Preface: What is difference between underflow and overflow?
Buffer Overflow – When accessed memory is beyond the end of the buffer.
Buffer Underflow – When the accessed memory is before the beginning of a buffer.

Background: Zephyr is embedded RTOS, it compatible to support more than 350 CPU boards includes x86, ARM, ARC, MIPS, etc. The Zephyr Project has been one of the fastest growing RTOSes, with ambitious goals established in their charter for connected and constrained devices; but it is more than just an RTOS. It is an open-source and open-governance project with a full and growing ecosystem of drivers, communication stacks, hardware abstractions, low-power OS services, build system and application components that allow for the rapid creation of innovative applications.

About Control use of Explicit Congestion Notification (ECN) by TCP: ECN is used only when both ends of the TCP connection indicate support for it. This feature is useful in avoiding losses due to congestion by allowing supporting routers to signal congestion before having to drop packets.

Vulnerability details: In subsys/net/ip/tcp[.]c , function tcp_flags , when the incoming parameter flags is ECN or CWR , the buf will out-of-bounds write a byte zero.

When a malformed tcp packet is received, the tcp_flags function does not check the validity of the parameters, but directly parses the th_flags field in TCP header. When th_flags is ECN or CWR , in the tcp_flags function, len is always 0, and buf[0-1] will be
written ‘\0’ . This will modify other data on the stack.

On 20th May 2022, it was fix possible buffer underflow. It do the remedy in file (tcp[.]c). Details can be found at this link – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-5c3j-p8cr-2pgh

Question: ECN is used only when both ends of the TCP connection indicate support for it. If it is not in use or ignore. Why do not disable it? Perhaps if it is disabled, it also avoid CVE-2022-1841 vulnerability.

Preface: Microsoft officials said a bug in Ubuntu 18/04 “will lead to DNS resolution errors”, and that “reports of this issue are confined to this single Ubuntu version.” 31st Aug 2022

Background: How to install Kubernetes on Ubuntu 18.04 Bionic Beaver Linux?

1. Install docker on every node (master and slave nodes). Execute the below linux command to install docker on all your Kubernetes nodes:
   $ sudo apt install docker[.]io
   Once the Docker is installed ensure that it is enabled to start after reboot:
   $ sudo systemctl enable docker
2. Install Kubernetes on all nodes (master & slave):
   Adding the Kubernetes signing key:
   $ curl -s https://packages[.]cloud[.]google.com/apt/doc/apt-key[].gpg | sudo apt-key add
3. Add the Kubernetes repository and install Kubernetes
   $ sudo apt-add-repository “deb http://apt[.]kubernetes[.]io/ kubernetes-xenial main”
   $ sudo apt install kubeadm
4. Disable swap memory on all your nodes (master & slave):
   $ sudo swapoff -a
5. Next, ensure that all your nodes have a unique host name. set the master node with the kubernetes-master hostname:
   $ sudo hostnamectl set-hostname kubernetes-master
   5.1 Set the slave node with the kubernetes-master hostname:
   $ sudo hostnamectl set-hostname kubernetes-slave
   6.Initialize the Kubernetes master node – Execute the following linux command on your master node:
   kubernetes-master:~$ sudo kubeadm init –pod-network-cidr=10[.]244[.]0[.]0/16
   6.1 Execute the bellow commands as a regular user to start using Kubernetes cluster:
   kubernetes-master:~$ mkdir -p $HOME/.kube
   kubernetes-master:~$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
   kubernetes-master:~$ sudo chown $(id -u):$(id -g) $HOME/.kube/config
   7.Deploy a pod network
   kubernetes-master:~$ kubectl apply -f https://raw[.]githubusercontent[.]com/coreos/flannel/master/Documentation/kube-flannel[.]yml
6. Join Kubernetes Cluster
   kubernetes-slave:~$ sudo kubeadm join 10[.]1[.]1[.]9:6443 –token qdjnpd[.]5glu39uxr92xarsj –discovery-token-ca-cert-hash sha256:ed0684156c718caf425ceae6c85a56c05f7b49037cde3a2f1fd57430a4f58f89
   Remark: Refer Step 6, copy the token hash from the screen display.

Vulnerability details: A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in ‘resolved-dns-stream[.]c’ not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference is still used later.

For headline news details, please refer to the link – https://www.theregister.com/2022/08/30/ubuntu_systemd_dns_update/

Preface: The vendor who transforming Linux kernel not limit to Apple computer. Oracle, they are also has it own Linux Kernel so called UEK (Unbreakable Enterprise Kernel).
So, who maintains software updates for Oracle Linux? It will depend on Oracle Linux yum server.

