RAT targeting Nginx. Can we say that NGINX is secure than Apache? (2-12-2021)

Preface: dlopen() The function dlopen() loads the dynamic shared object (shared library) file named by the null-terminated string filename and returns an opaque “handle” for the loaded object.

Background: NGINX Plus provides a supported and tested version.Starting at $2500 per year. NGINX is an open source software. Dynamic modules add functionality to NGINX Plus such as geolocating users by IP address, resizing images and embedding NGINX JavaScript njs or Lua scripts into the NGINX Plus event‑processing model.
Modules are created both by NGINX and third‑party developers.

NGINX, at its core, is a collection of modules. Whether you are using core modules, like the http and stream modules. Or 3rd party module, like geoip or RTMP, they are using the same module framework.
With the addition of dynamic module support, modules are an even better way to add functionality to NGINX.

Details of attack: A new parasitic malware targets the popular Nginx web server, Sansec discovered. This novel code injects itself into a host Nginx application and is nearly invisible. For more details, please refer to the link – https://sansec.io/research/nginrat

Observation: We are also considering a special case in which libraries are loaded during execution by using dlopen() so that external function addresses can be obtained by using dlsym().

Remark: From technical point of view, the return addresses are only used with paired call/ret instructions and are not read or written by other instructions.

However, attackers can also exploit another source of code pointers, return addresses, to perform memory disclosure attacks.

CVE-2021-38575 – NetworkPkg/IScsiDxe has remotely exploitable buffer overflows. For a bug discovered half a year ago, CVE assigned a CVE number this month.(1-12-2021)

Preface: If a network interface controller is intended to be used as a boot device for a UEFI operating system or UEFI applications, then a UEFI Driver must be implemented that produces Network Interface Identifier Protocol and UNDI, the Simple Network Protocol, or the Managed Network Protocol.

Background: Tianocore EDK II is the UEFI reference implementation by Intel. EDK is the abbreviation for EFI Development Kit and is developed by the TianoCore community.

UEFI stands for Unified Extensible Firmware Interface. It does the same job as a BIOS, but with difference. It stores all data about initialization and startup. UEFI supports drive sizes upto 9 zettabytes, whereas BIOS only supports 2.2 terabytes. UEFI provides faster boot time.

UEFI also includes TCP (the latest version of UEFI from IIRC supports booting via HTTP, similar to iPXE).

Disadvantages of UEFI?

  • 64-bit are necessary.
  • Virus and Trojan threat due to network support, since UEFI doesn’t have anti-virus software.

Vulnerability details: Certain versions of EDK II from TianoCore contain vulnerability (NetworkPkg/IScsiDxe has remotely exploitable buffer overflows). The fact is that potential integer overflow in IScsiBinToHex().

Reason: EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data.

Official details: Please refer to the link – https://bugzilla.tianocore.org/show_bug.cgi?id=3356

CVE-2021-41256 The Android version of the Nextcloud news app has security issues (30-11-2021)

Preface: Nextcloud is a suite of client-server software for creating and using file hosting services. It is enterprise-ready with comprehensive support options. Being free and open-source software, anyone is allowed to install and operate it on their own private server devices.

Background: The Nextcloud News Reader App makes it possible to synchronize feeds between Android and the Nextcloud News App. In order to use this app , you will need to have a nextcloud instance running with the news app installed.

About Nextcloud 17. The main novelty of the new version of Nextcloud is that the addition of the “remote wipe” feature is very eye-catching. This allows users to delete files on mobile devices. The administrator will delete data from all devices of a given user.

Unlike Google Drive, Dropbox, Yandex.Disk and box.net services, the ownCloud and Nextcloud projects provide users with complete control over their data: the information is not tied to an external closed cloud storage system, but the user controls the device.

Vulnerability details: How to switch from the original first MainActivity to the ResultActivity we just generated? The answer is to use Intent,

In affected versions the Nextcloud News for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally giving read and write access to non-exported Content Providers in Nextcloud News for Android.

