Category Archives: Application Development

AI and ML, Application Development, Potential Risk of CVE

Regarding CVE-2024-0108: The manufacturer did not describe much. Is the situation below exactly what CVE mentioned? (25/07/2024)

Leave a comment

Preface: What is an example of autonomous AI?

Autonomous intelligence is artificial intelligence (AI) that can act without human intervention, input, or direct supervision. It’s considered the most advanced type of artificial intelligence. Examples may include smart manufacturing robots, self-driving cars, or care robots for the elderly.

Background: What is Jetson AGX Xavier used for?

As the world’s first computer designed specifically for autonomous machines, Jetson AGX Xavier has the performance to handle the visual odometry, sensor fusion, localization and mapping, obstacle detection, and path-planning algorithms that are critical to next-generation robots.

Vulnerability details: NVIDIA Jetson Linux contains a vulnerability in NvGPU where error handling paths in GPU MMU mapping code fail to clean up a failed mapping attempt. A successful exploit of this vulnerability may lead to denial of service, code execution, and escalation of privileges.

Official announcement: Please refer to the official announcement for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5555

AI and ML, Application Development, Potential Risk of CVE

CVE-2024-6960: H2O Model Deserialization RCE (21st July 2024)

Leave a comment

Preface: TensorFlow provides a flexible framework for deep learning tasks, but may not be as optimized as H2O for handling large datasets.

Background: H2O uses Iced classes as the primary means of moving Java Objects around the cluster.

Auto-serializer base-class using a delegator pattern (the faster option is to byte-code gen directly in all Iced classes, but this requires all Iced classes go through a ClassLoader).

Iced is a marker class, and Freezable is the companion marker interface. Marked classes have 2-byte integer type associated with them, and an auto-genned delegate class created to actually do byte-stream and JSON serialization and deserialization. Byte-stream serialization is extremely dense (includes various compressions), and typically memory-bandwidth bound to generate.

Vulnerability details: The H2O machine learning platform uses “Iced” classes as the primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized (no class whitelist). An attacker can construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when imported to the H2O platform.

Official announcement: Please refer to the official announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2024-6960

AI and ML, Application Development, IoT, Potential Risk of CVE

A critical step in exploiting a buffer overflow is determining the offset where important program control information is overwritten. In the Linux kernel, the (CVE-2024-41011) vulnerability has been resolved. (18-07-2024)

Leave a comment

Preface: The PAGE_SIZE macro defined in the Linux kernel source determines the page size. Its definition is in the kernel header file /usr/src/kernels/5.14[.] 0-22. el9[.] x86_64/include/asm-generic/page.

Background: MMIO stands for Memory-Mapped Input/Output. In Linux, MMIO is a mechanism used by devices to interface with the CPU that involves mapping their control registers and buffers directly into the processor’s memory address space.

This enables the CPU to access device registers and exchange data with devices using load and store instructions, just as if they were conventional memory locations. Graphics cards, network interfaces, and storage controllers all employ MMIO to effectively conduct input and output tasks.

Vulnerability details: drm/amdkfd: don’t allow mapping the MMIO HDP page with large pages We don’t get the right offset in that case. The GPU has an unused 4K area of the register BAR space into which you can remap registers. We remap the HDP flush registers into this space to allow userspace (CPU or GPU) to flush the HDP when it updates VRAM. However, on systems with >4K pages, we end up exposing PAGE_SIZE of MMIO space.

Official announcement: Please refer to the official announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2024-41011

AI and ML, Application Development, Potential Risk of CVE, Science

CVE-2024-0102:  About NVIDIA® CUDA® Toolkit. If you remember, a similar incident happened in April of this year. Believe this is a weakness of similar designs. (11 July 2024)

Leave a comment

Preface: OpenAI revealed that the project cost $100 million, took 100 days, and used 25,000 NVIDIA A100 GPUs. Each server equipped with these GPUs uses approximately 6.5 kW, so an estimated 50 GWh of energy is consumed during training.

Background: Parallel processing is a method in computing of running two or more processors (CPUs) to handle separate parts of an overall task. Breaking up different parts of a task among multiple processors will help reduce the amount of time to run a program. GPUs render images more quickly than a CPU because of its parallel processing architecture, which allows it to perform multiple calculations across streams of data simultaneously. The CPU is the brain of the operation, responsible for giving instructions to the rest of the system, including the GPU(s).

