Homograph Attack (Puny-code) – CVE-2020-25779

Preface: To prevent malware attacks, DNS is the first door for quarantine. This step is not difficult: check whether the domain name being called is included in the blacklist.

What is Punycode?
An encoding that represents words which cannot be written in ASCII (Unicode) using ASCII characters.

Background: There are two different scenarios for the cyber threat actor to exploit.

  1. The attacker builds deceptive IDNs (Internationalized Domain Names) that are likely to mislead internet users.
  2. A phishing attack is almost impossible to detect when the Punycode vulnerability is encountered.

Synopsis: If the DNS filter mechanism does not convert IDN domains to their Punycode form before doing the verification, a blacklisted domain can be ignored by the filter.

Example: The domain “xn--eqru1b157l[.]co” is equivalent to “黑名單[.]co”, where “xn--eqru1b157l” is the Punycode form.
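As an added example (not Trend Micro's filter code), a blacklist check that canonicalizes every queried name to its A-label (Punycode) form before the lookup, so the Unicode spelling and the xn-- spelling of the page's sample domain resolve to the same blocked key; the blacklist contents are constructed.

```python
import unicodedata

# Constructed blacklist, stored in lowercase A-label (Punycode) form so that
# every lookup compares like with like. The entry is the page's sample domain.
BLACKLIST = {"xn--eqru1b157l.co"}

def canonical_alabel(domain: str) -> str:
    """Return `domain` as a lowercase, dot-normalized ASCII A-label string.

    "黑名單.co", "黑名單.CO." and "xn--eqru1b157l.co" all collapse to
    "xn--eqru1b157l.co", so a filter keyed on this value cannot be bypassed
    by presenting the other spelling of the same name.
    """
    domain = unicodedata.normalize("NFKC", domain).strip().rstrip(".").lower()
    labels = []
    for label in domain.split("."):
        if label.startswith("xn--"):
            labels.append(label)  # already an A-label
        else:
            # IDNA ToASCII: nameprep + Punycode + "xn--" prefix for non-ASCII labels
            labels.append(label.encode("idna").decode("ascii"))
    return ".".join(labels)

def naive_is_blocked(domain: str) -> bool:
    """The weak check: compares the raw queried string, so the Unicode form slips through."""
    return domain.lower() in BLACKLIST

def is_blocked(domain: str) -> bool:
    """The fixed check: canonicalize to A-label form first, then look up."""
    return canonical_alabel(domain) in BLACKLIST

if __name__ == "__main__":
    for d in ("xn--eqru1b157l.co", "黑名單.co", "黑名單.CO."):
        print(f"{d!r:24} naive={naive_is_blocked(d)!s:5} fixed={is_blocked(d)}")
```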

Vulnerability details: Trend Micro Antivirus for Mac 2020 (Consumer) Bypass Web Threat Protection via Internationalized Domain Name Homograph Attack (Puny-code) Vulnerability.

Remedy: Trend Micro has released a new build of Trend Micro Antivirus for Mac Security (Consumer). Please refer to the link – https://helpcenter.trendmicro.com/en-us/article/TMKA-09949

CVE-2020-26947 – Monero-wallet-gui design weakness (12th Oct 2020)

Preface: Monero price US$132.36 today (12th Oct 2020). Monero (XMR) stands at the top of the list. This cryptocurrency’s popularity has been on the rise, primarily due to its ability to help anonymize users. Monero transactions are much more difficult to trace because they use ring signatures and stealth addresses.

Vulnerability details: monero-wallet-gui in Monero GUI 0.17.0.1 includes the . directory in an embedded RPATH (with a preference ahead of [/]usr[/]lib), which allows local users to gain privileges via a Trojan horse library in the current working directory.

Supplement: Potential risk: local privilege escalation (similar to DLL hijacking on Windows).
Condition: the current directory must allow the user write and execute permission.
The risk level of the vulnerability therefore depends on how the default program and its .so files are permission-controlled. If the dynamically linked shared object libraries it specifies are granted tight access permissions, the severity of the risk drops significantly.
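An added audit helper (not part of Monero or NVD material) that parses `readelf -d` output and flags RPATH/RUNPATH entries the dynamic loader resolves against the current working directory, the condition the page describes; the sample readelf output is constructed to match that description, not captured from the real binary.

```python
import re
import subprocess
from typing import List, Tuple

# Constructed sample of `readelf -d` output, written to match the page's
# description: a "." entry in RPATH ordered ahead of /usr/lib.
SAMPLE_READELF = """\
Dynamic section at offset 0x1a8 contains 3 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [.:/usr/lib]
 0x0000000000000000 (NULL)               0x0
"""

# Matches "(RPATH) Library rpath: [...]" and "(RUNPATH) Library runpath: [...]".
SEARCH_PATH_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[([^\]]*)\]")

def search_path_entries(readelf_output: str) -> List[Tuple[str, str]]:
    """Return (tag, entry) pairs for every colon-separated RPATH/RUNPATH entry, in order."""
    entries: List[Tuple[str, str]] = []
    for m in SEARCH_PATH_RE.finditer(readelf_output):
        tag, value = m.group(1), m.group(2)
        entries.extend((tag, e) for e in value.split(":"))
    return entries

def is_cwd_relative(entry: str) -> bool:
    """True if the loader would resolve this entry against the current directory.

    An empty entry (from a leading, trailing or doubled colon) and "." both mean the
    directory the process was started in; any other path that is neither absolute nor
    anchored on $ORIGIN (the binary's own directory) is relative to cwd as well.
    """
    if entry in ("", "."):
        return True
    return not (entry.startswith("/") or entry.startswith("$ORIGIN") or entry.startswith("${ORIGIN}"))

def risky_entries(readelf_output: str) -> List[str]:
    """List the entries that make library loading depend on the caller's working directory."""
    return [f"{tag}: {entry!r} is resolved relative to the current working directory"
            for tag, entry in search_path_entries(readelf_output) if is_cwd_relative(entry)]

def audit_binary(path: str) -> List[str]:
    """Audit a real ELF file; needs binutils' readelf on PATH."""
    out = subprocess.run(["readelf", "-d", path], capture_output=True, text=True, check=True).stdout
    return risky_entries(out)

if __name__ == "__main__":
    for finding in risky_entries(SAMPLE_READELF):
        print(finding)
```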

Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-26947

Official alert – APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations (9th Oct 2020)

Preface: Zero-day attacks don’t have signatures; no one in the security community has analyzed the exploited vulnerability yet. It is probably only discovered after the victim reports it. Therefore we should set up a comprehensive vulnerability management program.

Risk management – In reality, it’s not easy to apply every patch as soon as it comes out. This is why it’s important for us to craft a comprehensive vulnerability management program through which we can use a risk profile to prioritize security flaws.

How to detect a zero-day vulnerability?
A DNS sinkhole setup can assist systems in evaluating programs and trying to anticipate whether their actions are actually intended or linked to a deliberate change in function. Over time, these systems are exposed to the entire operational profile of programs and are able to raise alerts when they detect suspicious data access attempts.

This year we have noticed that critical vulnerabilities were found. Perhaps we cannot imagine that famous security solution vendors also become victims (see below):
– Citrix NetScaler CVE-2019-19781
– MobileIron CVE-2020-15505
– Pulse Secure CVE-2019-11510
– Palo Alto Networks CVE-2020-2021
– F5 BIG-IP CVE-2020-5902
– Fortinet FortiOS VPN vulnerability CVE-2018-13379
Federal and state, local, tribal, and territorial (SLTT) government networks and critical infrastructure also make use of their products.
On 9th October 2020, CISA and the FBI released a joint advisory regarding APT actors chaining vulnerabilities against SLTT, critical infrastructure, and elections organizations.

Official announcement, please refer to the link – https://us-cert.cisa.gov/ncas/alerts/aa20-283a

CVE-2020-12505 & CVE-2020-12506 CODESYS impacting WAGO, not sure who is the next victim? – 7th Oct 2020

Preface: CODESYS is the leading manufacturer-independent IEC 61131-3 automation software for engineering control systems. However, the design weakness jeopardizes the industrial world.

Highlights: According to the CVE announcement on 30th September 2020, a series of WAGO PLC-ETHERNET fieldbus controllers are vulnerable to cyber attack.

Vulnerability details: Authentication can be disabled for port 11740 when it is in use for uploading PLC applications to the device, which lets an attacker bypass authentication. The design flaw arises because the device is required to run application logic following IEC 61131 standards, so arbitrary code could be executed directly on the device with the privileges associated with the CODESYS runtime.

Official mitigation method:
– Restrict network access to the device.
– Do not directly connect the device to the internet.
– Disable unused TCP/UDP ports.
– Disable web-based management ports 80/443 after the configuration phase.

Reference:

https://cert.vde.com/en-us/advisories/vde-2020-027

https://cert.vde.com/en-us/advisories/vde-2020-028

Security Focus: Samsung mobile phone vulnerabilities (NVD release date: October 6, 2020)

Preface: So far, it is difficult to detect the PendingIntent vulnerability with a tool.

Background: Insecure usage of “PendingIntents” can lead to severe security issues. By exploiting vulnerable but benign applications that are insecurely using PendingIntents, a malicious application without any permissions can perform many critical operations, such as sending text messages (SMS) to a premium number.

Known design weakness: A PendingIntent itself is simply a reference to a token maintained by the system describing the original data used to retrieve it. This means that even if its owning application’s process is killed, the PendingIntent itself will remain usable from other processes that have been given it.

Ref 1: An explicit intent defines a target component and thus is only delivered to the specified component.
Ref 2: A broadcast intent is broadcast to every registered component instead of only one.
Ref 3: PendingIntents – A PendingIntent is intended for another application to perform a certain action in the context of the sending application.

Vulnerability details – refer to the URLs below:

https://nvd.nist.gov/vuln/detail/CVE-2020-26601

https://nvd.nist.gov/vuln/detail/CVE-2020-26602

https://nvd.nist.gov/vuln/detail/CVE-2020-26604

CVE-2020-24231 – Are you using SymmetricDS for Database Replication on your Docker or cloud environment?

Preface: Cutting-edge technology companies like open source software. Big data analytics companies may need to pay attention.

Observation: From our observation of advanced technology development firms, whether small or enterprise-sized, they do not mind using open source software applications. From a business point of view, they are business units and therefore must pay license fees once a vendor requires it. However, before their new services or products roll out to the market, software developers do not hesitate to use open source software. Open source software vulnerabilities are therefore a key factor they should be alert to; otherwise, the impact of the risk on your services or products is unpredictable.

Technical background: Monitoring and administrative operations of SymmetricDS can be performed using Java Management Extensions (JMX). SymmetricDS uses MX4J to expose JMX attributes and operations that can be accessed from the built-in web console, Java’s jconsole, or an application server. By default, the web management console can be opened from the following address:
http://localhost:31416/

Vulnerability found in SymmetricDS: SymmetricDS uses MX4J to provide access to JMX over HTTP. MX4J, by default, has no authentication and is available on all interfaces (0.0.0.0). Therefore, an attacker can interact with JMX: get system info and invoke MBean methods. Moreover, it’s possible to install additional MBeans from a remote host using MLet, which leads to arbitrary code execution. For more details, please refer to the attached picture.

Remedial Status: https://www.symmetricds.org/issues/view.php?id=4263

Trend Micro Antivirus for Mac Symbolic Link Privilege Escalation Vulnerability (CVE-2020-25776) – 5th Oct 2020

Preface: On a Linux system, chmod never changes the permissions of symbolic links; the chmod system call cannot change their permissions. This is not a problem since the permissions of symbolic links are never used. However, for each symbolic link listed on the command line, chmod changes the permissions of the pointed-to file.

VULNERABILITY DETAILS: This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Antivirus for Mac. The specific flaw exists within the iTISPlugin module. By creating a symbolic link, an attacker can abuse the product to loosen permissions on a local file. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of root.
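A defensive pattern for privileged code that must change permissions on a path it did not create, added here as an example (not Trend Micro's code): open the path with O_NOFOLLOW and fchmod the descriptor, so a symbolic link planted at that path is refused instead of followed to the file it points at. The demo() scenario with a temporary file and link is constructed.

```python
import os
import stat
import tempfile

def chmod_nofollow(path: str, mode: int) -> None:
    """Change the mode of `path` only if it is a regular file reached without a symlink.

    O_NOFOLLOW makes the kernel fail the open (ELOOP) when the final path component is
    a symbolic link, and fchmod acts on the descriptor actually opened, so there is no
    window between checking the path and changing it in which it could be swapped.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(f"{path}: not a regular file, refusing to change mode")
        os.fchmod(fd, mode)
    finally:
        os.close(fd)

def demo() -> dict:
    """Constructed scenario: a 0600 file plus a symlink to it, as a local user could plant."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "real.txt")
        link = os.path.join(d, "link.txt")
        with open(target, "w") as f:
            f.write("secret")
        os.chmod(target, 0o600)
        os.symlink(target, link)

        results = {}
        # Plain chmod follows the link: the pointed-to file's permissions get loosened.
        os.chmod(link, 0o666)
        results["plain_chmod_target_mode"] = stat.S_IMODE(os.stat(target).st_mode)
        os.chmod(target, 0o600)  # restore before the second run

        # The hardened version refuses the link and leaves the target untouched.
        try:
            chmod_nofollow(link, 0o666)
            results["nofollow_refused"] = False
        except OSError:
            results["nofollow_refused"] = True
        results["nofollow_target_mode"] = stat.S_IMODE(os.stat(target).st_mode)
        return results

if __name__ == "__main__":
    print(demo())
```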

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25776

The risk rating of this flaw is set to low in the CVE database. However, do not underestimate this low risk rating, and believe that in the computer software world similar flaws will appear everywhere. So we must stay alert.

Mitigation: Install updates from vendor’s website.

Vulnerable software versions: Antivirus for Mac: 2019 (v9.x), 2020 (v10.x)

Ransomware attacks are raging recently. The victim firms include a famous watch manufacturer, a bank, health services, etc. (30th Sep 2020)

Background: Cyber attacks are commonly based on vulnerabilities and user negligence. Ransomware uses the same concept.

An example of ransomware today: Conti and Ryuk code is similar. Conti uses a ransomware note template similar to Ryuk’s, and it appeared to be deploying the same TrickBot infrastructure. When the attack campaigns send unsolicited emails, they use social engineering techniques to reduce users’ awareness, so that users download malware from malicious websites or are tricked into opening malware through an attachment. Security experts noticed that the Conti ransomware has multiple anti-analysis features to slow detection and reverse engineering. Their method uses VBA code that executes a multi-stage, highly obfuscated PowerShell script in an attempt to evade AV and security solutions. Ransomware is one of the most troublesome items among cyber attacks. Perhaps you can use the guideline below to enrich your related knowledge.

CISA and MS-ISAC Release the Prevention Best Practices – https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf

Aveva Edna Enterprise Data Historian Vulnerabilities (CVE-2020-13508,CVE-2020-13505,CVE-2020-13503,CVE-2020-13501,CVE-2020-13500,CVE-2020-13499 & CVE-2020-13507) – Sep 2020

Preface: AVEVA has reached agreement to acquire OSIsoft, a pioneer and global leader in real-time industrial operational data software and services.

Background: Under normal circumstances, an authorized user can navigate to the ASMX file through the browser, fill in the form with the parameters and post to the DB. If an attacker finds the URL of this internet-facing web portal, is there a way for the hacker to alter the database?

Reply: If someone else is in the same domain, he can copy the cookie from the referring page and then exploit the ASMX file to alter the DB.

Vulnerability details:

CVE-2020-13508 – Parameter AliasName in Alias.asmx is vulnerable to unauthenticated SQL injection attacks.
CVE-2020-13505 – Parameter psClass in ednareporting.asmx is vulnerable to unauthenticated SQL injection attacks.
CVE-2020-13503 – Parameter AttFilterName in ednareporting.asmx is vulnerable to unauthenticated SQL injection attacks.
CVE-2020-13501 – Parameter InstanceName in CHaD.asmx is vulnerable to unauthenticated SQL injection attacks.
CVE-2020-13500 – Parameter ClassName in CHaD.asmx is vulnerable to unauthenticated SQL injection attacks.
CVE-2020-13499 – Parameter InstancePath in CHaD.asmx is vulnerable to unauthenticated SQL injection attacks.
CVE-2020-13507 – Parameter OrigID in Alias.asmx is vulnerable to unauthenticated SQL injection attacks.

Remark: Specially crafted SOAP web requests can cause SQL injection resulting in data compromise in the items above.

Remedy: Waiting for official announcement.

Boeing, U.S. regulator made series of errors ahead of 737 Max crashes: congressional report (Sep 2020)

Preface: From a logical point of view, if the input relies only on a standalone source (a sensor), the integrity of the result depends entirely on the total number of variable factors. A sensor installed on an airplane is perhaps an IoT device, so it lured my interest.

Background: Traditionally the older (NG) 737 variants did not have fly-by-wire technology, and autopilot could be overridden and turned off simply by putting manual pressure on the yoke.

Software that talks to computers, such as airplane equipment, is often written in a programming language called C. The names of files written in C code usually have .c at the end. This assumes that the MCAS software is contained in a file called mcas.c. But this time there was no cyber attack; this is a problem caused by human error.

For the 737 Max crashes (congressional report), please refer to the headline news – https://www.cbc.ca/news/world/us-congress-boeing-crash-report-1.5725876

Cause of incident: In the case of the Lion Air crash, the sensor malfunctioned and caused the flight computer to push the nose down when the flight was level.

From a technical point of view, the sensor is an IoT device. There are facilities that can avoid such a disaster. Conceptually, even a simple XOR gate with two inputs, or a combination of NAND gates equivalent to an XOR gate, can be set up. The essence of the objective is to apply suitable logic to the logic circuit, whereby the output is dependent at all times on the combination of its inputs. Simply put, it is logic design.

antihackingonline.com