Remedy: Users should upgrade to version or higher as soon as possible.

Observation: In Android, there are many specific security related issues that pertain only to certain technologies such as Activities or SQLite. If a developer does not have enough knowledge about each of the different security issues regarding each technology when designing and coding, then unexpected vulnerabilities may arise.

Repair details: please refer to the link https://github.com/nextcloud/news-android/commit/05449cb666059af7de2302df9d5c02997a23df85

About CVE-2021-3802, Fedora & Ubuntu already address this matter, it is a reminder (29-11-2021).

Preface: (2021-07-30) Reported to KDE and GNOME development teams – In response, patches for both kio and glib were implemented.
However, both projects rely mainly on udisks and use own code only as fallback.

Background: Ubuntu used to have Unity desktop in its default edition but it switched to GNOME desktop since version 17.10 release.
Ubuntu offers several desktop flavors and the KDE version is called Kubuntu. GNOME is the default desktop for Fedora and KDE is the default desktop for OpenSUSE. Depending on how old your Linux distribution is you might have udisks or udisks2 (fourth process) and then you have the udev daemon (second process).

One of the characteristics of Dbus, if you plug in a USB storage device. Dbus and UDisks2 will notified you device is ready.

Remark (a): udisks2 is used by KDE and GNOME nowadays at least (since years). udisks (1) is outdated/obsolete.

Remark (b): The one is udisks which deals with storage devices like USB sticks and the like. The second is udev, a daemon that deals with all kind of devices from PCI boards to the keyboard and mouse (including everything that udisks deals with).

Vulnerability details: Several user-accessible mount helpers use insecure defaults which allow ext2/3/4 file systems to cause a denial of service (kernel panic) upon mounting a crafted image.

Official announcementhttps://bugzilla.redhat.com/show_bug.cgi?id=2003649

Udisks2 hides certain devices from the user by default. You can enter the following directory for review:

Fedora – /usr/lib/udev/rules[.]d/80-udisks2[.]rules

CVE-2021-23654 – This affects all versions of package html-to-csv. The flaw let threat actor can embed or generate a malicious link or execute commands via CSV files (26-11-2021)

Preface: CSV file is a useful thing in today’s world when we are talking about machine learning, data handling, and data visualization.

Background: There are many Raw storage bucket for big data analytic. You might store it in a text format such as JavaScript Object Notation (JSON) or comma-separated values (CSV), or perhaps even Apache Avro. Most people prefer to store it in either JSON or CSV files. CSV format is about half the size of the JSON and another format file. It helps in reducing the bandwidth, and the size of the below would be very less. Therefore, csv is one of the important data types used in the field of data analysis.

Vulnerability details: When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via CSV files.

Impact: This affects all versions of package html-to-csv.

Official details: Please refer to the link for details – https://security.snyk.io/vuln/SNYK-PYTHON-HTMLTOCSV-1582784

Reference: BeautifulSoup parsing flaw – None of the parsing error is caused due to BeautifulSoup. It is because of external parser use (html5lib, lxml) since BeautifulSoup doesn’t contain any parser code. One way to resolve above parsing error is to use another parser.

Python built-in HTML parser causes two most common parse errors, HTMLParser.HTMLParserError: malformed start tag and HTMLParser.HTMLParserError: bad end tag and to resolve this, is to use another parser mainly: lxml or html5lib.

About Zoom vulnerability CVE-2021-34423 (25-11-2021)

Preface: What if you need to decide to buy remote meeting software? In front of you, Microsoft Teams, Zoom, and Cisco WebEx. What is your final decision? Or you decide to buy all, because all three items have design weakness but it is under enhancement.

Background: What is H.323 suite H.323 is a standard developed by the ITU. It specifies packet-based multimedia communications systems across networks, which might not provide any Qos guarantees. H.323 suite is family of standards that includes many other ITU standards (See attached diagram for details).

