All posts by admin

CVE-2022-28893 – Sun Microsystems no longer exists, but SunRPC lives on in Linux (14th April 2022)

Preface: ONTAP (also Data ONTAP, Clustered Data ONTAP or Data ONTAP 7-Mode) is NetApp’s proprietary operating system used in storage arrays such as NetApp FAS and AFF, ONTAP Select and Cloud Volumes ONTAP. RHEL 6.3 and later can be used as clients of NetApp Clustered Data ONTAP; that NFS access path is built on SunRPC, the UNIX network programming interface described below.
Remark: RHEL 6 (including 6.3) reached end of life on November 30, 2020; its Extended Lifecycle Support ends on June 30, 2024.

Background: The Remote Procedure Call (SunRPC) protocol provides a way to run procedures on a remote machine. RPC is used heavily in UNIX to implement many protocols, for example NFS and NIS. The RPC protocol is designed to be independent of machine, operating system, network architecture and transport protocol.
Sun RPC has no network-wide binding service. Instead it provides a local binding service, the port mapper (portmap/rpcbind), which runs on every host and listens on a fixed port (111). Each RPC program binds a TCP/UDP port and registers it with the local port mapper; a client asks the port mapper which port a given program number is using. NFS registers its ports with the port mapper when it starts, and clients look them up before sending data.

Vulnerability details: The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state.

Highlight one of the technical issues – In C, the library function malloc() allocates a block of memory of the requested size for use by the program (the kernel equivalent is kmalloc()). The program reads and writes that memory through pointers, and when it is done it calls free() (kfree() in the kernel) to give the block back.
It is important to note that free() only marks the block as free and available for reuse. It does not clear the data stored in the block, nor does it clear or invalidate the pointers the program still holds to it; any later use of such a pointer is a use-after-free.

Remedy: Ensure we flush any closed sockets before xs_xprt_free().

For solution details, please refer to the following link – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1a3b1bba7c7a5eb8a11513cf88427cb9d77bc60a
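The ordering rule behind the remedy, as an added example that is not kernel code and not the cited commit: a transport (the invented xprt_t) has a socket close queued as deferred work, and the only safe order is to flush that work before freeing the transport. The work queue here is a single-threaded stand-in for the kernel's workqueue; instead of letting a dangling job run on freed memory, the demo counts the jobs that still reference the transport at the moment it is freed.

```c
/* Added example; not kernel code and not the cited commit. Models the rule
 * "flush deferred socket work before freeing the transport" with an invented
 * transport type (xprt_t) and an invented single-threaded work queue. */
#include <stdio.h>
#include <stdlib.h>

typedef struct xprt {
    char name[16];
    int  sock_open;            /* 1 while the socket is still open */
} xprt_t;

typedef struct work {          /* one deferred "close this socket" job */
    xprt_t *xprt;
    int     done;
} work_t;

#define MAX_WORK 8
static work_t queue[MAX_WORK];
static int    nqueued;

static void queue_close(xprt_t *x)
{
    if (nqueued < MAX_WORK) {
        queue[nqueued].xprt = x;
        queue[nqueued].done = 0;
        nqueued++;
    }
}

/* Run every pending job now; this is the flush the fix adds before the free. */
static void flush_work(void)
{
    for (int i = 0; i < nqueued; i++) {
        if (!queue[i].done) {
            queue[i].xprt->sock_open = 0;
            queue[i].done = 1;
        }
    }
}

/* Jobs that still reference x; each one would later run against freed memory. */
static int pending_for(const xprt_t *x)
{
    int n = 0;
    for (int i = 0; i < nqueued; i++)
        if (!queue[i].done && queue[i].xprt == x)
            n++;
    return n;
}

static xprt_t *xprt_alloc(const char *name)
{
    xprt_t *x = calloc(1, sizeof *x);
    if (x) {
        snprintf(x->name, sizeof x->name, "%s", name);
        x->sock_open = 1;
    }
    return x;
}

/* Buggy order: free while the close job is still queued. The demo counts the
 * dangling jobs and discards them instead of letting them touch freed memory. */
static int xprt_free_buggy(xprt_t *x)
{
    int dangling = pending_for(x);
    free(x);
    nqueued = 0;
    return dangling;
}

/* Fixed order: flush first, then free; nothing can reference x afterwards. */
static int xprt_free_fixed(xprt_t *x)
{
    flush_work();
    int dangling = pending_for(x);
    free(x);
    nqueued = 0;
    return dangling;
}

/* Returns how many queued jobs still pointed at the transport when it was freed. */
int dangling_jobs_at_free(int fixed)
{
    nqueued = 0;
    xprt_t *x = xprt_alloc("xprt0");
    if (!x) return -1;
    queue_close(x);            /* a disconnect queued the socket close */
    return fixed ? xprt_free_fixed(x) : xprt_free_buggy(x);
}

int main(void)
{
    printf("buggy order: %d dangling job(s)\n", dangling_jobs_at_free(0));
    printf("fixed order: %d dangling job(s)\n", dangling_jobs_at_free(1));
    return 0;
}
```

In the real driver the dangling job is a workqueue item that runs later on another CPU, which is why the fix flushes the transport's pending work before xs_xprt_free() rather than relying on ordering by luck.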

CVE-2022-29156 – drivers/infiniband/ulp/rtrs/rtrs-clt[.]c in the Linux kernel before 5.16.12 has a double free related to rtrs_clt_dev_release (13th April 2022)

Preface: When the details of a vulnerability are announced, it is often hard to tell when it was first introduced. This is well known in the security community, and analysts and researchers do not mind the delay, since the goal is to fix the problem and avoid a similar vulnerability in another product.
For example, the fix for this vulnerability was released on February 18, 2022, but the vulnerability itself was only disclosed this week.

Background: Three technologies currently support RDMA: InfiniBand, Ethernet RoCE and Ethernet iWARP. All three share a common user API (the verbs API) but have different physical and link layers.
InfiniBand (IB) is a computer networking standard for high-performance computing with very high throughput and low latency. Six of the top ten high-performance computing (HPC) and artificial intelligence (AI) supercomputers on the June 2019 TOP500 list deployed InfiniBand.

Vulnerability details: CVE-2022-29156 – drivers/infiniband/ulp/rtrs/rtrs-clt[.]c in the Linux kernel before 5.16.12 has a double free related to rtrs_clt_dev_release.

Traditionally, kfree() is paired with kmalloc() and frees the block of memory starting at address objp.
What is objp? The memory address, usually the return value of kmalloc(), that is, the pointer to the start of the allocated block.

In practice, double-freeing a block of memory corrupts the state of the memory manager, which can corrupt other live blocks or make future allocations fail in bizarre ways (for example, the same memory being handed out on two successive calls to malloc). Double frees can happen in all sorts of cases.

  • kmalloc() and kfree() are kernel-space only
  • malloc() and free() are their user-space (libc) counterparts and are not available inside the kernel

Reason (Official announcement): Callback function rtrs_clt_dev_release() for put_device() calls kfree(clt) to free memory. We shouldn’t call kfree(clt) again, and we can’t use the clt after kfree too.

Solution: Replace device_register() with device_initialize() and device_add() so that dev_set_name() can be used appropriately. Move mutex_destroy() to the release function so it can be called in the alloc_clt err path.

Do mutexes need to be destroyed? In the kernel, mutex_destroy() is a no-op unless CONFIG_DEBUG_MUTEXES is set, in which case it marks the mutex unusable so later misuse is caught; it must still be paired with the free of the structure that embeds the mutex, which is why the fix moves it into the release function. POSIX states the same principle for user space: implementations must allow a mutex to be destroyed, freed and potentially unmapped immediately after it is unlocked.
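The two points above (what a double free does to the allocator, and why the error path must not kfree() a structure whose release callback already freed it) as one added example. This is not rtrs code: the free-list allocator, the device/release structures and the error paths are invented stand-ins for kmalloc/kfree and the driver-model put_device() callback. The test of damage is the allocator's own symptom from the text, the same slot being handed out on two successive allocations.

```c
/* Added example (not rtrs or kernel code): a tiny free-list allocator plus a
 * device-style release callback, to show what a double free does to the
 * allocator. Every identifier here is invented for the demo. */
#include <stddef.h>
#include <stdio.h>

#define NSLOTS    4
#define SLOT_SIZE 64

/* Slots are pointer-aligned; a free slot's first word links it into the free list. */
static void *slots[NSLOTS][SLOT_SIZE / sizeof(void *)];
static void *free_head;

void heap_init(void)
{
    free_head = NULL;
    for (int i = NSLOTS - 1; i >= 0; i--) {
        slots[i][0] = free_head;
        free_head = slots[i];
    }
}

void *heap_alloc(void)
{
    void *p = free_head;
    if (p)
        free_head = *(void **)p;
    return p;
}

/* No double-free check, like a plain allocator: freeing a slot twice links it
 * into the list twice, after which two allocations return the same address. */
void heap_free(void *p)
{
    *(void **)p = free_head;
    free_head = p;
}

/* A device with a release callback, in the style of the driver model. */
struct device { void (*release)(struct device *); };
struct clt    { struct device dev; int state; };   /* dev must stay the first member */

static void clt_dev_release(struct device *d)
{
    struct clt *c = (struct clt *)d;
    heap_free(c);                   /* the release callback owns the final free */
}

static void put_device(struct device *d) { d->release(d); }

static struct clt *alloc_clt(void)
{
    struct clt *c = heap_alloc();
    if (!c) return NULL;
    c->dev.release = clt_dev_release;
    c->state = 0;
    return c;
}

/* Error path as in the bug: put_device() already freed clt, then a second
 * kfree(clt) frees it again. Returns 1 if the allocator now hands one slot out twice. */
int err_path_buggy(void)
{
    heap_init();
    struct clt *c = alloc_clt();
    put_device(&c->dev);
    heap_free(c);                   /* the second free */
    void *a = heap_alloc(), *b = heap_alloc();
    return a == b;
}

/* Fixed error path: drop the reference once and let release() do the free. */
int err_path_fixed(void)
{
    heap_init();
    struct clt *c = alloc_clt();
    put_device(&c->dev);
    void *a = heap_alloc(), *b = heap_alloc();
    return a == b;
}

int main(void)
{
    printf("buggy err path: same slot handed out twice = %d\n", err_path_buggy());
    printf("fixed err path: same slot handed out twice = %d\n", err_path_fixed());
    return 0;
}
```

Once two live owners share one block, a write by either corrupts the other, which is the write-what-where primitive that turns a double free into code execution in kernel heaps that lack a double-free check on the fast path.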

The fix is present in the following tagged versions of rtrs-clt[.]c:
v5.18-rc2 v5.18-rc1 v5.17 v5.17-rc8 v5.17-rc7 v5.17-rc6

About CVE-2022-26151 – Citrix Endpoint Management (XenMobile Server): does it remediate a design flaw discovered in 2018? (12th April 2022)

Preface: Public Key Infrastructure is the proven solution for authentication, encryption and data integrity. DigiCert PKI solutions are built on trust: public trust, private trust, and the world’s most trusted roots.

Background: XenMobile Server GPKI support includes DigiCert Managed PKI, also referred to as MPKI. The requirements include a Windows Server 2012 R2 server with the following components installed:

– Java
– Apache Tomcat (Install Apache Tomcat on Windows Server)
– DigiCert PKI Client
– Portecle

Vulnerability details: CVE-2022-26151 – The underlying operating system in Citrix XenMobile Server allows unauthorized root access. For the official announcement, please refer to the Citrix Endpoint Management (XenMobile Server) Security Bulletin for CVE-2021-44519, CVE-2021-44520 and CVE-2022-26151 at the URL below:

https://support.citrix.com/article/CTX370551

CVE-2022-26151 | Unauthorized root access to the underlying OS | CWE-20: Improper Input Validation | Pre-requisite: admin access to XenMobile Server CLI

Speculation: the vendor did not provide vulnerability details, but the problem may lie in the configuration services that run on the XenMobile server itself (that is, on localhost).

This Tomcat-based service lets callers execute a variety of commands that should not be available to unauthenticated users. For example:

  • Change the administrator password (/admin_user/cli/reset_password)
  • Create a new administrator (/admin_user/ui/create1)
  • Decrypting passwords (/sftu/crypto/dec)
  • Dropping firewall rules (/firewall/iptables_stop)

Workaround: these services are already mitigated by the appliance’s internal firewall, which limits access to the configuration services to localhost; an attacker therefore needs a foothold on the server first, which is consistent with the bulletin’s pre-requisite of admin access to the CLI.

Remedy:

CVE-2021-44519, CVE-2021-44520 – Medium severity:
XenMobile Server 10.14.0 rolling patch 4 and later releases of 10.14.0
XenMobile Server 10.13.0 rolling patch 7 and later releases of 10.13.0

CVE-2022-26151 – Low severity:
XenMobile Server 10.14.0 rolling patch 5 and later releases of 10.14.0
XenMobile Server 10.13.0 rolling patch 8 and later releases of 10.13.0

CVE-2022-22954 VMware Workspace ONE Access and Identity Manager encountered server-side template injection vulnerability (6 April 2022)

Preface: Several vulnerabilities in VMware products (CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, and CVE-2022-22958) are reported to be at high risk of being exploited. System administrators should immediately install patches to affected systems to reduce the risk of cyber-attacks.

Background: VMware Workspace ONE is an intelligence-driven digital workspace platform that enables you to simply and securely deliver and manage any app on any device, anywhere. You can add Web applications to the Workspace ONE Access catalog and assign them to users and groups to provide users access to these applications from the Workspace ONE Intelligent Hub app and portal. You configure single sign-on (SSO) to the applications by using a federation protocol such as SAML 2.0 to configure the applications.

Vulnerability details: CVE-2022-22954 – VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution. Templates are part of the product’s normal operation: for example, an administrator can create a template that lets a group of clients register dynamically with the VMware Identity Manager service, giving users access to a specific application.

Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server.

Remedy:

HW-154129 – Patch instructions to address CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961 in Workspace ONE Access Appliance (VMware Identity Manager) (88099) – https://kb.vmware.com/s/article/88099

HW-154129 – Workaround instructions to address CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960 in Workspace ONE Access Appliance (VMware Identity Manager) (88098) – https://kb.vmware.com/s/article/88098

About CVE-2022-28796 – A use-after-free race was found in fs/jbd2/transaction[.]c in the Linux kernel (8th Apr 2022)

Preface: JBD2 is the journaling layer used by the ext4 file system; its commit thread shows up as jbd2/<device>. Buffers can sit in the shadow (BH_Shadow) state while a commit copies them out, which can hurt system performance. To address this, Alibaba Cloud Linux 2 provides a tuning interface in kernel version 4.19.81-17.

Background:

  • Ext3 would call an allocator for each block
    A 100MB file would need to call the allocator 25600 times for each individual block in Ext3
  • Ext4 only calls the allocator once for each file
    In Ext4, the allocator is called only once to allocate the 25600 blocks

Ext4 uses 48-bit internal addressing, making it theoretically possible to allocate files up to 16 TiB on filesystems up to 1,000,000 TiB (1 EiB). Early implementations of ext4 were still limited to 16 TiB filesystems by some userland utilities, but as of 2011, e2fsprogs has directly supported the creation of >16TiB ext4 filesystems. As one example, Red Hat Enterprise Linux contractually supports ext4 filesystems only up to 50 TiB and recommends ext4 volumes no larger than 100 TiB.

Lustre is an open source parallel distributed file system (DFS) specialized for large-scale cluster computing. The name is a portmanteau of Linux and cluster. Lustre is used by many supercomputers and large multi-cluster sites; a large percentage of supercomputers use Lustre file systems. LCOC (Lustre Cache on Client) provides a group of local caches: each client has its own SSD-backed local cache. For example, LCOC uses ext4 on a Samsung SSD 850 EVO 500GB as the local cache.

Vulnerability details: CVE-2022-28796 – jbd2_journal_wait_updates in fs/jbd2/transaction[.]c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.

A use-after-free of this kind usually comes from a gap in the locking discipline: one path frees the object while another path still holds a pointer to it, and an attacker who can steer the timing turns that race into a use-after-free. Here the developers found the following.
jbd2_journal_wait_updates() is called with j_state_lock held, but it drops the lock while it waits. If a commit is in progress, the transaction it was waiting on can be committed by jbd2_journal_commit_transaction() and then freed by jbd2_journal_free_transaction() during that window, so the waiter comes back holding a dangling transaction_t pointer.

Solution: Upgrade to 5.18-rc2 or a stable release that carries the fix (the CVE entry lists kernels before 5.17.1 as affected).
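The race above as an added, single-threaded model; it is not jbd2 code. The waiter drops the journal lock to wait, the commit path runs inside that window and "frees" the running transaction, and the buggy waiter keeps using the pointer it read before the wait. To make the stale pointer inspectable, "free" poisons a static transaction object instead of calling free(); in a real kernel KASAN would report the access instead. All names (journal_t, transaction_t, state_lock, wait_unlocked) are invented.

```c
/* Added example, not jbd2 code: a single-threaded model of the race. "Free"
 * poisons a static object rather than releasing memory, so the buggy path can
 * detect that it is about to use a freed transaction. */
#include <stdio.h>

#define TX_MAGIC 0x7a6f4a42u

typedef struct transaction {
    unsigned magic;             /* TX_MAGIC while live, 0 once "freed" */
    int      updates;           /* outstanding updates the waiter waits on */
} transaction_t;

typedef struct journal {
    transaction_t *running;     /* stands in for j_running_transaction */
    int locked;                 /* stands in for j_state_lock */
    int commit_pending;         /* a commit runs as soon as the lock drops */
} journal_t;

static transaction_t pool_tx;   /* the only transaction in this model */

static void state_lock(journal_t *j)   { j->locked = 1; }
static void state_unlock(journal_t *j) { j->locked = 0; }

/* Stands in for the commit thread: commit and free the running transaction. */
static void commit_if_pending(journal_t *j)
{
    if (j->commit_pending && j->running && !j->locked) {
        j->running->updates = 0;
        j->running->magic = 0;  /* jbd2_journal_free_transaction() in the model */
        j->running = NULL;
        j->commit_pending = 0;
    }
}

/* Drop the lock, sleep, retake it; the commit can run in between. */
static void wait_unlocked(journal_t *j)
{
    state_unlock(j);
    commit_if_pending(j);
    state_lock(j);
}

/* Buggy: keeps the transaction pointer read before the lock was dropped.
 * Returns -1 if it goes on to use a freed transaction, 0 otherwise. */
int wait_updates_buggy(journal_t *j)
{
    state_lock(j);
    transaction_t *t = j->running;
    while (t && t->updates > 0) {
        wait_unlocked(j);
        if (t->magic != TX_MAGIC) {   /* stale pointer: use-after-free */
            state_unlock(j);
            return -1;
        }
    }
    state_unlock(j);
    return 0;
}

/* Fixed: re-read j->running every time the lock is reacquired. */
int wait_updates_fixed(journal_t *j)
{
    state_lock(j);
    transaction_t *t = j->running;
    while (t && t->updates > 0) {
        wait_unlocked(j);
        t = j->running;               /* NULL if the commit freed it */
    }
    state_unlock(j);
    return 0;
}

/* One running transaction with an update outstanding and a commit pending,
 * so the commit always runs during the first wait. */
int run(int fixed)
{
    pool_tx.magic = TX_MAGIC;
    pool_tx.updates = 1;
    journal_t j = { &pool_tx, 0, 1 };
    return fixed ? wait_updates_fixed(&j) : wait_updates_buggy(&j);
}

int main(void)
{
    printf("buggy waiter: %d (-1 means it used a freed transaction)\n", run(0));
    printf("fixed waiter: %d\n", run(1));
    return 0;
}
```

The general rule the fixed version follows: any pointer read under a lock is only valid until that lock is dropped; after reacquiring it, re-read the pointer from its owner rather than trusting a local copy.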

About CVE-2022-22519: CODESYS V3 runtime systems (CmpWebServer) encounter buffer-over-read (7th April 2022)

Preface: President Biden’s Executive Order is modernizing the Federal Government’s defenses and improving the security of widely used technology. In March 2022, he urged U.S. companies operating critical infrastructure, including the energy sector, to harden their digital defenses.

Background: CODESYS (formerly CoDeSys, an acronym for Controller Development System) is a hardware- and manufacturer-independent integrated development environment for programmable logic controller applications, compliant with IEC 61131-3. IEC 61131-3:2013 specifies the syntax and semantics of a unified suite of programming languages for programmable controllers (PCs). CODESYS Control RTE SL is a real-time soft PLC for PC-based industrial controllers running Windows. The runtime system has its own real-time kernel: without additional hardware components or OS extensions, system jitter stays in the microsecond range.

Vulnerability details: A remote, authenticated attacker can send specially crafted HTTP or HTTPS requests that cause a buffer over-read in CODESYS V3 runtime systems (CmpWebServer).
A buffer over-read is like a buffer overflow, except that it occurs during a read operation: while reading from a buffer, the program goes past the buffer boundary and reads adjacent memory.
In languages like C, a program is free to access any part of its virtual memory through a pointer. Buffer over-reads therefore occur when pointers or indexes are incremented beyond the bounds of the buffer (when iterating an array or reading a string), or when pointer arithmetic yields an address outside the valid region.

Impact: maliciously crafted inputs that exploit the missing bounds check make the server read memory it was never meant to expose, which discloses whatever lies next to the buffer or crashes the runtime. The same defect also arises from ordinary programming errors, without any attacker involved.
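The defect class above in working form, as an added example that is not CODESYS code and does not reflect the actual CmpWebServer request layout: a request carries a declared field length, the vulnerable parser trusts it and reads past the bytes actually received, the hardened parser bounds the declared length by what was received. The request, the invented one-byte length field and the "secret" placed after it in memory are all constructed for the demo; the request lives inside a larger arena so the over-read stays in the program's own memory and can be measured instead of crashing.

```c
/* Added example, not CODESYS code: a length-declared field parsed without a
 * bounds check versus with one. Request layout, names and the adjacent
 * "secret" are invented. The buffer sits inside a larger arena so the
 * over-read stays inside this program's memory and can be measured. */
#include <stdio.h>
#include <string.h>

#define ARENA 128

/* Arena: [request bytes][secret that happens to follow them in memory] */
static unsigned char arena[ARENA];
static const char    secret[] = "SESSION=deadbeef";

/* Constructed request: 1-byte declared field length, then the payload. */
static size_t build_request(unsigned char declared, const char *payload)
{
    size_t plen = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = declared;
    memcpy(arena + 1, payload, plen);
    memcpy(arena + 1 + plen, secret, sizeof secret);   /* the "adjacent memory" */
    return 1 + plen;                                   /* bytes actually received */
}

/* Vulnerable: trusts the declared length. Copies that many bytes into out and
 * returns how many of them came from beyond the received request (0 = none). */
size_t read_field_vuln(const unsigned char *req, size_t received,
                       unsigned char *out, size_t outsz)
{
    size_t n = req[0];
    if (n > outsz) n = outsz;
    memcpy(out, req + 1, n);                 /* no check against 'received' */
    return n + 1 > received ? n + 1 - received : 0;
}

/* Hardened: the declared length must fit in what was received and in out.
 * Returns the field length or -1 when the request is refused. */
int read_field_safe(const unsigned char *req, size_t received,
                    unsigned char *out, size_t outsz)
{
    if (received < 1) return -1;
    size_t n = req[0];
    if (n > received - 1 || n > outsz) return -1;   /* over-read refused */
    memcpy(out, req + 1, n);
    return (int)n;
}

/* Same constructed request ("GET /", 5 bytes) with a chosen declared length. */
size_t demo_vuln(unsigned char declared)
{
    unsigned char out[64];
    size_t received = build_request(declared, "GET /");
    return read_field_vuln(arena, received, out, sizeof out);
}

int demo_safe(unsigned char declared)
{
    unsigned char out[64];
    size_t received = build_request(declared, "GET /");
    return read_field_safe(arena, received, out, sizeof out);
}

int main(void)
{
    printf("vulnerable, declared 40: %zu byte(s) read past the request\n", demo_vuln(40));
    printf("hardened,   declared 40: rc=%d (refused)\n", demo_safe(40));
    printf("hardened,   declared 5:  rc=%d (field length)\n", demo_safe(5));
    return 0;
}
```

With a declared length of 40 and only 6 bytes received, the vulnerable reader returns 35 leaked bytes, which include the session string placed after the request; the hardened reader refuses the same request and accepts the honest one.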

Official announcement: For details, please refer to the link – https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17094&token=2fb188e2213c74194e81ba61ff99f1c68602ba4d&download=

About CVE-2022-28390 – Double free found in the Linux kernel’s CAN/USB interface driver, ems_usb (4th Apr 2022)

Preface: If a workstation running Linux kernel 5.17.1 or earlier uses this driver, the CAN/USB adapter and the peer devices behind it are at risk: the double free may allow an attacker to execute arbitrary code in the kernel, from where the adjacent CAN peer devices can be reached.

Background: The CANbus USB adapter connects a CANbus to the USB port of a PC or notebook, which also supplies the power to the adapter (no power supply needed). The CAN/USB Data Converter allows a personal computer to act as a diagnostic analyzer during development and testing of an automotive ECU (electronic control unit) or industrial field bus system that supports the CAN communications protocol.

Vulnerability details: ems_usb_start_xmit in drivers/net/can/usb/ems_usb[.]c in the Linux kernel through 5.17.1 has a double free. Doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code.

According to the developer’s (Hangyu Hua) explanation: there is no need to call dev_kfree_skb() when usb_submit_urb() fails because can_put_echo_skb() deletes the original skb and can_free_echo_skb() deletes the cloned skb.

Known limitations: dev_kfree_skb() is a macro wrapper around the normal skb free path (kfree_skb()/consume_skb()), which drops one reference and frees the buffer only when the count reaches zero. The “__”-prefixed variant, __kfree_skb(), bypasses the reference count. Generally speaking, a leading “__” on a kernel function name signals that some checks are omitted and the caller must take care, so verify who owns the reference before calling such functions.

Solution: upgrade to v5.18-rc1.

About CVE-2022-26912 : Microsoft Edge privilege escalation (5th Apr, 2022)

Preface: Chromium is a free and open-source web browser project, principally developed and maintained by Google. This codebase provides the vast majority of code for the Google Chrome browser, which is proprietary software and has some additional features. The new Microsoft Edge is based on Chromium and was released on January 15, 2020. It is compatible with all supported versions of Windows, and macOS.

Background: The story begins in 2018, when, following market trends, Microsoft decided to move away from EdgeHTML to the Chromium codebase and the Blink rendering engine. Chromium-based browsers have been expanding their market share ever since, so when a design weakness occurs in Chromium it can affect the partner products built on it, Edge included.

Vulnerability details: CVE-2022-26912 – Microsoft Edge privilege escalation
Microsoft Edge could allow a remote attacker to gain elevated privileges on the system. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code with higher privileges.
Important – The remote host has a web browser installed that is affected by multiple vulnerabilities.

Since Microsoft did not explain the details, symptoms similar to CVE-2022-26912 may appear in the following area; perhaps this information will encourage you to dig further.
CSS Animations is a CSS module that lets you animate the values of CSS properties over time using keyframes. The behaviour of these keyframe animations can be controlled by specifying their timing function, duration, number of repetitions and other attributes.
As early as 2007, WebKit announced its intent to include CSS animations, transitions and transforms as features of WebKit.
Use-after-free errors occur when a program continues to use a pointer after the memory it points to has been freed. Page content has no way to explicitly ask the browser to collect garbage, so the timing of frees in the animation machinery is entirely up to the engine.
Example of the class: a use-after-free when Array.sort() is called with a comparator function whose two arguments are untracked by the garbage collector.

Solutions: Apply fixes issued by the vendor: Update to version 100.0.1185.29

CVE-2022-28356 – Design weakness found on af_llc[.]c (in the Linux kernel before 5.17.1) -2nd Apr 2022

Preface: IEEE 802.2 provides two connectionless and one connection-oriented operational modes:
– Type 1 is an unacknowledged connectionless mode for a datagram service.
– Type 2 is a connection-oriented operational mode.
– Type 3 is an acknowledged connectionless service. It supports point-to-point communication only.

Background: af_llc[.]c (LLC User Interface SAPs):
Description: functions in this module implement socket-based LLC communications for the Linux operating system. Support for LLC class one and class two is provided via SOCK_DGRAM and SOCK_STREAM respectively.
Generally speaking, TCP uses SOCK_STREAM and UDP uses SOCK_DGRAM.

Vulnerability details: In the Linux kernel before 5.17.1, a refcount leak bug was found in net/llc/af_llc[.]c. Refcount bugs happen when the increments and decrements of an object’s reference count do not balance: every path that takes a reference (for a net device, dev_hold()) must be matched by a release (dev_put()) once that path no longer needs the object.
The names recall the x86 inc and dec instructions, which add 1 to or subtract 1 from a register or memory operand, and the kernel does adjust the counter atomically in much the same spirit. But when to perform the decrement depends entirely on the ownership rules the developers intended for the tracked object, and a missed decrement on an error path is the classic mistake.

Reminder: Whenever llc_ui_bind() and/or llc_ui_autobind() took a reference on a netdevice but subsequently fail, they must properly release their reference.

Synopsis from the developer’s findings (the kernel log line): unregister_netdevice: waiting for eth0 to become free. Usage count = 3
Result: when the interface is torn down, the kernel waits for every holder of the device to drop its reference. The leaked references never are dropped, so the unregister path waits forever and keeps logging the message above. That is the visible symptom of a refcount leak.

Resolution: Upgrade to Linux 5.17.1 or later. The “Linux-2.6.12-rc2” reference in the fix is its Fixes: tag, marking where the bug was introduced (the initial git import of the kernel), not a version to upgrade to.
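The leak and its symptom as an added example, not af_llc code: a netdevice-style usage count, a bind that takes a reference before a check that can fail, and an unregister that reports how many references nobody will ever drop. The names (net_device, sock, dev_hold, dev_put) follow kernel naming but are stand-ins; the scenario of two failed binds plus one successful socket is constructed so the buggy run reproduces the "Usage count = 3" from the log line above.

```c
/* Added example, not af_llc code: a netdevice-style usage count, a buggy and
 * a fixed bind, and an unregister that reports leaked references. Names
 * mimic the kernel's but everything here is a stand-in. */
#include <stdio.h>

struct net_device {
    const char *name;
    int refcnt;                     /* 1 = only the core's own reference */
};

struct sock { struct net_device *dev; };

static void dev_hold(struct net_device *d) { d->refcnt++; }
static void dev_put(struct net_device *d)  { d->refcnt--; }

/* Buggy bind: takes a reference, then fails a later check and returns without
 * dropping it. The socket never took ownership, so nobody ever will. */
int bind_buggy(struct sock *sk, struct net_device *d, int sap_busy)
{
    dev_hold(d);
    if (sap_busy)
        return -1;                  /* reference leaked here */
    sk->dev = d;                    /* success: the socket owns the reference */
    return 0;
}

/* Fixed bind: every failure after dev_hold() releases the reference. */
int bind_fixed(struct sock *sk, struct net_device *d, int sap_busy)
{
    dev_hold(d);
    if (sap_busy) {
        dev_put(d);                 /* the fix */
        return -1;
    }
    sk->dev = d;
    return 0;
}

/* Closing the socket drops the reference it owns. */
void sock_release(struct sock *sk)
{
    if (sk->dev) {
        dev_put(sk->dev);
        sk->dev = NULL;
    }
}

/* Returns the number of references nobody will ever drop. The kernel loops
 * here forever, logging "waiting for <dev> to become free. Usage count = N". */
int unregister_netdevice(struct net_device *d)
{
    int stuck = d->refcnt - 1;
    if (stuck > 0)
        printf("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
               d->name, d->refcnt);
    return stuck;
}

/* Two binds that fail (SAP busy), one that succeeds and is closed normally. */
int leaked_refs(int fixed)
{
    struct net_device eth0 = { "eth0", 1 };
    struct sock s1 = { NULL }, s2 = { NULL }, s3 = { NULL };
    if (fixed) {
        bind_fixed(&s1, &eth0, 1);
        bind_fixed(&s2, &eth0, 1);
        bind_fixed(&s3, &eth0, 0);
    } else {
        bind_buggy(&s1, &eth0, 1);
        bind_buggy(&s2, &eth0, 1);
        bind_buggy(&s3, &eth0, 0);
    }
    sock_release(&s3);
    return unregister_netdevice(&eth0);
}

int main(void)
{
    printf("buggy: %d leaked reference(s)\n", leaked_refs(0));
    printf("fixed: %d leaked reference(s)\n", leaked_refs(1));
    return 0;
}
```

The kernel's own answer to this error-path pattern is a single exit label that releases the reference, so that no early return can skip the dev_put(); the fixed variant above is the minimal form of that discipline.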

About CVE-2022-0998: Linux Kernel’s virtio device driver design weakness (30th Mar 2022)

Preface: Suppose a function receives an array of bytes whose size is chosen by the calling code, say 500 bytes, and then reads a length from somewhere else, say 1000.
If it then tries to read 1000 bytes into the 500-byte array without checking that the array is big enough, and without reading in chunks and concatenating when it is not, it runs past the end of the buffer. In the kernel that typically ends with an error in the log and, often, a halted system.

Background: KVM (Kernel-based Virtual Machine) is a Linux kernel module that gives a user-space program access to the hardware virtualization features of various processors; with it, QEMU can offer hardware-assisted virtualization for x86, PowerPC and S/390 guests.
Virtio is a virtualization standard for network and disk device drivers where just the guest’s device driver “knows” it is running in a virtual environment, and cooperates with the hypervisor. As a physical NIC, the virtio device supports features such as many offloadings, and can let the real host’s device do them. To send a packet, the driver sends to the device a buffer that includes metadata information such as desired offloadings for the packet, followed by the packet frame to transmit.

Vulnerability details: An integer overflow flaw was found in the Linux kernel’s virtio device driver code in the way a user triggers the vhost_vdpa_config_validate function. This flaw allows a local user to crash or potentially escalate their privileges on the system.

Official announcement – about their troubleshooting: “The added ‘c->off > size’ test in that commit will be done as an unsigned comparison on 32-bit (safe due to not being signed). On a 64-bit platform, it will be done as a signed comparison, but in that case the comparison will be done in 64-bit, and ‘c->off’ being an u32 it will be valid thanks to the extended range (ie both values will be positive in 64 bits). So this was a real bug, but it was already addressed and marked for stable.” For more details, please refer to the link – https://lore.kernel.org/netdev/20220123001216.2460383-13-sashal@kernel.org/

Reference: u32 is the kernel’s 32-bit unsigned integer type.
size_t is the unsigned integer type that the sizeof operator returns in C/C++. Its width is chosen so that it can hold the size of the largest object the platform can address, so it is 32 bits on a 32-bit system and 64 bits on a 64-bit one.
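The validation pattern the announcement describes, as an added example that is not the vhost code: a config-space access request with an offset and a length, checked against the device's config size. The buggy variant only compares the length with the remaining space, so an offset beyond the end makes the unsigned subtraction wrap and the check passes; the fixed variant adds the ‘c->off > size’ test first. The request structure, the 256-byte config size and the error codes used (from errno.h) are assumptions for the demo.

```c
/* Added example, not vhost/vdpa code: the validate pattern with and without
 * the 'off > size' test. Names, the request struct and the 256-byte config
 * space used by the demo are invented. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct config_req {
    uint32_t off;   /* offset into the device config space */
    uint32_t len;   /* bytes to read or write */
};

/* Before the fix: only checks len against the remaining space. When off exceeds
 * size, 'size - off' wraps to a huge size_t and the request is accepted. */
int config_validate_buggy(const struct config_req *c, size_t size)
{
    if (c->len == 0)
        return -EINVAL;
    if (c->len > size - c->off)
        return -E2BIG;
    return 0;
}

/* After the fix: reject an offset past the end first, so the subtraction
 * cannot wrap. With size_t on both sides the comparison is unsigned. */
int config_validate_fixed(const struct config_req *c, size_t size)
{
    if (c->len == 0)
        return -EINVAL;
    if (c->off > size)
        return -E2BIG;
    if (c->len > size - c->off)
        return -E2BIG;
    return 0;
}

/* Build a constructed request and run it through one of the two validators. */
int validate_req(int fixed, uint32_t off, uint32_t len, size_t size)
{
    struct config_req c = { off, len };
    return fixed ? config_validate_fixed(&c, size) : config_validate_buggy(&c, size);
}

int main(void)
{
    const size_t size = 256;                      /* assumed config space size */
    printf("off=300 len=16  buggy: %d  fixed: %d\n",
           validate_req(0, 300, 16, size), validate_req(1, 300, 16, size));
    printf("off=240 len=16  buggy: %d  fixed: %d\n",
           validate_req(0, 240, 16, size), validate_req(1, 240, 16, size));
    printf("off=240 len=17  buggy: %d  fixed: %d\n",
           validate_req(0, 240, 17, size), validate_req(1, 240, 17, size));
    return 0;
}
```

An offset of 300 against a 256-byte config space is accepted by the buggy check (0) and rejected by the fixed one (-E2BIG); in-range requests behave identically under both, which is why the bug survived ordinary testing.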