Category Archives: Potential Risk of CVE

CVE-2023-20519 whether similar to CVE-2023-33250? (20th Nov 2023)

Preface: The term cloud native refers to the concept of building and running applications to take advantage of the distributed computing offered by the cloud delivery model. Cloud native involves cloud technologies like microservices, container orchestrators, and auto scaling. AMD 4th Gen EPYC CPU EPYC 97X4 processors, with up to 128 cores, deliver up to 3.7x throughput performance for key cloud native workloads.

Background: AMD EPYC™ 9004 Series Processors represent the fourth generation of AMD EPYC server-class processors. The 4th Gen AMD EPYC processors with AMD 3D V-Cache technology further extend the AMD EPYC 9004 Series of processors to deliver the world’s best x86 CPU for technical computing workloads such as computational fluid dynamics (CFD), finite element analysis (FEA), electronic design automation (EDA) and structural analysis.

Vulnerability details: AMD Processors could allow a local authenticated attacker to bypass security restrictions, caused by an use-after-free vulnerability in the management of an SNP guest context page. By sending a specially crafted request, an attacker could exploit this vulnerability to masquerade as the guest’s migration agent resulting in a potential loss of guest integrity.

Platforms Affected:
AMD 3rd Generation EPYC
AMD 4th Generation EPYC

Official announcement: Official details: Please refer to the link for details –https://www.supermicro.com/en/support/security_AMD_Nov_2023?mlg=0

About PostgreSQL : CVE-2023-5869 (17th Nov 2023)

Preface: As a PostgreSQL database’s workload increases, the instance’s memory usage increases. Instances that consume lots of memory can create a performance bottleneck that can sometimes lead to out-of-memory issues. An integer overflow occurs when you attempt to store inside an integer variable a value that is larger than the maximum value the variable can hold. The C standard defines this situation as undefined behavior. Refer to posgreSQL manual, user-defined functions can be written in C (or a language that can be made compatible with C, such as C++).

Background: PostgreSQL is a powerful, open source object-relational database system. Besides, PostgreSQL is a relational database. It stores data points in rows, with columns as different data attributes. A table stores multiple related rows.

PostgreSQL memory components are broadly divided into two sections:

1.Global memory: this is shared across all processes to execute queries; for example, shared_buffers and max_connections.

2.Local memory: this is dedicated memory assigned to each connection; for example, work_mem, maintenance_work_mem, and temp_buffers.

Vulnerability details: While modifying certain SQL array values, missing overflow checks let authenticated database users write arbitrary bytes to a memory area that facilitates arbitrary code execution. Missing overflow checks also let authenticated database users read a wide area of server memory. The CVE-2021-32027 fix covered some attacks of this description, but it missed others.

About CVE-2021-32027: A flaw was found in postgresql. While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Fixed In Version: PostgreSQL 16.1, PostgreSQL 15.5, PostgreSQL 14.10, PostgreSQL 13.13, PostgreSQL 12.17 and PostgreSQL 11.22

Official announcement: Official details: Please refer to the link for details –

https://www.postgresql.org/about/news/postgresql-161-155-1410-1313-1217-and-1122-released-2749/

The ins and outs of CVE-2023-23583 (16th Nov 2023)

Preface: The REP MOVSB/STOSB instruction can enhance fast strings attempts to move as much of the data with larger size load/stores as possible. So, a patch exposes ERMS feature to KVM guests in June 2011.

Background: REP is a prefix that makes the processor repeat the following instruction. It decrements the RCX register each time the following instruction is executed until RCX reaches zero. REP MOVSB assembles to just two bytes of machine code, ‘F3’ and ‘A4’ in hex, so it’s an incredibly concise way of doing a data copy.

When there is an overlap between the source and destination regions, software may need to use memmove instead of memcpy to ensure correctness. It is possible to use REP MOVSB in conjunction with the direction flag (DF) in a memmove() implementation to handle situations where the latter part of the source region overlaps with the beginning of the destination region. However, setting the DF to force REP MOVSB to copy bytes from high towards low addresses will experience significant performance degradation.

Ref: What is the purpose of the direction flag? This flag is used to determine the direction (‘forward’ or ‘backward’) in which several bytes of data will be copied from one place in the memory, to another. The direction is important mainly when the original data position in memory and the target data position overlap.

Vulnerability details: Under certain microarchitectural conditions, Intel has identified cases where execution of an instruction (REP MOVSB) encoded with a redundant REX prefix may result in unpredictable system behavior resulting in a system crash/hang, or, in some limited scenarios, may allow escalation of privilege from CPL3 to CPL0.

