Alert industries using PCMCIA technology 31st Oct 2022

Preface: PCMCIA Cards have been around for many years and can still be found in today’s technology. These cards are now classed as legacy products, as they were first introduced over 25 years ago.
PCMCIA cards come in 3 different types of memory; ATA, SRAM and Linear. The cards are still being made today to help support legacy products and applications, mainly aerospace, defence and transportation.

Background: Linux 5.4 was released on 24 November 2019. Although the PCMCIA subsystem will allocate resources for cards, it no longer marks these resources busy. This means that driver authors are now responsible for claiming your resources as per other drivers in Linux. You should use request_region() to mark your IO regions in-use, and request_mem_region() to mark your memory regions in-use.

PCMCIA design weakness recently (28th Oct 2022):
CVE-2022-44032 —–> A driver for the Omnikey PCMCIA smartcard reader CardMan 4040
An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4000_cs[.]c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cmm_open() and cm4000_detach(). Please refer to the link for details – https://lore.kernel.org/lkml/20220915020834.GA110086@ubuntu/
CVE-2022-44033 —–> A driver for the Omnikey PCMCIA smartcard reader CardMan 4040
An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs[.]c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().Please refer to the link for details –
https://lore.kernel.org/lkml/20220915020834.GA110086@ubuntu/
CVE-2022-44034 —–> SCR24x PCMCIA Smart Card Reader Driver
An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/scr24x_cs[.]c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove(). Please refer to the link for details –
https://lore.kernel.org/lkml/20220919101825.GA313940@ubuntu/

Remedy:
In order to avoid vulnerabilities, we recommend the following:
The dangling pointer errors can be avoided by initializing the pointer to the NULL value. If we assign the NULL value to the pointer, then the pointer will not point to the de-allocated memory. Assigning NULL value to the pointer means that the pointer is not pointing to any memory location.

A long run in CPython Design weakness, it is talking about seven years! 28th Oct 2022

Preface: The design weakness found on 2015. But till today, it looks the matter not been fixed. Perhaps you also read vendor statement. they will continue to update this advisory as additional information becomes available, said vendor.

NetApp Advisory ID: NTAP-20220616-0001 Version: 4.0 Last updated: 09/26/2022 – https://security.netapp.com/advisory/ntap-20220616-0001/
[SECURITY] Fedora 36 Update: 18 June 2022 – https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46KWPTI72SSEOF53DOYQBQOCN4QQB2GE/

Background: When you run python at the console or install a Python distribution from python.org, you are running CPython. CPython is one of the many Python runtimes, maintained and written by different teams of developers. The unique thing about CPython is that it contains both a runtime and the shared language specification that all Python runtimes use.
The mailcap format is documented in RFC 1524, “A User Agent Configuration Mechanism For Multimedia Mail Format Information”, but is not an internet standard. However, mailcap files are supported on most Unix systems. According to Python (CPython) techincal document. Mailcap files are used to configure how MIME-aware applications such as mail readers and Web browsers react to files with different MIME types. (The name mailcap'' is derived from the phrasemail capability”.) For example, a mailcap file might contain a line like “video/mpeg; xmpeg %s”. Then, if the user encounters an email message or Web document with the MIME type video/mpeg, “%s” will be replaced by a filename (usually one belonging to a temporary file) and the xmpeg program can be automatically started to view the file.

CPython is the standard Python software implementation or the default Python interpreter. The main purpose of CPython is to execute the programming language Python. CPython has great compatibility with various Python packages and modules.

Vulnerability details: Mailcap file handling in Python through 3.10.4
In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).
if the filename contains Shell Commands they will be executed if they
are passed to os.system() as discribed in the docs.

Remedy: Filename should be quoted with quote(filename) to fix the bug. Please refer to the link for details – https://bugs.python.org/issue24778

Status: Deprecated since version 3.11, will be removed in version 3.13: The mailcap module is deprecated

CVE-2022-43750: Linux Kernel usbmon module design weakness (26th Oct 2022)

Preface: Despite the presence of USB C ports, many smartphones launching in 2022 will feature USB 2.0. USB 2.0 is generally considered to have a signaling rate of 480 MB/s.

