All posts by admin

Containerd 1.5.9 has been released to fix CVE-2021-43816 (5th Jan, 2022)

Preface: A Pod represents a single instance of a running process in your cluster. Pods contain one or more containers, such as Docker containers. When a Pod runs multiple containers, the containers are managed as a single entity and share the Pod’s resources.

Background: Containerd was designed to be used by Docker and Kubernetes, as well as by any other container platform that wants to abstract away syscalls or OS-specific functionality to run containers on Linux, Windows, Solaris, or other operating systems. Kubernetes is removing support for Docker as a container runtime. Kubernetes does not actually handle the process of running containers on a machine; instead, it relies on another piece of software called a container runtime. The cri plugin is containerd's implementation of the Kubernetes container runtime interface (CRI). With it, you can run Kubernetes using containerd as the container runtime.

Vulnerability details: On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via a hostPath volume, any privileged regular file on disk for complete read/write access (sans delete). This is achieved by placing the in-container location of the hostPath volume mount at `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are relabeled indiscriminately to match the container process label, which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files.

Additional: Simple conceptual diagram attached.

Remediation: This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.

Reference: https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c
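As a defender-side check added here (my code, not containerd's or Kubernetes' own), the following Go program reads a Pod manifest in JSON form and flags every hostPath volume mounted at one of the three relabeled paths, in init containers as well as regular containers; the field view and the output format are my own choices.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal view of the Pod fields the check needs; encoding/json matches the
// manifest's camelCase keys to these field names case-insensitively.
type container struct {
	Name         string
	VolumeMounts []struct{ Name, MountPath string }
}

type pod struct {
	Spec struct {
		Volumes []struct {
			Name     string
			HostPath map[string]string // nil unless the volume is a hostPath volume
		}
		InitContainers, Containers []container
	}
}

// In-container paths that the affected containerd versions relabel to the container's process label.
var relabeledPaths = map[string]bool{"/etc/hosts": true, "/etc/hostname": true, "/etc/resolv.conf": true}

// FindRelabeledHostPathMounts returns "<container>:<mountPath> <- <node path>" for every
// hostPath volume mounted at one of those paths, in init containers or containers.
func FindRelabeledHostPathMounts(manifest []byte) (findings []string, err error) {
	var p pod
	if err = json.Unmarshal(manifest, &p); err != nil {
		return nil, err
	}
	nodePath := map[string]string{} // volume name -> path on the node
	for _, v := range p.Spec.Volumes {
		if path, ok := v.HostPath["path"]; ok { // lookup on a nil map is simply ok=false
			nodePath[v.Name] = path
		}
	}
	for _, c := range append(append([]container{}, p.Spec.InitContainers...), p.Spec.Containers...) {
		for _, m := range c.VolumeMounts {
			if np, ok := nodePath[m.Name]; ok && relabeledPaths[m.MountPath] {
				findings = append(findings, fmt.Sprintf("%s:%s <- %s", c.Name, m.MountPath, np))
			}
		}
	}
	return findings, nil
}
```

The same rule can be expressed in an admission policy; until every node runs 1.5.9, this is the manifest pattern to reject.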

CVE-2021-22045 – VMware ESXi, VMware Workstation and VMware Fusion contain a heap-overflow vulnerability in CD-ROM device emulation (4th Jan 2022)

Preface: You cannot connect to a virtual machine's CD/DVD-ROM device with the Administrator role. By default, the Administrator role does not have permission to access a virtual machine's CD/DVD-ROM device.

Background: Most of the files stored on a VMFS volume are large files – virtual disk files, swap files, installation image files. VMFS operates on disks attached to ESXi servers but not on computers running VMware Workstation or VMware Player. VMFS 6 was released in vSphere 6.5 and is used in vSphere 6.7, vSphere 7.0, and newer versions such as vSphere 7.0 Update 3.

Vulnerability details: VMware ESXi (7.0, 6.7 before ESXi670-202111101-SG and 6.5 before ESXi650-202110101-SG), VMware Workstation (16.2.0) and VMware Fusion (12.2.0) contain a heap-overflow vulnerability in CD-ROM device emulation. A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine.

VMware has released a security advisory for ESXi hosts. Remedies for ESXi 6.5 and 6.7 are ready; for 7.0, however, only a workaround is provided. For more details, please refer to the link – https://kb.vmware.com/s/article/87249

Official announcement: https://www.vmware.com/security/advisories/VMSA-2022-0001.html

Additional: Because the supplier wants to keep it confidential, the details have not been announced yet. My observations on this vulnerability are drawn in the attached drawings.

CVE-2021-1918 : Improper handling of resource allocation in virtual machines can lead to information exposure in Snapdragon. NVD Published Date 3rd JAN, 2022

Preface: Customers were notified of this specific vulnerability (CVE-2021-1918) on 06/07/2021, but the vendor security advisory was released on 6th December, 2022, and US-CERT finally released the details on 3rd Jan, 2021. From the point of view of a researcher or end user, that is not an issue.

Background: Snapdragon is a suite of system on a chip (SoC) semiconductor products for mobile devices designed and marketed by Qualcomm Technologies Inc. The Snapdragon’s central processing unit (CPU) uses the ARM architecture. In Snapdragon SoCs, three components are used to provide access control: Virtual Master ID Mapping Table (VMIDMT), External Protection Unit (XPU), and System Memory Management Unit (SMMU). VMIDMT and XPU work together. The SMMU is a hardware component that performs address translation and access control for bus initiators outside of the CPU.

Vulnerability details: Certain versions of Snapdragon Consumer IOT, Snapdragon Industrial IOT and Snapdragon Mobile from Qualcomm Inc. contain the following vulnerability:
Improper handling of resource allocation in virtual machines can lead to information exposure in Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile.

My observation: The vendor has not provided technical details. Given the Snapdragon design, a well-known attack surface is the SMMU. For the possible details of a cyber attack, please refer to the attached diagram.

Vendor announcement: Additional vulnerabilities were also released by the vendor in December 2021. Please refer to the link for details – https://www.qualcomm.com/company/product-security/bulletins/december-2021-bulletin#_cve-2021-1918

Go programming language design limitation – CVE-2021-44717 (NVD Published Date 1st Jan 2022)

Preface: Golang is useful for carrying out programming for scalable servers and large software systems. The Golang programming language was built to fill in the gaps of C++ and Java that Google came across while working with its servers and distributed systems.

Not limited to Google: well-known cloud businesses and projects such as Dropbox, Terraform, Kubernetes, and Docker also develop applications in the Go programming language.

As a language, Go is most similar to C; in addition to C's features, however, Go offers memory safety, garbage collection, structural typing, and CSP-style concurrency.

Background: The syscall package has a function, `func ForkExec(argv0 string, argv []string, attr *ProcAttr) (pid int, err error)`, that forks and execs a given process with the given arguments and an additional ProcAttr in which you can define the environment and open files. It handles most of the details, even user/group namespaces.

Vulnerability details: There is a flaw in Go's `syscall.ForkExec()` interface. An attacker who manages first to cause file descriptor exhaustion in the process, and then to cause `syscall.ForkExec()` to be called repeatedly, could compromise data integrity and/or confidentiality in a somewhat uncontrolled way in programs linked with and using `syscall.ForkExec()`.

Reference: Fedora has released a security update for golang to fix the vulnerability (affected OS: Fedora 35) – https://bodhi.fedoraproject.org/updates/FEDORA-2021-29943703de
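To verify the fix on the toolchain you actually ship with, here is an added regression check (my code, not Go's own test suite): in affected versions the failure path of `syscall.ForkExec()` closed fd 0 after the descriptor table was full, so the check drives the call at the limit and reports whether fd 0 survived. It assumes Linux, an executable at `/bin/true`, and a soft RLIMIT_NOFILE that may be lowered to 32.

```go
package main

import (
	"fmt"
	"syscall"
	"time"
)

// CheckForkExecUnderFdExhaustion lowers the soft RLIMIT_NOFILE, fills the
// descriptor table with /dev/null, calls syscall.ForkExec and then checks fd 0.
// forkErr is the ForkExec error (EMFILE expected: its status pipe cannot be
// created), fd0Open reports whether fd 0 is still open, err is a setup failure.
func CheckForkExecUnderFdExhaustion() (forkErr error, fd0Open bool, err error) {
	time.AfterFunc(time.Minute, func() {}).Stop() // make sure the runtime poller fd already exists
	var saved syscall.Rlimit
	if err = syscall.Getrlimit(syscall.RLIMIT_NOFILE, &saved); err != nil {
		return
	}
	low := saved
	low.Cur = 32 // lowering the soft limit needs no privilege
	if err = syscall.Setrlimit(syscall.RLIMIT_NOFILE, &low); err != nil {
		return
	}
	defer func() { syscall.Setrlimit(syscall.RLIMIT_NOFILE, &saved) }()
	var fds []int
	defer func() { // free the table again; runs before the limit is restored
		for _, fd := range fds {
			syscall.Close(fd)
		}
	}()
	for len(fds) < 4096 { // bounded; normally stops at EMFILE after a few dozen opens
		fd, openErr := syscall.Open("/dev/null", syscall.O_RDONLY, 0)
		if openErr == syscall.EMFILE {
			break
		} else if openErr != nil {
			return nil, false, fmt.Errorf("unexpected open error: %w", openErr)
		}
		fds = append(fds, fd)
	}
	pid, forkErr := syscall.ForkExec("/bin/true", []string{"true"}, nil)
	if forkErr == nil { // should not happen at the limit; reap the child if it does
		syscall.Wait4(pid, nil, 0, nil)
	}
	var st syscall.Stat_t
	fd0Open = syscall.Fstat(0, &st) == nil // a fixed toolchain leaves stdin untouched
	return forkErr, fd0Open, nil
}
```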

About CVE-2021-43876 Microsoft SharePoint Elevation of Privilege Vulnerability NVD Published – 29-12-2021

Preface: Perhaps SharePoint users share my feeling: SharePoint user permissions are already complicated, and the details of this vulnerability feel just as complex!

Background: CVE-2021-43976 was published on 30th Dec, 2021, although Microsoft had released the vulnerability details on 16th Nov, 2021. The official write-up does not describe the vulnerability in detail, but it does give hints: CVE-2021-43976 covers multiple vulnerabilities in the SharePoint products, and CVE-2021-42309 serves as a guide to what is going on.

Vulnerability details: CVE-2021-43976 – Certain versions of Microsoft SharePoint Enterprise Server from Microsoft contain the following vulnerability: Microsoft SharePoint Elevation of Privilege Vulnerability. Because Microsoft did not provide technical details, I believe the specific CVE record is similar to the following scenario.

The vulnerability allows a user to elevate and execute code in the context of the service account. An attacker would need “Manage Lists” permissions on a SharePoint site, but by default, any authorized user can create their own new site where they have full permissions. This bug allows an attacker to bypass the restriction against running arbitrary server-side web controls. This is similar to the previously patched CVE-2021-28474.

Additional information: For a successful attack, the attacker needs SPBasePermissions.ManageLists permissions for a SharePoint site. By default, authenticated SharePoint users can create sites/subsites and will have all necessary permissions.

Official announcement: For details, please refer to the link – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-43876

Happy new year and good luck. Bye, 2021.

Apache status updates – 29th Dec 2021

Preface: Traditionally, a service account is installed on the web server side, since the server needs to connect to the DB server and update data in the database.

Background: The Apache Log4j vulnerability is widespread in the digital world, and the industrial sector is also affected by this design flaw. The industrial manufacturer Siemens published a security advisory stating that the Apache Log4j vulnerability (CVE-2021-44832), in combination with use of the JDBC Appender, might impact its customers. The announcement is shown in the link below.

https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf

This advisory informs about the impact of CVE-2021-44832 to Siemens products and the corresponding remediation and mitigation measures. The vulnerability is different from other JNDI lookup vulnerabilities, the impact of which is documented in SSA-661247 [2]. The announcement is shown in the link below.

https://cert-portal.siemens.com/productcert/txt/ssa-661247.txt

CVE-2021-44832 – Vulnerability details: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.

For an attacker to exploit this vulnerability, the following requirement must be met.

The JDBC Appender configured with a DataSource requires JNDI support, so as of release 2.17.1 this appender will not function unless `log4j2.enableJndiJdbc=true` is configured as a system property or environment variable.

Remedy: This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. The announcement is shown in the link below.

https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16
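To audit existing configurations for the pattern the advisory describes, this added Go example (not part of Log4j or of the Siemens advisory) parses a Log4j2 XML configuration and reports JDBC appenders whose DataSource jndiName uses any URI scheme other than java, the same rule the fixed releases enforce on lookup; the element matching and the output format are my own.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// node is a generic view of one element of a Log4j2 XML configuration.
type node struct {
	XMLName xml.Name
	Attrs   []xml.Attr `xml:",any,attr"`
	Nodes   []node     `xml:",any"`
}

func (n node) attr(name string) string { // attribute by name, case-insensitive like Log4j2
	for _, a := range n.Attrs {
		if strings.EqualFold(a.Name.Local, name) {
			return a.Value
		}
	}
	return ""
}

// unsafeJndi: the name carries a URI scheme other than java (scheme-less names such as "jdbc/Logging" stay allowed, as in the fixed releases).
func unsafeJndi(name string) bool {
	i := strings.IndexAny(name, ":/") // a scheme ends at a ':' that precedes any '/'
	return i >= 0 && name[i] == ':' && !strings.EqualFold(name[:i], "java")
}

// collect appends "<appender name>: <jndiName>" for every <JDBC> appender whose
// DataSource jndiName is unsafe, then recurses into the children.
func collect(n node, out []string) []string {
	isJdbc := strings.EqualFold(n.XMLName.Local, "JDBC")
	for _, c := range n.Nodes {
		if isJdbc && strings.EqualFold(c.XMLName.Local, "DataSource") && unsafeJndi(c.attr("jndiName")) {
			out = append(out, fmt.Sprintf("%s: %s", n.attr("name"), c.attr("jndiName")))
		}
		out = collect(c, out)
	}
	return out
}

func FindUnsafeJdbcDataSources(config []byte) ([]string, error) {
	var root node
	if err := xml.Unmarshal(config, &root); err != nil {
		return nil, err
	}
	return collect(root, nil), nil
}
```

Only the `<JDBC>` element form is matched; the strict `<Appender type="JDBC">` form would need the same check keyed on the type attribute.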

About CVE-2021-43858 (27th Dec, 2021)

Preface: The main advantage of object storage is that you can group devices into large storage pools, and distribute those pools across multiple locations.

Background: Object storage is a technology that manages data as objects. All data is stored in one large repository which may be distributed across multiple physical storage devices, instead of being divided into files or folders. An “object” includes the data itself, some metadata, and a unique identifier. This data can be immediately accessed through APIs or http/https. In this way, the object storage safeguards the data. This data can also be replicated to multiple datacenters if needed.

MinIO offers high-performance, S3 compatible object storage. Native to Kubernetes, MinIO is the only object storage suite available on every public cloud, every Kubernetes distribution, the private cloud and the edge. MinIO is software-defined and is 100% open source under GNU AGPL v3.

Vulnerability details: The user create API endpoint was accepting a policy field. This API is used to update a user's secret key and account status, and allows a regular user to update their own secret key. The policy update was also applied, though it does not appear to be used by any existing client-side functionality.

Workaround: Changing passwords can be disabled as a workaround for this issue by adding an explicit "Deny" rule to disable the API for users.

Remedy: Users are advised to upgrade to RELEASE.2021-12-27T07-23-18Z – https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z

About CVE-2021-23175 on NVIDIA GeForce Experience (21-12-2021)

Preface: When a gamer's PC is compromised by an attacker, the risk is not limited to the local PC itself; from a technical point of view, the victim machine can be turned into a weapon against other peers.

Background: GeForce Experience is the companion application to your GeForce graphics card. It keeps your drivers up to date, automatically optimizes your game settings, and lets you share your gaming moments with friends. GeForce Experience makes it easy to live broadcast gameplay from your entire PC library using the live streaming service of your choice. GeForce Experience supports live broadcasting with Facebook Live, YouTube Live, and Twitch.

GameStream gives you the power to access your favorite games from your GeForce® GTX-powered PC on your SHIELD TV or SHIELD Tablet. Jump directly into Steam® Big Picture mode from the Steam app on SHIELD.

Vulnerability details: The vulnerability allows a local user to escalate privileges on the system. The flaw exists due to improper access restrictions: GameStream does not correctly apply individual user access controls for users on the same device. A local user can run a specially crafted program to escalate privileges on the system, which, with user intervention, may lead to escalation of privileges, information disclosure, data tampering, and denial of service.

Official announcement: https://nvidia.custhelp.com/app/answers/detail/a_id/5295

CVE-2021-39306 – A stack buffer overflow was discovered on Realtek RTL8195AM device before 2.0.10 (22nd Dec, 2021)

Preface: In 2021 there are more than 10 billion active IoT devices. WiFi connectivity is an essential part of an IoT device; it cannot lack this feature.

Background: The Realtek RTL8195AM is a highly integrated single-chip with a low-power-consumption mechanism ideal for IoT (Internet of Things) applications. It combines an ARM® Cortex™-M3 MCU, WLAN MAC, a 1T1R capable WLAN baseband/RF and NFC in a single chip. It provides useful high-speed connectivity interfaces, such as USB 2.0 host, USB 2.0 device, SDMMC HS, SDIO device, and Ethernet MII/RMII interfaces.

To get started with using MQTT, you can follow the basic example guide here for the RTL8195 development board. This example uses the MQTT protocol to allow for control of an LED over the internet. Source code for the example can be found at AmebaIoT’s GitHub repository.

Vulnerability details: A stack buffer overflow was discovered on Realtek RTL8195AM devices before 2.0.10; it exists in the client code when an attacker sends an oversized Authentication challenge text in WEP security.

Official announcement: https://www.amebaiot.com/en/security_bulletin/cve-2021-39306/

Reference 1: In Shared Key authentication, the WEP key is used for authentication in a four-step challenge-response handshake:

1. The client sends an authentication request to the Access Point.
2. The Access Point replies with a clear-text challenge.
3. The client encrypts the challenge text using the configured WEP key and sends it back in another authentication request.
4. The Access Point decrypts the response. If this matches the challenge text, the Access Point sends back a positive reply.

Reference 2: The access point responds by generating a sequence of characters called a challenge text for the computer. The computer encrypts the challenge text with its WEP key and transmits the "message" back to the access point.
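As an added example (my code, not the vendor's firmware), the following Go parser handles the second message of the handshake described above: it locates the Challenge Text element in an Authentication frame body and copies it only after the element length has been checked against the 128 octets that shared-key authentication uses. The fixed 128-byte buffer in AuthState is an assumption standing in for the client-side buffer, whose real size is not published.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	challengeTextID  = 16  // Element ID of the Challenge Text element
	challengeTextLen = 128 // octets carried in shared-key authentication
)

// AuthState stands in for the client's fixed-size buffer (assumed size; the
// firmware's own buffer size is not published).
type AuthState struct {
	Challenge [challengeTextLen]byte
	N         int // bytes of challenge text actually stored
}

var errMalformed = errors.New("malformed authentication frame")

// ParseSharedKeyChallenge parses an Authentication frame body (algorithm,
// sequence, status, then elements) and copies the challenge text only after
// checking the element's length; copying the sender-chosen length straight
// into the fixed buffer is the overflow pattern CVE-2021-39306 describes.
func ParseSharedKeyChallenge(body []byte, st *AuthState) error {
	if len(body) < 6 {
		return errMalformed
	}
	alg, seq, status := binary.LittleEndian.Uint16(body[0:]), binary.LittleEndian.Uint16(body[2:]), binary.LittleEndian.Uint16(body[4:])
	if alg != 1 || seq != 2 || status != 0 { // shared key, second message, success
		return fmt.Errorf("not a shared-key challenge (alg=%d seq=%d status=%d)", alg, seq, status)
	}
	for elems := body[6:]; len(elems) >= 2; {
		id, l := elems[0], int(elems[1])
		if 2+l > len(elems) {
			return errMalformed // element length runs past the frame
		}
		if id == challengeTextID {
			if l != challengeTextLen { // also rejects anything larger than the buffer
				return fmt.Errorf("challenge text length %d, expected %d", l, challengeTextLen)
			}
			st.N = copy(st.Challenge[:], elems[2:2+l])
			return nil
		}
		elems = elems[2+l:]
	}
	return errors.New("no challenge text element")
}
```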