Preface: Did you know someone is behind your computer?

Background: WRH–300x series is wireless LAN router for microminiature hotel corresponding to 11bgn300Mbps which can enjoy the Internet with the speed of about 4 times of LTE line.

Ref: 11BGN, 11AGN, and 11AC are wireless standards supported by wireless products. Among them, 11BGN refers to the 802.11b, 802.11g, and 802.11n standards, 11AGN refers to the 802.11a, 802.11g, and 802.11n standards, and 11ac refers to the 802.11ac standard.

Vulnerability Details: Certain versions of ELECOM LAN Routers allows an attacker on the adjacent network to execute an arbitrary OS command via unspecified vectors.

Synopsis: The PPPoEd service is used to create Point-to-Point Protocol over Ethernet (PPPoE) connections on LAN Router. The PPPoEd daemon uses the mount system command to load and start a networking device during PPPoE connection negotiation. However, PPPoEd relies on the PATH environment variable to locate the executable file for the mount command.

Likehood: A malicious user may be able to create an arbitrary program labeled mount. Execute Hijack Execution Flow,doing Path Interception by PATH Environment Variable.
PATH variable to refer to the new mount executable. When PPPoEd checks the PATH variable to locate the executable for the mount command, it follows the PATH entry enter the new version of mount (arbitrary program labeled mount).

Affected Products: WRH-300BK3 firmware v1.05 and earlier, WRH-300WH3 firmware v1.05 and earlier, WRH-300BK3-S firmware v1.05 and earlier, WRH-300DR3-S firmware v1.05 and earlier, WRH-300LB3-S firmware v1.05 and earlier, WRH-300PN3-S firmware v1.05 and earlier, WRH-300WH3-S firmware v1.05 and earlier, and WRH-300YG3-S firmware v1.05 and earlier

Official announcement: https://www.elecom.co.jp/news/security/20220208-02/

Preface: In addition to the traditional CVE risk level criteria, the critical level of vulnerability risk will depend on the processing technique.

Background: NVIDIA vGPU software is a graphics virtualization platform that provides virtual machines (VMs) access to NVIDIA GPU technology. In order to fulfill design objective, it is necessary enable an GPUDirect RDMA connection to NVIDIA GPUs on Linux. GPUDirect RDMA is a technology introduced in Kepler-class GPUs and CUDA 5.0 that enables a direct path for data exchange between the GPU and a third-party peer device using standard features of PCI Express. Examples of third-party devices are: network interfaces, video acquisition devices, storage adapters.

To add GPUDirect RDMA support to a device driver, a small amount of address mapping code within the kernel driver must be modified. This code typically resides near existing calls to get_user_pages().

Vulnerability details: NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (nvidia[.]ko), where a user in the guest OS can cause a GPU interrupt storm on the hypervisor host, leading to a denial of service.

In computing, remote direct memory access (RDMA) is a direct memory access from the memory of one computer into that of another without involving either one’s operating system. It is assumed that the software does not restrict or erroneously restrict access to resources by unauthorized actors. As a result, it allows vulnerabilities to occur. For more details, please refer to the attached diagram.

Impact: Affected Vendor/Software: URL Logo NVIDIA – NVIDIA Virtual GPU Software and NVIDIA Cloud Gaming version vGPU version 13.x (prior to 13.2), version 11.x (prior to 11.7) and version 8.x (prior 8.10).

Preface: The traditional content distribution network (CDN) can no longer meet the specifications of 5G networks because it requires high bandwidth, low latency and on demand massive connections. The bottlenecks of traditional CDN cannot been resolved the rapidly growth in video traffic, rate, and cost.

Background: Apache Traffic Server™ software is a fast, scalable and extensible HTTP/1.1 and HTTP/2 compliant caching proxy server. Traffic Control is a control plane for a CDN (Content Delivery Network).
In addition to being an HTTP proxy, Apache Traffic Server™ is also an HTTP cache. Traffic Server can cache any octet stream, although it currently supports only those octet streams delivered by the HTTP protocol. When such a stream is cached (along with the HTTP protocol headers) it is termed an object in the cache. Each object is identified by a globally unique value called a cache key.

Traffic Ops is the tool for administration (configuration and monitoring) of all components in a Traffic Control CDN. Traffic Portal uses the Traffic Ops API to manage servers, Cache Groups, Delivery Services, etc.

Vulnerability details: In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.

Weakness Enumeration: CWE-918: Server-Side Request Forgery (SSRF). For possible ways to trigger the specified vulnerability, please refer to the attached image.

Official announcement: https://lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vvz8n126f

Preface: If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory.

Background: Django itself is web framework used for developing web applications based on python. Which is used for making development proccess more simple and easy. It provides various built in things such as Django ORM, Forms, Security, Authentication, Admin and many third party packages that are available on django packages.

