Red Hat Security Advisory 2024-1278-03 - An update for kpatch-patch is now available for Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include out of bounds write and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1278.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kpatch-patch security update  
Advisory ID:        RHSA-2024:1278-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1278  
Issue date:         2024-03-12  
Revision:           03  
CVE Names:          CVE-2023-3390  
====================================================================

Summary: 

An update for kpatch-patch is now available for Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (CVE-2024-0646)

* kernel: use-after-free in sch_qfq network scheduler (CVE-2023-4921)

* kernel: IGB driver inadequate buffer size for frames larger than MTU (CVE-2023-45871)

* kernel: use after free in nvmet_tcp_free_crypto in NVMe (CVE-2023-5178)

* kernel: net/sched: sch_hfsc UAF (CVE-2023-4623)

* kernel: net/sched: sch_qfq component can be exploited if in qfq_change_agg function happens qfq_enqueue overhead (CVE-2023-3611)

* kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval() (CVE-2023-35001)

* kernel: UAF in nftables when nft_set_lookup_global triggered after handling named and anonymous sets in batch requests (CVE-2023-3390)

* kernel: out-of-bounds write in qfq_change_class function (CVE-2023-31436)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-3390

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2192671  
https://bugzilla.redhat.com/show_bug.cgi?id=2213260  
https://bugzilla.redhat.com/show_bug.cgi?id=2220892  
https://bugzilla.redhat.com/show_bug.cgi?id=2225191  
https://bugzilla.redhat.com/show_bug.cgi?id=2237757  
https://bugzilla.redhat.com/show_bug.cgi?id=2241924  
https://bugzilla.redhat.com/show_bug.cgi?id=2244723  
https://bugzilla.redhat.com/show_bug.cgi?id=2245514  
https://bugzilla.redhat.com/show_bug.cgi?id=2253908

Red Hat Security Advisory 2024-1278-03

A closed-door presentation for House lawmakers late last year portrayed American anti-war protesters as having possible ties to Hamas in an effort to kill privacy reforms to a major US spy program.

At a private meeting about the reauthorization of a major United States surveillance program late last year, the Republican chairman of the US House Permanent Select Committee on Intelligence (HPSCI) presented an image of Americans protesting the war in Gaza while implying possible ties between the protesters and Hamas, an allegation that was used to illustrate why surveillance reforms may prove detrimental to national security, WIRED has learned. Sources who attended the meeting say it alarmed Republicans who are pursuing new limits on the US government's power to warrantlessly access the communications of US citizens.

In December, as many as 200 Republican staffers gathered behind closed doors to hear a presentation by House Intelligence chair Mike Turner, one of several such meetings that day aimed at shoring up support for a US surveillance program known as Section 702.

House lawmakers were expected to cast votes the following day to determine which of two rival bills would become law. While both aimed to reauthorize the 702 program, they shared little else in common. The first bill was backed by Turner and Jim Himes—HPSCI's leading Democrat—and had the support of the US intelligence community. The second, a bill chock full of privacy reforms, had been introduced by the House Judiciary Committee and was opposed by the Biden White House.

While Turner addressed the Republican staffers, representatives from the intelligence community conducted their own briefing with Democrats on Capitol Hill. Both meetings were designed to dissuade House members from supporting the privacy reforms offered under the Judiciary bill—chiefly among them, an amendment that would force the FBI to obtain warrants before accessing the communications of Americans collected under the 702 program—phone calls, emails, and text messages intercepted by US spies in the process of eavesdropping on foreigners overseas.

The briefing conducted by Turner at roughly 2 pm EST on December 11 carried on for more than an hour. Roughly 15 minutes into the presentation, two slides were introduced referencing American protesters. The implication, sources present for the briefing tell WIRED, was that the demonstrators were suspected of having ties to Hamas, which the US government classifies as a terrorist organization.

A spokesperson for the House Intelligence Committee said in an email on Friday that the protesters depicted in the slide had “responded to what appears to be a Hamas solicitation.”

A WIRED review of the slides shown by Turner casts doubt on that claim. Notably, while the two slides were portrayed as being related to a single protest in November outside Senate majority leader Chuck Schumer's Brooklyn residence, WIRED has since learned that the slides reference two separate events that occurred nearly a month apart.

What’s more, the allegation that the protesters were following Hamas' lead is based on a post on X that contains false information about who organized one of these two events.

Three Republican staffers who attended Turner’s briefing that day tell WIRED the images immediately set off alarms. Section 702 authorizes the government to surveil foreigners located physically overseas, they said, but not Americans or individuals on US soil. Even while Turner spoke, a few staffers began privately debating whether what Turner described was a lawful use of the program.

