Improper input validation in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier may allow a remote attacker to execute commands.

As of June 15, 2022, this site no longer supports Internet Explorer. Please use another browser for the best experience on our site.

**Please sign in**

**SUMMARY**

**NPort IAW5000A-I/O Series Serial Device Server Vulnerabilities**

*   Security Advisory ID: MPSA-210501
*   Version: V1.0
*   Release Date: May 27, 2021
*   Reference:
    *   CVE-2021-32974
    *   BDU:2021-02699, BDU:2021-02700, BDU:2021-02701, BDU:2021-02702, BDU:2021-02703, BDU:2021-02704, BDU:2021-02705,BDU:2021-02706, BDU:2021-02707, BDU:2021-02708

Multiple product vulnerabilities were identified in Moxa’s NPort IAW5000A-I/O Series Wireless Device Server. In response to this, Moxa has developed related solutions to address these vulnerabilities.

The identified vulnerability types and potential impacts are shown below:

Item

Vulnerability Type

Impact

1

Buffer Overflow (CWE-120)  
BDU:2021-02699, BDU:2021-02702

A buffer overflow in the built-in web server allows remote attackers to initiate a DoS attack.

2

Stack-Based Buffer Overflow (CWE-121)  
BDU:2021-02700, BDU:2021-02701, BDU:2021-02703, BDU:2021-02704, BDU:2021-02708

A buffer overflow in the built-in web server allows remote attackers to initiate a DoS attack and execute arbitrary code (RCE).

3

Improper Input Validation (CWE-20)  
BDU:2021-02705, BDU:2021-02706

Data can be copied without validation in the built-in web server, which allows remote attackers to initiate a DoS attack.

4

OS Command Injection (CWE-78)  
BDU:2021-02707

Improper input validation in the built-in web server allows remote attackers to execute the OS command.

**AFFECTED PRODUCTS AND SOLUTIONS**

**Affected Products:**

The affected products and firmware versions are shown below.

Product Series

Affected Versions

NPort IAW5000A-I/O Series

Firmware Version 2.2 or lower

**Solutions:**

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

Product Series

Solutions

NPort IAW5000A-I/O Series

Please contact Moxa Technical Support for a security patch.

**Acknowledgment:**

We would like to express our appreciation to Konstantin Kondratev, Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar for reporting the vulnerabilities, working with us to help enhance the security of our products, and helping us provide a better service to our customers.  
 

**Revision History:**

VERSION

DESCRIPTION

RELEASE DATE

1.0

First Release

May 27, 2021

**Relevant Products**

NPort IAW5000A-I/O Series ·

*     Print this page
    
*   You can manage and share your saved list in My Moxa
    

**Let’s get that fixed**

If you are concerned about a potential cybersecurity vulnerability, please contact us and one of technical support staff will get in touch with you.

Report a Vulnerability

CVE-2021-32974: NPort IAW5000A-I/O Series Serial Device Server Vulnerabilities

A vulnerability in the authentication logic of Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to bypass login and control the devices. This issue affects: Wyze Cam Pan v2 versions prior to 4.49.1.47. Wyze Cam v2 versions prior to 4.9.8.1002. Wyze Cam v3 versions prior to 4.36.8.32.

At Bitdefender, we care deeply about security, so we’ve been working with media partners and IoT devices manufacturers to identify vulnerabilities in the world’s best-selling connected devices. As a leading vendor of cybersecurity protection across endpoint and IoT devices, we have been assessing the security of smart-home equipment for more than half a decade. Our goal is to help vendors and customers stay on top of security and privacy blind spots and make the IoT ecosystem safer for everybody.

While looking into the Wyze Cam device, we identified several vulnerabilities that let an outside attacker access the camera feed or execute malicious code to further compromise the device.

**Vulnerabilities at a glance**

*   Authentication bypass (CVE-2019-9564)
*   Remote control execution flaw caused by a stack-based buffer overflow (CVE-2019-12266)
*   Unauthenticated access to contents of the SD card

Download the research paper here

****Mitigation****

Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network. This can be done by setting up a dedicated SSID exclusively for IoT devices, or by moving them to the guest network if the router does not support the creation of additional SSIDs.

