Category Archives: Potential Risk of CVE

About CVE-2023-33252 – A concern for cyber security today that will also apply to the AI-driven digital world of the future. (22nd May 2023)

Preface: Given the continuous development of artificial intelligence, using blockchain technology for network communication is a must.
A blockchain is a distributed database or ledger shared among nodes in a computer network. They are known for their key role in maintaining a secure and decentralized record of transactions in cryptocurrency systems, but they are not limited to the use of cryptocurrencies.

Background: IDEN3 is NOT an ICO (Initial Coin Offerings). It has no token at all. It is an open source permissionless identity layer built on top of Ethereum that we expect many projects will be able to use as a foundational layer for their own identity solution.
What are Initial Coin Offerings? An ICO is not a cryptocurrency in itself but a way for a business to raise capital with one: through an ICO platform, investors receive newly issued cryptocurrency “tokens” in exchange for their monetary investment in the business.

Ref: Circom is a compiler written in Rust for compiling circuits written in the circom language. The compiler outputs the representation of the circuit as constraints and everything needed to compute different ZK proofs. snarkjs is the companion JavaScript library that generates and verifies those proofs (Groth16 among others), and it is where this vulnerability lives.

Vulnerability details: iden3 snarkjs through 0.6.11 allows double spending because there is no validation that each value in publicSignals is less than the field modulus (the NVD text phrases this as the publicSignals “length”). A pairing-based verifier only sees public inputs reduced modulo the field, so a value s and the value s + p pass verification against the same proof, while an application that stores or compares public signals as submitted (for example a nullifier used to block a second spend) treats them as two different values.
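The replay described above, as an added example that is not snarkjs code: a stand-in verifier that reduces public signals into the field (the real Groth16 verifier does this through a pairing equation, which is replaced here by a list comparison), an application-level nullifier ledger that stores signals as submitted, and the range check that closes the gap. The field order is the BN128 scalar field that snarkjs uses for Groth16; the proof object, the nullifier value and the ledger are constructed for the illustration.

```python
# Added example (not snarkjs code): how an unchecked public signal lets a
# prover replay one proof under two different-looking nullifiers.

# Scalar field order r of the BN128 (alt_bn128) curve used by snarkjs for
# Groth16; assumed to be the field the verifier reduces public inputs into.
FIELD_R = 21888242871839275222246405745257275088548364400416034343698204186575808495617


def reduce_signal(signal):
    """Interpret a decimal-string public signal as a field element.

    The verifier only ever sees each public input reduced modulo r, so the
    strings for s and s + r denote the same element to it.
    """
    return int(signal) % FIELD_R


def verify_unchecked(proof, public_signals):
    """Stand-in for the pre-fix verifier: no range check on public signals.

    `proof` is a hypothetical dict carrying the reduced public inputs the
    proof was generated for; a real verifier checks them through a pairing
    equation rather than a list comparison.
    """
    reduced = [reduce_signal(s) for s in public_signals]
    return reduced == proof["public_inputs"]


def verify_checked(proof, public_signals):
    """Same verifier plus the range check the fix adds: every public
    signal must already be a canonical field element, 0 <= s < r."""
    for s in public_signals:
        v = int(s)
        if v < 0 or v >= FIELD_R:
            return False
    return verify_unchecked(proof, public_signals)


class NullifierLedger:
    """Application-level double-spend protection: remember each nullifier
    (here the first public signal) exactly as the client submitted it."""

    def __init__(self, verify):
        self.verify = verify
        self.spent = set()

    def spend(self, proof, public_signals):
        if not self.verify(proof, public_signals):
            return "rejected"
        nullifier = str(public_signals[0])   # stored as the raw string
        if nullifier in self.spent:
            return "double-spend"
        self.spent.add(nullifier)
        return "accepted"


def replay_attack(verify):
    """Submit one valid proof twice: first with nullifier n, then with
    n + r. Returns the ledger's two answers."""
    n = 123456789
    proof = {"public_inputs": [n]}   # constructed stand-in for a real proof
    ledger = NullifierLedger(verify)
    first = ledger.spend(proof, [str(n)])
    second = ledger.spend(proof, [str(n + FIELD_R)])
    return first, second


if __name__ == "__main__":
    print("unchecked verifier:", replay_attack(verify_unchecked))  # ('accepted', 'accepted')
    print("checked verifier:  ", replay_attack(verify_checked))    # ('accepted', 'rejected')
```

The ledger is not wrong to store what it received; the defect is that the verifier accepted a non-canonical encoding of a value it had already seen. The durable fix is the verifier-side range check, and an application that cannot upgrade immediately can canonicalise (reduce modulo r) before both verifying and storing.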

References:
https://github.com/iden3/snarkjs/commits/master/src/groth16_verify.js
https://github.com/iden3/snarkjs/tags

CVE-2023-31655 – Crash while running redis-7.0.10 with redisraft commit cd52ee4. (19th May 2023)

Preface: What does the error “segmentation violation” mean?
Traditionally, a “segmentation violation” (SIGSEGV) is a signal sent by the kernel to a process when the system has detected that the process attempted to access a memory address that does not belong to it. Typically, this results in the offending process being terminated.

Background: A process is an individual running instance of a program. It has its own memory, which it does not share with other processes. A process can run code in multiple separate threads, which execute independently of each other.
This is how a server might accept multiple clients: it spins up a separate thread for each client so that it can hold an independent conversation with that client. Unlike processes, threads share their memory with each other, so a memory fault in any one thread takes down the whole process, and in Redis that means every client.
All Redis data resides in memory, enabling low-latency and high-throughput data access. Unlike traditional databases, in-memory data stores do not require access to disk.
RedisRaft is a Redis module that implements the Raft Consensus Algorithm, making it possible to create strongly-consistent clusters of Redis servers.

Vulnerability details: redis-7.0.10 was discovered to contain a segmentation violation; per the title, the crash was observed while running it with the RedisRaft module at commit cd52ee4.

Current status: reply by the developer: “Redisraft is still being developed and currently, we only maintain compatibility with redisraft (master) and redis (unstable) branches.”

Official announcement: Please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-31655

Dig out details on CVE-2023-20877 – VMware has already fixed this matter. (18th May 2023)

Preface: If you grant “Read & Execute” permission to Everyone on a parent folder and do not disable permission inheritance on a subfolder, the subfolder inherits the parent folder’s permissions.

Background: VMware Aria Operations is a unified, AI-powered self-driving IT operations management platform for private, hybrid & multi-cloud environments.
You can execute scripts from the local OS using Orchestrator. To do that, Orchestrator needs access (x) to the folder where the script is located, and the Orchestrator user needs to be able to read and execute (rx) the script itself. You also need to allow Orchestrator to execute local files.
The access for Orchestrator is regulated by the entries in the js-io-rights[.]conf file.
Please note that the script needs to be in a file location that Orchestrator can access, and that Orchestrator runs as user vco with group vco.
Orchestrator has full access preconfigured for the /var/run/vco directory. The + operator means that Orchestrator has the right to access the directory, for example, to list its content or to execute a file in it.
Caveat: js-io-rights.conf is an Orchestrator (vRealize / Aria Automation Orchestrator) mechanism. The VMware advisory for CVE-2023-20877 does not state which component of Aria Operations is affected or that this rights file is involved, so the background above is an analogy for how a broad directory grant turns into code execution, not a description of the fixed bug.
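An added audit script, not VMware’s code, that reads a js-io-rights.conf-style file, works out the rights inherited by a script path from its parent directories, and flags directories where the service is allowed to both write and execute (anyone who can drop a file there runs code as vco). The sample file is constructed; the line format (an operator, a subset of rwx, an absolute path) and the evaluation order (less specific paths applied first, more specific paths refining them) are assumptions to check against the product documentation for your version.

```python
# Added example (not VMware code): audit a js-io-rights.conf-style file.
import posixpath

# Constructed sample. The default file on a real appliance differs.
# Assumed format: <+|-><subset of rwx> <absolute path>
SAMPLE_CONF = """\
# deny everything, then open specific directories
-rwx /
+rwx /var/run/vco
+rx /etc/vco
+rx /usr/lib/vco/app-server/bin
+rwx /opt/scripts/shared
"""


def parse_rights(text):
    """Return [(op, perms, normalized_path)] in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            spec, path = line.split(None, 1)
        except ValueError:
            raise ValueError(f"line {lineno}: expected '<+|-><rwx> <path>'")
        op, perms = spec[0], spec[1:]
        if op not in "+-" or not perms or set(perms) - set("rwx"):
            raise ValueError(f"line {lineno}: bad rights spec {spec!r}")
        if not path.startswith("/"):
            raise ValueError(f"line {lineno}: path must be absolute")
        rules.append((op, frozenset(perms), posixpath.normpath(path)))
    return rules


def _covers(rule_path, target):
    """True if `target` is `rule_path` itself or lies underneath it."""
    return target == rule_path or target.startswith(rule_path.rstrip("/") + "/")


def effective_rights(rules, target):
    """Rights the service ends up with on `target`.

    Assumed semantics: every rule whose path covers the target applies,
    least specific first, '+' adding and '-' removing letters, so a child
    directory inherits from its parents unless a more specific line
    overrides it (the inheritance point made in the preface).
    """
    target = posixpath.normpath(target)
    matching = [r for r in rules if _covers(r[2], target)]
    matching.sort(key=lambda r: len(r[2]))   # stable: file order breaks ties
    rights = set()
    for op, perms, _ in matching:
        if op == "+":
            rights |= perms
        else:
            rights -= perms
    return frozenset(rights)


def risky_grants(rules):
    """Directories granted both write and execute: a writable place to
    plant a script that the service will also run."""
    return [path for op, perms, path in rules if op == "+" and {"w", "x"} <= perms]


if __name__ == "__main__":
    rules = parse_rights(SAMPLE_CONF)
    for p in ("/var/run/vco/evil.sh", "/etc/vco/app.conf", "/home/user/x.sh"):
        print(p, "->", "".join(sorted(effective_rights(rules, p))) or "(none)")
    print("write+execute grants:", risky_grants(rules))
```

The interesting output is the first line: a file dropped into /var/run/vco inherits rwx from the directory grant without any line naming it, which is exactly the inheritance behaviour the preface describes. A finding from risky_grants is not automatically a vulnerability; it is a place to check who else can write.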

Vulnerability details: VMware Aria Operations contains a privilege escalation vulnerability. An authenticated malicious user with ReadOnly privileges can perform code execution leading to privilege escalation.

Official announcement: Check out the details on the link – https://www.vmware.com/security/advisories/VMSA-2023-0009.html

About Ryzen 6000 design weaknesses CVE-2021-26365, CVE-2021-46753 & CVE-2021-46765 (17th May 2023)

Preface: The CPU vendor has provided only limited details. Based on the steps shown in the diagram, this post speculates about where the vulnerability is located.

Background: With the introduction of the Ryzen 5000-series Zen 3, AMD leads in gaming performance (especially in single-threaded performance). Announced on January 4, 2022, the Ryzen 6000 mobile-specific series of processors uses TSMC’s modestly altered Zen3+ cores on the 6nm process, claiming up to 15% (typically 10%) performance gains (supposedly from frequency rather than IPC (instructions per clock cycle)).

Ref: Because the IPC varies depending on workload, it’s not a straightforward number.
The clock frequency, on the other hand, generally only varies when there are thermal or power constraints (thermal throttling, TDP limiting).

The AMD secure processor (ASP), also known as platform security processor (PSP), is an isolated ARM processor that runs independently from the main x86 cores of the platform. ASP executes its own firmware, and hosts security sensitive components that can run without being affected by the main system workload.

Remark: The ARM kernel supports the SuperVisor Call (SVC) instruction, through which user code deliberately triggers an exception. For example, a program running in unprivileged mode that needs special registers accessible only in privileged mode issues SVC, and the kernel’s exception handler performs the operation on its behalf. The exception is only useful if the handler validates what it was asked to do; the same trust boundary exists between a user application (Uapp) and the ASP firmware that serves it.

Vulnerability details (see below):
CVE-2021-26365 – Certain size values in firmware binary headers could trigger out of bounds reads during signature validation, leading to denial of service or potentially limited leakage of information about out-of-bounds memory contents.
CVE-2021-46753 – Failure to validate the length fields of the ASP (AMD Secure Processor) sensor fusion hub headers may allow an attacker with a malicious Uapp or ABL to map the ASP sensor fusion hub region and overwrite data structures leading to a potential loss of confidentiality and integrity.
CVE-2021-46765 – Insufficient input validation in ASP may allow an attacker with a compromised SMM to induce out-of-bounds memory reads within the ASP, potentially leading to a denial of service.
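All three bulletins describe the same class of defect: a size or length field read from a header is used before it has been checked against the data actually present. The following added example, which is not AMD code and uses a hypothetical header layout, shows a parser that trusts such fields beside one that validates them, including the 32-bit wrap that a naive “offset + length <= total” check suffers in C.

```python
# Added example (not AMD code): bounds-check size fields of a firmware image
# header before using them. Header layout is hypothetical.
import struct

HEADER_FMT = "<4sIII"                       # magic, body_len, sig_offset, sig_len (u32 each)
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 16 bytes
U32_MAX = 0xFFFFFFFF
MAGIC = b"$FW1"


def parse_unchecked(blob):
    """Mirrors the bug class: trusts the header's sizes.

    Returns the (start, end) byte ranges of body and signature that a C
    implementation would go on to read, with the additions done in u32 as
    the firmware would do them. Ranges outside the blob are the
    out-of-bounds reads the bulletins describe.
    """
    magic, body_len, sig_offset, sig_len = struct.unpack_from(HEADER_FMT, blob, 0)
    body = (HEADER_LEN, (HEADER_LEN + body_len) & U32_MAX)
    sig = (sig_offset, (sig_offset + sig_len) & U32_MAX)
    return body, sig


def parse_checked(blob):
    """Same layout; every size validated against the real blob length.

    Subtraction form (len > total - offset) cannot wrap, unlike
    offset + len <= total evaluated in 32-bit arithmetic.
    """
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than header")
    magic, body_len, sig_offset, sig_len = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != MAGIC:
        raise ValueError("bad magic")
    total = len(blob)
    if body_len > total - HEADER_LEN:
        raise ValueError("body_len exceeds image")
    if sig_offset > total or sig_len > total - sig_offset:
        raise ValueError("signature range exceeds image")
    if sig_offset < HEADER_LEN + body_len:
        raise ValueError("signature overlaps header or body")
    return (HEADER_LEN, HEADER_LEN + body_len), (sig_offset, sig_offset + sig_len)


def in_bounds(rng, blob):
    start, end = rng
    return 0 <= start <= end <= len(blob)


def is_rejected(blob):
    try:
        parse_checked(blob)
    except ValueError:
        return True
    return False


def make_image(body, sig, body_len=None, sig_offset=None, sig_len=None):
    """Build an image; keyword overrides let a test craft a lying header."""
    body_len = len(body) if body_len is None else body_len
    sig_offset = HEADER_LEN + len(body) if sig_offset is None else sig_offset
    sig_len = len(sig) if sig_len is None else sig_len
    return struct.pack(HEADER_FMT, MAGIC, body_len, sig_offset, sig_len) + body + sig


if __name__ == "__main__":
    honest = make_image(b"A" * 32, b"S" * 64)
    crafted = make_image(b"A" * 32, b"S" * 64, sig_len=0xFFFFFFF0)   # wraps in u32
    for name, img in (("honest", honest), ("crafted", crafted)):
        body, sig = parse_unchecked(img)
        print(name, "unchecked sig range", sig, "in bounds:", in_bounds(sig, img),
              "| checked rejects:", is_rejected(img))
```

The crafted image passes a wrap-prone check because 48 + 0xFFFFFFF0 becomes 0x20 in 32 bits; the checked parser never forms that sum and rejects the header on the length alone.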

Official details: For details, please refer to the remedial measures released by AMD – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4001.html

About CVE-2023-2124: If you manage very large Linux environments, maybe you have already fixed it. (16th May 2023)

Preface: For very large environments, the XFS file system that was developed by SGI for use on supercomputers is probably the best choice.

Background: XFS consumes roughly twice as much CPU per metadata operation as Ext3 and Ext4. XFS is a 64-bit file system and is the default file system for Red Hat Enterprise Linux 7.
XFS is well known for handling large amounts of data with ease, and it is commonly deployed on solid-state drives (SSDs), the most common storage drives today.

Vulnerability details: CVE-2023-2124 – An out-of-bounds memory access flaw was found in the Linux kernel’s XFS file system in how a user restores an XFS image after failure (with a dirty log journal). This flaw allows a local user to crash or potentially escalate their privileges on the system. The trigger is log recovery of a crafted image, so the flaw matters most where a local user can get such an image mounted, for example via removable media or unprivileged mounts.

Official technical details: please refer to the link – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs/xfs/xfs_buf_item_recover.c?h=v6.4-rc1&id=22ed903eee23a5b174e240f1cdfa9acf393a5210

About CVE-2022-40023: Do not dismiss an older CVE record. It may yet become a key benefit to cyber criminals. (15th May 2023)

Preface: A lexer creates tokens (TokenType and Token objects) from an input string. In an expression parser the input string is in infix notation and the lexer can convert the infix stream into a postfix stream (Reverse Polish Notation) for further processing by a Parser. In a template engine the lexer’s job is to find the tags, control lines and expressions embedded in template text, which is the part of Mako this CVE concerns.

Background: Mako is a template library written in Python. It provides a familiar, non-XML syntax which compiles into Python modules for maximum performance.
Why are templates used in Python? A template library renders text (HTML, configuration, email) from a template plus data, keeping presentation separate from code. This is unrelated to the Template Method design pattern, a behavioral pattern that defines the skeleton of an algorithm in a base class and lets subclasses override individual steps without changing the overall structure.

Vulnerability details: Mako (the SQLAlchemy project’s template library) before 1.2.2 is vulnerable to regular expression denial of service (ReDoS) when the Lexer class parses a crafted template. The babelplugin and linguaplugin message extractors, which run the lexer over template files, are affected too. Exposure requires attacker-influenced template text, for example user-supplied templates or message extraction over untrusted files; applications that only render templates they ship are not reachable through this flaw.
Scanner view: an AlmaLinux 9 host with the affected python-mako package installed is flagged under advisory ALSA-2023:2258.
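The shape of a lexer ReDoS, as an added example that is not Mako’s code: a tag-attribute regex whose alternatives overlap, so a run of quote characters with no closing `>` can be split into quoted chunks in exponentially many ways and the engine tries every split before failing, beside an unambiguous rewrite in which every character has exactly one place to go. Both patterns and the crafted input are constructed for this illustration; Mako’s actual lexer pattern is not reproduced here.

```python
# Added example (not Mako's code): overlapping vs unambiguous attribute regex.
import re
import time

# Overlapping: `".*?"` may span quote characters, so a run of n quotes can be
# cut into quoted chunks (each 2+ characters) in roughly phi**n ways, and a
# missing closing '>' forces the engine to try all of them.
AMBIGUOUS_TAG = re.compile(r'<%(\w+)((?:\s+\w+|\s*=\s*|".*?"|\'.*?\')*)\s*/?>')

# Unambiguous: an attribute is `name`, optionally `= "value"`, and a value
# cannot contain its own delimiter, so no character has two homes.
STRICT_TAG = re.compile(r'<%(\w+)((?:\s+\w+(?:\s*=\s*(?:"[^"]*"|\'[^\']*\'))?)*)\s*/?>')


def lex_tag(pattern, text):
    """Return (tag name, attribute text) or None if `text` is not a tag."""
    m = pattern.match(text)
    return (m.group(1), m.group(2).strip()) if m else None


def crafted_tag(n):
    """Attacker-controlled template fragment (constructed): an attribute
    value of n quote characters and no closing '>'."""
    return '<%include file=' + '"' * n


def time_match(pattern, text):
    """Seconds spent by pattern.match on text."""
    t0 = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - t0


if __name__ == "__main__":
    valid = '<%include file="a.txt"/>'
    print("strict:   ", lex_tag(STRICT_TAG, valid))
    print("ambiguous:", lex_tag(AMBIGUOUS_TAG, valid))
    # Each +6 quotes multiplies the ambiguous pattern's work by about 18;
    # the strict pattern stays flat even at thousands of quotes.
    for n in (16, 22, 28):
        print(f"n={n:3d} ambiguous {time_match(AMBIGUOUS_TAG, crafted_tag(n)):.4f}s"
              f"  strict {time_match(STRICT_TAG, crafted_tag(n * 100)):.4f}s")
```

Both patterns accept the same well-formed tags, which is why this kind of bug survives functional testing; only adversarial input separates them. When a pattern cannot be made unambiguous, bound the input length before matching or run the lexer with a timeout.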

Official announcement:For details, please refer to the link – https://errata.almalinux.org/9/ALSA-2023-2258.html

Reference: https://www.businesswire.com/news/home/20230413005066/en/AlmaLinux-to-be-Used-by-CERN-and-Fermilab-in-Groundbreaking-Physics-Experiments

About CVE-2023-21666 – Memory Corruption in Graphics while accessing a buffer [Android Security Bulletin in 1st May 2023] (12th May 2023)

Preface: In a smartphone, the GPU plays the role of a graphics card. The GRAPHICS PROCESSING UNIT is a processor like the CPU, but dedicated to rendering 3D graphics. If your phone does not have one, you will not be able to play any 3D games.

Background (from a patent description of the design): the KGSL (Kernel Graphics Support Layer, Qualcomm’s Adreno kernel driver) pool is common to all clients or processes using the device’s graphics user-space driver. Whenever a user-space application requests a memory allocation for graphics processing, the driver seeks to allocate the nearest-order pages from system memory (initially) and maps them to the GPU. Once the application is done with its work, it releases those pages back to the KGSL pool, where they are free for another allocation.
A shared pool raises the stakes of any accounting mistake: a buffer touched after it has gone back to the pool may already belong to a different process.

Vulnerability details: Memory Corruption in Graphics while accessing a buffer allocated through the graphics pool.

Official announcement – For details, please refer to the link below
Android: https://source.android.com/docs/security/bulletin/2023-05-01
Qualcomm: https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2023-bulletin.html

About Artificial Intelligence (NVIDIA® DGX-1): Closer look at CVE‑2023‑0209 (11th May 2023)

Preface: NVIDIA DGX-1 is an integrated deep learning workstation with a large computing capacity, which can be used to run demanding deep learning workloads. It provides GPU computing power of 1 PetaFLOPS (1 quadrillion floating-point operations per second).

Background: Historically, both vendors and attackers have overlooked (pre)EFI boot process (in)security; pre-EFI Initialization (PEI) boot stage opens many doors and offers flexibility to attackers.
The Pre-EFI Initialization (PEI) phase provides a standardized method of loading and invoking specific initial configuration routines for the processor, chipset, and system board. The PEI phase occurs after the Security (SEC) phase. The primary purpose of code operating in this phase is to initialize enough of the system to allow instantiation of the Driver Execution Environment (DXE) phase.
The Driver Execution Environment (DXE) phase is where most of the system initialization is performed. Pre-EFI Initialization (PEI), the phase prior to DXE, is responsible for initializing permanent memory in the platform so that the DXE phase can be loaded and executed.

Note: the Security (SEC) and Pre-EFI Initialization (PEI) phases are both controlled by the firmware vendor.
SEC – initialize the CPU, clear caches, locate and load the firmware from the BIOS ROM
PEI – initialize the chipset, RAM and early devices, then hand off to DXE (the Secure Boot state and policy are measured into PCR 7 later, in the DXE phase)

Vulnerability details: NVIDIA DGX-1 SBIOS contains a vulnerability in the Uncore PEI module, where authentication of the code executed by SSA is missing, which may lead to arbitrary code execution, denial of service, escalation of privileges, information disclosure, data tampering, and SecureBoot bypass.

Official announcement: For details, please refer to the link – https://nvidia.custhelp.com/app/answers/detail/a_id/5458

CVE-2023-24941 – Windows Network File System Remote Code Execution Vulnerability. One of the possible ways to trigger the attack. (10th May 2023)

Preface: An NFS 4.1 design flaw of this kind was disclosed in August 2019, when it affected only the Linux kernel. It was hard to predict then, and now it has come to the Windows platform!

Background: Using the NFS protocol, you can transfer files between computers running Windows and other non-Windows operating systems, such as Linux or UNIX.
NFS in Windows Server includes Server for NFS and Client for NFS. A computer running Windows Server can use Server for NFS to act as a NFS file server for other non-Windows client computers. Client for NFS allows a Windows-based computer running Windows Server to access files stored on a non-Windows NFS server.

Vulnerability detail: Windows Network File System Remote Code Execution Vulnerability

Since the vendor has not disclosed technical details, my speculation is as follows:

Point 1 – The Network File System (NFS) protocol uses Open Network Computing Remote Procedure Call (ONC RPC) to exchange control messages. The design weakness occurs due to incorrect calculation of the size of response messages.
Point 2 – The server calls a function to calculate the size of each opcode response, though it does not include the size of the opcode itself. Due to this, the response buffer becomes too small and an overflow may happen.

Once a source Linux server has been compromised through the NFS 4.1 vulnerability, the attacker will rely on the point 1 and point 2 design weaknesses to attack the target Windows server.
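The speculation in points 1 and 2 rendered as code, as an added example that is not Microsoft’s or Linux’s NFS implementation: a simplified XDR encoder for an NFSv4 COMPOUND reply (status, tag, result count, then one opcode/status/payload record per operation; opcode numbers from RFC 5661), a size estimator that forgets the opcode word of each result, and the corrected estimator. The shortfall grows with the number of operations in the compound, which the client controls.

```python
# Added example (the author's hypothesis as code, not a real NFS server):
# estimating the size of an NFSv4 COMPOUND reply with and without the
# per-operation opcode word.
import struct

# Opcode numbers from RFC 5661 for the constructed sample below.
OP_GETATTR, OP_PUTFH, OP_SEQUENCE = 9, 22, 53


def xdr_opaque(data):
    """XDR variable-length opaque: 4-byte length, data, padding to 4 bytes."""
    pad = (-len(data)) % 4
    return struct.pack(">I", len(data)) + data + b"\0" * pad


def encode_compound_reply(tag, results):
    """results: list of (opcode, status, payload). Simplified COMPOUND4res:
    status, tag, resarray count, then nfs_resop4 records of
    opcode (4) + status (4) + op-specific payload."""
    out = struct.pack(">I", 0) + xdr_opaque(tag) + struct.pack(">I", len(results))
    for opcode, status, payload in results:
        out += struct.pack(">II", opcode, status) + payload
    return out


def estimate_reply_size_buggy(tag, results):
    """Point 2: sizes each op's status and payload but not the opcode word."""
    size = 4 + len(xdr_opaque(tag)) + 4
    for _, _, payload in results:
        size += 4 + len(payload)
    return size


def estimate_reply_size_fixed(tag, results):
    """Counts opcode + status + payload for every result."""
    size = 4 + len(xdr_opaque(tag)) + 4
    for _, _, payload in results:
        size += 4 + 4 + len(payload)
    return size


def buffer_shortfall(estimate, tag, results):
    """Bytes by which the encoded reply exceeds the estimated buffer.
    A positive value is the overflow a C encoder would write past its
    buffer; zero means the estimate is safe."""
    return len(encode_compound_reply(tag, results)) - estimate(tag, results)


# Constructed sample compound: SEQUENCE, PUTFH, GETATTR with dummy payloads.
SAMPLE_RESULTS = [(OP_SEQUENCE, 0, b"\0" * 40), (OP_PUTFH, 0, b""), (OP_GETATTR, 0, b"\0" * 24)]

if __name__ == "__main__":
    for name, est in (("buggy", estimate_reply_size_buggy), ("fixed", estimate_reply_size_fixed)):
        print(name, "shortfall:", buffer_shortfall(est, b"t", SAMPLE_RESULTS), "bytes")
    many = [(OP_GETATTR, 0, b"")] * 100
    print("buggy shortfall with 100 ops:", buffer_shortfall(estimate_reply_size_buggy, b"", many))
```

Whether this is the actual root cause of CVE-2023-24941 is unknown; the model only shows why an estimate that drops a fixed per-operation field is attacker-scalable rather than a constant few bytes.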

Workaround (from Microsoft): This vulnerability is not exploitable in NFSv2.0 or NFSv3.0. Before updating your version of Windows to one that protects against this vulnerability, you can mitigate an attack by disabling NFSv4.1. Disabling NFSv4.1 can break clients that depend on it, so treat this as a temporary measure until the update is installed.

Official announcement: For details, please refer to the link – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24941

CVE-2023-2513: use-after-free in ext4_xattr_set_entry (8th May 2023)

Preface: The vulnerability was fixed upstream in August 2022. It is not a zero-day; the CVE record was simply published this month.

Background: ext4 is the default file system for many Linux distributions including Debian and Ubuntu. Furthermore, ext4 is the default file system for DigitalOcean Volumes Block Storage. Also, Google has used Ext4 on Android since Android 2.3.

To create files on Ext4, you need to format the partition with the Ext4 file system using the mkfs.ext4 command:

mkfs.ext4 blockdevice

Vulnerability details: A use-after-free vulnerability was found in the Linux kernel’s ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors. The usual trigger is a crafted ext4 image with an invalid extra inode size, so the attacker needs the ability to get such an image mounted.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-2513