All posts by admin

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2024-21468 – iommu: Fix missing return check of arm_lpae_init_pte (8th Apr 2024)

Leave a comment

Preface: This vulnerability was posted on April 1 2024. For details, please refer to the Qualcomm April 2024 Security Bulletin.

Background: EL1 can access most system registers, EL2 has additional privileges, and EL3 has all privileges. The only way that the processor can change from one exception level to a higher level is when an exception occurs.

In computing, an input–output memory management unit is a memory management unit connecting a direct-memory-access–capable I/O bus to the main memory. Like a traditional MMU, which translates CPU-visible virtual addresses to physical addresses, the IOMMU maps device-visible virtual addresses to physical addresses.

Qualcomm “B” family devices which are not compatible with arm-smmu have a similar looking IOMMU but without access to the global register space, and optionally requiring additional configuration to route context irqs to non-secure vs secure interrupt line.

Vulnerability details: Use After Free in Kernel. UAF scenario may occur in clients with EL1 privileges for iova mappings when we miss to check the return value of arm_lpae_init_pte which may lead to an PTE be counted as it was set even if it was already existing. This can cause a dangling IOMMU PTE to be left mapped pointing to a freed object and cause UAF in the client if the dangling PTE is accessed after a failed unmap operation.

Official announcement: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2024-bulletin.html

AI and ML, Potential Risk of CVE

CVE‑2024-0072 and CVE-2024-0076: Supercomputer and AI development Interlude (4th Apr 2024)

Leave a comment

Preface: A CUDA binary (also referred to as cubin) file is an ELF-formatted file which consists of CUDA executable code sections as well as other sections containing symbols, relocators, debug info, etc. By default, the CUDA compiler driver nvcc embeds cubin files into the host executable file.

Background: To dump cuda elf sections in human readable format from a cubin file, use the following command: cuobjdump -elf <cubin file>

nvdisasm extracts information from standalone cubin files and presents them in human readable format. The output of nvdisasm includes CUDA assembly code for each kernel, listing of ELF data sections and other CUDA specific sections.

–base-address <value>

–base

Desc: Specify the logical base address of the image to disassemble. This option is only valid when disassembling a raw instruction binary (see option –binary), and is ignored when disassembling an Elf file. Default value: 0.

Vulnerability details: CVE‑2024‑0072 and CVE-2024-0076: NVIDIA CUDA toolkit for all platforms contains a vulnerability in cuobjdump and nvdisasm where an attacker may cause a crash by tricking a user into reading a malformed ELF file. A successful exploit of this vulnerability may lead to a partial denial of service.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5517

Potential Risk of CVE

CVE-2024-22246: Vulnerability in VMware SD-WAN Edge, whether relies reverse shell again? (2nd April 2024)

Leave a comment

Preface: SD-WAN (Software-Defined WAN) is a service that overlays the hybrid network infrastructure, including SD-WAN routing. An intelligent software layer manages both MPLS WAN and other connections.

Both 5G and SD-WANs are independent technologies, but together they allow businesses to access their vital applications with the reliability, coverage, and speed that 5G provides.

Background: SD-WAN Edges perform deep application recognition, application and packet steering, performance metrics and end to end quality of service in addition to hosting virtual network function (VNF) services.

Vulnerability details: Unauthenticated Command Injection vulnerability in SD-WAN Edge (CVE-2024-22246)

VMware SD-WAN Edge contains an unauthenticated command injection vulnerability potentially leading to remote code execution. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.4.

Known Attack Vectors -A malicious actor with local access to the Edge Router UI during activation may be able to perform a command injection attack that could lead to full control of the router.

Official announcement: Please refer to the link for details – https://www.vmware.com/security/advisories/VMSA-2024-0008.html

AI and ML, Potential Risk of CVE

CVE-2024-3135: Missing CSRF token vulnerability in localAI (April 1, 2024)

Leave a comment

Preface: Imagine that you are training your application to differentiate between two types of cars (Ferrari and Porsche). You show the app numerous images of both cars, from appearance to features to engine design. Over time, apps begin to recognize the unique features that distinguish each other. At this point, the application can tell the difference between the two without help, which is basically what your Machine Learning model is used for. We call this phase training.

Background: LocalAI is a drop-in replacement REST API compatible with OpenAI API specifications for local inferencing. It allows to run models locally or on-prem with consumer grade hardware (No need for expensive cloud services or GPUs), supporting multiple models families compatible with the ggml format.

Vulnerability details: The web server lacked CSRF tokens allowing an attacker to host malicious JavaScript on a host that when visited by a LocalAI user, could allow the attacker to fill disk space to deny service or abuse credits.

Ref: Why missing CSRF looks common? This can be caused by ad- or script-blocking plugins or extensions and the browser itself if it’s not allowed to set cookies.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-3135

AI and ML, Potential Risk of CVE

CVE‑2024‑0082 – Design weakness of NVIDIA ChatRTX for Windows (26-03-2024)

Leave a comment

Preface: Unlike OpenAI’s ChatGPT, Chat with RTX doesn’t remember the context of prompts. Asking Chat with RTX to give examples of fishes in one prompt and then asking for a description of “the fishes” in the next prompt will result in a blank – users will need to spell out everything explicitly.

Background: Chat with RTX defaults to AI startup Mistral’s open-source model but supports other text-based models, including Meta’s Llama 2, which is also open-source.

