Category Archives: Potential Risk of CVE

CVE-2022-31676 – VMware Tools (23rd Aug 2022)

Preface: This time openssl.cnf is not involved in this vulnerability; maybe c_rehash is the suspect?

Background: VMware Tools is a set of services and modules that enable several features in VMware products for better management of, and seamless user interaction with, guest operating systems.

Some VMware Tools settings might expose security risks. For example, VMware Tools lets you connect virtual devices such as serial and parallel ports to virtual machines; a connected device is a potential attack channel.

The same caveat applies to cloud VM serial consoles: when serial port access is enabled for a VM instance, clients can attempt to connect to it from any IP address, so anybody who knows the user name, the SSH key, the project ID, and the instance name and zone can reach the instance.

Vulnerability details: A malicious actor with local non-administrative access to the guest OS can escalate privileges to root in the virtual machine, VMware said. Please refer to the advisory for details – https://www.vmware.com/security/advisories/VMSA-2022-0024.html

My observation: Since the vendor didn't describe what the actual reason was, a hint for my analysis is that the official article says VMware Tools 3.0.0 works with OpenSSL 3.0. Coincidentally, a bug in OpenSSL 3.0 was disclosed in June 2022. The flaw is fixed in OpenSSL 3.0.4; affected versions are 3.0.0, 3.0.1, 3.0.2 and 3.0.3. If you are interested in this, please refer to the attached image.

CVE-2022-33916 – OPC UA .NET Standard Reference Server 1.04.368 allows a remote attacker to cause the application to access sensitive information (23rd Aug 2022)

Preface: OPC UA bridges the divide between information technology and operational technology. It enables information and data exchange on devices within machines, between machines, and from machines to systems. As a result, companies cannot realize the benefits of the Internet of Things (IoT) and Industry 4.0 without OPC UA.

Background: Microsoft contributed its open-source OPC UA stack to the OPC Foundation in 2017. The OPC Foundation .NET reference stack, based on .NET Standard, was developed and optimized by Microsoft to serve as a platform-independent infrastructure from embedded devices to the cloud. It runs on the following supported platforms: various Linux distributions, iOS, Android, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Phone, HoloLens and the Azure cloud.

Vulnerability details: The vulnerability is caused by excessive data output when the application handles OPC UA Browse requests. A remote attacker can use it to obtain sensitive information about the system without authorization.

With the information obtained, an unauthorized user can create a valid session with the OPC UA server or client and obtain further sensitive information.

OPC Foundation Security Bulletin https://files.opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2022-33916.pdf

Were you woken by this alert [CVE-2022-32894] a few days ago? (21st Aug 2022)

Preface: Apple published a security alert on 17th Aug 2022 for a bug in iOS. If you use an iPhone or iPad, you need to update now. Security research firm ZecOps took the update seriously, tweeting that the vulnerability patched in iOS 15.6.1 was already being exploited, and stressed that attackers may launch one-click and "zero-click" attacks, the same strategy as NSO Group's Pegasus spyware.

What is a zero-click attack?
In April 2020, cybersecurity firm ZecOps reported that iPhones and iPads had long been vulnerable to attacks through the Mail app that needed some user assistance, and that from iOS 13 the bug could be triggered with no interaction at all. "The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory," the ZecOps blog said. Apple patched it in iOS 13.5 in May 2020.

Background: The earlier vulnerability has been fixed, so why is there another round of attacks on iPhones and iPads around the world?
The iOS kernel (XNU) is a hybrid design, whereas Linux is a monolithic kernel. The CVE entry only states that the flaw is an out-of-bounds write; the vendor, as usual, did not disclose details. But what drove the vendor to issue a remedy immediately? Let's imagine the flaw based on the hints provided. In a multi-core environment it is possible to trigger similar attacks. The attached image shows what happens when several cores hit such an error on FreeBSD: FreeBSD released an advisory in August 2022 for an out-of-bounds read in elf_note_prpsinfo(), a design weakness in that code path that turned into a serious flaw.
The above is only an example; as a matter of fact, we don't know what the vulnerability was, and nobody can yet tell what the root cause is. But keep your eyes open when the next unknown critical bug appears.

CWE-787: Out-of-bounds Write – Typically, this results in corruption of data, a crash, or code execution. The software modifies an index or performs pointer arithmetic that references a memory location outside the boundaries of the buffer; a subsequent write to that location then produces undefined or unexpected results.

Remark: RestartSec= in a unit's [Service] section sets the delay before systemd restarts a crashed service (100 ms by default).

Vulnerability details:
CVE-2022-32893 – WebKit: an out-of-bounds write that lets maliciously crafted web content execute arbitrary code on the targeted system.
CVE-2022-32894 – Kernel: an out-of-bounds write that lets a malicious app execute arbitrary code with kernel privileges on the targeted system.
Fixes and solutions:
Safari 15.6.1 | HT213414 https://support.apple.com/en-gb/HT213414
macOS Monterey 12.5.1 | HT213413 https://support.apple.com/kb/HT213413
iOS 15.6.1 and iPadOS 15.6.1 | HT213412 https://support.apple.com/kb/HT213412

CVE-2022-2568 – Logic flaw leads to privilege escalation (Red Hat Ansible Automation Platform) 18th Aug 2022

Preface: What is backward compatibility in Linux?
A backward-compatible (also called downward-compatible) hardware or software system can still use interfaces and data from earlier versions of itself or from other systems.

Background: Ansible Automation Platform provides an enterprise framework for building and operating IT automation at scale, from hybrid cloud to the edge. Ansible Automation Platform enables users across an organization to create, share, and manage automation—from development and operations to security and network teams.

Automation Hub is configured to support your organization by creating groups for your users and granting each group the level of system access it requires. In this design, the system administrator mirrors the operational structure with those groups.

The relevant packages are as follows:

  • python-galaxy-ng – A Pulp plugin to support hosting your very own Ansible Galaxy server.
  • pulpcore-selinux – A set of SELinux policies for Pulp 3 with several plugins installed.
  • openshift-clients – The OpenShift command-line interface (the oc command), used to create applications and manage OpenShift Container Platform projects from a terminal.
  • automation-hub – Red Hat Ansible Automation Hub, the official location to discover and download supported Ansible content collections.
  • automation-controller – The automation controller lets users of Red Hat Ansible Automation Platform define, operate, scale, and delegate automation across their enterprise.
  • ansible-core – The main building block and architecture for Ansible, including CLI tools such as ansible-playbook and ansible-doc for driving and interacting with automation.

Vulnerability details: A privilege escalation flaw was found in the Ansible Automation Platform. This flaw allows a remote authenticated user with 'change user' permissions to modify the account settings of the superuser account and also remove the superuser privileges. In other words, the missing check is that 'change user' should never extend to accounts with more privilege than the caller's own.

Official details https://access.redhat.com/security/cve/cve-2022-2568

When you are interested in reading this article, you may agree that the industrial sector needs to strengthen cybersecurity protection (17th Aug 2022)

Preface: OPC UA is a standard that ensures the open connectivity, interoperability, security, and reliability of industrial automation devices and systems. OPC UA is widely recognized as the key communication and data modeling technology for the Industry 4.0 initiative.
The UA SDK is a C++ library that supports you in writing portable C++ OPC UA Servers. The UA SDK actually consists of two SDKs, a Server SDK and a Client SDK. Both use the same UA Base Library which does all the C++ encapsulation of the raw ANSI C types that are defined in the OPC UA Communication Stack by the OPC Foundation.

Background: The C++ OPC UA Server SDK provides a C++ class library used to develop OPC UA Servers providing a standard interface to vendor specific systems. The OPC UA Server is normally used to describe the available information from a vendor system and to provide access to the data for external systems in a standardized way.
The SDK allows multiple instances of its address space implementation: for every namespace you create a new address space, and together they form the complete server address space. Within an address space the namespace index ("ns") is fixed, so it does not need to be stored redundantly in each node. For each address space you can configure size constraints and whether it is created dynamically in RAM or compiled into the application.

Vulnerability details: On 17th Aug 2022 Softing updated its advisory information for the OPC UA C++ SDK from version 6.0. Softing OPC UA C++ Server SDK, Secure Integration Server, edgeConnector, edgeAggregator, OPC Suite and uaGate are affected by a NULL pointer dereference vulnerability. A NULL pointer dereference is a denial-of-service bug: the process crashes when it touches a pointer that was never set.
NULL pointer dereference vulnerability in OPC UA C++ SDK, Secure Integration Server, edgeConnector and edgeAggregator – https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-7.html

Ref: CISA advisory ICSA-21-168-02 (June 17, 2021): in Softing OPC UA C++ SDK (Software Development Kit) versions 5.59 to 5.64, exported library functions don't properly validate received extension objects, which may allow an attacker to crash the software by sending a variety of specially crafted packets that make it access unexpected memory locations (CVE-2021-32994).
https://nvd.nist.gov/vuln/detail/CVE-2021-32994
https://www.cisa.gov/uscert/ics/advisories/icsa-21-168-02
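To make the extension-object problem concrete, here is an added example (not Softing's or the OPC Foundation's code) that decodes the OPC UA binary ExtensionObject encoding and shows the check a consumer must make before touching the body. It assumes the layout from OPC UA Part 6 (a TypeId NodeId, then an encoding byte where 0x00 means no body, then an Int32 length where -1 is the null marker), accepts only the TwoByte, FourByte and Numeric NodeId encodings, and uses its own names (ext_obj_decode, decode_and_peek, the EO_ERR_* codes) and constructed test packets. A body-less or null-body object is legal on the wire, so a consumer that simply dereferences the body pointer is exactly the NULL pointer dereference class described above.

```c
/* Added example: minimal decoder for the OPC UA binary ExtensionObject encoding.
 * Layout: TypeId (NodeId), Encoding byte (0x00 no body, 0x01 ByteString, 0x02 XmlElement),
 * then, only if Encoding != 0, an Int32 length (-1 = null) and that many body bytes.
 * Names and error codes are this example's own, not the Softing or OPC Foundation API. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { EO_OK = 0, EO_ERR_TRUNC = 1, EO_ERR_NODEID = 2, EO_ERR_ENCODING = 3,
       EO_ERR_BODYLEN = 4, EO_ERR_NULLBODY = 5 };

typedef struct { uint16_t ns; uint32_t id; } nodeid_t;
typedef struct {
    nodeid_t       type_id;
    uint8_t        encoding;
    const uint8_t *body;      /* NULL when the object has no body or a null body */
    int32_t        body_len;  /* -1 when body is NULL */
} ext_obj_t;

/* Little-endian readers that refuse to run past the end of the packet. */
static int rd_u8(const uint8_t *b, size_t len, size_t *pos, uint8_t *out) {
    if (len - *pos < 1) return EO_ERR_TRUNC;
    *out = b[(*pos)++]; return EO_OK;
}
static int rd_u16(const uint8_t *b, size_t len, size_t *pos, uint16_t *out) {
    if (len - *pos < 2) return EO_ERR_TRUNC;
    *out = (uint16_t)(b[*pos] | (b[*pos + 1] << 8)); *pos += 2; return EO_OK;
}
static int rd_u32(const uint8_t *b, size_t len, size_t *pos, uint32_t *out) {
    if (len - *pos < 4) return EO_ERR_TRUNC;
    *out = (uint32_t)b[*pos] | ((uint32_t)b[*pos + 1] << 8) |
           ((uint32_t)b[*pos + 2] << 16) | ((uint32_t)b[*pos + 3] << 24);
    *pos += 4; return EO_OK;
}

static int decode_nodeid(const uint8_t *b, size_t len, size_t *pos, nodeid_t *out) {
    uint8_t enc, u8; uint16_t u16; uint32_t u32; int rc;
    if ((rc = rd_u8(b, len, pos, &enc)) != EO_OK) return rc;
    switch (enc) {
    case 0x00:  /* TwoByte: namespace 0, one-byte identifier */
        if ((rc = rd_u8(b, len, pos, &u8)) != EO_OK) return rc;
        out->ns = 0; out->id = u8; return EO_OK;
    case 0x01:  /* FourByte: one-byte namespace, uint16 identifier */
        if ((rc = rd_u8(b, len, pos, &u8)) != EO_OK) return rc;
        if ((rc = rd_u16(b, len, pos, &u16)) != EO_OK) return rc;
        out->ns = u8; out->id = u16; return EO_OK;
    case 0x02:  /* Numeric: uint16 namespace, uint32 identifier */
        if ((rc = rd_u16(b, len, pos, &u16)) != EO_OK) return rc;
        if ((rc = rd_u32(b, len, pos, &u32)) != EO_OK) return rc;
        out->ns = u16; out->id = u32; return EO_OK;
    default:    /* String/Guid/ByteString identifiers are out of scope here */
        return EO_ERR_NODEID;
    }
}

int ext_obj_decode(const uint8_t *buf, size_t len, ext_obj_t *out) {
    size_t pos = 0; uint32_t raw; int rc;
    memset(out, 0, sizeof *out);
    out->body_len = -1;
    if ((rc = decode_nodeid(buf, len, &pos, &out->type_id)) != EO_OK) return rc;
    if ((rc = rd_u8(buf, len, &pos, &out->encoding)) != EO_OK) return rc;
    if (out->encoding == 0x00) return EO_OK;           /* body-less: legal, body stays NULL */
    if (out->encoding > 0x02) return EO_ERR_ENCODING;
    if ((rc = rd_u32(buf, len, &pos, &raw)) != EO_OK) return rc;
    int32_t blen = (int32_t)raw;
    if (blen == -1) return EO_OK;                      /* null ByteString/XmlElement: body NULL */
    if (blen < 0) return EO_ERR_BODYLEN;
    if ((size_t)blen > len - pos) return EO_ERR_TRUNC; /* claimed length exceeds the packet */
    out->body = buf + pos; out->body_len = blen;
    return EO_OK;
}

/* The defect class in the advisories: a consumer that assumes a body is present. */
uint8_t body_first_byte_unchecked(const ext_obj_t *eo) {
    return eo->body[0];   /* NULL dereference for encoding 0x00 or a null body */
}

/* Hardened consumer: first body byte (0..255) or a negative EO_ERR_* code. */
int body_first_byte_checked(const ext_obj_t *eo) {
    if (eo->body == NULL || eo->body_len < 1) return -EO_ERR_NULLBODY;
    return eo->body[0];
}

/* Decode then read: first body byte, or -EO_ERR_* when decoding or the body check fails. */
int decode_and_peek(const uint8_t *buf, size_t len) {
    ext_obj_t eo;
    int rc = ext_obj_decode(buf, len, &eo);
    return rc == EO_OK ? body_first_byte_checked(&eo) : -rc;
}

/* Constructed packets (TypeId i=42 in TwoByte form) exercising each path. */
const uint8_t EO_WITH_BODY[] = { 0x00, 0x2A, 0x01, 0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c' };
const uint8_t EO_NO_BODY[]   = { 0x00, 0x2A, 0x00 };
const uint8_t EO_NULL_BODY[] = { 0x00, 0x2A, 0x01, 0xFF, 0xFF, 0xFF, 0xFF };
const uint8_t EO_TRUNCATED[] = { 0x00, 0x2A, 0x01, 0x05, 0x00, 0x00, 0x00, 'a', 'b' };
const uint8_t EO_BAD_LEN[]   = { 0x00, 0x2A, 0x01, 0xFE, 0xFF, 0xFF, 0xFF };

int main(void) {
    printf("with body=%d no body=%d truncated=%d\n",
           decode_and_peek(EO_WITH_BODY, sizeof EO_WITH_BODY),
           decode_and_peek(EO_NO_BODY, sizeof EO_NO_BODY),
           decode_and_peek(EO_TRUNCATED, sizeof EO_TRUNCATED));
    return 0;
}
```

The decoder never trusts the Int32 length: it is compared with the bytes actually left in the packet before the body pointer is set, which is the other half of "don't properly validate received extension objects" (an over-long length would otherwise let the consumer read past the packet).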

CVE-2022-38362 – Apache Airflow Docker Provider design weakness (prior to 3.0.0) 16th Aug 2022

Preface: The three top industries that use Apache Airflow for Workflow Automation are Machine Learning, Big Data and Artificial Intelligence.

Background: Airflow is a platform that lets you build and run workflows. A workflow is represented as a DAG (a Directed Acyclic Graph), and contains individual pieces of work called Tasks, arranged with dependencies and data flows taken into account.
The following is a quick view of deploying Airflow inside Kubernetes. I assume you have these components running as containers inside Kubernetes: a Postgres container, a Postgres Service, the Airflow webserver, the Airflow scheduler and an Airflow LoadBalancer Service.

The steps below are the quick view for the components above.
Step 1. Get the Apache Airflow Docker image.
Step 2. Deploy Postgres into Kubernetes.
Step 3. Deploy a Service for Postgres.
Step 4. Prepare the Postgres database for Airflow.
Step 5. Get ready to write some YAML files.
Step 6. Deploy a LoadBalancer Service to expose the Airflow UI to the Internet.
Warning: Once this step is complete, the Airflow UI is reachable by anyone on the Internet. Combined with the flaw below, any user who can log in to that UI can run code on a worker, so put the UI behind authentication and network restrictions before exposing it.

Vulnerability details: Apache Airflow's Docker provider prior to 3.0.0 shipped with an example DAG that allowed (authenticated) remote code execution on the Airflow worker host.

Remark: A DAG is defined in a Python script, which represents the DAGs structure (tasks and their dependencies) as code.

Mitigation: Disable loading of example DAGs (set load_examples = False under [core] in airflow.cfg, or AIRFLOW__CORE__LOAD_EXAMPLES=False in the environment), or upgrade apache-airflow-providers-docker to 3.0.0 or above.

Official announcement: Please refer to the link for details https://lists.apache.org/thread/614p38nf4gbk8xhvnskj9b1sqo2dknkb

CVE-2022-35623 Nordic nRF5 SDK for Mesh 5.0 design weakness – 15th Aug 2022

Preface: Bluetooth mesh is ideal for industrial IoT use cases—especially lighting—that require the relatively low-cost and low-power scalability, reliability, and performance of Bluetooth technology. It enables many-to-many device communications and is optimized for creating large-scale device networks.

Background: Communication in a Bluetooth mesh network goes from one node to another. Unlike traditional IP-based networks, Bluetooth Mesh uses a managed-flood model for forwarding: messages are broadcast to every node in range and relayed onward, and a time-to-live (TTL) field caps the number of hops so that relaying cannot loop indefinitely.

The nRF5 SDK for mesh is ideal for developing applications that use Bluetooth mesh networks .

The heap is the region of a process's memory used for dynamically allocated data. In C these allocations are made with malloc() and calloc(), resized with realloc() and released with free().
The function memcpy(), declared in the string.h header, copies a block of memory from a source pointer to a destination pointer. It does not check that the destination is large enough; the caller has to, and a heap overflow is what happens when the caller does not.

Vulnerability details: CVE-2022-35623 – In Nordic nRF5 SDK for Mesh 5.0, a heap overflow vulnerability can be triggered by sending a series of segmented control packets and access packets with the same SeqAuth. The vulnerable function is trs_seg_packet_in in mesh/core/src/transport[.]c.

Official details: https://docs.google.com/document/d/1Y3sB5JbyrTIOgvA1h9X6o8pJQBG4PjWF/edit

Additional: CVE-2022-35624 – In Nordic nRF5 SDK for Mesh 5.0, a heap overflow can be triggered by sending a series of segmented packets with SegO > SegN (a segment index beyond the declared last segment). The vulnerable function is again trs_seg_packet_in in mesh/core/src/transport[.]c.
https://docs.google.com/document/d/1BrgB1bQiL-cMXQGaXJWSSyaZY51Zxomp/edit
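The memcpy() caveat and the two CVE descriptions above, and the CWE-787 out-of-bounds write discussed in the Apple section, come together in the reassembly buffer. The following is an added example, not Nordic's transport.c: a cut-down model of lower-transport segment reassembly that shows a copy driven straight by SegO and the segment type beside a version that validates them. It assumes Bluetooth Mesh's fixed segment payload sizes (8 bytes for control messages, 12 bytes for access messages) and 5-bit SegO/SegN fields; the names (trs_seg_in_unchecked, trs_seg_in_checked, reassembly_t, TRS_ERR_*) and the segments fed to it are this example's own.

```c
/* Added example, not Nordic's transport.c: a cut-down model of Bluetooth Mesh
 * lower-transport segment reassembly. A segmented message is identified by SeqAuth;
 * every segment carries SegO (its index) and SegN (the last index), both 5-bit fields,
 * and its payload is 8 bytes for control messages or 12 bytes for access messages.
 * All names below (trs_seg_in_*, reassembly_t, TRS_ERR_*) are this example's own. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SEG_SIZE_CTL 8
#define SEG_SIZE_ACC 12
#define SEG_MAX      31

enum { TRS_OK = 0, TRS_ERR_SEGO = 1, TRS_ERR_TYPE = 2, TRS_ERR_SEGN = 3,
       TRS_ERR_LEN = 4, TRS_ERR_SEQAUTH = 5, TRS_ERR_ALLOC = 6 };

typedef struct {
    uint64_t       seqauth;
    bool           ctl;          /* control (8-byte) or access (12-byte) segment */
    uint8_t        seg_o, seg_n;
    const uint8_t *payload;
    size_t         payload_len;
} segment_t;

typedef struct {
    uint64_t seqauth;    /* message being reassembled */
    bool     ctl;        /* fixed by the FIRST segment seen */
    uint8_t  seg_n, seg_size;
    uint8_t *buf;        /* heap buffer of (seg_n + 1) * seg_size bytes */
    size_t   buf_len;
    uint32_t received;   /* bit i set once segment i has arrived */
} reassembly_t;

/* Size the heap buffer from the first segment of a new SeqAuth. */
static int session_open(reassembly_t *s, const segment_t *seg) {
    s->seqauth = seg->seqauth; s->ctl = seg->ctl; s->seg_n = seg->seg_n;
    s->seg_size = seg->ctl ? SEG_SIZE_CTL : SEG_SIZE_ACC;
    s->buf_len = (size_t)(seg->seg_n + 1) * s->seg_size;
    s->received = 0;
    s->buf = calloc(s->buf_len, 1);
    return s->buf ? TRS_OK : TRS_ERR_ALLOC;
}

void session_close(reassembly_t *s) { free(s->buf); s->buf = NULL; }

/* The shape the two CVEs describe: offset, type and length trusted straight from the air.
 * Kept only to show what the checked version prevents; never feed it untrusted input. */
int trs_seg_in_unchecked(reassembly_t *s, const segment_t *seg) {
    if (s->buf == NULL && session_open(s, seg) != TRS_OK) return TRS_ERR_ALLOC;
    /* SegO > SegN lands past buf (CVE-2022-35624); a 12-byte access segment copied into
     * an 8-byte control slot of a session with the same SeqAuth does too (CVE-2022-35623). */
    memcpy(s->buf + (size_t)seg->seg_o * s->seg_size, seg->payload, seg->payload_len);
    s->received |= 1u << seg->seg_o;
    return TRS_OK;
}

/* Hardened version: every field is validated against the session before memcpy(). */
int trs_seg_in_checked(reassembly_t *s, const segment_t *seg) {
    if (seg->seg_n > SEG_MAX || seg->seg_o > seg->seg_n) return TRS_ERR_SEGO;
    if (s->buf == NULL) {
        int rc = session_open(s, seg);
        if (rc != TRS_OK) return rc;
    }
    if (seg->seqauth != s->seqauth)     return TRS_ERR_SEQAUTH;
    if (seg->ctl != s->ctl)             return TRS_ERR_TYPE;  /* same SeqAuth, other type */
    if (seg->seg_n != s->seg_n)         return TRS_ERR_SEGN;  /* SegN must not change mid-message */
    if (seg->payload_len > s->seg_size) return TRS_ERR_LEN;
    memcpy(s->buf + (size_t)seg->seg_o * s->seg_size, seg->payload, seg->payload_len);
    s->received |= 1u << seg->seg_o;
    return TRS_OK;
}

bool trs_complete(const reassembly_t *s) {
    uint32_t all = (s->seg_n == SEG_MAX) ? 0xFFFFFFFFu : (1u << (s->seg_n + 1)) - 1u;
    return s->buf != NULL && s->received == all;
}

/* Constructed segments: a two-segment control message (SeqAuth 0x1234) and the two hostile shapes. */
static const uint8_t CTL_PAYLOAD_0[SEG_SIZE_CTL] = { 1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t CTL_PAYLOAD_1[SEG_SIZE_CTL] = { 9, 10, 11, 12, 13, 14, 15, 16 };
static const uint8_t ACC_PAYLOAD[SEG_SIZE_ACC]   = { 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
                                                     0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA };
const segment_t SEG_CTL_0 = { 0x1234, true, 0, 1, CTL_PAYLOAD_0, SEG_SIZE_CTL };
const segment_t SEG_CTL_1 = { 0x1234, true, 1, 1, CTL_PAYLOAD_1, SEG_SIZE_CTL };
const segment_t SEG_ACC_SAME_SEQAUTH = { 0x1234, false, 1, 1, ACC_PAYLOAD, SEG_SIZE_ACC }; /* CVE-2022-35623 shape */
const segment_t SEG_CTL_SEGO_GT_SEGN = { 0x1234, true, 3, 1, CTL_PAYLOAD_1, SEG_SIZE_CTL }; /* CVE-2022-35624 shape */

reassembly_t g_session;  /* zero-initialised: no buffer open yet */

/* Feeds the benign message and both hostile shapes through the checked path.
 * Returns the reassembled length (16) when the hostile segments were rejected, else -1. */
int trs_demo(void) {
    reassembly_t s = {0};
    bool ok = trs_seg_in_checked(&s, &SEG_CTL_0) == TRS_OK
           && trs_seg_in_checked(&s, &SEG_ACC_SAME_SEQAUTH) == TRS_ERR_TYPE
           && trs_seg_in_checked(&s, &SEG_CTL_SEGO_GT_SEGN) == TRS_ERR_SEGO
           && trs_seg_in_checked(&s, &SEG_CTL_1) == TRS_OK
           && trs_complete(&s)
           && memcmp(s.buf + SEG_SIZE_CTL, CTL_PAYLOAD_1, SEG_SIZE_CTL) == 0;
    int len = ok ? (int)s.buf_len : -1;
    session_close(&s);
    return len;
}
```

The order of checks matters: SegO is validated against SegN before any allocation, and the type and SegN of every later segment are compared with the session opened by the first one, so a second sender cannot change the buffer's size assumption mid-message by reusing the SeqAuth.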

Point of view: Networking flagship firm hits ransomware attack. (You’ll see what no one else can see) 14th Aug 2022

Preface: The Cisco Talos article describes a ransomware attack on Cisco itself. It covers the first phase in detail: the attacker phished the victim, and once the target machine was compromised, moved on to the second phase.

Background: In summary and recommendation posted by Talos Intelligence Group (see below):
Cisco implemented a company-wide password reset immediately upon learning of the incident. CTIR previously observed similar TTPs in numerous investigations since 2021.
But since this was a so-called zero-day, nobody will know for sure. If we could replay the scenario, the design flaw below might be one of the possibilities that triggered the event.

CVE-2021-22928 – A vulnerability has been identified in Citrix Virtual Apps and Desktops that could, if exploited, allow a user of a Windows VDA that has either Citrix Profile Management or Citrix Profile Management WMI Plugin installed to escalate their privilege level on that Windows VDA to SYSTEM.

One of the key reasons for my speculation: we don't know the exact infrastructure, and from a security standpoint Cisco would not disclose the details. But the information below caught my interest.

Quote:
After establishing access to the VPN, the attacker then began to use the compromised user account to logon to a large number of systems before beginning to pivot further into the environment. They moved into the Citrix environment, compromising a series of Citrix servers and eventually obtained privileged access to domain controllers.

Official details: If you are interested in digging out the details, please refer to the official website link – https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html

Comment: From a technical point of view, if this is a zero-day vulnerability, I don’t think it can be prevented with preventive or detective controls.

CVE-2022-20377 – Google Android Fingerprint keymaster_ipc[.]cpp Local Privilege Escalation (11th Aug 2022)

Preface: Pixel phones install downloaded Android updates in the background. The installed updates become active the next time that you restart your phone.

Background: Protection of the sensitive data stored on mobile devices is a hot topic, and mobile app developers have to take care of it. The Android Keystore was created so that apps can use asymmetric and symmetric keys without the key material ever being exposed to application code.
HMAC stands for Hash-based (keyed-hash) Message Authentication Code. Android uses it to verify the authenticity and integrity of data passed between components. HMACs are cheap compared with public-key signatures, because computing and verifying one is only a hash computation, which is why they are also common in high-performance systems such as routers.

Vulnerability details: In TBD of keymaster_ipc[.]cpp, there is a possible way to force gatekeeper, fingerprint, and faceauth to use a known HMAC key. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Since the vendor did not disclose the details, one possible cause is the following. Gatekeeper, fingerprint and faceauth prove a successful user authentication to Keymaster by handing it an auth token protected with an HMAC under a key shared between those components and Keymaster. HMAC is a shared-key construction: it provides integrity and authenticity but not non-repudiation (the service that proves the origin of data in a way the sender cannot deny), because any party that can verify an HMAC can also compute one.
If either side's key is compromised, or an attacker can force a known key, it becomes easy to create unauthorized but valid messages, here a forged auth token that passes Keymaster's check.

Official announcement – Please refer to the link for details – https://source.android.com/security/bulletin/pixel/2022-08-01

AMD’s delayed announcement – CVE-2021-46778 (9th Aug 2022)

Preface: Is this a possible solution: can we disable SMT as a mitigation for SQUIP? As far as we know, it would severely degrade the performance of AMD processors.

Background: (The following describes an older SMM cache-poisoning technique, not the SQUIP side channel itself.) An attacker modifies the system's MTRRs to change the SMM memory range from uncacheable to cacheable with type write-back. The MTRRs (Memory Type Range Registers) give system software control over how CPU accesses to memory ranges are cached.
The attacker can then write code into the memory range normally reserved for SMM functions: the CPU executes SMM code but fetches it from the cache before DRAM, so if the malicious code is in the cache, it is what gets executed.

Remark: SMM code is the most privileged code executed on the CPU. It is completely hidden from the running operating system, cannot be modified by the kernel or even by DMA devices, and, most importantly, can access any physical memory.

Vulnerability details: A contention-based side-channel vulnerability was found in hardware. Some AMD CPUs using simultaneous multithreading (SMT) may allow an attacker to measure the contention level on scheduler queues, leading to potential leakage of sensitive information.

To exploit this design weakness and get at data processed on the same CPU core, the attacker first needs to run malicious code on a sibling thread of that core. Is it possible to take advantage of SMM?

Official announcement – Execution Unit Scheduler Contention Side-Channel Vulnerability on AMD Processors. Please refer to the link for details – https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1039