About Das U-Boot (CVE-2022-34835) – 30th June 2022

Preface: Who use the Das u-boot?

  • SpaceX’s Falcon and Dragon both use U-Boot.
  • Asahi Linux uses it as payload for m1n1 in order to boot Linux on Apple Silicon Mac.

Background: U-Boot is an open-source, cross-platform boot loader that provides out-of-box support for hundreds of embedded boards and many CPUs, including PowerPC, ARM, XScale, MIPS, Coldfire, NIOS, Microblaze, and x86.
U-Boot has a command shell (also called a monitor) in which you work with U-Boot commands to create a customized boot process.

Ref: When the processor is powered on, the memory doesn’t hold an operating system, so special software is needed to bring the OS into memory from the media on which it resides. This software is normally a small piece of code called the boot loader.
In an embedded system, the boot loader’s role is more complicated because these systems rarely have a BIOS to perform initial system configuration.
At a minimum, a boot loader for an embedded system performs these functions:

  • Initializing the hardware, especially the memory controller
  • Providing boot parameters for the OS
  • Starting the OS

Vulnerability details: In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the “i2c md” command enables the corruption of the return address pointer of the do_i2c_md function.

Official announcement: [PATCH] i2c: fix stack buffer overflow vulnerability in i2c md command. Please refer to the link – https://github.com/u-boot/u-boot/commit/8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409

CVE-2022-31106 – The function deepFromFlat of underscore[.]deep is vulnerable to prototype pollution (28th June 2022)

Preface: When defining mappings, it will configure the fields that contain an array of objects within them as “object” type. This is fine in many cases, but sometimes the mappings will need to be adjusted.
Nested is a special type of object that is indexed as a separate document, and a reference to each of these inner documents is stored with the containing document, so we can query the data accordingly.

Background: The basic definition of an object in JavaScript is a container for named values called properties (keys). Sometimes, we need to create an object inside another object. In this case, it’s called a nested object.Nested objects are objects that are inside another object.Underscore.deep is a collection of Underscore mixins that operate on nested objects. Dealing with nested objects often we’ll be needing to access the innermost nested values safely.

Vulnerability details: Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of underscore.deep prior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An attacker can craft a malicious payload and pass it to deepFromFlat, which would pollute any future Objects created. Any users that have deepFromFlat or deepPick (due to its dependency on deepFromFlat) in their code should upgrade to version 0.5.3 as soon as possible.

Workarounds: Is there a way for users to fix or remediate the vulnerability without upgrading? Modifying deepFromFlat to prevent specific keywords will prevent this from happening. For details, please refer to link – https://github.com/clever/underscore.deep/commit/b5e109ad05b48371be225fa4d490dd08a94e8ef7

Remedy: Users should upgrade to 0.5.3.

About Apache Tika (CVE-2022-33879): Second round of fixes for CVE-2022-30126 and CVE-2022-30973 (27th June 2022)

Preface: Backtracking is a technique based on algorithm to solve problem. It uses recursive calling to find the solution by building a solution step by step increasing values with time.

Background: Apache Tika is a content type detection and content extraction framework. The Apache Tika™ toolkit detects and extracts metadata and text from over a thousand different file types (such as PPT, XLS, and PDF). All of these file types can be parsed through a single interface, making Tika useful for search engine indexing, content analysis, translation, and much more. Perhaps we think Apache Tika is not popular in digital world. However, Analysis Panama Papers also uses Apache Tika.

Vulnerability details: The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, found a separate new regex DoS in a different regex in the StandardsExtractingContentHandler.

Reference:

CVE-2022-30973 – Published: 31 May 2022
We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3.

CVE-2022-30126 – 2022-06-06 22:57:18
In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0

Solution: Fixed in 1.28.4 and 2.4.1.

Dramatic remedy (CVE-2022-34494 & CVE-2022-34495), another new finding occured on 24th June 2022

Preface: Modern SoCs typically employ heterogeneous remote processor devices in asymmetric multiprocessing (AMP) configurations, which may be running different instances of operating system, whether it’s Linux or any other flavor of real-time OS.

The Linux* Kernel vhost-net module was developed as an offload mechanism for virtio-net. The vhost-net module enables KVM (QEMU) to offload the servicing of virtio-net devices to the vhost-net kernel module, reducing the context switching and packet copies in the virtual dataplane.

Background: Rpmsg is a virtio-based messaging bus that allows kernel drivers to communicate with remote processors available on the system. In turn, drivers could then expose appropriate user space interfaces, if needed.

Every rpmsg device is a communication channel with a remote processor (thus rpmsg devices are called channels). Channels are identified by a textual name and have a local (“source”) rpmsg address, and remote (“destination”) rpmsg address.

