Category Archives: Potential Risk of CVE

CISA urges to be vigilant! About GPS Daemon (GPSD) Rollover Bug (21st Oct, 2021)

Preface: If you are using a security token (fobs or software), when there is a problem with the NTP time source. This is unforeseen. Maybe there is nothing wrong with it. Or, in the worst case, similar you mistaken reset the NTP server time setting. Therefore, all your tokens should be suspended.

Background: Because in the original GPS protocol, only 10 bits were used to represent the week number. If there are 10 bits, it will overflow after counting to 1023, so it can only indicate about 19.6 years. Since the GPS time epoch (epoch) began in the early 1980s, there have been two rollover events (in 1999 and 2019, respectively). In April 2019, Headline News (The Register) announced this vulnerability to the public. It indicates that if you do not or cannot update, there will be a problem. Over time, the deadline has arrived.

Vulnerability details: Due to the design of the GPS protocol, time rollback (or technically termed “GPS Week Rollover”) can be anticipated and usually closely monitored by manufacturers. The next occurrence should have been in November 2038 , but a bug in some sanity checking code within GPSD would cause it to subtract 1024 from the week number on October 24, 2021. This would mean NTP servers using the bugged GPSD version would show a time/date of March 2002 after October 24, 2021.

Official details for reference: https://isc.sans.edu/forums/diary/Keeping+Track+of+Time+Network+Time+Protocol+and+a+GPSD+Bug/27886/

CVE-2021-41135 Cosmos-SDK up to 0.44.1 xauthz Module ValidateBasic unusual condition (21st Oct, 2021)

Preface:To date, more than 240 applications have been built on the Cosmos mainnet. The main categories of applications include finance, infrastructure, privacy, and social interactions.

Background: The Cosmos SDK is a framework for building blockchain applications. Tendermint Core (BFT Consensus) and the Cosmos SDK are written in the Golang programming language. Cosmos SDK is used to build Gaia, the first implementation of the Cosmos Hub.

Vulnerability details: Affected versions of the SDK (up to 0.44.1) were vulnerable to a consensus halt due to non-deterministic behaviour in a ValidateBasic method in the x/authz module. The MsgGrant of the x/authz module contains a Grant field which includes a user-defined expiration time for when the authorization grant expires. In Grant.ValidateBasic(), that time is compared to the node’s local clock time. Any chain running an affected version of the SDK with the authz module enabled could be halted by anyone with the ability to send transactions on that chain. Recovery would require applying the patch and rolling back the latest block. Users are advised to update to version 0.44.2.

Remedy: Upgrading to version 0.44.2 eliminates this vulnerability. Applying the patch 68ab790a761e80d3674f821794cf18ccbfed45ee is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Security focus: Oracle Critical Patch Update Advisory (October 2021)

Preface: The design weakness was disclosed by the apache organization on January 14, 2021. Design limitations on Xmlbeans have been fixed. Developer suggest to use 3.0.1, instead of Xmlbeans 2.6.0.

Background: PS/nVision – a PeopleTools software that you use to design and create Microsoft Excel spreadsheet reports for PeopleSoft data. nVision selects data from your PeopleSoft database using ledgers, trees, and queries. Queries are useful for extracting data from sources other than ledgers.
nVision works in three modes:OpenXML mode, Excel Automation mode and Cross Platform mode.

  • nVision uses the OpenXML mode on the batch server that uses Microsoft’s OpenXML SDK to generate Excel-compatible documents.
  • nVision continues using the operation mode called Excel automation mode that automates the Excel application to generate spreadsheet documents in PeopleTools PIA architecture
  • nVision uses the Cross Platform mode to generate spreadsheet documents in PeopleTools PIA architecture

Vulnerability details: CVE-2021-23926 PeopleSoft Enterprise PeopleTools (nVision (XML Beans)) – The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.

Reference: The XML entity extension injection attack uses valid and well-formed xml blocks to expand exponentially until the resources allocated by the server are exhausted. This is because XML parsers used by XMLBeans did not set the properties needed to protect the user from malicious XML input.

Official announcement: Oracle Critical Patch Update Advisory (October 2021) – https://www.oracle.com/security-alerts/cpuoct2021.html

ClearPass Policy Manager Multiple Vulnerabilities. Does your infrastructure fall into this design weakness? (18-10-2021)

Preface: Sometimes, a low to medium risk rating vulnerability will be transformed into potential risk.

