Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: Istio makes traffic management transparent to the application, moving this functionality out of the application and into the platform layer as a cloud native infrastructure. Istio complements Kubernetes, by enhancing its traffic management, observability and security for cloud native applications. Istio is an open source service mesh that layers transparently onto existing distributed applications. A service mesh often has complex operational requirements which include A/B testing, canary releases, access control, and rate limiting. These are in addition to its standard requirements of load balancing, discovering, failure recovery, end-to-end authentication, monitoring, and metrics.

Vulnerability details: The Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker……. For more details, please refer to the link – https://istio.io/latest/news/security/istio-security-2022-003/

Remedy: This release fixes the security vulnerabilities described in our February 22nd post, ISTIO-SECURITY-2022-003. This release note describes what’s different between Istio 1.13.0 and 1.13.1. For more details, please refer to the link – https://istio.io/latest/news/releases/1.13.x/announcing-1.13.1/

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: QProcess – Used to start external programs and to communicate with them. The QProcess class is used to start external programs and to communicate with them. To start a process, pass the name and command line arguments of the program you want to run as arguments to start().

What is QProcess in Qt? QProcess manages the output of the running process, keeping standard output and standard error data in separate internal buffers. You can select the QProcess’s current read channel by calling setReadChannel(). This is the default channel mode of QProcess.

Vulnerability details: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.

Impact – Opening files might lead to the execution of malicious binaries if they are placed in the right directories.

Remedy: When passed a simple program name with no slashes, QProcess on Unix systems will now only search the current directory if “.” is one of the entries in the PATH environment variable. This bug fix restores the behavior QProcess had before Qt 5.9.

Ref: If launching an executable in the directory set by setWorkingDirectory() or inherited from the parent is intended, pass a program name starting with “./”. For more information and best practices about finding an executable, see QProcess’ documentation.

Preface: In 2017, half of the world’s top 50 supercomputers used SUSE Enterprise Linux Server. Why does Linux dominate especially in supercomputer market? Linux is a free, open source operating system (OS), released under the GNU General Public License (GPL). Anyone can inspect or modify software “Source code”. Because of Linux cluster break the traditional technology limitation. Even though system developers does not have skill to develop CPU switch (crossbar) and related technology belongs. But they can modify the Linux OS and learn by Linux cluster technique. Finally, they can build their customized super power computing system. If you do a review of the top computer in the world, you will found that more and more super power computing systems are using Linux clustering technology.
Therefore the proprietary technology is not a giant anymore.
As a result, computer programmers can manipulate code to change the way software (“programs” or “applications”) works.

Background: This software (rndis.c) was originally developed in conformance with Microsoft’s Remote NDIS Specification License Agreement.

RNDIS refers to Remote NDIS. The implementation of RNDIS based on USB is actually TCP/IP over USB, which is to tun TCP/IP on the USB device, making the USB device look like a network card. With fast bridge cable, USB 3.1 could deliver a point to point network much faster than 1000-Base-T.

Vulnerability details: The RNDIS_MSG_SET usb control transfer request handler – rndis_set_response calls gen_ndis_set_resp passing a buffer pointer offset by BufOffset + 8. The BufOffset variable is retrieved from the RNDIS message and not validated to respect buffer boundaries. Consequently by manipulating the four byte InformationBufferOffset member of rndis_set_msg_type an attacker may offset the actual buffer by up to 0xffffffff bytes. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory.

Remark: The meaning of GADGET is an often small mechanical or electronic device with a practical use but often thought of as a novelty.

Remedy: Please refer to the link for details – https://github.com/torvalds/linux/commit/38ea1eac7d88072bbffb630e2b3db83ca649b826

Ref: USB 3.1 Gen 1 and Gen 2 offer stimultaneous media rate connection of 5GB/s and 10Gb/s in each direction. As a result USB 3.1 will be faster than 1000-Base-T. Furthermore, a USB bus can have up to 127 target devices, but only one host.
But Linux is flexible since you can read the source code. If you apply your imagination to design your own system. As we know, a USB bus can have up to 127 target devices, but only one host. If you apply Linux clustering concept. Form a new array to a group of array host with ethernet connectivity. So, it can be expandable.

Preface: The DOMParser interface provides the ability to parse XML or HTML source code from a string into a DOM Document .
A module that parses a string as regular expression and returns the parsed value. it is the regular expression solution.

