Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.

There is a FPE error in computeOutputPixelOffsets, tools/tiffcrop.c:5936. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file. This is different from #347.

    # CFLAGS="-g -O0" CXXFLAGS="-g -O0" ./configure --prefix=$PWD/build_orig --disable-shared
    
    # make -j; make install; make clean
    
    # ./build_orig/bin/tiffcrop -R 270 -P 300.0x300.0 poc /tmp/foo
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 12544 (0x3100) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 65427 (0xff93) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 32768 (0x8000) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 245 (0xf5) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 65407 (0xff7f) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 26003 (0x6593) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 51657 (0xc9c9) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 8393 (0x20c9) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 60361 (0xebc9) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 59136 (0xe700) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 16448 (0x4040) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 25888 (0x6520) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 1024 (0x400) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 65408 (0xff80) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 42 (0x2a) encountered.
    TIFFReadDirectory: Warning, Invalid data type for tag StripOffsets.
    TIFFFetchNormalTag: Warning, IO error during reading of "Tag 42"; tag ignored.
    TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
    TIFFAdvanceDirectory: Error fetching directory count.
    loadImage: Image lacks Photometric interpretation tag.
    Floating point exception (core dumped)
    
    (gdb) # bt
    #0  0x000000000041181a in computeOutputPixelOffsets (crop=0x7fffffff8eb0, image=0x7fffffff8c30,
        page=0x7fffffff8c50, sections=0x7fffffff91a0, dump=0x7fffffffb530) at tiffcrop.c:5936
    #1  0x00000000004076d7 in main (argc=0x7, argv=0x7fffffffe688) at tiffcrop.c:2459
    #2  0x00007ffff6749840 in __libc_start_main (main=0x406c6d <main>, argc=0x7, argv=0x7fffffffe688,
        init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe678)
        at ../csu/libc-start.c:291
    #3  0x0000000000402f69 in _start ()

    # uname -a
    Linux 4a409ce47130 5.4.0-70-generic #78~18.04.1-Ubuntu SMP Sat Mar 20 14:10:07 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

CVE-2022-2057: tiffcrop: FPE in computeOutputPixelOffsets, tiffcrop.c:5936 (Different from #347) (#427) · Issues · libtiff / libtiff · GitLab

Ubuntu Security Notice 5497-1 - It was discovered that Libjpeg6b was not properly performing bounds checks when compressing PPM and Targa image files. An attacker could possibly use this issue to cause a denial of service. Chijin Zhou discovered that Libjpeg6b was incorrectly handling the EOF character in input data when generating JPEG files. An attacker could possibly use this issue to force the execution of a large loop, force excessive memory consumption, and cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5497-1June 30, 2022libjpeg6b vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 14.04 ESMSummary:Several security issues were fixed in Libjpeg6b.Software Description:- libjpeg6b: library for handling JPEG filesDetails:It was discovered that Libjpeg6b was not properly performing boundschecks when compressing PPM and Targa image files. An attacker couldpossibly use this issue to cause a denial of service.(CVE-2018-11212)Chijin Zhou discovered that Libjpeg6b was incorrectly handling theEOF character in input data when generating JPEG files. An attackercould possibly use this issue to force the execution of a large loop,force excessive memory consumption, and cause a denial of service.(CVE-2018-11813)Sheng Shu and Dongdong She discovered that Libjpeg6b was not properlylimiting the amount of memory being used when it was performingdecompression or multi-pass compression operations. An attacker couldpossibly use this issue to force excessive memory consumption andcause a denial of service. (CVE-2020-14152)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 14.04 ESM:   libjpeg62                       6b1-4ubuntu1+esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5497-1   CVE-2018-11212, CVE-2018-11213, CVE-2018-11214, CVE-2018-11813,   CVE-2020-14152

Ubuntu Security Notice USN-5497-1

New web targets for the discerning hacker

New web targets for the discerning hacker

Bounty hunting remains a popular business, with a report this month revealing that the vast majority of ethical hackers would like to do more.

The survey, from Belgian bug bounty platform **Intigriti**, found that 96% were keen to spend more time bounty hunting, with two thirds considering it as a full-time career. The biggest draw is the money, cited by nearly half, along with the ability to work anywhere in the world, the ability to work alone, and the chance to outsmart malicious hackers.