Remediation: Intel is providing a microcode update to mitigate this issuehttps://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20231114 

Official details: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2023-23583

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00950.html

Citrix Hypervisor Security Bulletin for CVE-2023-23583 and CVE-2023-46835 – https://support.citrix.com/article/CTX583037/citrix-hypervisor-security-bulletin-for-cve202323583-and-cve202346835

CVE-2023-34060: Whether it hit this design weakness? (14th Nov 2023)

Preface: Before you start reading. Perhaps below two different url will lure your interest of this article. Please read 1 first, then 2

1:vCenter Server Appliance Web Console (VAMI) is removed from vCenter Server 6.0  – https://kb.vmware.com/s/article/2120477

2:Change VCSA 6.7 SSH port – https://communities.vmware.com/t5/VMware-vCenter-Discussions/Change-VCSA-6-7-SSH-port/td-p/1861744

Ref: The vCenter Server appliance is a preconfigured virtual machine that is optimized for running vCenter Server and the associated services. The vCenter Server appliance package contains the following software: Photon OS® 3.0. The vSphere authentication services. PostgreSQL.

Background: What is the difference between vCenter and vCloud director? A vCenter admin can see virtual data centers, which are logical units for management, a vCloud Director user (tenant) can see only organizational data centers, catalogs, users, and options to manage a virtual organizational data center.

Vulnerability details: VMware Cloud Director Appliance contains an authentication bypass vulnerability in case VMware Cloud Director Appliance was upgraded to 10.5 from an older version. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.Known Attack Vectors On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console). This bypass is not present on port 443 (VCD provider and tenant login). On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present.

Official announcement: Please refer to the link for details –

https://www.vmware.com/security/advisories/VMSA-2023-0026.html

CVE-2023-47346: A vulnerability encountered  on a 5G freeware. But do not contempt these technical factors. Perhaps it also encounter in other similar technology vendors.(14th Nov 2023)

Preface: The technology trend driven transformation in mobile communication world in global. Not only will mobile devices require more RAM to handle 5G-enabled multimedia applications and tasks, As a result, enhancing memory is key to unlocking the 5G future!

Background: The free5GC is an open-source project for 5th generation (5G) mobile core networks. The ultimate goal of this project is to implement the 5G core network (5GC) defined in 3GPP Release 15 (R15) and beyond.

What is 3GPP standard release 15? 3GPP Rel. 15 will update the MC service requirements of the railway and maritime industries. Low-power machine connectivity across trains, ships, and other automobiles will improve, leaving less room for error in critical transmissions and navigation pathway sharing.

Vulnerability details: Buffer Overflow vulnerability in free5gc 3.3.0, UPF 1.2.0, and SMF 1.2.0 allows attackers to cause a denial of service via crafted PFCP messages.

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2023-47346

The vendor did not provide details of CVE-2023-22107. Will similar vulnerabilities occur in the following scenarios? (13th Nov 2023)

Preface: When we see new vulnerability information posted on forums or NVD. According to market practice, suppliers have provided patches to customers in advance. Maybe they already received the patch earlier (few weeks ago). But a lot of vulnerability items not intend to disclose the details. Perhaps this is the way. It will reduce the attack ratio. But for the people who have interest to know. For sure it will increase the time to conduct the analytic. We believe Artificial Intelligence is powerful. But if it do not have related information.  AI also cannot provide a precise the answer.

Background: Oracle EBS applications are delivered from servers, databases, storage, and applications hosted in your local network, on-premises. Why use Oracle EBS? Oracle EBS enables organizations to manage their procurement process, from purchasing to invoicing and payment. Supply chain management. Oracle EBS provides a complete solution for managing the supply chain, including inventory management, order management, and logistics. Human resources.

Vulnerability details: Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: UI Components). Supported versions that are affected are ECC: 8, 9 and 10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Enterprise Command Center Framework accessible data as well as unauthorized read access to a subset of Oracle Enterprise Command Center Framework accessible data.

CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts).

CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Remark: The vendor did not provide details of CVE-2023-22107. Will similar vulnerabilities occurs in attached diagram scenarios?

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2023-22107

https://www.oracle.com/security-alerts/cpuoct2023.html

CVE-2023-46604: Apache ActiveMQ is vulnerable to Remote Code Execution (10th Nov 2023)

Preface: While ActiveMQ is a traditional message broker, Apache Kafka is a distributed streaming platform designed to handle high-velocity, high-volume, and fault-tolerant data streams. It was originally developed at LinkedIn and later donated to the Apache Software Foundation.

