About CVE-2023-0394 (30th Jan 2023)

Preface: Believed that this design weakness already been fixed before CVE release to public. So do not worry about that.
To become secure, since a known Potential issues of IPv6 extension headers. Therefore , both stateful and stateless firewalls should do a deep inspection. Otherwise, it can do the evasion silently.

Background: From an early deployment aspect, IPv6 is seen as mandatory for specific 5G traffic flows, such as the 5G Control Plane (CP) and the 5G User Plane (UP). For the Management Plane (MP) and IPSec, IPv6 deployment in the early phase is not seen as mandatory but optional if available. But time will tell, IPv6 will have a major role to play in 5G, as IPv4 addresses, which are already in short supply, could never suffice the ever-growing connection demand further down the road.
IPv6 extension headers contains supplementary information used by network devices (such as routers, switches, and endpoint hosts) to decide how to direct or process an IPv6 packet. The length of each extension header is an integer multiple of 8 octets.

Vulnerability Details: A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash.

Ref:In normal circumstances, Extension headers other than the Hop-by-Hop (HBH) options header are not processed, inserted, or removed by any node until the packet reaches the destination node, but this is a potential problem.

For the official announcement, please refer to the following URL: https://nvd.nist.gov/vuln/detail/CVE-2023-0394

Speculation – Cause of Microsoft Edge (Chromium-based) Vulnerabilities (25th Jan 2023)

Preface: Edge was initially built with Microsoft’s own proprietary browser engine, EdgeHTML, and their Chakra JavaScript engine. In late 2018, it was announced that Edge would be completely rebuilt as a Chromium-based browser with Blink and V8 engines.

The new Microsoft Edge is based on Chromium and was released on January 15, 2020. It is compatible with all supported versions of Windows, and macOS.

Background: In Chromium, a renderer doesn’t run in the main browser’s process. Different sites will run in different renderers who have different processes. Last year it found flaw occurred. CVE-2022-1134 – bug got remote code execution in Chrome renderer. The bug exists in the super inline cache (SuperIC) feature.

Blink is Google Chrome’s rendering engine , V8 is the JavaScript Engine used within Blink. Inline cache is an optimization used in V8 for speeding up property accesses in bytecode generated by Ignition (the interpreter in V8). 

Edge and Chrome are both built on the Chromium open-source browser using the Blink rendering engine

Vulnerability details:

CVE-2023-21796: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2023-21795.

CVE-2023-21795: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2023-21796.

CVE-2023-21775: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

CVE-2023-21719: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

Official announcement: See URL for details – https://learn.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security

Observation: Refer to CVE-2022-1134. A JavaScript object has its map as its first field. In V8, this field is used for determining the type of an object, so by putting the map of a double Array in our fake object, V8 will interpret it as a double array. So, code region overwritten.

Since no details release by vendor. But think it over, in Chromium, a renderer doesn’t run in the main browser’s process. Different sites will run in different renderers who have different processes. However if there is Remote Code Execution Vulnerability happened (similar CVE-2022-1134). Then the impact will be different.

The flaw display in diagram so called  type confusion vulnerability. When a memory buffer is accessed using the wrong type, it could read or write memory out of the bounds of the buffer, if the allocated buffer is smaller than the type that the code is attempting to access, leading to a crash and possibly code execution. Then Exploiting this flaw to get a Privileged Shell.

What is the value of the Trusted Execution Environment (TEE) ? (20th JAN 2023)

Preface: Some said, found malware lets cybercriminal remotely manipulate your Android.

Background: The full name of TEE is trusted execution environment, which is an area on the CPU of mobile devices (smart phones, tablets, smart TVs). The role of this area is to provide a more secure space for data and code execution, and to ensure their confidentiality and integrity.

Other TEE operating systems are traditionally supplied as binary blobs by third-party vendors or developed internally. Developing internal TEE systems or licensing a TEE from a third-party can be costly to System-on-Chip (SoC) vendors and OEMs.

Trusty is a secure Operating System (OS) that provides a Trusted Execution Environment (TEE) for Android. A Trusty application is defined as a collection of binary files (executables and resource files), a binary manifest, and a cryptographic signature. At runtime, Trusty applications run as isolated processes in unprivileged mode under the Trusty kernel.