Currently, more than half of bug bounty hunters are also in full-time employment elsewhere, and around a third are students. More than one in five, though, get more than a quarter of their total income from bounty payouts.

And for those keen to get stuck in, there’s a new invite-only bug bounty program for the French government’s identity authentication application, **France Identité**, launched earlier this year to complement the country’s new electronic identity cards.

Hosted by Paris-based ethical hacking platform **YesWeHack**, the program has recruited 30 ethical hackers so far, with specific skills relating to the application, particularly cryptography. It will eventually be opened to all, and will run for the mobile app’s lifetime.

Finally, **Google**’s been generous lately, paying out more than $300,000 for reports on a variety of flaws in Google Cloud Platform (GCP) during last year.

Security researcher Sebastian Lutz took first prize, with an award of $133,337, for discovering a bug in in Identity-Aware Proxy (IAP) that offered a way for an attacker to access IAP-protected resources. Second place, meanwhile, went to Hungarian researcher Imre Rad, who earned $73,331 after uncovering a mechanism to take over a Google Compute Engine virtual machine.

The program, which kicked off in 2019, now represents a fair chunk of the total $8.7 million awarded by Google across its complete range of vulnerability disclosure programs.

**The latest bug bounty programs for July 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Animal Friends**

**Program provider:**  
Independent

**Program type:**  
Public

**Max reward:**  
£400 ($480)

**Outline:**  
UK pet insurance company Animal Friends has launched a public bug bounty program that’s focused on securing its corporate website, customer portal, vet portal, and sales platform.

**Notes:**  
Discussing the new program, the insurance provider said: “No system is ever perfect, and therefore Animal Friends believes that working with skilled security researchers around the world is crucial to identify and fix any weaknesses.”

Check out the Animal Friends bug bounty page for more details

**ClickHouse**

**Program provider:**  
Bugcrowd

**Program type:**  
Public

**Max reward:**  
$2,500

**Outline:**  
ClickHouse is an open source, column-oriented OLAP database management system that allows users to generate analytical reports using SQL queries in real time.

**Notes:**  
The main focus of the public program is the open source version of the ClickHouse platform.

Check out the ClickHouse bug bounty page at Bugcrowd for more details

**France Identité**

**Program provider:**  
YesWeHack

**Program type:**  
Private

**Max reward:**  
Undisclosed

**Outline:**  
The French government has launched an invite-only bug bounty program for its newly launched identity authentication application, ‘France Identité’.

**Notes:**  
Hosted by Paris-based ethical hacking platform YesWeHack, the program will eventually be opened up to all security researchers and then run for the mobile app’s lifetime.

Check out our recent coverage for more details

**MetaMask**

**Program provider:**  
HackerOne

**Program type:**  
Public

**Max reward:**  
$50,000

**Outline:**  
MetaMask, one of the most widely used wallets for interacting with distributed applications, has launched a bug bounty program offering rewards of up to $50,000 for critical vulnerabilities.

**Notes:**  
MetaMask is particularly seeking reports demonstrating how an attacker could extract the secret recovery phrase or a private key from a wallet, or make a user’s wallet behave in “unexpected ways”.

Check out the MetaMask bug bounty page at HackerOne for more details

**Opera**

**Program provider:**  
Independent

**Program type:**  
Private

**Max reward:**  
Undisclosed

**Outline:**  
The developers behind the Opera web browser have launched a private bug bounty program to accompany the existing public program that’s housed on the Bugcrowd platform.

**Notes:**  
There are currently few details relating to this private program, although anyone expressing an interest must already have a Bugcrowd ID.

Check out Opera’s private bug bounty page for more details

**Phemex**

**Program provider:**  
Bugcrowd

**Program type:**  
Public

**Max reward:**  
$2,500

**Outline:**  
Cryptocurrency trading platform Phemex has partnered with Bugcrowd to launch a bug bounty program.

**Notes:**  
Researchers have been tasked with finding bugs in the Phemex website and mobile apps. Cross-site scripting (XSS) and denial-of-service (DoS) exploits are out of scope.

