All posts by admin

CVE-2024-0646: About KTLS (15th Feb 2024)

February 16, 2024 admin Leave a comment

Preface: Because when using TLS to transmit static content, the data needs to be read into user space and encrypted before the encrypted data can be transmitted. Facebook found that in the process of using TLS, it will spend 2% of the CPU processing copy from/to user space, and 10% of the CPU will be used for encryption.

Background: ktls is informed when data is queued to the socket and the strparser mechanism is used to delineate the records. Upon read request, records are retrieved from the socket and passed to decryption routine.

Linux kernel provides TLS connection offload infrastructure. Once a TCP connection is in ESTABLISHED state user space can enable the TLS Upper Layer Protocol (ULP) and install the cryptographic connection state.

ktls can operate in three modes: Software crypto mode (TLS_SW) , Packet-based NIC offload mode (TLS_HW) and Full TCP NIC offload mode (TLS_HW_RECORD)

Vulnerability details: An out-of-bounds memory write flaw was found in the Linux kernel’s Transport Layer Security functionality in how a user calls a function splice with a ktls socket as the destination. This flaw allows a local user to crash or potentially escalate their privileges on the system.

Official details: Please refer to the link for details –https://nvd.nist.gov/vuln/detail/CVE-2024-0646

Application Development, Potential Risk of CVE

Incorrect authorization vulnerability was identified in GitHub Enterprise Server (14 Feb-2024)

February 15, 2024 admin Leave a comment

Preface: The main difference between the products is that GitHub Enterprise Cloud is hosted by GitHub, while GitHub Enterprise Server is self-hosted. GitHub Enterprise Cloud includes an enterprise account that lets you manage multiple organizations.

Sign in to the AWS Management Console and open the Developer Tools Console: https://console[.]aws[.]amazon[.]com/codesuite/settings/connections. Select Settings > Connections, then select Make a connection. To establish a connection to an installed GitHub Enterprise Server repository, select GitHub Enterprise Server.

Background: The GITHUB_TOKEN is an automatically generated secret that lets you make authenticated calls to the GitHub API in your workflow runs. Actions generates a new token for each job and expires the token when a job completes.

To modify the permission of the GITHUB_TOKEN, we can make the change at the enterprise, organisation or repository level. To do this go to settings, select Actions then General, here we will find the Workflow Permissions sections.

Vulnerability details: An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to create new branches in public repositories and run arbitrary GitHub Actions workflows with permissions from the GITHUB_TOKEN. To exploit this vulnerability, an attacker would need access to the Enterprise Server. This vulnerability affected all versions of GitHub Enterprise Server after 3.8 and prior to 3.12, and was fixed in versions 3.9.10, 3.10.7, 3.11.5. This vulnerability was reported via the GitHub Bug Bounty program.

Official details: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-1482

Potential Risk of CVE

Regarding CVE-2024-22237, VMware did not provide details. But do you think this design weakness is the similar as what you’ve seen before? (13th Feb 2023)

February 14, 2024 admin Leave a comment

Preface: CWE-269: Improper Privilege Management vulnerability exists that could cause a remote code execution when the transfer command is used over the network.

Background: VMware Aria Operations for Networks is a pre-hardened and secured appliance. VMware Aria Operations for Networks is hardened against well-established and industry-accepted security benchmarks, for example: CIS. VMware Aria Operations for Networks also follows all security and privacy best practices defined by VMware Security Engineering, Communications, and Response (vSECR) team.

Vulnerability details: Aria Operations for Networks contains a local privilege escalation vulnerability. A console user with access to Aria Operations for Networks may exploit this vulnerability to escalate privileges to gain root access to the system.

Official details: Please refer to the link for details –https://docs.vmware.com/en/VMware-Aria-Operations-for-Networks/index.html

AI and ML, Potential Risk of CVE

About NVIDIA Security Bulletin – CVE-2023-31031 (12th Feb 2024)

February 13, 2024 admin Leave a comment

This NIVIDIA security bulletin was originally published on 8th Feb 2024.

CVE-2023-31031 was released by NIST on January 12, 2024. But what were the design flaws found in SBIOS? Officials stated that the flaw will lead to a stack-based buffer overflow in local access.

Preface: NVIDIA did not describe the details of this vulnerability. Do you think whether the description on attached diagram (step 4) may be related to this design flaw?

Background: Because the SBIOS update is accomplished in two phases (main SBIOS update first, followed by the Intel ME update), you will need to power cycle the server a couple of times to update all the components.

Updating the SBIOS Certificate

1.Obtain the CA certificate from the signing authority that was used to sign the SSL certificate.

2.Copy the CA certificate onto a USB thumb drive or to /boot/efi on the A100 OS.

3.Access the DGX A100 console from a locally connected keyboard and mouse or through the BMC remote console.

