CVE-2022-3642 – Insecure Default Variable Initialization on IoT USB adapter (21st Oct 2022)

Preface: In some languages such as C and C++, stack variables are not initialized by default. They generally contain junk data with the contents of stack memory before the function was invoked. An attacker can sometimes control or read these contents.

Background: Wireless routers have fourteen different channels they can use for 2.4 GHz Wi-Fi, but three of them are off limits. Channels 12 and 13 are allowed in low-power mode, while channel 14 is banned—and only allowed in Japan.
To date, the most common Wi-Fi frequency bands in widespread use are 2.4 GHz and 5 GHz.

It is not clear whether low-cost USB Wi-Fi adapters are still of interest to computer users, but suppliers of low-cost IoT products are still in demand.
For example, the USB Wi-Fi module rtl8188fu: rtl8188fu support will be added to the rtl8xxxu module of the Linux kernel.
However, if you are using kernel 5.15 or 5.16, you must create a configuration file with the following command to prevent the rtl8188fu module from conflicting with the built-in r8188eu module.

echo 'alias usb:v0BDApF179d*dc*dsc*dp*icFFiscFFipFFin* rtl8188fu' | sudo tee /etc/modprobe.d/r8188eu-blacklist.conf

Vulnerability details: A vulnerability classified as problematic has been found in Linux Kernel. This affects the function rtl8188f_spur_calibration of the file drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8188f.c of the component Wireless. The manipulation of the argument hw_ctrl_s1/sw_ctrl_s1 leads to use of uninitialized variable. It is recommended to apply a patch to fix this issue.

Please refer to the link for details – https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git/commit/?id=80e5acb6dd72b25a6e6527443b9e9c1c3a7bcef6

CVE-2022-3621 NILFS inode.c null pointer design weakness (20th Oct 2022)

Preface: NILFS was merged into Linux as the first file system from Japan in June 2009. This work was completed by NTT Cyber Space Laboratories.
NILFS is a file system for Linux that saves a snapshot, a historical view of the file system, automatically and continuously. This feature enables the system not only to quickly recover from system failures, but also to recover from human operation errors because the system’s state can be restored from any point in the past.

Background: Each file in a filesystem has a unique inode number. A typical allocation heuristic for inodes in a file system is one inode for every 2K bytes contained in the filesystem. The inode number indexes a table of inodes in a known location on the device.
You may have created your ext3 filesystem with a smaller block size. The ext3 default block size is 4096 bytes. If you use your filesystem for storing lots of very small files, you might create it with a block size of 1024 or 2048. This lets you use your disk space more efficiently, but raises the likelihood of running low on inodes.
An inode stores metadata about the file it refers to. The metadata contains size, permissions, owner/group, location on the hard drive, date/time and other information.
NILFS or NILFS2 (New Implementation of a Log-structured File System) is a log-structured file system implementation for the Linux kernel. Using a copy-on-write technique known as “nothing in life is free”, NILFS records all data in a continuous log-like format that is only appended to, never overwritten, an approach that is designed to reduce seek times, as well as minimize the kind of data loss that occurs after a crash with conventional file systems. For example, data loss occurs on ext3 file systems when the system crashes during a write operation. When the system reboots, the journal notes that the write did not complete, and any partial data writes are lost.
An ordinary file is just a sequence of data bytes stored in some physical device without any name attached to it. The administrative information of this file, such as owner, permissions, size, times, etc., is stored in the inode structure of the file. All of the file system’s inodes are collected together to form an inode table. Each file system occupies a logical disk.

Vulnerability details: A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_bmap_lookup_at_level of the file fs/nilfs2/inode.c of the component nilfs2. The manipulation leads to null pointer dereference. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211920.

A null-pointer dereference takes place when a pointer with a value of NULL is used as though it pointed to a valid memory area. Null-pointer dereferences, while common, can generally be found and corrected in a simple way.

For more technical details, please refer to the official announcement – https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id=21a87d88c2253350e115029f14fe2a10a7e6c856

New faces replace traditional attack tools (Oct 20, 2022)

Preface: In the IoT and IIoT world, Windows and Linux-based operating systems have become the mainstream technology. The endpoint devices are mainly based on a Linux operating system as their design baseline. If you have the chance to explore the operating system architecture of IIoT and IoT, you will find that it is a Linux world. Even the IoT monitoring API (mini dashboard) installed on your mobile phone runs on Linux.
Perhaps the border between IT and consumer IoT can be categorized by operating system. Why? Because mainstream information technology (IT) deploys Windows systems.
The concept above might not apply to the industrial area. As you know, OPC technology has been implemented in OT environments for nearly 20 years. Perhaps OPC-UA is based on Linux. But when you look at it from a wide angle, it shows that a hybrid OS architecture design has settled into the OT space.

Background: About two decades ago, PsExec was a powerful tool. Meanwhile, threat actors misused and transformed this program into an attack tool. In fact, PsExec can help run scripts and exploit vulnerabilities when malware downloads payloads to victim machines. Why do they use the PsExec program? Because the target is a Windows-based machine. A few years ago, hackers misused the PowerShell language and jeopardized a bunch of MS Exchange servers. As of today, PowerShell is still capable of being used in cyber attacks on misconfigured system environments. Long story short, IoT and IIoT devices are based on Linux. It seems that the serious effects above can be avoided. Is this real?

Details: The common programming language in the IoT and IIoT environment is Python. As we have heard so far, when IoT devices are vulnerable they can be transformed into a botnet and used to engage in cyber attacks. But in what way do they do this?
CISA discovery activity shows that a new method for engaging in cyber attacks uses two Impacket tools: wmiexec.py and smbexec.py.
smbexec.py uses a similar approach to psexec without using RemComSvc. RemComSvc.exe is a tool used to execute remote commands on agent machines. Actors used the Impacket tools wmiexec.py and smbexec.py to leverage Windows Management Instrumentation and execute malicious commands.
According to the above information, this is a new way for botnet activity to effectively affect the Microsoft operating system architecture environment.
But don't take this approach lightly. People may feel that when a Windows machine does not have Python installed there is no chance of falling into this attack scenario. The details below show that Python scripts can still run if Python is not installed on the Windows PC.

You can either use py2exe or use the Python exe without installing. py2exe requires setting up an environment with Python beforehand, as it is an extension of Distutils. Create a file called setup.py with the following content:

from distutils.core import setup
import py2exe
# script.py is the Python script to be frozen into a console executable
setup(console=['script.py'])

For using Python without installing it:
You can download the latest version in zip format, extract it into any folder and add that folder to your PATH environment variable so you can execute python from any directory, or use the exact path to the python exe.

For more technical details, please refer to the official CISA article – https://www.cisa.gov/uscert/ncas/alerts/aa22-277a

History:

  • The July 2004 issue of Windows IT Pro Magazine carries Mark's article covering advanced usage of PsExec.
  • Threat actors assigned the Application Impersonation role to the service account by running the following PowerShell command for managing Exchange:
    powershell add-pssnapin exchange;New-ManagementRoleAssignment -Name:"Journaling-Logs" -Role:ApplicationImpersonation -User:
    This command gave the service account the ability to access other users' mailboxes.
  • In Oct 2022, CISA found two different Python scripts frequently used by attackers, the so-called wmiexec.py and smbexec.py.
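As an added illustration (not part of the original post or of CISA's advisory), the following Python detection logic scans constructed Sysmon-style process-creation events for the default command-line shapes of the two Impacket scripts named above; the event fields, sample values and regexes are assumptions made for this example.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events, not real telemetry. The command
# lines mirror the documented default behaviour of the public Impacket scripts:
# wmiexec.py runs "cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1" as a
# child of WmiPrvSE.exe, and smbexec.py installs a service whose command writes the
# wanted command into %TEMP%\execute.bat and redirects output to \\127.0.0.1\C$\__output.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1666000000.1234 2>&1"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"%COMSPEC% /Q /c echo ipconfig ^> \\127.0.0.1\C$\__output 2^>&1 "
                    r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users > C:\Temp\listing.txt"},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo benign"},
]

# Output redirected to the local admin share with the "__<epoch>" file name used by wmiexec.py.
WMIEXEC_RE = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(?:\.\d+)?\s+2>&1", re.IGNORECASE)
# smbexec.py's batch-file staging plus its "__output" file on the C$ share.
SMBEXEC_RE = re.compile(r"\\\\127\.0\.0\.1\\C\$\\__output.*execute\.bat", re.IGNORECASE)


def classify(event: Dict[str, str]) -> str:
    """Return 'wmiexec', 'smbexec' or '' for one process-creation event."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    # wmiexec.py commands are spawned by the WMI provider host, so require that parent too.
    if WMIEXEC_RE.search(cmd) and parent.endswith("wmiprvse.exe"):
        return "wmiexec"
    if SMBEXEC_RE.search(cmd):
        return "smbexec"
    return ""


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over a batch of events and collect the matches."""
    findings = []
    for index, event in enumerate(events):
        tool = classify(event)
        if tool:
            findings.append({"index": index, "tool": tool, "CommandLine": event["CommandLine"]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["tool"], "->", finding["CommandLine"])
```

The share, host and output file name are script options, so a match is a high-confidence default-signature hit rather than complete coverage of every Impacket invocation.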

CVE-2022-31813: Hop-by-hop definition of RFC 2616 (13.5.1) as a vulnerability in Oracle Secure Backup (18th Oct 2022)

Preface: The X-Forwarded-For request header is automatically added and helps you identify the IP address of a client when you use an HTTP or HTTPS load balancer. Because load balancers intercept traffic between clients and servers, your server access logs contain only the IP address of the load balancer. To see the IP address of the client, use the X-Forwarded-For request header.

Background: The observiced service daemon provides a wide variety of services. It runs continually on the administrative server, media server, and client. On the administrative server, observiced runs jobs at the request of the schedule daemon, cleans up log files and transcripts, and provides access to Oracle Secure Backup configuration data to other hosts in the domain.
observiced starts the schedule daemon and the Apache Web server during initialization.
When running on a media server or client, observiced handles membership in an administrative domain, allows for remote administration of the host, and handles certificate operations. The identity certificate of the requesting host is used to verify that it is permitted to invoke the operation.
The obhttpd daemon provides the Web tool for Oracle Secure Backup. This daemon runs continually on the administrative server. The Web server daemon is signaled to start by the observiced daemon, which itself is normally started as part of system startup.

Vulnerability Details: Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.
Additional CVEs addressed: the patch for CVE-2022-31813 also addresses CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, and CVE-2022-30556.

According to RFC 2616 13.5.1, the following is stated:
Hop-by-hop headers, which are meaningful only for a single transport-level connection, and are not stored by caches or forwarded by proxies.

If step 3 in the attached diagram is handled hop-by-hop, the X-Forwarded headers no longer carry the client IP address. As a result, the access control can be bypassed.
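An added Python model of the forwarding step described above (example code, not Apache's or Oracle's): a proxy that applies the hop-by-hop filter after adding X-Forwarded-* loses the client address when the client's Connection header names that header, while the fixed ordering keeps it; the origin check, hostnames and addresses are constructed for the example.

```python
from typing import Dict, Set, Tuple

# Hop-by-hop header names from RFC 2616 13.5.1: a proxy must not forward these.
RFC2616_HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade",
}


def _get(headers: Dict[str, str], name: str, default: str = "") -> str:
    """Case-insensitive header lookup."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), default)


def connection_tokens(headers: Dict[str, str]) -> Set[str]:
    """Extra names the sender declared hop-by-hop via 'Connection: a, b'."""
    return {t.strip().lower() for t in _get(headers, "Connection").split(",") if t.strip()}


def strip_hop_by_hop(headers: Dict[str, str]) -> Dict[str, str]:
    """Drop the RFC 2616 hop-by-hop set plus whatever the Connection header names."""
    drop = RFC2616_HOP_BY_HOP | connection_tokens(headers)
    return {k: v for k, v in headers.items() if k.lower() not in drop}


def proxy_forward_vulnerable(client_headers: Dict[str, str], client_ip: str, proxy_host: str) -> Dict[str, str]:
    """Adds X-Forwarded-* first and filters hop-by-hop headers afterwards, so a client
    Connection header that names X-Forwarded-For removes the proxy's own copy."""
    out = dict(client_headers)
    out["X-Forwarded-For"] = client_ip
    out["X-Forwarded-Host"] = _get(client_headers, "Host")
    out["X-Forwarded-Server"] = proxy_host
    return strip_hop_by_hop(out)


def proxy_forward_fixed(client_headers: Dict[str, str], client_ip: str, proxy_host: str) -> Dict[str, str]:
    """Filters the client's hop-by-hop headers first, then adds X-Forwarded-*; the
    client's Connection tokens can no longer reach the proxy-generated headers."""
    out = strip_hop_by_hop(client_headers)
    out["X-Forwarded-For"] = client_ip
    out["X-Forwarded-Host"] = _get(client_headers, "Host")
    out["X-Forwarded-Server"] = proxy_host
    return out


def origin_allows(forwarded: Dict[str, str], peer_ip: str, allowlist: Set[str]) -> Tuple[bool, str]:
    """Origin-side IP check that trusts X-Forwarded-For when present and otherwise falls
    back to the TCP peer (the proxy). Returns (decision, address that was evaluated)."""
    effective = _get(forwarded, "X-Forwarded-For", peer_ip)
    return effective in allowlist, effective


# Constructed scenario: an untrusted client behind a proxy whose own address is trusted.
CLIENT_IP, PROXY_IP, PROXY_HOST = "203.0.113.7", "10.0.0.2", "proxy.example.test"
ALLOWLIST = {"10.0.0.2", "10.0.0.5"}
CLIENT_HEADERS = {"Host": "backup.example.test", "Connection": "close, X-Forwarded-For"}


def demo(forward) -> Tuple[bool, str]:
    """Forward CLIENT_HEADERS through the given proxy implementation and run the origin check."""
    return origin_allows(forward(CLIENT_HEADERS, CLIENT_IP, PROXY_HOST), PROXY_IP, ALLOWLIST)


if __name__ == "__main__":
    print("vulnerable proxy:", demo(proxy_forward_vulnerable))  # (True, '10.0.0.2'): bypass
    print("fixed proxy:     ", demo(proxy_forward_fixed))       # (False, '203.0.113.7')
```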

Official announcement: Oracle Critical Patch Update Bulletin – October 2022 has been released. See the link for details – https://www.oracle.com/security-alerts/cpuoct2022.html

CVE-2022-3541 has impact on IoT Linux chips and should be upgraded with firmware (17th Oct 2022)

Preface: BPF introduced two big innovations in packet filtering:

  • A new virtual machine (VM) designed to work efficiently with register-based CPUs.
  • The usage of per-application buffers that could filter packets without copying all the packet information. This minimized the amount of data BPF required to make decisions.

Background: BPF programs are designed to run in the Linux kernel, which is written in C; hence BPF defines an instruction set compatible with the two most used architectures, x64 and arm64.
BPF allows a user-space program to attach a filter onto any socket and allow or disallow certain types of data to come through the socket. LSF follows exactly the same filter code structure as BSD's BPF, so referring to the BSD bpf.4 manpage is very helpful in creating filters.
The new generation of IoT security framework implements a packet filtering mechanism on the gateway side in order to mitigate DoS network attacks. The packet filtering module can cover all the networking stack layers, focusing on the Message Queuing Telemetry Transport (MQTT) / MQTT for Sensor Networks (MQTT-SN) and CoAP application layer protocols. The network filter layer consists of two sub-modules: the packet filter mechanism on the kernel side and the userspace filter component. The packet filtering on the kernel side is implemented with Berkeley Packet Filter or Extended Berkeley Packet Filter (eBPF) technology.
An SoC that has the power of a Linux-grade chip and the integration simplicity of a microcontroller is a so-called IoT Linux chip. CVE-2022-3541 has an impact on IoT Linux chips, which should be upgraded with firmware.

Vulnerability Details: CVE-2022-3541 A vulnerability classified as critical has been found in Linux Kernel. This affects the function spl2sw_nvmem_get_mac_address of the file drivers/net/ethernet/sunplus/spl2sw_driver.c of the component BPF. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue.

For official announcement, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2022-3541

Security Focus – CVE-2022-3524 Ping6 command (16th Oct 2022)

Preface: The ping6 command uses ICMPv6 ECHO_REQUEST to check network connectivity. This design weakness was found in July 2022 (a few months ago). The remedy looks simple; the key element is to destroy the ping6 socket – inet6_destroy_sock(sk);

Background: In computing, a system call (commonly abbreviated to syscall) is the programmatic way in which a computer program requests a service from the kernel of the operating system on which it is executed.
Since the ping command uses ICMP, you can strace the command (as root) to find out the syscalls involved.
$ strace -e trace=network ping 127.0.0.1 -c 1 -4
During the process you can see a bunch of setsockopt system calls, but they are all on the first socket that was created,
i.e. for IPPROTO_ICMP with file descriptor 3.
Finally, we have the sendto and recvmsg system calls, which are used to send the IP packet (with the ICMP packet embedded in it) to the destination host and then receive the reply from the destination host, respectively.

Remark: The special aspect of file descriptor 3 is that it will usually be the first file descriptor returned from a system call that allocates a new file descriptor, given that 0, 1 and 2 are usually set up for stdin, stdout and stderr.
This means that if any library function you have called allocates a file descriptor for its own internal purposes in order to perform its functions, it will get fd 3.

Vulnerability details: A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function ipv6_renew_options of the component IPv6 Handler. The manipulation leads to memory leak. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211021 was assigned to this vulnerability.

Remark: When we close ping6 sockets, some resources are left unfreed because pingv6_prot is missing sk->sk_prot->destroy().
As reported by syzbot [0], just three syscalls leak 96 bytes and easily cause OOM.

Technical details can be found at the following link – https://nvd.nist.gov/vuln/detail/CVE-2022-3524

CVE-2022-20436 – Android design weakness. There is an unauthorized service in the system service. (11th Oct 2022)

Preface: Looking back at the history of Android, explore Android's ongoing evolution with this visual timeline of versions, starting with Cupcake (early 2009's Android 1.5) and going all the way to 2022's Android 13 release. It really was a revolution from cordless phones to smart devices.

Background: What is the role of ActivityManager in an Android app?
This class gives information about, and interacts with, activities, services, and the containing process. A number of the methods in this class are for debugging or informational purposes and they should not be used to affect any runtime behavior of your app.

Vulnerability details: There is an unauthorized service in the system service. Since the component does not have a permission check, this results in local elevation of privilege. Product: Android. Versions: Android SoC. Android ID: A-242248369
References: https://source.android.com/security/bulletin/2022-10-01

The technical bulletin from Android states that the vulnerability below affects UNISOC components and that further details are available directly from UNISOC. The severity assessment of these issues is provided directly by UNISOC.

My observation: Since the remedy is to strip sensitive information from the options before sending them to the app, and furthermore, per points 10 to 13 on the diagram, all process flow arrives at the Activity manager and then reaches Zygote, any sensitive information passed into ActivityManager via ActivityOptions can make its way to an unrelated app. Recently a RemoteTransition object was added which includes some sensitive information.

Security Focus: CVE-2022-42012 – Design flaw in the Dbus daemon (10/10/2022)

Preface: D-Bus has nothing to do with the kernel or the driver, but nothing prevents drivers from having a D-Bus service too, if that is their design. There are two standard message bus instances: the systemwide message bus (installed on many systems as the “messagebus” init service) and the per-user-login-session message bus (started each time a user logs in). dbus-daemon is used for both of these instances, but with a different configuration file.

Background: Endianness means that the bytes in computer memory are read in a certain order.
Big-endian is an order in which the “big end” (most significant value in the sequence) is stored first, at the lowest storage address. Little-endian is an order in which the “little end” (least significant value in the sequence) is stored first.

As we know:

  • On processors that handle data in big-endian, the bytes are read from left to right and stored in memory starting at the low address.
  • On processors that handle data in little-endian, to store B139F546, the bytes are read from right to left and stored in memory starting at the low address.

Technical spec:

  • Intel 32-bit and 64-bit processors running Windows and Linux interpret data in little-endian
  • ARM M1 chip running Mac OS interprets data in big-endian
  • Intel processors running Mac OS interpret data in little-endian

Vulnerability details:
CVE-2022-42010 – An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures.
Affected versions: D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2.
https://www.suse.com/security/cve/CVE-2022-42010.html

CVE-2022-42011 – An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type.
Affected versions: D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2.
https://gitlab.freedesktop.org/dbus/dbus/-/issues/413

CVE-2022-42012 – A message in non-native endianness with out-of-band Unix file descriptors would cause a use-after-free and possible memory corruption in production builds, or an assertion failure in debug builds.
Remark: For my speculation about this vulnerability, please refer to the attached diagram.
Affected version: D-Bus prior to 1.12.24, 1.13.x and 1.14.x prior to 1.14.4, and 1.15.x prior to 1.15.2
https://ubuntu.com/security/CVE-2022-42012
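As an added example (not code from the D-Bus project), the following Python parser decodes a D-Bus message header using the endianness byte the sender declared rather than the host's byte order, and checks that the UNIX_FDS count in the header matches the descriptors actually received; the sample messages are constructed and carry only that one header field.

```python
import struct
import sys
from typing import Dict

# Header field codes from the D-Bus wire-format specification.
FIELD_REPLY_SERIAL, FIELD_SIGNATURE, FIELD_UNIX_FDS = 5, 8, 9


def _align(offset: int, boundary: int) -> int:
    return (offset + boundary - 1) & ~(boundary - 1)


def parse_header(msg: bytes) -> Dict[str, object]:
    """Decode the fixed 12-byte header and the header-field array, using the byte
    order announced by the first byte ('l' little-endian, 'B' big-endian) rather
    than the host's, so a non-native message is read the way the sender wrote it."""
    if len(msg) < 16:
        raise ValueError("message shorter than the fixed header")
    if msg[0:1] == b"l":
        fmt = "<"
    elif msg[0:1] == b"B":
        fmt = ">"
    else:
        raise ValueError("invalid endianness byte %r" % msg[0:1])
    native = (fmt == "<") == (sys.byteorder == "little")
    msg_type, flags, version = msg[1], msg[2], msg[3]
    body_len, serial, fields_len = struct.unpack(fmt + "III", msg[4:16])
    fields: Dict[int, object] = {}
    offset, end = 16, 16 + fields_len          # array elements start 8-aligned at 16
    if end > len(msg):
        raise ValueError("header field array runs past the end of the message")
    while offset < end:
        offset = _align(offset, 8)             # each (BYTE code, VARIANT) struct is 8-aligned
        code, sig_len = msg[offset], msg[offset + 1]
        sig = msg[offset + 2: offset + 2 + sig_len].decode("ascii")
        offset += 2 + sig_len + 1              # code, signature length, signature, NUL
        if sig == "u":                         # UINT32 (REPLY_SERIAL, UNIX_FDS)
            offset = _align(offset, 4)
            value = struct.unpack(fmt + "I", msg[offset: offset + 4])[0]
            offset += 4
        elif sig in ("s", "o"):                # STRING / OBJECT_PATH: UINT32 length, bytes, NUL
            offset = _align(offset, 4)
            slen = struct.unpack(fmt + "I", msg[offset: offset + 4])[0]
            value = msg[offset + 4: offset + 4 + slen].decode("utf-8")
            offset += 4 + slen + 1
        elif sig == "g":                       # SIGNATURE: BYTE length, bytes, NUL
            slen = msg[offset]
            value = msg[offset + 1: offset + 1 + slen].decode("ascii")
            offset += 1 + slen + 1
        else:
            raise ValueError("unsupported header field signature %r" % sig)
        fields[code] = value
    return {"native": native, "type": msg_type, "flags": flags, "version": version,
            "body_len": body_len, "serial": serial, "fields": fields}


def fds_consistent(msg: bytes, received_fds: int) -> bool:
    """Receiver-side check before any out-of-band fd is used: the UNIX_FDS count the
    header declares must equal the number of descriptors that actually arrived."""
    declared = parse_header(msg)["fields"].get(FIELD_UNIX_FDS, 0)
    return declared == received_fds


def build_sample(endian: str, unix_fds: int) -> bytes:
    """Constructed METHOD_CALL header (no body) carrying a single UNIX_FDS field."""
    fmt = "<" if endian == "l" else ">"
    field = bytes([FIELD_UNIX_FDS, 1, ord("u"), 0]) + struct.pack(fmt + "I", unix_fds)
    return endian.encode("ascii") + bytes([1, 0, 1]) + struct.pack(fmt + "III", 0, 1, len(field)) + field
```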

CVE-2022-42703 – mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse. (9th Oct 2022)

Preface: Memory is managed differently depending on the programming language in which the application is written. Some languages, such as C, require the programmer to manage direct allocation of memory.

Background: There is usually a requirement in the kernel to find all VMAs that map a given page through the struct page data structure. Early Linux kernel implementations scanned the VMAs of all processes, which was quite time consuming. During the development of Linux 2.5 the concept of reverse mapping was formed, and the current version took shape after years of optimization.

The focus of the vulnerability – virtual memory regions can be reused in the following situation.
The ->degree optimization leads to leaf nodes being abandoned on anon_vma_clone() – an existing anon_vma is reused and no new parent-child relationship is created. This is why the assumption made in the code is wrong.

Since rmap.c is located in the Linux kernel, an unforeseen risk arises when a use-after-free vulnerability happens there.

Official details: Please refer to this external link – https://www.tenable.com/cve/CVE-2022-42703

Remedy: Upgrading to version 5.19.7 eliminates this vulnerability.

CVE-2022-39280 – ReDoS issue in dparse (6th Oct 2022)

Preface: Python can be used to develop a wide variety of applications, including web applications, gaming applications, enterprise applications, ML applications, image processing, text processing, and more.

Background: When managing Python environments, one of the key concerns is dependency management. Dependencies are all of the software components required by your project in order for it to work as intended and avoid runtime errors.
The Python Package Index (PyPI) is a repository of software for the Python programming language.

  • PyPI helps you find and install software developed and shared by the Python community.
  • Package authors use PyPI to distribute their software.
Dependencies in Python are managed with pip and expressed in a metadata file called requirements.txt.

Vulnerability details: dparse is a parser for Python dependency files. dparse in versions before 0.5.2 contains a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). All users parsing index server URLs with dparse are impacted by this vulnerability.

Remedy: A patch has been applied in version 0.5.2; all users are advised to upgrade to 0.5.2 as soon as possible. Users unable to upgrade should avoid passing index server URLs in the source file to be parsed.

Ref: https://github.com/pyupio/dparse/commit/d87364f9db9ab916451b1b036cfeb039e726e614
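An added Python helper (not part of dparse) that implements the workaround in the remedy above by removing index-server lines from requirements.txt text before it is handed to the parser; the sample file and the line-length cap are assumptions of this example.

```python
import re
from typing import List, Tuple

# Line-level pip options that name an index server (pip requirements-file syntax).
_INDEX_LINE = re.compile(r"^\s*(?:-i|--index-url|--extra-index-url)(?:\s*=\s*|\s+)\S+")
MAX_LINE_LENGTH = 512  # assumption: backtracking cost grows with input length, so cap it too


def strip_index_urls(requirements: str, max_len: int = MAX_LINE_LENGTH) -> Tuple[str, List[str]]:
    """Return (cleaned text, removed lines). Index-server lines are removed so they never
    reach the vulnerable URL regex; over-long lines are removed for the same reason."""
    kept, removed = [], []
    for line in requirements.splitlines():
        if _INDEX_LINE.match(line) or len(line) > max_len:
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


# Constructed requirements.txt content, not a real project file.
SAMPLE_REQUIREMENTS = """\
# pinned dependencies
-i https://pypi.example.test/simple/
--extra-index-url=https://mirror.example.test/simple
requests==2.28.1
django>=4.1,<4.2  # web framework
"""


if __name__ == "__main__":
    cleaned, dropped = strip_index_urls(SAMPLE_REQUIREMENTS)
    print("removed", len(dropped), "line(s)")
    print(cleaned)
```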
