About CVE-2022-24122 – a vulnerability resolved two and a half months ago. Just to understand what happened (29-01-2022)

Preface: If you are a Kubernetes administrator, distributing resources may be part of your daily routine. Regarding this vulnerability, have you resolved it yet?

Background: Namespaces are one of the main features of the Linux kernel: they partition kernel resources so that a process can only see the specified set of resources. Examples of such resources are process IDs, hostnames, files, user names, network names, and inter-process communication.

Vulnerability details: kernel/ucount[.]c in the Linux kernel 5.14 through 5.16.4, when unprivileged user namespaces are enabled, allows a use-after-free and privilege escalation because a ucounts object can outlive its namespace.

Ref: Ordinary ucount references exist in places that also hold a reference to the user namespace, but in POSIX message queues, the SysV shm code, and the SIGPENDING code there is no independent user namespace reference.

Inspection of the user_namespace code shows no instance of circular references between struct ucounts and the user_namespace, so holding a reference from struct ucounts to its user_namespace resolves this problem.
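To make the reference-counting point concrete, here is an added C model (not kernel code) of a namespace object and a counted resource that either borrows a bare pointer to it or holds its own reference. All struct and function names are hypothetical stand-ins, and put() marks the object dead instead of freeing it so the dangling case can be observed safely.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a user namespace. Instead of freeing memory,
 * the last put() marks the object dead so the demo can observe a dangling
 * pointer without real undefined behaviour. */
struct demo_user_ns {
    int refcount;
    int dead;              /* set to 1 when the last reference is dropped */
    const char *name;
};

/* Hypothetical stand-in for struct ucounts. */
struct demo_ucounts {
    struct demo_user_ns *ns;   /* pointer to the owning namespace */
    int holds_ns_ref;          /* 1 if this object took its own reference */
};

static struct demo_user_ns *ns_create(const char *name) {
    struct demo_user_ns *ns = calloc(1, sizeof *ns);
    ns->refcount = 1;
    ns->name = name;
    return ns;
}

static void ns_get(struct demo_user_ns *ns) { ns->refcount++; }

static void ns_put(struct demo_user_ns *ns) {
    if (--ns->refcount == 0)
        ns->dead = 1;          /* stand-in for kfree(): memory is now invalid */
}

/* Buggy variant: remembers the pointer but takes no reference, the
 * situation described above for POSIX mqueues, SysV shm and SIGPENDING. */
static struct demo_ucounts *ucounts_alloc_borrowed(struct demo_user_ns *ns) {
    struct demo_ucounts *uc = calloc(1, sizeof *uc);
    uc->ns = ns;
    return uc;
}

/* Fixed variant: hold a reference on the namespace for the lifetime of the
 * ucounts object, which is the approach the fix commit describes. */
static struct demo_ucounts *ucounts_alloc_ref(struct demo_user_ns *ns) {
    struct demo_ucounts *uc = ucounts_alloc_borrowed(ns);
    ns_get(ns);
    uc->holds_ns_ref = 1;
    return uc;
}

static void ucounts_free(struct demo_ucounts *uc) {
    if (uc->holds_ns_ref)
        ns_put(uc->ns);
    free(uc);
}

/* 1 if uc->ns may still be dereferenced, 0 if it dangles. */
static int ucounts_ns_alive(const struct demo_ucounts *uc) {
    return uc->ns != NULL && !uc->ns->dead;
}

/* The task that created the namespace drops its reference (e.g. it exits)
 * while a shm segment or pending signal still holds the ucounts object.
 * Returns 1 if a later access through uc->ns is still valid, 0 if not. */
static int scenario(int use_fix) {
    struct demo_user_ns *ns = ns_create("userns-A");
    struct demo_ucounts *uc = use_fix ? ucounts_alloc_ref(ns)
                                      : ucounts_alloc_borrowed(ns);
    ns_put(ns);                           /* creator's reference goes away */
    int alive = ucounts_ns_alive(uc);     /* the deferred access */
    ucounts_free(uc);
    free(ns);                             /* demo cleanup: ns is dead by now in both paths */
    return alive;
}

int main(void) {
    printf("borrowed pointer : namespace alive = %d (dangling)\n", scenario(0));
    printf("counted reference: namespace alive = %d\n", scenario(1));
    return 0;
}
```

The borrowed variant returns 0 because the namespace was released while the ucounts object was still in use; the fixed variant keeps the namespace alive until the ucounts object itself is released.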

Remediation: Please refer to the link for details – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f9d87929d451d3e649699d0f1d74f71f77ad38f5

Some said the “php echo call” potential risk (CVE-2022-23993) gave small to medium enterprise firms a headache? But now it’s fixed. (26th Jan, 2022)

Preface: Without the open-source software concept, technology would hardly have become common. Even if you are concerned about cyber security, they can fix it when a vulnerability occurs.

Background: pfSense is an open source firewall and routing platform based on FreeBSD. pfSense can be installed on physical computers or virtual machines, and can act as an independent firewall and router in the network. It is equipped with a web user interface for administrative tasks such as configuration and updates, which makes it easier to use.

Vulnerability details: If you accept the QNAP solution that turns your NAS into a virtual router, the vulnerability found in pfSense this time reminds you to stay alert. The following vulnerability was found: /usr/local/www/pkg[.]php in pfSense through 2.5.2 uses $_REQUEST['pkg_filter'] in a PHP echo call.
The main reason for using $_REQUEST is that the parameter can be transferred in either $_POST or $_GET. By accessing $_REQUEST you don’t have to check both $_GET and $_POST to see whether the value is set.
If you are passing $_GET (or $_POST) parameters to your queries, make sure that they are cast to strings first. An attacker can insert associative arrays in GET and POST requests, which could then become unwanted $-queries.

Official article on the remedy they applied: please refer to the link – https://github.com/pfsense/pfsense/commit/5d82cce0d615a76b738798577a28a15803e59aeb

openSUSE Backports SLE-15-SP3 watchman suffers from a design flaw (26-01-2022)

Preface: What are backports in traditional Linux?
“Backporting” is the process of making new software run on something old. A version of something new that’s been modified to run on something old is called a “backport”. The Backports Project develops tools to automate the backporting process for Linux drivers. These tools form the backports suite.

Background: The idea of the Backports project is to collect openSUSE packages built for SUSE Linux Enterprise in a central repository. The policies for this repo are aligned with SUSE in order to maintain supportability of the main OS, making the packages “safe” to install and use.

The openSUSE:Backports projects are built as “Maintenance” projects. This is a special type of project which not only contains the latest build of a package, but also a history of previous releases. It’s also how the openSUSE updates projects are managed.

Vulnerability details: A UNIX Symbolic Link (Symlink) Following vulnerability in the systemd service file for watchman of openSUSE Backports SLE-15-SP3, Factory allows local attackers to escalate to root.

The details below are the explanation given by Matthias Gerstner.

The problem here is that watchman should continue working as normal on the command line without using systemd. This means that an unprivileged watchman instance must be able to create /run/watchman/$USER-state. This is why /run/watchman is a public sticky-bit directory.

What does a sticky bit do?
The modern function of the sticky bit applies to directories: it protects a directory and its contents from being renamed or deleted by users who do not own them.
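A sticky, world-writable directory stops other users deleting your file, but it does not stop them placing a symlink there under the name your service expects. The added C example below (not watchman’s code; all names and paths are hypothetical, and it works inside a scratch directory it creates itself) shows how a service running as an ordinary user can create its per-user state file in such a directory without following a planted link: open with O_NOFOLLOW, then verify with fstat that the opened object is a regular file owned by the caller.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef S_ISVTX
#define S_ISVTX 01000
#endif

/* 1 if `dir` is a directory with the sticky bit set (like /tmp or a public
 * /run/<service> directory), 0 otherwise. */
static int dir_is_sticky(const char *dir) {
    struct stat st;
    if (lstat(dir, &st) != 0) return 0;
    return S_ISDIR(st.st_mode) && (st.st_mode & S_ISVTX) != 0;
}

/* Open or create the caller's state file without following a symlink at the
 * final path component (O_NOFOLLOW), then confirm via fstat that what we
 * opened is a regular file owned by us. Returns an fd, or -1 if any check
 * fails, so a planted link pointing at someone else's file is never used. */
static int open_state_file_safely(const char *path) {
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-contained scenario in a scratch directory: a sticky "run" dir where
 * someone has planted run/user-state -> ../victim. Returns 1 if the safe
 * open refused the link and later succeeded on a plain file, 0 if not,
 * -1 if the scratch directory could not be created. */
static int demo_symlink_rejected(void) {
    char base[64], run_dir[128], victim[128], state[160];
    int ok = 0, fd, refused, created;

    snprintf(base, sizeof base, "/tmp/wm_demo_%ld", (long)getpid());
    if (mkdir(base, 0700) != 0) return -1;
    snprintf(run_dir, sizeof run_dir, "%s/run", base);
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(state, sizeof state, "%s/user-state", run_dir);

    if (mkdir(run_dir, 01777) != 0) goto cleanup;
    if (chmod(run_dir, 01777) != 0) goto cleanup;   /* umask may have stripped bits */
    fd = open(victim, O_WRONLY | O_CREAT, 0600);      /* the file a link would point at */
    if (fd < 0) goto cleanup;
    close(fd);
    if (symlink(victim, state) != 0) goto cleanup;    /* the planted link */

    fd = open_state_file_safely(state);               /* must fail (ELOOP) */
    refused = (fd < 0);
    if (fd >= 0) close(fd);

    unlink(state);                                    /* link gone; create the real file */
    fd = open_state_file_safely(state);
    created = (fd >= 0);
    if (fd >= 0) close(fd);

    ok = refused && created && dir_is_sticky(run_dir);
cleanup:
    unlink(state); unlink(victim); rmdir(run_dir); rmdir(base);
    return ok;
}

int main(void) {
    int r = demo_symlink_rejected();
    printf("symlink refused and plain file created: %s\n",
           r == 1 ? "yes" : (r == 0 ? "no" : "setup failed"));
    return 0;
}
```

The fstat check after the open matters as much as O_NOFOLLOW: it catches a pre-existing regular file owned by another user, which O_NOFOLLOW alone would happily open.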

Official announcement: Please refer to the link for details – https://bugzilla.suse.com/show_bug.cgi?id=1194470

Is this concept like CVE-2022-23008? (26-01-2022)

Preface: NGINX Controller provides lightning-fast application delivery and API management for modern app teams.

Background: What is a Data Plane?

The data plane is a layer of service proxies that manage application-level network traffic. Data planes typically operate on Layer 7 (application) traffic, although they may also operate on Layer 4 (transport) traffic. For example, popular data plane proxies include Envoy Proxy, NGINX, and HAProxy.

Layer seven refers to a layer of the Open Systems Interconnection (OSI) model. It is the highest level, the application layer, which supports end-user applications and processes, and both defenses and attacks are built around this area. That is why some expert firms focus on Layer 4 and Layer 7.

Vulnerability details: CVE-2022-23008 – Successful exploitation allows an attacker to read and/or write files on the NGINX data plane instance. The access to files is limited to the user running the NGINX process, typically the nginx user.

Is this concept like CVE-2022-23008? An attacker can trick the browser by replacing the Access-Control-Allow-Origin header.
First, the upstream header must be hidden using (proxy_hide_header Access-Control-Allow-Origin;). Then our own header is added before the response is sent back. NGINX will not replace headers; it will append to them.
So one possible way is that an attacker exploits a proxy.

If you are interested in the details, please refer to the attached diagram.

Vendor announcement: Final – K57735782: NGINX Controller API Management vulnerability CVE-2022-23008 – https://support.f5.com/csp/article/K57735782

CVE-2022-23852 – Prevent Expat (XML_GetBuffer) Signed integer overflow (24-01-2022)

Preface: Expat is free software. You may copy, distribute, and modify it under the terms of the License contained in the file COPYING distributed with this package. This license is the same as the MIT/X Consortium license.

Background: As an open-source XML parser, Expat can be used from several programming languages, such as Python, PHP, Perl, etc. Four functions are frequently used (see below):

  • XML_ParserCreate – To create a new parser object.
  • XML_SetElementHandler – To define handlers for start and end tags.
  • XML_SetCharacterDataHandler – To define the handler for text.
  • XML_Parse – To pass a buffer full of document data to the parser.

After the web server receives the XML data, it hands it to the XML parser. To use the Expat library, programs first register handler functions with Expat. When Expat parses an XML document, it calls the registered handlers as it finds relevant tokens in the input stream. These tokens and their associated handler calls are called events. Typically, programs register handler functions for XML element start or stop events and character events. Expat provides facilities for more sophisticated event handling such as XML Namespace declarations, processing instructions and DTD events.

Vulnerability details: CVE-2022-23852 – Fix signed integer overflow (undefined behavior) in function XML_GetBuffer (that is also called by function XML_Parse internally) when XML_CONTEXT_BYTES is defined to >0 (which is both common and default). Impact is denial of service or more.

Some kinds of integer overflow are undefined, and these kinds of behavior are especially problematic. According to the C99 standard, undefined behavior is “behavior, upon use of a non-portable or erroneous program construct or of erroneous data, for which this International Standard imposes no requirements.”

Ref: A signed integer is a 32-bit datum that encodes an integer in the range [-2147483648, 2147483647]. An unsigned integer is a 32-bit datum that encodes a nonnegative integer in the range [0, 4294967295]. A signed integer is represented in two’s complement notation.
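The following added C example (not libexpat’s code; the struct, function names and bookkeeping are hypothetical simplifications of what a buffer-growing routine like XML_GetBuffer has to do) shows the class of check that stops a signed int sum from overflowing: every partial sum is tested against INT_MAX before it is performed, and a negative request is refused outright.

```c
#include <limits.h>
#include <stdio.h>

/* Buffer bookkeeping similar in spirit to an XML parser that keeps some
 * already-parsed "context" bytes (cf. XML_CONTEXT_BYTES) in front of the
 * unparsed data. Hypothetical layout for this example only. */
struct demo_buf {
    int context_bytes;   /* bytes kept for error context, >= 0 */
    int unparsed;        /* bytes received but not yet consumed, >= 0 */
};

/* What the naive int sum context + unparsed + len WOULD be, computed in
 * 64 bits so we can show it exceeding INT_MAX. In 32-bit int arithmetic
 * that sum is undefined behaviour, not merely a wrong number. */
static long long naive_needed_bytes_as_wide(const struct demo_buf *b, int len) {
    return (long long)b->context_bytes + b->unparsed + len;
}

/* Checked computation: rejects negative requests and any partial sum
 * that would exceed INT_MAX. Returns the needed size, or -1. */
static int checked_needed_bytes(const struct demo_buf *b, int len) {
    if (len < 0 || b->context_bytes < 0 || b->unparsed < 0)
        return -1;
    if (b->context_bytes > INT_MAX - b->unparsed)   /* context + unparsed would overflow */
        return -1;
    int keep = b->context_bytes + b->unparsed;
    if (keep > INT_MAX - len)                        /* keep + len would overflow */
        return -1;
    return keep + len;
}

/* 1 if a request of len bytes can be satisfied without overflow,
 * 0 if the parser should fail the request instead. */
static int request_is_safe(int context_bytes, int unparsed, int len) {
    struct demo_buf b = { context_bytes, unparsed };
    return checked_needed_bytes(&b, len) >= 0;
}

int main(void) {
    struct demo_buf small = { 1024, 100 };
    struct demo_buf big   = { 1024, INT_MAX - 100 };   /* constructed hostile state */
    int len = 500;
    printf("small: checked = %d, safe = %d\n",
           checked_needed_bytes(&small, len), request_is_safe(1024, 100, len));
    printf("big:   wide sum = %lld (INT_MAX is %d), checked = %d\n",
           naive_needed_bytes_as_wide(&big, len), INT_MAX, checked_needed_bytes(&big, len));
    return 0;
}
```

The shape of the check (compare against INT_MAX minus the other operand, never add first and inspect afterwards) is what matters; once the overflow has happened the compiler is entitled to assume it did not.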

Official article: https://github.com/libexpat/libexpat/pull/550

Are you worried when JerryScript has vulnerabilities? (24th Jan, 2022)

Preface: Samsung Electronics started the development of IoT.js in 2015, a platform for IoT applications written in JavaScript, together with JerryScript, a JavaScript engine for small, embedded devices.

Background: JerryScript is an ultra-lightweight JavaScript engine for the Internet of Things. It is capable of executing ECMAScript 5.1 source code on devices with less than 64 KB of memory.
The JerryScript engine can be embedded into any application, providing a way to run JavaScript in a wide range of environments – from desktops to low-memory microcontrollers.

Ref: IoT devices come with severe constraints in terms of CPU performance and memory footprint. Because of that, Samsung designed the JerryScript engine to run in less than 64 KB of RAM, and the entire code fits in less than 200 KB of ROM.

Vulnerability details: CVE-2022-22895 – The following vulnerability was found:
Jerryscript 3.0.0 was discovered to contain a heap-buffer-overflow via ecma_utf8_string_to_number_by_radix in /jerry-core/ecma/base/ecma-helpers-conversion[.]c.

Why are we interested in CVE-2022-22893? Here’s why:

The stack is a linear data structure whereas the heap is a hierarchical one. Stack memory never becomes fragmented, whereas heap memory can become fragmented as blocks of memory are first allocated and then freed. The stack holds local variables only, while the heap allows you to access variables globally.
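Since the vulnerable routine converts a string to a number by radix, the added C example below (not JerryScript’s code; the function names are this example’s own) shows what a heap-safe version of that job looks like: the digits are read strictly within the caller-supplied length, never up to a NUL terminator, and digit accumulation is checked for overflow instead of wrapping. The last helper deliberately parses from a heap block of exactly the right size with no terminator, the case where a length-unaware loop would read past the allocation.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Map one ASCII character to its digit value (0-35), or -1 if not a digit. */
static int digit_value(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'z') return c - 'a' + 10;
    if (c >= 'A' && c <= 'Z') return c - 'A' + 10;
    return -1;
}

/* Parse `len` bytes of `str` as an unsigned integer in base `radix` (2..36).
 * Returns 1 and stores the value in *out on success; returns 0 on empty
 * input, an invalid digit for the radix, or overflow of uint64_t.
 * `str` is touched only in [0, len), so no terminator is required. */
static int parse_by_radix(const char *str, size_t len, int radix, uint64_t *out) {
    if (radix < 2 || radix > 36 || len == 0) return 0;
    uint64_t value = 0;
    for (size_t i = 0; i < len; i++) {
        int d = digit_value((unsigned char)str[i]);
        if (d < 0 || d >= radix) return 0;           /* e.g. 'g' is not a base-16 digit */
        /* value * radix + d must not exceed UINT64_MAX */
        if (value > (UINT64_MAX - (uint64_t)d) / (uint64_t)radix) return 0;
        value = value * (uint64_t)radix + (uint64_t)d;
    }
    *out = value;
    return 1;
}

/* Edge case: the digits live in a heap block of exactly `len` bytes with
 * no terminating NUL. A parser that walked until '\0' would read past the
 * block (a heap over-read); this one cannot. */
static int parse_exact_heap_block(const char *src, size_t len, int radix, uint64_t *out) {
    char *block = malloc(len ? len : 1);    /* no +1: there is no room for a NUL */
    if (!block) return 0;
    memcpy(block, src, len);
    int ok = parse_by_radix(block, len, radix, out);
    free(block);
    return ok;
}

int main(void) {
    uint64_t v;
    if (parse_exact_heap_block("ff", 2, 16, &v))
        printf("\"ff\" base 16 = %llu\n", (unsigned long long)v);
    printf("\"1g\" base 16 valid? %d\n", parse_by_radix("1g", 2, 16, &v));
    printf("17 x 'f' base 16 valid? %d\n",
           parse_by_radix("ffffffffffffffff" "f", 17, 16, &v));
    return 0;
}
```

Running the block under AddressSanitizer is a quick way to confirm the no-terminator case stays inside the allocation.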

See whether the attached diagram gives you a quick idea of the vulnerability. Also, some other vulnerabilities were found in JerryScript. See below for details:

CVE-2022-22894 – The following vulnerability was found:
Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_lcache_lookup in /jerry-core/ecma/base/ecma-lcache[.]c.

CVE-2022-22893 – The following vulnerability was found:
Jerryscript 3.0.0 was discovered to contain a stack overflow via vm_loop.lto_priv.304 in /jerry-core/vm/vm[.]c.

CVE-2022-22891 – The following vulnerability was found:
Jerryscript 3.0.0 was discovered to contain a SEGV vulnerability via ecma_ref_object_inline in /jerry-core/ecma/base/ecma-gc[.]c.

Remedy: Please refer to GitHub.

Get rid of crafted Modbus traffic bothering your defense mechanism – 21st JAN 2022

Preface: Le Rouge et le Noir – not a bad guy is a good guy. If the vulnerability is due to an integer overflow when handling Modbus traffic, is it an early warning?

Background: The reason Modbus was so successful was the fact that it could be so readily understood by non-programmers. Engineers who built glue machines, meters, measuring devices, and such could easily understand the concept of coils/registers and the simple commands to read and write them.

About cyber attacks: Modbus over serial is immune to common malware attacks. But which methods increase the risk of Modbus network attacks? See below:

I. MODBUS over TCP means a MODBUS RTU packet wrapped in a TCP packet.
II. MODBUS TCP means a MODBUS TCP packet wrapped in a TCP packet.

Perhaps the common idea is that the Modbus driver might be vulnerable to attack. However, the above two types of TCP communication methods increase the possibilities of attack. For instance, an attacker could send crafted Modbus traffic to attack an IDS (an IDS device that aims to protect the back-end HMI, PLC and SCADA infrastructure).
Because the implementation decodes a message type incorrectly, it exposes a buffer overrun. This is equivalent to a denial of service.

One of the possible ways is to enhance validation in the related IDS modules (see below):

  1. Check the crc, and if it isn’t correct ignore the request.
  2. Check the validity of the data based on the function code.
  3. Broadcast is not supported
  4. Add bytes to expected request size (2 x Index, 2 x Count)
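The four checks above, written out as an added C validator for Modbus RTU read requests. This is example code, not from any IDS product; the verdict names, the set of accepted function codes (the four read functions 0x01 to 0x04 with their standard maximum counts) and the fixed 8-byte request layout are this example’s own policy choices. The CRC is the standard Modbus CRC-16 (polynomial 0xA001, initial value 0xFFFF, sent low byte first).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Standard Modbus CRC-16: reflected polynomial 0xA001, init 0xFFFF.
 * The frame carries the result low byte first. */
static uint16_t modbus_crc16(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1) ? (uint16_t)((crc >> 1) ^ 0xA001) : (uint16_t)(crc >> 1);
    }
    return crc;
}

enum mb_verdict {
    MB_OK = 0,
    MB_BAD_LENGTH,   /* step 4: frame is not the expected request size */
    MB_BAD_CRC,      /* step 1: checksum mismatch, ignore the request */
    MB_BROADCAST,    /* step 3: unit id 0 (broadcast) is not supported */
    MB_BAD_FUNCTION, /* function code not allowed by this policy */
    MB_BAD_DATA      /* step 2: index/count outside what the function permits */
};

/* Validate one RTU read request:
 * [unit][fc][index hi][index lo][count hi][count lo][crc lo][crc hi] */
static enum mb_verdict validate_modbus_rtu_request(const uint8_t *frame, size_t len) {
    /* step 4: expected size = unit + fc + 2 x index + 2 x count + 2 x crc */
    const size_t expected = 1 + 1 + 2 + 2 + 2;
    if (len != expected) return MB_BAD_LENGTH;

    /* step 1: CRC over everything before the two CRC bytes */
    uint16_t want = (uint16_t)(frame[6] | (frame[7] << 8));
    if (modbus_crc16(frame, 6) != want) return MB_BAD_CRC;

    /* step 3: broadcast (unit id 0) makes no sense for a read */
    if (frame[0] == 0) return MB_BROADCAST;

    /* step 2: data validity depends on the function code */
    uint8_t fc = frame[1];
    uint16_t index = (uint16_t)((frame[2] << 8) | frame[3]);
    uint16_t count = (uint16_t)((frame[4] << 8) | frame[5]);
    uint16_t max_count;
    switch (fc) {
        case 0x01: case 0x02: max_count = 2000; break;  /* coils / discrete inputs */
        case 0x03: case 0x04: max_count = 125;  break;  /* holding / input registers */
        default: return MB_BAD_FUNCTION;
    }
    if (count == 0 || count > max_count) return MB_BAD_DATA;
    if ((uint32_t)index + count > 0x10000u) return MB_BAD_DATA;  /* address wrap */
    return MB_OK;
}

/* Build a well-formed request so callers and tests can construct frames. */
static void build_request(uint8_t out[8], uint8_t unit, uint8_t fc,
                          uint16_t index, uint16_t count) {
    out[0] = unit; out[1] = fc;
    out[2] = (uint8_t)(index >> 8); out[3] = (uint8_t)index;
    out[4] = (uint8_t)(count >> 8); out[5] = (uint8_t)count;
    uint16_t crc = modbus_crc16(out, 6);
    out[6] = (uint8_t)crc; out[7] = (uint8_t)(crc >> 8);
}

int main(void) {
    uint8_t f[8];
    build_request(f, 1, 0x03, 0, 10);          /* read 10 holding registers from unit 1 */
    printf("frame: ");
    for (int i = 0; i < 8; i++) printf("%02X ", f[i]);
    printf("-> verdict %d\n", validate_modbus_rtu_request(f, 8));
    f[7] ^= 0x01;                               /* corrupt the CRC: constructed bad frame */
    printf("corrupted CRC -> verdict %d (MB_BAD_CRC is %d)\n",
           validate_modbus_rtu_request(f, 8), MB_BAD_CRC);
    return 0;
}
```

Ordering matters: the length and CRC checks run before any field is interpreted, so a truncated or corrupted frame is dropped before the decoder ever looks at the function code, which is exactly the step where the overrun described above would occur.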

Because of the PLC, repairing or mitigating the HMI is not so flexible, since it affects industrial systems and/or related operating functions.
Sometimes even IIoT manufacturers cannot provide you with a clear upgrade roadmap. Therefore, installing an IDS as a detective and preventive control is an effective way to implement protection. This discussion does not focus on any particular IDS device. If you have any related matters, it is recommended to listen to the supplier’s opinion.

End of writing.

Regarding the ManageEngine security announcement (CVE-2021-44757), do you have doubts about their design? (19-1-2022)

Preface: Asset scanning is the key function for maintaining asset management integrity. If the company structure does not operate standalone, in some circumstances the system architect will formalize a distributed architecture. However, how to scan and collect data is an important topic. Perhaps the file size is variable because of the data content. As a result, when the file is transferred to the back-end system, compression technology (for example, a ZIP file) is traditionally used to reduce network bandwidth consumption. Furthermore, software developers aim to improve the process completion time.

Background (Asset Scan in Remote AE Server): The scanned information in the Remote AE Server can be updated periodically either manually or automatically in the Central AE Server.

You can install AssetExplorer as a Central Server by choosing the server type as Central AE Server on starting the application for the first time. The application is started as the Central AE Server.

As a result, the Central AE server tracks all your newly added assets and keeps a record of all the assets in the organization.

About CVE-2021-44757: An authentication bypass vulnerability that can allow a remote user to perform unauthorized actions in the server. If exploited, this vulnerability may allow an attacker to read unauthorized data or write an arbitrary zip file on the server. 

As usual, the vendor does not disclose the vulnerability in detail. However, referring to the existing system design, it relies on the compression function. Perhaps the earlier version of the design did not enforce a data integrity check, and therefore it provided a channel for an attacker to create trouble.

Official announcement: For details, please refer to link – https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022

Oracle Releases January 2022 Critical Patch Update – A quick and easy understanding of CVE-2021-2351 (Oracle JDBC Native Network Encryption design limitation).

Preface: Even though CVE-2021-2351 was announced last year (21st July, 2021), this topic still attracts my interest. As we know, the web server and the DB server are important components of the existing digital world. For example, big data, IoT, automotive and mobility functions work with a front-end web server, and the communication between the web server and the database server relies on ODBC or JDBC to form a bridge to the database server. In the traditional attack scenario, SQL injection is a very common type of attack. When an incident happens, we lose data confidentiality.

Background: The JDBC thin client is a pure Java, Type IV driver. If you are accessing one type of database, such as Oracle, Sybase or IBM, the preferred driver type is 4.

Oracle Database provides native data network encryption and integrity to ensure that data is secure as it travels across the network. The setup offers two ways to encrypt data over the network, native network encryption and Transport Layer Security (TLS).

To cope with the confidentiality of data in system design, encrypting network data provides data privacy so that unauthorized parties cannot view plaintext data as it passes over the network. However, what if a design weakness occurs in the communication between devices? What do you think the exact impact of this defect is?

Vulnerability details: There are two fundamental design constraints on this issue (Native Network Encryption).

  • Clients that do not support native network encryption can fall back to unencrypted connections while incompatibility is mitigated.
  • It provides no non-repudiation of the server connection (that is, no protection against a third-party attack).

When an insider threat occurs, the above 2 design limitations will increase the possibility of being attacked.

Attack scenario: If an insider threat happens, cyber criminals sniff the internal network because of points 1 and 2 (refer to the attached diagram), and therefore they can easily perform session hijacking because there is no further protection. Since there is no need to obtain and install the CA’s SSL certificate on the attacker’s machine to conduct the man-in-the-middle attack, the attacker can easily receive a valid session token. As a result, he gains authorized access similar to that of the existing victim user.

Workaround: Update the Oracle Database servers and clients to the patched versions. Enforce usage of a secured protocol version by setting the following options:

SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS=FALSE (server-side)
SQLNET.ALLOW_WEAK_CRYPTO=FALSE (client-side)

Or use TLS-based transport security instead of Native Network Encryption.

US National Vulnerability Database details announcement – https://nvd.nist.gov/vuln/detail/CVE-2021-2351

About CVE-2022-0240: Do not underestimate a low-risk vulnerability (17th Jan, 2022)

Preface: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Background: MRuby is the lightweight implementation of the Ruby language complying with (part of) the ISO standard. Its syntax is Ruby 2.x compatible. MRuby is embeddable and can be run inside other applications, which makes it great for scripting and configuration. An unofficial consensus among IoT manufacturers is that dumb IoT devices only provide resources/services, while in the IoT broker cloud most components contain application logic. MRuby fits this use case well despite performance issues.

Vulnerability details: MRuby is vulnerable to a NULL pointer dereference. There is a NULL pointer dereference in prepare_singleton_class. The official remedy says that adding two additional lines of code in src/class[.]c remedies the vulnerability.

Refer to the attached diagram: suppose the design criteria are based on compiling Ruby code to bytecode, which is then installed on the IoT virtual machine.
As a matter of fact, the null pointer dereference happened in the MRuby object class. Will the program be impacted after compilation?

Perhaps the article below from Apple developer documentation provides guidance.

Dereferencing a null pointer always results in undefined behavior and can cause crashes. If the compiler finds a pointer dereference, it treats that pointer as nonnull. As a result, the optimizer may remove null equality checks for dereferenced pointers.

But no hints about the uncertainty related to the above topic were found on the internet, so it still needs to be observed.
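To show what a NULL check in a singleton-class preparation step looks like, and why it has to precede the first dereference (the optimizer point from the Apple text above), here is an added C example. It is not mruby’s code: the miniature class hierarchy, the struct layouts and the function names are hypothetical stand-ins for this post only.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical class: a name, a parent, and a flag for singleton classes. */
struct demo_class {
    const char *name;
    struct demo_class *super;   /* parent class, NULL at the root */
    int is_singleton;
};

/* Hypothetical object: only its class pointer matters here. It may be NULL
 * for an object that is not fully initialised, the case that crashes. */
struct demo_object {
    struct demo_class *klass;
};

/* Allocate a class; returns NULL on allocation failure. */
static struct demo_class *class_new(const char *name, struct demo_class *super) {
    struct demo_class *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->name = name;
    c->super = super;
    return c;
}

/* Give obj its own singleton class, inserted between obj and its class.
 * Returns 1 on success, 0 if obj has no class yet or allocation failed.
 * The guard on obj->klass is the "add a check" pattern: it must run before
 * obj->klass->is_singleton is read. If the read came first, the compiler
 * would be allowed to treat obj->klass as non-null and drop a later check. */
static int prepare_singleton_class(struct demo_object *obj) {
    if (obj == NULL || obj->klass == NULL)    /* check first, dereference later */
        return 0;
    if (obj->klass->is_singleton)
        return 1;                             /* already prepared */
    struct demo_class *sc = class_new("singleton", obj->klass);
    if (!sc) return 0;
    sc->is_singleton = 1;
    obj->klass = sc;
    return 1;
}

/* Walk the superclass chain; returns the number of classes visited so the
 * caller can see whether the singleton class was inserted. */
static int class_chain_depth(const struct demo_object *obj) {
    int depth = 0;
    for (const struct demo_class *c = obj ? obj->klass : NULL; c; c = c->super)
        depth++;
    return depth;
}

static void free_chain(struct demo_class *c) {
    while (c) { struct demo_class *next = c->super; free(c); c = next; }
}

/* Scenario 1: an object whose class pointer was never set. With the guard
 * this returns 0; without it, the function would dereference NULL. */
static int scenario_unset_class(void) {
    struct demo_object obj = { NULL };
    return prepare_singleton_class(&obj);
}

/* Scenario 2: a normal object (String -> Object) gains a singleton class.
 * Returns 1 if the chain grew from 2 to 3 classes. */
static int scenario_normal_object(void) {
    struct demo_class *object_class = class_new("Object", NULL);
    struct demo_class *string_class = class_new("String", object_class);
    struct demo_object obj = { string_class };
    int before = class_chain_depth(&obj);          /* String -> Object = 2 */
    int ok = prepare_singleton_class(&obj);
    int after = class_chain_depth(&obj);           /* singleton -> String -> Object = 3 */
    free_chain(obj.klass);
    return ok && before == 2 && after == 3;
}

int main(void) {
    printf("unset class handled without crash: %d\n", scenario_unset_class() == 0);
    printf("normal object got singleton class: %d\n", scenario_normal_object());
    return 0;
}
```

The crash the CVE describes is the first scenario without the guard; the guard turns it into an ordinary error return, which is all that "two extra lines" typically need to do.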

Remedy: The official announcement can be found at the following link: https://github.com/mruby/mruby/commit/31fa3304049fc406a201a72293cce140f0557dca