Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: FortiAnalyzer platforms integrate network logging, analysis, and reporting into a single system, delivering increased knowledge of security events throughout your network. FortiManager provides automation-driven centralized management of your Fortinet devices from a single console. Both devices operate in a network-based structure. Therefore, it requires a web browser or CLI (command line) for the end user to work.

Vulnerability details: An improper handling of insufficient permissions or privileges vulnerability [CWE-280] in FortiAnalyzer and FortiManager may allow an authenticated attacker to bypass the device policy and force the password-change action for its user.

My observation My observation (one of the possibilities): Authentication bypass vulnerabilities exist when authentication state is not consistently enforced on the devices (FortiAnalyzer and FortiManager). As a result, it can be tampered by clients.

The vulnerability risk level is not high (CVSS v3=3.9). But it will let you know more. The client can arbitrarily change the GET parameters sent with the request. Nothing prevents the client from simply changing the parameter value. It effectively bypassing policy. Since this vulnerability in low risk (enforce password change to its user). Whether there will be unknown problems, we do not know.

Official announcement – For details, please refer to the link – https://www.fortiguard.com/psirt/FG-IR-21-255

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: Dropbox will be deployed lossless compression algorithms that are processed for certain classes of files and storage, like Lepton for jpeg images, and Pied-Piper-esque lossless video encoding. For other file types, Dropbox currently uses the zlib compression format, which saves almost 8% of disk storage.

Lepton is a tool and file format for actively compressing JPEGs. First developed by Daniel Horn at a Dropbox Hack Week, this streaming image compression format achieves a 22% savings reduction for existing JPEG images, while preserving the original file bit-for-bit perfectly.

Vulnerability details: A security vulnerability exists in the ‘build_huffcodes’ function of the lepton/jpgcoder[.]cc file. A remote attacker can exploit this vulnerability to cause a denial of service by means of a specially crafted jpeg file.

Reference: Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program’s implicit security policy. Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker’s code. Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory. For example, object methods in C++ are generally implemented using function pointers. Even in C programs, there is often a global offset table used by the underlying runtime.

Official announcement: For details , please refer to the link – https://drive.google.com/file/d/1bJlHozO37c5NZ1wI0NBWh0yHHyTcfaQL/view?usp=sharing

https://github.com/dropbox/lepton/issues/154

https://github.com/dropbox/lepton

Preface: Perhaps the risk of this vulnerability is not high. However, if attackers exploit specific design weaknesses. It’s hard to say if Lamda can’t direct the attack to the backend service cloud.

Background: Alexa is able to play music, provide information, deliver news and sports scores, tell you the weather, control your smart home and even allow Prime members to order products from Amazon.

Alexa is always listening, but not constantly recording. It doesn’t send anything to the cloud server until it hears your wake word (Alexa, Echo, or Computer). Without internet, any request or question you make will fail. This is because your commands are sent to the cloud for interpretation and decision making. Not every conversation you have in front of the smart speaker is recorded every single time, the design goal only wants you to command the smart speaker to be recorded. For this reason, the company uses wake words to attract the attention of smart speakers. To do this, Amazon uses a combination of fine-tuned microphones, short-memory buffers, and neural network training.

Vulnerability details: Improper Neutralization of audio output from 3rd and 4th Generation Amazon Echo Dot devices allows arbitrary voice command execution on these devices via a malicious skill (in the case of remote attackers) or by pairing a malicious Bluetooth device (in the case of physically proximate attackers), aka an “Alexa versus Alexa (AvA)” attack.

Ref: What is Alexa in Python? What is Alexa command in the skill’s context?

The Alexa Skills Kit SDK for Python simplifies the development of the back-end cloud service for your Alexa skill. A part of the Alexa Skills Kit, the SDK reduces the amount of code you need to write to process Alexa requests and responses and to handle other common skill tasks.

You can built few basic Alexa skills, the goal of these skills related to predefined questions. These predefined skills will do information mapping to find the right answer.

For more details, please refer to the link – https://arxiv.org/abs/2202.08619

Preface: Blockchain protocols are regulations and guidelines followed to achieve its decentralized and distributed nature, to ensure secure transactions, and more. There are three basic types of blockchain: public blockchain, consortium blockchain and private blockchain.

Background: RigoBlock is a blockchain protocol that makes it possible for anyone to set up and run a digital token pool. It is an open protocol which developers can use for building their own applications for token management.