Background: Oracle Linux commes with a choice of two kernels, the UEK, which is installed and enabled by default, and the Red Hat Compatible Kernel. The Unbreakable Enterprise Kernel (UEK) is a Linux kernel built by Oracle and supported through Oracle Linux support. Its focus is performance, stability, and minimal backports by tracking the mainline source code as closely as is practical. The UEK 4 Cryptographic Module is a software only cryptographic module that provides general-purpose cyrptographic services to the remainder of the Linux kernel.

Vulnerability details: On 15th Nov, 2021, CVE reserved not disclose to public. Till 30th Aug 2022, the details of vulnerability exposed. A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the machine.
Reliable Datagram Sockets (RDS) is a high-performance, low-latency, reliable connectionless protocol for delivery datagrams. It is development by Oracle Coporation. This new function come with Linux kernel 2.6.30. And released on 9th June 2009. The code was contributed by the openFabrics Alliance (OFA).

Official details: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ea010070d0a7497253d5a6f919f6dd107450b31a

Reference: So far by Oracle Linux design, RDS provides reliable, ordered datagram delivery by using a single reliable connection between two nodes in the cluster.
RDS supports a number of sysctls in/proc/sys/net/rds
Applications can ask the RDS kernel module to receive notifications via control message (for instance, there is a notification when a congestion update arrived, oe when a RDMA operation completes). These notifications are received through the msg[.]msg_control buffer of struct msghdr.

Suspect this is the start of the vulnerability story:
Perhaps such modifications potential driven this vulnerability occured (see below):
An enhancement improved memory usage in 2010. The enhancement is that copy rds_iovecs into kernel memory instead of rereading from userspace.
Implement stack-based storage for small numbers of iovecs, based on net/socket[.]c, to save an alloc in the extremely common case.
Although this time of enhancementis reduces iovec copies in cmsg_rdma_args to 1. However, it still require to do enhancement in rds_rdma_extra_size located in net/rds/rdma[.]c .
But this part will be difficult. So it need to implement in a separate patch.

Preface: The identification of this vulnerability is CVE-2022-1043 since 03/22/2022. On 21st Aug 2022 the problem was fixed (see below):
io_uring: fix xa_alloc_cycle() error return value check
We currently check for ret != 0 to indicate error, but ‘1’ is a valid return and just indicates that the allocation succeeded with a wrap. Correct the check to be for < 0, like it was before the xarray conversion.

Background: io_uring (previously known as aioring) is a Linux kernel system call interface for storage device asynchronous I/O operations addressing performance issues with similar interfaces provided by functions like read() / write() or aio_read() / aio_write() etc. for operations on data accessed by file descriptors.
On Linux, the set of file descriptors open in a process can be accessed under the path /proc/PID/fd/ , where PID is the process identifier. File descriptor /proc/PID/fd/0 is stdin , /proc/PID/fd/1 is stdout , and /proc/PID/fd/2 is stderr .
For example: In Fedora, the file descriptor is located at /dev

Vulnerability details: A flaw was found in the Linux kernel’s io_uring implementation. This flaw allows an attacker with a local account to corrupt system memory, crash the system or escalate privileges.
In some operating systems, including Unix and Linux, a pseudoterminal, pseudotty, or PTY is a pair of pseudo-device endpoints (files) which establish asynchronous, bidirectional communication (IPC) channel (with two ports) between two or more processes. For example, before starting SAP® Sybase® Adaptive Server Enterprise, system engineer need to verify there are sufficient system resources for kernel asynchronous I/O.
Therefore, if CVE-2022-1043 occurs, the impact will be huge. Maybe that’s why the announcement was delayed until after the fix.

Details of the official fix are shown in the link below:
https://github.com/torvalds/linux/commit/a30f895ad3239f45012e860d4f94c1a388b36d14

Official details: https://nvd.nist.gov/vuln/detail/CVE-2022-1043

Preface: A similar vulnerability to Dlink (CVE-2022-36524).The device vulnerable to Static Default Credentials via /etc/init0.d/S80telnetd[.]sh.

Background: According to Trendnet’s official announcement, TEW-733GR (version v1.0R) has been discontinued. Because not sure if the vendor is talking about hardware or firmware. In fact, you go through their portal. The firmware (Trendnet TEW733GR v1.03B01) is still available for download.

