Preface: According to the information provided by the supplier. This vulnerability was reported on April 5, 2022. But we didn’t see that record until this month.

Background: Samsung Kies is the official tool from Samsung for Android devices. Using Samsung Kies, you can view apps in full screen on your Windows, no matter what network you’re on. You can personalise services too, simply by becoming a Samsung Apps member or registering your mobile phone. If transferring data from Samsung device to PC is your prime intention then Samsung Kies would be a good choice.
Additional reference: The new version of Smart Switch let you move data from your old device to your new Galaxy device quickly and easily.

Vulnerability details: DLL hijacking vulnerability in KiesWrapper in Samsung Kies prior to version 2.6.4.22043_1 allows attacker to execute arbitrary code. The patch changes to load default DLL in Windows. Since the vendor hasn’t released details yet, therefore our speculating based on the app design.

According to my observations. The following details may be related to such vulnerabilities. But I think MSCOREE[.]dll will be closely related to this.

“C:\Program Files (x86)\Samsung\Kies\KiesAgent[.]exe”
USER32[.]DLL
SHELL32[.]DLL
ADVAPI32[.]DLL
KERNEL32[.]DLL

“C:\Program Files (x86)\Samsung\Kies\Kies[.]exe”
MSCOREE[.]DLL

So, it is possible for cyber criminal exploit this design weakness by Reflective Code Loading.

About Reflective code loading: Reflective code injection is very similar to Process Injection except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.

Remedy: Install version 2.6.4.22043_1

For details, please refer to the official announcement – https://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=6

Preface: Packet filtering are divided into two categories :

• Stateless (Packet filtering) – Stateless is the polar opposite of stateful
• Stateful (Packet filtering)
  Stateless (Packet filtering): It is also known as an access control list (ACL), does not store information on the connection state. Stateless ACLs are applicable to the network and physical layers, and sometimes the transport layer to find out the source and destination port numbers. When the sender sends a packet and gets filtered through a filter, the device checks for matches to any of the ACL rules that are configured in the filter and then drops or rejects the packet accordingly.

Background: Netfilter is an infrastructure; it is the basic API that the Linux 2.4 kernel offers for applications that want to view and manipulate network packets. Netfilter offers various functions and operations for packet filtering, network address translation, and port translation.

Vulnerability details: A use-after-free vulnerability was found in the Linux kernel’s Netfilter subsystem in net/netfilter/nf_tables_api[.]c. This flaw allows a local attacker with user access to cause a privilege escalation issue.
Remark: nft_expr_init() calls expr->ops->init() first, then check for NFT_STATEFUL_EXPR, this stills allows to initialize a non-stateful lookup expressions which points to a set, which might lead to UAF since the set is not properly detached from the set->binding for this case. The specific debugging method is shown in the attached drawing.

Red Hat Bugzilla – Bug 2092427
Bug 2092427 (CVE-2022-1966) – CVE-2022-1966 kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root
Please refer to the link for details – https://bugzilla.redhat.com/show_bug.cgi?id=2092427

Preface: Move the TCP hashtable functions/structs to inet_hashtables.[ch] , it was happened 17 years ago.
On April 27, 2022, in an unpublished paper, report that clients can be accurately identified by forcing them to issue 40 times more connections than the number of entries in table_perturb[ ] Table, indexed by hash-joined tuples.
The current 2^8 setup allows them to perform this attack using only 10k connections, which is not hard to do in seconds.

Background: TCP – dynamically allocate the perturb table used by source ports. The kernel keeps the INET socket in a hash table so that the lookup operation is reasonably fast .

The vulnerability will be triggered under below circumstances.
Stochastic Fair Queuing: This queuing mechanism is based on fair queuing algorithm and proposed by John Nagle in 1987. Because it is impractical to have one queue for each conversation SFQ uses a hashing algorithm which divides the traffic over a limited number of queues. It is not so efficient than other queues mechanisms but it also requires less calculation while being almost perfectly fair. It is called “Stochastic” due to the reason that it does not actually assign a queue for every session; it has an algorithm which divides traffic over a restricted number of queues using a hashing algorithm. SFQ assigns a pretty large number of FIFO queues.

Ref: Stochastic Fairness Queueing is a classless queueing discipline available for traffic control with the tc(8) command. Example: man sfq

Vulnerability details: The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used.

RFC 6056 3.3.4. Algorithm 4: Double-Hash Port Selection Algorithm
tcp: dynamically allocate the perturb table used by source ports. Note that we use 32bit integers (vs RFC ‘short integers’) because 2^16 is not a multiple of num_ephemeral and this property might be used by clever attacker.

Remedy: The solution is increasing the perturb table from 2^8 to 2^16 so that the same precision now requires 2.6M connections, which is more difficult in this time frame and harder to hide as a background activity. The impact is that the table now uses 256 kB instead of 1 kB, which could mostly affect devices making frequent outgoing connections. However such components usually target a small set of destinations (load balancers, database clients, perf assessment tools), and in practice only a few entries will be visited. Please refer to the link for details – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5

Preface: The official release of the vulnerability did not elaborate. So we don’t know what happened? Maybe you can use speculation. Even if you can’t figure out the root cause, it will let you know more about your Edge browser.

