All posts by admin

CVE-2022-25845: About fastjson (security advisory) – 11th June 2022

Preface: Vulnerability management is part of the security development life cycle. You may be concerned about vulnerabilities, but in practice computer products (software and hardware) can hardly avoid design flaws altogether. That is the reality.

Background: Fastjson is Alibaba’s open source JSON parsing library, written in Java, which supports conversion between JSON-formatted strings and JavaBeans. It uses an “assumed ordered fast matching” algorithm to maximize the performance of JSON parsing. In other words, fastjson is a Java library that converts Java objects into their JSON representation and converts a JSON string back into an equivalent Java object.

Fastjson does not use Java’s native serialization mechanism for serialization and deserialization; it uses its own set of proprietary mechanisms.

Because its interface is simple and easy to use, it has been widely adopted in application scenarios such as cache serialization, protocol interaction, and web output.

Vulnerability details: The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data: under certain conditions the default autoType shutdown restrictions can be bypassed. Exploiting this vulnerability allows attacks on remote servers.

Workaround: If upgrading is not possible, you can enable [safeMode] – https://github.com/alibaba/fastjson/wiki/fastjson_safemode

Official announcement: Autotype bug fix, please refer to the link – https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15

CVE-2022-31045: ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing (9th June 2022)

Preface: It is hard to speculate what this technique (ill-formed headers) actually involves, and whether the method that Google experts used before, described below, can be applied here.

Background: Istio enables organizations to secure, connect, and monitor microservices, so they can modernize their enterprise apps more swiftly and securely. Istio manages traffic flows between services, enforces access policies, and aggregates telemetry data, all without requiring changes to application code.

How does a service mesh work?
Web services typically exchange data directly through APIs.
A service mesh architecture layer decouples communication from the application logic and uses a proxy or sidecar to manage communication between services and the control plane.

Vulnerability details: Ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing.

Reference: The following is the method that Google experts used before; whether it applies to this technique (ill-formed headers) is open to speculation.

They sent multiple large requests using the techniques listed below:

  • Have multiple requests, each with allocations that are ≈8kb.
  • Sending large bodies in the request that are ≈8kb.
  • We also had prior knowledge that Envoy’s HeaderMapImpl would malloc buffers to fit request header values, so using large headers could also force such allocations.

They populated the method header with ASCII ‘A’ (0x41) and the data payload with ASCII ‘B’ (0x42), set a breakpoint on the firing ASSERT, and inspected the memory contents under gdb.

Remedy: This vulnerability has been resolved in versions 1.12.8, 1.13.5, and 1.14.1.

Workarounds: Users are advised to upgrade. There are no known workarounds for this issue.

A buffer overflow occurred in Das U-Boot 2022.01 (8th June 2022)

Preface: It is not uncommon for a cyber attack to rewrite the bootloader: malicious code placed in the bootloader is executed after a restart. The code then hijacks the Linux boot process in memory, downloads the malware, and executes it with root privileges. Finally, the downloaded program attacks other devices through password scanning or remote code execution vulnerabilities.
The above scenario is capable of infecting various types of IoT devices, including ARM and MIPS architectures. The target victim device uses U-Boot[1] as the bootloader and Linux as the operating system.

Background: Das U-Boot (normally shortened to U-Boot) is a universal bootloader designed for use with a variety of embedded devices. It is commonly used in IoT devices to manage the boot process into the main operating system. The U-Boot bootloader allows you to update the firmware of your device over Ethernet: U-Boot uses the TFTP protocol to fetch firmware images from a TFTP server running on your computer and programs them onto the eMMC of the device.

Vulnerability details: Hole Descriptor Overwrite in U-Boot IP Packet Defragmentation Leads to Arbitrary Out of Bounds Write Primitive (CVE-2022-30790).

Impact: The U-Boot implementation of RFC815 IP DATAGRAM REASSEMBLY ALGORITHMS is susceptible to a Hole Descriptor overwrite attack which ultimately leads to an arbitrary write primitive.

Remedy: This bug was disclosed to the U-Boot support team and will be fixed in an upcoming patch. Update to the latest master branch version once the fix has been committed.

For more information on this vulnerability, see the following link – https://research.nccgroup.com/2022/06/03/technical-advisory-multiple-vulnerabilities-in-u-boot-cve-2022-30790-cve-2022-30552/

SAMSUNG Mobile Security JUN-2022 Updates – 7th June 2022

Preface: According to the information provided by the supplier, this vulnerability was reported on April 5, 2022, but we did not see that record until this month.

Background: Samsung Kies is the official tool from Samsung for Android devices. Using Samsung Kies, you can view apps in full screen on your Windows PC, no matter what network you are on. You can personalise services too, simply by becoming a Samsung Apps member or registering your mobile phone. If transferring data from a Samsung device to a PC is your main intention, Samsung Kies is a good choice.
Additional reference: The new version of Smart Switch lets you move data from your old device to your new Galaxy device quickly and easily.

Vulnerability details: A DLL hijacking vulnerability in KiesWrapper in Samsung Kies prior to version 2.6.4.22043_1 allows an attacker to execute arbitrary code. The patch changes how the default DLLs are loaded in Windows. Since the vendor has not released details yet, our speculation is based on the app design.

According to my observations, the following details may be related to this vulnerability, but I think MSCOREE[.]dll will be closely related to it.

“C:\Program Files (x86)\Samsung\Kies\KiesAgent[.]exe”
USER32[.]DLL
SHELL32[.]DLL
ADVAPI32[.]DLL
KERNEL32[.]DLL

“C:\Program Files (x86)\Samsung\Kies\Kies[.]exe”
MSCOREE[.]DLL

So, it is possible for a cyber criminal to exploit this design weakness through Reflective Code Loading.

About Reflective Code Loading: Reflective code injection is very similar to Process Injection, except that the “injection” loads code into the process’s own memory instead of that of a separate process. Reflective loading may evade process-based detections, since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.

Remedy: Install version 2.6.4.22043_1

For details, please refer to the official announcement – https://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=6

The developer has fixed the vulnerability before an attacker could exploit it (6th June 2022)

Preface: Packet filtering is divided into two categories:

  • Stateless (packet filtering) – the polar opposite of stateful
  • Stateful (packet filtering)

Stateless (packet filtering): Also known as an access control list (ACL), it does not store information about the connection state. Stateless ACLs apply to the network and physical layers, and sometimes to the transport layer in order to find out the source and destination port numbers. When the sender’s packet passes through a filter, the device checks it for matches against any of the ACL rules configured in the filter and then drops or rejects the packet accordingly.

Background: Netfilter is an infrastructure: it is the basic API that the Linux 2.4 kernel offers to applications that want to view and manipulate network packets. Netfilter offers various functions and operations for packet filtering, network address translation, and port translation.

Vulnerability details: A use-after-free vulnerability was found in the Linux kernel’s Netfilter subsystem in net/netfilter/nf_tables_api[.]c. This flaw allows a local attacker with user access to cause a privilege escalation.
Remark: nft_expr_init() calls expr->ops->init() first and only then checks for NFT_STATEFUL_EXPR; this still allows a non-stateful lookup expression that points to a set to be initialized, which might lead to a UAF since the set is not properly detached from set->binding in this case. The specific debugging method is shown in the attached drawing.

Red Hat Bugzilla – Bug 2092427
Bug 2092427 (CVE-2022-1966) – CVE-2022-1966 kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root
Please refer to the link for details – https://bugzilla.redhat.com/show_bug.cgi?id=2092427

CVE-2022-32296: The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used. (5th June 2022)

Preface: The move of the TCP hashtable functions/structs to inet_hashtables.[ch] happened 17 years ago.
On April 27, 2022, an unpublished paper reported that clients can be accurately identified by forcing them to issue 40 times more connections than there are entries in the table_perturb[] table, which is indexed by hashed tuples.
The current 2^8 setup allows them to perform this attack using only 10k connections, which is not hard to do in seconds.

Background: TCP – dynamically allocate the perturb table used by source ports. The kernel keeps INET sockets in a hash table so that the lookup operation is reasonably fast.

The vulnerability will be triggered under the following circumstances.
Stochastic Fair Queuing: This queuing mechanism is based on the fair queuing algorithm proposed by John Nagle in 1987. Because it is impractical to have one queue for each conversation, SFQ uses a hashing algorithm that divides the traffic over a limited number of queues. It is less efficient than other queuing mechanisms, but it also requires less computation while being almost perfectly fair. It is called “stochastic” because it does not actually assign a queue to every session; it has an algorithm that divides traffic over a restricted number of queues using a hashing algorithm. SFQ assigns a fairly large number of FIFO queues.

Ref: Stochastic Fairness Queueing is a classless queueing discipline available for traffic control with the tc(8) command. Example: man sfq

Vulnerability details: The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used.

RFC 6056, Section 3.3.4, Algorithm 4: Double-Hash Port Selection Algorithm
From the kernel commit “tcp: dynamically allocate the perturb table used by source ports”: note that 32-bit integers are used (vs. the RFC’s ‘short integers’) because 2^16 is not a multiple of num_ephemeral, and this property might be used by a clever attacker.

Remedy: The solution is to increase the perturb table from 2^8 to 2^16 entries, so that the same precision now requires 2.6M connections, which is more difficult in this time frame and harder to hide as background activity. The impact is that the table now uses 256 kB instead of 1 kB, which could mostly affect devices making frequent outgoing connections. However, such components usually target a small set of destinations (load balancers, database clients, performance assessment tools), and in practice only a few entries will be visited. Please refer to the link for details – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5
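To make the remedy concrete, here is an added Python model of RFC 6056 Algorithm 4 (the double-hash port selection the kernel implements) with the perturbation table size as a parameter; it is an illustration written for this post, not kernel code. The HMAC-SHA256 keyed hashes, the 32768–60999 ephemeral range and the sample addresses are assumptions; the table-size and connection-count figures come from the remedy above.

```python
"""RFC 6056 Algorithm 4 (double-hash port selection) with the perturbation
table size as a parameter, so the pre-5.17.9 (2^8 entries) and fixed (2^16
entries) configurations can be compared. Added illustration, not kernel code."""
import hashlib
import hmac
import secrets

# Linux default ip_local_port_range; assumed here for illustration.
MIN_EPHEMERAL, MAX_EPHEMERAL = 32768, 60999
NUM_EPHEMERAL = MAX_EPHEMERAL - MIN_EPHEMERAL + 1


def _keyed_hash(key: bytes, *fields) -> int:
    """F() and G() of the RFC are unspecified keyed hashes; HMAC-SHA256 is an
    assumption made here and is not what the kernel uses."""
    msg = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


class PortSelector:
    def __init__(self, table_bits: int, key1: bytes = b"", key2: bytes = b""):
        self.mask = (1 << table_bits) - 1
        # Initialization step of the RFC: every entry starts at a random value.
        self.table = [secrets.randbelow(1 << 16) for _ in range(1 << table_bits)]
        self.key1 = key1 or secrets.token_bytes(16)
        self.key2 = key2 or secrets.token_bytes(16)

    def select(self, local_ip: str, remote_ip: str, remote_port: int, in_use: set) -> int:
        """Pick a source port for the (local_ip, remote_ip, remote_port) tuple."""
        offset = _keyed_hash(self.key1, local_ip, remote_ip, remote_port)
        index = _keyed_hash(self.key2, local_ip, remote_ip, remote_port) & self.mask
        for _ in range(NUM_EPHEMERAL):
            port = MIN_EPHEMERAL + (offset + self.table[index]) % NUM_EPHEMERAL
            # The kernel keeps 32-bit counters here because 2^16 is not a
            # multiple of NUM_EPHEMERAL (see the commit message quoted above).
            self.table[index] += 1
            if port not in in_use:
                return port
        raise RuntimeError("no free ephemeral port")


def perturb_table_bytes(table_bits: int) -> int:
    """Table memory with 32-bit entries: 2^8 entries -> 1 kB, 2^16 -> 256 kB."""
    return (1 << table_bits) * 4


def connections_to_identify_client(table_bits: int) -> int:
    """Cost figure quoted in the post: about 40 connections per table entry,
    i.e. ~10k for 2^8 entries and ~2.6M for 2^16."""
    return 40 * (1 << table_bits)


if __name__ == "__main__":
    sel = PortSelector(table_bits=8)
    # Consecutive connections to the same destination share one table slot,
    # so their source ports advance by one; the enlarged table is what makes
    # that regularity expensive to observe across many destinations.
    print([sel.select("10.0.0.2", "192.0.2.1", 443, set()) for _ in range(3)])
    print(perturb_table_bytes(8), perturb_table_bytes(16))
```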

My point of view for CVE-2022-30127 (2nd June 2022)

Preface: The official release of the vulnerability did not elaborate, so we do not know what happened. Speculation may still help: even if you cannot figure out the root cause, it will let you learn more about your Edge browser.

Background: The new Microsoft Edge is based on Chromium and was released on January 15, 2020. It is compatible with all supported versions of Windows and macOS.
The Chromium engine is used for Microsoft Edge Chromium. The features of Microsoft Edge Chromium are not stable, as they keep changing. Microsoft Edge Chromium offers many types of user interfaces. From a customer’s point of view, Microsoft Edge is still developing.

Microsoft, in true maverick fashion, built its Edge browser with its own EdgeHTML browser engine and Chakra JavaScript engine. With the Edge 79 release, Microsoft switched to the Blink browser engine with the V8 JavaScript engine.

According to the Stable Channel Update for Desktop issued on Tuesday, April 26, 2022, a type confusion vulnerability was found in the V8 JavaScript engine.

Vulnerability details: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-30128.

Based on the attached diagram and the details above, I speculate that CVE-2022-30127 is related to a JavaScript engine design flaw. The technical problem that occurs will be a type confusion vulnerability.

Type confusion can be very dangerous because, in the low-level implementation of application software, a type is expressed as a layout of memory. With type confusion, the wrong function pointers or data are fed into the wrong piece of code. In some circumstances this can lead to code execution and elevation of privilege.

Official announcement: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30127

CVE-2022-29245 – SSH.NET from Sshnet fixes a security flaw in X25519 key exchange that could allow an attacker to eavesdrop on communications and decrypt them (31st May 2022)

Preface: Logging in with a key is safer than logging in with a password, since password logins are easily intercepted.

Background: The .NET Framework is a software development platform developed by Microsoft for building and running Windows applications. The .NET Framework consists of developer tools, programming languages, and libraries for building desktop and web applications. It is also used to build websites, web services, and games.

As a framework, .NET brings together everything it has under the hood for dealing with network connections. You can do peer-to-peer, FTP, HTTP, and direct socket connections, along with much more. However, there is no built-in support for SSH.

SSH[.]NET is a Secure Shell (SSH) library for [.]NET, optimized for parallelism and with broad framework support.

Vulnerability details: SSH.NET is a Secure Shell (SSH) library for .NET. In versions 2020.0.0 and 2020.0.1, during an X25519 key exchange, the client’s private key is generated with System.Random. System.Random is not a cryptographically secure random number generator and must therefore not be used for cryptographic purposes. When establishing an SSH connection to a remote host, during the X25519 key exchange, the private key is generated with a weak random number generator whose seed can be brute forced. This allows an attacker who is able to eavesdrop on the communications to decrypt them.

Remedy: Version 2020.0.2 contains a patch for this issue – https://github.com/sshnet/SSH.NET/releases/tag/2020.0.2

Workaround: As a workaround, one may disable support for curve25519-sha256 and curve25519-sha256@libssh.org key exchange algorithms.

CVE-2022-1934: mruby/mruby prior to 3.2 contains a Use After Free vulnerability (31st May 2022)

Preface: mruby/c is an implementation of mruby that inherits the features of Ruby and consumes less memory than the conventional mruby (a lightweight Ruby for embedded systems developed in Fukuoka).

Dassai | Asahishuzo (日本獺祭(旭酒造)) also uses mruby/c to develop winery-related monitoring equipment.

Background: mruby is a Fukuoka-developed programming language for embedded software. It is a version of the high-efficiency development language “Ruby” that has been made lightweight in order to use less memory, making it suitable for embedded software.
It works with a quarter of the amount of code that C requires, and because it is also highly readable, its strengths include high productivity, easy trial-and-error debugging and maintenance, and ease of learning.

Vulnerability details: mruby/mruby prior to 3.2 contains a Use After Free vulnerability, specifically a use-after-free in the function hash_new_from_values in mruby/mruby.

Remedy: The impact of this vulnerability is unclear. Upgrading to version 3.2 eliminates it.

Official announcement: https://github.com/mruby/mruby/commit/aa7f98dedb68d735a1665d3a289036c88b0c47ce

About macOS Monterey 12.3 (26th May 2022)

Preface: A CVE with similar symptoms occurred in March 2022.
CVE-2022-22633 – A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 8.5, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, macOS Monterey 12.3. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution.

Background: The IOMMU (Input–Output Memory Management Unit) is a feature commonly present in 64-bit x86 processors as well as other architectures. Linux’s support for the IOMMU has been a relatively disorganized development process, with several obscurities along the way. This is quite remarkable given that it is part of the kernel’s memory management, which plays a central role in the kernel’s functionality.

Quote:
macOS 12.3 (21E230) – “Kernel stack memory corruption detected” restart problem in the past.
An end user in the Apple community reported that he encountered kernel stack memory corruption when using a PCIe-4 card in a PCIe-3 external Thunderbolt-3 drive as the boot device.
My concept is based on enabling IOMMU kernel support: append amd_iommu=on to the kernel command line in /boot/grub/grub.conf so that the AMD IOMMU specifications are enabled at boot.
My assumption is that an attacker writes a malicious Linux PCI driver which, once it has successfully modified the IOMMU configuration, can make read/write accesses to kernel memory.

Vulnerability details: A memory corruption issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.4. An application may be able to execute arbitrary code with kernel privileges. For more details, please refer to the link – https://support.apple.com/en-us/HT213257