Category Archives: Potential Risk of CVE

About CVE-2022-42533 (Android) Last Modified on – 11/18/2022

Preface: Different functional logics are encapsulated into different components/subsystems. From the perspective of the system level, gralloc belongs to the lowest HAL layer module and provides services for the upper-level libui and libgui libraries.
The Gralloc4Allocator in the libui library of the Android framework layer is used as a proxy and encapsulates its functions.

Background: Many components are involved in managing, allocating, and using GraphicBuffer in the Android graphics display system:

  • Producers and consumers are generally users of GraphicBuffer, either writing data or reading data;
  • BufferQueue can be regarded as the manager of GraphicBuffer, which handles requests from users in a unified way, so as to manage the allocation, release and transfer of GraphicBuffer in a unified way;
  • Gralloc HAL is the actual cache memory allocation module, which is responsible for allocating graphics buffers that can be shared between processes.

Vulnerability details: In shared_metadata_init of SharedMetadata[.]cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
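The CVE text names the bug class (an integer overflow that turns into an out-of-bounds write in shared_metadata_init) but not its arithmetic. The following is an added example written for this page, not code from the Android or gralloc sources: it emulates 32-bit C arithmetic in Python over a hypothetical header-plus-entries layout (not the real SharedMetadata layout) to show how a size computed from an untrusted count wraps to a small value, and the checked computation that rejects that input before any buffer is laid out.

```python
from typing import Optional

U32_MAX = 0xFFFF_FFFF


def wrapping_u32(value: int) -> int:
    """Emulate an unsigned 32-bit C integer: keep only the low 32 bits."""
    return value & U32_MAX


def naive_region_size(header_size: int, count: int, entry_size: int) -> int:
    """Unchecked layout math as C evaluates it with uint32_t operands.
    Hypothetical layout: a fixed header followed by `count` entries."""
    return wrapping_u32(header_size + wrapping_u32(count * entry_size))


def checked_region_size(header_size: int, count: int, entry_size: int) -> Optional[int]:
    """Same layout math with every step guarded against 32-bit overflow.
    Returns None when the untrusted `count` would make the size wrap."""
    if entry_size == 0 or count > U32_MAX // entry_size:
        return None                      # count * entry_size would overflow
    body = count * entry_size
    if body > U32_MAX - header_size:
        return None                      # header_size + body would overflow
    return header_size + body


def init_metadata(buffer_len: int, header_size: int, count: int, entry_size: int) -> str:
    """Decide whether a region of the requested shape fits a buffer of
    `buffer_len` bytes. With the naive math a wrapped size can look small
    enough to fit while the entries it implies extend far past the buffer,
    which is exactly the shape of an out-of-bounds write."""
    size = checked_region_size(header_size, count, entry_size)
    if size is None:
        return "rejected: size overflow"
    if size > buffer_len:
        return "rejected: does not fit"
    return "ok"


if __name__ == "__main__":
    # Constructed input: 0x10000000 entries of 16 bytes wrap to 0 in uint32.
    print(naive_region_size(64, 0x1000_0000, 16))        # 64: looks tiny
    print(init_metadata(4096, 64, 0x1000_0000, 16))      # rejected: size overflow
    print(init_metadata(4096, 64, 100, 16))              # ok
```

The point of keeping the two functions side by side is the value 64: the naive size passes any "does it fit" test, so the overflow has to be caught on the multiplication itself, not on the result.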

To read more about std::string_view, please refer to the link for details – https://en.cppreference.com/w/cpp/string/basic_string_view

Official announcement: Please refer to the link for details – https://source.android.com/docs/security/bulletin/pixel/2022-11-01

CVE-2022-43171 – A malformed Mach-O file can cause LIEF to encounter a heap-buffer-overflow (read).

Preface: Most memory corruption is actually heap corruption. To find where a memory address is modified:

  1. Set a data breakpoint at 0x00408000.
  2. When you hit the breakpoint, use the memory window to view the memory contents starting at 0x00408000.

STR instructions store a register value into memory. The memory address to load from or store to is at an offset from the register Rn. The offset is specified by the register Rm and can be shifted left by up to 3 bits using LSL. The value to load or store can be a byte, halfword, or word.

std::unique_ptr is a smart pointer that owns and manages another object through a pointer and disposes of that object when the unique_ptr goes out of scope.

Background: Mach-O, short for Mach object file format, is a file format for executables, object code, shared libraries, dynamically-loaded code, and core dumps. An executable format determines the order in which the code and data in a binary file are read into memory.
Mach-O is used by some systems based on the Mach kernel. NeXTSTEP, macOS, and iOS are examples of systems that use this format for native executables, libraries and object code.
With the introduction of the Mac OS X 10.6 platform, the Mach-O file format underwent a significant modification that causes binaries compiled on a computer running 10.6 or later to be (by default) executable only on computers running Mac OS X 10.6 or later.

Vulnerability details: A heap buffer overflow in the LIEF::MachO::BinaryParser::parse_dyldinfo_generic_bind function of LIEF v0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted MachO file.
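What parse_dyldinfo_generic_bind does internally is not on this page, so the added example below is an illustration written for this page, not LIEF code. It shows the defensive pattern for this bug class on the format in question: a minimal 64-bit Mach-O header and load-command table are parsed with every count, offset and size taken from the file treated as untrusted and bounded against the buffer before it is read. The sample files are constructed inline (the LC_UUID command with cmdsize 24 is the only real Mach-O structure used).

```python
import struct
from typing import List, Tuple

MH_MAGIC_64 = 0xFEEDFACF
# mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
HEADER_FMT = "<IiiIIIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)     # 32 bytes
LC_FMT = "<II"                               # load_command: cmd, cmdsize
LC_UUID = 0x1B


class MalformedMachO(ValueError):
    """Raised instead of reading past the end of the input buffer."""


def parse_load_commands(data: bytes) -> List[Tuple[int, int]]:
    """Return (cmd, cmdsize) pairs, refusing any that would overrun `data`."""
    if len(data) < HEADER_LEN:
        raise MalformedMachO("file shorter than mach_header_64")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MH_MAGIC_64:
        raise MalformedMachO("not a little-endian 64-bit Mach-O")
    # sizeofcmds comes from the file: bound it by what the buffer actually holds.
    if sizeofcmds > len(data) - HEADER_LEN:
        raise MalformedMachO("sizeofcmds exceeds file size")
    end = HEADER_LEN + sizeofcmds
    off = HEADER_LEN
    cmds: List[Tuple[int, int]] = []
    for _ in range(ncmds):
        if off + 8 > end:                     # room for cmd + cmdsize?
            raise MalformedMachO("ncmds claims more commands than sizeofcmds holds")
        cmd, cmdsize = struct.unpack_from(LC_FMT, data, off)
        if cmdsize < 8:                       # a command cannot be smaller than its own header
            raise MalformedMachO("cmdsize smaller than load_command")
        if off + cmdsize > end:               # the check that stops a heap over-read
            raise MalformedMachO("cmdsize runs past the load-command table")
        cmds.append((cmd, cmdsize))
        off += cmdsize
    return cmds


def is_well_formed(data: bytes) -> bool:
    try:
        parse_load_commands(data)
        return True
    except MalformedMachO:
        return False


def build_macho(ncmds: int, sizeofcmds: int, commands: bytes) -> bytes:
    """Constructed test file: arm64 (0x0100000C) MH_EXECUTE (2) header + commands."""
    hdr = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 2, ncmds, sizeofcmds, 0, 0)
    return hdr + commands


UUID_CMD = struct.pack(LC_FMT, LC_UUID, 24) + b"\x11" * 16   # 24-byte uuid_command
GOOD = build_macho(1, 24, UUID_CMD)
BAD_CMDSIZE = build_macho(1, 24, struct.pack(LC_FMT, LC_UUID, 0x1000) + b"\x11" * 16)
BAD_NCMDS = build_macho(4, 24, UUID_CMD)          # table holds one command, header claims four
BAD_SIZEOFCMDS = build_macho(1, 0xFFFFFFF0, UUID_CMD)
TRUNCATED = GOOD[:20]

if __name__ == "__main__":
    print(parse_load_commands(GOOD))            # [(27, 24)]
    for name, blob in [("cmdsize", BAD_CMDSIZE), ("ncmds", BAD_NCMDS),
                       ("sizeofcmds", BAD_SIZEOFCMDS), ("truncated", TRUNCATED)]:
        print(name, "well-formed:", is_well_formed(blob))
```

Each rejected sample corresponds to one field a crafted file controls; a parser that trusts any one of them reads beyond the buffer it was handed, which is the heap-buffer-overflow (read) the advisory describes.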

Official announcement: Please refer to the link for details – https://github.com/lief-project/LIEF/issues/782

CVE-2022-29279: SD card driver involved in this vulnerability (15th Nov 2022)

Preface: The impact of this flaw (CVE-2022-29279) depends on the hardware vendor (smartphone, workstation and so on) and on whose SD card architecture design is used.

Background: Insyde Software is a leading worldwide provider of UEFI firmware, systems management (BMC firmware) solutions, and custom engineering services for companies in the mobile, desktop, server, embedded and IoT (Internet of Things) computing industries.
The SD/SDIO/MMC driver currently supports SD memory cards, SDIO cards, and eMMC chips. This protocol-level driver builds on top of the SDMMC and SD SPI host drivers.
The SDMMC protocol layer handles the specifics of the SD protocol, such as card initialization and data transfer commands.
The Linux kernel has an mmc subsystem which provides the host CPU SPI/SDIO implementation, the MMC/SD card physical-layer implementation, and a Linux block driver implementation based on gendisk.

  • /drivers/mmc/core – consists of MMC/SD card related CSD, SID and other commands and responses.
  • /drivers/mmc/host – consists of host cpu SPI/ SDIO related implementation.
  • /drivers/mmc/card – consists of Linux block driver for MMC card and integration with Linux Block I/O layer.

In Fedora, run the following command: cd /lib/modules/$(uname -r)/kernel/drivers/
Then “pwd” will show you the driver location.

A host communicates with an SD/MMC card using a set of commands, and for each command the host gets a response from the card. These commands and responses have a defined format. Each MMC/SD card command is 48 bits (6 bytes).

Vulnerability details: Use of an untrusted pointer allows tampering with SMRAM and OS memory in SdHostDriver and SdMmcDevice.
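The advisory's phrase "use of an untrusted pointer" describes an SMI handler that dereferences a pointer supplied from outside SMM without checking where it points. The added example below is not Insyde's code; it is an illustration written for this page of the check such a handler needs before it reads or writes through a caller-supplied address: the range must be sane and must not intersect SMRAM. The SMRAM base, size and address limit are constructed values, not a real platform's.

```python
# Constructed values for the example, not a real platform's memory map.
SMRAM_BASE = 0x7F00_0000
SMRAM_SIZE = 0x0080_0000            # 8 MiB of SMRAM
ADDRESS_LIMIT = 1 << 48             # top of the physical address space we model


def is_buffer_outside_smram(addr: int, length: int,
                            smram_base: int = SMRAM_BASE,
                            smram_size: int = SMRAM_SIZE) -> bool:
    """True only if [addr, addr + length) is a well-formed range that does not
    touch SMRAM. Both values came from the non-SMM caller and are untrusted."""
    if length <= 0 or addr < 0:
        return False
    # Python ints do not wrap, so "addr + length > limit" catches both a range that
    # runs off the address space and the case C code must guard as pointer wrap.
    if addr + length > ADDRESS_LIMIT:
        return False
    smram_end = smram_base + smram_size
    overlaps = addr < smram_end and smram_base < addr + length
    return not overlaps


def smi_write_to_caller_buffer(addr: int, length: int, payload: bytes) -> str:
    """Model of the handler's decision: validate first, touch memory second.
    A real handler would also reject ranges over other reserved regions."""
    if len(payload) != length:
        return "denied: length mismatch"
    if not is_buffer_outside_smram(addr, length):
        return "denied: buffer overlaps SMRAM or is malformed"
    return "ok"                     # only now would the copy into OS memory happen


if __name__ == "__main__":
    print(smi_write_to_caller_buffer(0x1000, 4, b"abcd"))                  # ok
    print(smi_write_to_caller_buffer(SMRAM_BASE + 0x10, 4, b"abcd"))       # denied
    print(smi_write_to_caller_buffer(SMRAM_BASE - 2, 4, b"abcd"))          # denied (straddles)
    print(smi_write_to_caller_buffer(ADDRESS_LIMIT - 2, 4, b"abcd"))       # denied (wraps)
```

Note the straddling case: a check that tests only the start address passes a buffer that begins just below SMRAM and ends inside it, so the end of the range has to be tested as well.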

Solution: It was fixed in:

  • Kernel 5.0: version 05.09.17
  • Kernel 5.1: version 05.17.17
  • Kernel 5.2: version 05.27.17
  • Kernel 5.3: version 05.36.17
  • Kernel 5.4: version 05.44.17
  • Kernel 5.5: version 05.52.17

Official announcement: Please refer to the link for details – https://www.insyde.com/security-pledge/SA-2022062

CVE-2022-40735: The design weakness of the Diffie-Hellman key exchange has been around for a while, but it still affects today’s digital world! (14th Nov 2022)

Preface: IKE phase 1 is affected in the sense that an attacker can perform a denial of service.

Background: Why use Ephemeral Diffie-Hellman? Ephemeral Diffie-Hellman (DHE in the context of TLS) differs from static Diffie-Hellman (DH) in that static Diffie-Hellman key exchanges always use the same Diffie-Hellman private keys. So, each time the same parties do a DH key exchange, they end up with the same shared secret.
Ephemeral Diffie-Hellman doesn’t provide authentication on its own, because the key is different every time. So neither party can be sure that the key is from the intended party.
One reason that communication protocols use ephemeral keys is to help with implementing Perfect Forward Secrecy. They’re also used in SSL to go from using RSA to using a faster symmetric encryption.
Perfect Forward Secrecy (PFS), also known as Forward Secrecy, is an encryption style known for producing temporary private key exchanges between clients and servers.

Vulnerability details: Using long exponents in the Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations.
An attacker may cause asymmetric resource consumption with any common client application which uses a DHE implementation that applies short exponents. The attack may be more disruptive in cases where a client sends arbitrary numbers that are actually not DH public keys (aka the D(HE)ater attack) or can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE. This can affect TLS, SSH, and IKE.

Workaround: A workaround is to temporarily disable DHE key exchange and use only ECDHE (Elliptic Curve Diffie-Hellman) in network services using SSL / TLS / HTTPS.
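The workaround above, applied to a Python TLS server, as an added example written for this page (not code from any of the affected products): the context is restricted to ECDHE suites for TLS 1.2 (TLS 1.3 suites, which never use finite-field DHE, remain), and a second function audits a context's enabled suites so the restriction can be verified rather than assumed. The cipher-string and the `kea` field of `SSLContext.get_ciphers()` are standard Python `ssl` behaviour; the function names are mine.

```python
import ssl
from typing import List


def ecdhe_only_context() -> ssl.SSLContext:
    """Server context that offers no finite-field DHE key exchange, so a client
    cannot steer the server into the expensive DHE modular exponentiation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suite list: ECDHE only. '!DHE' states the exclusion explicitly
    # so a later edit that adds a DHE group cannot silently re-enable it.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!DHE:!aNULL:!MD5")
    return ctx


def dhe_suites(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled TLS 1.2 suites whose key exchange is finite-field DHE.
    `kea` is 'kx-dhe' for those suites; the name test is a belt-and-braces check."""
    found = []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if suite.get("kea") == "kx-dhe" or name.startswith("DHE-") or "-DHE-" in name:
            found.append(name)
    return found


def permissive_context() -> ssl.SSLContext:
    """The weak setting for contrast: DHE suites deliberately left enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL")
    return ctx


if __name__ == "__main__":
    print("hardened DHE suites:", dhe_suites(ecdhe_only_context()))     # []
    print("permissive DHE suites:", dhe_suites(permissive_context()))   # e.g. DHE-RSA-AES256-GCM-SHA384 ...
```

The audit function is the useful half: run it against the context a service actually constructs, since a server that still lists any DHE suite can be steered to DHE by a client that claims to support nothing else, which is the basic scenario described above.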

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-40735

CVE-2022-45196 Do not create a chain if it’s already created, said Hyperledger Fabric 2.3 (14th Nov 2022)

Preface: About 4 years ago, it was a hot topic for enterprise companies to develop on the Hyperledger system framework for their business operations.
Multiple industries were willing to develop or undergo digital transformation, including huge fund investment companies, insurance companies and banking environments. The blockchain system architecture is the ancestor of Hyperledger. But cryptocurrencies raise concerns about potential economic risks in the countries to which the financial world belongs.
So it drew down the development force behind this technology. If the National Vulnerability Database had not alerted last week that Hyperledger Fabric 2.3 has a bug, I think it would have been lost from my mind.
In fact, the Japanese financial industry was the first to develop and integrate Hyperledger Fabric into their business. In addition, the logistics industry is also involved in this advanced distributed development technology platform, because their business operations are keen to enhance the fault tolerance level and system resilience compared to traditional designs. Perhaps an unintended vulnerability factor gave the technology momentum. It keeps running and doesn’t stop.

Background: What is a Hyperledger channel?
A Hyperledger Fabric channel is a private “subnet” of communication between two or more specific network members, for the purpose of conducting private and confidential transactions.
Chaincode is a fabric-specific script written to perform operations within the framework. Hyperledger Fabric’s chaincode enables a user with no knowledge of blockchain technology to build and deploy smart contracts and transactions.

Vulnerability details: Hyperledger Fabric 2.3 allows attackers to cause a denial of service (orderer crash) by repeatedly sending a crafted channel tx with the same Channel name. NOTE: the official Fabric with Raft prevents exploitation via a locking mechanism and a check for names that already exist.

Raft (recommended): New as of v1.4.1, Raft is a crash fault tolerant (CFT) ordering service based on an implementation of the Raft protocol in etcd. Raft is a protocol with which a cluster of nodes can maintain a replicated state machine. The state machine is kept in sync through the use of a replicated log.
Perhaps Raft will resolve this matter. However…
Raft is a well-known and widely used distributed consensus algorithm, but because it was designed with comprehensibility as a primary goal, it trades off some performance.
For example: the Raft protocol is implemented on a state machine driven by log replication. However, in real systems the log cannot be allowed to grow without limit. Over time, continuous log growth adds log transmission overhead and increases recovery time after node downtime.

Suggestion: Patch (upgrade to Hyperledger Fabric 2.4). To avoid this vulnerability, Hyperledger Fabric 2.4 calculates the package ID of a packaged chaincode.
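The title's rule, "do not create a chain if it's already created", and the NOTE's "locking mechanism and a check for names that already exist" describe one property: the existence check and the creation must be a single atomic step, and a duplicate must be an ordinary rejection rather than a fatal error. The added example below is a constructed stand-in written for this page, not Fabric's own orderer code; it races several threads submitting a channel tx with the same name and counts how many succeed.

```python
import threading
from typing import Dict, List


class ChainAlreadyExists(Exception):
    """Raised when a channel tx names a chain the orderer already hosts."""


class ChannelRegistrar:
    """Constructed stand-in for an orderer's channel bookkeeping (not Fabric code).
    The existence check and the insert run under one lock, so two channel
    transactions racing on the same name cannot both create the chain."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._chains: Dict[str, int] = {}      # name -> ledger height (0 = genesis only)

    def create_chain(self, name: str) -> None:
        if not name:
            raise ValueError("empty channel name")
        with self._lock:                       # check-then-insert is one atomic step
            if name in self._chains:
                raise ChainAlreadyExists(name)
            self._chains[name] = 0

    def handle_channel_tx(self, name: str) -> str:
        """Process one channel-creation tx; a duplicate is rejected, not fatal."""
        try:
            self.create_chain(name)
            return "created"
        except ChainAlreadyExists:
            return "rejected: exists"          # the orderer keeps serving instead of crashing

    def chain_names(self) -> List[str]:
        with self._lock:
            return sorted(self._chains)


def race_same_name(name: str = "mychannel", n_threads: int = 16) -> Dict[str, int]:
    """Submit n_threads channel txs with one name simultaneously; count outcomes."""
    reg = ChannelRegistrar()
    outcomes: List[str] = []
    record = threading.Lock()
    gate = threading.Barrier(n_threads)        # release every worker at the same moment

    def worker() -> None:
        gate.wait()
        result = reg.handle_channel_tx(name)
        with record:
            outcomes.append(result)

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {
        "created": outcomes.count("created"),
        "rejected": outcomes.count("rejected: exists"),
        "chains": len(reg.chain_names()),
    }


if __name__ == "__main__":
    print(race_same_name())     # {'created': 1, 'rejected': 15, 'chains': 1}
```

Remove the `with self._lock` and the check and insert can interleave, so the count of created chains for one name stops being exactly one; keep the lock but let the duplicate propagate as an unhandled error and the orderer dies on a repeated tx, which is the denial of service the advisory describes.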

Official announcement: Please refer to the link for details – https://github.com/hyperledger/fabric/pull/2934

CVE-2022-34666 – Users of NVIDIA vGPU software and the NVIDIA Cloud Gaming display driver should stay alert. (10th Nov 2022)

Preface: In Kernel mode, the executing code has complete and unrestricted access to the underlying hardware. It can execute any CPU instruction and reference any memory address. Kernel mode is generally reserved for the lowest-level, most trusted functions of the operating system.

Background: NVIDIA vGPU software enables multiple virtual machines (VMs) to have simultaneous, direct access to a single physical GPU, using the same NVIDIA graphics drivers that are deployed on non-virtualized operating systems.
By doing this, NVIDIA vGPU provides VMs with unparalleled graphics performance, compute performance, and application compatibility, together with the cost-effectiveness and scalability brought about by sharing a GPU among multiple workloads.

Vulnerability details: NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where a local user with basic capabilities can cause a null-pointer dereference, which may lead to denial of service.
When this vulnerability occurs, it will affect the integrity and confidentiality of the system environment (refer to this diagram). The scenario is simplified because the official vulnerability description is brief. But do not take this matter lightly.

Impacted software products:

  • vGPU software (Virtual GPU Manager): Citrix Hypervisor, VMware vSphere and Red Hat Enterprise Linux KVM
  • vGPU software (guest driver): Linux
  • vGPU software (guest driver): Windows

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5383

About CVE-2022-41113, Can this story be told? (10th Nov 2022)

Preface: As we know, some tools in the digital world will jeopardize the Windows operating system. This week (November 8, 2022), when we shift our focus to Microsoft Security Alerts, there is an attack scenario similar to CVE-2022-41113. The vendor will not disclose details for security reasons. But the technical details below will wake you up.

Background: Local Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.
Domain and local usernames and passwords are stored in the memory space of a process named LSASS (Local Security Authority Subsystem Service).

Vulnerability details:

Assigner: Microsoft
Published: 2022-11-09
Updated: 2022-11-09
Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability.

One of the possible paths an attacker would take:
Mimikatz, and how it collects Windows passwords and credentials
One way to avoid being blocked by antimalware is to use the Invoke-Mimikatz PowerShell module, which enables an attacker running PowerShell, Microsoft’s task automation framework, to load and execute Mimikatz remotely without needing to write the executable to the targeted system’s disk.

Run Mimikatz and use the following commands to extract credentials from your LSASS Dump file:
mimikatz # sekurlsa::minidump lsass[.]DMP
mimikatz # log lsass[.]txt
mimikatz # sekurlsa::logonPasswords

Remedy:

  • On x86-based or x64-based devices, whether or not they use Secure Boot and UEFI
  • Enable LSA protection on a single computer
  • Use Local Group Policy on Windows 11 22H2 (Configure LSASS to run as a protected process)

Official announcement: Please refer to the link for details – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41113

CVE-2022-27510 and CVE-2022-27513: Certain versions of Citrix Gateway and Citrix ADC are vulnerable (8th Nov 2022)

Preface: HTTP request smuggling exploits inconsistencies in how two HTTP devices (a back-end server and a front-end proxy) parse non-RFC-compliant HTTP requests. When an attacker successfully injects a malicious HTTP request into the web server, bypassing internal security controls, this can allow the attacker to:

  • Gain access to protected resources, such as admin consoles
  • Gain access to sensitive data
  • Hijack sessions of web users
  • Launch cross-site scripting (XSS) attacks without requiring any action from the user
  • Perform credential hijacking

Background: RDP Proxy provides RDP features. Users can access remote desktops through the Citrix Gateway appliance. The design consists of the following:

  1. Deployment through clientless VPN: In this mode the RDP links are published on the Gateway home page or portal, as bookmarks, through the add vpn url configuration or through an external portal. The user can click these links to get access to the Remote Desktop.
  2. Deployment through ICA Proxy: In this mode a custom home page is configured on the Gateway VIP by using the wihome parameter. This home page can be customized with the list of Remote Desktop resources that the user is allowed to access. This custom page can be hosted on Citrix ADC, or if external, it can be an iFrame in the existing Gateway portal page.

Affected customers of Citrix ADC and Citrix Gateway are recommended to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible. The design weakness impacts the following product versions:

  • Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
  • Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
  • Citrix ADC and Citrix Gateway 12.1 before 12.1.65.21
  • Citrix ADC 12.1-FIPS before 12.1-55.289
  • Citrix ADC 12.1-NDcPP before 12.1-55.289

Reference: The following are possible ways to mitigate an HTTP request smuggling vulnerability:

  • Ensuring that front-end and back-end servers only communicate using the HTTP/2 protocol can prevent most variants of this attack.
  • Interpret HTTP headers consistently on front-end and back-end servers.
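The preface explains that smuggling lives in the disagreement between two parsers, and the second mitigation is to interpret headers consistently. The simplest way to guarantee consistency is for the front end to reject any request whose framing is ambiguous, so that no two interpretations exist to disagree about. The following is an added example written for this page (not Citrix code) of that front-end check: it parses the header block of a raw request and reports the framing ambiguities a proxy should refuse to forward. The sample requests are constructed.

```python
from typing import List, Tuple

OWS = b" \t"   # RFC 7230 optional whitespace; nothing else may pad a header value


def split_head(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    """Return the request line and the raw (unstripped) name/value header pairs."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name, value))
    return lines[0], headers


def framing_findings(raw: bytes) -> List[str]:
    """List every reason two HTTP parsers might disagree on this request's length."""
    _request_line, headers = split_head(raw)
    findings: List[str] = []
    content_lengths: List[bytes] = []
    transfer_encodings: List[bytes] = []
    for raw_name, raw_value in headers:
        if raw_name != raw_name.rstrip():
            # "Transfer-Encoding : chunked" is the classic way to hide a header from one parser
            findings.append("whitespace before colon in %r" % raw_name.decode("latin-1"))
        name = raw_name.strip().lower()
        # Strip only OWS: a value padded with \x0b or \x0c must stay visibly odd.
        value = raw_value.strip(OWS)
        if name == b"content-length":
            content_lengths.append(value)
        elif name == b"transfer-encoding":
            transfer_encodings.append(value)
    if content_lengths and transfer_encodings:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(content_lengths) > 1:
        findings.append("multiple Content-Length headers")
    for v in content_lengths:
        if not v.isdigit():
            findings.append("non-numeric Content-Length %r" % v.decode("latin-1"))
    for v in transfer_encodings:
        if v.lower() != b"chunked":
            findings.append("non-canonical Transfer-Encoding %r" % v.decode("latin-1"))
    return findings


def front_end_accepts(raw: bytes) -> bool:
    """Policy: forward only requests with exactly one unambiguous framing."""
    return not framing_findings(raw)


# Constructed sample requests (not captured traffic).
CLEAN = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 11\r\n\r\nuser=sample")
AMBIGUOUS = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
OBFUSCATED = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
              b"Transfer-Encoding: chunked\x0b\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("ambiguous", AMBIGUOUS), ("obfuscated", OBFUSCATED)]:
        print(label, framing_findings(req))
```

The check is deliberately stricter than what a lenient server accepts: that is the point, because every lenient reading the front end tolerates is a reading the back end may take differently.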

Official announcement: Please refer to the link for details – https://support.citrix.com/article/CTX463706/citrix-gateway-and-citrix-adc-security-bulletin-for-cve202227510-cve202227513-and-cve202227516

CVE-2022-44797 – Design limitation on Lightning Labs daemon (8th Nov 2022)

Preface: Total lunar eclipse and lunar occultation of Uranus on the evening of November 8 2022.

About: A larger block size requires more transmission time than a smaller one. A smaller block is more efficient to transmit, but making blocks too small requires more block-composition time to clear all the transactions. The two performance factors pull in opposite directions.

Background: The Lightning Network Daemon (lnd) is a complete implementation of a Lightning Network node. lnd has several pluggable back-end chain services including btcd (a full node), bitcoind, and neutrino (a new experimental light client).
The Lightning Network is a second layer added to Bitcoin’s blockchain that allows off-chain transactions, i.e. transactions between parties not on the blockchain network.

Vulnerability details: btcd before 0.23.2, as used in Lightning Labs lnd before 0.15.2-beta and other Bitcoin-related products, mishandles witness size checking.

Ref: “maxWitnessItemSize” is the maximum allowed size for an item within an input’s witness data. This number is derived from the fact that for script validation, each pushed item onto the stack must be less than 10k bytes.

Remedy: The issue here is that the old checks for the maximum witness size, circa segwit v0, were placed in the wire package as well as the tx engine. This check should only be in the engine, since it’s properly gated by other related script validation flags.

The fix itself is simple: limit witnesses only based on the maximum block size in bytes, or ~4MB.

Official announcement: Please refer to the link for details – https://github.com/lightningnetwork/lnd/releases/tag/v0.15.2-beta

CVE-2022-43945 Buffer overflow on NFSD (7th Nov 2022)

Preface: Is cloud computing in demand in 2022? The latest forecast predicts that spending on public cloud services will jump from $257.5 billion in 2020 to $304.9 billion in 2022, as cloud services play a central role in helping businesses recover from the onslaughts of the pandemic.
The current version of NFS, also called NFS v4, was specified in RFC 3530, published in 2003. Since then, compared to early NFS v4, NFS v4 has improved a lot in terms of optional features, such as protection, caching, locking, and message communication performance. While NFS has PC capabilities, it has often been treated as a file-oriented protocol rather than as the PC environment for UNIX and Linux operating systems. Microsoft Azure, a popular public cloud service, offers Azure Files, a cloud-based distributed file system which has supported NFS 4.1 since September 2020, in the Azure Files premium tier only.

Background: NFS is an RPC-based protocol, with a client-server relationship between the machine having the filesystem to be distributed and the machine wanting access to that filesystem. Each version of the NFS RPC protocol contains several procedures. The basic procedures performed on an NFS server can be grouped into directory operations, file operations, link operations, and filesystem operations. The nfsd daemon runs on a server and handles client requests for file system operations. Each daemon handles one request at a time. Assign the maximum number of threads based on the load you expect the server to handle.

  • NFS version 3 (NFSv3) supports safe asynchronous writes and is more robust at error handling than the previous NFSv2; it also supports 64-bit file sizes and offsets, allowing clients to access more than 2 GB of file data.
  • NFS version 4 (NFSv4) works through firewalls and on the Internet, no longer requires an rpcbind service, supports Access Control Lists (ACLs), and utilizes stateful operations.

Vulnerability details:
CVE-2022-43945 – The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2 is vulnerable to buffer overflow. NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data added at the end of the message. The RPC message with garbage data is still correctly formed according to the specification and is passed forward to handlers. Vulnerable code in NFSD is not expecting the oversized request and writes beyond the allocated buffer space.
Cause: One notable set of fixes addresses a subtle buffer overflow issue that occurs if a small RPC Call message arrives in an oversized RPC record. This is only possible on a framed RPC transport such as TCP. Because NFSD shares the receive and send buffers in one set of pages, an oversized RPC record steals pages from the send buffer that will be used to construct the RPC Reply message. NFSD must not assume that a full-sized buffer is always available to it; otherwise, it will walk off the end of the send buffer while constructing its reply.
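The "Vulnerability details" and "Cause" paragraphs describe one mechanism: over TCP, an RPC record can be much larger than the Call message inside it, the oversized record consumes pages from the shared receive/send array, and a reply builder that assumes a full-sized send buffer walks off its end. The added example below is a model written for this page, not kernel code: it frames a small constructed NFS Call in an oversized TCP record, accounts for the pages the record consumes, and contrasts a reply builder that assumes the full budget with one that checks what is actually left. Page size and page count are constructed; the RPC record-marking format (4-byte header, high bit = last fragment) is the standard one.

```python
import struct

PAGE_SIZE = 4096
THREAD_PAGES = 16                # constructed: pages one NFSD thread owns for receive + send
RPC_LAST_FRAGMENT = 0x8000_0000  # record-marking header: last-fragment bit over a 31-bit length


def record_mark(length: int, last: bool = True) -> bytes:
    return struct.pack(">I", (RPC_LAST_FRAGMENT if last else 0) | length)


def parse_record(stream: bytes) -> bytes:
    """Return the record body a framed transport delivers to the RPC layer."""
    (mark,) = struct.unpack(">I", stream[:4])
    length = mark & 0x7FFF_FFFF
    body = stream[4:4 + length]
    if len(body) != length:
        raise ValueError("short record")
    return body


def pages_needed(nbytes: int) -> int:
    return -(-nbytes // PAGE_SIZE)           # ceiling division


class ThreadPages:
    """Model of one thread's page array shared between receive and send sides."""

    def __init__(self, total_pages: int = THREAD_PAGES) -> None:
        self.total = total_pages
        self.send_pages = total_pages

    def receive(self, record: bytes) -> int:
        """Hold the whole record; whatever it consumes is gone from the send side."""
        used = pages_needed(len(record))
        if used > self.total:
            raise ValueError("record larger than the thread's page array")
        self.send_pages = self.total - used
        return self.send_pages

    def build_reply_naive(self, reply_len: int) -> str:
        """Assumes the send buffer is always full-sized: the vulnerable assumption."""
        return "ok" if pages_needed(reply_len) <= self.total else "rejected"

    def build_reply_checked(self, reply_len: int) -> str:
        """Sizes the reply against the pages actually left after receive."""
        if pages_needed(reply_len) > self.send_pages:
            return "rejected: reply exceeds remaining send buffer"
        return "ok"


def constructed_call(trailing_garbage: int) -> bytes:
    """A 24-byte RPC Call header (xid, CALL, rpcvers 2, prog 100003 = NFS, vers 3,
    proc 1) followed by `trailing_garbage` bytes, all inside one TCP record."""
    call = struct.pack(">IIIIII", 0x1234, 0, 2, 100003, 3, 1)
    return record_mark(len(call) + trailing_garbage) + call + b"\x00" * trailing_garbage


def reply_outcome(trailing_garbage: int, reply_len: int) -> dict:
    """Run one Call through the model and report both builders' decisions."""
    pages = ThreadPages()
    remaining = pages.receive(parse_record(constructed_call(trailing_garbage)))
    return {
        "send_pages_left": remaining,
        "naive": pages.build_reply_naive(reply_len),
        "checked": pages.build_reply_checked(reply_len),
    }


if __name__ == "__main__":
    print(reply_outcome(0, 8192))        # normal call: 15 pages left, both builders ok
    print(reply_outcome(60000, 8192))    # oversized record: 1 page left, naive says ok anyway
```

The naive builder's "ok" on the second line is the overflow: it would construct a two-page reply into a one-page remainder. The fix the kernel shipped corresponds to the checked builder, which never assumes a full-sized send buffer.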

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-43945