All posts by admin

CVE-2023-22387 Use of Out-of-range Pointer Offset in Qualcomm IPC (4th July 2023)

Preface: Gunyah is a Type-1 hypervisor designed for strong security, performance and modularity. Independent of any high-level OS kernel, Gunyah runs in a higher CPU privilege level, and does not depend on any lower-privileged OS kernel/code for its core functionality.

Background: Gunyah is a product of Qualcomm Innovation Center, Inc. Gunyah is an open-source type-1 hypervisor developed by Qualcomm with an emphasis on security and other features.
There are 2 types of process:

  • Independent Processes – Processes that do not share data with other processes.
  • Cooperating Processes – Processes that shares data with other processes.
    Inter-Process Communication is the mechanism by which cooperating process share data and information.
  • Shared memory: A particular region of memory is shared between cooperating process.
  • Cooperating process can exchange information by reading and writing data to this shared region.
  • It’s faster than Memory Parsing, as Kernel is required only once, that is, setting up a shared memory . After That, kernel assistance is not required.

Vulnerability details: Arbitrary memory overwrite when VM gets compromised in TX write leading to Memory Corruption.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-22387

A hundred years later, communication was ready to receive phone call again.

Preface: When you read the newspaper, you will found some news, some prophet had prophecy alien may visit to our earth in 2023. Like a fiction. But coincidentally SITA also prepare for advance civilization communications.

MAVEN, is an orbiter dedicated to studying Mars’ atmosphere. MAVEN launched in November 2013 and arrived at Mars in September 2014.

Have you ever heard of an organization called SETI?

In 1997, scientists at the SETI Institute detected an interesting signal. Although the transmission was initially thought to be from extraterrestrial origin. It was identified as a SOHO solar research satellite later. But it did not upsad to scientists .

The SETI Institute is a non-profit organization that aims to “explore, understand and explain the origin, properties and spread of life in the universe”. SETI stands for “Search for Extraterrestrial Intelligence Initiative”. One of these plans is to use radio and optical telescopes to search for intentional signals from extraterrestrial intelligent life.

SETI arrange emulate Alien-like message sent to Earth in a test to prepare for the real thing.

The message went out on 24th May, 2023 from the ExoMars Trace Gas Orbiter, a spacecraft launched in 2016 that is currently orbiting Mars to study its atmosphere. Once received in earth three different stations, the raw data containing the message was released on the internet via Filecoin, a large decentralized storage network. For details, please refer to the link – https://edition.cnn.com/2023/06/01/world/seti-alien-message-test-scn/index.html

Generally speaking, it takes about 5 to 20 minutes for a radio signal to travel the distance between Mars and Earth, depending on planet positions. Using orbiters to relay messages will be more efficient because they are much closer to “Perseverance” than the Deep Space Network (DSN) antennas on Earth.

In 1901, engineer Nicola Tesla made the astonishing claim that he was receiving radio communications from Mars. His description was picked up and reported on broadly in the press.

Telsa coils are mounted in a tower structure and include coils, capacitors and spark gaps (equivalent to resistors). It constitutes the LCR circuit, which can generate radio frequency emission waves. Furthermore, such a coil structure is capable of receiving signals. Maybe that’s why he mentions that he’s getting an unknown strange signal from somewhere.

Tesla was a famous scientist. I strongly believe that he has enough facts to proof his findings. But it is sad that he is not in this world anymore. Perhaps we never find the final answer found by Tesla. But in our earth, there are more ancient ruins can tell. For example, Pyramid of Khufu, Bolivia Puma Punku advanced technology cutting stone blocks ruins and The Temple of Bacchus, …etc.

If you compare SETI’s method of rehearsing the test signal with the signal discovered by Nicholas Tesla in 1901, maybe you will see that the way we communicate in space today is similar to 1901 (the unknown signal discovered by Tesla) place. Perhaps the signal Telsa received was from a UFO near Earth. But the source of the signal was sent from Mars.

End of article

R.I.P Titan submarine tragedy on Jun 2023. One of the victim Dawood was a passionate champion for the environment. He is also a trustee at the SETI Institute. Include another four victims, it is a regret news in 2023!

