Preface: Google (Android) and Qualcomm pioneer empower the infotainment and connectivity processors for automotive. As times goes by, when you jump to driver seat, a multifucntion dsahboard can provide functions to you. In-car entertainment or in-vehicle infotainment systems are large touch screens usually positioned on a vehicle’s dashboard or on the back of seats.
Background: The S820Am Snapdragon processor includes four Kryo™ CPUs, a Qualcomm® Adreno™ 530 GPU and high-performance Hexagon™ 680 DSP. The ADP features rich connectivity through the X12 LTE modem, and 802.11a/b/g/n/ac, Bluetooth 4.1 and GNSS, Glonass, BDS, Galileo. The ADP supports multiple camera sensors and 4K display outputs.
Vulnerability details: Memory corruption in Automotive GPU while querying a gsl memory node.
Preface: Go is garbage collected instead of manual memory management which is not suitable for a kernel. Golang is useful for carrying out programming for scalable servers and large software systems. The Golang programming language was built to fill in the gaps of C++ and Java that Google came across while working with its servers and distributed systems.
Background: Go does have an extensive library, called the runtime, that is part of every Go program. The runtime library implements garbage collection, concurrency, stack management, and other critical features of the Go language. The Go scheduler is part of the Go runtime, and the Go runtime is built into your application. This means the Go scheduler runs in user space, above the kernel. For Go to “call the kernel directly” can exploit so-called ABI of the H/W and OS combo. For example: On linux, making a syscall requires filling a set of CPU registers with certain values, doing some other arrangements and then issuing the SYSENTER CPU instruction. The 64-bit x86 Linux ABI supports the following entry points:
SYSCALL from 64-bit code;
interrupt 0x80 from 32- and 64-bit code;
SYSENTER from 32-bit code.
Vulnerability details: On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
Preface: The Advanced Linux Sound Architecture (ALSA) provides kernel driven sound card drivers. Besides the sound device drivers, ALSA also bundles a user space driven library for application developers. This enables direct (kernel) interaction with sound devices through ALSA libraries.
Background: Exynos, formerly Hummingbird, is a series of ARM-based system-on-chips developed by Samsung Electronics’ System LSI division and manufactured by Samsung Foundry.
Set your DISPLAY environment variable % setenv DISPLAY localhost:0
navigate to the SoC installer file location
Run the installer % [.]/xxxx_SoC_v2023[.]2[.]bin
Follow on screen instructions.
Click Finish. It is now ready to use.
Vulnerability details: A use after free vulnerability exists in the ALSA PCM package in the Linux Kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a priviledge escalation to gain ring0 access from the system user.
Solution: Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung. For details, please refer to link – https://security.samsungmobile.com/securityUpdate.smsb
Preface: Double free errors occur when free() is called more than once with the same memory address as an argument. Calling free() twice on the same value can lead to memory leak. When a program calls free() twice with the same argument, the program’s memory management data structures become corrupted and could allow a malicious user to write values in arbitrary memory spaces.
Background: SnapDragon has different processors runn on top of SOC (see below): Krait CPU — General purpose processor that usually runs android applications. Adreno GPU — This is largely used for graphics processing like rendering. Hexagon DSP — Hexagon specially designed for multi-media acceleration, this helps CPU to offload the task to DSP and save energy and thereby offering optimum performance.
Vulnerability details: Memory corruption due to double free in Core while mapping HLOS address to the list.
How to observe memory allocation in Linux kernel? Generate the skeleton for the task named 1-mem and browse the contents of the mem[.]c file. Observe the use of kmalloc() call for memory allocation.
Compile the source code and load the mem[.]ko module using insmod.
View the kernel messages using the dmesg command.
Unload the kernel module using the rmmod mem command.
Preface: Use-After-Free (UAF) is a vulnerability related to incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program.
Background: Btrfs provides a clone operation that atomically creates a copy-on-write snapshot of a file. Such cloned files are sometimes referred to as reflinks, in light of the proposed associated Linux kernel system call. Subvolumes allow for the partitioning of a Btrfs filesystem into separate sub-filesystems. Therefore, you can mount subvolumes from a Btrfs filesystem as if they were independent filesystems.
Vulnerability details: A use after free vulnerability was found in prepare_to_relocate in fs/btrfs/relocation[.]c in btrfs in the Linux Kernel. This possible flaw can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag().
Solution: To fix this possible bug, in prepare_to_relocate(), an if statement is added to check whether btrfs_commit_transaction() fails. If the failure occurs, unset_reloc_control() is called to set > fs_info->reloc_ctl to NULL.