4.Reboot the server

Ref: Memory on the heap is dynamically allocated at runtime and typically contains program data.

Vulnerability details: NVIDIA DGX A100 SBIOS contains a vulnerability where a user may cause a heap-based buffer overflow by local access. A successful exploit of this vulnerability may lead to code execution, denial of service, information disclosure, and data tampering.

Official details: Please refer to the link for details –

https://nvidia.custhelp.com/app/answers/detail/a_id/5513

AI and ML, Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2023-33072: Buffer copy without checking size of Input in Core (6th Feb 2024)

February 7, 2024 admin Leave a comment

Preface: The title states that Buffer does not check the size of the input in Core when copying. But I believe it is more important to avoid unauthorized copying.

Background: An OpenCL Buffer is a 1D or 2D or 3D array in global memory. Its an abstract object that can be addressed thru a pointer. Buffers are Read-Only or Write_only or Read-Write. An Image buffer represents GPU Texture memory. It represents an array of pixels that can be access via functions specifying pixel x,y,z coordinates. There is no pointer access to Image Pixels on the GPU.

OpenCL supports buffer and image objects (and pipe objects from OpenCL 2.0). The one-dimensional buffer objects are a natural choice for many developers due to their simplicity and flexibility, such as the support of pointers, byte-addressable access, etc. For instance, using images allows hardware to handle out-of-boundaries read automatically.

Ref: An OpenCL Buffer is a 1D or 2D or 3D array in global memory. Its an abstract object that can be addressed thru a pointer. Buffers are Read-Only or Write_only or Read-Write. An Image buffer represents GPU Texture memory. It represents an array of pixels that can be access via functions specifying pixel x,y,z coordinates. There is no pointer access to Image Pixels on the GPU.

Vulnerability details: The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Date Reported 2022/12/20

Customer Notified Date 2023/08/07

Official details: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2024-bulletin.html

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2023-5643: Mali GPU Kernel Driver allows improper GPU memory processing operations (5th Feb 2024)

February 6, 2024 admin Leave a comment

Preface: Out-of-bounds writes, a common explanation, are the consequences of writing to memory outside the boundaries of the buffer or to invalid memory when the root cause is not sequential copying of too much data from a fixed starting position. This may include issues such as incorrect pointer arithmetic, access to invalid pointers due to incomplete initialization or memory deallocation.

Background: Arm Mali-G71 is the first high-end GPU to implement the Mali Bifrost architecture. Bifrost enables high-end mobile GPUs to provide additional computing performance. This additional performance is used to solve the increasingly complex problems of modern use cases such as VR and high-fidelity gaming.

Vulnerability details: A local non-privileged user can make improper GPU memory processing operations. Depending on the configuration of the Mali GPU Kernel Driver, and if the system’s memory is carefully prepared by the user, then this in turn could write to memory outside of buffer bounds.

Affected products:

Bifrost GPU Kernel Driver: All versions from r41p0 – r45p0

Valhall GPU Kernel Driver: All versions from r41p0 – r45p0

Arm 5th Gen GPU Architecture Kernel Driver: All versions from r41p0 – r45p0

Official details: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-5643

Network (Protocol, Topology & Standard), Potential Risk of CVE

Multiple vulnerabilities were discovered in the TCP/IP stack (NetworkPkg) of Tianocore EDKII, Security focus of CVE-2023-4523 (5th Feb 2024)

February 5, 2024 admin Leave a comment

Original article published January 2024, status update published January 23, 2024.

Preface: Supermicro is aware of a potential vulnerability known as “PixieFAIL” in the BIOS firmware. Multiple vulnerabilities were discovered in the TCP/IP stack (NetworkPkg) of Tianocore EDKII, an open source implementation of UEFI. These nine vulnerabilities that if exploited via network can lead to remote code execution, DoS attacks, DNS cache poisoning, and/or potential leakage of sensitive information.

Background: The UEFI image parser is well-implemented, with a strict set of format validation requirements. The UEFI image loader starts the image allocation process by reserving enough memory for the image to be fully loaded. The UEFI image loader starts the image allocation process by reserving enough memory for the image to be fully loaded. The required memory is extended by a single page so that the loader has enough space to store information about the debugging symbols. Usually this is not necessary, but depending on the linker, debugging information can be placed inside the image overlay. Because the overlay information is not loaded into memory, the UEFI loader ensures that it is available by copying it from disk to this additionally allocated page.

EDK2’s Network Package provides network modules that conform to UEFI 2.4 specification

Vulnerability details: EDK2’s Network Package is susceptible to an out-of-bounds read vulnerability when processing Neighbor Discovery Redirect message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.

Ref: The subject matter expert performed a cursory inspection of NetworkPkg, Tianocore’s EDK II PXE implementation, and identified nine vulnerabilities that can be exploited by unauthenticated remote attackers on the same local network, and in some cases, by attackers on remote networks. The impact of these vulnerabilities includes denial of service, information leakage, remote code execution, DNS cache poisoning, and network session hijacking.

