Red Hat Security Advisory 2022-5526-01 - Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: squid:4 security update  
Advisory ID:       RHSA-2022:5526-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5526  
Issue date:        2022-07-07  
CVE Names:         CVE-2021-46784  
====================================================================  
1. Summary:

An update for the squid:4 module is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Squid is a high-performance proxy caching server for web clients,  
supporting FTP, Gopher, and HTTP data objects.

Security Fix(es):

* squid: DoS when processing gopher server responses (CVE-2021-46784)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the squid service will be restarted  
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2100721 - CVE-2021-46784 squid: DoS when processing gopher server responses

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
libecap-1.0.1-2.module+el8.1.0+4044+36416a77.src.rpm  
squid-4.15-3.module+el8.6.0+15801+8fa20c64.1.src.rpm

aarch64:  
libecap-1.0.1-2.module+el8.1.0+4044+36416a77.aarch64.rpm  
libecap-debuginfo-1.0.1-2.module+el8.1.0+4044+36416a77.aarch64.rpm  
libecap-debugsource-1.0.1-2.module+el8.1.0+4044+36416a77.aarch64.rpm  
libecap-devel-1.0.1-2.module+el8.1.0+4044+36416a77.aarch64.rpm  
squid-4.15-3.module+el8.6.0+15801+8fa20c64.1.aarch64.rpm  
squid-debuginfo-4.15-3.module+el8.6.0+15801+8fa20c64.1.aarch64.rpm  
squid-debugsource-4.15-3.module+el8.6.0+15801+8fa20c64.1.aarch64.rpm

ppc64le:  
libecap-1.0.1-2.module+el8.1.0+4044+36416a77.ppc64le.rpm  
libecap-debuginfo-1.0.1-2.module+el8.1.0+4044+36416a77.ppc64le.rpm  
libecap-debugsource-1.0.1-2.module+el8.1.0+4044+36416a77.ppc64le.rpm  
libecap-devel-1.0.1-2.module+el8.1.0+4044+36416a77.ppc64le.rpm  
squid-4.15-3.module+el8.6.0+15801+8fa20c64.1.ppc64le.rpm  
squid-debuginfo-4.15-3.module+el8.6.0+15801+8fa20c64.1.ppc64le.rpm  
squid-debugsource-4.15-3.module+el8.6.0+15801+8fa20c64.1.ppc64le.rpm

s390x:  
libecap-1.0.1-2.module+el8.1.0+4044+36416a77.s390x.rpm  
libecap-debuginfo-1.0.1-2.module+el8.1.0+4044+36416a77.s390x.rpm  
libecap-debugsource-1.0.1-2.module+el8.1.0+4044+36416a77.s390x.rpm  
libecap-devel-1.0.1-2.module+el8.1.0+4044+36416a77.s390x.rpm  
squid-4.15-3.module+el8.6.0+15801+8fa20c64.1.s390x.rpm  
squid-debuginfo-4.15-3.module+el8.6.0+15801+8fa20c64.1.s390x.rpm  
squid-debugsource-4.15-3.module+el8.6.0+15801+8fa20c64.1.s390x.rpm

