CVE-2022-21385 – Some vulnerabilities are not being exploit or there is no available exploit. But it is good to know. 29th Aug 2022

Preface: The vendor who transforming Linux kernel not limit to Apple computer. Oracle, they are also has it own Linux Kernel so called UEK (Unbreakable Enterprise Kernel).
So, who maintains software updates for Oracle Linux? It will depend on Oracle Linux yum server.

Background: Oracle Linux commes with a choice of two kernels, the UEK, which is installed and enabled by default, and the Red Hat Compatible Kernel. The Unbreakable Enterprise Kernel (UEK) is a Linux kernel built by Oracle and supported through Oracle Linux support. Its focus is performance, stability, and minimal backports by tracking the mainline source code as closely as is practical. The UEK 4 Cryptographic Module is a software only cryptographic module that provides general-purpose cyrptographic services to the remainder of the Linux kernel.

Vulnerability details: On 15th Nov, 2021, CVE reserved not disclose to public. Till 30th Aug 2022, the details of vulnerability exposed. A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the machine.
Reliable Datagram Sockets (RDS) is a high-performance, low-latency, reliable connectionless protocol for delivery datagrams. It is development by Oracle Coporation. This new function come with Linux kernel 2.6.30. And released on 9th June 2009. The code was contributed by the openFabrics Alliance (OFA).

Official details: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ea010070d0a7497253d5a6f919f6dd107450b31a

Reference: So far by Oracle Linux design, RDS provides reliable, ordered datagram delivery by using a single reliable connection between two nodes in the cluster.
RDS supports a number of sysctls in/proc/sys/net/rds
Applications can ask the RDS kernel module to receive notifications via control message (for instance, there is a notification when a congestion update arrived, oe when a RDMA operation completes). These notifications are received through the msg[.]msg_control buffer of struct msghdr.

Suspect this is the start of the vulnerability story:
Perhaps such modifications potential driven this vulnerability occured (see below):
An enhancement improved memory usage in 2010. The enhancement is that copy rds_iovecs into kernel memory instead of rereading from userspace.
Implement stack-based storage for small numbers of iovecs, based on net/socket[.]c, to save an alloc in the extremely common case.
Although this time of enhancementis reduces iovec copies in cmsg_rdma_args to 1. However, it still require to do enhancement in rds_rdma_extra_size located in net/rds/rdma[.]c .
But this part will be difficult. So it need to implement in a separate patch.

CVE-2022-1043 A flaw was found in the Linux kernel’s io_uring implementation (29th Aug 2022)

Preface: The identification of this vulnerability is CVE-2022-1043 since 03/22/2022. On 21st Aug 2022 the problem was fixed (see below):
io_uring: fix xa_alloc_cycle() error return value check
We currently check for ret != 0 to indicate error, but ‘1’ is a valid return and just indicates that the allocation succeeded with a wrap. Correct the check to be for < 0, like it was before the xarray conversion.

Background: io_uring (previously known as aioring) is a Linux kernel system call interface for storage device asynchronous I/O operations addressing performance issues with similar interfaces provided by functions like read() / write() or aio_read() / aio_write() etc. for operations on data accessed by file descriptors.
On Linux, the set of file descriptors open in a process can be accessed under the path /proc/PID/fd/ , where PID is the process identifier. File descriptor /proc/PID/fd/0 is stdin , /proc/PID/fd/1 is stdout , and /proc/PID/fd/2 is stderr .
For example: In Fedora, the file descriptor is located at /dev

Vulnerability details: A flaw was found in the Linux kernel’s io_uring implementation. This flaw allows an attacker with a local account to corrupt system memory, crash the system or escalate privileges.
In some operating systems, including Unix and Linux, a pseudoterminal, pseudotty, or PTY is a pair of pseudo-device endpoints (files) which establish asynchronous, bidirectional communication (IPC) channel (with two ports) between two or more processes. For example, before starting SAP® Sybase® Adaptive Server Enterprise, system engineer need to verify there are sufficient system resources for kernel asynchronous I/O.
Therefore, if CVE-2022-1043 occurs, the impact will be huge. Maybe that’s why the announcement was delayed until after the fix.

Details of the official fix are shown in the link below:
https://github.com/torvalds/linux/commit/a30f895ad3239f45012e860d4f94c1a388b36d14


Official details: https://nvd.nist.gov/vuln/detail/CVE-2022-1043

CVE-2022-38556 – We should be vigilant (28th Aug 2022)

Preface: A similar vulnerability to Dlink (CVE-2022-36524).The device vulnerable to Static Default Credentials via /etc/init0.d/S80telnetd[.]sh.

