Preface: The Linux framebuffer and a GPU’s memory serve different purposes in the context of graphics processing. The Linux framebuffer is a simple, low-level graphics interface that allows applications to draw graphics directly to the screen.

Background: The DRM/KMS framework is dedicated to the management of the display, graphic and composition subsystems. With the help of other Linux multimedia frameworks and applications, the DRM/KMS framework is typically used: to compose animated contents taking advantages of the hardware acceleration.

Remark: Kernel Mode Setting (KMS) is a method for setting display resolution and depth in the kernel space rather than user space.

Vulnerability details: NVIDIA GPU Display Driver for Linux contains a vulnerability where an attacker may access a memory location after the end of the buffer. A successful exploit of this vulnerability may lead to denial of service and data tampering.

Official announcement: Please refer to the official announcement for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5520

Preface: Kernel extensions – VMWare as well as Qemu also enable you to install a device driver in your host operating system that enables them to speed up execution of kernel code and device accesses by directly executing in kernel mode.

Background: VMware Fusion is a software hypervisor developed by VMware for macOS systems. It allows Macs with Intel or the Apple M series of chips to run virtual machines with guest operating systems, such as Microsoft Windows, Linux, or macOS, within the host macOS operating system.

Vulnerability details: VMware Workstation and Fusion contain an out-of-bounds read vulnerability in the USB CCID (chip card interface device). VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.

Known Attack Vectors: A malicious actor with local administrative privileges on a virtual machine may trigger an out-of-bounds read leading to information disclosure.

Official announcement: Please refer to the official announcement for details – https://www.vmware.com/security/advisories/VMSA-2024-0005.html

Preface: Compared to pageable memory, pinned memory has only 1 memory transfer. Hence memory transfer time is less for pinned memory than pageable memory. In mapped memory, the address is mapped to the device address space. Hence there is no explicit memory transfer.

Background: InfiniBand is a network architecture that is designed for the large-scale interconnection of computing and I/O nodes through a high-speed switched fabric.

Vulnerability details: hfi1 user SDMA request processing has two bugs that can cause data corruption for user SDMA requests that have multiple payload iovecs where an iovec other than the tail iovec does not run up to the page boundary for the buffer pointed to by that iovec.a

Here are the specific bugs:

1. user_sdma_txadd() does not use struct user_sdma_iovec->iov.iov_len. Rather, user_sdma_txadd() will add up to PAGE_SIZE bytes from iovec to the packet, even if some of those bytes are past iovec->iov.iov_len and are thus not intended to be in the packet.

2. user_sdma_txadd() and user_sdma_send_pkts() fail to advance to the next iovec in user_sdma_request->iovs when the current iovec is not PAGE_SIZE and does not contain enough data to complete the packet. The transmitted packet will contain the wrong data from the iovec pages.

Please refer to the official announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2023-52474

Preface: In the modern digital world. Digital signatures replace traditional handwritten signatures for identity verification. In the past, pattern matching methods were used to confirm signature integrity through human observation. The integrity of digital signatures is ensured through the Elliptic Curve Digital Signature Algorithm (ECDSA).

Background: Elliptic Curve Digital Signature Algorithm (ECDSA) is a cryptographic algorithm used by Bitcoin to ensure that funds can only be used by their legitimate owners. The private key is a secret number known only to the person who generated it.

Is bitcoinlib popular? The python package bitcoinlib receives a total of 7,081 weekly downloads. As such, bitcoinlib popularity was classified as a recognized.

Fastecdsa efficient faster than the ecdsa package. There are several examples, how to use fastecdsa package. It proven that fastecdsa capable work with bitcoinlib.

In security point of view, fastecdsa are secure.There is no nonce reuse, no branching on secret material, and all points are validated before any operations are performed on them. Timing side challenges are mitigated via Montgomery point multiplication. Nonces are generated per RFC6979. The default curve used throughout the package is P256 which provides 128 bits of security.

