All posts by admin

CVE-2025-21484: About Qualcomm – Enhanced Validation of Array Index in Multi-Mode Call Processor (8th Sep 2025)

Preface: PLMNs (Public Land Mobile Networks) are public networks, while Non-Public Networks (NPNs) serve specific users, such as enterprises. SNPNs (Standalone NPNs) are completely independent, dedicated networks that do not rely on the functionality of public PLMNs.

Background: The “Qualcomm Multi-Mode Call Processor” is a component of the Qualcomm Modem-RF system, a comprehensive 5G modem-RF system designed to provide multi-band, multi-mode connectivity for a wide range of devices. These integrated solutions combine the cellular modem, RF transceiver and RF front-end components to support 5G, 4G LTE and legacy cellular networks in a single, cohesive platform.

Each PLMN is identified by a PLMN ID, which includes a country code and mobile network code. The UE uses this ID to distinguish between different PLMNs.

Vulnerability details:

Title – Improper Validation of Array Index in Multi-Mode Call Processor

Description – Memory corruption while selecting the PLMN from SOR failed list.

Vulnerability Type – CWE-129 Improper Validation of Array Index

Official announcement: Please refer to the link for details –

https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html

Best Practices
  • Always validate array indices before access.
  • Use safer memory functions or wrappers that include bounds checking.
  • Monitor heap usage and implement memory pressure handling routines.
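The first two bullets, applied to this post's subject, as an added example that is not Qualcomm's code: a Python reference model that decodes 3-octet PLMN IDs (the packed-BCD layout of 3GPP TS 24.008), parses a count-prefixed SoR failed list against a fixed table capacity, and only then selects an entry by index, rejecting out-of-range indices. The table capacity, the list format and the selection index are assumptions.

```python
"""Reference model of selecting a PLMN from a Steering-of-Roaming (SoR) failed
list with the array-index validation CWE-129 asks for.

Added example for this post, not Qualcomm code. The 3-octet packed-BCD PLMN ID
layout is the one defined in 3GPP TS 24.008; the table capacity, the
count-prefixed list format and the selection index are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

PLMN_ID_LEN = 3
FAILED_LIST_CAPACITY = 16   # assumed fixed size of the firmware's failed-list table


@dataclass(frozen=True)
class Plmn:
    mcc: str
    mnc: str

def _digit(nibble: int) -> str:
    if nibble > 9:
        raise ValueError("non-BCD digit in PLMN ID")
    return str(nibble)

def decode_plmn_id(octets: bytes) -> Plmn:
    """Decode MCC/MNC from 3 octets laid out as o1 = MCC2|MCC1, o2 = MNC3|MCC3,
    o3 = MNC2|MNC1 (high nibble first); MNC3 = 0xF marks a 2-digit MNC."""
    if len(octets) != PLMN_ID_LEN:
        raise ValueError("PLMN ID must be exactly 3 octets")
    o1, o2, o3 = octets
    mcc = _digit(o1 & 0xF) + _digit(o1 >> 4) + _digit(o2 & 0xF)
    mnc = _digit(o3 & 0xF) + _digit(o3 >> 4)
    if (o2 >> 4) != 0xF:
        mnc += _digit(o2 >> 4)
    return Plmn(mcc, mnc)

def parse_failed_list(payload: bytes) -> List[Plmn]:
    """Parse a count-prefixed list of PLMN IDs, refusing a count that would not
    fit the table or that disagrees with the number of bytes present."""
    if not payload:
        raise ValueError("empty SoR failed list")
    count = payload[0]
    if count > FAILED_LIST_CAPACITY:
        raise ValueError(f"count {count} exceeds table capacity {FAILED_LIST_CAPACITY}")
    if len(payload) != 1 + count * PLMN_ID_LEN:
        raise ValueError("declared count does not match payload length")
    return [decode_plmn_id(payload[1 + 3 * i:4 + 3 * i]) for i in range(count)]

def select_plmn(failed: List[Plmn], index: int) -> Optional[Plmn]:
    """Entry at `index`, or None when it is out of range. The explicit lower
    bound matters too: a negative index would otherwise wrap around silently."""
    if not 0 <= index < len(failed):
        return None
    return failed[index]

def is_rejected(payload: bytes) -> bool:
    """True when parse_failed_list refuses `payload`."""
    try:
        parse_failed_list(payload)
    except ValueError:
        return True
    return False
```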

Myth and Reality (Nibiru in Sumerian Mythology to the Real Version of “3I/ATLAS”) – 5th Sep 2025

Preface: In 1976, Zecharia Sitchin published The Twelfth Planet, in which Sitchin translated Sumerian texts describing the planet Nibiru.

About the Myth: According to the late Zecharia Sitchin, the planet Nibiru of Sumerian mythology, with its periodic close passes by Earth, is thought to orbit the Sun in an elongated ellipse with a period of 3,600 years.

The earliest evidence of Sumerian civilization dates to around 5300 BCE, so from that earliest point to 2025 CE is approximately 7,325 years. If one refers instead to the flourishing of the civilization, the period of Sumer from its beginning in the late Neolithic/early Bronze Age around 5300 BCE to its downfall around 1940 BCE was roughly 3,360 years long.

Status of 3I/ATLAS (4th Sep 2025)

On September 4, 2025, the interstellar comet 3I/ATLAS was passing through the main asteroid belt and approaching its closest point to the Sun, which it will reach just inside Mars’s orbit in late October. It could be observed from Earth’s night sky with powerful space telescopes such as NASA’s Webb Space Telescope and Hubble Space Telescope, as well as with large amateur telescopes equipped with specialized instruments. While it will be unobservable for several weeks because it is too close to the Sun, it will reemerge in early December 2025 and continue its journey.

The Webb and Hubble teams have observed the interstellar object 3I/ATLAS and found it to be outgassing. In this case the outgassing primarily involves carbon dioxide rather than water, a surprising and unusual finding compared with typical comets in our solar system. The team is analyzing data confirming that 3I/ATLAS is an active comet, with outgassing producing a coma of gas.

By analyzing the color of the light, specifically using spectroscopy, astronomers can determine the composition of this expelled material and learn about the object’s origin and the conditions in its home system.

End.

CVE-2025-21483: About Qualcomm – Enhanced Restriction of Operations within the Bounds of a Memory Buffer (5th Sep 2025)

Official Published: 09/01/2025

Preface: The Real-time Transport Protocol (RTP) is an application-layer protocol, typically used over UDP, that facilitates the real-time transmission of media like audio and video over IP networks. While not a component of the modem’s RF (Radio Frequency) system itself, which handles the wireless signal, RTP works with 5G modem-RF systems by providing the actual media data for real-time applications like Voice over LTE (VoLTE) and 5G voice.

Background: “RTP NALU” refers to the encapsulation of Network Abstraction Layer Units (NALUs) into Real-time Transport Protocol (RTP) packets, which is commonly used in H.264 video streaming to transmit data in real time. A NALU is a data unit in H.264 video compression; RTP is used to encapsulate the NALU so that it can be transmitted over the network and reconstructed at the receiver side.

Vulnerability details: Improper Restriction of Operations within the Bounds of a Memory Buffer in Data Network Stack & Connectivity.

Description: Memory corruption when the UE receives an RTP packet from the network, during the reassembly of NALUs.

Technology Area: Data Network Stack & Connectivity.

Vulnerability Type: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer.

Why is the 5G Modem-RF system involved?

  • The modem firmware handles real-time media transport, including RTP for VoLTE and 5G voice.
  • RTP/NALU reassembly is part of the low-level packet processing pipeline in the modem.
  • Since this is firmware-level code, it uses manual memory management (C/C++).
  • The vulnerability allows attackers to send malformed RTP packets that overflow the buffer, leading to remote code execution at the kernel level.
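The reassembly step the description refers to, as an added example that is not Qualcomm's code: a Python reference reassembler for RFC 6184 FU-A fragments that validates the RTP header fields and refuses any fragment that would run past a fixed-size NALU buffer, the check whose absence CWE-119 describes. NALU_MAX and the sample packets built by build_fu_a() are assumptions.

```python
"""Reference reassembler for H.264 FU-A fragments (RFC 6184, NAL unit type 28)
carried in RTP, spelling out the length checks that must precede every copy
into a fixed-size reassembly buffer, the step CWE-119 is about.

Added example for this post, not Qualcomm code. NALU_MAX is an assumed buffer
size; build_fu_a() makes constructed sample packets.
"""
from typing import Optional, Tuple

RTP_MIN_HDR = 12
FU_A_TYPE = 28
NALU_MAX = 1500   # assumed fixed capacity of the reassembly buffer


def rtp_payload(pkt: bytes) -> Optional[bytes]:
    """Payload after the fixed header and CSRC list, or None when the header
    fields disagree with the bytes present. Packets with the extension (X) or
    padding (P) bit set are refused by this model rather than parsed."""
    if len(pkt) < RTP_MIN_HDR or pkt[0] >> 6 != 2 or pkt[0] & 0x30:
        return None
    hdr = RTP_MIN_HDR + 4 * (pkt[0] & 0x0F)            # 4 bytes per CSRC entry
    return pkt[hdr:] if hdr <= len(pkt) else None


class FuAReassembler:
    def __init__(self) -> None:
        self.buf = bytearray()
        self.active = False

    def feed(self, pkt: bytes) -> Tuple[str, Optional[bytes]]:
        """Return ("done", nalu), ("more", None) or ("rejected: <why>", None)."""
        p = rtp_payload(pkt)
        if p is None or len(p) < 2 or (p[0] & 0x1F) != FU_A_TYPE:
            return "rejected: not a well-formed FU-A packet", None
        fu_ind, fu_hdr, frag = p[0], p[1], p[2:]
        if fu_hdr & 0x80:                              # S bit: first fragment
            # Rebuild the NAL header: F/NRI bits from the indicator, type from the FU header.
            self.buf = bytearray([(fu_ind & 0xE0) | (fu_hdr & 0x1F)])
            self.active = True
        elif not self.active:
            return "rejected: continuation without a start fragment", None
        if len(self.buf) + len(frag) > NALU_MAX:       # the bounds check itself
            self.active = False
            return "rejected: fragment would overflow the reassembly buffer", None
        self.buf += frag
        if fu_hdr & 0x40:                              # E bit: last fragment
            self.active = False
            return "done", bytes(self.buf)
        return "more", None


def build_fu_a(seq: int, fu_hdr: int, frag: bytes) -> bytes:
    """Constructed packet: V=2, PT=96, SSRC 0x11223344, FU indicator with NRI=3."""
    hdr = (bytes([0x80, 0x60]) + seq.to_bytes(2, "big")
           + (90000).to_bytes(4, "big") + bytes.fromhex("11223344"))
    return hdr + bytes([0x7C, fu_hdr]) + frag
```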

Official announcement: Please see the link for details –

https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html

CVE-2025-23257 and CVE-2025-23258: About NVIDIA DOCA (4th Sep 2025)

Preface: An NVIDIA endless “collect-export” loop refers to the standard, continuous operation of the DOCA Telemetry Service (DTS), where telemetry data is perpetually collected and then exported. While high-frequency telemetry (HFT) offers an external, triggered alternative, the standard DTS flow is designed to run indefinitely, collecting data from the Sysfs provider and potentially exporting it via Prometheus or Fluent Bit.

Background: CUDA (Compute Unified Device Architecture) and DOCA (Data Center Infrastructure-on-a-Chip Architecture) are both NVIDIA SDKs, but they serve distinct purposes and target different hardware.

CUDA SDK: Primarily designed for general-purpose computing on NVIDIA GPUs. It enables developers to program accelerated computing applications by leveraging the parallel processing power of GPUs.

DOCA SDK: Built specifically for NVIDIA BlueField Data Processing Units (DPUs) and SuperNICs, aiming to accelerate data center infrastructure tasks. It enables offloading infrastructure-related workloads from the host CPU to the DPU.

DOCA Telemetry Service (DTS) is a DOCA Service for collecting and exporting telemetry data. It can run on hosts and BlueField, collecting data from built-in providers and external telemetry applications. The service supports various providers, including sysfs, ethtool, ifconfig, PPCC, DCGM, NVIDIA SMI, and more.

Ref: The binary data can be read using the /opt/mellanox/collectx/bin/clx_read app, packaged in collectx-clxapidev, a DOCA dependency package.

Vulnerability details:

CVE-2025-23257: NVIDIA DOCA contains a vulnerability in the collectx-clxapidev Debian package that could allow an actor with low privileges to escalate privileges. A successful exploit of this vulnerability might lead to escalation of privileges.

CVE-2025-23258: NVIDIA DOCA contains a vulnerability in the collectx-dpeserver Debian package for arm64 that could allow an attacker with low privileges to escalate privileges. A successful exploit of this vulnerability might lead to escalation of privileges.

Official announcement: Please see the link for details –

https://nvidia.custhelp.com/app/answers/detail/a_id/5655

CVE-2025-9671 through CVE-2025-9675 are related to AndroidManifest[.]xml. Are they dangerous? (3rd Sep 2025)

NVD Published Date: 08/29/2025

NVD Last Modified: 08/29/2025

Preface: If access to an exported Service is not restricted, any application may start and bind to the Service. Depending on the exposed functionality, this may allow a malicious application to perform unauthorized actions, gain access to sensitive information, or corrupt the internal state of the application.

Background: In AndroidManifest.xml, components can declare the android:exported attribute. If it is set to true (or left unset on a component that has an intent filter, which older Android versions treat as exported), other applications can launch or interact with that component. If such access is not properly restricted, it becomes a vulnerability.
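An added example, not taken from any of the apps listed below, of how a reviewer can flag the manifest condition just described: a Python audit over an AndroidManifest.xml that reports components with android:exported="true", or an intent filter without an exported attribute, that carry no android:permission guard. The manifest it checks is constructed.

```python
"""Flag components in an AndroidManifest.xml that another app can reach:
android:exported="true", or no exported attribute on a component that declares
an intent-filter (implicitly exported when the app targets Android 11 or
lower), unless the component is guarded by android:permission.

Added example for this post, not from any of the apps listed; SAMPLE_MANIFEST
is constructed.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"


def _attr(el: ET.Element, name: str) -> Optional[str]:
    return el.get(f"{{{ANDROID_NS}}}{name}")

def _is_launcher(el: ET.Element) -> bool:
    return any(_attr(c, "name") == LAUNCHER for c in el.iter("category"))

def audit_manifest(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, name, reason) for each component other apps can start
    without holding a permission; the launcher activity is expected to be
    exported and is skipped."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag not in COMPONENTS or _is_launcher(el):
            continue
        exported = _attr(el, "exported")
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and el.find("intent-filter") is not None:
            reason = "intent-filter without android:exported (implicitly exported)"
        else:
            continue
        if _attr(el, "permission"):
            continue                      # callers must hold the permission
        findings.append((el.tag, _attr(el, "name") or "?", reason))
    return findings


SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.constructed.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver" android:exported="true"
              android:permission="com.example.constructed.permission.BOOT"/>
    <provider android:name=".DataProvider" android:exported="false"
              android:authorities="com.example.constructed.data"/>
    <activity android:name=".DebugActivity" android:exported="true"/>
  </application>
</manifest>
"""
```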

Vulnerability details: See below –

CVE-2025-9671 (CVSS 5.3) UAB Paytend App (≤ 2.1.9)

– Improper export of components via AndroidManifest.xml.

– Exploitable locally.

– CWE-926

CVE-2025-9672 (CVSS 5.3) Rejseplanen App (≤ 8.2.2)

– Local attack exploiting exported components.

– CWE-926

CVE-2025-9673 (CVSS 5.3) Kakao Hey Kakao App (≤ 2.17.4)

– Local manipulation of manifest leads to exposed components.

– CWE-926

CVE-2025-9674 (CVSS 5.3) Transbyte Scooper News App (≤ 1.2)

– Manifest misconfiguration allows component export.

– CWE-926

CVE-2025-9675 (CVSS 5.3) Voice Changer App (≤ 1.1.0)

– Local exploit due to improperly exported components.

– CWE-926

Official announcement: Please see the link for details

https://nvd.nist.gov/vuln/detail/CVE-2025-9671

https://nvd.nist.gov/vuln/detail/CVE-2025-9672

https://nvd.nist.gov/vuln/detail/CVE-2025-9673

https://nvd.nist.gov/vuln/detail/CVE-2025-9674

https://nvd.nist.gov/vuln/detail/CVE-2025-9675

CVE-2025-6203: Vault Community Edition and Vault Enterprise, staying alert! (2nd Sep 2025)

Published: 2025-08-28

Updated: 2025-08-28

Preface: Credential stores are common, largely because of SAML. SAML’s effectiveness stems from centralizing authentication and authorization, allowing a single Identity Provider (IdP) to manage user credentials instead of each Service Provider (SP) storing them individually. This not only improves security by reducing the attack surface but also streamlines the user experience by enabling Single Sign-On (SSO), where users log in once to access multiple applications.

Background: Organizations with strict security and operational requirements for production will typically use Vault Enterprise or the managed HashiCorp Cloud Platform (HCP). Vault Enterprise is a paid product for large organizations with advanced capabilities such as disaster recovery (DR), cross-datacenter replication, Sentinel policy enforcement, and namespaces for better tenant isolation and governance. Enterprise also provides dedicated support and features for complex, mission-critical environments with stringent compliance needs.

The community version effectively handles fundamental secrets management in CI/CD, but it lacks the advanced features that larger enterprises need for scalability, compliance, and reliability.

Vault Community Edition is a free, self-managed secret management tool offering core features for small-scale deployments.

Vulnerability details: A malicious user may submit a specially crafted complex payload that otherwise meets the default request size limit, resulting in excessive memory and CPU consumption by Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially resulting in the Vault server becoming unresponsive. This vulnerability, CVE-2025-6203, is fixed in Vault Community Edition 1.20.3 and Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25.

Official announcement: Please refer to the link for more details –

https://nvd.nist.gov/vuln/detail/CVE-2025-6203

Gmail suffered a 2 million data breach – SSO situation sometimes ambush from all sides (1st Sep 2025)

Quote: Google warns 2.5B Gmail users to update passwords after data breach of one of its databases – https://nypost.com/2025/08/27/business/google-warns-2-5-billion-gmail-users-to-update-passwords-after-hackers-complete-successful-intrusions/

Preface: More than 2.5 billion Gmail users could be at risk following a massive cyberattack that compromised a Google database managed through Salesforce’s cloud platform. The attack, which began in June 2025, relied on social engineering tactics. According to Google’s Threat Intelligence Group (GTIG), scammers impersonated IT staff during convincing phone calls and persuaded a Google employee to approve a malicious application connected to Salesforce. This gave attackers the ability to exfiltrate contact details, business names, and related notes. (Source: Trend Micro) – https://news.trendmicro.com/2025/08/26/google-data-breach-gmail/

Background: BeyondCorp® is a cybersecurity architecture developed at Google that shifts access control from the traditional network perimeter to individual devices and users. The goal is to enable users to securely work anytime, anywhere and on any device without having to use a virtual private network, or VPN, to access an organization’s resources.

Google uses OpenID Connect (OIDC) for its “Sign in with Google” functionality, as it is an OpenID Connect Provider that issues OIDC-formatted JSON Web Tokens (JWTs) to authenticate users and share identity information with client applications. This allows users to log into other websites and applications using their Google account, benefiting from a simplified and more secure single sign-on (SSO) experience.

OAuth 2.0 is an authorization framework; OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that provides user authentication and identity information. OAuth 2.0 focuses on granting access to protected resources, while OIDC extends it to verify a user’s identity and share their profile information with third-party applications.

About the title: Please see the attached diagram.

Ref: Gmail utilizes a protocol called OpenID Connect (OIDC) for authentication, which is built on top of the OAuth 2.0 authorization framework. This protocol allows users to log in to various applications by authenticating with their Google Account without sharing their passwords directly, enabling both authentication (verifying identity) and authorization (granting access to specific data). For Gmail access, OAuth 2.0 is used for authorization, while OIDC provides the user authentication mechanism, returning an ID Token in addition to an access token for identity verification.

IEC 62351 is the official security extension for IEC 60870-5-104. How OpenSSL assists. (29th Aug 2025)

Preface: Two of the most often used protocols in SCADA networks are Modbus and IEC 60870-5. A communication protocol is a collection of rules that enable two or more networked entities to interact with each other; both the transmitter and the recipient of the information must agree on the protocol.

Background: In the IEC 60870-5-104 (IEC-104) specification, the Protocol Control Information (PCI) sequence number is a 15-bit value found in the control field of frames to manage ordered information transfer. There are two types of sequence numbers: the Send Sequence Number (SSN), which the sending station increments for each I-frame sent, and the Receive Sequence Number (RSN), which acknowledges the last SSN received. The RSN effectively acknowledges all frames from the previously received SSN up to the current one.

1. If a station sends an I-frame with SSN 0, it would then set the RSN to 1 in that frame.

2. If the receiving station receives this frame and then sends its own frame, the RSN in that outgoing frame would be 2, acknowledging both the frame with SSN 0 and the subsequent frames.

Cyber-security focus: The IEC 60870-5-104 protocol, while widely used in industrial control systems, lacks built-in authentication and encryption, which makes it susceptible to several types of attack, including IP spoofing, session hijacking, replay attacks and unauthorized command injection.

How to Mitigate?

To secure IEC 60870-5-104, consider the following industry best practices:

1. Use IEC 62351 – This standard adds TLS encryption, authentication, and integrity checks to IEC protocols. It’s the official security extension for IEC 60870-5-104.

2. Network Segmentation – Isolate control networks from corporate or public networks. Use firewalls and VLANs to restrict access.

3. IP Whitelisting and Port Hardening – Only allow known IP addresses to connect to the IEC server. Use non-default ports and monitor for unusual traffic.

4. Deep Packet Inspection (DPI) – Use industrial firewalls or intrusion detection systems (IDS) that understand IEC 104 traffic. Detect anomalies in SSN/RSN behavior or unauthorized commands.

5. Secure Boot and Firmware Validation – Ensure that devices running IEC 104 are not compromised at the firmware level.
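Point 4 and the SSN/RSN background above, as an added example that is not taken from any product: a Python parser for IEC 60870-5-104 APCI control fields and a per-connection monitor that alerts on sequence-number anomalies (N(S)/N(R) in the standard's notation, the SSN/RSN of the text) and on process-control command types. The frame layout follows the standard; the exchange in run_sample() is constructed.

```python
"""Parse IEC 60870-5-104 APCI control fields and track N(S)/N(R) on one TCP
connection: the sequence-number and command checks an IEC-104-aware IDS applies.

Added example for this post, not from any product. Frame layouts follow
IEC 60870-5-104; the exchange in run_sample() is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

START, MOD = 0x68, 1 << 15
COMMAND_TYPES = range(45, 52)   # C_SC_NA_1 .. C_BO_NA_1: process control commands


@dataclass
class Apdu:
    fmt: str                       # "I", "S" or "U"
    ns: Optional[int] = None       # N(S), I-format only
    nr: Optional[int] = None       # N(R), I- and S-format
    ufunc: Optional[int] = None    # U-format function byte
    type_id: Optional[int] = None  # ASDU type identification

def parse_apdu(raw: bytes) -> Apdu:
    if len(raw) < 6 or raw[0] != START or raw[1] != len(raw) - 2:
        raise ValueError("bad start byte or length field")
    c1, c2, c3, c4 = raw[2:6]
    nr = (c3 >> 1) | (c4 << 7)                     # 15-bit N(R); bit 0 is a format flag
    if c1 & 0x01 == 0:                             # I-format
        return Apdu("I", (c1 >> 1) | (c2 << 7), nr, type_id=raw[6] if len(raw) > 6 else None)
    if c1 & 0x03 == 0x01:                          # S-format
        return Apdu("S", nr=nr)
    return Apdu("U", ufunc=c1)                     # U-format: STARTDT/STOPDT/TESTFR


class Iec104Monitor:
    def __init__(self) -> None:
        self.vs = {"client": 0, "server": 0}       # next N(S) each side should send

    def observe(self, sender: str, raw: bytes) -> List[str]:
        peer = "server" if sender == "client" else "client"
        a, alerts = parse_apdu(raw), []
        if a.fmt == "U":                           # no sequence numbers to check
            return alerts
        # N(R) may lag the peer's V(S) (frames still unacknowledged) but never lead it.
        if 0 < (a.nr - self.vs[peer]) % MOD < MOD // 2:
            alerts.append(f"N(R) {a.nr} acknowledges frames the peer has not sent")
        if a.fmt == "I":
            if a.ns != self.vs[sender]:
                alerts.append(f"unexpected N(S) {a.ns}, expected {self.vs[sender]}")
            self.vs[sender] = (a.ns + 1) % MOD     # resynchronise on the observed value
            if a.type_id in COMMAND_TYPES:
                alerts.append(f"control command type {a.type_id}")
        return alerts


def run_sample() -> List[List[str]]:
    """Constructed exchange: STARTDT, interrogation and confirm, then a gap plus a command, then a bad ack."""
    frames = [
        ("client", "680407000000"),                          # U STARTDT act
        ("server", "68040b000000"),                          # U STARTDT con
        ("client", "680e00000000" "64010600010000000014"),   # I N(S)=0 N(R)=0, C_IC_NA_1
        ("server", "680e00000200" "64010700010000000014"),   # I N(S)=0 N(R)=1, C_IC_NA_1
        ("client", "680e0a000200" "2d010600010001000001"),   # I N(S)=5 N(R)=1, C_SC_NA_1
        ("server", "680401001200"),                          # S N(R)=9
    ]
    mon = Iec104Monitor()
    return [mon.observe(who, bytes.fromhex(hx)) for who, hx in frames]
```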

End of topic.

CVE-2025-23307: NVIDIA NeMo Curator for all platforms contains a vulnerability (28th Aug 2025)

Preface: NeMo Curator, part of the NVIDIA NeMo software suite for managing the AI agent lifecycle, is a Python library specifically designed for fast and scalable data processing and curation for generative AI use cases such as foundation language model pretraining, text-to-image model training, domain-adaptive pretraining (DAPT), supervised fine-tuning (SFT) and parameter-efficient fine-tuning (PEFT).

Background: To install the NeMo Curator library, run the following command:

  • git clone https://github[.]com/NVIDIA/NeMo-Curator[.]git
  • cd NeMo-Curator
  • pip install --extra-index-url https://pypi[.]nvidia[.]com ".[cuda12x]"

Data download: The download pipeline in NeMo Curator consists of the following classes:

  • DocumentDownloader: Abstract class for downloading remote data to disk.
  • DocumentIterator: Abstract class for reading dataset raw records from the disk.
  • DocumentExtractor: Abstract class for extracting text records, as well as any relevant metadata from the records on the disk.

Vulnerability details: NVIDIA NeMo Curator for all platforms contains a vulnerability where a malicious file created by an attacker could allow code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.

Ref: The vulnerability arises when malicious files—such as JSONL files—are loaded by NeMo Curator. If these files are crafted to exploit weaknesses in how NeMo Curator parses or processes them, they can inject executable code. This corresponds to:

  • Embedded malicious payloads in JSONL files.
  • JSON injection attacks exploiting parsing logic.

Official announcement: Please see the link for details –

https://nvidia.custhelp.com/app/answers/detail/a_id/5690

CVE-2025-9386: It impacts any deployment of AppNeta’s tcpreplay tool (27th Aug 2025)

Preface: AppNeta, now part of Broadcom, is a SaaS-based network performance monitoring solution that provides IT and network operations teams with end-to-end visibility into application performance and network issues from the end-user perspective.

Why do developers need to customize Tcpreplay?

  • Testing Firewalls and IDS/IPS: Tcpreplay allows you to replay captured traffic through network devices like firewalls and intrusion detection/prevention systems.
  • Tuning Flow Expiry: You can optimize flow timeout settings to improve the accuracy of flow analysis and tuning for flow-based products.

Background: Tcpreplay is a suite of free, open-source command-line tools for replaying and editing network traffic captured in pcap files, which are created by tools like tcpdump and Wireshark. It’s used to test network devices such as intrusion detection systems (IDS), routers, and firewalls by replaying real-world traffic at specific speeds, or to simulate traffic for debugging and performance analysis.

AppNeta, on the other hand, is a commercial network performance monitoring solution. While AppNeta provides a comprehensive suite of features for network monitoring, including bandwidth monitoring, application management, and capacity management, its relationship with Tcpreplay is notable.

Vulnerability details: A vulnerability has been found in appneta tcpreplay up to 4.5.1. The impacted element is the function get_l2len_protocol of the file get.c of the component tcprewrite. Such manipulation leads to use after free. The attack must be carried out locally. The exploit has been disclosed to the public and may be used.

Remedy: Upgrading to version 4.5.2-beta3 is sufficient to resolve this issue. You should upgrade the affected component.

Official announcement: Please see the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2025-9386