Monthly Archives: May 2024

AI and ML, Potential Risk of CVE

CVE-2024-21792: Time-of-check Time-of-use race conditionin Intel® Neural Compressor software. Intel fixes exploited bugs. (16th May 2024)

Leave a comment

Preface: In software development, time-of-check to time-of-use (TOCTOU, TOCTTOU or TOC/TOU) is a class of software bugs caused by a race condition involving the checking of the state of a part of a system (such as a security credential) and the use of the results of that check.

Background: Intel Neural Compressor is an open source Python* library that performs model compression techniques such as quantization, pruning, and knowledge distillation across multiple deep learning frameworks including TensorFlow*, PyTorch*, and ONNX* (Open Neural Network Exchange) Runtime. The model compression techniques reduce the model size and increase the speed of deep learning inference for more efficient deployment on CPUs or GPUs.

Vulnerability details: Time-of-check Time-of-use race condition in Intel® Neural Compressor software before version 2.5.0 may allow an authenticated user to potentially enable information disclosure via local access.

Ref: When calling a series of methods which require a consistent view of an object, make sure to synchronize on a monitor that will prevent any other access to the object during your operations.

If the class that you are using has a well-designed interface, then synchronizing on the object itself will prevent its state being changed inappropriately.

Official details: Please refer to the link for details – https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01109.html

AI and ML, Potential Risk of CVE

CVE-2024-22476: Improper input validation in some Intel® Neural Compressor software. Intel fixes exploited bugs. (16th May 2024)

Leave a comment

Preface: Intel Neural Compressor performs model optimization to reduce the model size and increase the speed of deep learning inference for deployment on CPUs or GPUs.

Background: Intel Neural Compressor is an open source Python* library that performs model compression techniques such as quantization, pruning, and knowledge distillation across multiple deep learning frameworks including TensorFlow*, PyTorch*, and ONNX* (Open Neural Network Exchange) Runtime. The model compression techniques reduce the model size and increase the speed of deep learning inference for more efficient deployment on CPUs or GPUs.

Vulnerability details: Improper input validation in some Intel® Neural Compressor software before version 2.5.0 may allow an unauthenticated user to potentially enable escalation of privilege via remote access.

Ref: GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. This issue has been patched in version 3.1.41.

Official details: Please refer to the link for details – https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01109.html

Potential Risk of CVE

About CVE-2024-22252: Recently, Broadcom VMware has often repeated previous CVE posts. Maybe it’s a new company policy or necessary? (14-May-2024)

Leave a comment

Official last updated on May 8, 2024. An early advisory for this vulnerability was issued on March 5, 2024.

Preface: If you recall, this design flaw was discovered in April 2021. Has it been fixed? Or it is vendors fine-tuned their vulnerability management strategies?

Background: A Transfer Ring is an array of Transfer Request Blocks (TRBs). Each TRB points to a block of contiguous data (up to 64 KB) that will be transferred between hardware and memory as a single unit. The xHCI does not require this constraint. Any buffer pointed to by a Normal, Data Stage, or Isoch TRB in a TD may be any size between 0 and 64K bytes in size. For instance, if when an OS translates a virtual memory buffer into a list of physical pages, some of the entries in the list reference multiple contiguous pages, the flexible Length fields of TRBs allow a 1:1 mapping of list 68 entries to TRBs, i.e. a multi-page list entry does not need to be defined as multiple page sized TRBs.

Vulnerability details: VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3 for Workstation/Fusion and in the Important severity range with a maximum CVSSv3 base score of 8.4 for ESXi.

Known Attack Vectors: A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

Official announcement: Please refer to the link for details – https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24266

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2024-21474: Qualcomm did not disclose technical details. Could this situation cause this problem? (6th May 2024)

Leave a comment

Preface: The Qualcomm Snapdragon X65 5G Modem is the baseband chipset used in the iPad Pro (11-inch) (4th generation), iPad Pro (12.9-inch) (6th generation), iPhone 14, iPhone 14 Plus, iPhone 14 Pro and iPhone 14 Pro Max.

