Category Archives: Potential Risk of CVE

About CVE-2023-32690: Fixed a bug that could affect major design. (2nd June 2023)

Preface: The DMTF’s Security Protocols and Data Models (SPDM) Working group is responsible for the SPDM standard. This standard enables authentication, attestation and key exchange to assist in providing infrastructure security enablement.

Background: Security Protocol and Data Model (SPDM) is a two-party protocol between a Requester that initiates the conversation and the Responder. DMTF is a standards organization by major industry players in IT infrastructure.

Vulnerability details: libspdm is a sample implementation that follows the DMTF SPDM specifications. Prior to versions 2.3.3 and 3.0, following a successful CAPABILITIES response, a libspdm Requester stores the Responder’s CTExponent into its context without validation. If the Requester sends a request message that requires a cryptography operation by the Responder, such as CHALLENGE, libspdm will calculate the timeout value using the Responder’s unvalidated CTExponent. A patch is available in version 2.3.3. A workaround is also available. After completion of VCA, the Requester can check the value of the Responder’s CTExponent. If it greater than or equal to 64, then the Requester can stop communication with the Responder.

Official announcement: For details, please refer to the link – https://www.cve.org/CVERecord?id=CVE-2023-32690

About CVE-2023-3006 – Specter-BHB on arm update on end of May 2023 (1st June 2023)

Preface: Speculate that this CVE is custom for Ampere Computing. Ampere Computing is an ARM architecture licensee and develops its own server microprocessors.

Background: Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.

Vulnerability details: CVE-2023-3006 – A known cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, becomes actual again for the new hw AmpereOne. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim s hardware context. Once that occurs, speculation caused by the mispredicted branches can cause cache allocation. This issue leads to obtaining information that should not be accessible.

Official details: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-3006

About CVE-2023-33962 – JStachio fails to escape single quotes in HTML (31st May 2023)

Preface: About 20 years ago, people know java is unsafe. Perhaps of technology trend, so whatever the design appyling java language. The flexibility and easy to use will let people contempt about awareness of cyber security. While Java is considered relatively safe because it is a server side language, there are still multiple ways to attack and access secure code you’d like to remain private.

Background: The Spring Framework is an application framework and inversion of control container for the Java platform. The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE platform.
Mustache is a logicless template engine and it is helpful for creating dynamic content like HTML and configuration files.
If your models are type based and not just Map then JStachio is good choice.

Ref:End-users only use JVM and JRE to execute the application program. JRE identifies all the helpful class libraries needed for execution, while JVM is a subclass of JRE that decodes the bytecode into machine language and other minor tasks. Each JVM server can have a maximum of 256 threads to run Java applications.

Vulnerability details: Prior to version 1.0.1, JStachio fails to escape single quotes ' in HTML, allowing an attacker to inject malicious code. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of other users visiting pages that use this template engine. This can lead to various consequences, including session hijacking, defacement of web pages, theft of sensitive information, or even the propagation of malware.

Solution: Version 1.0.1 contains a patch for this issue.

Workaround: To mitigate this vulnerability, the template engine should properly escape special characters, including single quotes. Common practice is to escape ' as &#39. As a workaround, users can avoid this issue by using only double quotes " for HTML attributes.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-33962

CVE-2023-32067 – c-ares is vulnerable to denial of service (30th May 2023)

Preface: c-ares is a C language implementation of asynchronous request DNS. When using c-ares, you usually only need to reference the ares.h header file, and the related header files of the library are included.

Background: For some asynchronous DNS requests, Node[.]js uses a C library called c-ares.
So called Async DNS – This feature bypasses the normal operating system mechanisms for resolving domain names and uses the browser directly. In this mode, DNS requests will communicate directly own DNS servers and some third party providers.

Vulnerability details: c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.