Chat with RTX is a demo app that lets you personalize a GPT large language model (LLM) connected to your own content—docs, notes, videos, or other data. Leveraging retrieval-augmented generation (RAG), TensorRT-LLM, and RTX acceleration, you can query a custom chatbot to quickly get contextually relevant answers. And because it all runs locally on your Windows RTX PC or workstation.

Vulnerability details: NVIDIA ChatRTX for Windows contains a vulnerability in the UI, where an attacker can cause improper privilege management by sending open file requests to the application. A successful exploit of this vulnerability might lead to local escalation of privileges, information disclosure, and data tampering.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5532

Potential Risk of CVE

CVE-2024-2885: Use after free in Dawn in Google Chrome (26th Mar 2024)

Leave a comment

Preface: WebGPU is a JavaScript API provided by a web browser that enables webpage scripts to efficiently utilize a device’s graphics processing unit (GPU). Google has enabled WebGPU support by default in Chrome 121, the latest version of its Chrome browser.

Background: WebGPU sees physical GPU hardware as GPUAdapters. It provides a connection to an adapter via GPUDevice, which manages resources, and the device’s GPUQueues, which execute commands.

Vulnerability details: Use after free in Dawn in Google Chrome prior to 123[.]0[.]6312[.]86 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-2885

Potential Risk of CVE, Science, Under our observation

To be new or it was former: Rowhammer Attacks on AMD Zen-Based Platforms. So called ZenHammer (25-03-2024)

Leave a comment

Preface: It is possible to trigger Rowhammer bit flips on DDR4 devices on AMD Zen 2 and Zen 3 systems despite deployed TRR mitigations, said researchers at ETH Zurich.

Background: When high-energy charged particles pass through the crystal lattice of a silicon wafer, their charges can interfere with the electrons within the lattice itself and provide energy. If the lattice is moved closer together within the wafer, this disturbed electron trajectory can create a temporary highly conductive path that did not exist before. The effect of this trace is similar to running a very thin wire across the wafer in random directions. If the particle’s path crosses a feature within the die, such as a floating MOSFET gate or an NMOS DRAM cell, the result may be a flipped bit.

Vulnerability details: On February 26, 2024, AMD received new research related to an industry-wide DRAM issue documented in “ZENHAMMER: Rowhammering Attacks on AMD Zen-based Platforms” from researchers at ETH Zurich. The research demonstrates performing Rowhammer attacks on DDR4 and DDR5 memory using AMD “Zen” platforms. Given the history around Rowhammer, the researchers do not consider these rowhammering attacks to be a new issue.

Mitigation: Please see the following official announcement for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7021.html

Potential Risk of CVE

CVE-2024-29059  – [.]NET Framework Information Disclosure Vulnerability (24th Mar 2024)

Leave a comment

Preface: Microsoft did not tell the details of the vulnerability! What happened to the .NET Framework? Can we guess what happened?

[.]NET is a platform framework. Currently, there are two types: the [.]NET Framework exclusive to the Windows platform and the cross-platform .NET Core.

Background: The [.]NET Framework works with applications developed in C#, F#, or Visual Basic and compiled to Common Intermediate Language (CIL). The Common Language Runtime (CLR) runs [.]NET applications on a given machine, converting the CIL to machine code.

The Common Language Runtime (CLR), the virtual machine component of Microsoft .NET Framework, manages the execution of .NET programs

Vulnerability details: [.]NET Framework Information Disclosure Vulnerability

Official announcement: Please see the link below for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-29059

If you are interested in my speculation, please see the attached picture.

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

What are the security updates for 17.4.1? Apple, as always, won’t tell you the details of the vulnerability! (22-03-2024)

Leave a comment

Preface: iPhone XS is powered by the A12 Bionic processor. iPhone 13 and iPhone 13 Mini use the Apple-designed A15 Bionic chip system. Additionally, the iPhone 15 is powered by a six-core Apple A16 Bionic processor. All above Bionic processors have common point. They are 64-bit ARM-based system on a chip (SoC) designed by Apple Inc.

Speculation: If you remember, a vulnerability related to AMD on 15th Mar, 2024.(CVE-2024-21930) Specter v1 variant inheriting the Specter v1 vulnerability. So called GhostRace. But this design weakness not only to AMD. For example, ARM Limited do not announce they do not impact with this vulnerability. So, do you think, Apple Inc. might worries about this vulnerability thus in priority to update Firmware and Linux base OS to mitigate this risk?

Official announcement: Please refer to the link for details  – https://support.apple.com/en-us/HT201222

CPU hardware utilizing speculative execution may be vulnerable to speculative race conditionshttps://www.kb.cert.org/vuls/id/488902

Potential Risk of CVE

CVE-2024-22019: About Node.js HTTP module(21st Mar 2024)

Leave a comment

Preface: Express framework is built on top of the Node.js HTTP module and provides us, with a clean way to write the backend.

Background: The HTTP module extends two built-in classes:

Net module: Provides network API for creating stream-based TCP servers or clients.

Events module: Provides an event-driven architecture using EventEmitter class.

Ref: Chunked transfer encoding is a streaming data transfer mechanism available in Hypertext Transfer Protocol (HTTP) version 1.1, defined in RFC 9112#section-7.1. In chunked transfer encoding, the data stream is divided into a series of non-overlapping “chunks”. The chunks are sent out and received independently of one another.

Each chunk is preceded by its size in bytes. The transmission ends when a zero-length chunk is received. The chunked keyword in the Transfer-Encoding header is used to indicate chunked transfer.

Vulnerability details: A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.

Official announcement: Please see the link below for details:

https://nvd.nist.gov/vuln/detail/CVE-2024-22019