Monthly Archives: February 2024

Application Development, Potential Risk of CVE

Incorrect authorization vulnerability was identified in GitHub Enterprise Server (14 Feb-2024)

Leave a comment

Preface: The main difference between the products is that GitHub Enterprise Cloud is hosted by GitHub, while GitHub Enterprise Server is self-hosted. GitHub Enterprise Cloud includes an enterprise account that lets you manage multiple organizations.

Sign in to the AWS Management Console and open the Developer Tools Console: https://console[.]aws[.]amazon[.]com/codesuite/settings/connections. Select Settings > Connections, then select Make a connection. To establish a connection to an installed GitHub Enterprise Server repository, select GitHub Enterprise Server.

Background: The GITHUB_TOKEN is an automatically generated secret that lets you make authenticated calls to the GitHub API in your workflow runs. Actions generates a new token for each job and expires the token when a job completes.

To modify the permission of the GITHUB_TOKEN, we can make the change at the enterprise, organisation or repository level. To do this go to settings, select Actions then General, here we will find the Workflow Permissions sections.

Vulnerability details: An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to create new branches in public repositories and run arbitrary GitHub Actions workflows with permissions from the GITHUB_TOKEN. To exploit this vulnerability, an attacker would need access to the Enterprise Server. This vulnerability affected all versions of GitHub Enterprise Server after 3.8 and prior to 3.12, and was fixed in versions 3.9.10, 3.10.7, 3.11.5. This vulnerability was reported via the GitHub Bug Bounty program.

Official details: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-1482

Potential Risk of CVE

Regarding CVE-2024-22237, VMware did not provide details. But do you think this design weakness is the similar as what you’ve seen before? (13th Feb 2023)

Leave a comment

Preface: CWE-269: Improper Privilege Management vulnerability exists that could cause a remote code execution when the transfer command is used over the network.

Background: VMware Aria Operations for Networks is a pre-hardened and secured appliance. VMware Aria Operations for Networks is hardened against well-established and industry-accepted security benchmarks, for example: CIS. VMware Aria Operations for Networks also follows all security and privacy best practices defined by VMware Security Engineering, Communications, and Response (vSECR) team.

Vulnerability details: Aria Operations for Networks contains a local privilege escalation vulnerability. A console user with access to Aria Operations for Networks may exploit this vulnerability to escalate privileges to gain root access to the system.

Official details: Please refer to the link for details –https://docs.vmware.com/en/VMware-Aria-Operations-for-Networks/index.html

AI and ML, Potential Risk of CVE

About NVIDIA Security Bulletin – CVE-2023-31031 (12th Feb 2024)

Leave a comment

This NIVIDIA security bulletin was originally published on 8th Feb 2024.

CVE-2023-31031 was released by NIST on January 12, 2024. But what were the design flaws found in SBIOS? Officials stated that the flaw will lead to a stack-based buffer overflow in local access.

Preface: NVIDIA did not describe the details of this vulnerability. Do you think whether the description on attached diagram (step 4) may be related to this design flaw?

Background: Because the SBIOS update is accomplished in two phases (main SBIOS update first, followed by the Intel ME update), you will need to power cycle the server a couple of times to update all the components.

Updating the SBIOS Certificate

1.Obtain the CA certificate from the signing authority that was used to sign the SSL certificate.

2.Copy the CA certificate onto a USB thumb drive or to /boot/efi on the A100 OS.

3.Access the DGX A100 console from a locally connected keyboard and mouse or through the BMC remote console.

4.Reboot the server

Ref: Memory on the heap is dynamically allocated at runtime and typically contains program data.

Vulnerability details: NVIDIA DGX A100 SBIOS contains a vulnerability where a user may cause a heap-based buffer overflow by local access. A successful exploit of this vulnerability may lead to code execution, denial of service, information disclosure, and data tampering.

Official details: Please refer to the link for details –

https://nvidia.custhelp.com/app/answers/detail/a_id/5513

AI and ML, Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2023-33072: Buffer copy without checking size of Input in Core (6th Feb 2024)

Leave a comment

Preface: The title states that Buffer does not check the size of the input in Core when copying. But I believe it is more important to avoid unauthorized copying.

Background: An OpenCL Buffer is a 1D or 2D or 3D array in global memory. Its an abstract object that can be addressed thru a pointer. Buffers are Read-Only or Write_only or Read-Write. An Image buffer represents GPU Texture memory. It represents an array of pixels that can be access via functions specifying pixel x,y,z coordinates. There is no pointer access to Image Pixels on the GPU.

OpenCL supports buffer and image objects (and pipe objects from OpenCL 2.0). The one-dimensional buffer objects are a natural choice for many developers due to their simplicity and flexibility, such as the support of pointers, byte-addressable access, etc. For instance, using images allows hardware to handle out-of-boundaries read automatically.

Ref: An OpenCL Buffer is a 1D or 2D or 3D array in global memory. Its an abstract object that can be addressed thru a pointer. Buffers are Read-Only or Write_only or Read-Write. An Image buffer represents GPU Texture memory. It represents an array of pixels that can be access via functions specifying pixel x,y,z coordinates. There is no pointer access to Image Pixels on the GPU.

Vulnerability details: The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Date Reported        2022/12/20

Customer Notified Date   2023/08/07

Official details: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2024-bulletin.html

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2023-5643: Mali GPU Kernel Driver allows improper GPU memory processing operations (5th Feb 2024)

Leave a comment

Preface: Out-of-bounds writes, a common explanation, are the consequences of writing to memory outside the boundaries of the buffer or to invalid memory when the root cause is not sequential copying of too much data from a fixed starting position. This may include issues such as incorrect pointer arithmetic, access to invalid pointers due to incomplete initialization or memory deallocation.

