Preface: No matter what your reasons are, children are victims!
Human nature: Human desires are infinite. We may meet some of our needs, but new ones will soon emerge. Thus, scarcity explains the relationship between having unlimited demand and the problems within it.
Security Focus: The malware, known as WhisperGate, has two stages that corrupts a system’s master boot record, displays a fake ransomware note, and encrypts files based on certain file extensions.
Malware contained destructive goal and special evasion method:
They targets Windows devices, manipulating the master boot record, which results in subsequent boot failure. PhysicalDrive0″, GENERIC_ALL, FILE_SHARE_READ | FILE_SHARE_WRITE
Once the malware running under Anti-Debug, it can adjust its usual code execution path or modify the code to cause a crash, preventing analysts’ attempts to decipher it. The idea is to identify the machine code of some functions for 0xCC byte which stands for INT 3 assembly instruction.
Preface: Perhaps the risk of this vulnerability is not high. However, if attackers exploit specific design weaknesses. It’s hard to say if Lamda can’t direct the attack to the backend service cloud.
Background: Alexa is able to play music, provide information, deliver news and sports scores, tell you the weather, control your smart home and even allow Prime members to order products from Amazon.
Alexa is always listening, but not constantly recording. It doesn’t send anything to the cloud server until it hears your wake word (Alexa, Echo, or Computer). Without internet, any request or question you make will fail. This is because your commands are sent to the cloud for interpretation and decision making. Not every conversation you have in front of the smart speaker is recorded every single time, the design goal only wants you to command the smart speaker to be recorded. For this reason, the company uses wake words to attract the attention of smart speakers. To do this, Amazon uses a combination of fine-tuned microphones, short-memory buffers, and neural network training.
Vulnerability details: Improper Neutralization of audio output from 3rd and 4th Generation Amazon Echo Dot devices allows arbitrary voice command execution on these devices via a malicious skill (in the case of remote attackers) or by pairing a malicious Bluetooth device (in the case of physically proximate attackers), aka an “Alexa versus Alexa (AvA)” attack.
Ref: What is Alexa in Python? What is Alexa command in the skill’s context?
The Alexa Skills Kit SDK for Python simplifies the development of the back-end cloud service for your Alexa skill. A part of the Alexa Skills Kit, the SDK reduces the amount of code you need to write to process Alexa requests and responses and to handle other common skill tasks.
You can built few basic Alexa skills, the goal of these skills related to predefined questions. These predefined skills will do information mapping to find the right answer.
Preface: Blockchain protocols are regulations and guidelines followed to achieve its decentralized and distributed nature, to ensure secure transactions, and more. There are three basic types of blockchain: public blockchain, consortium blockchain and private blockchain.
Background: RigoBlock is a blockchain protocol that makes it possible for anyone to set up and run a digital token pool. It is an open protocol which developers can use for building their own applications for token management.
Vulnerability details: RigoBlock has been hacked. All tokens in Dragos except ETH and USDT are at risk due to protocol vulnerabilities being exploited. The hacker, “Whitehat”, has returned funds to the affected RigoBlock pool, leaving only 10% of the bug bounty reward.
In RigoBlock Dragos, all versions as of 2022-02-17 and later (until a major protocol update is accomplished) contain an exposed function (CWE-749), specifically setMultipleAllowances() which was not set to onlyOwner. The setMultipleAllowances() function can be to manipulate tokens with the contract.
Ref: CWE-749: Exposed Dangerous Method or Function The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
Reminder: Blockchain protocols are regulations and guidelines followed to achieve its decentralized and distributed nature, to ensure secure transactions, and more. If it require a major protocol upgrade to fix the design weakness. Before it fixed, you should consider not to use in the moment.
Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.
Background: Istio makes traffic management transparent to the application, moving this functionality out of the application and into the platform layer as a cloud native infrastructure. Istio complements Kubernetes, by enhancing its traffic management, observability and security for cloud native applications. Istio is an open source service mesh that layers transparently onto existing distributed applications. A service mesh often has complex operational requirements which include A/B testing, canary releases, access control, and rate limiting. These are in addition to its standard requirements of load balancing, discovering, failure recovery, end-to-end authentication, monitoring, and metrics.
