Monthly Archives: November 2024

AI and ML, Potential Risk of CVE

CVE-2024-28028: Improper input validation in some Intel® Neural Compressor software (15-11-2024)

Leave a comment

Preface: If you talk to God, what is the difference between human and artificial intelligence? Maybe God will say that humans and A.I are incomparable. And both cannot live together in the same place.

Background: Intel Neural Compressor performs model optimization to reduce the model size and increase the speed of deep learning inference for deployment on CPUs or GPUs.

Intel Neural Compressor aims to provide popular model compression techniques such as quantization, pruning (sparsity), distillation, and neural architecture search on mainstream frameworks such as TensorFlow, PyTorch, ONNX Runtime, and MXNet, as well as Intel extensions such as Intel Extension for TensorFlow and Intel Extension for PyTorch.

Vulnerability details:

CVEID: CVE-2024-28028

Improper input validation in some Intel(R) Neural Compressor software before version v3.0 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

Affected Products: Intel® Neural Compressor software before version 3.0.

Official announcement: For detail, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2024-28028

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2024-38424 Use After Free in GPS (14-12-2024)

Leave a comment

Preface: There are four global satellite navigation systems, currently GPS (United States), GLONASS (Russian Federation), Beidou (China) and Galileo (European Union).

Background: Android Opensource is called HLOS. Qualcomm’s proprietary one is called non-HLOS.

The Android on Snapdragon architecture is built to allow for common feature adoption across devices with Snapdragon. It represents the software features and functionalities available on Qualcomm® reference devices and provided to OEMs for design into their Android mobile devices and tablets.

Global Navigation Satellite System ( GNSS ) refers to any satellite constellation that provides global positioning, navigation, and timing services. Several GNSS are currently available: BeiDou (China) , Galileo (EU), GPS (USA) and GLONASS (Russia). On Oct 2022, Rx Networks, Inc., a GNSS data services company, announced the availability of TruePoint.io precise location services on Qualcomm’s Snapdragon 8 Gen 1 and Snapdragon 888 5G Mobile Platforms.

Vulnerability details: Memory corruption during GNSS HAL process initialization.

Technology Area: GPS HLOS Driver

CWE-416: Use After Free

Official announcement: Please refer to the official announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2024-38424

AI and ML, Potential Risk of CVE

About AMD Ryzen™ AI Software: CVE-2024-21974, CVE-2024-21975 and CVE- 2024-21976 (13Nov 2024)

Leave a comment

Preface: A pointer is a variable that stores the memory address of another variable. Unlike typical variables that hold data like numbers or characters, pointers hold the location of where data is stored in your computer’s memory. By knowing the address, pointers can access & manipulate the data at that memory location.

Background:

1.Install NPU Drivers

2.Download the NPU driver installation package NPU Driver

3.Install the NPU drivers by following these steps:

4.Extract the downloaded “NPU_RAI1.2.zip” zip file.

5.Open a terminal in administrator mode and execute the[[.]\npu_sw_installer[.]exe] exe file.

6.Ensure that NPU MCDM driver (Version:32.0.201.204, Date:7/26/2024) is correctly installed by opening Device Manager -> Neural processors -> NPU Compute Accelerator Device.

Vulnerability details:

CVE-2024-21974 Improper input validation in the NPU driver could allow an attacker to supply a specially crafted pointer potentially leading to arbitrary code execution.

CVE-2024-21975 Improper input validation in the NPU driver could allow an attacker to supply a specially crafted pointer potentially leading to arbitrary code execution.

CVE-2024-21976 Improper input validation in the NPU driver could allow an attacker to supply a specially crafted pointer potentially leading to arbitrary code execution.

Official announcement: Please refer to the official announcement for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7017.html

Network (Protocol, Topology & Standard), Potential Risk of CVE

CVE-2023-40457: About BGP transitive bit be awakened (12Nov 2024)

Leave a comment

Preface: The core purpose of a BGP UPDATE is to tell another router some traffic it can (or can no longer) send to it. However, simply knowing directly what can be sent to another router is not very useful without context. Therefore, a BGP packet is divided into two parts: Network Layer Reachability Information (NLRI) data (also known as an IP address range) and attributes that help describe additional context about that reachability data.

