Potential Risk of CVE

2nd Jul 2019 – VMware product updates address Linux kernel vulnerabilities in TCP Selective Acknowledgement (SACK) (CVE-2019-11477, CVE-2019-11478)

Leave a comment

Preface: ESXi is not built upon the Linux kernel, but uses an own VMware proprietary kernel (the VMkernel) and software, and it misses most of the applications and components that are commonly found in all Linux distributions.

In common Linux circumstances to avoid SACK vulnerabilities. The workaround are:

CVE-2019-11477
Workground – Disable sack:
sudo sysctl -w net.ipv4.tcp_sack=0

CVE-2019-11478
Workground – Disable sack:
sudo sysctl -w net.ipv4.tcp_sack=0

CVE-2019-11479
Filter command:
Sudo iptables -A INPUT -p tcp -m tcpmss –mss 1:500 -j DROP

Turn off tcp_mtu_probing:
Sysctl net.ipv4.tcp_mtu_probing

Perhaps this is VMWARE. So you must follow below solution by vendor.

https://www.vmware.com/security/advisories/VMSA-2019-0010.html

Potential Risk of CVE

cve-2019-7225 hmi hardcoded credentials vulnerability (jul 2019)

Leave a comment

Preface: As time goes by, As time goes by, the common software design mistake found on business computer world now extend to industrial area. The impact includes SCADA , PLC and graphical user interfaces software.

Design defect: On systems, a default administration account exists which is set to a simple default password which is hard-coded into the program or device.From cyber security point of view, it is not the best practices. Meanwhile it boots up the overall risk level.

Vulnerability details: Design limitation encountered on ABB HMI components: A hidden administrative accounts embedded. This credential will be used during the provisioning phase of the HMI interface. Apart from that the credentials allow the provisioning tool “Panel Builder 600” to flash a new interface and Tags (MODBUS coils) mapping to the HMI.

Impact: An attacker can use these credentials to login to ABB HMI to control the operations. Those credentials are used over both HTTP(S) and FTP. Furthermore it let the attacker receive the read/write authority. As a result, it provide a pathway to implant malware into the system.

Official announcement ABB PB610 – https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch

Official announcement ABB CP635 HMI – https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376&LanguageCode=en&DocumentPartId=&Action=Launch

Official announcement ABB CP651 HMI – https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402&LanguageCode=en&DocumentPartId=&Action=Launch

2019, cyber security incident news highlight, Data privacy

Orvibo smart home devices leak billions of user records – customer must staying alert – Jul 2019

Leave a comment

Preface: If victim is not negligence. Can we give an excuse to him?

Company background: Orvibo, a Chinese smart home solutions provider.

Story begin: A technical report shown to the world that Orvibo (ElasticSearch cluster) leaked more than two billion user logs containing sensitive data of customers from countries all over the world.
Does the admin using easy to guess password or………

Impact: Diminished reputation of the company only. Perhaps more, GDPR penalty, phishing scam,..etc. Most likely customer do not aware and let the attacker hunt the victim easier because criminal will counterfeit their personal information.

If you are aware your personal information has been stolen by above incident. What should You do?

Since hacker know your personal details and therefore they will using your information to conducting criminal activities on other public media. Our suggestion is that changing your password and update the virus signature or OS patching are not enough. You must observer your mail box whether scam mail activities is growth rapidly after this incident. If result shown positive, you must contact your email service provider and looking for their recommendations.

Headline News – https://www.dailymail.co.uk/sciencetech/article-7202675/Maker-smart-home-software-continues-leave-database-containing-users-passwords-OPEN-online.html

2019, cyber security incident news highlight, Ransomware

Not a fashion famous brand. Hermes ransomware, the predecessor to Ryuk. NCSC Releases Advisory on Ryuk Ransomware.

Leave a comment

Preface: The NCSC is investigating current Ryuk ransomware campaigns targeting organisations globally, including in the UK. In some cases, Emotet and Trickbot infections have also been identified on networks targeted by Ryuk.

