Category Archives: Network (Protocol, Topology & Standard)

CVE-2024-41009: bpf – Fix overrunning reservations in ringbuf (17th July 2024)

Preface: Consumer and producer counters are put into separate pages to allow each position to be mapped with different permissions. This prevents a user-space application from modifying the position and ruining in-kernel tracking. The permissions of the pages depend on who is producing samples: user-space or the kernel. Starting from Linux 5.8, BPF provides a new BPF data structure (BPF map): BPF ring buffer (ringbuf). It is a multi-producer, single-consumer (MPSC) queue and can be safely shared across multiple CPUs simultaneously.

Background: The first core skill point is “BPF Hooks”, that is, where in the kernel can BPF programs be loaded. There are nearly 10 types of hooks in the current Linux kernel, as shown below:

kernel functions (kprobes)

userspace functions (uprobes)

system calls



network devices (tc/xdp)

network routes

TCP congestion algorithms

sockets (data level)

Vulnerability details: For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos – cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A’s header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header’s pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A’s header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash.  

Official announcement: Please refer to the official announcement for details –

CVE-2024-41007: When use TCP_USER_TIMEOUT in Linux. It may hit Kernel design weakness! (16th July 2024)

Preface: What is jiffies in the Linux kernel? A jiffy is a kernel unit of time declared in <linux/jiffies[.]h> . To understand jiffies, we need to introduce a new constant, HZ, which is the number of times jiffies is incremented in one second. Each increment is called a tick.

Background: tcp_user_timeout – Controls the number of milliseconds that transmitted data may remain unacknowledged before a connection is forcibly closed. Default is 0 which means it is disabled.

Vulnerability details: Avoid too many retransmit packets. If a TCP socket is using TCP_USER_TIMEOUT, and the other peer retracted its window to zero, tcp_retransmit_timer() can retransmit a packet every two jiffies (2 ms for HZ=1000), for about 4 minutes after TCP_USER_TIMEOUT has ‘expired’.

Solution: The fix is to make sure tcp_rtx_probe0_timed_out() takes icsk->icsk_user_timeout into account. Before blamed commit, the socket would not timeout after icsk->icsk_user_timeout, but would use standard exponential backoff for the retransmits. Also worth noting that before commit e89688e3e978 (“net: tcp: fix unexcepted socket die when snd_wnd is 0”), the issue would last 2 minutes instead of 4.

Speculation: CVE does not describe a Common Weakness Enumeration. But believe that the minimal impact would be a denial of service. But it may more serious!

Official announcement: Please refer to the vendor announcement for details –

CVE-2024-39489: Linux kernel enhance memory management on IPv6 feature (11 July 2024)

Preface: The Linux kernel implements most of its IPv6 parts from USAGI. USAGI project was founded to improve and develop Linux IPv6 stack. The integrated USAGI version/release is unknown. Implemented into the kernel are the core functions of USAGI; the “standard” user-level programs provide basic IPv6 functionality.

Background: IPv6 converting to using crypto_pool has the following advantages.

– now SR uses asynchronous API which may potentially free CPU cycles and improve performance for of CPU crypto algorithm providers;

– hash descriptors now don’t have to be allocated on boot, but only at the moment SR starts using HMAC and until the last HMAC secret is deleted;

– potentially reuse ahash_request(s) for different users

– allocate only one per-CPU scratch buffer rather than a new one for

  each user

– have a common API for net/ users that need ahash on RX/TX fast path

Vulnerability details: In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix memleak in seg6_hmac_init_algo seg6_hmac_init_algo returns without cleaning up the previous allocations if one fails, so it’s going to leak all that memory and the crypto tfms. Update seg6_hmac_exit to only free the memory when allocated, so we can reuse the code directly.

Official announcement: For detail, please refer to link –

Get closer look CVE-2024-39920: About “SnailLoad” issue (5-Jul-2024)

NVD Published Date: 07/03/2024

Preface: How is RTT measured in TCP? Measures the time from sending a packet to getting an acknowledgment packet from the target host.

Background: A new technology standard called “RFC 9293” was released on August 18, 2022.


-Acknowledgment Number:  32 bits – If the ACK control bit is set, this field contains the value of the next sequence number the sender of the segment is expecting to receive.  Once a connection is established, this is always sent.

