This Week In Security: WebP, Cavium, Gitlab, And Asahi Lina

Last week we covered the latest 0-day from NSO group, BLASTPASS. There are more details about exactly how that works, and a somewhat worrying revelation for Android users. One of the vulnerabilities used was CVE-2023-41064, a buffer overflow in the ImageIO library. The details have not been confirmed, but the timing suggests that this is the same bug as CVE-2023-4863, a WebP 0-day flaw in Chrome that is known to be exploited in the wild.

The problem seems to be an out-of-bounds write in the BuildHuffmanTable() function of libwebp. To understand that, we have to understand what libwebp does, and what a Huffman table has to do with it. The first is easy: WebP is Google’s pet image format, intended to replace JPEG, PNG, and GIF. It supports lossy and lossless compression, and the lossless format uses Huffman coding among other techniques. Hence the Huffman table, a building block of the image compression and decompression.

What’s particularly fun about this compression technique is that the image includes not just Huffman-compressed data, but also a table of statistical data needed for decompression. The table is rather large, so it gets Huffman compressed too. It turns out there can be multiple layers of this compression format, which makes the vulnerability particularly challenging to reverse-engineer. The vulnerability is triggered when the pre-allocated buffer isn’t big enough to hold one of these decompressed Huffman tables, and it turns out that the way to reach that state is to make maximum-size tables for the outer layers, and then malform the last one. In this configuration, the decoder can write out of bounds before the final consistency check.
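To make the "check after write" problem concrete, here is an added, simplified canonical-Huffman table builder; it is not libwebp’s BuildHuffmanTable(), and ROOT_BITS, the table layout and the function names are assumptions for illustration. It validates the code lengths (Kraft sum exactly 1, no length longer than the table index) before the fill loop touches the fixed-size table, so an over-subscribed set of lengths is rejected instead of producing codes that index past the end of the buffer.

```c
#include <stdint.h>
#include <stddef.h>

/* Single-level, MSB-first lookup table indexed by ROOT_BITS bits.
 * Added example, not libwebp's code; ROOT_BITS is an assumed toy value. */
#define ROOT_BITS 8
#define TABLE_SIZE (1u << ROOT_BITS)

/* Validate code lengths BEFORE any table slot is written: every length must
 * fit in ROOT_BITS and the Kraft sum must be exactly 1 (complete prefix code,
 * not over-subscribed). Returns 1 if consistent, 0 otherwise. */
int code_lengths_consistent(const uint8_t *lens, size_t n) {
    uint32_t count[ROOT_BITS + 1] = {0};
    for (size_t i = 0; i < n; i++) {
        if (lens[i] > ROOT_BITS) return 0;
        count[lens[i]]++;
    }
    uint32_t space = TABLE_SIZE;              /* slots still unclaimed */
    for (unsigned len = 1; len <= ROOT_BITS; len++) {
        uint32_t used = count[len] << (ROOT_BITS - len);
        if (used > space) return 0;           /* over-subscribed: fill would overflow */
        space -= used;
    }
    return space == 0;                        /* incomplete codes also rejected */
}

/* Fill table[TABLE_SIZE] with symbol indices. Returns slots written (TABLE_SIZE
 * on success) or -1 if the lengths were rejected. With Kraft sum == 1 the
 * canonical codes below never produce an index >= TABLE_SIZE; without the
 * up-front check, lengths like {1,1,1} yield a third code of 2 and the fill
 * loop would write slots 256..383 of a 256-entry table. */
int build_table(const uint8_t *lens, size_t n, uint16_t *table) {
    if (!code_lengths_consistent(lens, n)) return -1;
    uint32_t count[ROOT_BITS + 1] = {0}, next_code[ROOT_BITS + 1] = {0};
    for (size_t i = 0; i < n; i++) count[lens[i]]++;
    count[0] = 0;                             /* zero-length = unused symbol */
    for (unsigned len = 1, code = 0; len <= ROOT_BITS; len++) {
        code = (code + count[len - 1]) << 1;  /* canonical first code per length */
        next_code[len] = code;
    }
    int written = 0;
    for (size_t sym = 0; sym < n; sym++) {
        unsigned len = lens[sym];
        if (len == 0) continue;
        uint32_t code = next_code[len]++;
        uint32_t first = code << (ROOT_BITS - len), span = 1u << (ROOT_BITS - len);
        for (uint32_t k = 0; k < span; k++) table[first + k] = (uint16_t)sym;
        written += (int)span;
    }
    return written;
}
```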

An interesting note is that, as one of Google’s C libraries, this is an extensively fuzzed codebase. While fuzzing and code coverage are both great, neither is guaranteed to find vulnerabilities, particularly well-hidden ones like this one. And on that note, this vulnerability is present in Android, and the fix is likely going to wait until the October security update. And who knows where else this bug is lurking.

Snowden and Cavium

Last year, Jacob Appelbaum published his PhD thesis, “Communication in a world of pervasive surveillance” (PDF). It went unnoticed for several months, until electrospaces.net pointed out a few interesting details. Appelbaum is a journalist and researcher, but the reason this has captured our attention is that he’s one of the few people with access to the Snowden archive. And the real bombshell was a footnote:

While working on documents in the Snowden archive the thesis author learned that an American fabless semiconductor CPU vendor named Cavium is listed as a successful SIGINT “enabled” CPU vendor. By chance this was the same CPU present in the thesis author’s Internet router (UniFi USG3).

Now, to be clear, this isn’t an allegation that Cavium, now part of Marvell Technology, was knowingly producing compromised equipment. As far as we know, this isn’t another Crypto AG. (Heavens no! The NSA tends to make reasonable-sounding suggestions that just happen to weaken cryptography in non-obvious ways.) Regardless, that this action was taken against an American company seems to be beyond the pale.

There’s more in the paper, like confirmation of project BULLRUN, the effort to sabotage security in IETF protocols, or the bulk collection of high-entropy Internet traffic for eventual decryption. It was also interesting to learn that the NSA has apparently compromised the Russian SORM Lawful Interception program. Or to put it another way, the NSA can spy on Russian citizens just like Russia can.

Gitlab

And then there’s Gitlab. If you host a Gitlab instance with open user enrollment, it’s time to update. CVE-2023-5009 allows a user to run certain pipelines as other users, with all the security implications that includes. For deployments with untrusted users, this is a critical patch to grab.

Asahi

One of the neat things about porting Linux to new hardware is that you get really familiar with the quirks of that hardware. And when one of those quirks happens to be missing security controls on virtual memory addresses in the GPU, you score a really nice bounty. And if you’re a Vtuber, then you naturally make a video about it. And that’s how we’re here, talking about Asahi Lina’s video. And if the Vtuber format doesn’t terribly annoy you, it’s actually a really well done explanation of the vulnerability and how to use it to run code.

Be Like Retool

Nobody wants to have to write a post-mortem on their own compromise. But for a technology company, security incidents of some description are nearly guaranteed, eventually. So, if you have to do an incident response, do it like Retool. An employee fell to a sophisticated spear-phishing attack — including a deepfaked phone call — on August 27. The employee logged in to a fake portal, provided a Multi-Factor Authentication token to the portal, and then gave over a second MFA token over the phone. And that was enough to put an attacker device on that employee’s GSuite account. 27 customers had their accounts accessed. Oof.

Retool broke the proverbial glass, and hit the red emergency button, revoking everything and rolling back changes. Two days later, the mess was contained and Retool contacted all 27 customers that had been affected. And now, less than a month later, the story has been told with much more detail and transparency than we normally get. So don’t make the same mistakes that Retool did, but when you’re inevitably the one in the hot seat, be like Retool.

Bits and Bytes

Juniper released patches for a few medium-severity issues in some of their firewalls and switches. It turns out that those vulnerabilities can be used together in an RCE attack chain, rated 9.8 on the CVSS scale. Patches and fixes are available, but the attack is as trivial as a curl one-liner, so get those units patched!

Google has pulled back the curtain just a bit, and shared the details of an exploit chain used in the wild against Android phones. One of the noteworthy features is that the three initial bugs were all n-day exploits — fixes had been published upstream that hadn’t landed on real users’ phones yet. And then there’s the fun of exploiting the Linux system underneath all that Android.

DEF CON videos are finally live! There are some fun talks, like hacking smart grocery carts, the Github Actions worm, and more. Enjoy!

15 thoughts on “This Week In Security: WebP, Cavium, Gitlab, And Asahi Lina”

  1. Buffer overflows have been the bane of programming for years now.

    Well I can understand the Retool advice, the bad guys have technology on their side. Where’s the anti-deepfake tools for example?

  2. Asahi: I may be showing my age, but having the choice between enduring 3.5 hours of VTube, or navigating an interactive page reminiscent of Flash websites of yore, I will never find out what that great exploit was about. It’s the “form over function” of hacking.

  3. > Cavium, now part of Marvell Technology
    It will be interesting to watch Marvell Technology Inc stock price today. Some people bulk buy, to short sell later in the day and others will start dumping their stock. Popcorn time!

    1. Yeah, I cannot Vtube, I can barely take a 5 min video to tell me what arcane shell command I need to fix the latest Linux bug or edge case I encountered.

      So thanks for the warning, as if the link picture wasn’t warning enough.

    1. Virtual YouTubers (although the format is also quite common on Twitch) are basically the anime equivalent of “when you really don’t want your camera on, but your boss insists on not having a static profile picture, so you at least have to have some sort of live animated avatar”. It’s definitely an acquired taste and an entire thing with subgenres (pngtubers use a program to swap between static image frames based on how loud they talk, toontubers are the same but with animated vector images, etc.), I certainly can’t say I ever expected a hacker talk in this format but hey, the community accepts all. …Really wish they had released a more traditional text-based explanation alongside it, though. Even for those that can handle high-pitched anime voices, a four hour stream is a hard sell.