When a driver starts listening on a channel, its rx callback is bound with a unique rpmsg local address (a 32-bit integer). This way when inbound messages arrive, the rpmsg core dispatches them to the appropriate driver according to their destination address (this is done by invoking the driver’s rx handler with the payload of the inbound message).

About double free: Double free errors occur when free() is called more than once with the same memory address as an argument. Calling free() twice on the same value can lead to memory leak.

Vulnerability details: The following vulnerabilities have remediation released on April 26, 2022.

CVE-2022-34494 – rpmsg_virtio_add_ctrl_dev in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.
vch will be free in virtio_rpmsg_release_device() when rpmsg_ctrldev_register_device() fails. There is no need to call kfree() again.

CVE-2022-34495 – rpmsg_probe in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.
vch will be free in virtio_rpmsg_release_device() when
rpmsg_ns_register_device() fails. There is no need to call kfree() again.

Summary: Fix this by changing error path from free_vch to free_ctrldev.It is recommended to upgrading to version 5.18.4 eliminates this vulnerability.

Observation: I say this vulnerability is dramatic. See the new findings from June 24, 2022 below. My feeling is that the design weaknesses fixed in April 2022 are not done yet. Maybe in a hurry.

Vulnerability details: rpmsg_register_device_override need to call put_device to free vch when driver_set_override fails. Fix possible refcount leak in rpmsg_register_device_override()

Remedy: Fix this by adding a put_device() to the error path.

Status: Not sure whether this fix will be included in 5.18.4 or require to update to latest version.

June 25th 2022 (APAC time zone), an extremely rare astronomical phenomenon

In the early morning of June 25th 2022 (APAC time zone), an extremely rare astronomical phenomenon “Eight Starts Converging” will be staged. During this period, Jupiter,Mars,Venus and Mercury, a total of five stars will appear in the night sky at the same time, and will be connected in a line to form the “Five Stars Convergence”, and the invisible Uranus, Neptune and Pluto are connected in a line, forming an extremely rare “eight-star converging”.

Reference: http://www.antihackingonline.com/science/prophecy-astrology-and-astronomical-henomenon-16th-jan-2022/

CVE-2022-1665 – Signed build of Red Hat Enterprise Linux for IBM Power can boot pre-production kernels

21st June 2022

Preface: What is Linux boot security?
Secure Boot allows only approved operating systems to run on the machine. Secure Boot checks the cryptographic signature in the operating system’s bootloader to see if it matches a registered key in the UEFI firmware. If a match is found, the boot process proceeds.

Background: UEFI Secure Boot requires that the operating system kernel is signed with a recognized private key. UEFI Secure Boot then verifies the signature using the corresponding public key. For Red Hat Enterprise Linux Beta releases, the kernel is signed with a Red Hat Beta-specific private key. UEFI Secure Boot attempts to verify the signature using the corresponding public key, but because the hardware does not recognize the Beta private key, Red Hat Enterprise Linux Beta release system fails to boot. Therefore, to use UEFI Secure Boot with a Beta release, add the Red Hat Beta public key to your system using the Machine Owner Key (MOK) facility.

To determine your version, use grub-install -V. (GRUB2 is configured with /boot/grub2/grub[.]cfg)

Red Hat Enterprise Linux 7 is distributed with version 2 of the GNU GRand Unified Bootloader (GRUB 2), which allows the user to select an operating system or kernel to be loaded at system boot time.

Vulnerability details: A set of pre-production kernel packages of Red Hat Enterprise Linux for IBM Power architecture can be booted by the grub in Secure Boot mode even though it shouldn’t. These kernel builds don’t have the secure boot lockdown patches applied to it and can bypass the secure boot validations, allowing the attacker to load another non-trusted code.

Red Hat Bugzilla – Bug 2089529 – https://bugzilla.redhat.com/show_bug.cgi?id=2089529

About CVE-2022-32973 (Tenable) – An authenticated attacker could create an audit file that bypasses PowerShell cmdlet checks and executes commands with administrator privileges. 21st June 2022

Preface: In order to prevent malicious scripts from running on your system, PowerShell enforces an execution policy. There are four execution policies you can use: Restricted, RemoteSigned, AllSigned and Unrestricted.

Background: The Nessus vulnerability scanner allows you to perform compliance audits of numerous platforms including (but not limited to) databases, Cisco, Unix, and Windows configurations as well as sensitive data discovery based on regex contained in audit files. Audit files are XML-based text files that contain the specific configuration, file permission, and access control tests to be performed. 

After you create an audit file, you can reference the audit file in a template-based Policy Compliance Auditing scan policy or a custom scan policy, said Tenable.

Vulnerability details: An authenticated attacker could create an audit file that bypasses PowerShell cmdlet checks and executes commands with administrator privileges.

Ref: In normal circumstances, if you are going to run powershell(xxx.ps1), you need to execute below action.

