Category Archives: Application Development

CVE-2024-28862: The Ruby One Time Password library (ROTP) Affected versions had overly permissive default permissions (18-03-2024)

Preface: In this rushed, demanding digital world, people don’t think about what the back-end platform or its design is. Therefore, vulnerability management actually relies on vendors and software developers.

Background: Ruby on Rails is forming a niche as it is used by millions of websites, which includes well-known companies like Github, Shopify, Airbnb, Fiverr and more.

ROTP is a gem used to generate and verify TOTP (Time-Based One Time Password), rqrcode gem generates QR code SVG based on the generated TOTP.

Vulnerability details: The Ruby One Time Password library (ROTP) is an open source library for generating and validating one time passwords. Affected versions had overly permissive default permissions (CWE-276 – Incorrect Default Permissions).

When file has 666 permissions, which grants read and write permission to everyone. This CVE hits this matter.

Workaround: Users should patch to version 6.3.0. Users unable to patch may correct file permissions after installation.

Official announcement: Please refer to the link below for details –https://nvd.nist.gov/vuln/detail/CVE-2024-28862

Incorrect authorization vulnerability was identified in GitHub Enterprise Server (14 Feb-2024)

Preface: The main difference between the products is that GitHub Enterprise Cloud is hosted by GitHub, while GitHub Enterprise Server is self-hosted. GitHub Enterprise Cloud includes an enterprise account that lets you manage multiple organizations.

Sign in to the AWS Management Console and open the Developer Tools Console: https://console[.]aws[.]amazon[.]com/codesuite/settings/connections. Select Settings > Connections, then select Make a connection. To establish a connection to an installed GitHub Enterprise Server repository, select GitHub Enterprise Server.

Background: The GITHUB_TOKEN is an automatically generated secret that lets you make authenticated calls to the GitHub API in your workflow runs. Actions generates a new token for each job and expires the token when a job completes.

To modify the permission of the GITHUB_TOKEN, we can make the change at the enterprise, organisation or repository level. To do this go to settings, select Actions then General, here we will find the Workflow Permissions sections.

Vulnerability details: An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to create new branches in public repositories and run arbitrary GitHub Actions workflows with permissions from the GITHUB_TOKEN. To exploit this vulnerability, an attacker would need access to the Enterprise Server. This vulnerability affected all versions of GitHub Enterprise Server after 3.8 and prior to 3.12, and was fixed in versions 3.9.10, 3.10.7, 3.11.5. This vulnerability was reported via the GitHub Bug Bounty program.

Official details: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-1482

About CVE-2018-1311: Security update for xerces-c provided by SUSE on Feb 2024. Why do design weakness can tolerance by HPC Operating system for long year? (02-02-2024)

Preface: Different HPC compilers allow the coder to make use of these tools for better performance and capability. For example, using HPC compilers allow for easier coding to run a parallel job. Compilation is the process of converting C language source code into executable program code. Running is the process of executing executable code. Compilation only needs to be completed once to produce executable code. The resulting executable code can be run multiple times.

Background: XML parser for C++ determines whether an XML document is well-formed and optionally validates it against a DTD. A DTD is a Document Type Definition. A DTD defines the structure and the legal elements and attributes of an XML document. The parser constructs an object tree that can be accessed through a DOM interface or operates serially through a SAX interface.  SAX defines an abstract programmatic interface that models the XML information set (infoset) through a linear sequence of familiar method calls.

Validating an XML document determines whether the structure and content of the document conform to a set of rules.  Xerces-C++ is a validating XML parser written in a portable subset of C++.

Remark: SAX-type parsing performance of Fast Infoset is also much faster than parsing performance of XML 1.0.

Vulnerability details: A use-after-free vulnerability was found in xerces-c in the way an XML document is processed via the SAX API. Applications that process XML documents with an external Document Type Definition (DTD) may be vulnerable to this flaw. A remote attacker could exploit this flaw by creating a specially crafted XML file that would crash the application or potentially lead to arbitrary code execution.

Ref: To understand the twists and turns of this story, please refer to the pictures attached to this article.

Official details: Please refer to the link for details – https://www.suse.com/support/update/announcement/2024/suse-su-20240299-1/

VE-2023-6780: Do not contempt his power! (1st Feb 2024)

Preface: The GNU C Library – The project provides the core libraries for the GNU system and GNU/Linux systems. GLib is a platform library which is used by many hundreds of projects outside of GNOME.

Background: R is a language and environment for statistical programming which includes statistical computing and graphics. Python is a general-purpose programming language for data analysis and scientific computing. It is essential to know programming languages like R and Python in order to implement the whole Machine Learning process. Python and R both provide in-built libraries that make it very easy to implement Machine Learning algorithms.

