CVE-2024-33050 – Buffer Over-read in WLAN Host Communication (10th Sep 2024)

Preface: In computer programming, transient is a property of any element in the system that is temporary. The term applies to transient applications.

Background: Within frequency, In-band discovery is used for communication between 6 GHz devices. There are three in-band discovery methods: Fast Initial Link Setup (FILS) and Unsolicited Probe Response (UPR) frames are passive in-band discovery methods. Choose one of FILS and UPR and cannot use them at the same time. The 6 GHz discovery frame is only required when 6 GHz is the only operable radio frequency band. Preferred Scan Channel (PSC) is an active in-frequency discovery method. Wireless clients will only probe PSC channels; if detecting from the RNR, non-PSCs will be scanned.

Vulnerability details: Transient DOS while parsing MBSSID during new IE generation in beacon/probe frame when IE length check is either missing or improper.

Ref: The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.

Official announcement: Please refer to the vendor announcement for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2024-bulletin.html

CVE-2024-42024: veeam did not disclosed the details, perhaps this story can tell (9th Sep 2024)

Preface: Veeam ONE agent is a component that enables communication with Veeam Backup & Replication servers, performs collection of logs, and sends remediation commands. It is recommended to install Veeam ONE agent to improve data collection performance in large-scale Veeam Backup & Replication infrastructures.

Background: Veeam ONE supports two deployment scenarios:

• All-in-one

The all-in-one deployment scenario is ideal if you want to consolidate the entire product functionality in one place by installing all product architectural components on a single machine. This scenario is preferable for small- to medium-scale deployments.

• Custom

The custom deployment scenario is more suitable if you want to separate client/server roles and install product architectural components on different machines. This scena rio is recommended for large-scale deployments.

Vulnerability details:  A vulnerability that allows an attacker in possession of the Veeam ONE Agent service account credentials to perform remote code execution on the machine where the Veeam ONE Agent is installed.

Official announcement: Please refer to the link for details – https://www.veeam.com/kb4649

CVE-2024-7884 – Fix memory leak in CallFuture (6th Sep 2024)

Preface: The world’s first web-speed, internet-scale public blockchain. At the virtual event launching Sodium on September 30, 2022, the DFINITY Foundation will launch the Network Nervous System, an open algorithmic governance system that controlling the Internet computer. The event will also showcase in-depth technical material on advanced cryptography, consensus protocols, and token economics.

Background: Intercanister calls can be used to update information between two or more canisters.

ic-cdk : Inter-canister calls for the ICRC-1 ledger.

ledger-icrc-js : A library for interfacing with ICRC-1 ledger on the Internet Computer.

When you deploy the WebAssembly module that contains your program on the Internet Computer blockchain, the program is executed inside a conceptual computational unit called a canister. Canisters can be developed in various programming languages.

With respect to update calls, canisters are “software actors” and may only contain a single thread of execution at any time, obviating the need for concurrency primitives such as mutexes. However, when update calls block on cross-canister calls to other canisters, other update calls can be started or continued, allowing for interleaving.

Ref: In most cases, you use dfx canister subcommands after you compile a program to manage the canister lifecycle and to perform key tasks such as calling program functions. The basic syntax for running dfx canister commands is: dfx canister <subcommand> [options]

Vulnerability details: When a canister method is called via ic_cdk::call* , a new Future CallFuture is created and can be awaited by the caller to get the execution result. Internally, the state of the Future is tracked and stored in a struct called CallFutureState. A bug in the polling implementation of the CallFuture allows multiple references to be held for this internal state and not all references were dropped before the Future is resolved. Since we have unaccounted references held, a copy of the internal state ended up being persisted in the canister’s heap and thus causing a memory leak. Impact Canisters built in Rust with ic_cdk and ic_cdk_timers are affected. If these canisters call a canister method, use timers or heartbeat, they will likely leak a small amount of memory on every such operation. In the worst case, this could lead to heap memory exhaustion triggered by an attacker.