Vulnerability details: The Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker……. For more details, please refer to the link – https://istio.io/latest/news/security/istio-security-2022-003/
Remedy: This release fixes the security vulnerabilities described in our February 22nd post, ISTIO-SECURITY-2022-003. This release note describes what’s different between Istio 1.13.0 and 1.13.1. For more details, please refer to the link – https://istio.io/latest/news/releases/1.13.x/announcing-1.13.1/
Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.
Background: QProcess – Used to start external programs and to communicate with them. The QProcess class is used to start external programs and to communicate with them. To start a process, pass the name and command line arguments of the program you want to run as arguments to start().
What is QProcess in Qt? QProcess manages the output of the running process, keeping standard output and standard error data in separate internal buffers. You can select the QProcess’s current read channel by calling setReadChannel(). This is the default channel mode of QProcess.
Vulnerability details: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
Impact – Opening files might lead to the execution of malicious binaries if they are placed in the right directories.
Remedy: When passed a simple program name with no slashes, QProcess on Unix systems will now only search the current directory if “.” is one of the entries in the PATH environment variable. This bug fix restores the behavior QProcess had before Qt 5.9.
Ref: If launching an executable in the directory set by setWorkingDirectory() or inherited from the parent is intended, pass a program name starting with “./”. For more information and best practices about finding an executable, see QProcess’ documentation.
Preface: In 2017, half of the world’s top 50 supercomputers used SUSE Enterprise Linux Server. Why does Linux dominate especially in supercomputer market? Linux is a free, open source operating system (OS), released under the GNU General Public License (GPL). Anyone can inspect or modify software “Source code”. Because of Linux cluster break the traditional technology limitation. Even though system developers does not have skill to develop CPU switch (crossbar) and related technology belongs. But they can modify the Linux OS and learn by Linux cluster technique. Finally, they can build their customized super power computing system. If you do a review of the top computer in the world, you will found that more and more super power computing systems are using Linux clustering technology. Therefore the proprietary technology is not a giant anymore. As a result, computer programmers can manipulate code to change the way software (“programs” or “applications”) works.
Background: This software (rndis.c) was originally developed in conformance with Microsoft’s Remote NDIS Specification License Agreement.
RNDIS refers to Remote NDIS. The implementation of RNDIS based on USB is actually TCP/IP over USB, which is to tun TCP/IP on the USB device, making the USB device look like a network card. With fast bridge cable, USB 3.1 could deliver a point to point network much faster than 1000-Base-T.
Vulnerability details: The RNDIS_MSG_SET usb control transfer request handler – rndis_set_response calls gen_ndis_set_resp passing a buffer pointer offset by BufOffset + 8. The BufOffset variable is retrieved from the RNDIS message and not validated to respect buffer boundaries. Consequently by manipulating the four byte InformationBufferOffset member of rndis_set_msg_type an attacker may offset the actual buffer by up to 0xffffffff bytes. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory.
Remark: The meaning of GADGET is an often small mechanical or electronic device with a practical use but often thought of as a novelty.
Ref: USB 3.1 Gen 1 and Gen 2 offer stimultaneous media rate connection of 5GB/s and 10Gb/s in each direction. As a result USB 3.1 will be faster than 1000-Base-T. Furthermore, a USB bus can have up to 127 target devices, but only one host. But Linux is flexible since you can read the source code. If you apply your imagination to design your own system. As we know, a USB bus can have up to 127 target devices, but only one host. If you apply Linux clustering concept. Form a new array to a group of array host with ethernet connectivity. So, it can be expandable.
Preface: The DOMParser interface provides the ability to parse XML or HTML source code from a string into a DOM Document . A module that parses a string as regular expression and returns the parsed value. it is the regular expression solution.
Background: The “url-parse” was created in 2014 when the WHATWG URL API was not available in Node.js and the URL interface was supported only in some browsers. As times goes by, the “url-parse” method exposes two different API interfaces nowadays. It is the url interface from Node.js and the new URL interface that is available in the latest browsers.
In version 1.0.0, url-parse module decide not relies on the RegExp based solution in favor of a pure string parsing solution which chops up the URL into smaller pieces. To parse an URL simply call the URL method with the URL that needs to be transformed into an object.
