Preface: In simplest terms, policies define what end-users can do on the cluster and possible ways to ensure that clusters are in compliance with organization policies.Policy-enablement empowers organizations to take control of Kubernetes operation and ensure that clusters are in compliance with organization policies.

Background: The policy-controller admission controller will only validate resources in namespaces that have chosen to opt-in. This can be done by adding the label policy.sigstore.dev/include: “true” to the namespace resource (see below):
kubectl label namespace my-secure-namespace policy.sigstore.dev/include=true

Ref: An image is admitted after it has been validated against all ClusterImagePolicy that matched the digest of the image and that there was at least one valid signature or attestation obtained from the authorities provided in each of the matched ClusterImagePolicy. So each ClusterImagePolicy that matches is AND for admission, and within each ClusterImagePolicy authorities are OR.

Vulnerability details: PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1 PolicyController will report a false positive, resulting in an admission when it should not be admitted when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (–type defaults to “custom”). An example image that can be used to test this is ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2.

Solution: Users should upgrade to version 0.2.1 to resolve this issue.

Workarounds: There are no workarounds for users unable to upgrade.

Preface: FRRouting is a free IP protocol suite. Many companies: ISPs, SaaS, web 2.0 businesses, hyper-scale services, and Fortune 500 private clouds — use it as a fundamental part of their networks.

Background: FRRouting (FRR) is a free and open source Internet routing protocol suite for Linux and Unix platforms. It implements BGP, OSPF, RIP, IS-IS, PIM, LDP, BFD, Babel, PBR, OpenFabric and VRRP, with alpha support for EIGRP and NHRP.

BGP uses 4 messages: open, update, keepalive and notification. NOTIFICATION messages are used to signal when something is wrong with the BGP session. A NOTIFICATION will be sent when any of the following occurs: An unsupported option is sent in an OPEN message. A peer fails to send an update or keepalive.

Vulnerability details: An issue was discovered in bgpd in FRRouting (FRR) 8.3. In bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c, there is a possible use-after-free due to a race condition. This could lead to Remote Code Execution or Information Disclosure by sending crafted BGP packets. User interaction is not needed for exploitation.

My speculation: As soon as the real BGP speaker communicates again (keepalive), an ACK storm ensues due to the overlapping sequence numbers. Refer to diagram, the file (bgp_packet.c). The BGP_MSG_KEEPALIVE contains operations tagged “memory_order_relaxed”.
Atomic operations tagged memory_order_relaxed are not synchronization operations; they do not impose an order among concurrent memory accesses. Perhaps this is one of the possibility to encountered similar design weakness.

CWE-416: Use After Free
The memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process.

Ref: A use-after-free bug due to race conditions in 2 threads. · Issue #11698 · FRRouting/frr · GitHub – https://github.com/FRRouting/frr/issues/11698

Preface: Mali GPU kernel drivers have a wide range of applications in the IoT and IIoT world. Even the auto industry, gaming, healthcare and artificial intelligence.

Background:The Android and Linux version of the Mali GPUs Device Driver provide low-level access to the Mali GPUs that are part of the Valhall family. Some of these components are being made available under the GPLv2 licence. The company named “ARM”. They provides access to the source packages from which loadable kernel modules can be built.
The Mali GPU kernel device driver handles the following. Access to the Mali GPU hardware, Interrupt handling and Low level memory management.

Example:
Question: In normal circumstances, when program (software driver or software application) called kmalloc and didn’t free that memory before rmmod was called on the module, what happens to that memory? Is it a memory leak and it is completely unusable until restart, or does the kernel free that memory automatically?
Answer: It won’t be freed until explicitly done. Memory allocated with kmalloc() needs to be freed using kfree(). That piece of memory stays till the system is on.

Vulnerability details: An issue was discovered in the Arm Mali GPU Kernel Driver (Valhall r29p0 through r38p0). A non-privileged user can make improper GPU processing operations to gain access to already freed memory.
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
As usual, vendor not disclose the details. Perhaps we can find hints in between two different version of software drivers.
Please refer to attached image for details.

