanism does not check whether someone wants to generate a new config file, so an attacker can exploit this flaw to generate his own config file with malicious code. As a result, visitors do not know that they have connected to a compromised server.

Remedy: Be reminded that you should remove the “/var/www/YouPHPTube/install/” directory after YouPHPTube installation.

CVE-2019-15753 OpenStack (os-vif 1.15.x before 1.15.2, and 1.16.0), allows users to possibly view the content of packets for instances belonging to other tenants sharing the same network. Aug 2019

Preface: The virtual computer world is like a fruit punch: anything can be mixed into it.

Background: OpenStack is cloud computing software developed by NASA and Rackspace. It is licensed under the Apache license and is free and open source software. Its customers include Shanghai Electric, China Mobile, LINE and China UnionPay.

Vulnerability details: In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both impedes network performance and allows users to possibly view the content of packets for instances belonging to other tenants sharing the same network. Only deployments using the linuxbridge backend are affected. This occurs in PyRoute2.add() in internal/command/ip/linux/impl_pyroute2.py.

Possible factor: One technical issue might arise when Topology Change Notifications (TCN) occur repeatedly at short intervals. The switches will constantly fast-age their forwarding tables, so flooding will be nearly constant.
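A deployment-side check for the condition described above (a bridge whose MAC ageing time is 0, which switches off learning and forces flooding of every non-local frame) can read the value straight from sysfs. The C program below is an added example for this page, not part of os-vif or the kernel; classify_ageing and check_bridge_ageing are hypothetical names. It reads /sys/class/net/<bridge>/bridge/ageing_time, which the kernel reports in 1/100 s, flags 0 as learning disabled and anything below a chosen minimum as unusually short; the 60-second minimum used here is an assumption, not a value from the advisory.

```c
/* Added example for this page, not os-vif or kernel code. Function names are
 * hypothetical. The sysfs value is in 1/100 s (clock ticks); 30000 == 300 s,
 * the usual default, and 0 means MAC learning is switched off. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum ageing_state {
    AGEING_PARSE_ERROR = -1,
    AGEING_OK = 0,
    AGEING_LEARNING_DISABLED = 1,
    AGEING_SHORT = 2
};

/* Classify the raw sysfs text (for example "30000\n"). Writes the value in
 * seconds to *seconds_out when that pointer is non-NULL. */
enum ageing_state classify_ageing(const char *sysfs_text, long min_seconds,
                                  double *seconds_out) {
    char *end;
    errno = 0;
    long ticks = strtol(sysfs_text, &end, 10);
    if (errno != 0 || end == sysfs_text || ticks < 0)
        return AGEING_PARSE_ERROR;
    double seconds = ticks / 100.0;
    if (seconds_out) *seconds_out = seconds;
    if (ticks == 0) return AGEING_LEARNING_DISABLED;   /* the os-vif symptom */
    if (seconds < (double)min_seconds) return AGEING_SHORT;
    return AGEING_OK;
}

/* Read /sys/class/net/<bridge>/bridge/ageing_time and classify it. A missing
 * file (not a bridge, or no such interface) is reported as a parse error. */
enum ageing_state check_bridge_ageing(const char *bridge, long min_seconds,
                                      double *seconds_out) {
    char path[256], buf[64];
    snprintf(path, sizeof path, "/sys/class/net/%s/bridge/ageing_time", bridge);
    FILE *f = fopen(path, "r");
    if (!f) return AGEING_PARSE_ERROR;
    if (!fgets(buf, sizeof buf, f)) { fclose(f); return AGEING_PARSE_ERROR; }
    fclose(f);
    return classify_ageing(buf, min_seconds, seconds_out);
}

int main(int argc, char **argv) {
    const char *br = argc > 1 ? argv[1] : "br0";   /* assumed default bridge name */
    double s = 0;
    switch (check_bridge_ageing(br, 60, &s)) {
    case AGEING_OK:
        printf("%s: ageing_time %.0f s, MAC learning active\n", br, s); break;
    case AGEING_LEARNING_DISABLED:
        printf("%s: ageing_time 0, MAC learning DISABLED (bridge floods)\n", br); break;
    case AGEING_SHORT:
        printf("%s: ageing_time %.2f s is unusually short\n", br, s); break;
    default:
        printf("%s: could not read bridge ageing_time\n", br);
    }
    return 0;
}
```

Run it with the bridge name as the first argument on a compute node using the linuxbridge backend; a report of ageing_time 0 is the symptom the advisory describes, and the remedy is the released os-vif fix rather than a hand edit of sysfs.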

Remedy status: In Progress → Fix Released (30th Aug 2019) https://review.opendev.org/678098

CVE-2019-12643 Cisco REST API Container for IOS XE Software Authentication Bypass Vulnerability (Aug 2019)

Preface: Because a stateless API can increase request overhead by handling large loads of incoming and outbound calls, a REST API should be designed to encourage the storage of cacheable data.

Vulnerability details: A vulnerability in the Cisco REST API virtual service container for Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass authentication on the managed Cisco IOS XE device.

Fundamental design weakness of REST API authentication. For example:

  1. Make POST request to /api/rest/issues, get it working with an API key
  2. Perhaps there is no way to disable the Auth layer
  3. Generating an auth key
  4. Now you have an auth-token for app
  5. cURL GET request (with Authentication)
  6. cURL POST request (with Authentication)
  7. ………

What can Cisco customers do? As follows:

Official announcement by vendor: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-iosxe-rest-auth-bypass

PePe Talk – Linux Kernel driver qedi_dbg.c Out-of-Bounds Read Vulnerability CVE-2019-15090 (Aug 2019)

Preface: Pepe the frog will never die. Pepe can appear anywhere; maybe you will see him in the political world or in your WhatsApp communications, even in CVE vulnerability record details.

QLogic offload iSCSI driver (qedi_dbg.c) technical background – For both Windows and Linux operating systems, iSCSI boot can be configured to boot with two distinctive paths: non-offload (also known as Microsoft Open-iSCSI Initiator) and offload (QLogic offload iSCSI driver or HBA). iSCSI Offload uses the TCP Offload Engine (TOE) technology in network interface cards (NICs) to offload the processing of the TCP/IP stack to a network controller.

Vulnerability details: The vulnerability exists in the drivers/scsi/qedi/qedi_dbg.c source code file of the affected software and is due to an out-of-bounds read condition in the qedi_dbg_* family of functions.

Common functions in C/C++: memcpy() and memset(). These functions fall into the subcategory “transfer memory”. With memcpy, you can copy not only your own out-of-bounds area, such as a malloc block that was previously freed, but also an area from a completely different running program.

Remedy: Kernel.org has released software updates at the following link – https://www.kernel.org/

antihackingonline.com