About CVE-2023-22881 and CVE-2023-22882 : malicious UDP receive by client cause a denial of service (16th Mar 2023).

Preface: Make sure to use the STUN message format specified in standard, to perform the MESSAGE-INTEGRITY computation. This protocol uses Simple Traversal of UDP through NAT (STUN) binding request and response messages for connectivity checks between the two endpoints.

Background: Most attackers utilize UDP to launch amplification attacks since reflection of traffic with spoofed IP source address is possible due to the lack of proper handshake. While UDP makes it easy to launch reflected amplification attacks.
Since the STUN mechanism is that if request is valid, the endpoint MUST send a Simple Traversal of UDP through NAT (STUN) binding response message.
UDP a low-level network protocol which does not set up a connection verifying the return address of the sender, it was possible to spoof the return address of the requests to that of the victim.

Vulnerability details: Zoom clients before version 5.13.5 contain a STUN parsing vulnerability. A malicious actor could send specially crafted UDP traffic to a victim Zoom client to remotely cause the client to crash, causing a denial of service.

Official details: Please refer to the URL link – https://explore.zoom.us/en/trust/security/security-bulletin/

Staying alert of opensips vulnerabilities (16th Mar 2023)

Preface: SIP protocol take the stage of traditional telephony system. We cannot lack of this protocol today.

Background: The Session Initiation Protocol is a signaling protocol that enables the Voice Over Internet Protocol (VoIP) by defining the messages sent between endpoints and managing the actual elements of a call. SIP supports voice calls, video conferencing, instant messaging, and media distribution.
OpenSIPS is used by telecom operators, enterprises and network operators. OpenSIPS is essentially a SIP proxy server. Relevant only to signaling, OpenSIPS is a multipurpose, multifunctional SIP server that can be used as: A switch. router.

Found vulnerabilities on openSIPS, offical developer conduct demon found the symptoms. However, I observed that the msg_parser[.]c has it own design weakness. When it run in switch mode, pkg_malloc may provide way to the attacker do the exploitation.
Whether the attacker can exploit SIP Header Manipulation . SIP Header Manipulation allows you to automatically modify the user fields in a SIP INVITE.
For reference (below) and refer to attached picture.
if header-field well-known, parse it, find its end otherwise ;
– after leaving the hdr->type switch, tmp should be set to the next header field

Vulnerability details:
CVE-2023-28096 – A memory leak was detected in the function parse_mi_request while performing coverage-guided fuzzing. moderate severity 4.5
CVE-2023-27596 – OpenSIPS crashes when a malformed SDP body is sent multiple times to an OpenSIPS configuration that makes use of the stream_process function.
This issue was discovered during coverage guided fuzzing of the function codec_delete_except_re.
CVE-2023-28097 – A malformed SIP message containing a large Content-Length value and a specially crafted Request-URI causes a segmentation fault in OpenSIPS.
CVE-2023-27597 – When a specially crafted SIP message is processed by the function rewrite_ruri, a crash occurs due to a segmentation fault.
CVE-2023-27598 – Sending a malformed Via header to OpenSIPS triggers a segmentation fault when the function calc_tag_suffix is called. A specially crafted Via header which is deemed correct by the parser, will pass uninitialized strings to the function MD5StringArray which leads to the crash.
Please refer to this link for details – https://github.com/OpenSIPS/opensips/security/advisories?state=published

Have you upgraded your Linux kernel? (15th Mar 2023)

Preface: Blue screen of death (BSOD) is error display on Windows commonly. In Linux, it is unlikely and uncommon, but is it possible?

Background: As the only copyright holder to the GPL-covered components of the software, you are free to add exceptions and additional terms to the GPLv3, as described in section 7 of that license. In fact, the LGPLv3 is just such a GPLv3 section 7 additional permission, allowing the component to be linked to proprietary code. But it is not recommended. Because it is extreme tricky.

The kernel marks itself as “tainted” when some event occurs that may be relevant when investigating the problem. Found that Kernel 6.1.16 was apparently subject to “oops”. What is “oops”? See below:
The tainted status is printed when a kernel internal problem (“kernel bug”), recoverable error (“kernel oops”), or unrecoverable error (“kernel panic”) occurs, and debug information about this is written to the log dmesg output. The tainted status can also be checked at runtime via files in /proc/.

Solution: Maybe it has nothing to do with serious cyberattacks. But it is recommended to upgrade the kernel . 6.2.5 and 6.1.18 has been updated

ndctl: release v76.1, have you update yet? (14th Mar 2023)

Preface: Preface: Advantages of NVDIMMs in servers. NVDIMMs provide high-speed DRAM performance coupled with flash-backed persistent storage. Aside from providing an additional memory tier in servers, NVDIMM persistence allows applications to continue processing I/O traffic during planned or unexpected system failures.

