About CVE-2023-20575: Learn about CPU Vendor Low Risk Vulnerabilities and learn more about specific technologies (17-07-2023)

Preface: Enable/Disable AMD virtualization in BIOS

  1. Open BIOS menu.
  2. Go to Advanced- > IOMMU and enable/disable AMD IOMMU. B. AMD SVM.
  3. Go to Advanced -> SVM Mode and enable/disable AMD SVM.

Background: AMD-V technology added VM capability via VM instructions in AMD’s x86 CPU chips. The technology uses hardware to simplify the tasks that VM managers normally perform via software emulation.

Prior to starting an encrypted VM, software must enable MemEncryptionModEn through MSR C001_0010 (SYSCFG). SEV may then be enabled on a specific virtual machine during the VMRUN instruction if the hypervisor sets the SEV enable (bit 1) in VMCB offset 090h.

Vulnerability details: A potential power side-channel vulnerability in some AMD processors may allow an authenticated attacker to use the power reporting functionality to monitor a program’s execution inside an AMD SEV VM potentially resulting in a leak of sensitive information.

This attack exploit by attacker does not seem to be a particularly novel attack as it uses the same technique as the Platypus attack from 2020. One difference from the Platypus attack is this reported attack is used against an AMD SEV virtual machine.

2022-10-27 CVE assigned

2023-07-11 +257 days Released to public

Official announcement: For details, please refer to the links:

https://nvd.nist.gov/vuln/detail/CVE-2023-20575

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3004.html

About CVE-2023-37466: vm2 sandbox hit high severity risk vulnerability. (14th July 2023)

Preface: If you recall, programming in Java was involved in the field of network security ten years ago, because many serious incidents were caused by Java applications. Over time, the Java sandbox and secure programming techniques temporarily calmed the field. However, there was no long-term peace.

Background: vm2 is a sandbox that can run untrusted code with whitelisted Node’s built-in modules. It specialized JavaScript sandbox used by a broad range of software tools for running and testing untrusted code in an isolated environment, preventing the code from accessing the host’s system resources or external data.

Vulnerability details: The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed with @@species accessor property allowing attackers to escape the sandbox and run arbitrary code. Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox.

Ref: A Node[.]js Promise is a placeholder for a value that will be available in the future, allowing us to handle the result of an asynchronous task once it has completed or encountered an error. Promises make writing asynchronous code easier. They’re an improvement on the callback pattern and very popular in Node[.]js.

Ref: The Proxy object allows you to create an object that can be used in place of the original object, but which may redefine fundamental Object operations like getting, setting, and defining properties. Proxy objects are commonly used to log property accesses, validate, format, or sanitize inputs, and so on.

Official announcement: For details, please refer to the link – https://www.tenable.com/cve/CVE-2023-37466

About CVE-2023-33308: Does the fault not belong to Forti? (12th Jul 2023)

Preface: Security profiles in proxy mode can perform SSL inspection on HTTP/2 traffic that is secured by TLS 1.2 or 1.3 using the Application-Layer Protocol Negotiation (ALPN) extension.

Background: In HTTP/2, a series of “pseudo-headers” is used to send key information about the message. Most notably, several pseudo-headers effectively replace the HTTP/1 request line and status line. In total, there are five pseudo-headers: :method – The HTTP method of the request, such as GET or POST .
Deep packet inspection evaluates the data part and the header of a packet that is transmitted through an inspection point, weeding out any non-compliance to protocol, spam, viruses, intrusions, and any other defined criteria to block the packet from passing through the inspection point.
Security profiles in proxy mode can perform SSL inspection on HTTP/2 traffic that is secured by TLS 1.2 or 1.3 using the Application-Layer Protocol Negotiation (ALPN) extension.

Vulnerability details: A stack-based overflow vulnerability [CWE-124] in FortiOS & FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection.

Ref: When using TLS, most clients default to HTTP/1 and explicitly advertise support for HTTP/2 via the ALPN field during the web server TLS handshake. Some web servers that support HTTP/2 are misconfigured to advertise this fact, causing clients to only communicate with them HTTP/1, and hiding the potential attack surface. Attacker takes HTTP/1.1-formatted requests as input, then rewrites them as HTTP/2. During the rewrite, it performs a few character mappings on the headers to override pseudo-headers by specifying them as fake HTTP/1.1 headers.

Official announcement: For details, please refer to the link – https://www.fortiguard.com/psirt/FG-IR-23-183

About CVE-2023-24492: Citrix managed to fight it all (11th July 2023)

Preface: The secure access solution from Citrix provides a unified stack of cloud-delivered services that allows IT to provide a productive hybrid work environment with zero trust security.

Background: Citrix Secure Access client for Linux is a VPN client software managed by NetScaler Gateway that enables users to access corporate data and applications remotely. It protects applications from unauthorized access, application-level threats, and browser-based attacks.
Ref: If the HttpOnly attribute is set on a cookie, then the cookie’s value cannot be read or set by client side JavaScript. This measure makes certain client side attacks, such as cross-site scripting, slightly harder to exploit by preventing them from trivially capturing the cookie’s value via an injected script.

