CVE-2022-1934 – Mruby/mruby prior to 3.2 contains a Use After Free vulnerability (31st May 2022)

Preface: mruby/c is an implementation of mruby (the lightweight Ruby for embedded systems developed in Fukuoka) that inherits the features of Ruby while consuming less memory than conventional mruby.

Dassai (Asahishuzo, 日本獺祭 / 旭酒造) also uses mruby/c to develop winery-related monitoring equipment.

Background: mruby is a Fukuoka-developed programming language for embedded software. It is a lightened version of the highly productive development language Ruby, made to use less memory so that it suits embedded software.
It needs about a quarter of the code that C does, and because it is also highly readable, its strengths include high productivity, easy trial-and-error debugging and maintenance, and a gentle learning curve.

Vulnerability details: Mruby/mruby prior to 3.2 contains a Use After Free vulnerability, located in the function hash_new_from_values.

Remedy: The impact of this vulnerability is unclear. Upgrading to version 3.2 eliminates this vulnerability.

Official announcement: https://github.com/mruby/mruby/commit/aa7f98dedb68d735a1665d3a289036c88b0c47ce

About macOS Monterey 12.3 (26th May 2022)

Preface: A CVE with similar symptoms occurred in March 2022.
CVE-2022-22633 – A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 8.5, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, macOS Monterey 12.3. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution.

Background: The IOMMU (Input–Output Memory Management Unit) is a feature that is commonly present in 64-bit x86 processors as well as other architectures. Linux's support for the IOMMU has been a relatively disorganized development process, with several obscurities along the way. This is quite remarkable given that it is part of the kernel's memory management — a central role in the kernel's functionality.

Quote:
macOS 12.3 (21E230) – “Kernel stack memory corruption detected” restart problem in the past.
An end user in the Apple community reported that he encountered kernel stack memory corruption when using a PCIe-4 card in a PCIe-3 external Thunderbolt-3 drive as the boot device.
My concept is based on enabling IOMMU kernel support: append amd_iommu=on to the kernel command line in /boot/grub/grub.conf so that AMD IOMMU specifications are enabled at boot.
My assumption is that an attacker writes a malicious Linux PCI driver; once it has successfully modified the IOMMU configuration, it can make read/write accesses to kernel memory.

Vulnerability details: A memory corruption issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.4. An application may be able to execute arbitrary code with kernel privileges. For more details, please refer to the link – https://support.apple.com/en-us/HT213257

CVE-2022-1348: This flaw affects logrotate versions before 3.20.0 (28th May 2022)

Preface: Log management allows you to monitor requests at any level (API, database, etc.) and see which are underperforming. Log management is based on log files.
Log files are important data points for security and surveillance, providing a full history of events over time. Beyond operating systems, log files are found in applications, web browsers, hardware, and even email.

Background: It is important to control the sizes of log files on a Linux server because their size always grows over time. Every server has limited resources and too large logs can lead to performance and memory problems, not to mention the loss of precious storage space. This problem is typically solved through log rotation, a process that involves renaming or compressing a log file before it gets too large, and cleaning up old logs to reclaim storage.

Vulnerability details: A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation.
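The mechanism behind this flaw, as an added example that is not logrotate's own code: flock() needs only an open descriptor, so a state file created with group/other permission bits lets any local user open it read-only and hold the exclusive lock that logrotate uses to serialise its runs. The state-file paths below are constructed temporary files, not logrotate's real state file.

```c
/* Added example, not logrotate's own code. It models the CVE-2022-1348 condition:
 * flock() needs only an open descriptor, so if the state file is created
 * world-readable any local user can open it read-only and hold the exclusive
 * lock that serialises logrotate runs. Paths here are constructed temp files. */
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a constructed state file with the requested mode; returns its path
 * (static buffer, overwritten on the next call) or NULL on failure. */
const char *make_state_file(mode_t mode)
{
    static char path[64];
    strcpy(path, "/tmp/logrotate-status-XXXXXX");
    int fd = mkstemp(path);              /* mkstemp creates the file 0600 */
    if (fd < 0) return NULL;
    if (fchmod(fd, mode) != 0) {         /* widen to the mode under test */
        close(fd);
        return NULL;
    }
    close(fd);
    return path;
}

/* 1 if any group/other permission bit is set (the flaw's precondition),
 * 0 if the file is owner-only, -1 if it cannot be stat'ed. */
int state_file_is_exposed(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? 1 : 0;
}

/* Simulates the effect on rotation: a read-only opener takes LOCK_EX first,
 * then the "logrotate" opener (read-write) tries LOCK_EX|LOCK_NB. Returns 1 if
 * rotation would be blocked, 0 if the second lock succeeded, -1 on error. */
int readonly_holder_blocks_rotation(const char *path)
{
    int ro = open(path, O_RDONLY);
    if (ro < 0) return -1;
    if (flock(ro, LOCK_EX | LOCK_NB) != 0) {   /* read-only access suffices to lock */
        close(ro);
        return -1;
    }
    int rw = open(path, O_RDWR);
    if (rw < 0) {
        close(ro);
        return -1;
    }
    int blocked = (flock(rw, LOCK_EX | LOCK_NB) != 0);  /* EWOULDBLOCK expected */
    close(rw);
    close(ro);                                          /* releases the lock */
    return blocked;
}
```

The same read-only-lock check applies to any lock file a privileged daemon creates with a permissive umask, which is why auditing the mode of such files is worthwhile beyond logrotate.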

Remedy for older releases of logrotate (from 3.17.0 to 3.19.0):

https://github.com/logrotate/logrotate/commit/1f76a381e2caa0603ae3dbc51ed0f1aa0d6658b9
https://github.com/logrotate/logrotate/commit/addbd293242b0b78aa54f054e6c1d249451f137d

Alternatively, users can upgrade to 3.20.1 – https://github.com/logrotate/logrotate/releases/tag/3.20.1

My comment: From a security point of view, it is a critical risk. For example, a SIEM relies on log events to perform its correlation function. If such a vulnerability happens and the log event agent does not have a reporting mechanism to confirm log event activity, it provides a channel for an attacker to attempt evasion, because the alert function will not respond by firing a rule.

CVE-2022-29246 – Certain versions of USBX from Azure RTOS contain vulnerabilities, please be aware! (24-May-2022)

Preface: The main difference between FreeRTOS and ThreadX is that FreeRTOS has traditionally been completely open source (MIT license) whereas ThreadX has traditionally been completely commercial/proprietary. Therefore, FreeRTOS dominates the embedded RTOS market, with something like 20% of new projects using it.

Background: Azure RTOS USBX is a high-performance USB host, device, and on-the-go (OTG) embedded stack. Azure RTOS USBX is fully integrated with Azure RTOS ThreadX and available for all Azure RTOS ThreadX–supported processors.

Azure RTOS USBX has a remarkably small minimal footprint of 10.5 KB of FLASH and 5.1 KB RAM for Azure RTOS USBX Device CDC/ACM support. Azure RTOS USBX Host requires a minimum of 18 KB of FLASH and 25 KB of RAM for CDC/ACM support.

The CDC-ACM class provides a serial interface for connecting devices such as modems to an embedded system. The package provides a CDC-ACM host class driver for a USB stack. The system allows a USB serial port device to be plugged into the host and recognized as a remote serial port.

Vulnerability details: The implementation of the ux_device_class_dfu_control_request function does not ensure that a buffer overflow cannot occur while handling the DFU UPLOAD command. When an attacker issues the UX_SLAVE_CLASS_DFU_COMMAND_UPLOAD control transfer request with a wLength larger than the buffer size (UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH, 256 bytes), then depending on the actual implementation of dfu -> ux_slave_class_dfu_read, a buffer overflow may occur. For example, ux_slave_class_dfu_read may read 4096 bytes (or more, up to 65k) into a 256-byte buffer, ultimately resulting in an overflow. Furthermore, if an attacker has some control over the flash memory being read – for example, DFU is used with an external SPI flash chip, or the DFU DOWNLOAD command may be used – this may result in execution of arbitrary code and platform compromise.
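The bound check the advisory describes as missing, as an added example that is not Azure RTOS USBX code: the SETUP packet is parsed, and an UPLOAD request whose wLength exceeds the 256-byte control buffer is refused before anything is read from flash. The flash contents, the request packets and the dfu_read model are constructed for the example; only the 256-byte limit and the DFU_UPLOAD request code (2, from the USB DFU 1.1 specification) are real values.

```c
/* Added example, not Azure RTOS USBX code: the wLength check the advisory
 * describes as missing. A DFU UPLOAD request whose wLength exceeds the 256-byte
 * control buffer (UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH) is refused before any
 * bytes are copied from flash. Flash contents and requests are constructed. */
#include <stdint.h>
#include <string.h>

#define CONTROL_MAX_LENGTH 256   /* UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH */
#define DFU_REQUEST_UPLOAD 0x02  /* bRequest of DFU_UPLOAD, USB DFU 1.1 spec */

/* USB SETUP packet: 8 bytes, multi-byte fields little-endian. */
struct setup_packet {
    uint8_t  bmRequestType, bRequest;
    uint16_t wValue, wIndex, wLength;
};

static uint8_t fake_flash[4096];   /* constructed stand-in for the device's flash */

void dfu_init_fake_flash(void)
{
    for (unsigned i = 0; i < sizeof fake_flash; i++)
        fake_flash[i] = (uint8_t)(i * 7);
}

struct setup_packet parse_setup(const uint8_t raw[8])
{
    struct setup_packet s;
    s.bmRequestType = raw[0];
    s.bRequest      = raw[1];
    s.wValue        = (uint16_t)(raw[2] | (raw[3] << 8));
    s.wIndex        = (uint16_t)(raw[4] | (raw[5] << 8));
    s.wLength       = (uint16_t)(raw[6] | (raw[7] << 8));
    return s;
}

/* Model of ux_slave_class_dfu_read: copies len bytes of block block_no into dst.
 * As in the advisory's description it does not know how large dst is, so the
 * caller must bound len first. Returns the number of bytes copied. */
uint32_t dfu_read(uint16_t block_no, uint8_t *dst, uint32_t len)
{
    uint32_t off = (uint32_t)block_no * CONTROL_MAX_LENGTH;
    if (off >= sizeof fake_flash) return 0;
    if (len > sizeof fake_flash - off)
        len = sizeof fake_flash - off;
    memcpy(dst, fake_flash + off, len);
    return len;
}

/* Hardened UPLOAD handler: returns bytes placed in control_buf, or -1 to
 * stall the request (rejected, nothing copied). */
int dfu_handle_upload(const uint8_t raw_setup[8], uint8_t control_buf[CONTROL_MAX_LENGTH])
{
    struct setup_packet s = parse_setup(raw_setup);
    if (s.bRequest != DFU_REQUEST_UPLOAD) return -1;
    if (s.wLength > CONTROL_MAX_LENGTH)      /* the check the advisory says was missing */
        return -1;
    return (int)dfu_read(s.wValue, control_buf, s.wLength);
}
```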

Remedy: This fix has been included in USBX release 6.1.11.

Official announcement: Please refer to the link for details – https://github.com/azure-rtos/usbx/security/advisories/GHSA-hh5p-x584-j8hv

CVE-2022-1467 – Who created the vulnerability? (24-05-2022)

Preface: Suppose the operating system itself contains some unknown technical behaviour, and when a third-party application is installed, a vulnerability appears only in that specific software. Should the operating system vendor provide the remedy, or should the third-party vendor take responsibility?

Background: Cybersecurity related to functional safety covers power grids, public facilities and the manufacturing industry. SCADA systems are used in many different industries to collect and analyze real-time data, as well as to control functions, which makes them a target for malicious hackers.

AVEVA InTouch Access Anywhere enables you to remotely view a running InTouch application from a desktop computer or a mobile device including tablets, smartphones, or laptops. You view and control the application through a secure web browser without requiring a separate client application.
InTouch Access Anywhere provides the following features:
– Provides secure and remote access to InTouch applications.
– Incorporates image compression, packet shaping, and whole frame rendering to improve Internet performance.
– Automatically adjusts the size of your InTouch Access Anywhere session to the web browser window showing the application.
– Supports finger gestures on touch screen devices.
– Works on devices that only support web applications, like Chromebooks.
– Provides an expandable session toolbar with icons to disconnect your InTouch Access Anywhere sessions, access system keys, and copy application data to your Windows clipboard.

Vulnerability details: Certain versions of AVEVA InTouch Access Anywhere from AVEVA contain the following vulnerability:
Windows OS can be configured to overlay a “language bar” on top of any application. When this OS functionality is enabled, the OS language bar UI will be viewable in the browser alongside the AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere applications. It is possible to manipulate the Windows OS language bar to launch an OS command prompt, resulting in a context-escape from application into OS.

Remedy:

Application Software Vendor Security Updates – https://www.aveva.com/en/support-and-success/cyber-security-updates/

ICS Advisory (ICSA-22-130-05) – https://www.cisa.gov/uscert/ics/advisories/icsa-22-130-05

When you read the news, it mentions unknown things in the universe and you will want to know more. (22nd May 2022)

Preface: How fast are the Voyager computers?

Official Reply from NASA: Not very fast compared to today’s standards. The master clock runs at 4 MHz but the CPU’s clock runs at only 250 KHz. A typical instruction takes 80 microseconds, that is about 8,000 instructions per second. To put this in perspective, a 2013 top-of-the-line smartphone runs at 1.5 GHz with four or more processors yielding over 14 billion instructions per second.

Background: Voyager 1 launched in September 1977 and is now the farthest spacecraft from Earth. The Voyagers transmit data to Earth every day. The spacecraft collect information about their surrounding environment in real time and then send it back through radio signals. Voyager 1 data takes about 19 hours to reach Earth, and signals from Voyager 2 about 16 hours. According to official information, Voyager 1 is 14.5 million miles away from Earth (as of January 2022).

Goal of Voyager Interstellar Mission: NASA’s Deep Space Network (DSN) is an international network of facilities managed and operated by JPL’s Interplanetary Network Directorate. The DSN supports interplanetary spacecraft missions, radio astronomy, radar astronomy and related observations for the exploration of the solar system and the universe.

Voyager 1 is powered by a radioisotope thermoelectric generator (RTG).

About news related to the topic: NASA is investigating this ‘mystery’ data coming from Voyager 1. … Everything about the AACS suggests it is functioning normally, yet the telemetry data it’s sending back to Earth is “invalid”, producing what appears to be randomly generated data that doesn’t match any possible state the system could be in.

For details, please refer to the website – https://www.zdnet.com/home-and-office/networking/nasa-is-investigating-this-mystery-data-coming-from-voyager-1/?bhid=%7B%24external_id%7D&cid=%7B%24contact_id%7D&eh=%7B%24CF_emailHash%7D&ftag=TRE6a12a91&mid=%7B%24MESSAGE_ID%7D

Additional comments: The goal of the Voyager Interstellar Mission is to find out about unknown matter in the universe. As of January 2022, Voyager 1 is 14.5 billion miles from Earth. If the Deep Space communication centre receives randomly generated data,
maybe it can collaborate with SETI. SETI Research has several observing projects on the Allen Telescope Array. From a technical point of view, randomly generated data with no reference model is hard to interpret. If a similar pattern or unknown signal has been detected by SETI in the past, perhaps both sets of data can be correlated. Perhaps it is an advanced civilization that wants to communicate with our Earth.

Ref: Random numbers are numbers that occur in a sequence such that two conditions are met: (1) the values are uniformly distributed over a defined interval or set, and (2) it is impossible to predict future values based on past or present ones.

Does CVE-2022-21500 reawaken a known design weakness in EBS 12.2? (19th May 2022)

Preface: If a company or organization suffers a data breach, a significant concern is what PII might be exposed—the personal data of the customers that do business or otherwise interact with the entity. Exposed PII can be sold on the dark web and used to commit identity theft, putting breach victims at risk.

Background: Within Oracle WebLogic Server 10.3.6, Oracle E-Business Suite Release 12.2 employs Java Database Connectivity (JDBC) data sources to maintain a pool of connections for database connectivity. These JDBC data sources are associated with the managed servers (such as oacore and forms) in which Oracle E-Business Suite applications are deployed.

The details below cover the existing software components included in Oracle E-Business Suite Releases 12.1 and 12.2; maybe this is the answer you are looking for.
R12.1 – OHS 10.1.3.5 is based on Apache 2.0, which is end of life.
R12.2 – OHS 11.1.1.9 is based on Apache 2.2, which has been EOL since June 2017 but is still covered by Oracle support.

Vulnerability details: Vulnerability in Oracle E-Business Suite (component: Manage Proxies). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle E-Business Suite. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle E-Business Suite accessible data.

Official announcement – This Security Alert addresses vulnerability CVE-2022-21500, which affects some deployments of Oracle E-Business Suite. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in the exposure of personally identifiable information (PII). See the link for details – https://www.oracle.com/security-alerts/alert-cve-2022-21500.html

About CVE-2022-1734 – When Linux finds a vulnerability, how does it affect the IoT or IIoT world? (18 May 2022)

Preface: A system on a chip (SoC), is an integrated circuit that integrates all or most components of a computer or other electronic system. A SoC chip may have several GPIO components. Linux doesn’t usually run on Cortex-M, 8051, AVR, or other popular microcontroller architectures. Instead, we use application processors — popular ones are the Arm Cortex-A, ARM926EJ-S, and several MIPS iterations.

Background: How can a mobile device download firmware directly from the vendor if it does not have a Windows, Linux or Mac workstation? A mobile device can use a firmware downloader to check for the latest update for the device and download that firmware, as long as you know the correct model, region, and firmware string.

The file responsible for the firmware downloader function is ./drivers/nfc/nfcmrvl/fw_dnld.h. Furthermore, the file ./drivers/nfc/nfcmrvl/main.c is responsible for the major functions.

Vulnerability details: A flaw in the Linux kernel found in nfcmrvl_nci_unregister_dev() in drivers/nfc/nfcmrvl/main.c can lead to a use after free, both read and write, when the cleanup routine and the firmware download routine are not synchronized.

Use-After-Free (UAF) is a vulnerability related to incorrect use of dynamic memory during program operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to compromise the program.
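The teardown-ordering bug class described above, as an added model that is not the kernel's code: deferred firmware-download work keeps a raw pointer to the device's private data, and releasing that data before the work is cancelled leaves the work with a dangling pointer. So that the demo stays well-defined, "free" recycles one fixed slot and bumps a generation counter instead of calling free(); a generation mismatch stands in for the real use-after-free. All names (nfc_priv, fw_work, the firmware file name) are constructed for the example.

```c
/* Added example, not kernel code. Models the bug class the page describes for
 * CVE-2022-1734: deferred firmware-download work keeps a raw pointer to the
 * device's private data, so a teardown that releases that data before the work is
 * cancelled leaves the work with a dangling pointer. To keep this well-defined,
 * "free" recycles one fixed slot and bumps a generation counter; a generation
 * mismatch stands in for the real use-after-free. */
#include <string.h>

struct nfc_priv {
    unsigned generation;   /* bumped on every release of the slot */
    char     fw_name[32];  /* the field the download work reads */
};
struct fw_work {            /* one queued work item, like the driver's fw download work */
    struct nfc_priv *priv;  /* pointer captured when queued */
    unsigned expect;        /* generation it was queued against */
    int pending;
};
static struct nfc_priv slot;   /* fixed "allocation": nothing is really freed */

struct nfc_priv *priv_alloc(const char *fw_name)
{
    slot.generation++;
    strncpy(slot.fw_name, fw_name, sizeof slot.fw_name - 1);
    slot.fw_name[sizeof slot.fw_name - 1] = '\0';
    return &slot;
}
void priv_free(struct nfc_priv *p)
{
    memset(p->fw_name, 0, sizeof p->fw_name);   /* a real kfree may poison or reuse */
    p->generation++;
}
void fw_work_queue(struct fw_work *w, struct nfc_priv *p)
{
    w->priv = p; w->expect = p->generation; w->pending = 1;
}
/* Runs the deferred work: 0 = ran on live data, 1 = cancelled, did nothing,
 * -1 = would have dereferenced released memory (the UAF in real code). */
int fw_work_run(struct fw_work *w, char out[32])
{
    if (!w->pending) return 1;
    w->pending = 0;
    if (w->priv->generation != w->expect) return -1;
    memcpy(out, w->priv->fw_name, 32);
    return 0;
}
/* Buggy order: release private data while the work is still queued; it then fires. */
int unregister_unsynchronized(struct fw_work *w, struct nfc_priv *p, char out[32])
{
    priv_free(p);
    return fw_work_run(w, out);
}
/* Fixed order: cancel the work (stand-in for cancel_work_sync) before releasing. */
int unregister_synchronized(struct fw_work *w, struct nfc_priv *p, char out[32])
{
    w->pending = 0;
    priv_free(p);
    return fw_work_run(w, out);
}
```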

Official announcement: See the link for details on this vulnerability – https://github.com/torvalds/linux/commit/d270453a0d9ec10bb8a802a142fb1b3601a83098

Guidelines 04/2022 on the calculation of administrative fines under the GDPR (16 May 2022)

What is the definition of data mishandling in the digital world? It is difficult to define a scope, and there may be gaps in the definition in different situations. Whether a different angle of justice applies depends on the undefined element.
The European Data Protection Board welcomes comments on the Guidelines 04/2022 on the calculation of administrative fines under the GDPR. For more information on this, see the link – https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-042022-calculation-administrative_en

CVE-2022-28184 – Exploiting NVIDIA GPU driver design weaknesses (05/17/2022)

Preface: Looking back, a vulnerability was discovered in the NVIDIA GPU Display Driver in 2016. A flaw exists in the kernel mode layer (nvlddmkm.sys) handler for DxgDdiEscape IDs 0x600000E, 0x600000F, and 0x6000010 due to improper validation of user-supplied input that is used as an index to an internal array. A local attacker can exploit this to corrupt memory, resulting in a denial of service condition or an escalation of privileges.

Background: The NVIDIA GPU Display Driver supports two different operating systems, so the kernel mode layer is nvlddmkm.sys on Windows or nvidia.ko on Linux.

Vulnerability details: NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape or IOCTL where an unprivileged regular user can access administrator-privileged registers, which may lead to denial of service, information disclosure, and data tampering. IOCTL in Linux stands for Input and Output Control, which is used to talk to device drivers. This system call is available in most driver categories.

Conjecture: An attacker needs to know the actual physical address of the PML4 table (the CR3 value); otherwise the attacker will not be able to remap the target virtual address to the address he wants to control.

There are other ideas: use paging table primitives to destroy bitmaps, and use GDI primitives to restore the relevant mmPfnDatabase entry.

Ref: x64 uses a 4-level page table to map virtual memory to physical memory. The 4 levels are PML4 (Page Map Level 4, commonly called PXE), PDPT (Page Directory Pointer Table), PD (Page Directory) and PT (Page Table); CR3 (a control register) holds the physical base address of the current process's PML4.

CR3 enables the processor to translate linear addresses into physical addresses by locating the page directory and page tables for the current task.
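The 4-level walk described above, as an added example that is not from NVIDIA or any driver: the function splits a linear address into the PML4, PDPT, PD and PT indices plus the page offset, checks the canonical-address rule, and decodes the leaf page-table-entry bits (present, writable, user/supervisor, execute-disable) that decide whether a regular user may touch a mapping. The sample addresses and entries in the comments are constructed.

```c
/* Added example, not from NVIDIA or any driver. It decomposes an x64 linear
 * address into the four page-table indices the page lists (PML4, PDPT, PD, PT)
 * plus the page offset, and decodes the access-control bits of a page-table
 * entry. Sample addresses and entries are constructed, not from a real system. */
#include <stdint.h>

struct va_parts {
    unsigned pml4, pdpt, pd, pt;  /* 9-bit indices, 512 entries per table */
    unsigned offset;              /* 12-bit offset within a 4 KiB page */
};

/* 4-level paging covers 48 bits: 9+9+9+9 index bits plus a 12-bit offset. */
struct va_parts split_va(uint64_t va)
{
    struct va_parts p;
    p.pml4   = (va >> 39) & 0x1FF;
    p.pdpt   = (va >> 30) & 0x1FF;
    p.pd     = (va >> 21) & 0x1FF;
    p.pt     = (va >> 12) & 0x1FF;
    p.offset =  va        & 0xFFF;
    return p;
}

/* Bits 63:48 must be a copy of bit 47, otherwise the address is non-canonical
 * and any access faults regardless of what the tables contain. */
int va_is_canonical(uint64_t va)
{
    uint64_t hi = va >> 47;          /* 17 bits: bit 47 and its sign copies */
    return hi == 0 || hi == 0x1FFFF;
}

/* Page-table entry bits that matter for privilege checks. */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_WRITABLE  (1ULL << 1)
#define PTE_USER      (1ULL << 2)   /* 0 = supervisor-only mapping */
#define PTE_NX        (1ULL << 63)  /* execute-disable */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL   /* physical frame, bits 51:12 */

uint64_t pte_phys_addr(uint64_t pte) { return pte & PTE_ADDR_MASK; }

/* 1 if a user-mode (CPL 3) access of the given kind is permitted by this leaf
 * entry alone (upper-level entries and CR0/CR4 settings are not modelled).
 * Kernel-only mappings keep U/S clear, which is what separates an
 * "administrator-privileged" mapping from one a regular user may touch. */
int pte_allows_user(uint64_t pte, int want_write, int want_exec)
{
    if (!(pte & PTE_PRESENT) || !(pte & PTE_USER)) return 0;
    if (want_write && !(pte & PTE_WRITABLE))       return 0;
    if (want_exec  &&  (pte & PTE_NX))             return 0;
    return 1;
}
```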

Vendor announcement: Security Bulletin: NVIDIA GPU Display Driver – May 2022 – https://nvidia.custhelp.com/app/answers/detail/a_id/5353