
CVE-2023-52910 – iommu/iova: Fix alloc iova overflows issue (21-08-2024)

Preface: Modern hardware provides an I/O memory management unit (IOMMU) that mediates direct memory accesses (DMAs) by I/O devices in the same way that a processor’s MMU mediates memory accesses by instructions.

Background: With an IOMMU, when a device performs DMA to memory, the address handed to the device driver is no longer a physical address but a virtual one, generally called an IOVA. When the device accesses memory, the IOMMU translates this virtual address into a physical address. When IOMMU bypass is used, the device can instead use the physical address directly for DMA.

Vulnerability details: This issue occurs in the following two situations:

- The first iova size exceeds the domain size. When the iova domain is initialized, iovad->cached_node is assigned as iovad->anchor. For example, the iova domain size is 10M, start_pfn is 0x1_F000_0000, and the iova size allocated for the first time is 11M.

- The node with the largest iova->pfn_lo value in the iova domain is deleted, so iovad->cached_node is updated to iovad->anchor, and then the allocated iova size exceeds the maximum iova size that can be allocated in the domain.
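To make the two situations concrete, here is an added C model (mine, not the kernel's iova.c or its patch): a top-down search for `size` pfns in a domain whose cached_node is the anchor, run with the post's numbers under the assumption of 4K pages. The anchor's pfn_lo and pfn_hi are ~0UL, so a retry start computed as pfn_hi + 1 wraps to 0 and the unguarded search hands out a range below start_pfn; the `guarded` flag shows a check that refuses instead. The function names (alloc_model, alloc_outcome) and the simplified retry logic are my reading of the bug, not the kernel's code.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the top-down IOVA search and its one retry, not the
 * kernel source. Pfns are 64-bit like the kernel's unsigned long. Only the
 * anchor node exists: the state right after domain init, or after the node
 * with the largest pfn_lo was freed and cached_node fell back to the anchor. */
#define IOVA_ANCHOR UINT64_MAX          /* anchor: pfn_lo == pfn_hi == ~0UL */
#define PFN_4K(bytes) ((uint64_t)(bytes) >> 12)

enum outcome { REFUSED = 0, INSIDE = 1, ESCAPED = 2 };
/* Find `size` free pfns below limit_pfn; if that fails, retry once from retry_pfn. */
static bool alloc_model(uint64_t start_pfn, uint64_t limit_pfn, uint64_t size,
                        bool guarded, uint64_t *pfn_lo)
{
    uint64_t cached_lo = IOVA_ANCHOR, cached_hi = IOVA_ANCHOR; /* cached_node */
    uint64_t low_pfn = start_pfn, high_pfn = limit_pfn, new_pfn;
    /* Unguarded: anchor.pfn_hi + 1 wraps to 0. Guarded: keep pfn_hi as it is
     * and add the 1 only after the range check below has passed. */
    uint64_t retry_pfn = guarded ? cached_hi : cached_hi + 1;
    bool retried = false;

retry:
    high_pfn = high_pfn < cached_lo - 1 ? high_pfn : cached_lo - 1;
    new_pfn = high_pfn - size;
    if (high_pfn < size || new_pfn < low_pfn) {
        /* A wrapped retry_pfn of 0 passes this test, low_pfn drops to 0 and
         * the retry "succeeds" with a base below start_pfn. */
        if (!retried && retry_pfn < limit_pfn) {
            retried = true;
            high_pfn = limit_pfn;
            low_pfn = guarded ? retry_pfn + 1 : retry_pfn;
            goto retry;
        }
        return false;
    }
    *pfn_lo = new_pfn;
    return true;
}

/* Byte-sized wrapper so the post's own numbers can be fed in directly. */
static enum outcome alloc_outcome(uint64_t start_pfn, uint64_t domain_bytes,
                                  uint64_t alloc_bytes, bool guarded)
{
    uint64_t limit_pfn = start_pfn + PFN_4K(domain_bytes), pfn_lo;
    if (!alloc_model(start_pfn, limit_pfn, PFN_4K(alloc_bytes), guarded, &pfn_lo))
        return REFUSED;
    return pfn_lo < start_pfn ? ESCAPED : INSIDE;
}
```

With the post's numbers, alloc_outcome(0x1F0000000ULL, 10u << 20, 11u << 20, false) comes back ESCAPED while the guarded variant returns REFUSED; requests that fit the 10M domain return INSIDE either way.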

Official announcement: Please refer to the URL for details – https://nvd.nist.gov/vuln/detail/CVE-2023-52910

NVIDIA Mellanox OS, ONYX, Skyway, MetroX-2 and MetroX-3 XC contain a vulnerability in ipfilter (Updated 07/24/2024)

Preface: NVIDIA® offers a wide range of Network Operating Systems (NOS), from the homegrown Ethernet Operating System, NVIDIA Mellanox Onyx™, to native Linux operating systems, NVIDIA Cumulus Linux, and a variety of vendor specific options.

Background: The NVIDIA® MLNX-OS® operating system enables the management and configuration of NVIDIA’s InfiniBand switch system platforms.

NVIDIA MLNX-OS®, an InfiniBand switch operating system for high-performance data centers, enables you to build networks that scale to thousands of compute and storage nodes, while also providing monitoring and provisioning capabilities.

Vulnerability details: CVE-2024-0101 – NVIDIA Mellanox OS, ONYX, Skyway, MetroX-2 and MetroX-3 XC contain a vulnerability in ipfilter, where improper ipfilter definitions could enable an attacker to cause a failure by attacking the switch. A successful exploit of this vulnerability might lead to denial of service.

Ref: A design flaw in IPFilter emerged about twenty-three years ago; could it be related to this weakness?

IPFilter caches the decision to forward or drop a fragment and applies this decision to other IP fragments with the same IP id. Even if the fragment is an “initial” fragment (a fragment with fragment offset 0) that may contain a TCP or UDP header, it will be evaluated against the decision cache. Therefore, an attacker could create a cache of “allow” decisions in IPFilter rules and then successfully bypass the rule set and pass fragments with arbitrary UDP or TCP headers through the device where IPFilter is installed.

Official announcement: Please refer to the official announcement for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5559

Processor vendor Arm responds to a research paper published in Dec 2023 (21st Dec 2023)

Preface: The use of previously freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. The simplest way data corruption may occur involves the system’s reuse of the freed memory. Such use-after-free errors are common coding problems that can lead to vulnerabilities and affect stability.

Background: Why MTE? Memory safety bugs, which are errors in handling memory in native programming languages, are common code issues. They lead to security vulnerabilities as well as stability problems. Armv9 introduced the Arm Memory Tagging Extension (MTE), a hardware extension that allows you to catch use-after-free and buffer-overflow bugs in your native code.

Technical details: In December 2023, a research paper called ‘Sticky Tags: Efficient and Deterministic Spatial Memory Error Mitigation using Persistent Memory Tags’ was published by academics from VUSec Group, Vrije Universiteit Amsterdam. The paper demonstrates how speculative probing can potentially be used to determine Arm Memory Tagging Extension (MTE) allocation tags and explores alternative solutions to Arm MTE.

Official announcement: Please refer to the link for details – https://developer.arm.com/Arm%20Security%20Center/Arm%20Memory%20Tagging%20Extension

CVE-2022-41940 Interfering with the Engine[.]IO server by sending specially crafted HTTP requests (22nd Nov 2022)

Preface: Node[.]js has a built-in WebSocket module, but this module doesn’t provide the functionality required to build complex real-time applications; this is why Socket[.]io exists.
Socket[.]IO is quite popular, and companies like Amazon, Zendesk and several others use it to develop robust real-time applications. It is one of the most powerful JavaScript frameworks on GitHub and one of the most depended-upon NPM (Node Package Manager) modules.

Background: Socket[.]io is a JavaScript library for communication between a client and a server. It allows real-time data flow, and it is bi-directional, meaning data can flow in both directions:

  • Client to Server
  • Server to Client

engine.io is a lower-level library than socket.io. Engine is to Socket[.]IO what Connect is to Express. If you want the lower-level abstraction, use engine[.]io. If you want a websocket abstraction, keep using socket[.]io.

Remark: engine[.]io is of more interest to you if you’re building a library/framework on top of socket[.]io.

Vulnerability details: A specially crafted HTTP request can trigger an uncaught exception on the Engine[.]IO server, thus killing the Node[.]js process. This impacts all users of the engine[.]io package, including those who use dependent packages like socket[.]io.
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node[.]js process:

Solution: There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.

Official announcement: Please refer to the link for details – https://github.com/advisories/GHSA-r7qp-cfhv-p84w

About CVE-2022-1734 – When a vulnerability is found in Linux, how will it affect the IoT or IIoT world? (18 May 2022)

Preface: A system on a chip (SoC), is an integrated circuit that integrates all or most components of a computer or other electronic system. A SoC chip may have several GPIO components. Linux doesn’t usually run on Cortex-M, 8051, AVR, or other popular microcontroller architectures. Instead, we use application processors — popular ones are the Arm Cortex-A, ARM926EJ-S, and several MIPS iterations.

Background: How can a mobile device download firmware directly from the vendor if there is no Windows, Linux or Mac workstation? The mobile device can use a firmware downloader to check for the latest update for the device and download that firmware, as long as you know the correct model, region, and firmware string.

The file responsible for the firmware downloader function is ./drivers/nfc/nfcmrvl/fw_dnld.h. Furthermore, the file ./drivers/nfc/nfcmrvl/main.c is responsible for the major functions.

Vulnerability details: A flaw in the Linux kernel, found in nfcmrvl_nci_unregister_dev() in drivers/nfc/nfcmrvl/main.c, can lead to a use after free (both read and write) when the cleanup routine and the firmware download routine are not synchronized.

Use-After-Free (UAF) is a vulnerability related to the incorrect use of dynamic memory during program operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program.

Official announcement: See the link for details on this vulnerability – https://github.com/torvalds/linux/commit/d270453a0d9ec10bb8a802a142fb1b3601a83098

About CVE-2022-27005 (15th Mar 2022)

Preface: The registration of CVE records is largely out of sync with the time of the event: a CVE record released today may describe something that happened weeks or months ago. Still, with reference to these vulnerability records, a vulnerability scanner can provide a precise result after a scan.

Background: About seven years ago (2015), TOTOLINK was a brother brand of ipTIME, which won over 80% of the SOHO market in South Korea. TOTOLINK produces routers, wifi access points and network devices. Furthermore, backdoors and RCE were found in 8 TOTOLINK router models. Since cyber security is a continuous program, whenever there is a new product release or firmware update, another round of vulnerabilities may appear soon.

Vulnerability details: TOTOLINK routers X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the setWanCfg function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Recommendation: If the vendor has not released new firmware to fix this bug, then as a user, in the short run, it is recommended to hide your wifi SSID and make your wifi password harder to guess (more than 15 characters).

Ref: About 22 days ago, another security expert found a command injection vulnerability in a TOTOLINK Technology router with recently released firmware; it allows remote attackers to execute arbitrary OS commands from a crafted request. The difference between the two is that the vulnerability occurs in another function.
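The bug class behind both TOTOLINK findings is a request parameter (here hostName) that reaches a shell unchecked. The following C snippet is an added illustration of mine, not TOTOLINK's setWanCfg code: a weak command builder next to an allowlist validator and a handler that passes the value as a single argv element instead of through a shell. The function names and the HOSTNAME_MAX limit are my own choices; the label rules follow RFC 1123.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class the post describes (a hostname
 * parameter that reaches a shell); this is not TOTOLINK's setWanCfg code. */
#define HOSTNAME_MAX 63                 /* one DNS label, RFC 1123 */

/* Weak pattern: the untrusted value is spliced into a command line that a
 * shell would parse, so ';', '|', '&', '$', '`' or quotes in it change what
 * runs. The string is only built into a static buffer here, never executed. */
static const char *build_hostname_cmd_unsafe(const char *host)
{
    static char cmd[256];
    snprintf(cmd, sizeof cmd, "hostname %s", host);
    return cmd;
}

/* Hardened check: accept exactly one RFC 1123 label, 1..63 characters of
 * letters, digits and '-', not starting or ending with '-'. Every shell
 * metacharacter, whitespace and control byte fails this allowlist. */
static bool hostname_is_valid(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > HOSTNAME_MAX || host[0] == '-' || host[n - 1] == '-')
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '-')
            return false;
    }
    return true;
}

/* Hardened handler: validate, then hand the value over as one argv element
 * for execv()-style execution with no shell in between. Returns false and
 * leaves argv untouched when the value is rejected. */
static bool set_wan_hostname_safe(const char *host, const char **argv)
{
    if (!hostname_is_valid(host))
        return false;
    argv[0] = "hostname";
    argv[1] = host;
    argv[2] = NULL;
    return true;
}
```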

CVE-2022-0572 – Heap-based Buffer Overflow in vim (13th Feb, 2022)

Preface: The registration of CVE records is largely out of sync with the time of the event: a CVE record released today may describe something that happened weeks or months ago. Still, with reference to these vulnerability records, a vulnerability scanner can provide a precise result after a scan.

Background: Vim is a greatly improved version of the good old UNIX editor Vi. The core of Vim is written in C; most of the files are .c and .h files in the top-level folder itself (not in sub folders).
The heap is a region of a process’s memory used to store dynamic variables. These variables are allocated using the malloc() and calloc() functions and resized using the realloc() function, which are built-in functions of C.
If we dynamically allocate a large number of variables (refer to the attached diagram), it can result in a heap overflow.

Vulnerability details: A flaw was found in vim. A possible heap-based buffer overflow could allow an attacker to input a specially crafted file leading to a crash or arbitrary code execution.

What kinds of “arbitrary code” will the attacker typically run?
The attacker could get a simple directory listing by executing “ls” on Linux/Unix. Furthermore, the attacker can examine your file system. Alternatively, the attacker could run commands to delete files, launching a data destruction and/or denial-of-service attack. The attacker could also steal data by downloading sensitive files.

Impact: Heap overflow may lead to exploiting the program, which can allow the attacker to execute arbitrary code.

Official announcement: Please refer to the link for details – https://github.com/vim/vim/commit/6e28703a8e41f775f64e442c5d11ce1ff599aa3f

Oracle CVE-2020-14606 & CVE-2020-14701: they make interested people want to know more (17-7-2020)

Preface: The addition of a forged TCP packet to an existing TCP session can only be performed on unsecured sessions (not HTTPS).

About Oracle Critical Patch Update – July 2020: When I opened the related Oracle article, it was amazing that it contained a whole bunch of vulnerability details. Meanwhile I had a headache about how to conduct my analysis in the correct way. As usual, Oracle does not want to disclose the details of vulnerabilities; maybe this is company policy!

In short, I did research and analysis on the SD-WAN topic. As mentioned, the data provided by the vendor is not clear, and therefore I did the analysis and summarized my findings based on the circumstances below. My observation found the following matter close to the vulnerability (CVE-2020-14606).

The Oracle SD-WAN Edge 8.2 features guide has the following details:
Issue:29989632 (19500) – User Names can now contain several special characters that were previously disallowed: @, /, and \ . (APN 8.1 P1)
Issue:29986230 (15145) – The special characters ‘/’, ‘ \ ‘, and ‘@’ are now permitted in Aware usernames.

Speculation: Perhaps the regular expression does not correctly filter the special character “\”, especially when “\” is contained in HTTP, and this causes HTTP Response Splitting.

For the rest of the vulnerabilities, please refer to the link – https://www.oracle.com/security-alerts/cpujul2020verbose.html