Vulnerability details: Vulnerabilities have been discovered in Citrix Secure Access client for Ubuntu (previously Citrix Gateway VPN client for Ubuntu). 
If exploited, could allow an attacker to remotely execute code if a victim user opens an attacker-crafted link and accepts further prompts.
The following supported versions are affected by the vulnerability: Versions before 23.5.2
Ref: The Citrix Secure Access and Citrix EPA clients support the HTTPOnly flag on the  authentication cookies.
NetScaler Gateway admins configure the HTTPOnly feature on the authentication cookie that are generated by web applications. This feature help in preventing cookie theft due to cross site scripting .

Official announcement:For details, please refer to the link – https://support.citrix.com/article/CTX564169/citrix-secure-access-client-for-ubuntu-security-bulletin-for-cve202324492

About CVE-2023-21633: This time not my flaw, said Android (11th July 2023)

Preface: Android Ril The RIL part of Android is mainly divided into two parts: RILJ and RILC. RILJ runs in the java part of framework->telephony, and RILC runs in the native part of the HAL layer.

Background: The AP side of different manufacturers of the Android platform can be the same, but the Modem side will definitely be very different. One problem that the RIL layer needs to solve is to adapt to the Modem of different manufacturers. In order to meet the compatibility requirements, Android builds a In the framework of RILC, different Modem manufacturers connect their own protocols to the AP side. For the Qualcomm platform, his RILC is QCRIL.

Vulnerability details: Memory Corruption in Linux while processing QcRilRequestImsRegisterMultiIdentityMessage request.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-21633

Understanding the AI strucrure will help you defend your facilities (10th July 2023)

Preface: Python has 100s of pre-built libraries to implement various Machine Learning and Deep Learning algorithms.

Background: When the word “AI” not found, Python alive everywhere in IT world. Scientist use Python programming language assists their complicated mathematics calculations. Data scientist to analyze geospatial vector data to identify a specific location. Python language is flexi and powerful. But the fundamental design weakness is well known. As a result, you should protect your AI system structure attack by threat actors. For example:
– Some Python security vulnerabilities come from Python’s open-source libraries.
– Injection: Dependency injection is a common design pattern used in most modern programming language. As a matter of fact, such weakness remains an underutilized functionality in Python.
– Command injection which can be expose through misconfig software application. As a result, the possible attack will execute arbitrary command injection, XML external entity injection and server side template injection.


About best practices for Python security

  • Conducting a vulnerability scan weekly. This is the way let you identify and fix Python security vulnerability
  • You should sanitize external data before use.
  • Follow your Python version SDLC, DevSEC should aware of this matter.
    Additional: NVIDIA empower Artificial Intelligence competence. Staying alert with GPU vendor vulnerability management announcement.

CVE-2023-21250 and CVE-2023-2136: Android managed to fight it all (7th Jul 2023)

Preface: VMOS is a virtual machine app that runs on Android, which can run another Android OS as the guest operating system. Users can optionally run the guest Android VM as a rooted Android OS. The VMOS guest Android operating system has access to the Google Play Store and other Google apps.

Background: It comes down to Android 13 featuring better handling of virtualization. Android 13 supports a common hypervisor in the form of KVM — a kernel-based virtual machine. VMOS Lets You Run a Virtual Android Machine on your Phone. CAP_NET_ADMIN is in any user or network namespace. If VMOS also relies on namespaces architecture. Therefore, the consequence of the vulnerability will be happened. It is a critical vulnerability.
It comes down to Android 13 featuring better handling of virtualization. Android 13 supports a common hypervisor in the form of KVM — a kernel-based virtual machine.
As a result, the consequences of the vulnerability occur. This vulnerability is the same as CVE-2023-21250, which is a critical level vulnerability.

Vulnerability details: Since official announcement did not provided any details on CVE-2023-21250. However, my speculation believed that CVE-2023-21250 and CVE-2023-2136 may be same as vulnerability shown in attached diagram.

Official announcement: For details, please refer to the link – https://source.android.com/docs/security/bulletin/2023-07-01

About CVE-2023-31248 & CVE-2023-35001: CAP_NET_ADMIN is in any user or network namespace. Does it have impact to downstream vendor? (6th July 2023)

Preface: CAP_NET_ADMIN is in any user or network namespace.

Background: The “Capabilities” mechanism was introduced after the Linux kernel 2.2. If the “Capabilities” setting is incorrect,
it will give attackers an opportunity to achieve privilege escalation. Linux capabilities provide a subset of the available root privileges to a process.
Starting from the Linux-2.1 kernel, the concept of capability is introduced to achieve grained access control.
You can find the capabilities defined in /usr/include/linux/capability[.]h (see below):
CAP_CHOWN 0 allows changing file ownership
CAP_DAC_OVERRIDE 1 ignores all DAC access restrictions on the file
CAP_DAC_READ_SEARCH 2 Ignore all restrictions on read and search operations
CAP_FOWNER 3 If the file belongs to the UID of the process, cancel the restriction on the file
CAP_FSETID 4 Allows setting the setuid bit
.
CAP_NET_ADMIN 12 Allows performing network administration tasks: interfaces, firewalls, routing, etc.

