Security Bulletin: NVIDIA ConnectX and BlueField – October 2024 (CVE-2024-0105 and CVE-2024-0106) – 31st Oct 2024

Preface: Nvidia BlueField is a line of data processing units (DPUs) designed and produced by Nvidia and initially developed by Mellanox Technologies. DOCA is a consistent and essential resource across all existing and future generations of BlueField DPU and SuperNIC products.

Background: The NVIDIA cloud-native supercomputing platform leverages the NVIDIA BlueField DPU architecture, which provides high speed and low latency. The DPU enables native cloud services that let multiple users securely share resources without loss in application performance. HPC and AI communication frameworks and libraries play a critical role in determining application performance. Due to their latency- and bandwidth-sensitive nature, offloading the libraries from the host CPU or GPU to the BlueField DPU creates the highest degree of overlap for parallel progression of communication and computation.

Vulnerability details:

CVE-2024-0105 – NVIDIA ConnectX Firmware contains a vulnerability where an attacker may cause an improper handling of insufficient privileges issue. A successful exploit of this vulnerability may lead to denial of service, data tampering, and limited information disclosure.

CVE-2024-0106 – NVIDIA ConnectX Host Firmware for the BlueField Data Processing Unit (DPU) contains a vulnerability where an attacker may cause an improper handling of insufficient privileges issue. A successful exploit of this vulnerability may lead to denial of service, data tampering, and limited information disclosure.

Official announcement: Please refer to the link for details –

https://nvidia.custhelp.com/app/answers/detail/a_id/5562

About btrfs: fix uninitialized pointer free in add_inode_ref() – CVE-2024-50088 (30th Oct 2024)

Preface: The main benefit of a snapshot is that it can be created very rapidly—and frequently—allowing for a quick and straightforward way to recover files or data if something goes wrong. Data can be restored to a specific point in time when it was in a good state.

Background: Btrfs is a copy-on-write (COW) file system developed by Chris Mason. It is based on COW-friendly B-trees developed by Ohad Rodeh.

In contrast to ext4, the current (though unofficial) default Linux filesystem, Btrfs offers some features that are generally not attributed to the functionality of a filesystem, and it is popular especially in professional environments such as data centers.

Vulnerability details: The add_inode_ref() function does not initialize the “name” struct when it is declared. If any of the following calls to read_one_inode() return NULL, then “name.name” would be freed at “out” before ever being initialized.

If the pointer contains an uninitialized value, then the value might not point to a valid memory location. This could cause the product to read from or write to unexpected memory locations, leading to a denial of service.

This issue was reported by Coverity with CID 1526744.

Remark: In the Linux kernel, the above vulnerability has been resolved.
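As an added illustration (not the kernel's code), the following user-space model of the add_inode_ref() pattern shows why the missing initializer matters and what the fix changes; inode_exists() and the name_str struct are constructed stand-ins for read_one_inode() and the kernel's name struct.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the name struct in add_inode_ref(); `name` owns a heap buffer. */
struct name_str {
    char *name;
    unsigned int len;
};

/* Constructed stand-in for read_one_inode(): only inodes 256..259 "exist". */
static int inode_exists(unsigned long ino)
{
    return ino >= 256 && ino < 260;
}

/* Before the fix the declaration read `struct name_str name;` with no
 * initializer. A failed lookup jumps straight to `out`, where free(name.name)
 * runs on whatever the stack happened to hold: an invalid free that can crash
 * the kernel (CVE-2024-50088). The fix is the `= { 0 }` below, which makes
 * the error path free NULL, a defined no-op. */
static int add_inode_ref_model(unsigned long dir_ino, const char *n)
{
    struct name_str name = { 0 };   /* zero-initialized at declaration */
    int ret = 0;

    if (!inode_exists(dir_ino)) {
        ret = -ENOENT;
        goto out;                   /* name.name is NULL here */
    }
    name.len = (unsigned int)strlen(n);
    name.name = malloc(name.len + 1);
    if (!name.name) {
        ret = -ENOMEM;
        goto out;
    }
    memcpy(name.name, n, name.len + 1);
    printf("added ref %s -> dir %lu\n", name.name, dir_ino);
out:
    free(name.name);                /* NULL on the early error path */
    return ret;
}

int main(void)
{
    add_inode_ref_model(999, "orphan");        /* lookup fails: safe error path */
    return add_inode_ref_model(256, "file.txt") == 0 ? 0 : 1;
}
```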

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-50088

CVE-2024-10455 Reachable Assertion in BPv7 parser in µD3TN v0.14.0 allows attacker to disrupt service via malformed Extension Block (28 Oct 2024)

Preface: µD3TN is a free space-tested software protocol stack for delay-tolerant networks. It runs on POSIX and Linux operating systems and can easily adapt to a variety of challenging networks. The source code is available under a BSD license.

Areas of application: Car-to-X communication, offshore communication, maritime research, satellite communication and reliable one-way communication.

Background: µD3TN can be accessed by the application layer via plain IPC as well as TCP sockets. µD3TN can be operated on top of different lower-layer protocols. A generic interface, called a Convergence Layer Adapter, enables the Bundle Protocol to connect heterogeneous networks.

Vulnerability details: A BPv7 bundle with a malformed extension block can trigger an assertion failure that causes the service to terminate unexpectedly. This could be used by an attacker for launching a denial of service (DoS) attack.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-10455

Large solar storms can knock out electronics and affect the power grid. Supercomputers are also vulnerable (28th Oct 2024)

Preface: Large solar storms can knock out electronics and affect the power grid. Why? The solar wind disturbs the outer part of the Earth’s magnetic field, which undergoes a complex oscillation. This generates associated electric currents in the near-Earth space environment, which in turn generates additional magnetic field variations — all of which constitute a “magnetic storm.”

Background: Solar maximum is expected in July 2025, with a peak of 115 sunspots. “How quickly solar activity rises is an indicator on how strong the solar cycle will be,” said Doug Biesecker, Ph.D., panel co-chair and a solar physicist at NOAA’s Space Weather Prediction Center.

Official announcement: Please refer to the following URL for details https://www.weather.gov/news/201509-solar-cycle

Vulnerability details: A modern power grid consists of PLCs (programmable logic controllers), SCADA systems and electronic integrated circuits. During magnetic storms, electronic devices, especially semiconductors and integrated circuits, can be damaged through the build-up and discharge of static electric charges. If those components were damaged, the consequence would be a power outage for the city.

Ref: ESD damage occurs when accumulated electrostatic charge is discharged and causes a larger current than normal to flow in a circuit, generating heat that destroys the electronic part. In other words, ESD damage does not occur without a discharge caused by static electricity.

On 21st October 2024 Broadcom issued an update to advisory CMSA-2024-0019 stating that they had determined patches released on 17th September 2024 did not fully address CVE-2024-38812 and subsequently have issued new patches. (25-10-2024)

Preface: System-dependent IDL preprocessor variables. The following system-dependent preprocessor variables are used in building the IDL compiler. They are all defined in:

dce-root-dir/dce/src/rpc/idl/idl_compiler/sysdep.h

AUTO_HEAP_STACK_THRESHOLD defines an estimate for the maximum size of a stack in a server stub. If the IDL compiler estimates that this amount will be exceeded, objects will be allocated via malloc instead of on the stack.

Background: What is the DCERPC protocol in VMware? DCERPC (Distributed Computing Environment/Remote Procedure Call) with Microsoft extensions (MSRPC) is used to transparently execute functions on remote servers. To facilitate this process, interfaces are defined using an interface definition language (IDL).

Vulnerability details: The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.


Official announcement: Please refer to the link for details –

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968

About CVE-2024-0127 and CVE-2024-0128 (24-10-2024)

Preface: GPUs are efficient at performing parallel processing tasks, making them ideal for artificial intelligence and machine learning applications. CPUs are better suited for tasks that require single-threaded performance or large amounts of memory access.

Background: NVIDIA vGPU software can be used in several ways. Guest VMs use NVIDIA vGPUs in the same manner as a physical GPU that has been passed through by the hypervisor: an NVIDIA driver loaded in the guest VM provides direct access to the GPU for performance-critical fast paths, and a paravirtualized interface to the NVIDIA Virtual GPU Manager is used for non-performant management operations.

Each NVIDIA vGPU is analogous to a conventional GPU, having a fixed amount of GPU framebuffer, and one or more virtual display outputs or “heads”. The vGPU’s framebuffer is allocated out of the physical GPU’s framebuffer at the time the vGPU is created, and the vGPU retains exclusive use of that framebuffer until it is destroyed.

All vGPUs resident on a physical GPU share access to the GPU’s engines including the graphics (3D), video decode, and video encode engines.

Vulnerability details:

CVE-2024-0127: NVIDIA vGPU software contains a vulnerability in the GPU kernel driver of the vGPU Manager for all supported hypervisors, where a user of the guest OS can cause an improper input validation by compromising the guest OS kernel. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure.

CVE-2024-0128: NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager that allows a user of the guest OS to access global resources. A successful exploit of this vulnerability might lead to information disclosure, data tampering, and escalation of privileges.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5586

CVE-2024-50311: A denial of service (DoS) vulnerability was found in OpenShift (23rd Oct 2024)

Preface: Typical REST APIs exhibit a few issues that we can solve with GraphQL. One of the most prominent is over-fetching, which occurs when a client fetches too much data from the server. When the OpenShift Console fetches a lot of data, it leverages chunked responses introduced in k8s 1.9. Fetching is split into separate HTTP requests, which improves the responsiveness of the UI, with results shown incrementally.

Background: GraphQL is a web service technology. It is a query language and server-side runtime for application programming interfaces (APIs) that gives API clients exactly the data they requested. As an alternative to REST, GraphQL allows developers to make requests to fetch data from multiple data sources with a single API call.

GraphQL technology is becoming the new standard for communication between front-end and back-end. Get started using GraphQL in OpenShift Console 4.6.

Vulnerability details: A denial of service (DoS) vulnerability was found in OpenShift. This flaw allows attackers to exploit the GraphQL batching functionality. The vulnerability arises when multiple queries can be sent within a single request, enabling an attacker to submit a request containing thousands of aliases in one query. This issue causes excessive resource consumption, leading to application unavailability for legitimate users.
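One defensive control for the alias-batching abuse described above is to count aliases before executing a request and refuse requests over a policy limit. The scanner below is an added example, not OpenShift's own code; the limit value and the sample query are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Count field aliases in a GraphQL document. An alias is written `alias: field`
 * inside a selection set, i.e. outside parentheses. Colons inside (...) are
 * argument or variable-type separators and colons inside "..." are data, so
 * both are skipped. Block strings (""") are not modelled here. */
static size_t count_graphql_aliases(const char *q)
{
    size_t aliases = 0;
    int paren_depth = 0;
    bool in_string = false;

    for (const char *p = q; *p; p++) {
        if (in_string) {
            if (*p == '\\' && p[1]) p++;          /* skip the escaped character */
            else if (*p == '"') in_string = false;
            continue;
        }
        switch (*p) {
        case '"': in_string = true; break;
        case '(': paren_depth++; break;
        case ')': if (paren_depth > 0) paren_depth--; break;
        case ':': if (paren_depth == 0) aliases++; break;
        default: break;
        }
    }
    return aliases;
}

/* Policy gate to run before a batched query is executed: a request whose alias
 * count exceeds the limit is refused instead of being fanned out into
 * thousands of resolver calls. */
static bool graphql_request_allowed(const char *q, size_t max_aliases)
{
    return count_graphql_aliases(q) <= max_aliases;
}

/* Constructed sample: three aliased selections of the same field plus one
 * argument; only the three alias colons are counted. */
static const char *SAMPLE_QUERY =
    "{ a1: pods(namespace: \"kube:system\") { name } "
    "  a2: pods { name } a3: pods { name } }";

int main(void)
{
    printf("aliases=%zu allowed(limit 2)=%d\n", count_graphql_aliases(SAMPLE_QUERY),
           graphql_request_allowed(SAMPLE_QUERY, 2));
    return 0;
}
```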

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-50311

CVE-2024-49861: bpf (Fix helper writes to read-only maps) – 22 Oct 2024

Preface: BPF is a highly flexible and efficient virtual-machine-like construct in the Linux kernel that allows bytecode to be executed at various hook points in a safe manner. It is used in a number of Linux kernel subsystems, most prominently networking, tracing and security (e.g. sandboxing).

Background: BPF does not define itself by only providing its instruction set, but also by offering further infrastructure around it such as maps which act as efficient key / value stores, helper functions to interact with and leverage kernel functionality, tail calls for calling into other BPF programs, security hardening primitives, a pseudo file system for pinning objects (maps, programs), and infrastructure for allowing BPF to be offloaded, for example, to a network card.

Vulnerability details: This affects the check_func_arg() function of the bpf component. Manipulation with an unknown input value leads to a denial-of-service vulnerability.

In check_func_arg(), when the argument is of type ARG_PTR_TO_{LONG,INT}, meta->raw_mode is never set. Later, check_helper_mem_access(), in the case of PTR_TO_MAP_VALUE as the register base type, assumes BPF_READ for the subsequent call to check_map_access_type(), so the check succeeds even though the BPF map is read-only.

The helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT when results are written into them rather than read out of them. MEM_UNINIT indicates that it is okay to pass a pointer to uninitialized memory, as the memory is written to anyway.
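To make the flow of the access type concrete, here is an added, simplified user-space model of the three verifier functions named above; it is not the kernel's code, the function names mirror the kernel's, and the numeric values of ARG_PTR_TO_LONG, ARG_PTR_TO_INT and MEM_UNINIT are assumptions for this model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the verifier paths discussed above; names mirror the
 * kernel's, but the flag and type values are assumptions for this model. */
enum access_type { BPF_READ, BPF_WRITE };
#define ARG_PTR_TO_LONG 1u
#define ARG_PTR_TO_INT  2u
#define MEM_UNINIT      (1u << 8)  /* helper writes into the pointed-to memory */

struct bpf_map { bool read_only; };
struct call_meta { bool raw_mode; };

/* Model of check_map_access_type(): a write to a read-only map is rejected. */
static bool check_map_access_type(const struct bpf_map *map, enum access_type t)
{
    return !(map->read_only && t == BPF_WRITE);
}

/* Model of check_helper_mem_access() for a PTR_TO_MAP_VALUE base register:
 * the access type comes solely from meta->raw_mode. */
static bool check_helper_mem_access(const struct bpf_map *map,
                                    const struct call_meta *meta)
{
    return check_map_access_type(map, meta->raw_mode ? BPF_WRITE : BPF_READ);
}

/* Model of check_func_arg(): raw_mode is set only when the argument carries
 * MEM_UNINIT. A helper annotated with a bare ARG_PTR_TO_{LONG,INT} therefore
 * has its write checked as a read and is accepted for a read-only map; with
 * the fixed annotation the write is rejected. */
static bool check_func_arg(unsigned arg_type, const struct bpf_map *map)
{
    struct call_meta meta = { .raw_mode = (arg_type & MEM_UNINIT) != 0 };
    return check_helper_mem_access(map, &meta);
}

int main(void)
{
    struct bpf_map ro = { .read_only = true };
    printf("bare ARG_PTR_TO_LONG on read-only map: %s\n",
           check_func_arg(ARG_PTR_TO_LONG, &ro) ? "accepted (bug)" : "rejected");
    printf("ARG_PTR_TO_LONG | MEM_UNINIT on read-only map: %s\n",
           check_func_arg(ARG_PTR_TO_LONG | MEM_UNINIT, &ro) ? "accepted" : "rejected");
    return 0;
}
```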

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-49861

AMD’s response to a research paper: its technical details do not demonstrate any new security vulnerabilities in AMD prefetchers. (18 Oct 2024)

Preface: A hardware prefetcher is a data prefetching technique implemented as a hardware component in a processor, aimed at improving performance by fetching data before it is actually needed. Let’s take a closer look at prefetching and consider which kind of prefetching this discussion concerns.

Background: A research paper titled “ShadowLoad: Injecting State into Hardware Prefetchers” was provided to AMD in February 2024.

The paper discusses the possibility for prefetchers to be used to inject cache loads using a technique referred to as “ShadowLoad”. The technique can potentially expand the attack surface of existing attacks.

Using a framework referred to as “StrideRE”, the researchers automatically reverse engineer parameters required for hardware stride-prefetch attacks. The paper describes how this stride prefetcher can be used to leak offsets for stride patterns across contexts, possibly creating a covert channel.

Official announcement: AMD has evaluated the paper and has determined that the researchers did not identify any AMD prefetchers that have not already been publicly disclosed in the referenced Software Optimization Guide and did not identify any new security implications with AMD prefetchers.

Official details: Please refer to the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7023.html

VMware HCX resolves CVE-2024-38814 vulnerability (18-10-2024)

Preface: T-SQL is widely used in SQL Server environments. For instance, communication between an app and a SQL Server instance involves sending T-SQL statements to the server.

Background: VMware HCX streamlines migration, helps rebalance workloads, helps protect data, and optimizes disaster recovery processes for both on-premises data centers and cloud servers.

HCX Connector or Cloud Manager must be registered with vCenter Server and NSX Manager.
The registration is done through the HCX Admin UI on port 9443, and only ONE vCenter and ONE NSX can be registered at any given time.

To access HCX Admin UI Page: https://<HCX_Manager_IP>:9443

Vulnerability details: An authenticated SQL injection vulnerability in VMware HCX was privately reported to VMware. A malicious authenticated user with non-administrator privileges may be able to enter specially crafted SQL queries and perform unauthorized remote code execution on the HCX manager. 

Official announcement: Please refer to the vendor announcement for details – https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25019