Preface: The heap is an area of dynamically-allocated memory that is managed automatically by the operating system or the memory manager library. Memory on the heap is allocated, deallocated, and resized regularly during program execution, and this can lead to a problem called fragmentation.

Background:

For instance, when you download a c++ compiler for your platform, you, in fact, download the c++ frontend with the linux-amd64 backend. This coding architecture is extremely helpful, because it allows to port the compiler for another architecture without rewriting the whole parsing/optimizing thing.

When applications need memory, they have to request it from the operating system. This request from the kernel will naturally require a system call. You cannot allocate memory yourself in user mode. The malloc() family of functions is responsible for memory allocation in the C language. The question to ask here is whether malloc(), as a glibc function, makes a direct system call. There is no system call called malloc in the Linux kernel. However, there are two system calls for applications memory demands, which are brk and mmap.
By far the most widely used C library on Linux is the GNU C library, often referred to as glibc. The pathname /lib/libc[.]so[.]6 (or something similar) is normally a symbolic link that points to the location of the glibc library, and executing this pathname will cause glibc to display various information about the version installed on your system.

Vulnerability details: Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd[.]c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to sudo by entering a password of seven characters or fewer. The impact could vary depending on the compiler and processor architecture.

What is the difference between su and sudo?

• su allows to run commands with a substitute user and group ID.
• sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user’s real (not effective) user-ID is used to determine the user name with which to query the security policy.

Remedy: Please refer to the link for details – https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050

Preface: Few years ago, people know the following details:
io_service_open_extended is one of several undocumented MIG functions to communicate with IOKit drivers from user mode. This approach provides an opportunity for an attacker to perform kernel exploitation. Code writing in C-like languages can accidentally affect memory safety.

Background: Memory Tagging Extension (MTE) is designed to provide robustness against attacks attempting to subvert code processing malicious, attacker-provided, data. It does not address algorithmic vulnerabilities or malicious software. The core principle of type isolation is that after any particular address has been used for a given “type” of object, only objects of that type can ever exist at that address for the lifetime of the program.
Memory can broadly be categorized either as “control” or as “data.” Control is what lets a program structure and organize data. It includes things such as pointers, reference counts, lengths, and typing information like union tags. Almost everything else is data.
Apple also rarely shared the core technology of XNU, mainly the security upgrade of XNU memory, the first topic is the memory allocator kalloc_type.

Vulnerability details: A vulnerability classified as critical has been found in Apple iOS and iPadOS (Smartphone Operating System) (version unknown). Affected is an unknown function of the component Kernel. The manipulation with an unknown input leads to a memory corruption vulnerability. CWE is classifying the issue as CWE-787. The software writes data past the end, or before the beginning, of the intended buffer. This is going to have an impact on confidentiality, integrity, and availability.

Affected: Versions prior to iOS 15.7.1 and iPadOS 15.7.1
Solutions: Apply fixes issued by the vendor: iOS 15.7.1 and iPadOS 15.7.1

Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-42827

Preface: A microframework is a term used to refer to minimalistic web application frameworks. It is contrasted with full-stack frameworks. Typically, a microframework facilitates receiving an HTTP request, routing the HTTP request to the appropriate controller, dispatching the controller, and returning an HTTP response. Microframeworks are often specifically designed for building the APIs for another service or application.

Background: Total js framework and Total js client-side UI library are without any 3rd party dependencies. Total.js framework is a server-side MVC framework written in pure JavaScript and fully optimized for Node js runtime. Software developers can use any NPM module (like PostgreSQL, MongoDB, REDIS, JWT, etc.) or existing client-side libraries (like D3, Chart js, FullCalendar, Vue, Angular, etc.).
Total js Platform supports three types of visual programming interfaces:

• Total js Flow targeted primary for IoT applications (alternative Node-red)
• Total js AppBuilder for creating rich server-side API applications
• Total js Designer for creating UI connected to 3rd party REST services

Vulnerability details: In Total js 4 before 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter. Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-44019

Causes: The fact is that the server doesn’t sanitize correctly the input checking that the host provided is a legitimate one.

Ref: Even if the software developer sets the correct regular expressions. The following details also need to be considered.
The ping command returns an exit code on both operating systems. On Linux (Bash) you have $? to get the variable for this exit code, on Windows it’s %errorlevel%. The exit code is 0 on both operating systems when the ping is successful, and 1 otherwise. This value can be used to conditionally run your command.

