A permissions issue was addressed with improved validation. This issue is fixed in tvOS 17, iOS 17 and iPadOS 17, watchOS 10, macOS Sonoma 14. An app may be able to access sensitive user data.

Released September 18, 2023

**App Store**

Available for: Apple Watch Series 4 and later

Impact: A remote attacker may be able to break out of Web Content sandbox

Description: The issue was addressed with improved handling of protocols.

CVE-2023-40448: w0wbox

**Apple Neural Engine**

Available for devices with Apple Neural Engine: Apple Watch Series 9 and Apple Watch Ultra 2

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-40432: Mohamed GHANNAM (@\_simo36)

CVE-2023-41174: Mohamed GHANNAM (@\_simo36)

CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security

CVE-2023-40412: Mohamed GHANNAM (@\_simo36)

**Apple Neural Engine**

Available for devices with Apple Neural Engine: Apple Watch Series 9 and Apple Watch Ultra 2

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-41071: Mohamed GHANNAM (@\_simo36)

**Apple Neural Engine**

Available for devices with Apple Neural Engine: Apple Watch Series 9 and Apple Watch Ultra 2

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2023-40399: Mohamed GHANNAM (@\_simo36)

**Apple Neural Engine**

Available for devices with Apple Neural Engine: Apple Watch Series 9 and Apple Watch Ultra 2

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai

**AuthKit**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with improved handling of caches.

CVE-2023-32361: Csaba Fitzl (@theevilbit) of Offensive Security

**Bluetooth**

Available for: Apple Watch Series 4 and later

Impact: An attacker in physical proximity can cause a limited out of bounds write

Description: The issue was addressed with improved checks.

CVE-2023-35984: zer0k

**bootp**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-41065: Adam M., and Noah Roskin-Frazee and Professor Jason Lau (ZeroClicks.ai Lab)

**CFNetwork**

Available for: Apple Watch Series 4 and later

Impact: An app may fail to enforce App Transport Security

Description: The issue was addressed with improved handling of protocols.

CVE-2023-38596: Will Brattain at Trail of Bits

**CoreAnimation**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic

**Dev Tools**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to gain elevated privileges

Description: This issue was addressed with improved checks.

CVE-2023-32396: Mickey Jin (@patch1t)

**Game Center**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access contacts

Description: The issue was addressed with improved handling of caches.

CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive Security

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: The issue was addressed with improved memory handling.

CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access sensitive user data

Description: A permissions issue was addressed with improved validation.

CVE-2023-40429: Michael (Biscuit) Thomas and 张师傅(@京东蓝军)

**libpcap**

Available for: Apple Watch Series 4 and later

Impact: A remote user may cause an unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2023-40400: Sei K.

**libxpc**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to delete files for which it does not have permission

Description: A permissions issue was addressed with additional restrictions.

CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**libxpc**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access protected user data

Description: An authorization issue was addressed with improved state management.

CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**libxslt**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may disclose sensitive information

Description: The issue was addressed with improved memory handling.

CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security

**Maps**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing (wojciechregula.blog)

**MobileStorageMounter**

Available for: Apple Watch Series 4 and later

Impact: A user may be able to elevate privileges

Description: An access issue was addressed with improved access restrictions.

CVE-2023-41068: Mickey Jin (@patch1t)

**Passcode**

Available for: Apple Watch Ultra (all models)

Impact: An Apple Watch Ultra may not lock when using the Depth app

Description: An authentication issue was addressed with improved state management.

CVE-2023-40418: serkan Gurbuz

**Photos Storage**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access edited photos saved to a temporary directory

Description: The issue was addressed with improved checks.

CVE-2023-40456: Kirin (@Pwnrin)

CVE-2023-40520: Kirin (@Pwnrin)

**Safari**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to identify what other apps a user has installed

Description: The issue was addressed with improved checks.

CVE-2023-35990: Adriatik Raci of Sentry Cybersecurity

**Safari**

Available for: Apple Watch Series 4 and later

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: A window management issue was addressed with improved state management.

CVE-2023-40417: Narendra Bhati From Suma Soft Pvt. Ltd.

**Sandbox**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to overwrite arbitrary files

Description: The issue was addressed with improved bounds checks.

CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)

**Share Sheet**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access sensitive data logged when a user shares a link

Description: A logic issue was addressed with improved checks.

CVE-2023-41070: Kirin (@Pwnrin)

**Simulator**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to gain elevated privileges

Description: The issue was addressed with improved checks.

