CVE-2024-0564: A flaw was found in the Linux kernel’s memory deduplication mechanism. (30th Jan 2024)

Preface: KVM hypervisor enables full virtualisation capabilities. It provides each VM with all typical services of the physical system, including virtual BIOS (basic input/output system) and virtual hardware, such as processor, memory, storage, network cards, etc. As a result, every VM completely simulates a physical machine.

Background: Kernel same-page Merging (KSM), used by the KVM hypervisor, allows KVM guests to share identical memory pages. These shared pages are usually common libraries or other identical, high-use data. KSM allows for greater guest density of identical or similar guest operating systems by avoiding memory duplication.

Vulnerability details: A flaw was found in the Linux kernel’s memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is “max page sharing=256”, it is possible for the attacker to time the unmap to merge with the victim’s page. The unmapping time depends on whether it merges with the victim’s page and additional physical pages are created beyond the KSM’s “max page share”. Through these operations, the attacker can leak the victim’s page.

Ref: It leaves one page unchanged, and re-maps each duplicate page to point to the same physical page, after which it releases the extra physical pages for re-use.

Mitigation: Deactivating memory deduplication will effectively mitigate all attack vectors. This measure unfortunately eliminates all the highly appreciated benefits of memory deduplication, namely the increase of operational cost-effectiveness through inter-VM memory sharing. This will cause an increase in the amount of memory required and in some situations may adversely impact performance (e.g. due to slower swap space being used). It is recommended that customers test this workaround before using it in production. See for how to disable KSM from Red Hat Enterprise Linux 6 and newer.

Official details: Please refer to the link for details –

CVE-2023-46805 and CVE-2024-21887 on Ivanti ICS 9[.]x, 22[.]x and Ivanti Policy Secure 9[.]x, 22[.]x (30-01-2024)

Preface: MobileIron was acquired by Ivanti on December 1, 2020. Ivanti acquired Pulse Secure that same year. As part of the acquisition, Pulse Secure has been renamed Ivanti Secure Access. Starting October 9, 2023, Pulse Secure/Ivanti Secure Access will be upgraded to the latest version of Ivanti Secure Access.

Background: Ivanti Connect Secure (ICS) provides secure connection. Ivanti Connect Secure includes VPN deployments and simplified appliance management. Ivanti Policy Secure (IPS) is a network access control (NAC) solution which provides network access only to authorized and secured users and devices.

The REST API provides a standardized method for Next-Gen firewalls and third-party systems to interact with IPS. Representational state transfer (REST) or RESTful Web services are one way of providing interoperability between computer systems on the Internet. In a RESTful Web service, requests made to a resource’s URI will elicit a response that may be in XML, HTML, JSON or some other defined format. IPS supports JSONformat only.

Vulnerability details:

CVE-2023-46805: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

CVE-2024-21887: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

My observation: Some vulnerabilities often arise from the way JSON data is processed and parsed. For example, without proper validation, JSON data can be manipulated for injection attacks. Furthermore, it is vulnerable to Post-Authenticated SQL Injection via multiple JSON parameters.

Official announcement: Please refer to the link for details –

CVE-2023-6200: A race condition was found in the Linux Kernel.(29th Jan 2024)

Preface:An essential race condition occurs when an input has two transitions in less than the total feedback propagation time.

Background: ICMPv6 over the Internet is important for Path MTU Discovery (which uses the ICMPv6 Packet Too Big message) since ipv6 routers don’t fragment packets. ICMPv6 is an integral part of IPv6 and performs error reporting and diagnostic functions.

ICMP in IPv6 functions the same as ICMP in IPv4. ICMP for IPv6 generates error messages, such as ICMP destination unreachable messages, and informational messages, such as ICMP echo request and reply messages.

The working process of ICMPv6 is similar to the ICMP in IPv4, but IPv6 use neighbor discovery with multicast address and IPv4 use ARP with broadcast address.

Vulnerability details: A race condition was found in the Linux Kernel. Under certain conditions, an unauthenticated attacker from an adjacent network could send an ICMPv6 router advertisement packet, causing arbitrary code execution.

Workaround suggested by Red Hat: To trigger this issue, the attacker must be on the local network, IPV6, and the parameter net.ipv6.conf must be enabled.[NIC].accept_ra enabled. By default, net.ipv6.conf.[NIC].accept_ra is disabled for Red Hat Enterprise Linux. In the default configuration, only local attacks are possible.