Preface: PCMCIA Cards have been around for many years and can still be found in today’s technology. These cards are now classed as legacy products, as they were first introduced over 25 years ago.
PCMCIA cards come in 3 different types of memory; ATA, SRAM and Linear. The cards are still being made today to help support legacy products and applications, mainly aerospace, defence and transportation.

Background: Linux 5.4 was released on 24 November 2019. Although the PCMCIA subsystem will allocate resources for cards, it no longer marks these resources busy. This means that driver authors are now responsible for claiming your resources as per other drivers in Linux. You should use request_region() to mark your IO regions in-use, and request_mem_region() to mark your memory regions in-use.

PCMCIA design weakness recently (28th Oct 2022):
CVE-2022-44032 —–> A driver for the Omnikey PCMCIA smartcard reader CardMan 4040
An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4000_cs[.]c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cmm_open() and cm4000_detach(). Please refer to the link for details – https://lore.kernel.org/lkml/20220915020834.GA110086@ubuntu/
CVE-2022-44033 —–> A driver for the Omnikey PCMCIA smartcard reader CardMan 4040
An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs[.]c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().Please refer to the link for details –
https://lore.kernel.org/lkml/20220915020834.GA110086@ubuntu/
CVE-2022-44034 —–> SCR24x PCMCIA Smart Card Reader Driver
An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/scr24x_cs[.]c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove(). Please refer to the link for details –
https://lore.kernel.org/lkml/20220919101825.GA313940@ubuntu/

Remedy:
In order to avoid vulnerabilities, we recommend the following:
The dangling pointer errors can be avoided by initializing the pointer to the NULL value. If we assign the NULL value to the pointer, then the pointer will not point to the de-allocated memory. Assigning NULL value to the pointer means that the pointer is not pointing to any memory location.

Preface: The design weakness found on 2015. But till today, it looks the matter not been fixed. Perhaps you also read vendor statement. they will continue to update this advisory as additional information becomes available, said vendor.

NetApp Advisory ID: NTAP-20220616-0001 Version: 4.0 Last updated: 09/26/2022 – https://security.netapp.com/advisory/ntap-20220616-0001/
[SECURITY] Fedora 36 Update: 18 June 2022 – https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46KWPTI72SSEOF53DOYQBQOCN4QQB2GE/

Background: When you run python at the console or install a Python distribution from python.org, you are running CPython. CPython is one of the many Python runtimes, maintained and written by different teams of developers. The unique thing about CPython is that it contains both a runtime and the shared language specification that all Python runtimes use.
The mailcap format is documented in RFC 1524, “A User Agent Configuration Mechanism For Multimedia Mail Format Information”, but is not an internet standard. However, mailcap files are supported on most Unix systems. According to Python (CPython) techincal document. Mailcap files are used to configure how MIME-aware applications such as mail readers and Web browsers react to files with different MIME types. (The name mailcap'' is derived from the phrasemail capability”.) For example, a mailcap file might contain a line like “video/mpeg; xmpeg %s”. Then, if the user encounters an email message or Web document with the MIME type video/mpeg, “%s” will be replaced by a filename (usually one belonging to a temporary file) and the xmpeg program can be automatically started to view the file.

CPython is the standard Python software implementation or the default Python interpreter. The main purpose of CPython is to execute the programming language Python. CPython has great compatibility with various Python packages and modules.

Vulnerability details: Mailcap file handling in Python through 3.10.4
In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).
if the filename contains Shell Commands they will be executed if they
are passed to os.system() as discribed in the docs.

Remedy: Filename should be quoted with quote(filename) to fix the bug. Please refer to the link for details – https://bugs.python.org/issue24778

Status: Deprecated since version 3.11, will be removed in version 3.13: The mailcap module is deprecated

Preface: Despite the presence of USB C ports, many smartphones launching in 2022 will feature USB 2.0. USB 2.0 is generally considered to have a signaling rate of 480 MB/s.

Background: What is Usbmon in Linux? The name “usbmon” in lowercase refers to a facility in kernel which is used to collect traces of I/O on the USB bus. This function is analogous to a packet socket used by network monitoring tools such as tcpdump or Ethereal.