Background:

One important flag is called the “transitive bit”:

If a BGP implementation does not understand an attribute and the transitive bit is set, it will copy it to another router. If the router does understand this attribute, it can apply its own policy. But in this way,  it allows possibly unknown information to propagate blindly through systems that do not understand the impact of what they are forwarding. 

Vulnerability details: The BGP daemon in Extreme Networks ExtremeXOS (aka EXOS) 30.7.1.1 allows an attacker (who is not on a directly connected network) to cause a denial of service (BGP session reset) because of BGP attribute error mishandling (for attribute 21 and 25). NOTE: the vendor disputes this because it is “evaluating support for RFC 7606 as a future feature” and believes that “customers that have chosen to not require or implement RFC 7606 have done so willingly and with knowledge of what is needed to defend against these types of attacks.”

Official announcement: Please refer to the official announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2023-40457/change-record?changeRecordedOn=11/10/2024T19:15:13.817-0500

Potential Risk of CVE

CVE-2024-50262: About Linux Classic Berkeley Packet Filter bpf (11th Nov 2024)

Leave a comment

Preface: Common Use Cases for BPF

-Network Monitoring: Tools like tcpdump and Wireshark use BPF to capture and analyze network traffic.

-Security Applications: Intrusion detection systems can use BPF to filter and inspect network packets for malicious activity.

Key Features of BPF:

-Packet Filtering: BPF programs can filter network packets based on various criteria, such as IP addresses, ports, and protocols.

-Kernel Space Execution: BPF programs run in the kernel space, which allows them to process packets with minimal overhead.

-Efficiency: BPF’s design minimizes the performance impact on the system, making it suitable for high-throughput network applications.

Vulnerability details: bpf – Fix out-of-bounds write in trie_get_next_key().

Consequence: If such a write ends up in unused memory, which will never be accessed again, it will not have any consequences. In many other cases, it will just make the program crash.

Remedy: Fix out-of-bounds write in trie_get_next_key() trie_get_next_key() allocates a node stack with size trie->max_prefixlen, while it writes (trie->max_prefixlen + 1) nodes to the stack when it has full paths from the root to leaves.

Official announcement: Please refer to the vendor announcement for details –

https://www.tenable.com/cve/CVE-2024-50262

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2024-38403 – Buffer Over-read in WLAN Firmware (8th Nov 2024)

Leave a comment

Preface: BSS Transition Management enables an AP to request a voice client to transition to a specific AP, or suggest a set of preferred APs to a voice client, due to network load balancing or BSS termination.

Background: A STA receiving a BSS Transition Management Request frame may respond with a BSS Transition Management Response frame.

The BSS Termination Included (bit 3) field indicates that the BSS Termination Duration field is included, the BSS or the AP MLD is shutting down and the STA or the non-AP MLD will be disassociated. The AP or AP MLD sets the BSS Termination Included bit in the Request mode field to 1 to indicate that the BSS or AP MLD is shutting down.

The BSS Termination Included bit is 0 if no BSS Termination Duration information is included in the BSS Transition Management Request frame.

Vulnerability details: Transient DOS while parsing BTM ML IE when per STA profile is not included.

Official announcement: Please refer to the vendor announcement for details –

https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2024-bulletin.html

AI and ML, Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

CVE-2024-38408 – Cryptographic Issues in BT Controller (7 Nov 2024)

Leave a comment

Preface: Snapdragon 8 Gen 2 SoC comes with many new features and technologies such as new tri-cluster architecture, AI improvements, ray tracing support, and more. However, one largely overlooked feature is dual Bluetooth. Now, it’s not going to revolutionize the Bluetooth experience on mobile devices, but it will actually solve some of the fundamental problems we face when using Bluetooth technology on mobile devices.

Background: The encryption key negotiation protocol is conducted between two parties as follows: the initiator proposes an entropy value N that is an integer between 1 and 16, the other party either accepts it or proposes a lower value or aborts the protocol. If the other party proposes a lower value, e.g., N − 1, then the initiator either accepts it or proposes a lower value or it aborts the protocol. At the end of a successful negotiation the two parties have agreed on the entropy value of the Bluetooth encryption key. The entropy negotiation is performed over the Link Manager Protocol (LMP), it is not encrypted and not authenticated, and it is transparent to the Bluetooth.