Background: According to Trendnet’s official announcement, TEW-733GR (version v1.0R) has been discontinued. Because not sure if the vendor is talking about hardware or firmware. In fact, you go through their portal. The firmware (Trendnet TEW733GR v1.03B01) is still available for download.

Vulnerability details:Trendnet TEW733GR v1.03B01 contains a Static Default Credential vulnerability in /etc/init0.d/S80telnetd[.]sh.
Coincidentally, DLink (CVE-2022-36524) encountered similar of design weakness.The device vulnerable to Static Default Credentials via /etc/init.d/S80 Telnetd[.]sh.

Observation: Once the attacker does small reverse engineering. This design weakness (the valid credentials stored by default) similarly helps them run scripts that download and install XorDdos on the target device with root privileges. Similar to the 2.4 Tbps DDoS attack Microsoft encountered in August 2021 will be happened again.

Due to the attack method of XorDdos, botnet attacks will be formed on victims in different regions. It’s hard to say that it can be avoided through a GRE tunnel. Or stop an ongoing attack by identifying patterns in traffic. If the remedy or mitation can do it quickly. It can avoid the unknown cyber attack. As we know, IoT and computing devices flaw happen hourly or daily. But it’s easy to forget. In fact, even if the fix is ready, the end user may not take immediate action. That’s what security experts feared a decade ago. When the Internet of Things was born, cybersecurity would make the digital world crazy.

Official announcement – Please refer to the link for details:

Trendnet CVE-2022-38556 – https://nvd.nist.gov/vuln/detail/CVE-2022-38556

DLink CVE-2022-36524 – https://nvd.nist.gov/vuln/detail/CVE-2022-36524

CVE-2022-2959 follow up (25th Aug 2022)

Preface: If an attacker used our hypothetical race condition above to perform malicious operations and help bypass secured mechanisms, it then becomes “Race Condition Vulnerability.” This vulnerability commonly occurs when threads use the same shared memory to update the values of variables.

Technical background to the file named pipe[.]c: New pipe buffers will be restricted to this size while the user is exceeding their pipe buffer quota. The general pipe use case needs at least two buffers: one for data yet to be read, and one for new data. If this is less than two, then a write to a non-empty pipe may block even if the pipe is not full.
Users can reduce their pipe buffers with F_SETPIPE_SZ below this at their own risk, namely: pipe writes to non-full pipes may block until the pipe is emptied.

Vulnerability details: CVE-2022-2959 updated on 25th Aug, 2022. However it was not published in past. The vulnerability is that a race condition was found in the Linux kernel’s watch queue due to a missing lock in pipe_resize_ring(). The solution issued on 28th May 2022.

Description: A race condition was found in the Linux kernel’s watch queue due to a missing lock in the pipe_resize_ring(). The race condition occurs when a thread uses ioctl(IOC_WATCH_QUEUE_SET_SIZE) to resize the pipe buffer and free the old pipe buffer, while another thread uses keyctl() to trigger a notification in the watch queue, calling post_one_notification() and accessing the freed pipe buffer. This flaw allows a local user to crash the system or escalate their privileges on the system.

Red Hat Enterprise Linux 6, 7 and 8 are not affected by this issue. Some versions of Linux . For that one need to use ioctl with FIONREAD command to get the size of unread data inside pipe.

If you are interested in this topic, please see the details of my speculation from the attached picture.

Official details (CVE-2022-2959): See the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-2959

CVE-2022-37428 – The RollBack attack works on some Nissan, Kia, and Hyundai vehicles in production 2017. 08/24/2022

Preface: Capturing and replaying a couple of signals are-synchronizes the rolling codes and unlocks most of today’s vulnerable vehicles.

Background: Automotive Remote Keyless Entry (RKE) systems implement disposable rolling codes, making every key fob button press unique, effectively preventing simple replay attacks. However a attack so called jamming. This is done by jamming the receiver, capturing 2 or more remote presses, then stopping the jammer nd replaying the first remote press saving the next capture iin the rolling code series to replay later.

Remark: So far, the root cause is not confirmed and no explicit mitigation exists, said Blackhat conference 2022 .

Vulnerability details: The Remote Keyless Entry (RKE) receiving unit on certain Nissan, Kia, and Hyundai vehicles through 2017 allows remote attackers to perform unlock operations and force a resynchronization after capturing two consecutive valid key fob signals over the radio, aka a RollBack attack. The attacker retains the ability to unlock indefinitely.

