All posts by admin

CVE-2024-28862: The Ruby One Time Password library (ROTP): affected versions had overly permissive default permissions (18-03-2024)

Preface: In this rushed, demanding digital world, people rarely think about the back-end platform or how it is designed. Vulnerability management therefore rests largely with vendors and software developers.

Background: Ruby on Rails has carved out a sizeable niche: it is used by millions of websites, including those of well-known companies such as GitHub, Shopify, Airbnb and Fiverr.

ROTP is a gem used to generate and verify TOTP (Time-Based One Time Password) codes; the rqrcode gem generates a QR code SVG based on the generated TOTP.

Vulnerability details: The Ruby One Time Password library (ROTP) is an open source library for generating and validating one time passwords. Affected versions had overly permissive default permissions (CWE-276 – Incorrect Default Permissions).

A file with mode 666 grants read and write permission to every user on the system. This CVE concerns files installed with exactly such permissions.

Workaround: Users should patch to version 6.3.0. Users unable to patch may correct file permissions after installation.

Official announcement: Please refer to the link below for details – https://nvd.nist.gov/vuln/detail/CVE-2024-28862
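Checking and correcting such permissions after installation, as the workaround suggests, can be automated. The following is an added example written for this post (not ROTP's own code): it scans a directory tree for world-writable files and clears the group/other write bits, exercised here on a constructed throwaway tree rather than a real gem install.

```python
import stat
import tempfile
from pathlib import Path


def is_world_writable(mode: int) -> bool:
    """True when the 'other' write bit is set, as in the 0666 files the advisory describes."""
    return bool(mode & stat.S_IWOTH)


def hardened_mode(mode: int) -> int:
    """Keep the owner's bits, drop write for group and others (0666 -> 0644, 0777 -> 0755)."""
    return mode & ~(stat.S_IWGRP | stat.S_IWOTH)


def world_writable_files(root: Path) -> list:
    """List every regular file under an installed gem tree that anyone on the host can modify."""
    return sorted(p for p in root.rglob("*")
                  if stat.S_ISREG(p.lstat().st_mode) and is_world_writable(p.lstat().st_mode))


def fix_permissions(root: Path) -> int:
    """Clear group/other write bits on each offending file; return how many were changed."""
    changed = 0
    for path in world_writable_files(root):
        path.chmod(hardened_mode(stat.S_IMODE(path.lstat().st_mode)))
        changed += 1
    return changed


def demo() -> tuple:
    """Constructed scenario: a throwaway gem tree with one 0666 file and one 0644 file."""
    with tempfile.TemporaryDirectory() as tmp:
        gem = Path(tmp) / "rotp"            # placeholder path, not a real gem install
        (gem / "lib").mkdir(parents=True)
        loose = gem / "lib" / "rotp.rb"
        loose.write_text("# constructed placeholder\n")
        loose.chmod(0o666)                  # the overly permissive mode from the advisory
        tight = gem / "README.md"
        tight.write_text("constructed placeholder\n")
        tight.chmod(0o644)
        before = [p.name for p in world_writable_files(gem)]
        fixed = fix_permissions(gem)
        after = [p.name for p in world_writable_files(gem)]
        return before, fixed, after         # (['rotp.rb'], 1, [])


if __name__ == "__main__":
    print(demo())
```

Point `world_writable_files` at the gem's real install directory (for example the output of `gem contents rotp`) to audit an existing installation.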

CVE-2024-2193: A Spectre v1 variant that inherits the Spectre v1 weakness, so-called GhostRace. AMD believes its previous guidance remains applicable to mitigate this vulnerability (15-03-2024)

AMD made this announcement on March 12, 2024.

Preface: Spectre variant 1 attacks take advantage of speculative execution of conditional branches, while Spectre variant 2 attacks use speculative execution of indirect branches to leak privileged memory.

Background: Speculative execution improves speed by operating on multiple instructions at once—possibly in a different order than when they entered the CPU. Speculative execution includes instruction or data pre-fetch, branch prediction, or any operation performed speculatively based on the prediction of program/system behavior.

Vulnerability details: A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution has been discovered. CPU hardware that uses speculative execution and is vulnerable to Spectre v1 is likely affected. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU by using race conditions to reach speculatively executed code paths. Security researchers have labelled this variant of the Spectre v1 vulnerability “GhostRace” for ease of communication.

Official announcement: Please refer to the following link for details –

CPU hardware utilizing speculative execution may be vulnerable to speculative race conditions – https://www.kb.cert.org/vuls/id/488902

AMD official article – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7016.html

About CVE-2023-39368: The machine learning process requires CPUs and GPUs. Does the bus lock regulator mechanism affect this area? Glad to say, the problem has been fixed. (14-03-2024)

CVE-2023-39368 was published on 13th March 2024. In fact, Intel has had a fix for this problem since the end of 2020. Perhaps because of hesitancy about disclosing the design weakness, it was not announced until this month.

Preface: What is an Intel E-core? While P-cores focus on delivering peak performance for intensive workloads, E-cores keep the system running efficiently during regular use.

Background: What is the LOCK prefix on Intel? The LOCK prefix is typically used with the BTS instruction to perform an atomic read-modify-write operation on a memory location in a shared-memory environment. The integrity of the LOCK prefix is not affected by the alignment of the memory field: memory locking is observed even for arbitrarily misaligned fields. When such a locked operand straddles a cache line boundary (a split lock), the operation cannot be completed within the cache and is carried out as a bus lock, which stalls memory access for other cores; the bus lock regulator named in this CVE is the mechanism that governs such bus locks.

Vulnerability details: CVE-2023-39368 – A potential security vulnerability in the bus lock regulator mechanism for some Intel Processors may allow denial of service. Intel is releasing firmware updates to mitigate this potential vulnerability.

Official announcement: Please refer to the link for details – https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00972.html

Could CVE-2022-26373 and CVE-2023-38575 be the same? (13th March 2024)

Preface: In August 2022, CVE-2022-26373 stated that non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. It looks like the same vulnerability under a new CVE reference number. What’s going on? CVE-2023-38575 was published on 13th March 2024.

Background: Fundamentally, the branch prediction unit reduces pipeline stalls and keeps the CPU executing instructions. However, if a prediction is wrong, the CPU has to flush the pipeline, which carries a performance penalty.

Operating systems have a process or task scheduler, which schedules the execution of various available tasks by allocating the CPU time. Furthermore, each process stores information about its state, which we call its context.

Vulnerability details: CVE-2023-38575 – Non-transparent sharing of return predictor targets between contexts in some Intel Processors may allow an authorized user to potentially enable information disclosure via local access.

Remark: Updating your microcode can help to mitigate certain potential security vulnerabilities in CPUs as well as address certain functional issues.

Official announcement: Please refer to the link for details – https://www.suse.com/security/cve/CVE-2023-46839.html

CVE-2023-46839: Fixed memory access through PCI device with phantom functions (XSA-449) (12th Mar 2024)

Preface: SUSE’s partnership with HPE Cray dates back to the early 1990s, predating HPE’s acquisition of Cray; throughout, SUSE has collaborated on Cray OS, a specialized version of SUSE Linux Enterprise Server.

Background: The hypervisor needs to manipulate the interaction between the guest OS and the associated physical device.

PCI devices can make use of a functionality called phantom functions, which when enabled allows the device to generate requests using the IDs of functions that are otherwise unpopulated. This allows a device to extend the number of outstanding requests.

Such phantom functions need an IOMMU context set up, but a failure to set up that context is not treated as fatal when the device is assigned. Not failing device assignment in that case can lead to the primary device being assigned to a guest while some of its phantom functions remain assigned to a different domain.

Vulnerability details: Under certain circumstances a malicious guest assigned a PCI device with phantom functions may be able to access memory from a previous owner of the device.

CVE-2023-46839: Fixed memory access through PCI device with phantom functions (XSA-449) (bsc#1218851).

Official announcement: Please refer to the link for details – https://www.suse.com/security/cve/CVE-2023-46839.html

CVE-2024-23278: An app may be able to break out of its sandbox (11th Mar 2024)

Vulnerability CVE-2024-23278 was released on March 7, 2024. Apple didn’t reveal specific details, so let’s see if we can dig out any clues.

Preface: XPC is the enhanced IPC framework used in macOS and iOS. Since its introduction in macOS 10.7 and iOS 5.0, its use has exploded.

Background: A sizeable portion of XPC’s functionality is undocumented, including its implementation (the main project, libxpc, is closed source). XPC provides a public API at two levels: the low-level API and the Foundation wrappers.

Vulnerability details: The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6.5, macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, tvOS 17.4. An app may be able to break out of its sandbox.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-23278

International Space Station slipping across the Moon’s face as it flies by at 8 kilometers per second (8th Mar 2024)

The moon and the earth rotate synchronously, so people on Earth only ever see the same side of the moon. Because the moon also rotates, people on Earth cannot see the other side (see Figure L1a). There are also days when the moon faces away from the sun, and it is pitch black at that time. Even if the International Space Station orbited the moon, it would be pitch dark for part of the time because it faced away from the sun.

The gravitational force of two large masses equals the centripetal force required for a small object to move along with them. Therefore, the moon falls at a Lagrangian point between the sun and the earth (L1, L1a & L3). NASA has announced that the James Webb Space Telescope is also at a Lagrangian point (see attached pictures L1, L2 & L3). I wonder if there is a chance to see the other side of the moon?


Ref: Please refer to the link for details – https://www.facebook.com/groups/355731256819830/permalink/421271603599128/

CVE-2023-28582 Buffer Copy Without Checking Size of Input in Data Modem (8th Mar 2024)

This issue was fixed on 2023/09/04, but the vendor did not announce the vulnerability until today (March 8, 2024).

Preface: Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications by allowing them to communicate in a way designed to prevent eavesdropping, tampering, or message forgery.

Background: 5G security standards bring enhancements to air interface and transport security mechanisms used in 4G.

In terms of transport security, the N2/N3 interfaces connecting the access and core networks and the Xn interfaces connecting base stations use IPsec in 4G. 5G additionally supports Datagram Transport Layer Security (DTLS) over Stream Control Transmission Protocol (SCTP) to secure signalling on the control plane, ensuring transport security between RANs and core networks. Operators can select a transport security protection scheme based on their security requirements to prevent data breaches and attacks on the transport network.

Vulnerability details: Memory corruption in Data Modem while verifying hello-verify message during the DTLS handshake.

Official announcement: https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2024-bulletin.html
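As an added illustration (not Qualcomm’s code; details of the real defect are not public), this parser for the DTLS HelloVerifyRequest message follows the RFC 6347 wire layout and checks every length field against the bytes actually received before the cookie is copied out, the class of check a “buffer copy without checking size of input” weakness omits. The builder exists only to construct sample input for the demo.

```python
HELLO_VERIFY_REQUEST = 3   # HandshakeType.hello_verify_request (RFC 6347 4.2.1)
DTLS12 = b"\xfe\xfd"       # ProtocolVersion {254, 253} = DTLS 1.2
HDR_LEN = 12               # msg_type(1) length(3) message_seq(2) frag_off(3) frag_len(3)


def build_hello_verify_request(cookie: bytes, message_seq: int = 0) -> bytes:
    """Encode a HelloVerifyRequest; used here only to construct sample input."""
    if len(cookie) > 255:  # opaque cookie<0..2^8-1>
        raise ValueError("cookie longer than the protocol allows")
    body = DTLS12 + bytes([len(cookie)]) + cookie
    return (bytes([HELLO_VERIFY_REQUEST]) + len(body).to_bytes(3, "big")
            + message_seq.to_bytes(2, "big") + bytes(3) + len(body).to_bytes(3, "big")
            + body)


def parse_hello_verify_request(msg: bytes) -> bytes:
    """Return the cookie, raising ValueError whenever a length field disagrees with the bytes received."""
    if len(msg) < HDR_LEN:
        raise ValueError("handshake header truncated")
    if msg[0] != HELLO_VERIFY_REQUEST:
        raise ValueError(f"unexpected handshake type {msg[0]}")
    length = int.from_bytes(msg[1:4], "big")
    frag_off = int.from_bytes(msg[6:9], "big")
    frag_len = int.from_bytes(msg[9:12], "big")
    body = msg[HDR_LEN:]
    # Whole message must be present, unfragmented and exactly as long as declared.
    if frag_off != 0 or frag_len != length or len(body) != length:
        raise ValueError("declared lengths do not match the bytes received")
    if length < 3 or body[:2] != DTLS12:
        raise ValueError("body too short or unsupported server_version")
    cookie_len = body[2]
    # The peer controls this byte: bound it against the bytes present BEFORE copying.
    if 3 + cookie_len != length:
        raise ValueError("cookie length field disagrees with body length")
    return bytes(body[3:3 + cookie_len])


def demo() -> tuple:
    """Well-formed input parses; a cookie length field that overstates the cookie is rejected."""
    cookie = bytes(range(16))                          # constructed 16-byte cookie
    good = parse_hello_verify_request(build_hello_verify_request(cookie)) == cookie
    forged = bytearray(build_hello_verify_request(cookie))
    forged[HDR_LEN + 2] = 200                          # claims 200 cookie bytes, only 16 present
    try:
        parse_hello_verify_request(bytes(forged))
        rejected = False
    except ValueError:
        rejected = True
    return good, rejected                              # (True, True)
```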

CVE-2024-27307: Not only machine learning; other systems should stay alert too, because z/OS Connect Designer uses JSONata, an open source expression language for querying and transforming JSON data. (7th Mar 2024)

Preface: What is declarative machine learning? Declarative machine learning enables users to specify what they want, and let the software figure out how to do it. Declarative ML is similar to AutoML tools that also make default selections and automate part or all of the ML lifecycle.

Background: JSONata is a JSON query and transformation language that is inspired by the location path semantics of XPath 3.1. XPath 3.1 is an expression language that allows the processing of values conforming to the data model defined in [XQuery and XPath Data Model (XDM) 3.1].

The JSONata reference is implemented in JavaScript and ships via NPM. There are also implementations available in Rust, Go, Java, Python, and .NET, some of which use JavaScript interpreters to ensure compatibility.

Vulnerability details: JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the `Object` constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions.

Remedy: This issue has been fixed in JSONata versions 1.8.7 and 2.0.4. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. As a workaround, one may apply the patch manually.

Official announcement: Please refer to the link for details https://nvd.nist.gov/vuln/detail/CVE-2024-27307

Android has released vulnerability information about CVE-2024-0039, but with limited details. Let’s take a closer look to see whether we can dig out more. (6th Mar 2024)

Preface: Android devices that act as both peripheral and central devices can communicate with other BLE peripherals while sending advertisements in peripheral mode. Devices supporting Bluetooth 4.1 and earlier can only use BLE in central mode. Older device chipsets may not support BLE peripheral mode.

Background: A BLE device sends out a repetitive packet of information over one of three channels with random delays of up to 10 milliseconds. The repetition period between each packet of information is called the ‘advertising interval’.

For Bluetooth 4.0, the BLE Radio is capable of transmitting 1 symbol per microsecond and one bit of data can be encoded in each symbol. This gives a raw radio bitrate of 1 Megabit per second (Mbps).

Vulnerability details: Fix an OOB write bug in “attp_build_value_cmd”.

Official announcement: Please refer to the link for details https://source.android.com/docs/security/bulletin/2024-03-01