CVE-2023-21372: Google Android design flaw, component Libdexfile triggers an out-of-bounds vulnerability. (31st Oct 2023)

Preface: Many users agree that learning Apex is simpler than learning Java because there is less syntax.

Background: Apex is a proprietary language developed by Salesforce.com. It is a strongly typed, object-oriented programming language that allows developers to execute flow and transaction control statements on the Force.com platform server in conjunction with calls to the Force.com API.

Remark: If file (libdexfile[.]so) is belongs APEX_MODULE_LIBS. Whereby, I change my security focus appoint to APEX proprietary language.

Vulnerability details: In libdexfile, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Remark: Due to the limited details released in the vulnerability advisory. See if attached diagram situations can trigger similar faults?

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-21372

Remedy of CVE-2023-46862: Kernel (io_uring/fdinfo[.]c) enhancement: lock SQ thread while retrieving thread cpu/pid (30th Oct 2023)

Preface: Quick comparison of Windows (IoRing) and Linux (io_uring):

Windows: The kernel fully initializes the new ring, including the creation of both queues and creating a shared view in the application’s user-mode address space, using an MDL (memory descriptor list).

Linux: In the Linux io_uring implementation, the system creates the requested ring and the queues but does not map them into user space. The application is expected to call mmap(2) using the appropriate file descriptors to map both queues into its address space, as well as the SQE array, which is separate from the main queue.

Background: A potential performance benefit of io_uring for network I/O is reducing the number of syscalls.

Vulnerability details: An issue was discovered in the Linux kernel through 6.5.9. During a race with SQ thread exit, an io_uring/fdinfo[.]c io_uring_show_fdinfo NULL pointer dereference can occur.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-46862

Observation: Most null pointer issues result in general software reliability problems, but if an attacker can intentionally trigger a null pointer dereference, the attacker might be able to use the resulting exception to bypass security logic.

Many io_uring features are available in Red Hat Enterprise Linux 9.3, which is distributed with kernel version 5.14.

Since the CVSS score has not yet been defined. But we know the vulnerability will occur during a proof-of-concept exercise. Maybe, a local attack (rather than a remote attack). But we should fix this design flaw immediately.

Don’t take it lightly CVE-2023-46753: Regarding the BGP protocol using FRRouting (26-10-2023)

Preface: Microsoft has been a mainstay of the computer systems world for more than four decades. At the same time, it also promotes the development of the Internet and other technologies. About fifteen years ago, virtual machines led the way, bringing the concept into the business world and successfully fending off mainstream cybersecurity attacks. It seems that the computer system has quietly transformed into a virtual world. Maybe you will say because of cloud technology. The collaboration between network technology and cloud computing creates another potential opportunity for open source network software to jump into the competition.

Background: FRRouting (FRR) is a free and open source Internet routing protocol suite for Linux and Unix platforms. It implements BGP, OSPF, RIP, IS-IS, PIM, LDP, BFD, Babel, PBR, OpenFabric and VRRP, with alpha support for EIGRP and NHRP.

The FRR suite consists of various protocol-specific daemons and a protocol-independent daemon called zebra. Each of the protocol-specific daemons are responsible for running the relevant protocol and building the routing table based on the information exchanged.

Remark: zebra is an IP routing manager. It provides kernel routing table updates, interface lookups, and redistribution of routes between different routing protocols.

Vulnerability details: An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one with only an unknown transit attribute.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-46753

CVE-2023-5044 : Design weakness of ingress-nginx (26th Oct 2023)

Preface: You can configure the nginx ingress controller in various ways. To use the Openstack load balancer Octavia with ssl offloading you will need to configure the ingress controller with the proxy protocol. The alternative would be to use the Openstack service barbican to store your ssl certificate. Which is currently not directly supported by Kubernetes.

Background: The Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. An Ingress may be configured to give Services externally-reachable URLs, load balance traffic, terminate SSL / TLS, and offer name-based virtual hosting.