Official announcement: Refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-37418

CVE-2022-31676 – VMware Tools (23rd Aug 2022)

Preface: This time openSSL.cnf is not involved this vulnerability, maybe C_REHASH is the suspect?

Background: VMware Tools is a set of services and modules that enable several features in VMware products for better management of, and seamless user interactions with, guests operating systems.

Some VMware Tools seĴings might expose security risks. For example, VMware Tools enables you to
connect virtual devices such as serial and parallel ports to virtual machines. A connected device might be a potential channel of attack.

When serial port access is enabled for a VM instance, clients can attempt to connect to that instance from any IP address and this allows anybody to access the instance if they know the user name, the SSH key, the project ID, and the instance name and zone.

Vulnerability Details: A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine , said VMware. Please refer to the link for details – https://www.vmware.com/security/advisories/VMSA-2022-0024.html

My observation: Since the vendor didn’t describe what the actual reason was. A hints for my analysis is based on openssl 3.0 working with VMware Tools 3.0.0 written in offical article. Coincidentally, a bug was discovered in OpenSSL 3.0.0, which was released in June 2022. The flaw will be fixed on OpenSSL 3.0.4. Affected products include 3.0.0, 3.0.1, 3.0.2, and 3.0.3. If you are interested in this, please refer to the attached image.

CVE-2022-33916 – OPC UA .NET Standard Reference Server 1.04.368 allows a remote attacker to cause the application to access sensitive information (23rd Aug 2022)

Preface: OPC UA bridges the divide between information technology and operational technology. It enables information and data exchange on devices within machines, between machines, and from machines to systems. As a result, companies cannot realize the benefits of the Internet of Things (IoT) and Industry 4.0 without OPC UA.

Background: Microsoft contributing Open-Source OPC UA stack to OPC Foundation on 2017. Upon today, the new OPC Foundation .NET reference stack, based on the new .NET Standard Library technology, was developed and optimized by Microsoft to serve as the complete platform-independent infrastructure, from the embedded world to the cloud.
This new version is enabled on the following supported platforms: Various Linux distributions, iOS, Android, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Phone, HoloLens and the Azure cloud.

Vulnerability details: The vulnerability exists due to excessive data output by the application within the handling of OPC UA BrowseRequests. A remote attacker can gain unauthorized access to sensitive information on the system.

With the information obtained an unauthorized user can create a valid session with the OPC UA server or client to obtain sensitive information.

OPC Foundation Security Bulletin https://files.opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2022-33916.pdf

Have you awaken by this alert [CVE-2022-32894] few days ago? (21st Aug 2022)

Preface: Security Alert from the vendor (Apple) on 17th Aug 2022, found a bug on their iOS. If you use iPhone and iPad, you need to update now. Some experts said that the update was also taken seriously by security research unit ZecOps, who tweeted that the iOS 15.6.1 patch vulnerability was already in use, and emphasized that hackers may launch one-click and “zero-click attacks”. Same strategy as NSO Group Pegasus Spyware.

What is zero-click attack?
On 2021, cybersecurity firm ZecOps claimed iPhones and iPads have had a traditional vulnerability to unassisted attacks, especially with its mail app. From iOS 13, this became a vulnerability to zero-click attacks too. “The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory,” a ZecOps blog published this April said. Apple reportedly patched this in April 2020.

Background: The vulnerability has been fixed, why is there another round of attacks on iPhones and iPads around the world?
As we know, the Linux kernel is composed of multiple kernel types, whereas the iOS kernel types use hybrids.
Since the CVE vulnerability information stated that this vulnerability is caused by an out-of-bounds vulnerability. The vendor, as usual, did not disclose details. But which key point drives the vendor to issue a remedy immediately? Let’s imagine the flaw based on the hints provided. In a multi-core environment, it is possible to trigger similar attacks. The attached image is when multiple kernels encounter errors on FreeBSD. For example, the vulnerability for FreeBSD was released on August 10, 2022. The vulnerability is an out-of-bounds read in elf_note_prpsinfo(). According to this circumstances, when an operating system runs on a multi-kernel system architecture (includes the FreeBSD operating system architecture). An out-of-scope defect occurred by design weakness.Thus triggering a serious flaw.
Above is only an example, as a matter of fact not know what the vulnerability was? But even what is the root causes , nobody can tell?
But if you keep your eyes open, when there is a new unknown critical bug occurs in on going future.

CWE-787: Out-of-bounds Write – Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.

Remark: The Service.RestartSec setting specifies the downtime in seconds after which systemd restarts a crashed service (5 seconds by default).