While eavesdropping on foreigners is permitted, doing so for the explicit purpose of gaining access to an American’s communications—a practice commonly referred to as “reverse targeting”—is strictly forbidden.

"At the outset of the presentation, he's running through slides, making his case for why 702 reauthorization is needed,” a senior Republican aide tells WIRED. “Then he throws up that photo. The framing was: ‘Here are protesters outside of Chuck Schumer's house. We need to be able to use 702 to query these people.’”

Another aide in attendance said: "The sentiment was that \[Turner\] wanted to know if these people were talking to Hamas. That's how I interpreted why he brought up those slides."

Jeff Naft, the HPSCI spokesperson, says the purpose of the slides was to illustrate that, even if the protesters did have ties to Hamas, they would “not be subject to surveillance” under the 702 program. “702 is not used to target protesters," he says. “702 is used on foreign terrorist organizations, like Hamas. Chairman Turner’s presentation was a distinction exercise to explain the difference between a US person and Hamas.”

WIRED's sources, who are not authorized to discuss closed-door briefings and requested anonymity to do so, describe this as a conflation of two separate issues—a tactic, they say, that has become commonplace in the debate over the program’s future. “Yes, it’s true, you cannot ‘target’ protesters under 702,” one aide, a legislative director for a Republican lawmaker, says. “But that doesn’t mean the FBI doesn't still have the power to access those emails or listen to their calls if it wants.”

Under the 702 program—authorized under the Foreign Intelligence Surveillance Act (FISA)—the term “target” refers to foreign individuals whose communications are primarily sought after by US spies. But a person needn't be a “target” (or a foreigner, for that matter) for the US government to intercept their calls or emails. Nor does a person need to be a “target” for the FBI to access and review those conversations, a practice that privacy advocates have come to call a “backdoor search.”

The government’s claim that 702 is not used to _target_ protesters may be misleading to those not steeped in the program’s specifics. Between 2020 and early 2021, the FBI conducted “tens of thousands” of queries related to “civil unrest” in the United States. Even had those queries been lawful, the FBI would never have referred to those Americans as “targets.” For people whose communications are being accessed, it’s a distinction without much of a difference.

A Biden administration official tells WIRED that it was made clear at the briefing that individuals “can never be queried due to the fact that they participated in a protest.” Any suggestion to the contrary, they said, is inaccurate. “US person queries of lawfully collected 702 data are based on information such as contact with a foreign terrorist, since such queries must be reasonably likely to return foreign intelligence information,” the official says.

The bar for justifying a query, though, is far below “contact with a terrorist,” according to Elizabeth Goitein, a senior director at the Brennan Center for Justice at the NYU School of Law. “The law’s definition of ‘foreign intelligence’ is extremely broad and sweeps far beyond matters relating to terrorism or espionage,” she says.

A query for an American's communications may be allowed, for instance, if it's deemed necessary for “purposes of security," Goitein says, noting that the term “security” isn't defined. The information sought by the government can merely be necessary to understand the “conduct of foreign affairs,” something that the Center for Strategic & International Studies says may apply to “almost any activity.”

Last year, the FISA court approved three definitions of foreign intelligence information, adds Goitein. One of them is simply information related to “foreign governments and related entities.”

James Czerniawski, a senior policy analyst at Americans for Prosperity, a libertarian think tank, says the idea that US protesters could be queried under 702 without a warrant, simply based on accusations of harboring overseas ties, represents “an affront to Americans' privacy.”

"It manifests why trust has eroded in the very institutions meant to protect us, and it represents a material threat to the millions of Americans who will undoubtedly soon join protests,” Czerniawski says, “no matter what happens in November.”

Beyond what the slides represented to Turner’s audience at the time, they are more controversial now for reasons that weren't quite apparent during that December 11 briefing.

The first of Turner's slides includes a photograph of anti-war activists sitting cross-legged at an intersection in Brooklyn’s Park Slope neighborhood, arms interlocked. The second slide features a tweet by Matthew Foldi, a conservative staff writer at the Washington Free Beacon. It also relates to a protest outside of Schumer’s home. The implication of Foldi’s tweet, sources say, was that the protesters in both cases had gotten their marching orders overseas from an organization Foldi referred to as a “Hamas front group.”

Regardless of whether Turner and his staff bought into the claim, there are several issues with this portrayal, and HPSCI had no evidence on hand to support the allegation—not to staff members in December and not last week when questioned by WIRED about the veracity of the claim.

