About CVE-2022-41218 – Vendors who ship this technology should fix it immediately; otherwise it will be a headache! (21st Sep 2022)

Preface: In 2021, Linux was one of the most popular software platforms for client devices. According to Digital TV Europe, 800 million set-top boxes worldwide are powered by this platform.

Background: The LinuxTV project is an informal group of volunteers who develop software related to digital television for Linux kernel-based operating systems. The community develops and maintains the Digital Video Broadcasting (DVB) driver subsystem, which has been part of the Linux kernel since version 2.6.x.

Vulnerability details: In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release.

Ref: In computing, reference counting is a programming technique for storing the number of references, pointers, or handles to a resource, such as an object, a block of memory, disk space, and others.
Furthermore, in garbage collection management, reference counts may be used to deallocate objects that are no longer needed.

Reference counts can be used when tracking how many objects contain a reference to a particular resource, such as in memory management or garbage collection. A race condition can cause the reference counter to be decremented prematurely, leading to the destruction of a still-active object and an invalid pointer dereference.
An invalid pointer dereference occurs when a pointer’s value is dereferenced even though the pointer does not point to a valid block.

My observation:
Reference counting stores the number of references, pointers, or handles to a resource, and in garbage collection management, reference counts may be used to deallocate objects that are no longer needed. This vulnerability is a use-after-free caused by refcount races. Use-After-Free (UAF) is a vulnerability related to incorrect use of dynamic memory during program operation: if, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program. The driver runs in ring 0 (the kernel), so if an attacker knows how to trigger this bug from user space, the risk is significantly higher.
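To make the refcount-race class concrete, here is an added example (not the dmxdev driver's code): a reference-counted object managed with C11 atomics in the style of the kernel's refcount_t helpers. The "increment only if not already zero" acquire is the check that stops a concurrent open() from reviving an object whose last reference is being dropped by release(). The struct name, function names and the stand-in object are assumptions for illustration.

```c
/* Added example, not the dmxdev code: a reference-counted object managed
 * with C11 atomics in the style of the kernel's refcount_t helpers. The
 * "increment only if not already zero" acquire keeps a concurrent open()
 * from reviving an object whose last reference is being dropped by
 * release(); without it the opener ends up holding a pointer to memory
 * that is about to be freed. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct demux_ctx {            /* hypothetical stand-in for the driver's object */
    atomic_int refcount;
    int id;
};

static int release_count;     /* how many objects the release path freed */

struct demux_ctx *ctx_alloc(int id)
{
    struct demux_ctx *c = calloc(1, sizeof *c);
    if (!c)
        return NULL;
    atomic_init(&c->refcount, 1);   /* the creator owns the first reference */
    c->id = id;
    return c;
}

/* Racy version, for contrast only (never use): `c->refcount++` is a
 * read-modify-write that two CPUs can interleave, and it happily turns a
 * count of 0 into 1, resurrecting an object whose release has begun. */

/* Take a reference only while the object is alive. Returns false if the
 * count is already zero, i.e. release is in progress or complete. */
bool ctx_get_not_zero(struct demux_ctx *c)
{
    int old = atomic_load(&c->refcount);
    do {
        if (old == 0)
            return false;
    } while (!atomic_compare_exchange_weak(&c->refcount, &old, old + 1));
    return true;
}

/* Drop a reference. Frees the object on the final put and returns true in
 * that case; aborts on underflow, which would otherwise become a double free. */
bool ctx_put(struct demux_ctx *c)
{
    int old = atomic_fetch_sub(&c->refcount, 1);
    if (old <= 0) {
        fprintf(stderr, "refcount underflow on ctx %d\n", c->id);
        abort();
    }
    if (old == 1) {
        release_count++;
        free(c);
        return true;
    }
    return false;
}

/* Normal lifecycle: creator and one opener share the object; it is freed
 * exactly once, on the last put. Returns 0 on success. */
int demo_lifecycle(void)
{
    release_count = 0;
    struct demux_ctx *c = ctx_alloc(1);
    if (!c)
        return -1;
    if (!ctx_get_not_zero(c))      /* opener: 1 -> 2 */
        return -2;
    if (ctx_put(c))                /* creator: 2 -> 1, must not free yet */
        return -3;
    if (!ctx_put(c))               /* opener: 1 -> 0, frees */
        return -4;
    return release_count == 1 ? 0 : -5;
}

/* The race case: an opener arrives after the count has reached zero but
 * before the memory is gone. The object here is a constructed stand-in with
 * refcount 0, so the acquire must refuse it. Returns true if it was refused. */
bool late_open_is_refused(void)
{
    struct demux_ctx dying;
    atomic_init(&dying.refcount, 0);
    dying.id = 2;
    return !ctx_get_not_zero(&dying);
}
```

The defensive point is the ordering inside ctx_get_not_zero: the zero check and the increment happen in one compare-and-swap, so there is no window in which a second thread can observe a count of zero, free the object, and still let the first thread bump it back to one.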

Solution and official details: Please refer to this link – https://nvd.nist.gov/vuln/detail/CVE-2022-41218

CVE-2022-32917, CVE-2022-32912 & CVE-2022-32788 – Bounds-check design weakness requires improvement in iOS (affecting iOS 16 Beta 9 and previous versions). Apple says it is now fixed. (20th Sep 2022)

Preface: Bounds checking is a compiler-based technique that adds run-time bounds information for each allocated block of memory and checks all pointers against it at run-time. For C and C++, bounds checking can be performed at pointer-calculation time or at dereference time.

Background: The calloc() function allocates memory for an array of nmemb elements of size bytes each and returns a pointer to the allocated memory. The memory is set to zero. If nmemb or size is 0, then calloc() returns either NULL or a unique pointer value that can later be successfully passed to free().
The difference between malloc and calloc is that calloc allocates the memory and initializes every byte in the allocated memory to 0. In contrast, malloc allocates a memory block of a given size and does not initialize the allocated memory.
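As an added illustration of what an "improved bounds check" has to get right (this is example code, not Apple's code and not a reconstruction of the patched kernel), the block below shows a bounds-checked read beside the naive check it replaces, plus an overflow-checked array allocation built on calloc(). The size_t arithmetic is the point: `off + n > len` can wrap around to a small value and pass. The function names and the sample buffer are assumptions.

```c
/* Added example (not Apple's code): the two checks a bounds-checked accessor
 * and an array allocator need. The naive check wraps on overflow; the safe
 * check is rearranged so no addition can wrap. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Naive check: off + n can overflow size_t and compare as "small".
 * Shown for comparison only; never use it. */
bool naive_in_bounds(size_t len, size_t off, size_t n)
{
    return off + n <= len;
}

/* Overflow-safe check: both comparisons are on values that cannot wrap. */
bool safe_in_bounds(size_t len, size_t off, size_t n)
{
    return n <= len && off <= len - n;
}

/* Copy `n` bytes starting at `off` from a buffer of `len` bytes into `out`.
 * Returns the number of bytes copied, or -1 if the range is out of bounds. */
long bounded_read(const uint8_t *buf, size_t len, size_t off, size_t n, uint8_t *out)
{
    if (!safe_in_bounds(len, off, n))
        return -1;
    memcpy(out, buf + off, n);
    return (long)n;
}

/* Allocate `nmemb` zero-filled records of `size` bytes, refusing requests
 * whose total size would overflow. calloc() performs the same product check
 * itself; doing it explicitly lets the caller report a clear error. */
void *alloc_records(size_t nmemb, size_t size)
{
    if (nmemb != 0 && size > SIZE_MAX / nmemb)
        return NULL;
    return calloc(nmemb, size);
}

/* Self-check over a constructed 16-byte buffer. Returns 0 when every case
 * behaves as intended, otherwise the number of the failing case. */
int self_check(void)
{
    static const uint8_t sample[16] = {  /* constructed input */
        0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };
    uint8_t out[16];
    void *p;

    if (bounded_read(sample, sizeof sample, 10, 6, out) != 6 || out[0] != 10)
        return 1;                                   /* last 6 bytes: in bounds */
    if (bounded_read(sample, sizeof sample, 10, 7, out) != -1)
        return 2;                                   /* one byte past the end */
    if (bounded_read(sample, sizeof sample, SIZE_MAX, 2, out) != -1)
        return 3;                                   /* wrapping offset rejected */
    if (!naive_in_bounds(sizeof sample, SIZE_MAX, 2))
        return 4;                                   /* the naive check would allow it */
    if (alloc_records(SIZE_MAX, 2) != NULL)
        return 5;                                   /* product overflow refused */
    p = alloc_records(4, 8);
    if (!p)
        return 6;
    free(p);
    return 0;
}
```

Case 3 versus case 4 is the whole lesson: the same request (offset SIZE_MAX, length 2 into a 16-byte buffer) is accepted by the naive arithmetic and rejected by the rearranged check.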
Mach Kernel Abstractions:
Mach provides a small set of abstractions that have been designed to be both simple and powerful. These are the main kernel abstractions:

  • Tasks. The units of resource ownership; each task consists of a virtual address space, a port right namespace, and one or more threads. (Similar to a process.)
  • Threads. The units of CPU execution within a task.
  • Address space. In conjunction with memory managers, Mach implements the notion of a sparse virtual address space and shared memory.
  • Memory objects. The internal units of memory management. Memory objects include named entries and regions; they are representations of potentially persistent data that may be mapped into address spaces.
  • Ports. Secure, simplex communication channels, accessible only via send and receive capabilities (known as port rights).
  • IPC. Message queues, remote procedure calls, notifications, semaphores, and lock sets.
  • Time. Clocks, timers, and waiting.

Vulnerability details:
CVE-2022-32917 The issue was addressed with improved bounds checks – https://nvd.nist.gov/vuln/detail/CVE-2022-32917
CVE-2022-32912 An out-of-bounds read was addressed with improved bounds checking – https://www.tenable.com/cve/CVE-2022-32912
CVE-2022-32788 A buffer overflow was addressed with improved bounds checking – https://nvd.nist.gov/vuln/detail/CVE-2022-32788

About the September 2022 Trend Micro Critical Security Bulletin (20th Sep 2022)

Quote: A technical discussion on devblogs.microsoft.com – https://devblogs.microsoft.com/oldnewthing/20200113-00/?p=103322
This is not a vulnerability. In Windows, you can put a file in a directory that the user does not have access to, but if the user can produce the name of the file, they can still access it. This works because Windows by default enables “bypass traversal checks”, which means that you can access anything you can name.

Background: Trend Micro Apex One as a Service is a centrally managed anti-malware solution that protects endpoints (servers, desktops, and portable endpoints) from a wide variety of Internet threats.
– CVE-2022-40139: Improper Validation of Rollback Mechanism Components RCE Vulnerability
– CVE-2022-40140: Origin Validation Error Denial-of-Service Vulnerability
– CVE-2022-40141: Information Disclosure Vulnerability
– CVE-2022-40142: Agent Link Following Local Privilege Escalation Vulnerability
– CVE-2022-40143: Link Following Local Privilege Escalation Vulnerability
– CVE-2022-40144: Login Authentication Bypass Vulnerability
In this discussion, I am focusing on CVE-2022-40144. In 2019, a directory traversal vulnerability was discovered in Trend Micro Apex One, OfficeScan and Worry-Free Business Security. The vulnerability details announced by the vendor caught my interest. Perhaps there is no official detailed announcement. However, a directory traversal vulnerability might have been awakened again in CVE-2022-40144. The design weakness would be in the web console.

Vulnerability details: CVE-2022-40144 – A vulnerability in Trend Micro Apex One and Trend Micro Apex One as a Service could allow an attacker to bypass the product’s login authentication by falsifying request parameters on affected installations.

Remark: Trend Micro has released a new Service Pack for Trend Micro Apex One (On Premise) and Critical Patches for Apex One as a Service (SaaS) that resolve multiple vulnerabilities in the product.
Zero-Day-Initiative – CVE-2022-40140, CVE-2022-40142 and CVE-2022-40143

Remedy: To address the multiple vulnerabilities in the product, follow the vendor’s recommended fixes. For details, please refer to the following link.
https://success.trendmicro.com/dcx/s/solution/000291528?language=en_US

CVE-2022-40768 – drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory (18th Sep 2022)

Preface: iSCSI is popular in the implementation of SAN systems because of its block-level storage structure. When data arrives at its destination, the iSCSI protocol separates out the SCSI commands so that the operating system sees the storage as a local device and allows formatting as usual.

Background: iSCSI is a block protocol for storage networking and runs the very common SCSI storage protocol across a network connection which is usually Ethernet. iSCSI, like Fibre Channel, can be used to create a Storage Area Network (SAN). iSCSI traffic can be run over a shared network or a dedicated storage network.

Design concept:

Initiator – The SCSI layer generates command descriptor blocks (CDBs) and transfers them to the iSCSI layer. The iSCSI layer generates iSCSI protocol data units (PDUs) and sends them to the target over an IP network.
Target – The iSCSI layer receives PDUs and sends CDBs to the SCSI layer. The SCSI layer interprets the CDBs and gives responses when necessary.

Vulnerability details: A vulnerability was found in the Linux kernel up to 5.19.9. The design weakness occurs in the function stex_queuecommand_lck of the file drivers/scsi/stex.c. The manipulation leads to information disclosure.

Remedy: The passthrough structure is declared on the stack, so it needs to be zeroed out before being copied back to userspace to prevent any unintentional data leakage.
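The remedy above is easy to state and easy to forget, so here is an added example (not the stex driver's code) showing why a stack-allocated reply structure leaks unless it is zeroed first. The struct layout, the 0xAA "stale stack" marker and the copy-out stand-in are constructed for the demonstration; in a real kernel the stale bytes are whatever the previous function left in that stack region.

```c
/* Added example, not the stex driver's code: why a stack-allocated reply
 * structure must be zeroed before it is copied out. Kernel stack memory is
 * reused between calls, so any field or padding byte the handler does not
 * explicitly write still holds whatever the previous call left there. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical reply layout: a status byte, a length, a fixed-size payload
 * area of which only `length` bytes are meaningful, and a trailing field.
 * On common ABIs the compiler also inserts padding after `status`. */
struct passthru_reply {
    uint8_t  status;
    uint32_t length;
    uint8_t  data[8];
    uint16_t tail;
};

#define STALE_BYTE 0xAA   /* constructed marker standing in for stale stack data */

/* Simulate the previous stack contents: fill the object with the marker
 * before the handler "declares" it. */
static void simulate_stale_stack(struct passthru_reply *r)
{
    memset(r, STALE_BYTE, sizeof *r);
}

/* Buggy pattern: only the meaningful fields are written; data[4..7] and
 * any padding bytes keep their stale contents. */
static void build_reply_unzeroed(struct passthru_reply *r)
{
    simulate_stale_stack(r);
    r->status = 0;
    r->length = 4;
    memcpy(r->data, "\x01\x02\x03\x04", 4);   /* constructed payload */
    r->tail = 0x1234;
}

/* Fixed pattern (the remedy above): clear the whole structure first. */
static void build_reply_zeroed(struct passthru_reply *r)
{
    simulate_stale_stack(r);
    memset(r, 0, sizeof *r);
    r->status = 0;
    r->length = 4;
    memcpy(r->data, "\x01\x02\x03\x04", 4);
    r->tail = 0x1234;
}

/* Stand-in for copy_to_user(): copy the raw bytes into the caller's buffer
 * and count how many of them still carry the stale-stack marker. */
static size_t copy_out_and_count_stale(const struct passthru_reply *r)
{
    unsigned char user_buf[sizeof *r];
    size_t stale = 0, i;
    memcpy(user_buf, r, sizeof *r);
    for (i = 0; i < sizeof user_buf; i++)
        if (user_buf[i] == STALE_BYTE)
            stale++;
    return stale;
}

/* Bytes of stale data reaching userspace with the buggy pattern:
 * at least the four unused payload bytes, plus any padding. */
size_t leaked_bytes_unzeroed(void)
{
    struct passthru_reply r;
    build_reply_unzeroed(&r);
    return copy_out_and_count_stale(&r);
}

/* Bytes of stale data reaching userspace after zeroing: none. */
size_t leaked_bytes_zeroed(void)
{
    struct passthru_reply r;
    build_reply_zeroed(&r);
    return copy_out_and_count_stale(&r);
}
```

Note that the leak is not limited to the unused tail of the data array: the compiler-inserted padding after the one-byte status field is never assigned by any field write, so only a whole-structure memset (or a `= {0}` initializer) reliably clears it before the copy to userspace.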

References to Advisories – Please refer to the link for details:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/scsi/stex.c
https://lore.kernel.org/all/20220908145154.2284098-1-gregkh@linuxfoundation.org/
https://www.openwall.com/lists/oss-security/2022/09/09/1

CVE-2022-40476: If you use io_uring to optimize your Redis, you should stay alert! (15th Sep 2022)

Preface: Dereferencing a null pointer is undefined behavior, typically abnormal program termination. In some situations, however, dereferencing a null pointer can lead to the execution of arbitrary code.

Background: io_uring (previously known as aioring) is a Linux kernel system call interface for storage device asynchronous I/O operations addressing performance issues with similar interfaces provided by functions like read()/write() or aio_read()/aio_write() etc. for operations on data accessed by file descriptors.

Vulnerability details: A null pointer dereference issue was discovered in fs/io_uring.c in the Linux kernel before 5.15.62. A local user could use this flaw to crash the system or potentially cause a denial of service.

Reminder: At the moment, the open source developers do not have a good way to completely fix the destructive RMW (unless a full scrub is done for each partial write), but the fix can limit the damage.

Software developer announcement:
Although we have no good way to completely fix the destructive RMW (unless we go full scrub for each partial write), we can still limit the damage.
With patch “btrfs: only write the sectors in the vertical stripe which has data stripes” now we won’t really submit the P/Q of unrelated vertical stripes, so the on-disk P/Q should still be fine.

Remark:

  • btrfs is a modern copy on write (CoW) filesystem for Linux aimed at implementing advanced features while also focusing on fault tolerance or repair.
  • RMW – destructive read-modify-write

Related details reference link:

What causes CVE-2022-34718 – does it happen in this case? (15th Sep 2022)

Preface: Whether it is correct or not, this is written in the spirit of learning.

Background: The critical CVE (CVE-2022-34718) impacts Windows TCP/IP, allowing an unauthenticated attacker to send a specially crafted IPv6 packet to a Windows node where IPSec is enabled. But the vendor did not reveal many details.

My observation: CVE-2021-24074 and CVE-2021-24094 occurred in 2021. The RCE vulnerability is more complex, it is more difficult to initiate an exploit, and it will not happen in a short period of time.
In response to CVE-2021-24074, Microsoft recommends turning off Source Routing as a defense, which is already turned off by default in Windows.
For CVE-2021-24094, Microsoft recommends turning off packet reassembly to block IPv6 packet fragmentation, but this may also affect services that rely on IPv6.
Essentially, fragments are reassembled in the IP filter mechanism, so disabling fragment reassembly is a workaround.

VPNs support the IPv6 protocol, and the VPN also supports reassembly features. If an unauthenticated attacker sends a specially crafted IPv6 packet to a Windows node where IPSec is enabled, and WFP still supports packet reassembly, the TCP RCE vulnerability (CVE-2021-24074 and CVE-2021-24094) will appear again.

Official details: Please go to the link for details – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34718

CVE-2022-35836 – Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability (13th Sep 2022)

Preface: Failures happen all the time, it’s important to see how to deal with them.

Background: The new OLE DB provider is called the Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL). The Microsoft OLE DB Provider for SQL Server (SQLOLEDB) still ships as part of Windows Data Access Components. It is no longer maintained, and it is not recommended to use this driver for new development. When developing an application that uses the OLE DB Driver for SQL Server library, developers can use ADO with the OLE DB Driver for SQL Server.

Vulnerability details: Certain versions of Windows from Microsoft contain the following vulnerability:
Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34731, CVE-2022-34733, CVE-2022-35834, CVE-2022-35835, & CVE-2022-35840.

My observation: Because Microsoft did not disclose the reason, I guess that one possibility is that it is triggered via ADO with the OLE DB Driver for SQL Server. My speculation is shown in the diagram. Let’s recall CVE-2019-0888.

A remote code execution vulnerability exists in the way that ActiveX Data Objects (ADO) handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code with the victim user’s privileges. An attacker could craft a website that exploits the vulnerability and then convince a victim user to visit the website. The security update addresses the vulnerability by modifying how ActiveX Data Objects handle objects in memory.

Even if my speculation is not the correct story, long story short: we should apply the patch.

Official announcement – Please refer to the link for details – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35836

Take a closer look at CVE-2022-40307 – a design flaw in capsule-loader.c in Linux (13th Sep 2022)

Preface: Not sure if this vulnerability affects all Linux distributions. However, Debian has solved this problem. Maybe when you turned on your Linux machine yesterday, a critical update covered this issue.
Remark: Debian Linux’s mainline kernel has been ported bare-metal to the Apple M1 SoC, opening the way for a Linux ecosystem replacing macOS.

Background: BIOS uses the Master Boot Record (MBR) to save information about the hard drive data, while UEFI uses the GUID Partition Table (GPT). Compared with BIOS, UEFI is more powerful and has more advanced features. It is the latest method of booting a computer and is designed to replace BIOS. The EFI system partition is the storage partition used with UEFI.
Unified Extensible Firmware Interface is a personal computer system specification that defines the software interface between the operating system and the system firmware, as an alternative to BIOS. The extensible firmware interface is responsible for POST, handing off to the operating system, and providing the interface between the operating system and the hardware. The predecessor of UEFI was the Intel Boot Initiative, which was developed by Intel in 1998 and was later renamed the Extensible Firmware Interface.

Introducing a kernel module to expose a capsule loader interface (a misc char device) for users to upload capsule binaries. This option exposes a loader interface, /dev/efi_capsule_loader, for the user to load an EFI capsule binary and update the EFI firmware through a system reboot. It exposes a misc char interface for the user to upload the capsule binary and calls the efi_capsule_update() API to pass the binary to the EFI firmware. The steps to update the EFI firmware are:
1) cat firmware.cap > /dev/efi_capsule_loader
2) reboot

Vulnerability details: An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a race condition with a resultant use-after-free.

NVD Published Date: 09/09/2022
NVD Last Modified: 09/09/2022

Official announcement – https://nvd.nist.gov/vuln/detail/CVE-2022-40307

Closer look – CVE-2022-39188: Linux kernel up to 5.18 GPU device driver tlb.h unmap_mapping_range race condition (9th Sep 2022)

Preface: Race conditions are most commonly associated with computer science and programming. They occur when two computer program processes, or threads, attempt to access the same resource at the same time and cause problems in the system. Race conditions are considered a common issue for multithreaded applications.

Background: The kernel uses virtual memory areas to keep track of the process’s memory mappings; for example, a process has one VMA for its code, one VMA for each type of data, one VMA for each distinct memory mapping (if any), and so on. VMAs are processor-independent structures, with permissions and access control flags.

Vulnerability details: An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs.

Summary found by Google project zero – There are drivers (in particular GPU drivers) that create VM_PFNMAP VMAs containing PTEs that point to normal pages from the page allocator. VM_PFNMAP means that the core kernel won’t track this using the page mapcounts.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-39188

CVE-2022-39189 – Linux Kernel up to 5.18.16 x86 KVM Subsystem Privilege Escalation (8th Sep 2022)

Preface: Don’t underestimate this design weakness. Why? Red Hat Virtualization (RHV, previously known as Red Hat Enterprise Virtualization) is an enterprise virtualization product based on the KVM hypervisor.

Background: Avi Kivity began the development of KVM in mid-2006 at Qumranet, a technology startup company that was acquired by Red Hat in 2008. KVM surfaced in October 2006 and was merged into the Linux kernel mainline in kernel version 2.6.20, which was released on 5 February 2007. KVM is maintained by Paolo Bonzini.

  • OpenShift Virtualization uses the Red Hat Enterprise Linux KVM hypervisor technology deployed using containers, allowing Kubernetes to deploy and manage VMs locally.
  • KVM is a hypervisor, which is used to achieve full virtualization. Many of the cluster environments make use of KVM in order to achieve a cluster of virtual machines. In order to manage this type of cluster and the virtual machines therein, managing systems have been developed.

Vulnerability details: An issue was discovered in the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations.
As a consequence, KVM instruction emulation can access memory through stale translations when the guest kernel thinks it has flushed all cached translations. This could potentially be used by unprivileged userspace inside a guest to compromise the guest kernel.

Refer to the attached diagram. If vCPU 0 is outside guest mode and is scheduled out, it might be in the process of making a memory access. A problem occurs if another vCPU (vCPU 1) uses the PV TLB flush feature during the period when vCPU 0 is scheduled out. The problem is that a virtual address has already been translated but has not yet been accessed.
If such a scenario occurs, the attacker can carry out an attack that is not prevented by deployed defenses. Specifically, the attacks exploit the Return Stack Buffer (RSB) to cause speculative execution of a payload gadget that reads and exposes sensitive information.

Official announcement – Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-39189

antihackingonline.com