Retrospective of 2022 CVE records – CVE-2022-4292 (The Silence of the Lambs on Linux) 30thDec2022

Preface: Use-After-Free (UAF) is a vulnerability related to incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program.

Background: Most of the victims are based on Windows OS. But some of the victims were Linux users. A common approach among cyber defense vendors is to enforce detection and prevention measures.

Sometimes a vulnerability doesn’t get your attention, but it’s a passive exploitation tool. Because this kind of design weakness can let the attacker do the evasion. Yes, it is a Use After Free vulnerability in vim (prior to 9.0.0882).

All Unix Like systems will have built-in vi text editor, but currently we use more vim editor (vim has the ability of program editing).

Vulnerability details: Use After Free in GitHub repository vim/vim prior to 9.0.0882. For details, see the link – https://nvd.nist.gov/vuln/detail/CVE-2022-4292

Observation: An attacker could exploit a Use After Free vulnerability to pass arbitrary malicious code (or a reference to it) into an application and then use the dangling pointer to navigate to the start of the arbitrary code and so execute it.

Afterwards, exploit other vulnerabilities on Linux to execute the attack.

As there is currently no such exploit. But my point is that Linux users and environments should be aware of this small vulnerability. Do not despise this power.

Mitigation – Untrusted vim scripts with -s [scriptin] are not recommended to run.

CVE-2022-46174 race condition issue exists within the Amazon EFS mount helper in efs-utils versions v1.34.3 and below. (28th Dec 2022)

Preface: Sometimes it is difficult to determine what the clear impact of a vulnerability is. However if there is design weakness found, it should do a corrective control. There is a race condition issue exists within the Amazon EFS mount helper in efs-utils. What is race condition in traditional understanding.

When race conditions occur. A race condition occurs when two threads access a shared variable at the same time.

Background: EFS offers two methods to connect your Linux-based EC2 instance to your EFS file system. Both use a process called mounting whereby you mount a target to the EFS file system on your instance.

The EFS mount helper is a utility that has to be installed on your EC2 instance.

After installing the Amazon EFS mount helper amazon-efs-utils, just add the -o tls option when mounting, and your communication with Amazon EFS will be encrypted without any changes to your application. Please see the picture for details.

Vulnerability details: When using TLS to mount file systems, the mount helper allocates a local port for stunnel to receive NFS connections prior to applying the TLS tunnel. In affected versions, concurrent mount operations can allocate the same local port, leading to either failed mount operations or an inappropriate mapping from an EFS customer’s local mount points to that customer’s EFS file systems.

Remedy: This issue is patched in version v1.34.4. There is no recommended work around. We recommend affected users update the installed version of efs-utils to v1.34.4 or later.

Official details: Please see the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-46174

Retrospect a simple bug in smartphones software development in 2022 (28th Dec 2022)

Denial of service from the big world to the small world

Preface: Perhaps the historical information can be enrich our knowledge base. Even through you think the information I posted by today not very useful. However this is so called database. See whether you are still interested in this matter today?

Background:

The Flutter framework is a popular, multi-platform UI toolkit that’s powered by the Dart platform, and that provides tooling and UI libraries to build UI experiences that run on iOS, Android, macOS, Windows, Linux, and the web. When creating configuration files for application projects, languages like Python and the Google-developed Flutter framework for Dart both use YAML (. yaml). Furthermore, YAML can be used to format containerized files. Cloud computing operations also using it.

There are several libraries available to parse. yaml is a popular library to read yaml files. yaml_writer library is used to write to a yaml file.

  • yaml[.]dart for reading
  • yaml_writer for write operations

yaml is a popular library in dart and flutter for reading the yaml file and yaml_writer for writing to yaml document.

Ref: YAML is a data serialization language that is often used for writing configuration files. Depending on whom you ask, YAML stands for yet another markup language or YAML ain’t markup language (a recursive acronym), which emphasizes that YAML is for data, not documents. 

Vulnerability details: Certain versions of Gopkg[.]in/yaml[.]v2 from Gopkg[.]inyaml[.]v2 contain the following vulnerability:
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.

Official announcement: For details about the vulnerability, please refer to the official announcement – https://pkg.go.dev/vuln/GO-2022-0956

Wish you a Happy New Year.

Santa patched his ksmbd kernel server (SMB/CIFS server) just before Christmas break. (26th Dec 2022)

Preface: The researchers found that 91.88 percent of attacks targeting port 445, the most common SMB port, attempted to use the EternalBlue exploit. Even if this is a Linux environment, when the server supports the SMB version of the protocol. It more or less may have the opportunity to integrate with other peer servers, especially Windows servers. Therefore, it must be aware of the potential risks of ransomware.

Background: Common Internet File System (CIFS), an implementation of the Server Message Block (SMB) protocol, is used to share file systems, printers, or serial ports over a network. Notably, CIFS allows sharing files between Linux and Windows platforms regardless of version.

