About CVE-2022-22519: CODESYS V3 runtime systems (CmpWebServer) encounter buffer-over-read (7th April 2022)

Preface: President Biden’s Executive Order is modernizing the Federal Government defenses and improving the security of widely-used technology. On March 2022, he urged U.S. companies operating critical infrastructure, including in the energy sector, to harden their digital defenses.

Background: CODESYS, formerly known as CoDeSys, is an acronym for Controller Development System, an Integrated Development Environment for Programmable Logic Controller applications, compliant with the IEC 61131-3 standard, a hardware and manufacturer-independent integrated development environment . IEC 61131-3:2013 specifies the syntax and semantics of a unified suite of programming languages for programmable controllers (PCs).The product CODESYS Control RTE SL is a real-time software PLC for PC-based industrial controllers under Windows. The CODESYS Control RTE SL product is a real-time soft PLC used to develop industrial controllers under the Windows operating system on the PC side. The runtime system has its own real-time kernel: in the absence of other hardware components or OS extensions, the system jitter value can remain in the μs range.

Vulnerability details: A remote, authenticated attacker can send a specific crafted HTTP or HTTPS requests causing CODESYS V3 runtime systems (CmpWebServer) encounter buffer-over-read.
A buffer overread is like a buffer overflow, except that it occurs during a read operation. While reading from a buffer, the program goes over the buffer boundary and reads adjacent memory.
In languages like C, programs are free to access data in any part of the virtual memory via a pointer. Because of this, buffer overread issues can occur when pointers or their indexes are incremented beyond the bounds of the buffer (when iterating an array or reading a string), or when pointer arithmetics yields a result outside a valid memory address.

Impact: maliciously crafted inputs that are designed to exploit a lack of bounds checking to read parts of memory not intended to be accessible. They may also be caused by programming errors alone.

Official announcement: For details, please refer to the link – https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17094&token=2fb188e2213c74194e81ba61ff99f1c68602ba4d&download=

About CVE-2022-28390 – Linux kernel 5.17.1 found design flaw in can/usb interface driver (4th Apr 2022)

Preface: If the workstation is running in Linux kernel 5.17.1, due to this vulnerability (CVE-2022-28390). The adjacent communications peer device will be at risk. As a result, it allowing an attacker to execute arbitrary code to adjacent communications peer device.

Background: The CANbus USB adapter connects a CANbus to the USB port of a PC or notebook, which also supplies the power to the adapter (no power supply needed). The CAN/USB Data Converter allows a personal computer to act as a diagnostic analyzer during development and testing of an automotive ECU (electronic control unit) or industrial field bus system that supports the CAN communications protocol.

Vulnerability details: ems_usb_start_xmit in drivers/net/can/usb/ems_usb[.]c in the Linux kernel through 5.17.1 has a double free. Doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code.

According to Developer (Hangyu Hua) explanation. There is no need to call dev_kfree_skb() when usb_submit_urb() fails because can_put_echo_skb() deletes the original skb and can_free_echo_skb() deletes the cloned skb.

Known Limitations: dev_kfree_skb() is just a macro that simply calls kfree_skb(). kfree_skb bypasses the reference count of skb. Generally speaking, adding “” before the function name in the kernel prompts to be used with caution, that is, some checks are omitted, so check before calling such functions.

Solution: upgrade to v5.18-rc1.

About CVE-2022-26912 : Microsoft Edge privilege escalation (5th Apr, 2022)

Preface: Chromium is a free and open-source web browser project, principally developed and maintained by Google. This codebase provides the vast majority of code for the Google Chrome browser, which is proprietary software and has some additional features. The new Microsoft Edge is based on Chromium and was released on January 15, 2020. It is compatible with all supported versions of Windows, and macOS.

Background: The story begin: Due to the on-demand market trend, Microsoft decided to use the Chromium and Blink rendering engines in 2018. With Microsoft moving away from EdgeHTML. The new Microsoft Edge is based on Chromium and was released on January 15, 2020. It is compatible with all supported versions of Windows, and macOS. Chrome based browser in their way to expand the market share. As a result, when chrome have design weakness occurs, it might impact the partner products.

Vulnerability details: CVE-2022-26912 – Microsoft Edge privilege escalation
Microsoft Edge could allow a remote attacker to gain elevated privileges on the system. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code with higher privileges.
Important – The remote host has an web browser installed that is affected by multiple vulnerabilities.