Vulnerability details:Trendnet TEW733GR v1.03B01 contains a Static Default Credential vulnerability in /etc/init0.d/S80telnetd[.]sh.
Coincidentally, DLink (CVE-2022-36524) encountered similar of design weakness.The device vulnerable to Static Default Credentials via /etc/init.d/S80 Telnetd[.]sh.

Observation: Once the attacker does small reverse engineering. This design weakness (the valid credentials stored by default) similarly helps them run scripts that download and install XorDdos on the target device with root privileges. Similar to the 2.4 Tbps DDoS attack Microsoft encountered in August 2021 will be happened again.

Due to the attack method of XorDdos, botnet attacks will be formed on victims in different regions. It’s hard to say that it can be avoided through a GRE tunnel. Or stop an ongoing attack by identifying patterns in traffic. If the remedy or mitation can do it quickly. It can avoid the unknown cyber attack. As we know, IoT and computing devices flaw happen hourly or daily. But it’s easy to forget. In fact, even if the fix is ready, the end user may not take immediate action. That’s what security experts feared a decade ago. When the Internet of Things was born, cybersecurity would make the digital world crazy.

Official announcement – Please refer to the link for details:

Trendnet CVE-2022-38556 – https://nvd.nist.gov/vuln/detail/CVE-2022-38556

DLink CVE-2022-36524 – https://nvd.nist.gov/vuln/detail/CVE-2022-36524

Preface: If an attacker used our hypothetical race condition above to perform malicious operations and help bypass secured mechanisms, it then becomes “Race Condition Vulnerability.” This vulnerability commonly occurs when threads use the same shared memory to update the values of variables.

Technical background to the file named pipe[.]c: New pipe buffers will be restricted to this size while the user is exceeding their pipe buffer quota. The general pipe use case needs at least two buffers: one for data yet to be read, and one for new data. If this is less than two, then a write to a non-empty pipe may block even if the pipe is not full.
Users can reduce their pipe buffers with F_SETPIPE_SZ below this at their own risk, namely: pipe writes to non-full pipes may block until the pipe is emptied.

Vulnerability details: CVE-2022-2959 updated on 25th Aug, 2022. However it was not published in past. The vulnerability is that a race condition was found in the Linux kernel’s watch queue due to a missing lock in pipe_resize_ring(). The solution issued on 28th May 2022.

Description: A race condition was found in the Linux kernel’s watch queue due to a missing lock in the pipe_resize_ring(). The race condition occurs when a thread uses ioctl(IOC_WATCH_QUEUE_SET_SIZE) to resize the pipe buffer and free the old pipe buffer, while another thread uses keyctl() to trigger a notification in the watch queue, calling post_one_notification() and accessing the freed pipe buffer. This flaw allows a local user to crash the system or escalate their privileges on the system.

Red Hat Enterprise Linux 6, 7 and 8 are not affected by this issue. Some versions of Linux . For that one need to use ioctl with FIONREAD command to get the size of unread data inside pipe.

If you are interested in this topic, please see the details of my speculation from the attached picture.

Official details (CVE-2022-2959): See the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-2959

Preface: Capturing and replaying a couple of signals are-synchronizes the rolling codes and unlocks most of today’s vulnerable vehicles.

Background: Automotive Remote Keyless Entry (RKE) systems implement disposable rolling codes, making every key fob button press unique, effectively preventing simple replay attacks. However a attack so called jamming. This is done by jamming the receiver, capturing 2 or more remote presses, then stopping the jammer nd replaying the first remote press saving the next capture iin the rolling code series to replay later.

Remark: So far, the root cause is not confirmed and no explicit mitigation exists, said Blackhat conference 2022 .

Vulnerability details: The Remote Keyless Entry (RKE) receiving unit on certain Nissan, Kia, and Hyundai vehicles through 2017 allows remote attackers to perform unlock operations and force a resynchronization after capturing two consecutive valid key fob signals over the radio, aka a RollBack attack. The attacker retains the ability to unlock indefinitely.

Official announcement: Refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-37418

Preface: This time openSSL.cnf is not involved this vulnerability, maybe C_REHASH is the suspect?

Background: VMware Tools is a set of services and modules that enable several features in VMware products for better management of, and seamless user interactions with, guests operating systems.

Some VMware Tools seĴings might expose security risks. For example, VMware Tools enables you to
connect virtual devices such as serial and parallel ports to virtual machines. A connected device might be a potential channel of attack.