Background: What is Usbmon in Linux? The name “usbmon” in lowercase refers to a facility in kernel which is used to collect traces of I/O on the USB bus. This function is analogous to a packet socket used by network monitoring tools such as tcpdump or Ethereal.

Vulnerability details: drivers/usb/mon/mon_bin[.]c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-space client to corrupt the monitor’s internal memory. The weakness was disclosed 10/26/2022. The manipulation with an unknown input leads to a memory corruption vulnerability.

Reference: Found an issue in usbmon module, where the user space client can corrupt the monitor’s internal memory, causing the usbmon module to crash the kernel with segfault, UAF, etc.

The PoC exploits mmaps the /dev/usbmon memory to user space, and overwrites it with arbitrary data, which triggers this vulnerability.

Remedy: Upgrading to version 5.19.15 or 6.0.1 eliminates this vulnerability. The upgrade is hosted for download at cdn.kernel.org. Applying a patch is able to eliminate this problem. The bugfix is ready for download at git.kernel.org.

Official announcement: Please refer to the link for details – https://github.com/torvalds/linux/commit/a659daf63d16aa883be42f3f34ff84235c302198

CVE-2022-38181 Mali GPU Kernel Driver allows improper GPU memory processing operations (25th Oct 2022)

Preface: The GPU can not only receive transactions, but it can also initiate transactions. Which also means it has access to DRAM memory too.
How can the GPU communicate to the CPU? Well, both have access to DRAM memory. The CPU can store information in DRAM memory (0x8000_0000 – 0x0000_0000) and then write to a register in the GPU (0x9000_0000 – 0x8000_0000) to inform the GPU that the information is ready.

Background: ARM produce designs for a GPU called “Mali”. This is incorporated in many SoCs and thus devices. It is used in a number of devices that can run Debian. There are four major revisions of Mali GPUs: Utgard, Midgard, Bifrost, and Valhall.
There are only two hardware implementations of GPUs that are particularly popular in Android devices: ARM Mali and Qualcomm Adreno.
The Android and Linux version of the Mali GPUs Device Driver provide low-level access to the Mali GPUs that are part of the Bifrost family.
July 2021 Collabora announced that they reverse engineered the Valhall instruction set of the Mali-G78 GPU using a Samsung Galaxy S21 smartphone. If the mainline Linux and GPU drivers are not rooted, this cannot be done on the device. Turns out they just use It comes to reverse engineer instructions and do some testing by modifying compiled shaders and GPU data structures.
Remark: The Input/Output Memory Management Unit (IOMMU) is a hardware extension to control memory accesses of I/O devices. The IOMMU prevents malicious devices from performing arbitrary Direct Memory Access (DMA) operations and can be used to isolate device drivers.

Vulnerability details: An Arm product family through 2022-08-12 mail GPU kernel driver allows non-privileged users to make improper GPU processing operations to gain access to already freed memory.
In certain circumstances, some versions of the Mali GPU Kernel driver can become compromised.
Affects:
Midgard GPU Kernel Driver: All versions from r4p0 – r31p0
Bifrost GPU Kernel Driver: All versions from r0p0 – r38p1, and r39p0
Valhall GPU Kernel Driver: All versions from r19p0 – r38p1, and r39p0

Resolution: This issue is fixed in Bifrost and Valhall GPU Kernel Driver r38p2 and r40p0. It will be fixed in future Midgard release. Users are recommended to upgrade if they are impacted by this issue.

Official announcement: Please refer to the link for details – https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities#Technical-Specifications

CVE-2022-41986 Extended question of One-time-password to similar. How secure you were? (24th Oct 2022)

Preface: One time password is secure. What If we following their algorithm generate a password and apply in both end. If it is matches with each other. Can we do the exploit? Perhaps the answer is “Yes”. The key technology is you understand how to use the “Time” value.

