Category Archives: Potential Risk of CVE

CVE-2024-21464 – msm: ipa3: adding a preventive check for holb stats (8th JAN 2025)

Preface: Vulnerability findings appear to have changed compared to five years ago. As a matter of fact, the trend of open source concept driven the a lot of details visible,   a bunch of vulnerabilities have accumulated in 2024, and the Android security advisory on January 2025 shows you what’s the actual status.

Manufacturers will have an easier time managing vulnerabilities because the patches released today were discovered by them months or a year ago.

Background: IPA Capabilities

● Presented by its driver as a network device

● Performs checksum offload, packet aggregation

○ Reduces processing and interrupt load on the main CPU

● Also implements integrated IPA filtering, routing, and NAT

○ These features are not supported by the upstream driver (yet!)

● Capable of operation independent while AP is asleep

○ Tethered operation (WiFi hotspot)

○ Requires much less power than operating AP

○ This mode is not supported upstream either

Vulnerability details: Memory corruption while processing IPA statistics, when there are no active clients registered.

[CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)]

In a classic buffer overflow exploit, the attacker sends data to a program, which it stores in an undersized stack buffer. The result is that information on the call stack is overwritten, including the function’s return pointer

Official announcement: Please refer to the link below for details –

https://source.android.com/docs/security/bulletin/2025-01-01

An Android security bulletin was published on January 6, 2025, which disclosed multiple vulnerabilities but did not provide details (7th Jan 2025)

Preface: Vulnerability findings appear to have changed compared to five years ago. As a matter of fact, the trend of open source concept driven the a lot of details visible,   a bunch of vulnerabilities have accumulated in 2024, and the Android security advisory on January 2025 shows you what’s the actual status.

Manufacturers will have an easier time managing vulnerabilities because the patches released today were discovered by them months or a year ago.

Background: CUPS provides the “cups” library to talk to the different parts of CUPS and with Internet Printing Protocol (IPP) printers. The “cups” library functions are accessed by including the <cups/cups.h> header. CUPS is based on the Internet Printing Protocol (“IPP”), which allows clients (applications) to communicate with a server (the scheduler, printers, etc.) to get a list of destinations, send print jobs, and so forth. You identify which server you want to communicate with using a pointer to the opaque structure http_t. The CUPS_HTTP_DEFAULT constant can be used when you want to talk to the CUPS scheduler.

Vulnerability details: Five critical Android fixes (CVE-2024-43096, CVE-2024-43770, CVE-2024-43771, CVE-2024-49747, CVE-2024-49748) were released in the January 2025 Security Advisory Bulletin. We are aware that the above vulnerability advisory was released on December 3, 2024. But why not provide details?

Perhaps it related to CUPS. When android install this opensource system, Android itself cannot protect itself.So, it bring out the vulnerabilities.

I speculated the vulnerability exchange CVE reference numbers on CUPS to Android is shown as below:

Android CVE-2024-43096 – CVE-2024-47076 (CUPS)

Android CVE-2024-49747 – CVE-2024-47175 (CUPS)

Android CVE-2024-49748 – CVE-2024-47176

Android CVE-2024-43770 – CVE-2024-47176 (CUPS): When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.

Android CVE-2024-43771 – CVE-2024-47177 (CUPS)

Official announcement: Please refer to the link below for details –

https://source.android.com/docs/security/bulletin/2025-01-01

CVE-2025-0222 A vulnerability was found in IObit Protected Folder up to 13.6.0.5. (6th Jan 2025)

Preface: Dereferencing just means accessing the memory value at a given address. So when you have a pointer to something, to dereference the pointer means to read or write the data that the pointer points to.

Background: IObit Uninstaller is one of the free software uninstallers for Windows thanks to a batch uninstall feature, an installation monitor, support for most Windows versions, and a quick install itself. Every piece of an application is searched for and removed completely, leaving no useless, junk files behind.

IObit Protected Folder is designed to password-protect your folders and files from being seen, read or modified in Windows OS platform. It works like a safety box, just drag and drop the folders or files you want to hide or protect into Protected Folder, then no one can see, read or modify them.

IObit have 20 free trials of Protected Folder. When the trials end, end user require click on the Register button in the left corner and then click Purchase Online to buy a license code.

If you forget your Iobit protected folder password, so you have to use a  tool (uninstall). It allow local user uninstall Iobit Protected software without password.

Vulnerability details: A vulnerability was found in IObit Protected Folder up to 13.6.0.5 and classified as problematic. This issue affects the function 0x8001E000/0x8001E004 in the library IUProcessFilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Official details: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-0222

CVE-2024-56756: nvme-pci: fix freeing of the HMB descriptor table (30th Dec 2024)

Preface: Large Hadron Collider (LHC) at CERN works with amazing quantities of data and has publicly stated that they get much higher I/O and memory bandwidth — more than a terabit per second of data – with their AMD-based system. If they get that kind of performance, other end users will be in great shape. Plus, more PCIe lanes means more NVMe drives at native speed, versus storage interfaces running at switched speeds (which adds a latency and bottleneck points). Full utilization will make a huge difference in stored data access and processing.

