All posts by admin

In the Linux kernel, CVE-2024-26921 vulnerability has been resolved. openvswitch is safe again. (19th Apr 2024)

Preface: Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.  It is designed to enable massive network automation through programmatic extension, while still supporting standard management interfaces and protocols (e.g. NetFlow, sFlow, IPFIX, RSPAN, CLI, LACP, 802.1ag).  In addition, it is designed to support distribution across multiple physical servers similar to VMware’s vNetwork distributed vswitch or Cisco’s Nexus 1000V.

Background: The buffers used by the kernel to manage network packets are referred to as sk_buffs in Linux. The buffers are always allocated as at least two separate components: a fixed size header of type struct sk_buff; and a variable length area large enough to hold all or part of the data of a single packet.

Vulnerability details: The vulnerability details involve 4 key files. The explanation may refer to CVE details. Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-26921

Security Focus: A relevant old patch about the issue was : 8282f27449bf (“inet: frag: Always orphan skbs inside ip_defrag()”) [..] net/ipv4/ip_output[.]c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used.

TX: skb->sk might have been passed as argument to dst->output and must remain valid until tx completes. Move sk to reassembled skb and fix up wmem accounting.

CVE-2024-31580 – PyTorch before v2.2.0 contain a heap buffer overflow vulnerability (18th Apr 2024)

Preface: Using the C++ new operator, we can allocate memory at the runtime. The new operator in C++ is used for the dynamic memory allocation; It is used to allocate the memory at runtime on heap memory.

Background: PyTorch is a deep learning framework open sourced by Facebook in early 2017. It is built on Torch and is advertised as Python First. It is tailor-made for the Python language. PyTorch is unique in that it fully supports GPUs and uses reverse-mode automatic differentiation technology, so the computational graph can be modified dynamically. This makes it a popular choice for rapid experimentation and prototyping.

Vulnerability details: PyTorch before v2.2.0 was discovered to contain a heap buffer overflow vulnerability in the component /runtime/vararg_functions.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-31580

CVE-2024-27086: MSAL.NET applications susceptible to local denial of service in authentication flows (17th April 2024)

Preface: Upgrade from Xamarin to [.]NET, Microsoft support for Xamarin will end on May 1, 2024 for all Xamarin SDKs including Xamarin.Forms.

Background: The Microsoft Authentication Library (MSAL) enables developers to acquire security tokens from the Microsoft identity platform to authenticate users and access secured web APIs. It can be used to provide secure access to Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API.

-Xamarin is an open-source platform for building modern and performant applications for iOS, Android, and Windows with [.] NET. Xamarin is an abstraction layer that manages communication of shared code with underlying platform code.

-NET Multi-platform App UI (. NET MAUI) apps can be written for the following platforms: Android 5.0 (API 21) or higher is required. iOS 11 or higher is required.

Vulnerability details: The MSAL library enabled acquisition of security tokens to call protected APIs. MSAL[.}NET applications targeting Xamarin Android and [.]NET Android (e.g., MAUI) using the library from versions 4.48.0 to 4.60.0 are impacted by a low severity vulnerability. A malicious application running on a customer Android device can cause local denial of service against applications that were built using MSAL[.]NET for authentication on the same device (i.e., prevent the user of the legitimate application from logging in) due to incorrect activity export configuration.

Solution: MSAL[.]NET version 4.60.1 includes the fix.

Workaround: developer may explicitly mark the MSAL[.]NET activity non-exported.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-27086

CVE-2024-3092: DevOps deploy GitLab staying alert! (16-04-2024)

Original article published 5 days ago (April 11, 2024)

Preface: Considering the difference in security points of GitHub and GitLab, GitLab is more secure than GitHub, while GitHub is less secure because it does not have authorization compliance. Another difference between GitLab and GitHub is that GitLab is a cloud-native application while GitHub is used for sharing work in public. If you are on a private project, GitLab is a better fit since it provides more robust tools for private repositories and a higher level of control over user access.

