Category Archives: Potential Risk of CVE

About CVE-2022-30594 – The Linux kernel before 5.17.2 mishandles seccomp permissions (12th May 2022)

Preface: Traditionally, the only way to enable that syscall in Linux was to enable CONFIG_CHECKPOINT_RESTORE. However, since Linux v5.10.20 and v5.11.3, a new CONFIG_KCMP has been added to Linux to allow enabling sys_kcmp without having to enable CONFIG_CHECKPOINT_RESTORE!

Background: Secure computing mode ( seccomp ) is a Linux kernel feature. You can use it to restrict the actions available within the container. The seccomp() system call operates on the seccomp state of the calling process. You can use this feature to restrict your application’s access. Syscalls are system calls, and they’re the way that you can make requests from user space into the Linux kernel.

In practical, we use syscalls a lot, because even everyday activities like making files or changing directories involve syscalls on Linux.

Vulnerability details: The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag.

Vulnerability found permission checks were done on the PTRACE_SETOPTIONS path. However the PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag.
The vulnerability move the permissions checks out into a helper function and let both ptrace_attach() and ptrace_setoptions() call it.

Official announcement (For details, please refer to the official announcement) https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ee1fee900537b5d9560e9f937402de5ddc8412f3

About Intel’s CVE-2022-0004 (10th May 2022)

Preface: Hardware debug modes and processor INIT setting that allow override of locks for some Intel(R) Processors in Intel(R) Boot Guard and Intel(R) TXT may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

Background: Protection Class “Public” (historically also known as “Green” or “Locked”) is where all sets of debuggers can use the available debug capabilities given by this class. No access mechanisms are used by the debugger and the privilege level on the debug capabilities (i.e., Basic Enabling) are considered public and available to everyone.

Intel specified CPU products can utilize two different ways to access the entity debug mechanism to enable access and to gain privileges for debug capabilities. For example: unlock. But the debugger must authenticate and unlock using Intel’s authentication key.

On CVE-2018-3659 and CVE-2018-3643 description does not mention DAM explicitly.
It is well known that DAM does not require authorization from Intel or the system manufacturer but requires the consent of the owner. The consent can be set in the following way:
• On CNP based platform, by physically connecting to Intel® Direct Connect Interface (Intel® DCI) over a USB3 port supporting a dedicated protocol and device for debugging, aka Intel® DCI OOB.
• Having BIOS set consent.
• Setting DCI enable bit in SPI descriptor, i.e. a configuration option that enable/disable automatic debug consent if the system is before EOM. This can be set using Intel Flash Image Tool (FIT).

Vulnerability details and remedy: For details, please refer to the official article (2022.1 IPU – Intel® Boot Guard and Intel® TXT Advisory) – https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00613.html

My observation: According to Risk Rating, Adjacent Network, Authenticated CVSS score of 7.3. Additionally, the unauthenticated physical CVSS score is 7.3. Therefore, undisclosed details of the design weakness include both local and remote access. Attackers exploit remote access to think it is running on a management application. For example, it is the Intel Converged Security and Management Engine (CSME).

In the initialization of the x86-64 multi-core system, one core is required as the bootstrap processor (BSP). Each processor first performs a processor self-test (BIST – Built In Self Test), and if the self-test passes, it has the qualification to become a BSP. Each processor that is expected to become a BSP will send a special cycle of NOP to the bus, with the purpose of reaching the end point as quickly as possible. If a processor successfully sends a NOP first, it becomes a BSP. Vendor recommends updating the Intel Converged Security and Management Engine (CSME) to the latest version, disabling the CPU debug feature when Boot Guard is enabled, and disabling the BSP (Bootstrap Processor) INIT (DBI) bit. Refer to above details, did you speculate what is the fact causes bug happen?

About CVE-2021-46744 on 1st/2nd/3rd Gen AMD EPYC™ Processors (10th May 2022)

Preface: KVM (Kernel based Virtual Machine) is an open source Linux kernel virtualization infrastructure2 which relies on the hardware virtualization technologies, fully integrated in the Linux kernel. Its first version was introduced in the 2.6.20 Linux kernel tree (released in February 2007). KVM developers are primarily funded by a technology startup called Qumranet, now owned by RedHat. Developers had an original approach. Instead of creating major portions of an operating system kernel themselves, they choose to use the Linux kernel itself as a basis for a hypervisor.