x86_64:  
libecap-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm  
libecap-debuginfo-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm  
libecap-debugsource-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm  
libecap-devel-1.0.1-2.module+el8.1.0+4044+36416a77.x86_64.rpm  
squid-4.15-3.module+el8.6.0+15801+8fa20c64.1.x86_64.rpm  
squid-debuginfo-4.15-3.module+el8.6.0+15801+8fa20c64.1.x86_64.rpm  
squid-debugsource-4.15-3.module+el8.6.0+15801+8fa20c64.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-46784  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYuFj/NzjgjWX9erEAQhUOA//QaRq6JfxhCp5xvfXkTIuDmwHlytCwIxP  
8RtPL3ADqCGI0iyh00YCq44oPOpw8e746a1VeZiB8HbZ4/PcUfCZY7pE/E3B7/ke  
k2Q+oaez4I3w+yZj8hN2OLVl/eBH//tDBXCB0uyg5blcpS56xQjlYfX04ZaKD3WX  
ClbvBvFTNYwu4cmaXTERNgBiD0SiiadHyAAQavJhpWWlGlumxgu0Jxkqus1UbCkR  
PU2Qi5ZKRoxeSzwluKTcz2JJPAgsYJvB/2xzPrygfBfLTqIkPTOTd2rYKxryEE05  
NYuBs4gVkS8cKkMf1wtfiXnc2rXkvpYwrDJtEmkGN5oB8HfC+V4G5EqfTVrhtTI1  
kiIeuEHVFjvNBHX7okZjhCz9Do3c86gVIb8UunUOykPENYk3ijMqRujilB7vM9WY  
chvrMS5xIfFRWr4JpXeq8pBxujCOwnQBUQ9yzCFqQpVYApLECL/7dO/1vbHkwRzw  
6SeDwNddsaB9hjhF2hZlevztdybL8sX3daKYyssQKLkTTXEketM2WBDlqN+j5qs8  
1QZ4AtgyS/2gHyorfY4uK6OtWyOgnOY19+rX3aJRCyE+g/ljQgFtiZWA+KeSWnNp  
Ao66n8lHheDWilf1vCSx0x04RyJ+dtdHH38Dnai4Ta4cMjTRn2CKOYWKFn50BCD3  
1CXNL6QbsSU=hQkc  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5526-01

Red Hat Security Advisory 2022-5542-01 - Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: squid security update  
Advisory ID:       RHSA-2022:5542-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5542  
Issue date:        2022-07-11  
CVE Names:         CVE-2021-46784  
====================================================================  
1. Summary:

An update for squid is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Squid is a high-performance proxy caching server for web clients,  
supporting FTP, Gopher, and HTTP data objects.

Security Fix(es):

* squid: DoS when processing gopher server responses (CVE-2021-46784)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the squid service will be restarted  
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2100721 - CVE-2021-46784 squid: DoS when processing gopher server responses

6. Package List:

Red Hat Enterprise Linux Server (v. 7):

Source:  
squid-3.5.20-17.el7_9.7.src.rpm

ppc64:  
squid-3.5.20-17.el7_9.7.ppc64.rpm  
squid-debuginfo-3.5.20-17.el7_9.7.ppc64.rpm  
squid-migration-script-3.5.20-17.el7_9.7.ppc64.rpm

ppc64le:  
squid-3.5.20-17.el7_9.7.ppc64le.rpm  
squid-debuginfo-3.5.20-17.el7_9.7.ppc64le.rpm  
squid-migration-script-3.5.20-17.el7_9.7.ppc64le.rpm

s390x:  
squid-3.5.20-17.el7_9.7.s390x.rpm  
squid-debuginfo-3.5.20-17.el7_9.7.s390x.rpm  
squid-migration-script-3.5.20-17.el7_9.7.s390x.rpm

x86_64:  
squid-3.5.20-17.el7_9.7.x86_64.rpm  
squid-debuginfo-3.5.20-17.el7_9.7.x86_64.rpm  
squid-migration-script-3.5.20-17.el7_9.7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:  
squid-debuginfo-3.5.20-17.el7_9.7.ppc64.rpm  
squid-sysvinit-3.5.20-17.el7_9.7.ppc64.rpm

ppc64le:  
squid-debuginfo-3.5.20-17.el7_9.7.ppc64le.rpm  
squid-sysvinit-3.5.20-17.el7_9.7.ppc64le.rpm

s390x:  
squid-debuginfo-3.5.20-17.el7_9.7.s390x.rpm  
squid-sysvinit-3.5.20-17.el7_9.7.s390x.rpm

x86_64:  
squid-debuginfo-3.5.20-17.el7_9.7.x86_64.rpm  
squid-sysvinit-3.5.20-17.el7_9.7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
squid-3.5.20-17.el7_9.7.src.rpm

