About CVE-2022-41828: AWS Redshift JDBC Driver, a secure class loading and verification mechanism is require. (29-09-2022)

Preface: This design weakness was fixed on earlier June 2022. As we know, there is no mandatory policy on vendor side when should be disclosed the vulnerability details. It all depends on vendor analysis and judgement. So, as a user we only take the action to do the patching.

Background: By default, Redshift stores data in a raw, uncompressed format, and you can choose whether to compress data. Each column within a table can use a different type of compression. It is possible to let Redshift automatically select encoding for column compression, or select it manually when creating a table.

Data Warehousing and Analytics Using Amazon Redshift
To access a Redshift data store using the Amazon Redshift JDBC Driver, you need to configure the following:

  • Referencing JDBC Driver Libraries
  • Registering the Driver Class
  • The connection URL for the driver

Vulnerability details: In Amazon AWS Redshift JDBC Driver (aka amazon-redshift-jdbc-driver or redshift-jdbc42) before 2.1.0.8, the Object Factory does not check the class type when instantiating an object from a class name.

Remedy: upgrade to 2.1.0.8

Official detail: Please refer to the link for details – https://github.com/aws/amazon-redshift-jdbc-driver/commit/40b143b4698faf90c788ffa89f2d4d8d2ad068b5

Casual style mining CVE-2022-22074 details (28th Sep 2022)

Foreword: A vulnerability published a few months ago (CVE-2022-22071) intrigued me due to a design flaw in snapdargon’s memory management. Therefore written down my gather information on the subject.
CVE-2022-22071 – Possible use after free when process shell memory is freed using IOCTL munmap call and process initialization is in progress in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music. Perhaps there is no proof of concept how to exploit this flaw. As an Android lover, it allowed me to learn and gain understanding.

Background: In Snapdragon SoCs, three components are used to provide access control: Virtual Master ID Mapping Table (VMIDMT), External Protection Unit (XPU), and System Memory Management Unit (SMMU). The SMMU is a hardware component that performs address translation and access control for bus initiators outside of the CPU. An SMMU can perform two stages of address translation.

  1. usually controlled by the CPU OS, maps the virtual addresses visible to applications and the OS kernel to intermediate physical addresses visible to a virtual machine.
  2. maps intermediate physical addresses to physical addresses.

Vulnerability details: Memory Corruption during wma file playback due to integer overflow in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.
See the diagram for details on my research on such vulnerabilities.

Official announcement: See the link for details – https://www.qualcomm.com/company/product-security/bulletins/september-2022-bulletin

About CVE-2022-22058 – Memory corruption due to processing ION handles (Qualcomm Snapdragon products) 26th Sep 2022

Preface: The vmalloc() function works in a similar fashion to kmalloc(), except it allocates memory that is only virtually contiguous and not necessarily physically contiguous.

Background: In the kernel, ION supports multiple clients, one for each driver that uses the ION functionality. A kernel driver calls the following function to obtain an ION client handle:

struct ion_client *ion_client_create(struct ion_device *dev, unsigned int heap_mask, const char *debug_name)

ION usage on Snapdragon is slightly different from the standard linux implementation.

Heaps are listed in the order they will be allocated. Do not swap the order unless you know what you are doing, said Qualcomm.

Vulnerability details: Memory corruption due to use after free issue in kernel while processing ION handles in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.

Reference:

  • A use-after-free vulnerability is an issue related to incorrect use of dynamic memory during program operation, according to MITRE.
  • “Heap” memory, also known as “dynamic” memory, is an alternative to local stack memory. Local memory is quite automatic. Local variables are allocated automatically when a function is called, and they are deallocated automatically when the function exits.

Remedy: Waiting for vendor provide the solution.

CVE-2022-41340 – A security issue in ECDSA verify (25th Sep 2022)

Preface: The term vanilla script is used to refer to the pure JavaScript (or we can say plain JavaScript) without any type of additional library.

Background: Pure JS implementation of secp256k1 signing, verification, recovery ECDSA. The code works as-is both in browsers and NodeJS, without the need of a bundler. See this link for details – https://github.com/lionello/secp256k1-js

Vulnerability details: The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery. See this link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-41340

Ref: Signature forgery – a vulnerability in the signing process that allows an attacker to generate valid signatures without knowing the shared secret.

Design defect: The ecverify function does not check sig[.]r = sig[.]s = 0, which leads an attacker can construct a malicious signature (0, 0) that passes arbitrary checks.

Remedy: Upgrading to version 1.1.0 resolved the issue

Current possibility of exploitation: No technical details available. The vulnerability is less known than average, and there are no exploits available.

Observation: Can hacker crack the private key from the public key”? Well, the answer is always, “No”, unless there’s a weakness in the implementation.

CVE-2022-39224: arr-pm versions prior to 0.0.12 are subject to this vulnerability (22nd Sep 2022)

Preface: Companies like SlideShare, Airbnb, CrunchBase, Bloomberg, Dribble, Shopify, and GitHub have trusted Ruby on Rails and used the framework in their applications.

