CVE-2023-22886: Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider (30th June 2023)

Preface: Airflow is a platform to programmatically author, schedule, and monitor workflows. Specifically, it is used in Machine Learning to create pipelines.

Background: Apache Airflow™ is an open-source platform for developing, scheduling, and monitoring batch-oriented workflows. This open-source platform is most suitable for pipelines that change slowly, are related to a specific time interval, or are pre-scheduled. It’s a popular solution that many data engineers rely on for building their data pipelines. Data pipelines work with ongoing data streams in real time. It’s been used to run SQL, machine learning models, and more.

Apache Airflow is a Python-based platform to programmatically author, schedule and monitor workflows. It is well-suited to machine learning for building pipelines, managing data and training models.

You can use Apache Airflow to schedule pipelines that extract data from multiple sources and run Spark jobs or other data transformations, as well as machine learning model training.

Vulnerability details: Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider. The [Connection URL] parameters of an Airflow JDBC Provider connection had no restrictions, which made it possible to carry out RCE attacks via different types of JDBC drivers and obtain Airflow server permissions. This issue affects Apache Airflow JDBC Provider: before 4.0.0.

Recommendation: For security purposes, you should avoid building the connection URLs based on user input. For user name and password values, use the connection property collections. Restrict direct usage of driver params via extras for JDBC connection.

Remedy: To configure driver parameters (driver path and driver class), you can use the following methods:

  1. Supply them as constructor arguments when instantiating the hook.
  2. Set the “driver_path” and/or “driver_class” parameters in the “hook_params” dictionary when creating the hook using SQL operators.
  3. Set the “driver_path” and/or “driver_class” extra in the connection and correspondingly enable the “allow_driver_path_in_extra” and/or “allow_driver_class_in_extra” options in the “providers.jdbc” section of the Airflow configuration.
  4. Patch the “JdbcHook.default_driver_path” and/or “JdbcHook.default_driver_class” values in the “local_settings.py” file.
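
The audit below is an added example, not code from Airflow or the advisory. It models method 3 in simplified form: it flags JDBC connections whose extras still carry “driver_path” or “driver_class” and reports whether the matching allow_* option would let them take effect. The connection records and the name audit_jdbc_extras are constructed for illustration.

```python
import json

DRIVER_KEYS = ("driver_path", "driver_class")

# Constructed sample records (conn_id, conn_type, extra JSON); illustrative only.
SAMPLE_CONNECTIONS = [
    {"conn_id": "warehouse", "conn_type": "jdbc", "extra": "{}"},
    {"conn_id": "legacy_db", "conn_type": "jdbc",
     "extra": json.dumps({"driver_path": "/opt/jars/legacy.jar",
                          "driver_class": "com.example.LegacyDriver"})},
    {"conn_id": "pg_main", "conn_type": "postgres",
     "extra": json.dumps({"driver_class": "not.a.jdbc.connection"})},
    {"conn_id": "broken", "conn_type": "jdbc", "extra": "{not json"},
]


def audit_jdbc_extras(connections, allow_path=False, allow_class=False):
    """Return (conn_id, key, status) findings for JDBC connections.

    allow_path / allow_class stand for the allow_driver_path_in_extra and
    allow_driver_class_in_extra options, modelled here as off unless enabled.
    Simplified model of the behaviour described above, not provider code.
    """
    allowed = {"driver_path": allow_path, "driver_class": allow_class}
    findings = []
    for conn in connections:
        if conn.get("conn_type") != "jdbc":
            continue  # only JDBC connections are in scope for this audit
        try:
            extra = json.loads(conn.get("extra") or "{}")
        except json.JSONDecodeError:
            extra = None
        if not isinstance(extra, dict):
            findings.append((conn["conn_id"], "extra", "unparseable"))
            continue
        for key in DRIVER_KEYS:
            if extra.get(key):
                # "honoured": whoever can edit the connection picks the driver.
                # "ignored": option is off, so the extra is a leftover to remove.
                status = "honoured" if allowed[key] else "ignored"
                findings.append((conn["conn_id"], key, status))
    return findings


if __name__ == "__main__":
    for finding in audit_jdbc_extras(SAMPLE_CONNECTIONS, allow_class=True):
        print(finding)
```

Any “honoured” finding means the driver is chosen by whoever can edit that connection, so those connections deserve the tightest edit permissions.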

Official announcement: For details, please refer to the link – https://github.com/advisories/GHSA-mm87-c3x2-6f89

CVE-2023-21220: Outdated communication methods burden modern Androids (29th June 2023)

Preface: Since the official announcement did not contain details, perhaps the situation described here is one of the possible reasons for encountering such vulnerabilities.

Background: SMS messages are sent in plain text. Rich Communications Services (RCS) is a communication protocol that will ultimately replace MMS and SMS messages on Android devices.
Android Pie (codenamed Android P during development), also known as Android 9 (API 28) is the ninth major release and the 16th version of the Android mobile operating system. It was first released as a developer preview on March 7, 2018, and was released publicly on August 6, 2018.
Android 8.0 places limitations on what apps can do while users aren’t directly interacting with them. Apps are restricted in two ways:
Background Service Limitations and Broadcast Limitations.
On the other hand, the system distinguishes between foreground and background apps. An app is treated as being in the foreground when another foreground app is connected to it, either by binding to one of its services or by making use of one of its content providers. For example, the app is in the foreground if another app binds to its voice or text service.
So, if Android users forget to turn on the RCS function, their text messages will be read through a man-in-the-middle attack.

Vulnerability details: There is a possible use of unencrypted transport over cellular networks due to an insecure default value. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android kernel
Android ID: A-264590585
References: N/A

Official announcement: For details, please refer to the link – https://source.android.com/security/bulletin/pixel/2023-06-01

Can you foresee how much AI and machine learning infrastructure there will be in the next few years? (28th June 2023)

Preface: ChatGPT Memory uses the Redis vector database to store an embedded conversation history of past user-bot interactions.
The first interaction between the user and bot is critical to the user experience, said Microsoft.
There are 1482 companies currently using OpenAI, including Adobe and Schneider Electric.

Background: ChatGPT, the full name of Chat Generation Pre-training Converter, is an artificial intelligence chat robot program developed by OpenAI, which was launched in November 2022. The program uses large language models based on the GPT-3.5 and GPT-4 architectures and is trained with reinforcement learning.
OpenAI is a suite of artificial intelligence (AI) models designed for application developers. It enables users to create AI applications to understand natural-language semantics and generate natural text, translate natural language into programming code, create images from text captions, and classify images.

FastAPI is a Python web framework based on the Starlette microframework. With deep support for asyncio, FastAPI is indeed very fast.
FastAPI also distinguishes itself with features like automatic OpenAPI (OAS) documentation for your API, easy-to-use data validation tools, and more.
Integrating OpenAI APIs into FastAPI applications makes it easy to call them using the Swagger UI.
FastAPI is a modern Python web framework for building APIs quickly and efficiently. By leveraging FastAPI’s features and integrating OpenAI’s APIs, developers can build applications with powerful AI capabilities such as language translation, sentiment analysis, text summarization, question-answering, and more.

How to install OpenAI in python
Step 1: Sign up for an OpenAI API key: You will visit the link to register for an account and if you already have an active account using Chat-Gpt 3, you can use the same account to sign in.
If you are a Linux user, have a good try.
How to Install OpenAI on Linux?
Step 2: Upgrade pip and install the openai library.
python3 -m pip install --upgrade pip
python3 -m pip install --upgrade openai

….
For details, please refer to the official link – https://openai.com/

CVE-2023-20892, CVE-2023-20893, CVE-2023-20894 and CVE-2023-20895, CVE-2023-20896: Double confirm to your admin, vcenter server has patch applied. (27th June 2023)

Preface: VMware published multiple vulnerabilities on 22nd June 2023. It leaves the reader dazzled, since the actual exploit technique was not released by VMware.
However, they said the vulnerabilities are caused by DCERPC. So, let us take a closer look at the DCERPC protocol and see whether it piques your interest.

Background: DCERPC (Distributed Computing Environment / Remote Procedure Calls) is the remote procedure call system developed for Distributed Computing Environment (DCE) networking. Uses of this protocol include Common Binding Services, Common Interface Registry Services, RPC Nameservice Interface, Call Thread Services, Clock and Timer Services,…
Remote Procedure Call (RPC) protocol is generally used to communicate between processes on different workstations. However, RPC works just as well for communication between different processes on the same workstation.
Microsoft server technology is also based on RPC. RPC uses the client and server model. Bruce Jay Nelson is generally credited with coining the term “remote procedure call” in 1981. Remote procedure calls used in modern operating systems trace their roots back to the RC 4000 multiprogramming system, which used a request-response communication protocol for process synchronization.
Some experts have concerns about RPC. The reason is that there is no uniform standard for RPC; it can be implemented in a variety of ways.

Traditionally, the RPC runtime library maintains numerous lists, and provides a common list management mechanism used by several runtime components, principally the Name Service Interface and the connection-oriented RPC protocol service.
The file rpclist.h defines the structure of a list element and a list, and provides macros used for manipulating these lists. The underlying list management routines in rpclist.c should not, as a rule, be called directly. When addition of a new element would cause a list to exceed its maximum allowable size, the element is returned to heap storage instead.

Vulnerability details: Please refer below links for reference.
Advisory ID: VMSA-2023-0014
https://www.vmware.com/security/advisories/VMSA-2023-0014.html

Applying individual product updates to VMware Cloud Foundation environments using Async Patch Tool (AP Tool) (88287)
https://kb.vmware.com/s/article/88287

About CVE-2023-32434, CVE-2023-32435 and CVE-2023-32439: When the details of those vulnerabilities were shown, it made me think of a piece of software (Redux) (25th June 2023)

Preface: The state in Redux is stored in memory. This means that, if you refresh the page the state gets wiped out. The state in redux is just a variable that persists in memory because it is referenced by all redux functions.

Background: Safari is a web browser developed by Apple. It is built into Apple’s operating systems, including macOS, iOS, and iPadOS, and uses Apple’s open-source browser engine WebKit, which was derived from KHTML.
The rendering engine is used to display the requested content on the user interface, and the browser engine marshals actions between the UI and the rendering engine.
Redux is a predictable state container for JavaScript apps. It helps you write applications that behave consistently.
Refer to my speculation (see attached picture). Due to such operation and design, I speculate that these three vulnerabilities are caused by the Redux JavaScript library located in the browser.

Vulnerability details:
According to CVE-2023-32434, the vulnerability details indicated a design weakness in input validation.
Thereby, an integer overflow was triggered (CVE-2023-32439), due to the weakness of input validation. As a result, a memory corruption issue occurred due to a state management weakness (CVE-2023-32435).

https://nvd.nist.gov/vuln/detail/CVE-2023-32434
https://nvd.nist.gov/vuln/detail/CVE-2023-32435
https://nvd.nist.gov/vuln/detail/CVE-2023-32439

CVE-2023-2431: Bypass of seccomp profile enforcement. About access control logic on cloud (22nd Jun 2023)

Preface: Information security drives role-based access control. But when a cloud service provider designs or implements access control, it becomes sophisticated, especially if the access control includes virtual machine technology under a hierarchical structure in order to harden the effectiveness of the control.
Cloud resources are organised hierarchically, where the organisation node is the root node in the hierarchy, the projects are the children of the organisation, and the other resources are descendants of projects. You can set allow policies at different levels of the resource hierarchy.

Background: Secure computing mode (seccomp) is a Linux kernel feature. You can use it to restrict the actions available within the container.
The seccomp() system call operates on the seccomp state of the calling process.
You can use this feature to restrict your application’s access.
This feature is available only if Docker has been built with seccomp and the kernel is configured with CONFIG_SECCOMP enabled.

Vulnerability details: A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.
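
One way to look for the affected pattern in pod specs, as an added example that is not from the Kubernetes project or the advisory: it walks a parsed manifest and reports every securityContext whose seccompProfile has type Localhost but an empty or missing localhostProfile. The sample pod and the function names are constructed for illustration, and only securityContext fields are checked.

```python
# Constructed pod manifest (as parsed from JSON/YAML); names are illustrative.
SAMPLE_POD = {
    "metadata": {"name": "demo"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "app",
             "securityContext": {"seccompProfile": {"type": "Localhost",
                                                    "localhostProfile": ""}}},
            {"name": "sidecar",
             "securityContext": {"seccompProfile": {
                 "type": "Localhost",
                 "localhostProfile": "profiles/audit.json"}}},
            {"name": "worker",
             "securityContext": {"seccompProfile": {"type": "Localhost"}}},
            {"name": "plain"},  # inherits the pod-level profile
        ],
    },
}


def _is_empty_localhost(sec_ctx):
    """True when a securityContext selects Localhost without naming a profile."""
    profile = (sec_ctx or {}).get("seccompProfile") or {}
    if profile.get("type") != "Localhost":
        return False
    return not (profile.get("localhostProfile") or "").strip()


def find_empty_localhost_profiles(pod):
    """Return the locations in a pod spec that match the affected pattern."""
    spec = pod.get("spec") or {}
    hits = []
    if _is_empty_localhost(spec.get("securityContext")):
        hits.append("pod")
    for group in ("initContainers", "containers", "ephemeralContainers"):
        for ctr in spec.get(group) or []:
            if _is_empty_localhost(ctr.get("securityContext")):
                hits.append(f"{group}/{ctr.get('name', '?')}")
    return hits


if __name__ == "__main__":
    print(find_empty_localhost_profiles(SAMPLE_POD))
```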

Official details: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-2431

About CVE-2023-3220 An issue was discovered in the Linux kernel through 6.1-rc8 (20th June 2023)

Preface: AI Engines are built from the ground up to be software programmable and hardware adaptable. There are two distinct design flows for any developer to unleash the performance of these compute engines with the ability to compile in minutes and rapidly explore different microarchitectures.
As of today, current technology is capable of on-device intelligence powered by the AI Engine. Our dreams come true: the 3rd generation AI Engine enables on-device intelligence and simplifies how pictures and videos are taken.

Background: The Qualcomm Robotics RB3 development kit includes the purpose-built robotics-focused DragonBoard™ 845c development board, based on the Qualcomm® SDA845 processor and compliant with the 96Boards open hardware specification to support a broad range of mezzanine-board expansions.
The development board supports Linux and Robotics Operating System (ROS), while also including support for the Qualcomm® Neural Processing software development kit (SDK) for advanced on-device AI, the Qualcomm ® Computer Vision Suite, the Qualcomm ® Hexagon DSP SDK, and AWS RoboMaker.

Vulnerability details: An issue was discovered in the Linux kernel through 6.1-rc8. dpu_crtc_atomic_check in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c lacks check of the return value of kzalloc() and will cause the NULL Pointer Dereference.

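Ref: The kzalloc() function behaves the same as kmalloc(), with one difference: the allocated memory is cleared to zero after a successful allocation. Like kmalloc(), it returns NULL when the allocation fails, which is why the return value has to be checked before use. After each use of kzalloc(), there must be a corresponding call to the memory release function kfree().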

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-3220

While IPv6 addresses the design limitations of IPv4, the Linux kernel says it takes time to adjust. (20th June 2023)

Preface: Why do I say, on behalf of the Linux kernel, that it takes time to adjust? If you recall, last year (December 2022), a flaw was found in fib6_rule_suppress() that would crash the kernel. According to the RedHat knowledge base, a resolution is in the works. That’s why I mentioned it. Perhaps the website has not updated the status yet. However, another new flaw related to fib6_rule_suppress() was found.

Background: Linux kernel has had IPv6 support since 1996. So, you must compile the Linux kernel with IPv6 networking support.
When IPv6 is enabled, the following value is 0; otherwise it is 1:
cat /sys/module/ipv6/parameters/disable
IPv6 uses the same data struct for both control plane (FIB entries) and data path (dst entries). This struct has elements needed for both paths, adding memory overhead and complexity (taking a dst hold in most places but an additional reference on rt6i_ref in a few). Furthermore, because of the dst_alloc tie, all FIB entries are allocated with GFP_ATOMIC (used to allocate memory from interrupt handlers and other code outside of a process context). Changes to improve the scalability of the IPv6 code include:
Allowing FIB lookups without generating a dst (e.g., most rt6_lookup users just want to verify the egress device). This means moving dst allocation to the other side of fib6_rule_lookup, which again aligns with IPv4 behavior.

Vulnerability details: A flaw was found in the Linux kernel. If IPv6 is in use and a specific local networking rule is enabled, it can lead to a kernel crash with the message “fib6_rule_suppress+0x22”. It happens when a network packet is received at the local IPv6 address that matches this specific rule.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-3022

About CVE-2023-33307: When a firewall or proxy encounters a null pointer dereference flaw, which part of its functionality is most likely to be affected? (19th June 2023)

Preface: Linux supports virtual memory, that is, using a disk as an extension of RAM so that the effective size of usable memory grows correspondingly. The kernel will write the contents of a currently unused block of memory to the hard disk so that the memory can be used for another purpose.

Background: Linux supports virtual memory. You can adjust how the Linux kernel uses virtual memory through the swappiness setting. The default on most systems is 60. Setting it to 0 means that Linux won’t swap.
Example: use the sysctl command: sudo sysctl vm.swappiness=40
To change it permanently, edit the /etc/sysctl.conf file as root and place the line “vm.swappiness=[swappiness number]”, where “[swappiness number]” is the swappiness number you want.

Ref: Routing and ARP tables are stored in RAM.

Vulnerability details: FortiOS & FortiProxy: authenticated user null pointer dereference in SSL-VPN.
A null pointer dereference in Fortinet FortiOS before 7.2.5 and before 7.0.11, FortiProxy before 7.2.3 and before 7.0.9 allows an attacker to cause a denial of the SSL-VPN service via a specifically crafted request in the network parameter.

Official details: For details, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2023-33307

About CVE-2023-32027, CVE-2023-32026, CVE-2023-32025, CVE-2023-29356, and CVE-2023-29349. Carefully observe and speculate on design weaknesses in ODBC and OLE DB remote code execution vulnerabilities. (June 16, 2023)

Preface: Microsoft didn’t provide details. In this example, no dangerous code is included, just my speculation about a design weakness in the ODBC Driver for SQL Server for this week’s Patch Tuesday.

Background: The SQL Server Native Client (often abbreviated SNAC) has been removed from SQL Server 2022 (16.x) and SQL Server Management Studio 19 (SSMS). The SQL Server Native Client (SQLNCLI or SQLNCLI11) and the legacy Microsoft OLE DB Provider for SQL Server (SQLOLEDB) are not recommended for new application development. Switch to the new Microsoft OLE DB Driver (MSOLEDBSQL) for SQL Server or the latest Microsoft ODBC Driver for SQL Server going forward. For SQLNCLI that ships as a component of SQL Server Database Engine (versions 2012 through 2019).

Vulnerability details:
Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability:
CVE-2023-32027, CVE-2023-32026, CVE-2023-32025, CVE-2023-29356
Microsoft ODBC and OLE DB Remote Code Execution Vulnerability
CVE-2023-29349

Official announcement: For details, please refer to link – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29349