All posts by admin

CVE-2022-41340 – A security issue in ECDSA verify (25th Sep 2022)

Preface: The term vanilla script is used to refer to the pure JavaScript (or we can say plain JavaScript) without any type of additional library.

Background: Pure JS implementation of secp256k1 signing, verification, recovery ECDSA. The code works as-is both in browsers and NodeJS, without the need of a bundler. See this link for details – https://github.com/lionello/secp256k1-js

Vulnerability details: The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery. See this link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-41340

Ref: Signature forgery – a vulnerability in the signing process that allows an attacker to generate valid signatures without knowing the shared secret.

Design defect: The ecverify function does not check sig[.]r = sig[.]s = 0, which leads an attacker can construct a malicious signature (0, 0) that passes arbitrary checks.

Remedy: Upgrading to version 1.1.0 resolved the issue

Current possibility of exploitation: No technical details available. The vulnerability is less known than average, and there are no exploits available.

Observation: Can hacker crack the private key from the public key”? Well, the answer is always, “No”, unless there’s a weakness in the implementation.

CVE-2022-39224: arr-pm versions prior to 0.0.12 are subject to this vulnerability (22nd Sep 2022)

Preface: Companies like SlideShare, Airbnb, CrunchBase, Bloomberg, Dribble, Shopify, and GitHub have trusted Ruby on Rails and used the framework in their applications.

Background: Ruby is an open source, object oriented language that was developed in the mid-90s. Since it is a scripting language. Ruby doesn’t talk to the hardware directly. Rather, it is written in a text file and parsed by an interpreter before it can be turned into code.
The library (arr-pm) allows to you to read and write rpm packages. It is written in pure ruby because librpm is not available on all systems.
This programming language is also used in automation, website deployment, and DevOps.

Vulnerability details: Vulnerability details: Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious “payload compressor” field. This vulnerability impacts the extract and files methods of the RPM::File class of this library.

Additional: The vulnerability may impact fpm only when using the flag -s rpm or –input-type rpm to convert a malicious rpm to another format. It does not impact creating rpms.

gem is a command provided by a the Ruby packaging system called rubygems. This allows you to install, and later upgrade, fpm.
So when you do the installation : gem install -no-ri –nordoc fpm
You can see the installation process fetching arr-pm-.0.0.xx[.]gem

This is the problem that arises in this design weakness.

Solution: It is recommended to upgrade your arr-pm to 0.0.12.

09/02/2022 CVE reserved
09/22/2022 +20 days Advisory disclosed

About CVE-2022-41218 – The vendor who sharing this technology, you should fix immediately. Otherwise, you will be headache! 21st Sep 2022.

Preface: In 2021, Linux has been one of the most popular software packages for client devices. According to Digital TV Europe, 800 million set-top boxes are powered by this platform worldwide.

Background: The LinuxTV project is an informal group of volunteers who develop software regarding digital television for the Linux kernel-based operating systems. The community develops and maintains the Digital Video Broadcasting (DVB) driver subsystem which is part of the Linux kernel since version 2.6. x.

Vulnerability details: In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release.

Ref: In computer world, reference counting is a programming technique of storing the number of references, pointers, or handles to a resource, such as an object, a block of memory, disk space, and others.
Furthermore in garbage collection management, reference counts may be used to deallocate objects that are no longer needed.

Reference counts can be used when tracking how many objects contain a reference to a particular resource, such as in memory management or garbage collection. Race condition causes reference counter to be decremented prematurely, leading to the destruction of still-active object and an invalid pointer dereference.
An invalid pointer reference occurs when a pointer’s value is referenced even though the pointer doesn’t point to a valid block.

My observation:
The reference counting is a programming technique of storing the number of references, pointers, or handles to a resource. Furthermore in garbage collection management, reference counts may be used to deallocate objects that are no longer needed. The vulnerability will occurs a use-after-free caused by refcount races. Use-After-Free (UAF) is a vulnerability related to incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program. The driver is located in ring 0 (kernel). If attacker know how to exploit this bug in user space. Therefore, the risk will be significant higher.

