Preface: The x86-64-AMD Ryzen Zen 2 CPU is a microprocessor architecture developed by AMD. It is based on the Zen microarchitecture, which was first introduced in 2017. The Zen 2 architecture features a number of improvements over the previous generation, including higher performance, lower power consumption, and support for new features such as PCIe 4.0 and DDR5 memory. It is commonly used in desktops, laptops, and servers.

AMD is still releasing Zen2 CPUs in 2022, its AM4 shifting to the mainstream, and Zen4 occupies the high-end space.

Background: Zen 2 microarchitecture – The EPYC 7742 Rome processor has a base CPU clock of 2.25 GHz and a maximum boost clock of 3.4 GHz. There are eight processor dies (CCDs) with a total of 64 cores per socket.

Vulnerability details: Under specific microarchitectural circumstances, a register in “Zen 2” CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.

Ref: AVX uses sixteen YMM registers to perform a single instruction on multiple pieces of data (see SIMD). Each YMM register can hold and do simultaneous operations (math) on: eight 32-bit single-precision floating point numbers or. four 64-bit double-precision floating point numbers.

Ref: If your whole program doesn’t use any non-VEX instructions that write xmm registers, you don’t need vzeroupper to avoid state-transition penalties.

Official announcement: For details, please refer to link – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html

Preface: How does IO uring work? It works by creating two circular buffers, called “queue rings”, for storage of submission and completion of I/O requests, respectively. For storage devices, these are called the submission queue (SQ) and completion queue (CQ).

Background: io_uring can handle various I/O related requests. for example:

• File related: read, write, open, fsync, fallocate, fadvise, close
• Network related: connect, accept, send, recv, epoll_ctl
• Etc…

How io_uring is implemented in the kernel? io_uring has two options when it is created, corresponding to the different ways io_uring handles tasks:

• After turning on IORING_SETUP_IOPOLL, io_uring will use polling to perform all operations.
• After enabling IORING_SETUP_SQPOLL, io_uring will create a kernel thread dedicated to harvesting tasks submitted by users.

Vulnerability details: A vulnerability was found due to missing lock for IOPOLL flaw in io_cqring_event_overflow() in io_uring[.]c in Linux Kernel. This flaw allows a local attacker with user privilege to trigger a Denial of Service threat.

Official announcement: For details, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2023-2430

Preface:  In Oracle Database, you can store and execute Java code directly in the database using Oracle Java Virtual Machine (OJVM). You can take your Java code, put it into the database and execute it.

Background: You can extend a relational database’s storage, indexing, and searching capabilities to include semistructured and nonstructured data (including Web Services) in addition to enabling federated data. By calling Web Services, the database can track, aggregate, refresh, and query dynamic data produced on-demand, such as stock prices, currency exchange rates, and weather information.

The Web services client code is written in SQL, PL/SQL, or Java to run inside Oracle Database, which then calls the external Web service. You can call a Web service from a Java client within the database, using one of the following methods:

• SQL and PL/SQL call specifications
• Pure Java static proxy class
• Pure Java using dynamic invocation interface (DII) over JAX-RPC

For Web services call-outs using PL/SQL, use the UTL_DBWS PL/SQL package. This package essentially uses the same application programming interfaces (APIs) as the DII classes.

Vulnerability details: Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.19 and 21.3-21.10. Difficult to exploit vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via multiple protocols to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java VM accessible data.

Supported Versions Affected: 19.3-19.19, 21.3-21.10

Official announcement: For details, please refer to the link – https://www.oracle.com/security-alerts/cpujul2023.html

Background: Use Citrix Gateway with StoreFront to provide secure remote access for users outside the corporate network and Citrix ADC to provide load balancing.

*Citrix StoreFront is an enterprise application store that provides an interface for users to access XenDesktop and XenApp virtual desktops and applications remotely.

How do I access Citrix StoreFront? On the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile. Select the Stores node in the right pane of the Citrix StoreFront management console and, in the results pane, select a store. In the Actions pane, click Configure Remote Access Settings.

Vulnerability details: An attacker can exploit design weakness to execute code remotely without authentication.

Design flaws arise under specified conditions: Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.

Ref: StoreFront includes a Cross Site Request Forgery (CSRF) token in the query string of a few URLs. A security concern might arise because the tokens might be retained in the browser history or in the logs of intermediate devices, such as proxy servers.

