Preface: The NFS 4.1 design flaw was released in August 2019 because it only affected the Linux operating system kernel at the time. It was hard to predict, and now it is going to the Windows platform!

Background: Using the NFS protocol, you can transfer files between computers running Windows and other non-Windows operating systems, such as Linux or UNIX.
NFS in Windows Server includes Server for NFS and Client for NFS. A computer running Windows Server can use Server for NFS to act as a NFS file server for other non-Windows client computers. Client for NFS allows a Windows-based computer running Windows Server to access files stored on a non-Windows NFS server.

Vulnerability detail: Windows Network File System Remote Code Execution Vulnerability

Since vendor do not disclose the technical details. My speculation is shown as below:

Point 1 – Network File System (NFS) Protocol uses Open Network Computing (RPC) to exchange control messages. The design weakness occurs due to incorrect calculation of the size of response messages.
Point 2 – The server calls a function to calculate the size of each opcode response, though it does not include the size of the opcode itself. Due to this, the response buffer becomes too small and an overflow may happen.

When the source Linux server is invaded by the NFS4.1 vulnerability, the attacker will rely on point 1 and point 2 design weakness to attack the target Windows OS server.

Workaround: This vulnerability is not exploitable in NFSV2.0 or NFSV3.0. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV4.1.

Official announcement: For details, please refer to the link – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24941

Preface: The vulnerability was fixed in Aug 2022. This is not a zero day and therefore published this month.

Background: ext4 is the default file system for many Linux distributions including Debian and Ubuntu. Furthermore, ext4 is the default file system for DigitalOcean Volumes Block Storage. Also, Google has used Ext4 on Android since Android 2.3.

To create files on Ext4, you need to format the partition with the Ext4 file system using the mkfs.ext4 command:

mke4fs -t ext4 blockdevice

Vulnerability details: A use-after-free vulnerability was found in the Linux kernel’s ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-2513

Preface: TEE is an area on the chipset that works like a TPM, but is not physically isolated from the rest of the chip.

Background: The Trusted Execution Environment (TEE) is a secure area within the main processor. As an isolation environment, it ensures that the code and data loaded in the TEE are protected from software attacks and vulnerabilities in the Rich Execution Environment (REE).
How Samsung Blockchain Keystore leverages TEE? Samsung Blockchain Keystore SDK allows your Android DApp to communicate directly with Samsung Blockchain Keystore, a preloaded feature on selected Galaxy devices.
Developers can use an API provided by the Samsung Blockchain Keystore to check if a user is ready to use Samsung Blockchain Keystore. If the user has not created a wallet yet, developers can direct the user to create a new wallet to leverage Samsung Blockchain Keystore features.

Vulnerability details: Out-of-bounds Read vulnerability while processing CMD_COLDWALLET_BTC_SET_PRV_UTXO in bc_core trustlet from Samsung Blockchain Keystore prior to version 1.3.12.1 allows local attacker to read arbitrary memory.

Official announcement: For details, please refer to the link – https://security.samsungmobile.com/serviceWeb.smsb?year=2023&month=05

Preface: In former design weakness, attacker can smuggle commands using backticks in the “Name” field of the SAML Server configuration page. These commands are then executed as the root user of the underlying operating system.
This article a speculation, since vendor do not have technical details provided in this CVE record.

Background: FortiADC is an advanced Application Delivery Controller (ADC) that ensures application availability, application security, and application optimization.

For example: Configure a SAML service provider
To configure an SP, you must have the required IDP metadata file imported into FortiADC ahead of time.

• Click User Authentication > SAML.
• Select the SAML Service Providers tab, if it is not selected.
• Click Create New to open the SAML Service Providers configuration editor.
• Configure the settings.

Vulnerability details: An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiADC 7.2.0, 7.1.0 through 7.1.1 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.

Official Announcement: See the link below for details – https://cve.report/CVE-2023-27999

Preface: The product does not sufficiently track and release allocated memory after it has been used. Such design weakness will belongs to CWE-401.

