Apple released security update (11th Oct, 2021)

Preface: For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.

Background: The assert macro performs a runtime check of the given condition. For example: When a buffer maximum is 8, where the value of i is less that 8 the assert passes. But once i becomes 8 the assert fails causing the program to abort.

Vulnerability details: An expert discovered that even if the screen color is reversed, this vulnerability can be triggered. A memory corruption issue was addressed with improved memory handling.

Impact: An application may be able to execute arbitrary code with kernel privileges.

Official announcement: https://support.apple.com/en-us/HT212846

Above CVE-2021-42252 (11th October, 2021)

Preface: Linux mainly uses a paging mechanism to achieve virtual memory management. The size of the memory page is PAGE_SIZE bytes instead of 4 KB. On different platforms, the page size can range from 4 KB to 64 KB.

Background: The Aspeed BMC family which is what is used on OpenPOWER machines and a number of x86 as well is typically connected to the host via an LPC (Low Pin Count) bus (among others).

The check mixes pages (vm_pgoff) with bytes (vm_start, vm_end) on one side of the comparison, and uses resource address (rather than just the resource size) on the other side of the comparison. This can allow malicious userspace to easily bypass the boundary check and map pages that are located outside memory-region reserved by the driver.

Vulnerability details: CVE-2021-42252 – An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6. Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially execute privileges, aka CID-b49a0e69a7b1. This occurs because a certain comparison uses values that are not memory sizes.

Reminder: Hardware filter in the southbridge perhaps not easy to detect attacker exploit the vulnerability.

Official announcement:Please refer to the website for details – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b49a0e69a7b1a68c8d3f64097d06dabb770fec96

Remark: Seems no proof of concept disclosed till now. Refer to official details, it is a local attack. But this design flaw cause by memory corruption error trigger privilege escalation. Furthermore it is running on Linux. Therefore exploit the design flaw through 3rd party API then triggers the vulnerability still have possibilities.

Stay alert: Recently, an unknown trojan attack in the Linux environment, a malicious ELF file with UPX compression (11th Oct, 2021)

Preface: Antivirus software isn’t entirely useless on Linux. If you are running a Linux-based file server or mail server, you will probably need antivirus help.

Background: ELF file extension, an acronym for Executable and Linkable Format, is a common standard file extension used for executable, object code, core dumps and shared libraries. It was being chosen as the standard binary file format for Unix and Unix-based systems.

Observation and synopsis: Cyber criminal will send a email to you lure that to download a ELF binary file because of the following reason. An ELF file is an executable file meant to be used with a Nintendo Wii or Nintendo Wii emulator. It contains a video game or other Wii application. ELF files may contain official Wii applications or homebrew applications. For above reasons, you will click to downloading ELF binary files.

Perhaps, you have not installed antivirus software on the Linux platform. But you can use a simple Linux command to check whether the ELF binary file is embedded with UPX compression. Maybe this is a malicious file.

Hints: Suspicious ELF binary with UPX compression
In the source code to UPX, there’s a function int PackW32Pe::canUnpack() which is first ran as a test right when you do a upx -d (unpack executable). Magic or strings can detect whether UPX compressed file is embedded in elf binary file. It shows which offsets are to be tested to detect if a file was packed with UPX.

Reference: For more information, see Virustotal – https://www.virustotal.com/gui/file/efbd281cebd62c70e6f5f1910051584da244e56e2a3228673e216f83bdddf0aa/detection

About Apache HTTP Server 2.4.49 and 2.4.50 – CISA urges organizations to patch immediately if they haven’t already (7th Oct 2021)

Preface: the most famous UTF-8 attack was against unpatched web server.

Background: The most common users of Apache HTTP Server are from Small Businesses and the Information Technology & Services industry. Perhaps

How to Check the Apache Version?

  1. Open terminal application on your Linux, Windows/WSL or macOS desktop.
  2. Login to remote server using the ssh command.
  3. To see Apache version on a Debian/Ubuntu Linux, run: apache2 -v.
  4. For CentOS/RHEL/Fedora Linux server, type command: httpd -v.