CVE-2023-2728: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin (3rd Jul 2023)

Preface: When you know there is a vulnerability on the tool. Perhaps, your security awareness level will decrease. Maybe that makes sense, if you don’t use the tool, the risk is nullified.
But sometimes it’s exceptions and coincidences. Something similar happens in the Kubernetes environment as well.

Background: Ephemeral containers differ from other containers in that they lack guarantees for resources or execution, and they will never be automatically restarted, so they are not appropriate for building applications.
Ephemeral containers are useful for interactive troubleshooting when kubectl exec is insufficient because a container has crashed or a container image doesn’t include debugging utilities.

In Kubernetes, namespaces provides a mechanism for isolating groups of resources within a single cluster.

  • IPC namespaces contain a specific kind of IPC objects known as “POSIX IPC” and “SysV IPC” – shared memory areas, message queues, and semaphores.
  • Mount (MNT) namespaces are a powerful tool for creating per-process file system trees, thus per-process root filesystem views.
    Linux maintains a data structure for all the different filesystems mounted on the system. This structure is a per-process attribute and also per-namespace.

Vulnerability details: Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified
in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes[.]io/enforce-mountable-secrets annotation are used together with ephemeral containers.

Official announcement: For details please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-2728

NVIDIA empower Artificial Intelligence competence. At the same time, vendor urge staying alert for product vulnerability (2nd Jul 2023)

Preface: The A800 has a data transfer rate of 400GB/s and the A100 is 600GB/s, and as such complies with the 600GB/s or less.

Background: What is SMM? It turned out to be SM in the Fermi era and SMX in the Kepler era. If you enlarge the SMX core of Kepler, you will see more LD/ST access units than Fermi, which also means that
the number of execution threads processed by Kepler in a single cycle is higher than that of Fermi.
Streaming Multiprocessor composed of CUDA Core, PolyMorph Engine and other units.
Simply put, it is to fine-tune the number of CUDA Cores built in the SMM unit from 192 to 128. The SMM is divided into 4 small blocks,
and each block has an independent control logic (Control Logic). In the past, these control logics needed to be responsible for a large number of CUDA Cores. Through small blocks.

Vulnerability details:
CVE‑2023‑25521: The NVIDIA DGX A100 and A800 systems contain a vulnerability in SBIOS, where improper validation of an input parameter
may lead to code execution, escalation of privileges, denial of service, information disclosure, and data tampering.
CVE-2023-25522: The NVIDIA DGX A100 and A800 systems contain a vulnerability in SBIOS, where information that is provided
in an unexpected format may cause improper validation of an input parameter, which may lead to denial of service, information disclosure, and data tampering.

Best practice: Disable all features in the UEFI and OS, that are not used. This reduces the attack surface.
Configure your system to only execute signed code and signed kernel modules, if possible.

Official announcement: For details, please refer to link – https://nvidia.custhelp.com/app/answers/detail/a_id/5461

CVE-2023-22886: Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider (30th June 2023)

Preface: Airflow is a platform to programmatically author, schedule, and monitor workflows. Specifically, it is used in Machine Learning to create pipelines.

Background: Apache Airflow™ is an open-source platform for developing, scheduling, and monitoring batch-oriented workflows. This open-source platform most suitable for pipelines that change slowly, are related to a specific time interval, or are pre-scheduled. It’s a popular solution that many data engineers rely on for building their data pipelines. Data pipelines work with ongoing data streams in real time. It’s been used to run SQL, machine learning models, and more.

Apache Airflow is a Python-based platform to programmatically author, schedule and monitor workflows. It is well-suited to machine learning for building pipelines, managing data and training models.

You can use Apache Airflow to schedule pipelines that extract data from multiple sources, and run Spark jobs or other data transformations. Machine learning model training.

Vulnerability details: Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider. Airflow JDBC Provider Connection’s [Connection URL] parameters had no restrictions, which made it possible to implement RCE attacks via different type JDBC drivers, obtain airflow server permission. This issue affects Apache Airflow JDBC Provider: before 4.0.0.

Recommendation: For security purposes, you should avoid building the connection URLs based on user input. For user name and password values, use the connection property collections. Restrict direct usage of driver params via extras for JDBC connection.