Background: Snapdragon Heterogeneous Compute SDK: provides developers with the ability to allocate work to any of the three processors on Snapdragon. The SDK provides C++ API’s for the Kryo CPU and Adreno GPU, the latter of which interacts through OpenGL and OpenCL calls.

Vulnerability details: Improper Release of Memory Before Removing Last Reference (`Memory Leak`) in Graphics.

Solution: Official announcement, please refer to the link – https://git.codelinaro.org/clo/la/kernel/msm-4.19/-/commit/9968fcdd9d1c853d0c6472307510a81f5db398da

Preface: In order to avoid vulnerabilities, cloud service providers have their hands full!

Background: It will be open-sourced under the name of StreamX in April 2021, renamed StreamPark in August 2022, and then formally become an incubation project of the Apache Open Source Software Foundation through voting in September.
StreamPark is a streaming application development framework. Aimed at ease building and managing streaming applications, StreamPark provides development framework for writing streaming process application with Apache Flink and Apache Spark.
Apache Spark and Apache Flink are two of the most popular tools used for machine learning and data science.
Known for its speed and scalability, Apache Spark can handle a wide variety of workloads, including batch processing, stream processing, and machine learning. On the other hand, Apache Flink is designed for real-time data processing and optimized for low latency and high throughput.

Vulnerability details: Apache StreamPark (incubating): Logic error causing any account reset.

Affected products: Apache StreamPark 1.0.0 before 2.0.0

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2022-46365

Preface: Open source software fosters collaboration. As such, open source software will continue to play a key role in modern software development.

Background: cloud-init is a software package that automates the initialization of cloud instances during system boot. You can configure cloud-init to perform a variety of tasks. Cloud-init is a service used for customizing Linux-based operating systems in the cloud.
Cloud-init is the service that is installed inside the instance and cloud-config are a set of scripts that are executed as soon as the instance is started. Cloud-config is the language of the scripts that cloud-init knows to execute. cloud-init is developed and released as free software under both the GPLv3 open source license and the Apache License version 2.0.

Vulnerability details: Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege. (CVE-2023-1786)

Official announcement: For details, please refer to the relevant link – https://linux.oracle.com/errata/ELSA-2023-12298.html

Reference: With structured logging, your logs are relational data sets, like key/value pairs, rather than just text. Structured logging has the advantage of being more easily searched and analyzed. It can also help with keeping sensitive data out of your logs.
The most common structured logging format is JSON since it is the standard message format for every message parsing between systems and within applications.
Understand that, it is require tool convert Common Event Format (CEF) to JSON .
Perhaps there is other solution it can help. For example: Fix log file permissions.

Preface: If a website is hacked, cyber criminals don’t get access to your password. Instead, they just get access to the encrypted “hash” created by your password. Talking about hash algotithms, For example, MD5, SHA1, and so on.
The length of a hash is always a constant, irrespective of the length of the input. For example, if we use the MD5 algorithm and hash two strings like “Password123” and “HelloWorld1234”, the final hash will have a fixed length.
To enforce security and protect hashes from attacks, use strong passwords and salts before hashing passwords.

Background: Metal³ works as a Kubernetes application, it runs on Kubernetes and is managed through Kubernetes interfaces. Metal³ provides Platform9 uses a truly unified operating model by providing bare metal host provisioning integration for Kubernetes.

Bare Metal Operator

• Define and manage BareMetaHost as Custom Resource(CR) in Kubernetes
• Handles reconciling the BareMetaHost with Ironic API underneath

Reference:
The bmc fields contain the connection information for the BMC (Baseboard Management Controller) on the host.
The sub-fields are
• address — The URL for communicating with the BMC controller, based on the provider being used. See below for more details.
• credentialsName — A reference to a secret containing the username and password for the BMC.
• disableCertificateVerification — A boolean to skip certificate validation when true.

Vulnerability details: Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0[.]3[.]0, ironic and ironic-inspector deployed within Baremetal Operator using the included deploy[.]sh store their [.]htpasswd files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster, or access to the management cluster’s Etcd storage.

Solution:This issue is patched in baremetal-operator PR#1241, and is included in BMO release 0.3.0 onwards. As a workaround, users may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per instructions in baremetal-operator PR#1241.

Official details: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-30841