All posts by admin

CVE-2023-20569 – AMD mitigates the Zen3 and Zen4 CPU return address prediction design weakness. (10th Aug 2023)

Preface: To be or not to be, AMD is not aware of any exploit of “CVE-2023-20569” outside of the research environment at this time.

Background: Two phenomena enable an unprivileged attacker to leak arbitrary information on AMD Zen3 and Zen4 CPU products.

  • Phantom speculation – a misprediction is triggered without any branch at the source of the misprediction.
  • Training in Transient Execution – a previous misprediction that the attacker triggers can potentially manipulate future mispredictions.

Vulnerability details: A side channel vulnerability in some AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled instruction pointer register, potentially leading to information disclosure. Inception (CVE-2023-20569) is a novel transient execution attack that leaks arbitrary data on all AMD Zen CPUs in the presence of all previously deployed software and hardware mitigations.

Furthermore, AMD has disclosed a security issue affecting AMD CPUs that may allow malicious code in a guest VM to infer the contents of memory belonging to other processes running on the same CPU core. Although this is not an issue in the Citrix Hypervisor product itself, AMD has included product changes and updated microcode to mitigate this CPU hardware issue.

Remark: Citrix XenServer is an open source server virtualization platform based on the Xen hypervisor.

Official announcement: Citrix Hypervisor Security Bulletin for CVE-2023-20569. For details, please refer to the link – https://support.citrix.com/article/CTX569353/citrix-hypervisor-security-bulletin-for-cve202320569-cve202334319-and-cve202240982

A closer look at CVE-2023-21287 (10th Aug 2023)

Preface: The Android security bulletin published on 7th Aug 2023 lists CVE-2023-21287, which may lead to remote code execution.
Officials did not disclose specific details, but what is the design weakness?

Background: The Android security update is available for all Android versions that still receive regular updates (Android 11, 12, and 13). Android 10 reached end of life in March 2023, so devices running Android 10 or below no longer receive security updates.
FreeType is a freely available software library to render fonts.
It is written in C, designed to be small, efficient, highly customizable, and portable while capable of producing high-quality output (glyph images) of most vector and bitmap font formats.
Some products that use FreeType for rendering fonts on screen or on paper, either exclusively or partially:

  • GNU/Linux and other free Unix operating system derivatives like FreeBSD or NetBSD;
  • Platforms for smart devices, including Android, Tizen, and Roku;
  • iOS, Apple’s mobile operating system for iPhones and iPads;

Vulnerability details: A vulnerability in Framework that could allow for remote code execution.

Official announcement: For detail, please refer to the link – https://android.googlesource.com/platform/external/freetype/+/a79e80a25874dacaa266906a9048f13d4bac41c6

CVE-2023-35385: is it the successor of a former vulnerability? (9th Aug 2023)

Preface: A message can be considered a packet of data conforming to a specific protocol that contains information in well-defined fields.

Background: MSMQ (Microsoft Message Queuing) provides a distributed and decoupled way of sending and receiving messages between applications. MSMQ acts as a queue manager that lets applications stay isolated and keep working even if other applications they interact with are down or unavailable.

The Code Block Component is used to extend the functionality of the XML comments <code> tag.

It provides syntax highlighting of code blocks in <code> tags. Languages supported include C#, VB[.]NET, JScript[.]NET, C++, J#, C, JavaScript, VBScript, XAML, XML, HTML, SQL script, Python, PowerShell script, and batch file script.

Vulnerability details: A remote unauthenticated attacker can exploit this vulnerability by sending malicious MSMQ packets to a vulnerable MSMQ server leading to arbitrary code execution. However, in order to exploit this flaw, the Message Queuing service needs to be enabled on the vulnerable server. Microsoft says if the service is enabled, it runs under the service name “Message Queuing” and is listening on TCP port 1801.

Messages can have no more than 4 MB of data. This restriction is due to the memory mapped files used by Message Queuing to store the message data. These memory-mapped files are stored in the MSMQ\Storage folder on the computer where the queue resides.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-35385

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-35385

About CVE-2023-36054 – design weakness causes Kerberos administration daemon (kadmind) crash! (8th Aug 2023)

Preface: Kerberos runs as a third-party trusted server known as the Key Distribution Center (KDC). Each user and service on the network is a principal. The KDC has three main components: An authentication server that performs the initial authentication and issues ticket-granting tickets for users.

Background: Kerberos implementations also exist for other operating systems such as Apple OS, FreeBSD, UNIX, and Linux.

Ref: The patch adds Privileged Attribute Certificate (PAC) signatures to the Kerberos PAC buffer. A PAC is an extension to a Kerberos ticket that contains information about a user’s privileges.

What changes in Kerberos in October 2023?

October 10, 2023 – Full Enforcement phase

Removes support for the registry subkey KrbtgtFullPacSignature. Removes support for Audit mode. All service tickets without the new PAC signatures will be denied authentication.

Vulnerability details: lib/kadm5/kadm_rpc_xdr[.]c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.
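The count mismatch described above, illustrated with an added, simplified C decoder that is not krb5's own code: the constructed wire format carries a scalar n_key_data and a separately encoded array length, and the decoder rejects a record whose two counts disagree before anything is allocated, so the cleanup path only ever frees zeroed slots (struct names, layout and sample records are assumptions for illustration).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct key_data { uint32_t len; uint8_t *contents; };
struct princ_ent { uint32_t n_key_data; struct key_data *key_data; };
/* Big-endian u32 reader that fails instead of running past the buffer. */
static int rd_u32(const uint8_t **p, const uint8_t *end, uint32_t *v) {
    if (end - *p < 4) return -1;
    *v = (uint32_t)(*p)[0] << 24 | (*p)[1] << 16 | (*p)[2] << 8 | (*p)[3];
    *p += 4; return 0;
}
/* Safe because decode keeps n_key_data equal to the zeroed allocation, so a
   partially filled record frees NULL slots, never uninitialized pointers. */
void princ_ent_free(struct princ_ent *e) {
    for (uint32_t i = 0; e->key_data && i < e->n_key_data; i++)
        free(e->key_data[i].contents);
    free(e->key_data); memset(e, 0, sizeof *e);
}
/* Constructed wire layout: u32 n_key_data, u32 array_count, then array_count
   entries of (u32 len, len bytes). Returns 0 on success, -1 on bad input. */
int princ_ent_decode(const uint8_t *buf, size_t len, struct princ_ent *out) {
    const uint8_t *p = buf, *end = buf + len;
    uint32_t n, count, klen;
    memset(out, 0, sizeof *out);
    if (rd_u32(&p, end, &n) || rd_u32(&p, end, &count)) return -1;
    /* The check the vulnerable decoder lacked: the scalar count must match the
       array length, and both must fit the bytes present, before allocating. */
    if (n != count || count > (uint32_t)((end - p) / 4)) return -1;
    if (!(out->key_data = calloc(count + 1, sizeof *out->key_data))) return -1;
    out->n_key_data = count;
    for (uint32_t i = 0; i < count; i++) {
        if (rd_u32(&p, end, &klen) || klen > (uint32_t)(end - p)) goto bad;
        if (!(out->key_data[i].contents = malloc(klen + 1))) goto bad;
        memcpy(out->key_data[i].contents, p, klen);
        out->key_data[i].len = klen; p += klen;
    }
    return 0;
bad:
    princ_ent_free(out); return -1;
}
/* Constructed records: "a" and "bc" with agreeing counts, then the same bytes
   with n_key_data claiming a third entry that was never sent. */
const uint8_t good_msg[] = {0,0,0,2, 0,0,0,2, 0,0,0,1,'a', 0,0,0,2,'b','c'};
const uint8_t bad_msg[]  = {0,0,0,3, 0,0,0,2, 0,0,0,1,'a', 0,0,0,2,'b','c'};
/* Decodes, releases, and returns the entry count, or -1 if rejected. */
int decode_count(const uint8_t *buf, size_t len) {
    struct princ_ent e;
    if (princ_ent_decode(buf, len, &e)) return -1;
    int n = (int)e.n_key_data; princ_ent_free(&e); return n;
}
```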

Official announcement: For details, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2023-36054

About CVE-2023-33170 – allowing an attacker to try more passwords in a dotNET application (updated 7th Aug 2023)

Preface: [.]NET 5 and [.]NET 6 are supported on multiple operating systems, including Windows, Linux, Android, iOS/tvOS, and macOS. The only difference is that [.]NET 6 is further supported on Windows Arm64 and macOS Apple Silicon while .

Background: ASP[.]NET Core 6 is built on top of the [.]NET Core runtime and allows you to build and run applications on Windows, Linux, and macOS. ASP[.]NET Core 6 combines the features of Web API and MVC.

On Red Hat Enterprise Linux (RHEL) 8 and later, .NET 6 is available for the IBM Z and LinuxONE (s390x) architectures, along with AMD and Intel (x86_64) and ARM (aarch64). IBM Z and LinuxONE are fully enabled throughout all .NET core components with the Mono runtime available (currently no CoreCLR support).

Vulnerability details: A vulnerability was found in dotNET applications where account lockout maximum failed attempts may not be immediately updated, allowing an attacker to try more passwords and bypass security restrictions. This flaw allows a remote attacker to bypass security features, causing an impact on confidentiality, integrity, and availability.

CVE-2023-33170 – Security Feature Bypass – Race Condition in ASP.NET Core SignInManager PasswordSignInAsync Method.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-33170

RHSA-2023:4466 – Security Advisory: Red Hat remedy fixes the CVE-2022-40899 matter. (3rd Aug 2023)

Preface: future 0.18.2 – Easy, safe support for Python 2/3 compatibility. “future” is the missing compatibility layer between Python 2 and Python 3. It allows you to use a single, clean Python 3.x-compatible codebase to support both Python 2 and Python 3 with minimal overhead.

Background: Red Hat Satellite 6 is the evolution of Red Hat’s life cycle management platform. It provides the capabilities that administrators have come to expect in a tool focused on managing systems and content for a global enterprise.

Red Hat Satellite 6 is based upon several open source projects.

  • future is the missing compatibility layer between Python 2 and Python 3. It allows you to use a single, clean Python 3.x-compatible codebase to support both Python 2 and Python 3 with minimal overhead.
  • Foreman contains rubygem-safemode.

Vulnerability details:

  • An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via a crafted Set-Cookie header from a malicious web server (CVE-2022-40899).
  • foreman: Arbitrary code execution through templates. (CVE-2023-0118)

Ref: To send cookies to the server in the request header, you need to add the “Cookie: name=value” HTTP header to the request. To send multiple cookies in one Cookie header, you must separate them with semicolons. Servers store cookies in the client browser by returning “Set-Cookie: name=value” HTTP headers in the response.

Official details: Please refer to the link – https://access.redhat.com/errata/RHSA-2023:4466

CVE-2023-37464: Misconfigured Javascript Object Signing and Encryption [JOSE]. (2nd Aug 2023)

Preface: Encryption uses a key to ensure the ciphertext cannot be deciphered by anyone but the authorized recipient. Signing of data works to authenticate the sender of the data and tends to implement a form of encryption in its process.

Background: JSON Object Signing and Encryption (JOSE) is the set of software technologies standardized by the IETF to represent encrypted and/or signed content as JSON data. The technologies include JSON Web Signatures (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), and JSON Web Algorithms (JWA).

Vulnerability details: OpenIDC/cjose is a C library implementing Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the Authentication Tag actually provided in the JWE. The specification says that a fixed length of 16 octets must be applied. This bug therefore allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly.

Remediation: Users should upgrade to version 0.6.2.2 or later.

Official announcement: For details, please refer to the link – https://access.redhat.com/errata/RHSA-2023:4410
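As an added example (not cjose's code), a C check that splits the compact JWE serialization and accepts the Authentication Tag only when it base64url-decodes to exactly the 16 octets the JWE spec fixes for AES-GCM, so a truncated tag is refused before it reaches any decryption routine; the sample serializations below are constructed placeholders.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GCM_TAG_LEN 16  /* RFC 7518: the AES-GCM Authentication Tag is 128 bits */

/* Decodes unpadded base64url into out (cap bytes); returns length or -1. */
static int b64url_decode(const char *s, size_t n, uint8_t *out, size_t cap) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    uint32_t acc = 0; int bits = 0; size_t olen = 0;
    if (n % 4 == 1) return -1;  /* no base64 string has this length */
    for (size_t i = 0; i < n; i++) {
        const char *q = s[i] ? strchr(tbl, s[i]) : NULL;
        if (!q) return -1;
        acc = acc << 6 | (uint32_t)(q - tbl); bits += 6;
        if (bits >= 8) {
            if (olen == cap) return -1;
            bits -= 8; out[olen++] = (uint8_t)(acc >> bits);
        }
    }
    return (int)olen;
}

/* Splits a compact JWE (header.key.iv.ciphertext.tag) and returns the decoded
   tag length only when it is the full 16 octets; anything else yields -1, so
   the caller never hands a shorter tag to the AES-GCM routine. */
int jwe_gcm_tag_ok(const char *jwe) {
    const char *parts[5]; size_t lens[5]; int k = 0;
    for (const char *p = jwe;;) {
        const char *dot = strchr(p, '.');
        if (k == 5) return -1;           /* too many segments */
        parts[k] = p; lens[k++] = dot ? (size_t)(dot - p) : strlen(p);
        if (!dot) break;
        p = dot + 1;
    }
    if (k != 5) return -1;               /* too few segments */
    uint8_t tag[GCM_TAG_LEN + 1];        /* spare byte catches over-long tags */
    int tlen = b64url_decode(parts[4], lens[4], tag, sizeof tag);
    return tlen == GCM_TAG_LEN ? tlen : -1;
}

/* Constructed serializations (placeholder header/iv/ciphertext, empty key
   segment as with "dir"): a full 16-byte tag, and one truncated to 8 bytes. */
const char *jwe_full_tag  = "aGRy..aXY.Y3Q.AAAAAAAAAAAAAAAAAAAAAA";
const char *jwe_short_tag = "aGRy..aXY.Y3Q.AAAAAAAAAAA";
```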

CVE-2023-20583 is low risk. But what is a software-based power side channel on an AMD CPU? (2nd Aug 2023)

Preface: AMD explains this design flaw. Do you have any queries?

Background: Ryzen is a family of multi-core x86-64 microprocessors. AMD made its own extension of the x86 instruction set. In some AMD processors using frequency scaling.

CPU Frequency Scaling is a feature that enables the operating system to scale the CPU frequency up or down to save power. Depending on the system load, the CPU frequency can be scaled automatically in response to ACPI events. It can also be done manually by using some programs.

Vulnerability details: A potential power side-channel vulnerability in AMD processors may allow an authenticated attacker to monitor the CPU power consumption as the data in a cache line changes over time, potentially resulting in a leak of sensitive information.

Ref: Hertzbleed is a hardware security attack which describes exploiting dynamic frequency scaling to reveal secret data. The attack is a kind of timing attack, bearing similarity to previous power analysis vulnerabilities. Hertzbleed is more dangerous than power analysis, as it can be exploited by a remote attacker.

Official announcement: For details, please refer to the link – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7006.html

About CVE-2023-31116: Design weakness of Samsung Exynos Modem 5123 and 5300 (1st Aug 2023)

Preface: RCS enables more dynamic and secure conversations than SMS and MMS. It allows users to share high-resolution photos and videos up to 100MB in size.

Background: About one year ago, Google’s next-generation flagship Pixel 7 series appeared in the Android 13 developer preview, using Samsung’s baseband chip, model g5300b.

RCS is the successor to the old SMS standard, and Google has been pushing this feature hard over the past few years. Now, at Google I/O, the company confirmed that over 800 million people now have RCS on their phones.

To check if a user’s device is RCS-enabled and capable of communicating with an RBM agent, you can request the device’s capabilities. Identifying which features a device supports, if any at all, allows your agent to tailor the conversation to the device’s capabilities and avoid presenting interactions that are difficult or impossible for the user to complete.

Vulnerability details: An issue was discovered in the Shannon RCS component in Samsung Exynos Modem 5123 and 5300. An incorrect default permission can cause unintended querying of RCS capability via a crafted application.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-31116

Important: CVE-2023-24540 burdens the OpenShift API for Data Protection (OADP), resulting in a security vulnerability (31st Jul 2023)

Preface: Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set “\t\n\f\r\u0020\u2028\u2029” in JavaScript contexts that also contain actions may not be properly sanitized during execution (CVE-2023-24540)

Background: OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.

OADP backs up Kubernetes/OpenShift objects and internal images by saving them as an archive file on object storage. OADP backs up persistent volumes (PVs) by creating snapshots. You can restore all objects in a backup or filter the restored objects by namespace, PV, or label. You can schedule backups at specified intervals.

The default OADP plugins enable Velero, a tool that’s used to integrate with certain cloud providers and to back up and restore OpenShift Container Platform resources.

Security Fix(es) from Bugzilla:

  • golang: html/template: improper handling of JavaScript whitespace (CVE-2023-24540)

Affected Products

  • OpenShift API for Data Protection 1 x86_64

Fixes

  • BZ – 2196027 – CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace
  • OADP-1504 – oadp-1.0: Restoring pod using image from openshift build randomly ImagePullBackoff