Official announcement: For details, please refer to the link – https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467

Preface: What is Kerberos authentication in database? Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network, such as the internet. Kerberos support is built in to all major computer operating systems, including Microsoft Windows, Apple macOS, FreeBSD and Linux.

Background: The Oracle Advanced Networking Option is an optional product that provides enhanced functionality to SQL*Net. Its set of features provides enhanced security and authentication to your network, enables integration with a Distributed Computing Environment (DCE), and provides access to native directory services through Native Naming Adapters.

Vulnerability details: CVE-2023-21949 – Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 19.3-19.19 and 21.3-21.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Advanced Networking Option accessible data. CVSS 3.1 Base Score 3.7 (Integrity impacts). 

Since Oracle didn’t provide details. But I speculate that this is one of the possibilities leading to the vulnerability. For details, please refer to attached diagram.

Ref: A vulnerability in the Kerberos authentication feature of oracle authentication server adapter could allow an unauthenticated, remote attacker to impersonate the Kerberos key distribution center (KDC) and bypass authentication on an affected DB server that is configured to perform Kerberos authentication for remote or local device access. The vulnerability is due to insufficient identity verification of the KDC when a successful authentication response is received. An attacker could exploit this vulnerability by spoofing the KDC server response to the authentication server. This malicious response would not have been authenticated by the KDC. A successful attack could allow an attacker to bypass Kerberos authentication.

Official announcement: For details, please refer to the link – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21949

Preface: Since the software device will be customized by the manufacturer. So-called OS and even web server hardening will be done by the manufacturer. If the web server and SQL packages contain design flaws (so-called multiple vulnerabilities). Sometimes there is no workaround. Need to be patched. But manufacturers of cyber defense utilities were quick to react. Their product design weaknesses will be fixed immediately.

Background: By w3techs.com statistics, Apache is used by 31.4% of all the websites whose web server we know. What is SonicWall Global Management System?

SonicWall Global Management System (GMS) solves these challenges. GMS integrates management and monitoring, analytics, forensics and audit reporting. This forms the foundation of a security governance, compliance and risk management strategy.

Security Focus: CVE-2023-34124 – The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass.

Tomcat become web server of GMS/Analyze by design. It can straight seen as administrator front end console/dashboard. When vulnerabilities occurs in Tomcat. It is hard to avoid burden the downstream services.

The manufacturer did not specify. See if it can find the root cause.

Perhaps multiple vulnerabilities on Tomcat/Apache burden Sonicwall GMS/Analyze!

Below is my observation:

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm.

I believe the manufacturer is very concerned about this place. If the client code calls HttpServletRequest#logout(), it is delegated to getContext().getAuthenticator().logout(this); but AuthenticatorBase#logout(Request) never calls TomcatPrincipal#logout() to free resources.

Vulnerability details: SonicWall has identified four critical vulnerabilities (CVE-2023-34124, CVE-2023-34133, CVE-2023-34134, and CVE-2023-34137) that could allow an unauthenticated attacker to bypass authentication and potentially access Sensitive information on vulnerable websites. An on-prem system running GMS 9.3.2-SP1 or earlier and Analytics 2.5.0.4-R7 or earlier.

Official announcement: For details, please refer to the link – https://www.sonicwall.com/support/notices/urgent-security-notice-sonicwall-gms-analytics-impacted-by-suite-of-vulnerabilities/230710150218060/

Preface: Enable/Disable AMD virtualization in BIOS

1. Open BIOS menu.
2. Go to Advanced- > IOMMU and enable/disable AMD IOMMU. B. AMD SVM.
3. Go to Advanced -> SVM Mode and enable/disable AMD SVM.

Background: AMD-V technology added VM capability via VM instructions in AMD’s x86 CPU chips. The technology uses hardware to simplify the tasks that VM managers normally perform via software emulation.

Prior to starting an encrypted VM, software must enable MemEncryptionModEn through MSR C001_0010 (SYSCFG). SEV may then be enabled on a specific virtual machine during the VMRUN instruction if the hypervisor sets the SEV enable (bit 1) in VMCB offset 090h.

Vulnerability details: A potential power side-channel vulnerability in some AMD processors may allow an authenticated attacker to use the power reporting functionality to monitor a program’s execution inside an AMD SEV VM potentially resulting in a leak of sensitive information.

This attack exploit by attacker does not seem to be a particularly novel attack as it uses the same technique as the Platypus attack from 2020. One difference from the Platypus attack is this reported attack is used against an AMD SEV virtual machine.

