Category Archives: Potential Risk of CVE

Design weakness of Root File System mechanism – Nvidia multiple products (4th Feb, 2021)

Preface: In 2020, the global AI software market is expected to grow approximately 54 percent year-on-year, reaching a forecast size of 22.6 billion U.S. dollars.

Background: NVIDIA® Jetson™ Linux requires a root file system. You must create it on a Linux host system and copy it to your reference board. NVIDIA provides a tool to generate a root filesystem. To use the tool, navigate to the tools/samplefs directory of the extracted NVIDIA driver package. When you install according to the standard procedure, you must download a file. Then run the apply_binaries.sh script to copy the NVIDIA user space libraries into the target file system.

Vulnerability details: The existing mechanism applies improper access control, which may allow an unprivileged user to modify system device tree files, leading to denial of service. Official details are at the link below.

https://nvidia.custhelp.com/app/answers/detail/a_id/5147

Supplement: Perhaps the impact is only a denial of service, but this is an alert signal for the AI and robotics world to stay alert.

CVE-2021-22159 – Local privilege escalation vulnerability in ObserveIT Windows agent (3rd Feb 2021)

Preface: Decades ago, video recording was used to perform IT system monitoring and governance. The most famous brands are RSA NetWitness and CyberArk. However, a product made in Israel provides a cost-effective solution: the software product named “ObserveIT”. The “ObserveIT” software product is now under the umbrella of Proofpoint, Inc.

Vulnerability details: A vulnerability in the Proofpoint Insider Threat Management (formerly ObserveIT) Agent for Windows allows a local authenticated Windows user to run arbitrary commands with the privileges of the Windows SYSTEM user.

Affected versions: versions before 7.4.3, 7.5.4, 7.6.5, 7.7.5, 7.8.4, 7.9.3, 7.10.2 and 7.11.0.25, as well as versions 7.3 and earlier.

Remedy: https://www.proofpoint.com/us/security/security-advisories/pfpt-sa-2021-0001

Additional note: If a user has permission to change a file or folder, and a named service lives in that directory, the user can create a payload with the “msfvenom” tool and use it to manipulate that specific service. After the payload is uploaded to the system and moved into the “Common Files” directory, when the service starts you will receive a session on the system as NT AUTHORITY\SYSTEM.

No workaround: You should patch immediately – Linux sudo flaw (2nd Feb 2021)

Background: The sudo command allows you to run programs with the security privileges of another user. Auditors and security experts highly recommend using it; we can say it is a best practice.

Vulnerability details: Sudo before 1.9.5p2 has a heap-based buffer overflow, allowing privilege escalation to root via “sudoedit -s” and a command-line argument that ends with a single backslash character.

Impact: Taking control of the Linux system. Vulnerable versions: before 1.9.5p2.

Workaround: No

Fix: The bug is fixed in sudo 1.9.5p2.

Immediate action: You should patch immediately.

Reference: https://us-cert.cisa.gov/ncas/current-activity/2021/02/02/sudo-heap-based-buffer-overflow-vulnerability-cve-2021-3156

Security concern: Since system administrators typically deny remote SSH access without VPN connectivity for security reasons, this design weakness is most likely to be exploited by insider threats. If you cannot patch immediately, you should fine-tune your SIEM to monitor sudo usage.

Adobe ColdFusion Design weakness (Vulnerability Note VU#125331) 1st Feb 2021

Background: Adobe ColdFusion is a development platform that uses CFML to quickly build modern web apps. Unlike other programming languages, ColdFusion is tag-based. It’s easy to use and can be the backbone of numerous development modules and functionalities.

Dynamic-link library loading mechanism: The DLL is loaded once and all programs share the same in-memory copy of its code. For the read-only sections, the DLL loader uses a technique called “memory mapping” to map the DLL into the process’s address space. The pages are loaded into physical memory only once for all processes, even though each process may have the page mapped at a different address in its virtual address space. Unless a design weakness occurs, dynamically allocated memory is not shared.

Question: Can the .dll file be replaced while the application is running, i.e. can you update DLLs that applications use on Windows without terminating the process? Yes, it is possible, but the application must have a special mechanism to unload the currently running DLL and reload the new DLL file.

Vulnerability Details:

  1. By placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL (by default C:\ColdFusion2021).
  2. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. Alternatively, how the program loads DLLs can be modified by replacing an existing DLL, or by modifying a .manifest or .local redirection file, directory, or junction, to cause the program to load a different DLL.

Reference article: Adobe ColdFusion is vulnerable to privilege escalation due to weak ACLs – https://kb.cert.org/vuls/id/125331

You should be vigilant! (CVE-2020-17380) – 1st Feb 2021

Preface: Mount a drive image emulated as an SD card with qemu-system-x86_64.

qemu-system-x86_64 -smp cores=4 -m 1024 -device sdhci-pci -device sd-card,drive=mydrive -drive id=mydrive,if=none,format=raw,file=image.bin

Background:

QEMU Integration with other virtual machines

  • VirtualBox uses some QEMU virtual hardware devices and has a built-in QEMU-based dynamic recompiler, as with KQEMU.
  • Xen HVM has device emulation based on the QEMU project to provide I/O virtualization to the virtual machines.
  • QEMU on FreeBSD as host: it runs under Windows 2000, Windows XP, GNU/Linux (RedHat, Debian) and FreeBSD “host” systems.

QEMU can simulate a variety of hardware devices

  • Android and ARM: QEMU emulates the ARMv7 instruction set using the NEON extension. It simulates the Integrator/CP board, a multi-function backplane.
  • In Android OS, because the VM memory page allocation is not contiguous, the PIPE driver will pass the remote data address to QEMU several times.

Design weakness: sdhci – while doing a multi-block SDMA transfer, the transfer block size may exceed the size of ‘s->fifo_buffer[s->buf_maxsz]’.

Impact: This results in a denial of service condition, or potentially arbitrary code execution with the privileges of the QEMU process on the host.

Vulnerability details: Refer to link – https://nvd.nist.gov/vuln/detail/CVE-2020-17380
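The weakness above is a missing comparison between a guest-controlled block size and a fixed device FIFO. The following is an added, simplified illustration in C (not QEMU's own code; the SDHCIState model, field names and 512-byte FIFO are assumptions) showing the unchecked copy loop beside a hardened version that validates the transfer geometry before any memcpy:

```c
#include <stdint.h>
#include <string.h>

/* Simplified model of the SDHCI state discussed above (an illustration,
 * not QEMU's own code): a fixed-size FIFO plus guest-written registers. */
#define BUF_MAXSZ 512

typedef struct {
    uint8_t  fifo_buffer[BUF_MAXSZ];
    size_t   buf_maxsz;   /* capacity of fifo_buffer */
    uint16_t blksize;     /* Block Size register, set by the guest */
    uint16_t blkcnt;      /* Block Count register, set by the guest */
} SDHCIState;

/* Weak pattern (shown for contrast, never called here): each block is
 * copied with the guest-chosen blksize and no comparison against
 * buf_maxsz, so a block size above 512 writes past fifo_buffer. */
size_t sdma_multi_block_unchecked(SDHCIState *s, const uint8_t *card)
{
    size_t done = 0;
    for (uint16_t i = 0; i < s->blkcnt; i++) {
        memcpy(s->fifo_buffer, card + done, s->blksize);  /* overflow */
        done += s->blksize;
    }
    return done;
}

/* Hardened pattern: validate blksize against the FIFO and the whole
 * transfer against the card image before copying. Returns bytes moved,
 * or -1 when the guest's parameters are rejected. */
long sdma_multi_block_checked(SDHCIState *s, const uint8_t *card, size_t card_len)
{
    if (s->blksize == 0 || s->blksize > s->buf_maxsz) return -1;
    if ((size_t)s->blksize * s->blkcnt > card_len)    return -1;
    size_t done = 0;
    for (uint16_t i = 0; i < s->blkcnt; i++) {
        memcpy(s->fifo_buffer, card + done, s->blksize);
        done += s->blksize;
    }
    return (long)done;
}

/* Drives the checked path with a constructed 4 KiB card image. */
long run_transfer(uint16_t blksize, uint16_t blkcnt)
{
    static uint8_t card[4096];
    SDHCIState s = { .buf_maxsz = BUF_MAXSZ, .blksize = blksize, .blkcnt = blkcnt };
    memset(card, 0xA5, sizeof card);   /* constructed sample data */
    return sdma_multi_block_checked(&s, card, sizeof card);
}
```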

Perhaps the IoT world should be vigilant – CVE-2021-3177 (26th Jan 2021)

Preface: On macOS, dynamic-link libraries are known as dylib files. This is the equivalent of a DLL on Windows and a shared library (or .so library) on Linux.

Background: ctypes is a foreign function library for Python. It provides C compatible data types, and allows calling functions in DLLs or shared libraries. It can be used to wrap these libraries in pure Python.

Design objective: Calling C++ libraries from Python allows the developer to build an application that takes advantage of the best of Python and C++. The result is an application that combines both speed and simplicity.

Vulnerability details: There’s a buffer overflow in the ctypes PyCArg_repr() function. (Disclosure date: 2021-01-16)

Design weakness: There’s a buffer overflow in the PyCArg_repr() function in _ctypes/callproc.c. The buffer overflow happens because the length of the output written by the sprintf() call is not checked against the destination buffer.

CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2021-3177
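The pattern described above is a fixed-size repr buffer filled by an unbounded format call. The following added C example (a simplified illustration, not CPython's code; the 256-byte buffer, the "<cparam ...>" format and the helper names are assumptions) measures how much a large double expands under "%f" and shows the snprintf() form that bounds the write and reports truncation:

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Simplified illustration (not CPython's code) of the PyCArg_repr()
 * pattern: a fixed-size repr buffer filled by a printf-style call. */
#define REPR_BUFSZ 256

/* Weak pattern: sprintf() emits as many characters as the value needs.
 * This measures that length with snprintf(NULL, 0, ...) instead of
 * actually writing, so the function itself cannot overflow anything. */
int repr_len_needed(char tag, double value)
{
    return snprintf(NULL, 0, "<cparam '%c' (%f)>", tag, value);
}

/* Hardened pattern: snprintf() never writes more than bufsz bytes and
 * the caller learns whether the output was cut short. */
bool repr_bounded(char *buf, size_t bufsz, char tag, double value)
{
    int n = snprintf(buf, bufsz, "<cparam '%c' (%f)>", tag, value);
    return n >= 0 && (size_t)n < bufsz;   /* false means truncated */
}

/* Demo helpers: format into a fresh 256-byte buffer and report whether
 * the repr fit, and how long the stored string ended up. */
bool bounded_fits(char tag, double value)
{
    char buf[REPR_BUFSZ];
    return repr_bounded(buf, sizeof buf, tag, value);
}

size_t bounded_strlen(char tag, double value)
{
    char buf[REPR_BUFSZ];
    repr_bounded(buf, sizeof buf, tag, value);
    return strlen(buf);   /* at most REPR_BUFSZ - 1, always NUL-terminated */
}

int main(void)
{
    /* Constructed input: 1e300 makes "%f" expand to 300+ integer digits,
     * far beyond a 256-byte buffer; the bounded path clips it safely. */
    printf("needed=%d fits=%d stored=%zu\n", repr_len_needed('d', 1e300),
           bounded_fits('d', 1e300), bounded_strlen('d', 1e300));
    return 0;
}
```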

CVE-2021-2018 Vulnerability in the Advanced Networking Option component of Oracle DB Srv (20-01-2021)

Preface: Each time Oracle announces a security advisory, I get a headache because the vendor is not willing to provide the details.

Vulnerability details: CVE-2021-2018 – please refer to the link for details: https://nvd.nist.gov/vuln/detail/CVE-2021-2018

Technical Supplement: A large part of the computer footprint in offices around the world is Windows-based machines. Therefore integrating DB infrastructure with Active Directory is common. The classic way on a Windows AD server is Kerberos authentication. Oracle database supports Kerberos; this is the so-called configuring of the Kerberos authentication adapter. In Nov 2020 Microsoft remediated the Kerberos KDC Security Feature Bypass Vulnerability (CVE-2020-17049). When you read the official Oracle note for this vulnerability (CVE-2021-2018), it says it affects the Windows platform only. OK, be my guest. Use your imagination to understand this vulnerability. Great day, great fun!

Ref 1: To set up Kerberos on Oracle DB, we need to make changes in three places: DB server, client workstation and Active Directory.

Ref 2: Kerberos KDC Security Feature Bypass Vulnerability – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049

Bugs in popular chat apps let attackers spy on users. (21-01-2021)

Preface: I found logic bugs that allow audio or video to be transmitted without user consent in five mobile applications including Signal, Duo and Facebook Messenger, said Natalie Silvanovich.

Background: Bugs in Signal and Google chat apps let attackers spy on users. Such vulnerabilities lie in the application’s own programming code and were not due to WebRTC functionality. Furthermore, the expert found that Facebook Messenger is vulnerable to this matter too, although perhaps it is not using WebRTC. Facebook officially says that they use ‘fbthrift’. What is Thrift? fbthrift is Facebook’s branch of Apache Thrift, including a new C++ server.

For the details of the vulnerability, see the following website – https://googleprojectzero.blogspot.com/2021/01/the-state-of-state-machines.html

Supplement: The discovery of this vulnerability shows us the role of the Frida hook framework. Frida is a hook framework based on Python + JavaScript. Exploiting the design weakness on Facebook Messenger was not straightforward because of the amount of reverse engineering required; in the end, the Frida hook framework completed the task.

Reference: Instrumentation technology

Instrumentation technology refers to injecting additional code into the program to collect runtime information. It can be divided into two types:

(1) Source Code Instrumentation (SCI): Additional code is injected into the program source code.

(2) Binary Instrumentation: Extra code is injected into the binary executable file.

● Static Binary Instrumentation (SBI): Insert additional code and data before program execution to generate a permanently changed executable file.

● Dynamic Binary Instrumentation (DBI): Insert additional code and data in real time while the program is running, without any permanent changes to the executable file.

Cyber security focus – dnsmasq vulnerabilities (20th Jan, 2021)

Preface: On August 27, 2015 Cisco announced it had completed the acquisition of OpenDNS (now branded as Cisco Umbrella). Perhaps they predicted that this day would come.

Background: dnsmasq is free software providing Domain Name System (DNS) caching, a Dynamic Host Configuration Protocol (DHCP) server,
router advertisement and network boot features, intended for small computer networks. Dnsmasq is common in Internet-of-Things (IoT) and other embedded devices.

Vulnerability details: Dnsmasq is vulnerable to memory corruption and cache poisoning. For more details, please see the following link: https://kb.cert.org/vuls/id/434904

Workarounds:

  • Configure dnsmasq not to listen on WAN interfaces
  • Reduce the maximum number of concurrent forwarded queries (--dns-forward-max=). The default is 150.
  • Apply the patch
  • Use protocols that provide transport security for DNS (DoT or DoH)
  • Reduce the maximum size of EDNS messages (recommendations related to RFC 5625)

Are you worried about UEFI BIOS attacks? (19th Jan, 2021)

Preface: Quite a lot of UEFI vulnerabilities and hardware misconfigurations have been found in the past. This is an alert signal. As a matter of fact, the problem is that it’s very difficult to get malicious code into UEFI systems.

Background: Reading the first sector from a disk and loading it at 0x7C00 is a BIOS-specific boot protocol, but it is no longer used; it is an old technology. UEFI bootloaders are loaded from a filesystem. UEFI requires the firmware and operating system loader (or kernel) to be size-matched; for example, a 64-bit UEFI firmware implementation can load only a 64-bit operating system (OS) boot loader or kernel.

Synopsis: A local attacker with access to system memory may exploit the UEFI vulnerability. Perhaps this is not the only way.

Dell mitigates design flaws in a specific product (Inspiron 5675). Please refer to the link below: https://www.dell.com/support/kbdoc/zh-hk/000180645/dsa-2020-247-dell-client-platform-security-update-for-uefi-bios-runtimeservices-overwrite-vulnerability