CVE-2023-20947 : About Permission Controller APK (30th March 2023)

Preface: The Android operating system is mainly based on Linux, and its kernel is written in C language. Some modifications may have been done using the C++ language.

Background:
Get Group State – Different software uses different way (see below):

  • only need to input the queried union information unionID
  • need unionID and zoneID; query information about the state of the union binding the group Return information and result:

static void GetGroupState (String unionID, String zoneID = “”, String extraJson = “”) ;

Vulnerability details: In getGroupState of GrantPermissionsViewModel.kt, there is a possible way to keep a one-time permission granted due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

If a permission is split, all permissions the original permission is split into are affected.
For <= N_MR1 apps all permissions of the groups of the requested permissions are affected

Affected Products: AndroidVersions: Android-12 Android-12L Android-13Android

Official announcement: For details, see the link – https://nvd.nist.gov/vuln/detail/CVE-2023-20947

CVE-2022-42827 – A type confusion issue was addressed with improved checks (29th Mar 2023).

Preface: WebKitGTK is a full-featured port of the WebKit rendering engine, suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers.

Background: There is no Webkit. framework in Cocoa Touch. The webkit framework is only available on OS X. For iOS, just use UIWebview.
The Core OS Layer is the last layer of the iOS stack and sits directly on top of the device hardware. This layer provides a variety of services including low level networking, access to external accessories and the usual fundamental operating system services such as memory management, file system handling and threads.

Vulnerability details: A type confusion issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.2.1, iOS 16.3.1 and iPadOS 16.3.1, Safari 16.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..

My observation: Since the vulnerability not described in details! My speculation, does vendor found attacker exploit below design weakness (see belwo):
%rbx is a callee save register , we know that some callee of JITCode::execute() must have modified %rbx and failed to restore it before returning. JSC does have code to save and restore callee save registers in LLInt interpreter and Just-In-Time (JIT) compiler generated code.
Perhaps the vulnerability enhancement is going to correctly caller-save return address register.

Official announcement: For details, please refer to the link https://nvd.nist.gov/vuln/detail/CVE-2023-23529

Redhat provide a quick way to do the mitigation for CVE-2023-1281 (28th Mar 2023)

Preface: Use-After-Free (UAF) is a vulnerability related to incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program.

Background: Background: tcindex, traffic control index filter. This filter allows to match packets based on their tcindex field value, i.e. the combination of the DSCP and ECN fields as present in IPv4 and IPv6 headers.
SYNOPSIS:
tc filter … tcindex [ hash SIZE ] [ mask MASK ] [ shift SHIFT ] [ pas_on | fall_through ] [ classid CLASSID] [ action ACTION_SPEC ]

Vulnerability details: A use-after-free vulnerability was found in the traffic control index filter (tcindex) in the Linux kernel. The imperfect hash area can be updated while packets are traversing. This issue could allow a local attacker to cause a use-after-free problem, leading to privilege escalation.

Solution: How do I blacklist a kernel module to prevent it from loading automatically?
https://access.redhat.com/solutions/41278

CVE-2023-0767: nss – Arbitrary memory write via PKCS 12 (27th Mar 2023)

Preface: During the learning process of artificial intelligence, he was always disrupted by vulnerabilities. Artificial intelligence said, to become an artificial intelligence, I will use my wisdom to create a perfect OS system.

Background: Large scale of artificial intelligence structure especially machine learning may have a enterprise Linux system installed. The key component is shown as below:
Apache Kafka is an open source distributed streaming system for stream processing, real-time data pipelines, and large-scale data integration.
Kafka with more than one broker is called Kafka Cluster. It can be expanded and used without downtime. Apache Kafka Clusters are used to manage the persistence and replication of messages of data, so if the primary cluster goes down, other Kafka Clusters can be used to deliver the same service without any delay.
However if there is vulnerability occurs on Linux system. It will cause unforseen problem on the infrastructure.

Vulnerability details: CVE-2023-0767 – An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled.
Firefox and Thunderbird in Red Hat Enterprise Linux 8.6 and later are not affected by this vulnerability, as they use the system NSS library. Firefox and Thunderbird in earlier Red Hat Enterprise Linux 8 extended life streams were affected, and should be updated to fixed versions as they become available.
Remark: To better support the PKCS12 format add one or several command line options to the pkcs12 tool to allow adding arbitrary attributes to bags.

