Category Archives: System

Potential Risk of CVE, System

CVE-2024-41012: filelock- Remove locks reliably when fcntl/close race is detected (24/07/2024)

Leave a comment

In the Linux kernel, design weakness (CVE-2024-41012) has been resolved.

Preface: The GFP acronym stands for “get free pages”, the underlying memory allocation function. Diversity of the allocation APIs combined with the numerous GFP flags makes the question “How should I allocate memory?” not that easy to answer, although very likely you should use. kzalloc(<size>, GFP_KERNEL);

Background: You can build a 64-bit POSIX-compliant tick-less kernel with a Linux-compatible syscall implementation using Go.

Vulnerability details: When fcntl_setlk() races with close(), it removes the created lock with do_lock_file_wait(). However, LSMs can allow the first do_lock_file_wait() that created the lock while denying the second do_lock_file_wait() that tries to remove the lock. In theory (but AFAIK not in practice), posix_lock_file() could also fail to remove a lock due to GFP_KERNEL allocation failure (when splitting a range in the middle).

After the bug has been triggered, use-after-free reads will occur in lock_get_status() when userspace reads /proc/locks. This can likely be used to read arbitrary kernel memory, but can’t corrupt kernel memory. This only affects systems with SELinux / Smack / AppArmor / BPF-LSM in enforcing mode and only works from some security contexts.

Official announcement: Please refer to the official announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2024-41012

AI and ML, IoT, Network (Protocol, Topology & Standard), Potential Risk of CVE, Science, System

CVE-2024-41009: bpf – Fix overrunning reservations in ringbuf (17th July 2024)

Leave a comment

Preface: Consumer and producer counters are put into separate pages to allow each position to be mapped with different permissions. This prevents a user-space application from modifying the position and ruining in-kernel tracking. The permissions of the pages depend on who is producing samples: user-space or the kernel. Starting from Linux 5.8, BPF provides a new BPF data structure (BPF map): BPF ring buffer (ringbuf). It is a multi-producer, single-consumer (MPSC) queue and can be safely shared across multiple CPUs simultaneously.

Background: The first core skill point is “BPF Hooks”, that is, where in the kernel can BPF programs be loaded. There are nearly 10 types of hooks in the current Linux kernel, as shown below:

kernel functions (kprobes)

userspace functions (uprobes)

system calls

fentry/fexit

Tracepoints

network devices (tc/xdp)

network routes

TCP congestion algorithms

sockets (data level)

Vulnerability details: For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos – cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A’s header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header’s pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A’s header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash.  

Official announcement: Please refer to the official announcement for details – https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=47416c852f2a04d348ea66ee451cbdcf8119f225

AI and ML, IoT, Potential Risk of CVE, System

CVE-2023-20597: AGESA™ firmware versions previously provided did not sufficiently mitigate CVE-2023-20594. Release 2nd round of remedy.(13-June-2024)

Leave a comment

Preface: June 2024 Update – After additional analysis, AMD believes that the Client AGESA™ firmware versions previously provided did not sufficiently mitigate CVE-2023-20594. This security bulletin has been updated with new Client AGESA™ firmware versions that contain updated mitigations.

Background: The DXE drivers are responsible for initializing the processor, chipset, and platform components as well as providing software abstractions for system services, console devices, and boot devices.

Vulnerability details:

CVE-2023-20594Improper initialization of variables in the DXE driver may allow a privileged user to leak sensitive information via local access.
CWE-665 Improper Initialization

CVE-2023-20597 Improper initialization of variables in the DXE driver may allow a privileged user to leak sensitive information via local access.
CWE-665 Improper Initialization

Published Date: Sep 20, 2023
Last updated date: Jun 11, 2024

Official announcement: For detail, please refer to link –
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4007.html

AI and ML, Potential Risk of CVE, System

CVE-2024-38016: tty: n_gsm: fix possible out-of-bounds in gsm0_receive() (29-05-2024)

Leave a comment

Preface: In the Linux Kernels n_gsm serial line discipline, which can be exploited by local attackers to gain kernel level root access. It original published by other Linux brand on 8th May 2024.

Background: In Unix systems, a tty (which is short for “teletypewriter”) is the standard representation of a terminal device, with at least input and output capabilities and usually much more. These were originally connected to serial ports, but most today are virtual terminals, connected to either a text-mode console (DOS-like) or a graphical terminal program (like xterm or gnome-terminal).