Background: The new Microsoft Edge is based on Chromium and was released on January 15, 2020. It is compatible with all supported versions of Windows, and macOS.
The chrome engine is used for Microsoft edge chromium. The features of Microsoft edge chromium are not stable as they keep on changing. The Microsoft edge chromium offers many types of user interfaces. From customer point of view, Microsoft Edge is still developing till now.

Microsoft, in true maverick fashion, built its Edge browser with its own EdgeHTML browser engine and Chakra JavaScript Engine. With the Edge 79 release, Microsoft is switching to Blink browser engine with V8 JavaScript engine.

According to Stable Channel Update for Desktop issued on Tuesday, April 26, 2022. A Type Confusion vulnerability found on V8 Javascript Engine.

Vulnerability details: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-30128.

Based on the attached diagram and the above details, I speculate that CVE-2022-30127 is related to a javascript Engine design flaw. The technical problem that occurs will be a type confusion vulnerability.

Type confusion can be very dangerous because a type is expressed as a layout of memory in the lower level implementation of application software itself. Also with type confusion, wrong function pointers or data are fed into the wrong piece of code. In some circumstances this can lead to code execution and Elevation of Privilege.

Official announcement: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30127

Preface: Login with key is safer than password login, and password login is easily intercepted.

Background: Net Framework is a software development platform developed by Microsoft for building and running Windows applications. The . Net framework consists of developer tools, programming languages, and libraries to build desktop and web applications. It is also used to build websites, web services, and games.

The .NET as a framework collobrate all the stuff it has under the hood for dealing with network connections. You can do peer to peer, FTP, HTTP, and direct socket connections, along with much more. However, there is no built-in support for is SSH.

SSH[.]NET is a Secure Shell (SSH) library for [.]NET, optimized for parallelism and with broad framework support.

Vulnerability details: SSH.NET is a Secure Shell (SSH) library for .NET. In versions 2020.0.0 and 2020.0.1, during an X25519 key exchange, the client’s private key is generated with System.Random. System.Random is not a cryptographically secure random number generator, it must therefore not be used for cryptographic purposes. When establishing an SSH connection to a remote host, during the X25519 key exchange, the private key is generated with a weak random number generator whose seed can be brute forced. This allows an attacker who is able to eavesdrop on the communications to decrypt them.

Remedy: Version 2020.0.2 contains a patch for this issue – https://github.com/sshnet/SSH.NET/releases/tag/2020.0.2

Workaround: As a workaround, one may disable support for curve25519-sha256 and curve25519-sha256@libssh.org key exchange algorithms.

Preface: mruby or mruby/c, mruby / c is an implementation of mruby that inherits the features of Ruby and consumes less memory than the conventional mruby (lightweight Ruby for embedded systems developed in Fukuoka).

Dassai｜Asahishuzo – (日本獺祭（旭酒造）) also uses mruby/c to develop winery-related monitoring equipment.

Background: mruby is a Fukuoka-developed programming language for embedded software. It’s a version of the high-efficiency development language “Ruby” that has been lightened in order to use less memory, making it suitable for embedded software.
It works using 1/4 the amount of code that C languages do and because it is also highly readable, some of its strengths are high productivity, easy trial-and-error debugging and maintenance, and it’s simple to learn.

Vulnerability details: Mruby/mruby prior to 3.2 contain Use After Free vulnerability. Use-After-Free in function hash_new_from_values in Mruby/mruby.

Remedy: The impact of this vulnerability is unclear. Upgrading to version 3.2 eliminates this vulnerability.

Official announcement: https://github.com/mruby/mruby/commit/aa7f98dedb68d735a1665d3a289036c88b0c47ce

Preface: A CVE with similar symptoms occurred in March 2022.
CVE-2022-22633 – A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 8.5, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, macOS Monterey 12.3. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution.

Background: The IOMMU (Input–Output Memory Management Unit) is a feature that is commonly present in 64-bit x86 processors as well as other architectures. Linux’ support for IOMMU has been a relatively disorganized development process, with several obscurities along the way. This is quite remarkable given that it’s part of the kernel’s memory management — a central role in the kernel’s functionality.

Quote:
macOS 12.3 (21E230) – Kernel stack memory corruption detected ‘ restart problem in the past.
A end user in apple community reporting that he encountered Kernel stack memory corruption when he use PCIe-4 card being used in a PCIe-3 external Thunderbolt-3 drive for the boot device.
My concept is based on Enable IOMMU kernel support, Append amd_iommu=on to the kernel command line in /boot/grub/grub.conf so that AMD IOMMU specifications are enabled at boot.
My assumptoon is that attacker write a malicious Linux PCI Drivers, once it has successfully modified the IOMMU configuration so that it can make read/write accesses to kernel memory.

