Category Archives: System

Potential Risk of CVE, System

A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 (18-03-2025)

Leave a comment

Preface: Stateless applications perform tasks based on the input provided in the current transaction. These applications make use of Content Delivery Network (CDN) and web to process short term requests. Unlike stateful applications, stateless applications do not save users data. There is no stored knowledge or information for reference to past records. 

Containers are widely used for deploying microservices, running stateful applications, and achieving high-performance, scalable solutions.

Background: A 32-bit signed integer can represent values from -2,147,483,648 to 2,147,483,647. When applied to UID (User Identifier) and GID (Group Identifier), it means that the maximum value for these identifiers is 2,147,483,647.

Setting a user with a specific UID:GID serves several important purposes in Unix-like operating systems:

  1. Identification: The UID uniquely identifies a user, while the GID identifies the group to which the user belongs. This helps the system manage user permissions and access control.
  2. Permissions Management: UIDs and GIDs are used to determine the access rights of users and groups to files and directories. For example, a file might be readable and writable by its owner (identified by UID), but only readable by others in the same group (identified by GID).
  3. Security: By assigning different UIDs and GIDs, the system can enforce security policies, ensuring that users can only access the resources they are permitted to. This is crucial for maintaining the integrity and confidentiality of data.
  4. Resource Allocation: UIDs and GIDs help in allocating system resources, such as CPU time and memory, to users and groups.
  5. This ensures fair usage and prevents any single user or group from monopolizing system resources.

Vulnerability details: containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-40635

AI and ML, Potential Risk of CVE, System

CVE-2024-0114: NVIDIA Hopper HGX for 8-GPU contains a vulnerability in the HGX Management Controller HMC (7 th March 2025)

Leave a comment

Preface: NVIDIA collaborates with Supermicro for their server solutions, including the use of Supermicro’s BMC (Baseboard Management Controller) in certain systems. Supermicro provides a range of server solutions optimized for NVIDIA’s platforms.

Background: The NVIDIA Hopper HGX for 8 GPUs has several standout features:

High Performance: It hosts eight H100 Tensor Core GPUs, which are designed for AI and high-performance computing (HPC) workloads.

Advanced Connectivity: Each H100 GPU connects to four third-generation NVSwitches, enabling a fully connected topology. This setup allows any H100 GPU to communicate with any other H100 GPU concurrently at a bidirectional speed of 900 GB/s.

Enhanced Bandwidth: The NVLink ports provide more than 14 times the bandwidth of the current PCIe Gen4 x16 bus.

Vulnerability details: VIDIA Hopper HGX for 8-GPU contains a vulnerability in the HGX Management Controller (HMC) that may allow a malicious actor with administrative access on the BMC to access the HMC as an administrator. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5561

System

PAGE PREFETCHER ATTACK – AMD ID: AMD-SB-7040 (28-2-2025)

Leave a comment

Preface: Page prefetching is a technique used to improve performance by preloading data into the cache before it’s actually needed. However, the implementation and presence of a page prefetcher can vary depending on the CPU architecture and design.

Background: A page prefetcher attack is a type of side-channel attack that exploits the page prefetching mechanism in modern CPUs. Page prefetching is a performance optimization technique where the CPU predicts and loads pages of memory into the cache before they are actually needed. This can inadvertently create security vulnerabilities.

In a page prefetcher attack, an attacker can infer sensitive information by observing the patterns and timing of page prefetching operations. For example, the attacker might be able to determine which memory pages are being accessed by the victim, thereby gaining insights into the victim’s activities or extracting sensitive data.

About the topic: Researchers have disclosed to AMD a potential exploit, the page prefetcher attack (PPA), a prefetcher-based side-channel attack.

Manufacturer response: AMD has evaluated the paper and does not believe there are any new security implications. Please refer to the link – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7040.html

Science, System

Python , have ever you though? (25-02-2025)

Leave a comment

Preface: Maintaining a satellite’s orbit involves a combination of precise calculations and regular adjustments. Here are the key factors:

  1. Velocity and Gravity: A satellite stays in orbit by balancing its velocity (speed in a straight line) with the gravitational pull of the Earth. The satellite must travel fast enough to counteract the pull of gravity, which keeps it in a stable orbit.
  2. Orbital Station-Keeping: This involves small adjustments using thrusters to correct any deviations in the satellite’s path. These maneuvers ensure the satellite remains in its designated orbit.
  3. Fuel Management: Satellites carry a limited amount of fuel for these adjustments. Efficient fuel management is crucial for prolonging the satellite’s operational life.
  4. Monitoring and Control: Ground stations continuously monitor satellites and send commands to perform necessary adjustments. This helps in maintaining the satellite’s orbit and addressing any potential issues.

