A buffer overflow vulnerability in the Zyxel NBG-418N v2 firmware versions prior to V1.00(AARP.14)C0 could allow a remote authenticated attacker with administrator privileges to cause denial-of-service (DoS) conditions by executing crafted CLI commands on a vulnerable device.

CVE-2023-22924

SmartDNS through 41 before 56d0332 allows an out-of-bounds write because of a stack-based buffer overflow in the _dns_encode_domain function in the dns.c file, via a crafted DNS request.

Expand Up @@ -274,6 +274,10 @@ static int \_dns\_encode\_domain(struct dns\_context \*context, const char \*domain) total\_len++; if (dict\_offset >= 0) { int offset = 0xc000 | dict\_offset; if (\_dns\_left\_len(context) < 2) { return -1; }  
\_dns\_write\_short(&ptr\_num, offset); context->ptr++; ptr\_num = NULL; Expand All @@ -295,6 +299,10 @@ static int \_dns\_encode\_domain(struct dns\_context \*context, const char \*domain) domain++; }  
if (\_dns\_left\_len(context) < 1) { return -1; }  
\*ptr\_num = num;  
if (total\_len > 1) { Expand Down Expand Up @@ -575,7 +583,7 @@ struct dns\_rr\_nested \*dns\_add\_rr\_nested\_start(struct dns\_rr\_nested \*rr\_nested\_bu return rr\_nested\_buffer; }  
int dns\_add\_rr\_nested\_memcpy(struct dns\_rr\_nested \*rr\_nested, void \*data, int data\_len) int dns\_add\_rr\_nested\_memcpy(struct dns\_rr\_nested \*rr\_nested, const void \*data, int data\_len) { if (rr\_nested == NULL || data == NULL || data\_len <= 0) { return -1; Expand Down Expand Up @@ -603,6 +611,12 @@ int dns\_add\_rr\_nested\_end(struct dns\_rr\_nested \*rr\_nested, dns\_type\_t rtype) return -1; }  
/\* NO SVC keys, reset ptr \*/ if (len <= 14) { rr\_nested->context.ptr = rr\_nested->rr\_start; return 0; }  
\_dns\_write\_short(&ptr, len - rr\_nested->rr\_head\_len);  
return \_dns\_rr\_add\_end(rr\_nested->context.packet, rr\_nested->type, rtype, len); Expand Down Expand Up @@ -1076,7 +1090,12 @@ int dns\_add\_HTTPS\_start(struct dns\_rr\_nested \*svcparam\_buffer, struct dns\_packet return -1; }  
int target\_len = strnlen(target, DNS\_MAX\_CNAME\_LEN) + 1; int target\_len = 0; if (target == NULL) { target = ""; }  
target\_len = strnlen(target, DNS\_MAX\_CNAME\_LEN) + 1; if (\_dns\_left\_len(&svcparam\_buffer->context) < 2 + target\_len) { return -1; } Expand Down Expand Up @@ -1117,6 +1136,22 @@ int dns\_HTTPS\_add\_port(struct dns\_rr\_nested \*svcparam, unsigned short port) return 0; }  
int dns\_HTTPS\_add\_alpn(struct dns\_rr\_nested \*svcparam, const char \*alpn, int alpn\_len) { if (\_dns\_left\_len(&svcparam->context) < 2 + 2 + alpn\_len) { return -1; }  
unsigned short value = DNS\_HTTPS\_T\_ALPN; dns\_add\_rr\_nested\_memcpy(svcparam, &value, 2);  
value = alpn\_len; dns\_add\_rr\_nested\_memcpy(svcparam, &value, 2); dns\_add\_rr\_nested\_memcpy(svcparam, alpn, alpn\_len);  
return 0; }  
int dns\_HTTPS\_add\_ech(struct dns\_rr\_nested \*svcparam, void \*ech, int ech\_len) { if (\_dns\_left\_len(&svcparam->context) < 2 + 2 + ech\_len) { Expand All @@ -1133,7 +1168,7 @@ int dns\_HTTPS\_add\_ech(struct dns\_rr\_nested \*svcparam, void \*ech, int ech\_len) return 0; }  
