Linux (systemd) current status update – 7th Nov 2018

If you are the old folk. Perhaps you will familiar with (init)?
The trend is going to replace the old mechanism (init) with new one (systemd). From techincal point of view, people satisfy the techincal features of “systemd”. However they are concern that such design are all in one place (package). Even though text book mentioned in theory so called trusted kernel kernel. The overall infrastructure will be build by several components. The realistic told the world that no safe place in cyber world. If you would like to make yourself secure, it is better to get rid your electronic belongings. We all know it was not possible!

Background – What is “systemd”?
The parent of all other processes (directly or indirectly)

Which Linux brand now fully deployed with “systemd” instead of “init”?
Fedora, OpenSuSE, Arch, RHEL, CentOS, etc.

Vulnerability status:
Refer attached diagram and below URL for references.

https://access.redhat.com/security/cve/cve-2018-15686

https://access.redhat.com/security/cve/cve-2018-15687

https://access.redhat.com/security/cve/cve-2018-15686

Conclusion: POSIX defined set of standards for an operating system or a program. But “systemd” not a POSIX standard. The computing system life cycle is really short today. It cannot compare with our home old day appliances.

US-CERT urge that stay alert for the former Apache Struts design weakness (CVE-2016-1000031 – Apache Commons FileUpload DiskFileItem File Manipulation Remote Code Execution)

See whether does it effect cisco products?
Since this vulnerability just happened yesterday. And therefore no response from Vendor (Cisco) in the moment.

For details about this vulnerability. Please refer below URL for reference.

http://mail-archives.us.apache.org/mod_mbox/www-announce/201811.mbox/%3CCAMopvkMo8WiP%3DfqVQuZ1Fyx%3D6CGz0Epzfe0gG5XAqP1wdJCoBQ%40mail.gmail.com%3E

Status update – Cisco 7th Nov 2018 Apache Struts Commons FileUpload Library Remote Code Execution Vulnerability Affecting Cisco Products: November 2018:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-struts-commons-fileupload

A reminder to Schneider customer – official security alert!

Preface:
DLL file is in SysWOW64 folder and someone places a counterfeit dll in a folder that has higher priority compared to SysWOW64 folder, the operating system will use the counterfeit dll file, as it has the same name as the DLL requested by the application. Once in memory, it can execute the malicious code contained in the file and may compromise your computer or networks.

Vulnerability:
A DLL hijacking vulnerability exists in Schneider Electric Software Update (SESU), all versions prior to V2.2.0, which could allow an attacker to execute arbitrary code on the targeted system when placing a specific DLL file.

Remedy:
https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2018-298-01+Schneider+Electric+Software+Update+%28SESU%29V1.1.pdf&p_Doc_Ref=SEVD-2018-298-01

Additional – Modicon M221:
https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2018-270-01+Modicon+M221.pdf&p_Doc_Ref=SEVD-2018-270-01

CVE-2018-5407: new side-channel vulnerability on SMT/Hyper-Threading architectures (Fri, 2 Nov 2018)

Spectre is a vulnerability that affects modern microprocessors that perform branch prediction. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. As predicted, there are more and more branch prediction processor attacks are discovered soon!

Hey guys, if you are interested to read the details, please refer to below URL for reference.
https://seclists.org/oss-sec/2018/q4/123

In short, the design weakness let the processes running in parallel on the same physical core. The malicious process can thus measure the delay in the execution of its operations for target destination (port), and determine when the victim process is using the same destination (port). If victim process is a crypto operation. This is the way which causes possibilities recover a private key.

Proof of concept (GitHub)
https://github.com/bbbrumley/portsmash

As time goes by, we seen the cyber security coverage not limit to desktop, notebook and server. Even though WiFi chip set will be involved zero day vulnerability management cycle. Texas Instrument Microcontrollers expose that CC2640 and CC2650 has vulnerable to cyber attack. If the incoming data is over a certain length and continuous execution. As a result, it will copy the overly large packet to the buffer and cause a variable and heap overflow.This memory corruption can lead to code execution on the main CPU of the device, which could have the potential to affect other devices across a network if the origin is a networked device.
This vulnerability was patched in BLE-Stack v2.2.2 released by Texas Instruments on March 28, 2018. Affected devices will require a firmware update to obtain the updated BLE-Stack. However Cisco and other hardware manufacture just announce the remedy solution this week. Sound strange! Regarding to the announcement by Cisco, the Aironet Access Points and Meraki AP are the victim of this vulnerability. Should you have interest to find out the technical details, please refer below URL for reference.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181101-ap

Background:
Libssh is a library written in C implementing the SSH protocol. It can be used to implement client and server applications.
Vulnerability found on 17th Oct 2018:

The technical details are as follows, please refer to the URL:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181019-libssh

In addition, another important vulnerability announced this week is for your consideration.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-prime-upload

Reference: Libssh Server-Side State Machine Unauthorized Access Vulnerability – 17thOct2018

Libssh Server-Side State Machine Unauthorized Access Vulnerability – 17thOct2018

Just read articles recommend of my friend. It reminded me that Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software encounter Denial of Service Vulnerability.This vulnerability recorded CVE-2018-15454. A design weakness resides in the Session Initiation Protocol (SIP) inspection engine of ASA and FTD software.

The interim remedy solution shown as below:
hostname(config)# policy-map global_policy
hostname(config-pmap)# class-map inspection_default
hostname(config-pmap)# no inspect sip
hostname(config-pmap)# exit
hostname(config)# policy-map sip_policy
hostname(config-pmap)# class-map inspection_default
hostname(config-pmap)# inspect sip
hostname(config-pmap)# exit
hostname(config)# service-policy sip_policy interface [interface]

Official technical details shown as below:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos

Besides there is another vulnerabilities occurs in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software simultaneously.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-dma-dos

Few years ago, when your friend ask you which is the best smartphone in the world. Seems it is easy to answer. Perhaps the zero day attack and malware wreak havoc today. So it is hard to answer those question in quick!

We are now familiar with vulnerability terms especially stack-based buffer overflow, privilege escalation and lack of Input Validation. Qualcomm  Snapdragon is a suite of system on a chip (SoC) semiconductor products for mobile devices designed and marketed by Qualcomm Technologies Inc. The Snapdragon central processing unit (CPU) uses the ARM RISC instruction set.The Snapdragon 800 series is the top tier of Qualcomm’s processor. However the design weakness found on Snapdragon have plenty.  For more details, please find below url for reference.

https://www.qualcomm.com/company/product-security/bulletins

Remark: We see many people walking on the street daily. However they are insists to look at the smartphone even though cross the road. It is hard to imagine that if their phone has flaw and not able to use for 1 day. What will be happen afterwards?

Apple Releases Multiple Security Updates on product especially IOS 12.1.
Are you going to update as soon as possible or observe for a moment then action?
Can we say, we are now alive Insane technology world and suffer with vulnerability daily!

Safari 12.0.1
https://support.apple.com/en-us/HT209196

iCloud for Windows 7.8
https://support.apple.com/en-us/HT209198

iTunes 12.9.1
https://support.apple.com/en-us/HT209197

watchOS 5.1
https://support.apple.com/en-us/HT209195

iOS 12.1
https://support.apple.com/en-us/HT209192

tvOS 12.1
https://support.apple.com/en-us/HT209194

macOS Mojave 10.14.1, Security Update 2018-001 High Sierra, Security Update 2018-005 Sierra –
https://support.apple.com/en-us/HT209193