CVE-2022-31711 – VMware vRealize Log Insight 8.x prior to 8.10.2 (Updated On: 2023-01-31)

Preface: Log management has become mandatory in the digital world. The core architecture of a log management product involves a lot of software design, so it is exposed to different forms of cyber attack. You need to watch out and protect yourself from harm.

Background: Log Insight includes the following key capabilities
• Integrates with VMware vRealize Operations™ to bring unstructured and structured data together, for significantly enhanced end-to-end operations management.

System Features:
• Webhooks support additional alerting extensibility into Slack, etc.
• Simple Query API adds support for simple keyword search, complex queries, integration with CMDBs, external UI analysis, etc.
• Support for pure IPv6 environments – both server and agent side.
• Server-side agent upgrades – supports automatic agent upgrades.

Remark: Working with webhooks exposes an HTTP endpoint on your server that can be called by any actor. Without appropriate measures, this could be extremely unsafe. For example, a man-in-the-middle attack is one where a third party obtains access to your webhook data by capturing and reading the request.

Vulnerability details: VMware vRealize Log Insight contains an Information Disclosure Vulnerability. A malicious actor can remotely collect sensitive session and application information without authentication.

Affected Versions: VMware vRealize Log Insight 8.x prior to 8.10.2.

Consequence: Successful exploitation of the vulnerability may allow remote code execution and complete system compromise.

Official announcement: For more information please refer to – https://www.vmware.com/security/advisories/VMSA-2023-0001.html

CVE-2023-20532 – See what’s going on with this vulnerability? (1st Feb 2023)

Preface: As usual when you read a vulnerability bulletin, the vendor sometimes does not disclose technical details to the public. If you read the daily CVE updates, maybe you feel the same way I do. The CPU is one of the key topics of the vulnerability database. Since the supplier has the right to secrecy, all you can do as a computer user is patch.

Background: AMD engineers created the “Zen” architecture, which powers every AMD processor available today, from AMD Ryzen™ desktop and mobile processors to AMD EPYC™ CPUs and AMD Threadripper™ CPUs. It all started with “Zen”. AMD EPYC CPU codenames follow the naming scheme of Italian cities, including Milan (3rd Gen 2021), Rome (2nd Gen 2019) and Naples (1st Gen 2017).
The system management unit (SMU) is tasked with the job of continuously sampling sensory data and making rapid corrections to various circuits on the chip.
Ryzen SMU is a Linux kernel driver that exposes access to the SMU (System Management Unit) for certain AMD Ryzen Processors.

Vulnerability details: Insufficient input validation in the SMU may allow an attacker to improperly lock resources, potentially resulting in a denial of service.

Reference: Traditionally, there are two main types of kernel locks. The fundamental type is the spinlock (include/asm/spinlock[.]h). The second type is a mutex (include/linux/mutex[.]h): it is like a spinlock, but you may block holding a mutex.

For the official announcement on AMD Server Vulnerabilities – January 2023, please refer to the URL – https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1032

Remark: If you’re interested in the matter, see the diagram for details.

CVE-2023-0240 LINUX KERNEL until 5.10.160 IO_URING (IO_PREP_ASYNC_WORK) memory corruption (30th Jan 2023)

Preface: The basic idea behind AIO is to allow a process to initiate a number of I/O operations without having to block or wait for any to complete.

Background: System calls are how a program enters the kernel to perform some task. Programs use system calls to perform a variety of operations such as creating processes, doing network and file I/O, etc.
io_uring is an asynchronous I/O interface provided by Linux. The implementation of io_uring uses only three syscalls: io_uring_setup, io_uring_enter and io_uring_register.
io_uring gets its name from ring buffers which are shared between user space and kernel space.

There is a size limit of 1GiB per buffer. Currently, the buffers must be anonymous, non-file-backed memory, such as that returned by malloc(3) or mmap(2) with the MAP_ANONYMOUS flag set.
Do you think it is possible to launch a remote attack through this vulnerability (CVE-2023-0240)? Perhaps it is. It could make use of kernel driver mmap handler exploitation.

Ref: A use-after-free vulnerability exploits a mistake made by the original author of the software and can result in devastating effects that range from remote code execution to the leaking of sensitive data.

Vulnerability details: There is a logic error in io_uring’s implementation which can be used to trigger a use-after-free vulnerability leading to privilege escalation. In the io_prep_async_work function the assumption that the last io_grab_identity call cannot return false is not true, and in this case the function will use the init_cred or the previous linked requests identity to do operations instead of using the current identity. This can lead to reference counting issues causing use-after-free. We recommend upgrading past version 5.10.161.

Official announcement: For details, please refer to the URL – https://nvd.nist.gov/vuln/detail/CVE-2023-0240

About CVE-2023-0394 (30th Jan 2023)

Preface: It is believed that this design weakness had already been fixed before the CVE was released to the public, so do not worry about that.
To stay secure, given the known potential issues of IPv6 extension headers, both stateful and stateless firewalls should do deep inspection. Otherwise, evasion can happen silently.

Background: From an early deployment aspect, IPv6 is seen as mandatory for specific 5G traffic flows, such as the 5G Control Plane (CP) and the 5G User Plane (UP). For the Management Plane (MP) and IPSec, IPv6 deployment in the early phase is not seen as mandatory but optional if available. But time will tell: IPv6 will have a major role to play in 5G, as IPv4 addresses, which are already in short supply, could never meet the ever-growing connection demand further down the road.
IPv6 extension headers contain supplementary information used by network devices (such as routers, switches, and endpoint hosts) to decide how to direct or process an IPv6 packet. The length of each extension header is an integer multiple of 8 octets.

Vulnerability Details: A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash.

Ref: In normal circumstances, extension headers other than the Hop-by-Hop (HBH) options header are not processed, inserted, or removed by any node until the packet reaches the destination node, but this is a potential problem.
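The deep inspection of extension headers mentioned above, sketched as an added example (not code from the Linux kernel or from any firewall product). The function name, result codes, header limit and the sample packet are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV6_FIXED_HDR_LEN 40
#define MAX_EXT_HEADERS 8 /* assumed policy limit, not from the page */
/* Result codes (hypothetical names for this example). */
enum { WALK_OK = 0, WALK_TRUNCATED = -1, WALK_TOO_MANY = -2, WALK_NOT_IPV6 = -3 };

/* Constructed sample: fixed header, Hop-by-Hop (0), Destination Options (60), then TCP (6). */
static const uint8_t sample_pkt[56] = {
    [0] = 0x60, [6] = 0, /* version 6, Next Header = Hop-by-Hop */
    [40] = 60, [41] = 0, /* HBH: next = Dest Opts, Hdr Ext Len 0 means 8 octets */
    [48] = 6, [49] = 0,  /* Dest Opts: next = TCP, Hdr Ext Len 0 means 8 octets */
};

/* Hop-by-Hop, Routing, Fragment, Authentication Header, Destination Options */
static int is_ext_header(uint8_t nh)
{
    return nh == 0 || nh == 43 || nh == 44 || nh == 51 || nh == 60;
}

/* Walk the chain; on WALK_OK, *proto is the upper-layer protocol and
 * *offset is where its header starts. Every read is checked against len. */
int walk_ipv6_ext_headers(const uint8_t *pkt, size_t len, uint8_t *proto, size_t *offset)
{
    if (len < IPV6_FIXED_HDR_LEN)
        return WALK_TRUNCATED;
    if ((pkt[0] >> 4) != 6)
        return WALK_NOT_IPV6;
    uint8_t nh = pkt[6]; /* Next Header field of the fixed header */
    size_t off = IPV6_FIXED_HDR_LEN;
    for (int count = 0; is_ext_header(nh); count++) {
        if (count >= MAX_EXT_HEADERS)
            return WALK_TOO_MANY;
        if (len - off < 8) /* every extension header is at least 8 octets */
            return WALK_TRUNCATED;
        size_t n = pkt[off + 1]; /* Hdr Ext Len (Payload Len for AH) */
        /* Fragment is fixed at 8 octets, AH counts 4-octet units, the rest 8-octet units. */
        size_t hlen = nh == 44 ? 8 : nh == 51 ? (n + 2) * 4 : (n + 1) * 8;
        if (hlen > len - off)
            return WALK_TRUNCATED;
        nh = pkt[off]; /* Next Header field of this extension header */
        off += hlen;
    }
    *proto = nh;
    *offset = off;
    return WALK_OK;
}

int main(void)
{
    uint8_t proto = 0; size_t off = 0;
    int rc = walk_ipv6_ext_headers(sample_pkt, sizeof sample_pkt, &proto, &off);
    printf("rc=%d proto=%u offset=%zu\n", rc, (unsigned)proto, off);
    return 0;
}
```

For a non-first fragment the bytes at the returned offset are payload, not the upper-layer header, so an inspecting device also has to track the Fragment header's offset field.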

For the official announcement, please refer to the following URL: https://nvd.nist.gov/vuln/detail/CVE-2023-0394

Speculation – Cause of Microsoft Edge (Chromium-based) Vulnerabilities (25th Jan 2023)

Preface: Edge was initially built with Microsoft’s own proprietary browser engine, EdgeHTML, and their Chakra JavaScript engine. In late 2018, it was announced that Edge would be completely rebuilt as a Chromium-based browser with Blink and V8 engines.

The new Microsoft Edge is based on Chromium and was released on January 15, 2020. It is compatible with all supported versions of Windows, and macOS.

Background: In Chromium, a renderer doesn’t run in the main browser’s process. Different sites run in different renderers, each with its own process. Last year a flaw was found: CVE-2022-1134, a bug that gave remote code execution in the Chrome renderer. The bug exists in the super inline cache (SuperIC) feature.

Blink is Google Chrome’s rendering engine, and V8 is the JavaScript engine used within Blink. Inline cache is an optimization used in V8 for speeding up property accesses in bytecode generated by Ignition (the interpreter in V8).

Edge and Chrome are both built on the Chromium open-source browser using the Blink rendering engine.

Vulnerability details:

CVE-2023-21796: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2023-21795.

CVE-2023-21795: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2023-21796.

CVE-2023-21775: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

CVE-2023-21719: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

Official announcement: See URL for details – https://learn.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security

Observation: Refer to CVE-2022-1134. A JavaScript object has its map as its first field. In V8, this field is used for determining the type of an object, so by putting the map of a double array in our fake object, V8 will interpret it as a double array. As a result, a code region gets overwritten.

The vendor has released no details. But think it over: in Chromium, a renderer doesn’t run in the main browser’s process. Different sites run in different renderers, each with its own process. However, if a remote code execution vulnerability occurs (similar to CVE-2022-1134), then the impact will be different.

The flaw displayed in the diagram is a so-called type confusion vulnerability. When a memory buffer is accessed using the wrong type, it could read or write memory out of the bounds of the buffer, if the allocated buffer is smaller than the type that the code is attempting to access, leading to a crash and possibly code execution. An attacker can then exploit this flaw to get a privileged shell.

What is the value of the Trusted Execution Environment (TEE) ? (20th JAN 2023)

Preface: Some say malware has been found that lets cybercriminals remotely manipulate your Android.

Background: The full name of TEE is trusted execution environment, which is an area on the CPU of mobile devices (smart phones, tablets, smart TVs). The role of this area is to provide a more secure space for data and code execution, and to ensure their confidentiality and integrity.

Other TEE operating systems are traditionally supplied as binary blobs by third-party vendors or developed internally. Developing internal TEE systems or licensing a TEE from a third-party can be costly to System-on-Chip (SoC) vendors and OEMs.

Trusty is a secure Operating System (OS) that provides a Trusted Execution Environment (TEE) for Android. A Trusty application is defined as a collection of binary files (executables and resource files), a binary manifest, and a cryptographic signature. At runtime, Trusty applications run as isolated processes in unprivileged mode under the Trusty kernel.

Technical details: According to headline news, a new Android malware named ‘Hook’ is being sold by cybercriminals, boasting it can remotely take over mobile devices in real-time using VNC (virtual network computing), said BleepingComputer.

For details, please refer to URL – https://www.bleepingcomputer.com/news/security/new-hook-android-malware-lets-hackers-remotely-control-your-phone/

Speculation: If this reported malware achieves its goals, do you think it will rely on a vulnerability such as CVE-2023-21420?

Solution: To avoid Android malware, you should only install apps from the Google Play Store.

Here’s wishing you a Happy Chinese New Year 2023.

Potential threat of ChatGPT (Artificial intelligence) – 19th JAN 2023

Preface: OpenAI was founded by Elon Musk, Sam Altman, Ilya Sutskever, Greg Brockman, Wojciech Zaremba and John Schulman in Nov 2015. ChatGPT is a chatbot launched by OpenAI in November 2022. It is built on top of OpenAI’s GPT-3 family of large language models, and is fine-tuned with both supervised and reinforcement learning techniques.

Background: OpenAI GPT-3 is a machine learning model that can be used to generate predictive text via an API.

In GPT-3’s API, a ‘prompt’ is a parameter that is provided to the API so that it is able to identify the context of the problem to be solved. Depending on how the prompt is written, the returned text will attempt to match the pattern accordingly.

Security Focus: ChatGPT is being abused to build hacking tools. Why? Programmed with the help of AI, even script kiddies might be lucky enough to craft malware. Experts say it’s a sinister allusion. What are the design flaws in AI itself under normal circumstances? Yes, there is a known issue with so-called prompt injection attacks. Prompt injection is a new vulnerability that is affecting some AI/ML models and, in particular, certain types of language models using prompt-based learning.

Additional details: ChatGPT can also code malicious software that can monitor users’ keyboard strokes and create ransomware. For your information, ChatGPT has been developed by OpenAI as an interface for its LLM (Large Language Model).

Moreover, scammers can also use ChatGPT to build bots and sites to trick users into sharing their information and launch highly targeted social engineering scams and phishing campaigns.

For details about Prompt injection attacks against GPT-3, please refer to this link – https://simonwillison.net/2022/Sep/12/prompt-injection/

Oracle Critical Patch Update Advisory – January 2023 : Security Focus CVE-2022-2274 (17th JAN 2023)

Preface: Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible.

Background: AVX-512 debuted in 2016 on Intel’s Xeon Phi x200 (codenamed Knights Landing). However, the instruction set has since found its way into other products from the chipmaker, such as Skylake-SP, Skylake-X, Cannon Lake, and Cascade Lake.
Furthermore, there is Intel’s support for AVX-512 instructions with its Alder Lake processors.
However, information disclosed by the vendor to downstream manufacturers says that AVX-512 support on Alder Lake is much like overclocking.
Remark: Overclocking is the action of increasing a component’s clock rate, running it at a higher speed than it was designed to run.

Oracle Essbase is a business analytics solution that uses a proven, flexible, best-in-class architecture for analysis, reporting, and collaboration. Oracle Essbase can be accessed on an intuitive web interface, or using Microsoft Office, for all of your analytic and business modeling needs, from multi-dimensional analysis to complex procedural business logic applied to your data.

Vulnerability details: The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.

Observation: Fundamentally, OpenSSL will build a record from each call to SSL_write and the kernel. The improvement is to build a buffer in front of OpenSSL and not make SSL_write calls with small amounts of data if more is coming. If the AVX512IFMA instructions of the X86_64 architecture cause memory corruption due to overclocking, the buffer in front of OpenSSL may give an attacker a way to exploit it.

Due to memory corruption, an attacker may be able to trigger remote code execution on the machine performing the computation. I speculate that there may be an opportunity to exploit code execution in a similar vulnerability CVE-2022-42475 (heap-based buffer overflow vulnerability).

Workaround (RedHat) – Disabling the AVX512IFMA instruction set extension can effectively mitigate this flaw:
export OPENSSL_ia32cap=:~0x200000

Official announcement (Oracle): For details, please refer to the link – https://www.oracle.com/security-alerts/cpujan2023.html

CVE-2022-47630 – See whether your android can skip this vulnerability? Perhaps it can. (16th Jan 2023)

Preface: Why configure Secure Boot? This type of hardware restriction protects the operating system from rootkits and other attacks that may not be detected by antivirus software.

Background: Secure Boot is the process where the operating system boot images and code are authenticated against the hardware before they are authorized to be used in the boot process. The hardware is pre-configured to authenticate code using trusted security credentials. ARM architectures are the most common electronic design in the world, even though x86 is more common in the server market. ARM architectures are used in almost all smartphone designs, as well as in other small mobile devices and laptops.

Arm is the CPU architecture used by all modern smartphones in the Android and Apple ecosystems.

Vulnerability details: Trusted Firmware-A through 2.8 has an out-of-bounds read in the X.509 parser for parsing boot certificates. This affects downstream use of get_ext and auth_nvctr. Attackers might be able to trigger dangerous read side effects or obtain sensitive information about microarchitectural state.

Additional Details – One of its designs is not affected by this vulnerability:

If the configuration is like the one below:

“load_auth_image” invokes “load_auth_image_internal” – see the attached picture for details.

If the platform uses a custom image parser instead of the certificate
parser, the bug in the certificate parser is obviously not relevant. The
bug in auth_nvctr() may be relevant, but only if the returned data is:

  • Taken from an untrusted source (meaning that it is read prior to
    authentication).
  • Not already checked to be a primitively-encoded ASN.1 tag.
    In particular, if the custom image parser implementation wraps a 32-bit integer in an ASN.1 INTEGER, it is not affected.
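The two conditions above amount to validating the tag and the declared length before reading the counter. The following is an added example of such a check, not code from Trusted Firmware-A; parse_nv_counter() and the sample byte strings are hypothetical and constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ASN1_TAG_INTEGER 0x02 /* universal class, primitive, INTEGER */

/* Constructed samples (not taken from any real certificate). */
static const uint8_t ctr_ok[] = { 0x02, 0x01, 0x05 };        /* INTEGER 5 */
static const uint8_t ctr_max[] = { 0x02, 0x05, 0x00, 0xFF, 0xFF, 0xFF, 0xFF };
static const uint8_t ctr_overlong[] = { 0x02, 0x04, 0x01 };  /* claims 4 octets, has 1 */
static const uint8_t ctr_wrong_tag[] = { 0x30, 0x01, 0x05 }; /* constructed SEQUENCE */

/* Hypothetical helper: parse a DER INTEGER holding a non-negative 32-bit counter.
 * Returns 0 and stores the counter on success, -1 on malformed input. */
int parse_nv_counter(const uint8_t *buf, size_t buf_len, uint32_t *out)
{
    if (buf == NULL || out == NULL || buf_len < 3)
        return -1; /* need tag, length and at least one content octet */
    if (buf[0] != ASN1_TAG_INTEGER)
        return -1; /* only a primitively-encoded INTEGER is accepted */
    size_t len = buf[1];
    if (len & 0x80)
        return -1; /* long-form length is never needed for a 32-bit value */
    if (len == 0 || len > buf_len - 2)
        return -1; /* declared content must lie inside the buffer */

    const uint8_t *p = buf + 2;
    if (p[0] & 0x80)
        return -1; /* negative value */
    if (p[0] == 0x00 && len > 1) {
        if (!(p[1] & 0x80))
            return -1; /* non-minimal DER encoding */
        p++; /* drop the sign-padding octet */
        len--;
    }
    if (len > 4)
        return -1; /* does not fit in 32 bits */

    uint32_t v = 0;
    for (size_t i = 0; i < len; i++)
        v = (v << 8) | p[i];
    *out = v;
    return 0;
}

int main(void)
{
    uint32_t v = 0;
    int rc = parse_nv_counter(ctr_ok, sizeof ctr_ok, &v);
    printf("ok: rc=%d value=%u\n", rc, (unsigned)v);
    rc = parse_nv_counter(ctr_max, sizeof ctr_max, &v);
    printf("max: rc=%d value=%u\n", rc, (unsigned)v);
    printf("overlong: rc=%d\n", parse_nv_counter(ctr_overlong, sizeof ctr_overlong, &v));
    printf("wrong tag: rc=%d\n", parse_nv_counter(ctr_wrong_tag, sizeof ctr_wrong_tag, &v));
    return 0;
}
```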

Official announcement: For official details, please refer to the URL – https://nvd.nist.gov/vuln/detail/CVE-2022-47630

Security Focus (CVE-2023-0022) – This CVE is included in SAP’s first 2023 security update. (15th JAN 2023)

Preface: OLAP is all about BI and Big Data. Online analytical processing (OLAP) is an approach to formulate and answer multidimensional queries to large datasets.

Background: SAP has released a new statement of direction for SAP BusinessObjects that introduces a new version of the SAP BusinessObjects BI suite code named SAP BusinessObjects BI 2024, available on-premises and through managed cloud. SAP will provide clear use case migration paths for the components that they plan to end support of after 2027.

https://www.sap.com/documents/2020/03/908ee705-8a7d-0010-87a3-c30de2ffd8ff.html

Vulnerability details: A code injection flaw in the BusinessObjects Business Intelligence platform (CVSS score of 9.9).

SAP BusinessObjects Business Intelligence Analysis edition for OLAP allows an authenticated attacker to inject malicious code that can be executed by the application over the network. On successful exploitation, an attacker can perform operations that may completely compromise the application causing a high impact on the confidentiality, integrity, and availability of the application.

What happened? In what way would a customer trigger this vulnerability? As usual, the vendor did not disclose the details. But in the case of a similar design, an attacker would carry out the attack in this way. For details, please refer to the diagram.

Official Announcement: Please see the link for details of this official announcement

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Affected Products: SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP), Versions – 420, 430

antihackingonline.com