Category Archives: Potential Risk of CVE

IoT, Potential Risk of CVE

CVE-2024-36138: Bypass incomplete fix of CVE-2024-27980 (10 Jul 2024)

Leave a comment

Preface: Node. js has two types of threads: one Event Loop and k Workers. The Event Loop is responsible for JavaScript callbacks and non-blocking I/O, and a Worker executes tasks corresponding to C++ code that completes an asynchronous request, including blocking I/O and CPU-intensive work.

Background: Why do we use child process in Node.js?

Node Child Process – Node is a tool that uses JavaScript and has many useful parts to it. Normally, it does work with one thread at a time, which means it can handle tasks without waiting. However, when there’s a lot of work to be done, we use the child_process module to create additional threads.

The child_process.spawn() method spawns the child process asynchronously, without blocking the Node.js event loop. The child_process.spawnSync() function provides equivalent functionality in a synchronous manner that blocks the event loop until the spawned process either exits or is terminated.

Vulnerability details: The CVE-2024-27980 was identified as an incomplete fix for the BatBadBut vulnerability. This vulnerability arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

This vulnerability affects all users of child_process.spawn and child_process.spawnSync on Windows in all active release lines.

Impact: This vulnerability affects all Windows users in active release lines: 22.x, 20.x, 18.x

Official announcement: For detail, please refer to link – https://nodejs.org/en/blog/vulnerability/july-2024-security-releases

IoT, Potential Risk of CVE

CVE-2024-6563: About  Renesas arm-trusted-firmware (9 Jul 2024)

Leave a comment

Preface: Trusted Firmware-M (TF-M) defines several common profiles, such as Profile Small, Profile Medium, Profile Medium ARoT-less and Profile Large, to provide different levels of security to adapt to different device functions and applications. Use cases on top of firmware.

Background: The capabilities and resources of different IoT devices can vary significantly. Some IoT devices may have very limited memory resources. Programs on these devices should maintain a small memory footprint and basic functionality.

Trusted Firmware-M (TF-M) defines several general profiles, such as Profile Small, Profile Medium, Profile Medium ARoT-less and Profile Large, to provide different levels of security to fit diverse device capabilities and use cases applied on the top of the base configuration.

Ref: Trusted Firmware-M (TF-M) is an open source collaboration which implements the Platform Security Architecture (PSA) specification for Arm Cortex®-M MCU groups. This application project introduces how Trusted Firmware-M integrates with Renesas Flexible Software Package (FSP) to support PSA specification implementation on the Renesas RA Family MCU groups.

Vulnerability details: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i… https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar[.]C . In line 313 “addr_loaded_cnt” is checked not to be “CHECK_IMAGE_AREA_CNT” (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of “dst” will be written to the area immediately after the buffer, which is “addr_loaded_cnt”. This will allow an attacker to freely control the value of “addr_loaded_cnt” and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value (“len”) they desire.

Official announcement: For detail, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2024-6563

Potential Risk of CVE

CVE-2024-39486: Direct Rendering Manager (DRM) of video card. A race leads to use-after-free of a “struct pid” (8 Jul 2024)

Leave a comment

Preface: The display pipeline driver responsible for interfacing with the display uses the kernel mode setting (KMS) API and the GPU responsible for drawing objects into memory uses the direct rendering manager (DRM) API.

Background: The Direct Rendering Manager (DRM) is a subsystem of the Linux kernel responsible for interfacing with GPUs of modern video cards.

For plain GEM based drivers there is the DEFINE_DRM_GEM_FOPS() macro, and for DMA based drivers there is the DEFINE_DRM_GEM_DMA_FOPS() macro to make this simpler.

A refcount records the number of references (i.e., pointers in the C language) to a given memory object. A positive refcount means a memory object could be accessed in the future, hence it should not be freed.

Vulnerability details: filp->pid is supposed to be a refcounted pointer; however, before this patch, drm_file_update_pid() only increments the refcount of a struct pid after storing a pointer to it in filp->pid and dropping the dev->filelist_mutex, making the race possible.

Remark: The official explanation says it may be difficult to encounter this design weakness in reality. Because process A has to pass through a synchronize_rcu() operation while process B is between mutex_unlock() and get_pid().

Vulnerability (CVE-2024-39486) has been resolved.

