If you are interested in reading this article, you may agree that the industrial sector needs to strengthen its cybersecurity protection (17th Aug 2022)

Preface: OPC UA is a standard that ensures the open connectivity, interoperability, security, and reliability of industrial automation devices and systems. OPC UA is widely recognized as the key communication and data modeling technology for the Industry 4.0 initiative.
The UA SDK is a C++ library that supports you in writing portable C++ OPC UA Servers. The UA SDK actually consists of two SDKs, a Server SDK and a Client SDK. Both use the same UA Base Library which does all the C++ encapsulation of the raw ANSI C types that are defined in the OPC UA Communication Stack by the OPC Foundation.

Background: The C++ OPC UA Server SDK provides a C++ class library used to develop OPC UA Servers providing a standard interface to vendor specific systems. The OPC UA Server is normally used to describe the available information from a vendor system and to provide access to the data for external systems in a standardized way.
The SDK allows multiple instances of its address space implementation. For every namespace you create a new address space, and together these form the complete server address space. For each address space the namespace index (“ns”) is well known, which allows the redundant “ns” information in the nodes to be eliminated. For each address space you can configure the size constraints and whether the address space is created dynamically in RAM or compiled into the application.

Vulnerability details: On 17th Aug 2022, Softing published an information update for OPC UA C++ SDK from version 6.0. Softing OPC UA C++ Server SDK, Secure Integration Server, edgeConnector, edgeAggregator, OPC Suite, and uaGate are affected by a NULL pointer dereference vulnerability.
NULL pointer dereference vulnerability in OPC UA C++ SDK, Secure Integration Server, edgeConnector and edgeAggregator – https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-7.html

Ref: On June 17, 2021, it was disclosed that in Softing OPC UA C++ SDK (Software Development Kit) versions 5.59 to 5.64, exported library functions do not properly validate received extension objects, which may allow an attacker to crash the software by sending a variety of specially crafted packets that access several unexpected memory locations.
https://nvd.nist.gov/vuln/detail/CVE-2021-32994
https://www.cisa.gov/uscert/ics/advisories/icsa-21-168-02

CVE-2022-38362 – Apache Airflow Docker Provider design weakness (prior to 3.0.0) 16th Aug 2022

Preface: The three top industries that use Apache Airflow for Workflow Automation are Machine Learning, Big Data and Artificial Intelligence.

Background: Airflow is a platform that lets you build and run workflows. A workflow is represented as a DAG (a Directed Acyclic Graph), and contains individual pieces of work called Tasks, arranged with dependencies and data flows taken into account.
The following is an outline of the basics of deploying Airflow inside Kubernetes. I assume you have the following components running as Docker containers inside Kubernetes (Postgres Container, Postgres Service, Airflow Webserver, Airflow Scheduler and Airflow LoadBalancer Service).

The steps below are a quick view according to the above components.
Step 1. Get Apache Airflow Docker image.
Step 2. Deploy Postgres into Kubernetes.
Step 3. Deploy a Service for Postgres.
Step 4. Prepare Postgres database for Airflow.
Step 5. Get ready to write some YAML files.
Step 6. Deploy a LoadBalancer Service to expose Airflow UI to Internet.
Warning: Once this step is complete you will have an Airflow UI that anyone can access.

Vulnerability details: Apache Airflow’s Docker Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code execution on the Airflow worker host.

Remark: A DAG is defined in a Python script, which represents the DAG’s structure (tasks and their dependencies) as code.

Mitigation: Disable loading of example DAGs, or upgrade apache-airflow-providers-docker to 3.0.0 or above.

Official announcement: Please refer to the link for details https://lists.apache.org/thread/614p38nf4gbk8xhvnskj9b1sqo2dknkb

CVE-2022-35623 Nordic nRF5 SDK for Mesh 5.0 design weakness – 15th Aug 2022

Preface: Bluetooth mesh is ideal for industrial IoT use cases—especially lighting—that require the relatively low-cost and low-power scalability, reliability, and performance of Bluetooth technology. It enables many-to-many device communications and is optimized for creating large-scale device networks.

Background: Bluetooth mesh networks – Communication from one node to another. Unlike traditional IP-based networks, Bluetooth Mesh uses a managed flood routing model for forwarding messages from one node to another. In this model, messages are broadcast to each node in the vicinity and a time-to-live (TTL) is used to address the potential of a routing loop.

The nRF5 SDK for Mesh is ideal for developing applications that use Bluetooth mesh networks.

The heap is a region of a process’s memory that is used to store dynamically allocated variables. These variables are allocated using the malloc() and calloc() functions and resized using the realloc() function, which are built-in functions of the C standard library.
The function memcpy() is used to copy a memory block from one location to another. Both the source and the destination are given as pointers. It is declared in the “string.h” header file of the C language. It does not check whether the copy overflows the destination buffer.

Vulnerability details: CVE-2022-35623 – In Nordic nRF5 SDK for Mesh 5.0, a heap overflow vulnerability can be triggered by sending a series of segmented control packets and access packets with the same SeqAuth. The vulnerable function is trs_seg_packet_in in mesh/core/src/transport[.]c.

Official details: https://docs.google.com/document/d/1Y3sB5JbyrTIOgvA1h9X6o8pJQBG4PjWF/edit

Additional: CVE-2022-35624 – In Nordic nRF5 SDK for Mesh 5.0, a heap overflow vulnerability can be triggered by sending a series of segmented packets with SegO > SegN.
https://docs.google.com/document/d/1BrgB1bQiL-cMXQGaXJWSSyaZY51Zxomp/edit
The vulnerable function is trs_seg_packet_in in mesh/core/src/transport[.]c.
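Both CVE-2022-35623 and CVE-2022-35624 come down to a segment being copied into a reassembly buffer without first checking that it belongs there. The following is an added illustrative model of segmented-message reassembly written for this post (it is not the nRF5 SDK’s trs_seg_packet_in), showing the checks a transport layer needs before any copy: SegO must not exceed SegN, the payload must fit the segment slot, and a segment must not be mixed into a session under the same SeqAuth that was created for the other message type or a different SegN. Segment sizes and field widths follow the Bluetooth Mesh Profile; the session layout is an assumption of this model.

```python
from dataclasses import dataclass, field

# Lower-transport segment sizes per the Bluetooth Mesh Profile: up to 12 payload
# octets per segment of a segmented access message, up to 8 for a segmented
# control message. SegO and SegN are 5-bit fields (0..31).
ACCESS_SEG_LEN = 12
CTRL_SEG_LEN = 8
SEG_FIELD_MAX = 31


class SegmentError(ValueError):
    """Raised for a segment that must be dropped instead of copied."""


@dataclass
class SarSession:
    """Reassembly state for one SeqAuth (hypothetical layout for this model)."""
    is_control: bool
    seg_n: int
    buf: bytearray                      # sized once, from SegN of the first segment
    received: set = field(default_factory=set)
    total: int = 0                      # real message length, known from the last segment


class Reassembler:
    def __init__(self):
        self.sessions = {}              # SeqAuth -> SarSession

    def segment_in(self, seq_auth, is_control, seg_o, seg_n, payload):
        """Validate one segment and copy it into its session buffer.

        Returns the reassembled PDU when all SegN+1 segments are present,
        otherwise None. Every check happens before the copy."""
        seg_len = CTRL_SEG_LEN if is_control else ACCESS_SEG_LEN
        if not (0 <= seg_n <= SEG_FIELD_MAX and 0 <= seg_o <= SEG_FIELD_MAX):
            raise SegmentError("SegO/SegN outside 5-bit range")
        if seg_o > seg_n:
            # CVE-2022-35624 pattern: offset SegO*seg_len would land past a
            # buffer that was sized for SegN+1 segments.
            raise SegmentError("SegO > SegN")
        if len(payload) > seg_len:
            raise SegmentError("payload longer than the segment slot")
        sess = self.sessions.get(seq_auth)
        if sess is None:
            sess = SarSession(is_control, seg_n, bytearray((seg_n + 1) * seg_len))
            self.sessions[seq_auth] = sess
        elif sess.is_control != is_control or sess.seg_n != seg_n:
            # CVE-2022-35623 pattern: control segments (8-byte slots) must not be
            # copied into a session opened for access segments (12-byte slots)
            # under the same SeqAuth, nor may SegN change mid-session.
            raise SegmentError("segment does not match the existing SeqAuth session")
        offset = seg_o * seg_len
        assert offset + len(payload) <= len(sess.buf)   # guaranteed by the checks above
        sess.buf[offset:offset + len(payload)] = payload
        sess.received.add(seg_o)
        if seg_o == seg_n:
            sess.total = offset + len(payload)           # last segment may be short
        if len(sess.received) == seg_n + 1:
            del self.sessions[seq_auth]
            return bytes(sess.buf[:sess.total])
        return None
```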

Point of view: Networking flagship firm hits ransomware attack. (You’ll see what no one else can see) 14th Aug 2022

Preface: The Cisco Talos article describes a ransomware attack on their own company. It explains in detail that in the first phase of the attack, the attacker used phishing against victims; once the target machine was compromised, the attacker proceeded to the second phase. But with a so-called zero-day, nobody would know. If we could replay the scenario, maybe this design flaw would be one of the possibilities to trigger the event.

Background: In summary and recommendation posted by Talos Intelligence Group (see below):
Cisco implemented a company-wide password reset immediately upon learning of the incident. CTIR previously observed similar TTPs in numerous investigations since 2021.

CVE-2021-22928 – A vulnerability has been identified in Citrix Virtual Apps and Desktops that could, if exploited, allow a user of a Windows VDA that has either Citrix Profile Management or Citrix Profile Management WMI Plugin installed to escalate their privilege level on that Windows VDA to SYSTEM.

One of the key reasons I make this speculation: we don’t know the exact infrastructure, and from a security standpoint Cisco would not disclose details. But the information below provides hints that caught my interest.

Quote:
After establishing access to the VPN, the attacker then began to use the compromised user account to logon to a large number of systems before beginning to pivot further into the environment. They moved into the Citrix environment, compromising a series of Citrix servers and eventually obtained privileged access to domain controllers.

Official details: If you are interested in digging out the details, please refer to the official website link – https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html

Comment: From a technical point of view, if this is a zero-day vulnerability, I don’t think it can be prevented with preventive or detective controls.

CVE-2022-20377 – Google Android Fingerprint keymaster_ipc[.]cpp Local Privilege Escalation (11th Aug 2022)

Preface: Pixel phones install downloaded Android updates in the background. The installed updates become active the next time that you restart your phone.

Background: Protection of the sensitive data stored on mobile devices is a hot topic. This is why it is very important for mobile app developers to take care of it. Google’s answer to this is the Android Keystore, which was created to allow you to use asymmetric keys and symmetric keys outside your application code.
HMAC stands for Hash-based Message Authentication Code or Keyed-hash Message Authentication Code. Android uses it to verify the authenticity and integrity of transmitted data. HMACs are ideal for high-performance systems like routers because hash functions are calculated and verified quickly, unlike public key systems.

Vulnerability details: In TBD of keymaster_ipc[.]cpp, there is a possible way to force gatekeeper, fingerprint, and faceauth to use a known HMAC key. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Since the details have not been disclosed by the vendor, one possible cause is the following issue. HMACs use a shared key, which raises the question of non-repudiation. Non-repudiation is a legal concept that is widely used in information security and refers to a service which provides proof of the origin of data and the integrity of the data.
If either sender or receiver’s key is compromised then it will be easy for attackers to create unauthorized messages.

Official announcement – Please refer to the link for details – https://source.android.com/security/bulletin/pixel/2022-08-01

AMD’s delayed announcement – CVE-2021-46778 (9th Aug 2022)

Preface: Is this a possible solution? Can we disable SMT technology as a mitigation for SQUIP? As far as we know, doing so would severely degrade the performance of AMD processors.

Background: An attacker modifies the system’s MTRR registers to change the SMM memory space from uncacheable to cacheable with type Write-back. The MTRRs (Memory Type Range Registers) are registers that give system software control over how CPU accesses to memory ranges are cached.
The attacker can then write code into the memory space that is normally reserved only for SMM functions. The CPU will execute the SMM code, but it fetches it from the cache before DRAM; if the malicious code is in the cache, it is executed.

Remark: SMM code is the most privileged code executed on the CPU. It is completely hidden from the running operating system, it cannot be modified by the kernel or even by DMA devices, and most importantly SMM code can access any physical memory.

Vulnerability details: A contention-based side channel vulnerability was found in hardware. Some AMD CPUs using simultaneous multithreading (SMT) may allow an attacker to measure the contention level on scheduler queues, leading to potential leakage of sensitive information.

To exploit the design weakness and get access to data processed by the same CPU core, an attacker needs to run malicious code on that CPU core first. Is it possible to take advantage of SMM for this?

Official announcement – Execution Unit Scheduler Contention Side-Channel Vulnerability on AMD Processors. Please refer to the link for details – https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1039

What’s going on that leads the vendor (SAP) to update a vulnerability note (the vulnerability occurred in April 2018 – Note# 26226600)? 9th Aug 2022

Preface: SAP has released its August 2022 Patch Day updates. However, you will still see items you are familiar with. What’s that? As follows!
Update to Security Note released on April 2018 Patch Day:
Security updates for the browser control Google Chromium delivered with SAP Business Client. Product: SAP Business Client, Versions 6.5, 7.0, 7.70 (Hot News – CVSS 10)

Background: SAP Business Client 7.70 was launched together with SAP GUI for Windows 7.70. With 7.70 you can connect to your launchpad in the cloud (SAP BTP, Cloud Foundry runtime environment); whenever there is a navigation to a transaction running in an on-premise system, the transaction is rendered with SAP GUI for Windows, otherwise with SAP GUI for HTML. Furthermore, SAP Business Client is integrated with Chromium, the open source rendering engine of the Google Chrome web browser.

What rendering engine does Chrome use? Most of Chrome’s source code comes from Google’s free and open-source software project Chromium, but Chrome is licensed as proprietary freeware. WebKit was the original rendering engine, but Google eventually forked it to create the Blink engine; all Chrome variants except iOS now use Blink.

Vulnerability details: No CVE record number provided. A note with CVSS 9.8 for component BC-FES-BUS-DSK was released by SAP on 10.04.2018. The correction/advisory 2622660 was described with “Security updates for the browser control Google Chromium delivered with SAP Business Client” and affects the system type SAP GUI / Frontend.

Details of the problem require a user ID and password – https://accounts.sap.com/saml2/idp/sso. Perhaps there is no need to go behind the vendor registration wall; you can guess what’s going on.

SAP Business Client is integrated with Chromium, the open source rendering engine of the Google Chrome web browser. Security note 2622660 has been released since April 2018. Its purpose is to keep customers updated on the vulnerabilities that SAP Business Client inherits from third party web browsers like Google Chromium. The vulnerabilities listed in the security note are found in components delivered by Google.

On 9th of August 2022, SAP Security Patch Day saw the release of 5 new Security Notes. Further, there were 2 updates to previously released Patch Day Security Notes. Please refer to the link for details – https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10

CVE-2022-33719 – Improper input validation in baseband prior to SMR Aug-2022 Release 1 (5th Aug 2022)

Preface: The Samsung Galaxy S22 series uses the Qualcomm Snapdragon 8 in the national version and the Exynos 2200 in the European version. European users will cheer as the Samsung Galaxy S23 ditches the Exynos chip.

Background: Android 12 is the twelfth major release and 19th version of Android, the mobile operating system developed by the Open Handset Alliance led by Google.
Android Q is Android 10.
Android R is Android 11.
Android S is Android 12.

Baseband initialization: pal_init() is a monolithic function that starts all modem subsystems and tasks:
○ Activates malloc heap
○ Loads NV items
○ Starts timers
○ Initializes DSP(s) and other peripherals
○ Starts all tasks

Vulnerability details: Improper input validation in the baseband prior to SMR Aug-2022 Release 1 allows attackers to cause an integer overflow that leads to a heap overflow. The patch adds proper validation logic to prevent the integer overflow.
The weakness was published on 08/05/2022. The advisory is available at security.samsungmobile.com. This vulnerability has been tracked as CVE-2022-33719 since 06/15/2022. The technical details are unknown and an exploit is not available.

For a summary of my observations, please refer to the diagram.

Severity: Critical
Affected versions: Selected Q(10), R(11), S(12) devices with S.LSI CP chipsets
Reported on: February 26, 2022

Official details: Please refer to the link for details – https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=08

CVE-2022-19773 A use-after-free vulnerability was found in the Linux kernel (log_replay in fs/ntfs3/fslog[.]c for NTFS logs)

Preface: The NTFS3 component is not included in the 5.15 kernel of Manjaro. ntfs3 is a kernel module, and it is ready for use from version 5.15.2_rt19-1. Typing “modinfo ntfs3” lets you know the ntfs3 installation status.

Background: The ext4 is better on Linux based systems because it is designed and built for Linux. NTFS, on the other hand, is designed and built for Windows. KDE Partition Manager has support for a large number of file systems, the most notable ones being NTFS, FAT, F2FS, and so on. Just like every other application of KDE, the Partition Manager is released under the GNU Public License, making it completely free to use and open-source.
NTFS3 is called NTFS3 because it fully implements the latest version, 3.1, of the NTFS file system specification. NTFS is unlikely to change in future, so the NTFS3 name reflects that NTFS3 implements the latest revision of NTFS.
NTFS3 is a fully functional NTFS read-write driver. The driver works with NTFS versions up to 3.1, normal/compressed/sparse files and journal replaying. The file system type to use on mount is ‘ntfs3’.

  • This driver implements NTFS read/write support for normal, sparse and compressed files.
  • Supports native journal replaying;
  • Supports extended attributes

Vulnerability details: A use-after-free flaw was found in the Linux kernel in log_replay in fs/ntfs3/fslog.c in the NTFS journal. This flaw allows a local attacker to crash the system and leads to a kernel information leak. Since the vendor has not provided further details yet, this lured me into speculating. For details, please refer to the chart.

Solution: Upgrading to version 5.19-rc1 eliminates this vulnerability.

Related article: Please refer to the link for details https://bugzilla.redhat.com/show_bug.cgi?id=2092542

CVE-2022-35930 – Ability to bypass attestation verification on sigstore (policy-controller) 4th Aug 2022

Preface: In simplest terms, policies define what end-users can do on the cluster and possible ways to ensure that clusters are in compliance with organization policies.Policy-enablement empowers organizations to take control of Kubernetes operation and ensure that clusters are in compliance with organization policies.

Background: The policy-controller admission controller will only validate resources in namespaces that have chosen to opt-in. This can be done by adding the label policy.sigstore.dev/include: “true” to the namespace resource (see below):
kubectl label namespace my-secure-namespace policy.sigstore.dev/include=true

Ref: An image is admitted after it has been validated against all ClusterImagePolicy resources that matched the digest of the image, and at least one valid signature or attestation has been obtained from the authorities provided in each of the matched ClusterImagePolicy resources. So the matching ClusterImagePolicy resources are combined with AND for admission, while the authorities within each ClusterImagePolicy are combined with OR.

Vulnerability details: PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1, PolicyController reports a false positive, admitting an image that should not be admitted, when there is at least one attestation with a valid signature but there are NO attestations of the type being verified (--type defaults to “custom”). An example image that can be used to test this is ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2.
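To make the admission logic concrete, here is an added model (written for this post, not policy-controller’s own code) of the AND/OR combination described in the Ref paragraph together with the pre-0.2.1 false positive: the buggy path accepts any validly signed attestation, while the fixed path first narrows the attestations to the type the authority asks for. Attestation, Authority and ClusterImagePolicy are simplified stand-ins for the real resources, and the sample data is constructed.

```python
from dataclasses import dataclass


@dataclass
class Attestation:
    predicate_type: str     # e.g. "custom", "vuln", "slsaprovenance"
    signed_by: str          # id of the key that signed the attestation envelope
    signature_valid: bool   # outcome of signature verification (constructed here)


@dataclass
class Authority:
    key_id: str
    attestation_type: str = "custom"   # mirrors the --type default named in the advisory


@dataclass
class ClusterImagePolicy:
    name: str
    authorities: list


def authority_satisfied(auth, attestations, fixed=True):
    """Does this authority have a validly signed attestation of the type it requires?"""
    validly_signed = [a for a in attestations
                      if a.signed_by == auth.key_id and a.signature_valid]
    if not fixed:
        # Pre-0.2.1 behaviour described in the advisory: a valid signature on
        # *any* attestation satisfies the authority, even when none has the
        # requested predicate type.
        return bool(validly_signed)
    # Fixed behaviour: filter by type first, then require a valid signature.
    return any(a.predicate_type == auth.attestation_type for a in validly_signed)


def admit(policies, attestations, fixed=True):
    """AND across every matching ClusterImagePolicy, OR across the authorities within one."""
    return all(
        any(authority_satisfied(auth, attestations, fixed) for auth in policy.authorities)
        for policy in policies
    )


# Constructed sample: the image carries only a validly signed "vuln" attestation,
# but the policy asks for a "custom" attestation from the same key.
SAMPLE_ATTESTATIONS = [Attestation("vuln", "team-key", True)]
SAMPLE_POLICIES = [ClusterImagePolicy("require-custom", [Authority("team-key", "custom")])]
```

With the sample data, the pre-0.2.1 path admits the image and the fixed path rejects it.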

Solution: Users should upgrade to version 0.2.1 to resolve this issue.

Workarounds: There are no workarounds for users unable to upgrade.

antihackingonline.com