int dns\_HTTPS\_add\_ipv4hint(struct dns\_rr\_nested \*svcparam, unsigned char addr\[\]\[DNS\_RR\_A\_LEN\], int addr\_num) int dns\_HTTPS\_add\_ipv4hint(struct dns\_rr\_nested \*svcparam, unsigned char \*addr\[\], int addr\_num) { if (\_dns\_left\_len(&svcparam->context) < 4 + addr\_num \* DNS\_RR\_A\_LEN) { return -1; Expand All @@ -1151,7 +1186,8 @@ int dns\_HTTPS\_add\_ipv4hint(struct dns\_rr\_nested \*svcparam, unsigned char addr\[\]\[  
return 0; } int dns\_HTTPS\_add\_ipv6hint(struct dns\_rr\_nested \*svcparam, unsigned char addr\[\]\[DNS\_RR\_AAAA\_LEN\], int addr\_num)  
int dns\_HTTPS\_add\_ipv6hint(struct dns\_rr\_nested \*svcparam, unsigned char \*addr\[\], int addr\_num) { if (\_dns\_left\_len(&svcparam->context) < 4 + addr\_num \* DNS\_RR\_AAAA\_LEN) { return -1; Expand All @@ -1175,41 +1211,48 @@ int dns\_add\_HTTPS\_end(struct dns\_rr\_nested \*svcparam) return dns\_add\_rr\_nested\_end(svcparam, DNS\_T\_HTTPS); }  
struct dns\_https\_param \*dns\_get\_HTTPS\_svcparm\_start(struct dns\_rrs \*rrs, char \*domain, int maxsize, int \*ttl, int \*priority, char \*target, int target\_size) int dns\_get\_HTTPS\_svcparm\_start(struct dns\_rrs \*rrs, struct dns\_https\_param \*\*https\_param, char \*domain, int maxsize, int \*ttl, int \*priority, char \*target, int target\_size) { int qtype = 0; unsigned char \*data = NULL; int rr\_len = 0;  
data = dns\_get\_rr\_nested\_start(rrs, domain, maxsize, &qtype, ttl, &rr\_len); if (data == NULL) { return NULL; return \-1; }  
if (qtype != DNS\_T\_HTTPS) { return NULL; return \-1; }  
if (rr\_len < 2) { return NULL; return \-1; }  
\*priority = \_dns\_read\_short(&data); rr\_len -= 2; if (rr\_len <= 0) { return NULL; return \-1; }  
int len = strnlen((char \*)data, rr\_len); safe\_strncpy(target, (char \*)data, target\_size); data += len + 1; rr\_len -= len + 1; if (rr\_len <= 0) { return NULL; if (rr\_len < 0) { return -1; }  
if (rr\_len == 0) { \*https\_param = NULL; return 0; }  
return (struct dns\_https\_param \*)data; \*https\_param = (struct dns\_https\_param \*)data;  
return 0; }  
struct dns\_https\_param \*dns\_get\_HTTPS\_svcparm\_next(struct dns\_rrs \*rrs, struct dns\_https\_param \*param) Expand Down Expand Up @@ -1925,12 +1968,16 @@ static int \_dns\_encode\_HTTPS(struct dns\_context \*context, struct dns\_rrs \*rrs) int priority = 0; struct dns\_https\_param \*param = NULL;  
param = dns\_get\_HTTPS\_svcparm\_start(rrs, domain, DNS\_MAX\_CNAME\_LEN, &ttl, &priority, target, DNS\_MAX\_CNAME\_LEN); if (param == NULL) { tlog(TLOG\_ERROR, "get https param failed."); return -1; ret = dns\_get\_HTTPS\_svcparm\_start(rrs, &param, domain, DNS\_MAX\_CNAME\_LEN, &ttl, &priority, target, DNS\_MAX\_CNAME\_LEN); if (ret < 0) { tlog(TLOG\_DEBUG, "get https param failed."); return 0; }  
qtype = DNS\_T\_HTTPS; qclass = DNS\_C\_IN;  
ret = \_dns\_encode\_rr\_head(context, domain, qtype, qclass, ttl, 0, &rr\_len\_ptr); if (ret < 0) { return -1; Expand All @@ -1954,6 +2001,10 @@ static int \_dns\_encode\_HTTPS(struct dns\_context \*context, struct dns\_rrs \*rrs) return -1; }  
if (param->len + 4 > \_dns\_left\_len(context)) { return -1; }  
\_dns\_write\_short(&context->ptr, param->key); \_dns\_write\_short(&context->ptr, param->len); switch (param->key) { Expand All @@ -1974,6 +2025,10 @@ static int \_dns\_encode\_HTTPS(struct dns\_context \*context, struct dns\_rrs \*rrs) } }  
if (\_dns\_left\_len(context) < 2) { return -1; }  
\_dns\_write\_short(&rr\_len\_ptr, context->ptr - rr\_start);  
return 0; Expand Down

