Preface: CWE-125 Out-of-Bounds Read is a type of software error that can occur when reading data from memory. This can happen if the program tries to read beyond the end of an array, for example. Out of bounds reads can lead to crashes or other unexpected vulnerabilities, and may allow an attacker to read sensitive information that they should not have access to. 

Background: The Exynos DSP driver implements two distinct ioctl calls that are used to load images and graphs and boot the device. The DSP_IOC_BOOT ioctl loads the dsp’s firmware images, common libraries, an xml global kernel descriptor file and a linker file for linking libraries. In February 2021 Samsung made some changes in one of its low level drivers : the Digital Signal Processor (DSP) Linux driver. They removed one feature : the ability for untrusted apps to load a custom DSP firmware of their choice.

Vulnerability details: An issue was discovered in Exynos Mobile Processor 980 and 2100. An integer overflow at a buffer index can prevent the execution of requested services via a crafted application.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-40353

Preface: Redis is a standard key-value store, like a dictionary, containing multiple keys, each with its unique value that can be retrieved or pinned. It is similar to a data structure server that relies on various key values. Redis has built-in replica functionality. It can hold keys to 512MB.

Background: The Redis SORT_RO command is a read-only variant of the SORT command. It allows us to sort lists, sets, and sorted sets. The SORT command enables us to have the sorted elements returned to the client, or stored in a separate key. But the SORT_RO command only allows us to have them returned to the client.

Vulnerability details: Redis is an in-memory database that persists on disk. Redis does not correctly identify keys accessed by `SORT_RO` and as a result may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration. The problem exists in Redis 7.0 or newer and has been fixed in Redis 7.0.13 and 7.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Official announcement: For detail, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-41053

Preface: The Qualcomm Neural Processing SDK is designed to help developers run one or more neural network models trained in TensorFlow, PyTorch,…

Background: Deep neural network (DNN) models can address these limitations of matrix factorization. DNNs can easily incorporate query features and item features (due to the flexibility of the input layer of the network), which can help capture the specific interests of a user and improve the relevance of recommendations.

• Network is a collection of connected layers

• DNN models are stored in DLC files

According to Qualcomm, the Qualcomm® QCS605 SoC is a high performance IoT System-on-Chip (SoCs) that incorporates key features for building advanced use cases encompassing machine learning, edge computing, sensor processing, voice UI enablement and integrated wireless connectivity.

Vulnerability details: A malformed DLC can trigger Memory Corruption in SNPE library due to out of bounds read, such as by loading an untrusted model (e.g. from a remote source).

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-28543

Preface: The first-level (L1) cache is small enough to provide a one- or two-cycle access time. The second-level (L2) cache is also built from SRAM but is larger, and therefore slower, than the L1 cache. The processor first looks for the data in the L1 cache. If the L1 cache misses, the processor looks in the L2 cache.

Background: Refer to diagram. If a multiple request on point 2 and 3. In normal circumstances, the ID number will be added each time the number is found. Therefore, the URL field might end up looking like example shown below:

2,2,2,4,7,8,8,8,8,8,9,9

So above result has a significant influence on the performance of an algorithm, but in Java You have close to no control over how your data is arranged in memory. If this issue happen in CPU. The processor first looks for the data in the L1 cache. If CPU manufacturer do not focus this matter in design phase. Perhaps it will hit this vulnerability.

Vulnerability details:

CVE-2023-38468 – In urild service, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with System execution privileges needed

CVE-2023-38467 – In urild service, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with System execution privileges needed

Official announcement: For details, please refer to the link – https://www.unisoc.com/en_us/secy/announcementDetail/1698296481653522434

Preface: Xiaomi and Samsung are MediaTek’s biggest clients

Background: MediaTek 8188 (MT8188) is a 64-bit ARM SoC introduced by MediaTek in 2022. The chip incorporates eight cores – six Cortex-A55 little cores and two Cortex-A78. Cortex-A78 can operate at up to 2.6 GHz. Cortex-A55 can operate at up to 2.0 GHz.

STC(Store Coprocessor Registers) writes a coprocessor register to memory (or multiple). It is unlikely to get much use out of the STC instruction without some custom coprocessor to use it on, since the behaviour and meaning of the generic coprocessor instructions is defined by the coprocessor itself.

Vulnerability details: In stc, there is a possible out of bounds read due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation.

Remark: According to my observation (predicting the possible cause of this vulnerability), please refer to the attached picture.

Reference I:

STC is available in all versions of the ARM architecture.
STC2 is available in ARMv5T and above.

Reference II:

Race conditions are most commonly associated with computer science and programming. They occur when two computer program processes, or threads, attempt to access the same resource at the same time and cause problems in the system. Race conditions are considered a common issue for multithreaded applications.

Official announcement: For details, please refer to link – https://corp.mediatek.com/product-security-bulletin/September-2023

 (1st Sep 2023)

Preface: AI (Artificial intelligence) moves from big data normalization to learning to understand data, so called trained. It require large amount of computer processing resources.

