Splunk Web in Splunk Enterprise 6.5.x before 6.5.5, 6.4.x before 6.4.9, 6.3.x before 6.3.12, 6.2.x before 6.2.14, 6.1.x before 6.1.14, and 6.0.x before 6.0.15 and Splunk Light before 6.6.0 has Persistent XSS Vulnerability – CVE-2019-5727

NVD Published Date: 02/20/2019

Preface: SIEM can enforce your cyber security protection meanwhile it is the potential target by hacker.

Synopsis: So far Splunk did a remarkable analytic function. Furthermore SIEM product itselfs have their baseline protection feature. From technical point of view, it is not recommend apply WAF function to monitor their activities. Perhaps WAF will be provide large volume of false positive alarm thus interrupt SIEM functions. Therefore how to conduct management control in SIEM will be the major focus by cyber security expert.

Vulnerability found on Splunk: A Web Persistent Cross-Site Scripting Vulnerability occurs.

Impact: A successful exploit could allow the attacker to execute arbitrary script code in the context of the web interface.

Splunk has released a security advisory at the following link: https://www.splunk.com/view/SP-CAAAQAF

Preface: The Domain Name System (DNS) was standardized 30 years ago by IETF (RFC1034 and RFC1035). An additional standard, EDNS (RFC2671) was published in 1999 and updated in 2013 (RFC6891).

Synopsis: As time goes by, EDNS, gained importance with the wide deployment of DNSSEC, among others, which has become an essential part of the DNS protocol.
Since the nonconformity of the software code especially of the DNS software vendors.There are different workarounds on DNS software vendors. Meanwhile it is hard to avoid vulnerability occurs.

ISC Releases security updates for Bind:
CVE-2018-5744: A specially crafted packet can cause named to leak memory – https://kb.isc.org/docs/cve-2018-5744

CVE-2018-5745: An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys – https://kb.isc.org/docs/cve-2018-5745

CVE-2019-6465: Zone transfer controls for writable DLZ zones were not effective – https://kb.isc.org/docs/cve-2019-6465

Preface: SQLAlchemy is an open-source SQL toolkit and object-relational mapper (ORM) for the Python programming language released under the MIT License.

Who is their customer?
SQLAlchemy is used by organizations such as:
Yelp!
reddit
DropBox
The OpenStack Project
Survey Monkey

Modern programming languages are almost all object-oriented. While most object-oriented languages offer developer benefits such as componentization of code, ease of maintenance, possibility of reuse. This is the fact that they need for an OR mapper.

Vulnerability detail: SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.

Remedy:
SQLAlchemy has released a software updates at the following link:

https://github.com/sqlalchemy/sqlalchemy/releases

Preface: Many companies do not plan to use the Microsoft IIS web server until MS SharePoint is born.

MS SharePoint baseline design: If you decide to use SharePoint, IIS web server will be work with you forever. Indeed that SharePoint products are popular. And such away let people forget about IIS web server weakness. Perhaps most of the design architect conduct the preventive control to avoid the risk already. They install a proxy server in front of IIS.

Doubt: If you have proxy server in front of IIS web server. Do you jeopardize by this vulnerability?
Perhaps your proxy will be reduce the risk. But for the long run. Schedule to do the patching.

Below is the official announcement by Microsoft.
ADV190005 – Guidance to adjust HTTP/2 SETTINGS frames

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190005

Preface: HyperFlex is Cisco’s hyper-converged infrastructure (HCI) platform. It enable centralized management and enhanced operation efficiency.

Vulnerability detail:
The vulnerability resides in the hxterm service of the Cisco HyperFlex software package and it can “allow an unauthenticated, local attacker to gain root access to all nodes in the cluster, said Cisco.

If the following occurs:
You may login to the HX Data Platform command line interface in the Storage Controller VM in the following ways:
From a browser, a CLI terminal (SSH) and HX Connect Web CLI page.

OpenSSH can forward TCP sockets and UNIX domain sockets. If privilege separation is disabled, then on the server side, the forwarding is handled by a child of sshd that has root privileges. If an attacker who is permitted to log in as a normal user over SSH (using “ssh -L”). It can effectively connect to non-abstract unix domain sockets with root privileges.

Remedy: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-chn-root-access

Preface: CX-Supervisor is dedicated to the design and operation of PC visualization and machine control in Omron controller applications.

Technical background: Configuring CX supervisor in OPC and DDE is extremely simple if you have your DDE and OPC server with the SCADA package. CX supervisor contains a large number of predefined functions and libraries, and even very complex applications can be generated with a powerful programming language or VBScript.

Vulnerability detail: CX-Supervisor (Versions 3.42 and prior) has an vulnerability occurs. In technical aspect, we so called access of uninitialized pointer.
That is if the uninitialized pointer is used as a function call, then arbitrary functions could be invoked. If an attacker can influence the portion of uninitialized memory that is contained in the pointer, this weakness could be leveraged to execute code or perform other attacks.

What is the best practice for an pointer?
The best way is setting it to NULL if it doesn’t point to anything.

Vendor announcement (see below url). But it did not mentioned this CVE yet! http://iotsecuritynews.com/omron-cx-supervisor-update-a/

Preface: Linus Torvalds, he is the principal developer of the Linux kernel. Many Linux distributions and operating systems are based on Linus Torvalds design foundation.

Synopsis: The module (virt/kvm/kvm_main.c) enables machines with Intel VT-x extensions to run virtual machines without emulation or binary translation. The module (virt/kvm/kvm_main.c) enables machines with Intel VT-x extensions to run virtual machines without emulation or binary translation. However a vulnerability occurs in the kvm_ioctl_create_device function of the Linux Kernel.

Details: The vulnerability exists due to a race condition that causes the kvm_ioctl_create_device function.
Affected software: kvm_main.c source code file

Impact: A successful exploit could trigger a use-after-free condition vulnerability. Thus causes the targeted virtual machine crash ( DoS condition). Besides, a successful exploit could allow the attacker to gain elevated privileges on a targeted system.

Remedy action: https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?id=cfa39381173d5f969daf43582c95ad679189cbc9

Preface: Cisco provide status update on CVE-2018-5391 on 18th Feb 2019 , it is the follow up action for Linux kernel flaw announced August last year.

Synopsis: A decade ago, we said that the vulnerabilities of Microsoft windows will be jeopardize the IT world. Perhaps this statement not suitable today because Linux and open sources application encountered risks in frequent.

Vulnerability: From technical point of view, this flaw is easy exploit by attacker. They can send a packet trigger time and calculation expensive fragment reassembly algorithms overload the CPU power.

Don’t neglect this vulnerability:
Perhaps you say that your IPS can filter such malicious attack. The specify product has been patched. So your campus will be secure. But Linux base platform of machines are common today in your IT infrastructure. What if similar of attack is a insider threat. What’s the result?

Cisco official announcement – 18th Feb 2019 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180824-linux-ip-fragment