Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: NSX Data Center for vSphere provides networking and security functionality for your vSphere environment, including logical switching, logical routing, Distributed Firewall, load balancer, NAT, and VPN. NSX Data Center for vSphere is installed as a plug-in to VMware vCenter Server®.

Vulnerability details: The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper input validation in the NSX Edge appliance component. A local user with access to NSX-Edge appliance (NSX-V) can pass specially crafted argument to unspecified shell utility and execute arbitrary OS commands as root.

One of the possibilities: An attacker can exploit a command injection in the NETCONF over SSH access (TCP port 830). the SSH configuration checks if the commands starts with scp and then, evaluates the command as a whole, resulting in a command injection instead of allowing scp command only.
Attacker has a chance to identified a SUID program that can be used to gain full root privileges on the system.

Official announcement: Refer to the link for details – https://www.vmware.com/security/advisories/VMSA-2022-0005.html

Preface: The number 2,147,483,647 (or hexadecimal 7FFF,FFFF) is the maximum positive value for a 32-bit signed binary integer.

Background: TensorFlow is an end-to-end open source platform for machine learning. It has a comprehensive, flexible ecosystem of tools, libraries and community resources that lets researchers push the state-of-the-art in ML and developers easily build and deploy ML powered applications. TensorFlow and Scikit-learn, two of the most popular words from the jargon of the Machine Learning world!

Scikit-learn (sklearn) is positioned as a general-purpose machine learning library , but TensorFlow (tf) is positioned as a deep learning library .

For easy to understand on what ways of processing data with machine learning models. See below details.
– Traditional machine learning: use feature engineering to artificially refine and clean the data
– Deep learning: using representation learning, the machine learning model itself refines the data

Vulnerability details: Under certain scenarios, Grappler component of TensorFlow is vulnerable to an integer overflow during cost estimation for crop and resize. Since the cropping parameters are user controlled, a malicious person can trigger undefined behavior.

Ref: For example: If below setup is customized for agriculture yield analytic and artificial intelligence irrigation system. From design point of view, input not only limit to climatic parameters were considered in predicting the crop yield, the crop yield is influenced by many other input parameters such as irrigation, fertilizer application, pesticide application etc. Since those data will be defined as user input data (crop arguments are user controlled). In this circumstances, if such parameters does not implement maximum data input limit value or verification. As a result, it can trigger an overflow maliciously.

Impact: The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Remedy: Vendor have patched the issue in GitHub commit 0aaaae6eca5a7175a193696383f582f53adab23f.

The fix will be included in TensorFlow 2.8.0. It also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: NVIDIA License System supports the following types of service instances:

• Cloud License Service (CLS) instance. A CLS instance is hosted on the NVIDIA Licensing Portal.
• Delegated License Service (DLS) instance. A DLS instance is hosted on-premises at a location that is accessible from your private network, such as inside your data center.

NVIDIA License System is used to serve a pool of floating licenses to NVIDIA licensed products. The NVIDIA License System is configured with licenses obtained from the NVIDIA Licensing Portal. The license server is designed to be installed at a location that is accessible from a customer’s network, and be configured with licenses obtained from the NVIDIA Licensing Portal.

Vulnerability details: NVIDIA License System contains a vulnerability in the installation scripts for the DLS virtual appliance, where a user on a network after signing in to the portal can access other users’ credentials, allowing them to gain escalated privileges.

One of the possibilities: Traditional technology make use of service account concept.

Design weakness: Predefined sudo user account for a DLS virtual appliance.
Purpose: This user account has the elevated privileges required to update and upgrade the Ubuntu GPL/LGPL v3 licensed Open Source Software (OSS) libraries within the DLS virtual appliance.

Remark: This account is provided to comply with the terms of the GPL/LGPL v3 license under which some libraries in the Ubuntu operating system in the DLS virtual appliance are released.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5319

Preface: SOC → System on Chip. It is basically a cluster collection or group of different types of processor components like CPU[,GPU,Modems, DSP units and memory units.

ASIC → Application Specific Integrated Circuits. ASICs are chip that is basically hardwired to do a specific job.

Background: The SD/SDIO controller is compatible with the standard SD Host Controller Specification Version 2.0 Part A2 with SDMA (single operation DMA), ADMA1 (4 KB boundary limited DMA), and ADMA2 (ADMA2 allows data of any location and any size to be transferred in a 32-bit system memory – scatter-gather DMA) support. The core also supports up to seven functions in SD1, SD4, but does not support SPI mode. It does support SD high-speed (SDHS) and SD High Capacity (SDHC) card standards.

