Preface: Whether it is correct or not, this is a spirit for learning.

Background: The critical CVE (CVE-2022-34718 ) impacts Windows TCP/IP, allowing an unauthenticated attacker to send a specially crafted IPv6 packet to Windows node where IPSec is enabled. But the supplier didn’t reveal too many details.

My observation: CVE-2021-24074 and CVE-2021-24094 occurred in 2021.The RCE vulnerability is more complex, and it is more difficult to initiate exploit, and it will not happen in a short period of time.
In response to CVE-2021-24074, Microsoft recommends turning off Source Routing to defend against, which is already turned off by default in Windows.
For CVE-2021-24094, Microsoft recommends turning off packet reassembly to block IPv6 packet fragmentation, but this may also affect services that rely on IPv6.
Essentially, fragments are reassembled in IP Filter mechanism. So, Disable fragment reassembly is a workaround.

VPN support IPv6 protocol. Meanwhile the VPN support reassembly features. If unautheticated attacker send a specially crafted IPv6 packet to Windows node where IPSec is enabled. As a result, if WFP still support packet reassembly, the TCP RCE vulnerability (CVE-2021-24074 and CVE-2021-24094) will appears again.

Official detail:Please go to the link for details https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34718

Preface: Failures happen all the time, it’s important to see how to deal with them.

Background: Background: The new OLE DB provider is called the Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL). The Microsoft OLE DB Provider for SQL Server (SQLOLEDB) still ships as part of Windows Data Access Components. It isn’t maintained anymore and it isn’t recommended to use this driver for new development. When developing an application that uses the OLE DB Driver for SQL Server library, developer is able to use ADO with OLE DB Driver for SQL Server.

Vulnerability details: Certain versions of Windows from Microsoft contain the following vulnerability:
Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34731, CVE-2022-34733, CVE-2022-35834, CVE-2022-35835, & CVE-2022-35840.

My observation: Because Microsoft did not disclose the reason. I guess that one of the possibility will be triggered by ADO with OLE DB Driver for SQL Server. My speculation is shown on diagram. Let’s recall CVE-2019-0888.

A remote code execution vulnerability exists in the way that ActiveX Data Objects (ADO) handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code with the victim user’s privileges. An attacker could craft a website that exploits the vulnerability and then convince a victim user to visit the website. The security update addresses the vulnerability by modifying how ActiveX Data Objects handle objects in memory.

Even if my speculation not a correct story, long story short. We should do a patch.

Official announcement – Please refer to the link for details – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35836

Preface: Not sure if this vulnerability affects all linux brands. However, Debian has solved this problem. Maybe when you turned on your linux yesterday. A critical update will cover this issue.
Remark: Debian Linux’s mainline kernel has been ported bare-metal to the Apple M1 SoC, opening up the way for a Linux ecosystem replacing MacOS.

Background: BIOS uses the Master Boot Record (MBR) to save information about the hard drive data while UEFI uses the GUID partition table (GPT). Compared with BIOS, UEFI is more powerful and has more advanced features. It is the latest method of booting a computer, which is designed to replace BIOS.UEFI is the replacement for BIOS. EFI is the storage partition used with UEFI.
Unified Extensible Firmware Interface is a personal computer system specification that defines the software interface between the operating system and system firmware as an alternative to BIOS. The extensible firmware interface is responsible for POST, contacting the operating system, and providing the interface between the operating system and the hardware. The predecessor of UEFI was the Intel Boot Initiative, which was developed by Intel in 1998, and was later renamed the Extensible Firmware Interface.

Introducing a kernel module to expose capsule loader interface (misc char device file note) for user to upload capsule binaries. This option exposes a loader interface “/dev/efi_capsule_loader” for user to load EFI capsule binary and update the EFI firmware through system reboot. It expose a misc char interface for user to upload the capsule binary and calling efi_capsule_update() API to pass the binary to EFI firmware. The steps to update efi firmware are:
1) cat firmware[.]cap > /dev/efi_capsule_loader
2) reboot

Vulnerability details: An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader[.]c has a race condition with a resultant use-after-free.