Background: The impact of the fast PCIe technology available today is spread over several areas.

– The ability to use more x16 devices (such as graphics processing units (GPUs) and network cards) at full speed – which means data can be transferred at a faster rate

– The ability to use higher bandwidth network cards – which means more quantities of data can be transferred per second

– Non-volatile memory express (NVMe) storage was already incredibly fast and with PCIe Gen 4 it is even faster. In some cases, there is twice the performance in speed and throughput.

Vulnerability details: The HMB descriptor table is sized to the maximum number of descriptors that could be used for a given device, but __nvme_alloc_host_mem could break out of the loop earlier on memory allocation failure and end up using less descriptors than planned for, which leads to an incorrect size passed to dma_free_coherent.

In practice this was not showing up because the number of descriptors tends to be low and the dma coherent allocator always allocates and frees at least a page.

Ref: In the Linux kernel, the following vulnerability has been resolved: nvme-pci: fix freeing of the HMB descriptor table

Official announcement: Please refer to the link for details

https://nvd.nist.gov/vuln/detail/CVE-2024-56756

CVE-2024-21944: Undermining Integrity Features of SEV-SNP with Memory Aliasing

Preface: The Serial Presence Detect function is implemented using a 2048 bit EEPROM component. This nonvolatile storage device contains data programmed by the DIMM manufacturer that identifies the module type and various SDRAM organization and timing parameters.

EEPROM stands for Electrically Erasable Programmable Read-Only Memory. It’s a type of non-volatile memory used in computers and other electronic devices to store critical data that remains intact even when power is off.

Background: AMD SEV-SNP is a confidential computing hardware technology present in AMD EPYC processors from generation 3 and newer. It is based on hardware virtualization extensions and achieves isolation by adding these measures: Full memory encryption.

SEV-SNP is supported on AMD EYPC processors starting with the AMD EPYC 7003 series processors. AMD SEV-SNP offers powerful and flexible support for the isolation of a guest virtual machine from an untrusted host operating system. It is very useful in public cloud and any untrusted host scenario.

Vulnerability details: Improper input validation for DIMM serial presence detect (SPD) metadata could allow an attacker with physical access, ring0 access on a system with a non-compliant DIMM, or control over the Root of Trust for BIOS update, to potentially overwrite guest memory resulting in loss of guest data integrity.

Remark: AMD recommends utilizing memory modules that lock Serial Presence Detect (SPD), as well as following physical system security best practices.

Official announcement: Please refer to the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3015.html

CVE-2024-49194: Databricks JDBC Driver Vulnerability Advisory (19th Dec 2024)

Preface: The Databricks Platform is the world’s first data intelligence platform powered by generative AI. Infuse AI into every facet of your business.

Generative artificial intelligence, also known as generative AI or gen AI for short, is a type of AI that can create new content and ideas, including conversations, stories, images, videos, and music. It can learn human language, programming languages, art, chemistry, biology, or any complex subject matter.

Background: Databricks JDBC, the first version of the driver, is a Simba driver developed by insightsoftware. It enables you to connect participating apps, tools, clients, SDKs, and APIs to Azure Databricks through Java Database Connectivity (JDBC), an industry-standard specification for accessing database management systems.

Vulnerability details: Databricks JDBC Driver before 2.6.40 could potentially allow remote code execution (RCE) by triggering a JNDI injection via a JDBC URL parameter. The vulnerability is rooted in the improper handling of the krbJAASFile parameter. An attacker could potentially exploit this vulnerability to achieve Remote Code Execution in the context of the driver by tricking a victim into using a crafted connection URL that uses the property krbJAASFile.

Official announcement: Please refer to the link for details –https://kb.databricks.com/en_US/data-sources/security-bulletin-databricks-jdbc-driver-vulnerability-advisory-cve-2024-49194

CVE-2024-10205: Authentication bypass vulnerability exists in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer (18-12-2024)

Preface: Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).

Background: Hitachi Ops Center analytics and observability software supports VSP arrays whether on-premises, in a colocation facility, or a public cloud environment. Ops Center’s analytics software provides health insights and best practices to monitor key performance and capacity indicators across a heterogeneous data center infrastructure, to easily identify and isolate performance problems. By analyzing the data path from virtual machine (VM) and server to SAN fabric and logical storage resources, Hitachi Ops Center analytics software provides essential IT operations visibility and optimization.