The Zynq®-7000 SoC family integrates the software programmability of an ARM®-based processor with the hardware programmability of an FPGA, enabling key analytics and hardware acceleration while integrating CPU, DSP, ASSP, and mixed signal functionality on a single device.

To build a custom Linux image, it’s recommended that you start with a Petalinux BSP for one of the Xilinx boards, and then customize the configuration to suit your needs.

Vulnerability details: A vulnerability has been found in Xilinx Zynq-7000 and classified as critical. On Xilinx Zynq-7000 SoC devices, physical modification of an SD boot image allows for a buffer overflow attack in the ROM.

Ref: The SDIO controller is not documented in details because The SD/SDIO controller is compatible with the standard SD Host Controller Specification Version 2.0 Part A2.

Refer to the Zynq design, the ROM resets all of the interesting SDIO config registers each time it goes to send a command. Found that even though it blocks on the transaction completion. It doesn’t clear out the DMA base address register . If attacker modify the transfer data size, it can trigger a buffer overflow in this circumstance.

Official announcement: Refer the link for details – https://support.xilinx.com/s/article/76964?language=zh_CN

Preface: Apple has announced the launch of its new operating system, macOS 10.15 Catalina on October 7, 2019. In keeping with Apple’s release cycle, macOS 10.12 Sierra will no longer be receiving security updates. Sierra was replaced by High Sierra 10.13, Mojave 10.14, and the newest Catalina 10.15.

Background: SwiftNIO is Apple non-blocking networking library. It can be used to write either client libraries or server frameworks and works on macOS, iOS and Linux. Swift-nio-http2 follows SemVer 2.0.0 with a separate document declaring SwiftNIO’s Public API. The project (SwiftNIO HTTP/2) contains HTTP/2 support for Swift projects using SwiftNIO.SwiftNIO is the library to build backend servers in the Swift programming language. In SwiftNIO, you cannot model concurrent execution without at least an event loop. To execute your asynchronous code, you need to ask the EventLoopGroup for an EventLoop. You can use the method next() to get a new EventLoop, in a round-robin fashion.

Does SemVer have a size limit on the version string?
No, but use good judgment. A 255 character version string is probably overkill, for example. Also, specific systems may impose their own limits on the size of the string.

Vulnerability details:

CVE-2022-24668 – caused by a network peer sending ALTSVC or ORIGIN frames (vulnerable to a denial of service attack). The issue is fixed by rewriting the parsing code to correctly handle the condition.
CVE-2022-24667 – caused by a network peer sending a specially crafted HPACK-encoded header block (vulnerable to a denial of service attack). The issue is fixed by rewriting the parsing code to correctly handle all conditions in the function.
CVE-2022-24666 – caused by a network peer sending a specially crafted HTTP/2 frame (vulnerable to a denial of service attack). The issue is fixed by rewriting the parsing code to correctly handle the condition.

Ref.1: Security concern with HPACK – Denial of service resulting from exhausting processing or memory capacity at a decoder.

Ref2: Some regular expression engines have a feature called “backtracking”. If the token cannot match, the engine “backtracks” to a position that may result in a different token that can match.
Backtracking becomes a weakness if all of these conditions are met:

• The number of possible backtracking attempts are exponential relative to the length of the input.
• The input can fail to match the regular expression.
• The input can be long enough.

Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.

Remedy: The risk can be mitigated if untrusted peers can be prevented from communicating with the service.

Preface: Did you know someone is behind your computer?

Background: WRH–300x series is wireless LAN router for microminiature hotel corresponding to 11bgn300Mbps which can enjoy the Internet with the speed of about 4 times of LTE line.

Ref: 11BGN, 11AGN, and 11AC are wireless standards supported by wireless products. Among them, 11BGN refers to the 802.11b, 802.11g, and 802.11n standards, 11AGN refers to the 802.11a, 802.11g, and 802.11n standards, and 11ac refers to the 802.11ac standard.

Vulnerability Details: Certain versions of ELECOM LAN Routers allows an attacker on the adjacent network to execute an arbitrary OS command via unspecified vectors.

Synopsis: The PPPoEd service is used to create Point-to-Point Protocol over Ethernet (PPPoE) connections on LAN Router. The PPPoEd daemon uses the mount system command to load and start a networking device during PPPoE connection negotiation. However, PPPoEd relies on the PATH environment variable to locate the executable file for the mount command.

Likehood: A malicious user may be able to create an arbitrary program labeled mount. Execute Hijack Execution Flow,doing Path Interception by PATH Environment Variable.
PATH variable to refer to the new mount executable. When PPPoEd checks the PATH variable to locate the executable for the mount command, it follows the PATH entry enter the new version of mount (arbitrary program labeled mount).

