Category Archives: Potential Risk of CVE

CVE-2022-2959 follow-up (25th Aug 2022)

Preface: If an attacker uses a race condition such as the hypothetical one discussed here to perform malicious operations and bypass security mechanisms, it becomes a "race condition vulnerability". This class of vulnerability commonly occurs when threads use the same shared memory to update the values of variables.

Technical background, from the kernel source file pipe[.]c: new pipe buffers are restricted to this size while the user is exceeding their pipe buffer quota. The general pipe use case needs at least two buffers: one for data yet to be read and one for new data. If this is fewer than two, a write to a non-empty pipe may block even if the pipe is not full.
Users can reduce their pipe buffers with F_SETPIPE_SZ below this at their own risk, namely: pipe writes to non-full pipes may block until the pipe is emptied.

Vulnerability details: CVE-2022-2959 was updated on 25th Aug 2022; however, it had not been published before. The vulnerability is a race condition in the Linux kernel's watch queue due to a missing lock in pipe_resize_ring(). The fix was issued on 28th May 2022.

Description: A race condition was found in the Linux kernel's watch queue due to a missing lock in pipe_resize_ring(). The race occurs when one thread uses ioctl(IOC_WATCH_QUEUE_SET_SIZE) to resize the pipe buffer and free the old pipe buffer, while another thread uses keyctl() to trigger a notification in the watch queue, calling post_one_notification() and accessing the freed pipe buffer. This flaw allows a local user to crash the system or escalate their privileges on the system.
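The preface's definition (threads updating the same shared memory) and the description above (a missing lock around a shared pipe buffer) describe the same class of bug. The program below is an added illustration and is not kernel code or anything from the CVE record: it runs several threads that increment one shared counter, once with a mutex guarding the read-modify-write and once without, so the effect of a missing lock can be observed as lost updates. Thread count and iteration count are constructed values.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Shared state that several threads update; `use_lock` selects whether the
 * read-modify-write on `counter` is guarded by the mutex. */
typedef struct {
    volatile long counter;
    long iterations;
    int use_lock;
    pthread_mutex_t lock;
} shared_t;

static void *worker(void *arg)
{
    shared_t *s = arg;
    for (long i = 0; i < s->iterations; i++) {
        if (s->use_lock)
            pthread_mutex_lock(&s->lock);
        s->counter++;   /* load, add, store: interleavings between threads lose updates */
        if (s->use_lock)
            pthread_mutex_unlock(&s->lock);
    }
    return NULL;
}

/* Run `nthreads` threads that each add `iterations` to one shared counter.
 * Returns the final counter value, or -1 if a thread could not be created. */
long run_counter(int nthreads, long iterations, int use_lock)
{
    shared_t s;
    s.counter = 0;
    s.iterations = iterations;
    s.use_lock = use_lock;
    pthread_mutex_init(&s.lock, NULL);

    pthread_t *tids = calloc((size_t)nthreads, sizeof *tids);
    if (tids == NULL)
        return -1;

    int started = 0;
    for (; started < nthreads; started++)
        if (pthread_create(&tids[started], NULL, worker, &s) != 0)
            break;
    for (int i = 0; i < started; i++)
        pthread_join(tids[i], NULL);

    free(tids);
    pthread_mutex_destroy(&s.lock);
    return started == nthreads ? s.counter : -1;
}

/* Total the counter must reach if no update is lost. */
long expected_total(int nthreads, long iterations)
{
    return (long)nthreads * iterations;
}

int main(void)
{
    long want = expected_total(4, 200000);   /* constructed workload */
    printf("with lock:    %ld (expected %ld)\n", run_counter(4, 200000, 1), want);
    printf("without lock: %ld (expected %ld)\n", run_counter(4, 200000, 0), want);
    return 0;
}
```

The locked run always reaches the expected total; the unlocked run can only ever fall short, and by how much depends on scheduling, which is exactly why such bugs are hard to reproduce and why the kernel fix was to add the missing lock rather than to change the data.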

Red Hat Enterprise Linux 6, 7 and 8 are not affected by this issue. Some versions of Linux . For that, one needs to use ioctl with the FIONREAD command to get the size of the unread data inside the pipe.
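The two user-space knobs mentioned in this post, F_SETPIPE_SZ for the pipe buffer size and ioctl(FIONREAD) for the amount of unread data, can be exercised directly. The program below is an added example, not code from the kernel or from the CVE record: it creates a pipe, asks for a one-page buffer, writes a constructed message and reports what FIONREAD sees. It assumes a Linux kernel (F_SETPIPE_SZ and F_GETPIPE_SZ are Linux-specific) and that the requested size stays within the unprivileged limit.

```c
#define _GNU_SOURCE     /* F_SETPIPE_SZ / F_GETPIPE_SZ are Linux extensions */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Request a pipe buffer of `want` bytes and return the size the kernel actually
 * granted (it rounds up to a power-of-two number of pages), or -1 on failure. */
long pipe_set_size(int write_fd, long want)
{
    if (fcntl(write_fd, F_SETPIPE_SZ, (int)want) < 0)
        return -1;
    return fcntl(write_fd, F_GETPIPE_SZ);
}

/* Bytes written but not yet read, as reported by ioctl(FIONREAD); -1 on failure. */
long pipe_unread(int read_fd)
{
    int pending = 0;
    if (ioctl(read_fd, FIONREAD, &pending) < 0)
        return -1;
    return pending;
}

/* Create a pipe, resize it to `want` bytes and return the granted size (-1 on failure). */
long demo_pipe_size(long want)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;
    long granted = pipe_set_size(fds[1], want);
    close(fds[0]);
    close(fds[1]);
    return granted;
}

/* Create a pipe, resize it, write `msg` and return the FIONREAD count (-1 on failure).
 * The write is skipped if it would not fit, because it would block on a full pipe. */
long demo_pipe_unread(const char *msg, long want)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;
    long rc = -1;
    long granted = pipe_set_size(fds[1], want);
    size_t len = strlen(msg);
    if (granted >= 0 && len <= (size_t)granted) {
        ssize_t w = write(fds[1], msg, len);
        if (w == (ssize_t)len)
            rc = pipe_unread(fds[0]);
    }
    close(fds[0]);
    close(fds[1]);
    return rc;
}

int main(void)
{
    const char *msg = "hello, pipe";   /* constructed sample payload */
    printf("granted pipe size: %ld bytes\n", demo_pipe_size(4096));
    printf("unread after write: %ld bytes\n", demo_pipe_unread(msg, 4096));
    return 0;
}
```

On a typical 4 KiB-page kernel the granted size comes back as 4096; on larger page sizes it is rounded up, which is why the program prints the granted value rather than assuming it.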

If you are interested in this topic, please see the details of my speculation from the attached picture.

Official details (CVE-2022-2959): See the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-2959

CVE-2022-37418 – The RollBack attack works on some Nissan, Kia, and Hyundai vehicles in production through 2017. 08/24/2022

Preface: Capturing and replaying a couple of signals re-synchronizes the rolling codes and unlocks most of today's vulnerable vehicles.

Background: Automotive Remote Keyless Entry (RKE) systems implement disposable rolling codes, making every key fob button press unique and effectively preventing simple replay attacks. However, there is an attack known as jamming: the attacker jams the receiver, captures two or more remote presses, then stops the jammer and replays the first press, saving the next capture in the rolling-code series to replay later.

Remark: So far the root cause is not confirmed and no explicit mitigation exists, according to the Black Hat 2022 presentation.

Vulnerability details: The Remote Keyless Entry (RKE) receiving unit on certain Nissan, Kia, and Hyundai vehicles through 2017 allows remote attackers to perform unlock operations and force a resynchronization after capturing two consecutive valid key fob signals over the radio, aka a RollBack attack. The attacker retains the ability to unlock indefinitely.

Official announcement: Refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-37418

CVE-2022-31676 – VMware Tools (23rd Aug 2022)

Preface: This time openssl.cnf is not involved in this vulnerability; maybe c_rehash is the suspect?

Background: VMware Tools is a set of services and modules that enable several features in VMware products for better management of, and seamless user interaction with, guest operating systems.

Some VMware Tools settings might expose security risks. For example, VMware Tools enables you to connect virtual devices such as serial and parallel ports to virtual machines. A connected device might be a potential channel of attack.

When serial port access is enabled for a VM instance, clients can attempt to connect to that instance from any IP address; this allows anybody to access the instance if they know the user name, the SSH key, the project ID, and the instance name and zone.

Vulnerability details: A malicious actor with local non-administrative access to the guest OS can escalate privileges to root in the virtual machine, said VMware. Please refer to the link for details – https://www.vmware.com/security/advisories/VMSA-2022-0024.html

My observation: The vendor didn't describe what the actual reason was. A hint for my analysis is that OpenSSL 3.0 works with VMware Tools 3.0.0, as written in the official article. Coincidentally, a bug was discovered in OpenSSL 3.0.0, which was released in June 2022. The flaw will be fixed in OpenSSL 3.0.4. Affected products include 3.0.0, 3.0.1, 3.0.2 and 3.0.3. If you are interested in this, please refer to the attached image.

CVE-2022-33916 – OPC UA .NET Standard Reference Server 1.04.368 allows a remote attacker to cause the application to access sensitive information (23rd Aug 2022)

Preface: OPC UA bridges the divide between information technology and operational technology. It enables information and data exchange on devices within machines, between machines, and from machines to systems. As a result, companies cannot realize the benefits of the Internet of Things (IoT) and Industry 4.0 without OPC UA.

Background: Microsoft contributed its open-source OPC UA stack to the OPC Foundation in 2017. Today, the new OPC Foundation .NET reference stack, based on the .NET Standard Library technology, has been developed and optimized by Microsoft to serve as a complete platform-independent infrastructure, from the embedded world to the cloud.
This new version runs on the following supported platforms: various Linux distributions, iOS, Android, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Phone, HoloLens and the Azure cloud.

Vulnerability details: The vulnerability exists because the application outputs excessive data when handling OPC UA BrowseRequests. A remote attacker can gain unauthorized access to sensitive information on the system.

With the information obtained an unauthorized user can create a valid session with the OPC UA server or client to obtain sensitive information.

OPC Foundation Security Bulletin: https://files.opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2022-33916.pdf

Were you awakened by this alert [CVE-2022-32894] a few days ago? (21st Aug 2022)

Preface: A security alert from the vendor (Apple) on 17th Aug 2022 reported a bug in iOS. If you use an iPhone or iPad, you need to update now. Some experts said the update was also taken seriously by the security research unit ZecOps, who tweeted that the vulnerability patched in iOS 15.6.1 was already in use, and emphasized that hackers may launch one-click and "zero-click" attacks, the same strategy as NSO Group's Pegasus spyware.

What is a zero-click attack?
In 2021, cybersecurity firm ZecOps claimed that iPhones and iPads have had a traditional vulnerability to unassisted attacks, especially in the Mail app. From iOS 13, this became a vulnerability to zero-click attacks too. "The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory," a ZecOps blog published this April said. Apple reportedly patched this in April 2020.

Background: The vulnerability has been fixed, so why is there another round of attacks on iPhones and iPads around the world?
As we know, the Linux kernel can be composed of multiple kernel types, whereas the iOS kernel uses a hybrid design.
The CVE information states that this vulnerability is an out-of-bounds issue. The vendor, as usual, did not disclose details. But what key point drove the vendor to issue a remedy immediately? Let's imagine the flaw from the hints provided. In a multi-core environment, it is possible to trigger similar attacks. The attached image shows multiple kernels encountering errors on FreeBSD. For example, a FreeBSD vulnerability was released on August 10, 2022: an out-of-bounds read in elf_note_prpsinfo(). Under these circumstances, when an operating system runs on a multi-kernel system architecture (including the FreeBSD architecture), an out-of-bounds defect arising from a design weakness can trigger a serious flaw.
The above is only an example; in fact, we do not know what the vulnerability was, and nobody can tell what the root cause is.
But keep your eyes open when a new, unknown critical bug occurs in the future.

CWE-787: Out-of-bounds Write – Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.

Remark: The Service.RestartSec setting specifies the downtime in seconds after which systemd restarts a crashed service (5 seconds by default).

Vulnerability details:
CVE-2022-32893 is a WebKit vulnerability that allows crafted web content to run arbitrary code on the targeted system.
CVE-2022-32894 is a kernel vulnerability that allows malicious apps to run arbitrary code with kernel privileges on the targeted system.
Fixes and Solutions:
Safari 15.6.1 | HT213414 https://support.apple.com/en-gb/HT213414
macOS Monterey 12.5.1 | HT213413 https://support.apple.com/kb/HT213413
iOS 15.6.1 and iPadOS 15.6.1 | HT213412 https://support.apple.com/kb/HT213412

CVE-2022-2568 – Logic flaw leads to privilege escalation (Red Hat Ansible Automation Platform) 18th Aug 2022

Preface: What is backward compatibility in Linux?
Backward compatible (also known as downward compatible, or backward compatibility) refers to a hardware or software system that can successfully use interfaces and data from earlier versions of the system or from other systems.

Background: Ansible Automation Platform provides an enterprise framework for building and operating IT automation at scale, from hybrid cloud to the edge. Ansible Automation Platform enables users across an organization to create, share, and manage automation—from development and operations to security and network teams.

Configure Automation Hub to support your organization by creating groups for your users and providing them with the level of system access they require. In this design, the system administrator configures Automation Hub to mirror the operational structure in exactly that way: groups for users, each with the level of system access it needs.

The relevant packages are as follows:

  • python-galaxy-ng – A Pulp plugin to support hosting your very own Ansible Galaxy server.
  • pulpcore-selinux – pulpcore-selinux is a set of SELinux policies for Pulp 3, with several plugins[0] installed.
  • openshift-clients – With the OpenShift command-line interface (CLI), the oc command, you can create applications and manage OpenShift Container Platform projects from a terminal.
  • automation-hub – The Red Hat Ansible Automation Hub is the official location to discover and download supported Ansible content collections.
  • automation-controller – The automation controller allows users of Red Hat® Ansible® Automation Platform to define, operate, scale, and delegate automation across their enterprise.
  • ansible-core – Ansible core (ansible-core) is the main building block and architecture for Ansible and includes CLI tools such as ansible-playbook, ansible-doc and others for driving and interacting with automation.

Vulnerability details: A privilege escalation flaw was found in the Ansible Automation Platform. This flaw allows a remote authenticated user with "change user" permissions to modify the account settings of the superuser account and also to remove the superuser privileges.

Official details: https://access.redhat.com/security/cve/cve-2022-2568

If you are interested in reading this article, you may agree that the industrial sector needs to strengthen cybersecurity protection (17th Aug 2022)

Preface: OPC UA is a standard that ensures the open connectivity, interoperability, security, and reliability of industrial automation devices and systems. OPC UA is widely recognized as the key communication and data modeling technology for the Industry 4.0 initiative.
The UA SDK is a C++ library that supports you in writing portable C++ OPC UA Servers. The UA SDK actually consists of two SDKs, a Server SDK and a Client SDK. Both use the same UA Base Library which does all the C++ encapsulation of the raw ANSI C types that are defined in the OPC UA Communication Stack by the OPC Foundation.

Background: The C++ OPC UA Server SDK provides a C++ class library used to develop OPC UA Servers providing a standard interface to vendor specific systems. The OPC UA Server is normally used to describe the available information from a vendor system and to provide access to the data for external systems in a standardized way.
The SDK allows multiple instances of the address space implementation. For every namespace you create a new address space, and together they form the complete server address space. For each address space the "ns" is well known, which eliminates redundant "ns" information in the nodes. For each address space you can configure the size constraints and whether the address space is created dynamically in RAM or compiled into the application.

Vulnerability details: On 17th Aug 2022, Softing published an information update for the OPC UA C++ SDK from version 6.0. Softing OPC UA C++ Server SDK, Secure Integration Server, edgeConnector, edgeAggregator, OPC Suite and uaGate are affected by a NULL pointer dereference vulnerability.
NULL pointer dereference vulnerability in OPC UA C++ SDK, Secure Integration Server, edgeConnector and edgeAggregator – https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-7.html

Ref: On June 17, 2021, it was reported that in Softing OPC UA C++ SDK (Software Development Kit) versions 5.59 to 5.64, exported library functions don't properly validate received extension objects, which may allow an attacker to crash the software by sending a variety of specially crafted packets that access several unexpected memory locations.
https://nvd.nist.gov/vuln/detail/CVE-2021-32994
https://www.cisa.gov/uscert/ics/advisories/icsa-21-168-02

CVE-2022-38362 – Apache Airflow Docker Provider design weakness (prior to 3.0.0) 16th Aug 2022

Preface: The three top industries that use Apache Airflow for Workflow Automation are Machine Learning, Big Data and Artificial Intelligence.

Background: Airflow is a platform that lets you build and run workflows. A workflow is represented as a DAG (a Directed Acyclic Graph), and contains individual pieces of work called Tasks, arranged with dependencies and data flows taken into account.
The following are the basics of deploying Airflow inside Kubernetes. I assume you have the following running as Docker containers inside Kubernetes: a Postgres container, a Postgres Service, the Airflow webserver, the Airflow scheduler and an Airflow LoadBalancer Service.

The steps below are a quick view based on the components above.
Step 1. Get Apache Airflow Docker image.
Step 2. Deploy Postgres into Kubernetes.
Step 3. Deploy a Service for Postgres.
Step 4. Prepare Postgres database for Airflow.
Step 5. Get ready to write some YAML files.
Step 6. Deploy a LoadBalancer Service to expose Airflow UI to Internet.
Warning: Once this step is complete, you will have an Airflow UI that anyone can access.

Vulnerability details: The Apache Airflow Docker Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code execution on the Airflow worker host.

Remark: A DAG is defined in a Python script, which represents the DAG's structure (tasks and their dependencies) as code.

Mitigation: Disable loading of example DAGs, or upgrade apache-airflow-providers-docker to 3.0.0 or above.

Official announcement: Please refer to the link for details – https://lists.apache.org/thread/614p38nf4gbk8xhvnskj9b1sqo2dknkb

CVE-2022-35623 Nordic nRF5 SDK for Mesh 5.0 design weakness – 15th Aug 2022

Preface: Bluetooth mesh is ideal for industrial IoT use cases—especially lighting—that require the relatively low-cost and low-power scalability, reliability, and performance of Bluetooth technology. It enables many-to-many device communications and is optimized for creating large-scale device networks.

Background: Bluetooth mesh networks, communication from one node to another. Unlike traditional IP-based networks, Bluetooth Mesh uses a managed flood routing model for forwarding messages from one node to another. In this model, messages are broadcast to every node in the vicinity, and a time-to-live (TTL) is used to address the risk of a routing loop.

The nRF5 SDK for Mesh is ideal for developing applications that use Bluetooth mesh networks.

The heap is a region of a process's memory used to store dynamically allocated variables. These are allocated using the malloc() and calloc() functions and resized using realloc(), which are built-in functions of the C library.
The function memcpy() copies a memory block from one location (the source) to another (the destination), both given by pointers. It is declared in the "string.h" header file of the C language. It does not check for overflow: it copies exactly the number of bytes it is told to, whether or not the destination is large enough.

Vulnerability details: CVE-2022-35623 – In Nordic nRF5 SDK for Mesh 5.0, a heap overflow vulnerability can be triggered by sending a series of segmented control packets and access packets with the same SeqAuth. The vulnerable function is trs_seg_packet_in in mesh/core/src/transport[.]c.

Official details: https://docs.google.com/document/d/1Y3sB5JbyrTIOgvA1h9X6o8pJQBG4PjWF/edit

Additional: CVE-2022-35624 – In Nordic nRF5 SDK for Mesh 5.0, a heap overflow vulnerability can be triggered by sending a series of segmented packets with SegO > SegN.
https://docs.google.com/document/d/1BrgB1bQiL-cMXQGaXJWSSyaZY51Zxomp/edit
The vulnerable function is again trs_seg_packet_in in mesh/core/src/transport[.]c.
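Both CVEs above come down to the same pattern: a heap buffer is sized from the header of the first segment, and later segments are copied into it with memcpy() on the strength of header fields that were never checked against that size. The routine below is an added illustration of the defensive side, not code from the Nordic SDK and not the vendor's fix (the page does not state the root cause): it reassembles segmented packets and validates SeqAuth, SegN and SegO against the state fixed at allocation time before any byte is copied. The segment size (12 bytes), the 5-bit width of SegN/SegO and the sample payload are my assumptions and constructed values.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed sizes: a segment carries at most SEG_SIZE payload bytes, and SegN/SegO
 * are 5-bit fields, so one message has at most 32 segments. */
#define SEG_SIZE     12
#define MAX_SEGMENTS 32

typedef struct {
    uint32_t seq_auth;   /* identity of the message being reassembled */
    uint8_t  seg_n;      /* index of the last segment, fixed by the first segment seen */
    size_t   capacity;   /* bytes allocated for buf: (seg_n + 1) * SEG_SIZE */
    uint32_t seen;       /* bit i set once segment i has been stored */
    uint8_t *buf;
} reasm_t;

/* Allocate a reassembly buffer sized from the announced SegN. Returns 0 or -1. */
int reasm_init(reasm_t *r, uint32_t seq_auth, uint8_t seg_n)
{
    if (seg_n >= MAX_SEGMENTS)
        return -1;
    r->seq_auth = seq_auth;
    r->seg_n = seg_n;
    r->seen = 0;
    r->capacity = (size_t)(seg_n + 1) * SEG_SIZE;
    r->buf = calloc(r->capacity, 1);
    return r->buf ? 0 : -1;
}

/* Store one segment. Every wire field is checked against the state established
 * by the first segment before memcpy() touches the heap buffer. 0 = accepted, -1 = rejected. */
int reasm_accept(reasm_t *r, uint32_t seq_auth, uint8_t seg_n, uint8_t seg_o,
                 const uint8_t *data, size_t len)
{
    if (r->buf == NULL || seq_auth != r->seq_auth)
        return -1;                 /* belongs to a different message */
    if (seg_n != r->seg_n)
        return -1;                 /* SegN changed mid-message: buffer was sized for the old value */
    if (seg_o > seg_n)
        return -1;                 /* SegO > SegN: the offset would land past the end */
    if (len > SEG_SIZE)
        return -1;                 /* oversized segment */
    size_t off = (size_t)seg_o * SEG_SIZE;
    if (off + len > r->capacity)
        return -1;                 /* never rely on the header alone; check against the allocation */
    memcpy(r->buf + off, data, len);
    r->seen |= (uint32_t)1u << seg_o;
    return 0;
}

/* 1 once every segment 0..SegN has been stored, else 0. */
int reasm_complete(const reasm_t *r)
{
    uint32_t all = (r->seg_n == 31) ? 0xFFFFFFFFu
                                    : (((uint32_t)1u << (r->seg_n + 1)) - 1u);
    return r->buf != NULL && (r->seen & all) == all;
}

void reasm_free(reasm_t *r)
{
    free(r->buf);
    r->buf = NULL;
}

/* Scripted check: a 3-segment message (SegN = 2) interleaved with malformed
 * segments that must be rejected. Returns 0 when every step behaves as intended. */
int demo(void)
{
    const uint8_t seg[SEG_SIZE] = "seg-payload!";   /* constructed 12-byte sample */
    reasm_t r, bad;
    int rc = 0;
    rc |= reasm_init(&bad, 0x1u, 32) == 0;                      /* SegN out of range: reject */
    if (reasm_init(&r, 0x00ABCDEFu, 2) != 0)
        return 1;
    rc |= reasm_accept(&r, 0x00ABCDEFu, 2, 0, seg, 12) != 0;    /* first segment: accept */
    rc |= reasm_accept(&r, 0x00ABCDEFu, 2, 3, seg, 12) == 0;    /* SegO > SegN: reject */
    rc |= reasm_accept(&r, 0x00ABCDEFu, 5, 1, seg, 12) == 0;    /* SegN mismatch: reject */
    rc |= reasm_accept(&r, 0x00000001u, 2, 1, seg, 12) == 0;    /* other SeqAuth: reject */
    rc |= reasm_complete(&r) != 0;                              /* segments 1 and 2 missing */
    rc |= reasm_accept(&r, 0x00ABCDEFu, 2, 1, seg, 12) != 0;
    rc |= reasm_accept(&r, 0x00ABCDEFu, 2, 2, seg, 5) != 0;     /* short last segment: accept */
    rc |= reasm_complete(&r) != 1;
    reasm_free(&r);
    return rc;
}
```

The check that matters most is the last one before memcpy(): even if every header field looked consistent, the write offset plus length is compared with the capacity recorded when the buffer was allocated, so a malformed sequence can at worst be dropped, never copied past the end of the heap block.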

Point of view: Networking flagship firm hits ransomware attack. (You’ll see what no one else can see) 14th Aug 2022

Preface: The Cisco Talos article mentions a ransomware attack on their company. They described in detail that in the first phase of the attack, the attacker used phishing against victims. Once the target machine was compromised, the attacker proceeded to the second phase. But with a so-called zero-day, no one will know. If we could replay the scenario, maybe this design flaw would be one of the possibilities that triggered the event.

Background: In the summary and recommendation posted by Talos Intelligence Group (see below):
Cisco implemented a company-wide password reset immediately upon learning of the incident. CTIR previously observed similar TTPs in numerous investigations since 2021.

CVE-2021-22928 – A vulnerability has been identified in Citrix Virtual Apps and Desktops that could, if exploited, allow a user of a Windows VDA that has either Citrix Profile Management or Citrix Profile Management WMI Plugin installed to escalate their privilege level on that Windows VDA to SYSTEM.

One of the key reasons for my speculation: we don't know the exact infrastructure, and from a security standpoint Cisco would not disclose details. But the information below provides hints of interest to me.

Quote:
After establishing access to the VPN, the attacker then began to use the compromised user account to logon to a large number of systems before beginning to pivot further into the environment. They moved into the Citrix environment, compromising a series of Citrix servers and eventually obtained privileged access to domain controllers.

Official details: If you are interested in digging out the details, please refer to the official website link – https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html

Comment: From a technical point of view, if this is a zero-day vulnerability, I don’t think it can be prevented with preventive or detective controls.