CVE-2023-31470: dns: fix crash issue · pymumu/smartdns@56d0332

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Remote Code Execution.

**hp-concentra-wrapper-portlet**

 Actions

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Remote Code Execution.

Severity

High

HP Reference

HPSBPI03840 rev. 1

Release date

April 6, 2023

Last updated

April 6, 2023

Category

Print

Potential Security Impact

Potential Buffer Overflow, Remote Code Execution

**Relevant Common Vulnerabilities and Exposures (CVE) List**

**Reported by**: Angelboy (@scwuaptx) from DEVCORE Research Team working with Trend Micro Zero Day Initiative

List of CVE IDs    

CVE ID

CVSS 3.0

Severity

Vector

CVE-2023-27972

8.8

High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2023-0019

**Resolution**

Update the printer firmware.

HP has provided an updated firmware resolution for potentially affected products listed in the table below. To obtain the updated firmware, go to the HP Customer Support - Software and Driver Downloads, and then search for your printer model.

**Affected products**

Find the products affected and the firmware version that resolves the vulnerabilities.

Affected products    

Product Name

Model Number

Updated Firmware Version

HP Color LaserJet MFP M478-M479 series

W1A75A, W1A76A, W1A77A, W1A81A, W1A82A, W1A79A, W1A80A, W1A78A

002\_2310A or higher

HP Color LaserJet Pro M453-M454 series

W1Y40A, W1Y41A, W1Y46A, W1Y47A, W1Y44A, W1Y45A, W1Y43A

002\_2310A or higher

HP LaserJet Pro M304-M305 Printer series

W1A66A, W1A46A, W1A47A, W1A48A

002\_2310A or higher

HP LaserJet Pro M404-M405 Printer series

W1A51A, W1A53A, W1A56A, W1A63A, W1A52A, 93M22A, W1A58A, W1A59A, W1A60A, W1A57A

002\_2310A or higher

HP LaserJet Pro MFP M428-M429 f series

W1A29A, W1A32A, W1A30A, W1A38A, W1A34A, W1A35A

002\_2310A or higher

HP LaserJet Pro MFP M428-M429 series

W1A28A, W1A31A, W1A33A

002\_2310A or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial release

April 6, 2023

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2023 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2023-27972: Certain HP LaserJet Pro Print Products - Potential Buffer Overflow, Remote Code Execution

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Elevation of Privilege.

**hp-concentra-wrapper-portlet**

 Actions

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Elevation of Privilege.

Severity

High

HP Reference

HPSBPI03839 rev. 1

Release date

April 6, 2023

Last updated

April 6, 2023

Category

Print

Potential Security Impact

Potential Buffer Overflow, Elevation of Privilege

**Relevant Common Vulnerabilities and Exposures (CVE) List**

**Reported by**: Neodyme working with Trend Micro Zero Day Initiative

List of CVE IDs    

CVE ID

CVSS

Severity

Vector

CVE-2023-27971

8.8

High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2023-0018

**Resolution**

Update the printer firmware.