NVD Published Date:09/09/2022
NVD Last Modified:09/09/2022

Official announcement – https://nvd.nist.gov/vuln/detail/CVE-2022-40307

Preface: Race conditions are most commonly associated with computer science and programming. They occur when two computer program processes, or threads, attempt to access the same resource at the same time and cause problems in the system. Race conditions are considered a common issue for multithreaded applications.

Background: The kernel uses virtual memory areas to keep track of the process’s memory mappings; for example, a process has one VMA for its code, one VMA for each type of data, one VMA for each distinct memory mapping (if any), and so on. VMAs are processor-independent structures, with permissions and access control flags.

Vulnerability details: An issue was discovered in include/asm-generic/tlb[.]h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs.

Summary found by Google project zero – There are drivers (in particular GPU drivers) that create VM_PFNMAP VMAs containing PTEs that point to normal pages from the page allocator. VM_PFNMAP means that the core kernel won’t track this using the page mapcounts.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-39188

Preface: Don’t contempt this design weakness. Why? Red Hat Virtualization (RHV, previously known as Red Hat Enterprise Virtualization) is an enterprise virtualization product based on the KVM hypervisor.

Background: Avi Kivity began the development of KVM in mid-2006 at Qumranet, a technology startup company that was acquired by Red Hat in 2008. KVM surfaced in October, 2006 and was merged into the Linux kernel mainline in kernel version 2.6. 20, which was released on 5 February 2007. KVM is maintained by Paolo Bonzini.

• OpenShift Virtualization uses the Red Hat Enterprise Linux KVM hypervisor technology deployed using containers, allowing Kubernetes to deploy and manage VMs locally.
• KVM is a hypervisor, which is used to achieve full virtualization. Many of the cluster environments make use of KVM in order to achieve a cluster of virtual machines. In order to manage this type of cluster and the virtual machines therein, managing systems have been developed.

Vulnerability details: An issue was discovered the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations.
As a consequence, KVM instruction emulation can access memory through stale translations when the guest kernel thinks it has flushed all
cached translations. This could potentially be used by unprivileged userspace inside a guest to compromise the guest kernel.

Refer to attached diagram. If a vCPU 0 is outside guest mode and is scheduled out, it might be in the process of making a memory access. A problem occurs if another vCPU (vcpu 1) uses the PV TLB flush feature during the period when the vCPU 0 is scheduled out. The problem is that a virtual address has already been translated but has not yet been accessed.
If such scenario occurs, the attacker can do attack not prevented by deployed defenses. Specifically, the attacks exploit the Return Stack Buffer (RSB) to cause speculative execution of the payload gadget that reads and exposes sensitive information.

Official announcement – Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-39189

Preface: What is the Slice() method in JavaScript? In any programming language, arrays play an important role in storing data and managing different types of data. Developers often need to filter out the array, merge multiple arrays, and push or pop elements from an array to fulfill the required tasks.The slice() method is used to get some specific elements of an array from a given starting index to the given ending index.

• slice() – The Blob interface’s slice() method creates and returns a new Blob object which contains data from a subset of the blob on which it’s called.

Background: Mojo is a collection of runtime libraries providing a platform-agnostic abstraction of common IPC primitives, a message IDL format, and a bindings library with code generation for multiple target languages to facilitate convenient message passing across arbitrary inter- and intra-process boundaries. By far the most commonly used API defined by Mojo, the C++ Bindings API exposes a robust set of features for interacting with message pipes via generated C++ bindings code.

Vulnerability details: Insufficient data validation in Mojo. Google has confirmed an exploit for the bug exists in the wild, making the vulnerability a zero-day security issue. Attacker can exploit the bug by feeding a malicious input.

Official announcement – Stable Channel Update for Desktop (Friday, September 2, 2022) – https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop.html

My observation: Refer to attached diagram. Is it possible to trigger the vulnerability in this situations?