The first of the two slides, showing protesters sitting in the street, can be traced back to a demonstration on October 13, organized by the US nonprofit Jewish Voice for Peace. Thousands of Americans had attended protests across New York City that day.

According to a local news report, several rabbis as well as descendants of Holocaust survivors were among the 57 people arrested for blocking traffic near Schumer’s home. New York State Assembly members Zohran Mamdani and Marcela Mitaynes were also present and were issued citations for acts of civil disobedience. Statements gathered from journalists at the scene show the demonstration was being closely monitored by the FBI’s New York field office. But aside from a few “scuffles” with counter-protesters earlier in the day, there are no reports of the protests turning violent.

Sean Vitka, a policy director at the civil-liberties-focused nonprofit Demand Progress, says Congress enacted FISA specifically to stop the FBI from spying on protesters. "Spying on protesters is ice in the heart of democracy—and if someone trolling the ‘other side’s’ protest on Twitter is cause to spy on those protesters, we have an enormous problem,” he says.

The second slide in Turner’s presentation featured the tweet by Foldi, which likewise references a march on Schumer’s home. That protest, however, took place nearly a month after the first. HPSCI's claim that Hamas may have incited the demonstration appears solely based on this remark by Foldi, who claims the protesters were responding to a call issued by a pro-Palestinian group known as Samidoun.

However, that wasn't the case.

The only evidence of the Palestinian group’s involvement is that the protest was included on a calendar maintained by Samidoun on its website. The calendar currently lists more than 5,000 protests that have taken place around the world, from Australia and England to Finland, Nigeria, Iceland, and Japan. The same site bears a disclaimer that notes the list includes protests not organized by Samidoun, and visitors are encouraged to submit details about events being organized in their respective countries.

Foldi went on to portray Samidoun as having been “banned from Germany and booted from numerous payment processors over suspicions of acting as a Hamas front group.”

A German branch of Samidoun was dissolved in November, but not as a result of evidence it had ties to Hamas. Rather, the group, formed to protest the imprisonment of Palestinians, was accused of spreading “anti-Jewish conspiracy theories,” an allegation that the organizers vehemently deny, while noting their ranks boast many Jewish members.

For obvious reasons, Germany has some of the strictest antisemitism laws in the world, enabling Berlin to issue blanket bans against protests aimed at raising awareness of the humanitarian crisis in Gaza. Such bans would be unlawful in the United States under its constitution.

Branches of Samidoun have also faced bans by payment processors overseas. This also happens frequently in the United States. The bar for being banned by a payment processor is notably far below having terrorism ties.

Payment processors last year severed ties with a French branch of the group, known as Collectif Palestine Vaincra, a result of the French government attempting to dissolve the organization under allegations it was “anti-Jewish.” This attempt was blocked by a French court in May, however, after it rules the Macron government's allegations of “antisemitism” against the group were “unfounded.”

Neither Foldi nor Samidoun immediately responded to requests for comment.

That the chairman of a US intelligence committee chose such questionable examples during a presentation aimed at garnering support for a US surveillance authority gave many Republican staffers pause.

None of the House sources who spoke to WIRED work for lawmakers that could be credibly accused of showing anything but support for the Israeli government. Yet all agreed the issue of domestic surveillance transcends political ideology—one of the purest examples of the “pendulum politics” that define America’s two-party system.

“What we know for sure is this,” a Republican aide says, “However the government decides to treat left-wing protesters today, that’s how we should expect protesters in our party to be treated under future administrations.”

A House Democratic staffer—half-jokingly referencing the Cold War doctrine of “mutually assured annihilation”—says that they agreed “wholeheartedly” with the sentiment. “Our fates are aligned,” they say. “That's the best defense we have.”

“Political protest is literally how America was founded. It’s in our DNA,” says Jason Pye, senior policy analyst at the nonprofit FreedomWorks. “Whether you agree with these protesters or not is irrelevant.”