HP has provided an updated firmware resolution for potentially affected products listed in the table below. To obtain the updated firmware, go to the HP Customer Support - Software and Driver Downloads, and then search for your printer model.

**Affected products**

Find the products affected and the firmware version that resolves the vulnerabilities.

Affected products    

Product Name

Model Number

Updated Firmware Version

HP Color LaserJet MFP M478-M479 series

W1A75A, W1A76A, W1A77A, W1A81A, W1A82A, W1A79A, W1A80A, W1A78A

002\_2310A or higher

HP Color LaserJet Pro M453-M454 series

W1Y40A, W1Y41A, W1Y46A, W1Y47A, W1Y44A, W1Y45A, W1Y43A

002\_2310A or higher

HP LaserJet Pro M304-M305 Printer series

W1A66A, W1A46A, W1A47A, W1A48A

002\_2310A or higher

HP LaserJet Pro M404-M405 Printer series

W1A51A, W1A53A, W1A56A, W1A63A, W1A52A, 93M22A, W1A58A, W1A59A, W1A60A, W1A57A

002\_2310A or higher

HP LaserJet Pro MFP M428-M429 f series

W1A29A, W1A32A, W1A30A, W1A38A, W1A34A, W1A35A

002\_2310A or higher

HP LaserJet Pro MFP M428-M429 series

W1A28A, W1A31A, W1A33A

002\_2310A or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial release

April 6, 2023

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2023 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2023-27971: Certain HP LaserJet Pro Print Products - Potential Buffer Overflow, Elevation of Privilege

Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems.
The issue, tracked as CVE-2023-28771, is rated 9.8 on the CVSS scoring system. Researchers from TRAPA Security have been credited with reporting the flaw.
"Improper error message handling in some firewall versions

Network Security / Vulnerability

Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems.

The issue, tracked as CVE-2023-28771, is rated 9.8 on the CVSS scoring system. Researchers from TRAPA Security have been credited with reporting the flaw.

"Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device," Zyxel said in an advisory on April 25, 2023.

Products impacted by the flaw are -

*   ATP (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
*   USG FLEX (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
*   VPN (versions ZLD V4.60 to V5.35, patched in ZLD V5.36), and
*   ZyWALL/USG (versions ZLD V4.60 to V4.73, patched in ZLD V4.73 Patch 1)

Zyxel has also addressed a high-severity post-authentication command injection vulnerability affecting select firewall versions (CVE-2023-27991, CVSS score: 8.8) that could permit an authenticated attacker to execute some OS commands remotely.

The shortcoming, which impacts ATP, USG FLEX, USG FLEX 50(W) / USG20(W)-VPN, and VPN devices, has been resolved in ZLD V5.36.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

Lastly, the company also shipped fixes for five high-severity flaws affecting several firewalls and access point (AP) devices (from CVE-2023-22913 to CVE-2023-22918) that could result in code execution and cause a denial-of-service (DoS) condition.

Nikita Abramov from Russian cybersecurity company Positive Technologies has been credited for reporting the issues. Abramov, earlier this year, also discovered four command injection and buffer overflow vulnerabilities in CPE, fiber ONTs, and WiFi extenders.

The most severe of the flaws is CVE-2022-43389 (CVSS score: 9.8), a buffer overflow vulnerability impacting 5G NR/4G LTE CPE devices.

"It did not require authentication to be exploited and led to arbitrary code execution on the device," Abramov explained at the time. "As a result, an attacker could gain remote access to the device and fully control its operation."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Zyxel Firewall Devices Vulnerable to Remote Code Execution Attacks — Patch Now

Categories: News
Tags: VMware

Tags:  workstation

Tags:  fusion

Tags:  virtual machine

Tags:  SCSI

Tags:  DVD

Tags:  CD

Tags:  virtualisation

Tags:  exploit

Tags:  vulnerability

Tags:  flaw

Tags:  CVE

VMWare has released fixes and mitigations for three Important and one Critical vulnerability in its Fusion and Workstation software.



