Tenda AC5 US_AC5V1.0RTL_V15.03.06.28 was discovered to contain a stack overflow via the formWifiBasicSet function. This vulnerability allows attackers to cause a Denial of Service (DoS) or execute arbitrary code via a crafted payload.

Tenda AC5 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC5V1.0RTL\_V15.03.06.28

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "formWifiBasicSet" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-25217: Tenda/10.md at main · DrizzlingSun/Tenda

Tenda AC10 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the sub_45EC1C function. This vulnerability allows attackers to cause a Denial of Service (DoS) or execute arbitrary code via a crafted payload.

Tenda AC10 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC10V4.0si\_V16.03.10.13\_cn

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "sub\_45EC1C" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-27018: Tenda/7.md at main · DrizzlingSun/Tenda

Tenda AC10 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the sub_45DC58 function. This vulnerability allows attackers to cause a Denial of Service (DoS) or execute arbitrary code via a crafted payload.

Tenda AC10 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC10V4.0si\_V16.03.10.13\_cn

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "sub\_45DC58" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-27017: Tenda/6.md at main · DrizzlingSun/Tenda

Tenda AC10 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the sub_458FBC function. This vulnerability allows attackers to cause a Denial of Service (DoS) or execute arbitrary code via a crafted payload.

Tenda AC10 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC10V4.0si\_V16.03.10.13\_cn

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "sub\_458FBC" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-27019: Tenda/8.md at main · DrizzlingSun/Tenda

Tenda AC10 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the setSchedWifi function. This vulnerability allows attackers to cause a Denial of Service (DoS) or execute arbitrary code via a crafted payload.

Tenda AC10 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC10V4.0si\_V16.03.10.13\_cn

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "setSchedWifi" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-27012: Tenda/5.md at main · DrizzlingSun/Tenda

Tenda AC5 US_AC5V1.0RTL_V15.03.06.28 was discovered to contain a stack overflow via the formSetFirewallCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) or execute arbitrary code via a crafted payload.

Tenda AC5 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC5V1.0RTL\_V15.03.06.28

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "formSetFirewallCfg" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-25216: Tenda/9.md at main · DrizzlingSun/Tenda

Tenda AC5 US_AC5V1.0RTL_V15.03.06.28 was discovered to contain a stack overflow via the saveParentControlInfo function. This vulnerability allows attackers to cause a Denial of Service (DoS) or execute arbitrary code via a crafted payload.

Tenda AC5 Unauthorized stack overflow vulnerability

****1\. Affected version:****

US\_AC5V1.0RTL\_V15.03.06.28

****2\. Firmware download address****

资料下载\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "saveParentControlInfo" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-25215: Tenda/3.md at main · DrizzlingSun/Tenda

It was discovered that aufs improperly managed inode reference counts in the vfsub_dentry_open() method. A local attacker could use this vulnerability to cause a denial of service attack.

\[Impact\]

 \* Systems with aufs mounts are vulnerable to a kernel BUG(),  
   which can turn into a panic/crash if panic\_on\_oops is set.

 \* It is exploitable by unprivileged local users; and also  
   remote access operations (e.g., web server) potentially.

 \* This issue has also manifested in Kubernetes deployments  
   with a kernel panic in iptables-save or iptables-restore  
   after a few weeks of uptime, without user interaction.

 \* Usually all Kubernetes worker nodes hit the issue around  
   the same time.

\[Fix\]

 \* The issue is fixed with 2 patches in aufs4-linux.git:  
 - 515a586eeef3 aufs: do not call i\_readcount\_inc()  
 - f10aea57d39d aufs: bugfix, IMA i\_readcount

 \* The first addresses the issue, and the second addresses a  
   regression in the aufs feature to change RW branches to RO.

 \* The kernel v5.3 aufs patches had an equivalent fix to the  
   second patch, which is present in the Focal aufs patchset  
   (and on ubuntu-unstable/master & /master-5.8 on 20200629)

 - 1d26f910c53f aufs: for v5.3-rc1, maintain i\_readcount  
   (in aufs5-linux.git)

\[Test Case\]

 \* Repeatedly open/close the same file in read-only mode in  
   aufs (UINT\_MAX times, to overflow a signed int back to 0.)

 \* Alternatively, monitor the underlying filesystems's file  
   inode.i\_readcount over several open/close system calls.  
   (should not monotonically increase; rather, return to 0.)

\[Regression Potential\]

 \* This changes the core path that aufs opens files, so there  
   is a risk of regression; however, the fix changes aufs for  
   how other filesystems work, so this generally is OK to do.  
   In any case, most regressions would manifest in open() or  
   close() (where the VFS handles/checks inode.i\_readcount.)

 \* The aufs maintainer has access to an internal test-suite  
   used to validate aufs changes, used to identify the first  
   regression (in the branch RW/RO mode change), and then to  
   validate/publish the patches upstream; should be good now.