KVM stands for Kernel-based Virtual Machine. Being an open-source virtualization software that’s embedded into Linux, KVM does two things:

  • Makes Linux a hypervisor
  • Enables Linux to run multiple, isolated virtual environments

KVM initially supported x86 platform processors and was subsequently ported to S/390, PowerPC, and IA-64 platforms

Background: AMD EPYC 7002 Processors – A dual-socket AMD EPYC workstation or server is idea for compute intensive tasks such as high performance computing (HPC) and artificial intelligence (AI) applications thanks to their huge memory bandwidth, memory capacity and outstanding I/O. AMD EPYC Processors with improved execution pipelines, higher clock rates, and up to 4x the shared Level 3 cache. A Level 3 (L3) cache is a specialized cache that that is used by the CPU and is usually built onto the motherboard and, in certain special processors, within the CPU module itself.

The AMD EPYC 7002 Series Processor is the latest generation of the AMD64 System-on-Chip (SoC) processor family. It is based on the Zen 2 microarchitecture introduced in 2019, supporting up to 64 cores (128 threads) and 8 memory channels per socket. AMD’s CCD is actually an abbreviation of Core Chiclet Die.The Zen 2 architecture processor is not a large core packaged together, but is divided into two parts: the CCD core and the I/O core, of which the CCD core is a pure computing The core contains two CCXs, that is, each CCD has 8 cores and 16 threads.

Vulnerability details: An attacker with access to a malicious hypervisor may be able to infer data values used in a SEV guest on AMD CPUs by monitoring ciphertext values over time.

Speculation based on vulnerabilities: If important data is encrypted at rest or in transit, it’s often best to try to steal the data when it’s not encrypted by monitoring the memory space of the process performing the encryption and any calls to cryptographic libraries.

Official announcement: AMD provides preventive and corrective controls, please refer to the link for more details. https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1033

My comment: Due to this design flaw, the vendor (AMD) recommend to do a series of preventive and corrective control. In my personal point of view, the first step should dicuss with system architect and software development how to integrate below concept of Linux clear cache command into the work flow.
Drop all caches – Below Linux command:
sync; echo 3 > /proc/sys/vm/drop_caches

CVE-2022-20120: A remote code execution (RCE) vulnerability in the bootloader on Pixel devices (10th May 2022)

Preface: Google Pixel is a brand of consumer electronic devices developed by Google that run either Chrome OS or the Android operating system. The Pixel brand was introduced in February 2013 with the first-generation Chromebook Pixel. The Pixel line includes laptops, tablets, and smartphones, as well as several accessories.

Background: The Google Pixel is one of the smartphones on the market today. The Google Pixel also works with digital camera products.

How do you identify a Pixel device? The simple way is to go through the settings menu. → Settings → About Phone → Model Number. The display will tell you the make and model number of your device alongside the IMEI Number, serial number and also the version of Android you are running.

How do I get into bootloader? Follow below steps:

  • Ensure the phone is turned off.
  • Press and hold the VOLUME DOWN button.
  • Press the POWER button.
  • Continue to hold VOLUME DOWN until the Download mode is displayed.
  • Press VOLUME DOWN to go to Reboot to bootloader.
  • Press the POWER button.

Vulnerability details: With just a few minutes of physical access and a USB cable, attackers can silently and invisibly compromise unpatched devices. The exact details of the vulnerability have not been disclosed. Do you think the key factor whether similar to steps displayed in attached diagram?

Official announcement (Pixel Update Bulletin—May 2022): Please refer to the link for details – https://source.android.com/security/bulletin/pixel/2022-05-01#pixel

CVE-2022-28165 for Brocade SANnav (6th May, 2022)

Preface: If you look into a Mainframe computer system, you will find Brocade SANS storage made use of Ficon connection. As times goes by, Hi-end supercomputer system still using this solution.
Furthermore, Brocade products not limit the usage in supercomputer. The Fibre Channel storage networking and management solution are expanded to cloud computing. Becuase the Fibre Channel storage networking solutions are the most trusted.

Background: SANnav Management Portal supports an application programming interface (API) for managing Brocade® storage area network (SAN) fabrics. The REST API provides you with a web-services interface for accessing the SANnav Management Portal server system. The REST APIs are organized into various services, such as Login, Discovery,FCR, Fault, Inventory, and Northbound Streaming. You can use the REST API to build your own SANnav clients.

