About CVE-2023-1786: cloud-init impact on Oracle Linux 8 & 9. Fix log file permissions. (27th Apr 2023)

Preface: Open source software fosters collaboration. As such, open source software will continue to play a key role in modern software development.

Background: cloud-init is a software package that automates the initialization of cloud instances during system boot. You can configure cloud-init to perform a variety of tasks. Cloud-init is a service used for customizing Linux-based operating systems in the cloud.
Cloud-init is the service installed inside the instance, and cloud-config is the set of scripts executed as soon as the instance starts. Cloud-config is the language of the scripts that cloud-init knows how to execute. cloud-init is developed and released as free software under both the GPLv3 open source license and the Apache License version 2.0.

Vulnerability details: Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege. (CVE-2023-1786)

Official announcement: For details, please refer to the relevant link – https://linux.oracle.com/errata/ELSA-2023-12298.html

Reference: With structured logging, your logs are relational data sets, like key/value pairs, rather than just text. Structured logging has the advantage of being more easily searched and analyzed. It can also help with keeping sensitive data out of your logs.
The most common structured logging format is JSON since it is the standard message format for every message parsing between systems and within applications.
Note that a tool is required to convert Common Event Format (CEF) to JSON.
Perhaps there is another solution that can help. For example: fix log file permissions.
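The two mitigations named above, structured logging that keeps secrets out of the log and a log file that is not world-readable, shown together as an added Python example (not cloud-init's own code). The list of sensitive keys and the 0640 mode are assumptions.

```python
import json
import logging
import os

# Keys whose values never reach the log (assumed list, extend as needed).
SENSITIVE_KEYS = {"password", "passwd", "hashed_passwd", "chpasswd", "token"}


def redact(obj):
    """Return a copy of obj with the values of sensitive keys replaced."""
    if isinstance(obj, dict):
        return {k: ("<redacted>" if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


class JsonFormatter(logging.Formatter):
    """Emit one JSON object per line; structured fields are redacted first."""

    def format(self, record):
        entry = {
            "time": self.formatTime(record),
            "level": record.levelname,
            "logger": record.name,
            "msg": record.getMessage(),
        }
        fields = getattr(record, "fields", None)
        if fields:
            entry["fields"] = redact(fields)
        return json.dumps(entry, sort_keys=True)


def format_event(msg, fields):
    """Render one event to a dict without touching any file."""
    rec = logging.LogRecord("cloud-init", logging.INFO, __file__, 0, msg, None, None)
    rec.fields = fields
    return json.loads(JsonFormatter().format(rec))


def open_private_log(path, mode=0o640):
    """Open the log for append, creating it without the world-readable bit."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, mode)
    os.fchmod(fd, mode)  # also tighten a file that already existed with a looser mode
    return os.fdopen(fd, "a")


def write_private_event(path, msg, fields):
    """Append one redacted JSON line and return the log file's permission bits."""
    with open_private_log(path) as log:
        log.write(json.dumps(format_event(msg, fields)) + "\n")
    return os.stat(path).st_mode & 0o777
```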

About CVE-2023-30841 – Metal Kubed (27th Apr 2023)

Preface: If a website is hacked, cyber criminals don’t get access to your password. Instead, they just get access to the encrypted “hash” created from your password. Talking about hash algorithms, examples are MD5, SHA1, and so on.
The length of a hash is always a constant, irrespective of the length of the input. For example, if we use the MD5 algorithm and hash two strings like “Password123” and “HelloWorld1234”, the final hash will have a fixed length.
To enforce security and protect hashes from attacks, use strong passwords and salts before hashing passwords.

Background: Metal³ works as a Kubernetes application: it runs on Kubernetes and is managed through Kubernetes interfaces. Metal³ provides bare metal host provisioning integration for Kubernetes, which Platform9 uses for a truly unified operating model.

Bare Metal Operator

  • Define and manage BareMetalHost as a Custom Resource (CR) in Kubernetes
  • Handles reconciling the BareMetalHost with the Ironic API underneath

Reference:
The bmc fields contain the connection information for the BMC (Baseboard Management Controller) on the host.
The sub-fields are:
• address — The URL for communicating with the BMC controller, based on the provider being used. See below for more details.
• credentialsName — A reference to a secret containing the username and password for the BMC.
• disableCertificateVerification — A boolean to skip certificate validation when true.

Vulnerability details: Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included deploy.sh store their .htpasswd files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone having cluster-wide read access to the management cluster, or access to the management cluster’s Etcd storage.

Solution: This issue is patched in baremetal-operator PR#1241, and is included in BMO release 0.3.0 onwards. As a workaround, users may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per the instructions in baremetal-operator PR#1241.

Official details: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-30841
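An added Python example (not baremetal-operator's own code) for the audit side of the workaround: it scans the JSON that `kubectl get configmaps -A -o json` prints for ConfigMap keys holding htpasswd-style user:hash lines, and builds the Opaque Secret manifest that should replace each one. The sample ConfigMap list and the hash patterns it matches are constructed assumptions.

```python
import base64
import json
import re

# One htpasswd line is "user:hash"; the hash is bcrypt ($2a/$2b/$2y), Apache
# MD5 ($apr1$), SHA1 ({SHA}...) or 13-character crypt(3) text.
HTPASSWD_LINE = re.compile(
    r"^[^:\s]+:(\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}|\$apr1\$[^\s]+"
    r"|\{SHA\}[A-Za-z0-9+/=]+|[./A-Za-z0-9]{13})$"
)


def looks_like_htpasswd(text):
    """True when the text is non-empty and every non-blank line is user:hash."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return bool(lines) and all(HTPASSWD_LINE.match(ln) for ln in lines)


def find_htpasswd_configmaps(kubectl_json):
    """Return (namespace, name, key) for every ConfigMap key holding htpasswd data."""
    hits = []
    for item in json.loads(kubectl_json).get("items", []):
        meta = item.get("metadata", {})
        for key, value in (item.get("data") or {}).items():
            if looks_like_htpasswd(value):
                hits.append((meta.get("namespace"), meta.get("name"), key))
    return hits


def to_secret_manifest(namespace, name, key, value):
    """Build the Opaque Secret that should carry the entry instead of a ConfigMap."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {key: base64.b64encode(value.encode()).decode()},
    }


# Constructed sample standing in for `kubectl get configmaps -A -o json`.
SAMPLE_CONFIGMAPS = json.dumps({"items": [
    {"metadata": {"namespace": "baremetal-operator-system", "name": "ironic-htpasswd"},
     "data": {"htpasswd": "ironic-user:$apr1$constructedsalt$constructedhash"}},
    {"metadata": {"namespace": "default", "name": "app-config"},
     "data": {"config.yaml": "logLevel: info\n"}},
]})
```

Note that moving the value into a Secret only stops casual reads through the ConfigMap API; anyone with read access to Secrets in that namespace, or to etcd, can still see it.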

About CVE‑2023‑25512, CVE‑2023‑25513 & CVE‑2023‑25514 vulnerabilities – NVIDIA CUDA Toolkit (25th Apr 2023)

Preface: In the next generation of computing technology, perhaps this so-called next generation has already arrived. Any software or hardware design weakness will affect our daily life. It looks as though mankind does not have a choice; an intangible force pushes the world into that zone. The situation is similar to gravity on our earth.

Background: Parallel processing is a method in computing of running two or more processors (CPUs) to handle separate parts of an overall task. Breaking up different parts of a task among multiple processors helps reduce the amount of time needed to run a program. GPUs render images more quickly than a CPU because of their parallel processing architecture, which allows them to perform multiple calculations across streams of data simultaneously. The CPU is the brain of the operation, responsible for giving instructions to the rest of the system, including the GPU(s).

NVIDIA CUDA provides a simple C/C++ based interface. The CUDA compiler leverages parallelism built into the CUDA programming model as it compiles your program into code.
CUDA is a parallel computing platform and programming interface model created by Nvidia for the development of software which is used by parallel processors. It serves as an alternative to running simulations on traditional CPUs.

The CUDA Toolkit targets a class of applications whose control part runs as a process on a general purpose computing device, and which use one or more NVIDIA GPUs as coprocessors for accelerating single program, multiple data (SPMD) parallel jobs. Such jobs are self-contained, in the sense that they can be executed and completed by a batch of GPU threads entirely without intervention by the host process, thereby gaining optimal benefit from the parallel graphics hardware.

Vulnerability details (CVE‑2023‑25512, CVE‑2023‑25513 & CVE‑2023‑25514): NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in cuobjdump, where an attacker may cause an out-of-bounds read by tricking a user into running cuobjdump on a malformed input file. A successful exploit of this vulnerability may lead to limited denial of service, code execution, and limited information disclosure.

Official announcement: Please refer to the supplier announcement for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5456

About CVE-2023-21930: JSSE design weakness (24th Apr 2023)

Preface: The goal is to make internal adjustment to the design of security classes (including the SecurityManager and ClassLoader classes) to reduce the risks of creating subtle security holes in future programming.

Background: The Java Secure Socket Extension (JSSE) enables secure Internet communications. It provides a framework and an implementation for a Java version of the SSL and TLS protocols and includes functionality for data encryption, server authentication, message integrity, and optional client authentication.
JSSE provides both an application programming interface (API) framework and an implementation of that API. The JSSE API supplements the core network and cryptographic services defined by the java.security and java.net packages by providing extended networking socket classes, trust managers, key managers, SSL contexts, and a socket factory framework for encapsulating socket creation behavior. Because the SSLSocket class is based on a blocking I/O model, the Java Development Kit (JDK) includes a nonblocking SSLEngine class to enable implementations to choose their own I/O methods.

Vulnerability details: This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Impact: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.

Official announcement: Refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-21930

About CVE-2023-27536 – Amazon provides alert on “libcurl” design weakness (23rd Apr 2023)

Preface: cURL command is an important Linux tool, commonly used for data transfer and connection troubleshooting.

Background: EC2 Instance – Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. Using Amazon EC2 eliminates your need to invest in hardware up-front so that you can develop and deploy applications faster.
Best Practices for Building AMI:
Check port settings as follows:

  • Linux-based AMIs – Ensure that a valid SSH port is open. The default SSH port is 22.
  • Windows-based AMIs – Ensure that an RDP port is open. The default RDP port is 3389. Also, the WinRM port (5985 by default) must be open to 10.0.0.0/16.
Ensure that your AMI meets all AWS Marketplace policies, including disabling root login.

Vulnerability details: An authentication bypass vulnerability exists in libcurl <8.0.0 in the connection reuse feature, which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.

Official details: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-27536
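A small Python model of the defect class described above, added here as an example (it is not libcurl's code and does not reproduce its data structures): a connection cache whose matcher ignores the GSSAPI delegation setting hands a later transfer a connection negotiated under a different setting, while a matcher that includes the setting, or a caller forcing a fresh connection (what CURLOPT_FRESH_CONNECT does in libcurl), does not. The host and user names are constructed; the constant names and values follow curl/curl.h.

```python
from dataclasses import dataclass, field

# Names and values as in curl/curl.h (NONE=0, POLICY_FLAG=1, FLAG=2).
CURLGSSAPI_DELEGATION_NONE = 0
CURLGSSAPI_DELEGATION_POLICY_FLAG = 1
CURLGSSAPI_DELEGATION_FLAG = 2


@dataclass(frozen=True)
class Conn:
    """A kept-alive connection and the settings it was negotiated under."""
    host: str
    port: int
    user: str
    gssapi_delegation: int


@dataclass
class ConnCache:
    """Model of a connection cache; not libcurl's actual implementation."""
    conns: list = field(default_factory=list)

    def get_or_create(self, host, port, user, delegation, *, check_delegation, fresh=False):
        """Return (conn, reused).

        check_delegation=False models the matcher before the fix, which compared
        peer and user but not the delegation setting; fresh=True models a caller
        refusing reuse after changing the option (CURLOPT_FRESH_CONNECT).
        """
        if not fresh:
            for c in self.conns:
                same_peer = c.host == host and c.port == port and c.user == user
                if same_peer and (not check_delegation or c.gssapi_delegation == delegation):
                    return c, True
        c = Conn(host, port, user, delegation)
        self.conns.append(c)
        return c, False


def second_transfer(check_delegation, fresh=False):
    """First transfer delegates credentials, the second asks for none; report what the second got."""
    cache = ConnCache()
    cache.get_or_create("svc.example.test", 443, "alice", CURLGSSAPI_DELEGATION_FLAG,
                        check_delegation=check_delegation)
    conn, reused = cache.get_or_create("svc.example.test", 443, "alice",
                                       CURLGSSAPI_DELEGATION_NONE,
                                       check_delegation=check_delegation, fresh=fresh)
    return conn.gssapi_delegation, reused
```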

About CVE-2023-2194: Design weakness found in the Linux kernel’s SLIMpro I2C device driver (21st Apr 2023)

Preface: Every day on earth, there is a vulnerable presence in the digital world. This penguin makes your life easier; sometimes it is not good. But this is the life cycle of our digital world.

Background: This driver (X-Gene SLIMpro I2C Driver) provides support for X-Gene SLIMpro I2C device access using the APM X-Gene SLIMpro mailbox driver.

Historical details: In November of 2016, AppliedMicro was acquired by MACOM.
In January 2021, X-Gene 3 was re-launched by Ampere under the eMAG family.
Ampere Computing LLC is an American fabless semiconductor company based in Santa Clara, California that develops cloud native server microprocessors (CNPs).

The third generation of X-Gene processors was announced in 2016 and started sampling in 2017. X-Gene 3 processors are based on the Skylark microarchitecture and were fabricated on TSMC’s 16 nm process. AppliedMicro made large changes to the system architecture of the chip and some minor changes to the core. The chip design shifted from incorporating an array of accelerators on-die to offering a large set of I/O (mostly PCIe lanes) so that high-performance PCIe-based accelerators could be attached instead. In 2017 AppliedMicro sold the X-Gene assets to Ampere Computing and consequently discontinued the X-Gene line. X-Gene 3 was re-launched by Ampere under the eMAG family.

Vulnerability details: An out-of-bounds write vulnerability was found in the Linux kernel’s SLIMpro I2C device driver. The userspace “data->block[0]” variable was not capped to a number between 0-255 and was used as the size of a memcpy, possibly writing beyond the end of dma_buffer. This flaw could allow a local privileged user to crash the system or potentially achieve code execution.

Official details: Please refer to the link – https://github.com/torvalds/linux/commit/92fbb6d1296f

Oracle April 2023 Critical Patch Update Addresses 231 CVEs (19th Apr 2023)

Preface: WebLogic was a company (from 1995 to 1998) credited with creating the first J2EE application server, the WebLogic Application Server.

Background: Oracle Fusion Middleware provides the WebLogic Management Framework, which provides heterogeneous management capabilities for Oracle Fusion Middleware products that require basic administrative capabilities.
Fusion Middleware Control is a Web-based administration console used to manage Oracle Fusion Middleware, including components such as Oracle WebLogic Server, Oracle Coherence, and Oracle HTTP Server.
Oracle HTTP Server is based on Apache HTTP Server infrastructure, and includes modules developed specifically by Oracle. The features of single sign-on, clustered deployment, and high availability enhance the operation of the Oracle HTTP Server.

Vulnerability details: The version of Oracle WebLogic Server installed on the remote host is missing a security patch from the April 2023 Critical Patch Update. It is, therefore, affected by multiple vulnerabilities.

  • Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console (Apache Commons FileUpload)). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
  • Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Samples (XStream)). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0.
  • Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Third Party (Apache Commons Compress)). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0.

Official announcement: For details, please refer to the following link – https://www.oracle.com/security-alerts/cpuapr2023.html

Maybe you need to know – Amazon Linux 2 Security Advisory (19th Apr 2023)

Preface: Is it legal to modify Linux kernel? Yes, it is completely legal to edit the Linux kernel since it is under General Public License – GNU.

Background: With Amazon Linux 2, you get an application environment that offers long term support with access to the latest innovations in the Linux ecosystem. Amazon Linux 2 is a Linux operating system from Amazon Web Services (AWS).

Vulnerability details: CVE-2023-28466, do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition.

Ref: A race condition vulnerability typically occurs when your application has access to the same shared data and attempts to change variables within it simultaneously. Applications can become vulnerable to race conditions if they interact with other applications that use parallel processing or multiple threads.

Official announcement – https://nvd.nist.gov/vuln/detail/CVE-2023-28466

On Tuesday April 18, 2023, Oracle Pre-Release April Critical Patch Update.

Preface: The blockchain technology can ensure the security and integrity of data. By combining AI and blockchain, it is possible to create more powerful systems.

Background: When talking about blockchain, we simply think about cryptocurrency. As a matter of fact, blockchain technology has had a far-reaching influence on the world of science and technology.
Oracles provide a way for the decentralized Web3 ecosystem to access existing data sources, legacy systems, and advanced computations. Decentralized oracle networks (DONs) enable the creation of hybrid smart contracts, where on-chain code and off-chain infrastructure are combined to support advanced decentralized applications (dApps) that react to real-world events and interoperate with traditional systems.
A pre-release announcement from Oracle is published on the Thursday preceding each Critical Patch Update release. On 18th April 2023, the Pre-Release Announcement said that the Critical Patch Update contains 7 new security patches for Oracle Blockchain Platform. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. While we wait for the official details to be released, let’s take a quick look at the Oracle Blockchain Platform. For details, please refer to the attached diagram.

Official announcement: For details of the Oracle Critical Patch Update Pre-Release Announcement – April 2023, please refer to the official URL – https://www.oracle.com/security-alerts/cpuapr2023.html

Remark: So far, security experts have been concerned about how the broadcast protocol below may be used for malicious behavior as a botnet command and control (C2) channel. Be my guest: see below for details and whether you will think of more ideas.

Reference: Atomic transactions work at the application level. Typically you do not need to change existing chaincode logic to support atomic transactions. Because one or more additional arguments are added by the atomic transactions framework, make sure that any existing chaincode does not perform strict checks on the number of arguments passed in the chaincode method. Atomic transactions are supported by the following REST API endpoint:

  • restproxy/api/v2/atomicTransactions

CVE-2023-26083 – expose sensitive kernel metadata (16-04-2023)

Preface: The kernel doesn’t have libc or system calls if you’re not running in user mode.

Background: Open Source Mali Midgard GPU Kernel Drivers – The Android and Linux versions of the Mali GPU Device Driver provide low-level access to the Mali-T6xx, Mali-T7xx and Mali-T8xx series GPUs.
Under normal circumstances, once the kernel driver and user-space libraries are installed, you can enable OpenCL support with:
echo “libmali.so” | sudo tee /etc/OpenCL/vendors/mali.icd
And check that it is found with:
sudo clinfo

Vulnerability details: Memory leak vulnerability in Mali GPU Kernel Driver in Midgard GPU Kernel Driver all versions from r6p0 – r32p0, Bifrost GPU Kernel Driver all versions from r0p0 – r42p0, Valhall GPU Kernel Driver all versions from r19p0 – r42p0, and Avalon GPU Kernel Driver all versions from r41p0 – r42p0 allows a non-privileged user to make valid GPU processing operations that expose sensitive kernel metadata.

Reminder: The vulnerability category is CWE-401 – Improper Release of Memory Before Removing Last Reference (‘Memory Leak’). The question is whether the leaked memory can be reused. If it can, the risk rating will be higher.

Product: Arm Avalon GPU Kernel Driver

CVSS Score: 5.5

** KEV since 2023-04-07 **

Official announcement: NVD – https://nvd.nist.gov/vuln/detail/CVE-2023-26083