Background: The PyEphem module provides highly precise data on the planets and our solar system. This module leverages an extremely robust C library that allows you to pinpoint planets, perform interplanetary calculations and discover more data than you’ll ever know what to do with.

Best practice: If you’re using PyEphem, it’s a good idea to keep your Python environment and libraries up to date and to check the module’s GitHub repository for any reported issues or updates.

Potential Risk of CVE, System

CVE-2023-31315: AMD SMM Lock Bypass (21-Aug-2024)

Leave a comment

Preface: AMD EPYC™ Processors power the highest-performing x86 servers for the modern data center, on prem and in cloud environments, across industries.

Background: Model-specific registers (MSR) are control registers provided by the processor implementation so that system software can interact with a variety of features, including performance monitoring, checking processor status, debugging, program tracing or toggling specific CPU features.

Intel and AMD may use the same MSR for the same feature, such as the IA32_LSTAR MSR register.

When it came to the Intel Pentium processor, Intel officially introduced two instructions, RDMSR and WRMSR, for reading and writing the MSR temporary register. At this time, MSR was officially introduced. When the RDMSR and WRMSR instructions were introduced, the CPUID instruction was also introduced. This instruction is used to indicate which functions are available in a specific CPU chip, or whether the MSR registers corresponding to these functions exist. The software can query a certain function through the CPUID instruction. Whether these functions are supported on the current CPU.

Vulnerability details: Improper validation in a model specific register (MSR) could allow a malicious program with ring0 access to modify SMM configuration while SMI lock is enabled, potentially leading to arbitrary code execution.

Ref: Researchers from IOActive have reported that it may be possible for an attacker with ring 0 access to modify the configuration of System Management Mode (SMM) even when SMM Lock is enabled.

Official announcement: Please refer to the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html

IoT, Potential Risk of CVE, System, Uncategorized

CVE-2023-52910 – iommu/iova: Fix alloc iova overflows issue (21-08-2024)

Leave a comment

Preface: Modern hardware provides an I/O memory management unit (IOMMU) that mediates direct memory accesses (DMAs) by I/O devices in the same way that a processor’s MMU mediates memory accesses by instructions.

Background: With IOMMU, when the device performs DMA access to memory, the system returns to the device driver no longer a physical address, but a virtual address. This address is generally called IOVA. When the device accesses memory, IOMMU converts this virtual address into a physical address. But when iommu bypass is used, the device can also directly use the physical address for DMA.

Vulnerability details: This issue occurs in the following two situations

-The first iova size exceeds the domain size. When initializing iova domain, iovad->cached_node is assigned as iovad->anchor. For example, the iova domain size is 10M, start_pfn is 0x1_F000_0000, and the iova size allocated for the first time is 11M.

-The node with the largest iova->pfn_lo value in the iova domain is deleted, iovad->cached_node will be updated to iovad->anchor, and then the alloc iova size exceeds the maximum iova size that can be allocated in the domain.

Official announcement: Please refer to the url for details – https://nvd.nist.gov/vuln/detail/CVE-2023-52910

Network (Protocol, Topology & Standard), Potential Risk of CVE, System

CVE-2024-44070: FRRouting (FRR) – bgpd – ensure the hash works  (18th Aug 2024)

Leave a comment

Preface: As Time Goes By , OSS (Open Source Software) for use by cost-conscious commercial companies. It is quite popular in cloud.

Background: FRRouting (FRR) is a free and open source Internet routing protocol suite for Linux and Unix platforms. It implements BGP, OSPF, RIP, IS-IS, PIM, LDP, BFD, Babel, PBR, OpenFabric and VRRP, with alpha support for EIGRP and NHRP.

FRR’s seamless integration with native Linux/Unix IP networking stacks makes it a general purpose routing stack applicable to a wide variety of use cases including connecting hosts/VMs/containers to the network, advertising network services, LAN switching and routing, Internet access routers, and Internet peering.

Vulnerability details: An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap in bgpd/bgp_attr.c does not check the actual remaining stream length before taking the TLV value.

