Category Archives: Potential Risk of CVE

About CVE-2023-39368: The machine learning process requires CPUs and GPUs. Does bus lock regulator mechanism impact this area? Glad to tell, the problem fixed. (14-03-2024)

CVE-2023-39368 was published on 13th March 2024. In fact, Intel solve this problem since the end of 2020. Maybe hesitant about this design weakness. So it wasn’t announced until this month.

Preface: What is Intel E core? While P cores are focused on delivering peak performance for intensive workloads, E cores ensure that the system runs efficiently during regular use.

Background: What is the lock prefix in Intel? The LOCK prefix is typically used with the BTS instruction to perform a read-modify-write operation on a memory location in shared memory environment. The integrity of the LOCK prefix is not affected by the alignment of the memory field. Memory locking is observed for arbitrarily misaligned fields.

Vulnerability details: CVE-2023-39368 – A potential security vulnerability in the bus lock regulator mechanism for some Intel Processors may allow denial of service. Intel is releasing firmware updates to mitigate this potential vulnerability.

Official announcement: Please refer to the link for details – https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00972.html

Could CVE-2022-2637 and CVE-2023-38575 be the same? (13th March 2024)

Preface: In August 2022, CVE-2022-26373 told that Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. It looks that same vulnerability with new CVE reference number. What’s going on?  CVE-2023-38575 was published on 13th March 2024.

Background: Fundamentally, branch prediction unit can reduce pipeline stalls and keep the CPU executing instructions. However, if the prediction has fault, the CPU may have to flush the pipeline, as a result it has performance penalty.

Operating systems have a process or task scheduler, which schedules the execution of various available tasks by allocating the CPU time. Furthermore, each process stores information about its state, which we call its context.

Vulnerability details: CVE-2023-38575 – Non-transparent sharing of return predictor targets between contexts in some Intel Processors may allow an authorized user to potentially enable information disclosure via local access.

Remark: Updating your microcode can help to mitigate certain potential security vulnerabilities in CPUs as well as address certain functional issues.

Official announcement: Please refer to the link for details – https://www.suse.com/security/cve/CVE-2023-46839.html

CVE-2023-46839: Fixed memory access through PCI device with phantom functions (XSA-449) 12th Mar 2024

Preface: SUSE’s partnership with HPE Cray dates back to the early 1990s, pre HPE’s acquisition of Cray, and the entire time SUSE has been collaborating on Cray OS – a specialized version of SUSE Linux Enterprise Server.

Background: The hypervisor needs to manipulate the interaction between the guest OS and the associated physical device.

PCI devices can make use of a functionality called phantom functions, that when enabled allows the device to generate requests using the IDs of functions that are otherwise unpopulated.  This allows a device to extend the number of outstanding requests.

Such phantom functions need an IOMMU context setup, but failure to setup the context is not fatal when the device is assigned.  Not failing device assignment when such failure happens can lead to the primary device being assigned to a guest, while some of the phantom functions are assigned to a different domain.

Vulnerability details: Under certain circumstances a malicious guest assigned a PCI device with phantom functions may be able to access memory from a previous owner of the device.

CVE-2023-46839: Fixed memory access through PCI device with phantom functions (XSA-449) (bsc#1218851).

Official announcement: Please refer to the link for details – https://www.suse.com/security/cve/CVE-2023-46839.html

CVE-2024-23278: An app may be able to break out of its sandbox (11thMar 2024)

Vulnerability CVE-2024-23278 was released on March 7, 2024. Apple didn’t reveal specific details, so let’s see if we can dig out any clues.

Preface: XPC has a sizeable portion of undocumented functionality, including its implementation (for example, the main project libxpc is closed source). XPC provides a public API at two levels: low-level and Foundation wrappers.

Background: XPC is the enhanced IPC framework used in macOS/iOS. Since its introduction in version 10.7/5.0, its use has exploded. XPC has a fairly large undocumented portion of its functionality, which includes its implementation (the main project libxpc, for example, is closed source). XPC provides public APIs on two levels: the low level and the Foundation wrappers.

Vulnerability details: The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6.5, macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, tvOS 17.4. An app may be able to break out of its sandbox.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-23278

CVE-2023-28582 Buffer Copy Without Checking Size of Input in Data Modem (8th Mar 2024)

This issue was fixed on 2023/09/04. But the vendor did not announce the vulnerability until today (March 8, 2024).

Preface: Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications by allowing them to communicate in a way designed to prevent eavesdropping, tampering, or message forgery.

Background: 5G security standards bring enhancements to air interface and transport security mechanisms used in 4G.

In terms of transport security, the N2/N3 interfaces connecting the access and core networks and Xn interfaces connecting base stations use IPsec in 4G for transport security. 5G additionally supports Datagram Transport Layer Security (DTLS) over Stream Control Transmission Protocol (SCTP) to secure signaling transmission on the control plane, ensuring transport security between RANs and core networks. Operators can select a transport security protection scheme based on security requirements to prevent data breach and attacks on the transport network.

Vulnerability details: Memory corruption in Data Modem while verifying hello-verify message during the DTLS handshake.

Official announcement: https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2024-bulletin.html

CVE-2024-27307: Not only machine learning, other system should staying alert because zOS Connect Designer uses JSONata, an open source expression language that is used for querying and transforming JSON data. (7thMar 2024)

Preface: What is declarative machine learning? Declarative machine learning enables users to specify what they want, and let the software figure out how to do it. Declarative ML is similar to AutoML tools that also make default selections and automate part or all of the ML lifecycle.