The machine learning process requires CPUs and GPUs. GPUs are used to train large deep learning models, while CPUs are good for data preparation, feature extraction, and small-scale models. For inference and hyperparameter tweaking, CPUs and GPUs may both be utilized.

Background: The NVIDIA Hopper architecture will supersede the already powerful NVIDIA Ampere architecture.

The NVIDIA DGX H100 System is the universal system purpose-built for all AI infrastructure and workloads, from analytics to training to inference. The system is built on eight NVIDIA H100 Tensor Core GPUs. If you want to run Java programs, but not develop them, download the Java Runtime Environment, or JRE.

BMC uses JViewer to view the console. Launch JViewer – This is an OS-independent plug-in which can be used in Windows as well as Linux with the help of Java Runtime Environment (JRE).

Vulnerability details:

CVE-2023-25528 – NVIDIA DGX H100 baseboard management controller (BMC) contains a vulnerability in a web server plugin, where an unauthenticated attacker may cause a stack overflow by sending a specially crafted network packet. A successful exploit of this vulnerability may lead to arbitrary code execution, denial of service, information disclosure, and data tampering.

CVE-2023-25533 – NVIDIA DGX H100 BMC contains a vulnerability in the web UI, where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to information disclosure, code execution, and escalation of privileges.

Official announcement: For details, please refer to the link – https://nvidia.custhelp.com/app/answers/detail/a_id/5473

Preface: The easier way to get the SAML token is directly through the UserSession you can access in your Java plugin.  UserSession has a samlTokenXml field.  Then you can use the SSO API to convert that xml into the SAML token object.

Background: VMware Tools is a set of services and modules that enable several features in VMware products for better management of guests operating systems. For example:

– Pass messages from the host operating system to the guest operating system.

– Customize guest operating systems as a part of the vCenter Server and other VMware products.

– Run scripts that help automate guest operating system operations. The scripts run when the power state of the virtual machine changes.

– Synchronize the time in the guest operating system with the time on the host operating system

Vulnerability details: CVE-2023-20900 VMware Tools contains a SAML token signature bypass vulnerability. A malicious actor with man-in-the-middle (MITM) network positioning between vCenter server and the virtual machine may be able to bypass SAML token signature verification, to perform VMware Tools Guest Operations.

Official announcement: For details, please refer to the link – https://www.vmware.com/security/advisories/VMSA-2023-0019.html

Preface: VMware Aria Operations for Networks (Formerly vRealize Network Insight).

Background: VMware Aria Operations for Networks (formerly vRealize Network Insight) delivers end-to-end network visibility converged across virtual and physical networks, planning and troubleshooting with assurance and verification that network and application connectivity performs towards business and security intents across Software Defined Data Center, VMware NSX, VMware SD-WAN™ by VeloCloud®, VMware Cloud on AWS, Azure, AWS, and Kubernetes.

Vulnerability details: Aria Operations for Networks contains an Authentication Bypass vulnerability due to a lack of unique cryptographic key generation. VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8.

A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI.

Official announcement: For details, please refer to the link – https://www.vmware.com/security/advisories/VMSA-2023-0018.html

Resolution: Using VMware Aria Operations for Networks 6.11

Preface: OSPF is used to determine the fastest route, while BGP focuses on determining the best path.

Background: Network architects using FRR for ISPs, SaaS infrastructure, web 2.0 businesses, hyperscale services, and Fortune 500 private clouds. If you look around, the traditional networking equipment vendors also offer software appliances, because now it’s a tiny stackable virtual machine world.

FRRouting (FRR) is a free and open source Internet routing protocol suite for Linux and Unix platforms.

The worker nodes are responsible for running the containers and doing any work assigned to them by the master node.

Ref: Calico is a networking and security solution that enables Kubernetes workloads and non-Kubernetes/legacy workloads to communicate seamlessly and securely.

Vulnerability details: An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open[.]c does not check for an overly large length of the rcv software version.

Official details: For details, please refer to the link – https://github.com/FRRouting/frr/pull/14241

Preface: Samsung has also used a cheaper and less smart processor, Exynos 9610 with the unit cost of $14.90, for the affordable Galaxy A50 model.

Background: Global edition devices instead use EXYNOS – Samsung LSI’s in-house SoC (System on a chip). Shannon co-exists in the SoC floorplan as an IP block.

Every phone today that has a SIM card has a baseband processor. Shannon is-a particular implementation of these standards.

Remark: When writing Linux kernel driver software for a new SOC, it can be helpful to know the specific IP block (and it’s heritage) used in a chip, in order to reuse software from other projects.

Vulnerability details: An issue was discovered in Samsung Exynos Mobile Processor and Wearable Processor 9810, 9610, 9820, 980, 850, 1080, 2100, 2200, 1280, 1380, 1330, 9110, and W920. Improper handling of PPP length parameter inconsistency can cause an infinite loop.

Official announcement: For details, please refer to the link – https://semiconductor.samsung.com/support/quality-support/product-security-updates/