A Room Connector (Zoom) can also call out to a H.323 or SIP device to join a Zoom cloud meeting. Use this API to add a H.323/SIP device to your Zoom account.

A H.323 or SIP device can make a video call to a to join a Zoom cloud meeting.

Vulnerability details: A buffer overflow vulnerability was discovered in the products listed in the “Affected Products” section of this bulletin. This can potentially allow a malicious actor to crash the service or application, or leverage this vulnerability to execute arbitrary code.

Observation 1: The vulnerability is due to a failure to properly validate certain fields in an H.323 protocol suite message. When processing the malicious message, the affected device may attempt to access an invalid memory region, resulting in a crash. An attacker who can submit an H.323 packet designed to trigger the vulnerability could cause the affected device to crash and restart.

Observation 2: Believed that Zoom products contain vulnerabilities in the processing of Session Initiation Protocol (SIP) INVITE messages. These vulnerabilities were identified by the University of Oulu Secure Programming Group (OUSPG) “PROTOS” Test Suite for SIP and can be repeatedly exploited to produce a denial of service.

Official announcement: https://explore.zoom.us/en/trust/security/security-bulletin/

About CVE-2021-21980 – VMware found SSRF, arbitrary file read flaws in vCenter Server (24-11-2021)

Preface: VMware Flash End of Life and Supportability (78589) – https://kb.vmware.com/s/article/78589

Background: Flex is a powerful, open source application framework that allows you to build mobile applications for iOS, Android, and BlackBerry Tablet OS devices, as well as traditional applications for browsers and desktops using the same programming model, tool, and codebase. From a platform perspective, the vSphere Web Client is based on Apache Flex, which used to be called Adobe Flex. Adobe Flex is a Flash-based platform so it requires Adobe Flash to be installed in order to run.

Ref: Flex uses MXML to define UI layout and other non-visual static aspects, ActionScript to address dynamic aspects and as code-behind, and requires Adobe AIR or Flash Player at runtime to run the application.

Vulnerability details: VMware has released important security updates to address two vulnerabilities in the vSphere Web Client (FLEX/Flash) portion of vCenter Server. CVE-2021-21980 is an arbitrary file read vulnerability in the vSphere Web Client and CVE-2021-22049 contains an SSRF (Server Side Request Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in. An attacker with access to port 443 on vCenter Server could gain access to sensitive information or take control of a system.

The vCenter Server 7.x and Cloud Foundation 4.x release lines are not affected by these vulnerabilities as they do not use the vCenter Server vSphere Web Client (FLEX/Flash).

Official announcement: https://www.vmware.com/security/advisories/VMSA-2021-0027.html

Reminder: So far, Flash/Flex has discovered many design weaknesses. The defects display on attached diagram are not new items, but what do you think is the design defect that the supplier repaired this week, does it include related relationships, or has the supplier discovered a new defect?

CVE-2021-28706 About Xen memory management design weaknesses (24-11-2021)

Preface: Who uses Xen? Amazon Web Services alone runs ½ million virtualized Xen Project instances according to a recent study and other cloud providers such as Rackspace and hosting companies use the hypervisor at extremely large scale. Xen is a type-1 bare-metal hypervisor.

Background: A Xen host will run a number of virtual machines, VMs, or domains (the terms are synonymous on Xen). One of these is in charge of running the rest of the system, and is known as “domain 0”, or “dom0”.
Any other VM is unprivileged, and are known as a “domU” or “guest”.

A hypercall is based on the same concept as a system call. System calls are used by an application to request services from the OS and provide the interface between the application or process and the OS. Hypercalls work the same way, except the hypervisor is used.

Vulnerability details: (Official description) – When a guest is permitted to have close to 16TiB of memory, it may be able to issue hypercalls to increase its memory allocation beyond the administrator established limit. This is a result of a calculation done with 32-bit precision, which may overflow. It would then only be the overflowed (and hence small) number which gets compared against the established upper bound.

