CVE-2022-33719 – Improper input validation in baseband prior to SMR Aug-2022 Release 1 (5th Aug 2022)

Preface: Samsung Galaxy S22 series national version uses Qualcomm Snapdragon 8, European version uses Exynos 2200. European users will cheer as Samsung Galaxy S23 ditches Exynos chip.


Background: Android 12 is the twelfth major release and 19th version of Android, the mobile operating system developed by the Open Handset Alliance led by Google.
Android Q is Android 10.
Android R is Android 11
Android S is Android 12

Baseband Initialization: pal_init(). .Subsequently monolith function that starts all modem subsystems and tasks
○ Activates malloc heap
○ Loads NV items
○ Starts timers
○ Initializes DSP(s) and other peripherals
○ Starts all tasks

Vulnerability details: Improper input validation in baseband prior to SMR Aug-2022 Release 1 allows attackers to cause integer overflow to heap overflow.The patch adds proper validation logic to prevent integer overflow.
The weakness was presented 08/05/2022. The advisory is available at security.samsungmobile.com. This vulnerability is handled as CVE-2022-33719 since 06/15/2022. The technical details are unknown and an exploit is not available.

Details about a summary of my observations. Please refer to the diagram

Severity: Critical
Affected versions: Selected Q(10), R(11), S(12) devices with S.LSI CP chipsets
Reported on: February 26, 2022

Official details: Please refer to the link for details – https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=08

CVE-2022-19773 A use-after-free vulnerability was found in the Linux kernel (log_replay in fs/ntfs3/fslog[.]c for NTFS logs)

Preface: The NTFS3 component is not included in the 5.15 kernel of Manjaro. The ntfs3 is a kernel module. This module will be ready for use on version 5.15.2_rt19-1.Type “modinfo ntfs3” can let you know the ntfs3 installation status.

Background: The ext4 is better on Linux based systems because it is designed and built for Linux. NTFS, on the other hand, is designed and built for Windows. KDE Partition Manager has support for a large number of file systems, the most notable ones being NTFS, FAT, F2FS, and so on. Just like every other application of KDE, the Partition Manager is released under the GNU Public License, making it completely free to use and open-source.
NTFS3 is called NTFS3 because it fully implements the latest version 3.1 of NTFS file system specification. NTFS is unlikely to change in future, thus NTFS3 naming reflects that NTFS3 implements the latest revision of NTFS.
NTFS3 is fully functional NTFS Read-Write driver. The driver works with NTFS versions up to 3.1, normal/compressed/sparse files and journal replaying. File system type to use on mount is ‘ntfs3’.

  • This driver implements NTFS read/write support for normal, sparse and compressed files.
  • Supports native journal replaying;
  • Supports extended attributes

Vulnerability details: A use-after-free flaw was found in the Linux kernel in log_replay in fs/ntfs3/fslog.c in the NTFS journal. This flaw allows a local attacker to crash the system and leads to a kernel information leak problem. As the vendor has not provided other details yet. So it lure my interested to speculate. For details, please refer to the chart.

Solution: Upgrading to version 5.19-rc1 eliminates this vulnerability.

Related article: Please refer to the link for details https://bugzilla.redhat.com/show_bug.cgi?id=2092542

CVE-2022-35930 – Ability to bypass attestation verification on sigstore (policy-controller) 4th Aug 2022

Preface: In simplest terms, policies define what end-users can do on the cluster and possible ways to ensure that clusters are in compliance with organization policies.Policy-enablement empowers organizations to take control of Kubernetes operation and ensure that clusters are in compliance with organization policies.

Background: The policy-controller admission controller will only validate resources in namespaces that have chosen to opt-in. This can be done by adding the label policy.sigstore.dev/include: “true” to the namespace resource (see below):
kubectl label namespace my-secure-namespace policy.sigstore.dev/include=true

Ref: An image is admitted after it has been validated against all ClusterImagePolicy that matched the digest of the image and that there was at least one valid signature or attestation obtained from the authorities provided in each of the matched ClusterImagePolicy. So each ClusterImagePolicy that matches is AND for admission, and within each ClusterImagePolicy authorities are OR.