Additionally, IoT users can use the free Bitdefender Smart Home Scanner app to scan for connected devices, identify and highlight vulnerable ones. IoT device owners should also make sure that they check for newer firmware and update devices as soon as the vendor releases new versions.

To minimize risks of compromise, smart home users should consider the adoption of a network cybersecurity solution integrated into the router, such as the NETGEAR Orbi or Nighthawk routers powered by Bitdefender Armor.

_**IMPORTANT**: The analyzed device comes in several versions: Wyze Cam version 1, Wyze Cam Black version 2, as well as Wyze Cam version 3. We learned that, while versions 2 and 3 have been patched against these vulnerabilities, version 1 has been discontinued and is no longer receiving security fixes. Customers who keep using Wyze Cam version 1 are no longer protected and risk having their devices exploited._

CVE-2019-9564: Vulnerabilities Identified in Wyze Cam IoT Device

heap buffer overflow in get_one_sourceline in GitHub repository vim/vim prior to 8.2.4647.

**Description**

When fuzzing vim commit 471b3aed3 I discovered a heap buffer overflow. I'm using ubuntu 20.04 with clang 13

**Proof of Concept**

Here is the minimized poc

    norm300gr0
    so
    

How to build

    LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
    make -j$(nproc)
    

Proof of Concept

Run crafted file with this command

./vim -u NONE -X -Z -e -s -S poc_utf_ptr2char -c :qa!

ASan stack trace:

    aldo@vps:~/vim/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S poc_get_one_sourceline -c :qa!
    =================================================================
    ==2393051==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000004c6c at pc 0x000000430f36 bp 0x7fffffff7e50 sp 0x7fffffff7610
    READ of size 1 at 0x612000004c6c thread T0
        #0 0x430f35 in strlen (/home/aldo/vimtes/src/vim+0x430f35)
        #1 0xafb4c6 in get_one_sourceline /home/aldo/vimtes/src/scriptfile.c:1930:25
        #2 0xaf9a90 in getsourceline /home/aldo/vimtes/src/scriptfile.c:2051:9
        #3 0xaf71ee in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1615:17
        #4 0xaf4765 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1115:6
        #5 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #6 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #7 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #8 0xaf7435 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #9 0xaf4e80 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #10 0xaf49b9 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #11 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #12 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #13 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #14 0x6cadd0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #15 0xecacd4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #16 0xec8a09 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
        #17 0xec240d in main /home/aldo/vimtes/src/main.c:424:12
        #18 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #19 0x41edcd in _start (/home/aldo/vimtes/src/vim+0x41edcd)
    
    0x612000004c6c is located 0 bytes to the right of 300-byte region [0x612000004b40,0x612000004c6c)
    allocated by thread T0 here:
        #0 0x499fa9 in realloc (/home/aldo/vimtes/src/vim+0x499fa9)
        #1 0x4cbea5 in ga_grow_inner /home/aldo/vimtes/src/alloc.c:741:10
        #2 0x4cbc33 in ga_grow /home/aldo/vimtes/src/alloc.c:720:9
        #3 0x4cc637 in ga_concat /home/aldo/vimtes/src/alloc.c:834:9
        #4 0xafb1a0 in get_one_sourceline /home/aldo/vimtes/src/scriptfile.c:1919:6
        #5 0xaf9a90 in getsourceline /home/aldo/vimtes/src/scriptfile.c:2051:9
        #6 0xaf71ee in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1615:17
        #7 0xaf4765 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1115:6
        #8 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #9 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #10 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #11 0xaf7435 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #12 0xaf4e80 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #13 0xaf49b9 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #14 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #15 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #16 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #17 0x6cadd0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #18 0xecacd4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #19 0xec8a09 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
        #20 0xec240d in main /home/aldo/vimtes/src/main.c:424:12
        #21 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aldo/vimtes/src/vim+0x430f35) in strlen
    Shadow bytes around the buggy address:
      0x0c247fff8930: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c247fff8950: 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa fa
      0x0c247fff8960: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c247fff8980: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa
      0x0c247fff8990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2393051==ABORTING
    

**💥 Impact**

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

CVE-2022-1160: heap buffer overflow in get_one_sourceline in vim

TP-LINK TL-WR840N(ES)_V6.20 was discovered to contain a buffer overflow via the minAddress parameter.