Impact: A guest may be able too allocate unbounded amounts of memory to itself. This may result in a Denial of Service (DoS) affecting the entire host.

Workaround: Setting the maximum amount of memory a guest may allocate to strictly less than 1023 GiB will avoid the vulnerability.
 Example: This should work within the DomU:

echo $((4096*1024*1024)) >/proc/xen/balloon

Should resize the memory to 4 GB.

Official article: Please refer to the link – https://xenbits.xenproject.org/xsa/advisory-385.txt

About NVIDIA GPU vulnerabilities -22nd Nov 2021

Preface: NVIDIA, the inventor of the Graphics Processing Unit (GPU) brings visual computing excellence to the embedded world. High performance meets low power with the NVIDIA Tegra processor – get ready for HD video, crisp graphics and unprecedented 3D capabilities, all in one power efficient package.

Background: GPUDirect Storage kernel driver nvidia-fs.ko is a kernel module to orchestrate IO directly from DMA/RDMA capable storage to user allocated GPU memory on NVIDIA Graphics cards. NVIDIA GPU using DMAdirect. There are DMA engines in GPUs and storage-related devices like NVMe drivers and storage controllers but generally not in CPUs. Because of this external extended resources allocation implemented in Nvidia GPU design. So when you open the resource files package (gds-nvidia-fs). You will find two types of RDMA files. The nvfs-rdma[.]c files are source files which will be compiled. The nvfs-rdma[.]h files are used to expose the API of a program to either other part of
that program or other program is you are creating a library.

Remark: Usually, GPUDirect kernel module is set to load by default by the system startup service. If it is not loaded, GPUDirect RDMA would not work, which would result in a very high latency for message communications.

The high-risk scoring items caught my attention (see below):

CVE‑2021‑23201 – NVIDIA GPU and Tegra hardware contain a vulnerability in an internal microcontroller which may allow a user with elevated privileges to generate valid microcode. This could lead to information disclosure, data corruption, or denial of service of the device.

CVE‑2021‑23217 – NVIDIA GPU and Tegra hardware contain a vulnerability in the internal microcontroller which may allow a user with
elevated privileges to instantiate a specifically timed DMA write to corrupt code execution, which may impact confidentiality, integrity,
or availability.

As usual, vendor not convenient to elaborate the vulnerabilities reason in details. However if you are interested of this design weakness.
You can find the hints to narrow down the item then do a summary. Even if it may not be accurate. But there is no harm in doing this research.

Be my guest. Refer to diagram, the well known vulnerabilities is given by dirver (nvlddmkm[.]sys). Nvlddmkm[.]sys error is a well-known error. However I believe the vulnerability occurred this time may extend the impact to other edge. For example CPU (please refer to step 5,6 &7 display on attached diagram).

Official details and remedy: Please refer to the link – https://nvidia.custhelp.com/app/answers/detail/a_id/5263

Vulnerabilities discovered so far in GCC c++filt v2.26.Is it all solved now? (18-11-2021)

Preface: Not limited to traditional Linux, Apple also has cplus-dem[.]c open source.


What is GCC used for? GCC stands for GNU Compiler Collections which is used to compile mainly C and C++ language. It can also be used to compile Objective C and Objective C++.

File (cplus-dem.c) lives in both GCC and libiberty. Cplus-dem[.]cis part of the libiberty library.Libiberty is free software. This file imports xmalloc and xrealloc, which are like malloc and realloc except that they generate a fatal error if there is no available memory.

In C, the malloc() function will allocate memory on the heap and return a pointer to the address of the allocated memory. Whenever malloc() is used, you will most likely hear of the free() function being used, which as the name indicates will free or deallocate the address of the memory allocation presented by the pointer returned from malloc().

How the computer tracks these allocations and frees?
Computer through a dynamic data structure known as a “linked list” (lists in which each block includes a pointers to the next block on the list).
The linked list keeps track of the free blocks of memory within the system.

Vulnerability details: GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.

Official details: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188

Remediation: It has not been announced yet.