Dell SupportAssist for Business PCs version 2.0 and Dell SupportAssist for Home PCs version 2.2, 2.2.1, 2.2.2, 2.2.3, 3.0, 3.0.1, 3.0.2, 3.1, 3.2, and 3.2.1 contain an Improper Privilege Management Vulnerability. A malicious local user can exploit this vulnerability by inheriting a system thread using a leaked thread handle to gain system privileges on the affected machine.

CVE-2019-3735

Dell EMC Open Manage System Administrator (OMSA) versions prior to 9.3.0 contain an Improper Range Header Processing Vulnerability. A remote unauthenticated attacker may send crafted requests with overlapping ranges to cause the application to compress each of the requested bytes, resulting in a crash due to excessive memory consumption and preventing users from accessing the system.

CVE-2019-3721

Dell SupportAssist Client versions prior to 3.2.0.90 contain an improper origin validation vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability to attempt CSRF attacks on users of the impacted systems.

CVE-2019-3718

The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak.

\-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2019-3da64f3e61 2019-02-16 01:24:20.819930 -------------------------------------------------------------------------------- Name : kernel Product : Fedora 28 Version : 4.20.8 Release : 100.fc28 URL : https://www.kernel.org/ Summary : The Linux kernel Description : The kernel meta package -------------------------------------------------------------------------------- Update Information: The 4.20.8 stable kernel update contains a number of important fixes across the tree. -------------------------------------------------------------------------------- ChangeLog: \* Tue Feb 12 2019 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - 4.20.8-100 - Linux v4.20.8 - Fixes CVE-2019-7221 (rhbz 1671904 1673676) - Fixes CVE-2019-6974 (rhbz 1671913 1673681) - Fixes CVE-2019-7222 (rhbz 1671930 1673686) \* Wed Feb 6 2019 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - 4.20.7-100 - Linux v4.20.7 \* Thu Jan 31 2019 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - 4.20.6-100 - Linux v4.20.6 \* Mon Jan 28 2019 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - 4.20.5-100 - Linux v4.20.5 - Fix CVE-2018-16880 (rhbz 1656472 1669545) \* Wed Jan 23 2019 Hans de Goede <hdegoede(a)redhat.com&gt; - Add upstream patch fixing backlight control not working on some laptops with a Nvidia GPU (rhbz#1663613, rhbz#1665505) \* Wed Jan 23 2019 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - 4.20.4-100 - Linux v4.20.4 rebase \* Wed Jan 16 2019 Jeremy Cline <jcline(a)redhat.com&gt; - 4.19.16-200 - Linux v4.19.16 \* Mon Jan 14 2019 Jeremy Cline <jcline(a)redhat.com&gt; - 4.19.15-200 - Linux v4.19.15 - Fix CVE-2019-3459 and CVE-2019-3460 (rbhz 1663176 1663179 1665925) \* Wed Jan 9 2019 Jeremy Cline <jcline(a)redhat.com&gt; - 4.19.14-200 - Linux v4.19.14 \* Wed Jan 9 2019 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - Fix CVE-2019-3701 (rhbz 1663729 1663730) \* Mon Jan 7 2019 Hans de Goede <hdegoede(a)redhat.com&gt; - Add patch to fix bluetooth on RPI 3B+ registering twice (rhbz#1661961) \* Sat Dec 29 2018 Jeremy Cline <jcline(a)redhat.com&gt; - 4.19.13-200 - Linux v4.19.13 \* Thu Dec 27 2018 Hans de Goede <hdegoede(a)redhat.com&gt; - Set CONFIG\_REALTEK\_PHY=y to workaround realtek ethernet issues (rhbz 1650984) \* Mon Dec 24 2018 Peter Robinson <pbrobinson(a)fedoraproject.org&gt; 4.19.12-200 - Linux v4.19.12 - Another fix for issue affecting Raspberry Pi 3-series WiFi (rhbz 1652093) \* Thu Dec 20 2018 Jeremy Cline <jcline(a)redhat.com&gt; - 4.19.11-200 - Linux v4.19.11 \* Mon Dec 17 2018 Jeremy Cline <jcline(a)redhat.com&gt; - 4.19.10-200 - Linux v4.19.10 \* Fri Dec 14 2018 Peter Robinson <pbrobinson(a)fedoraproject.org&gt; 4.19.9-201 - Fix Raspberry Pi issues affecting WiFi (rhbz 1652093) \* Thu Dec 13 2018 Jeremy Cline <jcline(a)redhat.com&gt; - 4.19.9-200 - Linux v4.19.9 \* Tue Dec 11 2018 Hans de Goede <hdegoede(a)redhat.com&gt; - Really fix non functional hotkeys on Asus FX503VD (#1645070) \* Mon Dec 10 2018 Jeremy Cline <jcline(a)redhat.com&gt; - 4.19.8-200 - Linux v4.19.8 \* Wed Dec 5 2018 Jeremy Cline <jcline(a)redhat.com&gt; - 4.19.7-200 - Linux v4.19.7 - Fix CVE-2018-19406 (rhbz 1652650 1653346) \* Wed Dec 5 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - Fix corruption bug in direct dispatch for blk-mq \* Tue Dec 4 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - Fix CVE-2018-19824 (rhbz 1655816 1655817) \* Mon Dec 3 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - Fix very quiet speakers on the Thinkpad T570 (rhbz 1554304) \* Mon Dec 3 2018 Hans de Goede <hdegoede(a)redhat.com&gt; - Fix non functional hotkeys on Asus FX503VD (#1645070) \* Sun Dec 2 2018 Jeremy Cline <jcline(a)redhat.com&gt; - 4.19.6-200 - Linux v4.19.6 \* Thu Nov 29 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - Fix a problem with some rtl8168 chips (rhbz 1650984) - Fix slowdowns and crashes for AMD GPUs in pre-PCIe-v3 slots \* Tue Nov 27 2018 Jeremy Cline <jcline(a)redhat.com&gt; - 4.19.5-200 - Linux v4.19.5 - Fix CVE-2018-16862 (rhbz 1649017 1653122) - Fix CVE-2018-19407 (rhbz 1652656 1652658) \* Mon Nov 26 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - Fixes a null pointer dereference with Nvidia and vmwgfx drivers (rhbz 1650224) \* Fri Nov 23 2018 Peter Robinson <pbrobinson(a)fedoraproject.org&gt; 4.19.4-200 - Linux v4.19.4 \* Wed Nov 21 2018 Jeremy Cline <jcline(a)redhat.com&gt; - 4.19.3-300 - Linux v4.19.3 \* Tue Nov 20 2018 Hans de Goede <hdegoede(a)redhat.com&gt; - Turn on CONFIG\_PINCTRL\_GEMINILAKE on x86\_64 (rhbz#1639155) - Add a patch fixing touchscreens on HP AMD based laptops (rhbz#1644013) - Add a patch fixing KIOX010A accelerometers (rhbz#1526312) \* Sat