CVE‑2023‑25528 and CVE‑2023‑25533: A cough in Artificial Intelligence world!

 (1st Sep 2023)

Preface: AI (artificial intelligence) has moved from normalizing big data to learning to understand it, a process known as training. Training requires a large amount of computing resources.

The machine learning process uses both CPUs and GPUs. GPUs train large deep learning models, while CPUs are well suited to data preparation, feature extraction, and small-scale models. For inference and hyperparameter tuning, either may be used.

Background: The NVIDIA Hopper architecture will supersede the already powerful NVIDIA Ampere architecture.

The NVIDIA DGX H100 system is a universal system purpose-built for AI infrastructure and workloads, from analytics to training to inference. It is built on eight NVIDIA H100 Tensor Core GPUs.

The DGX baseboard management controller (BMC) exposes its remote console through JViewer, an OS-independent Java plug-in that runs on Windows as well as Linux with the help of the Java Runtime Environment (JRE). If you only want to run Java programs rather than develop them, the JRE is all you need to install.

Vulnerability details:

CVE-2023-25528 – NVIDIA DGX H100 baseboard management controller (BMC) contains a vulnerability in a web server plugin, where an unauthenticated attacker may cause a stack overflow by sending a specially crafted network packet. A successful exploit of this vulnerability may lead to arbitrary code execution, denial of service, information disclosure, and data tampering.

CVE-2023-25533 – NVIDIA DGX H100 BMC contains a vulnerability in the web UI, where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to information disclosure, code execution, and escalation of privileges.

Official announcement: For details, please refer to the link – https://nvidia.custhelp.com/app/answers/detail/a_id/5473

CVE-2023-20900 – Does SAML token signing bypass happen this way?  (31-08-2023)

Preface: The easiest way to get the SAML token is directly through the UserSession object you can access in your Java plugin. UserSession has a samlTokenXml field, and the SSO API can convert that XML into a SAML token object.

Background: VMware Tools is a set of services and modules that enable several features in VMware products for better management of guest operating systems. For example:

– Pass messages from the host operating system to the guest operating system.

– Customize guest operating systems as a part of the vCenter Server and other VMware products.

– Run scripts that help automate guest operating system operations. The scripts run when the power state of the virtual machine changes.

– Synchronize the time in the guest operating system with the time on the host operating system.

Vulnerability details: CVE-2023-20900 VMware Tools contains a SAML token signature bypass vulnerability. A malicious actor with man-in-the-middle (MITM) network positioning between vCenter server and the virtual machine may be able to bypass SAML token signature verification, to perform VMware Tools Guest Operations.

Official announcement: For details, please refer to the link – https://www.vmware.com/security/advisories/VMSA-2023-0019.html

Security Focus of CVE-2023-34039: About Aria Operations for Networks design weakness (Issue Date:2023-08-29)

Preface: VMware Aria Operations for Networks was formerly known as vRealize Network Insight.

Background: VMware Aria Operations for Networks (formerly vRealize Network Insight) delivers end-to-end network visibility converged across virtual and physical networks, planning and troubleshooting with assurance and verification that network and application connectivity performs towards business and security intents across Software Defined Data Center, VMware NSX, VMware SD-WAN™ by VeloCloud®, VMware Cloud on AWS, Azure, AWS, and Kubernetes.

Vulnerability details: Aria Operations for Networks contains an Authentication Bypass vulnerability due to a lack of unique cryptographic key generation. VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8.

A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI.

Official announcement: For details, please refer to the link – https://www.vmware.com/security/advisories/VMSA-2023-0018.html

Resolution: Upgrade to VMware Aria Operations for Networks 6.11.
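
The weakness above is that the SSH key material was not unique per installation, so a key that opens one appliance opens them all. The audit below is an added example of mine, not VMware's code and not the affected key: it computes the same SHA256 fingerprint that ssh-keygen -lf prints and reports any fingerprint present in the authorized_keys of more than one appliance. The appliance names and the three 32-byte key values are constructed stand-ins for real ed25519 public keys.

```python
import base64
import hashlib
import struct
from typing import Dict, List, Tuple

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_public_key: bytes) -> bytes:
    """Wire-format blob of an ssh-ed25519 public key (type string + 32-byte key)."""
    assert len(raw_public_key) == 32
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_public_key)


def fingerprint_sha256(blob: bytes) -> str:
    """The value ssh-keygen -lf prints: SHA256:<unpadded base64 of sha256(blob)>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[Tuple[str, str]]:
    """Return (fingerprint, comment) for each key line, ignoring blanks and comments.
    A line may start with options such as command="..."; the key type token is
    located by name, so such prefixes are skipped."""
    keys = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                blob = base64.b64decode(tokens[i + 1])
                keys.append((fingerprint_sha256(blob), " ".join(tokens[i + 2:])))
                break
    return keys


def shared_keys(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """inventory maps appliance name -> contents of its authorized_keys file.
    Returns every fingerprint that appears on more than one appliance."""
    owners: Dict[str, set] = {}
    for name, text in inventory.items():
        for fp, _comment in parse_authorized_keys(text):
            owners.setdefault(fp, set()).add(name)
    return {fp: sorted(hosts) for fp, hosts in owners.items() if len(hosts) > 1}


def key_line(raw_public_key: bytes, comment: str) -> str:
    return "ssh-ed25519 " + base64.b64encode(ed25519_blob(raw_public_key)).decode() + " " + comment


# Constructed keys: deterministic 32-byte values standing in for real public keys.
BAKED_IN_KEY = key_line(bytes(range(32)), "support@vendor-image")   # same on every appliance
UNIQUE_KEY_A = key_line(bytes(range(32, 64)), "admin@appliance-a")
UNIQUE_KEY_C = key_line(bytes(range(64, 96)), "admin@appliance-c")

SAMPLE_INVENTORY = {
    "appliance-a": BAKED_IN_KEY + "\n" + UNIQUE_KEY_A + "\n",
    "appliance-b": "# generated by image build\n" + BAKED_IN_KEY + "\n",
    "appliance-c": UNIQUE_KEY_C + "\n",
}

if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE_INVENTORY).items():
        print(f"{fp} is trusted on {', '.join(hosts)}")
```

Collect the authorized_keys of the relevant accounts from every appliance (and, by the same method, the host keys under /etc/ssh, whose fingerprints should differ per instance as well) and feed them to shared_keys(); any fingerprint that comes back is a key that was baked into the image rather than generated on first boot.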

CVE-2023-41361: FRRouting 9.0 encountered buffer overflow (29th Aug 2023)

Preface: OSPF is an interior gateway protocol that picks the lowest-cost route inside one network, while BGP is the exterior protocol that picks the best path between networks according to policy.

Background: Network architects use FRR for ISPs, SaaS infrastructure, web 2.0 businesses, hyperscale services, and Fortune 500 private clouds. If you look around, the traditional networking equipment vendors also offer software appliances, because routing now increasingly runs in small, stackable virtual machines.

FRRouting (FRR) is a free and open source Internet routing protocol suite for Linux and Unix platforms.

In a Kubernetes cluster, the worker nodes are responsible for running the containers and doing any work assigned to them by the control plane (master node).

Ref: Calico is a networking and security solution that enables Kubernetes workloads and non-Kubernetes/legacy workloads to communicate seamlessly and securely.

Vulnerability details: An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c does not check for an overly large length of the received (rcv) software version.

Official details: For details, please refer to the link – https://github.com/FRRouting/frr/pull/14241

CVE-2023-36481 – Buffer copy without checking input size during PPP communication in Shannon BaseBand (28th Aug 2023)

Preface: Samsung has also used a cheaper and less capable processor, the Exynos 9610 at a unit cost of $14.90, for the affordable Galaxy A50 model.

Background: Global-edition devices instead use Exynos, Samsung LSI's in-house SoC (system on a chip). Shannon, the cellular baseband, co-exists in the SoC floorplan as an IP block.

Every phone today that has a SIM card has a baseband processor, which implements the cellular standards; Shannon is Samsung's particular implementation of those standards.

Remark: When writing Linux kernel driver software for a new SoC, it helps to know the specific IP block (and its heritage) used in a chip, so that software from other projects can be reused.

Vulnerability details: An issue was discovered in Samsung Exynos Mobile Processor and Wearable Processor 9810, 9610, 9820, 980, 850, 1080, 2100, 2200, 1280, 1380, 1330, 9110, and W920. Improper handling of PPP length parameter inconsistency can cause an infinite loop.
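
Both the FRR capability-length issue (CVE-2023-41361 above) and this PPP length problem come down to trusting a length field taken from the wire. The following added example is mine, not FRR's or Samsung's code. It walks a simplified option list in the PPP style (a type byte, a length byte that includes the two-byte header, then data) and contrasts the buggy loop, which advances by the raw length and so stalls forever on a zero length, with a hardened walker that checks three things before touching the data: the length covers at least its own header, it does not run past the end of the message, and the value fits the fixed buffer it would be copied into. In Python an overlong length only yields a short slice; in C the same unchecked length sizes a memcpy into a fixed buffer, which is how such bugs become memory corruption. The option bytes and the 64-byte buffer size are constructed.

```python
from typing import List, Tuple

# Simplified option format used by this example (modelled on PPP configuration
# options: 1-byte type, 1-byte length that INCLUDES the 2-byte header, then data).
HEADER_LEN = 2
# Assumed size of the fixed buffer a C implementation would copy each value into.
MAX_VALUE_LEN = 64


class MalformedOptions(ValueError):
    """Raised by the hardened walker when a length field cannot be trusted."""


def walk_options_unchecked(buf: bytes, max_steps: int = 1000) -> List[int]:
    """The buggy pattern: trust the length byte and advance by it.

    Returns the offsets the loop visited. A zero length means the offset never
    changes, which in firmware is an infinite loop; max_steps exists only so
    this demonstration terminates.
    """
    offsets: List[int] = []
    off = 0
    while off < len(buf) and len(offsets) < max_steps:
        offsets.append(off)
        length = buf[off + 1] if off + 1 < len(buf) else 0
        off += length  # length == 0 -> same offset forever
    return offsets


def parse_options(buf: bytes) -> List[Tuple[int, bytes]]:
    """Hardened walker: validate every length before using it."""
    options: List[Tuple[int, bytes]] = []
    off = 0
    while off < len(buf):
        remaining = len(buf) - off
        if remaining < HEADER_LEN:
            raise MalformedOptions(f"truncated option header at offset {off}")
        opt_type, length = buf[off], buf[off + 1]
        # Progress check: the length must cover at least its own header.
        if length < HEADER_LEN:
            raise MalformedOptions(
                f"option {opt_type}: length {length} smaller than header, loop would not advance")
        # Bounds check: the length must not run past the end of the message.
        if length > remaining:
            raise MalformedOptions(
                f"option {opt_type}: length {length} exceeds remaining {remaining} bytes")
        value = buf[off + HEADER_LEN:off + length]
        # Destination check: the value must fit the buffer it will be copied into.
        if len(value) > MAX_VALUE_LEN:
            raise MalformedOptions(
                f"option {opt_type}: {len(value)}-byte value exceeds {MAX_VALUE_LEN}-byte buffer")
        options.append((opt_type, value))
        off += length
    return options


def is_rejected(buf: bytes) -> bool:
    try:
        parse_options(buf)
    except MalformedOptions:
        return True
    return False


# Constructed sample messages (not captured traffic).
GOOD = bytes([0x01, 0x04, 0x05, 0xDC,      # option 1, length 4, value 0x05DC
              0x03, 0x02])                 # option 3, length 2 (header only, empty value)
ZERO_LENGTH = bytes([0x01, 0x00, 0x05, 0xDC])  # length 0: no forward progress
OVERLONG = bytes([0x01, 0xFF, 0x05, 0xDC])     # length 255 inside a 4-byte message
OVERSIZED = bytes([0x02, 0x48]) + b"A" * 0x46  # length 72: 70-byte value > MAX_VALUE_LEN

if __name__ == "__main__":
    print(parse_options(GOOD))
    print(walk_options_unchecked(ZERO_LENGTH, max_steps=5))
    for sample in (ZERO_LENGTH, OVERLONG, OVERSIZED):
        print(sample.hex(), "rejected" if is_rejected(sample) else "accepted")
```

The three checks map directly onto the two advisories: the progress check is what a PPP option parser needs so that a length inconsistency cannot pin the loop in place, and the bounds and destination checks are what a capability parser needs before copying a received software-version string into a fixed-size buffer.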

Official announcement: For details, please refer to the link – https://semiconductor.samsung.com/support/quality-support/product-security-updates/

CVE-2023-40017 on GeoNodes (24th Aug 2023)

Preface: A few years ago server-side request forgery (SSRF) attracted little attention from IT administrators. Once ransomware appeared, SSRF became a worry, because criminals can use it to reach internal systems from an exposed web application. So we should be careful whenever we learn that one of our web applications contains an SSRF vulnerability.

Background: GeoNode is a geospatial content management system, a platform for the management and publication of geospatial data. It brings together mature and stable open-source software projects under a consistent and easy-to-use interface allowing non-specialized users to share data and create interactive maps.

For reference:

  • Django is a high-level Python web framework
  • PostgreSQL / PostGIS (Vector Datasets)
  • pyCSW – pycsw is an OARec and OGC CSW server implementation written in Python.
  • Raster Datasets – Raster datasets represent geographic features by dividing the world into discrete square or rectangular cells laid out in a grid. Each cell has a value that is used to represent some characteristic of that location, such as temperature, elevation, or a spectral value.
  • File System Raster Datasets – There are three methods to store image and raster data: as files in a file system, within a geodatabase, or managed from within the geodatabase but stored in a file system.

Vulnerability details: GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. In versions 3.2.0 through 4.1.2, the endpoint `/proxy/?url=` does not properly protect against server-side request forgery. This allows an attacker to port scan internal hosts and request information from internal hosts.

Remedy: A patch is available at commit a9eebae80cb362009660a1fd49e105e7cdb499b9.
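
A proxy endpoint that fetches whatever URL it is given must check where that URL actually leads before it connects. The following added example is mine, not GeoNode's code. It shows the checks such a handler should apply: restrict the scheme, refuse embedded credentials, and resolve the host and reject every answer that is loopback, private, link-local or otherwise non-public, including IPv4-mapped IPv6 forms. DNS is replaced by a constructed lookup table so the code runs offline; the host names and addresses in that table are assumptions.

```python
import ipaddress
from typing import Callable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed stand-in for DNS so the example runs offline; a deployment would
# call socket.getaddrinfo() and then connect to the address it checked.
FAKE_DNS = {
    "example.org": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],               # cloud metadata address
    "localhost": ["127.0.0.1", "::1"],
    "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"],  # one public, one private answer
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower(), [])


def is_public_address(ip: str) -> bool:
    """True only for addresses that are routable on the public Internet."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_proxy_target(url: str, resolve: Callable[[str], List[str]] = fake_resolve) -> str:
    """Return the URL if it is acceptable to fetch server-side; raise ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in the URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        answers = [str(ipaddress.ip_address(host))]   # literal IPv4/IPv6 address
    except ValueError:
        answers = resolve(host)                       # hostname: check every answer
    if not answers:
        raise ValueError(f"cannot resolve {host!r}")
    for ip in answers:
        if not is_public_address(ip):
            raise ValueError(f"{host!r} maps to non-public address {ip}")
    return url


def is_rejected_target(url: str) -> bool:
    try:
        check_proxy_target(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for candidate in ("https://example.org/wms?SERVICE=WMS",
                      "http://metadata.internal/latest/meta-data/",
                      "http://[::ffff:127.0.0.1]/", "http://rebind.attacker.test/"):
        print(candidate, "rejected" if is_rejected_target(candidate) else "allowed")
```

Two caveats a practitioner should carry over: the check is only meaningful if the connection is then made to the address that was checked (resolve once, pin it, and re-run the check on every redirect the upstream server returns), and a hostname with mixed answers, like rebind.attacker.test in the table, must be rejected outright rather than accepted because one answer happened to be public.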

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-40017

CVE-2023-40178: Node-SAML Improper Verification of Cryptographic Signature(23rd Aug 2023)

Preface: It is said that SSO reduces the attack surface because users log in only once a day and use only one set of credentials, and that reducing login to one set of credentials improves enterprise security. Or are there other concerns?

Background: Node-SAML has built-in support for single logout (SLO), including signature validation, IdP-initiated and SP-initiated logouts, decryption of encrypted name identifiers in IdP-initiated logout, and the Redirect and POST SAML protocol bindings.

A SAML Service Provider (SP) is a system entity that receives and accepts authentication assertions in conjunction with a Single Sign-On (SSO) profile of the Security Assertion Markup Language (SAML). For example: Gmail, Salesforce, etc.

An identity provider performs the authentication that the end user is who they say they are and sends that data to the service provider along with the user’s access rights for the service. Microsoft Active Directory or Azure are common identity providers. Salesforce and other CRM solutions are usually service providers, in that they depend on an identity provider for user authentication.

Vulnerability details: Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could impact the user where they would be logged out from an expired LogoutRequest. In bigger contexts, if LogoutRequests are sent out in mass to different SPs, this could impact many users on a large scale.
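
What the patched version adds is a freshness check. The added example below is mine, written in Python rather than Node-SAML's JavaScript, and is not the library's code. It shows the validation an SP should apply to a LogoutRequest after its signature has already been verified: reject it once the current time is past NotOnOrAfter, cap its age from IssueInstant even when NotOnOrAfter is absent, and refuse a request ID that has already been processed. The clock-skew and maximum-age values and the sample request are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
CLOCK_SKEW = timedelta(minutes=2)   # assumed tolerance for IdP/SP clock drift
MAX_AGE = timedelta(minutes=5)      # assumed cap on age when NotOnOrAfter is absent


class LogoutRequestRejected(ValueError):
    pass


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC, e.g. 2023-08-23T10:00:00Z."""
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        raise LogoutRequestRejected(f"bad timestamp {value!r}") from None
    if parsed.tzinfo is None:
        raise LogoutRequestRejected(f"timestamp without time zone {value!r}")
    return parsed.astimezone(timezone.utc)


def validate_logout_request(xml_text: str, now: datetime, seen_ids: Set[str]) -> Dict[str, str]:
    """Freshness and replay checks for a LogoutRequest whose signature has ALREADY
    been verified. seen_ids is the SP's store of processed request IDs, which must
    be retained at least until the corresponding requests have expired."""
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "LogoutRequest":
        raise LogoutRequestRejected(f"unexpected element {root.tag}")
    req_id = root.get("ID")
    if not req_id:
        raise LogoutRequestRejected("missing ID")
    issue_instant = parse_saml_time(root.get("IssueInstant", ""))
    if issue_instant > now + CLOCK_SKEW:
        raise LogoutRequestRejected("IssueInstant is in the future")
    # The check CVE-2023-40178 lacked: a request past NotOnOrAfter must not be honoured.
    not_on_or_after = root.get("NotOnOrAfter")
    if not_on_or_after is not None and now >= parse_saml_time(not_on_or_after) + CLOCK_SKEW:
        raise LogoutRequestRejected("LogoutRequest has expired")
    if now > issue_instant + MAX_AGE + CLOCK_SKEW:   # a missing NotOnOrAfter is not a free pass
        raise LogoutRequestRejected("LogoutRequest is too old")
    if req_id in seen_ids:
        raise LogoutRequestRejected(f"replayed LogoutRequest {req_id}")
    name_id = root.find(SAML + "NameID")
    if name_id is None or not (name_id.text or "").strip():
        raise LogoutRequestRejected("missing NameID")
    seen_ids.add(req_id)
    return {"id": req_id, "name_id": name_id.text.strip()}


def decide(xml_text: str, now_iso: str, seen_ids: Set[str]) -> str:
    try:
        validate_logout_request(xml_text, parse_saml_time(now_iso), seen_ids)
        return "accepted"
    except LogoutRequestRejected as exc:
        return f"rejected: {exc}"


def replay_demo(xml_text: str) -> List[str]:
    """Deliver the same request twice against one replay store."""
    store: Set[str] = set()
    return [decide(xml_text, "2023-08-23T10:01:00Z", store),
            decide(xml_text, "2023-08-23T10:02:00Z", store)]


# Constructed sample; not a captured message. Signature element omitted because
# signature verification is assumed to have happened before this step.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee01" Version="2.0" IssueInstant="2023-08-23T10:00:00Z"
    NotOnOrAfter="2023-08-23T10:05:00Z" Destination="https://sp.example/logout">
  <saml:Issuer>https://idp.example</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
</samlp:LogoutRequest>"""

if __name__ == "__main__":
    print(decide(SAMPLE_LOGOUT_REQUEST, "2023-08-23T10:01:00Z", set()))
    print(decide(SAMPLE_LOGOUT_REQUEST, "2023-08-23T11:00:00Z", set()))
    print(replay_demo(SAMPLE_LOGOUT_REQUEST))
```

The replay store matters as much as the time check: without it, a captured request can be replayed any number of times inside its validity window, which is the mass-logout scenario the advisory describes, only shortened to a few minutes.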

Remedy: This issue was patched in version 4.0.5.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-40178

CVE-2023-41105: Python 3.11 through 3.11.4 (os.path.normpath) truncates input on null bytes (23rd Aug 2023)

Preface: Like Java, Python is popular because its applications can run on all major operating systems (Windows, Unix, Linux, macOS).

Background: What’s new in Python 3.11? One of the new modules is tomllib, for parsing TOML.
I. TOML makes writing configuration files simple, straightforward, and more human-readable than many other formats, including JSON.
The TOML file used to configure the buildkitd daemon has a short list of global settings followed by a series of sections for specific areas of daemon configuration.
The file path is /etc/buildkit/buildkitd.toml for rootful mode and ~/.config/buildkit/buildkitd.toml for rootless mode.

II. The os.path.normpath() method normalizes the specified path: redundant separators and up-level references are collapsed in the process.
For example: A//B, A/B/, A/./B and A/foo/../B are all normalized to A/B.

If your Docker setup automation combines I and II, that is, it reads paths from a TOML file and normalizes them, you should stay alert.

Vulnerability details:

'\0' is the NUL byte. If a path containing '\0' bytes is passed to os.path.normpath(), the path is truncated unexpectedly at the first '\0' byte.

In some cases a filename that an application would have rejected for security reasons on Python 3.10.x or earlier is no longer rejected on Python 3.11 through 3.11.4.
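
The safe approach does not depend on how normpath treats a NUL: reject the byte before normalizing. The added example below is mine, not part of the CPython advisory. It includes a one-line probe that reports whether the running interpreter truncates, a normpath wrapper that refuses embedded NUL, and a path-containment check of the kind an application serving files from a configured directory would apply; the base directory and sample paths are constructed.

```python
import os
import posixpath


def normpath_truncates_on_nul() -> bool:
    """Runtime probe for the CVE-2023-41105 behaviour: True when this interpreter's
    os.path.normpath() stops at the first NUL byte, False when the NUL is preserved."""
    return os.path.normpath("a\0b") == "a"


def safe_normpath(path: str) -> str:
    """Refuse embedded NUL bytes up front, so the result does not depend on which
    Python version is running; then normalise with the POSIX rules."""
    if "\0" in path:
        raise ValueError("embedded NUL byte in path")
    return posixpath.normpath(path)


def resolve_under(base: str, user_path: str) -> str:
    """Join a user-supplied path to a base directory and refuse anything that
    escapes it. Policy assumed for this example: the normalised result must be
    `base` itself or a path below it."""
    base = posixpath.normpath(base)
    candidate = safe_normpath(posixpath.join(base, user_path))
    if candidate != base and not candidate.startswith(base.rstrip("/") + "/"):
        raise ValueError(f"path escapes {base}: {candidate}")
    return candidate


def is_rejected(base: str, user_path: str) -> bool:
    try:
        resolve_under(base, user_path)
    except ValueError:
        return True
    return False


# Constructed inputs; the third has the CVE-2023-41105 shape: a harmless-looking
# prefix, a NUL, then a traversal suffix that a truncating normpath would drop.
SAMPLE_PATHS = [
    "maps/../raster/elevation.tif",
    "../../etc/passwd",
    "report.pdf\0../../etc/passwd",
]

if __name__ == "__main__":
    print("normpath truncates on NUL:", normpath_truncates_on_nul())
    for p in SAMPLE_PATHS:
        outcome = "rejected" if is_rejected("/srv/geodata", p) else resolve_under("/srv/geodata", p)
        print(repr(p), "->", outcome)
```

On an affected 3.11.x the probe returns True and posixpath.normpath("report.pdf\0../../etc/passwd") comes back as "report.pdf", so a containment check applied to the normalized value alone would accept a string whose original form still carries the traversal; the wrapper rejects it regardless of interpreter version, and the same guard belongs in front of any path read from a configuration file such as buildkitd.toml before it is normalized.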

08/23/2023 disclosed

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-41105

CVE-2023-36787: What’s up? (2023-08-23)

Background: Edge was initially built with Microsoft’s own proprietary browser engine, EdgeHTML, and their Chakra JavaScript engine. In late 2018, it was announced that Edge would be completely rebuilt as a Chromium-based browser with Blink and V8 engines.

Chrome used only WebCore, and included its own JavaScript engine named V8 and a multiprocess system. Chrome for iOS continues to use WebKit because Apple requires that web browsers on that platform must do so.

Remark: Edge was originally based on Chakra but has more recently been rebuilt using Chromium and the V8 engine. V8 is written in C++, and it’s continuously improved.

Vulnerability details: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability.

06/27/2023 CVE reserved

08/17/2023 disclosed (+51 days)

Official announcement: For details, please refer to the link – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36787

CVE-2023-21273: When you run this design, you should be concerned about this vulnerability! (20th Aug 2023)

Preface: A UUID is a 128-bit number intended to be unique worldwide; Bluetooth SDP identifies services by UUID. Bluetooth sends data over the air, and every nearby device can receive it.

Background: Android “O” was officially released on August 21, 2017 under the name “Oreo”. The BluetoothHidDevice framework adds the SDP record during app registration, so that the Android device can be discovered as a Bluetooth HID device. The related module source file sdp_db.cc appeared during this period. As time goes by, the Bluetooth module, including sdp_db.cc, has been carried forward to the present in the Android Open Source Project (AOSP).

Vulnerability details: In SDP_AddAttribute of sdp_db.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Severity – Critical

Type – RCE

Updated AOSP versions – 11,12,12L, 13

Official Announcement: For details, please refer to the link below:

https://android.googlesource.com/platform/packages/modules/Bluetooth/+/1e27ef69755a0735278a1c6af130c71a92b94e3f%5E%21/#F0

https://source.android.com/security/bulletin/2023-08-01

antihackingonline.com