-There are also methods of “fingerprinting” that can be used to infer the host TCP implementation (operating system) version or platform
information. These collect observations of several aspects, such as
the options present in segments, the ordering of options, the
specific behaviors in the case of various conditions, packet timing,
packet sizing, and other aspects of the protocol that are left to be
determined by an implementer, and can use those observations to
identify information about the host and implementation.

Vulnerability details: The TCP protocol in RFC 9293 has a timing side channel that makes it easier for remote attackers to infer the content of one TCP connection from a client system (to any server), when that client system is concurrently obtaining TCP data at a slow rate from an attacker-controlled server, aka the “SnailLoad” issue. For example, the attack can begin by measuring RTTs via the TCP segments whose role is to provide an ACK control bit and an Acknowledgment Number.

Official announcement: For detail, please refer to link –

CVE-2024-0103 – NVIDIA Triton Inference Server for Linux hit Incorrect Initialization of Resource vulnerability (31-05-2024)

Preface: AI-powered systems analyse the severity of the vulnerability, potential impact, and exploitability and prioritise patches based on the criticality of the vulnerability. Perhaps AI contains self diagostic and do remedy by himself!

Background: An open-source software that helps standardize model deployment and delivers fast and scalable AI in production.

Vulnerability details:

CVE-2024-0103 Information disclosure

NVIDIA Triton Inference Server for Linux contains a vulnerability where a user may cause an incorrect Initialization of resource by network issue. A successful exploit of this vulnerability may lead to information disclosure.

Ref: For example, the minimum packet size is 60 bytes (the card typically adds a frame checksum to this, making the minimum packet size on the line 64 bytes). If you only have 40 bytes, then it will still transmit 60 bytes.

Because 40 bytes you send plus the next 20 bytes that happen to be sitting in the buffer beyond the 40 you intended to send.

If you haven’t explicitly initialized that area, those 20 bytes might well be data leftover from a previously sent packet, which may have belonged to some other connection. Or that memory could have previously been a data page for some program that was recently running (and hence could contain a password, or an encryption key or just about any kind of sensitive information).

Official details: For detail, please refer to link –

CVE-2024-36008: The impact may be widespread but has been resolved. Linux, you did a great job. (21May 2024)

Preface: Syzbot has begun to report kernel findings to LKML in 2017. Syzbot is a continuous kernel build / fuzz / report aggregation system.

Background: Linux has two mechanisms for setting routes, one is fib, and the other is routing generated by dynamic. fib uses route (man 8 route) to specify a static route table. What net/ipv4/route[.]c does is dynamic generate routing hash to speed up route decision.

Vulnerability details: In the Linux kernel, the following vulnerability has been resolved: ipv4: check for NULL idev in ip_route_use_hint() . syzbot was able to trigger a NULL deref in fib_validate_source() in an old tree .

It appears the bug exists in latest trees. All calls to __in_dev_get_rcu() must be checked for a NULL result.

Official announcement: Please refer to the link for details –

Multiple vulnerabilities were discovered in the TCP/IP stack (NetworkPkg) of Tianocore EDKII, Security focus of CVE-2023-4523 (5th Feb 2024)

Original article published January 2024, status update published January 23, 2024.

Preface: Supermicro is aware of a potential vulnerability known as “PixieFAIL” in the BIOS firmware. Multiple vulnerabilities were discovered in the TCP/IP stack (NetworkPkg) of Tianocore EDKII, an open source implementation of UEFI. These nine vulnerabilities that if exploited via network can lead to remote code execution, DoS attacks, DNS cache poisoning, and/or potential leakage of sensitive information.

Background: The UEFI image parser is well-implemented, with a strict set of format validation requirements. The UEFI image loader starts the image allocation process by reserving enough memory for the image to be fully loaded. The UEFI image loader starts the image allocation process by reserving enough memory for the image to be fully loaded. The required memory is extended by a single page so that the loader has enough space to store information about the debugging symbols. Usually this is not necessary, but depending on the linker, debugging information can be placed inside the image overlay. Because the overlay information is not loaded into memory, the UEFI loader ensures that it is available by copying it from disk to this additionally allocated page.

EDK2’s Network Package provides network modules that conform to UEFI 2.4 specification

Vulnerability details: EDK2’s Network Package is susceptible to an out-of-bounds read vulnerability when processing  Neighbor Discovery Redirect message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.

Ref: The subject matter expert performed a cursory inspection of NetworkPkg, Tianocore’s EDK II PXE implementation, and identified nine vulnerabilities that can be exploited by unauthenticated remote attackers on the same local network, and in some cases, by attackers on remote networks. The impact of these vulnerabilities includes denial of service, information leakage, remote code execution, DNS cache poisoning, and network session hijacking.

