CVE-2019-14544 Gogs Permission Checking vulnerability Aug 2019

Preface: If you are not yet ready to share your project on GitHub, you can host your own private GitHub-style service. Gogs is one of them.

Product background: The goal of Gogs is to be the easiest, fastest and most painless way of setting up a self-hosted Git service. Design documents, program code and perhaps intellectual property are all kept in that one place. Since the intention is not to go public, it is usually installed on a private cloud or on a single machine.

Vulnerability details: A design defect was found in the source file routes/api/v1/api.go: the affected software does not properly perform permission checks for routes.
Because no preventive control stands in the way, an attacker could exploit this vulnerability to perform unauthorized actions on a targeted system. If you are interested in this issue, see the top right-hand side of the diagram, which shows part of the fix; from it you can work out what the actual problem was.

Remedy – See url https://github.com/gogs/gogs/blob/master/routes/api/v1/api.go

CVE-2019-11042 PHP flaw: a way to read past the allocated buffer, which may lead to information disclosure or a crash. Aug 2019

Preface: We know the Python programming language has a large footprint in the IoT world. Have you heard of PHPoC (PHP on Chip), a programming language and an IoT hardware platform? So PHP still has room to survive there too.

Background: EXIF headers are usually present in JPEG/TIFF images generated by digital cameras. To read that metadata, a PHP application simply calls the standard exif_read_data() function.

Vulnerability details: When the PHP EXIF extension parses EXIF information from an image (e.g. via the exif_read_data() function), it is possible to supply it with crafted data that makes it read past the allocated buffer. The result is a leak of adjacent memory (information disclosure) or a crash.

Affected versions: PHP 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8. Remedy: upgrade to 7.1.31, 7.2.21 or 7.3.8 respectively.

How smart the smart city is depends on your vulnerability management (CVE-2019-14462 & CVE-2019-14463) Aug 2019

Preface: Why should we drive artificial intelligence like maniacs? We are mankind!

Modbus technical background: Modbus is a communication protocol developed by Modicon. In simple terms, it is a method for transmitting information over serial lines between electronic devices. The device requesting the information is called the Modbus master and the devices supplying the information are Modbus slaves.

Possible way (the author's reading, the affected library being libmodbus, see the remedy below) – A string is properly null-terminated if a null terminator is present at or before the last element of the array. If a string lacks the terminating null character, the program may be tricked into reading or writing data outside the bounds of the array. An out-of-bounds read typically leaks adjacent memory or causes a DoS condition; only if the attacker can also write outside the array does this become a path to arbitrary code execution.

Remedy – The official libmodbus releases have been updated to include the fixes: https://libmodbus.org/2019/stable-and-development-releases/

Australian Cyber Security Centre urges citizens to beware of password spraying attacks

Preface: Even when your company installs a full set of cyber defense mechanisms, more than 70% of their features are detective and preventive. A SIEM is perhaps the one component that can act predictively. You may doubt it, but it is so.

Details: The Australian Cyber Security Centre urges citizens to beware of password spraying attacks (see the URL below): https://www.cyber.gov.au/sites/default/files/2019-08/2019-130_-_password_spray_attacks_detection_and_mitigation_strategies.pdf
Such activity has been observed by the U.S. Department of Homeland Security for a long time. A consolidated summary of their findings is shown below:

Part A: Ports commonly targeted by password spraying.

SSH (22/TCP)
Telnet (23/TCP)
FTP (21/TCP)
NetBIOS / SMB / Samba (139/TCP & 445/TCP)
LDAP (389/TCP)
Kerberos (88/TCP)
RDP / Terminal Services (3389/TCP)
HTTP/HTTPS management services (80/TCP & 443/TCP)
MSSQL (1433/TCP)
Oracle (1521/TCP)
MySQL (3306/TCP)
VNC (5900/TCP)

Part B: Attack groups and commonly used malware

Group names: APT3, APT33, Dragonfly 2.0 (Berserk Bear), Threat Group-3390, Lazarus Group, OilRig (APT34), Leafminer, Turla

Malware types:
Chaos (malware)
Linux Rabbit(malware)
SpeakUp (Trojan backdoor)
Xbash (malware)
PoshC2 (open-source post-exploitation and C2 framework, originally written in PowerShell)
Emotet (malware)

SIEM definition – firing rule criteria (see below):
1. Failed attempts over a period of time
2. Large numbers of bad (non-existent) usernames
3. High number of account lockouts over a defined period of time
4. Sign-ins with an unknown appDisplayName, e.g. “Active Directory PowerShell” (Azure AD sign-in logs)
5. Ratio of login successes versus login failures per source IP address

Remark: If your IT infrastructure is a cloud IaaS deployment, the monitoring is most likely something you have to do yourself.

If any of the above five items triggers your SIEM rules, even at low volume, watch whether the activity persists. Sustained low-volume activity of this kind most likely means an attack group is interested in your company.
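As an added example (not from the ACSC advisory or from this page), here is how the firing criteria above can be applied to a handful of constructed OpenSSH auth.log lines. The thresholds (ten-minute window, five failures, five distinct accounts, at most two failures per account for a spray) are assumptions to tune per environment; the constructed lines place a spraying source, a single-account brute force and a legitimate user side by side so the criteria can tell them apart. Account lockouts and the Azure AD appDisplayName field do not exist in SSH logs and are not modelled.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH auth.log lines (not captured from a real host).
# 203.0.113.7 tries one guess against many accounts (spray), then logs in as frank;
# 192.0.2.5 hammers a single account (classic brute force);
# 198.51.100.9 is a user mistyping a password twice before succeeding.
SAMPLE_LOG = """\
Aug 06 09:00:01 bastion sshd[2101]: Failed password for invalid user alice from 203.0.113.7 port 51000 ssh2
Aug 06 09:00:03 bastion sshd[2102]: Failed password for bob from 203.0.113.7 port 51001 ssh2
Aug 06 09:00:05 bastion sshd[2103]: Failed password for invalid user carol from 203.0.113.7 port 51002 ssh2
Aug 06 09:00:07 bastion sshd[2104]: Failed password for dave from 203.0.113.7 port 51003 ssh2
Aug 06 09:00:09 bastion sshd[2105]: Failed password for invalid user eve from 203.0.113.7 port 51004 ssh2
Aug 06 09:00:11 bastion sshd[2106]: Failed password for frank from 203.0.113.7 port 51005 ssh2
Aug 06 09:00:13 bastion sshd[2107]: Failed password for grace from 203.0.113.7 port 51006 ssh2
Aug 06 09:00:15 bastion sshd[2108]: Failed password for heidi from 203.0.113.7 port 51007 ssh2
Aug 06 09:00:40 bastion sshd[2109]: Accepted password for frank from 203.0.113.7 port 51008 ssh2
Aug 06 09:01:00 bastion sshd[2110]: Failed password for root from 192.0.2.5 port 40000 ssh2
Aug 06 09:01:01 bastion sshd[2111]: Failed password for root from 192.0.2.5 port 40001 ssh2
Aug 06 09:01:02 bastion sshd[2112]: Failed password for root from 192.0.2.5 port 40002 ssh2
Aug 06 09:01:03 bastion sshd[2113]: Failed password for root from 192.0.2.5 port 40003 ssh2
Aug 06 09:01:04 bastion sshd[2114]: Failed password for root from 192.0.2.5 port 40004 ssh2
Aug 06 09:01:05 bastion sshd[2115]: Failed password for root from 192.0.2.5 port 40005 ssh2
Aug 06 09:05:00 bastion sshd[2116]: Failed password for erin from 198.51.100.9 port 42000 ssh2
Aug 06 09:05:04 bastion sshd[2117]: Failed password for erin from 198.51.100.9 port 42001 ssh2
Aug 06 09:05:09 bastion sshd[2118]: Accepted password for erin from 198.51.100.9 port 42002 ssh2
Aug 06 09:05:10 bastion CRON[2119]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2019):
    """Parse one syslog line; return None for lines that are not password auth events."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies it (assumption for the sample).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "user": m["user"],
            "ok": m["outcome"] == "Accepted", "bad_user": m["invalid"] is not None}


def detect(lines, window=timedelta(minutes=10), min_failures=5, min_users=5, spray_max_per_user=2):
    """Apply the firing criteria per source IP inside a sliding time window.

    spray       : many failures spread thinly over many accounts (criteria 1, 2 and 5)
    brute_force : many failures concentrated on one or a few accounts (criterion 1)
    """
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            win = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            fails = [e for e in win if not e["ok"]]
            if len(fails) < min_failures:
                continue
            per_user = defaultdict(int)
            for e in fails:
                per_user[e["user"]] += 1
            successes = sorted({e["user"] for e in win if e["ok"]})
            spray = len(per_user) >= min_users and max(per_user.values()) <= spray_max_per_user
            alerts[ip] = {
                "kind": "spray" if spray else "brute_force",
                "failures": len(fails),
                "distinct_users": len(per_user),
                "bad_usernames": sum(1 for e in fails if e["bad_user"]),
                "fail_success_ratio": len(fails) / max(len(successes), 1),
                # a success from a spraying source names the account to reset first
                "compromised": successes if spray else [],
            }
            break  # the first window that fires is enough for one alert per source
    return alerts


if __name__ == "__main__":
    for ip, alert in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, alert)
```

The per-account cap is what separates a spray from a brute force: a sprayer deliberately stays below lockout thresholds, so counting failures per account (criterion 3's usual trigger) never fires, while counting distinct accounts per source does.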

CVE-2019-1125 Status update 6th Aug 2019

Preface: On x86-64 the GS segment base separates the user-mode and kernel-mode data areas: user mode uses GS for thread-local storage, while the kernel keeps its per-CPU data behind GS and adds that base to each GS-relative address. The SWAPGS instruction exchanges the current GS base with the value held in the KERNEL_GS_BASE MSR, and it can only be executed in privileged mode.

Vulnerability details: CVE-2019-1125, also referred to as the “SWAPGS” vulnerability, was made public today. It is a new variant of Spectre v1 that was initially reported to affect Intel and AMD chips under both Windows and Linux. The SWAPGS vulnerability allows an unprivileged attacker to read privileged memory; the mitigation builds on the Spectre fixes already shipped. AMD has since confirmed that its products are not vulnerable to this attack. Red Hat said the Linux kernel needs an update to mitigate SWAPGS on Intel and AMD chips.

Microsoft official announcement: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1125

Red Hat official announcement: https://access.redhat.com/articles/4329821

Das U-Boot Self-Referential DOS Partition Table Infinite Recursion Vulnerability Aug 2019

Vulnerability details: A crafted self-referential DOS partition table will cause all Das U-Boot versions through 2019.07-rc4 to infinitely recurse, causing the stack to grow infinitely and eventually either crash or overwrite other data.

Introduction: Das U-Boot is a popular primary bootloader, widely used in embedded devices to fetch the next-stage code from different sources and run it. That next stage is most often a Linux kernel. It is commonly found in IoT devices, Kindles and ARM ChromeOS devices.

Remedy: The official fix sets a maximum recursion level on the walk through extended partition tables, on the grounds that it is not common at all to use large numbers of partitions (refer to the parameter shown in the attached diagram).
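As an added illustration (not U-Boot's own code, which is C), the following Python walks a DOS partition table the way the vulnerable routine does: the extended entry in the MBR fixes the base of the chain of extended boot records, each EBR's link to the next EBR is relative to that base, and the walk recurses into every link. A constructed MBR whose extended entry points at LBA 0 therefore sends the walk straight back into the MBR, forever. A depth limit, as in the fix, stops it; a visited-sector check, added here as an extra defence that is not part of the U-Boot patch, catches the loop on the first revisit. The sector layout, the limit of 8 and the disk images are assumptions built for the example.

```python
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # DOS extended, Win95 LBA extended, Linux extended
ENTRY = "<B3sB3sII"                   # status, CHS start, type, CHS end, LBA start, sector count


class PartitionTableError(Exception):
    pass


def make_entry(ptype, lba, size):
    """One 16-byte partition table entry; CHS fields are zero, as on LBA-only disks."""
    return struct.pack(ENTRY, 0, b"\0\0\0", ptype, b"\0\0\0", lba, size)


def make_sector(*entries):
    """A 512-byte MBR/EBR: 446 bytes of code/padding, four 16-byte entries, 0x55AA signature."""
    table = b"".join(entries).ljust(64, b"\0")
    return b"\0" * 446 + table + b"\x55\xaa"


def read_partitions(disk, max_depth=8):
    """Return (type, absolute LBA, size) for every non-extended partition on the disk."""
    found, seen = [], set()

    def walk(sector_no, relative, depth):
        if depth > max_depth:   # the bound the fix adds: no real disk chains this deep
            raise PartitionTableError(f"extended chain deeper than {max_depth} at sector {sector_no}")
        if sector_no in seen:   # extra defence: revisiting a sector is a loop, not a chain
            raise PartitionTableError(f"extended partition loop at sector {sector_no}")
        seen.add(sector_no)
        sec = disk[sector_no * SECTOR:(sector_no + 1) * SECTOR]
        if len(sec) != SECTOR or sec[510:] != b"\x55\xaa":
            raise PartitionTableError(f"no boot signature at sector {sector_no}")
        for i in range(4):
            _, _, ptype, _, lba, size = struct.unpack(ENTRY, sec[446 + 16 * i:462 + 16 * i])
            if ptype == 0:
                continue
            if ptype in EXTENDED_TYPES:
                # As in the U-Boot walk: the link is relative to the extended partition base,
                # and that base is fixed when the entry in the MBR (sector 0) is followed.
                nxt = lba + relative
                walk(nxt, nxt if sector_no == 0 else relative, depth + 1)
            else:
                found.append((ptype, sector_no + lba, size))

    walk(0, 0, 0)
    return found


def check_disk(disk, max_depth=8):
    """Partition list, or the parser's error message; the caller never hangs on bad input."""
    try:
        return read_partitions(disk, max_depth)
    except PartitionTableError as e:
        return f"error: {e}"


def make_self_referential_disk():
    """The shape of the bug report: the MBR's extended entry points at LBA 0, the MBR itself."""
    return bytearray(make_sector(make_entry(0x05, 0, 1)))


def make_chain_disk(n):
    """Constructed disk: MBR, then n EBRs with EBR k at sector 2k-1 and its logical partition at 2k."""
    disk = bytearray((2 * n + 1) * SECTOR)
    disk[0:SECTOR] = make_sector(make_entry(0x05, 1, 2 * n))
    for k in range(1, n + 1):
        entries = [make_entry(0x83, 1, 1)]              # logical partition, relative to this EBR
        if k < n:
            entries.append(make_entry(0x05, 2 * k, 2))  # next EBR: base 1 + 2k = sector 2k+1
        disk[(2 * k - 1) * SECTOR:(2 * k) * SECTOR] = make_sector(*entries)
    return disk


if __name__ == "__main__":
    print(check_disk(make_chain_disk(3)))
    print(check_disk(make_self_referential_disk()))
    print(check_disk(make_chain_disk(20)))
```

A chain of 20 EBRs is rejected only by the depth limit, and the self-referential MBR only by whichever check runs first; keeping both means a long-but-honest chain and a short loop are each reported with the right reason.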

Please note that other Das U-Boot vulnerabilities have also been found. The CVE details are shown below:
CVE-2019-14192, CVE-2019-14193, CVE-2019-14194, CVE-2019-14195, CVE-2019-14196, CVE-2019-14197, CVE-2019-14198, CVE-2019-14199, CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203 and CVE-2019-14204

The above vulnerabilities could let an attacker gain remote code execution on a U-Boot powered device when U-Boot is configured to fetch the next-stage boot resources over the network.

Official announcement on CVE-2019-13103: https://lists.denx.de/pipermail/u-boot/2019-July/375512.html

IoT devices security alert – CVE-2019-14379 Aug 2019

What is Jackson Databind used for? The data binding API converts JSON to and from POJOs (Plain Old Java Objects) using property accessors or annotations. It comes in two forms: simple data binding, which converts JSON to and from Java Maps, Lists, Strings, Numbers, Booleans and null; and full data binding, which converts JSON to and from any Java bean type.

What is Ehcache? Ehcache is an open-source, standards-based Java cache that boosts performance, offloads your database and simplifies scalability.

Vulnerability details: A vulnerability in the FasterXML jackson-databind library could allow an unauthenticated remote attacker to execute arbitrary code on the target system. The defect exists because SubTypeValidator.java in the affected software mishandles default typing when Ehcache is on the classpath: an Ehcache class usable as a deserialization gadget is not on the block list. An attacker could exploit this by submitting malicious JSON to an application that has enabled default typing, so that the library instantiates the gadget class and executes arbitrary code.

Remedy: Update to jackson-databind release 2.9.9.2. Independently of the upgrade, applications that do not enable default typing are not exposed to this class of gadget.

VMware Releases Security Updates for Multiple Products – August 3, 2019

Preface: Are GPUs vulnerable to hacker attacks?

Background: VMware Fusion and Workstation provide OpenGL 2.1 support to virtual machines for 3D-accelerated desktops. 3D acceleration is not enabled by default on ESXi but is enabled by default on Workstation and Fusion.

Vulnerability details:

CVE-2019-5521 – an out-of-bounds read in the pixel shader functionality. Exploitation requires access to a virtual machine with 3D graphics enabled; successful exploitation may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on their own VM.

CVE-2019-5684 – an out-of-bounds write in the pixel shader functionality. This vulnerability can be exploited only if the host has an affected NVIDIA graphics driver. Successful exploitation of this issue may lead to code execution on the host.

Security focus: The vendor provided no further details, but one plausible way to exploit the CVE-2019-5521 weakness is a timing attack (please refer to the photo). Apart from that, the out-of-bounds read can leak addresses that let an attacker bypass address space layout randomization (ASLR), which is the usual first step before turning the out-of-bounds write into code execution. So be alert!

Vendor announcement: please refer to the url – https://www.vmware.com/security/advisories/VMSA-2019-0012.html

Have you heard of the “Capital One” data leak? July 2019

The suspect has been arrested. She is accused of breaking into a “Capital One” computer facility and gaining access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers.

Security focus: Technical people may know of a design limitation on AWS. The instance metadata service hands out the temporary credentials of the instance's IAM role, and there is no authentication and no authorization on requests to it: anything that can make an HTTP request from the instance gets the credentials. A misconfigured firewall policy let a request from an untrusted source reach the metadata service. For more details, please refer to the attached diagram.

Headline News – A hacker gained access to 100 million Capital One credit card applications and accounts

https://edition.cnn.com/2019/07/29/business/capital-one-data-breach/index.html
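As an added example (not Capital One's or AWS's code), this is the check an application that fetches URLs on behalf of users needs before a request leaves the host: resolve the destination and refuse anything inside the link-local range that holds 169.254.169.254, in every spelling of it an attacker might try (plain-decimal IPv4, IPv4-mapped IPv6, or a DNS name that resolves there). The block list, the DEMO_TABLE names and addresses, and the resolver injection are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations a server-side fetch must never reach. The instance metadata service
# sits in the IPv4 link-local block; the rest are the usual internal ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",                        # link-local, includes 169.254.169.254
    "127.0.0.0/8", "0.0.0.0/8",              # loopback and "this host"
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "::1/128", "fe80::/10", "fc00::/7",      # IPv6 loopback, link-local, unique local
)]


def literal_address(host):
    """Address of an IP literal in dotted, IPv6 or plain-decimal form; None if host is a name."""
    try:
        return str(ipaddress.ip_address(int(host) if host.isdigit() else host))
    except ValueError:
        return None


def system_resolver(host):
    """Resolve a URL host to the set of addresses a connection could actually go to."""
    lit = literal_address(host)
    if lit:
        return {lit}
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def table_resolver(table):
    """Resolver backed by a fixed name -> addresses table (offline use); literals still work."""
    def resolve(host):
        lit = literal_address(host)
        return {lit} if lit else table[host]
    return resolve


# Constructed table for offline demonstration. rebind.example is a host whose DNS
# answer includes the metadata address, the classic DNS-based way around a hostname check.
DEMO_TABLE = {"example.com": {"93.184.216.34"},
              "rebind.example": {"93.184.216.34", "169.254.169.254"}}


def canonical(addr):
    """Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 block list applies to it."""
    ip = ipaddress.ip_address(addr)
    return ip.ipv4_mapped if ip.version == 6 and ip.ipv4_mapped else ip


def is_blocked_target(url, resolver=system_resolver):
    """Return (blocked, reason). Every address the host resolves to is checked, not only the first."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True, "only http(s) URLs with a host are allowed"
    try:
        addresses = resolver(parts.hostname)
    except (OSError, ValueError) as e:  # socket.gaierror is an OSError
        return True, f"unresolvable host {parts.hostname}: {e}"
    for addr in addresses:
        ip = canonical(addr)
        for net in BLOCKED_NETWORKS:
            if ip in net:
                return True, f"{parts.hostname} resolves to {ip} in blocked range {net}"
    return False, "ok"


if __name__ == "__main__":
    resolve = table_resolver(DEMO_TABLE)
    for u in ("http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://2852039166/latest/", "http://[::ffff:169.254.169.254]/latest/",
              "http://rebind.example/", "https://example.com/"):
        print(u, is_blocked_target(u, resolve))
```

The check is only as good as the moment it runs: an HTTP redirect or a second DNS lookup inside the HTTP client can land on a blocked address after the URL passed. In production the same test belongs in the client's connect hook, or the connection is made to the exact address that was checked, and the IAM role behind the instance should carry no more permissions than the application needs.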

CVE-2019-10142 Freescale hypervisor management driver integer overflow in ioctl – Jul 2019

Preface: The Freescale hypervisor management driver provides several services to drivers and applications related to the Freescale hypervisor.

About: Integer overflows and other integer manipulation vulnerabilities frequently result in buffer overflows. An integer overflow occurs when an arithmetic operation results in a number that is too large to be stored in the space allocated for it.

Vulnerability details: The vulnerability exists due to an integer overflow in the Freescale hypervisor manager implementation in drivers/virt/fsl_hypervisor.c. A user-supplied length passed to the driver's memcpy ioctl was not validated before being used in the page-count calculation. A local user who can open the driver's device node can pass specially crafted values to that ioctl, trigger the overflow, and crash the system or corrupt kernel memory, which may escalate to arbitrary code execution.

Remedy: Kernel.org has released a software patch at the following link – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6a024330650e24556b8a18cc654ad00cfecf6c6c

antihackingonline.com