Nov 17 2018 Peter Robinson <pbrobinson(a)fedoraproject.org&gt; - Fix WiFi on Raspberry Pi 3 on aarch64 (rhbz 1649344) - Fixes for Raspberry Pi hwmon driver and firmware interface \* Thu Nov 15 2018 Hans de Goede <hdegoede(a)redhat.com&gt; - Add patch fixing touchpads on some Apollo Lake devices not working (#1526312) \* Wed Nov 14 2018 Jeremy Cline <jcline(a)redhat.com&gt; - 4.19.2-200 - Linux v4.19.2 - Fix CVE-2018-18710 (rhbz 1645140 1648485) \* Mon Nov 12 2018 Laura Abbott <labbott(a)redhat.com&gt; - 4.18.18-200 - Linux v4.18.18 \* Mon Nov 5 2018 Laura Abbott <labbott(a)redhat.com&gt; - 4.18.17-200 - Linux v4.18.17 \* Tue Oct 23 2018 Laura Abbott <labbott(a)redhat.com&gt; - Add i915 eDP fixes \* Sat Oct 20 2018 Peter Robinson <pbrobinson(a)fedoraproject.org&gt; 4.18.16-200 - Linux v4.18.16 - Fix network on some i.MX6 devices (rhbz 1628209) \* Thu Oct 18 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - 4.18.15-200 - Linux v4.18.15 \* Mon Oct 15 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - 4.18.14-200 - Linux v4.18.14 \* Fri Oct 12 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - Fix the microphone on Lenovo G50-30s (rhbz 1249364) \* Wed Oct 10 2018 Laura Abbott <labbott(a)redhat.com&gt; - 4.18.13-300 - Linux v4.18.13 \* Mon Oct 8 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - Revert drm/amd/pp: Send khz clock values to DC for smu7/8 (rhbz 1636249) \* Thu Oct 4 2018 Laura Abbott <labbott(a)redhat.com&gt; - 4.18.12-200 - Linux v4.18.12 \* Wed Oct 3 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - Fix arm64 kvm priv escalation (rhbz 1635475 1635476) \* Mon Oct 1 2018 Laura Abbott <labbott(a)redhat.com&gt; - Disable CONFIG\_CRYPTO\_DEV\_SP\_PSP (rhbz 1608242) \* Mon Oct 1 2018 Laura Abbott <labbott(a)redhat.com&gt; - Fix for Intel Sensor Hub (rhbz 1634250) \* Sun Sep 30 2018 Laura Abbott <labbott(a)redhat.com&gt; - 4.18.11-200 - Linux v4.18.11 \* Wed Sep 26 2018 Laura Abbott <labbott(a)redhat.com&gt; - 4.18.10-200 - Linux v4.18.10 \* Wed Sep 26 2018 Laura Abbott <labbott(a)redhat.com&gt; - Fix powerpc IPv6 (rhbz 1628394) \* Mon Sep 24 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - Fix CVE-2018-14633 (rhbz 1626035 1632185) \* Thu Sep 20 2018 Laura Abbott <labbott(a)redhat.com&gt; - 4.18.9-200 - Linux v4.18.9 - Fixes CVE-2018-17182 (rhbz 1631205 1631206) \* Sun Sep 16 2018 Laura Abbott <labbott(a)redhat.com&gt; - 4.18.8-200 - Linux v4.18.8 \* Fri Sep 14 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - Additional Fixes for CVE-2018-5391 (rhbz 1616059) \* Thu Sep 13 2018 Laura Abbott <labbott(a)redhat.com&gt; - Use the CPU RNG for entropy (rhbz 1572944) \* Thu Sep 13 2018 Laura Abbott <labbott(a)redhat.com&gt; - HID fixes (rhbz 1627963 1628715) \* Mon Sep 10 2018 Laura Abbott <labbott(a)redhat.com&gt; - 4.18.7-200 - Linux v4.18.7 \* Sun Sep 9 2018 Laura Abbott <labbott(a)redhat.com&gt; - 4.18.6-200 - Linux v4.18.6 \* Fri Aug 24 2018 Laura Abbott <labbott(a)redhat.com&gt; - 4.18.5-200 - Linux v4.18.5 \* Fri Aug 24 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - 4.17.19-200 - Linux v4.17.19 \* Wed Aug 22 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - 4.17.18-200 - Linux v4.17.18 \* Mon Aug 20 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - 4.17.17-200 - Linux v4.17.17 - Fix CVE-2018-15471 (rhbz 1610555 1618414) \* Wed Aug 15 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - 4.17.14-202 - Include missing Forshadow patches \* Tue Aug 14 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - 4.17.14-201 - Fix "Foreshadow" CVE-2018-3620 CVE-2018-3646 (rhbz 1585005 1615998) \* Thu Aug 9 2018 Justin M. Forbes <jforbes(a)redhat.com&gt; - 4.17.14-200 - Linux v4.17.14 \* Wed Aug 8 2018 Justin M. Forbes <jforbes(a)redhat.com&gt; - 4.17.13-200 - Linux v4.17.13 \* Fri Aug 3 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - 4.17.12-200 - Linux v4.17.12 - Fixes CVE-2018-14734 (rhbz 1611005 1611007) - Fixes (rhbz 1609932) \* Wed Aug 1 2018 Peter Robinson <pbrobinson(a)fedoraproject.org&gt; - Add fix for lan78xx RX packets (Raspberry Pi 3B+) \* Mon Jul 30 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - 4.17.11-200 - Linux v4.17.11 - Turn off kernel-headers for the split - Fix CVE-2018-14678 (rhbz 1608559 1608560) \* Wed Jul 25 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - 4.17.10-200 - Linux v4.17.10 \* Mon Jul 23 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - 4.17.9-200 - Linux v4.17.9 - Fix emergency shell with ext4 rootfs (rhbz 1602971) \* Mon Jul 23 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - Fix iwlwifi module load failure (rhbz 1607092) \* Tue Jul 17 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - 4.17.7-200 - Linux v4.17.7 \* Thu Jul 12 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - Avoid an early WARN\_ON in Xen (rhbz 1592976) - Fix perceived dead xhci host (rhbz 1597333) \* Thu Jul 12 2018 Dan Hor��k <dan(a)danny.cz&gt; - Enable HDA sound drivers on PPC \* Wed Jul 11 2018 Jeremy Cline <jcline(a)redhat.com&gt; - 4.17.6-200 - Linux v4.17.6 \* Wed Jul 11 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - Add device ID for RTL8822BE in the Asus ROG GL702ZC (rhbz 1599917) \* Mon Jul 9 2018 Jeremy Cline <jcline(a)redhat.com&gt; - 4.17.5-200 - Linux v4.17.5 - Fix CVE-2018-13405 (rhbz 1599161 1599162) \* Thu Jul 5 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - Fix CVE-2018-13053 (rhbz 1597747 1597748) - Fix CVE-2018-12896 (rhbz 1597759 1597760) - Fix CVE-2018-13093 (rhbz 1597766 1597767) - Fix CVE-2018-13094 (rhbz 1597771 1597772) - Fix CVE-2018-13095 (rhbz 1597775 1597777) \* Tue Jul 3 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - 4.17.4-200 - Linux v4.17.4 \* Fri Jun 29 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - Revert the CRNG init patches (rhbz 