x86_64:  
squid-3.5.20-17.el7_9.7.x86_64.rpm  
squid-debuginfo-3.5.20-17.el7_9.7.x86_64.rpm  
squid-migration-script-3.5.20-17.el7_9.7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
squid-debuginfo-3.5.20-17.el7_9.7.x86_64.rpm  
squid-sysvinit-3.5.20-17.el7_9.7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-46784  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYuFkBtzjgjWX9erEAQiEtw//Sd27/zmHD1P0pBH8YEa1OHqOZh71Jk6A  
1ygjvpLKK5rF/E6CIMpTgAyDAGK4fxyvL+kMr3Kg6xzmC3X8vZ2zT/UIXu2adI+o  
jTds4nBA6+ALHHKSJXZQlWwvzg0U0xyKVgSGkN2+BA9Gvfou+DTpYGluZ95O42Yc  
DQnsgVb0WBVqDb6xQDgPFHBuaPc9xhwEq2GTunJt2Qv0Q/VJvxXJTzcBr8F7F7y7  
ARB974Iwhr5UkqBcQu1Dz80Urdw6VfWLl6lrSfuITD2hvBsy7jLM8Iyegw0bwTx9  
uFjWyyy/QI9uhj1PkYnkKypmFIMGkFeZ2wAisDjUimVgEv0Q6ex+knwxUjIYAI6z  
rlSGRt5QnrI/PkW/Cvz7zyn+SCef2ZBbb5XMZRrCvZ9qK328SUNmqYwSlOmjMLTQ  
cuFeE3SWOiD8+zvag4lyzUfsrCY3ALWiMBIdUGUGtYRFNI3mcG/KwwFAVoE0lCaq  
KOZiThiVmF8YQdWh0pnBDmIQ7emkyXckcdSGNp3yHdxy9GvtwHKOHsFv329M8D/w  
O17ok3yWZ5QZ90QyGMeig+mBhic7p61P6jVEjgZuh4IxOXh/rsjh5Wnqu7MbyDzk  
U4pA+6S5DQ7GFAKvNasK0UiKkVxZth1xOs5gZxnQ+H/7DLgUuP7lOBUfzhOMt69r  
GeTvRNOaiqoüwp  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5542-01

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25423 allows remote authenticated users to delete arbitrary files via unspecified vectors.

**Abstract**

Multiple vulnerabilities allow remote authenticated users to conduct denial-of-service attacks or obtain user credentials via a susceptible version of Synology DiskStation Manager (DSM).

**Affected Products**

Product

Severity

Fixed Release Availability

DSM 6.2

Moderate

Upgrade to 6.2.3-25423 or above.

VS Firmware 2.3

Moderate

Pending

**Mitigation**

None

**Detail**

*   CVE-2022-27610
    *   Severity: Moderate
    *   CVSS3 Base Score: 6.5
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
    *   Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25423 allows remote authenticated users to delete arbitrary files via unspecified vectors.

**Acknowledgement**

Qian Chen (@cq674350529) from Codesafe Team of Legendsec at Qi'anxin Group

**Revision**

Revision

Date

Description

1

2020-04-29

Initial public release.

2

2022-07-27

Disclosed vulnerability details.

CVE-2022-27610: Synology_SA_20_06 | Synology Inc.

Rizin v0.4.0 and below was discovered to contain an integer overflow via the function get_long_object(). This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted binary.

**Crash**

In Rizin of the current version, an integer overflow is found in get\_long\_object(). It further leads to a heap buffer overflow. The attacker can launch the DoS attack with a malformed binary.

**Work environment**

Questions

Answers

OS/arch/bits (mandatory)

Linux 5.18.6-arch1-1

File format of the file you reverse (mandatory)

malformed

Architecture/bits of the file (mandatory)

malformed

rizin -v full output, **not truncated** (mandatory)

rizin 0.5.0 @ linux-x86-64 commit: 74e499a, build: 2022-06-25\_\_09:14:00

**Expected behavior**

run normally

**Actual behavior**

crash

**Steps to reproduce the behavior**

Open the attached file (after unzip) with Rizin.

