Category Archives: Potential Risk of CVE

CVE-2024-21318 – SharePoint Enterprise Server 2016, 2019 and Subscription Edition design limitation (10th Jan 2024)

Preface: Under normal circumstances, CVEs are recorded sequentially every year. Microsoft announced CVE-2024-21318 on January 9, 2024. It is the start of a new year, and this record made me speculate whether plenty of design weaknesses were found in 2023. That still needs to be verified. Because of the huge volume of data, each finding has to wait for its official CVE reference number, so some carry forward into 2024. This brings the total to five figures.

Background: Microsoft did not disclose details, so the technical details are not yet clear. Do you think SharePoint Add-ins are one of the possible factors in this matter?

A SharePoint Add-in is a self-contained piece of functionality that extends the capabilities of SharePoint websites to solve a well-defined business problem. Add-ins don’t have custom code that runs on SharePoint servers. Instead, all custom logic moves “up” to the cloud, or “down” to client computers, or “over” to an on-premises server that is outside the SharePoint farm or SharePoint Online subscription. Keeping custom code off SharePoint servers provides reassurance to SharePoint administrators that the add-in can’t harm their servers or reduce the performance of their SharePoint Online websites.

Business logic in a SharePoint Add-in can access SharePoint data through one of the several client APIs included in SharePoint. Which API you use for your add-in depends on certain other design decisions you make.

Vulnerability details: Microsoft SharePoint Server Remote Code Execution Vulnerability. Technical details unknown.

Remedy: Applying the patch can eliminate this problem. Possible mitigations were released immediately after the vulnerability was disclosed.

Official announcement: Please refer to the link for details –

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21318

CVE-2023-34326: Potential risk allowing access to unintended memory regions (8th JAN 2024)

Preface: In fact, by the time the vulnerability was released to the public, the design limitations and/or flaws had already been fixed. You may ask what room for discussion is left for a vulnerability that has already been found. As you know, an increasing number of vendors remain compliant with CVE policies, but the technical details are not disclosed. If your focus is understanding, you can still learn about the specific techniques involved even when the vendor releases no details. The techniques you learn can expand your horizons.

Background: AMD-Vi is the I/O memory management unit (IOMMU) embedded in the chipset of the AMD Opteron 6000 Series platform. The IOMMU is a key technology for extending the CPU’s virtual memory to GPUs to enable heterogeneous computing. AMD-Vi (also known as AMD IOMMU) also allows PCI passthrough.

DMA mapping is a conversion from virtual addressed memory to a memory which is DMA-able on physical addresses (actually bus addresses).

DMA remapping maps virtual addresses in DMA operations to physical addresses in the processor’s memory address space. Similar to MMU, IOMMU uses a multi-level page table to keep track of the IOVA-to-PA mappings at different page-size granularity (e.g., 4-KiB, 2-MiB, and 1-GiB pages). The hardware also implements a cache (aka IOTLB) of page table entries to speed up translations.

AMD processors use two distinct IOTLBs for caching Page Directory Entry (PDE) and Page Table Entry (PTE) (AMD, 2021; Kegel et al., 2016).

Ref: If your application scenario does not require virtualization, disable AMD Virtualization Technology. With virtualization disabled, also disable the AMD IOMMU, since it can introduce differences in memory-access latency. Finally, also disable SR-IOV.

Vulnerability details: The cache invalidation guidelines in the AMD-Vi specification (48882—Rev 3.07-PUB—Oct 2022) are incorrect on some hardware: devices will malfunction (see stale DMA mappings) if some fields of the DTE are updated but the IOMMU TLB is not flushed. Such stale DMA mappings can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions.
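To make the invalidation rule concrete, here is a toy model written for this post (it is not Xen, Linux or AMD code): a device table entry is rewritten to point at a new domain, and a DMA translation afterwards either hits a stale IOTLB entry or, if the IOTLB was flushed, the new page table. The single-level page walk, the four-slot IOTLB and all function names are assumptions made for the model.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not Xen or AMD code: a toy model of the invalidation rule
 * behind CVE-2023-34326. A device table entry (DTE) selects the device's page
 * table; the IOTLB caches IOVA->PA translations derived from it. Rewriting the
 * DTE without flushing the IOTLB lets later DMA resolve through the stale entry
 * into memory outside the device's current domain. Walk and IOTLB are toys. */
#define IOTLB_SLOTS 4

struct page_table { uint64_t base_pa; };               /* toy: PA = base + IOVA */
struct dte { const struct page_table *pt; bool valid; };
struct iotlb_entry { uint64_t iova, pa; bool valid; };

static struct dte device_table[1];
static struct iotlb_entry iotlb[IOTLB_SLOTS];
void iommu_flush_device(int devid) { (void)devid; memset(iotlb, 0, sizeof iotlb); }

static uint64_t page_walk(const struct dte *d, uint64_t iova) {
    return (d->valid && d->pt) ? d->pt->base_pa + iova : 0;   /* 0 = fault */
}

/* Translate as the IOMMU would: an IOTLB hit wins, otherwise walk and cache. */
uint64_t iommu_translate(int devid, uint64_t iova) {
    for (int i = 0; i < IOTLB_SLOTS; i++)
        if (iotlb[i].valid && iotlb[i].iova == iova)
            return iotlb[i].pa;                                /* cached, maybe stale */
    uint64_t pa = page_walk(&device_table[devid], iova);
    if (pa)
        iotlb[(iova / 4096) % IOTLB_SLOTS] = (struct iotlb_entry){ iova, pa, true };
    return pa;
}

/* Repoint the device at another page table. The flush is the step the spec's
 * guidance omitted for some DTE fields; on affected hardware it is required. */
void iommu_set_dte(int devid, const struct page_table *pt, bool flush) {
    device_table[devid] = (struct dte){ pt, pt != NULL };
    if (flush) iommu_flush_device(devid);
}

/* True if a DMA issued after the DTE update still lands in the old domain. */
bool stale_mapping_after_dte_update(bool flush_after_update) {
    static const struct page_table old_domain = { 0x10000000 }, new_domain = { 0x20000000 };
    iommu_flush_device(0);
    iommu_set_dte(0, &old_domain, true);
    iommu_translate(0, 0x1000);                                /* warms the IOTLB */
    iommu_set_dte(0, &new_domain, flush_after_update);
    return iommu_translate(0, 0x1000) == old_domain.base_pa + 0x1000;
}
```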

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-34326

Android Security Bulletin – Released January 2024, covers a vulnerability in August 2023 (CVE-2023-21651) – 4th Jan 2024

Preface: Android publishes a security bulletin once a month, in the traditional way. However, when the design limitations relate to other suppliers, the vulnerability details also include the responses from the relevant manufacturers. Therefore, Qualcomm also released its own assessment of the severity of these problems.

I was not paying attention to this vulnerability in August 2023. Out of personal interest, maybe I’ll take this opportunity to dig into the details of this vulnerability. If you are interested, please become my guest.

Background: The full name of TEE is trusted execution environment, which is an area on the CPU of mobile devices (smart phones, tablets, smart TVs). The role of this area is to provide a more secure space for data and code execution, and to ensure their confidentiality and integrity.

Other TEE operating systems are traditionally supplied as binary blobs by third-party vendors or developed internally. Developing internal TEE systems or licensing a TEE from a third-party can be costly to System-on-Chip (SoC) vendors and OEMs.

Trusty is a secure Operating System (OS) that provides a Trusted Execution Environment (TEE) for Android. A Trusty application is defined as a collection of binary files (executables and resource files), a binary manifest, and a cryptographic signature. At runtime, Trusty applications run as isolated processes in unprivileged mode under the Trusty kernel.

The Qualcomm Trusted Execution Environment software cryptographic library is part of the implemented software hybrid module within the Snapdragon SoC architecture, which forms the physical boundary of a single-chip software hybrid module.

Vulnerability details: Memory Corruption in Core due to incorrect type conversion or cast in secure_io_read/write function in TEE.

Official announcement: Please refer to the link for details –

Android: https://source.android.com/docs/security/bulletin/2024-01-01

Qualcomm: https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2023-bulletin.html

CVE-2023-43514 – Use After Free in DSP Services (3rd JAN 2024)

Preface: Is Qualcomm Snapdragon based on Arm? Qualcomm’s Snapdragon X Elite SoC is built around its brand-new Arm CPU core ‘Oryon’, developed from its Nuvia acquisition, on TSMC’s 4nm process node. The CPU uses the Armv8.7 instruction set and features 12 high-performance ‘Oryon’ cores clocked at 3.8GHz.

Background: How do you call ioctl from user space? To invoke the ioctl commands of a device, the user-space program opens the device first, then issues the appropriate ioctl() call with any necessary arguments. On the kernel side, the driver handles it with a prototype such as:

static int mydrvr_ioctl (struct inode *inode, struct file *filp, unsigned int cmd, unsigned long arg); /* legacy .ioctl file operation; current kernels use long (*unlocked_ioctl)(struct file *, unsigned int, unsigned long) */

Ref: A kbase_context object is responsible for managing resources for each driver file that is opened and is unique for each file handle. In particular, the kbase_context manages different types of memory that are shared between the GPU devices and user space applications.

Ref: DSPs are optimized in two key areas compared to classic CPUs. They accelerate common DSP mathematical operations in hardware and boast specific memory architectures designed for real-time data streams. A DSP is designed for performing mathematical functions like “add”, “subtract”, “multiply” and “divide” very quickly.

Vulnerability details: Memory corruption while invoking IOCTL calls from user space for internal mem MAP and internal mem UNMAP.

Consequence: Use After Free vulnerability in DSP Services

Official announcement: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2024-bulletin.html

CVE-2023-33025: Speculate what would cause a vulnerability to become a critical risk level (1st JAN 2024)

Preface: VoLTE stands for Voice over Long-Term Evolution or Voice over LTE. VoLTE makes it possible to place voice calls over the LTE/4G* mobile network. Previously, 4G was limited to surfing the Internet; for calls, your phone automatically switched to 3G or 2G.

Background: A 5G modem-RF system is a combination of two different technologies that work together to enable 5G communication. The modem is the part of the system that processes the digital signals, including encoding and decoding data, and managing the connection to the network.

Voice over LTE, or VoLTE, is a digital packet technology that uses 4G LTE networks to route voice traffic and transmit data. From a technical point of view, VoLTE uses “Internet data,” whereas traditional voice calls are circuit-switched.

Ref: For example: Qualcomm Snapdragon X55 5G Modem-RF System is a comprehensive modem-to-antenna solution designed to allow OEMs to build 5G multimode devices for a new era of connected experiences.

Vulnerability details: Memory corruption in Data Modem when a non-standard SDP body is received during a VoLTE call.

Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
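What CWE-120 looks like in a session-description parser, as an added example for this post (not Qualcomm’s modem code): an SDP attribute value is copied into a fixed buffer, first with no size check and then with the check that rejects a non-standard over-long body before any byte is written. The buffer size, the SDP lines and the function names are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Qualcomm modem code: the CWE-120 pattern the advisory
 * names, on a constructed SDP "a=" attribute line, beside a bounds-checked
 * form. The buffer size, line contents and function names are assumptions. */
#define ATTR_VALUE_MAX 16

/* Vulnerable pattern: copies the attribute value after ':' up to the end of
 * the SDP line into a fixed buffer without comparing its length with the
 * buffer size. A non-standard, over-long value overruns 'out'.
 * Kept only to show the defect; never call it on untrusted input. */
void copy_attr_unchecked(const char *line, char out[ATTR_VALUE_MAX])
{
    const char *value = strchr(line, ':');
    value = value ? value + 1 : line;
    size_t n = strcspn(value, "\r\n");
    memcpy(out, value, n);                   /* CWE-120: n never checked */
    out[n] = '\0';
}

/* Hardened form: the value must fit together with its terminator or the
 * line is rejected. Returns 0 on success, -1 if malformed or too long. */
int copy_attr_checked(const char *line, char *out, size_t out_len)
{
    const char *colon = strchr(line, ':');
    if (!colon || out_len == 0)
        return -1;
    const char *value = colon + 1;
    size_t n = strcspn(value, "\r\n");       /* value ends with the SDP line */
    if (n >= out_len)                        /* no room for value + NUL */
        return -1;
    memcpy(out, value, n);
    out[n] = '\0';
    return 0;
}

/* Constructed SDP lines: a standard rtpmap and a non-standard over-long one. */
const char *SDP_STANDARD = "a=rtpmap:96 AMR-WB/16000\r\n";
const char *SDP_NONSTANDARD =
    "a=rtpmap:96 AMR-WB/16000 padding-that-no-standard-body-carries\r\n";

int main(void)
{
    char buf[ATTR_VALUE_MAX];
    int rc = copy_attr_checked(SDP_STANDARD, buf, sizeof buf);
    printf("standard line: rc=%d value=\"%s\"\n", rc, rc == 0 ? buf : "");
    rc = copy_attr_checked(SDP_NONSTANDARD, buf, sizeof buf);
    printf("non-standard line: rc=%d (rejected before any copy)\n", rc);
    return 0;
}
```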

Official announcement: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2024-bulletin.html

CVE-2023-37188 Artificial Intelligence world versus tiny software components. Do not underestimate a noncritical vulnerability! (27th December 2023)

Preface: Data science is an interdisciplinary field that combines statistical analysis, programming, and domain knowledge to extract valuable insights and make data-driven decisions.

Background: 2020 was a year in which the Blosc project received significant donations, totalling $55,000 to date. The most important tasks were carried out between January 2020 and August 2020. Most of these tasks related to the fastest-moving projects under development: C-Blosc2 and Caterva (including its cat4py wrapper).

C-Blosc2 is the new major version of C-blosc, and it provides backward compatibility to both the C-Blosc1 API and its in-memory format.

C-Blosc2 adds new data containers, called superchunks, that are essentially a set of compressed chunks in memory that can be accessed randomly and enlarged during its lifetime.

Vulnerability details: C-blosc2 before 2.9.3 was discovered to contain a NULL pointer dereference via the function zfp_rate_decompress at zfp/blosc2-zfp[.]c.

My observation: On many platforms, dereferencing a null pointer results in abnormal program termination.

The chunkdata pointer is later used as the destination argument of a memcpy() call, so user-supplied data overwrites memory starting at address 0. This is a potential example of a code-execution exploit arising from a null pointer dereference.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-37188

CVE-2023-5869 postgresql: Buffer overrun from integer overflow in array modification (20th Dec 2023)

Preface: PostgreSQL allocates memory from the work_mem pool when a query requires sorting or hashing. If there is not enough memory available in the work_mem pool, PostgreSQL will spill to disk. temp_buffers controls the amount of memory allocated for temporary tables.

Does Postgres write to disk? To guard against unforeseen failures, PostgreSQL periodically writes full page images to permanent storage before modifying the actual page on disk. By doing this, during crash recovery PostgreSQL can restore partially-written pages.

Background: Declaring an array in PostgreSQL is straightforward. An array data type is defined by appending square brackets [] to any valid data type. This could be an array of integers, text, boolean values, or even more complex data types like composite types or other arrays.
Many databases support array fields of a scalar type. SQL allows ARRAY column types. In PostgreSQL, INTEGER[5] represents an array of 5 integers.

Vulnerability details: A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server’s memory.
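The arithmetic an array-extension path has to get right, as an added model for this post rather than PostgreSQL source: assigning to a subscript outside the current bounds of a one-dimensional array enlarges it, and the new bounds, element count and byte size are computed with checked arithmetic so that a request that would wrap is refused instead of producing an undersized allocation. The struct, function names and the element cap are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Added example, not PostgreSQL source: a model of the size arithmetic that an
 * integer-overflow bug of the kind CVE-2023-5869 describes gets wrong. Assigning
 * to subscript 'idx' of a one-dimensional array with bounds [lb, lb + dim - 1]
 * may extend the array; the new bounds, element count and byte size are computed
 * with checked arithmetic so an out-of-range request is refused instead of
 * wrapping into an undersized allocation. Names and the cap are assumptions. */
#define MAX_ARRAY_ELEMS 0x7FFFFFF   /* assumed ceiling; wrapped values never pass it */

struct array_dims { int32_t lb; int32_t dim; };

/* Computes the extended dims and byte size for elements of 'elem_size' bytes.
 * Returns false (and writes nothing) if any step would overflow or exceed the cap. */
bool array_extend_dims(struct array_dims a, int32_t idx, size_t elem_size,
                       struct array_dims *out, size_t *out_bytes)
{
    int32_t old_ub, new_lb, new_ub, span, new_dim;
    size_t bytes;

    if (a.dim <= 0 || elem_size == 0)
        return false;
    /* old upper bound: lb + dim - 1, each step checked */
    if (__builtin_add_overflow(a.lb, a.dim, &old_ub) ||
        __builtin_sub_overflow(old_ub, 1, &old_ub))
        return false;
    new_lb = idx < a.lb ? idx : a.lb;
    new_ub = idx > old_ub ? idx : old_ub;
    /* new dim: ub - lb + 1; a wrap here yields a small, wrong element count */
    if (__builtin_sub_overflow(new_ub, new_lb, &span) ||
        __builtin_add_overflow(span, 1, &new_dim))
        return false;
    /* byte size for the allocation, also checked, plus the sanity cap */
    if (new_dim > MAX_ARRAY_ELEMS ||
        __builtin_mul_overflow((size_t)new_dim, elem_size, &bytes))
        return false;
    out->lb = new_lb;
    out->dim = new_dim;
    *out_bytes = bytes;
    return true;
}
```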

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-5869

CVE-2023-28546: Buffer Copy Without Checking Size of Input in SPS Applications (19th Dec 2023)

Preface: But what is the significance of the SPS keyword? Qualcomm didn’t mention it. Let’s trace whether we can find the weak points of the design.

Background: The Qualcomm Secure Processing Unit is an isolated hardware security core implemented in the Snapdragon 8cx Gen 3 Mobile Compute Platform SoC. As such, this security core incorporates standalone ROM, RAM, CPU, cryptographic acceleration units, countermeasure sensors, one-time programmable memory, etc. It provides key generation, signing and verification using RSA and ECC cryptosystems across a range of modes.

Ref: SPS can be a term related to encryption capabilities, and it can be applied to UDSF. For example, Samsung SDS UDSF is a 3GPP-standard-based network function for the 5G core network, mainly used to store call-processing and session-related unstructured information of network functions such as AMF, SMF, etc.

SPS encryption functions: Methods in this class help an admin encrypt files output from SPS. For now it is only used to encrypt and decrypt snapshots. This class requires the SPS database. It inherits all functions from the spsDb class, so there is no need to initialize the spsDb container. This class is required to run an SPS app and needs to be initialized at global level.

Vulnerability details: Memory Corruption in SPS Application while exporting public key in sorter TA.

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2023-28546

https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2023-bulletin.html

CVE-2023-4622: Should it be patched by the processor vendor or by SUSE? (14th Dec 2023)

Preface: Unix domain sockets and network sockets have different security characteristics. In general, Unix domain sockets are considered to be more secure than network sockets, as they are not exposed to the network and are only accessible to processes on the same machine.

Background: A Unix domain socket, aka UDS or IPC socket (inter-process communication socket), is a data communications endpoint for exchanging data between processes executing on the same host operating system. It is also referred to by its address family, AF_UNIX.

DOCA Socket Relay allows Unix Domain Socket (AF_UNIX family) server applications to be offloaded to the DPU while communication between the two sides is proxied by DOCA Comm Channel.

Vulnerability details: A use-after-free vulnerability in the Linux kernel’s af_unix component can be exploited to achieve local privilege escalation. The unix_stream_sendpage() function tries to add data to the last skb in the peer’s recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-4622

About CVE-2023-40078: The OPUS a2dp codec on the Android platform has a design flaw that may lead to paired-device escalation of privilege (14th Dec 2023)

Preface: A2DP is a protocol supported on most Bluetooth audio devices. Opus is open source, and OPUS a2dp was introduced in Android 13.

Background: In Bluetooth, there is a possibility of code execution due to a use after free. This could lead to paired-device escalation of privilege in the privileged Bluetooth process with no additional execution privileges needed. User interaction is not needed for exploitation. Such a design weakness was published on 30th Oct, 2023; its CVE reference is CVE-2023-21361.

The advantage of using C++ for Android app development is its ability to create cross-platform apps. By writing platform-agnostic code in C++, you can reuse it for developing iOS apps using tools like Apple’s Xcode and Swift. This allows for efficient code sharing between the Android and iOS platforms.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-40078