CVE-2024-4610: Arm was recently aware of this vulnerability being exploited in the wild (17 June 2024)

Arm has released limited details about the vulnerability. Do you think the following is similar to CVE-2024-4610?

Preface: Arm is aware of reports of this vulnerability being exploited in the wild, but the exploit is a local attack. Attackers would presumably need help from email phishing or SMS to get their code onto the device first. That is why it attracted the attention of manufacturers.

Background: The Mali Bifrost architecture, implemented by the Mali-G3x, Mali-G5x and Mali-G7x families of products, is the successor to the Midgard architecture and the predecessor of the Valhall architecture.

The Android and Linux versions of the Mali GPU Device Driver provide low-level access to the Mali GPUs that belong to the Bifrost family.

There are many IPC mechanisms, such as shared memory, message queues, pipes, FIFOs and Unix sockets. A process cannot access another process's memory; however, the kernel has control over all processes and can therefore expose an interface that enables IPC. In Binder, this interface is the /dev/binder device, which is implemented by the Binder kernel driver.

Ref: A mutex (mutual exclusion flag) acts as a gatekeeper to a section of code, allowing one thread in and blocking access to all others.

Vulnerability details: Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.

This issue affects Bifrost GPU Kernel Driver: from r34p0 through r40p0; Valhall GPU Kernel Driver: from r34p0 through r40p0.

Official announcement: For detail, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2024-4610

CVE-2023-20597: AGESA™ firmware versions previously provided did not sufficiently mitigate CVE-2023-20594. Second round of remediation released (13-June-2024)

Preface: June 2024 Update – After additional analysis, AMD believes that the Client AGESA™ firmware versions previously provided did not sufficiently mitigate CVE-2023-20594. This security bulletin has been updated with new Client AGESA™ firmware versions that contain updated mitigations.

Background: The DXE drivers are responsible for initializing the processor, chipset, and platform components as well as providing software abstractions for system services, console devices, and boot devices.

Vulnerability details:

CVE-2023-20594 Improper initialization of variables in the DXE driver may allow a privileged user to leak sensitive information via local access.
CWE-665 Improper Initialization

CVE-2023-20597 Improper initialization of variables in the DXE driver may allow a privileged user to leak sensitive information via local access.
CWE-665 Improper Initialization

Published Date: Sep 20, 2023
Last updated date: Jun 11, 2024

Official announcement: For detail, please refer to link –
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4007.html

CVE-2024-35253: Microsoft Azure File Sync Elevation of Privilege Vulnerability (11 Jun 2024)

Preface: That is by design. If a file is created with the name of a just-deleted file, timestamps, attributes, and security are carried forward.

Background: To immediately sync files that are changed in the Azure file share, the Invoke-AzStorageSyncChangeDetection PowerShell cmdlet can be used to manually initiate the detection of changes in the Azure file share.

This cmdlet is intended for scenarios where some type of automated process is making changes in the Azure file share or the changes are done by an administrator (like moving files and directories into the share). For end user changes, the recommendation is to install the Azure File Sync agent in an IaaS VM and have end users access the file share through the IaaS VM. This way all changes will quickly sync to other agents without the need to use the Invoke-AzStorageSyncChangeDetection cmdlet.

Vulnerability details: Microsoft Azure File Sync Elevation of Privilege Vulnerability

Official announcement: For detail, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2024-35253

Repost CVE-2024-5274: Google Chrome fixed remote code execution vulnerability (11-06-2024)

CVE Release date: May 24, 2024

Preface: Every time I start learning a CVE, it helps me enrich my knowledge, even though it was released months ago.

Background: Around the world in 2024, over 4450 companies have started using Chrome as a site-search tool.

V8 is a JavaScript and WebAssembly engine developed by Google for its Chrome browser. Each WebAssembly module executes within a sandboxed environment separated from the host runtime using fault isolation techniques.

Ref: wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this panic. This vulnerability has been patched in version 19.0.1.

Vulnerability details: This update includes 1 security fix. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[N/A][341663589] High CVE-2024-5274: Type Confusion in V8. Reported by Clément Lecigne of Google’s Threat Analysis Group and Brendon Tiszka of Chrome Security on 2024-05-20

Google is aware that an exploit for CVE-2024-5274 exists in the wild.

Official announcement: For detail, please refer to link – https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_23.html?m=1

Regarding CVE-2024-0099 and CVE-2024-0084: Is this a renewed focus on vulnerabilities discovered in 2021? 10-June-2024

Original posted 06/06/2024

Preface: Oracle and Citrix have large customer bases and use Xen as their primary hypervisor. Red Hat, SUSE, and Canonical support KVM as a virtualization option in their Linux versions. When it comes to cloud computing, administrators face a similar decision: Citrix and Oracle offer Xen-based offerings rather than Google’s KVM.

Background: In a hypervisor command shell, such as the Citrix Hypervisor dom0 shell or the VMware ESXi host shell, you can run the following command to verify your NVIDIA virtual GPU software version.

[root@vgpu ~]# nvidia-smi

|NVIDIA-SMI 550[.]90[.]05                Driver Version: 550[.]90[.]05

NVIDIA vGPU software can be used in a variety of ways. The method we mentioned here is related to this vulnerability. In GPU pass-through mode, an entire physical GPU is directly assigned to one VM, bypassing the NVIDIA Virtual GPU Manager. In this mode of operation, the GPU is accessed exclusively by the NVIDIA driver running in the VM to which it is assigned. The GPU is not shared among VMs.

Exploiting a buffer overflow vulnerability often involves manipulating pointers to redirect program execution or inject malicious code. By overwriting the return address of a function, an attacker can divert the control flow to a different section of the program where their code is placed.

Vulnerability details:

CVE‑2024‑0099 NVIDIA vGPU software for Linux contains a vulnerability in the Virtual GPU Manager, where the guest OS could cause buffer overrun in the host. A successful exploit of this vulnerability might lead to information disclosure, data tampering, escalation of privileges, and denial of service.

CVE‑2024‑0089 NVIDIA vGPU software for Linux contains a vulnerability in the Virtual GPU Manager, where the guest OS could execute privileged operations. A successful exploit of this vulnerability might lead to information disclosure, data tampering, escalation of privileges, and denial of service.

Official announcement: For detail, please refer to link – https://nvidia.custhelp.com/app/answers/detail/a_id/5551

CVE-2024-31335 GPU – PowerVR: Wrong order of operations in DevmemIntUnmapPMR2 may lead to temporarily dangling PTEs. AI accelerators called Neural Network Accelerators (NNA), stay alert! (7 June 2024)

Originally posted: 31st May 2024

Preface: PowerVR is not limited to 2D and 3D rendering; it also covers video encoding, decoding and the associated image processing. It also develops AI accelerators called Neural Network Accelerators (NNA). The IMG Series4 is a revolutionary neural network accelerator (NNA) for the automotive industry that enables ADAS and autonomous driving.

PowerVR accelerators are not manufactured by PowerVR itself; instead, the IP blocks (integrated circuit designs and patents) are licensed to other companies.

Remark: An IP block is a reusable unit of logic, cell, or chip layout design that can be used as a building block for various chip and logic designs. By making this technology available, NXP is opening up the opportunity for chip designers to leverage its building blocks in a wide assortment of on-chip solutions.

Background: What is the DDK? To build the Android kernel and other kernel artifacts (modules, boot images, etc.), Android provides a build framework called "Kleaf". For Android 14 and later, Kleaf is strongly recommended. One part of Kleaf is the Driver Development Kit (DDK), which is used to build external modules.

Vulnerability details: CVE-2024-31335 – GPU – PowerVR: Wrong order of operations in DevmemIntUnmapPMR2 may lead to temporarily dangling PTEs.

Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger use-after-free kernel exceptions.

Official announcement: For detail, please refer to link –

https://www.imaginationtech.com/gpu-driver-vulnerabilities/#may24

CVE-2024-26926: Kernel – The vulnerability in this section could lead to local escalation of privilege in the kernel with no additional execution privileges needed (6 Jun 2024)

Preface: In Linux distributions, the term 'upstream' (also applied to the kernel) refers to the original version of a program as released by its developers, while 'downstream' refers to the version shipped by the Linux distribution.

Background: There are many IPC mechanisms, such as shared memory, message queues, pipes, FIFOs and Unix sockets. A process cannot access another process's memory; however, the kernel has control over all processes and can therefore expose an interface that enables IPC. In Binder, this interface is the /dev/binder device, which is implemented by the Binder kernel driver.

Ref: A mutex (mutual exclusion flag) acts as a gatekeeper to a section of code, allowing one thread in and blocking access to all others.

Vulnerability details:

Kernel - The vulnerability in this section could lead to local escalation of privilege in the kernel with no additional execution privileges needed.
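The mutex note in this post and in the CVE-2024-4610 post above describes the gatekeeper role in one sentence; the Arm advisory adds that the bug lets a user "gain access to already freed memory". The following is an added example, hypothetical driver-style user-space code and not Arm's or Android's, showing the two ideas together: a handle table of reference-counted memory regions where the refcount check, the free and the clearing of the table slot happen under one mutex, so no thread can look up a region another thread has just freed. All names (region, region_get, region_put, stress) are invented for the illustration.

```c
/* Added example (hypothetical driver-style code, not Arm's or Android's):
 * a handle table of reference-counted regions guarded by one mutex. The
 * mutex is the "gatekeeper": refcount check, free and slot clearing are
 * one atomic step, so a stale handle finds NULL, never freed memory. */
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

#define TABLE_SIZE 8

struct region {              /* stand-in for a driver-managed memory region */
    int refs;
    unsigned char *mem;
    size_t len;
};

static struct region *table[TABLE_SIZE];
static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;
static int frees_done;       /* how many times a region was really freed */

/* Allocate a region with one owner reference; returns a handle or -ENOMEM. */
int region_alloc(size_t len)
{
    struct region *r = calloc(1, sizeof *r);
    if (!r) return -ENOMEM;
    r->mem = calloc(1, len);
    if (!r->mem) { free(r); return -ENOMEM; }
    r->len = len;
    r->refs = 1;
    int h = -ENOMEM;
    pthread_mutex_lock(&table_lock);
    for (int i = 0; i < TABLE_SIZE && h < 0; i++)
        if (!table[i]) { table[i] = r; h = i; }
    pthread_mutex_unlock(&table_lock);
    if (h < 0) { free(r->mem); free(r); }
    return h;
}

/* Take a reference; -EINVAL for an out-of-range or already-dead handle. */
int region_get(int h)
{
    int ret = -EINVAL;
    if (h < 0 || h >= TABLE_SIZE) return ret;
    pthread_mutex_lock(&table_lock);
    if (table[h]) { table[h]->refs++; ret = 0; }
    pthread_mutex_unlock(&table_lock);
    return ret;
}

/* Drop a reference. Returns 1 if this call freed the region, 0 if references
 * remain, -EINVAL if the handle is stale. The slot is cleared under the lock
 * before the memory is released, so a later get/put on the same handle sees
 * NULL rather than freed memory. */
int region_put(int h)
{
    int ret = -EINVAL;
    if (h < 0 || h >= TABLE_SIZE) return ret;
    pthread_mutex_lock(&table_lock);
    struct region *r = table[h];
    if (r) {
        ret = 0;
        if (--r->refs == 0) {
            table[h] = NULL;
            free(r->mem);
            free(r);
            frees_done++;
            ret = 1;
        }
    }
    pthread_mutex_unlock(&table_lock);
    return ret;
}

/* Worker: many get/put pairs on one handle, racing the other workers. */
static void *worker(void *arg)
{
    int h = *(int *)arg;
    for (int i = 0; i < 20000; i++)
        if (region_get(h) == 0) region_put(h);
    return NULL;
}

/* Stress check: nthreads (max 16) hammer one handle. Afterwards the owner's
 * put must be the one that frees (so the refcount did not drift), and a
 * repeated put must be rejected. Returns the number of frees (expected 1)
 * or a negative code naming the invariant that broke. */
int stress(int nthreads)
{
    pthread_t tids[16];
    if (nthreads > 16) nthreads = 16;
    frees_done = 0;
    int h = region_alloc(4096);
    if (h < 0) return -1;
    for (int i = 0; i < nthreads; i++) pthread_create(&tids[i], NULL, worker, &h);
    for (int i = 0; i < nthreads; i++) pthread_join(tids[i], NULL);
    if (region_put(h) != 1) return -2;         /* refcount drifted or already freed */
    if (region_put(h) != -EINVAL) return -3;   /* stale handle was not rejected */
    return frees_done;
}

int main(void)
{
    printf("stress(4) -> %d (expect 1: freed once, stale handle rejected)\n", stress(4));
    return 0;
}
```

Compile with the pthread library linked (gcc links it by default on recent glibc). The design point is that the lookup and the free share one lock: removing the lock from region_put alone would let two threads both see refs==1, and the second free is exactly the "already freed memory" condition the advisory describes.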

Official announcement: For detail, please refer to link –

https://source.android.com/docs/security/bulletin/2024-06-01

CVE-2024-22476: Improper input validation in some Intel® Neural Compressor software (5 June 2024)

Original article published on 14-05-2024

Preface: Ancient humans hunted for survival. As time went by, evolution made them into intelligent beings. This pursuit of progress divided humans into different levels. Human wants are never ending. When Artificial Intelligence was born, it was the creator's final blessing to humanity.

Background: Intel Neural Compressor performs model optimization to reduce the model size and increase the speed of deep learning inference for deployment on CPUs or GPUs.

Intel Neural Compressor aims to provide popular model compression techniques such as quantization, pruning (sparsity), distillation, and neural architecture search on mainstream frameworks such as TensorFlow, PyTorch, ONNX Runtime, and MXNet, as well as Intel extensions such as Intel Extension for TensorFlow and Intel Extension for PyTorch.

Vulnerability details:

CVEID: CVE-2024-22476

Description: Improper input validation in some Intel® Neural Compressor software before version 2.5.0 may allow an unauthenticated user to potentially enable escalation of privilege via remote access.

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Products:

Intel® Neural Compressor software before version 2.5.0.
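To see what the vector string quoted above actually rates, here is an added example, not code from the Intel advisory or from Intel Neural Compressor: a small CVSS v3.1 base-score calculator in C. The metric weights and the Roundup rule are taken from the CVSS v3.1 specification; the only page-specific input is the vector string itself, stored in INTEL_VECTOR. Running it shows that this vector (local access, high complexity, low privileges, confidentiality-only impact) yields a base score of 4.7.

```c
/* Added example, not from the Intel advisory: CVSS v3.1 base-score
 * calculator. Weights and Roundup follow the CVSS v3.1 specification
 * (sections 7.1, 7.4 and appendix A); no libm needed. */
#include <stdio.h>
#include <string.h>

/* Parsed metrics, one letter each (e.g. 'L' for AV:L). */
struct cvss { char av, ac, pr, ui, s, c, i, a; };

/* Parse "CVSS:3.1/AV:x/AC:x/PR:x/UI:x/S:x/C:x/I:x/A:x".
 * Returns 0 on success, -1 if the prefix or any metric is missing/unknown. */
int cvss_parse(const char *vec, struct cvss *out)
{
    if (strncmp(vec, "CVSS:3.1/", 9) != 0) return -1;
    memset(out, 0, sizeof *out);
    char buf[128];
    strncpy(buf, vec + 9, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        char *colon = strchr(tok, ':');
        if (!colon || colon[1] == '\0' || colon[2] != '\0') return -1;
        char v = colon[1];
        *colon = '\0';
        if      (!strcmp(tok, "AV")) out->av = v;
        else if (!strcmp(tok, "AC")) out->ac = v;
        else if (!strcmp(tok, "PR")) out->pr = v;
        else if (!strcmp(tok, "UI")) out->ui = v;
        else if (!strcmp(tok, "S"))  out->s  = v;
        else if (!strcmp(tok, "C"))  out->c  = v;
        else if (!strcmp(tok, "I"))  out->i  = v;
        else if (!strcmp(tok, "A"))  out->a  = v;
        else return -1;
    }
    return (out->av && out->ac && out->pr && out->ui &&
            out->s && out->c && out->i && out->a) ? 0 : -1;
}

/* Metric weights (CVSS v3.1 spec, table 8). */
static double w_av(char v) { return v == 'N' ? 0.85 : v == 'A' ? 0.62 : v == 'L' ? 0.55 : 0.2; }
static double w_ac(char v) { return v == 'L' ? 0.77 : 0.44; }
static double w_pr(char v, char scope)
{
    if (v == 'N') return 0.85;
    if (v == 'L') return scope == 'C' ? 0.68 : 0.62;
    return scope == 'C' ? 0.50 : 0.27;             /* PR:H */
}
static double w_ui(char v)  { return v == 'N' ? 0.85 : 0.62; }
static double w_cia(char v) { return v == 'H' ? 0.56 : v == 'L' ? 0.22 : 0.0; }

/* Roundup: smallest one-decimal value >= x, using the integer form from the
 * spec's appendix A so that floating-point noise does not flip the result. */
static double roundup(double x)
{
    long long n = (long long)(x * 100000.0 + 0.5);
    if (n % 10000 == 0) return n / 100000.0;
    return (n / 10000 + 1) / 10.0;
}

static double pow15(double b) { double r = 1.0; for (int i = 0; i < 15; i++) r *= b; return r; }

/* Base score (spec section 7.1); returns -1.0 for an unparsable vector. */
double cvss_base_score(const char *vec)
{
    struct cvss m;
    if (cvss_parse(vec, &m) != 0) return -1.0;
    double iss = 1.0 - (1.0 - w_cia(m.c)) * (1.0 - w_cia(m.i)) * (1.0 - w_cia(m.a));
    double impact = (m.s == 'C') ? 7.52 * (iss - 0.029) - 3.25 * pow15(iss - 0.02)
                                 : 6.42 * iss;
    double expl = 8.22 * w_av(m.av) * w_ac(m.ac) * w_pr(m.pr, m.s) * w_ui(m.ui);
    if (impact <= 0.0) return 0.0;
    double s = impact + expl;
    if (m.s == 'C') s *= 1.08;
    if (s > 10.0) s = 10.0;
    return roundup(s);
}

/* The vector quoted in the advisory text above. */
const char *INTEL_VECTOR = "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N";

int main(void)
{
    printf("%s -> base score %.1f\n", INTEL_VECTOR, cvss_base_score(INTEL_VECTOR));
    return 0;
}
```

Note how the vector's AV:L and PR:L pull the exploitability term down to about 1.05, which is why the score lands in the Medium band even with C:H; this is worth comparing against the "unauthenticated user via remote access" wording when deciding how to prioritise the upgrade.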

Official announcement: For detail, please refer to link –

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01109.html

CVE-2024-1086: A use-after-free vulnerability in the Linux kernel's netfilter. The IoT world remains vigilant (4 June 2024)

Preface: By default, OpenWrt builds the kernel with a useful set of netfilter capabilities for a robust router (NAT, REJECT, REDIRECT, CONNTRACK, LOG).

OpenWrt is a Linux distribution suitable for embedded devices. Currently, many embedded hardware platforms on the market use OpenWrt as their basis, such as routers, network gateways and industrial computers.

Background: Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. Netfilter offers various functions and operations for packet filtering, network address translation, and port translation, which provide the functionality required for directing packets through a network and prohibiting packets from reaching sensitive locations within a network.

Netfilter represents a set of hooks inside the Linux kernel, allowing specific kernel modules to register callback functions with the kernel’s networking stack. Those functions, usually applied to the traffic in the form of filtering and modification rules, are called for every packet that traverses the respective hook within the networking stack.

Vulnerability details: CVE-2024-1086 A use-after-free vulnerability in the Linux kernel’s netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.
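The CVE text packs the whole mechanism into one sentence: a drop verdict carrying a positive "error" is later read back as the value 1, which is what NF_ACCEPT looks like to the hook caller. The following is an added user-space model, not kernel code and not the upstream patch, that makes this visible. The three macros (NF_DROP_ERR, NF_DROP_GETERR, NF_VERDICT_MASK) mirror the definitions in include/uapi/linux/netfilter.h; hook_result, verdict_check_lenient and verdict_check_strict are simplified stand-ins for nf_hook_slow() and for the verdict validation in nft_verdict_init(), written here to contrast a mask-only check with a strict one in the spirit of the referenced fix.

```c
/* Added example (user-space model, not the kernel's code): how a "drop with
 * error" verdict is encoded and read back, and why the verdict validator must
 * reject any error payload supplied by a rule. */
#include <errno.h>
#include <stdio.h>

#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_QUEUE  3
#define NF_VERDICT_MASK 0x000000ff
/* Mirrors of the uapi macros: the errno travels in the upper 16 bits. The
 * shift is done on an unsigned value here to keep the model free of UB. */
#define NF_DROP_ERR(x)    ((int)((((unsigned)(-(x))) << 16) | NF_DROP))
#define NF_DROP_GETERR(x) (-((x) >> 16))

/* Stand-in for nf_hook_slow()'s return value: 1 = "accepted, carry on",
 * 0 or negative = "packet consumed / dropped, stop". */
int hook_result(int verdict)
{
    switch (verdict & NF_VERDICT_MASK) {
    case NF_ACCEPT:
        return 1;
    case NF_DROP: {
        int err = NF_DROP_GETERR(verdict);
        return err == 0 ? -EPERM : err;   /* kernel falls back to -EPERM */
    }
    default:
        return 0;
    }
}

/* Lenient validator (illustrative): looks only at the low byte, so a verdict
 * with a bogus error field passes as if it were a plain NF_DROP. */
int verdict_check_lenient(int code)
{
    switch (code & NF_VERDICT_MASK) {
    case NF_ACCEPT: case NF_DROP: case NF_QUEUE: return 0;
    default: return -EINVAL;
    }
}

/* Strict validator: a rule may only supply the bare verdict codes; anything
 * carrying a parameter in the upper bits is rejected with -EINVAL. */
int verdict_check_strict(int code)
{
    switch (code) {
    case NF_ACCEPT: case NF_DROP: case NF_QUEUE: return 0;
    default: return -EINVAL;
    }
}

int main(void)
{
    int bad = NF_DROP_ERR(1);   /* a "positive drop error", as in the CVE text */
    printf("NF_DROP_ERR(1) = 0x%08x, hook_result = %d (NF_ACCEPT is %d)\n",
           (unsigned)bad, hook_result(bad), NF_ACCEPT);
    printf("lenient check: %d, strict check: %d\n",
           verdict_check_lenient(bad), verdict_check_strict(bad));
    return 0;
}
```

hook_result(NF_DROP_ERR(1)) evaluates to 1: the packet has been dropped (and its buffer released) on the NF_DROP path, yet the caller is told the same thing it is told for NF_ACCEPT and keeps using the buffer, which is the double free the CVE describes. The strict validator closes that by refusing the parameterised verdict at rule-load time.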

Official announcement: For detail, please refer to link – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1086

About CVE-2024-36843: libmodbus v3.1.6 design weakness (3 June 2024)

Preface: Modbus is a communication protocol widely used in the field of industrial automation. It provides a standardized method for devices to communicate with each other over the network, making it an important tool for connecting and controlling various industrial equipment.

Background: libmodbus supports the following functions:

  • Supports Modbus-RTU and Modbus-TCP
  • Supports common function codes, such as 01/02/03/04/05/06/07/0F/10/11/16/17
  • Supports coil reading and writing, register reading and writing, discrete input reading, etc.
  • Supports broadcast address 0 and slave addresses 1-247
  • Supports floating-point and integer data conversion, big-endian and little-endian modes, etc.
  • Parameters are designed according to the official standard document Modbus_Application_Protocol_V1_1b.pdf, such as the maximum number of coils and registers that can be read or written
  • The source code is written in C, which makes porting to various platforms convenient, with only 11 files.

Vulnerability details: libmodbus v3.1.6 was discovered to contain a heap overflow via the modbus_mapping_free() function.
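The background list mentions that libmodbus sizes its parameters from Modbus_Application_Protocol_V1_1b (maximum coils and registers per request), and the vulnerability is a heap overflow. The following is an added example in C, written for this page and not taken from libmodbus, showing the checks a Modbus/TCP server has to apply to an incoming request before it indexes its mapping: the MBAP length field must agree with the bytes received, the protocol id must be 0, the quantity must stay within the spec limits (2000 bits for FC 01/02, 125 registers for FC 03/04), and start+quantity must fit the mapping. The frame bytes are constructed for the demonstration; mb_parse_request, mb_check and the struct are invented names.

```c
/* Added example, not libmodbus code: bounds-checked parsing of a Modbus/TCP
 * read request. Limits come from Modbus_Application_Protocol_V1_1b. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MBAP_LEN      7      /* transaction(2) protocol(2) length(2) unit(1) */
#define MAX_READ_BITS 2000   /* FC 01 / 02 */
#define MAX_READ_REGS 125    /* FC 03 / 04 */

struct mb_request {
    uint16_t transaction, start, quantity;
    uint8_t  unit, function;
};

/* Returns 0 and fills *req on success; a negative code names the failure:
 * -1 frame too short, -2 not Modbus, -3 MBAP length disagrees with the frame,
 * -4 PDU size wrong for this function, -5 quantity out of spec, -6 address
 * range wraps past 0xFFFF, -7 function code not handled here. */
int mb_parse_request(const uint8_t *buf, size_t len, struct mb_request *req)
{
    if (len < MBAP_LEN + 1) return -1;
    uint16_t proto = (uint16_t)((buf[2] << 8) | buf[3]);
    uint16_t mbap  = (uint16_t)((buf[4] << 8) | buf[5]);  /* bytes after the length field */
    if (proto != 0) return -2;
    if ((size_t)mbap + 6 != len) return -3;
    req->transaction = (uint16_t)((buf[0] << 8) | buf[1]);
    req->unit     = buf[6];
    req->function = buf[7];
    switch (req->function) {
    case 0x01: case 0x02: case 0x03: case 0x04:
        if (len != MBAP_LEN + 5) return -4;                 /* FC + start + quantity */
        req->start    = (uint16_t)((buf[8]  << 8) | buf[9]);
        req->quantity = (uint16_t)((buf[10] << 8) | buf[11]);
        if (req->quantity == 0) return -5;
        if (req->function <= 0x02 && req->quantity > MAX_READ_BITS) return -5;
        if (req->function >= 0x03 && req->quantity > MAX_READ_REGS) return -5;
        if ((uint32_t)req->start + req->quantity > 0x10000) return -6;
        return 0;
    default:
        return -7;
    }
}

/* Server-side gate: parse, then confirm the request fits a mapping with
 * map_size entries (coils or registers). 0 = safe to serve; negative =
 * reject, with -8 meaning "valid request but outside this mapping". */
int mb_check(const uint8_t *buf, size_t len, uint16_t map_size)
{
    struct mb_request r;
    int rc = mb_parse_request(buf, len, &r);
    if (rc != 0) return rc;
    return ((uint32_t)r.start + r.quantity <= map_size) ? 0 : -8;
}

/* Constructed frames: a read of 10 holding registers at address 0; the same
 * request claiming 0x7FFF registers; and one whose MBAP length field lies. */
const uint8_t GOOD[]   = {0x00,0x01, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0x00, 0x00,0x0A};
const uint8_t HUGE[]   = {0x00,0x02, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0x00, 0x7F,0xFF};
const uint8_t BADLEN[] = {0x00,0x03, 0x00,0x00, 0x00,0x20, 0x01, 0x03, 0x00,0x00, 0x00,0x0A};

int main(void)
{
    printf("good   (16-register map): %d\n", mb_check(GOOD,   sizeof GOOD,   16));
    printf("good   (8-register map):  %d\n", mb_check(GOOD,   sizeof GOOD,   8));
    printf("huge quantity:            %d\n", mb_check(HUGE,   sizeof HUGE,   65535));
    printf("lying MBAP length:        %d\n", mb_check(BADLEN, sizeof BADLEN, 16));
    return 0;
}
```

The -8 case is the one that matters for a mapping allocated on the heap: a request that is valid per the protocol can still exceed the size this particular server allocated, so the spec limit and the allocation size are two separate checks, and both must run before any read or write into the mapping.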

Official announcement: For detail, please refer to link – https://www.tenable.com/cve/CVE-2024-36843