Preface: Is cloud computing in demand in 2022? Their latest forecast predicts the spending on public cloud services to jump from $257.5 billion in 2020 to $304.9 billion in 2022 as cloud services play a central role in helping businesses recover from the onslaughts of the pandemic.
The current version of NFS is also called NFS v4 but was implemented through RFC 3530. In 2003, it was published. Since then, compared to early NFS v4, NFS v4 has improved a lot in terms of optional features, such as protection, caching, locking, and message communication performance. While NFS has PC capabilities, it has often been treated as a file-oriented protocol rather than the PC environment for UNIX and Linux operating systems. Microsoft Azure, a popular public cloud service, offers Azure Files, a cloud-based distributed file which supports NFS 4.1 since September 2020, in the Azure Files premium tier only.

Background: NFS is an RPC-based protocol, with a client-server relationship between the machine having the filesystem to be distributed and the machine wanting access to that filesystem. Each version of the NFS RPC protocol contains several procedures. The basic procedures performed on an NFS server can be grouped into directory operations, file operations, link operations, and filesystem operations. The nfsd daemon runs on a server and handles client requests for file system operations. Each daemon handles one request at a time. Assign the maximum number of threads based on the load you expect the server to handle.

• NFS version 3 (NFSv3) supports safe asynchronous writes and is more robust at error handling than the previous NFSv2; it also supports 64-bit file sizes and offsets, allowing clients to access more than 2 GB of file data.
• NFS version 4 (NFSv4) works through firewalls and on the Internet, no longer requires an rpcbind service, supports Access Control Lists (ACLs), and utilizes stateful operations.

Vulnerability details:
CVE-2022-43945 – The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2 are vulnerable to buffer overflow. NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data added at the end of the message. The RPC message with garbage data is still correctly formed according to the specification and is passed forward to handlers. Vulnerable code in NFSD is not expecting the oversized request and writes beyond the allocated buffer space.
Cause: One notable set of fixes addresses a subtle buffer overflow issue that occurs if a small RPC Call message arrives in an oversized RPC record. This is only possible on a framed RPC transport such as TCP. Because NFSD shares the receive and send buffers in one set of pages, an oversized RPC record steals pages from the send buffer that will be used to construct the RPC Reply message. NFSD must not assume that a full-sized buffer is always available to it; otherwise, it will walk off the end of the send buffer while constructing its reply.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-43945

Preface: If the supplier does not provide details. It’s hard to avoid that it’s not the exact answer.

Abuse code signing
-key compromise
-use of revoked or expired certificates
-code errors
-Systems compromise

Background: If you’re developing apps for iOS, you need to sign your builds in order to send them to the App Store. However, iOS code signing can be challenging for many. Code Signing is a way for iOS devices to know that the app to be install on the device is from a known source. There are 3 key components in code signing:

1) Certificates
2) Bundle IDs
3) Provisioning Profiles

Bundle IDs are unique strings that identify an app. Every app on your Apple devices have a Bundle ID. That’s how Apple and your devices separate your app from others.
For every app that needs to be signed, you need to register its Bundle ID to Apple’s Developer Portal.

In iOS 6, the first two components of the bundle ID are used to generate the vendor ID. If the bundle ID only has a single component, then the entire bundle ID is used.
In IOS 7, all components of the bundle except for the last component are used to generate the vendor ID. If the bundle ID only has a single component, then the entire bundle ID is used.
According to above, two different bundle ID names would appear to have the same vendor ID. This situation will favor cyber criminals, please refer to point no.6 shown on diagram.

Vulnerability details: An issue in code signature validation was addressed with improved checks. This issue is fixed in macOS Big Sur 11.7, macOS Ventura 13, iOS 16, iOS 15.7 and iPadOS 15.7, macOS Monterey 12.6. An app may be able to bypass code signing checks.

Please refer to the link for details – https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor

Preface: The heap is an area of dynamically-allocated memory that is managed automatically by the operating system or the memory manager library. Memory on the heap is allocated, deallocated, and resized regularly during program execution, and this can lead to a problem called fragmentation.

Background:

For instance, when you download a c++ compiler for your platform, you, in fact, download the c++ frontend with the linux-amd64 backend. This coding architecture is extremely helpful, because it allows to port the compiler for another architecture without rewriting the whole parsing/optimizing thing.

