Preface: Ubuntu Server 22.04 ships with NVIDIA BlueField DPUs as commercial-grade Linux distribution with continuous OS and security updates. DOCA software is available on every leading operating system as a standalone package without a bundled OS for Arm® and x86 architectures.
Background: The NVIDIA cloud-native supercomputing platform leverages the NVIDIA BlueField DPU architecture with high-speed, low-latency. The DPU enables native cloud services that let multiple users securely share resources without loss in application performance. HPC and AI communication frameworks and libraries play a critical role in determining application performance. Due to their latency and bandwidth-sensitive nature, offloading the libraries from the host CPU or GPU to the BlueField DPU creates the highest degree of overlap for parallel progression of communication and computation.
Vulnerability details: NVIDIA ConnectX Host Firmware for the BlueField Data Processing Unit contains a vulnerability where a restricted host may cause an incorrect user management error. A successful exploit of this vulnerability may lead to escalation of privileges.
CWE-286 Incorrect User Management
Official announcement: For details, please refer to the link –
Preface: Technicians tend to focus on zero-day vulnerability status. Makes sense. However, the computer world expands from workstations and intranets into the IoT world. The Internet of Things master put the workstation project into the IoT catalog early on. At the same time, software includes operating system platform and programming language design, and is not limited to Microsoft software product platforms. Therefore, any alleged vulnerability will be exploited by cybercriminals against real situations. Today, my focus in this brief topic is not on the severity of design flaws. The case was discovered in March last year. But there are still status updates today.
Background: The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, exit and more.
The /etc/nsswitch[.] conf file is used to configure which services are to be used to determine information such as hostnames, password files, and group files.
The Name Service Switch (NSS) configuration file, /etc/nsswitch[.]conf, is used by the GNU C Library.
Vulnerability details: A flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch[.]conf is configured with SUCCESS=continue or SUCCESS=merge.
Preface: Apple releases new iOS 15.7.9 and 16.6.1update for iPhone. iOS 15.7.9 and 16.6.1 like many of its predecessors, is a point upgrade and it patches up a security issue. But it doesn’t provides bug fixes technical details!
Background: The Core Graphics framework is based on the Quartz advanced drawing engine. It provides low-level, lightweight 2D rendering with unmatched output fidelity. You use this framework to handle path-based drawing, transformations, color management, offscreen rendering, patterns, gradients and shadings, image data management, image creation, and image masking, as well as PDF document creation, display, and parsing.
In macOS, Core Graphics also includes services for working with display hardware, low-level user input events, and the windowing system.
Vulnerability details: A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.6.9, macOS Big Sur 11.7.10, macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1, iOS 15.7.9 and iPadOS 15.7.9. Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
My speculation about this vulnerability: I observe that design weakness might happens when Quartz handle the CGdata. What is Quartz? The Core Graphics framework is based on the Quartz advanced drawing engine. Quartz handle path-based drawing, antialiased rendering, gradients, images, color management, PDF documents, and more.
When the CGDataProvider is finished using the memory buffer, it will call the routine pointer, giving your application the opportunity to release that buffer. In addition to the routine pointer, CGDataProviderCreateWithData accepts a pointer value that the computer will pass to the routine. If your application does not want to use the routine pointer, you can simply pass NULL for both of these parameters.
However, core services itself have the following guideline. after you’re finished with buffers that have have their own memory allocation, it’s important that you free the memory allocated to them:
sourceBuffer[.]free() destinationBuffer[.]free()
So, whether the weakness happen in this function. Refer to point 5 and 6 in attached diagram? Since the core service (point 6) buffer require define syntax to clear up. If not defined, a buffer overflow issue might occur!
Ref: There are a number of services in the operating system that can return CGImages to your application. The most obvious source is Core Graphics, which offers a number of routines for creating CGImages from various data sources. However, in addition to Quartz, you can obtain CGImages from other operating system services. For example, QuickTime provides the routine GraphicsImportCreateCGImage, which can create a CGImage from a QuickTime Graphics importer.