According to the technical aspect of UDP packet with a length of 0 matter. Do you have below queries?
Writing a datagram of length 0 is acceptable. In the case of UDP, this results in an IP datagram containing an IP header (normally 20 bytes for IPv4 and 40 bytes for IPv6), an 8-byte UDP header, and no data. This also means that a return value of 0 from recvfrom is acceptable for a datagram protocol: It does not mean that the peer has closed the connection, as does a return value of 0 from read on a TCP socket. Since UDP is connectionless, there is no such thing as closing a UDP connection.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-32067

About CVE-2023-32695 – A patch has been released in socket[.]io-parser version 4.2.3.

Preface: In technical aspect, a Socket[.]IO server can sustain 10,000 concurrent connections. Therefore you can build a chat experience and using Socket[.]IO as your realtime communication solution. But if you want chat users to receive push notifications when they’re not actively using the app, Socket[.]IO can’t help, as it relies on a persistent socket connection.

Background: Socket[.]IO is a library that enables real-time, bidirectional and event-based communication between the browser and the server.
A socket[.]io encoder and decoder written in JavaScript complying with version 4 of socket[.]io-protocol. Used by socket[.]io and socket[.]io-client.
In addition, a socket[.]io-parser has included. A socket.io encoder and decoder written in JavaScript complying with socket[.]io-protocol. Used by socket[.]io and socket[.]io-client.

Ref:socket-io[.] client is the code for the client-side implementation of socket[.]io[.] That code may be used either by a browser client or by a server process that is initiating a socket[.]io connection to some other server (thus playing the client-side role in a socket[.]io connection).

Vulnerability details: socket[.]io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket[.]io-protocol.

Potential impact: A specially crafted Socket[.]IO packet can trigger an uncaught exception on the Socket[.]IO server, thus killing the Node[.]js process.

Solution: A patch has been released in version 4.2.3.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-32695

CVE-2022-33302 – Memory corruption due to improper validation of array index in User Identity Module when APN TLV length is greater than command length.(25th May 2023)

Preface: Perhaps you feeling that it’s not follow best practice when it is a zero-day matter. Seems this CVE was late published. The fact is that the impact look serious. So before vendor resolve the problem. Vendor do not intent disclose to public. But problem resolved now.

Background: The User Identity Module may contain information such as the NAM (Number Assignment Module) and subscription feature information. Based on design, UIM can be integrated into the smartphone or it may be a R-UIM (Removable Identity Module).
Refer to vendor design mechanism, Reading a mobile subscriber identity from a memory device associated with the smartphone; determining if part or all of the mobile subscriber identity matches a data set entry within a file associated with the smartphone.
For example, a program assists find highest number in an array by the pointer. As a result, the result of high-array is the number of elements from the start of the array to the element pointed to by high, and that is the index of that element.

Ref: What is a Function Pointer? Function Pointers are pointers, i.e. variables, which point to an address of a function. The running programs get a certain space in the main memory. Both, the executable compiled program code and the used variables, are put inside this memory.

Vulnerability details: Qualcomm found that a memory corruption due to improper validation of array index in User Identity Module when APN TLV length is greater than command length.

Official details: Please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2022-33302

About CVE-2023-21930, new CVE added on 16th May 2023 by Oracle (24th May 2023)

Preface: Oracle Linux is an optimized and secure operating environment for application development and deployment. Oracle Linux 9 with UEK R7 provides kernel, performance, and security enhancements.
On 16th May 2023 Oracle added second revise on their bulletin which held on April 2023. In NVD CVE publications advisories, CVE-2023-21930 also provided lasted update on 27th April 2023.
Does this update related to oracle DB environment stability ? This is the goal of this short discussion.

Background: What does Java SE do? It provides a foundation for building and deploying network-centric enterprise applications that range from the PC desktop computer to the workgroup server.

Vulnerability details: Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.

