CVE-2022-27666 – a buffer overflow in ESP transformation in net/ipv4/esp4.c and net/ipv6/esp6.c via a large message. (23rd Mar 2022)

Preface: There are two types of buffer overflows: stack-based and heap-based. Heap-based overflows, which are harder to exploit and the less common of the two, attack an application by flooding the memory space reserved for a program.

Background: Encapsulating Security Payload (ESP) is a protocol in the Internet Protocol Security (IPsec) family that encrypts and authenticates data packets sent between computers over a virtual private network (VPN). VPNs can work securely because of the layers at which ESP functions.

When one protocol’s packets or frames are encapsulated within another protocol, the overall frame size increases. Encapsulation adds a protocol header, so any packet created at 1500 bytes and then encapsulated will exceed the MTU the network can handle. For example (see below):

IPsec encryption performed by the DMVPN adds 73 bytes for ESP-AES-256 and ESP-SHA-HMAC overhead (overhead depends on transport or tunnel mode and the encryption/authentication algorithm and HMAC)

Ref: What is an IOTLB?
IOMMUs include an input/output translation lookaside buffer (IOTLB) to speed-up address resolution, but still every IOTLB cache-miss causes a substantial increase in DMA latency and performance degradation of DMA-intensive workloads.

Vulnerability details: In the Linux kernel before 5.16.15, there is a buffer overflow in ESP transformation in net/ipv4/esp4.c and net/ipv6/esp6.c via a large message. In some configurations, local users can gain privileges by overwriting kernel heap objects.

A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4[.]c and net/ipv6/esp6[.]c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.

Remedy: The bug fix is available for download at git.kernel.org. The best mitigation is to upgrade to the latest version.

Observation: Presumably firewall and VPN vendors will be affected by this matter.

About BIND 9.18.0 (22nd Mar, 2022)

Preface: The registration of a CVE record is largely out of sync with the time of the event: a CVE record released today may describe an issue that happened weeks or months ago. Still, with reference to these vulnerability records, a vulnerability scanner can give you a precise result after a scan.

Background: BIND (Berkeley Internet Name Domain) is a software collection of tools including the world’s most widely used DNS (Domain Name System) server software. This feature-full implementation of DNS service and tools aims to be 100% standards-compliant and is intended to serve as a reference architecture for DNS software.
DS Lookup lets you check DS records for any domain. The online tool allows you to query the DNS servers and identify the Delegation Signers (DS) record for the specified domain.

On 26th Jan 2022, ISC officially announced the release of BIND 9.18.0. This is the first stable release that contains support for DoT and DoH. This branch will be supported for four years, through the end of 2025. With this new branch, the BIND 9.11 branch is officially EOL. ISC states that it will continue to issue security patches for 9.11 for the remainder of Q1 2022, but that will be the end of maintenance for 9.11.

Remark: BIND 9.18 adds support for securing DNS traffic using Transport Layer Security (TLS). TLS is used by both DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH).

Vulnerability details:

CVE-2022-0635: The vulnerability affects BIND resolvers running 9.18.0 that have both dnssec-validation and synth-from-dnssec enabled. (Note that dnssec-validation auto; is the default setting unless configured otherwise in named.conf, and that enabling dnssec-validation automatically enables synth-from-dnssec unless it is explicitly disabled.)

Solution: Users of BIND 9.18.0 should upgrade to BIND 9.18.1

Ref: https://kb.isc.org/docs/cve-2022-0635

CVE-2022-0667:While BIND is processing a request for a DS record that needs to be forwarded, it waits until this processing is complete or until the backstop lifetime timer has timed out. When the resume_dslookup() function is called as a result of such a timeout, the function does not test whether the fetch has previously been shut down. This introduces the possibility of triggering an assertion failure, which could cause the BIND process to terminate.

Solution: Users of BIND 9.18.0 should upgrade to BIND 9.18.1

Ref: https://kb.isc.org/v1/docs/cve-2022-0667

End of topic

About CVE-2022-24237 (21st Mar 2022)

Preface: What is application layer load balancing?
Application layer load balancers distribute requests based on content of the requests being processed, including its HTTP/S header and message in addition to session cookies. They can also track responses as they travel back from the server, thereby providing data on the load each server is processing at all times.

Background: There are two primary transport protocols on the internet, TCP and UDP; these are what we call layer 4 protocols. What about web browsing and email? The majority of the data sent across the internet is TCP, and that is what Snapt load balances. Protocols like HTTP, SMTP, SSL and many more all use TCP.
HTTP is a layer 7 protocol. All web browsing uses either HTTP or SSL (HTTPS) to fetch web content. Aria is the premier ADC solution for businesses, providing a load balancer, web accelerator, web application firewall (WAF), global server load balancer (GSLB), etc.
The Snapt Balancer is a feature-rich layer 7 TCP load balancer.

Vulnerability details: The snaptPowered2 component of Snapt Aria v12.8 was discovered to contain a command injection vulnerability. This vulnerability allows authenticated attackers to execute arbitrary commands.

To establish a typical remote shell, a machine controlled by the attacker connects to a remote network host and requests a shell session; this is called a bind shell. But what if the remote host is not directly accessible, for example because it has no public IP or is protected by a firewall? In this situation a reverse shell might be used, where the target machine initiates an outgoing connection to a listening network host and a shell session is established.
Refer to the diagram: the proof of concept tries to spawn a reverse shell on the target host back to the attacker’s machine. For more technical details, please refer to the link – https://www.cryptnetix.com/blog/2022/03/19/Snapt-Aria-Vulnerability-Disclosure.html

About CVE-2022-27250 (18th Mar, 2022)

Preface: Firmware is stored in flash memory either inside or outside of a microcontroller. If a firmware vulnerability occurs, a firmware update is ultimately needed to fix the problem.
Firmware is usually found in general-purpose computing devices like smartphones, PCs, laptops, etc.

Background: About CVE-2022-27250, this matter may have existed since 2019. The specified chip model tends to be the processor brand of choice for many low-cost manufacturers. Per historical record, low-cost brands are often involved in malware cases, ostensibly because limited resources prevent bugs from being fixed effectively.

Vulnerability details: The UNISOC chipset through 2022-03-15 allows attackers to obtain remote control of a mobile phone, e.g., to obtain sensitive information from text messages or the device’s screen, record video of the device’s physical environment, or modify data. See the link for details.
https://www.tenable.com/cve/CVE-2022-27250

Quote: Some have obtained the source code of the U-boot bootloader used on those devices, however, the algorithm for the key verification is stored on the Trusted Execution Environment, which means it cannot be extracted (the TEE is a SecureEnclave-like device, with no possible direct access to its memory or storage).

One possibility for isolating the problem: if you’re interested, you can check out ROM dumps. Another method: add a basic DT to support Unisoc’s SC9863A; with this patch, the board sp9863a-1h10 can boot into a console.
Link: https://lore.kernel.org/r/20191223092948.24824-4-zhang.lyra@gmail.com

Temporary remedy: Install antivirus software on your smartphone. Data breaches or evasion activities may still not be avoided, but this is a baseline control.

CVE-2022-0237 – Certain versions of Insight Agent from Rapid7 contain a privilege escalation vulnerability. (17th Mar 2022)

Preface: A lot of people will be familiar with Rapid7 (Metasploit); it is a powerful penetration testing tool in the existing market. If a product only provides a penetration testing tool in today’s demanding market, that limits business development. From my personal point of view, the SIEM and log management functions by Rapid7 are a new area to me, though perhaps this is not a new product.

Background: The universal Insight Agent is lightweight software you can install on any asset, in the cloud or on-premises, to collect data from across your IT environment. With unified data collection, security, IT, and DevOps teams can collaborate effectively to monitor and analyze the environments. Viewing endpoint data is one of the powerful features; it includes detailed asset information, Windows registry information, file version and package information, running processes, authentication information, and local security and event logs. As an agent-based design, it is compatible with Linux, Mac and Windows. The vendor claims that the agent footprint is small and that memory consumption is low.

Vulnerability details: When a security expert used procmon boot logging, he found that the call to ‘Program.exe’ via the command line using Windows ‘runas’ was only single-quoted. Rapid7 Insight Agent versions 3.1.2.38 and earlier suffer from a privilege escalation vulnerability, whereby an attacker can hijack the flow of execution due to an unquoted argument to the runas.exe command used by the ir_agent.exe component, resulting in elevated rights and persistent access to the machine.

Remedy: Fix – the Windows runas argument, when the path contains spaces, needs to be double-quoted. Please refer to the attached diagram (point 8).

Vendor announcement: For details, please refer to the link – https://docs.rapid7.com/release-notes/insightagent/20220225/

CVE-2022-27223 Linux UDC driver design weakness (16th Mar 2022)

Background: A USB Linux Gadget is a device which has a UDC (USB Device Controller) and can be connected to a USB Host to extend it with additional functions like a serial port or a mass storage capability.

Another way to integrate modern USB gadgets on Linux with systemd: users create a separate directory for each gadget they want, give the gadget a personality by specifying a vendor ID, product ID and USB strings (e.g. visible after running lsusb -v as root), then in that directory create the configurations they want and instantiate the USB functions they want (both by creating the corresponding directory), and finally associate each function with a configuration via a symlink. At this point the composition of the gadget is already in memory, but not bound to any UDC. To activate a gadget, the UDC name must be written to the UDC property in the gadget’s configfs directory; the gadget is then bound to that specific UDC (and a UDC cannot be used by multiple gadgets). Available UDC names are listed in /sys/class/udc. The gadget can only be successfully enumerated by the USB host after it is bound to a UDC.

Vulnerability details: In drivers/usb/gadget/udc/udc-xilinx[.]c in the Linux kernel before 5.16.12, the endpoint index is not validated and might be manipulated by the host for out-of-array access.

References to Advisories: https://github.com/torvalds/linux/commit/7f14c7227f342d9932f9b918893c8814f86d2a0d
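The bug class above, an endpoint index taken from a host SETUP packet and used to index a fixed-size table, shown as an added illustration rather than code from udc-xilinx.c; the table size, struct names and the halt handler are assumptions for this model, and the hardened lookup refuses any index the table cannot hold:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Illustrative model of a UDC driver's endpoint table, constructed for this
 * note rather than taken from udc-xilinx.c. The table has a fixed number of
 * slots, while the host can name 16 endpoint numbers in a SETUP packet. */
#define MAX_ENDPOINTS 8

struct usb_ep_state {
    bool     halted;
    uint16_t maxpacket;
};

struct udc_dev {
    struct usb_ep_state ep[MAX_ENDPOINTS];
    unsigned int oob_requests;   /* host requests refused by the bounds check */
};

/* Standard 8-byte SETUP packet as received from the host. For endpoint
 * requests wIndex carries the endpoint number in bits 3:0 and direction in bit 7. */
struct usb_ctrlrequest {
    uint8_t  bRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
};

/* Hardened lookup. The index comes straight from the host and is untrusted;
 * the bug class is indexing udc->ep[wIndex & 0x0f] without this check, since
 * values 8..15 land past the end of the table. */
struct usb_ep_state *lookup_ep(struct udc_dev *udc, const struct usb_ctrlrequest *req)
{
    unsigned int epnum = req->wIndex & 0x0f;
    if (epnum >= MAX_ENDPOINTS) {
        udc->oob_requests++;
        return NULL;              /* caller stalls the control transfer */
    }
    return &udc->ep[epnum];
}

/* SET_FEATURE / CLEAR_FEATURE(ENDPOINT_HALT) for the endpoint the host named.
 * Returns 0 on success, -1 when the request must be stalled instead. */
int handle_endpoint_halt(struct udc_dev *udc, const struct usb_ctrlrequest *req, bool set)
{
    struct usb_ep_state *ep = lookup_ep(udc, req);
    if (!ep)
        return -1;
    ep->halted = set;
    return 0;
}
```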

About CVE-2022-27005 (15th Mar 2022)

Background: About seven years ago (2015), TOTOLINK was a sister brand of ipTime, which holds over 80% of the SOHO market in South Korea. TOTOLINK produces routers, Wi-Fi access points and network devices. Furthermore, backdoors and RCE were found in 8 TOTOLINK router models. Since cyber security is a continuous program, whenever there is a new product release or firmware update, another round of vulnerabilities may appear soon.

Vulnerability details: Totolink routers X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the setWanCfg function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Recommendation: If the vendor has not released new firmware to fix this bug, as a user, in the short run, it is recommended to hide your Wi-Fi SSID and to make your Wi-Fi password harder to guess (more than 15 characters).

Ref: About 22 days ago, another security expert found a command injection vulnerability in a TOTOLINK Technology router with recently released firmware, which allows remote attackers to execute arbitrary OS commands via a crafted request. The difference between them is that the vulnerability occurs in another function.

About CVE-2022-26966

Background: The SR9700 is a USB-to-Ethernet converter compatible with the USB 1.1 protocol; its device driver (sr9700[.]c) is merged into the Linux kernel. The buffers used by the kernel to manage network packets are referred to as sk_buffs in Linux.

The buffers are always allocated as at least two separate components: a fixed size header of type struct sk_buff; and a variable length area large enough to hold all or part of the data of a single packet.

Vulnerability details: An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700[.]c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device.

Remedy: Please refer to the link for details – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e9da0b56fe27206b49f39805f7dcda8a89379062
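As an added illustration of the sanity check this class of bug needs (constructed for this note, not the sr9700 driver’s code), the walker below parses a batch of frames from one transfer using an assumed framing (status byte, 2-byte length including CRC, payload, CRC) and drops the transfer when the device-supplied length exceeds what the buffer actually holds, recording how far an unchecked copy would have read past the buffer:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Model of the SR9700 bulk-in framing as assumed here (not the driver's code):
 * a status byte (0x40 = frame OK), a 2-byte little-endian length that includes
 * the 4-byte CRC, then payload and CRC. One USB transfer, i.e. one sk_buff,
 * may carry several such frames back to back. */
#define RX_HDR_LEN    3
#define RX_CRC_LEN    4
#define RX_OVERHEAD   (RX_HDR_LEN + RX_CRC_LEN)
#define ETH_FRAME_MAX 1514

struct rx_stats {
    unsigned int frames;    /* frames accepted and passed up the stack */
    unsigned int rejected;  /* transfers dropped by the length sanity check */
    size_t       overread;  /* bytes past the buffer an unchecked copy would read */
};

/* Walks one transfer and returns the number of frames accepted. The length is
 * device-controlled: without the check, a value larger than what remains in the
 * buffer makes the copy run past the sk_buff data into adjacent heap memory,
 * which then leaves the kernel inside a packet handed to user space. */
unsigned int rx_walk(const uint8_t *buf, size_t buflen, struct rx_stats *st)
{
    size_t off = 0;
    while (buflen - off > RX_OVERHEAD) {
        const uint8_t *f = buf + off;
        size_t remaining = buflen - off - RX_OVERHEAD;
        if (f[0] != 0x40) return st->frames;      /* device flagged the frame as bad */
        size_t len = (size_t)f[1] | ((size_t)f[2] << 8);
        if (len < RX_CRC_LEN) return st->frames;  /* shorter than its own CRC */
        len -= RX_CRC_LEN;                        /* payload length without the CRC */
        if (len > ETH_FRAME_MAX || len > remaining) {
            st->rejected++;
            if (len > remaining)
                st->overread = len - remaining;
            return st->frames;                    /* drop the rest of the transfer */
        }
        /* a real driver copies len bytes from f + RX_HDR_LEN into a new skb */
        st->frames++;
        off += RX_OVERHEAD + len;
    }
    return st->frames;
}

/* Builds one frame into dst from a constructed payload; returns bytes written. */
size_t rx_build_frame(uint8_t *dst, const uint8_t *payload, size_t plen)
{
    size_t reported = plen + RX_CRC_LEN;
    dst[0] = 0x40;
    dst[1] = (uint8_t)(reported & 0xff);
    dst[2] = (uint8_t)((reported >> 8) & 0xff);
    memcpy(dst + RX_HDR_LEN, payload, plen);
    memset(dst + RX_HDR_LEN + plen, 0, RX_CRC_LEN);   /* placeholder CRC */
    return RX_OVERHEAD + plen;
}
```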

About CVE-2022-26878

Background: Writing a device name to this file causes the kernel to bind that device to a compatible driver.

Vulnerability details: Bluetooth: virtio_bt: fix memory leak in virtbt_rx_handle()

On the reception of packets with an invalid packet type, the memory of the allocated socket buffers is never freed. Add a default case that frees these to avoid a memory leak.

Typically, a memory leak occurs because allocated memory is never freed: the program loses its last pointer to the allocated block, so the block can no longer be released.

Status: The remedy was released in October 2021 – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1d0688421449718c6c5f46e458a378c9b530ba18
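The leak pattern described in the commit message, shown as an added model constructed for this note (not the virtio_bt driver’s code): a receive handler that switches on the packet type and, before the fix, silently drops the buffer for unknown types; the fixed form adds the default arm, and a live-allocation counter makes the leak visible.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of the receive path, not the virtio_bt driver's code. A
 * "socket buffer" is a heap allocation whose first byte is the HCI packet type,
 * mirroring how the driver inspects the buffer before handing it to the core. */
enum { HCI_ACLDATA_PKT = 0x02, HCI_SCODATA_PKT = 0x03, HCI_EVENT_PKT = 0x04 };
struct skb { size_t len; uint8_t data[64]; };
static unsigned int live_skbs;   /* allocations not yet freed */

struct skb *skb_alloc(const uint8_t *data, size_t len)
{
    struct skb *s = calloc(1, sizeof *s);
    if (!s || len > sizeof s->data) { free(s); return NULL; }
    memcpy(s->data, data, len);
    s->len = len;
    live_skbs++;
    return s;
}
void kfree_skb(struct skb *s) { if (s) { free(s); live_skbs--; } }
/* The HCI core takes ownership of the buffer and releases it when done. */
static void hci_recv_frame(struct skb *s) { kfree_skb(s); }

/* Before the fix: a packet type matching no case falls out of the switch and
 * the skb is never freed; the only pointer to it goes out of scope. */
void rx_handle_leaky(struct skb *s)
{
    switch (s->data[0]) {
    case HCI_EVENT_PKT: case HCI_ACLDATA_PKT: case HCI_SCODATA_PKT:
        hci_recv_frame(s);
        break;
    }
}

/* After the fix: a default arm frees the buffer, so every path has an owner. */
void rx_handle_fixed(struct skb *s)
{
    switch (s->data[0]) {
    case HCI_EVENT_PKT: case HCI_ACLDATA_PKT: case HCI_SCODATA_PKT:
        hci_recv_frame(s);
        break;
    default:
        kfree_skb(s);
        break;
    }
}

/* Feeds n constructed packets of one type through handler and returns how
 * many skbs are still live afterwards; anything above zero is a leak. */
unsigned int run_rx(void (*handler)(struct skb *), uint8_t type, unsigned int n)
{
    uint8_t pkt[4] = { type, 0x01, 0x00, 0x00 };
    for (unsigned int i = 0; i < n; i++) {
        struct skb *s = skb_alloc(pkt, sizeof pkt);
        if (s) handler(s);
    }
    return live_skbs;
}
```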

About CVE-2022-24397 (10th Mar 2022)

Background: SAP SE: SE stands for Societas Europaea, a public company registered in accordance with European Union corporate law.

SAP NetWeaver is a software stack for many of SAP SE’s applications. The SAP NetWeaver Application Server, sometimes referred to as WebAS, is the runtime environment for the SAP applications, and all of the mySAP Business Suite runs on SAP WebAS: supplier relationship management (SRM), customer relationship management (CRM), supply chain management (SCM), product lifecycle management (PLM), enterprise resource planning (ERP), transportation management system (TMS), etc. (copied from Wikipedia)

Vulnerability details: SAP NetWeaver Enterprise Portal, versions 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. This reflected cross-site scripting attack can be used to non-permanently deface or modify displayed content of the portal website.

*Cross-site scripting attacks can be broken down into two types: stored and reflected.

Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application.

Reflected XSS involves reflecting a malicious script off a web application onto a user’s browser. The script is embedded in a link and is only activated once that link is clicked.

Impact: The execution of the script content by a victim registered on the portal could compromise the confidentiality and integrity of the victim’s web browser.

antihackingonline.com