All posts by admin

Alert raised by CVE-2022-3259 – NVD published date: 12/09/2022

Preface: Times have changed, and compared with three decades ago, concern about data security now looks important. The design goals of the HTTP protocol in the 90s focused on network connectivity, because computing technology at that time was very simple: there were no concepts of virtual machines or cloud computing. Today, man-in-the-middle attacks are easily mounted with network analysis tools, especially Wireshark, and with open-source application penetration testing tools, so plain HTTP looks even less secure. You may say that you work on an intranet, or that the data going through the network is not confidential. However, modern virtual machine and container architectures are also affected by the HTTP protocol.

Background: OpenShift Container Platform is a cloud-based Kubernetes container platform. Its foundation is Kubernetes, so it shares the same technology.
For system management and development, developers and admins manage the worker nodes and the pods in the cluster through the control plane. Nodes can be configured with machine config pools (MCPs); MCPs are groups of machines, such as control plane components or user workloads. In normal circumstances it is hard to avoid network connections that rely on the insecure practice of redirecting users from http:// to https:// URLs.
HTTP Strict Transport Security (HSTS) is a simple and widely supported standard to protect visitors by ensuring that their browsers always connect to a website over HTTPS. HSTS exists to remove the need for the common, insecure practice of redirecting users from http:// to https:// URLs.
The following are common scenarios where a man-in-the-middle attack occurs.

  • User bookmarks or manually types http://example.com and is subject to a man-in-the-middle attacker.
  • Web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP.
  • A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate.

Vulnerability details: Openshift 4.9 does not use HTTP Strict Transport Security (HSTS) which may allow man-in-the-middle (MITM) attacks.
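A defender-side check for the header this advisory is about, added here as an example (not code from OpenShift or the advisory): it parses a Strict-Transport-Security value and decides whether the policy is adequate. The one-year minimum max-age is this example's own threshold.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Threshold used by this check: a max-age of at least one year
 * (our own choice for a meaningful policy, not a value from the advisory). */
#define HSTS_MIN_MAX_AGE 31536000L

struct hsts_policy {
    long max_age;            /* -1 when the directive is missing or malformed */
    bool include_subdomains;
    bool preload;
};

/* Case-insensitive match of a directive name (tok, n bytes) against name. */
static bool name_is(const char *tok, size_t n, const char *name)
{
    if (strlen(name) != n) return false;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)name[i])) return false;
    return true;
}

/* Parse a value such as "max-age=31536000; includeSubDomains".
 * Directive names are case-insensitive (RFC 6797); unknown directives
 * are ignored. Returns false when max-age is absent or malformed. */
bool hsts_parse(const char *value, struct hsts_policy *out)
{
    out->max_age = -1;
    out->include_subdomains = false;
    out->preload = false;
    if (value == NULL) return false;              /* header not sent at all */
    const char *p = value;
    while (*p) {
        while (*p == ';' || isspace((unsigned char)*p)) p++;
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ';') p++;
        const char *end = p;
        while (end > start && isspace((unsigned char)end[-1])) end--;
        const char *eq = memchr(start, '=', (size_t)(end - start));
        size_t nlen = eq ? (size_t)(eq - start) : (size_t)(end - start);
        if (name_is(start, nlen, "max-age")) {
            if (!eq) return false;
            const char *v = eq + 1;
            if (v == end || !isdigit((unsigned char)*v)) return false;
            char *stop;
            long age = strtol(v, &stop, 10);
            if (stop != end || age < 0) return false; /* trailing junk */
            out->max_age = age;
        } else if (name_is(start, nlen, "includeSubDomains")) {
            out->include_subdomains = true;
        } else if (name_is(start, nlen, "preload")) {
            out->preload = true;
        }
    }
    return out->max_age >= 0;
}

/* True when the header establishes a policy this check considers adequate. */
bool hsts_policy_ok(const char *value)
{
    struct hsts_policy pol;
    return hsts_parse(value, &pol) && pol.max_age >= HSTS_MIN_MAX_AGE;
}
```

Note that max-age=0 is a valid header that tells the browser to forget the policy, so it is parsed but rejected.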

Official announcement: Please refer to the link for details: https://nvd.nist.gov/vuln/detail/CVE-2022-3259

CVE-2022-23471 containerd CRI stream server: Host memory exhaustion through Terminal resize goroutine leak (7th Dec 2022)

Preface: As of version 1.23, Kubernetes requires runtimes to be CRI compatible. It means that dockershim is now deprecated, and Docker Engine is no longer supported as a runtime. However, Kubernetes can still communicate with Docker via containerd, which can be CRI compliant with a plugin.

History:

  • In October 2014, Docker released its first version.
  • In July 2015, the first version of K8s was released, using Docker as the container runtime.
  • In December 2016, K8s introduced the CRI architecture in v1.5 and separated the logic for driving Docker into Dockershim.
    Dockershim is the CRI-compliant layer between the Kubelet and the Docker daemon.
  • In May 2022, K8s announced its separation from Dockershim.
    Remark: Kubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications.

“To not want a Buddhist monk after the ritual is finished” (to discard a helper once the job is done). Reality tells us that in the business world, this situation is not uncommon.

Background: The kubelet is the primary “node agent” that runs on each node. It can register the node with the apiserver using one of: the hostname; a flag to override the hostname; or specific logic for a cloud provider. The kubelet works in terms of a PodSpec. A PodSpec is a YAML or JSON object that describes a pod.
Cri-containerd is an implementation of CRI for containerd. It operates on the same node as the Kubelet and containerd. Layered between Kubernetes and containerd, cri-containerd handles all CRI service requests from the Kubelet and uses containerd to manage containers and container images.

Vulnerability details:
A bug was found in containerd’s CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested.
If the user’s process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak.
Ref: Kubernetes and crictl can both be configured to use containerd’s CRI implementation and the stream server is used for handling container IO.

Observation: The source file (httpstream.go) has a comment at line 127 saying that supportsTerminalResizing returns false because v1ProtocolHandler doesn’t support it. The remedy adds a “context”; in Go, a context is used to deliver exit (cancellation) notification and to pass metadata between goroutines.
Another hint provided by the software developers states the following: to avoid leaking this goroutine, exit if the HTTP request finishes. This path would generally be hit if starting the process fails and nothing is started to ingest these resize events.
I speculate that these are the additional details of this design weakness.

Resolution: This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.
Remark: containerd is a container runtime and Docker is a container engine.

Official announcement: Please refer to the links for details:
https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9
https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0

Xen Security Advisory (XSA-424): CVE-2022-42328 and CVE-2022-42329 – Guests can trigger deadlock in Linux netback driver (7th Dec 2022)

Preface: A Xen guest typically has access to one or more paravirtualised (PV) network interfaces. These PV interfaces enable fast and efficient network communications for domains without the overhead of emulating a real network device.

Background: XenServer installs directly on bare-metal hardware, without the restrictions, overhead and performance obstacles of a host operating system. Device drivers from the Linux kernel are used by XenServer. In terms of performance and production use, it is capable of running on a wide range of storage devices and hardware. Remark: drivers/net/xen-netback/netback.c is the back end of the driver for virtual network devices. This portion of the driver exports a ‘unified’ network-device interface that can be accessed by any operating system that implements a compatible front end.


Vulnerability details:
The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328).
Additionally, when dropping packets for other reasons, the same deadlock could occur if netpoll is active for the interface the xen-netback driver is connected to (CVE-2022-42329).

IMPACT – A malicious guest could cause Denial of Service (DoS) of the host via the paravirtualized network interface.

RESOLUTION: Applying the attached patch resolves this issue (xsa424-linux.patch Linux 6.0, 6.1-rc).

Official announcement: Please refer to the link for details – http://xenbits.xen.org/xsa/advisory-424.html

CVE-2022-43548 – An operating system command injection vulnerability exists in Node.js (possible attack scenario) 5th Dec 2022

Preface: When I read the details of this CVE, I found a gap between the official Node.js site announcement and security forums, including popular sites that post CVEs on a daily basis. In fact, if an attacker wants to trigger this vulnerability, the following requirements must be met. That’s why I discuss this topic.

Background: Node.js can handle many concurrent requests. This is the main reason it quickly became popular among developers and large companies. Node.js is faster than traditional Java because it uses an asynchronous event-driven I/O model and does not have the overhead of the Java runtime environment. Node.js is a back-end JavaScript runtime environment. Node.js for Mobile Apps is a Node.js runtime that runs on Android and iOS, using the V8 JavaScript engine.

Ref: One of the most popular types of API for building microservices applications is known as a “RESTful API” or “REST API”. Node.js runs on the V8 JavaScript engine and executes JavaScript code outside a web browser. Node.js propels communication among the parts of an application (the APIs of its microservices), making it run faster.

Vulnerability details: The vulnerability may be triggered in the following circumstances.

The Node.js rebinding protector for --inspect still allows invalid IP addresses, specifically the octal format. An example of an octal IP address is 1.09.0.0; the 09 octet is invalid because 9 is not a digit in the base-8 number system. Browsers such as Firefox (tested on the latest version, m105) will still attempt to resolve this invalid octal address via DNS. When combined with an active --inspect session, such as when using VSCode, an attacker can perform DNS rebinding and execute arbitrary code.

Impacts: All versions of the 18.x, 16.x, and 14.x release lines.

Official announcement: Please refer to the link for details – https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/

CVE-2022-23465 fixes two design weaknesses in SwiftTerm where an attacker could store malicious code (4th Dec 2022)

Preface: Character combinations consisting of a backslash (\) followed by a letter or by a combination of digits are called “escape sequences.”

Background: SwiftTerm uses the Swift Package Manager for its build, and you can add the library to your project by using the URL of this project.

SwiftTerm is a VT100/Xterm terminal emulator library for Swift applications that can be embedded into macOS, iOS applications, text-based, headless applications or other custom scenarios.

Ref: If you are using Xcode, there are two top level projects, one for Mac and one for iOS in the TerminalApp directory, one called “iOSTerminal.xcodeproj” and one called “MacTerminal.xcodeproj”.

Vulnerability details: Prior to commit a94e6b24d24ce9680ad79884992e1dff8e150a31, an attacker could modify the window title via a certain character escape sequence and then insert it back into the command line in the user’s terminal when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
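A sanitiser for untrusted text before it reaches a terminal emulator, added here as an example that is not part of SwiftTerm: it drops OSC (title-setting), CSI and single-character escape sequences and keeps the printable text, so a viewed file cannot drive the emulator. The sample inputs are constructed.

```c
#include <stddef.h>
#include <string.h>

#define ESC 0x1b
#define BEL 0x07

/* Copy untrusted text into out with every escape sequence removed:
 *   OSC  ESC ] ... terminated by BEL or by ESC \ (window title and friends)
 *   CSI  ESC [ parameter/intermediate bytes ... final byte 0x40-0x7E
 *   any other ESC followed by one byte
 * Printable bytes (including UTF-8), tab, newline and carriage return are
 * kept; remaining C0 control bytes are dropped. An unterminated sequence
 * swallows the rest of the input, which is the safe direction.
 * Returns the number of bytes written; out needs strlen(in) + 1 bytes. */
size_t strip_escape_sequences(const char *in, char *out)
{
    size_t o = 0;
    const unsigned char *p = (const unsigned char *)in;
    while (*p) {
        if (*p != ESC) {
            if (*p >= 0x20 || *p == '\n' || *p == '\t' || *p == '\r')
                out[o++] = (char)*p;
            p++;
            continue;
        }
        p++;                                      /* consume ESC */
        if (*p == ']') {                          /* OSC */
            p++;
            while (*p && *p != BEL && !(*p == ESC && p[1] == '\\')) p++;
            if (*p == BEL) p++;
            else if (*p == ESC) p += 2;           /* ESC \ string terminator */
        } else if (*p == '[') {                   /* CSI */
            p++;
            while (*p && (*p < 0x40 || *p > 0x7e)) p++;
            if (*p) p++;                          /* final byte */
        } else if (*p) {                          /* two-byte ESC sequence */
            p++;
        }
    }
    out[o] = '\0';
    return o;
}
```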

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-23465

About CVE-2022-24441: Something happens on “Snyk” when jump to this scenario (1st Dec 2022)

Preface: DevOps is a philosophy, supported by practices and tools, that improves an organisation’s ability to deliver applications and services. It enables products to be developed and improved at a faster rate than in organisations using traditional software development and infrastructure management processes. Efficiency and speed are the slogans of business, the next phase after digital transformation. DevOps is important because it is a software development and operations approach that enables faster development of new products and easier maintenance of existing deployments. Meanwhile, higher efficiency boosts productivity. A side effect is that electricity consumption increases, and this chain effect drives everything, including the use of natural resources. The result of this chain effect is environmental pollution; our overall temperature becomes higher every year. If an entrepreneur can let industrial progress in our world slow down, he can rescue the world.

Background: Snyk (pronounced “sneak”) is a developer security platform for securing code, dependencies, containers, and infrastructure as code. You can use Snyk products to scan the following: open source vulnerabilities, source code, container images and Kubernetes applications, configuration code and cloud infrastructure. Furthermore, you can access your Snyk product in the following ways: web, CLI, IDEs and API.
IDE integrations allow you to use the functionality of Snyk in your Integrated Development Environment.

Vulnerability details: The package snyk before 1.1064.0 is vulnerable to Code Injection when analyzing a project. An attacker who can convince a user to scan a malicious project can include commands in a build file such as build.gradle or gradle-wrapper.jar, which will be executed with the privileges of the application. This vulnerability may be triggered when running the CLI tool directly, or when running a scan with one of the IDE plugins that invoke the Snyk CLI. Successful exploitation of this issue would likely require some level of social engineering – to coerce an untrusted project to be downloaded and analyzed via the Snyk CLI or opened in an IDE where a Snyk IDE plugin is installed and enabled. Additionally, if the IDE has a Trust feature then the target folder must be marked as ‘trusted’ in order to be vulnerable.

REF: Exploitation requirements: force an untrusted project to be downloaded and analyzed via the Snyk CLI or opened in an IDE where a Snyk IDE plugin is installed and enabled.
Additionally, if the IDE has a Trust feature then the target folder must be marked as ‘trusted’ in order to be vulnerable.

Remark: The impact level depends on your implementation of Snyk, because you can decide to integrate with a Git repository, with CI/CD, or with both.
As in this diagram, if your infrastructure uses CI/CD integration, perhaps it will mitigate or reduce the risk.

Solution: Upgrading to a fixed version addresses this issue. Refer to the official announcement for details.

Official announcement: Please refer to the link for details – https://security.snyk.io/vuln/SNYK-JS-SNYK-3111871

Soap Opera Scene: Vulnerability (CVE-2022-46338) Realized in Life – 1st Dec 2022

Preface: Logitech revenue worldwide 2016-2022, by segment.
News update on Aug 15, 2022.
In 2022, the computer peripherals producer Logitech reported sales revenues of 5.48 billion U.S. dollars, of which 1.45 billion U.S. dollars was generated by its gaming segment. A further 967.3 million U.S. dollars in revenue came from keyboard and keyboard-and-mouse combination (combo) sales.

Background: Linux LED controller (g810-led) for Logitech G213, G410, G413, G512, G513, G610, G810, G815, G910 and GPRO keyboards. It also includes compatible keyboards from other vendors.

Versions of packages g810-led depends on:
– libc6 2.31-13+deb11u4
– libg810-led0 0.4.2-2.1
– libgcc-s1 10.2.1-6
– libstdc++6 10.2.1-6

Ref: G810-led is a configuration tool for the LEDs on Logitech Gx10 gaming keyboards: G213, G410, G413, G512, G513, G610, G810, G815, G910, and G Pro.

The LEDs can be configured in a variety of ways, depending on the keyboards’ capabilities.

Vulnerability details: g810-led 0.4.2, a LED configuration tool for Logitech Gx10 keyboards, contained a udev rule to make supported device nodes world-readable and writable, allowing any process on the system to read traffic from keyboards, including sensitive data.

Remark: In fact, G810-led is a configuration tool for the LEDs of Logitech Gx10 gaming keyboards. Sometimes keyboards with this feature are inadvertently used in sensitive areas. If that is the case, it is recommended not to use similar keyboard models and to wait for the manufacturer to release a remedy.

Official announcement: Please refer to the link for details – https://github.com/MatMoul/g810-led/pull/297

CVE-2022-46152 Design weakness exposes SMC calls to cyber attack (29th Nov 2022)

Preface: In the Arm architecture, control is transferred synchronously from the normal Non-secure state to the Secure state through Secure Monitor Call (SMC) exceptions.

Background: TEE provides an isolated environment to ensure code/data integrity and confidentiality. A typical embedded system running Linux or Android has vulnerabilities in both the kernel and userspace. Vulnerabilities could allow attackers to access sensitive information or implant malware. TEEs add an extra layer of security where code/data running on TEEs cannot be accessed or tampered with from Linux or Android operating systems.
OP-TEE is designed primarily to rely on the Arm TrustZone technology as the underlying hardware isolation mechanism. However, it has been structured to be compatible with any isolation technology suitable for the TEE concept and goals, such as running as a virtual machine or on a dedicated CPU. The main design goals for OP-TEE are isolation, small footprint and portability.

Vulnerability details:

  1. The function cleanup_shm_refs() is called by both entry_invoke_command() and entry_open_session().
  2. The commands OPTEE_MSG_CMD_OPEN_SESSION and OPTEE_MSG_CMD_INVOKE_COMMAND can be executed from the normal world via an OP-TEE SMC.
  3. This function is not validating the num_params argument, which is only limited to OPTEE_MSG_MAX_NUM_PARAMS (127) in the function get_cmd_buffer().
  4. Therefore, an attacker in the normal world can craft an SMC call that will cause out-of-bounds reading in cleanup_shm_refs() and potentially the freeing of fake objects in the function mobj_put().

Solution: Fix the array out-of-bounds check in cleanup_shm_refs(). Version 3.19.0 contains a fix for this issue. There are no known workarounds.
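A simplified model of the missing check, added here as an example (not OP-TEE's code; the struct and function bodies are stand-ins, only the names and the 127 limit come from the advisory): cleanup_shm_refs() validates num_params itself, so neither entry point can walk the parameter array with a count larger than OPTEE_MSG_MAX_NUM_PARAMS, whatever get_cmd_buffer() did.

```c
#include <stddef.h>
#include <stdint.h>

/* Limit the advisory says get_cmd_buffer() enforces on num_params. */
#define OPTEE_MSG_MAX_NUM_PARAMS 127

/* Minimal model of a shared-memory object with a reference count
 * (a stand-in, not OP-TEE's real struct mobj). */
struct mobj { unsigned refcount; };

/* One message parameter; only the shared-memory reference matters here. */
struct msg_param { struct mobj *shm; };

/* Model of the command buffer handed over by SMC: num_params is input
 * controlled by the normal world, the array has a fixed capacity. */
struct msg_arg {
    uint32_t num_params;
    struct msg_param params[OPTEE_MSG_MAX_NUM_PARAMS];
};

/* Model of mobj_put(): drop one reference, return 1 if the object was freed. */
static int mobj_put(struct mobj *m)
{
    if (m == NULL || m->refcount == 0) return 0;
    return --m->refcount == 0;
}

/* Hardened cleanup: bounds-checks num_params before touching the array
 * instead of trusting that every caller went through get_cmd_buffer().
 * Returns the number of objects freed, or -1 when the count is out of range. */
int cleanup_shm_refs(struct msg_arg *arg)
{
    if (arg->num_params > OPTEE_MSG_MAX_NUM_PARAMS) return -1;
    int freed = 0;
    for (uint32_t i = 0; i < arg->num_params; i++) {
        freed += mobj_put(arg->params[i].shm);
        arg->params[i].shm = NULL;      /* never put the same reference twice */
    }
    return freed;
}

/* Both entry points share the cleanup, as the advisory describes. */
int entry_open_session(struct msg_arg *arg)   { return cleanup_shm_refs(arg); }
int entry_invoke_command(struct msg_arg *arg) { return cleanup_shm_refs(arg); }
```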

Official announcement: Please refer to the link for details – https://github.com/OP-TEE/optee_os/commit/728616b28df659cf0bdde6e58a471f6ef25d023c

About CVE-2022-43590: Understandable Views (28th Nov 2022)

Preface: For over two decades, developers at some of the world’s most prominent Fortune 500 and Global 2000 companies have trusted Callback Technologies’ components and system drivers to build secure file storage solutions and virtual filesystems. Some of our clients include Amazon, Microsoft, Adobe, Intel, LG, etc.

Background: CBFS Filter allows you to intercept and react to filesystem, registry, and process manager operations as they occur.

About the CBFS Filter design structure: an IOCTL also divides the buffer into two parts, input and output, so a single command operation can complete both the read and the write action. The properties of the buffer also need to be set before it can be used. There are three buffering methods: Buffered, Direct and Neither.

If it is for data transmission, it is recommended to use IRP_MJ_READ and IRP_MJ_WRITE, and for control operations it is recommended to use IRP_MJ_DEVICE_CONTROL.

Ref: Any intermediate driver layered between a file system driver and a removable-media device driver must set up the next-lower-level driver’s I/O stack location in IRPs. From incoming IRP_MJ_READ, IRP_MJ_WRITE, and IRP_MJ_DEVICE_CONTROL requests, the intermediate driver must copy its own I/O stack location Flags into the next-lower-level driver’s I/O stack location when it sets up the I/O stack location for the lower driver, Microsoft said.

Vulnerability details: Cisco Talos found the following. A null pointer dereference vulnerability exists in the handle_ioctl_0x830a0_systembuffer functionality of Callback Technologies CBFS Filter 20.0.8317. A specially-crafted I/O request packet (IRP) can lead to denial of service. An attacker can issue an ioctl to trigger this vulnerability.
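A hardened METHOD_BUFFERED dispatch for the buffer model described above, added here as an example (not CBFS Filter's code): the IRP and stack-location structures and the request/reply layouts are stand-ins for this model, and only the control code 0x830a0 comes from the report. The point is that SystemBuffer is checked for NULL, and both lengths are checked, before anything is cast or dereferenced.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Control code named in the Talos report. */
#define IOCTL_FILTER_QUERY 0x830a0u

/* Simplified stand-ins for the WDK's IO_STACK_LOCATION and IRP fields that
 * a METHOD_BUFFERED handler relies on (not the real definitions). */
struct io_stack_location {
    uint32_t io_control_code;
    uint32_t input_buffer_length;
    uint32_t output_buffer_length;
};
struct irp {
    void *system_buffer;     /* NULL when the caller supplied no buffers */
    struct io_stack_location current;
};

enum { STATUS_SUCCESS = 0, STATUS_INVALID_PARAMETER = 1,
       STATUS_BUFFER_TOO_SMALL = 2, STATUS_INVALID_DEVICE_REQUEST = 3 };

/* Request/reply layouts constructed for this model. */
struct filter_request { uint32_t version; uint32_t flags; };
struct filter_reply   { uint32_t accepted; uint32_t flags_applied; };

/* Hardened dispatch: with METHOD_BUFFERED the same SystemBuffer carries
 * input and output, so the request is copied out before the memory is
 * overwritten with the reply, and every check precedes every access. */
int handle_ioctl_systembuffer(struct irp *irp, uint32_t *bytes_returned)
{
    const struct io_stack_location *sl = &irp->current;
    struct filter_request req;
    struct filter_reply rep;
    *bytes_returned = 0;
    if (sl->io_control_code != IOCTL_FILTER_QUERY) return STATUS_INVALID_DEVICE_REQUEST;
    if (irp->system_buffer == NULL) return STATUS_INVALID_PARAMETER;   /* the null case */
    if (sl->input_buffer_length < sizeof req) return STATUS_INVALID_PARAMETER;
    if (sl->output_buffer_length < sizeof rep) return STATUS_BUFFER_TOO_SMALL;
    memcpy(&req, irp->system_buffer, sizeof req);
    rep.accepted = (req.version == 1);
    rep.flags_applied = req.flags & 0x3u;     /* only two flag bits exist in this model */
    memcpy(irp->system_buffer, &rep, sizeof rep);
    *bytes_returned = sizeof rep;
    return STATUS_SUCCESS;
}
```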

Official announcement: Please refer to the link for details – https://talosintelligence.com/vulnerability_reports/TALOS-2022-1649

CVE-2022-45934 – Bug discovered in the Linux kernel. It seems to affect more devices including Android (28th Nov 2022)

Preface: For example, if an integer data type allows integers up to two bytes or 16 bits in length (or an unsigned number up to decimal 65,535), and two integers are to be added together that will exceed the value of 65,535, the result will be integer overflow.


Background: L2CAP is used within the Bluetooth protocol stack. It passes packets to either the Host Controller Interface (HCI) or, on a hostless system, directly to the Link Manager/ACL link. L2CAP’s functions include multiplexing data between different higher-layer protocols. In order to provide several data streams, L2CAP uses channels, which are represented by the l2cap_cha structure (include/net/bluetooth/l2cap.h). The current implementation of l2cap_build_conf_req() adds the L2CAP_CONF_RFC (0x04) option to the initial configure request sent by the Linux host.


Vulnerability details: A vulnerability was found in the Linux kernel up to 6.0.10. It has been declared critical. An issue was discovered in the Linux kernel through 6.0.10: l2cap_config_req in net/bluetooth/l2cap_core.c has an integer wraparound via L2CAP_CONF_REQ packets.

Solution: Applying a patch should eliminate this problem.
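A constructed model of the wraparound class the preface and the vulnerability details describe, added here as an example (not the kernel's code): an 8-bit per-channel counter limits how many configure responses a peer may provoke; the unguarded increment wraps to 0 after 256 L2CAP_CONF_REQ packets, so the limit is passed again, while the guarded version saturates. The limit of 2 is this model's own value.

```c
#include <stdbool.h>
#include <stdint.h>

/* Per-channel limit on configure responses in this model (a constructed
 * value; the kernel's own limit is not given on this page). */
#define CONF_RSP_LIMIT 2

/* The counter is an 8-bit field, as "integer wraparound" implies:
 * 255 + 1 becomes 0 again. */
struct l2cap_chan_model { uint8_t num_conf_rsp; };

/* Vulnerable pattern: the count is bumped after every request, so after
 * 256 packets it reads 0 and the limit check is satisfied a second time. */
bool config_req_unguarded(struct l2cap_chan_model *c)
{
    bool accepted = c->num_conf_rsp < CONF_RSP_LIMIT;
    c->num_conf_rsp++;                      /* wraps at 255 */
    return accepted;
}

/* Hardened pattern: saturate at the limit, so the field can never wrap
 * and a rejected peer stays rejected no matter how many packets it sends. */
bool config_req_guarded(struct l2cap_chan_model *c)
{
    bool accepted = c->num_conf_rsp < CONF_RSP_LIMIT;
    if (c->num_conf_rsp < CONF_RSP_LIMIT) c->num_conf_rsp++;
    return accepted;
}

/* Feed n configure requests to a fresh channel and count the accepted
 * ones; with the unguarded counter the answer keeps growing with n. */
int accepted_after(int n, bool (*handler)(struct l2cap_chan_model *))
{
    struct l2cap_chan_model chan = { 0 };
    int accepted = 0;
    for (int i = 0; i < n; i++) accepted += handler(&chan);
    return accepted;
}
```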


Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-45934