What is the impact of CVE-2020-26892? (17-11-2020)

NATS Srv wiki – Cloud native messaging system made for developers and operators who want to spend more time doing their work and less
time worrying about how to do messaging.

End user of this product: Mastercard, Baidu, Alibaba Group, VMware, GE, Pivotal, Telia Company, netlify, htc, GE, Zephyr Project, tinder and ERICSSON

Vulnerability details: Some libraries treated tokens signed with the none algorithm as a valid token with a verified signature. The result? Anyone can create their own “signed” tokens with whatever payload they want, allowing arbitrary account access on some systems.

*In systems using HMAC signatures, verificationKey will be the server’s secret signing key
*In systems using an asymmetric algorithm, verificationKey will be the public key against which the token should be verified

Security focus: If a server is expecting a token signed with RSA, but actually receives a token signed with HMAC, it will think the public key is actually an HMAC secret key.

  1. Targeting JWT library
  2. Choose a payload for your token
  3. Then, get the public key used on the server as a verification key (text-based PEM format).
  4. Sign your token using the PEM-formatted public key as an HMAC key
    forgedToken = sign(tokenPayload, ‘HS256’, serverRSAPublicKey)

Result: Anyone with knowledge of the public key can forge tokens that will pass verification.

Reference: https://www.openwall.com/lists/oss-security/2020/11/02/2/2

Replay Protected Memory Block (RPMB) protocol vulnerability impact may more than expected – 16th Nov 2020.

Preface: With the advent of the 5G era, starting in 2019, UFS 3.0 has gradually been adopted by flagship smartphones.
UFS 3.1 is an optimized version of 3.0.

Background: The RPMB layer aims to provide in-kernel API for Trusted Execution Environment (TEE) devices that are capable to securely compute block frame signature. In case a TEE device wish to store a replay protected data, it creates an RPMB frame with requested data and computes HMAC of the frame, then it requests the storage device via RPMB layer to store the data.

A storage device registers its RPMB (eMMC) partition or RPMB
W-LUN (UFS) with the RPMB layer providing an implementation for
rpmb_cmd_seq() handler. The interface enables sending sequence of RPMB standard frames.

Vulnerability details: The RPMB protocol allows an attacker to replay stale write failure messages and write commands, leading to state confusion between a trusted component and the contents of an RPMB area. Since the impact not explicitly confirm by vendor yet. See below url for reference.

Western Digital – https://www.westerndigital.com/support/productsecurity/wdc-20008-replay-attack-vulnerabilities-rpmb-protocol-applications

Netapp – https://security.netapp.com/advisory/ntap-20201113-0005/

CERT Coordination Center – https://kb.cert.org/vuls/id/231329

Security focus – Multiple vulnerability on SAP solution manager – 11th Nov 2020

Preface: CMDB is a repository that should contain only business critical items that you want to track. It should contain a record of information that allows you to answer business critical questions and helps you to connect business processes. CMDB should contain all the items that are important for your business or a service.

About SAP solution manager: SAP solution manager explicitly assists enterprise to fulfill above objectives. If you are planning to use SAP PI module then you should install Java Stack. Java Stack is currently being on Web based front ends and Stand-alone java portal. SAP NetWeaver Process Integration (SAP PI) is SAP enterprise application integration (EAI) software, a component of the NetWeaver product group used to facilitate the exchange of information among a company’s internal software and systems and those of external parties.

SAP Solution Manager – Multiple vulnerabilities due to lack of authentication check: For vulnerability details, please refer to link below. Apart from this, attached diagram can provide a quick way to understand the whole matters.


Changes related to SAP Solution Manager – Because of the SAP update a new version of SAP Solution Manager will be required starting January 1st 2020. The enhancement shown as below:

SAP solution Manager 7.2 SPS05/SPS06 – Partial connectivity to SAP, manual effort required.

Cisco product security alert (CVE-2020-26070). It may awaken other manufacturers require to focus on similar matters. (11th Nov 2020)

Preface: Our daily life is relies on Cloud computing system. Smart City, GPRS, mapping & spatial analytics technology their backend system are located on cloud. Apart of cloud system operation and architecture. The inter network empower its life.

Background: In our digital world , networks packet processing functions are dynamically injected into the network. Each packet may carry the processing code that routers apply to the network when they perform forwarding functions. Furthermore, Ingress packets are temporarily stored in the internal dispatcher packet buffer until processed. When a feature is not supported in the CEF switching path, the punt adjacency allows a packet to be switched using the next slower switching mechanism configured on the router. Once packet processing is complete and the packet has been modified.The packet is copied from the internal packet buffer to the deep output packet buffer, where it awaits scheduling for output.

Technical highlights: The ingress processing gets executed for each packet that is received on the ingress interface (MAC). The processing should decode the packet headers and determine where the packet shall be sent. When a feature is not supported in the CEF switching path, the punt adjacency allows a packet to be switched using the next slower switching mechanism configured on the router.

Current known factors: A vulnerability in the ingress packet processing function of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. For more details. please refer to url – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xr-cp-dos-ej8VB9QY

CVE-2020-27977 – Vendor not explicitly explain the vulnerability details, but most likely is fall into this scenario (9th Nov 2020)

Preface: Have you heard a terms, so called take Ownership of his Registry key?

Background: CapaSystems helps businesses achieve greater efficiency through Device Management and Monitoring by using CapaInstaller and PerformanceGuard. The purpose for the CapaInstaller Agent Health Check is to maintain a healthy and up to date agent on every computer/server.

Vulnerability details: A security flaw has been found in CapaInstaller, where a user with standard user privileges logged on to a computer with the CapaInstaller Agent installed could escalate their local user rights. For details, please refer to the link below.