US Lawmaker Cited NYC Protests in a Defense of Warrantless Spying

Red Hat Security Advisory 2024-1269-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 8.2 Telecommunications Update Service. Issues addressed include null pointer, out of bounds write, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1269.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel-rt security update  
Advisory ID:        RHSA-2024:1269-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1269  
Issue date:         2024-03-12  
Revision:           03  
CVE Names:          CVE-2022-3545  
====================================================================

Summary: 

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.2 Telecommunications Update Service.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* UAF in nftables when nft_set_lookup_global triggered after handling named and anonymous sets in batch requests (CVE-2023-3390)

* net/sched: sch_qfq component can be exploited if in qfq_change_agg function happens qfq_enqueue overhead (CVE-2023-3611)

* net/sched: sch_hfsc UAF (CVE-2023-4623)

* use-after-free in sch_qfq network scheduler (CVE-2023-4921)

* use after free in nvmet_tcp_free_crypto in NVMe (CVE-2023-5178)

* inactive elements in nft_pipapo_walk (CVE-2023-6817)

* out-of-bounds write in qfq_change_class function (CVE-2023-31436)

* nf_tables: stack-out-of-bounds-read in nft_byteorder_eval() (CVE-2023-35001)

* IGB driver inadequate buffer size for frames larger than MTU (CVE-2023-45871)

* ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (CVE-2024-0646)

* nfp: use-after-free in area_cache_get() (CVE-2022-3545)

* vmwgfx: NULL pointer dereference in vmw_cmd_dx_define_query (CVE-2022-38096)

* Gather Data Sampling (GDS) side channel vulnerability (CVE-2022-40982)

* null-ptr-deref vulnerabilities in sl_tx_timeout in drivers/net/slip (CVE-2022-41858)

* fbcon: out-of-sync arrays in fbcon_mode_deleted due to wrong con2fb_map assignment (CVE-2023-38409)

* use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c (CVE-2023-40283)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-3545

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/solutions/7027704  
https://bugzilla.redhat.com/show_bug.cgi?id=2133452  
https://bugzilla.redhat.com/show_bug.cgi?id=2144379  
https://bugzilla.redhat.com/show_bug.cgi?id=2161310  
https://bugzilla.redhat.com/show_bug.cgi?id=2192671  
https://bugzilla.redhat.com/show_bug.cgi?id=2213260  
https://bugzilla.redhat.com/show_bug.cgi?id=2220892  
https://bugzilla.redhat.com/show_bug.cgi?id=2223949  
https://bugzilla.redhat.com/show_bug.cgi?id=2225191  
https://bugzilla.redhat.com/show_bug.cgi?id=2230042  
https://bugzilla.redhat.com/show_bug.cgi?id=2231800  
https://bugzilla.redhat.com/show_bug.cgi?id=2237757  
https://bugzilla.redhat.com/show_bug.cgi?id=2241924  
https://bugzilla.redhat.com/show_bug.cgi?id=2244723  
https://bugzilla.redhat.com/show_bug.cgi?id=2245514  
https://bugzilla.redhat.com/show_bug.cgi?id=2253908  
https://bugzilla.redhat.com/show_bug.cgi?id=2255139

Red Hat Security Advisory 2024-1269-03

Red Hat Security Advisory 2024-1268-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.2 Telecommunications Update Service. Issues addressed include null pointer, out of bounds write, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1268.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security and bug fix update  
Advisory ID:        RHSA-2024:1268-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1268  
Issue date:         2024-03-12  
Revision:           03  
CVE Names:          CVE-2022-3545  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.2 Telecommunications Update Service.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval() (CVE-2023-35001,ZDI-CAN-20721)

* hw: Intel: Gather Data Sampling (GDS) side channel vulnerability (CVE-2022-40982,Downfall)

* kernel: net/sched: sch_qfq component can be exploited if in qfq_change_agg function happens qfq_enqueue overhead (CVE-2023-3611)

* kernel: fbcon: out-of-sync arrays in fbcon_mode_deleted due to wrong con2fb_map assignment (CVE-2023-38409)

* kernel: net/sched: sch_hfsc UAF (CVE-2023-4623)

* kernel: null-ptr-deref vulnerabilities in sl_tx_timeout in drivers/net/slip   (CVE-2022-41858)

* kernel: nfp: use-after-free in area_cache_get() (CVE-2022-3545)

* kernel: use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c (CVE-2023-40283)

* kernel: use after free in nvmet_tcp_free_crypto in NVMe (CVE-2023-5178)

* kernel: IGB driver inadequate buffer size for frames larger than MTU (CVE-2023-45871)

* kernel: out-of-bounds write in qfq_change_class function (CVE-2023-31436)

* kernel: inactive elements in nft_pipapo_walk (CVE-2023-6817)

* kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (CVE-2024-0646)

* kernel: UAF in nftables when nft_set_lookup_global triggered after handling named and anonymous sets in batch requests (CVE-2023-3390)

* kernel: vmwgfx: NULL pointer dereference in vmw_cmd_dx_define_query (CVE-2022-38096)

* kernel: use-after-free in sch_qfq network scheduler (CVE-2023-4921)

Bug Fix(es):

* kernel: fbcon: out-of-sync arrays in fbcon_mode_deleted due to wrong con2fb_map assignment (JIRA:RHEL-1203)

* How to reduce or prevent thousands of kworker/events_freezable_power_efficient threads being created every time multipath -ll is run (JIRA:RHEL-15054)

* kernel: net/sched: sch_hfsc UAF (JIRA:RHEL-16461)

* [SanityOnly][kernel]BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:35 at: sock_map_update_elem_sys+0x85/0x2a0 (JIRA:RHEL-6126)

* kernel: hw: Intel: Gather Data Sampling (GDS) side channel vulnerability (JIRA:RHEL-9246)

* ipoib mcast lockup fix (JIRA:RHEL-19695)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-3545

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2133452  
https://bugzilla.redhat.com/show_bug.cgi?id=2144379  
https://bugzilla.redhat.com/show_bug.cgi?id=2161310  
https://bugzilla.redhat.com/show_bug.cgi?id=2192671  
https://bugzilla.redhat.com/show_bug.cgi?id=2213260  
https://bugzilla.redhat.com/show_bug.cgi?id=2220892  
https://bugzilla.redhat.com/show_bug.cgi?id=2223949  
https://bugzilla.redhat.com/show_bug.cgi?id=2225191  
https://bugzilla.redhat.com/show_bug.cgi?id=2230042  
https://bugzilla.redhat.com/show_bug.cgi?id=2231800  
https://bugzilla.redhat.com/show_bug.cgi?id=2237757  
https://bugzilla.redhat.com/show_bug.cgi?id=2241924  
https://bugzilla.redhat.com/show_bug.cgi?id=2244723  
https://bugzilla.redhat.com/show_bug.cgi?id=2245514  
https://bugzilla.redhat.com/show_bug.cgi?id=2253908  
https://bugzilla.redhat.com/show_bug.cgi?id=2255139

Red Hat Security Advisory 2024-1268-03

Red Hat Security Advisory 2024-1253-03 - An update for kpatch-patch-5_14_0-70_64_1, kpatch-patch-5_14_0-70_70_1, kpatch-patch-5_14_0-70_75_1, kpatch-patch-5_14_0-70_80_1, and kpatch-patch-5_14_0-70_85_1 is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include privilege escalation and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1253.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel live patch module security update  
Advisory ID:        RHSA-2024:1253-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1253  
Issue date:         2024-03-12  
Revision:           03  
CVE Names:          CVE-2023-2163  
====================================================================

Summary: 

An update for kpatch-patch-5_14_0-70_64_1, kpatch-patch-5_14_0-70_70_1, kpatch-patch-5_14_0-70_75_1, kpatch-patch-5_14_0-70_80_1, and kpatch-patch-5_14_0-70_85_1 is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: bpf: Incorrect verifier pruning leads to unsafe code paths being incorrectly marked as safe (CVE-2023-2163)

* kernel: UAF in nftables when nft_set_lookup_global triggered after handling named and anonymous sets in batch requests (CVE-2023-3390)

* kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails (CVE-2023-3609)

* kernel: use after free in unix_stream_sendpage (CVE-2023-4622)

* kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (CVE-2024-0646)

* kernel: GSM multiplexing race condition leads to privilege escalation (CVE-2023-6546)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-2163

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2213260  
https://bugzilla.redhat.com/show_bug.cgi?id=2225201  
https://bugzilla.redhat.com/show_bug.cgi?id=2237760  
https://bugzilla.redhat.com/show_bug.cgi?id=2240249  
https://bugzilla.redhat.com/show_bug.cgi?id=2253908  
https://bugzilla.redhat.com/show_bug.cgi?id=2255498

Red Hat Security Advisory 2024-1253-03

Red Hat Security Advisory 2024-1251-03 - An update for kpatch-patch-5_14_0-362_13_1, kpatch-patch-5_14_0-362_18_1, and kpatch-patch-5_14_0-362_8_1 is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1251.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kpatch-patch security updateAdvisory ID:        RHSA-2024:1251-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1251Issue date:         2024-03-12Revision:           03CVE Names:          CVE-2024-0646====================================================================Summary: An update for kpatch-patch-5_14_0-362_13_1, kpatch-patch-5_14_0-362_18_1, and kpatch-patch-5_14_0-362_8_1 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.Security Fix(es):* kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (CVE-2024-0646)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0646References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2253908

Red Hat Security Advisory 2024-1251-03

Red Hat Security Advisory 2024-1250-03 - An update for kernel is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include memory exhaustion, null pointer, out of bounds access, out of bounds write, privilege escalation, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1250.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security and bug fix update  
Advisory ID:        RHSA-2024:1250-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1250  
Issue date:         2024-03-12  
Revision:           03  
CVE Names:          CVE-2022-0480  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

'Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Security Fix(es):

* kernel: use-after-free in smb2_is_status_io_timeout() (CVE-2023-1192)

* kernel: nfp: use-after-free in area_cache_get() (CVE-2022-3545)

* kernel: NULL pointer dereference in can_rcv_filter (CVE-2023-2166)

* kernel: Slab-out-of-bound read in compare_netdev_and_ip (CVE-2023-2176)

* kernel: UAF in nftables when nft_set_lookup_global triggered after handling named and anonymous sets in batch requests (CVE-2023-3390)

* kernel: out-of-bounds access in relay_file_read (CVE-2023-3268)

* kernel: vmxnet3: NULL pointer dereference in vmxnet3_rq_cleanup() (CVE-2023-4459)

* hw: Intel: Gather Data Sampling (GDS) side channel vulnerability (CVE-2022-40982,Downfall)

* kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails (CVE-2023-3609)

* kernel: fbcon: out-of-sync arrays in fbcon_mode_deleted due to wrong con2fb_map assignment (CVE-2023-38409)

* kernel: Race Condition leading to UAF in Unix Socket could happen in sk_receive_queue ()

* kernel: use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c (CVE-2023-40283)

* kernel: use after free in unix_stream_sendpage (CVE-2023-4622)

* kernel: bpf: Incorrect verifier pruning leads to unsafe code paths being incorrectly marked as safe (CVE-2023-2163)

* kernel: A heap out-of-bounds write when function perf_read_group is called and sibling_list is smaller than its child's sibling_list (CVE-2023-5717)

* kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (CVE-2024-0646)

* kernel: use-after-free in IPv4 IGMP (CVE-2023-6932)

* kernel: refcount leak in ctnetlink_create_conntrack() (CVE-2023-7192)

Bug Fix(es):

* kernel: fbcon: out-of-sync arrays in fbcon_mode_deleted due to wrong con2fb_map assignment (JIRA:RHEL-1104)

* [SanityOnly][kernel]BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:35 at: sock_map_update_elem_sys+0x85/0x2a0 (JIRA:RHEL-17572)

* kernel: vmxnet3: NULL pointer dereference in vmxnet3_rq_cleanup() (JIRA:RHEL-18084)

* kernel: NULL pointer dereference in can_rcv_filter (JIRA:RHEL-19463)

* kernel: hw: Intel: Gather Data Sampling (GDS) side channel vulnerability (JIRA:RHEL-8592)

* kernel: A heap out-of-bounds write (JIRA:RHEL-18008)

* kernel: Slab-out-of-bound read in compare_netdev_and_ip (JIRA:RHEL-19356)

* kernel: A flaw leading to a use-after-free in area_cache_get() (JIRA:RHEL-19454)

* kernel: bpf: Incorrect verifier pruning leads to unsafe code paths being incorrectly marked as safe (JIRA:RHEL-8978)

* kernel: use-after-free in smb2_is_status_io_timeout() (JIRA:RHEL-15167)

* kernel: various flaws (JIRA:RHEL-16148)

* kernel: use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c (JIRA:RHEL-19001)

* kernel: refcount leak in ctnetlink_create_conntrack() (JIRA:RHEL-20307)

* RHEL9.0 - s390/qeth: recovery and set offline lose routes and IPv6 addr (JIRA:RHEL-17885)

* kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (JIRA:RHEL-22092)

* dm multipath device suspend deadlocks waiting on a flush request (JIRA:RHEL-19103)

* 5.14.0-70.87.1.el9_0: aarch64 BUG: arch topology borken / the CLS domain not a subset of the MC domain (JIRA:RHEL-22501)

* RHEL-9.0 TEST-17-Setup-struct-perf-event-attr / bz1308907 test failure on Ice Lake (JIRA:RHEL-23085)

* Unbounded memory usage by TCP for receive buffers (JIRA:RHEL-16127)

* kernel: use-after-free in IPv4 IGMP (JIRA:RHEL-21648)

* rbd: don't move requests to the running list on errors (JIRA:RHEL-23861)

* kernel: memcg does not limit the number of POSIX file locks allowing memory exhaustion (CVE-2022-0480)

* kernel: GSM multiplexing race condition leads to privilege escalation (CVE-2023-6546)

* kernel: vmxgfx: NULL pointer dereference in vmw_cmd_dx_define_query (CVE-2022-38096)

* kernel: sched/membarrier: reduce the ability to hammer on sys_membarrier (CVE-2024-26602)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-0480

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2049700  
https://bugzilla.redhat.com/show_bug.cgi?id=2133452  
https://bugzilla.redhat.com/show_bug.cgi?id=2154178  
https://bugzilla.redhat.com/show_bug.cgi?id=2161310  
https://bugzilla.redhat.com/show_bug.cgi?id=2187813  
https://bugzilla.redhat.com/show_bug.cgi?id=2187931  
https://bugzilla.redhat.com/show_bug.cgi?id=2213260  
https://bugzilla.redhat.com/show_bug.cgi?id=2215502  
https://bugzilla.redhat.com/show_bug.cgi?id=2219268  
https://bugzilla.redhat.com/show_bug.cgi?id=2223949  
https://bugzilla.redhat.com/show_bug.cgi?id=2225201  
https://bugzilla.redhat.com/show_bug.cgi?id=2230042  
https://bugzilla.redhat.com/show_bug.cgi?id=2230094  
https://bugzilla.redhat.com/show_bug.cgi?id=2231800  
https://bugzilla.redhat.com/show_bug.cgi?id=2237760  
https://bugzilla.redhat.com/show_bug.cgi?id=2240249  
https://bugzilla.redhat.com/show_bug.cgi?id=2246945  
https://bugzilla.redhat.com/show_bug.cgi?id=2253908  
https://bugzilla.redhat.com/show_bug.cgi?id=2255283  
https://bugzilla.redhat.com/show_bug.cgi?id=2255498  
https://bugzilla.redhat.com/show_bug.cgi?id=2256279  
https://bugzilla.redhat.com/show_bug.cgi?id=2267695

Red Hat Security Advisory 2024-1250-03

Red Hat Security Advisory 2024-1248-03 - An update for kernel is now available for Red Hat Enterprise Linux 9. Issues addressed include null pointer, out of bounds access, out of bounds read, out of bounds write, privilege escalation, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1248.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security update  
Advisory ID:        RHSA-2024:1248-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1248  
Issue date:         2024-03-12  
Revision:           03  
CVE Names:          CVE-2023-4244  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: inactive elements in nft_pipapo_walk (CVE-2023-6817)

* kernel: netfilter: use-after-free in nft_trans_gc_catchall_sync leads to privilege escalation (CVE-2024-0193)

* kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (CVE-2024-0646)

* kernel: Use-after-free in nft_verdict_dump due to a race between set GC and transaction (CVE-2023-4244)

* kernel: A heap out-of-bounds write when function perf_read_group is called and sibling_list is smaller than its child's sibling_list (CVE-2023-5717)

* kernel: NULL pointer dereference in nvmet_tcp_build_iovec (CVE-2023-6356)

* kernel: NULL pointer dereference in nvmet_tcp_execute_request (CVE-2023-6535)

* kernel: NULL pointer dereference in __nvmet_req_complete (CVE-2023-6536)

* kernel: Out-Of-Bounds Read vulnerability in smbCalcSize (CVE-2023-6606)

* kernel: OOB Access in smb2_dump_detail (CVE-2023-6610)

* kernel: use-after-free in amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c (CVE-2023-51042)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-4244

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2235306  
https://bugzilla.redhat.com/show_bug.cgi?id=2246945  
https://bugzilla.redhat.com/show_bug.cgi?id=2253611  
https://bugzilla.redhat.com/show_bug.cgi?id=2253614  
https://bugzilla.redhat.com/show_bug.cgi?id=2253908  
https://bugzilla.redhat.com/show_bug.cgi?id=2254052  
https://bugzilla.redhat.com/show_bug.cgi?id=2254053  
https://bugzilla.redhat.com/show_bug.cgi?id=2254054  
https://bugzilla.redhat.com/show_bug.cgi?id=2255139  
https://bugzilla.redhat.com/show_bug.cgi?id=2255653  
https://bugzilla.redhat.com/show_bug.cgi?id=2259866

Red Hat Security Advisory 2024-1248-03

Red Hat Security Advisory 2024-1239-03 - An update for opencryptoki is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1239.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: opencryptoki security updateAdvisory ID:        RHSA-2024:1239-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1239Issue date:         2024-03-08Revision:           03CVE Names:          CVE-2024-0914====================================================================Summary: An update for opencryptoki is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The opencryptoki packages contain version 2.11 of the PKCS#11 API, implemented for IBM Cryptocards, such as IBM 4764 and 4765 crypto cards. These packages includes support for the IBM 4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist for Cryptographic Function (FC 3863 on IBM System z). The opencryptoki packages also bring a software token implementation that can be used without any cryptographic hardware. These packages contain the Slot Daemon (pkcsslotd) and general utilities.Security Fix(es):* opencryptoki: timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin) (CVE-2024-0914)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0914References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2260407

Red Hat Security Advisory 2024-1239-03

By Deeba Ahmed
Cisco announced patches for high-severity vulnerabilities on Wednesday, March 6, 2024.
This is a post from HackRead.com Read the original post: Cisco Fixes High-Severity Code Execution and VPN Hijacking Flaws

Critical security vulnerabilities patched in the Cisco Secure Client VPN application. Update now to protect your VPN connections from credential theft, unauthorized access, and potential code execution. This advisory also details unpatched flaws in Cisco Small Business wireless access points.

Network equipment giant Cisco has addressed critical security flaws impacting its Secure Client enterprise VPN application and endpoint security solutions. For your information, Secure Client is widely used to establish secure Virtual Private Network (VPN) connections. On Wednesday, Cisco announced patches for high-severity vulnerabilities CVE-2024-20337 (CVSS score: 8.2) and CVE-2024-20338 (CVSS score: 7.3).

CVE-2024-20337 is a Carriage Return Line Feed (CRLF) injection vulnerability allowing attackers to execute script code or access sensitive information in a browser if configured with the SAML External Browser feature.

The flaw affects Linux, macOS, and Windows versions of Secure Client, and can be exploited in CRLF injection attacks. CRLF injections are vulnerabilities where attackers inject CR and LF characters into web applications, adding extra headers or causing browsers to ignore original content.

Unauthenticated remote attackers can execute arbitrary scripts or steal sensitive information like users’ valid SAML authentication tokens to establish a remote access VPN session with the affected user’s privileges. However, individual hosts and services would require additional credentials for successful access, Cisco noted in its advisory.

Amazon security researcher Paulos Yibelo Mesfin discovered this flaw and it has been fixed in versions 4.10.04065, 4.10.08025, 5.0, and 5.1.2.42.

> A vulnerability I found in Cisco AnyConnect just got patched. CVE-2024-20337 is a powerful vulnerability. It grants external attackers access to internal networks when network users visit a website under attacker control. Stay vigilant! 🌊🔥⛓️https://t.co/Jy3qz4HJnU
> 
> — Paulos Yibelo (@PaulosYibelo) March 6, 2024

CVE-2024-20338 only affects Cisco Secure Client for Linux and its successful exploitation requires authentication. It can only be exploited by an authenticated, local attacker. The vulnerability allows the attacker to execute arbitrary code on an affected device with root privileges. They can copy a malicious library file to a specific directory and persuade an administrator to restart a specific process. 

Cisco advises enterprise admins to upgrade to one of the fixed versions, as version 5.1.2.42 of the VPN application resolves the bug.

Cisco has announced patches for several medium-severity flaws in AppDynamics Controller and Duo Authentication for Windows Logon and RDP, potentially leading to data leaks and secondary authentication bypass. The tech giant also warned about two flaws in Cisco Small Business 100, 300, and 500 Series wireless access points (APs), tracked as CVE-2024-20335, and CVE-2024-20336.

These flaws allow remote attackers to execute arbitrary code as the root user. However, Cisco won’t patch them because their Wireless APs have reached the end-of-life process. Similarly, the medium-severity flaws will remain unpatched for the same reason. Moreover, Cisco notes that it is not aware of any of these vulnerabilities being exploited in the wild.

Cisco has emphasized the need for cybersecurity vigilance and adopting security best practices. These include regularly updating software, using strong passwords and multi-factor authentication, being cautious with suspicious links, and preferring trustworthy Wi-Fi networks for sensitive VPN connections.

1.  New Cisco Web UI Vulnerability Exploited by Attackers
2.  Cisco Confirms Network Breach After Employee’s Gmail was Hacked
3.  Unpatched Cisco SD-WAN Manager Systems Exposed to DoS Attacks
4.  New Akira Ransomware Targets Businesses via Exploited CISCO VPNs
5.  Cisco Web UI Vulnerability Exploited Massly, Impacting Over 40K Devices

Tag

#ssl