Vulnerability details: tty: n_gsm: fix possible out-of-bounds in gsm0_receive()

Assuming the following:

– side A configures the n_gsm in basic option mode

– side B sends the header of a basic option mode frame with data length 1

– side A switches to advanced option mode

– side B sends 2 data bytes which exceeds gsm->len

Reason: gsm->len is not used in advanced option mode.

– side A switches to basic option mode

– side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration.

Official details: For detail, please refer to link – https://www.tenable.com/cve/CVE-2024-36016

AI and ML, Potential Risk of CVE, System

Red Hat security advisory: Important – glibc security update (29-05-2024)

Leave a comment

Preface: You can clear the cache of nscd by performing the following actions:

Execute the following command: sudo /etc/init[.]d/nscd restart.

Background:

Nscd is a daemon that provides a cache for the most common name service requests. The default configuration file, /etc/nscd. conf, determines the behavior of the cache daemon.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

The iconv() function shall convert the sequence of characters from one codeset, in the array specified by inbuf, into a sequence of corresponding characters in another codeset, in the array specified by outbuf. The codesets are those specified in the iconv_open() call that returned the conversion descriptor, cd.

Vulnerability details:

glibc: Out of bounds write in iconv may lead to remote code execution (CVE-2024-2961)

glibc: stack-based buffer overflow in netgroup cache (CVE-2024-33599)

 glibc: null pointer dereferences after failed netgroup cache insertion (CVE-2024-33600)

 glibc: netgroup cache may terminate daemon on memory allocation failure (CVE-2024-33601)

 glibc: netgroup cache assumes NSS callback uses in-buffer strings (CVE-2024-33602)

Official announcement: For detail, please refer to link – https://access.redhat.com/errata/RHSA-2024:3464

AI and ML, System, Under our observation

AMD urged software developers to implement best practices to avoid secret-dependent data accesses or control flows. (28-04-2024)

Leave a comment

Originally published on April 26, 2024.

Preface: (Level 3 cache) A memory bank built onto the motherboard or within the CPU module. The L3 cache feeds the L2 cache, and its memory is typically slower than the L2 memory, but faster than main memory.

Background: The last-level cache (LLC) is the last chance for memory accesses from the processor to avoid the costly latency of going to main memory. Level 3 (L3) represents the Last Level Cache (LLC) in the example above, and is the last (and slowest) stop within the cache hierarchy before the system must endure the long trek out to Main Memory.

The last-level cache (LLC) is one of the most dangerous shared resources since it is shared by all of the cores in a processor package, yet it allows fine-grained, high-bandwidth, low-noise cross-core attacks.

The cache memory divides into three levels:

L1 cache – fastest, but smallest, data and instructions

L2 cache – slower, but bigger, data-only

L3 cache – slowest, but biggest, data-only

Vulnerability detail: Cache side channel attacks work by monitoring security-critical operations such as AES T table entries or modular exponentiation or multiplication or memory accesses. The attacker is then able to derive the encryption key by recovering the key based on the accesses made (or not made) by the victim.

Official announcement: Please refer to the link for details –

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7019.html

IoT, Potential Risk of CVE, System

CVE-2024-4017 and CVE-2024-4018 on BeyondTrust (19-04-2024)

Leave a comment

Preface: CyberArk most likely to be known as a leader in PAM. BeyondTrust more popular among small and medium-sized enterprises.

Background: U-Series is a self-contained physical or virtual appliance that contains the operating system, the database, the BeyondTrust BeyondInsight platform, and the BeyondTrust Password Safe solution.

For a BeyondInsight deployment with a local SQL Server instance, the minimum requirement is 32GB. It is based on Microsoft Windows Server 2022 Standard operating system. The license included with the U-Series v20 and U-Series v20 SQL Free for Microsoft Windows Server 2022 covers up to 16 cores on the physical virtualization (host) server.

Vulnerability details:

CVE-2024-4018: Improper Privilege Management vulnerability in BeyondTrust U-Series Appliance on Windows, 64 bit (local appliance api modules) allows Privilege Escalation.This issue affects U-Series Appliance: from 3.4 before 4.0.3. Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-4018

CVE-2024-4017: Improper Privilege Management vulnerability in BeyondTrust U-Series Appliance on Windows, 64 bit (filesystem modules) allows DLL Side-Loading.This issue affects U-Series Appliance: from 3.4 before 4.0.3. Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-4017

Potential Risk of CVE, System

Why does Arm not affected by CVE-2024-2201? (11-Apr-2024)

Leave a comment

Preface: I believed that similar type of design weakness known last year by Arm (Feb 2023). May be it fixed it already.

