Preface: Looking back, a vulnerability was discovered in NVIDIA GPU Display Driver on 2016. A flaw exists in the kernel mode layer (nvlddmkm.sys) handler for DxgDdiEscape IDs 0x600000E, 0x600000F, and 0x6000010 due to improper validation of user-supplied input that is used as an index to an internal array. A local attacker can exploit this to corrupt memory, resulting in a denial of service condition or an escalation of privileges.

Background: NVIDIA GPU Display Driver support 2 different operation systems. So called the kernel mode layer (nvlddmkm.sys for Windows or nvidia.ko for Linux).

Vulnerability details: NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape or IOCTL where an unprivileged regular user can access administrator- privileged registers, which may lead to denial of service, information disclosure, and data tampering. IOCTL in Linux is referred to as Input and Output Control, which is used to talking to device drivers. This system call, available in most driver categories.

Conjecture : Attacker need to know PML4 The actual physical address of the table (CR3 Value) , Otherwise, attacker will not be able to remap the target virtual address to the address he want to control.

There are other ideas.Use Paging table Primitives to destroy bitmaps , And use it GDI Primitive language to restore our relevant mmPfnDatabase entry .

Ref: x64 Used 4 Level page table to map physical memory and virtual memory. This 4 levels are PML4（Page Map Level 4),（Common name ：PXE）,PDPT（Page Directory Pointers）,PD（Page Directory）as well as PT（Page Table）, CR3（ Control register ）that holds the current process PML4 Base address（Physical address).

CR3 enables the processor to translate linear addresses into physical addresses by locating the page directory and page tables for the current task.

Vendor announcement: Security Bulletin: NVIDIA GPU Display Driver – May 2022 – https://nvidia.custhelp.com/app/answers/detail/a_id/5353

Preface: There’s no needle with both ends pointed. The baseline requirements of ETSI EN 303 645 specifically have timely, automatic updates as one of its requirements. So the first step in best practice is to ensure that software updates can be delivered to your system, preferably automatically and over-the-air (OTA).

Background: Traditionally, U-Boot is the most popular boot loader in linux based embedded devices. Das U-Boot is an open-source, primary boot loader used in embedded devices to package the instructions to boot the device’s operating system kernel.
Numerous features and modes of operation can be selected by adding definitions to the board-configuration file. Below example is a partial configuration header file.

define CONFIG_COMMANDS (CONFIG_CMD_DFL & ~CFG_CMD_NFS)

Vulnerability details: An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy with a failed length check at nfs_lookup_reply.
nfs_lookup_reply in net/nfs.c in Das U-Boot through 2022.04 (and through 2022.07-rc2) has an unbounded memcpy with a failed length check, leading to a buffer overflow.

Remark: When you call memcpy you need to pass it two pointers, and the size of the object to copy.

Remedy: Please refer to the link for details – https://github.com/u-boot/u-boot/commit/5d14ee4e53a81055d34ba280cb8fd90330f22a96

Doubt: Once the operating system is loaded, the boot loader transfers control to it and is no longer needed. The operating system will initialize itself, configure the system hardware (e.g., set up memory management, set timers, set interrupts), and load device drivers, if needed.
If there is buffer overflow vulnerability happen in a bootloader. My idea is that the risk rating or impact all depends on the device whether accepted remote process service or accept Updating the Bootloader Over-the-Air (OTA).
In theory, in the out-of-bounds write vulnerability, the software writes data past the end, or before the beginning, of the intended buffer, which can result in the corruption of data, a crash, or code execution.
But in what way to trigger this vulnerability? I have no idea in the moment.

Preface: Traditionally, the only way to enable that syscall in Linux was to enable CONFIG_CHECKPOINT_RESTORE. However, since Linux v5.10.20 and v5.11.3, a new CONFIG_KCMP has been added to Linux to allow enabling sys_kcmp without having to enable CONFIG_CHECKPOINT_RESTORE!