Sorry, something went wrong. Reload?

Sorry, we cannot display this file.

Sorry, this file is invalid so it cannot be displayed.

CVE-2022-26640: Hardware-IoT/tp-link tl-wr840n_minAddress=.pdf at main · Quadron-Research-Lab/Hardware-IoT

TP-LINK TL-WR840N(ES)_V6.20 was discovered to contain a buffer overflow via the DNSServers parameter.

CVE-2022-26639: Hardware-IoT/tp-link tl-wr840n_DNSServers=.pdf at main · Quadron-Research-Lab/Hardware-IoT

Out-of-bounds Read error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 46dc8fcd.

Skip to content

GitLab

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    *   Switch to GitLab Next
    
*   *   
    
    Projects Groups Snippets
    
*   Sign up now
*   Login
*   Sign in / Register
    

*   libtiff
*   libtiff
*   Merge requests
*   !307

**tiffcrop: fix issue #380 and #382 heap buffer overflow in extractImageSection**

*   Review changes
    

*   
*   Download
    
*   Email patches
    
*   Plain diff
    

Merged Su Laus requested to merge Su\_Laus/libtiff:Fix\_Issue#380 into master Feb 25, 2022

*   Overview 4
*   Commits 2
*   Pipelines 2
*   Changes 1

tiffcrop: fix issue #380 (closed) and #382 (closed) heap buffer overflow in extractImageSection.  
Corrected wrong formula for image row size calculation.

CVE-2022-1056: tiffcrop: fix issue #380 and #382 heap buffer overflow in extractImageSection (!307) · Merge requests · libtiff / libtiff · GitLab

tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in get_l2len_protocol in common/get.c.

You are opening a _bug report_ against the Tcpreplay project: we use  
GitHub Issues for tracking bug reports and feature requests.

Otherwise, to report a bug, please fill out the reproduction steps  
(below) and delete these introductory paragraphs. Thanks!

**Describe the bug**  
There is a heap-overflow bug found in get\_l2len\_protocol, can be triggered via tcpprep + ASan

**Expected behavior**  
ASan report that ./tcpprep has a heap buffer overflow in function get\_l2len\_protocol

    Warning: crash.0 was captured using a snaplen of 1 bytes.  This may mean you have truncated packets.
    =================================================================
    ==22937==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000001c at pc 0x000000510fb4 bp 0x7ffd68b94250 sp 0x7ffd68b94248
    READ of size 2 at 0x60200000001c thread T0
        #0 0x510fb3 in get_l2len_protocol /benchmark/vulnerable/tcpreplay/src/common/get.c:322:46
        #1 0x512222 in get_ipv4 /benchmark/vulnerable/tcpreplay/src/common/get.c:442:11
        #2 0x4f82f2 in process_raw_packets /benchmark/vulnerable/tcpreplay/src/tcpprep.c:368:41
        #3 0x4f7929 in main /benchmark/vulnerable/tcpreplay/src/tcpprep.c:144:23
        #4 0x7fc5856d2bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
        #5 0x41c1b9 in _start (/benchmark/vulnerable/tcpreplay/src/tcpprep+0x41c1b9)
    
    0x60200000001c is located 11 bytes to the right of 1-byte region [0x602000000010,0x602000000011)
    allocated by thread T0 here:
        #0 0x4aeb80 in malloc /home/nipc/workspace/install/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7fc586add90f  (/usr/lib/x86_64-linux-gnu/libpcap.so.0.8+0x1f90f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /benchmark/vulnerable/tcpreplay/src/common/get.c:322:46 in get_l2len_protocol
    Shadow bytes around the buggy address:
      0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c047fff8000: fa fa 01[fa]fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==22937==ABORTING

CVE-2022-27941: [Bug] heap-overflow in get_l2len_protocol · Issue #716 · appneta/tcpreplay

tcpprep in Tcpreplay 4.4.1 has a heap-based buffer over-read in parse_mpls in common/get.c.