**Additional Logs, screenshots, source code, configuration dump, ...**

input.zip

ERROR: Undefined type in free\_object (0)
ERROR: Undefined type in get\_object (0x0)
ERROR: Undefined type in get\_object (0x0)
ERROR: Undefined type in get\_object (0x14)
ERROR: Undefined type in get\_object (0x0)
ERROR: Undefined type in get\_object (0x2)
ERROR: Undefined type in get\_object (0x0)
ERROR: Undefined type in get\_object (0x0)
ERROR: Undefined type in get\_object (0x40)
ERROR: Undefined type in get\_object (0x0)
ERROR: Undefined type in get\_object (0x0)
ERROR: Undefined type in get\_object (0x40)
ERROR: Undefined type in get\_object (0x0)
ERROR: Undefined type in get\_object (0x0)
ERROR: Copy not implemented for type 7b
../librz/bin/format/pyc/marshal.c:202:18: runtime error: signed integer overflow: 1162871039 \* 15 cannot be represented in type 'int'
=================================================================
==2965413==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fa62f4647ff at pc 0x7fa63e73190d bp 0x7fffe4547ef0 sp 0x7fffe4547ee0
WRITE of size 1 at 0x7fa62f4647ff thread T0
    #0 0x7fa63e73190c in get\_long\_object ../librz/bin/format/pyc/marshal.c:219
    #1 0x7fa63e73190c in get\_object ../librz/bin/format/pyc/marshal.c:1099
    #2 0x7fa63e7332e5 in get\_code\_object ../librz/bin/format/pyc/marshal.c:948
    #3 0x7fa63e7305a3 in get\_object ../librz/bin/format/pyc/marshal.c:1054
    #4 0x7fa63e7342a6 in get\_sections\_symbols\_from\_code\_objects ../librz/bin/format/pyc/marshal.c:1204
    #5 0x7fa63e439e26 in symbols ../librz/bin/p/bin\_pyc.c:126
    #6 0x7fa63e30551b in rz\_bin\_object\_set\_items ../librz/bin/bobj.c:419
    #7 0x7fa63e30a21d in rz\_bin\_object\_new ../librz/bin/bobj.c:282
    #8 0x7fa63e2e5ca4 in rz\_bin\_file\_new\_from\_buffer ../librz/bin/bfile.c:277
    #9 0x7fa63e2f2675 in rz\_bin\_open\_buf ../librz/bin/bin.c:283
    #10 0x7fa63e2f3f72 in rz\_bin\_open\_io ../librz/bin/bin.c:341
    #11 0x7fa63c5fe1a3 in core\_file\_do\_load\_for\_io\_plugin ../librz/core/cfile.c:727
    #12 0x7fa63c5fe1a3 in rz\_core\_bin\_load ../librz/core/cfile.c:974
    #13 0x7fa645326b1d in rz\_main\_rizin ../librz/main/rizin.c:1147
    #14 0x7fa64482928f  (/usr/lib/libc.so.6+0x2928f)
    #15 0x7fa644829349 in \_\_libc\_start\_main (/usr/lib/libc.so.6+0x29349)
    #16 0x55c82ec2f964 in \_start (/usr/local/bin/rizin+0x2964)