Solution and official details: Please refer to this link – https://nvd.nist.gov/vuln/detail/CVE-2022-41218

CVE-2022-32917, CVE-2022-32912 & CVE-2022-32788 – Bounds check design weakness require improve in IOS (affecting iOS 16 Beta 9 and previous versions). Apple claimed that it fixed now.(20th Sep 2022)

Preface: Bounds checking is a compiler-based technique that adds run-time bounds information for each allocated block of memory, and checks all pointers against those at run- time. For C and C++, bounds checking can be performed at pointer calculation time or at dereference time.

Background: The calloc () function allocates memory for an array of nmemb elements of size bytes each and returns a pointer to the allocated memory. The memory is set to zero. If nmemb or size is 0, then calloc () returns either NULL, or a unique pointer value that can later be successfully passed to free ().
The Difference Between Malloc and Calloc is that calloc allocates the memory and initializes every byte in the allocated memory to 0. In contrast, malloc allocates a memory block of a given size and doesn’t initialize the allocated memory.
Mach Kernel Abstractions:
Mach provides a small set of abstractions that have been designed to be both simple and powerful. These are the main kernel abstractions:

  • Tasks. The units of resource ownership; each task consists of a virtual address space, a port right namespace, and one or more threads. (Similar to a process.)
  • Threads. The units of CPU execution within a task.
  • Address space. In conjunction with memory managers, Mach implements the notion of a sparse virtual address space and shared memory.
  • Memory objects. The internal units of memory management. Memory objects include named entries and regions; they are representations of potentially persistent data that may be mapped into address spaces.
  • Ports. Secure, simplex communication channels, accessible only via send and receive capabilities (known as port rights).
  • IPC. Message queues, remote procedure calls, notifications, semaphores, and lock sets.
  • Time. Clocks, timers, and waiting.

Vulnerability details:
CVE-2022-32917 The issue was addressed with improved bounds checks – https://nvd.nist.gov/vuln/detail/CVE-2022-32917
CVE-2022-32912 An out-of-bounds read was addressed with improved bounds checking – https://www.tenable.com/cve/CVE-2022-32912
CVE-2022-32788 A buffer overflow was addressed with improved bounds checking – https://nvd.nist.gov/vuln/detail/CVE-2022-32788

About the September 2022 Trend Micro Critical Security Bulletin (20th Sep 2022)

Quote: A technical discussion on devblogs.microsoft.com – https://devblogs.microsoft.com/oldnewthing/20200113-00/?p=103322
This is not a vulnerability. In Windows, you can put a file in a directory that the user does not have access to, but if the user can produce the name of the file, they can still access it. This works because Windows by default enables “bypass traversal checks”, which means that you can access anything you can name.

Background: Trend Micro Apex One as a Service is a centrally managed anti-malware solution that protects endpoints (servers, desktops, and portable endpoints) from a wide variety of Internet threats.
– CVE-2022-40139: Improper Validation of Rollback Mechanism Components RCE Vulnerability
– CVE-2022-40140: Origin Validation Error Denial-of-Service Vulnerability
– CVE-2022-40141: Information Disclosure Vulnerability
– CVE-2022-40142: Agent Link Following Local Privilege Escalation Vulnerability
– CVE-2022-40143: Link Following Local Privilege Escalation Vulnerability
– CVE-2022-40144: Login Authentication Bypass Vulnerability
On this discussion, I am focusing on CVE-2022-40144. On 2019, Directory Traversal Vulnerability discovered in Trend Micro Apex One, OfficeScan and Worry-Free Business Security. Since the vulnerability details annouce by vendor lure my interested. Perhaps there is no offical details annonucment. However, it might have Directory Traversal Vulnerability awaken again in CVE-2022-40144. The design weakness will be on web console.

Vulnerability details: CVE-2022-40144 – A vulnerability in Trend Micro Apex One and Trend Micro Apex One as a Service could allow an attacker to bypass the product’s login authentication by falsifying request parameters on affected installations.