Solution: This issue is fixed in Valhall GPU Kernel Driver r39p0. Users are recommended to upgrade if they are impacted by this issue. Please refer to the link for details – https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities
Remark: The patch was release on 17th June 2022. Perhaps the risk is mitigated.

Preface: On 2017, Facebook’s artificial intelligence robots shut down after they start talking to each other in their own language. Maybe no one remembers!

Background: If you are a data scientist. You know the details of the algorithms, which libraries to use, and perform diagnostics. For the machine learning setup, perhaps you will use a opensource software technology. One of the way is creating an ML app using Flask, a commonly used web framework in Python.
Furthermore, you have another choices. Streamlit is a framework that is used by different machine learning engineers and data scientists to build UIs and powerful machine learning apps from a trained model.

1. How to install streamlit?
   pip install streamlit
2. Build the streamlit app

• Create a new Python file named app.py.
• Add our pickled model into a created folder.

3. Import required packages.
4. Unplick the model.
5. Building your prediction logic.
6. You will use material UI for styles and icons for your app
7. Adding an image.

Vulnerability details: Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information.
An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file.

Solution: Vendor strongly recommend users upgrade to v1.11.1 as soon as possible. Please refer to the link for details – https://github.com/streamlit/streamlit/security/advisories/GHSA-v4hr-4jpx-56gc

Preface: Uninitialized data segment, often called the “bss” segment, named after an ancient assembler operator that stood for “block started by symbol.” Data in this segment is initialized by the kernel to arithmetic 0 before the program starts executing.

Background: Xen is an open-source baremetal hypervisor that is widely used by commercial and non-commercial platforms to provide virtualization support.

Dom0 is the initial domain started by the Xen hypervisor on boot. Dom0 is an abbrevation of “Domain 0” (sometimes written as “domain zero” or the “host domain”). Dom0 is a privileged domain that starts first and manages the DomU unprivileged domains. The Xen hypervisor is not usable without Dom0.

Vulnerability details: The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This allows Xen PV guest OS users to cause a denial of service or gain privileges. For details, please refer to attached diagram.

Instead of clearing the bss area in assembly code, use the clear_bss()function.This requires to pass the start_info address as parameter to xen_start_kernel() in order to avoid the xen_start_info being zeroed again.

Details released by NIST: Please refer to the link – https://cve.report/CVE-2022-36123

Preface: Last September (2021) ICS adviced that the public should be concerned about the multiple vulnerabilities encountered by Modbus products. This product model is (TBox) from the supplier Ovarro.
Such vulnerabilities were documented in a CVE article published until this week (July 28, 2022). The record number is CVE-2021-22642.
Perhaps reader has confuse about this CVE record because same CVE number was found on CISA published on last year (2021) September. I think may be it has admended on vulnerability description and therefore has this matter occurs.
Maybe readers are confused about this CVE record, because the same CVE number was found in a CISA article published last September (2021). I think a modification to the original vulnerability description may be required. Thus this happens.

Reference:

• ICS Advisory (ICSA-21-054-04) – Original release date: September 23, 2021
  https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04
• Relevant CVE record details in the US National Vulnerability Database. Please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2021-22642

Security focus – Related design weakness brought to my attention
An attacker could use specially crafted invalid Modbus frames to crash the Ovarro TBox system.
As usual, the technical article only writes the description of the vulnerability, but not the root cause. Maybe it’s public safety related, so it wasn’t disclosed.
As far as I know, TBOX products are designed to provide a safe and robust RTU solution for remote automation and monitoring of critical asset functions. Maybe I’ll try to do a quick research and see if it finds hints for your reference.

Observation (CVE-2021-22642): The MODBUS/TCP protocol contains also vulnerability that could allow an attacker to cause a denial of service (DoS) condition on a targeted system. The vulnerability is due to an implementation error in the affected protocol when processing Read Discrete Inputs request and response messages.
An unauthenticated, remote attacker could exploit the vulnerability by sending request or response parameters that contain malicious values for the data field option to a system that contains a vulnerable MODBUS/TCP implementation. The processing of the messages could trigger a DoS condition on the vulnerable system.