Background: Secure computing mode ( seccomp ) is a Linux kernel feature. You can use it to restrict the actions available within the container. The seccomp() system call operates on the seccomp state of the calling process. You can use this feature to restrict your application’s access. Syscalls are system calls, and they’re the way that you can make requests from user space into the Linux kernel.

In practical, we use syscalls a lot, because even everyday activities like making files or changing directories involve syscalls on Linux.

Vulnerability details: The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag.

Vulnerability found permission checks were done on the PTRACE_SETOPTIONS path. However the PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag.
The vulnerability move the permissions checks out into a helper function and let both ptrace_attach() and ptrace_setoptions() call it.

Official announcement (For details, please refer to the official announcement) – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ee1fee900537b5d9560e9f937402de5ddc8412f3

Preface: Hardware debug modes and processor INIT setting that allow override of locks for some Intel(R) Processors in Intel(R) Boot Guard and Intel(R) TXT may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

Background: Protection Class “Public” (historically also known as “Green” or “Locked”) is where all sets of debuggers can use the available debug capabilities given by this class. No access mechanisms are used by the debugger and the privilege level on the debug capabilities (i.e., Basic Enabling) are considered public and available to everyone.

Intel specified CPU products can utilize two different ways to access the entity debug mechanism to enable access and to gain privileges for debug capabilities. For example: unlock. But the debugger must authenticate and unlock using Intel’s authentication key.

On CVE-2018-3659 and CVE-2018-3643 description does not mention DAM explicitly.
It is well known that DAM does not require authorization from Intel or the system manufacturer but requires the consent of the owner. The consent can be set in the following way:
• On CNP based platform, by physically connecting to Intel® Direct Connect Interface (Intel® DCI) over a USB3 port supporting a dedicated protocol and device for debugging, aka Intel® DCI OOB.
• Having BIOS set consent.
• Setting DCI enable bit in SPI descriptor, i.e. a configuration option that enable/disable automatic debug consent if the system is before EOM. This can be set using Intel Flash Image Tool (FIT).

Vulnerability details and remedy: For details, please refer to the official article (2022.1 IPU – Intel® Boot Guard and Intel® TXT Advisory) – https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00613.html

My observation: According to Risk Rating, Adjacent Network, Authenticated CVSS score of 7.3. Additionally, the unauthenticated physical CVSS score is 7.3. Therefore, undisclosed details of the design weakness include both local and remote access. Attackers exploit remote access to think it is running on a management application. For example, it is the Intel Converged Security and Management Engine (CSME).

In the initialization of the x86-64 multi-core system, one core is required as the bootstrap processor (BSP). Each processor first performs a processor self-test (BIST – Built In Self Test), and if the self-test passes, it has the qualification to become a BSP. Each processor that is expected to become a BSP will send a special cycle of NOP to the bus, with the purpose of reaching the end point as quickly as possible. If a processor successfully sends a NOP first, it becomes a BSP. Vendor recommends updating the Intel Converged Security and Management Engine (CSME) to the latest version, disabling the CPU debug feature when Boot Guard is enabled, and disabling the BSP (Bootstrap Processor) INIT (DBI) bit. Refer to above details, did you speculate what is the fact causes bug happen?

Preface: KVM (Kernel based Virtual Machine) is an open source Linux kernel virtualization infrastructure2 which relies on the hardware virtualization technologies, fully integrated in the Linux kernel. Its first version was introduced in the 2.6.20 Linux kernel tree (released in February 2007). KVM developers are primarily funded by a technology startup called Qumranet, now owned by RedHat. Developers had an original approach. Instead of creating major portions of an operating system kernel themselves, they choose to use the Linux kernel itself as a basis for a hypervisor.

