Category Archives: IoT

AI and ML, Application Development, IoT, Potential Risk of CVE

A critical step in exploiting a buffer overflow is determining the offset where important program control information is overwritten. In the Linux kernel, the (CVE-2024-41011) vulnerability has been resolved. (18-07-2024)

Leave a comment

Preface: The PAGE_SIZE macro defined in the Linux kernel source determines the page size. Its definition is in the kernel header file /usr/src/kernels/5.14[.] 0-22. el9[.] x86_64/include/asm-generic/page.

Background: MMIO stands for Memory-Mapped Input/Output. In Linux, MMIO is a mechanism used by devices to interface with the CPU that involves mapping their control registers and buffers directly into the processor’s memory address space.

This enables the CPU to access device registers and exchange data with devices using load and store instructions, just as if they were conventional memory locations. Graphics cards, network interfaces, and storage controllers all employ MMIO to effectively conduct input and output tasks.

Vulnerability details: drm/amdkfd: don’t allow mapping the MMIO HDP page with large pages We don’t get the right offset in that case. The GPU has an unused 4K area of the register BAR space into which you can remap registers. We remap the HDP flush registers into this space to allow userspace (CPU or GPU) to flush the HDP when it updates VRAM. However, on systems with >4K pages, we end up exposing PAGE_SIZE of MMIO space.

Official announcement: Please refer to the official announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2024-41011

AI and ML, IoT, Network (Protocol, Topology & Standard), Potential Risk of CVE, Science, System

CVE-2024-41009: bpf – Fix overrunning reservations in ringbuf (17th July 2024)

Leave a comment

Preface: Consumer and producer counters are put into separate pages to allow each position to be mapped with different permissions. This prevents a user-space application from modifying the position and ruining in-kernel tracking. The permissions of the pages depend on who is producing samples: user-space or the kernel. Starting from Linux 5.8, BPF provides a new BPF data structure (BPF map): BPF ring buffer (ringbuf). It is a multi-producer, single-consumer (MPSC) queue and can be safely shared across multiple CPUs simultaneously.

Background: The first core skill point is “BPF Hooks”, that is, where in the kernel can BPF programs be loaded. There are nearly 10 types of hooks in the current Linux kernel, as shown below:

kernel functions (kprobes)

userspace functions (uprobes)

system calls

fentry/fexit

Tracepoints

network devices (tc/xdp)

network routes

TCP congestion algorithms

sockets (data level)

Vulnerability details: For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos – cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A’s header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header’s pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A’s header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash.  

Official announcement: Please refer to the official announcement for details – https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=47416c852f2a04d348ea66ee451cbdcf8119f225

AI and ML, IoT, Potential Risk of CVE

AMD released the CVE-2023-20587 security update on July 13, 2024.Don’t underestimate this related SPI flash design weakness! (15th Jul 2024)

Leave a comment

Preface: SMM is the privileged mode of the processor. Like BIOS and UEFI, SMM code operates underneath the operating system. SMM has full access to physical memory, SMM-specific memory called SMRAM, MSR-specific scratchpad, the SPI flash region to read and write BIOS variables, and I/O operations. Additionally, SMM is designed to be invisible to lower privileged layers such as the operating system kernel or hypervisor.

Background: Attackers typically escalate privileges to the SMM by exploiting vulnerabilities in the SMM code. The OS calls SMM code through system management interrupts, or SMI, and passes parameters to SMI handlers using a shared memory area called the SMM Communication Buffer.

Vulnerability details: CVE-2023-20587: Improper Access Control in System Management Mode (SMM) may allow an attacker access to the SPI flash potentially leading to arbitrary code execution.

The relevant vulnerabilities are as follows:

CVE-2023-20579: Improper Access Control in the AMD SPI protection feature may allow a user with Ring0 (kernel mode) privileged access to bypass protections potentially resulting in loss of integrity and availability.

CVE-2023-20576: Insufficient Verification of Data Authenticity in AGESA™ may allow an attacker to update SPI ROM data potentially resulting in denial of service or privilege escalation.

CVE-2023-20577: A heap overflow in SMM module may allow an attacker with access to a second vulnerability that enables writing to SPI flash, potentially resulting in arbitrary code execution.

