About CVE-2022-28197: NVIDIA Jetson Linux Driver Package design weakness (26-4-2022)

Preface: Embedded AI solutions on the Linux platform. With the superior performance, small size and low power consumption, it will be able to do more real-time processing at the demanding environment than ever before.

Background: NVIDIA® Jetson Nano™ Developer Kit is a small, powerful computer that lets you run multiple neural networks in parallel for applications like image classification, object detection, segmentation, and speech processing. All in an easy-to-use platform that runs in as little as 5 watts.

Jetson Board Support Package
• Linux Kernel: A UNIX-like computer operating system kernel mostly used for mobile devices.
• Sample Root Filesystem derived from Ubuntu: A sample root filesystem of the Ubuntu distribution. Helps you create root filesystems for different configurations.
• Toolchain: A set of development tools chained together by stages that runs on various architectures.
• Bootloader: Boot software boot for initializing the system on the chip.
• Sources: Source code for kernel and multimedia applications.

…..more

Vulnerability details: NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cboot ext4_mount function, where Insufficient validation of untrusted data may allow a highly privileged local attacker to cause an integer overflow. This difficult- to-exploit vulnerability may lead to code execution, escalation of privileges, limited denial of service, and some impact to confidentiality and integrity.

Speculation: This is an old design weakness in the kernel. Is it possible to reuse again in this case?
An integer overflow flaw was found in the extent range checking code in the Linux kernel’s ext4 file system implementation. A local, unprivileged user with write access to an ext4-monted file system could trigger this flaw by writing to a file at a very large file offset. The expected impact will result in a denial of service.

Official announcement: NVIDIA has released a software update for NVIDIA® Jetson AGX Xavier™ series, Jetson Xavier™ NX, Jetson TX1, Jetson TX2 series (including Jetson TX2 NX) in the NVIDIA JetPack™ software development kit (SDK). Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5343

Redis vulnerabilities – Lua readonly tables (CVE-2022-24736, CVE-2022-24735) – 27th April 2022

Preface: Complex data queries not to use Redis as a Database.
Big data and the new phenomenon open data are closely related but they’re not the same. Open data is information that is available to the public, regardless of its intended purpose.

Background: Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet. Redis is an in-memory database that persists on disk. It can be used as a distributed cache, which is probably its most common and popular use case, as a NoSQL Database and as a Message broker (pub\sub mode, similar to Kafka or RabbitMQ).

Redis EVAL command is used to evaluate scripts using the Lua interpreter. Lua lets you run part of your application logic inside Redis. Such scripts can perform conditional updates across multiple keys, possibly combining several different data types atomically. Scripts are executed in Redis by an embedded execution engine.

Vulnerability details:

(CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. This issue affects all versions of Redis.
(CVE-2022-24735) By exploiting weaknesses in the Lua script execution
environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user.

By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will execute with the (potentially higher) privileges of another Redis user.

Ref: This type of vulnerability (known as CWE-94) occurs when a developer uses the Lua loadstring() function and passes it untrusted data that an attacker can modify. The loadstring() function will compile the code and return a function that when called has the same effect as executing the string. Attackers can use this to inject arbitraty Lua code that is then executed by the web application.

Several weaknesses of these measures have been publicly known for a long time.

Official announcement: Please refer to the link for details – https://github.com/redis/redis/pull/10651

Remedy: The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to SCRIPT LOAD and EVAL commands using ACL rules.

Big data perspective , CVE-2022-24706: Apache CouchDB Remote Privilege Escalation (26th April 2022)

Preface: NoSQL is used for Big data and real-time web apps. Perhaps if you can manage big data, you can rule the AI zone in future.

Background: NoSQL is used for Big data and real-time web apps. For example, companies like Twitter, Facebook and Google collect terabytes of user data every single day. There are many indexing data structures used in NoSQL databases. For example: B-Tree indexing, T-Tree indexing, and O2-Tree indexing…..

Apache CouchDB is an open source repository that is a file-oriented NoSQL database using JSON as the storage format, JavaScript as the query language, and MapReduce and HTTP as the API. CouchDB accepts queries via a RESTful HTTP API, while MongoDB uses its own query language. CouchDB is written in Erlang. It uses JSON to store data.

Vulnerability details: In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. An attacker can access an improperly secured default installation without authenticating and gain admin privileges.

  1. CouchDB opens a random network port, bound to all available interfaces in anticipation of clustered operation and/or runtime introspection. A utility process called epmd advertises that random port to the network.
    Remark: epmd itself listens on a fixed port.
  2. CouchDB packaging previously chose a default cookie value for single-node as well as clustered installations. That cookie authenticates any communication between Erlang nodes

Workaround: The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.