You are opening a _bug report_ against the Tcpreplay project: we use  
GitHub Issues for tracking bug reports and feature requests.

If you have a question about how to use Tcpreplay, you are at the wrong  
site. You can ask a question on the tcpreplay-users mailing list  
or on Stack Overflow with \[tcpreplay\] tag.  
General help is available here.

If you have a build issue, consider downloading the latest release

Otherwise, to report a bug, please fill out the reproduction steps  
(below) and delete these introductory paragraphs. Thanks!

**Describe the bug**  
There is a heap-overflow bug found in parse\_mpls, can be triggered via tcpprep+ ASan

**To Reproduce**  
Steps to reproduce the behavior:

1.  export CC=clang && export CFLAGS="-fsanitize=address -g"
2.  ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
3.  ./src/tcpprep --auto=bridge --pcap=$POC --cachefile=/dev/null

Output:

    ==2021941==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000142 at pc 0x000000448721 bp 0x7fff4fd006f0 sp 0x7fff4fd006e0
    READ of size 4 at 0x602000000142 thread T0
        #0 0x448720 in parse_mpls (/validate/run1/tcpreplay/tcpprep+0x448720)
        #1 0x44edb0 in parse_metadata (/validate/run1/tcpreplay/tcpprep+0x44edb0)
        #2 0x44c591 in get_l2len_protocol (/validate/run1/tcpreplay/tcpprep+0x44c591)
        #3 0x44fa30 in get_ipv4 (/validate/run1/tcpreplay/tcpprep+0x44fa30)
        #4 0x41434c in process_raw_packets (/validate/run1/tcpreplay/tcpprep+0x41434c)
        #5 0x412708 in main (/validate/run1/tcpreplay/tcpprep+0x412708)
        #6 0x7f6b96777d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x2dd8f)
        #7 0x7f6b96777e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2de3f)
        #8 0x4085f4 in _start (/validate/run1/tcpreplay/tcpprep+0x4085f4)
    
    0x602000000142 is located 2 bytes to the right of 16-byte region [0x602000000130,0x602000000140)
    allocated by thread T0 here:
        #0 0x4dd0d8 in __interceptor_realloc (/validate/run1/tcpreplay/tcpprep+0x4dd0d8)
        #1 0x7f6b969bd1c7  (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x291c7)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/validate/run1/tcpreplay/tcpprep+0x448720) in parse_mpls
    Shadow bytes around the buggy address:
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff8000: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
      0x0c047fff8010: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
    =>0x0c047fff8020: fa fa fd fd fa fa 00 00[fa]fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2021941==ABORTING
    

**System (please complete the following information):**

*   OS: Ubuntu 20.04
*   Clang 12.0.1
*   Tcpreplay Version : latest commit 09f0774

**Credit**  
NCNIPC of China  
Hexhive

**POC**

POC2.zip

CVE-2022-27942: [Bug] heap buffer overflow in parse_mpls · Issue #719 · appneta/tcpreplay

The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.

**WDC Tracking Number:** WDC-22005  
**Published:** March 24, 2022

**Last Updated:** March 24, 2022

**Description**

Netatalk is an open-source Apple File Protocol fileserver that was being used by Western Digital products to access network shares and perform Time Machine backups. Multiple critical vulnerabilities have been discovered in Netatalk. Because Netatalk is unmaintained, we have removed Netatalk from our firmware released on January 10, 2022. Users can continue to access local network shares and perform Time Machine backup via SMB. For additional information, please refer to this KBA.

