About CVE-2023-33962 – JStachio fails to escape single quotes in HTML (31st May 2023)

Preface: About 20 years ago, people know java is unsafe. Perhaps of technology trend, so whatever the design appyling java language. The flexibility and easy to use will let people contempt about awareness of cyber security. While Java is considered relatively safe because it is a server side language, there are still multiple ways to attack and access secure code you’d like to remain private.

Background: The Spring Framework is an application framework and inversion of control container for the Java platform. The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE platform.
Mustache is a logicless template engine and it is helpful for creating dynamic content like HTML and configuration files.
If your models are type based and not just Map then JStachio is good choice.

Ref:End-users only use JVM and JRE to execute the application program. JRE identifies all the helpful class libraries needed for execution, while JVM is a subclass of JRE that decodes the bytecode into machine language and other minor tasks. Each JVM server can have a maximum of 256 threads to run Java applications.

Vulnerability details: Prior to version 1.0.1, JStachio fails to escape single quotes ' in HTML, allowing an attacker to inject malicious code. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of other users visiting pages that use this template engine. This can lead to various consequences, including session hijacking, defacement of web pages, theft of sensitive information, or even the propagation of malware.

Solution: Version 1.0.1 contains a patch for this issue.

Workaround: To mitigate this vulnerability, the template engine should properly escape special characters, including single quotes. Common practice is to escape ' as &#39. As a workaround, users can avoid this issue by using only double quotes " for HTML attributes.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-33962

CVE-2023-32067 – c-ares is vulnerable to denial of service (30th May 2023)

Preface: c-ares is a C language implementation of asynchronous request DNS. When using c-ares, you usually only need to reference the ares.h header file, and the related header files of the library are included.

Background: For some asynchronous DNS requests, Node[.]js uses a C library called c-ares.
So called Async DNS – This feature bypasses the normal operating system mechanisms for resolving domain names and uses the browser directly. In this mode, DNS requests will communicate directly own DNS servers and some third party providers.

Vulnerability details: c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.

According to the technical aspect of UDP packet with a length of 0 matter. Do you have below queries?
Writing a datagram of length 0 is acceptable. In the case of UDP, this results in an IP datagram containing an IP header (normally 20 bytes for IPv4 and 40 bytes for IPv6), an 8-byte UDP header, and no data. This also means that a return value of 0 from recvfrom is acceptable for a datagram protocol: It does not mean that the peer has closed the connection, as does a return value of 0 from read on a TCP socket. Since UDP is connectionless, there is no such thing as closing a UDP connection.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-32067

About CVE-2023-32695 – A patch has been released in socket[.]io-parser version 4.2.3.

Preface: In technical aspect, a Socket[.]IO server can sustain 10,000 concurrent connections. Therefore you can build a chat experience and using Socket[.]IO as your realtime communication solution. But if you want chat users to receive push notifications when they’re not actively using the app, Socket[.]IO can’t help, as it relies on a persistent socket connection.

Background: Socket[.]IO is a library that enables real-time, bidirectional and event-based communication between the browser and the server.
A socket[.]io encoder and decoder written in JavaScript complying with version 4 of socket[.]io-protocol. Used by socket[.]io and socket[.]io-client.
In addition, a socket[.]io-parser has included. A socket.io encoder and decoder written in JavaScript complying with socket[.]io-protocol. Used by socket[.]io and socket[.]io-client.

Ref:socket-io[.] client is the code for the client-side implementation of socket[.]io[.] That code may be used either by a browser client or by a server process that is initiating a socket[.]io connection to some other server (thus playing the client-side role in a socket[.]io connection).

Vulnerability details: socket[.]io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket[.]io-protocol.

Potential impact: A specially crafted Socket[.]IO packet can trigger an uncaught exception on the Socket[.]IO server, thus killing the Node[.]js process.

Solution: A patch has been released in version 4.2.3.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-32695

CVE-2022-33302 – Memory corruption due to improper validation of array index in User Identity Module when APN TLV length is greater than command length.(25th May 2023)

Preface: Perhaps you feeling that it’s not follow best practice when it is a zero-day matter. Seems this CVE was late published. The fact is that the impact look serious. So before vendor resolve the problem. Vendor do not intent disclose to public. But problem resolved now.

Background: The User Identity Module may contain information such as the NAM (Number Assignment Module) and subscription feature information. Based on design, UIM can be integrated into the smartphone or it may be a R-UIM (Removable Identity Module).
Refer to vendor design mechanism, Reading a mobile subscriber identity from a memory device associated with the smartphone; determining if part or all of the mobile subscriber identity matches a data set entry within a file associated with the smartphone.
For example, a program assists find highest number in an array by the pointer. As a result, the result of high-array is the number of elements from the start of the array to the element pointed to by high, and that is the index of that element.