Background: Arm Mali-G71 is the first high-end GPU to implement the Mali Bifrost architecture. Bifrost enables high-end mobile GPUs to provide additional computing performance. This additional performance is used to solve the increasingly complex problems of modern use cases such as VR and high-fidelity gaming.

Vulnerability details: A local non-privileged user can make improper GPU memory processing operations. Depending on the configuration of the Mali GPU Kernel Driver, and if the system’s memory is carefully prepared by the user, then this in turn could write to memory outside of buffer bounds.

Affected products:

Bifrost GPU Kernel Driver: All versions from r41p0 – r45p0

Valhall GPU Kernel Driver: All versions from r41p0 – r45p0

Arm 5th Gen GPU Architecture Kernel Driver: All versions from r41p0 – r45p0

Official details: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-5643

Network (Protocol, Topology & Standard), Potential Risk of CVE

Multiple vulnerabilities were discovered in the TCP/IP stack (NetworkPkg) of Tianocore EDKII, Security focus of CVE-2023-4523 (5th Feb 2024)

Leave a comment

Original article published January 2024, status update published January 23, 2024.

Preface: Supermicro is aware of a potential vulnerability known as “PixieFAIL” in the BIOS firmware. Multiple vulnerabilities were discovered in the TCP/IP stack (NetworkPkg) of Tianocore EDKII, an open source implementation of UEFI. These nine vulnerabilities that if exploited via network can lead to remote code execution, DoS attacks, DNS cache poisoning, and/or potential leakage of sensitive information.

Background: The UEFI image parser is well-implemented, with a strict set of format validation requirements. The UEFI image loader starts the image allocation process by reserving enough memory for the image to be fully loaded. The UEFI image loader starts the image allocation process by reserving enough memory for the image to be fully loaded. The required memory is extended by a single page so that the loader has enough space to store information about the debugging symbols. Usually this is not necessary, but depending on the linker, debugging information can be placed inside the image overlay. Because the overlay information is not loaded into memory, the UEFI loader ensures that it is available by copying it from disk to this additionally allocated page.

EDK2’s Network Package provides network modules that conform to UEFI 2.4 specification

Vulnerability details: EDK2’s Network Package is susceptible to an out-of-bounds read vulnerability when processing  Neighbor Discovery Redirect message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.

Ref: The subject matter expert performed a cursory inspection of NetworkPkg, Tianocore’s EDK II PXE implementation, and identified nine vulnerabilities that can be exploited by unauthenticated remote attackers on the same local network, and in some cases, by attackers on remote networks. The impact of these vulnerabilities includes denial of service, information leakage, remote code execution, DNS cache poisoning, and network session hijacking.

NIST Official details: Please refer to the link for details –

https://www.supermicro.com/en/support/security_BIOS_Jan_2024

Supermicro Official details: Please refer to the link for details –

https://www.supermicro.com/en/support/security_BIOS_Jan_2024

AI and ML, Application Development, Potential Risk of CVE

About CVE-2018-1311: Security update for xerces-c provided by SUSE on Feb 2024. Why do design weakness can tolerance by HPC Operating system for long year? (02-02-2024)

Leave a comment

Preface: Different HPC compilers allow the coder to make use of these tools for better performance and capability. For example, using HPC compilers allow for easier coding to run a parallel job. Compilation is the process of converting C language source code into executable program code. Running is the process of executing executable code. Compilation only needs to be completed once to produce executable code. The resulting executable code can be run multiple times.

Background: XML parser for C++ determines whether an XML document is well-formed and optionally validates it against a DTD. A DTD is a Document Type Definition. A DTD defines the structure and the legal elements and attributes of an XML document. The parser constructs an object tree that can be accessed through a DOM interface or operates serially through a SAX interface.  SAX defines an abstract programmatic interface that models the XML information set (infoset) through a linear sequence of familiar method calls.

Validating an XML document determines whether the structure and content of the document conform to a set of rules.  Xerces-C++ is a validating XML parser written in a portable subset of C++.

Remark: SAX-type parsing performance of Fast Infoset is also much faster than parsing performance of XML 1.0.

Vulnerability details: A use-after-free vulnerability was found in xerces-c in the way an XML document is processed via the SAX API. Applications that process XML documents with an external Document Type Definition (DTD) may be vulnerable to this flaw. A remote attacker could exploit this flaw by creating a specially crafted XML file that would crash the application or potentially lead to arbitrary code execution.

Ref: To understand the twists and turns of this story, please refer to the pictures attached to this article.

Official details: Please refer to the link for details – https://www.suse.com/support/update/announcement/2024/suse-su-20240299-1/

AI and ML, Application Development, Potential Risk of CVE

VE-2023-6780: Do not contempt his power! (1st Feb 2024)

Leave a comment

Preface: The GNU C Library – The project provides the core libraries for the GNU system and GNU/Linux systems. GLib is a platform library which is used by many hundreds of projects outside of GNOME.

Background: R is a language and environment for statistical programming which includes statistical computing and graphics. Python is a general-purpose programming language for data analysis and scientific computing. It is essential to know programming languages like R and Python in order to implement the whole Machine Learning process. Python and R both provide in-built libraries that make it very easy to implement Machine Learning algorithms.

What is glibc in Python? glibc provides a complete implementation of the ISO C standard library, which includes functions for file I/O, string manipulation, memory allocation, and more. This makes it easy for us to write portable and efficient code that can run on different systems.

Vulnerability details: An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.

Official details: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-6780