Category Archives: Potential Risk of CVE

CVE-2022-45873 – Perhaps the design weakness is not limited to the current findings. (24th Nov 2022)

Preface: When looking at the systemd Git repository from systemd 250 to systemd 251, there were 79,853 lines of new code and 34,624 lines deleted over the past year.

Background: Under Linux you can use a backtrace to trace the function call stack and locate a segmentation fault. systemd-coredump collects and displays core dumps for analysing application crashes.
By default, systemd-coredump logs the core dump to the journal, including a backtrace (/usr/lib/systemd/systemd-coredump --backtrace), and stores the core dump itself (an image of the memory contents of the process) in an external file in /var/lib/systemd/coredump.
These core dumps are deleted after a few days by default; see /usr/lib/tmpfiles[.]d/systemd.conf for details.

Vulnerability details: systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util[.]c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock. This must be done 16 times when MaxConnections=16 is set for the systemd/units/systemd-coredump.socket file.

Remedy: ELF is short for Executable and Linkable Format. It is a format used for storing binaries, libraries, and core dumps on disk in Linux and Unix-based systems. The file the remedy targets is located at systemd/src/shared/elf-util[.]c. elf-util[.]c iterates over all program headers in the ELF object; these were copied verbatim by the kernel when the core file was generated. That is why the fix modifies this file, with 31 additions and 6 deletions.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-45873

Ref: Technical details are known, but there is no available exploit.

CVE-2022-3910 An improper Update of Reference Count in io_uring leads to Use-After-Free and Local Privilege Escalation. (22nd Nov 2022)

Preface: There are many ways to do file based IO in Linux. The oldest and most basic are the read(2) and write(2) system calls.
io_uring is a system call interface for Linux. It was first introduced in upstream Linux kernel version 5.1 in 2019. It enables an application to initiate system calls that can be performed asynchronously.

Background: In the Linux kernel, reference counting (refcount) has become a default mechanism that manages resource objects. A refcount of a tracked object is incremented when a new reference is assigned and decremented when a reference becomes invalid.
io_uring is a new asynchronous I/O API for Linux created by Jens Axboe from Facebook. It aims at providing an API without the limitations of the current select(2), poll(2), epoll(7) or aio(7) family of system calls.
Reference counting allows clients of your library to keep references to objects created by your library on the heap, and allows you to keep track of how many references are still active. When the reference count goes to zero you can safely free the memory used by the object.
The kernel implements reference counting, so the kernel object is not closed until all the file handles pointing to it are closed.


Vulnerability details: Use After Free vulnerability in Linux Kernel allows Privilege Escalation. An improper Update of Reference Count in io_uring leads to Use-After-Free and Local Privilege Escalation. When io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count (leading to Use-After-Free and Local Privilege Escalation).


Solution:
Applying patch fc7222c3a9f56271fba02aabbfbae999042f1679 eliminates this problem.
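An added toy model (not kernel code) of the rule the fix restores: a fixed file is owned by the ring's registered file table, so a request that merely borrows it must not drop a reference it never took. The buggy path puts the file unconditionally, as the CVE describes; the fixed path puts only a file the request itself pinned. All names here are invented.

```c
#include <stdbool.h>
#include <stddef.h>

struct toy_file {
    int refcount;          /* live references */
    bool freed;            /* set when the last reference is dropped (stands in for kfree) */
};

#define REQ_F_FIXED_FILE 0x1u

struct toy_req {
    struct toy_file *file;
    unsigned flags;
};

struct fixed_table { struct toy_file *slots[4]; };   /* registered (fixed) files */

static void file_get(struct toy_file *f) { f->refcount++; }

/* Drop one reference; the last one frees the object. */
static void file_put(struct toy_file *f)
{
    if (--f->refcount == 0)
        f->freed = true;
}

/* Resolve a request's file. A fixed slot is borrowed without taking a
 * reference (the table owns it); a plain descriptor is pinned with one. */
static void req_assign_file(struct toy_req *req, struct fixed_table *tab,
                            unsigned idx, struct toy_file *plain)
{
    if (req->flags & REQ_F_FIXED_FILE) {
        req->file = tab->slots[idx];
    } else {
        req->file = plain;
        file_get(plain);
    }
}

/* Buggy completion: drops a reference unconditionally, as the CVE describes. */
void msg_ring_buggy(struct toy_req *req) { file_put(req->file); }

/* Fixed completion: release only what the request itself acquired. */
void msg_ring_fixed(struct toy_req *req)
{
    if (!(req->flags & REQ_F_FIXED_FILE))
        file_put(req->file);
}

/* Run one fixed-file request through either path and return the refcount the
 * table is left holding: 1 means intact, 0 means the slot now dangles. */
int run_fixed_file(bool use_fix)
{
    struct toy_file f = { .refcount = 1, .freed = false };   /* owned by the table */
    struct fixed_table tab = { .slots = { &f } };
    struct toy_req req = { .file = NULL, .flags = REQ_F_FIXED_FILE };
    req_assign_file(&req, &tab, 0, NULL);
    if (use_fix)
        msg_ring_fixed(&req);
    else
        msg_ring_buggy(&req);
    return f.freed ? 0 : f.refcount;   /* buggy path: 0, fixed path: 1 */
}
```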


Official announcement: Please refer to the link for details – https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679

CVE-2022-41939 DevOps should be vigilant! (21st Nov 2022)

Preface: Serverless functions not only make the deployment of new code quicker, simpler and easier to automate; they also significantly decrease the possibility of downtime during a deploy. Those already familiar with the concept of serverless functions know that Knative introduces some new cyber security challenges.

Background: Knative allows serverless applications to be deployed and run on any Kubernetes platform, including Red Hat OpenShift Container Platform. Knative installs on OpenShift using Operators. Knative offers features like scale-to-zero, autoscaling, in-cluster builds, and an eventing framework for cloud-native applications on Kubernetes. Whether on-premises, in the cloud, or in a third-party data center, Knative codifies the best practices shared by successful real-world Kubernetes-based frameworks.
Knative use cases fall into the categories below:

  • A simple process that watches a message queue and calls other services based on the message payload (in a similar fashion to the classic Message Router EIP)
  • An API aggregation or request batching service that exposes a single API endpoint and returns the aggregated responses of multiple batched requests it orchestrates internally to additional upstream services

Vulnerability details: A vulnerability has been found in knative func (knative[.]dev/func) up to 1.8.0. This vulnerability affects an unknown code block. knative[.]dev/func is a client library and CLI enabling the development and deployment of Kubernetes functions. Developers using a malicious or compromised third-party buildpack could expose their registry credentials or local Docker socket to a malicious lifecycle container.

Solution: Upgrading to version 1.8.1 eliminates this vulnerability.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-41939

About CVE-2022-42533 (Android) Last Modified on – 11/18/2022

Preface: Different functional logics are encapsulated into different components/subsystems. From the perspective of the system level, gralloc belongs to the lowest HAL layer module and provides services for the upper-level libui and libgui libraries.
The Gralloc4Allocator in the libui library of the Android framework layer is used as a proxy and encapsulates its functions.

Background: Many components are involved in managing, allocating, and using GraphicBuffer in the Android graphics display system:

  • Producers and consumers are generally users of GraphicBuffer, either writing data or reading data;
  • BufferQueue can be regarded as the manager of GraphicBuffer, which handles requests from users in a unified way, so as to manage the allocation, release and transfer of GraphicBuffer in a unified way;
  • Gralloc HAL is the actual cache memory allocation module, which is responsible for allocating graphics buffers that can be shared between processes.

Vulnerability details: In shared_metadata_init of SharedMetadata[.]cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
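An added illustration (not Android's code) of the bug class named above: a bounds check over length fields read from a shared buffer wraps in 32-bit arithmetic and lets an oversized copy through, shown beside the rearranged check that cannot wrap. The structure and function names are invented.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define REGION_SIZE 256u     /* bytes available for metadata in the shared buffer */

/* Header fields as read from a buffer another process may have filled in. */
struct meta_hdr {
    uint32_t name_off;       /* where the name starts inside the region */
    uint32_t name_len;       /* how many bytes to copy there */
};

/* Vulnerable bounds check: name_off + name_len is evaluated in 32 bits and
 * wraps, so a huge name_len yields a small sum that passes, and the copy this
 * check guards would then write past the end of the region. */
bool metadata_fits_buggy(const struct meta_hdr *h)
{
    return h->name_off + h->name_len <= REGION_SIZE;
}

/* Hardened check, rearranged so that no addition can wrap: both fields are
 * bounded individually and the subtraction stays within [0, REGION_SIZE]. */
bool metadata_fits_checked(const struct meta_hdr *h)
{
    return h->name_len <= REGION_SIZE && h->name_off <= REGION_SIZE - h->name_len;
}

/* Initialise the region from the header only when the checked bound holds.
 * Returns the number of bytes copied, or -1 when the header is rejected. */
int shared_metadata_init_checked(uint8_t region[REGION_SIZE],
                                 const struct meta_hdr *h, const uint8_t *name)
{
    if (!metadata_fits_checked(h))
        return -1;
    memcpy(region + h->name_off, name, h->name_len);
    return (int)h->name_len;
}

/* Constructed inputs: a benign header, and one whose 32-bit sum wraps to 8. */
static const struct meta_hdr benign   = { .name_off = 16, .name_len = 32 };
static const struct meta_hdr wrapping = { .name_off = 16, .name_len = 0xFFFFFFF8u };

bool demo_buggy_accepts_wrap(void)   { return metadata_fits_buggy(&wrapping); }    /* true */
bool demo_checked_rejects_wrap(void) { return !metadata_fits_checked(&wrapping); } /* true */
int demo_init_benign(void)
{
    uint8_t region[REGION_SIZE] = { 0 }, name[32];
    memset(name, 'A', sizeof name);
    return shared_metadata_init_checked(region, &benign, name);                   /* 32 */
}
```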

To read more about std::string_view, please refer to the link for details – https://en.cppreference.com/w/cpp/string/basic_string_view

Official announcement: Please refer to the link for details – https://source.android.com/docs/security/bulletin/pixel/2022-11-01

CVE-2022-43171 – A bad Mach-O file can lead LIEF to encounter a heap-buffer-overflow (read) issue.

Preface: Most memory corruption is actually heap corruption. To find where a memory address is modified:

  1. Set a data breakpoint at 0x00408000.
  2. When you hit the breakpoint, use the memory window to view the memory contents starting at 0x00408000.

STR instructions store a register value into memory. The memory address to load from or store to is at an offset from the register Rn. The offset is specified by the register Rm and can be shifted left by up to 3 bits using LSL. The value to load or store can be a byte, halfword, or word.

std::unique_ptr is a smart pointer that owns and manages another object through a pointer and disposes of that object when the unique_ptr goes out of scope.

Background: Mach-O, short for Mach object file format, is a file format for executables, object code, shared libraries, dynamically-loaded code, and core dumps. An executable format determines the order in which the code and data in a binary file are read into memory.
Mach-O is used by some systems based on the Mach kernel. NeXTSTEP, macOS, and iOS are examples of systems that use this format for native executables, libraries and object code.
With the introduction of the Mac OS X 10.6 platform, the Mach-O format underwent a significant modification that causes binaries compiled on a computer running 10.6 or later to be (by default) executable only on computers running Mac OS X 10.6 or later.

Vulnerability details: A heap buffer overflow in the LIEF::MachO::BinaryParser::parse_dyldinfo_generic_bind function of LIEF v0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted MachO file.

Official announcement: Please refer to the link for details – https://github.com/lief-project/LIEF/issues/782

CVE-2022-29279: SD card driver involved in this vulnerability (15th Nov 2022)

Preface: The impact of this flaw (CVE-2022-29279) depends on the hardware vendor (smartphone, workstation) and on which company's SD card architecture design is used.

Background: Insyde Software is a leading worldwide provider of UEFI firmware, systems management (BMC firmware) solutions, and custom engineering services for companies in the mobile, desktop, server, embedded and IoT (Internet of Things) computing industries.
The SD/SDIO/MMC driver currently supports SD memory, SDIO cards, and eMMC chips. This protocol-level driver builds on top of the SDMMC and SD SPI host drivers.
The SDMMC protocol layer handles the specifics of the SD protocol such as card initialization and data transfer commands.
The Linux kernel has an mmc subsystem which provides the host CPU SPI/SDIO implementation, the MMC/SD card physical-layer implementation and a Linux block driver implementation based on gendisk:

  • /drivers/mmc/core – consists of MMC/SD card related CSD, SID and other commands and responses.
  • /drivers/mmc/host – consists of host cpu SPI/ SDIO related implementation.
  • /drivers/mmc/card – consists of Linux block driver for MMC card and integration with Linux Block I/O layer.

In Fedora, type the following command: cd [/]lib[/]modules[/]$(uname -r)[/]kernel[/]drivers[/]. Then “pwd” will show you the correct driver location.

A host communicates with an SD/MMC card using a set of commands, and for each command the host gets a response from the card. These commands and responses have a defined format. Each MMC/SD card command is 48 bits (6 bytes) long.
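As an added example (not Insyde or Linux code), the 48-bit command frame described above, encoded and validated with its CRC7 so that a malformed frame is rejected before its index and argument are used; the test vectors in the comments are the standard CMD0/CMD8/CMD17 SPI-mode values.

```c
#include <stdbool.h>
#include <stdint.h>

/* CRC7 over the first 40 bits of the frame, generator x^7 + x^3 + 1, no
 * initial value and no final XOR; the result occupies bits 7..1 of byte 5. */
uint8_t sd_crc7(const uint8_t *msg, int len)
{
    uint8_t crc = 0;
    for (int i = 0; i < len; i++) {
        uint8_t d = msg[i];
        for (int b = 0; b < 8; b++) {
            crc <<= 1;
            if ((d ^ crc) & 0x80)     /* feedback = incoming bit XOR register MSB */
                crc ^= 0x09;
            d <<= 1;
        }
    }
    return crc & 0x7f;
}

/* Build the 48-bit command frame:
 *   bit 47 start (0), bit 46 transmission (1, host to card), bits 45..40 index,
 *   bits 39..8 argument, bits 7..1 CRC7, bit 0 end (1). */
bool sd_encode_cmd(uint8_t cmd_idx, uint32_t arg, uint8_t out[6])
{
    if (cmd_idx > 63)
        return false;
    out[0] = 0x40 | cmd_idx;
    out[1] = (uint8_t)(arg >> 24); out[2] = (uint8_t)(arg >> 16);
    out[3] = (uint8_t)(arg >> 8);  out[4] = (uint8_t)arg;
    out[5] = (uint8_t)((sd_crc7(out, 5) << 1) | 0x01);
    return true;
}

/* Validate a received frame before trusting its fields: framing bits and CRC
 * must match, otherwise the index and argument are not extracted. */
bool sd_decode_cmd(const uint8_t in[6], uint8_t *cmd_idx, uint32_t *arg)
{
    if ((in[0] & 0xC0) != 0x40 || !(in[5] & 0x01))
        return false;                            /* start/transmission/end bits */
    if ((in[5] >> 1) != sd_crc7(in, 5))
        return false;                            /* CRC7 mismatch */
    *cmd_idx = in[0] & 0x3F;
    *arg = (uint32_t)in[1] << 24 | (uint32_t)in[2] << 16 | (uint32_t)in[3] << 8 | in[4];
    return true;
}

/* Final frame byte (CRC7 << 1 | end bit) for a command, e.g. CMD0 -> 0x95,
 * CMD8 arg 0x1AA -> 0x87, CMD17 -> 0x55; -1 for an invalid command index. */
int sd_frame_tail(uint8_t cmd_idx, uint32_t arg)
{
    uint8_t f[6];
    return sd_encode_cmd(cmd_idx, arg, f) ? f[5] : -1;
}

/* Encode, optionally flip one argument bit, then decode: true only when the
 * frame survives validation and round-trips its fields unchanged. */
bool sd_roundtrip(uint8_t cmd_idx, uint32_t arg, bool corrupt)
{
    uint8_t f[6], idx; uint32_t a;
    if (!sd_encode_cmd(cmd_idx, arg, f))
        return false;
    if (corrupt)
        f[3] ^= 0x10;
    return sd_decode_cmd(f, &idx, &a) && idx == cmd_idx && a == arg;
}
```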

Vulnerability details: Use of an untrusted pointer allows tampering with SMRAM and OS memory in SdHostDriver and SdMmcDevice.

Solution: It was fixed in:

  • Kernel 5.0: version 05.09.17
  • Kernel 5.1: version 05.17.17
  • Kernel 5.2: version 05.27.17
  • Kernel 5.3: version 05.36.17
  • Kernel 5.4: version 05.44.17
  • Kernel 5.5: version 05.52.17

Official announcement: Please refer to the link for details – https://www.insyde.com/security-pledge/SA-2022062

CVE-2022-40735: The design weakness of the Diffie-Hellman key exchange has been around for a while, but it still affects today’s digital world! (14th Nov 2022)

Preface: IKE phase 1 is also affected, in the sense that an attacker can perform a denial of service against it.

Background: Why use Ephemeral Diffie-Hellman? Ephemeral Diffie-Hellman (DHE in the context of TLS) differs from the static Diffie-Hellman (DH) in the way that static Diffie-Hellman key exchanges always use the same Diffie-Hellman private keys. So, each time the same parties do a DH key exchange, they end up with the same shared secret.
Ephemeral Diffie-Hellman doesn’t provide authentication on its own, because the key is different every time. So neither party can be sure that the key is from the intended party.
One reason that communication protocols use ephemeral keys is to help with implementing Perfect Forward Secrecy. They are also used in SSL to go from using RSA to using faster symmetric encryption.
Perfect Forward Secrecy (PFS), also known as Forward Secrecy, is an encryption style known for producing temporary private key exchanges between clients and servers.

Vulnerability details: Using long exponents in the Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations.
An attacker may cause asymmetric resource consumption with any common client application which uses a DHE implementation that applies short exponents. The attack may be more disruptive in cases where a client sends arbitrary numbers that are actually not DH public keys (aka the D(HE)ater attack) or can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE. This can affect TLS, SSH, and IKE.

Workaround: A workaround is to temporarily disable the DHE key exchange and use only ECDHE (Elliptic Curve Diffie-Hellman) in network services that use SSL/TLS/HTTPS.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-40735

CVE-2022-45196 Do not create a chain if it’s already created, said Hyperledger Fabric 2.3 (14th Nov 2022)

Preface: About 4 years ago, it was a hot topic for enterprise companies to develop the Hyperledger system framework for their business operations.
Multiple industries were willing to develop or undergo digital transformation, including huge fund investment companies, insurance companies and banking environments. The blockchain system architecture is the ancestor of Hyperledger. But cryptocurrencies raise concerns about potential economic risks in the countries to which the financial world belongs.
So that drew down the development force behind this technology. If the National Vulnerability Database had not alerted last week that Hyperledger Fabric 2.3 has a bug, I think it would have been lost from my mind.
In fact, the Japanese financial industry was the first to develop and integrate Hyperledger Fabric into its business. In addition, the logistics industry is also involved in this advanced distributed development technology platform, because their business operations are keen to enhance the fault tolerance level and system resilience compared to traditional designs. Perhaps an unintended vulnerability factor gave the technology momentum. It keeps running and doesn’t stop.

Background: What is a Hyperledger channel?
A Hyperledger Fabric channel is a private “subnet” of communication between two or more specific network members, for the purpose of conducting private and confidential transactions.
Chaincode is a Fabric-specific script written to perform operations within the framework. Hyperledger Fabric’s chaincode enables a user with no knowledge of blockchain technology to build and deploy smart contracts and transactions.

Vulnerability details: Hyperledger Fabric 2.3 allows attackers to cause a denial of service (orderer crash) by repeatedly sending a crafted channel tx with the same channel name. NOTE: the official Fabric with Raft prevents exploitation via a locking mechanism and a check for names that already exist. Raft (recommended): new as of v1.4.1, Raft is a crash fault tolerant (CFT) ordering service based on an implementation of the Raft protocol in etcd. Raft is a protocol with which a cluster of nodes can maintain a replicated state machine. The state machine is kept in sync through the use of a replicated log.
Perhaps Raft will resolve this matter. However...
Raft is a well-known and widely used distributed consensus algorithm, but because it was designed for comprehensibility, it is always compromised in terms of performance as a trade-off.
For example: the Raft protocol is implemented on a state machine driven by log replication. In real systems, however, the log cannot be allowed to grow without limit. Over time, continuous log growth costs more log transmission overhead, as well as more recovery time after node downtime.

Suggestion: patch (upgrade to Hyperledger Fabric 2.4) in order to avoid this vulnerability. Hyperledger Fabric 2.4 calculates the package ID of a packaged chaincode.

Official announcement: Please refer to the link for details – https://github.com/hyperledger/fabric/pull/2934

CVE-2022-34666 – Those who use NVIDIA vGPU software and the NVIDIA Cloud Gaming display driver should stay alert. (10th Nov 2022)

Preface: In Kernel mode, the executing code has complete and unrestricted access to the underlying hardware. It can execute any CPU instruction and reference any memory address. Kernel mode is generally reserved for the lowest-level, most trusted functions of the operating system.

Background: NVIDIA vGPU software enables multiple virtual machines (VMs) to have simultaneous, direct access to a single physical GPU, using the same NVIDIA graphics drivers that are deployed on non-virtualized operating systems. By doing this, NVIDIA vGPU provides VMs with unparalleled graphics performance, compute performance, and application compatibility, together with the cost-effectiveness and scalability brought about by sharing a GPU among multiple workloads.

Vulnerability details: NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where a local user with basic capabilities can cause a null-pointer dereference, which may lead to denial of service.
When this vulnerability occurs, it affects the integrity and confidentiality of the system environment (refer to the diagram). The scenario is simplified, following the official vulnerability description. But do not dismiss this matter.

Impacted software products:

  • vGPU software (Virtual GPU Manager): Citrix Hypervisor, VMware vSphere and Red Hat Enterprise Linux KVM
  • vGPU software (guest driver) Linux
  • vGPU software (guest driver) Windows

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5383

About CVE-2022-41113 , Can this story be told? (10th Nov 2022)

Preface: As we know, some tools in the digital world jeopardize the Windows operating system. This week (November 8, 2022), when we shift our focus to the Microsoft security alerts, there is an attack scenario similar to CVE-2022-41113. The vendor will not disclose details for security reasons. But the technical details below will wake you up.

Background: Local Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.
Domain and local usernames and passwords are stored in the memory space of a process named LSASS (Local Security Authority Subsystem Service).

Vulnerability details: Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability. The vendor will not disclose details for security reasons.

Assigner: Microsoft
Published: 2022-11-09
Updated: 2022-11-09

One of the possible paths an attacker would take:
Mimikatz, and how it collects Windows passwords and credentials.
One way to avoid being blocked by antimalware is to use the Invoke-Mimikatz PowerShell module, which enables an attacker running PowerShell, Microsoft’s task automation framework, to load and execute Mimikatz remotely without needing to write the executable to the targeted system’s disk.

Run Mimikatz and use the following commands to extract credentials from your LSASS Dump file:
mimikatz # sekurlsa::minidump lsass[.]DMP
mimikatz # log lsass[.]txt
mimikatz # sekurlsa::logonPasswords

Remedy:

  • On x86-based or x64-based devices, with or without Secure Boot and UEFI
  • Enable LSA protection on a single computer
  • Using Local Group Policy on Windows 11, 22H2 (Configure LSASS to run as a protected process)

Official announcement: Please refer to the link for details – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41113