Remedy: To configure driver parameters (driver path and driver class), you can use the following methods:

  1. Supply them as constructor arguments when instantiating the hook.
  2. Set the “driver_path” and/or “driver_class” parameters in the “hook_params” dictionary when creating the hook using SQL operators.
  3. Set the “driver_path” and/or “driver_class” extra in the connection and correspondingly enable the “allow_driver_path_in_extra” and/or “allow_driver_class_in_extra” options in the “providers[.jdbc” section of the Airflow configuration.
  4. Patch the “JdbcHook.default_driver_path” and/or “JdbcHook.default_driver_class” values in the “local_settings[.]py” file.

Official announcement: For details, please refer to the link – https://github.com/advisories/GHSA-mm87-c3x2-6f89

CVE-2023-21220: Outdated communication methods burden modern Androids (29th June 2023)

Preface: Since the official announcement did not contain details. Perhaps the situation describe here is one of the possible reasons for encountering such vulnerabilities.

Background: SMS messages are sent in plain text. Rich Communications Services (RCS) is a communication protocol that will ultimately replace MMS and SMS messages on Android devices.
Android Pie (codenamed Android P during development), also known as Android 9 (API 28) is the ninth major release and the 16th version of the Android mobile operating system. It was first released as a developer preview on March 7, 2018, and was released publicly on August 6, 2018.
Android 8.0 places limitations on what apps can do while users aren’t directly interacting with them. Apps are restricted in two ways:
Background Service Limitations and Broadcast Limitations.
On the other hand, The system distinguishes between foreground and background apps. Foreground app is connected to the app, either by binding to one of its services or by making use of one of its content providers. For example, the app is in the foreground if another app binds to its: Voice or text service.
So, if Android users forget to turn on the RCS function. Their text messages will be read through a man-in-the-middle attack.

Vulnerability details: there is a possible use of unencrypted transport over cellular networks due to an insecure default value. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-264590585References: N/A

Official announcement: For details, please refer to the link – https://source.android.com/security/bulletin/pixel/2023-06-01

Can you foresee how much AI and machine learning infrastructure there will be in the next few years? (28th June 2023)

Preface: ChatGPT Memory uses the Redis vector database to store an embedded conversation history of past user-bot interactions.
The first interaction between the user and bot is critical to the user experience, said Microsoft.
There are 1482 Companies currently using OpenAI, it also include Adobe and Schneider Electric.

Background: ChatGPT, the full name of Chat Generation Pre-training Converter, is an artificial intelligence chat robot program developed by OpenAI, which will be launched in November 2022. The program uses large language models based on the GPT-3.5 and GPT-4 architectures and is trained with reinforcement learning.
OpenAI is a suite of artificial intelligence (AI) models designed for application developers. It enables users to create AI applications to understand natural-language semantics and generate natural text, translate natural language into programming code, create images from text captions, and classify images.

FastAPI is a Python web framework based on the Starlette microframework. With deep support for asyncio, FastAPI is indeed very fast.
FastAPI also distinguishes itself with features like automatic OpenAPI (OAS) documentation for your API, easy-to-use data validation tools, and more.
Integrating OpenAI APIs into FastAPI applications to facilitate calling them using the Swagger UI.
FastAPI is a modern Python web framework for building APIs quickly and efficiently. By leveraging FastAPI’s features and integrating OpenAI’s APIs,
developers can build applications with powerful AI capabilities such as language translation, sentiment analysis, text summarization, question-answering, and more.

How to install OpenAI in python
Step 1: Sign up for an OpenAI API key: You will visit the link to register for an account and if you already have an active account using Chat-Gpt 3, you can use the same account to sign in.
If you are a Linux user, have a good try.
How to Install OpenAI on Linux?
Step 2 : upgrade pip and install the openai library.
python3 -m pip install –upgrade pip
python3 -m pip install –upgrade openai

….
For details, please refer to the official linkhttps://openai.com/

CVE-2023-20892, CVE-2023-20893, CVE-2023-20894 and CVE-2023-20895, CVE-2023-20896: Double confirm to your admin, vcenter server has patch applied. (27th June 2023)

Preface: VMware published multiple vulnerabilities on 22nd June 2023. It make the reader dazzled. Since the actual attack exploit technique did not released by VMware.
However they told vulnerability caused by DCEPRC. So, let us take a closer look of DCEPRC protocol. See whether it will lure your interest?