How to prevent similar matters happen? The efficient way to block users from opening and editing the Registry on Windows 10 is by using the Local Group Policy editor. You can enable Prevent access to registry editing tools policy.

Shibboleth vulnerability cve-2020-27978 – 28th Oct 2020

Preface: This vulnerability disclosed one year ago. Perhaps the details of defect you require to know.

Background: Shibboleth is a web-based Single Sign-On infrastructure. It is based on SAML. Shibboleth does not carry out authentication itself. SAML (Security Assertion Mark-up Language) is an umbrella standard that covers federation, identity management and single sign-on (SSO).

Vulnerability details:

The Shibboleth Identity Provider supports a number of login flows that rely on servlets or JSP pages to operate, including External, RemoteUser, X509, and SPNEGO. These flows are vulnerable to a denial of service attack by a remote, unauthenticated attacker, via Java heap exhaustion due to the creation of objects in the Java Servlet container session.

Causes: The use of expressions like “new someclass()” in the webflows, e.g. in the ExternalAuthentication flows, is a denial of service vector for remote attackers because of memory exhaustion if the objects are stored anywhere that isn’t associated with the webflow conversations. The conversations are capped at 5 apparently, and get swapped out for new ones, but storing anything the container session would not be freed and would accumulate.

Remark: Java Heap space is used by java runtime to allocate memory to Objects and JRE classes. Whenever we create an object, it’s always created in the Heap space.

Official announcement: https://shibboleth.net/community/advisories/secadv_20191002.txt

Design limitation of iDS6 DSSPro Digital Signage System 6.2 – 6th Nov 2020

Preface: Digital signage’s content is powered by a media player or system-on-a-chip which pushes content to a display.
Users can then manage the content with a content management system.

Background: Design limitation of iDS6 DSSPro Digital Signage System 6.2 . The vulnerability cause by autoSave password function.
Since it is a pure unencrypted http traffic, it let internet Cookie disclosure user password. If I am using it.
How to reduce the risk?

Cause of details and remedy solution: The root causes of disclosure user password details shown on attachment.
If the remediation not yet release by vendor. Perhaps do a operation of this product web service should a conduct the following.

  1. Avoid to use WiFi do the management. It should use a workstation in a trusted network.
  2. Set firewall rule only allow managed IP address can be connect to the specific IP address. The point from C to B (refer to diagram). And do not use wireless connection.
  3. From point B to point A it should be a cable network instead of WiFi connection.

Additional: Set the cookie age to 4 minutes, and reset the cookie age every time your server sends a response,
then the cookie will time out after 4 minutes of inactivity.

Vendor: Guangzhou Yeroo Tech Co., Ltd.
Product web page: http://www.yerootech.com
Affected version: V6.2 B2014.12.12.1220
V5.6 B2017.07.12.1757

CVE-2020-10143 – Macrium Reflect :Vendor slogan claims that there are 12 million of devices had installed their software around the world.

Preface: Sometimes vulnerability causes by misconfiguration.

Vulnerability details: MinGW (http://www.mingw.org/) provides a complete Open Source programming tool set which is suitable for the development of native MS-Windows applications, and which do not depend on any 3rd-party C-Runtime DLLs. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment. Therefore the default prefix for program installation as well as for OPENSSLDIR should be ‘/usr/local’.
Unfortunately when similar concept implement to MS Windows environment. The /use/local will be world writable.
In additional, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own –prefix.
OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue.

By default, the OpenSSL directory is /usr/local/ssl. If you perform a config without –prefix and without –openssldir, that’s what you get by default.

Above vulnerability has been recorded on CVE database (CVE-2019-1552). One years more later software vendor (Macrium) encountered similar of design defect (CVE-2020-10143). Please refer to link – https://kb.cert.org/vuls/id/760767

Workaround: Ensure that the OPENSSLDIR path is set to a location that is only writable by the system itself.

New variant of the Zebrocy (smqft_exe & sespmw_exe). They are design to perform various functions on the compromised system, said USCERT (3rd Nov 2020)

Preface: Some expert comment that because of Go language programming file will be large than usual. It might have possibilities to evade virus scanning. So malware author like to use. Perhaps this is not the major factor.

Background: In July 2019, a security researcher found nearly 10,700 unique samples of malware written in Go programming language, also known as GoLang.
According to the analysis conducted by Imperva. As of 2019 37.97% attack use Python language develop the tool and 31.53% was used Go language. Go language really a compiler (in fact it embeds 2 compilers) and it makes totally self sufficient executable. You don’t need any supplementary library or any kind of runtime to execute it on your server.

Technical highlights: Go or Golang attempts to reclaim the memory occupied by other objects that are no longer needed which makes Go a highly garbage collected language. Because of this reclaim feature, so it is easy to let antivirus/malware detection screw up.

Official details: If you are interested in the above matters. Please refer to the link – https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b

If you are Incorporating Oracle Business Intelligence Results into External Portals or Applications, you should stay alert! Oct 2020

Preface: Integrating Oracle BI Presentation Services into Corporate Environments Using HTTP and JavaScript. Java made business operation perfect. Meanwhile, it make people headache!

Background: When called from within an Oracle BI Presentation Services screen, such as a dashboard or an HTML result view, the URL should begin with the following characters: saw.dll?Go

When called from another screen on the same Web server, the URL should begin with the following characters: /analytics/saw.dll?Go

Vulnerability details: Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Installation) – The ‘getPreviewImage’ function is used to get a preview image of a previously uploaded theme logo. By manipulating the ‘previewFilePath’ URL parameter an attacker with access to the administration interface is able to read arbitrary system files.

Official announcement: https://www.oracle.com/security-alerts/cpuoct2020.html