Preface: The reason why do I concerns this open source routing module? Because I predicted that vendors might used this routing module in their products. A well know idea is that routing device will select Linux system as a based OS.

Background: FRRouting (FRR) is a free and open source Internet routing protocol suite for Linux and Unix platforms. It was created as a fork from Quagga. FRRouting is distributed under the terms of the GNU General Public License v2 (GPL2). It implements BGP, OSPF, RIP, IS-IS, PIM, LDP, BFD, Babel, PBR, OpenFabric and VRRP, with alpha support for EIGRP and NHRP. FRR is a large project developed by many different groups.

Vulnerability details: Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to wrong checks on the subtlv length in the functions, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv in babeld/message[.]c.

Informed by related party that there are two programming syntax which causes design weakness.

Line 143: the condition should be i + 1 >= alen instead of i + 1 > alen. Otherwise, overflows will happen at 147.

Line 148: the condition should be i + len + 2 > alen instead of i + len > alen. We need include extra two bytes, a[i] and a[i + 1] in this check.

Additional information: Int, short for “integer,” is a fundamental variable type built into the compiler and used to define numeric variables holding whole numbers. Other data types include float and double. C, C++, C# and many other programming languages recognize int as a data type.
Under the C++ standard, what you are doing is undefined behavior. The memory layout of unsigned and signed ints is not guaranteed.

Status: In the moment, no vendors claim that there products was impacted by this package/module. Let’s keep our eye open to see whether there are security updates in this matter.

Preface: SCTP is used mostly in the telecom area. Traditionally, telecom switches use SS7 (Signaling System No. 7) to interconnect different entities in the telecom network.
From technical point of view, IP network is open and not reliable. This is why SCTP was developed.

SCTP design objective:

• Emulate the advantages of the SS7 network accumulated over the decades.
• Create a connection-oriented protocol better than TCP in speed, security, and redundancy.

Background: SCTP is a message oriented, reliable transport protocol with direct support for multihoming that runs on top of ip(7), and supports both v4 and v6 versions. Like TCP, SCTP provides reliable, connection oriented data delivery with congestion control.Unlike TCP, SCTP also provides message boundary preservation, ordered and unordered message delivery, multi-streaming and multi-homing.
Stream Control Transmission Protocol over User Datagram Protocol (SCTP over UDP, also known as UDP encapsulation of SCTP) is a feature defined in RFC6951 and implemented in the Linux kernel space since 5.11. 0. It is planned to be supported by Red Hat Enterprise Linux (RHEL) 8.5. 0 and 9.0.
SCTP is a reliable message-oriented protocol. It preserves the message boundaries, and at the same time, detects lost data, duplicate data, and out-of-order data. It also has congestion control and flows control mechanisms.
About the SCTP sender’s port number. It can be used by the receiver in combination with the source IP address, the SCTP destination port and possibly the destination IP address to identify the association to which this packet belongs. The port number 0 MUST NOT be used. Destination Port Number is 16 bits (unsigned integer).This is the SCTP port number to which this packet is destined.

Vulnerability details: A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses.

Remedy:

• Make sure sctp_vtag_verify() is called firstly to verify the vtag from the received chunk and discard this – chunk if it fails.
• Always use the vtag from the received INIT chunk to make the response ABORT in sctp_ootb_pkt_new().
• Fix the order for some checks and add some missing checks for the received chunk.

Official announcement (From the Ubuntu security team) – For more details, please refer to the link – https://ubuntu.com/security/CVE-2021-3772

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: FortiAnalyzer platforms integrate network logging, analysis, and reporting into a single system, delivering increased knowledge of security events throughout your network. FortiManager provides automation-driven centralized management of your Fortinet devices from a single console. Both devices operate in a network-based structure. Therefore, it requires a web browser or CLI (command line) for the end user to work.

Vulnerability details: An improper handling of insufficient permissions or privileges vulnerability [CWE-280] in FortiAnalyzer and FortiManager may allow an authenticated attacker to bypass the device policy and force the password-change action for its user.

My observation My observation (one of the possibilities): Authentication bypass vulnerabilities exist when authentication state is not consistently enforced on the devices (FortiAnalyzer and FortiManager). As a result, it can be tampered by clients.