Official announcement (ovarro) – https://www.ovarro.com/content-media/assigned/89928/TBOX-SA-2021-0005.pdf

Preface: What is SKB in Linux kernel? SKBs are composed of a linear data buffer, and optionally a set of 1 or more page buffers. If there are page buffers, the total number of bytes in the page buffer area is ‘data_len’. Therefore the number of bytes in the linear buffer is ‘skb->len – skb->data_len’.

Background: The Linux kernel has built-in packet filtering software in the form of something called netfilter. You use the iptables command to set up the rules for what happens to the packets based on the IP addresses in their header and the network connection type. Furthermore, NFQUEUE is an iptables and ip6tables target which delegate the decision on packets to a userspace software.
To understand NFQUEUE, the easiest way is to understand the architecture inside Linux kernel. When a packet reach an NFQUEUE target it is en-queued to the queue corresponding to the number given by the –queue-num option. The packet queue is a implemented as a chained list with element being the packet and metadata (a Linux kernel skb):

• It is a fixed length queue implemented as a linked-list of packets.
• Storing packet which are indexed by an integer
• A packet is released when userspace issue a verdict to the corresponding index integer
• When queue is full, no packet can be enqueued to it

Vulnerability details: CVE-2022-36946 – nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.

Official details and solution: Details provided in the following link –https://lore.kernel.org/netdev/165889141391.5272.4804742479205778392.git-patchwork-notify@kernel.org/t/

Preface: According to technical report (OT:ICEFALL) by cyber security service provider (Forescout). They observe that an APT toolkit targeting several OT devices, such as OPC UA servers and PLCs from Omron and Schneider Electric. According to ICS-CERT advisories on 28th June, 2022. The article had written down the RISK EVALUATION.  Successful exploitation of these vulnerabilities could cause a denial-of-service condition and allow remote code execution.Please refer to the link for details.

Background: The Omron FINS Ethernet Driver provides a reliable way to connect Omron FINS Ethernet controller to client applications; including HMI, SCADA, Historian, MES, ERP, and countless custom applications.
Remark: A PLC is a hardware-based device, SCADA is a system that works in conjunction with the PLC. Furthermore, HMI is also a system that works in conjunction with a PLC.

Omron PLCs usually have three different modes; Program Monitor and Run.

• Program Mode: In PROGRAM mode the CPU unit is stopped so your logic will not be executed. User programming can be created or modified, memory can be cleared, and programs can be checked. Depending on the PLC type there may be other options as well.
• Monitor Mode: In MONITOR mode the CPU unit is running, so your logic will be executed. I/O is processed in the same way as in RUN mode. The operating status of the CPU unit can be monitored, bits can be forced and/or set or reset. The set values and present values of timers and counters can be modified. The present values of word data can be modified. This mode is used for system adjustments.
• Run Mode: RUN mode is used for normal system operation. The operating status of the CPU unit can be monitored, but bits cannot be forced and/or set or reset. Present and set values cannot be modified using programming devices.
  Let’s put our CP1H controller into monitor mode. Ctrl + 3, Monitor Icon or PLC | Operating Mode | Monitor from the main menu.

Vulnerability details (see below):

• CVE-2022-31204 – Omron CS series, CJ series, and CP series PLCs through 2022-05-18 use cleartext passwords.
• CVE-2022-31207 – The Omron SYSMAC Cx product family PLCs (CS series, CJ series, and CP series) through 2022-05-18 lack cryptographic authentication.
• CVE-2022-31206 – The Omron SYSMAC Nx product family PLCs (NJ series, NY series, NX series, and PMAC series) through 2022-005-18 lack cryptographic authentication.
• CVE-2022-31205 – In Omron CS series, CJ series, and CP series PLCs through 2022-05-18, the password for access to the Web UI is stored in memory area D1449…D1452 and can be read out using the Omron FINS protocol without any further authentication.
  Remark: Omron Cx series Authentication bypass & plaintext credentials – CVE-2022-31204, CVE-2022-31205