Background: ActiveMQ is open source, message-oriented middleware (MoM). It was written in Java with a full JMS (Java Message Service) client.  OpenWire is the native protocol that Apache ActiveMQ uses. Message brokers, like ActiveMQ, can filter and process individual events.

Vulnerability details: Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. 

Remedy: Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2023-46604

Critical: Red Hat AMQ Broker 7.11.4 release and security update – https://access.redhat.com/errata/RHSA-2023:6879

Critical: Red Hat AMQ Broker 7.10.5 release and security update – https://access.redhat.com/errata/RHSA-2023:6878

Critical: security update jboss-amq-6/amq63-openshift container image – https://access.redhat.com/errata/RHSA-2023:6877

Critical: jboss-amq-6-amq63-openshift-container security update – https://access.redhat.com/errata/RHSA-2023:6866

CVE-2023-4272: Mali GPU Kernel Driver exposes sensitive data from freed memory (7th Nov 2023)

Preface: ARM’s Mali GPUs can be found in smartphones from different brands, including Samsung, Xiaomi, and Oppo. Mali GPUs can be seen on MediaTek, HiSilicon Kirin, and Exynos SOCs

Background: When memory is freed, all pointers into it become invalid, and its contents might either be returned to the operating system, making the freed space inaccessible, or remain intact and accessible.

Vulnerability details: A local non-privileged user can make GPU processing operations that expose sensitive data from previously freed memory.

As usual, the GPU manufacturer did not disclose the details of the vulnerability. So, let’s see if we can narrow down the problem based on limited information and design architecture. Thus, speculate on possible causes.

My observations: Refer to the original design of kernel file (mali_kbase_core_linux[.]c). See below details.

The driver counts the number of FIXABLE and FIXED allocations because they’re not supposed to happen at the same time. However, that is not a security concern: nothing bad happens if the two types of allocations are made at the same time. The only reason why the driver is guarding against them is because there’s no client use case that is supposed to need both of them at the same time, and the driver wants to help the user space catch some obvious mistake.

The driver is able to switch from FIXABLE allocations to FIXED and vice versa, if all the allocations of one kind are freed before trying to create allocations of a different kind.

Consequence: Maybe this will cause a vulnerability to occur.

Official announcement: Please refer to the link for details –

https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities

CVE-2023-20702: Null pointer dereference in 5G RLC (6th Nov 2023)

Preface: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Background: An RLC PDU (Protocol Data Unit) consists of an RLC header and data. From an upper layer, RLC receives an RLC SDU (Service Data Unit). The data part of an RLC PDU is either a complete RLC SDU or an SDU segment. A single RLC PDU maps to a single MAC SDU . RLC has three transmission modes: TM , UM and AM .

Vulnerability details: In 5G NRLC, there is a possible invalid memory access due to lack of error handling. This could lead to remote denial of service, if UE received invalid 1-byte rlc sdu, with no additional execution privileges needed. User interaction is not needed for exploitation.

Official announcement: Please refer to the link for details – https://corp.mediatek.com/product-security-bulletin/November-2023

Regarding CVE-2023-43018, the focus is on defect remediation (2nd Nov 2023)

Preface: Banking industry core applications large portion running on IBM zSystems. The operations including transactional and batch, maintain systems-of-record (SOR) data. Financial Institutions, government organizations, and others have been operating, maintaining, and updating their COBOL applications for many years. The reason behind is that COBOL remains valid while functioning or competing with other modern languages.

Background: IBM CICS® TX is a comprehensive, single package of a transactional runtime with a COBOL compiler enabled on Red Hat® OpenShift®. CICS TX is an effective and efficient way to move your distributed platform transactional applications into the cloud. IBM® CICS® TX Advanced (CICS TX) is a mixed-language application server that provides cloud deployment options for suitable CICS applications using docker and orchestration using Kubernetes.

Vulnerability details: IBM CICS TX performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Cause: “Unrestricted Internet Access/Outbound Connections” affects IBM CICS TX Standard and IBM CICS TX Advanced. IBM CICS TX Standard and IBM CICS TX Advanced have addressed the applicable vulnerability.

Remedy: For network ingress to a CICS TX region, there are several ports to consider:

  • Port 1435 for connecting to region’s listener
  • Port 3270 for cicsteld
  • Port 9087 for metrics collection
  • Port 9443 for admin console
  • Port 2379 for the controller (applies only to CICS TX Standard version)

Network egress is more complex. Examples of network egress which you might want to consider:

  • Other CICS TS / CICS TX regions
  • Connecting to CICS TX Standard Controller (applies only to CICS TX Standard version)

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-43018