Remark: Trend Micro has released a new Service Pack for Trend Micro Apex One (On Premise) and Critical Patches for Apex One as a Service (SaaS) that resolve multiple vulnerabilities in the product.
Zero-Day-Initiative – CVE-2022-40140, CVE-2022-40142 and CVE-2022-40143

Remedy: To address multiple vulnerabilities in their product, follow their recommendations for fixes. For details, please refer to the following link for reference.
https://success.trendmicro.com/dcx/s/solution/000291528?language=en_US

CVE-2022-40768 – drivers/scsi/stex[.]c in the Linux kernel through 5[.]19[.]9 allows local users to obtain sensitive information from kernel memory (18th Sep 2022)

Preface: iSCSI is popular in the implementation of SAN systems because of their block level storage structure. When data arrives at its destination the iSCSI protocol separates the SCSI commands so that the Operating System will see the storage as a local device and allow formatting as usual.

Background: iSCSI is a block protocol for storage networking and runs the very common SCSI storage protocol across a network connection which is usually Ethernet. iSCSI, like Fibre Channel, can be used to create a Storage Area Network (SAN). iSCSI traffic can be run over a shared network or a dedicated storage network.

Design concept:

Initiator – The SCSI layer generates command descriptor blocks (CDBs) and transfers them to the iSCSI layer. The iSCSI layer generates iSCSI protocol data units (PDUs) and send them to the targer over an IP network.
Target – The iSCSI layer receives PDUs and sends CDBs to the SCSI layer.The SCSI layer interprets CDBS and gives responses when necessary.

Vulnerability details: A vulnerability was found in Linux Kernel up to 5[.]19[.]9. The design weakness occurs in the function stex_queuecommand_lck of the file drivers/scsi/stex[.]c. The manipulation leads to information disclosure.

Remedy: The passthrough structure is declared off of the stack, so it needs to be zeroed out before copied back to userspace to prevent any unintentional data leakage.

References to Advisories – Please refer to the link for details:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/scsi/stex.c
https://lore.kernel.org/all/20220908145154.2284098-1-gregkh@linuxfoundation.org/
https://www.openwall.com/lists/oss-security/2022/09/09/1

CVE-2022-40476: If you use io_uring to optimize your Redis, you should stay alert! (15th Sep 2022)

Preface: Dereferencing a null pointer is undefined behavior, typically abnormal program termination. In some situations, however, dereferencing a null pointer can lead to the execution of arbitrary code.

Background: io_uring (previously known as aioring) is a Linux kernel system call interface for storage device asynchronous I/O operations addressing performance issues with similar interfaces provided by functions like read()/write() or aio_read()/aio_write() etc. for operations on data accessed by file descriptors.

Vulnerability details: A null pointer dereference issue was discovered in fs/io_uring[.]c in the Linux kernel before 5.15.62. A local user could use this flaw to crash the system or potentially cause a denial of service.

Reminder: In the moment, open source developer did not had good way to completely fix the destructive RMW (unless we go full scrub for each partial write), But the fix thet test can be limited the damage .

Software developer announcement:
Although we have no good way to completely fix the destructive RMW (unless we go full scrub for each partial write), we can still limit the damage.
With patch “btrfs: only write the sectors in the vertical stripe which has data stripes” now we won’t really submit the P/Q of unrelated vertical stripes, so the on-disk P/Q should still be fine.

Remark:

  • btrfs is a modern copy on write (CoW) filesystem for Linux aimed at implementing advanced features while also focusing on fault tolerance or repair.
  • destructive read-modify-write (RMW)

Related details reference link:

Causes CVE-2022-34718, does it happen in this case? (15th Sep 2022)

Preface: Whether it is correct or not, this is a spirit for learning.

Background: The critical CVE (CVE-2022-34718 ) impacts Windows TCP/IP, allowing an unauthenticated attacker to send a specially crafted IPv6 packet to Windows node where IPSec is enabled. But the supplier didn’t reveal too many details.

