All posts by admin

CVE-2023-28198 – Similar to previous web browser engine design flaws. Confusingly similar! (15th Aug 2023)

Preface: The official description of CVE-2023-28198 says only that the flaw is in WebKit; no other details are given. Interested in taking a closer look? The CVE was reserved in March 2023 and the entry was published on August 15, 2023, so the fix predates the public announcement; Apple appears to have handled it well before then.

Background: WebKit, the engine, is split into components that each encapsulate one part of it.

It contains the core features of the engine (rendering, layout, platform access, HTML and DOM support, the graphics layer, etc.). Some of these ultimately depend heavily on the OS and the underlying software platform in order to function: how is I/O actually done on each platform? How is content rendered on screen? What is the underlying multimedia platform, and how does it decode and play media?

Vulnerability details: The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can trick the victim into opening a specially crafted website, trigger the use-after-free and execute arbitrary code; successful exploitation may allow the attacker to compromise the vulnerable system.

Available for: macOS Ventura

Impact: Processing web content may lead to arbitrary code execution

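The pattern behind use-after-free bugs in browser engines, as an added C example written for this post: it is not WebKit's code and says nothing about the specific object involved in CVE-2023-28198, which Apple has not described. The node type, the callback and the one-slot poisoning allocator are assumptions made so the faulty read is observable instead of undefined behaviour.

```c
/* Added example: the use-after-free pattern common to browser-engine bugs,
 * written for this post; it is NOT the WebKit code behind CVE-2023-28198,
 * for which Apple published no details. An object runs a callback, the
 * callback drops the owner's reference, and the dispatcher then reads the
 * object. To keep the demo deterministic we use a one-slot "heap" and
 * poison the slot on free (what a debug allocator or ASan would detect)
 * instead of reading genuinely freed memory, which is undefined behaviour. */
#include <stdint.h>
#include <stdio.h>

#define POISON 0xDDDDDDDDu

typedef struct Node {
    int refcount;
    uint32_t state;                  /* value the dispatcher reads after the callback */
    void (*on_event)(struct Node *);
} Node;

static Node g_slot;                  /* one-slot allocator standing in for the heap */
static int g_free_count;             /* how many times the slot has been "freed" */

static Node *node_alloc(uint32_t state, void (*cb)(Node *)) {
    g_slot.refcount = 1;
    g_slot.state = state;
    g_slot.on_event = cb;
    return &g_slot;
}

static void node_retain(Node *n) { n->refcount++; }

/* Drop a reference; on the last one, "free" the object and poison it. */
static void node_release(Node *n) {
    if (--n->refcount == 0) {
        n->state = POISON;
        n->on_event = NULL;
        g_free_count++;
    }
}

int node_free_count(void) { return g_free_count; }

/* Attacker-influenced callback: drops the owner's reference from inside the
 * event (think: a script removing an element inside that element's own handler). */
static void evil_handler(Node *self) { node_release(self); }

/* Vulnerable: holds no reference of its own across the callback. */
uint32_t dispatch_vulnerable(Node *n) {
    n->on_event(n);                  /* may free n */
    return n->state;                 /* use-after-free: reads poisoned memory */
}

/* Fixed: take a strong reference for the duration of the call (the RefPtr /
 * Ref<> idiom in WebKit), so the object outlives its own callback. */
uint32_t dispatch_fixed(Node *n) {
    node_retain(n);
    n->on_event(n);                  /* callback releases one reference; ours remains */
    uint32_t s = n->state;           /* still alive */
    node_release(n);                 /* last reference goes away here */
    return s;
}

/* Scenario helpers so the two paths can be compared on identical input. */
uint32_t demo_vulnerable(void) { return dispatch_vulnerable(node_alloc(42, evil_handler)); }
uint32_t demo_fixed(void)      { return dispatch_fixed(node_alloc(42, evil_handler)); }

int main(void) {
    printf("vulnerable dispatcher read: 0x%08x (poison)\n", demo_vulnerable());
    printf("fixed dispatcher read:      %u\n", demo_fixed());
    return 0;
}
```

Compile with `cc -Wall` and run: the vulnerable dispatcher returns the poison value because the callback freed the object under it, while the fixed dispatcher's extra reference keeps the object alive until it has finished reading. In a real engine the same fix is a `Ref<T> protect(*this)` at the top of the dispatching function.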
Official announcement: For details, please refer to the link – https://support.apple.com/en-us/HT213670

CVE-2023-20564 – A closer look at an AMD Ryzen™ Master design weakness (14th Aug 2023)

Preface: A system call is the way a program asks the operating system's kernel for a service; the kernel exposes these services to user programs through an application programming interface (API).

The ioctl() system call manipulates the underlying device parameters of special files, and it is the usual channel through which a user-mode utility talks to its kernel driver. That makes the driver's handling of the ioctl input buffer a trust boundary.

Background: The AMD Ryzen™ Master Monitoring SDK is a public distribution that lets software developers add processor and memory monitoring functions to their own utilities for AMD Ryzen™ and AMD Ryzen™ Threadripper™ processors.

AMD markets its Ryzen CPUs as overclock-ready, so the remaining check is whether the motherboard supports overclocking. AMD supplies its own overclocking utility, Ryzen Master.

Vulnerability details: Insufficient validation in the IOCTL (Input Output Control) input buffer in AMD Ryzen™ Master may permit a privileged attacker to perform memory reads and writes, potentially leading to a loss of confidentiality or arbitrary kernel code execution.

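An added C example written for this post showing the bug class AMD describes, as a userland simulation: it is not Ryzen Master's driver code, and the request layout, register window size and adjacent secret are assumptions. The vulnerable handler copies wherever the caller's offset and length point; the hardened one checks the input buffer size, the output capacity and the offset/length range (in wrap-safe form) before copying.

```c
/* Added example written for this post: a userland simulation of the bug class
 * AMD describes ("insufficient validation in the IOCTL input buffer"). It is
 * not Ryzen Master's driver code; the request layout, the 64-byte register
 * window and the adjacent secret are all assumptions chosen to make the
 * failure observable. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct rw_req {                /* assumed IOCTL input buffer layout */
    uint32_t offset;           /* offset into the device register window */
    uint32_t length;           /* number of bytes to copy back to the caller */
};

static struct {
    uint8_t regs[64];          /* the only memory the IOCTL is meant to expose */
    char    secret[32];        /* adjacent "kernel" data (constructed) */
} kmem = { { 0x11, 0x22, 0x33, 0x44 }, "KERNEL_SECRET_TOKEN" };

/* Vulnerable handler: trusts the caller's buffer size, offset and length.
 * A write path with the same missing checks gives arbitrary kernel writes. */
int ioctl_read_vulnerable(const void *in, size_t in_len, uint8_t *out, size_t out_cap) {
    (void)in_len; (void)out_cap;                       /* never consulted */
    const struct rw_req *req = in;                     /* short input buffer: over-read */
    memcpy(out, (const uint8_t *)&kmem + req->offset, req->length);
    return (int)req->length;
}

/* Hardened handler: exact input size, bounded output, wrap-safe range check. */
int ioctl_read_hardened(const void *in, size_t in_len, uint8_t *out, size_t out_cap) {
    struct rw_req req;
    if (in_len != sizeof req) return -EINVAL;          /* reject short or oversized input */
    memcpy(&req, in, sizeof req);                      /* stands in for copy_from_user() */
    if (req.length == 0 || req.length > out_cap) return -EINVAL;
    /* Subtraction form: offset + length cannot wrap around a 32-bit add. */
    if (req.offset > sizeof kmem.regs || req.length > sizeof kmem.regs - req.offset)
        return -EINVAL;
    memcpy(out, kmem.regs + req.offset, req.length);
    return (int)req.length;
}

/* Does an (offset, length) request leak the secret through the given handler? */
int leaks_secret(int (*handler)(const void *, size_t, uint8_t *, size_t),
                 uint32_t offset, uint32_t length) {
    struct rw_req req = { offset, length };
    uint8_t out[64] = { 0 };
    int rc = handler(&req, sizeof req, out, sizeof out);
    return rc > 0 && memcmp(out, kmem.secret, strlen(kmem.secret)) == 0;
}

int main(void) {
    /* offset 64 points just past the register window, into the secret */
    printf("vulnerable leaks secret: %d\n", leaks_secret(ioctl_read_vulnerable, 64, 19));
    printf("hardened  leaks secret: %d\n", leaks_secret(ioctl_read_hardened, 64, 19));
    return 0;
}
```

The same three checks (input size, output capacity, wrap-safe range) apply to the write direction; a driver that only validates reads still hands a privileged local attacker an arbitrary kernel write.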
Official announcement: For details, please refer to below links

(Amazon Linux Security Center) – https://explore.alas.aws.amazon.com/CVE-2023-20564.html

(AMD Security Bulletin) – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7004.html

Learn more about CVE-2023-33953 (13th Aug 2023)

Background: gRPC is a powerful open source RPC (Remote Procedure Call) framework for building scalable and fast APIs. It allows client and server applications to communicate transparently and makes it easier to build connected systems. Many leading tech companies have adopted gRPC. It runs over HTTP/2, so its HPACK header-compression parser is exposed to every client that connects.

Vulnerability details:

Three vectors were found that allow the following DoS attacks:

– Unbounded memory buffering in the HPACK parser
– Unbounded CPU consumption in the HPACK parser

The unbounded CPU consumption comes down to a copy that occurred per input block in the parser; because that copy could itself be unbounded (due to the memory buffering bug), the result is an O(n^2) parsing loop with n chosen by the client.

The unbounded memory buffering bugs:

– The header size limit check sat behind the string-reading code, so the parser would first buffer up to a 4 gigabyte string before rejecting it as longer than the 8 or 16 kB limit.

– HPACK varints have an encoding quirk whereby an unlimited number of zero-valued bytes can be added at the start of an integer. gRPC's HPACK parser needed to read all of them before concluding a parse.

– gRPC's metadata overflow check was performed per frame, so the following sequence of frames could cause unbounded buffering:
  HEADERS: containing a: 1
  CONTINUATION: containing a: 2
  CONTINUATION: containing a: 3
  etc.

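An added C example written for this post (not gRPC's code) showing the three fixes the advisory implies: a bounded HPACK integer decoder, a string reader that rejects on the declared length before buffering anything, and a header-block size check that accumulates across HEADERS and CONTINUATION frames. The limits and byte strings are constructed for the demo.

```c
/* Added example written for this post (not gRPC's code): an HPACK integer
 * decoder (RFC 7541 §5.1) that bounds the continuation bytes, a string
 * reader that checks the declared length against the header-size limit
 * before buffering anything, and a cumulative header-block size check that
 * spans HEADERS + CONTINUATION frames. The limits and byte strings are
 * constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HPACK_MAX_CONT_BYTES 5u        /* 5 * 7 = 35 bits covers any 32-bit value */
#define MAX_HEADER_STRING    8192u     /* the 8 kB limit mentioned above */

enum { HPACK_OK = 0, HPACK_ERR_INPUT = -1, HPACK_ERR_OVERLONG = -2, HPACK_ERR_TOO_BIG = -3 };

/* Decode an integer with an N-bit prefix. Returns bytes consumed (> 0) or an error. */
int hpack_decode_int(const uint8_t *buf, size_t len, unsigned prefix_bits, uint32_t *out) {
    if (len == 0 || prefix_bits < 1 || prefix_bits > 8) return HPACK_ERR_INPUT;
    uint32_t max_prefix = (1u << prefix_bits) - 1;
    uint64_t acc = buf[0] & max_prefix;
    size_t i = 1;
    if (acc < max_prefix) { *out = (uint32_t)acc; return 1; }
    unsigned shift = 0, cont = 0;
    for (;;) {
        if (i >= len) return HPACK_ERR_INPUT;                         /* truncated */
        if (++cont > HPACK_MAX_CONT_BYTES) return HPACK_ERR_OVERLONG; /* 0x80 0x80 ... padding */
        uint8_t b = buf[i++];
        acc += (uint64_t)(b & 0x7f) << shift;
        shift += 7;
        if (!(b & 0x80)) break;
    }
    if (acc > UINT32_MAX) return HPACK_ERR_TOO_BIG;
    *out = (uint32_t)acc;
    return (int)i;
}

/* Read a string literal (RFC 7541 §5.2): H bit + 7-bit-prefix length + bytes.
 * The limit is enforced BEFORE any payload is touched; checking it after
 * buffering is the ordering that let a 4 GB declared length through. */
int hpack_read_string(const uint8_t *buf, size_t len, uint32_t limit,
                      const uint8_t **str, uint32_t *str_len, int *huffman) {
    uint32_t n;
    int used = hpack_decode_int(buf, len, 7, &n);
    if (used < 0) return used;
    if (n > limit) return HPACK_ERR_TOO_BIG;                     /* reject on the declared length alone */
    if ((size_t)n > len - (size_t)used) return HPACK_ERR_INPUT;  /* declared more than is present */
    *huffman = (buf[0] & 0x80) != 0;                             /* Huffman decoding not shown here */
    *str = buf + used;
    *str_len = n;
    return used + (int)n;
}

/* Cumulative check across HEADERS + CONTINUATION frames. A per-frame check lets
 * "a: 1", "a: 2", "a: 3", ... each pass while the block grows without bound. */
int header_block_add(uint64_t *total, uint32_t frame_payload, uint64_t limit) {
    *total += frame_payload;
    return *total > limit ? HPACK_ERR_TOO_BIG : HPACK_OK;
}

int main(void) {
    /* RFC 7541 C.1.2: 1337 with a 5-bit prefix */
    static const uint8_t ex1337[] = { 0x1f, 0x9a, 0x0a };
    uint32_t v = 0;
    printf("1337 decodes in %d bytes -> %u\n", hpack_decode_int(ex1337, sizeof ex1337, 5, &v), v);
    /* the quirk: zero-valued continuation bytes padded indefinitely */
    static const uint8_t padded[] = { 0x1f, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x00 };
    printf("padded varint -> %d (HPACK_ERR_OVERLONG)\n", hpack_decode_int(padded, sizeof padded, 5, &v));
    return 0;
}
```

Five continuation bytes are enough to express any 32-bit value, so a sixth is never legitimate; rejecting it turns the attacker's "infinite zeros" into a constant-cost parse error. The order of checks in `hpack_read_string` is the whole point: the declared length is compared with the limit before a single payload byte is copied.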
Red Hat official announcement: OpenShift uses the gRPC library in its Kuryr component, but in OpenShift Kuryr is not configured to run the code paths that use gRPC. Hence the impact for OpenShift is rated moderate. For details, please refer to the link – https://access.redhat.com/security/cve/cve-2023-33953

CVE-2023-20569 – AMD mitigates a Zen 3 and Zen 4 CPU return address prediction design weakness. (10th Aug 2023)

Preface: At the time of writing, AMD is not aware of any exploitation of CVE-2023-20569 outside the research environment.

Background: Two phenomena enable an unprivileged attacker to leak arbitrary information on AMD Zen 3 and Zen 4 CPUs:

  • Phantom speculation – triggering a misprediction without any branch at the source of the misprediction.
  • Training in Transient Execution – manipulating future mispredictions through a previous misprediction that the attacker triggers.

Vulnerability details: A side-channel vulnerability in some AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled instruction pointer, potentially leading to information disclosure. Inception (CVE-2023-20569) is a novel transient execution attack that leaks arbitrary data on all AMD Zen CPUs despite all previously deployed software and hardware mitigations.

Furthermore, AMD has disclosed a security issue affecting AMD CPUs that may allow malicious code in a guest VM to infer the contents of memory belonging to other processes running on the same CPU core. Although this is not an issue in the Citrix Hypervisor product itself, product changes and updated AMD microcode have been included to mitigate this CPU hardware issue.

Remark: Citrix Hypervisor (formerly XenServer) is a server virtualization platform based on the open source Xen hypervisor.

Official announcement: Citrix Hypervisor Security Bulletin for CVE-2023-20569. For details, please refer to the link – https://support.citrix.com/article/CTX569353/citrix-hypervisor-security-bulletin-for-cve202320569-cve202334319-and-cve202240982

A closer look at CVE-2023-21287 (10th Aug 2023)

Preface: The Android security bulletin published on 7th Aug 2023 lists CVE-2023-21287 as a vulnerability that may lead to remote code execution.
Google did not disclose specific details. So what is the design weakness?

Background: The Android security update is available for all Android versions that still receive regular updates (Android 11, 12 and 13). Android 10 reached end of life in March 2023, so it no longer receives security updates.
FreeType is a freely available software library to render fonts.
It is written in C and designed to be small, efficient, highly customizable and portable while capable of producing high-quality output (glyph images) of most vector and bitmap font formats. Font parsers are a classic remote attack surface, because a web page, document or message can carry an attacker-supplied font.
Some products that use FreeType for rendering fonts on screen or on paper, either exclusively or partially:

  • GNU/Linux and other free Unix operating system derivatives like FreeBSD or NetBSD;
  • Platforms for smart devices, including Android, Tizen, and Roku;
  • iOS, Apple’s mobile operating system for iPhones and iPads;

Vulnerability details: The bulletin describes it only as a vulnerability in Framework that could allow for remote code execution; the fix it references is a commit in Android's external FreeType tree (see the link below).

Official announcement: For detail, please refer to the link – https://android.googlesource.com/platform/external/freetype/+/a79e80a25874dacaa266906a9048f13d4bac41c6

CVE-2023-35385: a successor to the earlier MSMQ vulnerabilities? (9th Aug 2023)

Preface: A message can be considered a packet of data conforming to a specific protocol that carries information in well-defined fields.

Background: MSMQ (Microsoft Message Queuing) provides a distributed and decoupled way of sending and receiving messages between applications. MSMQ acts as a queue manager, which lets applications remain isolated from one another and keep working even when the applications they exchange messages with are down or unavailable.

The Code Block Component is used to extend the functionality of the XML comments <code> tag.

Syntax highlighting of code blocks in <code> tags. Languages supported include C#, VB[.]NET, JScript[.]NET, C++, J#, C, JavaScript, VBScript, XAML, XML, HTML, SQL script, Python, PowerShell script, and batch file script.

Vulnerability details: A remote, unauthenticated attacker can exploit this vulnerability by sending malicious MSMQ packets to a vulnerable MSMQ server, leading to arbitrary code execution. Exploitation requires the Message Queuing service to be enabled on the target. Microsoft notes that when enabled, the service runs under the name “Message Queuing” and listens on TCP port 1801, so checking for that service and listener is a quick way to find exposed hosts.

Messages can have no more than 4 MB of data. This restriction is due to the memory mapped files used by Message Queuing to store the message data. These memory-mapped files are stored in the MSMQ\Storage folder on the computer where the queue resides.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-35385

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-35385

About CVE-2023-36054 – design weakness causes Kerberos administration daemon (kadmind) crash! (8th Aug 2023)

Preface: Kerberos relies on a trusted third-party server, the Key Distribution Center (KDC). Every user and service on the network is a principal. The KDC provides two main services: an Authentication Service (AS), which performs the initial authentication and issues ticket-granting tickets to users, and a Ticket-Granting Service (TGS), which issues service tickets against those.

Background: Kerberos implementations also exist for other operating systems such as macOS, FreeBSD, UNIX and Linux.

Ref: On Windows, Microsoft's Kerberos PAC signature hardening adds Privileged Attribute Certificate (PAC) signatures to the Kerberos PAC buffer. A PAC is an extension to a Kerberos ticket that contains information about a user's privileges.

What changes in Windows Kerberos in October 2023?

October 10, 2023 – Full Enforcement phase

Removes support for the registry subkey KrbtgtFullPacSignature and for Audit mode. All service tickets without the new PAC signatures are denied authentication. (This timeline applies to Active Directory domain controllers; the CVE below is in MIT krb5's administration daemon and is a separate matter.)

Vulnerability details: lib/kadm5/kadm_rpc_xdr[.]c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash, because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

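An added C example written for this post, not MIT krb5's code, showing the two defensive habits such a fix relies on: zero-initialising the output before decoding so that no failure path frees an uninitialised pointer, and checking that the record's own n_key_data agrees with the count carried by the wire array. The record layout and byte strings are constructed.

```c
/* Added example written for this post, not MIT krb5's code: a minimal
 * XDR-style decoder for a record that carries its own element count
 * (n_key_data) next to a wire array that carries another count, the shape
 * described for _xdr_kadm5_principal_ent_rec. The hardened decoder
 * (1) zero-initialises the output so a failure path never frees garbage and
 * (2) rejects records whose two counts disagree. The byte strings are
 * constructed; the entry layout is an assumption. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_KEY_DATA 64u               /* sanity cap on the element count */

typedef struct { uint32_t kvno; uint32_t enctype; } key_data_t;
typedef struct { int32_t n_key_data; key_data_t *key_data; } principal_ent_t;

typedef struct { const uint8_t *p; size_t left; } xdr_reader;

/* XDR encodes integers as 4-byte big-endian words. */
static int xdr_u32(xdr_reader *r, uint32_t *out) {
    if (r->left < 4) return -1;
    *out = ((uint32_t)r->p[0] << 24) | ((uint32_t)r->p[1] << 16) |
           ((uint32_t)r->p[2] << 8) | r->p[3];
    r->p += 4; r->left -= 4;
    return 0;
}

void principal_ent_free(principal_ent_t *e) {
    free(e->key_data);                 /* safe: NULL when nothing was allocated */
    e->key_data = NULL; e->n_key_data = 0;
}

/* Returns 0 on success, -1 on any malformed input; *out is always consistent. */
int principal_ent_decode(const uint8_t *buf, size_t len, principal_ent_t *out) {
    xdr_reader r = { buf, len };
    uint32_t n_field, count;
    memset(out, 0, sizeof *out);       /* (1) never leave key_data uninitialised */
    if (xdr_u32(&r, &n_field) != 0) return -1;
    if ((int32_t)n_field < 0 || n_field > MAX_KEY_DATA) return -1;
    if (xdr_u32(&r, &count) != 0) return -1;      /* the array's own length word */
    if (count != n_field) return -1;   /* (2) the consistency check the CVE lacked */
    out->key_data = calloc(count ? count : 1, sizeof *out->key_data);
    if (!out->key_data) return -1;
    for (uint32_t i = 0; i < count; i++) {
        if (xdr_u32(&r, &out->key_data[i].kvno) != 0 ||
            xdr_u32(&r, &out->key_data[i].enctype) != 0) {
            principal_ent_free(out);   /* partial decode: release what we allocated */
            return -1;
        }
    }
    out->n_key_data = (int32_t)count;
    return 0;
}

/* Constructed records: n_key_data, array count, then (kvno, enctype) pairs. */
static const uint8_t good_rec[] = {
    0,0,0,2,  0,0,0,2,  0,0,0,1, 0,0,0,17,  0,0,0,2, 0,0,0,18 };
static const uint8_t bad_rec[] = {           /* claims 3 keys, wire array has 1 */
    0,0,0,3,  0,0,0,1,  0,0,0,1, 0,0,0,17 };

/* Scenario helper: decode a record and report n_key_data, or -1 on rejection. */
int demo_decode(const uint8_t *rec, size_t len) {
    principal_ent_t e;
    int rc = principal_ent_decode(rec, len, &e);
    int n = rc == 0 ? e.n_key_data : -1;
    principal_ent_free(&e);            /* safe on both paths thanks to (1) */
    return n;
}
int demo_good(void) { return demo_decode(good_rec, sizeof good_rec); }
int demo_bad(void)  { return demo_decode(bad_rec, sizeof bad_rec); }

int main(void) {
    printf("good record -> n_key_data = %d\n", demo_good());
    printf("bad record  -> %d (rejected)\n", demo_bad());
    return 0;
}
```

Note that `demo_decode` calls the free routine unconditionally, exactly as a server's error path would; because the decoder zeroed the struct first, the rejected record frees NULL rather than whatever happened to be on the stack.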
Official announcement: For details, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2023-36054

About CVE-2023-33170 – allowing an attacker to try more passwords against a dotNET application (updated 7th Aug 2023)

Preface: [.]NET 5 and [.]NET 6 are supported on multiple operating systems, including Windows, Linux, Android, iOS/tvOS and macOS. The only difference is that [.]NET 6 is additionally supported on Windows Arm64 and macOS Apple Silicon.

Background: ASP[.]NET Core 6 is built on top of the [.]NET Core runtime and allows you to build and run applications on Windows, Linux and macOS. ASP[.]NET Core 6 combines the features of Web API and MVC.

On Red Hat Enterprise Linux (RHEL) 8 and later, [.]NET 6 is available for the IBM Z and LinuxONE (s390x) architectures, along with AMD and Intel (x86_64) and ARM (aarch64). IBM Z and LinuxONE are fully enabled throughout all [.]NET core components using the Mono runtime (there is currently no CoreCLR support).

Vulnerability details: A vulnerability was found in dotNET applications where the account lockout's maximum-failed-attempts counter may not be updated immediately, so concurrent sign-in attempts can race ahead of the counter update; this allows an attacker to try more passwords than the policy permits and bypass that security restriction. This flaw allows a remote attacker to bypass security features, with an impact on confidentiality, integrity and availability.

CVE-2023-33170 is a Security Feature Bypass: a race condition in the ASP.NET Core SignInManager PasswordSignInAsync method.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-33170

RHSA-2023:4466 – Security Advisory: Red Hat fixes CVE-2022-40899 (3rd Aug 2023)

Preface: future 0.18.2 – easy, safe support for Python 2/3 compatibility. “future” is the missing compatibility layer between Python 2 and Python 3. It allows you to use a single, clean Python 3.x-compatible codebase to support both Python 2 and Python 3 with minimal overhead.

Background: Red Hat Satellite 6 is the evolution of Red Hat’s life cycle management platform. It provides the capabilities that administrators have come to expect in a tool focused on managing systems and content for a global enterprise.

Red Hat Satellite 6 is built upon several open source projects, among them:

  • future, the Python 2/3 compatibility layer described above;
  • Foreman, which bundles rubygem-safemode.

Vulnerability details:

  • An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via a crafted Set-Cookie header from a malicious web server (CVE-2022-40899).
  • foreman: arbitrary code execution through templates (CVE-2023-0118).

Ref: To send cookies to the server, a client adds a “Cookie: name=value” HTTP header to the request; multiple cookies in one Cookie header are separated by semicolons. Servers store cookies in the client by returning “Set-Cookie: name=value” headers in the response, which is why a client library's Set-Cookie parser is reachable by any server the client talks to.

Official details: Please refer to the link – https://access.redhat.com/errata/RHSA-2023:4466

CVE-2023-37464: Authentication tag length not enforced in cjose, a JavaScript Object Signing and Encryption [JOSE] library. (2nd Aug 2023)

Preface: Encryption uses a key to ensure the ciphertext cannot be deciphered by anyone but the authorized recipient. Signing authenticates the origin and integrity of data; it also uses keys, but it does not hide the data. Authenticated encryption such as AES-GCM combines both goals, and its authentication tag is what carries the integrity guarantee.

Background: JSON Object Signing and Encryption (JOSE) is the set of software technologies standardized by the IETF to represent encrypted and/or signed content as JSON data. The technologies include JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK) and JSON Web Algorithms (JWA).

Vulnerability details: OpenIDC/cjose is a C library implementing JavaScript Object Signing and Encryption (JOSE). Its AES-GCM decryption routine takes the tag length from the Authentication Tag actually supplied in the JWE, whereas the specification requires a fixed length of 16 octets. An attacker can therefore provide a truncated Authentication Tag and modify the JWE accordingly; a short tag is far easier to forge than a full 128-bit one.

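An added C example written for this post, not cjose's code: the check a conforming JWE decryptor performs before AES-GCM verification, namely that the Authentication Tag segment of the compact serialisation decodes to exactly 16 octets. The JWE strings are constructed; only their tag segments are meaningful.

```c
/* Added example written for this post, not cjose's code: before handing a
 * JWE to AES-GCM decryption, check that the Authentication Tag in the
 * compact serialisation decodes to exactly 16 octets, as JWA requires for
 * A128GCM/A192GCM/A256GCM. A decryptor that instead trusts the length of
 * whatever tag it received will happily verify a truncated tag. The JWE
 * strings below are constructed; only the tag segment is meaningful. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JWE_GCM_TAG_LEN 16

static int b64url_val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '-') return 62;
    if (c == '_') return 63;
    return -1;                                   /* includes '=': JOSE forbids padding */
}

/* Decode unpadded base64url (RFC 7515 §2). Returns bytes written or -1. */
int b64url_decode(const char *s, size_t n, uint8_t *out, size_t cap) {
    if (n % 4 == 1) return -1;                   /* no valid encoding has this length */
    uint32_t acc = 0; unsigned bits = 0; size_t olen = 0;
    for (size_t i = 0; i < n; i++) {
        int v = b64url_val(s[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v; bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (olen >= cap) return -1;
            out[olen++] = (uint8_t)(acc >> bits);
        }
    }
    return (int)olen;
}

/* Decoded length of the 5th segment (the tag) of a compact JWE, or -1 if the
 * serialisation does not have exactly five segments or the tag is not base64url. */
int jwe_gcm_tag_len(const char *jwe) {
    const char *last = jwe; int parts = 1;
    for (const char *p = jwe; *p; p++)
        if (*p == '.') { parts++; last = p + 1; }
    if (parts != 5) return -1;
    uint8_t tag[64];                             /* anything longer is rejected by the decoder */
    return b64url_decode(last, strlen(last), tag, sizeof tag);
}

/* The check a conforming decryptor performs: only a full 128-bit tag is acceptable. */
int jwe_gcm_tag_ok(const char *jwe) { return jwe_gcm_tag_len(jwe) == JWE_GCM_TAG_LEN; }

/* Constructed compact JWEs: header.encrypted_key.iv.ciphertext.tag. The tag in
 * the first decodes to bytes 00..0f (16 octets); the second is cut to 8. */
static const char *const JWE_FULL_TAG      = "hdr.ek.iv.ct.AAECAwQFBgcICQoLDA0ODw";
static const char *const JWE_TRUNCATED_TAG = "hdr.ek.iv.ct.AAECAwQFBgc";

int main(void) {
    printf("full tag:      %d octets -> %s\n", jwe_gcm_tag_len(JWE_FULL_TAG),
           jwe_gcm_tag_ok(JWE_FULL_TAG) ? "accept" : "reject");
    printf("truncated tag: %d octets -> %s\n", jwe_gcm_tag_len(JWE_TRUNCATED_TAG),
           jwe_gcm_tag_ok(JWE_TRUNCATED_TAG) ? "accept" : "reject");
    return 0;
}
```

The length check must happen before the tag length is passed to the cipher (in OpenSSL terms, before `EVP_CTRL_GCM_SET_TAG`); once a decryptor lets the message dictate the tag length, an attacker who truncates the tag to one byte needs on average only 256 attempts to get a forged ciphertext accepted.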
Remediation: Users should upgrade to cjose version 0.6.2.2 or later.

Official announcement: For details, please refer to the link – https://access.redhat.com/errata/RHSA-2023:4410