Rockwell Automation RSLinx Classic cyber security alert! 20th Sep 2018

Perhaps we believe that the vulnerability of industrial automation system or SCADA merely happens on Microsoft product. As a matter of fact, Linux OS base system do not have exception. They are also vulnerable!

Below vulnerabilties details was found on Rockwell RSLinx Classic. RSLinx Classic is an inclusive communication server which provides plant-floor device connectivity for a wide variety of Rockwell Software applications such as RSLogix 5/500/5000, RSView32, FactoryTalk View Site Edition & FactoryTalk Transaction Manager. RSLinx provides connectivity for client applications using OPC or DDE. OPC is the preferred interface for data acquisition applications because it is the Defacto standard for factory communications.

References:

STACK-BASED BUFFER OVERFLOW – https://www.cvedetails.com/cve/CVE-2018-14829/

HEAP-BASED BUFFER OVERFLOW –https://www.cvedetails.com/cve/CVE-2018-14821/

UNCONTROLLED RESOURCE CONSUMPTION (‘RESOURCE EXHAUSTION’) – https://www.cvedetails.com/cve/CVE-2018-14827/

 

Apple Releases Security Update for macOS Mojave – 24th Sep 2018

The Mid-Autumn Festival is a harvest festival celebrated notably by the Chinese and Vietnamese people. Perhaps this is a specify day for celebration and traditional people will take rest and do the family dinner gathering.Cyber world operation looks does not have holiday. This is the robot life. Perhaps you and me do not want to become a robot. But we are on the way!

Apple Releases Security Update for macOS Mojave – 24thSep2018

Bluetooth – CVE-2018-5383
Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic

App Store – CVE-2018-4324
Impact: A malicious application may be able to determine the Apple ID of the owner of the computer

Application Firewall – CVE-2018-4353
Impact: A sandboxed process may be able to circumvent sandbox restrictions

Auto Unlock – CVE-2018-4321
Impact: A malicious application may be able to access local users AppleIDs

Crash Reporter – CVE-2018-4333
Impact: An application may be able to read restricted memory

Kernel – CVE-2018-4336, CVE-2018-4344
Impact: An application may be able to execute arbitrary code with kernel privileges

Security – CVE-2016-1777
Impact: An attacker may be able to exploit weaknesses in the RC4 cryptographic algorithm

Reference: https://support.apple.com/en-us/HT209139

Hypothesis – About the cyber attack on Port of Barcelona (Sep 2018)

We heard that the Port of Barcelona suffers an attack of hackers last week (20th Sep 2018). The logistics and transportation industry lure hackers’ interest because they can extort ransom.

There is no official or incident details announcement till today. The following details merely my personal imagination of this incident. Any resemblance to actual events or persons is entirely coincidental.

We noticed that Portic Barcelona uses WebLogic for Private PaaS in 2014. The solution aim to enhance the performance and facilitates interaction between its members through its information services to logistics agents and other customers.

What if below vulnerability occurs, do you think the scenario whether will have similarity to the incident.

ORACLE WEBLOGIC SERVER JAVA DESERIALIZATION REMOTE CODE EXECUTION VULNERABILITY (CVE-2018-2628) BYPASS

Headline News article for reference.

https://www.portseurope.com/barcelona-port-suffers-a-cyber-attack/

SAP security Patch Day – 11th Sep 2018

Nowadays, the trend of business industries are bring their application on top of Cloud services. But some of the firm has reluctant to cloud because they are concerning about data breaches, data ownership and different areas of law regulations. As a matter of fact, doing the cyber security protection on your own or without managed sercurity services looks not in the right direction. As a result , there are more project development priority to select cloud services application platform. The hottest one is the SAP.

Vendor SAP do the vulnerability managment looks fine since they are the market leader. As we know, the security patch day announced on 11th September 2018. Yes, it is above one week ago. I observe this round of patch management have 2 items awaken company CSO thinking. Even the medium piority of vulnerability items also contain potential risk. For instance CVE-2018-2454,CVE-2018-2455 and CVE-2018-2461. The first and second CVE issues (CVE-2018-2454 & CVE-2018-2455 )are lack of authorization check. In the sense that this type of indirect privileges escalation causes by insider threats. So a careless user will be jeopardize or compromised the system.The last one (CVE-2018-2461) indicate the vulnerability happend in SAP HCM. The SAP Fiori app suite for HCM makes use of SAP’s new UX strategy to help your employees, irrespective of any level, to trigger different HR needs, such as paid leave application, viewing of pay stubs. The vulnerability belongs to data privacy is also lack of authorization check. So medium severity of vulnerability sometimes will also be dangerous. Should you have interest to know more, please refer to below url.

