CVE-2019-0804 Azure Linux Agent Information Disclosure Vulnerability (14th Mar 2019)

Preface: Image-based deployment speeds up cloud readiness; deploying from a prepared image is faster than mounting an ISO and installing a VM manually. When a system administrator builds images for an OpenStack provider, cloud-init and haveged are pre-installed. Azure has a similar feature, the so-called Azure WaLinuxAgent.

Vulnerability detail: An information disclosure vulnerability exists in the way Azure WaLinuxAgent creates swap files on resource disks. An authenticated attacker who successfully exploited this vulnerability could view data in swap that is normally hidden.

My speculation: WALA uses “fallocate” instead of “dd” to create the swap file. When an ext4 filesystem is used, a local attacker can call the fallocate() function in order to read fragments of deleted files.

Remedy solution: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0804

12th Mar 2019 – Intel® Software Guard Extensions SDK Advisory

Preface: Address Space Layout Randomization (ASLR) defends against memory corruption attacks. Intel Software Guard Extensions (SGX) goes further: its capability protects selected code and data from disclosure or modification. From a security point of view, it provides more advanced protection than before.

Vulnerability detail: Double free in Intel(R) SGX SDK for Linux before version 2.2 and Intel(R) SGX SDK for Windows before version 2.1 may allow an authenticated user to potentially enable information disclosure or denial of service via local access.

Synopsis: about double free vulnerabilities
Refer to the scenario in the attached diagram: the same chunk is returned by two different ‘malloc’ calls, so both pointers point to the same memory address. If one of them is under the control of an attacker, he/she can modify the memory seen through the other pointer, leading to various kinds of attacks (including code execution).

Official announcement: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00217.html

Security Focus – CVE-2019-5513 VMware Horizon update addresses Connection Server information disclosure vulnerability: 14th Mar 2019

Preface: VMware Horizon Client for Android and iPhone makes it easy to work on your VMware Horizon virtual desktop and hosted applications from your smartphone.

About the security advisory announcement by VMware: The VMware Horizon Connection Server contains an information disclosure vulnerability. Successful exploitation of this issue may allow disclosure of internal domain names, the Connection Server’s internal name, or the gateway’s internal IP address.

My observation: Refer to route paths 1, 2, 3 and 4 (refer to the diagram). Because this application can run at Layer 4, transparency is enforced. Transparency takes a higher priority than Subnet Originating Requests. Therefore, if transparency is enabled on the Virtual Service and Subnet Originating Requests is enabled globally, the Virtual Service still uses transparency. The Real Server sees traffic from this virtual service originating from the client’s source IP address (transparency).

Reference: VMware announcement – 14th Mar 2019

https://www.vmware.com/security/advisories/VMSA-2019-0003.html

https://www.vmware.com/security/advisories/VMSA-2019-0002.html

PHP EXIF exif_process_IFD_in_TIFF Method Arbitrary Code Execution Vulnerability

Preface: With the exif extension you can work with image metadata. PHP can update the dates in EXIF photo headers from a script. The headers include the following: time taken, time modified, the camera make, the camera model, ...

Design objective of exif_process_IFD_in_TIFF:
Parse the TIFF header.

Vulnerability found:
When the test script is executed, Memcheck (valgrind.org) reports that an undefined value is being used in a dangerous way in exif_process_IFD_in_TIFF.

My speculation:
A short registration process helps to get more subscribers to your website. Login with Facebook is a quick and powerful way to integrate a registration and login system on the website. The PHP SDK allows accessing the Facebook API from the web application. But to get started with the latest version of the Facebook SDK v5.x, make sure your system meets the following requirements.
PHP version should be 5.4 or greater.
What if the servers which originally connect to Facebook have PHP version 7.x installed? They are all compromised because of the vulnerability. In the meantime, they will start attacking Facebook. Do you think this is how the story began on 14th Mar 2019?

Remedy: Upgrade http://php.net/downloads.php

Citrix Internal Network Hacked – Press release in Mar 2019

Preface: Citrix Systems, Inc. is an American multinational software company that provides server, application and desktop virtualization, networking, software as a service (SaaS), and cloud computing technologies.

About the data breach that occurred in Dec 2018:
Citrix says that the late 2018 attack appears to be distinct from the likely password-spraying attack that was the focus of the FBI’s Wednesday warning to the technology firm.

Doubt? I believe that an enterprise firm should have a SIEM deployment. If a SIEM is in place, could something be wrong with their correlation rules? Or is there another reason behind it?

What do you think?

Headline news: https://www.zdnet.com/article/citrix-discloses-security-breach-of-internal-network/

CVE-2019-1723 Cisco Common Services Platform Collector Static Credential Vulnerability – 13th Mar 2019

Preface: The CSP-C’s basic function is to discover the network elements and collect information from those elements. Basically, the design goal is to enhance overall detective and preventive control in the IT infrastructure.

Technical highlight: To perform the Network Discovery and Data Collection operations, the CSP-C needs the following credentials: SNMP Read Only community, Telnet or SSH credentials, HTTP or HTTPS credentials. Not every device needs to be accessed via CLI or SOAP; however, SNMP is required for all devices.

Vulnerability detail: The affected software has a user account with a default, static password.

Vendor announcement: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190313-cspcscv

CVE-2019-9636 (Python) urlsplit does not handle NFKC normalization

Preface: Python is used quite a lot in robotics, for example to apply artificial intelligence to robots.

Why choose Python?
Less code: Python can implement the same logic with as little as 1/5th of the code compared to other OOP languages.

Prebuilt libraries: these include NumPy for scientific computation, SciPy for advanced computing and PyBrain for machine learning.

Vulnerability detail – announced on 6th Mar 2019:
A vulnerability in the urllib.parse.urlsplit and urllib.parse.urlparse components of Python could allow an unauthenticated, remote attacker to obtain sensitive information from a targeted system.

Official announcement: https://bugs.python.org/issue36216
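The check that the fix for this issue adds, reimplemented here as an added example (not code from the CPython patch): NFKC normalization of a netloc must not introduce a URL delimiter, otherwise the hostname urlsplit reports differs from the hostname a normalizing consumer would see. The sample URLs are constructed.

```python
import unicodedata
from urllib.parse import SplitResult, urlsplit

# Delimiters that change how a URL is split. CVE-2019-9636: a netloc such as
# "example.com\uFF03@attacker.example" contains no ASCII "#", but NFKC turns
# U+FF03 (FULLWIDTH NUMBER SIGN) into "#", so the netloc means something else
# once normalized (the part after "@" would no longer be the host).
_NETLOC_DELIMITERS = "/?#@:"


def raw_netloc(url: str) -> str:
    """Extract the netloc without any normalization (as urlsplit sees it)."""
    _scheme, sep, rest = url.partition("://")
    if not sep:
        return ""
    for i, ch in enumerate(rest):
        if ch in "/?#":
            return rest[:i]
    return rest


def netloc_is_nfkc_safe(netloc: str) -> bool:
    """Mirror of the check the fix introduced: True unless NFKC normalization
    of the netloc introduces a delimiter that was not present before."""
    if not netloc or netloc.isascii():
        return True
    stripped = netloc
    for ch in "@:#?":          # delimiters already present are legitimate
        stripped = stripped.replace(ch, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return True
    return not any(ch in normalized for ch in _NETLOC_DELIMITERS)


def safe_urlsplit(url: str) -> SplitResult:
    """urlsplit that rejects NFKC-ambiguous netlocs on every Python version."""
    if not netloc_is_nfkc_safe(raw_netloc(url)):
        raise ValueError("netloc contains invalid characters under NFKC normalization")
    return urlsplit(url)


def is_safe_url(url: str) -> bool:
    """Convenience wrapper for input validation: False if the URL is rejected."""
    try:
        safe_urlsplit(url)
        return True
    except ValueError:
        return False
```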

Highly vulnerable – Moxa customer must be vigilant!

Preface: The Moxa EDS405A/408A are entry-level 5- and 8-port managed Ethernet switches designed especially for industrial applications.

Technical background: Turbo Ring is a self-healing technology that enables fast fault recovery under 20 ms. Moxa’s Turbo Ring and Turbo Chain Ethernet technologies maximize railway network availability with ideal redundancy technology.

Security focus: CVE-2019-6563 (CVSS:10) – Moxa IKS and EDS generate a predictable cookie calculated with an MD5 hash, allowing an attacker to capture the administrator’s password, which could lead to a full compromise of the device.

What is a predictable cookie? For example: Cookie: JSESSIONID=USER1. A predictable cookie calculated with an MD5 hash draws our attention because MD5 produces a 128-bit hash as output, yet only 3 bytes of the hash value are used in the cookie value.
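As an added example (not Moxa's code; the MD5 truncation is a constructed illustration of the pattern the advisory describes), the difference in keyspace between a 3-byte MD5-derived cookie and a CSPRNG session identifier, plus a simple length-based strength check a reviewer can run over captured Set-Cookie values:

```python
import hashlib
import secrets
import string


def truncated_md5_cookie(seed: str, nbytes: int = 3) -> str:
    """Constructed illustration of the weak pattern: a session value derived
    from an MD5 digest of which only `nbytes` bytes (2*nbytes hex chars) are
    kept. Placeholder seed; this is not the device's actual algorithm."""
    return hashlib.md5(seed.encode("utf-8")).hexdigest()[: 2 * nbytes]


def random_session_cookie(nbytes: int = 16) -> str:
    """What a session identifier should be: CSPRNG output, 128 bits by default."""
    return secrets.token_hex(nbytes)


def keyspace_bits(token: str) -> int:
    """Upper bound on the number of distinct values a token of this shape can
    take, in bits, inferred from its alphabet and length (hex: 4 bits per
    character, base64url-style: 6, anything else: 8). It is only an upper
    bound: a token like "USER1" is far more guessable than 30 bits suggests."""
    if all(c in string.hexdigits for c in token):
        return 4 * len(token)
    if all(c in string.ascii_letters + string.digits + "-_=" for c in token):
        return 6 * len(token)
    return 8 * len(token)


def assess_session_token(token: str, minimum_bits: int = 64) -> str:
    """Flag tokens whose keyspace is below a 64-bit floor (assumed here as the
    minimum a reviewer should accept; 128 bits is the usual target)."""
    return "weak" if keyspace_bits(token) < minimum_bits else "adequate"
```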

Observation: Moxa products were used in the Korean subway network in 2010. I am not sure whether they are still in use, but I believe a remedy has been applied if they are. Otherwise it will create a cyber security risk in the operations.

For vulnerability details please refer to: https://ics-cert.us-cert.gov/advisories/ICSA-19-057-01

CVE-2019-3778 Pivotal Spring Security OAuth Open Redirector Vulnerability (critical)

Preface: OAuth has become a standard for third-party applications to communicate with the APIs of popular web sites, such as Facebook, Twitter, and Foursquare, to name a few.

Technical background: Currently, the two major versions of OAuth are 1.0(a) and 2.0. OAuth (Open Authorisation) is a standard for authorisation of access to resources, and Spring Security provides OAuth 2.0 support. You can set it up to automatically propagate your access tokens from one app to the other, ensuring that everything stays secure and encrypted along the way.

Vulnerability detail: A vulnerability in Pivotal Spring Security OAuth could allow an unauthenticated, remote attacker to conduct an open redirect attack on a targeted system. A successful exploit could cause the authorization server to redirect the resource owner user-agent to an attacker-controlled URI, providing the attacker with sensitive information.

Official announcement: https://pivotal.io/security/cve-2019-3778
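An added example, not the Spring Security OAuth code, showing the redirect_uri comparison an authorization server should perform versus the lenient prefix match that produces an open redirector; the client id and URIs are constructed placeholders:

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed registry: client_id -> exact redirect URIs registered by the client.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example/oauth/callback"},
}


def lenient_redirect_check(client_id: str, requested: str) -> bool:
    """Prefix match on the registered origin: the kind of lenient comparison
    that lets the authorization server redirect to attacker-chosen hosts."""
    for allowed in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        origin = "{0.scheme}://{0.netloc}".format(urlsplit(allowed))
        if requested.startswith(origin):
            return True
    return False


def strict_redirect_check(client_id: str, requested: str) -> bool:
    """Simple string comparison of the registered URI, as RFC 6749 section
    3.1.2.3 requires: scheme, host, port, path and query must all match
    exactly; https only; fragments are never allowed in redirect_uri."""
    req = urlsplit(requested)
    if req.scheme != "https" or req.fragment or not req.hostname:
        return False
    for allowed in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        reg = urlsplit(allowed)
        if (req.scheme, req.hostname, req.port, req.path, req.query) == (
            reg.scheme, reg.hostname, reg.port, reg.path, reg.query
        ):
            return True
    return False


def authorize_redirect(client_id: str, requested: str, code: str) -> Optional[str]:
    """Location the server may send the resource owner's user-agent to after
    approval, or None when redirect_uri is refused (the server must then show
    an error page rather than redirect anywhere)."""
    if not strict_redirect_check(client_id, requested):
        return None
    joiner = "&" if urlsplit(requested).query else "?"
    return f"{requested}{joiner}code={code}"
```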

Status update for the announcement of 6th Mar 2019 (Cisco NX-OS Software Unauthorized Filesystem Access Vulnerability) – 11th Mar 2019.

Preface: On 6th Mar 2019, Cisco announced vulnerabilities found in Cisco FXOS and NX-OS Software. In total, 26 of the vulnerabilities have a Security Impact Rating (SIR) of High. Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorized access.

Technical background:
Cisco NX-OS is based on Wind River Linux and is interoperable with other Cisco operating systems. The command-line interface of NX-OS is similar to that of Cisco IOS. Recent NX-OS releases provide both a Cisco-style CLI and a Bash shell.

Status update on 11th Mar 2019: The vulnerability is due to a failure to impose strict filesystem permissions on the targeted device.
For more details, please refer to: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-file-access

My speculation: Sometimes, if an OS platform has unrestricted directory permissions, this could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level.

antihackingonline.com