MultiPartParser

• It parses the incoming request form contents into QueryDict.
• It is used if “Content-Type” is set to “multipart/form-data”.
• request.data will be a QueryDict containing all the form parameters.
• request.files will be a QueryDict containing all the form files.
• FormParser and MultiPartParser together used for full support of HTML form data.

Vulnerability details: In below operating process sequence, a design weakness occurs . For more details, please see below:
Factors that expose this vulnerability. Content-Type should contain multipart and the boundary information.

• Step 1. UploadHandler instance that performs operations on the uploaded data.
• Step 2. Parse the header to get the boundary to split the parts.
• Step 3. Whether or not to signal a file-completion at the beginning of the loop.
• Step 4. If step 3 is negative, it cannot be sure a file is complete until it hit the next boundary/part of the multipart content. Loop will continue to run until the Boolean expression is TRUE.

Impact: An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

Remedy: Fixed CVE-2022-23833 (Fixed DoS possiblity in file uploads). Please refer to the link for details – https://github.com/django/django/blob/main/django/http/multipartparser.py

Preface: If you are a Kubernetes administrator, doing the resources distribution, may be it is a daily routine job. Regarding to this vulnerability, have you resolve yet?

Background: Namespaces are one of the main features of the Linux kernel – they carry out the distinction between kernel resources. It makes sure that a process can only see the specified set of resources. Examples of resources are process IDs, hostnames, files, usernames, network access names, and inter-process communications.

Vulnerability details: kernel/ucount[.]c in the Linux kernel 5.14 through 5.16.4, when unprivileged user namespaces are enabled, allows a use-after-free and privilege escalation because a ucounts object can outlive its namespace.

Ref: Ordinary ucount references exist in places that also have a reference to the user namspace, but in POSIX message queues, the SysV shm code,and the SIGPENDING code there is no independent user namespace reference.

Inspection of the the user_namespace show no instance of circular references between struct ucounts and the user_namespace. So hold a reference from struct ucount to i’s user_namespace to resolve this problem.

Remediation: Please refer to the link for details – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f9d87929d451d3e649699d0f1d74f71f77ad38f5

Preface: If no open source software concept in our world, technology is hard to become common. Even though you concern cyber security. They can fixed it when there is vulnerability occurs.

Background: pfSense is an open source firewall and routing platform based on FreeBSD. pfSense can be installed on physical computers or virtual machines, and can act as an independent firewall and router in the network. It is equipped with a Web user interface for administrative tasks such as setting and updating, which makes it easier to use.

Vulnerability details: If you accept QNAP solution turn your NAS into a virtual router. This vulnerability found on pfSense this time remind you should stay alert. The following vulnerability was found:/usr/local/www/pkg[.]php in pfSense through 2.5.2 uses $_REQUEST[‘pkg_filter’] in a PHP echo call.
The main reason using $_REQUEST is that parameter can get transferred in $_POST or $_GET. By accessing $_REQUEST you don’t have to check both $_GET and $_POST it the value is set.
If you are passing $_GET (or $_POST) parameters to your queries, make sure that they are cast to strings first. Attacker can insert associative arrays in GET and POST requests, which could then become unwanted $-queries.

Official article, what remedies they did: Please refer to the link – Please refer to the link – https://github.com/pfsense/pfsense/commit/5d82cce0d615a76b738798577a28a15803e59aeb

Preface: What are backports in traditional Linux?
“Backporting” is the process of making new software run on something old. A version of something new that’s been modified to run on something old is called a “backport”. The Backports Project develops tools to automate the backporting process for Linux drivers. These tools form the backports suite.

Background: The idea of the Backports project is to collect openSUSE packages built for SUSE Linux Enterprise in a central repository. The policies for this repo are aligned with SUSE in order to maintain supportability of the main OS, making the packages “safe” to install and use.

The openSUSE:Backports projects are built as “Maintenance” projects. This is a special type of project which not only contains the latest build of a package, but also a history of previous releases. It’s also how the openSUSE updates projecs are managed.

Vulnerability details: A UNIX Symbolic Link (Symlink) Following vulnerability in the systemd service file for watchman of openSUSE Backports SLE-15-SP3, Factory allows local attackers to escalate to root.

Below details is the explanation of Matthias Gerstner.

The problem here is that watchman should continue working as normal on the command line without using systemd. This means that an unprivileged watchman instance must be able to create /run/watchman/$USER-state. This is why /run/watchman is a public sticky-bit directory.

What does a sticky bit do?
The modern function of the sticky bit refers to directories, and protects directories and their content from being hijacked by non-owners;

Official announcement: Please refer to the link for details https://bugzilla.suse.com/show_bug.cgi?id=1194470

Preface: NGINX Controller provides lightning-fast application delivery and API management for modern app teams.

Background: What is a Data Plane?

The data plane is a layer of service proxies that manage application-level network traffic. Data plane typically operate on Layer 7 (application) traffic, although they may also operate at Layer 4 (transport) traffic as well. For Example: Popular data plane proxies include Envoy Proxy, NGINX, and HAProxy.