SAP Security Patch Day – September 2018

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499356993

Remediation announcement – Cisco Video Surveillance Manager Appliance Default Password Vulnerability 21st Sep 2018

Does it a design flaw or it is a ………..?

While exploring her new home, a girl named Coraline discovers a secret door, behind which lies an alternate world that closely mirrors her own but,…..

Remediation announcement – Cisco Video Surveillance Manager Appliance Default Password Vulnerability – 2018 September 21 (below url for reference)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180921-vsm

Similar vulnerability found on Cisco products within this year, is it a coincidence? (see below):

CVE-2018-0150 – Cisco IOS XE static credential default account
CVE-2018-0222 – Digital Network Architecture Center Static Credentials Vulnerability
CVE-2018-0268 – bypass for a Kubernetes container management subsystem embedded inside Cisco’s DNA Center.
CVE-2018-0271 – An authentication bypass in the DNA Center’s API gateway.
CVE-2018-0375 – vulnerability in the Cluster Manager of Cisco Policy Suite
CVE-2018-0329 – The hardcoded credentials resides in the read-only SNMP community string in the configuration file of the SNMP daemon,
CVE-2018-15427 – Cisco Video Surveillance Manager Appliance Default Password Vulnerability

SCADA environment staying alert – Security updates for the OPC UA stacks on 12th Sep 2018

SCADA helps people automate our world. It includes water, wastewater, and storm water management,Oil and Gas,Electricity,Transit systems and traffic,Facilities,Agriculture and Manufacturing.

OPC UA can be used for supervisory control, now eliminating the use of Windows-based intermediate systems to streamline the data transfer process from the field and control levels vertically to the management and enterprise levels. Recently found Buffer overflow in OPC UA applications. It allows remote attackers to trigger a stack overflow with carefully structured requests. Stack buffer overflow can be caused deliberately as part of an attack known as stack smashing. Buffer overflows in the stack segment may allow an attacker to modify the values of automatic variables or execute arbitrary code.

Official announcement shown as below URL:

https://opcfoundation-onlineapplications.org/faq/SecurityBulletins/OPC_Foundation_Security_Bulletin_CVE-2018-12086.pdf

BIND 9 flaw – krb5-subdomain and ms-subdomain update policy rules ineffective

 

What is BIND 9? BIND is open source software that enables you to publish your Domain Name System (DNS) information on the Internet, and to resolve DNS queries for your users.

On 2006, named.conf parser design limitation found by Anonymous Monk. He list out the following.

  • BIND::Conf_Parser – doesn’t deal with 9.x
  • BIND::Config::Parser – bails out with ‘Bad text’ on my named.conf
  • Cpanel – near to impossible to cut out something usable outside cpanel
  • Webmin – seems to deal only with bind 8.x
  • the /usr/sbin/named-checkconf utility packed with bind.9 – gives just an OK/not ok verdict upon named.conf, no way to store the underlying structure.

Announce design flaw – Sep 2018

The krb5-subdomain and ms-subdomain update policy rule types permit updates from any client authenticated with a valid Kerberos or Windows machine principal from the REALM specified in the identity field, to modify records in the zone at or below the name specified in the name field.

Remark: A Kerberos realm is a set of managed nodes that share the same Kerberos database.

CVE-2018-5741: Update policies krb5-subdomain and ms-subdomain – https://kb.isc.org/docs/cve-2018-5741

Summary:

ISC BIND before releases 9.11.4-P2 and 9.12.2-P2 does not properly document the behaviour of the krb5-subdomain and ms-subdomain update policies.