What is glibc in Python? glibc provides a complete implementation of the ISO C standard library, which includes functions for file I/O, string manipulation, memory allocation, and more. This makes it easy for us to write portable and efficient code that can run on different systems.

Vulnerability details: An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.

Official details: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-6780

Android Security Bulletin – Released January 2024, covers a vulnerability in August 2023 (CVE-2023-21651) – 4th Jan 2024

Preface: According to the Android Security Bulletin, it releases a security bulletin once a month in the traditional way. However, if design limitations are related to other suppliers. The conclusion of the vulnerability details will be included the responses from relevant manufacturers. Therefore, Qualcomm also released its assessment of the severity of these problems.

I was not paying attention to this vulnerability in August 2023. Out of personal interest, maybe I’ll take this opportunity to dig into the details of this vulnerability. If you are interested, please become my guest.

Background: The full name of TEE is trusted execution environment, which is an area on the CPU of mobile devices (smart phones, tablets, smart TVs). The role of this area is to provide a more secure space for data and code execution, and to ensure their confidentiality and integrity.

Other TEE operating systems are traditionally supplied as binary blobs by third-party vendors or developed internally. Developing internal TEE systems or licensing a TEE from a third-party can be costly to System-on-Chip (SoC) vendors and OEMs.

Trusty is a secure Operating System (OS) that provides a Trusted Execution Environment (TEE) for Android. A Trusty application is defined as a collection of binary files (executables and resource files), a binary manifest, and a cryptographic signature. At runtime, Trusty applications run as isolated processes in unprivileged mode under the Trusty kernel

The Qualcomm Trusted Execution Environment software cryptographic library is part of the implemented software hybrid module. As part of the Snapdragon SoC architecture. It is the physical boundary of a single-chip software hybrid module.

Vulnerability details: Memory Corruption in Core due to incorrect type conversion or cast in secure_io_read/write function in TEE.

Official announcement: Please refer to the link for details –

Android: https://source.android.com/docs/security/bulletin/2024-01-01

Qualcomm: https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2023-bulletin.html

Don’t underestimate the impact of today’s open-source software development! (18th Dec 2023)

Preface: In ten years ago, if you talk to people that your product software development use opensource products. Most likely cyber security expert will query your decision. But the trend of open-source software products usage seems change. The truth is a lot of open-source products alliances with enterprise computer vendor. So, the patch will deliver quickly when vulnerability found. As a matter of fact, in the world no software can avoid vulnerability occur. Furthermore, since open-source less portion bother by business decision. So it similar a technology booster driven the technology running more faster.

Background: In essence, a neural network accepts inputs , does some processing and produces outputs. This input-process-output mechanism is called neural network feed-forward. Understanding the feed-forward mechanism is required. To create a neural network that solves difficult practical problems such as facial recognition or voice identification.

PyTorch provides the elegantly designed modules and classes, including torch[.]nn, to help you create and train neural networks. An nn[.]Module contains layers, and a method forward(input) that returns the output.

Today’s market trends: According to news article published on Nov 2019. For autopilot, Tesla trains around 48 networks that do 1,000 different predictions and it takes 70,000 GPU hours. Moreover, this training is not a one-time affair but an iterative one and all these workflows should be automated while making sure that these 1,000 different predictions don’t regress over time.

PyTorch, especially has become the go-to framework for machine learning researchers. It is fast and efficient, allowing users to quickly iterate on experiments and build models. PyTorch supports both CUDA and OpenCL, making it easy to take advantage of powerful GPUs for faster training.

There is no doubt about the future development of artificial intelligence, so the demand for GPUs goes hand in hand with autonomous driving.

Pulling back the curtain on Python satellite technology (24th Nov 2023)

Preface: Satellite communications use the very high-frequency range of 1–50 gigahertz (GHz; 1 gigahertz = 1,000,000,000 hertz) to transmit and receive signals. The frequency ranges or bands are identified by letters: (in order from low to high frequency) L-, S-, C-, X-, Ku-, Ka-, and V-bands. The band 435- 438 MHz is heavily used for amateur satellites in accordance with No. 5.282. No. 5.278 (WRC-19) provides primary status for the amateur service at 430-440 MHz in 11 countries in Region 2.

Background: About twenty-five years ago, satellites were advanced technology. Satellite technology services, especially GPS, have become commonplace today. Perhaps it is an invisible force that makes development stronger and stronger. Who is this knight? It is the Python programming language technology. But you may ask, why do people always say that Python program development has a large share in the industrial world including aerospace technology. Long story short, Python has ready-made software modules, and software developers can use similar concepts to start their new development. This is the advantage of open source software.

