CVE-2024-0103 – NVIDIA Triton Inference Server for Linux hit Incorrect Initialization of Resource vulnerability (31-05-2024)

Preface: AI-powered systems analyse the severity of the vulnerability, potential impact, and exploitability and prioritise patches based on the criticality of the vulnerability. Perhaps AI contains self diagostic and do remedy by himself!

Background: An open-source software that helps standardize model deployment and delivers fast and scalable AI in production.

Vulnerability details:

CVE-2024-0103 Information disclosure

NVIDIA Triton Inference Server for Linux contains a vulnerability where a user may cause an incorrect Initialization of resource by network issue. A successful exploit of this vulnerability may lead to information disclosure.

Ref: For example, the minimum packet size is 60 bytes (the card typically adds a frame checksum to this, making the minimum packet size on the line 64 bytes). If you only have 40 bytes, then it will still transmit 60 bytes.

Because 40 bytes you send plus the next 20 bytes that happen to be sitting in the buffer beyond the 40 you intended to send.

If you haven’t explicitly initialized that area, those 20 bytes might well be data leftover from a previously sent packet, which may have belonged to some other connection. Or that memory could have previously been a data page for some program that was recently running (and hence could contain a password, or an encryption key or just about any kind of sensitive information).

Official details: For detail, please refer to link – https://nvidia.custhelp.com/app/answers/detail/a_id/5546

CVE-2024-38016: tty: n_gsm: fix possible out-of-bounds in gsm0_receive() (29-05-2024)

Preface: In the Linux Kernels n_gsm serial line discipline, which can be exploited by local attackers to gain kernel level root access. It original published by other Linux brand on 8th May 2024.

Background: In Unix systems, a tty (which is short for “teletypewriter”) is the standard representation of a terminal device, with at least input and output capabilities and usually much more. These were originally connected to serial ports, but most today are virtual terminals, connected to either a text-mode console (DOS-like) or a graphical terminal program (like xterm or gnome-terminal).

Vulnerability details: tty: n_gsm: fix possible out-of-bounds in gsm0_receive()

Assuming the following:

– side A configures the n_gsm in basic option mode

– side B sends the header of a basic option mode frame with data length 1

– side A switches to advanced option mode

– side B sends 2 data bytes which exceeds gsm->len

Reason: gsm->len is not used in advanced option mode.

– side A switches to basic option mode

– side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration.

Official details: For detail, please refer to link – https://www.tenable.com/cve/CVE-2024-36016

Red Hat security advisory: Important – glibc security update (29-05-2024)

Preface: You can clear the cache of nscd by performing the following actions:

Execute the following command: sudo /etc/init[.]d/nscd restart.

Background:

Nscd is a daemon that provides a cache for the most common name service requests. The default configuration file, /etc/nscd. conf, determines the behavior of the cache daemon.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

The iconv() function shall convert the sequence of characters from one codeset, in the array specified by inbuf, into a sequence of corresponding characters in another codeset, in the array specified by outbuf. The codesets are those specified in the iconv_open() call that returned the conversion descriptor, cd.

Vulnerability details:

glibc: Out of bounds write in iconv may lead to remote code execution (CVE-2024-2961)

glibc: stack-based buffer overflow in netgroup cache (CVE-2024-33599)

 glibc: null pointer dereferences after failed netgroup cache insertion (CVE-2024-33600)

 glibc: netgroup cache may terminate daemon on memory allocation failure (CVE-2024-33601)

 glibc: netgroup cache assumes NSS callback uses in-buffer strings (CVE-2024-33602)

Official announcement: For detail, please refer to link – https://access.redhat.com/errata/RHSA-2024:3464

CVE-2024-5274: Google Chrome fixed remote code execution vulnerability (28-05-2024)

Preface: Every time I start learning CVE. It helps me enrich my knowledge.  Even though it was released months ago.

Background: V8 is a JavaScript and WebAssembly engine developed by Google for its Chrome browser. Each WebAssembly module executes within a sandboxed environment separated from the host runtime using fault isolation techniques.

Ref: wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this panic. This vulnerability has been patched in version 19.0.1.

Vulnerability details: This update includes 1 security fix. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[N/A][341663589] High CVE-2024-5274: Type Confusion in V8. Reported by Clément Lecigne of Google’s Threat Analysis Group and Brendon Tiszka of Chrome Security on 2024-05-20

Google is aware that an exploit for CVE-2024-5274 exists in the wild.

Official announcement: For detail, please refer to link – https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_23.html?m=1

Apple security updates on 20th May 2024, But it has not published CVE entries. Observe how Apple handled in the past, maybe you can find it in a CVE few months from now. (27-05-2024)

Preface: Apple released iOS 17.5 and iPadOS 17.5 on May 20, 2024, which fixed multiple security vulnerabilities.  I heard that some users found that photos they had deleted years ago suddenly appeared in recent albums as new photos.

Background: The attached pictures document some rare occurrences. For example, which IOS version still support 32 bit applications last year. Perhaps there is a difference regarding to offical announcement. And suspected that may be is the reason to unsupport 32 bits apps.

Official announcement: Why does deleting pictures return?