Official announcement: For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the link – https://access.redhat.com/security/cve/CVE-2023-0767

Closer look CVE-2022-42331: x86 speculative vulnerability in 32bit SYSCALL path (26th Mar 2023)

Preface: Meltdown is a vulnerability allowing a process to read all memory in a given system.

Background: The Xen Project is a free and open source type-1 or bare-metal hypervisor that enables a computer to run multiple operating systems simultaneously on the same hardware. A Type 1 hypervisor runs directly on the underlying computer’s physical hardware, interacting directly with its CPU, memory, and physical storage. For this reason, Type 1 hypervisors are also referred to as bare-metal hypervisors. A Type 1 hypervisor takes the place of the host operating system.
The pros of type-1 hypervisors lie in performance and security. It offerrs high performance because the hypervisor has direct access to the hardware. Security is also more reliable on type-1 than type-2, because there is no interface between the hypervisor and CPU.

Vulnerability details: Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late.
In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks.

Impact: An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests.

Affected system: Xen versions 4.5 through 4.17 are vulnerable. Older versions are not vulnerable.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2022-42331

Your first quantum programming (24th Mar 2023)

Preface: How much does a 1 qubit quantum computer cost? Commercial quantum computers like D-Wave One with 50 qubits – $10,000,000. D-Wave systems use a process called quantum annealing to search for solutions to a problem.

Background: The Microsoft Quantum Development Kit offers durable quantum application development on hardware-accelerated compute resources. Program your quantum algorithms and formulate optimization solutions to cope with your AI development. Perhaps this is a prelude before the development of a scalable quantum computer in the future. Quantum computers have great potential to process the large datasets often used in AI experiments. By using quantum computing techniques to analyze data sets faster and more accurately than ever before, AI researchers have been able to make significant advances in fields such as machine learning.
Because quantum computers are fundamentally different from classical computers, conventional techniques used to communicate electronic information do not directly translate to quantum devices.

Suggestion:
Learn quantum programming (Q# programming language) with Microsoft QUANTUM Development KIT. It can use simulation. API for quantum computing simulation using the .NET ecosystem and Python.

Quantum Development Kit (SDK) contains below basic components

  • The Q# programming language (pronounced like Q-Sharp)
    Remark: The Q# development tools are based on the Microsoft.NET ecosystem. Therefore, need to install the correct version of the .NET Software Development Kit (so called .NET SDK)
  • API for quantum computing simulation using the .NET ecosystem and.or Python
  • Tools to help you develop and simulate your quantum programs using commas-line tools, Visual Studio Code, or Microsoft Visual Studio

Please refer to this link for details- https://azure.microsoft.com/en-us/resources/development-kit/quantum-computing/#overview

Linux kernel BUG: About hugetlb[.]c in mm folder (22nd Mar 2023)

Preface: Enabling HugePages makes it possible for the operating system to support memory pages greater than the default (usually 4 KB). Using very large page sizes can improve system performance by reducing the amount of system resources required to access page table entries.

Background: For Red Hat Enterprise Linux systems, it is recommend configure HugeTLB pages to guarantee that JBoss EAP processes will have access to large pages.
Reminder: Activating large pages for JBoss EAP JVMs results in pages that are locked in memory and cannot be swapped to disk like regular memory.

Ref: Hugetlb boot command line parameter semantics hugepagesz. Specify a huge page size. Used in conjunction with hugepages parameter to preallocate a number of huge pages of the specified size. Hence, hugepagesz and hugepages are typically specified in pairs such as: hugepagesz=2M hugepages=512.

Design weakness: The special hugetlb routine called at fork took care of structure updates at fork time. However, vma_splitting is not properly handled for ipc shared memory mappings backed by hugetlb pages. This can result in a “kernel NULL pointer dereference” BUG or use after free as two vmas point to the same lock structure.

Solution: Update the shm open and close routines to always call the underlying open and close routines.
For Redhat Linux, do the kernel update from 6.1.18-100.fc36 to 6.2.7-1000.fc36.

Technical reference: A subroutine IOBUFSET is provided to craved up an arbitrarily sized storage area into perforated buffer blocks with space for 132 data bytes. The beginning and ending addresses of the buffer storage area are specified to IOBUFSET in age A- and B-registers, respectively.