Pulling back the curtain on Python satellite technology: gr-satellites is an OOT module encompassing a collection of telemetry decoders that supports nearly 40 different Amateur satellites. This open-source project started in 2015 with the goal of providing telemetry decoders for all the satellites that transmit on the Amateur radio bands.

gr-satellites is a GNU Radio out-of-tree module encompassing a collection of telemetry decoders that supports many different Amateur satellites.It supports most popular protocols, such as AX.25, the GOMspace NanoCom U482C and AX100 modems, an important part of the CCSDS stack, the AO-40 protocol used in the FUNcube satellites, and several ad-hoc protocols used in other satellites.

The KISS frame allow transmission of AX.25 packet radio frames containing IP packets over an asynchronous serial link.

KISS stands for “Keep It Simple, Stupid” and is not only a design principle, but also one of the most used Host-to-TNC communication protocols in HAM Radios. It is a very simple protocol that standardizes the transmission of data, normally AX.25 packets, over a asynchronous serial link, like RS232 or UART. It allows the transmission any arbitrary data, with no length limitation.

Reference: Using GPS in amateur radio is about GPS and other GNSS (Global Navigation Satellite System) satellites and how we can use the data broadcast by them for amateur radio. You will find that GPS benefits in digital modes like FT8, WSPR, and WSJT which rely on accurate transmit and receive period timing and this is easy to achieve with internet access to international time servers.

Please refer to the link for details:

https://orbitntnu.com

https://github.com/daniestevez/gr-satellites

CVE-2023-29403: Are you falling into this Go runtime design weakness? (9th June 2023)

Preface: Go is garbage collected instead of manual memory management which is not suitable for a kernel.
Golang is useful for carrying out programming for scalable servers and large software systems. The Golang programming language was built to fill in the gaps of C++ and Java that Google came across while working with its servers and distributed systems.

Background: Go does have an extensive library, called the runtime, that is part of every Go program. The runtime library implements garbage collection, concurrency, stack management, and other critical features of the Go language.
The Go scheduler is part of the Go runtime, and the Go runtime is built into your application. This means the Go scheduler runs in user space, above the kernel.
For Go to “call the kernel directly” can exploit so-called ABI of the H/W and OS combo. For example: On linux, making a syscall requires filling a set of CPU registers with certain values, doing some other arrangements and then issuing the SYSENTER CPU instruction.
The 64-bit x86 Linux ABI supports the following entry points:

  • SYSCALL from 64-bit code;
  • interrupt 0x80 from 32- and 64-bit code;
  • SYSENTER from 32-bit code.

Vulnerability details: On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.

Official announcement: For details, please refer to the link- https://pkg.go.dev/vuln/GO-2023-1840

About CVE-2023-3006 – Specter-BHB on arm update on end of May 2023 (1st June 2023)

Preface: Speculate that this CVE is custom for Ampere Computing. Ampere Computing is an ARM architecture licensee and develops its own server microprocessors.

Background: Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.

Vulnerability details: CVE-2023-3006 – A known cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, becomes actual again for the new hw AmpereOne. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim s hardware context. Once that occurs, speculation caused by the mispredicted branches can cause cache allocation. This issue leads to obtaining information that should not be accessible.

Official details: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-3006

About CVE-2023-33962 – JStachio fails to escape single quotes in HTML (31st May 2023)

Preface: About 20 years ago, people know java is unsafe. Perhaps of technology trend, so whatever the design appyling java language. The flexibility and easy to use will let people contempt about awareness of cyber security. While Java is considered relatively safe because it is a server side language, there are still multiple ways to attack and access secure code you’d like to remain private.

Background: The Spring Framework is an application framework and inversion of control container for the Java platform. The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE platform.
Mustache is a logicless template engine and it is helpful for creating dynamic content like HTML and configuration files.
If your models are type based and not just Map then JStachio is good choice.

Ref:End-users only use JVM and JRE to execute the application program. JRE identifies all the helpful class libraries needed for execution, while JVM is a subclass of JRE that decodes the bytecode into machine language and other minor tasks. Each JVM server can have a maximum of 256 threads to run Java applications.

Vulnerability details: Prior to version 1.0.1, JStachio fails to escape single quotes ' in HTML, allowing an attacker to inject malicious code. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of other users visiting pages that use this template engine. This can lead to various consequences, including session hijacking, defacement of web pages, theft of sensitive information, or even the propagation of malware.

Solution: Version 1.0.1 contains a patch for this issue.

Workaround: To mitigate this vulnerability, the template engine should properly escape special characters, including single quotes. Common practice is to escape ' as &#39. As a workaround, users can avoid this issue by using only double quotes " for HTML attributes.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-33962