Remediation: Upgrade to version 3.2.2.

Details: CouchDB 3.2.2 and onwards will refuse to start with the former default Erlang cookie value of monster. Installations that upgrade to this versions are forced to choose a different value.

In addition, all binary packages have been updated to bind epmd as
well as the CouchDB distribution port to 127.0.0.1 and/or ::1
respectively.

Please refer to the link for details – https://www.openwall.com/lists/oss-security/2022/04/26/1

CVE-2022-29078 EJS package Security Focus (25th April 2022)

Preface: EJS is one of the most popular template engines for JavaScript. One of the reasons to choose it is that EJS code looks like pure HTML.

Background: EJS or Embedded Javascript Templating is a templating engine used by Node. js. The template engine helps to create an HTML template with minimal code. Also, it can inject data into the HTML template at the client-side and produce the final HTML.
Set EJS as templating engine with Express which is a Node.js web application server framework.

EJS (Embedded JavaScript Templating) is one of the most popular template engines for JavaScript. It lets us embed JavaScript code in a template language that is then used to generate HTML.

Vulnerability details: The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Ref: The EJS don’t allow ‘cache’ option to be passed in the data obj for the normal render call, but this is where Express 2 & 3 put it so we make an exception for renderFile. So in the case of express view options ejs will copy everything into the options without restrictions.

Remedy: Ejs has issued a fix to prevent injecting any code in the options especially opts.outputFunctionName. For user who is going to fix the problem. You can upgrade to v3.1.7.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-29078

About CVE-2022-29582 (asynchronous I/O interface provided by Linux kernelbefore 5.17.3)

Preface: On 29th March, 2022 Linus Torvalds announced the release and general availability of Linux 5.17 as the latest and greatest kernel series for Linux-based operating systems adding new features and improving hardware support.

Background: As HPC workflows become more complex, data management services need to perform asynchronous I/O operations in the background. In addition, task parallelism and application performance asynchronous I/O strategies will be involved in large-scale deep learning applications.
I/O tasks and the runtime support to enable overlapping the execution of I/O tasks and compute task. This will increase the task parallelism and the application performance.
Asynchronous I/O is becoming more and more popular with the massive data access required for scientific applications.

Vulnerability details (official announcement): In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.

Security focus in design flaws (use after free): Refer to step 6 of the attached diagram. What happens next is shown in below:
io_uring_enter() is used to initiate and complete I/O using the shared submission and completion queues setup by a call to io_uring_setup(2). A single call can both submit new I/O and wait for completions of I/O initiated by this call or previous calls to io_uring_enter().
fd is the file descriptor returned by io_uring_setup(2). to_submit specifies the number of I/Os to submit from the submission queue.

When the IORING_OP_TIMEOUT (T) and IORING_OP_LINK_TIMEOUT (LT) opcodes are combined in a linked submission queue entry, and another request (B) finishes, a race might occur: namely, when due to the completion of B, T is cancelled (through the completion event count), and LT is canceled by its hrtimer at the same time. Whilst T is still being cleaned up, LT is already freed by a different execution context, and since they are linked, the > cleanup of T retains a dangling reference to the now-freed LT. Hence, there’s a use-after-free.

Remedy: io_uring: fix race between timeout flush and removal. Please refer to the link for details – https://github.com/torvalds/linux/commit/e677edbcabee849bfdd43f1602bccbecf736a646

CVE-2022-23711 A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source (21st Apr, 2022)

Preface: According to market survey, there are 3723 companies reportedly use Elasticsearch in their tech stacks, including Uber, Shopify, and Udemy. Perhaps part of the 3723 companies will use Kibana at the same time.

Background: As suggested by Elasticsearch, customers can install Kibana on the same server as Elasticsearch. But that’s not the only setup method that can be used.

Elasticsearch allows you to store, search, and analyze huge volumes of data quickly and in near real-time and give back answers in milliseconds. It’s able to achieve fast search responses because instead of searching the text directly, it searches an index.

By default, data is retrieved from the cluster specified in the elasticsearch.hosts value in the kibana.yml file. If you want to retrieve it from a different cluster, set monitoring.ui.elasticsearch.hosts.

Kibana is a free and open user interface that lets you visualize your Elasticsearch data and navigate the Elastic Stack. Do anything from tracking query load to understanding the way requests flow through your apps.

