In Tenda AC15 V15.03.05.19, the function "henan_pppoe_user" contains a stack-based buffer overflow vulnerability.

Tenda AC15 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC15V1.0BR\_V15.03.05.19

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "henan\_pppoe\_user" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

范启航 220579866

CVE-2023-30376: Tenda/9.md at main · 2205794866/Tenda

In Tenda AC15 V15.03.05.19, The function "xkjs_ver32" contains a stack-based buffer overflow vulnerability.

Tenda AC15 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC15V1.0BR\_V15.03.05.19

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "xkjs\_ver32" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

范启航 220579866

CVE-2023-30372: Tenda/10.md at main · 2205794866/Tenda

In Tenda AC15 V15.03.05.19, the function "sub_8EE8" contains a stack-based buffer overflow vulnerability.

Tenda AC15 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC15V1.0BR\_V15.03.05.19

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "sub\_8EE8" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

范启航 220579866

CVE-2023-30378: Tenda/5.md at main · 2205794866/Tenda

In Tenda AC15 V15.03.05.19, the function "sub_ED14" contains a stack-based buffer overflow vulnerability.

Tenda AC15 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC15V1.0BR\_V15.03.05.19

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "sub\_ED14" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

范启航 220579866

CVE-2023-30371: Tenda/4.md at main · 2205794866/Tenda

In Tenda AC15 V15.03.05.19, the function GetValue contains a stack-based buffer overflow vulnerability.

Tenda AC15 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC15V1.0BR\_V15.03.05.19

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "GetValue" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

范启航 220579866

CVE-2023-30370: Tenda/7.md at main · 2205794866/Tenda

Debian Linux Security Advisory 5393-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5393-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffApril 22, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-2133 CVE-2023-2134 CVE-2023-2135 CVE-2023-2136                  CVE-2023-2137Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 112.0.5615.138-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmREBtkACgkQEMKTtsN8TjZHjA//Xt54GrjHMIT1eis48gYiXhfhUxNl1MiA4eeSYFJuidwGLoZbG8AGmT+2OHUvwjOCiJ4RHV06fnpPuftn95Q9Ehz79WkNeeZSIKCuZPeNK6u6c2LZv3enU3ojFejG5y6k/L6kwBx7VUPNnvraZVZcB0zwbL/f9B5wXgAwluxqynyX3vZBPRjTsJATLQs/PMhx7wWVFXspQjIm6+9bVySuNEsIUTIsDNnRlLnSVler3THdcmlHLBVDU1Qb3CIN6bAzDDnJSOUQIHWKIPLSr84ygeT6n0/eeC7qzqJ4WvG7TKhsyXrH1z+XzRdMFajVDrOhYmofmRG4WgyXibcOfi0eR7aEahNVG4aLZlP+hZvKDlDrSJ5kzI8IH4NaXZid9IGZaOXvxKaTOsKaBuC3uHDlWny1aU5MBb/itSeYbXmNVzIip7BJ10wG9rjaQ4d6VEbrMDEEWy5rqP1PUexW5wNDAwNhMHhV2pgPHnDzkC3ScQM6uN4X2vxs58oGMaSsjqjYpR5MOIEoh2SnNdz4NDXxjP8+bdpOu7MOIh4nYBC/zcWf84DgeMq1tv3RR2LDXfwdMZyxlZc7thPvtZhXfUsDJRX38LD0S0B4JR1ERRqYerpj3ixAuOk6OyyJA0CcdiI1Yave1rFGzjzitxYkpgYG+uRYa/GWgDOuG1Ebbk6R2cE==vqQn-----END PGP SIGNATURE-----

Debian Security Advisory 5393-1

Debian Linux Security Advisory 5392-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5392-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
April 22, 2023                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : thunderbird  
CVE ID         : CVE-2023-0547 CVE-2023-1945 CVE-2023-28427 CVE-2023-29479   
                 CVE-2023-29533 CVE-2023-29535 CVE-2023-29536 CVE-2023-29539   
                 CVE-2023-29541 CVE-2023-29548 CVE-2023-29550

Multiple security issues were discovered in Thunderbird, which could  
result in denial of service or the execution of arbitrary code.

For the stable distribution (bullseye), these problems have been fixed in  
version 1:102.10.0-1~deb11u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmREBsEACgkQEMKTtsN8  
TjZX4w/+OuttNpDWu8m7daY/USfgb3U7pVI+wbMrqMKxSjQ6BRCUaCcXN1VXZpXn  
cOGTqSoFB+qBgYrSjJ0buH9L1yWAQXfaw43wF9eDAfRZB1Svzhl+W164GGks1YKZ  
9WbJ255lvCuXuNbmP+I1xYtuN5epP1saNAET/3HDkJUbXre5T3wdGCjgJnfyE6vf  
JhAwqVYEbOabRisnEhkP67yHk6mEz2QzH+KbbxyS7hCHp+I4RIMNhxPeoPb2Mn/t  
3oja8bC1WGpJaOaQy99UlCD11L8li30LbVb95V8l91tVzbXJwfOCmdjdRp+8/xA/  
fSpNdjCa7rbX8FWeU/FNunia/KkkJgc3qa65+e0muq99gdBk/+1HrrysjZt2oya5  
/vOMLjDfRmfqyB2fn65Isl2PhJnJN9EtPXeEFGLGNmRfqVlg2w4qXm2UUGDPmeuF  
rQrsYJ7YLLfQp7JejtNbPZbH+csEXFn2DRVv9YdOX5/H+a/boqe0h+9Wtmywzfw1  
uH+A5iY5JyLhknMyzfopCfpZIcV4ieRxeOdKvkUom67zKr2OAigSGxpz7EFdnunn  
gITqkbFqHtdjcCq/Vuj+vlfcUP7iLrWNSR9FZc9k9QcN0kaot8CqUmXF4zjkH/le  
sZMm+pcds9XpShSb3SXatKj3YY/O+DbHEcuKFSjg6DSHwEz4GLI=  
=tV7a  
-----END PGP SIGNATURE-----

Debian Security Advisory 5392-1

In LTOS versions prior to V7.06.013, the configuration file upload function would not correctly validate the input, which would allow an remote authenticated attacker with high privileges to execute arbitrary commands.