Since Microsoft did not explain the details, symptoms similar to CVE-2022-26912 may appear in this case. Perhaps the following information will attract your interest in digging for more information.
CSS Animations is a module of CSS that lets you animate the values of CSS properties over time, using keyframes. The behavior of these keyframe animations can be controlled by specifying their timing function, duration, their number of repetitions, and other attributes.
As early as 2007, WebKit had announced its intent to include CSS animation, transitions, and transforms as features of WebKit.
Use after free errors occur when a program continues to use a pointer after it has been freed. Under CSS animation circumstance, there is no way to explicitly ask the browser to collect garbage.
Example: Use-After-Free when Array.sort() is called with a comparator function. The two arguments are untracked by the garbage collector.

Solutions: Apply fixes issued by the vendor: Update to version 100.0.1185.29

CVE-2022-28356 – Design weakness found on af_llc[.]c (in the Linux kernel before 5.17.1) -2nd Apr 2022

Preface: IEEE 802.2 provides two connectionless and one connection-oriented operational modes:
– Type 1 is an unacknowledged connectionless mode for a datagram service.
– Type 2 is a connection-oriented operational mode.
– Type 3 is an acknowledged connectionless service. It supports point-to-point communication only.

Background: af_llc[.]c (LLC User Interface SAPs):
Description: Functions in this module are implementation of socket based llc communications for the Linux operating system. Support of llc class one and class two is provided via SOCK_DGRAM and SOCK_STREAM respectively.
General speaking, TCP almost always uses SOCK_STREAM and UDP uses SOCK_DGRAM.

Vulnerability details: In the Linux kernel before 5.17.1, a refcount leak bug was found in net/llc/af_llc[.]c. Refcount bugs happen when there is a mismatch between refcount inc instructions and dec instructions (see below).
The inc and dec instructions use the following syntax:
– inc( mem/reg );
– dec( mem/reg );
However, when to perform dec instructions largely depends on the purpose of the developers and the usage of the tracked object.
The single operand can be any legal 8-bit, 16-bit, or 32-bit register or memory operand. The inc instruction will add 1 to the specified operand, and the dec instruction will subtract 1 from the specified operand.

Reminder: Whenever llc_ui_bind() and/or llc_ui_autobind() took a reference on a netdevice but subsequently fail, they must properly release their reference.

Synopsis by developer findings: unregister_netdevice: waiting for eth0 to become free. Usage count = 3
Result: The bug encountered the following symptom. It dismantled the device and messaging his handlers saying he had pulled out. So called a refcount leak bug occured.

Resolution: Upgrade to “Linux-2.6.12-rc2”

About CVE-2022-0998: Linux Kernel’s virtio device driver design weakness (30th Mar 2022)

Preface: You use a method that takes an array of bytes. But you don’t know how big this array is, but it’s controlled by the code calling the method. Let’s assume it is 500 bytes long. Then you read an integer from somewhere else, let’s assume 1000 is read.
As a result, you attempt to read 1000 bytes into an array that can only hold 500 bytes, you perform no checking to make sure your array is it big enough, nor do you attempt to read in chunks and concatenate if it’s not big enough. So an error display in log event activtites. Whereby, the system halted.

Background: KVM (Kernel-based Virtual Machine) is a FreeBSD and Linux kernel module that allows a user space program access to the hardware virtualization features of various processors, with which QEMU is able to offer virtualization for x86, PowerPC, and S/390 guests.
Virtio is a virtualization standard for network and disk device drivers where just the guest’s device driver “knows” it is running in a virtual environment, and cooperates with the hypervisor. As a physical NIC, the virtio device supports features such as many offloadings, and can let the real host’s device do them. To send a packet, the driver sends to the device a buffer that includes metadata information such as desired offloadings for the packet, followed by the packet frame to transmit.

Vulnerability details: An integer overflow flaw was found in the Linux kernel’s virtio device driver code in the way a user triggers the vhost_vdpa_config_validate function. This flaw allows a local user to crash or potentially escalate their privileges on the system.

Official announcement – about their troubleshooting: The added ‘c->off > size’ test in that commit will be done as an unsigned comparison on 32-bit (safe due to not being signed).
On a 64-bit platform, it will be done as a signed comparison, but in that case the comparison will be done in 64-bit, and ‘c->off’ being an
u32 it will be valid thanks to the extended range (ie both values will be positive in 64 bits).
So this was a real bug, but it was already addressed and marked for stable. For more details, please refer to the link – https://lore.kernel.org/netdev/20220123001216.2460383-13-sashal@kernel.org/

Reference: Primitive Type u32 – The 32-bit unsigned integer type.
size_t type is a base unsigned integer type of C/C++ language. It is the type of the result returned by size of operator. The type’s size is chosen so that it can store the maximum size of a theoretically possible array of any type. On a 32-bit system size_t will take 32 bits, on a 64-bit one 64 bits.

