Preface: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Background: A video codec is software or hardware that compresses and decompresses digital video. The libvpx is a free software video codec library from Google and the Alliance for Open Media (AOMedia).
Vulnerability details: Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Preface: The classes in the java. util. zip package support two widespread compression formats: GZIP and ZIP. Both of these are based on the ZLIB compression algorithm, which is discussed in RFC 1950, RFC 1951, and RFC 1952.
Background: Compression Ratio: Gzip generally achieves a higher compression ratio than Snappy. If storage space is a primary concern, Gzip may be the better choice. Speed: Snappy is designed for speed. If the speed of data processing is a primary concern, Snappy may be the better choice. The snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google.
Vulnerability details: The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur.
Impact: All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue.
Remedy: A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.
Preface: In the virtio protocol, the host side provides emulation of the device, and the guest side is responsible for driving the device. The relationship between host and guest is the relationship between device and driver. We usually use the method of reading and writing temporary registers to control and drive physical devices, but for emulated devices in virtio, memory organized in the form of virtqueue is used.
Background: Specific to the network devices in virtio, the driver on the guest side is called “virtio-net”. On the host side, the early classic implementation used the QEMU, that is, the user mode program on the host side provides emulation of the device. Called “vhost-user”.
Like KVM, vhost-net cannot be used alone, but must be used with QEMU, because some setting information still needs to be given from QEMU in user mode.
Vulnerability details: A flaw was found in vringh_kiov_advance in drivers/vhost/vringh[.]c in the host side of a virtio ring in the Linux Kernel. This issue may result in a denial of service from guest to host via zero length descriptor.
Preface: Netfilter is an infrastructure; it is the basic API that the Linux 2.4 kernel offers for applications that want to view and manipulate network packets.
Background: It can not only block unwanted traffic but also block malicious software from infecting the system. In the Linux ecosystem, iptables is a popular firewall that interfaces with the netfilter framework on the Linux kernel. Most of the modern Linux systems come with these tools pre-built.
Tables and Chains in Iptables, inside each table of iptables, rules are further organized within separate “chains”. While the table represents the type of rules they are holding, the chains describe the netfilter hooks that trigger the rules. In short, chains determine when the rule will be evaluated.
One of the most popular CNI plugins implementing network policies, Calico, creates a virtual network interface on the nodes for each pod and uses Netfilter rules to enforce its firewall rules.
Ref: Calico has emerged as one of the most popular CNI plugins for Kubernetes cluster networking.
Vulnerability details: An array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.
Preface: Xen is an open-source hypervisor that allows the simultaneous development, execution, and management of multiple virtual machines on one physical computer. Xen offers two types of virtualization: paravirtualization and full virtualization.
Background: XenServer is a Citrix product the company acquired from XenSource in 2007. Citrix’s XenServer provides 7 Network interface cards and 16 virtual disks.
The network I/O virtualization architecture in Xen can be a significant source of overhead for networking performance in guest domains. Xen provides each guest domain with a number of virtual network interfaces, which is used by the guest domain for all its network communications. Corresponding to each virtual interface in a guest domain, a `backend’ interface is created in the driver domain, which acts as the proxy for that virtual interface in the driver domain. All the backend interfaces in the driver domain (corresponding to the virtual interfaces) are connected to the physical NIC and to each other through a virtual network bridge.
Vulnerability details: The fix for XSA-423 added logic to Linux’es netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately the logic introduced there didn’t account for the extreme case of the entire packet being split into as many pieces as permitted by the protocol, yet still being smaller than the area that’s specially dealt with to keep all (possible) headers together. Such an unusual packet would therefore trigger a buffer overrun in the driver.
Background: Asteroid 101955 Bennu – Level 3 on the Palermo impact hazard index, a small celestial body with the highest risk of impacting the Earth.
Early in the history of the solar system, the gravity of newly formed Jupiter brought an end to the formation of planetary bodies in this region and caused the small bodies to collide with one another, fragmenting them into the asteroids we observe today.
the slight push created when the asteroid absorbs sunlight and re-emits that energy as heat — and gravitational tugs from other celestial bodies, it has drifted closer and closer to Earth from its likely birthplace: the Main Asteroid Belt between Mars and Jupiter.
Why does NASA track it?
Chicxulub crater, the buried remnants of an asteroid impact off the Yucatán Peninsula in Mexico that killed off the dinosaurs 66 million years ago.
Preface: Perhaps this isn’t the first time this year we’ve heard of Safari and iOS having design flaws. Since both elements are close to each other. It is inevitable that it may have an impact. In addition, Safari includes open source code. So when a design flaw is discovered, sometimes the results look similar. The reason is that it happens in the same component, but that component is composed of other open source software.
In accordance with Apple’s Vulnerability Management Policy. Due to commercial reasons, technical details are not disclosed. But if anyone is interested in what happened. Increases the difficulty of analysis. But no harm. Bold assumptions and careful verification are the definition of science.
