Nvidia security focus – Rowhammer attack potential risk – July 2025 (11th July 2025)

Preface: The Rowhammer effect, a hardware vulnerability in DRAM chips, was first publicly presented and analyzed in June 2014 at the International Symposium on Computer Architecture (ISCA). This research, conducted by Yoongu Kim et al., demonstrated that repeatedly accessing a specific row in a DRAM chip can cause bit flips in nearby rows, potentially leading to security breaches.

Background: Nvidia has shifted from “copy on flip” to asynchronous copy mechanisms in their GPU architecture, particularly with the Ampere architecture and later. This change allows for more efficient handling of data transfers between memory and the GPU, reducing latency and improving overall performance, especially in scenarios with high frame rates or complex computations.

When System-Level ECC is enabled, it prevents attackers from successfully executing Rowhammer attacks by ensuring memory integrity. The memory controller detects and corrects bit flips, making it nearly impossible for an attacker to exploit them for privilege escalation or data corruption.

Technical details: Modern DRAMs, including the ones used by NVIDIA, are potentially susceptible to Rowhammer. The now decade-old Rowhammer problem has been well known for CPU memories (e.g., DDR, LPDDR). Recently, researchers at the University of Toronto demonstrated a successful Rowhammer exploitation on a NVIDIA A6000 GPU with GDDR6 memory where System-Level ECC was not enabled. In the same paper, the researchers showed that enabling System-Level ECC mitigates the Rowhammer problem. 

Official announcement: Technical details: see link – https://nvidia.custhelp.com/app/answers/detail/a_id/5671

CVE-2025-32462 – Local Privilege Escalation via chroot option (10th July 2025)

Preface: Using LDAP to manage sudoers rules is becoming a more common practice, particularly in larger organizations. It offers several advantages over traditional methods of storing sudoers in a local file, including simplified management, improved scalability, and enhanced security.

Background:

Best Practices for Using sudo.

  • Avoid Logging in as Root: Use sudo instead of su to minimize security risks.
  • Grant Minimal Permissions: Assign only the necessary privileges to prevent unauthorized access.
  • Monitor sudo Usage: Check logs for suspicious activity

This helps to minimize security risks associated with elevated privileges.

* Specific commands: Instead of ALL=(ALL:ALL), grant access to specific commands only. For example, jane ALL=(ALL:ALL) /usr/bin/apt update, /usr/bin/apt upgrade

Vulnerability details: Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.

This vulnerability occurs when a sudoers file specifies a host that is neither the current host nor ALL. In such cases, sudo may incorrectly allow listed users to execute commands on unintended machines.

This is a configuration-based logic flaw rather than a memory corruption or privilege escalation bug. It does not involve CHROOT directly, but rather the host-specific rule matching in sudoers.

Official announcement: Please see the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-32462

AMD releases details about Transient Scheduler Attack (TSA) – 9 Jul 2025

Preface: CPU transient instructions refer to instructions that are speculatively executed by a processor’s out-of-order execution engine, but which may ultimately be discarded and not reflected in the processor’s architectural state. These instructions are executed based on predictions about control flow or data dependencies, and if the prediction is incorrect, the results of these transient instructions are discarded.

Background: Transient Scheduler Attacks (TSA) are new speculative side channel attacks related to the execution timing of instructions under specific microarchitectural conditions. In some cases, an attacker may be able to use this timing information to infer data from other contexts, resulting in information leakage.

Vulnerability details:

CVE-2024-36350 – A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information.

CVE-2024-36357 – A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries.

CVE-2024-36348 – A transient execution vulnerability in some AMD processors may allow a user process to infer the control registers speculatively even if UMIP[3] feature is enabled, potentially resulting in information leakage.

CVE-2024-36349 – A transient execution vulnerability in some AMD processors may allow a user process to infer TSC_AUX even when such a read is disabled, potentially resulting in information leakage.

Official announcement: Please see the link for details –

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7029.html

CVE-2025-21432: Double Free in SPS-HLOS (8th July 2025)

Preface: Concise Binary Object Representation (CBOR) is a binary data serialization format loosely based on JSON authored by Carsten Bormann. The use of Concise Binary Object Representation (CBOR) in SPS HLOS (and other constrained environments) is primarily due to its ability to provide a compact, efficient, and extensible binary data format. This makes it suitable for resource-constrained devices and networks, where bandwidth and processing power are limited. 

Background: In Adreno GPUs, SPS (Shader Processors) HLOS refers to a specific architecture or organization within the GPU where Shader Processors are grouped and managed. “HLOS” likely stands for “High Level Operating System”, indicating that these SPS are managed by the system’s main operating system (like Android) rather than being directly controlled by the GPU’s internal firmware. This means the CPU and operating system handle the overall workload and scheduling for these shader processors.