Technical details: According to headline news, a new Android malware named ‘Hook’ is being sold by cybercriminals, boasting it can remotely take over mobile devices in real-time using VNC (virtual network computing). said bleepingcomputer news.

For details, please refer to URL – https://www.bleepingcomputer.com/news/security/new-hook-android-malware-lets-hackers-remotely-control-your-phone/

Speculation: If this reported malware achieves their goals, do you think they will relies on vulnerability such as CVE-2023-21420?

Solution: To avoid Android malware, you should only install apps from the Google Play Store.

Here’s wishing you a Happy Chinese New Year 2023.

Potential threat of ChatGPT (Artificial intelligence) – 19th JAN 2023

Preface: OpenAI was founded by Elon Musk, Sam Altman, Ilya Sutskever, Greg Brockman, Wojciech Zaremba and John Schulman in Nov 2015. ChatGPT is a chatbot launched by OpenAI in November 2022. It is built on top of OpenAI’s GPT-3 family of large language models, and is fine-tuned with both supervised and reinforcement learning techniques.

Background: OpenAI GPT-3 is a machine learning model that can be used to generate predictive text via an API.

In GPT-3’s API, a ‘prompt’ is a parameter that is provided to the API so that it is able to identify the context of the problem to be solved. Depending on how the prompt is written, the returned text will attempt to match the pattern accordingly.

Security Focus: ChatGPT is being abused to build hacking tools, why? Programmed with the help of AI, even script kiddies might be lucky enough to craft malware. Experts say it’s a sinister allusion. What are the design flaws in AI itself under normal circumstances? Yes, there is a known issue with so-called prompt injection attacks. Prompt Injection is a new vulnerability that is affecting some AI/ML models and, in particular, certain types of language models using prompt-based learning. 

Additional details: ChatGPT can also code malicious software that can monitor users’ keyboard strokes and create ransomware. For your information, ChatGPT has been developed by OpenAI as an interface for its LLM (Large Language Model).

Moreover, scammers can also use ChatGPT to build bots and sites to trick users into sharing their information and launch highly targeted social engineering scams and phishing campaigns.

For details about Prompt injection attacks against GPT-3, please refer to this link – https://simonwillison.net/2022/Sep/12/prompt-injection/

Oracle Critical Patch Update Advisory – January 2023 : Security Focus CVE-2022-2274 (17th JAN 2023)

Preface: Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon possible.

Background: AVX-512 debuted in 2016 on Intel’s Xeon Phi x200 (codenamed Knights Landing). However, the instruction set has since found its way into other products from the chipmaker, such as Skylake-SP, Skylake-X, Cannon Lake, and Cascade Lake.
Furthermore, Intel’s support for AVX-512 instructions with its Alder Lake processors.
But an information disclosed by vendor to downstream manufacture that AVX-512 support on Alder Lake much like overclocking.
Remark: Overclocking is the action of increasing a component’s clock rate, running it at a higher speed than it was designed to run.

Oracle Essbase is a business analytics solution that uses a proven, flexible, best-in-class architecture for analysis, reporting, and collaboration. Oracle Essbase can be accessed on an intuitive web interface, or using Microsoft Office, for all of your analytic and business modeling needs, from multi-dimensional analysis to complex procedural business logic applied to your data.

Vulnerability details: The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.

Observation: Fundamentally, OpenSSL will build a record from each call to SSL_write and the kernel. The improvement is that build buffer in front of OpenSSL and don’t make SSL_write calls with small amounts of data if it have more coming. If AVX512IFMA instructions of the X86_64 architecture cause memory corruption due to overclocking.
So the buffer in front of openssl may have way exploit by attacker.

Due to memory corruption, an attacker may be able to trigger remote code execution on the machine performing the computation. I speculate that there may be an opportunity to exploit code execution in a similar vulnerability CVE-2022-42475 (heap-based buffer overflow vulnerability).

