FireEye detected APT activity delivered through a SolarWinds product – 13th Dec 2020

Preface: SolarWinds Orion is an IT performance monitoring platform that helps businesses manage and optimize their IT infrastructure.

Vulnerability details: SolarWinds.Orion.Core.BusinessLayer.dll is signed by SolarWinds. However, when a component arrives from a trusted vendor with a valid signature yet carries malware, the existing design has no defense mechanism against it: signature verification confirms who signed the file, not that its contents are benign.

Impact: CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.

Remedy: https://www.solarwinds.com/securityadvisory

Chakra scripting engine countdown. However, you still need to patch (11th Dec 2020)

Preface: Microsoft Edge no longer uses Chakra. Microsoft will continue to provide security updates for ChakraCore 1.11 until 9th March 2021 but does not intend to support it after that.

Background: Chakra is a JavaScript engine that powers Windows applications written in HTML/CSS/JS and was used to power Microsoft Edge. ChakraCore supports Just-in-time (JIT) compilation of JavaScript for x86/x64/ARM, garbage collection, and a wide range of the latest JavaScript features. ChakraCore also supports the JavaScript Runtime (JSRT) APIs, which allow you to easily embed ChakraCore in your applications. To make JIT in Chakra (the JavaScript engine in Microsoft Edge) work with ACG enabled, Microsoft runs the parts of Chakra responsible for compiling code in a separate process, the JIT Server. The JIT server compiles the bytecode and writes the resulting executable code back into the calling process using shared memory.

Vulnerability details: Microsoft did not publish many details. However, this is not the first time a design weakness in ChakraCore has been discovered. For the rest of the details, please refer to the attached diagram.

Official announcement – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17131

The CERT Coordination Center Bulletin – About the vulnerabilities affecting the open source TCP/IP Stack (8th Dec, 2020)

Preface: October 1, 2019 – A security firm identified 11 vulnerabilities, named “URGENT/11”.

Background: These TCP/IP stacks are developed in a subset of the ‘C’ language. Open source TCP/IP stack designs are widely used in embedded systems on the market; in short, think of an IoT device. They run in your business environment and in your home, and Smart City deployments use them as well. Open source implementations include uIP, LwIP, uC/IP, tinytcp, wattcp and BSD 4.4. Commercial implementations include CMX-TCP/IP, NetX, NicheStack, ARC RTCS TCP/IP, RTXC Quadnet TCP/IP, TargetTCP and uc/TCP-IP.

Traditional embedded OS memory footprint – RAM requirements can vary widely depending on application needs but are typically as low as 12 kB. It is possible, with a minimum-configuration UDP application, to use less than 5 kB of ROM and a few hundred bytes of RAM (plus network buffers).

Limitation: In normal circumstances the embedded OS itself does not have enough space for the manufacturer to install antivirus software. Even where it could be installed, keeping virus signatures updated is difficult. So, is it a dead end?

Reader space: these vulnerabilities worry the experts. For more details, please refer to the link – https://www.kb.cert.org/vuls/id/815128
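The bug class behind most embedded TCP/IP stack advisories is a length field that is trusted before it is checked: a packet parser indexes or copies past the end of its buffer, or an option length of zero leaves the parsing loop spinning forever. The following added example (written for this post, not code from any of the stacks named above) shows a TCP options parser that validates every length byte against the remaining buffer before using it. The sample option blobs are constructed, not captured traffic, and the same pattern applies to IP options, DNS labels and any other length-delimited field an embedded stack decodes.

```python
import struct

# TCP option kinds (RFC 793, RFC 7323, RFC 2018).
TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_MSS = 2
TCPOPT_WSCALE = 3
TCPOPT_SACK_PERM = 4
TCPOPT_TIMESTAMP = 8

# Options whose length is fixed by their RFC; any other length is rejected.
FIXED_LEN = {TCPOPT_MSS: 4, TCPOPT_WSCALE: 3, TCPOPT_SACK_PERM: 2, TCPOPT_TIMESTAMP: 10}


class MalformedOptions(ValueError):
    """Raised instead of reading past the end of the options field."""


def parse_tcp_options(opts: bytes) -> dict:
    """Decode the TCP options field, validating every length byte before it is used.

    Returns {kind: decoded value}; unknown kinds are kept as raw bytes.
    """
    result = {}
    i, n = 0, len(opts)
    while i < n:
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        # Every remaining kind carries a length byte; a truncated header is an error.
        if i + 1 >= n:
            raise MalformedOptions(f"kind {kind}: no length byte")
        length = opts[i + 1]
        # length < 2 would leave the cursor standing still or moving backwards
        # (the infinite-loop / underflow variant of the bug class).
        if length < 2:
            raise MalformedOptions(f"kind {kind}: invalid length {length}")
        # The classic overrun: trusting the length and indexing or copying past the buffer.
        if i + length > n:
            raise MalformedOptions(f"kind {kind}: length {length} exceeds the {n - i} bytes left")
        if kind in FIXED_LEN and length != FIXED_LEN[kind]:
            raise MalformedOptions(f"kind {kind}: expected length {FIXED_LEN[kind]}, got {length}")
        body = opts[i + 2:i + length]
        if kind == TCPOPT_MSS:
            result[kind] = struct.unpack("!H", body)[0]
        elif kind == TCPOPT_WSCALE:
            result[kind] = min(body[0], 14)            # RFC 7323 caps the shift count at 14
        elif kind == TCPOPT_SACK_PERM:
            result[kind] = True
        elif kind == TCPOPT_TIMESTAMP:
            result[kind] = struct.unpack("!II", body)  # (TSval, TSecr)
        else:
            result[kind] = body
        i += length
    return result


def is_malformed(opts: bytes) -> bool:
    """True when the parser rejects the input instead of reading out of bounds."""
    try:
        parse_tcp_options(opts)
    except MalformedOptions:
        return True
    return False


# Constructed sample inputs (not captured traffic).
GOOD = bytes([2, 4, 0x05, 0xB4,                    # MSS = 1460
              1, 3, 3, 7,                           # NOP, window scale 7
              4, 2,                                 # SACK permitted
              8, 10, 0, 0, 0, 1, 0, 0, 0, 0])       # timestamps TSval=1, TSecr=0
BAD_ZERO_LEN = bytes([2, 0, 0x05, 0xB4])            # length 0: a naive loop never advances
BAD_OVERRUN = bytes([3, 3, 0x07, 8, 200])           # timestamp option claims 200 bytes
BAD_TRUNCATED = bytes([1, 1, 2])                    # MSS kind with no length byte

if __name__ == "__main__":
    print(parse_tcp_options(GOOD))
    for sample in (BAD_ZERO_LEN, BAD_OVERRUN, BAD_TRUNCATED):
        print(sample.hex(), "rejected:", is_malformed(sample))
```

The three checks on the length byte (present, at least 2, and within the remaining bytes) are the whole defense; an embedded stack written in C needs exactly the same comparisons before its memcpy or pointer arithmetic, and a fixed-length table like FIXED_LEN catches options that are well-formed but wrong for their kind.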

Sensitive information in log files: Kubernetes is no exception. 7-12-2020

Preface: If you don’t see much of use in the logs, you can try turning on verbose logging on the Kubernetes component you suspect has a problem, using -v or --vmodule, to at least level 4.

Technical background: Kubernetes has no native cluster-level logging. There are a few proven methods that can be applied cluster-wide to the same effect, namely all logs collected in a standardized way and sent to a central location. The common approaches are a node logging agent, monitoring Kubernetes pods, and monitoring applications running in Kubernetes. That may be comprehensive, yet it still runs into sensitive information leakage. To keep pace with the technology world, a Kubernetes cluster does a lot of system integration or thin provisioning, for example using Ceph product services. So when a design weakness occurs, sensitive information will be found here.
Ref: A RADOS Block Device (RBD) is software that facilitates the storage of block-based data in the open source Ceph distributed storage system.

Vulnerability details:

CVE-2020-8563 – https://nvd.nist.gov/vuln/detail/CVE-2020-8563

CVE-2020-8564 – https://nvd.nist.gov/vuln/detail/CVE-2020-8564

CVE-2020-8565 – https://nvd.nist.gov/vuln/detail/CVE-2020-8565

CVE-2020-8566 – https://nvd.nist.gov/vuln/detail/CVE-2020-8566

Comment: The management of log files is merged into ISMS. Therefore, the impact depends on this area.
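Because the four advisories above all come down to credential-like values reaching a log stream once a component runs at a high verbosity level, a defender wants two checks: what verbosity each component was started with, and whether the collected log lines already contain secrets. The following added example (written for this post, not Kubernetes project code) scans constructed log lines for a password embedded in a URL, a Ceph-style admin secret passed as a key=value, and a bearer token, redacts them, and reads the klog verbosity from a component command line. The log lines, hostnames and secret values are all made up for the example.

```python
import re

# Credential-like shapes that should never reach a log stream.
# Each pattern has two groups: (1) the prefix to keep, (2) the secret to redact.
SECRET_PATTERNS = (
    ("bearer_token", re.compile(r"(?i)(Bearer\s+)([A-Za-z0-9._\-]{16,})")),
    ("url_password", re.compile(r"(?i)(\b[a-z][a-z0-9+.\-]*://[^:/\s@]+:)([^@\s]+)(?=@)")),
    ("key_value", re.compile(r"(?i)(\w*(?:password|passwd|secret|token|key)\s*[=:]\s*\"?)([^\s\"',}]+)")),
)


def scan_line(line: str) -> list:
    """Return the kinds of secret found in one log line."""
    return [kind for kind, pat in SECRET_PATTERNS if pat.search(line)]


def redact_line(line: str) -> str:
    """Replace every matched secret with a marker, keeping the surrounding context."""
    for _, pat in SECRET_PATTERNS:
        line = pat.sub(lambda m: m.group(1) + "[REDACTED]", line)
    return line


def scan_log(lines) -> list:
    """Return [(line_number, kind), ...] for every credential-like value found."""
    findings = []
    for no, line in enumerate(lines, 1):
        for kind in scan_line(line):
            findings.append((no, kind))
    return findings


def log_verbosity(args) -> int:
    """Return the global klog verbosity (-v / --v) on a component command line, 0 if unset."""
    it = iter(args)
    for arg in it:
        if arg.startswith("--v=") or arg.startswith("-v="):
            return int(arg.split("=", 1)[1])
        if arg in ("--v", "-v"):
            return int(next(it, "0"))
    return 0


# Constructed kubelet-style log lines; none of these values are real.
LOG_LINES = [
    "I1207 10:15:02.131 kubelet.go:123] Loading cloud config: vsphere://vcadmin:Sup3rS3cret!@vcenter.example.internal/sdk",
    "I1207 10:15:02.140 rbd.go:456] Mounting rbd image pool=kube image=pvc-1 adminSecret=AQBkZ2lhTEVhSxAAaqOdGq8W1mZ3j8yUdP7vQg== mon=10.0.0.5",
    "I1207 10:15:03.001 round_trippers.go:443] Request Headers: Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQifQ.c2lnbmF0dXJl",
    "I1207 10:15:03.200 kubelet.go:200] Syncing pod default/web-0 (no credentials here)",
]

if __name__ == "__main__":
    print("verbosity:", log_verbosity(["kubelet", "--v=4", "--vmodule=rbd*=5"]))
    for no, kind in scan_log(LOG_LINES):
        print(f"line {no}: {kind}")
    for line in LOG_LINES:
        print(redact_line(line))
```

A verbosity of 4 or more on a production component is the first thing to flag; the redaction pass belongs in the node logging agent, before lines leave the host, since once a secret is in the central log store every reader of that store holds it.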

We try our best to avoid information leakage, but it is difficult to avoid vulnerabilities happening. Take care of your cat (Tomcat) – 7th Dec 2020

Preface: “We encourage users and administrators to review the Apache security advisory for CVE-2020-17527 and upgrade to the appropriate version,” said CISA (4th Dec 2020).

Vulnerability details: In HTTP/2, headers are compressed using a combination of compression schemes (static Huffman coding and context-adaptive coding), and flow-control and dependency mechanisms allow HTTP/2 clients and servers to signal how objects should be transmitted. However, a design weakness was found in Apache Tomcat: it allowed an HTTP request header value from the previous stream received on an HTTP/2 connection to be re-used for the request associated with the subsequent stream. This fault will cause an error and closure of the HTTP/2 connection, and it is possible that information could leak between requests.

Remedy: The method was given a specific task, and it should be expected to complete it and return a finished result that does not require further processing. Only return a StringBuilder when you really need to, and in that case add something to the method name to indicate that you are returning something special. For more detail, please refer to the diagram.

Mitigation:
Upgrade to Apache Tomcat 10.0.0-M10 or later
Upgrade to Apache Tomcat 9.0.40 or later
Upgrade to Apache Tomcat 8.5.60 or later
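To make the failure mode concrete, the following added example (a simplified model written for this post, not Tomcat's own code) contrasts two header decoders. LeakyDecoder keeps one connection-scoped builder, like a reused StringBuilder, and only clears it when a header finishes, so fragments left behind by a stream that aborts mid-header are prepended to the next stream's value. SafeDecoder follows the remedy described above: it builds the value in per-stream state and hands back only the finished string. The event lists and cookie values are constructed.

```python
class LeakyDecoder:
    """Connection-scoped builder that is only cleared on a completed header."""

    def __init__(self):
        self.sb = []  # shared across every stream on the connection

    def decode_stream(self, events):
        """Consume (kind, value) events for one stream; None if the stream aborts."""
        headers, name = {}, None
        for ev in events:
            kind = ev[0]
            if kind == "start":
                name = ev[1]                     # bug: self.sb is not reset here
            elif kind == "data":
                self.sb.append(ev[1])
            elif kind == "end":
                headers[name] = "".join(self.sb)
                self.sb.clear()
            elif kind == "abort":
                return None                      # bug: leftover fragments stay in self.sb
        return headers


class SafeDecoder:
    """Per-stream state; the method returns the finished value, never the builder."""

    def decode_stream(self, events):
        headers, name, sb = {}, None, []         # fresh builder for every stream
        for ev in events:
            kind = ev[0]
            if kind == "start":
                name, sb = ev[1], []
            elif kind == "data":
                sb.append(ev[1])
            elif kind == "end":
                headers[name] = "".join(sb)
            elif kind == "abort":
                return None                      # partial state dies with the stream
        return headers


# Constructed stream events: stream 1 aborts after sending part of its cookie,
# stream 2 on the same connection then sends its own cookie.
STREAM1 = [("start", "cookie"), ("data", "session=abc"), ("abort",)]
STREAM2 = [("start", "cookie"), ("data", "session=xyz"), ("end",)]


def cookie_seen_by_stream2(decoder_cls) -> str:
    """Run both streams through one decoder and return the cookie stream 2 ends up with."""
    decoder = decoder_cls()
    decoder.decode_stream(STREAM1)
    return decoder.decode_stream(STREAM2)["cookie"]


if __name__ == "__main__":
    print("leaky:", cookie_seen_by_stream2(LeakyDecoder))
    print("safe: ", cookie_seen_by_stream2(SafeDecoder))
```

The leaky decoder delivers "session=abcsession=xyz" to the second request, which is the information leak between requests; the safe one delivers only "session=xyz". The general lesson is that any per-connection mutable buffer must be reset on every path out of the stream, including the error path.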

CVE-2020-29534: Perhaps this impact only applies to end users rather than IoT manufacturers. The fact is that the 5.9 release only came out in Oct 2020. (3rd Dec 2020)

Preface: Linux kernel 5.1 added io_uring. Its main purpose is to address the problems of the original Linux native AIO. For example:
– MySQL and Nginx already support local AIO.
– InnoDB uses the asynchronous I/O subsystem (native AIO) on Linux to perform read-ahead and write requests for data file pages.

Technical details: Put simply, AIO hands the corresponding callback function over to the system, which makes it truly asynchronous. However, Linux native AIO imposes the following restrictions on files opened with the O_DIRECT flag: when reading and writing files in AIO mode, the operating system’s file cache cannot be used, and the buffer address, transfer size and file offset must all be multiples of the disk block size (usually 512 bytes). The advantage of O_DIRECT is that it avoids making extra copies of data while transferring it, and the call returns after the transfer is complete.

Vulnerability details:

File access across suid boundaries – io_uring takes a non-refcounted reference to the files_struct of the process that submitted a request (relying on ->flush() for being notified before the files_struct can go away). Unfortunately, unshare_fd(), which is used by bprm_execve() via unshare_files(), doesn’t know about that, and assumes that if the files_struct’s refcount is 1, it is okay to keep using the old files_struct.

mm access across suid boundaries – If an attacker lets the suid binary write the fd number to a fixed address and then uses that address instead of free_fd, the vulnerability can be triggered.

Reference: mm (pointer to struct mm_struct) refers to the address space of a process. For example, exe_file (pointer to struct file) refers to the executable file, while arg_start and arg_end are the addresses of the first and last byte of the argv passed to a process, respectively.

Status: This vulnerability is currently awaiting analysis.

Xerox DocuShare (6.6.1, 7.0 and 7.5) involves potential data leakage vulnerabilities (3rd Dec 2020)

Preface: The official announcement did not say much. Do you have doubts about CVE-2020-27177 (Xerox DocuShare vulnerability)?

Product details: DocuShare Scan and Print 7 (hereafter, Scan and Print) is a feature which allows you to print documents uploaded to DocuShare, or upload scanned documents to DocuShare. DocuShare security features protect content from unauthorized access and modification. These features are available to both the site administrator and users, enabling them to apply the level of protection needed for their site.

Vulnerability details: When applications use XML to transport data between browser and server, they almost always use a standard API for processing the XML on the server. Vulnerabilities arise because parsers will, by default, process potentially dangerous features. The DocuShare server is exposed to server-side request forgery (SSRF) attacks and unauthenticated external XML entity injection (XXE) attacks. The overall impact could expose DocuShare users to an attack resulting in the loss of sensitive data. SSRF can cause the server to make a connection back to itself, or to other web-based services within the organization’s infrastructure; the seriousness of the impact depends on the trust relationship between the two ends.

Official announcement – https://securitydocs.business.xerox.com/wp-content/uploads/2020/11/cert_Security_Mini_Bulletin_XRX20W_for-DocuShare-6.61_7.0_7.5.pdf
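The two weaknesses named above have standard server-side countermeasures: refuse the XML features an XXE payload relies on (DOCTYPE, entity declarations, external entity references) instead of letting the parser process them by default, and check the destination of every server-initiated request against an allowlist and the internal address ranges before connecting. The following added example (written for this post, not DocuShare or Xerox code) implements both with the Python standard library. The document bodies, the allowed-host set and the test URLs are constructed; the file URI in the rejected document is a placeholder.

```python
import ipaddress
import urllib.parse
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised as soon as the parser meets a feature we refuse to process."""


def parse_strict(data: bytes) -> dict:
    """Parse XML while rejecting DOCTYPE, entity declarations and external entity references.

    Returns the element names in document order and the concatenated character data.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements, text = [], []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE not allowed (root element {name!r})")

    def reject_entity(*_):
        raise UnsafeXMLError("entity declaration not allowed")

    def reject_external(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity reference not allowed: {sysid!r}")

    # expat calls these before any entity is resolved, so raising here stops
    # the parse before a file or URL is ever touched.
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return {"elements": elements, "text": "".join(text)}


def is_rejected(data: bytes) -> bool:
    """True when parse_strict refuses the document."""
    try:
        parse_strict(data)
    except (UnsafeXMLError, xml.parsers.expat.ExpatError):
        return True
    return False


def outbound_url_allowed(url: str, allowed_hosts: frozenset) -> bool:
    """Decide whether the server may fetch this URL on a client's behalf.

    Hostnames must be explicitly allowlisted; IP literals must not point at the
    server itself or the local network. Name resolution is deliberately not done
    here: the resolved address must be re-checked at connect time as well,
    otherwise a hostname that resolves to an internal address slips through.
    """
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return parts.hostname.lower() in allowed_hosts
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


# Constructed inputs.
SAFE_DOC = b"<doc><title>hello</title><body>world</body></doc>"
XXE_DOC = (b'<?xml version="1.0"?><!DOCTYPE doc [<!ENTITY ext SYSTEM "file:///placeholder">]>'
           b"<doc>&ext;</doc>")
EXTERNAL_DTD_DOC = b'<!DOCTYPE doc SYSTEM "http://dtd.example.invalid/doc.dtd"><doc/>'
ALLOWED_HOSTS = frozenset({"docs.example.com"})

if __name__ == "__main__":
    print(parse_strict(SAFE_DOC))
    for doc in (XXE_DOC, EXTERNAL_DTD_DOC):
        print("rejected:", is_rejected(doc))
    for url in ("https://docs.example.com/api", "http://127.0.0.1:8080/admin",
                "http://169.254.169.254/latest/", "http://[::1]/"):
        print(url, "->", outbound_url_allowed(url, ALLOWED_HOSTS))
```

Rejecting the DOCTYPE outright is simpler and safer than trying to allow harmless internal subsets, because application XML rarely needs one; the SSRF check is only half of the control until the same address test is repeated on the socket the HTTP client actually opens.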

New vulnerability found on the Tesla Model X; perhaps the remedy is not to let strangers sit in your car – 1st Dec 2020

Preface: Vulnerabilities found in products are nothing new. In short, a total of 3 vulnerabilities were found on the Tesla Model X this time.

Vulnerability details: For the new discoveries on the Model X, please refer to the URL below. In addition, the attached drawings will provide you with hints.

https://www.wired.com/story/tesla-model-x-hack-bluetooth/

Information supplement for reference: A cable with vendor part no. #1013230-00-A, or a 3rd-party compatible cable, allows you to connect to the Model S or Model X service port and access maintenance features like firmware redeploy (used when swapping most parts), reading and clearing DTCs (diagnostic trouble codes), running Autopilot camera and radar calibration, and reading thermal stats on the drive. The Model S and X run a 100 Mbps, full-duplex Ethernet network. Some ports and services that were open on the devices were 22 (SSH), 23 (telnet), 53 (domain), 80 (HTTP), 111 (rpcbind), 2049 (NFS) and 6000 (X11). Port 80 was serving a web page with the image or media of the current song being played. The operating system is a modified version of Ubuntu using an ext3 filesystem.

Remedy: Waiting for vendor update.

iPhone 6s owners have serious operation problems after upgrading their iOS to 12.4.9. Do you think the vendor will fix it?

Preface: The vendor insists on fixing the cyber security weaknesses CVE-2020-27929 & CVE-2020-27930. However, this iOS upgrade caused specific iPhone models, especially the 6s, to encounter operational difficulties.

Observation 1: On 5th November 2020, Apple released a security update to enhance the cyber security protection of their products. This enhancement included remediation of two different vulnerabilities. However, quite a lot of users, including myself, encountered technical problems. For instance, the touch screen service on the iPhone 6s was suspended intermittently.

Observation 2: When I connect my iPhone 6s to my notebook, the touch screen malfunction does not happen as frequently, but it still occurs intermittently. The symptom looks related to a daemon (com.apple.mtmergeprops.plist). Do you think this problem is caused by a missing step to check the iOS device chip model (A9 or A10), whereby a memory mapping problem occurs?

Reference: Apple security updates on 5th Nov 2020 – https://support.apple.com/en-us/HT211940

CVE-2020-27255: Software vulnerability that bypasses address space layout randomization (ASLR) protection (FactoryTalk Linx – Allen-Bradley software product) 27th Nov 2020

Preface: When dealing with industrial automation and control systems, the technology difference between IT and OT is small; perhaps they are close. For cyber security protection matters, it seems there is no difference at all.

Product background: Formerly known as RSLinx® Enterprise, FactoryTalk® Linx is included with most FactoryTalk software and functions as the premier data server to deliver information from Allen‑Bradley control products to the control system. While FactoryTalk Linx interfaces with PLC-5®, SLC™ 500 and Micro800™ controllers, it is optimized to communicate with Logix 5000™ controllers using EtherNet/IP. This gives the fastest data rates and capacity possible, while minimizing the impact on your automation networks and control system operation. FactoryTalk Linx delivers a solution from small applications running on a single computer with a single controller, to large distributed and even redundant data server configurations communicating with large automation systems.

Vulnerability details: A heap overflow vulnerability exists within FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send malicious set attribute requests, which could result in the leaking of sensitive information. This information disclosure could lead to the bypass of address space layout randomization (ASLR).

Observation: The vendor does not explicitly disclose the facts of the vulnerability, but most likely the vulnerability is caused by a JavaScript-based ASLR bypass attack.

Vendor announcement and remedy: https://us-cert.cisa.gov/ics/advisories/icsa-20-329-01

antihackingonline.com