Category Archives: Potential Risk of CVE

Whether we can open the mask – About CVE-2023-21085 & CVE-2023-21096 (5th April 2023)

Preface: Vendor did not describe in details, see whether this is the vulnerability they found?

Background: The Android Runtime (ART) and managed core library (libcore) were part of the Runtime module effort in Android 10 along with the native runtime (Bionic) and ICU.
In Android 11, ART and libcore are packaged as non-updateable APEX. Bionic and ICU (code and data) remain on the platform and are separated from ART to improve updatability.

Vulnerability details: Google has started rolling out April 2023 security update for its mobile operating system platform to address a total of 69 new security vulnerabilities affecting Android devices, 6 of which have been rated critical in severity.
This topic we focus to the following vulnerabilities CVE-2023-21085 and CVE-2023-21096.

Official announcement: For details, please refer to the link – https://source.android.com/docs/security/bulletin/2023-04-01

New Design vs Old Style Attacks (5th April 2023)

Preface: On Dec 2022, Microsoft has warned that malicious hackers were able to get the software giant to digitally sign their code so it could be used in attacks, such as the deployment of ransomware.

Background: The newest update to AMD’s P-State EPP Linux driver hit today, offering better Ryzen & EPYC performance & better power control on CPUs.
AMD P-State EPP can further help tune the performance and power efficiency of AMD Linux systems beyond the existing basic AMD P-State driver support and address some existing deficiencies.
AMD EPYC processors are the only x86 server CPUs with an integrated, embedded security processor that is “hardened at the core” to help secure customer data whether in a central data center or distributed across locations at the network edge.

Observation of the subject: AMD confirms Ryzenfall vulnerabilities, but says they’ll be fixed soon via routine BIOS updates on 2018. From earlier stage, AMD has neither confirmed nor denied whether the attacks can be executed remotely, or require local access.
AMD has recently released a BIOS update that supposedly allows users disable the Secure Processor, but this feature works only partially and does not stop the RYZENFALL attacks. But some experts say this is not an effective mitigation measure.

What do you think? Do you think the specify design weakness still valid or it has fixed by vendor?

About Kubernetes Hardening Guide (3rd Apr 2023)

Prefect: The Lord taught Enoch that those who build their lives upon the Savior would never fall.
Don’t mind about it was really had Lord or advanced civilization, human being go to digitization. In bible it mention about Lucifer. It is similar to cyber threat actor.

Background: Technology trends from on-premises to cloud. Cloud-based attack most likely through below ways
– Compromised Laptop via Phishing Emails – The RansomCloud attack is a relatively new type of ransomware that targets cloud-based email services such as Office 365.
– Compromised Server via Unpatched Vulnerabilities
Based on cyber defense capabilities, we believe that major cloud service providers will have effective ways to deal with disruptions caused by cyber attacks.

However , more and more native applications rely on CSPs’ API. For example: Push notification, push messages, or notifications, through its cloud messaging service. However Applications running on mobile devices, browsers or IoT devices can use push technology. For example: application-to-application (A2A) and application-to-person (A2P) communication.
A2A provides high-throughput, push-based, many-to-many messaging between distributed systems, microservices, and event-driven serverless applications.
Push notifications can be cloud-based or app-based, and are built to work with a server that provides the notification. An API can enable push notifications from cloud services as app and web push services. Once an organization requests a push notification, an API calls this service and sets the message in place to be delivered.
Push API can use these capabilities in order to spread fake or deceptive messages, flood the user’s device with spam, and trick people into installing malicious apps.
Remark: Push API is the general term for all push APIs.

Ref: Push notifications can be cloud-based or app-based, and are built to work with a server that provides the notification. An API can enable push notifications from cloud services as app and web push services. Once an organization requests a push notification, an API calls this service and sets the message in place to be delivered.

Technical details: My friend Enoch (CCIE) recommend Kubernetes Hardening Guide last week. In my view that it is good for preventive control. Since it is a lot of uncertainty in digital world. Be my guest, you can download on this official link.

https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF

CVE-2023-20947 : About Permission Controller APK (30th March 2023)

Preface: The Android operating system is mainly based on Linux, and its kernel is written in C language. Some modifications may have been done using the C++ language.

