IoT, Potential Risk of CVE, System

CVE-2024-42257: In the Linux kernel, the vulnerability related to ext4 has been resolved (12th Aug 2024)

Leave a comment

Published: 2024-08-08

Updated: 2024-08-07

Preface: Ext4 is a series of backwards-compatible extensions of Ext2. It is also the file system of most Linux distributions. Ext4 is supported on other operating systems including Windows, Free BSD, macOS and KolibriOS (read-only)

Background: Ext4 – The fourth generation extension file system is a log file system under the Linux system and is the successor version of the ext3 file system.

Advantage

-Has the largest single file size and volume file system size

-Supports all bytes except NULL and ‘/.’

-You can convert Ext3 file system to Ext4

-Includes advanced features such as stretching, directory indexing,

-delayed allocation and disk defragmentation

-Unlimited subdirectories

Disadvantage

-No data security provided

-Difficulty creating snapshots on different volumes

-Use more disk space

Vulnerability details: In the Linux kernel, the following vulnerability has been resolved: ext4: use memtostr_pad() for s_volume_name As with the other strings in struct ext4_super_block, s_volume_name is not NUL terminated. The other strings were marked in commit 072ebb3bffe6 (“ext4: add nonstring annotations to ext4.h”). Using strscpy() isn’t the right replacement for strncpy(); it should use memtostr_pad() instead.

Ref: Failure to properly null-terminate a character sequence that is passed to a library function that expects a string can result in buffer overflows and the execution of arbitrary code with the permissions of the vulnerable process. Null-termination errors can also result in unintended information disclosure.

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2024-42257

IoT, Potential Risk of CVE, System

CVE-2024-7589: Race condition vulnerability occurs when integration of blacklisted in OpenSSH in FreeBSD. (11-Aug-2024)

Leave a comment

Preface: SSH clients are designed for direct user interaction, providing a command-line interface (CLI) or graphical user interface (GUI) on the initiating device. The SSHD operates as a background process, running silently in the background without any user intervention.

Background: How do I make my SSH connection more stable?

SSH servers often have an idle timeout period, after which they automatically disconnect idle sessions. To prevent premature disconnections, consider modifying the server’s idle timeout setting. To modify the idle timeout: Locate the SSH server configuration file, typically located at /etc/ssh/sshd_config .

Vulnerability details: A signal handler in sshd(8) may call a logging function that is not async-signal-safe. The signal handler is invoked when a client does not authenticate within the LoginGraceTime seconds (120 by default). This signal handler executes in the context of the sshd(8)’s privileged code, which is not sandboxed and runs with full root privileges. This issue is another instance of the problem in CVE-2024-6387 addressed by FreeBSD-SA-24:04.openssh.

The faulty code in this case is from the integration of blacklistd in OpenSSH in FreeBSD. As a result of calling functions that are not async-signal-safe in the privileged sshd(8) context, a race condition exists that a determined attacker may be able to exploit to allow an unauthenticated remote code execution as root.

Official announcement: Please refer to the link for details https://www.tenable.com/cve/CVE-2024-7589

AI and ML, Potential Risk of CVE

NVIDIA Mellanox OS, ONYX, Skyway, MetroX-2 and MetroX-3 XC contain a vulnerability in web support  (07 Aug 2024)

Leave a comment

Preface: CGI is a standard protocol that allows web servers to execute external programs or scripts, typically written in languages like Perl or Python, in response to client requests.

Path Traversal: Exploiting lax file path validation, attackers navigate outside the intended directory, accessing restricted files or directories.

Background: MLNX-OSis a next-generation switch operating system for data centers with storage, enterprise, high-performance computing and cloud fabrics. Building networks with MLNX-OS enables scaling to thousands of compute and storage nodes with monitoring and provisioning capabilities, whether they are InfiniBand or Virtual Protocol Interconnect (VPI).

NVIDIA Onyx, with its robust layer-3 protocol stack, built-in monitoring and visibility tools, and high-availability mechanisms, Onyx is an ideal network operating system for enterprise and cloud data centers.

The NVIDIASkyway gateway appliance provides 1.6Tb/s  throughput, enabling scalable and efficient connectivity from InfiniBand data centers to external Ethernet-based infrastructures and storage.

The NVIDIAMetroX-3 XC long-haul system seamlessly and securely extends the reach of the NVIDIA Quantum InfiniBand networking platform, providing high data throughput, In-Network Computing, and native remote direct-memory access (RDMA) communications. Enhancing data security, MetroX-3 XC provides encrypted connectivity over long distances and dense wavelength-division multiplexing (DWDM) infrastructures.

Extending InfiniBand connectivity to 10 or 40 kilometers,. MetroX2 systems enable high data throughput, native remote direct memory access (RDMA).