Background: Ruby is an open source, object oriented language that was developed in the mid-90s. Since it is a scripting language. Ruby doesn’t talk to the hardware directly. Rather, it is written in a text file and parsed by an interpreter before it can be turned into code.
The library (arr-pm) allows to you to read and write rpm packages. It is written in pure ruby because librpm is not available on all systems.
This programming language is also used in automation, website deployment, and DevOps.

Vulnerability details: Vulnerability details: Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious “payload compressor” field. This vulnerability impacts the extract and files methods of the RPM::File class of this library.

Additional: The vulnerability may impact fpm only when using the flag -s rpm or –input-type rpm to convert a malicious rpm to another format. It does not impact creating rpms.

gem is a command provided by a the Ruby packaging system called rubygems. This allows you to install, and later upgrade, fpm.
So when you do the installation : gem install -no-ri –nordoc fpm
You can see the installation process fetching arr-pm-.0.0.xx[.]gem

This is the problem that arises in this design weakness.

Solution: It is recommended to upgrade your arr-pm to 0.0.12.

09/02/2022 CVE reserved
09/22/2022 +20 days Advisory disclosed

About CVE-2022-41218 – The vendor who sharing this technology, you should fix immediately. Otherwise, you will be headache! 21st Sep 2022.

Preface: In 2021, Linux has been one of the most popular software packages for client devices. According to Digital TV Europe, 800 million set-top boxes are powered by this platform worldwide.

Background: The LinuxTV project is an informal group of volunteers who develop software regarding digital television for the Linux kernel-based operating systems. The community develops and maintains the Digital Video Broadcasting (DVB) driver subsystem which is part of the Linux kernel since version 2.6. x.

Vulnerability details: In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release.

Ref: In computer world, reference counting is a programming technique of storing the number of references, pointers, or handles to a resource, such as an object, a block of memory, disk space, and others.
Furthermore in garbage collection management, reference counts may be used to deallocate objects that are no longer needed.

Reference counts can be used when tracking how many objects contain a reference to a particular resource, such as in memory management or garbage collection. Race condition causes reference counter to be decremented prematurely, leading to the destruction of still-active object and an invalid pointer dereference.
An invalid pointer reference occurs when a pointer’s value is referenced even though the pointer doesn’t point to a valid block.

My observation:
The reference counting is a programming technique of storing the number of references, pointers, or handles to a resource. Furthermore in garbage collection management, reference counts may be used to deallocate objects that are no longer needed. The vulnerability will occurs a use-after-free caused by refcount races. Use-After-Free (UAF) is a vulnerability related to incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program. The driver is located in ring 0 (kernel). If attacker know how to exploit this bug in user space. Therefore, the risk will be significant higher.

Solution and official details: Please refer to this link – https://nvd.nist.gov/vuln/detail/CVE-2022-41218

CVE-2022-32917, CVE-2022-32912 & CVE-2022-32788 – Bounds check design weakness require improve in IOS (affecting iOS 16 Beta 9 and previous versions). Apple claimed that it fixed now.(20th Sep 2022)

Preface: Bounds checking is a compiler-based technique that adds run-time bounds information for each allocated block of memory, and checks all pointers against those at run- time. For C and C++, bounds checking can be performed at pointer calculation time or at dereference time.

Background: The calloc () function allocates memory for an array of nmemb elements of size bytes each and returns a pointer to the allocated memory. The memory is set to zero. If nmemb or size is 0, then calloc () returns either NULL, or a unique pointer value that can later be successfully passed to free ().
The Difference Between Malloc and Calloc is that calloc allocates the memory and initializes every byte in the allocated memory to 0. In contrast, malloc allocates a memory block of a given size and doesn’t initialize the allocated memory.
Mach Kernel Abstractions:
Mach provides a small set of abstractions that have been designed to be both simple and powerful. These are the main kernel abstractions:

  • Tasks. The units of resource ownership; each task consists of a virtual address space, a port right namespace, and one or more threads. (Similar to a process.)
  • Threads. The units of CPU execution within a task.
  • Address space. In conjunction with memory managers, Mach implements the notion of a sparse virtual address space and shared memory.
  • Memory objects. The internal units of memory management. Memory objects include named entries and regions; they are representations of potentially persistent data that may be mapped into address spaces.
  • Ports. Secure, simplex communication channels, accessible only via send and receive capabilities (known as port rights).
  • IPC. Message queues, remote procedure calls, notifications, semaphores, and lock sets.
  • Time. Clocks, timers, and waiting.

Vulnerability details:
CVE-2022-32917 The issue was addressed with improved bounds checks – https://nvd.nist.gov/vuln/detail/CVE-2022-32917
CVE-2022-32912 An out-of-bounds read was addressed with improved bounds checking – https://www.tenable.com/cve/CVE-2022-32912
CVE-2022-32788 A buffer overflow was addressed with improved bounds checking – https://nvd.nist.gov/vuln/detail/CVE-2022-32788

About the September 2022 Trend Micro Critical Security Bulletin (20th Sep 2022)

Quote: A technical discussion on devblogs.microsoft.com – https://devblogs.microsoft.com/oldnewthing/20200113-00/?p=103322
This is not a vulnerability. In Windows, you can put a file in a directory that the user does not have access to, but if the user can produce the name of the file, they can still access it. This works because Windows by default enables “bypass traversal checks”, which means that you can access anything you can name.