My observation: CVE-2021-24074 and CVE-2021-24094 occurred in 2021.The RCE vulnerability is more complex, and it is more difficult to initiate exploit, and it will not happen in a short period of time.
In response to CVE-2021-24074, Microsoft recommends turning off Source Routing to defend against, which is already turned off by default in Windows.
For CVE-2021-24094, Microsoft recommends turning off packet reassembly to block IPv6 packet fragmentation, but this may also affect services that rely on IPv6.
Essentially, fragments are reassembled in IP Filter mechanism. So, Disable fragment reassembly is a workaround.

VPN support IPv6 protocol. Meanwhile the VPN support reassembly features. If unautheticated attacker send a specially crafted IPv6 packet to Windows node where IPSec is enabled. As a result, if WFP still support packet reassembly, the TCP RCE vulnerability (CVE-2021-24074 and CVE-2021-24094) will appears again.

Official detail:Please go to the link for details https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34718

CVE-2022-35836 – Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability (13th Sep 2022)

Preface: Failures happen all the time, it’s important to see how to deal with them.

Background: Background: The new OLE DB provider is called the Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL). The Microsoft OLE DB Provider for SQL Server (SQLOLEDB) still ships as part of Windows Data Access Components. It isn’t maintained anymore and it isn’t recommended to use this driver for new development. When developing an application that uses the OLE DB Driver for SQL Server library, developer is able to use ADO with OLE DB Driver for SQL Server.

Vulnerability details: Certain versions of Windows from Microsoft contain the following vulnerability:
Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34731, CVE-2022-34733, CVE-2022-35834, CVE-2022-35835, & CVE-2022-35840.

My observation: Because Microsoft did not disclose the reason. I guess that one of the possibility will be triggered by ADO with OLE DB Driver for SQL Server. My speculation is shown on diagram. Let’s recall CVE-2019-0888.

A remote code execution vulnerability exists in the way that ActiveX Data Objects (ADO) handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code with the victim user’s privileges. An attacker could craft a website that exploits the vulnerability and then convince a victim user to visit the website. The security update addresses the vulnerability by modifying how ActiveX Data Objects handle objects in memory.

Even if my speculation not a correct story, long story short. We should do a patch.

Official announcement – Please refer to the link for details – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35836

Take a closer look at CVE-2022-40307 – a design flaw in capsule-loader[.]c in Linux (13th Sep 2022)

Preface: Not sure if this vulnerability affects all linux brands. However, Debian has solved this problem. Maybe when you turned on your linux yesterday. A critical update will cover this issue.
Remark: Debian Linux’s mainline kernel has been ported bare-metal to the Apple M1 SoC, opening up the way for a Linux ecosystem replacing MacOS.

Background: BIOS uses the Master Boot Record (MBR) to save information about the hard drive data while UEFI uses the GUID partition table (GPT). Compared with BIOS, UEFI is more powerful and has more advanced features. It is the latest method of booting a computer, which is designed to replace BIOS.UEFI is the replacement for BIOS. EFI is the storage partition used with UEFI.
Unified Extensible Firmware Interface is a personal computer system specification that defines the software interface between the operating system and system firmware as an alternative to BIOS. The extensible firmware interface is responsible for POST, contacting the operating system, and providing the interface between the operating system and the hardware. The predecessor of UEFI was the Intel Boot Initiative, which was developed by Intel in 1998, and was later renamed the Extensible Firmware Interface.

Introducing a kernel module to expose capsule loader interface (misc char device file note) for user to upload capsule binaries. This option exposes a loader interface “/dev/efi_capsule_loader” for user to load EFI capsule binary and update the EFI firmware through system reboot. It expose a misc char interface for user to upload the capsule binary and calling efi_capsule_update() API to pass the binary to EFI firmware. The steps to update efi firmware are:
1) cat firmware[.]cap > /dev/efi_capsule_loader
2) reboot

Vulnerability details: An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader[.]c has a race condition with a resultant use-after-free.

NVD Published Date:09/09/2022
NVD Last Modified:09/09/2022

Official announcementhttps://nvd.nist.gov/vuln/detail/CVE-2022-40307