Vulnerability details: Vulnerability details: Url-parse is not able to verify broken protocol. If a specify host included in blacklist check (refer to attached diagram for details). This will allow to bypass hostname validation when hostname check equals null.
Official announcement: If the userinfo is present but empty, the parsed host is also empty, and url[.]pathname is not '/', then readd the empty userinfo to url[.]href, otherwise the original invalid URL might be transformed into a valid one with url[.]pathname as host. See the link for details – https://github.com/unshiftio/url-parse/commit/ef45a1355375a8244063793a19059b4f62fc8788
Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.
Background: NSX Data Center for vSphere provides networking and security functionality for your vSphere environment, including logical switching, logical routing, Distributed Firewall, load balancer, NAT, and VPN. NSX Data Center for vSphere is installed as a plug-in to VMware vCenter Server®.
Vulnerability details: The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation in the NSX Edge appliance component. A local user with access to NSX-Edge appliance (NSX-V) can pass specially crafted argument to unspecified shell utility and execute arbitrary OS commands as root.
One of the possibilities: An attacker can exploit a command injection in the NETCONF over SSH access (TCP port 830). the SSH configuration checks if the commands starts with scp and then, evaluates the command as a whole, resulting in a command injection instead of allowing scp command only. Attacker has a chance to identified a SUID program that can be used to gain full root privileges on the system.
Preface: The number 2,147,483,647 (or hexadecimal 7FFF,FFFF) is the maximum positive value for a 32-bit signed binary integer.
Background: TensorFlow is an end-to-end open source platform for machine learning. It has a comprehensive, flexible ecosystem of tools, libraries and community resources that lets researchers push the state-of-the-art in ML and developers easily build and deploy ML powered applications. TensorFlow and Scikit-learn, two of the most popular words from the jargon of the Machine Learning world!
Scikit-learn (sklearn) is positioned as a general-purpose machine learning library , but TensorFlow (tf) is positioned as a deep learning library .
For easy to understand on what ways of processing data with machine learning models. See below details. – Traditional machine learning: use feature engineering to artificially refine and clean the data – Deep learning: using representation learning, the machine learning model itself refines the data
Vulnerability details: Under certain scenarios, Grappler component of TensorFlow is vulnerable to an integer overflow during cost estimation for crop and resize. Since the cropping parameters are user controlled, a malicious person can trigger undefined behavior.
Ref: For example: If below setup is customized for agriculture yield analytic and artificial intelligence irrigation system. From design point of view, input not only limit to climatic parameters were considered in predicting the crop yield, the crop yield is influenced by many other input parameters such as irrigation, fertilizer application, pesticide application etc. Since those data will be defined as user input data (crop arguments are user controlled). In this circumstances, if such parameters does not implement maximum data input limit value or verification. As a result, it can trigger an overflow maliciously.
Impact: The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
The fix will be included in TensorFlow 2.8.0. It also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.
Background: NVIDIA License System supports the following types of service instances:
Cloud License Service (CLS) instance. A CLS instance is hosted on the NVIDIA Licensing Portal.
Delegated License Service (DLS) instance. A DLS instance is hosted on-premises at a location that is accessible from your private network, such as inside your data center.
NVIDIA License System is used to serve a pool of floating licenses to NVIDIA licensed products. The NVIDIA License System is configured with licenses obtained from the NVIDIA Licensing Portal. The license server is designed to be installed at a location that is accessible from a customer’s network, and be configured with licenses obtained from the NVIDIA Licensing Portal.
Vulnerability details: NVIDIA License System contains a vulnerability in the installation scripts for the DLS virtual appliance, where a user on a network after signing in to the portal can access other users’ credentials, allowing them to gain escalated privileges.
One of the possibilities: Traditional technology make use of service account concept.
Design weakness: Predefined sudo user account for a DLS virtual appliance. Purpose: This user account has the elevated privileges required to update and upgrade the Ubuntu GPL/LGPL v3 licensed Open Source Software (OSS) libraries within the DLS virtual appliance.
Remark: This account is provided to comply with the terms of the GPL/LGPL v3 license under which some libraries in the Ubuntu operating system in the DLS virtual appliance are released.