VARIoT IoT vulnerabilities database

The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series vehicles produced in 2012 through 2018 allows local attacks involving the USB or OBD-II interface. An attacker can bypass the code-signing protection mechanism for firmware updates, and consequently obtain a root shell. plural BMW In the series Head Unit HU_NBT ( alias Infotainment) The component contains a vulnerability related to failure of the protection mechanism.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. HeadUnitHU_NBT (Infotainment) component is a system of infotainment systems. There are security holes in the HeadUnitHU_NBT component on several BMW cars (cars produced in 2012-2018). BMW Infotainment System Telematics/Control Unit/Central Gateway Module are prone to the following multiple security vulnerabilities: 1. A local code-execution vulnerability 2. A security-bypass vulnerability 3. A denial-of-service vulnerability 4. Multiple remote code-execution vulnerabilities An attacker can leverage these issues to execute arbitrary code with root privileges, bypass certain security restrictions, perform unauthorized actions, or gain sensitive information within the context of the affected system. Failed exploit attempts will likely result in denial of service conditions

The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series vehicles produced in 2012 through 2018 allows a remote attack via Bluetooth when in pairing mode, leading to a Head Unit reboot. plural BMW In the series Head Unit HU_NBT ( alias Infotainment) The component contains a vulnerability related to failure of the protection mechanism.Service operation interruption (DoS) There is a possibility of being put into a state. HeadUnitHU_NBT (Infotainment) component is a system of infotainment systems. There are security holes in the HeadUnitHU_NBT component on several BMW cars (cars produced in 2012-2018). A remote attacker can use this vulnerability to cause HeadUnit to restart with Bluetooth. BMW Infotainment System Telematics/Control Unit/Central Gateway Module are prone to the following multiple security vulnerabilities: 1. A local code-execution vulnerability 2. A security-bypass vulnerability 3. A denial-of-service vulnerability 4. Multiple remote code-execution vulnerabilities An attacker can leverage these issues to execute arbitrary code with root privileges, bypass certain security restrictions, perform unauthorized actions, or gain sensitive information within the context of the affected system. Failed exploit attempts will likely result in denial of service conditions

The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series vehicles produced in 2012 through 2018 allows a local attack when a USB device is plugged in. plural BMW In the series Head Unit HU_NBT ( alias Infotainment) The component contains a vulnerability related to failure of the protection mechanism.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. HeadUnitHU_NBT (Infotainment) component is a system of infotainment systems. There are security holes in the HeadUnitHU_NBT component on several BMW cars (cars produced in 2012-2018). There are currently no detailed vulnerability descriptions. BMW Infotainment System Telematics/Control Unit/Central Gateway Module are prone to the following multiple security vulnerabilities: 1. A local code-execution vulnerability 2. A security-bypass vulnerability 3. A denial-of-service vulnerability 4. Multiple remote code-execution vulnerabilities An attacker can leverage these issues to execute arbitrary code with root privileges, bypass certain security restrictions, perform unauthorized actions, or gain sensitive information within the context of the affected system. Failed exploit attempts will likely result in denial of service conditions

Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis, aka Rogue System Register Read (RSRE), Variant 3a. Has speculative execution function CPU Is vulnerable to a cache-side channel attack. "Variant 4" Or "SpectreNG" It is called. Has speculative execution function CPU The following vulnerabilities have been reported that perform cache timing side-channel attacks against. * CVE-2018-3639 (Variant 4 "SpectreNG") : Speculative Store Bypass (SSB) * CVE-2018-3640 (Variant 3a) : Rogue System Register Read (RSRE) For more information, Project Zero <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1528">bug report</a> , Intel security advisory <a href="https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html">INTEL-SA-00115</a> and ARM <a href="https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability">whitepaper</a> Please refer to. This vulnerability has been announced in the past <a href="https://www.kb.cert.org/vuls/id/584653"> Vulnerability </a> CVE-2017-5753 (Variant 1 "Spectre") , CVE-2017-5715 (Variant 2 "Spectre") , CVE-2017-5754 (Variant 3 "Meltdown") To be similar to "SpectreNG" It is reported with the name.By using a cache timing side channel attack, a third party who can access as a local user may be able to read arbitrary privilege data or system register values. CPUhardware is firmware that runs in the central processor for managing and controlling the CPU. A number of CPUHardwares have information disclosure vulnerabilities. The vulnerability is caused by a race condition in the CPU cache processing. Local attackers can exploit vulnerabilities to obtain sensitive information through side channel analysis. Multiple CPU Hardwares are prone to an information-disclosure vulnerability. AMD, ARM, and Intel CPUs are all CPU (central processing unit) products from different manufacturers. For the stable distribution (stretch), these problems have been fixed in version 3.20180703.2~deb9u1. We recommend that you upgrade your intel-microcode packages. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2018-10-30-2 macOS Mojave 10.14.1, Security Update 2018-001 High Sierra, Security Update 2018-005 Sierra macOS Mojave 10.14.1, Security Update 2018-001 High Sierra, and Security Update 2018-005 Sierra are now available and address the following: afpserver Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: A remote attacker may be able to attack AFP servers through HTTP clients Description: An input validation issue was addressed with improved input validation. CVE-2018-4295: Jianjun Chen (@whucjj) from Tsinghua University and UC Berkeley AppleGraphicsControl Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2018-4410: an anonymous researcher working with Trend Micro's Zero Day Initiative AppleGraphicsControl Available for: macOS High Sierra 10.13.6 Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2018-4417: Lee of the Information Security Lab Yonsei University working with Trend Micro's Zero Day Initiative APR Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: Multiple buffer overflow issues existed in Perl Description: Multiple issues in Perl were addressed with improved memory handling. CVE-2017-12613: Craig Young of Tripwire VERT CVE-2017-12618: Craig Young of Tripwire VERT ATS Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: A malicious application may be able to elevate privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2018-4411: lilang wu moony Li of Trend Micro working with Trend Micro's Zero Day Initiative ATS Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: An application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2018-4308: Mohamed Ghannam (@_simo36) CFNetwork Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4126: Bruno Keith (@bkth_) working with Trend Micro's Zero Day Initiative CoreAnimation Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4415: Liang Zhuo working with Beyond Security's SecuriTeam Secure Disclosure CoreCrypto Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: An attacker may be able to exploit a weakness in the Miller-Rabin primality test to incorrectly identify prime numbers Description: An issue existed in the method for determining prime numbers. This issue was addressed by using pseudorandom bases for testing of primes. CVE-2018-4398: Martin Albrecht, Jake Massimo and Kenny Paterson of Royal Holloway, University of London, and Juraj Somorovsky of Ruhr University, Bochum CoreFoundation Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: A malicious application may be able to elevate privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2018-4412: The UK's National Cyber Security Centre (NCSC) CUPS Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: In certain configurations, a remote attacker may be able to replace the message content from the print server with arbitrary content Description: An injection issue was addressed with improved validation. CVE-2018-4153: Michael Hanselmann of hansmi.ch CUPS Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: An attacker in a privileged position may be able to perform a denial of service attack Description: A denial of service issue was addressed with improved validation. CVE-2018-4406: Michael Hanselmann of hansmi.ch Dictionary Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: Parsing a maliciously crafted dictionary file may lead to disclosure of user information Description: A validation issue existed which allowed local file access. This was addressed with input sanitization. CVE-2018-4346: Wojciech ReguAa (@_r3ggi) of SecuRing Dock Available for: macOS Mojave 10.14 Impact: A malicious application may be able to access restricted files Description: This issue was addressed by removing additional entitlements. CVE-2018-4403: Patrick Wardle of Digita Security dyld Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: A malicious application may be able to elevate privileges Description: A logic issue was addressed with improved validation. This ensures that older data read from recently-written-to addresses cannot be read via a speculative side-channel. CVE-2018-3639: Jann Horn (@tehjh) of Google Project Zero (GPZ), Ken Johnson of the Microsoft Security Response Center (MSRC) EFI Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: A local user may be able to modify protected parts of the file system Description: A configuration issue was addressed with additional restrictions. CVE-2018-4342: Timothy Perfitt of Twocanoes Software Foundation Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: Processing a maliciously crafted text file may lead to a denial of service Description: A denial of service issue was addressed with improved validation. CVE-2018-4304: jianan.huang (@Sevck) Grand Central Dispatch Available for: macOS High Sierra 10.13.6 Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4426: Brandon Azad Heimdal Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-3646: Baris Kasikci, Daniel Genkin, Ofir Weisse, and Thomas F. Wenisch of University of Michigan, Mark Silberstein and Marina Minkin of Technion, Raoul Strackx, Jo Van Bulck, and Frank Piessens of KU Leuven, Rodrigo Branco, Henrique Kawakami, Ke Sun, and Kekai Hu of Intel Corporation, Yuval Yarom of The University of Adelaide Hypervisor Available for: macOS Sierra 10.12.6 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption vulnerability was addressed with improved locking. CVE-2018-4242: Zhuo Liang of Qihoo 360 Nirvan Team ICU Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: Processing a maliciously crafted string may lead to heap corruption Description: A memory corruption issue was addressed with improved input validation. CVE-2018-4394: an anonymous researcher Intel Graphics Driver Available for: macOS Sierra 10.12.6 Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4334: Ian Beer of Google Project Zero Intel Graphics Driver Available for: macOS High Sierra 10.13.6 Impact: An application may be able to read restricted memory Description: A validation issue was addressed with improved input sanitization. CVE-2018-4396: Yu Wang of Didi Research America CVE-2018-4418: Yu Wang of Didi Research America Intel Graphics Driver Available for: macOS High Sierra 10.13.6 Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2018-4350: Yu Wang of Didi Research America IOGraphics Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4422: an anonymous researcher working with Trend Micro's Zero Day Initiative IOHIDFamily Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved input validation CVE-2018-4408: Ian Beer of Google Project Zero IOKit Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4402: Proteas of Qihoo 