Check out the Phemex bug bounty page at Bugcrowd for more details

**Other bug bounty and VDP news this month**

*   The 2022 **President’s Cup Cybersecurity Competition** is due to launch later this summer. Hosted by CISA, the annual national cyber competition aims to identify and reward the best cybersecurity talent in the federal executive workforce. Registration is now open for eligible participants.
*   **GameStop**, **Oanda**, and **PlanetArt** have launched (unpaid) VDPs on HackerOne.
*   Security pro Quinten Bowen has launched a **malware analysis capture-the-flag** (CTF) competition. Registration is free, and the CTF has “beginner to intermediate level flags” associated with static and dynamic analysis.

Curated by James Walker. Introduction by Emma Woollacott.

**PREVIOUS EDITION** Bug Bounty Radar // The latest bug bounty programs for June 2022

Bug Bounty Radar // The latest bug bounty programs for July 2022

A NULL pointer dereference flaw was found in the Linux kernel’s KVM module, which can lead to a denial of service in the x86_emulate_insn in arch/x86/kvm/emulate.c. This flaw occurs while executing an illegal instruction in guest in the Intel CPU.

Permalink

Browse files

KVM: x86: avoid calling x86 emulator without a decoded instruction

Whenever x86\_decode\_emulated\_instruction() detects a breakpoint, it
returns the value that kvm\_vcpu\_check\_breakpoint() writes into its
pass-by-reference second argument.  Unfortunately this is completely
bogus because the expected outcome of x86\_decode\_emulated\_instruction
is an EMULATION\_\* value.

Then, if kvm\_vcpu\_check\_breakpoint() does "\*r = 0" (corresponding to
a KVM\_EXIT\_DEBUG userspace exit), it is misunderstood as EMULATION\_OK
and x86\_emulate\_instruction() is called without having decoded the
instruction.  This causes various havoc from running with a stale
emulation context.

The fix is to move the call to kvm\_vcpu\_check\_breakpoint() where it was
before commit 4aa2691 ("KVM: x86: Factor out x86 instruction
emulation with decoding") introduced x86\_decode\_emulated\_instruction().
The other caller of the function does not need breakpoint checks,
because it is invoked as part of a vmexit and the processor has already
checked those before executing the instruction that #GP'd.

This fixes CVE-2022-1852.

Reported-by: Qiuhao Li <qiuhao@sysec.org>
Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Reported-by: Yongkang Jia <kangel@zju.edu.cn>
Fixes: 4aa2691 ("KVM: x86: Factor out x86 instruction emulation with decoding")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220311032801.3467418-2-seanjc@google.com>
\[Rewrote commit message according to Qiuhao's report, since a patch
 already existed to fix the bug. - Paolo\]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

*   Loading branch information

CVE-2022-1852: KVM: x86: avoid calling x86 emulator without a decoded instruction · torvalds/linux@fee060c

A vulnerability was found in the Linux kernel's nft_set_desc_concat_parse() function .This flaw allows an attacker to trigger a buffer overflow via nft_set_desc_concat_parse() , causing a denial of service and possibly to run code.

CVE-2022-2078

Researchers say the remote-access Trojan ZuoRAT is likely the work of a nation-state and has infected at least 80 different targets.

An unusually advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on June 28.

So far, researchers from Lumen Technologies' Black Lotus Labs say they've identified at least 80 targets infected by the stealthy malware, including routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.

A High Level of Sophistication

The discovery of custom-built malware written for the MIPS architecture and compiled for small-office and home-office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive and remain undetected is the hallmark of a highly sophisticated threat actor.

"While compromising SOHO routers as an access vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported," Black Lotus Labs researchers wrote. "Similarly, reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are even rarer and a mark of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization."

The campaign comprises at least four pieces of malware, three of them written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT, which closely resembles the Mirai internet-of-things malware that achieved record-breaking distributed denial-of-service attacks that crippled some Internet services for days. ZuoRAT often gets installed by exploiting unpatched vulnerabilities in SOHO devices.

Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to cause the connected devices to install other malware. Two of those malware pieces—dubbed CBeacon and GoBeacon—are custom-made, with the first written for Windows in C++ and the latter written in Go for cross-compiling on Linux and macOS devices. For flexibility, ZuoRAT can also infect connected devices with the widely used Cobalt Strike hacking tool.

