Aug 2018 – Do not dismiss this vulnerability (CVE-2018-5390)

Hardware vendors increasingly deploy Linux to meet growing demand. Even your firewall appliances, malware detectors, load balancers, L2 and L3 network switches and IoT devices are Linux. Attackers recently found a trick: if a source device feeds tiny packets completely out of order, the function tcp_collapse_ofo_queue() might scan the whole rb-tree. As a result, an attacker can induce a denial-of-service condition by sending specially modified packets within ongoing TCP sessions. I think we cannot dismiss this specific vulnerability. The worst case is that an attacker is able to conduct denial of service on unpatched hardware appliances and IoT devices.
In the meantime, we are waiting for hardware vendor responses.
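A defender can watch for the receive-side symptom described above through the kernel's own TcpExt counters. The following is an added example, not code from the advisory or the kernel project; the two snapshots are constructed, and the choice of counters and the thresholds are assumptions for illustration.

```python
# Constructed /proc/net/netstat snapshots (trimmed to a few real counter names).
SNAP_T0 = """\
TcpExt: PruneCalled RcvPruned OfoPruned TCPRcvCollapsed TCPOFOQueue TCPOFOMerge
TcpExt: 3 0 1 120 4500 12
IpExt: InOctets OutOctets
IpExt: 900000 850000
"""
SNAP_T1 = """\
TcpExt: PruneCalled RcvPruned OfoPruned TCPRcvCollapsed TCPOFOQueue TCPOFOMerge
TcpExt: 5203 2 4100 910120 1204500 15
IpExt: InOctets OutOctets
IpExt: 64900000 2850000
"""

# Counters touched when the out-of-order queue is filled, collapsed and pruned.
WATCHED = ("TCPOFOQueue", "TCPRcvCollapsed", "OfoPruned", "PruneCalled")

def parse_netstat(text):
    """Turn header-line/value-line pairs into {'TcpExt.Name': int}."""
    rows = [line.split() for line in text.strip().splitlines()]
    counters = {}
    for names, values in zip(rows[0::2], rows[1::2]):
        if names[0] != values[0] or len(names) != len(values):
            raise ValueError("header and value lines do not match")
        group = names[0].rstrip(":")
        for name, value in zip(names[1:], values[1:]):
            counters[f"{group}.{name}"] = int(value)
    return counters

def ofo_deltas(before, after):
    """Counter growth between two parsed snapshots."""
    return {n: after.get(f"TcpExt.{n}", 0) - before.get(f"TcpExt.{n}", 0)
            for n in WATCHED}

def ofo_flood_suspected(before, after, seconds,
                        min_collapse_rate=1000.0, min_ofo_share=0.5):
    """Heuristic (assumed thresholds): heavy collapsing while most of the
    out-of-order queue growth is being collapsed or pruned again."""
    d = ofo_deltas(before, after)
    if d["TCPOFOQueue"] <= 0:
        return False
    reworked = d["TCPRcvCollapsed"] + d["OfoPruned"]
    return (d["TCPRcvCollapsed"] / seconds >= min_collapse_rate
            and reworked / d["TCPOFOQueue"] >= min_ofo_share)

if __name__ == "__main__":
    t0, t1 = parse_netstat(SNAP_T0), parse_netstat(SNAP_T1)
    print(ofo_deltas(t0, t1), ofo_flood_suspected(t0, t1, seconds=10))
```

On a live host the two snapshots would be reads of /proc/net/netstat taken a known interval apart, with the thresholds tuned against that host's normal traffic.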

The US-CERT official announcement is shown below:

Linux Kernel TCP implementation vulnerable to Denial of Service

Original Release date: 06 Aug 2018 | Last revised: 06 Aug 2018

https://www.kb.cert.org/vuls/id/962459

Aug 2018 – A new challenge for the IT world: mingw-w64 design limitation!

Address space layout randomization (ASLR) is a computer security technique that helps prevent exploitation of memory corruption vulnerabilities. ASLR functions like the last line of defense of the system against cyber attack. Recently, security experts commented that software application developers might not be following the guidelines issued by the CPU vendor. The fact is that an error occurs in their software application when ASLR or SGX (Software Guard Extensions – Intel) is applied. As a result, non-compliant application products will be available in the cyber world.

The actual scenario is that several tools that check for ASLR compatibility assume that the presence of the “Dynamic base” PE header is sufficient for ASLR compatibility. Because Process Explorer does not check that a relocation table is present, its indication of “ASLR” for a running process may be incorrect, and this may leave room for malware to survive. I foresee that it may have an impact on the Docker environment.
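The gap described above can be checked directly from the PE headers: the opt-in flag only takes effect when a relocation table is present. The following is an added example, not code from VU#307144 or from any of the tools mentioned; the header stubs are constructed and the status labels are this example's own.

```python
import struct

RELOCS_STRIPPED = 0x0001   # IMAGE_FILE_RELOCS_STRIPPED (COFF Characteristics)
DYNAMIC_BASE = 0x0040      # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
BASERELOC = 5              # IMAGE_DIRECTORY_ENTRY_BASERELOC

def aslr_status(image):
    """Return 'not-opted-in', 'effective' or 'opted-in-no-relocs'."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    (file_chars,) = struct.unpack_from("<H", image, coff + 18)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    dirs = opt + (96 if magic == 0x10B else 112)
    (count,) = struct.unpack_from("<I", image, dirs - 4)
    rva = size = 0
    if count > BASERELOC:
        rva, size = struct.unpack_from("<II", image, dirs + 8 * BASERELOC)
    if not dll_chars & DYNAMIC_BASE:
        return "not-opted-in"
    # The flag alone is not enough: the loader needs relocations to rebase.
    if file_chars & RELOCS_STRIPPED or rva == 0 or size == 0:
        return "opted-in-no-relocs"
    return "effective"

def sample_pe(dll_chars, file_chars, reloc=(0, 0)):
    """Constructed PE32+ header stub (headers only, not a runnable program)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, file_chars)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108, 16)     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * BASERELOC, *reloc)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(aslr_status(sample_pe(DYNAMIC_BASE, 0x0023)))            # flag set, relocs stripped
    print(aslr_status(sample_pe(DYNAMIC_BASE, 0x0022, (0x5000, 0x200))))
```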

 

MinGW is an implementation of most of the GNU build utilities, like gcc and make, on Windows, while gcc is only the compiler. It looks like more Linux operating systems are included in the ASLR non-compatible checklist announced by MinGW. The CPU vendors are on the way to addressing the CPU design flaws (Meltdown and Spectre). It looks like a new form of challenge is going to join the task force of mistakes.

Should you be interested, the hyperlink below provides the details.

Vulnerability Note VU#307144 : mingw-w64 by default produces executables that opt in to ASLR, but are not compatible with ASLR

https://www.kb.cert.org/vuls/id/307144

Synopsis – NIST plans to retire the SMS function deployed for two-factor authentication

As of today, we are enjoying the security protection of two-factor authentication with SMS-based one-time passwords (OTP). This protection mechanism is widely deployed, for instance in online banking, Visa and Master credit card online payment systems and mobile application payment systems. However, NIST plans to retire SMS-based two-factor authentication. This decision has been an open topic for public discussion in the related industries since the end of 2016. Some people question the technical standpoint of this decision.

Background – NIST 800-63-3 is the equivalent of a bible for CSOs (chief security officers) around the world, even if your business is not focused on the US market. The document NIST SP 800-63A is a subset of 800-63-3. This subset specifically addresses digital identity guidelines. Item 4.4.1.6 covers address confirmation, including SMS (see the hyperlink below for the official document download).

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63a.pdf

Reference: Two-factor authentication uses two different factors from the following, namely “something you have” (e.g. mobile phones), “something you are” (e.g. fingerprints) or “something you know” (e.g. password), to authenticate a user identity.

SMS message system design limitations (see below):

  1. SIM swap is a type of phishing fraud that poses a serious threat to mobile phone users. As a result, all calls and texts to the victim’s number are routed to the fraudster’s phone, including one-time passwords.
  2. SMS messages can be intercepted in many ways (problem in SS7)
  3. ASN.1 design flaw

Should you be interested in items 2 and 3, please refer to the article below:

SS7 flaw make two factor authentication insecure – Reveal the veil

 

 

Are you aware of the need to improve the security of Internet-enabled devices?

Because an IoT device has only limited free space and memory, it is hard to install a defense solution on it. Out of concern for intellectual property rights, vendors do not want to disclose the firmware of their products, so third-party developers lack the knowledge to build value-added defense solutions. An IoT device looks like an ant in the cyber world; from a certain point of view, it is nothing. However, a careless mistake, especially not changing the default admin password, could make the IoT device join a criminal cyber army. Perhaps some IoT devices come with no instructions telling the end user how to modify the password. As time goes by, they become a potential dark force.

The following are important steps you should consider to make your Internet of Things secure.

1. Choose the appropriate product – consider IoT products that allow the default password to be changed.

2. Ensure you have up-to-date software installed on your IoT device.

3. Consider whether continuous connectivity to the Internet is needed.

The article below is the analytic document issued by the FBI for your perusal.

Subject: Cyber Actors Use Internet of Things Devices as Proxies for Anonymity and Pursuit of Malicious Cyber Activities

https://www.ic3.gov/media/2018/180802.aspx

Security advisories – Drupal Releases Security Update (August 02, 2018)

In a nutshell, a CMS enables anyone to build a website without any prerequisites. A CMS is more or less ready to run at any time.

The most popular CMS systems nowadays are the following:

1. WordPress – With around 18 million installations, WordPress is the most-used open source CMS worldwide.

2. Joomla – With 2.5 million installations worldwide, Joomla! is the second biggest agent in the CMS market.

3. Drupal – As of January 2017 more than 1,180,000 sites use Drupal. These include hundreds of well-known organizations including corporations, media and publishing companies, governments, non-profits, schools, and individuals.

In April 2018, a critical design flaw was found in Drupal: a remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. Drupal users are required to stay alert again! The official announcement is shown below:

https://www.drupal.org/SA-CORE-2018-005

1st Aug 2018 – Cisco Security Advisory CVE-2018-0391

Cisco Prime Collaboration Provisioning provides a scalable web-based solution to manage your company’s next-generation communication services. Cisco Prime Collaboration Provisioning manages IP communication endpoints and services in an integrated IP telephony, video, voicemail and unified messaging environment that includes Cisco Unified Communications Manager, Cisco Unified Communications Manager Express, Cisco Unity Express, Cisco Unity Connection systems and analog gateways.

But the technical issue with authentication, especially passwords, looks like it can’t be resolved yet! I am not going to move the focus to conspiracy topics such as backdoor rumours. From a technical point of view, the architecture relies on HTTPS. Referring to the attached diagram, the question is whether a similar architecture exists there and triggers the traditional service ID issue, since the traditional service ID on the web will be stored somewhere and it is hardcoded.
The official announcement is at the URL below:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180801-pcp-dos

Apache OpenWhisk security alert! Jul 2018

The world is moving toward a robotics and automation framework. Not only the factory; even software deployment is included. You may not believe this is the prelude, but it is not a coincidence, and we can’t evade this industrial revolution.

How well artificial intelligence works depends on the type of issue it encounters. A zero-day vulnerability is similar to a tumor in a human being. The infectious diseases of computers are malware and computer virus infections.

Now to the subject (Apache OpenWhisk security alert).

Function as a service (FaaS) is a category of cloud computing services that provides a platform allowing customers to develop, run, and manage application functionalities without the complexity of building and maintaining the infrastructure typically associated with developing and launching an OS and software application.

An open source project driven by IBM and Adobe, Apache OpenWhisk is a robust Functions-as-a-Service (FaaS) platform that can be deployed in the cloud or within the data center. Apache OpenWhisk now supports the PHP runtime.

A total of two vulnerabilities were confirmed in the Apache OpenWhisk product this month.

CVE-2018-11756 – https://github.com/apache/incubator-openwhisk-runtime-php/commit/6caf902f527250ee4b7b695929b628d560e0dad1

CVE-2018-11757 – https://github.com/apache/incubator-openwhisk-runtime-docker/commit/891896f25c39bc336ef6dda53f80f466ac4ca3c8

2018-07-18 – Jenkins Security Advisory

Jenkins is the leading open-source automation server. Built with Java, it provides over 1000 plugins to support automation. Is it a robot?

Basically, Jenkins is commonly used for building projects, running tests to detect bugs and other issues as soon as they are introduced, static code analysis and deployment.

For instance, combining Jenkins and Docker can bring improved speed and consistency to your automation tasks.

That is, you can configure Jenkins to build Docker images based on a Dockerfile. You can use Docker within a CI/CD pipeline, using images as a build artefact that can be promoted to different environments and finally production. Usually, a freestyle automated job can be created to accomplish a specific task in the CI pipeline; it can compile the code, run integration tests or deploy the application.

Remark:

A complete CI pipeline is made up of three major parts:

Integration: Build code and run unit tests.

Delivery: Deploy your application to a staging or production environment.

What if Jenkins is sick (has vulnerabilities) today? Any worries about that?

The official announcement states the following: https://jenkins.io/security/advisory/2018-07-18/#SECURITY-390

 

Silent security alert – RSA Archer (CVE-2018-11059 & CVE-2018-11060)

Archer Technologies provided enterprise governance, risk, and compliance management software. The product aims to reduce enterprise risks, manage and demonstrate compliance, automate business processes, and gain visibility into corporate risk and security controls. It also integrates with your internal systems as a form of workflow management, especially for approval processes.

A REST API relies on a stateless, client-server, cacheable communications protocol. HTTP is used by default.

The recently found vulnerabilities (CVE-2018-11059 and CVE-2018-11060) can work together to jeopardize your risk management and cyber security defense. A possible scenario may happen in this way. RSA Archer versions prior to 6.4.0.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious Archer user could potentially exploit this vulnerability to store malicious HTML or JavaScript code in a trusted application data store. The attacker then exploits CVE-2018-11060 to elevate his privileges.

The reference hyperlink is shown below:

https://exchange.xforce.ibmcloud.com/vulnerabilities/147142

CYBER SECURITY ADVISORY – Panel Builder 800, Improper input validation vulnerability (CVE-2018-10616)

Looking back, cyber attacks have hit nuclear power facilities in the past. SCADA system vendors are working hard to harden their devices and provide cyber security advisories. ABB announced a cyber security alert stating that a software engineering tool used to configure Panel 800 has a vulnerability. All versions of ABB Panel Builder 800 have an improper input validation vulnerability which may allow an attacker to insert and run arbitrary code on a computer where the affected product is used. However, the vulnerability notes indicate that the attacker could create a specially crafted file and try to trick a person using Panel Builder 800 into opening this file (see the hyperlink below – technical note)

http://search-ext.abb.com/library/Download.aspx?DocumentID=3BSE092089&Action=Launch

Perhaps the technical limitation sometimes lies in their fundamental design. See Alert B in the attached diagram. The Panel 800 is Intel CPU based with Windows CE OS. My concern is that it is not known whether Intel XScale or Marvell Feroceon cores are affected by these issues (Meltdown and Spectre). But no worries, tomorrow will be a better day!

 

antihackingonline.com