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2024-7884

CVE-2024-44961: Forward soft recovery errors to userspace (5th Sep 2024)

Preface: The AMD Radeon Instinct™ MI50 server accelerator designed on the world’s First 7nm FinFET technology process brings customers a full-feature set based on the industry’s newest technologies. The MI50 is AMD’s workhorse accelerator offering that is ideal for large scale deep learning. Delivering up to 26.5 TFLOPS of native half-precision (FP16) or up to 13.3 TFLOPS single-precision (FP32) peak floating point performance and INT8 support and combined with 16GB or 32GB of high-bandwidth HBM2 ECC memory, the AMD Radeon Instinct™ MI50 brings customers finely balanced performance needed for enterprise-class, mid-range compute capable of training complex neural networks for a variety of demanding deep learning applications in a cost effective design.

Background: The drm/amdgpu driver supports all AMD Radeon GPUs based on the Graphics Core Next (GCN), Radeon DNA (RDNA), and Compute DNA (CDNA) architectures.

CDNA (Compute DNA) is a compute-centered graphics processing unit (GPU) microarchitecture designed by AMD for datacenters.

AMD CDNA architecture is supported by AMD ROCm™, an open software stack that includes a broad set of programming models, tools, compilers, libraries, and runtimes for AI and HPC solution development targeting AMD Instinct accelerators.

Vulnerability details: In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Forward soft recovery errors to userspace As we discussed before[1], soft recovery should be forwarded to userspace, or we can get into a really bad state where apps will keep submitting hanging command buffers cascading us to a hard reset. 1: https://lore.kernel.org/all/bf23d5ed-9a6b-43e7-84ee-8cbfd0d60f18@froggi.es/ (cherry picked from commit 434967aadbbbe3ad9103cc29e9a327de20fdba01)

Official announcement: Please refer to the website for details – https://nvd.nist.gov/vuln/detail/CVE-2024-44961

CVE-2024-3655: Mali GPU Kernel Driver allows improper GPU memory processing operations (3rd Sep 2024).

Preface: Use after free errors sometimes have no effect and other times cause a program to crash. While it is technically feasible for the freed memory to be re-allocated and for an attacker to use this reallocation to launch a buffer overflow attack.

Background: When the GPU returns ownership of the buffer to the CPU, the driver needs to treat imported and non-imported memory differently.  The first case to consider is non-imported sub-regions at the beginning of the first page and at the end of last page. For these sub-regions: CPU cache shall be committed with a clean+invalidate, in order to keep the last CPU write. Imported region prefers the opposite treatment: this memory has been legitimately mapped and used by the GPU, hence GPU writes shall be committed to memory, while CPU cache shall be invalidated to make sure that CPU reads the correct memory content.

Vulnerability details: Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.

Impact: This issue affects Bifrost GPU Kernel Driver: from r43p0 through r49p0; Valhall GPU Kernel Driver: from r43p0 through r49p0; Arm 5th Gen GPU Architecture Kernel Driver: from r43p0 through r49p0.

Official announcement: Please refer to the link for details – https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities

CVE-2024-38401: Use After Free in Qualcomm IPC (3rd Sep 2024)

Preface: Race conditions arise when multiple threads attempt to access a shared resource without proper synchronization, often leading to vulnerabilities such as concurrent use-after-free. To mitigate their occurrence, operating systems rely on synchronization primitives such as mutexes, spinlocks, etc.

Background: The Qualcomm Type 1 Hypervisor facilitates the hosting of multiple trusted execution environments for secure use cases. The figure shows the architecture of the Qualcomm Hypervisor software stack, its components, and virtual machines (VM). This figure includes an example of one guest VM using the Linux kernel.

Interprocess communication (IPC), This includes shared memory, message passing (IPC) APIs, and virtual interrupts. The ioctl function performs the generic I/O operation command on filedes . A third argument is usually present, either a single number or a pointer to a structure.

Ref: EL2 provides support for virtualization

Vulnerability details: Use After Free in Qualcomm IPC, Memory corruption while processing concurrent IOCTL calls.