Vulnerability details: drivers/usb/mon/mon_bin[.]c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-space client to corrupt the monitor’s internal memory. The weakness was disclosed 10/26/2022. The manipulation with an unknown input leads to a memory corruption vulnerability.

Reference: Found an issue in usbmon module, where the user space client can corrupt the monitor’s internal memory, causing the usbmon module to crash the kernel with segfault, UAF, etc.

The PoC exploits mmaps the /dev/usbmon memory to user space, and overwrites it with arbitrary data, which triggers this vulnerability.

Remedy: Upgrading to version 5.19.15 or 6.0.1 eliminates this vulnerability. The upgrade is hosted for download at cdn.kernel.org. Applying a patch is able to eliminate this problem. The bugfix is ready for download at git.kernel.org.

Official announcement: Please refer to the link for details – https://github.com/torvalds/linux/commit/a659daf63d16aa883be42f3f34ff84235c302198

Preface: The GPU can not only receive transactions, but it can also initiate transactions. Which also means it has access to DRAM memory too.
How can the GPU communicate to the CPU? Well, both have access to DRAM memory. The CPU can store information in DRAM memory (0x8000_0000 – 0x0000_0000) and then write to a register in the GPU (0x9000_0000 – 0x8000_0000) to inform the GPU that the information is ready.

Background: ARM produce designs for a GPU called “Mali”. This is incorporated in many SoCs and thus devices. It is used in a number of devices that can run Debian. There are four major revisions of Mali GPUs: Utgard, Midgard, Bifrost, and Valhall.
There are only two hardware implementations of GPUs that are particularly popular in Android devices: ARM Mali and Qualcomm Adreno.
The Android and Linux version of the Mali GPUs Device Driver provide low-level access to the Mali GPUs that are part of the Bifrost family.
July 2021 Collabora announced that they reverse engineered the Valhall instruction set of the Mali-G78 GPU using a Samsung Galaxy S21 smartphone. If the mainline Linux and GPU drivers are not rooted, this cannot be done on the device. Turns out they just use It comes to reverse engineer instructions and do some testing by modifying compiled shaders and GPU data structures.
Remark: The Input/Output Memory Management Unit (IOMMU) is a hardware extension to control memory accesses of I/O devices. The IOMMU prevents malicious devices from performing arbitrary Direct Memory Access (DMA) operations and can be used to isolate device drivers.

Vulnerability details: An Arm product family through 2022-08-12 mail GPU kernel driver allows non-privileged users to make improper GPU processing operations to gain access to already freed memory.
In certain circumstances, some versions of the Mali GPU Kernel driver can become compromised.
Affects:
Midgard GPU Kernel Driver: All versions from r4p0 – r31p0
Bifrost GPU Kernel Driver: All versions from r0p0 – r38p1, and r39p0
Valhall GPU Kernel Driver: All versions from r19p0 – r38p1, and r39p0

Resolution: This issue is fixed in Bifrost and Valhall GPU Kernel Driver r38p2 and r40p0. It will be fixed in future Midgard release. Users are recommended to upgrade if they are impacted by this issue.

Official announcement: Please refer to the link for details – https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities#Technical-Specifications

Preface: One time password is secure. What If we following their algorithm generate a password and apply in both end. If it is matches with each other. Can we do the exploit? Perhaps the answer is “Yes”. The key technology is you understand how to use the “Time” value.

Background: The IIJ SmartKey app produces one-time passwords that conform to TOTP (RFC 6238) standards and can be used in the 2-step verification authentication processes of a variety of online services supporting TOTP. RFC 6238 – The implementation of this algorithm MUST support a time value T larger than a 32-bit integer when it is beyond the year 2038.
The HMAC-based One-Time Password (HOTP) algorithm specifies an event-based OTP algorithm, where the moving factor is an event counter. The present work bases the moving factor on a time value. A time-based variant of the OTP algorithm provides short-lived OTP values, which are desirable for enhanced security.

Vulnerability details: A vulnerability, which was classified as problematic, was found in Iij SmartKey up to 2.1.3 on Android (Android App Software). This affects some unknown processing of the component One-Time Password Handler. The manipulation with an unknown input leads to a information disclosure vulnerability. CWE is classifying the issue as CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. This is going to have an impact on confidentiality. The summary by CVE is:

Information disclosure vulnerability in Android App ‘IIJ SmartKey’ versions prior to 2.1.4 allows an attacker to obtain a one-time password issued by the product under certain conditions.