When applications need memory, they have to request it from the operating system. This request from the kernel will naturally require a system call. You cannot allocate memory yourself in user mode. The malloc() family of functions is responsible for memory allocation in the C language. The question to ask here is whether malloc(), as a glibc function, makes a direct system call. There is no system call called malloc in the Linux kernel. However, there are two system calls for applications memory demands, which are brk and mmap.
By far the most widely used C library on Linux is the GNU C library, often referred to as glibc. The pathname /lib/libc[.]so[.]6 (or something similar) is normally a symbolic link that points to the location of the glibc library, and executing this pathname will cause glibc to display various information about the version installed on your system.

Vulnerability details: Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd[.]c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to sudo by entering a password of seven characters or fewer. The impact could vary depending on the compiler and processor architecture.

What is the difference between su and sudo?

• su allows to run commands with a substitute user and group ID.
• sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user’s real (not effective) user-ID is used to determine the user name with which to query the security policy.

Remedy: Please refer to the link for details – https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050

Preface: Few years ago, people know the following details:
io_service_open_extended is one of several undocumented MIG functions to communicate with IOKit drivers from user mode. This approach provides an opportunity for an attacker to perform kernel exploitation. Code writing in C-like languages can accidentally affect memory safety.

Background: Memory Tagging Extension (MTE) is designed to provide robustness against attacks attempting to subvert code processing malicious, attacker-provided, data. It does not address algorithmic vulnerabilities or malicious software. The core principle of type isolation is that after any particular address has been used for a given “type” of object, only objects of that type can ever exist at that address for the lifetime of the program.
Memory can broadly be categorized either as “control” or as “data.” Control is what lets a program structure and organize data. It includes things such as pointers, reference counts, lengths, and typing information like union tags. Almost everything else is data.
Apple also rarely shared the core technology of XNU, mainly the security upgrade of XNU memory, the first topic is the memory allocator kalloc_type.

Vulnerability details: A vulnerability classified as critical has been found in Apple iOS and iPadOS (Smartphone Operating System) (version unknown). Affected is an unknown function of the component Kernel. The manipulation with an unknown input leads to a memory corruption vulnerability. CWE is classifying the issue as CWE-787. The software writes data past the end, or before the beginning, of the intended buffer. This is going to have an impact on confidentiality, integrity, and availability.

Affected: Versions prior to iOS 15.7.1 and iPadOS 15.7.1
Solutions: Apply fixes issued by the vendor: iOS 15.7.1 and iPadOS 15.7.1

Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-42827

Preface: A microframework is a term used to refer to minimalistic web application frameworks. It is contrasted with full-stack frameworks. Typically, a microframework facilitates receiving an HTTP request, routing the HTTP request to the appropriate controller, dispatching the controller, and returning an HTTP response. Microframeworks are often specifically designed for building the APIs for another service or application.

Background: Total js framework and Total js client-side UI library are without any 3rd party dependencies. Total.js framework is a server-side MVC framework written in pure JavaScript and fully optimized for Node js runtime. Software developers can use any NPM module (like PostgreSQL, MongoDB, REDIS, JWT, etc.) or existing client-side libraries (like D3, Chart js, FullCalendar, Vue, Angular, etc.).
Total js Platform supports three types of visual programming interfaces:

• Total js Flow targeted primary for IoT applications (alternative Node-red)
• Total js AppBuilder for creating rich server-side API applications
• Total js Designer for creating UI connected to 3rd party REST services

Vulnerability details: In Total js 4 before 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter. Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-44019

Causes: The fact is that the server doesn’t sanitize correctly the input checking that the host provided is a legitimate one.

Ref: Even if the software developer sets the correct regular expressions. The following details also need to be considered.
The ping command returns an exit code on both operating systems. On Linux (Bash) you have $? to get the variable for this exit code, on Windows it’s %errorlevel%. The exit code is 0 on both operating systems when the ping is successful, and 1 otherwise. This value can be used to conditionally run your command.

Preface: PCMCIA Cards have been around for many years and can still be found in today’s technology. These cards are now classed as legacy products, as they were first introduced over 25 years ago.
PCMCIA cards come in 3 different types of memory; ATA, SRAM and Linear. The cards are still being made today to help support legacy products and applications, mainly aerospace, defence and transportation.