1572944) \* Thu Jun 28 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - Fix CVE-2018-12714 (rhbz 1595835 1595837) \* Tue Jun 26 2018 Laura Abbott <labbott(a)redhat.com&gt; - Enable leds-pca9532 module (rhbz 1595163) \* Tue Jun 26 2018 Jeremy Cline <jcline(a)redhat.com&gt; - 4.17.3-200 - Linux v4.17.3 \* Mon Jun 25 2018 Laura Abbott <labbott(a)fedoraproject.org&gt; - Some webcam fixes (rhbz 1592454 1590304) - Fix for armv7 siginfo ABI regression (rhbz 1591516) \* Fri Jun 22 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - Fix CVE-2018-12633 (rhbz 1594170 1594172) \* Thu Jun 21 2018 Laura Abbott <labbott(a)fedoraproject.org&gt; - Fix for Xen MTU issue (rhbz 1584216) \* Thu Jun 21 2018 Peter Robinson <pbrobinson(a)fedoraproject.org&gt; - Add fix for 96boards DB410c \* Tue Jun 19 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - Re-apply the XPS 13 9370 backlight, ath10k bandwidth, and kexec patches - Don't log an error if RTC\_NVMEM isn't enabled (rhbz 1568276) \* Mon Jun 18 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - 4.17.2-200 - Linux v4.17.2 Rebase \* Sun Jun 17 2018 Jeremy Cline <jcline(a)redhat.com&gt; - 4.16.16-300 - Linux v4.16.16 \* Tue Jun 12 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - Fix a crash in ath10k when bandwidth changes (rhbz 1577106) - Fix kexec\_file\_load pefile signature verification (rhbz 1470995) \* Tue Jun 12 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - Fix CVE-2018-12232 (rhbz 1590215 1590216) \* Mon Jun 11 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - 4.16.15-300 - Fix for the keyboard backlight on Dell XPS 13 9370 - Linux v4.16.15 \* Mon Jun 11 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - Fix CVE-2018-10853 (rhbz 1589890 1589892) \* Tue Jun 5 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - Enable CONFIG\_SCSI\_DH on s390x (rhbz 1586189) \* Tue Jun 5 2018 Jeremy Cline <jcline(a)redhat.com&gt; - 4.16.14-300 - Linux v4.16.14 \* Mon Jun 4 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - Drop SanDisk SD7UB3Q\*G1001 NOLPM quirk (rhbz 1583207) \* Wed May 30 2018 Jeremy Cline <jcline(a)redhat.com&gt; - 4.16.13-300 - Linux v4.16.13 - Fixes CVE-2018-11506 (rhbz 1583210 1583213) \* Fri May 25 2018 Jeremy Cline <jcline(a)redhat.com&gt; - 4.16.12-300 - Linux v4.16.12 - Fix CVE-2018-10840 (rhbz 1582346 1582348) - Fix for incorrect error message about parsing PCCT (rhbz 1435837) \* Tue May 22 2018 Jeremy Cline <jcline(a)redhat.com&gt; - 4.16.11-300 - Linux v4.16.11 \* Mon May 21 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - 4.16.10-301 - Fix CVE-2018-3639 (rhbz 1566890 1580713) \* Mon May 21 2018 Jeremy Cline <jcline(a)redhat.com&gt; - 4.16.10-300 - Linux v4.16.10 \* Sun May 20 2018 Hans de Goede <hdegoede(a)redhat.com&gt; - Enable GPIO\_AMDPT, PINCTRL\_AMD and X86\_AMD\_PLATFORM\_DEVICE Kconfig options to fix i2c and GPIOs not working on AMD based laptops (rhbz#1510649) \* Thu May 17 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - Fix CVE-2018-1120 (rhbz 1575472 1579542) \* Thu May 17 2018 Jeremy Cline <jcline(a)redhat.com&gt; - 4.16.9-300 - Linux v4.16.9 - Silence unwanted "swiotlb buffer is full" warnings (rhbz 1556797) \* Wed May 9 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - Workaround for m400 uart irq firmware description (rhbz 1574718) \* Wed May 9 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - 4.16.8-300 - Linux v4.16.8 \* Mon May 7 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - Fix issue with KVM on older Core 2 processors (rhbz 1566258) \* Sat May 5 2018 Peter Robinson <pbrobinson(a)fedoraproject.org&gt; - ARM and Raspberry Pi fixes - Fix USB-2 on Tegra devices \* Fri May 4 2018 Laura Abbott <labbott(a)redhat.com&gt; - Fix for building out of tree modules on powerpc (rhbz 1574604) \* Fri May 4 2018 Justin M. Forbes <jforbes(a)fedoraproject.org&gt; - Fix CVE-2018-10322 (rhbz 1571623 1571624) - Fix CVE-2018-10323 (rhbz 1571627 1571630) \* Wed May 2 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - 4.16.7-300 - Linux v4.16.7 \* Tue May 1 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - 4.16.6-302 - Revert the entire random series from 4.16.4 (rhbz 1572944) \* Tue May 1 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - 4.16.6-301 - Revert the fix for CVE-2018-1108 (rhbz 1572944) \* Mon Apr 30 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - 4.16.6-300 - Linux v4.16.6 \* Fri Apr 27 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - 4.16.5-300 - Fix an issue with bluetooth autosupsend on some XPS 13 9360 (rhbz 1514836) - Fix prlimit64 with RLIMIT\_CPU ignored (rhbz 1568337) - Linux v4.16.5 \* Fri Apr 27 2018 Peter Robinson <pbrobinson(a)fedoraproject.org&gt; - Enable QLogic NICs on ARM \* Wed Apr 25 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - Fix a kernel oops when using Thunderbolt 3 docks (rhbz 1565131) \* Tue Apr 24 2018 Jeremy Cline <jeremy(a)jcline.org&gt; - 4.16.4-300 - Linux v4.16.4 - Fix a regression in backlight interfaces for some laptops (rhbz 1571036) -------------------------------------------------------------------------------- References: \[ 1 \] Bug #1671930 - CVE-2019-7222 Kernel: KVM: leak of uninitialized stack contents to guest https://bugzilla.redhat.com/show\_bug.cgi?id=1671930 \[ 2 \] Bug #1671913 - CVE-2019-6974 Kernel: KVM: potential use-after-free via kvm\_ioctl\_create\_device() https://bugzilla.redhat.com/show\_bug.cgi?id=1671913 \[ 3 \] Bug #1671904 - CVE-2019-7221 Kernel: KVM: nVMX: use-after-free of the hrtimer for emulation of the preemption timer https://bugzilla.redhat.com/show\_bug.cgi?id=1671904 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2019-3da64f3e61' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command\_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------

