About CVE-2022-27250 (18th Mar, 2022)

Preface: Firmware is stored in flash memory, either inside the microcontroller or in an external chip. When a vulnerability is found in firmware, the only real fix is a firmware update.
Firmware is present in general purpose computing devices such as smartphones, PCs and laptops, as well as in embedded devices.

Background: The weakness behind CVE-2022-27250 may have existed since 2019. The chip model in question is the processor of choice for many low-cost manufacturers. Historically, low-cost brands have often been involved in malware cases, ostensibly because limited resources prevent bugs from being fixed effectively.

Vulnerability details: The UNISOC chipset through 2022-03-15 allows attackers to obtain remote control of a mobile phone, e.g., to obtain sensitive information from text messages or the device’s screen, record video of the device’s physical environment, or modify data. See the link for details.
https://www.tenable.com/cve/CVE-2022-27250
CVE records are often registered long after the underlying event: a record published today may describe something that happened weeks or months ago. Even so, vulnerability scanners rely on these records to report findings accurately after a scan.

Quote: Some have obtained the source code of the U-boot bootloader used on those devices; however, the algorithm for the key verification is stored in the Trusted Execution Environment, which means it cannot be extracted (the TEE is a SecureEnclave-like device, with no possible direct access to its memory or storage).

One way to start isolating the problem is to examine ROM dumps. Another is the upstream kernel patch that adds a basic device tree (DT) for Unisoc's SC9863A; with that patch, the sp9863a-1h10 board can boot to a console.
Link: https://lore.kernel.org/r/20191223092948.24824-4-zhang.lyra@gmail.com

Temporary remedy: Install antivirus software on the smartphone. It will not necessarily prevent data breaches or evasion by malware, but it is a baseline control.

CVE-2022-0237 – Certain versions of Insight Agent from Rapid7 contain a privilege escalation vulnerability. (17th Mar 2022)

Preface: Many people know Rapid7 through Metasploit, a powerful penetration testing framework. A vendor offering only a penetration testing tool in today's demanding market would limit its own business development. Rapid7's SIEM and log management functions were a new area to me, although the product itself may not be new.

Background: The universal Insight Agent is lightweight software you can install on any asset, in the cloud or on-premises, to collect data from across your IT environment. With unified data collection, security, IT and DevOps teams can collaborate effectively to monitor and analyze their environments. Viewing endpoint data is one of its more powerful features; the data includes detailed asset information, Windows registry information, file version and package information, running processes, authentication information, and local security and event logs. Because the design is agent based, it is available for Linux, macOS and Windows. The vendor claims the agent's footprint and memory consumption are both small.

Vulnerability details: Using Process Monitor (procmon) boot logging, a security researcher observed that the call to the program through the Windows 'runas' command line was only single-quoted, which the Windows command-line parser does not treat as quoting. Rapid7 Insight Agent versions 3.1.2.38 and earlier therefore suffer from a privilege escalation vulnerability, whereby an attacker can hijack the flow of execution due to an unquoted argument to the runas.exe command used by the ir_agent.exe component, resulting in elevated rights and persistent access to the machine.

Remedy: The fix is to double-quote the path passed to Windows runas whenever it contains spaces. Please refer to the attached diagram (point 8).

Vendor announcement: For details, please refer to the link – https://docs.rapid7.com/release-notes/insightagent/20220225/

CVE-2022-27223 Linux UDC driver design weakness (16th Mar 2022)

Background: A USB Linux Gadget is a device which has a UDC (USB Device Controller) and can be connected to a USB Host to extend it with additional functions like a serial port or a mass storage capability.

Another way to integrate modern USB gadgets on Linux with systemd is through configfs. Users create a separate directory for each gadget they want, give the gadget a personality by specifying a vendor ID, product ID and USB strings (visible, for example, after running lsusb -v as root), then in that directory create the configuration they want and instantiate the USB functions they want (both by creating the corresponding directory), and finally associate the function with the configuration via a symlink. At this point the composition of the gadget is already in memory but not bound to any UDC. To activate a gadget, the UDC name must be written to the UDC attribute in the gadget's configfs directory; the gadget is then bound to that specific UDC, and a UDC cannot be used by multiple gadgets. Available UDC names are listed under /sys/class/udc. The gadget can only be enumerated by the USB host after it is bound to a UDC.

Vulnerability details: In drivers/usb/gadget/udc/udc-xilinx[.]c in the Linux kernel before 5.16.12, the endpoint index is not validated and might be manipulated by the host for out-of-array access.

References to Advisories: https://github.com/torvalds/linux/commit/7f14c7227f342d9932f9b918893c8814f86d2a0d
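To make the "endpoint index not validated" failure concrete, here is an added example (a model written for this page, not the udc-xilinx driver's code): a control-request handler that takes the endpoint number from the host-supplied wIndex field, in an unchecked form beside a checked one. The table size, the layout of the state area and the request constants are assumptions for the example.

```c
/* Added example; a model, not the udc-xilinx driver's code. A USB device
 * controller keeps per-endpoint state in a fixed table, and a host-sent
 * SET_FEATURE/CLEAR_FEATURE(ENDPOINT_HALT) names the endpoint in wIndex.
 * The unchecked handler indexes the table with that host-controlled value;
 * the checked one validates it first. Sizes and offsets are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <errno.h>

#define MAX_ENDPOINTS    8      /* entries in the controller's endpoint table */
#define EP_ENTRY_SIZE    2      /* per-endpoint state: {halted, in_flight} */
#define STATE_SIZE       512    /* state area: the table, then other driver state */
#define NEXT_STATE_OFF   (MAX_ENDPOINTS * EP_ENTRY_SIZE) /* first byte after the table */
#define NEXT_STATE_INIT  0x5a

#define USB_RECIP_MASK           0x1f
#define USB_RECIP_ENDPOINT       0x02
#define USB_REQ_CLEAR_FEATURE    0x01
#define USB_REQ_SET_FEATURE      0x03
#define USB_ENDPOINT_HALT        0x00
#define USB_ENDPOINT_NUMBER_MASK 0x0f
#define USB_ENDPOINT_DIR_MASK    0x80

struct setup_packet {           /* the 8-byte control request */
    uint8_t  bRequestType, bRequest;
    uint16_t wValue, wIndex, wLength;
};

struct udc { uint8_t state[STATE_SIZE]; };

void udc_init(struct udc *u)
{
    memset(u->state, 0, sizeof u->state);
    u->state[NEXT_STATE_OFF] = NEXT_STATE_INIT;
}

/* Wire bytes are little endian. */
void parse_setup(const uint8_t raw[8], struct setup_packet *s)
{
    s->bRequestType = raw[0];
    s->bRequest     = raw[1];
    s->wValue  = (uint16_t)(raw[2] | (raw[3] << 8));
    s->wIndex  = (uint16_t)(raw[4] | (raw[5] << 8));
    s->wLength = (uint16_t)(raw[6] | (raw[7] << 8));
}

static int is_halt_request(const struct setup_packet *s)
{
    return (s->bRequestType & USB_RECIP_MASK) == USB_RECIP_ENDPOINT &&
           (s->bRequest == USB_REQ_SET_FEATURE || s->bRequest == USB_REQ_CLEAR_FEATURE) &&
           s->wValue == USB_ENDPOINT_HALT;
}

/* Vulnerable: the endpoint number is taken from wIndex and used as an index
 * with no range check. wIndex = 8 writes the byte just past the table;
 * larger values reach further into the controller's state. */
int handle_halt_unchecked(struct udc *u, const struct setup_packet *s)
{
    if (!is_halt_request(s))
        return -EINVAL;
    unsigned epnum = s->wIndex & 0xff;
    u->state[epnum * EP_ENTRY_SIZE] = (s->bRequest == USB_REQ_SET_FEATURE);
    return 0;
}

/* Fixed: mask to the endpoint-number field, reject reserved bits, and
 * refuse anything at or beyond the table size before touching memory. */
int handle_halt_checked(struct udc *u, const struct setup_packet *s)
{
    if (!is_halt_request(s))
        return -EINVAL;
    if (s->wIndex & ~(uint16_t)(USB_ENDPOINT_NUMBER_MASK | USB_ENDPOINT_DIR_MASK))
        return -EINVAL;                     /* reserved bits must be zero */
    unsigned epnum = s->wIndex & USB_ENDPOINT_NUMBER_MASK;
    if (epnum >= MAX_ENDPOINTS)
        return -EINVAL;                     /* host-controlled: validate before indexing */
    u->state[epnum * EP_ENTRY_SIZE] = (s->bRequest == USB_REQ_SET_FEATURE);
    return 0;
}

int ep_halted(const struct udc *u, unsigned epnum)
{
    return epnum < MAX_ENDPOINTS ? u->state[epnum * EP_ENTRY_SIZE] : -EINVAL;
}

/* The byte right after the table, to observe corruption. */
int next_state_byte(const struct udc *u)
{
    return u->state[NEXT_STATE_OFF];
}
```

The point of the model is that every field of a setup packet is attacker-controlled when the host is hostile; a gadget-side driver has to treat wIndex like any other untrusted input and bound it before it becomes an array index.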

About CVE-2022-27005 (15th Mar 2022)

Background: TOTOLINK is a sister brand of ipTIME, which around 2015 held over 80% of the SOHO market in South Korea. TOTOLINK produces routers, Wi-Fi access points and other network devices. Backdoors and RCE have previously been found in eight TOTOLINK router models. Since security is a continuous program, each new product release or firmware update may bring a further round of vulnerabilities.

Vulnerability details: TOTOLINK routers X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the setWanCfg function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
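What a command injection through a parameter like hostName looks like in a C CGI handler, and one way to close it. This is an added example written for this page, not TOTOLINK's code; the hostname command, the buffer sizes and the sample inputs are constructed.

```c
/* Added example, not TOTOLINK's code: how a command injection like the one
 * described arises in a C CGI handler, next to a hardened version. The
 * parameter name hostName comes from the CVE; everything else is constructed. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the request parameter is pasted into a shell command
 * line that is later handed to system(), so shell metacharacters (; | ` $)
 * in hostName become extra commands running as the CGI's user, usually root. */
int build_hostname_cmd_unsafe(const char *host_name, char *cmd, size_t n)
{
    int w = snprintf(cmd, n, "hostname %s", host_name);
    return (w < 0 || (size_t)w >= n) ? -E2BIG : 0;
}

/* Allow-list validation of an RFC 1123 host name: labels of letters, digits
 * and '-', 1..63 chars, not starting or ending with '-', joined by '.',
 * at most 253 chars overall. Returns 1 if valid, 0 otherwise. */
int valid_hostname(const char *h)
{
    size_t total = strlen(h), label = 0;
    if (total == 0 || total > 253)
        return 0;
    for (size_t i = 0; i <= total; i++) {
        char c = h[i];
        if (c == '.' || c == '\0') {
            if (label == 0 || label > 63 || h[i - 1] == '-')
                return 0;
            label = 0;
        } else if (isalnum((unsigned char)c) || c == '-') {
            if (label == 0 && c == '-')
                return 0;
            label++;
        } else {
            return 0;               /* anything else, including ; | ` $ and space */
        }
    }
    return 1;
}

/* Hardened: validate, then build an argv for execve()/posix_spawn() so no
 * shell ever parses the value. argv[1] points into buf. */
int hostname_argv_safe(const char *host_name, char *buf, size_t buflen, const char *argv[3])
{
    if (!valid_hostname(host_name))
        return -EINVAL;
    if (strlen(host_name) >= buflen)
        return -E2BIG;
    strcpy(buf, host_name);
    argv[0] = "hostname";
    argv[1] = buf;
    argv[2] = NULL;
    return 0;
}

int main(void)
{
    const char *inputs[] = { "router-01.lan", "router; reboot", "a`id`", "-bad" };
    char cmd[256], buf[256];
    const char *argv[3];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        build_hostname_cmd_unsafe(inputs[i], cmd, sizeof cmd);
        int rc = hostname_argv_safe(inputs[i], buf, sizeof buf, argv);
        printf("%-16s unsafe: system(\"%s\")  safe: %s\n", inputs[i], cmd,
               rc == 0 ? "accepted, exec without shell" : "rejected");
    }
    return 0;
}
```

The two halves of the fix matter independently: the allow-list stops anything that is not a host name from reaching the system, and passing an argv to execve rather than a string to system() means that even a value which slips through validation is never interpreted by a shell.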

Recommendation: If the vendor has not released firmware that fixes this bug, a user can only reduce exposure in the short run: hide the Wi-Fi SSID, use a Wi-Fi passphrase that is hard to guess (more than 15 characters), and, since the injection is triggered by a crafted request to the router's management interface, make sure that interface is not reachable from the WAN and is limited to trusted hosts on the LAN.

Ref: About 22 days earlier, another security researcher found a command injection vulnerability in a recently released TOTOLINK firmware that allows remote attackers to execute arbitrary OS commands via a crafted request. The difference between the two is that the earlier vulnerability lies in a different function.

About CVE-2022-26966

Background: The SR9700 is a USB to Ethernet converter chip compatible with the USB 1.1 protocol; its device driver (sr9700[.]c) is merged into the Linux kernel. The buffers the kernel uses to manage network packets are called sk_buffs.

The buffers are always allocated as at least two separate components: a fixed size header of type struct sk_buff; and a variable length area large enough to hold all or part of the data of a single packet.

Vulnerability details: An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700[.]c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device.

Remedy: Please refer to the link for details – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e9da0b56fe27206b49f39805f7dcda8a89379062
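An added example (a model of the bug class, not code from sr9700[.]c): the receive fixup with and without a check that the device-reported frame length fits inside the data actually received, plus a harness that counts how many bytes of neighbouring heap memory the unchecked version copies into the frame. The 3-byte header layout, the 64-byte URB and the 600-byte claimed length are constructed for the example.

```c
/* Added example, modelled on the bug class rather than taken from sr9700.c:
 * the converter delivers a bulk-in buffer that starts with a 3-byte header
 * (status, then a little-endian frame length) supplied by the device. The
 * unchecked fixup only caps that length at an Ethernet frame; the checked
 * fixup also requires it to fit inside what was actually received. The
 * header layout and sizes here are the example's simplification. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETH_FRAME_LEN 1514
#define SR_HDR_LEN    3

typedef int (*rx_fixup_fn)(const uint8_t *urb, size_t urb_len, uint8_t *out, size_t out_cap);

static unsigned claimed_len(const uint8_t *hdr)
{
    return (unsigned)(hdr[1] | (hdr[2] << 8));
}

/* Vulnerable: trusts the device's length as long as it looks like a frame.
 * If the device lies, memcpy reads past the received data into whatever
 * heap memory follows the buffer, and that goes up the stack as a packet. */
int rx_fixup_unchecked(const uint8_t *urb, size_t urb_len, uint8_t *out, size_t out_cap)
{
    if (urb_len < SR_HDR_LEN)
        return -EINVAL;
    unsigned len = claimed_len(urb);
    if (len > ETH_FRAME_LEN || len > out_cap)
        return -EINVAL;
    memcpy(out, urb + SR_HDR_LEN, len);
    return (int)len;
}

/* Fixed: the claimed length may not exceed the bytes actually received. */
int rx_fixup_checked(const uint8_t *urb, size_t urb_len, uint8_t *out, size_t out_cap)
{
    if (urb_len < SR_HDR_LEN)
        return -EINVAL;
    unsigned len = claimed_len(urb);
    if (len > ETH_FRAME_LEN || len > out_cap || len > urb_len - SR_HDR_LEN)
        return -EINVAL;
    memcpy(out, urb + SR_HDR_LEN, len);
    return (int)len;
}

/* Demonstration harness (constructed data): one 4096-byte heap block whose
 * first URB_LEN bytes are what the device sent; the rest stands in for
 * unrelated data left in adjacent heap memory, marked 0xAA. Returns how
 * many marker bytes end up in the frame, or the fixup's error code. */
int leaked_bytes(rx_fixup_fn fixup)
{
    enum { BLOCK = 4096, URB_LEN = 64, CLAIMED = 600 };
    uint8_t *heap = malloc(BLOCK);
    if (!heap)
        return -ENOMEM;
    memset(heap, 0xAA, BLOCK);                              /* "stale" neighbouring data */
    heap[0] = 0x40;                                         /* status byte: frame OK */
    heap[1] = CLAIMED & 0xff;                               /* device claims 600 bytes ... */
    heap[2] = CLAIMED >> 8;
    memset(heap + SR_HDR_LEN, 0x11, URB_LEN - SR_HDR_LEN);  /* ... but only sent 61 */

    uint8_t frame[ETH_FRAME_LEN];
    memset(frame, 0, sizeof frame);
    int n = fixup(heap, URB_LEN, frame, sizeof frame);
    int leaked = 0;
    for (int i = 0; n > 0 && i < n; i++)
        leaked += (frame[i] == 0xAA);
    free(heap);
    return n < 0 ? n : leaked;
}

int main(void)
{
    printf("unchecked: %d bytes of neighbouring heap copied into the frame\n",
           leaked_bytes(rx_fixup_unchecked));
    printf("checked:   %d (frame rejected)\n", leaked_bytes(rx_fixup_checked));
    return 0;
}
```

A length that comes from the device is no more trustworthy than one that comes from the network; the bound that matters is not "does it look like an Ethernet frame" but "is it inside the bytes the USB core actually handed me".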

About CVE-2022-26878

Background: Writing a device name to a driver's sysfs bind file causes the kernel to bind that device to the driver, provided the driver is compatible with it.

Vulnerability details: Bluetooth: virtio_bt: fix memory leak in virtbt_rx_handle()

On the reception of packets with an invalid packet type, the memory of the allocated socket buffers is never freed. Add a default case that frees these to avoid a memory leak.

Typically a memory leak occurs when allocated memory is never freed and the last pointer to the block is lost, so it can no longer be released.

Status: The fix was released in October 2021 – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1d0688421449718c6c5f46e458a378c9b530ba18

About CVE-2022-24397 (10th Mar 2022)

Background: SAP SE — SE stands for societas Europaea, a public company registered in accordance with the European Union corporate law.

SAP NetWeaver is a software stack for many of SAP SE's applications. The SAP NetWeaver Application Server, sometimes referred to as WebAS, is the runtime environment for the SAP applications, and all of the mySAP Business Suite runs on SAP WebAS: supplier relationship management (SRM), customer relationship management (CRM), supply chain management (SCM), product lifecycle management (PLM), enterprise resource planning (ERP), transportation management system (TMS) and so on (adapted from Wikipedia).

Vulnerability details: SAP NetWeaver Enterprise Portal, versions 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. A reflected XSS attack can be used to non-persistently deface or modify the displayed content of the portal website.

*Cross site scripting attacks can be broken down into two types: stored and reflected.

Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application.

Reflected XSS involves a web application reflecting a malicious script back to a user's browser. The script is embedded in a link and is only executed once the victim follows that link.

Impact: The execution of the script content by a victim registered on the portal could compromise the confidentiality and integrity of victim’s web browser.

CVE-2022-23298 Windows NT OS Kernel Elevation of Privilege vulnerability (9th Mar 2022)

Background: Vendors generally have the right to withhold information about design defects from the public. This CVE record was published on March 9, 2022. But if you look in the local Windows system directory (c:\windows\system32), you will find that at least two DLLs have been updated: hal[.]dll and ci[.]dll. Both files are closely related to ntoskrnl[.]exe. My guess is that this issue is based on a design limitation of ci[.]dll.

ci[.]dll implements Code Integrity, which validates the integrity of a system file or driver whenever it is loaded into memory. It is an important Windows component and should not be removed. (The Microsoft Windows operating system, with its graphical user interface, first appeared in November 1985.)

Virtual Secure Mode (VSM) has to be enabled through a policy in the Group Policy Editor (gpedit[.]msc): Computer Configuration -> Administrative Templates -> System -> Device Guard -> Turn on Virtualization Based Security. Enable this policy and select the Secure Boot option under Select Platform Security Level.

Vulnerability details: Certain versions of Windows from Microsoft contain the following vulnerability: Windows NT OS Kernel Elevation of Privilege Vulnerability.

Official announcement: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23298

CVE-2022-24739 – Alltube (from Rudloff) users must be vigilant (8th Mar 2022)

Background: youtube-dl is a command-line program to download videos from YouTube.com and a few more sites. It requires the Python interpreter, version 2.6, 2.7, or 3.2+, and it is not platform specific. It should work on your Unix box, on Windows or on macOS. It is released to the public domain, which means you can modify it, redistribute it or use it however you like.

AllTube, a web GUI for youtube-dl maintained in the Rudloff/alltube repository on GitHub, lets you easily download videos from YouTube, Dailymotion, Vimeo and other websites. How do you download with AllTube's browser extension? Clicking the icon opens a pop-up window; the extension attempts to find the list of available video qualities for the video on the watch page and displays them. To download the video, click the 'Download' button for the desired quality.

Vulnerability details: Certain versions of Alltube from Rudloff contain the following vulnerability:

alltube is an html front end for youtube-dl. On releases prior to 3.0.3, an attacker could craft a special HTML page to trigger either an open redirect attack or a Server-Side Request Forgery attack (depending on how AllTube is configured). The impact is mitigated by the fact the SSRF attack is only possible when the `stream` option is enabled in the configuration. (This option is disabled by default.) 3.0.3 contains a fix for this vulnerability.

Remedy: Please refer to link – https://github.com/Rudloff/alltube/commit/3d092891044f2685ed66c73c870a021bee319c37

First step to fix CVE-2022-26495 (nbd-server)

Background: A block device is, by definition, a device that stores or reads data in blocks, meaning that a certain amount of data is transmitted in every operation; how big that block is depends on the protocol used. A network block device (NBD) is a standard protocol on Linux for exporting a block device over a network. NBDs are device nodes whose content is offered by a remote system. Linux users generally use NBDs to access a storage device that does not physically reside in the local machine but in a remote one.

Vulnerability details: In nbd-server in nbd before 3.24, there is an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name, resulting in a write to a dangling pointer. This issue exists for the NBD_OPT_INFO, NBD_OPT_GO, and NBD_OPT_EXPORT_NAME messages.

Memory allocated by malloc lives on the heap; the pointer malloc returns always points into heap memory.

In nbd-server the name length (namelen) is a 32-bit value read from the client. When the client sends 0xffffffff (-1 as a signed value), the server's namelen + 1 (room for the terminating NUL) wraps around to zero, so malloc returns a zero-sized buffer; socket_read then tries to read 0xffffffff bytes into that buffer, causing a heap overflow.
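The wrap-around, as an added example written for this page (a model, not nbd-server's code): the name-length read in an unchecked form and a checked form, over a mock socket and a small bump allocator so the overflow lands in an inspectable neighbouring chunk rather than in undefined behaviour. The 4096-byte cap on export names and the neighbouring "per-client" chunk are assumptions.

```c
/* Added example, not nbd-server's code: a model of reading the export name
 * during option negotiation. The client sends a 32-bit big-endian name
 * length followed by the name. The unchecked reader does namelen + 1 in
 * 32-bit arithmetic, so 0xffffffff wraps to 0 and a zero-byte buffer is
 * handed out before up to 4 GiB is read into it. A bump allocator stands in
 * for the heap so the overflow lands in an inspectable neighbouring chunk
 * instead of undefined behaviour. The 4096-byte name cap is an assumption. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Mock socket over a byte string the client sent. */
struct sock { const uint8_t *data; size_t len, pos; };

/* Like a blocking read loop: copies what is available, fails if short. The
 * bytes already copied are not undone. */
static int socket_read(struct sock *s, void *buf, size_t want)
{
    size_t avail = s->len - s->pos, n = want < avail ? want : avail;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return n == want ? 0 : -1;
}

/* Downward bump allocator: later chunks sit below earlier ones, so writing
 * past a chunk's end runs into the chunk allocated just before it. */
#define HEAP_SIZE 4096
struct heap { uint8_t mem[HEAP_SIZE]; size_t top; };
void heap_init(struct heap *h) { h->top = HEAP_SIZE; }
void *heap_alloc(struct heap *h, size_t size)
{
    if (size > h->top)
        return NULL;
    h->top -= size;
    return &h->mem[h->top];
}

#define NBD_MAX_NAME 4096

/* Vulnerable: namelen + 1 wraps in uint32_t. */
int read_name_unchecked(struct heap *h, struct sock *s, char **name_out)
{
    uint8_t hdr[4];
    if (socket_read(s, hdr, sizeof hdr) < 0)
        return -EIO;
    uint32_t namelen = be32(hdr);
    char *name = heap_alloc(h, namelen + 1);        /* 0xffffffff + 1 == 0 */
    if (!name)
        return -ENOMEM;
    if (socket_read(s, name, namelen) < 0)          /* namelen bytes into a 0-byte chunk */
        return -EIO;
    name[namelen] = '\0';
    *name_out = name;
    return 0;
}

/* Fixed: cap the client-supplied length first and widen before adding. */
int read_name_checked(struct heap *h, struct sock *s, char **name_out)
{
    uint8_t hdr[4];
    if (socket_read(s, hdr, sizeof hdr) < 0)
        return -EIO;
    uint32_t namelen = be32(hdr);
    if (namelen > NBD_MAX_NAME)
        return -EINVAL;
    char *name = heap_alloc(h, (size_t)namelen + 1);
    if (!name)
        return -ENOMEM;
    if (socket_read(s, name, namelen) < 0)
        return -EIO;
    name[namelen] = '\0';
    *name_out = name;
    return 0;
}

int main(void)
{
    uint8_t evil[36];
    memset(evil, 0xff, 4);                          /* namelen = 0xffffffff */
    memset(evil + 4, 'A', 32);                      /* followed by 32 bytes of "name" */
    struct heap h;
    heap_init(&h);
    uint8_t *client = heap_alloc(&h, 32);           /* neighbouring chunk, e.g. per-client state */
    memset(client, 0, 32);
    struct sock s = { evil, sizeof evil, 0 };
    char *name = NULL;
    int rc = read_name_unchecked(&h, &s, &name);
    printf("unchecked: rc=%d, neighbour[0]=0x%02x (was 0x00)\n", rc, client[0]);
    heap_init(&h);
    client = heap_alloc(&h, 32);
    memset(client, 0, 32);
    struct sock s2 = { evil, sizeof evil, 0 };
    rc = read_name_checked(&h, &s2, &name);
    printf("checked:   rc=%d, neighbour[0]=0x%02x\n", rc, client[0]);
    return 0;
}
```

Note that the unchecked reader still returns an error, because the client did not send 4 GiB, but by then the neighbouring chunk has already been overwritten; the check has to happen before the allocation, and the arithmetic has to be done in a type wide enough not to wrap.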

The report of this security problem to the nbd mailing list is at – https://lists.debian.org/nbd/2022/01/msg00037.html

antihackingonline.com