Background: A power management integrated circuit (PMIC) is used to manage power on an electronic devices or in modules on devices that may have a range of voltages. The PMIC manages battery power charging and sleep modes, DC-to-DC conversion, scaling of voltages down or up, among others.

Vulnerability details: Memory corruption when size of buffer from previous call is used without validation or re-initialization.

Vulnerability Type: CWE-121 Stack-based Buffer Overflow

Official announcement: Please refer to the link for details –

https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2024-bulletin.html

https://nvd.nist.gov/vuln/detail/CVE-2024-21474

Potential Risk of CVE

About VMware Enhanced Authentication Plug-in (EAP): VMware urges customers to remain alert for CVE-2024-22245 and CVE-2024-22250. (May 7, 2024)

Leave a comment

This announcement original published on 20th Feb 2024

Preface: When two components have problems in the same place. If vendor did not specify the details in clear. In this circumstances, the design weakness looks the same.

Background: The Enhanced Authentication Plugin (EAP) is an extra software package that doesn’t come pre-installed. Administrators need to install it on client computers used for administration to allow direct login when using the VMware vSphere Client through a web browser.

The VMware EAP is a deprecated browser plugin that enables seamless single sign-on (SSO) to vSphere’s management interface from client workstations. It is an optional feature that stopped receiving support with the release of VMware vCenter Server 7.0.0u2 in March 2021.

Vulnerability details:

Session Hijack Vulnerability in Deprecated EAP Browser Plugin (CVE-2024-22250) – The VMware Enhanced Authentication Plug-in (EAP) contains a Session Hijack vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

Arbitrary Authentication Relay Vulnerability in Deprecated EAP Browser Plugin (CVE-2024-22245) – The VMware Enhanced Authentication Plug-in (EAP) contains an Arbitrary Authentication Relay vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.6.

Official announcement: Please refer to the link for details:

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24257

https://nvd.nist.gov/vuln/detail/CVE-2024-22250

https://nvd.nist.gov/vuln/detail/CVE-2024-22245

Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

Android Security Bulletin – May 2024 There’s a lot you can explore (9 May 2024)

Leave a comment

Preface: Heard that Long-term support (LTS) for Linux kernels is being reduced from six to two years now.

Background: Greg Kroah-Hartman is a major Linux kernel developer. As of April 2013, he is the Linux kernel maintainer for the -stable branch, the staging subsystem, USB, driver core, debugfs, kref, kobject, and the sysfs kernel subsystems, Userspace I/O, and TTY layer.

What will be the next LTS kernel?

But in any event Greg Kroah-Hartman has decided to go ahead and declare Linux 6.6 as the newest LTS kernel. Kernel.org has been updated to reflect Linux 6.6 LTS. The current plan is for Linux 6.6 to be maintained until going end-of-life in December 2026: the same time Linux 6.1, 5.15, and 5.10 will reach end-of-life.

Android Security Bulletin—May 2024 (Published May 6, 2024)

The diagram above shows that kernel versions have been updated. Kernel version updates are dependent on the version of Android OS at the time of device launch. Please refer to the following link for details:

https://source.android.com/docs/security/bulletin/2024-05-01

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2024-1067: Mali GPU Kernel Driver allows improper GPU memory processing operations (8 May 2024)

Leave a comment

Date of issue: 3rd May 2024

Preface: The Mali-G720 and Mali-G620 GPUs complete the world-class GPU portfolio for a wide range of consumer devices. After four generations of GPUs on the fourth-generation Valhall architecture, the latest Arm GPUs are built on a new fifth-generation GPU architecture (called Gen 5).

Background: The New 5th Gen Arm GPU Architecture

The 5th Gen GPU architecture introduces a key feature called Deferred Vertex Shading (DVS), which revolutionizes data flow within the GPU and expands the number of GPU cores, reaching up to 16 cores for enhanced performance.

The Arm 5th Gen GPU architecture is the most efficient GPU architecture Arm has ever created, designed with CPU and system architecture in mind. It redefines parts of the graphics pipeline to significantly reduce memory bandwidth, thus improving total system efficiency and power.