ZuoRAT can pivot infections to connected devices using one of two methods:

*   DNS hijacking, which replaces the valid IP addresses corresponding to a domain such as Google or Facebook with a malicious one operated by the attacker.
*   HTTP hijacking, in which the malware inserts itself into the connection to generate a 302 error that redirects the user to a different IP address.

Intentionally Complex

Black Lotus Labs said the command-and-control infrastructure used in the campaign is intentionally complex in an attempt to conceal what's happening. One set of infrastructure is used to control infected routers, and another is reserved for the connected devices if they're later infected.

The researchers observed routers from 23 IP addresses with a persistent connection to a control server that they believe was performing an initial survey to determine if the targets were of interest. A subset of those 23 routers later interacted with a Taiwan-based proxy server for three months. A further subset of routers rotated to a Canada-based proxy server to obfuscate the attacker's infrastructure.

The researchers wrote:

_Black Lotus Labs visibility indicates ZuoRAT and the correlated activity represent a highly targeted campaign against US and Western European organizations that blends in with typical internet traffic through obfuscated, multistage C2 infrastructure, likely aligned with multiple phases of the malware infection. The extent to which the actors take pains to hide the C2 infrastructure cannot be overstated. First, to avoid suspicion, they handed off the initial exploit from a dedicated virtual private server (VPS) that hosted benign content. Next, they leveraged routers as proxy C2s that hid in plain sight through router-to-router communication to further avoid detection. And finally, they rotated proxy routers periodically to avoid detection._

The discovery of this ongoing campaign is the most important one affecting SOHO routers since VPNFilter, the router malware created and deployed by the Russian government that was discovered in 2018. Routers are often overlooked, particularly in the work-from-home era. While organizations often have strict requirements for what devices are allowed to connect, few mandate patching or other safeguards for the devices' routers.

Like most router malware, ZuoRAT can't survive a reboot. Simply restarting an infected device will remove the initial ZuoRAT exploit, consisting of files stored in a temporary directory. To fully recover, however, infected devices should be factory reset. Unfortunately, in the event connected devices have been infected with the other malware, they can't be disinfected so easily.

_This story originally appeared on_ _Ars Technica__._

A New, Remarkably Sophisticated Malware Is Attacking Routers

Plus: Google issues fixes for Android bugs, and Cisco, Citrix, SAP, WordPress, and more issue major patches for enterprise systems.

June has seen the release of multiple security updates, with important patches issued for the likes of Google's Chrome and Android as well as dozens of patches for Microsoft products, including fixes for a Windows zero-day vulnerability that attackers had already exploited. Apple updates were absent at the time of writing, but the month also included some major enterprise-focused patches for Citrix, SAP, and Cisco products.

Here’s what you need to know about the major patches released in the past month.

Microsoft

Microsoft’s Patch Tuesday release was pretty hefty in June, including fixes for 55 flaws in the tech giant’s products. This Patch Tuesday was particularly important because it addressed an already exploited remote code execution (RCE) issue in Windows dubbed Follina, which Microsoft has been aware of since at least May.

Tracked as CVE-2022-30190, Follina—which takes advantage of vulnerabilities in the Windows Support Diagnostic tool and can execute without the need to open a document—has already been used by multiple criminal groups and state-sponsored attackers.

Three of the vulnerabilities addressed in Patch Tuesday affecting Windows Server are RCE flaws and rated as critical. However, the patches seem to be breaking some VPN and RDP connections, so be careful.

Google Chrome

Google Chrome updates continue to come thick and fast. That’s no bad thing, as the world’s most popular browser is by default one of the biggest targets for hackers. In June, Google released Chrome 103 with patches for 14 vulnerabilities, some of which are serious.

Tracked as CVE-2022-2156, the biggest flaw is a use-after-free issue in Base reported by Google’s Project Zero bug-hunting team that could lead to arbitrary code execution, denial of service, or corruption of data. Worse, when chained with other vulnerabilities the flaw could lead to full system compromise.

Other issues patched in Chrome include vulnerabilities in Interest Groups, WebApp Provider, and a flaw in the V8 Javascript and WebAssembly engine.

Google Android

Of the multiple Android security issues Google patched in June, the most severe is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed, Google said in its Android Security Bulletin.

Google also released updates for its Pixel devices to patch issues in the Android Framework, Media Framework, and System Components.

