Category Archives: IoT

CVE-2024-33050 – Buffer Over-read in WLAN Host Communication (10th Sep 2024)

Preface: In computer programming, transient is a property of any element in the system that is temporary. The term applies to transient applications.

Background: Within frequency, In-band discovery is used for communication between 6 GHz devices. There are three in-band discovery methods: Fast Initial Link Setup (FILS) and Unsolicited Probe Response (UPR) frames are passive in-band discovery methods. Choose one of FILS and UPR and cannot use them at the same time. The 6 GHz discovery frame is only required when 6 GHz is the only operable radio frequency band. Preferred Scan Channel (PSC) is an active in-frequency discovery method. Wireless clients will only probe PSC channels; if detecting from the RNR, non-PSCs will be scanned.

Vulnerability details: Transient DOS while parsing MBSSID during new IE generation in beacon/probe frame when IE length check is either missing or improper.

Ref: The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.

Official announcement: Please refer to the vendor announcement for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2024-bulletin.html

CVE-2024-3655: Mali GPU Kernel Driver allows improper GPU memory processing operations (3rd Sep 2024).

Preface: Use after free errors sometimes have no effect and other times cause a program to crash. While it is technically feasible for the freed memory to be re-allocated and for an attacker to use this reallocation to launch a buffer overflow attack.

Background: When the GPU returns ownership of the buffer to the CPU, the driver needs to treat imported and non-imported memory differently.  The first case to consider is non-imported sub-regions at the beginning of the first page and at the end of last page. For these sub-regions: CPU cache shall be committed with a clean+invalidate, in order to keep the last CPU write. Imported region prefers the opposite treatment: this memory has been legitimately mapped and used by the GPU, hence GPU writes shall be committed to memory, while CPU cache shall be invalidated to make sure that CPU reads the correct memory content.

Vulnerability details: Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.

Impact: This issue affects Bifrost GPU Kernel Driver: from r43p0 through r49p0; Valhall GPU Kernel Driver: from r43p0 through r49p0; Arm 5th Gen GPU Architecture Kernel Driver: from r43p0 through r49p0.

Official announcement: Please refer to the link for details – https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities

About CVE-2024-20084 and CVE-2024-20085: MediaTek’s System-on-Chip Design weakness (2nd Sep 2024)

Preface: When an out-of-bounds read occurs, typically the product has already made a separate mistake, such as modifying an index or performing pointer arithmetic that produces an out-of-bounds address.

Background: MediaTek JPEG Decoder is the JPEG decode hardware present in MediaTek SoCs. The jpeg decoder hardware device node which should be added as subnodes to the main jpeg node.

IOMMU is the so-called SMMU, which can organize discontinuous physical memory into a continuous virtual memory (this makes sense for many drivers).

Vulnerability details:

CVE-2024-20084 – In power, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

CVE-2024-20085 – In power, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Official announcement: Please refer to the vendor announcement for details – https://corp.mediatek.com/product-security-bulletin/September-2024

CVE-2024-34731: last week CVEs, today story. (29th Aug 2024)

Preface: A race condition vulnerability is a software bug that allows these unexpected results to be exploited by malicious entities.

The Race condition is a privilege escalation vulnerability that manipulates the time between imposing a security control and using services in a UNIX like system. This vulnerability is a result of interferences caused by multiple sequential threads running in the system and sharing the same resources.

Background: TranscodingResourcePolicy is a component of the Android platform/frameworks/av package that manages resource policies for transcoding operations. Transcoding is the process of converting media files from one format to another.

Vulnerability details: In multiple functions of TranscodingResourcePolicy.cpp, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-34731

CVE-2024-45163: The 1st time seen CVE -related to malware vulnerability. (22nd Aug 2024)

Preface: Mirai is malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.

Background: The Mirai botnet connects to the CNC (command and control) server via simultaneous TCP. An unauthenticated session remains open, allowing an attacker, for example, to send a recognizable username (such as root), or to send arbitrary data.

Vulnerability details: The Mirai botnet through 2024-08-19 mishandles simultaneous TCP connections to the CNC (command and control) server. Unauthenticated sessions remain open, causing resource consumption. But the CNC server cannot adequately manage these connections, leading to resource exhaustion and server crashes.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-45163

CVE-2023-52910 – iommu/iova: Fix alloc iova overflows issue (21-08-2024)

Preface: Modern hardware provides an I/O memory management unit (IOMMU) that mediates direct memory accesses (DMAs) by I/O devices in the same way that a processor’s MMU mediates memory accesses by instructions.

Background: With IOMMU, when the device performs DMA access to memory, the system returns to the device driver no longer a physical address, but a virtual address. This address is generally called IOVA. When the device accesses memory, IOMMU converts this virtual address into a physical address. But when iommu bypass is used, the device can also directly use the physical address for DMA.

Vulnerability details: This issue occurs in the following two situations

-The first iova size exceeds the domain size. When initializing iova domain, iovad->cached_node is assigned as iovad->anchor. For example, the iova domain size is 10M, start_pfn is 0x1_F000_0000, and the iova size allocated for the first time is 11M.

-The node with the largest iova->pfn_lo value in the iova domain is deleted, iovad->cached_node will be updated to iovad->anchor, and then the alloc iova size exceeds the maximum iova size that can be allocated in the domain.