Official description: This vulnerability was fixed in version 2.1.4 released on June 16, 2020. Please refer to the link for details – https://jvn.jp/en/jp/JVN74534998/index.html

Remedy: Upgrading to version 2.1.4 eliminates this vulnerability.

10/07/2022 CVE reserved
10/24/2022 +17 days Advisory disclosed

Preface: In some languages such as C and C++, stack variables are not initialized by default. They generally contain junk data with the contents of stack memory before the function was invoked. An attacker can sometimes control or read these contents.

Background: Wireless routers have fourteen different channels they can use for 2.4 GHz Wi-Fi, but three of them are off limits. Channels 12 and 13 are allowed in low-power mode, while channel 14 is banned—and only allowed in Japan.
Till today, the most common Wi-Fi frequency bands that are in widespread use are 2.4 GHz and 5 GHz. 2.4 GHz and 5 GHz are the two Wi-Fi frequency bands that are in widespread use today.

Not sure if low cost USB wifi adapters will still be of interest to computer users. But suppliers of low-cost IoT products are still in demand.
For example: USB WiFi module (rtl8188fu). rtl8188fu support will be add to rtl8xxxu module of Linux kernel.
However, if you are using kernel 5.15 and 5.16, you must create a configuration file with following commands for preventing to conflict rtl8188fu module with built-in r8188eu module.

echo ‘alias usb:v0BDApF179ddcdscdpicFFiscFFipFFin* rtl8188fu’ | sudo tee /etc/modprobe.d/r8188eu-blacklist[.]conf

Vulnerability details: A vulnerability classified as problematic has been found in Linux Kernel. This affects the function rtl8188f_spur_calibration of the file drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8188f[.]c of the component Wireless. The manipulation of the argument hw_ctrl_s1/sw_ctrl_s1 leads to use of uninitialized variable. It is recommended to apply a patch to fix this issue.

Please refer to the link for details – https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git/commit/?id=80e5acb6dd72b25a6e6527443b9e9c1c3a7bcef6

Preface: NILFS merged into Linux as the first File System from Japan in June 2009. This job completed by NTT Cyber Space Laboratories.
NILFS is a file system for Linux that saves a snapshot, a historical view of the file system, automatically and continuously. This feature enables the system not only to quickly recover from system failures, but also to recover from human operation errors because the system’s state can be restored from any point in the past.

Background: Each file in a filesystem has a unique inode number. A typical allocation heuristic for inodes in a file system is one inode for every 2K bytes contained in the filesystem. The inode number indexes a table of inodes in a known location on the device.
When you created your ext3 filesystem with smaller block sizes. The ext3 default block size is 4096 bytes. If you are using your filesystem for storing lots of very small files, you might create the filesystem with a block size of 1024 or 2048. This would let you use your disk space more efficiently, but raises the likelihood of running low on inodes.
Inodes stores metadata about the file it refers to. The metadata contains Size, Permission, Owner/Group, Location of the hard drive, Date/time & Other information.
NILFS or NILFS2 (New Implementation of a Log-structured File System) is a log-structured file system implementation for the Linux kernel. Using a copy-on-write technique known as “nothing in life is free”, NILFS records all data in a continuous log-like format that is only appended to, never overwritten, an approach that is designed to reduce seek times, as well as minimize the kind of data loss that occurs after a crash with conventional file systems. For example, data loss occurs on ext3 file systems when the system crashes during a write operation. When the system reboots, the journal notes that the write did not complete, and any partial data writes are lost.
An ordinary file is just a sequence of data bytes stored in some physical device without any name attached to it. The administrative information of this file, such as owner, permissions, size, times, etc., is stored in the inode structure of the file. All of the file system’s inodes are collected together to form an inode table. Each file system occupies a logical disk.

Vulnerability details: A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_bmap_lookup_at_level of the file fs/nilfs2/inode.c of the component nilfs2. The manipulation leads to null pointer dereference. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211920.

A null-pointer dereference takes place when a pointer with a value of NULL is used as though it pointed to a valid memory area. Null-pointer dereferences, while common, can generally be found and corrected in a simple way.

More details on this technical information. Please refer to the official announcement – https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id=21a87d88c2253350e115029f14fe2a10a7e6c856