All posts by admin

Potential Risk of CVE

CVE-2024-22250 and CVE-2024-22245: VMware Enhanced Authentication Plug-in (EAP). The aftermath is not over yet. (23rd Feb 2024)

Leave a comment

This announcement original published on 20th Feb 2024

Preface: When two components have problems in the same place. If vendor did not specify the details in clear. In this circumstances, the design weakness looks the same.

Background: The Enhanced Authentication Plugin (EAP) is an extra software package that doesn’t come pre-installed. Administrators need to install it on client computers used for administration to allow direct login when using the VMware vSphere Client through a web browser.

The VMware EAP is a deprecated browser plugin that enables seamless single sign-on (SSO) to vSphere’s management interface from client workstations. It is an optional feature that stopped receiving support with the release of VMware vCenter Server 7.0.0u2 in March 2021.

Vulnerability details:

Session Hijack Vulnerability in Deprecated EAP Browser Plugin (CVE-2024-22250) – The VMware Enhanced Authentication Plug-in (EAP) contains a Session Hijack vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

Arbitrary Authentication Relay Vulnerability in Deprecated EAP Browser Plugin (CVE-2024-22245) – The VMware Enhanced Authentication Plug-in (EAP) contains an Arbitrary Authentication Relay vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.6.

Official announcement: Please refer to the link for details – https://www.vmware.com/security/advisories/VMSA-2024-0003.html

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2023-49100: TF-A before 2.10 has a potential read out-of-bounds in the SDEI service (21-02-2024)

Leave a comment

Preface: Trusted Firmware-A (TF-A) provides a reference implementation of secure world software for Armv7-A, Armv8-A and Armv9-A, including a Secure Monitor executing at Exception Level 3 (EL3) and a Secure Partition Manager running at Secure EL2 (S-EL2) of the Arm architecture.

Background: Software Delegated Exception Interface (SDEI) provides a mechanism for registering and servicing system events from system firmware. This specification defines a standard interface that is vendor-neutral, interoperable, and software portable. The interface is offered by a higher Exception level to a lower Exception level, in other words, by a Secure platform firmware to hypervisor or hypervisor to OS or both.

System events are high priority events, which must be serviced immediately by an OS or hypervisor. These events are often orthogonal to normal OS operation and the events can be handled, even when the OS is executing within its own critical section with interrupts masked. System events can be provided to support: Platform error handling (RAS), Software watchdog timer, Sample-based profiling & Kernel debugger.

Vulnerability details: Trusted Firmware-A (TF-A) before 2.10 has a potential read out-of-bounds in the SDEI service. The input parameter passed in register x1 is not validated well enough in the function sdei_interrupt_bind. The parameter is passed to a call to plat_ic_get_interrupt_type. It can be any arbitrary value passing checks in the function plat_ic_is_sgi. A compromised Normal World (Linux kernel) can enable a root-privileged attacker to issue arbitrary SMC calls. Using this primitive, he can control the content of registers x0 through x6, which are used to send parameters to TF-A. Out-of-bounds addresses can be read in the context of TF-A (EL3). Because the read value is never returned to non-secure memory or in registers, no leak is possible. An attacker can still crash TF-A, however.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-49100

Potential Risk of CVE

CVE-2023-52439 Fix use-after-free in uio_open (20th Feb 2024)

Leave a comment

Preface: Do you think this design flaw is risky? Yes, I think so.

Background: The UIO is a general purpose kernel driver that can be accessed from user space. The purpose of the driver is to act as a thin layer between user space programs and the hardware.

Since Linux uses a virtual address system, you cannot directly access the physical addresses of devices. You can gain a virtual address pointer to the device by using mmap() on the UIO device file for the device.

Vulnerability details:

There are two cores (processors) on a single chip, a SMP Kernel and RAM.

In the core-1 uio_unregister_device(), the device_unregister will kfree idev when the idev->dev kobject ref is 1.

But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then:

After core-1 kfree idev, the core-2 will do use-after-free for idev.

When core-2 do uio_release and put_device, the idev will be double freed.

Remedy: To address this issue, we can get idev atomic & inc idev reference with minor_lock. For details, please refer to https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0c9ae0b8605078eafc3bea053cc78791e97ba2e2

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-52439

Ref: mutex_unlock() returns 0 after successful operation. If any of the following conditions are detected, mutex_unlock() will fail and return the corresponding value.