Background: Diff Viewers, which can be found on models/diff_viewer/* are classes used to map metadata about each type of Diff File. It has information whether it’s a binary, which partial should be used to render it or which File extensions this class accounts for.

Vulnerability details: An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. A payload may lead to a Stored XSS while using the diff viewer, allowing attackers to perform arbitrary actions on behalf of victims.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-3092

CVE-2024-24862: In function pci1xxxx_spi_probe, there is a potential null pointer weakness found. (15-04-2024)

Preface: Ref: ENOMEM – no memory can be allocated by a function in the library. Note that malloc, calloc, and realloc do not set errno to ENOMEM on failure, but other library routines (the remedy display on diagram) may set errno to ENOMEM when memory allocation fails.

Technical reference: What is the function of probe in kernel driver?

The probe() entry is called in task context, with the bus’s rwsem locked and the driver partially bound to the device. Drivers commonly use container_of() to convert “dev” to a bus-specific type, both in probe() and other routines. That type often provides device resource data, such as pci_dev.

Vulnerability details: In function pci1xxxx_spi_probe, there is a potential null pointer that may be caused by a failed memory allocation by the function devm_kzalloc. Hence, a null pointer check needs to be added to prevent null pointer dereferencing later in the code. To fix this issue, spi_bus->spi_int[iter] should be checked. The memory allocated by devm_kzalloc will be automatically released, so just directly return -ENOMEM without worrying about memory leaks.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-24862

In the Linux kernel, the vulnerability (CVE-2024-26817) has been resolved (14-April-2024)

Preface: AMD already uses APUs in a variety of retail chips under the Ryzen and Threadripper brandings, such as “Opteron” server chips, as well as mobile and ultramobile chips designed for laptops and other low-power devices.

Background: As of 2022, AMD Kernel Fusion Driver (KFD) is now integrated in this one kernel module. AMD KFD development at AMD is part of ROCm, under the ROCk project.

ROCm is an Advanced Micro Devices (AMD) software stack for graphics processing unit (GPU) programming. ROCm spans several domains: general-purpose computing on graphics processing units (GPGPU), high performance computing (HPC), heterogeneous computing. It offers several programming models: HIP (GPU-kernel-based programming), OpenMP/Message Passing Interface (MPI) (directive-based programming), and OpenCL.

The calloc() function allocates memory and initializes all bits to zero.

kcalloc — allocate memory for an array. The memory is set to zero.

Vulnerability details: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-26817

CVE-2024-31861: Improper Control of Generation of Code (Code Injection) vulnerability in Apache Zeppelin. (12-April-2024)

Preface: Training is the most important step in machine learning. In training, you pass the prepared data to your machine learning model to find patterns and make predictions. It results in the model learning from the data so that it can accomplish the task set.

Background: What is Apache Zeppelin? Apache Zeppelin is an open-source, web-based notebook that enables data visualization, data exploration, and collaborative data analytics. Apache Zeppelin interpreter supports several language backends, including Apache Spark, Python, R, JDBC, Apache Flink, Markdown, and Shell.

By integrating submarine in zeppelin, we use zeppelin’s data discovery, data analysis and data visualization and collaboration capabilities to visualize the results of algorithm development and parameter adjustment during machine learning model training.

Vulnerability details: Improper Control of Generation of Code (‘Code Injection’) vulnerability in Apache Zeppelin. The attackers can use Shell interpreter as a code generation gateway, and execute the generated code as a normal way. This issue affects Apache Zeppelin: from 0.10.1 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which doesn’t have Shell interpreter by default.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-31861

Why does Arm not affected by CVE-2024-2201? (11-Apr-2024)

Preface: I believed that similar type of design weakness known last year by Arm (Feb 2023). May be it fixed it already.

Background: Linux kernel on Intel systems is susceptible to Spectre v2 attacks. CVE-2022-0001 explained Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. On 9th April, 2024 Dr. Elke Drennan published an article focus an attacker with access to CPU resources may be able to read arbitrary privileged data or system registry values by speculatively jumping to a chosen gadget. When you read the details, you will find that AMD and ARM are not affected. Why?

