Headline news: FAA system outage disrupts thousands of flights across U.S. (12th Jan 2023)

Preface: Thousands of flights across the U.S. were delayed on Wednesday after a Federal Aviation Administration pilot alert system failed overnight, prompting a nationwide halt to departures, CNBC reported.

Headline news – https://www.cnbc.com/2023/01/11/faa-orders-airlines-to-pause-departures-until-9-am-et-after-system-outage.html

Background: The Department of Homeland Security published the following opinion piece four years ago.

The GPS system is now considered a “cross-sector dependency” for the Department of Homeland Security’s (DHS) 16 designated critical infrastructure sectors. GNSS is vulnerable to jamming and natural interference. When GNSS is denied, PNT information can be seriously affected in ways that increase risks to the safety of navigation.

My observation: Perhaps the incident was not caused by a cyber attack. But people in the industry know that an overall system architecture of this kind is combined with OS-vendor-dependent drivers.

For example: writing the driver as a standard-conforming driver that uses user-mode extensions is not recommended by some, because that model is likely to use more memory. However, the same standard is available on every platform, and a driver written in user mode is strongly recommended.

So the function is not only OS-specific; it also brings in third-party vendors to do the software development. The aviation industry is a special zone, and current computer technology is now part of that zone. In today's computing world, patching vulnerabilities is routine. So who can say that this is a trusted zone that will remain free of vulnerabilities forever?

CVE‑2022‑42271 Staying alert, Artificial intelligence world! (12th Jan 2023)

Preface: An “intelligent” computer uses AI to think like a human and perform tasks on its own. Machine learning is how a computer system develops its intelligence. One way to train a computer to mimic human reasoning is to use a neural network, which is a series of algorithms that are modeled after the human brain.

Quote: A GPU devotes more transistors to arithmetic logic, and fewer to caching and flow control, than a CPU does. As of 2022, the GPU with the highest transistor count is Nvidia’s H100, built on TSMC’s N4 process and totalling 80 billion MOSFETs.

Background: The Intelligent Platform Management Interface, or IPMI, is a standard for controlling intelligent devices that monitor a system. To use this, you need an interface to an IPMI controller in your system (called a Baseboard Management Controller – BMC) and management software that can use the IPMI system.

Under normal circumstances, you must select ‘IPMI top-level message handler’ to use IPMI. The message handler does not provide any user-level interfaces; kernel code (like the watchdog) can still use it. If you need access from userland, select ‘Device interface for IPMI’ to get access through a device driver.

The Linux IPMI driver is modular. One of its modules, the IPMI IPMB driver, supports a system that sits on an IPMB; it makes the interface look like a normal IPMI interface. Sending system-interface-addressed messages to it causes the message to go to the registered BMC on the system (by default at IPMI address 0x20).

Vulnerability details: NVIDIA baseboard management controller (BMC) contains a vulnerability in the Intelligent Platform Management Interface (IPMI) handler, where an attacker with the required privileges can cause a buffer overflow, which may lead to denial of service or code execution.
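The check such a handler needs, as an added example that is not NVIDIA's or the Linux kernel's code: a hypothetical parser for IPMI v1.5 LAN packets (RMCP header, session header with authentication type “none”, then the IPMI message) that validates the declared payload length against both the bytes actually received and the destination buffer, and verifies the two IPMI checksums, before copying message data. The packet layout follows the IPMI specification; the buffer size, error codes, function names and the sample request are this example's own assumptions.

```c
/* Added example (not NVIDIA's or the Linux kernel's code): a hypothetical
 * handler for IPMI v1.5 "LAN" packets with the length and checksum checks
 * needed before message data is copied into a fixed-size buffer. Packet
 * layout follows the IPMI spec; buffer size and error codes are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPMI_MAX_DATA    32   /* fixed data buffer inside the handler */
#define RMCP_HDR_LEN      4   /* version, reserved, sequence, class */
#define SESSION_HDR_LEN  10   /* auth type, seq(4), session id(4), payload length */
#define IPMI_MSG_MIN_LEN  7   /* rsAddr, netFn/LUN, chk1, rqAddr, rqSeq/LUN, cmd, chk2 */

enum { IPMI_OK = 0, IPMI_ERR_SHORT = -1, IPMI_ERR_LENGTH = -2,
       IPMI_ERR_TOOBIG = -3, IPMI_ERR_CHECKSUM = -4 };

struct ipmi_request {
    uint8_t rs_addr, netfn, rq_addr, rq_seq, cmd;
    uint8_t data[IPMI_MAX_DATA];
    uint8_t data_len;
};

/* IPMI checksum: two's complement, so covered bytes plus checksum sum to 0 mod 256. */
static uint8_t ipmi_checksum(const uint8_t *p, size_t n) {
    uint8_t sum = 0;
    for (size_t i = 0; i < n; i++) sum = (uint8_t)(sum + p[i]);
    return (uint8_t)(0u - sum);
}

int ipmi_parse_lan(const uint8_t *pkt, size_t pkt_len, struct ipmi_request *out) {
    if (pkt_len < RMCP_HDR_LEN + SESSION_HDR_LEN) return IPMI_ERR_SHORT;
    if (pkt[0] != 0x06 || pkt[3] != 0x07) return IPMI_ERR_SHORT;   /* RMCP v1, IPMI class */
    const uint8_t *sess = pkt + RMCP_HDR_LEN;
    if (sess[0] != 0x00) return IPMI_ERR_SHORT;  /* auth type "none" only; others add a 16-byte auth code */
    size_t declared = sess[9];                   /* payload length: attacker controlled */
    size_t avail = pkt_len - RMCP_HDR_LEN - SESSION_HDR_LEN;
    /* The checks an overflowing handler lacks: the declared length must not
     * exceed the bytes actually received, nor the buffer that receives them. */
    if (declared > avail) return IPMI_ERR_LENGTH;
    if (declared < IPMI_MSG_MIN_LEN) return IPMI_ERR_SHORT;
    size_t data_len = declared - IPMI_MSG_MIN_LEN;
    if (data_len > IPMI_MAX_DATA) return IPMI_ERR_TOOBIG;
    const uint8_t *msg = sess + SESSION_HDR_LEN;
    if (ipmi_checksum(msg, 2) != msg[2]) return IPMI_ERR_CHECKSUM;
    if (ipmi_checksum(msg + 3, 3 + data_len) != msg[6 + data_len]) return IPMI_ERR_CHECKSUM;
    out->rs_addr = msg[0];
    out->netfn   = msg[1] >> 2;
    out->rq_addr = msg[3];
    out->rq_seq  = msg[4] >> 2;
    out->cmd     = msg[5];
    memcpy(out->data, msg + 6, data_len);        /* bounded: data_len <= IPMI_MAX_DATA */
    out->data_len = (uint8_t)data_len;
    return IPMI_OK;
}

/* Builds a well-formed packet for the demos. Returns its length, or 0 on error. */
size_t ipmi_build_lan(uint8_t *buf, size_t buf_len, uint8_t netfn, uint8_t cmd,
                      const uint8_t *data, size_t data_len) {
    size_t msg_len = IPMI_MSG_MIN_LEN + data_len;
    if (msg_len > 255 || buf_len < RMCP_HDR_LEN + SESSION_HDR_LEN + msg_len) return 0;
    uint8_t *p = buf;
    p[0] = 0x06; p[1] = 0x00; p[2] = 0xff; p[3] = 0x07;   /* RMCP v1, reserved, no ACK, IPMI */
    p += RMCP_HDR_LEN;
    memset(p, 0, SESSION_HDR_LEN);                         /* auth none, seq 0, session id 0 */
    p[9] = (uint8_t)msg_len;
    p += SESSION_HDR_LEN;
    p[0] = 0x20;                    /* BMC slave address */
    p[1] = (uint8_t)(netfn << 2);   /* netFn, LUN 0 */
    p[2] = ipmi_checksum(p, 2);
    p[3] = 0x81;                    /* remote console software ID */
    p[4] = 0x00;                    /* rqSeq 0, LUN 0 */
    p[5] = cmd;
    memcpy(p + 6, data, data_len);
    p[6 + data_len] = ipmi_checksum(p + 3, 3 + data_len);
    return RMCP_HDR_LEN + SESSION_HDR_LEN + msg_len;
}

/* Demos use a Get Channel Authentication Capabilities request: netFn App (0x06),
 * cmd 0x38, data = current channel 0x0e with the IPMI 2.0 bit, privilege Administrator. */
static const uint8_t auth_cap_req[] = { 0x8e, 0x04 };

int demo_valid(void) {
    uint8_t pkt[128]; struct ipmi_request req;
    size_t n = ipmi_build_lan(pkt, sizeof pkt, 0x06, 0x38, auth_cap_req, sizeof auth_cap_req);
    if (ipmi_parse_lan(pkt, n, &req) != IPMI_OK) return 0;
    return req.netfn == 0x06 && req.cmd == 0x38 && req.data_len == 2 && req.data[0] == 0x8e;
}

int demo_lying_length(void) {        /* declared length exceeds the bytes received */
    uint8_t pkt[128]; struct ipmi_request req;
    size_t n = ipmi_build_lan(pkt, sizeof pkt, 0x06, 0x38, auth_cap_req, sizeof auth_cap_req);
    pkt[RMCP_HDR_LEN + 9] = 0xff;
    return ipmi_parse_lan(pkt, n, &req);
}

int demo_oversized(void) {           /* consistent lengths, but more data than the buffer holds */
    uint8_t pkt[128], big[IPMI_MAX_DATA + 8]; struct ipmi_request req;
    memset(big, 0x41, sizeof big);
    size_t n = ipmi_build_lan(pkt, sizeof pkt, 0x06, 0x38, big, sizeof big);
    return ipmi_parse_lan(pkt, n, &req);
}

int demo_bad_checksum(void) {        /* one data byte altered in transit */
    uint8_t pkt[128]; struct ipmi_request req;
    size_t n = ipmi_build_lan(pkt, sizeof pkt, 0x06, 0x38, auth_cap_req, sizeof auth_cap_req);
    pkt[RMCP_HDR_LEN + SESSION_HDR_LEN + 6] ^= 0x01;
    return ipmi_parse_lan(pkt, n, &req);
}

int main(void) {
    printf("valid=%d lying=%d oversized=%d badsum=%d\n",
           demo_valid(), demo_lying_length(), demo_oversized(), demo_bad_checksum());
    return 0;
}
```

The order of the checks matters: the declared length is compared with the received length before it is used to compute anything, and the data length is compared with the buffer before the checksum routine walks that many bytes. Authenticated sessions (auth type other than 0) insert a 16-byte auth code before the length byte, which this example deliberately rejects rather than guesses at.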

Official announcement: For official details see the link – https://nvidia.custhelp.com/app/answers/detail/a_id/5435

NVIDIA recommends that customers follow best security practices for BMC management (the IPMI port). These include, but are not limited to, measures such as:

  • Restricting the DGX A100 IPMI port to an isolated, dedicated management network.
  • Using a separate, firewalled subnet.
  • Configuring a separate VLAN for BMC traffic if a dedicated network is not available.

Intel security advisory (AV23-015) 10th JAN 2023

Preface: OpenMP (Open Multi-Processing) is an application programming interface (API) that supports multi-platform shared-memory multiprocessing programming in C, C++, and Fortran, on many platforms, instruction-set architectures and operating systems, including Solaris, AIX, FreeBSD, HP-UX, Linux, macOS, and Windows.

Background: A LEGO brick is a small plastic part, but it can build a big robot. By a similar principle, CPU manufacturers, as upstream suppliers, provide the main components and guidelines, and let computer hardware manufacturers build their own powerful supercomputers with their own designs for load sharing and for offloading work to the GPU. That is how the tech world works right now.

We often hear that computer hardware has backdoors, which are usually introduced during the hardware design phase. If you ask who should bear this burden, the downstream hardware developer or the upstream CPU manufacturer, my comment is two-sided (see below).

  • If the hardware developer does not follow the best practices recommended by the CPU manufacturer, the risk is on the developer's side.
  • If the CPU manufacturer or its development tools have design flaws, the risk is on the upstream side.

Vulnerability details: CVE-2022-40196

Description: Improper access control in the Intel(R) oneAPI DPC++/C++ Compiler before version 2022.2.1 for some Intel(R) oneAPI Toolkits before version 2022.3.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

For details, see the link – https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00773.html

My observation: As usual, the vendor does not reveal the root cause. Let us see whether part of the possibility can be dug out.

For example: with Unified Shared Memory (USM), device kernels can access data through pointers. In the programming example this post refers to, the memcpy operation waits on events e1 and e2 and transfers data back from device to host memory. As we know, the memcpy() and memmove() functions are a classic source of buffer overflow vulnerabilities. Could the Intel oneAPI DPC++/C++ Compiler have a vulnerability at this point?

CVE-2022-25746: Possible cause of this vulnerability in Snapdragon (9th JAN 2023)

Preface: Qualcomm’s current Snapdragon chips for smartphones are based on Arm technology: the Snapdragon’s central processing unit (CPU) uses the Arm architecture.

Some companies, like Apple, license the ISA from Arm, then design their own physical processor circuits to implement the ISA instructions. Other companies, like Qualcomm historically, also buy the rights to full core designs from Arm, marketed as Cortex. Arm reported $2.7 billion in sales from licensing and royalties in 2021, said CNBC.

For details, see the link – https://www.cnbc.com/2022/09/01/why-arms-lawsuit-against-qualcomm-is-a-big-deal.html

Conceptual baseline: The firmware is first loaded into a predefined memory region and authenticated in the secure world, then the remote processor is reset and starts executing it. These regions of memory should be reserved so that Linux does not map them and make them available exclusively to remote processors and the drivers that load their firmware.

Background: In Snapdragon SoCs, three components are used to provide access control: Virtual Master ID Mapping Table (VMIDMT), External Protection Unit (XPU), and System Memory Management Unit (SMMU). VMIDMT and XPU work together: VMIDMT applies security attributes corresponding to a security domain to transactions (e.g. read/write), while XPU enforces access control policies based on security domains. SMMU maps transactions to security domains and enforces corresponding access control policies.

Vulnerability details: Certain versions of Snapdragon from Qualcomm Inc. contain the following vulnerability:

Memory corruption in kernel due to missing checks when updating the access rights of a memextent mapping. For more information on this design weakness, see the link – https://www.qualcomm.com/company/product-security/bulletins/january-2023-bulletin

My observation: The key word here is memextent, the term Qualcomm's Gunyah hypervisor uses for its memory-extent objects, so we assume this design weakness lies in the Type-1 hypervisor (refer to the attached diagram, point 6).

Reference: Gunyah is a Type-1 hypervisor independent of any high-level OS kernel, and runs in a higher CPU privilege level. It does not depend on any lower-privileged OS kernel/code for its core functionality. This increases its security and can support a much smaller trusted computing base than a Type-2 hypervisor.
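What “missing checks when updating the access rights of a mapping” means in practice, as an added example that is not Qualcomm or Gunyah code: a hypothetical model of a memory extent owned by the hypervisor, a mapping of it into a VM, and the three checks an update operation has to make before it touches the stage-2 translation: that the caller holds the capability to the mapping, that the requested rights do not exceed the ceiling fixed when the extent was created, and that the hypervisor's own policy (here an illustrative W^X rule) is respected. Structure names, rights bits, error codes and the scenario are this example's assumptions.

```c
/* Added example (not Qualcomm or Gunyah code): a hypothetical model of a
 * hypervisor memory extent and of the checks that an "update access rights"
 * operation on a mapping needs. Structure names, rights bits, error codes
 * and the W^X rule are this example's illustrative choices. */
#include <stdint.h>
#include <stdio.h>

#define RIGHT_R 0x1u
#define RIGHT_W 0x2u
#define RIGHT_X 0x4u

struct memextent {
    uint64_t base, size;   /* physical range the extent owns */
    uint8_t  max_rights;   /* ceiling fixed when the extent was created */
};

struct mapping {
    const struct memextent *ext;
    uint32_t owner_vmid;   /* VM holding the capability to this mapping */
    uint8_t  rights;       /* rights currently programmed in the stage-2 tables (modelled) */
};

enum { UPD_OK = 0, UPD_ERR_CAP = -1, UPD_ERR_CEILING = -2, UPD_ERR_WX = -3 };

/* Vulnerable form: applies whatever the caller asks for. */
int update_rights_unchecked(struct mapping *m, uint32_t caller_vmid, uint8_t new_rights) {
    (void)caller_vmid;
    m->rights = new_rights;
    return UPD_OK;
}

/* Checked form: capability, ceiling and policy are verified before the
 * translation tables change. */
int update_rights_checked(struct mapping *m, uint32_t caller_vmid, uint8_t new_rights) {
    if (m->owner_vmid != caller_vmid) return UPD_ERR_CAP;                        /* no capability, no change */
    if ((new_rights & m->ext->max_rights) != new_rights) return UPD_ERR_CEILING;  /* above the extent's ceiling */
    if ((new_rights & (RIGHT_W | RIGHT_X)) == (RIGHT_W | RIGHT_X)) return UPD_ERR_WX; /* no writable code */
    m->rights = new_rights;
    return UPD_OK;
}

/* Constructed scenario: an extent holding firmware that the secure world
 * authenticated (readable and executable, never writable) mapped into VM 1,
 * and a scratch extent whose ceiling allows everything. */
static const struct memextent firmware_ext = { 0x80000000u, 0x100000u, RIGHT_R | RIGHT_X };
static const struct memextent scratch_ext  = { 0x90000000u, 0x010000u, RIGHT_R | RIGHT_W | RIGHT_X };

int demo_unchecked_escalation(void) {   /* VM 2 holds no capability yet makes firmware writable */
    struct mapping m = { &firmware_ext, 1, RIGHT_R | RIGHT_X };
    update_rights_unchecked(&m, 2, RIGHT_R | RIGHT_W | RIGHT_X);
    return m.rights;
}

int demo_checked_foreign_caller(void) { /* same request, refused and rights untouched */
    struct mapping m = { &firmware_ext, 1, RIGHT_R | RIGHT_X };
    int rc = update_rights_checked(&m, 2, RIGHT_R | RIGHT_W | RIGHT_X);
    return m.rights == (RIGHT_R | RIGHT_X) ? rc : 99;
}

int demo_checked_above_ceiling(void) {  /* even the owner may not add write to firmware */
    struct mapping m = { &firmware_ext, 1, RIGHT_R | RIGHT_X };
    return update_rights_checked(&m, 1, RIGHT_R | RIGHT_W);
}

int demo_checked_wx(void) {             /* ceiling allows RWX, policy still refuses W and X together */
    struct mapping m = { &scratch_ext, 1, RIGHT_R | RIGHT_W };
    return update_rights_checked(&m, 1, RIGHT_R | RIGHT_W | RIGHT_X);
}

int demo_checked_drop(void) {           /* dropping rights is always within the ceiling */
    struct mapping m = { &firmware_ext, 1, RIGHT_R | RIGHT_X };
    return update_rights_checked(&m, 1, RIGHT_R) == UPD_OK ? m.rights : -1;
}

int main(void) {
    printf("unchecked=%d foreign=%d ceiling=%d wx=%d drop=%d\n",
           demo_unchecked_escalation(), demo_checked_foreign_caller(),
           demo_checked_above_ceiling(), demo_checked_wx(), demo_checked_drop());
    return 0;
}
```

The unchecked path is the one that matches the bulletin's wording: a request arriving from a lower privilege level rewrites the rights of memory it should never have touched, which is exactly the “memory corruption in kernel” outcome for firmware that was loaded and authenticated in the secure world.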

But how would this design weakness be exploited? There may be an opportunity for an attacker to exploit another vulnerability in order to reach it (see below).

CVE-2023-21420 Use of Externally-Controlled Format String vulnerabilities in STST TA (8th JAN 2023)

Preface: What is Samsung TEEGRIS? Samsung TEEGRIS is a system-wide security solution that allows you to run applications in a trusted execution environment based on TrustZone. We present the TEEGRIS architecture for external developers to enable their trusted applications and services.

Background: TEEGRIS is a relatively recent TEE OS, introduced by Samsung on the Galaxy S10. Most of the newer (starting from 2019) Samsung phones that have Exynos chipsets will also have TEEGRIS running in the TEE.

AArch64 or ARM64 is the 64-bit extension of the ARM architecture family. It was first introduced with the Armv8-A architecture. ARMv8-A CPUs support four privilege levels for each “world”, also known as exception levels:

  • (S-)EL0 – user mode / applications (in the secure world: trusted applications)
  • (S-)EL1 – kernel (in the secure world: the TEE OS, here TEEGRIS)
  • EL2 – hypervisor
  • EL3 – Secure Monitor: the highest exception level, which runs the monitor firmware that switches the core between the normal and the secure world (TrustZone). Trusted applications themselves do not run at EL3; they run at S-EL0 on top of the TEE OS.

Where are the exception vector tables for EL2 and EL3? Each exception level from EL1 upwards has its own vector table, located by its own VBAR_ELx register: EL2 (the hypervisor) and EL3 (the Secure Monitor) each have one. A table is a contiguous 2 KB block of 16 entries of 128 bytes (four exception types for each of four source states); there is no single table shared by all the exception levels.

Remark: If you want to know at which level interrupts and exceptions are handled, remember that the processor must first be told where to find the handler; that is what the exception vector table, and the VBAR_ELx register that points to it, is for.

  • TlApi: set of functions used by trusted applications
  • DrApi: set of functions used by secure drivers

(TlApi and DrApi are the names Trustonic's Kinibi TEE uses for these two layers; TEEGRIS has its own trusted-application and driver interfaces, but the same split applies.)

Whether or not this design weakness was discovered years ago, the vulnerability sits in the set of functions used by the trusted application, and it has been waiting for a vendor fix. That is what the CVE describes.

Vulnerability details:

Severity: High
Affected versions: Q(10), R(11) devices with Teegris
Reported on: June 3, 2022
Disclosure status: Privately disclosed
Use of Externally-Controlled Format String vulnerabilities in STST TA (the [ST] Samsung TEEGRIS Security Target TA) prior to SMR Jan-2023 Release 1 allows arbitrary code execution.
The patch restricts the printing of externally controlled format strings.
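The bug class behind this CVE, as an added example that is not Samsung TEEGRIS code: a toy trusted-application log routine in its vulnerable form (the untrusted string is passed as the format argument) and its fixed form (the format is a literal and the string is only data), plus a scanner that counts the conversion directives an untrusted string would trigger, which is the kind of check a patch that “restricts the print” has to make. Function names, the buffer size and the sample input are this example's assumptions.

```c
/* Added example (not Samsung TEEGRIS code): a toy trusted-application log
 * routine in its vulnerable and fixed forms, plus a scanner that counts the
 * conversion directives an untrusted string would trigger. Function names,
 * buffer size and the sample input are this example's own. */
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 64

/* Vulnerable: the attacker-controlled string is the format argument, so "%x"
 * reads stack words and "%n" writes to memory. */
int ta_log_vulnerable(char *out, size_t out_len, const char *untrusted) {
    return snprintf(out, out_len, untrusted);
}

/* Fixed: the format is a literal and the untrusted string is only data. */
int ta_log_fixed(char *out, size_t out_len, const char *untrusted) {
    return snprintf(out, out_len, "%s", untrusted);
}

/* Number of conversion directives the string contains; "%%" is a literal
 * percent sign and does not count. Useful when reviewing, or gating, code
 * paths that cannot be changed to a literal format. */
int count_format_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

/* Constructed input that is harmless with either routine but shows the
 * difference in interpretation: "%%" collapses to "%" only on the vulnerable path. */
int demo_percent_handling(void) {
    const char *input = "progress 100%% done";
    char vuln[LOG_LINE_MAX], fixed[LOG_LINE_MAX];
    ta_log_vulnerable(vuln, sizeof vuln, input);
    ta_log_fixed(fixed, sizeof fixed, input);
    return strcmp(vuln, "progress 100% done") == 0 && strcmp(fixed, input) == 0;
}

int main(void) {
    printf("interpreted=%d directives=%d\n", demo_percent_handling(),
           count_format_directives("%08x.%08x.%n"));
    return 0;
}
```

The demo deliberately feeds only “%%” to the vulnerable routine; a real “%x…%n” payload would read and write memory it has no business touching, which inside a TA running at S-EL0 is what turns a logging bug into code execution in the TEE.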

Official announcement: SMR-JAN-2023 – Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.

For more information on this design weakness, see the link – https://security.samsungmobile.com/securityUpdate.smsb

CVE-2022-45857 – FortiManager Incorrect user management (6th JAN 2023)

Preface: Every Fortinet product has a built-in administrator account.

Background: Ten years ago, one key function in a business contingency programme was the reset procedure. Textbooks state that the objective of disaster recovery is to resume service, which gave rise to the terms Recovery Point Objective (RPO), Recovery Time Objective (RTO), Work Recovery Time (WRT) and Maximum Tolerable Downtime (MTD).

What about critical service devices, especially firewall appliances? There is no difference, except that at that time cyber security standards were not enforced to today's level.

The password reset procedure depends entirely on the manufacturer's hardware design.

If the recovery procedure can only be performed from a privileged account, it meets the minimum standard: what information security calls access privilege control.

Vulnerability details: An incorrect user management vulnerability [CWE-286] in the FortiManager VDOM creation component may allow an attacker to access a FortiGate without a password via newly created VDOMs after the super_admin profiled admin account is deleted.

Affected Products
At least
FortiManager version 7.0.0 through 7.0.1
FortiManager version 6.4.0 through 6.4.7
FortiManager version 6.2.0 through 6.2.8

Solutions
Please upgrade to FortiManager version 7.0.2 or above
Please upgrade to FortiManager version 6.4.8 or above
Please upgrade to FortiManager version 6.2.9 or above

Official announcement: Please refer to link – https://www.fortiguard.com/psirt/FG-IR-22-371

Cyber Défense from narrow to broad  (5th Jan 2023)

Preface: Sustainability has been a buzzword in recent years. It applies to business, culture, even our education. A slogan: keep learning. Maybe it is the Cantonese mantra, one is never too old to learn. Perhaps it also applies to cyber security protection.

Background: In the last twenty years, computing technology has driven the growth of the world, above all the rapid growth of telecommunications and especially the TCP/IP protocol suite. This technology unintentionally interconnected different zones and cultures, and the TCP/IP network protocol empowered the transformation of the industrial world. So we have Industry 4.0, smart-city facilities and smart homes. This is the theory of sustainability, though the keyword only appeared in the last five years.

We are all concerned about privacy, so European countries and the European Union drove the GDPR. Whatever data travels on the internet, including your personal data and web-browser cookies, falls within its protection. Before that, cyber security vendors, especially antivirus and protection vendors, had already developed predictive technology. Their method is passive information gathering: when an incident involving an unknown cyber attack occurs, they enhance their protection based on your earlier activity logs.

Cyber defence from narrow to broad: set up monitoring and logging of systems that trip the DNS sinkhole so that they can be investigated and remediated if they are infected with malware. Until now, such services have been run by private businesses, so if you can afford to pay for the service you receive updates from the online world, and to avoid risking your connection the service is integrated into your defence solution. Perhaps this is a narrow usage.

We all know that artificial intelligence improves our lives, but it relies on data. In fact, enterprise companies, especially Amazon, Google and Cisco, already use AI technologies in their cyber defence solutions, so their umbrella covers a lot: prevention, detection and correction are all in place. However, they are running businesses and have not disclosed their technology to the public.

But when will general artificial intelligence arrive? For example, this month a cyber security vendor discovered malicious activity that infects Linux operating systems. AI can target such activities and make predictions (see attached image).

Sustainability seems to be the definition of the big-data world. Accumulating data into a database is a long-term process, so the keywords accumulate and sustainable have something in common.

For more information about cyber-attacks against Linux environments, you can find the details at the link – https://asec.ahnlab.com/en/45182/

CVE-2022-32635 – Improper input validation for GPS on mediatek chipsets (4th JAN 2023)

Preface: The Global Positioning System (GPS) computes a receiver's position by trilateration, that is from measured distances rather than angles: the receiver times the signals from at least four satellites (three ranges fix the position and the fourth resolves the receiver's own clock error) and intersects the resulting ranges.

I have a set of coordinates, that I receive from GPS. Query to calculate the travelled distance:

SELECT ST_Length(ST_Transform(ST_MakeLine(points ORDER BY recorded_at), 26986)) AS distance_travelled
FROM gps_track;

The table name gps_track and the ordering column recorded_at are assumed here to make the query complete. SRID 26986 is NAD83 / Massachusetts Mainland, a projection in metres, so the transform only yields a sensible length for points in that area; elsewhere substitute the local projected CRS.

Background:  GPSD is a service daemon that monitors one or more GPSes or AIS receivers attached to a host computer through serial or USB ports, making all data on the location/course/velocity of the sensors available to be queried on TCP port 2947 of the host computer.

The Android smartphone operating system (from version 4.0 onwards, and possibly earlier) is reported to use GPSD to monitor the phone’s on-board GPS, so every location-aware Android app would indirectly be a GPSD client.

MediaTek, along with Qualcomm, is one of the most important third-party chipmakers in the Android smartphone ecosystem.

MediaTek's GPS software is distributed free of charge but is not open source, so its code is not public; the native driver and HAL code that this CVE concerns cannot be audited from outside.

Vulnerability details: In GPS, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets: MT6580, MT6735, MT6739, MT6753, MT6757, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6891, MT6893, MT6895, MT6983, MT8167, MT8168, MT8173, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8667, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions: Android 10.0, 11.0, 12.0, 13.0

Official announcement: For details, see the link –

Mediatek – https://corp.mediatek.com/product-security-bulletin/January-2023

Android – https://source.android.com/docs/security/bulletin/2023-01-01

CVE-2022-42475 A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN (2nd JAN 2023)

Preface: An SSL VPN is by design exposed to the Internet, so that the service can be used from anywhere.

Fortinet has patched a zero-day buffer overflow in FortiOS that could lead to remote code execution. There has been a report of active exploitation, and organizations should patch urgently (reported two weeks before this post, on Dec 12, 2022).

Background: An SSL VPN is established from a client outside the base network to a FortiGate inside it, so that external clients can reach the inside of the base network. The VPN client software, FortiClient, must be installed on the external client.

Vulnerability details: A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Official announcement: For details, see the link – https://www.fortiguard.com/psirt/FG-IR-22-398

Workaround: Disable SSL-VPN.
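Because exploitation was already reported, patching alone is not enough; the advisory linked above lists indicators of compromise, among them repeated crash log entries for the sslvpnd process. As an added example that is not Fortinet's code, the following scanner checks FortiOS-style log lines for that crash signature. The log lines are constructed for this example; only the “Application crashed … application:sslvpnd … Signal 11” pattern is taken from the advisory.

```c
/* Added example (not Fortinet's code): a scanner for the sslvpnd crash
 * signature that Fortinet's advisory lists as an indicator of compromise,
 * run over constructed FortiOS-style log lines. The lines below are made up
 * for this example; only the crash pattern is taken from the advisory. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const char *sample_log[] = {
    "logdesc=\"Admin login successful\" user=\"admin\" ui=\"https(203.0.113.5)\"",
    "Logdesc=\"Application crashed\" msg=\"[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]\"",
    "logdesc=\"System performance statistics\" cpu=5 mem=40",
    "Logdesc=\"Application crashed\" msg=\"[...] application:ipsengine,[...], Signal 11 received, Backtrace: [...]\"",
    "Logdesc=\"Application crashed\" msg=\"[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]\"",
};
#define SAMPLE_LOG_LINES (sizeof sample_log / sizeof sample_log[0])

/* Case-insensitive substring search; strcasestr is not in ISO C. */
static const char *find_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i])) i++;
        if (i == n) return hay;
    }
    return n == 0 ? hay : NULL;
}

/* 1 if the line matches the advisory's crash signature for sslvpnd. */
int line_is_sslvpnd_crash(const char *line) {
    return find_ci(line, "Application crashed") != NULL &&
           find_ci(line, "application:sslvpnd") != NULL &&
           find_ci(line, "Signal 11") != NULL;
}

/* Number of matching lines; repeated matches are the advisory's indicator. */
int count_sslvpnd_crashes(const char *const *lines, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) hits += line_is_sslvpnd_crash(lines[i]);
    return hits;
}

int main(void) {
    int hits = count_sslvpnd_crashes(sample_log, SAMPLE_LOG_LINES);
    printf("sslvpnd crash entries: %d%s\n", hits,
           hits > 1 ? " (multiple: investigate per FG-IR-22-398)" : "");
    return 0;
}
```

A single sslvpnd crash can be benign; the advisory's indicator is multiple such entries, which is why the count, not just the match, is returned. Run the same check over logs from before the patch date as well, since a device that was exploited and then patched still needs its credentials rotated and its filesystem reviewed.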

CVE-2022-48198 About Robot Operating System (ROS) Vulnerabilities (2nd Jan 2023)

Preface: As a child you would think of the moon and Mars, and then of robots and extraterrestrials; you would not think about design weaknesses, so-called vulnerabilities.

Background: Robot Operating System (ROS) is a set of open source algorithms, hardware driver software and tools for developing robot control software. Despite having “operating system” in its name, it is not an operating system.

  • Communication System (Publish Subscribe and Remote Method Invocation),
  • Framework & Tools (Build system & dependency management, Visualization, Record and Replay)
  • Ecosystem (Language bindings, Drivers, libraries and simulation (Gazebo)).

Distributed applications are designed as units called nodes. In robotic systems, sensors (lidars, cameras) motion controllers (motors that provide motion), and algorithmic components (route planners) can all be nodes. ROS 2 separates the node concept from the OS-level process structure.

All nodes in the system can be run on a single computer or they can be distributed and run across multiple computers.

Vulnerability details: The ntpd_driver component before 1.3.0 and 2.x before 2.2.0 for Robot Operating System (ROS) allows attackers, who control the source code of a different node in the same ROS application, to change a robot’s behavior.

Official announcement: For details, see the link – https://nvd.nist.gov/vuln/detail/CVE-2022-48198

Wishing you all a very happy New Year! May your 2023 be filled with love and happiness.

antihackingonline.com