Preface: Windows has traditionally run on machines that are powered by x86 / x64 processors. Windows 11 adds the capability to run unmodified x64 Windows apps on Arm devices! This capability to run x86 & x64 apps on Arm devices gives end-users confidence that the majority of their existing apps & tools will run well even on new Arm-powered devices. For the best of result, it can exploit Arm-native Windows apps theoretically, as a result, developers cope with trend , thus built or port Arm-native Windows apps.
Background: Codenamed “Anaheim”, on December 6, 2018, Microsoft announced its intent to base Edge on the Chromium source code, using the same browser engine as Google Chrome but with enhancements developed by Microsoft. The new Microsoft Edge (Chromium) is built on the same underlying technology as Google Chrome. During the Ignite 2021 conference, Microsoft revealed plans to align the codebase of the Edge browser on all supported platforms.
Vulnerability details: CVE-2023-29345 Microsoft Edge Remote Code Execution – A vulnerability was found in Microsoft Edge (Web Browser) (version unknown). CVE-2023-33143 – Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability For details, please refer to the link – https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security
Preface: The DMTF’s Security Protocols and Data Models (SPDM) Working group is responsible for the SPDM standard. This standard enables authentication, attestation and key exchange to assist in providing infrastructure security enablement.
Background: Security Protocol and Data Model (SPDM) is a two-party protocol between a Requester that initiates the conversation and the Responder. DMTF is a standards organization by major industry players in IT infrastructure.
Vulnerability details: libspdm is a sample implementation that follows the DMTF SPDM specifications. Prior to versions 2.3.3 and 3.0, following a successful CAPABILITIES response, a libspdm Requester stores the Responder’s CTExponent into its context without validation. If the Requester sends a request message that requires a cryptography operation by the Responder, such as CHALLENGE, libspdm will calculate the timeout value using the Responder’s unvalidated CTExponent. A patch is available in version 2.3.3. A workaround is also available. After completion of VCA, the Requester can check the value of the Responder’s CTExponent. If it greater than or equal to 64, then the Requester can stop communication with the Responder.
Preface: Speculate that this CVE is custom for Ampere Computing. Ampere Computing is an ARM architecture licensee and develops its own server microprocessors.
Background: Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.
Vulnerability details: CVE-2023-3006 – A known cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, becomes actual again for the new hw AmpereOne. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim s hardware context. Once that occurs, speculation caused by the mispredicted branches can cause cache allocation. This issue leads to obtaining information that should not be accessible.
Preface: About 20 years ago, people know java is unsafe. Perhaps of technology trend, so whatever the design appyling java language. The flexibility and easy to use will let people contempt about awareness of cyber security. While Java is considered relatively safe because it is a server side language, there are still multiple ways to attack and access secure code you’d like to remain private.
Background: The Spring Framework is an application framework and inversion of control container for the Java platform. The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE platform. Mustache is a logicless template engine and it is helpful for creating dynamic content like HTML and configuration files. If your models are type based and not just Map then JStachio is good choice.
Ref:End-users only use JVM and JRE to execute the application program. JRE identifies all the helpful class libraries needed for execution, while JVM is a subclass of JRE that decodes the bytecode into machine language and other minor tasks. Each JVM server can have a maximum of 256 threads to run Java applications.
Vulnerability details: Prior to version 1.0.1, JStachio fails to escape single quotes ' in HTML, allowing an attacker to inject malicious code. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of other users visiting pages that use this template engine. This can lead to various consequences, including session hijacking, defacement of web pages, theft of sensitive information, or even the propagation of malware.
Solution: Version 1.0.1 contains a patch for this issue.
Workaround: To mitigate this vulnerability, the template engine should properly escape special characters, including single quotes. Common practice is to escape ' as '. As a workaround, users can avoid this issue by using only double quotes " for HTML attributes.
Preface: c-ares is a C language implementation of asynchronous request DNS. When using c-ares, you usually only need to reference the ares.h header file, and the related header files of the library are included.
Background: For some asynchronous DNS requests, Node[.]js uses a C library called c-ares. So called Async DNS – This feature bypasses the normal operating system mechanisms for resolving domain names and uses the browser directly. In this mode, DNS requests will communicate directly own DNS servers and some third party providers.
Vulnerability details: c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.
According to the technical aspect of UDP packet with a length of 0 matter. Do you have below queries? Writing a datagram of length 0 is acceptable. In the case of UDP, this results in an IP datagram containing an IP header (normally 20 bytes for IPv4 and 40 bytes for IPv6), an 8-byte UDP header, and no data. This also means that a return value of 0 from recvfrom is acceptable for a datagram protocol: It does not mean that the peer has closed the connection, as does a return value of 0 from read on a TCP socket. Since UDP is connectionless, there is no such thing as closing a UDP connection.