Ref: CBOR data, from the perspective of a Transfer Agent (TA), refers to data formatted using the Concise Binary Object Representation (CBOR) standard, likely used for efficient and compact representation of information related to financial transactions or other assets managed by the TA. 

Vulnerability details: Memory corruption while retrieving the CBOR data from TA (Transfer Agent).

Summary:

Component – Qualcomm Adreno GPU (Graphics Driver)

Vulnerability Type – Double Free / Memory Corruption

Trigger – Occurs during CBOR data retrieval from shader memory by the Transfer Agent (TA).

Affected Subsystem: SPS-HLOS (Shader Processor System managed by High-Level OS)

Impact:

Double free condition in shared memory buffers.

Potential for arbitrary code execution or privilege escalation.

Exploitable via crafted GPU workloads or malicious apps using OpenCL/Vulkan.

Official announcement: Please see the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2025-bulletin.html

CVE-2025-21450: Improper Authentication in GPS GNSS (7th July 2025)

Preface:

GNSS – This is a global term encompassing all satellite constellations that provide positioning, navigation, and timing (PNT) services. Besides GPS, other GNSS include GLONASS (Russia), Galileo (EU), and BeiDou (China).

GPS – The Global Positioning System, developed by the US Department of Defense, is the most widely recognized and used GNSS. It was the first global satellite navigation system and has become a household term.

Background: A GPS/GNSS receiver can be considered the client in a similar way to an IoT device or smartphone, particularly when used for location-based services. GPS/GNSS receivers require cryptographic downloads, specifically key material and potentially software updates, to enable authentication and anti-spoofing features. These features ensure the integrity and authenticity of the received signals, protecting against malicious attacks like spoofing where fake signals mimic legitimate satellites.

Ref: The GPS module in the Snapdragon 8 Gen 3 is integrated within the Snapdragon X75 5G Modem-RF System. The X75 is a comprehensive modem-RF solution that includes not only 5G capabilities but also other wireless technologies like Wi-Fi, Bluetooth, and location services like GPS. This integration allows for efficient and high-performance location tracking and navigation on devices powered by the Snapdragon 8 Gen 3.

Vulnerability details: Cryptographic issue occurs due to use of insecure connection method while downloading.

Vulnerability Type: CWE-287 Improper Authentication

Official announcement: Please see the link for details –

https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2025-bulletin.html

CVE-2025-52496: Mbed TLSan open-source C library design weakness (6th July 2025)

Preface: What is the difference between FreeRTOS and Cmsis-RTOS?

Basically FreeRTOS is a RTOS, while CMSIS-RTOS is only a wrapper for any RTOS (like FreeRTOS, CMSIS-RTOS RTX or anything you want). CMSIS-RTOS is an API that enables consistent software layers with middleware and library components. Mbed TLS aims to provide a set of powerful and flexible cryptographic and security building blocks, mainly for embedded systems, focusing on ease of integration and security. The design objective strives to be lean,  prioritizing readability, documentation and testability, while minimizing dependencies and providing a loosely coupled architecture. This allows developers to integrate only the necessary components without the overhead of the entire library.

Background: Do multi-threaded programs use the same AES key?

Yes, multithreaded programs using AES encryption typically use the same AES key for both encryption and decryption, as AES is a symmetric encryption algorithm. Both the sender and receiver need to share the same secret key to encrypt and decrypt data. In a multithreaded context, each thread would utilize this shared key when performing encryption or decryption operations.

Vulnerability details: Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to extract an AES key from a multithreaded program, or perform a GCM forgery.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-52496

CVE-2025-6073 – Industrial Controls Be Aware! (4th July 2025)

Preface: The default configuration of the ABB RMC-100’s REST interface is disabled. ABB recommends leaving the REST interface disabled when not in use, particularly when configuring MQTT functionality. The RMC-100 is not intended for access over public networks.

Background: The ABB RMC-100 is a popular and widely used remote modular controller, particularly within the oil and gas industry. It is known for its scalability and ability to manage automation, liquids and gas measurement, and asset data concentration for various facility sizes, from large production and transmission facilities to smaller systems. The RMC-100 is part of ABB’s Totalflow portfolio, which has seen over 430,000 units sold since the 1980s.

Service available in some Totalflow devices like the RMC-100. When enabled, the device REST server capabilities are enabled. The device then can be accessed by a REST client such as a web browser. The access is for the configuration of the MQTT parameters.

Uses HTTP methods (protocol) to access resources on a REST server. For example, the web browser which accesses the MQTT configuration interface on the RMC-100.

Vulnerability details: Stack-based Buffer Overflow vulnerability in ABB RMC-100, ABB RMC-100 LITE. When the REST interface is enabled by the user, and an attacker gains access to the control network, and user/password broker authentication is enabled, and CVE-2025-6074 is exploited, the attacker can overflow the buffer for username or password.