Vulnerability details: A memory corruption issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.4. An application may be able to execute arbitrary code with kernel privileges. For more details, please refer to the link – https://support.apple.com/en-us/HT213257

Preface: Log management allows you to monitor requests at any level (API, database, etc.) and see which are underperforming. Log management is based on log files.
Log files are important data points for security and surveillance, providing a full history of events over time. Beyond operating systems, log files are found in applications, web browsers, hardware, and even email.

Background: It is important to control the sizes of log files on a Linux server because their size always grows over time. Every server has limited resources and too large logs can lead to performance and memory problems, not to mention the loss of precious storage space. This problem is typically solved through log rotation, a process that involves renaming or compressing a log file before it gets too large, and cleaning up old logs to reclaim storage.

Vulnerability details: A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation.

Remedy for older releases of logrotate (from 3.17.0 to 3.19.0):

https://github.com/logrotate/logrotate/commit/1f76a381e2caa0603ae3dbc51ed0f1aa0d6658b9
https://github.com/logrotate/logrotate/commit/addbd293242b0b78aa54f054e6c1d249451f137d

Besides users can upgrade to 3.20.1 – https://github.com/logrotate/logrotate/releases/tag/3.20.1

My comment: From security point of view, it is a critical risk. For example, SIEM relies log event to do the correlation function. If such vulnerability happen and log event agent do not have reporting mechanism to confirm the log events activities. It such a way provide a channel to attacker to try the evade activities because alert function will not respond by firing rule.

Preface: The main difference is that FreeRTOS has traditionally been completely open source (MIT license) whereas ThreadX has traditionally been completely commercial / proprietary. Therefore, FreeRTOS is dominating the embedded RTOS market, with something like 20% of new projects using it.

Background: Azure RTOS USBX is a high-performance USB host, device, and on-the-go (OTG) embedded stack. Azure RTOS USBX is fully integrated with Azure RTOS ThreadX and available for all Azure RTOS ThreadX–supported processors.

Azure RTOS USBX has a remarkably small minimal footprint of 10.5 KB of FLASH and 5.1 KB RAM for Azure RTOS USBX Device CDC/ACM support. Azure RTOS USBX Host requires a minimum of 18 KB of FLASH and 25 KB of RAM for CDC/ACM support.

The CDC-ACM class provides a serial interface for connecting devices such as modems to an embedded system. The package provides a CDC-ACM host class driver for a USB stack. The system allows a USB serial port device to be plugged into the host and recognized as a remote serial port.

Vulnerability details: The implementation of ux_device_class_dfu_control_request function does not assure that a buffer overflow will not occur during handling of the DFU UPLOAD command. When an attacker issues the UX_SLAVE_CLASS_DFU_COMMAND_UPLOAD control transfer request with wLenght larger than the buffer size (UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH, 256 bytes), depending on the actual implementation of dfu -> ux_slave_class_dfu_read, a buffer overflow may occur. In example ux_slave_class_dfu_read may read 4096 bytes (or more up to 65k) to a 256 byte buffer ultimately resulting in an overflow. Furthermore in case an attacker has some control over the read flash memory – in example DFU is used with an external SPI flash chip or the DFU DOWNLOAD command may be used – this may result in execution of arbitrary code and platform compromise.

Remedy: This fix has been included in USBX release 6.1.11.

Official announcement: Please refer to the link for details – https://github.com/azure-rtos/usbx/security/advisories/GHSA-hh5p-x584-j8hv

Preface:If the operating system itself contains unknown technical matter. When 3rd party application installed, a vulnerability merely encounter on the specified software. Do you think operating system vendor should do the remedy? Or third party vendor take the responsibility?

Background: Cybersecurity related to functional safety will be included Powergrid, public facilities and manufacturing industry. SCADA systems are used in many different industries to collect and analyze real-time data, as well as to control functions, which makes them a target to malicious hackers.

AVEVA InTouch Access Anywhere enables you to remotely view a running InTouch application from a desktop computer or a mobile device including tablets, smartphones, or laptops. You view and control the application through a secure web browser without requiring a separate client application.
InTouch Access Anywhere provides the following features:
– Provides secure and remote access to InTouch applications.
– Incorporates image compression, packet shaping, and whole frame rendering to improve Internet performance.
– Automatically adjusts the size of your InTouch Access Anywhere session to the web browser window showing the application.
– Supports finger gestures on touch screen devices.
– Works on devices that only support web applications like Chromebooks
– Provides an expandable session toolbar with icons to disconnect your InTouch Access Anywhere sessions, access system keys, and copy application data to your Windows clipboard.

Vulnerability details: Certain versions of AVEVA InTouch Access Anywhere from AVEVA contain the following vulnerability:
Windows OS can be configured to overlay a “language bar” on top of any application. When this OS functionality is enabled, the OS language bar UI will be viewable in the browser alongside the AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere applications. It is possible to manipulate the Windows OS language bar to launch an OS command prompt, resulting in a context-escape from application into OS.

Remedy:

Application Software Vendor Security Updates – https://www.aveva.com/en/support-and-success/cyber-security-updates/

ICS Advisory (ICSA-22-130-05) – https://www.cisa.gov/uscert/ics/advisories/icsa-22-130-05