Vulnerability details:
CVE-2022-32893 vulnerability can exploit the WebKit that allows crafted web content to run arbitrary code on the targeted system.
CVE-2022-32894 vulnerability can exploit the Kernel that allows malicious apps to run arbitrary code with kernel privileges on the targeted system.
Fixes and Solutions:
Safari 15.6.1 | HT213414 https://support.apple.com/en-gb/HT213414
macOS Monterey 12.5.1 | HT213413 https://support.apple.com/kb/HT213413
iOS 15.6.1 and iPadOS 15.6.1 | HT213412https://support.apple.com/kb/HT213412

CVE-2022-2568 – Logic flaw leads to privilege escalation (Red Hat Ansible Automation Platform) 18th Aug 2022

Preface: What is backward compatibility in Linux?
Backward compatible (also known as downward compatible or backward compatibility) refers to a hardware or software system that can successfully use interfaces and data from earlier versions of the system or with other systems.

Background: Ansible Automation Platform provides an enterprise framework for building and operating IT automation at scale, from hybrid cloud to the edge. Ansible Automation Platform enables users across an organization to create, share, and manage automation—from development and operations to security and network teams.

Configure Automation Hub to support your organization by creating groups for your users and providing them with the level of system access they require. For this design, system administrator will configure Automation Hub to support the operation structure by creating groups for users and providing them with the level of system access they require.

The relevant packages are as follows:

  • python-galaxy-ng – A Pulp plugin to support hosting your very own Ansible Galaxy server.
  • pulpcore-selinux – pulpcore-selinux is a set of SELinux policies for Pulp 3, with several plugins[0] installed.
  • openshift-clients – With the OpenShift command-line interface (CLI), the oc command, you can create applications and manage OpenShift Container Platform projects from a terminal.
  • automation-hub – The Red Hat Ansible Automation Automation Hub is the official location to discover and download supported Ansible content collections.
  • automation-controller – The automation controller allows users of Red Hat® Ansible® Automation Platform to define, operate, scale, and delegate automation across their enterprise.
  • ansible-core – Ansible core or ansible-core is the main building block and architecture for Ansible and includes: CLI tools such as ansible-playbook, ansible-doc. and others for driving and interacting with automation.

Vulnerability details: A privilege escalation flaw was found in the Ansible Automation Platform. This flaw allows a remote authenticated user with ‘change user’ permissions to modify the account settings of the superuser account and also remove the superuser privileges.

Official details https://access.redhat.com/security/cve/cve-2022-2568

When you are interested in reading this article, you may agree that the industrial sector needs to strengthen cybersecurity protection (17th Aug 2022)

Preface: OPC UA is a standard that ensures the open connectivity, interoperability, security, and reliability of industrial automation devices and systems. OPC UA is widely recognized as the key communication and data modeling technology for the Industry 4.0 initiative.
The UA SDK is a C++ library that supports you in writing portable C++ OPC UA Servers. The UA SDK actually consists of two SDKs, a Server SDK and a Client SDK. Both use the same UA Base Library which does all the C++ encapsulation of the raw ANSI C types that are defined in the OPC UA Communication Stack by the OPC Foundation.

Background: The C++ OPC UA Server SDK provides a C++ class library used to develop OPC UA Servers providing a standard interface to vendor specific systems. The OPC UA Server is normally used to describe the available information from a vendor system and to provide access to the data for external systems in a standardized way.
The SDK allows multiple instances of our address space implementation. For every namespace you create a new address space, which together form the complete server address space. For each address space the “ns” is well known which allows to eliminate redundant “ns” information in the nodes. For each address space you can configure the size constraints and if the address space is created dynamically in RAM or if it is compiled into the application.

Vulnerability details: On 17th Aug 2022, Softing OPC UA C++ SDL from version 6.0 has information update. Softing OPC UA C++ Server SDK, Secure Integration Server, edgeConnector, edgeAggregator, OPC Suite, and uaGate are affected by a NULL pointer dereference vulnerability.
NULL pointer dereference vulnerability in OPC UA C++ SDK, Secure Integration Server, edgeConnector and edgeAggregator – https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-7.html

Ref: On June 17, 2021, Softing OPC UA C++ SDK (Software Development Kit) versions from 5.59 to 5.64 exported library functions don’t properly validate received extension objects, which may allow an attacker to crash the software by sending a variety of specially crafted packets to access several unexpected memory locations.
https://nvd.nist.gov/vuln/detail/CVE-2021-32994
https://www.cisa.gov/uscert/ics/advisories/icsa-21-168-02