Potential Risk of CVE, Public safety

Is the CVE process late? Esri has managed and remedy those vulnerabilities in May 2021.

Leave a comment

Preface: When smartphones and Google Maps were born. The GIS function determines these two functions in a silent manner.

Background: Geographic Information System (GIS) plays a key role in military operations. The military uses GIS in various applications, including cartography, intelligence, battlefield management, terrain analysis, remote sensing, etc.

– Use of geospatial intelligence:The role of machine learning and GEOINT in disaster response
– Open geospatial data platform and food shortage
– Interoperability of GEOINT applications and military data
– The role of data management in crisis mapping

Vulnerability details: There are vulnerabilities announcement of GIS server on 11th Jul, 2021. Whereby those vulnerability has been addressed by ESRI on May, 2021. Seems the details of two announcement are similar and believed that both are describe the same matters. In fact, designated vulnerabilities are common vulnerabilities in OWASP Top 10. However, the applicability of GIS is becoming more and more important for human life and daily use. So we should seriously consider it.

Official announcement – https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-1-patch/

2021, cyber security incident news highlight, Ransomware, Under our observation

DarkSide Ransomware ready to move. Operational Technology (OT) should staying alert (7-7-2021)

Leave a comment

Preface: IDC report predicted that By 2024, 60% of industrial organizations will integrate data from edge OT systems with cloud-based reporting and analytics, moving from single-asset views to sitewide operational awareness.

Background: PowerShell provides an adversary with a convenient interface for enumerating and manipulating a host system after the adversary has gained initial code execution.

Security Focus: According to the observation of the security company. You can use PowerShell to execute various Base64 encoding commands. The trend of operation technology will be programmed and developed on powershell.
Cybercriminals responsible for ransomware activities often try to delete them so that their victims cannot restore file access by restoring to shadow copies. The method is to use this (Invoke-ReflectivePEInjection to directly inject DLL into PowerShell).
Meanwhile, they require system administrator privileges, so they rely on zero-day and unpatched victim workstations for privilege escalation.

Remark: What’s more telling is the inclusion of function names that correspond with a PowerShell payload called “Invoke-ReflectivePEInjection”, which lets an attacker inject a dynamic link library (DLL) directly into PowerShell.

Should you have interested of above details. CISA Publishes Malware Analysis Report and Updates Alert on DarkSide Ransomware. For more details, please refer to link – https://us-cert.cisa.gov/ncas/alerts/aa21-131a

Potential Risk of CVE

CVE-2021-34527 & CVE-2021-1675, no nightmare. Go to sleep well. (7th,JUl 2021)

Leave a comment

Preface: Microsoft has assigned CVE-2021-34527 to PrintNightmare. CVE-2021-1675 is similar but distinct from CVE-2021-34527.

Background: There is a vulnerability nickname PrintNightmare. PrintNightmare is not the same as CVE-2021-1675, which was fixed in the patch in June. there is currently no patch available for PrintNightmare.

Technical Details: The vulnerability numbered CVE-2021-34527 is the same RCE vulnerability in Print Spooler as CVE-2021-1675 that has attracted attention this week. Microsoft explained that it was caused by improper execution of the file by the Print Spooler service. To exploit this vulnerability, the attacker must be an authenticated user and execute RpcAddPrinterDriverEx(). Successful miners can execute arbitrary code with SYSTEM privileges.

Microsoft has addressed this issue in the updates for CVE-2021-34527. However, the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and Print NoWarningNoElevationOnInstall is set to 1. For this reason, please consider the workarounds before Microsoft release the patch.

Workaround: Microsoft has listed several workarounds in their advisory for CVE-2021-34527. For more details, please refer to link.https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

Potential Risk of CVE, Public safety

If the design defect cannot be remedied in time. Prevention and detection control is one of them. (Philips Vue PACS) [7-7-2021]

Leave a comment

Preface: In theory, if your software application design trusts multiple vendors. Repairing takes more time. Because you need to do more verification.

Technology background: Digital Imaging and Communications in Medicine (DICOM) is the standard for the communication and management of medical imaging information and related data. DICOM is most commonly used for storing and transmitting medical images enabling the integration of medical imaging devices such as scanners, servers, workstations, printers, network hardware, and picture archiving and communication systems (PACS) from multiple manufacturers. It has been widely adopted by hospitals and is making inroads into smaller applications like dentists’ and doctors’ offices.

What is Vue PACS Philips?

Philips Vue Picture Archiving and Communication System (PACS), formerly known as CARESTREAM Vue PACS, is an image-management software that provides scalable local
and wide area PACS solutions for hospitals and related institutions.

Philips Vue PACS communications are based on the Digital Imaging and Communications in Medicine (DICOM) 3.0 standard. This enables the server to communicate with any DICOM 3.0 compliant products (such as scanners, workstations, hardcopy units). The server acts as a DICOM Provider, thus other stations can retrieve and send images to and from the server.

