cpp-ethereum vulnerabilities: do not ignore!

Preface:

Cyber attacks wreak havoc today. Perhaps system applications and operating systems can hardly avoid vulnerabilities because of short development cycles. Cryptocurrency might change the financial world. However, more and more topics are still under development.

Technology background

Ethereum is an open software platform based on blockchain technology that enables developers to build and deploy decentralized applications.

What language is Ethereum written in?

There are four official reference implementations available (see below).

Golang, C++, Python and Java

The non-official but fully working implementation languages are Rust, Ruby, JavaScript and Solidity. However, Golang has design limitations which cause some software developers to decide not to use it.

Why has the “Go” language not been chosen by software developers?

The question about generics in Go is years old, and has been discussed up and down and forth and back across the Go forums, newsgroups, and email lists. However, Go is a language with an intentionally restricted feature set; one of the features that Go leaves out is user-defined generic types and functions.

In short, it looks like the Go language lacks the flexibility of traditional programming languages. Perhaps Go (Golang) libraries work best for scientific computing. A common consensus is that Go might evolve into the perfect high-performance computing language for scientific use. Therefore, software developers prefer to make use of other programming languages.

However, the cyber world is like a dangerous zone. Operating systems, applications and hardware can hardly avoid design weaknesses (vulnerabilities). The situation is like cancer in a human body: the cancer evolved from a normal human cell.

Vulnerabilities were found in cpp-ethereum at the end of last year. A status update was released on 18th Jan 2018.

Should you have interest in this topic, please find the details below for reference.

An exploitable improper authorization vulnerability exists in the admin_nodeInfo API of cpp-ethereum’s JSON-RPC.

https://nvd.nist.gov/vuln/detail/CVE-2017-12113

An exploitable unhandled exception vulnerability exists in multiple APIs of CPP-Ethereum JSON-RPC. Specially crafted JSON requests can cause an unhandled exception resulting in denial of service.

https://nvd.nist.gov/vuln/detail/CVE-2017-12119

An exploitable improper authorization vulnerability exists in the miner_setGasPrice API of cpp-ethereum’s JSON-RPC.

https://nvd.nist.gov/vuln/detail/CVE-2017-12116

An exploitable improper authorization vulnerability exists in the miner_setEtherbase API of cpp-ethereum’s JSON-RPC.

https://nvd.nist.gov/vuln/detail/CVE-2017-12115

An exploitable improper authorization vulnerability exists in the admin_addPeer API of cpp-ethereum’s JSON-RPC.

https://nvd.nist.gov/vuln/detail/CVE-2017-12112

An exploitable improper authorization vulnerability exists in the admin_peers API of cpp-ethereum’s JSON-RPC.

https://nvd.nist.gov/vuln/detail/CVE-2017-12114

An exploitable improper authorization vulnerability exists in the miner_stop API of cpp-ethereum’s JSON-RPC.

https://nvd.nist.gov/vuln/detail/CVE-2017-12118

An exploitable improper authorization vulnerability exists in the miner_start API of cpp-ethereum’s JSON-RPC.

https://nvd.nist.gov/vuln/detail/CVE-2017-12117

An exploitable information leak/denial of service vulnerability exists in the libevm (Ethereum Virtual Machine) `create2` opcode handler of CPP-Ethereum. A specially crafted smart contract code can cause an out-of-bounds read leading to memory disclosure or denial of service.

https://nvd.nist.gov/vuln/detail/CVE-2017-14457
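The JSON-RPC CVEs above share two root causes: node-management methods (admin_*, miner_*) answered callers that had not been authorized, and malformed JSON reached code that did not handle the resulting exceptions. A common mitigation while waiting for a patched node is to put a gate in front of the RPC port that enforces a method policy and rejects malformed bodies before they reach the node. The example below is added here and is not cpp-ethereum's own code; the privileged namespace list, the size limits and the `authenticated` flag (however the gate establishes it) are assumptions to adjust per deployment.

```python
import json
from typing import Any, Tuple

# Method namespaces that manage the node itself. admin_* and miner_* are the
# namespaces named in the CVEs above; the exact set is an assumption per node.
PRIVILEGED_PREFIXES = ("admin_", "miner_")

# Size limits (assumed values) so that oversized or malformed bodies are
# rejected here instead of being parsed by the node.
MAX_BODY_BYTES = 64 * 1024
MAX_BATCH = 16


def _check_one(req: Any, authenticated: bool) -> Tuple[bool, str]:
    """Validate a single JSON-RPC request object and apply the method policy."""
    if not isinstance(req, dict):
        return False, "request is not a JSON object"
    method = req.get("method")
    if not isinstance(method, str) or not method:
        return False, "missing or non-string method"
    params = req.get("params", [])
    if not isinstance(params, (list, dict)):
        return False, "params must be an array or object"
    if method.startswith(PRIVILEGED_PREFIXES) and not authenticated:
        return False, f"{method} requires an authenticated caller"
    return True, "ok"


def filter_rpc_request(raw_body: bytes, authenticated: bool = False) -> Tuple[bool, str]:
    """Decide whether a raw HTTP body may be forwarded to the node's JSON-RPC port.

    Returns (allowed, reason). Rejects oversized bodies, bodies that are not JSON,
    top-level values that are neither an object nor a batch array, empty or
    oversized batches, malformed request objects, and privileged methods from
    callers that have not authenticated to the gate.
    """
    if len(raw_body) > MAX_BODY_BYTES:
        return False, "body too large"
    try:
        parsed = json.loads(raw_body.decode("utf-8"))
    except (ValueError, RecursionError):   # UnicodeDecodeError is a ValueError
        return False, "body is not valid JSON"
    if isinstance(parsed, list):           # JSON-RPC batch request
        if not parsed or len(parsed) > MAX_BATCH:
            return False, "empty or oversized batch"
        for item in parsed:
            ok, why = _check_one(item, authenticated)
            if not ok:
                return False, why
        return True, "ok"
    return _check_one(parsed, authenticated)


# Constructed sample traffic (body, caller authenticated?) for the demonstration.
SAMPLE_REQUESTS = [
    (b'{"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}', False),
    (b'{"jsonrpc":"2.0","id":2,"method":"admin_addPeer","params":["enode://example"]}', False),
    (b'{"jsonrpc":"2.0","id":3,"method":"miner_setEtherbase","params":["0x00"]}', True),
    (b'{"jsonrpc":"2.0","id":4,"method":["eth_call"],"params":[]}', False),
    (b'{"jsonrpc":"2.0","id":5,', False),
]


def audit_samples() -> list:
    """Run the gate over SAMPLE_REQUESTS and return the decisions in order."""
    return [filter_rpc_request(body, auth) for body, auth in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (body, auth), (ok, why) in zip(SAMPLE_REQUESTS, audit_samples()):
        print("ALLOW" if ok else "DENY ", why, "<-", body[:48].decode("utf-8", "replace"))
```

The gate is deliberately strict about types: a method that is an array or a `params` that is a string are exactly the kind of "specially crafted JSON" the unhandled-exception advisory describes, and they are rejected before the node sees them. Binding the node's RPC listener to localhost and exposing it only through such a gate keeps the admin and miner namespaces off the network entirely.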

Summary:

There were 40,135 transactions on the Ethereum blockchain on 5/17/2017. On January 25, 2018, Ethereum is a bit over $1050. Perhaps the cryptocurrency's value will lure the interest of hackers. As usual, further vulnerabilities or zero-day cyber attacks might happen later on. So make sure that you have remediation and mitigation procedures if your Ethereum back-end is developed in C++.

 

CVE-2018-0486: Staying alert with your single sign-on application, especially IdP vulnerabilities

CVE-2018-0486: a Shibboleth (SAML IdP) open source vulnerability is currently awaiting analysis. For more details, see the url below for reference:

https://nvd.nist.gov/vuln/detail/CVE-2018-0486

During my penetration test engagements in the past, I was surprised that, whether in the airline, financial or retail industries, online web application solutions are deployed with open source single sign-on resources. An incident occurred at Equifax which awakened the business world to the fact that open source applications have potential inherent risk. It will jeopardize your firm's reputation. It looks like a very popular SAML IdP open source project has a vulnerability. What is your comment? Remark: You can also find the details in the attached picture diagram.

Apple enforces Meltdown and Spectre vulnerability remediation

About Apple's security updates announcement (see the url below for reference)

https://support.apple.com/en-us/HT208463

About the security updates announcement: the objective is to remediate multiple vulnerabilities. As usual, Apple released a security update but no descriptions are available yet, perhaps because no detailed information has been provided by the vendor (Apple). However, I speculated that the remediation steps will focus on the following protection technique: the ARM Protection Unit (PU).

The advantages of this system are:

• Access control held entirely on-chip (no need for any off-chip tables)

• Provides four levels of access control, cache and write-buffer control

• Separate control over instruction and data caches.

The disadvantages are:

• Small number of regions

• Restrictions on region size and alignment.

As a result, third-party unmanaged apps, especially games, might have problems!

Lawful interception – How’s your personal privacy value today?

A cloud computing platform looks like an aircraft carrier in the data world. Meanwhile, the data stored inside the cloud are under the cloud's protection. However, different countries implement different data protection laws and data custodian policies. Perhaps developing countries were unaware of these topics last decade. However, big data has progressively upgraded its political position. It looks like it is not easy for government enforcement units to get the data in a cloud farm. At least they must apply for key escrow or a search warrant through official channels. Or you may say that sometimes asking for presidential approval can bypass all the official channels. But how do you monitor billions of mobile phones and computers? Perhaps it is not a secret: WikiLeaks became a whistleblower in 2014 (see the urls below for reference). A strange issue drew my attention this year: more antivirus vendors detected FinFisher malware this month (see the attached detail in the picture, left-hand corner). FinFisher customers include law enforcement and government agencies around the world. Do you think a new round of hostile-country surveillance programs is being engaged this year?

2014 – WikiLeaks SpyFiles 4

https://wikileaks.org/spyfiles4/index.html

2014 – Wikileaks releases FinFisher files to highlight government malware abuse (by theguardian.com)

https://www.theguardian.com/technology/2014/sep/16/wikileaks-finfisher-files-malware-surveillance

 

Smart City & IoT – 3 mandatory principles for working with Big Data

We frequently hear about smart city projects and the usage of big data. The first impression such key terms give people is that they are an advanced technique and a technology trend of the future. In fact, it is not possible to say we are keen to enjoy the benefits of smart cities and big data analytics while we just ignore the peripherals. How does a city appropriately do such a setup when starting from scratch? For example, HKSAR issued the Smart City Blueprint in the middle of last year. But it has a whole bunch of unknown answers waiting for queries (from the public or from industries). Perhaps the objective of the smart city goal is to enhance public safety and governance of the city. Career opportunities are the side products carried by this project. If the key items of the city have not been resolved yet (for instance: population, immigration policy and land use), then even though you enforce this project, it may be far away from its original design objectives.

The url below is the Smart City Blueprint for HKSAR, for your reference.

https://www.smartcity.gov.hk/blueprint/HongKongSmartCityBlueprint_e-flipbook_EN/mobile/index.html#p=30

Staying alert with CSRF and XSS vulnerabilities

Perhaps a lot of vulnerabilities will sometimes be ignored. Why? For instance, cross-site scripting can occur on the client or server side. If there is a cross-site scripting (XSS) vulnerability in the web application, it is not possible to prevent CSRF (cross-site request forgery), since the cross-site scripting will allow the attacker to grab the token and include the token with a forged request. However, cross-site scripting (XSS) and CSRF are only medium-risk-rated vulnerabilities in app scan definitions. As a result, they couldn't draw the software developers' attention. OnePlus confirms a credit card breach impacted up to 40,000 customers. A security expert found that OnePlus was using the Magento eCommerce platform. XSS and CSRF vulnerabilities were found in Magento last year, in May 2017. The patch was released in Sep 2017. Do you think XSS and CSRF are the culprit of this credit card data breach incident? For more details about the OnePlus credit card data breach incident status update, please refer to the url below for reference.

OnePlus Confirms Credit Card Breach Impacted Up to 40,000 Customers

Remark: Magento is an open source platform that provides merchants with control over their online stores and a shopping cart system, as well as tools to improve the visibility and management of the shop.
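The dependency described above, where a CSRF token only protects a page that cannot be scripted by an attacker, is easiest to see in code. The example below is added here and is not from the post, from Magento or from OnePlus: it shows a comment renderer that interpolates raw input next to one that output-encodes it, plus a CSRF check that compares the session token in constant time. The sample comment, the form field names and the handler's status codes are constructed for the demonstration.

```python
import hmac
import html
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample input: a comment submitted through a web form. The markup
# inside it stands in for whatever an attacker puts in a user-controlled field.
UNTRUSTED_COMMENT = '<script>alert(1)</script>Nice post!'


def render_comment_vulnerable(comment: str) -> str:
    """Interpolates raw input into HTML, so any tag in `comment` becomes live markup."""
    return f'<li class="comment">{comment}</li>'


def render_comment_safe(comment: str) -> str:
    """Encodes the HTML-significant characters (quotes included) so the browser
    renders the input as text rather than as markup."""
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


def contains_live_markup(rendered: str) -> bool:
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in rendered.lower()


def issue_csrf_token() -> str:
    """Unguessable per-session token: stored server-side and embedded in each form."""
    return secrets.token_urlsafe(32)


def verify_csrf(session_token: Optional[str], submitted_token: Optional[str]) -> bool:
    """Reject missing tokens outright, then compare in constant time."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def handle_comment_post(session_token: Optional[str], form: Dict[str, str]) -> Tuple[int, str]:
    """Minimal POST handler: CSRF check first, then output-encoded rendering."""
    if not verify_csrf(session_token, form.get("csrf_token")):
        return 403, "CSRF token mismatch"
    return 200, render_comment_safe(form.get("comment", ""))


if __name__ == "__main__":
    token = issue_csrf_token()
    print(render_comment_vulnerable(UNTRUSTED_COMMENT))   # script tag survives
    print(render_comment_safe(UNTRUSTED_COMMENT))         # script tag is neutralized
    print(handle_comment_post(token, {"csrf_token": token, "comment": UNTRUSTED_COMMENT}))
    print(handle_comment_post(token, {"csrf_token": "forged", "comment": UNTRUSTED_COMMENT}))
```

The CSRF check is sound on its own, but it assumes the only way to learn the token is to be the legitimate session. The vulnerable renderer breaks that assumption: script injected into the page runs with the victim's session and can read the token out of the form, which is the point the post makes. Fixing the XSS (the encoded renderer) is therefore part of the CSRF defence, not a separate finding to deprioritise because of a medium rating.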

CPU vulnerability remediation status update – especially Spectre

Intel has a quartet of lawsuits vying for the attention of its lawyers. I heard that AMD might have lawsuits too. However, the so-called remediation CPU patch installation looks to have amazed Windows OS users. I am using Windows 7 instead of Windows 10. Perhaps I just did the Windows update this morning. Behind the scenes, the CPU vulnerability is still valid on my PC. The cache-misses compared to missed-branches data collected by Spectre is possible on my PC (see the attached screenshot for reference). As far as I know, the Spectre vulnerability is not easy to mitigate. Are you aware of your IT appliances (WAN accelerator, IDS, firewall, malware detector and SIEM system)? Those devices did not install an updated CPU unit. It looks like there will be more difficulties in mitigating the CPU design flaw. Friendly speaking, do you want to know how hackers exploit this flaw for their benefit? Time will tell.

For more details, see “AMD Gets Hit With Two Class Action Lawsuits For Spectre Vulnerabilities, Intel Hit With Four For Meltdown & Spectre” at the url below.

https://wccftech.com/amd-class-action-law-suits-for-spectre-vulnerabilities-intel-four-meltdown/

 

The Hunt for Red October – Nautilus and Neuron by the Turla Group

The ncsc.gov.uk advisory urges UK citizens and business enterprise staff to stay alert for Turla group malware. A similar alert was announced 2 months ago. Per the alert subject provided by NCSC, the malware has changed its shape already. But the attack target remains unchanged: the malware targets Microsoft products, especially Exchange mail servers and IIS web servers. Perhaps this incident has the hallmarks of an APT attack. As said, I can't predict who the perpetrator is. Let me echo the observation which I posted 2 months ago. The most famous tool (rootkit), “snake”, was designed by this group. Since “snake” has been in use for a few years, new tools (Nautilus and Neuron) have been deployed to take over the position of “snake”. Meanwhile, the targets will be both clients (endpoints) and servers. Reading technical articles is a burden to IT guys since cyber attacks are so frequent. The quick and dirty way to provide the shortest path to IT guys is the key. What to do, right? Yes, the free-of-charge scan tool provided by Microsoft will help you in this regard (refer to the url below for reference).

https://www.microsoft.com/en-us/wdsi/products/scanner

Should you have interest in this incident, please find the details at the url below:

https://www.ncsc.gov.uk/alerts/turla-group-malware

Will China block access to all personal VPN services by Feb 2018?

IT guys are busy all the time, even at home, and therefore sometimes they might forget something. There are 2 big things happening at the end of this month. Heads up that PCI-DSS version 3.1 will be obsolete at the end of the month (31st Jan 2018). Version 3.2 will be effective on 1st Feb 2018. For more details, please refer to the url below for reference.

PCI DSS 3.2 – Important January 31, 2018 Deadline & Clarifications

https://www.chosenpayments.com/pci-dss-3-2-important-january-31-2018-deadline-clarifications/

On the other hand, an official announcement in 2017 said that China moves to block internet VPNs from 2018. Will China block access to all personal VPN services by Feb 2018? For more details, please refer to the url below for reference.

Article Claims China Will Block VPNs This Week, Causing Confusion

https://www.goldenfrog.com/blog/article-claims-china-block-vpns-causing-confusion

 

The “retpoline” x86 mitigation technique for variant #2

We heard that vendors recommend installing the patch on your servers, workstations and notebooks within this month. In regard to the Meltdown and Spectre technical white papers, we know the design weakness is divided into 3 parts. Variant 2, the branch target injection flaw, might be the easy one to resolve compared with the remaining 2 vulnerabilities, namely bounds check bypass and rogue data cache load (the memory access permission check is performed after the kernel memory read). Retpoline is a mitigation strategy which controls indirect branches using returns, to avoid using predictions which come from the BTB (Branch Target Buffer). But the Spectre vulnerability also contains the bounds check bypass vulnerability. In reality, security researchers comment that the vulnerabilities are difficult to exploit in practice. Perhaps a big team might spend resources to re-engineer this flaw in future and transform it into an APT attack tool. Hackers are silent at this moment; at least no one has exploited those vulnerabilities. However, the US Democratic side looks to have an interest in this incident.

U.S. lawmaker asks Intel, others for briefing on chip flaws (see url below):

https://www.cnbc.com/2018/01/16/rep-jerry-mcnerney-probes-intel-arm-and-amd-on-spectre-and-meltdown.html

antihackingonline.com