Samsung users seem to have gotten lucky with Android updates of late, with the device maker rolling out its patches very quickly. The June security update is no different, reaching the Samsung Galaxy Tab S7 series, Galaxy S21 series, Galaxy S22 series, and the Galaxy Z Fold 2 straightaway.

Cisco

Software maker Cisco released a patch in June to fix a critical vulnerability in Cisco Secure Email and Web Manager and Cisco Email Security Appliance that could allow a remote attacker to bypass authentication and log in to the web management interface of an affected device.

The issue, tracked as CVE-2022-20798, could be exploited if an attacker enters something specific on the login page of the affected device, which would provide access to the web-based management interface, Cisco said.

Citrix

Citrix has issued a warning urging users to patch some major vulnerabilities that could let attackers reset admin passwords. The vulnerabilities in Citrix Application Delivery Management could result in corruption of the system by a remote, unauthenticated user, Citrix said in a security bulletin. “The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator credentials after the device has rebooted,” the company wrote.

Citrix recommends that traffic to the Citrix ADM’s IP address be segmented from standard network traffic. This diminishes the risk of exploitation, it said. However, the vendor also urged customers to install the updated versions of Citrix ADM server and Citrix ADM agent “as soon as possible.”

SAP

Software firm SAP has released 12 security patches as part of its June Patch Day, three of which are serious. The first listed by SAP relates to an update released on April 2018 Patch Day and applies to the browser control Google Chromium used by the firm’s business clients. Details of this vulnerability aren’t available, but it has a severity score of 10, so the patch should be applied straightaway.

Another major fix concerns an issue in the SAProuter proxy in NetWeaver and ABAP Platform, which could allow an attacker to execute SAProuter administration commands from a remote client. The third major patch fixes a privilege escalation bug in SAP PowerDesigner Proxy 16.7.

Splunk Enterprise

Splunk has released some out-of-band patches for its Enterprise product, fixing issues including a critical-rated vulnerability that could lead to arbitrary code execution.

Labeled CVE-2022-32158, the flaw could allow an adversary to compromise a Universal Forwarder endpoint and execute code on other endpoints connected to the deployment server. Thankfully, there’s no indication that the vulnerability has been used in any real-world attacks.

Ninja Forms WordPress Plug-In

Ninja Forms, a WordPress plug-in with over a million active installations, has patched a serious issue that’s probably being used by attackers in the wild. “We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” security analysts at the WordPress Wordfence Threat Intelligence team said in an update.

This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present, researchers said.

The flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11. WordPress appears to have performed a forced automatic update for the plug-in, so your site may already be using one of the patched versions.

Atlassian

Australian software company Atlassian has released a patch to fix a zero-day flaw that’s already being exploited by attackers. Tracked as CVE-2022-26134, the RCE vulnerability in the Confluence Server and Data Center can be used to backdoor internet-exposed servers.

GitLab

GitLab has issued patches for versions 15.0.1, 14.10.4, and 14.9.5 for GitLab Community Edition and Enterprise Edition. The updates contain important security fixes for eight vulnerabilities, one of which could allow for account takeover.

With this in mind, the firm “strongly recommends” that all GitLab installations be upgraded to the latest version “as soon as possible.” GitLab.com is already running the patched version.

You Need to Update Windows and Chrome Right Now

Red Hat Security Advisory 2022-5239-01 - 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: 389-ds-base security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:5239-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5239  
Issue date:        2022-06-28  
CVE Names:         CVE-2022-0918 CVE-2022-0996  
====================================================================  
1. Summary:

An update for 389-ds-base is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64le, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The  
base packages include the Lightweight Directory Access Protocol (LDAP)  
server and command-line utilities for server administration.

Security Fix(es):

* 389-ds-base: sending crafted message could result in DoS (CVE-2022-0918)

* 389-ds-base: expired password was still allowed to access the database  
(CVE-2022-0996)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Log the Auto Member invalid regex rules in the LDAP errors log.  
(BZ#2014768)

Enhancement(s):

* RFE - Provide an option to abort an Auto Member rebuild task.  
(BZ#2018153)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the 389 server service will be restarted  
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2014768 - Log the Auto Member invalid regex rules in the LDAP errors log. [rhel-7.9.z]  
2018153 - RFE - Provide an option to abort an Auto Member rebuild task.  
2055815 - CVE-2022-0918 389-ds-base: sending crafted message could result in DoS  
2064769 - CVE-2022-0996 389-ds-base: expired password was still allowed to access the database