Vulnerability details: A vulnerability in the role-based access control (RBAC) functionality of the Brocade SANNav before 2.2.0 could allow an authenticated, remote attacker to access resources that they should not be able to access and perform actions that they should not be able to perform. The vulnerability exists because restrictions are not performed on Server side to ensure the user has required permission before processing requests.

Important notice – If you add a service principal to a group, and then assign an app role to that group, it does not add the roles claim to tokens it issues. Vice versa, if client side using stateless authentication, it has possibilities that it allow remote attacker to access resources that they should not be able to access and perform actions that they should not be able to perform.

Reference (see below):

  • With stateful authentication, a unique session id is generated when the user logs in. In subsequent requests, this session ID serves as a reference to the user details stored on the server. The session ID is opaque; it doesn’t contain any user data.
  • With stateless authentication, all user-identifying information is stored in a client-side token. The token can be passed to any server or micro service, eliminating the need to maintain session state on the server. Stateless authentication is often factored out to an authorization server, which produces, signs, and optionally encrypts the token upon user login.

Affected Products – Brocade SANnav before 2.2.0
Remedy: Fixed in Brocade SANnav 2.2.0

Official announcement: Please refer to the link for details – https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1844

Additional details: According to above principles. One of the remedy solution can be used to implement claim-based authorization. App roles can be assigned to a user or a group of users. App roles can also be assigned to the service principal for another application, or to the service principal for a managed identity.

About F5 network advisory – CVE-2022-1388 (5th May 2022)

Preface: A distributed hypermedia architect has only three fundamental options: 1) render the data where it is located and send a fixed-format image to the recipient; 2) encapsulate the data with a rendering engine and send both to the recipient; or, 3) send the raw data to the recipient along with metadata that describes the data type, so that the recipient can choose their own rendering engine.

Background: F5 has released security advisories on vulnerabilities affecting multiple products, including various versions of BIG-IP. Included in the release is an advisory for CVE-2022-1388, which allows undisclosed requests to bypass the iControl REST authentication in BIG-IP. An attacker could exploit CVE-2022-1388 to take control of an affected system.

Please refer to the link for details – https://support.f5.com/csp/article/K23605346#proc3

Vendor reminded that restricting access to the management interface by IP address in httpd is not a viable mitigation for this issue. It should add “Connection: close” header. Why?

My speculation: According to the above situation. My thoughts are as follows:

Whether add “Connection: close” header to custom HTTP/1.1 responses avoid the max request body size is exceeded.

The recommended actions to do the remedy by vendor is that client should manually add a “Connection: close” header in httpd configuration files. In normal circumstances, when the app writes a custom response and the max request body size has been exceeded. Without this header, the attacker might try to reuse the connection.

CVE-2022-30284 – Design weakness in the python-libnmap package (4th May 2022)

Preface: If you do a resources plan in large data center. Maybe you use nmap. E.g: Performs a list scan on the provided ranges and returns an NmapReport object including in your MIS report.

Background: libnmap is a python library to parse nmap xml data. It supports python 3.6+.
libnmap is a python library enabling python developers to manipulate nmap data. The libnmap targets are as follows:

  • manipulate nmap scans results to do reporting
  • compare and diff nmap scans to generate graphs
  • batch process scan reports

How to install? pip install python-libnmap

Vulnerability details: In the python-libnmap package through 0.7.2 for Python, remote command execution can occur (if used in a client application that does not validate arguments).

My imagination. Refer to attached diagram. If attacker have a way to do a re-engineering to the file (hostname-discovery.py) and replace the original file.See add on command syntax in red box in the diagram.
The file replaced by the attacker (hostname-discovery.py) will execute the command syntax to upload the file (rev.nse) over http.Therefore, it can execute an NSE reverse shell on the target system.

Preventive control and protective control: Please refer to the link for details – https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

Expert findings and Proof of concept: Please refer to the link for details – https://www.swascan.com/security-advisory-libnmap-2/

About CVE-2022-0882 – Fuchsia allows illegal access to the kernel log (3rd May 2022)

Preface: Fuchsia is an IoT; first OS means OS for your fridge, RaspberryPi, car, TV, etc.

