CVE-2024-23935: Car owners should be vigilant! (30th Sep 2024)

Preface: ISO/SAE 21434 describes Threat Analysis and Risk Assessment (TARA) to assess the cybersecurity risks in the product. ISO/SAE 21434 stresses the importance of executive management’s commitment to cybersecurity by providing specific guidelines for those responsibilities.

Background: The iLX-F905D Alpine Halo9 is the second generation of the Halo product line, featuring a 9-inch high-resolution WXGA touchscreen that is compatible with virtually any vehicle with a 1DIN or 2DIN mounting base. Halo9 capable wireless Apple CarPlay and Android Auto (wired) compatibility, DAB+ digital radio, USB video playback, Hi-Res Audio playback, Bluetooth hands-free and audio streaming.

Vehicle Data-bus Connection – If your car is equipped with parking sensors and, you can continue to use these convenient functions with your iLX-F905D. Alpine offers many vehicle data-bus interfaces to connect your Alpine Halo9 to your vehicle’s data-bus system. This enables compatibility with your vehicle’s steering wheel control buttons, display of air conditioning settings as well parking sensor display.

Vulnerability details: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Alpine Halo9 devices. An attacker must first obtain the ability to pair a malicious Bluetooth device with the target system in order to exploit this vulnerability.

The specific flaw exists within the DecodeUTF7 function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.

Official announcement: Please refer to the vendor announcement for details – https://www.zerodayinitiative.com/advisories/ZDI-24-848/

CVE-2024-0132: About NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability (25th Sep 2024)

Preface: In software development, time-of-check to time-of-use (TOCTOU, TOCTTOU or TOC/TOU) is a class of software bugs caused by a race condition involving the checking of the state of a part of a system (such as a security credential) and the use of the results of that check.

Background: The NVIDIA container stack is architected so that it can be targeted to support any container runtime in the ecosystem. The components of the stack include:

-The NVIDIA Container Runtime (nvidia-container-runtime)

-The NVIDIA Container Runtime Hook (nvidia-container-toolkit / nvidia-container-runtime-hook)

-The NVIDIA Container Library and CLI (libnvidia-container1, nvidia-container-cli)

The components of the NVIDIA container stack are packaged as the NVIDIA Container Toolkit.

The NVIDIA Container Toolkit is a key component in enabling Docker containers to leverage the raw power of NVIDIA GPUs. This toolkit allows for the integration of GPU resources into your Docker containers.

Vulnerability details: NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

Official announcement: Please refer to the vendor announcement for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5582

CVE-2024-41445: Library MDF (mdflib) v2.1 is vulnerable to a heap-based buffer overread (25-09-2024)

Preface: What is an MF4/MDF4 file? Measurement Data Format version 4 (MDF 4) is a standard file format by ASAM used by the automotive industry for storing measurement data in binary file format. It records CAN, CAN FD, LIN bus data, sensor data from an engine control unit (ECU), offering interoperability across many CAN tools.

Background: MF4 (aka MDF or Measurement Data Format) is a popular CAN bus log file format. It was designed for use in the automotive industry, primarily for the areas of ECU development, Calibration and testing.

What is ECU development? The development of an ECU involves both hardware and software required to perform the functions expected from that particular module. Automotive ECU’s are being developed following the V-model.

Can I use the MDF-LIB freely? Yes, the lib was created to encourage all software developers to use the MDF4 format.

Vulnerability details: Library MDF (mdflib) v2.1 is vulnerable to a heap-based buffer overread via a crafted mdf4 file is parsed using the ReadData function.

Official announcement: Please refer to the vendor announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2024-41445

CVE-2024-39928: Vulnerability in Apache Linkis – Spark EngineConn (25-09-2024)

Preface: Apache Linkis is a computation middleware that acts as a layer between upper-level applications and underlying engines, such as Apache Spark, Apache Hive and Apache Flink. It started as an Apache Incubator project in 2021 and graduated to a Top Level Project in January 2023.

Background: Linkis provides standardized interfaces (REST, JDBC, WebSocket etc.) to easily connect to various underlying engines (Spark, Presto, Flink, etc.), and acts as a proxy between the upper applications layer and underlying engines layer.

Ref: Py4J is a popularly library integrated within PySpark that lets python interface dynamically with JVM objects (RDD’s). Apache Spark comes with an interactive shell for python as it does for Scala. The shell for python is known as “PySpark”. To use PySpark you will have to have python installed on your machine.

