CVE-2023-20900 – Does SAML token signing bypass happen this way?  (31-08-2023)

Preface: The easier way to get the SAML token is directly through the UserSession you can access in your Java plugin.  UserSession has a samlTokenXml field.  Then you can use the SSO API to convert that xml into the SAML token object.

Background: VMware Tools is a set of services and modules that enable several features in VMware products for better management of guest operating systems. For example:

– Pass messages from the host operating system to the guest operating system.

– Customize guest operating systems as a part of the vCenter Server and other VMware products.

– Run scripts that help automate guest operating system operations. The scripts run when the power state of the virtual machine changes.

– Synchronize the time in the guest operating system with the time on the host operating system.

Vulnerability details: CVE-2023-20900 VMware Tools contains a SAML token signature bypass vulnerability. A malicious actor with man-in-the-middle (MITM) network positioning between vCenter server and the virtual machine may be able to bypass SAML token signature verification, to perform VMware Tools Guest Operations.

Official announcement: For details, please refer to the link – https://www.vmware.com/security/advisories/VMSA-2023-0019.html

Security Focus of CVE-2023-34039: About Aria Operations for Networks design weakness (Issue Date: 2023-08-29)

Preface: VMware Aria Operations for Networks is the product formerly known as vRealize Network Insight.

Background: VMware Aria Operations for Networks (formerly vRealize Network Insight) delivers end-to-end network visibility converged across virtual and physical networks, planning and troubleshooting with assurance and verification that network and application connectivity performs towards business and security intents across Software Defined Data Center, VMware NSX, VMware SD-WAN™ by VeloCloud®, VMware Cloud on AWS, Azure, AWS, and Kubernetes.

Vulnerability details: Aria Operations for Networks contains an Authentication Bypass vulnerability due to a lack of unique cryptographic key generation. VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8.

A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI.

Official announcement: For details, please refer to the link – https://www.vmware.com/security/advisories/VMSA-2023-0018.html

Resolution: Upgrade to VMware Aria Operations for Networks 6.11.
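The weakness above comes from key material that is not generated per installation, so the same SSH key ends up trusted on every instance. A practical check on the defender's side is to collect the public-key lines from each appliance and look for fingerprints that appear on more than one of them. The script below is an added example written for this post, not VMware's code; the inventory and the key blobs in it are constructed for the demo (the blobs are syntactically valid but not real keys), and the OpenSSH "SHA256:" fingerprint format is the only real convention it relies on.

```python
from __future__ import annotations

import base64
import hashlib
from collections import defaultdict


def ssh_fingerprint(line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of one public-key line.

    Accepts the "<type> <base64 blob> [comment]" format used in
    authorized_keys and ssh_host_*_key.pub files. The comment is ignored,
    so the same key with different comments still matches.
    """
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError(f"not an OpenSSH public key line: {line[:40]!r}")
    blob = base64.b64decode(parts[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the digest base64-encoded with the '=' padding removed.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_keys(inventory: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map each fingerprint found on more than one instance to the sorted
    list of instances that present or trust it. An empty result means every
    instance has its own key material."""
    seen: dict[str, set[str]] = defaultdict(set)
    for instance, lines in inventory.items():
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            seen[ssh_fingerprint(line)].add(instance)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


def constructed_key(seed: bytes, comment: str = "support@vendor") -> str:
    """Build a syntactically valid ssh-ed25519 line from made-up key bytes.
    Demo helper only: the blob is not a real key."""
    key_bytes = seed.ljust(32, b"\x00")[:32]
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + key_bytes
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed inventory: authorized_keys contents gathered from three
# appliance instances. Two of them carry the same baked-in support key.
INVENTORY = {
    "appliance-a": [constructed_key(b"baked-in-support-key"), constructed_key(b"unique-a")],
    "appliance-b": [constructed_key(b"baked-in-support-key", "support@vendor (image v2)"),
                    constructed_key(b"unique-b")],
    "appliance-c": ["# no vendor key on this one", constructed_key(b"unique-c")],
}

if __name__ == "__main__":
    for fp, hosts in shared_keys(INVENTORY).items():
        print(f"{fp} is trusted on {len(hosts)} instances: {', '.join(hosts)}")
```

Run it against real files by replacing INVENTORY with the authorized_keys and host-key lines pulled from each appliance; any fingerprint listed on two or more instances is a candidate for the kind of shared key this advisory describes and should be rotated per instance.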

CVE-2023-41361: FRRouting 9.0 encountered buffer overflow (29th Aug 2023)

Preface: OSPF is used to determine the fastest route, while BGP focuses on determining the best path.

Background: Network architects use FRR for ISPs, SaaS infrastructure, web 2.0 businesses, hyperscale services, and Fortune 500 private clouds. If you look around, the traditional networking equipment vendors also offer software appliances, because routing now lives in a world of small, stackable virtual machines.

FRRouting (FRR) is a free and open source Internet routing protocol suite for Linux and Unix platforms.

The worker nodes are responsible for running the containers and doing any work assigned to them by the master node.

Ref: Calico is a networking and security solution that enables Kubernetes workloads and non-Kubernetes/legacy workloads to communicate seamlessly and securely.

Vulnerability details: An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open[.]c does not check for an overly large length of the received software version.

Official details: For details, please refer to the link – https://github.com/FRRouting/frr/pull/14241

CVE-2023-36481 – Buffer copy without checking input size during PPP communication in Shannon BaseBand (28th Aug 2023)

Preface: Samsung has also used a cheaper and less smart processor, Exynos 9610 with the unit cost of $14.90, for the affordable Galaxy A50 model.

Background: Global edition devices instead use EXYNOS – Samsung LSI’s in-house SoC (System on a chip). Shannon co-exists in the SoC floorplan as an IP block.

Every phone today that has a SIM card has a baseband processor. Shannon is a particular implementation of these standards.

Remark: When writing Linux kernel driver software for a new SoC, it can be helpful to know the specific IP block (and its heritage) used in a chip, in order to reuse software from other projects.

Vulnerability details: An issue was discovered in Samsung Exynos Mobile Processor and Wearable Processor 9810, 9610, 9820, 980, 850, 1080, 2100, 2200, 1280, 1380, 1330, 9110, and W920. Improper handling of PPP length parameter inconsistency can cause an infinite loop.

Official announcement: For details, please refer to the link – https://semiconductor.samsung.com/support/quality-support/product-security-updates/
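Both the FRR post (a received software-version length that is larger than the buffer it is copied into) and this Shannon post (a PPP length parameter inconsistent with the data, leading to an infinite loop) are failures of the same kind: a length field taken from the wire is trusted before it is compared against what was actually received and against the destination buffer. The parser below is an added example written for these two posts; it is not FRR's code and not the baseband's. The TLV layout (one type byte, one length byte counting the whole element, then the value), the 64-byte buffer size and the sample packets are all constructed for the demo.

```python
from __future__ import annotations

# Constructed TLV layout for the demo, modelled on how BGP optional
# parameters and PPP options carry a length field: one type byte, one
# length byte that counts the whole element (header included), then the
# value. This is not FRR's or the baseband's actual parser.
HEADER_LEN = 2
MAX_VALUE_LEN = 64   # size of the fixed buffer a value is copied into


class TLVError(ValueError):
    pass


def parse_tlvs(buf: bytes) -> list[tuple[int, bytes]]:
    """Parse a run of TLVs, rejecting the two length inconsistencies the
    posts describe before any copy or loop step depends on them."""
    out: list[tuple[int, bytes]] = []
    pos = 0
    while pos < len(buf):
        remaining = len(buf) - pos
        if remaining < HEADER_LEN:
            raise TLVError(f"truncated header at offset {pos}")
        t, length = buf[pos], buf[pos + 1]
        # A length shorter than its own header means the cursor would not
        # move forward; without this check the loop never terminates.
        if length < HEADER_LEN:
            raise TLVError(f"type {t}: length {length} makes no progress")
        # A length beyond the bytes actually received would make the copy
        # read past the end of the packet.
        if length > remaining:
            raise TLVError(f"type {t}: length {length} exceeds remaining {remaining} bytes")
        value_len = length - HEADER_LEN
        # A value longer than the destination buffer would overflow it even
        # though it fits inside the packet; this is the "overly large
        # length" case from the FRR post.
        if value_len > MAX_VALUE_LEN:
            raise TLVError(f"type {t}: value of {value_len} bytes exceeds buffer of {MAX_VALUE_LEN}")
        out.append((t, buf[pos + HEADER_LEN:pos + length]))
        pos += length
    return out


def validate(buf: bytes) -> str | None:
    """None if buf parses cleanly, otherwise the reason it was rejected."""
    try:
        parse_tlvs(buf)
        return None
    except TLVError as exc:
        return str(exc)


def encode_tlv(t: int, value: bytes) -> bytes:
    """Build one well-formed TLV (used to construct the sample inputs)."""
    total = HEADER_LEN + len(value)
    if total > 255:
        raise TLVError("value too long for a one-byte length field")
    return bytes([t, total]) + value


# Constructed sample packets.
GOOD = encode_tlv(1, b"\x05") + encode_tlv(4, b"FRRouting/9.0")
ZERO_LENGTH = encode_tlv(1, b"\x05") + bytes([4, 0]) + b"A"        # loop would spin on type 4
OVERSIZED = encode_tlv(1, b"\x05") + bytes([4, 200]) + b"abc"       # claims 200, only 5 present
TOO_LONG_VERSION = encode_tlv(4, b"V" * 100)                        # fits the packet, not the buffer

if __name__ == "__main__":
    for name, pkt in [("GOOD", GOOD), ("ZERO_LENGTH", ZERO_LENGTH),
                      ("OVERSIZED", OVERSIZED), ("TOO_LONG_VERSION", TOO_LONG_VERSION)]:
        print(name, "->", validate(pkt) or parse_tlvs(pkt))
```

The three checks are deliberately separate: "makes no progress" is the loop-termination guard from the PPP case, "exceeds remaining" bounds the read against the packet, and "exceeds buffer" bounds the copy against the fixed destination, which is the check the FRR pull request adds for the software-version field.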

CVE-2023-40017 on GeoNodes (24th Aug 2023)

Preface: A few years ago, Server Side Request Forgery (SSRF) did not attract much attention from IT administrators. Since ransomware emerged, SSRF has become a real worry because cyber criminals can exploit it. So we should be careful when we learn that our web server applications contain an SSRF vulnerability.

Background: GeoNode is a geospatial content management system, a platform for the management and publication of geospatial data. It brings together mature and stable open-source software projects under a consistent and easy-to-use interface allowing non-specialized users to share data and create interactive maps.

For reference:

  • Django is a high-level Python web framework
  • PostgreSQL / PostGIS (Vector Datasets)
  • pyCSW – pycsw is an OARec and OGC CSW server implementation written in Python.
  • Raster Datasets – Raster datasets represent geographic features by dividing the world into discrete square or rectangular cells laid out in a grid. Each cell has a value that is used to represent some characteristic of that location, such as temperature, elevation, or a spectral value.
  • File System Raster Datasets – There are three methods to store image and raster data: as files in a file system, within a geodatabase, or managed from within the geodatabase but stored in a file system.

Vulnerability details: GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. In versions 3.2.0 through 4.1.2, the endpoint `/proxy/?url=` does not properly protect against server-side request forgery. This allows an attacker to port scan internal hosts and request information from internal hosts.

Remedy: A patch is available at commit a9eebae80cb362009660a1fd49e105e7cdb499b9.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-40017
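A proxy endpoint of the `/proxy/?url=` kind is only safe if the server decides, before it connects, which hosts and ports it is willing to reach on the user's behalf. The validator below is an added example for this post and is not GeoNode's code or its patch; the allowlisted host names, the policy of one port per scheme and the sample URLs are constructed for the demo. It refuses literal IP addresses outright, since internal hosts and the link-local metadata address are reached that way, and it pins the port so the proxy cannot be used to probe other services.

```python
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Constructed policy for the demo: the only upstream services this proxy
# is meant to front. Hypothetical names, not GeoNode settings.
ALLOWED_HOSTS = {"tiles.example.org", "wms.example.org"}
DEFAULT_PORTS = {"http": 80, "https": 443}


class ProxyTargetRejected(ValueError):
    pass


def check_proxy_target(url: str) -> str:
    """Validate a user-supplied URL before the server fetches it on the
    user's behalf. Returns "host:port" on success, raises otherwise.

    The checks, in order: scheme allowlist; no credentials (user@host can
    disguise the real host); literal IP addresses of any kind are refused
    (loopback, link-local metadata, RFC 1918 targets all arrive this way);
    host must be on the allowlist; only the scheme's default port is
    reachable, which removes the port-scanning use of the proxy.
    The caller still has to resolve the name and re-check the resolved
    address to defeat DNS rebinding; that step is left out so the demo
    runs offline.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ProxyTargetRejected(f"scheme {scheme or '(none)'!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise ProxyTargetRejected("credentials in URL not allowed")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise ProxyTargetRejected("missing host")
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        raise ProxyTargetRejected(f"literal IP address {host!r} not allowed")
    if host not in ALLOWED_HOSTS:
        raise ProxyTargetRejected(f"host {host!r} not in allowlist")
    try:
        port = parts.port
    except ValueError:
        raise ProxyTargetRejected("malformed port") from None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    if port != DEFAULT_PORTS[scheme]:
        raise ProxyTargetRejected(f"port {port} not allowed for {scheme}")
    return f"{host}:{port}"


def proxy_decision(url: str) -> str:
    """'allow <host:port>' or 'deny <reason>', handy for logging."""
    try:
        return "allow " + check_proxy_target(url)
    except ProxyTargetRejected as exc:
        return "deny " + str(exc)


# Constructed requests as they might arrive at a /proxy/?url= endpoint.
SAMPLE_URLS = [
    "https://tiles.example.org/wmts?layer=osm",
    "http://127.0.0.1:8080/",
    "http://169.254.169.254/latest/meta-data/",
    "http://[::1]/",
    "https://tiles.example.org:22/",
    "file:///etc/passwd",
    "http://tiles.example.org@10.0.0.5/",
    "https://evil.example.net/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u:45} {proxy_decision(u)}")
```

Logging the "deny" reasons is worthwhile on its own: a burst of rejected literal-IP or off-port requests against the proxy is exactly the internal port scan the advisory describes, seen from the defender's side.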

CVE-2023-40178: Node-SAML Improper Verification of Cryptographic Signature (23rd Aug 2023)

Preface: That said, SSO reduces the attack surface because users log in only once each day and use only one set of credentials. Reducing login to one set of credentials improves enterprise security. Or are there other concerns?

Background: Node-SAML has built-in support for SLO, including signature validation, IdP-initiated and SP-initiated logouts, decryption of encrypted name identifiers in IdP-initiated logout, and the Redirect and POST SAML protocol bindings.

A SAML Service Provider (SP) is a system entity that receives and accepts authentication assertions in conjunction with a Single Sign-On (SSO) profile of the Security Assertion Markup Language (SAML). For example: Gmail, Salesforce, etc.

An identity provider performs the authentication that the end user is who they say they are and sends that data to the service provider along with the user’s access rights for the service. Microsoft Active Directory or Azure are common identity providers. Salesforce and other CRM solutions are usually service providers, in that they depend on an identity provider for user authentication.

Vulnerability details: Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of a check against the current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past NotOnOrAfter. This could impact a user, who would be logged out by an expired LogoutRequest. In bigger contexts, if LogoutRequests are sent out en masse to different SPs, this could impact many users on a large scale.

Remedy: This issue was patched in version 4.0.5.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-40178
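The missing check is a small one: after the signature on a LogoutRequest has been verified, the SP must still compare NotOnOrAfter (and IssueInstant) with its own clock and refuse to process the same request ID twice. The validator below is an added example written for this post; it is not Node-SAML's code or its 4.0.5 fix. The LogoutRequest document, the five-minute window and the 30-second clock skew are constructed for the demo, and signature verification is assumed to have already happened before these checks run.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


class LogoutRequestRejected(ValueError):
    pass


def parse_saml_time(value: str) -> datetime:
    """Parse a SAML xs:dateTime (UTC, trailing 'Z') into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    try:
        dt = datetime.fromisoformat(value)
    except ValueError:
        raise LogoutRequestRejected(f"unparseable timestamp {value!r}") from None
    if dt.tzinfo is None:
        raise LogoutRequestRejected("timestamp without timezone")
    return dt


class LogoutRequestValidator:
    """Time-window and replay checks for an SP receiving LogoutRequests.

    Signature verification is assumed to have already succeeded (that is
    the library's job); these checks close the gap the post describes,
    where a validly signed request stays usable after NotOnOrAfter.
    """

    def __init__(self, max_age: timedelta = timedelta(minutes=5),
                 clock_skew: timedelta = timedelta(seconds=30)) -> None:
        self.max_age = max_age
        self.skew = clock_skew
        # In production this set lives in a shared store with an expiry at
        # least as long as max_age + skew, so restarts and other nodes see it.
        self.seen_ids: set[str] = set()

    def validate(self, xml_text: str, now: datetime) -> str:
        """Return the NameID to log out, or raise LogoutRequestRejected."""
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{SAMLP}}}LogoutRequest":
            raise LogoutRequestRejected("not a samlp:LogoutRequest")
        req_id = root.get("ID")
        if not req_id:
            raise LogoutRequestRejected("missing ID")
        issue_instant = root.get("IssueInstant")
        if issue_instant is None:
            raise LogoutRequestRejected("missing IssueInstant")
        issued = parse_saml_time(issue_instant)
        if issued > now + self.skew:
            raise LogoutRequestRejected("IssueInstant is in the future")
        # The explicit bound from the request itself, checked first.
        not_on_or_after = root.get("NotOnOrAfter")
        if not_on_or_after is not None and now >= parse_saml_time(not_on_or_after) + self.skew:
            raise LogoutRequestRejected("NotOnOrAfter has passed")
        # A cap of our own, so a request without NotOnOrAfter cannot live forever.
        if now > issued + self.max_age + self.skew:
            raise LogoutRequestRejected("IssueInstant is too old")
        # Replay: the same ID must not be accepted twice, even inside the window.
        if req_id in self.seen_ids:
            raise LogoutRequestRejected(f"replayed LogoutRequest {req_id}")
        self.seen_ids.add(req_id)
        name_id = root.findtext(f"{{{SAML}}}NameID")
        if not name_id:
            raise LogoutRequestRejected("missing NameID")
        return name_id.strip()

    def check(self, xml_text: str, now: datetime) -> str | None:
        """None if accepted, else the rejection reason (for logging/tests)."""
        try:
            self.validate(xml_text, now)
            return None
        except LogoutRequestRejected as exc:
            return str(exc)


# Constructed LogoutRequest (signature element omitted; see class docstring).
SAMPLE_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-id-0001" Version="2.0"
    IssueInstant="2023-08-23T10:00:00Z" NotOnOrAfter="2023-08-23T10:05:00Z"
    Destination="https://sp.example.org/logout">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:NameID>alice@example.org</saml:NameID>
</samlp:LogoutRequest>"""

if __name__ == "__main__":
    v = LogoutRequestValidator()
    for when in ("2023-08-23T10:01:00Z", "2023-08-23T10:01:30Z", "2023-08-23T10:06:00Z"):
        print(when, "->", v.check(SAMPLE_LOGOUT_REQUEST, parse_saml_time(when)) or "accepted")
```

The replay set is the part most often forgotten: without it, a captured request is still reusable for the whole of its validity window, which is the mass-logout scenario the post warns about, only shortened rather than removed.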

CVE-2023-41105: Python 3.11 through 3.11.4 (os.path.normpath) truncates input on null bytes (23rd Aug 2023)

Preface: Like Java, Python is popular because Python applications can run on all operating systems (Windows, Unix, Linux, Mac).

Background: What’s New in Python 3.11: one of the new modules is tomllib, for parsing TOML.
I. TOML makes writing configuration files simple, straightforward, and more human-readable than many other formats, including JSON.
The TOML file used to configure the buildkitd daemon settings has a short list of global settings followed by a series of sections for specific areas of daemon configuration.
The file path is /etc/buildkit/buildkitd.toml for rootful mode, ~/.config/buildkit/buildkitd.toml for rootless mode.

II. The os.path.normpath() method in Python is used to normalize the specified path. All redundant separators and up-level references are collapsed in the process of path normalization.
For example: A//B, A/B/, A/./B and A/foo/../B all will be normalized to A/B.

If your Docker setup automation includes both I and II above, you should stay alert.

Vulnerability details:

'\0' means NULL. If a path containing ‘\0’ bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first ‘\0’ byte.

As a result, in some cases a filename that an application would have rejected for security reasons in Python 3.10.x or earlier is no longer rejected in Python 3.11 through 3.11.4.

08/23/2023 disclosed

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-41105
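The practical consequence is that a security filter which normalizes first and inspects the result judges a different name from the one the rest of the program (and the eventual system call) handles, on exactly those interpreter versions. The wrapper below is an added example written for this post, not CPython's fix: it rejects NUL bytes before normalizing, so the outcome is identical on every Python version, and shows the containment check (keeping a user-supplied path under a base directory) that such a filter typically implements. The base directory and sample paths are constructed; posixpath is used instead of os.path only so the demo behaves the same on Windows.

```python
from __future__ import annotations

import posixpath


class UnsafePath(ValueError):
    pass


def safe_normpath(path: str) -> str:
    """os.path.normpath with the NUL check done first.

    On Python 3.11.0-3.11.4 normpath silently drops everything from the
    first '\\0' onward, so a filter that looks at the normalised string
    judges a different name from the one a later open() would receive.
    Rejecting NUL before normalising gives the same result on every
    interpreter version. posixpath is os.path on Linux; it is named
    explicitly so the example is platform-independent.
    """
    if "\0" in path:
        raise UnsafePath("embedded NUL byte in path")
    return posixpath.normpath(path)


def resolve_under(base: str, user_path: str) -> str:
    """Join a user-supplied relative path onto base and verify the result
    still lies inside base. This is the kind of check whose input the
    truncation bug silently alters."""
    if posixpath.isabs(user_path):
        raise UnsafePath("absolute paths are not accepted")
    base = safe_normpath(base)
    full = safe_normpath(posixpath.join(base, user_path))
    # Compare on a directory boundary so "/srv/data2" does not pass as
    # being inside "/srv/data".
    if full != base and not full.startswith(base.rstrip("/") + "/"):
        raise UnsafePath(f"{user_path!r} escapes {base!r}")
    return full


def is_safe(base: str, user_path: str) -> bool:
    try:
        resolve_under(base, user_path)
        return True
    except UnsafePath:
        return False


# The examples from the post: all four normalise to A/B.
NORMPATH_EXAMPLES = ["A//B", "A/B/", "A/./B", "A/foo/../B"]

if __name__ == "__main__":
    for p in NORMPATH_EXAMPLES:
        print(f"{p!r:14} -> {safe_normpath(p)!r}")
    for p in ["reports/2023.csv", "../etc/passwd", "reports/x\0.csv"]:
        print(f"{p!r:20} under /srv/data -> {is_safe('/srv/data', p)}")
```

The same rule applies beyond normpath: any string that will eventually reach a filesystem or exec call should be checked for NUL at the trust boundary, because every C-backed call below it treats the byte as a terminator.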

CVE-2023-36787: What’s up? (2023-08-23)

Background: Edge was initially built with Microsoft’s own proprietary browser engine, EdgeHTML, and their Chakra JavaScript engine. In late 2018, it was announced that Edge would be completely rebuilt as a Chromium-based browser with Blink and V8 engines.

Chrome used only WebCore, and included its own JavaScript engine named V8 and a multiprocess system. Chrome for iOS continues to use WebKit because Apple requires that web browsers on that platform must do so.

Remark: Edge was originally based on Chakra but has more recently been rebuilt using Chromium and the V8 engine. V8 is written in C++, and it’s continuously improved.

Vulnerability details: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability.

06/27/2023 CVE reserved

08/17/2023 +51 days

Official announcement: For details, please refer to the link – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36787

CVE-2023-21273: When you run this design, you should be concerned about this vulnerability! (20th Aug 2023)

Preface: A UUID is a simple 128-bit number that is unique across the world. Bluetooth sends data over the air, and all nearby devices can receive it.

Background: Android “O” was officially released on August 21, 2017 under the name “Oreo”. The BluetoothHidDevice framework adds the SDP record during app registration, so that the Android device can be discovered as a Bluetooth HID Device. The related module source file “sdp_db[.]cc” appeared during this period. Over time, the Bluetooth module, including sdp_db[.]cc, was carried forward into the present-day Android Open Source Project (AOSP).

Vulnerability details: In SDP_AddAttribute of sdp_db[.]cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Severity – Critical

Type – RCE

Updated AOSP versions – 11,12,12L, 13

Official Announcement: For details, please refer to the link below:

https://android.googlesource.com/platform/packages/modules/Bluetooth/+/1e27ef69755a0735278a1c6af130c71a92b94e3f%5E%21/#F0

https://source.android.com/security/bulletin/2023-08-01

CVE-2023-40272: Apache Airflow Spark Provider design weakness (17th Aug 2023)

Background: What is Apache Airflow used for?

Apache Airflow is an open-source tool to programmatically author, schedule, and monitor workflows. It is one of the most robust platforms used by Data Engineers for orchestrating workflows or pipelines. You can easily visualize your data pipelines’ dependencies, progress, logs, code, trigger tasks, and success status.

What is the difference between extras and providers in Airflow?

Extras are a standard Python setuptools feature that allows an additional set of dependencies to be added as optional features to “core” Apache Airflow. One type of such optional feature is provider packages, but not all optional features of Apache Airflow have corresponding providers.

Providers can contain operators, hooks, sensors, and transfer operators to communicate with a multitude of external systems, but they can also extend the Airflow core with new capabilities. You can install those provider packages separately in order to interface with a given service.

What is deployment Mode in Apache Spark?

  • Client mode – The driver component runs on the machine from which the job is submitted, so the job’s behavior depends on that machine.
  • Cluster mode – The driver component does not run on the local machine from which the job is submitted; it runs inside the cluster.

Vulnerability Details: Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection giving an opportunity to read files on the Airflow server. It is recommended to upgrade to a version that is not affected.

Affected versions: Apache Airflow Spark Provider before 4.1.3

Remedy: Patched versions 4.1.3

Official announcement: For details, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2023-40272