Background: Zircon is the core platform that powers the Fuchsia OS. Zircon is composed of a microkernel (source in kernel/…) as well as a small set of userspace services, drivers, and libraries (source in system/…) necessary for the system to boot, talk to hardware, load userspace processes and run them, etc. Fuchsia builds a much larger OS on top of this foundation. One benefit of the microkernel approach is ease of extending the operating system. All new services are added to user space and consequently do not require modification of the kernel. Fuchsia is an open-source capability-based operating system developed by Google. As a general purpose operating system, Fuchsia is designed to power a diverse ecosystem of hardware and software.

Vulnerability Details: A bug exists where an attacker can read the kernel log through exposed Zircon kernel addresses without the required capability ZX_RSRC_KIND_ROOT.Fuchsia allows illegal access to the kernel log. This exposes Zircon kernel addresses and other sensitive information to components that do not have the required functionality. It is a security issue. Please refer to the link for details – https://bugs.fuchsia.dev/p/fuchsia/issues/detail?id=94740

Remedy: It is recommended to upgrade the Fuchsia kernel to 4.1.1 or greater.

About CVE-2022-28197: NVIDIA Jetson Linux Driver Package design weakness (26-4-2022)

Preface: Embedded AI solutions on the Linux platform. With the superior performance, small size and low power consumption, it will be able to do more real-time processing at the demanding environment than ever before.

Background: NVIDIA® Jetson Nano™ Developer Kit is a small, powerful computer that lets you run multiple neural networks in parallel for applications like image classification, object detection, segmentation, and speech processing. All in an easy-to-use platform that runs in as little as 5 watts.

Jetson Board Support Package
• Linux Kernel: A UNIX-like computer operating system kernel mostly used for mobile devices.
• Sample Root Filesystem derived from Ubuntu: A sample root filesystem of the Ubuntu distribution. Helps you create root filesystems for different configurations.
• Toolchain: A set of development tools chained together by stages that runs on various architectures.
• Bootloader: Boot software boot for initializing the system on the chip.
• Sources: Source code for kernel and multimedia applications.

…..more

Vulnerability details: NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cboot ext4_mount function, where Insufficient validation of untrusted data may allow a highly privileged local attacker to cause an integer overflow. This difficult- to-exploit vulnerability may lead to code execution, escalation of privileges, limited denial of service, and some impact to confidentiality and integrity.

Speculation: This is an old design weakness in the kernel. Is it possible to reuse again in this case?
An integer overflow flaw was found in the extent range checking code in the Linux kernel’s ext4 file system implementation. A local, unprivileged user with write access to an ext4-monted file system could trigger this flaw by writing to a file at a very large file offset. The expected impact will result in a denial of service.

Official announcement: NVIDIA has released a software update for NVIDIA® Jetson AGX Xavier™ series, Jetson Xavier™ NX, Jetson TX1, Jetson TX2 series (including Jetson TX2 NX) in the NVIDIA JetPack™ software development kit (SDK). Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5343

Redis vulnerabilities – Lua readonly tables (CVE-2022-24736, CVE-2022-24735) – 27th April 2022

Preface: Complex data queries not to use Redis as a Database.
Big data and the new phenomenon open data are closely related but they’re not the same. Open data is information that is available to the public, regardless of its intended purpose.

Background: Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet. Redis is an in-memory database that persists on disk. It can be used as a distributed cache, which is probably its most common and popular use case, as a NoSQL Database and as a Message broker (pub\sub mode, similar to Kafka or RabbitMQ).

Redis EVAL command is used to evaluate scripts using the Lua interpreter. Lua lets you run part of your application logic inside Redis. Such scripts can perform conditional updates across multiple keys, possibly combining several different data types atomically. Scripts are executed in Redis by an embedded execution engine.

Vulnerability details:

(CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. This issue affects all versions of Redis.
(CVE-2022-24735) By exploiting weaknesses in the Lua script execution
environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user.

By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will execute with the (potentially higher) privileges of another Redis user.

Ref: This type of vulnerability (known as CWE-94) occurs when a developer uses the Lua loadstring() function and passes it untrusted data that an attacker can modify. The loadstring() function will compile the code and return a function that when called has the same effect as executing the string. Attackers can use this to inject arbitraty Lua code that is then executed by the web application.

Several weaknesses of these measures have been publicly known for a long time.

Official announcement: Please refer to the link for details – https://github.com/redis/redis/pull/10651

Remedy: The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to SCRIPT LOAD and EVAL commands using ACL rules.