Vulnerability details: Philips Vue PACS design require to work with Redis and Oracle. This technology utilizes an Oracle Database and its servers are stored on VA premises. DICOM image data from the modalities is stored on image cache on the PACS server attached to Storage Area Network/Network Attached Storage (SAN/NAS)-type storage technology. However it was discovered design limitation in both software. Meanwhile the software application itself also discovered different vulnerabilities.

My observation: If exisitng vulnerabilities cannot fixed immediately. It is recommended to monitoring the network connectivitiy. It is better to install a IPS to monitoring inbound and outbound network traffics in this segment. If this philips web server and DN are mistaken install to a flat LAN. Perhaps you require to install a proxy server in front of this device.

US-Cert recommendation: https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01

Potential Risk of CVE

If your querying and updating RDF models using the SPARQL standards, please aware of this design weakness. (5th JUl 2021)

Leave a comment

Preface: Artificial intelligence (AI) has the potential to overcome the physical limitations of capital and labor and open up new sources of value and growth.

Background: Apache Jena is a free and open source Java framework for building semantic web and Linked Data applications. The framework is composed of different APIs interacting together to process RDF data. Apache Jena Fuseki – SPARQL server which can present RDF data and answer SPARQL queries over HTTP.

Apache Jena Fuseki is a SPARQL server. It can run as a operating system service, as a Java web application (WAR file), and as a standalone server.

RDF is a standard for data interchange that is used for representing highly interconnected data. Each RDF statement is a three-part structure consisting of resources where every resource is identified by a URI. Representing data in RDF allows information to be easily identified. And interconnected by AI systems.

Vulnerability details: A vulnerability classified as problematic has been found in Apache Jena Fuseki up to 4.0.0. Affected is an unknown code block of the component HTML Page Handler. The manipulation with an unknown input leads to a cross site scripting vulnerability.

Remediation: Users are advised to upgrade to Apache Jena 4.1.0 or later.

Ransomware, Under our observation, Virus & Malware

Are there other ways to avoid ransomware infection? (6th Jul, 2021)

Leave a comment

Preface: A ransomware attack paralyzed the networks of at least 200 U.S. companies, said headline News. President Biden announces investigation into international ransomware attack on 3rd Jul, 2021.

Background analysis: Cyber criminals are turning to fileless attacks to bypass firewalls. These attacks embed malicious code in scripts or load it into memory without writing to disk.

  • Malware tricks you into installing software, allowing scammers to access your files and track your actions.
  • Ransomware is a form of malware goal to locks the user out of their files or their device.

However, whether it is malware or ransomware, they all rely on working with C&C servers. Cybercriminals use C&C servers to host ransomware. If the computer cannot access the infected server and/or malicious website. Therefore, ransomware infections will be reduced.

How DNS Sinkholing reduce the infection hit rate? In fact, the firewall cannot see the originator of the DNS query. When the client tries to connect to a malicious domain, the existing solution is likely to wait for the download and let the anti-virus and malware protection mechanisms isolate the malicious file.

Sinkholing can be done at different levels. Both ISPs and Domain Registrars are known to use sinkholes to help protect their clients by diverting requests to malicious or unwanted domain names onto controlled IP addresses.

Question: If the solution is mature and well-defined. But why the service provider does not implement it. Is it a cost factor?

Ransomware

The Thirty-six stratagems – Know yourself and the ransomware, never lost in cyber war. 30-06-2021

Leave a comment

Preface: The Thirty-six stratagems is a Chinese essay use to illustrate a series of stratagems used in war. It also applies to cyber warfare.

Background: Kernel-based Virtual Machine (KVM) is an open source virtualization technology built into Linux®. Specifically, KVM lets you turn Linux into a hypervisor that allows a host machine to run multiple, isolated virtual environments called guests or virtual machines (VMs).
KVM is part of Linux. VMware relied on Linux during its early history. The early version of its hypervisor, called ESX, included a Linux kernel
(the central part of an OS that manages the computer hardware). When VMware released ESXi, it replaced the Linux kernel with its own.

Security Focus: Security researcher MalwareHunterTeam found a Linux version of the REvil ransomware (aka Sodinokibi) that also appears to target ESXi servers.

Ransomware, menacing! Experts observe that ransomware is not limited to Windows operating system attacks. The evidence proves that they can run on Linux. Other ransomware operations, such as Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and Hellokitty
have also created Linux encryptors to target ESXi virtual machines.

Reference:

  • HelloKitty targeted a UK Healthcare organisation
  • DarkSide target multiple large, high-revenue organizations resulting in the encryption and theft of sensitive data and threats to make it publicly available if the ransom demand is not paid.
  • GoGoogle is a malicious program designed to encrypt data and demand ransom payments for decryption. During the encryption process, all affected files are renamed according to this pattern: original filename, unique ID, cyber criminals’ email address and the “.google” extension.
  • Mespinoza TheMespinozaransomware was first used in October 2018 at least. The first versions produced encrypted filescarrying the «.locked» extension, common to many ransomwares. Since December 2019, a new version ofMespinozais documented in open sources. This version is often calledPysabecause it produces encrypted fileswith the «.pysa» extension.

Staying alert!

