VMware Releases Security Updates for Multiple Products – August 3, 2019

Preface: Are GPU vulnerable to hacker attacks?

Background: On virtual machines running VMware Fusion provides support for OpenGL 2.1 to support 3D accelerated desktops. It is not enabled by default on ESXi and is enabled by default on Workstation and Fusion.

Vulnerability details:

CVE-2019-5521 – may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on the host.

CVE-2019-5684 – This vulnerability can be exploited only if the host has an affected NVIDIA graphics driver. Successful exploitation of this issue may lead to code execution on the host.

Security Focus: Since no additional details provided by vendor. But believe that the possible way let hacker exploit CVE-2019-5521 design weakness is Perfect Timing Attacks (Please refer to photo). Apart from that the hacker can exploit out of bound read / write to bypass address space layout randomization (ASLR). So, be alerted!

Vendor announcement: please refer to the url – https://www.vmware.com/security/advisories/VMSA-2019-0012.html

Have you heard of the “Capital one” data leak! July 2019

Cyber criminal is under arrested. She is accused of breaking into a “Capital One” computer facility and gaining access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers.

Security Focus : Cyber criminal is under arrested. She is accused of breaking into a “Capital One” computer facility and gaining access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers. Technical guy may known that there is a design limitation occurs on AWS. The metadata service provides temporary credentials. There is no authentication and no authorization to access the service. A mis-configure firewall policy will causes untrusted source establish connection to meta service. For more details, please refer to attach diagram.

Headline News – A hacker gained access to 100 million Capital One credit card applications and accounts


CVE-2019-10142 Freescale hypervisor management driver integer overflow in ioctl – jul 2019

Preface: The Freescale hypervisor management driver provides several services to drivers and applications related to the Freescale hypervisor.

About: Integer overflows and other integer manipulation vulnerabilities frequently result in buffer overflows. An integer overflow occurs when an arithmetic operation results in a number that is too large to be stored in the space allocated for it.

Vulnerability details: The vulnerability exists due to integer overflow within the freescale hypervisor manager implementation in drivers/virt/fsl_hypervisor.c. A local guest user can send specially crafted data to the affected IOCTL , trigger integer overflow and execute arbitrary code on the target system.

Remedy: Kernel.org has released a software patch at the following link – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6a024330650e24556b8a18cc654ad00cfecf6c6c

Urgent 11-Tremendous design limitation jeopardizes RTOS industry

Prefect: Headlines new – Critical VxWorks flaws expose millions of devices to hacking.

What is VxWorks? The VxWorks RTOS comprises the core capabilities of the wind microkernel(not monolithic) along with advanced networking support, powerful file system and I/O management, and C++ and other standard run-time support.

Vulnerability details: The vulnerabilities found on Wind River VxWorks so called Urgent11, it include 6 remote code defects and 5 less serious flaws. The design limitation of TCP/IP (IPnet) network stack let hackers to bypass traditional border and device security, remotely exploit and take over Key equipment, including SCADA equipment, industrial controllers, patient monitors, MRI machines, firewalls, VOIP phones and printers, etc.

Vendor response – Please refer to url: https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/


The stack is the temporary memory where variables are stored while a function is executing. The memory will be cleaned up automatically when job done.

The heap is memory that the programmer can use for the application in non automatic way. Programmer might build a mechanism to free up memory after use.

Mitsubishi electric fr configurator2 – When input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Jul 2019

Preface: Internet of Vehicles (IoV) growth rapidly, meanwhile they are also the potential target of the cyber attacker.

About Mitsubishi Electric FR Configurator2: From inverter startup to maintenance, FR Configurator2 allows the user to specify settings easily at the computer.

Vulnerability details:

CVE-2019-10976 – This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files.

CVE-2019-10972 – This vulnerability can be triggered when an attacker provides the target with a rogue project file (.frc2). Once a user opens the rogue project, CPU exhaustion occurs, which causes the software to quit responding until the application is restarted.

Our comment – The impact of these vulnerabilities depends on the source of the infection. If malicious project file (.frc2) send with large scale of scam email. Because of the software design weakness (XML parser is not sanitized while parsing the XML project). Refer to attached infographic, perhaps it will provide a way to attacker exploit malware to infect the car CPU. Because the interconnect in between Car CPU and inverter is USB. So we must stay alert of these vulnerabilities.

CVE-2019-4415 IBM Cloud Private privilege escalation Jul 2019

Preface: Refer to market statistic on 2018, the growth in cloud revenues appear to be the strongest for Microsoft and weakest for IBM.