Vulnerability details: A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Elastic Stack monitoring features provide a way to keep a pulse on the health and performance of your Elasticsearch cluster. Authentication with a vulnerable Kibana instance is not required to view the exposed information. The Elastic Stack monitoring exposure only impacts users that have set any of the optional monitoring.ui.elasticsearch.* settings in order to configure Kibana as a remote UI for Elastic Stack Monitoring. The same vulnerability in Kibana could expose other non-sensitive application-internal information in the page source.

Doubt: Kibana can retrieve monitoring event logs. See attached diagram (item 5). User IDs and passwords are not encrypted. Since the vulnerability is not described in detail. Whether this the reason said that it expose sensitive information?

Official announcement: For official details, please refer to the link https://discuss.elastic.co/t/kibana-7-17-3-and-8-1-3-security-update/302826

CVE-2022-29527 – Hiccups, AWS amazon-ssm-agent sudoer File default permission (20th April 2022)

Preface: Security misconfiguration vulnerabilities take place when an application component is vulnerable to attack as a result of insecure configuration option or misconfiguration.

Background: AWS Systems Manager (formerly known as SSM) is Amazon software that runs on Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, and on-premises servers and virtual machines (VMs). A managed node is any machine configured for Systems Manager. Systems Manager supports Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, and on-premises servers and virtual machines (VMs), including VMs in other cloud environments. SSM Agent makes it possible for Systems Manager to update, manage, and configure these resources.

System administrator can securely connect to your Amazon EC2 instances using AWS Systems Manager Session Manager. AWS Systems Manager Session Manager is a browser/CLI based shell that enables you to connect to Amazon EC2 instances without the need to open ports.
However, AWS Systems Manager SSM Agent (version 2.3.68.0 or later ) must be installed on the EC2.
By default, sessions are launched using the credentials of a system-generated ssm-user account that is created on a managed node. (On Linux and macOS machines, this account is added to /etc/sudoers/.)
Starting with version 2.3.50.0 of SSM Agent, the agent creates a local user account called ssm-user and adds it to the /etc/sudoers.d directory (Linux and macOS) or to the Administrators group (Windows Server).

Vulnerability details: Amazon AWS amazon-ssm-agent before 3.1.1208.0 creates a world-writable sudoers file, which allows local attackers to inject Sudo rules and escalate privileges to root. This occurs in certain situations involving a race condition.

Ref: In layman terms, a race condition can be defined as, a condition in which two or more threads compete together to get certain shared resources. For example, if thread A is reading data from the linked list and another thread B is trying to delete the same data.

Data in world-writable files can be read, modified, and potentially compromised by any user on the system. If ssm-user had remove sudo access for some reason. If sudoers file is world-writable. Non admin User can restore sudo access. For example: Change the working directory (cd /etc/sudoers.d),open the file named ssm-agent-users for editing. Add the following line.
ssm-user ALL=(ALL) NOPASSWD:ALL.

Remedy: Amazon SSM Agent – Release 3.1.1260.0 – 2022-04-12. Please refer to the link for details – https://github.com/aws/amazon-ssm-agent/releases/tag/3.1.1260.0

CVE-2022-24826 – Git LFS can execute a binary from the current directory on Windows (19th April 2022)

Preface: In medium to small size firm, software developer is busy to achieve their company objective. Perhaps cyber security is not the priority of their awareness. The software version control is major successful factor of their software development. Perhaps they will make use of Git LFS (Large File Storage).

Background: What is a git LFS? Git LFS (Large File Storage) is a Git extension developed by Atlassian, GitHub, and a few other open source contributors, that reduces the impact of large files in your repository by downloading the relevant versions of them lazily. The git repository is github. It is free unless you want to create a private repository. For private repositories you have to pay a monthly price but it is not mandatory. GitHub’s recommended maximum file size of 50 MB. If your push operation failed because file size exceeded limit. The solution to this is to install Git Large File Storage support.

Managing large files such as audio, video and graphics files has always been one of the shortcomings of Git. The general recommendation is to not have Git repositories larger than 1 GB to preserve performance.

Vulnerability details: On Windows, if Git LFS operates on a malicious repository with a ..exe file as well as a file named git[.]exe, and git[.]exe is not found in PATH, the ..exe program will be executed, permitting the attacker to execute arbitrary code.
Similarly, if the malicious repository contains files named ..exe and cygpath[.]exe, and cygpath[.]exe is not found in PATH, the ..exe program will be executed when certain Git LFS commands are run.

Remark: This does not affect Unix systems.

Remedy: Git LFS has resolved this vulnerability by always reporting an error when a program is not found in any directory listed in PATH rather than passing an empty string to the Go os/exec package in this case.