(Read more...)




The post Update now: Critical flaw in VMWare Fusion and VMWare Workstation appeared first on Malwarebytes Labs.

Four vulnerabilities in virtualisation software have been fixed by VMware, including two which were exploited at the 20223 Pwn2Own contest. Three have been given the severity rating “Important”, with the last (CVE-2023-20869) is classed as “Critical”.

> Success! @starlabs\_sg used an uninitialized variable and UAF against VMWare Workstation. They earn $80,000 and 8 Master of Pwn points, pushing the prize total for #P2OVancouver past $1,000,000. #Pwn2Own pic.twitter.com/DEjgYcmphH
> 
> — Zero Day Initiative (@thezdi) March 24, 2023

The four vulnerabilities are:

*   CVE-2023-20869 is "Critical" flaw that affects Fusion and Workstation. It is a stack-based buffer overflow issue in the functionality for sharing host Bluetooth devices with the virtual machine. As per the advisory, "A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host." Needless to say, guest VMs are not supposed to be able to make the host machines they're running on do things.
*   **CVE-2023-20870 is an "Important" flaw that affects Fusion and Workstation. It's** another issue in the functionality for sharing host Bluetooth devices, but with this one an attacker can potentially read privileged information stored in the virtual machine’s hypervisor memory.
*   **CVE-2023-20871 is an "Important" flaw that only affects Fusion. It allows an** attacker who has read / write access to the host operating system to elevate their privileges to gain root access to the host operating system.
*   **CVE-2023-20872 is an "Important" flaw that affects Fusion and Workstation. It allows** virtual machines with a physical CD/DVD drive attached to execute code on the hypervisor, if the drive is configured to use a virtual SCSI controller.

**Workarounds and updates**

All four issues can be addressed by updating to the latest version of the affected software. At the time of writing these are VMware Fusion 13.0.2 and VMware Workstation 17.0.2. Workarounds are available for CVE-2023-20869, CVE-2023-20870, and CVE-2023-20872.

CVE-2023-20869 and CVE-2023-20870 can be mitigated by turning off Bluetooth support by unchecking the “**Share Bluetooth devices with the virtual machine**” option. The relevant support documents for each product are VMware Workstation Pro, VMware Workstation Player, and VMware Fusion.

CVE-2023-20872 can be mitigated by removing the CD/DVD device from the virtual machine. Alternatively, you can configure the virtual machine so that it does not use a virtual SCSI controller. After shutting down the virtual machine, the steps are:

To remove the CD/DVD device in VMWare Workstation:

*   Select VM > Settings
*   Click the Hardware tab
*   Select the CD/DVD and click Remove

To remove the CD/DVD device in VMWare Fusion:

*   Select a virtual machine in the Virtual Machine Library window
*   Click on Virtual Machine menu
*   Click Settings
*   Under Removable Devices in the Settings window, select CD/DVD > Advanced Options > Remove CD/DVD Drive.

To configure VMWare Workstation not to use a virtual SCSI controller:

*   Select VM > Settings
*   Click the Hardware tab
*   Select the CD/DVD > Advanced > CD/DVD Advanced Settings > Virtual device node
*   You can configure the Bus type

To configure VMWare Fusion not to use a virtual SCSI controller:

*   Select a virtual machine in the Virtual Machine Library window
*   Click on Virtual Machine menu
*   Click on Settings
*   Under Removable Devices in the Settings window, Select CD/DVD > Advanced options > Bus type
*   You can configure the Bus type.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Update now: Critical flaw in VMWare Fusion and VMWare Workstation

swfrender v0.9.2 was discovered to contain a heap buffer overflow in the function enumerateUsedIDs_fillstyle at modules/swftools.c

