UK-based Metro Bank has suffered an SS7 attack – Jan 2019

Preface: “Old wine in new bottles”! The cyber security world sees this kind of thing all the time!

About SS7 design weakness:

Business impact: A U.K. bank says no customers lost money after cyber attackers attempted account takeovers by rerouting one-time passcodes, Motherboard reports. The National Cyber Security Centre (NCSC) has also confirmed this.
Such attacks involve tampering with Signaling System #7, the protocol used to route mobile phone calls worldwide.

Security advice: A one-time passcode may be sent over SMS, but the safer way is to use an authenticator app,
such as Authy, Cisco’s Duo or Google Authenticator, to generate the code.

Reference: https://motherboard.vice.com/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank

Docker (runc) – Malicious container escape – CVE-2019-5736 (11th Feb 2019)

Preface: runc is a CLI tool for spawning and running containers according to the OCI specification.

Vulnerability: A vulnerability was found in runc that affects several open-source container management systems that leverage runc.

Impact: The vulnerability allows a malicious container to overwrite the host runc binary and thus gain root-level
code execution on the host. However, exploiting this vulnerability requires user interaction.

Remedy: See the official announcements:
Red Hat – https://access.redhat.com/security/vulnerabilities/runcescape
AWS – https://aws.amazon.com/security/security-bulletins/AWS-2019-002/

Understanding the newly implemented China Cyber Law – 2019

Security aim:
The new regulations under China’s Cybersecurity Law of November 2018 grant China's cyber security agencies the legal authority to conduct remote testing of any Internet-related business operating in China.
This authority extends to copying and sharing any data that government officials find on the system being inspected.

The Ministry of Public Security (MPS) is able to exercise the following powers:

  1. Conduct on-site or remote inspection of network security defenses taken by companies operating in China.
  2. Check for prohibited content in China.
  3. Record the safety response plan during the on-site inspection.
  4. Copy any user information found on the system being inspected during a live or remote inspection.
  5. Perform a penetration test to check for vulnerabilities.
  6. Perform a remote check without notifying the company.
  7. Share any collected data with other state agencies.
  8. During the on-site inspection, two members of the PAP (Chinese People’s Armed Police Force) have the right to enforce the procedure.

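Original (translated from Chinese):
Conduct on-site or remote inspections of the network security defenses adopted by companies operating in China.
Check for "prohibited content" that is banned within China.
Record the security response plan during the on-site inspection.
Copy any user information found on the inspected system during an on-site or remote inspection.
Perform penetration tests to check for vulnerabilities.
Perform remote inspections without notifying the company.
Share any collected data with other state government agencies.
During the on-site inspection, two members of the People's Armed Police (PAP) have the right to enforce the procedure.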

Cisco finally fixed Elastic Services Controller Service 3.0 Portal Authentication Bypass Vulnerability (CVE-2018-0121) – 8th Feb 2019

Preface: This came about because a new version, 4.0, was introduced in Jan 2018. Cisco urged customers to upgrade to 4.0 as the remediation. The Elastic Services Controller Service Portal Authentication Bypass Vulnerability was finally fixed in Feb 2019.

Product background: Cisco ESC provides a single point of control to manage all aspects of VNF lifecycle for generic Virtual Network Functions (VNFs) in a dynamic environment. ESC brings advanced capabilities like VM and Service monitoring, auto-recovery and dynamic scaling.

Speculation on the technical weakness in a similar design: Perhaps the problem stems from the weaknesses of REST API token-based authentication! The official announcement states that the vulnerability is due to improper security restrictions imposed by the web-based service portal of the affected software.

Official announcements: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-esc

CVE-2019-6978 – GD Graphics Library gdImage*Ptr() Functions Double Free Vulnerability – Feb 2019

Preface: GD is extensively used with PHP. As of PHP 5.3, a system version of GD may be used as well, to get the additional features that were previously available only to the bundled version of GD.

Technical background: LibGD 2.2.5 allows C code to load an entire image file into a buffer in memory and then ask gd to read the image from that buffer. The programmer is responsible for allocating the buffer, and the program's own code is also responsible for freeing it with its normal memory management functions.

Vulnerability found: A vulnerability in GD Graphics Library (libgd) could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

Doubt: A similar vulnerability was found in 2017 (double-free in gdImagePngPtr(), CVE-2017-6362).
The LibGD 2.2.5 release announcement stated that the double-free in gdImagePngPtr() (CVE-2017-6362) had been fixed!

Vendor announcements: https://github.com/libgd/libgd/issues/492

Apple Releases Multiple Security Updates – 7th Feb 2019

Preface: Apple found a memory vulnerability, and no additional information will be provided by the vendor.
Does it relate to DUI (Dereference Under the Influence)?

What is DUI?
Attackers use the DUI vulnerability as a memory access service to mount attacks. Their aim is to influence the memory operations of isolated components through inputs to their public interface.

Apple Releases Multiple Security Updates:
Original release date: February 07, 2019

About the security content of iOS 12.1.4 – https://support.apple.com/en-us/HT209520

About the security content of macOS Mojave 10.14.3 Supplemental Update – https://support.apple.com/en-us/HT209521

The PAN-OS management web interface Vulnerability (CVE-2019-1566) – Jan 2019

Preface: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.

Background: A WAF is deployed to protect a specific web application or set of web applications. Generally, common attacks such as cross-site scripting (XSS) and SQL injection are covered by WAF protection. But in reality, XSS is hard to avoid.

New vulnerability found: Palo Alto Networks PAN-OS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

The following PAN-OS versions are affected:

PAN-OS 7.1.21 and prior
PAN-OS 8.0.14 and prior
PAN-OS 8.1.5 and prior

Official announcement: https://securityadvisories.paloaltonetworks.com/Home/Detail/140

Marvell Avastar wireless SoCs have multiple vulnerabilities – 5th Feb 2019

Preface: The Marvell 88W8897A SoC (System on a Chip) is the industry’s first 802.11ac chip to combine Bluetooth 4.2, mobile MIMO (Multi-input Multi-output) and transmit beamforming, with built-in support for all screen projection technologies.

Technology Background:
Computer design focuses primarily on memory usage, and SoC (System on a Chip) design is no exception.

Vulnerability found: During Wi-Fi network scans, an overflow condition can be triggered, overwriting certain block pool data structures.

Exploitation of vulnerability: An attacker can exploit the ThreadX block pool overflow vulnerability to intercept network traffic or achieve code execution on the host system.

Remedy: Marvell encourages customers to contact their Marvell representative for additional support.

Remark: This vulnerability made headline news in mid-January 2019. However, we could not find any positive response announced by the vendor.

Avahi avahi-daemon vulnerability (CVE-2017-6519) remedy has finally been released!

Preface: Avahi is a free zero-configuration networking (zeroconf) implementation, including a system for multicast DNS/DNS-SD service discovery.

Technical background:
Multicast DNS (mDNS) is a protocol that uses packets similar to unicast DNS except sent over a multicast link to resolve hostnames.

Vulnerability found in Avahi:
The vulnerability exists because the affected software misses link-local checks, causing the multicast DNS (mDNS) protocol to respond to IPv6 unicast queries with source addresses that are not on-link.
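
The missing check described above, as an added example that is not Avahi's code: a responder-side test that accepts a unicast query only when its source address shares an on-link prefix with an address configured on the receiving interface. The struct, the function names and the sample addresses are assumptions constructed for illustration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* One address configured on the receiving interface (hypothetical model
 * type, not an Avahi structure). */
struct if_addr {
    int family;          /* AF_INET or AF_INET6 */
    const char *addr;    /* address in text form */
    unsigned prefix_len; /* length of the on-link prefix in bits */
};

/* Constructed sample interface using documentation and private ranges. */
static const struct if_addr SAMPLE_IF[] = {
    { AF_INET6, "fe80::1", 64 },
    { AF_INET6, "2001:db8:1::10", 64 },
    { AF_INET, "192.168.1.10", 24 },
};
#define SAMPLE_IF_N (sizeof SAMPLE_IF / sizeof SAMPLE_IF[0])

/* Return 1 if the first `bits` bits of a and b match. */
static int prefix_equal(const uint8_t *a, const uint8_t *b, unsigned bits)
{
    unsigned full = bits / 8, rem = bits % 8;
    uint8_t mask = rem ? (uint8_t)(0xFFu << (8 - rem)) : 0;
    if (memcmp(a, b, full) != 0)
        return 0;
    return rem == 0 || (a[full] & mask) == (b[full] & mask);
}

/* Return 1 only if src parses and shares an on-link prefix with one of the
 * interface addresses. Everything else fails closed, so the responder
 * drops the unicast query instead of answering it. */
int source_is_on_link(int family, const char *src,
                      const struct if_addr *addrs, size_t n)
{
    uint8_t s[16], a[16];
    unsigned max_bits = (family == AF_INET) ? 32 : 128;
    if ((family != AF_INET && family != AF_INET6) ||
        inet_pton(family, src, s) != 1)
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (addrs[i].family != family || addrs[i].prefix_len > max_bits)
            continue;
        if (inet_pton(family, addrs[i].addr, a) == 1 &&
            prefix_equal(s, a, addrs[i].prefix_len))
            return 1;
    }
    return 0;
}
```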

Impact: A remote attacker could access sensitive information on a targeted system or conduct DDoS!

Remedy finally released: 22 Dec 2018
https://github.com/lathiat/avahi/commit/e111def44a7df4624a4aa3f85fe98054bffb6b4f

Remark: Happy Lunar New Year. Kung Hei Fat Choi!

antihackingonline.com