The bug in the Go os/exec package has been reported to the Go project and is expected to be patched after this security advisory is published.

The problem was introduced in v2.12.1 and is patched in v3.1.3 and v3.1.4. Users of affected versions should upgrade to v3.1.4.

CVE-2022-28893 – Sun Microsystem not appear any more, however sunrpc still working on Linux. (14th April 2022)

Preface: ONTAP or Data ONTAP or Clustered Data ONTAP or Data ONTAP 7-Mode is NetApp’s proprietary operating system used in storage disk arrays such as NetApp FAS and AFF, ONTAP Select and Cloud Volumes ONTAP. RHEL 6.3 and later can be used with NetApp Clustered Data ONTAP. This setup integrate with SUNPRC UNIX Network Programming.
Remark: RHEL 6.3 end of life on November 30, 2020. Additionally, Extended Lifecycle Support will end on June 30, 2024.

Background: Remote Procedure Call (SunRPC) protocol provides access to run procedures on remote machine. RPC is used heavily in UNIX to implement many protocols, for example NFS and NIS. RPC protocol is designed to be machine, operating system, network architecture, and transport protocol independent.
Sun RPC does not have a network-wide binding service. Instead it provides a local binding service called the port mapper which runs on every computer. Each instance of a port mapper records the port in use by each service running locally. The port mapper assigns a unique TCP/UDP protocol port number to an RPC program. Upon starting, the Network File System uses a port map to listen to and send data to specific ports.

Vulnerability details: The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state.

Highlight one of the technical issues – In the C programming language, the instruction malloc() is used to allocate memory space of the requested size for use by the program. When a program needs to read or write data in memory, it uses pointers. When the program is done using the data, it can use the function free() to free the memory.
It’s important to note that free() just marks the block of memory as free and available for use. It does not clear any data stored in the memory block, nor does it free or clear the pointers that the program uses to refer to the memory block.

Remedy: Ensure we flush any closed sockets before xs_xprt_free().

For solution details, please refer to the following link – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1a3b1bba7c7a5eb8a11513cf88427cb9d77bc60a

CVE-2022-29156 drivers/infiniband/ulp/rtrs/rtrs-clt[.]c in the Linux kernel before 5.16.12 has a double free related to rtrs_clt_dev_release. 13th April 2022

Preface: In fact, when the details of a vulnerability were announced. It’s hard to guess when it first happened. This is a well-known fact in the cybersecurity community. However, security analysts and researchers don’t mind the delay. Since the goal is to fix the problem and avoid a similar vulnerability in another product.
For example, the details of the fix for this vulnerability were released on February 18, 2022. But details of the vulnerability just revealed this week.

Background: Currently, there are three technologies that support RDMA: InfiniBand, Ethernet RoCE and Ethernet iWARP. All three technologies share a common user API which is defined in this docu- ment, but have different physical and link layers.
InfiniBand (IB) is a computer network communication standard for high-performance computing with extremely high throughput and low latency. Six of the top ten high-performance computing (HPC) and artificial intelligence (AI) supercomputers on June 2019 TOP500 list. They deployed infiniBand technology.

Vulnerability details: CVE-2022-29156 – drivers/infiniband/ulp/rtrs/rtrs-clt[.]c in the Linux kernel before 5.16.12 has a double free related to rtrs_clt_dev_release.

Traditionally, the kfree( ) function is generally paired with the kmalloc( ) function to free a section of memory starting at address objp.
What is objp? The memory address, usually the return value of the kmalloc( ) function, that is, the address pointer to the starting address of the allocated memory block.

In practice, double-freeing a block of memory will corrupt the state of the memory manager, which might cause existing blocks of memory to get corrupted or for future allocations to fail in bizarre ways (for example, the same memory getting handed out on two different successive calls of malloc). Double frees can happen in all sorts of cases.

  • kmalloc() can be called only in kernel-space
  • malloc() can be called in user-space and kernel-space

Reason (Official announcement): Callback function rtrs_clt_dev_release() for put_device() calls kfree(clt) to free memory. We shouldn’t call kfree(clt) again, and we can’t use the clt after kfree too.

Solution: Replace device_register() with device_initialize() and device_add() so that dev_set_name can() be used appropriately. Move mutex_destroy() to the release function so it can be called in the alloc_clt err path.

Do mutexes need to be destroyed? Implementations are required to allow an object to be destroyed and freed and potentially unmapped immediately after the object is unlocked.

Below version of rtrs-clt[.]c was fixed this vulnerability.
v5.18-rc2 v5.18-rc1 v5.17 v5.17-rc8 v5.17-rc7 v5.17-rc6