**1.heap-buffer-overflow****env**

ubuntu20.04

gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)

swfrender - part of swftools 0.9.2

**sample**

id7\_heap-buffer-overflow.zip

**crash**

    ./swfrender id7_heap-buffer-overflow -o /dev/null
    ==1106906==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000003eb at pc 0x557c2e072578 bp 0x7ffd975b4940 sp 0x7ffd975b4930
    READ of size 1 at 0x6070000003eb thread T0
        #0 0x557c2e072577 in enumerateUsedIDs_fillstyle modules/swftools.c:509
        #1 0x557c2e0728d1 in enumerateUsedIDs_styles modules/swftools.c:565
        #2 0x557c2e05c7d9 in swf_ParseShapeData modules/swfshape.c:692
        #3 0x557c2e06020d in swf_ShapeToShape2 modules/swfshape.c:884
        #4 0x557c2e04c298 in extractDefinitions readers/swf.c:375
        #5 0x557c2e04c298 in swf_open readers/swf.c:736
        #6 0x557c2e04800a in main /mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender.c:174
        #7 0x7f8c197fa082 in __libc_start_main ../csu/libc-start.c:308
        #8 0x557c2e046ecd in _start (/mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender+0x24ecd)
    
    0x6070000003eb is located 0 bytes to the right of 75-byte region [0x6070000003a0,0x6070000003eb)
    allocated by thread T0 here:
        #0 0x7f8c19c40808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x557c2e0e4ab9 in rfx_alloc /mnt/hgfs/ubuntu/cve/swftools/swftools-master/lib/mem.c:30
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow modules/swftools.c:509 in enumerateUsedIDs_fillstyle
    Shadow bytes around the buggy address:
      0x0c0e7fff8020: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
      0x0c0e7fff8030: 00 00 00 00 00 00 03 fa fa fa fa fa 00 00 00 00
      0x0c0e7fff8040: 00 00 00 00 03 fa fa fa fa fa 00 00 00 00 00 00
      0x0c0e7fff8050: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c0e7fff8060: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 04
    =>0x0c0e7fff8070: fa fa fa fa 00 00 00 00 00 00 00 00 00[03]fa fa
      0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1106906==ABORTING
    

**2.negative-size-param****env**

ubuntu20.04

gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)

swfrender - part of swftools 0.9.2

**sample**

id107\_negative-size-param.zip

**crash**

    ./swfrender id107_negative-size-param -o /dev/null
    =1148866==ERROR: AddressSanitizer: negative-size-param: (size=-21465837888)
        #0 0x7fe31237dfdd in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
        #1 0x559b516b3c75 in memset /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71
        #2 0x559b516b3c75 in newclip devices/render.c:538
        #3 0x559b516b41e1 in render_startpage devices/render.c:936
        #4 0x559b516348e1 in main /mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender.c:217
        #5 0x7fe311fdd082 in __libc_start_main ../csu/libc-start.c:308
        #6 0x559b51632ecd in _start (/mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender+0x24ecd)
    
    0x7fe2fef21800 is located 0 bytes inside of 8998592-byte region [0x7fe2fef21800,0x7fe2ff7b66c0)
    allocated by thread T0 here:
        #0 0x7fe312423a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
        #1 0x559b516d0bc1 in rfx_calloc /mnt/hgfs/ubuntu/cve/swftools/swftools-master/lib/mem.c:69
    
    SUMMARY: AddressSanitizer: negative-size-param ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset
    ==1148866==ABORTING
    

**3.heap-buffer-overflow****env**

ubuntu20.04

gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)

swfrender - part of swftools 0.9.2

**sample**

id157\_heap-buffer-overflow.zip

**crash**

    ./swfrender id157_heap-buffer-overflow -o /dev/null
    =1167329==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb50bafcc00 at pc 0x7fb50f696f3d bp 0x7fffa3c52d40 sp 0x7fffa3c524e8
    WRITE of size 16 at 0x7fb50bafcc00 thread T0
        #0 0x7fb50f696f3c in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
        #1 0x55ca7b7620cc in memset /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71
        #2 0x55ca7b7620cc in render_startpage devices/render.c:922
        #3 0x55ca7b6e28e1 in main /mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender.c:217
        #4 0x7fb50f2f6082 in __libc_start_main ../csu/libc-start.c:308
        #5 0x55ca7b6e0ecd in _start (/mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender+0x24ecd)
    