Vulnerability details: In Apache Linkis <= 1.5.0, a Random string security vulnerability in Spark EngineConn, random string generated by the Token when starting Py4j uses the Commons Lang’s RandomStringUtils.

Remedy: Users are recommended to upgrade to version 1.6.0, which fixes this issue.

Official announcement: Please refer to the vendor announcement for details – https://lists.apache.org/thread/g664n13nb17rsogcfrn8kjgd8m89p8nw

CVE-2024-41721 – Critical vulnerability affecting FreeBSD’s bhyve hypervisor (24-09-2024)

Preface: Today, FreeBSD is used by many IT companies such as IBM, Nokia, Juniper Networks, and NetApp to build their products.

Background: bhyve, pronounced “beehive” is a hypervisor/virtual machine manager for FreeBSD that supports a wide range of guest operating systems on Intel and AMD processors that support the “POPCNT” (POPulation Count) feature, and experimentally ARM64/aarch64 processors that support the gic0: <ARM Generic Interrupt Controller v3.0> feature (visible in dmesg(8)).

bhyve supports multiple storage and networking back-ends, UEFI, FreeBSD loader, and GRUB booting, PCI Pass-Through (PPT), integrated VNC and 9pfs servers, and many more features.

As of 14.0-RELEASE, bhyve supports TPM passthrough and TPM emulation

Vulnerability details: An insufficient boundary validation in the USB code could lead to an out-of-bounds read on the heap, which could potentially lead to an arbitrary write and remote code execution.

Official announcement: Please refer to the vendor announcement for details – https://www.tenable.com/cve/CVE-2024-41721

CVE-2024-8612: A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-crypto devices. (23-09-2024)

Preface: When you got a valid non-NULL pointer to a memory address returned by malloc(), only the requested size of memory is allocated to your process and you’re allowed to use (read and / or write) into that much space only.

Background: When you launch a KVM-based guest, most often you would see QEMU doing the major user space heavy-lifting by providing a PC-like environment—it handles guest memory management, network cards, emulated storage devices, and so forth.

When using QEMU, all I/O travels through a single queue, which can affect performance.

Vulnerability details: In the virtio-scsi, virtio-blk, and virtio-crypto devices. The size for virtqueue_push as set in virtio_scsi_complete_req / virtio_blk_req_complete / virito_crypto_req_complete could be larger than the true size of the data which has been sent to guest.

Once virtqueue_push() finally calls dma_memory_unmap to ummap the in_iov, it may call the address_space_write function to write back the data. Some uninitialized data may exist in the bounce.buffer, leading to an information leak

Ref: A bounce buffer resides in memory low enough for a device to copy from and write data to. It is then copied to the desired user page in high memory. This additional copy is undesirable, but unavoidable. Pages are allocated in low memory which are used as buffer pages for DMA to and from the device.

This CVE only low risk vulnerability. However, but should staying alert.

Official announcement: Please refer to the vendor announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2024-8612

CVE-2024-8375: A vulnerability has been found in Google Deepmind Reverb object deserialization. (20-09-2024)

Preface: As companies and researchers leave Tensorflow and move to PyTorch, Google seems interested in moving its products to JAX to solve some of Tensorflow’s pain points, such as the complexity of the API and the complexity of training in custom chips such as TPUs.

PyTorch optimizes performance by taking advantage of Python’s native support for asynchronous execution. In TensorFlow, you have to manually code and fine-tune every operation to be performed on a specific device to allow for decentralized training.

Background: TensorFlow is open-source Python library designed by Google to develop Machine Learning models and deep learning neural networks.

Reverb is an efficient and easy-to-use data storage and transport system designed for machine learning research. Reverb is primarily used as an experience replay system for distributed reinforcement learning algorithms but the system also supports multiple data structure representations such as FIFO, LIFO, and priority queues.

Vulnerability details: This is a retroactive issue for the already-fixed security vulnerability. The Reverb Server stores Tensors represented by protos. These protos contain type information as well as a string field called “tensor_content”. When the Reverb client communicates with the server, it unpacks these protos by turning them back into tensors.

Reverb supports the VARIANT datatype, which is supposed to represent an arbitrary object in C++. When a tensor proto of type VARIANT is unpacked, memory is first allocated to store the entire tensor, and a ctor is called on each instance. Afterwards, Reverb copies the content in tensor_content to the previously mentioned pre-allocated memory, which results in the bytes in tensor_content overwriting the vtable pointers of all the objects which were previously allocated.

