Preface: PPP daemon (pppd) which is used to manage network connections between two nodes on Unix-like operating systems. The EAP extension to PPP was first defined in RFC 2284, now obsoleted by RFC 3748.

Synopsis: A 17-year-old defect in Linux system found! The impact will be included dial-up modems, DSL broadband connections, and Virtual Private Networks. The Linux system including Debian, Ubuntu, SUSE Linux, Fedora, NetBSD and Red Hat Enterprise Linux has been impacted. In the old technology world, PPP over Ethernet, defined in RFC 2516, is a method of transmitting PPP over Ethernet. It provides the ability to connect a network of PPPoE client hosts to a service provider access concentrator over a single bridging access device. Above communication protocol do the interconnect function on automation system and SCADA architecture. The impact of this issue was included different industry especially Manufacturing, Food Production, Electric and Gas Utilities & Waste Water Treatment. Even though the business equipment do not have exception. The business products including Cisco CallManager, TP-LINK products and Synology products. The OpenWrt Project is a Linux operating system targeting embedded devices. Embedded computing platforms are responsible for many of the of the lower-level mechanics that drive the IoT. It seems that the area of impact will be included of this area.

Official announcement – https://www.kb.cert.org/vuls/id/782301/

Preface: Certificates will begin being revoked at 3 PM EST. 4th Mar 2020

Security Focus: Due to design defect, Let’s Encrypt had to rush to inform users about the revocation the SSL server certification that’ll be completed in less than 24 hours. The SSL/TLS certificates will be revoke by tomorrow, March 4 (at 00:00 UTC at the earliest). Sites with revoked certificates may begin showing insecure icons in browser. Affected site publishers will have to reapply for a new certificate in order to regain secure status.

Official announcement: The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.

To check if your domain is affected by this bug and needs to be renewed, you can use the tool at https://checkhost.unboundtest.com/. 

Preface: You can load a custom dll in system32 via diaghub.

Background: Starting from Windows 10, Microsoft introduced the Update Session Orchestrator service. As a regular user, you can interact with this service using COM, and start an “update scan” (i.e. check whether updates are available) or start the download of pending updates for example. There is even an undocumented built-in tool called usoclient.exe, which serves that purpose.

From an attacker’s standpoint, this service is interesting because it runs as NT AUTHORITY\System and it tries to load a non-existent DLL (windowscoredeviceinfo.dll) whenever an Update Session is created.

Vulnerability details: Cyber criminal can load a custom dll in system32 via diaghub.
So the cyber attacker can exploit diaghub.exe (3rd party tool) load the WindowsCoreDeviceInfo.dll to C:\Windows\System32.
Then use netcat (3rd party tool) and use the command nc.exe 127.0.0.1 1337 to connect to the bindshell.

Remedy CVE-2020-0668 : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0668

Preface: What is the best way for web server and the servlet container do a communications?

Technical details: The ajp13 protocol is packet-oriented. A binary format was presumably chosen over the more readable plain text for reasons of performance. It communication between the web server and the servlet container.

Vulnerability details: The vulnerability impact the Apache web server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution (RCE). Besides, a remote, unauthenticated attacker could exploit this vulnerability. The attacker is able to read web application files from a vulnerable server.

Remedy: If you cannot take further action in the moment.
You can choose to disable the AJP Connector directly. Please refer attached diagram. The versions of 9.0.31, 8.5.51, and 7.0.100 has remedy this vulnerability.

Preface: OPENSMTPD – plagued by numerous vulnerabilities. Most recently – CVE-2020-8794

Details: Qualys has found another critical vulnerability in OpenSMTPD.In normal circumstance, the adjacent side connects to the SMTP server and sends commands such as EHLO, MAIL FROM, RCPT TO. The SMTP server responds with a single or multiple lines of response: The client-side exploitation of this vulnerability is straightforward; wait until OpenSMTPD connects to mail server and respond with a multiline reply (a permanent error) that creates a bounce and injects the following lines into its envelope:

type: mda
mda-exec: our arbitrary shell command
dispatcher: local_mail
mda-user: root

If the “mbox” method is used for local delivery (the default in OpenBSD -current), then arbitrary command execution as root is still possible; otherwise (if the “maildir” method is used, for example), arbitrary command execution as any non-root user is possible.

Remedy: Official announcement – https://github.com/OpenSMTPD/OpenSMTPD/releases