Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: A block device, is, by definition, a device that stores or reads data in blocks. This means, always a certain amount of data is transmitted at every operation. How big that block is, highly depends on the protocol used. A network block device (NBD) is a standard protocol for Linux for exporting a block device over a network. NBDs are device nodes whose content is offered by a remote system. Generally, Linux users make use of NBDs to gain access to any storage device that does not reside in the local machine physically, but in a remote machine.

Vulnerability details: In nbd-server in nbd before 3.24, there is an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name, resulting in a write to a dangling pointer. This issue exists for the NBD_OPT_INFO, NBD_OPT_GO, and NBD_OPT_EXPORT_NAME messages.

All variables allocated by malloc is stored in heap memory. When malloc is called, the pointer that returns from malloc will always be a pointer to “heap memory”.

NAMELEN =n specifies the length of effect names in tables and output data sets to be n characters, where n value is -1.
when namelen = -1, malloc will allocate a very small buffer, but socket_read will read a 0xffffffff, thus causing a heap overflow.

Report security problem of nbd, please refer to the link – https://lists.debian.org/nbd/2022/01/msg00037.html

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: The ST21NFCA is a single chip designed for supporting 13.56 MHz contactless communication, including Near Field Communication (NFC) functions in the three operating modes: card emulation, reader and peer-to-peer communication. Furthermore, it is a system on chip solution able to be compliant with NFC communication
system embedded in a mobile phone.

The kernel used by Android is the Linux kernel. Since the Linux kernel and Android are open source it is possible to build custom kernels with different configuration settings. These kernels can then replace the default kernel supplied with your device.

Vulnerability details: st21nfca_connectivity_event_received in drivers/nfc/st21nfca/se.c in the Linux kernel through 5.16.12 has EVT_TRANSACTION buffer overflows because of untrusted length parameters.

Ref: EVT_TRANSACTION. This event notifies the terminal host that it shall launch an application associated to an NFC application in a UICC host.

It appears that there are some buffer overflows in EVT_TRANSACTION.This happens because the length parameters that are passed to memcpy come directly from skb->data is not protected in any way.

Remedy: For more details, please refer to the link – https://github.com/torvalds/linux/commit/4fbcc1a4cb20fe26ad0225679c536c80f1648221

Preface: The reason why do I concerns this open source routing module? Because I predicted that vendors might used this routing module in their products. A well know idea is that routing device will select Linux system as a based OS.

Background: FRRouting (FRR) is a free and open source Internet routing protocol suite for Linux and Unix platforms. It was created as a fork from Quagga. FRRouting is distributed under the terms of the GNU General Public License v2 (GPL2). It implements BGP, OSPF, RIP, IS-IS, PIM, LDP, BFD, Babel, PBR, OpenFabric and VRRP, with alpha support for EIGRP and NHRP. FRR is a large project developed by many different groups.

Vulnerability details: Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to wrong checks on the subtlv length in the functions, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv in babeld/message[.]c.

Informed by related party that there are two programming syntax which causes design weakness.

Line 143: the condition should be i + 1 >= alen instead of i + 1 > alen. Otherwise, overflows will happen at 147.

Line 148: the condition should be i + len + 2 > alen instead of i + len > alen. We need include extra two bytes, a[i] and a[i + 1] in this check.

Additional information: Int, short for “integer,” is a fundamental variable type built into the compiler and used to define numeric variables holding whole numbers. Other data types include float and double. C, C++, C# and many other programming languages recognize int as a data type.
Under the C++ standard, what you are doing is undefined behavior. The memory layout of unsigned and signed ints is not guaranteed.

Status: In the moment, no vendors claim that there products was impacted by this package/module. Let’s keep our eye open to see whether there are security updates in this matter.

Preface: SCTP is used mostly in the telecom area. Traditionally, telecom switches use SS7 (Signaling System No. 7) to interconnect different entities in the telecom network.
From technical point of view, IP network is open and not reliable. This is why SCTP was developed.

