Preface: Syzbot has begun to report kernel findings to LKML in 2017. Syzbot is a continuous kernel build / fuzz / report aggregation system.
Background: Linux has two mechanisms for setting routes, one is fib, and the other is routing generated by dynamic. fib uses route (man 8 route) to specify a static route table. What net/ipv4/route[.]c does is dynamic generate routing hash to speed up route decision.
Vulnerability details: In the Linux kernel, the following vulnerability has been resolved: ipv4: check for NULL idev in ip_route_use_hint() . syzbot was able to trigger a NULL deref in fib_validate_source() in an old tree .
It appears the bug exists in latest trees. All calls to __in_dev_get_rcu() must be checked for a NULL result.
Preface: When I see the vulnerability it shows the date far away from now. Sometimes I lose interest. Maybe I’m missing a major technical detail. AMD officially released CVE-2023-4869 on March 7, 2024.
It happened to wake me up! Although today is May 21, 2024, it seems that my study is not late!
Background: Is MI300X better than H100? While both GPUs are capable, the MI300X has the edge in memory-intensive tasks like rendering large scenes and simulations. In comparison, the H100 excels in its AI-enhanced workflow and ray-traced rendering performance. AMD Instinct™ MI300X accelerators are designed to deliver leadership performance for Generative AI workloads and HPC applications.
Vulnerability details: Insufficient clearing of GPU memory could allow a compromised GPU kernel to read local memory values from another kernel across user or application boundaries leading to loss of confidentiality.
Official announcement: Please refer to the link for details –
Preface: What happens if a website uses a user-supplied URL in a URL fragment to redirect the logged-in user to the requested page?
Background: CWE 601 – An open redirect vulnerability occurs when an application allows the user to control redirects or forward to another URL. If the application does not validate untrusted user input, an attacker could provide a URL that redirects an unsuspecting victim from a legitimate domain to the attacker’s phishing site.
Vulnerability details: CVE-2024-23664: A URL redirection to untrusted site (‘Open Redirect’) (CWE-601) vulnerability in FortiAuthenticator may allow an attacker to redirect users to an arbitrary website via a crafted URL.
Ref: You should validate the workspace ID first. If the workspace ID is valid, you can proceed with the HTTP request and return the response. However, if the workspace ID is invalid, you should handle the error appropriately.
Preface: In software development, time-of-check to time-of-use (TOCTOU, TOCTTOU or TOC/TOU) is a class of software bugs caused by a race condition involving the checking of the state of a part of a system (such as a security credential) and the use of the results of that check.
Background: Intel Neural Compressor is an open source Python* library that performs model compression techniques such as quantization, pruning, and knowledge distillation across multiple deep learning frameworks including TensorFlow*, PyTorch*, and ONNX* (Open Neural Network Exchange) Runtime. The model compression techniques reduce the model size and increase the speed of deep learning inference for more efficient deployment on CPUs or GPUs.
Vulnerability details: Time-of-check Time-of-use race condition in Intel® Neural Compressor software before version 2.5.0 may allow an authenticated user to potentially enable information disclosure via local access.
Ref: When calling a series of methods which require a consistent view of an object, make sure to synchronize on a monitor that will prevent any other access to the object during your operations.
If the class that you are using has a well-designed interface, then synchronizing on the object itself will prevent its state being changed inappropriately.
Preface: Intel Neural Compressor performs model optimization to reduce the model size and increase the speed of deep learning inference for deployment on CPUs or GPUs.
Background: Intel Neural Compressor is an open source Python* library that performs model compression techniques such as quantization, pruning, and knowledge distillation across multiple deep learning frameworks including TensorFlow*, PyTorch*, and ONNX* (Open Neural Network Exchange) Runtime. The model compression techniques reduce the model size and increase the speed of deep learning inference for more efficient deployment on CPUs or GPUs.
Vulnerability details: Improper input validation in some Intel® Neural Compressor software before version 2.5.0 may allow an unauthenticated user to potentially enable escalation of privilege via remote access.
Ref: GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. This issue has been patched in version 3.1.41.
Official last updated on May 8, 2024. An early advisory for this vulnerability was issued on March 5, 2024.
Preface: If you recall, this design flaw was discovered in April 2021. Has it been fixed? Or it is vendors fine-tuned their vulnerability management strategies?
Background: A Transfer Ring is an array of Transfer Request Blocks (TRBs). Each TRB points to a block of contiguous data (up to 64 KB) that will be transferred between hardware and memory as a single unit. The xHCI does not require this constraint. Any buffer pointed to by a Normal, Data Stage, or Isoch TRB in a TD may be any size between 0 and 64K bytes in size. For instance, if when an OS translates a virtual memory buffer into a list of physical pages, some of the entries in the list reference multiple contiguous pages, the flexible Length fields of TRBs allow a 1:1 mapping of list 68 entries to TRBs, i.e. a multi-page list entry does not need to be defined as multiple page sized TRBs.