Background: Persistent Memory (PM) is a type of Non-Volatile Memory (NVM). The ndctl utility is used to manage the libnvdimm (non-volatile memory device) sub-system in the Linux Kernel. It is required for several Persistent Memory Developer Kit (PMDK) features if compiling from source. If ndctl is not available, the PMDK may not build all components and features.
Utility library for managing the libnvdimm (non-volatile memory device) sub-system in the Linux kernel
If you going to Writing Applications for Persistent Memory. Below details is the Programming Model Modes:

Block and File modes use IO

  • Data is read or written using RAM buffers
  • Software controls how to wait (context switch or poll)
  • Status is explicitly checked by software

Volume and PM modes enable Load/Store

  • Data is loaded into or stored from processor registers
  • Processor makes software wait for data during instruction
  • No status checking – errors generate exceptions

Recommendation: Suggest upgrade to ndctl: release v76.1
Version 76.1 Fixed the following:
cxl/event-trace: use the wrapped util_json_new_u64()
cxl/monitor: fix include paths for tracefs and traceevent
cxl/monitor: Make libtracefs dependency optional

Ccache technical matter , whether it will bring your attention? (13th Mar 2023)

Preface: Multiphysics Object-Oriented Simulation Environment (MOOSE) – An open-source, parallel finite element framework.

  • Free and open source (LGPL license).
  • Large user community
  • Easy to use and customize
  • Takes advantage of high performance computing

Background: ccache is a compiler cache that speeds up recompilation by caching previous compilations and detecting when the same compilation is being done again. ccache can deliver significant speedups when developing MOOSE-based applications, or working on the framework itself.
Multiphysics Object Oriented Simulation Environment (MOOSE) is an open-source framework to facilitate solving complex real-world engineering problems.

Major components of a mesh based numerical solution technique:
1 Read the mesh from file
2 Initialize data structures
3 Construct a discrete representation of the governing equations

Security Focus: In order to use ccache with MOOSE-based applications, it will be necessary to first build libMesh using ccache. Ccache prior to 4.7.4 suffered from a design weakness of inode cache race conditions.

Solution: Upgrade to 4.7.4.

About CVE-2022-46394 – know a little bit about it (9th Mar 2023)

Preface: The Android Neural Networks API (NNAPI) is an Android C API designed for running computationally intensive operations for machine learning on Android devices. NNAPI is designed to provide a base layer of functionality for higher-level machine learning frameworks, such as TensorFlow Lite and Caffe2, that build and train neural networks. The API is available on all Android devices running Android 8.1 (API level 27) or higher.

Background: The Android and Linux version of the Mali GPUs Device Driver provide low-level access to the Mali GPUs that are part of the Valhall family. What is Mali driver? This driver enables support for Mali Bifrost and Midgard GPUs in Android NNAPI. The files are provided under an MIT software license.
The Android Neural Networks API (NNAPI) is an Android C API designed for performing computationally intensive tasks on Android devices for machine learning. Pickle is a useful Python tool that allows you to save your ML models, to minimize lengthy re-training and allows you to share, commit, and re-load pre-trained machine learning models.
Furthermore, Midgard architecture Mali GPUs are typically used in a mobile or embedded environment to accelerate 2D graphics, 3D graphics, and computations.

Vulnerability details: CVE-2022-46394 – An issue was discovered in the Arm Mali GPU Kernel Driver. A non-privileged user can make improper GPU processing operations to gain access to already freed memory. The vulnerability is identified as CVE-2022-46394 and requires local access to exploit. Please refer to the url for details – https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities
Observation:A shared pointer makes it almost impossible to track the owner of objects. If this is the way, it give a way for attacker gain access to already freed memory.

Impact:This affects Valhall r39p0 through r41p0 before r42p0, and Avalon r41p0 before r42p0.

CVE-2022-4904 : Does C-ares weakness impact chrome. Perhaps it has fixed. (8th Mar 2023)

Preface: Google Chrome employ a feature, Async DNS. The objective is avoid traditional way using public DNS function. When google (Chrome) running, all the resolving domain name activities will be point to google DNS server.In Security point of view, it is good. At least it reduced unknown trap intend to hunting victim. It benefits to chrome reduce attack by threata actors detect the vulnerabilities. This is true, statistic shown that cyber attack require compromised or black list domain server.
It can be enabled or disabled (see below):
Open “chrome://flags/#enable-async-dns” Change option to “Disabled” Click “Relaunch Now” at the bottom of the page. After relaunch open “chrome://net-internals/#dns”

Background:For some asynchronous DNS requests, Node.js uses a C library called c-ares. It is exposed through the DNS module in JavaScript as the resolve() family of functions. The lookup() function, which is what the rest of core uses, makes use of threaded getaddrinfo(3) calls in libuv.
c-ares is a C library for asynchronous DNS requests (including name resolves)

Vulnerability details: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.

Official details: Please refer to the url for details – https://www.tenable.com/cve/CVE-2022-4904

Additional: It is a stack overflow, however the risk level (whether it is severity), it depends on the design structure of product when it use. Therefore it is better to follow the recommendation by the product which involves this vulnerability.