Ref: What is a Function Pointer? Function Pointers are pointers, i.e. variables, which point to an address of a function. The running programs get a certain space in the main memory. Both, the executable compiled program code and the used variables, are put inside this memory.

Vulnerability details: Qualcomm found that a memory corruption due to improper validation of array index in User Identity Module when APN TLV length is greater than command length.

Official details: Please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2022-33302

About CVE-2023-21930, new CVE added on 16th May 2023 by Oracle (24th May 2023)

Preface: Oracle Linux is an optimized and secure operating environment for application development and deployment. Oracle Linux 9 with UEK R7 provides kernel, performance, and security enhancements.
On 16th May 2023 Oracle added second revise on their bulletin which held on April 2023. In NVD CVE publications advisories, CVE-2023-21930 also provided lasted update on 27th April 2023.
Does this update related to oracle DB environment stability ? This is the goal of this short discussion.

Background: What does Java SE do? It provides a foundation for building and deploying network-centric enterprise applications that range from the PC desktop computer to the workgroup server.

Vulnerability details: Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.

Impact of Java SE Security Vulnerabilities on Oracle Products:

  • Oracle WebLogic Server – Version 10.3.2 and later
  • Oracle Fusion Middleware – Version 10.1.2.0.0 to 10.1.4.3.0 [Release AS10gR2 to AS10gR3]
  • Oracle Containers for J2EE – Version 10.1.2.0.0 to 10.1.3.5.0 [Release AS10gR2 to AS10gR3]
  • Oracle Database – Enterprise Edition – Version 11.1.0.7 and later

Official announcement: For details, please refer to the link – https://www.oracle.com/security-alerts/linuxbulletinapr2023.html

CVE-2023-32413 A race condition occurred in process state handling. It is very common in OS systems, be it Linux or Microsoft Windows. (23rd May 2023)

Preface: A race condition vulnerability typically occurs when your application has access to the same shared data and attempts to change variables within it simultaneously. Applications can become vulnerable to race conditions if they interact with other applications that use parallel processing or multiple threads.

Background: A process describes an individual running instance of a program. It has its own memory, which it does not share with other programs. A process can run code in multiple separate threads. These threads can run code independently of each other.
In Linux, a process is an instance of executing a program or command. While these processes exist, they’ll be in one of the five possible states:

  • Running or Runnable (R)
  • Uninterruptible Sleep (D)
  • Interruptable Sleep (S)
  • Stopped (T)
  • Zombie (Z)

Ref: Zombie processes are already dead, so they cannot be killed, they can only be reaped, which has to be done by their parent process via wait*(). This is usually called the child reaper idiom, in the signal handler for SIGCHLD.

When a child process stops or terminates, SIGCHLD is sent to the parent process. The default response to the signal is to ignore it. The signal can be caught and the exit status from the child process can be obtained by immediately calling wait(2) and wait3(3C). This allows zombie process entries to be removed as quickly as possible.

Vulnerability details: A race condition was addressed with improved state handling.

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to gain root privileges

Official announcement: About the security content of iOS 16.5 and iPadOS 16.5. Please refer to the link – https://support.apple.com/en-us/HT213757

About CVE-2023-33252 – Similar concern for cyber security today, it also apply to future digital world Artificial intelligence zone. (22nd May 2023)

Preface: Foreseeing the continuous development of artificial intelligence, use blockchain technology for network communication is a must.
A blockchain is a distributed database or ledger shared among nodes in a computer network. They are known for their key role in maintaining a secure and decentralized record of transactions in cryptocurrency systems, but they are not limited to the use of cryptocurrencies.

Background: IDEN3 is NOT an ICO (Initial Coin Offerings). It has no token at all. It is an open source permissionless identity layer built on top of Ethereum that we expect many projects will be able to use as a foundational layer for their own identity solution.
What are Initial Coin Offerings? ICOs are another form of cryptocurrency that businesses use in order to raise capital. Through ICO trading platforms, investors receive unique cryptocurrency “tokens” in exchange for their monetary investment in the business.

Ref: Circom is a compiler written in Rust for compiling circuits written in the circom language. The compiler outputs the representation of the circuit as constraints and everything needed to compute different ZK proofs.

Vulnerability details: iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.

