Category Archives: Potential Risk of CVE

CVE-2022-23094 on Libreswan. Stay alert!

Preface: Pluto is an IKE (“IPsec Key Exchange”) daemon, i.e. an implementation of IKE that runs as a daemon on a network node. Currently, this network node must be a Linux system running the KLIPS or NETKEY implementation of IPsec, or a FreeBSD/NetBSD/Mac OS X system running the KAME implementation of IPsec.

Background: Libreswan is a free software implementation of the most widely supported and standardized VPN protocol, using “IPsec” and the Internet Key Exchange (“IKE”). Most IPsec deployments fall into two types. The first type is Remote Access, where roaming users (phones, laptops) connect to the corporate network. The second type of IPsec network is where two or more IPsec gateways connect different networks together.

Is Libreswan safe? This open-source VPN is secure if you’re a Linux user, since it uses the built-in “XFRM” IPsec stack and the DDNS crypto library. The VPN is compatible with Linux distributions such as RHEL/EPEL, Arch Linux, and Fedora.

What is xfrm interface?
The design of virtual xfrm interfaces was discussed at the Linux IPsec workshop 2018. The patchset implements these interfaces as the IPsec userspace and kernel developers agreed. The purpose of these interfaces is to overcome the design limitations of the existing VTI (Virtual Tunnel Interface) devices.

Vulnerability details: According to the vendor announcement, Libreswan 4.2 through 4.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet, because pluto/ikev1[.]c wrongly expects that a state object exists.
Observation: Are the consequences of NULL pointer dereference due to vmalloc in the specified function?

Mitigation: If all configured connections are using IKEv2, the IKEv1 subsystem can be disabled by adding the option ikev1-policy=drop to the “config setup” section of ipsec[.]conf. Alternatively, libreswan can be compiled with USE_IKEv1=false.

Or upgrade to version 4.6.

Official announcement: For details of the official announcement, please see the homepage – https://libreswan.org/

About Citrix vulnerabilities (CVE-2021-28704 & CVE-2021-28707) 13th Jan 2022

Preface: Virtual memory settings can often be controlled through the OS. In addition, RAM uses swapping techniques, while virtual memory uses paging. While physical memory is limited to the size of the RAM chip, virtual memory is limited by the size of the hard disk.

Background: When you create a VM, a fixed amount of memory is allocated to the VM. You can use Dynamic Memory Control (DMC) to improve the utilization of physical memory in your Citrix Hypervisor environment. DMC is a memory management feature that enables dynamic reallocation of memory between VMs.

The QEMU component is a superset of the QEMU device model present in Xen. In KVM, the QEMU binary directly takes care of talking to the hypervisor to create the guest domain. In Xen, the QEMU binary merely provides the I/O emulation, while XenD takes care of actually creating the domain.

A DomU is an unprivileged domain with (by default) no access to the hardware. It must run a frontend driver for any multiplexed hardware it wishes to share with other domains. The kernel for a DomU comes from Dom0’s filesystem, not from the filesystem exported to the DomU.

Vulnerability details: Citrix has released security updates to address vulnerabilities in Hypervisor. An attacker could exploit these vulnerabilities to take control of an affected system. For more details, please refer to the link – https://support.citrix.com/article/CTX335432

About: HTTP Protocol Stack RCE Vulnerability (11th Jan, 2022)

Preface: HTTP[.]sys is mature technology that protects against many types of attacks and provides the robustness, security, and scalability of a full-featured web server. IIS itself runs as an HTTP listener on top of HTTP[.]sys.

Background: HTTP/1.1 specifies that a response sent as Transfer-Encoding: chunked can include optional trailers (i.e. what would normally be sent as headers, but for whatever reason can’t be calculated before the content, so they are appended to the end).

The HTTP/1.1 specification lays out how chunking works, specifically in section 3.6.1:
The chunked encoding modifies the body of a message in order to transfer it as a series of chunks, each with its own size indicator, followed by an OPTIONAL trailer containing entity-header fields. This allows dynamically produced content to be transferred along with the information necessary for the recipient to verify that it has received the full message.
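To make the framing above concrete, here is a strict decoder for a chunked body with trailers. It is an added illustration, not code from the page or from Microsoft; the sample message is constructed, and MAX_CHUNK is an assumed sanity limit. It rejects anything that violates the framing (bad size field, truncated chunk, missing final CRLF), which is the “verify that it has received the full message” step the specification refers to.

```python
"""Decode an HTTP/1.1 chunked body, including the optional trailer section."""
# Added illustration of the chunked framing described above; it is not code
# from the page or from Microsoft. The sample message below is constructed.
from typing import Dict, Tuple

MAX_CHUNK = 1 << 20  # assumption: refuse absurd chunk sizes before buffering them
HEX = b"0123456789abcdefABCDEF"


def parse_chunked(raw: bytes) -> Tuple[bytes, Dict[str, str]]:
    """Return (body, trailers); raise ValueError on any framing violation."""
    body = bytearray()
    pos = 0
    while True:
        end = raw.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunk-size line")
        size_field = raw[pos:end].split(b";", 1)[0].strip()  # drop chunk extensions
        if not size_field or any(c not in HEX for c in size_field):
            raise ValueError("bad chunk size: %r" % size_field)
        size = int(size_field, 16)
        if size > MAX_CHUNK:
            raise ValueError("chunk larger than MAX_CHUNK")
        pos = end + 2
        if size == 0:
            break  # last-chunk: trailers (if any) follow
        if raw[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data truncated or not CRLF-terminated")
        body += raw[pos:pos + size]
        pos += size + 2
    # Trailer section: header-style lines ended by an empty line (section 3.6.1).
    trailers: Dict[str, str] = {}
    while True:
        end = raw.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated trailer section")
        line, pos = raw[pos:end], end + 2
        if not line:
            break
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed trailer line: %r" % line)
        trailers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    if pos != len(raw):
        raise ValueError("%d stray bytes after the trailer section" % (len(raw) - pos))
    return bytes(body), trailers


# Constructed sample: three chunks (one with an extension), last-chunk, one trailer.
SAMPLE = (b"4\r\nWiki\r\n5\r\npedia\r\nE;ext=1\r\n in\r\n\r\nchunks.\r\n"
          b"0\r\nExpires: Wed, 21 Oct 2015 07:28:00 GMT\r\n\r\n")

if __name__ == "__main__":
    print(parse_chunked(SAMPLE))
```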

Vulnerability details: This vulnerability can be exploited by sending specially crafted packets to the HTTP protocol stack to launch an attack, and the potential harm of this vulnerability is high.

Ref (1): The HTTP Trailer response header allows the sender to include additional fields at the end of chunked messages in order to supply metadata that might be dynamically generated while the message body is sent. No package install is needed if you use the Microsoft[.]AspNetCore[.]All metapackage.

The Microsoft[.]AspNetCore[.]Server[.]HttpSys package is included in the metapackage.

Ref (2): Call the UseHttpSys extension method on WebHostBuilder in your Main method, specifying any HTTP[.]sys options that you need.

Mitigations: Please refer to the link – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907

About: CVE-2022-22531 – Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA (11-1-2022)

Preface: For security reasons, SAP will not disclose the details of the vulnerability. The security bulletin was issued yesterday. However, the end user only needs to tinker. But we don’t know what happened? So my purpose in this topic is to try to dig out details of interest that appeal to you. If my findings didn’t precisely find the reason for this vulnerability, no worries. Since the weaknesses in client-side JavaScript security in SAPUI5 applications may be ubiquitous, it is easy to find the details somewhere.

Background: F0743 (Create Single Payment) is an SAP S/4HANA transactional app used by an Accounts Payable Accountant through the SAP Fiori (SAPUI5) user interface (UI) technology. With this app you can make a direct payment to a supplier when no invoice exists, and you can pay open supplier line items. When you make a direct payment to a supplier without an invoice, you specify the supplier details, the bank details, and the amount to be paid, then create the payment.

Vulnerability details: The official announcement states that there are multiple vulnerabilities in the F0743 Create Single Payment application of SAP S/4HANA.

Results are based on my observations: SAPUI5 is a hybrid app (because of HTML5). Therefore SAPUI5 is a technology, whereas Fiori is a methodology. Fiori focuses mainly on mobility. Fiori uses SAPUI5 for the frontend and uses OData to get back-end data. Based on the theory above, apps built using SAPUI5 are responsive across browsers and devices. They can run on smartphones, tablets, and desktops. If not properly used, the SAPUI5 framework is susceptible to various types of security vulnerabilities that usually affect client-side JavaScript frameworks.

Static Application Security Testing showed that SAPUI5 contains DOM-based Cross Site Scripting and code injection loopholes. For example (type-0 XSS): a vulnerable document.write() sink that writes user input, retrieved from a text box via the getValue() method of a vulnerable SAPUI5 application, directly into the web page’s DOM structure.

Impact: It increases the likelihood that client code will behave in an “unexpected” way.

Official announcement: Please refer to the link – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035

CVE-2022-21825 Citrix Workspace App for Linux Security Update (11-1-2022)

Preface: Privilege escalation attacks can be separated into two types: horizontal privilege escalation and vertical privilege escalation. Privilege escalation happens when a malicious user exploits a bug, design flaw, or configuration error in an application or operating system to gain elevated access to resources that should normally be unavailable to them.

Background: Starting with version 2109, Citrix Workspace app introduces an option to append User-Agent strings to network requests and identify the source of a network request. Based on this User-Agent string, you can decide how to manage the network request.
For version 2108, the app protection feature is now fully functional. The app protection feature supports app and desktop sessions and is enabled by default. However, you must configure the app protection feature in the AuthManConfig.xml file to enable it for the authentication manager and the Self-Service plug-in interfaces.

Vulnerability details: A vulnerability has been identified in Citrix Workspace app for Linux that could result in a local user elevating their privilege level to root on the computer running Citrix Workspace app for Linux.

This vulnerability only affects Citrix Workspace app for Linux 2012 – 2111 and only exists if App Protection was installed as part of Citrix Workspace app for Linux. This vulnerability does not exist if App Protection is not installed.

My observation: The vendor did not disclose details, but due to the design constraints of the product, the vulnerable version of glibc might have the possibility to trigger the design weakness, because Workspace app for Linux (installed with App Protection) does not support the app protection feature on an OS that uses glibc 2.34 or later. For more details, please refer to the attached diagram.

Official announcement: Please refer to the link – https://support.citrix.com/article/CTX338435

CVE-2021-23218 Missing Release of Memory after Effective Lifetime 10th Jan 2022

Preface: Deploy the leading enterprise container runtime with just two commands

Background: Mirantis Container Runtime is the industry-leading, high-level runtime at the heart of Mirantis Kubernetes Engine, enabling it to operate Swarm and Kubernetes containers efficiently on any substrate. It is based on containerd, the Cloud Native Computing Foundation (CNCF) core container runtime. FIPS 140-2 is only supported in MCR. MKE and MSR currently do not support FIPS 140-2.

Vulnerability details: When running with FIPS mode enabled, Mirantis Container Runtime leaks memory during TLS Handshakes which could be abused to cause a denial of service.

Affected Products: Mirantis Container Runtime (MCR) version 20.10.8

Mitigations: FIPS mode is not the default mode of operation.

Observation: One of the possibilities: users using SSL channels with applications that are frequently connecting and disconnecting. The message digest is handled in such a way that internal resources could fail to be cleaned up when multiple threads were starting and ending SSL sessions concurrently.

Official announcement: Please refer to the link – https://github.com/Mirantis/security/blob/main/advisories/0002.md

The twists and turns of this vulnerability CVE-2022-22846. 9th Jan, 2022

Preface: What if a design weakness does not directly affect the software component? Is it a vulnerability, or can we ignore it?

Background: What is the difference between DNS and nameservers?
DNS records are what contain the actual information that other browsers or services need to interact with, like your server’s IP address. Nameservers, on the other hand, help store and organize those individual DNS records.

dnslib is a Python library that provides the framework for a DNS server. The file Client[.]py is mostly useful for testing. Furthermore, it can optionally compare results from two nameservers (--diff) or compare results against dig (--dig).

Vulnerability details: The dnslib package through 0.9.16 for Python does not verify that the ID value in a DNS reply matches an ID value in a query.
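The check that the issue describes as missing, shown as an added example written with the standard library only (this is not dnslib’s code): a client builds a query, and before trusting a reply it confirms the transaction ID, the QR flag and the echoed question all agree. The query/reply pair below is constructed, and the "example.test" name and 192.0.2.1 address are sample values.

```python
"""Verify that a DNS reply really answers the query it is paired with."""
# Added example for the dnslib issue above; this is not dnslib's code. It
# builds a constructed query/reply pair with the standard library only and
# applies the checks a client should make before trusting a reply.
import struct

QR = 0x8000  # header flag bit: message is a response

def encode_name(qname: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(p)]) + p.encode("ascii")
                    for p in qname.rstrip(".").split(".")) + b"\x00"

def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Minimal query: header (RD set, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def question_section(pkt: bytes) -> bytes:
    """Raw bytes of the single question (QNAME + QTYPE + QCLASS) at offset 12."""
    pos = 12
    while pos < len(pkt) and pkt[pos] != 0:
        if pkt[pos] & 0xC0:
            raise ValueError("compression pointer inside question name")
        pos += 1 + pkt[pos]
    if pos + 5 > len(pkt):
        raise ValueError("question truncated")
    return pkt[12:pos + 5]

def build_reply(txid: int, query: bytes, address: str) -> bytes:
    """Constructed reply: echoes the question and adds one A record (TTL 300)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)  # name ptr to offset 12
    return header + question_section(query) + rr + bytes(int(o) for o in address.split("."))

def reply_matches_query(query: bytes, reply: bytes) -> bool:
    """Accept a reply only if its ID, QR flag and question agree with the query.
    The ID comparison is the check dnslib through 0.9.16 did not perform."""
    if len(query) < 12 or len(reply) < 12:
        return False
    (qid,) = struct.unpack("!H", query[:2])
    rid, flags = struct.unpack("!HH", reply[:4])
    if qid != rid or not flags & QR:
        return False
    try:
        return question_section(query) == question_section(reply)
    except ValueError:
        return False  # malformed or truncated question: never trust it

if __name__ == "__main__":
    q = build_query(0x1234, "example.test")
    print(reply_matches_query(q, build_reply(0x1234, q, "192.0.2.1")))  # True
    print(reply_matches_query(q, build_reply(0x4321, q, "192.0.2.1")))  # False
```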

Official announcement: For details, please refer to the link – https://github.com/paulc/dnslib/issues/30

Remark: Application developers can write their own DNS servers in Python and host them on Kubernetes. Even if the risk of this vulnerability is not very high, it may be worth knowing about.

About CVE-2021-28714,CVE-2021-28715 – Guest can force Linux netback driver to hog large amounts of kernel memory (6th Jan, 2022)

Preface: Citrix Hypervisor is based on the Xen Project hypervisor, with extra features and support provided by Citrix. Citrix Hypervisor 8.2 uses version 4.13.4 of the Xen hypervisor.

Background: Netfront communicates with a counterpart backend driver called netback in the driver domain, using shared memory I/O channels. The driver domain uses a software bridge to route packets between the physical device and multiple guests through their netback interfaces.

Vulnerability details: Incoming data packets for a guest in the Linux kernel’s netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest:

There is a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time. (CVE-2021-28715)

The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing. (CVE-2021-28714)

Additional: Traditionally, an attacker would use consecutive hypercall attacks with irregular ordering to bother the Xen hypervisor.
This new exploitation seems easier for suspending the service of the netback driver. UDP is connectionless, so more packets will be delivered to the destination in the same amount of time compared with TCP (connection oriented). As a result, making use of time turns the design weakness in memory consumption into a loophole.

Official announcement: https://cve.report/CVE-2021-28715/6270cec3

Containerd 1.5.9 has been released to fix CVE-2021-43816 (5th Jan, 2022)

Preface: A Pod represents a single instance of a running process in your cluster. Pods contain one or more containers, such as Docker containers. When a Pod runs multiple containers, the containers are managed as a single entity and share the Pod’s resources.

Background: Containerd was designed to be used by Docker and Kubernetes, as well as any other container platform that wants to abstract away syscalls or OS-specific functionality to run containers on Linux, Windows, Solaris, or other operating systems. Kubernetes is removing support for Docker as a container runtime. Kubernetes does not actually handle the process of running containers on a machine. Instead, it relies on another piece of software called a container runtime. The CRI plugin is containerd’s implementation of the Kubernetes Container Runtime Interface (CRI). With it, you can run Kubernetes using containerd as the container runtime.

Vulnerability details: On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files.
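Until nodes are upgraded, a cluster operator can at least spot the mount pattern the advisory describes in submitted pod manifests. The audit helper below is an added example, not containerd’s or Kubernetes’ own code; it takes a pod manifest as a plain dict (what yaml.safe_load or the API returns) and reports every hostPath volume whose in-container mount path normalises to one of the three relabelled locations. The sample manifest is constructed.

```python
"""Flag pod specs that bind-mount a hostPath volume at a path containerd
relabels (CVE-2021-43816): /etc/hosts, /etc/hostname, /etc/resolv.conf."""
# Added audit helper; not containerd's or Kubernetes' own code. It takes a
# pod manifest as a plain dict (what yaml.safe_load or the API returns).
# The sample pod below is constructed.
import posixpath
from typing import Dict, List, Tuple

RELABELED_PATHS = {"/etc/hosts", "/etc/hostname", "/etc/resolv.conf"}


def find_relabel_risks(pod: Dict) -> List[Tuple[str, str, str]]:
    """Return (container, mountPath, hostPath) for every risky mount."""
    spec = pod.get("spec") or {}
    host_paths = {v["name"]: (v.get("hostPath") or {}).get("path", "")
                  for v in spec.get("volumes") or [] if "hostPath" in v}
    findings = []
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        for m in c.get("volumeMounts") or []:
            # normalise so "/etc/../etc/hostname" is caught as well
            target = posixpath.normpath(m.get("mountPath", ""))
            if m.get("name") in host_paths and target in RELABELED_PATHS:
                findings.append((c.get("name", "?"), target, host_paths[m["name"]]))
    return findings


SAMPLE_POD = {  # constructed manifest, not taken from any real cluster
    "metadata": {"name": "sample"},
    "spec": {
        "volumes": [
            {"name": "hostfile", "hostPath": {"path": "/etc/motd", "type": "File"}},
            {"name": "logs", "hostPath": {"path": "/var/log"}},
            {"name": "cfg", "configMap": {"name": "app-config"}},
        ],
        "initContainers": [{
            "name": "init",
            "volumeMounts": [{"name": "hostfile", "mountPath": "/etc/../etc/hostname"}],
        }],
        "containers": [{
            "name": "app",
            "volumeMounts": [
                {"name": "hostfile", "mountPath": "/etc/hosts"},    # flagged
                {"name": "logs", "mountPath": "/var/log"},           # ordinary hostPath
                {"name": "cfg", "mountPath": "/etc/resolv.conf"},   # not a hostPath
            ],
        }],
    },
}

if __name__ == "__main__":
    for name, target, source in find_relabel_risks(SAMPLE_POD):
        print("container %s mounts host file %s at %s" % (name, source, target))
```

The same check belongs in an admission webhook or policy engine so the manifest is rejected before it reaches a vulnerable node.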

Additional: Simple conceptual diagram attached.

Remediation: This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.

Reference: https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c

CVE-2021-22045 – VMware ESXi,VMware Workstation and VMware Fusion contains a heap-overflow vulnerability in CD-ROM device emulation (4th Jan 2022)

Preface: You cannot connect to a virtual machine’s CD/DVD-ROM device with the Administrator role. By default setting, the Administrator role does not have permission to access a virtual machine’s CD/DVD-ROM device.

Background: Most of the files stored on a VMFS volume, though, are large files – virtual disk files, swap files, installation image files. VMFS operates on disks attached to ESXi servers but not on computers running VMware Workstation or VMware Player. VMFS 6 was released in vSphere 6.5 and is used in vSphere 6.7, vSphere 7.0, and newer versions such as vSphere 7.0 Update 3.

Vulnerability details: VMware ESXi (7.0, 6.7 before ESXi670-202111101-SG and 6.5 before ESXi650-202110101-SG), VMware Workstation (16.2.0) and VMware Fusion (12.2.0) contain a heap-overflow vulnerability in CD-ROM device emulation. A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine.

VMware released a security advisory for ESXi hosts. Remedies for ESXi 6.5 and 6.7 are ready; however, for 7.0 only a workaround is provided. For more details, please refer to the link – https://kb.vmware.com/s/article/87249

Official announcement: https://www.vmware.com/security/advisories/VMSA-2022-0001.html

Additional: Because the supplier wants to keep it confidential, the details have not been announced yet. My observations of this vulnerability are drawn in the attached diagrams.