Preface: What is jiffies in the Linux kernel? A jiffy is a kernel unit of time declared in <linux/jiffies.h>. To understand jiffies, we need to introduce a constant, HZ, which is the number of times jiffies is incremented in one second. Each increment is called a tick.
Background: tcp_user_timeout – Controls the number of milliseconds that transmitted data may remain unacknowledged before a connection is forcibly closed. Default is 0 which means it is disabled.
Vulnerability details: Avoid too many retransmit packets. If a TCP socket is using TCP_USER_TIMEOUT, and the other peer retracted its window to zero, tcp_retransmit_timer() can retransmit a packet every two jiffies (2 ms for HZ=1000), for about 4 minutes after TCP_USER_TIMEOUT has ‘expired’.
Solution: The fix is to make sure tcp_rtx_probe0_timed_out() takes icsk->icsk_user_timeout into account. Before the blamed commit, the socket would not time out after icsk->icsk_user_timeout, but it would use the standard exponential backoff for the retransmits. Also worth noting: before commit e89688e3e978 (“net: tcp: fix unexcepted socket die when snd_wnd is 0”), the issue would last 2 minutes instead of 4.
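To make the jiffies arithmetic and the fix concrete, here is an added user-space model (not the kernel's code, and not code from the original post): it converts between milliseconds and jiffies for HZ=1000, implements a before/after version of the zero-window probe timeout check as the text describes it, and simulates a retransmit firing every two jiffies to count how many packets leave before the socket gives up. TCP_RTO_MAX is taken as 120 s, the value behind the “about 4 minutes” (2 × TCP_RTO_MAX); the 10 s TCP_USER_TIMEOUT is a constructed example value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical user-space model; constants mirror a HZ=1000 kernel build. */
#define HZ              1000u
#define TCP_RTO_MAX_MS  120000u   /* 120 s; 2*TCP_RTO_MAX is the 4-minute bound */

/* jiffies <-> milliseconds, as the preface defines them: HZ ticks per second. */
static uint32_t msecs_to_jiffies(uint32_t ms) { return (uint32_t)(((uint64_t)ms * HZ) / 1000u); }
static uint32_t jiffies_to_msecs(uint32_t j)  { return (uint32_t)(((uint64_t)j * 1000u) / HZ); }

/* Zero-window probe timeout as it behaved before the fix: only the fixed
 * 2*TCP_RTO_MAX bound is consulted; TCP_USER_TIMEOUT is ignored entirely. */
bool probe0_timed_out_old(uint32_t rtx_delta_ms, int32_t rcv_delta_jiffies)
{
    int32_t timeout = (int32_t)msecs_to_jiffies(TCP_RTO_MAX_MS) * 2;

    if (rcv_delta_jiffies <= timeout)
        return false;
    return (int32_t)msecs_to_jiffies(rtx_delta_ms) > timeout;
}

/* Same check with the fix the text describes: the user timeout is taken into
 * account, so the socket gives up once retransmits have made no progress for
 * longer than TCP_USER_TIMEOUT (and the bound is capped at that value). */
bool probe0_timed_out_fixed(uint32_t user_timeout_ms, uint32_t rtx_delta_ms,
                            int32_t rcv_delta_jiffies)
{
    int32_t timeout = (int32_t)msecs_to_jiffies(TCP_RTO_MAX_MS) * 2;

    if (user_timeout_ms) {
        if (rtx_delta_ms > user_timeout_ms)
            return true;
        uint32_t ut = msecs_to_jiffies(user_timeout_ms);
        if (ut < (uint32_t)timeout)
            timeout = (int32_t)ut;
    }
    if (rcv_delta_jiffies <= timeout)
        return false;
    return (int32_t)msecs_to_jiffies(rtx_delta_ms) > timeout;
}

/* Simulate the pathological loop: the peer's window is zero, no ACK ever
 * arrives, and a retransmit fires every `interval_jiffies`. Returns how many
 * packets go out before the timeout check finally says "give up". */
uint32_t count_probes(uint32_t user_timeout_ms, uint32_t interval_jiffies, bool fixed)
{
    uint32_t now = 0;      /* jiffies elapsed since the last ACK (rcv_tstamp) */
    uint32_t probes = 0;

    for (;;) {
        now += interval_jiffies;
        /* every retransmit is unacked, so rtx_delta equals time since last ACK */
        uint32_t rtx_delta_ms = jiffies_to_msecs(now);
        bool out = fixed ? probe0_timed_out_fixed(user_timeout_ms, rtx_delta_ms, (int32_t)now)
                         : probe0_timed_out_old(rtx_delta_ms, (int32_t)now);
        if (out)
            return probes;
        probes++;
        if (now > 10u * 60u * HZ)   /* safety stop at 10 simulated minutes */
            return probes;
    }
}

int main(void)
{
    uint32_t ut = 10000; /* TCP_USER_TIMEOUT = 10 s (constructed example value) */
    uint32_t before = count_probes(ut, 2, false), after = count_probes(ut, 2, true);

    printf("HZ=%u: two jiffies = %u ms\n", HZ, jiffies_to_msecs(2));
    printf("before fix: %u probes, socket closed after %u s\n", before, jiffies_to_msecs(before * 2) / 1000);
    printf("after fix:  %u probes, socket closed after %u s\n", after, jiffies_to_msecs(after * 2) / 1000);
    return 0;
}
```

With the user timeout set to 10 s, the pre-fix check keeps retransmitting for the full 240 s (120 000 packets at one every 2 ms) while the fixed check stops after 10 s; with no TCP_USER_TIMEOUT configured both behave the same, which is why only sockets using the option were affected.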
Speculation: The CVE entry does not specify a Common Weakness Enumeration (CWE). I believe the minimal impact would be a denial of service, but it may be more serious!
Preface: The Linux kernel implements most of its IPv6 parts from USAGI. The USAGI project was founded to improve and develop the Linux IPv6 stack. The integrated USAGI version/release is unknown. Implemented in the kernel are the core functions of USAGI; the “standard” user-level programs provide basic IPv6 functionality.
Background: Converting IPv6 to use crypto_pool has the following advantages:
– SR now uses the asynchronous API, which may potentially free CPU cycles and improve performance for crypto algorithm providers;
– hash descriptors no longer have to be allocated at boot, but only from the moment SR starts using HMAC until the last HMAC secret is deleted;
– ahash_request(s) can potentially be reused for different users;
– only one per-CPU scratch buffer is allocated rather than a new one for each user;
– there is a common API for net/ users that need ahash on the RX/TX fast path.
Vulnerability details: In the Linux kernel, the following vulnerability has been resolved: “ipv6: sr: fix memleak in seg6_hmac_init_algo”. seg6_hmac_init_algo returns without cleaning up the previous allocations if one fails, so it’s going to leak all that memory and the crypto tfms. Update seg6_hmac_exit to only free the memory when allocated, so we can reuse the code directly.
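The error-path pattern behind this fix, as an added user-space model (not the kernel's seg6_hmac code): per-algorithm resources are allocated in a loop, an allocation failure can be injected at any step, and a NULL-safe teardown that frees only what was actually allocated is reused from the init error path. The names tfm, shash, NALGOS and NCPUS are stand-ins for the crypto transform and per-CPU descriptors the text mentions; the allocation counter exists only to prove that nothing is left behind.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model: two algorithms, each with one tfm and one per-CPU descriptor. */
#define NALGOS 2
#define NCPUS  4

struct algo_state {
    void *tfm;              /* crypto transform, modelled as a heap block */
    void *shash[NCPUS];     /* per-CPU hash descriptors, modelled as heap blocks */
};

static struct algo_state algos[NALGOS];
static int live_allocs;     /* outstanding allocations: the leak detector */
static int fail_at;         /* inject an allocation failure at this allocation number (0 = never) */
static int alloc_seq;

static void *model_alloc(size_t n)
{
    if (fail_at && ++alloc_seq == fail_at)
        return NULL;                    /* simulated -ENOMEM */
    void *p = malloc(n);
    if (p) live_allocs++;
    return p;
}

static void model_free(void *p)
{
    if (p) { free(p); live_allocs--; }
}

/* Teardown that is safe to call from the init error path: every slot is
 * NULL-checked and reset, so a partially initialised table leaves nothing
 * behind. This is the property the fix gives seg6_hmac_exit. */
void hmac_exit_algos(void)
{
    for (int a = 0; a < NALGOS; a++) {
        for (int c = 0; c < NCPUS; c++) {
            model_free(algos[a].shash[c]);
            algos[a].shash[c] = NULL;
        }
        model_free(algos[a].tfm);
        algos[a].tfm = NULL;
    }
}

/* Buggy shape: return on the first failure without undoing earlier work. */
int hmac_init_algos_leaky(void)
{
    for (int a = 0; a < NALGOS; a++) {
        if (!(algos[a].tfm = model_alloc(64)))
            return -1;
        for (int c = 0; c < NCPUS; c++)
            if (!(algos[a].shash[c] = model_alloc(128)))
                return -1;      /* everything allocated so far is leaked */
    }
    return 0;
}

/* Fixed shape: on failure, reuse the NULL-safe teardown before returning. */
int hmac_init_algos_fixed(void)
{
    for (int a = 0; a < NALGOS; a++) {
        if (!(algos[a].tfm = model_alloc(64)))
            goto out_err;
        for (int c = 0; c < NCPUS; c++)
            if (!(algos[a].shash[c] = model_alloc(128)))
                goto out_err;
    }
    return 0;
out_err:
    hmac_exit_algos();
    return -1;
}

/* Run one init with a failure injected at allocation `n`; return how many
 * allocations the caller would never get back (0 means no leak). */
int leaked_after_failed_init(int n, int use_fixed)
{
    memset(algos, 0, sizeof(algos));
    live_allocs = 0; alloc_seq = 0; fail_at = n;
    int rc = use_fixed ? hmac_init_algos_fixed() : hmac_init_algos_leaky();
    int leaked = (rc == 0) ? 0 : live_allocs;
    hmac_exit_algos();          /* release the model's own memory; pointers are still in the table */
    fail_at = 0;
    return leaked;
}

int main(void)
{
    printf("failure at allocation 7, leaky init: %d blocks leaked\n", leaked_after_failed_init(7, 0));
    printf("failure at allocation 7, fixed init: %d blocks leaked\n", leaked_after_failed_init(7, 1));
    return 0;
}
```

Each algorithm costs five allocations here (one tfm plus four descriptors), so a failure at allocation 7 leaks six blocks with the leaky shape and none with the fixed one.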
Preface: How is RTT measured in TCP? It is the time from sending a packet to receiving the acknowledgment packet from the target host.
Background: A new technology standard called “RFC 9293” was released on August 18, 2022.
Highlight:
-Acknowledgment Number: 32 bits – If the ACK control bit is set, this field contains the value of the next sequence number the sender of the segment is expecting to receive. Once a connection is established, this is always sent.
-There are also methods of “fingerprinting” that can be used to infer the host TCP implementation (operating system) version or platform information. These collect observations of several aspects, such as the options present in segments, the ordering of options, the specific behaviors in the case of various conditions, packet timing, packet sizing, and other aspects of the protocol that are left to be determined by an implementer, and can use those observations to identify information about the host and implementation.
Vulnerability details: The TCP protocol in RFC 9293 has a timing side channel that makes it easier for remote attackers to infer the content of one TCP connection from a client system (to any server), when that client system is concurrently obtaining TCP data at a slow rate from an attacker-controlled server, aka the “SnailLoad” issue. For example, the attack can begin by measuring RTTs via the TCP segments whose role is to provide an ACK control bit and an Acknowledgment Number.
Preface: AI-powered systems analyse the severity of a vulnerability, its potential impact and exploitability, and prioritise patches based on the criticality of the vulnerability. Perhaps one day the AI will contain self-diagnostics and remedy itself!
Background: Open-source software that helps standardize model deployment and delivers fast and scalable AI in production.
Vulnerability details:
CVE-2024-0103 Information disclosure
NVIDIA Triton Inference Server for Linux contains a vulnerability where a user may cause an incorrect Initialization of resource by network issue. A successful exploit of this vulnerability may lead to information disclosure.
Ref: For example, the minimum packet size is 60 bytes (the card typically adds a frame checksum to this, making the minimum packet size on the line 64 bytes). If you only have 40 bytes, it will still transmit 60 bytes: the 40 bytes you send plus the next 20 bytes that happen to be sitting in the buffer beyond the 40 you intended to send.
If you haven’t explicitly initialized that area, those 20 bytes might well be data left over from a previously sent packet, which may have belonged to some other connection. Or that memory could previously have been a data page for some program that was recently running (and hence could contain a password, an encryption key, or just about any kind of sensitive information).
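The padding leak in the reference above, as an added example that is not part of the original post and not any real driver's code: a single reused transmit buffer is modelled, a 40-byte payload is padded up to the 60-byte minimum, and the two frame builders differ only in whether the padding region is zeroed. The earlier frame contents are constructed filler standing in for the stale data the text describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN_FRAME 60u   /* minimum Ethernet frame without FCS, as stated in the text */

/* Hypothetical model of a driver's reused transmit buffer (one ring slot). */
static uint8_t tx_buf[256];

/* Unsafe: copy the payload and bump the length to the minimum without touching
 * the tail, so bytes [len, 60) are whatever the buffer last held. */
size_t build_frame_unsafe(const uint8_t *payload, size_t len)
{
    memcpy(tx_buf, payload, len);
    return len < MIN_FRAME ? MIN_FRAME : len;
}

/* Safe: explicitly zero the padding region before the frame reaches the wire. */
size_t build_frame_safe(const uint8_t *payload, size_t len)
{
    memcpy(tx_buf, payload, len);
    if (len < MIN_FRAME) {
        memset(tx_buf + len, 0, MIN_FRAME - len);
        return MIN_FRAME;
    }
    return len;
}

/* Count padding bytes (between payload end and frame end) that are non-zero,
 * i.e. stale memory that would leave the host inside this frame. */
int stale_padding_bytes(size_t payload_len, size_t frame_len)
{
    int n = 0;
    for (size_t i = payload_len; i < frame_len; i++)
        if (tx_buf[i] != 0) n++;
    return n;
}

/* Scenario: an earlier, larger frame left non-zero data in the buffer
 * (constructed filler standing in for a key or password); a 40-byte payload
 * is then sent. Returns how many stale bytes the outgoing frame carries. */
int demo(int use_safe)
{
    for (size_t i = 0; i < sizeof(tx_buf); i++)
        tx_buf[i] = (uint8_t)('A' + (i % 26));     /* leftover from a previous frame */

    uint8_t payload[40];
    memset(payload, 0xAB, sizeof(payload));        /* constructed 40-byte payload */
    size_t flen = use_safe ? build_frame_safe(payload, sizeof(payload))
                           : build_frame_unsafe(payload, sizeof(payload));
    return stale_padding_bytes(sizeof(payload), flen);
}

int main(void)
{
    printf("unsafe builder: %d stale bytes on the wire\n", demo(0));
    printf("safe builder:   %d stale bytes on the wire\n", demo(1));
    return 0;
}
```

The unsafe builder ships all 20 padding bytes from the previous frame; the safe one ships none. The same principle (initialise every byte that leaves the process, not just the ones you meant to send) is what an “incorrect initialization of resource” finding like the one above is about.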
Preface: Syzbot began reporting kernel findings to LKML in 2017. Syzbot is a continuous kernel build / fuzz / report aggregation system.
Background: Linux has two mechanisms for setting routes: one is the FIB, and the other is dynamically generated routing. The FIB uses route (man 8 route) to specify a static route table. What net/ipv4/route.c does is dynamically generate a routing hash to speed up route decisions.
Vulnerability details: In the Linux kernel, the following vulnerability has been resolved: “ipv4: check for NULL idev in ip_route_use_hint()”. syzbot was able to trigger a NULL deref in fib_validate_source() in an old tree.
It appears the bug exists in the latest trees. All calls to __in_dev_get_rcu() must be checked for a NULL result.
Original article published January 2024, status update published January 23, 2024.
Preface: Supermicro is aware of a potential vulnerability known as “PixieFAIL” in the BIOS firmware. Multiple vulnerabilities were discovered in the TCP/IP stack (NetworkPkg) of Tianocore EDKII, an open source implementation of UEFI. These nine vulnerabilities, if exploited via the network, can lead to remote code execution, DoS attacks, DNS cache poisoning, and/or potential leakage of sensitive information.
Background: The UEFI image parser is well-implemented, with a strict set of format validation requirements. The UEFI image loader starts the image allocation process by reserving enough memory for the image to be fully loaded. The required memory is extended by a single page so that the loader has enough space to store information about the debugging symbols. Usually this is not necessary, but depending on the linker, debugging information can be placed inside the image overlay. Because the overlay information is not loaded into memory, the UEFI loader ensures that it is available by copying it from disk to this additionally allocated page.
EDK2’s Network Package provides network modules that conform to the UEFI 2.4 specification.
Vulnerability details: EDK2’s Network Package is susceptible to an out-of-bounds read vulnerability when processing Neighbor Discovery Redirect message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
Ref: The subject matter expert performed a cursory inspection of NetworkPkg, Tianocore’s EDK II PXE implementation, and identified nine vulnerabilities that can be exploited by unauthenticated remote attackers on the same local network, and in some cases, by attackers on remote networks. The impact of these vulnerabilities includes denial of service, information leakage, remote code execution, DNS cache poisoning, and network session hijacking.
NIST Official details: Please refer to the link for details –
Background: IPIP tunnel is typically used to connect two internal IPv4 subnets through public IPv4 internet. It has the lowest overhead but can only transmit IPv4 unicast traffic.
Vulnerability details: The vulnerability is due to the affected device unexpectedly decapsulating and processing IP in IP packets that are destined to a locally configured IP address. An attacker could exploit this vulnerability by sending a crafted IP in IP packet to an affected device. If you are interested in the actual impact, please refer to the attached diagram.
Remedy: Users can block IP-in-IP packets by filtering IP protocol number 4 (IPv4 encapsulation – RFC 2003).
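The remedy above expressed as inspection logic, as an added example (not any vendor's code): a small IPv4 header parser pulls out the protocol field and destination address, and the filter drops protocol 4 (IPIP) either everywhere (the blanket block the remedy describes) or only when the outer destination is one of the device's own addresses (the packet the vulnerability concerns). The local address list and the sample packets are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPPROTO_IPIP 4u      /* IPv4-in-IPv4 encapsulation, RFC 2003 */

enum verdict { ACCEPT = 0, DROP_IPIP = 1, DROP_MALFORMED = 2 };

/* Hypothetical "locally configured" addresses of the device (constructed). */
static const uint32_t local_addrs[] = { 0xC0A80101u /* 192.168.1.1 */, 0x0A000001u /* 10.0.0.1 */ };

static bool is_local(uint32_t addr)
{
    for (size_t i = 0; i < sizeof(local_addrs) / sizeof(local_addrs[0]); i++)
        if (local_addrs[i] == addr) return true;
    return false;
}

/* Inspect one IPv4 packet. With strict=true every protocol-4 packet is dropped
 * (the remedy's blanket filter); with strict=false only those addressed to one
 * of our own addresses, i.e. the ones the device would decapsulate itself. */
int filter_ipv4(const uint8_t *pkt, size_t len, bool strict)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return DROP_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4u;
    if (ihl < 20 || ihl > len)
        return DROP_MALFORMED;
    uint8_t proto = pkt[9];
    uint32_t dst = ((uint32_t)pkt[16] << 24) | ((uint32_t)pkt[17] << 16) |
                   ((uint32_t)pkt[18] << 8)  |  (uint32_t)pkt[19];
    if (proto == IPPROTO_IPIP && (strict || is_local(dst)))
        return DROP_IPIP;
    return ACCEPT;
}

/* Write a minimal 20-byte IPv4 header (constructed sample; checksum left zero). */
size_t make_ipv4(uint8_t *out, uint8_t proto, uint32_t src, uint32_t dst, uint16_t total_len)
{
    memset(out, 0, 20);
    out[0] = 0x45;                                   /* version 4, IHL 5 */
    out[2] = (uint8_t)(total_len >> 8); out[3] = (uint8_t)total_len;
    out[8] = 64;                                     /* TTL */
    out[9] = proto;
    for (int i = 0; i < 4; i++) {
        out[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        out[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    return 20;
}

/* Scenario: an outer packet of protocol `proto` from an outside host to `dst`,
 * carrying an inner IPv4/UDP header so it looks like a real IPIP datagram. */
int verdict_for(uint8_t proto, uint32_t dst, bool strict)
{
    uint8_t pkt[40];
    size_t n = make_ipv4(pkt, proto, 0xCB007101u /* 203.0.113.1 */, dst, 40);
    n += make_ipv4(pkt + n, 17, 0x0A000002u, 0x0A000003u, 20);   /* inner header */
    return filter_ipv4(pkt, n, strict);
}

int main(void)
{
    printf("IPIP to our 192.168.1.1 (local-only rule): %d\n", verdict_for(4, 0xC0A80101u, false));
    printf("IPIP to 192.168.1.5, transit (local-only rule): %d\n", verdict_for(4, 0xC0A80105u, false));
    printf("IPIP to 192.168.1.5, transit (blanket rule): %d\n", verdict_for(4, 0xC0A80105u, true));
    printf("plain TCP to our 192.168.1.1: %d\n", verdict_for(6, 0xC0A80101u, false));
    return 0;
}
```

A perimeter ACL normally applies the blanket form, since few networks legitimately carry IPIP from the outside; the local-only form is the minimum that removes the vulnerable path while leaving existing tunnels that transit the device untouched.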
Preface: Why do some people want everything fast? Yet when a man is having dinner with his girlfriend, he hopes that time will go slower.
5G communication background: In April 2008, NASA partnered with Geoff Brown and Machine-to-Machine Intelligence (M2Mi) Corp to develop 5G communications technology. As time went by, on 3 April 2019, South Korea became the first country to adopt 5G.
We have heard a lot of news about 5G technology, beyond its high speed and low latency. Can the 5G architecture be hacked?
5G is the first generation that was designed with virtualization and cloud-based technology. Nokia said building separate systems to meet future requirements and use cases of 5G was not an option, so the future network needed to be integrated and aligned with software-defined functions, cognitive technology to orchestrate it and distributed content and processing. 5G’s future rests on software-defined networking (SDN), whose main concept is to decouple the infrastructure of wireless networks from expensive, closed hardware and shift it to an intelligent software layer running on commodity hardware. However, software-defined functions are vulnerable to security threats as well. One of the most significant security risk factors is the possibility of a compromised SDN controller attack at the control plane layer. Due to the centralization design of the SDN, the SDN controller becomes the brain of the SDN architecture. Attackers can focus on compromising the SDN controller in an attempt to manipulate the entire network.
Perhaps the above prediction was true. Samsung 5G Core NFs are cloud-native NFs, which consist of container-based micro-services to enable flexible scaling and upgrades to meet telecom operators’ requirements. For more details, please refer to the diagram below.
Besides, the 5G Service-Based Architecture (SBA) consists of several components (Resource Controller, Subscription Manager, Policy Controller and Exposure Server). The interconnect between the packet core controller and the above four components could make use of HTTP/JSON. From a security point of view, it is hard to foresee whether this type of interconnection will encounter vulnerabilities in future.
On-demand patch management in the existing information technology world will be extended to 5G networks in future.
Docker and Kubernetes have become a main trend in the technology world. Both products’ features can improve the redundancy and fault tolerance of a system, and therefore it is hard to avoid 5G service providers installing a similar architecture. APT attacks and ransomware will wreak havoc with the cyber world. In order to reduce zero-day attacks on Docker and Kubernetes environments, a system hardening process and access control policy must be put in place. So the 5G service-based architecture system will be the new hacker target soon.
Summary: The above description covers only a small part of the 5G network. Let us observe what will happen in the mobile communication world.
Preface: Maybe people won’t use WPA because it’s not safe. However, the WPA2 PSK can also be recovered with tools.
Technical details:
WPA and WPA2 offline attack techniques are well known today. For instance, a penetration tester conducting a WiFi penetration test will rely on a tool (Aircrack-ng). As a matter of fact, the attacker first obtains a man-in-the-middle (MitM) position between the victim and the real Wi-Fi network. However, that alone does not enable the attacker to decrypt packets! One way is to use a password recovery tool with a “wordlist”. The mechanism reads line by line from a text file (aka “dictionary” or “wordlist”) and tries each line to find the password.
Reference: The dictionary pass-phrase attack is one of the popular attacks on WPA2-PSK. Since PSK will be the main key to protect WLAN, the attacker will try to guess the pass-phrase used to generate PSK. This can be done by capturing the initial WPA2-PSK handshaking between a legitimate wireless client and the AP.
Remedy: It sounds like it is not difficult to crack. In our world, IoT devices do not use 802.1X for authentication. What can we do?
If changing to 802.1X is not possible, configure a strong PSK with a minimum length of 19 characters or more.
IPv6 design limitation highlighted by Cisco at the 2013 RSA conference: since the ICMP header is in the 2nd fragment, a defense mechanism such as RA Guard has no clue where to find it (see my cartoon picture). Perhaps a stateful firewall can do the defense. Meanwhile, this issue told the world there is no truly secure Internet Protocol! But this vulnerability on Cisco only causes a Denial of Service (reboot). At least there is no privilege escalation or data leakage.
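One stateless check a device can apply to the fragment problem described above, as an added example (not Cisco's or any vendor's code): it walks the IPv6 extension header chain of a first fragment and drops the packet when the chain runs off the end of the fragment before an upper-layer header (such as ICMPv6) is reached, which is the condition RFC 7112 forbids and the one that leaves RA Guard with nothing to inspect. The packet builder and its field values are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IANA Next Header values used below. */
enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_UDP = 17, NH_ROUTING = 43, NH_FRAGMENT = 44,
       NH_ICMPV6 = 58, NH_NONE = 59, NH_DSTOPTS = 60 };

enum verdict6 { PASS = 0, DROP_INCOMPLETE_CHAIN = 1, DROP_MALFORMED6 = 2 };

#define UPPER_MIN 8   /* heuristic: an upper-layer header must have at least 8 bytes present */

/* Hypothetical first-fragment check. A first fragment (offset 0) whose
 * extension-header chain does not end with an upper-layer header inside this
 * fragment is dropped; non-first fragments are left to reassembly. */
int check_first_fragment(const uint8_t *pkt, size_t len)
{
    if (len < 40 || (pkt[0] >> 4) != 6)
        return DROP_MALFORMED6;
    uint8_t nh = pkt[6];
    size_t off = 40;
    bool saw_fragment = false;

    for (;;) {
        switch (nh) {
        case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS: {
            if (off + 2 > len)
                return saw_fragment ? DROP_INCOMPLETE_CHAIN : DROP_MALFORMED6;
            size_t ext_len = ((size_t)pkt[off + 1] + 1) * 8;   /* Hdr Ext Len is in 8-octet units, excluding the first */
            if (off + ext_len > len)
                return saw_fragment ? DROP_INCOMPLETE_CHAIN : DROP_MALFORMED6;
            nh = pkt[off];
            off += ext_len;
            break;
        }
        case NH_FRAGMENT: {
            if (off + 8 > len)
                return DROP_MALFORMED6;
            uint16_t frag_off = (uint16_t)(((pkt[off + 2] << 8) | pkt[off + 3]) & 0xFFF8);
            if (frag_off != 0)
                return PASS;            /* not a first fragment */
            saw_fragment = true;
            nh = pkt[off];
            off += 8;
            break;
        }
        case NH_NONE:
            return PASS;
        default:                        /* ICMPv6, TCP, UDP, ...: the header itself must fit */
            if (saw_fragment && off + UPPER_MIN > len)
                return DROP_INCOMPLETE_CHAIN;
            return PASS;
        }
    }
}

/* Construct an IPv6 fragment: base header, Fragment header (M=1, given offset),
 * a Destination Options header claiming (dst_len8+1)*8 bytes of which only
 * dst_present bytes are in this fragment, then upper_bytes of upper-layer data. */
size_t make_fragment(uint8_t *out, size_t cap, uint16_t frag_offset, uint8_t dst_len8,
                     size_t dst_present, uint8_t final_nh, size_t upper_bytes)
{
    memset(out, 0, cap);
    out[0] = 0x60;                                  /* version 6 */
    out[6] = NH_FRAGMENT;
    out[7] = 64;                                    /* hop limit */
    size_t off = 40;
    out[off] = NH_DSTOPTS;                          /* Fragment header: Next Header */
    out[off + 2] = (uint8_t)(frag_offset >> 8);
    out[off + 3] = (uint8_t)((frag_offset & 0xF8) | 1);   /* offset, M flag set */
    off += 8;
    out[off] = final_nh;                            /* Dest Options: Next Header */
    out[off + 1] = dst_len8;                        /* Dest Options: Hdr Ext Len */
    off += dst_present + upper_bytes;
    out[4] = (uint8_t)((off - 40) >> 8); out[5] = (uint8_t)(off - 40);   /* payload length */
    return off;
}

/* Convenience wrapper: build the packet and return the verdict. */
int verdict_fragment(uint16_t frag_offset, uint8_t dst_len8, size_t dst_present,
                     uint8_t final_nh, size_t upper_bytes)
{
    uint8_t buf[128];
    size_t n = make_fragment(buf, sizeof(buf), frag_offset, dst_len8, dst_present, final_nh, upper_bytes);
    return check_first_fragment(buf, n);
}

int main(void)
{
    printf("RA header entirely in 2nd fragment (dest opts cut short): %d\n", verdict_fragment(0, 3, 16, NH_ICMPV6, 0));
    printf("dest opts complete but ICMPv6 header absent:             %d\n", verdict_fragment(0, 0, 8, NH_ICMPV6, 0));
    printf("well-formed first fragment with ICMPv6 header present:   %d\n", verdict_fragment(0, 0, 8, NH_ICMPV6, 16));
    printf("second fragment (offset 64), left to reassembly:         %d\n", verdict_fragment(64, 3, 16, NH_ICMPV6, 0));
    return 0;
}
```

This is the stateless half of the defence; it catches the case the cartoon describes (the upper-layer header pushed into the second fragment) without reassembling anything, while a stateful firewall that reassembles before inspecting closes the remaining gaps.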