Preface: When technology world relies on cloud computing. Meanwhile fast switching includes high speed backbone will be counted. The technology shift physical network device go to virtual computing platform. That said, the traditional design goal one software installs to one hardware unit. For instance, a single operating system install on one hardware device has been change. The actual example are Cumulus Linux and Cisco IOS. Both are major players in cloud computing network switching technology.
Background: VXLAN is an encapsulation protocol that provides data center connectivity using tunneling to stretch Layer 2 connections over an underlying Layer 3 network. The VXLAN encapsulation mechanism encapsulates the IPv6 packets in the overlay as IPv4 UDP packets and uses IPv4 routing to transport the VXLAN encapsulated traffic. A switch virtual interfaces (SVI) or VLAN interface, is a virtual routed interface that connects a VLAN on the device to the Layer 3 router engine on the same device.
Remark: Virtual routing and forwarding (VRF) is an IP-based computer network technology that enables the simultaneous co-existence of multiple virtual routers (VRs) as instances or virtual router instances (VRIs) within the same router.
Vulnerability details: NVIDIA Cumulus Linux contains a vulnerability in forwarding where a VxLAN-encapsulated IPv6 packet received on the SVI interface with DMAC/DIPv6 set to the link-local address of the SVI interface may be incorrectly forwarded. A successful exploit may lead to information disclosure.
My observation: The inner IPv4/IPv6 packet is not really bound to any receiving interface and thus the End.DT4/DT6 sets the VRF (associated with the corresponding routing table) as the *receiving* interface. In other words, the End.DT4/DT6 processes a packet as if it has been received directly by the VRF (and not by one of its slave devices, if any). In this way, the VRF interface is used for routing the IPv4/IPv6 packet in according to the routing table configured by the End.DT4/DT6 instance.
*Vendors publish design limitations. But the impact could go beyond information leakage?
Preface: CWE-125 Out-of-Bounds Read is a type of software error that can occur when reading data from memory. This can happen if the program tries to read beyond the end of an array, for example. Out of bounds reads can lead to crashes or other unexpected vulnerabilities, and may allow an attacker to read sensitive information that they should not have access to.
Background: The Exynos DSP driver implements two distinct ioctl calls that are used to load images and graphs and boot the device. The DSP_IOC_BOOT ioctl loads the dsp’s firmware images, common libraries, an xml global kernel descriptor file and a linker file for linking libraries. In February 2021 Samsung made some changes in one of its low level drivers : the Digital Signal Processor (DSP) Linux driver. They removed one feature : the ability for untrusted apps to load a custom DSP firmware of their choice.
Vulnerability details: An issue was discovered in Exynos Mobile Processor 980 and 2100. An integer overflow at a buffer index can prevent the execution of requested services via a crafted application.
Preface: Redis is a standard key-value store, like a dictionary, containing multiple keys, each with its unique value that can be retrieved or pinned. It is similar to a data structure server that relies on various key values. Redis has built-in replica functionality. It can hold keys to 512MB.
Background: The Redis SORT_RO command is a read-only variant of the SORT command. It allows us to sort lists, sets, and sorted sets. The SORT command enables us to have the sorted elements returned to the client, or stored in a separate key. But the SORT_RO command only allows us to have them returned to the client.
Vulnerability details: Redis is an in-memory database that persists on disk. Redis does not correctly identify keys accessed by `SORT_RO` and as a result may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration. The problem exists in Redis 7.0 or newer and has been fixed in Redis 7.0.13 and 7.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Preface: The Qualcomm Neural Processing SDK is designed to help developers run one or more neural network models trained in TensorFlow, PyTorch,…
Background: Deep neural network (DNN) models can address these limitations of matrix factorization. DNNs can easily incorporate query features and item features (due to the flexibility of the input layer of the network), which can help capture the specific interests of a user and improve the relevance of recommendations.