Official announcement: Please refer to the vendor announcement for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7009.html

AI and ML, IoT, Network (Protocol, Topology & Standard), Potential Risk of CVE

CVE-2024-39489: Linux kernel enhance memory management on IPv6 feature (11 July 2024)

Leave a comment

Preface: The Linux kernel implements most of its IPv6 parts from USAGI. USAGI project was founded to improve and develop Linux IPv6 stack. The integrated USAGI version/release is unknown. Implemented into the kernel are the core functions of USAGI; the “standard” user-level programs provide basic IPv6 functionality.

Background: IPv6 converting to using crypto_pool has the following advantages.

– now SR uses asynchronous API which may potentially free CPU cycles and improve performance for of CPU crypto algorithm providers;

– hash descriptors now don’t have to be allocated on boot, but only at the moment SR starts using HMAC and until the last HMAC secret is deleted;

– potentially reuse ahash_request(s) for different users

– allocate only one per-CPU scratch buffer rather than a new one for

  each user

– have a common API for net/ users that need ahash on RX/TX fast path

Vulnerability details: In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix memleak in seg6_hmac_init_algo seg6_hmac_init_algo returns without cleaning up the previous allocations if one fails, so it’s going to leak all that memory and the crypto tfms. Update seg6_hmac_exit to only free the memory when allocated, so we can reuse the code directly.

Official announcement: For detail, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2024-39489

IoT, Potential Risk of CVE

CVE-2024-36138: Bypass incomplete fix of CVE-2024-27980 (10 Jul 2024)

Leave a comment

Preface: Node. js has two types of threads: one Event Loop and k Workers. The Event Loop is responsible for JavaScript callbacks and non-blocking I/O, and a Worker executes tasks corresponding to C++ code that completes an asynchronous request, including blocking I/O and CPU-intensive work.

Background: Why do we use child process in Node.js?

Node Child Process – Node is a tool that uses JavaScript and has many useful parts to it. Normally, it does work with one thread at a time, which means it can handle tasks without waiting. However, when there’s a lot of work to be done, we use the child_process module to create additional threads.

The child_process.spawn() method spawns the child process asynchronously, without blocking the Node.js event loop. The child_process.spawnSync() function provides equivalent functionality in a synchronous manner that blocks the event loop until the spawned process either exits or is terminated.

Vulnerability details: The CVE-2024-27980 was identified as an incomplete fix for the BatBadBut vulnerability. This vulnerability arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

This vulnerability affects all users of child_process.spawn and child_process.spawnSync on Windows in all active release lines.

Impact: This vulnerability affects all Windows users in active release lines: 22.x, 20.x, 18.x

Official announcement: For detail, please refer to link – https://nodejs.org/en/blog/vulnerability/july-2024-security-releases

IoT, Potential Risk of CVE

CVE-2024-6563: About  Renesas arm-trusted-firmware (9 Jul 2024)

Leave a comment

Preface: Trusted Firmware-M (TF-M) defines several common profiles, such as Profile Small, Profile Medium, Profile Medium ARoT-less and Profile Large, to provide different levels of security to adapt to different device functions and applications. Use cases on top of firmware.

Background: The capabilities and resources of different IoT devices can vary significantly. Some IoT devices may have very limited memory resources. Programs on these devices should maintain a small memory footprint and basic functionality.

Trusted Firmware-M (TF-M) defines several general profiles, such as Profile Small, Profile Medium, Profile Medium ARoT-less and Profile Large, to provide different levels of security to fit diverse device capabilities and use cases applied on the top of the base configuration.

Ref: Trusted Firmware-M (TF-M) is an open source collaboration which implements the Platform Security Architecture (PSA) specification for Arm Cortex®-M MCU groups. This application project introduces how Trusted Firmware-M integrates with Renesas Flexible Software Package (FSP) to support PSA specification implementation on the Renesas RA Family MCU groups.

Vulnerability details: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i… https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar[.]C . In line 313 “addr_loaded_cnt” is checked not to be “CHECK_IMAGE_AREA_CNT” (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of “dst” will be written to the area immediately after the buffer, which is “addr_loaded_cnt”. This will allow an attacker to freely control the value of “addr_loaded_cnt” and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value (“len”) they desire.

Official announcement: For detail, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2024-6563

AI and ML, Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

CVE-2024-20081: Out-of-bounds write in gnss, response by Mediatek security advisory. (2nd July 2024)

Leave a comment

Preface: GPS traditionally refers to the North American Global Positioning System, or satellite positioning system. GNSS is the term for the international multi-constellation satellite system. Therefore, GNSS typically includes GPS, GLONASS, Baidu, Galileo, and any other constellation system.