Affected Products: This issue affects RMC-100: from 2105457-043 through 2105457-045; RMC-100 LITE: from 2106229-015 through 2106229-016.

Official announcement: Please see the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2025-6073

CVE-2025-46647: A vulnerability of plugin openid-connect in Apache APISIX.(3rd July 2025)

Preface: API Gateway can be helpful for ChatGPT plugin developers to expose, secure, manage, and monitor their API endpoints. This repo demonstrates how to use Apache APISIX API Gateway as a front door for communication between ChatGPT custom plugins and backend APIs. For more details, please refer to the link – https://github.com/Boburmirzo/apisix-chatgpt-gateway-plugin

Background: The primary design objective of Apache APISIX is to provide a high-performance, cloud-native API gateway that can handle a large volume of API traffic and microservices, with a focus on flexibility, scalability, and dynamic configuration management. It aims to be a unified proxy infrastructure for various scenarios like API management, service mesh, and ingress control.

The OpenID Connect (OIDC) plugin for Apache APISIX enables centralized authentication for APIs by integrating with OpenID Connect providers (like Okta, Auth0, Keycloak). It allows users to authenticate through a designated provider and then access APIs through APISIX. The plugin handles the redirection to the provider’s login page, token exchange, and passing user information to the upstream services.

Vulnerability details: A vulnerability of plugin openid-connect in Apache APISIX. This vulnerability will only have an impact if all of the following conditions are met:

1. Use the openid-connect plugin with introspection mode

2. The auth service connected to openid-connect provides services to multiple issuers

3. Multiple issuers share the same private key and relies only on the issuer being different If affected by this vulnerability, it would allow an attacker with a valid account on one of the issuers to log into the other issuer.

Remedy: This issue affects Apache APISIX: until 3.12.0. Users are recommended to upgrade to version 3.12.0 or higher.

Official announcement: For more details, please refer to the link –

https://nvd.nist.gov/vuln/detail/CVE-2025-46647

CVE-2025-0038 exposes a runtime vulnerability due to missing checks in PMU firmware. (2nd July 2025)

Preface: Users typically build custom PMU firmware tailored to their specific hardware platform and application requirements.

PMU firmware can be loaded by either FSBL or CSU BootROM (CBR). Both these flows are supported by AMD. Loading PMU firmware using FSBL has the following benefits:

– Possible quick boot time, when PMU firmware is loaded after bitstream.

– In use cases where you want two BIN files – stable and upgradable, PMU firmware can be part of the upgradable (by FSBL) image.

Background: The primary design objective of AMD’s Zynq™ UltraScale+™ devices is to provide a highly integrated platform that combines the processing power of a multi-core ARM processor with the flexibility of programmable logic (FPGA fabric). This enables a wide range of applications by offering both real-time control and processing capabilities within a single chip. The devices also prioritize low power consumption, security features, and efficient memory management.

Ref: Arm Trusted Firmware (ATF) and its role in managing the Secure Monitor and Trusted Board Boot Requirements (TBBR). These are essential for establishing a secure boot process and managing transitions between the secure and non-secure worlds in Arm-based systems like the Zynq UltraScale+.

Vulnerability details: In AMD Zynq UltraScale+ devices, the lack of address validation when executing CSU runtime services through the PMU Firmware can allow access to isolated or protected memory spaces resulting in the loss of integrity and confidentiality.

Official announcement: Please see the link for details –

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-8008.html

https://docs.amd.com/r/en-US/000037628/Affected-Products

CVE-2025-49521: Red Hat Ansible Automation Platform 2.5 Product Security and Bug Fix Update (1st July 2025)

Preface: Ansible Automation Platform is a broader enterprise automation platform designed to manage and automate various IT operations, including infrastructure, cloud, networking, and security. While it can be used for automating web server deployments and configurations. Besides, web hosting service providers can and often do use the Ansible Automation Platform for automating various tasks related to web hosting and infrastructure management.

Background: In Ansible, Jinja2 templating is widely used to dynamically render variables, expressions, and logic in playbooks, templates, and even hooks (like webhooks or event triggers in EDA).

You can use Jinja2 in:

•       Playbooks: For dynamic task names, conditions, and variables.

•       Templates: To generate configuration files.

•       Hooks or Webhooks: Especially in EDA, where incoming payloads can be parsed and matched using Jinja2 expressions.

When a POST request is sent to http[:][//]<EDA_HOST>[:]5000/alert with the payload:

•       The EDA controller receives the event.

•       It evaluates the condition using Jinja2.

•       If matched, it runs the playbook respond_to_critical_alert[.]yml.

Vulnerability details: A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift, it can lead to service account token theft.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-49521

antihackingonline.com