Background: The IIJ SmartKey app produces one-time passwords that conform to TOTP (RFC 6238) standards and can be used in the 2-step verification authentication processes of a variety of online services supporting TOTP. RFC 6238 – The implementation of this algorithm MUST support a time value T larger than a 32-bit integer when it is beyond the year 2038.
The HMAC-based One-Time Password (HOTP) algorithm specifies an event-based OTP algorithm, where the moving factor is an event counter. The present work bases the moving factor on a time value. A time-based variant of the OTP algorithm provides short-lived OTP values, which are desirable for enhanced security.

Vulnerability details: A vulnerability, which was classified as problematic, was found in Iij SmartKey up to 2.1.3 on Android (Android App Software). This affects some unknown processing of the component One-Time Password Handler. The manipulation with an unknown input leads to a information disclosure vulnerability. CWE is classifying the issue as CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. This is going to have an impact on confidentiality. The summary by CVE is:

Information disclosure vulnerability in Android App ‘IIJ SmartKey’ versions prior to 2.1.4 allows an attacker to obtain a one-time password issued by the product under certain conditions.

Official description: This vulnerability was fixed in version 2.1.4 released on June 16, 2020. Please refer to the link for details – https://jvn.jp/en/jp/JVN74534998/index.html

Remedy: Upgrading to version 2.1.4 eliminates this vulnerability.

10/07/2022 CVE reserved
10/24/2022 +17 days Advisory disclosed

CVE-2022-3642 – Insecure Default Variable Initialization on IoT USB adapter (21st Oct 2022)

Preface: In some languages such as C and C++, stack variables are not initialized by default. They generally contain junk data with the contents of stack memory before the function was invoked. An attacker can sometimes control or read these contents.

Background: Wireless routers have fourteen different channels they can use for 2.4 GHz Wi-Fi, but three of them are off limits. Channels 12 and 13 are allowed in low-power mode, while channel 14 is banned—and only allowed in Japan.
Till today, the most common Wi-Fi frequency bands that are in widespread use are 2.4 GHz and 5 GHz. 2.4 GHz and 5 GHz are the two Wi-Fi frequency bands that are in widespread use today.

Not sure if low cost USB wifi adapters will still be of interest to computer users. But suppliers of low-cost IoT products are still in demand.
For example: USB WiFi module (rtl8188fu). rtl8188fu support will be add to rtl8xxxu module of Linux kernel.
However, if you are using kernel 5.15 and 5.16, you must create a configuration file with following commands for preventing to conflict rtl8188fu module with built-in r8188eu module.

echo ‘alias usb:v0BDApF179ddcdscdpicFFiscFFipFFin* rtl8188fu’ | sudo tee /etc/modprobe.d/r8188eu-blacklist[.]conf

Vulnerability details: A vulnerability classified as problematic has been found in Linux Kernel. This affects the function rtl8188f_spur_calibration of the file drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8188f[.]c of the component Wireless. The manipulation of the argument hw_ctrl_s1/sw_ctrl_s1 leads to use of uninitialized variable. It is recommended to apply a patch to fix this issue.

Please refer to the link for details – https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git/commit/?id=80e5acb6dd72b25a6e6527443b9e9c1c3a7bcef6

CVE-2022-3621 NILFS inode[.]c null design weakness (20th Oct 2022)

Preface: NILFS merged into Linux as the first File System from Japan in June 2009. This job completed by NTT Cyber Space Laboratories.
NILFS is a file system for Linux that saves a snapshot, a historical view of the file system, automatically and continuously. This feature enables the system not only to quickly recover from system failures, but also to recover from human operation errors because the system’s state can be restored from any point in the past.