Impact of Java SE Security Vulnerabilities on Oracle Products:

  • Oracle WebLogic Server – Version 10.3.2 and later
  • Oracle Fusion Middleware – Version 10.1.2.0.0 to 10.1.4.3.0 [Release AS10gR2 to AS10gR3]
  • Oracle Containers for J2EE – Version 10.1.2.0.0 to 10.1.3.5.0 [Release AS10gR2 to AS10gR3]
  • Oracle Database – Enterprise Edition – Version 11.1.0.7 and later

Official announcement: For details, please refer to the link – https://www.oracle.com/security-alerts/linuxbulletinapr2023.html

CVE-2023-32413 A race condition occurred in process state handling. It is very common in OS systems, be it Linux or Microsoft Windows. (23rd May 2023)

Preface: A race condition vulnerability typically occurs when your application has access to the same shared data and attempts to change variables within it simultaneously. Applications can become vulnerable to race conditions if they interact with other applications that use parallel processing or multiple threads.

Background: A process describes an individual running instance of a program. It has its own memory, which it does not share with other programs. A process can run code in multiple separate threads. These threads can run code independently of each other.
In Linux, a process is an instance of executing a program or command. While these processes exist, they’ll be in one of the five possible states:

  • Running or Runnable (R)
  • Uninterruptible Sleep (D)
  • Interruptable Sleep (S)
  • Stopped (T)
  • Zombie (Z)

Ref: Zombie processes are already dead, so they cannot be killed, they can only be reaped, which has to be done by their parent process via wait*(). This is usually called the child reaper idiom, in the signal handler for SIGCHLD.

When a child process stops or terminates, SIGCHLD is sent to the parent process. The default response to the signal is to ignore it. The signal can be caught and the exit status from the child process can be obtained by immediately calling wait(2) and wait3(3C). This allows zombie process entries to be removed as quickly as possible.

Vulnerability details: A race condition was addressed with improved state handling.

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to gain root privileges

Official announcement: About the security content of iOS 16.5 and iPadOS 16.5. Please refer to the link – https://support.apple.com/en-us/HT213757

About CVE-2023-33252 – Similar concern for cyber security today, it also apply to future digital world Artificial intelligence zone. (22nd May 2023)

Preface: Foreseeing the continuous development of artificial intelligence, use blockchain technology for network communication is a must.
A blockchain is a distributed database or ledger shared among nodes in a computer network. They are known for their key role in maintaining a secure and decentralized record of transactions in cryptocurrency systems, but they are not limited to the use of cryptocurrencies.

Background: IDEN3 is NOT an ICO (Initial Coin Offerings). It has no token at all. It is an open source permissionless identity layer built on top of Ethereum that we expect many projects will be able to use as a foundational layer for their own identity solution.
What are Initial Coin Offerings? ICOs are another form of cryptocurrency that businesses use in order to raise capital. Through ICO trading platforms, investors receive unique cryptocurrency “tokens” in exchange for their monetary investment in the business.

Ref: Circom is a compiler written in Rust for compiling circuits written in the circom language. The compiler outputs the representation of the circuit as constraints and everything needed to compute different ZK proofs.

Vulnerability details: iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.

References:
https://github.com/iden3/snarkjs/commits/master/src/groth16_verify.js
https://github.com/iden3/snarkjs/tags

CVE-2023-31655 Crash while running redis-7.0.10 with the redisraft-cd52ee4.(19th May 2023)

Preface: What does the ERROR: Segmentation violation mean?
Traditionally, a “segmentation violation” is a signal sent by the kernel to a process when the system has detected that the process was attempting to access a memory address that does not belong to it. Typically, this results in the offending process being terminated.

Background: A process describes an individual running instance of a program. It has its own memory, which it does not share with other programs. A process can run code in multiple separate threads. These threads can run code independently of each other.
This is how a server might accept multiple clients: we would spin up a separate thread for each client so the server could have an independent conversation with that client. Unlike processes, they share their memory with each other.
All Redis data resides in memory, enabling low-latency and high-throughput data access. Unlike traditional databases, in-memory data stores do not require access to disk.
RedisRaft is a Redis module that implements the Raft Consensus Algorithm, making it possible to create strongly-consistent clusters of Redis servers.

Vulnerability details: redis-7.0.10 was discovered to contain a segmentation violation.

Current status: Reply by developer, Redisraft is still being developed and currently, we only maintain compatibility with redisraft (master) and redis (unstable) branches.

Official announcement: Please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-31655