About CVE-2021-46744 on 1st/2nd/3rd Gen AMD EPYC™ Processors (10th May 2022)

Preface: KVM (Kernel-based Virtual Machine) is an open source Linux kernel virtualization infrastructure which relies on the hardware virtualization technologies and is fully integrated in the Linux kernel. Its first version was introduced in the 2.6.20 Linux kernel tree (released in February 2007). KVM developers are primarily funded by a technology startup called Qumranet, now owned by Red Hat. The developers took an original approach: instead of creating major portions of an operating system kernel themselves, they chose to use the Linux kernel itself as the basis for a hypervisor.

KVM stands for Kernel-based Virtual Machine. Being an open-source virtualization software that’s embedded into Linux, KVM does two things:

  • Makes Linux a hypervisor
  • Enables Linux to run multiple, isolated virtual environments

KVM initially supported x86 platform processors and was subsequently ported to S/390, PowerPC, and IA-64 platforms.

Background: AMD EPYC 7002 Processors – A dual-socket AMD EPYC workstation or server is ideal for compute-intensive tasks such as high performance computing (HPC) and artificial intelligence (AI) applications thanks to its huge memory bandwidth, memory capacity and outstanding I/O. AMD EPYC Processors come with improved execution pipelines, higher clock rates, and up to 4x the shared Level 3 cache. A Level 3 (L3) cache is a specialized cache that is used by the CPU and is usually built onto the motherboard and, in certain special processors, within the CPU module itself.

The AMD EPYC 7002 Series Processor is the latest generation of the AMD64 System-on-Chip (SoC) processor family. It is based on the Zen 2 microarchitecture introduced in 2019, supporting up to 64 cores (128 threads) and 8 memory channels per socket. AMD’s CCD is an abbreviation of Core Chiplet Die. A Zen 2 processor is not one large core package; it is divided into two parts, the CCD and the I/O die, of which the CCD is purely a compute die. Each CCD contains two CCXs, that is, each CCD has 8 cores and 16 threads.

Vulnerability details: An attacker with access to a malicious hypervisor may be able to infer data values used in a SEV guest on AMD CPUs by monitoring ciphertext values over time.

Speculation based on vulnerabilities: If important data is encrypted at rest or in transit, it’s often best to try to steal the data when it’s not encrypted by monitoring the memory space of the process performing the encryption and any calls to cryptographic libraries.
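To make the vulnerability detail concrete, here is a constructed model, added for this post and not AMD’s implementation or code from the bulletin: when each block of guest memory encrypts to a value that depends only on the key, the physical address and the plaintext, an observer who sees only ciphertext can still tell when a value returns to an earlier one. The HMAC stand-in for the block cipher, the address 0x1000 and the sample values are assumptions.

```python
import hashlib
import hmac
import os

# Constructed model (not AMD's implementation): guest memory is encrypted with a
# key the hypervisor never sees, but each block's ciphertext is a deterministic
# function of (key, physical address, plaintext). HMAC-SHA256 truncated to 16
# bytes stands in for the address-tweaked block cipher; only the "same input,
# same output" property matters for the leak shown here.
KEY = os.urandom(32)


def encrypt_block(addr, plaintext, nonce=b""):
    """Deterministic when nonce is empty; randomized when a fresh nonce is mixed in."""
    assert len(plaintext) == 16
    msg = addr.to_bytes(8, "little") + nonce + plaintext
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:16]


class GuestPage:
    """One block of guest memory: the guest writes plaintext values,
    the hypervisor can only read back ciphertext."""

    def __init__(self, randomized=False):
        self.randomized = randomized
        self.ciphertext = {}

    def guest_write(self, addr, value):
        nonce = os.urandom(16) if self.randomized else b""
        self.ciphertext[addr] = encrypt_block(addr, value.to_bytes(16, "little"), nonce)

    def hypervisor_read(self, addr):
        return self.ciphertext[addr]


def ciphertext_repeats(snapshots):
    """What an observer of successive ciphertext snapshots of one block can
    conclude: (step, earlier_step) pairs whose ciphertexts are equal, i.e. the
    plaintext at `step` equals the plaintext at `earlier_step`, learned without
    the key and without knowing either value."""
    first_seen = {}
    hits = []
    for i, ct in enumerate(snapshots):
        if ct in first_seen:
            hits.append((i, first_seen[ct]))
        else:
            first_seen[ct] = i
    return hits


def observe(values, randomized):
    """Guest writes `values` to the same block over time; return the equalities
    recoverable from outside."""
    page = GuestPage(randomized)
    snaps = []
    for v in values:
        page.guest_write(0x1000, v)            # constructed guest-physical address
        snaps.append(page.hypervisor_read(0x1000))
    return ciphertext_repeats(snaps)


if __name__ == "__main__":
    # Deterministic cipher: step 3 repeats step 0, step 4 repeats step 1.
    print(observe([7, 42, 9, 7, 42], randomized=False))   # [(3, 0), (4, 1)]
    # Fresh randomness per write: nothing repeats, so nothing is learned.
    print(observe([7, 42, 9, 7, 42], randomized=True))    # []
```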

Official announcement: AMD provides preventive and corrective controls, please refer to the link for more details. https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1033

My comment: Due to this design flaw, the vendor (AMD) recommends a series of preventive and corrective controls. In my personal point of view, the first step should be to discuss with the system architect and software developers how to integrate the below concept of the Linux clear cache command into the work flow.
Drop all caches – Below Linux command:
sync; echo 3 > /proc/sys/vm/drop_caches

CVE-2022-20120: A remote code execution (RCE) vulnerability in the bootloader on Pixel devices (10th May 2022)

Preface: Google Pixel is a brand of consumer electronic devices developed by Google that run either Chrome OS or the Android operating system. The Pixel brand was introduced in February 2013 with the first-generation Chromebook Pixel. The Pixel line includes laptops, tablets, and smartphones, as well as several accessories.

Background: The Google Pixel is one of the smartphones on the market today. The Google Pixel also works with digital camera products.

How do you identify a Pixel device? The simple way is to go through the settings menu: Settings → About Phone → Model Number. The display will tell you the make and model number of your device alongside the IMEI number, serial number and the version of Android you are running.

How do I get into the bootloader? Follow the steps below:

  • Ensure the phone is turned off.
  • Press and hold the VOLUME DOWN button.
  • Press the POWER button.
  • Continue to hold VOLUME DOWN until the Download mode is displayed.
  • Press VOLUME DOWN to go to Reboot to bootloader.
  • Press the POWER button.

Vulnerability details: With just a few minutes of physical access and a USB cable, attackers can silently and invisibly compromise unpatched devices. The exact details of the vulnerability have not been disclosed. Do you think the key factor is similar to the steps displayed in the attached diagram?

Official announcement (Pixel Update Bulletin—May 2022): Please refer to the link for details – https://source.android.com/security/bulletin/pixel/2022-05-01#pixel

CVE-2022-28165 for Brocade SANnav (6th May, 2022)

Preface: If you look into a mainframe computer system, you will find Brocade SAN storage making use of FICON connections. As time goes by, high-end supercomputer systems are still using this solution.
Furthermore, Brocade products are not limited to supercomputer usage. The Fibre Channel storage networking and management solutions have expanded to cloud computing, because Fibre Channel storage networking solutions are the most trusted.

Background: SANnav Management Portal supports an application programming interface (API) for managing Brocade® storage area network (SAN) fabrics. The REST API provides you with a web-services interface for accessing the SANnav Management Portal server system. The REST APIs are organized into various services, such as Login, Discovery, FCR, Fault, Inventory, and Northbound Streaming. You can use the REST API to build your own SANnav clients.

Vulnerability details: A vulnerability in the role-based access control (RBAC) functionality of Brocade SANnav before 2.2.0 could allow an authenticated, remote attacker to access resources that they should not be able to access and perform actions that they should not be able to perform. The vulnerability exists because restrictions are not enforced on the server side to ensure the user has the required permission before processing requests.

Important notice – If you add a service principal to a group, and then assign an app role to that group, it does not add the roles claim to tokens it issues. Conversely, if the client side uses stateless authentication, it is possible that a remote attacker is allowed to access resources that they should not be able to access and perform actions that they should not be able to perform.

Reference (see below):

  • With stateful authentication, a unique session id is generated when the user logs in. In subsequent requests, this session ID serves as a reference to the user details stored on the server. The session ID is opaque; it doesn’t contain any user data.
  • With stateless authentication, all user-identifying information is stored in a client-side token. The token can be passed to any server or micro service, eliminating the need to maintain session state on the server. Stateless authentication is often factored out to an authorization server, which produces, signs, and optionally encrypts the token upon user login.

Affected Products – Brocade SANnav before 2.2.0
Remedy: Fixed in Brocade SANnav 2.2.0

Official announcement: Please refer to the link for details – https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1844

Additional details: According to the above principles, one remedy is to implement claim-based authorization. App roles can be assigned to a user or a group of users. App roles can also be assigned to the service principal for another application, or to the service principal for a managed identity.
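As an added illustration of the server-side check the advisory says was missing (constructed example, not Brocade SANnav code): a stateless token proves who the caller is, but the permission decision is taken on the server from its own role store, and a role the client asserts in the request body is ignored. The signing secret, the users, the roles and the service/action names are placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed example (not Brocade's code): the server verifies the token it
# issued at login, then decides permissions from its OWN role store, never from
# anything the client asserts. The secret, roles and users are placeholders.
SERVER_SECRET = b"server-only-signing-key-placeholder"

# Server-side RBAC: role -> allowed (service, action) pairs
ROLE_PERMISSIONS = {
    "san_admin": {("inventory", "read"), ("fault", "read"), ("fabric", "modify")},
    "operator": {("inventory", "read"), ("fault", "read")},
}
USER_ROLES = {"alice": "san_admin", "bob": "operator"}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username):
    """Stateless token issued at login: only the subject is embedded.
    Roles are not put in the token, and would not be trusted if a client
    added them, because the server resolves roles itself per request."""
    payload = _b64(json.dumps({"sub": username}).encode())
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def verify_token(token):
    """Return the claims if the signature matches, else None."""
    if "." not in token:
        return None
    payload, sig = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(_unb64(payload))


def handle_request(token, service, action, body):
    """REST handler returning an HTTP-style status. `body` may carry a
    client-asserted 'role' (as a UI might send); it is deliberately ignored
    and the check runs on the server for every request."""
    claims = verify_token(token)
    if claims is None:
        return 401
    role = USER_ROLES.get(claims.get("sub"))
    if (service, action) not in ROLE_PERMISSIONS.get(role, set()):
        return 403
    return 200


if __name__ == "__main__":
    bob = issue_token("bob")
    print(handle_request(bob, "inventory", "read", {}))                    # 200
    print(handle_request(bob, "fabric", "modify", {"role": "san_admin"}))  # 403
    print(handle_request(bob + "x", "inventory", "read", {}))             # 401
```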

About F5 network advisory – CVE-2022-1388 (5th May 2022)

Preface: A distributed hypermedia architect has only three fundamental options: 1) render the data where it is located and send a fixed-format image to the recipient; 2) encapsulate the data with a rendering engine and send both to the recipient; or, 3) send the raw data to the recipient along with metadata that describes the data type, so that the recipient can choose their own rendering engine.

Background: F5 has released security advisories on vulnerabilities affecting multiple products, including various versions of BIG-IP. Included in the release is an advisory for CVE-2022-1388, which allows undisclosed requests to bypass the iControl REST authentication in BIG-IP. An attacker could exploit CVE-2022-1388 to take control of an affected system.

Please refer to the link for details – https://support.f5.com/csp/article/K23605346#proc3

The vendor reminded users that restricting access to the management interface by IP address in httpd is not a viable mitigation for this issue. A “Connection: close” header should be added instead. Why?

My speculation: According to the above situation, my thoughts are as follows:

Whether adding a “Connection: close” header to custom HTTP/1.1 responses avoids the case where the max request body size is exceeded.

The remedy action recommended by the vendor is that the client should manually add a “Connection: close” header in the httpd configuration files. In normal circumstances, this happens when the app writes a custom response and the max request body size has been exceeded. Without this header, the attacker might try to reuse the connection.

CVE-2022-30284 – Design weakness in the python-libnmap package (4th May 2022)

Preface: If you do resource planning in a large data center, maybe you use nmap. E.g.: perform a list scan on the provided ranges and return an NmapReport object to include in your MIS report.

Background: libnmap is a Python library to parse nmap XML data. It supports Python 3.6+.
libnmap is a Python library enabling Python developers to manipulate nmap data. The libnmap targets are as follows:

  • manipulate nmap scans results to do reporting
  • compare and diff nmap scans to generate graphs
  • batch process scan reports

How to install? pip install python-libnmap

Vulnerability details: In the python-libnmap package through 0.7.2 for Python, remote command execution can occur (if used in a client application that does not validate arguments).

My imagination: Refer to the attached diagram. If an attacker has a way to re-engineer the file (hostname-discovery.py) and replace the original file, see the added command syntax in the red box in the diagram.
The file replaced by the attacker (hostname-discovery.py) will execute the command syntax to upload the file (rev.nse) over HTTP. Therefore, it can execute an NSE reverse shell on the target system.
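The vulnerability text puts the condition on the client application (“does not validate arguments”), so here is the validation such a client would do before handing targets and options to NmapProcess. This is an added example written for this post, not code from python-libnmap; the option allow-list, the hostname rule and the sample inputs are assumptions for one particular client.

```python
import ipaddress
import re
import shlex

# Constructed example (not python-libnmap's own code): a client application
# builds NmapProcess(targets, options=...) from user input, so both fields are
# validated first. Anything option-like in the target list (such as a
# "--script=" pointing at an attacker-controlled .nse file) or any flag outside
# the allow-list is rejected before it can reach the nmap command line.
ALLOWED_OPTIONS = {"-sn", "-sL", "-sV", "-Pn", "-F"}   # assumed allow-list for this client
PORT_OPTION = re.compile(r"^-p\d{1,5}(?:-\d{1,5})?$")    # -p80 or -p1-1024
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
FORBIDDEN_CHARS = set(" \t\n;|&$`'\"()<>")


class InvalidScanInput(ValueError):
    pass


def validate_target(target):
    """Accept an IP address, a CIDR network or a plain hostname; reject
    anything that begins with '-' (nmap would parse it as an option)
    or carries shell metacharacters."""
    t = target.strip()
    if not t or t.startswith("-") or FORBIDDEN_CHARS & set(t):
        raise InvalidScanInput("bad target: %r" % target)
    try:
        ipaddress.ip_network(t, strict=False)
        return t
    except ValueError:
        pass
    if HOSTNAME.match(t):
        return t
    raise InvalidScanInput("bad target: %r" % target)


def validate_options(options):
    """Keep only allow-listed flags; --script, -oN, --datadir and the like fail."""
    kept = []
    for tok in shlex.split(options):
        if tok in ALLOWED_OPTIONS or PORT_OPTION.match(tok):
            kept.append(tok)
        else:
            raise InvalidScanInput("option not allowed: %r" % tok)
    return " ".join(kept)


def build_scan(targets, options):
    """Return (targets, options) safe to pass to NmapProcess(targets, options=...)."""
    return [validate_target(t) for t in targets], validate_options(options)


def is_accepted(targets, options):
    """Convenience predicate for input forms and tests."""
    try:
        build_scan(targets, options)
        return True
    except InvalidScanInput:
        return False


if __name__ == "__main__":
    print(build_scan(["10.0.0.0/24", "scanme.example"], "-sn -p1-1024"))
    for bad in (["--script=rev.nse"], ["10.0.0.1; id"], ["10.0.0.1"]):
        print(bad, is_accepted(bad, "-sn"), is_accepted(bad, "-sn --script=rev.nse"))
```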

Preventive control and protective control: Please refer to the link for details – https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

Expert findings and Proof of concept: Please refer to the link for details – https://www.swascan.com/security-advisory-libnmap-2/

About CVE-2022-0882 – Fuchsia allows illegal access to the kernel log (3rd May 2022)

Preface: Fuchsia is an IoT-first OS, meaning an OS for your fridge, Raspberry Pi, car, TV, etc.

Background: Zircon is the core platform that powers the Fuchsia OS. Zircon is composed of a microkernel (source in kernel/…) as well as a small set of userspace services, drivers, and libraries (source in system/…) necessary for the system to boot, talk to hardware, load userspace processes and run them, etc. Fuchsia builds a much larger OS on top of this foundation. One benefit of the microkernel approach is ease of extending the operating system. All new services are added to user space and consequently do not require modification of the kernel. Fuchsia is an open-source capability-based operating system developed by Google. As a general purpose operating system, Fuchsia is designed to power a diverse ecosystem of hardware and software.

Vulnerability details: A bug exists where an attacker can read the kernel log through exposed Zircon kernel addresses without the required capability ZX_RSRC_KIND_ROOT. Fuchsia allows illegal access to the kernel log. This exposes Zircon kernel addresses and other sensitive information to components that do not have the required capability. It is a security issue. Please refer to the link for details – https://bugs.fuchsia.dev/p/fuchsia/issues/detail?id=94740

Remedy: It is recommended to upgrade the Fuchsia kernel to 4.1.1 or greater.

Hiccup, web server load balancing solution (3rd May 2022)

Preface: Online banking cannot lack a load balancing solution today. However, in terms of the life cycle of the operating system and software libraries, the Java language development platform and on-demand custom functions, does it bother the load balancing functions? The most challenging part is layer 7 load balancing. Perhaps you can do the health check on application functions. However, it is difficult to guarantee non-stop function on the application side (availability).

Background: The load-balancing algorithms supported are round-robin, weighted least request, random, ring-hash and more. An additional function includes client non-interrupt service using application and service availability (health-check performance).

My focus: Online banking platform (Hong Kong)
Error 500: java.lang.RuntimeException: no EntityContext found in existing session
Date: Around 8:15 am 5/3/2022

Fundamentally, a web server load balancing function working in the correct way means no downtime. Therefore, when the web server you connected to has a problem, the load balancing function will keep persistence (SSL sticky) and then redirect your connection to the web server which is available.
My experience operating in an online banking system this morning (3rd May, 2022) hinted the technical information to me.
I encountered an error in my web services. (Reminder – it successfully logged on and was doing operations.) However, an error 500 was displayed on my screen. Thereafter, even if I closed the browser and made a new established connection to the banking system, it still redirected my new connection to e-banking1.hangseng.com. But in a round robin setup architecture, I could connect to e-banking2.hangseng.com by chance.

Observation: Perhaps the load balancer is capable of a web application health check function. But for an online banking system, it does a health check on the web server front page, not on the Java server page. For example: the EntityContext interface contains the getEjbObject and getPrimaryKey methods that a bean can use to find out about the object it is associated with. The client communicates with the bean via the EJBObject. If one of the Java services has an error, maybe the load balancer health check function does not know what’s happening.

Whether there are concerns about vulnerable Java SE Embedded versions, so that tight protection was applied and caused this technical problem to occur? Or is there a software configuration problem in the web application itself?

About CVE-2022-28197: NVIDIA Jetson Linux Driver Package design weakness (26-4-2022)

Preface: Embedded AI solutions on the Linux platform: with superior performance, small size and low power consumption, they will be able to do more real-time processing in demanding environments than ever before.

Background: NVIDIA® Jetson Nano™ Developer Kit is a small, powerful computer that lets you run multiple neural networks in parallel for applications like image classification, object detection, segmentation, and speech processing. All in an easy-to-use platform that runs in as little as 5 watts.

Jetson Board Support Package
• Linux Kernel: A UNIX-like computer operating system kernel mostly used for mobile devices.
• Sample Root Filesystem derived from Ubuntu: A sample root filesystem of the Ubuntu distribution. Helps you create root filesystems for different configurations.
• Toolchain: A set of development tools chained together by stages that runs on various architectures.
• Bootloader: Boot software for initializing the system on chip.
• Sources: Source code for kernel and multimedia applications.

... more

Vulnerability details: NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cboot ext4_mount function, where insufficient validation of untrusted data may allow a highly privileged local attacker to cause an integer overflow. This difficult-to-exploit vulnerability may lead to code execution, escalation of privileges, limited denial of service, and some impact to confidentiality and integrity.

Speculation: This is an old design weakness in the kernel. Is it possible to reuse it again in this case?
An integer overflow flaw was found in the extent range checking code in the Linux kernel’s ext4 file system implementation. A local, unprivileged user with write access to an ext4-mounted file system could trigger this flaw by writing to a file at a very large file offset. The expected impact will result in a denial of service.
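To show the bug class behind both the old ext4 flaw and the Cboot description (a range check that overflows when the offset is very large), here is a constructed model added for this post, not the NVIDIA Cboot or Linux ext4 source: the naive check beside the overflow-proof one, with 32-bit unsigned arithmetic modelled explicitly. The field widths and the sample block counts are assumptions.

```python
U32_MAX = 0xFFFFFFFF

# Constructed model, not the NVIDIA Cboot or Linux ext4 source: an extent maps
# `length` blocks starting at logical block `start`, and a range check must
# confirm the extent ends inside the file system's `max_blocks`. On disk these
# are 32-bit fields, so the sum is modelled with C-style unsigned wraparound.


def u32_add(a, b):
    """Unsigned 32-bit addition as C performs it: the carry is silently lost."""
    return (a + b) & U32_MAX


def extent_in_range_naive(start, length, max_blocks):
    """Vulnerable pattern: `start + length <= max` passes when the sum wraps,
    so an extent placed at a huge offset looks small and is accepted."""
    return u32_add(start, length) <= max_blocks


def extent_in_range_safe(start, length, max_blocks):
    """Overflow-proof form: compare against `max - length` instead, so no
    intermediate value can exceed the field width."""
    if length > max_blocks:
        return False
    return start <= max_blocks - length


def check_extent(start, length, max_blocks):
    """Return (naive_verdict, safe_verdict) for a proposed extent; the two
    disagree exactly on the wrapped inputs the overflow bug lets through."""
    for v in (start, length, max_blocks):
        if not 0 <= v <= U32_MAX:
            raise ValueError("field does not fit in 32 bits")
    return (extent_in_range_naive(start, length, max_blocks),
            extent_in_range_safe(start, length, max_blocks))


if __name__ == "__main__":
    fs_blocks = 1 << 20                                  # 4 GiB at 4 KiB blocks
    print(check_extent(0, 100, fs_blocks))               # (True, True)
    print(check_extent(fs_blocks - 10, 11, fs_blocks))   # (False, False)
    # extent described from a very large offset: the sum wraps to 0x10
    print(check_extent(0xFFFFFFF0, 0x20, fs_blocks))     # (True, False)
```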

Official announcement: NVIDIA has released a software update for NVIDIA® Jetson AGX Xavier™ series, Jetson Xavier™ NX, Jetson TX1, Jetson TX2 series (including Jetson TX2 NX) in the NVIDIA JetPack™ software development kit (SDK). Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5343

Redis vulnerabilities – Lua readonly tables (CVE-2022-24736, CVE-2022-24735) – 27th April 2022

Preface: For complex data queries, do not use Redis as a database.
Big data and the new phenomenon open data are closely related but they’re not the same. Open data is information that is available to the public, regardless of its intended purpose.

Background: Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet. Redis is an in-memory database that persists on disk. It can be used as a distributed cache, which is probably its most common and popular use case, as a NoSQL database and as a message broker (pub/sub mode, similar to Kafka or RabbitMQ).

Redis EVAL command is used to evaluate scripts using the Lua interpreter. Lua lets you run part of your application logic inside Redis. Such scripts can perform conditional updates across multiple keys, possibly combining several different data types atomically. Scripts are executed in Redis by an embedded execution engine.

Vulnerability details:

(CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause a NULL pointer dereference which will result in a crash of the redis-server process. This issue affects all versions of Redis.
(CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will execute with the (potentially higher) privileges of another Redis user.

Ref: This type of vulnerability (known as CWE-94) occurs when a developer uses the Lua loadstring() function and passes it untrusted data that an attacker can modify. The loadstring() function will compile the code and return a function that when called has the same effect as executing the string. Attackers can use this to inject arbitrary Lua code that is then executed by the web application.

Several weaknesses of these measures have been publicly known for a long time.

Official announcement: Please refer to the link for details – https://github.com/redis/redis/pull/10651

Remedy: The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to SCRIPT LOAD and EVAL commands using ACL rules.
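The workaround only helps if no user still has the scripting commands, and ACL rules are applied in order, so a later rule can undo an earlier one. The following audit, an added example written for this post and not code from the Redis project, parses lines in the format ACL LIST prints and reports which users can still reach EVAL, EVALSHA, SCRIPT and the function commands. The sample ACL lines are constructed, and the category membership is assumed from ACL CAT output.

```python
# Constructed example, not code from the Redis project: parse the lines that
# `ACL LIST` prints and report which users can still reach the Lua entry points,
# so the advisory's workaround (block SCRIPT LOAD and EVAL by ACL rule when Lua
# scripting is unused) can be checked rather than assumed.
SCRIPTING_CMDS = {"eval", "evalsha", "script", "function", "fcall"}
# Categories that include those commands; membership taken from ACL CAT output
# (@slow assumed to contain them as well).
CATEGORIES = {"all": SCRIPTING_CMDS, "scripting": SCRIPTING_CMDS, "slow": SCRIPTING_CMDS}


def scripting_allowed(acl_line):
    """Apply the rule tokens left to right, as Redis does (later rules override
    earlier ones), and return (user, scripting commands the user may call)."""
    tokens = acl_line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError("not an ACL LIST line: %r" % acl_line)
    name, rules = tokens[1], tokens[2:]
    allowed = set()
    for tok in rules:
        if tok in ("allcommands", "+@all"):
            allowed |= SCRIPTING_CMDS
        elif tok in ("nocommands", "-@all"):
            allowed.clear()
        elif tok.startswith("+@"):
            allowed |= CATEGORIES.get(tok[2:], set())
        elif tok.startswith("-@"):
            allowed -= CATEGORIES.get(tok[2:], set())
        elif tok.startswith("+"):                 # +eval or +script|load
            cmd = tok[1:].split("|", 1)[0]
            if cmd in SCRIPTING_CMDS:
                allowed.add(cmd)
        elif tok.startswith("-"):
            allowed.discard(tok[1:].split("|", 1)[0])
    # key patterns (~), channels (&), passwords (>, #) and nopass grant no commands;
    # a user that is 'off' cannot authenticate at all
    return name, (allowed if "on" in rules else set())


def audit(acl_lines):
    """Return {user: sorted scripting commands} for users that still have any."""
    report = {}
    for line in acl_lines:
        name, cmds = scripting_allowed(line)
        if cmds:
            report[name] = sorted(cmds)
    return report


def remediation(user):
    """The ACL change that removes Lua access for a user that does not need it."""
    return "ACL SETUSER %s -@scripting" % user


# Constructed sample of ACL LIST output; password hashes replaced by placeholders.
SAMPLE_ACL_LIST = [
    "user default on nopass ~* &* +@all",
    "user cache-app on #<sha256-placeholder> ~cache:* &* -@all +@read +@write",
    "user batch on #<sha256-placeholder> ~* &* +@all -@scripting",
    "user legacy on #<sha256-placeholder> ~* &* +@all -@scripting +eval",
    "user retired off nopass ~* &* +@all",
]

if __name__ == "__main__":
    for user, cmds in audit(SAMPLE_ACL_LIST).items():
        print(user, cmds, "->", remediation(user))
```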

Big data perspective, CVE-2022-24706: Apache CouchDB Remote Privilege Escalation (26th April 2022)

Preface: NoSQL is used for Big data and real-time web apps. Perhaps if you can manage big data, you can rule the AI zone in future.

Background: NoSQL is used for Big data and real-time web apps. For example, companies like Twitter, Facebook and Google collect terabytes of user data every single day. There are many indexing data structures used in NoSQL databases. For example: B-Tree indexing, T-Tree indexing, and O2-Tree indexing...

Apache CouchDB is an open source repository that is a file-oriented NoSQL database using JSON as the storage format, JavaScript as the query language, and MapReduce and HTTP as the API. CouchDB accepts queries via a RESTful HTTP API, while MongoDB uses its own query language. CouchDB is written in Erlang. It uses JSON to store data.

Vulnerability details: In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.

  1. CouchDB opens a random network port, bound to all available interfaces in anticipation of clustered operation and/or runtime introspection. A utility process called epmd advertises that random port to the network.
    Remark: epmd itself listens on a fixed port.
  2. CouchDB packaging previously chose a default cookie value for single-node as well as clustered installations. That cookie authenticates any communication between Erlang nodes.

Workaround: The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.

Remediation: Upgrade to version 3.2.2.

Details: CouchDB 3.2.2 and onwards will refuse to start with the former default Erlang cookie value of monster. Installations that upgrade to these versions are forced to choose a different value.

In addition, all binary packages have been updated to bind epmd as well as the CouchDB distribution port to 127.0.0.1 and/or ::1 respectively.

Please refer to the link for details – https://www.openwall.com/lists/oss-security/2022/04/26/1
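For an existing installation, the two conditions above (the default cookie and Erlang ports reachable beyond loopback) can be checked from the node’s vm.args and epmd settings. The audit below is an added example for this post, not code from Apache CouchDB; it assumes the Erlang flag names -setcookie and the kernel parameter inet_dist_use_interface, the ERL_EPMD_ADDRESS environment variable for epmd, and constructed vm.args fragments.

```python
import shlex

# Constructed example, not code from Apache CouchDB: audit a CouchDB vm.args
# file (and the epmd bind address) for the two conditions the advisory names,
# the former default cookie "monster" and Erlang ports reachable beyond loopback.
# Flag names are Erlang's (assumed): -setcookie, and the kernel parameter
# inet_dist_use_interface that pins the distribution listener to one address;
# epmd's address comes from the ERL_EPMD_ADDRESS environment variable.
DEFAULT_COOKIE = "monster"
LOOPBACK_TUPLES = {"{127,0,0,1}", "{0,0,0,0,0,0,0,1}"}
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}


def parse_vm_args(text):
    """Map each flag to its value; '-kernel Name Value' becomes 'kernel Name'."""
    flags = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] == "-kernel" and len(parts) >= 3:
            flags["kernel " + parts[1]] = parts[2]
        else:
            flags[parts[0]] = parts[1] if len(parts) > 1 else ""
    return flags


def audit_vm_args(text, epmd_address=None):
    """Return a list of findings; an empty list means the checks pass."""
    flags = parse_vm_args(text)
    findings = []
    cookie = flags.get("-setcookie")
    if cookie is None:
        findings.append("no -setcookie in vm.args; cookie comes from ~/.erlang.cookie, verify it there")
    elif cookie == DEFAULT_COOKIE:
        findings.append("Erlang cookie is the former default 'monster'; any host reaching the node port can join")
    if flags.get("kernel inet_dist_use_interface") not in LOOPBACK_TUPLES:
        findings.append("distribution port not pinned to loopback (-kernel inet_dist_use_interface)")
    if epmd_address not in LOOPBACK_ADDRS:
        findings.append("epmd not bound to loopback (set ERL_EPMD_ADDRESS=127.0.0.1)")
    return findings


# Constructed vm.args fragments: a pre-3.2.2 style file and a hardened one.
WEAK_VM_ARGS = """
-name couchdb@127.0.0.1
-setcookie monster
-kernel inet_dist_listen_min 9100
-kernel inet_dist_listen_max 9100
"""
HARDENED_VM_ARGS = """
-name couchdb@127.0.0.1
-setcookie <long-random-cookie-placeholder>
-kernel inet_dist_listen_min 9100
-kernel inet_dist_listen_max 9100
-kernel inet_dist_use_interface {127,0,0,1}
"""

if __name__ == "__main__":
    print(audit_vm_args(WEAK_VM_ARGS))                                 # three findings
    print(audit_vm_args(HARDENED_VM_ARGS, epmd_address="127.0.0.1"))  # []
```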

antihackingonline.com