IoT, Potential Risk of CVE

CVE-2024-38920: Use-after-free issue related to the humble version of Open Robotics Robot Operating System 2 (ROS2) and Nav2 (6 Dec 2024)

Leave a comment

Preface: Use-after-free (UAF) vulnerabilities are a class of software flaws that involve using a memory resident object after it has been freed. UAF vulnerabilities most commonly occur when a C++ object that was allocated on the heap is accessed after it is deleted, but stack-allocated objects can also be used after a free.

Background: The Robot Operating System (ROS) is a set of software libraries and tools for building robot applications. From drivers and state-of-the-art algorithms to powerful developer tools, ROS has the open source tools you need for your next robotics project.

Since ROS was started in 2007, a lot has changed in the robotics and ROS community. The goal of the ROS 2 project is to adapt to these changes, leveraging what is great about ROS 1 and improving what isn’t.

The base unit in ROS is called a node. Nodes are in charge of handling devices or computing algorithms – each node for a separate task. Nodes can communicate with each other using topics or services. ROS software is distributed in packages. A single package is usually developed for performing one type of task and can contain one or multiple nodes.

Vulnerability details: Open Robotics Robotic Operating System 2 (ROS2) and Nav2 humble versions were discovered to contain a use-after-free via the nav2_amcl process. This vulnerability is triggerd via remotely sending a request for change the value of dynamic-parameter`/amcl max_beams` .

Official announcement: Please see the link below for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-38920

Potential Risk of CVE

About Qualcomm CVE-2024-4304 – Stack-based Buffer Overflow in Performance (5 Dec 2024)

Leave a comment

Preface: Primitive types such as `int`, `double`, `char`, and `boolean` are stored directly in stack memory. Each time you declare a primitive variable, the JVM allocates a specific size of memory for it.

Background: Returns the available average/minimum GPU headroom in percentage for last ‘duration’ seconds. The get_gpu_headroom() API is used by applications to get feedback on the historical application rendering workload to know if the workload is GPU bound on the SoC. The purpose of this API is to help provide GPU performance information for the application content and help drive the workload, and other APIs to ensure smooth and sustained UX performance (minimize frame drops, reduce UI sluggishness). The application can monitor thermal. If the mobile device is approaching thermal limits; it can further check if the workload is GPU bound to decide if reducing the GPU load helps to reduce thermal status (<= LIGHT) and hence improve sustained performance.

Vulnerability details: Memory corruption when invalid input is passed to invoke GPU Headroom API call.

Remark: A stackbased buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack.

Official announcement: Please see the link below for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-43048

Potential Risk of CVE

About Qualcomm – CVE-2024-33056 Buffer Over-read in MProc (4th Dec 2024)

Leave a comment

Preface: What is a buffer over-read? The opposite of a buffer overflow is a buffer overread. In this case, the program requests data from outside the buffer. Because data read from outside the buffer is irrelevant to the program, it may cause the program to crash or behave unexpectedly.

Background: Qualcomm SoC chips are divided into 4 layers, including EL3, EL2, EL1 and EL0. Both EL3 and EL2 are handled by Qualcomm. However, EL 1 is divided into two regions. The Linux core is open source. The remaining non-secure and secure areas will be the responsibility of Qualcomm. The upper level (ELO) is the developer application area (Except the secure area).

Vulnerability details: Memory corruption when allocating and accessing an entry in an SMEM partition continuously.

Remark: The MProc component located inside the kernel is responsible for managing inter-processor communication.

Official announcement: Please see the link below for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-33056

Potential Risk of CVE

About Qualcomm – CVE-2024-33044 (3 Dec 2024)

Leave a comment

Preface: The Qualcomm Hypervisor provides a modern virtualization framework that allows multiple operating systems to run independently and concurrently, delivering high performance. The Qualcomm Type 1 Hypervisor facilitates the hosting of multiple trusted execution environments for secure use cases.

Background: On some Qualcomm platforms, the hypervisor emulates more than 128 SMR (Stream Matching Register) groups. This doesn’t conform to the ARM SMMU architecture specification which defines the range of 0-127. Moreover, the emulated groups don’t exhibit the same behavior as the architecture supported ones.

For instance, emulated groups will not detect the quirky behavior of some firmware versions intercepting writes to S2CR register, thus skipping the quirk implemented in the driver and causing boot crash.