Ref: To mount the CIFS share on Linux for File Viewer, use the command: mount -t cifs // host_name / VIEWER_SHARE -o username= username ,password= password / local_path. CIFS is an unsecure implementation of SMB – its lack of encryption has seen it exploited through malware like NotPetya and the WannaCry ransomware attack, which occurred through a zero-day exploit called EternalBlue.

Vulnerability details: CVE-2022-47939 – An issue was discovered in ksmbd in the Linux kernel before 5.19.2. fs/ksmbd/smb2pdu[.]c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.

  • In computing, an oops is a serious but non-fatal error in the Linux kernel.

Details about this design weakness, see the link https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cf6531d98190fa2cf92a6d8bbc8af0a4740a223c

Merry Christmas and Happy New Year

CVE-2022-46702 Apple iOS/iPadOS up to 16.1.2 GPU Drivers memory corruption (23rd Dec 2022)

Preface: When an external GPU is connected to the iOS system. Refer to attached diagram , it will perform compute simulations on that external GPU. And thus graphics rendering on a built-in GPU.

According the current GPU design. Do you think is there desugn weakness happen here. For instance, memory access control and access permission.

Background: A MTLBuffer can’t be directly transferred between different devices; its data must be transferred via system memory. Refer to attached diagram. The sample calls the vm_allocate function to allocate a page-aligned buffer, updateAddress, backed by system memory. The sample then calls the newBufferWithBytesNoCopy:length:options:deallocator: method to create a new MTLBuffer, _updateBuffer, backed by the same system memory used for the previous buffer.

Vulnerability details: The issue was addressed with improved memory handling. This issue is fixed in iOS 16.2 and iPadOS 16.2. An app may be able to disclose kernel memory.

As details could not be found in the official announcement. My speculation is shown as below:

According to step 1 and 2 (refer to attached diagram), believe that it will have way to enhance the access control of GPU Driver buffer. The reason is that it may have potential risk  let attacker do manipulation with an unknown input leads to a memory corruption vulnerability. As a result, it may be possible for an application to leak kernel memory.

Official announcement: For details, see the link – https://support.apple.com/en-us/HT213530

  • Christmas is celebrated to commemorate the birth of Jesus Christ, who Christians believe is the Son of God. Sunday, December 25, 2022 is Christmas. Maybe you don’t have this belief. However, I also wish you Merry Christmas and my best wishes to you and your family.

Commonplace, smartphone OS vulnerability  (22nd Dec 2022)

Preface: The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution.

Background: In the Android system, an application has at least one process, and each process has its own independent resources and memory space. Other processes cannot arbitrarily access the memory and resources of the current process. If you want to communicate between processes, you need to use IPC means.

Virtual memory managed by the kernel, with the help of hardware (the memory management unit). Multiple mappings are maintained at all times. In modern smartphone design, kernel has one or two of its own, shared by all processes, and each process gets its own user-space mapping.

A Look Back at Previous Linux Design Flaws  – eBPF ALU32 boundary tracking for bitwise operations (AND, OR, and XOR) in the Linux kernel did not properly update 32-bit boundaries, causing out-of-bounds reads and writes in the Linux kernel, leading to arbitrary code execution. The three vulnerable functions are scalar32_min_max_and(), scalar32_min_max_or(), scalar32_min_max_xor(). AND/OR was introduced in Linux 5.7-rc1 and XOR was introduced in Linux 5.10-rc1.

Research and speculation: Communication in Microkernels use the messaging queues. A message queue is an inter-process communication (IPC) mechanism that allows processes to exchange data in the form of messages between two processes. In this case, if the Linux kernel did not properly update 32-bit boundaries, Therefore, there are potential risks to occur. Successful exploitation of this vulnerability may lead to abnormal system services.

Today is the winter solstice, I wish you a happy dinner with your family tonight.

CVE-2022-43875 It looks like the flaw is not in cyber security. This is a design flaw. (21st Dec 2022)

Preface: Long time ago,  blockchain developers announcement that they have developed a blockchain platform to launch a digital system for international payments capable of replacing the global Swift system. Seems they are not successful.

Background: IBM FTM for swift services is certified real-time SWIFT messaging interface. Ensure faster payments in addition to SWIFT without changing the back office. Lower costs of compliance and get tailored solutions for your organization

About RMA: When RMA was introduced in 2009 as a replacement for the Bilateral Key Exchange (BKE), the spirit of the product was for banks to open the door to as many counterparties and correspondents as possible. Legacy RMAs can also create the opportunity for payments to be sent to destinations which may no longer be wanted or authorised, resulting in fraud risk.

The RMA is a SWIFT-mandated authorisation that enables financial institutions to define which counterparties can send them FIN messages.

Vulnerability details: IBM Financial Transaction Manager SWIFT could allow an authenticated user to lock additional RM authorizations, resulting in a denial of service on displaying or managing these authorizations.

