IoT, Potential Risk of CVE

CVE-2023-34868 – JerryScript Design weakness (15th June 2023)

Leave a comment

Preface: Samsung said that Open Source is not only the development method also a culture and various things. Samsung always keep in mind to give back to Open Source through their activities. They are partake in the culture of sharing and collaboration with the list of projects they have released and contributed to.

Background: The IoT.js platform uses JerryScript to run JavaScript code and libuv for asynchronous I/O, and enables developers to create IoT services that communicate with each other and the outside world.
JerryScript is a very lightweight JavaScript engine with capability to run on microcontrollers with less than 8KB of RAM.

Vulnerability details:
CVE-2023-34868 – Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an Assertion Failure via the parser_parse_for_statement_start at jerry-core[/]parser[/]js[/]js-parser-statm[.]c.
My Predcit Consequence: The possibility of triggering an assertion failure, which could cause the BIND process to terminate.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-34868

In addition there is another one.
CVE-2023-34867 – Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an Assertion Failure via the ecma_property_hashmap_create at jerry-core[/]ecma[/]base[/]ecma-property-hashmap[.]c.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-34867

Potential Risk of CVE

CVE-2023-33142 – Does it target a similar issue? (14th June 2023)

Leave a comment

Preface: Each SharePoint site comes with default groups and permissions.There are several options when it comes to managing permissions in SharePoint.
But you should be aware somethings!

Background: Default Permissions in SharePoint. By default, all SharePoint sites are created with the three security groups below:
• Owners – Have full control over the site
• Members – Can add and edit the content (files, lists, etc) on the site
• Visitors – Can only read
What are the levels of SharePoint site? The default permission levels are Limited Access, Read, Contribute, Design, and Full Control.
SharePoint Server permission levels are defined at the site collection level and are inherited from the parent object by default.

Vulnerability details: CVE-2023-33142 – Microsoft SharePoint Server Elevation of Privilege Vulnerability.
Since Microsoft did not release the technical details. See whether this vulnerability (CVE-2023-33142) will have similarity with attached diagram description?

Official announcement: For details, please refer to the link – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33142

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

About CVE-2023-21656, Penguin (Linux) also want to ask question to chips vendor (13th June 2023)

Leave a comment

Preface: The Out-of-Band vulnerabilities, also known as OOB, are a series of alternative ways that an attacker uses to exploit a vulnerability that can’t be detected by a traditional request-response interaction.

Background: Qualcomm Technologies offers industry leading platforms for wireless networks and products that cover the gamut of device needs. The file (wma_mgmt[.]c) contains STA/SAP/IBSS and protocol related functions.
Ref:
The Independent Basic Service Set (IBSS) is a simple and flexible wireless network configuration designed for situations where there is no centralized access point or other infrastructure in place. It operates by forming an ad hoc, self-contained network with station-to-station traffic flowing directly between devices. This makes IBSS networks effortless to set up and ideal for small groups of users who need a temporary, wireless means of communication without having to rely on any external hardware.

Vulnerability details: CVE-2023-21656 Memory corruption in WLAN HOST while receiving an WMI event from firmware.

Official Announcement: Please see the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2023-bulletin.html

Potential Risk of CVE, Under our observation

CVE-2023-27997 Lack of detail, but can we find hints? (12th June 2023)

Leave a comment

Preface: If you need to push audio/video traffic over the tunnel DTLS can be a huge performance improvement.

Background: Preferred DTLS Tunnel
If enabled, FortiClient uses DTLS if it is enabled on the FortiGate and tunnel establishment is successful. If not enabled on the FortiGate or tunnel establishment does not succeed, TLS is used. DTLS tunnel uses UDP instead of TCP and can increase throughput over VPN.
When disabled, FortiClient uses TLS, even if DTLS is enabled on FortiGate.

Vulnerability details: Fortinet has released firmware updates their pre-authentication remote code execution vulnerability in SSL VPN devices.
The security fixes were released on Friday in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5.