Background: Aruba’s ClearPass Policy Manager, part of the Aruba 360 Secure Fabric, provides role- and device-based secure network access control for IoT, BYOD & corporate devices.

The ClearPass Policy Manager is the only policy solution that centrally enforces all aspects of enterprise-grade mobility and NAC for any industry. Granular network access enforcement is based on a user’s role, device type and role, authentication method, EMM/MDM attributes, device health, location, and time-of-day.

Vulnerability details: Publication Date: 2021-Oct-12 (see below):

CVE-2021-37736, CVE-2021-37737, CVE-2021-37738,     CVE-2021-37739, CVE-2021-40986, CVE-2021-40987,      CVE-2021-40988, CVE-2021-40989, CVE-2021-40990,      CVE-2021-40991, CVE-2021-40992, CVE-2021-40993,      CVE-2021-40994, CVE-2021-40995, CVE-2021-20996,      CVE-2021-40997, CVE-2021-40998, CVE-2021-40999.

Multiple vulnerabilities have occurred. The focus area of this topic will focus on CVE-2021-40988 (path traversal). From a technical point of view, once this type of vulnerability persists. It will amplify other potential risks. Perhaps our description is one of the possibilities. The goal is to provide you with tips for consideration.

Images are loaded via some HTML, the loadImage URL takes a filename parameter and returns the contents of the specified file. The image files themselves are stored on disk. Thus, attacker allow the application reads from the web page reachable file path. If the web application has path traversal vulnerability encounters, so an attacker can request additional path to retrieve an arbitrary file from the server’s filesystem. See the attached drawings for details.

Official announcement: ClearPass Policy Manager Multiple Vulnerabilities – https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-018.txt

Old defects, new records – CVE-2021-42340 (14th Oct, 2021)

Preface: A Java EE server is a server application that the implements the Java EE platform APIs and provides the standard Java EE services. Java EE servers are sometimes called application servers, because they allow you to serve application data to clients, much like web servers serve web pages to web browsers.

Background: The difference between WildFly and Tomcat:
WildFly is a full Java EE application Server, while Tomcat is a Java servlet container and web server and, since because it doesn’t come with an implementation of the full JEE stack.

Tomcat uses JMX MBeans as the technology for implementing manageability of Tomcat. The descriptions of JMX MBeans for Catalina are in the mbeans-descriptors. xml file in each package. You will need to add MBean descriptions for your custom components in order to avoid a “ManagedBean is not found” exception.

Vulnerability details: The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

Remedy: Users of the affected versions should apply one of the following
mitigations:

  • Upgrade to Apache Tomcat 10.1.0-M6 or later
  • Upgrade to Apache Tomcat 10.0.12 or later
  • Upgrade to Apache Tomcat 9.0.54 or later
  • Upgrade to Apache Tomcat 8.5.72 or later

Technical reference: When using the WebSocket client to connect to server endpoints, the number of HTTP redirects that the client will follow is controlled by the userProperties of the provided javax.websocket.ClientEndpointConfig. The property is org.apache.tomcat.websocket.MAX_REDIRECTIONS. The default value is 20. Redirection support can be disabled by configuring a value of zero.

Apple released security update (11th Oct, 2021)

Preface: For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.

Background: The assert macro performs a runtime check of the given condition. For example: When a buffer maximum is 8, where the value of i is less that 8 the assert passes. But once i becomes 8 the assert fails causing the program to abort.

Vulnerability details: An expert discovered that even if the screen color is reversed, this vulnerability can be triggered. A memory corruption issue was addressed with improved memory handling.

Impact: An application may be able to execute arbitrary code with kernel privileges.

Official announcement: https://support.apple.com/en-us/HT212846

Above CVE-2021-42252 (11th October, 2021)

Preface: Linux mainly uses a paging mechanism to achieve virtual memory management. The size of the memory page is PAGE_SIZE bytes instead of 4 KB. On different platforms, the page size can range from 4 KB to 64 KB.

Background: The Aspeed BMC family which is what is used on OpenPOWER machines and a number of x86 as well is typically connected to the host via an LPC (Low Pin Count) bus (among others).

The check mixes pages (vm_pgoff) with bytes (vm_start, vm_end) on one side of the comparison, and uses resource address (rather than just the resource size) on the other side of the comparison. This can allow malicious userspace to easily bypass the boundary check and map pages that are located outside memory-region reserved by the driver.