Official announcement: For detail, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2024-39486

AI and ML, Application Development, Blockchain, Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), Potential Risk of CVE

Get closer look CVE-2024-39920: About “SnailLoad” issue (5-Jul-2024)

Leave a comment

NVD Published Date: 07/03/2024

Preface: How is RTT measured in TCP? Measures the time from sending a packet to getting an acknowledgment packet from the target host.

Background: A new technology standard called “RFC 9293” was released on August 18, 2022.

Highlight:

-Acknowledgment Number:  32 bits – If the ACK control bit is set, this field contains the value of the next sequence number the sender of the segment is expecting to receive.  Once a connection is established, this is always sent.

-There are also methods of “fingerprinting” that can be used to infer the host TCP implementation (operating system) version or platform
information. These collect observations of several aspects, such as
the options present in segments, the ordering of options, the
specific behaviors in the case of various conditions, packet timing,
packet sizing, and other aspects of the protocol that are left to be
determined by an implementer, and can use those observations to
identify information about the host and implementation.

Vulnerability details: The TCP protocol in RFC 9293 has a timing side channel that makes it easier for remote attackers to infer the content of one TCP connection from a client system (to any server), when that client system is concurrently obtaining TCP data at a slow rate from an attacker-controlled server, aka the “SnailLoad” issue. For example, the attack can begin by measuring RTTs via the TCP segments whose role is to provide an ACK control bit and an Acknowledgment Number.

Official announcement: For detail, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2024-39920

Potential Risk of CVE

CVE-2024-39309: prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. (3-Jul-2024)

Leave a comment

Preface: Parse was founded in 2011 by Tikhon Bernstam, Ilya Sukhar, James Yu, and Kevin Lacker, previously at Google and Y Combinator.

An open source backend-as-a-service (BaaS) framework originally developed by Facebook. On January 28, 2016, Facebook open sourced the Parse Platform and announced that it would shut down the Parse hosting service. However, the application source code allows users to perform migration to a self-hosted Parse Server. Parse Server is an open source backend that can be deployed on any infrastructure that can execute Node.js.

Background: Parse is the complete application stack for building applications faster with object and file storage, user authentication, push notifications, a dashboard, and more right out of the box. Compared to Google Firebase, Parse is a bunch of pure open-source projects for application building and life cycle management.

Vulnerability details: A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database.

Remedy: The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0.

Workaround: No known workarounds are available.

Official announcement: For detail, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2024-39309

AI and ML, Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

CVE-2024-20081: Out-of-bounds write in gnss, response by Mediatek security advisory. (2nd July 2024)

Leave a comment

Preface: GPS traditionally refers to the North American Global Positioning System, or satellite positioning system. GNSS is the term for the international multi-constellation satellite system. Therefore, GNSS typically includes GPS, GLONASS, Baidu, Galileo, and any other constellation system.

Background: GNSS positioning modules or chips, as the core component of In-vehicle Infotainment systems, provide position, speed, and time information. GNSS position and speed measurements are integral, especially with respect to moving map navigation.

GNSS are used in all forms of transportation: space stations, aviation, maritime, rail, road and mass transit. Positioning, navigation and timing (PNT) play a critical role in telecommunications, land surveying, law enforcement, emergency response, precision agriculture, mining, finance, scientific research…etc.

Vulnerability details: In gnss service, there is a possible escalation of privilege due to improper certificate validation. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08720039; Issue ID: MSV-1424.

Official announcement: For detail, please refer to link –

https://corp.mediatek.com/product-security-bulletin/July-2024

Potential Risk of CVE

CVE-2024-37371: About MIT Kerberos 5 (2nd July 2024)

Leave a comment

Preface: Kerberos is built into all major operating systems, including those from Microsoft, Apple, Red Hat, and Sun. Kerberos is the authentication mechanism for some devices like Microsoft Active Directory and even X-Box. LDAP is primarily used for managing and accessing directories, while Kerberos is designed to provide security authentication for client/server applications.

Background: MIT krb5 is a free implementation of Kerberos 5.

It centralizes authentication databases and uses Kerberized applications to work with Kerberos-enabled servers or services, allowing single sign-on and encrypted communication over an internal network or the Internet.

Remark: krb5 Use Kerberos for authentication only. krb5i Use Kerberos for authentication, and include a hash with each transaction to ensure integrity.