Background:
Get Group State – Different software uses different way (see below):

  • only need to input the queried union information unionID
  • need unionID and zoneID; query information about the state of the union binding the group Return information and result:

static void GetGroupState (String unionID, String zoneID = “”, String extraJson = “”) ;

Vulnerability details: In getGroupState of GrantPermissionsViewModel.kt, there is a possible way to keep a one-time permission granted due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

If a permission is split, all permissions the original permission is split into are affected.
For <= N_MR1 apps all permissions of the groups of the requested permissions are affected

Affected Products: AndroidVersions: Android-12 Android-12L Android-13Android

Official announcement: For details, see the link – https://nvd.nist.gov/vuln/detail/CVE-2023-20947

CVE-2022-42827 – A type confusion issue was addressed with improved checks (29th Mar 2023).

Preface: WebKitGTK is a full-featured port of the WebKit rendering engine, suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers.

Background: There is no Webkit. framework in Cocoa Touch. The webkit framework is only available on OS X. For iOS, just use UIWebview.
The Core OS Layer is the last layer of the iOS stack and sits directly on top of the device hardware. This layer provides a variety of services including low level networking, access to external accessories and the usual fundamental operating system services such as memory management, file system handling and threads.

Vulnerability details: A type confusion issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.2.1, iOS 16.3.1 and iPadOS 16.3.1, Safari 16.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..

My observation: Since the vulnerability not described in details! My speculation, does vendor found attacker exploit below design weakness (see belwo):
%rbx is a callee save register , we know that some callee of JITCode::execute() must have modified %rbx and failed to restore it before returning. JSC does have code to save and restore callee save registers in LLInt interpreter and Just-In-Time (JIT) compiler generated code.
Perhaps the vulnerability enhancement is going to correctly caller-save return address register.

Official announcement: For details, please refer to the link https://nvd.nist.gov/vuln/detail/CVE-2023-23529

Redhat provide a quick way to do the mitigation for CVE-2023-1281 (28th Mar 2023)

Preface: Use-After-Free (UAF) is a vulnerability related to incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program.

Background: Background: tcindex, traffic control index filter. This filter allows to match packets based on their tcindex field value, i.e. the combination of the DSCP and ECN fields as present in IPv4 and IPv6 headers.
SYNOPSIS:
tc filter … tcindex [ hash SIZE ] [ mask MASK ] [ shift SHIFT ] [ pas_on | fall_through ] [ classid CLASSID] [ action ACTION_SPEC ]

Vulnerability details: A use-after-free vulnerability was found in the traffic control index filter (tcindex) in the Linux kernel. The imperfect hash area can be updated while packets are traversing. This issue could allow a local attacker to cause a use-after-free problem, leading to privilege escalation.

Solution: How do I blacklist a kernel module to prevent it from loading automatically?
https://access.redhat.com/solutions/41278

CVE-2023-0767: nss – Arbitrary memory write via PKCS 12 (27th Mar 2023)

Preface: During the learning process of artificial intelligence, he was always disrupted by vulnerabilities. Artificial intelligence said, to become an artificial intelligence, I will use my wisdom to create a perfect OS system.

Background: Large scale of artificial intelligence structure especially machine learning may have a enterprise Linux system installed. The key component is shown as below:
Apache Kafka is an open source distributed streaming system for stream processing, real-time data pipelines, and large-scale data integration.
Kafka with more than one broker is called Kafka Cluster. It can be expanded and used without downtime. Apache Kafka Clusters are used to manage the persistence and replication of messages of data, so if the primary cluster goes down, other Kafka Clusters can be used to deliver the same service without any delay.
However if there is vulnerability occurs on Linux system. It will cause unforseen problem on the infrastructure.

Vulnerability details: CVE-2023-0767 – An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled.
Firefox and Thunderbird in Red Hat Enterprise Linux 8.6 and later are not affected by this vulnerability, as they use the system NSS library. Firefox and Thunderbird in earlier Red Hat Enterprise Linux 8 extended life streams were affected, and should be updated to fixed versions as they become available.
Remark: To better support the PKCS12 format add one or several command line options to the pkcs12 tool to allow adding arbitrary attributes to bags.