CVE-2022-22948 – VMware vCenter Server updates address an information disclosure vulnerability 29th Mar, 2022

Preface: Security misconfiguration can happen at any level of an application stack, including the network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers, or storage. Automated scanners are useful for detecting misconfigurations, use of default accounts or configurations, unnecessary services, legacy options, etc.

Background: vSphere is a product suite. ESXi is a hypervisor installed on the physical machine. vCenter Server is a management platform for VMs. When you are working on a small virtualization environment, the vSphere client will be sufficient enough to maintain and manage virtual machines hosted on a few ESXi servers.

Vulnerability details: The vCenter Server contains an information disclosure vulnerability due to improper permission of files. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.5.

Likelihood – Remediation related to this vulnerability (see below):

Switching the vCenter Server Appliance 6.x to Appliance Shell

Log in to the vCenter Server Appliance through SSH.
Run this command to change from using the BASH Shell to the Appliance Shell:

chsh -s /bin/appliancesh root

Log out from the Appliance Shell.
Log in again for the changes to take effect.

Vendor announcement : Please refer to the link for details – https://www.vmware.com/security/advisories/VMSA-2022-0009.html

CVE-2022-27950 – Design weakness in drivers/hid/hid-elo.c (impacted to ELO Touchscreen Monitor product) – 28th Mar 2022

Preface: Touchscreens provide direct navigation and accessibility through physical touch controls, eliminating the need for traditional computer mice and keyboards.

Background: Touchscreens are common in devices such as game consoles, personal computers, electronic voting machines, and point-of-sale (POS) systems. Elo’s IntelliTouch controllers are designed and manufactured to work specifically with IntelliTouch SAW touchscreens for optimal performance. No additional drivers are required for your projected-capacitive touch monitor with Windows 7, Windows 10 and most versions of Mac OS X, Android or Linux as it will use the built-in HID drivers in the Operating System.

Come from Linux Operating system the driver (hid-elo[.]c) located in drivers/hid subdirectory. It is compatible with ELO controller (single touch unit) that works through serial interface or via USB. This hardware controller is a full-speed, self-powered, USB device. By default, the controller communicates over a RS-232 serial link. If, however, a USB cable is connected, the controller switches to an exclusively USB communicating mode.

Vulnerability details: In drivers/hid/hid-elo[.]c in the Linux kernel before 5.16.11, a memory leak exists for a certain hid_parse error condition. When hid_parse() in elo_probe() fails, it forgets to call usb_put_dev to
decrease the refcount.

Remedy: Fix this by adding usb_put_dev() in the error handling code of elo_probe(). For details, please refer to attached diagram.

Recommendation: Update to driver v5.17-rc5

About CVE-2022-27948 (Tesla electric cars) – 27th Mar 2022

Preface: Hacking using RF tools due to RF transmit power limiting capabilities. From a technical point of view, it is similar to a short-range attack. Compared to traditional network attacks that run on top of TCP/IP networks. Network-based cyberattacks will be more disruptive because they are not limited to a single device.

Background: The following attacks can be performed on the radio communication component of any IoT device.
Utilize tools to capture the raw data transmitted to the IoT device and attack. This is so called a replay attack. Since the raw data is played back to the IoT device to perform the actual attack. Whereby, this is the most common method for cyber expert to dig out the cyber security matter.

Tools used – HackRF, BladeRF, RTL-SDR, FUNcube dongle, GQRX, SDR#, URH, etc.

Vulnerability details: Certain Tesla vehicles through 2022-03-26 allow attackers to open the charging port via a 315 MHz RF signal containing a fixed sequence of approximately one hundred symbols.

According to the security expert findings. Doing a little post analyses on the message it appears to be ASK/OOK with a symbol rate ~2.5KHz at 315MHz. Once the data is analyzed and processed, it will obtained the binary data including center frequency and the Modulation scheme that is being used. Then attacker will use the reserve engineering. Exploiting RFtool sent back original data to the IoT device for launching the actual attack. This kind of attack is complicated to perform when compared to the replay attack.