Vulnerability details:  Authentication Bypass vulnerability in Hitachi Ops Center Analyzer on Linux, 64 bit (Hitachi Ops Center Analyzer detail view component), Hitachi Infrastructure Analytics Advisor on Linux, 64 bit (Hitachi Data Center Analytics component ).This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.3-00; Hitachi Infrastructure Analytics Advisor: from 2.1.0-00 through 4.4.0-00.

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2024-10205

About Siemens: CVE-2024-49775 – Heap-based Buffer Overflow Vulnerability in User Management Component (UMC)

Preface: SIMATIC WinCC is a supervisory control and data acquisition (SCADA) and human-machine interface (HMI) system from Siemens. SCADA systems are used to monitor and control physical processes involved in industry and infrastructure on a large scale and over long distances. SIMATIC WinCC can be used in combination with Siemens controllers. WinCC is written for the Microsoft Windows operating system.[1][2] It uses Microsoft SQL Server for logging and comes with a VBScript and ANSI C application programming interface.

Background: The User Management Component (UMC) enables the system-wide, central maintenance of users with an optional connection to Microsoft Active Directories.

The User Management Component (UMC) enables the system-wide, central maintenance of users with an optional connection to Microsoft Active Directories. UMC allows the establishment of central user management. This means that you can define and manage users and user groups across software and devices. Users and user groups can also be transferred from a Microsoft Active Directory (AD).

The following applications are connected to UMC: SINEMA RC, SINEC NMS, WinCC Unified, TIA Portal & WinCC Runtime Advanced

Vulnerability details: A vulnerability has been identified in Opcenter Execution Foundation (All versions), Opcenter Intelligence (All versions), Opcenter Quality (All versions), Opcenter RDL (All versions), SIMATIC PCS neo V4.0 (All versions), SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1), SINEC NMS (All versions if operated in conjunction with UMC < V2.15), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V18 (All versions), Totally Integrated Automation Portal (TIA Portal) V19 (All versions). Affected products contain a heap-based buffer overflow vulnerability in the integrated UMC component.
This could allow an unauthenticated remote attacker to execute arbitrary code.

Official announcement: Please refer to the link for details –

https://cert-portal.siemens.com/productcert/html/ssa-928984.html?ste_sid=ee8ee88d412b10e86a45542d24a25db6

CVE-2024-33063 – OOB : read/writes in ML probe generation  (15-Dec 2024)

Preface: A patch published June 2023, adds parsing of the data and adding/updating the BSS using the received elements. Doing this means that userspace can discover the BSSes using an ML probe request and request association on these links.

Background: IE provides information on channel usage by AP, so that smart wireless stations can decide better AP for connectivity. Station count, Channel utilization, and Available admission capacity are the information available in this IE.

The term QBSS is used in wireless networks supporting the IEEE 802.11e Quality of Service enhancement. It defines a Basic Service Set supporting a QAP and a number of QSTA.

When enabled, appends QBSS IE in Management frames. This IE provides information of channel usage by AP, so that smart wireless station can decide better AP for connectivity. Station count, Channel utilization and Available admission capacity are the information available in this IE.

Vulnerability details: Transient DOS while parsing the ML IE when a beacon with common info length of the ML IE greater than the ML IE inside which this element is present.

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-33063

CVE-2024-5660: This issue could allow a modified, untrusted guest operating system to compromise the host in certain hypervisor environments. (11 Dec 2024)

Preface: NVIDIA Jetson™ is the world’s leading embedded AI computing platform with an integrated Arm CPU.

Background: The owning translation regime uses its address translation table data to determine the properties of the trace data transactions written to system memory.

CPUECTLR_EL1 is a 64-bit register, and is part of the 64-bit registers functional group. This register resets to value 0x0000000961563000. The CPUECTLR_EL1 register contains IMPLEMENTATION DEFINED configuration and control options for the MMU.

Stage 2 translation allows a hypervisor to control a view of memory in a Virtual Machine (VM). Specifically, it allows the hypervisor to control which memory-mapped system resources a VM can access, and where those resources appear in the address space of the VM.

Vulnerability details: When Hardware Page Aggregation (HPA) is enabled and Stage-1 and/or Stage-2 translation is enabled for the active translation regime, memory accesses may be translated incorrectly. This may permit bypass of Stage-2 translation and/or GPT protection

Affected products : A77, A78, A78C, A78AE, A710, V1, V2, V3, V3AE, X1, X1C, X2, X3, X4, N2, X925, Travis

Recommendations : The issue can be avoided by setting CPUECTLR_EL1[46] to 1 which will disable hardware page aggregation

Official announcement: Please refer to the link for details – https://developer.arm.com/Arm%20Security%20Center/Arm%20CPU%20Vulnerability%20CVE-2024-5660