The vulnerability risk level is not high (CVSS v3=3.9). But it will let you know more. The client can arbitrarily change the GET parameters sent with the request. Nothing prevents the client from simply changing the parameter value. It effectively bypassing policy. Since this vulnerability in low risk (enforce password change to its user). Whether there will be unknown problems, we do not know.

Official announcement – For details, please refer to the link – https://www.fortiguard.com/psirt/FG-IR-21-255

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: Dropbox will be deployed lossless compression algorithms that are processed for certain classes of files and storage, like Lepton for jpeg images, and Pied-Piper-esque lossless video encoding. For other file types, Dropbox currently uses the zlib compression format, which saves almost 8% of disk storage.

Lepton is a tool and file format for actively compressing JPEGs. First developed by Daniel Horn at a Dropbox Hack Week, this streaming image compression format achieves a 22% savings reduction for existing JPEG images, while preserving the original file bit-for-bit perfectly.

Vulnerability details: A security vulnerability exists in the ‘build_huffcodes’ function of the lepton/jpgcoder[.]cc file. A remote attacker can exploit this vulnerability to cause a denial of service by means of a specially crafted jpeg file.

Reference: Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program’s implicit security policy. Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker’s code. Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory. For example, object methods in C++ are generally implemented using function pointers. Even in C programs, there is often a global offset table used by the underlying runtime.

Official announcement: For details , please refer to the link – https://drive.google.com/file/d/1bJlHozO37c5NZ1wI0NBWh0yHHyTcfaQL/view?usp=sharing

https://github.com/dropbox/lepton/issues/154

https://github.com/dropbox/lepton

Preface: Perhaps the risk of this vulnerability is not high. However, if attackers exploit specific design weaknesses. It’s hard to say if Lamda can’t direct the attack to the backend service cloud.

Background: Alexa is able to play music, provide information, deliver news and sports scores, tell you the weather, control your smart home and even allow Prime members to order products from Amazon.

Alexa is always listening, but not constantly recording. It doesn’t send anything to the cloud server until it hears your wake word (Alexa, Echo, or Computer). Without internet, any request or question you make will fail. This is because your commands are sent to the cloud for interpretation and decision making. Not every conversation you have in front of the smart speaker is recorded every single time, the design goal only wants you to command the smart speaker to be recorded. For this reason, the company uses wake words to attract the attention of smart speakers. To do this, Amazon uses a combination of fine-tuned microphones, short-memory buffers, and neural network training.

Vulnerability details: Improper Neutralization of audio output from 3rd and 4th Generation Amazon Echo Dot devices allows arbitrary voice command execution on these devices via a malicious skill (in the case of remote attackers) or by pairing a malicious Bluetooth device (in the case of physically proximate attackers), aka an “Alexa versus Alexa (AvA)” attack.

Ref: What is Alexa in Python? What is Alexa command in the skill’s context?

The Alexa Skills Kit SDK for Python simplifies the development of the back-end cloud service for your Alexa skill. A part of the Alexa Skills Kit, the SDK reduces the amount of code you need to write to process Alexa requests and responses and to handle other common skill tasks.

You can built few basic Alexa skills, the goal of these skills related to predefined questions. These predefined skills will do information mapping to find the right answer.

For more details, please refer to the link – https://arxiv.org/abs/2202.08619

Preface: Blockchain protocols are regulations and guidelines followed to achieve its decentralized and distributed nature, to ensure secure transactions, and more. There are three basic types of blockchain: public blockchain, consortium blockchain and private blockchain.

Background: RigoBlock is a blockchain protocol that makes it possible for anyone to set up and run a digital token pool. It is an open protocol which developers can use for building their own applications for token management.

Vulnerability details: RigoBlock has been hacked. All tokens in Dragos except ETH and USDT are at risk due to protocol vulnerabilities being exploited. The hacker, “Whitehat”, has returned funds to the affected RigoBlock pool, leaving only 10% of the bug bounty reward.

In RigoBlock Dragos, all versions as of 2022-02-17 and later (until a major protocol update is accomplished) contain an exposed function (CWE-749), specifically setMultipleAllowances() which was not set to onlyOwner. The setMultipleAllowances() function can be to manipulate tokens with the contract.

Ref: CWE-749: Exposed Dangerous Method or Function
The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

Reminder: Blockchain protocols are regulations and guidelines followed to achieve its decentralized and distributed nature, to ensure secure transactions, and more. If it require a major protocol upgrade to fix the design weakness. Before it fixed, you should consider not to use in the moment.