Sometimes, cyber security incidents are caused by Java script. What type of Java script is claimed to be dangerous? (22nd Mar 2023)

Preface: Vanilla JS is faster than other frameworks. It provides better response than all other front-end frameworks. In additional, it renders UI up to 30 times faster than React JS. In Vanilla, handling UI state is simple.React is a free and open source front-end JavaScript tool library for building user interfaces based on UI components. It is maintained by Meta and a community of individual developers and companies. React can be used as the basis for developing single-page, mobile or server-side rendering applications with frameworks like Next[.]js.

Background: Since client-side JavaScript is a necessity for any business building dynamic web pages or websites that use single-page application (SPA) architecture.
About twelve years ago, the modern web frontend development has advanced a lot. In order to exploit the features of Model-View-Controller (MVC) architecture. So it need to consider the frontend as a separate entity which talks to the backend only using the REST API (most preferably, REST JSON).
Below details describe the flow of SPA (single-page application).

  • Request the HTML template/s to the browser in one single go.
  • Then, query the JSON REST API to fill a model (data object).
  • Adjust the UI according to the data in the model (JSON).
  • When users modify the UI, the model (data object) should change automatically. For example, in AngularJS, it is possible with two-way data binding. Finally, make REST API calls to notify the server about changes whenever you want.

Suggestion: Refer to picture, Example A and B has the own advantage. Perhaps developers will be overlook cyber security awareness. Make it simple use Vanilla JS. However it contains a potential risk when used. It’s because the JavaScript code is viewable on the client-side. Thus, the most significant disadvantage of a Vanilla script is client-side security.
Remark: The design objective of vanilla script is used to refer to the pure JavaScript without any type of additional library.

CVE-2023-28425 : About Redis (20th Mar 2023)

Preface: The word Database, inspire you thinking a large volume of database. For example, a structured set of data held in a computer, especially one that is accessible in various ways. Do a transformation of design, bring the data which going to use to a specify memory. Compare to disk access storage, direct access to memory will be more faster. This is one of the modern strategy in big data analytic design solution.

Background: Running in-memory means requests for data do not require a trip to disk.

  • What memory does Redis use? An empty instance uses ~ 3MB of memory. 1 Million small Keys -> String Value pairs use ~ 85MB of memory. 1 Million Keys -> Hash value, representing an object with 5 fields, use ~ 160 MB of memory.
    In Ubuntu and other Linux distributions, the Redis database directory is /var/lib/redis .

Vulnerability details: The vulnerability exists due to a reachable assertion when handling the MSETNX command. A remote attacker can send a specially crafted MSETNX command and perform a denial of service (DoS) attack.
Starting in version 7.0.8 and prior to version 7.0.10, authenticated users can use the MSETNX command to trigger a runtime assertion and termination of the Redis server process.

Solution: The problem is fixed in Redis version 7.0.10.

Official details: Please refer to NATIONAL VULNERABILITY DATABASE – https://nvd.nist.gov/vuln/detail/CVE-2023-28425

CVE-2023-0361 – About RSA ClientKeyExchange messages in GnuTLS (19th Mar 2023)

Preface: As a computer end user. When there is a vulnerability, the only way is to patch it according to the official announcement.
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language API to access the secure communications protocols.
Remark: If OpenSSL is selected over GnuTLS, neither libnettle nor libgcrypt will be used.

Background: GnuTLS is a free software implementation of the TLS, SSL and DTLS protocols. It offers an application programming interface for applications to enable secure communication over the network transport layer, as well as interfaces to access X.509, PKCS #12, OpenPGP and other structures.

Vulnerability details: A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.

SUSE – Recommended update for gnutls: This update for gnutls fixes the following issues:

FIPS: Establish PBKDF2 additional requirements [bsc #1209001]

  • Set the minimum output key length to 112 bits (FIPS 140-3 IG D.N)
  • Set the minimum salt length to 128 bits (SP 800-132 sec. 5.1)
  • Set the minimum iterations count to 1000 (SP 800-132 sec 5.2)
  • Set the minimum passlen of 20 characters (SP SP800-132 sec 5)
  • Add regression tests for the new PBKDF2 requirements.

Official announcement: please refer to National vulnerability database – https://nvd.nist.gov/vuln/detail/CVE-2023-0361