Preface: In technical aspect, a Socket[.]IO server can sustain 10,000 concurrent connections. Therefore you can build a chat experience and using Socket[.]IO as your realtime communication solution. But if you want chat users to receive push notifications when they’re not actively using the app, Socket[.]IO can’t help, as it relies on a persistent socket connection.

Background: Socket[.]IO is a library that enables real-time, bidirectional and event-based communication between the browser and the server.
A socket[.]io encoder and decoder written in JavaScript complying with version 4 of socket[.]io-protocol. Used by socket[.]io and socket[.]io-client.
In addition, a socket[.]io-parser has included. A socket.io encoder and decoder written in JavaScript complying with socket[.]io-protocol. Used by socket[.]io and socket[.]io-client.

Ref:socket-io[.] client is the code for the client-side implementation of socket[.]io[.] That code may be used either by a browser client or by a server process that is initiating a socket[.]io connection to some other server (thus playing the client-side role in a socket[.]io connection).

Vulnerability details: socket[.]io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket[.]io-protocol.

Potential impact: A specially crafted Socket[.]IO packet can trigger an uncaught exception on the Socket[.]IO server, thus killing the Node[.]js process.

Solution: A patch has been released in version 4.2.3.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-32695

Preface: Perhaps you feeling that it’s not follow best practice when it is a zero-day matter. Seems this CVE was late published. The fact is that the impact look serious. So before vendor resolve the problem. Vendor do not intent disclose to public. But problem resolved now.

Background: The User Identity Module may contain information such as the NAM (Number Assignment Module) and subscription feature information. Based on design, UIM can be integrated into the smartphone or it may be a R-UIM (Removable Identity Module).
Refer to vendor design mechanism, Reading a mobile subscriber identity from a memory device associated with the smartphone; determining if part or all of the mobile subscriber identity matches a data set entry within a file associated with the smartphone.
For example, a program assists find highest number in an array by the pointer. As a result, the result of high-array is the number of elements from the start of the array to the element pointed to by high, and that is the index of that element.

Ref: What is a Function Pointer? Function Pointers are pointers, i.e. variables, which point to an address of a function. The running programs get a certain space in the main memory. Both, the executable compiled program code and the used variables, are put inside this memory.

Vulnerability details: Qualcomm found that a memory corruption due to improper validation of array index in User Identity Module when APN TLV length is greater than command length.

Official details: Please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2022-33302

Preface: A race condition vulnerability typically occurs when your application has access to the same shared data and attempts to change variables within it simultaneously. Applications can become vulnerable to race conditions if they interact with other applications that use parallel processing or multiple threads.

Background: A process describes an individual running instance of a program. It has its own memory, which it does not share with other programs. A process can run code in multiple separate threads. These threads can run code independently of each other.
In Linux, a process is an instance of executing a program or command. While these processes exist, they’ll be in one of the five possible states:

• Running or Runnable (R)
• Uninterruptible Sleep (D)
• Interruptable Sleep (S)
• Stopped (T)
• Zombie (Z)

Ref: Zombie processes are already dead, so they cannot be killed, they can only be reaped, which has to be done by their parent process via wait*(). This is usually called the child reaper idiom, in the signal handler for SIGCHLD.

When a child process stops or terminates, SIGCHLD is sent to the parent process. The default response to the signal is to ignore it. The signal can be caught and the exit status from the child process can be obtained by immediately calling wait(2) and wait3(3C). This allows zombie process entries to be removed as quickly as possible.

Vulnerability details: A race condition was addressed with improved state handling.

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to gain root privileges

Official announcement: About the security content of iOS 16.5 and iPadOS 16.5. Please refer to the link – https://support.apple.com/en-us/HT213757

Preface: In smartphone, a GPU is similar a graphic card. Meanwhile, it’s the GRAPHICS PROCESSING UNIT which is similar to the CPU processor but instead it’s specifically dedicated for rendering 3D graphics. If your phone does not have one, then you will not be able to play any 3D games.

Background: Whenever a user space application requests a memory allocation for graphics processing, existing technology will seek to allocated nearest order pages from system memory (initially) to map to the GPU.
A patent design
KGSL pool is common for all the clients or processes that are using the graphics user space driver of the device. Whenever a user space application requests a memory allocation for graphics processing, existing design will seek to allocated nearest order pages from system memory (initially) to map to the GPU. Once the application is done with its work, it releases those pages back to the KGSL pool as free for another allocation.
the KGSL pool is common for all the clients or processes that are using the graphics user space driver of the device.

Vulnerability details: Memory Corruption in Graphics while accessing a buffer allocated through the graphics pool.