Vulnerability details: Memory corruption while Configuring the SMR/S2CR register in Bypass mode.

Official announcement: Please see the link below for details –

https://www.tenable.com/cve/CVE-2024-33044

Potential Risk of CVE

About CVE-2024-43703 from Imaginetech (2Dec 2024)

Leave a comment

Preface: Preface: Imagination Technologies Group Limited is a British semiconductor and software design company owned by Canyon Bridge Capital Partners, a private equity fund based in Beijing that is ultimately owned by the Chinese government. With its global headquarters in Kings Langley, England, its primary business is in the design of PowerVR mobile graphics processors (GPUs), neural network accelerators for AI processing, and networking routers. The company was listed on the London Stock Exchange until it was acquired by Canyon Bridge in November 2017.

Background: Why system calls are needed to set up shared memory between two processes?

To share memory between two processes, the MMU must be modified. That’s privileged – you can’t let a process just help itself to whatever memory it wants! Being privileged means the kernel is involved, hence system calls.

Remark: A memory management unit (MMU), sometimes called paged memory management unit (PMMU), is a computer hardware unit that examines all memory references on the memory bus, translating these requests, known as virtual memory addresses, into physical addresses in main memory.

Vulnerability details: Software installed and run as a non-privileged user may conduct improper GPU system calls to achieve unauthorised reads and writes of physical memory from the GPU HW.

Official announcement: Please see the link below for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-43703

Potential Risk of CVE

CVE-2023-52922 : Fix Use-After-Free in bcm_proc_show()  (29 Nov 2024)

Leave a comment

Preface: A zero-day exploit targeting a use-after-free (UAF) vulnerability in the Linux Kernel. Staying Alert!

Slabuseafterfree vulnerabilities occur when memory that’s been previously freed is accessed again, often leading to unpredictable behavior or system crashes. KernelAddressSANitizer (KASAN) is a dynamic memory error detector designed to find out-of-bound and useafterfree bugs.

Background: The Controller Area Network (CAN bus) is a message-based protocol designed to allow the Electronic Control Units (ECUs) found in today’s automobiles, as well as other devices, to communicate with each other in a reliable, priority-driven fashion.

The Broadcast Manager protocol provides a command based configuration interface to filter and send (e.g. cyclic) CAN messages in kernel space. Filtering messages in kernel space may significantly reduce the load in an application. A BCM socket is not intended for sending individual CAN frames.

Vulnerability details: KernelAddressSANitizer (KASAN) is a dynamic memory error detector. It provides a fast and comprehensive solution for finding use-after-free and out-of-bounds bugs.

BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 Read of size 8 at addr ffff888155846230 by task cat/7862.

Please refer to the official announcement for details

Official announcement: Please see the link below for details –

https://nvd.nist.gov/vuln/detail/CVE-2023-52922

AI and ML, Potential Risk of CVE

CVE-2024-0139 – NVIDIA Base Command Manager and Bright Cluster Manager for Linux contain an insecure temporary file vulnerability (28 Nov 2024)

Leave a comment

Preface: Nvidia acquires Bright Computing, maker of Bright Cluster Manager software that controls the configuration of clustered HPC systems, including Nvidia’s own DGX servers and HGX systems manufactured by OEMs and ODMs, as well as clusters from other manufacturers.

Background: NVIDIA Base Command Manager provides cluster management software for streamlining cluster provisioning, workload management, and infrastructure monitoring. It provides all the tools for deploying and managing an AI data center.

Note: Base Command Manager 10 is licensed on a per-GPU base. This differs from the node-base licensing model of Bright Cluster Manager. Customers with active support subscriptions using Bright Cluster Manager 9.2 and earlier can upgrade to Base Command Manager 10 by exchanging their current licenses for GPU-based Base Command Manager 10 licenses at no cost.

Slurm is an open source, fault-tolerant, and highly scalable cluster management and job scheduling system for large and small Linux clusters. SLURM is a vital component of a parallel computer for executing parallel jobs. It simplifies the job execution by hiding all the complexities.

Vulnerability details: NVIDIA Base Command Manager and Bright Cluster Manager for Linux contain an insecure temporary file vulnerability. A successful exploit of this vulnerability might lead to denial of service.

