All posts by admin

CVE-2023-0208 – update for NVIDIA® Data Center GPU Manager (DCGM) (13th Apr 2023)

Preface: The Easter holiday fell in the second week of April, so this news may be late. On 03/31/2023 03:00 PM, NVIDIA released a software update for NVIDIA® Data Center GPU Manager (DCGM). The update addresses security issues that may lead to denial of service and data tampering.
Be my guest; see whether you are interested.

Background: NVIDIA Data Center GPU Manager (DCGM) is a suite of tools for managing and monitoring NVIDIA datacenter GPUs in cluster environments. It includes active health monitoring, comprehensive diagnostics, system alerts and governance policies including power and clock management.
DCGM provides several mechanisms for understanding GPU topology, both a verbose device-level view and a non-verbose group-level view. These views are designed to give a user information about connectivity to other GPUs in the system as well as NUMA/affinity information.

Ref: Non-uniform memory access is a computer memory design used in multiprocessing, where the memory access time depends on the memory location relative to the processor. Under NUMA, a processor can access its own local memory faster than non-local memory.

Vulnerability details: NVIDIA DCGM for Linux contains a vulnerability in HostEngine (server component) where a user may cause a heap-based buffer overflow through the bound socket. A successful exploit of this vulnerability may lead to denial of service and data tampering.

Official announcement: For details, please refer to the official announcement – https://nvidia.custhelp.com/app/answers/detail/a_id/5453

About CVE-2023-28205 and CVE-2023-28206: Hunter, hunting Apple design weakness (12th Apr 2023)

Preface: The memcpy() function is used to copy a specified number of bytes from one memory region to another. The memmove() function does the same, but also handles the case where the source and destination regions overlap in the same memory.

Background: WebKit is the part of Apple’s browser engine that sits underneath absolutely all web rendering software on Apple’s mobile devices.
Use-after-free and input validation issues were found in Apple's iOS, macOS and Safari software products. A proof of concept released to the public shows the design weakness.
A proof-of-concept (PoC) exploit for the CVE-2023-28206 flaw reveals an out-of-bounds memory move in IosaColorManagerMSR8::getHDRStats_gatedContext.
CVE-2023-28206: IOSurfaceAccelerator – An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
CVE-2023-28205: WebKit – Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Ref: WebKit is a browser engine developed by Apple and primarily used in its Safari web browser, as well as all web browsers on iOS and iPadOS.

Vulnerability details:
CVE-2023-28205: A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CVE-2023-28206: An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, macOS Monterey 12.6.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Big Sur 11.7.6, macOS Ventura 13.3.1. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Official announcement – For details, please refer to the link – https://support.apple.com/en-us/HT213720

About CVE-2023-27727 (11th April 2023)

Preface: In computing, a segmentation fault (often shortened to segfault) or access violation is a fault, or failure condition, raised by hardware with memory protection, notifying an operating system (OS) the software has attempted to access a restricted area of memory (a memory access violation).

Background: NJS is a subset of the JavaScript language that allows extending NGINX functionality. njs is created in compliance with ECMAScript 5.1 (strict mode) with some ECMAScript 6 and later extensions.
To use njs in nginx:

  • install njs scripting language
  • create an njs script file
  • in the nginx[.]conf file, enable ngx_http_js_module module and specify the js_import directive with the http[.]js script file.
    Example: load_module modules/ngx_http_js_module.so

Vulnerability details: Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_function_frame at src/njs_function[.]h.
Observation: this is one of the possible ways. If the data passed to the variable is user-controlled, it can lead to a stack-based buffer overflow attack. Sometimes it will hit an error due to a security feature called stack cookies.

Official Announcement – Please refer to this link – https://nvd.nist.gov/vuln/detail/CVE-2023-27727

My comments below:
As a matter of fact, it is hard to detect. However, the trigger of exploitation of the bug takes only a few seconds to a minute. If it is successful, SOC event correlation may find this suspicious activity.
So, the SOC is important today!

About CVE-2023-0461 – When you take this way, you should be aware of it. (6th April 2023)

Preface: Combining kTLS and sendfile() means data is encrypted directly in kernel space, before being passed to the network stack for transmission.

Background: Improving web server performance on FreeBSD/Linux with kernel TLS (kTLS).
Kernel TLS operation – Linux kernel provides TLS connection offload infrastructure. Once a TCP connection is in ESTABLISHED state user space can enable the TLS Upper Layer Protocol (ULP) and install the cryptographic connection state.
kTLS can operate in three modes:
– Software crypto mode (TLS_SW)
– Packet-based NIC offload mode (TLS_HW)
– Full TCP NIC offload mode (TLS_HW_RECORD)

Vulnerability details: A use-after-free flaw was found in the Linux kernel’s TLS protocol functionality in how a user installs a tls context (struct tls_context) on a connected TCP socket. This flaw allows a local user to crash or potentially escalate their privileges on the system.

Resolution
– To prevent a kernel module from loading during boot, the module name must be added to a configuration file for the “modprobe” utility. This file must reside in /etc/modprobe[.]d.
– Ensure the module is not configured to get loaded in either /etc/modprobe[.]conf, /etc/modprobe[.]d/*, /etc/rc[.]modules, or /etc/sysconfig/modules/* before making the following modifications.

For details, please refer to the link – https://access.redhat.com/solutions/41278

Whether we can open the mask – About CVE-2023-21085 & CVE-2023-21096 (5th April 2023)

Preface: The vendor did not describe the details; see whether this is the vulnerability they found.

Background: The Android Runtime (ART) and managed core library (libcore) were part of the Runtime module effort in Android 10 along with the native runtime (Bionic) and ICU.
In Android 11, ART and libcore are packaged as non-updateable APEX. Bionic and ICU (code and data) remain on the platform and are separated from ART to improve updatability.

Vulnerability details: Google has started rolling out the April 2023 security update for its mobile operating system platform to address a total of 69 new security vulnerabilities affecting Android devices, 6 of which have been rated critical in severity.
In this topic we focus on the following vulnerabilities: CVE-2023-21085 and CVE-2023-21096.

Official announcement: For details, please refer to the link – https://source.android.com/docs/security/bulletin/2023-04-01

New Design vs Old Style Attacks (5th April 2023)

Preface: In December 2022, Microsoft warned that malicious hackers had been able to get the software giant to digitally sign their code so it could be used in attacks, such as the deployment of ransomware.

Background: The newest update to AMD’s P-State EPP Linux driver hit today, offering better Ryzen & EPYC performance & better power control on CPUs.
AMD P-State EPP can further help tune the performance and power efficiency of AMD Linux systems beyond the existing basic AMD P-State driver support and address some existing deficiencies.
AMD EPYC processors are the only x86 server CPUs with an integrated, embedded security processor that is “hardened at the core” to help secure customer data whether in a central data center or distributed across locations at the network edge.

Observation of the subject: In 2018, AMD confirmed the Ryzenfall vulnerabilities but said they would be fixed soon via routine BIOS updates. At that early stage, AMD neither confirmed nor denied whether the attacks could be executed remotely or required local access.
AMD has recently released a BIOS update that supposedly allows users to disable the Secure Processor, but this feature works only partially and does not stop the RYZENFALL attacks; some experts say this is not an effective mitigation measure.

What do you think? Is the specified design weakness still valid, or has the vendor fixed it?

About Kubernetes Hardening Guide (3rd Apr 2023)

Preface: The Lord taught Enoch that those who build their lives upon the Savior would never fall.
Never mind whether it was really the Lord or an advanced civilization; human beings are moving toward digitization. The Bible mentions Lucifer, who is similar to a cyber threat actor.

Background: Technology is trending from on-premises to cloud. Cloud-based attacks most likely come through the following ways:
– Compromised Laptop via Phishing Emails – The RansomCloud attack is a relatively new type of ransomware that targets cloud-based email services such as Office 365.
– Compromised Server via Unpatched Vulnerabilities
Based on cyber defense capabilities, we believe that major cloud service providers will have effective ways to deal with disruptions caused by cyber attacks.

However, more and more native applications rely on CSPs’ APIs, for example push notifications, push messages, or notifications through a cloud messaging service. Applications running on mobile devices, browsers or IoT devices can use push technology, for example for application-to-application (A2A) and application-to-person (A2P) communication.
A2A provides high-throughput, push-based, many-to-many messaging between distributed systems, microservices, and event-driven serverless applications.
Push notifications can be cloud-based or app-based, and are built to work with a server that provides the notification. An API can enable push notifications from cloud services as app and web push services. Once an organization requests a push notification, an API calls this service and sets the message in place to be delivered.
The Push API's capabilities can be abused to spread fake or deceptive messages, flood the user’s device with spam, and trick people into installing malicious apps.
Remark: Push API is the general term for all push APIs.

Technical details: My friend Enoch (CCIE) recommended the Kubernetes Hardening Guide last week. In my view it is good for preventive control, since there is a lot of uncertainty in the digital world. Be my guest; you can download it from this official link.

https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF

CVE-2023-20947 : About Permission Controller APK (30th March 2023)

Preface: The Android operating system is mainly based on Linux, and its kernel is written in the C language. Some modifications may have been done using the C++ language.

Background:
Get Group State – different software uses different ways (see below):

  • only need to input the queried union information unionID
  • need unionID and zoneID; query information about the state of the union bound to the group. Return information and result:

static void GetGroupState (String unionID, String zoneID = "", String extraJson = "") ;

Vulnerability details: In getGroupState of GrantPermissionsViewModel.kt, there is a possible way to keep a one-time permission granted due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

If a permission is split, all permissions the original permission is split into are affected.
For <= N_MR1 apps, all permissions of the groups of the requested permissions are affected.

Affected products: Android versions Android-12, Android-12L and Android-13.

Official announcement: For details, see the link – https://nvd.nist.gov/vuln/detail/CVE-2023-20947

CVE-2022-42827 – A type confusion issue was addressed with improved checks (29th Mar 2023).

Preface: WebKitGTK is a full-featured port of the WebKit rendering engine, suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers.

Background: There is no WebKit.framework in Cocoa Touch. The WebKit framework is only available on OS X. For iOS, just use UIWebView.
The Core OS Layer is the last layer of the iOS stack and sits directly on top of the device hardware. This layer provides a variety of services including low level networking, access to external accessories and the usual fundamental operating system services such as memory management, file system handling and threads.

Vulnerability details: A type confusion issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.2.1, iOS 16.3.1 and iPadOS 16.3.1, Safari 16.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

My observation: since the vulnerability is not described in detail, my speculation is: did the vendor find attackers exploiting the design weakness below?
%rbx is a callee-save register, so we know that some callee of JITCode::execute() must have modified %rbx and failed to restore it before returning. JSC does have code to save and restore callee-save registers in the LLInt interpreter and Just-In-Time (JIT) compiler generated code.
Perhaps the vulnerability enhancement is going to correctly caller-save the return address register.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-23529

Red Hat provides a quick way to do the mitigation for CVE-2023-1281 (28th Mar 2023)

Preface: Use-After-Free (UAF) is a vulnerability related to incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program.

Background: tcindex, the traffic control index filter. This filter allows matching packets based on their tcindex field value, i.e. the combination of the DSCP and ECN fields as present in IPv4 and IPv6 headers.
SYNOPSIS:
tc filter … tcindex [ hash SIZE ] [ mask MASK ] [ shift SHIFT ] [ pass_on | fall_through ] [ classid CLASSID ] [ action ACTION_SPEC ]

Vulnerability details: A use-after-free vulnerability was found in the traffic control index filter (tcindex) in the Linux kernel. The imperfect hash area can be updated while packets are traversing. This issue could allow a local attacker to cause a use-after-free problem, leading to privilege escalation.

Solution: How do I blacklist a kernel module to prevent it from loading automatically?
https://access.redhat.com/solutions/41278
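The Red Hat solution linked here and the resolution given above for CVE-2023-0461 both come down to the same modprobe blacklist mechanism. The following shell script is an added example (my own, not from this blog or from Red Hat) that writes such a fragment and checks that no other configuration still requests the module; the module names tls (kernel TLS) and cls_tcindex (tcindex filter) are assumptions, since the page does not name them.

```shell
#!/bin/sh
# Added example: write and verify a modprobe blacklist fragment, the mechanism
# the Red Hat solution relies on. Module names are assumptions: kernel TLS in
# "tls", the tcindex classifier in "cls_tcindex".

# Write DIR/MOD-blacklist.conf. "blacklist" stops alias-driven autoloading;
# "install MOD /bin/false" makes explicit and dependency loads fail as well.
write_blacklist() {
    dir="$1"
    mod="$2"
    mkdir -p "$dir"
    printf 'blacklist %s\ninstall %s /bin/false\n' "$mod" "$mod" \
        > "$dir/$mod-blacklist.conf"
}

# Return 0 when a fragment in DIR blacklists MOD, 1 otherwise.
is_blacklisted() {
    mod="$1"
    dir="$2"
    grep -Eqs "^[[:space:]]*blacklist[[:space:]]+$mod([[:space:]]|$)" "$dir"/*.conf
}

# Return 0 when any given file (modprobe.conf, rc.modules or
# sysconfig/modules/* style) still asks for MOD to be loaded, 1 otherwise.
still_requested_by() {
    mod="$1"
    shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -Eq "^[[:space:]]*(modprobe[[:space:]]+)?$mod([[:space:]]|$)" "$f"; then
            return 0
        fi
    done
    return 1
}

# Return 0 when MOD is loaded in the running kernel right now.
is_loaded() {
    grep -q "^$1 " /proc/modules 2>/dev/null
}

# On a live system (as root) the calls would be:
#   write_blacklist /etc/modprobe.d tls
#   write_blacklist /etc/modprobe.d cls_tcindex
#   still_requested_by tls /etc/modprobe.conf /etc/rc.modules /etc/sysconfig/modules/*
#   is_loaded tls && echo "tls already loaded: unload it or reboot"
```

A module that is already loaded stays loaded until it is unloaded or the system reboots, and if it is bundled in the initramfs the blacklist only takes effect once the initramfs is regenerated.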