Vulnerability details: A security issue was identified in ingress-nginx where the nginx[.]ingress[.]Kubernetes[.]io/permanent-redirect annotation on an Ingress object (in the networking[.]k8s[.]io or extensions API group) can be used to inject arbitrary commands, and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

Affected Versions : <v1.9.0

Versions allowing mitigation: v1.9.0

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-5044

SUSE Enterprise Linux Server 15: Apart from libvirt framework , how to manages memory in units called pages? (25-10-2023)

Preface: HPE Cray OS Based on standard SUSE Enterprise Linux Server 15. A supercomputer, dubbed Frontier, was developed by HPE Cray. Frontier and HPE Cray OS to run standard Linux applications, but rather enhance it for performance, scale, and reliability.

Ref: Frontier is based on the latest HPE Cray EX235a architecture and equipped with AMD EPYC 64C 2GHz processors. The system has 8,699,904 total cores, a power efficiency rating of 52.59 gigaflops/watt, and relies on Slingshot-11 interconnect for data transfer.  

SUSE Enterprise Linux Server 15: How to manages memory in units called pages?

Linux manages memory in units called pages (default page size is 4 KB). Linux and the CPU need to know which pages belong to which process. Those parameters stored in a page table. If high volume of processes are running, it takes more time to fnd where the memory is mapped, because of the time required to search the page table. To speed up the search, the TLB (Translation Lookaside Buer) was invented. But on a system with a lot of memory, the TLB is not enough.

To avoid any fallback to normal page table (resulting in a cache miss, which is time consuming), huge pages can be used. Using huge pages will reduce TLB overhead and TLB misses (pagewalk).

Example: A host with 32 GB (32*1014*1024 = 33,554,432 KB) of memory and a 4 KB page size has a TLB with 33,554,432/4 = 8,388,608 entries. Using a 2 MB (2048 KB) page size, the TLB only has 33554432/2048 = 16384 entries, considerably reducing the TLB misses.

Closer look of CVE-2023-34051: VMware Aria Operations for Logs contains an authentication bypass vulnerability. (24th Oct 2023)

Preface: VMware Aria Operations™ for Logs (formerly VMware vRealize® Log Insight™) analyzes complex log management through dashboards to provide shortest path to identify the problem.

Background: What is aria operations for logs? Centralized Log Management VMware Aria Operations for Logs. Manage data at scale with centralized log management, deep operational visibility, and intelligent analytics for troubleshooting and auditing across environments. Protocol that the agent uses to send log events to the Aria Operations for Logs server. The possible values are cfapi and syslog. The default is cfapi. Ingestion API (CFAPI) The ingestion API provides several advantages over the syslog protocol including the ability to collect statistical and operational information about the agents directly in the server UI and also allows for server-side configurations to be pushed to agents. vRealize Log Insight uses Apache Thrift for node-to-node communication.

Vulnerability details: VMware Aria Operations for Logs contains an authentication bypass vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.

Additional: The code execution via triggering a RemotePakDownloadCommand command via the exposed thrift service after obtaining the node token by calling a GetConfigRequest thrift command. After the download, it will trigger a PakUpgradeCommand for processing the specially crafted PAK archive, which then will place the JSP payload under a certain API endpoint (pre-authenticated) location upon extraction for gaining remote code execution.

Official announcement: Please refer to the link for details –https://nvd.nist.gov/vuln/detail/CVE-2023-34051

Closer look of CVE-2023-4966 (19-10-2023)

Preface: On October 10, 2023, Citrix released a security advisory regarding a sensitive information disclosure vulnerability (CVE-2023-4966) affecting NetScaler ADC and NetScaler Gateway appliances.

Background: Citrix NetScaler improves performance by using HTTP compression and data caching. The workload is shared over multiple servers and networks to ensure that there is not one point of failure or that one server is not overloaded, causing a slow or inefficient performance.

The Citrix ADC (formerly NetScaler) appliance instantiates the number of PEs based on the number of vCPUs, memory, and licenses.

The packet engine is created to perform TCP/IP processing, optimization tasks and acceleration of packages. This is a continues process of grabbing packets, handling them accordingly and putting the packets in place again, the packet engine is designed to run an entire instance of NetScaler’s packet engine on each processor core (nCore technology) and runs as a kernel component on the NetScaler.

Vulnerability details: Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. 