CVE-2019-7222: [SECURITY] Fedora 28 Update: kernel-4.20.8-100.fc28 - package-announce

An exploitable double fetch vulnerability exists in the SboxDrv.sys driver functionality of Invincea-X 6.1.3-24058. A specially crafted input buffer and race condition can result in kernel memory corruption, which could result in privilege escalation. An attacker needs to execute a special application locally to trigger this vulnerability.

**Summary**

An exploitable double fetch vulnerability exists in the SboxDrv.sys driver functionality of Invincea-X 6.1.3-24058. A specially crafted input buffer and race condition can result in kernel memory corruption, which could result in privilege escalation. An attacker needs to execute a special application locally to trigger this vulnerability.

**Tested Versions**

Invincea-X 6.1.3-24058 (Dell Protected Workspace)

**Product URLs**

https://www.invincea.com/solution-overview/

**CVSSv3 Score**

8.1 - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

**Details**

This vulnerability is present in the SboxDrv.sys driver which is a part of Invincea-X (Dell Protected Workspace).This product provides sandbox functionality for Windows environments. Because of weak permissions set on the driver any malicious application can communicate with driver. The application can also provide pointer value that is double fetched in the kernel, allowing an attacker to cause a race condition resulting in memory corruption which can lead to local privilege escalation. Diving into the details we need to start with permission sets on device created by vulnerable driver. Vectors of attacks are definitely increased due to the weak permissions set on the ‘\\Device\\SandboxDriverApi’ device created by the SboxDrv.sys driver which gives group Everyone full access to this device.

    accesschk.exe -o \Device\SandboxDriverApi
    \Device\SandboxDriverApi
      Type: Device
      RW Everyone
      RW NT AUTHORITY\SYSTEM
      RW BUILTIN\Administrators
      R  NT AUTHORITY\RESTRICTED
    

The driver handles a few IOCTLs codes but one of them (0x222007) is especially rich and uses the first DWORD in the input buffer to decide what particular function is executed. Let’s investigate the vulnerable function which is launched when first DWORD in input buffer is set to 0x12340001:

    .text:004014B0 ; signed int __stdcall sub_4014B0(int a1, DWORD inputBuffer)
    .text:004014B0 sub_4014B0      proc near               ; DATA XREF:    
    sub_423070+105o
    .text:004014B0
    .text:004014B0 a1              = dword ptr  8
    .text:004014B0 inputBuffer     = dword ptr  0Ch
    .text:004014B0
    .text:004014B0                 push    ebp
    .text:004014B1                 mov     ebp, esp
    .text:004014B3                 push    edi
    .text:004014B4                 mov     edi, [ebp+inputBuffer]
    .text:004014B7                 mov     edx, [edi+8]
    .text:004014BA                 test    edx, edx
    .text:004014BC                 jnz     short loc_4014C8
    .text:004014BE                 mov     eax, 0C000000Dh
    .text:004014C3                 pop     edi
    .text:004014C4                 pop     ebp
    .text:004014C5                 retn    8
    .text:004014C8 ;    
    ---------------------------------------------------------------------------
    .text:004014C8
    .text:004014C8 loc_4014C8:                             ; CODE XREF: sub_4014B0+Cj
    .text:004014C8                 mov     eax, ver_string
    .text:004014CD                 push    esi
    .text:004014CE                 lea     esi, [eax+2]
    .text:004014D1
    .text:004014D1 loc_4014D1:                             ; CODE XREF: sub_4014B0+2Aj
    .text:004014D1                 mov     cx, [eax]
    .text:004014D4                 add     eax, 2
    .text:004014D7                 test    cx, cx
    .text:004014DA                 jnz     short loc_4014D1
    .text:004014DC                 sub     eax, esi
    .text:004014DE                 sar     eax, 1
    .text:004014E0                 push    2               ; Alignment
    .text:004014E2                 lea     esi, [eax+eax+2]
    .text:004014E6                 push    esi             ; Length
    .text:004014E7                 push    edx             ; Address
    .text:004014E8                 call    ds:ProbeForWrite
    .text:004014EE                 mov     eax, ver_string
    .text:004014F3                 mov     ecx, [edi+8]
    .text:004014F6                 push    esi             ; size_t
    .text:004014F7                 push    eax             ; void *
    .text:004014F8                 push    ecx             ; void *
    .text:004014F9                 call    memcpy
    .text:004014FE                 add     esp, 0Ch
    .text:00401501                 pop     esi
    .text:00401502                 xor     eax, eax
    .text:00401504                 pop     edi
    .text:00401505                 pop     ebp
    .text:00401506                 retn    8
    .text:00401506 sub_4014B0      endp
    

At address 004014B4 we see that inputBuffer pointer gets put into the edi register and its later also used from this register. Next at 004014B7 a pointer specified by user at offset +8 in inputBuffer is moved to edx. The intended purpose of this pointer is to hold the version of the sandbox driver. We see at address 004014E8 a very important check is done on the edx value using ProbeForWrite before a copy operation is made to this buffer. However, a double fetch vulnerability appears at 004014F3 where the buffer pointer value to which driver version should be copied is again read from inputBuffer (edi + 8) instead of using the checked pointer value kept in edx. This vulnerability opens the possibility for race condition where a malicious application changes the pointer value between ProbeForWrite and its usage in memcpy. Finally that situation will lead to an arbitrary write in kernel address space.

Pseudo-code presenting vulnerable code:

    signed int __stdcall sub_4014B0(int a1, struct_inputBuffer *inputBuffer)
    
      void *inVerBufferLocalPtr; // edx@1
      unsigned int v4; // esi@3
    
      inVerBufferLocalPtr = inputBuffer->inVerBuffer;
      if ( !inVerBufferLocalPtr )
    	return 0xC000000D;
      v4 = 2 * wcslen((const unsigned __int16 *)ver_string) + 2;
      ProbeForWrite(inVerBufferLocalPtr, v4, 2u);
      memcpy(inputBuffer->inVerBuffer, ver_string, v4);
      return 0;
    

**Timeline**

2016-12-12 - Vendor Disclosure  
2017-06-30 - Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

CVE-2016-9038: TALOS-2016-0256 || Cisco Talos Intelligence Group

drivers/input/serio/i8042.c in the Linux kernel before 4.12.4 allows attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port->exists value can change after it is validated.

CVE-2017-18079

crypto/pcrypt.c in the Linux kernel before 4.14.13 mishandles freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls.

CVE-2017-18075

SonicWall SonicOS on Network Security Appliance (NSA) 2017 Q4 devices has XSS via the CFS Custom Category and Cloud AV DB Exclusion Settings screens.