0x7fa62f4647ff is located 1 bytes to the left of 65799105-byte region \[0x7fa62f464800,0x7fa633324bc1)
allocated by thread T0 here:
    #0 0x7fa6460bfa89 in \_\_interceptor\_malloc /usr/src/debug/gcc/libsanitizer/asan/asan\_malloc\_linux.cpp:69
    #1 0x7fa63e72e907 in get\_long\_object ../librz/bin/format/pyc/marshal.c:205
    #2 0x7fa63e72e907 in get\_object ../librz/bin/format/pyc/marshal.c:1099
    #3 0x7fa63e7332e5 in get\_code\_object ../librz/bin/format/pyc/marshal.c:948
    #4 0x7fa63e7305a3 in get\_object ../librz/bin/format/pyc/marshal.c:1054
    #5 0x7fa63e7342a6 in get\_sections\_symbols\_from\_code\_objects ../librz/bin/format/pyc/marshal.c:1204
    #6 0x7fa63e439e26 in symbols ../librz/bin/p/bin\_pyc.c:126
    #7 0x7fa63e30551b in rz\_bin\_object\_set\_items ../librz/bin/bobj.c:419
    #8 0x7fa63e30a21d in rz\_bin\_object\_new ../librz/bin/bobj.c:282
    #9 0x7fa63e2e5ca4 in rz\_bin\_file\_new\_from\_buffer ../librz/bin/bfile.c:277
    #10 0x7fa63e2f2675 in rz\_bin\_open\_buf ../librz/bin/bin.c:283
    #11 0x7fa63e2f3f72 in rz\_bin\_open\_io ../librz/bin/bin.c:341
    #12 0x7fa63c5fe1a3 in core\_file\_do\_load\_for\_io\_plugin ../librz/core/cfile.c:727
    #13 0x7fa63c5fe1a3 in rz\_core\_bin\_load ../librz/core/cfile.c:974
    #14 0x7fa645326b1d in rz\_main\_rizin ../librz/main/rizin.c:1147
    #15 0x7fa64482928f  (/usr/lib/libc.so.6+0x2928f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../librz/bin/format/pyc/marshal.c:219 in get\_long\_object
Shadow bytes around the buggy address:
  0x0ff545e848a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff545e848b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff545e848c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff545e848d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff545e848e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0ff545e848f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\[fa\]
  0x0ff545e84900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff545e84910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff545e84920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff545e84930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff545e84940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2965413==ABORTING

CVE-2022-34612: An integer overflow is found in get_long_object() · Issue #2738 · rizinorg/rizin

By Deeba Ahmed
Researchers have identified as many as eleven critical vulnerabilities in different versions of Nuki Smart Locks. The IT…
This is a post from HackRead.com Read the original post: Critical Vulnerabilities Exposed Nuki Smart Locks to a Plethora of Attack Options

****Researchers have identified as many as eleven critical vulnerabilities in different versions of Nuki Smart Locks.****

The IT security researchers at Manchester, England-based NCC Group have released a technical advisory explaining how Nuki Smart Locks were vulnerable to a plethora of attack possibilities.

It is worth noting that Nuki Home Solutions is a Graz, Austria-based supplier of smart home solutions in Europe. Here is a detailed overview of the eleven flaws in Nuki’s locks.

**Lack of Certificate Validation on TLS Communications**

This flaw is tracked as CVE-2022-32509 and affects Nuki Smart Lock version 3.0. As per the NCC Group research, the company didn’t implement SSL/TLS certificate validation on its Smart lock and Bridge devices. Without SSL/TLS certificate validation, attackers can perform man-in-the-middle attacks and access network traffic sent through an encrypted channel.

**Stack Buffer Overflow Parsing JSON Responses**

Tracked as CVE-2022-32504, this vulnerability affects Nuki Smart Lock 3.0. The issue can allow an attacker to get arbitrary code execution privilege on the device. The flaw is found in the code that implements the JSON objects parsing received from the SSE WebSocket, leading to a stack buffer overflow.

**Stack Buffer Overflow Parsing HTTP Parameters**

As per NCC Group’s technical writeup, the code responsible for overseeing the HTTP API parameter parsing logic causes a stack buffer overflow. It could be exploited to perform arbitrary code execution. This flaw is tracked as CVE-2022-32502 and was discovered in Nuki Bridge version 1.

**Broken Access Controls in the BLE Protocol**

The flaw is tracked as CVE-2022-32507 and affects Nuki Smart Lock 3.0. Research revealed that inadequate access control measures were used in the Bluetooth Low Energy Nuki API implementation, which could allow users to send out high-privilege commands to the Keyturner without being authorized for it.

1.  The Most Commonly Hacked Smart Home Tech
2.  Hackers can unlock a smartphone with fingerprints on glass of water
3.  Smart Lock vulnerability can give hackers full access to Wi-Fi network
4.  Hackers can clone your lock keys by recording clicks from smartphone
5.  Vulnerable smart alarms allowed hackers to track & turn off car engine

**TAG Exposed via Test Points**

This flaw is classified as CVE-2022-32503 and impacts Nuki Keypad. The TAG Exposed issue exposed the JTAG hardware interfaces on the affected devices.