Technical details: Ryuk was first seen in August 2018. The Ryuk ransomware is often not observed until a period of time after the initial infection – ranging from days to months.Ryuk ransomware linked to Emotet and Trickbot banking trojans.
– The objective of Emotet conduct as a dropper feature in order to delivery for other Trojans.
– Trickbot aim to browser as a attack target, the aim to do manipulation techniques to facilitate data theft.
The structure of the encrypted file is identical to the structure used in Hermes Ransomware, including the distinctive HERMES token that this malware uses to identify files that it has already encrypted.

Remark: Cyber Criminals distributing Hermes Ransomware via dangerous malspam that contains Weaponized Password protected Word documents to encrypt the system files and lock the victim’s computer.

The pre-operation of Ryuk ransomware on infected computers:

  • Volume Shadow Server & Backup Kill
  • Installed lang check:
    SYSTEM\CurrentControlSet\Control\Nls\Language\
    InstallLanguage
    0419 (Russia)
    0422 (Ukrainian)
    0423 (Belarusian)
  • Arp Blaclklist check
  • GetComputerName check
  • Process kill

Advisory report for download – https://www.ncsc.gov.uk/news/ryuk-advisory

IoT, Potential Risk of CVE

IoT world hiccups – CVE-2019-12951 Mongoose parse mqtt() Function Heap-Based Buffer Overflow Vulnerability – Now fixed – Jun 2019

Preface: Smart City look like a housekeeper. The sensor is his eye.But do you have question? He is a man or she is a woman.

Background: Mongoose is a cross-platform embedded web server and networking library with functions including different protocol (TCP, HTTP, WebSocket, Server MQTT client and broker).

What is MQTT? MQTT is a simple messaging protocol, designed for constrained devices with low-bandwidth. It works on the TCP/IP protocol suite.

Vulnerability details: An issue was discovered in Mongoose before 6.15. The parse_mqtt() function in mg_mqtt.c has a critical heap-based buffer overflow.

Impact: It could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system (see attached diagram).

Reference: Example of arbitrary code

strcpy(char *dest, const char *src) – May overflow the dest buffer
strcat(char *dest, const char *src) – May overflow the dest buffer

The vendor has released a bug fix – https://github.com/cesanta/mongoose/commit/b3e0f780c34cea88f057a62213c012aa88fe2deb

Potential Risk of CVE

Cisco security advisory – DCNM – Jul 2019

Preface: The vendor announce that they found vulnerability on their product means they are responsible. Even though it is not a good news. But believe that it is under control.

Product background: Data Center Network Manager (DCNM) is the network management platform for all NX-OS-enabled deployments .

Vulnerability details: Authentication Bypass Vulnerability occurs due to improper session management. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. As a result it bypass credential input and receive victim login connection.

Information supplement: Why should a session be maintained? When there is a series of continuous request and response from a same client to a server, the server cannot identify from which client it is getting requests. Because HTTP is a stateless protocol. When there is a need to maintain the conversational state, session tracking is needed.

Refer to attach diagram, an hints will provide an idea to you what is happen on such design weakness.

Vendor announcement: Please refer to URL https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass

Additional: Arbitrary File Upload and Remote Code Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex

Potential Risk of CVE

A design flaw – The CVE dictionary entry submitted on 2018 (cve-2018-10239), vendor official announcement of the first publication on May 13, 2019.

Preface: You can still find the default username and password on your computer today! Coincidentally, they share common characteristics. They have super user capabilities.

Synopsis: Infoblox delivers essential technology to enable customers to manage, control and optimize DNS, DHCP, IPAM .

Vulnerability Details: A privilege escalation vulnerability in the “support access” feature on Infoblox NIOS 6.8 through 8.4.1 could allow a locally authenticated administrator to temporarily gain additional privileges on an affected device and perform actions within the super user scope.

Enabling this feature allows Infoblox Support (Tier 3 access) to perform root level diagnostics on an appliance that is in severe distress. A special key is required to access the appliance at root level, and only Infoblox Support (Tier 3) can generate this key.