Vulnerability details: VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3 for Workstation/Fusion and in the Important severity range with a maximum CVSSv3 base score of 8.4 for ESXi.
Known Attack Vectors: A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.
Preface: The Qualcomm Snapdragon X65 5G Modem is the baseband chipset used in the iPad Pro (11-inch) (4th generation), iPad Pro (12.9-inch) (6th generation), iPhone 14, iPhone 14 Plus, iPhone 14 Pro and iPhone 14 Pro Max.
Background: A power management integrated circuit (PMIC) is used to manage power on an electronic devices or in modules on devices that may have a range of voltages. The PMIC manages battery power charging and sleep modes, DC-to-DC conversion, scaling of voltages down or up, among others.
Vulnerability details: Memory corruption when size of buffer from previous call is used without validation or re-initialization.
This announcement original published on 20th Feb 2024
Preface: When two components have problems in the same place. If vendor did not specify the details in clear. In this circumstances, the design weakness looks the same.
Background: The Enhanced Authentication Plugin (EAP) is an extra software package that doesn’t come pre-installed. Administrators need to install it on client computers used for administration to allow direct login when using the VMware vSphere Client through a web browser.
The VMware EAP is a deprecated browser plugin that enables seamless single sign-on (SSO) to vSphere’s management interface from client workstations. It is an optional feature that stopped receiving support with the release of VMware vCenter Server 7.0.0u2 in March 2021.
Vulnerability details:
Session Hijack Vulnerability in Deprecated EAP Browser Plugin (CVE-2024-22250) – The VMware Enhanced Authentication Plug-in (EAP) contains a Session Hijack vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.
Arbitrary Authentication Relay Vulnerability in Deprecated EAP Browser Plugin (CVE-2024-22245) – The VMware Enhanced Authentication Plug-in (EAP) contains an Arbitrary Authentication Relay vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.6.
Official announcement: Please refer to the link for details:
Preface: Heard that Long-term support (LTS) for Linux kernels is being reduced from six to two years now.
Background: Greg Kroah-Hartman is a major Linux kernel developer. As of April 2013, he is the Linux kernel maintainer for the -stable branch, the staging subsystem, USB, driver core, debugfs, kref, kobject, and the sysfs kernel subsystems, Userspace I/O, and TTY layer.
What will be the next LTS kernel?
But in any event Greg Kroah-Hartman has decided to go ahead and declare Linux 6.6 as the newest LTS kernel. Kernel.org has been updated to reflect Linux 6.6 LTS. The current plan is for Linux 6.6 to be maintained until going end-of-life in December 2026: the same time Linux 6.1, 5.15, and 5.10 will reach end-of-life.
Android Security Bulletin—May 2024 (Published May 6, 2024)
The diagram above shows that kernel versions have been updated. Kernel version updates are dependent on the version of Android OS at the time of device launch. Please refer to the following link for details:
Preface: The Mali-G720 and Mali-G620 GPUs complete the world-class GPU portfolio for a wide range of consumer devices. After four generations of GPUs on the fourth-generation Valhall architecture, the latest Arm GPUs are built on a new fifth-generation GPU architecture (called Gen 5).
Background: The New 5th Gen Arm GPU Architecture
The 5th Gen GPU architecture introduces a key feature called Deferred Vertex Shading (DVS), which revolutionizes data flow within the GPU and expands the number of GPU cores, reaching up to 16 cores for enhanced performance.
The Arm 5th Gen GPU architecture is the most efficient GPU architecture Arm has ever created, designed with CPU and system architecture in mind. It redefines parts of the graphics pipeline to significantly reduce memory bandwidth, thus improving total system efficiency and power.
Technical reference: It solves the bandwidth problem of the traditional model because the fragment shader reads a small block each time and puts it on the chip. It does not need to read the memory frequently until the final operation is completed and then writes it to the memory. You can even further reduce memory reads and writes by compressing tiles. In addition, when some areas of the image are fixed, the function can be called to determine whether the tiles are the same to reduce repeated rendering.
Vulnerability details: A local non-privileged user can make improper GPU memory processing operations. On Armv8.0 cores, there are certain combinations of the Linux Kernel and Mali GPU kernel driver configurations that would allow the GPU operations to affect the userspace memory of other processes.
Ref: Arm did not provide details. Is the senario on attached diagram similar to this CVE?
Resolution: This issue is fixed in Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r48p0. Users are recommended to upgrade if they are impacted by this issue.