EFAULT Description: The address pointed to by mp is illegal.

EPERM Description: The calling thread does not own the mutex lock.

IoT, Potential Risk of CVE

CVE-2024-1633: Do not contempt! (19th Feb 2024)

Leave a comment

Preface: A two-stage bootloader actually consists of two bootloaders after each other. The first being small with the sole purpose of loading the second one. The second one can then contain all the code needed for loading the kernel.

Background: Secure boot is a security standard developed to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the device starts, the firmware checks the signature of each piece of boot software. If the signatures are valid, the device boots, and the firmware gives control to the operating system.

Vulnerability details: During the secure boot, bl2 (the second stage of the bootloader) loops over images defined in the table “bl2_mem_params_descs”. For each image, the bl2 reads the image length and destination from the image’s certificate. Because of the way of reading from the image, which base on 32-bit unsigned integer value, it can result to an integer overflow. An attacker can bypass memory range restriction and write data out of buffer bounds, which could result in bypass of secure boot.

Reference:

An integer overflow occurs when you attempt to store inside an integer variable a value that is larger than the maximum value the variable can hold.

A 32-bit unsigned integer. It has a minimum value of 0 and a maximum value of 4,294,967,295 (inclusive).

Official details: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-1633

Potential Risk of CVE

CVE-2024-20953: Since Oracle did not reveal the details. But we can dig out details for existing design to see does it related to this vulnerability? (18th Feb 2024)

Leave a comment

Preface: At the most fundamental level, product lifecycle management (PLM) is the strategic process of managing the complete journey of a product from initial ideation, development, service, and disposal.

Background: Agile product lifecycle management (PLM) applies agile principles and methodologies to product management. It is often utilized in software development and its ongoing refinements, improvements, and variations. Critically, Agile methodology breaks down a development project into smaller cycles, called iterations.

Core PLM for discrete industries covers key capabilities like product data management, bill of materials management, engineering change management, and more.

Vulnerability details: Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: Export). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Official details: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-20953

Potential Risk of CVE

CVE-2024-0646: About KTLS (15th Feb 2024)

Leave a comment

Preface: Because when using TLS to transmit static content, the data needs to be read into user space and encrypted before the encrypted data can be transmitted. Facebook found that in the process of using TLS, it will spend 2% of the CPU processing copy from/to user space, and 10% of the CPU will be used for encryption.

Background: ktls is informed when data is queued to the socket and the strparser mechanism is used to delineate the records. Upon read request, records are retrieved from the socket and passed to decryption routine.

Linux kernel provides TLS connection offload infrastructure. Once a TCP connection is in ESTABLISHED state user space can enable the TLS Upper Layer Protocol (ULP) and install the cryptographic connection state.

ktls can operate in three modes: Software crypto mode (TLS_SW) , Packet-based NIC offload mode (TLS_HW) and Full TCP NIC offload mode (TLS_HW_RECORD)

Vulnerability details: An out-of-bounds memory write flaw was found in the Linux kernel’s Transport Layer Security functionality in how a user calls a function splice with a ktls socket as the destination. This flaw allows a local user to crash or potentially escalate their privileges on the system.

Official details: Please refer to the link for details –https://nvd.nist.gov/vuln/detail/CVE-2024-0646

Application Development, Potential Risk of CVE

Incorrect authorization vulnerability was identified in GitHub Enterprise Server (14 Feb-2024)

Leave a comment

Preface: The main difference between the products is that GitHub Enterprise Cloud is hosted by GitHub, while GitHub Enterprise Server is self-hosted. GitHub Enterprise Cloud includes an enterprise account that lets you manage multiple organizations.

Sign in to the AWS Management Console and open the Developer Tools Console: https://console[.]aws[.]amazon[.]com/codesuite/settings/connections. Select Settings > Connections, then select Make a connection. To establish a connection to an installed GitHub Enterprise Server repository, select GitHub Enterprise Server.

Background: The GITHUB_TOKEN is an automatically generated secret that lets you make authenticated calls to the GitHub API in your workflow runs. Actions generates a new token for each job and expires the token when a job completes.

To modify the permission of the GITHUB_TOKEN, we can make the change at the enterprise, organisation or repository level. To do this go to settings, select Actions then General, here we will find the Workflow Permissions sections.

