Monthly Archives: June 2025

AI and ML, Potential Risk of CVE

CVE-2025-0036: A potential vulnerability exists with the configuration of the SSS (Secure Stream Switch) – 5th Jun 2025

Leave a comment

Preface: AMD’s Versal Adaptive SoCs are designed for high-performance computing, offering a blend of programmable logic, processing system, and AI engines, along with advanced memory and interfaces. They excel in cloud, network, and edge applications by combining heterogeneous compute with a wide range of hard IP. This architecture enables outstanding performance/watt and adapts to changing requirements, making them suitable for various applications like AI, data centers, and network acceleration.

Background: In Versal™ Adaptive SoC devices, the Platform Loader and Manager (PLM) implements runtime (post-boot) software services that allows a remote processor to command the PLM to execute cryptographic operations – including AES, SHA3, RSA, ECDSA – on behalf of the remote processor. These operations require the Secure Stream Switch (SSS) to be configured such that the Direct Memory Access (DMA) hardware can send data to and read from these cryptographic engines.

Ref: Some crypto engines (like AES, SHA3) are integrated into the PMC for secure boot and runtime services. Others may be instantiated in the PL for custom cryptographic acceleration.

Vulnerability details: A potential vulnerability exists with the configuration of the SSS because the PLM does not clear the SSS configuration after a cryptographic operation completes. This allows an improper SSS configuration when setting up the SSS for any following cryptographic command.

Official announcement: For more details, please refer to the following link – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-8011.html

Potential Risk of CVE, Under our observation

Cache-based Side-Channel Attack Against SEV (4th Jun 2025)

Leave a comment

Originally posted by AMD 3rd Feb 2025

2025-02-17 – Updated Acknowledgement

2025-06-03 Update:A subsequent report of the same attacks was received from researchers at Graz University of Technology.

Preface: FIPS 186-5 removes DSA as an approved digital signature algorithm “due to a lack of use by industry and based on academic analyses that observed that implementations of DSA may be vulnerable to attacks if domain parameters are not properly generated.

February 3, 2023 – NIST published Federal Information Processing Standard (FIPS) 186-5, Digital Signature Standard (DSS), along with NIST Special Publication (SP) 800-186, Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters.  

Background: The SEV feature relies on elliptic-curve cryptography for its secure key generation, which runs when a VM is launched. The VM initiates the elliptic-curve algorithm by providing points along its NIST (National Institute of Standards and Technology) curve and relaying the data based on the private key of the machine.

Vulnerability details: AMD has received a report from researchers at National Taiwan University detailing cache-based side-channel attacks against Secure Encrypted Virtualization (SEV).

Remedy: AMD recommends software developers employ existing best practices for prime and probe attacks (including constant-time algorithms) and avoid secret-dependent data accesses where appropriate.  AMD also recommends following previously published guidance regarding Spectre type attacks (refer to the link in the reference section below), as it believes the previous guidance remains applicable to mitigate these vulnerabilities.

Supplement: The lack of authentication in the memory encryption is one major drawback of the Secure Memory Encryption (SME) design, which has been demonstrated in fault injection attacks. SEV inherits this security issue. Therefore, a malicious hypervisor may alter the ciphertext of the encrypted memory without triggering faults in the guest VM.

Office announcement: Please refer to the link for details –

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3010.html

Potential Risk of CVE

CVE-2025-27029 – Buffer Over-read in WLAN HAL (3rd Jun 2025)

Leave a comment

Preface: Google has been transitioning HALs from HIDL to AIDL since Android 11, and by Android 13 and 14, most major HALs—including Wi-Fi (WLAN), Audio, Bluetooth, and Telephony—have adopted AIDL as the standard interface definition language.

Background: In Android, defining and managing buffers in the WAN HAL (Wide Area Network Hardware Abstraction Layer) isn’t a standard or commonly documented component like the Camera HAL or Audio HAL. However, if you’re referring to buffer management in a HAL module (such as for networking or other hardware interfaces), the general approach follows Android’s HAL architecture principles.

The WLAN HAL (Hardware Abstraction Layer) allows the Android operating system to interact with Wi-Fi hardware by providing a standardized, hardware-independent interface. This interface, specified by HIDL (Hardware Interface Definition Language) in Android 8.0 and above, enables the Android framework to control Wi-Fi functionalities like scanning, connecting, and sending/receiving data, regardless of the specific Wi-Fi chipset used by the device.

Vulnerability details: Transient DOS while processing the tone measurement response buffer when the response buffer is out of range.

Official Announcement: Please see the link for details –

https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html

IoT, Potential Risk of CVE

CVE-2025-21479: Incorrect Authorization in Graphics (2nd June 2025)

Leave a comment

Preface: Snapdragon chipsets, which are a type of System-on-a-Chip (SoC), often include memory components, such as RAM (Random Access Memory) and ROM (Read-Only Memory), within the chip itself. This integrated approach allows for faster and more efficient data processing within the device.

Background: In Qualcomm Snapdragon SoCs, the Adreno GPU is responsible for graphics and compute tasks. The GPU is managed through a combination of firmware, drivers (like KGSL on Android), and secure execution environments. Authorized memory operations are typically handled as follows:

1. Initialization Phase

  • The GPU driver (KGSL) initializes the GPU and sets up memory mappings.
  • The TrustZone or Secure Execution Environment (SEE) may be involved in verifying firmware and boot integrity.

2. Command Submission

  • Memory operations (e.g., buffer allocation, mapping, copying) are submitted via command buffers.
  • These buffers are managed by the GPU Command Processor (CP) and passed through the Ringbuffer.

3. Permission Check

  • Before execution, the GPU driver and firmware perform permission checks:
    • Is the memory region accessible to the current process?
    • Is the memory marked as GPU-accessible?
    • Are the command buffers properly signed or validated?
  • These checks may involve IOMMU (Input-Output Memory Management Unit) to ensure memory isolation and protection.

Ref: The IOMMU (Input-Output Memory Management Unit) is responsible for managing DMA (Direct Memory Access) from I/O devices and ensuring that these devices can only access the memory they are authorized to. A problem where the IOMMU is not checking permissions would mean that I/O devices could potentially access memory they shouldn’t, leading to security vulnerabilities and system instability.

Vulnerability details: Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.

Official announcement: Please see the link for details

https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html

Potential Risk of CVE

CVE-2025-1763: About GitLab EE (2nd Jun 2025)

Leave a comment

Preface: The computer industry favors GitLab because it provides a comprehensive, integrated software development platform that covers everything from planning and code management to continuous integration and deployment. This “full operation and maintenance” approach simplifies the software development life cycle and promotes collaboration between different teams. GitLab’s open source nature, free basic version, and strong community have further enhanced its popularity.

Background: GitLab Enterprise Edition (EE) is the self-hosted, open-core version of the GitLab platform. It builds upon the core features of GitLab Community Edition (CE) and offers additional features, support, and licensing options designed for enterprise users. EE is not a free-to-use version but offers a free tier for initial self-hosting and then provides paid subscription levels (Core, Starter, Premium, and Ultimate) for enhanced features and support.

Vulnerability details: An issue has been discovered in GitLab EE that allows for cross-site-scripting attack and content security policy bypass in a user’s browser under specific conditions, affecting all versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.

My Speculation: The issue stems from improper sanitization of user-controllable input, which is then rendered in a web page. This is a classic DOM-based XSS scenario, where the browser executes injected scripts due to insufficient input validation and output encoding.

Official announcement: Please see the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-1763