All posts by admin

CVE-2024-44932: idpf: fix UAFs when destroying the queues (26th Aug 2024)

Preface: XDP, or eXpress Data Path, is a Linux networking feature that enables you to create high-performance packet-processing programs that run in the kernel.

Background: The idpf Linux base driver supports XDP (eXpress Data Path) and AF_XDP zero-copy. Note that XDP is blocked for frame sizes larger than 3KB. The idpf driver serves as both the Physical Function (PF) and Virtual Function (VF) driver for the Infrastructure Data-Plane Function. This driver is only supported as a loadable module at this time. Intel is not supplying patches against the kernel source to allow for static linking of the drivers.

Vulnerability details: The second tagged commit started sometimes (very rarely, but possible) throwing WARNs from net/core/page_pool.c:page_pool_disable_direct_recycling(). Turned out idpf frees interrupt vectors with embedded NAPIs before freeing the queues making page_pools’ NAPI pointers lead to freed memory before these pools are destroyed by libeth. It’s not clear whether there are other accesses to the freed vectors when destroying the queues, but anyway, we usually free queue/interrupt vectors only when the queues are destroyed and the NAPIs are guaranteed to not be referenced anywhere.
Invert the allocation and freeing logic making queue/interrupt vectors be allocated first and freed last. Vectors don’t require queues to be present, so this is safe. Additionally, this change allows to remove that useless queue->q_vector pointer cleanup, as vectors are still valid when freeing the queues (+ both are freed within one function, so it’s not clear why nullify the pointers at all).

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-44932

CVE-2024-42340 -> CWE-602: Client-Side Enforcement of Server-Side Security (26th Aug 2024)

Preface: CyberArk Identity creates a set of JavaScript objects, global variables, and global methods for each SAML user session. These objects provide information that a user map script or a custom SAML script can read and act on.


Background: Application access policies with JavaScript – If you want more specific control over when users can access your application or when they are required to provide additional authentication credentials, you can use JavaScript.
If you use a policy script, authentication rules configured in the UI will be ignored.


Vulnerability details: CyberArk – CWE-602: Client-Side Enforcement of Server-Side Security


Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-42340

CVE-2024-45163: The first time a CVE has been seen for a vulnerability in malware. (22nd Aug 2024)

Preface: Mirai is malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.

Background: The Mirai botnet connects to the CNC (command and control) server via simultaneous TCP connections. An unauthenticated session remains open, allowing an attacker, for example, to send a recognizable username (such as root), or to send arbitrary data.

Vulnerability details: The Mirai botnet through 2024-08-19 mishandles simultaneous TCP connections to the CNC (command and control) server. Unauthenticated sessions remain open, causing resource consumption. The CNC server cannot adequately manage these connections, leading to resource exhaustion and server crashes.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-45163

CVE-2023-31315: AMD SMM Lock Bypass (21-Aug-2024)

Preface: AMD EPYC™ Processors power the highest-performing x86 servers for the modern data center, on prem and in cloud environments, across industries.

Background: Model-specific registers (MSR) are control registers provided by the processor implementation so that system software can interact with a variety of features, including performance monitoring, checking processor status, debugging, program tracing or toggling specific CPU features.

Intel and AMD may use the same MSR for the same feature, such as the IA32_LSTAR MSR register.

With the Intel Pentium processor, Intel officially introduced two instructions, RDMSR and WRMSR, for reading and writing the MSR registers. At this time, MSRs were officially introduced. When the RDMSR and WRMSR instructions were introduced, the CPUID instruction was also introduced. This instruction indicates which functions are available in a specific CPU chip, or whether the MSR registers corresponding to these functions exist. Software can use the CPUID instruction to query whether these functions are supported on the current CPU.

Vulnerability details: Improper validation in a model specific register (MSR) could allow a malicious program with ring0 access to modify SMM configuration while SMI lock is enabled, potentially leading to arbitrary code execution.

Ref: Researchers from IOActive have reported that it may be possible for an attacker with ring 0 access to modify the configuration of System Management Mode (SMM) even when SMM Lock is enabled.

Official announcement: Please refer to the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html

CVE-2023-52910 – iommu/iova: Fix alloc iova overflows issue (21-08-2024)

Preface: Modern hardware provides an I/O memory management unit (IOMMU) that mediates direct memory accesses (DMAs) by I/O devices in the same way that a processor’s MMU mediates memory accesses by instructions.

Background: With an IOMMU, when a device performs DMA access to memory, the address the system returns to the device driver is no longer a physical address but a virtual address. This address is generally called an IOVA. When the device accesses memory, the IOMMU converts this virtual address into a physical address. When IOMMU bypass is used, however, the device can also use the physical address directly for DMA.

Vulnerability details: This issue occurs in the following two situations:

- The first iova size exceeds the domain size. When initializing the iova domain, iovad->cached_node is assigned as iovad->anchor. For example, the iova domain size is 10M, start_pfn is 0x1_F000_0000, and the iova size allocated for the first time is 11M.

- The node with the largest iova->pfn_lo value in the iova domain is deleted, iovad->cached_node is updated to iovad->anchor, and then the allocated iova size exceeds the maximum iova size that can be allocated in the domain.
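The following C model is an added example, not kernel code and not part of the original post. It shows why an oversized request is dangerous once the cached node is the anchor, under these assumptions: the anchor's upper bound is ~0, the unfixed allocator derives its retry bound as that value plus one (which wraps to 0), pages are 4 KiB (so 10M is 2560 pfns and 11M is 2816 pfns), and `alloc_model` is a hypothetical name.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption, not kernel code) of one top-down allocation
 * in a domain whose cached node is the anchor, whose upper bound is ~0.
 * Alignment and the rbtree walk are omitted. Returns 0 and sets *out on
 * success, -1 when the request does not fit. */
int alloc_model(uint64_t start_pfn, uint64_t limit_pfn, uint64_t size,
                int fixed, uint64_t *out)
{
    const uint64_t anchor_hi = UINT64_MAX;
    uint64_t high_pfn = limit_pfn, low_pfn = start_pfn;
    /* Unfixed: anchor_hi + 1 wraps to 0. Fixed: keep anchor_hi unchanged
     * and add 1 only when the retry is really taken. */
    uint64_t retry_pfn = fixed ? anchor_hi : anchor_hi + 1;
    int retried = 0;

    for (;;) {
        uint64_t new_pfn = high_pfn - size;
        if (high_pfn >= size && new_pfn >= low_pfn) {
            *out = new_pfn;          /* accepted as lying inside the domain */
            return 0;
        }
        if (retried++ || retry_pfn >= limit_pfn)
            return -1;               /* no retry possible: fail cleanly */
        /* Retry: with retry_pfn == 0 the lower bound becomes 0, so the
         * start_pfn limit is no longer enforced on the second pass. */
        low_pfn = retry_pfn + (fixed ? 1 : 0);
    }
}

/* Constructed values taken from the first situation (4 KiB pages assumed). */
#define START_PFN 0x1F0000000ULL
#define LIMIT_PFN (START_PFN + 2560)

int main(void)
{
    uint64_t pfn = 0;
    int rc = alloc_model(START_PFN, LIMIT_PFN, 2816, 0, &pfn);
    printf("unfixed: rc=%d pfn=%#llx start_pfn=%#llx\n", rc,
           (unsigned long long)pfn, (unsigned long long)START_PFN);
    printf("fixed:   rc=%d\n", alloc_model(START_PFN, LIMIT_PFN, 2816, 1, &pfn));
    return 0;
}
```

In the unfixed path the 11M request is granted at an address below start_pfn; in the fixed path it is refused, while requests that fit are unaffected.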

Official announcement: Please refer to the URL for details – https://nvd.nist.gov/vuln/detail/CVE-2023-52910

CVE-2024-44070: FRRouting (FRR) – bgpd – ensure the hash works  (18th Aug 2024)

Preface: As time goes by, OSS (open source software) has come into use by cost-conscious commercial companies. It is quite popular in cloud environments.

Background: FRRouting (FRR) is a free and open source Internet routing protocol suite for Linux and Unix platforms. It implements BGP, OSPF, RIP, IS-IS, PIM, LDP, BFD, Babel, PBR, OpenFabric and VRRP, with alpha support for EIGRP and NHRP.

FRR’s seamless integration with native Linux/Unix IP networking stacks makes it a general purpose routing stack applicable to a wide variety of use cases including connecting hosts/VMs/containers to the network, advertising network services, LAN switching and routing, Internet access routers, and Internet peering.

Vulnerability details: An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap in bgpd/bgp_attr.c does not check the actual remaining stream length before taking the TLV value.
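A length-checked sub-TLV walk of the kind the missing check calls for, as an added example that is not FRR's code and not part of the original post. The 2-byte type / 2-byte length header, the name `walk_sub_tlvs` and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of walking one attribute's sub-TLVs (hypothetical type). */
struct tlv_walk {
    int    parsed;    /* sub-TLVs accepted */
    int    rejected;  /* 1 if the attribute was refused as malformed */
    size_t overrun;   /* bytes past the end that the declared length asks for */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Walk sub-TLVs laid out as type (2 bytes), length (2 bytes), value. Each
 * declared length is compared with the bytes really left; nothing past
 * buf + len is ever read. */
struct tlv_walk walk_sub_tlvs(const uint8_t *buf, size_t len)
{
    struct tlv_walk r = { 0, 0, 0 };
    size_t pos = 0;

    while (pos < len) {
        size_t left = len - pos;
        if (left < 4) {                 /* truncated header */
            r.rejected = 1;
            return r;
        }
        uint16_t vlen = be16(buf + pos + 2);
        left -= 4;
        if (vlen > left) {              /* value would run off the end */
            r.rejected = 1;
            r.overrun = (size_t)vlen - left;
            return r;
        }
        pos += 4 + (size_t)vlen;        /* safe: value lies inside buf */
        r.parsed++;
    }
    return r;
}

/* Constructed inputs: one well-formed attribute, one lying about a length. */
static const uint8_t good_attr[] = { 0,1, 0,2, 0xaa,0xbb,  0,2, 0,1, 0xcc };
static const uint8_t bad_attr[]  = { 0,1, 0,2, 0xaa,0xbb,  0,2, 0,9, 0xcc };

int main(void)
{
    struct tlv_walk g = walk_sub_tlvs(good_attr, sizeof good_attr);
    struct tlv_walk b = walk_sub_tlvs(bad_attr, sizeof bad_attr);
    printf("good parsed=%d; bad parsed=%d rejected=%d overrun=%zu\n",
           g.parsed, b.parsed, b.rejected, b.overrun);
    return 0;
}
```

The `overrun` field records how far the declared length exceeds the data, which is useful to log when rejecting a malformed update.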

Official announcement: For details, please refer to link – https://www.tenable.com/cve/CVE-2024-44070

CVE-2024-43855: md/raid5 – recheck if reshape has finished with device_lock held. From a technical point of view, it also impacts Red Hat clusters. (18 Aug 2024)

Preface: LVM version 2, or LVM2, is the default for Red Hat Enterprise Linux, which uses the device mapper driver contained in the 2.6 kernel. LVM2, which is almost completely compatible with the earlier LVM1 version, can be upgraded from versions of Red Hat Enterprise Linux running the 2.4 kernel.

The Clustered Logical Volume Manager (CLVM) is a set of clustering extensions to LVM. These extensions allow a cluster of computers to manage shared storage (for example, on a SAN) using LVM.

Background: With a mutex, when a thread tries to lock or acquire a mutex that is not available, the thread goes to sleep until the mutex becomes available. A spinlock is different. The spinlock is a very simple single-holder lock. If a process attempts to acquire a spinlock and it is unavailable, the process will keep trying (spinning) until it can acquire the lock. This simplicity creates a small and fast lock.

Vulnerability details: Deadlock occurs when mddev is being suspended while some flush bio is in progress. It is a complex issue.

T1. the first flush is at the ending stage, it clears ‘mddev->flush_bio’ and tries to submit data, but is blocked because mddev is suspended by T4.

T2. the second flush sets ‘mddev->flush_bio’, and attempts to queue md_submit_flush_data(), which is already running (T1) and won’t execute again if on the same CPU as T1.

T3. the third flush inc active_io and tries to flush, but is blocked because ‘mddev->flush_bio’ is not NULL (set by T2).

T4. mddev_suspend() is called and waits for active_io dec to 0 which is inc by T3.

The root issue is non-atomic inc/dec of active_io during flush process.

Official announcement: For details, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2024-43855

CVE-2024-5914 Cortex XSOAR: Improper Neutralization of Special Elements used in a Command (16th Aug 2024)

Preface: You can hold YAML content in files with any extension: .yml, .yaml or indeed anything else.

Background: Cortex XSOAR combines security orchestration, incident management, and interactive investigation into a seamless experience. The orchestration engine is designed to automate security product tasks and weave in human analyst tasks and workflows. Cortex XSOAR is powered by DBot, which learns from real-life analyst interactions and past investigations to help SOC teams with analyst assignment suggestions, playbook enhancements, and best next steps for investigations. With Cortex XSOAR, security teams can build future-proof security operations to reduce MTTR, create consistent and audited incident management processes, and increase analyst productivity.

Remark: dBot is the Databank’s new AI-Powered Assistant.

Common Scripts are scripts that contain common code (functions, variables, etc.) to be used across scripts which can be embedded when writing your own Automation scripts and Integrations. The common scripts appear in the Automation page, but are used to enhance the API in other scripts and integrations.

Vulnerability details: A command injection issue in Palo Alto Networks Cortex XSOAR CommonScripts Pack allows an unauthenticated attacker to execute arbitrary commands within the context of an integration container.

Official announcement: Please refer to the website for details – https://security.paloaltonetworks.com/CVE-2024-5914

CVE-2024-21969: (AMD security focus) Whispering Pixels – Exploiting Uninitialized Register Accesses in Modern GPUs (14th Aug 2024)

Preface: The new AMD Radeon Instinct MI50 hints at the capabilities of AMD’s future GPUs. A study proves the MI50 is capable of scientific and ML applications.

Background: The proliferation of graphics processing units (GPUs) has brought unprecedented computing power.

Multiple register-based vulnerabilities have been found across different GPU implementations, the so-called whispering pixels. The vulnerability poses unique challenges to an adversary due to opaque scheduling and register remapping algorithms present in the GPU firmware, complicating the reconstruction of leaked data.

GPU Programming: An application has to use vendor-provided libraries in order to translate a shader from its high-level source code to an architecture-dependent binary code. Vendors provide these libraries for a variety of high-level languages.

Vulnerability details: Improper clearing of GPU registers could allow a malicious shader to read left-over pixel data leading to loss of confidentiality.

Mitigation: AMD plans to create a new operating mode designed to prevent processes from running in parallel on the GPU, and to clear registers between processes on supported products.

Official announcement: Please refer to the website for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6013.html

CVE-2024-38160: Windows Network Virtualization Remote Code Execution Vulnerability (13th Aug 2024)

Preface: A heap-based buffer overflow vulnerability occurs when a program writes more data to a heap-allocated memory buffer than the buffer is designed to hold.

Background: Microsoft provides network virtualization in Hyper-V with Windows Server 2016 and 2019. With this feature, workloads on Hyper-V can connect to virtualized Layer 2 networks and traffic is routed between virtual networks in Hyper-V or to and from the physical network via gateways.

Vulnerability details: Windows Network Virtualization Remote Code Execution Vulnerability.

My speculation: It involves the new SDN features starting from Windows Server 2016, because Network Controller uses Representational State Transfer (REST) on its northbound interface with JavaScript Object Notation (JSON) payloads.

As a matter of fact, it is possible to exploit heap overflow techniques in the JavaScript interpreter. Are the vulnerabilities reported by Microsoft related to this factor?

Official announcement: Please refer to the URL for details – https://nvd.nist.gov/vuln/detail/CVE-2024-38160