Vulnerability detail: In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.

Official announcement: For detail, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2024-37371

Potential Risk of CVE

About CVE-2024-37571: SAS: Data and AI Solutions (SAS Broker – V9.2, build 1495) 26-June-2024

Leave a comment

Preface: What’s required to create good machine learning systems?

-Data preparation capabilities.

-Algorithms – basic and advanced.

-Automation and iterative processes.

-Scalability.

 -Ensemble modeling.

Did you know?

-In machine learning, a target is called a label.

-In statistics, a target is called a dependent variable.

-A variable in statistics is called a feature in machine learning.

-A transformation in statistics is called feature creation in machine learning.

Background: SAS offers many different solutions to use machine learning to model and predict your data. Machine learning is in high demand. Whether you are a citizen data scientist who wants to work interactively or you are a hands-on data scientist who wants to code. Migration of your BI/DI environment from SAS 9.2 to SAS 9.3 and the installation of SAS Visual Analytics (SAS 9.4).

You have access to the latest analytic techniques with SAS® Visual Data Mining and Machine Learning on SAS® Viya.

What is the difference between SAS 9.4 and SAS Viya?

SAS® 9.4 and SAS® Viya® Functional Comparison – Perhaps the most significant core platform functional difference between SAS 9.4 and SAS Viya is in the way that each one handles distributed processing. SAS Viya leverages the CAS server, and SAS 9.4 uses SAS® LASR™, SAS® HighPerformance Analytics (HPA) and SAS® Grid Manager.

Vulnerability details: Buffer Overflow vulnerability in SAS Broker 9.2 build 1495 allows attackers to cause denial of service or obtain sensitive information via crafted payload to the ‘_debug’ parameter.

Official announcement: For detail, please refer to link –

https://www.tenable.com/cve/CVE-2024-37571

IoT, Potential Risk of CVE

About CVE-2024-38952 on PX4-Autopilot v1.14.3 (27 June 2024)

Leave a comment

Preface: The PX4 is a professional autopilot. Developed by world-class developers from industry and academia and supported by an active worldwide community, it powers a variety of vehicles from racing and cargo drones to ground vehicles and submersibles.

Background:  What is needed to control a drone using PX4 flight controller?

-A computer with Internet Access.

-Linux operating system (I am using Ubuntu 14.04 LTS, you can use the operating system you want, but since I am also doing source code development, Linux will make my days a lot easier).

-A PX4 autopilot (Pixhawk, Pixfalcon, HK Pilot 32, Pixracer) with micro usb cable.

-Your drone.

-A pair of telemetry modules (optional).

Vulnerability details: PX4-Autopilot v1[.]14[.]3 was discovered to contain a buffer overflow via the topic_name parameter at /logger/logged_topics[.]cpp.

Official announcement: For detail, please refer to link –

https://nvd.nist.gov/vuln/detail/cve-2024-38952

Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

CVE-2024-38663: blk-cgroup – fix list corruption from resetting io stat (25-June-2024)

Leave a comment

Preface: Android uses cgroups to control and account for system resources such as CPU and memory usage and allocation, with support for Linux kernel cgroups v1 and cgroups v2.

Background: New IO stats are stored in the percpu iostat_cpu within blkcg_gq (blkg). There are multiple blkg’s (one for each block device) attached to each blkcg. The rstat code keeps track of which cpu has IO stats updated, but it doesn’t know which blkg has the updated stats. If there are many block devices in a system, the cost of iterating all the blkg’s to flush out the IO stats can be high. To reduce such overhead, a set of percpu lockless lists (lhead) per blkcg are used to track the set of recently updated iostat_cpu’s since the last flush. An iostat_cpu will be put onto the lockless list on the update side [blk_cgroup_bio_start()] if not there yet and then removed when being flushed [blkcg_rstat_flush()].

References to blkg are gotten and then put back in the process to protect against blkg removal.

Vulnerability details: blk-cgroup: fix list corruption from resetting io stat. Since commit 3b8cc6298724 (“blk-cgroup: Optimize blkcg_rstat_flush()”), each iostat instance is added to blkcg percpu list, so blkcg_reset_stats() can’t reset the stat instance by memset(), otherwise the llist may be corrupted.

Fix the issue by only resetting the counter part.

Official announcement: For detail, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2024-38663