Preface: What is a malformed URI? The JavaScript exception “malformed URI sequence” occurs when URI encoding or decoding wasn’t successful.
Background: URI definition. In computer terms, a Uniform Resource Identifier (URI) is a string used to identify a network resource by name. This identifier lets users interact with any resource (local or on the Internet) through specific protocols.
A URI is either an absolute URI, whose scheme-specific part begins with a slash character, or a relative URI, that is, a URI that does not specify a scheme.
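The "malformed URI sequence" exception above comes from the two checks the engine makes while percent-decoding. As an added example (not code from the original post), a strict decoder that reports malformed input as a null result, and a wrapper that keeps URIError from escaping into request handling; it assumes Node.js 18+ and constructs its own sample inputs.

```javascript
// Added example, not code from the original post: why decodeURIComponent()
// raises URIError ("malformed URI sequence") and how to decode untrusted
// query parameters without letting that exception escape. Assumes Node.js 18+.

// Strict percent-decoder that returns null instead of throwing. It applies the
// same two rules decodeURIComponent enforces: every '%' must be followed by two
// hex digits, and the resulting bytes must form valid UTF-8.
function strictPercentDecode(input) {
  const bytes = [];
  for (let i = 0; i < input.length; ) {
    if (input[i] !== '%') {
      // Unescaped character: append its UTF-8 encoding (handles astral code points).
      const cp = input.codePointAt(i);
      bytes.push(...Buffer.from(String.fromCodePoint(cp), 'utf8'));
      i += cp > 0xffff ? 2 : 1;
      continue;
    }
    const hex = input.slice(i + 1, i + 3);
    if (!/^[0-9a-fA-F]{2}$/.test(hex)) return null; // truncated or non-hex escape
    bytes.push(parseInt(hex, 16));
    i += 3;
  }
  try {
    // fatal: true makes the decoder throw on invalid UTF-8 (e.g. a lead byte
    // without its continuation byte), which is the other case the engine rejects.
    return new TextDecoder('utf-8', { fatal: true }).decode(Uint8Array.from(bytes));
  } catch {
    return null;
  }
}

// Thin wrapper over the built-in: turns URIError into a null result so a
// malformed parameter is treated as bad input, not an unhandled exception.
function safeDecodeURIComponent(input) {
  try {
    return decodeURIComponent(input);
  } catch (e) {
    if (e instanceof URIError) return null;
    throw e;
  }
}

// Constructed inputs: one valid escape and three malformed sequences.
const SAMPLES = {
  valid: 'caf%C3%A9',     // decodes to "café"
  truncated: 'a%E0%A4%A', // final escape has only one hex digit
  badUtf8: '%C3%28',      // 0xC3 needs a continuation byte; 0x28 is not one
  lonePercent: '100%',    // '%' with no hex digits at all
};
```

Both functions agree on every sample, so the strict decoder can be used where a null result is preferable to catching exceptions.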
Vulnerability details: In scheme of Uri.java, there is a possible way to craft a malformed Uri object due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Official announcement: Please refer to the vendor announcement for details –
Preface: In session hijacking, an attacker gets hold of a valid user session to gain unauthorized access to the account. This is typically done through three methods:
Brute force: The attacker keeps trying session IDs until they are successful.
Calculation: If the session IDs are generated in a non-random manner, the attacker can calculate them.
Theft: The attacker acquires the session ID through techniques like session sniffing, session fixation, and cross-site scripting.
Background: FortiSOAR helps IT/OT security teams thwart attacks by centralizing incident management and automating the myriad of analyst activities required for effective threat investigation and response.
Vulnerability details: An improper authorization vulnerability [CWE-285] in the change-password endpoint of FortiSOAR versions 7.4.0 through 7.4.3, 7.3.0 through 7.3.2, 7.2.0 through 7.2.2 and 7.0.0 through 7.0.3 may allow an authenticated attacker to brute-force users' and administrators' passwords via crafted HTTP requests.
Official announcement: Please refer to the vendor announcement for details –
Preface: A stack is not flexible: the memory size allotted cannot be changed. A heap is flexible, and the allotted memory can be altered.
Background: Escargot is a memory-optimized JavaScript engine for mid-range devices such as mobile phones, tablets and TVs. It is written in C++ and released under the GNU Lesser General Public License v2.1. Memory efficiency: the engine is designed with memory constraints in mind, making it suitable for devices with limited RAM and storage. Performance optimization: Escargot implements various optimization techniques to ensure fast execution of JavaScript code, even on low-power devices.
Vulnerability details: Heap-based Buffer Overflow vulnerability in Samsung Open Source Escargot JavaScript engine allows Overflow Buffers. This issue affects Escargot: 4.0.0.
Ref: The memory allocated by malloc() includes not only the user-requested block but also the data used to manage the heap (the size of the block, pointers to other blocks and the like). The vulnerability is that a heap variable can be overflowed to overwrite that management data.
Official announcement: Please refer to the vendor announcement for details –
Preface: In computer programming, transient is a property of any element in the system that is temporary. The term applies to transient applications.
Background: In-band discovery is used for communication between 6 GHz devices. There are three in-band discovery methods. Fast Initial Link Setup (FILS) and Unsolicited Probe Response (UPR) frames are passive in-band discovery methods; an access point uses either FILS or UPR, not both at the same time. The 6 GHz discovery frame is only required when 6 GHz is the only operable radio frequency band. Preferred Scan Channel (PSC) is an active in-band discovery method: wireless clients only probe PSC channels, and non-PSC channels are scanned only when they are learned from the Reduced Neighbor Report (RNR).
Vulnerability details: Transient DOS while parsing MBSSID during new IE generation in beacon/probe frame when IE length check is either missing or improper.
Ref: The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
Preface: Veeam ONE agent is a component that enables communication with Veeam Backup & Replication servers, performs collection of logs, and sends remediation commands. It is recommended to install Veeam ONE agent to improve data collection performance in large-scale Veeam Backup & Replication infrastructures.
Background: Veeam ONE supports two deployment scenarios:
• All-in-one
The all-in-one deployment scenario is ideal if you want to consolidate the entire product functionality in one place by installing all product architectural components on a single machine. This scenario is preferable for small- to medium-scale deployments.
• Custom
The custom deployment scenario is more suitable if you want to separate client/server roles and install product architectural components on different machines. This scenario is recommended for large-scale deployments.
Vulnerability details: A vulnerability that allows an attacker in possession of the Veeam ONE Agent service account credentials to perform remote code execution on the machine where the Veeam ONE Agent is installed.
Preface: The world's first web-speed, internet-scale public blockchain. At the virtual event launching Sodium on September 30, 2022, the DFINITY Foundation will launch the Network Nervous System, an open algorithmic governance system that controls the Internet Computer. The event will also showcase in-depth technical material on advanced cryptography, consensus protocols, and token economics.
Background: Inter-canister calls can be used to update information between two or more canisters.
ic-cdk : Inter-canister calls for the ICRC-1 ledger.
ledger-icrc-js : A library for interfacing with ICRC-1 ledger on the Internet Computer.
When you deploy the WebAssembly module that contains your program on the Internet Computer blockchain, the program is executed inside a conceptual computational unit called a canister. Canisters can be developed in various programming languages.
With respect to update calls, canisters are “software actors” and may only contain a single thread of execution at any time, obviating the need for concurrency primitives such as mutexes. However, when update calls block on cross-canister calls to other canisters, other update calls can be started or continued, allowing for interleaving.
Ref: In most cases, you use dfx canister subcommands after you compile a program to manage the canister lifecycle and to perform key tasks such as calling program functions. The basic syntax for running dfx canister commands is: dfx canister <subcommand> [options]
Vulnerability details: When a canister method is called via ic_cdk::call*, a new Future, CallFuture, is created and can be awaited by the caller to get the execution result. Internally, the state of the Future is tracked and stored in a struct called CallFutureState. A bug in the polling implementation of the CallFuture allows multiple references to be held to this internal state, and not all of them were dropped before the Future is resolved. Because unaccounted references remain held, a copy of the internal state ends up persisted in the canister's heap, causing a memory leak.
Impact: Canisters built in Rust with ic_cdk and ic_cdk_timers are affected. If these canisters call a canister method, use timers or heartbeat, they will likely leak a small amount of memory on every such operation. In the worst case, this could lead to heap memory exhaustion triggered by an attacker.
Preface: The AMD Radeon Instinct™ MI50 server accelerator, designed on the world's first 7nm FinFET process technology, brings customers a full feature set based on the industry's newest technologies. The MI50 is AMD's workhorse accelerator offering, ideal for large-scale deep learning. Delivering up to 26.5 TFLOPS of native half-precision (FP16) or up to 13.3 TFLOPS single-precision (FP32) peak floating-point performance with INT8 support, combined with 16GB or 32GB of high-bandwidth HBM2 ECC memory, the AMD Radeon Instinct™ MI50 brings customers the finely balanced performance needed for enterprise-class, mid-range compute capable of training complex neural networks for a variety of demanding deep learning applications in a cost-effective design.
Background: The drm/amdgpu driver supports all AMD Radeon GPUs based on the Graphics Core Next (GCN), Radeon DNA (RDNA), and Compute DNA (CDNA) architectures.
CDNA (Compute DNA) is a compute-centered graphics processing unit (GPU) microarchitecture designed by AMD for datacenters.
AMD CDNA architecture is supported by AMD ROCm™, an open software stack that includes a broad set of programming models, tools, compilers, libraries, and runtimes for AI and HPC solution development targeting AMD Instinct accelerators.
Vulnerability details: In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Forward soft recovery errors to userspace As we discussed before[1], soft recovery should be forwarded to userspace, or we can get into a really bad state where apps will keep submitting hanging command buffers cascading us to a hard reset. 1: https://lore.kernel.org/all/bf23d5ed-9a6b-43e7-84ee-8cbfd0d60f18@froggi.es/ (cherry picked from commit 434967aadbbbe3ad9103cc29e9a327de20fdba01)
Preface: Use-after-free errors sometimes have no effect and other times cause a program to crash. It is also technically feasible for the freed memory to be re-allocated and for an attacker to use this reallocation to launch a buffer overflow attack.
Background: When the GPU returns ownership of the buffer to the CPU, the driver needs to treat imported and non-imported memory differently. The first case to consider is non-imported sub-regions at the beginning of the first page and at the end of the last page. For these sub-regions, the CPU cache shall be committed with a clean+invalidate, in order to keep the last CPU write. An imported region prefers the opposite treatment: this memory has been legitimately mapped and used by the GPU, hence GPU writes shall be committed to memory, while the CPU cache shall be invalidated to make sure that the CPU reads the correct memory content.
Vulnerability details: Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.
Impact: This issue affects Bifrost GPU Kernel Driver: from r43p0 through r49p0; Valhall GPU Kernel Driver: from r43p0 through r49p0; Arm 5th Gen GPU Architecture Kernel Driver: from r43p0 through r49p0.
Preface: Race conditions arise when multiple threads attempt to access a shared resource without proper synchronization, often leading to vulnerabilities such as concurrent use-after-free. To mitigate their occurrence, operating systems rely on synchronization primitives such as mutexes, spinlocks, etc.
Background: The Qualcomm Type 1 Hypervisor facilitates the hosting of multiple trusted execution environments for secure use cases. The figure shows the architecture of the Qualcomm Hypervisor software stack, its components, and virtual machines (VM). This figure includes an example of one guest VM using the Linux kernel.
Interprocess communication (IPC) includes shared memory, message-passing (IPC) APIs, and virtual interrupts. The ioctl function performs the generic I/O operation command on filedes. A third argument is usually present, either a single number or a pointer to a structure.
Ref: EL2 provides support for virtualization.
Vulnerability details: Use After Free in Qualcomm IPC: memory corruption while processing concurrent IOCTL calls.
Preface: When an out-of-bounds read occurs, typically the product has already made a separate mistake, such as modifying an index or performing pointer arithmetic that produces an out-of-bounds address.
Background: MediaTek JPEG Decoder is the JPEG decode hardware present in MediaTek SoCs. The JPEG decoder hardware device nodes should be added as subnodes of the main jpeg node.
The IOMMU (the SMMU in Arm terminology) can map discontiguous physical memory into a contiguous virtual address range, which is useful for many drivers.
Vulnerability details:
CVE-2024-20084 – In power, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.
CVE-2024-20085 – In power, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.