Official announcement: Please refer to the link for details –

CVE-2023-33036: NULL Pointer Dereference in Hypervisor (26th Jan 2024)

This Qualcomm security bulletin was originally published on 1st January 2024.

Preface: One method of conducting these PDoS attacks is commonly referred to as phlashing. During such an attack, an attacker bricks a device or destroys firmware, rendering the device or an entire system useless. This is one method to exploit vulnerabilities and replace a device’s basic software with a corrupt firmware image.

Background: The ARM Trusted Firmware implements a subset of the Trusted Board Boot Requirements (TBBR) Platform Design Document (PDD) for ARM reference platforms. The TBB sequence starts when the platform is powered on and runs up to the stage where it hands-off control to firmware running in the normal world in DRAM. This is the cold boot path.

The ARM Trusted Firmware also implements the Power State Coordination Interface (PSCI) PDD as a runtime service. PSCI is the interface from normal world software to firmware implementing power management use-cases (for example, secondary CPU boot, hotplug and idle). Normal world software can access ARM Trusted Firmware runtime services via the ARM SMC (Secure Monitor Call) instruction.

Vulnerability details: Permanent DOS in Hypervisor while untrusted VM without PSCI support makes a PSCI call.

Vulnerability Type : CWE-476 NULL Pointer Dereference

My observation: I speculated that Linux initiate various CPU-centric power operations will be affected.

Official announcement: Please refer to the link for details –

CVE-2024-23212: Apple Neural Engine design has weakness in memory handling. (25th January 2024)

This announcement was originally published on January 22nd 2024

Preface: Neural networks, also known as artificial neural networks (ANNs) or simulated neural networks (SNNs), are a subset of machine learning and are at the heart of deep learning algorithms.

Recent advances in artificial intelligence systems, such as voice or facial recognition programs, have benefited from neural networks, densely interconnected meshes of simple information processors that learn to perform tasks by analyzing large amounts of training data.

Background: The Apple Neural Engine (or ANE) is a type of NPU, which stands for Neural Processing Unit. It’s like a GPU, but instead of accelerating graphics an NPU accelerates neural network operations such as convolutions and matrix multiplies.

Beyond image generation from text prompts, developers are also discovering other creative uses for Stable Diffusion, such as image editing, in-painting, out-painting, super-resolution, style transfer and even color palette generation.  Getting to a compelling result with Stable Diffusion can require a lot of time and iteration, so a core challenge with on-device deployment of the model is making sure it can generate results fast enough on device. As a result, we require the Apple Neural Engine.

Vulnerability details: Apple security advisory shown that the vulnerability belongs to Apple Neural Engine.

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

Official announcement: Please refer to the link for details –

CVE‑2023‑31037: Design weakness on NVIDIA Bluefield 2 and Bluefield 3 DPU BMC (Updated 01/22/2024)

Preface: Virtio-net device emulation enables users to create VirtIO-net emulated PCIe devices in the system where the NVIDIA® BlueField® DPU is connected.

Background: The Intelligent Platform Management Interface (IPMI) is a standard interface for hardware management used by system administrators to control the devices and monitor the sensors. For these, it is necessary the IPMI Controller called Baseboard Management Controller (BMC) and a manager software (for example, IPMItool). It provides an interface to manage IPMI functions in a local (in-band) or remote (out-of-band) system.

Ref: Developer can wrote their own tools to query the sensors, via the IPMItool

Vulnerability details: NVIDIA Bluefield 2 and Bluefield 3 DPU BMC contains a vulnerability in ipmitool, where a root user may cause code injection by a network call. A successful exploit of this vulnerability may lead to code execution on the OS.

Official announcement: Please refer to the link for details –

CVE-2023-34063: A vulnerability was discovered in VMware Aria Automation and Cloud Foundation that affects unknown components. (23rd Jan 2024)

Preface: The missing function-level access control vulnerability refers to the flaws in the authorization logic. By exploiting it, an attacker, who could be an existing user of the application, is able to escalate privileges and access restricted functionalities.

Background: VMware Aria Automation Orchestrator. (formerly vRealize Orchestrator). VMware Aria is an intelligent multi-cloud management solution that enables you to consistently deploy and operate your apps, infrastructure, and platform services across private, hybrid, and multiple clouds from a single platform with a common data model.