Reverb exposes 2 relevant gRPC endpoints: InsertStream and SampleStream. By default, neither is authenticated and there is no authorization. The attacker can insert this stream into the server’s database, then when the client next calls SampleStream they will unpack the tensor into RAM, and when any method on that object is called (including its destructor) the attacker gains control of the Program Counter.

Official announcement: Please refer to the vendor announcement for details – https://www.tenable.com/cve/CVE-2024-8375

CVE-2024-45523 Resource Leak in Bravura Security Fabric API After a Failed Login Attempt (19-09-2024)

Preface: Originally founded in 1992 as M-Tech Information Technology, acquired by Hitachi, Ltd. in 2008, and acquired by the Volaris Group in 2022, Bravura Security, Inc is a leading provider of identity, privileged access, password, and passwordless solutions. Bravura Security Fabric brings together all the benefits of SaaS plus IAM & PAM into one comprehensive solution.

Background: The API Service (idapi) enables client programs to access Bravura Security Fabric workflow and provisioning features programmatically. Client programs communicate with the service using:

SOAP (Simple Object Access Protocol) – Some organizations use the SOAP API to build their own customized front-end to Bravura Security Fabric.

Vulnerability details: An issue was discovered in Bravura Security Fabric versions 12.3.x before 12.3.5.32784, 12.4.x before 12.4.3.35110, 12.5.x before 12.5.2.35950, 12.6.x before 12.6.2.37183, and 12.7.x before 12.7.1.38241. An unauthenticated attacker can cause a resource leak by issuing multiple failed login attempts through API SOAP.

Official announcement: Please refer to the vendor announcement for details –

https://www.bravurasecurity.com/cve-2024-45523-resource-leak-in-api-after-a-failed-login-attempt

CVE-2024-39926 – Vaultwarden is also plagued by XSS (17th Sep 2024)

Preface: Enables Vaultwarden’s built-in HTTPS functionality (via the Rocket web framework). Rocket’s HTTPS implementation is relatively immature and has limited functionality.

Rocket is a web framework written in Rust. It supports HTTP requests, Web Sockets JSON, templating and more. Its design was inspired by Rails, Flask, Bottle, and Yesod.

Background: Vaultwarden is an unofficial Bitwarden server implementation written in Rust that is compatible with the official Bitwarden client, making it ideal for resource-intensive self-hosted deployments where you don’t want to run the official Bitwarden client.

Vaultwarden implements the Bitwarden APIs required for most functionality, including: Web interface (equivalent to https://vault.bitwarden.com/), Event Logs, Password sharing and access control..etc

Vulnerability details: An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A stored cross-site scripting (XSS) or, due to the default CSP, HTML injection vulnerability has been discovered in the admin dashboard. This potentially allows an authenticated attacker to inject malicious code into the dashboard, which is then executed or rendered in the context of an administrator’s browser when viewing the injected content. However, it is important to note that the default Content Security Policy (CSP) of the application blocks most exploitation paths, significantly mitigating the potential impact.

Official announcement: Please refer to the vendor announcement for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-39926

In the Linux kernel, the CVE-2024-46713 vulnerability has been resolved. The AUX buffer is strictly a sub-buffer, serialize using aux_mutex to avoid complications.  (16Sep 2024)

Preface: A mutex is a mutual exclusion lock. Only one thread can hold the lock. Mutexes are used to protect data or other resources from concurrent access. A mutex has attributes, which specify the characteristics of the mutex.

Background: During the boot process, the console provides a lot of important information about the initial phase of the system startup. To avoid loss of the early messages the kernel utilizes what is called a ring buffer. This buffer stores all messages, including boot messages, generated by the printk() function within the kernel code. The messages from the kernel ring buffer are then read and stored in log files on permanent storage, for example, by the syslog service. The buffer mentioned above is a cyclic data structure which has a fixed size, and is hard-coded into the kernel.

Vulnerability details: In the Linux kernel, the following vulnerability has been resolved: perf/aux: Fix AUX buffer serialization Ole reported that event->mmap_mutex is strictly insufficient to serialize the AUX buffer, add a per RB mutex to fully serialize it. Note that in the lock order comment the perf_event::mmap_mutex order was already wrong, that is, it nesting under mmap_lock is not new with this patch.

Official announcement: Please refer to the vendor announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2024-46713