Category Archives: IoT

CVE-2024-33063 – OOB : read/writes in ML probe generation  (15-Dec 2024)

Preface: A patch published June 2023, adds parsing of the data and adding/updating the BSS using the received elements. Doing this means that userspace can discover the BSSes using an ML probe request and request association on these links.

Background: IE provides information on channel usage by AP, so that smart wireless stations can decide better AP for connectivity. Station count, Channel utilization, and Available admission capacity are the information available in this IE.

The term QBSS is used in wireless networks supporting the IEEE 802.11e Quality of Service enhancement. It defines a Basic Service Set supporting a QAP and a number of QSTA.

When enabled, appends QBSS IE in Management frames. This IE provides information of channel usage by AP, so that smart wireless station can decide better AP for connectivity. Station count, Channel utilization and Available admission capacity are the information available in this IE.

Vulnerability details: Transient DOS while parsing the ML IE when a beacon with common info length of the ML IE greater than the ML IE inside which this element is present.

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-33063

CVE-2024-5660: This issue could allow a modified, untrusted guest operating system to compromise the host in certain hypervisor environments. (11 Dec 2024)

Preface: NVIDIA Jetson™ is the world’s leading embedded AI computing platform with an integrated Arm CPU.

Background: The owning translation regime uses its address translation table data to determine the properties of the trace data transactions written to system memory.

CPUECTLR_EL1 is a 64-bit register, and is part of the 64-bit registers functional group. This register resets to value 0x0000000961563000. The CPUECTLR_EL1 register contains IMPLEMENTATION DEFINED configuration and control options for the MMU.

Stage 2 translation allows a hypervisor to control a view of memory in a Virtual Machine (VM). Specifically, it allows the hypervisor to control which memory-mapped system resources a VM can access, and where those resources appear in the address space of the VM.

Vulnerability details: When Hardware Page Aggregation (HPA) is enabled and Stage-1 and/or Stage-2 translation is enabled for the active translation regime, memory accesses may be translated incorrectly. This may permit bypass of Stage-2 translation and/or GPT protection

Affected products : A77, A78, A78C, A78AE, A710, V1, V2, V3, V3AE, X1, X1C, X2, X3, X4, N2, X925, Travis

Recommendations : The issue can be avoided by setting CPUECTLR_EL1[46] to 1 which will disable hardware page aggregation

Official announcement: Please refer to the link for details – https://developer.arm.com/Arm%20Security%20Center/Arm%20CPU%20Vulnerability%20CVE-2024-5660

CVE-2024-38920: Use-after-free issue related to the humble version of Open Robotics Robot Operating System 2 (ROS2) and Nav2 (6 Dec 2024)

Preface: Use-after-free (UAF) vulnerabilities are a class of software flaws that involve using a memory resident object after it has been freed. UAF vulnerabilities most commonly occur when a C++ object that was allocated on the heap is accessed after it is deleted, but stack-allocated objects can also be used after a free.

Background: The Robot Operating System (ROS) is a set of software libraries and tools for building robot applications. From drivers and state-of-the-art algorithms to powerful developer tools, ROS has the open source tools you need for your next robotics project.

Since ROS was started in 2007, a lot has changed in the robotics and ROS community. The goal of the ROS 2 project is to adapt to these changes, leveraging what is great about ROS 1 and improving what isn’t.

The base unit in ROS is called a node. Nodes are in charge of handling devices or computing algorithms – each node for a separate task. Nodes can communicate with each other using topics or services. ROS software is distributed in packages. A single package is usually developed for performing one type of task and can contain one or multiple nodes.

Vulnerability details: Open Robotics Robotic Operating System 2 (ROS2) and Nav2 humble versions were discovered to contain a use-after-free via the nav2_amcl process. This vulnerability is triggerd via remotely sending a request for change the value of dynamic-parameter`/amcl max_beams` .