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:  
389-ds-base-1.3.10.2-16.el7_9.src.rpm

x86_64:  
389-ds-base-1.3.10.2-16.el7_9.x86_64.rpm  
389-ds-base-debuginfo-1.3.10.2-16.el7_9.x86_64.rpm  
389-ds-base-devel-1.3.10.2-16.el7_9.x86_64.rpm  
389-ds-base-libs-1.3.10.2-16.el7_9.x86_64.rpm  
389-ds-base-snmp-1.3.10.2-16.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:  
389-ds-base-1.3.10.2-16.el7_9.src.rpm

x86_64:  
389-ds-base-1.3.10.2-16.el7_9.x86_64.rpm  
389-ds-base-debuginfo-1.3.10.2-16.el7_9.x86_64.rpm  
389-ds-base-devel-1.3.10.2-16.el7_9.x86_64.rpm  
389-ds-base-libs-1.3.10.2-16.el7_9.x86_64.rpm  
389-ds-base-snmp-1.3.10.2-16.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
389-ds-base-1.3.10.2-16.el7_9.src.rpm

ppc64le:  
389-ds-base-1.3.10.2-16.el7_9.ppc64le.rpm  
389-ds-base-debuginfo-1.3.10.2-16.el7_9.ppc64le.rpm  
389-ds-base-libs-1.3.10.2-16.el7_9.ppc64le.rpm

x86_64:  
389-ds-base-1.3.10.2-16.el7_9.x86_64.rpm  
389-ds-base-debuginfo-1.3.10.2-16.el7_9.x86_64.rpm  
389-ds-base-libs-1.3.10.2-16.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:  
389-ds-base-1.3.10.2-16.el7_9.src.rpm

ppc64:  
389-ds-base-1.3.10.2-16.el7_9.ppc64.rpm  
389-ds-base-debuginfo-1.3.10.2-16.el7_9.ppc64.rpm  
389-ds-base-devel-1.3.10.2-16.el7_9.ppc64.rpm  
389-ds-base-libs-1.3.10.2-16.el7_9.ppc64.rpm  
389-ds-base-snmp-1.3.10.2-16.el7_9.ppc64.rpm

ppc64le:  
389-ds-base-debuginfo-1.3.10.2-16.el7_9.ppc64le.rpm  
389-ds-base-devel-1.3.10.2-16.el7_9.ppc64le.rpm  
389-ds-base-snmp-1.3.10.2-16.el7_9.ppc64le.rpm

s390x:  
389-ds-base-1.3.10.2-16.el7_9.s390x.rpm  
389-ds-base-debuginfo-1.3.10.2-16.el7_9.s390x.rpm  
389-ds-base-devel-1.3.10.2-16.el7_9.s390x.rpm  
389-ds-base-libs-1.3.10.2-16.el7_9.s390x.rpm  
389-ds-base-snmp-1.3.10.2-16.el7_9.s390x.rpm

x86_64:  
389-ds-base-debuginfo-1.3.10.2-16.el7_9.x86_64.rpm  
389-ds-base-devel-1.3.10.2-16.el7_9.x86_64.rpm  
389-ds-base-snmp-1.3.10.2-16.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
389-ds-base-1.3.10.2-16.el7_9.src.rpm