Document Title: =============== SonicWall SonicOS NSA - Bypass & Persistent Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get\_content.php?id=1729 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5281 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5280 CVE-ID: ======= CVE-2018-5281 Release Date: ============= 2018-01-04 Vulnerability Laboratory ID (VL-ID): ==================================== 1729 Common Vulnerability Scoring System: ==================================== 4.5 Vulnerability Class: ==================== Multiple Current Estimated Price: ======================== 2.000€ - 3.000€ Product & Service Introduction: =============================== Achieve a deeper level of security with the SonicWALL Network Security Appliance (NSA) Series of next-generation firewalls. NSA Series appliances integrate automated and dynamic security capabilities into a single platform, combining the patented1, SonicWALL Reassembly Free Deep Packet Inspection (RFDPI) firewall engine with a powerful, massively scalable, multi-core architecture. Now you can block even the most sophisticated threats with an intrusion prevention system (IPS) featuring advanced anti-evasion capabilities, SSL decryption and inspection, and network-based malware protection that leverages the power of the cloud. (Copy of the Homepage: http://www.sonicwall.com/products/sonicwall-nsa/ ) The proven SonicOS architecture is at the core of every Dell SonicWALL firewall from the SuperMassive™ E10800 to the TZ 100. SonicOS uses deep packet inspection technology in combination with multi-core specialized security microprocessors to deliver application intelligence, control, and real-time visualization, intrusion prevention, high-speed virtual private networking (VPN) technology and other robust security features. (Copy of the Homepage: http://www.sonicwall.com/network-security-os-platform/ ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Core Research Team discovered a filter bypass issue and an application-side vulnerability in the official DELL SonicWall SonicOS NSA Series web-application firewall (utm) appliances. Vulnerability Disclosure Timeline: ================================== 2018-01-04: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== DELL SonicWall Product: Sonicwall SonicOS (all versions) Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ A filter bypass issue and an application-side web vulnerability has been discovered in the official SonicWall NSA Web-Firewall Appliance Series with SonicOS. The filter bypass issue allows an attacker to bypass a restricted mechanism or a filter protection to finally evade the controls of the web-application. The \`Security Service\` section with the \`Content Filter\` module allows an attacker to bypass the regular web-filter validation mechanism. Remote attackers with privileged appliance user accounts are able to inject own malicious script codes on the application-side of the affected modules. The filter of the \`CFS Custom Category\` module with the \`Add\` function allows an attacker to bypass the regular web-filter validation of the web-application. As far as an attacker injects in the \`CFS Custom Category\` a payload to the as \`Name\`, he will be forced to use only words without script code by a secure exception-handling. In the Formular of the Edit procedure is also an \`Update\` function available. Remote attackers with local low privileged user accounts are able to bypass the name input validation the following way. First the attacker inserts a regular domain, after that the update function is available. Now the attacker injects his payload to the \` Content\` input field and clicks update to the already temporarily stored entry. Now the illegal payload is inside the listing and can be saved via \`OK\` for further manipulation to compromise the web appliance of sonicwall. The vulnerable files were the injection point is located are \`addTrustedDomainDlg.html\` and \`gavCloudExclusions.html\`. The final script code execution occurs in the \`main.html or index\` file. The same filter bypass issue is located in the \`Cloud AV DB Exclusion Settings\` module with the vulnerable \`Cloud AV Signature ID\` input field context as well. After the context is include an application-side script code execution occurs in the main listing of the \`CFS Custom Category\`. The validation does not encode the input of the Edit formular and sends the context to the item listing in the index of the content filter module. The attack vector of the issue is located on the application-side and the request method to inject is POST. The security risk of the filter bypass and persistent validation vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.5. Exploitation of the persistent input validation web vulnerability requires a low privileged or restricted web-application user account and low or medium user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects to malicious source and persistent manipulation of affected or connected application modules. Request Method(s): \[+\] POST Vulnerable Module(s): \[+\] CFS Custom Category \[+\] Cloud AV DB Exclusion Settings Vulnerable File(s): \[+\] addTrustedDomainDlg.html \[+\] gavCloudExclusions.html Vulnerable Inputs(s): \[+\] Name \[+\] Content \[+\] Cloud AV Signature ID Vulnerable Parameter(s): \[+\] cfsRatingObjectName \[+\] selectedItem \[+\] itemList \[+\] cfsRatingDomainList \[+\] gav\_cloud\_exclude\_list \[+\] inputbox \[+\] list Affected Module(s): \[+\] CFS Custom Category - Item Listing (Name & Content) \[+\] Gateway Anti-Virus Signatures - Item Listing (Name & Content) Proof of Concept (PoC): ======================= The filter bypass and application-side input validation vulnerability can be exploited by remote attackers with privileged web-application user account and low or medium user interaction For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Open the appliance web-application (nsa series) 2. Login to the application 3. Switch to the Security Services 4. Open the Content Filter module 5. Scroll down and click in the \`CFS Custom Category\` the \`Add\` button 6. Now, a new form opens with several inputs Note: To edit existing items the item listing or to add new context to the item listing 7. Include a regular name and a basic content as domain name 8. Save the entry temporarily via \`Add\` to the edit list 9. Choose the same track that you added and include a script code payload after the domainname 10. Now, click on update (Note via Add!) 11. The illegal domain context is now saved Note: We used the update function to bypass the protected Add mechanism 12. Click the Ok button to save the entry to the dbms of the appliance web-application 13. The code executes directly in the item list of the CFS Custom Category module next to the add function 14. Successful reproduce of the filter bypass issue and persistent vulnerability! --- Session Logs (Standard Request) --- Status: pending\[\] POST https://utm\_waf.sonicwall.localhost:8351/main.cgi Mime Type\[unknown\] Request Header: Host\[utm\_waf.sonicwall.localhost:8351\] User-Agent\[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\] Accept\[text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8\] Accept-Language\[de,en-US;q=0.7,en;q=0.3\] Accept-Encoding\[gzip, deflate\] Referer\[https://utm\_waf.sonicwall.localhost:8351/addCfsLocalRating\_-1.html\] Cookie\[curUrl=securityServicesCFView.