2022-10-27 CVE assigned

2023-07-11 +257 days Released to public

Official announcement: For details, please refer to the links:

https://nvd.nist.gov/vuln/detail/CVE-2023-20575

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3004.html

Preface: If you recall, programming in Java was involved in the field of network security ten years ago, because many serious incidents were caused by Java applications. Over time, the Java sandbox and secure programming techniques temporarily calmed the field. However, there was no long-term peace.

Background: vm2 is a sandbox that can run untrusted code with whitelisted Node’s built-in modules. It specialized JavaScript sandbox used by a broad range of software tools for running and testing untrusted code in an isolated environment, preventing the code from accessing the host’s system resources or external data.

Vulnerability details: The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed with @@species accessor property allowing attackers to escape the sandbox and run arbitrary code. Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox.

Ref: A Node[.]js Promise is a placeholder for a value that will be available in the future, allowing us to handle the result of an asynchronous task once it has completed or encountered an error. Promises make writing asynchronous code easier. They’re an improvement on the callback pattern and very popular in Node[.]js.

Ref: The Proxy object allows you to create an object that can be used in place of the original object, but which may redefine fundamental Object operations like getting, setting, and defining properties. Proxy objects are commonly used to log property accesses, validate, format, or sanitize inputs, and so on.

Official announcement: For details, please refer to the link – https://www.tenable.com/cve/CVE-2023-37466

Preface: Security profiles in proxy mode can perform SSL inspection on HTTP/2 traffic that is secured by TLS 1.2 or 1.3 using the Application-Layer Protocol Negotiation (ALPN) extension.

Background: In HTTP/2, a series of “pseudo-headers” is used to send key information about the message. Most notably, several pseudo-headers effectively replace the HTTP/1 request line and status line. In total, there are five pseudo-headers: :method – The HTTP method of the request, such as GET or POST .
Deep packet inspection evaluates the data part and the header of a packet that is transmitted through an inspection point, weeding out any non-compliance to protocol, spam, viruses, intrusions, and any other defined criteria to block the packet from passing through the inspection point.
Security profiles in proxy mode can perform SSL inspection on HTTP/2 traffic that is secured by TLS 1.2 or 1.3 using the Application-Layer Protocol Negotiation (ALPN) extension.

Vulnerability details: A stack-based overflow vulnerability [CWE-124] in FortiOS & FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection.

Ref: When using TLS, most clients default to HTTP/1 and explicitly advertise support for HTTP/2 via the ALPN field during the web server TLS handshake. Some web servers that support HTTP/2 are misconfigured to advertise this fact, causing clients to only communicate with them HTTP/1, and hiding the potential attack surface. Attacker takes HTTP/1.1-formatted requests as input, then rewrites them as HTTP/2. During the rewrite, it performs a few character mappings on the headers to override pseudo-headers by specifying them as fake HTTP/1.1 headers.

Official announcement: For details, please refer to the link – https://www.fortiguard.com/psirt/FG-IR-23-183

Preface: The secure access solution from Citrix provides a unified stack of cloud-delivered services that allows IT to provide a productive hybrid work environment with zero trust security.

Background: Citrix Secure Access client for Linux is a VPN client software managed by NetScaler Gateway that enables users to access corporate data and applications remotely. It protects applications from unauthorized access, application-level threats, and browser-based attacks.
Ref: If the HttpOnly attribute is set on a cookie, then the cookie’s value cannot be read or set by client side JavaScript. This measure makes certain client side attacks, such as cross-site scripting, slightly harder to exploit by preventing them from trivially capturing the cookie’s value via an injected script.

Vulnerability details: Vulnerabilities have been discovered in Citrix Secure Access client for Ubuntu (previously Citrix Gateway VPN client for Ubuntu). 
If exploited, could allow an attacker to remotely execute code if a victim user opens an attacker-crafted link and accepts further prompts.
The following supported versions are affected by the vulnerability: Versions before 23.5.2
Ref: The Citrix Secure Access and Citrix EPA clients support the HTTPOnly flag on the  authentication cookies.
NetScaler Gateway admins configure the HTTPOnly feature on the authentication cookie that are generated by web applications. This feature help in preventing cookie theft due to cross site scripting .

Official announcement:For details, please refer to the link – https://support.citrix.com/article/CTX564169/citrix-secure-access-client-for-ubuntu-security-bulletin-for-cve202324492