Vulnerability details: PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1 PolicyController will report a false positive, resulting in an admission when it should not be admitted when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (–type defaults to “custom”). An example image that can be used to test this is ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2.

Solution: Users should upgrade to version 0.2.1 to resolve this issue.

Workarounds: There are no workarounds for users unable to upgrade.

CVE-2022-37035 FRRouting Release 8.3 design weakness (4th Aug 2022)

Preface: FRRouting is a free IP protocol suite. Many companies: ISPs, SaaS, web 2.0 businesses, hyper-scale services, and Fortune 500 private clouds — use it as a fundamental part of their networks.

Background: FRRouting (FRR) is a free and open source Internet routing protocol suite for Linux and Unix platforms. It implements BGP, OSPF, RIP, IS-IS, PIM, LDP, BFD, Babel, PBR, OpenFabric and VRRP, with alpha support for EIGRP and NHRP.

BGP uses 4 messages: open, update, keepalive and notification. NOTIFICATION messages are used to signal when something is wrong with the BGP session. A NOTIFICATION will be sent when any of the following occurs: An unsupported option is sent in an OPEN message. A peer fails to send an update or keepalive.

Vulnerability details: An issue was discovered in bgpd in FRRouting (FRR) 8.3. In bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c, there is a possible use-after-free due to a race condition. This could lead to Remote Code Execution or Information Disclosure by sending crafted BGP packets. User interaction is not needed for exploitation.

My speculation: As soon as the real BGP speaker communicates again (keepalive), an ACK storm ensues due to the overlapping sequence numbers. Refer to diagram, the file (bgp_packet.c). The BGP_MSG_KEEPALIVE contains operations tagged “memory_order_relaxed”.
Atomic operations tagged memory_order_relaxed are not synchronization operations; they do not impose an order among concurrent memory accesses. Perhaps this is one of the possibility to encountered similar design weakness.


CWE-416: Use After Free
The memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process.

Ref: A use-after-free bug due to race conditions in 2 threads. · Issue #11698 · FRRouting/frr · GitHub – https://github.com/FRRouting/frr/issues/11698

CVE-2022-33917: In certain circumstances, some versions of the Mali GPU Kernel driver can become compromised. (2nd Aug 2022)

Preface: Mali GPU kernel drivers have a wide range of applications in the IoT and IIoT world. Even the auto industry, gaming, healthcare and artificial intelligence.

Background:The Android and Linux version of the Mali GPUs Device Driver provide low-level access to the Mali GPUs that are part of the Valhall family. Some of these components are being made available under the GPLv2 licence. The company named “ARM”. They provides access to the source packages from which loadable kernel modules can be built.
The Mali GPU kernel device driver handles the following. Access to the Mali GPU hardware, Interrupt handling and Low level memory management.

Example:
Question: In normal circumstances, when program (software driver or software application) called kmalloc and didn’t free that memory before rmmod was called on the module, what happens to that memory? Is it a memory leak and it is completely unusable until restart, or does the kernel free that memory automatically?
Answer: It won’t be freed until explicitly done. Memory allocated with kmalloc() needs to be freed using kfree(). That piece of memory stays till the system is on.

Vulnerability details: An issue was discovered in the Arm Mali GPU Kernel Driver (Valhall r29p0 through r38p0). A non-privileged user can make improper GPU processing operations to gain access to already freed memory.
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
As usual, vendor not disclose the details. Perhaps we can find hints in between two different version of software drivers.
Please refer to attached image for details.

Solution: This issue is fixed in Valhall GPU Kernel Driver r39p0. Users are recommended to upgrade if they are impacted by this issue. Please refer to the link for details – https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities
Remark: The patch was release on 17th June 2022. Perhaps the risk is mitigated.

CVE-2022-35918 Streamlit vulnerability – If you work in the machine learning industry, you should consider it.
(1st Aug, 2022)

Preface: On 2017, Facebook’s artificial intelligence robots shut down after they start talking to each other in their own language. Maybe no one remembers!