Preface: The slogan in past stated that Linux is secure because vulnerability not often happen compare to Microsoft Windows OS. Perhaps the dream was broken. Linux like a free of charge Lego toys.
Since there are plenty of opensource driver and library around. As a result, it is hard to avoid the vulnerability happen.
Sometimes, when vulnerability occurs in Linux just do a minor modification in a C langauge written program file can fix.
Even through vulnerability occurs in Linux daily. But I still a Linux lover.

Background: XScale is a microarchitecture for central processing units initially designed by Intel implementing the ARM architecture (version 5) instruction set. XScale comprises several distinct families: IXP, IXC, IOP, PXA and CE (see more below), with some later models designed as SoCs. Intel sold the PXA family to Marvell Technology Group in June 2006.[1] Marvell then extended the brand to include processors with other microarchitectures, like ARM’s Cortex.
XScale processors are a range of reduced instruction set computer (RISC) CPUs. XScale is an advanced RISC machines (ARM) processor with a few extra features. Codenamed Monahan P, the PXA320 is the fastest processror in the PXA3xx familt and is designed to power high-end handheld devices like Smartphones, PDAs and even UMPCs.

Vulnerability details: An issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write in drivers/video/fbdev/pxa3xx-gcu[.]c, the count parameter has a type conflict of size_t versus int, causing an integer overflow and bypassing the size check. After that, because it is used as the third argument to copy_from_user(), a heap overflow may occur.
Ref 1: pxa3xx-gcu.c – Linux kernel module for PXA3xx graphics controllers. This driver needs a DirectFB counterpart in user space, communication is handled via mmap()ed memory areas and an ioctl.

Solution: video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write – https://github.com/torvalds/linux/commit/a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7

Preface: Qualcomm has been a major player in the technology space, especially since the company saw the potential of IoT and mobile processing early on, so it’s been growing.

Background: Qualcomm enables programming of the Adreno GPU in its Snapdragon application processors via the open standard OpenCL language and API. OpenCL support enables programmers to offload computer vision algorithm kernels to the GPU, which in turn provides speed and power-consumption advantages over a CPU implementation.

The major functionality includes execution of the graphics shaders (e.g., vertex shader, fragment shader and compute shader), as well as the OpenCL kernels.

Texture processor (TP) and level-1 (L1) cache. Texture processor is an important engine in Adreno that handles many texture related operations for graphics and compute. Its primary function for OpenCL is to serve the request of SP to do texture operations such as sampling on image objects. The sampling could be point sampling or bi-linear filtering, which can be useful for down- or up-sampling. The image object could be of 1D, 2D, or 3D, and in different channel order, such as RGBA, RG, R, etc. TP in Adreno has a dedicated L1 cache, which is read-only cache and stores data fetched from level-2 (L2) cache for texture operations.

Vulnerability details: Memory corruption due to out of bound read while parsing a video file in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile. The weakness was published 09/02/2022. The advisory is shared at qualcomm.com.

Vendor not disclosed the details, I suspected that an example will encountered out of bound vulnerability. (see attached diagram).
Convolution processes an image by weighting pixels in a neighborhood. The matrix of the weights is a filter.

• Since work group sizes are fixed, there may be more work items created than pixels to be computed.
• It need to ensure each work item is not reading out of bounds. Automatic bounds checking and handling cannot help in this regard.

The weakness was published 09/02/2022. The advisory is shared at https://www.qualcomm.com/company/product-security/bulletins/august-2022-bulletin

Preface: What is difference between underflow and overflow?
Buffer Overflow – When accessed memory is beyond the end of the buffer.
Buffer Underflow – When the accessed memory is before the beginning of a buffer.

Background: Zephyr is embedded RTOS, it compatible to support more than 350 CPU boards includes x86, ARM, ARC, MIPS, etc. The Zephyr Project has been one of the fastest growing RTOSes, with ambitious goals established in their charter for connected and constrained devices; but it is more than just an RTOS. It is an open-source and open-governance project with a full and growing ecosystem of drivers, communication stacks, hardware abstractions, low-power OS services, build system and application components that allow for the rapid creation of innovative applications.