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: Istio makes traffic management transparent to the application, moving this functionality out of the application and into the platform layer as a cloud native infrastructure. Istio complements Kubernetes, by enhancing its traffic management, observability and security for cloud native applications. Istio is an open source service mesh that layers transparently onto existing distributed applications. A service mesh often has complex operational requirements which include A/B testing, canary releases, access control, and rate limiting. These are in addition to its standard requirements of load balancing, discovering, failure recovery, end-to-end authentication, monitoring, and metrics.

Vulnerability details: The Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker……. For more details, please refer to the link – https://istio.io/latest/news/security/istio-security-2022-003/

Remedy: This release fixes the security vulnerabilities described in our February 22nd post, ISTIO-SECURITY-2022-003. This release note describes what’s different between Istio 1.13.0 and 1.13.1. For more details, please refer to the link – https://istio.io/latest/news/releases/1.13.x/announcing-1.13.1/

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: QProcess – Used to start external programs and to communicate with them. The QProcess class is used to start external programs and to communicate with them. To start a process, pass the name and command line arguments of the program you want to run as arguments to start().

What is QProcess in Qt? QProcess manages the output of the running process, keeping standard output and standard error data in separate internal buffers. You can select the QProcess’s current read channel by calling setReadChannel(). This is the default channel mode of QProcess.

Vulnerability details: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.

Impact – Opening files might lead to the execution of malicious binaries if they are placed in the right directories.

Remedy: When passed a simple program name with no slashes, QProcess on Unix systems will now only search the current directory if “.” is one of the entries in the PATH environment variable. This bug fix restores the behavior QProcess had before Qt 5.9.

Ref: If launching an executable in the directory set by setWorkingDirectory() or inherited from the parent is intended, pass a program name starting with “./”. For more information and best practices about finding an executable, see QProcess’ documentation.

Preface: In 2017, half of the world’s top 50 supercomputers used SUSE Enterprise Linux Server. Why does Linux dominate especially in supercomputer market? Linux is a free, open source operating system (OS), released under the GNU General Public License (GPL). Anyone can inspect or modify software “Source code”. Because of Linux cluster break the traditional technology limitation. Even though system developers does not have skill to develop CPU switch (crossbar) and related technology belongs. But they can modify the Linux OS and learn by Linux cluster technique. Finally, they can build their customized super power computing system. If you do a review of the top computer in the world, you will found that more and more super power computing systems are using Linux clustering technology.
Therefore the proprietary technology is not a giant anymore.
As a result, computer programmers can manipulate code to change the way software (“programs” or “applications”) works.

Background: This software (rndis.c) was originally developed in conformance with Microsoft’s Remote NDIS Specification License Agreement.

RNDIS refers to Remote NDIS. The implementation of RNDIS based on USB is actually TCP/IP over USB, which is to tun TCP/IP on the USB device, making the USB device look like a network card. With fast bridge cable, USB 3.1 could deliver a point to point network much faster than 1000-Base-T.

Vulnerability details: The RNDIS_MSG_SET usb control transfer request handler – rndis_set_response calls gen_ndis_set_resp passing a buffer pointer offset by BufOffset + 8. The BufOffset variable is retrieved from the RNDIS message and not validated to respect buffer boundaries. Consequently by manipulating the four byte InformationBufferOffset member of rndis_set_msg_type an attacker may offset the actual buffer by up to 0xffffffff bytes. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory.

Remark: The meaning of GADGET is an often small mechanical or electronic device with a practical use but often thought of as a novelty.

Remedy: Please refer to the link for details – https://github.com/torvalds/linux/commit/38ea1eac7d88072bbffb630e2b3db83ca649b826

Ref: USB 3.1 Gen 1 and Gen 2 offer stimultaneous media rate connection of 5GB/s and 10Gb/s in each direction. As a result USB 3.1 will be faster than 1000-Base-T. Furthermore, a USB bus can have up to 127 target devices, but only one host.
But Linux is flexible since you can read the source code. If you apply your imagination to design your own system. As we know, a USB bus can have up to 127 target devices, but only one host. If you apply Linux clustering concept. Form a new array to a group of array host with ethernet connectivity. So, it can be expandable.