Do you know the design weaknesses of Eclipse Cyclone DDS? 23-08-2021

Preface: DDS is used in the following industries.

DDS is used to share Flight data within and across Air Traffic control centers.
DDS is used in Smart Factories to provide horizontal and vertical data integration across the traditional SCADA layers.
DDS is used to control the 100,000 mirrors that make up the ELT’s optics.

Technical background: DDS applications cooperate by autonomously and asynchronously reading and writing data on a Data Space that provides spatial and temporal decoupling. Eclipse Cyclone DDS is an implementation of the OMG Data Distribution Service (DDS) specification. Eclipse Cyclone DDS offers unique data-sharing capabilities compared to the already existing Eclipse solutions (i.e. for messaging). You can use the code from repositories to experiment, test, build, create patches, issue pull requests, etc.

Example: cyclonedds-python – Project repository hosted on GitHub.

https://github.com/eclipse-cyclonedds/cyclonedds-python

Vulnerability details:

CVE-2020-18735 – A heap buffer overflow in src/dds_stream.c of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server to crash. – https://github.com/eclipse-cyclonedds/cyclonedds/issues/501

CVE-2020-18734 – A stack buffer overflow in ddsi/q_bitset.h of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server to crash. – https://github.com/eclipse-cyclonedds/cyclonedds/issues/476

CISA cyber Security Alert – About the May 2021 MS patch (21st Aug, 2021)

Preface: With Exchange Server vNext, Microsoft is phasing out the on-premise delivery model, making Exchange Server 2019 the last on-premise product version.

Point of view: Perhaps quite a lot of people will be surprised by this notification, since more and more organizations have migrated their mail servers to Office 365, and the patch issued in May 2021 has already been applied. But patch management in small to medium-sized firms is not easy to manage. It is quite common for a single I.T. technical support person to support everything. It is unbelievable, but it is factual. You can see a lot of large mailboxes not being managed. Furthermore, patches may not be applied immediately; they wait for a scheduled maintenance window. As a result, an attacker may land on the email server before patch management is done. Apart from the lack of a SIEM facility, relying only on a single firewall makes it hard to defend against attacks on such a vulnerability. Or you may ask whether the local OS antivirus can do the detection. The answer is that if the antivirus does not include a content security filter function, the attack may have a chance to evade it. I believe that CISA, through their malware sinkhole infrastructure, will see the details. And this is the objective of this alert.

Ref: Apart from the design weakness (vulnerability), the modern architecture is virtual machine infrastructure. It is not rare that the Exchange server front-end and back-end are located in the same hardware box, because we are living in a virtual machine world. So if such a vulnerability occurs in an on-premises infrastructure, the risk increases rapidly.

Vulnerability details: Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities:
CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. Details can be found in the following link (CISA official announcement) – https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell

There’s no best of both sides – CVE-2021-25218: BIND 9.16.19 and 9.17.16 triggered denial of service when applied too-strict assertion check. (19th Aug, 2021)

Preface: BIND is the most popular Domain Name System (DNS) server in use today. It was developed in the 1980s at the University of California, Berkeley, and is currently at version 9.

Technical Background: For IPv4 packets, Path MTU Discovery works by setting the Don’t Fragment (DF) flag bit in the IP headers of outgoing packets. Some operating systems allow packets received via other protocols to affect PMTUD values for DNS over UDP.

Set the “Don’t fragment” flag in the IP header:
It is often useful to avoid fragmentation, since apart from the CPU utilization spent on fragmentation and reassembly, it may affect throughput (if lost fragments need retransmission). For this reason it is often desirable to know the maximum transmission unit of the path, and Path MTU Discovery is used to find this size, by simply setting the DF bit.

Vulnerability Details: An attacker may abuse the Path MTU discovery (PMTUD) protocol to trick bind into exceeding the interface MTU. Response Rate Limiting (RRL) is not enabled by default for user defined views nor the builtin one, but it is enabled by default for the default builtin CHAOS class view, which bind uses to provide various information. From technical point of view, CH class is misused by BIND!

For details of vulnerability, please refer to link – https://kb.isc.org/v1/docs/h
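To make the DF-bit mechanics concrete, here is an added example (my own illustration, not code from BIND or ISC) that builds and parses an IPv4 header, reports whether DF is set, and decides what a router with a given link MTU would do with the datagram. The addresses and sizes are constructed sample values; the helper names pmtud_verdict and max_dns_udp_payload are chosen here.

```python
import struct

IP_FLAG_DF = 0x4000   # "Don't Fragment": bit 14 of the 16-bit flags/fragment-offset field
IP_FLAG_MF = 0x2000   # "More Fragments"
IPV4_HDR_LEN = 20
UDP_HDR_LEN = 8
# version/IHL, TOS, total length, id, flags+offset, TTL, proto, checksum, src, dst
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over the header; returns 0 for a header whose checksum is valid."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) | hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_bytes(dotted: str) -> bytes:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return bytes(octets)


def build_ipv4_header(src: str, dst: str, payload_len: int, df: bool = True,
                      ident: int = 0x1234, ttl: int = 64, proto: int = 17) -> bytes:
    """Build a 20-byte IPv4 header (no options) for a payload of payload_len bytes.
    proto 17 = UDP, the transport a resolver normally uses towards BIND."""
    flags_frag = IP_FLAG_DF if df else 0
    hdr = struct.pack(IPV4_FMT, 0x45, 0, IPV4_HDR_LEN + payload_len, ident, flags_frag,
                      ttl, proto, 0, _ip_bytes(src), _ip_bytes(dst))
    # checksum is computed over the header with the checksum field zeroed, then patched in
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed part of an IPv4 header, exposing the DF/MF flags and fragment offset."""
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_FMT, pkt[:IPV4_HDR_LEN])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "ihl": (ver_ihl & 0x0F) * 4,
        "total_len": total_len,
        "ident": ident,
        "df": bool(flags_frag & IP_FLAG_DF),
        "mf": bool(flags_frag & IP_FLAG_MF),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset is stored in 8-byte units
        "ttl": ttl,
        "proto": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "checksum_ok": ipv4_checksum(pkt[:IPV4_HDR_LEN]) == 0,
    }


def pmtud_verdict(pkt: bytes, link_mtu: int) -> str:
    """What a router on a link with the given MTU does with this datagram.
    With DF set, an oversized datagram is dropped and an ICMP 'Fragmentation Needed'
    goes back to the sender; that ICMP message is the PMTUD signal."""
    hdr = parse_ipv4_header(pkt)
    if hdr["total_len"] <= link_mtu:
        return "forward"
    if hdr["df"]:
        return "drop, send ICMP Fragmentation Needed"
    return "fragment"


def max_dns_udp_payload(path_mtu: int) -> int:
    """Largest DNS message that fits in one unfragmented UDP datagram on this path."""
    return path_mtu - IPV4_HDR_LEN - UDP_HDR_LEN


if __name__ == "__main__":
    # Constructed sample: a 1472-byte DNS reply from a server to a resolver (TEST-NET-1 addresses).
    pkt = build_ipv4_header("192.0.2.53", "192.0.2.10", 1472)
    print(parse_ipv4_header(pkt))
    print("on a 1500-byte link:", pmtud_verdict(pkt, 1500))
    print("on a 1280-byte link:", pmtud_verdict(pkt, 1280))
    print("max DNS payload for PMTU 1280:", max_dns_udp_payload(1280))
```

The point for a DNS operator is the last helper: whatever PMTU value the host ends up believing (and the advisory's concern is that other protocols can influence that value), a UDP response larger than path_mtu minus 28 bytes will be discarded with DF set, so response sizes and the EDNS buffer size should be reviewed together with the interface MTU.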

As an end user, are you concerned about the CVE-2021-28372 vulnerability? 17th Aug 2021

Preface: The Kalay platform contains a major vulnerability that will allow hackers to remotely access IoT devices.

Background: Kalay Platform 2.0
This newly developed decentralized structure simplifies the role of the primary server to that of an intermediary transmitter, which reduces the chances of the server being compromised or data being intercepted. Kalay 2.0 is designed with a two-factor UID and end-to-end encryption to support multi-factor authentication and dynamic key-pairing; the new solution ensures protection of the end user’s data and transmission.

The vulnerability is triggered in the following situations:

  • Device firmware that does not use AuthKey when IOTC is connected.
  • Firmware that uses the AVAPI module but does not enable the DTLS mechanism.
  • Firmware that uses the RDT module or P2PTunnel.

Basically, when the vendor conducted its own security review in 2018, the vulnerability was discovered and patched; that is, SDK version 3.1.10 released at that time already contains the fix.

However, the security consulting company FireEye discovered that some network surveillance cameras have security vulnerabilities because these devices are still using an old version of the TUTK SDK, before 3.1.4. Therefore the CVE-2021-32934 vulnerability was announced.

Vulnerability details:

CISA encourages users and administrators to review the ICS Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-21-229-01

FireEye Mandiant blog: https://www.fireeye.com/blog/threat-research/2021/08/mandiant-discloses-critical-vulnerability-affecting-iot-devices.html

CISA Urges Beware of BlackBerry (QNX RTOS) Vulnerabilities – 17th Aug 2021

Preface: BlackBerry OS was discontinued after the release of BlackBerry 10. BlackBerry 10 is based on QNX, a Unix-like operating system that was originally developed by QNX Software Systems until the company was acquired by BlackBerry in April 2010. It supports the application framework Qt (version 4.8) and in some later models features an Android runtime to run Android applications.

Background: The runtime library is the library that is automatically linked into any C program you build. The version of the library you use depends on your compiler, platform, debugging options, and multithreading options.

The calloc() in C is a function used to allocate multiple blocks of memory having the same size. It is a dynamic memory allocation function that allocates the memory space to complex data structures such as arrays and structures and returns a void pointer to the memory.

The free() function frees the memory space pointed to by ptr, which must have been returned by a previous call to malloc(), calloc() or realloc(). Otherwise, or if free(ptr) has already been called before, undefined behavior occurs.

Vulnerability details: An integer overflow vulnerability in the calloc() function of the C runtime library in affected versions of the BlackBerry QNX Software Development Platform (SDP) version 6.5.0 SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier could potentially allow a successful attacker to perform a denial of service or execute arbitrary code. BlackBerry is not aware of any exploitation of this vulnerability. For more details, please refer to the links below.

Official announcement: https://support.blackberry.com/kb/articleDetail?articleNumber=000082334

CISA alert: https://us-cert.cisa.gov/ncas/alerts/aa21-229a

Headline News: https://www.zdnet.com/article/cisa-releases-alert-on-badalloc-vulnerability-in-blackberry-products/
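As an added illustration of the calloc() overflow class (not BlackBerry's or QNX's code; the QNX implementation is not shown on this page), the following Python models size_t arithmetic on a 32-bit target: the unchecked product of nmemb and size wraps, a toy heap then hands back an undersized block, and the division-based guard that a correct calloc() needs refuses the same request. The SIZE_MAX values, the ToyHeap class and the request of 0x40000001 elements of 4 bytes are assumptions constructed for the demonstration.

```python
SIZE_MAX_32 = 2**32 - 1   # size_t on a 32-bit target (assumed for the demonstration)
SIZE_MAX_64 = 2**64 - 1


def unchecked_calloc_size(nmemb: int, size: int, size_max: int = SIZE_MAX_32) -> int:
    """The buggy computation: nmemb * size in C unsigned arithmetic wraps modulo size_max + 1."""
    return (nmemb * size) & size_max


def checked_calloc_size(nmemb: int, size: int, size_max: int = SIZE_MAX_32):
    """The corrected computation: returns the byte count, or None when the product
    does not fit in size_t (a real calloc would then fail and set errno to ENOMEM)."""
    if nmemb == 0 or size == 0:
        return 0
    if nmemb > size_max // size:      # division-based guard: no wraparound possible
        return None
    return nmemb * size


class ToyHeap:
    """Bump allocator over a bytearray. Blocks are laid out back to back, so a write past
    a block's recorded length would land in the next block, i.e. a heap buffer overflow."""

    def __init__(self, heap_bytes: int = 4096, size_max: int = SIZE_MAX_32):
        self.heap = bytearray(heap_bytes)
        self.size_max = size_max
        self.top = 0
        self.blocks = []                      # (start, length) of every live allocation

    def calloc(self, nmemb: int, size: int, checked: bool = True):
        compute = checked_calloc_size if checked else unchecked_calloc_size
        total = compute(nmemb, size, self.size_max)
        if total is None or self.top + total > len(self.heap):
            return None                       # allocation refused
        block = (self.top, total)
        self.blocks.append(block)
        self.top += total
        return block

    def store(self, block, index: int, elem: bytes) -> bool:
        """Write element `index` into a block the caller believes holds nmemb elements of len(elem) bytes.
        Returns False instead of corrupting the heap when the write would leave the block."""
        start, length = block
        offset = index * len(elem)
        if offset + len(elem) > length:
            return False                      # in a real heap this write would overflow into the neighbour
        self.heap[start + offset:start + offset + len(elem)] = elem
        return True


def demonstrate(nmemb: int, size: int) -> dict:
    """Compare the two size computations for one (nmemb, size) request on a 32-bit size_t."""
    return {
        "unchecked_bytes": unchecked_calloc_size(nmemb, size),
        "checked_bytes": checked_calloc_size(nmemb, size),
    }


if __name__ == "__main__":
    # Constructed request: 2^30 + 1 elements of 4 bytes = 4 GiB + 4 bytes, which wraps to 4 with 32-bit size_t.
    print(demonstrate(0x40000001, 4))
    heap = ToyHeap()
    block = heap.calloc(0x40000001, 4, checked=False)
    print("unchecked calloc handed back", block, "for 2^30+1 elements")
    print("writing element 1 stays inside the block:", heap.store(block, 1, b"\x00\x00\x00\x01"))
    print("checked calloc refuses the request:", heap.calloc(0x40000001, 4))
```

The caller of the wrapped allocation sees a non-NULL pointer and a request that "succeeded", so every subsequent element write after the first goes past the end of the block; that is the path from an integer overflow to the denial of service or code execution the advisory describes, and why the guard belongs inside calloc() rather than being left to each caller.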

CVE-2021-38197 – vulnerability encountered in “go-unarr”. Not suggest to use until it fix. (16th Aug, 2021)

Preface: Gobot is a framework for robotics, drones, and the Internet of Things (IoT), written in the Go programming language. The design goal of the decompression library is embedded devices, where flash memory capacity is limited and processing speed is slow.

Background: Package unarr is a decompression library for RAR, TAR, ZIP and 7z archives.

Vulnerability details: The vulnerability occurs in unarr and leads to path traversal. What is a traversal attack? A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder.

Use the “go unarr” tool to decompress a malicious zip file and it will extract the malicious file along with the rest. If you use other tools, such as tar, the malicious folder cannot be extracted to the destination. By triggering the path traversal vulnerability, an attacker can store any file in any privileged place (which means that remote code execution under root privileges can result).

Workaround: None

Affected version: unarr 0.1.1

Remedy: Not yet announced. Therefore it is not suggested to use it until it is fixed.
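An added example of the check an extractor needs before writing any archive entry (my own code, not go-unarr's, and written in Python rather than Go): every entry name is mapped into the destination directory and rejected if it is absolute, drive-qualified, or escapes via “..”. The in-memory ZIP with one benign entry and two traversal entries is a constructed sample, and function names such as safe_extract_path are chosen here.

```python
import io
import os
import tempfile
import zipfile


def safe_extract_path(dest_dir: str, entry_name: str) -> str:
    """Map an archive entry name onto a path guaranteed to lie inside dest_dir.
    Raises ValueError for absolute or drive-qualified names and for '..' escapes."""
    dest = os.path.abspath(dest_dir)
    name = entry_name.replace("\\", "/")          # treat backslashes as separators too (conservative)
    if not name or name.startswith("/") or ":" in name.split("/")[0]:
        raise ValueError(f"absolute or drive-qualified entry name rejected: {entry_name!r}")
    target = os.path.normpath(os.path.join(dest, name))
    if os.path.commonpath([dest, target]) != dest:
        raise ValueError(f"entry escapes destination directory: {entry_name!r}")
    return target


def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    """Boolean wrapper around safe_extract_path for quick policy checks."""
    try:
        safe_extract_path(dest_dir, entry_name)
        return True
    except ValueError:
        return False


def extract_zip_safely(zip_bytes: bytes, dest_dir: str) -> dict:
    """Extract a ZIP held in memory, writing only entries whose paths stay inside dest_dir."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                target = safe_extract_path(dest_dir, info.filename)
            except ValueError as exc:
                rejected.append((info.filename, str(exc)))
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(zf.read(info))
            written.append(info.filename)
    return {"written": written, "rejected": rejected}


def build_test_archive() -> bytes:
    """Constructed sample: one benign entry plus two entries of the kind a hostile archive carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless content\n")
        zf.writestr("../../outside.txt", "attacker-controlled content\n")   # '..' escape
        zf.writestr("/tmp/absolute.txt", "attacker-controlled content\n")   # absolute path entry
    return buf.getvalue()


def run_demo() -> dict:
    """Extract the sample archive into a temporary directory and report what landed on disk."""
    with tempfile.TemporaryDirectory() as dest:
        result = extract_zip_safely(build_test_archive(), dest)
        result["files_on_disk"] = sorted(
            os.path.relpath(os.path.join(root, f), dest)
            for root, _dirs, files in os.walk(dest) for f in files)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The decisive line is the commonpath comparison after normalisation: it is evaluated on the final path, so an entry like a/../../x is caught even though it does not begin with “..”. The same check applies to symlinked entries in formats that carry them, which is a further case this example does not cover.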

A vulnerability in the XML data compression tool (Xml) jeopardizing the Schneider Control Expert software (16th Aug, 2021)

Preface: Since XML data is irregular and verbose, it can impact both query processing and data exchange.

Background: XMill is a tool for compressing XML data efficiently. It is based on a regrouping strategy that leverages the effect of highly-efficient compression techniques in compressors such as gzip (Please refer to attached diagram for details).

The architecture of XMill is based on three principles:
– The XML file is parsed by a SAX parser that sends tokens to the path processor.
– Every XML token (tag, attribute, or data value) is assigned to a container.
– Tags and attributes forming the XML structure are sent to the structure container. Data values are sent to various data containers.

Vulnerability details: XMill contains four heap-based buffer overflow vulnerabilities: TALOS-2021-1290 (CVE-2021-21825), TALOS-2021-1291 (CVE-2021-21826 – CVE-2021-21828), TALOS-2021-1292 (CVE-2021-21829) and TALOS-2021-1293 (CVE-2021-21830). These could all be exploited by an adversary to gain the ability to execute code on the victim machine. Since the XMill tool contains multiple vulnerabilities, please refer to the Cisco Talos official link for details – https://blog.talosintelligence.com/2021/08/vuln-spotlight-att.html

Additional details: Only a subset of these XMill vulnerabilities directly affects Schneider’s Control Expert software: TALOS-2021-1290, TALOS-2021-1291, TALOS-2021-1292 and TALOS-2021-1293, which all directly affect Control Expert and are based around XML decompression within the software.

Reference: EcoStruxure Control Expert is a unique software platform to increase design productivity and performance of your Modicon M340, M580 and M580 Safety, Momentum, Premium, Quantum applications.
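As an added illustration of the three principles above (my own code, not XMill's), the following Python splits a small constructed document into one structure container and one data container per element or attribute path, and compares zlib compression of the whole document with compressing the containers separately. The “#” placeholder token and the path-keyed container names are choices made here for the demonstration.

```python
import xml.sax
import zlib
from collections import defaultdict


class ContainerGrouper(xml.sax.handler.ContentHandler):
    """SAX handler that routes structure tokens to one container and data values to a container per path."""

    def __init__(self):
        super().__init__()
        self.structure = []                 # structure container: tag/attribute tokens in document order
        self.data = defaultdict(list)       # data containers keyed by element/attribute path
        self._path = []
        self._text = []                     # buffered character data (SAX may deliver a text node in pieces)

    def _flush_text(self):
        value = "".join(self._text).strip()
        self._text = []
        if value:
            self.structure.append("#")      # placeholder: "the next value of this path goes here"
            self.data["/".join(self._path)].append(value)

    def startElement(self, name, attrs):
        self._flush_text()
        self._path.append(name)
        self.structure.append("<" + name)
        for attr in attrs.getNames():
            self.structure.append("@" + attr)
            self.data["/".join(self._path) + "/@" + attr].append(attrs.getValue(attr))
        self.structure.append(">")

    def endElement(self, name):
        self._flush_text()
        self.structure.append("</" + name + ">")
        self._path.pop()

    def characters(self, content):
        self._text.append(content)


def group_xml(xml_text: str):
    """Return (structure container, {path: data container}) for the document."""
    handler = ContainerGrouper()
    xml.sax.parseString(xml_text.encode("utf-8"), handler)
    return handler.structure, dict(handler.data)


def compressed_sizes(xml_text: str) -> dict:
    """Compare gzip-style (zlib) compression of the whole document with per-container compression."""
    structure, data = group_xml(xml_text)
    whole = len(zlib.compress(xml_text.encode("utf-8")))
    grouped = len(zlib.compress("".join(structure).encode("utf-8")))
    grouped += sum(len(zlib.compress("\n".join(values).encode("utf-8"))) for values in data.values())
    return {"whole_document": whole, "sum_of_containers": grouped, "containers": len(data) + 1}


# Constructed sample document for the demonstration.
SAMPLE_XML = """<orders>
  <order id="1"><item>bolt</item><price>12.50</price></order>
  <order id="2"><item>nut</item><price>3.10</price></order>
  <order id="3"><item>washer</item><price>0.75</price></order>
</orders>"""


if __name__ == "__main__":
    structure, data = group_xml(SAMPLE_XML)
    print("structure container:", " ".join(structure))
    for path, values in data.items():
        print(f"data container {path}: {values}")
    print(compressed_sizes(SAMPLE_XML))
```

On a document this small the per-stream zlib headers dominate, so the sum of the containers is not smaller than the whole; the regrouping pays off once each container holds many similar values. The security-relevant observation is the inverse direction: the decompressor must rebuild the document by merging a structure stream with data streams whose lengths it takes from untrusted input, which is exactly the kind of length-driven buffer handling in which the heap overflows reported by Talos arise.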

The Qixi Festival (GMT+8, 14th Aug, 2021)

Preface: There is no doubt that coincidences often appear in myth stories handed down from ancient times. The coincidences are related to astronomical phenomena.

Mythological background: Legend has it that since the Northern and Southern Dynasties, the seventh day of the lunar calendar is the day when Altair (牛郎) and Vega (織女) meet once a year. It is commonly known as “Chinese Valentine’s Day”. This is a love story that has been passed down through the ages.
Remark: The Northern and Southern Dynasties were a period in Chinese history. From 420 to 589 AD, it was a turbulent era.

Astronomical phenomenon synopsis: The Pleiades, also known as the Seven Sisters and Messier 45, is an open star cluster containing middle-aged, hot B-type stars in the north-west of the constellation Taurus (金牛座).
Lyra is one of the most brilliant constellations in the northern sky, named after the lyre of ancient Greece. It is one of the 48 constellations listed by the ancient Greek astronomer Ptolemy and one of the 88 modern constellations set by the International Astronomical Union. Although Lyra is not large in size, it is not difficult to identify, because its ruler Vega is one of the vertices of the “Summer Triangle”.

In summer, the summer triangle rises to the zenith in the mid-latitudes of the northern hemisphere. After sunset in autumn, the summer triangle can still be easily seen in the west.

Ref: Since the Tang Dynasty, the Pleiades have been regarded as seven stars. But modern astronomy says this is incorrect.

Did you celebrate this holiday today? Yep, I went to Sai Kung to worship the god.

CVE-2021-34484 – Was the error that occurred a return? 12th Aug 2021

Preface: Type the following command and hit Enter: mklink /J “path to junction link” “path to target folder”. The junction link is thus created.

Background: By creating a new folder structure, changing the user’s shell folder registry key, and placing a junction point in the hierarchy, you can open any other UsrClass.dat file on the system through this process.

Vulnerability details: Microsoft Windows User Profile Service Directory Junction Privilege Escalation Vulnerability (CVE-2021-34484).

An authenticated attacker who successfully exploits this vulnerability could leverage the Windows User Profile Service (ProfSvc) to load registry hives that are associated with other user accounts and potentially run programs with elevated permissions. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability.

Official details: Please refer to the link – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34484

Cyber Security Focus SAP Security Patch Day-August 2021. About CVE-2021-33690 (August 10, 2021)

Preface: Software Development Life Cycle is the application of standard business practices to building software applications. It’s typically divided into six to eight steps: Planning, Requirements, Design, Build, Document, Test, Deploy, Maintain.

Background: The SAP NetWeaver Development Infrastructure combines the features and advantages of a local development environment (usually provided in a Java environment) and a server-based development environment, which gives development teams a consistent development environment and supports the software throughout its development life cycle.

Component Build Service (CBS): Central build of the source files in the DTR based on the component model.

Vulnerability details: CVE-2021-33690 – Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service)

Affected Products – SAP NetWeaver Development Infrastructure (Component Build Service), Versions – 7.11, 7.20, 7.30, 7.31, 7.40, 7.50.

Description: SSRF lets attackers send requests from the server to other resources, both internal and external, and receive responses.

Reference: If you are interested in my understanding of this matter, please refer to the picture above. The official details can be found in the link – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806
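An added example of the server-side validation that blocks most requests of the SSRF kind described above (my own illustration, not SAP's code; the allow-listed host names are constructed for the example): the URL's scheme, embedded credentials, host and port are checked, literal addresses are tested against loopback, private, link-local and other non-global ranges, and a second check with an injectable resolver verifies that an allow-listed name does not resolve to an internal address at request time.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allow-list: the hosts a build service is legitimately expected to contact.
ALLOWED_HOSTS = {"build.example.com", "artifacts.example.com"}


def is_internal_ip(addr: str) -> bool:
    """True for loopback, private, link-local (incl. 169.254.169.254 metadata endpoints), multicast,
    reserved, unspecified and otherwise non-global addresses; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or not ip.is_global)


def check_outbound_url(url: str) -> tuple:
    """Validate a user-supplied URL before the server fetches it. Returns (ok, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname            # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "no host in URL"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 80, 443):
        return False, f"port {port} not allowed"
    try:
        ipaddress.ip_address(host)
        literal = True
    except ValueError:
        literal = False               # decimal/hex forms such as 2130706433 fall through to the allow-list
    if literal:
        if is_internal_ip(host):
            return False, f"literal address {host} is internal or not globally routable"
        return False, "literal IP addresses are not allowed; use an allow-listed host name"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allow-list"
    return True, "ok"


def resolved_addresses_are_external(host: str, resolver=socket.getaddrinfo) -> bool:
    """Second gate against DNS rebinding: resolve the allow-listed name and require every
    address to be external. `resolver` is injectable so the check runs without network access;
    the connection should then be made to the checked address, not re-resolved."""
    try:
        infos = resolver(host, None)
    except socket.gaierror:
        return False
    addrs = {info[4][0].split("%")[0] for info in infos}   # drop IPv6 scope ids
    return bool(addrs) and not any(is_internal_ip(a) for a in addrs)


if __name__ == "__main__":
    for candidate in ("https://build.example.com/artifact/1", "http://127.0.0.1/admin",
                      "http://169.254.169.254/latest/meta-data/", "file:///etc/passwd",
                      "http://2130706433/", "http://[::ffff:10.0.0.5]/"):
        print(candidate, "->", check_outbound_url(candidate))
    # Constructed fake resolver standing in for socket.getaddrinfo in an offline run.
    fake = lambda host, port: [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("10.0.0.5", 0))]
    print("rebinding to 10.0.0.5 caught:", not resolved_addresses_are_external("build.example.com", fake))
```

Rejecting literal addresses outright, rather than trying to classify them, is deliberate: allow-listing names sidesteps the many alternate encodings of an address, and the resolver gate then covers the case where a permitted name is pointed at an internal host.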

antihackingonline.com