x86_64:  
389-ds-base-1.3.10.2-16.el7_9.x86_64.rpm  
389-ds-base-debuginfo-1.3.10.2-16.el7_9.x86_64.rpm  
389-ds-base-libs-1.3.10.2-16.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
389-ds-base-debuginfo-1.3.10.2-16.el7_9.x86_64.rpm  
389-ds-base-devel-1.3.10.2-16.el7_9.x86_64.rpm  
389-ds-base-snmp-1.3.10.2-16.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-0918  
https://access.redhat.com/security/cve/CVE-2022-0996  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYrtJ9dzjgjWX9erEAQhbSw/9EKCfVLZliIIrgAs4fWfl+3n4wx+PkL+1  
wLEE+DS5Kv18MhR9W78jK3K8g72As9k1+gSEPmYeixHhU3PtMLEIgHoZjGtWkjK2  
eOzIxHrf3Bn8+lHncWRs5RV7wXkyEmBeFJ9UIgzRvrr9BywDhJb2N0IKmQjMbikm  
rJhAMxB5x5OXX9ZrVwa+sSJlLsTZ4AJy2a03NtuY6UINleuALiBhpQmD/EyYMxoG  
yWl/r9lxiuZ7A5tnJW7Kh0Xc/elonFv9l+MPVNNO5Erq/Pa0e/Zs2RE+M2Nb14NY  
B2LXp4bSepoK/N2deBapkWR4RjMotJQSl7llEzcvXJYQr2W2oi4d5Yz7ziKgD+xB  
yopPBWisR91quqwUm9DP5nE+sf0jzvt+y+I0Laac3+dF4EwhCkqWCj6zL+YnNhng  
2nunhyrDzNoEz9MA52XGfr6WaDv4USo8W+cBj6hziZjs8UtFGAZin7YGvLptTd18  
7ZEHeju+mF1Yh+vrYO3Kvsbc0XFnPWPPg/ZUE2UEhFFFjGm+ZgFgLc0qv+cZ/C+7  
CgnKmcGlYErXwmHv4siHniJQN0K6CXrGiYFaZPKgBwoej13SMkQSXWJu5+WLvOjO  
+9d7efJozAZ6bQMh7T4DInBZvKu43Xd25DTavWPT/xXv5IgS41aQXzJ9LuAywGrJ  
MObDInu5V2M=sAb0  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5239-01

Joy ebike Wolf Manufacturing year 2022 is vulnerable to Denial of service, which allows remote attackers to jam the key fob request via RF.

**ebike-jammer**

Joy Ebike Wolf 2022 variant crash and deny key fob lock request

This is a report about a cyber security issue identified in Joy ebike wolf

Summary: Joy ebike Wolf variant manufactured in 2022 has a feature to lock or unlock/drive the vehicle via ebike key fob. In this vehicle, if the unlock/drive command is sniffed by Hackrf and replayed, vehicle will get unlock but it will deny lock request

Affected Product: Joy ebike Wolf, Manufacturing year 2022

Addition details URL: https://www.joyebike.com/product/wolf-bike/

Detailed report

Required Setup:

Joy ebike Wolf, Manufacturing year 2022 Joy ebike vehicle keys. Hackrf with antenna

Following steps shall be followed to achieve the Proof of concept:

1.  Activate Hackrf in rx mode on 433.92 MHz
2.  Press unlock/drive button on key fob
3.  Hackrf captures the unlock frame command.
4.  Lock the vehicle with a key.
5.  Now replay the command which is captured.
6.  Vehicle gets unlocked and is able to drive.
7.  Press lock button on key fob
8.  Vehicle deny lock button pressed from key fob and stay in unlock state.

Additional Note: Further analysis is not conducted, but multiple commands can be replayed.

Video proof of concept:

https://drive.google.com/file/d/1XDDXC2q8ZZYeujjrw4f0mW2jMsYtSGLF/view?usp=sharing

**Credits : Nikhil Bogam, Krutarth Raut and Neelam Verma**

CVE-2022-30467: ebike-jammer/README.md at main · nsbogam/ebike-jammer

RSSHub is an open source, extensible RSS feed generator. In commits prior to 5c4177441417 passing some special values to the `filter` and `filterout` parameters can cause an abnormally high CPU. This results in an impact on the performance of the servers and RSSHub services which may lead to a denial of service. This issue has been fixed in commit 5c4177441417 and all users are advised to upgrade. There are no known workarounds for this issue.

**Denial of Service (DoS) vulnerability**

**Package**

No package listed

**Affected versions**

versions after 4671720f4c5e1aaaad8fcc1dce684b6546baf2ff

**Patched versions**

5c4177441417b44a6e45c3c63e9eac2504abeb5b

**Description**

**Impact**

Passing some special values to the filter and filterout parameters can cause an abnormally high CPU. Impact on the performance of the servers and RSSHub services.

**Patches**

It is fixed in 5c41774 , please update to this or the later versions as soon as possible.

**References**

Full report: #10045

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in https://github.com/DIYgod/RSSHub/issues
*   Email us at i@diygod.me

**Credits**

@Rongronggg9

Tag

#dos