KVM stands for Kernel-based Virtual Machine. Being an open-source virtualization software that’s embedded into Linux, KVM does two things:

• Makes Linux a hypervisor
• Enables Linux to run multiple, isolated virtual environments

KVM initially supported x86 platform processors and was subsequently ported to S/390, PowerPC, and IA-64 platforms

Background: AMD EPYC 7002 Processors – A dual-socket AMD EPYC workstation or server is idea for compute intensive tasks such as high performance computing (HPC) and artificial intelligence (AI) applications thanks to their huge memory bandwidth, memory capacity and outstanding I/O. AMD EPYC Processors with improved execution pipelines, higher clock rates, and up to 4x the shared Level 3 cache. A Level 3 (L3) cache is a specialized cache that that is used by the CPU and is usually built onto the motherboard and, in certain special processors, within the CPU module itself.

The AMD EPYC 7002 Series Processor is the latest generation of the AMD64 System-on-Chip (SoC) processor family. It is based on the Zen 2 microarchitecture introduced in 2019, supporting up to 64 cores (128 threads) and 8 memory channels per socket. AMD’s CCD is actually an abbreviation of Core Chiclet Die.The Zen 2 architecture processor is not a large core packaged together, but is divided into two parts: the CCD core and the I/O core, of which the CCD core is a pure computing The core contains two CCXs, that is, each CCD has 8 cores and 16 threads.

Vulnerability details: An attacker with access to a malicious hypervisor may be able to infer data values used in a SEV guest on AMD CPUs by monitoring ciphertext values over time.

Speculation based on vulnerabilities: If important data is encrypted at rest or in transit, it’s often best to try to steal the data when it’s not encrypted by monitoring the memory space of the process performing the encryption and any calls to cryptographic libraries.

Official announcement: AMD provides preventive and corrective controls, please refer to the link for more details. https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1033

My comment: Due to this design flaw, the vendor (AMD) recommend to do a series of preventive and corrective control. In my personal point of view, the first step should dicuss with system architect and software development how to integrate below concept of Linux clear cache command into the work flow.
Drop all caches – Below Linux command:
sync; echo 3 > /proc/sys/vm/drop_caches

Preface: Google Pixel is a brand of consumer electronic devices developed by Google that run either Chrome OS or the Android operating system. The Pixel brand was introduced in February 2013 with the first-generation Chromebook Pixel. The Pixel line includes laptops, tablets, and smartphones, as well as several accessories.

Background: The Google Pixel is one of the smartphones on the market today. The Google Pixel also works with digital camera products.

How do you identify a Pixel device? The simple way is to go through the settings menu. → Settings → About Phone → Model Number. The display will tell you the make and model number of your device alongside the IMEI Number, serial number and also the version of Android you are running.

How do I get into bootloader? Follow below steps:

• Ensure the phone is turned off.
• Press and hold the VOLUME DOWN button.
• Press the POWER button.
• Continue to hold VOLUME DOWN until the Download mode is displayed.
• Press VOLUME DOWN to go to Reboot to bootloader.
• Press the POWER button.

Vulnerability details: With just a few minutes of physical access and a USB cable, attackers can silently and invisibly compromise unpatched devices. The exact details of the vulnerability have not been disclosed. Do you think the key factor whether similar to steps displayed in attached diagram?

Official announcement (Pixel Update Bulletin—May 2022): Please refer to the link for details – https://source.android.com/security/bulletin/pixel/2022-05-01#pixel

Preface: If you look into a Mainframe computer system, you will find Brocade SANS storage made use of Ficon connection. As times goes by, Hi-end supercomputer system still using this solution.
Furthermore, Brocade products not limit the usage in supercomputer. The Fibre Channel storage networking and management solution are expanded to cloud computing. Becuase the Fibre Channel storage networking solutions are the most trusted.

Background: SANnav Management Portal supports an application programming interface (API) for managing Brocade® storage area network (SAN) fabrics. The REST API provides you with a web-services interface for accessing the SANnav Management Portal server system. The REST APIs are organized into various services, such as Login, Discovery,FCR, Fault, Inventory, and Northbound Streaming. You can use the REST API to build your own SANnav clients.