**News from 2023-03-23**  
﻿

The LANTIME firmware version 7.06.013 includes security updates of various third party libraries and programs.

Meinberg

recommends

updating to LANTIME firmware version 7.06.013.

  

Estimation of Severity up to and including

*   **LANTIME firmware V7.06.011:**  
    severity level critical(0), high (3), medium (4), low (1), unknown (3)
*   **LANTIME firmware V7.06.012:**  
    severity level critical(0), high (0), medium (0), low (1), unknown (0)

Updated Versions:

*   LANTIME firmware: V7.06.013

1.  **Description of the Vulnerabilities**
    *   Third-party software:
        *   curl:
            *   **CVE-2022-43551** - Another HSTS bypass via IDN (high)  
                **CVE-2022-43552** - HTTP Proxy deny use-after-free (medium)  
                **CVE-2023-23914** - HSTS ignored on multiple requests (unknown)  
                **CVE-2023-23915** - HSTS amnesia with –parallel (unknown)  
                **CVE-2023-23916** - HTTP multi-header compression denial of service (unknown)
                
                https://curl.se/docs/security.html
                
                **Fixed in:**  
                V7.06.012 MBGID-13207
                
        *   openssl:
            *   **CVE-2023-0286** - X.400 address type confusion in X.509 GeneralName (high)  
                **CVE-2022-4304** - Timing Oracle in RSA Decryption (medium)  
                **CVE-2023-0215** - Use-after-free following BIO\_new\_NDEF (medium)  
                **CVE-2022-4450** - Double free after calling PEM\_read\_bio\_ex (medium)
                
                https://www.openssl.org/news/secadv/20230207.txt
                
                **Fixed in:**  
                V7.06.012 MBGID-13137
                
        *   libexpat:
            *   **CVE-2022-43680** - Fix heap use-after-free after overeager destruction of a shared DTD in function XML\_ExternalEntityParserCreate in out-of-memory situations. (high)
                
                https://github.com/libexpat/libexpat/blob/R\_2\_5\_0/expat/Changes
                
                **Fixed in:**  
                V7.06.012 MBGID-13174
                
        *   sudo:
            *   **CVE-2023-22809** - A flaw in sudo's -e option (aka sudoedit) exists that allows a malicious user with sudoedit privileges to edit arbitrary files. (low)
                
                https://www.sudo.ws/security/advisories/sudoedit\_any/
                
                **Fixed in:**  
                V7.06.012 MBGID-13172
                
                Notice: Severity low, because only a super-user, that already has the highest privileges, can use sudo.
                
    *   LTOS web interface
        *   **CVE-2023-1731** - The validation of the filename of the upload function was not correct (low)
            
            The filename of the upload function was not correctly validated. Authenticated users with the highest privileges were able to use this vulnerability to execute code.
            
            Many thanks to Noam Moshe of Claroty for reporting this vulnerability.
            
            **Fixed in:**  
            V7.06.013 MBGID-13329
            
            Notice: Severity low, because only a super-user that already has the highest privileges, can exploit this vulnerability.
            
2.  **Systems Affected**
    
    All LANTIME firmware versions before V7.06.013 are affected by the corresponding vulnerabilities. The LANTIME firmware is used by all devices of the LANTIME M series (M100, M150, M200, M250, M300, M320, M400, M450, M600, M900) as well as all devices of the LANTIME IMS series (M500, M1000, M1000S, M2000S, M3000, M3000S, M4000) and the SyncFire product family (SF1000, SF1100, SF1200).
    
    Whether and to what extent individual clients or LANTIME systems are vulnerable depends on the individual configuration, network infrastructure, and other factors, and it is therefore not possible to provide a general statement on how vulnerable a given system in use actually is.
    
3.  **Possible Security Measures**
    
    The relevant security updates are included in the LANTIME firmware versions V7.06.013(-light). Updating to these versions eliminates the listed vulnerabilities.
    
    Download the latest LANTIME firmware at:  
    
    *   Meinberg LANTIME firmware
    
    All updates are now available for Meinberg customers. An update of the LANTIME firmware to the version 7.06.013 or 7.06.013-light respectively is **recommended**. Clients who cannot install version 7.06.013 should install V7.06.013-light instead.
    
4.  **Further Information**
    
    Further details and information are available from the following websites:
    
    *   LANTIME firmware changelog: V7.06
    
    If you have any questions or need assistance, please, do not hesitate to contact Meinberg's technical support team.
    
5.  **Acknowledgments**
    
    We would like to express our gratitude to all those who have advised us of vulnerabilities or other bugs, and have also suggested improvements to us.
    
    **_Thank you!_**

CVE-2023-1731: Meinberg Security Advisory: [MBGSA-2023.02] LANTIME-Firmware V7.06.013

Tenda AC15 V15.03.05.19 is vulnerable to Buffer Overflow.

Tenda AC15 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC15V1.0BR\_V15.03.05.19

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "sub\_E2F4" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

范启航 220579866

CVE-2023-30369: Tenda/3.md at main · 2205794866/Tenda

Tenda AC5 V15.03.06.28 is vulnerable to Buffer Overflow via the initWebs function.

Tenda AC5 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC5V1.0RTL\_V15.03.06.28

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "initWebs" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

范启航 220579866

Tag

#dos