About CVE-2023-23916 – Don’t take vulnerabilities lightly (8th Mar 2023)

HTTP/1.1 – The current resource must finish downloading before making another request; each has a delay of one round-trip-time (RTT).
HTTP/2 solves the HOL Blocking problem with multiplexing that uses streams which can be prioritized.

Background: Curl attempts to provide a unified model through which applications belonging to different platforms and languages can communicate. The simple content layout uses HTML tags, the scripting features of JavaScript and the object oriented features of C, C++ and Java, which are merged in a common framework defined by Curl.
Case Study: Assumptions
Whether your programming development will involve curl.
One situation occurs when an application server communicates with other peers. Adjacent peer web servers are vulnerable to CSRF. An attacker impersonates a malicious site to exploit the curl vulnerability. Exploit the CSRF weakness on adjacent web server and then redirects the connection to the malicious site. Finally, it causes a denial of service on web servers where curl is installed. Just like the vulnerability description, similar to malloc bombs.

Vulnerability details: An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the “chained” HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable “links” in this “decompression chain” was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a “malloc bomb”, making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

Official announcement: Please refer to the url for details – https://nvd.nist.gov/vuln/detail/CVE-2023-23916

Whatever it was, no details were officially provided. Are you talking about this feature? (7th Mar 2023 GMT+9)

Preface: In Android 11, its automatically resetting permissions for apps you haven’t used for an extended period of time.
In Android 13, app makers can go above and beyond in removing permissions even more proactively on behalf of their users.
How do I stop Android from removing app permissions? Go into your system settings, go to app settings, find the app, go to permissions. There should be a toggle option named “Remove permissions if app isn’t used”. Turn that option off.
The above function is one of the preventive controls in Android. Vulnerabilities occur because outdated applications may have design flaws.

Background: Which component of an Android application allows users to interact with the app?
Broadcast Receivers – They handle communication between Android OS and applications.
A broadcast receiver is typically only a gateway to other components that perform minimal work.
public abstract class BroadcastReceiver
extends Object
↳ android.content.BroadcastReceiver
Apart from system-generated events, an application can also generate custom broadcast intents for which a receiver can be registered. If the developer does not enforce restrictions . For example, if the receiver receives broadcasts from untrustworthy sources, the system may be at risk.

Vulnerability details: The most severe of the CVE-2023-20951 and CVE-2023-20954 issues is a critical vulnerability in a system component that could lead to remote code execution without additional execution privileges. Development requires no user interaction. As the supplier does not provide details! Therefore, it should be patched according to the vendor instructions.

Official details: For more information on this topic, see url – https://source.android.com/docs/security/bulletin/2023-03-01

KB5019180: Urged by Microsoft on Intel former CPU vulnerability this month (2nd Mar 2023), we should staying alert. (6th Mar 2023 GMT+9)

Preface: Windows 10’s market share jumped from 68.86% in January 2023 to 73.31% in February 2023. Windows 11’s market share increased as well, but only by 1.01% to 19.13% in February 2023, said ghacks[.]net.
Remark: Windows 10 continues to be supported by Microsoft until October 2025.

Background: Some said, Intel microprocessors use direct I/O. Yes, Direct IO is talking about Data Direct I/O Technology. With Intel DDIO, Intel Ethernet Server Adapters and controllers talk directly to the processor cache without a detour via system memory. Intel DDIO makes the processor cache the primary destination and source of I/O data rather than the main memory. Traditionally, inbound PCIe transactions target the main memory, and data movement from the I/O device to the consuming core requires multiple DRAM accesses. For I/O-intensive use cases, such as software data planes, this scheme becomes inapplicable. But the design weakness is not another matter than above.
Below vulnerability is focusing to the following concept. The default thing is to have a device driver in the OS that does the actual I/O reads and writes while running with kernel privileges. User programs ask for I/O by doing system calls. The driver is trusted to check the calls for validity.
The Memory Mapped design objective. It stores program instructions and data that are used repeatedly in the operation of programs or information that the CPU is likely to need next. The computer processor can access this information more quickly from the cache than from the main memory.

Vulnerability details: Processor MMIO Stale Data Vulnerabilities are a class of memory-mapped I/O (MMIO) vulnerabilities that can expose data. When a processor core reads or writes MMIO, the transaction is normally done with uncacheable or write-combining memory types and is routed through the uncore, which is a section of logic in the CPU that is shared by physical processor cores and provides several common services. Malicious actors may use uncore buffers and mapped registers to leak information from different hardware threads within the same physical core or across cores.

Related vulnerabilities: CVE-2022-21166, CVE-2022-21127), CVE-2022-21123 & CVE-2022-21125

Official announcement: KB5019180: Security vulnerabilities exist in Memory Mapped I/O for some Intel processors for Windows 10. The related official article and advisory can be found in follow link – https://support.microsoft.com/en-us/topic/kb5019180-security-vulnerabilities-exist-in-memory-mapped-i-o-for-some-intel-processors-for-windows-10-version-20h2-21h2-and-22h2-march-2-2023-f8c174f1-ce5c-469f-9eac-21f8af66b8ea