Vulnerability details: An attacker with access to CPU resources may be able to read arbitrary privileged data or system registry values by speculatively jumping to a chosen gadget.

Solution: Please update your software according to the recommendations from respective vendors with the latest mitigations available to address this vulnerability and its variants.

Official announcement: Please refer to the link for details- https://www.kb.cert.org/vuls/id/155143

When Intel met Heckle – hypervisor’s interrupt injection behavior on Intel TDX  (10th April 2024)

Technical report shared by ETH Zurich on 4th April 2024: Please refer to the link for details – https://arxiv.org/html/2404.03387v1

Background: Intel CPU’s inbuilt TDX Module provides an interface for the hypervisor to manage VMs indirectly and offers new instructions, VMLAUNCH-VMX and VMRESUME, for starting and resuming a VM. Instead of keeping track of the owner for each memory page on a system wide basis, TDX relies on keeping one shared extended page table for the hypervisor and multiple private extended page tables for each virtual machine (called TD by Intel).

Reference: int means interrupt, and the number 0x80 is the interrupt number. An interrupt transfers the program flow to whomever is handling that interrupt, which is interrupt 0x80 in this case. In Linux, 0x80 interrupt handler is the kernel, and is used to make system calls to the kernel by other programs.

The kernel is notified about which system call the program wants to make, by examining the value in the register %eax (AT&T syntax, and EAX in Intel syntax). Each system call have different requirements about the use of the other registers. For example, a value of 1 in %eax means a system call of exit(), and the value in %ebx holds the value of the status code for exit().

Vulnerability details: The test implement a kernel module in 150 LoC to inject interrupts into the TDX VM. Our host module uses kernel hooks to call a function in KVM that is used to deliver int 0x80 interrupts to TDX VMs. Unlike SEV-SNP, TDX does not expose the Virtual Machine Control Structure (VMCS) or the virtual APIC pages to the untrusted hypervisor. Instead, it expects the hypervisor to write into a Posted Interrupt Request (PIR) buffer. This buffer is used by hardware to inject interrupts into TDX VMs through the virtual APIC [34]. We inject two interrupts into two different cores of the CVM with this mechanism, one to gain login into the TDX VM with OpenSSH and another to get root access with sudo. During these two injects, the guest kernel does not acknowledge the interrupts. While this does not stop our attacks, it does leave the APIC with an elevated Task-Priority-Register (TPR), blocking all lower-priority interrupts on the affected vCPU. This may break CVM functionality that is noticeable by the user. To evade such detection, we implement a guest kernel module (kern_ack) that resets the APIC state. We inject this kernel module into the TDX VM as the last part of our attack after gaining root access.

AMD response to technical article (Heckler – Disrupting AMD SEV-SNP with interrupts) (9th Apr 2024)

Preface: AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) is a feature of AMD EPYC processors that adds strong memory integrity protection to help prevent malicious hypervisor-based attacks in order to create an isolated execution environment.

Background: Fundamentally, int means interrupt, and the number 0x80is the interrupt number. An interrupt transfers the program flow to whomever is handling that interrupt, which is interrupt 0x80 in this case. In Linux, 0x80 interrupt handler is the kernel, and is used to make system calls to the kernel by other programs.

In current Linux, 32-bit syscalls (including int 0x80 from 64-bit) eventually end up indo_syscall_32_irqs_on(struct pt_regs *regs). It dispatches to a function pointer ia32_sys_call_table, with 6 zero-extended args. This maybe avoids needing a wrapper around the 64-bit native syscall function in more cases to preserve that behaviour, so more of the ia32 table entries can be the native system call implementation directly.

Vulnerability details: Researchers from ETH Zurich have shared with AMD a paper titled “Heckler: Disrupting AMD SEV-SNP with Interrupts.”

In their paper, the researchers report that a malicious hypervisor can potentially break confidentiality and integrity of Linux® SEV-SNP guests by injecting interrupts. 

Official announcement: Please refer to the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html