Background: On iOS and related software operating system products (macOS and iPadOS), Safari is built into the operating system (OS). Furthermore, it uses Apple’s open source browser engine WebKit, which is derived from KHTML. WebKit is a browser engine developed by Apple and primarily used in its Safari web browser, as well as all web browsers on iOS and iPadOS. Removing Safari is not recommended as it may damage the operating system and cause your Apple device to malfunction. Technically, If you don’t use Safari, it doesn’t accumulate caches or other service files.
Vulnerability details: The issue was addressed with improved checks. This issue is fixed in Safari 16.6.1, macOS Ventura 13.6, OS 17.0.1 and iPadOS 17.0.1, iOS 16.7 and iPadOS 16.7. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.
My observation: Vendor not disclose the details, do you think point b will be trigger similar design weakness (processing web content may lead to arbitrary code execution)!
Universal links let users open your app when they tap links to your website within WKWebView and UIWebView views and Safari pages. The UIWebView uses UIKit framework while WKWebView uses WebKit. framework. in addition to links that result in a call to openURL:, such as those that occur in Mail, Messages, and other apps.
How to Creating and Uploading the Association File?
a.To create a secure connection between your website and your app, you establish a trust relationship between them. You establish this relationship in two parts:
i.An apple-app-site-association file that you add to your website
ii.A com.apple.developer.associated-domains entitlement that you add to your app
b.If your app runs in iOS 9 or later and you use HTTPS to serve the apple-app-site-association file, you can create a plain text file that uses the application/json MIME type and you don’t need to sign it.
Official announcement: Please refer to the following link for details –
Preface: The Unbreakable Enterprise Kernel (UEK) is a Linux kernel built by Oracle and supported through Oracle Linux support. Reliable Datagram Sockets (RDS) is a high-performance, low-latency, reliable, connectionless protocol for delivering datagrams. It is developed by Oracle Corporation. It was included in the Linux kernel 2.6.30 which was released on 9th of June, 2009.
Background: Based on TCP handshake definition: SYN > SYN/ACK > ACK: When the SYN is sent, the remote peer sends back a SYN/ACK. In traditional RDS module, syn-ack at this point would end up marking the conn as RDS_CONN_UP, and would again permit rds_send_xmi() threads through, so ideally we would synchronize on RDS_CONN_UP after lock_sock(), but cannot do that.
Because waiting on !RDS_IN_XMIT after lock_sock() may end up deadlocking with tcp_sendmsg(), and the RDS_IN_XMIT would not get set.
As a result, we set c_state to RDS_CONN_RESETTTING, to ensure that rds_tcp_state_change cannot mark rds_conn_path_up() in the window before lock_sock().
Vulnerability details: In the Unbreakable Enterprise Kernel (UEK), the RDS module in UEK has two setsockopt(2) options, RDS_CONN_RESET and RDS6_CONN_RESET, that are not re-entrant. A malicious local user with CAP_NET_ADMIN can use this to crash the kernel.
Preface: A Subject Alternate Name (or SAN) certificate is a digital security certificate which allows multiple hostnames to be protected by a single certificate. A SAN certificate may also be called a Unified Communication Certificate (or UCC), a multi-domain certificate, or an Exchange certificate.
A Subject Alternative Name (SAN) certificate is capable of supporting multiple domains and multiple host names with domains. SANS certificates are more flexible than Wildcard certificates since they are not limited to a single domain.
Vulnerability Description: An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to K3s servers’ apiserver/supervisor port (TCP 6443) cause denial of service. This issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before v1.25.13+k3s1, from v1.26.0 before v1.26.8+k3s1, from sev1.27.0 before v1.27.5+k3s1, from v1.28.0 before v1.28.1+k3s1.
Ref: An issue was found in K3s where an attacker with network access to K3s servers’ apiserver/supervisor port (TCP 6443) can force the TLS server to add entries to the certificate’s Subject Alternative Name (SAN) list, through a stuffing attack, until the certificate grows so large that it exceeds the maximum size allowed by TLS client implementations. OpenSSL for example will raise an excessive message size error when this occurs. No authentication is necessary to perform this attack, only the ability to perform a TLS handshake against the apiserver/supervisor port (TCP 6443).
Preface: This vulnerability published on September 12, 2023. It had CVSS V3 base score 5.3. But based on the vulnerability details described, it seems it is unknown causes. But why does it happen?
Background: The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, exit and more.
The Name Service Switch (NSS) configuration file, /etc/nsswitch[.]conf, is used by the GNU C Library to determine the sources from which to obtain name-service information in a range of categories, and in what order.
Vulnerability details: A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash.
This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook.
The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.
Therefore, it triggers a use-after-free vulnerability.
What I added during my observation: When malloc hooks is enabled, then the hook pointers are set to the current default allocation functions. It is expected that if an app does intercept the allocation/free calls, it will eventually call the original hook function to do allocations.
Software developers have figured out why: For AF_INET6 lookup with AI_ALL | AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second for a v4 lookup. In this case, if the first call reallocates tmpbuf enough number of times, resulting in a malloc, th->h_name (that res->at->name refers to) ends up on a heap allocated storage in tmpbuf. Now if the second call to gethosts also causes the plugin callback to return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF reference in res->at->name. This then gets dereferenced in the getcanonname_r plugin call, resulting in the use after free.