Background: If you are a data scientist. You know the details of the algorithms, which libraries to use, and perform diagnostics. For the machine learning setup, perhaps you will use a opensource software technology. One of the way is creating an ML app using Flask, a commonly used web framework in Python.
Furthermore, you have another choices. Streamlit is a framework that is used by different machine learning engineers and data scientists to build UIs and powerful machine learning apps from a trained model.

  1. How to install streamlit?
    pip install streamlit
  2. Build the streamlit app
  • Create a new Python file named app.py.
  • Add our pickled model into a created folder.
  1. Import required packages.
  2. Unplick the model.
  3. Building your prediction logic.
  4. You will use material UI for styles and icons for your app
  5. Adding an image.

Vulnerability details: Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information.
An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file.

Solution: Vendor strongly recommend users upgrade to v1.11.1 as soon as possible. Please refer to the link for details – https://github.com/streamlit/streamlit/security/advisories/GHSA-v4hr-4jpx-56gc

CVE-2022-36124 – Linux kernel design flaws prior to 5.18.13 put Xen PV guest OS at risk (29-07-2022)

Preface: Uninitialized data segment, often called the “bss” segment, named after an ancient assembler operator that stood for “block started by symbol.” Data in this segment is initialized by the kernel to arithmetic 0 before the program starts executing.

Background: Xen is an open-source baremetal hypervisor that is widely used by commercial and non-commercial platforms to provide virtualization support.

Dom0 is the initial domain started by the Xen hypervisor on boot. Dom0 is an abbrevation of “Domain 0” (sometimes written as “domain zero” or the “host domain”). Dom0 is a privileged domain that starts first and manages the DomU unprivileged domains. The Xen hypervisor is not usable without Dom0.

Vulnerability details: The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This allows Xen PV guest OS users to cause a denial of service or gain privileges. For details, please refer to attached diagram.

Instead of clearing the bss area in assembly code, use the clear_bss()function.This requires to pass the start_info address as parameter to xen_start_kernel() in order to avoid the xen_start_info being zeroed again.

Details released by NIST: Please refer to the link – https://cve.report/CVE-2022-36123

CVE-2021-22641 – Cyber attack on TCPmodbus protocol products (28th July 2022)

Preface: Last September (2021) ICS adviced that the public should be concerned about the multiple vulnerabilities encountered by Modbus products. This product model is (TBox) from the supplier Ovarro.
Such vulnerabilities were documented in a CVE article published until this week (July 28, 2022). The record number is CVE-2021-22642.
Perhaps reader has confuse about this CVE record because same CVE number was found on CISA published on last year (2021) September. I think may be it has admended on vulnerability description and therefore has this matter occurs.
Maybe readers are confused about this CVE record, because the same CVE number was found in a CISA article published last September (2021). I think a modification to the original vulnerability description may be required. Thus this happens.

Reference:

Security focus – Related design weakness brought to my attention
An attacker could use specially crafted invalid Modbus frames to crash the Ovarro TBox system.
As usual, the technical article only writes the description of the vulnerability, but not the root cause. Maybe it’s public safety related, so it wasn’t disclosed.
As far as I know, TBOX products are designed to provide a safe and robust RTU solution for remote automation and monitoring of critical asset functions. Maybe I’ll try to do a quick research and see if it finds hints for your reference.

Observation (CVE-2021-22642): The MODBUS/TCP protocol contains also vulnerability that could allow an attacker to cause a denial of service (DoS) condition on a targeted system. The vulnerability is due to an implementation error in the affected protocol when processing Read Discrete Inputs request and response messages.
An unauthenticated, remote attacker could exploit the vulnerability by sending request or response parameters that contain malicious values for the data field option to a system that contains a vulnerable MODBUS/TCP implementation. The processing of the messages could trigger a DoS condition on the vulnerable system.

Official announcement (ovarro)https://www.ovarro.com/content-media/assigned/89928/TBOX-SA-2021-0005.pdf

CVE-2022-36946 – About Android and Linux (Torvalds) netfilter design weakness (27th July 2022)

Preface: What is SKB in Linux kernel? SKBs are composed of a linear data buffer, and optionally a set of 1 or more page buffers. If there are page buffers, the total number of bytes in the page buffer area is ‘data_len’. Therefore the number of bytes in the linear buffer is ‘skb->len – skb->data_len’.