Background: Each file in a filesystem has a unique inode number. A typical allocation heuristic for inodes in a file system is one inode for every 2K bytes contained in the filesystem. The inode number indexes a table of inodes in a known location on the device.
When you created your ext3 filesystem with smaller block sizes. The ext3 default block size is 4096 bytes. If you are using your filesystem for storing lots of very small files, you might create the filesystem with a block size of 1024 or 2048. This would let you use your disk space more efficiently, but raises the likelihood of running low on inodes.
Inodes stores metadata about the file it refers to. The metadata contains Size, Permission, Owner/Group, Location of the hard drive, Date/time & Other information.
NILFS or NILFS2 (New Implementation of a Log-structured File System) is a log-structured file system implementation for the Linux kernel. Using a copy-on-write technique known as “nothing in life is free”, NILFS records all data in a continuous log-like format that is only appended to, never overwritten, an approach that is designed to reduce seek times, as well as minimize the kind of data loss that occurs after a crash with conventional file systems. For example, data loss occurs on ext3 file systems when the system crashes during a write operation. When the system reboots, the journal notes that the write did not complete, and any partial data writes are lost.
An ordinary file is just a sequence of data bytes stored in some physical device without any name attached to it. The administrative information of this file, such as owner, permissions, size, times, etc., is stored in the inode structure of the file. All of the file system’s inodes are collected together to form an inode table. Each file system occupies a logical disk.

Vulnerability details: A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_bmap_lookup_at_level of the file fs/nilfs2/inode.c of the component nilfs2. The manipulation leads to null pointer dereference. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211920.

A null-pointer dereference takes place when a pointer with a value of NULL is used as though it pointed to a valid memory area. Null-pointer dereferences, while common, can generally be found and corrected in a simple way.

More details on this technical information. Please refer to the official announcement – https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id=21a87d88c2253350e115029f14fe2a10a7e6c856

New faces replace traditional attack tools (Oct 20, 2022)

Preface: In IoT and IIoT world, windows OS and Linux Based OS become the mainstream technology. The endpoint devices mainly based on Linux operation system as a design baseline. If you have chances to explore the operation system architecture for IIoT and IoT. Your will found that it is a Linux world. Even through the IoT monitor API (mini dashboard) installed on your mobile phone is a Linux.
Pehaps to indicated the border of IT and consumer IoT can be catalogries by operation system. Why? Because the mainstream of information technology (IT) deploy the windows OS system.
The concept above might not apply to Industrial area. As you know, OPC technology implemented to OT environment nearly 20 years. Perhaps OPC-UA is based on Linux. But when you look at it from a wide angle, it lets you know that hybrid OS architecture design has settled in the OT space.

Background: About two decades ago, PsExec was a powerful tool. Meanwhile, Threat actors misused and transformed this program as a tool. In fact, PsExec can help use scripts and exploit vulnerabilities when malware downloads payloads to victim machines. Why do they use the PsExec program because it’s a Windows based machine. Few years ago, hacker misuse powershell language and jepodized a bunch of MS Exchange servers. As of today, powershell still capable to enagage cyber attack in misconfig system environment. Long story tell short, IoT and IIoT devices based on Linux. It seems that the above serious effects can be avoided. is this real?

Details: The common programming language in IoT and IIoT environment will using Python. As we heard by far when IoT devices vulnerable, it can tranform into a botnet thus engage cyber attack. But in what way they do?
CISA discovery activity shows that, the new method for engaging in cyber attacks will use two Impacket tools: wmiexec[.]py and smbexec[.]py.
Smbexec[.]py uses a similar approach to psexec w/o using RemComSvc. Remcomsvc.exe is a tool used by us to execute remote command on the agent machines. Actors used Impacket tools wmiexec[.]py and smbexec[.]py to leverage Windows Management Instrumentation and execute malicious commands.
According to the above information, this is a new way for botnet activity to effectively affect the Microsoft operating system architecture environment.
But don’t take this approach lightly. People will feel when the windows OS machine doesn’t have python installed. There is no chance of falling into this attack scenario. The details below show that it can run Python scripts if you don’t have Python installed on your Windows PC.

You can either use py2exe or use the Python exe without installing. py2exe will require setting up beforehand with an environment with Python, as it is an extension of Distutils. Create a file called setup.py, with the content

from distutils[.]core import setup
import py2exe
setup(console=[‘script[.]py’])

For using python without installing:
You can download the latest version in zip format and extract it into any folder and add that folder to your PATH environment variable so you can execute python from any directory or use the exact path to the python exe.

