All posts by admin

CVE-2024-22476: Improper input validation in some Intel® Neural Compressor software. Intel fixes exploited bugs. (16th May 2024)

Preface: Intel Neural Compressor performs model optimization to reduce the model size and increase the speed of deep learning inference for deployment on CPUs or GPUs.

Background: Intel Neural Compressor is an open source Python* library that performs model compression techniques such as quantization, pruning, and knowledge distillation across multiple deep learning frameworks including TensorFlow*, PyTorch*, and ONNX* (Open Neural Network Exchange) Runtime. The model compression techniques reduce the model size and increase the speed of deep learning inference for more efficient deployment on CPUs or GPUs.

Vulnerability details: Improper input validation in some Intel® Neural Compressor software before version 2.5.0 may allow an unauthenticated user to potentially enable escalation of privilege via remote access.

Ref: GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. This issue has been patched in version 3.1.41.

Official details: Please refer to the link for details – https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01109.html

About CVE-2024-22252: Recently, Broadcom VMware has often repeated previous CVE posts. Maybe it’s a new company policy or necessary? (14-May-2024)

Official last updated on May 8, 2024. An early advisory for this vulnerability was issued on March 5, 2024.

Preface: If you recall, this design flaw was discovered in April 2021. Has it been fixed? Or it is vendors fine-tuned their vulnerability management strategies?

Background: A Transfer Ring is an array of Transfer Request Blocks (TRBs). Each TRB points to a block of contiguous data (up to 64 KB) that will be transferred between hardware and memory as a single unit. The xHCI does not require this constraint. Any buffer pointed to by a Normal, Data Stage, or Isoch TRB in a TD may be any size between 0 and 64K bytes in size. For instance, if when an OS translates a virtual memory buffer into a list of physical pages, some of the entries in the list reference multiple contiguous pages, the flexible Length fields of TRBs allow a 1:1 mapping of list 68 entries to TRBs, i.e. a multi-page list entry does not need to be defined as multiple page sized TRBs.

Vulnerability details: VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3 for Workstation/Fusion and in the Important severity range with a maximum CVSSv3 base score of 8.4 for ESXi.

Known Attack Vectors: A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

Official announcement: Please refer to the link for details – https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24266

CVE-2024-21474: Qualcomm did not disclose technical details. Could this situation cause this problem? (6th May 2024)

Preface: The Qualcomm Snapdragon X65 5G Modem is the baseband chipset used in the iPad Pro (11-inch) (4th generation), iPad Pro (12.9-inch) (6th generation), iPhone 14, iPhone 14 Plus, iPhone 14 Pro and iPhone 14 Pro Max.

Background: A power management integrated circuit (PMIC) is used to manage power on an electronic devices or in modules on devices that may have a range of voltages. The PMIC manages battery power charging and sleep modes, DC-to-DC conversion, scaling of voltages down or up, among others.

Vulnerability details: Memory corruption when size of buffer from previous call is used without validation or re-initialization.

Vulnerability Type: CWE-121 Stack-based Buffer Overflow

Official announcement: Please refer to the link for details –

https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2024-bulletin.html

https://nvd.nist.gov/vuln/detail/CVE-2024-21474

About VMware Enhanced Authentication Plug-in (EAP): VMware urges customers to remain alert for CVE-2024-22245 and CVE-2024-22250. (May 7, 2024)

This announcement original published on 20th Feb 2024

Preface: When two components have problems in the same place. If vendor did not specify the details in clear. In this circumstances, the design weakness looks the same.

Background: The Enhanced Authentication Plugin (EAP) is an extra software package that doesn’t come pre-installed. Administrators need to install it on client computers used for administration to allow direct login when using the VMware vSphere Client through a web browser.

The VMware EAP is a deprecated browser plugin that enables seamless single sign-on (SSO) to vSphere’s management interface from client workstations. It is an optional feature that stopped receiving support with the release of VMware vCenter Server 7.0.0u2 in March 2021.

Vulnerability details:

Session Hijack Vulnerability in Deprecated EAP Browser Plugin (CVE-2024-22250) – The VMware Enhanced Authentication Plug-in (EAP) contains a Session Hijack vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

Arbitrary Authentication Relay Vulnerability in Deprecated EAP Browser Plugin (CVE-2024-22245) – The VMware Enhanced Authentication Plug-in (EAP) contains an Arbitrary Authentication Relay vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.6.

Official announcement: Please refer to the link for details:

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24257

https://nvd.nist.gov/vuln/detail/CVE-2024-22250

https://nvd.nist.gov/vuln/detail/CVE-2024-22245

Android Security Bulletin – May 2024 There’s a lot you can explore (9 May 2024)

Preface: Heard that Long-term support (LTS) for Linux kernels is being reduced from six to two years now.

Background: Greg Kroah-Hartman is a major Linux kernel developer. As of April 2013, he is the Linux kernel maintainer for the -stable branch, the staging subsystem, USB, driver core, debugfs, kref, kobject, and the sysfs kernel subsystems, Userspace I/O, and TTY layer.

What will be the next LTS kernel?

But in any event Greg Kroah-Hartman has decided to go ahead and declare Linux 6.6 as the newest LTS kernel. Kernel.org has been updated to reflect Linux 6.6 LTS. The current plan is for Linux 6.6 to be maintained until going end-of-life in December 2026: the same time Linux 6.1, 5.15, and 5.10 will reach end-of-life.