References:
https://github.com/iden3/snarkjs/commits/master/src/groth16_verify.js
https://github.com/iden3/snarkjs/tags

CVE-2023-31655 Crash while running redis-7.0.10 with the redisraft-cd52ee4.(19th May 2023)

Preface: What does the ERROR: Segmentation violation mean?
Traditionally, a “segmentation violation” is a signal sent by the kernel to a process when the system has detected that the process was attempting to access a memory address that does not belong to it. Typically, this results in the offending process being terminated.

Background: A process describes an individual running instance of a program. It has its own memory, which it does not share with other programs. A process can run code in multiple separate threads. These threads can run code independently of each other.
This is how a server might accept multiple clients: we would spin up a separate thread for each client so the server could have an independent conversation with that client. Unlike processes, they share their memory with each other.
All Redis data resides in memory, enabling low-latency and high-throughput data access. Unlike traditional databases, in-memory data stores do not require access to disk.
RedisRaft is a Redis module that implements the Raft Consensus Algorithm, making it possible to create strongly-consistent clusters of Redis servers.

Vulnerability details: redis-7.0.10 was discovered to contain a segmentation violation.

Current status: Reply by developer, Redisraft is still being developed and currently, we only maintain compatibility with redisraft (master) and redis (unstable) branches.

Official announcement: Please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-31655

Dig out details on CVE-2023-20877 – VMware fixed this matter already. (18th May 2023)

Preface: If you have set “Read& Execute“ permission to everyone on parent folder, and not disable inheritance permission on the subfolder, in theory, subfolder permission should inherit the parent folder permission.

Background: VMware Aria Operations is a unified, AI-powered self-driving IT operations management platform for private, hybrid & multi-cloud environments.
You can execute scripts from the local OS using Orchestrator. To do that, Orchestrator needs access (x) to the folder where the script is located and the Orchestrator user needs to be able to read and execute (rx) it. You also need to allow Orchestrator to execute local files.
The access for Orchestrator is regulated by the entries in the js-io-rights[.]conf file.
Please note that the script needs to be in a file location that Orchestrator can access and that Orchestrator will run as user vco with the group vco.
Orchestrator has full access preconfigured for the /var/run/vco directory. The operator means that Orchestrator has the right to access the directory, for example, to list the content or to execute a file.

Vulnerability details: VMware Aria Operations contains a privilege escalation vulnerability. An authenticated malicious user with ReadOnly privileges can perform code execution leading to privilege escalation.

Official announcement: Check out the details on the link – https://www.vmware.com/security/advisories/VMSA-2023-0009.html

About Ryzen 6000 design weakness CVE-2021-26365, CVE-2021-26365 & CVE-2021-46765 (17th May 2023)

Preface: Based on limited details provided by CPU vendor. Based on the steps shown in the diagram, try to speculated that where the vulnerability is located.

Background: With the introduction of the Ryzen 5000-series Zen 3, AMD leads in gaming performance (especially in single-threaded performance). Announced on January 4, 2022, the Ryzen 6000 mobile-specific series of processors uses TSMC’s modestly altered Zen3+ cores on the 6nm process, claiming up to 15% (typically 10%) performance gains (supposedly from frequency rather than IPC (instructions per clock cycle)).

Ref: Because the IPC varies depending on workload, it’s not a straightforward number.
The clock frequency, on the other hand, generally only varies when there are thermal or power constraints (thermal throttling, TDP limiting).

The AMD secure processor (ASP), also known as platform security processor (PSP), is an isolated ARM processor that runs independently from the main x86 cores of the platform. ASP executes its own firmware, and hosts security sensitive components that can run without being affected by the main system workload.

Remark: The kernel supports the SuperVisor Call (SVC) instruction, through which the user can trigger an exception. For example: If the kernel is in unprivileged mode, the program needs to access special registers that can only be accessed in privileged mode. This exception is handy when running in privileged mode.

Vulnerability details (see below):
CVE-2021-26365 – Certain size values in firmware binary headers could trigger out of bounds reads during signature validation, leading to denial of service or potentially limited leakage of information about out-of-bounds memory contents.
CVE-2021-46753 – Failure to validate the length fields of the ASP (AMD Secure Processor) sensor fusion hub headers may allow an attacker with a malicious Uapp or ABL to map the ASP sensor fusion hub region and overwrite data structures leading to a potential loss of confidentiality and integrity.
CVE-2021-46765 – Insufficient input validation in ASP may allow an attacker with a compromised SMM to induce out-of-bounds memory reads within the ASP, potentially leading to a denial of service.

Official details: For details, please refer to the remedial measures released by AMD – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4001.html