Category Archives: Cell Phone (iPhone, Android, Windows Mobile)

CVE-2024-1067: Mali GPU Kernel Driver allows improper GPU memory processing operations (8 May 2024)

Date of issue: 3rd May 2024

Preface: The Mali-G720 and Mali-G620 GPUs complete the world-class GPU portfolio for a wide range of consumer devices. After four generations of GPUs on the fourth-generation Valhall architecture, the latest Arm GPUs are built on a new fifth-generation GPU architecture (called Gen 5).

Background: The New 5th Gen Arm GPU Architecture

The 5th Gen GPU architecture introduces a key feature called Deferred Vertex Shading (DVS), which revolutionizes data flow within the GPU and expands the number of GPU cores, reaching up to 16 cores for enhanced performance.

The Arm 5th Gen GPU architecture is the most efficient GPU architecture Arm has ever created, designed with CPU and system architecture in mind. It redefines parts of the graphics pipeline to significantly reduce memory bandwidth, thus improving total system efficiency and power.

Technical reference: Tile-based rendering solves the bandwidth problem of the traditional model: the fragment shader reads one small tile at a time into on-chip memory and works on it there, so it does not need to touch main memory repeatedly; the finished tile is written back to memory only once the final operation has completed. Memory reads and writes can be reduced further by compressing tiles, and when some areas of the image are unchanged, a tile comparison can be used to detect identical tiles and skip re-rendering them.

Vulnerability details: A local non-privileged user can make improper GPU memory processing operations. On Armv8.0 cores, there are certain combinations of the Linux Kernel and Mali GPU kernel driver configurations that would allow the GPU operations to affect the userspace memory of other processes.

Ref: Arm did not provide details. Is the scenario in the attached diagram similar to this CVE?

Resolution: This issue is fixed in Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r48p0. Users are recommended to upgrade if they are impacted by this issue.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-1067

Starting from CVE-2024-34476, other design flaws have also been found; please use non-vulnerable Open5GS versions for development. (4-May-2024)

Preface: The two prerequisites for running Open5GS are the Open5GS core and MongoDB. MongoDB, a document-based database, is used for user equipment (UE) registration. Note that MongoDB depends on certain special processor instructions that Intel Celeron processors do not provide.

Background: The Access and Mobility Management Function (AMF) is one of the control plane network functions (NFs) of the 5G core network (5GC). In the 5G network architecture, the AMF is the first control-plane node that the gNB connects to, and it is responsible for access and mobility management. The Session Management Function (SMF) is responsible for session management.

Authentication messages are the set of NAS messages involved in authenticating a UE to the 5G RAN and core network. Three NAS messages are mainly involved, including AuthenticationRequest and AuthenticationResponse. The important information carried in the RegistrationRequest is the authentication key information.

Vulnerability details: Open5GS before 2.7.1 is vulnerable to a reachable assertion that can cause an AMF crash via NAS messages from a UE: ogs_nas_encrypt in lib/nas/common/security.c for pkbuf->len.
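As an added illustration, not Open5GS code: a minimal C model of the reachable-assertion pattern, with a constructed packet-buffer struct (nas_pkbuf_t, NAS_MAX_PDU and the function names are assumptions). It contrasts an encoder that asserts on the packet length, where one malformed NAS PDU from a single UE takes down the AMF, with one that validates and returns an error so the PDU is dropped and the NF keeps running.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-in for a packet buffer; not the Open5GS ogs_pkbuf_t. */
typedef struct { uint8_t *data; size_t len; } nas_pkbuf_t;
#define NAS_MAX_PDU 2048 /* assumed upper bound for this model */

/* Ciphering placeholder; a real NEA algorithm would run here. */
static void cipher_in_place(nas_pkbuf_t *pkbuf, uint8_t key)
{
    for (size_t i = 0; i < pkbuf->len; i++)
        pkbuf->data[i] ^= key;
}

/* Vulnerable shape: a length the peer influences reaches an assertion, so one
 * malformed NAS message aborts the whole AMF process. */
int encrypt_nas_asserting(nas_pkbuf_t *pkbuf, uint8_t key)
{
    assert(pkbuf->len > 0 && pkbuf->len <= NAS_MAX_PDU); /* reachable assertion */
    cipher_in_place(pkbuf, key);
    return 0;
}

/* Hardened shape: validate and return an error so the caller drops (and logs)
 * the PDU while the NF keeps serving other UEs. */
static int encrypt_nas_checked(nas_pkbuf_t *pkbuf, uint8_t key)
{
    if (pkbuf == NULL || pkbuf->data == NULL)
        return -1;
    if (pkbuf->len == 0 || pkbuf->len > NAS_MAX_PDU)
        return -2;
    cipher_in_place(pkbuf, key);
    return 0;
}

/* Run a constructed batch (valid, zero-length, valid) through the hardened
 * encoder. Returns the number of rejected PDUs, or -1 if a valid PDU was not
 * ciphered or the rejected one was touched. The asserting version would abort
 * at the second PDU instead of returning. */
static int demo_batch(void)
{
    uint8_t a[4] = {1, 2, 3, 4}, b[1] = {9}, c[2] = {7, 7};
    nas_pkbuf_t batch[3] = { {a, 4}, {b, 0}, {c, 2} };
    int rejected = 0;
    for (size_t i = 0; i < 3; i++)
        if (encrypt_nas_checked(&batch[i], 0xFF) != 0)
            rejected++;
    if (a[0] != 0xFE || b[0] != 9 || c[1] != 0xF8)
        return -1;
    return rejected;
}
```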

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2024-34476

CVE-2024-23271: A logic issue was addressed with improved checks, said Apple. (24-04-2024)

Preface: How to use iframes? To use iframes, you need to create an <iframe> element and place it inside the <body> element of your web page. You can use the src attribute to specify the web page you want to load into the iframe. For example, <iframe src="page2.html"> loads page2.html into the iframe. You can also use the width and height attributes to specify the size of the iframe.

Background: Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.

Vulnerability details: A logic issue was addressed with improved checks. This issue is fixed in iOS 17.3 and iPadOS 17.3, Safari 17.3, tvOS 17.3, macOS Sonoma 14.3, watchOS 10.3. A malicious website may cause unexpected cross-origin behavior.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-23271

CVE-2024-1065: About Arm 5th Gen GPU Architecture Kernel Driver (23-04-2024)

Original release date April 19, 2024

Preface: The Mali-G720 and Mali-G620 GPUs complete the world-class GPU portfolio for a wide range of consumer devices. After four generations of GPUs on the fourth-generation Valhall architecture, the latest Arm GPUs are built on a new fifth-generation GPU architecture (called Gen 5).

Background: The New 5th Gen Arm GPU Architecture

The 5th Gen GPU architecture introduces a key feature called Deferred Vertex Shading (DVS), which revolutionizes data flow within the GPU and expands the number of GPU cores, reaching up to 16 cores for enhanced performance.

The Arm 5th Gen GPU architecture is the most efficient GPU architecture Arm has ever created, designed with CPU and system architecture in mind. It redefines parts of the graphics pipeline to significantly reduce memory bandwidth, thus improving total system efficiency and power.

Technical reference: Tile-based rendering solves the bandwidth problem of the traditional model: the fragment shader reads one small tile at a time into on-chip memory and works on it there, so it does not need to touch main memory repeatedly; the finished tile is written back to memory only once the final operation has completed. Memory reads and writes can be reduced further by compressing tiles, and when some areas of the image are unchanged, a tile comparison can be used to detect identical tiles and skip re-rendering them.

Vulnerability details: A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory.

Resolution: This issue is fixed in Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r49p0. Users are recommended to upgrade if they are impacted by this issue.

Affects:

Bifrost GPU Kernel Driver: All versions from r45p0 to r48p0

Valhall GPU Kernel Driver: All versions from r45p0 to r48p0

Arm 5th Gen GPU Architecture Kernel Driver: All versions from r45p0 to r48p0

Official announcement: Please refer to the link for details – https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities

CVE-2024-27086: MSAL.NET applications susceptible to local denial of service in authentication flows (17th April 2024)

Preface: Upgrade from Xamarin to .NET: Microsoft support for Xamarin ends on May 1, 2024 for all Xamarin SDKs, including Xamarin.Forms.

Background: The Microsoft Authentication Library (MSAL) enables developers to acquire security tokens from the Microsoft identity platform to authenticate users and access secured web APIs. It can be used to provide secure access to Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API.

-Xamarin is an open-source platform for building modern and performant applications for iOS, Android, and Windows with .NET. Xamarin is an abstraction layer that manages communication of shared code with underlying platform code.

-.NET Multi-platform App UI (.NET MAUI) apps can be written for the following platforms: Android 5.0 (API 21) or higher, and iOS 11 or higher.

Vulnerability details: The MSAL library enables acquisition of security tokens to call protected APIs. MSAL.NET applications targeting Xamarin Android and .NET Android (e.g., MAUI) using the library from versions 4.48.0 to 4.60.0 are impacted by a low-severity vulnerability. A malicious application running on a customer's Android device can cause a local denial of service against applications that were built using MSAL.NET for authentication on the same device (i.e., prevent the user of the legitimate application from logging in) due to an incorrect activity export configuration.

Solution: MSAL.NET version 4.60.1 includes the fix.

Workaround: developers may explicitly mark the MSAL.NET activity as non-exported.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-27086

CVE-2024-21468 – iommu: Fix missing return check of arm_lpae_init_pte (8th Apr 2024)

Preface: This vulnerability was posted on April 1 2024. For details, please refer to the Qualcomm April 2024 Security Bulletin.

Background: EL1 can access most system registers, EL2 has additional privileges, and EL3 has all privileges. The only way that the processor can change from one exception level to a higher level is when an exception occurs.

In computing, an input–output memory management unit is a memory management unit connecting a direct-memory-access–capable I/O bus to the main memory. Like a traditional MMU, which translates CPU-visible virtual addresses to physical addresses, the IOMMU maps device-visible virtual addresses to physical addresses.

Qualcomm "B" family devices which are not compatible with arm-smmu have a similar-looking IOMMU but without access to the global register space, and optionally require additional configuration to route context IRQs to the non-secure or secure interrupt line.

Vulnerability details: Use After Free in Kernel. A UAF scenario may occur in clients with EL1 privileges for IOVA mappings when the return value of arm_lpae_init_pte is not checked, which may lead to a PTE being counted as newly set even if it already existed. This can leave a dangling IOMMU PTE mapped to a freed object and cause a UAF in the client if the dangling PTE is accessed after a failed unmap operation.
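A constructed C model of the accounting mistake described above (added example; not the Linux io-pgtable or Qualcomm driver code, and the struct, names and PTE layout are assumptions): init_pte refuses to overwrite a present entry and reports -EEXIST, and the caller either ignores or honours that result. The skew it measures is the gap between what the driver believes is mapped and what the table actually holds.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define NPTES 8
/* Constructed model of one page-table level; not the Linux io-pgtable code. */
typedef struct {
    uint64_t pte[NPTES]; /* 0 = not present */
    int      mapped;     /* the driver's running count of live PTEs */
} pgtable_t;

/* The contract described above: never overwrite a present PTE; report it. */
static int init_pte(pgtable_t *t, size_t idx, uint64_t paddr)
{
    if (t->pte[idx] != 0)
        return -EEXIST;
    t->pte[idx] = paddr | 1; /* valid bit; layout assumed for the model */
    return 0;
}
/* Vulnerable shape: return value discarded, count bumped regardless. */
static void map_unchecked(pgtable_t *t, size_t idx, uint64_t pa)
{
    init_pte(t, idx, pa);
    t->mapped++;
}
/* Fixed shape: count the PTE only when it was actually installed. */
static int map_checked(pgtable_t *t, size_t idx, uint64_t pa)
{
    int ret = init_pte(t, idx, pa);
    if (ret == 0)
        t->mapped++;
    return ret;
}
static void unmap(pgtable_t *t, size_t idx)
{
    if (t->pte[idx] != 0) { t->pte[idx] = 0; t->mapped--; }
}

/* Map the same slot twice, unmap it once, and return the driver's count minus
 * what is really present. 0 means consistent bookkeeping; anything else means
 * the later "is this table empty, can it be freed?" decision uses stale data. */
static int skew_after_double_map(int checked)
{
    pgtable_t t;
    memset(&t, 0, sizeof t);
    if (checked) { map_checked(&t, 3, 0x1000); map_checked(&t, 3, 0x2000); }
    else         { map_unchecked(&t, 3, 0x1000); map_unchecked(&t, 3, 0x2000); }
    unmap(&t, 3);
    return t.mapped - (t.pte[3] != 0);
}
```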

Official announcement: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2024-bulletin.html

What are the security updates for 17.4.1? Apple, as always, won’t tell you the details of the vulnerability! (22-03-2024)

Preface: The iPhone XS is powered by the A12 Bionic processor. The iPhone 13 and iPhone 13 Mini use the Apple-designed A15 Bionic system on a chip. The iPhone 15 is powered by a six-core Apple A16 Bionic processor. All of the above Bionic processors have one thing in common: they are 64-bit ARM-based systems on a chip (SoC) designed by Apple Inc.

Speculation: If you remember, a vulnerability related to AMD was published on 15th Mar 2024 (CVE-2024-21930), a Spectre v1 variant that inherits the Spectre v1 weakness, the so-called GhostRace. But this design weakness is not limited to AMD. For example, Arm Limited has not announced that it is unaffected by this vulnerability. So, do you think Apple Inc. might be worried about this vulnerability and therefore prioritized updating the firmware and the Linux-based OS to mitigate this risk?

Official announcement: Please refer to the link for details – https://support.apple.com/en-us/HT201222

CPU hardware utilizing speculative execution may be vulnerable to speculative race conditions – https://www.kb.cert.org/vuls/id/488902

CVE-2024-23278: An app may be able to break out of its sandbox (11th Mar 2024)

Vulnerability CVE-2024-23278 was released on March 7, 2024. Apple didn’t reveal specific details, so let’s see if we can dig out any clues.

Preface: XPC has a sizeable portion of undocumented functionality, including its implementation (for example, the main project libxpc is closed source). XPC provides a public API at two levels: low-level and Foundation wrappers.

Background: XPC is the enhanced IPC framework used in macOS/iOS. Since its introduction in macOS 10.7 / iOS 5.0, its use has exploded.

Vulnerability details: The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6.5, macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, tvOS 17.4. An app may be able to break out of its sandbox.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-23278

CVE-2023-28582 Buffer Copy Without Checking Size of Input in Data Modem (8th Mar 2024)

This issue was fixed on 2023/09/04. But the vendor did not announce the vulnerability until today (March 8, 2024).

Preface: Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications by allowing them to communicate in a way designed to prevent eavesdropping, tampering, or message forgery.

Background: 5G security standards bring enhancements to air interface and transport security mechanisms used in 4G.

In terms of transport security, the N2/N3 interfaces connecting the access and core networks and the Xn interfaces connecting base stations use IPsec in 4G for transport security. 5G additionally supports Datagram Transport Layer Security (DTLS) over Stream Control Transmission Protocol (SCTP) to secure signaling transmission on the control plane, ensuring transport security between RANs and core networks. Operators can select a transport security protection scheme based on their security requirements to prevent data breaches and attacks on the transport network.

Vulnerability details: Memory corruption in the data modem while verifying the hello-verify message during the DTLS handshake.
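As an added example (not Qualcomm's modem code; the buffer size, struct and function names are assumptions), a bounds-checked C parser for the DTLS HelloVerifyRequest body, the message class named above. It shows the two checks a copy of the length-prefixed cookie needs: against the bytes actually received and against the destination buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define COOKIE_BUF 32 /* assumed size of the modem-side cookie buffer */
typedef struct {
    uint8_t version_major, version_minor;
    uint8_t cookie[COOKIE_BUF];
    uint8_t cookie_len;
} hello_verify_t;

/* Parse a DTLS HelloVerifyRequest body (RFC 6347: ProtocolVersion, then a
 * cookie<0..2^8-1> with a one-byte length prefix). The unchecked form is one
 * memcpy(out->cookie, p + 3, p[2]); the two guards below keep p[2] from driving
 * a read past the datagram or a write past the fixed cookie buffer. */
static int parse_hello_verify(const uint8_t *p, size_t len, hello_verify_t *out)
{
    if (p == NULL || out == NULL || len < 3)
        return -1;                  /* too short for version + length byte */
    uint8_t cookie_len = p[2];
    if ((size_t)cookie_len > len - 3)
        return -2;                  /* claims more bytes than the datagram has */
    if (cookie_len > COOKIE_BUF)
        return -3;                  /* would overflow the destination buffer */
    out->version_major = p[0];
    out->version_minor = p[1];
    out->cookie_len = cookie_len;
    memcpy(out->cookie, p + 3, cookie_len);
    return 0;
}

/* Constructed sample messages; DTLS 1.2 is {0xFE, 0xFD} on the wire. */
static int demo_valid(void)       /* 16-byte cookie: returns 16 */
{
    uint8_t msg[3 + 16] = {0xFE, 0xFD, 16};
    for (int i = 0; i < 16; i++) msg[3 + i] = (uint8_t)(0xA0 + i);
    hello_verify_t hv;
    return parse_hello_verify(msg, sizeof msg, &hv) == 0 ? hv.cookie_len : -1;
}
static int demo_truncated(void)   /* length byte says 200, only 2 bytes follow */
{
    uint8_t msg[5] = {0xFE, 0xFD, 200, 0x11, 0x22};
    hello_verify_t hv;
    return parse_hello_verify(msg, sizeof msg, &hv);
}
static int demo_oversized(void)   /* fits the datagram but not the buffer */
{
    uint8_t msg[3 + 64]; memset(msg, 0x41, sizeof msg);
    msg[0] = 0xFE; msg[1] = 0xFD; msg[2] = 64;
    hello_verify_t hv;
    return parse_hello_verify(msg, sizeof msg, &hv);
}
```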

Official announcement: https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2024-bulletin.html

CVE-2023-49100: TF-A before 2.10 has a potential read out-of-bounds in the SDEI service (21-02-2024)

Preface: Trusted Firmware-A (TF-A) provides a reference implementation of secure world software for Armv7-A, Armv8-A and Armv9-A, including a Secure Monitor executing at Exception Level 3 (EL3) and a Secure Partition Manager running at Secure EL2 (S-EL2) of the Arm architecture.

Background: Software Delegated Exception Interface (SDEI) provides a mechanism for registering and servicing system events from system firmware. This specification defines a standard interface that is vendor-neutral, interoperable, and software portable. The interface is offered by a higher Exception level to a lower Exception level, in other words, by a Secure platform firmware to hypervisor or hypervisor to OS or both.

System events are high priority events, which must be serviced immediately by an OS or hypervisor. These events are often orthogonal to normal OS operation and the events can be handled, even when the OS is executing within its own critical section with interrupts masked. System events can be provided to support: Platform error handling (RAS), Software watchdog timer, Sample-based profiling & Kernel debugger.

Vulnerability details: Trusted Firmware-A (TF-A) before 2.10 has a potential read out-of-bounds in the SDEI service. The input parameter passed in register x1 is not validated well enough in the function sdei_interrupt_bind. The parameter is passed to a call to plat_ic_get_interrupt_type. It can be any arbitrary value passing checks in the function plat_ic_is_sgi. A compromised Normal World (Linux kernel) can enable a root-privileged attacker to issue arbitrary SMC calls. Using this primitive, the attacker can control the content of registers x0 through x6, which are used to send parameters to TF-A. Out-of-bounds addresses can be read in the context of TF-A (EL3). Because the read value is never returned to non-secure memory or in registers, no leak is possible. An attacker can still crash TF-A, however.
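An added C model of the check the post describes as missing (not TF-A code; the SDEI status values follow the SDEI specification, while the table size, class values and function names are assumptions): the interrupt number arriving in x1 is bounded against the interrupt table before any lookup, rather than only filtered by an SGI test that any large value passes.

```c
#include <stdint.h>
/* SDEI status values as in the SDEI specification. */
#define SDEI_SUCCESS   0
#define SDEI_EINVAL  (-2)
#define MAX_INTR    1020 /* assumed size of the platform's interrupt table */

/* Constructed table of interrupt classes indexed by interrupt ID; it stands
 * in for what the platform interrupt-controller driver would consult. The
 * class values are this model's, not TF-A's. */
enum intr_class { INTR_NS = 0, INTR_SECURE = 1 };
static uint8_t intr_class_table[MAX_INTR];

static int is_sgi(uint64_t intr) { return intr < 16; }

/* Shape of the weakness described above: the only filter applied to x1 is
 * "not an SGI", so any large value survives and becomes a table index.
 * Returns the index that would be used, or -1 if the filter rejects it. */
static int64_t index_with_sgi_filter_only(uint64_t x1)
{
    if (is_sgi(x1))
        return -1;
    return (int64_t)x1; /* no upper bound: a lookup would read past the table */
}

/* Hardened handler: bound the register value against the table before any
 * lookup, then apply the class rules (SGIs and secure interrupts rejected). */
static int sdei_interrupt_bind_checked(uint64_t x1, enum intr_class *out)
{
    if (x1 >= MAX_INTR)      /* reject before touching memory */
        return SDEI_EINVAL;
    if (is_sgi(x1))
        return SDEI_EINVAL;
    *out = (enum intr_class)intr_class_table[x1];
    if (*out != INTR_NS)     /* model rule: only Normal World interrupts bind */
        return SDEI_EINVAL;
    return SDEI_SUCCESS;
}

/* Convenience wrappers: status for a given x1, and status after the platform
 * table marks that interrupt as secure. */
static int bind_status(uint64_t x1)
{
    enum intr_class c;
    return sdei_interrupt_bind_checked(x1, &c);
}
static int bind_after_mark_secure(uint64_t id)
{
    if (id < MAX_INTR) intr_class_table[id] = INTR_SECURE;
    return bind_status(id);
}
```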

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-49100