To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud PR2100

5.19.117

January 10, 2022

My Cloud PR4100

5.19.117

January 10, 2022

My Cloud EX4100

5.19.117

January 10, 2022

My Cloud EX2 Ultra

5.19.117

January 10, 2022

My Cloud Mirror Gen 2

5.19.117

January 10, 2022

My Cloud DL2100

5.19.117

January 10, 2022

My Cloud DL4100

5.19.117

January 10, 2022

My Cloud EX2100

5.19.117

January 10, 2022

My Cloud

5.19.117

January 10, 2022

WD Cloud

5.19.117

January 10, 2022

My Cloud Home

7.16-220

January 10, 2022

**Advisory Summary**

A stack-based buffer overflow vulnerability was discovered within the ad\_addcomment function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-0194

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

An improper handling of exceptional conditions issue was found in the parse\_entries function that did not properly handle parsing AppleDouble entries. This vulnerability could allow a remote attacker to carry out an unauthenticated remote command execution on affected versions of Netatalk.

**CVE Number:** CVE-2022-23121

**Reporteb By:** NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) working with Trend Micro’s Zero Day Initiative

A stack-based buffer overflow vulnerability was discovered within the setfilparams function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-23122

**Reported By:** Orange Tsai (@orange\_8361) from DEVCORE Research Team working with Trend Micro’s Zero Day Initiative

An out-of-bounds read information disclosure vulnerability was discovered in the getdirparams method that could allow an attacker to disclose sensitive information or carry out an unauthenticated remote code execution on the device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer.

**CVE Number:** CVE-2022-23123

**Reported By:** Orange Tsai (@orange\_8361) from DEVCORE Research Team working with Trend Micro’s Zero Day Initiative

An out-of-bounds read information disclosure vulnerability was discovered in the get\_finderinfo method that could allow an attacker to disclose sensitive information or carry out an unauthenticated remote code execution on the device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer.

**CVE Number:** CVE-2022-23124

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

A stack-based buffer overflow vulnerability was discovered within the copyapplfile function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-23125

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.

**CVE Number:** CVE-2022-22995

**Reported By:** Corentin BAYET (@OnlyTheDuck), Etienne HELLUY-LAFONT and Luca MORO (@johncool\_\_) from Synacktiv working with Trend Micro’s Zero Day Initiative

*      
    
    {{ skuObj.title.length < 15 ? skuObj.title : skuObj.title.substring(0,14) + "..." }}

CVE-2022-22995: WDC-22005 Netatalk Security Vulnerabilities | Western Digital

Heap Buffer Overflow in iterate_chained_fixups in GitHub repository radareorg/radare2 prior to 5.6.6.

**Description**

heap buffer overflow in iterate\_chained\_fixups function.

ASAN report：

    =================================================================
    ==2540511==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000065710 at pc 0x7f5b64ccb878 bp 0x7ffeab141380 sp 0x7ffeab141370
    READ of size 8 at 0x602000065710 thread T0
        #0 0x7f5b64ccb877 in iterate_chained_fixups /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:4562
        #1 0x7f5b64c77396 in rebase_buffer /root/radare2/libr/..//libr/bin/p/bin_mach0.c:807
        #2 0x7f5b64c76cd2 in rebasing_and_stripping_io_read /root/radare2/libr/..//libr/bin/p/bin_mach0.c:768
        #3 0x7f5b6e4aa493 in r_io_plugin_read /root/radare2/libr/io/io_plugin.c:161
        #4 0x7f5b6e4b3d19 in r_io_desc_read /root/radare2/libr/io/io_desc.c:213
        #5 0x7f5b6e4c708c in r_io_fd_read /root/radare2/libr/io/io_fd.c:24
        #6 0x7f5b6ffa0369 in buf_io_read /root/radare2/libr/util/buf_io.c:72
        #7 0x7f5b6ffa1fc2 in buf_read /root/radare2/libr/util/buf.c:46
        #8 0x7f5b6ffa5ef3 in r_buf_read /root/radare2/libr/util/buf.c:452
        #9 0x7f5b6ffa7259 in r_buf_read_at /root/radare2/libr/util/buf.c:600
        #10 0x7f5b64ccafb8 in get_hdr /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:4517
        #11 0x7f5b64cca3dc in mach_fields /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:4417
        #12 0x7f5b64aa04a1 in r_bin_object_set_items /root/radare2/libr/bin/bobj.c:310
        #13 0x7f5b64a9d2a6 in r_bin_object_new /root/radare2/libr/bin/bobj.c:168
        #14 0x7f5b64a91db0 in r_bin_file_new_from_buffer /root/radare2/libr/bin/bfile.c:585
        #15 0x7f5b64a4f9f9 in r_bin_open_buf /root/radare2/libr/bin/bin.c:279
        #16 0x7f5b64a5082e in r_bin_open_io /root/radare2/libr/bin/bin.c:339
        #17 0x7f5b66ecb223 in r_core_file_do_load_for_io_plugin /root/radare2/libr/core/cfile.c:435
        #18 0x7f5b66ecdd77 in r_core_bin_load /root/radare2/libr/core/cfile.c:636
        #19 0x7f5b6f96ab18 in r_main_radare2 /root/radare2/libr/main/radare2.c:1184
        #20 0x564e0b55f937 in main /root/radare2/binr/radare2/radare2.c:96
        #21 0x7f5b6ed6e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
        #22 0x564e0b55f30d in _start (/root/radare2/binr/radare2/radare2+0x230d)
    