Details of the vulnerability displayed above: Please refer to the bleepingcomputer – https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaw-in-fortigate-ssl-vpn-devices-patch-now/

My observation: Since no details provided by vendor. So, my assumptions can be find in attached diagram.

Potential Risk of CVE

About CVE-2023-21632: Flaw has been fixed. For reference only (12th June 2023)

Leave a comment

Preface: Google (Android) and Qualcomm pioneer empower the infotainment and connectivity processors for automotive. As times goes by, when you jump to driver seat, a multifucntion dsahboard can provide functions to you.
In-car entertainment or in-vehicle infotainment systems are large touch screens usually positioned on a vehicle’s dashboard or on the back of seats.

Background: The S820Am Snapdragon processor includes four Kryo™ CPUs, a Qualcomm® Adreno™ 530 GPU and high-performance Hexagon™ 680 DSP. The ADP features rich connectivity through the X12 LTE modem, and 802.11a/b/g/n/ac, Bluetooth 4.1 and GNSS, Glonass, BDS, Galileo. The ADP supports multiple camera sensors and 4K display outputs.

Vulnerability details: Memory corruption in Automotive GPU while querying a gsl memory node.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-21632

AI and ML, Application Development, Potential Risk of CVE

CVE-2023-29403: Are you falling into this Go runtime design weakness? (9th June 2023)

Leave a comment

Preface: Go is garbage collected instead of manual memory management which is not suitable for a kernel.
Golang is useful for carrying out programming for scalable servers and large software systems. The Golang programming language was built to fill in the gaps of C++ and Java that Google came across while working with its servers and distributed systems.

Background: Go does have an extensive library, called the runtime, that is part of every Go program. The runtime library implements garbage collection, concurrency, stack management, and other critical features of the Go language.
The Go scheduler is part of the Go runtime, and the Go runtime is built into your application. This means the Go scheduler runs in user space, above the kernel.
For Go to “call the kernel directly” can exploit so-called ABI of the H/W and OS combo. For example: On linux, making a syscall requires filling a set of CPU registers with certain values, doing some other arrangements and then issuing the SYSENTER CPU instruction.
The 64-bit x86 Linux ABI supports the following entry points:

  • SYSCALL from 64-bit code;
  • interrupt 0x80 from 32- and 64-bit code;
  • SYSENTER from 32-bit code.

Vulnerability details: On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.

Official announcement: For details, please refer to the link- https://pkg.go.dev/vuln/GO-2023-1840

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

More details, CVE-2023-0266 vulnerability is widely exploited (8th June 2023)

Leave a comment

Preface: The Advanced Linux Sound Architecture (ALSA) provides kernel driven sound card drivers.
Besides the sound device drivers, ALSA also bundles a user space driven library for application developers. This enables direct (kernel) interaction with sound devices through ALSA libraries.

Background: Exynos, formerly Hummingbird, is a series of ARM-based system-on-chips developed by Samsung Electronics’ System LSI division and manufactured by Samsung Foundry.

Conceptual example – SoC installation instruction

  1. Install X-windows packages
    % sudo zypper install libXext6 libX11-6 libXrender1 libXtst6 libXi6 libgtk-2_0-0 tar
  2. Set your DISPLAY environment variable
    % setenv DISPLAY localhost:0
  3. navigate to the SoC installer file location
  4. Run the installer
    % [.]/xxxx_SoC_v2023[.]2[.]bin
  5. Follow on screen instructions.
  6. Click Finish. It is now ready to use.

Vulnerability details: A use after free vulnerability exists in the ALSA PCM package in the Linux Kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a priviledge escalation to gain ring0 access from the system user.