According to Apple, the photos that did not fully delete from a user’s device were not synced to iCloud Photos. Those files were only on the device itself. However, the files could have persisted from one device to another when restoring from a backup, performing a device-to-device transfer, or when restoring from an iCloud Backup but not using iCloud Photos.

As for vulnerabilities details in security updates, I will pay close attention to see if they can be found.

There are no published CVE entries for this update.  Please refer to the link for details – https://support.apple.com/en-hk/HT201222

CVE-2024-23354 Memory corruption when the IOCTL call is interrupted by a signal. (24May 2024)

Originally published on May 6, 2024

Preface: The Snapdragon 8 Gen 2 Mobile Platform defines a new premium standard for connected computing. Intelligently engineered with groundbreaking AI across the board, this AI marvel enables truly extraordinary experiences.

Background: A vertex buffer object (VBO) is an OpenGL feature that provides methods for uploading vertex data (position, normal vector, color, etc.) to the video device for non-immediate-mode rendering.

KGSL allocates GPU-shared memory from its own page pool. A VBO is a buffer of memory which the gpu can access. That’s all it is. A VAO is an object that stores vertex bindings. This means that when you call glVertexAttribPointer and friends to describe your vertex format that format information gets stored into the currently bound VAO.

Vulnerability details: Memory corruption when the IOCTL call is interrupted by a signal.

Remedy: The VBO bind operation is often synchronous, and needs to be waited on by the ioctl thread. Allocate the completion struct used to synchronize between the ioctl and bind operation on the heap for simplicity.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-23354

CVE-2024-22274: vCenter design weakness. Does it similar to this way? (23 May 2024)

Preface: In computer security, arbitrary code execution (ACE) is an attacker’s ability to run any commands or code of the attacker’s choice on a target machine or in a target process. An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution.

Background: vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location. VMware vMotion and svMotion require the use of vCenter and ESXi hosts.

Vulnerability details: The vCenter Server contains an authenticated remote code execution vulnerability. A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to run arbitrary commands on the underlying operating system.

The vendor did not disclose details. Are there any design flaws similar to the following:

Ref: The HTTP header offers two distinct ways of specifying where the request ends: the Transfer-Encoding header and the Content-Length header. An HTTP request smuggling vulnerability occurs when an attacker sends both headers in a single request. This can cause either the front-end or the back-end server to incorrectly interpret the request, passing through a malicious HTTP query.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-22274

CVE-2024-36008: The impact may be widespread but has been resolved. Linux, you did a great job. (21May 2024)

Preface: Syzbot has begun to report kernel findings to LKML in 2017. Syzbot is a continuous kernel build / fuzz / report aggregation system.

Background: Linux has two mechanisms for setting routes, one is fib, and the other is routing generated by dynamic. fib uses route (man 8 route) to specify a static route table. What net/ipv4/route[.]c does is dynamic generate routing hash to speed up route decision.

Vulnerability details: In the Linux kernel, the following vulnerability has been resolved: ipv4: check for NULL idev in ip_route_use_hint() . syzbot was able to trigger a NULL deref in fib_validate_source() in an old tree .

It appears the bug exists in latest trees. All calls to __in_dev_get_rcu() must be checked for a NULL result.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-36008

Is AMD Instinct™ MI300X affected by CVE-2023-4968 (GPU memory leak). AMD has the answer. Official announcement on May 7, 2024.

This article was published on May 21, 2024.

Preface: When I see the vulnerability it shows the date far away from now. Sometimes I lose interest. Maybe I’m missing a major technical detail. AMD officially released CVE-2023-4869 on March 7, 2024.

It happened to wake me up! Although today is May 21, 2024, it seems that my study is not late!

Background: Is MI300X better than H100? While both GPUs are capable, the MI300X has the edge in memory-intensive tasks like rendering large scenes and simulations. In comparison, the H100 excels in its AI-enhanced workflow and ray-traced rendering performance. AMD InstinctMI300X accelerators are designed to deliver leadership performance for Generative AI workloads and HPC applications.

Vulnerability details: Insufficient clearing of GPU memory could allow a compromised GPU kernel to read local memory values from another kernel across user or application boundaries leading to loss of confidentiality.

Official announcement: Please refer to the link for details –

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6010.html

CVE-2024-23664: CW:601 was fixed by Fortinet (20th May 2024)

Initial publication: 14th May 2024

Preface: What happens if a website uses a user-supplied URL in a URL fragment to redirect the logged-in user to the requested page?

Background: CWE 601 – An open redirect vulnerability occurs when an application allows the user to control redirects or forward to another URL. If the application does not validate untrusted user input, an attacker could provide a URL that redirects an unsuspecting victim from a legitimate domain to the attacker’s phishing site.

Vulnerability details: CVE-2024-23664: A URL redirection to untrusted site (‘Open Redirect’) (CWE-601) vulnerability in FortiAuthenticator may allow an attacker to redirect users to an arbitrary website via a crafted URL.

Ref: You should validate the workspace ID first. If the workspace ID is valid, you can proceed with the HTTP request and return the response. However, if the workspace ID is invalid, you should handle the error appropriately.

Official details: Please refer to the link for details – https://fortiguard.fortinet.com/psirt/FG-IR-23-465