Remark: Tesla US model S, requires a 315Mhz module.

Observation: According to the original design. If the charge cable is close to the charge port door, you can press the button on the charge cable to open the charge port door even when Model S is locked or a recognized key is not within range. About eight years ago, a technical expert found that when you use Type 2 charge cable on Tesla model S. The auto sense function cannot open the charge port door. In additional, he discovered that available data memory divided into Bank 0-15. Each Bank may contain Special Function Registers, General Purpose Registers, and Access RAM .
As a result, it looks that the existing design do not have tight protection in this area. Therefore, it is possible make use of a 315Mhz transmitter send the original function.
It looks that this design weakness require vendor enhancing the protection of this feature in this area.

Details of Design Weaknesses: Please refer to the link – https://github.com/pompel123/Tesla-Charging-Port-Opener

CVE-2022-21820 – NVIDIA DCGM contains a vulnerability in nv-hostengine (24th Mar, 2022).

Preface:The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Background: The NVIDIA host engine, nv-hostengine, is a thin wrapper around the DCGM shared library. Its main job is to instantiate the DCGM library as a persistent standalone process, including appropriate management of the monitoring and management activities.

Vulnerability details: NVIDIA DCGM contains a vulnerability in nvhostengine, where a network user can cause detection of error conditions without action, which may lead to limited code execution, some denial of service, escalation of privileges, and limited impacts to both data confidentiality and integrity.

My observations and details

Step1. The NVIDIA host engine, nv-hostengine, is a thin wrapper around the DCGM shared library. Its main job is to instantiate the DCGM library as a persistent standalone process, including appropriate management of the monitoring and management activities.

Step2. Starting the Prometheus Client
The script dcgm_prometheus.py is provided as a fully functional Prometheus client that will publish timeseries data on a port to be read (scraped) by Prometheus. By default, this script will publish common fields read from a DCGM instance running locally every 10 seconds to localhost:8000. Information on controlling what is published, how often, and on what port will be in the section on customization.
On the client side, start this script. It can either connect to a standalone host engine or run on embedded in the script.
To start an embedded host engine and check that it is publishing:
$ python dcgm_prometheus[.]py -e
$ curl localhost:8000 > tmp[.]txt

Step3. Whether below details is the design weakness of this vulnerability because vendor did not explain in details.
dcgm_prometheus.py error AttributeError: ‘DcgmPrometheus’ object has no attribute ‘m_publishFieldIds’

Remark: When class-validator is used to validate user-input, the attributes in the user-input object will be transformed into the validation class instance.
However, the transforming procedure will overwrite the internal attribute of validation class instance (e.g., constructor attribute) if the attacker injects an attribute with the same name into user-input. Once this internal attribute being overwritten, class-validator will be bypassed.

Official announcement: Reference link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5328

CVE-2022-27666 – a buffer overflow in ESP transformation in net/ipv4/esp4.c and net/ipv6/esp6.c via a large message. (23rd Mar 2022)

Preface: There are two types of buffer overflows: stack-based and heap-based. Heap-based, which are difficult to execute and the least common of the two, attack an application by flooding the memory space reserved for a program.

Background: Encapsulating Security Payload (ESP) is a protocol in the Internet Protocol Security (IPsec) family that encrypts and authenticates data packets sent between computers via a virtual private network (VPN). VPNs can work securely because of the emphasis and layers on which ESP functions.

When one protocol’s packets or frames are encapsulated within another protocol, it increases the overall frame size. Encapsulation adds a protocol header, so any packets that are created at 1500 bytes and are then encapsulated will exceed MTU the network can handle. For example (see below):

IPsec encryption performed by the DMVPN adds 73 bytes for ESP-AES-256 and ESP-SHA-HMAC overhead (overhead depends on transport or tunnel mode and the encryption/authentication algorithm and HMAC)

Ref: What is Iotlb?
IOMMUs include an input/output translation lookaside buffer (IOTLB) to speed-up address resolution, but still every IOTLB cache-miss causes a substantial increase in DMA latency and performance degradation of DMA-intensive workloads.

Vulnerability details: In the Linux kernel before 5.16.15, there is a buffer overflow in ESP transformation in net/ipv4/esp4.c and net/ipv6/esp6.c via a large message. In some configurations, local users can gain privileges by overwriting kernel heap objects.

A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4[.]c and net/ipv6/esp6[.]c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.

Remedy: The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

Observation: Presumably firewall and VPN vendors will suffer in this matter.

antihackingonline.com