Android Security Bulletin—May 2024 (Published May 6, 2024)

The diagram above shows that kernel versions have been updated. Kernel version updates are dependent on the version of Android OS at the time of device launch. Please refer to the following link for details:

https://source.android.com/docs/security/bulletin/2024-05-01

CVE-2024-1067: Mali GPU Kernel Driver allows improper GPU memory processing operations (8 May 2024)

Date of issue: 3rd May 2024

Preface: The Mali-G720 and Mali-G620 GPUs complete the world-class GPU portfolio for a wide range of consumer devices. After four generations of GPUs on the fourth-generation Valhall architecture, the latest Arm GPUs are built on a new fifth-generation GPU architecture (called Gen 5).

Background: The New 5th Gen Arm GPU Architecture

The 5th Gen GPU architecture introduces a key feature called Deferred Vertex Shading (DVS), which revolutionizes data flow within the GPU and expands the number of GPU cores, reaching up to 16 cores for enhanced performance.

The Arm 5th Gen GPU architecture is the most efficient GPU architecture Arm has ever created, designed with CPU and system architecture in mind. It redefines parts of the graphics pipeline to significantly reduce memory bandwidth, thus improving total system efficiency and power.

Technical reference: It solves the bandwidth problem of the traditional model because the fragment shader reads a small block each time and puts it on the chip. It does not need to read the memory frequently until the final operation is completed and then writes it to the memory. You can even further reduce memory reads and writes by compressing tiles. In addition, when some areas of the image are fixed, the function can be called to determine whether the tiles are the same to reduce repeated rendering.

Vulnerability details: A local non-privileged user can make improper GPU memory processing operations. On Armv8.0 cores, there are certain combinations of the Linux Kernel and Mali GPU kernel driver configurations that would allow the GPU operations to affect the userspace memory of other processes.

Ref: Arm did not provide details. Is the senario on attached diagram similar to this CVE?

Resolution: This issue is fixed in Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r48p0. Users are recommended to upgrade if they are impacted by this issue.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-1067

CVE-2024-33602: Name Service Cache Daemon’s (nscd) design limitation (6 May 2024)

Preface: Kubernetes creates DNS records for Services and Pods. You can contact Services with consistent DNS names instead of IP addresses. Kubernetes publishes information about Pods and Services which is used to program DNS. Kubelet configures Pods’ DNS so that running containers can lookup Services by name rather than IP.

Background: When nscd enabled, this function allows your Linux computer to retrieve DNS messages locally. Since the Linux operating system have additional function collects the browser cache and DNS cache (instead of waiting for a public DNS resolver). Therefore, your frequently visited sites will load much faster than other sites.

Nscd is a daemon that provides a cache for the most common name service requests. The default configuration file, /etc/nscd[.] conf, determines the behavior of the cache daemon.

DNS domain name resolution in Kubernetes cluster often has problems for various reasons, including kernel problems and load problems. You can use nscd in Kubernetes cluster to improve the lookup efficiency.

Vulnerability details: nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon’s (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-33602

Starting from CVE-2024-34476, other design flaws have also been found, please use non-vulnerable Open5GS versions for development. (4-May-2024)

Preface: The two prerequisites for running Open5GS are the Open5GS core and MongoDB. The MongoDB, a document-based database, for user equipment registration. MongoDB uses some weird special processor instruction, which is not provided in intel Celeron processor.

Background: The Access and Mobility Management Function (AMF) is one of the control plane network functions (NF) of the 5G core network (5GC). The control plane in 5G Network Architecture contains the AMF which is the first node in the control plane that connects to the gNB. And it is responsible for the access and mobility management. The SMF, that is responsible for session management.

Authentication messages are a set of NAS message involved in Athenticating UE to 5G RAN and Core Network. Mainly three NAS messages are involved : AuthenticationRequest, AuthenticationResponse. Important Information of RegistrationRequest are : Authentication Key Information.

Vulnerability details: Open5GS before 2.7.1 is vulnerable to a reachable assertion that can cause an AMF crash via NAS messages from a UE: ogs_nas_encrypt in lib/nas/common/security[.]c for pkbuf->len.

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2024-34476

Will such scenario be similar to the CVE-2024-0087 mentioned? (3May 2024)

Preface: NVIDIA Triton Inference Server, part of the NVIDIA AI platform and available with NVIDIA AI Enterprise, is open-source software that standardizes AI model deployment and execution across every workload.

Background: The Triton Inference Server is available as a pre-built Docker container or you can build it from source.The Triton Docker container is available on the NVIDIA GPU Cloud (NGC). For best performance the Triton Inference Server should be run on a system that contains Docker, nvidia-docker, CUDA and one or more supported GPUs.

Vulnerability details: NVIDIA Triton Inference Server for Linux contains a vulnerability where a user can set the logging location to an arbitrary file. If this file exists, logs are appended to the file. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

Ref: . LFI (Local File Inclusion) is a web vulnerability that allows an attacker to access server files by manipulating paths in HTTP requests.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5535

Regarding CVE-2024-4058: Closer Look and Speculation at Google Chrome Design Flaw (01-May-2024)

Preface: Type confusion vulnerability can be powerful. According to Common Weakness Enumeration (CWE) The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. When the program accesses the resource using an incompatible type, this could trigger logical errors because the resource does not have expected properties. In languages without memory safety, such as C and C++, type confusion can lead to out-of-bounds memory access.

Background: Chrome uses ANGLE not only for WebGL, but also for its implementation of the 2D HTML5 canvas and for the graphics layer of the Google Native Client(which is OpenGL ES 2.0 compatible). Safari web browser uses ANGLE as basis for its WebGL implementation. Firefox uses ANGLE as the default WebGL backend on Windows.

ANGLE provides OpenGL ES 2.0 and EGL 1.4 libraries and dlls. You can use these to build and run OpenGL ES 2.0 applications on Windows, Linux, Mac and Android.

Vulnerability details: Type confusion in ANGLE in Google Chrome prior to 124.0.6367.78 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

Official announcement: Please refer to the link for details – https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_24.html