All posts by admin

Are you worried when jerryscript has vulnerabilities? (24th Jan, 2022)

Preface: Samsung Electronics started development of IoT.js in 2015, a platform for IoT applications written in JavaScript, together with JerryScript, a JavaScript engine for small embedded devices.

Background: JerryScript is an ultra-lightweight JavaScript engine for the Internet of Things. It is capable of executing ECMAScript 5.1 source code on devices with less than 64 KB of memory. The JerryScript engine can be embedded into any application, providing a way to run JavaScript in a wide range of environments, from desktops to low-memory microcontrollers.

Ref: IoT devices come with severe constraints in terms of CPU performance and memory footprint. Because of that, Samsung designed the JerryScript engine to run in less than 64 KB of RAM, and the entire code fits in less than 200 KB of ROM.

Vulnerability details: CVE-2022-22895 – The following vulnerability was found:
Jerryscript 3.0.0 was discovered to contain a heap-buffer-overflow via ecma_utf8_string_to_number_by_radix in /jerry-core/ecma/base/ecma-helpers-conversion[.]c.

Why are we interested in CVE-2022-22893? Here’s why:

The stack is a linear data structure, whereas the heap is a hierarchical data structure. Stack memory never becomes fragmented, whereas heap memory can become fragmented as blocks of memory are first allocated and then freed. The stack holds local variables only, while the heap allows variables to be accessed globally.

See whether the attached diagram gives you a quick idea of the vulnerability. Other vulnerabilities were also found in JerryScript; see below for details:

CVE-2022-22894 – The following vulnerability was found:
Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_lcache_lookup in /jerry-core/ecma/base/ecma-lcache[.]c.

CVE-2022-22893 – The following vulnerability was found:
Jerryscript 3.0.0 was discovered to contain a stack overflow via vm_loop.lto_priv.304 in /jerry-core/vm/vm[.]c.

CVE-2022-22891 – The following vulnerability was found:
Jerryscript 3.0.0 was discovered to contain a SEGV vulnerability via ecma_ref_object_inline in /jerry-core/ecma/base/ecma-gc[.]c.

Remedy: Please refer to GitHub.

Get rid of crafted Modbus traffic that bothers your defense mechanism – 21st JAN 2022

Preface: Le Rouge et le Noir: someone who is not a bad guy is not automatically a good guy. If the vulnerability is due to an integer overflow when handling Modbus traffic, is it an early warning?

Background: The reason Modbus was so successful was the fact that it could be so readily understood by non-programmers. Engineers who built glue machines, meters, measuring devices, and such could easily understand the concept of coils/registers and the simple commands to read and write them.

About cyber attacks: Modbus over serial is immune to any common malware attack. But which methods increase the risk of attacks on a Modbus network? See below:

I. MODBUS over TCP means a MODBUS RTU packet wrapped in a TCP packet.
II. MODBUS TCP means a MODBUS TCP packet wrapped in a TCP packet.

A common view is that the Modbus driver itself might be vulnerable to attack. However, the two TCP transport methods above also increase the opportunities for attack. For instance, an attacker could send crafted Modbus traffic at an IDS (the IDS device that is meant to protect the back-end HMI, PLC and SCADA infrastructure). If the implementation decodes a message type incorrectly, it exposes a buffer overrun, which is equivalent to a denial of service.

One possible way to enhance validation in the related IDS modules is the following:

  1. Check the CRC, and if it isn’t correct, ignore the request.
  2. Check the validity of the data based on the function code.
  3. Do not support broadcast requests.
  4. Add bytes to the expected request size (2 x Index, 2 x Count).
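
As an added worked example (not from this post and not any vendor's IDS code), the four checks above applied to Modbus RTU request frames in Python. It assumes the module only polices the four read function codes (0x01 to 0x04), treats unit id 0 as the broadcast address, and uses the standard CRC-16/MODBUS; all sample frames are constructed.

```python
import struct
from typing import Tuple

# Function codes this module accepts: the four read requests whose PDU is
# function code + 2-byte start index + 2-byte count (assumption: the IDS
# module only needs to police reads).
READ_CODES = {0x01, 0x02, 0x03, 0x04}
# Per-request count limits from the Modbus spec (coils/inputs 2000, registers 125).
MAX_COUNT = {0x01: 2000, 0x02: 2000, 0x03: 125, 0x04: 125}
BROADCAST_UNIT_ID = 0


def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def validate_rtu_request(frame: bytes) -> Tuple[bool, str]:
    """Apply the four checks to one Modbus RTU request frame.

    Returns (accepted, reason). Frame layout: unit id, function code,
    2-byte index, 2-byte count, 2-byte CRC (low byte first on the wire)."""
    if len(frame) < 8:
        return False, "frame too short"
    body, crc_lo, crc_hi = frame[:-2], frame[-2], frame[-1]
    # 1. CRC check: ignore the request if it does not verify.
    if modbus_crc16(body) != ((crc_hi << 8) | crc_lo):
        return False, "bad crc"
    unit_id, func = body[0], body[1]
    # 3. Broadcast is not supported.
    if unit_id == BROADCAST_UNIT_ID:
        return False, "broadcast not supported"
    # 2. Validate the data based on the function code.
    if func not in READ_CODES:
        return False, "unsupported function code 0x%02x" % func
    # 4. Expected request size: unit id + function code + 2 x index + 2 x count.
    if len(body) != 6:
        return False, "unexpected request size"
    index, count = struct.unpack(">HH", body[2:6])
    if count == 0 or count > MAX_COUNT[func]:
        return False, "count out of range"
    if index + count > 0x10000:
        return False, "address range wraps past 0xFFFF"
    return True, "ok"


def build_rtu_request(unit_id: int, func: int, index: int, count: int) -> bytes:
    """Build a request frame (used here only to construct sample traffic)."""
    body = bytes([unit_id, func]) + struct.pack(">HH", index, count)
    crc = modbus_crc16(body)
    return body + bytes([crc & 0xFF, crc >> 8])


if __name__ == "__main__":
    # Constructed samples: a valid read of 2 holding registers, a broadcast,
    # an oversized count, and a frame whose CRC byte was corrupted in transit.
    samples = [
        build_rtu_request(1, 0x03, 0, 2),            # 01 03 00 00 00 02 C4 0B
        build_rtu_request(0, 0x03, 0, 2),
        build_rtu_request(1, 0x03, 0, 200),
        build_rtu_request(1, 0x03, 0, 2)[:-1] + b"\x00",
    ]
    for frame in samples:
        print(frame.hex(), validate_rtu_request(frame))
```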

Patching or mitigating on the PLC or HMI is not very flexible, because it affects industrial systems and/or related operating functions. Sometimes even IIoT manufacturers cannot provide a clear upgrade roadmap. Therefore, installing an IDS as a detective and preventive control is an effective way to implement protection. This discussion does not focus on any particular IDS device. If you have related questions, it is recommended to consult your supplier.

End of writing.

Regarding the ManageEngine security announcement (CVE-2021-44757), do you have doubts about their design? (19-1-2022)

Preface: Asset scanning is the key function for maintaining the integrity of asset management. If the company does not operate as a standalone entity, in some circumstances the system architect will formalize a distributed architecture. How to scan and collect the data is then an important topic. The file size varies with the data content, so when the file is transferred to the back-end system, compression (for example, a ZIP file) is traditionally used to reduce network bandwidth consumption. Furthermore, software developers aim to improve the process completion time.

Background (Asset Scan in Remote AE Server): The scanned information in the Remote AE Server can be updated in the Central AE Server periodically, either manually or automatically.

You can install AssetExplorer as a Central Server by choosing the server type as Central AE Server on starting the application for the first time. The application is started as the Central AE Server.

As a result, the Central AE Server tracks all your newly added assets and keeps a record of all the assets in the organization.

About CVE-2021-44757: An authentication bypass vulnerability that can allow a remote user to perform unauthorized actions in the server. If exploited, this vulnerability may allow an attacker to read unauthorized data or write an arbitrary zip file on the server. 

As usual, the vendor does not disclose the vulnerability in detail. However, judging from the existing system design, it relies on a compression function. Perhaps the earlier version of the design did not enforce a data integrity check, and that provided a channel for an attacker to cause trouble.

Official announcement: For details, please refer to link – https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022

Oracle Releases January 2022 Critical Patch Update – Quick and easy understanding of CVE-2021-2351 (Oracle JDBC Native Network Encryption design limitation).

Preface: Even though CVE-2021-2351 was announced last year (21st July, 2021), this topic still holds my interest. As we know, the web server and DB server are important components of today’s digital world. For example, big data, IoT, automotive and mobility functions work with a front-end web server, and between the web server and the database server, ODBC or JDBC forms the bridge for communication with the database. In the traditional attack scenario, SQL injection is a very common type of attack. When an incident happens, we lose data confidentiality.

Background: The JDBC thin client is a pure Java, Type IV driver. If you are accessing one type of database, such as Oracle, Sybase or IBM, the preferred driver type is 4.

Oracle Database provides native data network encryption and integrity to ensure that data is secure as it travels across the network. The setup offers two ways to encrypt data over the network, native network encryption and Transport Layer Security (TLS).

To address confidentiality of data in the system design, encrypting network data provides data privacy so that unauthorized parties cannot view plaintext data as it passes over the network. However, what if a design weakness exists in the communication between devices? What do you think the exact impact of this defect is?

Vulnerability details: There are two fundamental design constraints on this issue (Native Network Encryption).

  • Clients that do not support native network encryption can fall back to unencrypted connections while incompatibility is mitigated.
  • It provides no non-repudiation of the server connection (that is, no protection against a third-party attack).

When an insider threat occurs, the above two design limitations increase the possibility of being attacked.

Attack scenario: If an insider threat occurs, cyber criminals can sniff the internal network because of points 1 and 2 (refer to the attached diagram), and can therefore easily perform session hijacking, since there is no further protection. Because there is no need to obtain and install the SSL CA certificate on the attacker’s machine to conduct the man-in-the-middle attack, the attacker can easily receive a valid session token. As a result, he gains authorized access equivalent to that of the existing victim user.

Workaround: Update the Oracle Database servers and clients to the patched versions. Enforce usage of a secured protocol version by setting the following options:

SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS=FALSE (server-side)
SQLNET.ALLOW_WEAK_CRYPTO=FALSE (client-side)

Or use TLS-based transport security instead of Native Network Encryption.

US National Vulnerability Database details announcement – https://nvd.nist.gov/vuln/detail/CVE-2021-2351

About CVE-2022-0240: Do not underestimate a low-risk vulnerability (17th Jan, 2022)

Preface: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Background: MRuby is a lightweight implementation of the Ruby language complying with (part of) the ISO standard. Its syntax is Ruby 2.x compatible. MRuby is embeddable and can be run inside other applications, which makes it great for scripting and configuration. There is an unofficial consensus among IoT manufacturers that dumb IoT devices only provide resources/services, while in the IoT broker cloud most components contain the application logic. MRuby fits this use case well despite performance issues.

Vulnerability details: MRuby is vulnerable to a NULL pointer dereference in prepare_singleton_class. The official remedy states that adding two additional lines of code in src/class[.]c remedies the vulnerability.

Refer to the attached diagram: suppose the design criteria are based on compiling Ruby code to bytecode, which is then installed on the IoT virtual machine. Given that the null pointer dereference happened in the MRuby object class, will the program still be affected after compilation?

Perhaps the article below from Apple Developer provides guidance.

Dereferencing a null pointer always results in undefined behavior and can cause crashes. If the compiler finds a pointer dereference, it treats that pointer as nonnull. As a result, the optimizer may remove null equality checks for dereferenced pointers.

But no hints about this uncertainty were found on the internet, so it still needs to be observed.

Remedy: The official announcement can be found at the following link: https://github.com/mruby/mruby/commit/31fa3304049fc406a201a72293cce140f0557dca

CVE-2022-23094 on Libreswan. Stay alert!

Preface: Pluto is an IKE (“IPsec Key Exchange”) daemon. Pluto is an implementation of IKE. It runs as a daemon on a network node. Currently, this network node must be a Linux system running the KLIPS or NETKEY implementation of IPsec, or a FreeBSD/NetBSD/Mac OS X system running the KAME implementation of IPsec.

Background: Libreswan is a free software implementation of the most widely supported and standardized VPN protocol, using “IPsec” and the Internet Key Exchange (“IKE”). Most IPsec deployments fall into two types. The first type is Remote Access, where roaming users (phones, laptops) connect to the corporate network. The second type of IPsec network is where two or more IPsec gateways connect different networks together.

Is Libreswan safe? This open-source VPN is secure if you are a Linux user, since it uses the built-in “XFRM” IPsec stack and the DDNS crypto library. The VPN is compatible with Linux distributions such as RHEL/EPEL, Arch Linux, and Fedora.

What is an xfrm interface?
The design of virtual xfrm interfaces was discussed at the Linux IPsec workshop 2018. This patchset implements these interfaces as agreed by the IPsec userspace and kernel developers. The purpose of these interfaces is to overcome the design limitations of the existing Virtual Tunnel Interface (VTI) devices.

Vulnerability details: According to the vendor announcement, Libreswan 4.2 through 4.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet, because pluto/ikev1[.]c wrongly expects that a state object exists.
Observation: Are the consequences of the NULL pointer dereference due to vmalloc in the specified function?

Mitigation: If all configured connections are using IKEv2, the IKEv1 subsystem can be disabled by adding the option ikev1-policy=drop to the “config setup” section of ipsec[.]conf. Alternatively, libreswan can be compiled with USE_IKEv1=false.

Or install version 4.6.

Official announcement: For details of the official announcement, please see the homepage – https://libreswan.org/

Prophecy astrology and astronomical phenomenon (16th Jan, 2022)

Preface: The history of Vedic astrology: some say it has been around since 10,000 B.C.!

Synopsis:

About prophecy astrology: Vedic astrology refers to Indian or Hindu astrology, a system that originated in ancient India and was recorded by saints in the Vedic scriptures. Also known as “Jyotish”, the science of light, Vedic astrology involves the patterns of astral light that are thought to determine our destiny.

About the astronomical phenomenon: On the ecliptic plane, the planets are clustered near the line connecting the Sun and the Earth. From the astronomical point of view, this is considered a planetary alignment. However, it excludes exoplanets.

Reminder: From 3001 BC to 3000 AD, there were 49 occurrences of a “six-star planetary alignment” with a θ angle below 5 degrees, 3 occurrences of a “seven-star planetary alignment”, and an “eight-star planetary alignment” or larger did not and will not occur. If the θ angle is expanded to 10 degrees, there are 709 “six-star planetary alignments”, 52 “seven-star planetary alignments”, and 3 “eight-star planetary alignments”.

Which astrology is the term “Kala Sarpa Yoga” derived from? Kala Sarpa Yoga, or Kala Sarpa Dosha, is one of the most concerning planetary combinations in Vedic astrology, for example when the planets align in order. It is often called a Dosha because it mainly leads to unlucky results.
Kala Sarpa Yoga is mostly ominous and thought to seriously hurt people. The results of this Dosha, while harmful, are different for everyone. The extent or scale of the damage it can cause varies depending on the location and condition of the planets.

Prediction of 7 major astronomical phenomena in 2022: meteor shower / total lunar eclipse / super full moon / rare alignment of eight planets. Perhaps it is when the planets align in order that astrology attracts attention.

In late June (25th June 2022), there will be a rare “eight stars in a row”: the seven planets Venus, Jupiter, Mercury, Mars, Saturn, Uranus and Neptune, plus Pluto, will be in a line, and there is a chance to watch it before sunrise.

Reference: We’ve heard predictions recently (presumably based on Vedic astrology).
Believe it or not, it’s all up to you.

About Citrix vulnerabilities (CVE-2021-28704 & CVE-2021-28707) 13th Jan 2022

Preface: Virtual memory settings can often be controlled through the OS. In addition, RAM uses swapping techniques, while virtual memory uses paging. While physical memory is limited to the size of the RAM chip, virtual memory is limited by the size of the hard disk.

Background: When you create a VM, a fixed amount of memory is allocated to the VM. You can use Dynamic Memory Control (DMC) to improve the utilization of physical memory in your Citrix Hypervisor environment. DMC is a memory management feature that enables dynamic reallocation of memory between VMs.

The QEMU component is a superset of the QEMU device model present in Xen. In KVM, the QEMU binary directly takes care of talking to the hypervisor to create the guest domain. In Xen, the QEMU binary merely provides the I/O emulation, while XenD takes care of actually creating the domain.

DomU is an unprivileged domain with (by default) no access to the hardware. It must run a frontend driver for any multiplexed hardware it wishes to share with other domains. In Dom0, the kernel for a DomU comes from Dom0’s filesystem, not from the filesystem exported to the DomU.

Vulnerability details: Citrix has released security updates to address vulnerabilities in Hypervisor. An attacker could exploit these vulnerabilities to take control of an affected system. For more details, please refer to the link – https://support.citrix.com/article/CTX335432

About: HTTP Protocol Stack RCE Vulnerability (11th Jan, 2022)

Preface: HTTP[.]sys is a mature technology that protects against many types of attacks and provides the robustness, security, and scalability of a full-featured web server. IIS itself runs as an HTTP listener on top of HTTP[.]sys.

Background: HTTP/1.1 specifies that a response sent as Transfer-Encoding: chunked can include optional trailers (i.e. fields that would normally be sent as headers but, for whatever reason, cannot be calculated before the content, so they are appended at the end).

The HTTP/1.1 specification lays out how chunking works, specifically in section 3.6.1:
The chunked encoding modifies the body of a message in order to transfer it as a series of chunks, each with its own size indicator, followed by an OPTIONAL trailer containing entity-header fields. This allows dynamically produced content to be transferred along with the information necessary for the recipient to verify that it has received the full message.
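
As an added illustration of the chunked framing and trailer section described above (example code written for this page, not from the post and not how HTTP[.]sys implements it), a strict chunked-body parser that enforces size limits while decoding the trailer fields. The size caps are assumptions, and the sample message is constructed.

```python
from typing import Dict, Tuple

# Limits are assumptions for this example, not values from HTTP.sys or the RFC.
MAX_CHUNK_SIZE = 1 << 20      # largest single chunk accepted
MAX_BODY_SIZE = 8 << 20       # largest decoded body accepted
MAX_TRAILERS = 16             # most trailer fields accepted
HEX_DIGITS = b"0123456789abcdefABCDEF"


class ChunkedError(ValueError):
    """Raised for malformed, truncated or oversized chunked input."""


def parse_chunked(data: bytes) -> Tuple[bytes, Dict[str, str], bytes]:
    """Decode a chunked body plus its optional trailer section.

    Returns (body, trailers, leftover); leftover is whatever follows the
    empty line that terminates the trailer section."""
    pos, body = 0, bytearray()
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise ChunkedError("truncated chunk-size line")
        # chunk-size may carry ;extensions; only the hex size matters here
        size_hex = data[pos:end].split(b";", 1)[0].strip()
        if not size_hex or any(c not in HEX_DIGITS for c in size_hex):
            raise ChunkedError("invalid chunk size")
        if len(size_hex) > 8:
            raise ChunkedError("chunk size too long")  # would overflow a 32-bit parser
        size, pos = int(size_hex, 16), end + 2
        if size == 0:
            break                      # last-chunk: trailer section follows
        if size > MAX_CHUNK_SIZE or len(body) + size > MAX_BODY_SIZE:
            raise ChunkedError("chunk exceeds size limit")
        if len(data) < pos + size + 2:
            raise ChunkedError("truncated chunk data")
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("missing CRLF after chunk data")
        body += data[pos:pos + size]
        pos += size + 2
    trailers: Dict[str, str] = {}
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise ChunkedError("truncated trailer section")
        line, pos = data[pos:end], end + 2
        if not line:
            break                      # empty line ends the trailer section
        if len(trailers) >= MAX_TRAILERS:
            raise ChunkedError("too many trailer fields")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip() or not line.isascii():
            raise ChunkedError("malformed trailer field")
        trailers[name.strip().decode("ascii").lower()] = value.strip().decode("ascii")
    return bytes(body), trailers, data[pos:]


def is_malformed(data: bytes) -> bool:
    """True if the parser rejects the input."""
    try:
        parse_chunked(data)
        return False
    except ChunkedError:
        return True


# Constructed sample: two chunks (one with an extension), last-chunk, one trailer.
SAMPLE = b"4\r\nWiki\r\n5;ext=1\r\npedia\r\n0\r\nX-Checksum: abc123\r\n\r\n"
```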

Vulnerability details: This vulnerability can be exploited by sending specially crafted packets to the HTTP protocol stack in order to launch an attack. This vulnerability is considered highly harmful.

Ref (1): The HTTP Trailer response header allows the sender to include additional fields at the end of chunked messages in order to supply metadata that might be dynamically generated while the message body is sent. No package install is needed if you use the Microsoft[.]AspNetCore[.]All metapackage.

The Microsoft[.]AspNetCore[.]Server[.]HttpSys package is included in the metapackage.

Ref (2): Call the UseHttpSys extension method on WebHostBuilder in your Main method, specifying any HTTP[.]sys options that you need.

Mitigations: Please refer to the link – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907

About: CVE-2022-22531 – Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA (11-1-2022)

Preface: For security reasons, SAP will not disclose the details of the vulnerability. The security bulletin was issued yesterday. The end user only needs to apply the fix, but we don’t know what happened. So the purpose of this topic is to try to dig out details that may interest you. If my findings do not precisely identify the reason for this vulnerability, no worries: weaknesses in client-side JavaScript security in SAPUI5 applications may be ubiquitous, and it is easy to find the details elsewhere.

Background: F0743 (Create Single Payment) is an SAP S/4HANA transactional app used by an Accounts Payable Accountant through the SAP Fiori (SAPUI5) user interface (UI) technology. With this app you can make a direct payment to a supplier when no invoice exists, and you can pay open supplier line items. When you make a direct payment to a supplier without an invoice, you specify the supplier details, the bank details, and the amount to be paid, then create the payment.

Vulnerability details: The official announcement states that there are multiple vulnerabilities in the F0743 Create Single Payment application of SAP S/4HANA.

Results are based on my observations: SAPUI5 is a hybrid app (because of HTML5). SAPUI5 is the technology, whereas Fiori is the methodology. Fiori focuses mainly on mobility; it uses SAPUI5 for the frontend and OData to retrieve back-end data. Based on the above, apps built using SAPUI5 are responsive across browsers and devices: they can run on smartphones, tablets, and desktops. If not used properly, the SAPUI5 framework is susceptible to the various types of security vulnerabilities that usually affect client-side JavaScript frameworks.

Static Application Security Testing shows that SAPUI5 contains DOM-based Cross Site Scripting and code injection loopholes. For example (type-0 XSS), a vulnerable document.write() sink method reflects user input directly into the web page DOM structure, where the input comes from a textbox and is retrieved via the getValue() method of the vulnerable SAPUI5 application.

Impact: It increases the likelihood that client code will behave in an “unexpected” way.

Official announcement: Please refer to the link – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035