CVE-2023-40419: Arsenii Kostromin (0x3c3e)

**StorageKit**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read arbitrary files

Description: This issue was addressed with improved validation of symlinks.

CVE-2023-41968: Mickey Jin (@patch1t) and James Hutchins

**TCC**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with improved checks.

CVE-2023-40424: Arsenii Kostromin (0x3c3e), Joshua Jewett (@JoshJewett33), and Csaba Fitzl (@theevilbit) of Offensive Security

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 249451  
CVE-2023-39434: Francisco Alonso (@revskills), and Dohyun Lee (@l33d0hyun) of PK Security

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256551  
CVE-2023-41074: 이준성(Junsung Lee) of Cross Republic and me Li

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 239758  
CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong Kim(@nevul37)

CVE-2023-40429: About the security content of watchOS 10

A permissions issue was addressed with improved redaction of sensitive information. This issue is fixed in tvOS 17, iOS 17 and iPadOS 17, macOS Sonoma 14. An app may be able to read sensitive location information.

CVE-2023-40384: About the security content of iOS 17 and iPadOS 17

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem.




**Summary**

I spotted a few buffer overflow vulnerabilities at the following locations in the Zephyr Bluetooth subsystem source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/audio/tbs.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/audio/shell/mcc.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/audio/shell/media\_controller.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/host/conn.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/beacon.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/prov\_device.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/provisioner.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/shell/rpr.c

**Details**

Static buffer overflows in /subsys/bluetooth/audio/tbs.c:

int bt\_tbs\_remote\_incoming(uint8\_t bearer\_index, const char \*to,
			   const char \*from, const char \*friendly\_name)
{
	struct tbs\_service\_inst \*inst;
	struct bt\_tbs\_call \*call \= NULL;
	size\_t local\_uri\_ind\_len;
	size\_t remote\_uri\_ind\_len;
	size\_t friend\_name\_ind\_len;
...
	inst \= &svc\_insts\[bearer\_index\];
...
	if (friendly\_name) {
		inst\->friendly\_name.call\_index \= call\->index;
		(void)strcpy(inst\->friendly\_name.uri, friendly\_name); /\* VULN \*/
		friend\_name\_ind\_len \= strlen(from) + 1;
...
	if (IS\_ENABLED(CONFIG\_BT\_GTBS)) {
...
		if (friendly\_name) {
			gtbs\_inst.friendly\_name.call\_index \= call\->index;
			(void)strcpy(gtbs\_inst.friendly\_name.uri, friendly\_name); /\* VULN \*/
			friend\_name\_ind\_len \= strlen(from) + 1;
...

Stack-based buffer overflow in /subsys/bluetooth/audio/shell/mcc.c:

#ifdef CONFIG\_BT\_MCC\_OTS
static int cmd\_mcc\_send\_search\_raw(const struct shell \*sh, size\_t argc,
				   char \*argv\[\])
{
	int result;
	struct mpl\_search search;

	search.len \= strlen(argv\[1\]);
	memcpy(search.search, argv\[1\], search.len); /\* VULN \*/
	LOG\_DBG("Search string: %s", argv\[1\]);

	result \= bt\_mcc\_send\_search(default\_conn, &search);
	if (result) {
		shell\_print(sh, "Fail: %d", result);
	}
	return result;
}

Stack-based buffer overflow in /subsys/bluetooth/audio/shell/media\_controller.c:

#ifdef CONFIG\_BT\_OTS
static int cmd\_media\_set\_search(const struct shell \*sh, size\_t argc, char \*argv\[\])
{
	/\* TODO: Currently takes the raw search as input - add parameters
	 \* and build the search item here
	 \*/

	struct mpl\_search search;
	int err;

	search.len \= strlen(argv\[1\]);
	memcpy(search.search, argv\[1\], search.len); /\* VULN \*/
	LOG\_DBG("Search string: %s", argv\[1\]);

	err \= media\_proxy\_ctrl\_send\_search(current\_player, &search);
	if (err) {
		shell\_error(ctx\_shell, "Search send failed (%d)", err);
	}

	return err;
}

Heap-based buffer overflow in /subsys/bluetooth/host/conn.c:

#if defined(CONFIG\_BT\_SMP)
...
int bt\_conn\_le\_start\_encryption(struct bt\_conn \*conn, uint8\_t rand\[8\],
				uint8\_t ediv\[2\], const uint8\_t \*ltk, size\_t len)
{
	struct bt\_hci\_cp\_le\_start\_encryption \*cp;
	struct net\_buf \*buf;

	buf \= bt\_hci\_cmd\_create(BT\_HCI\_OP\_LE\_START\_ENCRYPTION, sizeof(\*cp));
	if (!buf) {
		return \-ENOBUFS;
	}

	cp \= net\_buf\_add(buf, sizeof(\*cp));
	cp\->handle \= sys\_cpu\_to\_le16(conn\->handle);
	memcpy(&cp\->rand, rand, sizeof(cp\->rand));
	memcpy(&cp\->ediv, ediv, sizeof(cp\->ediv));

	memcpy(cp\->ltk, ltk, len); /\* VULN \*/
	if (len < sizeof(cp\->ltk)) {
		(void)memset(cp\->ltk + len, 0, sizeof(cp\->ltk) \- len);
	}

	return bt\_hci\_cmd\_send\_sync(BT\_HCI\_OP\_LE\_START\_ENCRYPTION, buf, NULL);
}

Ineffective size check due to assert and buffer overflow in /subsys/bluetooth/mesh/beacon.c:

void bt\_mesh\_beacon\_priv\_random\_get(uint8\_t \*random, size\_t size)
{
	\_\_ASSERT(size <= sizeof(priv\_random.val), "Invalid random value size %u", size);
	memcpy(random, priv\_random.val, size); /\* VULN \*/
}

Static buffer overflow in /subsys/bluetooth/mesh/prov\_device.c (conf\_size could be 32 and not 16):

static void prov\_confirm(const uint8\_t \*data)
{
	uint8\_t conf\_size \= bt\_mesh\_prov\_auth\_size\_get();

	LOG\_DBG("Remote Confirm: %s", bt\_hex(data, conf\_size));

	memcpy(bt\_mesh\_prov\_link.conf, data, conf\_size); /\* VULN \*/
	notify\_input\_complete();

	send\_confirm();
}

Static buffer overflow in /subsys/bluetooth/mesh/provisioner.c (conf\_size could be 32 and not 16):

static void prov\_confirm(const uint8\_t \*data)
{
	uint8\_t conf\_size \= bt\_mesh\_prov\_auth\_size\_get();

	LOG\_DBG("Remote Confirm: %s", bt\_hex(data, conf\_size));

	if (!memcmp(data, bt\_mesh\_prov\_link.conf, conf\_size)) {
		LOG\_ERR("Confirm value is identical to ours, rejecting.");
		prov\_fail(PROV\_ERR\_CFM\_FAILED);
		return;
	}

	memcpy(bt\_mesh\_prov\_link.conf, data, conf\_size); /\* VULN \*/

	send\_random();
}

Stack-based buffer overflow in /subsys/bluetooth/mesh/shell/rpr.c:

static void rpr\_scan\_report(struct bt\_mesh\_rpr\_cli \*cli,
			    const struct bt\_mesh\_rpr\_node \*srv,
			    struct bt\_mesh\_rpr\_unprov \*unprov,
			    struct net\_buf\_simple \*adv\_data)
{
	char uuid\_hex\_str\[32 + 1\];

	bin2hex(unprov\->uuid, 16, uuid\_hex\_str, sizeof(uuid\_hex\_str));

	shell\_print(bt\_mesh\_shell\_ctx\_shell,
		    "Server 0x%04x:\\n"
		    "\\tuuid:   %s\\n"
		    "\\tOOB:    0x%04x",
		    srv\->addr, uuid\_hex\_str, unprov\->oob);

	while (adv\_data && adv\_data\->len \> 2) {
		uint8\_t len, type;
		uint8\_t data\[31\];

		len \= net\_buf\_simple\_pull\_u8(adv\_data) \- 1;
		type \= net\_buf\_simple\_pull\_u8(adv\_data);
		memcpy(data, net\_buf\_simple\_pull\_mem(adv\_data, len), len); /\* VULN \*/
		data\[len\] \= '\\0';

		if (type \== BT\_DATA\_URI) {
			shell\_print(bt\_mesh\_shell\_ctx\_shell, "\\tURI:    \\"\\\\x%02x%s\\"",
				    data\[0\], &data\[1\]);
		} else if (type \== BT\_DATA\_NAME\_COMPLETE) {
			shell\_print(bt\_mesh\_shell\_ctx\_shell, "\\tName:   \\"%s\\"", data);
		} else {
			char string\[64 + 1\];

			bin2hex(data, len, string, sizeof(string));
			shell\_print(bt\_mesh\_shell\_ctx\_shell, "\\t0x%02x:  %s", type, string);
		}
	}
}

**PoC**

I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

**Impact**

If the unchecked inputs above are attacker-controlled and cross a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.