Vulnerability details: In IBM Cloud Private on OpenShift icp-scc SecurityContextContraints is erroneously assigned to all pods in all namespaces

Remedy: For IBM Cloud Private 3.1.1 or 3.1.2:

To resolve the issue, run the following kubectl commands on the master node:

  1. kubectl patch scc icp-scc –type=’json’ -p='[{“op”: “remove”, “path”: “/groups”}]’
  2. kubectl patch scc icp-scc –type=’json’ -p='[{“op”: “add”, “path”: “/users”, “value”: [“system:serviceaccount:kube-system:default”,”system:serviceaccount:istio-system:default”, “system:serviceaccount:icp-system:default”,”system:serviceaccount:cert-manager:default”] }]’


The privileged SCC allows:

  • Users to run privileged pods
  • Pods to mount host directories as volumes
  • Pods to run as any user
  • Pods to run with any MCS label
  • Pods to use the host’s IPC namespace
  • Pods to use the host’s PID namespace
  • Pods to use any FSGroup
  • Pods to use any supplemental group
  • Pods to use any seccomp profiles
  • Pods to request any capabilities

The restricted SCC:

  • Ensures that pods cannot run as privileged.
  • Ensures that pods cannot mount host directory volumes.
  • Requires that a pod run as a user in a pre-allocated range of UIDs.
  • Requires that a pod run with a pre-allocated MCS label.
  • Allows pods to use any FSGroup.
  • Allows pods to use any supplemental group.

Supplement: CVE-2019-4439 – IBM Cloud Private 3.1.0, 3.1.1, and 3.1.2 does not invalidate session after logout which could allow a local user to impersonate another user on the system.

Remedy – For IBM Cloud Private 3.1.2, apply patch: https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.1.2-build520356-23797&includeSupersedes=0

CVE-2019-1579 VPN solution impacts Uber, other enterprises may be at risk Jul 2019

Preface: The IoT will make the Taxi Industry change.The business concept of Uber is the industrial leader. Perhaps their concept and ideas are advanced and therefore cyber security are their major concerns.

Vulnerability details: Palo Alto Networks PAN-SA-2019-0020 (CVE-2019-1579): Remote Code Execution vulnerability in GlobalProtect Portal/Gateway Interface, especially on SSL Web VPN Applications. Vendor do a preventive action, a survey will be conducted all Palo Alto SSL VPN over the world. See whether is any large corporations using the vulnerable GlobalProtect, and Uber is one of them!
From our survey, Uber owns about 22 servers running the GlobalProtect around the world. For instance – vpn.awscorp.uberinternal.com.

Remark: Uber announce that the vulnerable SSL VPN solution was not the primary VPN in use by the majority of staff members. Their VPN gateway was hosted in AWS rather than embedded within core infrastructure and so the potential impacted will be in low risk.

Our comment: The vendor did not provide the vulnerability details. But do you think that attached infographic details may trigger similar attacks?

Remedy: Available Updates – PAN-OS 7.1.19 and later, PAN-OS 8.0.12 and later, and PAN-OS 8.1.3 and later releases.

CVE-2019-13132 Zeromq libzmq Stack Buffer Overflow Arbitrary Code Execution Vulnerability Jul 2019

Preface: Message queues are unnecessary and cause a lot of overhead (setup such system cab be a lot of work).

Product background: Zeromq libzmq
A simple synchronous system will just receive a request from the client, perform an operation (anything from retrieving some data from the server to uploading an image) and return a response.

Vulnerability details: A vulnerability in ZeroMQ libzmq could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The problem was that a stack overflow and
overwrite the stack with arbitrary data, due to a buffer overflow in
the library. All versions from 4.0.0 and upwards are affected.

Reference: The stack is the temporary memory where variables are stored while a function is executing. The memory will be cleaned up automatically when job done.

Remedy: ZeroMQ has released a software update. For more information, see url: https://github.com/zeromq/libzmq/releases

Even though you deployed SSL, stay alert in Python Iot world (CVE-2018-18074)

Preface: The invention of the IoT sensor looks like a contingent driving a smart city. At the same time, the python programming language gives life to the Internet of Things.

Security Focus: Even though IoT devices and their back-end facilities deploy SSL certification. It cannot prevent data leakage because of programming language flaw.

Vulnerability details: The vulnerability exists because the affected software does not remove the HTTP Authorization header when performing HTTPS to HTTP redirects with the same hostname, which may allow user credentials to be transmitted in clear text. A successful exploit could allow the attacker to access sensitive information, such as user credentials and web server information. For more details, please refer to attached diagram.

Remedy: Python has released a software update, please refer to the url: https://github.com/psf/requests/releases

CVE-2019-13611 python-engineio Origin Header Cross-Site WebSocket Hijacking Vulnerability – Jul 2019

Preface: Smart apps like your friend whenever you need one. Download the app and get a ride from a friendly driver within minutes.

Product background: Engine.IO is a lightweight transport protocol that enables real-time bidirectional event-based communication between web browsers and a server. Python-engineio server can form a Eventlet asynchronous server and includes a small Flask application that serves the HTML/Javascript to the client. Flask is a Python framework for creating web applications. It accelerates development of simple web applications by providing the required functionality. There are many companies in the world that use Flask for mobile application development.

Vulnerability details: A vulnerability in python-engineio could allow an unauthenticated, remote attacker to conduct a cross-site websocket hijacking (CSWSH) attack on a targeted system.

Design flaw: Cross-Origin Resource Sharing (CORS) headers are only works in XHR requests, and ignored by clients during a websocket connection.

Current status: The vendor has confirmed the vulnerability; but remedy not available yet!