    0x602000065711 is located 0 bytes to the right of 1-byte region [0x602000065710,0x602000065711)
    allocated by thread T0 here:
        #0 0x7f5b70abba06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
        #1 0x7f5b64c96f4b in parse_chained_fixups /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:1517
        #2 0x7f5b64ca2b6b in init_items /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:2069
        #3 0x7f5b64ca2f29 in init /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:2092
        #4 0x7f5b64ca55fa in new_buf /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:2207
        #5 0x7f5b64c6a112 in load_buffer /root/radare2/libr/..//libr/bin/p/bin_mach0.c:57
        #6 0x7f5b64a9cd3b in r_bin_object_new /root/radare2/libr/bin/bobj.c:147
        #7 0x7f5b64a91db0 in r_bin_file_new_from_buffer /root/radare2/libr/bin/bfile.c:585
        #8 0x7f5b64a4f9f9 in r_bin_open_buf /root/radare2/libr/bin/bin.c:279
        #9 0x7f5b64a5082e in r_bin_open_io /root/radare2/libr/bin/bin.c:339
        #10 0x7f5b66ecb223 in r_core_file_do_load_for_io_plugin /root/radare2/libr/core/cfile.c:435
        #11 0x7f5b66ecdd77 in r_core_bin_load /root/radare2/libr/core/cfile.c:636
        #12 0x7f5b6f96ab18 in r_main_radare2 /root/radare2/libr/main/radare2.c:1184
        #13 0x564e0b55f937 in main /root/radare2/binr/radare2/radare2.c:96
        #14 0x7f5b6ed6e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/radare2/libr/..//libr/bin/p/../format/mach0/mach0.c:4562 in iterate_chained_fixups
    Shadow bytes around the buggy address:
      0x0c0480004a90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 02 fa
      0x0c0480004aa0: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 00 02
      0x0c0480004ab0: fa fa 00 02 fa fa 02 fa fa fa 05 fa fa fa 05 fa
      0x0c0480004ac0: fa fa 00 00 fa fa 00 02 fa fa 05 fa fa fa 00 06
      0x0c0480004ad0: fa fa 00 00 fa fa 00 fa fa fa 05 fa fa fa 02 fa
    =>0x0c0480004ae0: fa fa[01]fa fa fa 05 fa fa fa 07 fa fa fa 00 fa
      0x0c0480004af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0480004b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0480004b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0480004b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0480004b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2540511==ABORTING
    

**How can we reproduce the issue?**

Compile command

    ./sys/sanitize.sh
    

reproduce command

tests\_65305.zip

    unzip tests_65305.zip
    ./radare2 -qq -AA <poc_file>
    

**Impact**

latest commit and latest release

$ ./radare2 -v radare2 5.6.5 27847 @ linux-x86-64 git.5.6.2 commit: 60182bb63a77282ae469654556b899dbe2a7674c build: 2022-03-22\_\_09:29:41 $ cat /etc/issue Ubuntu 20.04.3 LTS \\n \\l

Tag

#buffer_overflow