Vulnerability details: A vulnerability in the role-based access control (RBAC) functionality of the Brocade SANNav before 2.2.0 could allow an authenticated, remote attacker to access resources that they should not be able to access and perform actions that they should not be able to perform. The vulnerability exists because restrictions are not performed on Server side to ensure the user has required permission before processing requests.

Important notice – If you add a service principal to a group, and then assign an app role to that group, it does not add the roles claim to tokens it issues. Vice versa, if client side using stateless authentication, it has possibilities that it allow remote attacker to access resources that they should not be able to access and perform actions that they should not be able to perform.

Reference (see below):

• With stateful authentication, a unique session id is generated when the user logs in. In subsequent requests, this session ID serves as a reference to the user details stored on the server. The session ID is opaque; it doesn’t contain any user data.
• With stateless authentication, all user-identifying information is stored in a client-side token. The token can be passed to any server or micro service, eliminating the need to maintain session state on the server. Stateless authentication is often factored out to an authorization server, which produces, signs, and optionally encrypts the token upon user login.

Affected Products – Brocade SANnav before 2.2.0
Remedy: Fixed in Brocade SANnav 2.2.0

Official announcement: Please refer to the link for details – https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1844

Additional details: According to above principles. One of the remedy solution can be used to implement claim-based authorization. App roles can be assigned to a user or a group of users. App roles can also be assigned to the service principal for another application, or to the service principal for a managed identity.

Preface: A distributed hypermedia architect has only three fundamental options: 1) render the data where it is located and send a fixed-format image to the recipient; 2) encapsulate the data with a rendering engine and send both to the recipient; or, 3) send the raw data to the recipient along with metadata that describes the data type, so that the recipient can choose their own rendering engine.

Background: F5 has released security advisories on vulnerabilities affecting multiple products, including various versions of BIG-IP. Included in the release is an advisory for CVE-2022-1388, which allows undisclosed requests to bypass the iControl REST authentication in BIG-IP. An attacker could exploit CVE-2022-1388 to take control of an affected system.

Please refer to the link for details – https://support.f5.com/csp/article/K23605346#proc3

Vendor reminded that restricting access to the management interface by IP address in httpd is not a viable mitigation for this issue. It should add “Connection: close” header. Why?

My speculation: According to the above situation. My thoughts are as follows:

Whether add “Connection: close” header to custom HTTP/1.1 responses avoid the max request body size is exceeded.

The recommended actions to do the remedy by vendor is that client should manually add a “Connection: close” header in httpd configuration files. In normal circumstances, when the app writes a custom response and the max request body size has been exceeded. Without this header, the attacker might try to reuse the connection.

Preface: If you do a resources plan in large data center. Maybe you use nmap. E.g: Performs a list scan on the provided ranges and returns an NmapReport object including in your MIS report.

Background: libnmap is a python library to parse nmap xml data. It supports python 3.6+.
libnmap is a python library enabling python developers to manipulate nmap data. The libnmap targets are as follows:

• manipulate nmap scans results to do reporting
• compare and diff nmap scans to generate graphs
• batch process scan reports

How to install? pip install python-libnmap

Vulnerability details: In the python-libnmap package through 0.7.2 for Python, remote command execution can occur (if used in a client application that does not validate arguments).

My imagination. Refer to attached diagram. If attacker have a way to do a re-engineering to the file (hostname-discovery.py) and replace the original file.See add on command syntax in red box in the diagram.
The file replaced by the attacker (hostname-discovery.py) will execute the command syntax to upload the file (rev.nse) over http.Therefore, it can execute an NSE reverse shell on the target system.

Preventive control and protective control: Please refer to the link for details – https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

Expert findings and Proof of concept: Please refer to the link for details – https://www.swascan.com/security-advisory-libnmap-2/