SCTP design objective:

• Emulate the advantages of the SS7 network accumulated over the decades.
• Create a connection-oriented protocol better than TCP in speed, security, and redundancy.

Background: SCTP is a message oriented, reliable transport protocol with direct support for multihoming that runs on top of ip(7), and supports both v4 and v6 versions. Like TCP, SCTP provides reliable, connection oriented data delivery with congestion control.Unlike TCP, SCTP also provides message boundary preservation, ordered and unordered message delivery, multi-streaming and multi-homing.
Stream Control Transmission Protocol over User Datagram Protocol (SCTP over UDP, also known as UDP encapsulation of SCTP) is a feature defined in RFC6951 and implemented in the Linux kernel space since 5.11. 0. It is planned to be supported by Red Hat Enterprise Linux (RHEL) 8.5. 0 and 9.0.
SCTP is a reliable message-oriented protocol. It preserves the message boundaries, and at the same time, detects lost data, duplicate data, and out-of-order data. It also has congestion control and flows control mechanisms.
About the SCTP sender’s port number. It can be used by the receiver in combination with the source IP address, the SCTP destination port and possibly the destination IP address to identify the association to which this packet belongs. The port number 0 MUST NOT be used. Destination Port Number is 16 bits (unsigned integer).This is the SCTP port number to which this packet is destined.

Vulnerability details: A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses.

Remedy:

• Make sure sctp_vtag_verify() is called firstly to verify the vtag from the received chunk and discard this – chunk if it fails.
• Always use the vtag from the received INIT chunk to make the response ABORT in sctp_ootb_pkt_new().
• Fix the order for some checks and add some missing checks for the received chunk.

Official announcement (From the Ubuntu security team) – For more details, please refer to the link – https://ubuntu.com/security/CVE-2021-3772

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: FortiAnalyzer platforms integrate network logging, analysis, and reporting into a single system, delivering increased knowledge of security events throughout your network. FortiManager provides automation-driven centralized management of your Fortinet devices from a single console. Both devices operate in a network-based structure. Therefore, it requires a web browser or CLI (command line) for the end user to work.

Vulnerability details: An improper handling of insufficient permissions or privileges vulnerability [CWE-280] in FortiAnalyzer and FortiManager may allow an authenticated attacker to bypass the device policy and force the password-change action for its user.

My observation My observation (one of the possibilities): Authentication bypass vulnerabilities exist when authentication state is not consistently enforced on the devices (FortiAnalyzer and FortiManager). As a result, it can be tampered by clients.

The vulnerability risk level is not high (CVSS v3=3.9). But it will let you know more. The client can arbitrarily change the GET parameters sent with the request. Nothing prevents the client from simply changing the parameter value. It effectively bypassing policy. Since this vulnerability in low risk (enforce password change to its user). Whether there will be unknown problems, we do not know.

Official announcement – For details, please refer to the link – https://www.fortiguard.com/psirt/FG-IR-21-255

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: Dropbox will be deployed lossless compression algorithms that are processed for certain classes of files and storage, like Lepton for jpeg images, and Pied-Piper-esque lossless video encoding. For other file types, Dropbox currently uses the zlib compression format, which saves almost 8% of disk storage.

Lepton is a tool and file format for actively compressing JPEGs. First developed by Daniel Horn at a Dropbox Hack Week, this streaming image compression format achieves a 22% savings reduction for existing JPEG images, while preserving the original file bit-for-bit perfectly.

Vulnerability details: A security vulnerability exists in the ‘build_huffcodes’ function of the lepton/jpgcoder[.]cc file. A remote attacker can exploit this vulnerability to cause a denial of service by means of a specially crafted jpeg file.

Reference: Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program’s implicit security policy. Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker’s code. Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory. For example, object methods in C++ are generally implemented using function pointers. Even in C programs, there is often a global offset table used by the underlying runtime.