**Patches**

This has been fixed in:

*   main: #60465

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in zephyr
*   Email us at Zephyr-vulnerabilities

embargo: 2023-08-19

CVE-2023-4264: Buffer overflow vulnerabilities in the Zephyr Bluetooth subsystem

Possible buffer overflow  in Zephyr mgmt subsystem when asserts are disabled



**Summary**

I spotted a few buffer overflow vulnerabilities at the following locations in the Zephyr Mgmt subsystem source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/mgmt/mcumgr/transport/src/smp.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/mgmt/osdp/src/osdp\_cp.c

**Details**

Buffer overflow in /subsys/mgmt/mcumgr/transport/src/smp.c:

void \*smp\_alloc\_rsp(const void \*req, void \*arg)
{
	const struct net\_buf \*req\_nb;
	struct net\_buf \*rsp\_nb;
	struct smp\_transport \*smpt \= arg;

	req\_nb \= req;

	rsp\_nb \= smp\_packet\_alloc();
	if (rsp\_nb \== NULL) {
		return NULL;
	}

	if (smpt\->functions.ud\_copy) {
		smpt\->functions.ud\_copy(rsp\_nb, req\_nb);
	} else {
		memcpy(net\_buf\_user\_data(rsp\_nb),
		       net\_buf\_user\_data((void \*)req\_nb),
		       req\_nb\->user\_data\_size); /\* VULN \*/
	}

	return rsp\_nb;
}

Buffer overflow due to assert in /subsys/mgmt/osdp/src/osdp\_cp.c:

static int cp\_build\_command(struct osdp\_pd \*pd, uint8\_t \*buf, int max\_len)
{
	struct osdp\_cmd \*cmd \= NULL;
	int len \= 0;
	int data\_off \= osdp\_phy\_packet\_get\_data\_offset(pd, buf);
#ifdef CONFIG\_OSDP\_SC\_ENABLED
	uint8\_t \*smb \= osdp\_phy\_packet\_get\_smb(pd, buf);
#endif

	buf += data\_off;
	max\_len \-= data\_off;
	if (max\_len <= 0) {
		return OSDP\_CP\_ERR\_GENERIC;
	}

	switch (pd\->cmd\_id) {
...
	case CMD\_TEXT:
		cmd \= (struct osdp\_cmd \*)pd\->ephemeral\_data;
		assert\_buf\_len(CMD\_TEXT\_LEN + cmd\->text.length, max\_len); /\* VULN: assert \*/
		buf\[len++\] \= pd\->cmd\_id;
		buf\[len++\] \= cmd\->text.reader;
		buf\[len++\] \= cmd\->text.control\_code;
		buf\[len++\] \= cmd\->text.temp\_time;
		buf\[len++\] \= cmd\->text.offset\_row;
		buf\[len++\] \= cmd\->text.offset\_col;
		buf\[len++\] \= cmd\->text.length;
		memcpy(buf + len, cmd\->text.data, cmd\->text.length); /\* VULN: buffer overflow \*/
		len += cmd\->text.length;
		break;

Buffer overflows due to assert in /subsys/mgmt/osdp/src/osdp\_pd.c:

static int pd\_build\_reply(struct osdp\_pd \*pd, uint8\_t \*buf, int max\_len)
{
	int ret \= OSDP\_PD\_ERR\_GENERIC;
	int i, len \= 0;
	struct osdp\_cmd \*cmd;
	struct osdp\_event \*event;
	int data\_off \= osdp\_phy\_packet\_get\_data\_offset(pd, buf);
#ifdef CONFIG\_OSDP\_SC\_ENABLED
	uint8\_t \*smb \= osdp\_phy\_packet\_get\_smb(pd, buf);
#endif
	buf += data\_off;
	max\_len \-= data\_off;