NVIDIA CUDA provides a simple C/C++ based interface. The CUDA compiler leverages parallelism built into the CUDA programming model as it compiles your program into code.
CUDA is a parallel computing platform and programming interface model created by Nvidia for the development of software which is used by parallel processors. It serves as an alternative to running simulations on traditional CPUs.

Vulnerability details: NVIDIA CUDA Toolkit for all platforms contains a vulnerability in nvdisasm, where an attacker can cause an out-of-bounds read issue by deceiving a user into reading a malformed ELF file. A successful exploit of this vulnerability might lead to denial of service.

Official announcement: Please refer to the vendor announcement for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5548

AI and ML, Application Development, Blockchain, Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), Potential Risk of CVE

Get closer look CVE-2024-39920: About “SnailLoad” issue (5-Jul-2024)

Leave a comment

NVD Published Date: 07/03/2024

Preface: How is RTT measured in TCP? Measures the time from sending a packet to getting an acknowledgment packet from the target host.

Background: A new technology standard called “RFC 9293” was released on August 18, 2022.

Highlight:

-Acknowledgment Number:  32 bits – If the ACK control bit is set, this field contains the value of the next sequence number the sender of the segment is expecting to receive.  Once a connection is established, this is always sent.

-There are also methods of “fingerprinting” that can be used to infer the host TCP implementation (operating system) version or platform
information. These collect observations of several aspects, such as
the options present in segments, the ordering of options, the
specific behaviors in the case of various conditions, packet timing,
packet sizing, and other aspects of the protocol that are left to be
determined by an implementer, and can use those observations to
identify information about the host and implementation.

Vulnerability details: The TCP protocol in RFC 9293 has a timing side channel that makes it easier for remote attackers to infer the content of one TCP connection from a client system (to any server), when that client system is concurrently obtaining TCP data at a slow rate from an attacker-controlled server, aka the “SnailLoad” issue. For example, the attack can begin by measuring RTTs via the TCP segments whose role is to provide an ACK control bit and an Acknowledgment Number.

Official announcement: For detail, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2024-39920

AI and ML, Application Development, IoT, Potential Risk of CVE

CVE-2024-31335 GPU – PowerVR: Wrong order of operations in DevmemIntUnmapPMR2 may lead to temporarily dangling PTEs.AI accelerators called Neural Network Accelerator (NNA) staying alert! (7 June 2024)

Leave a comment

Official Posted: 31st May 2024

Preface: PowerVR not limited 2D and 3D rendering, and for video encoding, decoding, associated image processing. It also develops AI accelerators called Neural Network Accelerator (NNA). The IMG Series4 is a revolutionary neural network accelerator (NNA) for the automotive industry that enables ADAS and autonomous driving.

PowerVR accelerators are not manufactured by PowerVR, but instead their IP blocks of integrated circuit designs and patents are licensed to other companies.

Remark: An IP block is a reusable unit of logic, cell, or chip layout design and can be used as building block for various chip- and logic designs. By making this technology available NXP is opening up the opportunity for chip designers to leverage our building blocks in a wide assortment of on-chip solutions.

Background: What is DDK? To build the Android kernel and other kernel artifacts (modules, boot images, etc.), they provide a framework called “Kleaf”. For Android 14+, Kleaf is strongly recommended. One part of Kleaf is the Driver Development Kit (DDK) which is used to build external modules.

Vulnerability details: CVE-2024-31335 – GPU – PowerVR: Wrong order of operations in DevmemIntUnmapPMR2 may lead to temporarily dangling PTEs.

Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger use-after-free kernel exceptions.

Official announcement: For detail, please refer to link –

https://www.imaginationtech.com/gpu-driver-vulnerabilities/#may24

AI and ML, Application Development, Network (Protocol, Topology & Standard), Potential Risk of CVE

CVE-2024-0103 – NVIDIA Triton Inference Server for Linux hit Incorrect Initialization of Resource vulnerability (31-05-2024)

Leave a comment

Preface: AI-powered systems analyse the severity of the vulnerability, potential impact, and exploitability and prioritise patches based on the criticality of the vulnerability. Perhaps AI contains self diagostic and do remedy by himself!

Background: An open-source software that helps standardize model deployment and delivers fast and scalable AI in production.

Vulnerability details:

CVE-2024-0103 Information disclosure

NVIDIA Triton Inference Server for Linux contains a vulnerability where a user may cause an incorrect Initialization of resource by network issue. A successful exploit of this vulnerability may lead to information disclosure.