  • PowerShell as an Administrator
  • Set-ExecutionPolicy RemoteSigned
  • Running script (see below)
    & “xxx.ps1”

Official announcement: Tenable has opted to upgrade these components to address the potential impact of the issues. Nessus 10.2.0 fixes the reported Audit function vulnerabilities. For more details, please refer to link – https://www.tenable.com/security/tns-2022-11

About CVE-2022-31794 – Fujitsu ETERNUS CentricStor CS8000 (Control Center) devices before 8.1A SP02 P04 (21st June 2022)

Preface: If management functions follow best practices, keep them running on separate network segments. Among other things, it limits the management console to a small number of workstations. Even if the product has vulnerabilities. Risk may be significantly reduced.

Background: TERNUS CS8000 is a datacenter solution for backup storage for mainframe and open systems. Using intelligent process automation and the pooling of storage capacities, backup data is automatically managed between different storage tiers, including disk, deduplication and tape technology.
The console GUI provides a complete graphical representation of an ETERNUS CS8000 system, and covers all connected devices and ISPs(Integrated Service Processor) such as ICPs(integrated channel processor), IDPs (integrated device processor) and VLPs (virtual library processor).

Vulnerability details: An issue was discovered on Fujitsu ETERNUS CentricStor CS8000 (Control Center) devices before 8.1A SP02 P04. The vulnerability resides in the requestTempFile function in hw_view.php. An attacker is able to influence the unitName POST parameter and inject special characters such as semicolons, backticks, or command-substitution sequences in order to force the application to execute arbitrary commands. The vulnerability resides in the “requestTempFile” function in hw_view[.]php.

Solution: Applying the patch 8.1A SP02 P04 is able to eliminate this problem.

Typically, a data center already has a SIEM installed. A SIEM might have no trouble tracking down similar cyber attacks.
In order to correctly define the triggering rules. You can refer to NCCGroup technical papers as a reference. Please refer to the link for details – https://research.nccgroup.com/2022/05/27/technical-advisory-fujitsu-centricstor-control-center-v8-1-unauthenticated-command-injection/

CVE-2022-33987 The got package before 12.1.0 for Node.js allows a redirect to a UNIX socket (18/06/2022)

Preface: You can use POSIX permissions to lock down access to the file descriptor (FD) associated with the socket, and the server side can request information such as credentials and PID of clients before they can fully connect.

Background: node.js can process upwards of 1000 requests per second and speed limited only to the speed of your network card.
From techincal point of view, in order to improve the loading on new generation of web services. There are web application design not using traditional way. They uses “GOT” to communicate from the API frontend where all correspondence ingresses to the official’s lookup database in back.

It’s a GET request by default, but can be changed by using different methods or via options.method. By default, Got will retry on failure. To disable this option, set options.retry to 0.

Vulnerability details: A vulnerability was found in got Package up to 12.0.3. The design weakness allow Node.js redirect to a UNIX socket. A Unix domain socket aka UDS or IPC socket (inter-process communication socket) is a data communications endpoint for exchanging data between processes executing on the same host operating system.

This bug sounds like attacker exploit netcat command redirecting TCP traffic(http) to a UNIX domain socket. If the application design similar as picture attached. This vulnerability has possibilities, let’s the attacker query the database.

Remedy: Disable redirects to UNIX sockets – https://github.com/sindresorhus/got/pull/2047/commits/ef5cc13996b9765f306625ac5a0040bd445580eb

About CVE-2022-29865 – OPC UA .NET Standard Stack impact by log4j (16-06-2022)

Preface: Accessing OPC UA servers or any other industrial system from the IIoT should be done through a secure network connection.

Background: OPC Unified Architecture (OPC UA) is a machine-to-machine communication protocol used for industrial automation and developed by the OPC Foundation. The OPC UA platform in an platform-independent service-oriented architecture that integrates individual OPC Classic specifications into an extensible framework.
.NET Standard allows to develop apps that run on all common platforms available today, including Linux, iOS, Android (via Xamarin) and Windows 7/8/8.1/10/11 (including embedded/IoT editions) without requiring platform-specific modifications. OPC UA .NET Standard SDK enables fast integration of OPC UA communication into .NET Standard applications.

Vulnerability details: This security update resolves a vulnerability in the OPC UA .NET Standard Stack that allows a malicious client or server to bypass the application authentication mechanism and allow a connection to an untrusted peer.
This security update has a base score of 6.5 (medium) using the CVSS v3.1 guidelines.

Mitigating Factors: Only affects applications running on Windows or MacOS.
Workarounds: Use self-signed Certificates for application authentication. Move CAs from the trust list to the issuers list and explicitly add each trusted peer into the trust list. Require user authentication in addition to application authentication.

Reference: https://cve.report/CVE-2022-29865/fd870923.pdf