All posts by admin

CVE-2023-40017 on GeoNode (24th Aug 2023)

Preface: A few years ago Server-Side Request Forgery (SSRF) rarely drew the attention of IT administrators. Since ransomware arrived, SSRF has become a real worry, because cyber criminals use it as a foothold into internal networks. So be careful when a web application you run is known to contain an SSRF vulnerability.

Background: GeoNode is a geospatial content management system, a platform for the management and publication of geospatial data. It brings together mature and stable open-source software projects under a consistent and easy-to-use interface allowing non-specialized users to share data and create interactive maps.

For reference:

  • Django is a high-level Python web framework
  • PostgreSQL / PostGIS (Vector Datasets)
  • pyCSW – pycsw is an OARec and OGC CSW server implementation written in Python.
  • Raster Datasets – Raster datasets represent geographic features by dividing the world into discrete square or rectangular cells laid out in a grid. Each cell has a value that is used to represent some characteristic of that location, such as temperature, elevation, or a spectral value.
  • File System Raster Datasets – There are three methods to store image and raster data: as files in a file system, within a geodatabase, or managed from within the geodatabase but stored in a file system.

Vulnerability details: GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. In versions 3.2.0 through 4.1.2, the endpoint `/proxy/?url=` does not properly protect against server-side request forgery. This allows an attacker to port scan internal hosts and request information from internal hosts: because the request is made by the GeoNode server itself, it reaches hosts and services (databases, cloud metadata endpoints, admin interfaces) that the attacker cannot reach directly.

Remedy: A patch is available at commit a9eebae80cb362009660a1fd49e105e7cdb499b9.
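The weakness above is a proxy that fetches whatever URL it is handed. The following is an added example, not GeoNode's code or its patch, of the destination check such an endpoint needs before it opens a connection. The resolver, the host names and their answers are constructed for the demo; in a real deployment `fake_resolve` would wrap `socket.getaddrinfo()`.

```python
import ipaddress
from urllib.parse import urlsplit

# Schemes a map/tile proxy legitimately needs (this example's choice).
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS answers for the demo; none of these names are real hosts.
# The "public" answers reuse well-known resolver addresses only so that
# ipaddress classifies them as global.
FAKE_DNS = {
    "tiles.example.org": ["8.8.8.8"],
    "internal-db.corp.example": ["10.20.30.40"],
    "dual.example.org": ["1.1.1.1", "192.168.1.9"],  # public and private answers
    "localhost": ["127.0.0.1"],
}


def fake_resolve(host):
    """Stand-in resolver. In production this would wrap socket.getaddrinfo()."""
    return FAKE_DNS.get(host.lower(), [])


def is_public_address(ip):
    """True only for globally routable unicast addresses (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return not (
        addr.is_private or addr.is_loopback or addr.is_link_local
        or addr.is_multicast or addr.is_reserved or addr.is_unspecified
    )


def check_proxy_target(url, resolve=fake_resolve):
    """Decide whether a /proxy/?url= style endpoint may fetch `url`.

    Returns (allowed, reason). Every address the name resolves to must be
    public, so a name that answers with one public and one private address
    is refused rather than fetched "most of the time".
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        # A literal address (IPv4, or IPv6 in brackets) needs no lookup.
        addrs = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        addrs = resolve(parts.hostname)
    if not addrs:
        return False, f"unresolvable host: {parts.hostname}"
    for ip in addrs:
        if not is_public_address(ip):
            return False, f"{parts.hostname} resolves to non-public address {ip}"
    return True, "ok"
```

Two caveats a practitioner would add: connect to the address that was checked rather than resolving the name a second time (otherwise a DNS-rebinding attacker answers with a public address for the check and a private one for the connection), and run every HTTP redirect through the same check, since a permitted public host can 302 the proxy to an internal one.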

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-40017

CVE-2023-40178: Node-SAML Improper Verification of Cryptographic Signature (23rd Aug 2023)

Preface: It is often said that SSO reduces the attack surface because users log in once a day with a single set of credentials, and that consolidating logins onto one credential set improves enterprise security. Are there other concerns?

Background: Node-SAML has built-in support for Single Logout (SLO), including signature validation, IdP-initiated and SP-initiated logouts, decryption of encrypted name identifiers in IdP-initiated logout, and the Redirect and POST SAML protocol bindings.

A SAML Service Provider (SP) is a system entity that receives and accepts authentication assertions in conjunction with a Single Sign-On (SSO) profile of the Security Assertion Markup Language (SAML). For example: Gmail, Salesforce, etc.

An identity provider performs the authentication that the end user is who they say they are and sends that data to the service provider along with the user’s access rights for the service. Microsoft Active Directory or Azure are common identity providers. Salesforce and other CRM solutions are usually service providers, in that they depend on an identity provider for user authentication.

Vulnerability details: Node-SAML is a framework-independent SAML library that runs on Node.js. The lack of a check against the current timestamp allows a LogoutRequest XML document to be reused multiple times, even when the current time is past its NotOnOrAfter value. A user could therefore be logged out by a replayed, expired LogoutRequest. In a bigger context, if captured LogoutRequests are replayed in bulk against different SPs, this could affect many users at once.

Remedy: This issue was patched in version 4.0.5.
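The time and replay checks the advisory describes, as an added example in Python (Node-SAML itself is JavaScript; this is not the library's code or its fix). The LogoutRequest is constructed for the demo, the validator assumes the XML signature has already been verified, and treating a missing NotOnOrAfter as an error is this example's policy rather than a SAML requirement:

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET   # use defusedxml for untrusted input in production

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed LogoutRequest (not a real IdP message). Its five-minute
# validity window ends at 10:05 UTC.
SAMPLE_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_8e3f0a7c2b" Version="2.0"
    IssueInstant="2023-08-23T10:00:00Z"
    NotOnOrAfter="2023-08-23T10:05:00Z"
    Destination="https://sp.example.test/logout">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:NameID>alice@example.test</saml:NameID>
</samlp:LogoutRequest>"""


def parse_saml_instant(value):
    """SAML dateTime values are UTC with a trailing Z (fractional seconds not handled here)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class LogoutRequestValidator:
    """Enforces the NotOnOrAfter window and refuses replays of the same request ID."""

    def __init__(self, clock_skew=timedelta(seconds=60)):
        self.clock_skew = clock_skew
        self.seen_ids = {}   # request ID -> NotOnOrAfter, pruned once the window closes

    def validate(self, xml_text, now):
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{SAMLP}}}LogoutRequest":
            raise ValueError("not a LogoutRequest")
        req_id = root.get("ID")
        if not req_id:
            raise ValueError("LogoutRequest has no ID")
        not_on_or_after = root.get("NotOnOrAfter")
        if not_on_or_after is None:
            raise ValueError("LogoutRequest has no NotOnOrAfter; refusing unbounded request")
        expiry = parse_saml_instant(not_on_or_after)
        if now >= expiry + self.clock_skew:
            raise ValueError(f"LogoutRequest expired at {not_on_or_after}")
        issue_instant = root.get("IssueInstant")
        if issue_instant is None:
            raise ValueError("LogoutRequest has no IssueInstant")
        if parse_saml_instant(issue_instant) > now + self.clock_skew:
            raise ValueError("LogoutRequest issued in the future")
        # Forget IDs whose window has closed, then refuse a repeat inside the window.
        self.seen_ids = {i: exp for i, exp in self.seen_ids.items()
                         if now < exp + self.clock_skew}
        if req_id in self.seen_ids:
            raise ValueError(f"LogoutRequest {req_id} already processed (replay)")
        self.seen_ids[req_id] = expiry
        return req_id


def run_demo():
    """Feed the constructed request in once, then replay it, then present it after expiry."""
    validator = LogoutRequestValidator()
    t_valid = datetime(2023, 8, 23, 10, 2, 0, tzinfo=timezone.utc)
    t_late = datetime(2023, 8, 23, 10, 10, 0, tzinfo=timezone.utc)
    out = {"first": validator.validate(SAMPLE_LOGOUT_REQUEST, t_valid)}
    for name, t in (("replay", t_valid), ("expired", t_late)):
        try:
            validator.validate(SAMPLE_LOGOUT_REQUEST, t)
            out[name] = "accepted"
        except ValueError as e:
            out[name] = str(e)
    return out
```

The replay cache only has to remember an ID until its NotOnOrAfter (plus skew) passes, which is why the expiry check must exist: without it the cache would grow without bound, or an attacker could wait for it to be flushed and replay.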

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-40178

CVE-2023-41105: Python 3.11 through 3.11.4 (os.path.normpath) truncates input on null bytes (23rd Aug 2023)

Preface: Like Java, Python is popular partly because Python applications run on all major operating systems (Windows, Unix, Linux, macOS).

Background: What's new in Python 3.11? One of the new modules is tomllib, for parsing TOML.
I. TOML makes writing configuration files simple, straightforward, and more human-readable than many other formats, including JSON.
The TOML file used to configure the buildkitd daemon has a short list of global settings followed by a series of sections for specific areas of daemon configuration.
The file path is /etc/buildkit/buildkitd.toml in rootful mode and ~/.config/buildkit/buildkitd.toml in rootless mode.

II. The os.path.normpath() method in Python is used to normalize the specified path. All redundant separators and up-level references are collapsed in the process of path normalization.
For example: A//B, A/B/, A/./B and A/foo/../B all will be normalized to A/B.

If your Docker setup automation uses both I and II (reads paths from a TOML configuration and normalizes them with os.path.normpath), stay alert.

Vulnerability details:

'\0' is the NUL byte. If a path containing '\0' bytes is passed to os.path.normpath(), the path is unexpectedly truncated at the first '\0' byte.

In some cases an application that would have rejected a filename for security reasons on Python 3.10.x or earlier no longer rejects that filename on Python 3.11 through 3.11.4, because the part of the path that would have triggered the rejection has silently disappeared before the check runs.
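An added example (not from the CVE advisory or CPython) showing why the order of "reject NUL" and "normalize" matters. It uses posixpath explicitly so the results do not depend on the host platform; the base directory and the file names are constructed. On an interpreter in the affected range the probe returns True and the normalize-first checker accepts a truncated path; elsewhere the NUL survives normalization and the same checker rejects it.

```python
import posixpath

BASE = "/srv/data"   # hypothetical upload root for the demo


def normpath_truncates_on_nul():
    """Probe for the CVE-2023-41105 behaviour: True when normpath drops the NUL
    and everything after it (Python 3.11.0 through 3.11.4)."""
    return posixpath.normpath("a/b\0c") == "a/b"


def check_then_normalize(base, user_path):
    """Correct order: reject NUL on the raw input, then normalize and confine to base.
    Behaves the same on every interpreter."""
    if "\0" in user_path:
        raise ValueError("embedded NUL byte in path")
    joined = posixpath.normpath(posixpath.join(base, user_path))
    if posixpath.commonpath([base, joined]) != base:
        raise ValueError("path escapes base directory")
    return joined


def normalize_then_check(base, user_path):
    """The order the CVE breaks: on an affected interpreter the NUL and the
    bytes after it vanish in normpath, so the NUL check below never fires and
    the function returns a path different from the one the caller supplied."""
    joined = posixpath.normpath(posixpath.join(base, user_path))
    if "\0" in joined:
        raise ValueError("embedded NUL byte in path")
    if posixpath.commonpath([base, joined]) != base:
        raise ValueError("path escapes base directory")
    return joined


def demo_outcomes(user_path="notes.txt\0.exe"):
    """Run both checkers on a constructed NUL-containing name; returns outcomes by name."""
    out = {"truncates": normpath_truncates_on_nul()}
    for name, checker in (("strict", check_then_normalize),
                          ("lenient", normalize_then_check)):
        try:
            out[name] = checker(BASE, user_path)
        except ValueError as e:
            out[name] = "rejected: " + str(e)
    return out
```

The practical rule: validate the string the caller gave you (NUL bytes, length, character set) before any transformation, and then validate the transformed result separately for directory escape. A check that only looks at the normalized form is making its decision about a path the caller did not send.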

08/23/2023 disclosed

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-41105

CVE-2023-36787: What’s up? (2023-08-23)

Background: Edge was initially built with Microsoft’s own proprietary browser engine, EdgeHTML, and their Chakra JavaScript engine. In late 2018, it was announced that Edge would be completely rebuilt as a Chromium-based browser with Blink and V8 engines.

Chrome used only WebCore, and included its own JavaScript engine named V8 and a multiprocess system. Chrome for iOS continues to use WebKit because Apple requires that web browsers on that platform must do so.

Remark: Edge was originally based on Chakra but has more recently been rebuilt using Chromium and the V8 engine. V8 is written in C++, and it’s continuously improved.

Vulnerability details: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability.

06/27/2023 CVE reserved

08/17/2023 +51 days

Official announcement: For details, please refer to the link – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36787

CVE-2023-21273: When you run this design, you should be concerned about this vulnerability! (20th Aug 2023)

Preface: A UUID is a 128-bit identifier intended to be unique worldwide. Bluetooth sends data over the air, and every nearby device can receive it.

Background: Android "O" was officially released on August 21, 2017 under the name "Oreo". The BluetoothHidDevice framework adds the SDP record during app registration, so that the Android device can be discovered as a Bluetooth HID device. The related module source file sdp_db.cc appeared during this period. Over time, the Bluetooth module including sdp_db.cc has been carried forward to the present-day Android Open Source Project (AOSP).

Vulnerability details: In SDP_AddAttribute of sdp_db.cc, there is a possible out-of-bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Severity – Critical

Type – RCE

Updated AOSP versions – 11,12,12L, 13

Official Announcement: For details, please refer to the link below:

https://android.googlesource.com/platform/packages/modules/Bluetooth/+/1e27ef69755a0735278a1c6af130c71a92b94e3f%5E%21/#F0

https://source.android.com/security/bulletin/2023-08-01

CVE-2023-40272: Apache Airflow Spark Provider design weakness (17th Aug 2023)

Background: What is Apache Airflow used for?

Apache Airflow is an open-source tool to programmatically author, schedule, and monitor workflows. It is one of the most robust platforms used by Data Engineers for orchestrating workflows or pipelines. You can easily visualize your data pipelines’ dependencies, progress, logs, code, trigger tasks, and success status.

What is the difference between extras and providers in Airflow?

Extras are a standard Python setuptools feature that allows an additional set of dependencies to be added as optional features to "core" Apache Airflow. One type of such optional feature is the provider package, but not all optional features of Apache Airflow have corresponding providers.

Providers can contain operators, hooks, sensors, and transfer operators to communicate with a multitude of external systems, but they can also extend the Airflow core with new capabilities. You can install those provider packages separately in order to interface with a given service.

What is deployment Mode in Apache Spark?

  • Client mode – the driver component runs on the machine from which the job is submitted; when Airflow submits the job, that machine is the Airflow worker, so files readable by the driver are files on the Airflow server.
  • Cluster mode – the driver component of the Spark job does not run on the machine from which the job is submitted but inside the cluster.

Vulnerability Details: Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection giving an opportunity to read files on the Airflow server. It is recommended to upgrade to a version that is not affected.

Affected versions: Apache Airflow Spark Provider before 4.1.3

Remedy: Patched versions 4.1.3

Official announcement: For details, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2023-40272

CVE-2023-4387: Linux kernel VMware vmxnet3 Ethernet NIC driver design weakness (17th Aug 2023)

Background: VMware VMXNET3 is a para-virtual (hypervisor-aware) network driver, designed and developed to address the networking complexities of a virtualized infrastructure. A para-virtual driver is a high-performance driver that significantly reduces the overhead caused by emulating the corresponding physical device. Because VMXNET3 is aware of the hypervisor it needs no emulation layer, which improves performance by almost 20% and reduces overall CPU consumption.

Vulnerability details: A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in VMware's vmxnet3 Ethernet NIC driver in the Linux kernel. This issue could allow a local attacker to crash the system due to a double free while cleaning up in vmxnet3_rq_cleanup_all, and could also lead to a kernel information leak.

Mitigation: Until the fix is available, skip loading the affected module "vmxnet3" by blacklisting it, which ensures the driver is not loaded at boot time (for example a file under /etc/modprobe.d/ containing `blacklist vmxnet3`; adding `install vmxnet3 /bin/false` also stops later explicit or dependency loads, which a bare blacklist line does not). Check first what the mitigation costs you: on a guest whose only network adapter is a VMXNET3 device, blacklisting the driver removes the guest's network connectivity, so either switch the virtual NIC type in the VM configuration or accept the outage until the patched kernel is installed.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-4387

CVE-2023-28198 – Similar to previous web browser engine design flaws. A confusing similarity! (15th Aug 2023)

Preface: The official description attributes this design flaw (CVE-2023-28198) to WebKit and gives no other details. Interested in taking a closer look? Don't worry: the CVE was reserved in March 2023 and was only published on August 15, 2023. I believe Apple has handled it successfully.

Background: WebKit, the engine, is split into different components that encapsulate its different parts.

It contains the core features of the engine (rendering, layout, platform access, HTML and DOM support, the graphics layer, etc). However, some of these ultimately depend heavily on the OS and underlying software platform in order to function. For example: how do we actually do any I/O on different platforms? How do we render onscreen? What’s the underlying multimedia platform and how does it decode media and play it?

Vulnerability details: The vulnerability allows a remote attacker to compromise a vulnerable system. It exists due to a use-after-free error in WebKit. A remote attacker can trick the victim into opening a specially crafted website, trigger the use-after-free and execute arbitrary code on the system.

Available for: macOS Ventura

Impact: Processing web content may lead to arbitrary code execution

Official announcement: For details, please refer to the link – https://support.apple.com/en-us/HT213670

CVE-2023-20564 – One Step closer to observe – AMD Ryzen™ Master design weakness (14th Aug 2023)

Preface: A system call is the way a program interacts with the operating system: a program makes a system call when it requests a service from the operating system's kernel. The operating system exposes these services to user programs through an Application Programming Interface (API).

The ioctl() system call manipulates the underlying device parameters of special files.

Background: The AMD Ryzen™ Master Monitoring SDK is a public distribution that allows software developers to add processor and memory functions to their own utility in conjunction with AMD Ryzen™ and AMD Ryzen™ Threadripper™ processor products.

All AMD Ryzen CPUs are overclock-ready, so on a Ryzen system you can skip checking whether the processor supports overclocking. You do still need to check whether your motherboard supports it. AMD supplies its own overclocking utility, Ryzen Master.

Vulnerability details: Insufficient validation of the IOCTL (Input/Output Control) input buffer in AMD Ryzen™ Master may permit a privileged attacker to perform memory reads and writes, potentially leading to a loss of confidentiality or arbitrary kernel code execution.

Official announcement: For details, please refer to below links

(Amazon Linux Security Center) – https://explore.alas.aws.amazon.com/CVE-2023-20564.html

(AMD Security Bulletin) – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7004.html

Learn more about CVE-2023-33953 (13th Aug 2023)

Background: gRPC is a powerful open source RPC (Remote Procedure Call) framework for building scalable and fast APIs. It allows client and server applications to communicate transparently and develop connected systems. Many leading tech companies have adopted gRPC.

Vulnerability details:

Three vectors were found that allow the following DoS attacks:

  • Unbounded memory buffering in the HPACK parser
  • Unbounded CPU consumption in the HPACK parser

The unbounded CPU consumption comes down to a copy that occurred per input block in the parser; because the amount copied could itself be unbounded (due to the memory buffering bugs below), the result is an O(n^2) parsing loop, with n selected by the client.

The unbounded memory buffering bugs:

  • The header size limit check sat behind the string-reading code, so the parser first had to buffer up to a 4 GB string before rejecting it as longer than the 8 KB or 16 KB limit.
  • HPACK varints have an encoding quirk whereby an unlimited number of leading (high-order) zero groups can be added to an integer without changing its value: each is a 0x80 byte, a zero 7-bit group with the continuation bit set, placed before the final byte. gRPC's HPACK parser read all of them before concluding a parse.
  • gRPC's metadata overflow check was performed per frame, so the following sequence of frames could cause unbounded buffering: HEADERS containing a: 1, CONTINUATION containing a: 2, CONTINUATION containing a: 3, and so on.
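The three bugs above are all about where a limit is checked. The following added example (written for this page, not gRPC's code or its fix) implements the relevant pieces of an HPACK reader the way the fixes require: an integer decoder that gives up after a bounded number of continuation bytes, a string reader that checks the declared length before buffering anything, and a header-block assembler whose limit is cumulative across CONTINUATION frames. The limits are this example's choices, the 1337 test vector is the one from RFC 7541 Appendix C.1.2, and the frame sequence in `continuation_demo` is constructed.

```python
# Limits used by this example (gRPC's own values are in its advisory).
MAX_INT_CONTINUATION_BYTES = 10   # 10 * 7 bits covers any 64-bit value
MAX_HEADER_BLOCK_BYTES = 16384


def decode_hpack_int(data, pos, prefix_bits, max_cont=MAX_INT_CONTINUATION_BYTES):
    """RFC 7541 section 5.1 integer with an N-bit prefix; returns (value, next_pos).

    Continuation bytes carry 7 bits each, low-order group first, MSB set
    while more follow. A 0x80 byte is a zero group with "more follows", so
    any number of them can be inserted before the final byte without
    changing the value; this decoder stops after max_cont of them.
    """
    mask = (1 << prefix_bits) - 1
    value = data[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    for _ in range(max_cont):
        if pos >= len(data):
            raise ValueError("truncated integer")
        b = data[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos
    raise ValueError("integer has too many continuation bytes")


def encode_hpack_int(value, prefix_bits, pad_zero_groups=0):
    """Encoder for the demo; pad_zero_groups inserts redundant 0x80 bytes."""
    mask = (1 << prefix_bits) - 1
    if value < mask:
        return bytes([value])
    value -= mask
    groups = []
    while value >= 128:
        groups.append(value & 0x7F)
        value >>= 7
    groups.append(value)
    groups.extend([0] * pad_zero_groups)
    out = bytearray([mask])
    out.extend(g | 0x80 for g in groups[:-1])
    out.append(groups[-1])
    return bytes(out)


def decode_hpack_string(data, pos, max_len=MAX_HEADER_BLOCK_BYTES):
    """String literal (section 5.2): the declared length is checked before a
    single byte of the string is buffered."""
    huffman = bool(data[pos] & 0x80)
    length, pos = decode_hpack_int(data, pos, 7)
    if length > max_len:
        raise ValueError(f"string length {length} exceeds limit {max_len}")
    if pos + length > len(data):
        raise ValueError("truncated string")
    if huffman:
        raise ValueError("Huffman-coded strings are not handled by this example")
    return bytes(data[pos:pos + length]), pos + length


class HeaderBlockAssembler:
    """Accumulates HEADERS + CONTINUATION payloads with a cumulative limit."""

    def __init__(self, max_block_size=MAX_HEADER_BLOCK_BYTES):
        self.max_block_size = max_block_size
        self.buf = bytearray()

    def add_fragment(self, fragment):
        if len(self.buf) + len(fragment) > self.max_block_size:
            raise ValueError("header block exceeds limit across CONTINUATION frames")
        self.buf.extend(fragment)
        return len(self.buf)


def continuation_demo(limit=MAX_HEADER_BLOCK_BYTES, frame_size=1000, frames=64):
    """Constructed stream of 64 one-kilobyte fragments: a per-frame check passes
    every one of them, the cumulative check refuses the 17th."""
    fragments = [bytes([0x61]) * frame_size] * frames
    per_frame_accepts = all(len(f) <= limit for f in fragments)   # the bug pattern
    assembler = HeaderBlockAssembler(limit)
    rejected_at = None
    for i, fragment in enumerate(fragments, start=1):
        try:
            assembler.add_fragment(fragment)
        except ValueError:
            rejected_at = i
            break
    return {
        "per_frame_accepts": per_frame_accepts,
        "bytes_buffered_if_per_frame": frame_size * frames,
        "cumulative_rejects_at_frame": rejected_at,
    }
```

The common thread is that every limit is enforced on the attacker-controlled number (declared length, count of continuation bytes, running total) before the parser does work proportional to it; a check placed after the work is a check the attacker gets to pay for with your memory and CPU.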

Red Hat official announcement: OpenShift uses the gRPC library in its Kuryr component. In OpenShift, Kuryr is not configured to run the code paths that use the gRPC library, so the impact for OpenShift is rated moderate. For details, please refer to the link – https://access.redhat.com/security/cve/cve-2023-33953