Background: The “url-parse” was created in 2014 when the WHATWG URL API was not available in Node.js and the URL interface was supported only in some browsers. As times goes by, the “url-parse” method exposes two different API interfaces nowadays. It is the url interface from Node.js and the new URL interface that is available in the latest browsers.

In version 1.0.0, url-parse module decide not relies on the RegExp based solution in favor of a pure string parsing solution which chops up the URL into smaller pieces. To parse an URL simply call the URL method with the URL that needs to be transformed into an object.

Vulnerability details: Vulnerability details: Url-parse is not able to verify broken protocol. If a specify host included in blacklist check (refer to attached diagram for details). This will allow to bypass hostname validation when hostname check equals null.

Official announcement: If the userinfo is present but empty, the parsed host is also empty, and url[.]pathname is not '/', then readd the empty userinfo to url[.]href, otherwise the original invalid URL might be transformed into a valid one with url[.]pathname as host. See the link for details – https://github.com/unshiftio/url-parse/commit/ef45a1355375a8244063793a19059b4f62fc8788

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: NSX Data Center for vSphere provides networking and security functionality for your vSphere environment, including logical switching, logical routing, Distributed Firewall, load balancer, NAT, and VPN. NSX Data Center for vSphere is installed as a plug-in to VMware vCenter Server®.

Vulnerability details: The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper input validation in the NSX Edge appliance component. A local user with access to NSX-Edge appliance (NSX-V) can pass specially crafted argument to unspecified shell utility and execute arbitrary OS commands as root.

One of the possibilities: An attacker can exploit a command injection in the NETCONF over SSH access (TCP port 830). the SSH configuration checks if the commands starts with scp and then, evaluates the command as a whole, resulting in a command injection instead of allowing scp command only.
Attacker has a chance to identified a SUID program that can be used to gain full root privileges on the system.

Official announcement: Refer to the link for details – https://www.vmware.com/security/advisories/VMSA-2022-0005.html

Preface: The number 2,147,483,647 (or hexadecimal 7FFF,FFFF) is the maximum positive value for a 32-bit signed binary integer.

Background: TensorFlow is an end-to-end open source platform for machine learning. It has a comprehensive, flexible ecosystem of tools, libraries and community resources that lets researchers push the state-of-the-art in ML and developers easily build and deploy ML powered applications. TensorFlow and Scikit-learn, two of the most popular words from the jargon of the Machine Learning world!

Scikit-learn (sklearn) is positioned as a general-purpose machine learning library , but TensorFlow (tf) is positioned as a deep learning library .

For easy to understand on what ways of processing data with machine learning models. See below details.
– Traditional machine learning: use feature engineering to artificially refine and clean the data
– Deep learning: using representation learning, the machine learning model itself refines the data

Vulnerability details: Under certain scenarios, Grappler component of TensorFlow is vulnerable to an integer overflow during cost estimation for crop and resize. Since the cropping parameters are user controlled, a malicious person can trigger undefined behavior.

Ref: For example: If below setup is customized for agriculture yield analytic and artificial intelligence irrigation system. From design point of view, input not only limit to climatic parameters were considered in predicting the crop yield, the crop yield is influenced by many other input parameters such as irrigation, fertilizer application, pesticide application etc. Since those data will be defined as user input data (crop arguments are user controlled). In this circumstances, if such parameters does not implement maximum data input limit value or verification. As a result, it can trigger an overflow maliciously.

Impact: The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Remedy: Vendor have patched the issue in GitHub commit 0aaaae6eca5a7175a193696383f582f53adab23f.

The fix will be included in TensorFlow 2.8.0. It also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: NVIDIA License System supports the following types of service instances:

• Cloud License Service (CLS) instance. A CLS instance is hosted on the NVIDIA Licensing Portal.
• Delegated License Service (DLS) instance. A DLS instance is hosted on-premises at a location that is accessible from your private network, such as inside your data center.

NVIDIA License System is used to serve a pool of floating licenses to NVIDIA licensed products. The NVIDIA License System is configured with licenses obtained from the NVIDIA Licensing Portal. The license server is designed to be installed at a location that is accessible from a customer’s network, and be configured with licenses obtained from the NVIDIA Licensing Portal.

Vulnerability details: NVIDIA License System contains a vulnerability in the installation scripts for the DLS virtual appliance, where a user on a network after signing in to the portal can access other users’ credentials, allowing them to gain escalated privileges.

One of the possibilities: Traditional technology make use of service account concept.

