Category Archives: Uncategorized

About CVE-2022-1734 – When Linux finds a vulnerability, how will it affect the IoT or IIoT world. 18 May 2022

Preface: A system on a chip (SoC), is an integrated circuit that integrates all or most components of a computer or other electronic system. A SoC chip may have several GPIO components. Linux doesn’t usually run on Cortex-M, 8051, AVR, or other popular microcontroller architectures. Instead, we use application processors — popular ones are the Arm Cortex-A, ARM926EJ-S, and several MIPS iterations.

Background: How can mobile device download firmware directly from vendor if it don’t have windows, Linux or Mac workstation? Mobile device can use firmware downloader to check for the latest update for your device, download that firmware as long as you know the correct model, region, and firmware string.

The file which responsible for Firmware downloader function is (./drivers/nfc/nfcmrvl/fw_dnld.h). Furthermore, the file name (./drivers/nfc/nfcmrvl/main.c) is responsible for major function.

Vulnerability details: A flaw in Linux Kernel found in nfcmrvl_nci_unregister_dev() in drivers/nfc/nfcmrvl/main.c can lead to use after free both read or write when non synchronized between cleanup routine and firmware download routine.

Use-After-Free (UAF) is a vulnerability related to incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program.

Official announcement: See the link for details on this vulnerability – https://github.com/torvalds/linux/commit/d270453a0d9ec10bb8a802a142fb1b3601a83098

About CVE-2022-27005 (15th Mar 2022)

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: About seven years ago (2015), TOTOLINK is a brother brand of ipTime which wins over 80% of SOHO markets in South Korea. TOTOLINK produces routers, wifi access points and network devices. Furthermore, there are Backdoor and RCE found in 8 TOTOLINK router models. Since cyber security is a continous program. Therefore when therer is new product release or firmware update. May be there is other turn of vulnerability will be happen soon.

Vulnerability details: Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the setWanCfg function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Recommendation: If vendor not release the new firmware to fix this bug. As a user, in the short run, it is recommended hidden your wifi SSID, make your wifi SSID password more difficult to guess (more than 15 characters).

Ref: About 22 days ago, another security expert found an Command Injection vulnerability in TOTOLINK Technology router with firmware which was released recently, it allows remote attackers to execute arbitrary OS commands from a crafted request. The difference in between them is the vulnerability are happen in another function.

CVE-2022-0572 – Heap-based Buffer Overflow in vim (13th Feb, 2022)

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: Vim is a greatly improved version of the good old UNIX editor Vi. The core of VIM is written in C. Most of the files are .c and .h in the folder itself (not in sub folders).
Heap is a region of process’s memory which is used to store dynamic variables. These variables are allocated using malloc() and calloc() functions and resize using realloc() function, which are inbuilt functions of C.
If we dynamically allocate large number of variables (refer to attached diagram). It can result in heap overflow.

Vulnerability details: A flaw was found in vim. A possible heap-based buffer overflow could allow an attacker to input a specially crafted file leading to a crash or arbitrary code execution.

What kinds of “arbitrary code” will the attacker typically run?
The attacker could get a simple directory listing by executing an “ls” on Linux/Unix. Furthermore, the attacker can examine your file system. Alternatively, the attacker could run commands to delete files, launching a data destruction and/or denial-of-service-attack. The attacker could also steal data, downloading sensitive files.

Impact: Heap overflow may lead to exploiting the program, which can allow the attacker to execute arbitrary code.

Official announcement: Please refer to the link for details – https://github.com/vim/vim/commit/6e28703a8e41f775f64e442c5d11ce1ff599aa3f

Oracle cve-2020-14606 & CVE-2020-14701. It makes interested people want to know more (17-7-2020)

Preface: The addition of a forged TCP packet to an existing TCP session. Can only be performed on unsecured sessions (not HTTPS).

About Oracle Critical Patch Update – July 2020 : When I open the related Oracle article. It was amazing that containing a whole bunch of vulnerability details. Meanwhile I had headache that how to conduct my analysis in correct way. As usual, Oracle do not want to disclose the details on vulnerability, may be this is the company policy!

In short, I had did research and analytic on SD WAN topic. As mentioned, the data provided by vendor not clear and therefore I did the analytic and summarize my findings based on below circumstances. My observation found the following matter close to vulnerability (CVE-2020-14606).

In Oracle SD-WAN Edge 8.2 features guide has the following details:
Issue:29989632 (19500) – User Names can now contain several special characters that were previously disallowed: @, /, and \ . (APN 8.1 P1)
Issue:29986230 (15145) – The special characters ‘/’, ‘ \ ‘, and ‘@’ are now permitted in Aware usernames.

Speculation: Perhaps the regular expression not correctly filter special character “\” especially special character “\” contain in HTTP and causes the HTTP Response Splitting.