Exploiting this flaw can allow an attacker to use the JTAG boundary scan feature to control code execution on the processor, debug the firmware, and read/alter the internal/external flash memory content. However, the attacker must have physical access to the circuit board to exploit the scan feature.

**Sensitive Information Sent Over an Unencrypted Channel**

This vulnerability is assigned CVE-2022-32510 and impacts Nuki Bridge version 1. The Bridge exposes the HTTP API using an unencrypted channel to access an administrative interface. The attacker can passively gather communication between the HTTP API and a client after accessing any device connected to the local network. A malicious actor can conveniently impersonate a legit user and access the full set of API endpoints.

**WD Interfaces Exposed via Test Points**

Tracked as CVE-2022-32506, the flaw exposed SWD hardware interfaces and was identified in Nuki smart lock 3.0. The attacker can use the SWD debug feature after having physical access to the circuit board, control the processor’s code execution, and debug the firmware.

SWD test points exposed (Image: Ncc Group)

**Denial of Service via Unauthenticated HTTP API Messages**

This flaw is classified as CVE-2022-32508 and impacts Nuki Bridge version 1. The flaw made devices vulnerable to denial of service (DoS) attacks if the attacker used specially crafted HTTP packets. Thus, impacting access to the Bridge and rendering the device unstable.

**Denial of Service via Unauthenticated BLE packets**

Tracked as CVE-2022-32505, this flaw made the impacted devices vulnerable to DoS attack through specially crafted Bluetooth Low energy packets. This could affect Keyturner’s availability and make the device unstable. Most BLE characteristics were found to be vulnerable to this issue.

**Insecure Invite Keys Implementation**

This flaw impacts the Nuki Smart Lock app version 2.22.5.5 (661). The invite token created for identifying a user during an invitation process is used to encrypt/decrypt the invite keys on the Nuki servers. A threat actor can easily take full control of the servers through this flaw and leak sensitive data.

**Opener Name Could Be Overwritten Without Authentication**

The Nuki Opener is impacted by this vulnerability that emerged from an insecure Opener Bluetooth Low energy implementation, allowing malicious actors to change the BLE device name. The device allowed an unauthenticated attacker to change the BLE device name.

**Current status**

The NCC Group informed Nuki about these flaws on 20th April 2022, and the company quickly responded. On 6th May 2022, Nuki contacted NCC Group regarding the progress on fixes. On 9th June 2022, patches were released for all vulnerabilities, after which NCC Group released a technical advisory.

Critical Vulnerabilities Exposed Nuki Smart Locks to a Plethora of Attack Options

A memory leak flaw was found in the Linux kernel in acrn_dev_ioctl in the drivers/virt/acrn/hsm.c function in how the ACRN Device Model emulates virtual NICs in VM. This flaw allows a local privileged attacker to leak unauthorized kernel information, causing a denial of service.

CVE-2022-1651

IBM Sterling Partner Engagement Manager 6.1, 6.2, and Cloud 22.2 do not limit the length of a connection which could cause the server to become unresponsive. IBM X-Force ID: 230932.

  

**Summary**

IBM Sterling Partner Engagement Manager is vulnerable to Slowloris attack is a type of denial-of-service (DoS) attack which targets threaded web servers. The issue has been addressed.

**Vulnerability Details**

**CVEID:**   CVE-2022-35639  
**DESCRIPTION:**   IBM Sterling Partner Engagement Manager do not limit the length of a connection which could cause the server to become unresponsive.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230932 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Sterling Partner Engagement Manager Standard Edition

6.1

IBM Sterling Partner Engagement Manager Standard Edition

6.2

IBM Sterling Partner Engagement Manager on Cloud / SaaS

22.2

  

**Remediation/Fixes**

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

18 Jul 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSKPRS","label":"Partner Engagement Manager"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"6.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}\]