Ref: vRealize Automation includes a preconfigured embedded vRealize Orchestrator instance. You can access the client of the embedded vRealize Orchestrator from the vRealize Automation Cloud Services Console.

Vulnerability details: An authenticated malicious actor may exploit this vulnerability leading to unauthorized access to remote organizations and workflows.

Resolution: To remediate CVE-2023-34063 apply the patches

Official announcement: Please refer to the link for details –

CVE-2023-6531: A use-after-free flaw was found in the Linux Kernel , fixed design weakness, attacker cannot relies on io_uring_get_socket() anymore (21st Jan 2024)

Preface: In my opinion, this design flaw is dangerous. But no worries, about a month ago. Vendors have issued remediations based on their priorities. CVE technical details were released today (21st Jan 2024).

Background: io_uring is applicable to most businesses and applications with a demand for asynchronous I/O. As of now, io_uring has been integrated into multiple mainstream open-source applications, such as RocksDB, Netty, QEMU, SPDK, PostgreSQL, MariaDB, etc.

What is io_uring? io_uring is an asynchronous I/O interface for the Linux kernel. An io_uring is a pair of ring buffers in shared memory that are used as queues between user space and the kernel:

Submission queue (SQ): A user space process uses the submission queue to send asynchronous I/O requests to the kernel.

Completion queue (CQ): The kernel uses the completion queue to send the results of asynchronous I/O operations back to user space.

Many io_uring features will soon be available in Red Hat Enterprise Linux 9.3, which ships with core version 5.14. Fedora 37 currently provides the latest io_uring functionality.

Vulnerability details: A use-after-free flaw was found in the Linux Kernel due to a race problem in the unix garbage collector’s deletion of SKB races with unix_stream_read_generic() on the socket that the SKB is queued on.

Official announcement: Please refer to the link for details –

CVE-2024-21735: SAP LT Replication Server design weakness (included – version S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108) 18th Jan 2024

Preface: The latest version of SAP Landscape Transformation Replication Server. It combines the latest SAP Landscape Transformation Replication Server functionality with the latest SAP Basis version for the best support of all uses cases involving SAP systems and databases. There are two options for using this version of SAP Landscape Transformation Replication Server (see also chapter Installation Options):

i.As a standalone system based on SAP S/4HANA Foundation 2020 (or higher) together with the DMIS 2020 addon.

ii.Embedded in SAP S/4HANA 2020 (or higher).

Background: (S_DMIS – Authority object for SAP SLO Data migration server)

The user role SAP_IUUC_REPL_ADMIN is required to use SAP Landscape Transformation Replication Server. By default, this role does not allow users to view the data that is replicated from the source system to the target system. However, the authorization object S_DMIS (with activity 29) allows users to view the data that is being replicated (by means of the replication logging function).

SAP strongly recommend that you use the Read Access Logging (RAL) component to monitor and log read access to the relevant data.

Vulnerability Details: SAP LT Replication Server – version S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108, does not perform necessary authorization checks. This could allow an attacker with high privileges to perform unintended actions, resulting in escalation of privileges, which has High impact on confidentiality, integrity and availability of the system.

Official announcement: Please refer to the link for details –

Oracle’s January 2024 Critical Patch Update Bulletin to remediate the related CVE-2023-44487 vulnerability in its product family (17th Jan 2024)

Preface: HTTP/2 Rapid Reset, based on stream multiplexing. HTTP/2 Rapid Reset attacks mostly affect the large infrastructure providers. Software smaller providers use, such as NGINX, Apache Server, ….etc

Background: Oracle GraalVM is a high-performance JDK that can speed up the performance of Java and JVM-based applications using an alternative just-in-time (JIT) compiler.

Vulnerability details: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

If you are managing or operating your own HTTP/2-capable server (open source or commercial) you should immediately apply a patch from the relevant vendor when available.

Official announcement: Please refer to the link for details –

The patch for CVE-2023-44487 also addresses CVE-2023-36478, CVE-2023-40167, CVE-2023-42794, CVE-2023-42795, and CVE-2023-45648.

The patch for CVE-2023-44487 also addresses CVE-2023-45143.

The patch for CVE-2023-45648 also addresses CVE-2023-42794, CVE-2023-42795, and CVE-2023-44487.

The patch for CVE-2023-44487 also addresses CVE-2023-36478.