Official announcement: For details, see the link – https://www.ibm.com/support/pages/node/6848881

Some performance problems might seem to be locking problems even though they are really problems somewhere else in the system. For example, a table space scan of a large table can result in timeout situations. Similarly, when tasks are waiting or swapped out, and the unit of work is not committed, the tasks continue to hold locks.

One of the recommendation: Reduce locking contention on the catalog and directory for data definition, bind, and utility operations

You can use the following approaches to reduce this type of contention:

Avoid using LOCK TABLE statements and statements that use RR isolation to query the catalog.

CVE-2022-46400 Microchip RN4870 module firmware 1.43 (19th Dec 2022)

Preface: There are two types of paring base on BLE version:

  •  LE Legacy Pairing (supported in Bluetooth 4.0 and 4.1)
  • LE Secure Connections (introduced in Bluetooth 4.2)

Background: The Microchip RN4870 module firmware 1.43 (and the Microchip PIC LightBlue Explorer Demo 4.2 DT100112) allows attackers to bypass passkey entry in legacy pairing.

Do you think this is a fundamental problem or flaw in the product itself? I speculate this is not a new finding, maybe we have seen this problem in BLE before (see below):

A BLE device that wants to share secure data with another device must first pair with that device. The Security Manager Protocol (SMP) carries out the pairing.Responder (in the context of BLE Security Manager), who has already sent their commitment Sconfirm,
Sconfirm =presumably c1(TK, Srand, p1, p2) = AESTK[AESTK(Srand ⊕ p1) ⊕ p2], but who has not revealed their Srand, yet. Due to the lack of binding in c1, such a Responder can still arbitrarily change their “committed” passkey TK and labels p1, p2, since – as we have seen above – the correct Srand for any new value of (TK, p1, p2) can be trivially found by Eq. 2 while keeping the former Sconfirm still the same.

rand = AES-1TK [AES-1TK(C) ⊕ p2] ⊕ p1. (Eq. 2)

I speculate that the product is still using LE Legacy Pairing (supporting Bluetooth 4.0 and 4.1), so presumably this is the root cause.

Vulnerability details: CVE-2022-46400 The Microchip RN4870 module firmware 1.43 (and the Microchip PIC LightBlue Explorer Demo 4.2 DT100112) allows attackers to bypass passkey entry in legacy pairing.

Official announcement: For details, see the link – https://nvd.nist.gov/vuln/detail/CVE-2022-46400

If the vendor does not disclose details about Android kernel design weaknesses. What are the possible weaknesses? (18th Dec 2022)

Preface: Android 13, released on August 15, 2022, is the latest version, and the recently released Android 12.1/12L includes improvements specific to foldable phones, tablets, desktop-sized screens and Chromebooks.

Background: In Android 11, the Android Common Kernel v5. Before kernel 4.12, opening /dev/ion allocated an Ion client. The IOC_ION_ALLOC ioctl allocated a new buffer and returned it to userspace as an Ion handle (an opaque integer meaningful only to the Ion client that allocated it). To map buffers into userspace or share them with other processes, Ion handles were re-exported as dma-buf fds using the IOC_ION_SHARE ioctl.

My speculation based on the details above: Using ION, each DMA-BUF heap is a separate character device, access to each heap can be controlled separately with sepolicy. This wasn’t possible with ION because allocation from any heap only required access to the /dev/ion device.

Vulnerability details: CVE-2022-42529 – A vulnerability was found in Google Android Smartphone Operating System – Android kernel (Android ID: A-235292841))

Official announcement: For details, see the link – https://source.android.com/docs/security/bulletin/pixel/2022-12-01

Details about my research on the Windows Kernel Elevation of Privilege Vulnerability CVE-2022-44683 (December 15, 2022)

Preface: Continuing yesterday’s discussion on CVE-2022-44683. Since cve doesn’t provide technical details. This point piqued my interest.

Background: NTDEF(.)H is among the headers in the Software Development Kit (SDK). It is there in the “shared” subdirectory with many other headers that are intended for use in both kernel-mode and user-mode programming.

Ref: NTDEF(.)H is also a ready illustration of how some, if not many, headers in the WDK and SDK are created from some sort of script or master header that extracts from yet more headers. This applies especially to some of the most prominent headers: WDM(.)H, NTDDK(.)H and NTIFS(.)H for kernel-mode programming and WINNT(.)H for user-mode programming.

Vulnerability details: A vulnerability has been discovered and classified as critical in Microsoft Windows (operating system). It’s about an unknown feature of a kernel component. The exact effect of a successful attack is unknown. Furthermore there is no technical details on this vulnerability.

Since the official details do not have information provided.  Following details is my speculation. If the attacker has a way to use InitializeObjectAttributes copy from ntdef(.)h to initialize an Object pointing to OBJECT_ATTRIBUTES. The consequence will similar description of CVE. It may have the potential risk of causing privilege escalation.

Official announcement: For details, see the link – CVE-2022-44683: Windows Kernel Elevation of Privilege Vulnerability.