NIST Official details: Please refer to the link for details –

https://www.supermicro.com/en/support/security_BIOS_Jan_2024

Supermicro Official details: Please refer to the link for details –

https://www.supermicro.com/en/support/security_BIOS_Jan_2024

AI and ML, Application Development, Potential Risk of CVE

About CVE-2018-1311: Security update for xerces-c provided by SUSE on Feb 2024. Why do design weakness can tolerance by HPC Operating system for long year? (02-02-2024)

February 2, 2024 admin Leave a comment

Preface: Different HPC compilers allow the coder to make use of these tools for better performance and capability. For example, using HPC compilers allow for easier coding to run a parallel job. Compilation is the process of converting C language source code into executable program code. Running is the process of executing executable code. Compilation only needs to be completed once to produce executable code. The resulting executable code can be run multiple times.

Background: XML parser for C++ determines whether an XML document is well-formed and optionally validates it against a DTD. A DTD is a Document Type Definition. A DTD defines the structure and the legal elements and attributes of an XML document. The parser constructs an object tree that can be accessed through a DOM interface or operates serially through a SAX interface. SAX defines an abstract programmatic interface that models the XML information set (infoset) through a linear sequence of familiar method calls.

Validating an XML document determines whether the structure and content of the document conform to a set of rules. Xerces-C++ is a validating XML parser written in a portable subset of C++.

Remark: SAX-type parsing performance of Fast Infoset is also much faster than parsing performance of XML 1.0.

Vulnerability details: A use-after-free vulnerability was found in xerces-c in the way an XML document is processed via the SAX API. Applications that process XML documents with an external Document Type Definition (DTD) may be vulnerable to this flaw. A remote attacker could exploit this flaw by creating a specially crafted XML file that would crash the application or potentially lead to arbitrary code execution.

Ref: To understand the twists and turns of this story, please refer to the pictures attached to this article.

Official details: Please refer to the link for details – https://www.suse.com/support/update/announcement/2024/suse-su-20240299-1/

AI and ML, Application Development, Potential Risk of CVE

VE-2023-6780: Do not contempt his power! (1st Feb 2024)

February 1, 2024 admin Leave a comment

Preface: The GNU C Library – The project provides the core libraries for the GNU system and GNU/Linux systems. GLib is a platform library which is used by many hundreds of projects outside of GNOME.

Background: R is a language and environment for statistical programming which includes statistical computing and graphics. Python is a general-purpose programming language for data analysis and scientific computing. It is essential to know programming languages like R and Python in order to implement the whole Machine Learning process. Python and R both provide in-built libraries that make it very easy to implement Machine Learning algorithms.

What is glibc in Python? glibc provides a complete implementation of the ISO C standard library, which includes functions for file I/O, string manipulation, memory allocation, and more. This makes it easy for us to write portable and efficient code that can run on different systems.

Vulnerability details: An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.

Official details: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-6780

Potential Risk of CVE

CVE-2024-0564: A flaw was found in the Linux kernel’s memory deduplication mechanism. (30th Jan 2024)

January 31, 2024 admin Leave a comment

Preface: KVM hypervisor enables full virtualisation capabilities. It provides each VM with all typical services of the physical system, including virtual BIOS (basic input/output system) and virtual hardware, such as processor, memory, storage, network cards, etc. As a result, every VM completely simulates a physical machine.

Background: Kernel same-page Merging (KSM), used by the KVM hypervisor, allows KVM guests to share identical memory pages. These shared pages are usually common libraries or other identical, high-use data. KSM allows for greater guest density of identical or similar guest operating systems by avoiding memory duplication.

Vulnerability details: A flaw was found in the Linux kernel’s memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is “max page sharing=256”, it is possible for the attacker to time the unmap to merge with the victim’s page. The unmapping time depends on whether it merges with the victim’s page and additional physical pages are created beyond the KSM’s “max page share”. Through these operations, the attacker can leak the victim’s page.

Ref: It leaves one page unchanged, and re-maps each duplicate page to point to the same physical page, after which it releases the extra physical pages for re-use.

Mitigation: Deactivating memory deduplication will effectively mitigate all attack vectors. This measure unfortunately eliminates all the highly appreciated benefits of memory deduplication, namely the increase of operational cost-effectiveness through inter-VM memory sharing. This will cause an increase in the amount of memory required and in some situations may adversely impact performance (e.g. due to slower swap space being used). It is recommended that customers test this workaround before using it in production. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/virtualization_tuning_and_optimization_guide/sect-ksm-deactivating_ksm for how to disable KSM from Red Hat Enterprise Linux 6 and newer.

Official details: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-0564

Cyber security technical information