Preface: Serialization in Java is a mechanism of writing the state of an object into a byte-stream. It is mainly used in Hibernate, RMI, JPA, EJB and JMS technologies. The reverse operation of serialization is called deserialization where byte-stream is converted into an object.

Product background: Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. About 11 years ago. VMWare has announced the acquisition of SpringSource, a provider of Web application development and management services.

Vulnerability details: When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the “deserialization gadgets” exploit when provided data contains malicious code for execution during deserialization.

Remedy: Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown “deserialization gadgets” when configuring Kryo in code. For more details, please refer to the link – https://spring.io/blog/2020/07/22/spring-integration-4-3-23-5-1-12-5-2-8-5-3-2-available-cve-2020-5413

Preface: Computer technology enlightens the automation industry. Due to modern CNC (Computer Numeric Control) technology, tiny parts are easy to produce. Who is the hero of this industry? I believe it is CAD technology.

Background: CAD administrators use INNEO “Startup TOOLS” to manage working environments including licenses and standardized library elements and maintain their correct configuration. Users are relieved of routine tasks and can easily place many design elements instead of having to design them from scratch.
This is one of the reasons why companies rely on INNEO “Startup TOOLS” to make their work easier and more efficient.

Vulnerability details: An issue was discovered in INNEO Startup TOOLS 2017 M021 12.0.66.3784 through 2018 M040 13.0.70.3804. The sut_srv.exe web application (served on TCP port 85) includes user input into a filesystem access without any further validation. This might allow an unauthenticated attacker to read files on the server via Directory Traversal, or possibly have unspecified other impact.

Observation: INNEO Startup TOOLS (2018 M040 13.0.70.3804) uses PHP version 5.2.13. So attacker can rely on the PHP programming to conduct the null-byte injection attack. Perhaps the intellectual property might at risk.

Remedy: The vendor has a newer version 6.x.x.x and ongoing which is the successor of the deprecated versions of 2018 and before.

Preface: A large number of mobile apps and websites allow users to upload profile pictures and other files. Therefore, handling files upload is a common requirement while building a REST API with Node.js & Express (Express-fileupload). Express-fileupload is a middleware.

Technical background: How express-fileupload works? It makes the uploaded files accessible from req[.]files property. For example, if you are uploading a file called my-profile[.]jpg, and your field name is avatar, you can access it via req[.]files[.]avatar.

Vulnerability details: CVE-2020-7699 – This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution. For more details, please refer to attached diagram. Besides, you can find proof of concept details in following link. https://blog.p6.is/Real-World-JS-1/

Preface: When we read the vulnerability article, we will despise those vulnerabilities that require authentication to execute. However, this type of design flaw should be considered because it is not limited to the inside threat area.

Background: Umbraco is the #1 Microsoft open source CMS in the world
Popular Sites Using Umbraco, For example: Instagram,slideshare,flickr,zippyshare,cnblogs,wattpad,…etc.

Technical details: Umbraco is primarily written in C#. It stores all data in relational database (Microsoft SQL Server) working on Microsoft IIS. For preventive protection, IT admin will install Reverse proxy in front of IIS server.

Vulnerability: Umbraco CMS design limitation causes Remote Code Execution. In this discussion, we predict that attackers can exploit previous vulnerabilities. For example: Umbraco CMS 8.2.2 cross-site request forgery CSRF. Exploitation of this vulnerability is usually carried out through malicious social engineering, such as tricking the victim into sending a fake email or link to the server. Therefore, stealing user credentials is not only a theory. For current vulnerabilities, the web server will encounter unknown risks. For details, please refer to attached diagram.

Preface: From some perspectives, the operating system and related components are designed to provide functionality. Therefore, network security does not involve its design scope. Even if network security has been included in their design. However, product technology changes with each passing day. Therefore, we often hear information about vulnerabilities.

Why do I need a system bootloader?
The bootloader exists because there is no standardized protocol to load the first code, because it depends on the product design. Sometimes, the code can be loaded via a serial port, flash memory or even a hard disk. Locate it as a bootloader function.

Vulnerability details: The GRUB2 boot loader is vulnerable to buffer overflow, which results in arbitrary code execution during the boot process, even when Secure Boot is enabled.
An attacker could use it to plant malware known as bootkit that loads before the operating system (OS).

Hacker can modify “grub [.] cfg” because it lacks any integrity protections such as a digital signature. Since “grub [.] cfg” is a text file.

Official reference: GRUB2 bootloader is vulnerable to buffer overflow. Click on the URL for details – https://www.kb.cert.org/vuls/id/174059

Preface: To be precise, over 250,00 active sites use Magento.
Only 11,000 of those run on Magento 2, though. Many well-known international companies have chosen Magento as their e-commerce solutions, including Coca-Cola, Nike, Harpers Bazar, Fiji Water and Olympus.

Vulnerability details: Adobe has released security updates to address vulnerabilities in Magento Commerce 2 (formerly known as Magento Enterprise Edition) and Magento Open Source 2 (formerly known as Magento Community Edition). An attacker could exploit some of these vulnerabilities to take control of an affected system.

Remedy by Magento:

• The template filter in legacy mode can be vulnerable to remote code execution (RCE). Enabling strict mode by default ensures that RCE attacks cannot be deliberately enabled.
• In order to avoid the opportunity of execute arbitrary JavaScript, Data rendering for UI data providers is now disabled by default.
• PHP could allow for arbitrary code execution (Eval class during preload causes class to be only half available)
• 2FA is enabled by default and cannot be disabled. This extra step of authentication makes it harder for malicious users to log in to the Admin without authorization.

Official announcement: For more details, please refer to the link – https://helpx.adobe.com/security/products/magento/apsb20-47.html

Preface: In the cyber world, many defense mechanisms can accomplish tasks well. However, the daily operations involves different business expectations and change management. As a result it create a lot of opportunity to the cyber criminals.

Security focus today: With reference of US CERT announcement on 8th July 2020. US Cert urge the information technology and Operational technology zones that the design weakness of UPnP may have impact to users environment. Down to the details. The Universal Plug and Play (UPnP) protocol in effect prior to April 17, 2020 can be abused to send traffic to arbitrary destinations using the SUBSCRIBE functionality. So the impact of this design weakness shall be wide. For instance, cyber criminals can transform this design weakness as a cyber weapon to conducting the data exfiltration. Besides, it can exploit this feature bypass Proxy server and firewall.
The data stealer will make use of a compromised device as proxy, then establish a secure tunnel (SSL) to external server. Since there is no blacklist database install in this printer. So, it will led the traffic send to external without difficulties. Apart from that , SSL traffic bypass firewall content filtering. So, the data can be exfiltrated. For the details of this matters, please refer to attached diagram for reference.

Reference: Vulnerability Note VU#339275 – https://kb.cert.org/vuls/id/339275

Highlights: An attacker can use this vulnerability for:

• Bypassing DLP for exfiltrating data
• Using millions of Internet-facing UPnP device as source of amplified reflected TCP DDoS / SYN Flood
• Scanning internal ports from Internet facing UPnP devices