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 777=0; 7433=divHAInterfaces; 7513=0\] POST-Daten: csrfToken\[\] cfsRatingObjectName\[test23\] cfsRatingCategory\[2\] selectedItem\[test.com\] itemList\[test.com\] cfsRatingDomainList\[test.com\] refresh\_page\[securityServicesCFView.html\] tableIndex\[-1\] cgiaction\[%5Bobject+Window%5D\] --- PoC Session Logs (POST) \[Inject\] #1 --- Status: pending\[\] POST https://utm\_waf.sonicwall.localhost:8351/main.cgi Mime Type\[unknown\] Request Header: Host\[utm\_waf.sonicwall.localhost:8351\] User-Agent\[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\] Accept\[text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8\] Accept-Language\[de,en-US;q=0.7,en;q=0.3\] Accept-Encoding\[gzip, deflate\] Referer\[https://utm\_waf.sonicwall.localhost:8351/addCfsLocalRating\_-1.html\] Cookie\[curUrl=systemStatusView.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 777=0; 7433=divHAInterfaces; 7513=0\] POST-Daten: csrfToken\[\] cfsRatingObjectName\[+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%2823%29%3B%3EMALIICOUS INJECTED PAYLOAD!\] cfsRatingCategory\[9\] selectedItem\[testdomain.com++%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%2823%29%3B%3E+++%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E\] itemList\[testdomain.com++%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%2823%29%3B%3E+++%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E\] cfsRatingDomainList\[testdomain.com++%22%26gt%3B%26lt%3Bimg+src%3Dx+onerror%3Dprompt%2823%29%3B%26gt%3B+++%22%26gt%3B%26lt%3B%22%26lt%3Bimg+src%3D%22x%22%26gt%3B%2520%2520%26gt%3B%22%26lt%3Biframe+src%3Da%26gt%3B%2520%26lt%3Biframe%26gt%3B\] refresh\_page\[securityServicesCFView.html\] tableIndex\[-1\] cgiaction\[%5Bobject+Window%5D\] --- PoC Session Logs (POST) \[Inject\] #2 --- Status: pending\[\] POST https://utm\_waf.sonicwall.localhost:8351/main.cgi Mime Type\[unknown\] Request Header: Host\[utm\_waf.sonicwall.localhost:8351\] User-Agent\[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\] Accept\[text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8\] Accept-Language\[de,en-US;q=0.7,en;q=0.3\] Accept-Encoding\[gzip, deflate\] Referer\[https://utm\_waf.sonicwall.localhost:8351/gavCloudExclusions.html\] Cookie\[curUrl=gavSummary.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 777=0; 7433=divHAInterfaces; 7513=0; 2039=local; 2040=%7B%22refreshTime%22%3A3%2C%22 showTimeRange%22%3A10%2C%22refreshEnable%22%3Atrue%2C %22viewApplications%22%3A1%2C%22viewBandwidth%22%3A1%2C%22viewPktRate%22%3A1%2C%22viewPktSize%22%3A1%2C%22 viewConnRate%22%3A1%2C%22viewConnCount%22%3A1%2C%22viewCoreMonitor%22%3A1%2C%22displayBandwidth%22%3A%22bwSelRate%22%2C %22displayPktRate%22%3A%22pktRateSelRate%22%2C%22displayPktSize%22%3A%22pktSizeSelRate%22%2C%22displayConnRate%22%3A%22 connRateSelRate%22%2C%22displayConnCount%22%3A%22connCountSelCount%22%2C%22ipVerBandwidth%22%3A%222%22%2C %22ipVerApps%22%3A%222%22%2C%22showMostFrequentApps%22%3Afalse%2C%22inChartAppLegends%22%3Afalse%2C%22hideAppLegends%22%3Atrue%2C%22inChartBwLegends %22%3Afalse%2C%22hideBwLegends%22%3Atrue%2C%22hidePktRateLegends%22%3Atrue%2C %22hidePktSizeLegends%22%3Atrue%2C%22hideConnRateLegends%22%3Atrue%2C%22hideConnCountLegends%22%3Atrue%2C%22hideAppChart%22%3Afalse%2C%22hideBwChart %22%3Afalse%2C%22hidePktRateChart%22%3Afalse%2C%22hidePktSizeChart%22%3Afalse%2C %22hideConnRateChart%22%3Afalse%2C%22hideConnCountChart%22%3Afalse%2C%22hideCoreMonChart%22%3Afalse%2C%22hideMemoryMonChart%22%3Afalse%2C%22rtAppColors %22%3A%5B%22%23081D58%22%2C%22%23253494%22%2C%22%23225EA8%22%2C%22%231D91C0%22%2C %22%2341B6C4%22%2C%22%237FCDBB%22%2C%22%23C7E9B4%22%2C%22%23EDF8B1%22%2C%22%23FFFFD9%22%5D%2C%22rtDataColors %22%3A%5B%22%23E41A1C%22%2C%22%23377EB8%22%2C%22%234DAF4A%22%2C%22%23984EA3%22%2C%22%23FF7F00%22%2C%22%23FFFF33%22%2C %22%23A65628%22%2C%22%23F781BF%22%2C%22%23999999%22%2C%22%235A6B34%22%2C%22%23F0D64E%22%2C%22%23D7B740%22%2C%22%23AB80 24%22%2C%22%23925818%22%2C%22%23DB5A6E%22%2C%22%23071D69%22%2C%22%230A1650%22%2C%22%234571DA%22%2C%22%23E18B5C%22%2C %22%23028482%22%2C%22%237ABA7A%22%2C%22%23B76EB8%22%5D%2C%22useGradient%22%3Atrue%7D\] POST-Daten: csrfToken\[???\] inputbox\[123123123+%22%3E%3CMALIICOUS INJECTED PAYLOAD!+src%3Da%3E\] list\[123123123+%22%3E%3CMALIICOUS INJECTED PAYLOAD!+src%3Da%3E\] gav\_cloud\_exclude\_list\[123123123+%22%3E%3CMALIICOUS INJECTED PAYLOAD!+src%3Da%3E\] gav\_cloud\_refresh\_exclusions\[\] refresh\_page\[gav\_cloud.html\] isobject\[1\] cgiaction\[%5Bobject+Window%5D\] Reference(s): https://utm\_waf.sonicwall.localhost:8351/main.cgi https://utm\_waf.sonicwall.localhost:8351/gavCloudExclusions.html https://utm\_waf.sonicwall.localhost:8351/addTrustedDomainDlg.html Solution - Fix & Patch: ======================= The vulnerability can be patched by setting up a secure validation for the update inputbox save procedure. Use the same as on the add procedure. Encode the context and disallow usage of special chars in the item list when processing to add. Parse the context and filter the input next to the permanent save that finally displays the context in the main item list to prevent an application-side script code execution. Note: The vulnerabilities has been reported to the dell security team. The issue has been resolved to 2016Q4 - 2017Q4 by the sonicwall developers. Security Risk: ============== The security risk of the application-side input validation web vulnerability and the filter bypass issue are estimated as medium (CVSS 4.5). Credits & Authors: ================== Benjamin K.M. \[bkm@vulnerability-lab.com\] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss\_upcoming.php - vulnerability-lab.com/rss/rss\_news.php Social: twitter.com/vuln\_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission. Copyright © 2018 | Vulnerability Laboratory - \[Evolution Security GmbH\]™