For the rest of the vulnerabilities, please refer to the link – https://www.oracle.com/security-alerts/cpujul2020verbose.html

For my imagination only – Mona Lisa smile – Mar 2020

In order to prevent people know the information, Da Vinci use wrote backwards handwriting. Also known as mirror-writing, where the words appear as normal when seen with a mirror.

Modern people know very little about Da Vinci’s early life, and he only recorded two childhood story. This happened during Da Vinci’s expedition in the mountains. Da Vinci discovered a cave during his expedition. He was afraid that there would be some huge monster lurking in the cave, but he was driven by curiosity and wanted to know what was inside. When he walked into the cave and found a huge unknown object lying quietly in the cave, Da Vinci was shocked. Later, several non man kind emerged from the unknown object, and they imparted knowledge to Da Vinci. Before he pass away, Da Vinci spend decade to finish his Arts work. It is the famous Mona Lisa smile.

I can seen the cave in his art work. How about you?

The CVE-2020-0688 vulnerability affects Exchange Control Panel (ECP) components. Maybe it fixed it. However, because OWA is Internet-oriented, you still worry about it. 5th Mar 2020

Preface: To do the remedy of CVE-2020-0688, you need to install the security update in addition to the Cumulative Updates.

Vulnerability Background: Microsoft using the same set of cryptographic keys on every Exchange Server installation. The keys being stored in plain text in a web.config file on every server.

Details: Microsoft release the patch on 11th Feb, 2020. Less than 2 weeks later. Researchers released proof of concept (POC) exploits for this vulnerability on February 24, 2020. If you have chosen publish Exchange externally. This patch must be applied.
Attacker exploit this vulnerability is easy. The social network sometimes unintentionally leave the finger print (company email address). When attacker got the email address on hand. The elaborate email subject and content presents challenges for traditional security tools, because it is designed specifically to evade detection. If victim fall to the trap (phishing mail) which lure they provide the credential. Even though it is a non privileges user.Attacker can activated this vulnerability to conduct the remote code execution.

“They will try to locate you OWA server. If your existing Exchange SRV is vulnerable. The attack channel can pass through your OWA.”

Remedy: Official announcement – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688

Das U-Boot Self-Referential DOS Partition Table Infinite Recursion Vulnerability Aug 2019

Vulnerability details: A crafted self-referential DOS partition table will cause all Das U-Boot versions through 2019.07-rc4 to infinitely recurse, causing the stack to grow infinitely and eventually either crash or overwrite other data.

Introduction: Das U-Boot a popular primary bootloader, it widely used in embedded devices to fetch data from different sources and run the next stage code.In the technology and computer markets, widely used to this bootloader is Linux Kernel. Meanwhile, it is commonly used by IoT. Kindle and ARM ChromeOS devices.

Remedy: Official remediation solution is disable DOS partition default sector for 512 because it’s not very common at all to use large numbers of partitions. Meanwhile set a maximum recursion level (refer to the parameter shown on attached diagram).

Please note that Das U-Boot has other vulnerabilities found. The CVE details shown as below:
CVE-2019-14192, CVE-2019-14193, CVE-2019-14194, CVE-2019-14195, CVE-2019-14196, CVE-2019-14197, CVE-2019-14198, CVE-2019-14199, CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203 and CVE-2019-14204

Above vulnerabilities could let attacker gain remote code execution at the U-Boot powered device when U-Boot is configured to use the network for fetching the next stage boot resources.

Official announcement on CVW-2019-13103https://lists.denx.de/pipermail/u-boot/2019-July/375512.html

CVE-2019-0228 Apache PDFBox XML Parser XML External Entity Vulnerability – 22nd Apr 2019

Preface: We are all familiar with the .doc and .pdf formats. Because this is our choice in the business world.

Synopsis: Apache PDFBox is an open source pure-Java library that can be used to create, render, print, split, merge, alter, verify and extract text and meta-data of PDF files.

Vulnerability details: A vulnerability in Apache PDFBox could allow an unauthenticated, remote attacker to conduct an XML External Entity (XXE) attack on a targeted system. Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a
crafted XFDF.

Remedy: Apache has released software updates at the following link: https://pdfbox.apache.org/download.cgi

Remediation – Cisco IOS XR-64 Software for ASR 9000 series isolation feature vulnerability (17th Apr 2019)

Preface: One of the objective for Aggregation Services aim to provision and manage a huge number of separate physical platforms. As a result, the international vendor like Cisco also doing the transformation of the physical network devices. And therefore we seen VM devices OS system image today.

Synopsis: In order to cope with cloud computing and container environment, IOS XR 64-bit operating system (OS) is able to runs on virtualized environment with underlying 64-bit Linux kernel. As a result, the cisco product services can be extended.

Vulnerability details:
A vulnerability in the sysadmin virtual machine (VM) on Cisco ASR 9000 Series Aggregation Services Routers running Cisco IOS XR 64-bit Software could allow an unauthenticated, remote attacker to access internal applications running on the sysadmin VM.

Official remedy solution: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-asr9k-exr