All posts by admin

CVE-2023-40457: About the BGP transitive bit being awakened (12th Nov 2024)

Preface: The core purpose of a BGP UPDATE is to tell another router which destinations it can (or can no longer) reach through the sender. However, simply knowing which destinations are reachable is not very useful without context. Therefore, a BGP UPDATE is divided into two parts: Network Layer Reachability Information (NLRI), i.e. the IP prefixes being advertised, and path attributes that describe additional context about that reachability data.

Background:

One important flag is called the “transitive bit”:

If a BGP implementation does not understand an attribute and the transitive bit is set, it copies the attribute unchanged into the UPDATE it sends on to the next router. If the router does understand the attribute, it can apply its own policy to it. The downside is that unknown information can propagate blindly through systems that do not understand the impact of what they are forwarding.
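To make the forwarding rule concrete, here is an added example (not code from the post or from any router vendor) that parses RFC 4271 path attribute headers and applies the section 9 rules for attributes a speaker does not understand. The set of "understood" types (ORIGIN, AS_PATH, NEXT_HOP) and the sample attributes of type 21 and 25 are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* RFC 4271 attribute flag bits (first byte of every path attribute). */
enum { ATTR_OPTIONAL = 0x80, ATTR_TRANSITIVE = 0x40, ATTR_EXT_LEN = 0x10 };
enum action { APPLY_POLICY, FORWARD_WITH_PARTIAL, DROP_SILENTLY, SESSION_ERROR };
struct attr { uint8_t flags, type; uint16_t len; const uint8_t *value; };

/* Parse one attribute header; returns bytes consumed, or -1 when the declared
 * length runs past the end of the buffer (a malformed attribute). */
int parse_attr(const uint8_t *buf, size_t buflen, struct attr *a) {
    size_t hdr = (buflen > 0 && (buf[0] & ATTR_EXT_LEN)) ? 4 : 3;  /* 2-byte length? */
    if (buflen < hdr) return -1;
    a->flags = buf[0];
    a->type = buf[1];
    a->len = hdr == 4 ? (uint16_t)((buf[2] << 8) | buf[3]) : buf[2];
    if (hdr + a->len > buflen) return -1;
    a->value = buf + hdr;
    return (int)(hdr + a->len);
}
/* Types this hypothetical speaker implements: ORIGIN, AS_PATH, NEXT_HOP. */
static bool understood(uint8_t type) { return type >= 1 && type <= 3; }

/* RFC 4271 section 9 rules for an attribute the speaker does (not) know. */
enum action decide(uint8_t flags, uint8_t type) {
    if (understood(type)) return APPLY_POLICY;
    if (!(flags & ATTR_OPTIONAL)) return SESSION_ERROR;      /* unrecognized well-known */
    if (flags & ATTR_TRANSITIVE) return FORWARD_WITH_PARTIAL; /* pass on with partial bit set */
    return DROP_SILENTLY;                                     /* unknown and non-transitive */
}

/* Count attributes that would be passed on without being understood (the
 * "transitive bit" risk); -1 if any attribute is malformed. */
int count_blind_forwards(const uint8_t *buf, size_t buflen) {
    int n = 0;
    for (size_t off = 0; off < buflen;) {
        struct attr a;
        int used = parse_attr(buf + off, buflen - off, &a);
        if (used < 0) return -1;
        n += decide(a.flags, a.type) == FORWARD_WITH_PARTIAL;
        off += (size_t)used;
    }
    return n;
}
/* Constructed sample: ORIGIN=IGP, unknown type 21 (optional+transitive), unknown type 25. */
const uint8_t sample_attrs[] = {
    0x40, 0x01, 0x01, 0x00,        /* ORIGIN, well-known transitive, IGP */
    0xC0, 0x15, 0x02, 0xAA, 0xBB,  /* type 21, optional transitive, 2 bytes */
    0x80, 0x19, 0x01, 0xCC,        /* type 25, optional non-transitive, 1 byte */
};
const size_t sample_attrs_len = sizeof sample_attrs;
```

Only the type 21 attribute in the sample is forwarded blindly; the non-transitive type 25 is dropped, and a truncated length field is rejected before any decision is made.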

Vulnerability details: The BGP daemon in Extreme Networks ExtremeXOS (aka EXOS) 30.7.1.1 allows an attacker (who is not on a directly connected network) to cause a denial of service (BGP session reset) because of BGP attribute error mishandling (for attributes 21 and 25). NOTE: the vendor disputes this because it is “evaluating support for RFC 7606 as a future feature” and believes that “customers that have chosen to not require or implement RFC 7606 have done so willingly and with knowledge of what is needed to defend against these types of attacks.”

Official announcement: Please refer to the official announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2023-40457/change-record?changeRecordedOn=11/10/2024T19:15:13.817-0500

CVE-2024-50262: About the Linux Classic Berkeley Packet Filter (bpf) (11th Nov 2024)

Preface: Common Use Cases for BPF

-Network Monitoring: Tools like tcpdump and Wireshark use BPF to capture and analyze network traffic.

-Security Applications: Intrusion detection systems can use BPF to filter and inspect network packets for malicious activity.

Key Features of BPF:

-Packet Filtering: BPF programs can filter network packets based on various criteria, such as IP addresses, ports, and protocols.

-Kernel Space Execution: BPF programs run in the kernel space, which allows them to process packets with minimal overhead.

-Efficiency: BPF’s design minimizes the performance impact on the system, making it suitable for high-throughput network applications.

Vulnerability details: bpf – Fix out-of-bounds write in trie_get_next_key().

Consequence: If such an out-of-bounds write lands in unused memory that is never accessed again, it has no visible effect. In many other cases it corrupts adjacent data and simply crashes the program, here the kernel.

Remedy: Fix the out-of-bounds write in trie_get_next_key(). trie_get_next_key() allocates a node stack of size trie->max_prefixlen, but writes (trie->max_prefixlen + 1) nodes to the stack when it walks a full path from the root to a leaf, so the stack needs one more entry than it was given.
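The off-by-one is easiest to see on a trie that contains one full root-to-leaf path. The following is an added example, not the kernel's code: a simplified stand-in for the LPM trie (each level adds one bit of prefix length) and a walk that pushes every visited node onto a fixed-size node stack, with the bounds check the original write lacked. The node layout and the helper names are assumptions made for the example.

```c
#include <stdlib.h>

/* Minimal stand-in for the kernel's LPM trie node (constructed for this
 * example): each level down the trie adds one bit of prefix length. */
struct lpm_node { unsigned prefixlen; struct lpm_node *child[2]; };

/* Build the chain 0x00/0, 0x00/1, ..., 0x00/max_prefixlen: one full path from
 * the root to a leaf, which is max_prefixlen + 1 nodes long. */
static struct lpm_node *build_chain(unsigned max_prefixlen) {
    struct lpm_node *root = NULL, **slot = &root;
    for (unsigned d = 0; d <= max_prefixlen; d++) {
        struct lpm_node *n = calloc(1, sizeof *n);
        if (!n) abort();
        n->prefixlen = d;
        *slot = n;
        slot = &n->child[0];
    }
    return root;
}

static void free_chain(struct lpm_node *n) {
    while (n) { struct lpm_node *next = n->child[0]; free(n); n = next; }
}

/* Mirrors the descent in trie_get_next_key(): walk from the root to the node
 * for `prefixlen`, pushing every visited node on a node stack of `stack_slots`
 * entries. Returns the number of nodes pushed, or -1 when the stack is full,
 * which is the bounds check the kernel's unchecked write needed. */
static int walk_path(struct lpm_node *root, unsigned prefixlen, unsigned stack_slots) {
    struct lpm_node **stack = calloc(stack_slots, sizeof *stack);
    int top = 0;
    for (struct lpm_node *n = root; n; n = n->child[0]) {
        if ((unsigned)top == stack_slots) { top = -1; break; }  /* would overflow */
        stack[top++] = n;
        if (n->prefixlen == prefixlen) break;
    }
    free(stack);
    return top;
}

/* Walk the full root-to-leaf path with a stack sized like the buggy code
 * (max_prefixlen slots) or like the fix (max_prefixlen + 1 slots). */
int nodes_pushed(unsigned max_prefixlen, unsigned stack_slots) {
    struct lpm_node *root = build_chain(max_prefixlen);
    int n = walk_path(root, max_prefixlen, stack_slots);
    free_chain(root);
    return n;
}
```

With max_prefixlen = 8 the walk needs nine slots; a stack of eight is reported as an overflow instead of being written past its end.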

Official announcement: Please refer to the vendor announcement for details –

https://www.tenable.com/cve/CVE-2024-50262

CVE-2024-38403 – Buffer Over-read in WLAN Firmware (8th Nov 2024)

Preface: BSS Transition Management enables an AP to request a voice client to transition to a specific AP, or suggest a set of preferred APs to a voice client, due to network load balancing or BSS termination.

Background: A STA receiving a BSS Transition Management Request frame may respond with a BSS Transition Management Response frame.

The BSS Termination Included (bit 3) field indicates that the BSS Termination Duration field is included, the BSS or the AP MLD is shutting down and the STA or the non-AP MLD will be disassociated. The AP or AP MLD sets the BSS Termination Included bit in the Request mode field to 1 to indicate that the BSS or AP MLD is shutting down.

The BSS Termination Included bit is 0 if no BSS Termination Duration information is included in the BSS Transition Management Request frame.

Vulnerability details: Transient DoS while parsing the BTM ML IE when the per-STA profile is not included.

Official announcement: Please refer to the vendor announcement for details –

https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2024-bulletin.html

CVE-2024-38408 – Cryptographic Issues in BT Controller (7 Nov 2024)

Preface: Snapdragon 8 Gen 2 SoC comes with many new features and technologies such as new tri-cluster architecture, AI improvements, ray tracing support, and more. However, one largely overlooked feature is dual Bluetooth. Now, it’s not going to revolutionize the Bluetooth experience on mobile devices, but it will actually solve some of the fundamental problems we face when using Bluetooth technology on mobile devices.

Background: The encryption key negotiation protocol is conducted between two parties as follows. The initiator proposes an entropy value N, an integer between 1 and 16; the other party either accepts it, proposes a lower value, or aborts the protocol. If the other party proposes a lower value, e.g. N − 1, the initiator in turn either accepts it, proposes a lower value, or aborts. At the end of a successful negotiation the two parties have agreed on the entropy value of the Bluetooth encryption key. The entropy negotiation is performed over the Link Manager Protocol (LMP); it is neither encrypted nor authenticated, and it is transparent to the Bluetooth.
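The exchange above, as an added model (not a Bluetooth controller's code and not from the post): each party carries a maximum it offers and a minimum below which it aborts, and the two alternate proposals exactly as described. The policy values, including the 7-byte minimum in the second scenario, are assumptions chosen for the example.

```c
#include <stdbool.h>

/* One party's policy for the LMP key size negotiation described above
 * (constructed model, not a Bluetooth controller's code). */
struct party {
    int max_entropy;   /* largest key size in bytes it proposes or accepts (1..16) */
    int min_entropy;   /* smallest it tolerates; anything lower makes it abort */
};

struct outcome { bool agreed; int entropy; int rounds; };

/* A party answers a proposal: accept it, counter with its own (lower) maximum,
 * or abort. Returns the value sent back, or 0 to signal abort. */
static int respond(const struct party *p, int proposed) {
    if (proposed < p->min_entropy) return 0;          /* below policy: abort */
    if (proposed <= p->max_entropy) return proposed;  /* accept as is */
    return p->max_entropy;                            /* propose a lower value */
}

/* Run the exchange: the initiator proposes its maximum, then the parties
 * alternate until one accepts the other's value or aborts. Nothing here is
 * authenticated, so each side's min_entropy is the only brake on a downgrade. */
struct outcome negotiate(const struct party *init, const struct party *resp) {
    struct outcome o = { false, 0, 0 };
    int proposal = init->max_entropy;
    const struct party *turn = resp;                  /* whose reply comes next */
    while (proposal > 0 && o.rounds < 32) {           /* 32: defensive bound */
        int reply = respond(turn, proposal);
        o.rounds++;
        if (reply == proposal) { o.agreed = true; o.entropy = reply; break; }
        proposal = reply;                             /* lower counter-offer, or 0 */
        turn = (turn == resp) ? init : resp;
    }
    return o;
}

/* Two scenarios with the same low-capability peer: without a minimum the
 * initiator settles for a 1-byte key; with min_entropy = 7 (assumed policy)
 * it aborts instead. */
int entropy_without_minimum(void) {
    struct party a = { 16, 1 }, b = { 1, 1 };         /* b offers only 1 byte */
    return negotiate(&a, &b).entropy;                 /* 1 */
}
int entropy_with_minimum(void) {
    struct party a = { 16, 7 }, b = { 1, 1 };
    return negotiate(&a, &b).entropy;                 /* 0: aborted */
}
```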

Vulnerability details: Cryptographic issue when a controller receives an LMP start encryption command under unexpected conditions.

Official announcement: Please refer to the vendor announcement for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2024-bulletin.html

About CVE-2024-0134 – NVIDIA Container Toolkit and NVIDIA GPU Operator for Linux contain a UNIX vulnerability (5th Nov 2024)

Preface: In software development, time-of-check to time-of-use (TOCTOU, TOCTTOU or TOC/TOU) is a class of software bugs caused by a race condition involving the checking of the state of a part of a system (such as a security credential) and the use of the results of that check.

Background: The NVIDIA container stack is architected so that it can be targeted to support any container runtime in the ecosystem. The components of the stack include:

-The NVIDIA Container Runtime (nvidia-container-runtime)

-The NVIDIA Container Runtime Hook (nvidia-container-toolkit / nvidia-container-runtime-hook)

-The NVIDIA Container Library and CLI (libnvidia-container1, nvidia-container-cli)

The components of the NVIDIA container stack are packaged as the NVIDIA Container Toolkit.

The NVIDIA Container Toolkit is a key component in enabling Docker containers to leverage the raw power of NVIDIA GPUs. This toolkit allows for the integration of GPU resources into your Docker containers.

Remark: The Podman command can be used with remote services using the --remote flag. Connections can be made using local unix domain sockets, ssh

Vulnerability details: NVIDIA Container Toolkit and NVIDIA GPU Operator for Linux contain a UNIX vulnerability where a specially crafted container image can lead to the creation of unauthorized files on the host. The name and location of the files cannot be controlled by an attacker. A successful exploit of this vulnerability might lead to data tampering.

Official announcement: Please refer to the vendor announcement for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5585

About CVE-2024-43080: So-called Intent Redirection by Google (4th Nov 2024)

Preface: What is intent redirection and app security in Android? An intent redirection occurs when an attacker can partly or fully control the contents of an intent used to launch a new component in the context of a vulnerable app.

Background: An Intent in the Android operating system is a software mechanism that allows users to coordinate the functions of different activities to achieve a task. An app that contains an Intent Redirection issue can allow malicious apps to access its private components or files.

Vulnerability details: CVE-2024-43080: This vulnerability could lead to privilege escalation. Please refer to the official announcement for details – https://source.android.com/docs/security/bulletin/2024-11-01

CVE-2024-7883 – CMSE secure state may leak from stack to floating-point registers (3rd Nov 2024)

Preface: Cortex-M is Arm’s family of microcontroller cores, used in many of our daily-life applications, from automation to DSP applications, sensors, smart displays, IoT devices, etc.

Background: In April of 2024, Arm Limited published a Cortex-M Security Extensions (CMSE) Security Bulletin that identifies a potential software security issue in code that uses CMSE. The security vulnerability allows an attacker to pass out-of-range values to code executing in Secure state to cause incorrect operation in Secure state. This security vulnerability is present in compilers that are not compliant with version 1.4 of the Arm v8-M Security Extensions Requirements on Development Tools.

Vulnerability details: When using Arm Cortex-M Security Extensions (CMSE), Secure stack contents can be leaked to Non-secure state via floating-point registers when a Secure to Non-secure function call is made that returns a floating-point value and when this is the first use of floating-point since entering Secure state. This allows an attacker to read a limited quantity of Secure stack contents with an impact on confidentiality. This issue is specific to code generated using LLVM-based compilers.

LLVM and the GNU Compiler Collection (GCC) are both compiler projects. The difference is that GCC is a complete compiler for a number of programming languages, while LLVM is not a compiler for any given language: it is a framework of reusable components that generates object code from the intermediate representation produced by a language front end.

Official announcement: For more information about the vulnerability, please see the link –

https://nvd.nist.gov/vuln/detail/CVE-2024-7883

https://developer.arm.com/Arm%20Security%20Center/Cortex-M%20Security%20Extensions%20Vulnerability

AMD 000036938 – Potential Vulnerabilities When Deviating from ARM AXI Standard Protocol (1st Nov 2024)

Preface: Sandia’s Astra is the world’s fastest Arm-based supercomputer according to the supercomputer industry’s standard ranking. With a speed of 1.529 petaflops, Astra placed 203rd on the ranking of top computers announced at SC18, the International Conference for High Performance Computing, Networking, Storage, and Analysis, in Dallas.

Background: A crossbar network is a switching network that allows multiple processors to connect and communicate simultaneously without contention. It enables one-to-one interconnections between processors and memory units, and is commonly used in the design of high-performance multiprocessors and network routers.

The AXI Interconnect core allows any mixture of AXI master and slave devices to be connected to it, which can vary from one another in terms of data width, clock domain and AXI sub-protocol (AXI4, AXI3, or AXI4-Lite). When the interface characteristics of any connected master or slave device differ from those of the crossbar switch inside the interconnect, the appropriate infrastructure cores are automatically inferred and connected within the interconnect to perform the necessary conversions.

Vulnerability details: Researchers from ETH Zurich, UC San Diego and RPTU Kaiserslautern-Landau shared a paper with AMD titled “EXPECT: On the Security Implications of Violations in AXI Implementations” which explores methods for exposing vulnerabilities related to the AXI interface when utilizing the AMD AXI Crossbar IP in Vivado™ designs. 

Official announcement: Please refer to the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-8005.html

Security Bulletin: NVIDIA ConnectX and BlueField – October 2024 (CVE-2024-0105 and CVE-2024-0106) – 31st Oct 2024

Preface: Nvidia BlueField is a line of data processing units (DPUs) designed and produced by Nvidia, initially developed by Mellanox Technologies. DOCA is a consistent and essential resource across all existing and future generations of BlueField DPU and SuperNIC products.

Background: The NVIDIA cloud-native supercomputing platform leverages the NVIDIA BlueField DPU architecture with high-speed, low-latency networking. The DPU enables native cloud services that let multiple users securely share resources without loss in application performance. HPC and AI communication frameworks and libraries play a critical role in determining application performance. Because they are latency- and bandwidth-sensitive, offloading these libraries from the host CPU or GPU to the BlueField DPU creates the highest degree of overlap between communication and computation.

Vulnerability details:

CVE-2024-0105 – NVIDIA ConnectX Firmware contains a vulnerability where an attacker may cause an improper handling of insufficient privileges issue. A successful exploit of this vulnerability may lead to denial of service, data tampering, and limited information disclosure.

CVE-2024-0106 – NVIDIA ConnectX Host Firmware for the BlueField Data Processing Unit (DPU) contains a vulnerability where an attacker may cause an improper handling of insufficient privileges issue. A successful exploit of this vulnerability may lead to denial of service, data tampering, and limited information disclosure.

Official announcement: Please refer to the link for details –

https://nvidia.custhelp.com/app/answers/detail/a_id/5562

About btrfs: fix uninitialized pointer free in add_inode_ref() – CVE-2024-50088 (30th Oct 2024)

Preface: The main benefit of a snapshot is that it can be created very rapidly—and frequently—allowing for a quick and straightforward way to recover files or data if something goes wrong. Data can be restored to a specific point in time when it was in a good state.

Background: Btrfs is a copy-on-write (COW) file system developed by Chris Mason. It is based on COW-friendly B-trees developed by Ohad Rodeh.

In contrast to ext4, the de facto default Linux filesystem, Btrfs offers features (such as snapshots) that are generally not considered part of a filesystem’s job but are popular, especially in professional environments such as data centers.

Vulnerability details: The add_inode_ref() function does not initialize the “name” struct when it is declared. If any of the subsequent calls to read_one_inode() returns NULL, then name.name is freed at the “out” label before it has ever been initialized.

If the pointer contains an uninitialized value, it might not point to a valid memory location. Freeing it could cause the kernel to read from or write to unexpected memory locations, leading to a denial of service.

This issue was reported by Coverity with CID 1526744.
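The bug is a property of the goto-out cleanup idiom: an unconditional kfree() at the out label is only safe if every pointer it frees was set to NULL (or to a real allocation) on every path. The following is an added model, not the btrfs code: it mirrors the control flow with a checked free that reports a wild pointer instead of crashing, and the leftover stack value, the helper names and the lookup flag are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the kernel's fscrypt_str used for `name` in add_inode_ref(). */
struct name_str { size_t len; char *name; };

/* kfree(NULL) is a harmless no-op, but kfree() of a pointer that was never
 * allocated corrupts the allocator. Here the bad case is reported as -1
 * instead of crashing, so the two declarations can be compared safely. */
static int kfree_checked(char *p, const char *only_valid) {
    if (p == NULL) return 0;
    if (p != only_valid) return -1;               /* wild pointer: UB in real code */
    free(p);
    return 0;
}

/* Models add_inode_ref()'s control flow. `lookup_fails` stands for
 * read_one_inode() returning NULL before `name` was filled in; `initialized`
 * selects the original declaration (false) or the fix (true).
 * Returns the function's result, or -2 if cleanup would free a wild pointer. */
int add_inode_ref_model(bool lookup_fails, bool initialized) {
    struct name_str name;
    char *allocated = NULL;
    int ret = 0;
    if (initialized)
        memset(&name, 0, sizeof name);            /* the fix: name = { 0 } */
    else
        name.name = (char *)0x1234;               /* simulates leftover stack garbage */
    if (lookup_fails) { ret = -1; goto out; }     /* read_one_inode() == NULL */
    allocated = malloc(8);
    if (!allocated) { ret = -1; goto out; }
    strcpy(allocated, "refname");
    name.len = 7;
    name.name = allocated;
out:
    /* the unconditional kfree(name.name) at the out label */
    if (kfree_checked(name.name, allocated) < 0) return -2;
    return ret;
}
```

Only the combination of an early failure and the uninitialized declaration reaches the wild free; zero-initialising the struct turns that path into a no-op kfree(NULL).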

Remark: In the Linux kernel, the above vulnerability has been resolved.

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-50088