Category Archives: Potential Risk of CVE

SAP GUI chronicle – even if you are using the NWBC client, can you ignore web browser vulnerabilities? (17th Feb 2023)

Preface: This is the periodically recurring SAP Security Note #2622660, which patches the latest Chromium vulnerabilities for SAP Business Client.

Background: What is the difference between SAP NWBC and SAP GUI?
Web Dynpro is the SAP NetWeaver programming model for user interfaces (UIs).
– Using SAP GUI, when you execute a WD (Web Dynpro) application, it opens in a browser.

– The SAP NetWeaver Business Client (NWBC) enables direct connectivity to the ABAP back-end system and to the PFCG role repository, which centrally holds SAP GUI, Web Dynpro and various Web content applications. NWBC provides role-based access to these applications.

Remark: SAP GUI is a prerequisite of the NWBC client; you will still need SAP GUI installed on the desktop.

Update – Security updates for the browser control Google Chromium delivered with SAP Business Client (2622660): This security note addresses multiple vulnerabilities in the third-party web browser control Chromium, which can be used within SAP Business Client. The note will be modified periodically based on web browser updates by the open-source Chromium project. The note priority is based on the highest CVSS score of all the vulnerabilities fixed in the latest browser release. If the SAP Business Client release is not updated to the latest patch level, displaying web pages in SAP Business Client via this open-source browser control might expose it to vulnerabilities such as memory corruption, information disclosure and the like. The solution is to update SAP Business Client to the newest patch, which contains the most current stable major release of the Chromium browser control that has passed the SAP internal quality measurements for SAP Business Client. CVSS v3 Base Score: 10 / 10 (multiple CVEs).

Technical articles: SAP Security Patch Day (February 2023). For details, please refer to the link – https://blogs.sap.com/2023/02/14/sap-security-patch-day-february/

CVE-2023-20927 About Android “AndroidManifest[.]xml” (15th Feb 2023)

Preface: When an Android application needs to access sensitive resources on the device, a design weakness in how that access is granted can turn into a vulnerability.

Background: Usually, if we want to request permissions for an app, we write the following code in the AndroidManifest[.]xml file:

The Android system grants these permissions at installation time, but there is one condition: the app that is asking for a permission must be signed with the same signature as the app that defines that permission.

The following are some of the signature-level permissions:
1. BIND_ACCESSIBILITY_SERVICE
2. BIND_AUTOFILL_SERVICE
3. BIND_CARRIER_SERVICE
4. BIND_DEVICE_ADMIN
5. BIND_INPUT_METHOD
6. BIND_NFC_SERVICE
7. BIND_TV_INPUT
8. BIND_WALLPAPER
9. READ_VOICEMAIL
10. WRITE_SETTINGS
11. WRITE_VOICEMAIL

Vulnerability details: In permissions of AndroidManifest[.]xml, there is a possible way to grant signature permissions due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Official announcement: For details, see the link – https://nvd.nist.gov/vuln/detail/CVE-2023-20927
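As an added example (my code, not from the Android documentation or the CVE advisory), a small manifest audit that lists the permissions an app defines with their protectionLevel and flags every requested permission that is signature-protected, either a platform permission from the list above or one the app declares itself. The manifest text is constructed for the demo; the platform list is assumed to map to `android.permission.*` names.

```python
# Added example: audit an AndroidManifest.xml for signature-level permissions.
# Not project code; the sample manifest below is constructed for the demo.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Platform permissions from the list above, assumed to live under
# "android.permission.*" (an assumption for this demo).
PLATFORM_SIGNATURE = {
    "android.permission." + p for p in (
        "BIND_ACCESSIBILITY_SERVICE", "BIND_AUTOFILL_SERVICE",
        "BIND_CARRIER_SERVICE", "BIND_DEVICE_ADMIN", "BIND_INPUT_METHOD",
        "BIND_NFC_SERVICE", "BIND_TV_INPUT", "BIND_WALLPAPER",
        "READ_VOICEMAIL", "WRITE_SETTINGS", "WRITE_VOICEMAIL")}

# Constructed sample: one app-defined signature permission, one normal
# permission, and three requests (one normal, two signature-level).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <permission android:name="com.example.demo.permission.INTERNAL"
              android:protectionLevel="signature"/>
  <permission android:name="com.example.demo.permission.PUBLIC"
              android:protectionLevel="normal"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="com.example.demo.permission.INTERNAL"/>
</manifest>
"""


def audit_manifest(xml_text):
    """Return (defined, flagged).

    defined: {permission name: protectionLevel} for every <permission>
             the app declares (missing level defaults to "normal").
    flagged: names of every <uses-permission> that is signature-level,
             in manifest order.
    """
    root = ET.fromstring(xml_text)
    defined = {}
    for perm in root.iter("permission"):
        name = perm.get(ANDROID_NS + "name")
        # protectionLevel may be a '|'-joined list, e.g. "signature|privileged"
        level = perm.get(ANDROID_NS + "protectionLevel", "normal")
        defined[name] = level
    app_signature = {n for n, lvl in defined.items()
                     if "signature" in lvl.split("|")}
    flagged = []
    for req in root.iter("uses-permission"):
        name = req.get(ANDROID_NS + "name")
        if name in PLATFORM_SIGNATURE or name in app_signature:
            flagged.append(name)
    return defined, flagged


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST)[1]:
        print("signature-level request:", line)
```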

CVE-2023-21808 – Patched MS zero-day vulnerability (14th Feb 2023)

Preface: .NET is a free, cross-platform, open source developer platform for building many different types of applications. With .NET, you can use multiple languages, editors, and libraries to build web, mobile, desktop, games, IoT, and more.

Background: The demand for .NET will continue to increase as long as new and better technologies are developed.
.NET 6 is an LTS (Long Term Support) release and will be supported with bug and security fixes for 3 years. .NET 7, however, is an STS (Short Term Support) release and will only be supported for 18 months (6 months beyond the release of .NET 8).
.NET 8 is scheduled to ship during the .NET Conf 2023 event, around Nov. 10.

Internet Information Services (IIS) is the flexible, general-purpose web server provided by Microsoft that runs on Windows.
IIS can be used to host, deploy, and manage web applications using technologies such as ASP.NET and PHP.
A PDB file is created when you compile a C/C++ program with /ZI or /Zi, or a Visual Basic, Visual C#, or JScript program with the /debug option.
You need to configure your build machine to publish your .pdb files into a known directory, which is later used in your IIS configuration.
However, when an exception occurs on a website that has .PDB files deployed and you have not set the CustomErrors property in web.config, the stack trace will be displayed with file names and line numbers.

Vulnerability details: A vulnerability exists in how .NET reads debugging symbols, where reading a malicious symbols file may result in remote code execution.

Solution: For details, see the link – https://devblogs.microsoft.com/dotnet/february-2023-updates/

CVE-2023-0405: Like a newborn, AI in some fields may have design weaknesses. (14th Feb 2023)

Preface: Today is Valentine’s Day 2023. Are you alone? In the future, artificial intelligence will be with you.


Background: With an AI content writer, all you need to do is enter your desired topic or keyword into the plugin settings, and then AI will immediately generate an article that reads as if it were written by a human. You’ll get unique, engaging stories without having to spend hours typing out paragraphs or researching facts. Plus, you’ll have a consistent style and tone that you can use for all of your content.


Vulnerability details: The GPT AI Power: Content Writer & ChatGPT & Image Generator & WooCommerce Product Writer & AI Training WordPress plugin before 1.4.38 does not perform any kind of nonce or privilege checks before letting logged-in users modify arbitrary posts.
Ref: CWE classifies the issue as CWE-862: the software does not perform an authorization check when an actor attempts to access a resource or perform an action. This has an impact on integrity and availability.


Solution: Upgrading to version 1.4.38 eliminates this vulnerability.


Official Announcement: For details, see the link – https://wpscan.com/vulnerability/3ca9ac21-2bce-4480-9079-b4045b261273

Before you enjoy it with your AI girlfriend, I wish you a great Valentine’s Day today.

CVE-2022-42292: Nvidia fixed a GeForce Experience design weakness (13th Feb 2023)

Preface: This design weakness was released on 30th Jan 2023. However, the vulnerability has been known as CVE-2022-42292 since 10/03/2022, and it has already been fixed.

Background: The GeForce Experience features a host of performance and configuration tweaks for games, automatic driver updates for your GPU, Nvidia Shadowplay for live streaming, integrated game filters (like Instagram filters but for your PC games), and many more powerful options.

Vulnerability details: NVIDIA GeForce Experience contains a vulnerability in the NVContainer component, where a user without administrator privileges can create a symbolic link to a file that requires elevated privileges to write to or modify, which may lead to denial of service, escalation of privilege or limited data tampering.

Official announcement: For details, see the link – https://nvidia.custhelp.com/app/answers/detail/a_id/5384/kw/cve-2022-42292

My observation:
I speculate that this vulnerability will affect home users rather than business users, since domain user accounts follow best-practice Windows access control policies driven by the IT department.

For your reference:
The access permissions on a symbolic link itself are irrelevant. Users are only prevented from operating on a symlink by the permissions of its parent directory and of the target file. Windows 11 doesn’t require administrative privileges to create symbolic links.

Apart from the above concern, it is actually easy to set up access restrictions for a home user. You can do it yourself.

Enable the Administrator account on Windows 11 from Command Prompt
1. Open Start on Windows 11.
2. Run “Command Prompt”: right-click the top result and select the Run as administrator option.
3. Type the following command to enable the Windows 11 Administrator account and press Enter: net user "Administrator" /active:yes

CVE-2023-23625: Certain versions of go-unixfs from IPFS contain a vulnerability (9th Feb 2023)

Preface: AI system infrastructure may never have a fully mature model; it will keep evolving forever, without end. Perhaps this is true sustainability. Since the key component is the computer, the only things that slow it down are software or hardware bugs.


Background: Cryptocurrency technology fully utilises the concept of blockchain. The advantages of cryptocurrency seem easy to misuse, which makes it dangerous; therefore many governments hesitate to get involved, and it fails to meet its original objective. However, the related technology will grow rapidly. Yes, it is IPFS. AI requires heavy amounts of storage and compute. From a technical point of view, distributed storage is an advantage: since the data is not kept in one place, it enhances overall reliability and efficiency. AI robots will communicate using 5G and deal with distributed data storage. Machine learning operations and processes can be fully leveraged as this breaks down regional constraints. Perhaps the distributed cloud computing platform is the beginning of a milestone that boosts the world into the artificial intelligence era.

Large models in deep learning are often shared by researchers via Google Drive links, which have transfer limits and are not reliably online. IPFS provides a great decentralised solution for hosting data that can be downloaded via regular web links.
go-unixfs is part of the IPFS implementation in Go; “unixfs” is a tool in the Go Modules Packages category of a tech stack.
A Merkle DAG is a DAG where each node has an identifier that is the result of hashing the node’s contents. go-unixfs implements Unix-like filesystem utilities on top of an IPLD merkledag. A Merkle DAG implementation also exists in Python.

Vulnerability details: go-unixfs is an implementation of a unix-like filesystem on top of an ipld merkledag. Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus `fanout` parameter in the HAMT directory nodes.

Solution: Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.

Official announcement: For details, see the link – https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778
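As an added illustration (my code, not go-unixfs’s own fix), the shape of the validation a HAMT shard decoder needs before it trusts the `fanout` field described above: reject the value instead of panicking or allocating on it. The accepted range 8..1024, the bitfield layout of fanout/8 bytes and the bit ordering are assumptions for this demo, not values taken from the advisory.

```python
# Added illustration of defensive HAMT shard decoding; not go-unixfs code.
# Assumed shard layout (my model for the demo): a fanout, a bitfield of
# fanout/8 bytes marking populated slots, and one child link per set bit.
MIN_FANOUT = 8          # assumed lower bound: at least one bitfield byte
MAX_FANOUT = 1 << 10    # assumed upper bound: caps allocation per node


class MalformedShard(ValueError):
    """Raised instead of panicking when a shard node is inconsistent."""


def validate_fanout(fanout):
    """Return log2(fanout) after checking the value is sane.

    A HAMT consumes log2(fanout) bits of the hash per level, so fanout must
    be a power of two; without an upper bound, a bogus value would also
    drive the size of every allocation made for the node.
    """
    if not isinstance(fanout, int) or not MIN_FANOUT <= fanout <= MAX_FANOUT:
        raise MalformedShard(
            f"fanout {fanout!r} outside [{MIN_FANOUT}, {MAX_FANOUT}]")
    if fanout & (fanout - 1):
        raise MalformedShard(f"fanout {fanout} is not a power of two")
    return fanout.bit_length() - 1


def decode_shard(fanout, bitfield, num_links):
    """Check a shard header and return (bits_per_level, populated_slots).

    The bitfield must be exactly fanout/8 bytes long, and the number of set
    bits must equal the number of child links the node carries; either
    mismatch means the node is malformed and must not be walked.
    """
    bits = validate_fanout(fanout)
    expected_len = fanout // 8
    if len(bitfield) != expected_len:
        raise MalformedShard(
            f"bitfield is {len(bitfield)} bytes, expected {expected_len}")
    # Bit i of the bitfield marks slot i (LSB-first within each byte;
    # the ordering is an assumption for this demo).
    populated = [i for i in range(fanout)
                 if (bitfield[i // 8] >> (i % 8)) & 1]
    if len(populated) != num_links:
        raise MalformedShard(
            f"{len(populated)} populated slots but {num_links} links")
    return bits, populated


if __name__ == "__main__":
    # Constructed sample: default fanout 256, slots 0 and 2 populated.
    print(decode_shard(256, bytes([0b101]) + bytes(31), 2))
    for bad in (0, 12, 1 << 20):
        try:
            validate_fanout(bad)
        except MalformedShard as e:
            print("rejected:", e)
```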

CVE-2023-0286: X.400 address type confusion in X.509 GeneralName. What exactly does it mean? (8th Feb 2023)

Preface: What are the benefits of corrective action? A motivation to maintain sustainability.

Background: X.509 describes an approach to providing and managing authentication using asymmetric cryptography, generally referred to as Public Key Infrastructure (PKI).
If X.400 defines its authentication mechanism using X.509 PKI:
It enhances end-to-end services for content integrity, message origin authentication and message sequence integrity.

Certificate extensions were introduced in version 3 of the X.509 standard for certificates. These v3 extensions allow certificates to be customised to applications by supporting the addition of arbitrary fields in the certificate.

OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:
1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate
2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token).

Vulnerability details: There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

My observation: Does the attacker use an exploit method similar to CVE-2020-1971 as the attack?
OpenSSL’s s_server, s_client and verify tools support the “-crl_download” option, which implements automatic CRL downloading, and that attack has been demonstrated to work against those mechanisms. The way it works is that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However, it is possible to construct a malformed EDIPARTYNAME that OpenSSL’s parser will accept and hence trigger the attack.

Official announcement: For details, see the link (below):

https://nvd.nist.gov/vuln/detail/CVE-2023-0401
https://www.openssl.org/news/secadv/20230207.txt

CVE-2023-23931 – cryptography (7th Feb 2023)

Preface: PyCrypto is no longer under active development (the project has been dead since 2015). For details, see the link – https://github.com/pycrypto/pycrypto/issues/173
“cryptography” is a package which provides cryptographic recipes and primitives to Python developers. The goal is for it to be your “cryptographic standard library”. It supports Python 3.6+ and PyPy3 7.2+.

Background: “cryptography” is a package which provides cryptographic recipes and primitives to Python developers.
Unlike some OOP languages, Python is dynamically typed, which means that you don’t need to declare what kind of data (e.g. integer, array, etc.) a variable can hold before using it.
In computer science, a data buffer (or just buffer) is a region of a memory used to temporarily store data while it is being moved from one place to another.
Immutable buffers are allocated with an initial data content that may not be subsequently modified. This access model implies that all sharing of buffers is read-only.

Vulnerability details: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions Cipher.update_into would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as bytes) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since update_into was originally introduced in cryptography 1.8.

My observation: According to the CFFI technical manual, if require_writable is set to True, the function fails if the buffer obtained from python_buffer is read-only (e.g. if python_buffer is a byte string). The exact exception is raised by the object itself, and for things like bytes it varies with the Python version, so don’t rely on it. (Before version 1.12, the same effect can be achieved with a hack: call. Therefore it may be necessary to look at this cryptographic library again whenever the Python version is updated.

Official announcement: For details, see the link – https://nvd.nist.gov/vuln/detail/CVE-2023-23931
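As an added example (my code, not the cryptography project’s), the kind of writability check that a function like update_into must make before handing a caller’s buffer to native code: memoryview exposes the buffer protocol’s read-only flag directly, so the check does not depend on which exception a given Python version raises for bytes, which is the CFFI caveat quoted above. xor_into is a toy stand-in for a cipher’s update_into, assumed here only to show the check in use.

```python
# Added example of rejecting read-only buffers before writing into them.
# Not cryptography's own code; xor_into is a toy stand-in for update_into.


def require_writable_buffer(buf):
    """Return a flat, writable byte view over ``buf`` or raise TypeError.

    ``memoryview(buf).readonly`` is True for bytes, for a read-only
    memoryview, and for any other object exporting an immutable buffer,
    so one check covers every immutable buffer-protocol object.
    """
    view = memoryview(buf)
    if view.readonly:
        raise TypeError("buffer must be writable (e.g. bytearray, not bytes)")
    return view.cast("B")  # flat unsigned-byte view, length in bytes


def xor_into(data, key, buf):
    """XOR ``data`` with a repeating ``key`` into ``buf``.

    Returns the number of bytes written, mirroring update_into's contract.
    Without require_writable_buffer, a native writer handed ``bytes`` would
    silently mutate an immutable object, which is what CVE-2023-23931 fixed.
    """
    out = require_writable_buffer(buf)
    if len(out) < len(data):
        raise ValueError("output buffer too small")
    for i, b in enumerate(data):
        out[i] = b ^ key[i % len(key)]
    return len(data)


def demo():
    """Constructed sample: the accepted path and the rejected path."""
    dst = bytearray(8)
    n = xor_into(b"hello!!!", b"\x01", dst)
    accepted = (n, bytes(dst[:n]))
    try:
        xor_into(b"hello!!!", b"\x01", b"\x00" * 8)  # immutable bytes
        rejected = False
    except TypeError:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```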

Is this the last round of remediation for CVE-2022-26373? Intel’s Enhanced Indirect Branch Restricted Speculation (eIBRS) – 6th Feb 2023

Preface: The technical details of CVE-2022-26373 were released to the public on 9th Aug 2022. As of the end of Jan 2023 there were still updates on this vulnerability. For example, Red Hat fixed it in Red Hat Enterprise Linux 7 on 3rd Nov 2022 and has since been carrying out remediation across their product line. Perhaps the remediation on 24th Jan 2023 for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 is the final round.
This looks like a CPU vendor-specific bug. As a result, some vendors have stated that their products are not affected by this vulnerability. Is that an absolute answer? It all depends on the brand of CPU in use.

Background: From a technical point of view, Indirect Branch Restricted Speculation (IBRS) is an indirect branch control mechanism that restricts speculation of indirect branches. See below for technical details.
CPUID.(EAX=7H,ECX=0): if EDX[26] is 1, the processor supports IBRS and IBPB, and
the OS can write IA32_SPEC_CTRL and IA32_PRED_CMD to control the behaviour of the indirect branch predictor.
IBRS ultimately did not make it into the kernel because of functional problems; however, it can still come into play when the VM is switched. This weakness was found in early 2018.

Vulnerability details: A flaw was found in hardware. In certain processors with Intel’s Enhanced Indirect Branch Restricted Speculation (eIBRS) capabilities, soon after a VM exit or an IBPB command event, the linear address following the most recent near CALL instruction prior to the VM exit may be used as the Return Stack Buffer (RSB) prediction.
Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

Official announcement – For details, see URL – https://access.redhat.com/security/cve/cve-2022-26373

CVE-2022-31711 – VMware vRealize Log Insight 8.x prior to 8.10.2 (Updated On: 2023-01-31)

Preface: As time goes by, log management has become a mandatory part of the digital world. Log management core architecture involves a lot of software design, and therefore it is exposed to different forms of cyber attack. So you need to watch out and protect yourself from harm.

Background: Log Insight includes the following key capabilities:
• Integrates with VMware vRealize Operations™ to bring unstructured and structured data together, for significantly enhanced end-to-end operations management.

System features:
• Webhooks support additional alerting extensibility into Slack, etc.
• Simple Query API adds support for simple keyword search, complex queries, integration with CMDBs, external UI analysis, etc.
• Support for pure IPv6 environments – both server and agent side.
• Server-side agent upgrades – supports automatic agent upgrades.

Remark: Working with webhooks exposes an HTTP endpoint that can be called by any actor who can reach your server. Without appropriate measures, this could be extremely unsafe. For example, a man-in-the-middle attack is one where a third party obtains access to your webhook data by capturing and reading the request.

Vulnerability details: VMware vRealize Log Insight contains an Information Disclosure Vulnerability. A malicious actor can remotely collect sensitive session and application information without authentication.

Affected Versions: VMware vRealize Log Insight 8.x prior to 8.10.2.

Consequence: Successful exploitation of the vulnerability may allow remote code execution and complete system compromise.

Official announcement: For more information please refer to – https://www.vmware.com/security/advisories/VMSA-2023-0001.html