 \* This has also been tested with 'stress-ng --class filesystem'  
   and with 'xfstests -overlay' (patch to use aufs vs overlayfs)  
   on Xenial/Bionic/Focal (-proposed vs. -proposed + patches).  
   No regressions observed in stress-ng/xfstests log or dmesg.

\[Other Info\]

 \* Applied on Unstable (branches master and master-5.8)  
 \* Not required on Groovy (still 5.4; should sync from Unstable)  
 \* Required on LTS releases: Bionic and Focal and Xenial.  
 \* Required on other releases: Disco and Eoan (for custom kernels)

\[Original Bug Description\]

Problem Report:  
\--------------

An user reported several nodes in their Kubernetes clusters  
hit a kernel panic at about the same time, and periodically  
(usually 35 days of uptime, and in same order nodes booted.)

The kernel panics message/stack trace are consistent across  
nodes, in \_\_fput() by iptables-save/restore from kube-proxy.

Example:

"""  
\[3016161.866702\] kernel BUG at .../include/linux/fs.h:2583!  
\[3016161.866704\] invalid opcode: 0000 \[#1\] SMP  
...  
\[3016161.866780\] CPU: 40 PID: 33068 Comm: iptables-restor Tainted: P OE 4.4.0-133-generic #159-Ubuntu  
...  
\[3016161.866786\] RIP: 0010:\[...\] \[...\] \_\_fput+0x223/0x230  
...  
\[3016161.866818\] Call Trace:  
\[3016161.866823\] \[...\] \_\_\_\_fput+0xe/0x10  
\[3016161.866827\] \[...\] task\_work\_run+0x86/0xb0  
\[3016161.866831\] \[...\] exit\_to\_usermode\_loop+0xc2/0xd0  
\[3016161.866833\] \[...\] syscall\_return\_slowpath+0x4e/0x60  
\[3016161.866839\] \[...\] int\_ret\_from\_sys\_call+0x25/0x9f  
"""

(uptime: 3016161 seconds / (24\*60\*60) = 34.90 days)

They have provided a crashdump (privately available) used  
for analysis later in this bug report.

Note: the root cause turns out to be independent of K8s,  
as explained in the Root Cause section.

Related Report:  
\--------------

This behavior matches this public bug of another user:  
https://github.com/kubernetes/kubernetes/issues/70229

"""  
I have several machines happen kernel panic，and these  
machine have same dump trace like below:

KERNEL: /usr/lib/debug/boot/vmlinux-4.4.0-104-generic  
...  
PANIC: "kernel BUG at .../include/linux/fs.h:2582!"  
...  
COMMAND: "iptables-restor"  
...  
crash> bt  
...  
\[exception RIP: \_\_fput+541\]  
...  
#8 \[ffff880199f33e60\] \_\_fput at ffffffff812125ac  
#9 \[ffff880199f33ea8\] \_\_\_\_fput at ffffffff812126ee  
#10 \[ffff880199f33eb8\] task\_work\_run at ffffffff8109f101  
#11 \[ffff880199f33ef8\] exit\_to\_usermode\_loop at ffffffff81003242  
#12 \[ffff880199f33f30\] syscall\_return\_slowpath at ffffffff81003c6e  
#13 \[ffff880199f33f50\] int\_ret\_from\_sys\_call at ffffffff818449d0  
...

The above showed command "iptables-restor" cause the kernel  
panic and its pid is 16884，its parent process is kube-proxy.

Sometimes the process of kernel panic is "iptables-save" and  
the dump trace are same.

The kernel panic always happens every 26 days(machine uptime)  
"""

<< Adding further sections as comments to keep page short. >>

CVE-2020-11935: Bug #1873074 “kernel panic hit by kube-proxy iptables-save/resto...” : Bugs : linux package : Ubuntu

A flaw in Twitter code allows bot abuse to trick the algorithm into suppressing certain accounts.

A vulnerability in Twitter's code was recently discovered that allows users to game the algorithm with mass blocking actions from large numbers of accounts, in an effort to suppress specific users showing up in people's feeds — essentially, it allows bot-created "shadow bans" in the parlance of social media censorship critics.

Now, the flaw has been assigned a CVE number as an officially recognized security vulnerability: CVE-2023-29218.

"The Twitter Recommendation Algorithm through ec83d01 allows attackers to cause a denial of service (reduction of reputation score) by arranging for multiple Twitter accounts to coordinate negative signals regarding a target account, such as unfollowing, muting, blocking, and reporting, as exploited in the wild in March and April 2023," the MITRE CVE entry explained.

The vulnerability was first flagged by infosec researcher Federico Andres Lois after analyzing Twitter's source code, which was leaked to the public and later posted on GitHub by Twitter as part of its commitment to transparency.

The bug means that botnet armies have the ability to game the algorithm with mass blocks, mutes, abuse reports, spam reports, and unfollows to drive down the number of times specific accounts show up in Twitter's recommendation engine.

"The current implementation allows for coordinated hurting of account reputation without recourse," Lois wrote in his disclosure. "Any other time I would just report this information using a vulnerability channel, but given that this is already popular knowledge there is no use to do so."

The vulnerability has since been discovered by others, prompting a cryptic, yet splashy, response from Twitter CEO Elon Musk.

"Who is behind these botnets?" Musk tweeted. "Million dollar bounty if convicted."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Twitter 'Shadow Ban' Bug Gets Official CVE

In power, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07441821; Issue ID: ALPS07441821.

Tag

#dos