Background: JSONata is a JSON query and transformation language that is inspired by the location path semantics of XPath 3.1. XPath 3.1 is an expression language that allows the processing of values conforming to the data model defined in [XQuery and XPath Data Model (XDM) 3.1].

The JSONata reference is implemented in JavaScript and ships via NPM. There are also implementations available in Rust, Go, Java, Python, and .NET, some of which use JavaScript interpreters to ensure compatibility.

Vulnerability details: JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the `Object` constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions.

Remedy: This issue has been fixed in JSONata versions 1.8.7 and 2.0.4. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. As a workaround, one may apply the patch manually.

Official announcement: Please refer to the link for details https://nvd.nist.gov/vuln/detail/CVE-2024-27307

Android has released vulnerability information about CVE-2024-0039, However, with limited details. Take a closer look to see if it can dig out the details. (6th Mar 2024)

Preface: Android devices that act as both peripheral and central devices can communicate with other BLE peripherals while sending advertisements in peripheral mode. Devices supporting Bluetooth 4.1 and earlier can only use BLE in central mode. Older device chipsets may not support BLE peripheral mode.

Background: A BLE device sends out a repetitive packet of information over one of three channels with random delays of up to 10 milliseconds. The repetition period between each packet of information is called the ‘advertising interval’.

For Bluetooth 4.0, the BLE Radio is capable of transmitting 1 symbol per microsecond and one bit of data can be encoded in each symbol. This gives a raw radio bitrate of 1 Megabit per second (Mbps).

Vulnerability details: Fix an OOB write bug in “attp_build_value_cmd”.

Official announcement: Please refer to the link for details https://source.android.com/docs/security/bulletin/2024-03-01

CVE-2023-6143: Mali GPU Kernel Driver allows improper GPU memory processing operations (4th Mar 2024)

Preface: Use after free errors sometimes have no effect and other times cause a program to crash. While it is technically feasible for the freed memory to be re-allocated and for an attacker to use this reallocation to launch a buffer overflow attack.

Background: Systems with Mali GPUs typically have a shared memory, so you are not required to copy data. This parameter CL_MEM_ALLOC_HOST_PTR is the best way to avoid a copy.

This is a hint to the driver indicating that the buffer is accessed on the host side. To use the buffer on the application processor side, you must map this buffer and write the data into it. This is the only method that does not involve copying data. If you must fill in an image that is processed by the GPU. This is the best way to avoid copy.

Vulnerability details: A local non-privileged user can exploit a software race condition to perform improper memory processing operations. If the system’s memory is carefully prepared by the user and the system is under heavy load, then this in turn cause a use-after-free.

Resolution: This issue is fixed in the Bifrost Kernel Driver in r19p0, in the Valhall and Arm 5th Gen GPU Architecture Kernel Drivers in r47p0. Users are recommended to upgrade if they are impacted by this issue. Please contact Arm support for Midgard GPUs.

Official announcement: Please refer to the link for details – https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities

Linux Kernel Memory Management (MM) Vulnerability (CVE-2024-26621) resolved (4th Mar 2024)

Preface: The Memory Management (MM) subsystem is an important cornerstone of the Linux kernel. It provides the necessary utilities for the underlying memory hardware (especially RAM) to meet the different needs of other kernel components and user-space processes.

Background: About two months ago, larger anonymous mappings are now THP aligned. When a malloc library allocates a 2MB or larger arena, that arena can now be mapped with THPs right from the start, which can result in better TLB hit rates and execution time.

Ref: Align larger anonymous memory mappings on THP boundaries by going through thp_get_unmapped_area if THPs are enabled for the current process.

Vulnerability details: mm: huge_memory: don’t force huge page alignment on 32 bit.

mm: huge_memory: don’t force huge page alignment on 32 bit

(“mm: align larger anonymous mappings on THP boundaries”) caused two issues reported on 32 bit system or compat userspace. The issues shown as below:

[1] https://lore.kernel.org/linux-mm/d0a136a0-4a31-46bc-adf4-2db109a61672@kernel.org/

[2] https://lore.kernel.org/linux-mm/CAJuCfpHXLdQy1a2B6xN2d7quTYwg2OoZseYPZTRpU0eHHKD-sQ@mail.gmail.com/

Official announcement: Please refer to the official announcement for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-26621

Closer look of CVE-2023-52485 (1st Mar 2024)

Preface: DRM and KMS

DRM stands for Direct Rendering Manager and was introduced to deal with graphic cards embedding GPUs

KMS stands for Kernel Mode Setting and is a sub-part of the DRM API

Background: The AMDgpu display manager, amdgpu_dm (or even simpler, dm) sits between DRM and DC. It acts as a liaison, converting DRM requests into DC requests, and DC responses into DRM responses.

Drm[/]amd[/]display – Display Core (DC): Because it is partially shared with other operating systems, the Display Core Driver is divided in two pieces.

-Display Core (DC) contains the OS-agnostic components. Things like hardware programming and resource management are handled here.

-Display Manager (DM) contains the OS-dependent components. Hooks to the amdgpu base driver and DRM are implemented here.

Vulnerability details: In the Linux kernel, the following vulnerability has been resolved: drm[/]amd[/]display: Wake DMCUB before sending a command

[Why] We can hang in place trying to send commands when the DMCUB isn’t powered on.

[How] For functions that execute within a DC context or DC lock we can wrap the direct calls to dm_execute_dmub_cmd[/]list with code that exits idle power optimizations and reallows once we’re done with the command submission on success. For DM direct submissions the DM will need to manage the enter[/]exit sequencing manually. We cannot invoke a DMCUB command directly within the DM execution helper or we can deadlock.

Official announcement: Please refer to the official announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2023-52485