All posts by admin

The incorrect authorization described in CVE-2025-23256 may be triggered or facilitated by the underlying flaw CVE-2025-38456. (11th Sep 2025)

Preface:

  • IPMI is a standardized interface for hardware management, operating via the Baseboard Management Controller (BMC).
  • It supports both in-band (local) and out-of-band (remote) access.
  • BlueField’s Arm cores run Linux and reach the BMC through the kernel’s OpenIPMI driver (/dev/ipmi0) and tools such as ipmitool, so a flaw in that kernel subsystem is reachable from the DPU itself.

Background: The Intelligent Platform Management Interface (IPMI) is a standard interface for hardware management that system administrators use to control devices and monitor sensors. It needs an IPMI controller, the Baseboard Management Controller (BMC), and management software (for example, ipmitool). It provides an interface to manage IPMI functions on a local (in-band) or remote (out-of-band) system.

Vulnerability details:

This advisory explores a potential causal relationship between two recent vulnerabilities:

  • CVE-2025-23256 – A high-severity vulnerability in the NVIDIA BlueField DPU management interface that allows a local attacker to bypass authorization and modify device configuration.

https://nvidia.custhelp.com/app/answers/detail/a_id/5655

  • CVE-2025-38456 – A moderate-severity vulnerability in the Linux IPMI message handler: in ipmi_create_user(), the list iterator is left pointing at an invalid address when no interface with the requested number is found, and the subsequent atomic_dec(&intf->nr_users) on that pointer corrupts memory.

https://nvd.nist.gov/vuln/detail/CVE-2025-38456
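To make the kernel flaw concrete, here is an added user-space model of the list-iterator pitfall behind CVE-2025-38456. It is not kernel code: the list macros are simplified re-implementations of the <linux/list.h> ones, and the struct and field names only echo the kernel’s. The point it shows is that list_for_each_entry() leaves its iterator equal to container_of(head) when the loop runs to completion without a match, so any use of the iterator after the loop touches memory that is not a list element.

```c
/* Added example, not kernel code: a user-space model of the list-iterator
 * pitfall that CVE-2025-38456 fixed in ipmi_create_user(). The kernel's
 * list_for_each_entry() leaves its iterator pointing at container_of(head)
 * when the loop completes without a match, so touching it afterwards
 * (atomic_dec(&intf->nr_users) in the kernel) corrupts whatever sits next to
 * the list head. Struct and field names echo the kernel's; the list macros
 * below are simplified re-implementations, not <linux/list.h>. */
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Same shape as the kernel macro: `pos` is NOT reset when the loop ends
 * without a break; it is left equal to container_of(head). */
#define list_for_each_entry(pos, head, member)                          \
    for (pos = container_of((head)->next, __typeof__(*pos), member);   \
         &pos->member != (head);                                        \
         pos = container_of(pos->member.next, __typeof__(*pos), member))

struct ipmi_intf {
    struct list_head link;
    int intf_num;
    int nr_users;
};

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n;  h->prev = n;
}

/* Vulnerable shape: the iterator is used after the loop. With no match it is
 * container_of(head), a pointer into memory that is not an ipmi_intf. */
struct ipmi_intf *lookup_unsafe(struct list_head *head, int if_num)
{
    struct ipmi_intf *intf;
    list_for_each_entry(intf, head, link) {
        if (intf->intf_num == if_num)
            break;
    }
    return intf;            /* never NULL, even when nothing matched */
}

/* Fixed shape: a separate result pointer that stays NULL unless matched. */
struct ipmi_intf *lookup_safe(struct list_head *head, int if_num)
{
    struct ipmi_intf *intf, *found = NULL;
    list_for_each_entry(intf, head, link) {
        if (intf->intf_num == if_num) {
            found = intf;
            break;
        }
    }
    return found;
}

/* 1 if `p` is a genuine element of the list, 0 otherwise (pointer compare only). */
int is_real_entry(struct list_head *head, const struct ipmi_intf *p)
{
    struct ipmi_intf *it;
    list_for_each_entry(it, head, link)
        if (it == p)
            return 1;
    return 0;
}

/* Build a two-interface list (intf_num 0 and 1) and look up a missing number.
 * Returns 1 when the unsafe lookup yields a bogus non-NULL pointer while the
 * safe lookup yields NULL; the bogus pointer is compared, never dereferenced. */
int demo_missing_interface(void)
{
    static struct list_head head;
    static struct ipmi_intf a = { .intf_num = 0, .nr_users = 1 };
    static struct ipmi_intf b = { .intf_num = 1, .nr_users = 1 };
    list_init(&head);
    list_add_tail(&a.link, &head);
    list_add_tail(&b.link, &head);

    struct ipmi_intf *bad  = lookup_unsafe(&head, 7);   /* no interface 7 */
    struct ipmi_intf *good = lookup_safe(&head, 7);
    return bad != NULL && !is_real_entry(&head, bad) && good == NULL;
}

int main(void)
{
    printf("unsafe lookup returned a bogus pointer, safe returned NULL: %d\n",
           demo_missing_interface());
    return 0;
}
```

The fix in the kernel has the same shape as lookup_safe(): keep a separate pointer that is only assigned inside the loop, and treat NULL as "interface not found" instead of decrementing through the iterator.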

Recommendations

  1. Patch the kernel IPMI subsystem: make sure the fix for CVE-2025-38456 is present in the kernel running on the BlueField Arm cores and on any host that loads the ipmi_msghandler module.
  2. Update BlueField firmware: apply NVIDIA’s latest firmware update addressing CVE-2025-23256.
  3. Audit IPMI access controls: review who can open /dev/ipmi0 (device node ownership and mode, udev rules) and who can run ipmitool; only accounts that genuinely need BMC access should have either.

CVE-2025-9999: About TCP-based client/server Networking feature of PcVue. (9th Sep 2025)

Preface: PcVue is a well-known and highly regarded SCADA solution, renowned for its innovation and user-friendliness, despite facing competition from larger, more dominant SCADA vendors. While not the most popular solution, PcVue’s strengths in user configuration, advanced HMI functionality, and integration capabilities have solidified its position in the market.

Background: Key Objectives of PcVue SCADA

Supervisory Control and Monitoring: To offer a centralized platform for operators to monitor and control complex industrial processes and large-scale infrastructure in real-time.

Data Acquisition and Analysis: To collect, process, and convert raw data into actionable information, providing operators with relevant alerts, reports, and historical data for informed decision-making.

Vulnerability details: Some payload elements of the messages sent between two stations in a networking architecture are not properly checked on the receiving station allowing an attacker to execute unauthorized commands in the application.

Official announcement: Please see the link for details

https://www.pcvue.com/security/#SB2025-4

How to Prevent This:

Input Validation: Never trust a peer station’s input. Validate every payload element (type, length, allowed range) against a strict schema before acting on it.

Command Execution Hardening:
  • Dispatch only commands from an explicit allowlist; never derive a command, function or file path directly from the message.
  • Avoid os.system() or shell execution; where a process must be spawned, use an API that takes an argument list, such as subprocess.run().

Authentication & Authorization: Ensure only authenticated peer stations and authorized users can send control commands.

Network Filtering and Inspection: The station-to-station traffic is a proprietary TCP protocol, not HTTP, so a web application firewall will not see it. Restrict the networking port to known peer addresses at the firewall and use an IDS that can flag unexpected command traffic between stations.
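The advisory text says payload elements are not checked on the receiving station. The following added example (hypothetical, not PcVue code) shows what that defect class looks like in a station-to-station command receiver and what the checks above amount to in practice. The wire format, command ids and handler names are invented for the demo.

```c
/* Added example, not PcVue code: a hypothetical station-to-station command
 * receiver showing the defect class in SB2025-4 (payload elements not checked
 * on the receiving station) beside a hardened version. The wire format is
 * invented for illustration:
 *   byte 0     command id
 *   bytes 1-2  payload length, big-endian
 *   bytes 3..  payload
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { CMD_READ_TAG = 0, CMD_WRITE_TAG = 1, CMD_ACK_ALARM = 2, CMD_COUNT = 3 };
enum { E_SHORT = -1, E_CMD = -2, E_LEN = -3, E_AUTH = -4 };
#define MAX_PAYLOAD 64

typedef int (*handler_fn)(const uint8_t *payload, size_t len);

/* Stub handlers: they ignore the payload and return a tag so the caller can
 * tell which one ran. A real handler would parse the payload. */
static int h_read(const uint8_t *p, size_t n)  { (void)p; (void)n; return 10; }
static int h_write(const uint8_t *p, size_t n) { (void)p; (void)n; return 11; }
static int h_ack(const uint8_t *p, size_t n)   { (void)p; (void)n; return 12; }
/* An internal routine that was never meant to be reachable from a peer. */
static int h_maint_shell(const uint8_t *p, size_t n) { (void)p; (void)n; return 99; }

static const handler_fn handlers[] = { h_read, h_write, h_ack, h_maint_shell };

/* Vulnerable shape: the command id is used as a table index without a bound
 * (id 3 reaches the maintenance routine, larger ids read past the table) and
 * the declared length is trusted without comparing it to the bytes received.
 * Because the stubs ignore the payload, this demo does not actually read out
 * of bounds; the point is the missing checks. Only call with id <= 3. */
int dispatch_unchecked(const uint8_t *msg, size_t msg_len)
{
    (void)msg_len;
    uint8_t cmd = msg[0];
    size_t len = ((size_t)msg[1] << 8) | msg[2];
    return handlers[cmd](msg + 3, len);
}

/* Hardened shape: every field is checked before dispatch, and control
 * commands additionally require an authenticated peer session. */
int dispatch_checked(const uint8_t *msg, size_t msg_len, int peer_authenticated)
{
    if (msg_len < 3) return E_SHORT;
    uint8_t cmd = msg[0];
    size_t len = ((size_t)msg[1] << 8) | msg[2];
    if (cmd >= CMD_COUNT) return E_CMD;                          /* explicit allowlist */
    if (len > MAX_PAYLOAD || len != msg_len - 3) return E_LEN;   /* declared == actual */
    if (cmd != CMD_READ_TAG && !peer_authenticated) return E_AUTH;
    return handlers[cmd](msg + 3, len);
}

int main(void)
{
    /* Constructed messages: id 3 is outside the allowlist. */
    const uint8_t rogue[] = { 3, 0x00, 0x00 };
    const uint8_t write_ok[] = { CMD_WRITE_TAG, 0x00, 0x02, 0x12, 0x34 };
    const uint8_t read_bad_len[] = { CMD_READ_TAG, 0x00, 0x10, 0x01 };  /* claims 16, carries 1 */

    printf("unchecked rogue id -> handler %d\n", dispatch_unchecked(rogue, sizeof rogue));
    printf("checked   rogue id -> %d\n", dispatch_checked(rogue, sizeof rogue, 1));
    printf("checked   write, authenticated -> %d\n", dispatch_checked(write_ok, sizeof write_ok, 1));
    printf("checked   write, unauthenticated -> %d\n", dispatch_checked(write_ok, sizeof write_ok, 0));
    printf("checked   read with bad length -> %d\n", dispatch_checked(read_bad_len, sizeof read_bad_len, 1));
    return 0;
}
```

Note the order of checks: the allowlist comes first so that no handler is even looked up for an unknown id, the length is compared with what was actually received rather than clamped, and authorization is decided per command rather than per connection.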

CVE-2025-21484: About Qualcomm – Enhanced Validation of Array Index in Multi-Mode Call Processor (8th Sep 2025)

Preface: A Public Land Mobile Network (PLMN) is a public cellular network run by an operator, while Non-Public Networks (NPNs) serve specific users such as enterprises. Standalone NPNs (SNPNs) are completely independent, dedicated networks that do not rely on the functionality of a public PLMN.

Background: “Qualcomm Multi-Mode Call Processor” is a component of their Modem-RF system, which is a comprehensive 5G module-RF system designed to provide multi-band, multi-mode connectivity for various devices. These integrated solutions combine the cellular modem, RF transceiver, and RF front-end components to enable 5G, 4G LTE, and legacy cellular network support in a single, cohesive platform.

Each PLMN is identified by a PLMN ID made up of a Mobile Country Code (MCC) and a Mobile Network Code (MNC). The UE uses this ID to distinguish between PLMNs. Steering of Roaming (SOR) lets the home operator send the UE a prioritised list of PLMNs to try, and the UE keeps track of the PLMNs from that list on which registration failed; that failed list is the data the vulnerable selection code indexes.

Vulnerability details:

Title – Improper Validation of Array Index in Multi-Mode Call Processor

Description – Memory corruption while selecting the PLMN from SOR failed list.

Vulnerability Type – CWE-129 Improper Validation of Array Index

Official announcement: Please refer to the link for details –

https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html

Best Practices
  • Always validate array indices before access, especially indices and counts derived from data received over the air.
  • Use safer memory functions or wrappers that include bounds checking.
  • Monitor heap usage and implement memory pressure handling routines.
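What CWE-129 looks like in code of this kind, as an added example that is not Qualcomm’s code: a hypothetical decoder for an SOR failed-PLMN list and a selection routine, with and without index validation. The byte layout (a count byte followed by 2-byte MCC and 2-byte MNC per entry) is invented for the demo; real SOR lists use BCD-packed PLMN IDs.

```c
/* Added example, not Qualcomm code: a hypothetical decoder for a Steering of
 * Roaming (SOR) "failed PLMN" list and a selection routine, shown with and
 * without index validation (CWE-129). The encoding is invented for the demo:
 *   byte 0            entry count
 *   then per entry    MCC (2 bytes BE), MNC (2 bytes BE)
 * Real SOR lists use BCD-packed PLMN IDs; the layout here only serves to
 * show where untrusted counts and indices must be checked. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SOR_MAX_PLMN 8

struct plmn_id { uint16_t mcc, mnc; };

struct sor_failed_list {
    uint8_t count;                      /* taken from the message: untrusted */
    struct plmn_id plmn[SOR_MAX_PLMN];
};

enum { SOR_OK = 0, SOR_E_SHORT = -1, SOR_E_COUNT = -2, SOR_E_INDEX = -3 };

/* Decoder: rejects a count that does not fit the fixed array or the buffer. */
int sor_decode(const uint8_t *buf, size_t n, struct sor_failed_list *out)
{
    memset(out, 0, sizeof *out);
    if (n < 1) return SOR_E_SHORT;
    uint8_t count = buf[0];
    if (count > SOR_MAX_PLMN) return SOR_E_COUNT;           /* would overrun plmn[] */
    if (n < 1 + (size_t)count * 4) return SOR_E_SHORT;      /* would overread buf */
    for (uint8_t i = 0; i < count; i++) {
        const uint8_t *e = buf + 1 + i * 4;
        out->plmn[i].mcc = (uint16_t)((e[0] << 8) | e[1]);
        out->plmn[i].mnc = (uint16_t)((e[2] << 8) | e[3]);
    }
    out->count = count;
    return SOR_OK;
}

/* Vulnerable shape: the index is applied straight to the array. An index
 * between count and SOR_MAX_PLMN-1 silently returns a stale/zero entry; an
 * index >= SOR_MAX_PLMN reads past the array (not exercised here). */
int sor_select_unchecked(const struct sor_failed_list *fl, unsigned idx, struct plmn_id *out)
{
    *out = fl->plmn[idx];
    return SOR_OK;
}

/* Hardened shape: the index must be below the decoded count, and the count
 * itself is re-checked against the array bound in case it was set elsewhere. */
int sor_select_checked(const struct sor_failed_list *fl, unsigned idx, struct plmn_id *out)
{
    if (fl->count > SOR_MAX_PLMN) return SOR_E_COUNT;
    if (idx >= fl->count) return SOR_E_INDEX;
    *out = fl->plmn[idx];
    return SOR_OK;
}

int main(void)
{
    /* Constructed list: two failed PLMNs, 310/410 and 310/260. */
    const uint8_t good[] = { 2, 0x01, 0x36, 0x01, 0x9A, 0x01, 0x36, 0x01, 0x04 };
    /* Constructed hostile list: claims 200 entries. */
    const uint8_t hostile[] = { 200, 0x01, 0x36, 0x01, 0x9A };
    struct sor_failed_list fl;
    struct plmn_id p;

    printf("decode good: %d\n", sor_decode(good, sizeof good, &fl));
    printf("checked idx 1: %d (mcc %u mnc %u)\n", sor_select_checked(&fl, 1, &p), p.mcc, p.mnc);
    printf("checked idx 2: %d\n", sor_select_checked(&fl, 2, &p));
    printf("unchecked idx 2: %d (mcc %u mnc %u, stale)\n", sor_select_unchecked(&fl, 2, &p), p.mcc, p.mnc);
    printf("decode hostile: %d\n", sor_decode(hostile, sizeof hostile, &fl));
    return 0;
}
```

Two bounds matter and they are different: the count from the message must be checked against the storage the firmware actually has (SOR_MAX_PLMN), and any index computed later must be checked against that count, not against the storage size, otherwise stale entries are silently selected.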

Myth and Reality (Nibiru in Sumerian Mythology to the Real Version of “3I/ATLAS”) – 5th Sep 2025

Preface: In 1976, Zecharia Sitchin published The Twelfth Planet, in which he presented his own translations of Sumerian texts as describing a planet called Nibiru.

About the Myth: According to the late Zecharia Sitchin, the planet Nibiru of Sumerian mythology orbits the Sun in an elongated ellipse with a period of 3,600 years and makes periodic close passes by Earth.

The earliest evidence of Sumerian civilization dates to around 5300 BCE, so from that point to 2025 CE is approximately 7,325 years. If instead you count the flourishing of the civilization, from its beginning in the late Neolithic/early Bronze Age around 5300 BCE to its downfall around 1940 BCE, Sumer lasted roughly 3,360 years.

Status of 3I/ATLAS (4th Sep 2025)

On September 4, 2025, the interstellar comet 3I/ATLAS was passing through the main asteroid belt. It could be observed with space telescopes such as NASA’s Webb and Hubble, and from the ground with large amateur telescopes equipped with specialized instruments, as it approached its closest point to the Sun, which it will reach just inside Mars’s orbit in late October. It will be unobservable for several weeks while it is too close to the Sun in the sky, then reemerge in early December 2025 and continue its journey.

The Webb and Hubble teams have observed interstellar object 3I/ATLAS and found it to be outgassing. Compared with typical comets in our solar system, the surprising finding is that the outgassing is dominated by carbon dioxide rather than water. The teams are analyzing data that confirm 3I/ATLAS is an active comet, with outgassing producing a coma of gas.

By analyzing the color of the light, specifically using spectroscopy, astronomers can determine the composition of this expelled material and learn about the object’s origin and the conditions in its home system.

End.

CVE-2025-21483: About Qualcomm – Enhanced Restriction of Operations within the Bounds of a Memory Buffer

(5th Sep 2025)

Officially published: 1st Sep 2025

Preface: The Real-time Transport Protocol (RTP) is an application-layer protocol, typically carried over UDP, for real-time transmission of media such as audio and video over IP networks. RTP is not part of the modem’s RF (radio frequency) system, which handles the wireless signal, but it works with 5G modem-RF systems by carrying the actual media data for real-time applications such as Voice over LTE (VoLTE) and 5G voice.

Background: “RTP NALU” refers to the encapsulation of a Network Abstraction Layer Unit (NALU) in RTP packets, the mechanism RFC 6184 defines for H.264 video streaming. A NALU is the basic data unit of H.264 video compression. When a NALU is larger than the path MTU it is split into fragmentation units (FU-A or FU-B) carried in several RTP packets, and the receiver reassembles the fragments back into one NALU; that reassembly is where the bulletin places the bug.

Vulnerability details: Improper Restriction of Operations within the Bounds of a Memory Buffer in Data Network Stack & Connectivity.

Description: Memory corruption when the UE receives an RTP packet from the network, during the reassembly of NALUs.

Technology Area: Data Network Stack & Connectivity.

Vulnerability Type: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer.

Why the 5G Modem-RF System Is Involved?

  • The modem firmware handles real-time media transport, including RTP for VoLTE and 5G voice.
  • RTP/NALU reassembly is part of the packet processing pipeline in the modem’s data network stack.
  • This is firmware-level code with manual memory management (C/C++), so a missing length check becomes a memory-safety bug.
  • A malformed sequence of RTP fragments from the network can therefore corrupt modem memory, and because it is triggered by received packets no user interaction is needed. Note that the bulletin describes memory corruption, not a confirmed code-execution path, and the affected code runs in the modem firmware rather than in the application processor’s kernel.
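The reassembly step the bulletin names, as an added example that is not Qualcomm’s code: FU-A fragment handling per RFC 6184 section 5.8, written once as the vulnerable accumulator and once with the bound that is missing in CWE-119 bugs of this kind. The fragments are constructed for the demo and NALU_MAX is deliberately tiny so the overflow condition is easy to reach.

```c
/* Added example, not Qualcomm code: FU-A fragment reassembly for H.264 over
 * RTP (RFC 6184 section 5.8), the operation the bulletin names, shown as a
 * vulnerable accumulator beside a bounds-checked one (CWE-119). Payload
 * layout per RFC 6184: FU indicator (F|NRI|type 28), FU header (S|E|R|type),
 * then fragment bytes. NALU_MAX is deliberately tiny so the demo overflows
 * quickly; real implementations size it for the negotiated level/MTU. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NALU_MAX 32

struct reasm {
    uint8_t buf[NALU_MAX];
    size_t len;
    int in_progress;
};

enum { R_NEED_MORE = 0, R_COMPLETE = 1, R_E_LEN = -1, R_E_STATE = -2, R_E_SHORT = -3, R_E_TYPE = -4 };

/* Vulnerable shape: fragments are appended until the E bit arrives, with no
 * check that the running total fits in buf[]. A sender that withholds E and
 * keeps fragmenting writes past the end. Not called with oversize input here. */
int fu_a_push_unchecked(struct reasm *r, const uint8_t *pl, size_t n)
{
    uint8_t fu_ind = pl[0], fu_hdr = pl[1];
    if (fu_hdr & 0x80) {                                      /* S: start of NALU */
        r->len = 0;
        r->buf[r->len++] = (fu_ind & 0xE0) | (fu_hdr & 0x1F); /* rebuild NAL header */
    }
    memcpy(r->buf + r->len, pl + 2, n - 2);                   /* unbounded append */
    r->len += n - 2;
    return (fu_hdr & 0x40) ? R_COMPLETE : R_NEED_MORE;
}

/* Hardened shape: validate length, type and state; reject an append that
 * would exceed the buffer and drop the partial NALU so the stream resyncs. */
int fu_a_push_checked(struct reasm *r, const uint8_t *pl, size_t n)
{
    if (n < 2) return R_E_SHORT;
    uint8_t fu_ind = pl[0], fu_hdr = pl[1];
    int s = (fu_hdr & 0x80) != 0, e = (fu_hdr & 0x40) != 0;
    size_t dlen = n - 2;
    if ((fu_ind & 0x1F) != 28) return R_E_TYPE;              /* not an FU-A packet */
    if (s) {
        r->len = 0;
        r->in_progress = 1;
        r->buf[r->len++] = (fu_ind & 0xE0) | (fu_hdr & 0x1F);
    } else if (!r->in_progress) {
        return R_E_STATE;                                     /* lost the S fragment */
    }
    if (dlen > NALU_MAX - r->len) {                           /* the missing bound */
        r->in_progress = 0;
        r->len = 0;
        return R_E_LEN;
    }
    memcpy(r->buf + r->len, pl + 2, dlen);
    r->len += dlen;
    if (e) {
        r->in_progress = 0;
        return R_COMPLETE;
    }
    return R_NEED_MORE;
}

/* Feeds a constructed two-fragment IDR slice (NRI 3, type 5) through the
 * checked path; returns the reassembled length (6 = header + 5 data bytes). */
int demo_reassemble(void)
{
    struct reasm r = {0};
    const uint8_t frag1[] = { 0x7C, 0x85, 'a', 'b', 'c' };   /* S=1, type 5 */
    const uint8_t frag2[] = { 0x7C, 0x45, 'd', 'e' };        /* E=1, type 5 */
    if (fu_a_push_checked(&r, frag1, sizeof frag1) != R_NEED_MORE) return -1;
    if (fu_a_push_checked(&r, frag2, sizeof frag2) != R_COMPLETE) return -1;
    return r.buf[0] == 0x65 ? (int)r.len : -1;               /* 0x65 = NRI 3 | type 5 */
}

/* A start fragment that exactly fills the buffer, then one more byte without
 * E: returns the result of the second push (R_E_LEN on the checked path). */
int demo_overflow_rejected(void)
{
    struct reasm r = {0};
    uint8_t big[2 + (NALU_MAX - 1)];
    memset(big, 'x', sizeof big);
    big[0] = 0x7C; big[1] = 0x85;
    const uint8_t more[] = { 0x7C, 0x05, 'y' };              /* neither S nor E */
    if (fu_a_push_checked(&r, big, sizeof big) != R_NEED_MORE) return -99;
    return fu_a_push_checked(&r, more, sizeof more);
}

int main(void)
{
    printf("reassembled NALU length: %d\n", demo_reassemble());
    printf("oversize fragment result: %d (expect %d)\n", demo_overflow_rejected(), R_E_LEN);
    return 0;
}
```

The two functions differ only in the state and length checks; the unchecked one is exactly what a receiver looks like when the author assumes the network will always send a well-formed fragment sequence, which is the assumption an attacker on the network side gets to violate.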

Official announcement: Please see the link for details –

https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html

CVE-2025-23257 and CVE-2025-23258: About NVIDIA DOCA (4th Sep 2025)

Preface: An NVIDIA endless “collect-export” loop refers to the standard, continuous operation of the DOCA Telemetry Service (DTS), where telemetry data is perpetually collected and then exported. While high-frequency telemetry (HFT) offers an external, triggered alternative, the standard DTS flow is designed to run indefinitely, collecting data from the Sysfs provider and potentially exporting it via Prometheus or Fluent Bit.

Background: CUDA (Compute Unified Device Architecture) and DOCA (Data Center Infrastructure-on-a-Chip Architecture) are both NVIDIA SDKs, but they serve distinct purposes and target different hardware.

CUDA SDK: Primarily designed for general-purpose computing on NVIDIA GPUs. It enables developers to program accelerated computing applications by leveraging the parallel processing power of GPUs.

DOCA SDK: Built specifically for NVIDIA BlueField Data Processing Units (DPUs) and SuperNICs, aiming to accelerate data center infrastructure tasks. It enables offloading infrastructure-related workloads from the host CPU to the DPU.

DOCA Telemetry Service (DTS) is a DOCA Service for collecting and exporting telemetry data. It can run on hosts and BlueField, collecting data from built-in providers and external telemetry applications. The service supports various providers, including sysfs, ethtool, ifconfig, PPCC, DCGM, NVIDIA SMI, and more.

Ref: The binary data can be read using the /opt/mellanox/collectx/bin/clx_read app, packaged in collectx-clxapidev , a DOCA dependency package.

Vulnerability details:

CVE-2025-23257: NVIDIA DOCA contains a vulnerability in the collectx-clxapidev Debian package that could allow an actor with low privileges to escalate privileges. A successful exploit of this vulnerability might lead to escalation of privileges.

CVE-2025-23258: NVIDIA DOCA contains a vulnerability in the collectx-dpeserver Debian package for arm64 that could allow an attacker with low privileges to escalate privileges. A successful exploit of this vulnerability might lead to escalation of privileges.

Official announcement: Please see the link for details –

https://nvidia.custhelp.com/app/answers/detail/a_id/5655

CVE-2025-9671 through CVE-2025-9675 are related to AndroidManifest[.]xml. Are they dangerous? (3rd Sep 2025)

NVD Published Date: 08/29/2025

NVD Last Modified: 08/29/2025

Preface: If access to an exported Service is not restricted, any application may start and bind to the Service. Depending on the exposed functionality, this may allow a malicious application to perform unauthorized actions, gain access to sensitive information, or corrupt the internal state of the application.

Background: In AndroidManifest.xml, components (activities, services, broadcast receivers and content providers) can declare the android:exported attribute. When it is true, other applications can launch or interact with that component. Before Android 12, a component with an intent filter was implicitly exported unless the attribute was explicitly set to false; apps targeting Android 12 (API level 31) or later must declare the attribute explicitly for such components. A component that is exported without a permission requirement or input validation is the vulnerability these CVEs describe.

Vulnerability details: See below –

CVE-2025-9671 (CVSS 5.3) UAB Paytend App (≤ 2.1.9)

– Improper export of application components via AndroidManifest.xml

– Exploitable by a local app on the same device

– CWE-926

CVE-2025-9672 (CVSS 5.3) Rejseplanen App (≤ 8.2.2)

– Improper export of application components via AndroidManifest.xml

– Exploitable by a local app on the same device

– CWE-926

CVE-2025-9673 (CVSS 5.3) Kakao Hey Kakao App (≤ 2.17.4)

– Improper export of application components via AndroidManifest.xml

– Exploitable by a local app on the same device

– CWE-926

CVE-2025-9674 (CVSS 5.3) Transbyte Scooper News App (≤ 1.2)

– Improper export of application components via AndroidManifest.xml

– Exploitable by a local app on the same device

– CWE-926

CVE-2025-9675 (CVSS 5.3) Voice Changer App (≤ 1.1.0)

– Improper export of application components via AndroidManifest.xml

– Exploitable by a local app on the same device

– CWE-926

Official announcement: Please see the link for details

https://nvd.nist.gov/vuln/detail/CVE-2025-9671

https://nvd.nist.gov/vuln/detail/CVE-2025-9672

https://nvd.nist.gov/vuln/detail/CVE-2025-9673

https://nvd.nist.gov/vuln/detail/CVE-2025-9674

https://nvd.nist.gov/vuln/detail/CVE-2025-9675

CVE-2025-6203: Vault Community Edition and Vault Enterprise , staying alert! (2nd Sep 2025)

Published: 2025-08-28

Updated: 2025-08-28

Preface: Centralized credential stores are common, and SAML shows why: it centralizes authentication and authorization so that a single Identity Provider (IdP) manages user credentials instead of each Service Provider (SP) storing them. This reduces the attack surface and enables Single Sign-On (SSO), where users log in once to access multiple applications. Vault plays the same centralizing role for machine secrets, which is why a flaw that can make it unresponsive deserves attention.

Background: Vault Community Edition is a free, self-managed secrets management tool offering the core features for small-scale deployments. It handles fundamental secrets management in CI/CD well, but it lacks the advanced features that larger enterprises need for scalability, compliance, and reliability.

Organizations with strict security and operational requirements for production typically use Vault Enterprise or the managed HashiCorp Cloud Platform (HCP). Vault Enterprise is a paid product for large organizations with advanced capabilities such as disaster recovery (DR), cross-datacenter replication, Sentinel policy enforcement, and namespaces for tenant isolation and governance. Enterprise also provides dedicated support and features for complex, mission-critical environments with stringent compliance needs.

Vulnerability details: A malicious user may submit a specially crafted complex payload that otherwise meets the default request size limit, which results in excessive memory and CPU consumption in Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially causing the Vault server to become unresponsive. Note that the request size limit alone does not protect against this, since the payload stays within it; the fix is in the affected versions. This vulnerability, CVE-2025-6203, is fixed in Vault Community Edition 1.20.3 and Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25.

Official announcement: Please refer to the link for more details –

https://nvd.nist.gov/vuln/detail/CVE-2025-6203

Gmail suffered a 2 million data breach – an SSO situation can be ambushed from all sides (1st Sep 2025)

Quote: Google warns 2.5B Gmail users to update passwords after data breach of one of its databases – https://nypost.com/2025/08/27/business/google-warns-2-5-billion-gmail-users-to-update-passwords-after-hackers-complete-successful-intrusions/

Preface: More than 2.5 billion Gmail users could be at risk following a cyberattack that compromised a Google database managed through Salesforce’s cloud platform. The attack, which began in June 2025, relied on social engineering. According to Google’s Threat Intelligence Group (GTIG), scammers impersonated IT staff in convincing phone calls and persuaded a Google employee to approve a malicious application connected to Salesforce. This gave the attackers the ability to exfiltrate contact details, business names, and related notes. (Source: Trend Micro) – https://news.trendmicro.com/2025/08/26/google-data-breach-gmail/ Note that, by this account, what was exfiltrated was CRM contact data rather than Gmail passwords; the advice to update passwords is a precaution against the follow-on phishing and vishing that such contact lists enable.

Background: BeyondCorp® is a cybersecurity architecture developed at Google that shifts access control from the traditional network perimeter to individual devices and users. The goal is to enable users to securely work anytime, anywhere and on any device without having to use a virtual private network, or VPN, to access an organization’s resources.

Google uses OpenID Connect (OIDC) for its “Sign in with Google” functionality: Google acts as an OpenID Provider that issues ID Tokens, which are JSON Web Tokens (JWTs), to authenticate users and share identity information with client applications. This allows users to log in to other websites and applications with their Google account, giving a simpler single sign-on (SSO) experience. The flip side is that a compromised Google account, or a consent prompt approved by a tricked user, reaches every application that trusts that identity.

OAuth 2.0 is an authorization framework, OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 to provide user authentication and identity information. OAuth 2.0 focuses on granting access to protected resources, while OIDC extends it to verify a user’s identity and share their profile information with third-party applications.

About the title: Please see the attached diagram.

Ref: Gmail utilizes a protocol called OpenID Connect (OIDC) for authentication, which is built on top of the OAuth 2.0 authorization framework. This protocol allows users to log in to various applications by authenticating with their Google Account without sharing their passwords directly, enabling both authentication (verifying identity) and authorization (granting access to specific data). For Gmail access, OAuth 2.0 is used for authorization, while OIDC provides the user authentication mechanism, returning an ID Token in addition to an access token for identity verification.

IEC 62351 is the official security extension for IEC 60870-5-104. How OpenSSL assists. (29th Aug 2025)

Preface: Two of the most often used protocols in SCADA networks are Modbus and IEC 60870-5. A communication protocol is a collection of rules that enable two or more networked entities to exchange information; both the transmitter and the recipient must agree on the protocol.

Background: In IEC 60870-5-104 (IEC-104), the APCI control field of an information (I-format) frame carries two 15-bit sequence numbers that manage ordered information transfer: the Send Sequence Number N(S) (SSN), which the sending station increments for each I-frame it sends, and the Receive Sequence Number N(R) (RSN), which acknowledges I-frames received from the peer. An N(R) value of k acknowledges every I-frame with N(S) up to k-1. Each I-frame carries both numbers, its own N(S) and the N(R) for the peer’s traffic; the same N(R) can also be sent on its own in a supervisory (S-format) frame.

1. If station A sends I-frames with SSN 0, 1 and 2, its next I-frame will carry SSN 3.

2. When station B, having received those three frames, sends its own I-frame (or an S-frame), it sets RSN to 3, acknowledging the frames with SSN 0, 1 and 2 in one go.

Cyber-security focus: The IEC 60870-5-104 protocol, usually carried on TCP port 2404, is widely used in industrial control systems but has no built-in authentication or encryption. That makes it susceptible to several types of attacks, including IP spoofing, session hijacking, replay attacks and unauthorized command injection: anyone who can reach the port and track the sequence numbers can speak the protocol.

How to Mitigate?

To secure IEC 60870-5-104, consider the following industry best practices:

1. Use IEC 62351 – This standard adds TLS encryption, authentication, and integrity checks to IEC protocols.

    It’s the official security extension for IEC 60870-5-104.

2. Network Segmentation – Isolate control networks from corporate or public networks.

    Use firewalls and VLANs to restrict access.

3. IP Whitelisting and Port Hardening – Only allow known IP addresses to connect to the IEC server (TCP port 2404 by default).

    Moving the service to a non-default port hides it only from casual scans; monitoring for unusual traffic to the port is what actually catches an intruder.

4. Deep Packet Inspection (DPI) – Use industrial firewalls or intrusion detection systems (IDS) that understand IEC 104 traffic.

    Detect anomalies in SSN/RSN behavior or unauthorized commands.

5. Secure Boot and Firmware Validation – Ensure that devices running IEC 104 are not compromised at the firmware level.
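To show both the SSN/RSN mechanics described in the background and the kind of anomaly detection item 4 asks for, here is an added example (not from the standard text or any vendor): a parser for the 6-octet IEC 60870-5-104 APCI and a per-link monitor that flags replayed or injected I-frames and acknowledgements for frames that were never sent. The frames are constructed for the demo and the ASDU body is not decoded.

```c
/* Added example, not from the IEC standard text or any vendor: a parser for
 * the 6-octet IEC 60870-5-104 APCI and a per-link monitor of the kind a DPI
 * sensor could run on port 2404 to flag the sequence-number anomalies the
 * post mentions. Frames below are constructed for the demo; the ASDU body
 * is not decoded. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum apci_type { APCI_I, APCI_S, APCI_U };

struct apci {
    enum apci_type type;
    uint16_t ns, nr;      /* 15-bit N(S) / N(R); ns only meaningful for I-format */
    uint8_t  u_func;      /* U-format function bits (control octet 1 & 0xFC) */
    uint8_t  apdu_len;
};

#define U_STARTDT_ACT 0x04
#define U_TESTFR_ACT  0x40

/* Returns 0 and fills *out on success, -1 on a malformed APCI. */
int apci_parse(const uint8_t *p, size_t n, struct apci *out)
{
    if (n < 6 || p[0] != 0x68) return -1;
    uint8_t apdu_len = p[1];                       /* octets following the length field */
    if (apdu_len < 4 || (size_t)apdu_len + 2 > n) return -1;
    uint8_t cf1 = p[2], cf2 = p[3], cf3 = p[4], cf4 = p[5];
    out->apdu_len = apdu_len;
    out->u_func = 0;
    out->ns = 0;
    out->nr = (uint16_t)(((cf4 << 8) | cf3) >> 1);           /* N(R) in octets 3-4, bit 0 is 0 */
    if ((cf1 & 0x01) == 0) {                                 /* I-format: carries an ASDU */
        if (apdu_len == 4) return -1;
        out->type = APCI_I;
        out->ns = (uint16_t)(((cf2 << 8) | cf1) >> 1);       /* N(S) in octets 1-2 */
    } else if ((cf1 & 0x03) == 0x01) {                       /* S-format: supervisory ack */
        if (apdu_len != 4 || cf2 != 0) return -1;
        out->type = APCI_S;
    } else {                                                 /* U-format: STARTDT/STOPDT/TESTFR */
        if (apdu_len != 4 || cf2 != 0 || cf3 != 0 || cf4 != 0) return -1;
        out->type = APCI_U;
        out->u_func = cf1 & 0xFC;
    }
    return 0;
}

/* Monitor state for one direction of one TCP connection. All counters are
 * modulo 32768, which the (x - y) & 0x7FFF arithmetic below respects. */
struct link_monitor {
    uint16_t expect_ns;   /* N(S) the peer should use next */
    uint16_t sent_ns;     /* number of I-frames this side has sent (its next N(S)) */
    uint16_t acked;       /* highest N(R) the peer has sent us */
};

enum { MON_OK = 0, MON_REPLAY_OR_INJECT = 1, MON_LOSS = 2, MON_BAD_ACK = 3 };

/* Classifies an inbound frame; `sent_ns` must be kept up to date by the caller
 * whenever this side transmits an I-frame. */
int monitor_inbound(struct link_monitor *m, const struct apci *a)
{
    if (a->type == APCI_U) return MON_OK;                     /* no sequence numbers */
    uint16_t unacked = (uint16_t)((m->sent_ns - m->acked) & 0x7FFF);
    uint16_t acking  = (uint16_t)((a->nr - m->acked) & 0x7FFF);
    if (acking > unacked) return MON_BAD_ACK;                 /* acks frames never sent, or goes backwards */
    m->acked = a->nr;
    if (a->type == APCI_S) return MON_OK;
    if (a->ns == m->expect_ns) {
        m->expect_ns = (uint16_t)((m->expect_ns + 1) & 0x7FFF);
        return MON_OK;
    }
    uint16_t behind = (uint16_t)((m->expect_ns - a->ns) & 0x7FFF);
    return behind < 0x4000 ? MON_REPLAY_OR_INJECT : MON_LOSS; /* old N(S) vs. a gap */
}

int main(void)
{
    /* Constructed frames: STARTDT act; an I-frame N(S)=0 N(R)=0 with a 1-octet dummy
     * ASDU; the same I-frame again (replay); an S-frame acknowledging 3 frames. */
    const uint8_t startdt[] = { 0x68, 0x04, 0x07, 0x00, 0x00, 0x00 };
    const uint8_t iframe0[] = { 0x68, 0x05, 0x00, 0x00, 0x00, 0x00, 0xAA };
    const uint8_t sframe3[] = { 0x68, 0x04, 0x01, 0x00, 0x06, 0x00 };
    struct link_monitor m = {0};
    struct apci a;

    apci_parse(startdt, sizeof startdt, &a);
    printf("STARTDT act: type U, func 0x%02X -> %d\n", a.u_func, monitor_inbound(&m, &a));
    apci_parse(iframe0, sizeof iframe0, &a);
    printf("I N(S)=%u N(R)=%u -> %d\n", a.ns, a.nr, monitor_inbound(&m, &a));
    printf("same I-frame again -> %d (replay)\n", monitor_inbound(&m, &a));
    apci_parse(sframe3, sizeof sframe3, &a);
    printf("S N(R)=%u with nothing sent -> %d (bad ack)\n", a.nr, monitor_inbound(&m, &a));
    m.sent_ns = 3;
    printf("S N(R)=%u after sending 3 -> %d\n", a.nr, monitor_inbound(&m, &a));
    return 0;
}
```

A passive sensor has to track both directions of every connection to keep sent_ns and acked right, and should treat MON_LOSS as a possible attack as well as packet loss, since an injected frame with a forged N(S) ahead of the window looks the same as a gap. None of this replaces IEC 62351: the monitor can only notice a forged frame after the fact, whereas TLS with client authentication prevents it from being accepted at all.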

End of topic.