	switch (pd\->reply\_id) {
...
	case REPLY\_KEYPPAD:
		event \= (struct osdp\_event \*)pd\->ephemeral\_data;
		assert\_buf\_len(REPLY\_KEYPAD\_LEN + event\->keypress.length, max\_len); /\* VULN: assert \*/
		buf\[len++\] \= pd\->reply\_id;
		buf\[len++\] \= (uint8\_t)event\->keypress.reader\_no;
		buf\[len++\] \= (uint8\_t)event\->keypress.length;
		memcpy(buf + len, event\->keypress.data, event\->keypress.length); /\* VULN: buffer overflow \*/
		len += event\->keypress.length;
		ret \= OSDP\_PD\_ERR\_NONE;
		break;
	case REPLY\_RAW: {
		int len\_bytes;

		event \= (struct osdp\_event \*)pd\->ephemeral\_data;
		len\_bytes \= (event\->cardread.length + 7) / 8;
		assert\_buf\_len(REPLY\_RAW\_LEN + len\_bytes, max\_len); /\* VULN: assert \*/
		buf\[len++\] \= pd\->reply\_id;
		buf\[len++\] \= (uint8\_t)event\->cardread.reader\_no;
		buf\[len++\] \= (uint8\_t)event\->cardread.format;
		buf\[len++\] \= BYTE\_0(event\->cardread.length);
		buf\[len++\] \= BYTE\_1(event\->cardread.length);
		memcpy(buf + len, event\->cardread.data, len\_bytes); /\* VULN: buffer overflow \*/
		len += len\_bytes;
		ret \= OSDP\_PD\_ERR\_NONE;
		break;
	}
	case REPLY\_FMT:
		event \= (struct osdp\_event \*)pd\->ephemeral\_data;
		assert\_buf\_len(REPLY\_FMT\_LEN + event\->cardread.length, max\_len); /\* VULN: assert \*/
		buf\[len++\] \= pd\->reply\_id;
		buf\[len++\] \= (uint8\_t)event\->cardread.reader\_no;
		buf\[len++\] \= (uint8\_t)event\->cardread.direction;
		buf\[len++\] \= (uint8\_t)event\->cardread.length;
		memcpy(buf + len, event\->cardread.data, event\->cardread.length); /\* VULN: buffer overflow \*/
		len += event\->cardread.length;
		ret \= OSDP\_PD\_ERR\_NONE;
		break;
...

**PoC**

I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

**Impact**

If the unchecked inputs above are attacker-controlled and cross a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.

CVE-2023-4262: Buffer overflow vulnerabilities in the Zephyr Mgmt subsystem

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system.




**Summary**

I spotted an off-by-one buffer overflow vulnerability at the following location in the Zephyr FS subsystem source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/fs/fuse\_fs\_access.c

**Details**

If the string passed to the following function via the path parameter is PATH\_MAX chars long (including the NUL terminator), the insecure sprintf() function call marked below writes one NUL byte off the stack variable mount_path:

static int fuse\_fs\_access\_readdir(const char \*path, void \*buf,
			      fuse\_fill\_dir\_t filler, off\_t off,
			      struct fuse\_file\_info \*fi)
{
	struct fs\_dir\_t dir;
	struct fs\_dirent entry;
	int err;
	struct stat stat;

	ARG\_UNUSED(off);
	ARG\_UNUSED(fi);

	if (strcmp(path, "/") \== 0) {
		return fuse\_fs\_access\_readmount(buf, filler);
	}

	fs\_dir\_t\_init(&dir);

	if (is\_mount\_point(path)) {
		/\* File system API expects trailing slash for a mount point
		 \* directory but FUSE strips the trailing slashes from
		 \* directory names so add it back.
		 \*/
		char mount\_path\[PATH\_MAX\];

		sprintf(mount\_path, "%s/", path); /\* VULN \*/
		err \= fs\_opendir(&dir, mount\_path);
	} else {
		err \= fs\_opendir(&dir, path);
	}
...

**PoC**

I haven't tried to reproduce this potential vulnerability against a live install of the Zephyr OS.

**Impact**

If the unchecked input above is attacker-controlled and crosses a security boundary, depending on stack layout, the off-by-one buffer overflow vulnerability could be exploited to cause a denial of service or even achieve arbitrary code execution.

CVE-2023-4260: Off-by-one buffer overflow vulnerability in the Zephyr FS subsystem


Dell NetWorker, Version 19.7 has an improper authorization vulnerability in the NetWorker client. An unauthenticated attacker within the same network could potentially exploit this by manipulating a command leading to gain of complete access to the server file further resulting in information leaks, denial of service, and arbitrary code execution. Dell recommends customers to upgrade at the earliest opportunity.