Background: Linux 5.4 was released on 24 November 2019. Although the PCMCIA subsystem will allocate resources for cards, it no longer marks these resources busy. This means that driver authors are now responsible for claiming your resources as per other drivers in Linux. You should use request_region() to mark your IO regions in-use, and request_mem_region() to mark your memory regions in-use.

PCMCIA design weakness recently (28th Oct 2022):
CVE-2022-44032 —–> A driver for the Omnikey PCMCIA smartcard reader CardMan 4040
An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4000_cs[.]c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cmm_open() and cm4000_detach(). Please refer to the link for details – https://lore.kernel.org/lkml/20220915020834.GA110086@ubuntu/
CVE-2022-44033 —–> A driver for the Omnikey PCMCIA smartcard reader CardMan 4040
An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs[.]c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().Please refer to the link for details –
https://lore.kernel.org/lkml/20220915020834.GA110086@ubuntu/
CVE-2022-44034 —–> SCR24x PCMCIA Smart Card Reader Driver
An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/scr24x_cs[.]c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove(). Please refer to the link for details –
https://lore.kernel.org/lkml/20220919101825.GA313940@ubuntu/

Remedy:
In order to avoid vulnerabilities, we recommend the following:
The dangling pointer errors can be avoided by initializing the pointer to the NULL value. If we assign the NULL value to the pointer, then the pointer will not point to the de-allocated memory. Assigning NULL value to the pointer means that the pointer is not pointing to any memory location.

Preface: The design weakness found on 2015. But till today, it looks the matter not been fixed. Perhaps you also read vendor statement. they will continue to update this advisory as additional information becomes available, said vendor.

NetApp Advisory ID: NTAP-20220616-0001 Version: 4.0 Last updated: 09/26/2022 – https://security.netapp.com/advisory/ntap-20220616-0001/
[SECURITY] Fedora 36 Update: 18 June 2022 – https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46KWPTI72SSEOF53DOYQBQOCN4QQB2GE/

Background: When you run python at the console or install a Python distribution from python.org, you are running CPython. CPython is one of the many Python runtimes, maintained and written by different teams of developers. The unique thing about CPython is that it contains both a runtime and the shared language specification that all Python runtimes use.
The mailcap format is documented in RFC 1524, “A User Agent Configuration Mechanism For Multimedia Mail Format Information”, but is not an internet standard. However, mailcap files are supported on most Unix systems. According to Python (CPython) techincal document. Mailcap files are used to configure how MIME-aware applications such as mail readers and Web browsers react to files with different MIME types. (The name mailcap'' is derived from the phrasemail capability”.) For example, a mailcap file might contain a line like “video/mpeg; xmpeg %s”. Then, if the user encounters an email message or Web document with the MIME type video/mpeg, “%s” will be replaced by a filename (usually one belonging to a temporary file) and the xmpeg program can be automatically started to view the file.

CPython is the standard Python software implementation or the default Python interpreter. The main purpose of CPython is to execute the programming language Python. CPython has great compatibility with various Python packages and modules.

Vulnerability details: Mailcap file handling in Python through 3.10.4
In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).
if the filename contains Shell Commands they will be executed if they
are passed to os.system() as discribed in the docs.

Remedy: Filename should be quoted with quote(filename) to fix the bug. Please refer to the link for details – https://bugs.python.org/issue24778

Status: Deprecated since version 3.11, will be removed in version 3.13: The mailcap module is deprecated

Preface: Despite the presence of USB C ports, many smartphones launching in 2022 will feature USB 2.0. USB 2.0 is generally considered to have a signaling rate of 480 MB/s.

Background: What is Usbmon in Linux? The name “usbmon” in lowercase refers to a facility in kernel which is used to collect traces of I/O on the USB bus. This function is analogous to a packet socket used by network monitoring tools such as tcpdump or Ethereal.

Vulnerability details: drivers/usb/mon/mon_bin[.]c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-space client to corrupt the monitor’s internal memory. The weakness was disclosed 10/26/2022. The manipulation with an unknown input leads to a memory corruption vulnerability.

Reference: Found an issue in usbmon module, where the user space client can corrupt the monitor’s internal memory, causing the usbmon module to crash the kernel with segfault, UAF, etc.

The PoC exploits mmaps the /dev/usbmon memory to user space, and overwrites it with arbitrary data, which triggers this vulnerability.