Vulnerability details: Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable’s actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-21502

This announcement original published on 20th Feb 2024

Preface: When two components have problems in the same place. If vendor did not specify the details in clear. In this circumstances, the design weakness looks the same.

Background: The Enhanced Authentication Plugin (EAP) is an extra software package that doesn’t come pre-installed. Administrators need to install it on client computers used for administration to allow direct login when using the VMware vSphere Client through a web browser.

The VMware EAP is a deprecated browser plugin that enables seamless single sign-on (SSO) to vSphere’s management interface from client workstations. It is an optional feature that stopped receiving support with the release of VMware vCenter Server 7.0.0u2 in March 2021.

Vulnerability details:

Session Hijack Vulnerability in Deprecated EAP Browser Plugin (CVE-2024-22250) – The VMware Enhanced Authentication Plug-in (EAP) contains a Session Hijack vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

Arbitrary Authentication Relay Vulnerability in Deprecated EAP Browser Plugin (CVE-2024-22245) – The VMware Enhanced Authentication Plug-in (EAP) contains an Arbitrary Authentication Relay vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.6.

Official announcement: Please refer to the link for details – https://www.vmware.com/security/advisories/VMSA-2024-0003.html

Preface: Do you think this design flaw is risky? Yes, I think so.

Background: The UIO is a general purpose kernel driver that can be accessed from user space. The purpose of the driver is to act as a thin layer between user space programs and the hardware.

Since Linux uses a virtual address system, you cannot directly access the physical addresses of devices. You can gain a virtual address pointer to the device by using mmap() on the UIO device file for the device.

Vulnerability details:

There are two cores (processors) on a single chip, a SMP Kernel and RAM.

In the core-1 uio_unregister_device(), the device_unregister will kfree idev when the idev->dev kobject ref is 1.

But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then:

After core-1 kfree idev, the core-2 will do use-after-free for idev.

When core-2 do uio_release and put_device, the idev will be double freed.

Remedy: To address this issue, we can get idev atomic & inc idev reference with minor_lock. For details, please refer to https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0c9ae0b8605078eafc3bea053cc78791e97ba2e2

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-52439

Ref: mutex_unlock() returns 0 after successful operation. If any of the following conditions are detected, mutex_unlock() will fail and return the corresponding value.

EFAULT Description: The address pointed to by mp is illegal.

EPERM Description: The calling thread does not own the mutex lock.

Preface: At the most fundamental level, product lifecycle management (PLM) is the strategic process of managing the complete journey of a product from initial ideation, development, service, and disposal.

Background: Agile product lifecycle management (PLM) applies agile principles and methodologies to product management. It is often utilized in software development and its ongoing refinements, improvements, and variations. Critically, Agile methodology breaks down a development project into smaller cycles, called iterations.

Core PLM for discrete industries covers key capabilities like product data management, bill of materials management, engineering change management, and more.

Vulnerability details: Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: Export). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Official details: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-20953

Preface: Because when using TLS to transmit static content, the data needs to be read into user space and encrypted before the encrypted data can be transmitted. Facebook found that in the process of using TLS, it will spend 2% of the CPU processing copy from/to user space, and 10% of the CPU will be used for encryption.

Background: ktls is informed when data is queued to the socket and the strparser mechanism is used to delineate the records. Upon read request, records are retrieved from the socket and passed to decryption routine.

Linux kernel provides TLS connection offload infrastructure. Once a TCP connection is in ESTABLISHED state user space can enable the TLS Upper Layer Protocol (ULP) and install the cryptographic connection state.

ktls can operate in three modes: Software crypto mode (TLS_SW) , Packet-based NIC offload mode (TLS_HW) and Full TCP NIC offload mode (TLS_HW_RECORD)

Vulnerability details: An out-of-bounds memory write flaw was found in the Linux kernel’s Transport Layer Security functionality in how a user calls a function splice with a ktls socket as the destination. This flaw allows a local user to crash or potentially escalate their privileges on the system.

Official details: Please refer to the link for details –https://nvd.nist.gov/vuln/detail/CVE-2024-0646