Solution: Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.
For details, please refer to link – https://security.samsungmobile.com/securityUpdate.smsb

Official announcement: For details, please refer to the following links
https://nvd.nist.gov/vuln/detail/CVE-2023-0266
https://www.hkcert.org/tc/security-bulletin/samsung-products-multiple-vulnerabilities_20230607

Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

About Qualcomm: The vulnerability of CVE-2022-40507 release to public on 06/06/2023 finally.

Leave a comment

Preface: Double free errors occur when free() is called more than once with the same memory address as an argument. Calling free() twice on the same value can lead to memory leak. When a program calls free() twice with the same argument, the program’s memory management data structures become corrupted and could allow a malicious user to write values in arbitrary memory spaces.


Background: SnapDragon has different processors runn on top of SOC (see below):
Krait CPU — General purpose processor that usually runs android applications.
Adreno GPU — This is largely used for graphics processing like rendering.
Hexagon DSP — Hexagon specially designed for multi-media acceleration, this helps CPU to offload the task to DSP and save energy and thereby offering optimum performance.


Vulnerability details: Memory corruption due to double free in Core while mapping HLOS address to the list.

The vulnerability release to public on 06/06/2023. The announcement can be read at qualcomm.com – https://www.qualcomm.com/company/product-security/bulletins/june-2023-bulletin
This vulnerability has been identified as CVE-2022-40507 since 09/12/2022. The vendor did not release technical details.

How to observe memory allocation in Linux kernel?
Generate the skeleton for the task named 1-mem and browse the contents of the mem[.]c file. Observe the use of kmalloc() call for memory allocation.

  1. Compile the source code and load the mem[.]ko module using insmod.
  2. View the kernel messages using the dmesg command.
  3. Unload the kernel module using the rmmod mem command.
Potential Risk of CVE

Regarding CVE-2023-3111: Fixed a functional bug that could affect Linux in Docker. (June 6, 2023)

Leave a comment

Preface: Use-After-Free (UAF) is a vulnerability related to incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program.

Background: Btrfs provides a clone operation that atomically creates a copy-on-write snapshot of a file. Such cloned files are sometimes referred to as reflinks, in light of the proposed associated Linux kernel system call.
Subvolumes allow for the partitioning of a Btrfs filesystem into separate sub-filesystems. Therefore, you can mount subvolumes from a Btrfs filesystem as if they were independent filesystems.

Vulnerability details: A use after free vulnerability was found in prepare_to_relocate in fs/btrfs/relocation[.]c in btrfs in the Linux Kernel. This possible flaw can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag().

Solution: To fix this possible bug, in prepare_to_relocate(), an if statement is added to check whether btrfs_commit_transaction() fails. If the  failure occurs, unset_reloc_control() is called to set > fs_info->reloc_ctl to NULL.

Official details: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-3111

Potential Risk of CVE, System, Under our observation, Virus & Malware

About CVE-2023-29345 and CVE-2023-33143, Microsoft released Security Updated of the Chromium project (6th June 2023)

Leave a comment

Preface: Windows has traditionally run on machines that are powered by x86 / x64 processors. Windows 11 adds the capability to run unmodified x64 Windows apps on Arm devices! This capability to run x86 & x64 apps on Arm devices gives end-users confidence that the majority of their existing apps & tools will run well even on new Arm-powered devices. For the best of result, it can exploit Arm-native Windows apps theoretically, as a result, developers cope with trend , thus built or port Arm-native Windows apps.


Background: Codenamed “Anaheim”, on December 6, 2018, Microsoft announced its intent to base Edge on the Chromium source code, using the same browser engine as Google Chrome but with enhancements developed by Microsoft. The new Microsoft Edge (Chromium) is built on the same underlying technology as Google Chrome. During the Ignite 2021 conference, Microsoft revealed plans to align the codebase of the Edge browser on all supported platforms.


Vulnerability details:
CVE-2023-29345 Microsoft Edge Remote Code Execution – A vulnerability was found in Microsoft Edge (Web Browser) (version unknown).
CVE-2023-33143 – Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
For details, please refer to the link – https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security

antihackingonline.com