Vulnerability details:
CVE-2023-31248 Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability;
nft_chain_lookup_byid() failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace.
For details, please refer to the link – https://www.tenable.com/cve/CVE-2023-31248

CVE-2023-35001 Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace

Focus on CVE-2023-31248
This is due to the nft_chain_lookup_by id ignoring the genmask.
Remark: The Genmask field is the bit mask that IP applies to the destination address from the packet to see if the address matches the destination value in the table.
If a bit is on in the bit mask, the corresponding bit in the destination address is significant for matching the address.
Once the first table is removed, all the member objects, as well as the table itself, are kfree()’d, but the references will be kept in the second table, so it encountered a use-after-free condition.

CVE-2023-22387 Use of Out-of-range Pointer Offset in Qualcomm IPC (4th July 2023)

Preface: Gunyah is a Type-1 hypervisor designed for strong security, performance and modularity. Independent of any high-level OS kernel, Gunyah runs in a higher CPU privilege level, and does not depend on any lower-privileged OS kernel/code for its core functionality.

Background: Gunyah is a product of Qualcomm Innovation Center, Inc. Gunyah is an open-source type-1 hypervisor developed by Qualcomm with an emphasis on security and other features.
There are 2 types of process:

  • Independent Processes – Processes that do not share data with other processes.
  • Cooperating Processes – Processes that shares data with other processes.
    Inter-Process Communication is the mechanism by which cooperating process share data and information.
  • Shared memory: A particular region of memory is shared between cooperating process.
  • Cooperating process can exchange information by reading and writing data to this shared region.
  • It’s faster than Memory Parsing, as Kernel is required only once, that is, setting up a shared memory . After That, kernel assistance is not required.

Vulnerability details: Arbitrary memory overwrite when VM gets compromised in TX write leading to Memory Corruption.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-22387

A hundred years later, communication was ready to receive phone call again.

Preface: When you read the newspaper, you will found some news, some prophet had prophecy alien may visit to our earth in 2023. Like a fiction. But coincidentally SITA also prepare for advance civilization communications.

MAVEN, is an orbiter dedicated to studying Mars’ atmosphere. MAVEN launched in November 2013 and arrived at Mars in September 2014.

Have you ever heard of an organization called SETI?

In 1997, scientists at the SETI Institute detected an interesting signal. Although the transmission was initially thought to be from extraterrestrial origin. It was identified as a SOHO solar research satellite later. But it did not upsad to scientists .

The SETI Institute is a non-profit organization that aims to “explore, understand and explain the origin, properties and spread of life in the universe”. SETI stands for “Search for Extraterrestrial Intelligence Initiative”. One of these plans is to use radio and optical telescopes to search for intentional signals from extraterrestrial intelligent life.

SETI arrange emulate Alien-like message sent to Earth in a test to prepare for the real thing.

The message went out on 24th May, 2023 from the ExoMars Trace Gas Orbiter, a spacecraft launched in 2016 that is currently orbiting Mars to study its atmosphere. Once received in earth three different stations, the raw data containing the message was released on the internet via Filecoin, a large decentralized storage network. For details, please refer to the link – https://edition.cnn.com/2023/06/01/world/seti-alien-message-test-scn/index.html

Generally speaking, it takes about 5 to 20 minutes for a radio signal to travel the distance between Mars and Earth, depending on planet positions. Using orbiters to relay messages will be more efficient because they are much closer to “Perseverance” than the Deep Space Network (DSN) antennas on Earth.

In 1901, engineer Nicola Tesla made the astonishing claim that he was receiving radio communications from Mars. His description was picked up and reported on broadly in the press.

Telsa coils are mounted in a tower structure and include coils, capacitors and spark gaps (equivalent to resistors). It constitutes the LCR circuit, which can generate radio frequency emission waves. Furthermore, such a coil structure is capable of receiving signals. Maybe that’s why he mentions that he’s getting an unknown strange signal from somewhere.

Tesla was a famous scientist. I strongly believe that he has enough facts to proof his findings. But it is sad that he is not in this world anymore. Perhaps we never find the final answer found by Tesla. But in our earth, there are more ancient ruins can tell. For example, Pyramid of Khufu, Bolivia Puma Punku advanced technology cutting stone blocks ruins and The Temple of Bacchus, …etc.

If you compare SETI’s method of rehearsing the test signal with the signal discovered by Nicholas Tesla in 1901, maybe you will see that the way we communicate in space today is similar to 1901 (the unknown signal discovered by Tesla) place. Perhaps the signal Telsa received was from a UFO near Earth. But the source of the signal was sent from Mars.

End of article

R.I.P Titan submarine tragedy on Jun 2023. One of the victim Dawood was a passionate champion for the environment. He is also a trustee at the SETI Institute. Include another four victims, it is a regret news in 2023!