NIST Official details: Please refer to the link for details –

Supermicro Official details: Please refer to the link for details –

do you know the weaknesses of IP-in-IP design? 2nd jun 2020.

Background: IPIP tunnel is typically used to connect two internal IPv4 subnets through public IPv4 internet. It has the lowest overhead but can only transmit IPv4 unicast traffic.

Vulnerability details: The vulnerability is due to the affected device unexpectedly decapsulating and processing IP in IP packets that are destined to a locally configured IP address. An attacker could exploit this vulnerability by sending a crafted IP in IP packet to an affected device. Should you have interested of the actual impact, please refer attached diagram.

Remedy: Users can block IP-in-IP packets by filtering IP protocol number 4 (IPv4 encapsulation – RFC 2003).

For official announcement, please refer to following link –

5g, where to go from here?

Preface: Why some people want everything fast. But when a man is having dinner with his girlfriend, he hopes that time will be slower.

5G communication background: In April 2008, NASA partnered with Geoff Brown and Machine-to-Machine Intelligence (M2Mi) Corp to develop 5G communications technology.
As times go by, On 3 April 2019, South Korea became the first country to adopt 5G.

Heard a lot of news of 5G technology. In additional to high speed and low latency. Can the 5G architecture be hacked?

5G is the first generation that was designed with virtualization and cloud-based technology. Nokia said building separate systems to meet future requirements and use cases of 5G was not an option, so the future network needed to be integrated and aligned with software-defined functions, cognitive technology to orchestrate it and distributed content and processing. 5G’s future rests on software-defined networking (SDN), whose main concept is to decouple the infrastructure of wireless networks from expensive, closed hardware and shift it to an intelligent software layer running on commodity hardware. However, software-defined functions are vulnerable to security threats as well. One of the most significant security risk factors is the possibility of a compromised SDN controller attack at the control plane layer. Due to the centralization design of the SDN, the SDN controller becomes the brain of the SDN architecture. Attackers can focus on compromising the SDN controller in an attempt to manipulate the entire network.

Perhaps above prediction was true. Samsung 5G Core NFs are cloud native NFs, which consist of container-based micro-services to enable flexible scaling and upgrade to meet telecom operators’ requirements. For more details, please refer below diagram.

Besides, 5G Service-Based Architecture (SBA) components consists of serveral components (Resource Controller, Subscription Manager, Policy Controller and Exposure Server). The interconnect in between packet core controller to above four different components could make use of HTTP/JSON. From security point of view , it is hard to forseen that this type of interconnection whether will encounter vulnerability in future.

On demand patch management in existing information technology world will be extend to 5G network in future.

Docker and Kubernetes become a main trend in technology world. Both products features can improve the redundancy and fault tolerance level of the system. And therefore it is hard to avoid the 5G services provider install similar architecture. APT attack and ransomware will wreak havoc with cyber world. In order to reduce the the zero-day of attack to Docker and Kubernetes environment. System hardening process and access control policy must be take in this place. So the 5G service based architecture system will be the new hacker target soon.

Summary: The above description is only cover a small part of the 5G network. Let us observe what will happen to the mobile communication world?

Configure a strong PSK to avoid wireless offline cryptographic attack

Preface: Maybe people won’t use WPA because it’s not safe. However, WPA2 can also collect PSK through tools.

Technical details:

WPA and WPA2 offline attack technique are well known today. For instance, penetration test conduct the WiFi penetration test will relies on tool (Aircrack-NG). As a matter of fact, the attacker first obtains a man-in-the-middle (MitM) position between the victim and the real Wi-Fi network. However it does not enable the attacker to decrypt packets! One of the way use a password recovery tool work with “wordlist”. The mechanism is read line by line from a textfile (aka “dictionary” or “wordlist”) and try each line to find out the password.

Reference: The dictionary pass-phrase attack is one of the popular attacks on WPA2-PSK. Since PSK will be the main key to protect WLAN, the attacker will try to guess the pass-phrase used to generate PSK. This can be done by capturing the initial WPA2-PSK handshaking between a legitimate wireless client and the AP.

Remedy: Sounds like not difficult to crack. In our world, IoT devices do not use 802.1x for authentication. What can we do?

If not possible change to 802.1x, configure a strong PSK with a minimum length of 19 characters or more.