Reference A: Public report, known as “OT:ICEFALL” that details vulnerabilities found in multiple operational technology (OT) vendors. Please follow this link to download the report – https://www.forescout.com/resources/ot-icefall-report/

Reference B: ICS-CERT advisories on 28th June, 2022. Please follow this link to download the report – https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-02

Preface: As time goes by, online training course is the mainstream to offload traditional onsite training course. The Learning Management System (LMS) is a software application designed to deliver, track, report on and manage trainings and learner activity. Some popular LMS used by educational institutions include Moodle, Blackboard Learn and Schoology.
Accroding to security reason, LMS will running in a separate web hosting area. However, if it contains (stored XSS and blind SSRF) vulnerabilities. Even though it is not running in the student office, it is potentially risky allowing cybercriminals to steal their sensitive information. Therefore, it may affect their enterprise systems.

Background: SCORM (Sharable Content Object Reference Model) can be described as a collection of standards and specifications that allow for the description and packaging of an e-learning course. SCORM 1.2 is the most widely distributed version of the SCORM specification. The SCORM 1.2 definition has two main parts SCORM Content Aggregation Model (CAM) and SCORM RunTime Environment (RTE).
SCORM packages are typically zip files. Within the zip file you will find all the content needed at delivery time by the SCORM package and a manifest file, named imsmanifest.xml. The manifest file describes the SCORM package so that the SCORM player understands how to run the SCORM package.
SCORM 1.2 is supported by Moodle 1.9.3 (or higher) and Moodle 1.8.7 (or higher). It is very simple to add a SCORM package to Moodle. The SCORM package is simply added to a course as a course activity.

Vulnerability details: A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user’s browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks.

Below details are the existing vulnerabilities found by vendor.

CVE-2022-35653 – A reflected XSS issue was identified in the LTI module of Moodle
CVE-2022-35652 – An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature.
CVE-2022-35651 – A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details.
CVE-2022-35650 – The vulnerability was found in Moodle, occurs due to input validation error when importing lesson questions.
CVE-2022-35649 – Due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50.

Solution: For Solutions to fix the above vulnerabilities. See the official announcement in the link – https://moodle.org/security/

Preface: GdkPixbuf is a library with a long history, and it has been incrementally modified over years, so it may retain some older coding practices alongside newer ones.

Background: GdkPixbuf is a library that loads image data in various formats and stores it as linear buffers in memory. The buffers can then be scaled, composited,modified, saved, or rendered.GdkPixbuf can load image data encoded in different formats, such as: PNG, JPEG, TIFF, TGA and GIF.

The GdkPixbuf class provides methods for saving image data in a number of file formats. The formatted data can be written to a file or to a memory buffer. GdkPixbuf can also call a user-defined callback on the data, which allows to e.g. write the image to a socket or store it in a database.

Vulnerability details: GNOME GdkPixbuf (aka GDK-PixBuf) before 2.42.8 allows a heap-based buffer overflow when compositing or clearing frames in GIF files, as demonstrated by io-gif-animation[.]c composite_frame. This overflow is controllable and could be abused for code execution, especially on 32-bit systems.

This design weakness found in last year. Since no CVE was registered, it probably is not being considered as a problem for downstream users of the package. Till July 2022, the latest Debian stable package is affected by this vulnerability. Using a GNOME file system browser and browsing to that folder will cause a crash, as will opening it up in a GNOME image viewer and even attempting to load it in Chromium .

The bug is in composite_frame() in io-gif-animation[.]c. The problem appears to be in the calculation of the offset variable (see below):

• because it is a signed int, it can overwrite when it’s over INT32_MAX.
• even if it was as an unsigned int, given the calculations, it becomes quite easy to reach very large values.

Solution: Upgrade to gdk-pixbuf 2[.]42[.]8