Background: Trend Micro Apex One as a Service is a centrally managed anti-malware solution that protects endpoints (servers, desktops, and portable endpoints) from a wide variety of Internet threats.
– CVE-2022-40139: Improper Validation of Rollback Mechanism Components RCE Vulnerability
– CVE-2022-40140: Origin Validation Error Denial-of-Service Vulnerability
– CVE-2022-40141: Information Disclosure Vulnerability
– CVE-2022-40142: Agent Link Following Local Privilege Escalation Vulnerability
– CVE-2022-40143: Link Following Local Privilege Escalation Vulnerability
– CVE-2022-40144: Login Authentication Bypass Vulnerability
On this discussion, I am focusing on CVE-2022-40144. On 2019, Directory Traversal Vulnerability discovered in Trend Micro Apex One, OfficeScan and Worry-Free Business Security. Since the vulnerability details annouce by vendor lure my interested. Perhaps there is no offical details annonucment. However, it might have Directory Traversal Vulnerability awaken again in CVE-2022-40144. The design weakness will be on web console.

Vulnerability details: CVE-2022-40144 – A vulnerability in Trend Micro Apex One and Trend Micro Apex One as a Service could allow an attacker to bypass the product’s login authentication by falsifying request parameters on affected installations.

Remark: Trend Micro has released a new Service Pack for Trend Micro Apex One (On Premise) and Critical Patches for Apex One as a Service (SaaS) that resolve multiple vulnerabilities in the product.
Zero-Day-Initiative – CVE-2022-40140, CVE-2022-40142 and CVE-2022-40143

Remedy: To address multiple vulnerabilities in their product, follow their recommendations for fixes. For details, please refer to the following link for reference.
https://success.trendmicro.com/dcx/s/solution/000291528?language=en_US

CVE-2022-40768 – drivers/scsi/stex[.]c in the Linux kernel through 5[.]19[.]9 allows local users to obtain sensitive information from kernel memory (18th Sep 2022)

Preface: iSCSI is popular in the implementation of SAN systems because of their block level storage structure. When data arrives at its destination the iSCSI protocol separates the SCSI commands so that the Operating System will see the storage as a local device and allow formatting as usual.

Background: iSCSI is a block protocol for storage networking and runs the very common SCSI storage protocol across a network connection which is usually Ethernet. iSCSI, like Fibre Channel, can be used to create a Storage Area Network (SAN). iSCSI traffic can be run over a shared network or a dedicated storage network.

Design concept:

Initiator – The SCSI layer generates command descriptor blocks (CDBs) and transfers them to the iSCSI layer. The iSCSI layer generates iSCSI protocol data units (PDUs) and send them to the targer over an IP network.
Target – The iSCSI layer receives PDUs and sends CDBs to the SCSI layer.The SCSI layer interprets CDBS and gives responses when necessary.

Vulnerability details: A vulnerability was found in Linux Kernel up to 5[.]19[.]9. The design weakness occurs in the function stex_queuecommand_lck of the file drivers/scsi/stex[.]c. The manipulation leads to information disclosure.

Remedy: The passthrough structure is declared off of the stack, so it needs to be zeroed out before copied back to userspace to prevent any unintentional data leakage.

References to Advisories – Please refer to the link for details:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/scsi/stex.c
https://lore.kernel.org/all/20220908145154.2284098-1-gregkh@linuxfoundation.org/
https://www.openwall.com/lists/oss-security/2022/09/09/1

CVE-2022-40476: If you use io_uring to optimize your Redis, you should stay alert! (15th Sep 2022)

Preface: Dereferencing a null pointer is undefined behavior, typically abnormal program termination. In some situations, however, dereferencing a null pointer can lead to the execution of arbitrary code.

Background: io_uring (previously known as aioring) is a Linux kernel system call interface for storage device asynchronous I/O operations addressing performance issues with similar interfaces provided by functions like read()/write() or aio_read()/aio_write() etc. for operations on data accessed by file descriptors.

Vulnerability details: A null pointer dereference issue was discovered in fs/io_uring[.]c in the Linux kernel before 5.15.62. A local user could use this flaw to crash the system or potentially cause a denial of service.

Reminder: In the moment, open source developer did not had good way to completely fix the destructive RMW (unless we go full scrub for each partial write), But the fix thet test can be limited the damage .

Software developer announcement:
Although we have no good way to completely fix the destructive RMW (unless we go full scrub for each partial write), we can still limit the damage.
With patch “btrfs: only write the sectors in the vertical stripe which has data stripes” now we won’t really submit the P/Q of unrelated vertical stripes, so the on-disk P/Q should still be fine.

Remark:

  • btrfs is a modern copy on write (CoW) filesystem for Linux aimed at implementing advanced features while also focusing on fault tolerance or repair.
  • destructive read-modify-write (RMW)

Related details reference link: