GPAC MP4box 2.1-DEV-rev574-g9d5bb184b has a Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in gf\_vvc\_read\_pps\_bs\_internal function of media\_tools/av\_parsers.c

while (nb\_ctb\_left >= uni\_size\_ctb) {
	nb\_ctb\_left -= uni\_size\_ctb;
	pps->tile\_rows\_height\_ctb\[pps->num\_tile\_rows\] = uni\_size\_ctb; // when pps->num\_tile\_rows == 32, overflow at pps->tile\_rows\_height\_ctb
	pps->num\_tile\_rows++;
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof2.mp4
    

Crash reported by sanitizer

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [VVC] Warning: Error parsing NAL unit
    media_tools/av_parsers.c:10985:29: runtime error: index 33 out of bounds for type 'u32 [33]'
    

**POC**

poc\_bof2.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47087: Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c · Issue #2339 · gpac/gpac

GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the afrt_box_read function at box_code_adobe.c.

A memory leak has occurred when running program MP4Box, this can reproduce on the lattest commit.

**Version**

    $ ./MP4Box -version                              
    MP4Box - GPAC version 2.1-DEV-rev505-gb9577e6ad-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-build --extra-cflags=-fsanitize=address -g --extra-ldflags=-fsanitize=address -g
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB
    

git log

    commit b9577e6ad91ef96decbcd369227ab02b2842c77f (HEAD -> master, origin/master, origin/HEAD)
    Author: jeanlf <jeanlf@gpac.io>
    Date:   Fri Nov 25 16:53:55 2022 +0100
    

**Verification steps**

    export CFLAGS='-fsanitize=address -g'
    export CC=/usr/bin/clang
    export CXX=/usr/bin/clang++ 
    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --static-build --extra-cflags="${CFLAGS}" --extra-ldflags="${CFLAGS}"
    make
    cd bin/gcc
    ./MP4Box -info $poc
    

**POC file**

https://github.com/HotSpurzzZ/testcases/blob/main/gpac/gpac\_Direct\_leak\_afrt\_box\_read.mp4

**AddressSanitizer output**

    $ ./MP4Box -info gpac_Direct_leak_afrt_box_read.mp4       
    [isom] not enough bytes in box afrt: 0 left, reading 1 (file isomedia/box_code_adobe.c, line 713)
    [iso file] Read Box "afrt" (start 0) failed (Invalid IsoMedia File) - skipping
    Error opening file gpac_Direct_leak_afrt_box_read.mp4: Invalid IsoMedia File
    
    =================================================================
    ==10525==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 24 byte(s) in 1 object(s) allocated from:
        #0 0x4a186d in malloc (/root/Desktop/gpac/bin/gcc/MP4Box+0x4a186d)
        #1 0x902c18 in afrt_box_read /root/Desktop/gpac/src/isomedia/box_code_adobe.c:706:35
    
    SUMMARY: AddressSanitizer: 24 byte(s) leaked in 1 allocation(s).

CVE-2022-46490: Memory leak in afrt_box_read function of box_code_adobe.c:706:35 · Issue #2327 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Null pointer dereference via filters/dmx_m2ts.c:343 in m2tsdmx_declare_pid

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Null pointer dereference filters/dmx\_m2ts.c:343 in m2tsdmx\_declare\_pid

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_nderef.avi
    

**Crash reported by sanitizer**

    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PMT descriptor! size 54, desc size 48 but position 5
    MORE sections on pid 4144
    Broken PMT descriptor! size 54, desc size 48 but position 10
    Broken PMT descriptor! size 54, desc size 48 but position 15
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    Broken PMT descriptor! size 54, desc size 48 but position 20
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    MORE sections on pid 4144
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 5859
    [MPEG-2 TS] TS Packet 3 is scrambled - not supported
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PMT descriptor! size 54, desc size 48 but position 5
    MORE sections on pid 4144
    Broken PMT descriptor! size 54, desc size 48 but position 10
    Broken PMT descriptor! size 54, desc size 48 but position 15
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    Broken PMT descriptor! size 54, desc size 48 but position 20
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    MORE sections on pid 4144
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 5859
    [M2TSDmx] Stream type 0x30 not supported - ignoring pid
    filters/dmx_m2ts.c:343:51: runtime error: member access within null pointer of type 'struct GF_InitialObjectDescriptor'
    

**POC**

poc\_nderef.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47094: Null pointer dereference filters/dmx_m2ts.c:343 in m2tsdmx_declare_pid · Issue #2345 · gpac/gpac

GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the gf_isom_box_parse_ex function at box_funcs.c.

A memory leak has occurred when running program MP4Box, this can reproduce on the lattest commit.

**Version**

    $ ./MP4Box -version                              
    MP4Box - GPAC version 2.1-DEV-rev505-gb9577e6ad-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-build --extra-cflags=-fsanitize=address -g --extra-ldflags=-fsanitize=address -g
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB
    

git log

    commit b9577e6ad91ef96decbcd369227ab02b2842c77f (HEAD -> master, origin/master, origin/HEAD)
    Author: jeanlf <jeanlf@gpac.io>
    Date:   Fri Nov 25 16:53:55 2022 +0100
    

**Verification steps**

    export CFLAGS='-fsanitize=address -g'
    export CC=/usr/bin/clang
    export CXX=/usr/bin/clang++ 
    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --static-build --extra-cflags="${CFLAGS}" --extra-ldflags="${CFLAGS}"
    make
    cd bin/gcc
    ./MP4Box -info $poc
    

**POC file**

https://github.com/HotSpurzzZ/testcases/blob/main/gpac/gpac\_Direct\_leak\_gf\_isom\_box\_parse\_ex.mp4

**AddressSanitizer output**

    $ ./MP4Box -info gpac_Direct_leak_gf_isom_box_parse_ex.mp4
    [iso file] Failed to uncompress payload for box type !ssx (0x21737378)
    Error opening file gpac_Direct_leak_gf_isom_box_parse_ex.mp4: BitStream Not Compliant
    
    =================================================================
    ==10575==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 1718840668 byte(s) in 1 object(s) allocated from:
        #0 0x4a186d in malloc (/root/Desktop/gpac/bin/gcc/MP4Box+0x4a186d)
        #1 0x7dfc41 in gf_isom_box_parse_ex /root/Desktop/gpac/src/isomedia/box_funcs.c:166:13
        #2 0x7df29c in gf_isom_parse_root_box /root/Desktop/gpac/src/isomedia/box_funcs.c:38:8
    
    Direct leak of 4096 byte(s) in 1 object(s) allocated from:
        #0 0x4a186d in malloc (/root/Desktop/gpac/bin/gcc/MP4Box+0x4a186d)
        #1 0x599d69 in gf_gz_decompress_payload /root/Desktop/gpac/src/utils/base_encoding.c:257:31
        #2 0x7dfc66 in gf_isom_box_parse_ex /root/Desktop/gpac/src/isomedia/box_funcs.c:170:9
        #3 0x7df29c in gf_isom_parse_root_box /root/Desktop/gpac/src/isomedia/box_funcs.c:38:8
    
    SUMMARY: AddressSanitizer: 1718844764 byte(s) leaked in 2 allocation(s).

CVE-2022-46489: Memory leak in gf_isom_box_parse_ex function of box_funcs.c:166:13 · Issue #2328 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to heap use-after-free via filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

heap-use-after-free filters/dmx\_m2ts.c:470 in m2tsdmx\_declare\_pid

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_uaf.avi
    

**Crash reported by sanitizer**

    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    [MPEG-2 TS] PID 1863: Bad Adaptation Descriptor found (tag 100) size is 100 but only 93 bytes available
    stream type DSM CC user private sections on pid 32 
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 32
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 5364
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    [MPEG-2 TS] PID 1863: Bad Adaptation Descriptor found (tag 100) size is 100 but only 93 bytes available
    stream type DSM CC user private sections on pid 32 
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 32
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 5364
    =================================================================
    ==583780==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000004548 at pc 0x7fa6cb05f685 bp 0x7ffc93e21020 sp 0x7ffc93e21010
    READ of size 8 at 0x607000004548 thread T0
        #0 0x7fa6cb05f684 in m2tsdmx_declare_pid filters/dmx_m2ts.c:470
        #1 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
        #2 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
        #3 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
        #4 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
        #5 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
        #6 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
        #7 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
        #8 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
        #9 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
        #10 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
        #11 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #12 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
        #13 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
        #14 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #15 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
        #16 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #17 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #18 0x7fa6c7ec3e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #19 0x55f87201ecb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    0x607000004548 is located 8 bytes inside of 80-byte region [0x607000004540,0x607000004590)
    freed by thread T0 here:
        #0 0x7fa6cda1ec18 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164
        #1 0x7fa6ca0aff20 in realloc_chain utils/list.c:621
        #2 0x7fa6ca0aff20 in gf_list_add utils/list.c:630
        #3 0x7fa6caed06d0 in gf_props_set_property filter_core/filter_props.c:1098
        #4 0x7fa6cae8a35d in gf_filter_pid_set_property_full filter_core/filter_pid.c:5411
        #5 0x7fa6cae8a35d in gf_filter_pid_set_property filter_core/filter_pid.c:5418
        #6 0x7fa6cb05c6b3 in m2tsdmx_declare_pid filters/dmx_m2ts.c:454
        #7 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
        #8 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
        #9 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
        #10 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
        #11 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
        #12 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
        #13 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
        #14 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
        #15 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
        #16 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
        #17 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #18 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
        #19 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
        #20 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #21 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
        #22 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #23 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    previously allocated by thread T0 here:
        #0 0x7fa6cda1ec18 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164
        #1 0x7fa6ca0aff20 in realloc_chain utils/list.c:621
        #2 0x7fa6ca0aff20 in gf_list_add utils/list.c:630
        #3 0x7fa6caed0d5f in gf_props_merge_property filter_core/filter_props.c:1199
        #4 0x7fa6cae9661b in gf_filter_pid_new filter_core/filter_pid.c:5258
        #5 0x7fa6cb05adf9 in m2tsdmx_declare_pid filters/dmx_m2ts.c:411
        #6 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
        #7 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
        #8 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
        #9 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
        #10 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
        #11 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
        #12 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
        #13 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
        #14 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
        #15 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
        #16 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #17 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
        #18 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
        #19 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #20 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
        #21 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #22 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-use-after-free filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid
    Shadow bytes around the buggy address:
      0x0c0e7fff8850: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa fa
      0x0c0e7fff8860: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
      0x0c0e7fff8870: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 00 00
      0x0c0e7fff8880: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
      0x0c0e7fff8890: 00 00 00 00 00 00 fa fa fa fa 00 00 00 00 00 00
    =>0x0c0e7fff88a0: 00 00 00 00 fa fa fa fa fd[fd]fd fd fd fd fd fd
      0x0c0e7fff88b0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff88c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff88d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff88e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff88f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==583780==ABORTING
    

**POC**

poc\_uaf.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47093: heap-use-after-free filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid · Issue #2344 · gpac/gpac

GPAC MP4Box v2.1-DEV-rev574-g9d5bb184b contains a segmentation violation via the function gf_sm_load_init_swf at scene_manager/swf_parse.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Forget to check the return value of gf_swf_read_header in gf\_sm\_load\_init\_swf. gf_swf_read_header should fall fast if error is detected.

gf\_swf\_read\_header(read);
load->ctx->scene\_width = FIX2INT(read->width);
load->ctx->scene\_height = FIX2INT(read->height);
load->ctx->is\_pixel\_metrics = 1;

**Verison info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile with

    ./configure --enable-sanitizer
    make
    

run with poc.swf (in attachment)

    ./MP4Box import -add poc.swf
    

crash triggered

    [TXTLoad] Unknown text format for poc.swf
    Failed to connect filter fin PID poc.swf to filter txtin: Feature Not Supported
    Blacklisting txtin as output from fin and retrying connections
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==215517==ERROR: AddressSanitizer: SEGV on unknown address 0x615100000035 (pc 0x7f022cad9afb bp 0x7ffdc954ed70 sp 0x7ffdc954dc40 T0)
    ==215517==The signal is caused by a READ memory access.
        #0 0x7f022cad9afb in gf_sm_load_init_swf scene_manager/swf_parse.c:2667
        #1 0x7f022ca5125f in gf_sm_load_init scene_manager/scene_manager.c:692
        #2 0x7f022d169cea in ctxload_process filters/load_bt_xmt.c:476
        #3 0x7f022cecfbcc in gf_filter_process_task filter_core/filter.c:2750
        #4 0x7f022ce8faf3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #5 0x7f022ce9c3ee in gf_fs_run filter_core/filter_session.c:2120
        #6 0x7f022c8defd1 in gf_media_import media_tools/media_import.c:1551
        #7 0x56297ebccaec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #8 0x56297eb813db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
        #9 0x56297eb813db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #10 0x7f0229e69d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #11 0x7f0229e69e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #12 0x56297eb5dcb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV scene_manager/swf_parse.c:2667 in gf_sm_load_init_swf
    ==215517==ABORTING
    

**Gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007f2d4fe54afb in gf_sm_load_init_swf (load=load@entry=0x6110000084f0) at scene_manager/swf_parse.c:2667
    2667		load->ctx->scene_width = FIX2INT(read->width);
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ───────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────────────────────────────────────────────────
    *RAX  0x611000008508 —▸ 0x604000002a90 —▸ 0x616000001280 ◂— 0x0
     RBX  0xfffecf4d70a ◂— 0x0
     RCX  0xfffecf4d6ea ◂— 0x0
     RDX  0x0
    *RDI  0x615100000035 ◂— 0x0
     RSI  0x0
    *R8   0x611000008528 ◂— 0xa9
     R9   0x610000000bd0 —▸ 0x200000002 ◂— 0x0
     R10  0x610000000bd4 —▸ 0x20000000002 ◂— 0x0
     R11  0x610000000bd0 —▸ 0x200000002 ◂— 0x0
     R12  0x6110000084f0 ◂— 9 /* '\t' */
    *R13  0x6150fffffffd ◂— 0x0
    *R14  0x615000013e4c —▸ 0xb40000000a9 ◂— 0x0
    *R15  0x611000008508 —▸ 0x604000002a90 —▸ 0x616000001280 ◂— 0x0
    *RBP  0x7fff67a6c940 —▸ 0x7fff67a6ca60 —▸ 0x7fff67a6dd60 —▸ 0x7fff67a6ddf0 —▸ 0x7fff67a6def0 ◂— ...
    *RSP  0x7fff67a6b810 ◂— 0xf4dc4ae
    *RIP  0x7f2d4fe54afb (gf_sm_load_init_swf+747) ◂— cvttss2si ecx, dword ptr [r13 + 0x38]
    ────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────────────────────────────────────────────────────────────
     ► 0x7f2d4fe54afb <gf_sm_load_init_swf+747>    cvttss2si ecx, dword ptr [r13 + 0x38]
       0x7f2d4fe54b01 <gf_sm_load_init_swf+753>    shr    rax, 3
       0x7f2d4fe54b05 <gf_sm_load_init_swf+757>    cmp    byte ptr [rax + 0x7fff8000], 0
       0x7f2d4fe54b0c <gf_sm_load_init_swf+764>    jne    gf_sm_load_init_swf+2550                <gf_sm_load_init_swf+2550>
     
       0x7f2d4fe54b12 <gf_sm_load_init_swf+770>    mov    rsi, qword ptr [r12 + 0x18]
       0x7f2d4fe54b17 <gf_sm_load_init_swf+775>    test   rsi, rsi
       0x7f2d4fe54b1a <gf_sm_load_init_swf+778>    je     gf_sm_load_init_swf+2570                <gf_sm_load_init_swf+2570>
     
       0x7f2d4fe54b20 <gf_sm_load_init_swf+784>    test   sil, 7
       0x7f2d4fe54b24 <gf_sm_load_init_swf+788>    jne    gf_sm_load_init_swf+2570                <gf_sm_load_init_swf+2570>
     
       0x7f2d4fe54b2a <gf_sm_load_init_swf+794>    lea    rdx, [rsi + 0x18]
       0x7f2d4fe54b2e <gf_sm_load_init_swf+798>    cmp    rsi, -0x18
    ──────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────────────────────────────────────────────────────
    In file: /home/sumuchuan/Desktop/gpac_fuzz/gpac/src/scene_manager/swf_parse.c
       2662         read->flags = load->swf_import_flags;
       2663         read->flat_limit = FLT2FIX(load->swf_flatten_limit);
       2664         load->loader_priv = read;
       2665 
       2666         gf_swf_read_header(read);
     ► 2667         load->ctx->scene_width = FIX2INT(read->width);
       2668         load->ctx->scene_height = FIX2INT(read->height);
       2669         load->ctx->is_pixel_metrics = 1;
       2670 
       2671         if (!(load->swf_import_flags & GF_SM_SWF_SPLIT_TIMELINE) ) {
       2672                 swf_report(read, GF_OK, "ActionScript disabled");
    ──────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────────────────
    00:0000│ rsp 0x7fff67a6b810 ◂— 0xf4dc4ae
    01:0008│     0x7fff67a6b818 —▸ 0x7fff67a6c910 —▸ 0x7fff67a6c9b0 —▸ 0x60e000667773 ◂— 0x0
    02:0010│     0x7fff67a6b820 —▸ 0x61100000852c —▸ 0x2b000000000 ◂— 0x0
    03:0018│     0x7fff67a6b828 —▸ 0x611000008528 ◂— 0xa9
    04:0020│     0x7fff67a6b830 —▸ 0x7fff67a6b850 ◂— 0x41b58ab3
    05:0028│     0x7fff67a6b838 —▸ 0x611000008530 —▸ 0x6020000002b0 ◂— '/tmp/gpac_cache'
    06:0030│     0x7fff67a6b840 —▸ 0x611000008548 —▸ 0x615000013e00 —▸ 0x6110000084f0 ◂— 9 /* '\t' */
    07:0038│     0x7fff67a6b848 —▸ 0x7fff67a6b850 ◂— 0x41b58ab3
    ────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────────────────
     ► f 0   0x7f2d4fe54afb gf_sm_load_init_swf+747
       f 1   0x7f2d4fdcc260 gf_sm_load_init+896
       f 2   0x7f2d504e4ceb ctxload_process+2283
       f 3   0x7f2d5024abcd gf_filter_process_task+3181
       f 4   0x7f2d5020aaf4 gf_fs_thread_proc+2244
       f 5   0x7f2d502173ef gf_fs_run+447
       f 6   0x7f2d4fc59fd2 gf_media_import+16210
       f 7   0x565119c9faed import_file+15133
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    
    

**Backtrace**

    pwndbg> bt
    #0  0x00007f2d4fe54afb in gf_sm_load_init_swf (load=load@entry=0x6110000084f0) at scene_manager/swf_parse.c:2667
    #1  0x00007f2d4fdcc260 in gf_sm_load_init (load=load@entry=0x6110000084f0) at scene_manager/scene_manager.c:692
    #2  0x00007f2d504e4ceb in ctxload_process (filter=<optimized out>) at filters/load_bt_xmt.c:476
    #3  0x00007f2d5024abcd in gf_filter_process_task (task=0x607000001520) at filter_core/filter.c:2750
    #4  0x00007f2d5020aaf4 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x616000000410) at filter_core/filter_session.c:1859
    #5  0x00007f2d502173ef in gf_fs_run (fsess=fsess@entry=0x616000000380) at filter_core/filter_session.c:2120
    #6  0x00007f2d4fc59fd2 in gf_media_import (importer=importer@entry=0x7fff67a6ee20) at media_tools/media_import.c:1551
    #7  0x0000565119c9faed in import_file (dest=<optimized out>, inName=inName@entry=0x7fff67a832c8 "fake.swf", import_flags=0, force_fps=..., frames_per_sample=0, fsess=fsess@entry=0x0, mux_args_if_first_pass=<optimized out>, mux_sid_if_first_pass=<optimized out>, tk_idx=<optimized out>) at fileimport.c:1498
    #8  0x0000565119c543dc in do_add_cat (argv=<optimized out>, argc=<optimized out>) at mp4box.c:4508
    #9  mp4box_main (argc=<optimized out>, argv=<optimized out>) at mp4box.c:6124
    #10 0x00007f2d4d1e4d90 in __libc_start_call_main (main=main@entry=0x565119c30bc0 <main>, argc=argc@entry=4, argv=argv@entry=0x7fff67a82d98) at ../sysdeps/nptl/libc_start_call_main.h:58
    #11 0x00007f2d4d1e4e40 in __libc_start_main_impl (main=0x565119c30bc0 <main>, argc=4, argv=0x7fff67a82d98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff67a82d88) at ../csu/libc-start.c:392
    #12 0x0000565119c30cb5 in _start ()
    

**Credit**

xdchase

**POC**

poc-segfault.zip

CVE-2022-47086: missing check in gf_sm_load_init_swf, causing Segmentation fault · Issue #2337 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

buffer overflow in gf\_vvc\_read\_pps\_bs\_internal function of media\_tools/av\_parsers.c

while (nb\_ctb\_left >= uni\_size\_ctb) {
	nb\_ctb\_left -= uni\_size\_ctb;
	pps->tile\_cols\_width\_ctb\[pps->num\_tile\_cols\] = uni\_size\_ctb; // when pps->num\_tile\_cols == 30, overflow at pps->tile\_cols\_width\_ctb
	pps->num\_tile\_cols++;
}

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof3.mp4
    

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [VVC] Warning: Error parsing NAL unit
    [Core] exp-golomb read failed, not enough bits in bitstream !
    media_tools/av_parsers.c:10964:28: runtime error: index 30 out of bounds for type 'u32 [30]'

CVE-2022-47088: Another Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c · Issue #2340 · gpac/gpac

Categories: Android
Categories: News
Tags: 2023-01-01

Tags:  2023-01-05

Tags:  Google

Tags:  Android

Tags:  CVE-2022-42719

Tags:  CVE-2022-42720

Tags:  CVE-2022-42721

Tags:  mac80211

Tags:  CVE-2022-41674

Tags:  Qualcomm

Tags:  CVE-2022-22088

Google has published its first security bulletin of 2023 with details of vulnerabilities affecting Android devices. It includes fixes for 60 security issues.



(Read more...)




The post Google patches 60 vulnerabilities in first Android update of 2023 appeared first on Malwarebytes Labs.

Google has published its first security bulletin of 2023 with details of security vulnerabilities affecting Android devices. Patch level 2023-01-01 includes 20 issues and patch level 2023-01-05 includes fixes for another 40 issues.

The Android security patch level refers to a monthly manifest of security patches rolled out by Google in an effort to close up security holes and malicious code exploits in the Android OS. The more recent your patch level, the less vulnerable your device is to security exploits.

The vulnerabilities that stand out the most in this round are three critical and one high severity vulnerabilities in the Android kernel. But there are some other critical issues to keep an eye on.

**Mitigation**

If your Android phone is at patch level 2023-01-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 10, 11, 12, 12L and 13. Android partners are notified of all issues at least a month before publication. However, this doesn’t always mean that the patches are available for devices from all vendors.

You can find your device's Android version number, security update level, and Google Play system level in your Settings app. You'll get notifications when updates are available for you, but you can also check for updates.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

**Kernel**

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Below are details for the three critical ones in the kernel.

CVE-2022-42719: A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code.

CVE-2022-42720: Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-free conditions to potentially execute code.

CVE-2022-42721: A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in turn, potentially execute code.

**mac80211**

mac80211 is a framework which driver developers can use to write drivers for SoftMAC wireless devices. SoftMAC devices allow for a finer control of the hardware, allowing for 802.11 frame management to be done in software for them, for both parsing and generation of 802.11 wireless frames.

The main purpose of a wireless LAN is to transport data. The 802.11 standard defines various frame types that stations use for communications, as well as managing and controlling the wireless link. 802.11 defines a data frame type that carries packets from higher layers, such as web pages, printer control data, etc., within the body of the frame.

All three critical vulnerabilities in the kernel require a remote attacker to be on the local network and they need to be able to inject WLAN frames to successfully exploit the remote code execution (RCE) vulnerabilities.

**WLAN**

Another option for attackers that are able to inject WLAN frames is the also critical vulnerability listed as CVE-2022-41674 which is an issue in the Linux kernel before 5.19.16. Attackers could inject WLAN frames and cause a buffer overflow in the ieee80211\_bss\_info\_update function in net/mac80211/scan.c.

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region.

**Qualcomm**

Another critical vulnerability lies in the Qualcomm Bluetooth component and is listed as CVE-2022-22088. The description of the vulnerability says it’s a memory corruption in Bluetooth HOST due to buffer overflow while parsing the command response received from remote. The vulnerability has a CVSS score of 9.8 (out of 10). The vulnerability only applies to devices with certain Qualcomm chipsets. A full list of those chipsets can be found in the Qualcomm January 2023 Security Bulletin by looking at the details for this CVE number.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Google patches 60 vulnerabilities in first Android update of 2023

A vulnerability exists in the ClearPass OnGuard macOS agent that allows for an attacker with local macOS instance access to potentially obtain sensitive information. A successful exploit could allow an attacker to retrieve information that is of a sensitive nature in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x: 6.10.7 and below and ClearPass Policy Manager 6.9.x: 6.9.12 and below.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2022-020 CVE: CVE-2002-20001, CVE-2022-43530, CVE-2022-43531, CVE-2022-43532, CVE-2022-43533, CVE-2022-43534, CVE-2022-43535, CVE-2022-43536, CVE-2022-43537, CVE-2022-43538, CVE-2022-43539, CVE-2022-43540 Publication Date: 2022-Dec-06 Status: Confirmed Severity: High Revision: 1 Title ===== ClearPass Policy Manager Multiple Vulnerabilities Overview ======== Aruba has released updates to ClearPass Policy Manager that address multiple security vulnerabilities. Affected Products ================= These vulnerabilities affect ClearPass Policy Manager running the following software versions unless specifically noted otherwise in the details section: - ClearPass Policy Manager 6.10.x: 6.10.7 and below - ClearPass Policy Manager 6.9.x: 6.9.12 and below Versions of ClearPass Policy Manager that are end of life are affected by these vulnerabilities unless otherwise indicated. Unaffected Products =================== Any other Aruba products not specifically listed above are not affected by these vulnerabilities. Details ======= Authenticated SQL Injection Vulnerabilities in ClearPass Policy Manager Web-based Management Interface (CVE-2022-43530, CVE-2022-43531) --------------------------------------------------------------------- Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the ClearPass Policy Manager cluster. Internal references: ATLCP-175, ATLCP-186 Severity: High CVSSv3 Overall Score: 8.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Luke Young (bugcrowd.com/bored-engineer) and Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Authenticated Stored Cross-Site Scripting Vulnerability (XSS) in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-43532) --------------------------------------------------------------------- A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface. Internal References: ATLCP-195 Severity: High CVSSv3.x Overall Score: 8.0 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Local Privilege Escalation in ClearPass OnGuard macOS Agent (CVE-2022-43533) --------------------------------------------------------------------- A vulnerability in the ClearPass OnGuard macOS agent could allow malicious users on a macOS instance to elevate their user privileges. A successful exploit could allow these users to execute arbitrary code with root level privileges on the macOS instance. Internal references: ATLCP-204 Severity: High CVSSv3 Overall Score: 7.8 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by Luke Young (bugcrowd.com/bored\_engineer) via Aruba's Bug Bounty Program. Local Privilege Escalation in ClearPass OnGuard Linux Agent (CVE-2022-43534) --------------------------------------------------------------------- A vulnerability in the ClearPass OnGuard Linux agent could allow malicious users on a Linux instance to elevate their user privileges. A successful exploit could allow these users to execute arbitrary code with root level privileges on the Linux instance. Internal references: ATLCP-215 Severity: High CVSSv3 Overall Score: 7.8 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by Luke Young (bugcrowd.com/bored\_engineer) via Aruba's Bug Bounty Program. Local Privilege Escalation in ClearPass OnGuard Windows Agent (CVE-2022-43535) --------------------------------------------------------------------- A vulnerability in the ClearPass OnGuard Windows agent could allow malicious users on a Windows instance to elevate their user privileges. A successful exploit could allow these users to execute arbitrary code with NT AUTHORITY\\SYSTEM level privileges on the Windows instance. Internal references: ATLCP-214 Severity: High CVSSv3 Overall Score: 7.8 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by Luke Young (bugcrowd.com/bored\_engineer) via Aruba's Bug Bounty Program. Diffie-Hellman Key Agreement Protocol Vulnerability (CVE-2002-20001) --------------------------------------------------------------------- The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. Successful exploitation of this vulnerability can lead to a denial-of-service attack. Internal Reference: ATLCP-173 Severity: High CVSSv3.1 Overall Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Discovery: This vulnerability was discovered and reported by Jean-francois Raymond and Anton Stiglic. Please see the following link for more details: https://www.researchgate.net/publication/2401745\_Security\_Issues\_in\_the\_Diffie-Hellman\_Key\_Agreement\_Protocol Authenticated Remote Command Injection in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-43536, CVE-2022-43537, CVE-2022-43538) --------------------------------------------------------------------- Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. Successful exploits could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. Internal References: ATLCP-194, ATLCP-213, ATLCP-220 Severity: High CVSSv3.x Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Sensitive Information Disclosure in ClearPass Policy Manager Cluster via Privileged Network Position (CVE-2022-43539) --------------------------------------------------------------------- A vulnerability exists in the ClearPass Policy Manager cluster communications that allow for an attacker in a privileged network position to potentially obtain sensitive information. A successful exploit could allow an attacker to retrieve information that allows for unauthorized actions as a privileged user on the ClearPass Policy Manager cluster. Internal Reference: ATLCP-221 Severity: Medium CVSSv3.x Overall Score: 5.7 CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L Discovery: This vulnerability was discovered and reported by the Vancouver Clinic. Sensitive Information Disclosure in ClearPass OnGuard macOS Agent (CVE-2022-43540) --------------------------------------------------------------------- A vulnerability exists in the ClearPass OnGuard macOS agent that allows for an attacker with local macOS instance access to potentially obtain sensitive information. A successful exploit could allow an attacker to retrieve information that is of a sensitive nature. Internal Reference: ATLCP-206 Severity: Medium CVSSv3.x Overall Score: 5.5 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Discovery: This vulnerability was discovered and reported by Luke Young (bugcrowd.com/bored\_engineer) via Aruba's Bug Bounty Program. Resolution ========== Upgrade ClearPass Policy Manager to one of the following versions with the fixes to resolve all issues noted in the details section. - ClearPass Policy Manager 6.11.x: 6.11.0 and above - ClearPass Policy Manager 6.10.x: 6.10.8 and above - ClearPass Policy Manager 6.9.x: 6.9.13 and above Aruba does not evaluate or patch ClearPass Policy Manager versions that have reached their End of Support (EoS) milestone. Supported versions as of the publication date of this advisory are: - ClearPass Policy Manager 6.11.x - ClearPass Policy Manager 6.10.x - ClearPass Policy Manager 6.9.x For more information about Aruba's End of Support policy visit: https://www.arubanetworks.com/support-services/end-of-life/ Workaround ========== To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for ClearPass Policy Manager be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above ClearPass Policy Manager Security Hardening =========================================== For general information on hardening ClearPass Policy Manager instances against security threats please see the ClearPass Policy Manager Hardening Guide available at https://support.hpe.com/hpesc/public/docDisplay?docId=a00091066en\_us for ClearPass Policy Manager 6.9.x and earlier versions. For ClearPass 6.10.x the ClearPass Policy Manager Hardening Guide is available at https://www.arubanetworks.com/techdocs/ClearPass/6.10/PolicyManager/Content/home.htm For ClearPass 6.11.x The ClearPass Policy Manager Hardening guide is available at https://www.arubanetworks.com/techdocs/ClearPass/6.11/PolicyManager/Content/home.htm Exploitation and Public Discussion ================================== Aruba is not aware of any public discussion or exploit code that target these specific vulnerabilities as of the release date of the advisory. Revision History ================ Revision 1 / 2022-Dec-06 / Initial release Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at: https://www.arubanetworks.com/support-services/security-bulletins/ For reporting \*NEW\* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmNhJlsXHHNpcnRAYXJ1 YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtmxIgf/YflQbiMGZ15m4dDg6m8kro7s sSNp+LtEM0RGgfOdhqch9lnz04tXGeaYGCuxPV2s40UW4OnhKgcj2NB8Hv8BFKbH t/mqo4XKQneFIhX9usSHg6yJzmcQcEuKsGtin+JJ6wkDFVCRclRBByvUk40sRkup YvUtikiEh73nxFKyEla+oETh81hhFspGf+vzTQt2TcN9bJIKSMI73jTTf5W18fi6 mNuj9nV7ZHCN+b29KmWfwZjyX8eS+MwTpiKU2eC5V3oX63x78jDCejl27ZrwffE4 0JZ/W1oFoZ5SRjj16VEgHeXfi0+XYeLfac8AQE/jMtdyvvo+dOGY+/KDohEgBg== =wYw8 -----END PGP SIGNATURE-----

CVE-2022-43540

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 221195.

  

**Summary**

IBM Sterling B2B Integrator has addressed the session mismangement vulnerability in Dashboard.

**Vulnerability Details**

**CVEID:**   CVE-2022-22371  
**DESCRIPTION:**   IBM Sterling B2B Integrator Standard Edition does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221195 for the current score.  
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Sterling B2B Integrator

6.0.0.0 - 6.0.3.6

IBM Sterling B2B Integrator

6.1.0.0 - 6.1.0.5, 6..1.1.0 - 6.1.1.1, 6.1.2.0

  

**Remediation/Fixes**

**Product**

**Version**

**APAR**

**Remediation & Fix**

IBM Sterling B2B Integrator

6.0.0.0 - 6.0.3.6

IT41026

Apply 6.0.3.7

IBM Sterling B2B Integrator

6.1.0.0 - 6.1.0.5  
6.1.1.0 - 6.1.1.1  
6.1.2.0

IT41026

Apply 6.1.0.6, 6.1.1.2 or 6.1.2.1

The version 6.0.3.7, 6.1.0.6, 6.1.1.2 and 6.1.2.1 are available on Fix Central. 

The container version of 6.1.2.1 is available in IBM Entitled Registry with following tags.  

*   cp.icr.io/cp/ibm-b2bi/b2bi:6.1.2.1 for IBM Sterling B2B Integrator
*   cp.icr.io/cp/ibm-sfg/sfg:6.1.2.1 for IBM Sterling File Gateway

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

28 Dec 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS3JSW","label":"IBM Sterling B2B Integrator"},"Component":"Dashboard","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF002","label":"AIX"}\],"Version":"6.0.0.0 - 6.1.2.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}\]

Tag

#linux