But do you think the following details need attention? Only superusers can access the CLI. To ensure security, access to the CLI is permitted through a direct console connection only. Note that activating the option Enable Remote Console Access in the Grid or Member Properties editor will result in a non-compliant system.

Use the following default user name and password to login.
admin
infoblox

Remark: Default password can be changed.

Remedy: Issue has been resolved in NIOS 8.4.2.

Cyber War, IoT, Potential Risk of CVE

Country to country APT attack mechanism not complex, believe that it exploit design flaw instead of backdoor – Jun 2019

1 Comment

Preface: It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, …

Synopsis: Mongoose is a cross-platform embedded web server and networking library with functions including different protocol (TCP, HTTP, WebSocket, Server MQTT client and broker). Since the footprint is small and capable to enables any Internet-connected device to function as a web server. Whereby, the temperature, weather monitoring device and Smart City sensor will make use of it. Most nuclear reactors use water as a moderator, which can also act as a coolant. So IoT temperate is the major component in this area.

Reference: When temperature senor sense the temperature exceed safety level. It will apply graphite to slows neutrons fission.
So the logarithmic reduction of neutron energy per collision.

Vulnerability details: A vulnerability in Cesanta Mongoose could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. If the newly allocated data chances to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved.

Remedy: At the time this alert was first released, the vendor has not issued a security advisory.

2019, cyber security incident news highlight

Microsoft Exchange server 2013 and new version of product are vulnerable to NTLM relay attacks (2019)

Preface: A privilege escalation is possible from the Exchange Windows permissions (EWP) security group to compromise the entire prepared Active Directory domain.

Vulnerability details: A tool capable for performing ntlm relay attacks on Exchange Web Services (EWS). It spawns an SMBListener on port 445 and an HTTP Listener on port 80, waiting for incoming connection from the victim. Once the victim connects to one of the target, an NTLM negociation occurs and is relayed to the target EWS server.

Hints: Do not contempt the vulnerability on workstation. It is one of the way which assists the hacker to do the privileges escalation. If the compromised workstation is the domain member. Hacker relies on NTLM vulnerability to do the priviliges escalation. That is, they remotely execute malicious code on any Windows machine or authenticate to any HTTP server that supports Windows Integrated Authentication (WIA). For instance, the Exchange server and ADFS (Active Directory Federation Services).

Official announcement:

Apply an update – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0686

Disable EWS push/pull subscriptions – In an Exchange Management console, execute the following commands:

  • New-ThrottlingPolicy -Name NoEWSSubscription -ThrottlingPolicyScope
  • Organization -EwsMaxSubscriptions 0
  • Restart-WebAppPool -Name MSExchangeServicesAppPool

Potential Risk of CVE

Linux world worries! CVE-2019-11477 TCP SACK PANIC – Kernel vulnerability (Jun 2019)

Preface: Router, SD-WAN,Load-balancer, Firewall and IDS and virtual machine. Their operations are based on Linux operation system.

Background: A Selective Acknowledgment (SACK) mechanism, combined with a selective repeat retransmission policy, can help to overcome these limitations. The receiving TCP sends back SACK packets to the sender informing the sender of data that has been received.

Vulnerability details: The ‘tcp_gso_segs’ and ‘tcp_gso_size’ fields are used to tell device driver about segmentation offload. Linux SKB can hold up to 17 fragments.
With each fragment holding up to 32KB on x86 (64KB on PowerPC) of data.During this tranmission of data, the SKB structure can reach its maximum limit of 17 fragments and ‘tcp_gso_segs’ parameter can be exploited by hacker and do the overflow effect. As a result an vulnerability occurs.

Remedy: Login as “root”
echo “0” > /proc/sys/net/ipv4/tcp_sack
echo “net.ipv4.tcp_sack = 0” >> /etc/sysctl.conf
sysctl -p

Reference article: https://kb.cert.org/vuls/id/905115/

Status update (26th Jun 2019) – Linux SACK Panic vulnerability CVE-2019-11477 impact F5 Network. The information shows in following url. https://support.f5.com/csp/article/K78234183

antihackingonline.com