CVE-2019-3878: Uninett mod_auth_mellon ECP Authentication Bypass Vulnerability (26th Mar 2019)

Preface: According to Netcraft's January 2019 statistics, Apache's share of the web server market reached 30.88%.

Technical background: Apache is not only a web server; it can also be configured as a reverse proxy to raise the isolation level of the web infrastructure. Single sign-on authentication has grown significantly in the past few years. A popular web architecture sets up Apache as a reverse proxy and integrates the single sign-on (SAML) function at that layer.

Vulnerability detail: If Apache is configured as a reverse proxy with mod_auth_mellon for authentication, the authentication can be bypassed by adding SAML 2.0 ECP headers to the request.

Official announcement and security fixes: https://github.com/Uninett/mod_auth_mellon/releases

Headline News: ASUS Live Update software compromised by Advanced Persistent Threat (APT) groups, who implanted a backdoor – 26th Mar 2019

Preface (Attack roadmap): The ASUS Live Update software installed on laptops and PCs was attacked between June and November 2018. The attackers implanted a backdoor into the Live Update software!

Observation: The ASUS update software configures the network using the Dynamic Host Configuration Protocol and then makes a plain HTTP request to a remote server to check whether a newer version of the UEFI BIOS firmware is available than the version currently running on the system. Thus there is no SSL protection, nor any verification that it is actually talking to the correct remote server.

Official announcement: ASUS's response to the recent media reports regarding the attack on the ASUS Live Update tool by Advanced Persistent Threat (APT) groups (see the URL below for reference): https://www.asus.com/News/hqfgVUyZ6uyAyJe1

CVE-2018-18252 found: CapMon improves its privileged command handling in the new version.

Preface: Monitoring is a critical capability in the IT world for defending against cyber attacks and insider threats.

Background: CapMon monitors and collects information from the infrastructure and applications. The system does not require the installation of extra software on other units in the network. CapMon IT monitoring has a web-based user interface, ensuring fast access to the various functionalities.

Vulnerability details:
Design weakness in this software: all privileged commands “only” grant local administrator privilege, but there is one command that allows for even higher privilege escalation, namely the “CALScriptDRUN” command.
The fact is that an issue was discovered in CapMon Access Manager 5.4.1.1005: CALRunElevated.exe provides “NT AUTHORITY\SYSTEM” access to unprivileged users via the --system option.

Should you have interest, please refer to the Improsec analysis report at the URL shown below: https://improsec.com/tech-blog/cam1

Front end secure, back end negligent! RSA® Authentication Manager – CVE-2019-3711

Preface: RSA Authentication Manager delivers intelligent, transparent, behind-the-scenes authentication to enhance every secure access scenario.

Product advantage: Take full advantage of virtualization in your organization to ease deployment, administration, and on-going system management.

Vulnerability details:
RSA Authentication Manager versions prior to 8.4 P1 contain an Insecure Credential Management Vulnerability. A malicious Operations Console administrator may be able to obtain the value of a domain password that another Operations Console administrator had set previously and use it for attacks.
Hints: Please refer to attached diagram.

Remedy:
Install RSA Authentication Manager version 8.4 P1 or later.

Coinbase acquisition proves controversial!

Preface: Coinbase announced in February 2019 that it had acquired Neutrino, a blockchain intelligence startup. The acquisition aims at analyzing data on public blockchains; Coinbase said Neutrino would help it prevent theft of funds from people's accounts, investigate ransomware attacks, and identify bad actors.

Market status: Cryptocurrency users were greatly worried because Neutrino (the acquired company) is run by former spyware developers, and Neutrino's key staff had been involved with Hacking Team.

Recalling memories: Do you still remember the Italian surveillance company's exploitation of CVE-2013-0633, in the attacks involving DaVinci? It was unclear whether HackingTeam sold the zero-day exploit to the parties carrying out those attacks, or whether they acquired the zero-day exploit that allowed them to install DaVinci from a different source. Either way, Hacking Team was responsible for the above.

In the meantime, there is no further status update. Should you have interest in this news, please refer to the headline news by Bloomberg (see below): https://www.bloomberg.com/news/articles/2019-03-04/coinbase-risks-user-losses-after-buying-firm-with-spyware-ties?srnd=cybersecurity

Our future, especially the smart city, is waiting for 5G mobile communication. Is your body ready for 5G signals?

Preface: When the mobile phone was born, some people were concerned about the impact of electronic devices on human health. As time goes by, it seems we have forgotten about it, because we need smartphones now!

Historical background: The FCC has established a policy for human exposure to radio frequency electromagnetic fields. That seems fine; the specific policy is defined, right? However, if you review the related policy (see the URL below), you might have doubts: does our existing policy keep pace with modern technology? https://www.fcc.gov/general/radio-frequency-safety-0

About the vulnerability: The medical industry does not specify that this technology is potentially harmful to the human body. But brain cancer, salivary cancer, acoustic neuromas and two other types of cancer go up with cell phone use. It is strange that European countries are the leaders in promoting healthcare, yet they also appear to be supporters of the technology. In a strategic project plan, especially for a country's infrastructure, the major elements should be included in the design phase, but I have not seen a renewed policy on Human Exposure to Radio Frequency Electromagnetic Fields.

User opinion – Would you mind your user credentials running naked? Facebook scandal (Mar 2019)

Preface: Do I really need to encrypt every file on my computer?
Maybe the answer is simple: it all depends on your data classification label...

The focus: Informed sources said that access logs showed some 2,000 engineers or developers had made approximately nine million internal queries for data elements that contained plain-text user passwords.

What is the objective of external audit?
The objective of external audit is for the auditor to express an opinion on the truth and fairness of IT operations.

Doubt? From an information security point of view, the developer role should not have access to the production environment, especially its data. Meanwhile, what is the job role of the engineers? The job roles seem very messy.

Headline News: https://www.bbc.com/news/technology-47653656

Cisco has remediated IP Phone 8800 Series vulnerabilities – 20th Mar 2019

Preface: Cisco announced yesterday that vulnerabilities were found in the IP Phone 8800 Series.

About the IP Phone 8800 Series: The Cisco IP Phone 8800 Series delivers HD video and VoIP communications, and integrates with your mobile device to meet your business needs.

Vulnerability details are shown below:

  • Cisco IP Phone 8800 Series Path Traversal Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ipptv
  • Cisco IP Phone 8800 Series File Upload Denial of Service Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ipfudos
  • Cisco IP Phone 8800 Series Authorization Bypass Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ipab
  • Cisco IP Phone 7800 Series and 8800 Series Remote Code Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ip-phone-rce
  • Cisco IP Phone 8800 Series Cross-Site Request Forgery Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ip-phone-csrf

Synopsis of two of the vulnerabilities: Cisco perhaps did not provide the vulnerability details for CVE-2019-1716 and CVE-2019-1763. However, there are hints that let us speculate about those issues. Web applications are highly vulnerable to input validation errors. Entering an invalid entry such as “!@#$%^&*()” into a vulnerable web application may cause performance issues or denial of service on a vulnerable system, and invalid passwords such as “pwd’” or “1=1--” may result in unauthorized access.

Do not ignore integer overflow attacks. Their power is equivalent to a torpedo.

Preface: Malware detection, SIEM and predictive technology enhance the detective and preventive controls in the cyber security world. However, hackers still have ways to infiltrate and thus compromise the system. Attackers exploit integer overflows for evasion, and from a technical point of view it is difficult to detect.

Historical records of cyber attacks that exploited integer overflow vulnerabilities:

Total 329 ethereum tokens vulnerable for integer overflow – 9th Jul 2018 – http://www.antihackingonline.com/potential-risk-of-cve/9th-jul-2018-total-329-ethereum-tokens-vulnerable-for-integer-overflow/

CVE-2018-6983 VMware Workstation and Fusion updates address an integer overflow issue – 22nd Nov 2018 – http://www.antihackingonline.com/potential-risk-of-cve/cve-2018-6983-vmware-workstation-and-fusion-updates-address-an-integer-overflow-issue-22nd-nov-2018/

CVE-2018-20181 rdesktop seamless_process() Heap-Based Buffer Overflow Memory Corruption Vulnerability – https://cxsecurity.com/cveshow/CVE-2018-20181

Observation: According to my observations, software engineering has technical limitations, and cyber criminals are most likely keen to develop a technique that sounds like the F117: invisible to radar (IDS) and infrared (SIEM). Online web applications will always require user input functions; even when software developers introduce pull-down menus, the application cannot do without name and password inputs. So this is the objective we highlight today. The integer overflow technique can provide a silent attack, and as a result it forms a bridge that lets the attacker execute the second phase of the attack. For instance, in a C environment the range of unsigned char is 0 to 255. So if the input password length is 260 and it is stored in an unsigned char, the value wraps around (integer overflow): passwd_len actually has a value of 4, so the length limit can be bypassed. If the buf parameter has a design limit and 260 bytes of data are stuffed into it, this causes a stack overflow.
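As an added example (not code from the original post), the C pattern described above: the length is narrowed to an unsigned char, so a 260-byte password passes a check meant for a 16-byte buffer, shown beside a hardened version that keeps the length in size_t and refuses anything that does not fit. The BUF_SIZE of 16 and the 260-byte 'A' input are constructed for the demonstration; the flawed check only reports its decision and never performs the overflowing copy.

```c
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 16   /* constructed fixed-size buffer for the demonstration */

/* Store the length in an unsigned char, as the flawed code does:
 * a 260-byte input wraps to 260 % 256 = 4. Returns what the check sees. */
unsigned int truncated_length(size_t real_len) {
    unsigned char passwd_len = (unsigned char)real_len;
    return passwd_len;
}

/* The flawed length check: it compares the wrapped value, so a 260-byte
 * password passes as if it were 4 bytes. Returns 1 when the check would
 * (wrongly) allow the copy. No copy is performed, so nothing is corrupted. */
int vulnerable_check_accepts(size_t real_len) {
    unsigned char passwd_len = (unsigned char)real_len;
    return passwd_len < BUF_SIZE;
}

/* Hardened version: keep the length in size_t (no narrowing conversion)
 * and reject anything that does not fit together with its NUL terminator.
 * Input must be NUL-terminated. Returns 1 on success, 0 when rejected. */
int safe_copy(char *buf, size_t buf_size, const char *input) {
    size_t len = strlen(input);
    if (len >= buf_size) {
        return 0;                 /* too long: refuse rather than overflow */
    }
    memcpy(buf, input, len + 1);
    return 1;
}

/* Constructed 260-byte password ('A' repeated) as in the scenario above.
 * Returns 1 if the hardened copy correctly refuses it. */
int demo_long_password_rejected(void) {
    static char pw[261];
    char buf[BUF_SIZE];
    memset(pw, 'A', 260);
    pw[260] = '\0';
    return safe_copy(buf, sizeof buf, pw) == 0;
}

/* A short constructed password still fits: returns 1 if copied intact. */
int demo_short_password_accepted(void) {
    char buf[BUF_SIZE];
    return safe_copy(buf, sizeof buf, "hunter2") == 1
        && strcmp(buf, "hunter2") == 0;
}
```

The flawed check accepts the 260-byte input because it only ever sees the value 4; the hardened check compares the real length against the real capacity, which is the only comparison that matters.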

CVE-2019-0804 Azure Linux Agent Information Disclosure Vulnerability (14th Mar 2019)

Preface: To speed up your cloud deployments, deploying from an image is faster than mounting an ISO and manually installing a VM. When a system administrator creates images for an OpenStack provider, he pre-installs cloud-init and haveged. Azure has a similar feature, the so-called Azure WaLinuxAgent.

Vulnerability detail: An information disclosure vulnerability exists in the way Azure WaLinuxAgent creates swap files on resource disks. An authenticated attacker who successfully exploited this vulnerability could view data in swap that is normally hidden.

My speculation: WALA uses “fallocate” instead of “dd” to create the swap file. When an ext4 filesystem is used, a local attacker can call the fallocate() function in order to read fragments of deleted files.

Remedy solution: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0804

antihackingonline.com