Last week we covered the latest 0-day from NSO group, BLASTPASS. There are more details about exactly how that works, and a bit of a worrying revelation for Android users. One of the vulnerabilities used was CVE-2023-41064, a buffer overflow in the ImageIO library. The details have not been confirmed, but the timing suggests that this is the same bug as CVE-2023-4863, a WebP 0-day flaw in Chrome that is known to be exploited in the wild. The problem seems to be an out-of-bounds write in the BuildHuffmanTable() function of libwebp. And to understand that, we have to understand what libwebp does, and what a Huffman table has to do with it.

WebP is Google's pet image format, potentially replacing JPEG, PNG, and GIF. It supports lossy and lossless compression, and the compression format for lossless images uses Huffman coding among other techniques. And hence, we have a Huffman table, a building block in the image compression and decompression. What's particularly fun about this compression technique is that the image includes not just Huffman compressed data, but also a table of statistical data needed for decompression. The table is rather large, so it gets Huffman compressed too. It turns out there can be multiple layers of this compression format, which makes the vulnerability particularly challenging to reverse-engineer. The vulnerability is when the pre-allocated buffer isn't big enough to hold one of these decompressed Huffman tables, and it turns out that the way to do that is to make maximum-size tables for the outer layers, and then malform the last one. In this configuration, it can write out of bounds before the final consistency check.

An interesting note is that, as one of Google's C libraries, this is an extensively fuzzed codebase. While fuzzing and code coverage are both great, neither is guaranteed to find vulnerabilities, particularly well-hidden ones like this one. And on that note, this vulnerability is present in Android, and the fix is likely going to wait until the October security update. And who knows where else this bug is lurking.

Last year, Jacob Appelbaum published his PhD thesis, "Communication in a world of pervasive surveillance" (PDF). It went unnoticed for several months, until a few interesting details were pointed out. Appelbaum is a journalist and researcher, but the reason this has captured our attention is that he's one of the few people with access to the Snowden archive.

> While working on documents in the Snowden archive the thesis author learned that an American fabless semiconductor CPU vendor named Cavium is listed as a successful SIGINT "enabled" CPU vendor. By chance this was the same CPU present in the thesis author's Internet router (UniFi USG3).

Now, to be clear, this isn't an allegation that Cavium, now part of Marvell Technology, was knowingly producing compromised equipment. As far as we know, this isn't another Crypto AG. Regardless, that this action was taken against an American company seems to be beyond the pale. (Heavens no! The NSA tends to make reasonable-sounding suggestions that just happen to weaken cryptography in non-obvious ways.) There's more in the paper, like confirmation of project BULLRUN, the effort to sabotage security in IETF protocols, or the bulk collection of high-entropy Internet traffic for eventual decryption. It was also interesting to learn that the NSA has apparently compromised the Russian SORM Lawful Interception program. Or to put it another way, the NSA can spy on Russian citizens just like Russia can.

If you host a GitLab instance with open user enrollment, it's time to update. CVE-2023-5009 allows a user to run certain pipelines as other users, with all the security implications that includes. For deployments with untrusted users, this is a critical patch to grab.
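To make the libwebp Huffman-table discussion above concrete, here is an added example in C (written for this write-up, not libwebp's own BuildHuffmanTable()): a small two-level canonical Huffman table builder that derives the number of table entries from the code lengths and rejects the input before writing anything into the caller's pre-allocated buffer. The sizing rule (one sub-table per root prefix, sized by the longest code under it), the entry layout and the function names are this example's own assumptions, not libwebp's.

```c
#include <stdint.h>
#include <string.h>
#define MAX_CODE_LEN 15
#define MAX_SYMBOLS 256

/* Canonical (deflate-style, MSB-first) code assignment; -1 if a length is out
   of range or the lengths are over-subscribed (Kraft violation). */
static int assign_codes(const uint8_t *len, int n, uint16_t *code) {
    int count[MAX_CODE_LEN + 1] = {0};
    uint32_t next[MAX_CODE_LEN + 1] = {0};
    for (int i = 0; i < n; ++i) {
        if (len[i] > MAX_CODE_LEN) return -1;
        if (len[i]) count[len[i]]++;
    }
    for (uint32_t c = 0, l = 1; l <= MAX_CODE_LEN; ++l) {
        c = (c + count[l - 1]) << 1;
        if (c + count[l] > (1u << l)) return -1;   /* more codes than fit */
        next[l] = c;
    }
    for (int i = 0; i < n; ++i) code[i] = len[i] ? (uint16_t)next[len[i]]++ : 0;
    return 0;
}

/* Entries a two-level table needs: 2^root_bits root slots plus, for every root
   prefix that has longer codes, a sub-table sized by the longest such code. */
long huffman_table_size(const uint8_t *len, int n, int root_bits) {
    uint16_t code[MAX_SYMBOLS];
    uint8_t longest[256] = {0};        /* indexed by root prefix, root_bits <= 8 */
    if (n < 1 || n > MAX_SYMBOLS || root_bits < 1 || root_bits > 8) return -1;
    if (assign_codes(len, n, code) != 0) return -1;
    long total = 1L << root_bits;
    for (int i = 0; i < n; ++i)
        if (len[i] > root_bits) {
            int prefix = code[i] >> (len[i] - root_bits);
            if (len[i] > longest[prefix]) longest[prefix] = len[i];
        }
    for (int p = 0; p < (1 << root_bits); ++p)
        if (longest[p]) total += 1L << (longest[p] - root_bits);
    return total;
}

/* Hardened builder: size the table from the lengths and reject the input
   BEFORE any write, so a malformed length set cannot run past `capacity`. */
long build_table_checked(const uint8_t *len, int n, int root_bits,
                         uint16_t *table, long capacity) {
    long need = huffman_table_size(len, n, root_bits);
    if (need < 0 || need > capacity) return -1;
    memset(table, 0, (size_t)need * sizeof(*table));  /* safe: need <= capacity */
    return need;
}
```

The long-tail length set in the test below is a constructed input: a chain of ever-longer codes under one root prefix inflates the sub-table far beyond what a fixed buffer sized for a typical image would hold, which is exactly the situation the size check exists to catch.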