Vulnerability details: RigoBlock has been hacked. All tokens in Dragos except ETH and USDT are at risk due to protocol vulnerabilities being exploited. The hacker, “Whitehat”, has returned funds to the affected RigoBlock pool, leaving only 10% of the bug bounty reward.

In RigoBlock Dragos, all versions as of 2022-02-17 and later (until a major protocol update is accomplished) contain an exposed function (CWE-749), specifically setMultipleAllowances() which was not set to onlyOwner. The setMultipleAllowances() function can be to manipulate tokens with the contract.

Ref: CWE-749: Exposed Dangerous Method or Function
The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

Reminder: Blockchain protocols are regulations and guidelines followed to achieve its decentralized and distributed nature, to ensure secure transactions, and more. If it require a major protocol upgrade to fix the design weakness. Before it fixed, you should consider not to use in the moment.

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: Istio makes traffic management transparent to the application, moving this functionality out of the application and into the platform layer as a cloud native infrastructure. Istio complements Kubernetes, by enhancing its traffic management, observability and security for cloud native applications. Istio is an open source service mesh that layers transparently onto existing distributed applications. A service mesh often has complex operational requirements which include A/B testing, canary releases, access control, and rate limiting. These are in addition to its standard requirements of load balancing, discovering, failure recovery, end-to-end authentication, monitoring, and metrics.

Vulnerability details: The Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker……. For more details, please refer to the link – https://istio.io/latest/news/security/istio-security-2022-003/

Remedy: This release fixes the security vulnerabilities described in our February 22nd post, ISTIO-SECURITY-2022-003. This release note describes what’s different between Istio 1.13.0 and 1.13.1. For more details, please refer to the link – https://istio.io/latest/news/releases/1.13.x/announcing-1.13.1/

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: QProcess – Used to start external programs and to communicate with them. The QProcess class is used to start external programs and to communicate with them. To start a process, pass the name and command line arguments of the program you want to run as arguments to start().

What is QProcess in Qt? QProcess manages the output of the running process, keeping standard output and standard error data in separate internal buffers. You can select the QProcess’s current read channel by calling setReadChannel(). This is the default channel mode of QProcess.

Vulnerability details: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.

Impact – Opening files might lead to the execution of malicious binaries if they are placed in the right directories.

Remedy: When passed a simple program name with no slashes, QProcess on Unix systems will now only search the current directory if “.” is one of the entries in the PATH environment variable. This bug fix restores the behavior QProcess had before Qt 5.9.

Ref: If launching an executable in the directory set by setWorkingDirectory() or inherited from the parent is intended, pass a program name starting with “./”. For more information and best practices about finding an executable, see QProcess’ documentation.

Preface: In 2017, half of the world’s top 50 supercomputers used SUSE Enterprise Linux Server. Why does Linux dominate especially in supercomputer market? Linux is a free, open source operating system (OS), released under the GNU General Public License (GPL). Anyone can inspect or modify software “Source code”. Because of Linux cluster break the traditional technology limitation. Even though system developers does not have skill to develop CPU switch (crossbar) and related technology belongs. But they can modify the Linux OS and learn by Linux cluster technique. Finally, they can build their customized super power computing system. If you do a review of the top computer in the world, you will found that more and more super power computing systems are using Linux clustering technology.
Therefore the proprietary technology is not a giant anymore.
As a result, computer programmers can manipulate code to change the way software (“programs” or “applications”) works.

Background: This software (rndis.c) was originally developed in conformance with Microsoft’s Remote NDIS Specification License Agreement.

RNDIS refers to Remote NDIS. The implementation of RNDIS based on USB is actually TCP/IP over USB, which is to tun TCP/IP on the USB device, making the USB device look like a network card. With fast bridge cable, USB 3.1 could deliver a point to point network much faster than 1000-Base-T.

Vulnerability details: The RNDIS_MSG_SET usb control transfer request handler – rndis_set_response calls gen_ndis_set_resp passing a buffer pointer offset by BufOffset + 8. The BufOffset variable is retrieved from the RNDIS message and not validated to respect buffer boundaries. Consequently by manipulating the four byte InformationBufferOffset member of rndis_set_msg_type an attacker may offset the actual buffer by up to 0xffffffff bytes. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory.

Remark: The meaning of GADGET is an often small mechanical or electronic device with a practical use but often thought of as a novelty.

