Closer look CVE-2022-42331: x86 speculative vulnerability in 32bit SYSCALL path (26th Mar 2023)

Preface: Meltdown is a speculative-execution vulnerability that lets an unprivileged process read memory it has no right to access, including kernel memory, and in the hypervisor case memory belonging to other guests.

Background: The Xen Project is a free and open source type-1 (bare-metal) hypervisor that lets one computer run several operating systems at the same time on the same hardware. A type-1 hypervisor runs directly on the physical hardware, driving the CPU, memory and storage itself, which is why it is also called a bare-metal hypervisor; it takes the place of a host operating system.
The advantages of type-1 hypervisors are performance and security. Performance is high because the hypervisor has direct access to the hardware, and the attack surface is smaller than with a type-2 hypervisor because there is no host operating system layered between the hypervisor and the hardware.

Vulnerability details: Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entry path performs its speculation-safety actions too late.
In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks.

Impact: An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests.

Affected system: Xen versions 4.5 through 4.17 are vulnerable. Older versions are not vulnerable.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2022-42331

Your first quantum program (24th Mar 2023)

Preface: How much does even a small quantum computer cost? A commercial machine such as the D-Wave One (50 qubits) sold for about $10,000,000. D-Wave systems use a process called quantum annealing to search for solutions to a problem.

Background: The Microsoft Quantum Development Kit supports quantum application development on hardware-accelerated compute resources: you write quantum algorithms and formulate optimization problems that can feed AI work. This may be a prelude to a scalable quantum computer in the future. Quantum computers have great potential for processing the large datasets used in AI experiments, and quantum techniques that analyze data sets faster are expected to drive advances in fields such as machine learning.
Because quantum computers are fundamentally different from classical computers, the conventional techniques used to communicate electronic information do not directly translate to quantum devices.

Suggestion:
Learn quantum programming (the Q# programming language) with the Microsoft Quantum Development Kit. Programs can be run on a simulator through APIs for the .NET ecosystem and Python.

The Quantum Development Kit (SDK) contains the following basic components:

  • The Q# programming language (pronounced like Q-Sharp)
    Remark: The Q# development tools are built on the Microsoft .NET ecosystem, so the matching version of the .NET Software Development Kit (the .NET SDK) must be installed.
  • APIs for quantum computing simulation using the .NET ecosystem and/or Python
  • Tools to develop and simulate quantum programs from command-line tools, Visual Studio Code, or Microsoft Visual Studio

Please refer to this link for details- https://azure.microsoft.com/en-us/resources/development-kit/quantum-computing/#overview

Linux kernel BUG: About hugetlb[.]c in mm folder (22nd Mar 2023)

Preface: Enabling HugePages lets the operating system use memory pages larger than the default (usually 4 KB). Very large page sizes can improve system performance because far fewer page table entries (and TLB entries) are needed to map the same amount of memory.

Background: On Red Hat Enterprise Linux systems it is recommended to configure HugeTLB pages so that JBoss EAP processes are guaranteed access to large pages.
Reminder: Activating large pages for JBoss EAP JVMs results in pages that are locked in memory and cannot be swapped to disk like regular memory.

Ref: HugeTLB boot command-line parameter semantics. hugepagesz specifies a huge page size; it is used together with the hugepages parameter to preallocate a number of huge pages of that size. Hence hugepagesz and hugepages are typically specified in pairs, for example: hugepagesz=2M hugepages=512.
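The check a practitioner wants after setting those boot parameters is whether the kernel really preallocated the pool. The following is an added example written for this note (not kernel or Red Hat code): it parses the hugepagesz=/hugepages= pairs from a kernel command line using the semantics quoted above and the HugePages_* counters from /proc/meminfo, then compares the two. The sample command line and meminfo text are constructed so the script runs offline; check_live() applies the same logic to the running system.

```python
"""Check that the huge page pool matches the hugepagesz=/hugepages= boot parameters.

Added example for this note, not kernel or Red Hat code. Sample inputs are constructed.
"""
import re

KIB = {"K": 1, "M": 1024, "G": 1024 * 1024}

# Constructed sample: hugepagesz=2M hugepages=512, as in the reference above
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro hugepagesz=2M hugepages=512 quiet"
SAMPLE_MEMINFO = """MemTotal:       16319000 kB
MemFree:         4120312 kB
HugePages_Total:     512
HugePages_Free:      512
HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 kB
Hugetlb:         1048576 kB
"""


def parse_hugepage_params(cmdline):
    """Return {size_kib: count} from hugepagesz=/hugepages= pairs.

    A hugepages= value applies to the hugepagesz= that precedes it; a bare
    hugepages= refers to the default huge page size (stored under key None).
    """
    pool = {}
    current = None
    for tok in cmdline.split():
        if tok.startswith("hugepagesz="):
            m = re.fullmatch(r"hugepagesz=(\d+)([KMG])", tok, re.I)
            if not m:
                raise ValueError("bad hugepagesz value: " + tok)
            current = int(m.group(1)) * KIB[m.group(2).upper()]
        elif tok.startswith("hugepages="):
            pool[current] = int(tok.split("=", 1)[1])
    return pool


def parse_meminfo(text):
    """Return the HugePages_* counters and Hugepagesize (in KiB) from /proc/meminfo text."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"(HugePages_\w+|Hugepagesize):\s+(\d+)", line)
        if m:
            info[m.group(1)] = int(m.group(2))
    return info


def check_pool(cmdline, meminfo_text):
    """Compare the requested pool with what the kernel reports; returns (ok, message)."""
    want = parse_hugepage_params(cmdline)
    have = parse_meminfo(meminfo_text)
    size = have.get("Hugepagesize")
    total = have.get("HugePages_Total", 0)
    requested = want.get(size, want.get(None, 0))
    if total != requested:
        return False, f"requested {requested} x {size} kB, kernel preallocated {total}"
    free = have.get("HugePages_Free", 0)
    return True, f"pool ok: {total} x {size} kB, {free} free ({total * size // 1024} MiB total)"


def check_live():
    """Run the same check against the running system (Linux only)."""
    with open("/proc/cmdline") as f, open("/proc/meminfo") as g:
        return check_pool(f.read(), g.read())


if __name__ == "__main__":
    print(check_pool(SAMPLE_CMDLINE, SAMPLE_MEMINFO))
```

A pool that is smaller than requested usually means the kernel could not find enough contiguous memory at boot (or the parameters were put after the wrong hugepagesz=); HugePages_Free much lower than HugePages_Total while the JVM is down means something else is holding the locked pages.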

Design weakness: The special hugetlb routine called at fork took care of the structure updates at fork time. However, VMA splitting is not properly handled for IPC shared memory mappings backed by hugetlb pages. This can result in a "kernel NULL pointer dereference" BUG or a use-after-free, because two VMAs end up pointing to the same lock structure.

Solution: Update the shm open and close routines to always call the underlying open and close routines.
For Fedora 36 (the fc36 kernel packages), update the kernel from 6.1.18-100.fc36 to 6.2.7-1000.fc36.

Technical reference: A subroutine IOBUFSET is provided to carve an arbitrarily sized storage area into perforated buffer blocks with space for 132 data bytes. The beginning and ending addresses of the buffer storage area are specified to IOBUFSET in the A- and B-registers, respectively.

Sometimes cyber security incidents are caused by JavaScript. What type of JavaScript is claimed to be dangerous? (22nd Mar 2023)

Preface: Vanilla JS (plain JavaScript without any additional library) is faster than the frameworks built on top of it; its proponents claim it responds better than any front-end framework and renders UI up to 30 times faster than React, and in vanilla JavaScript handling UI state is simple. React is a free and open source front-end JavaScript library for building user interfaces from UI components. It is maintained by Meta and a community of individual developers and companies, and can be the basis for single-page, mobile or server-side rendered applications with frameworks such as Next[.]js.

Background: Client-side JavaScript is a necessity for any business building dynamic web pages or websites that use a single-page application (SPA) architecture.
Over roughly the last twelve years, web frontend development has advanced a lot. To exploit the Model-View-Controller (MVC) architecture, the frontend is treated as a separate entity that talks to the backend only through a REST API (preferably REST over JSON).
The flow of an SPA (single-page application) is as follows:

  • Request the HTML template/s to the browser in one single go.
  • Then, query the JSON REST API to fill a model (data object).
  • Adjust the UI according to the data in the model (JSON).
  • When users modify the UI, the model (data object) should change automatically; in AngularJS this is done with two-way data binding. Finally, make REST API calls to notify the server about the changes whenever appropriate.

Suggestion: Refer to the picture: Examples A and B each have their own advantages. Developers may overlook cyber security awareness when they keep things simple and use Vanilla JS, but plain JavaScript carries the same risk as any client-side code: everything shipped to the browser is viewable and modifiable by the user. So the most significant disadvantage of a vanilla script is client-side security: any secret, validation rule or authorization decision that lives only in the client can be read and bypassed, and the server must enforce it again.
Remark: "Vanilla script" refers to pure JavaScript without any additional library.
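Because the bundle is readable by anyone who loads the page, the practical check is to scan what you ship for material that should never have left the server. The following is an added example written for this note, not code from the post or from any framework: a small heuristic scanner over a JavaScript bundle that flags hard-coded credentials, admin-only endpoints and role checks made in the client. The sample bundle and the credential values in it are constructed (not real keys), and the patterns are illustrative, so treat hits as leads for review rather than proof.

```python
"""Scan a shipped JavaScript bundle for material that must not be client-side.

Added example for this note, not part of the original post. Sample bundle and
patterns are constructed for illustration; values are fake.
"""
import re

# Constructed sample of what a bundle can leak
SAMPLE_BUNDLE = r"""
const API = "https://api.example.test";
const apiKey = "sk_live_4eC39HqLyjWDarjtT1zdp7dc";           // hard-coded credential
const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";                      // AWS access key id
function isAdmin(user) { return user.role === "admin"; }       // trust decision in client
async function deleteUser(id) {
  return fetch(`${API}/admin/users/${id}`, { method: "DELETE" });
}
"""

PATTERNS = {
    # AWS access key ids have a fixed prefix and length
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # apiKey / api_key / secret / token assigned a long literal
    "generic_api_key": re.compile(r"""(?i)\b(api[_-]?key|secret|token)\s*[:=]\s*["']([^"']{16,})["']"""),
    # three base64url segments starting with eyJ ({"...)
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # privileged REST paths the client knows about
    "admin_endpoint": re.compile(r"""["'`][^"'`\n]*/admin/[^"'`\n]*["'`]"""),
    # authorization decided in the browser
    "client_side_role_check": re.compile(r"""\.role\s*===?\s*["']admin["']"""),
}


def scan_bundle(source):
    """Return a list of (line_no, finding_type, matched_text) for every pattern hit."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((no, name, m.group(0)))
    return findings


def summarize(findings):
    """Count findings per type; a non-empty result means the bundle needs review."""
    counts = {}
    for _, name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for no, name, text in scan_bundle(SAMPLE_BUNDLE):
        print(f"line {no}: {name}: {text}")
```

Run it against the built, minified output (what the browser actually receives), not only the source tree: build steps and environment variable substitution are a common way secrets end up in a bundle.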

CVE-2023-28425 : About Redis (20th Mar 2023)

Preface: The word database suggests a large volume of data: a structured set of data held in a computer, accessible in various ways. One design transformation is to bring the data that will actually be used into memory, because direct memory access is far faster than disk access. This is one of the modern strategies in big data analytics design.

Background: Running in-memory means requests for data do not require a trip to disk.

  • What memory does Redis use? An empty instance uses ~ 3MB of memory. 1 Million small Keys -> String Value pairs use ~ 85MB of memory. 1 Million Keys -> Hash value, representing an object with 5 fields, use ~ 160 MB of memory.
    In Ubuntu and other Linux distributions, the Redis database directory is /var/lib/redis .

Vulnerability details: The vulnerability is a reachable assertion in the handling of the MSETNX command. An authenticated remote attacker can send a specially crafted MSETNX command and cause a denial of service (DoS).
Redis versions from 7.0.8 up to but not including 7.0.10 are affected: authenticated users can use the MSETNX command to trigger a runtime assertion and termination of the Redis server process.

Solution: The problem is fixed in Redis version 7.0.10.

Official details: Please refer to NATIONAL VULNERABILITY DATABASE – https://nvd.nist.gov/vuln/detail/CVE-2023-28425

CVE-2023-0361 – About RSA ClientKeyExchange messages in GnuTLS (19th Mar 2023)

Preface: As a computer end user, when a vulnerability is published the only course of action is to patch according to the official announcement.
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language API to access the secure communications protocols.
Remark: If OpenSSL is selected over GnuTLS, neither libnettle nor libgcrypt will be used.

Background: GnuTLS is a free software implementation of the TLS, SSL and DTLS protocols. It offers an application programming interface for applications to enable secure communication over the network transport layer, as well as interfaces to access X.509, PKCS #12, OpenPGP and other structures.

Vulnerability details: A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.

SUSE – Recommended update for gnutls: This update for gnutls fixes the following issues:

FIPS: Establish PBKDF2 additional requirements [bsc #1209001]

  • Set the minimum output key length to 112 bits (FIPS 140-3 IG D.N)
  • Set the minimum salt length to 128 bits (SP 800-132 sec. 5.1)
  • Set the minimum iteration count to 1000 (SP 800-132 sec. 5.2)
  • Set the minimum password length to 20 characters (SP 800-132 sec. 5)
  • Add regression tests for the new PBKDF2 requirements.
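Applications that call PBKDF2 themselves can refuse weak parameters up front rather than rely on the library's FIPS mode to do it. The following is an added example for this note, not GnuTLS code: it enforces the four minimums listed in the SUSE notice around Python's hashlib.pbkdf2_hmac. The password and salt values in the test are constructed; the iteration default of 600000 is an assumption chosen well above the stated minimum.

```python
"""Enforce the PBKDF2 minimums from the GnuTLS FIPS update before deriving a key.

Added example for this note; not GnuTLS code. Limits are the ones quoted above.
"""
import hashlib
import os

MIN_KEY_BITS = 112        # FIPS 140-3 IG D.N
MIN_SALT_BITS = 128       # SP 800-132 sec. 5.1
MIN_ITERATIONS = 1000     # SP 800-132 sec. 5.2
MIN_PASSWORD_CHARS = 20   # SP 800-132 sec. 5


def check_pbkdf2_params(password, salt, iterations, dklen):
    """Return a list of violations; an empty list means the parameters are acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_CHARS:
        problems.append(f"password shorter than {MIN_PASSWORD_CHARS} characters")
    if len(salt) * 8 < MIN_SALT_BITS:
        problems.append(f"salt shorter than {MIN_SALT_BITS} bits")
    if iterations < MIN_ITERATIONS:
        problems.append(f"fewer than {MIN_ITERATIONS} iterations")
    if dklen * 8 < MIN_KEY_BITS:
        problems.append(f"output key shorter than {MIN_KEY_BITS} bits")
    return problems


def derive_key(password, salt, iterations=600000, dklen=32, hash_name="sha256"):
    """PBKDF2-HMAC with the minimums enforced; raises ValueError on weak input.

    The 600000 default is an assumption for this example, far above the 1000 floor.
    """
    problems = check_pbkdf2_params(password, salt, iterations, dklen)
    if problems:
        raise ValueError("; ".join(problems))
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations, dklen)


def new_salt():
    """Fresh random salt of exactly the minimum length (16 bytes = 128 bits)."""
    return os.urandom(MIN_SALT_BITS // 8)


if __name__ == "__main__":
    # constructed inputs
    key = derive_key("correct horse battery staple!", new_salt())
    print(key.hex())
```

The 1000-iteration floor is what SP 800-132 sets as a minimum, not a recommendation; current guidance for password storage is several hundred thousand iterations with SHA-256, which is why the default here is much higher.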

Official announcement: please refer to National vulnerability database – https://nvd.nist.gov/vuln/detail/CVE-2023-0361

About CVE-2023-22881 and CVE-2023-22882 : malicious UDP receive by client cause a denial of service (16th Mar 2023).

Preface: Make sure to use the STUN message format specified in the standard when performing the MESSAGE-INTEGRITY computation. STUN was originally "Simple Traversal of UDP through NAT" (RFC 3489) and was renamed "Session Traversal Utilities for NAT" in RFC 5389. ICE (Interactive Connectivity Establishment) uses STUN Binding request and response messages for connectivity checks between the two endpoints.

Background: Most attackers use UDP for amplification attacks because, with no handshake, traffic can be reflected to a spoofed source IP address. UDP therefore makes reflected amplification attacks easy to launch.
The STUN mechanism requires that, if a request is valid, the endpoint MUST send a STUN Binding response message.
Because UDP is a low-level protocol that does not set up a connection or verify the sender's return address, requests can be sent with the return address spoofed to that of the victim.

Vulnerability details: Zoom clients before version 5.13.5 contain a STUN parsing vulnerability. A malicious actor could send specially crafted UDP traffic to a victim Zoom client to remotely cause the client to crash, causing a denial of service.
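What a robust STUN parser has to do is bound every read by the header length and attribute lengths and verify MESSAGE-INTEGRITY before trusting the message. The following is an added example written for this note, not Zoom's code and not a reproduction of the Zoom bug (the bulletin does not describe the crashing input). It follows RFC 5389: a 20-byte header with the magic cookie, 4-byte-aligned attributes, and MESSAGE-INTEGRITY (0x0008) as HMAC-SHA1 over the message up to that attribute with the header length adjusted to cover it. Every malformed case raises ValueError instead of reading past the datagram, which is the failure mode a crashing client has. The key, transaction id and USERNAME value are constructed.

```python
"""Build and safely parse STUN Binding messages with MESSAGE-INTEGRITY (RFC 5389).

Added example for this note; not Zoom code and not a reproducer. Demo values constructed.
"""
import hmac
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008
HEADER_LEN = 20


def encode_attr(atype, value):
    """TLV attribute; value padded to a 4-byte boundary, padding not counted in length."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * (-len(value) % 4)


def build_binding_request(txid, attrs, key=None):
    """Binding request; when key is given a MESSAGE-INTEGRITY attribute is appended last."""
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    if key is not None:
        # The HMAC covers the header (with length set to include the 24-byte MI attribute) and body.
        covered = struct.pack("!HHI12s", BINDING_REQUEST, len(body) + 24, MAGIC_COOKIE, txid) + body
        body += encode_attr(ATTR_MESSAGE_INTEGRITY, hmac.new(key, covered, "sha1").digest())
    return struct.pack("!HHI12s", BINDING_REQUEST, len(body), MAGIC_COOKIE, txid) + body


def parse_stun(msg):
    """Return (msg_type, txid, [(type, value), ...], offset of MESSAGE-INTEGRITY or None)."""
    if len(msg) < HEADER_LEN:
        raise ValueError("shorter than STUN header")
    mtype, length, cookie, txid = struct.unpack("!HHI12s", msg[:HEADER_LEN])
    if mtype & 0xC000:
        raise ValueError("top two bits of message type must be zero")
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie")
    if length % 4 or HEADER_LEN + length > len(msg):
        raise ValueError("header length field inconsistent with datagram")
    attrs, mi_offset, off = [], None, HEADER_LEN
    end = HEADER_LEN + length
    while off < end:
        if off + 4 > end:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        if off + 4 + alen > end:
            raise ValueError("attribute length exceeds message")
        if atype == ATTR_MESSAGE_INTEGRITY:
            if alen != 20:
                raise ValueError("MESSAGE-INTEGRITY must be 20 bytes")
            mi_offset = off
        attrs.append((atype, msg[off + 4:off + 4 + alen]))
        off += 4 + alen + (-alen % 4)  # skip value and its padding
    return mtype, txid, attrs, mi_offset


def verify_message_integrity(msg, key):
    """True when MESSAGE-INTEGRITY is present and equals HMAC-SHA1(key, covered bytes)."""
    _, _, _, mi_offset = parse_stun(msg)
    if mi_offset is None:
        return False
    covered = bytearray(msg[:mi_offset])
    # Length as it would be with MESSAGE-INTEGRITY as the final attribute.
    struct.pack_into("!H", covered, 2, mi_offset + 24 - HEADER_LEN)
    expected = hmac.new(key, bytes(covered), "sha1").digest()
    received = msg[mi_offset + 4:mi_offset + 24]
    return hmac.compare_digest(expected, received)


# Constructed demo values
DEMO_KEY = b"ice-short-term-password"
DEMO_TXID = b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c"
DEMO_REQUEST = build_binding_request(DEMO_TXID, [(ATTR_USERNAME, b"alice:bob")], DEMO_KEY)
```

Two details are where real parsers go wrong: the attribute loop must be bounded by the header's length field, never by the datagram size alone, and the HMAC must be checked with a constant-time comparison before any other attribute is acted on.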

Official details: Please refer to the URL link – https://explore.zoom.us/en/trust/security/security-bulletin/

Staying alert of opensips vulnerabilities (16th Mar 2023)

Preface: The SIP protocol has taken the stage from the traditional telephony system; we cannot do without it today.

Background: The Session Initiation Protocol is a signaling protocol that enables the Voice Over Internet Protocol (VoIP) by defining the messages sent between endpoints and managing the actual elements of a call. SIP supports voice calls, video conferencing, instant messaging, and media distribution.
OpenSIPS is used by telecom operators, enterprises and network operators. It is essentially a SIP proxy server: concerned only with signaling, OpenSIPS is a multipurpose, multifunctional SIP server that can be used as a switch or a router.

Vulnerabilities were found in OpenSIPS; the official developers conducted a demo that showed the symptoms. However, I observed that msg_parser[.]c has its own design weakness. When it runs in switch mode, pkg_malloc may give the attacker a way to do the exploitation.
Can the attacker exploit SIP header manipulation? SIP header manipulation allows you to automatically modify the user fields in a SIP INVITE.
For reference (below), and refer to the attached picture:
/* if header-field well-known, parse it, find its end otherwise */
/* after leaving the hdr->type switch, tmp should be set to the next header field */

Vulnerability details:
CVE-2023-28096 – A memory leak was detected in the function parse_mi_request while performing coverage-guided fuzzing (moderate severity, CVSS 4.5).
CVE-2023-27596 – OpenSIPS crashes when a malformed SDP body is sent multiple times to an OpenSIPS configuration that makes use of the stream_process function.
This issue was discovered during coverage guided fuzzing of the function codec_delete_except_re.
CVE-2023-28097 – A malformed SIP message containing a large Content-Length value and a specially crafted Request-URI causes a segmentation fault in OpenSIPS.
CVE-2023-27597 – When a specially crafted SIP message is processed by the function rewrite_ruri, a crash occurs due to a segmentation fault.
CVE-2023-27598 – Sending a malformed Via header to OpenSIPS triggers a segmentation fault when the function calc_tag_suffix is called. A specially crafted Via header which is deemed correct by the parser, will pass uninitialized strings to the function MD5StringArray which leads to the crash.
Please refer to this link for details – https://github.com/OpenSIPS/opensips/security/advisories?state=published
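The common thread in the advisories above is input the parser accepted but later code could not handle: a Content-Length larger than the body, a Via header that passes the parser yet leaves fields unset, a hostile Request-URI. The following is an added example for this note, not OpenSIPS code and not a reproducer for any of these CVEs: a strict framing check that rejects such messages before headers reach application logic. RFC 3261 syntax is simplified (no header folding, compact forms or multiple Via values on one line), the 64 KiB body cap is an assumed local policy, and all sample messages are constructed.

```python
"""Validate SIP request framing before handing headers to application code.

Added example for this note, not OpenSIPS code. Simplified RFC 3261 grammar;
sample messages constructed; MAX_CONTENT_LENGTH is an assumed policy limit.
"""
import re

VIA_RE = re.compile(
    r"^SIP/2\.0/(UDP|TCP|TLS|SCTP|WS|WSS)\s+"                # transport
    r"([A-Za-z0-9.\-]+|\[[0-9A-Fa-f:]+\])(?::(\d{1,5}))?"    # sent-by host[:port]
    r"((?:;[A-Za-z0-9\-]+(?:=[^;,\s]+)?)*)$"                 # ;params, must include branch=
)
REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (sips?:[^\s<>]+) SIP/2\.0$")
MAX_CONTENT_LENGTH = 64 * 1024  # assumed local policy, not a protocol limit


def parse_sip_request(raw):
    """Return {"method", "uri", "headers", "body"} or raise ValueError for bad framing."""
    if not isinstance(raw, bytes):
        raise TypeError("expected bytes from the socket")
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in header section")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    method, uri = m.group(1), m.group(2)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: " + line[:40])
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    for required in ("via", "from", "to", "call-id", "cseq"):
        if required not in headers:
            raise ValueError("missing mandatory header " + required)
    # Every Via must parse fully and carry a branch parameter; nothing is left unset.
    for via in headers["via"]:
        vm = VIA_RE.match(via)
        if not vm or ";branch=" not in vm.group(4):
            raise ValueError("malformed Via header: " + via[:60])
    # Content-Length must be a single numeric value that the actual body can satisfy.
    declared = headers.get("content-length", ["0"])
    if len(declared) != 1 or not declared[0].isdigit():
        raise ValueError("missing or duplicate Content-Length")
    length = int(declared[0])
    if length > MAX_CONTENT_LENGTH:
        raise ValueError("Content-Length exceeds policy limit")
    if length > len(body):
        raise ValueError(f"Content-Length {length} larger than body {len(body)}")
    return {"method": method, "uri": uri, "headers": headers, "body": body[:length]}


# Constructed messages
GOOD_INVITE = (
    b"INVITE sip:bob@example.test SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"From: <sip:alice@example.test>;tag=1928301774\r\n"
    b"To: <sip:bob@example.test>\r\n"
    b"Call-ID: a84b4c76e66710\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 10\r\n"
    b"\r\n"
    b"v=0\r\ns=-\r\n"
)
BAD_LENGTH = GOOD_INVITE.replace(b"Content-Length: 10", b"Content-Length: 4294967295")
BAD_VIA = GOOD_INVITE.replace(b";branch=z9hG4bK776asdhds", b"")
```

Rejecting at this layer is cheap; the expensive mistake is letting a partially parsed message reach routing or rewriting functions that assume every field is populated.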

Have you upgraded your Linux kernel? (15th Mar 2023)

Preface: The blue screen of death (BSOD) is a familiar error display on Windows. On Linux it is unlikely and uncommon, but is it possible?

Background: As the only copyright holder of the GPL-covered components of the software, you are free to add exceptions and additional terms to the GPLv3, as described in section 7 of that license. In fact, the LGPLv3 is just such a GPLv3 section 7 additional permission, allowing the component to be linked to proprietary code. But it is not recommended, because it is extremely tricky.

The kernel marks itself as "tainted" when some event occurs that may be relevant when investigating a problem. Kernel 6.1.16 was apparently subject to an "oops". What is an "oops"? See below:
The tainted status is printed when a kernel internal problem ("kernel bug"), a recoverable error ("kernel oops") or an unrecoverable error ("kernel panic") occurs, and debug information about it is written to the log (dmesg output). The tainted status can also be checked at runtime via files in /proc/.

Solution: It may have nothing to do with a serious cyberattack, but upgrading the kernel is recommended: 6.2.5 and 6.1.18 have been released.

ndctl: release v76.1, have you updated yet? (14th Mar 2023)

Preface: Advantages of NVDIMMs in servers. NVDIMMs provide high-speed DRAM performance coupled with flash-backed persistent storage. Aside from providing an additional memory tier in servers, NVDIMM persistence allows applications to continue processing I/O traffic during planned or unexpected system failures.

Background: Persistent Memory (PM) is a type of Non-Volatile Memory (NVM). The ndctl utility and library manage the libnvdimm (non-volatile memory device) subsystem in the Linux kernel. ndctl is required for several Persistent Memory Development Kit (PMDK) features when compiling from source; if it is not available, PMDK may not build all components and features.
If you are going to write applications for persistent memory, the programming model modes are:

Block and File modes use IO

  • Data is read or written using RAM buffers
  • Software controls how to wait (context switch or poll)
  • Status is explicitly checked by software

Volume and PM modes enable Load/Store

  • Data is loaded into or stored from processor registers
  • Processor makes software wait for data during instruction
  • No status checking – errors generate exceptions

Recommendation: Upgrade to ndctl release v76.1.
Version 76.1 fixes the following:
cxl/event-trace: use the wrapped util_json_new_u64()
cxl/monitor: fix include paths for tracefs and traceevent
cxl/monitor: Make libtracefs dependency optional

antihackingonline.com