Background: Edge was initially built with Microsoft’s own proprietary browser engine, EdgeHTML, and their Chakra JavaScript engine. In late 2018, it was announced that Edge would be completely rebuilt as a Chromium-based browser with Blink and V8 engines.
Chrome used only WebCore, and included its own JavaScript engine named V8 and a multiprocess system. Chrome for iOS continues to use WebKit because Apple requires that web browsers on that platform must do so.
Remark: Edge was originally based on Chakra but has more recently been rebuilt using Chromium and the V8 engine. V8 is written in C++, and it’s continuously improved.
Vulnerability details: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability.
Preface: A UUID is a 128-bit identifier that is intended to be unique across the world. Bluetooth sends data over the air, so any nearby device can receive it.
Background: Android “O” was officially released on August 21, 2017 under the name “Oreo”. The BluetoothHidDevice framework adds the SDP record during app registration, so that the Android device can be discovered as a Bluetooth HID Device. The related source file of that module, “sdp_db[.]cc”, appeared during this period, and the Bluetooth module, including sdp_db[.]cc, has been carried forward to the present in the Android Open Source Project (AOSP).
Vulnerability details: In SDP_AddAttribute of sdp_db[.]cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Severity – Critical
Type – RCE
Updated AOSP versions – 11, 12, 12L, 13
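To make the class of defect named above concrete, here is an added illustration in C. It is not code from AOSP's sdp_db[.]cc and not a reconstruction of the actual bug: the record layout, the pool size, the function names and the scenarios are all constructed for this example. It places a hypothetical length check that only compares the new value against the whole pool (ignoring the bytes already stored) beside the check that accounts for the remaining space, and measures how many bytes the weak check would let land past the end of the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed for this example: a small fixed pool holding the attribute
 * values of one record, so the arithmetic is easy to follow. */
#define SDP_POOL_SIZE 64

typedef struct {
    uint8_t pool[SDP_POOL_SIZE]; /* attribute values packed back to back */
    size_t  used;                /* bytes already occupied */
    int     attr_count;
} sdp_record_t;

/* Hypothetical weak check: compares the new value against the whole pool and
 * ignores what is already stored, so the copy may start with less room than
 * it needs. Returns 1 if the length would be accepted. */
int sdp_weak_check_accepts(size_t used, size_t len)
{
    (void)used;
    return len <= SDP_POOL_SIZE;
}

/* Correct check: the value has to fit in the space that remains. */
int sdp_strict_check_accepts(size_t used, size_t len)
{
    return used <= SDP_POOL_SIZE && len <= SDP_POOL_SIZE - used;
}

/* Bytes the weak check would let land past the end of the pool (0 if none). */
long sdp_weak_overrun_bytes(size_t used, size_t len)
{
    if (!sdp_weak_check_accepts(used, len) || used + len <= SDP_POOL_SIZE) return 0;
    return (long)(used + len - SDP_POOL_SIZE);
}

/* Append one attribute value; the strict check runs before the memcpy. */
int sdp_add_attribute(sdp_record_t *rec, uint16_t attr_id, const uint8_t *val, size_t len)
{
    (void)attr_id; /* this reduced record keeps only the values */
    if (!sdp_strict_check_accepts(rec->used, len)) return 0;
    memcpy(rec->pool + rec->used, val, len);
    rec->used += len;
    rec->attr_count++;
    return 1;
}

/* Scenario: pre-fill 'prefill' bytes, then add a 'len'-byte value.
 * Returns the bytes used afterwards, or -1 if the add was rejected. */
long sdp_scenario_add(size_t prefill, size_t len)
{
    sdp_record_t rec;
    uint8_t data[2 * SDP_POOL_SIZE]; /* larger than the pool on purpose */
    memset(&rec, 0, sizeof rec);
    memset(data, 0xAB, sizeof data);
    if (prefill > sizeof data || len > sizeof data) return -1;
    if (!sdp_add_attribute(&rec, 0x0001, data, prefill)) return -1;
    if (!sdp_add_attribute(&rec, 0x0002, data, len)) return -1;
    return (long)rec.used;
}

int main(void)
{
    printf("48 used + 32 more: weak accepts=%d strict accepts=%d overrun=%ld\n",
           sdp_weak_check_accepts(48, 32), sdp_strict_check_accepts(48, 32),
           sdp_weak_overrun_bytes(48, 32));
    printf("scenario(48, 32) -> %ld, scenario(48, 16) -> %ld\n",
           sdp_scenario_add(48, 32), sdp_scenario_add(48, 16));
    return 0;
}
```

The point to take from the two checks is that a bound must be computed against the space left at the current write position, not against the capacity of the whole buffer; the strict check is also the one that makes a fuzzer or a unit test with a nearly full record fail loudly instead of silently corrupting memory.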
Official Announcement: For details, please refer to the link below:
Apache Airflow is an open-source tool to programmatically author, schedule, and monitor workflows. It is one of the most robust platforms used by Data Engineers for orchestrating workflows or pipelines. You can easily visualize your data pipelines’ dependencies, progress, logs, code, trigger tasks, and success status.
What is the difference between extras and providers in Airflow?
Extras are a standard Python setuptools feature that allows an additional set of dependencies to be added as optional features to “core” Apache Airflow. One type of such optional feature is provider packages, but not all optional features of Apache Airflow have corresponding providers.
Providers can contain operators, hooks, sensors, and transfer operators to communicate with a multitude of external systems, but they can also extend the Airflow core with new capabilities. You can install those provider packages separately in order to interface with a given service.
What is deployment Mode in Apache Spark?
Client mode – Because the behaviour depends on the driver component, the job runs on the machine from which it is submitted; this is client mode.
Cluster mode – Here the driver component of the Spark job does not run on the local machine from which the job is submitted; this is cluster mode.
Vulnerability Details: Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection giving an opportunity to read files on the Airflow server. It is recommended to upgrade to a version that is not affected.
Affected versions: Apache Airflow Spark Provider before 4.1.3
Background: VMware VMXNET3 is a para-virtual (hypervisor-aware) network driver. It was designed and developed to address the networking complexities of a virtualized infrastructure. A para-virtual driver is a high-performance driver that significantly reduces the overhead caused by the emulation of the corresponding physical device. VMXNET3 is aware of the hypervisor and does not require an emulation layer, thereby enhancing performance by almost 20% and reducing overall CPU consumption.
Vulnerability details: A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv[.]c in VMware’s vmxnet3 Ethernet NIC driver in the Linux kernel. This issue could allow a local attacker to crash the system due to a double free while cleaning up in vmxnet3_rq_cleanup_all, which could also lead to a kernel information leak.
Mitigation: The mitigation for this issue is to skip loading the affected module “vmxnet3” onto the system until the fix is available; this can be done through the module blacklist mechanism, which ensures the driver is not loaded at boot time.
Preface: The official description of this design flaw (CVE-2023-28198) says only that it is in WebKit, with no other details. Are you interested in taking a closer look? But don’t worry: this CVE was marked reserved in March 2023 and was published on August 15, 2023. I believe Apple has successfully handled it.
Background: WebKit, the engine, is split into different components that encapsulate its different parts.
It contains the core features of the engine (rendering, layout, platform access, HTML and DOM support, the graphics layer, etc). However, some of these ultimately depend heavily on the OS and underlying software platform in order to function. For example: how do we actually do any I/O on different platforms? How do we render onscreen? What’s the underlying multimedia platform and how does it decode media and play it?
Vulnerability details: The vulnerability allows a remote attacker to compromise a vulnerable system. The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can trick the victim into opening a specially crafted website, trigger the use-after-free error and execute arbitrary code on the system. Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Available for: macOS Ventura
Impact: Processing web content may lead to arbitrary code execution
Preface: A system call is a way for programs to interact with the operating system. A computer program makes a system call when it makes a request to the operating system’s kernel. System calls provide the services of the operating system to user programs via an Application Program Interface (API).
The ioctl() system call manipulates the underlying device parameters of special files.
Background: The AMD Ryzen™ Master Monitoring SDK is a public distribution that allows software developers to add processor and memory functions to their own utility in conjunction with AMD Ryzen™ and AMD Ryzen™ Threadripper™ processor products.
All AMD Ryzen CPUs are overclock-ready so you can skip checking if your processor supports overclocking if you have a Ryzen laptop. However, you do still need to check if your motherboard supports overclocking. Ryzen supplies its own overclocking utility called Ryzen Master.
Vulnerability details: Insufficient validation of the IOCTL (Input Output Control) input buffer in AMD Ryzen™ Master may permit a privileged attacker to perform memory reads and writes, potentially leading to a loss of confidentiality or arbitrary kernel execution.
Official announcement: For details, please refer to the links below
Background: gRPC is a powerful open source RPC (Remote Procedure Call) framework for building scalable and fast APIs. It allows client and server applications to communicate transparently and develop connected systems. Many leading tech companies have adopted gRPC.
Vulnerability details:
Three vectors were found that allow the following DOS attacks:
– Unbounded memory buffering in the HPACK parser
– Unbounded CPU consumption in the HPACK parser
The unbounded CPU consumption is down to a copy that occurred per input block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.
The unbounded memory buffering bugs:
– The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16 KB.
– HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse.
– gRPC’s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering:
HEADERS: containing a: 1
CONTINUATION: containing a: 2
CONTINUATION: containing a: 3
etc…
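The three buffering bugs above all come down to where a limit is checked relative to where the work is done. As an added example in C (not gRPC's parser, and not its actual fix), here is a bounded HPACK integer decoder in the RFC 7541 encoding together with the two checks that close the other paths: the declared string length is compared against the limit before any string bytes are copied, and the metadata budget is kept per stream so that a HEADERS frame and its CONTINUATION frames share one cap. The limits, names and sample byte sequences are constructed for the illustration; the 1337 encoding is the one from RFC 7541 Appendix C.1.2.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative limits, constructed for this example (not gRPC's values). */
#define HP_MAX_INT_CONTINUATIONS 5u  /* 5 x 7 bits already covers 32 bits */
#define HP_MAX_STRING_LEN 16384u     /* applied to the declared length */
#define HP_MAX_METADATA_BYTES 16384u /* cumulative over HEADERS + CONTINUATION */

enum hp_status {
    HP_ERR_TRUNCATED = -1, /* input ended inside an integer */
    HP_ERR_TOO_LONG  = -2, /* a configured limit was exceeded */
    HP_ERR_OVERFLOW  = -3  /* integer does not fit in 32 bits */
};

/* Decode an HPACK integer (RFC 7541 section 5.1): the first byte keeps its
 * low 'prefix_bits' bits; continuation bytes carry 7 bits each, least
 * significant group first, top bit set meaning "more follow".
 * Returns bytes consumed (> 0) or an hp_status (< 0). */
int hp_decode_int(const uint8_t *buf, size_t len, int prefix_bits, uint32_t *out)
{
    if (len == 0) return HP_ERR_TRUNCATED;
    uint32_t mask = (prefix_bits >= 8) ? 0xFFu : ((1u << prefix_bits) - 1u);
    uint64_t value = buf[0] & mask;
    if (value < mask) { *out = (uint32_t)value; return 1; }

    size_t i = 1;
    unsigned shift = 0, continuations = 0;
    for (;;) {
        if (i >= len) return HP_ERR_TRUNCATED;
        /* The encoding quirk: 0x80 bytes add nothing yet keep the loop going.
         * Capping their number bounds both the CPU spent and the bytes held. */
        if (continuations == HP_MAX_INT_CONTINUATIONS) return HP_ERR_TOO_LONG;
        uint8_t b = buf[i++];
        continuations++;
        value += (uint64_t)(b & 0x7Fu) << shift;
        if (value > UINT32_MAX) return HP_ERR_OVERFLOW;
        if (!(b & 0x80u)) break;
        shift += 7;
    }
    *out = (uint32_t)value;
    return (int)i;
}

/* Wrapper returning the decoded value (>= 0) or the hp_status (< 0). */
long long hp_decode_int_value(const uint8_t *buf, size_t len, int prefix_bits)
{
    uint32_t v = 0;
    int rc = hp_decode_int(buf, len, prefix_bits, &v);
    return rc < 0 ? rc : (long long)v;
}

/* String literal header (RFC 7541 section 5.2): one H bit, then the length
 * with a 7-bit prefix. The limit is checked on the declared length before a
 * single string byte is copied, so a 4 GB declaration is rejected for free.
 * Returns the accepted length (>= 0) or an hp_status (< 0). */
long long hp_string_length(const uint8_t *buf, size_t len)
{
    long long n = hp_decode_int_value(buf, len, 7);
    if (n < 0) return n;
    return n > (long long)HP_MAX_STRING_LEN ? HP_ERR_TOO_LONG : n;
}

/* One budget per stream for the HEADERS frame and every CONTINUATION frame
 * that follows it, instead of a fresh check for each frame. */
typedef struct { uint32_t metadata_bytes; } hp_stream;

int hp_stream_add_metadata(hp_stream *s, uint32_t n)
{
    if (n > HP_MAX_METADATA_BYTES - s->metadata_bytes) return HP_ERR_TOO_LONG;
    s->metadata_bytes += n;
    return 0;
}

/* Feed 'frames' frames carrying 'bytes_per_frame' header bytes each; returns
 * how many were accepted before the cumulative budget tripped. */
int hp_frames_accepted(uint32_t bytes_per_frame, int frames)
{
    hp_stream s = { 0 };
    int accepted = 0;
    for (int i = 0; i < frames; i++) {
        if (hp_stream_add_metadata(&s, bytes_per_frame) < 0) break;
        accepted++;
    }
    return accepted;
}

int main(void)
{
    /* Constructed inputs: 1337 with a 5-bit prefix, the same prefix followed
     * by zero-padding bytes, and a string header declaring 0xFFFFFFFF bytes. */
    const uint8_t rfc_1337[] = { 0x1F, 0x9A, 0x0A };
    const uint8_t padded[]   = { 0x1F, 0x80, 0x80, 0x80, 0x80, 0x80, 0x00 };
    const uint8_t huge_str[] = { 0x7F, 0x80, 0xFF, 0xFF, 0xFF, 0x0F };
    printf("1337 -> %lld, padded -> %lld, 4GB string -> %lld, frames ok -> %d\n",
           hp_decode_int_value(rfc_1337, sizeof rfc_1337, 5),
           hp_decode_int_value(padded, sizeof padded, 5),
           hp_string_length(huge_str, sizeof huge_str), hp_frames_accepted(1000, 100));
    return 0;
}
```

The continuation cap is what turns the "infinite leading zeros" quirk from unbounded work into a fixed-cost rejection, and checking the declared length before buffering means the memory cost of a hostile header is a handful of bytes rather than the size the client asks for.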
RedHat Official announcement: Openshift uses the gRPC lib with the Kuryr component. In Openshift, Kuryr is not configured to run the code using the gRPC lib. Hence, the impact for Openshift is set to moderate. For details, please refer to the link – https://access.redhat.com/security/cve/cve-2023-33953
Preface: To be or not to be, AMD is not aware of any exploit of “CVE-2023-20569” outside of the research environment at this moment.
Background: There are 2 phenomena that enable an unprivileged attacker to leak arbitrary information on AMD Zen3 and Zen4 CPU products.
Phantom speculation – Trigger misprediction without any branch at the source of the misprediction.
Training in Transient Execution – The ability to manipulate future mispredictions through a previous misprediction that the attacker triggers.
Vulnerability details: A side channel vulnerability in some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled instruction pointer register, potentially leading to information disclosure. Inception (CVE-2023-20569) is a novel transient execution attack that leaks arbitrary data on all AMD Zen CPUs in the presence of all previously deployed software- and hardware mitigations.
Furthermore, AMD has disclosed a security issue affecting AMD CPUs that may allow malicious code in a guest VM to infer the contents of memory belonging to other processes running on the same CPU core. Although this is not an issue in the Citrix Hypervisor product itself, AMD have included product changes and updated microcode to mitigate this CPU hardware issue.
Remark: Citrix XenServer is an open source server virtualization platform based on the Xen hypervisor.
Preface: According to the Android security bulletin published on 7th Aug 2023, CVE-2023-21287 may cause remote code execution. Officials did not disclose specific details. But what are the design weaknesses?
Background: The Android security update is available for all Android versions that still receive regular updates (Android 11, 12, and 13). Android 10 reached end of life in March 2023, so if you are using Android 10 or below, it no longer receives security updates. FreeType is a freely available software library to render fonts. It is written in C, designed to be small, efficient, highly customizable, and portable while capable of producing high-quality output (glyph images) of most vector and bitmap font formats. Some products that use FreeType for rendering fonts on screen or on paper, either exclusively or partially:
GNU/Linux and other free Unix operating system derivatives like FreeBSD or NetBSD;
Platforms for smart devices, including Android, Tizen, and Roku;
iOS, Apple’s mobile operating system for iPhones and iPads;
Vulnerability details: A vulnerability in the Framework component that could allow remote code execution.
Preface: A message can be considered a packet of data conforming to a specific protocol that contains information in well defined fields.
Background: MSMQ(Microsoft Message Queuing) provides a distributed and decoupled way of sending and receiving messages between applications. MSMQ acts as a queue manager that easily decides when applications should be isolated and work even if other applications they interact with are down or unavailable.
The Code Block Component is used to extend the functionality of the XML comments <code> tag.
Syntax highlighting of code blocks in <code> tags. Languages supported include C#, VB[.]NET, JScript[.]NET, C++, J#, C, JavaScript, VBScript, XAML, XML, HTML, SQL script, Python, PowerShell script, and batch file script.
Vulnerability details: A remote unauthenticated attacker can exploit this vulnerability by sending malicious MSMQ packets to a vulnerable MSMQ server leading to arbitrary code execution. However, in order to exploit this flaw, the Message Queuing service needs to be enabled on the vulnerable server. Microsoft says if the service is enabled, it runs under the service name “Message Queuing” and is listening on TCP port 1801.
Messages can have no more than 4 MB of data. This restriction is due to the memory mapped files used by Message Queuing to store the message data. These memory-mapped files are stored in the MSMQ\Storage folder on the computer where the queue resides.