VMware Cloud Foundation and VMware Harbor Container Registry for PCF address remote escalation of privilege vulnerability (CVE-2019-16097) Sep 2019

Background: There are six major modules in harbor. The default components of each harbor are packaged into a docker container, so the harbor can be deployed via compose, which is divided into 8 containers and run through docker-compose ps.

Vulnerability details: A vulnerability in the POST /api/users API of Harbor may allow for a remote escalation of privilege.

The vulnerability exists due to improper access restrictions within “core/api/user.go” when processing HTTP POST requests to “/api/users” API, when Harbor is configured to use DB as authentication backend. A remote non-authenticated attacker can send a specially crafted HTTP request to the vulnerable API endpoint and create an administrative user account.

Reminder:
a. When using LDAP mode, user’s self-registration is disabled.
b. Database(db_auth) – Users are stored in the local database.
A user can register himself/herself in Harbor in this mode.

Official announcement: https://www.vmware.com/security/advisories/VMSA-2019-0015.html

Siemens – Security Advisory by Siemens ProductCERT SSA-250618: Denial-of-Service Vulnerability in SIMATIC TDC CP51M1

Preface: a motion control system includes at least three basic components — a motor, a drive, and a controller. Second, motion control systems are primarily used in discrete industries such as packaging and semiconductor manufacturing, as opposed to process industries such as chemical manufacturing and power generation.

Product background: Siemens SIMATIC TDC provides the highest degree of competence when it comes to motion control and closed-loop control technology.

Vulnerability details: A vulnerability could allow an attacker to cause a Denial-of-Service condition on the UDP communicationby sending a specially crafted UDP packet to the SIMATIC TDC CP51M1 module.

Example: UDP flood” is a type of Denial of Service (DoS) attack in which the attacker overwhelms random ports on the targeted host with IP packets containing UDP datagrams. The receiving host checks for applications associated with these datagrams and—finding none—sends back a “Destination Unreachable” packet.

Remedy: Firmware Updates for SIMATIC TDC CP51M1 OR

  • Restrict network access to affected devices
  • Restrict UDP communication to affected devices
  • Do not use UDP communication in the user program if not needed
  • Apply cell protection concept and implement defense in depth

23rd Sep 2019 – Microsoft Releases Out-of-Band Security Updates

Security focus – CVE-2019-1367: Microsoft conducted remedy for CVE-2018-8653, but a item not being fixed. Suspected that this is one of the reason let Microsoft Releases Out-of-Band Security Updates on 23th Sep 2019.

Should you have interested of this matter, please refer to attached diagram. The official announcement can be found at: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367

Apart from that out of band update also covered Microsoft Defender Denial of Service Vulnerability CVE-2019-1255. Official announcements can be found at: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1255

Sep 2019 Security advisory by Siemens productcert

Preface: Do you think that VPN solutions will reduce the level of network security risks?

Background: On 10th Sep, 2019, Siemens announce that a multiple vulnerabilities in SINEMA connect server. Our attention this time will be focused CVE-2019-13920 and CVE-2019-13922. Refer to attached diagram, the fundamental design of SINEMA and network switch can form VPN to prevent packet sniffing and tamper the network activities. The VPN tunnel between the device and the SINEMA RC Server is established only after successful authentication. However if the design weakness occurs on front end server. It looks that it doesn’t help!

About CVE-2019-13920 – One simple and effective way to prevent it is to generate a random string when the initial action is loaded and send it to the browser. The browser then sends this instruction, and the server validates it before approving the action. This way, malicious websites cannot post action even if they have access to a valid session in a browser.

About CVE-2019-13922 (residual risk) – If we can manage to get the hash of an administrative user since we can then authenticate with higher privileges by performing an attack known as pass the hash.

Should you have interested to know the details, please refer to the url – https://cert-portal.siemens.com/productcert/pdf/ssa-884497.pdf

Deploying cutting-edge technology, it is difficult to avoid vulnerability – cve-2019-16103

Preface: The SD-WAN is a specific application of software-defined networking (SDN) technology applied to WAN connections such as broadband internet, 4G, LTE, or MPLS.The technology deployment consists of QoS and network resiliance.

Product background: EdgeConnect has following features:

  • Extend the micro-segmentation of specific application traffic from the data center to the entire WAN to help maintain security compliance requirements.
  • Tunnel Bonding
  • Identifying applications on the first packet is especially important when branches are deployed behind Network Address Translation (NAT); the correct path must be selected based on the first packet to avoid session interruption.

Vulnerability details: An administrative user with access to the enable menu of the login subshell may enter a hardcoded string to obtain a bash shell on the operation system. The spsadmin and admin accounts have root privileges. The system cli and web service works under root accounts which can be used for privilege escalation.

Observation: Perhaps this vulnerability might let people ignore. But do not contempt this issue because it shown that the user privileges not define well.

Remedy: Fixed in version 8.1.6.x – 8.1.7.x


Vmware – Storm in teacup (Sep 2019)

Preface: In 1894 Damoizeau developed a panoramic stereoscopic camera with twin-lenses, twin-spools and twin -slits.