Design weakness: Predefined sudo user account for a DLS virtual appliance.
Purpose: This user account has the elevated privileges required to update and upgrade the Ubuntu GPL/LGPL v3 licensed Open Source Software (OSS) libraries within the DLS virtual appliance.

Remark: This account is provided to comply with the terms of the GPL/LGPL v3 license under which some libraries in the Ubuntu operating system in the DLS virtual appliance are released.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5319

Preface: SOC → System on Chip. It is basically a cluster collection or group of different types of processor components like CPU[,GPU,Modems, DSP units and memory units.

ASIC → Application Specific Integrated Circuits. ASICs are chip that is basically hardwired to do a specific job.

Background: The SD/SDIO controller is compatible with the standard SD Host Controller Specification Version 2.0 Part A2 with SDMA (single operation DMA), ADMA1 (4 KB boundary limited DMA), and ADMA2 (ADMA2 allows data of any location and any size to be transferred in a 32-bit system memory – scatter-gather DMA) support. The core also supports up to seven functions in SD1, SD4, but does not support SPI mode. It does support SD high-speed (SDHS) and SD High Capacity (SDHC) card standards.

The Zynq®-7000 SoC family integrates the software programmability of an ARM®-based processor with the hardware programmability of an FPGA, enabling key analytics and hardware acceleration while integrating CPU, DSP, ASSP, and mixed signal functionality on a single device.

To build a custom Linux image, it’s recommended that you start with a Petalinux BSP for one of the Xilinx boards, and then customize the configuration to suit your needs.

Vulnerability details: A vulnerability has been found in Xilinx Zynq-7000 and classified as critical. On Xilinx Zynq-7000 SoC devices, physical modification of an SD boot image allows for a buffer overflow attack in the ROM.

Ref: The SDIO controller is not documented in details because The SD/SDIO controller is compatible with the standard SD Host Controller Specification Version 2.0 Part A2.

Refer to the Zynq design, the ROM resets all of the interesting SDIO config registers each time it goes to send a command. Found that even though it blocks on the transaction completion. It doesn’t clear out the DMA base address register . If attacker modify the transfer data size, it can trigger a buffer overflow in this circumstance.

Official announcement: Refer the link for details – https://support.xilinx.com/s/article/76964?language=zh_CN

Preface: Apple has announced the launch of its new operating system, macOS 10.15 Catalina on October 7, 2019. In keeping with Apple’s release cycle, macOS 10.12 Sierra will no longer be receiving security updates. Sierra was replaced by High Sierra 10.13, Mojave 10.14, and the newest Catalina 10.15.

Background: SwiftNIO is Apple non-blocking networking library. It can be used to write either client libraries or server frameworks and works on macOS, iOS and Linux. Swift-nio-http2 follows SemVer 2.0.0 with a separate document declaring SwiftNIO’s Public API. The project (SwiftNIO HTTP/2) contains HTTP/2 support for Swift projects using SwiftNIO.SwiftNIO is the library to build backend servers in the Swift programming language. In SwiftNIO, you cannot model concurrent execution without at least an event loop. To execute your asynchronous code, you need to ask the EventLoopGroup for an EventLoop. You can use the method next() to get a new EventLoop, in a round-robin fashion.

Does SemVer have a size limit on the version string?
No, but use good judgment. A 255 character version string is probably overkill, for example. Also, specific systems may impose their own limits on the size of the string.

Vulnerability details:

CVE-2022-24668 – caused by a network peer sending ALTSVC or ORIGIN frames (vulnerable to a denial of service attack). The issue is fixed by rewriting the parsing code to correctly handle the condition.
CVE-2022-24667 – caused by a network peer sending a specially crafted HPACK-encoded header block (vulnerable to a denial of service attack). The issue is fixed by rewriting the parsing code to correctly handle all conditions in the function.
CVE-2022-24666 – caused by a network peer sending a specially crafted HTTP/2 frame (vulnerable to a denial of service attack). The issue is fixed by rewriting the parsing code to correctly handle the condition.

Ref.1: Security concern with HPACK – Denial of service resulting from exhausting processing or memory capacity at a decoder.

Ref2: Some regular expression engines have a feature called “backtracking”. If the token cannot match, the engine “backtracks” to a position that may result in a different token that can match.
Backtracking becomes a weakness if all of these conditions are met:

• The number of possible backtracking attempts are exponential relative to the length of the input.
• The input can fail to match the regular expression.
• The input can be long enough.

Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.

Remedy: The risk can be mitigated if untrusted peers can be prevented from communicating with the service.