Official announcement: Please refer to the link for details –

https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967

CVE-2023-22089: About Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). (18-10-2023)

Preface: When Oracle releases a security advisory. These vulnerabilities may have occurred months ago, or may be further back. But the technical details published in the CVE are only limited. So, that’s one of the reasons I’m interested in digging into the details.

In the spirit of science, everyone dares to assume but careful to verify.

Background: A WebLogic Server 10.3.6, 12.1.3, and 12.2.1.x client can invoke RMI-based applications hosted on a WebLogic Server 14c (14.1.1.0.0) server using IIOP, T3, T3S, HTTP, and HTTPS. JMS applications can be invoked using T3, T3S, HTTP, and HTTPS.

A WebLogic Server 14c (14.1.1.0.0) client can invoke RMI-based applications hosted on

A WebLogic Server 10.3.6, 12.1.3, and 12.2.1.x server using IIOP, T3, T3S, HTTP, and HTTPS. JMS applications can be invoked using T3, T3S, HTTP, and HTTPS.

For WebLogic Server 14c (14.1.1.0.0) instances running on JDK11, IIOP interoperability with Java clients is only available with a WebLogic Server 14c (14.1.1.0.0) install client running on JDK 11.

Vulnerability details: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

Remark: The vendor did not disclose details. Could this vulnerability occur under this circumstances? Please refer to attached diagram.

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2023-22089

CVE-2023-44487: Exploiting HTTP 2 design weaknesses to trigger a denial of service (17-10-2023)

Preface: If you still remember more than ten years ago, a snowhttp attack target web server especially Apache web server. Slow HTTP attacks are denial-of-service (DoS) attacks in which the attacker sends HTTP requests piece by piece at a slow pace to a web server. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data.

Background: HTTP 2.0 uses a binary, length-prefixed framing layer, which offers more compact representation than the newline-delimited plaintext HTTP 1.x protocol and is both easier and more efficient to process.

HTTP/2 makes web pages load faster and more efficiently by simplifying communication between the browser and the server. Accessing a website using the HTTP/2 protocol is as follows: the browser requests a TCP connection. The server establishes a TCP connection. The browser requests the website’s index HTML file.

Vulnerability details: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Additional: Because of CVE-2023-44487, HTTP/2 enabled web servers are vulnerable to a DDoS attack. It so called “Rapid Reset Attack”.

The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally.

The ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open. As a result, the server keeps its resources in heavy load status.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-44487

Take a closer look at CVE-2023-5115 and CVE-2023-41164 (16th Oct 2023)

Preface: Infrastructure as code (IaC) is the process of dynamically managing and provisioning infrastructure through code instead of through a manual process to simplify app development, configuration, and runtime. IaC uses DevOps methodology and versioning with a descriptive model to define and deploy infrastructure. For example: Cloud comupting platform structure components includes networks, virtual machines, load balancers, and connection topologies.

Infrastructure as code (IaC) uses DevOps methodology and versioning with a descriptive model to define and deploy infrastructure. For example: Cloud comupting platform structure components includes networks, virtual machines, load balancers, and connection topologies.

Remark: A general example of descriptive modeling is business reporting in the form of graphs, charts, and dashboards.

Background: Ansible is an tool for simple automation tasks. Python tool provides more flexibility and control over automation and is an excellent tool for complex automation tasks. Based on Python and Django, it can develop an automated task execution and asset management (CMDB) system with DevOps concept.

Ansible architecture is client-server architecture model. It has three main components: control nodes, managed nodes and communication channels.

Ansible automates Linux and Windows by connecting to managed nodes and pushing out small programs called Ansible modules. Ansible executes these modules, which are the resource models of the desired system state, over Secure Socket Shell (SSH) by default and removes them when finished.

Vulnerability details:

CVE-2023-5115 – ansible-core: malicious role archive can cause ansible-galaxy to overwrite arbitrary files

CVE-2023-41164 – automation-controller: Django: Potential denial of service vulnerability in  django.utils.encoding.uri_to_iri()

Official announcement: Please refer to the link for details –

https://access.redhat.com/errata/RHSA-2023:5701