Official announcement: For details , please refer to the link – https://drive.google.com/file/d/1bJlHozO37c5NZ1wI0NBWh0yHHyTcfaQL/view?usp=sharing

https://github.com/dropbox/lepton/issues/154

https://github.com/dropbox/lepton

Preface: Perhaps the risk of this vulnerability is not high. However, if attackers exploit specific design weaknesses. It’s hard to say if Lamda can’t direct the attack to the backend service cloud.

Background: Alexa is able to play music, provide information, deliver news and sports scores, tell you the weather, control your smart home and even allow Prime members to order products from Amazon.

Alexa is always listening, but not constantly recording. It doesn’t send anything to the cloud server until it hears your wake word (Alexa, Echo, or Computer). Without internet, any request or question you make will fail. This is because your commands are sent to the cloud for interpretation and decision making. Not every conversation you have in front of the smart speaker is recorded every single time, the design goal only wants you to command the smart speaker to be recorded. For this reason, the company uses wake words to attract the attention of smart speakers. To do this, Amazon uses a combination of fine-tuned microphones, short-memory buffers, and neural network training.

Vulnerability details: Improper Neutralization of audio output from 3rd and 4th Generation Amazon Echo Dot devices allows arbitrary voice command execution on these devices via a malicious skill (in the case of remote attackers) or by pairing a malicious Bluetooth device (in the case of physically proximate attackers), aka an “Alexa versus Alexa (AvA)” attack.

Ref: What is Alexa in Python? What is Alexa command in the skill’s context?

The Alexa Skills Kit SDK for Python simplifies the development of the back-end cloud service for your Alexa skill. A part of the Alexa Skills Kit, the SDK reduces the amount of code you need to write to process Alexa requests and responses and to handle other common skill tasks.

You can built few basic Alexa skills, the goal of these skills related to predefined questions. These predefined skills will do information mapping to find the right answer.

For more details, please refer to the link – https://arxiv.org/abs/2202.08619

Preface: Blockchain protocols are regulations and guidelines followed to achieve its decentralized and distributed nature, to ensure secure transactions, and more. There are three basic types of blockchain: public blockchain, consortium blockchain and private blockchain.

Background: RigoBlock is a blockchain protocol that makes it possible for anyone to set up and run a digital token pool. It is an open protocol which developers can use for building their own applications for token management.

Vulnerability details: RigoBlock has been hacked. All tokens in Dragos except ETH and USDT are at risk due to protocol vulnerabilities being exploited. The hacker, “Whitehat”, has returned funds to the affected RigoBlock pool, leaving only 10% of the bug bounty reward.

In RigoBlock Dragos, all versions as of 2022-02-17 and later (until a major protocol update is accomplished) contain an exposed function (CWE-749), specifically setMultipleAllowances() which was not set to onlyOwner. The setMultipleAllowances() function can be to manipulate tokens with the contract.

Ref: CWE-749: Exposed Dangerous Method or Function
The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

Reminder: Blockchain protocols are regulations and guidelines followed to achieve its decentralized and distributed nature, to ensure secure transactions, and more. If it require a major protocol upgrade to fix the design weakness. Before it fixed, you should consider not to use in the moment.

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: Istio makes traffic management transparent to the application, moving this functionality out of the application and into the platform layer as a cloud native infrastructure. Istio complements Kubernetes, by enhancing its traffic management, observability and security for cloud native applications. Istio is an open source service mesh that layers transparently onto existing distributed applications. A service mesh often has complex operational requirements which include A/B testing, canary releases, access control, and rate limiting. These are in addition to its standard requirements of load balancing, discovering, failure recovery, end-to-end authentication, monitoring, and metrics.

Vulnerability details: The Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker……. For more details, please refer to the link – https://istio.io/latest/news/security/istio-security-2022-003/

Remedy: This release fixes the security vulnerabilities described in our February 22nd post, ISTIO-SECURITY-2022-003. This release note describes what’s different between Istio 1.13.0 and 1.13.1. For more details, please refer to the link – https://istio.io/latest/news/releases/1.13.x/announcing-1.13.1/