SaltStack has released a security update to address critical vulnerabilities affecting Salt versions prior to 2019.2.4 and 3000.2 (1st May 2020)

Product background: If you have one hundred servers, it makes sense to use a tool such as Puppet (an open source DevOps systems management tool) to centralize and automate configuration management. SaltStack itself is an open source platform for centralized infrastructure management. Compared with other commercial products, its deployment and configuration are slightly more complicated.

Vulnerability details: SaltStack has released a security update to address critical vulnerabilities affecting Salt versions prior to 2019.2.4 and 3000.2. A remote attacker could exploit these vulnerabilities to take control of an affected system. For more details, please refer to the attached diagram. The official announcement can be found here: https://docs.saltstack.com/en/latest/topics/releases/3000.2.html

Recommendation:

1. Upgrade SaltStack to a recommended version. It is recommended to take a snapshot backup before upgrading.

2. Do not expose the Salt Master's default listening ports (4505 and 4506) to the public network; allow access only from trusted hosts.

Take care, data center administrators.

Alert users that a previously disclosed Oracle WebLogic Server remote code execution vulnerability (CVE-2020-2883) is being exploited in the wild. (3rd May 2020)

Preface: Perhaps my alert is three days late, but this vulnerability has hidden itself in the WebLogic product for a few years!

Vulnerability details: Users are alerted that a previously disclosed Oracle WebLogic Server remote code execution vulnerability (CVE-2020-2883) is being exploited in the wild. You can read the official announcement at the following link – https://blogs.oracle.com/security/apply-april-2020-cpu

One of the exploit methods – The attacker can locate all of the objects by packet capture. For more details, please refer to the attached diagram. As a result, the attacker can replace these objects with his malicious payload, since the server receives the data and unpacks (deserializes) it without an integrity check. This lets the attacker execute malicious code on the underlying WebLogic core, allowing him to take control over unpatched systems.
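The integrity gap described above, as an added example (not WebLogic or Oracle code): a receiver that verifies an HMAC tag over the serialized bytes before deserializing, beside one that reconstructs whatever object stream it is handed. The shared key and the tag-plus-body message layout are constructed for this example.

```python
"""Integrity-checked unpacking of a serialized message (added example,
not WebLogic code). A server that deserializes whatever it receives
cannot tell an attacker-modified object stream from a genuine one; an
HMAC over the serialized bytes, verified first, rejects tampered bodies."""
import hashlib
import hmac
import pickle

SECRET_KEY = b"constructed-shared-secret"  # constructed for the example
TAG_LEN = hashlib.sha256().digest_size      # 32 bytes


def pack(obj, key=SECRET_KEY):
    """Serialize obj and prefix the bytes with an HMAC-SHA256 tag."""
    body = pickle.dumps(obj)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def unpack_unchecked(blob):
    """Weak pattern: skip the tag and reconstruct whatever the stream says."""
    return pickle.loads(blob[TAG_LEN:])


def unpack_checked(blob, key=SECRET_KEY):
    """Hardened pattern: verify the tag over the body and only then
    deserialize. compare_digest keeps the comparison constant-time."""
    if len(blob) < TAG_LEN:
        raise ValueError("message too short")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed; refusing to deserialize")
    return pickle.loads(body)


def accepts(blob, key=SECRET_KEY):
    """True if unpack_checked would deserialize blob, False if it rejects it."""
    try:
        unpack_checked(blob, key)
        return True
    except ValueError:
        return False


def replace_body(blob, new_obj):
    """Simulate the object swap described above: keep the original tag but
    substitute the serialized body (a harmless dict stands in here)."""
    return blob[:TAG_LEN] + pickle.dumps(new_obj)
```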

VMware ESXi patches address Stored Cross-Site Scripting (XSS) vulnerability (CVE-2020-3955) – 28th Apr 2020

Preface: Perhaps when you do a web scan or web penetration test, XSS is easy to find. However, people tend to dismiss this matter.

How to avoid XSS?

1. Input should be filtered for special characters, especially < > & ' " .

2. Whitelisting and input validation are more commonly associated with SQL injection, but they can also be used as an additional method of prevention for XSS.

3. Sanitize user input.

About CVE-2020-3955: A user with access to modify the system properties of a virtual machine from inside the guest OS (such as changing the hostname of the virtual machine) may be able to inject a malicious script which will be executed by a victim's browser when viewing this virtual machine via the ESXi Host Client.
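The three defences listed above, applied to the CVE-2020-3955 scenario, as an added example (not VMware code): a guest-reported hostname is checked against a hostname allow-list before it is stored and HTML-encoded before it is shown. The table-cell markup and the sample hostnames are assumptions for this example.

```python
"""Allow-list validation plus output encoding for a guest-supplied
hostname (added example, not VMware code). A value set inside the guest
OS is later displayed in a management UI, so it is untrusted input."""
import html
import re

# RFC 1123 hostname: labels of letters, digits and hyphens, 1-63 chars,
# not starting or ending with a hyphen, joined by dots, 253 chars total.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"^(?:%s\.)*%s$" % (_LABEL, _LABEL))


def is_valid_hostname(name):
    """Allow-list check (item 2 above): accept only what a hostname may
    legitimately contain, which excludes < > & ' " by construction."""
    return 0 < len(name) <= 253 and HOSTNAME_RE.match(name) is not None


def render_vm_cell_unsafe(hostname):
    """Weak pattern: guest-supplied text concatenated straight into markup."""
    return "<td>%s</td>" % hostname


def render_vm_cell(hostname):
    """Hardened pattern (items 1 and 3 above): encode the value for the
    HTML context it lands in, so the browser renders it as text."""
    return "<td>%s</td>" % html.escape(hostname, quote=True)


def accept_hostname_change(current, requested):
    """Decide whether to store a hostname reported from the guest; values
    failing the allow-list keep the previous hostname (constructed policy)."""
    return requested if is_valid_hostname(requested) else current
```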

Remedy: VMware official announcement – https://www.vmware.com/security/advisories/VMSA-2020-0008.html

Juniper hardens itself: avoiding an injection attack on the log event services daemon – 28th Apr 2020

Preface: Frankly speaking, similar types of attack apply to all Linux-based devices, including firewalls.

The impact of this vulnerability – If J-Web is enabled, the attacker could gain the same level of access as anyone actively logged into J-Web. If an administrator is logged in, the attacker could gain administrator access to J-Web.

My observation: One possibility is that an attacker can craft a kernel message that contains '%' characters between pairs of '[<' and '>]' symbol markers to gain root access to the system. Perhaps if the attacker's goal is surveillance, he can delete the log events and fool the SIEM system, since SIEM log event correlation functions rely on log events.

Official announcement – https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11021

An official remediation was released (avoiding the SQL injection attack encountered in Sophos XG Firewall) – 26th April 2020.

Preface: The modern user-friendly functions installed on a firewall affect its defensive function.

Background: When a device presents a web page for entering user credentials, it may face an injection attack, whether SQL injection or command injection. This applies especially to firewall designs, which can support and integrate LDAP authentication or a standalone authentication mode. From a security point of view, the firewall service daemon should be separated from its operating system kernel, and therefore the related firewall admin ID file (shadow) is not saved in the etc folder but in a separate area. Since the firewall can also support SSL VPN services, it needs a place to store user credentials when users are set up in standalone mode, and that is where an injection attack can occur: if the credentials are stored in a repository, it can be affected by SQL injection.

Details: By investigating physical and virtual XG Firewall units, Sophos confirmed that its XG Firewall has a design weakness. This attack depends on the firewall setup.

Impact: Theft of data from the firewall, including “usernames and hashed passwords”.

Remedy: https://community.sophos.com/kb/en-us/135415

Headline news – detect and prevent cyber attackers from exploiting web servers via web shell malware (23rd Apr 2020)

Preface: Web shells are a well-known attacker technique, but they are often difficult to detect because of how well they blend in with an existing web application.

Details: Web shells are used to gain root access to the server. Web shell malware is frequently chosen by APT groups; the list below is just a small sample of the vulnerabilities known to have been used to deploy them.

Vulnerabilities and affected environments frequently used by attackers:

CVE-2019-0604 (affecting Microsoft SharePoint)
CVE-2019-19781 (affecting Citrix appliances)
CVE-2019-3396 and CVE-2019-3398 (affecting Atlassian Confluence Server and Data Center Widget Connector)
CVE-2019-9978 (affecting the social-warfare plugin for WordPress)
CVE-2019-18935, CVE-2017-11317 and CVE-2017-11357 (affecting Progress Telerik UI)
CVE-2019-11580 (affecting Atlassian Crowd)
CVE-2020-10189 (affecting Zoho ManageEngine Desktop Central)
CVE-2019-8394 (affecting Zoho ManageEngine ServiceDesk Plus)
CVE-2020-0688 (affecting Microsoft Exchange Server)
CVE-2018-15961 (affecting Adobe ColdFusion).

Official announcement – https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2159419/detect-prevent-cyber-attackers-from-exploiting-web-servers-via-web-shell-malware/
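Web shells blend in with the application, as noted above, which is why the NSA guidance linked here recommends comparing a web server's files against a known-good copy. The following is an added example of that comparison (not NSA tooling): it records a SHA-256 baseline of a web root and reports files that were added, changed or removed. The web root, its files and the simulated changes are constructed in a temporary directory.

```python
"""Known-good comparison of a web root (added example, not NSA tooling).
A dropped web shell or a backdoored page surfaces as a file that is new
or whose digest no longer matches the recorded baseline."""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file's root-relative path to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_against_baseline(baseline, current):
    """Return (added, modified, removed) as sorted lists of relative paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def demo():
    """Constructed scenario: baseline a two-file web root, then drop a new
    PHP file into an upload directory and append to an existing page."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        files = {"index.php": b"<?php echo 'hello';",
                 "uploads/logo.png": b"\x89PNG constructed bytes"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = hash_tree(root)
        # Changes no administrator made: cache.php stands in for a dropped
        # file, index.php for a page with code appended to it.
        with open(os.path.join(root, "uploads", "cache.php"), "wb") as fh:
            fh.write(b"<?php /* constructed stand-in for a dropped file */")
        with open(os.path.join(root, "index.php"), "ab") as fh:
            fh.write(b"\n/* appended */")
        return diff_against_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())  # (['uploads/cache.php'], ['index.php'], [])
```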

Buffer overflow (SEH bypass) – perhaps it is easy to encounter in medical software systems (20th Apr 2020)

Preface: IoT Enterprise runs on 32-bit and 64-bit x86 chipsets with support for Universal Windows Platform (UWP) apps as well as Classic Windows (e.g. Win32 and .NET) applications. Perhaps you will discover that plenty of medical devices still use 32-bit Windows applications.

Recent security alert on a medical product: 'DICOM Viewer 2.0' is capable of handling DICOM files of any modality (X-ray angiogram, ultrasound, CT, MRI, nuclear, waveform, etc.), compression (lossless and lossy JPEG, JPEG 2000, RLE), depth or color. A proof of concept showed that the software encounters a buffer overflow (SEH) in specific circumstances.

What is a buffer overflow (SEH)? An exception handler is a portion of code contained within an application, designed to handle an exception that may occur during runtime. Windows contains an exception handler by default (SEH) which is designed to catch an exception and generate an error. If the buffer is overflowed and data is written to the SEH (located eight bytes after ESP), then all of the CPU registers are set to zero (0), which prevents the shellcode from executing directly. If the attacker can remove the eight additional bytes from the stack and return execution to the top of the stack, that allows execution of the shellcode.

Status: Waiting for official information update.

Reference: https://www.rubomedical.com/

Windu CMS – attacker exploits a PHP feature causing SQL injection and RCE (20th Apr 2020)

Preface: Why do we find vulnerabilities in apps so frequently? Fundamentally, an app's goal is to provide services and functions. Even if you call it a design weakness, protective controls should rely on a separate service or component. Installing antivirus (anti-malware) software on your mobile phone increases the difficulty for the attacker.

Vulnerability background: Windu CMS is a simple, lightweight and fun-to-use website content management system for Twitter Bootstrap. A security expert found a bug in Windu 3.1. The proof of concept showed that exploiting a PHP feature can trigger SQL injection and remote code execution.

Security focus: The PoC points out the important factor causing the vulnerability, so developers should pay attention. At a high level, it is simple: software developers should disable the eval function in PHP. Other than that, we should install an antivirus program on the smartphone.
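Both the Sophos XG item above (credentials stored in a repository reachable through a login page) and this Windu CMS item come down to SQL injection against a user store. The following added example (not Sophos or Windu code) runs the same credential lookup two ways against an in-memory SQLite table so the difference is visible: the string-built query lets crafted input rewrite the statement and dump every row, while the parameterized query treats the same input as an ordinary value. The table layout and sample users are constructed.

```python
"""Credential lookup done two ways against an in-memory SQLite store
(added example, not Sophos or Windu code)."""
import hashlib
import sqlite3

# Canonical tautology input: turns `name = '...'` into an always-true test.
TAUTOLOGY = "' OR '1'='1"


def make_store():
    """Constructed credential table with two users and hashed passwords."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [
        ("admin", hashlib.sha256(b"constructed-pw-1").hexdigest()),
        ("vpnuser", hashlib.sha256(b"constructed-pw-2").hexdigest()),
    ])
    return db


def lookup_unsafe(db, username):
    """Weak pattern: the caller's text becomes part of the SQL statement."""
    sql = "SELECT name, pw_hash FROM users WHERE name = '%s'" % username
    return db.execute(sql).fetchall()


def lookup_safe(db, username):
    """Hardened pattern: bound parameter; the driver never treats the
    value as SQL, so quotes and keywords inside it have no effect."""
    return db.execute("SELECT name, pw_hash FROM users WHERE name = ?",
                      (username,)).fetchall()


def rows_returned(lookup, username):
    """How many credential rows a login attempt with this username yields."""
    return len(lookup(make_store(), username))


if __name__ == "__main__":
    for fn in (lookup_unsafe, lookup_safe):
        print(fn.__name__, "admin ->", rows_returned(fn, "admin"),
              "| tautology ->", rows_returned(fn, TAUTOLOGY))
```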

Reference: WinDu CMS official website – http://en.windu.org/

Cisco security advisory – Multiple Vulnerabilities in Cisco UCS Director and Cisco UCS Director Express for Big Data (17-Apr-2020)

Preface: The protocols and interfaces used by the controller to communicate with the application layer are called the northbound interface. Protocols used for communication between the controller and forwarding nodes are called the southbound interface. Northbound communication is used to retrieve information from, or send instructions to, the controller using APIs.

Vulnerability details: Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For details, please refer to the official announcement – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E

Other potential impact: The application entry point to an SDN deployment is through the controller via the Northbound Interface (NBI). If the communication is done using REST APIs lacking proper protection, the PUT method can be used to alter configurations or add malicious files that can affect other devices. These attacks relate to communication over either the Northbound Interface (NBI) or the Southbound Interface (SBI). Some attacks are related to software. For details, please refer to the attached drawings.
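The directory traversal class named in the advisory above arises when a REST handler maps a request parameter onto a file path. The following added example (not Cisco code) shows the confinement check such a handler needs: resolve the requested name under the export directory and refuse anything that lands outside it. The export root and request names are constructed.

```python
"""Path-confinement check for a file-handling REST endpoint (added
example, not Cisco code)."""
import os


class TraversalError(ValueError):
    """Raised when a requested name would escape the export directory."""


def resolve_export_path(export_root, requested):
    """Return the absolute path for `requested` under `export_root`, or
    raise TraversalError if it resolves anywhere outside that root."""
    root = os.path.realpath(export_root)
    # Absolute paths, empty names and NUL bytes are never legitimate.
    if not requested or "\x00" in requested or os.path.isabs(requested):
        raise TraversalError(requested)
    # realpath collapses "..", doubled separators and symlinks, so the
    # comparison is made on the path the OS would actually open.
    candidate = os.path.realpath(os.path.join(root, requested))
    # commonpath rather than startswith: "/srv/export" must not accept
    # "/srv/export-old/file" as being inside it.
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError(requested)
    return candidate


def is_confined(export_root, requested):
    """Boolean form of the check, for request filters and tests."""
    try:
        resolve_export_path(export_root, requested)
        return True
    except TraversalError:
        return False


EXPORT_ROOT = "/srv/ucsd-export-example"  # constructed path

if __name__ == "__main__":
    for name in ("reports/2020-04.csv", "../../etc/passwd", "/etc/passwd",
                 "reports/../../outside.txt", "reports/../inside.txt"):
        verdict = "allowed" if is_confined(EXPORT_ROOT, name) else "rejected"
        print("%-28s %s" % (name, verdict))
```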

Security Focus – April 2020 (Oracle security alert – CVE-2020-2959)

Preface: Perhaps you have a similar feeling every time you read a cyber security announcement by Oracle. The first impression is that there are too many items. Reading into the details, some items let you know that the remediation process will be a long one!

Vulnerability detail: An unspecified vulnerability in the Analytics Web General component of Oracle BI Publisher. An easily exploitable vulnerability could allow an unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks on this vulnerability can result in takeover of Oracle Business Intelligence Enterprise Edition. (CVE-2020-2950)

Observation: Since the official announcement did not describe the details, we did our own analysis. The online Catalog Manager might fail to connect to Oracle BI Presentation Services when the HTTP web server for Oracle Business Intelligence is enabled for SSO. When you enable SSO, the Oracle Business Intelligence URL becomes protected, and you must point the online Catalog Manager to the URL instead. The URL should remain unprotected. It is configured only to accept SOAP access as used by Oracle BI Publisher, Oracle BI Add-in for Microsoft Office, and the online Catalog Manager.

Potential risk or vulnerability – Session replay attacks specifically target websites and other systems that generate and store sessions.

Official announcement – https://www.oracle.com/security-alerts/cpuapr2020.html

antihackingonline.com