Science, System

Who makes supercomputers faster and faster (CPU, fibre interconnect, parallel processing or virtual machine)? 29th June, 2021.

Leave a comment

Preface: In Japanese mythology, the Namazu (鯰) or Ōnamazu (大鯰) is a giant underground catfish who causes earthquakes. This giant not caused disaster, he is the fastest supercomputer in the world. His name is FUGAKU.

Background: Riken and Fujitsu started developing the system in 2014, working closely with ARM to design the A64FX processor. Each of these ships has 48 CPU cores based on the ARM architecture version 8.2A, making it the first such chip in the world. Furthermore, more than 94.2% of supercomputers are based on Linux. In addition, supercomputers can run Windows operating systems.

Do you think today’s supercomputers only rely on a few sets of multi-core processors and standalone operating systems?

When using two virtual machines, VMware found that the overall benchmark results using an 8 TB data set were almost as fast as native hardware, while when using 4 virtual machines, the virtualization method was actually 2% faster. If the system architecture is constructed by many virtual machines. In order to achieve parallel computing to improve efficiency. The supercomputer also apply similar concept.

Base on design goals. HPC workload manager focuses on running distributed memory jobs and supporting high throughput scenarios, and Kubernetes is mainly used to orchestrate containerized microservice applications. If the system architecture is constructed by many virtual machines. Realize parallel computing to improve efficiency. So when the above concepts are implemented on a supercomputer, the processing power will be improved.

The fastest supercomputer this month is FUGAKU. But who can guarantee that FUGAKU will always be number one?

Potential Risk of CVE

Similar or not relevant – QEMU: net: eepro100: stack overflow via infinite recursion (27-06-2021)

Leave a comment

Preface: Similar vulnerability with another CVE record was announced on Feb 2021. Perhaps Citrix waiting for other vendor response and confirmation . Whereby, supculated that this is one of the possible factor of the announcement by the Citrix on Friday (25th June, 2021).

Background: How is memory allocated when recursive functions are called? Calling a function recursively is done just like any other function. So the memory will be allocated the same way as if you are calling any regular function.

Vulnerability Details: Two security issues (CVE-2021-3416 & CVE-2021-20257) have been identified in Citrix Hypervisor 8.2 LTSR, each of which may allow privileged code in a guest VM to cause the host to crash or become unresponsive. These issues only affect Citrix Hypervisor 8.2 LTSR.

Ref: A recursive function calls itself, so the memory for a called function is allocated on top of the memory allocated for calling the function. Remember, a different copy of local variables is created for each function call.
How is memory allocated when recursive functions are called?
Each recursive call pushes a new stack frame in that manner, then pops it when it returns. If the recursion fails to reach a base case, the stack will rapidly be exhausted leading to the eponymous Stack Overflow crash.

Official announcement – https://support.citrix.com/article/CTX316325

Potential Risk of CVE

Security Focus – About the CVE-2021-21999 VMware vulnerability (23rd June 2021)

Leave a comment

Preface: An attacker with normal access to a virtual machine may exploit this issue by placing a malicious file renamed as `openssl[.]cnf’ in an unrestricted directory which would allow code to be executed with elevated privileges,” VMware said.

Background:

VMware App Volumes provides a system to deliver applications to desktops through virtual disks. Installing App Volumes involves installing the App Volumes Manager, App Volumes agents, and related components.
The installers for VMware Tools for Windows is built into VMware Workstation as ISO image files. The new features of VMware Tools for Windows (11.2.6) including OpenSSL version has been updated to 1.1.1k.
VMware Remote Console Open-source components have been updated, including jansson 2.10, libjpeg-turbo 2.0.5, libgksu 2.0.13, openssl 1.1.1h, pcre 8.44, sqlite 3.23.3, and rsvg 2.40.21.

Vulnerability details: VMware Tools for Windows (11.x.y prior to 11.2.6), VMware Remote Console for Windows (12.x prior to 12.0.1) , VMware App Volumes (2.x prior to 2.18.10 and 4 prior to 2103) contain a local privilege escalation vulnerability.

One of the possibilities: The vmware-vdiskmanager (command line utility) work with libeay32.dll[.] OpenSSL default of “[/]usr[/]local[/]ssl” is used in linux, but in windows it translates to c:[\]usr[\]local[\]ssl.

If a low privilege user creates the directory structure c:[\]usr[\]local[\]ssl[\], copies an openssl.cnf file and malicious .dll library inside it will result is arbitrary code execution when the command line (vmware-vdiskmanger) is executed. Furthermore, VDDK working with some of DLLs (ssleay32.dll, libeay32.dll, diskLibPlugin.dll) because VDDK needs to maintain state information and callback functions. Therefore, the privileges escalation vulnerability will be occurred.

Official announcement (CVE-2021-21999)https://www.vmware.com/security/advisories/VMSA-2021-0013.html

Ref: There is another vulnerability on other products. VMware Carbon Black App Control update address authentication bypass (CVE-2021-21998) – https://www.vmware.com/security/advisories/VMSA-2021-0012.html

antihackingonline.com