Official announcement: For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the link – https://access.redhat.com/security/cve/CVE-2023-0767

Closer look CVE-2022-42331: x86 speculative vulnerability in 32bit SYSCALL path (26th Mar 2023)

Preface: Meltdown is a vulnerability allowing a process to read all memory in a given system.

Background: The Xen Project is a free and open source type-1 or bare-metal hypervisor that enables a computer to run multiple operating systems simultaneously on the same hardware. A Type 1 hypervisor runs directly on the underlying computer’s physical hardware, interacting directly with its CPU, memory, and physical storage. For this reason, Type 1 hypervisors are also referred to as bare-metal hypervisors. A Type 1 hypervisor takes the place of the host operating system.
The pros of type-1 hypervisors lie in performance and security. It offerrs high performance because the hypervisor has direct access to the hardware. Security is also more reliable on type-1 than type-2, because there is no interface between the hypervisor and CPU.

Vulnerability details: Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late.
In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks.

Impact: An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests.

Affected system: Xen versions 4.5 through 4.17 are vulnerable. Older versions are not vulnerable.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2022-42331

Sometimes, cyber security incidents are caused by Java script. What type of Java script is claimed to be dangerous? (22nd Mar 2023)

Preface: Vanilla JS is faster than other frameworks. It provides better response than all other front-end frameworks. In additional, it renders UI up to 30 times faster than React JS. In Vanilla, handling UI state is simple.React is a free and open source front-end JavaScript tool library for building user interfaces based on UI components. It is maintained by Meta and a community of individual developers and companies. React can be used as the basis for developing single-page, mobile or server-side rendering applications with frameworks like Next[.]js.

Background: Since client-side JavaScript is a necessity for any business building dynamic web pages or websites that use single-page application (SPA) architecture.
About twelve years ago, the modern web frontend development has advanced a lot. In order to exploit the features of Model-View-Controller (MVC) architecture. So it need to consider the frontend as a separate entity which talks to the backend only using the REST API (most preferably, REST JSON).
Below details describe the flow of SPA (single-page application).

  • Request the HTML template/s to the browser in one single go.
  • Then, query the JSON REST API to fill a model (data object).
  • Adjust the UI according to the data in the model (JSON).
  • When users modify the UI, the model (data object) should change automatically. For example, in AngularJS, it is possible with two-way data binding. Finally, make REST API calls to notify the server about changes whenever you want.

Suggestion: Refer to picture, Example A and B has the own advantage. Perhaps developers will be overlook cyber security awareness. Make it simple use Vanilla JS. However it contains a potential risk when used. It’s because the JavaScript code is viewable on the client-side. Thus, the most significant disadvantage of a Vanilla script is client-side security.
Remark: The design objective of vanilla script is used to refer to the pure JavaScript without any type of additional library.

CVE-2023-28425 : About Redis (20th Mar 2023)

Preface: The word Database, inspire you thinking a large volume of database. For example, a structured set of data held in a computer, especially one that is accessible in various ways. Do a transformation of design, bring the data which going to use to a specify memory. Compare to disk access storage, direct access to memory will be more faster. This is one of the modern strategy in big data analytic design solution.

Background: Running in-memory means requests for data do not require a trip to disk.

  • What memory does Redis use? An empty instance uses ~ 3MB of memory. 1 Million small Keys -> String Value pairs use ~ 85MB of memory. 1 Million Keys -> Hash value, representing an object with 5 fields, use ~ 160 MB of memory.
    In Ubuntu and other Linux distributions, the Redis database directory is /var/lib/redis .

Vulnerability details: The vulnerability exists due to a reachable assertion when handling the MSETNX command. A remote attacker can send a specially crafted MSETNX command and perform a denial of service (DoS) attack.
Starting in version 7.0.8 and prior to version 7.0.10, authenticated users can use the MSETNX command to trigger a runtime assertion and termination of the Redis server process.

Solution: The problem is fixed in Redis version 7.0.10.

Official details: Please refer to NATIONAL VULNERABILITY DATABASE – https://nvd.nist.gov/vuln/detail/CVE-2023-28425