Official announcement: Please refer to the vendor announcement for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2024-bulletin.html

About CVE-2024-20084 and CVE-2024-20085: MediaTek’s System-on-Chip Design weakness (2nd Sep 2024)

Preface: When an out-of-bounds read occurs, typically the product has already made a separate mistake, such as modifying an index or performing pointer arithmetic that produces an out-of-bounds address.

Background: MediaTek JPEG Decoder is the JPEG decode hardware present in MediaTek SoCs. The jpeg decoder hardware device node which should be added as subnodes to the main jpeg node.

IOMMU is the so-called SMMU, which can organize discontinuous physical memory into a continuous virtual memory (this makes sense for many drivers).

Vulnerability details:

CVE-2024-20084 – In power, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

CVE-2024-20085 – In power, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Official announcement: Please refer to the vendor announcement for details – https://corp.mediatek.com/product-security-bulletin/September-2024

CVE‑2024-0110: Supercomputer and AI development Interlude (II)  (30th Aug 2024)

Preface: OpenAI revealed that the project cost $100 million, took 100 days, and used 25,000 NVIDIA A100 GPUs. Each server equipped with these GPUs uses approximately 6.5 kW, so an estimated 50 GWh of energy is consumed during training.

Background: Parallel processing is a method in computing of running two or more processors (CPUs) to handle separate parts of an overall task. Breaking up different parts of a task among multiple processors will help reduce the amount of time to run a program. GPUs render images more quickly than a CPU because of its parallel processing architecture, which allows it to perform multiple calculations across streams of data simultaneously. The CPU is the brain of the operation, responsible for giving instructions to the rest of the system, including the GPU(s).

NVIDIA CUDA provides a simple C/C++ based interface. The CUDA compiler leverages parallelism built into the CUDA programming model as it compiles your program into code.
CUDA is a parallel computing platform and programming interface model created by Nvidia for the development of software which is used by parallel processors. It serves as an alternative to running simulations on traditional CPUs.

Vulnerability details:

CVE-2024-0110: NVIDIA CUDA Toolkit contains a vulnerability in command `cuobjdump` where a user may cause an out-of-bound write by passing in a malformed ELF file. A successful exploit of this vulnerability may lead to code execution or denial of service.

CWE‑787   Code execution, denial of service (Severity –  Medium)

Ref: The integer overflow may result in an out-of-bounds write.

Official announcement: Please refer to the vendor announcement for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5564

CVE-2024-34731: last week CVEs, today story. (29th Aug 2024)

Preface: A race condition vulnerability is a software bug that allows these unexpected results to be exploited by malicious entities.

The Race condition is a privilege escalation vulnerability that manipulates the time between imposing a security control and using services in a UNIX like system. This vulnerability is a result of interferences caused by multiple sequential threads running in the system and sharing the same resources.

Background: TranscodingResourcePolicy is a component of the Android platform/frameworks/av package that manages resource policies for transcoding operations. Transcoding is the process of converting media files from one format to another.

Vulnerability details: In multiple functions of TranscodingResourcePolicy.cpp, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-34731

CVE-2024-8105: let you aware that computer industry not secure! (2024-08-26)

Preface: The key leaked in 2023, it was one of the test dummy keys that AMI was shipping since as early as May 2012, said security firm.

The so-called Platform Key (PK) from American Megatrends International (AMI) serves as the root of trust during the Secure Boot PC startup chain, and verifies the authenticity and integrity of a device’s firmware and boot software.

Background: The so-called Platform Key (PK) from American Megatrends International (AMI) serves as the root of trust during the Secure Boot PC startup chain, and verifies the authenticity and integrity of a device’s firmware and boot software.

Vulnerability details: A vulnerability related to the use an insecure Platform Key (PK) has been discovered. An attacker with the compromised PK private key can create malicious UEFI software that is signed with a trusted key that has been compromised.

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2024-8105

https://www.supermicro.com/en/support/security_PKFAIL_Jul_2024

antihackingonline.com