Technical reference: It solves the bandwidth problem of the traditional model because the fragment shader reads a small block each time and puts it on the chip. It does not need to read the memory frequently until the final operation is completed and then writes it to the memory. You can even further reduce memory reads and writes by compressing tiles. In addition, when some areas of the image are fixed, the function can be called to determine whether the tiles are the same to reduce repeated rendering.

Vulnerability details: A local non-privileged user can make improper GPU memory processing operations. On Armv8.0 cores, there are certain combinations of the Linux Kernel and Mali GPU kernel driver configurations that would allow the GPU operations to affect the userspace memory of other processes.

Ref: Arm did not provide details. Is the senario on attached diagram similar to this CVE?

Resolution: This issue is fixed in Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r48p0. Users are recommended to upgrade if they are impacted by this issue.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-1067

Potential Risk of CVE

CVE-2024-33602: Name Service Cache Daemon’s (nscd) design limitation (6 May 2024)

Leave a comment

Preface: Kubernetes creates DNS records for Services and Pods. You can contact Services with consistent DNS names instead of IP addresses. Kubernetes publishes information about Pods and Services which is used to program DNS. Kubelet configures Pods’ DNS so that running containers can lookup Services by name rather than IP.

Background: When nscd enabled, this function allows your Linux computer to retrieve DNS messages locally. Since the Linux operating system have additional function collects the browser cache and DNS cache (instead of waiting for a public DNS resolver). Therefore, your frequently visited sites will load much faster than other sites.

Nscd is a daemon that provides a cache for the most common name service requests. The default configuration file, /etc/nscd[.] conf, determines the behavior of the cache daemon.

DNS domain name resolution in Kubernetes cluster often has problems for various reasons, including kernel problems and load problems. You can use nscd in Kubernetes cluster to improve the lookup efficiency.

Vulnerability details: nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon’s (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-33602

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

Starting from CVE-2024-34476, other design flaws have also been found, please use non-vulnerable Open5GS versions for development. (4-May-2024)

Leave a comment

Preface: The two prerequisites for running Open5GS are the Open5GS core and MongoDB. The MongoDB, a document-based database, for user equipment registration. MongoDB uses some weird special processor instruction, which is not provided in intel Celeron processor.

Background: The Access and Mobility Management Function (AMF) is one of the control plane network functions (NF) of the 5G core network (5GC). The control plane in 5G Network Architecture contains the AMF which is the first node in the control plane that connects to the gNB. And it is responsible for the access and mobility management. The SMF, that is responsible for session management.

Authentication messages are a set of NAS message involved in Athenticating UE to 5G RAN and Core Network. Mainly three NAS messages are involved : AuthenticationRequest, AuthenticationResponse. Important Information of RegistrationRequest are : Authentication Key Information.

Vulnerability details: Open5GS before 2.7.1 is vulnerable to a reachable assertion that can cause an AMF crash via NAS messages from a UE: ogs_nas_encrypt in lib/nas/common/security[.]c for pkbuf->len.

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2024-34476

AI and ML, Potential Risk of CVE

Will such scenario be similar to the CVE-2024-0087 mentioned? (3May 2024)

Leave a comment

Preface: NVIDIA Triton Inference Server, part of the NVIDIA AI platform and available with NVIDIA AI Enterprise, is open-source software that standardizes AI model deployment and execution across every workload.

Background: The Triton Inference Server is available as a pre-built Docker container or you can build it from source.The Triton Docker container is available on the NVIDIA GPU Cloud (NGC). For best performance the Triton Inference Server should be run on a system that contains Docker, nvidia-docker, CUDA and one or more supported GPUs.

Vulnerability details: NVIDIA Triton Inference Server for Linux contains a vulnerability where a user can set the logging location to an arbitrary file. If this file exists, logs are appended to the file. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

Ref: . LFI (Local File Inclusion) is a web vulnerability that allows an attacker to access server files by manipulating paths in HTTP requests.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5535