CVE-2021-22642 – Denial of service via invalid Modbus/TCP frames on Ovarro TBox (28th July 2022)

Preface: Last September (2021) CISA (ICS-CERT) advised the public to be concerned about multiple vulnerabilities found in Modbus-capable products. The product in question is the TBox RTU from the supplier Ovarro.
These vulnerabilities are documented in a CVE record that appeared in its current form only this week (July 28, 2022). The record number is CVE-2021-22642.
Readers may be confused by this CVE record, because the same CVE number appeared in a CISA advisory published last September (2021). I think the original vulnerability description was amended, which is why the record resurfaced now.


Security focus – related design weakness brought to my attention
An attacker could use specially crafted invalid Modbus frames to crash the Ovarro TBox system.
As usual, the advisory gives only the description of the vulnerability, not the root cause; perhaps it was withheld because of public safety concerns.
As far as I know, TBox products are designed to provide a safe and robust RTU solution for remote automation and monitoring of critical assets. A quick look at how a Modbus/TCP frame is supposed to be validated gives some hints, for your reference.

Observation (CVE-2021-22642): The Modbus/TCP implementation contains a vulnerability that could allow an attacker to cause a denial of service (DoS) condition on a targeted system. The weakness appears to be an implementation error in the affected protocol stack when processing Read Discrete Inputs (function code 0x02) request and response messages.
An unauthenticated, remote attacker could exploit the vulnerability by sending request or response parameters that contain malicious values in the data field to a system with a vulnerable Modbus/TCP implementation. Processing such a message could trigger a DoS condition on the vulnerable system. This reading is an observation, not the vendor's root-cause statement: the advisory only says that invalid frames crash the device.
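The kind of check a robust Modbus/TCP stack must perform before acting on a Read Discrete Inputs request, as an added example in C. This is not Ovarro's code: the frame layout comes from the Modbus Application Protocol and Modbus/TCP specifications, not from the TBox firmware, and the sample frames are constructed for the example. The validator checks the MBAP header, the declared length and the PDU bounds, and answers a malformed request with the exception code the specification prescribes instead of crashing.

```c
/* Added example (not Ovarro's code): a minimal Modbus/TCP request validator
 * for function 0x02 (Read Discrete Inputs). It checks the MBAP header and the
 * PDU bounds the Modbus specification requires, and returns an exception
 * code instead of trusting the frame. The sample frames are constructed. */
#include <stdint.h>
#include <stddef.h>

#define MODBUS_FC_READ_DISCRETE_INPUTS 0x02
#define MODBUS_MAX_DISCRETE_QTY        2000   /* spec limit 0x07D0 */
#define MBAP_LEN                       7

/* 0 = OK, positive = Modbus exception code to send back, negative = drop frame */
enum {
    MB_OK = 0,
    MB_EX_ILLEGAL_FUNCTION = 0x01,
    MB_EX_ILLEGAL_DATA_ADDRESS = 0x02,
    MB_EX_ILLEGAL_DATA_VALUE = 0x03,
    MB_DROP_BAD_MBAP = -1,
};

struct mb_request {
    uint16_t transaction_id;
    uint8_t  unit_id;
    uint8_t  function;
    uint16_t start_addr;
    uint16_t quantity;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate one TCP frame of 'n' bytes against a device that exposes
 * 'num_inputs' discrete inputs. 'out' is filled only for a well-formed request. */
int modbus_validate_read_discrete(const uint8_t *frame, size_t n,
                                  uint16_t num_inputs, struct mb_request *out)
{
    if (n < MBAP_LEN + 1)                 /* header plus at least a function code */
        return MB_DROP_BAD_MBAP;
    if (be16(frame + 2) != 0)             /* protocol identifier must be 0 (Modbus) */
        return MB_DROP_BAD_MBAP;
    uint16_t length = be16(frame + 4);    /* number of bytes following this field */
    if (length < 2 || length > 254)       /* unit id + PDU, PDU is at most 253 bytes */
        return MB_DROP_BAD_MBAP;
    if ((size_t)length + 6 != n)          /* declared length must match what arrived */
        return MB_DROP_BAD_MBAP;

    uint8_t function = frame[7];
    if (function != MODBUS_FC_READ_DISCRETE_INPUTS)
        return MB_EX_ILLEGAL_FUNCTION;    /* this validator only knows 0x02 */
    if (length != 6)                      /* unit(1) + fc(1) + addr(2) + qty(2) */
        return MB_EX_ILLEGAL_DATA_VALUE;

    uint16_t start = be16(frame + 8);
    uint16_t qty   = be16(frame + 10);
    if (qty < 1 || qty > MODBUS_MAX_DISCRETE_QTY)
        return MB_EX_ILLEGAL_DATA_VALUE;
    if ((uint32_t)start + qty > num_inputs)   /* 32-bit math so the sum cannot wrap */
        return MB_EX_ILLEGAL_DATA_ADDRESS;

    out->transaction_id = be16(frame);
    out->unit_id    = frame[6];
    out->function   = function;
    out->start_addr = start;
    out->quantity   = qty;
    return MB_OK;
}

/* Constructed frames for a device with 64 discrete inputs (txid, proto, len, unit, fc, addr, qty) */
static const uint8_t good[]   = {0x00,0x01, 0x00,0x00, 0x00,0x06, 0x01, 0x02, 0x00,0x00, 0x00,0x10}; /* start 0, qty 16 */
static const uint8_t bigqty[] = {0x00,0x02, 0x00,0x00, 0x00,0x06, 0x01, 0x02, 0x00,0x00, 0xFF,0xFF}; /* qty 65535 */
static const uint8_t oob[]    = {0x00,0x04, 0x00,0x00, 0x00,0x06, 0x01, 0x02, 0x00,0x3C, 0x00,0x10}; /* start 60, qty 16 */
static const uint8_t trunc[]  = {0x00,0x03, 0x00,0x00, 0x00,0x06, 0x01, 0x02, 0x00,0x00};            /* says 6, carries 4 */

int modbus_demo_good(void)   { struct mb_request r; return modbus_validate_read_discrete(good,   sizeof good,   64, &r); }
int modbus_demo_bigqty(void) { struct mb_request r; return modbus_validate_read_discrete(bigqty, sizeof bigqty, 64, &r); }
int modbus_demo_oob(void)    { struct mb_request r; return modbus_validate_read_discrete(oob,    sizeof oob,    64, &r); }
int modbus_demo_trunc(void)  { struct mb_request r; return modbus_validate_read_discrete(trunc,  sizeof trunc,  64, &r); }
```

A frame that fails the MBAP checks is dropped and the connection should be closed; a syntactically valid PDU with out-of-range values gets a Modbus exception response (function code with 0x80 set, followed by the exception byte). Either way the device keeps running.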

Official announcement (Ovarro): https://www.ovarro.com/content-media/assigned/89928/TBOX-SA-2021-0005.pdf

CVE-2022-36946 – About the Android and Linux (Torvalds) netfilter design weakness (27th July 2022)

Preface: What is an SKB in the Linux kernel? An SKB (struct sk_buff) is composed of a linear data buffer and, optionally, a set of one or more page buffers (fragments). If there are page buffers, the total number of bytes in the page buffer area is skb->data_len; therefore the number of bytes in the linear buffer is skb->len - skb->data_len.

Background: The Linux kernel has built-in packet filtering in the form of netfilter. You use the iptables command to set up rules for what happens to packets based on the addresses in their headers and the state of the connection. NFQUEUE is an iptables and ip6tables target which delegates the decision on a packet to a userspace program.
To understand NFQUEUE, the easiest way is to look at the architecture inside the Linux kernel. When a packet reaches an NFQUEUE target it is enqueued to the queue whose number is given by the --queue-num option. The packet queue is implemented as a linked list whose elements are the packet plus its metadata (a Linux kernel skb):

  • It is a fixed-length queue implemented as a linked list of packets.
  • Stored packets are indexed by an integer.
  • A packet is released when userspace issues a verdict for the corresponding index.
  • When the queue is full, no further packet can be enqueued.

The verdict message may also carry a payload attribute (NFQA_PAYLOAD) that replaces the packet contents before the kernel continues processing it; that is the path CVE-2022-36946 abuses.

Vulnerability details: CVE-2022-36946 – nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.
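A model in C of why a verdict carrying a one-byte payload is dangerous, and of the guard that stops it. This is an added example, not the kernel's code: struct skb_model stands in for struct sk_buff, pull_unchecked() mimics the unchecked __skb_pull(), and the hardened variant follows the idea of the upstream fix (refuse to truncate a queued packet below its transport header). The 60-byte IPv4 packet and the replacement payload are constructed.

```c
/* Added example (model, not kernel code): what happens when userspace is
 * allowed to shrink a queued packet to 1 byte, and the check that prevents
 * it. 'len' is unsigned exactly like skb->len, so subtracting past zero wraps
 * to a huge value instead of going negative. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <errno.h>

struct skb_model {
    uint8_t      data[128];
    unsigned int len;               /* bytes currently in the packet, like skb->len */
    unsigned int transport_offset;  /* start of the L4 header inside data */
};

/* Model of __skb_pull(): subtracts without checking, like the kernel's unchecked variant */
static unsigned int pull_unchecked(struct skb_model *skb, unsigned int n)
{
    skb->len -= n;                  /* n > len wraps to a huge "negative" length */
    return skb->len;
}

/* Verdict handling that trusts the NFQA_PAYLOAD length supplied by userspace */
int mangle_unchecked(struct skb_model *skb, const uint8_t *payload, unsigned int data_len)
{
    if (data_len > sizeof skb->data)
        return -EINVAL;
    memcpy(skb->data, payload, data_len);
    skb->len = data_len;            /* may now be shorter than the headers */
    return 0;
}

/* Hardened: never truncate below the transport header, so later header
 * processing can never pull more bytes than the packet holds */
int mangle_checked(struct skb_model *skb, const uint8_t *payload, unsigned int data_len)
{
    if (data_len > sizeof skb->data || data_len < skb->transport_offset)
        return -EINVAL;
    memcpy(skb->data, payload, data_len);
    skb->len = data_len;
    return 0;
}

/* Apply a verdict whose payload is 'new_len' bytes to a constructed 60-byte
 * IPv4 packet, then do what later delivery does: pull the 20-byte IP header.
 * Returns the resulting skb->len and stores the mangle return code in *rc. */
unsigned int deliver_after_mangle(int (*mangle)(struct skb_model *, const uint8_t *, unsigned int),
                                  unsigned int new_len, int *rc)
{
    struct skb_model skb;
    uint8_t payload[128] = {0x45};  /* constructed replacement payload: IPv4 version/IHL byte, rest zero */
    memset(&skb, 0, sizeof skb);
    skb.len = 60;
    skb.transport_offset = 20;
    *rc = mangle(&skb, payload, new_len);
    if (*rc != 0)
        return skb.len;             /* verdict rejected, packet untouched */
    return pull_unchecked(&skb, skb.transport_offset);
}

unsigned int demo_unchecked_one_byte(void)   { int rc; return deliver_after_mangle(mangle_unchecked, 1, &rc); }  /* wraps to 4294967277 */
int          demo_checked_one_byte_rc(void)  { int rc; deliver_after_mangle(mangle_checked, 1, &rc); return rc; }  /* -EINVAL */
unsigned int demo_checked_one_byte_len(void) { int rc; return deliver_after_mangle(mangle_checked, 1, &rc); }     /* 60: untouched */
unsigned int demo_checked_forty_len(void)    { int rc; return deliver_after_mangle(mangle_checked, 40, &rc); }    /* 20: header pulled */
```

In the real kernel the wrapped length is what later code sees as a negative skb->len, and the BUG_ON checks around it turn the bad verdict into a panic; a verdict that is rejected with -EINVAL leaves the queued packet as it was.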

Official details and solution: details are provided in the following link – https://lore.kernel.org/netdev/165889141391.5272.4804742479205778392.git-patchwork-notify@kernel.org/t/

Even if a software driver is protected against buffer overflows, a cyber security provider can still draw out its shortcomings! (26th July 2022)

Preface: According to the technical report (OT:ICEFALL) by the cyber security service provider Forescout, an APT toolkit has been observed targeting several OT devices, such as OPC UA servers and PLCs from Omron and Schneider Electric. The ICS-CERT advisory of 28th June, 2022 states the risk evaluation: successful exploitation of these vulnerabilities could cause a denial-of-service condition and allow remote code execution. Please refer to the link for details.

Background: The Omron FINS Ethernet driver provides a reliable way to connect Omron FINS Ethernet controllers to client applications, including HMI, SCADA, historian, MES, ERP and countless custom applications.
Remark: A PLC is a hardware-based device; SCADA is a system that works in conjunction with the PLC, and an HMI is likewise a system that works in conjunction with a PLC.

Omron PLCs usually have three different modes: Program, Monitor and Run.

  • Program Mode: In PROGRAM mode the CPU unit is stopped so your logic will not be executed. User programming can be created or modified, memory can be cleared, and programs can be checked. Depending on the PLC type there may be other options as well.
  • Monitor Mode: In MONITOR mode the CPU unit is running, so your logic will be executed. I/O is processed in the same way as in RUN mode. The operating status of the CPU unit can be monitored, bits can be forced and/or set or reset. The set values and present values of timers and counters can be modified. The present values of word data can be modified. This mode is used for system adjustments.
  • Run Mode: RUN mode is used for normal system operation. The operating status of the CPU unit can be monitored, but bits cannot be forced and/or set or reset. Present and set values cannot be modified using programming devices.
    Let's put our CP1H controller into Monitor mode: Ctrl+3, the Monitor icon, or PLC | Operating Mode | Monitor from the main menu.

Vulnerability details (see below):

  • CVE-2022-31204 – Omron CS series, CJ series, and CP series PLCs through 2022-05-18 use cleartext passwords.
  • CVE-2022-31207 – The Omron SYSMAC Cx product family PLCs (CS series, CJ series, and CP series) through 2022-05-18 lack cryptographic authentication.
  • CVE-2022-31206 – The Omron SYSMAC Nx product family PLCs (NJ series, NY series, NX series, and PMAC series) through 2022-05-18 lack cryptographic authentication.
  • CVE-2022-31205 – In Omron CS series, CJ series, and CP series PLCs through 2022-05-18, the password for access to the Web UI is stored in memory area D1449…D1452 and can be read out using the Omron FINS protocol without any further authentication.
    Remark: Omron Cx series authentication bypass and plaintext credentials – CVE-2022-31204, CVE-2022-31205
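Because CVE-2022-31205 turns an ordinary FINS Memory Area Read into a credential leak, a network monitor can flag reads that touch the DM words holding the password. The following C detector is an added example, not Omron's or Forescout's code. The FINS command layout is assumed from the FINS command reference (10-byte header, 2-byte command code, and for Memory Area Read 01 01: one area code byte, a 3-byte beginning address and a 2-byte item count, with 0x82 as the DM word area); the sample frames are constructed.

```c
/* Added example (not Omron's or Forescout's code): parse an Omron FINS
 * command frame and flag any Memory Area Read (command 01 01) of DM words
 * that overlaps D1449..D1452, the range where CVE-2022-31205 says the Web UI
 * password is stored. Frame layout assumed from the FINS command reference. */
#include <stdint.h>
#include <stddef.h>

#define FINS_HDR_LEN        10
#define FINS_CMD_MEM_READ   0x0101
#define FINS_AREA_DM_WORD   0x82    /* DM area, word access */
#define SENSITIVE_DM_FIRST  1449
#define SENSITIVE_DM_LAST   1452

enum fins_verdict { FINS_MALFORMED = -1, FINS_BENIGN = 0, FINS_SENSITIVE_DM_READ = 1 };

struct fins_read {
    uint8_t  dst_node;   /* DA1 */
    uint8_t  src_node;   /* SA1 */
    uint8_t  sid;
    uint8_t  area;
    uint16_t word;
    uint8_t  bit;
    uint16_t count;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Inspect one FINS frame of 'n' bytes; 'out' is filled for Memory Area Read commands */
int fins_inspect(const uint8_t *f, size_t n, struct fins_read *out)
{
    if (n < FINS_HDR_LEN + 2)
        return FINS_MALFORMED;
    if ((f[0] & 0x40) != 0)                    /* ICF bit 6 set: this is a response */
        return FINS_BENIGN;
    if (be16(f + FINS_HDR_LEN) != FINS_CMD_MEM_READ)
        return FINS_BENIGN;                    /* other commands are not inspected here */
    if (n < FINS_HDR_LEN + 2 + 6)
        return FINS_MALFORMED;                 /* area(1) + address(3) + count(2) missing */

    const uint8_t *p = f + FINS_HDR_LEN + 2;
    out->dst_node = f[4];
    out->src_node = f[7];
    out->sid      = f[9];
    out->area     = p[0];
    out->word     = be16(p + 1);
    out->bit      = p[3];
    out->count    = be16(p + 4);

    if (out->area != FINS_AREA_DM_WORD || out->count == 0)
        return FINS_BENIGN;
    /* 32-bit arithmetic so a count near 0xFFFF cannot wrap the range test */
    uint32_t last = (uint32_t)out->word + out->count - 1;
    if (last < SENSITIVE_DM_FIRST || out->word > SENSITIVE_DM_LAST)
        return FINS_BENIGN;
    return FINS_SENSITIVE_DM_READ;
}

/* Constructed header: ICF 0x80 (command, response requested), RSV 0, GCT 2,
 * DNA 0, DA1 0x0A, DA2 0, SNA 0, SA1 0x01, SA2 0, SID 0x01 */
#define HDR 0x80,0x00,0x02, 0x00,0x0A,0x00, 0x00,0x01,0x00, 0x01
static const uint8_t read_password_words[] = { HDR, 0x01,0x01, 0x82, 0x05,0xA9, 0x00, 0x00,0x04 }; /* D1449, 4 words */
static const uint8_t read_d100[]           = { HDR, 0x01,0x01, 0x82, 0x00,0x64, 0x00, 0x00,0x0A }; /* D100, 10 words */
static const uint8_t read_sweep[]          = { HDR, 0x01,0x01, 0x82, 0x05,0x00, 0x00, 0x01,0x00 }; /* D1280, 256 words */
static const uint8_t truncated[]           = { HDR, 0x01,0x01, 0x82, 0x05 };                        /* cut after area code */

int fins_demo_password(void)  { struct fins_read r; return fins_inspect(read_password_words, sizeof read_password_words, &r); }
int fins_demo_d100(void)      { struct fins_read r; return fins_inspect(read_d100, sizeof read_d100, &r); }
int fins_demo_sweep(void)     { struct fins_read r; return fins_inspect(read_sweep, sizeof read_sweep, &r); }
int fins_demo_truncated(void) { struct fins_read r; return fins_inspect(truncated, sizeof truncated, &r); }
```

On FINS/UDP (port 9600) the frame is the whole datagram; on FINS/TCP a 16-byte transport header starting with the ASCII string "FINS" precedes it and must be stripped first. The sweep case matters because an attacker need not ask for D1449 by name: any bulk read whose range covers it gets the same flag.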

Reference A: Public report, known as “OT:ICEFALL”, that details vulnerabilities found in products from multiple operational technology (OT) vendors. Please follow this link to download the report – https://www.forescout.com/resources/ot-icefall-report/

Reference B: ICS-CERT advisory of 28th June, 2022. Please follow this link – https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02

CVE-2022-35651 – A stored XSS and blind SSRF vulnerability was found in Moodle (25th July 2022)

Preface: As time goes by, online training courses have become the mainstream way to offload traditional onsite training. A Learning Management System (LMS) is a software application designed to deliver, track, report on and manage training and learner activity. Popular LMS platforms used by educational institutions include Moodle, Blackboard Learn and Schoology.
For security reasons, an LMS is usually run in a separate web hosting area. However, if it contains stored XSS and blind SSRF vulnerabilities, then even though it does not run inside the office network, it is still risky: cybercriminals can steal users' sensitive information through it, and from there the enterprise systems may be affected.

Background: SCORM (Sharable Content Object Reference Model) can be described as a collection of standards and specifications that allow for the description and packaging of an e-learning course. SCORM 1.2 is the most widely distributed version of the SCORM specification. The SCORM 1.2 definition has two main parts SCORM Content Aggregation Model (CAM) and SCORM RunTime Environment (RTE).
SCORM packages are typically zip files. Within the zip file you will find all the content needed at delivery time by the SCORM package and a manifest file, named imsmanifest.xml. The manifest file describes the SCORM package so that the SCORM player understands how to run the SCORM package.
SCORM 1.2 is supported by Moodle 1.9.3 (or higher) and Moodle 1.8.7 (or higher). It is very simple to add a SCORM package to Moodle. The SCORM package is simply added to a course as a course activity.

Vulnerability details: A stored XSS and blind SSRF vulnerability was found in Moodle; it occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website, to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Below are the other vulnerabilities disclosed by the vendor in the same release.

CVE-2022-35653 – A reflected XSS issue was identified in the LTI module of Moodle
CVE-2022-35652 – An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature.
CVE-2022-35651 – A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details.
CVE-2022-35650 – A vulnerability in Moodle that occurs due to an input validation error when importing lesson questions.
CVE-2022-35649 – Due to improper input validation when parsing PostScript code, an omitted execution parameter results in a remote code execution risk for sites running Ghostscript versions older than 9.50.

Solution: For the fixes to the above vulnerabilities, see the official announcement – https://moodle.org/security/

About CVE-2021-46829 – Sometimes old things are easily forgotten. A flaw found last year has been awakened now (24th July 2022).

Preface: GdkPixbuf is a library with a long history, and it has been incrementally modified over years, so it may retain some older coding practices alongside newer ones.

Background: GdkPixbuf is a library that loads image data in various formats and stores it as linear buffers in memory. The buffers can then be scaled, composited, modified, saved, or rendered. GdkPixbuf can load image data encoded in different formats, such as PNG, JPEG, TIFF, TGA and GIF.

The GdkPixbuf class provides methods for saving image data in a number of file formats. The formatted data can be written to a file or to a memory buffer. GdkPixbuf can also call a user-defined callback on the data, which allows, for example, writing the image to a socket or storing it in a database.

Vulnerability details: GNOME GdkPixbuf (aka GDK-PixBuf) before 2.42.8 allows a heap-based buffer overflow when compositing or clearing frames in GIF files, as demonstrated by io-gif-animation[.]c composite_frame. This overflow is controllable and could be abused for code execution, especially on 32-bit systems.

This design weakness was found last year. Since no CVE was registered at the time, it was probably not considered a problem for downstream users of the package. As of July 2022, the latest Debian stable package is still affected. Browsing to a folder containing a crafted GIF with the GNOME file browser causes a crash, as does opening it in a GNOME image viewer and even attempting to load it in Chromium.

The bug is in composite_frame() in io-gif-animation[.]c. The problem appears to be in the calculation of the offset variable (see below):

  • because it is a signed int, it overflows once the value exceeds INT32_MAX (undefined behaviour in C, in practice wrapping to a wrong offset);
  • even if it were an unsigned int, given the calculations (frame position times canvas width times bytes per pixel, with 16-bit GIF fields) it is easy to reach very large values.
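A C model of the offset arithmetic described above, added here as an example; it is not gdk-pixbuf's code and does not reproduce composite_frame() line by line. The naive function shows what a signed int can and cannot hold and that, even when the value fits, nothing ties the offset to the canvas; the checked function validates the frame against the logical screen first and computes with size_t and overflow-checked builtins (GCC/Clang __builtin_*_overflow). The frame descriptors are constructed.

```c
/* Added example (model, not gdk-pixbuf's code): computing where a GIF frame
 * pixel lands in the RGBA canvas, first the way a signed int offset breaks,
 * then with frame validation and checked size_t arithmetic. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <limits.h>

#define CHANNELS 4  /* RGBA bytes per pixel */

/* GIF image descriptor fields are 16-bit, so each may legitimately be up to 65535 */
struct gif_frame_desc { uint16_t x_offset, y_offset, width, height; };

/* Exact byte offset of frame pixel (i, j) on a canvas 'canvas_width' pixels wide, in 64-bit */
static uint64_t true_offset(uint16_t canvas_width, const struct gif_frame_desc *f, uint16_t i, uint16_t j)
{
    uint64_t row = (uint64_t)f->y_offset + i;
    uint64_t col = (uint64_t)f->x_offset + j;
    return CHANNELS * (row * canvas_width + col);
}

/* Model of the weakness: the offset is stored in a signed int and never
 * compared with the canvas. Returns false when the value cannot fit an int
 * at all; when it does fit, it may still point past the pixel buffer. */
bool naive_int_offset(uint16_t canvas_width, const struct gif_frame_desc *f,
                      uint16_t i, uint16_t j, int *offset)
{
    uint64_t v = true_offset(canvas_width, f, i, j);
    if (v > (uint64_t)INT_MAX)
        return false;                 /* signed overflow territory */
    *offset = (int)v;
    return true;
}

/* Hardened: validate the frame against the logical screen, then compute in
 * size_t with overflow-checked builtins and a final bounds check. */
bool checked_offset(uint16_t canvas_width, uint16_t canvas_height, size_t canvas_bytes,
                    const struct gif_frame_desc *f, uint16_t i, uint16_t j, size_t *offset)
{
    if ((uint32_t)f->x_offset + f->width  > canvas_width ||
        (uint32_t)f->y_offset + f->height > canvas_height)
        return false;                 /* frame hangs outside the canvas */
    if (i >= f->height || j >= f->width)
        return false;                 /* pixel outside the frame */
    size_t pixels, bytes;
    if (__builtin_mul_overflow((size_t)f->y_offset + i, (size_t)canvas_width, &pixels)) return false;
    if (__builtin_add_overflow(pixels, (size_t)f->x_offset + j, &pixels))            return false;
    if (__builtin_mul_overflow(pixels, (size_t)CHANNELS, &bytes))                     return false;
    if (canvas_bytes < CHANNELS || bytes > canvas_bytes - CHANNELS)
        return false;                 /* the whole pixel must stay inside the buffer */
    *offset = bytes;
    return true;
}

/* Constructed cases */
static const struct gif_frame_desc small   = { 10, 20, 100, 50 };  /* ordinary frame on a 640x480 canvas */
static const struct gif_frame_desc outside = { 0, 200, 10, 10 };   /* claims y=200 on a 100x100 canvas */
static const struct gif_frame_desc huge    = { 0, 65534, 1, 1 };   /* legal GIF values on a 65535-wide canvas */

int    demo_small_naive(void)     { int o;    return naive_int_offset(640, &small, 0, 0, &o) ? o : -1; }                                  /* 51240 */
size_t demo_small_checked(void)   { size_t o; return checked_offset(640, 480, 640u * 480u * CHANNELS, &small, 0, 0, &o) ? o : 0; }       /* 51240 */
int    demo_outside_naive(void)   { int o;    return naive_int_offset(100, &outside, 0, 0, &o) ? o : -1; }                                /* 80000, past a 40000-byte buffer */
int    demo_outside_checked(void) { size_t o; return checked_offset(100, 100, 100u * 100u * CHANNELS, &outside, 0, 0, &o); }             /* 0: rejected */
int    demo_huge_naive(void)      { int o;    return naive_int_offset(65535, &huge, 0, 0, &o); }                                          /* 0: does not fit an int */
```

The "outside" case is the one that matters for the heap overflow: the naive offset fits comfortably in an int, so nothing looks wrong, yet it points 40000 bytes past the end of a 100x100 RGBA buffer. The "huge" case is the signed-overflow half of the description above.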

Solution: Upgrade to gdk-pixbuf 2.42.8

CVE-2022-31160 : jQuery UI checkboxradio cross site scripting (21st July 2022)

Preface: jQuery is an independent JavaScript library which adds functions and functionality beyond what JavaScript natively provides. The jQuery developer crowd still looks strong: according to W3Techs statistics, popular sites are still using jQuery.

Background: jQuery is the core library, and jQuery UI is built on top of it. If you use jQuery UI, you must also include jQuery. The plugins and utilities in jQuery UI are divided into four categories: widgets, interactions, effects, and utilities.

jQuery UI is made up of different CSS and JavaScript files. In addition, some files are compressed, while others are not.

  • Uncompressed files are located in the development-bundle directory, under the jQuery UI installation directory (jqueryui).
  • The ui directory (located under development-bundle) contains the JavaScript files. The jquery.ui.core.js file includes the basic features (mandatory), while other files are included only if required.
  • The themes directory (located under development-bundle) contains the CSS files. It consists of various directories, each containing themes (e.g., the base, smoothness, and ui-lightness directories). Each theme includes an images directory and other CSS files.

Vulnerability details: jQuery UI versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded.

Solution: The bug has been patched in jQuery UI 1.13.2.

Workaround: To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the label in a span.

Official announcement: Please refer to the link – https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9

Vulnerability for Improper Handling of Exceptional Conditions on specific Juniper Networks products (20th July 2022)

Preface: Common JUNOS daemons include:

  • The routing protocol daemon (rpd) handles all routing protocol messages and routing table updates and implements routing policies. rpd contains modules that each function independently while sharing information with the others.
  • The device control daemon (dcd) manages all interface devices and configurations. This daemon sends configurations to the kernel to create interfaces. Each configuration has a unique interface index number, common throughout the system.
  • The packet forwarding daemon (pfed) handles communication between the Packet Forwarding Engine and the Routing Engine.
  • The management daemon (mgd) controls all user access to the router.
  • The chassis daemon (chassisd) controls the properties of the router itself, including interactions between the Packet Forwarding Engine’s passive midplane, the Flexible PIC Concentrator (FPC) that connects the switching control board to the router’s interfaces in the Packet Forwarding Engine, and other control boards.

Background: VXLAN is an encapsulation protocol that provides data center connectivity using tunneling to stretch Layer 2 connections over an underlying Layer 3 network. In data centers, VXLAN is the most commonly used protocol to create overlay networks that sit on top of the physical network, enabling the use of virtual networks.

Vulnerability details: An Improper Handling of Exceptional Conditions vulnerability on specific PTX Series devices, including the PTX1000, PTX3000 (NextGen), PTX5000, PTX10002-60C, PTX10008, and PTX10016 Series, in Juniper Networks Junos OS allows an unauthenticated MPLS-based attacker to cause a Denial of Service (DoS) by triggering the dcpfe process to crash and FPC to restart.

Official announcement: Please see the link for details – https://supportportal.juniper.net/s/article/2022-07-Security-Bulletin-Junos-OS-PTX-Series-FPCs-may-restart-unexpectedly-upon-receipt-of-specific-MPLS-packets-with-certain-multi-unit-interface-configurations-CVE-2022-22202?language=en_US

Ref:

In normal circumstance, a network device, system and method are provided for detection of mismatched VLAN tags on a port of a network chip and a packet. The network device includes a processor, a memory and a network chip having a number of network ports. One of the ports is tagged with a VLAN membership of at least one particular VLAN and configured to receive a packet. Computer executable instructions are storable in the memory and executable by the processor to detect whether the packet received at the port is untagged with any VLAN. Upon detecting that the packet is untagged with any VLAN, the computer executable instructions determine whether the untagged packet is intended to be untagged on the particular VLAN at the port. If the packet is not intended to be untagged on the particular VLAN at the port, the computer executable instructions send a misconfiguration alert signal to a network management program, and determine either the packet is misconfigured to be sent to the network chip without a VLAN tag or the port of the network chip is misconfigured to be tagged with the particular VLAN.
Judging from this CVE description, it looks as though the flaw lies in a daemon performing this kind of detection (the dcpfe process).

Oracle Critical Patch Update Advisory – July 2022 Close-up of CVE-2022-21565 (19th July 2022)

Preface: Oracle Database 19c is the current long term release, and it provides the highest level of release stability and longest time-frame for support and bug fixes. Oracle Database 21c, also available for production use today as an innovation release, provides an early insight into the many enhancements and new capabilities.

Background: Use the CREATE PROCEDURE statement to create a standalone stored procedure or a call specification.
A procedure is a group of PL/SQL statements that you can call by name. A call specification (sometimes called call spec) declares a Java method or a third-generation language (3GL) routine so that it can be called from SQL and PL/SQL. The call spec tells Oracle Database which Java method to invoke when a call is made. It also tells the database what type conversions to make for the arguments and return value.


In Oracle Database, use the loadjava utility to load a JAR file. The loadjava utility creates schema objects in the Oracle database and then loads the JAR file contents into them.
About Designating Database Privileges and JVM Permissions
You must have the following SQL database privileges to load classes:

  • CREATE PROCEDURE and CREATE TABLE privileges to load into your schema.
  • CREATE ANY PROCEDURE and CREATE ANY TABLE privileges to load into another schema.
  • oracle.aurora.security.JServerPermission.loadLibraryInClass.classname


Vulnerability details: Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 19c and 21c. Easily exploitable vulnerability allows low privileged attacker having Create Procedure privilege with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java VM accessible data.

Official announcement – Oracle Critical Patch Update Advisory – July 2022. See the link for details – https://www.oracle.com/security-alerts/cpujul2022.html

About RISC-V and RISC-V ISA Simulator design weaknesses (18-07-2022)

Preface: A growing number of Chinese chip design firms have adopted open-source RISC-V in their chip designs as an alternative to Intel’s proprietary X86 and Arm’s architecture, in a bid to minimise potential damage from US sanctions and to save on licensing fees.

Background: If you still remember, the RISC System/6000 (RS/6000) is a family of RISC-based Unix servers, workstations and supercomputers made by IBM in the 1990s.
Who uses RISC-V today? The organization has grown to 2,000+ members from more than 70 countries over the span of just a few years. Members of RISC-V International include founding partners Google, Qualcomm and Western Digital, to name a few, as well as Arduino, Hitachi and Samsung.

What is PMP in RISC-V? Physical Memory Protection (PMP) is a part of the RISC-V Privileged Architecture Specification which describes the interface for a standard RISC-V memory protection unit. The PMP defines a finite number of PMP regions which can be individually configured to enforce access permissions on a range of physical addresses.

What is a load access fault? Access faults happen as a result of failing a PMP check. Roughly speaking, it means that the processor is trying to use memory that it does not have permission to use. Normally this only occurs in machines with at least User mode, since in Machine mode an access that matches no PMP entry, or only unlocked entries, is always allowed; the exception is a PMP entry with its L (lock) bit set, whose permissions also bind Machine mode.

The machine level has the highest privileges and is the only mandatory privilege level for a RISC-V hardware platform. Code run in machine-mode (M-mode) is usually inherently trusted, as it has low-level access to the machine implementation. M-mode can be used to manage secure execution environments on RISC-V.
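A software model of the PMP check described above, written in C as an added example; it is not code from the RISC-V specification repository, Spike or CVA6. It decodes the four address-matching modes (OFF, TOR, NA4, NAPOT), applies the lowest-matching-entry rule, the partial-overlap rule, the Machine-mode bypass and the L bit, and returns whether the access is allowed, i.e. whether an access fault would be raised. The PMP configuration and the accesses are constructed.

```c
/* Added example (model, not Spike/CVA6 code): the RISC-V PMP access check.
 * pmpcfg layout: R bit0, W bit1, X bit2, A bits 3-4, L bit7. pmpaddr holds
 * the byte address shifted right by 2. */
#include <stdint.h>
#include <stdbool.h>

#define PMP_R       0x01
#define PMP_W       0x02
#define PMP_X       0x04
#define PMP_A_SHIFT 3
#define PMP_A_OFF   0
#define PMP_A_TOR   1
#define PMP_A_NA4   2
#define PMP_A_NAPOT 3
#define PMP_L       0x80
#define NPMP        4

enum priv { PRV_U = 0, PRV_S = 1, PRV_M = 3 };
enum access_type { ACC_LOAD = PMP_R, ACC_STORE = PMP_W, ACC_FETCH = PMP_X };

struct pmp_state { uint8_t cfg[NPMP]; uint64_t addr[NPMP]; };

static uint8_t cfg_make(uint8_t a, uint8_t perms, bool locked)
{
    return (uint8_t)((a << PMP_A_SHIFT) | perms | (locked ? PMP_L : 0));
}

/* Decode entry i into the byte range [lo, hi). Returns false when the entry is OFF. */
static bool pmp_range(const struct pmp_state *s, int i, uint64_t *lo, uint64_t *hi)
{
    uint64_t addr = s->addr[i];
    switch ((s->cfg[i] >> PMP_A_SHIFT) & 3) {
    case PMP_A_OFF:
        return false;
    case PMP_A_TOR:                          /* pmpaddr[i-1] <= a < pmpaddr[i]; entry 0 starts at 0 */
        *lo = (i == 0) ? 0 : (s->addr[i - 1] << 2);
        *hi = addr << 2;
        return *lo < *hi;
    case PMP_A_NA4:                          /* exactly 4 bytes */
        *lo = addr << 2; *hi = *lo + 4;
        return true;
    default: {                               /* NAPOT: k trailing ones encode a 2^(k+3)-byte region */
        int k = 0;
        while (k < 60 && ((addr >> k) & 1)) k++;
        *lo = (addr & ~((1ULL << (k + 1)) - 1)) << 2;   /* drop the ones and the zero above them */
        *hi = *lo + (1ULL << (k + 3));
        return true;
    }
    }
}

/* True when the access is permitted; false means the hardware raises the
 * access fault matching 'type' (load, store/AMO or instruction). */
bool pmp_check(const struct pmp_state *s, uint64_t addr, uint64_t len,
               enum access_type type, enum priv prv)
{
    uint64_t end = addr + len;                       /* exclusive */
    for (int i = 0; i < NPMP; i++) {                 /* lowest-numbered match wins */
        uint64_t lo, hi;
        if (!pmp_range(s, i, &lo, &hi) || addr >= hi || end <= lo)
            continue;
        if (addr < lo || end > hi)                   /* partial overlap always faults */
            return false;
        if (prv == PRV_M && !(s->cfg[i] & PMP_L))    /* unlocked entries do not bind M-mode */
            return true;
        return (s->cfg[i] & type) != 0;
    }
    return prv == PRV_M;                             /* no match: M-mode succeeds, S/U-mode faults */
}

/* Constructed configuration: 4 KiB of locked code at 0x80000000 (TOR pair),
 * 64 KiB of data at 0x80010000 (NAPOT, 13 trailing ones), everything else unmapped. */
static struct pmp_state demo_state(void)
{
    struct pmp_state s = {{0}, {0}};
    s.addr[0] = 0x80000000ULL >> 2;            s.cfg[0] = cfg_make(PMP_A_OFF, 0, false);               /* TOR lower bound */
    s.addr[1] = 0x80001000ULL >> 2;            s.cfg[1] = cfg_make(PMP_A_TOR, PMP_R | PMP_X, true);
    s.addr[2] = (0x80010000ULL >> 2) | 0x1FFF; s.cfg[2] = cfg_make(PMP_A_NAPOT, PMP_R | PMP_W, false);
    return s;
}

bool demo_user_fetch_code(void)      { struct pmp_state s = demo_state(); return pmp_check(&s, 0x80000100, 4, ACC_FETCH, PRV_U); } /* true */
bool demo_user_store_code(void)      { struct pmp_state s = demo_state(); return pmp_check(&s, 0x80000100, 4, ACC_STORE, PRV_U); } /* false: store access fault */
bool demo_user_load_data(void)       { struct pmp_state s = demo_state(); return pmp_check(&s, 0x80010008, 8, ACC_LOAD,  PRV_U); } /* true */
bool demo_user_load_unmapped(void)   { struct pmp_state s = demo_state(); return pmp_check(&s, 0x90000000, 4, ACC_LOAD,  PRV_U); } /* false: load access fault */
bool demo_machine_load_unmapped(void){ struct pmp_state s = demo_state(); return pmp_check(&s, 0x90000000, 4, ACC_LOAD,  PRV_M); } /* true: no entry matched */
bool demo_machine_store_locked(void) { struct pmp_state s = demo_state(); return pmp_check(&s, 0x80000100, 4, ACC_STORE, PRV_M); } /* false: L bit binds M-mode */
bool demo_user_load_straddle(void)   { struct pmp_state s = demo_state(); return pmp_check(&s, 0x80000FFC, 8, ACC_LOAD,  PRV_U); } /* false: crosses region end */
```

Two of the cases are the ones simulator and core bugs of the kind listed below tend to get wrong: the straddling access, which must fault even though its first byte is permitted, and the locked entry, which must deny Machine mode too.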

Vulnerability details:

CVE-2022-34642 – The component mcontrol.action in RISCV ISA Sim commit ac466a21df442c59962589ba296c702631e041b5 contains the incorrect mask which can cause a Denial of Service (DoS).
Reference: https://github.com/riscv-software-src/riscv-isa-sim/issues/1032

CVE-2022-34641 – CVA6 commit d315ddd0f1be27c1b3f27eb0b8daf471a952299a and RISCV-Boom commit ad64c5419151e5e886daee7084d8399713b46b4b implements the incorrect exception type when a PMP violation occurs during address translation.
Reference: https://github.com/openhwgroup/cva6/issues/906 (Weakness Enumeration – unknown)

CVE-2022-34643 – RISCV ISA Sim commit ac466a21df442c59962589ba296c702631e041b5 implements the incorrect exception priority when accessing memory.
Reference: https://github.com/riscv-software-src/riscv-isa-sim/issues/971 (Weakness Enumeration – unknown)

CVE-2022-31213 About dbus-broker design weakness (17th July 2022)

Preface: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. Furthermore, NULL pointer dereference issues can occur through a number of flaws including race conditions.

Background: D-Bus is an inter-process communication (IPC) mechanism initially designed to replace the software component communications systems used by the GNOME and KDE Linux desktop environments. The dbus-broker project is an implementation of a message bus as defined by the D-Bus specification.

Projects using D-Bus

  • KDE: a desktop environment based on Qt
  • GNOME: a desktop environment based on GTK
  • systemd: an init system
  • NetworkManager: a daemon to manage network interfaces
  • BlueZ: the project adding Bluetooth support to Linux

dbus-broker is an implementation of the D-Bus Message Bus Specification. Each instance provides a single, unique message bus that clients can connect to, and send messages over. The broker takes care of message mediation, access control, subscriptions, and bus control, according to the D-Bus specification.

Vulnerability details: An issue was discovered in dbus-broker before 31. Multiple NULL pointer dereferences can be found when supplying a malformed XML config file.

Ref: Expat is a library, written in C, for parsing XML documents; dbus-broker uses it to read its configuration files. An XML parser is a software library or package that provides an interface for client applications to work with XML documents: it turns the text into a structure the program can walk, checks that the document is well-formed, and may also validate it.
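A C model of the bug class behind this advisory, added here as an example; it is not dbus-broker's parser. Expat hands a start-element handler (XML_StartElementHandler) its attributes as a NULL-terminated array of alternating name and value strings, so a handler that assumes a required attribute is present dereferences NULL when a malformed config omits it. The attribute arrays are constructed; the element and attribute names follow the D-Bus policy syntax, but the handlers themselves are hypothetical.

```c
/* Added example (model of the bug class, not dbus-broker's code): a config
 * element handler that trusts a required attribute to exist, beside one that
 * checks. The attribute arrays mimic what Expat passes to the handler. */
#include <stddef.h>
#include <string.h>

/* Look up attribute 'name' in an Expat-style atts array; NULL if absent */
static const char *attr_get(const char **atts, const char *name)
{
    for (size_t i = 0; atts[i] != NULL; i += 2)
        if (strcmp(atts[i], name) == 0)
            return atts[i + 1];
    return NULL;
}

enum policy_ctx {
    CTX_DEFAULT = 0, CTX_MANDATORY = 1, CTX_UNKNOWN = 2,
    CTX_ERR_MISSING = -1, CTX_ERR_EMPTY = -2
};

/* Vulnerable handler for <policy context="..."> : assumes 'context' exists */
int policy_begin_unchecked(const char **atts)
{
    const char *ctx = attr_get(atts, "context");
    if (strcmp(ctx, "default") == 0)     /* NULL pointer dereference when the attribute is missing */
        return CTX_DEFAULT;
    if (strcmp(ctx, "mandatory") == 0)
        return CTX_MANDATORY;
    return CTX_UNKNOWN;
}

/* Hardened: every attribute the handler needs is checked before use, and a
 * malformed element is reported as a config error instead of crashing the bus */
int policy_begin_checked(const char **atts)
{
    const char *ctx = attr_get(atts, "context");
    if (ctx == NULL)
        return CTX_ERR_MISSING;
    if (ctx[0] == '\0')
        return CTX_ERR_EMPTY;
    if (strcmp(ctx, "default") == 0)
        return CTX_DEFAULT;
    if (strcmp(ctx, "mandatory") == 0)
        return CTX_MANDATORY;
    return CTX_UNKNOWN;
}

/* Constructed attribute arrays, laid out as Expat would pass them */
static const char *atts_ok[]      = { "context", "default", NULL };
static const char *atts_missing[] = { "contxt", "default", NULL };   /* misspelled attribute name */
static const char *atts_empty[]   = { "context", "", NULL };

int demo_policy_ok(void)           { return policy_begin_checked(atts_ok); }
int demo_policy_missing(void)      { return policy_begin_checked(atts_missing); }   /* the unchecked variant would crash here */
int demo_policy_empty(void)        { return policy_begin_checked(atts_empty); }
int demo_policy_unchecked_ok(void) { return policy_begin_unchecked(atts_ok); }
```

Feeding atts_missing to policy_begin_unchecked() is the crash: the config file is still well-formed XML, so Expat raises no error, and the handler is the only place the absence can be caught. A message bus that runs as a privileged system service should treat such a file as a fatal configuration error at startup rather than fault on it.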

Solution: Update to the latest version – https://github.com/bus1/dbus-broker/releases/tag/v31

Proof of concept and related technical matters – refer to the link
https://sec-consult.com/vulnerability-lab/advisory/memory-corruption-vulnerabilities-dbus-broker/