CVE-2023-27267: Issue of concern – On April 11, 2023, SAP released its latest security patches (14th Apr 2023)

Preface: According to the CVSS 3.1 standard, if the score reaches 9.0, it is considered high risk. I believed that the design limitation of CVE-2023-27267 is also a concern for the vendor. From a security point of view, how does an attacker trigger this design weakness? Let’s start a short journey based on speculation, and see whether it gives us room to expand our thinking.

Background: SAP Solution Manager Diagnostics Agent is the remote component of End-to-End Root Cause Analysis. It allows having a connection between SAP Solution Manager and the Managed System(s), and then to collect information from the Managed Systems for reporting purposes.

Vulnerability details: A vulnerability was found in SAP Diagnostics Agent 720. It has been declared as critical. This vulnerability affects some unknown functionality of the component Command Bridge.
Due to missing authentication and insufficient input validation, the OSCommand Bridge of SAP Diagnostics Agent (version 720) allows an attacker with deep knowledge of the system to execute scripts on all connected Diagnostics Agents. On successful exploitation, the attacker can completely compromise the confidentiality, integrity and availability of the system.

Official announcement: Please refer to SAP Patch Day Blog for details – https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

CVE-2023-0208 – update for NVIDIA® Data Center GPU Manager (DCGM) (13th Apr 2023)

Preface: The Easter holiday fell in the 2nd week of April, so this news may be late. On 03/31/2023 03:00 PM, NVIDIA released a software update for NVIDIA® Data Center GPU Manager (DCGM). The update addresses security issues that may lead to denial of service and data tampering.
Be my guest; see whether you will be interested.

Background: NVIDIA Data Center GPU Manager (DCGM) is a suite of tools for managing and monitoring NVIDIA datacenter GPUs in cluster environments. It includes active health monitoring, comprehensive diagnostics, system alerts and governance policies including power and clock management.
DCGM provides several mechanisms for understanding GPU topology, both at a verbose device-level view and a non-verbose group-level view. These views are designed to give a user information about connectivity to other GPUs in the system as well as NUMA/affinity information.

Ref: Non-uniform memory access is a computer memory design used in multiprocessing, where the memory access time depends on the memory location relative to the processor. Under NUMA, a processor can access its own local memory faster than non-local memory.

Vulnerability details: NVIDIA DCGM for Linux contains a vulnerability in HostEngine (server component) where a user may cause a heap-based buffer overflow through the bound socket. A successful exploit of this vulnerability may lead to denial of service and data tampering.

Official announcement: For details, please refer to the official announcement – https://nvidia.custhelp.com/app/answers/detail/a_id/5453

About CVE-2023-28205 and CVE-2023-28206: Hunter, hunting Apple design weakness (12th Apr 2023)

Preface: The memcpy() function is used to copy a specified number of bytes from one memory location to another. The memmove() function is used to copy a specified number of bytes from one memory location to another, or between regions that overlap in the same memory.

Background: WebKit is the part of Apple’s browser engine that sits underneath absolutely all web rendering software on Apple’s mobile devices.
A use-after-free and an input validation issue were found in Apple iOS, macOS and Safari software products. A proof of concept released to the public shows the design weakness.
A proof-of-concept (PoC) exploit for the CVE-2023-28206 flaw reveals an out-of-bounds memory move in IosaColorManagerMSR8::getHDRStats_gatedContext.
CVE-2023-28206: IOSurfaceAccelerator – An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
CVE-2023-28205: WebKit – Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Ref: WebKit is a browser engine developed by Apple and primarily used in its Safari web browser, as well as all web browsers on iOS and iPadOS.

Vulnerability details:
CVE-2023-28205: A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CVE-2023-28206: An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, macOS Monterey 12.6.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Big Sur 11.7.6, macOS Ventura 13.3.1. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Official announcement – For details, please refer to the link – https://support.apple.com/en-us/HT213720

About CVE-2023-27727 (11th April 2023)

Preface: In computing, a segmentation fault (often shortened to segfault) or access violation is a fault, or failure condition, raised by hardware with memory protection, notifying an operating system (OS) the software has attempted to access a restricted area of memory (a memory access violation).

Background: NJS is a subset of the JavaScript language that allows extending NGINX functionality. njs is created in compliance with ECMAScript 5.1 (strict mode) with some ECMAScript 6 and later extensions.
To use njs in nginx:

  • install njs scripting language
  • create an njs script file
  • in the nginx.conf file, enable the ngx_http_js_module module and specify the js_import directive with the http.js script file.
    Example: load_module modules/ngx_http_js_module.so;

Vulnerability details: Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_function_frame at src/njs_function.h.
Observation: This is one of the possible ways. If the data being passed to the variable is user-controlled, it can lead to stack-based buffer overflow attacks. Sometimes it will hit an error due to a security feature called stack cookies.

Official Announcement – Please refer to this link – https://nvd.nist.gov/vuln/detail/CVE-2023-27727

My comments below:
As a matter of fact, it is hard to detect. However, triggering exploitation of the bug takes only a few seconds to a minute. If it is successful, SOC event correlation may find this suspicious activity.
So, SOC is important today!

About CVE-2023-0461 – When you take this way, you should be aware of it. (6th April 2023)

Preface: Combining kTLS and sendfile() means data is encrypted directly in kernel space, before being passed to the network stack for transmission.

Background: Improving web server performance on FreeBSD/Linux with kernel TLS (kTLS).
Kernel TLS operation – The Linux kernel provides TLS connection offload infrastructure. Once a TCP connection is in the ESTABLISHED state, user space can enable the TLS Upper Layer Protocol (ULP) and install the cryptographic connection state.
kTLS can operate in three modes:
– Software crypto mode (TLS_SW)
– Packet-based NIC offload mode (TLS_HW)
– Full TCP NIC offload mode (TLS_HW_RECORD)

Vulnerability details: A use-after-free flaw was found in the Linux kernel’s TLS protocol functionality in how a user installs a tls context (struct tls_context) on a connected TCP socket. This flaw allows a local user to crash or potentially escalate their privileges on the system.

Resolution
– In order to prevent kernel modules loading during boot, the module name must be added to a configuration file for the “modprobe” utility. This file must reside in /etc/modprobe.d.
– Ensure the module is not configured to get loaded in either /etc/modprobe.conf, /etc/modprobe.d/*, /etc/rc.modules, or /etc/sysconfig/modules/* before making the following modifications.

For details, please refer to the link – https://access.redhat.com/solutions/41278
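
One way to check both resolution points for a given module, as an added example rather than code from this post or the linked article. The function names are hypothetical, `tls` is assumed to be the kTLS module name, and every configuration file below is a constructed sample.

```sh
#!/bin/sh
# Added example: audit modprobe configuration for one kernel module.
# Assumption: "tls" is used as the kTLS module name; all file contents are constructed.

# Report how the *.conf files in directory $1 treat module $2:
#   blocked     - "install MOD /bin/false" (or true): modprobe cannot load it
#   blacklisted - only "blacklist MOD": alias autoload is off, explicit load still works
#   loadable    - no restriction found
modprobe_status() {
    dir=$1; mod=$2; state=loadable
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        conf=$(sed 's/#.*//' "$f")   # drop comments before matching
        if printf '%s\n' "$conf" | grep -Eq \
            "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+(/usr)?/bin/(false|true)[[:space:]]*\$"; then
            echo blocked; return 0
        fi
        if printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*blacklist[[:space:]]+${mod}[[:space:]]*\$"; then
            state=blacklisted
        fi
    done
    echo "$state"
}

# Print each file among $2.. that explicitly loads module $1 with modprobe or
# insmod (for example a boot script), which would undo the restriction.
explicit_loads() {
    mod=$1; shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        sed 's/#.*//' "$f" | grep -Eq \
            "(modprobe|insmod)[[:space:]]+([^#]*[[:space:]/])?${mod}(\.ko)?([[:space:]]|\$)" \
            && echo "$f"
    done
    return 0
}

# Constructed sample tree standing in for /etc/modprobe.d and /etc/rc.modules.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/weak.d" "$demo/strict.d"
printf '# disable kTLS\nblacklist tls\n' > "$demo/weak.d/ktls.conf"
printf 'blacklist tls\ninstall tls /bin/false\n' > "$demo/strict.d/ktls.conf"
printf '#!/bin/sh\nmodprobe -q tls\n' > "$demo/rc.modules"
printf '#!/bin/sh\n# modprobe tls\nmodprobe nf_conntrack\n' > "$demo/rc.clean"

echo "weak.d:   $(modprobe_status "$demo/weak.d" tls)"
echo "strict.d: $(modprobe_status "$demo/strict.d" tls)"
echo "explicit loads: $(explicit_loads tls "$demo/rc.modules" "$demo/rc.clean")"
```

On a real host, point `modprobe_status` at `/etc/modprobe.d` and pass the boot scripts named in the resolution to `explicit_loads`.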

Whether we can open the mask – About CVE-2023-21085 & CVE-2023-21096 (5th April 2023)

Preface: The vendor did not describe it in detail; see whether this is the vulnerability they found.

Background: The Android Runtime (ART) and managed core library (libcore) were part of the Runtime module effort in Android 10 along with the native runtime (Bionic) and ICU.
In Android 11, ART and libcore are packaged as non-updateable APEX. Bionic and ICU (code and data) remain on the platform and are separated from ART to improve updatability.

Vulnerability details: Google has started rolling out the April 2023 security update for its mobile operating system platform to address a total of 69 new security vulnerabilities affecting Android devices, 6 of which have been rated critical in severity.
In this topic we focus on the following vulnerabilities: CVE-2023-21085 and CVE-2023-21096.

Official announcement: For details, please refer to the link – https://source.android.com/docs/security/bulletin/2023-04-01

New Design vs Old Style Attacks (5th April 2023)

Preface: In Dec 2022, Microsoft warned that malicious hackers were able to get the software giant to digitally sign their code so it could be used in attacks, such as the deployment of ransomware.

Background: The newest update to AMD’s P-State EPP Linux driver hit today, offering better Ryzen & EPYC performance & better power control on CPUs.
AMD P-State EPP can further help tune the performance and power efficiency of AMD Linux systems beyond the existing basic AMD P-State driver support and address some existing deficiencies.
AMD EPYC processors are the only x86 server CPUs with an integrated, embedded security processor that is “hardened at the core” to help secure customer data whether in a central data center or distributed across locations at the network edge.

Observation of the subject: In 2018, AMD confirmed the Ryzenfall vulnerabilities, but said they would be fixed soon via routine BIOS updates. At an earlier stage, AMD had neither confirmed nor denied whether the attacks can be executed remotely or require local access.
AMD has recently released a BIOS update that supposedly allows users to disable the Secure Processor, but this feature works only partially and does not stop the RYZENFALL attacks. Some experts say this is not an effective mitigation measure.

What do you think? Do you think the specific design weakness is still valid, or has it been fixed by the vendor?

About Kubernetes Hardening Guide (3rd Apr 2023)

Preface: The Lord taught Enoch that those who build their lives upon the Savior would never fall.
Never mind whether there really was a Lord or an advanced civilization; human beings are moving to digitization. The Bible mentions Lucifer, who is similar to a cyber threat actor.

Background: Technology is trending from on-premises to cloud. Cloud-based attacks most likely come through the ways below:
– Compromised Laptop via Phishing Emails – The RansomCloud attack is a relatively new type of ransomware that targets cloud-based email services such as Office 365.
– Compromised Server via Unpatched Vulnerabilities
Based on cyber defense capabilities, we believe that major cloud service providers will have effective ways to deal with disruptions caused by cyber attacks.

However, more and more native applications rely on CSPs’ APIs, for example push notifications (push messages) delivered through a cloud messaging service. Applications running on mobile devices, browsers or IoT devices can use push technology, for example application-to-application (A2A) and application-to-person (A2P) communication.
A2A provides high-throughput, push-based, many-to-many messaging between distributed systems, microservices, and event-driven serverless applications.
Push notifications can be cloud-based or app-based, and are built to work with a server that provides the notification. An API can enable push notifications from cloud services as app and web push services. Once an organization requests a push notification, an API calls this service and sets the message in place to be delivered.
These Push API capabilities can be used to spread fake or deceptive messages, flood the user’s device with spam, and trick people into installing malicious apps.
Remark: Push API is the general term for all push APIs.

Technical details: My friend Enoch (CCIE) recommended the Kubernetes Hardening Guide last week. In my view, it is good for preventive control, since there is a lot of uncertainty in the digital world. Be my guest; you can download it from this official link.

https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF