Alert ! Cisco Releases Security Updates

Cisco IOS is a monolithic operating system running directly on the hardware while IOS XE is a combination of a linux kernel and a (monolithic) application (IOSd) that runs on top of this kernel. Attacker executing code remotely using system vulnerabilities. It is common type of attack and hard to avoid.

CVE-2018-0151 – Cisco IOS and IOS XE Software Quality of Service Remote Code Execution Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-qos

CVE-2018-0171 – Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2

CVE-2018-0150 – Cisco IOS XE Software Static Credential Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-xesc

Siemens typical control system – vulnerabilities found (CVE-2018-4844 and CVE-2018-4843)

Supervisory control and data acquisition (SCADA) is a system of software and hardware elements that allows industrial organizations to: Control industrial processes locally or at remote locations. Monitor, gather, and process real-time data. Since the server and workstation of the SCADA system capable to operate with Windows OS system. And therefore it awaken the security expert concerns. Indeed factual that SCADA system are the hacker target because SCADA system integrate to electric power facilities. The cyber security attack to power facilities are growth rapidly.  The vendor announced that vulnerabilities was found on 2 system components. For more details, please find below url for reference.

CVE-2018-4843 – https://cert-portal.siemens.com/productcert/pdf/ssa-592007.pdf

CVE-2018-4844 – https://cert-portal.siemens.com/productcert/pdf/ssa-822928.pdf

stay tuned!

Navarino Infinity web interface is affected by multiple vulnerabilities

If you are belongs to marine industry especially container shipping company, see whether you are going to do patching to your maritime bandwidth management system this week. Do not let those vulnerabilities causes shipping traffic jam. To be honest, bad guys can relies of such vulnerabilities to do a lot of bad things. For more details, please see below url for reference.

https://navarino.gr/archives/6989

Status update 2nd Aug 2018 – Hacker or criminal group will be targeting Superyacht (see hyperlink below) – https://edition.cnn.com/2018/07/03/sport/is-yacht-hacking-the-next-big-cybercrime-spt-intl/index.html

CVE-2018-5148: Mozilla Foundation Security Advisory 2018-10 Use-after-free

Hi Folks, homeland security urge computer users stay alert of web browser (FireFox) vulnerability. The design flaw could let the attacker execute a denial-of-service condition.  I review the vulnerability details. It state the following. A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference counted one. This results in a potentially exploitable crash. But I have different imagination of this flaw. In short, please refer below diagram for reference.

To be or not to be? But it is better to conduct the security update now. For more details, please refer below url for reference.

https://www.mozilla.org/en-US/security/advisories/mfsa2018-10/

F5 Networks: CVE-2018-5504,CVE-2018-5502,CVE-2018-5505&CVE-2018-5503

WebSockets are vulnerable to malicious input data attacks, therefore leading to attack. Therefore it attract the cutting edge technology vendors do the development in this place. F5 one of the famous L5 to L7 cutting edge technology vendor. Perhaps vulnerabilites happen for IT world today not a fresh news. However the webSocket itself have fundamental design limitation.  The status update of CVE checklist released last night. F5 product includes in their list.

K11718033: TMM WebSocket vulnerability CVE-2018-5504

https://support.f5.com/csp/article/K11718033

K43121447: BIG-IP Client SSL vulnerability CVE-2018-5502

https://support.f5.com/csp/article/K43121447

Final – K15500: SSL acceleration card timing vulnerability CVE-2014-4024

https://support.f5.com/csp/article/K15500

K23520761: BIG-IP ASM and BIG-IP Analytics vulnerability CVE-2018-5505

https://support.f5.com/csp/article/K23520761

K54562183: BIG-IP PEM vulnerability CVE-2018-5503

https://support.f5.com/csp/article/K54562183

 

CVE-2017-18225 – See whether does it affect Cisco jabber iPhone and Android client product?

IP telephony integration to IT infrastructure is a main trend in last decade.  Following the security best practice, the IP telephony system should be isolated and far away from data network. However there are end user function requirement which causes unified communications manager integrate with Active directory services. A useful function will be activated after active directory integration. For instance a track record will be shown individual communication history. Meanwhile it will enhance the monitor and control process (SOX 403 monitoring and control). Perhaps a pin does not have two points and therefore it is hard to avoid vulnerability happen. For example, Cisco IP telephone working with Microsoft TSAPI last decade. But most recently Android and iPhone growth rapidly. IP telephony vendor will be make use of open source unintentionally. An XMPP client is any software or application that enables you to connect to an XMPP for instant messaging with other people over the Internet. Cisco official announce that there is a vulnerability found on Jabber client from November 2017 (CVE-2017-12361). 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-jabber2

The jabber design flaw has been identified this month. The issue is that vulnerability might allow local users to gain privileges by leveraging access to this account and then waiting for root to execute one of these programs. In the meantime, we do not receive announcement release by Cisco (Jabber Security Vulnerabilities CVE-2017-18225). But we keep our eyes open, see whether does it affect Cisco jabber iPhone and Android client product?