Background: Linux kernel on Intel systems is susceptible to Spectre v2 attacks. CVE-2022-0001 explained Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. On 9th April, 2024 Dr. Elke Drennan published an article focus an attacker with access to CPU resources may be able to read arbitrary privileged data or system registry values by speculatively jumping to a chosen gadget. When you read the details, you will find that AMD and ARM are not affected. Why?

Vulnerability details: An attacker with access to CPU resources may be able to read arbitrary privileged data or system registry values by speculatively jumping to a chosen gadget.

Solution: Please update your software according to the recommendations from respective vendors with the latest mitigations available to address this vulnerability and its variants.

Official announcement: Please refer to the link for details- https://www.kb.cert.org/vuls/id/155143

Potential Risk of CVE, System

When Intel met Heckle – hypervisor’s interrupt injection behavior on Intel TDX  (10th April 2024)

Leave a comment

Technical report shared by ETH Zurich on 4th April 2024: Please refer to the link for details – https://arxiv.org/html/2404.03387v1

Background: Intel CPU’s inbuilt TDX Module provides an interface for the hypervisor to manage VMs indirectly and offers new instructions, VMLAUNCH-VMX and VMRESUME, for starting and resuming a VM. Instead of keeping track of the owner for each memory page on a system wide basis, TDX relies on keeping one shared extended page table for the hypervisor and multiple private extended page tables for each virtual machine (called TD by Intel).

Reference: int means interrupt, and the number 0x80 is the interrupt number. An interrupt transfers the program flow to whomever is handling that interrupt, which is interrupt 0x80 in this case. In Linux, 0x80 interrupt handler is the kernel, and is used to make system calls to the kernel by other programs.

The kernel is notified about which system call the program wants to make, by examining the value in the register %eax (AT&T syntax, and EAX in Intel syntax). Each system call have different requirements about the use of the other registers. For example, a value of 1 in %eax means a system call of exit(), and the value in %ebx holds the value of the status code for exit().

Vulnerability details: The test implement a kernel module in 150 LoC to inject interrupts into the TDX VM. Our host module uses kernel hooks to call a function in KVM that is used to deliver int 0x80 interrupts to TDX VMs. Unlike SEV-SNP, TDX does not expose the Virtual Machine Control Structure (VMCS) or the virtual APIC pages to the untrusted hypervisor. Instead, it expects the hypervisor to write into a Posted Interrupt Request (PIR) buffer. This buffer is used by hardware to inject interrupts into TDX VMs through the virtual APIC [34]. We inject two interrupts into two different cores of the CVM with this mechanism, one to gain login into the TDX VM with OpenSSH and another to get root access with sudo. During these two injects, the guest kernel does not acknowledge the interrupts. While this does not stop our attacks, it does leave the APIC with an elevated Task-Priority-Register (TPR), blocking all lower-priority interrupts on the affected vCPU. This may break CVM functionality that is noticeable by the user. To evade such detection, we implement a guest kernel module (kern_ack) that resets the APIC state. We inject this kernel module into the TDX VM as the last part of our attack after gaining root access.

Potential Risk of CVE, System

AMD response to technical article (Heckler – Disrupting AMD SEV-SNP with interrupts) (9th Apr 2024)

Leave a comment

Preface: AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) is a feature of AMD EPYC processors that adds strong memory integrity protection to help prevent malicious hypervisor-based attacks in order to create an isolated execution environment.

Background: Fundamentally, int means interrupt, and the number 0x80is the interrupt number. An interrupt transfers the program flow to whomever is handling that interrupt, which is interrupt 0x80 in this case. In Linux, 0x80 interrupt handler is the kernel, and is used to make system calls to the kernel by other programs.

In current Linux, 32-bit syscalls (including int 0x80 from 64-bit) eventually end up indo_syscall_32_irqs_on(struct pt_regs *regs). It dispatches to a function pointer ia32_sys_call_table, with 6 zero-extended args. This maybe avoids needing a wrapper around the 64-bit native syscall function in more cases to preserve that behaviour, so more of the ia32 table entries can be the native system call implementation directly.

Vulnerability details: Researchers from ETH Zurich have shared with AMD a paper titled “Heckler: Disrupting AMD SEV-SNP with Interrupts.”

In their paper, the researchers report that a malicious hypervisor can potentially break confidentiality and integrity of Linux® SEV-SNP guests by injecting interrupts. 

Official announcement: Please refer to the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html