About CVE-2022-26151 – Citrix Endpoint Management (XenMobile Server): whether to remediate a design flaw discovered in 2018 (12th April 2022)

Preface: Public Key Infrastructure is the proven solution for authentication, encryption and data integrity. DigiCert PKI solutions are built on trust. Public trust. Private trust. And the world’s most trusted roots. XenMobile Server GPKI support includes DigiCert Managed PKI, also referred to as MPKI.

Background: XenMobile Server GPKI support includes DigiCert Managed PKI, also referred to as MPKI. The requirements include a Windows Server 2012 R2 server with the following components installed:

– Java
– Apache Tomcat (Install Apache Tomcat on Windows Server)
– DigiCert PKI Client
– Portecle

Vulnerability details: CVE-2022-26151 – The underlying operating system in Citrix XenMobile Server allows unauthorized root access. For the official details, refer to the Citrix Endpoint Management (XenMobile Server) Security Bulletin for CVE-2021-44519, CVE-2021-44520, and CVE-2022-26151 at the URL below:

https://support.citrix.com/article/CTX370551

CVE ID: CVE-2022-26151
Description: Unauthorized root access to the underlying OS
Vulnerability type: CWE-20: Improper Input Validation
Pre-conditions: Admin access to XenMobile Server CLI

Speculation: the vendor did not publish vulnerability details, but the problem can occur in the following area: the XenMobile server itself (that is, localhost).

This Tomcat server allows callers to execute a variety of commands that should not be available to unauthenticated users. For example:

  • Change the administrator password (/admin_user/cli/reset_password)
  • Create a new administrator (/admin_user/ui/create1)
  • Decrypt passwords (/sftu/crypto/dec)
  • Drop firewall rules (/firewall/iptables_stop)

Workaround: this is mitigated by the internal firewall, which limits access to the configuration services to localhost.

Remedy:

CVE-2021-44519, CVE-2021-44520 – Medium severity:
XenMobile Server 10.14.0 rolling patch 4 and later releases of 10.14.0
XenMobile Server 10.13.0 rolling patch 7 and later releases of 10.13.0

CVE-2022-26151 – Low severity:
XenMobile Server 10.14.0 rolling patch 5 and later releases of 10.14.0
XenMobile Server 10.13.0 rolling patch 8 and later releases of 10.13.0

CVE-2022-22954 VMware Workspace ONE Access and Identity Manager encountered server-side template injection vulnerability (6 April 2022)

Preface: Several vulnerabilities in VMware products (CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, and CVE-2022-22958) are reported to be at high risk of being exploited. System administrators should immediately install patches to affected systems to reduce the risk of cyber-attacks.

Background: VMware Workspace ONE is an intelligence-driven digital workspace platform that enables you to simply and securely deliver and manage any app on any device, anywhere. You can add Web applications to the Workspace ONE Access catalog and assign them to users and groups to provide access to these applications from the Workspace ONE Intelligent Hub app and portal. You configure single sign-on (SSO) to these applications by using a federation protocol such as SAML 2.0.

Vulnerability details: CVE-2022-22954 – VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution. In this product, you can create a template to enable a group of clients to register dynamically with the VMware Identity Manager service and give users access to a specific application.

Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server.
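As an added illustration of the concatenation-versus-data distinction above (not VMware's code, and not the engine used by Workspace ONE Access), a toy `${name}` substitution engine in C: `greet_concat()` builds the template from the untrusted string, so a `${secret}` directive in the input is evaluated, while `greet_as_data()` keeps the template fixed and passes the input as data. The data table and the secret value are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed data a toy template engine renders; nothing here is VMware's engine. */
struct kv { const char *key; const char *val; };
static const struct kv SITE_DATA[] = { { "secret", "db-password-CONSTRUCTED" } };

static const char *lookup(const struct kv *data, size_t n, const char *key, size_t klen) {
    for (size_t i = 0; i < n; i++)
        if (strlen(data[i].key) == klen && memcmp(data[i].key, key, klen) == 0)
            return data[i].val;
    return "";
}

/* Toy engine: copies tmpl to out, replacing each ${name} directive with data[name].
 * Expanded values are copied verbatim, never re-parsed. Returns directives expanded. */
int render(const char *tmpl, const struct kv *data, size_t n, char *out, size_t outsz) {
    size_t o = 0; int expanded = 0;
    for (const char *p = tmpl; *p && o + 1 < outsz; ) {
        const char *end;
        if (p[0] == '$' && p[1] == '{' && (end = strchr(p + 2, '}')) != NULL) {
            const char *v = lookup(data, n, p + 2, (size_t)(end - (p + 2)));
            size_t vl = strlen(v);
            if (vl > outsz - 1 - o) vl = outsz - 1 - o;
            memcpy(out + o, v, vl); o += vl; expanded++;
            p = end + 1;
        } else {
            out[o++] = *p++;
        }
    }
    out[o] = '\0';
    return expanded;
}

/* Injectable pattern from the text: the untrusted string becomes part of the template,
 * so any ${...} directive it carries is executed by the engine. */
int greet_concat(const char *untrusted, char *out, size_t outsz) {
    char tmpl[128];
    snprintf(tmpl, sizeof tmpl, "Hello, %s!", untrusted);
    return render(tmpl, SITE_DATA, 1, out, outsz);
}

/* Hardened pattern: the template is a fixed string and the untrusted value is
 * handed to the engine as data, where ${...} has no meaning. */
int greet_as_data(const char *untrusted, char *out, size_t outsz) {
    struct kv data[] = { { "user", untrusted }, { "secret", SITE_DATA[0].val } };
    return render("Hello, ${user}!", data, 2, out, outsz);
}
```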

Remedy:

HW-154129 – Patch instructions to address CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961 in Workspace ONE Access Appliance (VMware Identity Manager) (88099) – https://kb.vmware.com/s/article/88099

HW-154129 – Workaround instructions to address CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960 in Workspace ONE Access Appliance (VMware Identity Manager) (88098) – https://kb.vmware.com/s/article/88098

About CVE-2022-28796 – A design flaw was found in transaction[.]c on Linux (8th Apr 2022)

Preface: JBD2 is the journaling kernel thread of the ext4 file system. It often enters the shadow (BH_Shadow) state during use, which can affect system performance. To address this, Alibaba Cloud Linux 2 provides an interface in version 4.19.81-17.

Background:

  • Ext3 would call an allocator for each block
    A 100MB file would need to call the allocator 25600 times for each individual block in Ext3
  • Ext4 only calls the allocator once for each file
    In Ext4, the allocator is called only once to allocate the 25600 blocks

Ext4 uses 48-bit internal addressing, making it theoretically possible to allocate files up to 16 TiB on filesystems up to 1,000,000 TiB (1 EiB). Early implementations of ext4 were still limited to 16 TiB filesystems by some userland utilities, but as of 2011, e2fsprogs has directly supported the creation of >16TiB ext4 filesystems. As one example, Red Hat Enterprise Linux contractually supports ext4 filesystems only up to 50 TiB and recommends ext4 volumes no larger than 100 TiB.

Lustre is an open source parallel distributed file system (DFS) specialized for large-scale cluster computing. The name is a portmanteau of Linux and cluster. Lustre is used by many supercomputers and large multi-cluster sites; a large percentage of supercomputers use Lustre file systems. LCOC (Lustre Cache on Client) provides a group of local caches: each client has its own SSD-based local cache. For example, LCOC uses Ext4 (on a Samsung SSD 850 EVO 500GB) as the local cache.

Vulnerability details: CVE-2022-28796 – jbd2_journal_wait_updates in fs/jbd2/transaction[.]c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.

In a traditional use-after-free, the absence of a locking mechanism lets an attacker create a race condition in the device mechanism and trigger the use-after-free. Here, however, the developers identified the following cause:
jbd2_journal_wait_updates() is called with j_state_lock held in normal circumstances. But if a commit is in progress, this transaction might get committed by jbd2_journal_commit_transaction() and then freed by jbd2_journal_free_transaction() once j_state_lock is released.

Solution: Upgrade to 5.18-rc2

About CVE-2022-22519: CODESYS V3 runtime systems (CmpWebServer) encounter buffer-over-read (7th April 2022)

Preface: President Biden’s Executive Order is modernizing the Federal Government defenses and improving the security of widely-used technology. In March 2022, he urged U.S. companies operating critical infrastructure, including in the energy sector, to harden their digital defenses.

Background: CODESYS, formerly known as CoDeSys, is an acronym for Controller Development System, an Integrated Development Environment for Programmable Logic Controller applications that is compliant with the IEC 61131-3 standard and independent of hardware and manufacturer. IEC 61131-3:2013 specifies the syntax and semantics of a unified suite of programming languages for programmable controllers (PCs). The product CODESYS Control RTE SL is a real-time software PLC used to develop industrial controllers under the Windows operating system on PC-based hardware. The runtime system has its own real-time kernel: in the absence of other hardware components or OS extensions, the system jitter can remain in the μs range.

Vulnerability details: A remote, authenticated attacker can send specially crafted HTTP or HTTPS requests that cause CODESYS V3 runtime systems (CmpWebServer) to encounter a buffer over-read.
A buffer overread is like a buffer overflow, except that it occurs during a read operation. While reading from a buffer, the program goes over the buffer boundary and reads adjacent memory.
In languages like C, programs are free to access data in any part of the virtual memory via a pointer. Because of this, buffer over-read issues can occur when pointers or their indexes are incremented beyond the bounds of the buffer (when iterating an array or reading a string), or when pointer arithmetic yields a result outside a valid memory address.

Impact: maliciously crafted inputs that exploit a lack of bounds checking can read parts of memory not intended to be accessible. Over-reads may also be caused by programming errors alone.
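An added example (not CODESYS code; the header name and the buffer contents are constructed) showing the over-read pattern described above in C: the first parser scans a received HTTP header with strchr()/strlen(), which ignore how many bytes were actually received, so on a truncated request it copies adjacent memory into the returned value; the second bounds every scan with memchr() and reports an incomplete header instead.

```c
#include <string.h>

/* Constructed memory: a truncated "Host:" header (no CR/LF and no NUL of its own)
 * immediately followed by unrelated data, as in a reused connection buffer. */
char g_conn_buf[64] = "Host: evil.testSESSION=deadbeef-CONSTRUCTED";
size_t g_received = 15;   /* only "Host: evil.test" was actually received */

/* Defective parser: ignores the received length and scans with strchr()/strlen(),
 * so it keeps reading into whatever follows the received bytes. */
int host_value_overread(const char *buf, char *out, size_t outsz) {
    if (strncmp(buf, "Host: ", 6) != 0) return -1;
    const char *p = buf + 6;
    const char *e = strchr(p, '\r');            /* unbounded scan */
    size_t n = e ? (size_t)(e - p) : strlen(p); /* also unbounded */
    if (n >= outsz) n = outsz - 1;
    memcpy(out, p, n); out[n] = '\0';
    return (int)n;
}

/* Bounded parser: every scan is limited to the len bytes actually received, and an
 * incomplete header is reported instead of guessed at. */
int host_value_bounded(const char *buf, size_t len, char *out, size_t outsz) {
    if (len < 6 || memcmp(buf, "Host: ", 6) != 0) return -1;
    const char *p = buf + 6;
    size_t avail = len - 6;
    const char *e = memchr(p, '\r', avail);     /* cannot pass buf + len */
    if (!e) { out[0] = '\0'; return -1; }       /* terminator not received yet */
    size_t n = (size_t)(e - p);
    if (n >= outsz) return -1;                  /* value too long for caller's buffer */
    memcpy(out, p, n); out[n] = '\0';
    return (int)n;
}
```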

Official announcement: For details, please refer to the link – https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17094&token=2fb188e2213c74194e81ba61ff99f1c68602ba4d&download=

About CVE-2022-28390 – design flaw found in the can/usb interface driver of Linux kernel 5.17.1 (4th Apr 2022)

Preface: If a workstation is running Linux kernel 5.17.1, this vulnerability (CVE-2022-28390) puts the adjacent communications peer device at risk: it allows an attacker to execute arbitrary code on the adjacent communications peer device.

Background: The CANbus USB adapter connects a CANbus to the USB port of a PC or notebook, which also supplies the power to the adapter (no power supply needed). The CAN/USB Data Converter allows a personal computer to act as a diagnostic analyzer during development and testing of an automotive ECU (electronic control unit) or industrial field bus system that supports the CAN communications protocol.

Vulnerability details: ems_usb_start_xmit in drivers/net/can/usb/ems_usb[.]c in the Linux kernel through 5.17.1 has a double free. Doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code.

According to the developer's (Hangyu Hua) explanation, there is no need to call dev_kfree_skb() when usb_submit_urb() fails, because can_put_echo_skb() deletes the original skb and can_free_echo_skb() deletes the cloned skb.

Known limitations: dev_kfree_skb() is just a macro that simply calls kfree_skb(). kfree_skb bypasses the reference count of the skb. Generally speaking, a “” prefix before a function name in the kernel signals that the function is to be used with caution, that is, some checks are omitted, so check before calling such functions.
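The ownership rule behind the fix, as an added toy model in C rather than the kernel's own code: skb ownership moves to the CAN core at can_put_echo_skb(), so the error path before the fix frees the original skb a second time, while the fixed path does not. The static pool, the simulated usb_submit_urb() failure and the counters are constructed for the demonstration.

```c
#include <stddef.h>

/* Toy model (not kernel code) of the skb ownership rules the text describes. skbs
 * come from a static pool so that a second free is counted instead of crashing. */
struct skb { int live; };
static struct skb pool[8];
static int double_frees;
struct skb *skb_alloc(void) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++)
        if (!pool[i].live) { pool[i].live = 1; return &pool[i]; }
    return NULL;
}
void kfree_skb(struct skb *s) {
    if (!s) return;
    if (!s->live) { double_frees++; return; }    /* freeing freed memory: the bug */
    s->live = 0;
}
#define dev_kfree_skb(s) kfree_skb(s)             /* as in the kernel, just a macro */

/* can_put_echo_skb(): the CAN core takes ownership, keeps a clone for the TX echo
 * and releases the original. can_free_echo_skb(): releases that clone. */
void can_put_echo_skb(struct skb *orig, struct skb **echo, int idx) {
    echo[idx] = skb_alloc();
    kfree_skb(orig);
}
void can_free_echo_skb(struct skb **echo, int idx) {
    kfree_skb(echo[idx]);
    echo[idx] = NULL;
}
static int usb_submit_urb(int simulate_failure) { return simulate_failure ? -1 : 0; }

/* Error path before the fix: skb is freed again after the echo helpers released it. */
int ems_usb_start_xmit_before(struct skb *skb, struct skb **echo, int fail) {
    can_put_echo_skb(skb, echo, 0);
    if (usb_submit_urb(fail)) {
        can_free_echo_skb(echo, 0);
        dev_kfree_skb(skb);                       /* second free of the original skb */
        return -1;
    }
    return 0;
}
/* Error path after the fix: no extra dev_kfree_skb(); ownership already moved. */
int ems_usb_start_xmit_after(struct skb *skb, struct skb **echo, int fail) {
    can_put_echo_skb(skb, echo, 0);
    if (usb_submit_urb(fail)) { can_free_echo_skb(echo, 0); return -1; }
    return 0;
}
/* Model bookkeeping for checks: detected double frees and skbs still live. */
int double_free_count(void) { return double_frees; }
int live_skb_count(void) { int n = 0; for (size_t i = 0; i < 8; i++) n += pool[i].live; return n; }
void model_reset(void) { double_frees = 0; for (size_t i = 0; i < 8; i++) pool[i].live = 0; }
```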

Solution: upgrade to v5.18-rc1.

About CVE-2022-26912 : Microsoft Edge privilege escalation (5th Apr, 2022)

Preface: Chromium is a free and open-source web browser project, principally developed and maintained by Google. This codebase provides the vast majority of code for the Google Chrome browser, which is proprietary software and has some additional features. The new Microsoft Edge is based on Chromium and was released on January 15, 2020. It is compatible with all supported versions of Windows, and macOS.

Background: The story begins in 2018, when Microsoft, following the market trend, decided to adopt the Chromium and Blink rendering engines and move away from EdgeHTML. The new Microsoft Edge is based on Chromium and was released on January 15, 2020. It is compatible with all supported versions of Windows and macOS. Chrome-based browsers keep expanding their market share, so when a design weakness occurs in Chromium, it can impact the partner products built on it.

Vulnerability details: CVE-2022-26912 – Microsoft Edge privilege escalation
Microsoft Edge could allow a remote attacker to gain elevated privileges on the system. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code with higher privileges.
Important – The remote host has a web browser installed that is affected by multiple vulnerabilities.

Since Microsoft did not explain the details, the following information about symptoms similar to CVE-2022-26912 may be of interest to anyone digging further.
CSS Animations is a module of CSS that lets you animate the values of CSS properties over time, using keyframes. The behavior of these keyframe animations can be controlled by specifying their timing function, duration, their number of repetitions, and other attributes.
As early as 2007, WebKit had announced its intent to include CSS animation, transitions, and transforms as features of WebKit.
Use-after-free errors occur when a program continues to use a pointer after it has been freed. In the context of CSS animations, there is no way to explicitly ask the browser to collect garbage.
Example: Use-After-Free when Array.sort() is called with a comparator function. The two arguments are untracked by the garbage collector.

Solutions: Apply fixes issued by the vendor: Update to version 100.0.1185.29

CVE-2022-28356 – Design weakness found in af_llc[.]c (in the Linux kernel before 5.17.1) (2nd Apr 2022)

Preface: IEEE 802.2 provides two connectionless and one connection-oriented operational modes:
– Type 1 is an unacknowledged connectionless mode for a datagram service.
– Type 2 is a connection-oriented operational mode.
– Type 3 is an acknowledged connectionless service. It supports point-to-point communication only.

Background: af_llc[.]c (LLC User Interface SAPs):
Description: Functions in this module are implementation of socket based llc communications for the Linux operating system. Support of llc class one and class two is provided via SOCK_DGRAM and SOCK_STREAM respectively.
Generally speaking, TCP almost always uses SOCK_STREAM and UDP uses SOCK_DGRAM.

Vulnerability details: In the Linux kernel before 5.17.1, a refcount leak bug was found in net/llc/af_llc[.]c. Refcount bugs happen when there is a mismatch between refcount inc and dec instructions (see below).
The inc and dec instructions use the following syntax:
– inc( mem/reg );
– dec( mem/reg );
However, when the dec instruction is performed depends largely on the developer's intent and on how the tracked object is used.
The single operand can be any legal 8-bit, 16-bit, or 32-bit register or memory operand. The inc instruction will add 1 to the specified operand, and the dec instruction will subtract 1 from the specified operand.

Reminder: whenever llc_ui_bind() and/or llc_ui_autobind() take a reference on a netdevice but subsequently fail, they must properly release that reference.

Synopsis by developer findings: unregister_netdevice: waiting for eth0 to become free. Usage count = 3
Result: the bug shows the following symptom: the device is being dismantled and its handlers are notified that it has been pulled out, yet its usage count never reaches zero. This is the so-called refcount leak bug.
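The leak described above, as an added toy model in C (not the kernel's af_llc.c): llc_ui_bind_before() returns after dev_hold() without a matching dev_put(), so after three failed binds unregistering the device leaves a usage count of 3, the same figure as in the developer's synopsis, while the fixed version leaves 0. The SAP check that fails and the device bookkeeping are constructed.

```c
#include <string.h>

/* Toy model (not kernel code) of the netdevice reference rules the text describes. */
struct net_device { char name[8]; int refcnt; };
struct llc_sock   { struct net_device *dev; };

void dev_hold(struct net_device *d) { d->refcnt++; }
void dev_put(struct net_device *d)  { d->refcnt--; }
void register_netdevice(struct net_device *d, const char *name) {
    strncpy(d->name, name, sizeof d->name - 1);
    d->name[sizeof d->name - 1] = '\0';
    d->refcnt = 1;                             /* the core's own reference */
}
/* unregister_netdevice(): drops the core reference; whatever is left is a leak and
 * is what the kernel reports as "waiting for eth0 to become free. Usage count = N". */
int unregister_netdevice(struct net_device *d) { dev_put(d); return d->refcnt; }

/* Constructed failure that happens after the device was held: only SAP 0x02 binds. */
static int sap_is_valid(int sap) { return sap == 0x02; }

/* llc_ui_bind() error path before the fix: returns after dev_hold() without dev_put(). */
int llc_ui_bind_before(struct llc_sock *sk, struct net_device *d, int sap) {
    dev_hold(d);
    if (!sap_is_valid(sap)) return -1;         /* reference leaked */
    sk->dev = d;
    return 0;
}
/* After the fix: every failing exit taken after dev_hold() releases the reference. */
int llc_ui_bind_after(struct llc_sock *sk, struct net_device *d, int sap) {
    dev_hold(d);
    if (!sap_is_valid(sap)) { dev_put(d); return -1; }
    sk->dev = d;
    return 0;
}
void llc_ui_release(struct llc_sock *sk) {
    if (sk->dev) { dev_put(sk->dev); sk->dev = NULL; }
}

/* Reproduce the symptom: n failed binds, then the device is removed. Returns the
 * usage count left behind (0 means the device can actually go away). */
int usage_count_after_failed_binds(int n, int (*bind)(struct llc_sock *, struct net_device *, int)) {
    struct net_device eth0;
    struct llc_sock sk = { 0 };
    register_netdevice(&eth0, "eth0");
    for (int i = 0; i < n; i++) bind(&sk, &eth0, 0x7f);   /* invalid SAP: every bind fails */
    llc_ui_release(&sk);                                   /* nothing was bound */
    return unregister_netdevice(&eth0);
}
```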

Resolution: Upgrade to “Linux-2.6.12-rc2”