    0x7fb50bafcc00 is located 0 bytes to the right of 13906944-byte region [0x7fb50adb9800,0x7fb50bafcc00)
    allocated by thread T0 here:
        #0 0x7fb50f73c808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x55ca7b77eab9 in rfx_alloc /mnt/hgfs/ubuntu/cve/swftools/swftools-master/lib/mem.c:30
        #2 0x7fb50f2f6082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset
    Shadow bytes around the buggy address:
      0x0ff721757930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff721757940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff721757950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff721757960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff721757970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0ff721757980:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff721757990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff7217579a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff7217579b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff7217579c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff7217579d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1167329==ABORTING

CVE-2023-29950: bug report -- swfrender · Issue #198 · matthiaskramm/swftools

The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated attacker to read the system files and to retrieve the password of the supervisor from the encrypted file.

Summary

Zyxel is aware of multiple vulnerabilities reported by our security consultancy partner, SEC Consult, and advises users to install the applicable firmware updates for optimal protection.

 

What are the vulnerabilities?

There are eight vulnerabilities, identified as follows.

1.  Multiple buffer overflow vulnerabilities were discovered in the web server of the affected devices.
2.  The CGI program lacks a proper permission control mechanism, which could allow an attacker to read sensitive files on the devices.
3.  Insufficiently protected credentials in the configuration file of the devices could allow an attacker to retrieve the passwords.
4.  Command injection vulnerabilities were found in the diagnostic tool and the certificate upload interface of the devices.
5.  Access control vulnerabilities in the devices could allow a less privileged user to access functionality of a more privileged role.
6.  The improper symbolic links processing vulnerability in the FTP server could allow an attacker to get read access to the root file system.
7.  A security flaw was found in API of the devices that could be abused without authentication in order to obtain a new session key.
8.  A cross-site scripting vulnerability was identified in the printer name field of the print server menu within the web interface of the devices.

 

What versions are vulnerable-and what should you do?

After a thorough investigation, we’ve identified the affected products that are within their warranty and support period, as shown in the link here. If a product is not listed, it is not affected or has reached end-of-life. We encourage users to install the applicable updates for optimal protection.

Please note that the table in the link provided does NOT include customized models for internet service providers (ISPs).

If you are an ISP, please contact your Zyxel sales or service representative for further details.

If you are an end-user who received your Zyxel device from an ISP, please reach out to the ISP’s support team directly, as the device may have custom-built settings.

If you are an end-user who purchased your Zyxel device yourself, please contact your local Zyxel support team or visit our forum for further assistance.

 

Got a question?

Please contact your local service rep or visit Zyxel’s forum for further information or assistance.

 

Acknowledgment

Thanks to SEC Consult for reporting the issues to us.

 

Revision history

2022-2-15: Initial release

CVE-2023-28770: Zyxel security advisory for multiple vulnerabilities | Zyxel Networks

Buffer Overflow vulnerability found in Netgear R6900 v.1.0.2.26, R6700v3 v.1.0.4.128, R6700 v.1.0.0.26 allows a remote attacker to execute arbitrary code and cause a denial ofservice via the getInputData parameter of the fwSchedule.cgi page.

\[09:43:36\] Starting 'watch-extension:vscode-api-tests' ...

\[09:43:36\] Finished 'clean-extension:typescript-language-features' after 248 ms

\[09:43:36\] Starting 'watch-extension:typescript-language-features' ...

\[09:43:36\] Finished 'clean-extension:php-language-features' after 384 ms

\[09:43:36\] Starting 'watch-extension:php-language-features' ...

\[09:43:40\] Finished 'clean-extension:html-language-features-server' after 4.66 s

\[09:43:40\] Starting 'watch-extension:html-language-features-server' ...

\[09:43:43\] Finished 'clean-client' after 7.33 s

\[09:43:43\] Starting 'watch-client' ...