Official announcement: For details, please refer to link – https://www.tenable.com/cve/CVE-2024-44070

AI and ML, Potential Risk of CVE, System

CVE-2024-43855: md/raid5 – recheck if reshape has finished with device_lock held. From technical point of view, it also impact RedHat cluster. (18 Aug 2024)

Leave a comment

Preface: LVM version 2, or LVM2, is the default for Red Hat Enterprise Linux, which uses the device mapper driver contained in the 2.6 kernel. LVM2, which is almost completely compatible with the earlier LVM1 version, can be upgraded from versions of Red Hat Enterprise Linux running the 2.4 kernel.

The Clustered Logical Volume Manager (CLVM) is a set of clustering extensions to LVM. These extensions allow a cluster of computers to manage shared storage (for example, on a SAN) using LVM.

Background: In the Mutex concept, when the thread is trying to lock or acquire the Mutex which is not available then that thread will go to sleep until that Mutex is available. Whereas in Spinlock it is different. The spinlock is a very simple single-holder lock. If a process attempts to acquire a spinlock and it is unavailable, the process will keep trying (spinning) until it can acquire the lock. This simplicity creates a small and fast lock.

Vulnerability details: Deadlock occurs when mddev is being suspended while some flush bio is in progress. It is a complex issue.

T1. the first flush is at the ending stage, it clears ‘mddev->flush_bio’ and tries to submit data, but is blocked because mddev is suspended by T4.

T2. the second flush sets ‘mddev->flush_bio’, and attempts to queue md_submit_flush_data(), which is already running (T1) and won’t execute again if on the same CPU as T1.

T3. the third flush inc active_io and tries to flush, but is blocked because ‘mddev->flush_bio’ is not NULL (set by T2).

T4. mddev_suspend() is called and waits for active_io dec to 0 which is inc by T3.

The root issue is non-atomic inc/dec of active_io during flush process.

Official announcement: For details, please refer to link –

https://nvd.nist.gov/vuln/detail/CVE-2024-43855

AI and ML, Potential Risk of CVE, System

CVE-2024-21969: (AMD security focus) Whispering Pixels – Exploiting Uninitialized Register Accesses in Modern GPUs (14th Aug 2024)

Leave a comment

Preface: The new AMD Radeon Instinct MI50 hints at the capabilities of AMD’s future GPUs. A study proof MI50 is capable scientific and ML applications.

Background: The proliferation of graphics processing units (GPUs) has brought unprecedented computing power.

Multiple register-based vulnerabilities found across different GPU implementations.

So-called whisper pixels. The vulnerability poses unique challenges to an adversary due to opaque scheduling and register remapping algorithms present in the GPU firmware, complicating the reconstruction of leaked data.

GPU Programming: An application has to use vendor- provided libraries in order to translate a shader from its high-level source code to an architecture-dependent binary code. Vendors provide these libraries for a variety of high-level languages.

Vulnerability details: Improper clearing of GPU registers could allow a malicious shader to read left-over pixel data leading to loss of confidentiality.

Mitigation: AMD plans to create a new operating mode designed to prevent processes from running in parallel on the GPU, and to clear registers between processes on supported products.

Official announcement: Please refer to the website for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6013.html

Potential Risk of CVE, System

CVE-2024-38160: Windows Network Virtualization Remote Code Execution Vulnerability (13th Aug 2024)

Leave a comment

Preface: A HEAP-Based buffer overflow vulnerability occurs when a program writes more data to a heap-allocated memory buffer than the buffer is designed to hold.

Background: Microsoft provides network virtualization in Hyper-V with Windows Server 2016 and 2019. With this feature, workloads on Hyper-V can connect to virtualized Layer 2 networks and traffic is routed between virtual networks in Hyper-V or to and from the physical network via gateways.

Vulnerability details: Windows Network Virtualization Remote Code Execution Vulnerability.

My speculation: The new SDN features starting from windows server 2016. Because Network Controller uses Representational State Transfer (REST) on its northbound interface with JavaScript Object Notation (JSON) payloads.

As a matter of fact, it is possible to exploit heap overflow techniques in the JavaScript interpreter. Are the vulnerabilities reported by Microsoft related to this factor?

Official announcement: Please refer to the url for details – https://nvd.nist.gov/vuln/detail/CVE-2024-38160