CVE-2024-36680: Improper neutralization of SQL parameter in Promokit[.]eu – Facebook module for PrestaShop (20-June-2024)

Preface: PrestaShop is an open source e-commerce platform that emerged in 2007. It’s still widely used today—more than 250,000 devices are powered by it. The goal of PrestaShop Facebook is to promote e-commerce sales on Facebook and Instagram social networks.

Background: PrestaShop module developers place each module in its own folder under the “modules” directory in the installation root. This directory contains all the modules of a PrestaShop installation; even core modules such as the website’s shopping cart live here.

How do I install Prestashop on my local computer?

  1. XAMPP is an easy-to-install Apache distribution containing MariaDB, PHP, and Perl. Just download and start the installer.
  2. Go to the official XAMPP website and download it – Download XAMPP
  3. Install XAMPP at any location; we install it on the C drive.
  4. Create a project folder in the htdocs directory.
  5. Put the downloaded PrestaShop file in this project folder.
  6. PrestaShop installation process:

- Download PrestaShop.

- Create the database.

- Upload the downloaded file to the server.

- Delete the archive folder and the install folder.

Vulnerability details: In the module “Facebook” (pkfacebook) <= 1.0.1 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The ajax script facebookConnect.php has a sensitive SQL call that can be executed with a trivial HTTP call and exploited to forge a SQL injection.
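The pattern described above, a guest-reachable module ajax script that builds SQL directly from request input, shown next to a hardened version built on PrestaShop's own Db, Tools and pSQL() helpers. This is an added illustration, not code from the pkfacebook module or the advisory; the file location, the table pkfacebook_link and the parameter names fb_uid and id_shop are constructed for the example.

```php
<?php
// Added example (not the module's real code): a module ajax endpoint that is
// reachable by guests, first with the defect class named in the advisory and
// then hardened. Table, parameter names and file location are constructed.
require_once dirname(__FILE__) . '/../../config/config.inc.php';
require_once dirname(__FILE__) . '/../../init.php';

// Defective pattern: the request value is concatenated straight into the
// query, so whatever a guest sends in fb_uid becomes part of the statement.
function findCustomerByFacebookUidUnsafe()
{
    $uid = Tools::getValue('fb_uid');
    $sql = 'SELECT `id_customer` FROM `' . _DB_PREFIX_ . 'pkfacebook_link` '
         . "WHERE `fb_uid` = '" . $uid . "'";
    return Db::getInstance()->getRow($sql);
}

// Hardened pattern: integer ids are cast with (int), string values go
// through pSQL(), and the call is refused without a valid front-office token
// so the script is no longer an anonymous, trivially callable entry point.
function findCustomerByFacebookUidSafe()
{
    if (Tools::getValue('token') !== Tools::getToken(false)) {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
    $uid    = pSQL((string) Tools::getValue('fb_uid'));
    $idShop = (int) Tools::getValue('id_shop');
    $sql = 'SELECT `id_customer` FROM `' . _DB_PREFIX_ . 'pkfacebook_link` '
         . "WHERE `fb_uid` = '" . $uid . "' AND `id_shop` = " . $idShop;
    return Db::getInstance()->getRow($sql);
}

header('Content-Type: application/json');
echo json_encode(findCustomerByFacebookUidSafe() ?: array('error' => 'not found'));
```

The token check matters as much as the escaping: the advisory's point is that the script is reachable by a guest with a trivial HTTP call, so restricting who may invoke it reduces exposure even before the query is fixed.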

Official announcement: For details, please refer to the link – https://www.tenable.com/cve/CVE-2024-36680

CVE-2024-36977: usb: dwc3: Wait unconditionally after issuing EndXfer command (19 June 2024)

Preface: The DWC3 is Synopsys IP providing a SuperSpeed USB 3.0 controller. This Synopsys DesignWare USB3 controller IP has proved very popular and is in use in a range of Arm SoCs, from Samsung and TI parts to Qualcomm platforms. DWC3 is also used by various platforms from both Intel and AMD.

Background:

EN_ENDXFER_ON_RJCT_STRM: Enable bit for the reject-stream flow. On receiving a reject stream (stream ID FFFF) on the USB side, the controller notifies the application software with a STREAMEVT_NOTFOUND event carrying stream ID FFFF. On decoding this event, the application software must issue an ENDXFER command, which flushes all FIFOs.

Until an ENDXFER is issued, any stream packet received on USB will not trigger a search of the available streams in the cache or the release of ERDY. The controller keeps writing STREAM_NOT_FOUND events until the ENDXFER completes.

– 0: Feature disabled. No reject status is reported to the application software.

– 1: Feature enabled. Reject status is reported on receiving a reject stream on USB; on decoding this event the application software must issue an ENDXFER.

Note: By default, this bit is set to 0.

Vulnerability details: usb: dwc3: Wait unconditionally after issuing EndXfer command. Currently all controller IP/revisions except DWC3_usb3 >= 310a wait 1 ms unconditionally for ENDXFER completion when IOC is not set.

Severity: Critical

Official announcement: For details, please refer to the link – https://www.tenable.com/cve/CVE-2024-36977

CVE-2024-37079 and CVE-2024-37080: vCenter Server contains a heap-overflow vulnerability. Is this a prior incident? (18-June-2024)

Preface: The DCE/RPC protocol is the protocol for remote procedure calls. It is widely used in the modern Internet. Because the proper functioning of DCE/RPC protocols is critical to modern infrastructure and society, it is important to verify the reliability of DCE/RPC implementations.

Background: This type of vulnerability can be particularly dangerous because it could allow an attacker to write data outside of the allocated memory buffer, potentially leading to remote code execution. Such a vulnerability could provide an attacker with unauthorized control of vCenter Server, posing a significant risk to the security and integrity of the virtualized environment managed by vCenter.

Vulnerability details:

CVE-2024-37079: vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.

CVE-2024-37080: vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.

Official announcement: For details, please refer to the link – https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453

CVE-2024-21478 – Automotive manufacturer staying alert! (18 June 2024)

Preface: For example, if your app defines a fence for headphones, it gets callbacks when the headphones are plugged in and when they’re unplugged.

Background: Automotive infotainment is an in-car system that combines entertainment such as radio and music playing with driving information, including navigation, ADAS, and vehicle settings.

The SA8255P is Qualcomm’s next-generation Snapdragon automotive infotainment SoC. Developed as a SEooC (safety element out of context) targeting ASIL B use cases, the SA8255P gives automakers scalable solutions that are connected, smart, and aware.

Vulnerability details: NULL Pointer Dereference in Graphics: transient DOS when setting up a fence callback to free a KGSL memory entry object during DMA.

Affected Chipsets: QAM8255P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, SA8255P, SA8650P, SA8770P, SA8775P, SA9000P, SRV1H, SRV1M.

Official announcement: For details, please refer to the link – https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2024-bulletin.html

CVE-2024-4610: Arm is aware of this vulnerability being exploited in the wild (17 June 2024)

Arm has released limited details about the vulnerability. Do you think the following is similar to CVE-2024-4610?

Preface: Arm is aware of reports of this vulnerability being exploited in the wild, but the exploit is a local attack. Attackers would therefore likely need a delivery vector such as email phishing or SMS to get code onto the device first. This is why the issue has drawn manufacturers’ attention.

Background: The Mali Bifrost architecture – implemented by the Mali-G3x, Mali-G5x, and Mali-G7x family of products, is the successor to the Midgard architecture and the predecessor of the Valhall architecture.

The Android and Linux versions of the Mali GPU Device Driver provide low-level access to the Mali GPUs that are part of the Bifrost family.

There are many IPC mechanisms, such as shared memory, message queues, pipes, FIFOs, Unix sockets, and so on. A process cannot access another process’s memory directly. However, the kernel has control over all processes and can therefore expose an interface that enables IPC. In Binder, this interface is the /dev/binder device, which is implemented by the Binder kernel driver.

Ref: A mutex is a mutually exclusive flag. It acts as a gatekeeper to a section of code, allowing one thread in and blocking access to all others.

Vulnerability details: Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.

This issue affects Bifrost GPU Kernel Driver: from r34p0 through r40p0; Valhall GPU Kernel Driver: from r34p0 through r40p0.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2024-4610

CVE-2023-20597: AGESA™ firmware versions previously provided did not sufficiently mitigate CVE-2023-20594. Release of 2nd round of remedy. (13-June-2024)

Preface: June 2024 Update – After additional analysis, AMD believes that the Client AGESA™ firmware versions previously provided did not sufficiently mitigate CVE-2023-20594. This security bulletin has been updated with new Client AGESA™ firmware versions that contain updated mitigations.

Background: The DXE drivers are responsible for initializing the processor, chipset, and platform components as well as providing software abstractions for system services, console devices, and boot devices.

Vulnerability details:

CVE-2023-20594 – Improper initialization of variables in the DXE driver may allow a privileged user to leak sensitive information via local access.
CWE-665 Improper Initialization

CVE-2023-20597 – Improper initialization of variables in the DXE driver may allow a privileged user to leak sensitive information via local access.
CWE-665 Improper Initialization

Published Date: Sep 20, 2023
Last updated date: Jun 11, 2024

Official announcement: For details, please refer to the link – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4007.html

CVE-2024-35253: Microsoft Azure File Sync Elevation of Privilege Vulnerability (11 Jun 2024)

Preface: That is by design. If a file is created with the name of a just-deleted file, timestamps, attributes, and security are carried forward.

Background: To immediately sync files that are changed in the Azure file share, the Invoke-AzStorageSyncChangeDetection PowerShell cmdlet can be used to manually initiate the detection of changes in the Azure file share.

This cmdlet is intended for scenarios where some type of automated process is making changes in the Azure file share or the changes are done by an administrator (like moving files and directories into the share). For end user changes, the recommendation is to install the Azure File Sync agent in an IaaS VM and have end users access the file share through the IaaS VM. This way all changes will quickly sync to other agents without the need to use the Invoke-AzStorageSyncChangeDetection cmdlet.

Vulnerability details: Microsoft Azure File Sync Elevation of Privilege Vulnerability

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2024-35253

Repost CVE-2024-5274: Google Chrome fixed remote code execution vulnerability (11-06-2024)

CVE Release date: May 24, 2024

Preface: Every time I start learning about a CVE, it helps me enrich my knowledge, even though it was released months ago.

Background: Around the world in 2024, over 4450 companies have started using Chrome as a site search tool.

V8 is a JavaScript and WebAssembly engine developed by Google for its Chrome browser. Each WebAssembly module executes within a sandboxed environment separated from the host runtime using fault isolation techniques.

Ref: wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this panic. This vulnerability has been patched in version 19.0.1.

Vulnerability details: This update includes 1 security fix. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[N/A][341663589] High CVE-2024-5274: Type Confusion in V8. Reported by Clément Lecigne of Google’s Threat Analysis Group and Brendon Tiszka of Chrome Security on 2024-05-20

Google is aware that an exploit for CVE-2024-5274 exists in the wild.

Official announcement: For details, please refer to the link – https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_23.html?m=1

Regarding CVE-2024-0099 and CVE-2024-0084: Is this a renewed focus on vulnerabilities discovered in 2021? (10-June-2024)

Original posted 06/06/2024

Preface: Oracle and Citrix have large customer bases and use Xen as their primary hypervisor. Red Hat, SUSE, and Canonical support KVM as a virtualization option in their Linux versions. When it comes to cloud computing, administrators face a similar decision: Citrix and Oracle offer Xen-based offerings rather than Google’s KVM.

Background: In a hypervisor command shell, such as the Citrix Hypervisor dom0 shell or the VMware ESXi host shell, you can run the following command to verify your NVIDIA virtual GPU software version.

[root@vgpu ~]# nvidia-smi

|NVIDIA-SMI 550[.]90[.]05                Driver Version: 550[.]90[.]05

NVIDIA vGPU software can be used in a variety of ways. The method we mentioned here is related to this vulnerability. In GPU pass-through mode, an entire physical GPU is directly assigned to one VM, bypassing the NVIDIA Virtual GPU Manager. In this mode of operation, the GPU is accessed exclusively by the NVIDIA driver running in the VM to which it is assigned. The GPU is not shared among VMs.

Exploiting a buffer overflow vulnerability often involves manipulating pointers to redirect program execution or inject malicious code. By overwriting the return address of a function, an attacker can divert the control flow to a different section of the program where their code is placed.

Vulnerability details:

CVE‑2024‑0099 NVIDIA vGPU software for Linux contains a vulnerability in the Virtual GPU Manager, where the guest OS could cause buffer overrun in the host. A successful exploit of this vulnerability might lead to information disclosure, data tampering, escalation of privileges, and denial of service.

CVE‑2024‑0089 NVIDIA vGPU software for Linux contains a vulnerability in the Virtual GPU Manager, where the guest OS could execute privileged operations. A successful exploit of this vulnerability might lead to information disclosure, data tampering, escalation of privileges, and denial of service.

Official announcement: For details, please refer to the link – https://nvidia.custhelp.com/app/answers/detail/a_id/5551

CVE-2024-31335 GPU – PowerVR: Wrong order of operations in DevmemIntUnmapPMR2 may lead to temporarily dangling PTEs. AI accelerators called Neural Network Accelerator (NNA) staying alert! (7 June 2024)

Official Posted: 31st May 2024

Preface: PowerVR is not limited to 2D and 3D rendering; it also covers video encoding, decoding and associated image processing. It also develops AI accelerators called Neural Network Accelerators (NNA). The IMG Series4 is a neural network accelerator (NNA) for the automotive industry that enables ADAS and autonomous driving.

PowerVR accelerators are not manufactured by PowerVR itself; instead, the IP blocks of its integrated circuit designs and patents are licensed to other companies.

Remark: An IP block is a reusable unit of logic, cell, or chip layout design and can be used as building block for various chip- and logic designs. By making this technology available NXP is opening up the opportunity for chip designers to leverage our building blocks in a wide assortment of on-chip solutions.

Background: What is the DDK? To build the Android kernel and other kernel artifacts (modules, boot images, etc.), Android provides a framework called “Kleaf”. For Android 14+, Kleaf is strongly recommended. One part of Kleaf is the Driver Development Kit (DDK), which is used to build external modules.

Vulnerability details: CVE-2024-31335 – GPU – PowerVR: Wrong order of operations in DevmemIntUnmapPMR2 may lead to temporarily dangling PTEs.

Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger use-after-free kernel exceptions.

Official announcement: For details, please refer to the link – https://www.imaginationtech.com/gpu-driver-vulnerabilities/#may24

antihackingonline.com