CVE-2022-35639: Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to Slowloris HTTP DOS attack (CVE-2022-35639)

insufficient TLB flush for x86 PV guests in shadow mode For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable changing meaning / value between old and new code positions. The now wrong use of the variable did lead to a wrong TLB flush condition, omitting flushes where such are necessary.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-33745 / XSA-408 version 3 insufficient TLB flush for x86 PV guests in shadow mode UPDATES IN VERSION 3 ==================== Update hash for metadata file. ISSUE DESCRIPTION ================= For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable changing meaning / value between old and new code positions. The now wrong use of the variable did lead to a wrong TLB flush condition, omitting flushes where such are necessary. IMPACT ====== The known (observed) impact would be a Denial of Service (DoS) affecting the entire host, due to running out of memory. Privilege escalation and information leaks cannot be ruled out. VULNERABLE SYSTEMS ================== All versions of Xen with the XSA-401 fixes applied are vulnerable. Only x86 PV guests can trigger this vulnerability, and only when running in shadow mode. Shadow mode would be in use when migrating guests or as a workaround for XSA-273 (L1TF). MITIGATION ========== Not running x86 PV guests will avoid the vulnerability. CREDITS ======= This issue was discovered by Charles Arnold of SUSE. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa408.patch xen-unstable - Xen 4.14.x xsa408-4.13.patch Xen 4.13.x $ sha256sum xsa408\* 9411b563c71445d2c95e36aba9d71fa3b9341f0230e4b3e2549a63292df11669 xsa408.meta f49cb67842c7576f1d59b965331956a9fa1f529a8e2da3531d7ebc4eb3f079b3 xsa408.patch 26871efbd3f834dd4af4fbab6f2cb09a83c509e49894f025ee656071419ed995 xsa408-4.13.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmLgPzsMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZT5cIAKtisZZvdcSolZ+RHFzAdVEP2lbEW2TyoG6oy0st kMsV/ZSabthow9PiUp48DoZOXSIh/7hn2qyXqx5X0VYjiWOISVRCldm5g4p0+tA/ GN6FztbRR1GargLkvtuWj38K9E7HIqfBRFLbtJD6X97NFSAPeNNZg8nqQPqwkhK+ yeGBjPPO5pTjNwsRt91A1qEttTPjbBpipEcit/qjqqCBxX6NT/pYSE5Ltn2OHm38 eYM25X901rJl0rPsyOeUN312FAL0bEunKVKJbiNcHVBZoR37YoJ5HE5trDxoxPrz XYJdR7gzcB028lbGU4jt9FVHdYCh0htWpdpdWci4A3DCH7U= =C02g -----END PGP SIGNATURE-----

CVE-2022-33745

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is stack buffer overflow in json_parse_array() in mjs.c.

CVE-2021-33438: Minimum information for the vulnerability covered by 32 CVEs.

untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts recursive entity references in DTDs. By exploiting this vulnerability, a remote unauthenticated attacker may cause a denial-of-service (DoS) condition on the server where the product is running.

Published:2022/07/25  Last Updated:2022/07/25

**Overview**

untangle provided by Christian Stefanescu contains multiple vulnerabilities.

**Products Affected**

*   untangle 1.2.0 and earlier

**Description**

untangle provided by Christian Stefanescu is a Python library for processing XML documents. untangle contains multiple vulnerabilities listed below.

*   **Improper Restriction of Recursive Entity References in DTDs (CWE-776)** - CVE-2022-33977
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
    
    **Base Score: 4.3**
    
    CVSS v2
    
    AV:N/AC:L/Au:N/C:N/I:N/A:P
    
    **Base Score: 5.0**
    
*   **Improper Restriction of XML External Entity Reference (CWE-611)** - CVE-2022-31471
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
    
    **Base Score: 4.3**
    
    CVSS v2
    
    AV:N/AC:L/Au:N/C:P/I:N/A:N
    
    **Base Score: 5.0**
    

**Impact**

*   An attacker may be able to cause a denial-of-service (DoS) condition on the server on which the product is running - CVE-2022-33977
*   An attacker may be able to read the contents of local files - CVE-2022-31471

**Solution**

**Update the software**  
Update the software to the latest version according to the information provided by the developer.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

**Credit**

Taichi Kotake of Sterra Security Co.,Ltd. / Akatsuki Games Inc. reported these vulnerabilities to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

Tag

#dos