Category Archives: Cell Phone (iPhone, Android, windows mobile)

CVE-2024-23271: A logic issue was addressed with improved checks, said Apple. (24-04-2024)

Preface: How to use iframes? To use iframes, you create an <iframe> element and place it inside the <body> element of your web page. The src attribute specifies the web page to load into the iframe; for example, <iframe src="page2.html"> loads page2.html into the iframe. The width and height attributes set the size of the iframe.

Background: Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.

Vulnerability details: A logic issue was addressed with improved checks. This issue is fixed in iOS 17.3 and iPadOS 17.3, Safari 17.3, tvOS 17.3, macOS Sonoma 14.3, watchOS 10.3. A malicious website may cause unexpected cross-origin behavior.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-23271

CVE-2024-1065: About Arm 5th Gen GPU Architecture Kernel Driver (23-04-2024)

Original release date April 19, 2024

Preface: The Mali-G720 and Mali-G620 GPUs complete the world-class GPU portfolio for a wide range of consumer devices. After four generations of GPUs on the fourth-generation Valhall architecture, the latest Arm GPUs are built on a new fifth-generation GPU architecture (called Gen 5).

Background: The New 5th Gen Arm GPU Architecture

The 5th Gen GPU architecture introduces a key feature called Deferred Vertex Shading (DVS), which revolutionizes data flow within the GPU and expands the number of GPU cores, reaching up to 16 cores for enhanced performance.

The Arm 5th Gen GPU architecture is the most efficient GPU architecture Arm has ever created, designed with CPU and system architecture in mind. It redefines parts of the graphics pipeline to significantly reduce memory bandwidth, thus improving total system efficiency and power.

Technical reference: This tile-based approach solves the bandwidth problem of the traditional model because the fragment shader reads a small block (a tile) at a time and keeps it on chip. It does not need to access memory frequently; only when the final operation on the tile is complete is it written back to memory. Memory reads and writes can be reduced further by compressing tiles. In addition, when some areas of the image are unchanged, a function can be called to determine whether the tiles are the same, so that repeated rendering is avoided.

Vulnerability details: A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory.

Resolution: This issue is fixed in Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r49p0. Users are recommended to upgrade if they are impacted by this issue.

Affects:

Bifrost GPU Kernel Driver: All versions from r45p0 to r48p0

Valhall GPU Kernel Driver: All versions from r45p0 to r48p0

Arm 5th Gen GPU Architecture Kernel Driver: All versions from r45p0 to r48p0

Official announcement: Please refer to the link for details – https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities

CVE-2024-27086: MSAL.NET applications susceptible to local denial of service in authentication flows (17th April 2024)

Preface: Upgrade from Xamarin to .NET: Microsoft support for Xamarin will end on May 1, 2024 for all Xamarin SDKs, including Xamarin.Forms.

Background: The Microsoft Authentication Library (MSAL) enables developers to acquire security tokens from the Microsoft identity platform to authenticate users and access secured web APIs. It can be used to provide secure access to Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API.

- Xamarin is an open-source platform for building modern and performant applications for iOS, Android, and Windows with .NET. Xamarin is an abstraction layer that manages communication of shared code with underlying platform code.

- .NET Multi-platform App UI (.NET MAUI) apps can be written for the following platforms: Android 5.0 (API 21) or higher, and iOS 11 or higher.

Vulnerability details: The MSAL library enables acquisition of security tokens to call protected APIs. MSAL.NET applications targeting Xamarin Android and .NET Android (e.g., MAUI) using the library from versions 4.48.0 to 4.60.0 are impacted by a low severity vulnerability. A malicious application running on a customer Android device can cause local denial of service against applications that were built using MSAL.NET for authentication on the same device (i.e., prevent the user of the legitimate application from logging in) due to incorrect activity export configuration.

Solution: MSAL.NET version 4.60.1 includes the fix.

Workaround: developers may explicitly mark the MSAL.NET activity as non-exported.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-27086

CVE-2024-21468 – iommu: Fix missing return check of arm_lpae_init_pte (8th Apr 2024)

Preface: This vulnerability was posted on April 1 2024. For details, please refer to the Qualcomm April 2024 Security Bulletin.

Background: EL1 can access most system registers, EL2 has additional privileges, and EL3 has all privileges. The only way that the processor can change from one exception level to a higher level is when an exception occurs.

In computing, an input–output memory management unit is a memory management unit connecting a direct-memory-access–capable I/O bus to the main memory. Like a traditional MMU, which translates CPU-visible virtual addresses to physical addresses, the IOMMU maps device-visible virtual addresses to physical addresses.

Qualcomm “B” family devices which are not compatible with arm-smmu have a similar looking IOMMU but without access to the global register space, and optionally requiring additional configuration to route context irqs to non-secure vs secure interrupt line.

Vulnerability details: Use After Free in Kernel. A UAF scenario may occur in clients with EL1 privileges for IOVA mappings when the return value of arm_lpae_init_pte is not checked, which may lead to a PTE being counted as set even if it already existed. This can leave a dangling IOMMU PTE mapped and pointing to a freed object, and cause a UAF in the client if the dangling PTE is accessed after a failed unmap operation.
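
To make the missing-return-check pattern concrete, here is an added toy model in C; it is not Qualcomm's or the Linux kernel's code, and the names init_pte, map_range_buggy, map_range_checked, the page-table layout and the constructed scenario are all hypothetical. The buggy caller claims all four pages as its own although entry 2 was never written by it, so any later teardown driven by that count is out of step with the table; the fixed caller checks every result and rolls back what it wrote.

```c
#include <stdint.h>
#include <stddef.h>
#define NPTES     8
#define PTE_VALID 1u
typedef struct { uint64_t pte[NPTES]; } pgtable_t;

/* Stand-in for arm_lpae_init_pte: never overwrite a valid PTE; report -1. */
static int init_pte(pgtable_t *t, size_t idx, uint64_t paddr)
{
    if (idx >= NPTES || (t->pte[idx] & PTE_VALID))
        return -1;
    t->pte[idx] = paddr | PTE_VALID;
    return 0;
}

/* Buggy caller (the CVE pattern): result dropped, every entry counted as ours. */
size_t map_range_buggy(pgtable_t *t, size_t start, size_t n, uint64_t paddr)
{
    for (size_t i = 0; i < n; i++)
        (void)init_pte(t, start + i, paddr + i * 4096); /* result ignored */
    return n;                                           /* claims all n mapped */
}
/* Fixed caller: stop at the first failure, roll back only what this call wrote. */
size_t map_range_checked(pgtable_t *t, size_t start, size_t n, uint64_t paddr)
{
    size_t mapped = 0;
    for (; mapped < n; mapped++) {
        if (init_pte(t, start + mapped, paddr + mapped * 4096) != 0) {
            while (mapped > 0) t->pte[start + --mapped] = 0;
            return 0;
        }
    }
    return mapped;
}

/* Constructed scenario: entry 2 already belongs to another mapping; try a 4-page map over 0..3. */
static size_t run(int use_checked, pgtable_t *t)
{
    t->pte[2] = 0xdead0000u | PTE_VALID;
    return use_checked ? map_range_checked(t, 0, 4, 0x1000)
                       : map_range_buggy(t, 0, 4, 0x1000);
}
int reported_pages(int use_checked) { pgtable_t t = {{0}}; return (int)run(use_checked, &t); }
int valid_pages(int use_checked)       /* entries 0..3 that are valid afterwards */
{
    pgtable_t t = {{0}}; int v = 0;
    run(use_checked, &t);
    for (size_t i = 0; i < 4; i++) v += (t.pte[i] & PTE_VALID) != 0;
    return v;
}
```

The buggy path reports 4 pages while one of the four valid entries is someone else's; the checked path reports 0 and leaves only the foreign entry in place.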

Official announcement: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2024-bulletin.html

What are the security updates for 17.4.1? Apple, as always, won’t tell you the details of the vulnerability! (22-03-2024)

Preface: iPhone XS is powered by the A12 Bionic processor. iPhone 13 and iPhone 13 Mini use the Apple-designed A15 Bionic chip system. Additionally, the iPhone 15 is powered by a six-core Apple A16 Bionic processor. All of the above Bionic processors have one thing in common: they are 64-bit ARM-based systems on a chip (SoC) designed by Apple Inc.

Speculation: If you remember, a vulnerability related to AMD was announced on 15th Mar, 2024 (CVE-2024-21930), a Spectre v1 variant inheriting the Spectre v1 weakness, so called GhostRace. But this design weakness is not limited to AMD. For example, ARM Limited has not announced that it is unaffected by this vulnerability. So, do you think Apple Inc. might be worried about this vulnerability and therefore prioritize updating firmware and the Linux-based OS to mitigate this risk?

Official announcement: Please refer to the link for details – https://support.apple.com/en-us/HT201222

CPU hardware utilizing speculative execution may be vulnerable to speculative race conditions – https://www.kb.cert.org/vuls/id/488902

CVE-2024-23278: An app may be able to break out of its sandbox (11th Mar 2024)

Vulnerability CVE-2024-23278 was released on March 7, 2024. Apple didn’t reveal specific details, so let’s see if we can dig out any clues.

Preface: XPC has a sizeable portion of undocumented functionality, including its implementation (for example, the main project libxpc is closed source). XPC provides a public API at two levels: low-level and Foundation wrappers.

Background: XPC is the enhanced IPC framework used in macOS/iOS. Since its introduction in version 10.7/5.0, its use has exploded. XPC has a fairly large undocumented portion of its functionality, which includes its implementation (the main project libxpc, for example, is closed source). XPC provides public APIs on two levels: the low level and the Foundation wrappers.

Vulnerability details: The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6.5, macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, tvOS 17.4. An app may be able to break out of its sandbox.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-23278

CVE-2023-28582 Buffer Copy Without Checking Size of Input in Data Modem (8th Mar 2024)

This issue was fixed on 2023/09/04. But the vendor did not announce the vulnerability until today (March 8, 2024).

Preface: Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications by allowing them to communicate in a way designed to prevent eavesdropping, tampering, or message forgery.

Background: 5G security standards bring enhancements to air interface and transport security mechanisms used in 4G.

In terms of transport security, the N2/N3 interfaces connecting the access and core networks and Xn interfaces connecting base stations use IPsec in 4G for transport security. 5G additionally supports Datagram Transport Layer Security (DTLS) over Stream Control Transmission Protocol (SCTP) to secure signaling transmission on the control plane, ensuring transport security between RANs and core networks. Operators can select a transport security protection scheme based on security requirements to prevent data breach and attacks on the transport network.

Vulnerability details: Memory corruption in Data Modem while verifying hello-verify message during the DTLS handshake.

Official announcement: https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2024-bulletin.html

CVE-2023-49100: TF-A before 2.10 has a potential read out-of-bounds in the SDEI service (21-02-2024)

Preface: Trusted Firmware-A (TF-A) provides a reference implementation of secure world software for Armv7-A, Armv8-A and Armv9-A, including a Secure Monitor executing at Exception Level 3 (EL3) and a Secure Partition Manager running at Secure EL2 (S-EL2) of the Arm architecture.

Background: Software Delegated Exception Interface (SDEI) provides a mechanism for registering and servicing system events from system firmware. This specification defines a standard interface that is vendor-neutral, interoperable, and software portable. The interface is offered by a higher Exception level to a lower Exception level, in other words, by a Secure platform firmware to hypervisor or hypervisor to OS or both.

System events are high priority events, which must be serviced immediately by an OS or hypervisor. These events are often orthogonal to normal OS operation and the events can be handled, even when the OS is executing within its own critical section with interrupts masked. System events can be provided to support: Platform error handling (RAS), Software watchdog timer, Sample-based profiling & Kernel debugger.

Vulnerability details: Trusted Firmware-A (TF-A) before 2.10 has a potential read out-of-bounds in the SDEI service. The input parameter passed in register x1 is not validated well enough in the function sdei_interrupt_bind. The parameter is passed to a call to plat_ic_get_interrupt_type. It can be any arbitrary value passing checks in the function plat_ic_is_sgi. A compromised Normal World (Linux kernel) can enable a root-privileged attacker to issue arbitrary SMC calls. Using this primitive, he can control the content of registers x0 through x6, which are used to send parameters to TF-A. Out-of-bounds addresses can be read in the context of TF-A (EL3). Because the read value is never returned to non-secure memory or in registers, no leak is possible. An attacker can still crash TF-A, however.
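
The check the advisory describes as missing, written out as an added C sketch; this is not TF-A's code, and the interrupt table, its routing, MAX_INTR, the SDEI status values and the "only non-secure interrupts may be bound" policy are assumptions made for the example. The first function shows the vulnerable shape (an SGI test as the only guard before a table read indexed by x1), the second validates the whole 64-bit register against the platform range before anything indexes with it.

```c
#include <stdint.h>

/* Constructed platform model (not TF-A's code): 16 SGIs (0..15), then
 * PPIs/SPIs up to MAX_INTR-1; the type table contents are made up. */
#define MAX_INTR  64
#define SGI_LIMIT 16
enum intr_type { INTR_TYPE_NS = 0, INTR_TYPE_S_EL1 = 1, INTR_TYPE_EL3 = 2 };
enum { SDEI_SUCCESS = 0, SDEI_EINVAL = -2, SDEI_EDENY = -3 };

static enum intr_type intr_table[MAX_INTR];

/* Hypothetical routing: odd PPIs/SPIs handled in Secure EL1, the rest non-secure. */
static void init_table(void)
{
    for (unsigned int i = 0; i < MAX_INTR; i++)
        intr_table[i] = (i >= SGI_LIMIT && (i & 1)) ? INTR_TYPE_S_EL1 : INTR_TYPE_NS;
}

static int plat_ic_is_sgi(unsigned int id) { return id < SGI_LIMIT; }

/* Shape of the flaw: x1 arrives straight from the SMC caller, the SGI test is
 * the only guard, and the table read follows. Returns 1 when the value would
 * reach that read with an index outside intr_table (no read is performed). */
int bind_reaches_oob_read(uint64_t x1)
{
    unsigned int intr = (unsigned int)x1;     /* silent truncation of x1 */
    if (plat_ic_is_sgi(intr))
        return 0;                             /* rejected with SDEI_EINVAL */
    return intr >= MAX_INTR;                  /* would index intr_table[intr] */
}

/* Hardened bind: compare the whole 64-bit register against the platform's
 * range before anything indexes with it, reject SGIs, bind only NS interrupts. */
int sdei_interrupt_bind_fixed(uint64_t x1)
{
    if (x1 >= MAX_INTR)
        return SDEI_EINVAL;
    unsigned int intr = (unsigned int)x1;     /* safe: x1 < MAX_INTR */
    if (plat_ic_is_sgi(intr))
        return SDEI_EINVAL;
    init_table();
    if (intr_table[intr] != INTR_TYPE_NS)     /* secure interrupts cannot be bound */
        return SDEI_EDENY;
    return SDEI_SUCCESS;
}
```

Note that a value such as 1<<40 truncates to 0 in the vulnerable shape and is mistaken for an SGI, which is why the hardened version compares the untruncated register first.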

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-49100

CVE-2023-33072: Buffer copy without checking size of Input in Core (6th Feb 2024)

Preface: The title states that Buffer does not check the size of the input in Core when copying. But I believe it is more important to avoid unauthorized copying.

Background: An OpenCL Buffer is a 1D, 2D or 3D array in global memory. It is an abstract object that can be addressed through a pointer. Buffers are Read-Only, Write-Only or Read-Write. An Image buffer represents GPU texture memory. It represents an array of pixels that can be accessed via functions specifying pixel x, y, z coordinates. There is no pointer access to Image pixels on the GPU.

OpenCL supports buffer and image objects (and pipe objects from OpenCL 2.0). The one-dimensional buffer objects are a natural choice for many developers due to their simplicity and flexibility, such as the support of pointers, byte-addressable access, etc. Images, by contrast, allow the hardware to handle out-of-bounds reads automatically.

Vulnerability details: The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Date Reported: 2022/12/20

Customer Notified Date: 2023/08/07

Official details: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2024-bulletin.html

CVE-2023-5643: Mali GPU Kernel Driver allows improper GPU memory processing operations (5th Feb 2024)

Preface: Out-of-bounds writes, by the common explanation, are the consequence of writing to memory outside the boundaries of the buffer or to invalid memory, where the root cause is not sequential copying of too much data from a fixed starting position. This may include issues such as incorrect pointer arithmetic, or access to invalid pointers due to incomplete initialization or memory deallocation.

Background: Arm Mali-G71 is the first high-end GPU to implement the Mali Bifrost architecture. Bifrost enables high-end mobile GPUs to provide additional computing performance. This additional performance is used to solve the increasingly complex problems of modern use cases such as VR and high-fidelity gaming.

Vulnerability details: A local non-privileged user can make improper GPU memory processing operations. Depending on the configuration of the Mali GPU Kernel Driver, and if the system’s memory is carefully prepared by the user, then this in turn could write to memory outside of buffer bounds.

Affected products:

Bifrost GPU Kernel Driver: All versions from r41p0 – r45p0

Valhall GPU Kernel Driver: All versions from r41p0 – r45p0

Arm 5th Gen GPU Architecture Kernel Driver: All versions from r41p0 – r45p0

Official details: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-5643