Official announcement: Please see the link below for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-38920

CVE-2024-10382 – a code execution vulnerability in the Car App Android Jetpack Library (22 Nov 2024)

Preface: Android Auto is a platform running on the user’s phone, projecting the Android Auto user experience to a compatible in-vehicle infotainment system over a USB connection. Android Auto supports apps designed for in-vehicle use.

Background: The Android for Cars App Library lets you bring your navigation, point of interest (POI), and internet of things (IOT) apps to the car.

Android[.]car[.]app

Interfaces

OnDoneCallback – A host-side interface for handling success and failure scenarios on calls to the client.

OnRequestPermissionsListener – A listener with the results from a permissions request.

OnScreenResultListener – A listener to provide the result set by a Screen.

SurfaceCallback – A callback for changes on the SurfaceContainer and its attributes.

Vulnerability details: There exists a code execution vulnerability in the Car App Android Jetpack Library. In the CarAppService desrialization logic is used that allows for arbitrary java classes to be constructed. In combination with other gadgets, this can lead to arbitrary code execution. An attacker needs to have an app on a victims Android device that uses the CarAppService Class and the victim would need to install a malicious app alongside it. We recommend upgrading the library past version 1.7.0-beta02

Official announcement: Please see the link below for details – https://nvd.nist.gov/vuln/detail/cve-2024-10382

CVE-2024-9413 – A vulnerability has been discovered in SCP-Firmware (18 Nov 2024)

Preface: The Cortex-M3 processor is specifically developed for high-performance, low-cost platforms for a broad range of devices including microcontrollers, automotive body systems, industrial control systems and wireless networking and sensors.

Background: SCP Firmware provides a software reference implementation for the System Control Processor (SCP) and Manageability Control Processor (MCP) components found in several Arm Compute Sub-Systems. Functionality.

Description. Initialization. Initialization of the system to enable application core boot.

Power Control System Architecture (PCSA) defines the concept of a System Control Processor (SCP), a specialized processor that abstracts power and system management tasks from the application processor.

Vulnerability details: The transport_message_handler function in SCP-Firmware release versions 2.11.0-2.15.0 does not properly handle errors, potentially allowing an Application Processor (AP) to cause a buffer overflow in System Control Processor (SCP) firmware.

Official announcement: For detail, please refer to link –

https://nvd.nist.gov/vuln/detail/CVE-2024-9413

CVE-2024-38408 – Cryptographic Issues in BT Controller (7 Nov 2024)

Preface: Snapdragon 8 Gen 2 SoC comes with many new features and technologies such as new tri-cluster architecture, AI improvements, ray tracing support, and more. However, one largely overlooked feature is dual Bluetooth. Now, it’s not going to revolutionize the Bluetooth experience on mobile devices, but it will actually solve some of the fundamental problems we face when using Bluetooth technology on mobile devices.

Background: The encryption key negotiation protocol is conducted between two parties as follows: the initiator proposes an entropy value N that is an integer between 1 and 16, the other party either accepts it or proposes a lower value or aborts the protocol. If the other party proposes a lower value, e.g., N − 1, then the initiator either accepts it or proposes a lower value or it aborts the protocol. At the end of a successful negotiation the two parties have agreed on the entropy value of the Bluetooth encryption key. The entropy negotiation is performed over the Link Manager Protocol (LMP), it is not encrypted and not authenticated, and it is transparent to the Bluetooth.

Vulnerability details: Cryptographic issue when a controller receives an LMP start encryption command under unexpected conditions.

Official announcement: Please refer to the vendor announcement for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2024-bulletin.html

CVE-2024-7883 – CMSE secure state may leak from stack to floating-point registers (3rd Nov 2024)

Preface: The Cortex-M stands for the Microcontroller which is used in most of our daily life applications also starting from the automation to DSP applications, sensors, smart displays, IoT applications ,etc.

Background: In April of 2024, Arm Limited published a Cortex-M Security Extensions (CMSE) Security Bulletin that identifies a potential software security issue in code that uses CMSE. The security vulnerability allows an attacker to pass out-of-range values to code executing in Secure state to cause incorrect operation in Secure state. This security vulnerability is present in compilers that are not compliant with version 1.4 of the Arm v8-M Security Extensions Requirements on Development Tools.

