Category Archives: Potential Risk of CVE

CVE-2024-26926: Kernel – The vulnerability in this section could lead to local escalation of privilege in the kernel with no additional execution privileges needed (6 Jun 2024)

Preface: In linux distributions the term ‘upstream’ (also applied to kernel) refers to the original version (as is released by software developers) of a program/software (kernel in your case) while ‘downstream’ refers to the software provided by linux distribution.

Background: There are many ways to communicate with IPC, such as: Shared Memory, Message Queue, PIPE, FIFO, Unix Socket, etc. A process cannot access another process’s memory. However, the kernel has control over all processes and therefore can expose an interface that enables IPC. In Binder, this interface is the /dev/binder device, which is implemented by the Binder kernel driver.

Ref: A Mutex is a Mutually exclusive flag. It acts as a gate keeper to a section of code allowing one thread in and blocking access to all others.

Vulnerability details:

Kernel -The vulnerability in this section could lead to local escalation of privilege in the kernel with no additional execution privileges needed.

Official announcement: For detail, please refer to link –

https://source.android.com/docs/security/bulletin/2024-06-01

CVE-2024-22476: Improper input validation in some Intel® Neural Compressor software (5 June 2024)

Original article published on 14-05-2024

Preface: Ancient humans hunted for survival. As times goes by, the evolution make them become intelligence biology. This pursuit of progress divided into different level of human. Human want is never ending. When Artificial Intelligence has born. It is the creator’s final blessing to human.

Background: Intel Neural Compressor performs model optimization to reduce the model size and increase the speed of deep learning inference for deployment on CPUs or GPUs.

Intel Neural Compressor aims to provide popular model compression techniques such as quantization, pruning (sparsity), distillation, and neural architecture search on mainstream frameworks such as TensorFlow, PyTorch, ONNX Runtime, and MXNet, as well as Intel extensions such as Intel Extension for TensorFlow and Intel Extension for PyTorch.

Vulnerability details:

CVEID:  CVE-2024-22476

Description: Improper input validation in some Intel® Neural Compressor software before version 2.5.0 may allow an unauthenticated user to potentially enable escalation of privilege via remote access.

CVSS Vector:  CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Products:

Intel® Neural Compressor software before version 2.5.0.

Official announcement: For detail, please refer to link –

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01109.html

CVE-2024-1086 : A use-after-free vulnerability in the Linux kernel’s netfilter. The IoT world remins vigilant. 4 June 2024

Preface: By default, OpenWrt builds the kernel with a useful set of netfilter capabilities for a robust router. NAT. REJECT. REDIRECT. CONNTRACK. LOG.

OpenWrt is a Linux distribution suitable for embedded devices. Currently, many embedded hardware platforms on the market use OpenWrt as their basis, such as routers, network gateways or industrial use computer

Background: Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. Netfilter offers various functions and operations for packet filtering, network address translation, and port translation, which provide the functionality required for directing packets through a network and prohibiting packets from reaching sensitive locations within a network.

Netfilter represents a set of hooks inside the Linux kernel, allowing specific kernel modules to register callback functions with the kernel’s networking stack. Those functions, usually applied to the traffic in the form of filtering and modification rules, are called for every packet that traverses the respective hook within the networking stack.

Vulnerability details: CVE-2024-1086 A use-after-free vulnerability in the Linux kernel’s netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.

Official announcement: For detail, please refer to link – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1086

About CVE-2024-36843: libmodbus v3.1.6 design weakness (3 June 2024)

Preface: Modbus is a communication protocol widely used in the field of industrial automation. It provides a standardized method for devices to communicate with each other over the network, making it an important tool for connecting and controlling various industrial equipment.

Background: libmodbus supports the following functions:

  • Support Modbus-RTU and Modbus-TCP
  • Support common function codes, such as 01/02/03/04/05/06/07/0F/10/11/16/17 Support coil type reading and writing, register reading and writing, discrete quantity reading, etc.
  • Support broadcast address 0, slave address 1-247
  • Support floating point and integer data conversion, big endian and small endian and other modes
  • Parameters are designed according to the official standard document Modbus_Application_Protocol_V1_1b.pdf, such as the maximum number of read and write coils, the maximum number of read and write registers, etc.
  • The source code is written in C, which is convenient for porting on various platforms, with only 11 files.

Vulnerability details: libmodbus v3.1.6 was discovered to contain a heap overflow via the modbus_mapping_free() function.

Official announcement: For detail, please refer to link –https://www.tenable.com/cve/CVE-2024-36843

CVE-2024-0103 – NVIDIA Triton Inference Server for Linux hit Incorrect Initialization of Resource vulnerability (31-05-2024)

Preface: AI-powered systems analyse the severity of the vulnerability, potential impact, and exploitability and prioritise patches based on the criticality of the vulnerability. Perhaps AI contains self diagostic and do remedy by himself!

Background: An open-source software that helps standardize model deployment and delivers fast and scalable AI in production.

Vulnerability details:

CVE-2024-0103 Information disclosure

NVIDIA Triton Inference Server for Linux contains a vulnerability where a user may cause an incorrect Initialization of resource by network issue. A successful exploit of this vulnerability may lead to information disclosure.

Ref: For example, the minimum packet size is 60 bytes (the card typically adds a frame checksum to this, making the minimum packet size on the line 64 bytes). If you only have 40 bytes, then it will still transmit 60 bytes.

Because 40 bytes you send plus the next 20 bytes that happen to be sitting in the buffer beyond the 40 you intended to send.