Vulnerability details: CVE-2021-42252 – An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6. Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially execute privileges, aka CID-b49a0e69a7b1. This occurs because a certain comparison uses values that are not memory sizes.

Reminder: Hardware filter in the southbridge perhaps not easy to detect attacker exploit the vulnerability.

Official announcement:Please refer to the website for details – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b49a0e69a7b1a68c8d3f64097d06dabb770fec96

Remark: Seems no proof of concept disclosed till now. Refer to official details, it is a local attack. But this design flaw cause by memory corruption error trigger privilege escalation. Furthermore it is running on Linux. Therefore exploit the design flaw through 3rd party API then triggers the vulnerability still have possibilities.

About Apache HTTP Server 2.4.49 and 2.4.50 – CISA urges organizations to patch immediately if they haven’t already (7th Oct 2021)

Preface: the most famous UTF-8 attack was against unpatched web server.

Background: The most common users of Apache HTTP Server are from Small Businesses and the Information Technology & Services industry. Perhaps

How to Check the Apache Version?

  1. Open terminal application on your Linux, Windows/WSL or macOS desktop.
  2. Login to remote server using the ssh command.
  3. To see Apache version on a Debian/Ubuntu Linux, run: apache2 -v.
  4. For CentOS/RHEL/Fedora Linux server, type command: httpd -v.

Vulnerability details: The server didn’t correctly handle contents in the URL. So the contain contained invalid UTF-8 representation of the [/] character. Such an invalid UTF-8 escape is often referred to as an overlong sequence. Therefore it provide an opportunity to the attacker. On 6th Oct,2021, Apache released Apache HTTP 2.4.50 to fix an actively exploited path traversal vulnerability in version 2.4.49 (tracked as CVE-2021-41773). This flaw allows threat actors to view the contents of files stored on a vulnerable server. Please refer to the official website for announcements – https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013

If your IoT development is based on Zigbee,perhaps Zephyr CVE will bring to your consideration. (6th Oct 2021)

Preface: Ensure that the JSON parser does not try to write a potentially unlimited number of elements into a C array of a fixed size.

Background: Zephyr is a small real-time operating system (RTOS) for connected, resource-constrained and embedded devices (with an emphasis on microcontrollers) supporting multiple architectures and released under the Apache License 2.0. Zephyr includes a kernel, and all components and libraries, device drivers, protocol stacks, file systems, and firmware updates, needed to develop full application software. Furthermore the footprint as small as 8K.

Vulnerability details: Till now, the CVSS score not been defined yet. According to 4 different vulnerabilities registered this month. There are two different vulnerabilities related to BLE. Besides, a vulnerability related to Zigbee. The remaining one is related to JSON decoder. The flaw of JSON decoder display as below: When using JSON_OBJ_DESCR_ARRAY_ARRAY, the subarray is has the token type JSON_TOK_LIST_START, but then assigns to the object part of the union. “arr_parse” then takes the offset of the array-object (which has nothing todo with the list) treats it as relative to the parent object, and stores the length of the subarray in there. For the details of this vulnerability, please refer to link – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4

The following list shows other CVE details:

BLE:

CVE-2021-3436 – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63

CVE-2021-3581 – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8q65-5gqf-fmw5

Zigbee:

CVE-2021-3319 – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-94jg-2p6q-5364

About CVE-2021-29249, IoT vendor should stay alert! (1st Oct, 2021)

Preface: BPF is available on most Unix-like operating systems and eBPF for Linux and for Microsoft Windows. In addition, if the driver for the network interface supports promiscuous mode, it allows the interface to be put into that mode so that all packets on the network can be received, even those destined to other hosts.

Background: The Berkeley Packet Filter (BPF) is a technology used in certain computer operating systems for programs that need to, among other things, analyze network traffic (and eBPF is an extended BPF JIT virtual machine in the Linux kernel). It provides a raw interface to data link layers, permitting raw link-layer packets to be sent and received.

Vulnerability details: CVE-2021-29249 prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel through 5.14.9 allows unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write.

In 32-bit architecture, the result of sizeof() is a 32-bit integer so the expression becomes the multiplication between two 32-bit integers which can potentially leads to integer overflow. As a result, bpf_map_area_alloc() allocates less memory than needed.

Remedy: Correct this by casting 1 operand to u64 (See attached picture for details).