Vulnerability details: The server didn’t correctly handle contents in the URL. So the contain contained invalid UTF-8 representation of the [/] character. Such an invalid UTF-8 escape is often referred to as an overlong sequence. Therefore it provide an opportunity to the attacker. On 6th Oct,2021, Apache released Apache HTTP 2.4.50 to fix an actively exploited path traversal vulnerability in version 2.4.49 (tracked as CVE-2021-41773). This flaw allows threat actors to view the contents of files stored on a vulnerable server. Please refer to the official website for announcements – https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013

If your IoT development is based on Zigbee,perhaps Zephyr CVE will bring to your consideration. (6th Oct 2021)

Preface: Ensure that the JSON parser does not try to write a potentially unlimited number of elements into a C array of a fixed size.

Background: Zephyr is a small real-time operating system (RTOS) for connected, resource-constrained and embedded devices (with an emphasis on microcontrollers) supporting multiple architectures and released under the Apache License 2.0. Zephyr includes a kernel, and all components and libraries, device drivers, protocol stacks, file systems, and firmware updates, needed to develop full application software. Furthermore the footprint as small as 8K.

Vulnerability details: Till now, the CVSS score not been defined yet. According to 4 different vulnerabilities registered this month. There are two different vulnerabilities related to BLE. Besides, a vulnerability related to Zigbee. The remaining one is related to JSON decoder. The flaw of JSON decoder display as below: When using JSON_OBJ_DESCR_ARRAY_ARRAY, the subarray is has the token type JSON_TOK_LIST_START, but then assigns to the object part of the union. “arr_parse” then takes the offset of the array-object (which has nothing todo with the list) treats it as relative to the parent object, and stores the length of the subarray in there. For the details of this vulnerability, please refer to link – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4

The following list shows other CVE details:

BLE:

CVE-2021-3436 – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63

CVE-2021-3581 – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8q65-5gqf-fmw5

Zigbee:

CVE-2021-3319 – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-94jg-2p6q-5364

Fastly CDN outage, perhaps not cyber attack (4th Oct, 2021)

Preface: In addition to cyber security attacks. Cloud service providers face different technical challenges, including software and hardware levels.

Background: Fastly is a company that provides content delivery network (CDN) services, mainly providing host static content and quickly showing it to Internet users. Fastly peers with other Internet Service Providers (ISPs) and Content Networks with IPv4 and IPv6 connectivity on Autonomous System (AS) 54113 for the purpose of exchanging traffic between these networks.

Service instability Report on October 4, 2021: It is reported that during the partial paralysis of Fastly CDN, Internet websites and services using the Fastly Content delivery Network (CDN) could not be used normally for more than an hour. Some users cannot access it directly, while others have entered an unexpected version of the website.

Their design attracted my attention: Fastly cloud distributed routing agent, called Silverton, which orchestrates route configuration within Fastly POPs. Silverton peers with the BGP daemon, BIRD, which interfaces with the outside internet. BIRD supports Internet Protocol version 4 and version 6 by running separate daemons. It establishes multiple routing tables,hand uses BGP, RIP, and OSPF routing protocols, as well as statically defined routes. If one service node have problem occurred which let the service up and down frequently (reboot). OSPF will update the routing table until completed. Whereby, it cause network traffic in slow response.

Current Status: Maybe we should wait for the supplier to announce the reason.

About CVE-2021-29249, IoT vendor should stay alert! (1st Oct, 2021)

Preface: BPF is available on most Unix-like operating systems and eBPF for Linux and for Microsoft Windows. In addition, if the driver for the network interface supports promiscuous mode, it allows the interface to be put into that mode so that all packets on the network can be received, even those destined to other hosts.

Background: The Berkeley Packet Filter (BPF) is a technology used in certain computer operating systems for programs that need to, among other things, analyze network traffic (and eBPF is an extended BPF JIT virtual machine in the Linux kernel). It provides a raw interface to data link layers, permitting raw link-layer packets to be sent and received.

Vulnerability details: CVE-2021-29249 prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel through 5.14.9 allows unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write.

In 32-bit architecture, the result of sizeof() is a 32-bit integer so the expression becomes the multiplication between two 32-bit integers which can potentially leads to integer overflow. As a result, bpf_map_area_alloc() allocates less memory than needed.

Remedy: Correct this by casting 1 operand to u64 (See attached picture for details).