If you haven’t explicitly initialized that area, those 20 bytes might well be data leftover from a previously sent packet, which may have belonged to some other connection. Or that memory could have previously been a data page for some program that was recently running (and hence could contain a password, or an encryption key or just about any kind of sensitive information).

Official details: For detail, please refer to link – https://nvidia.custhelp.com/app/answers/detail/a_id/5546

CVE-2024-38016: tty: n_gsm: fix possible out-of-bounds in gsm0_receive() (29-05-2024)

Preface: In the Linux Kernels n_gsm serial line discipline, which can be exploited by local attackers to gain kernel level root access. It original published by other Linux brand on 8th May 2024.

Background: In Unix systems, a tty (which is short for “teletypewriter”) is the standard representation of a terminal device, with at least input and output capabilities and usually much more. These were originally connected to serial ports, but most today are virtual terminals, connected to either a text-mode console (DOS-like) or a graphical terminal program (like xterm or gnome-terminal).

Vulnerability details: tty: n_gsm: fix possible out-of-bounds in gsm0_receive()

Assuming the following:

– side A configures the n_gsm in basic option mode

– side B sends the header of a basic option mode frame with data length 1

– side A switches to advanced option mode

– side B sends 2 data bytes which exceeds gsm->len

Reason: gsm->len is not used in advanced option mode.

– side A switches to basic option mode

– side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration.

Official details: For detail, please refer to link – https://www.tenable.com/cve/CVE-2024-36016

Red Hat security advisory: Important – glibc security update (29-05-2024)

Preface: You can clear the cache of nscd by performing the following actions:

Execute the following command: sudo /etc/init[.]d/nscd restart.

Background:

Nscd is a daemon that provides a cache for the most common name service requests. The default configuration file, /etc/nscd. conf, determines the behavior of the cache daemon.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

The iconv() function shall convert the sequence of characters from one codeset, in the array specified by inbuf, into a sequence of corresponding characters in another codeset, in the array specified by outbuf. The codesets are those specified in the iconv_open() call that returned the conversion descriptor, cd.

Vulnerability details:

glibc: Out of bounds write in iconv may lead to remote code execution (CVE-2024-2961)

glibc: stack-based buffer overflow in netgroup cache (CVE-2024-33599)

 glibc: null pointer dereferences after failed netgroup cache insertion (CVE-2024-33600)

 glibc: netgroup cache may terminate daemon on memory allocation failure (CVE-2024-33601)

 glibc: netgroup cache assumes NSS callback uses in-buffer strings (CVE-2024-33602)

Official announcement: For detail, please refer to link – https://access.redhat.com/errata/RHSA-2024:3464

CVE-2024-5274: Google Chrome fixed remote code execution vulnerability (28-05-2024)

Preface: Every time I start learning CVE. It helps me enrich my knowledge.  Even though it was released months ago.

Background: V8 is a JavaScript and WebAssembly engine developed by Google for its Chrome browser. Each WebAssembly module executes within a sandboxed environment separated from the host runtime using fault isolation techniques.

Ref: wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this panic. This vulnerability has been patched in version 19.0.1.

Vulnerability details: This update includes 1 security fix. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[N/A][341663589] High CVE-2024-5274: Type Confusion in V8. Reported by Clément Lecigne of Google’s Threat Analysis Group and Brendon Tiszka of Chrome Security on 2024-05-20

Google is aware that an exploit for CVE-2024-5274 exists in the wild.

Official announcement: For detail, please refer to link – https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_23.html?m=1

Apple security updates on 20th May 2024, But it has not published CVE entries. Observe how Apple handled in the past, maybe you can find it in a CVE few months from now. (27-05-2024)

Preface: Apple released iOS 17.5 and iPadOS 17.5 on May 20, 2024, which fixed multiple security vulnerabilities.  I heard that some users found that photos they had deleted years ago suddenly appeared in recent albums as new photos.

Background: The attached pictures document some rare occurrences. For example, which IOS version still support 32 bit applications last year. Perhaps there is a difference regarding to offical announcement. And suspected that may be is the reason to unsupport 32 bits apps.

Official announcement: Why does deleting pictures return?

According to Apple, the photos that did not fully delete from a user’s device were not synced to iCloud Photos. Those files were only on the device itself. However, the files could have persisted from one device to another when restoring from a backup, performing a device-to-device transfer, or when restoring from an iCloud Backup but not using iCloud Photos.

As for vulnerabilities details in security updates, I will pay close attention to see if they can be found.

There are no published CVE entries for this update.  Please refer to the link for details – https://support.apple.com/en-hk/HT201222

CVE-2024-23354 Memory corruption when the IOCTL call is interrupted by a signal. (24May 2024)

Originally published on May 6, 2024

Preface: The Snapdragon 8 Gen 2 Mobile Platform defines a new premium standard for connected computing. Intelligently engineered with groundbreaking AI across the board, this AI marvel enables truly extraordinary experiences.

Background: A vertex buffer object (VBO) is an OpenGL feature that provides methods for uploading vertex data (position, normal vector, color, etc.) to the video device for non-immediate-mode rendering.

KGSL allocates GPU-shared memory from its own page pool. A VBO is a buffer of memory which the gpu can access. That’s all it is. A VAO is an object that stores vertex bindings. This means that when you call glVertexAttribPointer and friends to describe your vertex format that format information gets stored into the currently bound VAO.

Vulnerability details: Memory corruption when the IOCTL call is interrupted by a signal.

Remedy: The VBO bind operation is often synchronous, and needs to be waited on by the ioctl thread. Allocate the completion struct used to synchronize between the ioctl and bind operation on the heap for simplicity.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-23354