About Control use of Explicit Congestion Notification (ECN) by TCP: ECN is used only when both ends of the TCP connection indicate support for it. This feature is useful in avoiding losses due to congestion by allowing supporting routers to signal congestion before having to drop packets.

Vulnerability details: In subsys/net/ip/tcp[.]c , function tcp_flags , when the incoming parameter flags is ECN or CWR , the buf will out-of-bounds write a byte zero.

When a malformed tcp packet is received, the tcp_flags function does not check the validity of the parameters, but directly parses the th_flags field in TCP header. When th_flags is ECN or CWR , in the tcp_flags function, len is always 0, and buf[0-1] will be
written ‘\0’ . This will modify other data on the stack.

On 20th May 2022, it was fix possible buffer underflow. It do the remedy in file (tcp[.]c). Details can be found at this link – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-5c3j-p8cr-2pgh

Question: ECN is used only when both ends of the TCP connection indicate support for it. If it is not in use or ignore. Why do not disable it? Perhaps if it is disabled, it also avoid CVE-2022-1841 vulnerability.

Preface: Microsoft officials said a bug in Ubuntu 18/04 “will lead to DNS resolution errors”, and that “reports of this issue are confined to this single Ubuntu version.” 31st Aug 2022

Background: How to install Kubernetes on Ubuntu 18.04 Bionic Beaver Linux?

1. Install docker on every node (master and slave nodes). Execute the below linux command to install docker on all your Kubernetes nodes:
   $ sudo apt install docker[.]io
   Once the Docker is installed ensure that it is enabled to start after reboot:
   $ sudo systemctl enable docker
2. Install Kubernetes on all nodes (master & slave):
   Adding the Kubernetes signing key:
   $ curl -s https://packages[.]cloud[.]google.com/apt/doc/apt-key[].gpg | sudo apt-key add
3. Add the Kubernetes repository and install Kubernetes
   $ sudo apt-add-repository “deb http://apt[.]kubernetes[.]io/ kubernetes-xenial main”
   $ sudo apt install kubeadm
4. Disable swap memory on all your nodes (master & slave):
   $ sudo swapoff -a
5. Next, ensure that all your nodes have a unique host name. set the master node with the kubernetes-master hostname:
   $ sudo hostnamectl set-hostname kubernetes-master
   5.1 Set the slave node with the kubernetes-master hostname:
   $ sudo hostnamectl set-hostname kubernetes-slave
   6.Initialize the Kubernetes master node – Execute the following linux command on your master node:
   kubernetes-master:~$ sudo kubeadm init –pod-network-cidr=10[.]244[.]0[.]0/16
   6.1 Execute the bellow commands as a regular user to start using Kubernetes cluster:
   kubernetes-master:~$ mkdir -p $HOME/.kube
   kubernetes-master:~$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
   kubernetes-master:~$ sudo chown $(id -u):$(id -g) $HOME/.kube/config
   7.Deploy a pod network
   kubernetes-master:~$ kubectl apply -f https://raw[.]githubusercontent[.]com/coreos/flannel/master/Documentation/kube-flannel[.]yml
6. Join Kubernetes Cluster
   kubernetes-slave:~$ sudo kubeadm join 10[.]1[.]1[.]9:6443 –token qdjnpd[.]5glu39uxr92xarsj –discovery-token-ca-cert-hash sha256:ed0684156c718caf425ceae6c85a56c05f7b49037cde3a2f1fd57430a4f58f89
   Remark: Refer Step 6, copy the token hash from the screen display.

Vulnerability details: A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in ‘resolved-dns-stream[.]c’ not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference is still used later.

For headline news details, please refer to the link – https://www.theregister.com/2022/08/30/ubuntu_systemd_dns_update/