Ref: For example, the minimum packet size is 60 bytes (the card typically adds a frame checksum to this, making the minimum packet size on the line 64 bytes). If you only have 40 bytes, then it will still transmit 60 bytes.

Because 40 bytes you send plus the next 20 bytes that happen to be sitting in the buffer beyond the 40 you intended to send.

If you haven’t explicitly initialized that area, those 20 bytes might well be data leftover from a previously sent packet, which may have belonged to some other connection. Or that memory could have previously been a data page for some program that was recently running (and hence could contain a password, or an encryption key or just about any kind of sensitive information).

Official details: For detail, please refer to link – https://nvidia.custhelp.com/app/answers/detail/a_id/5546

AI and ML, Application Development, Potential Risk of CVE

CVE-2024-21661: Argo CD suffers denial of service (DoS) vulnerability (18-03-2024)

Leave a comment

Preface: What does multi threaded environment mean? Multithreading is the ability of a program or an operating system to enable more than one user at a time without requiring multiple copies of the program running on the computer.

Background: Argo CD is implemented as a Kubernetes controller which continuously monitors running applications and compares the current, live state against the desired target state (as specified in the Git repo). Hooks are simply Kubernetes manifests tracked in the source repository of your Argo CD Application. Synchronization can be configured using resource hooks. Hooks are ways to run scripts before, during, and after a Sync operation. Hooks can also be run if a Sync operation fails at any point. For example:

Using a Sync hook to orchestrate a complex deployment requiring more sophistication than the Kubernetes rolling update strategy.

Vulnerability details: An attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment.

Official announcement: Please see the link below for details – https://nvd.nist.gov/vuln/detail/CVE-2024-21661

Application Development, Potential Risk of CVE

CVE-2024-28862: The Ruby One Time Password library (ROTP) Affected versions had overly permissive default permissions (18-03-2024)

Leave a comment

Preface: In this rushed, demanding digital world, people don’t think about what the back-end platform or its design is. Therefore, vulnerability management actually relies on vendors and software developers.

Background: Ruby on Rails is forming a niche as it is used by millions of websites, which includes well-known companies like Github, Shopify, Airbnb, Fiverr and more.

ROTP is a gem used to generate and verify TOTP (Time-Based One Time Password), rqrcode gem generates QR code SVG based on the generated TOTP.

Vulnerability details: The Ruby One Time Password library (ROTP) is an open source library for generating and validating one time passwords. Affected versions had overly permissive default permissions (CWE-276 – Incorrect Default Permissions).

When file has 666 permissions, which grants read and write permission to everyone. This CVE hits this matter.

Workaround: Users should patch to version 6.3.0. Users unable to patch may correct file permissions after installation.

Official announcement: Please refer to the link below for details –https://nvd.nist.gov/vuln/detail/CVE-2024-28862

Application Development, Potential Risk of CVE

Incorrect authorization vulnerability was identified in GitHub Enterprise Server (14 Feb-2024)

Leave a comment

Preface: The main difference between the products is that GitHub Enterprise Cloud is hosted by GitHub, while GitHub Enterprise Server is self-hosted. GitHub Enterprise Cloud includes an enterprise account that lets you manage multiple organizations.

Sign in to the AWS Management Console and open the Developer Tools Console: https://console[.]aws[.]amazon[.]com/codesuite/settings/connections. Select Settings > Connections, then select Make a connection. To establish a connection to an installed GitHub Enterprise Server repository, select GitHub Enterprise Server.

Background: The GITHUB_TOKEN is an automatically generated secret that lets you make authenticated calls to the GitHub API in your workflow runs. Actions generates a new token for each job and expires the token when a job completes.

To modify the permission of the GITHUB_TOKEN, we can make the change at the enterprise, organisation or repository level. To do this go to settings, select Actions then General, here we will find the Workflow Permissions sections.

Vulnerability details: An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to create new branches in public repositories and run arbitrary GitHub Actions workflows with permissions from the GITHUB_TOKEN. To exploit this vulnerability, an attacker would need access to the Enterprise Server. This vulnerability affected all versions of GitHub Enterprise Server after 3.8 and prior to 3.12, and was fixed in versions 3.9.10, 3.10.7, 3.11.5. This vulnerability was reported via the GitHub Bug Bounty program.

Official details: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-1482