All posts by admin

About CVE-2022-21818 (NVIDIA License System) – 15th Feb 2022

Preface: The publication of CVE records is largely out of sync with the time of the event: a record released today may describe something that happened weeks or months ago. Still, once the record exists, a vulnerability scanner can use it to report the issue precisely after a scan.

Background: NVIDIA License System supports the following types of service instances:

  • Cloud License Service (CLS) instance. A CLS instance is hosted on the NVIDIA Licensing Portal.
  • Delegated License Service (DLS) instance. A DLS instance is hosted on-premises at a location that is accessible from your private network, such as inside your data center.

NVIDIA License System is used to serve a pool of floating licenses to NVIDIA licensed products. The NVIDIA License System is configured with licenses obtained from the NVIDIA Licensing Portal. The license server is designed to be installed at a location that is accessible from a customer’s network, and be configured with licenses obtained from the NVIDIA Licensing Portal.

Vulnerability details: NVIDIA License System contains a vulnerability in the installation scripts for the DLS virtual appliance, where a user on a network after signing in to the portal can access other users’ credentials, allowing them to gain escalated privileges.

One of the possibilities: traditional designs rely on the service-account concept.

Design weakness: Predefined sudo user account for a DLS virtual appliance.
Purpose: This user account has the elevated privileges required to update and upgrade the Ubuntu GPL/LGPL v3 licensed Open Source Software (OSS) libraries within the DLS virtual appliance.


Remark: This account is provided to comply with the terms of the GPL/LGPL v3 license under which some libraries in the Ubuntu operating system in the DLS virtual appliance are released.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5319

CVE-2022-0572 – Heap-based Buffer Overflow in vim (13th Feb, 2022)

Preface: The publication of CVE records is largely out of sync with the time of the event: a record released today may describe something that happened weeks or months ago. Still, once the record exists, a vulnerability scanner can use it to report the issue precisely after a scan.

Background: Vim is a greatly improved version of the good old UNIX editor Vi. The core of Vim is written in C; most of the source files are .c and .h files in the source folder itself (not in subfolders).
The heap is the region of a process's memory used to store dynamically allocated variables. These variables are allocated with malloc() and calloc() and resized with realloc(), all of which are C standard library functions.
If dynamically allocated variables are mishandled (refer to the attached diagram), the result can be a heap overflow.

Vulnerability details: A flaw was found in vim. A possible heap-based buffer overflow could allow an attacker to input a specially crafted file leading to a crash or arbitrary code execution.

What kinds of “arbitrary code” will the attacker typically run?
The attacker could get a simple directory listing by executing “ls” on Linux/Unix and go on to examine your file system. Alternatively, the attacker could run commands to delete files, launching a data-destruction and/or denial-of-service attack. The attacker could also steal data by downloading sensitive files.

Impact: Heap overflow may lead to exploiting the program, which can allow the attacker to execute arbitrary code.

Official announcement: Please refer to the link for details – https://github.com/vim/vim/commit/6e28703a8e41f775f64e442c5d11ce1ff599aa3f

About CVE-2021-44850 – Zynq 7000 SoC devices design weakness (10th Feb 2022)

Preface: SoC → System on Chip. It is basically a collection of different types of processor components, such as CPU, GPU, modems, DSP units and memory units.

ASIC → Application Specific Integrated Circuit. ASICs are chips that are hardwired to do a specific job.

Background: The SD/SDIO controller is compatible with the standard SD Host Controller Specification Version 2.0 Part A2 with SDMA (single operation DMA), ADMA1 (4 KB boundary limited DMA), and ADMA2 (ADMA2 allows data of any location and any size to be transferred in a 32-bit system memory – scatter-gather DMA) support. The core also supports up to seven functions in SD1, SD4, but does not support SPI mode. It does support SD high-speed (SDHS) and SD High Capacity (SDHC) card standards.

The Zynq®-7000 SoC family integrates the software programmability of an ARM®-based processor with the hardware programmability of an FPGA, enabling key analytics and hardware acceleration while integrating CPU, DSP, ASSP, and mixed signal functionality on a single device.

To build a custom Linux image, it’s recommended that you start with a Petalinux BSP for one of the Xilinx boards, and then customize the configuration to suit your needs.

Vulnerability details: A vulnerability has been found in Xilinx Zynq-7000 and classified as critical. On Xilinx Zynq-7000 SoC devices, physical modification of an SD boot image allows for a buffer overflow attack in the ROM.

Ref: The SDIO controller is not documented in detail because the SD/SDIO controller is compatible with the standard SD Host Controller Specification Version 2.0 Part A2.

Referring to the Zynq design, the ROM resets all of the relevant SDIO configuration registers each time it sends a command. Even though it blocks on transaction completion, it does not clear the DMA base address register. If an attacker modifies the transfer data size, a buffer overflow can be triggered under these circumstances.

Official announcement: Refer to the link for details – https://support.xilinx.com/s/article/76964?language=zh_CN

Design weakness found on SwiftNIO HTTP2 (9th Feb 2022)

Preface: Apple announced the launch of its new operating system, macOS 10.15 Catalina, on October 7, 2019. In keeping with Apple's release cycle, macOS 10.12 Sierra will no longer receive security updates. Sierra was succeeded by High Sierra 10.13, Mojave 10.14 and the newest release, Catalina 10.15.

Background: SwiftNIO is Apple's non-blocking networking library. It can be used to write either client libraries or server frameworks and works on macOS, iOS and Linux. swift-nio-http2 follows SemVer 2.0.0, with a separate document declaring SwiftNIO's public API. The project (SwiftNIO HTTP/2) contains HTTP/2 support for Swift projects using SwiftNIO. SwiftNIO is the library for building backend servers in the Swift programming language. In SwiftNIO, you cannot model concurrent execution without at least an event loop. To execute your asynchronous code, you need to ask the EventLoopGroup for an EventLoop; the method next() returns a new EventLoop in a round-robin fashion.

Does SemVer have a size limit on the version string?
No, but use good judgment. A 255 character version string is probably overkill, for example. Also, specific systems may impose their own limits on the size of the string.

Vulnerability details:

CVE-2022-24668 – caused by a network peer sending ALTSVC or ORIGIN frames (vulnerable to a denial of service attack). The issue is fixed by rewriting the parsing code to correctly handle the condition.
CVE-2022-24667 – caused by a network peer sending a specially crafted HPACK-encoded header block (vulnerable to a denial of service attack). The issue is fixed by rewriting the parsing code to correctly handle all conditions in the function.
CVE-2022-24666 – caused by a network peer sending a specially crafted HTTP/2 frame (vulnerable to a denial of service attack). The issue is fixed by rewriting the parsing code to correctly handle the condition.

Ref 1: Security concern with HPACK – denial of service resulting from exhausting processing or memory capacity at a decoder.

Ref 2: Some regular expression engines have a feature called “backtracking”. If the token cannot match, the engine “backtracks” to a position that may result in a different token that can match.
Backtracking becomes a weakness if all of these conditions are met:

  • The number of possible backtracking attempts is exponential relative to the length of the input.
  • The input can fail to match the regular expression.
  • The input can be long enough.

Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.

Remedy: The risk can be mitigated if untrusted peers can be prevented from communicating with the service.

About CVE-2022-21173 – ELECOM LAN Router design weakness (8th Feb, 2022)

Preface: Did you know someone is behind your computer?

Background: The WRH300x series is a compact wireless LAN router for hotel use, supporting 11bgn at 300 Mbps and offering Internet speeds of roughly four times an LTE line.

Ref: 11BGN, 11AGN, and 11AC are wireless standards supported by wireless products. Among them, 11BGN refers to the 802.11b, 802.11g, and 802.11n standards, 11AGN refers to the 802.11a, 802.11g, and 802.11n standards, and 11ac refers to the 802.11ac standard.

Vulnerability details: Certain versions of ELECOM LAN routers allow an attacker on the adjacent network to execute an arbitrary OS command via unspecified vectors.

Synopsis: The PPPoEd service is used to create Point-to-Point Protocol over Ethernet (PPPoE) connections on LAN Router. The PPPoEd daemon uses the mount system command to load and start a networking device during PPPoE connection negotiation. However, PPPoEd relies on the PATH environment variable to locate the executable file for the mount command.

Likelihood: A malicious user may be able to create an arbitrary program named mount and hijack execution flow through path interception by the PATH environment variable: the PATH variable is made to refer to the new mount executable. When PPPoEd consults PATH to locate the executable for the mount command, it follows that PATH entry to the new version of mount (the arbitrary program labeled mount).
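The PATH-interception mechanism described above, shown from the defender's side as an added example (not ELECOM's code): a PATH audit that flags entries a privileged daemon should not trust, a simulation of first-match PATH resolution, and the hardened lookup that ignores PATH and only accepts an assumed allowlist of system directories.

```python
import os

# Assumed allowlist for this example; adjust to the appliance's real layout.
TRUSTED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")


def audit_path(path_value, trusted=TRUSTED_DIRS):
    """Return (entry, reason) pairs for PATH entries that let a same-named
    binary shadow a system command such as mount."""
    findings = []
    for entry in path_value.split(os.pathsep):
        if entry == "":
            findings.append((entry, "empty entry means the current directory"))
        elif not os.path.isabs(entry):
            findings.append((entry, "relative entry depends on the working directory"))
        elif os.path.normpath(entry) not in trusted:
            findings.append((entry, "directory outside the trusted system set"))
    return findings


def resolve_via_path(command, path_value, exists=os.path.isfile):
    """How a plain PATH lookup behaves: the first entry that holds the name
    wins. `exists` is injectable so the behaviour can be shown on
    constructed data instead of the real filesystem."""
    for entry in path_value.split(os.pathsep):
        candidate = os.path.join(entry or ".", command)
        if exists(candidate):
            return candidate
    return None


def resolve_trusted(command, trusted=TRUSTED_DIRS, exists=os.path.isfile):
    """Hardened lookup: ignore PATH entirely and accept only trusted
    directories (equivalent to invoking mount by a fixed absolute path)."""
    for directory in trusted:
        candidate = os.path.join(directory, command)
        if exists(candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed filesystem: a second 'mount' in a writable directory
    # alongside the real /bin/mount.
    present = {"/tmp/mount", "/bin/mount"}.__contains__
    risky_path = "/tmp:/bin:/usr/bin"
    print(audit_path(risky_path))                          # flags /tmp
    print(resolve_via_path("mount", risky_path, present))  # /tmp/mount
    print(resolve_trusted("mount", exists=present))        # /bin/mount
```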

Affected Products: WRH-300BK3 firmware v1.05 and earlier, WRH-300WH3 firmware v1.05 and earlier, WRH-300BK3-S firmware v1.05 and earlier, WRH-300DR3-S firmware v1.05 and earlier, WRH-300LB3-S firmware v1.05 and earlier, WRH-300PN3-S firmware v1.05 and earlier, WRH-300WH3-S firmware v1.05 and earlier, and WRH-300YG3-S firmware v1.05 and earlier

Official announcement: https://www.elecom.co.jp/news/security/20220208-02/

CVE-2022-21816 NVIDIA vGPU software vulnerability details (7th Feb, 2022)

Preface: In addition to the traditional CVE risk-level criteria, how critical a vulnerability is in practice depends on the processing technique involved.

Background: NVIDIA vGPU software is a graphics virtualization platform that gives virtual machines (VMs) access to NVIDIA GPU technology. To fulfil this design objective, it is necessary to enable a GPUDirect RDMA connection to NVIDIA GPUs on Linux. GPUDirect RDMA is a technology introduced in Kepler-class GPUs and CUDA 5.0 that enables a direct path for data exchange between the GPU and a third-party peer device using standard features of PCI Express. Examples of third-party devices are network interfaces, video acquisition devices and storage adapters.

To add GPUDirect RDMA support to a device driver, a small amount of address mapping code within the kernel driver must be modified. This code typically resides near existing calls to get_user_pages().

Vulnerability details: NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (nvidia[.]ko), where a user in the guest OS can cause a GPU interrupt storm on the hypervisor host, leading to a denial of service.

In computing, remote direct memory access (RDMA) is direct memory access from the memory of one computer into that of another without involving either one's operating system. It is assumed that the software does not restrict, or erroneously restricts, access to resources by unauthorized actors. As a result, vulnerabilities can occur. For more details, please refer to the attached diagram.

Impact: Affected vendor/software: NVIDIA Virtual GPU Software and NVIDIA Cloud Gaming, vGPU version 13.x (prior to 13.2), version 11.x (prior to 11.7) and version 8.x (prior to 8.10).

About CVE-2022-23206 – Apache (Traffic Control) design weakness (6th Feb, 2022)

Preface: The traditional content distribution network (CDN) can no longer meet the requirements of 5G networks, which demand high bandwidth, low latency and massive on-demand connections. The bottlenecks of traditional CDNs cannot absorb the rapid growth in video traffic, rate and cost.

Background: Apache Traffic Server™ software is a fast, scalable and extensible HTTP/1.1 and HTTP/2 compliant caching proxy server. Traffic Control is a control plane for a CDN (Content Delivery Network).
In addition to being an HTTP proxy, Apache Traffic Server™ is also an HTTP cache. Traffic Server can cache any octet stream, although it currently supports only those octet streams delivered by the HTTP protocol. When such a stream is cached (along with the HTTP protocol headers) it is termed an object in the cache. Each object is identified by a globally unique value called a cache key.

Traffic Ops is the tool for administration (configuration and monitoring) of all components in a Traffic Control CDN. Traffic Portal uses the Traffic Ops API to manage servers, Cache Groups, Delivery Services, etc.

Vulnerability details: In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.

Weakness Enumeration: CWE-918: Server-Side Request Forgery (SSRF). For possible ways to trigger the specified vulnerability, please refer to the attached image.

Official announcement: https://lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vvz8n126f

CVE-2022-23833 – Django triggers an infinite loop when parsing a file. Since the design defect consumes resources on its own, it may cause denial of service. (3rd Feb, 2022)

Preface: If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory.

Background: Django is a web framework for developing web applications in Python, intended to make the development process simpler and easier. It provides built-in components such as the Django ORM, forms, security, authentication and admin, and many third-party packages are available on Django Packages.

MultiPartParser

  • It parses the incoming request form contents into QueryDict.
  • It is used if “Content-Type” is set to “multipart/form-data”.
  • request.data will be a QueryDict containing all the form parameters.
  • request.files will be a QueryDict containing all the form files.
  • FormParser and MultiPartParser are used together for full support of HTML form data.

Vulnerability details: A design weakness occurs in the operating sequence below. For more details, please see below:
Precondition that exposes this vulnerability: the Content-Type header must contain multipart and the boundary information.

  • Step 1. An UploadHandler instance performs operations on the uploaded data.
  • Step 2. The header is parsed to get the boundary used to split the parts.
  • Step 3. Decide whether or not to signal file completion at the beginning of the loop.
  • Step 4. If step 3 is negative, the parser cannot be sure a file is complete until it hits the next boundary/part of the multipart content; the loop continues to run until its Boolean condition becomes true.
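The loop behaviour from steps 3 and 4, as an added example that is not Django's own code: a simplified re-implementation modelled on the base64 top-up loop in MultiPartParser, where reading at the end of a part returns nothing and, before the fix, the loop condition could never become true. The `fixed` flag switches in the extra end-of-part check; the read cap is a constructed guard for demonstration only, and the exact Django change should be checked against the linked commit.

```python
import base64
import binascii
import io

# Constructed safety cap so the pre-fix variant can be shown without actually
# hanging the interpreter; the real parser had no such cap.
MAX_TOPUP_READS = 1000


def _decode_base64_part(stream, chunk_size, fixed):
    """Decode one base64-encoded file part.

    Modelled on the MultiPartParser loop that tops a chunk up to a multiple of
    4 bytes before b64decode(); `stream` is bounded to the current part, so
    read() returns b'' once the next boundary is reached (like LazyStream).
    fixed=True applies the CVE-2022-23833 change: stop when read() is empty.
    """
    out = b""
    topups = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break                              # part fully consumed
        stripped = b"".join(chunk.split())     # drop whitespace and newlines
        remaining = len(stripped) % 4
        while remaining != 0:
            over_chunk = stream.read(4 - remaining)
            if fixed and not over_chunk:
                break                          # end of part: do not spin
            if not fixed:
                topups += 1
                if topups > MAX_TOPUP_READS:   # demo-only guard
                    raise RuntimeError("infinite loop: read() keeps returning b''")
            stripped += b"".join(over_chunk.split())
            remaining = len(stripped) % 4
        try:
            out += base64.b64decode(stripped)
        except binascii.Error as exc:
            raise ValueError("malformed base64 in multipart part") from exc
    return out


def parse_part(body, chunk_size=64, fixed=True):
    """Return ('ok', bytes), ('rejected', reason) or ('hang', reason)."""
    try:
        return ("ok", _decode_base64_part(io.BytesIO(body), chunk_size, fixed))
    except ValueError as exc:
        return ("rejected", str(exc))
    except RuntimeError as exc:
        return ("hang", str(exc))


if __name__ == "__main__":
    # Constructed parts: valid base64 of b"hello world" split by a newline,
    # and a part whose base64 length is not a multiple of 4.
    good, short = b"aGVsbG8g\nd29ybGQ=", b"aGVsbG8"
    print(parse_part(good, chunk_size=5, fixed=False))  # ('ok', b'hello world')
    print(parse_part(short, fixed=False))               # ('hang', ...)
    print(parse_part(short, fixed=True))                # ('rejected', ...)
```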

Impact: An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

Remedy: Fixed CVE-2022-23833 (Fixed DoS possibility in file uploads). Please refer to the link for details – https://github.com/django/django/blob/main/django/http/multipartparser.py

About CVE-2022-24122 – Vulnerability resolved two and a half months ago. Just to understand what happened (29-01-2022)

Preface: If you are a Kubernetes administrator, distributing resources may be a daily routine. Regarding this vulnerability, have you resolved it yet?

Background: Namespaces are one of the main features of the Linux kernel; they partition kernel resources so that a process can only see a specified set of them. Examples of such resources are process IDs, hostnames, files, usernames, network access names and inter-process communication.

Vulnerability details: kernel/ucount[.]c in the Linux kernel 5.14 through 5.16.4, when unprivileged user namespaces are enabled, allows a use-after-free and privilege escalation because a ucounts object can outlive its namespace.

Ref: Ordinary ucount references exist in places that also hold a reference to the user namespace, but in POSIX message queues, the SysV shm code and the SIGPENDING code there is no independent user namespace reference.

Inspection of the user_namespace shows no circular references between struct ucounts and the user_namespace, so holding a reference from struct ucounts to its user_namespace resolves the problem.

Remediation: Please refer to the link for details – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f9d87929d451d3e649699d0f1d74f71f77ad38f5

Some said the “php echo call” risk (CVE-2022-23993) gave small and medium-sized enterprises a headache? But now it's fixed. (26th Jan, 2022)

Preface: Without the open source software concept, technology would hardly have become common. Even if you are concerned about cyber security, the community can fix a vulnerability when one occurs.

Background: pfSense is an open source firewall and routing platform based on FreeBSD. pfSense can be installed on physical computers or virtual machines, and can act as an independent firewall and router in the network. It is equipped with a Web user interface for administrative tasks such as setting and updating, which makes it easier to use.

Vulnerability details: If you accepted the QNAP solution to turn your NAS into a virtual router, this vulnerability found in pfSense is a reminder to stay alert. The following vulnerability was found: /usr/local/www/pkg[.]php in pfSense through 2.5.2 uses $_REQUEST['pkg_filter'] in a PHP echo call.
The main reason for using $_REQUEST is that the parameter can arrive in either $_POST or $_GET; by accessing $_REQUEST you don't have to check both $_GET and $_POST to see whether the value is set.
If you are passing $_GET (or $_POST) parameters to your queries, make sure they are cast to strings first. An attacker can insert associative arrays in GET and POST requests, which could then become unwanted $-queries.
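The two points above (echoing a request value unescaped, and array-style parameters reaching code that expects a string) in an added Python example that is not pfSense's code: the risky reflect pattern beside a hardened version that rejects array syntax and repeated values, forces a scalar string, and HTML-escapes it before it reaches the page. The parameter name pkg_filter is taken from the advisory; the field markup is assumed.

```python
import html
from urllib.parse import parse_qs

PARAM = "pkg_filter"


def reflect_unsafe(query_string):
    """The risky pattern: echo the request value straight into markup."""
    params = parse_qs(query_string, keep_blank_values=True)
    value = params.get(PARAM, [""])[0]
    return f'<input name="{PARAM}" value="{value}">'


def reflect_hardened(query_string):
    """Reject array-style or repeated parameters, force a scalar string and
    HTML-escape it (quotes included) before it is written to the page."""
    params = parse_qs(query_string, keep_blank_values=True)
    if any(k.startswith(PARAM + "[") for k in params):
        raise ValueError(f"{PARAM}[] array syntax is not accepted")
    values = params.get(PARAM, [""])
    if len(values) != 1:
        raise ValueError(f"{PARAM} must be supplied at most once")
    safe = html.escape(str(values[0]), quote=True)
    return f'<input name="{PARAM}" value="{safe}">'


def check(query_string):
    """('ok', markup) or ('rejected', reason), for reviewing sample inputs."""
    try:
        return ("ok", reflect_hardened(query_string))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed inputs: a plain filter, a value that closes the attribute
    # and injects markup, and an array-style parameter.
    for qs in ("pkg_filter=nginx", "pkg_filter=%22%3E%3Cb%3Ex%3C/b%3E",
               "pkg_filter[]=a&pkg_filter[]=b"):
        print(reflect_unsafe(qs))
        print(check(qs))
```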

Official article on the remedies applied: Please refer to the link – https://github.com/pfsense/pfsense/commit/5d82cce0d615a76b738798577a28a15803e59aeb