Category Archives: Potential Risk of CVE

OpenSUSE Backports SLE-15-SP3 watchman suffers from design flaw (26-01-2022)

Preface: What are backports in traditional Linux?
“Backporting” is the process of making new software run on something old. A version of something new that’s been modified to run on something old is called a “backport”. The Backports Project develops tools to automate the backporting process for Linux drivers. These tools form the backports suite.

Background: The idea of the Backports project is to collect openSUSE packages built for SUSE Linux Enterprise in a central repository. The policies for this repo are aligned with SUSE in order to maintain supportability of the main OS, making the packages “safe” to install and use.

The openSUSE:Backports projects are built as “Maintenance” projects. This is a special type of project which not only contains the latest build of a package, but also a history of previous releases. It’s also how the openSUSE updates projects are managed.

Vulnerability details: A UNIX Symbolic Link (Symlink) Following vulnerability in the systemd service file for watchman of openSUSE Backports SLE-15-SP3, Factory allows local attackers to escalate to root.

The details below are the explanation given by Matthias Gerstner.

The problem here is that watchman should continue working as normal on the command line without using systemd. This means that an unprivileged watchman instance must be able to create /run/watchman/$USER-state. This is why /run/watchman is a public sticky-bit directory.

What does a sticky bit do?
The modern function of the sticky bit applies to directories: it protects a directory and its content from being hijacked (renamed or deleted) by users other than the owner.
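As an added C example (written for this post, not code from the bug report or from watchman), the program below shows how an unprivileged process can create its own state file inside a public sticky-bit directory such as /run/watchman without following a symlink that another local user planted at that path. The helper name, the throw-away directory under /tmp and the file names are all constructed here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (creating) a per-user state file inside a shared sticky-bit directory.
 * A symlink planted at the target path by another local user is refused, so the
 * write cannot be redirected to a file owned by root or by someone else.
 * Returns an open fd, or -1 with errno set. */
int open_state_file_safely(const char *dir, const char *name, uid_t expect_uid) {
    struct stat st;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    /* The shared directory must carry the sticky bit; otherwise any user could
     * rename or unlink the file after we created it. */
    if (fstat(dfd, &st) < 0 || !(st.st_mode & S_ISVTX)) { close(dfd); errno = EPERM; return -1; }
    /* O_CREAT|O_EXCL fails with EEXIST if anything, including a dangling symlink,
     * already sits at the path; O_NOFOLLOW covers the non-creating case. */
    int fd = openat(dfd, name, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    close(dfd);
    if (fd < 0) return -1;
    /* Confirm that what we hold is our own, freshly created regular file. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != expect_uid || st.st_nlink != 1) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Self-contained demo in a throw-away mode-1777 directory under /tmp (constructed):
 * plant a symlink where "victim-state" would be created, then check that the helper
 * refuses it yet still succeeds for an unclaimed name. Returns 1 when both hold. */
int run_demo(void) {
    char dir[] = "/tmp/sticky-demo-XXXXXX", path[96];
    int fd, refused = 0, created = 0;
    if (!mkdtemp(dir)) return 0;
    if (chmod(dir, 01777) != 0) { rmdir(dir); return 0; }
    snprintf(path, sizeof path, "%s/victim-state", dir);
    if (symlink("/etc/placeholder-target", path) == 0) {      /* the planted link */
        fd = open_state_file_safely(dir, "victim-state", geteuid());
        refused = (fd < 0 && errno == EEXIST);
        if (fd >= 0) close(fd);
        unlink(path);
    }
    fd = open_state_file_safely(dir, "fresh-state", geteuid());
    created = (fd >= 0);
    if (fd >= 0) close(fd);
    snprintf(path, sizeof path, "%s/fresh-state", dir);
    unlink(path);
    rmdir(dir);
    return refused && created;
}

int main(void) {
    printf("planted symlink refused and fresh file created: %s\n", run_demo() ? "yes" : "no");
    return 0;
}
```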

Official announcement: Please refer to the link for details https://bugzilla.suse.com/show_bug.cgi?id=1194470

Does this concept resemble CVE-2022-23008? (26-01-2022)

Preface: NGINX Controller provides lightning-fast application delivery and API management for modern app teams.

Background: What is a Data Plane?

The data plane is a layer of service proxies that manage application-level network traffic. Data plane proxies typically operate on Layer 7 (application) traffic, although they may also operate on Layer 4 (transport) traffic. For example, popular data plane proxies include Envoy Proxy, NGINX, and HAProxy.

Layer seven is the application layer, the highest layer of the Open Systems Interconnection (OSI) model; it supports end-user applications and processes. Many defenses and attacks are based on this layer, so some security firms focus on Layer 4 and Layer 7.

Vulnerability details: CVE-2022-23008 – Successful exploitation allows an attacker to read and/or write files on the NGINX data plane instance. The access to files is limited to the user running the NGINX process, typically the nginx user.

Does this concept resemble CVE-2022-23008? An attacker can trick the browser by replacing the Access-Control-Allow-Origin header.
First, the original header is hidden using (proxy_hide_header Access-Control-Allow-Origin;). Then a new one is added before the response is sent back. NGINX does not replace headers; it appends to them.
So a possible way is that an attacker exploits a proxy.

If you are interested in the details, please refer to the attached diagram.

Vendor announcement: Final – K57735782: NGINX Controller API Management vulnerability CVE-2022-23008 – https://support.f5.com/csp/article/K57735782

CVE-2022-23852 – Prevent Expat (XML_GetBuffer) Signed integer overflow (24-01-2022)

Preface: Expat is free software. You may copy, distribute, and modify it under the terms of the License contained in the file COPYING distributed with this package. This license is the same as the MIT/X Consortium license.

Background: As an open-source XML parser, Expat is used from several programming languages, such as Python, PHP, Perl, etc. Four functions are frequently used (see below):

  • XML_ParserCreate – To create a new parser object.
  • XML_SetElementHandler – To define handlers for start and end tags.
  • XML_SetCharacterDataHandler – To define the handler for text.
  • XML_Parse – To pass a buffer full of document data to the parser.

After the Web Server receives the XML data, it will give it to the XML parser. To use the Expat library, programs first register handler functions with Expat. When Expat parses an XML document, it calls the registered handlers as it finds relevant tokens in the input stream. These tokens and their associated handler calls are called events. Typically, programs register handler functions for XML element start or stop events and character events. Expat provides facilities for more sophisticated event handling such as XML Namespace declarations, processing instructions and DTD events.

Vulnerability details: CVE-2022-23852 – Fix signed integer overflow (undefined behavior) in function XML_GetBuffer (that is also called by function XML_Parse internally) when XML_CONTEXT_BYTES is defined to >0 (which is both common and default). Impact is denial of service or more.

Some kinds of integer overflow are undefined, and these kinds of behavior are especially problematic. According to the C99 standard, undefined behavior is “behavior, upon use of a non-portable or erroneous program construct or of erroneous data, for which this International Standard imposes no requirements.”

Ref: A signed integer is a 32-bit datum that encodes an integer in the range [-2147483648 to 2147483647]. An unsigned integer is a 32-bit datum that encodes a nonnegative integer in the range [0 to 4294967295]. The signed integer is represented in two's complement notation.
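To make the arithmetic concrete, here is an added C example (written for this post, not Expat's own code) that mirrors the size computation in XML_GetBuffer: the bytes still unparsed, the `len` requested, and the context bytes kept when XML_CONTEXT_BYTES > 0 are all ints, so their sum can wrap negative, and a negative size passed on to an allocator becomes a huge size_t. The function and parameter names are my own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define CONTEXT_BYTES 1024   /* stands in for XML_CONTEXT_BYTES (> 0 is the default) */

/* Add two non-negative ints, reporting failure instead of overflowing. */
static bool add_checked(int a, int b, int *sum) {
    if (a < 0 || b < 0 || a > INT_MAX - b) return false;
    *sum = a + b;
    return true;
}

/* The sum as the unchecked code would observe it on a two's-complement
 * platform.  Computed in unsigned so this demo itself has no undefined
 * behaviour; only the final conversion back to int is implementation-defined. */
int needed_size_wrapped(int unparsed, int keep, int len) {
    unsigned sum = (unsigned)unparsed + (unsigned)len + (unsigned)keep;
    return (int)sum;             /* negative once the true sum exceeds INT_MAX */
}

/* Checked form: the number of bytes the buffer must hold, or -1 when the
 * request cannot be satisfied (the real fix returns NULL from XML_GetBuffer
 * and reports XML_ERROR_NO_MEMORY).  `unparsed` is the data still between the
 * parse pointer and the end of the buffer; `keep` is the context to retain. */
int needed_size_checked(int unparsed, int keep, int len) {
    int needed;
    if (keep > CONTEXT_BYTES) keep = CONTEXT_BYTES;
    if (!add_checked(unparsed, len, &needed)) return -1;
    if (!add_checked(needed, keep, &needed)) return -1;
    return needed;
}

int main(void) {
    printf("normal request: %d bytes\n", needed_size_checked(100, 50, 1000));
    printf("wrapped value the unchecked code would see: %d\n",
           needed_size_wrapped(INT_MAX - 40, 50, 10));
    printf("checked result for the same request: %d\n",
           needed_size_checked(INT_MAX - 40, 50, 10));
    return 0;
}
```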

Official article: https://github.com/libexpat/libexpat/pull/550

Are you worried when jerryscript has vulnerabilities? (24th Jan, 2022)

Preface: Samsung Electronics started the development of IoT.js in 2015, a platform for IoT applications written in JavaScript, and JerryScript, a JavaScript engine for small, embedded devices.

Background: JerryScript is an ultra-lightweight JavaScript engine for the Internet of things. It is capable of executing ECMAScript 5.1 source code on devices with less than 64 KB of memory.
JerryScript Engine can be embedded into any application, providing the way to run JavaScript in a large range of environments – from desktops to low-memory microcontrollers.

Ref: IoT devices come with severe constraints in terms of CPU performance and memory footprint. Because of that, Samsung has designed the JerryScript engine to run in less than 64KB of RAM, and the entire code fits in less than 200KB of ROM.

Vulnerability details: CVE-2022-22895 – The following vulnerability was found:
Jerryscript 3.0.0 was discovered to contain a heap-buffer-overflow via ecma_utf8_string_to_number_by_radix in /jerry-core/ecma/base/ecma-helpers-conversion[.]c.

Why are we interested in CVE-2022-22893? Here’s why:

The stack is a linear data structure, whereas the heap is a hierarchical data structure. Stack memory never becomes fragmented, whereas heap memory can become fragmented as blocks of memory are allocated and then freed. The stack holds local variables only, while the heap allows variables to be accessed globally.

See whether the attached diagram gives you a quick idea of the vulnerability. Also, other vulnerabilities were found in JerryScript; see below for details:

CVE-2022-22894 – The following vulnerability was found:
Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_lcache_lookup in /jerry-core/ecma/base/ecma-lcache[.]c.

CVE-2022-22893 – The following vulnerability was found:
Jerryscript 3.0.0 was discovered to contain a stack overflow via vm_loop.lto_priv.304 in /jerry-core/vm/vm[.]c.

CVE-2022-22891 – The following vulnerability was found:
Jerryscript 3.0.0 was discovered to contain a SEGV vulnerability via ecma_ref_object_inline in /jerry-core/ecma/base/ecma-gc[.]c.

Remedy: Please refer to Github.

Regarding the ManageEngine security announcement (CVE-2021-44757), do you have doubts about their design? (19-1-2022)

Preface: Asset scanning is the key function for maintaining asset management integrity. If the company does not operate as a single standalone site, the system architect will in some circumstances formalize a distributed architecture. How to scan and collect the data then becomes an important topic. The file size varies with the data content, so when the file is transferred to the back-end system, compression (for example, a ZIP file) is traditionally used to reduce network bandwidth consumption. Furthermore, software developers aim to improve the process completion time.

Background (Asset Scan in Remote AE Server): The scanned information in the Remote AE Server can be updated periodically either manually or automatically in the Central AE Server.

You can install AssetExplorer as a Central Server by choosing the server type as Central AE Server on starting the application for the first time. The application is started as the Central AE Server.

As a result, the Central AE Server tracks all your newly added assets and keeps a record of all the assets in the organization.

About CVE-2021-44757: An authentication bypass vulnerability that can allow a remote user to perform unauthorized actions in the server. If exploited, this vulnerability may allow an attacker to read unauthorized data or write an arbitrary zip file on the server. 

As usual, the vendor did not disclose the vulnerability in detail. However, the existing system design relies on a compression function. Perhaps the earlier version of the design did not enforce a data integrity check, and therefore provided a channel for an attacker to cause trouble.

Official announcement: For details, please refer to link – https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022

Oracle Releases January 2022 Critical Patch Update – Quick and easy understanding of CVE-2021-2351 (Oracle JDBC Native Network Encryption design limitation).

Preface: Even though CVE-2021-2351 was announced last year (21st July, 2021), this topic still holds my interest. As we know, web servers and DB servers are important components of the existing digital world. For example, big data, IoT, automotive and mobility functions all work with a front-end web server, and between the web server and the database server, ODBC or JDBC forms the bridge that communicates with the database server. In the traditional attack scenario, SQL injection is a very common type of attack; when an incident happens, we lose data confidentiality.

Background: The JDBC thin client is a pure Java, Type IV driver. If you are accessing one type of database, such as Oracle, Sybase or IBM, the preferred driver type is Type 4.

Oracle Database provides native data network encryption and integrity to ensure that data is secure as it travels across the network. The setup offers two ways to encrypt data over the network, native network encryption and Transport Layer Security (TLS).

To preserve the confidentiality of data in the system design, encrypting network data provides data privacy so that unauthorized parties cannot view plaintext data as it passes over the network. However, what if a design weakness exists in the communication between devices? What do you think the exact impact of this defect is?

Vulnerability details: There are two fundamental design constraints on this issue (Native Network Encryption).

  • Clients that do not support native network encryption can fall back to unencrypted connections while incompatibility is mitigated.
  • It provides no non-repudiation of the server connection (that is, no protection against a third-party attack).

When an insider threat occurs, the above 2 design limitations will increase the possibility of being attacked.

Attack scenario: If an insider threat occurs, cyber criminals can sniff the internal network because of points 1 and 2 above (refer to the attached diagram), and can therefore easily perform session hijacking, since there is no further protection. There is no need to obtain and install an SSL CA certificate on the attacker's machine to conduct the man-in-the-middle attack, so the attacker can easily receive a valid session token. As a result, the attacker gains authorized access similar to that of the existing victim user.

Workaround: Update the Oracle Database servers and clients to the patched versions. Enforce usage of a secured protocol version by setting the following options:

SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS=FALSE (server-side)
SQLNET.ALLOW_WEAK_CRYPTO=FALSE (client-side)

Or use TLS-based transport security instead of Native Network Encryption.

US National Vulnerability Database details announcement – https://nvd.nist.gov/vuln/detail/CVE-2021-2351

About CVE-2022-0240: Do not underestimate a low-risk vulnerability (17th Jan, 2022)

Preface: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Background: MRuby is the lightweight implementation of the Ruby language complying to (part of) the ISO standard. Its syntax is Ruby 2[.]x compatible. MRuby is embeddable and can be run inside other applications; it is great for scripting and configuration.

There is an unofficial consensus among IoT manufacturers that “dumb” IoT devices only provide resources or services, while most of the application logic lives in the IoT broker cloud. MRuby fits this use case well despite its performance issues.

Vulnerability details: Mruby is vulnerable to NULL Pointer Dereference. There is a NULL Pointer Dereference in prepare_singleton_class. The official remedy says that adding two additional lines in src/class[.]c fixes the vulnerability.

Referring to the attached diagram: suppose the design compiles Ruby code to bytecode and then installs it on the IoT device's virtual machine.
As a matter of fact, the null pointer dereference happens in the MRuby object class. Will the program still be affected after compilation?

Perhaps the article below, from Apple's developer documentation, provides guidance.

Dereferencing a null pointer always results in undefined behavior and can cause crashes. If the compiler finds a pointer dereference, it treats that pointer as nonnull. As a result, the optimizer may remove null equality checks for dereferenced pointers.

But no hints about this uncertainty were found on the internet, so it still needs to be observed.

Remedy: The official announcement can be found at the following link: https://github.com/mruby/mruby/commit/31fa3304049fc406a201a72293cce140f0557dca

CVE-2022-23094 on Libreswan. Stay alert!

Preface: Pluto is an IKE (“IPsec Key Exchange”) daemon. Pluto is an implementation of IKE. It runs as a daemon on a network node. Currently, this network node must be a LINUX system running the KLIPS or NETKEY implementation of IPsec, or a FreeBSD/NetBSD/Mac OSX system running the KAME implementation of IPsec.

Background: Libreswan is a free software implementation of the most widely supported and standardized VPN protocol using “IPsec” and the Internet Key Exchange (“IKE”). Most IPsec deployments fall into two types. The first type is Remote Access, where roaming users (phones, laptops) connect to the corporate network. The second type of IPsec network is where two or more IPsec gateways connect different networks together.

Is Libreswan safe? This open-source VPN is secure if you’re a Linux user since it uses a built-in “XFRM” IPsec stack and DDNS crypto library. The VPN is compatible with Linux distributions such as RHEL/EPEL, Arch Linux, and Fedora.

What is xfrm interface?
The design of virtual xfrm interfaces was discussed at the Linux IPsec workshop 2018. This patchset implements these interfaces as the IPsec userspace and kernel developers agreed. The purpose of these interfaces is to overcome the design limitations that the existing Virtual Tunnel Interface (VTI) devices have.

Vulnerability details: According to the vendor announcement, Libreswan 4.2 through 4.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet because pluto/ikev1[.]c wrongly expects that a state object exists.
Observation: Are the consequences of NULL pointer dereference due to vmalloc in the specified function?

Mitigation: If all configured connections are using IKEv2, the IKEv1 subsystem can be disabled by adding the option ikev1-policy=drop to the “config setup” section of ipsec[.]conf. Alternatively, libreswan can be compiled with USE_IKEv1=false.

Or install version 4.6.

Official announcement: For details of the official announcement, please see the homepage – https://libreswan.org/

About Citrix vulnerabilities (CVE-2021-28704 & CVE-2021-28707) 13th Jan 2022

Preface: Virtual memory settings can often be controlled through the OS. In addition, RAM uses swapping techniques, while virtual memory uses paging. While physical memory is limited to the size of the RAM chip, virtual memory is limited by the size of the hard disk.

Background: When you create a VM, a fixed amount of memory is allocated to the VM. You can use Dynamic Memory Control (DMC) to improve the utilization of physical memory in your Citrix Hypervisor environment. DMC is a memory management feature that enables dynamic reallocation of memory between VMs.

The QEMU component is a superset of the QEMU device model present in Xen. In KVM, the QEMU binary directly takes care of talking to the hypervisor to create the guest domain. In Xen, the QEMU binary merely provides the I/O emulation, while XenD takes care of actually creating the domain.

A DomU is an unprivileged domain with (by default) no access to the hardware. It must run a FrontendDriver for any multiplexed hardware it wishes to share with other domains. The kernel for a DomU comes from Dom0’s filesystem, not from the filesystem exported to the DomU.

Vulnerability details: Citrix has released security updates to address vulnerabilities in Hypervisor. An attacker could exploit these vulnerabilities to take control of an affected system. For more details, please refer to the link – https://support.citrix.com/article/CTX335432

About: HTTP Protocol Stack RCE Vulnerability (11th Jan, 2022)

Preface: HTTP[.]sys is mature technology that protects against many types of attacks and provides the robustness, security, and scalability of a full-featured web server. IIS itself runs as an HTTP listener on top of HTTP[.]sys.

Background: HTTP/1.1 specifies that a response sent as Transfer-Encoding: chunked can include optional trailers (i.e. what would normally be sent as headers, but for whatever reason can’t be calculated before the content, so they are appended to the end).

The HTTP 1.1 specification lays out how chunking works, specifically in section 3.6.1:
The chunked encoding modifies the body of a message in order to transfer it as a series of chunks, each with its own size indicator, followed by an OPTIONAL trailer containing entity-header fields. This allows dynamically produced content to be transferred along with the information necessary for the recipient to verify that it has received the full message.
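As an added illustration of the structure described above (my own code, not Microsoft's or anything from the HTTP.sys component), here is a small C decoder for a chunked body with trailers. Every chunk-size field and every copy is bounded by the remaining input and the output buffer before any byte is moved, which is the class of check a protocol stack must get right; the two sample messages are constructed for this post.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>
/* Decoded body (NUL-terminated) plus the count of trailer fields seen. */
typedef struct { char body[128]; size_t body_len; int trailer_count; } chunked_result;
/* Return a pointer to the first CRLF in [p, end), or NULL. */
static const char *find_crlf(const char *p, const char *end) {
    for (; p + 1 < end; p++)
        if (p[0] == '\r' && p[1] == '\n') return p;
    return NULL;
}
/* Parse the hex chunk-size in [p, eol); ';' starts an ignored chunk-extension.
 * Fails on junk, an empty field, or a value that would overflow size_t. */
static int parse_chunk_size(const char *p, const char *eol, size_t *out) {
    size_t v = 0; int digits = 0;
    for (; p < eol && isxdigit((unsigned char)*p); p++, digits++) {
        int d = isdigit((unsigned char)*p) ? *p - '0' : tolower((unsigned char)*p) - 'a' + 10;
        if (v > (SIZE_MAX >> 4)) return 0;
        v = (v << 4) | (size_t)d;
    }
    if (digits == 0 || (p < eol && *p != ';')) return 0;
    *out = v; return 1;
}
/* Decode "chunk* last-chunk trailer CRLF".  Returns 1 if well-formed, else 0. */
int decode_chunked(const char *msg, size_t len, chunked_result *r) {
    const char *p = msg, *end = msg + len, *eol; size_t size;
    memset(r, 0, sizeof *r);
    for (;;) {
        if (!(eol = find_crlf(p, end)) || !parse_chunk_size(p, eol, &size)) return 0;
        p = eol + 2;
        if (size == 0) break;                               /* last-chunk */
        /* The advertised size must fit the remaining input (data + CRLF) and
         * the output buffer before a single byte is copied. */
        if ((size_t)(end - p) < 2 || size > (size_t)(end - p) - 2) return 0;
        if (size > sizeof r->body - 1 - r->body_len) return 0;
        memcpy(r->body + r->body_len, p, size);
        r->body_len += size;
        p += size;
        if (p[0] != '\r' || p[1] != '\n') return 0;
        p += 2;
    }
    for (;;) {                                              /* optional trailers */
        if (!(eol = find_crlf(p, end))) return 0;
        if (eol == p) return 1;                             /* empty line: done */
        if (!memchr(p, ':', (size_t)(eol - p))) return 0;   /* not a header field */
        r->trailer_count++;
        p = eol + 2;
    }
}
/* Constructed samples: a valid body with one trailer, and a chunk-size claiming far more data than the message carries. */
static const char SAMPLE[] = "4\r\nWiki\r\n5\r\npedia\r\n0\r\nExpires: Sat, 01 Jan 2022 00:00:00 GMT\r\n\r\n";
static const char OVERSIZED[] = "FFFFFFFF\r\nWiki\r\n0\r\n\r\n";
int demo_sample_ok(void) {            /* 1 iff SAMPLE yields "Wikipedia" + 1 trailer */
    chunked_result r;
    return decode_chunked(SAMPLE, sizeof SAMPLE - 1, &r) && r.body_len == 9
        && strcmp(r.body, "Wikipedia") == 0 && r.trailer_count == 1;
}
int demo_oversized_rejected(void) {   /* 1 iff the oversized chunk is refused */
    chunked_result r;
    return !decode_chunked(OVERSIZED, sizeof OVERSIZED - 1, &r);
}
```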

Vulnerability details: This vulnerability can be exploited by sending specially crafted packets to the HTTP protocol stack in order to launch an attack. The potential harm of this vulnerability is high.

Ref (1): The HTTP Trailer response header allows the sender to include additional fields at the end of chunked messages in order to supply metadata that might be dynamically generated while the message body is sent. No package install is needed if you use the Microsoft[.]AspNetCore[.]All metapackage.

The Microsoft[.]AspNetCore[.]Server[.]HttpSys package is included in the metapackage.

Ref (2): Call the UseHttpSys extension method on WebHostBuilder in your Main method, specifying any HTTP[.]sys options that you need.

Mitigations: Please refer to the link – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907