About CVE-2022-0998: Linux Kernel’s virtio device driver design weakness (30th Mar 2022)

Preface: Suppose a method takes an array of bytes. The method does not know how big that array is; its size is controlled by the code calling the method. Assume it is 500 bytes long. Then an integer is read from somewhere else; assume the value 1000 is read.
As a result, the method attempts to read 1000 bytes into an array that can only hold 500 bytes. It performs no check that the array is big enough, nor does it read in chunks and concatenate when the array is too small. The outcome is an error recorded in the event log, after which the system halts.

Background: KVM (Kernel-based Virtual Machine) is a FreeBSD and Linux kernel module that gives a user-space program access to the hardware virtualization features of various processors; with it, QEMU is able to offer virtualization for x86, PowerPC and S/390 guests.
Virtio is a virtualization standard for network and disk device drivers in which only the guest’s device driver “knows” it is running in a virtual environment and cooperates with the hypervisor. Like a physical NIC, the virtio device supports features such as offloads, and can let the real host device perform them. To send a packet, the driver passes the device a buffer that starts with metadata, such as the offloads desired for the packet, followed by the packet frame to transmit.

Vulnerability details: An integer overflow flaw was found in the Linux kernel’s virtio device driver code, in the way a user triggers the vhost_vdpa_config_validate function. This flaw allows a local user to crash the system or potentially escalate their privileges.

Official announcement – about their troubleshooting: The added ‘c->off > size’ test in that commit will be done as an unsigned comparison on 32-bit (safe due to not being signed). On a 64-bit platform, it will be done as a signed comparison, but in that case the comparison will be done in 64-bit, and ‘c->off’ being a u32 it will be valid thanks to the extended range (i.e. both values will be positive in 64 bits).
So this was a real bug, but it was already addressed and marked for stable. For more details, please refer to the link – https://lore.kernel.org/netdev/20220123001216.2460383-13-sashal@kernel.org/

Reference: Primitive type u32 – the 32-bit unsigned integer type.
size_t is a base unsigned integer type of C/C++. It is the type of the result returned by the sizeof operator. The type’s size is chosen so that it can store the maximum size of any theoretically possible array of any type. On a 32-bit system size_t is 32 bits wide; on a 64-bit system it is 64 bits wide.
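As an added illustration (this is not code from the kernel or from the commit above), the following C program contrasts a range check that first adds a u32 offset and length and then compares the sum with the config size, against a check that, like the ‘c->off > size’ test, compares the offset on its own and then the length against the remaining room. The struct, the function names and the 256-byte config size are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the config-access request handled by
 * vhost_vdpa_config_validate(): a u32 offset and length into a device
 * config space that is `size` bytes long (size_t, as in the kernel). */
struct config_req {
    uint32_t off;
    uint32_t len;
};

/* Fragile form: off + len is added in 32-bit unsigned arithmetic (both
 * operands are u32, i.e. unsigned int here), so a large off wraps the sum
 * back to a small value that then passes the comparison against size. */
int validate_naive(const struct config_req *c, size_t size)
{
    uint32_t end = c->off + c->len;   /* may wrap modulo 2^32 */
    if (end > size)
        return -1;
    return 0;
}

/* Robust form, in the spirit of the added 'c->off > size' test: reject the
 * offset on its own first, then compare len with the remaining room, so no
 * addition is performed that could overflow on a 32-bit or 64-bit build. */
int validate_checked(const struct config_req *c, size_t size)
{
    if (c->len == 0 || c->off > size)
        return -1;                    /* invalid offset (EINVAL-like) */
    if (c->len > size - c->off)
        return -1;                    /* range runs past the end (E2BIG-like) */
    return 0;
}

int main(void)
{
    size_t config_size = 0x100;                        /* constructed: 256-byte config space */
    struct config_req wrap = { 0xFFFFFFF0u, 0x20u };   /* off + len wraps to 0x10 */
    struct config_req good = { 0x10u, 0x20u };
    printf("naive:   wrap=%d good=%d\n",
           validate_naive(&wrap, config_size), validate_naive(&good, config_size));
    printf("checked: wrap=%d good=%d\n",
           validate_checked(&wrap, config_size), validate_checked(&good, config_size));
    return 0;
}
```

The naive check accepts the wrapped request (it returns 0) on any platform where unsigned int is 32 bits wide, regardless of whether size_t is 32 or 64 bits; the checked form rejects it in both cases because it never forms the sum.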

CVE-2022-22948 – VMware vCenter Server updates address an information disclosure vulnerability 29th Mar, 2022

Preface: Security misconfiguration can happen at any level of an application stack, including the network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers, or storage. Automated scanners are useful for detecting misconfigurations, use of default accounts or configurations, unnecessary services, legacy options, etc.

Background: vSphere is a product suite. ESXi is a hypervisor installed on the physical machine. vCenter Server is a management platform for VMs. When you are working in a small virtualization environment, the vSphere client is sufficient to maintain and manage virtual machines hosted on a few ESXi servers.

Vulnerability details: The vCenter Server contains an information disclosure vulnerability due to improper permission of files. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.5.

Likely remediation related to this vulnerability (see below):

Switching the vCenter Server Appliance 6.x to Appliance Shell

Log in to the vCenter Server Appliance through SSH.
Run this command to change from using the BASH Shell to the Appliance Shell:

chsh -s /bin/appliancesh root

Log out from the Appliance Shell.
Log in again for the changes to take effect.

Vendor announcement: Please refer to the link for details – https://www.vmware.com/security/advisories/VMSA-2022-0009.html

CVE-2022-27950 – Design weakness in drivers/hid/hid-elo.c (impacted to ELO Touchscreen Monitor product) – 28th Mar 2022

Preface: Touchscreens provide direct navigation and accessibility through physical touch controls, eliminating the need for traditional computer mice and keyboards.

Background: Touchscreens are common in devices such as game consoles, personal computers, electronic voting machines, and point-of-sale (POS) systems. Elo’s IntelliTouch controllers are designed and manufactured to work specifically with IntelliTouch SAW touchscreens for optimal performance. No additional drivers are required for your projected-capacitive touch monitor with Windows 7, Windows 10 and most versions of Mac OS X, Android or Linux as it will use the built-in HID drivers in the Operating System.

In the Linux operating system, the driver (hid-elo.c) is located in the drivers/hid subdirectory. It is compatible with the ELO controller (single-touch unit), which works through a serial interface or via USB. This hardware controller is a full-speed, self-powered USB device. By default, the controller communicates over an RS-232 serial link. If, however, a USB cable is connected, the controller switches to an exclusively USB communication mode.

Vulnerability details: In drivers/hid/hid-elo.c in the Linux kernel before 5.16.11, a memory leak exists for a certain hid_parse error condition. When hid_parse() in elo_probe() fails, it forgets to call usb_put_dev() to decrease the refcount.

Remedy: Fix this by adding usb_put_dev() in the error-handling code of elo_probe(). For details, please refer to the attached diagram.
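The following C program is an added model of the leak and of its fix, not the driver’s own code: usb_get_dev()/usb_put_dev() are replaced by a plain counter, hid_parse() by a stub, and elo_probe() by two constructed versions that differ only in whether the error path drops the reference. The function names elo_probe_leaky, elo_probe_fixed and refcount_after are assumptions for the example.

```c
#include <stdio.h>

/* Constructed model of a refcounted USB device: usb_get_dev() takes a
 * reference and usb_put_dev() drops one. Only the count matters here;
 * the real kernel objects and hid_parse() are not reproduced. */
struct usb_device { int refcount; };

static struct usb_device *usb_get_dev(struct usb_device *udev)
{
    udev->refcount++;
    return udev;
}

static void usb_put_dev(struct usb_device *udev)
{
    udev->refcount--;
}

/* Stand-in for hid_parse(): 0 on success, negative on failure. */
static int hid_parse_stub(int should_fail)
{
    return should_fail ? -1 : 0;
}

/* Probe shaped like the pre-5.16.11 error path described above: the
 * reference taken by usb_get_dev() is never dropped when hid_parse fails. */
int elo_probe_leaky(struct usb_device *udev, int parse_fails)
{
    struct usb_device *held = usb_get_dev(udev);
    int ret = hid_parse_stub(parse_fails);
    if (ret)
        return ret;       /* BUG: returns without usb_put_dev(held) */
    (void)held;           /* on success the reference is kept until remove() */
    return 0;
}

/* Probe with the fix: unwind through an error label that drops the reference. */
int elo_probe_fixed(struct usb_device *udev, int parse_fails)
{
    struct usb_device *held = usb_get_dev(udev);
    int ret = hid_parse_stub(parse_fails);
    if (ret)
        goto err_put;
    return 0;
err_put:
    usb_put_dev(held);    /* the fix: release the reference on the error path */
    return ret;
}

/* Counterpart of the driver's remove(): releases the reference held since probe. */
void elo_remove(struct usb_device *udev)
{
    usb_put_dev(udev);
}

/* Runs one probe/remove cycle on a fresh device and returns the final
 * refcount: 0 means balanced, anything above 0 is a leaked reference. */
int refcount_after(int (*probe)(struct usb_device *, int), int parse_fails)
{
    struct usb_device dev = { 0 };
    if (probe(&dev, parse_fails) == 0)
        elo_remove(&dev);
    return dev.refcount;
}

int main(void)
{
    printf("leaky probe, hid_parse fails:  refcount=%d\n", refcount_after(elo_probe_leaky, 1));
    printf("fixed probe, hid_parse fails:  refcount=%d\n", refcount_after(elo_probe_fixed, 1));
    printf("fixed probe, success + remove: refcount=%d\n", refcount_after(elo_probe_fixed, 0));
    return 0;
}
```

A refcount that stays at 1 after a failed probe is exactly what keeps the struct usb_device from ever being freed; the goto-label unwind is the kernel’s usual way of making sure every acquired reference has a matching release on each early return.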

Recommendation: Update to driver v5.17-rc5

About CVE-2022-27948 (Tesla electric cars) – 27th Mar 2022

Preface: Hacking with RF tools is constrained by the limits on RF transmit power. From a technical point of view, it resembles a short-range attack, compared with traditional network attacks that run on top of TCP/IP networks. Network-based cyberattacks are more disruptive because they are not limited to a single device.

Background: The following attack can be performed on the radio communication component of any IoT device.
Tools are used to capture the raw data transmitted to the IoT device, and that raw data is then played back to the device to perform the actual attack. This is the so-called replay attack. It is the most common method security researchers use to dig out such security issues.

Tools used – HackRF, BladeRF, RTL-SDR, FUNcube dongle, GQRX, SDR#, URH, etc.

Vulnerability details: Certain Tesla vehicles through 2022-03-26 allow attackers to open the charging port via a 315 MHz RF signal containing a fixed sequence of approximately one hundred symbols.

According to the security expert’s findings, a little post-analysis of the message shows it appears to be ASK/OOK with a symbol rate of ~2.5 kHz at 315 MHz. Once the data is analyzed and processed, the binary data is obtained, together with the center frequency and the modulation scheme in use. The attacker then applies reverse engineering and uses an RF tool to send the original data back to the IoT device to launch the actual attack. This kind of attack is more complicated to perform than a plain replay attack.

Remark: The Tesla US Model S requires a 315 MHz module.

Observation: According to the original design, if the charge cable is close to the charge port door, you can press the button on the charge cable to open the charge port door even when the Model S is locked or a recognized key is not within range. About eight years ago, a technical expert found that when a Type 2 charge cable is used on a Tesla Model S, the auto-sense function cannot open the charge port door. In addition, he discovered that the available data memory is divided into Banks 0-15, and each bank may contain Special Function Registers, General Purpose Registers and Access RAM.
As a result, it appears that the existing design does not have tight protection in this area, so it is possible to use a 315 MHz transmitter to send the original function.
It appears that this design weakness requires the vendor to enhance the protection of this feature.

Details of Design Weaknesses: Please refer to the link – https://github.com/pompel123/Tesla-Charging-Port-Opener

CVE-2022-21820 – NVIDIA DCGM contains a vulnerability in nv-hostengine (24th Mar, 2022).

Preface: The product receives input or data, but it does not validate, or incorrectly validates, that the input has the properties required to process the data safely and correctly.

Background: The NVIDIA host engine, nv-hostengine, is a thin wrapper around the DCGM shared library. Its main job is to instantiate the DCGM library as a persistent standalone process, including appropriate management of the monitoring and management activities.

Vulnerability details: NVIDIA DCGM contains a vulnerability in nv-hostengine, where a network user can cause detection of error conditions without action, which may lead to limited code execution, some denial of service, escalation of privileges, and limited impact on both data confidentiality and integrity.

My observations and details

Step1. The NVIDIA host engine, nv-hostengine, is a thin wrapper around the DCGM shared library. Its main job is to instantiate the DCGM library as a persistent standalone process, including appropriate management of the monitoring and management activities.

Step2. Starting the Prometheus client
The script dcgm_prometheus.py is provided as a fully functional Prometheus client that publishes time-series data on a port to be read (scraped) by Prometheus. By default, this script publishes common fields read from a DCGM instance running locally every 10 seconds to localhost:8000. Information on controlling what is published, how often, and on what port is in the section on customization.
On the client side, start this script. It can either connect to a standalone host engine or run one embedded in the script.
To start an embedded host engine and check that it is publishing:
$ python dcgm_prometheus.py -e
$ curl localhost:8000 > tmp.txt

Step3. It is unclear whether the details below are the design weakness behind this vulnerability, because the vendor did not explain it in detail.
dcgm_prometheus.py error AttributeError: ‘DcgmPrometheus’ object has no attribute ‘m_publishFieldIds’

Remark: When class-validator is used to validate user input, the attributes in the user-input object are transformed into the validation class instance.
However, the transformation procedure overwrites an internal attribute of the validation class instance (e.g. the constructor attribute) if the attacker injects an attribute with the same name into the user input. Once this internal attribute is overwritten, class-validator is bypassed.

Official announcement: Reference link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5328

CVE-2022-27666 – a buffer overflow in ESP transformation in net/ipv4/esp4.c and net/ipv6/esp6.c via a large message. (23rd Mar 2022)

Preface: There are two types of buffer overflow: stack-based and heap-based. Heap-based overflows, which are harder to execute and the less common of the two, attack an application by flooding the memory space reserved for a program.

Background: Encapsulating Security Payload (ESP) is a protocol in the Internet Protocol Security (IPsec) family that encrypts and authenticates data packets sent between computers over a virtual private network (VPN). VPNs can work securely because of the layers at which ESP functions.

When one protocol’s packets or frames are encapsulated within another protocol, the overall frame size increases. Encapsulation adds a protocol header, so packets created at 1500 bytes and then encapsulated will exceed the MTU the network can handle. For example (see below):

IPsec encryption performed by the DMVPN adds 73 bytes for ESP-AES-256 and ESP-SHA-HMAC overhead (the overhead depends on transport or tunnel mode and on the encryption/authentication algorithm and HMAC).

Ref: What is IOTLB?
IOMMUs include an input/output translation lookaside buffer (IOTLB) to speed up address resolution, but every IOTLB cache miss still causes a substantial increase in DMA latency and performance degradation for DMA-intensive workloads.

Vulnerability details: In the Linux kernel before 5.16.15, there is a buffer overflow in ESP transformation in net/ipv4/esp4.c and net/ipv6/esp6.c via a large message. In some configurations, local users can gain privileges by overwriting kernel heap objects.

A heap buffer overflow flaw was found in the IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with normal user privileges to overwrite kernel heap objects and may lead to local privilege escalation.
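The following C program is an added example, not the kernel’s ESP code, serving both the encapsulation-overhead discussion above and the bounds-checking point behind this vulnerability. It computes how much an ESP transform adds to a payload (assuming one constructed transform: an 8-byte ESP header, AES-CBC with a 16-byte block and IV, and a 12-byte HMAC-SHA1-96 ICV), and appends the RFC 4303 trailer only after checking that padding, trailer and ICV fit in the buffer; a message that would not fit is refused rather than written past the end. All function names and the buffer sizes are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes for one constructed transform: ESP header (SPI + sequence number),
 * AES-CBC block/IV size and a 96-bit truncated HMAC-SHA1 ICV. Other
 * algorithm choices and tunnel vs transport mode change the overhead. */
#define ESP_HDR_LEN    8
#define AES_BLOCK      16
#define AES_IV_LEN     16
#define SHA1_HMAC_ICV  12
#define ESP_TAIL_LEN   2    /* pad length (1) + next header (1), RFC 4303 */

/* Padding needed so that payload + padding + tail is a multiple of blocksize. */
static size_t esp_padding(size_t payload_len, size_t blocksize)
{
    return (blocksize - (payload_len + ESP_TAIL_LEN) % blocksize) % blocksize;
}

/* Total ESP-encapsulated size of a payload, before any outer IP header.
 * Shows why a 1500-byte packet grows past the original MTU once wrapped. */
size_t esp_encap_len(size_t payload_len, size_t blocksize, size_t iv_len, size_t icv_len)
{
    return ESP_HDR_LEN + iv_len + payload_len + esp_padding(payload_len, blocksize)
           + ESP_TAIL_LEN + icv_len;
}

/* Append padding, pad length, next header and an ICV placeholder after
 * payload_len bytes already sitting in buf. The size of everything about
 * to be written is computed and compared with cap first; a message that
 * does not fit is refused instead of written past the end of the buffer.
 * Returns the bytes used, or -1 if it would not fit. */
int esp_append_trailer(uint8_t *buf, size_t cap, size_t payload_len,
                       size_t blocksize, size_t icv_len, uint8_t next_hdr)
{
    size_t padding = esp_padding(payload_len, blocksize);
    size_t need = payload_len + padding + ESP_TAIL_LEN + icv_len;
    if (payload_len > cap || need > cap || padding > 255)
        return -1;
    size_t p = payload_len;
    for (size_t i = 0; i < padding; i++)
        buf[p++] = (uint8_t)(i + 1);          /* default pad bytes 1, 2, 3, ... (RFC 4303) */
    buf[p++] = (uint8_t)padding;
    buf[p++] = next_hdr;
    memset(buf + p, 0, icv_len);              /* a real transform writes the MAC here */
    p += icv_len;
    return (int)p;
}

/* Demonstration wrapper: a cap-byte buffer holding payload_len constructed
 * payload bytes, then the AES/HMAC-SHA1 trailer appended with bounds checking. */
int esp_trailer_result(size_t cap, size_t payload_len)
{
    uint8_t buf[256];
    if (cap > sizeof buf)
        return -1;
    memset(buf, 0xAA, sizeof buf);            /* constructed payload bytes */
    return esp_append_trailer(buf, cap, payload_len, AES_BLOCK, SHA1_HMAC_ICV, 4 /* IPv4 */);
}

int main(void)
{
    printf("1500-byte payload -> %zu bytes of ESP (before outer IP header)\n",
           esp_encap_len(1500, AES_BLOCK, AES_IV_LEN, SHA1_HMAC_ICV));
    printf("30-byte payload in 64-byte buffer: %d\n", esp_trailer_result(64, 30));
    printf("50-byte payload in 64-byte buffer: %d\n", esp_trailer_result(64, 50));
    return 0;
}
```

The overhead this computes varies with the payload length (through the padding) and with the header and algorithm choices, which is why the page quotes the DMVPN figure as depending on mode and algorithm. The defensive point is the single size computation before any write: the trailer for a large message is sized in full and compared against the space actually available, the check whose absence lets a large message run past a kernel heap allocation.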

Remedy: The bugfix is available for download at git.kernel.org. The best mitigation is to upgrade to the latest version.

Observation: Presumably firewall and VPN vendors will be affected by this matter.

About BIND 9.18.0 (22nd Mar, 2022)

Preface: The registration of CVE records largely lags the time of the event. A CVE record may be published today even though the issue happened weeks or months ago. Still, with reference to these vulnerability records, a vulnerability scanner can give you a precise result after a scan.

Background: BIND (Berkeley Internet Name Domain) is a software collection of tools including the world’s most widely used DNS (Domain Name System) server software. This feature-full implementation of DNS service and tools aims to be 100% standards-compliant and is intended to serve as a reference architecture for DNS software.
DS Lookup lets you check DS records for any domain. The online tool allows you to query the DNS servers and identify the Delegation Signers (DS) record for the specified domain.

On 26th Jan, 2022, ISC officially announced the release of BIND 9.18.0. This is the first stable release that contains support for DoT and DoH. This branch will be supported for 4 years, through the end of 2025. With this new branch, the BIND 9.11 branch is officially EOL. ISC will continue to issue security patches for 9.11 for the remainder of Q1 2022, but that will be the end of maintenance for 9.11.

Remark: 9.18 adds support for securing DNS traffic using Transport Layer Security (TLS). TLS is used by both DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH).

Vulnerability details:

CVE-2022-0635: The vulnerability affects BIND resolvers running 9.18.0 that have both dnssec-validation and synth-from-dnssec enabled. (Note that dnssec-validation auto; is the default setting unless configured otherwise in named.conf, and that enabling dnssec-validation automatically enables synth-from-dnssec unless it is explicitly disabled.)

Solution: Users of BIND 9.18.0 should upgrade to BIND 9.18.1

Ref: https://kb.isc.org/docs/cve-2022-0635

CVE-2022-0667:While BIND is processing a request for a DS record that needs to be forwarded, it waits until this processing is complete or until the backstop lifetime timer has timed out. When the resume_dslookup() function is called as a result of such a timeout, the function does not test whether the fetch has previously been shut down. This introduces the possibility of triggering an assertion failure, which could cause the BIND process to terminate.

Solution: Users of BIND 9.18.0 should upgrade to BIND 9.18.1

Ref: https://kb.isc.org/v1/docs/cve-2022-0667

End of topic

About CVE-2022-24237 (21st Mar 2022)

Preface: What is application layer load balancing?
Application layer load balancers distribute requests based on the content of the requests being processed, including the HTTP/S headers and message body as well as session cookies. They can also track responses as they travel back from the server, thereby providing data on the load each server is handling at all times.

Background: There are two primary transport protocols on the internet – TCP and UDP. These are what we call layer 4 protocols. What about web browsing and email? The majority of the data sent across the internet is TCP, and that is what Snapt load balances. Protocols like HTTP, SMTP, SSL and many more all use TCP.
HTTP is a layer 7 protocol. All web browsing uses either HTTP or SSL (HTTPS) to fetch web content. Aria is the premier ADC solution for businesses, providing a load balancer, web accelerator, web app firewall (WAF), global server load balancer (GSLB), etc.
The Snapt Balancer is a feature-rich layer 7 TCP load balancer.

Vulnerability details: The snaptPowered2 component of Snapt Aria v12.8 was discovered to contain a command injection vulnerability. This vulnerability allows authenticated attackers to execute arbitrary commands.

To establish a typical remote shell, a machine controlled by the attacker connects to a remote network host and requests a shell session; this is called a bind shell. But what if the remote host is not directly accessible, for example because it has no public IP or is protected by a firewall? In this situation a reverse shell might be used, where the target machine initiates an outgoing connection to a listening host and a shell session is established.
Refer to the diagram: the proof of concept tries to spawn a reverse shell from the target host to the attacker’s machine. For more technical details, please refer to the link – https://www.cryptnetix.com/blog/2022/03/19/Snapt-Aria-Vulnerability-Disclosure.html

About CVE-2022-27250 (18th Mar, 2022)

Preface: Firmware is stored in flash memory either inside or outside a microcontroller. If a vulnerability occurs in firmware, a firmware update is ultimately needed to fix the problem.
Firmware is found in general-purpose computing devices like smartphones, PCs, laptops, etc.

Background: The matter behind CVE-2022-27250 may have existed since 2019. The chip model in question tends to be the processor of choice for many low-cost manufacturers. Per historical record, low-cost brands are often involved in malware cases, ostensibly because limited resources mean bugs cannot be fixed effectively.

Vulnerability details: The UNISOC chipset through 2022-03-15 allows attackers to obtain remote control of a mobile phone, e.g., to obtain sensitive information from text messages or the device’s screen, record video of the device’s physical environment, or modify data. See the link for details.
https://www.tenable.com/cve/CVE-2022-27250
The registration of CVE records largely lags the time of the event. A CVE record may be published today even though the issue happened weeks or months ago. Still, with reference to these vulnerability records, a vulnerability scanner can give you a precise result after a scan.

Quote: Some have obtained the source code of the U-boot bootloader used on those devices; however, the algorithm for the key verification is stored on the Trusted Execution Environment, which means it cannot be extracted (the TEE is a SecureEnclave-like device, with no possible direct access to its memory or storage).

One possibility for isolating the problem: if you’re interested, you can check out ROM dumps. Another method: add a basic DT to support Unisoc’s SC9863A; with this patch, the board sp9863a-1h10 can boot into a console.
Link: https://lore.kernel.org/r/20191223092948.24824-4-zhang.lyra@gmail.com

Temporary remedy: Install antivirus software on your smartphone; data breaches or evasion activities may still not be avoided, but this is a baseline control.

CVE-2022-0237 – Certain versions of Insight Agent from Rapid7 contain a privilege escalation vulnerability. (17th Mar 2022)

Preface: A lot of people will be familiar with Rapid7 (Metasploit); it is a powerful penetration testing tool in the existing market. If a product only provided a penetration testing tool in today’s demanding market, its business development would be limited. However, from my personal point of view, the SIEM and log management functions from Rapid7 are a new area to me. Perhaps this is not a new product.

Background: The universal Insight Agent is lightweight software you can install on any asset, in the cloud or on-premises, to collect data from across your IT environment. With unified data collection, security, IT and DevOps teams can collaborate effectively to monitor and analyze the environments. Viewing endpoint data is one of its powerful features; it includes detailed asset information, Windows registry information, file version and package information, running processes, authentication information, and local security and event logs. As an agent-based design, it is compatible with Linux, Mac and Windows. The vendor claims that the agent footprint is small and that memory consumption is low.

Vulnerability details: While the security expert was using procmon boot logging, he noticed that the call to ‘Program.exe’ on the command line via Windows ‘runas’ was only single-quoted. Rapid7 Insight Agent versions 3.1.2.38 and earlier suffer from a privilege escalation vulnerability, whereby an attacker can hijack the flow of execution due to an unquoted argument to the runas.exe command used by the ir_agent.exe component, resulting in elevated rights and persistent access to the machine.

Remedy: Fix – a Windows runas path containing spaces needs to be double-quoted. Please refer to the attached diagram (point 8).
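As an added example of the remedy (this is not Rapid7’s code, and the agent’s real command line is not on the page), the following C program quotes a program path for the Windows command line using the rules the Windows argument parser (CommandLineToArgvW) applies: wrap in double quotes, backslash-escape embedded quotes, and double any run of backslashes that precedes a quote or the end of the argument. The path, the user name and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if the argument would be split or misread by the Windows
 * command-line parser when passed bare: it is empty, contains whitespace
 * (the unquoted "Program Files" case) or contains a double quote. */
int win_arg_needs_quoting(const char *arg)
{
    if (*arg == '\0')
        return 1;
    for (const char *p = arg; *p; p++)
        if (*p == ' ' || *p == '\t' || *p == '"')
            return 1;
    return 0;
}

/* Quote one argument following the CommandLineToArgvW rules. Writes a
 * NUL-terminated string to out and returns its length, or -1 if cap is
 * too small. */
int win_quote_arg(const char *arg, char *out, size_t cap)
{
    size_t n = 0;
#define PUT(ch) do { if (n + 1 >= cap) return -1; out[n++] = (ch); } while (0)
    PUT('"');
    for (const char *p = arg; ; p++) {
        size_t backslashes = 0;
        while (*p == '\\') { backslashes++; p++; }
        if (*p == '\0') {
            /* trailing backslashes are doubled so they cannot escape the closing quote */
            for (size_t i = 0; i < 2 * backslashes; i++) PUT('\\');
            break;
        } else if (*p == '"') {
            /* backslashes before a quote are doubled, then the quote is escaped */
            for (size_t i = 0; i < 2 * backslashes + 1; i++) PUT('\\');
            PUT('"');
        } else {
            /* backslashes not followed by a quote are literal */
            for (size_t i = 0; i < backslashes; i++) PUT('\\');
            PUT(*p);
        }
    }
    PUT('"');
#undef PUT
    out[n] = '\0';
    return (int)n;
}

/* Constructed helper: builds "runas /user:<user> <quoted program>" so the
 * program path reaches runas as one argument even when it contains spaces.
 * Returns the command-line length or -1 if the buffer is too small. */
int build_runas_cmdline(const char *user, const char *program, char *out, size_t cap)
{
    char quoted[512];
    if (win_quote_arg(program, quoted, sizeof quoted) < 0)
        return -1;
    int w = snprintf(out, cap, "runas /user:%s %s", user, quoted);
    if (w < 0 || (size_t)w >= cap)
        return -1;
    return w;
}

/* Test helper: 1 if quoting arg yields exactly expected. */
int quote_equals(const char *arg, const char *expected)
{
    char buf[512];
    return win_quote_arg(arg, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    const char *program = "C:\\Program Files\\Vendor\\Program.exe";   /* constructed path */
    char cmd[600];
    printf("needs quoting: %d\n", win_arg_needs_quoting(program));
    if (build_runas_cmdline("Administrator", program, cmd, sizeof cmd) > 0)
        printf("%s\n", cmd);
    return 0;
}
```

Left unquoted, the path splits at the first space, so the first token ("C:\Program") is what gets resolved; quoting the whole path as one argument removes that search-path ambiguity. A practitioner checking a product for this class of defect can apply win_arg_needs_quoting to every path found in its service and scheduled-task command lines.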

Vendor announcement: For details, please refer to the link – https://docs.rapid7.com/release-notes/insightagent/20220225/