Vulnerability details: NVIDIA Mellanox OS, ONYX, Skyway, and MetroX-3 XCC contain a vulnerability in the web support, where an attacker can cause a CGI path traversal by a specially crafted URI. A successful exploit of this vulnerability might lead to escalation of privileges and information disclosure.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5563

AI and ML, Potential Risk of CVE

About CVE-2024-7553: Improper Access Control in MongoDB (8th Aug 2024)

Leave a comment

Preface: What Is a Document Database? A document-oriented database is a special type of key-value store where keys can only be strings. Moreover, the document is encoded using standards like JSON or related languages like XML. You can also store PDFs, image files, or text documents directly as values.

Background: As a document database, MongoDB makes it easy for developers to store structured or unstructured data. It uses a JSON-like format to store documents. Most breaches involving MongoDB occur because of a deadly combination of authentication disabled and MongoDB opened to the internet.

Vulnerability details: Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files.

Impact: This issue affects MongoDB Server v5.0 versions prior to 5.0.27, MongoDB Server v6.0 versions prior to 6.0.16, MongoDB Server v7.0 versions prior to 7.0.12, MongoDB Server v7.3 versions prior 7.3.3, MongoDB C Driver versions prior to 1.26.2 and MongoDB PHP Driver versions prior to 1.18.1. Required Configuration: Only environments with Windows as the underlying operating system is affected by this issue

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-7553

Potential Risk of CVE, System

CVE-2024-1067 was released in May 2024.  Are CVE-2024-2937 and CVE-2024-4607, released in August 2024, caused by similar design flaws? (7 Aug 2024)

Leave a comment

Preface: May 2021 to May 2023 (ARM GPU evolution)

Valhall 3rd Gen – On May 25, 2021, Arm announced their Valhall 3rd Gen GPU Architecture (as part of TCS21), including the Mali-G710, Mali-G510, and Mali-G310 GPUs.

Valhall 4th Gen – On June 28, 2022, Arm announced their Valhall 4th Gen GPU Architecture (as part of TCS22), including the Immortalis-G715, Mali-G715, and Mali-G615 GPUs.

5th Gen – On May 29, 2023, Arm announced their 5th Gen Arm GPU Architecture (as part of TCS23), including the Immortalis-G720, Mali-G720 and Mali-G620 GPUs.

Background: The New 5th Gen Arm GPU Architecture

The 5th Gen GPU architecture introduces a key feature called Deferred Vertex Shading (DVS), which revolutionizes data flow within the GPU and expands the number of GPU cores, reaching up to 16 cores for enhanced performance.

The Arm 5th Gen GPU architecture is the most efficient GPU architecture Arm has ever created, designed with CPU and system architecture in mind. It redefines parts of the graphics pipeline to significantly reduce memory bandwidth, thus improving total system efficiency and power.

Technical reference: It solves the bandwidth problem of the traditional model because the fragment shader reads a small block each time and puts it on the chip. It does not need to read the memory frequently until the final operation is completed and then writes it to the memory. You can even further reduce memory reads and writes by compressing tiles. In addition, when some areas of the image are fixed, the function can be called to determine whether the tiles are the same to reduce repeated rendering.

Vulnerability details: Judging from the descriptions of the two different vulnerabilities, they appear to be the same (see below):

https://nvd.nist.gov/vuln/detail/CVE-2024-2937

Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.This issue affects Bifrost GPU Kernel Driver: from r41p0 through r49p0; Valhall GPU Kernel Driver: from r41p0 through r49p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r49p0.

https://nvd.nist.gov/vuln/detail/CVE-2024-4607

Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.This issue affects Bifrost GPU Kernel Driver: from r41p0 through r49p0; Valhall GPU Kernel Driver: from r41p0 through r49p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r49p0.

Affected Products

Bifrost GPU kernel driver versions : r41p0 (inclusive) ~ r49p0 (inclusive)

Valhall GPU Kernel Driver versions: r41p0 (inclusive) ~ r49p0 (inclusive)

Arm 5th Generation GPU Architecture Kernel Driver versions: r41p0 (inclusive) ~ r49p0 (inclusive)

Potential Risk of CVE

About CVE-2024-21980, SNP firmware design weakness! (5th Aug 2024)

Leave a comment

Preface: Confidential node pools use VMs with hardware-based Trusted Execution Environments (TEEs). AMD SEV-SNP Confidential VM denies hypervisor and other host management code access to VM memory and state, and adds defense-in-depth against operator access.

Background: The SNP firmware may exist in two states: UNINIT and INIT.

UNINIT – The platform is uninitialized. This is the reset state of the PSP firmware.

Allowed Platform Commands: SNP_INIT, SNP_PLATFORM_STATUS,

DOWNLOAD_FIRMWARE, GET_ID

INIT – The platform is initialized

Allowed Platform Commands: All SNP commands except SNP_INIT, DOWNLOAD_FIRMWARE

Ref: The behavior of the SEV-legacy commands is altered when the SNP firmware is in the INIT state. In this case, the SEV-legacy commands require any page that the SEV-legacy command writes to be a Firmware or Default page.

Vulnerability details: CVE-2024-21980 – Improper restriction of write operations in SNP firmware could allow a malicious hypervisor to overwrite a guest’s memory or UMC seed potentially resulting in loss of confidentiality and integrity.