Vulnerability details: When using Arm Cortex-M Security Extensions (CMSE), Secure stack contents can be leaked to Non-secure state via floating-point registers when a Secure to Non-secure function call is made that returns a floating-point value and when this is the first use of floating-point since entering Secure state. This allows an attacker to read a limited quantity of Secure stack contents with an impact on confidentiality. This issue is specific to code generated using LLVM-based compilers.

LLVM and the GNU Compiler Collection (GCC) are both compilers. The difference is that GCC supports a number of programming languages while LLVM isn’t a compiler for any given language. LLVM is a framework to generate object code from any kind of source code.

Official announcement: For more information about the vulnerability, please see the link –

https://nvd.nist.gov/vuln/detail/CVE-2024-7883

https://developer.arm.com/Arm%20Security%20Center/Cortex-M%20Security%20Extensions%20Vulnerability

CVE-2024-41445: Library MDF (mdflib) v2.1 is vulnerable to a heap-based buffer overread (25-09-2024)

Preface: What is an MF4/MDF4 file? Measurement Data Format version 4 (MDF 4) is a standard file format by ASAM used by the automotive industry for storing measurement data in binary file format. It records CAN, CAN FD, LIN bus data, sensor data from an engine control unit (ECU), offering interoperability across many CAN tools.

Background: MF4 (aka MDF or Measurement Data Format) is a popular CAN bus log file format. It was designed for use in the automotive industry, primarily for the areas of ECU development, Calibration and testing.

What is ECU development? The development of an ECU involves both hardware and software required to perform the functions expected from that particular module. Automotive ECU’s are being developed following the V-model.

Can I use the MDF-LIB freely? Yes, the lib was created to encourage all software developers to use the MDF4 format.

Vulnerability details: Library MDF (mdflib) v2.1 is vulnerable to a heap-based buffer overread via a crafted mdf4 file is parsed using the ReadData function.

Official announcement: Please refer to the vendor announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2024-41445

About Android Framework: Bypass CVE-2022-20338, formed CVE-2024-40662 (11th Sep 2024).

Preface: What is a malformed URI? The JavaScript exception “malformed URI sequence” occurs when URI encoding or decoding wasn’t successful.

Background: URI definition In computer terms, a Uniform Resource Identifier (URI) is a string used to identify the name of a certain network resource. This identification allows users to interact with any resource (including local and Internet) through specific protocols.

URI is either an absolute URI whose scheme-specific part begins with a slash character, or a relative URI, that is, a URI that does not specify a scheme. 

Vulnerability details: In scheme of Uri.java, there is a possible way to craft a malformed Uri object due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Official announcement: Please refer to the vendor announcement for details –

https://www.tenable.com/cve/CVE-2024-40662

CVE-2024-40754: Heap-based Buffer Overflow vulnerability in Samsung Open Source Escargot JavaScript engine (11th Sep 2024)

Preface: A stack is not flexible, the memory size allotted cannot be changed whereas a heap is flexible, and the allotted memory can be altered.

Background: Escargot is a memory optimized JavaScript engine for mid-range devices such as mobile phone, tablet and TV. C++. •. GNU Lesser General Public License v2.1. Memory Efficiency: The engine is designed with memory constraints in mind, making it suitable for devices with limited RAM and storage. Performance Optimization: Escargot implements various optimization techniques to ensure fast execution of JavaScript code, even on low-power devices.

Vulnerability details: Heap-based Buffer Overflow vulnerability in Samsung Open Source Escargot JavaScript engine allows Overflow Buffers.This issue affects Escargot: 4.0.0.

Ref: The memory allocated by malloc() not only includes the user requested block but also the data used to manage the heap (size of the block, pointer to other blocks and the like). The vulnerability is that a heap variable can be overflowed to overwrite those management data.

Official announcement: Please refer to the vendor announcement for details –

https://www.tenable.com/cve/CVE-2024-40754