All posts by admin

About CVE-2023-21666 – Memory Corruption in Graphics while accessing a buffer [Android Security Bulletin in 1st May 2023] (12th May 2023)

Preface: In a smartphone, the GPU plays the role of a graphics card. The Graphics Processing Unit is a processor like the CPU, but dedicated to rendering 3D graphics. If your phone does not have one, you cannot play any 3D games.

Background: The KGSL pool is shared by all clients or processes that use the device's graphics user-space driver. Whenever a user-space application requests a memory allocation for graphics processing, the existing design (described in a patent) allocates the nearest-order pages from system memory (initially) and maps them to the GPU. Once the application has finished its work, it releases those pages back to the KGSL pool, where they are free for another allocation.
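As an added illustration of the shared-pool behaviour described above (example code written for this post, not Qualcomm's KGSL implementation; the page size, order range and block counts are constructed), a small order-based pool in C that rounds each request to the nearest order and validates every release before the block returns to the shared free list:

```c
/* Added example, not Qualcomm's KGSL code: a simplified shared page pool.
 * Requests round up to the nearest order (power-of-two page count); released
 * blocks return to a per-order free list that all clients share, so a release
 * is validated: a pointer the pool does not own, or a second release of the
 * same block, is refused instead of being handed out to the next client. */
#include <stdlib.h>
#include <string.h>

#define POOL_PAGE        4096u   /* constructed sizes for illustration */
#define MAX_ORDER        4       /* orders 0..4 = 1,2,4,8,16 pages */
#define BLOCKS_PER_ORDER 4

struct block { unsigned char *mem; int in_use; };
static struct block pool[MAX_ORDER + 1][BLOCKS_PER_ORDER];

/* Smallest order whose page count covers nbytes; -1 if larger than any order. */
int nearest_order(size_t nbytes) {
    size_t pages = (nbytes + POOL_PAGE - 1) / POOL_PAGE;
    for (int o = 0; o <= MAX_ORDER; o++)
        if (((size_t)1 << o) >= pages) return o;
    return -1;
}

/* Hands out a free block of the matching order, backing it with zeroed
 * system memory on first use. Returns NULL when that order is exhausted. */
void *pool_alloc(size_t nbytes) {
    int o = nearest_order(nbytes);
    if (nbytes == 0 || o < 0) return NULL;
    for (int i = 0; i < BLOCKS_PER_ORDER; i++) {
        struct block *b = &pool[o][i];
        if (b->in_use) continue;
        if (!b->mem) b->mem = calloc(POOL_PAGE << o, 1);
        if (!b->mem) return NULL;
        b->in_use = 1;
        return b->mem;
    }
    return NULL;
}

/* Returns a block to the shared pool: 0 on success, -1 if ptr is not a live
 * block of this pool (foreign pointer or double release). The block is wiped
 * so the next client never sees the previous owner's data. */
int pool_release(void *ptr) {
    for (int o = 0; o <= MAX_ORDER; o++)
        for (int i = 0; i < BLOCKS_PER_ORDER; i++) {
            struct block *b = &pool[o][i];
            if (b->mem == ptr && b->in_use) {
                memset(b->mem, 0, POOL_PAGE << o);
                b->in_use = 0;
                return 0;
            }
        }
    return -1;
}
```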

Vulnerability details: Memory Corruption in Graphics while accessing a buffer allocated through the graphics pool.

Official announcement – For details, please refer to the link below
Android: https://source.android.com/docs/security/bulletin/2023-05-01
Qualcomm: https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2023-bulletin.html

About Artificial Intelligence (NVIDIA® DGX-1): Closer look at CVE‑2023‑0209 (11th May 2023)

Preface: NVIDIA DGX-1 is an integrated deep learning workstation with a large computing capacity, which can be used to run demanding deep learning workloads. It provides GPU computing power of 1 PetaFLOPS (1 quadrillion floating-point operations per second).

Background: Historically, both vendors and attackers have overlooked (pre)EFI boot process (in)security; pre-EFI Initialization (PEI) boot stage opens many doors and offers flexibility to attackers.
The Pre-EFI Initialization (PEI) phase provides a standardized method of loading and invoking specific initial configuration routines for the processor, chipset, and system board. The PEI phase occurs after the Security (SEC) phase. The primary purpose of code operating in this phase is to initialize enough of the system to allow instantiation of the Driver Execution Environment (DXE) phase.
The Driver Execution Environment (DXE) phase is where most of the system initialization is performed. Pre-EFI Initialization (PEI), the phase prior to DXE, is responsible for initializing permanent memory in the platform so that the DXE phase can be loaded and executed.

Note: Security (SEC) and Pre-EFI (PEI) phases – both are controlled by the firmware vendor.
SEC – Init CPU, clear caches, load BIOS ROM
PEI – Initialize chipset, RAM, devices, Secure Boot (Record Secure Boot in PCR 7)

Vulnerability details: NVIDIA DGX-1 SBIOS contains a vulnerability in the Uncore PEI module, where authentication of the code executed by SSA is missing, which may lead to arbitrary code execution, denial of service, escalation of privileges, information disclosure, data tampering, and SecureBoot bypass.

Official announcement: For details, please refer to the link – https://nvidia.custhelp.com/app/answers/detail/a_id/5458

CVE-2023-24941 – Windows Network File System Remote Code Execution Vulnerability. One of the possible ways to trigger the attack. (10th May 2023)

Preface: The NFS 4.1 design flaw was disclosed in August 2019, when it affected only the Linux kernel. It was hard to predict then that it would reach the Windows platform, and now it has!

Background: Using the NFS protocol, you can transfer files between computers running Windows and other non-Windows operating systems, such as Linux or UNIX.
NFS in Windows Server includes Server for NFS and Client for NFS. A computer running Windows Server can use Server for NFS to act as an NFS file server for non-Windows client computers. Client for NFS allows a Windows-based computer running Windows Server to access files stored on a non-Windows NFS server.

Vulnerability detail: Windows Network File System Remote Code Execution Vulnerability

Since the vendor has not disclosed the technical details, my speculation is shown below:

Point 1 – The Network File System (NFS) protocol uses Open Network Computing Remote Procedure Call (ONC RPC) to exchange control messages. The design weakness occurs due to incorrect calculation of the size of response messages.
Point 2 – The server calls a function to calculate the size of each opcode response, though it does not include the size of the opcode itself. Due to this, the response buffer becomes too small and an overflow may happen.

Once the source Linux server has been compromised through the NFS 4.1 vulnerability, the attacker would rely on the design weaknesses in points 1 and 2 to attack the target Windows server.
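To make points 1 and 2 concrete, an added C model of the speculated sizing error (illustrative code written for this post, not Microsoft's NFS server; the two sample results are constructed): the buggy sum omits each result's 4-byte opcode field, while the encoder checks the full size before writing anything.

```c
/* Added example modelling the author's speculation, not Microsoft's NFS code.
 * Each result in an NFSv4 COMPOUND reply begins with a 4-byte opcode before
 * its body; sizing the reply from the bodies alone undercounts by 4 bytes per
 * operation. The encoder checks the full size and refuses rather than overflows. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define OPCODE_LEN 4u   /* per-result opcode field the buggy sum omits */

struct op_result { uint32_t opcode; const uint8_t *body; size_t body_len; };

/* Constructed sample: two results with 4- and 12-byte bodies. */
static const uint8_t kBodyA[4] = {0}, kBodyB[12] = {0};
const struct op_result kSampleOps[2] = {
    { 22, kBodyA, sizeof kBodyA },   /* 22 = OP_PUTFH */
    {  9, kBodyB, sizeof kBodyB },   /*  9 = OP_GETATTR */
};

/* Buggy sizing (point 2): 4-byte result count plus bodies only. */
size_t reply_size_bodies_only(const struct op_result *ops, size_t n) {
    size_t total = 4;
    for (size_t i = 0; i < n; i++) total += ops[i].body_len;
    return total;
}

/* Correct sizing: the opcode field of every result is counted too. */
size_t reply_size_full(const struct op_result *ops, size_t n) {
    size_t total = 4;
    for (size_t i = 0; i < n; i++) total += OPCODE_LEN + ops[i].body_len;
    return total;
}

static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Encodes the reply into buf; returns bytes written or -1 if buf is too small.
 * It never writes past buf_len: an undersized buffer is an error, not an overflow. */
long encode_reply(const struct op_result *ops, size_t n, uint8_t *buf, size_t buf_len) {
    if (reply_size_full(ops, n) > buf_len) return -1;
    size_t off = 0;
    put_be32(buf + off, (uint32_t)n); off += 4;
    for (size_t i = 0; i < n; i++) {
        put_be32(buf + off, ops[i].opcode); off += OPCODE_LEN;
        memcpy(buf + off, ops[i].body, ops[i].body_len); off += ops[i].body_len;
    }
    return (long)off;
}
```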

Workaround: This vulnerability is not exploitable in NFSV2.0 or NFSV3.0. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV4.1.

Official announcement: For details, please refer to the link – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24941

CVE-2023-2513: use-after-free in ext4_xattr_set_entry (8th May 2023)

Preface: The vulnerability was fixed in Aug 2022. It is not a zero-day; the CVE was simply published this month.

Background: ext4 is the default file system for many Linux distributions including Debian and Ubuntu. Furthermore, ext4 is the default file system for DigitalOcean Volumes Block Storage. Also, Google has used Ext4 on Android since Android 2.3.

To create files on ext4, you first need to format the partition with the ext4 file system using the mkfs.ext4 command:

mkfs.ext4 blockdevice

Vulnerability details: A use-after-free vulnerability was found in the Linux kernel’s ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-2513

Do you know what AI is thinking? Sooner or later it will become smarter than ordinary people (8th May 2023).

Preface: The 2012 Mayan doomsday prophecy is perhaps a joke.
However, the weather havoc is severe and unpredictable, and sudden weather changes are becoming more destructive. In fact, scientists urge that this extreme change in weather is related to the current environment.
What's more, the prophecy does not record how nature will change immediately, nor does it say that everything will be over on the specified date.

Background: AI inventions, like the advent of the atomic bomb, will completely change the world, said Warren Buffett.
Two years ago, some speakers at the workshop said not to worry: AI would not affect your job. In fact, artificial intelligence will replace low-level labor in the next few years; it does not substitute 100% of it immediately within a set time.
Buffett said that Microsoft founder Bill Gates once showed him the latest version of ChatGPT, which could check all legal opinions in a very short time, and this impressed him. He believes the power of AI technology should be cause for concern.

Common open source AI software: Before AI knows how to use its intelligence to protect itself without relying on people, we should know what it is and gain a basic understanding of it.

Acumos AI: Based on Linux, to help integrate other frameworks and develop cloud-based AI apps.
ClearML: ClearML announced a free hosted plan to give data scientists the freedom to manage AI/ML experiments and orchestrate workloads without investing in additional resources.
H2O.ai: Integration with Hadoop and Spark for big data-based AI modeling. Library of ML algorithms including supervised and unsupervised learning.
Mycroft.ai: Mycroft powers various elements of the voice stack using open source AI technology. There is a large community of users, developers, and translators, to constantly improve the AI algorithms.
OpenCV: Proven applications across a variety of use cases, including facial recognition, human-computer interaction, object detection, motion tracking, and more. Its ML library contains algorithms for decision tree learning, k-nearest neighbors, artificial neural networks, random forests, and deep neural networks (DNN), among others.
OpenNN: OpenNN is an open source AI software library for implementing neural networks and ML.
PyTorch: A production-ready environment powered by TorchServe for quickly deploying models. A distributed backend architecture to enable distributed training and performance optimization.
Rasa (Open Source): Natural language understanding to convert messages into structured data and analyze intent.
TensorFlow: Support for multiple languages, including JavaScript, which is relatively rare in the open source AI space.
Tesseract OCR: Tesseract is an OCR engine originally developed by Hewlett Packard as a proprietary technology in the 1980s. It launched as open source AI software with sponsorship from Google in 2006. Its primary implementation is meant for unstructured data processing and extracting text from images, executed entirely from a command line interface.

Former CNBC article for reference: https://www.cnbc.com/2017/11/06/stephen-hawking-ai-could-be-worst-event-in-civilization.html

About CVE-2023-21511 – How local attacker to read arbitrary memory? (6th May 2023)

Preface: TEE is an area on the chipset that works like a TPM, but is not physically isolated from the rest of the chip.

Background: The Trusted Execution Environment (TEE) is a secure area within the main processor. As an isolation environment, it ensures that the code and data loaded in the TEE are protected from software attacks and vulnerabilities in the Rich Execution Environment (REE).
How does Samsung Blockchain Keystore leverage the TEE? The Samsung Blockchain Keystore SDK allows your Android DApp to communicate directly with Samsung Blockchain Keystore, a preloaded feature on selected Galaxy devices.
Developers can use an API provided by the Samsung Blockchain Keystore to check if a user is ready to use Samsung Blockchain Keystore. If the user has not created a wallet yet, developers can direct the user to create a new wallet to leverage Samsung Blockchain Keystore features.

Vulnerability details: Out-of-bounds Read vulnerability while processing CMD_COLDWALLET_BTC_SET_PRV_UTXO in bc_core trustlet from Samsung Blockchain Keystore prior to version 1.3.12.1 allows local attacker to read arbitrary memory.

Official announcement: For details, please refer to the link – https://security.samsungmobile.com/serviceWeb.smsb?year=2023&month=05

About CVE-2023-27999 (FortiADC from Fortinet): Are old vulnerabilities showing up again? (4th May 2023)

Preface: In an earlier design weakness, an attacker could smuggle commands using backticks in the “Name” field of the SAML Server configuration page. These commands were then executed as the root user of the underlying operating system.
This article is speculation, since the vendor provided no technical details in this CVE record.

Background: FortiADC is an advanced Application Delivery Controller (ADC) that ensures application availability, application security, and application optimization.

For example: Configure a SAML service provider
To configure an SP, you must have the required IDP metadata file imported into FortiADC ahead of time.

  • Click User Authentication > SAML.
  • Select the SAML Service Providers tab, if it is not selected.
  • Click Create New to open the SAML Service Providers configuration editor.
  • Configure the settings.

Vulnerability details: An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiADC 7.2.0, 7.1.0 through 7.1.1 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.

Official Announcement: See the link below for details – https://cve.report/CVE-2023-27999

About CVE-2023-21666: memory leak vulnerability (3rd May 2023)

Preface: The product does not sufficiently track and release allocated memory after it has been used. Such a design weakness belongs to CWE-401.

Background: The Snapdragon Heterogeneous Compute SDK provides developers with the ability to allocate work to any of the three processors on Snapdragon. The SDK provides C++ APIs for the Kryo CPU and Adreno GPU, the latter of which interacts through OpenGL and OpenCL calls.

Vulnerability details: Improper Release of Memory Before Removing Last Reference ('Memory Leak') in Graphics.

Solution: Official announcement, please refer to the link – https://git.codelinaro.org/clo/la/kernel/msm-4.19/-/commit/9968fcdd9d1c853d0c6472307510a81f5db398da

About CVE-2023-46365: Hard Code value vs access privileges control! (2nd May 2023)

Preface: In order to avoid vulnerabilities, cloud service providers have their hands full!

Background: The project was open-sourced under the name StreamX in April 2021, renamed StreamPark in August 2022, and then formally became an incubator project of the Apache Software Foundation by vote in September.
StreamPark is a streaming application development framework. Aimed at easing the building and management of streaming applications, StreamPark provides a development framework for writing stream-processing applications with Apache Flink and Apache Spark.
Apache Spark and Apache Flink are two of the most popular tools used for machine learning and data science.
Known for its speed and scalability, Apache Spark can handle a wide variety of workloads, including batch processing, stream processing, and machine learning. On the other hand, Apache Flink is designed for real-time data processing and optimized for low latency and high throughput.

Vulnerability details: Apache StreamPark (incubating): Logic error causing any account reset.

Affected products: Apache StreamPark 1.0.0 before 2.0.0

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2022-46365

About CVE-2023-1786: cloud-init impacts Oracle Linux 8 & 9. Fix log file permissions. (27th Apr 2023)

Preface: Open source software fosters collaboration. As such, open source software will continue to play a key role in modern software development.

Background: cloud-init is a software package that automates the initialization of cloud instances during system boot. You can configure cloud-init to perform a variety of tasks. Cloud-init is a service used for customizing Linux-based operating systems in the cloud.
Cloud-init is the service installed inside the instance, and cloud-config is the set of scripts executed as soon as the instance starts. Cloud-config is the language of the scripts that cloud-init knows how to execute. cloud-init is developed and released as free software under both the GPLv3 open source license and the Apache License version 2.0.

Vulnerability details: Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege. (CVE-2023-1786)

Official announcement: For details, please refer to the relevant link – https://linux.oracle.com/errata/ELSA-2023-12298.html

Reference: With structured logging, your logs are relational data sets, like key/value pairs, rather than just text. Structured logging has the advantage of being more easily searched and analyzed. It can also help with keeping sensitive data out of your logs.
The most common structured logging format is JSON, since it is the standard message format for message parsing between systems and within applications.
Note that a tool is required to convert Common Event Format (CEF) to JSON.
Another measure may also help, for example fixing log file permissions.
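An added C example of both measures mentioned here, restrictive log permissions and redaction of credential-bearing keys before they are written as key/value pairs (illustrative code written for this post, not cloud-init's own; the 0640 mode and the list of secret key names are assumptions):

```c
/* Added example, not cloud-init's own code: a key/value logger that creates
 * the log with a restrictive mode regardless of the caller's umask and redacts
 * values whose key names a credential, so a hashed password from user-data is
 * never written. The 0640 mode and the key list are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define LOG_MODE 0640   /* assumed: owner read/write, group read, no world access */

/* Keys whose values must never reach the log (assumed list). */
static const char *kSecretKeys[] = {
    "passwd", "hashed_passwd", "plain_text_passwd", "password", "token"
};

int is_secret_key(const char *key) {
    for (size_t i = 0; i < sizeof kSecretKeys / sizeof kSecretKeys[0]; i++)
        if (strcmp(key, kSecretKeys[i]) == 0) return 1;
    return 0;
}

/* Formats "key=value" into out, substituting a marker when the key is secret.
 * Returns the length snprintf would have produced. */
int format_kv(char *out, size_t out_len, const char *key, const char *value) {
    return snprintf(out, out_len, "%s=%s", key,
                    is_secret_key(key) ? "[REDACTED]" : value);
}

/* Opens or creates the log with LOG_MODE. fchmod also tightens a pre-existing
 * file that was left world-readable; O_NOFOLLOW refuses a symlink planted at
 * the path. Returns the descriptor or -1. */
int open_private_log(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, LOG_MODE);
    if (fd < 0) return -1;
    if (fchmod(fd, LOG_MODE) != 0) { close(fd); return -1; }
    return fd;
}

/* Permission bits of an open file (e.g. 0640), or -1 on error. */
int file_mode_bits(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}
```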