Affected Products: WRH-300BK3 firmware v1.05 and earlier, WRH-300WH3 firmware v1.05 and earlier, WRH-300BK3-S firmware v1.05 and earlier, WRH-300DR3-S firmware v1.05 and earlier, WRH-300LB3-S firmware v1.05 and earlier, WRH-300PN3-S firmware v1.05 and earlier, WRH-300WH3-S firmware v1.05 and earlier, and WRH-300YG3-S firmware v1.05 and earlier

Official announcement: https://www.elecom.co.jp/news/security/20220208-02/

Preface: In addition to the traditional CVE risk level criteria, the critical level of vulnerability risk will depend on the processing technique.

Background: NVIDIA vGPU software is a graphics virtualization platform that provides virtual machines (VMs) access to NVIDIA GPU technology. In order to fulfill design objective, it is necessary enable an GPUDirect RDMA connection to NVIDIA GPUs on Linux. GPUDirect RDMA is a technology introduced in Kepler-class GPUs and CUDA 5.0 that enables a direct path for data exchange between the GPU and a third-party peer device using standard features of PCI Express. Examples of third-party devices are: network interfaces, video acquisition devices, storage adapters.

To add GPUDirect RDMA support to a device driver, a small amount of address mapping code within the kernel driver must be modified. This code typically resides near existing calls to get_user_pages().

Vulnerability details: NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (nvidia[.]ko), where a user in the guest OS can cause a GPU interrupt storm on the hypervisor host, leading to a denial of service.

In computing, remote direct memory access (RDMA) is a direct memory access from the memory of one computer into that of another without involving either one’s operating system. It is assumed that the software does not restrict or erroneously restrict access to resources by unauthorized actors. As a result, it allows vulnerabilities to occur. For more details, please refer to the attached diagram.

Impact: Affected Vendor/Software: URL Logo NVIDIA – NVIDIA Virtual GPU Software and NVIDIA Cloud Gaming version vGPU version 13.x (prior to 13.2), version 11.x (prior to 11.7) and version 8.x (prior 8.10).

Preface: The traditional content distribution network (CDN) can no longer meet the specifications of 5G networks because it requires high bandwidth, low latency and on demand massive connections. The bottlenecks of traditional CDN cannot been resolved the rapidly growth in video traffic, rate, and cost.

Background: Apache Traffic Server™ software is a fast, scalable and extensible HTTP/1.1 and HTTP/2 compliant caching proxy server. Traffic Control is a control plane for a CDN (Content Delivery Network).
In addition to being an HTTP proxy, Apache Traffic Server™ is also an HTTP cache. Traffic Server can cache any octet stream, although it currently supports only those octet streams delivered by the HTTP protocol. When such a stream is cached (along with the HTTP protocol headers) it is termed an object in the cache. Each object is identified by a globally unique value called a cache key.

Traffic Ops is the tool for administration (configuration and monitoring) of all components in a Traffic Control CDN. Traffic Portal uses the Traffic Ops API to manage servers, Cache Groups, Delivery Services, etc.

Vulnerability details: In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.

Weakness Enumeration: CWE-918: Server-Side Request Forgery (SSRF). For possible ways to trigger the specified vulnerability, please refer to the attached image.

Official announcement: https://lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vvz8n126f

Preface: If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory.

Background: Django itself is web framework used for developing web applications based on python. Which is used for making development proccess more simple and easy. It provides various built in things such as Django ORM, Forms, Security, Authentication, Admin and many third party packages that are available on django packages.

MultiPartParser

• It parses the incoming request form contents into QueryDict.
• It is used if “Content-Type” is set to “multipart/form-data”.
• request.data will be a QueryDict containing all the form parameters.
• request.files will be a QueryDict containing all the form files.
• FormParser and MultiPartParser together used for full support of HTML form data.

Vulnerability details: In below operating process sequence, a design weakness occurs . For more details, please see below:
Factors that expose this vulnerability. Content-Type should contain multipart and the boundary information.

• Step 1. UploadHandler instance that performs operations on the uploaded data.
• Step 2. Parse the header to get the boundary to split the parts.
• Step 3. Whether or not to signal a file-completion at the beginning of the loop.
• Step 4. If step 3 is negative, it cannot be sure a file is complete until it hit the next boundary/part of the multipart content. Loop will continue to run until the Boolean expression is TRUE.

Impact: An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

Remedy: Fixed CVE-2022-23833 (Fixed DoS possiblity in file uploads). Please refer to the link for details – https://github.com/django/django/blob/main/django/http/multipartparser.py