CVE-2023-52922 : Fix Use-After-Free in bcm_proc_show()  (29 Nov 2024)

Preface: A use-after-free (UAF) in the Linux kernel's CAN Broadcast Manager, caught by KASAN while a process was reading the socket's /proc entry. Stay alert!

Slab use-after-free vulnerabilities occur when memory that has already been freed back to a slab cache is accessed again, often leading to unpredictable behavior or a system crash. KernelAddressSanitizer (KASAN) is a dynamic memory error detector designed to find out-of-bounds and use-after-free bugs.

Background: The Controller Area Network (CAN bus) is a message-based protocol designed to allow the Electronic Control Units (ECUs) found in today’s automobiles, as well as other devices, to communicate with each other in a reliable, priority-driven fashion.

The Broadcast Manager protocol provides a command-based configuration interface to filter and send (e.g. cyclic) CAN messages in kernel space. Filtering messages in kernel space may significantly reduce the load on an application. A BCM socket is not intended for sending individual CAN frames.

Vulnerability details: The bug was reported by KASAN, which flagged a read of freed slab memory inside bcm_proc_show(), the handler behind the per-socket file under /proc/net/can-bcm/, while a cat process was reading it:

BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 Read of size 8 at addr ffff888155846230 by task cat/7862.
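The KASAN line says what happened (a read of freed memory from the /proc show handler, triggered by cat) but not why the ordering matters. The following is an added example, not kernel code and not the upstream fix: a user-space model in which a "slab" keeps a KASAN-style shadow byte per object, the /proc entry holds a raw pointer to the socket state, and the two release orderings differ only in whether the entry is removed before or after the state is freed. The function and constant names (kmem_alloc, kasan_check_read, ENOENT_MODEL, KASAN_UAF) and the explicit interleaving with "cat" are this model's assumptions.

```c
/* Added example, not kernel code: a user-space model of the teardown
 * ordering behind a UAF in a /proc show handler such as bcm_proc_show().
 * The "slab" is a fixed pool with a KASAN-style shadow byte per object
 * (1 = live, 0 = freed); kasan_check_read() plays the role of the KASAN
 * report. The two release orderings differ only in whether the /proc entry
 * is removed before or after the socket state is freed, and the race with
 * "cat" is modelled as an explicit interleaving between the two steps. */
#include <stddef.h>
#include <stdio.h>

#define SLAB_SLOTS   4
#define ENOENT_MODEL 2        /* -ENOENT: the proc file is already gone */
#define KASAN_UAF    (-100)   /* stand-in for "BUG: KASAN: slab-use-after-free" */

struct bcm_sock {             /* per-socket state printed by the proc file */
    int ifindex;
    int nr_ops;
};

static struct bcm_sock slab[SLAB_SLOTS];
static unsigned char  shadow[SLAB_SLOTS];   /* 1 = object live, 0 = freed */

static struct bcm_sock *kmem_alloc(int ifindex, int nr_ops)
{
    for (int i = 0; i < SLAB_SLOTS; i++) {
        if (!shadow[i]) {
            shadow[i] = 1;
            slab[i].ifindex = ifindex;
            slab[i].nr_ops = nr_ops;
            return &slab[i];
        }
    }
    return NULL;
}

static void kmem_free(struct bcm_sock *bo)
{
    shadow[bo - slab] = 0;    /* poisoned: any later read is a UAF */
}

static int kasan_check_read(const struct bcm_sock *bo)
{
    return shadow[bo - slab] ? 0 : KASAN_UAF;
}

/* /proc/net/can-bcm/<pid>: the entry keeps a raw pointer to the socket. */
struct proc_entry {
    struct bcm_sock *priv;
    int registered;
};

/* The show callback, i.e. what "cat" on the proc file triggers. */
static int bcm_proc_show(const struct proc_entry *pde, char *out, size_t cap)
{
    if (!pde->registered)
        return -ENOENT_MODEL;
    int rc = kasan_check_read(pde->priv);   /* "Read of size 8 at addr ..." */
    if (rc)
        return rc;
    snprintf(out, cap, "ifindex=%d ops=%d", pde->priv->ifindex, pde->priv->nr_ops);
    return 0;
}

static void remove_proc_entry(struct proc_entry *pde)
{
    pde->registered = 0;
}

/* Socket release split in two steps so a reader can run in between.
 * Vulnerable order: free the state, then remove the proc entry.
 * Fixed order:      remove the proc entry, then free the state. */
static void release_step1(struct proc_entry *pde, int fixed)
{
    if (fixed) remove_proc_entry(pde); else kmem_free(pde->priv);
}

static void release_step2(struct proc_entry *pde, int fixed)
{
    if (fixed) kmem_free(pde->priv); else remove_proc_entry(pde);
}

/* One interleaving: release step 1, then "cat", then release step 2.
 * Returns what the reader saw: 0, -ENOENT, or the KASAN report. */
static int race_with_cat(int fixed)
{
    char line[64];
    struct proc_entry pde = { .priv = kmem_alloc(3, 2), .registered = 1 };
    release_step1(&pde, fixed);
    int rc = bcm_proc_show(&pde, line, sizeof line);
    release_step2(&pde, fixed);
    return rc;
}

/* Reference case: the file is read while the socket is still open. */
static int read_live(void)
{
    char line[64];
    struct proc_entry pde = { .priv = kmem_alloc(1, 1), .registered = 1 };
    int rc = bcm_proc_show(&pde, line, sizeof line);
    remove_proc_entry(&pde);
    kmem_free(pde.priv);
    return rc;
}

int main(void)
{
    printf("live read:           %d\n", read_live());
    printf("vulnerable ordering: %d (KASAN_UAF = %d)\n", race_with_cat(0), KASAN_UAF);
    printf("fixed ordering:      %d (-ENOENT = %d)\n", race_with_cat(1), -ENOENT_MODEL);
    return 0;
}
```

The model only captures the ordering. In the real kernel, remove_proc_entry() additionally waits for readers that are already inside the show callback to finish, which is what makes "unregister before free" sufficient rather than merely narrowing the window.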

Official announcement: Please see the link below for details –

https://nvd.nist.gov/vuln/detail/CVE-2023-52922

CVE-2024-0139 – NVIDIA Base Command Manager and Bright Cluster Manager for Linux contain an insecure temporary file vulnerability (28 Nov 2024)

Preface: NVIDIA acquired Bright Computing, maker of the Bright Cluster Manager software that controls the configuration of clustered HPC systems, including NVIDIA's own DGX servers, HGX systems built by OEMs and ODMs, and clusters from other manufacturers.

Background: NVIDIA Base Command Manager provides cluster management software for streamlining cluster provisioning, workload management, and infrastructure monitoring. It provides all the tools for deploying and managing an AI data center.

Note: Base Command Manager 10 is licensed on a per-GPU basis. This differs from the node-based licensing model of Bright Cluster Manager. Customers with active support subscriptions who use Bright Cluster Manager 9.2 or earlier can upgrade to Base Command Manager 10 by exchanging their current licenses for GPU-based Base Command Manager 10 licenses at no cost.

Slurm is an open source, fault-tolerant, and highly scalable cluster management and job scheduling system for large and small Linux clusters. It is a vital component of a parallel computer for executing parallel jobs, and it simplifies job execution by hiding the underlying complexity.

Vulnerability details: NVIDIA Base Command Manager and Bright Cluster Manager for Linux contain an insecure temporary file vulnerability. A successful exploit of this vulnerability might lead to denial of service.
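The advisory names the class (insecure temporary file) but not the component or the file involved, so the following is an added example of the class itself, not NVIDIA's code: a program that writes to a predictable name under a temp directory, beside two hardened variants, run inside a private sandbox directory where an "attacker" has planted a symlink in advance. The sandbox layout, the names victim.conf and app.tmp, and the helper names are made up for the demonstration.

```c
/* Added example, not NVIDIA's code: the insecure-temporary-file pattern
 * beside its hardened forms, run inside a private sandbox directory. The
 * "attacker" plants a symlink at the predictable temp name before the
 * program runs. open(O_CREAT|O_TRUNC) follows the link and truncates the
 * victim; open(O_CREAT|O_EXCL|O_NOFOLLOW) refuses with EEXIST; mkstemp()
 * avoids the predictable name altogether. File names are made up. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct sandbox {
    char dir[64];
    char victim[128];        /* file the attacker wants clobbered */
    char predictable[128];   /* temp name the program is known to use */
};

static int write_all(int fd, const char *data)
{
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -EIO;
}

/* Victim file with 12 bytes, then the attacker's symlink on top of the
 * predictable name. Returns 0 or a negative errno value. */
static int sandbox_init(struct sandbox *sb)
{
    strcpy(sb->dir, "/tmp/tmpfile-demo-XXXXXX");
    if (!mkdtemp(sb->dir)) {                       /* fall back to the cwd */
        strcpy(sb->dir, "./tmpfile-demo-XXXXXX");
        if (!mkdtemp(sb->dir))
            return -errno;
    }
    snprintf(sb->victim, sizeof sb->victim, "%s/victim.conf", sb->dir);
    snprintf(sb->predictable, sizeof sb->predictable, "%s/app.tmp", sb->dir);
    int fd = open(sb->victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write_all(fd, "important=1\n") != 0)
        return -EIO;
    return symlink(sb->victim, sb->predictable) == 0 ? 0 : -errno;
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Vulnerable: fixed name, follows symlinks, truncates whatever it finds. */
static int write_temp_insecure(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    return fd < 0 ? -errno : write_all(fd, data);
}

/* Hardened: create-only and never through a symlink, so anything the
 * attacker planted at the name surfaces as EEXIST instead of being used. */
static int write_temp_secure(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    return fd < 0 ? -errno : write_all(fd, data);
}

/* Hardened alternative: unpredictable name from mkstemp(), which opens
 * with O_CREAT|O_EXCL and mode 0600; the chosen path is returned in out. */
static int write_temp_mkstemp(const char *dir, const char *data, char *out, size_t cap)
{
    snprintf(out, cap, "%s/app.XXXXXX", dir);
    int fd = mkstemp(out);
    return fd < 0 ? -errno : write_all(fd, data);
}

static void sandbox_destroy(const struct sandbox *sb, const char *extra)
{
    if (extra && *extra)
        unlink(extra);
    unlink(sb->predictable);
    unlink(sb->victim);
    rmdir(sb->dir);
}

int main(void)
{
    struct sandbox sb;
    char tmp[128] = "";
    if (sandbox_init(&sb) != 0) { perror("sandbox_init"); return 1; }
    printf("victim before: %ld bytes\n", file_size(sb.victim));
    int rc = write_temp_insecure(sb.predictable, "12345\n");
    printf("insecure: rc=%d, victim now %ld bytes\n", rc, file_size(sb.victim));
    rc = write_temp_secure(sb.predictable, "12345\n");
    printf("secure:   rc=%d (-EEXIST=%d)\n", rc, -EEXIST);
    rc = write_temp_mkstemp(sb.dir, "12345\n", tmp, sizeof tmp);
    printf("mkstemp:  rc=%d at %s\n", rc, tmp);
    sandbox_destroy(&sb, tmp);
    return 0;
}
```

The insecure variant succeeds and silently rewrites victim.conf through the symlink; whether that is a denial of service or something worse depends on what the clobbered file is. The secure variant fails closed with EEXIST, which is the signal a daemon should log and alert on. Note that the sandbox is a private 0700 directory; the kernel's fs.protected_symlinks sysctl only restricts symlink following in world-writable sticky directories such as /tmp itself, so do not rely on it as the fix.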

Official announcement: Please see the link below for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5600

CVE-2024-0130: About design weakness on NVIDIA UFM Enterprise, UFM Appliance, and UFM CyberAI (27 Nov 2024)

Preface: Artificial intelligence is spreading into every industry, and the HPC supercomputers behind it are no longer confined to a single region; some are even distributed across a blockchain network. Whatever the topology, the fabric manager sits at the centre of it.

Background: In today's high-performance computing (HPC) landscape, network interconnect technology is essential for linking compute nodes and ensuring efficient data transfer. Among interconnect technologies, NVIDIA's NVLink and InfiniBand each offer distinct advantages for specific use cases.

UFM (Unified Fabric Manager) Server is a server on which UFM is installed and has complete visibility over the fabric to manage routing on all devices.

NVIDIA® UFM® Cyber-AI is packaged as a tar file. The tar file consists of several Docker images and an installation script. The script loads the Docker images and creates a UFM Cyber-AI service. UFM Cyber-AI should be installed on the UFM Cyber-AI appliance.

In addition to the REST API used for Cyber AI management, Cyber AI software provides several command-line tools (CLI) for managing the Cyber AI system.

Vulnerability details: NVIDIA UFM Enterprise, UFM Appliance, and UFM CyberAI contain a vulnerability where an attacker can cause an improper authentication issue by sending a malformed request through the Ethernet management interface. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, denial of service, and information disclosure.

Official announcement: Please see the link below for details –

https://nvidia.custhelp.com/app/answers/detail/a_id/5584

CVE-2024-52811 : Fix heap buffer overflow writing not validated ACK to qlog (25 Nov 2024)

Preface: Most of Google's traffic already goes through QUIC. Several other well-known companies have also developed their own implementations, including Microsoft, Facebook, Cloudflare, Mozilla, Apple and Akamai.

Background: By combining the best of TCP and UDP with built-in encryption and better handling of modern network conditions, QUIC is set to become the foundation of faster, more secure and more reliable internet experiences. The ngtcp2 project is an effort to implement the RFC 9000 QUIC protocol in C.

Vulnerability details: The ngtcp2 project is an effort to implement IETF QUIC protocol in C. In affected versions acks are not validated before being written to the qlog leading to a buffer overflow.

In `ngtcp2_conn::conn_recv_pkt`, new logic was added to skip `conn_recv_ack` for an ACK frame if an ACK has already been processed in the same payload. However, this also skips `ngtcp2_pkt_validate_ack`, while the skipped ACK is still written to qlog.

The bug occurs in `ngtcp2_qlog::write_ack_frame`. It is now reachable with an invalid ACK; suppose `largest_ack=0` and `first_ack_range=15`. Computing `largest_ack - first_ack_range` underflows to a value whose decimal representation is 20 characters long. However, the ngtcp2 qlog code assumes the number written is a signed integer and only accounts for 19 characters of overhead (see `NGTCP2_QLOG_ACK_FRAME_RANGE_OVERHEAD`).

The write therefore runs past the end of the buffer, causing a heap overflow. This is high priority and could affect many users who enable qlog.
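The arithmetic above, as an added example that is not ngtcp2's code: the lowest packet number of an ACK's first range is `largest_ack - first_ack_range`, which is only meaningful when `first_ack_range <= largest_ack`. The example computes that value exactly as an unvalidated unsigned subtraction does, measures its decimal width against a 19-character slot (the advisory's figure, modelled here as a per-number budget rather than ngtcp2's actual overhead constant), and contrasts it with the validated path. `validate_ack`, `qlog_write_first_range`, `QLOG_NUM_BUDGET` and the result codes are this model's names.

```c
/* Added example, not ngtcp2's code: the arithmetic behind the qlog
 * overflow. An ACK frame carries largest_ack and first_ack_range; the
 * lowest packet number of the first range is largest_ack - first_ack_range,
 * meaningful only when first_ack_range <= largest_ack (RFC 9000 ACK frame
 * rules). Validation enforces that; skip it and the unsigned subtraction
 * wraps to a 20-digit value that no longer fits a slot sized for a signed
 * 64-bit integer. The 19-character budget mirrors the advisory's figure;
 * the function names and per-number slot are this model's, not ngtcp2's. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QLOG_NUM_BUDGET 19u                  /* digits of INT64_MAX: 9223372036854775807 */
#define QUIC_MAX_VARINT ((1ULL << 62) - 1)   /* largest encodable packet number */

enum { QLOG_OK = 0, QLOG_SLOT_OVERRUN = 1, ACK_REJECTED = -1 };

/* The check that frame validation performs for the first range:
 * it must not reach below packet number 0. */
static int validate_ack(uint64_t largest_ack, uint64_t first_ack_range)
{
    return first_ack_range <= largest_ack ? 0 : ACK_REJECTED;
}

static size_t decimal_len(uint64_t v)
{
    char tmp[32];
    return (size_t)snprintf(tmp, sizeof tmp, "%llu", (unsigned long long)v);
}

/* Lowest packet number of the first range, computed exactly as the
 * unvalidated path does: unsigned subtraction that wraps on underflow. */
static uint64_t first_range_low(uint64_t largest_ack, uint64_t first_ack_range)
{
    return largest_ack - first_ack_range;
}

/* Write the qlog entry for the first acked range into buf.
 * validate=0 behaves like the vulnerable path: nothing is rejected, and a
 * number wider than its QLOG_NUM_BUDGET slot is reported as
 * QLOG_SLOT_OVERRUN instead of being allowed to run past the buffer.
 * validate=1 rejects an underflowing ACK before anything is written. */
static int qlog_write_first_range(char *buf, size_t cap,
                                  uint64_t largest_ack, uint64_t first_ack_range,
                                  int validate)
{
    if (validate && validate_ack(largest_ack, first_ack_range) != 0)
        return ACK_REJECTED;

    uint64_t lo = first_range_low(largest_ack, first_ack_range);
    int overrun = decimal_len(lo) > QLOG_NUM_BUDGET ||
                  decimal_len(largest_ack) > QLOG_NUM_BUDGET;
    snprintf(buf, cap, "[%llu,%llu]", (unsigned long long)lo,
             (unsigned long long)largest_ack);
    return overrun ? QLOG_SLOT_OVERRUN : QLOG_OK;
}

int main(void)
{
    char buf[64];
    uint64_t lo = first_range_low(0, 15);
    printf("largest_ack=0 first_ack_range=15 -> lo=%llu (%zu digits)\n",
           (unsigned long long)lo, decimal_len(lo));
    printf("unvalidated write: %d -> %s\n", qlog_write_first_range(buf, sizeof buf, 0, 15, 0), buf);
    printf("validated write:   %d\n", qlog_write_first_range(buf, sizeof buf, 0, 15, 1));
    printf("largest valid packet number has %zu digits\n", decimal_len(QUIC_MAX_VARINT));
    return 0;
}
```

QUIC packet numbers are encoded as variable-length integers and so never exceed 2^62 - 1, which is 19 decimal digits. A 19-character slot is therefore correct for every value that has passed validation; the invariant only breaks when the validation step is bypassed, which is exactly what the skipped `ngtcp2_pkt_validate_ack` call did.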

Remark: qlog is disabled by default. Because of its overhead it is most likely enabled only for debugging, but how widely it is used in practice is unknown.

Remedy: ngtcp2 v1.9.1 fixes the bug and users are advised to upgrade. Users unable to upgrade should not turn on qlog.

Official announcement: Please see the link below for details – https://nvd.nist.gov/vuln/detail/CVE-2024-52811

CVE-2024-11393 – Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability (25 Nov 2024)

Preface: What is the difference between Hugging Face and transformers?

Transformers is a library that contains various state-of-the-art machine learning models, as well as a Trainer API which can be used to train them. huggingface_hub is a library for programmatically integrating with the Hugging Face Hub.

Background: Masks are often used in segmentation tasks, where they provide a precise way to isolate the object of interest for further processing or analysis.

MaskFormer is based on the DETR architecture, which uses a transformer decoder to predict masks for each object in an image. MaskFormer has been shown to be effective for both semantic segmentation and panoptic segmentation. However, it has not been as successful for instance segmentation.

Vulnerability details: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files.

Official announcement: Please see the link below for details – https://nvd.nist.gov/vuln/detail/CVE-2024-11393

CVE-2024-10382 – a code execution vulnerability in the Car App Android Jetpack Library (22 Nov 2024)

Preface: Android Auto is a platform running on the user’s phone, projecting the Android Auto user experience to a compatible in-vehicle infotainment system over a USB connection. Android Auto supports apps designed for in-vehicle use.

Background: The Android for Cars App Library lets you bring your navigation, point of interest (POI), and internet of things (IoT) apps to the car.

Interfaces in the androidx.car.app package:

OnDoneCallback – A host-side interface for handling success and failure scenarios on calls to the client.

OnRequestPermissionsListener – A listener with the results from a permissions request.

OnScreenResultListener – A listener to provide the result set by a Screen.

SurfaceCallback – A callback for changes on the SurfaceContainer and its attributes.

Vulnerability details: There exists a code execution vulnerability in the Car App Android Jetpack Library. In CarAppService, deserialization logic is used that allows arbitrary Java classes to be constructed. In combination with other gadgets, this can lead to arbitrary code execution. The attack requires an app that uses the CarAppService class to be present on the victim's Android device, and the victim must install a malicious app alongside it. We recommend upgrading the library past version 1.7.0-beta02.

Official announcement: Please see the link below for details – https://nvd.nist.gov/vuln/detail/cve-2024-10382

CVE-2024-0122: About design weakness in NVIDIA Delegated Licensing Service (21st Nov 2024)

Preface: NVIDIA Delegated License Service (DLS) is a component of NVIDIA License System that serves licenses to licensed clients. A DLS instance is hosted on-premises at a location that is accessible from your private network, such as inside your data center.

Background: For deployment in a virtual machine, the Delegated License Server (DLS) component of the NVIDIA License System is supplied as a virtual appliance. The virtual appliance must be installed on a supported hypervisor software release.

The following hypervisor software releases are supported:

Citrix Hypervisor 8.2

Linux Kernel-based Virtual Machine (KVM) hypervisors with one of the following QEMU releases:

QEMU 4.2.0

QEMU 2.12.0 (qemu-kvm-2.12.0-64.el8.2.27782638)

Microsoft Windows Server with Hyper-V 2019 Datacenter edition

Red Hat Enterprise Linux Kernel-based Virtual Machine (KVM) 9.2, 9.1, 9.0, and 8.8

Red Hat Virtualization 4.3

Ubuntu Hypervisor 22.04

VMware vSphere Hypervisor (ESXi) 8.0.3, 8.0.2, 8.0.1, 8.0, 7.0.3, 7.0.2, and 7.0.1

Supported Container Orchestration Platforms

For deployment on a supported container orchestration platform, the Delegated License Server (DLS) component of the NVIDIA License System is supplied as a containerized software image.

The following container orchestration platform releases are supported:

Docker 27.1.1 with Docker Compose 2.29.1

Kubernetes 1.23.8

Red Hat OpenShift Container Platform 4.10.67 with Kubernetes 1.23.17

Podman 4.4.2 with Podman Compose 1.0.7

VMware Tanzu Application Platform 1.1 with Kubernetes 1.23.6

Vulnerability details: CVE-2024-0122 – NVIDIA Delegated Licensing Service for all appliance platforms contains a vulnerability where an attacker may cause an unauthorized action. A successful exploit of this vulnerability may lead to partial denial of service and confidential information disclosure.

Official announcement: Please refer to the link for details

https://nvidia.custhelp.com/app/answers/detail/a_id/5570

CVE-2024-0138: NVIDIA Base Command Manager contains a missing authentication vulnerability in the CMDaemon component.

(Updated 11/18/2024 04:12 PM)

Preface and background: see the CVE-2024-0139 entry above (NVIDIA acquired Bright Computing; Base Command Manager is the cluster management software that succeeds Bright Cluster Manager).

Vulnerability details: CVE-2024-0138 – NVIDIA Base Command Manager contains a missing authentication vulnerability in the CMDaemon component. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

Official announcement: For more details please see link – https://nvidia.custhelp.com/app/answers/detail/a_id/5595

CVE-2024-52316 : Unchecked Error Condition vulnerability in Apache Tomcat (19th Nov 2024)

Preface: Apache Tomcat is one of the top technologies in Java developers’ tech stacks—and for good reason. According to the 2024 Java Developer Productivity Report, 36% of Java developers use Apache Tomcat as their application server. 

Background: Apache Tomcat (called "Tomcat" for short) is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies. Jakarta EE is the specification family, now maintained by the Eclipse Foundation, that the Tomcat servlet container implements. Jakarta Authentication defines a general low-level SPI for authentication mechanisms: controllers that interact with a caller and a container's environment to obtain the caller's credentials, validate them, and pass an authenticated identity (such as name and groups) to the container.

Vulnerability details: Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. Operators running a custom ServerAuthContext should nevertheless confirm that every exception path in it sets an explicit failure status rather than relying on the container to do so.

Affected version : This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-52316

CVE-2024-9413 – A vulnerability has been discovered in SCP-Firmware (18 Nov 2024)

Preface: The Cortex-M3 processor is specifically developed for high-performance, low-cost platforms for a broad range of devices including microcontrollers, automotive body systems, industrial control systems and wireless networking and sensors.

Background: SCP Firmware provides a software reference implementation for the System Control Processor (SCP) and Manageability Control Processor (MCP) components found in several Arm Compute Sub-Systems. Among its functions is system initialization: bringing the system up so that the application cores can boot.

Power Control System Architecture (PCSA) defines the concept of a System Control Processor (SCP), a specialized processor that abstracts power and system management tasks from the application processor.

Vulnerability details: The transport_message_handler function in SCP-Firmware release versions 2.11.0-2.15.0 does not properly handle errors, potentially allowing an Application Processor (AP) to cause a buffer overflow in System Control Processor (SCP) firmware.
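The advisory describes the class (an error that is not properly handled, letting the AP drive a buffer overflow in SCP firmware) without the details of the handler. The following is an added example of that class, not SCP-firmware code and not a reproduction of the actual bug: an AP writes a message into a shared-memory mailbox, the SCP-side handler copies the AP-declared payload length into a fixed scratch buffer, and the vulnerable handler computes the size-check error but never acts on it. The mailbox layout, the 128-byte sizes, the canary, and all names (mbx_parse, check_payload_fits, deliver, the E_* codes) are this model's assumptions.

```c
/* Added example, not SCP-firmware code: a model of the failure class behind
 * an unchecked error in a message handler. The AP writes a message into a
 * shared-memory mailbox (32-bit id, 32-bit payload length, payload); the
 * SCP copies the payload into a fixed scratch buffer. check_payload_fits()
 * reports an oversize payload; the vulnerable handler discards that result,
 * the fixed one returns early. A canary after the scratch buffer makes the
 * overflow visible. Layout, names and sizes are this model's assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCRATCH_SIZE 128                                   /* SCP fixed buffer */
#define CANARY_SIZE  128                                   /* "adjacent memory" */
#define MBX_HDR      8
#define MBX_SIZE     (MBX_HDR + SCRATCH_SIZE + CANARY_SIZE) /* AP-written mailbox */
#define CANARY_BYTE  0xA5

enum { E_OK = 0, E_SIZE = -1, E_MBX = -2, E_CANARY_SMASHED = -99 };

struct mbx_msg { uint32_t msg_id, payload_len; const uint8_t *payload; };
struct scp_scratch { uint8_t region[SCRATCH_SIZE + CANARY_SIZE]; };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32le(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

/* Transport-level parse: the only bound it enforces is the mailbox size. */
static int mbx_parse(const uint8_t *mbx, size_t mbx_len, struct mbx_msg *out)
{
    if (mbx_len < MBX_HDR)
        return E_MBX;
    out->msg_id = rd32le(mbx);
    out->payload_len = rd32le(mbx + 4);          /* attacker (AP) controlled */
    if (out->payload_len > mbx_len - MBX_HDR)
        return E_MBX;
    out->payload = mbx + MBX_HDR;
    return E_OK;
}

/* Handler-level check: does the payload fit the scratch buffer? */
static int check_payload_fits(const struct mbx_msg *m, size_t cap)
{
    return m->payload_len <= cap ? E_OK : E_SIZE;
}

static int scratch_canary_intact(const struct scp_scratch *s)
{
    for (size_t i = 0; i < CANARY_SIZE; i++)
        if (s->region[SCRATCH_SIZE + i] != CANARY_BYTE)
            return 0;
    return 1;
}

/* Vulnerable: the size check runs, but its error is thrown away. */
static int handle_unchecked(const struct mbx_msg *m, struct scp_scratch *s)
{
    (void)check_payload_fits(m, SCRATCH_SIZE);   /* result ignored */
    memcpy(s->region, m->payload, m->payload_len);
    return E_OK;
}

/* Fixed: the error is propagated and nothing is copied. */
static int handle_checked(const struct mbx_msg *m, struct scp_scratch *s)
{
    int rc = check_payload_fits(m, SCRATCH_SIZE);
    if (rc != E_OK)
        return rc;
    memcpy(s->region, m->payload, m->payload_len);
    return E_OK;
}

/* Deliver one constructed message ('A' payload, AP-chosen length) through a
 * handler; returns its result, or E_CANARY_SMASHED if the copy overflowed. */
static int deliver(uint32_t payload_len, int checked)
{
    uint8_t mbx[MBX_SIZE];
    struct mbx_msg m;
    struct scp_scratch s;

    memset(mbx, 'A', sizeof mbx);
    wr32le(mbx, 0x1001);                         /* constructed message id */
    wr32le(mbx + 4, payload_len);
    int rc = mbx_parse(mbx, sizeof mbx, &m);
    if (rc != E_OK)
        return rc;
    memset(s.region, 0, SCRATCH_SIZE);
    memset(s.region + SCRATCH_SIZE, CANARY_BYTE, CANARY_SIZE);   /* canary */
    rc = checked ? handle_checked(&m, &s) : handle_unchecked(&m, &s);
    return scratch_canary_intact(&s) ? rc : E_CANARY_SMASHED;
}

int main(void)
{
    printf("len=64:  unchecked=%d checked=%d\n", deliver(64, 0), deliver(64, 1));
    printf("len=200: unchecked=%d checked=%d (E_CANARY_SMASHED=%d, E_SIZE=%d)\n",
           deliver(200, 0), deliver(200, 1), E_CANARY_SMASHED, E_SIZE);
    return 0;
}
```

The mailbox size is chosen so that any length the transport layer accepts stays inside the modelled region; that is only so the overflow lands on the canary rather than on unrelated memory in this demonstration. The point for firmware review is the shape of handle_unchecked(): a validation routine whose return value is discarded is indistinguishable, at runtime, from no validation at all, and compilers will not warn about it unless the function is annotated warn_unused_result.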

Official announcement: For detail, please refer to link –

https://nvd.nist.gov/vuln/detail/CVE-2024-9413