When serial port access is enabled for a VM instance, clients can attempt to connect to that instance from any IP address and this allows anybody to access the instance if they know the user name, the SSH key, the project ID, and the instance name and zone.

Vulnerability Details: A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine , said VMware. Please refer to the link for details – https://www.vmware.com/security/advisories/VMSA-2022-0024.html

My observation: Since the vendor didn’t describe what the actual reason was. A hints for my analysis is based on openssl 3.0 working with VMware Tools 3.0.0 written in offical article. Coincidentally, a bug was discovered in OpenSSL 3.0.0, which was released in June 2022. The flaw will be fixed on OpenSSL 3.0.4. Affected products include 3.0.0, 3.0.1, 3.0.2, and 3.0.3. If you are interested in this, please refer to the attached image.

Preface: OPC UA bridges the divide between information technology and operational technology. It enables information and data exchange on devices within machines, between machines, and from machines to systems. As a result, companies cannot realize the benefits of the Internet of Things (IoT) and Industry 4.0 without OPC UA.

Background: Microsoft contributing Open-Source OPC UA stack to OPC Foundation on 2017. Upon today, the new OPC Foundation .NET reference stack, based on the new .NET Standard Library technology, was developed and optimized by Microsoft to serve as the complete platform-independent infrastructure, from the embedded world to the cloud.
This new version is enabled on the following supported platforms: Various Linux distributions, iOS, Android, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Phone, HoloLens and the Azure cloud.

Vulnerability details: The vulnerability exists due to excessive data output by the application within the handling of OPC UA BrowseRequests. A remote attacker can gain unauthorized access to sensitive information on the system.

With the information obtained an unauthorized user can create a valid session with the OPC UA server or client to obtain sensitive information.

OPC Foundation Security Bulletin – https://files.opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2022-33916.pdf

Preface: Security Alert from the vendor (Apple) on 17th Aug 2022, found a bug on their iOS. If you use iPhone and iPad, you need to update now. Some experts said that the update was also taken seriously by security research unit ZecOps, who tweeted that the iOS 15.6.1 patch vulnerability was already in use, and emphasized that hackers may launch one-click and “zero-click attacks”. Same strategy as NSO Group Pegasus Spyware.

What is zero-click attack?
On 2021, cybersecurity firm ZecOps claimed iPhones and iPads have had a traditional vulnerability to unassisted attacks, especially with its mail app. From iOS 13, this became a vulnerability to zero-click attacks too. “The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory,” a ZecOps blog published this April said. Apple reportedly patched this in April 2020.

Background: The vulnerability has been fixed, why is there another round of attacks on iPhones and iPads around the world?
As we know, the Linux kernel is composed of multiple kernel types, whereas the iOS kernel types use hybrids.
Since the CVE vulnerability information stated that this vulnerability is caused by an out-of-bounds vulnerability. The vendor, as usual, did not disclose details. But which key point drives the vendor to issue a remedy immediately? Let’s imagine the flaw based on the hints provided. In a multi-core environment, it is possible to trigger similar attacks. The attached image is when multiple kernels encounter errors on FreeBSD. For example, the vulnerability for FreeBSD was released on August 10, 2022. The vulnerability is an out-of-bounds read in elf_note_prpsinfo(). According to this circumstances, when an operating system runs on a multi-kernel system architecture (includes the FreeBSD operating system architecture). An out-of-scope defect occurred by design weakness.Thus triggering a serious flaw.
Above is only an example, as a matter of fact not know what the vulnerability was? But even what is the root causes , nobody can tell?
But if you keep your eyes open, when there is a new unknown critical bug occurs in on going future.

CWE-787: Out-of-bounds Write – Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.

Remark: The Service.RestartSec setting specifies the downtime in seconds after which systemd restarts a crashed service (5 seconds by default).

Vulnerability details:
CVE-2022-32893 vulnerability can exploit the WebKit that allows crafted web content to run arbitrary code on the targeted system.
CVE-2022-32894 vulnerability can exploit the Kernel that allows malicious apps to run arbitrary code with kernel privileges on the targeted system.
Fixes and Solutions:
Safari 15.6.1 | HT213414 – https://support.apple.com/en-gb/HT213414
macOS Monterey 12.5.1 | HT213413 – https://support.apple.com/kb/HT213413
iOS 15.6.1 and iPadOS 15.6.1 | HT213412 – https://support.apple.com/kb/HT213412