CVE-2017-18225 vulnerability details shown as below:

https://security.gentoo.org/glsa/201803-07

 

 

 

Threat actor intend to stop your antivirus program – 2018

Just heard that there is a new attack method use by ransomware. The malware intend to stop and disable your workstation antivirus process. Since no antivirus protection, threat actor is free to do their task. Perhaps the defense vendor pay the focus on Ring 0 attack (kernel). Meanwhile new generation AV software implement behavioral detection analysis. So is there any space for threat actor?Yes, the ring 3 looks provides space to threat actor. They may find a way to evade the detection.

For instance:

  1. List all loaded DLL libraries in current process.
  2. Find entry-point address of every imported API function of each DLL library.
  3. Remove the injected hook JMP instruction by replacing it with the API’s original bytes.

Should you have interest to receive a high level understanding, please refer above diagram for reference.

Bouncy Castle BKS-V1 keystore files vulnerable to trivial hash collisions

Computer technology world vulnerability exposure can’t slow down. A design weakness on Bouncy Castle BKS-V1 keystore files found. If you are a java program developer. It is a alert signal. 

The Bouncy Castle APIs consist of the following:

  • A lightweight cryptography API for Java and C#.
  • A provider for the Java Cryptography Extension (JCE) and the Java Cryptography Architecture (JCA).
  • A provider for the Java Secure Socket Extension (JSSE).
  • A clean room implementation of the JCE 1.2.1.
  • A library for reading and writing encoded ASN.1 objects. Lightweight APIs for TLS (RFC 2246, RFC 4346) and DTLS (RFC 6347/ RFC 4347).

Generators for Version 1 and Version 3 X.509 certificates, Version 2 CRLs, and PKCS12 files. Generators for Version 2 X.509 attribute certificates.

Generators/Processors for the following:

  • S/MIME and CMS (PKCS7/RFC 3852)
  • OCSP (RFC 2560) – TSP (RFC 3161 & RFC 5544)
  • CMP and CRMF (RFC 4210 & RFC 4211).
  • OpenPGP (RFC 4880) – Extended Access Control (EAC)
  • Data Validation and Certification Server (DVCS)
  • RFC 3029 – DNS-based Authentication of Named Entities (DANE).
  • RFC 7030 Enrollment over Secure Transport (EST). A signed jar version suitable for JDK 1.4-1.7 and the Sun JCE.

The vulnerability note can be find here:

https://www.kb.cert.org/vuls/id/306792

 

Facebook’s Zuckerberg ‘sorry’ over Cambridge Analytica ‘breach’

 

Facebook scandal looks a hot discussion topic this week. However the scandal looks like the vendor misbehavior instead of data breach. Anyway let’s the expert figure out the truth. Perhaps this is not a news of cyber security expert since facebook not a secure platform so far. Scam email, email plishing relies on stolen data on facebook client endpoint do the ditry tricks. Heard that the UK parliament asks Mark Zuckerberg to testify in data misuse case. Oh!

Facebook’s Zuckerberg ‘sorry’ over Cambridge Analytica ‘breach’. For more details, please refer following url for reference.

http://www.bbc.com/news/world-us-canada-43494337

 

Citrix XenServer Multiple Security Updates – CVE-2016-2074,CVE-2018-7540&CVE-2018-7541

Citirix XenServer is a hypervisor platform that enables the creation and management of virtualized server infrastructure.Since modern defense machanism can effectively protected cyber attack. However if the threat actor re-engineering their attack method integrate with rare system bug. The overall suituation will become worst. Hypervisor locate in the middle in between VM and hardware. VM relies on this isolation to avoid ring-0 attack. But now solution released so I am not going to say anymore.

Be quick to read below url if you are the Citrix XenServer end user.

Citrix XenServer Multiple Security Updates

https://support.citrix.com/article/CTX232655

 

antihackingonline.com