Background: The Linux kernel has built-in packet filtering software in the form of something called netfilter. You use the iptables command to set up the rules for what happens to the packets based on the IP addresses in their header and the network connection type. Furthermore, NFQUEUE is an iptables and ip6tables target which delegate the decision on packets to a userspace software.
To understand NFQUEUE, the easiest way is to understand the architecture inside Linux kernel. When a packet reach an NFQUEUE target it is en-queued to the queue corresponding to the number given by the –queue-num option. The packet queue is a implemented as a chained list with element being the packet and metadata (a Linux kernel skb):

  • It is a fixed length queue implemented as a linked-list of packets.
  • Storing packet which are indexed by an integer
  • A packet is released when userspace issue a verdict to the corresponding index integer
  • When queue is full, no packet can be enqueued to it

Vulnerability details: CVE-2022-36946 – nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.

Official details and solution: Details provided in the following link –https://lore.kernel.org/netdev/165889141391.5272.4804742479205778392.git-patchwork-notify@kernel.org/t/

Even though it is protected in the software driver to avoid buffer overflows in the driver. But still let the cyber security provider draw out the shortcomings! (26th July 2022)

Preface: According to technical report (OT:ICEFALL) by cyber security service provider (Forescout). They observe that an APT toolkit targeting several OT devices, such as OPC UA servers and PLCs from Omron and Schneider Electric. According to ICS-CERT advisories on 28th June, 2022. The article had written down the RISK EVALUATION.  Successful exploitation of these vulnerabilities could cause a denial-of-service condition and allow remote code execution.Please refer to the link for details.

Background: The Omron FINS Ethernet Driver provides a reliable way to connect Omron FINS Ethernet controller to client applications; including HMI, SCADA, Historian, MES, ERP, and countless custom applications.
Remark: A PLC is a hardware-based device, SCADA is a system that works in conjunction with the PLC. Furthermore, HMI is also a system that works in conjunction with a PLC.

Omron PLCs usually have three different modes; Program Monitor and Run.

  • Program Mode: In PROGRAM mode the CPU unit is stopped so your logic will not be executed. User programming can be created or modified, memory can be cleared, and programs can be checked. Depending on the PLC type there may be other options as well.
  • Monitor Mode: In MONITOR mode the CPU unit is running, so your logic will be executed. I/O is processed in the same way as in RUN mode. The operating status of the CPU unit can be monitored, bits can be forced and/or set or reset. The set values and present values of timers and counters can be modified. The present values of word data can be modified. This mode is used for system adjustments.
  • Run Mode: RUN mode is used for normal system operation. The operating status of the CPU unit can be monitored, but bits cannot be forced and/or set or reset. Present and set values cannot be modified using programming devices.
    Let’s put our CP1H controller into monitor mode. Ctrl + 3, Monitor Icon or PLC | Operating Mode | Monitor from the main menu.

Vulnerability details (see below):

  • CVE-2022-31204 – Omron CS series, CJ series, and CP series PLCs through 2022-05-18 use cleartext passwords.
  • CVE-2022-31207 – The Omron SYSMAC Cx product family PLCs (CS series, CJ series, and CP series) through 2022-05-18 lack cryptographic authentication.
  • CVE-2022-31206 – The Omron SYSMAC Nx product family PLCs (NJ series, NY series, NX series, and PMAC series) through 2022-005-18 lack cryptographic authentication.
  • CVE-2022-31205 – In Omron CS series, CJ series, and CP series PLCs through 2022-05-18, the password for access to the Web UI is stored in memory area D1449…D1452 and can be read out using the Omron FINS protocol without any further authentication.
    Remark: Omron Cx series Authentication bypass & plaintext credentials – CVE-2022-31204, CVE-2022-31205

Reference A: Public report, known as “OT:ICEFALL” that details vulnerabilities found in multiple operational technology (OT) vendors. Please follow this link to download the report – https://www.forescout.com/resources/ot-icefall-report/

Reference B: ICS-CERT advisories on 28th June, 2022. Please follow this link to download the report – https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02

antihackingonline.com