Workaround (RedHat) – Disabling the AVX512IFMA instruction set extension can effectively mitigate this flaw:
export OPENSSL_ia32cap=:~0x200000

Official announcement (Oracle):  For  details please refer to link – https://www.oracle.com/security-alerts/cpujan2023.html

CVE-2022-47630 – See whether your android can skip this vulnerability? Perhaps it can. (16th Jan 2023)

Preface: Why configure Secure Boot? This type of hardware restriction protects the operating system from rootkits and other attacks that may not be detected by antivirus software.

Background: Secure Boot is the process where the operating system boot images and code are authenticated against the hardware before they are authorized to be used in the boot process. The hardware is pre-configured to authenticate code using trusted security credentials. ARM architectures are the most common electronic design in the world, even though x86 is more common in the server market. ARM architectures are used in almost all smartphone designs, as well as in other small mobile devices and laptops.

Arm is the CPU architecture used by all modern smartphones in the Android and Apple ecosystems.

Vulnerability details: Trusted Firmware-A through 2.8 has an out-of-bounds read in the X.509 parser for parsing boot certificates. This affects downstream use of get_ext and auth_nvctr. Attackers might be able to trigger dangerous read side effects or obtain sensitive information about microarchitectural state.

Additional Details – One of its designs is not affected by this vulnerability:

If the config like below:

“load_auth_image” invoke “load_auth_image_internal” – See the attached picture for details

If the platform uses a custom image parser instead of the certificate
parser, the bug in the certificate parser is obviously not relevant. The
bug in auth_nvctr() may be relevant, but only if the returned data is:

  • Taken from an untrusted source (meaning that it is read prior to
    authentication).
  • Not already checked to be a primitively-encoded ASN.1 tag.
    In particular, if the custom image parser implementation wraps a 32-bit integer in an ASN.1 INTEGER, it is not affected.

Official announcement : Official details, please refer to url – https://nvd.nist.gov/vuln/detail/CVE-2022-47630

Security Focus (CVE-2023-0022) – This CVE is included in SAP’s first 2023 security update. (15th JAN 2023)

Preface: OLAP is all about BI and Big Data. Online analytical processing (OLAP) is an approach to formulate and answer multidimensional queries to large datasets.

Background: SAP have released a new statement of direction for SAP BusinessObjectsthat introduces a new version of the SAP BusinessObjects BI suite code named SAP BusinessObjects BI 2024, available on-premises and through managed cloud. SAP will provide clear use case migration paths for the components that they plan to end support of after 2027.

https://www.sap.com/documents/2020/03/908ee705-8a7d-0010-87a3-c30de2ffd8ff.html

Vulnerability details: A code injection flaw in the BusinessObjects Business Intelligence platform (CVSS score of 9.9).

SAP BusinessObjects Business Intelligence Analysis edition for OLAP allows an authenticated attacker to inject malicious code that can be executed by the application over the network. On successful exploitation, an attacker can perform operations that may completely compromise the application causing a high impact on the confidentiality, integrity, and availability of the application.

What was that happen? In what way Does customer will trigger this vulnerability? As usual, vendor did not disclosed the details. But in case of similar design. Attacker will do the attack in this way. For details, please refer to diagram for reference.

Official Announcement: Please see the link for details of this official announcement

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Affected Products: SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP), Versions – 420, 430

Headline news: FAA system outage disrupts thousands of flights across U.S. (12th Jan 2023)

Preface: Thousands of flights across the U.S. were delayed Wednesday after a Federal Aviation Administration pilot alert system failed overnight, prompting a nationwide halt to departures. said CNBC news.

Headline news – https://www.cnbc.com/2023/01/11/faa-orders-airlines-to-pause-departures-until-9-am-et-after-system-outage.html

Background: The Department of Homeland Security published the following opinion piece four years ago.

The GPS system is now considered a “crosssector dependency” for the Department of Homeland Security’s (DHS) 16 designated critical infrastructure sectors. GNSS is vulnerable to jamming and natural interference. When GNSS is denied, PNT information can be seriously affected in ways that increase risks to the safety of navigation.

My observation: Perhaps the incident was not caused by a cyber attack. But industry experts know that the overall system architecture will be combined with OS vendor-dependent drivers.