Reference – Vulnerabilities announced last few months

8th Aug 2018 – ISC Releases Security Advisory for BIND

June 13, 2018 – ISC Releases Security Advisory for BIND

May 18, 2018 – ISC Releases Security Advisories for BIND

 

 

 

 

Don’t underestimate – Adobe release security update – Sep 2018

Adobe has released security updates to address vulnerabilities in Adobe Acrobat and Reader. Electronic document transform to an attacking tools are worry in cyber security world so far. The fact is that it is hard to detect such indirect attack. The simple we will know it is easy to evade the defense machanism. A malicious user can pass a `cff` font file to the application to cause a heap-based buffer overflow that can lead to an out-of-bounds write. This can cause the application to crash or overwrite values in the heap. If it overwrite chunk header, corrupt free(), but program doesn’t crash. It will be very dangerous!

Don’t underestimate! Offical URL shown as below:

https://helpx.adobe.com/security/products/acrobat/apsb18-34.html

Vulnerability in SIMATIC WinCC OA V3.14 and prior – Sep 2018

SIMATIC WinCC Open Architecture enables handling with bigger amounts of data with even smaller hardware solutions. However WinCC OA v3.14 found critical vulnerability. Do you think below detail is the root causes? A remote attackers execute arbitrary code or cause a denial of service (invalid pointer write) via a crafted packet to TCP port 5678. So we must Protecting C Programs from Attacks via Invalid Pointer.

Vulnerability record in SIMATIC WinCC OA V3.14 (see below):

https://cert-portal.siemens.com/productcert/pdf/ssa-346256.pdf

 

Quick review of OpenSC vulnerabilities – Sep 2018

Basic Understanding:

What is smart card? A smart card is a security token that has an embedded chip. Smart cards are typically the same size as a driver’s license and can be made out of metal or plastic

Basicaly you can get smart card in two states: either blank or initialized. For blank cards OpenSC has code to initialize the card in PKCS#15 format.

PKCS#11 – The PKCS#11 interface is used to communicate or access the cryptographic devices such as HSM (Hardware Security Modules) and smart cards. The primary purpose of HSM devices is to generate cryptographic keys and sign/encrypt information without revealing the private key to the others.

PKCS#15 – PKCS 15 (Public Key Cryptography Standard 15) defines the standard for the storage of keys on smart cards. OpenSC implements PKCS#15 and thus stores everything in the directory 5015, creates certain files in defined formats, subdirectories and so on. Not all software implement PKCS#15. Many cards in EU and elsewhere have ID cards for their citizens with keys for digital signatures and authentication, and often those cards and not in PKCS#15 format.

OpenSC implements the standard APIs to smart cards

OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the PKCS #15 standard and the PKCS #11 API. It is possible to use the Smartcard via OpenSC with the Microsoft CNG library. CNG can be used together with CryptoAPI.

Vulnerability Details

CVE-2018-16418

A buffer overflow when handling string concatenation in util_acl_to_str in tools/util.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.

CVE-2018-16427

Various out of bounds reads when handling responses in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to potentially crash the opensc library using programs.

Reference: Fixed out of bounds writes

https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad

OpenSC before 0.19.0-rc1 vulnerabilities summary:

Highlight concerns

Buffer overflow – Attacker would use a buffer-overflow exploit to take advantage of a program that is waiting on a user’s input. There are two types of buffer overflows: stack-based and heap-based. Heap-based, which are difficult to execute and the least common of the two, attack an application by flooding the memory space reserved for a program. Stack-based buffer overflows, which are more common among attackers, exploit applications and programs by using what is known as a stack: memory space used to store user input.

Double free errors – Double free errors occur when free() is called more than once with the same … Calling free() twice on the same value can lead to memory leak.

Endless recursion vulnerability – This weakness describes a logic error within the application, which results in an endless loop.

OpenSC-019.0 released 14th Sep 2018

Fixed multiple security problems (out of bound writes/reads, #1447):

CVE-2018-16391, CVE-2018-16392, CVE-2018-16393, CVE-2018-16418, CVE-2018-16419, CVE-2018-16420, CVE-2018-16421, CVE-2018-16422, CVE-2018-16423, CVE-2018-16424, CVE-2018-16425, CVE-2018-16426, CVE-2018-16427

URL shown as below:

https://github.com/OpenSC/OpenSC/releases

Demonstrate buffer overflow

 

antihackingonline.com