Category Archives: Potential Risk of CVE

About CVE-2023-21656: Penguin (Linux) also wants to ask the chip vendor a question (13th June 2023)

Preface: Out-of-band (OOB) techniques are the alternative channels an attacker uses to exploit a vulnerability whose effect cannot be observed in the ordinary request-response interaction.

Background: Qualcomm Technologies offers industry-leading platforms for wireless networks and products that cover the gamut of device needs. In the Qualcomm WLAN host driver, the file (wma_mgmt[.]c) contains the STA/SAP/IBSS and protocol-related functions.
Ref:
The Independent Basic Service Set (IBSS) is a simple and flexible wireless network configuration designed for situations where there is no centralized access point or other infrastructure in place. It operates by forming an ad hoc, self-contained network with station-to-station traffic flowing directly between devices. This makes IBSS networks effortless to set up and ideal for small groups of users who need a temporary, wireless means of communication without having to rely on any external hardware.

Vulnerability details: CVE-2023-21656 Memory corruption in WLAN HOST while receiving an WMI event from firmware.

Official Announcement: Please see the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2023-bulletin.html

CVE-2023-27997 Lack of detail, but can we find hints? (12th June 2023)

Preface: If you need to push audio/video traffic over the tunnel, DTLS can be a huge performance improvement.

Background: Preferred DTLS Tunnel
If enabled, FortiClient uses DTLS if it is enabled on the FortiGate and tunnel establishment is successful. If not enabled on the FortiGate or tunnel establishment does not succeed, TLS is used. DTLS tunnel uses UDP instead of TCP and can increase throughput over VPN.
When disabled, FortiClient uses TLS, even if DTLS is enabled on FortiGate.

Vulnerability details: Fortinet has released firmware updates fixing a pre-authentication remote code execution vulnerability in its SSL VPN devices.
The security fixes were released on Friday in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5.

Details of the vulnerability displayed above: Please refer to the bleepingcomputer – https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaw-in-fortigate-ssl-vpn-devices-patch-now/

My observation: Since the vendor provided no details, my assumptions can be found in the attached diagram.

About CVE-2023-21632: Flaw has been fixed. For reference only (12th June 2023)

Preface: Google (Android) and Qualcomm pioneered the infotainment and connectivity processors used in automotive. As time goes by, when you jump into the driver's seat, a multifunction dashboard provides these functions to you.
In-car entertainment or in-vehicle infotainment systems are large touch screens usually positioned on a vehicle’s dashboard or on the back of seats.

Background: The S820Am Snapdragon processor includes four Kryo™ CPUs, a Qualcomm® Adreno™ 530 GPU and a high-performance Hexagon™ 680 DSP. The Automotive Development Platform (ADP) features rich connectivity through the X12 LTE modem, 802.11a/b/g/n/ac, Bluetooth 4.1 and GNSS (GPS, Glonass, BDS, Galileo). The ADP supports multiple camera sensors and 4K display outputs.

Vulnerability details: Memory corruption in Automotive GPU while querying a gsl memory node.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-21632

CVE-2023-29403: Are you falling into this Go runtime design weakness? (9th June 2023)

Preface: Go uses garbage collection instead of manual memory management, which makes it unsuitable for kernel code.
Go is useful for programming scalable servers and large software systems. The language was built to fill the gaps in C++ and Java that Google ran into while working on its servers and distributed systems.

Background: Go does have an extensive library, called the runtime, that is part of every Go program. The runtime library implements garbage collection, concurrency, stack management, and other critical features of the Go language.
The Go scheduler is part of the Go runtime, and the Go runtime is built into your application. This means the Go scheduler runs in user space, above the kernel.
For Go to "call the kernel directly" it must use the ABI of the hardware and OS combination. For example, on Linux, making a syscall requires filling a set of CPU registers with certain values, doing some other arrangements and then issuing the SYSCALL instruction (on 64-bit x86; SYSENTER is the 32-bit entry point, as listed below).
The 64-bit x86 Linux ABI supports the following entry points:

  • SYSCALL from 64-bit code;
  • interrupt 0x80 from 32- and 64-bit code;
  • SYSENTER from 32-bit code.

Vulnerability details: On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
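The two hazards in that advisory, standard descriptors that may be closed and a privileged state the program never checked for, are exactly what a setuid C program has always had to handle by hand at startup. The block below is an added example written for this page in C (it is not Go runtime code or the Go patch); it detects whether the real and effective ids differ, uses fstat(2) to find any closed descriptor among 0, 1 and 2 and points it at /dev/null so a later open(2) cannot land on it, and disables core dumps so a crash does not write register and memory state to disk. The patched Go runtime performs the equivalent of the descriptor fill and traceback suppression itself when it sees setuid/setgid.

```c
/* Added example (not Go runtime code): start-up checks for a setuid/setgid
 * program on Linux. Build: cc -Wall setuid_checks.c */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

/* fstat(2) on a closed descriptor fails with EBADF; any other outcome means
 * the descriptor exists. */
int is_fd_open(int fd)
{
    struct stat st;
    if (fstat(fd, &st) == 0)
        return 1;
    return errno != EBADF;
}

/* Real and effective ids differ when the kernel applied setuid/setgid bits. */
int running_privileged(void)
{
    return geteuid() != getuid() || getegid() != getgid();
}

/* Point every closed descriptor among 0, 1, 2 at /dev/null. open(2) returns
 * the lowest free descriptor, so walking 0..2 in order fills exactly the
 * gaps. Returns the number of descriptors filled, or -1 on error. */
int ensure_std_fds(void)
{
    int filled = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (is_fd_open(fd))
            continue;
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd < 0)
            return -1;
        if (nfd != fd) {               /* defensive: should not happen here */
            if (dup2(nfd, fd) < 0) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        filled++;
    }
    return filled;
}

/* When privileged, refuse to write core files: a crash would otherwise dump
 * registers and memory (the register leak the advisory describes).
 * Returns 1 if hardening was applied, 0 if not privileged, -1 on error. */
int harden_if_privileged(void)
{
    if (!running_privileged())
        return 0;
    struct rlimit nocore = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &nocore) != 0)
        return -1;
    return 1;
}

/* Self-check: a freshly closed descriptor must read as closed.
 * Returns 1 when is_fd_open() behaves as expected. */
int probe_closed_fd(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        return 0;
    int before = is_fd_open(fd);
    close(fd);
    int after = is_fd_open(fd);
    return before && !after;
}

int main(void)
{
    /* Order matters: fill descriptors before anything else can open a file. */
    int filled = ensure_std_fds();
    int hardened = harden_if_privileged();
    printf("privileged=%d filled=%d hardened=%d probe=%d\n",
           running_privileged(), filled, hardened, probe_closed_fd());
    return (filled < 0 || hardened < 0) ? 1 : 0;
}
```

Run it as `./a.out 0<&-` (stdin closed) to watch `filled` become 1: the first open(2) in the program now lands on /dev/null instead of on whatever file the program opens next.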

Official announcement: For details, please refer to the link- https://pkg.go.dev/vuln/GO-2023-1840

More details, CVE-2023-0266 vulnerability is widely exploited (8th June 2023)

Preface: The Advanced Linux Sound Architecture (ALSA) provides the kernel-side sound card drivers.
Besides the device drivers, ALSA also bundles a user-space library for application developers, through which applications interact with the kernel sound devices.

Background: Exynos, formerly Hummingbird, is a series of ARM-based system-on-chips developed by Samsung Electronics’ System LSI division and manufactured by Samsung Foundry.

Conceptual example – SoC installation instruction

  1. Install X-windows packages
    % sudo zypper install libXext6 libX11-6 libXrender1 libXtst6 libXi6 libgtk-2_0-0 tar
  2. Set your DISPLAY environment variable
    % setenv DISPLAY localhost:0
  3. navigate to the SoC installer file location
  4. Run the installer
    % [.]/xxxx_SoC_v2023[.]2[.]bin
  5. Follow on screen instructions.
  6. Click Finish. It is now ready to use.

Vulnerability details: A use-after-free vulnerability exists in the ALSA PCM package in the Linux kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks, which can be used in a use-after-free that can result in a privilege escalation to ring0 from the system user.

Solution: Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.
For details, please refer to link – https://security.samsungmobile.com/securityUpdate.smsb

Official announcement: For details, please refer to the following links
https://nvd.nist.gov/vuln/detail/CVE-2023-0266
https://www.hkcert.org/tc/security-bulletin/samsung-products-multiple-vulnerabilities_20230607

About Qualcomm: The CVE-2022-40507 vulnerability was finally released to the public on 06/06/2023.

Preface: Double free errors occur when free() is called more than once with the same memory address as an argument. The second call corrupts the allocator's bookkeeping (the memory management data structures of the program), and that corruption can allow a malicious user to write values into arbitrary memory.


Background: A Snapdragon SoC contains several different processors (see below):
Krait CPU — the general-purpose processor that usually runs Android applications (Kryo in newer parts).
Adreno GPU — largely used for graphics processing such as rendering.
Hexagon DSP — specially designed for multimedia acceleration; the CPU offloads tasks to the DSP to save energy, giving optimum performance.


Vulnerability details: Memory corruption due to double free in Core while mapping HLOS address to the list.

The vulnerability was released to the public on 06/06/2023. The announcement can be read at qualcomm.com – https://www.qualcomm.com/company/product-security/bulletins/june-2023-bulletin
This vulnerability has carried the identifier CVE-2022-40507 since 09/12/2022. The vendor did not release technical details.

How to observe memory allocation in Linux kernel?
Generate the skeleton for the task named 1-mem and browse the contents of the mem[.]c file. Observe the use of kmalloc() call for memory allocation.

  1. Compile the source code and load the mem[.]ko module using insmod.
  2. View the kernel messages using the dmesg command.
  3. Unload the kernel module using the rmmod mem command.
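Since the vendor published no details, here is the same idea modelled in user space as an added example for this page (not Qualcomm's code; the list layout and the pool allocator are assumptions): a list that maps HLOS addresses to entries. The buggy shape frees the entry but leaves it linked, so a second unmap of the same address finds the stale node and frees it again; the fixed shape unlinks first and frees exactly once. A real second free() would abort or corrupt the heap, so the pool tracks whether each slot is live and reports a double free instead.

```c
/* Added example (not Qualcomm code): double free in a mapping list.
 * Build: cc -Wall mapping_list.c */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define POOL_SIZE 8

struct mapping {
    uint64_t hlos_addr;        /* HLOS (Android) virtual address */
    uint64_t phys_addr;        /* what it was mapped to */
    int in_use;                /* pool bookkeeping: 1 while allocated */
    struct mapping *next;
};

static struct mapping pool[POOL_SIZE];   /* stand-in for the allocator */
static struct mapping *head;             /* live mappings, singly linked */

static struct mapping *pool_alloc(void)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            return &pool[i];
        }
    }
    return NULL;
}

/* Returns 0, or -1 when the slot is already free: a double free. */
static int pool_free(struct mapping *m)
{
    if (!m->in_use)
        return -1;
    m->in_use = 0;
    return 0;
}

/* Find the node for hlos; *link receives the pointer that references it. */
static struct mapping *find_mapping(uint64_t hlos, struct mapping ***link)
{
    for (struct mapping **pp = &head; *pp; pp = &(*pp)->next) {
        if ((*pp)->hlos_addr == hlos) {
            *link = pp;
            return *pp;
        }
    }
    return NULL;
}

int map_add(uint64_t hlos, uint64_t phys)
{
    struct mapping *m = pool_alloc();
    if (!m)
        return -ENOMEM;
    m->hlos_addr = hlos;
    m->phys_addr = phys;
    m->next = head;
    head = m;
    return 0;
}

/* Buggy shape: freed but still on the list. Returns 0, -ENOENT, or -EFAULT
 * when the pool detects that the node was already freed. */
int map_remove_buggy(uint64_t hlos)
{
    struct mapping **link;
    struct mapping *m = find_mapping(hlos, &link);
    if (!m)
        return -ENOENT;
    return pool_free(m) ? -EFAULT : 0;
}

/* Fixed shape: unlink first, then free exactly once. */
int map_remove(uint64_t hlos)
{
    struct mapping **link;
    struct mapping *m = find_mapping(hlos, &link);
    if (!m)
        return -ENOENT;
    *link = m->next;
    m->next = NULL;
    return pool_free(m) ? -EFAULT : 0;
}

int map_count(void)
{
    int n = 0;
    for (struct mapping *m = head; m; m = m->next)
        n++;
    return n;
}

void map_reset(void)
{
    head = NULL;
    for (int i = 0; i < POOL_SIZE; i++)
        pool[i].in_use = 0;
}

int main(void)
{
    map_reset();
    map_add(0x1000, 0xa000);
    map_add(0x2000, 0xb000);
    printf("buggy: first=%d second=%d live=%d\n", map_remove_buggy(0x1000),
           map_remove_buggy(0x1000), map_count());
    map_reset();
    map_add(0x1000, 0xa000);
    map_add(0x2000, 0xb000);
    printf("fixed: first=%d second=%d live=%d\n", map_remove(0x1000),
           map_remove(0x1000), map_count());
    return 0;
}
```

The buggy path also shows why the corruption matters beyond the second free: the stale node stays reachable, so once the pool slot is reused by a later map_add the list now has two nodes sharing one piece of memory.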

Regarding CVE-2023-3111: Fixed a functional bug that could affect Linux in Docker. (June 6, 2023)

Preface: Use-After-Free (UAF) is a vulnerability caused by incorrect handling of dynamic memory while a program runs. If a program keeps using a pointer after the memory it refers to has been freed, an attacker can use that stale pointer to attack the program.

Background: Btrfs provides a clone operation that atomically creates a copy-on-write snapshot of a file. Such cloned files are sometimes referred to as reflinks, in light of the proposed associated Linux kernel system call.
Subvolumes allow for the partitioning of a Btrfs filesystem into separate sub-filesystems. Therefore, you can mount subvolumes from a Btrfs filesystem as if they were independent filesystems.

Vulnerability details: A use after free vulnerability was found in prepare_to_relocate in fs/btrfs/relocation[.]c in btrfs in the Linux Kernel. This possible flaw can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag().

Solution: To fix this possible bug, an if statement is added in prepare_to_relocate() to check whether btrfs_commit_transaction() fails. If it does, unset_reloc_control() is called to set fs_info->reloc_ctl to NULL.
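The fix is a lifetime rule: a pointer published in fs_info must be cleared on every error path before the object it points to is freed. The block below is an added example written for this page, a user-space model of the before and after shapes; the function names follow those cited in the text, but the bodies are stand-ins (not fs/btrfs/relocation.c), and commit_should_fail is a fault-injection switch that forces the btrfs_commit_transaction() failure the patch guards against. The balance-then-defrag trigger in the text is simply the sequence in which a later ioctl dereferences the stale pointer.

```c
/* Added example (not kernel code): why the commit-failure check matters.
 * Build: cc -Wall reloc_ctl_model.c */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

struct reloc_control { int block_group; };
struct fs_info { struct reloc_control *reloc_ctl; };

static int commit_should_fail;              /* fault injection for the model */

static int btrfs_commit_transaction_model(void)
{
    return commit_should_fail ? -EIO : 0;
}

static void set_reloc_control(struct fs_info *fs, struct reloc_control *rc)
{
    fs->reloc_ctl = rc;
}

static void unset_reloc_control(struct fs_info *fs)
{
    fs->reloc_ctl = NULL;
}

/* Pre-fix shape: on commit failure fs_info->reloc_ctl still points at rc,
 * which the caller then frees. */
int prepare_to_relocate_old(struct fs_info *fs, struct reloc_control *rc)
{
    set_reloc_control(fs, rc);
    return btrfs_commit_transaction_model();
}

/* Fixed shape: check the commit result and clear the pointer first. */
int prepare_to_relocate_fixed(struct fs_info *fs, struct reloc_control *rc)
{
    int ret;
    set_reloc_control(fs, rc);
    ret = btrfs_commit_transaction_model();
    if (ret)
        unset_reloc_control(fs);
    return ret;
}

/* Model of a later ioctl: must only touch reloc_ctl when it is set. */
int later_ioctl_sees_relocation(const struct fs_info *fs)
{
    return fs->reloc_ctl != NULL;   /* a stale pointer here is the UAF */
}

/* One relocation attempt with commit forced to fail. Returns 1 if
 * fs_info->reloc_ctl is left dangling after rc is freed, 0 if cleaned up. */
int relocate_leaves_dangling(int (*prepare)(struct fs_info *, struct reloc_control *))
{
    struct fs_info fs = { NULL };
    struct reloc_control *rc = calloc(1, sizeof *rc);
    if (!rc)
        return -1;
    commit_should_fail = 1;
    (void)prepare(&fs, rc);          /* returns -EIO in both shapes */
    commit_should_fail = 0;
    int dangling = (fs.reloc_ctl == rc);   /* pointer compare, no deref */
    free(rc);
    return dangling;
}

/* The success path must still leave reloc_ctl set so relocation can run. */
int relocate_ok_keeps_control(int (*prepare)(struct fs_info *, struct reloc_control *))
{
    struct fs_info fs = { NULL };
    struct reloc_control rc = { 0 };
    commit_should_fail = 0;
    if (prepare(&fs, &rc) != 0)
        return 0;
    return later_ioctl_sees_relocation(&fs) && fs.reloc_ctl == &rc;
}

int main(void)
{
    printf("old shape dangling after failed commit: %d\n",
           relocate_leaves_dangling(prepare_to_relocate_old));
    printf("fixed shape dangling after failed commit: %d\n",
           relocate_leaves_dangling(prepare_to_relocate_fixed));
    printf("fixed shape keeps control on success: %d\n",
           relocate_ok_keeps_control(prepare_to_relocate_fixed));
    return 0;
}
```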

Official details: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-3111

About CVE-2023-29345 and CVE-2023-33143: Microsoft released security updates for its Chromium-based Edge (6th June 2023)

Preface: Windows has traditionally run on machines powered by x86 / x64 processors. Windows 11 adds the capability to run unmodified x64 Windows apps on Arm devices. This ability to run x86 and x64 apps on Arm devices gives end users confidence that the majority of their existing apps and tools will run well even on new Arm-powered devices. For the best results an app should be Arm-native, so developers are following the trend and building or porting Arm-native Windows apps.


Background: Codenamed “Anaheim”, on December 6, 2018, Microsoft announced its intent to base Edge on the Chromium source code, using the same browser engine as Google Chrome but with enhancements developed by Microsoft. The new Microsoft Edge (Chromium) is built on the same underlying technology as Google Chrome. During the Ignite 2021 conference, Microsoft revealed plans to align the codebase of the Edge browser on all supported platforms.


Vulnerability details:
CVE-2023-29345 Microsoft Edge Remote Code Execution – A vulnerability was found in Microsoft Edge (Web Browser) (version unknown).
CVE-2023-33143 – Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
For details, please refer to the link – https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security

About CVE-2023-32690: Fixed a bug that could affect major design. (2nd June 2023)

Preface: The DMTF’s Security Protocols and Data Models (SPDM) Working group is responsible for the SPDM standard. This standard enables authentication, attestation and key exchange to assist in providing infrastructure security enablement.

Background: Security Protocol and Data Model (SPDM) is a two-party protocol between a Requester that initiates the conversation and the Responder. DMTF is a standards organization by major industry players in IT infrastructure.

Vulnerability details: libspdm is a sample implementation that follows the DMTF SPDM specifications. Prior to versions 2.3.3 and 3.0, following a successful CAPABILITIES response, a libspdm Requester stores the Responder's CTExponent into its context without validation. If the Requester sends a request message that requires a cryptographic operation by the Responder, such as CHALLENGE, libspdm calculates the timeout value using the Responder's unvalidated CTExponent. A patch is available in version 2.3.3. A workaround is also available: after completion of VCA, the Requester can check the value of the Responder's CTExponent, and if it is greater than or equal to 64, the Requester can stop communicating with the Responder.
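The 64 in that workaround is the width of the timeout arithmetic: CT is 2^CTExponent microseconds, so any exponent of 64 or more cannot be represented in a 64-bit value and the shift is undefined. The block below is an added example written for this page (not libspdm code): it parses a constructed CAPABILITIES response, validates CTExponent before storing it, and derives the timeout the Requester would then wait for a CHALLENGE response. The field offsets follow the SPDM CAPABILITIES response layout (version, response code 0x61, Param1, Param2, reserved, CTExponent, two reserved bytes, 32-bit Flags); the two sample messages are constructed for the demonstration.

```c
/* Added example (not libspdm code): validate CTExponent before using it.
 * Build: cc -Wall spdm_ctexponent.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SPDM_CAPABILITIES_RSP 0x61
#define SPDM_CT_EXPONENT_MAX  63   /* 2^CTExponent must fit in 64 bits */
#define SPDM_CAP_RSP_MIN_LEN  12   /* fields common to SPDM 1.0 .. 1.2 */

struct capabilities_rsp {
    uint8_t  version;
    uint8_t  ct_exponent;
    uint32_t flags;
};

/* Returns 0 on success, -1 if malformed, -2 if CTExponent is out of range.
 * Nothing is stored for the caller unless the exponent passes the check. */
int parse_capabilities(const uint8_t *buf, size_t len, struct capabilities_rsp *out)
{
    if (len < SPDM_CAP_RSP_MIN_LEN || buf[1] != SPDM_CAPABILITIES_RSP)
        return -1;
    uint8_t ct_exponent = buf[5];
    if (ct_exponent > SPDM_CT_EXPONENT_MAX)
        return -2;                    /* the workaround: refuse >= 64 */
    out->version = buf[0];
    out->ct_exponent = ct_exponent;
    out->flags = (uint32_t)buf[8] | (uint32_t)buf[9] << 8 |
                 (uint32_t)buf[10] << 16 | (uint32_t)buf[11] << 24;
    return 0;
}

/* CT = 2^CTExponent microseconds. Guarded again so the shift is never
 * undefined even if a caller bypasses parse_capabilities(). */
int ct_timeout_us(uint8_t ct_exponent, uint64_t *out_us)
{
    if (ct_exponent > SPDM_CT_EXPONENT_MAX)
        return -1;
    *out_us = (uint64_t)1 << ct_exponent;
    return 0;
}

/* Constructed responses: SPDM 1.1, CTExponent 20 (about 1 s) and 0xFF,
 * with CERT_CAP (flags bit 1) set as a sample flag. */
static const uint8_t good_rsp[12] = { 0x11, 0x61, 0, 0, 0, 20,   0, 0, 0x02, 0, 0, 0 };
static const uint8_t bad_rsp[12]  = { 0x11, 0x61, 0, 0, 0, 0xFF, 0, 0, 0x02, 0, 0, 0 };

int parse_status(const uint8_t *rsp, size_t len)
{
    struct capabilities_rsp caps;
    return parse_capabilities(rsp, len, &caps);
}

/* End to end: parse, then compute the CHALLENGE wait. Returns the timeout
 * in microseconds, or 0 when the Responder is rejected. */
uint64_t requester_timeout_for(const uint8_t *rsp, size_t len)
{
    struct capabilities_rsp caps;
    uint64_t us;
    if (parse_capabilities(rsp, len, &caps) != 0)
        return 0;
    if (ct_timeout_us(caps.ct_exponent, &us) != 0)
        return 0;
    return us;
}

int main(void)
{
    printf("good responder: wait %llu us\n",
           (unsigned long long)requester_timeout_for(good_rsp, sizeof good_rsp));
    printf("bad responder: status %d, wait %llu us\n",
           parse_status(bad_rsp, sizeof bad_rsp),
           (unsigned long long)requester_timeout_for(bad_rsp, sizeof bad_rsp));
    return 0;
}
```

Rejecting at parse time, before the value reaches the context, is the shape of the 2.3.3 fix described above; the second guard in ct_timeout_us() is the belt-and-braces check for code paths that read the context directly.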

Official announcement: For details, please refer to the link – https://www.cve.org/CVERecord?id=CVE-2023-32690

About CVE-2023-3006 – Spectre-BHB on Arm, updated at the end of May 2023 (1st June 2023)

Preface: I speculate that this CVE is specific to Ampere Computing. Ampere Computing is an Arm architecture licensee and develops its own server microprocessors.

Background: Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.

Vulnerability details: CVE-2023-3006 – A known cache speculation vulnerability, Branch History Injection (BHI) or Spectre-BHB, applies again to the new AmpereOne hardware. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim's hardware context. Once that occurs, speculation caused by the mispredicted branches can cause cache allocation. This issue leads to obtaining information that should not be accessible.

Official details: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-3006