CVE-2018-5281

SonicWall SonicOS on Network Security Appliance (NSA) 2016 Q4 devices has XSS via the Configure SSO screens.

Document Title: =============== SonicWall SonicOS NSA - Multiple Web Vulnerabilities References (Source): ==================== http://www.vulnerability-lab.com/get\_content.php?id=1725 Release Date: ============= 2018-01-06 Vulnerability Laboratory ID (VL-ID): ==================================== 1725 Common Vulnerability Scoring System: ==================================== 4.5 Vulnerability Class: ==================== Multiple Current Estimated Price: ======================== 1.000€ - 2.000€ Product & Service Introduction: =============================== Achieve a deeper level of security with the SonicWALL Network Security Appliance (NSA) Series of next-generation firewalls. NSA Series appliances integrate automated and dynamic security capabilities into a single platform, combining the patented1, SonicWALL Reassembly Free Deep Packet Inspection (RFDPI) firewall engine with a powerful, massively scalable, multi-core architecture. Now you can block even the most sophisticated threats with an intrusion prevention system (IPS) featuring advanced anti-evasion capabilities, SSL decryption and inspection, and network-based malware protection that leverages the power of the cloud. (Copy of the Homepage: http://www.sonicwall.com/products/sonicwall-nsa/ ) The proven SonicOS architecture is at the core of every Dell SonicWALL firewall from the SuperMassive™ E10800 to the TZ 100. SonicOS uses deep packet inspection technology in combination with multi-core specialized security microprocessors to deliver application intelligence, control, and real-time visualization, intrusion prevention, high-speed virtual private networking (VPN) technology and other robust security features. (Copy of the Homepage: http://www.sonicwall.com/network-security-os-platform/ ) Abstract Advisory Information: ============================== The vulnerability laboratory core research Team discovered multiple persistent validation vulnerabilities and a filter bypass issue in the official DELL SonicWall SonicOS NSA Series web-application firewall (utm) appliances. Vulnerability Disclosure Timeline: ================================== 2018-01-06: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== DELL Product: SonicWall UTM Firewall (NSA;MX,CLI;TZ) Series 2016 Q4 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ Multiple persistent input validation web vulnerabilities and a filter bypass issue has been discovered in the official SonicWall SoniOS NSA UTM Web-Firewall Series. The issue allows remote attackers and privileged user accounts to inject own malicious script codes with persistent attack vector to the affected modules to compromise the web-application or user session data. The peristent exploitable validation vulnerabilities are located in the \`Host Name / IP Address\`, \`Client Name/IP Address\` and \`Proxy Forward To\` input fields of the \`Users - Settings - Configure SSO\` web appliance module. Remote attackers and low privileged application user accounts are able to inject own malicious script codes to the vulnerable input fields to compromise the \`Users - Settings - Configure SSO\` settings module item listing. At the end an attacker is able to save the information as executable content within the backend. After that the malicious context is saved to the SSO configuration module which executes the context. The input fields are not parsed, the context does not encode the input with a secure mechanism. The injection points are the marked input fields with the request method of the vulnerable modules. The execution points are located in the item listing of the separate sections. A filter restriction is implemented and is trying to secure the validation. The filter mechanism parses iframes with src source and other script code tags. In case of a mouseover onload link to a source or an img src onload with cookie alert the tags can bypass the filter validation procedure somehow and an execution of the context occurs. The security risk of the peristent web vulnerabilities and filter bypass issue are estimated as medium with a cvss (common vulnerability scoring system) count of 4.5. Exploitation of the persistent web vulnerabilities and filter bypass issue requires a low privileged web application user account and low or medium user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects, persistent load of malicious script codes or persistent web module context manipulation. Affected Request Method(s): \[+\] POST Vulnerable Module(s): \[+\] Users - Settings - Configure SSO - SSO Agents \[+\] Users - Settings - Configure SSO - Terminal Services Agent Settings \[+\] Users - Settings - Configure SSO - RADIUS Accounting Single-Sign-On Vulnerable Input(s): \[+\] Host Name / IP Address \[+\] Client Name/IP Address \[+\] Proxy Forward To Vulnerable Parameter(s): \[+\] ldapServerBindName \[+\] usrTreesSel \[+\] ldapUsrsTree\_1 \[+\] svcObjId Affected Serie(s): \[+\] SonicWALL NSA 6600 \[+\] SonicWALL NSA 5600 \[+\] SonicWALL NSA 4600 \[+\] SonicWALL NSA 3600 \[+\] SonicWALL NSA 2600 \[+\] SonicWALL NSA 250M Affected System(s): \[+\] SonicOS (Standard or Enhanced) Proof of Concept (PoC): ======================= The web vulnerabilities can be exploited by remote attackers with low privileged or restricted appliance application user account with low or medium user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Open the appliance web-application firewall of sonicwall and login as restricted user or lower privileged user account 2. Surf to the Users module 3. Click to Settings and open the "SSO Configure" button 4. Open one of the vulnerable modules Note: Users > Settings > Configure SSO > SSO Agents; > Terminal Services Agent Settings or > RADIUS Accounting Single-Sign-On 5. Inject a script code payload to the Host Name/IP Address(es), Client Name/IP Address & Proxy Forward To input fields Note: Regular frames are filtered but img or iframes with alert onload or onmouseover tag do bypass the filter validation 6. Save the entry and the payload directly executes in the utm firewall web user interface 7. Successful reproduce of the application-side input validation vulnerability and filter bypass issue! PoC Payload(s): ">XSS ONMOUSEOVER TEST "> "><"%20%20>"

CVE-2018-5280

Use-after-free vulnerability in fs/crypto/ in the Linux kernel before 4.10.7 allows local users to cause a denial of service (NULL pointer dereference) or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs encryption, causing cryptographic transform objects to be freed prematurely.

Tag

#dell