Vulnerability details: Cryptographic issue when a controller receives an LMP start encryption command under unexpected conditions.

Official announcement: Please refer to the vendor announcement for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2024-bulletin.html

AI and ML, Potential Risk of CVE

About CVE-2024-0134 – NVIDIA Container Toolkit and NVIDIA GPU Operator for Linux contain a UNIX vulnerability (5th Nov 2024)

Leave a comment

Preface: In software development, time-of-check to time-of-use (TOCTOU, TOCTTOU or TOC/TOU) is a class of software bugs caused by a race condition involving the checking of the state of a part of a system (such as a security credential) and the use of the results of that check.

Background: The NVIDIA container stack is architected so that it can be targeted to support any container runtime in the ecosystem. The components of the stack include:

-The NVIDIA Container Runtime (nvidia-container-runtime)

-The NVIDIA Container Runtime Hook (nvidia-container-toolkit / nvidia-container-runtime-hook)

-The NVIDIA Container Library and CLI (libnvidia-container1, nvidia-container-cli)

The components of the NVIDIA container stack are packaged as the NVIDIA Container Toolkit.

The NVIDIA Container Toolkit is a key component in enabling Docker containers to leverage the raw power of NVIDIA GPUs. This toolkit allows for the integration of GPU resources into your Docker containers.

Remark: The Podman command can be used with remote services using the –remote flag. Connections can be made using local unix domain sockets, ssh

Vulnerability details: NVIDIA Container Toolkit and NVIDIA GPU Operator for Linux contain a UNIX vulnerability where a specially crafted container image can lead to the creation of unauthorized files on the host. The name and location of the files cannot be controlled by an attacker. A successful exploit of this vulnerability might lead to data tampering.

Official announcement: Please refer to the vendor announcement for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5585

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

About CVE-2024-43080: So called Intent Redirection by Google (4th Nov 2024)

Leave a comment

Preface: What is intent redirection and app security in Android? An intent redirection occurs when an attacker can partly or fully control the contents of an intent used to launch a new component in the context of a vulnerable app.

Background: An Intent in the Android operating system is a software mechanism that allows users to coordinate the functions of different activities to achieve a task. One or more of your apps contain an Intent Redirection issue which can allow malicious apps to access private app components or files.

Vulnerability details: CVE-2024-43080: This vulnerability could lead to privilege escalation. Please refer to the official announcement for details – https://source.android.com/docs/security/bulletin/2024-11-01

IoT, Potential Risk of CVE

CVE-2024-7883 – CMSE secure state may leak from stack to floating-point registers (3rd Nov 2024)

Leave a comment

Preface: The Cortex-M stands for the Microcontroller which is used in most of our daily life applications also starting from the automation to DSP applications, sensors, smart displays, IoT applications ,etc.

Background: In April of 2024, Arm Limited published a Cortex-M Security Extensions (CMSE) Security Bulletin that identifies a potential software security issue in code that uses CMSE. The security vulnerability allows an attacker to pass out-of-range values to code executing in Secure state to cause incorrect operation in Secure state. This security vulnerability is present in compilers that are not compliant with version 1.4 of the Arm v8-M Security Extensions Requirements on Development Tools.

Vulnerability details: When using Arm Cortex-M Security Extensions (CMSE), Secure stack contents can be leaked to Non-secure state via floating-point registers when a Secure to Non-secure function call is made that returns a floating-point value and when this is the first use of floating-point since entering Secure state. This allows an attacker to read a limited quantity of Secure stack contents with an impact on confidentiality. This issue is specific to code generated using LLVM-based compilers.

LLVM and the GNU Compiler Collection (GCC) are both compilers. The difference is that GCC supports a number of programming languages while LLVM isn’t a compiler for any given language. LLVM is a framework to generate object code from any kind of source code.

Official announcement: For more information about the vulnerability, please see the link –

https://nvd.nist.gov/vuln/detail/CVE-2024-7883

https://developer.arm.com/Arm%20Security%20Center/Cortex-M%20Security%20Extensions%20Vulnerability