About CVE-2024-37571: SAS: Data and AI Solutions (SAS Broker – V9.2, build 1495) 26-June-2024

Preface: What’s required to create good machine learning systems?

- Data preparation capabilities.

- Algorithms – basic and advanced.

- Automation and iterative processes.

- Scalability.

- Ensemble modeling.

Did you know?

- In machine learning, a target is called a label.

- In statistics, a target is called a dependent variable.

- A variable in statistics is called a feature in machine learning.

- A transformation in statistics is called feature creation in machine learning.

Background: SAS offers many different solutions for using machine learning to model and predict your data. Machine learning is in high demand, whether you are a citizen data scientist who wants to work interactively or a hands-on data scientist who wants to code. This includes migration of your BI/DI environment from SAS 9.2 to SAS 9.3 and the installation of SAS Visual Analytics (SAS 9.4).

You have access to the latest analytic techniques with SAS® Visual Data Mining and Machine Learning on SAS® Viya.

What is the difference between SAS 9.4 and SAS Viya?

SAS® 9.4 and SAS® Viya® functional comparison: perhaps the most significant core-platform functional difference between SAS 9.4 and SAS Viya is the way each one handles distributed processing. SAS Viya leverages the CAS server, whereas SAS 9.4 uses SAS® LASR™, SAS® High-Performance Analytics (HPA) and SAS® Grid Manager.

Vulnerability details: A buffer overflow vulnerability in SAS Broker 9.2 build 1495 allows attackers to cause a denial of service or obtain sensitive information via a crafted payload to the ‘_debug’ parameter.

Official announcement: For detail, please refer to link –

https://www.tenable.com/cve/CVE-2024-37571

About CVE-2024-38952 on PX4-Autopilot v1.14.3 (27 June 2024)

Preface: The PX4 is a professional autopilot. Developed by world-class developers from industry and academia and supported by an active worldwide community, it powers a variety of vehicles from racing and cargo drones to ground vehicles and submersibles.

Background: What is needed to control a drone using a PX4 flight controller?

- A computer with Internet access.

- Linux operating system (I am using Ubuntu 14.04 LTS, you can use the operating system you want, but since I am also doing source code development, Linux will make my days a lot easier).

- A PX4 autopilot (Pixhawk, Pixfalcon, HK Pilot 32, Pixracer) with a micro USB cable.

- Your drone.

- A pair of telemetry modules (optional).

Vulnerability details: PX4-Autopilot v1.14.3 was discovered to contain a buffer overflow via the topic_name parameter at /logger/logged_topics.cpp.

Official announcement: For detail, please refer to link –

https://nvd.nist.gov/vuln/detail/cve-2024-38952

CVE-2024-38663: blk-cgroup – fix list corruption from resetting io stat (25-June-2024)

Preface: Android uses cgroups to control and account for system resources such as CPU and memory usage and allocation, with support for Linux kernel cgroups v1 and cgroups v2.

Background: New IO stats are stored in the percpu iostat_cpu within blkcg_gq (blkg). There are multiple blkg’s (one for each block device) attached to each blkcg. The rstat code keeps track of which cpu has IO stats updated, but it doesn’t know which blkg has the updated stats. If there are many block devices in a system, the cost of iterating all the blkg’s to flush out the IO stats can be high. To reduce such overhead, a set of percpu lockless lists (lhead) per blkcg are used to track the set of recently updated iostat_cpu’s since the last flush. An iostat_cpu will be put onto the lockless list on the update side [blk_cgroup_bio_start()] if not there yet and then removed when being flushed [blkcg_rstat_flush()].

References to blkg are gotten and then put back in the process to protect against blkg removal.

Vulnerability details: blk-cgroup: fix list corruption from resetting io stat. Since commit 3b8cc6298724 (“blk-cgroup: Optimize blkcg_rstat_flush()”), each iostat instance is added to blkcg percpu list, so blkcg_reset_stats() can’t reset the stat instance by memset(), otherwise the llist may be corrupted.

Fix the issue by only resetting the counter part.
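A user-space model of the corruption mechanism, added here as an example and not the kernel's code: an iostat entry that is linked into the per-cpu lockless list loses its link when the whole structure is cleared, so a later flush never reaches the entries behind it, whereas clearing only the counters keeps the list intact. The names IoStat, llist_add, llist_walk, reset_by_memset and reset_counters_only are hypothetical stand-ins for the kernel structures and helpers.

```python
# Added example (not kernel code): why blkcg_reset_stats() must not memset() an
# iostat instance that is still linked into the blkcg per-cpu lockless list.
from dataclasses import dataclass
from typing import Optional


@dataclass
class IoStat:
    """Stand-in for a per-cpu iostat: I/O counters plus the llist_node link ('lnode')."""
    name: str
    rbytes: int = 0
    wbytes: int = 0
    ios: int = 0
    lnode: Optional["IoStat"] = None  # next entry in the per-cpu lockless list


def llist_add(head: Optional[IoStat], entry: IoStat) -> IoStat:
    """Model of llist_add(): link the entry in front of the current head, return new head."""
    entry.lnode = head
    return entry


def llist_walk(head: Optional[IoStat]) -> list:
    """Model of the flush-side traversal: names of every entry reachable from head."""
    names, cur = [], head
    while cur is not None:
        names.append(cur.name)
        cur = cur.lnode
    return names


def reset_by_memset(stat: IoStat) -> None:
    """The pre-fix reset: clears every field, including the list link (the bug)."""
    stat.rbytes = stat.wbytes = stat.ios = 0
    stat.lnode = None


def reset_counters_only(stat: IoStat) -> None:
    """The fixed reset: clears only the counter part and leaves lnode untouched."""
    stat.rbytes = stat.wbytes = stat.ios = 0


def reset_and_flush(buggy: bool) -> list:
    """Link three per-device iostats, reset the middle one, then flush (walk) the list.

    Returns the device names the flush still sees; the buggy reset silently drops 'sda'.
    """
    sda, sdb, sdc = IoStat("sda", ios=3), IoStat("sdb", ios=5), IoStat("sdc", ios=7)
    head = llist_add(llist_add(llist_add(None, sda), sdb), sdc)  # sdc -> sdb -> sda
    (reset_by_memset if buggy else reset_counters_only)(sdb)
    return llist_walk(head)
```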

Official announcement: For detail, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2024-38663

About LoLLMS WebUI: CVE-2024-5443 design flaw related to CVE-2024-4320 (NVD Last Modified: 06/24/2024)

Preface: Large language models (LLM) are very large deep learning models that are pre-trained on vast amounts of data. The underlying transformer is a set of neural networks that consist of an encoder and a decoder with self-attention capabilities.

The key feature of a multimodal model is its ability to integrate and interpret information from these different data sources, often simultaneously. These can be understood as more advanced versions of large language models (LLMs) that can work not only on text but diverse data types.

Background:

1. Activate the environment:

conda activate lollms

2. Install cudatoolkit:

conda install -c anaconda cudatoolkit

3. Install lollms:

pip install --upgrade lollms

4. Lord of Large Language Models (LoLLMs) is ready.

Vulnerability details: CVE-2024-5443: CVE-2024-4320 describes a vulnerability in the parisneo/lollms software, specifically within the ExtensionBuilder().build_extension() function.
The vulnerability arises from the /mount_extension endpoint, where a path traversal issue allows attackers to navigate beyond the intended directory structure. This is facilitated by the data.category and data.folder parameters accepting empty strings (“”), which, due to inadequate input sanitization, can lead to the construction of a package_path that points to the root directory.
Consequently, if an attacker can create a config.yaml file in a controllable path, this path can be appended to the extensions list and trigger the execution of init.py in the current directory, leading to remote code execution. The vulnerability affects versions from 5.9.0, and has been addressed in version 9.5.1.
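A defensive version of the path construction, added here as an example and not lollms' own code: each of category and folder must be a single non-empty folder name (so the empty strings described above are rejected), and the resulting package_path is resolved and checked to stay under the extensions root. The extensions root path, the function names and the InvalidExtensionPath exception are hypothetical.

```python
# Added example (not lollms code): building an extension package_path safely.
from pathlib import Path


class InvalidExtensionPath(ValueError):
    """Raised when category/folder would not stay inside the extensions root."""


def _check_component(name: str, value: str) -> str:
    """Accept only a single, non-empty folder name: no '.', '..', separators or NULs."""
    if not value or value in (".", ".."):
        raise InvalidExtensionPath(f"{name} must be a non-empty folder name")
    if "/" in value or "\\" in value or "\x00" in value:
        raise InvalidExtensionPath(f"{name} must not contain path separators")
    return value


def build_package_path(extensions_root, category: str, folder: str) -> Path:
    """Return <root>/<category>/<folder>, refusing anything that resolves outside root."""
    root = Path(extensions_root).resolve()
    candidate = (root / _check_component("category", category)
                      / _check_component("folder", folder)).resolve()
    # Defence in depth: even components that passed the checks must stay under root.
    if root not in candidate.parents:
        raise InvalidExtensionPath("package_path escapes the extensions root")
    return candidate


def is_accepted(extensions_root, category: str, folder: str) -> bool:
    """Convenience wrapper: True if the pair yields a path the mount would accept."""
    try:
        build_package_path(extensions_root, category, folder)
        return True
    except InvalidExtensionPath:
        return False
```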

Official announcement: For detail, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2024-5443

CVE-2024-36532: Insecure permissions in kruise v1.6.2 (21 June 2024)

Preface: CNCF (Cloud Native Computing Foundation) is the open source, vendor-neutral hub of cloud native computing, hosting projects like Kubernetes and Prometheus to make cloud native universal and sustainable.

Background: OpenKruise is a suite of extension components for Kubernetes that focuses on automated management of large-scale applications, such as deployment, upgrades, maintenance, and availability protection. Most of the functionality provided by OpenKruise is primarily built on CRD extensions.

Vulnerability details: Insecure permissions in kruise v1.6.2 allow attackers to access sensitive data and escalate privileges by obtaining the service account’s token.

  1. The attacker steals the token.
     Here is an example of stealing a token: in CNCF there is a project named hwameistor, and the DaemonSet hwameistor-local-disk-manager for that project has a cluster role named hwameistor-admin, which has the update/patch verb on the nodes resource. If a malicious user takes control of a worker node, by default the “hwameistor-local-disk-manager” pod will run on that node and he/she can use that pod to patch/update other nodes and force kruise’s pod to run on the malicious worker node. Then he/she can steal the token.
  2. Use the obtained token to authenticate with the API server. By including the token in the request, the attacker is recognized as a legitimate user with the ServiceAccount and gains all privileges associated with that ServiceAccount.
  3. Use the privileges to access all Secrets in the cluster.
  4. Use the sensitive information in the Secrets to elevate privileges, explore other sensitive resources, and eventually take over the entire cluster.
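An added audit check, not kruise or hwameistor code, that scans ClusterRole objects for rules granting update/patch (or a wildcard) on the core nodes resource, the permission step 1 above depends on. The ClusterRole objects are constructed samples and the function names are hypothetical.

```python
# Added example: flag ClusterRoles whose rules allow writing Node objects.
RISKY_VERBS = {"update", "patch", "*"}


def rule_allows_node_write(rule: dict) -> bool:
    """True when a PolicyRule grants update/patch (or '*') on the core 'nodes' resource."""
    groups = rule.get("apiGroups") or [""]
    if "" not in groups and "*" not in groups:
        return False
    resources = rule.get("resources") or []
    if "nodes" not in resources and "*" not in resources:
        return False
    return bool(RISKY_VERBS.intersection(rule.get("verbs") or []))


def find_node_writers(cluster_roles: list) -> list:
    """Sorted names of ClusterRoles containing at least one node-writing rule."""
    return sorted(
        role["metadata"]["name"]
        for role in cluster_roles
        if any(rule_allows_node_write(r) for r in (role.get("rules") or []))
    )


# Constructed samples: one role shaped like the hwameistor-admin case, one read-only
# role, and one wildcard role. These are not real cluster output.
SAMPLE_CLUSTER_ROLES = [
    {
        "metadata": {"name": "hwameistor-admin"},
        "rules": [
            {"apiGroups": [""], "resources": ["nodes"],
             "verbs": ["get", "list", "update", "patch"]},
        ],
    },
    {
        "metadata": {"name": "read-only-viewer"},
        "rules": [
            {"apiGroups": [""], "resources": ["nodes", "pods"],
             "verbs": ["get", "list", "watch"]},
        ],
    },
    {
        "metadata": {"name": "cluster-admin-like"},
        "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    },
]
```

On a live cluster the same function can be run over the items list returned by `kubectl get clusterroles -o json`.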

Official announcement: For detail, please refer to link – https://www.tenable.com/cve/CVE-2024-36532

CVE-2024-36680: Improper neutralization of SQL parameter in Promokit.eu – Facebook module for PrestaShop (20-June-2024)

Preface: PrestaShop is an open source e-commerce platform that emerged in 2007. It’s still widely used today—more than 250,000 devices are powered by it. The goal of PrestaShop Facebook is to promote e-commerce sales on Facebook and Instagram social networks.

Background: E-commerce web developers create their module’s folder inside the folder called “modules” in the PrestaShop root directory. This folder contains all the modules in PrestaShop; even basic modules such as the website’s shopping cart can be found in this place.

How do I install PrestaShop on my local computer?

  1. XAMPP is an easy-to-install Apache distribution containing MariaDB, PHP, and Perl. Just download and start the installer.
  2. Go to the official XAMPP website and download it.
  3. Install XAMPP at any location; we install it on the C drive.
  4. Create a project folder in the htdocs directory.
  5. Put the downloaded PrestaShop file in this project folder.
  6. PrestaShop installation process:

- Download PrestaShop.

- Create the database.

- Upload the downloaded file to the server.

- Delete the archive folder and the install folder.

Vulnerability details: In the module “Facebook” (pkfacebook) <=1.0.1 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The ajax script facebookConnect.php has a sensitive SQL call that can be executed with a trivial HTTP call and exploited to forge a SQL injection.

Official announcement: For detail, please refer to link – https://www.tenable.com/cve/CVE-2024-36680

CVE-2024-36977: usb: dwc3: Wait unconditionally after issuing EndXfer command (19 June 2024)

Preface: The DWC3 is Synopsys IP providing a SuperSpeed USB 3.0 controller. This Synopsys DesignWare USB3 controller IP has proved to be very popular and is in use ranging from various Arm SoCs from Samsung and TI to Qualcomm platforms. DWC3 is also used by various platforms from both Intel and AMD.

Background:

EN_ENDXFER_ON_RJCT_STRM: Enable bit for the new reject-stream flow. On receiving a reject stream (FFFF) on the USB side, the controller updates the application SW with STREAMEVT_NOTFOUND with stream ID FFFF. On decoding this event, the application SW needs to issue an ENDXFER command, which flushes all FIFOs.

Until an ENDXFER is issued, any stream packet received (on USB) will not lead to a search of the available streams in the cache or the release of ERDY. The controller keeps writing STREAM_NOT_FOUND events until ENDXFER completes.

- 0: Feature disabled. No reject status is reported to the application SW.

- 1: Feature enabled. Reject status is reported on receiving a reject stream (on USB); on decoding this event, the application SW needs to issue an ENDXFER.

Note: By default, this bit is set to 0.

Vulnerability details: usb: dwc3: Wait unconditionally after issuing EndXfer command. Currently all controller IP/revisions except DWC3_usb3 >= 310a wait 1ms unconditionally for ENDXFER completion when IOC is not set.

Severity: Critical

Official announcement: For detail, please refer to link – https://www.tenable.com/cve/CVE-2024-36977

CVE-2024-37079 and CVE-2024-37080: vCenter Server contains a heap-overflow vulnerability. Is this a prior incident? (18-June-2024)

Preface: The DCE/RPC protocol is the protocol for remote procedure calls. It is widely used in the modern Internet. Because the proper functioning of DCE/RPC protocols is critical to modern infrastructure and society, it is important to verify the reliability of DCE/RPC implementations.

Background: This type of vulnerability can be particularly dangerous because it could allow an attacker to write data outside of the allocated memory buffer, potentially leading to remote code execution. Such a vulnerability could provide an attacker with unauthorized control of vCenter Server, posing a significant risk to the security and integrity of the virtualized environment managed by vCenter.

Vulnerability details:

CVE-2024-37079: vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.

CVE-2024-37080: vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.

Official announcement: For detail, please refer to link –

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453

CVE-2024-21478 – Automotive manufacturer staying alert! (18 June 2024)

Preface: For example, if your app defines a fence for headphones, it gets callbacks when the headphones are plugged in and when they’re unplugged.

Background: Automotive infotainment is an in-car system that combines entertainment such as radio and music playing with driving information, including navigation, ADAS, and vehicle settings.

The SA8255P is Qualcomm’s next-generation Snapdragon automotive infotainment SoC. Developed as an SEooC targeting ASIL B use cases, the SA8255P empowers automakers with scalable solutions that are connected, smart, and aware.

Vulnerability details: NULL pointer dereference in Graphics: transient DOS when setting up a fence callback to free a KGSL memory entry object during DMA.

Affected Chipsets: QAM8255P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, SA8255P, SA8650P, SA8770P, SA8775P, SA9000P, SRV1H, SRV1M.

Official announcement: For detail, please refer to link – https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2024-bulletin.html

CVE-2024-4610: Arm was recently aware of this vulnerability being exploited in the wild (17 June 2024)

Arm has released limited details about the vulnerability. Do you think the following is similar to CVE-2024-4610?

Preface: Arm was recently made aware of reports of this vulnerability being exploited in the wild, but the exploit is a local attack, so cybercriminals would presumably need help from email phishing or SMS functionality to deliver it. That is why it attracted the attention of manufacturers.

Background: The Mali Bifrost architecture – implemented by the Mali-G3x, Mali-G5x, and Mali-G7x family of products, is the successor to the Midgard architecture and the predecessor of the Valhall architecture.

The Android and Linux versions of the Mali GPU device driver provide low-level access to the Mali GPUs that are part of the Bifrost family.

There are many IPC mechanisms, such as shared memory, message queues, pipes, FIFOs, Unix sockets, etc. A process cannot access another process’s memory; however, the kernel has control over all processes and can therefore expose an interface that enables IPC. In Binder, this interface is the /dev/binder device, which is implemented by the Binder kernel driver.

Ref: A mutex is a mutually exclusive flag. It acts as a gatekeeper to a section of code, allowing one thread in and blocking access to all others.

Vulnerability details: Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.

This issue affects Bifrost GPU Kernel Driver: from r34p0 through r40p0; Valhall GPU Kernel Driver: from r34p0 through r40p0.

Official announcement: For detail, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2024-4610