For example: if the driver is written as a specify standard driver using user-mode extensions is not recommended because this model will likely require more memory usage. However, this specify standard is available on all platforms and it is strongly recommended to use the driver written in user mode.

So, the function is not only OS specific, it also including 3rd party vendor to do the software development. As a matter of fact, aero industry is a special zone. The current computer technology is also involving such zone. In computer world nowadays, the patch to vulnerability is common. So, who can say that this is a trust zone and it is without vulnerability forever.

CVE‑2022‑42271 Staying alert, Artificial intelligence world! (12th Jan 2023)

Preface: An “intelligent” computer uses AI to think like a human and perform tasks on its own. Machine learning is how a computer system develops its intelligence. One way to train a computer to mimic human reasoning is to use a neural network, which is a series of algorithms that are modeled after the human brain.

Quote: A GPU devotes more transistors to arithmetic logic than a CPU does to caching and flow control. As of 2022, the highest transistor count GPU is Nvidia’s H100, built on TSMC’s N4 process and totalling 80 billion MOSFETs.

Background: The Intelligent Platform Management Interface, or IPMI, is a standard for controlling intelligent devices that monitor a system. To use this, you need an interface to an IPMI controller in your system (called a Baseboard Management Controller – BMC) and management software that can use the IPMI system.

Under normal circumstance, you must pick ‘IPMI top-level message handler’ to use IPMI. The message handler does not provide any user-level interfaces. Kernel code (like the watchdog) can still use it. If you need access from userland, you need to select ‘Device interface for IPMI’ if you want access through a device driver.

The Linux IPMI driver is modular. This driver is for supporting a system that sits on an IPMB bus; it allows the interface to look like a normal IPMI interface. Sending system interface addressed messages to it will cause the message to go to the registered BMC on the system (default at IPMI address 0x20).

Vulnerability details: NVIDIA baseboard management controller (BMC) contains a vulnerability in the Intelligent Platform Management Interface (IPMI) handler, where an attacker with the required privileges can cause a buffer overflow, which may lead to denial of service or code execution.

Official announcement: For official details see the link – https://nvidia.custhelp.com/app/answers/detail/a_id/5435

NVIDIA recommends that customers follow best security practices for BMC management (IPMIport). These include, but are not limited to, such measures as:

  • Restricting the DGX A100 IPMI port to an isolated, dedicated management network.
  • Using a separate, firewalled subnet.
  • Configuring a separate VLAN for BMC traffic if a dedicated network is not available.

Intel security advisory (AV23-015) 10th JAN 2023

Preface: OpenMP (Open Multi-Processing) is an application programming interface (API) that supports multi-platform shared-memory multiprocessing programming in C, C++, and Fortran, on many platforms, instruction-set architectures and operating systems, including Solaris, AIX, FreeBSD, HP-UX, Linux, macOS, and Windows.

Background: A LEGO brick is a small plastic part, but it can build a big robot. Similar concept, CPU manufacturers provide main components, guidelines as upstream product suppliers. Let computer hardware manufacturers build their own powerful supercomputers. So they use their own design for load sharing, offloading resources to the GPU. That’s how the tech world works right now.

We often hear that computer hardware has backdoors. It usually happens during the design phase of the hardware. If you ask, who will bear this burden, the downstream hardware developer or the upstream CPU manufacturer? My comment is two-sided (see below).

  • If the hardware developer does not follow the best practices recommended by the CPU manufacturer. Risks will happen.
  • If CPU and development tool manufacturers have design flaws. The risk will be on this side.

Vulnerability details: CVE-2022-40196

Description: Improper access control in the Intel(R) oneAPI DPC++/C++ Compiler before version 2022.2.1 for some Intel(R) oneAPI Toolkits before version 2022.3.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

For details, see the link – https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00773.html

My observation: As usual, the vendor does not reveal the root cause. See whether it can dig out part of the possibility.

For example: Unified Shared Memory (USM): Device Kernels can access the data using pointers. Like this programming example. The memcpy operation will wait on events e1 and e2 and Transfers data back from device to host memory. As we know, the memcpy() and memmove() functions are a source of buffer overflow vulnerabilities. Will Intel oneAPI DPC++/C++ Compiler encounter a vulnerability in this place?