Official announcement: Please refer to the url for details – https://nvd.nist.gov/vuln/detail/CVE-2023-52910

CVE-2024-42257: In the Linux kernel, the vulnerability related to ext4 has been resolved (12th Aug 2024)

Published: 2024-08-08

Updated: 2024-08-07

Preface: Ext4 is a series of backwards-compatible extensions of Ext2. It is also the file system of most Linux distributions. Ext4 is supported on other operating systems including Windows, Free BSD, macOS and KolibriOS (read-only)

Background: Ext4 – The fourth generation extension file system is a log file system under the Linux system and is the successor version of the ext3 file system.

Advantage

-Has the largest single file size and volume file system size

-Supports all bytes except NULL and ‘/.’

-You can convert Ext3 file system to Ext4

-Includes advanced features such as stretching, directory indexing,

-delayed allocation and disk defragmentation

-Unlimited subdirectories

Disadvantage

-No data security provided

-Difficulty creating snapshots on different volumes

-Use more disk space

Vulnerability details: In the Linux kernel, the following vulnerability has been resolved: ext4: use memtostr_pad() for s_volume_name As with the other strings in struct ext4_super_block, s_volume_name is not NUL terminated. The other strings were marked in commit 072ebb3bffe6 (“ext4: add nonstring annotations to ext4.h”). Using strscpy() isn’t the right replacement for strncpy(); it should use memtostr_pad() instead.

Ref: Failure to properly null-terminate a character sequence that is passed to a library function that expects a string can result in buffer overflows and the execution of arbitrary code with the permissions of the vulnerable process. Null-termination errors can also result in unintended information disclosure.

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2024-42257

CVE-2024-7589: Race condition vulnerability occurs when integration of blacklisted in OpenSSH in FreeBSD. (11-Aug-2024)

Preface: SSH clients are designed for direct user interaction, providing a command-line interface (CLI) or graphical user interface (GUI) on the initiating device. The SSHD operates as a background process, running silently in the background without any user intervention.

Background: How do I make my SSH connection more stable?

SSH servers often have an idle timeout period, after which they automatically disconnect idle sessions. To prevent premature disconnections, consider modifying the server’s idle timeout setting. To modify the idle timeout: Locate the SSH server configuration file, typically located at /etc/ssh/sshd_config .

Vulnerability details: A signal handler in sshd(8) may call a logging function that is not async-signal-safe. The signal handler is invoked when a client does not authenticate within the LoginGraceTime seconds (120 by default). This signal handler executes in the context of the sshd(8)’s privileged code, which is not sandboxed and runs with full root privileges. This issue is another instance of the problem in CVE-2024-6387 addressed by FreeBSD-SA-24:04.openssh.

The faulty code in this case is from the integration of blacklistd in OpenSSH in FreeBSD. As a result of calling functions that are not async-signal-safe in the privileged sshd(8) context, a race condition exists that a determined attacker may be able to exploit to allow an unauthenticated remote code execution as root.

Official announcement: Please refer to the link for details https://www.tenable.com/cve/CVE-2024-7589

A critical step in exploiting a buffer overflow is determining the offset where important program control information is overwritten. In the Linux kernel, the (CVE-2024-41011) vulnerability has been resolved. (18-07-2024)

Preface: The PAGE_SIZE macro defined in the Linux kernel source determines the page size. Its definition is in the kernel header file /usr/src/kernels/5.14[.] 0-22. el9[.] x86_64/include/asm-generic/page.

Background: MMIO stands for Memory-Mapped Input/Output. In Linux, MMIO is a mechanism used by devices to interface with the CPU that involves mapping their control registers and buffers directly into the processor’s memory address space.

This enables the CPU to access device registers and exchange data with devices using load and store instructions, just as if they were conventional memory locations. Graphics cards, network interfaces, and storage controllers all employ MMIO to effectively conduct input and output tasks.

Vulnerability details: drm/amdkfd: don’t allow mapping the MMIO HDP page with large pages We don’t get the right offset in that case. The GPU has an unused 4K area of the register BAR space into which you can remap registers. We remap the HDP flush registers into this space to allow userspace (CPU or GPU) to flush the HDP when it updates VRAM. However, on systems with >4K pages, we end up exposing PAGE_SIZE of MMIO space.

Official announcement: Please refer to the official announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2024-41011

CVE-2024-41009: bpf – Fix overrunning reservations in ringbuf (17th July 2024)

Preface: Consumer and producer counters are put into separate pages to allow each position to be mapped with different permissions. This prevents a user-space application from modifying the position and ruining in-kernel tracking. The permissions of the pages depend on who is producing samples: user-space or the kernel. Starting from Linux 5.8, BPF provides a new BPF data structure (BPF map): BPF ring buffer (ringbuf). It is a multi-producer, single-consumer (MPSC) queue and can be safely shared across multiple CPUs simultaneously.

Background: The first core skill point is “BPF Hooks”, that is, where in the kernel can BPF programs be loaded. There are nearly 10 types of hooks in the current Linux kernel, as shown below:

kernel functions (kprobes)

userspace functions (uprobes)

system calls

fentry/fexit

Tracepoints

network devices (tc/xdp)

network routes

TCP congestion algorithms

sockets (data level)

Vulnerability details: For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos – cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A’s header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header’s pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A’s header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash.  

Official announcement: Please refer to the official announcement for details – https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=47416c852f2a04d348ea66ee451cbdcf8119f225