CVE-2022-20436 – Android design weakness. There is an unauthorized service in the system service. (11th Oct 2022)

Preface: Looking back at the history of Android, the visual timeline of versions runs from Android 1.5 Cupcake (early 2009) all the way to the 2022 release of Android 13. It really was a revolution, from cordless phones to smart devices.

Background: What is the role of ActivityManager in an Android app?
This class gives information about, and interacts with, activities, services, and the containing process. Many of the methods in this class are for debugging or informational purposes only and should not be used to affect the runtime behavior of your app.

Vulnerability details: There is an unauthorized service in the system service. Because the component performs no permission check, the result is local elevation of privilege. Product: Android. Versions: Android SoC. Android ID: A-242248369.
References: https://source.android.com/security/bulletin/2022-10-01

The Android Security Bulletin states that the vulnerability below affects UNISOC components and that further details are available directly from UNISOC. The severity assessment of these issues is provided directly by UNISOC.

My observation: The remedy is to strip sensitive information from the ActivityOptions before they are sent to the app. See points 10 to 13 on the diagram: every start request passes through ActivityManager before it reaches Zygote, so any sensitive information passed into ActivityManager via ActivityOptions can make its way to an unrelated app. A RemoteTransition object was recently added to ActivityOptions, and it includes some sensitive information.

Security Focus: CVE-2022-42012 – Design flaw in the D-Bus daemon (10/10/2022)

Preface: D-Bus itself has nothing to do with the kernel or with device drivers, although nothing prevents a driver's userspace side from exposing a D-Bus service if that is its design. There are two standard message bus instances: the system-wide message bus (installed on many systems as the “messagebus” init service) and the per-user-login-session message bus (started each time a user logs in). dbus-daemon serves both instances, with a different configuration file for each.

Background: Endianness is the order in which the bytes of a multi-byte value are laid out in memory.
Big-endian is the order in which the “big end” (the most significant byte) is stored first, at the lowest address. Little-endian is the order in which the “little end” (the least significant byte) is stored first.

As we know, taking the 32-bit value B139F546 as an example:

  • On a big-endian processor the bytes are stored left to right starting at the lowest address: B1 39 F5 46.
  • On a little-endian processor the bytes are stored right to left starting at the lowest address: 46 F5 39 B1.

Technical spec:

  • Intel 32-bit and 64-bit processors running Windows and Linux interpret data in little-endian.
  • Apple's ARM-based M1 chip running macOS also interprets data in little-endian; ARMv8 cores can be configured for either order, but macOS, like Linux and Windows on ARM, runs them little-endian.
  • Intel processors running macOS interpret data in little-endian.
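Worked example (added here; not D-Bus project code): the following C program decodes the fixed part of a D-Bus message header in whichever byte order the sender declares, and shows the B139F546 value above as it is stored on each kind of machine. The header layout (endianness flag ‘l’ or ‘B’, message type, flags, protocol version, 32-bit body length, 32-bit serial) is from the D-Bus specification; the sample bytes are constructed for the example, and the function and type names are this example's own.

```c
/* Added example (not D-Bus project code): decode the fixed 12-byte part of a
 * D-Bus message header in whichever byte order the sender declares, and show
 * the page's 0xB139F546 example as it sits in memory on each kind of machine.
 * Header layout per the D-Bus specification: endianness flag ('l' little,
 * 'B' big), message type, flags, protocol version, uint32 body length,
 * uint32 serial. The sample bytes are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Detect the byte order of the machine running this code at run time. */
static int host_is_little_endian(void)
{
    const uint16_t probe = 0x0102;
    uint8_t first;
    memcpy(&first, &probe, 1);      /* the byte at the lowest address */
    return first == 0x02;
}

/* Read a 32-bit value in the sender's declared order, never the host's.
 * Assembling it byte by byte avoids alignment faults and any accidental
 * dependence on the host byte order. */
static uint32_t read_u32(const uint8_t *b, int little_endian)
{
    if (little_endian)
        return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
               ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

struct dbus_fixed_header {
    int little_endian;   /* 1 if the sender wrote the message little-endian */
    uint8_t type;        /* 1 METHOD_CALL, 2 METHOD_RETURN, 3 ERROR, 4 SIGNAL */
    uint8_t flags;
    uint8_t version;     /* protocol major version, currently 1 */
    uint32_t body_len;
    uint32_t serial;
    int needs_swap;      /* 1 if the sender's order differs from the host's */
};

/* Returns 0 on success, -1 if the bytes are not a valid fixed header. */
static int parse_dbus_fixed_header(const uint8_t *buf, size_t len,
                                   struct dbus_fixed_header *h)
{
    if (len < 12)
        return -1;
    if (buf[0] == 'l')
        h->little_endian = 1;
    else if (buf[0] == 'B')
        h->little_endian = 0;
    else
        return -1;                   /* unknown endianness flag: reject */
    h->type = buf[1];
    h->flags = buf[2];
    h->version = buf[3];
    if (h->version != 1)
        return -1;
    h->body_len = read_u32(buf + 4, h->little_endian);
    h->serial = read_u32(buf + 8, h->little_endian);
    if (h->serial == 0)
        return -1;                   /* the specification forbids serial 0 */
    h->needs_swap = (h->little_endian != host_is_little_endian());
    return 0;
}

/* Constructed samples: the same METHOD_CALL (type 1, body length 257,
 * serial 42) written once in each byte order, plus a bad flag byte. */
static const uint8_t sample_le[12] = {
    'l', 1, 0, 1,  0x01, 0x01, 0x00, 0x00,  0x2a, 0x00, 0x00, 0x00 };
static const uint8_t sample_be[12] = {
    'B', 1, 0, 1,  0x00, 0x00, 0x01, 0x01,  0x00, 0x00, 0x00, 0x2a };
static const uint8_t sample_bad_flag[12] = {
    'x', 1, 0, 1,  0x01, 0x01, 0x00, 0x00,  0x2a, 0x00, 0x00, 0x00 };

/* The page's value 0xB139F546 as stored from the lowest address upward. */
static const uint8_t word_be[4] = { 0xB1, 0x39, 0xF5, 0x46 };
static const uint8_t word_le[4] = { 0x46, 0xF5, 0x39, 0xB1 };

int main(void)
{
    const uint8_t *samples[3] = { sample_le, sample_be, sample_bad_flag };
    struct dbus_fixed_header h;

    printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    printf("word_be decodes to 0x%08X, word_le decodes to 0x%08X\n",
           read_u32(word_be, 0), read_u32(word_le, 1));
    for (int i = 0; i < 3; i++) {
        if (parse_dbus_fixed_header(samples[i], 12, &h) != 0) {
            printf("sample %d rejected\n", i);
            continue;
        }
        printf("sample %d: %s-endian type=%u body_len=%u serial=%u swap=%d\n",
               i, h.little_endian ? "little" : "big", h.type, h.body_len,
               h.serial, h.needs_swap);
    }
    return 0;
}
```

The sender's flag byte, not the host's byte order, must drive every multi-byte read. A message whose flag differs from the host is exactly the “non-native endianness” case of CVE-2022-42012 below, so a parser's byte-swapping path deserves test inputs in both orders rather than only the host's.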

Vulnerability details:
CVE-2022-42010 – An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures.
Affected versions: D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2.
https://www.suse.com/security/cve/CVE-2022-42010.html

CVE-2022-42011 – An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type.
Affected versions: D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2.
https://gitlab.freedesktop.org/dbus/dbus/-/issues/413

CVE-2022-42012 – A message in non-native endianness with out-of-band Unix file descriptors would cause a use-after-free and possible memory corruption in production builds, or an assertion failure in debug builds.
Remark: For my speculation about this vulnerability, please refer to the attached diagram.
Affected version: D-Bus prior to 1.12.24, 1.13.x and 1.14.x prior to 1.14.4, and 1.15.x prior to 1.15.2
https://ubuntu.com/security/CVE-2022-42012

CVE-2022-42703 – mm/rmap[.]c in the Linux kernel before 5[.]19[.]7 has a use-after-free related to leaf anon_vma double reuse. (9th Oct 2022)

Preface: Memory is managed differently depending on the programming language in which the application is written. Some languages, such as C, require the programmer to manage direct allocation of memory.

Background: The kernel often needs to find every VMA that maps a given physical page, starting from its struct page. Early Linux kernels scanned the VMAs of all processes, which is very time consuming. During the development of Linux 2.5 the concept of reverse mapping (rmap) took shape, and after years of optimization it became the implementation found in current kernels.

The focus of the vulnerability: an anon_vma can be reused for a new virtual memory region while it is still in use by another one.
anon_vma->degree counts the child anon_vmas plus the VMAs that use the anon_vma as their ->anon_vma. anon_vma_clone() assumed that any anon_vma on the source VMA's chain other than the source's own anon_vma cannot be a leaf of the tree, so a ->degree of 1 meant that no VMA was still using it and it could be reused for the new VMA. That assumption is wrong, because the ->degree optimization leads to leaf nodes being abandoned in anon_vma_clone(): an existing anon_vma is reused and no new parent-child relationship is created. An anon_vma could therefore be handed to one VMA while still tied to another, and later be freed while that other VMA still referenced it.

Because rmap[.]c is core memory-management code reached through ordinary operations such as fork() and VMA splitting, a use-after-free there is exposed to unprivileged local processes, and its consequences are hard to predict.

Official details: Please refer to this external link – https://www.tenable.com/cve/CVE-2022-42703

Remedy: Upgrading to version 5[.]19[.]7 eliminates this vulnerability.

CVE-2022-39280 – ReDoS issue in dparse (6th Oct 2022)

Preface: Python can be used to develop a wide variety of applications, including web applications, gaming applications, enterprise applications, ML applications, image processing, text processing, and more.

Background: When managing Python environments, one of the key concerns is dependency management. Dependencies are all of the software components required by your project in order for it to work as intended and avoid runtime errors.
The Python Package Index (PyPI) is a repository of software for the Python programming language.

  • PyPI helps you find and install software developed and shared by the Python community.
  • Package authors use PyPI to distribute their software.

Dependencies in Python are managed with pip and expressed in a metadata file called requirements.txt; tools such as dparse exist to parse such files.

Vulnerability details: dparse is a parser for Python dependency files. dparse versions before 0.5.2 contain a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS): a crafted string makes the regex engine backtrack for an extremely long time. Since the input comes from the dependency files being parsed, all users parsing index server URLs with dparse are affected.

Remedy: A patch has been applied in version 0.5.2; all users are advised to upgrade to 0.5.2 as soon as possible. Users unable to upgrade should avoid passing index server URLs in the source file to be parsed.

Ref: https://github.com/pyupio/dparse/commit/d87364f9db9ab916451b1b036cfeb039e726e614
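Worked example (added here; it is neither dparse's code nor the regular expression that was patched): a minimal backtracking matcher in the classic Pike/Kernighan style (literals, ‘.’, ‘*’, ‘^’, ‘$’), instrumented with a step counter, to show the mechanism behind a ReDoS. The patterns “a*a*a*a*b” and “a*b” accept exactly the same strings, but the first gives the matcher many ways to split a run of a's among the stars, and on a non-matching input every split is tried before it gives up. The inputs and all names are constructed for this example.

```c
/* Added example, not dparse's code and not its regex: a minimal backtracking
 * matcher (the classic Pike/Kernighan design: literals, '.', '*', '^', '$')
 * instrumented with a step counter, to show why an ambiguous pattern makes
 * matching time explode on attacker-controlled input such as an index server
 * URL. "a*a*a*a*b" and "a*b" match exactly the same strings, but the first
 * gives the matcher many ways to split a run of 'a's between the stars, and
 * on a non-matching input every split is tried before failure. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static unsigned long steps;   /* number of matchhere() calls in the last match */

static int matchhere(const char *re, const char *text);

/* Try matching c*re at the start of text (zero or more c's). */
static int matchstar(int c, const char *re, const char *text)
{
    do {
        if (matchhere(re, text))
            return 1;
    } while (*text != '\0' && (*text++ == c || c == '.'));
    return 0;
}

/* Match re at the start of text; backtracks by recursion. */
static int matchhere(const char *re, const char *text)
{
    steps++;
    if (re[0] == '\0')
        return 1;
    if (re[1] == '*')
        return matchstar(re[0], re + 2, text);
    if (re[0] == '$' && re[1] == '\0')
        return *text == '\0';
    if (*text != '\0' && (re[0] == '.' || re[0] == *text))
        return matchhere(re + 1, text + 1);
    return 0;
}

/* Search for re anywhere in text; returns 1 on match, 0 otherwise. */
static int match(const char *re, const char *text)
{
    steps = 0;
    if (re[0] == '^')
        return matchhere(re + 1, text);
    do {
        if (matchhere(re, text))
            return 1;
    } while (*text++ != '\0');
    return 0;
}

/* Run re against a constructed input of n 'a' characters and no 'b' (the
 * worst case: no match is possible, so every backtracking path is explored)
 * and return how many steps the matcher needed. */
static unsigned long steps_on_as(const char *re, size_t n)
{
    char text[64];
    if (n >= sizeof text)
        n = sizeof text - 1;
    memset(text, 'a', n);
    text[n] = '\0';
    match(re, text);
    return steps;
}

int main(void)
{
    const char *ambiguous = "^a*a*a*a*b", *linear = "^a*b";
    for (size_t n = 5; n <= 40; n += 5)
        printf("n=%2zu  %-12s %8lu steps   %-6s %4lu steps\n", n,
               ambiguous, steps_on_as(ambiguous, n),
               linear, steps_on_as(linear, n));
    return 0;
}
```

Doubling the input from 10 to 20 a's multiplies the work of the ambiguous pattern by roughly nine while the unambiguous one barely changes; nested or overlapping quantifiers in a production regex engine behave the same way, often exponentially. The fix for this bug class is the one dparse 0.5.2 applied: rewrite the pattern so each input character can be consumed in only one way, and treat any regex applied to attacker-controlled input as code that needs a worst-case test.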

Security Focus: Vulnerabilities in Qualcomm closed-source components that could lead to arbitrary code execution (CVE-2022-25718, CVE-2022-25748). 5th Oct 2022

Preface: What is interesting about CVE-2022-25718 and CVE-2022-25748 is that they expose weaknesses in the traditional design process. What are closed-source components?
On a Linux system, drivers are generally components compiled with the Linux kernel, and they are necessarily subject to the GPL. The closed-source components are the vendor's firmware and binary blobs that sit outside the kernel tree and that only the vendor can patch.

Background and vulnerabilities: The IEEE 802.11 standard, popularly known as Wi-Fi, lays down the architecture and specifications of wireless LANs (WLANs). The following elements are involved in triggering these two vulnerabilities: the 4-way handshake frames (shown as EAPOL-Key in Wireshark captures), from which the PTK and GTK are derived together with the pre-shared key as specified in IEEE 802.11-2012.
Once the 4-way handshake has completed, data frames sent by the access point to the phone carry the frame control value 0x4208 (the first two bytes on the wire are 08 42: a data frame with the FromDS and Protected bits set). For broadcast and multicast frames the GTK (Group Temporal Key) decrypts the data portion of the selected packet as specified in IEEE 802.11-2012, and a conformance check verifies that the decrypted data contains ASCII-readable text.

In 2015, multiple integer overflows in the NDEF record parser in hostapd before 2.5 and wpa_supplicant before 2.5 allowed remote attackers to cause a denial of service (process crash or infinite loop) via a large payload length field value in a (1) WPS or (2) P2P NFC NDEF record, which triggers an out-of-bounds read (CVE-2015-8041).
In October 2017, a design weakness was disclosed that lets an attacker trick a client or access point into reinstalling specific keys (PTK, GTK, IGTK). The Key Reinstallation Attack (KRACK) is an attack against the Wi-Fi Protected Access (WPA2) protocol that protects Wi-Fi connections, discovered in 2017 by Belgian researchers Mathy Vanhoef and Frank Piessens of KU Leuven.

Only Qualcomm can provide security updates for its binary blobs (Binary Large Objects), so no OEM can guarantee the security of a phone if Qualcomm does not push security updates. OEMs can update the other components, but it would be frustrating if someone found that a bug in the blob allowed privilege escalation. The two issues below continue that story.
CVE-2022-25748 – Memory corruption in WLAN due to integer overflow to buffer overflow while parsing GTK frames.
CVE-2022-25718 – Cryptographic issue in WLAN due to an improper check on a return value during the authentication handshake.
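Worked example (added here; not Qualcomm's code): a C program that (1) decodes the 802.11 Frame Control field of the “08 42” frames described above and (2) walks the Key Data Encapsulations (KDEs) that carry the GTK inside an EAPOL-Key frame with bounds arithmetic that cannot overflow, next to the unchecked subtraction that turns a short length field into an oversized copy, the bug class named in CVE-2022-25748. The KDE layout (type 0xDD, length, OUI 00-0F-AC, data type 1 for GTK, key ID, reserved byte, key) follows IEEE 802.11; the sample bytes, the names and the vulnerable routine are constructed for the example and do not reproduce the Qualcomm code path.

```c
/* Added example, not Qualcomm's code: (1) decode the 802.11 Frame Control
 * field of the "08 42" frames mentioned above and (2) walk the Key Data
 * Encapsulations (KDEs) that carry the GTK inside an EAPOL-Key frame with
 * bounds arithmetic that cannot overflow, next to the unchecked subtraction
 * that turns a short length field into an oversized copy. The KDE layout
 * (type 0xDD, length, OUI 00-0F-AC, data type 1 = GTK, key ID, reserved,
 * key) follows IEEE 802.11; the sample bytes are constructed here, and the
 * vulnerable routine illustrates the bug class, not Qualcomm's code path. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct frame_control { unsigned type, subtype, to_ds, from_ds, protected_frame; };

/* Frame Control is sent little-endian, so wire bytes 08 42 are the value
 * 0x4208: byte 0 holds version/type/subtype, byte 1 the flags. */
static struct frame_control decode_fc(uint8_t b0, uint8_t b1)
{
    struct frame_control fc;
    fc.type = (b0 >> 2) & 0x3;               /* 0 management, 1 control, 2 data */
    fc.subtype = (b0 >> 4) & 0xF;
    fc.to_ds = b1 & 0x01;
    fc.from_ds = (b1 >> 1) & 0x01;
    fc.protected_frame = (b1 >> 6) & 0x01;   /* encrypted payload */
    return fc;
}

#define KDE_GTK_HDR 6   /* OUI (3) + data type (1) + key ID/flags (1) + reserved (1) */

struct gtk_kde { uint8_t key_id; size_t key_len; uint8_t key[32]; };

/* Bug-class illustration: the length byte is trusted and the fixed header
 * size is subtracted without a check, so a KDE advertising fewer than 6
 * bytes wraps key_len around to nearly SIZE_MAX. A real parser would then
 * memcpy() that many bytes: the integer overflow becomes a buffer overflow. */
static size_t gtk_key_len_unchecked(uint8_t kde_len)
{
    size_t key_len = (size_t)kde_len - KDE_GTK_HDR;
    return key_len;
}

/* Hardened: prove kde_len >= header before subtracting, check the GTK
 * selector, and bound the copy by the destination size. */
static int parse_gtk_kde(const uint8_t *kde, uint8_t kde_len, struct gtk_kde *out)
{
    static const uint8_t gtk_selector[4] = { 0x00, 0x0F, 0xAC, 0x01 };
    if (kde_len < KDE_GTK_HDR + 1)           /* header plus at least one key byte */
        return -1;
    if (memcmp(kde, gtk_selector, sizeof gtk_selector) != 0)
        return -1;                           /* some other KDE type, e.g. PMKID */
    size_t key_len = (size_t)kde_len - KDE_GTK_HDR;   /* cannot wrap now */
    if (key_len > sizeof out->key)
        return -1;
    out->key_id = kde[4] & 0x03;
    out->key_len = key_len;
    memcpy(out->key, kde + KDE_GTK_HDR, key_len);
    return 0;
}

/* Walk a Key Data field (a sequence of type, length, payload elements).
 * Every comparison is against the remaining space, so "pos + len" is never
 * formed and can never overflow. Returns 0 when a GTK was found. */
static int find_gtk(const uint8_t *key_data, size_t total, struct gtk_kde *out)
{
    size_t pos = 0;
    while (total - pos >= 2) {               /* room for type and length */
        uint8_t type = key_data[pos], len = key_data[pos + 1];
        if (len > total - pos - 2)
            return -1;                       /* element runs past the buffer */
        if (type == 0xDD && parse_gtk_kde(key_data + pos + 2, len, out) == 0)
            return 0;
        pos += 2 + (size_t)len;
    }
    return -1;
}

/* Constructed key data: a malformed GTK KDE with length 4 (shorter than its
 * own header), then a well-formed GTK KDE with key ID 1 and a 16-byte key. */
static const uint8_t sample_key_data[] = {
    0xDD, 0x04, 0x00, 0x0F, 0xAC, 0x01,
    0xDD, 0x16, 0x00, 0x0F, 0xAC, 0x01, 0x01, 0x00,
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
};
/* Truncated key data: the length byte claims 48 bytes but only 4 follow. */
static const uint8_t truncated_key_data[] = { 0xDD, 0x30, 0x00, 0x0F, 0xAC, 0x01 };

int main(void)
{
    struct frame_control fc = decode_fc(0x08, 0x42);
    struct gtk_kde gtk;
    printf("FC 0x4208: type=%u subtype=%u ToDS=%u FromDS=%u Protected=%u\n",
           fc.type, fc.subtype, fc.to_ds, fc.from_ds, fc.protected_frame);
    printf("unchecked key_len for a 4-byte KDE: %zu\n", gtk_key_len_unchecked(4));
    if (find_gtk(sample_key_data, sizeof sample_key_data, &gtk) == 0)
        printf("GTK found: key_id=%u key_len=%zu\n", gtk.key_id, gtk.key_len);
    printf("truncated key data: %s\n",
           find_gtk(truncated_key_data, sizeof truncated_key_data, &gtk) == 0
               ? "accepted" : "rejected");
    return 0;
}
```

The pattern to take away is in find_gtk() and parse_gtk_kde(): compare a length against the space that remains, and never subtract a header size from a length you have not yet proved is at least that large. Both checks cost nothing and remove the integer-overflow-to-buffer-overflow path regardless of how the firmware stores its counters.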

Official announcement: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/october-2022-bulletin.html

Are the protection controls of Windows 11 22H2 ready for different countries’ cyber laws and cyber security protection mechanisms? (5th Oct 2022)

Preface: By integrating the Pluton chip inside future Intel, AMD and Qualcomm central processing units (CPUs), Microsoft said, it becomes far more difficult for attackers with physical access to a computer to launch hardware attacks and extract sensitive data.
The Pluton security processor can act as a TPM 2.0 through the standard TPM APIs, which makes integration seamless and removes the need for a separate TPM chip. Encryption keys, user identities and credentials can therefore all be protected by Pluton.

Background: UEFI and BIOS are two different types of motherboard firmware; UEFI replaces the traditional BIOS on PCs. A PC whose firmware offers only legacy BIOS cannot be switched to UEFI, so you need hardware that supports and includes UEFI, as almost every computer built in the last decade does. On such hardware the Windows system disk must also be converted from MBR to GPT partitioning before the boot mode can be changed; the steps are given below.
Windows 11 22H2 adds the following protection features:

  • The Pluton security processor uses cloud-to-chip technology, so Microsoft can update the chip's firmware through Windows Update.
  • When you try to run an app on Windows, Smart App Control checks whether Microsoft's cloud-powered security service can make a confident prediction about the app's safety; if it cannot, it falls back to checking for a valid signature, and unsigned apps are blocked.

Reminder: Disable BitLocker protection before starting the conversion. With BitLocker protection turned on, Windows cannot convert your drive from legacy BIOS (MBR partitioning) to UEFI (GPT partitioning).

  1. Press Win + X.
  2. Go to “Shut down or sign out” and click “Restart” while holding the Shift key.
  3. Go to “Troubleshoot -> Advanced Options” and select “Command Prompt.”
  4. Type the command mbr2gpt /validate and press Enter.
    If you see the “Validation completed successfully” message, proceed to the next step. If the system disk is not disk 0, add /disk:<n>; if you run the tool from inside Windows instead of the recovery environment, add /allowFullOS.
  5. After validating the disk, execute the command mbr2gpt /convert
  6. Restart your system, launch your motherboard firmware settings screen and change the boot mode from legacy BIOS (CSM) to UEFI.
    Example: hot keys to access the motherboard firmware.
  • Dell: F2 or F12.
  • HP: ESC or F10.
  • Acer: F2 or Delete.
  • ASUS: F2 or Delete.
  • Lenovo: F1 or F2.
  • MSI: Delete.
  • Toshiba: F2.
  • Samsung: F2.
  • Surface: Press and hold the volume up button.

  7. After booting into Windows, the conversion is complete. You can confirm it by running msinfo32: “BIOS Mode” should now show UEFI.

About the title – Are the protection controls of Windows 11 22H2 ready for different countries’ cyber laws and cyber security protection mechanisms?

Compared with that hot topic, businesses face privacy laws in every global region, and the situation is harder for cybersecurity service providers than for enterprise companies: cybersecurity vendors track millions of IoT devices and a huge number of computers, on the order of a million nodes, located in different areas. As a result, gaps open up between the cyber laws and data protection regulations of different countries.
Therefore the traditional distribution of data across cloud regions may not be effective for classifying that data, and the task has to rely on an AI architecture. According to technical details provided by Microsoft, the overall operation will be handled by AI mechanisms running on top of its cloud architecture.
Some people, including me, worry that AI will manipulate the world. With the digital age approaching, the use of artificial intelligence technology is inevitable. Maybe this is the reality.

About CVE-2022-41849 : smscufx driver – Fix use-after-free in ufx_ops_open() (2nd Oct 2022)

Preface: Do I need to install drivers in Linux? The Linux approach is that the drivers are open source and integrated into the kernel and the rest of the system; you do not have to install or tweak them, because the system detects your hardware and loads the appropriate drivers. If you have installed Linux, your hardware should just work.

Background: smscufx[.]c is the framebuffer driver for the SMSC UFX USB display controller, and it has been in the kernel for a long time.
Many USB display adapters use DisplayLink chipsets; there are Linux drivers for the older USB 2 chipsets but no support for the USB 3 ones. SMSC-based adapters are less common and are rarely marked as using an SMSC chipset.
To configure 16-bit mode, locate DEFAULT_BPP in smscufx[.]h and set it to 2, and use xorg[.]conf[.]16bit as your xorg[.]conf file; the start-up screen will be green. To configure 32-bit mode, set DEFAULT_BPP in smscufx[.]h to 4 and use xorg[.]conf[.]32bit as your xorg[.]conf file; the start-up screen will be white.

Vulnerability details: The smscufx[.]c driver in the Linux kernel has a race condition and a resulting use-after-free. If a physically proximate attacker removes the USB device while open() is being called on the framebuffer device node, a race between ufx_ops_open() and ufx_usb_disconnect() occurs.
A use-after-free is an access to memory after it has been freed. It can crash the kernel or, if the freed memory is reallocated under attacker control before the stale access, lead to arbitrary code execution in kernel context.
Because triggering this weakness requires a local physical action, the risk rating will probably be stepped down, since it is a local attack. One open question: the Gembird USB3-to-HDMI adapter is SMSC-based and works on Ubuntu 10.04 LTS with the attached X.org drivers; whether it is affected by this weakness is unconfirmed at the moment.

Remedy: Add a mutex to the ufx_ops_open() and ufx_usb_disconnect() functions so that the kref get in open() and the kref put in disconnect() cannot race.

Official announcement – Please refer to the link for details – https://lore.kernel.org/all/20220925133243.GA383897@ubuntu/T/

About CVE-2022-41828: AWS Redshift JDBC Driver, a secure class loading and verification mechanism is required. (29-09-2022)

Preface: This design weakness was fixed in early June 2022. As we know, there is no mandatory policy on the vendor side for when vulnerability details should be disclosed; it all depends on the vendor's analysis and judgement. So, as users, the only action we can take is to patch.

Background: By default, Redshift stores data in a raw, uncompressed format, and you can choose whether to compress data. Each column within a table can use a different type of compression. It is possible to let Redshift automatically select encoding for column compression, or select it manually when creating a table.

Data Warehousing and Analytics Using Amazon Redshift
To access a Redshift data store using the Amazon Redshift JDBC Driver, you need to configure the following:

  • Referencing JDBC Driver Libraries
  • Registering the Driver Class
  • The connection URL for the driver

Vulnerability details: In the Amazon AWS Redshift JDBC Driver (aka amazon-redshift-jdbc-driver or redshift-jdbc42) before 2.1.0.8, the Object Factory does not check the class type when instantiating an object from a class name. Any class name reaching the factory is loaded and instantiated without a restriction on which classes are acceptable, which is the classic JNDI object-factory weakness that a secure class loading and verification mechanism must prevent.

Remedy: upgrade to 2.1.0.8 or later.

Official detail: Please refer to the link for details – https://github.com/aws/amazon-redshift-jdbc-driver/commit/40b143b4698faf90c788ffa89f2d4d8d2ad068b5

Casual-style mining of CVE-2022-22074 details (28th Sep 2022)

Foreword: A vulnerability published a few months ago (CVE-2022-22071) intrigued me because of a design flaw in Snapdragon's memory management, so I have written down the information I gathered on the subject.
CVE-2022-22071 – Possible use after free when process shell memory is freed using an IOCTL munmap call while process initialization is in progress, in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music. There is perhaps no proof of concept for how to exploit this flaw. As an Android lover, it allowed me to learn and gain understanding.

Background: In Snapdragon SoCs, three components provide access control: the Virtual Master ID Mapping Table (VMIDMT), the External Protection Unit (XPU), and the System Memory Management Unit (SMMU). The SMMU is a hardware component that performs address translation and access control for bus initiators outside the CPU. An SMMU can perform two stages of address translation:

  1. Stage 1, usually controlled by the OS running on the CPU, maps the virtual addresses visible to applications and the OS kernel to intermediate physical addresses visible to a virtual machine.
  2. Stage 2, usually controlled by the hypervisor, maps intermediate physical addresses to physical addresses.

Vulnerability details: Memory Corruption during wma file playback due to integer overflow in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.
See the diagram for details on my research on such vulnerabilities.

Official announcement: See the link for details – https://www.qualcomm.com/company/product-security/bulletins/september-2022-bulletin

About CVE-2022-22058 – Memory corruption due to processing ION handles (Qualcomm Snapdragon products) 26th Sep 2022

Preface: The vmalloc() function works in a similar fashion to kmalloc(), except it allocates memory that is only virtually contiguous and not necessarily physically contiguous.

Background: In the kernel, ION supports multiple clients, one for each driver that uses the ION functionality. A kernel driver calls the following function to obtain an ION client handle:

struct ion_client *ion_client_create(struct ion_device *dev, unsigned int heap_mask, const char *debug_name)

ION usage on Snapdragon is slightly different from the standard Linux implementation.

Heaps are listed in the order in which they will be tried for allocation. Do not swap the order unless you know what you are doing, says Qualcomm.

Vulnerability details: Memory corruption due to use after free issue in kernel while processing ION handles in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.

Reference:

  • A use-after-free vulnerability is an issue related to incorrect use of dynamic memory during program operation (MITRE CWE-416): a pointer or handle to memory that has already been freed is used again.
  • “Heap” memory, also known as “dynamic” memory, is an alternative to local stack memory. Local memory is automatic: local variables are allocated when a function is called and deallocated when the function exits. Heap memory lives until it is explicitly freed, which is why a stale handle to it can still be dereferenced after the free.

Remedy: waiting for the vendor to provide a fix.
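Worked example (added here; not the smscufx or ION driver source): a user-space C model of the open()/disconnect() race described in the smscufx entry above and of the “use after free while processing handles” class in this ION entry, showing the vulnerable shape next to the mutex-protected one the smscufx remedy describes. A kref-style count pins the device, and a “freed” flag stands in for kfree() so that a touch after the last reference has dropped is counted instead of corrupting memory. All names, counts and the interleaving are this example's own, not the drivers' symbols.

```c
/* Added example, not the smscufx or ION driver source: a user-space model of
 * the open()/disconnect() race in the smscufx entry above and of the "use
 * after free while processing handles" class in this ION entry. A kref-style
 * count pins the device, and a "freed" flag stands in for kfree(), so a touch
 * after the last reference dropped is counted instead of corrupting memory.
 * All names are this example's own, not the drivers' symbols. */
#include <pthread.h>
#include <stdio.h>

struct ufx_dev {
    int refcount;       /* kref: holders of the object; probe() takes the first */
    int disconnected;   /* set by the disconnect path */
    int freed;          /* set when the last reference drops (kfree stand-in) */
};

static pthread_mutex_t disconnect_lock = PTHREAD_MUTEX_INITIALIZER;
static int uaf_detected;   /* touches of an already "freed" device */

static void kref_get(struct ufx_dev *dev)
{
    if (dev->freed) uaf_detected++;             /* the UAF the advisories describe */
    dev->refcount++;
}

static void kref_put(struct ufx_dev *dev)
{
    if (dev->freed) uaf_detected++;
    if (--dev->refcount == 0) dev->freed = 1;   /* release(): memory is gone */
}

/* Vulnerable shape: nothing stops disconnect() from dropping the last
 * reference between open() looking the device up and open() using it. */
static void open_unlocked_use(struct ufx_dev *dev) { kref_get(dev); }
static void disconnect_unlocked(struct ufx_dev *dev) { dev->disconnected = 1; kref_put(dev); }

/* Hardened shape (the remedy's idea): check-and-get in open(), and
 * set-and-put in disconnect(), each run under one mutex, so open() either
 * pins a live device or fails cleanly; the lookup/use window is closed. */
static int open_locked(struct ufx_dev *dev)
{
    int ret = 0;
    pthread_mutex_lock(&disconnect_lock);
    if (dev->disconnected) ret = -1;            /* -ENODEV in kernel terms */
    else kref_get(dev);
    pthread_mutex_unlock(&disconnect_lock);
    return ret;
}

static void put_locked(struct ufx_dev *dev, int disconnecting)
{
    pthread_mutex_lock(&disconnect_lock);
    if (disconnecting) dev->disconnected = 1;   /* later open() calls must fail */
    kref_put(dev);                              /* close() or disconnect() drop */
    pthread_mutex_unlock(&disconnect_lock);
}

/* The bad interleaving on the vulnerable shape; returns UAF touches (1). */
static int run_vulnerable(void)
{
    struct ufx_dev dev = { 1, 0, 0 };
    struct ufx_dev *stale = &dev;       /* open() has already fetched its pointer */
    uaf_detected = 0;
    disconnect_unlocked(&dev);          /* cable pulled: refcount 1 -> 0, freed */
    open_unlocked_use(stale);           /* open() continues on freed memory     */
    return uaf_detected;
}

/* Eight openers racing one disconnect on the hardened shape. Returns UAF
 * touches (0); afterwards shared.freed == 1 and shared.refcount == 0. */
#define NOPENERS 8
static struct ufx_dev shared;

static void *opener(void *arg)
{
    (void)arg;
    for (int i = 0; i < 2000; i++)
        if (open_locked(&shared) == 0)  /* pinned a live device ... */
            put_locked(&shared, 0);     /* ... and close() released it */
    return NULL;
}

static void *disconnector(void *arg) { (void)arg; put_locked(&shared, 1); return NULL; }

static int stress_hardened(void)
{
    pthread_t t[NOPENERS + 1];
    shared = (struct ufx_dev){ 1, 0, 0 };
    uaf_detected = 0;
    for (int i = 0; i < NOPENERS; i++) pthread_create(&t[i], NULL, opener, NULL);
    pthread_create(&t[NOPENERS], NULL, disconnector, NULL);
    for (int i = 0; i <= NOPENERS; i++) pthread_join(t[i], NULL);
    return uaf_detected;
}

int main(void)
{
    printf("vulnerable interleaving: %d use-after-free touch(es)\n", run_vulnerable());
    printf("hardened stress: %d touch(es), freed=%d refcount=%d\n",
           stress_hardened(), shared.freed, shared.refcount);
    return 0;
}
```

The point the model makes is that a reference count alone does not fix the race: the count is only safe to take while the object is guaranteed alive, so the check of the disconnected state and the get must be one atomic step against the set and the put, which is what the smscufx mutex provides. The same discipline applies to any handle table, ION's included: look up and pin under the lock, and tear down under that same lock.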

antihackingonline.com