Vulnerability details: An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to create new branches in public repositories and run arbitrary GitHub Actions workflows with permissions from the GITHUB_TOKEN. To exploit this vulnerability, an attacker would need access to the Enterprise Server. This vulnerability affected all versions of GitHub Enterprise Server after 3.8 and prior to 3.12, and was fixed in versions 3.9.10, 3.10.7, 3.11.5. This vulnerability was reported via the GitHub Bug Bounty program.

Official details: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-1482

Potential Risk of CVE

Regarding CVE-2024-22237, VMware did not provide details. But do you think this design weakness is the similar as what you’ve seen before? (13th Feb 2023)

Leave a comment

Preface: CWE-269: Improper Privilege Management vulnerability exists that could cause a remote code execution when the transfer command is used over the network.

Background: VMware Aria Operations for Networks is a pre-hardened and secured appliance. VMware Aria Operations for Networks is hardened against well-established and industry-accepted security benchmarks, for example: CIS. VMware Aria Operations for Networks also follows all security and privacy best practices defined by VMware Security Engineering, Communications, and Response (vSECR) team.

Vulnerability details: Aria Operations for Networks contains a local privilege escalation vulnerability. A console user with access to Aria Operations for Networks may exploit this vulnerability to escalate privileges to gain root access to the system.

Official details: Please refer to the link for details –https://docs.vmware.com/en/VMware-Aria-Operations-for-Networks/index.html

AI and ML, Potential Risk of CVE

About NVIDIA Security Bulletin – CVE-2023-31031 (12th Feb 2024)

Leave a comment

This NIVIDIA security bulletin was originally published on 8th Feb 2024.

CVE-2023-31031 was released by NIST on January 12, 2024. But what were the design flaws found in SBIOS? Officials stated that the flaw will lead to a stack-based buffer overflow in local access.

Preface: NVIDIA did not describe the details of this vulnerability. Do you think whether the description on attached diagram (step 4) may be related to this design flaw?

Background: Because the SBIOS update is accomplished in two phases (main SBIOS update first, followed by the Intel ME update), you will need to power cycle the server a couple of times to update all the components.

Updating the SBIOS Certificate

1.Obtain the CA certificate from the signing authority that was used to sign the SSL certificate.

2.Copy the CA certificate onto a USB thumb drive or to /boot/efi on the A100 OS.

3.Access the DGX A100 console from a locally connected keyboard and mouse or through the BMC remote console.

4.Reboot the server

Ref: Memory on the heap is dynamically allocated at runtime and typically contains program data.

Vulnerability details: NVIDIA DGX A100 SBIOS contains a vulnerability where a user may cause a heap-based buffer overflow by local access. A successful exploit of this vulnerability may lead to code execution, denial of service, information disclosure, and data tampering.

Official details: Please refer to the link for details –

https://nvidia.custhelp.com/app/answers/detail/a_id/5513

AI and ML, Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2023-33072: Buffer copy without checking size of Input in Core (6th Feb 2024)

Leave a comment

Preface: The title states that Buffer does not check the size of the input in Core when copying. But I believe it is more important to avoid unauthorized copying.

Background: An OpenCL Buffer is a 1D or 2D or 3D array in global memory. Its an abstract object that can be addressed thru a pointer. Buffers are Read-Only or Write_only or Read-Write. An Image buffer represents GPU Texture memory. It represents an array of pixels that can be access via functions specifying pixel x,y,z coordinates. There is no pointer access to Image Pixels on the GPU.

OpenCL supports buffer and image objects (and pipe objects from OpenCL 2.0). The one-dimensional buffer objects are a natural choice for many developers due to their simplicity and flexibility, such as the support of pointers, byte-addressable access, etc. For instance, using images allows hardware to handle out-of-boundaries read automatically.

Ref: An OpenCL Buffer is a 1D or 2D or 3D array in global memory. Its an abstract object that can be addressed thru a pointer. Buffers are Read-Only or Write_only or Read-Write. An Image buffer represents GPU Texture memory. It represents an array of pixels that can be access via functions specifying pixel x,y,z coordinates. There is no pointer access to Image Pixels on the GPU.

Vulnerability details: The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Date Reported        2022/12/20

Customer Notified Date   2023/08/07

Official details: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2024-bulletin.html