CVE-2022-20377 – Google Android Fingerprint keymaster_ipc[.]cpp Local Privilege Escalation (11th Aug 2022)

Preface: Pixel phones install downloaded Android updates in the background. The installed updates become active the next time that you restart your phone.

Background: Protecting the sensitive data stored on mobile devices is a hot topic, which is why mobile app developers have to take care of it. Google's answer on Android is the Android Keystore: it lets an app use asymmetric and symmetric keys without the raw key material ever being exposed to application code, and on devices with a trusted execution environment or StrongBox the key operations are carried out by hardware-backed code (Keymaster, now KeyMint) rather than by the Android OS.
HMAC stands for Hash-based Message Authentication Code (also Keyed-hash Message Authentication Code). Android uses HMAC-SHA256 to verify the authenticity and integrity of data passed between its trusted components: Keymaster, Gatekeeper, Fingerprint and face authentication share one HMAC key, so that an authentication token minted by one of them after a successful unlock can be verified by the others. HMACs suit this job because they are cheap to compute and verify compared with public-key signatures.

Vulnerability details: In TBD of keymaster_ipc[.]cpp, it is possible to force Gatekeeper, Fingerprint and face authentication to use a known HMAC key. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Since the vendor has not disclosed details, one plausible reading is as follows. HMAC uses a single shared symmetric key: every party that holds the key can both verify and create valid tags. That is why HMAC provides integrity and authenticity but not non-repudiation (non-repudiation, proof of the origin of data that the originator cannot later deny, would require a key that only the signer holds).
Consequently, if the key shared between Keymaster, Gatekeeper, Fingerprint and face authentication is compromised, or if a caller can force those components onto a key the attacker already knows, the attacker can mint authentication tokens that pass verification without ever authenticating, and use them to unlock auth-bound keys or satisfy authentication checks.
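To make the point concrete, here is an added illustration (not Android or Trusty source) of an authentication token protected by HMAC-SHA256, following the field layout of the public hw_auth_token_t structure (version, challenge, user id, authenticator id, authenticator type, timestamp, then a 32-byte MAC over those fields). The byte order, the key values and the "forced key" scenario are assumptions made for the demo. With a random per-boot key the forged token is rejected; once the verifier is forced onto a key the attacker knows, the same forgery verifies.

```python
# Added illustration, not Android or Trusty source: why a known HMAC key
# breaks hardware authentication tokens. Layout follows the public
# hw_auth_token_t; byte order, key values and the "forced key" scenario
# are assumptions for the demo.
import hashlib
import hmac
import os
import struct

AUTH_TOKEN_VERSION = 0
HW_AUTH_FINGERPRINT = 1 << 1           # hw_authenticator_type_t value for fingerprint
# Packed fields the MAC covers (assumed little-endian, no padding).
_FIELDS = struct.Struct("<BQQQIQ")     # version, challenge, user_id, authenticator_id, type, timestamp
_MAC_LEN = 32


def mint_token(key, challenge, user_id, authenticator_id, authenticator_type, timestamp_ms):
    """What a trusted authenticator (Gatekeeper, Fingerprint) does after a
    successful authentication: sign the token fields with the shared HMAC key."""
    body = _FIELDS.pack(AUTH_TOKEN_VERSION, challenge, user_id,
                        authenticator_id, authenticator_type, timestamp_ms)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_token(key, token, expected_challenge):
    """What Keymaster does before honouring an auth-bound key operation."""
    if len(token) != _FIELDS.size + _MAC_LEN:
        return False
    body, mac = token[:_FIELDS.size], token[_FIELDS.size:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):          # constant-time comparison
        return False
    version, challenge, _user, _auth_id, _auth_type, _ts = _FIELDS.unpack(body)
    return version == AUTH_TOKEN_VERSION and challenge == expected_challenge


def attacker_token(key, challenge):
    """An attacker minting a token that claims a fingerprint match for user 0."""
    return mint_token(key, challenge, user_id=0, authenticator_id=1,
                      authenticator_type=HW_AUTH_FINGERPRINT, timestamp_ms=1000)


def forged_token_verifies_under_secret_key():
    """Healthy device: the shared key is a random per-boot secret the attacker
    never sees, so a token signed under a guessed key fails verification."""
    shared_key = os.urandom(32)
    forged = attacker_token(bytes(32), challenge=0x1234)   # attacker guesses an all-zero key
    return verify_token(shared_key, forged, expected_challenge=0x1234)


def forged_token_verifies_under_known_key():
    """Broken device: the components were forced onto a key the attacker knows
    (all zeros here), so the identical forgery now verifies."""
    forced_key = bytes(32)
    forged = attacker_token(forced_key, challenge=0x1234)
    return verify_token(forced_key, forged, expected_challenge=0x1234)


if __name__ == "__main__":
    print("secret key, forged token accepted:", forged_token_verifies_under_secret_key())  # False
    print("known key,  forged token accepted:", forged_token_verifies_under_known_key())   # True
```

The verifier is the same code in both runs; nothing about the token format changes. The only difference is whether the key is a secret, which is exactly the property the bulletin says an attacker could take away.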

Official announcement – Please refer to the link for details – https://source.android.com/security/bulletin/pixel/2022-08-01

AMD’s delayed announcement – CVE-2021-46778 (9th Aug 2022)

Preface: Is this a possible solution? Can SMT be disabled to mitigate SQUIP? As far as we know, doing so would severely degrade the performance of AMD processors.

Background: The SMM-related technique referred to later in this post works as follows. The attacker reprograms the MTRRs (Memory Type Range Registers), which give system software control over how CPU accesses to a memory range are cached, so that the SMRAM range changes from uncacheable to cacheable with type write-back.
The attacker can then write code to the addresses that are normally reserved for SMM; it lands in the cache, and when the CPU enters SMM it fetches the handler from the cache ahead of DRAM and executes the attacker's code. Note that this is the SMRAM cache-poisoning attack published in 2009 and since addressed by SMRRs; it is not how SQUIP itself works.

Remark: SMM code is the most privileged code executed on the CPU. It is completely hidden from the running operating system, it cannot be modified by the kernel or even by DMA devices, and, most importantly, SMM code can access any physical memory.

Vulnerability details: A contention-based side-channel vulnerability was found in hardware. Some AMD CPUs using simultaneous multithreading (SMT) may allow an attacker to measure the contention level on the execution unit scheduler queues, leading to potential leakage of sensitive information.

To exploit the design weakness and get at data processed on the same CPU core, the attacker first needs to run malicious code on that physical core, typically as the sibling SMT thread of the victim. Is it possible to take advantage of SMM for this?

Official announcement – Execution Unit Scheduler Contention Side-Channel Vulnerability on AMD Processors. AMD's guidance is for software developers to employ existing best practices, including constant-time algorithms and avoiding secret-dependent control flow where appropriate. Please refer to the link for details – https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1039

What made the vendor (SAP) update a vulnerability note that was first released in April 2018 (Note# 2622660)? 9th Aug 2022

Preface: SAP has released its August 2022 Patch Day updates. However, you will still see an item you are familiar with. Which one? As follows!
Update to a Security Note released on the April 2018 Patch Day:
Security updates for the browser control Google Chromium delivered with SAP Business Client. Product: SAP Business Client, Versions 6.5, 7.0, 7.70 (Hot News – CVSS 10)

Background: SAP Business Client 7.70 was launched together with SAP GUI for Windows 7.70. With 7.70 you can connect to your launchpad in the cloud (SAP BTP, Cloud Foundry runtime environment); whenever a navigation targets a transaction running in an on-premise system, the transaction is rendered with SAP GUI for Windows, otherwise with SAP GUI for HTML. Furthermore, SAP Business Client embeds Chromium, the open-source rendering engine behind the Google Chrome web browser, as its browser control.

What rendering engine does Chrome use? Most of Chrome's source code comes from Google's free and open-source Chromium project, although Chrome itself is licensed as proprietary freeware. WebKit was the original rendering engine; Google later forked it to create the Blink engine, and all Chrome variants except iOS now use Blink.

Vulnerability details: No CVE number is assigned to the note itself. A note with CVSS 9.8 for component BC-FES-BUS-DSK was released by SAP on 10.04.2018. The correction/advisory 2622660 is titled “Security updates for the browser control Google Chromium delivered with SAP Business Client” and affects the system type SAP GUI / Frontend.

Details of the problem require a user ID and password – https://accounts.sap.com/saml2/idp/sso . Perhaps there is no need to get past the vendor's registration wall; you can guess what is going on.

SAP Business Client embeds Chromium, the open-source rendering engine of the Google Chrome web browser. Security note 2622660 has existed since April 2018 and is re-released whenever the embedded browser is updated: its purpose is to inform customers about the vulnerabilities that SAP Business Client inherits from third-party web browser components such as Google Chromium. The vulnerabilities listed in the note are in components delivered by Google, and the patch action is to move to the SAP Business Client patch level that ships the newer Chromium.

On 9th August 2022, SAP Security Patch Day saw the release of 5 new Security Notes. Further, there were 2 updates to previously released Patch Day Security Notes. Please refer to the link for details – https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10

CVE-2022-33719 – Improper input validation in baseband prior to SMR Aug-2022 Release 1 (5th Aug 2022)

Preface: In the Samsung Galaxy S22 series some regional versions use the Qualcomm Snapdragon 8 Gen 1 while the European version uses the Exynos 2200. European users will cheer if the Samsung Galaxy S23 drops the Exynos chip as expected.


Background: Android 12 is the twelfth major release and 19th version of Android, the mobile operating system developed by the Open Handset Alliance led by Google. Samsung's advisory refers to releases by codename letter:
Android Q is Android 10
Android R is Android 11
Android S is Android 12

Baseband initialization: pal_init() is the monolithic function that starts all modem subsystems and tasks:
○ Activates malloc heap
○ Loads NV items
○ Starts timers
○ Initializes DSP(s) and other peripherals
○ Starts all tasks

Vulnerability details: Improper input validation in the baseband prior to SMR Aug-2022 Release 1 allows attackers to cause an integer overflow that leads to a heap overflow. The patch adds proper validation logic to prevent the integer overflow.
The weakness was published on 08/05/2022 and the advisory is available at security.samsungmobile.com. The issue has been tracked as CVE-2022-33719 since 06/15/2022. The technical details are not public and no exploit is known to be available.
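Samsung has not published the faulty computation, so the following is an added illustration (not Samsung or Shannon baseband code) of the bug class the advisory names: a length computed in 32-bit arithmetic wraps, the firmware allocates a tiny heap buffer, and the copy loop that still trusts the element count overruns it. The message header (element size, element count), the allocation overhead and the transport limit are constructed for the example; the checked version shows the overflow test a patch of this kind adds.

```python
# Added illustration, not Samsung or Shannon baseband code: an unchecked
# 32-bit length computation turning into a heap overflow, beside the
# validation that stops it. Header format and limits are constructed.
import struct
from typing import Optional

UINT32_MAX = 0xFFFFFFFF
HEADER = struct.Struct("<HI")        # element_size: u16, element_count: u32 (constructed format)
HEADER_OVERHEAD = 8                  # bookkeeping bytes the firmware adds to every allocation
MAX_PAYLOAD = 0x10000                # largest message the (hypothetical) link layer can deliver


def vulnerable_alloc_size(element_size: int, element_count: int) -> int:
    """Mirrors C `uint32_t total = size * count + 8;` -- wraps silently at 2**32."""
    return (element_size * element_count + HEADER_OVERHEAD) & UINT32_MAX


def checked_alloc_size(element_size: int, element_count: int) -> Optional[int]:
    """Patched pattern: reject counts whose product would overflow or exceed the link."""
    if element_size == 0:
        return None
    if element_count > (UINT32_MAX - HEADER_OVERHEAD) // element_size:
        return None                              # size * count + 8 would not fit in uint32
    total = element_size * element_count + HEADER_OVERHEAD
    if total > MAX_PAYLOAD:
        return None                              # longer than any genuine message
    return total


def process_message(msg: bytes, alloc_size) -> str:
    """Parse the header, allocate, then model the copy loop that trusts element_count."""
    element_size, element_count = HEADER.unpack_from(msg)
    total = alloc_size(element_size, element_count)
    if total is None:
        return "rejected"
    heap_buf = bytearray(total)                  # stand-in for the firmware heap allocation
    bytes_written = element_size * element_count # what a per-element copy loop would write
    if bytes_written > len(heap_buf):
        return "heap-overflow: alloc=%d write=%d" % (len(heap_buf), bytes_written)
    return "ok"


# Constructed hostile header: 0x1000 * 0x100000 == 2**32, so size*count+8 wraps to 8.
HOSTILE = HEADER.pack(0x1000, 0x100000)
# Constructed benign header: four 16-byte elements.
BENIGN = HEADER.pack(16, 4)

if __name__ == "__main__":
    print(process_message(HOSTILE, vulnerable_alloc_size))   # heap-overflow: alloc=8 write=4294967296
    print(process_message(HOSTILE, checked_alloc_size))      # rejected
    print(process_message(BENIGN, checked_alloc_size))       # ok
```

The division-based test (count > (MAX - overhead) / size) is the idiomatic way to check a multiplication for overflow without performing it; the additional comparison against the transport's maximum payload rejects absurd sizes even when they would not wrap.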

A summary of my observations is in the diagram below.

Severity: Critical
Affected versions: Selected Q(10), R(11), S(12) devices with S.LSI CP chipsets
Reported on: February 26, 2022

Official details: Please refer to the link for details – https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=08

CVE-2022-1973 A use-after-free vulnerability was found in the Linux kernel (log_replay in fs/ntfs3/fslog[.]c for NTFS logs)

Preface: The NTFS3 component is not built into the 5.15 kernel of Manjaro; ntfs3 is a kernel module, available from version 5.15.2_rt19-1. Typing “modinfo ntfs3” tells you whether the ntfs3 module is installed.

Background: ext4 is the better choice on Linux-based systems because it is designed and built for Linux; NTFS, on the other hand, is designed and built for Windows. KDE Partition Manager supports a large number of file systems, the most notable being NTFS, FAT and F2FS. Like every other KDE application, Partition Manager is released under the GNU General Public License, making it completely free to use and open source.
NTFS3 is called NTFS3 because it fully implements version 3.1 of the NTFS file system specification, the latest. NTFS is unlikely to change in future, so the NTFS3 name reflects that it implements the latest revision of NTFS.
NTFS3 is a fully functional NTFS read-write driver. It works with NTFS versions up to 3.1, with normal, compressed and sparse files, and with journal replaying. The file system type to use on mount is ‘ntfs3’.

  • This driver implements NTFS read/write support for normal, sparse and compressed files.
  • Supports native journal replaying;
  • Supports extended attributes

Vulnerability details: A use-after-free flaw was found in the Linux kernel in log_replay in fs/ntfs3/fslog.c in the NTFS journal. This flaw allows a local attacker to crash the system and leads to a kernel information leak. As the vendor has not provided other details yet, it lured me into speculating. For details, please refer to the chart.

Solution: Upgrading to version 5.19-rc1 eliminates this vulnerability.

Related article: Please refer to the link for details https://bugzilla.redhat.com/show_bug.cgi?id=2092542

CVE-2022-35930 – Ability to bypass attestation verification on sigstore (policy-controller) 4th Aug 2022

Preface: In the simplest terms, policies define what end users can do on the cluster and provide a way to ensure that clusters comply with organization policy. Policy enablement empowers organizations to take control of Kubernetes operation and keep clusters in compliance.

Background: The policy-controller admission controller will only validate resources in namespaces that have chosen to opt-in. This can be done by adding the label policy.sigstore.dev/include: “true” to the namespace resource (see below):
kubectl label namespace my-secure-namespace policy.sigstore.dev/include=true

Ref: An image is admitted after it has been validated against all ClusterImagePolicy that matched the digest of the image and that there was at least one valid signature or attestation obtained from the authorities provided in each of the matched ClusterImagePolicy. So each ClusterImagePolicy that matches is AND for admission, and within each ClusterImagePolicy authorities are OR.

Vulnerability details: PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1, PolicyController reports a false positive, admitting an image that should not be admitted, when there is at least one attestation with a valid signature but there are NO attestations of the type being verified (--type defaults to “custom”). An example image that can be used to test this is ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2.

Solution: Users should upgrade to version 0.2.1 to resolve this issue.

Workarounds: There are no workarounds for users unable to upgrade.
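To see why the admission rule quoted above (AND across matching ClusterImagePolicies, OR across each policy's authorities) still admits the wrong image, here is an added model of the logic, written for this post and not taken from the policy-controller source. The attestation records, policy names and authority names are constructed; the "vulnerable" authority check is the behaviour the advisory describes for versions before 0.2.1, and the "fixed" one requires the attestation type to match.

```python
# Added model, not the sigstore policy-controller source: admission is AND
# across matching ClusterImagePolicies and OR across each policy's
# authorities; an attestation should only count if its predicate type is
# the one the authority asks for. Records and names are constructed.
from dataclasses import dataclass
from typing import Callable, Sequence


@dataclass(frozen=True)
class Attestation:
    predicate_type: str       # e.g. "custom", "vuln", "spdx"
    signature_valid: bool     # result of verifying the signature against the authority's key


@dataclass(frozen=True)
class Authority:
    name: str
    attestation_type: str = "custom"    # --type defaults to "custom"


@dataclass(frozen=True)
class ClusterImagePolicy:
    name: str
    authorities: Sequence[Authority]


def authority_satisfied_vulnerable(auth: Authority, atts: Sequence[Attestation]) -> bool:
    """Behaviour the advisory describes for < 0.2.1: any validly signed attestation
    satisfies the authority, even when none has the type being verified."""
    return any(a.signature_valid for a in atts)


def authority_satisfied_fixed(auth: Authority, atts: Sequence[Attestation]) -> bool:
    """Corrected check: a validly signed attestation of the requested type must exist."""
    return any(a.signature_valid and a.predicate_type == auth.attestation_type for a in atts)


def admit(policies: Sequence[ClusterImagePolicy], atts: Sequence[Attestation],
          authority_satisfied: Callable[[Authority, Sequence[Attestation]], bool]) -> bool:
    """Every matching policy must pass (AND); a policy passes if any authority does (OR).
    With no matching policy, all() is True and the image is admitted."""
    return all(any(authority_satisfied(a, atts) for a in p.authorities) for p in policies)


POLICIES = [ClusterImagePolicy("require-custom-attestation", [Authority("release-key")])]
POLICIES_TWO = POLICIES + [ClusterImagePolicy("require-vuln-scan", [Authority("scanner", "vuln")])]

# Constructed attestation sets.
ONLY_SPDX_SIGNED = [Attestation("spdx", True)]                       # valid signature, wrong type
CUSTOM_SIGNED = [Attestation("spdx", True), Attestation("custom", True)]
CUSTOM_BAD_SIG = [Attestation("custom", False)]


def demo() -> dict:
    """Each entry: (admitted by vulnerable logic, admitted by fixed logic)."""
    def both(policies, atts):
        return (admit(policies, atts, authority_satisfied_vulnerable),
                admit(policies, atts, authority_satisfied_fixed))
    return {
        "wrong_type_only": both(POLICIES, ONLY_SPDX_SIGNED),        # the CVE-2022-35930 case
        "custom_present": both(POLICIES, CUSTOM_SIGNED),
        "custom_bad_sig": both(POLICIES, CUSTOM_BAD_SIG),
        "two_policies_one_unmet": both(POLICIES_TWO, CUSTOM_SIGNED),  # AND across policies
    }


if __name__ == "__main__":
    for case, (vulnerable, fixed) in demo().items():
        print("%-24s vulnerable admits=%s  fixed admits=%s" % (case, vulnerable, fixed))
```

The first case is the advisory's scenario: a correctly signed SPDX attestation exists, no "custom" attestation exists, and the vulnerable check still admits. The last case shows the AND rule: a second policy demanding a "vuln" attestation denies the image under the fixed logic even though the first policy is satisfied.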

CVE-2022-37035 FRRouting Release 8.3 design weakness (4th Aug 2022)

Preface: FRRouting is a free IP routing protocol suite. Many companies, among them ISPs, SaaS providers, web 2.0 businesses, hyperscale services and Fortune 500 private clouds, use it as a fundamental part of their networks.

Background: FRRouting (FRR) is a free and open source Internet routing protocol suite for Linux and Unix platforms. It implements BGP, OSPF, RIP, IS-IS, PIM, LDP, BFD, Babel, PBR, OpenFabric and VRRP, with alpha support for EIGRP and NHRP.

BGP uses four message types: OPEN, UPDATE, KEEPALIVE and NOTIFICATION. A NOTIFICATION signals that something is wrong with the BGP session, for example an unsupported option in an OPEN message or a hold timer expiring because the peer failed to send an UPDATE or KEEPALIVE in time; after sending it the speaker closes the connection.

Vulnerability details: An issue was discovered in bgpd in FRRouting (FRR) 8.3. In bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c, there is a possible use-after-free due to a race condition. This could lead to Remote Code Execution or Information Disclosure by sending crafted BGP packets. User interaction is not needed for exploitation.

My speculation: the race is between the thread that processes received packets (bgp_process_packet) and the one that sends a NOTIFICATION and tears the peer down (bgp_notify_send_with_data); if one frees the peer's buffers or state while the other still holds a pointer to them, the classic two-thread use-after-free results. Refer to the diagram of the file (bgp_packet.c): the BGP_MSG_KEEPALIVE path updates its counters with atomic operations tagged “memory_order_relaxed”.
Atomic operations tagged memory_order_relaxed are not synchronization operations: they make the single access atomic but impose no order on surrounding memory accesses, so they cannot by themselves protect neighbouring data from a concurrent free. Perhaps this is one way such a design weakness comes about.


CWE-416: Use After Free
The memory in question is validly allocated to another pointer at some point after it has been freed. The original pointer to the freed memory is used again and now points somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process.

Ref: A use-after-free bug due to race conditions in 2 threads. · Issue #11698 · FRRouting/frr · GitHub – https://github.com/FRRouting/frr/issues/11698

CVE-2022-33917: In certain circumstances, some versions of the Mali GPU Kernel driver can become compromised. (2nd Aug 2022)

Preface: Mali GPU kernel drivers are used across the IoT and IIoT world, and also in the automotive, gaming, healthcare and artificial intelligence industries.

Background: The Android and Linux versions of the Mali GPU device driver provide low-level access to Mali GPUs of the Valhall family. Some of these components are made available under the GPLv2 licence; the company, Arm, provides access to the source packages from which the loadable kernel modules can be built.
The Mali GPU kernel device driver handles access to the Mali GPU hardware, interrupt handling and low-level memory management.

Example:
Question: When a program (a driver or an application) calls kmalloc and does not free that memory before rmmod is called on the module, what happens to that memory? Is it leaked and unusable until a restart, or does the kernel free it automatically?
Answer: It is not freed until that is done explicitly. Memory allocated with kmalloc() must be released with kfree(); unloading the module does not reclaim it, so the memory stays allocated until the system is rebooted. Conversely, memory that is freed too early while another reference to it still exists is what produces a use-after-free.

Vulnerability details: An issue was discovered in the Arm Mali GPU Kernel Driver (Valhall r29p0 through r38p0). A non-privileged user can perform improper GPU processing operations to gain access to already freed memory.
Generic description of the weakness: the software performs operations on a memory buffer, but it can read from or write to a memory location that is outside the intended boundary of the buffer.
As usual, the vendor does not disclose the details. Perhaps we can find hints by comparing two different versions of the driver.
Please refer to the attached image for details.

Solution: This issue is fixed in Valhall GPU Kernel Driver r39p0. Users are recommended to upgrade if they are impacted by this issue. Please refer to the link for details – https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities
Remark: The fixed driver was released on 17th June 2022, so the risk may already be mitigated for users who have updated.

CVE-2022-35918 Streamlit vulnerability – If you work in the machine learning industry, you should consider it.
(1st Aug, 2022)

Preface: In 2017, Facebook's artificial intelligence bots were shut down after they started talking to each other in their own language. Maybe no one remembers!

Background: If you are a data scientist, you know the details of the algorithms, which libraries to use, and how to run diagnostics. For the machine learning setup you will probably use open-source software. One way is to create an ML app using Flask, a commonly used Python web framework.
You have other choices too. Streamlit is a framework used by machine learning engineers and data scientists to build UIs and machine learning apps on top of a trained model.

  1. Install streamlit:
    pip install streamlit
  2. Build the streamlit app:
  • Create a new Python file named app.py.
  • Add your pickled model to a folder in the project.
  • Import the required packages.
  • Unpickle the model.
  • Build your prediction logic.
  • Use Material UI for styles and icons.
  • Add an image.

Vulnerability details: Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from the web server's file system, such as server logs, world-readable files and potentially other sensitive information.
An attacker can craft a malicious URL containing file path components, and the Streamlit server would process that URL and return the contents of the referenced file.
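The following is an added illustration, not Streamlit's own handler code, of the pattern behind this bug: a file resolver that joins the requested path onto the component directory and serves whatever exists there, next to a hardened one that resolves the path first and insists the result stays under the component root. A temporary component directory and an out-of-tree “server.log” are constructed for the example.

```python
# Added illustration, not Streamlit's handler code: a naive static-file
# resolver for custom components beside a hardened one. The directory
# layout and the "server.log" contents are constructed for the demo.
import os
import tempfile
from typing import Optional


def vulnerable_resolve(component_root: str, requested: str) -> Optional[str]:
    """Joins the URL path straight onto the component directory and serves
    whatever exists. '../' segments and absolute paths both escape the root."""
    path = os.path.join(component_root, requested)
    return path if os.path.isfile(path) else None


def hardened_resolve(component_root: str, requested: str) -> Optional[str]:
    """Resolve symlinks and '..' first, then require the result to be under the root."""
    root = os.path.realpath(component_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None                          # escaped the component directory
    return candidate if os.path.isfile(candidate) else None


def build_fixture():
    """Constructed layout: <base>/components/my_widget/index.html and <base>/server.log."""
    base = tempfile.mkdtemp(prefix="st_demo_")
    component = os.path.join(base, "components", "my_widget")
    os.makedirs(component)
    with open(os.path.join(component, "index.html"), "w") as fh:
        fh.write("<html>widget</html>")
    secret = os.path.join(base, "server.log")   # lives outside the component tree
    with open(secret, "w") as fh:
        fh.write("2022-08-01 INFO session token ... (constructed log line)\n")
    return component, secret


def demo() -> dict:
    """Each entry: (served by vulnerable resolver, served by hardened resolver)."""
    component, secret = build_fixture()
    cases = {
        "legit": "index.html",
        "traversal": "../../server.log",         # relative escape via '..'
        "absolute": secret,                      # os.path.join discards the root entirely
    }
    return {name: (vulnerable_resolve(component, req) is not None,
                   hardened_resolve(component, req) is not None)
            for name, req in cases.items()}


if __name__ == "__main__":
    for name, (vulnerable, hardened) in demo().items():
        print("%-10s vulnerable serves=%s  hardened serves=%s" % (name, vulnerable, hardened))
```

Two details matter in the hardened version: os.path.realpath is applied to both the root and the candidate so that symlinks inside the component directory pointing outside it are caught as well, and the containment test uses commonpath rather than a string prefix check, which would wrongly accept a sibling directory whose name merely begins with the root's name.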

Solution: The vendor strongly recommends that users upgrade to v1.11.1 as soon as possible. Please refer to the link for details – https://github.com/streamlit/streamlit/security/advisories/GHSA-v4hr-4jpx-56gc

CVE-2022-36123 – Linux kernel design flaw prior to 5.18.13 puts Xen PV guest OS at risk (29-07-2022)

Preface: The uninitialized data segment, often called the “bss” segment, is named after an ancient assembler operator that stood for “block started by symbol”. Data in this segment is initialized to arithmetic 0 before the program starts executing; for the kernel itself, that zeroing is part of early boot.

Background: Xen is an open-source baremetal hypervisor that is widely used by commercial and non-commercial platforms to provide virtualization support.

Dom0 is the initial domain started by the Xen hypervisor on boot. Dom0 is an abbreviation of “Domain 0” (sometimes written as “domain zero” or the “host domain”). Dom0 is a privileged domain that starts first and manages the DomU unprivileged domains. The Xen hypervisor is not usable without Dom0.

Vulnerability details: The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This allows Xen PV guest OS users to cause a denial of service or gain privileges. For details, please refer to attached diagram.

The fix: instead of clearing the bss area in assembly code, use the clear_bss() function. This requires passing the start_info address as a parameter to xen_start_kernel() in order to avoid xen_start_info being zeroed again.

CVE record: Please refer to the link – https://cve.report/CVE-2022-36123

antihackingonline.com