CVE-2023-30280: GitHub: Let’s build from here

Buffer Overflow vulnerability found in ByronKnoll Cmix v.19 allows an attacker to execute arbitrary code and cause a denial of service via the paq8 function.

**Crash Inputs**

Here is the crash file that trigger the error

cmix\_asan\_crash\_mem\_overlap.zip

**Bug Description:**

When executing cmix (new release version) with the file inputs and parameter "-n", the ASan (Memory Sanitizer ) instrumented program terminates with Nonfatal Error shown below.

    ==102390==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x619000041c63,0x619000041c67) and [0x619000041c64, 0x619000041c68) overlap
        #0 0x4ca038 in __asan_memcpy (/cmix/cmix_asan+0x4ca038)
        #1 0x656a09 in paq8::FrenchStemmer::ConvertUTF8(paq8::Word*) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:2502:11
        #2 0x65569b in paq8::FrenchStemmer::Stem(paq8::Word*) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:2782:5
        #3 0x558c65 in paq8::TextModel::Update(paq8::Buf&, paq8::ModelStats*) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:3258:28
        #4 0x63978b in paq8::TextModel::Predict(paq8::Mixer&, paq8::Buf&, paq8::ModelStats*) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:3160:7
        #5 0x615679 in paq8::contextModel2(paq8::ModelStats*) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:8183:13
        #6 0x61867b in paq8::Predictor::update() /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:8277:11
        #7 0x6c0d24 in Predictor::Perceive(int) /data/Deter-Study/temp/benchmark/crash/cmix/src/predictor.cpp:394:12
        #8 0x4fed5c in Encoder::Encode(int) /data/Deter-Study/temp/benchmark/crash/cmix/src/coder/encoder.cpp:23:7
        #9 0x6ef0d0 in Compress(unsigned long long, std::basic_ifstream<char, std::char_traits<char> >*, std::basic_ofstream<char, std::char_traits<char> >*, unsigned long long*, Predictor*) /data/Deter-Study/temp/benchmark/crash/cmix/src/runner.cpp:106:9
        #10 0x6f06d3 in RunCompression(bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, _IO_FILE*, unsigned long long*, unsigned long long*) /data/Deter-Study/temp/benchmark/crash/cmix/src/runner.cpp:203:3
        #11 0x6f3b13 in main /data/Deter-Study/temp/benchmark/crash/cmix/src/runner.cpp:298:10
        #12 0x7f0cc1be9c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #13 0x41f819 in _start (/cmix/cmix_asan+0x41f819)
    
    0x619000041c63 is located 483 bytes inside of 960-byte region [0x619000041a80,0x619000041e40)
    allocated by thread T0 here:
        #0 0x4cb3ba in calloc (/cmix/cmix_asan+0x4cb3ba)
        #1 0x654691 in paq8::Array<paq8::Word, 0>::create(unsigned int) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:118:16
        #2 0x654691 in paq8::Array<paq8::Word, 0>::Array(unsigned int) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:76
        #3 0x654691 in paq8::Cache<paq8::Word, 8u>::Cache() /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:3013
    
    0x619000041c64 is located 484 bytes inside of 960-byte region [0x619000041a80,0x619000041e40)
    allocated by thread T0 here:
        #0 0x4cb3ba in calloc (/cmix/cmix_asan+0x4cb3ba)
        #1 0x654691 in paq8::Array<paq8::Word, 0>::create(unsigned int) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:118:16
        #2 0x654691 in paq8::Array<paq8::Word, 0>::Array(unsigned int) /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:76
        #3 0x654691 in paq8::Cache<paq8::Word, 8u>::Cache() /data/Deter-Study/temp/benchmark/crash/cmix/src/models/paq8.cpp:3013
    
    SUMMARY: AddressSanitizer: memcpy-param-overlap (/cmix/cmix_asan+0x4ca038) in __asan_memcpy
    

**Step to reproduce**

*   download the cmix from github and build it with ASAN
*   Execute cmix with provide files and given parameters "-n".

Tag

#buffer_overflow