Official announcement: Please refer to the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3011.html

AI and ML, Potential Risk of CVE

CVE-2024-3056 – About Podman (5th-Aug-2024)

Leave a comment

Preface: Size of /dev/shm. A unit can be b (bytes), k (kibibytes), m (mebibytes), or g (gibibytes). If the unit is omitted, the system uses bytes. If the size is omitted, the default is 64m. When size is 0, there is no limit on the amount of memory used for IPC by the container. This option conflicts with –ipc=host.

IPC:Shared Memory

Two processes comunicating via shared memory.

shm_server[.]c — simply creates the string and shared memory portion.

shm_client[.]c — attaches itself to the created shared memory portion and uses the string (printf.

Background: Podman, Podman Desktop, and other open standards-based container tools make Red Hat Enterprise Linux a powerful container host that delivers production-grade support, stability, and security features as well as a path forward to Kubernetes and Red Hat OpenShift.

Vulnerability details: A flaw was found in Podman. This issue may allow an attacker to create a specially crafted container that, when configured to share the same IPC with at least one other container, can create a large number of IPC resources in /dev/shm. The malicious container will continue to exhaust resources until it is out-of-memory (OOM) killed. While the malicious container’s cgroup will be removed, the IPC resources it created are not. Those resources are tied to the IPC namespace that will not be removed until all containers using it are stopped, and one non-malicious container is holding the namespace open. The malicious container is restarted, either automatically or by attacker control, repeating the process and increasing the amount of memory consumed. With a container configured to restart always, such as `podman run –restart=always`, this can result in a memory-based denial of service of the system.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-3056

Application Development, Potential Risk of CVE

RHSA-2024-4982 -Security Advisory- OpenShift API for Data Protection (OADP) – Security Fix – golang: net/netip – CVE-2024-24790 (2nd Aug 2024)

Leave a comment

Preface: The IPv4-mapped IPv6 address format allows the IPv4 address of an IPv4 node to be represented as an IPv6 address. The IPv4 address is encoded into the low-order 32 bits of the IPv6 address, and the high-order 96 bits hold the fixed prefix 0:0:0:0:0:FFFF.

Background: OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.

Package netip defines an IP address type that’s a small value type. Building on that Addr type, the package also defines AddrPort (an IP address and a port) and Prefix (an IP address and a bit length prefix).

Compared to the net.IP type, Addr type takes less memory, is immutable, and is comparable (supports == and being a map key).

Vulnerability details: OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.

Security Fixes from Bugzilla: golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (CVE-2024-24790)

Official announcement: Please refer to the website for details – https://access.redhat.com/errata/RHSA-2024:4982

Potential Risk of CVE

CVE-2024-40782 – Nullptr crash due to `display:ruby block` and continuations. (1st Aug 2024)

Leave a comment

Preface: Apple doesn’t allow third party developers to use any other browser engine other than the WebKit which is the engine developed by Apple.

Background: The browser parses HTML into DOM and css into CSSOM and combines them to create a render tree. Once each node from the DOM has its style assigned, the rendering engine computes the size of each node and its position on the screen.

The process that goes from interpreting HTML, CSS, and Javascript to pixel conversion can be grouped in 4 (four) general steps:

  1. Parsing of the HTML document to DOM (Document Object Model).
  2. CSS file interpretation (CSSOM – Cascading Style Sheets Object Model) for each of the DOM nodes.
  3. Creation of the new tree that includes the DOM, and each node’s style and layout.
  4. A render tree is rendered.

Vulnerability details: A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, Safari 17.6, iOS 17.6 and iPadOS 17.6, watchOS 10.6, tvOS 17.6, visionOS 1.3, macOS Sonoma 14.6. Processing maliciously crafted web content may lead to an unexpected process crash.

Official announcement: Please refer to the official announcement for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-40782

AI and ML, Potential Risk of CVE

CVE-2024-33976: Check for correct values rank in UpperBound and LowerBound. (30th Jul 2024)

Leave a comment

Preface: Segmentation faults (segfaults) are a common error that occurs when a program tries to access a restricted area of memory. Segfaults can occur for a wide variety of reasons: usage of uninitialized pointers, out-of-bounds memory accesses, memory leaks, buffer overflows, etc.

Background: TensorFlow can be used to develop models for various tasks, including natural language processing, image recognition, handwriting recognition, and different computational-based simulations such as partial differential equations.

Vulnerability details: TensorFlow is an end-to-end open source platform for machine learning. `array_ops.upper_bound` causes a segfault when not given a rank 2 tensor.

The shape function in array_ops.cc for those ops requires that argument to have rank 2, but that function is bypassed when switching between graph and eager modes, allowing for invalid arguments to pass through and, in the test case, cause a segfault.

Solution: The fix will be included in TensorFlow 2.13 and will also cherrypick this commit on TensorFlow 2.12.

Official announcement: Please refer to the official announcement for details – https://www.tenable.com/cve/CVE-2023-33976

antihackingonline.com