• Network is a collection of connected layers
• DNN models are stored in DLC files
According to Qualcomm, the Qualcomm® QCS605 SoC is a high performance IoT System-on-Chip (SoCs) that incorporates key features for building advanced use cases encompassing machine learning, edge computing, sensor processing, voice UI enablement and integrated wireless connectivity.
Vulnerability details: A malformed DLC can trigger Memory Corruption in SNPE library due to out of bounds read, such as by loading an untrusted model (e.g. from a remote source).
Preface: The first-level (L1) cache is small enough to provide a one- or two-cycle access time. The second-level (L2) cache is also built from SRAM but is larger, and therefore slower, than the L1 cache. The processor first looks for the data in the L1 cache. If the L1 cache misses, the processor looks in the L2 cache.
Background: Refer to diagram. If a multiple request on point 2 and 3. In normal circumstances, the ID number will be added each time the number is found. Therefore, the URL field might end up looking like example shown below:
2,2,2,4,7,8,8,8,8,8,9,9
So above result has a significant influence on the performance of an algorithm, but in Java You have close to no control over how your data is arranged in memory. If this issue happen in CPU. The processor first looks for the data in the L1 cache. If CPU manufacturer do not focus this matter in design phase. Perhaps it will hit this vulnerability.
Vulnerability details:
CVE-2023-38468 – In urild service, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with System execution privileges needed
CVE-2023-38467 – In urild service, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with System execution privileges needed
Preface: Xiaomi and Samsung are MediaTek’s biggest clients
Background: MediaTek 8188 (MT8188) is a 64-bit ARM SoC introduced by MediaTek in 2022. The chip incorporates eight cores – six Cortex-A55 little cores and two Cortex-A78. Cortex-A78 can operate at up to 2.6 GHz. Cortex-A55 can operate at up to 2.0 GHz.
STC(Store Coprocessor Registers) writes a coprocessor register to memory (or multiple). It is unlikely to get much use out of the STC instruction without some custom coprocessor to use it on, since the behaviour and meaning of the generic coprocessor instructions is defined by the coprocessor itself.
Vulnerability details: In stc, there is a possible out of bounds read due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation.
Remark: According to my observation (predicting the possible cause of this vulnerability), please refer to the attached picture.
Reference I:
STC is available in all versions of the ARM architecture. STC2 is available in ARMv5T and above.
Reference II:
Race conditions are most commonly associated with computer science and programming. They occur when two computer program processes, or threads, attempt to access the same resource at the same time and cause problems in the system. Race conditions are considered a common issue for multithreaded applications.
Preface: AI (Artificial intelligence) moves from big data normalization to learning to understand data, so called trained. It require large amount of computer processing resources.
The machine learning process requires CPUs and GPUs. GPUs are used to train large deep learning models, while CPUs are good for data preparation, feature extraction, and small-scale models. For inference and hyperparameter tweaking, CPUs and GPUs may both be utilized.
Background: The NVIDIA Hopper architecture will supersede the already powerful NVIDIA Ampere architecture.
The NVIDIA DGX H100 System is the universal system purpose-built for all AI infrastructure and workloads, from analytics to training to inference. The system is built on eight NVIDIA H100 Tensor Core GPUs. If you want to run Java programs, but not develop them, download the Java Runtime Environment, or JRE.
BMC uses JViewer to view the console. Launch JViewer – This is an OS-independent plug-in which can be used in Windows as well as Linux with the help of Java Runtime Environment (JRE).
Vulnerability details:
CVE-2023-25528 – NVIDIA DGX H100 baseboard management controller (BMC) contains a vulnerability in a web server plugin, where an unauthenticated attacker may cause a stack overflow by sending a specially crafted network packet. A successful exploit of this vulnerability may lead to arbitrary code execution, denial of service, information disclosure, and data tampering.
CVE-2023-25533 – NVIDIA DGX H100 BMC contains a vulnerability in the web UI, where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to information disclosure, code execution, and escalation of privileges.
