CVE-2023-23518 design weakness – how it can lead to evasion of sandbox controls (28th Feb 2023)

Preface: On sandbox evasion techniques. Common evasion techniques include executing specific assembly instructions and checking for specific registry keys or file names.


Background: iOS and iPadOS help ensure runtime security by using a “sandbox,” declared entitlements, and Address Space Layout Randomization (ASLR).
All third-party apps are “sandboxed,” so they are restricted from accessing files stored by other apps or from making changes to the device. Sandboxing is designed to prevent apps from gathering or modifying information stored by other apps. Each app has a unique home directory for its files, which is randomly assigned when the app is installed. If a third-party app needs to access information other than its own, it does so only by using services explicitly provided by iOS and iPadOS.
System files and resources are also shielded from the users’ apps. Most iOS and iPadOS system files and resources run as the nonprivileged user “mobile,” as do all third-party apps. The entire operating system partition is mounted as read-only. Unnecessary tools, such as remote login services, aren’t included in the system software, and APIs don’t allow apps to escalate their own privileges to modify other apps or iOS and iPadOS.

Vulnerability details: The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.2, macOS Monterey 12.6.3, tvOS 16.3, Safari 16.3, watchOS 9.3, iOS 16.3 and iPadOS 16.3, macOS Big Sur 11.7.3. Processing maliciously crafted web content may lead to arbitrary code execution.

Official announcement: For details, please refer to the URL – https://support.apple.com/en-us/HT213605

CVE-2023-26605 – ARM DevOps developers, beware of this design weakness (27th Feb 2023)

Preface: When the U-Boot UEFI implementation is used to boot the operating system, the UEFI runtime stays in memory. Use-after-free (UAF) is a vulnerability class arising from incorrect use of dynamic memory during program execution: if a program frees a memory location but does not clear the pointer to it, the stale pointer can later be dereferenced, and an attacker may be able to exploit that error.

Background: Why am I reminding DevOps of this design weakness? Consider whether you encountered a similar bug in 2019:
CVE-2019-2215: A use-after-free in binder.c allows an elevation of privilege from an application to the Linux kernel. No user interaction is required to exploit this vulnerability; however, exploitation does require either the installation of a malicious local application or a separate vulnerability in a network-facing application.

Vulnerability details: In the Linux kernel 6.0.8, there is a use-after-free in inode_cgwb_move_to_attached in fs/fs-writeback[.]c, related to __list_del_entry_valid.

Official details: For details, please refer to the link – https://lkml.org/lkml/2023/2/22/3

All aspects of CVE-2023-0045 (24th Feb 2023)

Preface: Forty years ago the mainstream way to use a computer was the command line. When the Microsoft Windows GUI was born, people favoured Windows. As time went by, because of Windows system vulnerabilities, people said they preferred Linux. Today you hear of Linux kernel vulnerabilities from time to time. Would you switch back to Windows now? A classic Linux installation has a smaller footprint than Windows, and open-source software supports Linux even when it has vulnerabilities. If a merchant is choosing between a cost-effective (free) option and paying to license a product, perhaps they are not so worried about vulnerabilities. The truth is that even software you pay for comes bundled with vulnerability concerns.

Background: A CPU that supports multiple threads per physical core implements what is called simultaneous multithreading (SMT), or Hyper-Threading (HT) in Intel's terminology.
AMD and Intel chips with micro-op caches are vulnerable to Spectre-style attacks. These attacks exploit the micro-op cache to leak secrets in three ways:

  1. Across the user-kernel boundary.
  2. Between two SMT (simultaneous multithreading) threads running on the same physical core.
  3. Along mis-speculated execution paths.

This design weakness depends on how the CPU uses its internal level 1 cache, so the vulnerability is not specific to one brand; perhaps every vendor falls into scope.
On systems with simultaneous multithreading (SMT), attacks are possible from the sibling thread, because the level 1 cache and the branch target buffer (BTB) may be shared between the hardware threads of a CPU core. A malicious program running on the sibling thread may influence its peer's BTB to steer the peer's indirect branch speculation to gadget code, then measure the side effects that the speculative execution leaves in the level 1 cache to infer the victim's data.

Disabling Hyper-Threading (SMT) avoids Spectre-like exploits of this kind, but at a cost in CPU performance.

Vulnerability details:
The Linux kernel does not correctly mitigate SMT attacks, as discovered through a strange pattern in the kernel API using STIBP as a mitigation. For details, please refer to this link – https://bugzilla.redhat.com/show_bug.cgi?id=2167288
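To see where a Linux host stands on the two points this entry raises (is SMT on, and is STIBP being applied), the kernel's own sysfs status files can be read and summarised. The following is an added example, not code from the original post or from the Linux kernel: the file paths and status strings are the kernel's, while the classify() rule (flag the host when SMT is on and the spectre_v2 line reports STIBP as disabled, or when the kernel reports itself Vulnerable outright) is my own heuristic and the function names are illustrative.

```c
/* Added example, not code from the original post or from the Linux kernel:
 * report the SMT state and the spectre_v2 mitigation string the kernel
 * exposes through sysfs, and flag the sibling-thread scenario described
 * above (SMT on while STIBP is not applied). The classify() rule is my own
 * heuristic; the file paths and status strings are the kernel's. */
#include <stdio.h>
#include <string.h>

#define SMT_CONTROL_PATH "/sys/devices/system/cpu/smt/control"
#define SPECTRE_V2_PATH  "/sys/devices/system/cpu/vulnerabilities/spectre_v2"

enum smt_risk { RISK_UNKNOWN = -1, RISK_OK = 0, RISK_EXPOSED = 1 };

/* Read the first line of a sysfs file into buf without the newline.
 * Returns 0 on success, -1 if the file is missing or unreadable. */
int read_sysfs_line(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    if (fgets(buf, (int)len, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* smt_control is one of "on", "off", "forceoff", "notsupported",
 * "notimplemented"; spectre_v2 is the kernel's status line, e.g.
 * "Mitigation: Retpolines, IBPB: conditional, STIBP: disabled, RSB filling". */
enum smt_risk classify(const char *smt_control, const char *spectre_v2)
{
    if (smt_control == NULL || spectre_v2 == NULL)
        return RISK_UNKNOWN;
    /* The kernel says it has no effective mitigation at all. */
    if (strncmp(spectre_v2, "Vulnerable", 10) == 0)
        return RISK_EXPOSED;
    /* Without a sibling thread there is nothing to attack from. */
    if (strcmp(smt_control, "on") != 0)
        return RISK_OK;
    /* SMT is on: the cross-thread case needs STIBP (with eIBRS the kernel
     * omits the STIBP field, so that case is not flagged). */
    if (strstr(spectre_v2, "STIBP: disabled") != NULL)
        return RISK_EXPOSED;
    return RISK_OK;
}

const char *risk_name(enum smt_risk r)
{
    switch (r) {
    case RISK_OK:      return "ok";
    case RISK_EXPOSED: return "exposed";
    default:           return "unknown";
    }
}

int main(void)
{
    char smt[64], v2[256];
    const char *s = read_sysfs_line(SMT_CONTROL_PATH, smt, sizeof smt) == 0 ? smt : NULL;
    const char *v = read_sysfs_line(SPECTRE_V2_PATH, v2, sizeof v2) == 0 ? v2 : NULL;

    printf("smt/control: %s\n", s ? s : "unavailable");
    printf("spectre_v2:  %s\n", v ? v : "unavailable");
    printf("verdict:     %s\n", risk_name(classify(s, v)));
    return 0;
}
```

Switching SMT off (the nosmt kernel parameter, or writing off to the smt/control file) moves the verdict from exposed to ok. This is a host-level summary only: it reads the machine-wide status files and says nothing about per-process speculation settings.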

The vendor has addressed the issue (CVE-2023-20858). Are you interested in digging a little more? (23rd Feb 2023)

Preface: Fundamentally, a so-called software application system is an integration of the operating system, the web server, the database and the application program. If the application's design depends on the application framework bundled with the web server, a weakness there does not affect a single component alone.

Background: VMware Carbon Black Cloud Endpoint™ Standard is a next-generation antivirus (NGAV) and endpoint detection and response (EDR) solution that protects against the full spectrum of modern cyberattacks. Furthermore, VMware Carbon Black® App Control™ is used to lock down servers and critical systems, prevent unwanted changes, and ensure continuous compliance with regulatory mandates. The VMware Carbon Black App Control platform has software requirements for the App Control Server, the SQL Server database that stores App Control data, and the App Control Agent.

Vulnerability details: VMware Carbon Black App Control contains an injection vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.1.
Impact: A vulnerability, which was classified as critical, has been found in VMware Carbon Black App Control up to 8.7.7/8.8.5/8.9.3.

One possible way of encountering the CVE-2023-20858 vulnerability (observation): VMware Carbon Black App Control 8.8 works with Microsoft .NET Framework 4.8.
A zero-day vulnerability was disclosed by Microsoft this month, on February 14, 2023 (CVE-2023-21808); that design weakness leads to RCE (remote code execution). This design weakness could possibly trigger a similar Carbon Black App Control vulnerability (CVE-2023-20858).

Official announcement: For details of the vulnerability in the Carbon Black product published by VMware, please refer to the official article – https://www.vmware.com/security/advisories/VMSA-2023-0004.html

All aspects of Spectre-BHB from vulnerability to mitigation (21st Feb 2023)

Preface: Several companies are currently using Arm processors to create artificial intelligence-powered software to help make driving safer. Some experts believe that artificial intelligence will affect human life. Yes, it is real. The late Stephen Hawking speculated about this potential impact, but it looks like part of the process of human civilisation. Mankind moved into an automated life when the smartphone and the GUI were born, and it is not possible to jump back. Perhaps this is destiny. On the other hand, computer vulnerabilities are an effective way to act against out-of-control AI. Perhaps it is an effective solution.

Background: Branch predictor hardware typically uses a form of cache to hold branch information. When vendors released announcements of this design weakness a few years ago, a common misunderstanding was that it appeared in a single brand only. The truth is probably not: whenever a CPU designer intends to improve the CPU's response time, branch prediction will be used. The Arm architecture permits this branch predictor hardware to be visible to the functional behaviour of software, so the branch predictor is not architecturally invisible.

The possible attack mechanism of Spectre-BHB: branch target injection within the same software context (unlike Spectre v2, which injects branch targets across different exception levels). An attacker who can poison branch history from user space can force the kernel to mispredict branch targets. When the victim executes a supposedly safe branch that is mis-predicted, control flow is redirected to a gadget with attacker-controlled registers, and that is what triggers the vulnerability. For information on this attack mechanism and the mitigation concept, please refer to the attached diagram.

Development in 2023: Arm announced a new generation of Armv9 CPUs, namely the Cortex-X3 and the Cortex-A715. These Armv9 CPUs use speculative memory accesses in the L1 instruction cache. The L1 instruction memory system provides an instruction stream to the decoder; to increase overall performance and reduce power consumption, it uses dynamic branch prediction and instruction caching.
Is there any design weakness similar to branch prediction in this new design? Let's keep our eyes open. Stay tuned!

CVE-2022-27672 – Addresses Cross-Thread Return Address Predictions design weakness (20th Feb 2023)

Preface: Two different methods and names, but similar in function.
AMD CPUs with four cores use simultaneous multithreading to provide eight threads, and most Intel CPUs with two cores use Hyper-Threading to provide four threads.

Background: In an IBM S390 system configuration, use the smt= and nosmt kernel parameters to control multithreading.
By default, Linux in LPAR mode uses multithreading if it is provided by the hardware.
In Linux terminology, simultaneous multithreading is also known as SMT or Hyper-Threading. With multithreading enabled, a single core on the hardware is mapped to multiple logical CPUs on Linux. Thus, multiple threads can issue instructions to a core simultaneously during each cycle.

Vulnerability details: When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure.

Remark: AMD internally discovered a potential vulnerability where certain AMD processors may speculatively execute instructions at an incorrect return site after an SMT mode switch that may potentially lead to information disclosure. AMD believes that due to existing mitigations applied to address other speculation-based issues, theoretical avenues for potential exploit of CVE-2022-27672 may be limited only to select virtualization environments where a virtual machine is given special privileges. As of this notice, AMD is not aware of any actual real-world exploits based on this behavior.

Official announcement: For details, please refer to the link – https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1045

CVE-2023-23514: An app may be able to execute arbitrary code with kernel privileges (19th Feb 2023)

Preface: iOS 16 is the sixteenth and current major release of the iOS mobile operating system developed by Apple for its iPhone line of products. It was announced at the company’s Worldwide Developers Conference (WWDC) on June 6, 2022, as the successor to iOS 15.

Background: Use-after-free is still a common bug class because manually identifying such bugs, especially in large and complex codebases, is a challenge. If a program does not clear the pointer after freeing a memory allocation, a use-after-free vulnerability can arise.
An attacker can use a UAF to pass arbitrary code, or a reference to it, to a program and then redirect execution to the beginning of that code through the dangling pointer.
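Both this entry and the CVE-2023-26605 entry above describe the same root cause: memory is freed but the pointer to it is not cleared. The following is an added example, not code from U-Boot, the Linux kernel or Apple, showing that vulnerable shape beside the defensive habit of clearing the pointer at the point of release; session_t and all function names are illustrative.

```c
/* Added example, not code from U-Boot, the Linux kernel or Apple: the
 * use-after-free shape both entries describe, beside the defensive habit
 * of clearing the pointer at the point of release. session_t and the
 * function names are illustrative. */
#include <stdlib.h>
#include <string.h>

typedef struct session {
    char name[32];
    int (*on_event)(struct session *);   /* function pointer: what a UAF typically corrupts */
} session_t;

static int default_handler(session_t *s)
{
    return (int)strlen(s->name);
}

session_t *session_new(const char *name)
{
    session_t *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    strncpy(s->name, name, sizeof s->name - 1);
    s->on_event = default_handler;
    return s;
}

/* VULNERABLE SHAPE: the object is freed but the caller still holds the
 * address. Any later s->on_event(s) through that pointer is a use-after-
 * free: the allocator may already have reused the block, so on_event now
 * holds whatever the new owner wrote there. Kept only for contrast; the
 * walk-through below never dereferences a pointer after this call. */
void session_free_dangling(session_t *s)
{
    free(s);
}

/* HARDENED SHAPE: take the address of the caller's pointer, free the
 * object, then clear the pointer so later code sees NULL instead of a
 * stale address. */
void session_release(session_t **sp)
{
    if (sp == NULL || *sp == NULL)
        return;
    free(*sp);
    *sp = NULL;
}

/* Dispatch checks the pointer instead of blindly chasing it.
 * Returns the handler result, or -1 for a NULL or released session. */
int session_dispatch(session_t *s)
{
    if (s == NULL || s->on_event == NULL)
        return -1;
    return s->on_event(s);
}

/* Walk-through: returns 0 when release behaves as intended. */
int demo_safe_release(void)
{
    session_t *s = session_new("alice");
    if (s == NULL)
        return -2;
    if (session_dispatch(s) != 5)      /* handler runs while the object is live */
        return -3;
    session_release(&s);
    if (s != NULL)                     /* the caller's pointer was cleared */
        return -4;
    if (session_dispatch(s) != -1)     /* stale use is refused, not undefined */
        return -5;
    session_release(&s);               /* a second release is a harmless no-op */
    return s == NULL ? 0 : -6;
}
```

Clearing the pointer only closes the path through that one variable; copies of the address held elsewhere (another struct, a list node, a callback registration) still dangle, which is why the fix in the kernel entry above is about list-entry bookkeeping rather than a single free call.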

Vulnerability details: An app may be able to execute arbitrary code with kernel privileges. A use after free issue was addressed with improved memory management.

Official announcement: For customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
For details, see the link – https://support.apple.com/en-us/HT213635

SAP GUI chronicle – even if you are using the NWBC client, can you ignore web browser vulnerabilities? (17th Feb 2023)

Preface: It was the periodically recurring SAP Security Note #2622660, which patches the latest Chromium vulnerabilities for SAP Business Client.

Background: What is the difference between SAP NWBC and SAP GUI?
Web Dynpro is the SAP NetWeaver programming model for user interfaces (UIs).
– Using SAP GUI, when you execute a WD (Web Dynpro) application, it opens in a browser.

– The SAP NetWeaver Business Client enables direct connectivity to the ABAP back-end system and the PFCG role repository, which centrally holds SAP GUI, Web Dynpro and various web content applications. NWBC provides role-based access to these applications.

Remark: SAP GUI is a prerequisite of the NWBC client; you will still require SAP GUI to be installed on the desktop.

Update – Security updates for the browser control Google Chromium delivered with SAP Business Client (2622660): This security note addresses multiple vulnerabilities in the 3rd-party web browser control Chromium, which can be used within SAP Business Client. This note will be modified periodically based on web browser updates by the open-source project Chromium. The note priority is based on the highest CVSS score of all the vulnerabilities fixed in the latest browser release. If the SAP Business Client release is not updated to the latest patch level, displaying web pages in SAP Business Client via this open-source browser control might lead to different vulnerabilities like memory corruption, information disclosure and the like. The solution is to update SAP Business Client to the newest patch, which contains the most current stable major release of the Chromium browser control that passed the SAP internal quality measurements for SAP Business Client. CVSS v3 Base Score: 10 / 10 (multiple CVEs).

Technical articles: SAP Security Patch Day (February 2023). For details, please refer to the URL – https://blogs.sap.com/2023/02/14/sap-security-patch-day-february/

CVE-2023-20927 – About Android “AndroidManifest[.]xml” (15th Feb 2023)

Preface: When an Android application needs to access sensitive resources on the device, a design weakness in how that access is granted can lead to a vulnerability.

Background: Usually, if we want to add some user permissions, we declare them in the AndroidManifest[.]xml file.

The Android system grants these permissions at installation time, but with one condition: the app that is asking for the permission must be signed with the same signature as the app that defines the required permission.

The following are some of the signature permissions:
1. BIND_ACCESSIBILITY_SERVICE
2. BIND_AUTOFILL_SERVICE
3. BIND_CARRIER_SERVICE
4. BIND_DEVICE_ADMIN
5. BIND_INPUT_METHOD
6. BIND_NFC_SERVICE
7. BIND_TV_INPUT
8. BIND_WALLPAPER
9. READ_VOICEMAIL
10. WRITE_SETTINGS
11. WRITE_VOICEMAIL

Vulnerability details: In permissions of AndroidManifest[.]xml, there is a possible way to grant signature permissions due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Official announcement: For details, see the link – https://nvd.nist.gov/vuln/detail/CVE-2023-20927

CVE-2023-21808 – Patched MS zero-day vulnerability (14th Feb 2023)

Preface: .NET is a free, cross-platform, open source developer platform for building many different types of applications. With .NET, you can use multiple languages, editors, and libraries to build web, mobile, desktop, games, IoT, and more.

Background: The demand for .NET will continue to increase as long as new and better technologies are developed.
.NET 6 is an LTS (Long Term Support) release and will be supported with bug and security fixes for 3 years. .NET 7, however, is an STS (Short Term Support) release and will only be supported for 18 months (6 months beyond the release of .NET 8).
.NET 8 is scheduled to ship during the .NET Conf 2023 event, around Nov. 10.

Internet Information Services (IIS) is the flexible, general-purpose web server provided by Microsoft that runs on Windows.
IIS can be used to host, deploy, and manage web applications using technologies such as ASP.NET and PHP.
A PDB file is created when you compile a C/C++ program with /ZI or /Zi, or a Visual Basic, Visual C#, or JScript program with the /debug option.
You need to configure your build machine to publish your .pdb files into a known directory which is later used in your IIS configuration.
However, when an exception occurs on a website deployed with .PDB files and you have not set the customErrors property in web.config, the stack trace will be displayed with file names and line numbers.

Vulnerability details: A vulnerability exists in how .NET reads debugging symbols, where reading a malicious symbols file may result in remote code execution.

Solution: For details, see the link – https://devblogs.microsoft.com/dotnet/february-2023-updates/