Remedy: Please refer to the link for details – https://github.com/torvalds/linux/commit/38ea1eac7d88072bbffb630e2b3db83ca649b826

Ref: USB 3.1 Gen 1 and Gen 2 offer stimultaneous media rate connection of 5GB/s and 10Gb/s in each direction. As a result USB 3.1 will be faster than 1000-Base-T. Furthermore, a USB bus can have up to 127 target devices, but only one host.
But Linux is flexible since you can read the source code. If you apply your imagination to design your own system. As we know, a USB bus can have up to 127 target devices, but only one host. If you apply Linux clustering concept. Form a new array to a group of array host with ethernet connectivity. So, it can be expandable.

Preface: The DOMParser interface provides the ability to parse XML or HTML source code from a string into a DOM Document .
A module that parses a string as regular expression and returns the parsed value. it is the regular expression solution.

Background: The “url-parse” was created in 2014 when the WHATWG URL API was not available in Node.js and the URL interface was supported only in some browsers. As times goes by, the “url-parse” method exposes two different API interfaces nowadays. It is the url interface from Node.js and the new URL interface that is available in the latest browsers.

In version 1.0.0, url-parse module decide not relies on the RegExp based solution in favor of a pure string parsing solution which chops up the URL into smaller pieces. To parse an URL simply call the URL method with the URL that needs to be transformed into an object.

Vulnerability details: Vulnerability details: Url-parse is not able to verify broken protocol. If a specify host included in blacklist check (refer to attached diagram for details). This will allow to bypass hostname validation when hostname check equals null.

Official announcement: If the userinfo is present but empty, the parsed host is also empty, and url[.]pathname is not '/', then readd the empty userinfo to url[.]href, otherwise the original invalid URL might be transformed into a valid one with url[.]pathname as host. See the link for details – https://github.com/unshiftio/url-parse/commit/ef45a1355375a8244063793a19059b4f62fc8788

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: NSX Data Center for vSphere provides networking and security functionality for your vSphere environment, including logical switching, logical routing, Distributed Firewall, load balancer, NAT, and VPN. NSX Data Center for vSphere is installed as a plug-in to VMware vCenter Server®.

Vulnerability details: The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper input validation in the NSX Edge appliance component. A local user with access to NSX-Edge appliance (NSX-V) can pass specially crafted argument to unspecified shell utility and execute arbitrary OS commands as root.

One of the possibilities: An attacker can exploit a command injection in the NETCONF over SSH access (TCP port 830). the SSH configuration checks if the commands starts with scp and then, evaluates the command as a whole, resulting in a command injection instead of allowing scp command only.
Attacker has a chance to identified a SUID program that can be used to gain full root privileges on the system.

Official announcement: Refer to the link for details – https://www.vmware.com/security/advisories/VMSA-2022-0005.html

Preface: The number 2,147,483,647 (or hexadecimal 7FFF,FFFF) is the maximum positive value for a 32-bit signed binary integer.

Background: TensorFlow is an end-to-end open source platform for machine learning. It has a comprehensive, flexible ecosystem of tools, libraries and community resources that lets researchers push the state-of-the-art in ML and developers easily build and deploy ML powered applications. TensorFlow and Scikit-learn, two of the most popular words from the jargon of the Machine Learning world!

Scikit-learn (sklearn) is positioned as a general-purpose machine learning library , but TensorFlow (tf) is positioned as a deep learning library .

For easy to understand on what ways of processing data with machine learning models. See below details.
– Traditional machine learning: use feature engineering to artificially refine and clean the data
– Deep learning: using representation learning, the machine learning model itself refines the data

Vulnerability details: Under certain scenarios, Grappler component of TensorFlow is vulnerable to an integer overflow during cost estimation for crop and resize. Since the cropping parameters are user controlled, a malicious person can trigger undefined behavior.

Ref: For example: If below setup is customized for agriculture yield analytic and artificial intelligence irrigation system. From design point of view, input not only limit to climatic parameters were considered in predicting the crop yield, the crop yield is influenced by many other input parameters such as irrigation, fertilizer application, pesticide application etc. Since those data will be defined as user input data (crop arguments are user controlled). In this circumstances, if such parameters does not implement maximum data input limit value or verification. As a result, it can trigger an overflow maliciously.

Impact: The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Remedy: Vendor have patched the issue in GitHub commit 0aaaae6eca5a7175a193696383f582f53adab23f.

The fix will be included in TensorFlow 2.8.0. It also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.