Background: (DCERPC) Distributed Computing Environment / Remote Procedure Calls, is the remote procedure call system developed for the Distributed Computing Environment (DCE) Networking. The usage of this protocol including Common Binding Services, Common Interface Registry Services, RPC Nameservice Interface, Call Thread Services, Clock and Timer Services,…
Remote Procedure Call (RPC) protocol is generally used to communicate between processes on different workstations. However, RPC works just as well for communication between different processes on the same workstation.
Microsoft server technique also based on RPC technique. RPC uses the client and server model. Bruce Jay Nelson is generally credited with coining the term “remote procedure call” in 1981. Remote procedure calls used in modern operating systems trace their roots back to the RC 4000 multiprogramming system, which used a request-response communication protocol for process synchronization.
Some experts has concern of RPC. The reason is that there is no uniform standard for RPC; it can be implemented in a variety of ways.

In traditional way, the RPC runtime library maintains numerous lists, and provides a common list management mechanism used by several runtime components, principally the Name Service Interface and the connection-oriented RPC protocol service.
The file rpclist[.]h defines the structure of a list element and a list, and provides macros used for manipulating these lists. The underlying list management routines in rpclist[.]c should not, as a rule, be called directly. When addition of a new element would cause a list to exceed its maximum allowable size, the element is returned to heap storage instead.

Vulnerability details: Please refer below links for reference.
Advisory ID: VMSA-2023-0014
https://www.vmware.com/security/advisories/VMSA-2023-0014.html

Applying individual product updates to VMware Cloud Foundation environments using Async Patch Tool (AP Tool) (88287)
https://kb.vmware.com/s/article/88287

About CVE-2023-32434, CVE-2023-32435 and CVE-2023-32439: When those vulnerabilities details shown, it made me think of a software (Redux) (25th June 2023)

Preface: The state in Redux is stored in memory. This means that, if you refresh the page the state gets wiped out. The state in redux is just a variable that persists in memory because it is referenced by all redux functions.

Background: Safari is a web browser developed by Apple. It is built into Apple’s operating systems, including macOS, iOS, and iPadOS, and uses Apple’s open-source browser engine WebKit, which was derived from KHTML.
The rendering engine is used to display the requested content on the user interface and the browser engine marshalling actions between the UI and the rendering engine.
Redux is a predictable state container for JavaScript apps. It helps you write applications that behave consistently.
Refer to my speculation (see attached picture). Due to such operation and design. I speculate that these three vulnerabilities are caused by Redux JavaScript library located in browser.

Vulnerability details:
According to CVE-2023-32434, the vulnerability details indicated that a design weakness in input validation.
Thereby, an integer overflow was triggered (CVE-2023-32439), due to weakness of input validation. As a result, a memory corruption issue was happened due to state management weakness (CVE-2023-32435).

https://nvd.nist.gov/vuln/detail/CVE-2023-32434
https://nvd.nist.gov/vuln/detail/CVE-2023-32435
https://nvd.nist.gov/vuln/detail/CVE-2023-32439

CVE-2023-2431: Bypass of seccomp profile enforcement.About access control logic on cloud (22nd Jun 2023)

Preface: Information security driven role base access control. But when cloud service provider design or implement access control. It will be sophisticated. If access control include virtual machine technology under hierarchical structure. In order to harden the effectiveness of the control.
Cloud resources are organised hierarchically, where the organisation node is the root node in the hierarchy, the projects are the children of the organisation, and the other resources are descendants of projects. You can set allow policies at different levels of the resource hierarchy.

Background: Secure computing mode (seccomp) is a Linux kernel feature. You can use it to restrict the actions available within the container.
The seccomp() system call operates on the seccomp state of the calling process.
You can use this feature to restrict your application’s access.
This feature is available only if Docker has been built with seccomp and the kernel is configured with CONFIG_SECCOMP enabled.

Vulnerability details: A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.

Official details: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-2431