Category Archives: Potential Risk of CVE

About CVE-2023-33308: Does the fault not belong to Forti? (12th Jul 2023)

Preface: Security profiles in proxy mode can perform SSL inspection on HTTP/2 traffic that is secured by TLS 1.2 or 1.3 using the Application-Layer Protocol Negotiation (ALPN) extension.

Background: In HTTP/2, a series of “pseudo-headers” is used to send key information about the message. Most notably, several pseudo-headers effectively replace the HTTP/1 request line and status line. In total, there are five pseudo-headers: :method – the HTTP method of the request, such as GET or POST.
Deep packet inspection evaluates the data part and the header of a packet that is transmitted through an inspection point, weeding out any non-compliance with the protocol, spam, viruses, intrusions, and any other defined criteria, so as to block the packet from passing through the inspection point.

Vulnerability details: A stack-based overflow vulnerability [CWE-124] in FortiOS & FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection.

Ref: When using TLS, most clients default to HTTP/1 and explicitly advertise support for HTTP/2 via the ALPN field during the web server TLS handshake. Some web servers that support HTTP/2 are misconfigured so that they do not advertise this fact, causing clients to only communicate with them over HTTP/1 and hiding the potential attack surface. The attacker takes HTTP/1.1-formatted requests as input, then rewrites them as HTTP/2. During the rewrite, a few character mappings are performed on the headers so that pseudo-headers can be overridden by specifying them as fake HTTP/1.1 headers.
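As an added illustration of why the rewrite step above matters (this is not Fortinet's code nor anything from the advisory), the following Python sketch of a proxy-side check refuses HTTP/1.1 header names that would become pseudo-headers, or that carry non-token bytes, when copied verbatim into an HTTP/2 header list; the function and sample names are hypothetical.

```python
import re

# RFC 9110 "token" characters: the only characters allowed in a field name.
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# HTTP/1 connection-specific fields that must not be carried into HTTP/2
# (RFC 9113 section 8.2.2); Host is carried by :authority instead.
CONNECTION_FIELDS = {"connection", "keep-alive", "transfer-encoding", "upgrade", "host"}

class HeaderRejected(ValueError):
    """Raised when a header block must not be forwarded to the HTTP/2 side."""

def validate_h1_headers(headers):
    """Check an HTTP/1.1 header list before it is rewritten into HTTP/2.

    A verbatim rewrite copies client-supplied names into HTTP/2 field names,
    so a name such as ':path' would become a pseudo-header and CR/LF or other
    non-token bytes could corrupt the frame. Reject both here and return the
    list with names lower-cased, as HTTP/2 requires.
    """
    cleaned = []
    for name, value in headers:
        if name.startswith(":"):
            raise HeaderRejected(f"pseudo-header supplied by client: {name!r}")
        if not TOKEN_RE.fullmatch(name):
            raise HeaderRejected(f"illegal characters in header name: {name!r}")
        if any(c in value for c in "\r\n\0"):
            raise HeaderRejected(f"control characters in value of {name!r}")
        cleaned.append((name.lower(), value))
    return cleaned

def build_h2_header_list(method, path, authority, headers, scheme="https"):
    """Build the HTTP/2 header list: the four request pseudo-headers defined
    by RFC 9113 first, then the validated regular fields."""
    h2 = [(":method", method), (":scheme", scheme),
          (":authority", authority), (":path", path)]
    for name, value in validate_h1_headers(headers):
        if name not in CONNECTION_FIELDS:
            h2.append((name, value))
    return h2

def check(headers):
    """Hypothetical proxy hook: report whether a header block would be forwarded."""
    try:
        build_h2_header_list("GET", "/index.html", "example.test", headers)
        return "forwarded"
    except HeaderRejected as exc:
        return f"rejected: {exc}"

# Constructed sample inputs (not captured traffic).
SAMPLE_OK = [("Host", "example.test"), ("Accept", "*/*"), ("Connection", "keep-alive")]
SAMPLE_FAKE_PSEUDO = [("Host", "example.test"), (":path", "/admin"), ("Accept", "*/*")]
SAMPLE_CRLF = [("X-Demo\r\nInjected", "1")]
```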

Official announcement: For details, please refer to the link – https://www.fortiguard.com/psirt/FG-IR-23-183

About CVE-2023-24492: Citrix managed to fight it all (11th July 2023)

Preface: The secure access solution from Citrix provides a unified stack of cloud-delivered services that allows IT to provide a productive hybrid work environment with zero trust security.

Background: Citrix Secure Access client for Linux is a VPN client software managed by NetScaler Gateway that enables users to access corporate data and applications remotely. It protects applications from unauthorized access, application-level threats, and browser-based attacks.
Ref: If the HttpOnly attribute is set on a cookie, then the cookie’s value cannot be read or set by client-side JavaScript. This measure makes certain client-side attacks, such as cross-site scripting, slightly harder to exploit by preventing them from trivially capturing the cookie’s value via an injected script.

Vulnerability details: Vulnerabilities have been discovered in Citrix Secure Access client for Ubuntu (previously Citrix Gateway VPN client for Ubuntu). If exploited, they could allow an attacker to remotely execute code if a victim user opens an attacker-crafted link and accepts further prompts.
The following supported versions are affected by the vulnerability: versions before 23.5.2.
Ref: The Citrix Secure Access and Citrix EPA clients support the HTTPOnly flag on the authentication cookies. NetScaler Gateway admins configure the HTTPOnly feature on the authentication cookies that are generated by web applications. This feature helps in preventing cookie theft due to cross-site scripting.

Official announcement: For details, please refer to the link – https://support.citrix.com/article/CTX564169/citrix-secure-access-client-for-ubuntu-security-bulletin-for-cve202324492

About CVE-2023-21633: This time not my flaw, said Android (11th July 2023)

Preface: The RIL (Radio Interface Layer) of Android is mainly divided into two parts: RILJ and RILC. RILJ runs in the Java part of framework->telephony, and RILC runs in the native part of the HAL layer.

Background: The AP side of the Android platform can be the same across manufacturers, but the Modem side will definitely be very different. One problem that the RIL layer needs to solve is adapting to the Modems of different manufacturers. To meet this compatibility requirement, Android provides the RILC framework, within which different Modem manufacturers connect their own protocols to the AP side. For the Qualcomm platform, its RILC is QCRIL.

Vulnerability details: Memory Corruption in Linux while processing QcRilRequestImsRegisterMultiIdentityMessage request.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-21633

CVE-2023-21250 and CVE-2023-2136: Android managed to fight it all (7th Jul 2023)

Preface: VMOS is a virtual machine app that runs on Android, which can run another Android OS as the guest operating system. Users can optionally run the guest Android VM as a rooted Android OS. The VMOS guest Android operating system has access to the Google Play Store and other Google apps.

Background: It comes down to Android 13 featuring better handling of virtualization. Android 13 supports a common hypervisor in the form of KVM, a kernel-based virtual machine. VMOS lets you run a virtual Android machine on your phone. CAP_NET_ADMIN is in any user or network namespace. If VMOS also relies on a namespace architecture, the consequences of the vulnerability will follow. It is a critical vulnerability.
This vulnerability is the same as CVE-2023-21250, which is a critical-level vulnerability.

Vulnerability details: The official announcement did not provide any details on CVE-2023-21250. However, my speculation is that CVE-2023-21250 and CVE-2023-2136 may be the same as the vulnerability shown in the attached diagram.

Official announcement: For details, please refer to the link – https://source.android.com/docs/security/bulletin/2023-07-01

About CVE-2023-31248 & CVE-2023-35001: CAP_NET_ADMIN is in any user or network namespace. Does it have impact to downstream vendor? (6th July 2023)

Preface: CAP_NET_ADMIN is in any user or network namespace.

Background: The “Capabilities” mechanism was introduced after Linux kernel 2.2. If the “Capabilities” setting is incorrect, it will give attackers an opportunity to achieve privilege escalation. Linux capabilities provide a subset of the available root privileges to a process.
Starting from the Linux 2.1 kernel, the concept of a capability was introduced to achieve fine-grained access control.
You can find the capabilities defined in /usr/include/linux/capability[.]h (see below):

  • CAP_CHOWN (0) – allows changing file ownership
  • CAP_DAC_OVERRIDE (1) – ignores all DAC access restrictions on the file
  • CAP_DAC_READ_SEARCH (2) – ignores all restrictions on read and search operations
  • CAP_FOWNER (3) – if the file belongs to the UID of the process, cancels the restriction on the file
  • CAP_FSETID (4) – allows setting the setuid bit
  • …
  • CAP_NET_ADMIN (12) – allows performing network administration tasks: interfaces, firewalls, routing, etc.

Vulnerability details:
CVE-2023-31248 Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability;
nft_chain_lookup_byid() failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace.
For details, please refer to the link – https://www.tenable.com/cve/CVE-2023-31248

CVE-2023-35001 Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace.

Focus on CVE-2023-31248
This is due to nft_chain_lookup_byid() ignoring the genmask.
Remark: The Genmask field is the bit mask that IP applies to the destination address from the packet to see if the address matches the destination value in the table.
If a bit is on in the bit mask, the corresponding bit in the destination address is significant for matching the address.
Once the first table is removed, all the member objects, as well as the table itself, are kfree()’d, but the references are kept in the second table, so a use-after-free condition is encountered.
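As an added example (not from the post or the kernel sources), this Python helper decodes the Cap* masks that /proc/<pid>/status prints, using the bit numbering from capability.h shown above, so a defender can spot processes that hold CAP_NET_ADMIN in their effective set and can therefore reach the nftables interface; the sample status text is constructed.

```python
# Capability bit numbers from <linux/capability.h>: the index of each name in
# this list is its bit position, matching the numbering shown above.
CAPABILITIES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

def decode_caps(mask_hex):
    """Turn a hex capability mask, as printed in /proc/<pid>/status, into names."""
    mask = int(mask_hex, 16)
    names = {name for bit, name in enumerate(CAPABILITIES) if mask >> bit & 1}
    if mask >> len(CAPABILITIES):          # bits this table does not know about
        names.add("UNKNOWN_HIGHER_BITS")
    return names

def parse_status(text):
    """Collect the Cap* lines of a /proc/<pid>/status dump as {set_name: names}."""
    caps = {}
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key.startswith("Cap"):
            caps[key] = decode_caps(val.strip())
    return caps

def effective_caps_of_concern(text, watch=("CAP_NET_ADMIN",)):
    """Which of the watched capabilities the process can actually use (CapEff)."""
    return set(watch) & parse_status(text).get("CapEff", set())

# Constructed sample (not a real capture): a uid 1000 process that kept
# CAP_NET_ADMIN in its effective set, i.e. one that can program nftables.
SAMPLE_STATUS = """Name:\tnft-demo
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000001000
CapEff:\t0000000000001000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
NoNewPrivs:\t0
"""
```

On a real host the same functions can be fed the contents of /proc/<pid>/status for every process to list which ones hold CAP_NET_ADMIN.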

CVE-2023-22387 Use of Out-of-range Pointer Offset in Qualcomm IPC (4th July 2023)

Preface: Gunyah is a Type-1 hypervisor designed for strong security, performance and modularity. Independent of any high-level OS kernel, Gunyah runs in a higher CPU privilege level, and does not depend on any lower-privileged OS kernel/code for its core functionality.

Background: Gunyah is a product of Qualcomm Innovation Center, Inc.: an open-source type-1 hypervisor developed by Qualcomm with an emphasis on security and other features.
There are two types of process:

  • Independent processes – processes that do not share data with other processes.
  • Cooperating processes – processes that share data with other processes. Inter-process communication (IPC) is the mechanism by which cooperating processes share data and information.

Shared memory:

  • A particular region of memory is shared between cooperating processes.
  • Cooperating processes can exchange information by reading and writing data to this shared region.
  • It is faster than message passing, as the kernel is required only once, to set up the shared memory. After that, kernel assistance is not required.

Vulnerability details: Arbitrary memory overwrite when VM gets compromised in TX write leading to Memory Corruption.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-22387

CVE-2023-2728: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin (3rd Jul 2023)

Preface: When you know there is a vulnerability in a tool, perhaps your security awareness level will decrease. Maybe that makes sense: if you don’t use the tool, the risk is nullified.
But sometimes there are exceptions and coincidences. Something similar happens in the Kubernetes environment as well.

Background: Ephemeral containers differ from other containers in that they lack guarantees for resources or execution, and they will never be automatically restarted, so they are not appropriate for building applications.
Ephemeral containers are useful for interactive troubleshooting when kubectl exec is insufficient because a container has crashed or a container image doesn’t include debugging utilities.

In Kubernetes, namespaces provide a mechanism for isolating groups of resources within a single cluster.

  • IPC namespaces contain a specific kind of IPC objects known as “POSIX IPC” and “SysV IPC” – shared memory areas, message queues, and semaphores.
  • Mount (MNT) namespaces are a powerful tool for creating per-process file system trees, thus per-process root filesystem views.
    Linux maintains a data structure for all the different filesystems mounted on the system. This structure is a per-process attribute and also per-namespace.

Vulnerability details: Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes[.]io/enforce-mountable-secrets annotation are used together with ephemeral containers.
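As an added example (not Kubernetes' code nor the admission plugin itself), this Python function performs the mountable-secrets check the advisory describes, walking volumes, initContainers, containers and ephemeralContainers so that a debug container cannot pull in a Secret the service account does not list; the sample objects are constructed.

```python
def secret_refs(container):
    """Secret names one container spec references through env and envFrom."""
    refs = set()
    for env in container.get("env", []):
        key_ref = env.get("valueFrom", {}).get("secretKeyRef")
        if key_ref:
            refs.add(key_ref["name"])
    for src in container.get("envFrom", []):
        if "secretRef" in src:
            refs.add(src["secretRef"]["name"])
    return refs

def pod_secret_refs(pod_spec):
    """Every Secret the pod references: volumes plus all three container lists.
    ephemeralContainers is the list a check must not skip."""
    refs = set()
    for vol in pod_spec.get("volumes", []):
        if "secret" in vol:
            refs.add(vol["secret"]["secretName"])
        for src in vol.get("projected", {}).get("sources", []):
            if "secret" in src:
                refs.add(src["secret"]["name"])
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(field, []):
            refs |= secret_refs(container)
    return refs

def mountable_secret_violations(pod_spec, service_account):
    """Secrets the pod references that the service account does not list.
    Enforced only when the SA carries the enforce-mountable-secrets annotation."""
    annotations = service_account.get("metadata", {}).get("annotations", {})
    if annotations.get("kubernetes.io/enforce-mountable-secrets") != "true":
        return set()
    allowed = {s["name"] for s in service_account.get("secrets", [])}
    return pod_secret_refs(pod_spec) - allowed

# Constructed sample objects, shaped like the API's ServiceAccount and PodSpec.
SERVICE_ACCOUNT = {
    "metadata": {"name": "app",
                 "annotations": {"kubernetes.io/enforce-mountable-secrets": "true"}},
    "secrets": [{"name": "app-token"}],
}
POD_SPEC = {
    "serviceAccountName": "app",
    "containers": [{"name": "web", "envFrom": [{"secretRef": {"name": "app-token"}}]}],
    # The debug container added later is where the pre-fix plugin did not look.
    "ephemeralContainers": [{"name": "debug", "env": [{"name": "DB_PW", "valueFrom":
        {"secretKeyRef": {"name": "db-admin", "key": "password"}}}]}],
}
```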

Official announcement: For details please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-2728

NVIDIA empowers Artificial Intelligence competence. At the same time, the vendor urges staying alert for product vulnerabilities (2nd Jul 2023)

Preface: The A800 has a data transfer rate of 400GB/s, while the A100 is 600GB/s; as such, the A800 complies with the 600GB/s-or-less threshold.

Background: What is SMM? It turned out to be the SM of the Fermi era and the SMX of the Kepler era. If you enlarge the SMX core of Kepler, you will see more LD/ST access units than in Fermi, which also means that the number of execution threads processed by Kepler in a single cycle is higher than that of Fermi.
A Streaming Multiprocessor is composed of CUDA Cores, a PolyMorph Engine and other units.
Simply put, the number of CUDA Cores built into the SMM unit was fine-tuned from 192 to 128. The SMM is divided into 4 small blocks, and each block has its own independent control logic. In the past, these control logics had to be responsible for a large number of CUDA Cores; splitting the SMM into small blocks changes that.

Vulnerability details:
CVE-2023-25521: The NVIDIA DGX A100 and A800 systems contain a vulnerability in SBIOS, where improper validation of an input parameter may lead to code execution, escalation of privileges, denial of service, information disclosure, and data tampering.
CVE-2023-25522: The NVIDIA DGX A100 and A800 systems contain a vulnerability in SBIOS, where information that is provided in an unexpected format may cause improper validation of an input parameter, which may lead to denial of service, information disclosure, and data tampering.

Best practice: Disable all features in the UEFI and OS that are not used. This reduces the attack surface.
Configure your system to only execute signed code and signed kernel modules, if possible.

Official announcement: For details, please refer to the link – https://nvidia.custhelp.com/app/answers/detail/a_id/5461

CVE-2023-22886: Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider (30th June 2023)

Preface: Airflow is a platform to programmatically author, schedule, and monitor workflows. Specifically, it is used in Machine Learning to create pipelines.

Background: Apache Airflow™ is an open-source platform for developing, scheduling, and monitoring batch-oriented workflows. This open-source platform is most suitable for pipelines that change slowly, are related to a specific time interval, or are pre-scheduled. It’s a popular solution that many data engineers rely on for building their data pipelines. Data pipelines work with ongoing data streams in real time. It’s been used to run SQL, machine learning models, and more.

Apache Airflow is a Python-based platform to programmatically author, schedule and monitor workflows. It is well-suited to machine learning for building pipelines, managing data and training models.

You can use Apache Airflow to schedule pipelines that extract data from multiple sources, run Spark jobs or other data transformations, and train machine learning models.

Vulnerability details: Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider. The Airflow JDBC Provider Connection’s [Connection URL] parameters had no restrictions, which made it possible to implement RCE attacks via different types of JDBC drivers and obtain Airflow server permissions. This issue affects Apache Airflow JDBC Provider: before 4.0.0.

Recommendation: For security purposes, you should avoid building the connection URLs based on user input. For user name and password values, use the connection property collections. Restrict direct usage of driver params via extras for JDBC connection.

Remedy: To configure driver parameters (driver path and driver class), you can use the following methods:

  1. Supply them as constructor arguments when instantiating the hook.
  2. Set the “driver_path” and/or “driver_class” parameters in the “hook_params” dictionary when creating the hook using SQL operators.
  3. Set the “driver_path” and/or “driver_class” extra in the connection and correspondingly enable the “allow_driver_path_in_extra” and/or “allow_driver_class_in_extra” options in the “providers[.]jdbc” section of the Airflow configuration.
  4. Patch the “JdbcHook.default_driver_path” and/or “JdbcHook.default_driver_class” values in the “local_settings[.]py” file.
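As an added example (not the provider's own code), the following Python re-implements the precedence that the four methods above describe: constructor argument, then hook_params, then the connection extra only when the matching allow_driver_path_in_extra / allow_driver_class_in_extra option is on, then the default. The default values and the sample extras are constructed.

```python
import logging

log = logging.getLogger("jdbc-driver-policy")

def resolve_driver_setting(name, ctor_value, hook_params, extras, config, default):
    """Pick the driver_path or driver_class value for a JDBC hook.

    An extra that is present while its allow option is off is ignored and
    logged, never used: connection extras are the operator-editable input
    through which an unreviewed driver jar or class could otherwise be chosen.
    Returns (value, source) so an audit can see where each setting came from.
    """
    if ctor_value is not None:
        return ctor_value, "constructor"
    if hook_params.get(name) is not None:
        return hook_params[name], "hook_params"
    if extras.get(name) is not None:
        if config.get(f"allow_{name}_in_extra", False):
            return extras[name], "extra"
        log.warning("connection extra %r ignored: allow_%s_in_extra is off", name, name)
    return default, "default"

def jdbc_driver_settings(ctor_args=None, hook_params=None, extras=None, config=None):
    """Resolve both driver settings; returns {name: (value, source)}."""
    ctor_args, hook_params = ctor_args or {}, hook_params or {}
    extras, config = extras or {}, config or {}
    # Constructed defaults standing in for JdbcHook.default_driver_path/class.
    defaults = {"driver_path": "/opt/jdbc/approved-driver.jar",
                "driver_class": "org.postgresql.Driver"}
    return {name: resolve_driver_setting(name, ctor_args.get(name), hook_params,
                                         extras, config, defaults[name])
            for name in ("driver_path", "driver_class")}

# Constructed sample: a connection whose extras try to select a different driver.
UNTRUSTED_EXTRAS = {"driver_path": "/tmp/unreviewed-driver.jar",
                    "driver_class": "com.example.UnreviewedDriver"}
```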

Official announcement: For details, please refer to the link – https://github.com/advisories/GHSA-mm87-c3x2-6f89

CVE-2023-21220: Outdated communication methods burden modern Androids (29th June 2023)

Preface: Since the official announcement did not contain details, perhaps the situation described here is one of the possible reasons for encountering such vulnerabilities.

Background: SMS messages are sent in plain text. Rich Communication Services (RCS) is a communication protocol that will ultimately replace MMS and SMS messages on Android devices.
Android Pie (codenamed Android P during development), also known as Android 9 (API 28), is the ninth major release and the 16th version of the Android mobile operating system. It was first released as a developer preview on March 7, 2018, and was released publicly on August 6, 2018.
Android 8.0 places limitations on what apps can do while users aren’t directly interacting with them. Apps are restricted in two ways: background service limitations and broadcast limitations.
On the other hand, the system distinguishes between foreground and background apps. An app is in the foreground if another foreground app is connected to it, either by binding to one of its services or by making use of one of its content providers. For example, the app is in the foreground if another app binds to its voice or text service.
So, if Android users forget to turn on the RCS function, their text messages will be readable through a man-in-the-middle attack.

Vulnerability details: there is a possible use of unencrypted transport over cellular networks due to an insecure default value. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-264590585. References: N/A.

Official announcement: For details, please refer to the link – https://source.android.com/security/bulletin/pixel/2023-06-01