**Impact**

High

**Details**

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-28055

Dell NetWorker, Version 19.7 has an improper authorization vulnerability in the NetWorker client. An unauthenticated attacker within the same network could potentially exploit this by manipulating a command leading to gain of complete access to the server file further resulting in information leaks, denial of service, and arbitrary code execution. Dell recommends customers to upgrade at the earliest opportunity.

8.8

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-28055

Dell NetWorker, Version 19.7 has an improper authorization vulnerability in the NetWorker client. An unauthenticated attacker within the same network could potentially exploit this by manipulating a command leading to gain of complete access to the server file further resulting in information leaks, denial of service, and arbitrary code execution. Dell recommends customers to upgrade at the earliest opportunity.

8.8

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

CVEs Addressed

Product

Software/Firmware

Affected Versions

Remediated Versions

Link

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.9, 19.9.0.1

Versions 19.9.0.2

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.8  
through 19.8.0.2

Versions 19.8.0.3

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.7 through 19.7.0.4

Versions 19.7.0.5

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Version 19.7.1

Versions 19.9.0.2

https://www.dell.com/support/home/product-support/product/networker/drivers

CVEs Addressed

Product

Software/Firmware

Affected Versions

Remediated Versions

Link

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.9, 19.9.0.1

Versions 19.9.0.2

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.8  
through 19.8.0.2

Versions 19.8.0.3

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.7 through 19.7.0.4

Versions 19.7.0.5

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Version 19.7.1

Versions 19.9.0.2

https://www.dell.com/support/home/product-support/product/networker/drivers

**Revision History**

**Revision**

**Date**

**Description**

1.0

2023-09-26

Initial Release

2.0

2023-09-27

Added Point 4 Under "Additional Info" Section

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

**Additional Information**

1.  Platforms: Windows & Linux (All variants and flavors are impacted)
2.  Impacted Components: Dell NetWorker NW Client
3.  Since the capability to modify server files remotely was added in 19.7, this vulnerability is not applicable to Versions prior to 19.7.
4.  Dell recommends that you always upgrade to the latest release/version for your product

NetWorker Family, NetWorker, NetWorker Series, NetWorker Module, Product Security Information

CVE-2023-28055: DSA-2023-294: Security update for Dell NetWorker NW Client vulnerabilities

A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to null.

Issued:

2023-08-31

Updated:

2023-08-31

**RHSA-2023:4918 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: Red Hat Single Sign-On 7.6.5 security update on RHEL 7

**Type/Severity**

Security Advisory: Important

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

New Red Hat Single Sign-On 7.6.5 packages are now available for Red Hat Enterprise Linux 7.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.  

This release of Red Hat Single Sign-On 7.6.5 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.  

Security Fix(es):  

*   jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
*   jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
*   undertow: OutOfMemoryError due to @MultipartConfig handling (CVE-2023-3223)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

**Solution**

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.  

For details on how to apply this update, refer to:  

https://access.redhat.com/articles/11258

**Affected Products**

*   Red Hat Single Sign-On 7.6 for RHEL 7 x86\_64

**Fixes**

*   BZ - 2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
*   BZ - 2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode
*   BZ - 2209689 - CVE-2023-3223 undertow: OutOfMemoryError due to @MultipartConfig handling

**Red Hat Single Sign-On 7.6 for RHEL 7**

SRPM

rh-sso7-keycloak-18.0.9-1.redhat\_00001.1.el7sso.src.rpm

SHA-256: 815b38ee5176e3db39d67d75c58e3da2d2497beb98bf0285571d956ce2f813c2

x86\_64

rh-sso7-keycloak-18.0.9-1.redhat\_00001.1.el7sso.noarch.rpm

SHA-256: 1d66f533b329f7eb6502b3c1883a610f0ba13eb91192a770eebdc588bac5cacb

rh-sso7-keycloak-server-18.0.9-1.redhat\_00001.1.el7sso.noarch.rpm

SHA-256: f74947d427d57dfa47aa747c0a22964487151056b44a88eeeaa7bc8d41d564bd

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

CVE-2023-3223

A permissions issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sonoma 14. An app may be able to access sensitive user data.

CVE-2023-23495: About the security content of macOS Sonoma 14

In Apollo  change requests, comments added by users could contain a javascript URI link that when rendered will result in an XSS that require user interaction.

CVE-2023-30959: Palantir | Trust and Security Portal

Palantir Gotham was found to be vulnerable to a bug where under certain circumstances, the frontend could have applied an incorrect classification to a newly created property or link.

Tag

#dos