Background: GNSS positioning modules or chips, as the core component of In-vehicle Infotainment systems, provide position, speed, and time information. GNSS position and speed measurements are integral, especially with respect to moving map navigation.

GNSS are used in all forms of transportation: space stations, aviation, maritime, rail, road and mass transit. Positioning, navigation and timing (PNT) play a critical role in telecommunications, land surveying, law enforcement, emergency response, precision agriculture, mining, finance, scientific research…etc.

Vulnerability details: In gnss service, there is a possible escalation of privilege due to improper certificate validation. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08720039; Issue ID: MSV-1424.

Official announcement: For detail, please refer to link –

https://corp.mediatek.com/product-security-bulletin/July-2024

IoT, Potential Risk of CVE

About CVE-2024-38952 on PX4-Autopilot v1.14.3 (27 June 2024)

Leave a comment

Preface: The PX4 is a professional autopilot. Developed by world-class developers from industry and academia and supported by an active worldwide community, it powers a variety of vehicles from racing and cargo drones to ground vehicles and submersibles.

Background:  What is needed to control a drone using PX4 flight controller?

-A computer with Internet Access.

-Linux operating system (I am using Ubuntu 14.04 LTS, you can use the operating system you want, but since I am also doing source code development, Linux will make my days a lot easier).

-A PX4 autopilot (Pixhawk, Pixfalcon, HK Pilot 32, Pixracer) with micro usb cable.

-Your drone.

-A pair of telemetry modules (optional).

Vulnerability details: PX4-Autopilot v1[.]14[.]3 was discovered to contain a buffer overflow via the topic_name parameter at /logger/logged_topics[.]cpp.

Official announcement: For detail, please refer to link –

https://nvd.nist.gov/vuln/detail/cve-2024-38952

Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

CVE-2024-38663: blk-cgroup – fix list corruption from resetting io stat (25-June-2024)

Leave a comment

Preface: Android uses cgroups to control and account for system resources such as CPU and memory usage and allocation, with support for Linux kernel cgroups v1 and cgroups v2.

Background: New IO stats are stored in the percpu iostat_cpu within blkcg_gq (blkg). There are multiple blkg’s (one for each block device) attached to each blkcg. The rstat code keeps track of which cpu has IO stats updated, but it doesn’t know which blkg has the updated stats. If there are many block devices in a system, the cost of iterating all the blkg’s to flush out the IO stats can be high. To reduce such overhead, a set of percpu lockless lists (lhead) per blkcg are used to track the set of recently updated iostat_cpu’s since the last flush. An iostat_cpu will be put onto the lockless list on the update side [blk_cgroup_bio_start()] if not there yet and then removed when being flushed [blkcg_rstat_flush()].

References to blkg are gotten and then put back in the process to protect against blkg removal.

Vulnerability details: blk-cgroup: fix list corruption from resetting io stat. Since commit 3b8cc6298724 (“blk-cgroup: Optimize blkcg_rstat_flush()”), each iostat instance is added to blkcg percpu list, so blkcg_reset_stats() can’t reset the stat instance by memset(), otherwise the llist may be corrupted.

Fix the issue by only resetting the counter part.

Official announcement: For detail, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2024-38663

IoT, Potential Risk of CVE

CVE-2024-21478 – Automotive manufacturer staying alert! (18 June 2024)

Leave a comment

Preface: For example, if your app defines a fence for headphones, it gets callbacks when the headphones are plugged in and when they’re unplugged.

Background: Automotive infotainment is an in-car system that combines entertainment such as radio and music playing with driving information, including navigation, ADAS, and vehicle settings.

The SA8255P delivers next-generation Qualcomm Snapdragon automotive infotainment SoC. Developed with SEooC targeting ASIL B use cases, the SAM8255P empowers automakers with scalable solutions that are connected, smart, and aware.

Vulnerability details: NULL Pointer Dereference in Graphics,

transient DOS when setting up a fence callback to free a KGSL memory entry object during DMA.

Affected Chipsets: QAM8255P, QAM8650P, QAM8775P, QAMSRV1H, QAMSRV1M, SA8255P, SA8650P, SA8770P, SA8775P, SA9000P, SRV1H, SRV1M.

Official announcement: For detail, please refer to link – https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2024-bulletin.html