CVE-2022-22982 – VMware vCenter Server SSRF vulnerability (13th July 2022)

Preface: Server-side request forgery (SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location. SSRF can also be used to reach other backend systems, so it serves as a path for evading network controls. An SSRF is sometimes rated only medium risk, so it goes unnoticed (it is underestimated).

Background: vCenter Server manages VMware vSphere environments, giving IT administrators simple and automated control over the virtual environment to deliver infrastructure with confidence. VMware vSphere Web Client plug-in is the program that extends the user interface for VMware vSphere Web Client to a browser. The VMware vSphere Web Client allows an administrator to connect to a vCenter Server system and manage a vSphere environment.

Vulnerability details: The vCenter Server contains a server-side request forgery (SSRF) vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Impact: A malicious actor with network access to port 443 on the vCenter Server may exploit this issue to make vCenter Server request a URL outside of vCenter Server or reach an internal service. For more details, please refer to the attached diagram.
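An application-layer allowlist check of the kind that mitigates SSRF, added here as an example; it is not code from vCenter or from VMware's fix. The hostnames, the allowlist and the injectable resolver are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only external hosts this service is expected to
# contact, and the only scheme it should use for them.
ALLOWED_HOSTS = {"updates.example.com", "api.example.net"}
ALLOWED_SCHEMES = {"https"}


def resolve_all(host):
    """Default resolver: every IPv4/IPv6 address the hostname maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_outbound_url(url, resolver=resolve_all):
    """Return (ok, reason); fetch the URL only when ok is True.

    Rejects non-https schemes, embedded credentials, hosts off the allowlist
    and any allowlisted host that resolves to loopback, private, link-local
    (where cloud metadata services live), multicast, reserved or unspecified
    address space.  Resolving here also catches a DNS record that later
    points an allowlisted name at an internal address.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not on allowlist: %r" % host
    try:
        addrs = resolver(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, "resolution failed: %s" % exc
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
            return False, "%s resolves to non-public address %s" % (host, ip)
    return True, "ok"
```

The resolver argument exists so the check can be unit-tested offline; in production the default resolver is used.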

Solution: Before installing the update, please visit the vendor website for more details – https://www.vmware.com/security/advisories/VMSA-2022-0018.html

About Azure Site Recovery Elevation of Privilege Vulnerability (12th July 2022)

Preface: We know that an ordinary vulnerability may have been found months or a year before it is disclosed. A zero-day vulnerability is different. A zero-day is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, such as the vendor of the target software. Because of its urgency, the fix needs to be announced or released quickly.

Background: What does Site Recovery do?

Site Recovery contributes to your business continuity and disaster recovery (BCDR) strategy, by orchestrating and automating replication of Azure VMs between regions, on-premises virtual machines and physical servers to Azure, and on-premises machines to a secondary datacenter.

Vulnerability details: Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-30181, CVE-2022-33641, CVE-2022-33642, CVE-2022-33643, CVE-2022-33650, CVE-2022-33651, CVE-2022-33652, CVE-2022-33653, CVE-2022-33654, CVE-2022-33655, CVE-2022-33656, CVE-2022-33657, CVE-2022-33658, CVE-2022-33659, CVE-2022-33660, CVE-2022-33661, CVE-2022-33662, CVE-2022-33663, CVE-2022-33664, CVE-2022-33665, CVE-2022-33666, CVE-2022-33667, CVE-2022-33668, CVE-2022-33669, CVE-2022-33671, CVE-2022-33672, CVE-2022-33673, CVE-2022-33674, CVE-2022-33675.

As usual, the vendor has the right not to release vulnerability details. Let us see whether we can work out one of the possible causes.

For disaster recovery of VMware VMs to Azure, the system administrator deploys the configuration server as a VMware VM. Based on my speculation about existing design flaws, let us just focus on the suspicious components.
Software requirements: IIS (web server)

  • No pre-existing default website
  • No pre-existing website/application listening on port 443
  • Enable anonymous authentication
  • Enable FastCGI setting

When TCP sockets are used, the risk exists as long as the default configuration file (php-fpm.conf) options (listen.user/listen.group) run with privileged permissions.

A local attacker could exploit this vulnerability simply by pointing a FastCGI client at the socket, which would then lead to privilege escalation. Please refer to the attached diagram for reference.
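As an added example (not code from Azure Site Recovery or any vendor), a small audit of php-fpm pool settings for the socket exposure speculated about above: a pool that runs privileged and accepts FastCGI requests from any client versus one restricted to a permission-controlled unix socket. The two sample pool files are constructed; php-fpm's actual directive names are listen.owner, listen.group, listen.mode and listen.allowed_clients.

```python
import configparser

# Constructed sample pool files (not taken from any product).
WEAK_POOL = """
[www]
user = root
group = root
listen = 0.0.0.0:9000
; no listen.allowed_clients: any client that can reach the port may submit
; FastCGI requests, which php-fpm then executes as the pool user above
"""

HARDENED_POOL = """
[www]
user = www-data
group = www-data
listen = /run/php/php-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
"""


def audit_pool(text):
    """Return a list of (pool, finding) tuples for risky socket settings."""
    cp = configparser.ConfigParser(interpolation=None,
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    findings = []
    for pool in cp.sections():
        sec = cp[pool]
        listen = sec.get("listen", "").strip()
        if sec.get("user", "").strip() == "root" or sec.get("group", "").strip() == "root":
            findings.append((pool, "pool workers run as root; every request reaching "
                                   "the socket executes with root privileges"))
        if listen and not listen.startswith("/"):
            # TCP listener: host:port, [v6]:port or a bare port (all interfaces)
            host = listen.rsplit(":", 1)[0] if ":" in listen else ""
            if host in ("", "0.0.0.0", "[::]", "::"):
                findings.append((pool, "TCP socket bound on all interfaces"))
            if not sec.get("listen.allowed_clients", "").strip():
                findings.append((pool, "TCP socket without listen.allowed_clients; "
                                       "any client can submit FastCGI requests"))
        elif listen:
            # unix socket: php-fpm's default listen.mode is 0660
            mode = sec.get("listen.mode", "0660").strip()
            if int(mode, 8) & 0o006:
                findings.append((pool, "unix socket is world-accessible "
                                       "(listen.mode %s)" % mode))
    return findings
```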

Azure Site Recovery Elevation of Privilege Vulnerability. For official announcement, please refer to the link – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-33677

Remedy: What can I do to protect myself from this vulnerability? You can follow the steps here to update to version 9.49.

Several modules in the core edge portion of KubeEdge contain potential DoS risks from oversized HTTP message bodies. (11th July 2022)

Preface: There is no limit according to the HTTP protocol itself, but implementations will have a practical upper limit. I have sent data exceeding 4 GB using POST to Apache, but some servers did have a limit of 4 GB at the time.

Background: KubeEdge consumes fewer resources and provides both edge-cloud collaboration and device management, so it is suitable for internet-scale data centres. KubeEdge is an open source system extending native containerized application orchestration and device management to hosts at the Edge. It is built upon Kubernetes and provides core infrastructure support for networking, application deployment and metadata synchronization between cloud and edge.
The core edge part of KubeEdge contains six modules: devicetwin, edged, edgehub, eventbus, metamanager, and servicebus.

Vulnerability details:
CVE-2022-31073 – the ServiceBus server on the edge side may be susceptible to a DoS attack if an HTTP request containing a very large Body is sent to it. https://github.com/kubeedge/kubeedge/security/advisories/GHSA-vwm6-qc77-v2rh
CVE-2022-31075 – EdgeCore may be susceptible to a DoS attack on CloudHub if an attacker was to send a well-crafted HTTP request to /edge[.]crt.
https://github.com/kubeedge/kubeedge/security/advisories/GHSA-x3px-2p95-f6jr
CVE-2022-31074 – several endpoints in the Cloud AdmissionController may be susceptible to a DoS attack if an HTTP request containing a very large Body is sent to it.
https://github.com/kubeedge/kubeedge/security/advisories/GHSA-w52j-3457-q9wr
CVE-2022-31078 – the CloudCore Router does not impose a limit on the size of responses to requests made by the REST handler. An attacker could use this weakness to make a request that will return an HTTP response with a large body and cause DoS of CloudCore.
https://github.com/kubeedge/kubeedge/security/advisories/GHSA-qpx3-9565-5xwm
CVE-2022-31079 – the Cloud Stream server and the Edge Stream server read the entire message into memory without imposing a limit on the size of this message. An attacker can exploit this by sending a large message to exhaust memory and cause a DoS.
https://github.com/kubeedge/kubeedge/security/advisories/GHSA-wrcr-x4qj-j543
CVE-2022-31080 – a large response received by the viaduct WSClient can cause a DoS from memory exhaustion.
https://github.com/kubeedge/kubeedge/security/advisories/GHSA-6wvc-6pww-qr4r
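A bounded body reader showing the mitigation common to all six advisories (refuse to buffer more than a fixed limit, whether the body is declared with Content-Length or sent chunked), added here as an example; it is not KubeEdge code, and the limit and the sample requests are constructed.

```python
import io

MAX_BODY = 1 << 20  # 1 MiB; constructed limit, tune per endpoint


class BodyTooLarge(Exception):
    pass


def read_body_bounded(stream, headers, limit=MAX_BODY):
    """Read one HTTP/1.1 request body without ever buffering more than `limit`.

    `headers` is a dict with lower-cased names.  A Content-Length above the
    limit is refused before any body byte is read; a chunked body is refused
    the moment its running total would pass the limit, so a client cannot
    make the server hold an arbitrarily large message in memory.
    """
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return _read_chunked(stream, limit)
    if "content-length" not in headers:
        return b""
    try:
        length = int(headers["content-length"])
    except ValueError:
        raise ValueError("malformed Content-Length")
    if length < 0:
        raise ValueError("malformed Content-Length")
    if length > limit:
        raise BodyTooLarge("declared %d bytes exceeds limit %d" % (length, limit))
    data = stream.read(length)
    if len(data) != length:
        raise ValueError("body shorter than Content-Length")
    return data


def _read_chunked(stream, limit):
    out = bytearray()
    while True:
        line = stream.readline(64)  # the chunk-size line is bounded as well
        if not line.endswith(b"\n"):
            raise ValueError("malformed chunk-size line")
        try:
            size = int(line.split(b";", 1)[0].strip(), 16)
        except ValueError:
            raise ValueError("malformed chunk size")
        if size == 0:  # last chunk: skip any trailers up to the blank line
            while stream.readline(8192) not in (b"\r\n", b"\n", b""):
                pass
            return bytes(out)
        if len(out) + size > limit:
            raise BodyTooLarge("chunked body exceeds limit %d" % limit)
        chunk = stream.read(size)
        if len(chunk) != size or stream.readline(2) not in (b"\r\n", b"\n"):
            raise ValueError("truncated chunk")
        out += chunk


def classify(raw, headers, limit):
    """Run the reader over a constructed raw body; returns (status, payload)."""
    try:
        return "ok", read_body_bounded(io.BytesIO(raw), headers, limit)
    except BodyTooLarge as exc:
        return "too-large", str(exc)
    except ValueError as exc:
        return "invalid", str(exc)
```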

CVE-2022-IBM CICS TX Standard and Advanced 11.1 is vulnerable to HTTP header injection (8th July 2022)

Preface: The use of the custom HTTP header “SOAP Action” for SOAP web services, and cookies, and E-tags, and … well, the list goes on. HTTP headers carry data used by applications and therefore should be considered a viable transport mechanism for malicious code.

Background: CICS TX 11.1 offers an enhanced inbound SOAP XML web services capability. This includes support for the channels and container interface for CICS TX inbound web services. CICS TX applications that use the APIs of channels and containers can be exposed as inbound SOAP XML web services. This provides pipeline configuration that enables the processing of SOAP messages through a sequence of predefined message handlers.

Remark: Capability to pass more than 32K bytes of data through SOAP XML web services using channel and container APIs

Vulnerability details: IBM CICS TX Standard and Advanced 11.1 is vulnerable to HTTP header injection, caused by improper validation of the HOST header. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
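The vulnerable pattern behind Host header injection (building absolute URLs from the client-supplied Host, which then land in redirects, cached pages or mailed links) next to a validated form, added as an example that is not CICS TX's own code; the hostname allowlist is constructed.

```python
import re

# Constructed allowlist: the hostnames (with optional port) this deployment
# is actually reachable under.  Everything else is treated as forged.
ALLOWED_HOSTS = {"cics.example.com", "cics.example.com:9443"}

# reg-name or dotted IPv4, or a bracketed IPv6 literal, with optional port.
# Anything outside this grammar (CR/LF, spaces, '@', '/', '?', '#') fails, so a
# Host value can neither smuggle extra header lines nor reshape a URL.
_HOST_RE = re.compile(r"(?:[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?")


def validate_host(header_value, allowed=ALLOWED_HOSTS):
    """Return the canonical lower-case Host if well formed and allowlisted,
    otherwise None (the caller should respond 400 and stop processing)."""
    if header_value is None:
        return None
    value = header_value.lower()
    if _HOST_RE.fullmatch(value) is None:
        return None
    return value if value in allowed else None


def absolute_url_unsafe(headers, path):
    """Vulnerable pattern: echoes whatever Host the client sent into a URL."""
    return "https://" + headers.get("host", "") + path


def absolute_url_safe(headers, path):
    """Hardened pattern: only an allowlisted, well-formed Host is reflected."""
    host = validate_host(headers.get("host"))
    if host is None:
        raise ValueError("unrecognised Host header")
    return "https://" + host + path
```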

Affected Products and Versions: IBM CICS TX Advanced 11.1

Remediation: Download fix from here – https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FCICS+TX+on+Cloud&fixids=ibm-cics-tx-advanced-image-11.1.0.0-ifix2&source=SAR&function=fixId&parent=ibm/Other%20software

Usage of CICS TX Standard and CICS TX Advanced (Example):

  • Load a CICS TX container on Docker, open a port to connect to the container through a 3270-terminal, deploy a simple CICS COBOL application on the CICS TX container and run the application by using a 3270 terminal.
  • Deploy CICS TX on a container
  • Deploy CICS TX Standard on a Red Hat OpenShift Container Platform

CVE-2022-33936 Cloud Mobility for Dell EMC Storage Security Update for a Path Traversal/RCE Vulnerability (7th July 2022)

Preface: NVM Express is highly optimized for memory-based storage. There are many distinct benefits associated with NVM Express. It significantly improves sequential and random performance thanks to reduction in latency. It is capable of accessing more data per CPU cycle.

Background: The Dell EMC PowerMax family is the first Dell EMC hardware platform that uses an end-to-end Non-Volatile Memory Express (NVMe) architecture for customer data.

Cloud Mobility for Dell EMC PowerMax is configured within an embedded guest running on the PowerMaxOS hypervisor. Management of Cloud Mobility is performed using the Embedded Management (eManagement) Unisphere for PowerMax. Communication between the embedded Unisphere and Cloud Mobility is through REST API over a PowerMax internal private network connection.

Example:
The most recent PowerMax REST documentation can found by going to your embedded management instance of Unisphere for PowerMax at:
https://{ip-address|hostname}:8443/univmax/restapi/docs

Vulnerability details: Cloud Mobility for Dell EMC Storage 1.3.0.XXX contains an RCE vulnerability. A non-privileged user could potentially exploit this vulnerability to obtain a root shell. This is a critical issue, so Dell recommends that customers upgrade at the earliest opportunity.

For official announcement details, please refer to the link – https://www.dell.com/support/kbdoc/zh-hk/000201258/dsa-2022-182-cloud-mobility-for-dell-emc-storage-security-update-for-a-path-traversal-rce-vulnerability

Apple’s new lock mode. Do you think it is for protection against spyware or to prepare for new EU regulations (WhatsApp, iMessage and other apps for communication)? 7-7-2022

Preface: The UK GDPR is the UK General Data Protection Regulation. It is a UK law which came into effect on 01 January 2021. It sets out the key principles, rights and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies.
On 28 June 2021, the EU approved adequacy decisions for the EU GDPR and the Law Enforcement Directive (LED). This means data can continue to flow as it did before, in the majority of circumstances. Both decisions are expected to last until 27 June 2025.

Background:

About regulations and laws – The European Union on Thursday night (24th Mar 2022) unveiled more details about its plans to curb anti-competitive practices among big tech companies. With the rules of the new Digital Markets Act (DMA), Europe wants all major messaging apps like WhatsApp, Facebook Messenger, and iMessage to have an interoperable platform.

About cyber attacks on smartphones: The spyware attacks targeting individuals' smartphones took place between 2017 and 2020 and leveraged a previously undisclosed iOS zero-click exploit, dubbed “Homage” by Citizen Lab. The exploit affects devices running iOS versions before 13.2. The researchers said they found no evidence that Homage is effective against the latest versions of iOS. (April 2022)

Technical details: Apple announced a new security feature called Lockdown Mode that will roll out with iOS 16, iPadOS 16, and macOS Ventura.
The first version of Lockdown Mode will include protections for multiple operating-system features exposed to attacks, including:

  • Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
  • Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
  • Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
  • Wired connections with a computer or accessory are blocked when iPhone is locked.
  • Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM) while Lockdown Mode is turned on.

Remark: Thanks to (Bleepingcomputer.com) for the details. For details, please refer to the link – https://www.bleepingcomputer.com/news/apple/apple-s-new-lockdown-mode-defends-against-government-spyware/

Question: Given the above details, do you think Apple's new Lockdown Mode is for protection against spyware or to prepare for the new EU regulations (interoperability of WhatsApp, iMessage and other communication apps)? What do you think?

When you apply the fix for CVE-2022-26365, CVE-2022-33740, CVE-2022-33741 & CVE-2022-33742, you should consider this matter (6th July 2022)

Preface: When you apply the fix for CVE-2022-26365, CVE-2022-33740, CVE-2022-33741 & CVE-2022-33742, you should consider the following.

Patch 1 introduces a new field to the disk and nic configurations that allows signalling on a per-device basis whether the backend should be trusted. This is an ABI-incompatible change, and cannot be applied to stable branches.
Patch 2 introduces support to libxl for libxl_{disk,nic}_backend_untrusted environment variable to be used in order to set whether disk and network frontends should be trusted in the absence of a per-device setting.

Background: Citrix Hypervisor is based on the Xen Project hypervisor, with extra features and support provided by Citrix. Citrix XenServer is an open source server virtualization platform based on the Xen hypervisor. Citrix also offers a supported version that you can purchase, with two options: Standard and Enterprise.
Citrix Hypervisor requires at least two separate physical x86 computers: one to be the Citrix Hypervisor server and the other to run the XenCenter application or the Citrix Hypervisor Command-Line Interface (CLI).

Vulnerability details: Linux Block and Network PV device frontends don’t zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally, the granularity of the grant table doesn’t allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).

The following 2 files need to be enhanced. For details, please refer to the official announcement. Linux disk/nic frontends data leaks – https://xenbits.xen.org/xsa/advisory-403.html

xen-blkfront.c – CVE-2022-33742 CVE-2022-26365
xen-netfront.c – CVE-2022-33741 CVE-2022-33740

IMPACT: An untrusted backend can access data not intended to be shared. If such mappings are made with write permissions the backend could also cause malfunctions and/or crashes to consumers of contiguous data in the shared pages.

CVE-2022-34918 – Linux kernel: Netfilter heap buffer overflow in nft_set_elem_init (4th July 2022)

Preface: Registering a callback in C means providing a function pointer to another module. When an event arises, the registered function is called to handle that event.

Background: The netfilter hooks are a framework inside the Linux kernel that allows kernel modules to register callback functions at different locations of the Linux network stack. The registered callback function is then called back for every packet that traverses the respective hook within the Linux network stack.

Connection tracking in the Linux kernel is implemented as a module in the Netfilter framework. Netfilter is a packet manipulating and filtering framework inside the kernel. It provides several hooking points inside the kernel, so packet hooking, filtering and many other kinds of processing can be done.

Vulnerability details: An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.)

Ref: The user namespace is a way for a container (a set of isolated processes) to have a different set of permissions than the system itself. Every container inherits its permissions from the user who created the new user namespace. For example, in most Linux systems, regular user IDs start at or above 1000.

Remedy: This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api[.]c. For details please refer to link – https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6

Additional information: For Linux drivers, it is difficult to know who called a certain callback function. Is there a way to know? Tracking can be done through the dump_stack() function provided by the kernel. dump_stack() in the Linux kernel is used to output call-stack information when there is a kernel crash/panic, but it can also be used for debugging/tracing.

CVE-2022-28200 NVIDIA DGX A100 contains a vulnerability in SBIOS in the BiosCfgTool (3rd July 2022)

Preface: Collecting and storing data is one of the most important steps of the AI workflow. AI analytics refers to a subset of business intelligence that uses machine learning techniques to discover insights, find new patterns and discover relationships in the data. In practice, AI analytics is the process of automating much of the work that data analysts typically perform.

Background: There are two models of the NVIDIA DGX A100 system: the NVIDIA DGX A100 640GB system and the NVIDIA DGX A100 320GB system. Both FLOPS and MIPS are used to measure the performance of a computer’s number-crunching performance. The DGX A100, as the most recent iteration is named, is capable of five petaflops of FP16 performance, or 2.5 petaflops TF32, and 156 teraflops FP64. It also runs at 10 petaops (not flops) with INT8.
The NVIDIA DGX A100 system comes with a system BIOS with optimized settings for the DGX system. There may be situations where the settings would need to be changed, such as changes in the boot order, changes to enable PXE booting, or changes in the BMC network settings.
Connect to the DGX A100 console using either a direct connection or a remote connection through the BMC.
Ref: DGX OS Server software installs Docker Engine which uses the 172.17.xx.xx sub-net by default for Docker containers. If the DGX A100 system is on the same subnet, you will not be able to establish a network connection to the DGX A100 system.

Vulnerability details: NVIDIA DGX A100 contains a vulnerability in SBIOS in the BiosCfgTool, where a local user with elevated privileges can read and write beyond intended bounds in SMRAM, which may lead to code execution, escalation of privileges, denial of service, and information disclosure. The scope of impact can extend to other components.

My observation: The details are not available because the vendor did not disclose them. Based on the existing design, let us see whether the “REDFISH” server could contain the following vulnerability. This SSH design weakness was found this year.
My speculation is based on the following.
By default, Redfish support is enabled in the DGX A100 BMC and the BIOS.

  1. After first-boot setup. Click Launch KVM. The DGX A100 console appears in your browser.
  2. After the system has been configured, you can also establish an SSH connection to the DGX A100 OS through the network port.

If the circumstances below occur, the consequence would be similar to the CVE description.

curl would reuse a connection even if the subsequent transfer would have changed one or more of these options.
TLS options
• CURLOPT_SSL_OPTIONS (since 7.25.0)
• CURLOPT_CRLFILE (since 7.19.0)
• CURLOPT_TLSAUTH_USERNAME (since 7.21.4)
• CURLOPT_TLSAUTH_PASSWORD (since 7.21.4)
• CURLOPT_PROXY_SSL_OPTIONS (since 7.52.0)
• CURLOPT_PROXY_CRLFILE (since 7.52.0)
• CURLOPT_PROXY_TLSAUTH_USERNAME (since 7.52.0)
• CURLOPT_PROXY_TLSAUTH_PASSWORD (since 7.52.0)
SSH options
• CURLOPT_SSH_PUBLIC_KEYFILE (since 7.16.1)
• CURLOPT_SSH_PRIVATE_KEYFILE (since 7.16.1)

Official announcement – NVIDIA has released a security update for NVIDIA DGX A100 firmware. This update addresses issues that may lead to information disclosure, denial of service, or escalation of privileges.
https://nvidia.custhelp.com/app/answers/detail/a_id/5367

Solution: To protect your system, download and install this firmware update through the NVIDIA Enterprise Support Portal.