More details on this technical information. Please refer to the official CISA article – https://www.cisa.gov/uscert/ncas/alerts/aa22-277a

History:

  • July 2004 issue of Windows IT Pro Magazine for Mark’s article that covers advanced usage of PsExec.
  • Threat actors assigned the Application Impersonation role to the service account by running the following PowerShell command for managing Exchange:
    powershell add-pssnapin exchange;New-ManagementRoleAssignment – name:”Journaling-Logs” -Role:ApplicationImpersonation -User:
    This command gave the service account the ability to access other users’ mailboxes.
  • On Oct 2022, CISA found that two different types of Python script in frequently exploit by attacker. So called wmiexec[.]py and smbexec[.]py。

CVE-2022-31813 :Hop-by-hop definition of RFC2616 (13.5.1) as a vulnerability in Oracle Secure Backup (18th Oct 2022)

Preface: The X-Forwarded-For request header is automatically added and helps you identify the IP address of a client when you use an HTTP or HTTPS load balancer. Because load balancers intercept traffic between clients and servers, your server access logs contain only the IP address of the load balancer. To see the IP address of the client, use the X-Forwarded-For request header.

Background: The observiced service daemon provides a wide variety of services. It runs continually on the administrative server, media server, and client. On the administrative server, observiced runs jobs at the request of the schedule daemon, cleans up log files and transcripts, and provides access to Oracle Secure Backup configuration data to other hosts in the domain.
observiced starts the schedule daemon and the Apache Web server during initialization.
When running on a media server or client, observiced handles membership in a administrative domain, allows for remote administration of the host, and handles certificate operations. The identity certificate of the requesting host is used to verify that it is permitted to invoke the operation
The obhttpd daemon provides the Web tool for Oracle Secure Backup. This daemon runs continually on the administrative server. The Web server daemon is signaled to start by the observiced daemon, which itself is normally started as part of system startup.

Vulnerability Details: Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.
Additional CVEs addressed are:The patch for CVE-2022-31813 also addresses CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, and CVE-2022-30556.

According to RFC 2616 13.5.1, it stated the following:
Hop-by-hop headers, which are meaningful only for a single transport-level connection, and are not stored by caches or forwarded by proxies.

If following step 3 in attached diagram do it hop-by-hop, since X-Forwarded headers do not have IP address provided. As a result, it is able to bypass access control.

Official announcement: Oracle Critical Patch Update Bulletin – October 2022 has been released. See the link for details – https://www.oracle.com/security-alerts/cpuoct2022.html

CVE-2022-3541 has impact on IoT Linux chips and should be upgraded with firmware (17th Oct 2022)

Preface: BPF introduced two big innovations in packet filtering:

  • A new virtual machine (VM) designed to work efficiently with register-based CPUs.
  • The usage of per-application buffers that could filter packets without copying all the packet information. This minimized the amount of data BPF required to make decisions.

Background: BPF programs are designed to run in the linux kernel which is written in C, hence BPF defines instruction set compatible with two most used architectures x64 and arm64.
BPF allows a user-space program to attach a filter onto any socket and allow or disallow certain types of data to come through the socket. LSF follows exactly the same filter code structure as BSD’s BPF, so referring to the BSD bpf.4 manpage is very helpful in creating filters.
New generation of IoT security framework implements a packet filtering mechanism on the gateway side in order to mitigate DoS network attacks. The packet filtering module can cover all the networking stack layers, focusing on the Message Queuing Telemetry Transport (MQTT) / MQTT for Sensor Networks (MQTT-SN) and CoAP application layer protocols. The network filter layer consists of two sub-modules: the packet filter mechanism in the kernel side and the userspace filter component. The packet filtering on the kernel side will be implemented the Berkeley Packet Filter or Extended Berkeley Packet Filter (eBPF) technology.
An SoC that has the power of a Linux-grade chip and the integration simplicity of a micro-controller. So called IoT Linux chips. CVE-2022-3541 has impact on IoT Linux chips and should be upgraded with firmware.

Vulnerability Details: CVE-2022-3541 A vulnerability classified as critical has been found in Linux Kernel. This affects the function spl2sw_nvmem_get_mac_address of the file drivers/net/ethernet/sunplus/spl2sw_driver[.]c of the component BPF. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue.

For official announcement, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2022-3541