Background information: With 3D graphics configured for RDS hosts, both applications in application pools and applications running on RDS desktops can display 3D graphics.

Vulnerability details: This vulnerability can be triggered by providing a tamper-evident pixel shader to the AMD ATIDXX64.DLL driver. An attacker can perform an attack from the VMware guest user mode, causing memory corruption on the vmware-vmx.exe process on the host. Successful exploitation of this issue may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on the host.

Reminder: Exploitation of this issue require an attacker to have access to a virtual machine with 3D graphics enabled.

Official announcement – https://www.vmware.com/security/advisories/VMSA-2019-0014.html

vmware Security Focus CVE-2019-5532 and CVE-2019-5534

Introduction: Open Virtualization Format. Open Virtualization Format (OVF) is an open standard for packaging and distributing virtual appliances or, more generally, software to be run in virtual machine.

Synopsis: Open Virtualization Format provides the ability to let a virtual appliance and run it on different vendors of virtual machine. For example: Vmware.
Two of the vulnerabilities, CVE-2019-5532 and CVE-2019-5534, are rated “important” by VMware. They are all belongs to OVF technology domain.

  • CVE-2019-5534 – expose login information via the virtual machine’s vAppConfig properties.
  • CVE-2019-5532 – malicious user with access to the log files have view the credentials used to deploy the OVF.

Official announcement: Please refer to the url https://www.vmware.com/security/advisories/VMSA-2019-0013.html

Perhaps more risk will be occured on “OVF” not only the vulnerabilities alert by VMware this week. The OVA files can carry malicious code to any virtual machine OS; even mere data files of a certain complexity can effectively launch exploits.

Staying alert of your hhvm (cve-2019-11925 & cve-2019-11926)

What is HHVM? HHVM is an open-source virtual machine designed for executing programs written in Hack and PHP. The mechanism is convert PHP to bytecode. Then, bytecode translated to machine code at runtime by JIT (just-in-time) compiler.

Vulnerability details: CVE-2019-11925 and CVE2019-11926 found design weakness of the boundary check when processing JPEG APP12 block marker and M_SOFx markers form JPEG marker in the GD extension. It could allow access to out-of-bounds memory via a maliciously constructed invalid JPEG input. See attached diagram for the attack process. The supplier indicates that the defect will only lead to information leakage.

Summary: JPEG file (see specification) contains 2-bytes header (SOI) followed by series of markers, some markers can be followed by data array. Each type of marker has different header format. The bytes where the image is stored follows SOF0 marker (10-bytes length).
‘exif_process_SOFn’ assumes that the JPEG header has at least 6 length. On providing a length < 6, this leads to an out of bounds heap read.

Vendor advisory: https://www.facebook.com/security/advisories/cve-2019-11925

New generation of weapon iot+lora+Drone (2019)

Preface: Traditionally, only big country can have military weapon. Computer technology especially IoT devices not only replace human power. As we seen, IoT 4.0 is going to replace routine man power resources. Perhaps IoT technology also infiltrate in military arsenal .

Details: On Sep, 2019. Drone attacks have set alight two major oil facilities run by the state-owned company Aramco in Saudi Arabia. Refer to diagram, Drone integrate with Lora can increasing the control effective distance. If trouble maker is going to attack improtant facilties, they have more choices today. In last decade, APT cyber attack is the major channel to detroy the critical facilities. But APT attack rare to destroy the infrastructure. If enemy insists to destory the infrastructure. The setup of IoT, Lora and Drone can do it.

Can Drones be Detected by Radar? All newer radars are equipped and have the ability to locate even the smallest drones in the air. May be in future, all the critical facilities especially oil facilitiy, Power grid require to install Radar system.

Prediction: We heard APT cyber attack against critical facilities (especially power grid and oil facilities) by far. It looks that a hybrid attack (IoT+Lora+Drone) will be use in future.

cve-2019-11660 Data protector privilege escalation via omniresolve (Sep 2019)

Prefect: People prefer Veeam because the interface is easier, and Data Protector is difficult in comparison.

Product details: Data protector is a backup and disaster recovery solution for large, complex, and heterogeneous IT environments.

Vulnerability details: A potential vulnerability has been identified in Micro Focus Data Protector. The vulnerability could be exploited by a low-privileged user to execute a custom binary with higher privileges.

Our comment:
Above vulnerability might focus on Data protector server installed on Linux OS platform.
If authorized user exploit the power of SUID/GUID files on Linux, they can enable a file to have one of those bits, to shared the privileges. If a file has a SUID bit to run as root, it has the power to do everything that root can.

Reference: The omniresolve command reads the filesystem structures locating the physical disks (on Windows)
or volumes (on UNIX)on which a filesystem object resides. If the files reside on a logical volume which is a part of a volume group(diskgroup),all volumes in a volume group are displayed.

Status & remedy: versions 10.00, 10.01, 10.02, 10.03, 10.04, 10.10, 10.20, 10.30, 10.40 are affected. Require update Micro Focus Data protector to 2019.08 (A.10.50) or a higher version.

antihackingonline.com