Remedy: Upgrading to version 5.19.15 or 6.0.1 eliminates this vulnerability. The upgrade is hosted for download at cdn.kernel.org. Applying a patch is able to eliminate this problem. The bugfix is ready for download at git.kernel.org.

Official announcement: Please refer to the link for details – https://github.com/torvalds/linux/commit/a659daf63d16aa883be42f3f34ff84235c302198

Preface: The GPU can not only receive transactions, but it can also initiate transactions. Which also means it has access to DRAM memory too.
How can the GPU communicate to the CPU? Well, both have access to DRAM memory. The CPU can store information in DRAM memory (0x8000_0000 – 0x0000_0000) and then write to a register in the GPU (0x9000_0000 – 0x8000_0000) to inform the GPU that the information is ready.

Background: ARM produce designs for a GPU called “Mali”. This is incorporated in many SoCs and thus devices. It is used in a number of devices that can run Debian. There are four major revisions of Mali GPUs: Utgard, Midgard, Bifrost, and Valhall.
There are only two hardware implementations of GPUs that are particularly popular in Android devices: ARM Mali and Qualcomm Adreno.
The Android and Linux version of the Mali GPUs Device Driver provide low-level access to the Mali GPUs that are part of the Bifrost family.
July 2021 Collabora announced that they reverse engineered the Valhall instruction set of the Mali-G78 GPU using a Samsung Galaxy S21 smartphone. If the mainline Linux and GPU drivers are not rooted, this cannot be done on the device. Turns out they just use It comes to reverse engineer instructions and do some testing by modifying compiled shaders and GPU data structures.
Remark: The Input/Output Memory Management Unit (IOMMU) is a hardware extension to control memory accesses of I/O devices. The IOMMU prevents malicious devices from performing arbitrary Direct Memory Access (DMA) operations and can be used to isolate device drivers.

Vulnerability details: An Arm product family through 2022-08-12 mail GPU kernel driver allows non-privileged users to make improper GPU processing operations to gain access to already freed memory.
In certain circumstances, some versions of the Mali GPU Kernel driver can become compromised.
Affects:
Midgard GPU Kernel Driver: All versions from r4p0 – r31p0
Bifrost GPU Kernel Driver: All versions from r0p0 – r38p1, and r39p0
Valhall GPU Kernel Driver: All versions from r19p0 – r38p1, and r39p0

Resolution: This issue is fixed in Bifrost and Valhall GPU Kernel Driver r38p2 and r40p0. It will be fixed in future Midgard release. Users are recommended to upgrade if they are impacted by this issue.

Official announcement: Please refer to the link for details – https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities#Technical-Specifications

Preface: One time password is secure. What If we following their algorithm generate a password and apply in both end. If it is matches with each other. Can we do the exploit? Perhaps the answer is “Yes”. The key technology is you understand how to use the “Time” value.

Background: The IIJ SmartKey app produces one-time passwords that conform to TOTP (RFC 6238) standards and can be used in the 2-step verification authentication processes of a variety of online services supporting TOTP. RFC 6238 – The implementation of this algorithm MUST support a time value T larger than a 32-bit integer when it is beyond the year 2038.
The HMAC-based One-Time Password (HOTP) algorithm specifies an event-based OTP algorithm, where the moving factor is an event counter. The present work bases the moving factor on a time value. A time-based variant of the OTP algorithm provides short-lived OTP values, which are desirable for enhanced security.

Vulnerability details: A vulnerability, which was classified as problematic, was found in Iij SmartKey up to 2.1.3 on Android (Android App Software). This affects some unknown processing of the component One-Time Password Handler. The manipulation with an unknown input leads to a information disclosure vulnerability. CWE is classifying the issue as CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. This is going to have an impact on confidentiality. The summary by CVE is:

Information disclosure vulnerability in Android App ‘IIJ SmartKey’ versions prior to 2.1.4 allows an attacker to obtain a one-time password issued by the product under certain conditions.

Official description: This vulnerability was fixed in version 2.1.4 released on June 16, 2020. Please refer to the link for details – https://jvn.jp/en/jp/JVN74534998/index.html

Remedy: Upgrading to version 2.1.4 eliminates this vulnerability.

10/07/2022 CVE reserved
10/24/2022 +17 days Advisory disclosed