Official announcement – For details, please refer to the link below
Android: https://source.android.com/docs/security/bulletin/2023-05-01
Qualcomm: https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2023-bulletin.html

Preface: Why configure Secure Boot? This type of hardware restriction protects the operating system from rootkits and other attacks that may not be detected by antivirus software.

Background: Secure Boot is the process where the operating system boot images and code are authenticated against the hardware before they are authorized to be used in the boot process. The hardware is pre-configured to authenticate code using trusted security credentials. ARM architectures are the most common electronic design in the world, even though x86 is more common in the server market. ARM architectures are used in almost all smartphone designs, as well as in other small mobile devices and laptops.

Arm is the CPU architecture used by all modern smartphones in the Android and Apple ecosystems.

Vulnerability details: Trusted Firmware-A through 2.8 has an out-of-bounds read in the X.509 parser for parsing boot certificates. This affects downstream use of get_ext and auth_nvctr. Attackers might be able to trigger dangerous read side effects or obtain sensitive information about microarchitectural state.

Additional Details – One of its designs is not affected by this vulnerability:

If the config like below:

“load_auth_image” invoke “load_auth_image_internal” – See the attached picture for details

If the platform uses a custom image parser instead of the certificate
parser, the bug in the certificate parser is obviously not relevant. The
bug in auth_nvctr() may be relevant, but only if the returned data is:

• Taken from an untrusted source (meaning that it is read prior to
  authentication).
• Not already checked to be a primitively-encoded ASN.1 tag.
  In particular, if the custom image parser implementation wraps a 32-bit integer in an ASN.1 INTEGER, it is not affected.

Official announcement : Official details, please refer to url – https://nvd.nist.gov/vuln/detail/CVE-2022-47630

Denial of service from the big world to the small world

Preface: Perhaps the historical information can be enrich our knowledge base. Even through you think the information I posted by today not very useful. However this is so called database. See whether you are still interested in this matter today?

Background:

The Flutter framework is a popular, multi-platform UI toolkit that’s powered by the Dart platform, and that provides tooling and UI libraries to build UI experiences that run on iOS, Android, macOS, Windows, Linux, and the web. When creating configuration files for application projects, languages like Python and the Google-developed Flutter framework for Dart both use YAML (. yaml). Furthermore, YAML can be used to format containerized files. Cloud computing operations also using it.

There are several libraries available to parse. yaml is a popular library to read yaml files. yaml_writer library is used to write to a yaml file.

• yaml[.]dart for reading
• yaml_writer for write operations

yaml is a popular library in dart and flutter for reading the yaml file and yaml_writer for writing to yaml document.

Ref: YAML is a data serialization language that is often used for writing configuration files. Depending on whom you ask, YAML stands for yet another markup language or YAML ain’t markup language (a recursive acronym), which emphasizes that YAML is for data, not documents. 

Vulnerability details: Certain versions of Gopkg[.]in/yaml[.]v2 from Gopkg[.]inyaml[.]v2 contain the following vulnerability:
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.

Official announcement: For details about the vulnerability, please refer to the official announcement – https://pkg.go.dev/vuln/GO-2022-0956

Wish you a Happy New Year.

Preface: When an external GPU is connected to the iOS system. Refer to attached diagram , it will perform compute simulations on that external GPU. And thus graphics rendering on a built-in GPU.

According the current GPU design. Do you think is there desugn weakness happen here. For instance, memory access control and access permission.

Background: A MTLBuffer can’t be directly transferred between different devices; its data must be transferred via system memory. Refer to attached diagram. The sample calls the vm_allocate function to allocate a page-aligned buffer, updateAddress, backed by system memory. The sample then calls the newBufferWithBytesNoCopy:length:options:deallocator: method to create a new MTLBuffer, _updateBuffer, backed by the same system memory used for the previous buffer.

Vulnerability details: The issue was addressed with improved memory handling. This issue is fixed in iOS 16.2 and iPadOS 16.2. An app may be able to disclose kernel memory.

As details could not be found in the official announcement. My speculation is shown as below:

According to step 1 and 2 (refer to attached diagram), believe that it will have way to enhance the access control of GPU Driver buffer. The reason is that it may have potential risk  let attacker do manipulation with an unknown input leads to a memory corruption vulnerability. As a result, it may be possible for an application to leak kernel memory.

Official announcement: For details, see the link – https://support.apple.com/en-us/HT213530

• Christmas is celebrated to commemorate the birth of Jesus Christ, who Christians believe is the Son of God. Sunday, December 25, 2022 is Christmas. Maybe you don’t have this belief. However, I also wish you Merry Christmas and my best wishes to you and your family.