Layer seven refers to a layer of security built into the open systems interconnect model. This is the highest level of security in the application level that supports end-user applications and processes. Defenses and attacks will be based on this area. So some experts firm will be focus layer 4 and Layer 7.

Vulnerability details: CVE-2022-23008 – Successful exploitation allows an attacker to read and/or write files on the NGINX data plane instance. The access to files is limited to the user running the NGINX process, typically the nginx user.

Does this concept like CVE-2022-23008? An attacker can trick the browser by replacing the Access-Control-Allow-Origin header.
First, the attack should be hidden using (proxy_hide_header Access-Control-Allow-Origin;) . Then we add our own before sending back the response. NGINX will not replace headers; it will append to them.
So a possible way is that an attacker can exploit a proxy.

If you are interested in the details, please refer to the attached diagram.

Vendor announcement: Final – K57735782: NGINX Controller API Management vulnerability CVE-2020-23008 – https://support.f5.com/csp/article/K57735782

Preface: Expat is free software. You may copy, distribute, and modify it under the terms of the License contained in the file COPYING distributed with this package. This license is the same as the MIT/X Consortium license.

Background: As a open-source XML parser, Expat can be implemented by several programming languages, such as: Python, PHP,Perl,…etc. There are four functions will be frequent in use (see below):

• XML_ParserCreate – To create a new analyzer object.
• XML_SetElementHandler – To define handlers for start and end tags.
• XML_SetCharacterDataHandler – To define the handler for text.
• XML_Parse – To pass a buffer full of documents to the analyzer

After the Web Server receives the XML data, it will give it to the XML parser. To use the Expat library, programs first register handler functions with Expat. When Expat parses an XML document, it calls the registered handlers as it finds relevant tokens in the input stream. These tokens and their associated handler calls are called events. Typically, programs register handler functions for XML element start or stop events and character events. Expat provides facilities for more sophisticated event handling such as XML Namespace declarations, processing instructions and DTD events.

Vulnerability details: CVE-2022-23852 – Fix signed integer overflow (undefined behavior) in function XML_GetBuffer (that is also called by function XML_Parse internally) when XML_CONTEXT_BYTES is defined to >0 (which is both common and default). Impact is denial of service or more.

Some kinds of integer overflow are undefined, and these kinds of behavior are especially problematic. According to the C99 standard, undefined behavior is “behavior, upon use of a non-portable or erroneous program construct or of erroneous data, for which this International Standard imposes no requirements.”

Ref: A signed integer is a 32-bit datum that encodes an integer in the range [-2147483648 to 2147483647]. An unsigned integer is a 32-bit datum that encodes a nonnegative integer in the range [0 to 4294967295]. The signed integer is represented in twos complement notation.

Official article: https://github.com/libexpat/libexpat/pull/550

Preface: Samsung Electronics has started the development of IoT.js on 2015, a platform for IoT applications written in JavaScript, and JerryScript, a JavaScript engine for small, embedded devices.

Background: JerryScript is an ultra-lightweight JavaScript engine for the Internet of things. It is capable of executing ECMAScript 5.1 source code on devices with less than 64 KB of memory.
JerryScript Engine can be embedded into any application, providing the way to run JavaScript in a large range of environments – from desktops to low-memory microcontrollers.

Ref: IoT devices come with severe constraints in terms of CPU performance and memory footprint. Because of that, Samsung has designed the JerryScript engine to run in less than 64KB or RAM and the entire code fits in less than 200KB of ROM.

Vulnerability details: CVE-2022-22895 – The following vulnerability was found:
Jerryscript 3.0.0 was discovered to contain a heap-buffer-overflow via ecma_utf8_string_to_number_by_radix in /jerry-core/ecma/base/ecma-helpers-conversion[.]c.

Why are we interested in CVE-2022-22893? Here’s why:

Stack is a linear data structure whereas Heap is a hierarchical data structure. Stack memory will never become fragmented whereas Heap memory can become fragmented as blocks of memory are first allocated and then freed. Stack accesses local variables only while Heap allows you to access variables globally.

See whether the attached diagram give you a quick idea of the vulnerability? Also, some vulnerabilities were found in jerryscript. See below for details:

CVE-2022-22894 – The following vulnerability was found:
Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_lcache_lookup in /jerry-core/ecma/base/ecma-lcache[.]c.

CVE-2022-22893 – The following vulnerability was found:
Jerryscript 3.0.0 was discovered to contain a stack overflow via vm_loop.lto_priv.304 in /jerry-core/vm/vm[.]c.

CVE-2022-22891 – The following vulnerability was found:
Jerryscript 3.0.0 was discovered to contain a SEGV vulnerability via ecma_ref_object_inline in /jerry-core/ecma/base/ecma-gc[.]c.

Remedy: Please refer to Github.