Official announcement: Please see the link below for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5600

AI and ML, Potential Risk of CVE

CVE-2024-0130: About design weakness on NVIDIA UFM Enterprise, UFM Appliance, and UFM CyberAI (27 Nov 2024)

Leave a comment

Preface: Artificial intelligence penetrates into different industries. Perhaps the expansion of some HPC supercomputers is not limited to regions. They can be run on a blockchain network to build a matrix.

Background: In today’s high-performance computing (HPC) landscape, network interconnect technology is essential in linking compute nodes to ensure efficient data transfer. Among the interconnect technologies, NVIDIA’s NVLink and InfiniBand stand offers diverse advantages for specific use cases.

UFM (Unified Fabric Manager) Server is a server on which UFM is installed and has complete visibility over the fabric to manage routing on all devices.

NVIDIA® UFM® Cyber-AI is packaged in a tar le. The tar le consists of several docker images and an installation script. The script will load the docker images and create a UFM Cyber-AI service. UFM Cyber-AI should be installed on UFM Cyber-AI appliance.

In addition to the REST API used for Cyber AI management, Cyber AI software provides several command-line tools (CLI) for managing the Cyber AI system.

Vulnerability details: NVIDIA UFM Enterprise, UFM Appliance, and UFM CyberAI contain a vulnerability where an attacker can cause an improper authentication issue by sending a malformed request through the Ethernet management interface. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, denial of service, and information disclosure.

Official announcement: Please see the link below for details –

https://nvidia.custhelp.com/app/answers/detail/a_id/5584

Network (Protocol, Topology & Standard), Potential Risk of CVE

CVE-2024-52811 : Fix heap buffer overflow writing not validated ACK to qlog (25 Nov 2024)

Leave a comment

Preface: Most of Google’s traffic already goes through QUIC. Several other well-known companies have also begun developing their own implementations, such as Microsoft, Facebook, CloudFlare, Mozilla, Apple, Akamai,…etc

Background: By combining the best of TCP and UDP, along with encryption and better handling of modern network conditions, QUIC is set to become the foundation of faster, more secure, and more reliable internet experiences. ngtcp2 project is an effort to implement RFC9000 QUIC protocol.

Vulnerability details: The ngtcp2 project is an effort to implement IETF QUIC protocol in C. In affected versions acks are not validated before being written to the qlog leading to a buffer overflow.

In `ngtcp2_conn::conn_recv_pkt` for an ACK, there was new logic that got added to skip `conn_recv_ack` if an ack has already been processed in the payload. However, this causes us to also skip `ngtcp2_pkt_validate_ack`. The ack which was skipped still got written to qlog.

The bug occurs in `ngtcp2_qlog::write_ack_frame`. It is now possible to reach this code with an invalid ack, suppose `largest_ack=0` and `first_ack_range=15`. Subtracting `largest_ack – first_ack_range` will lead to an integer underflow which is 20 chars long. However, the ngtcp2 qlog code assumes the number written is a signed integer and only accounts for 19 characters of overhead (see `NGTCP2_QLOG_ACK_FRAME_RANGE_OVERHEAD`).

Therefore, we overwrite the buffer causing a heap overflow. This is high priority and could potentially impact many users if they enable qlog.

Remark: qlog is disabled by default. Due to its overhead, it is most likely used for debugging purpose, but the actual use is unknown.

Remedy: ngtcp2 v1.9.1 fixes the bug and users are advised to upgrade. Users unable to upgrade should not turn on qlog.

Official announcement: Please see the link below for details – https://nvd.nist.gov/vuln/detail/CVE-2024-52811

AI and ML, Potential Risk of CVE

CVE-2024-11393 – Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability (25 Nov 2024)

Leave a comment

Preface: What is the difference between Hugging Face and transformers?

Transformers is a library that contains various state-of-the-art machine learning models, as well as a Trainer API which can be used to train models. Huggingface_hub is a library to programmatically integrate with the hub.

Backgound: Masks are often used in segmentation tasks, where they provide a precise way to isolate the object of interest for further processing or analysis.

MaskFormer is based on the DETR architecture, which uses a transformer decoder to predict masks for each object in an image. MaskFormer has been shown to be effective for both semantic segmentation and panoptic segmentation. However, it has not been as successful for instance segmentation.

Vulnerability details: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files.

Official announcement: Please see the link below for details – https://nvd.nist.gov/vuln/detail/CVE-2024-11393

antihackingonline.com