360 Nirvan Team IOKit Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: A malicious application may be able to break out of its sandbox Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4341: Ian Beer of Google Project Zero CVE-2018-4354: Ian Beer of Google Project Zero IOUserEthernet Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4401: Apple IPSec Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: An application may be able to gain elevated privileges Description: An out-of-bounds read was addressed with improved input validation. CVE-2018-4371: Tim Michaud (@TimGMichaud) of Leviathan Security Group Kernel Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed by removing the vulnerable code. CVE-2018-4420: Mohamed Ghannam (@_simo36) Kernel Available for: macOS High Sierra 10.13.6 Impact: A malicious application may be able to leak sensitive user information Description: An access issue existed with privileged API calls. This issue was addressed with additional restrictions. CVE-2018-4399: Fabiano Anemone (@anoane) Kernel Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4340: Mohamed Ghannam (@_simo36) CVE-2018-4419: Mohamed Ghannam (@_simo36) CVE-2018-4425: cc working with Trend Micro's Zero Day Initiative, Juwei Lin (@panicaII) of Trend Micro working with Trend Micro's Zero Day Initiative Kernel Available for: macOS Sierra 10.12.6 Impact: Mounting a maliciously crafted NFS network share may lead to arbitrary code execution with system privileges Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4259: Kevin Backhouse of Semmle and LGTM.com CVE-2018-4286: Kevin Backhouse of Semmle and LGTM.com CVE-2018-4287: Kevin Backhouse of Semmle and LGTM.com CVE-2018-4288: Kevin Backhouse of Semmle and LGTM.com CVE-2018-4291: Kevin Backhouse of Semmle and LGTM.com Kernel Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: An application may be able to read restricted memory Description: A memory initialization issue was addressed with improved memory handling. CVE-2018-4413: Juwei Lin (@panicaII) of TrendMicro Mobile Security Team Kernel Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: An attacker in a privileged network position may be able to execute arbitrary code Description: A memory corruption issue was addressed with improved validation. CVE-2018-4407: Kevin Backhouse of Semmle Ltd. Kernel Available for: macOS Mojave 10.14 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A buffer overflow was addressed with improved size validation. CVE-2018-4424: Dr. Silvio Cesare of InfoSect Login Window Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: A local user may be able to cause a denial of service Description: A validation issue was addressed with improved logic. CVE-2018-4348: Ken Gannon of MWR InfoSecurity and Christian Demko of MWR InfoSecurity Mail Available for: macOS Mojave 10.14 Impact: Processing a maliciously crafted mail message may lead to UI spoofing Description: An inconsistent user interface issue was addressed with improved state management. CVE-2018-4389: Dropbox Offensive Security Team, Theodor Ragnar Gislason of Syndis mDNSOffloadUserClient Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4326: an anonymous researcher working with Trend Micro's Zero Day Initiative, Zhuo Liang of Qihoo 360 Nirvan Team MediaRemote Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: An access issue was addressed with additional sandbox restrictions. This ensures that implementation specific system registers cannot be leaked via a speculative execution side-channel. CVE-2018-3640: Innokentiy Sennovskiy from BiZone LLC (bi.zone), Zdenek Sojka, Rudolf Marek and Alex Zuepke from SYSGO AG (sysgo.com) NetworkExtension Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: Connecting to a VPN server may leak DNS queries to a DNS proxy Description: A logic issue was addressed with improved state management. CVE-2018-4369: an anonymous researcher Perl Available for: macOS Sierra 10.12.6 Impact: Multiple buffer overflow issues existed in Perl Description: Multiple issues in Perl were addressed with improved memory handling. CVE-2018-6797: Brian Carpenter Ruby Available for: macOS Sierra 10.12.6 Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution Description: Multiple issues in Ruby were addressed in this update. CVE-2017-898 CVE-2017-10784 CVE-2017-14033 CVE-2017-14064 CVE-2017-17405 CVE-2017-17742 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 Security Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: Processing a maliciously crafted S/MIME signed message may lead to a denial of service Description: A validation issue was addressed with improved logic. CVE-2018-4400: Yukinobu Nagayasu of LAC Co., Ltd. Security Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: A local user may be able to cause a denial of service Description: This issue was addressed with improved checks. CVE-2018-4395: Patrick Wardle of Digita Security Spotlight Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: An application may be able to execute arbitrary code with system privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4393: Lufeng Li Symptom Framework Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6 Impact: An application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2018-4203: Bruno Keith (@bkth_) working with Trend Micro's Zero Day Initiative WiFi Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: An attacker in a privileged position may be able to perform a denial of service attack Description: A denial of service issue was addressed with improved validation. CVE-2018-4368: Milan Stute and Alex Mariotto of Secure Mobile Networking Lab at Technische UniversitA$?t Darmstadt Additional recognition Calendar We would like to acknowledge an anonymous researcher for their assistance. iBooks We would like to acknowledge Sem VoigtlA$?nder of Fontys Hogeschool ICT for their assistance. Kernel We would like to acknowledge Brandon Azad for their assistance. LaunchServices We would like to acknowledge Alok Menghrajani of Square for their assistance. Quick Look We would like to acknowledge lokihardt of Google Project Zero for their assistance. Security We would like to acknowledge Marinos Bernitsas of Parachute for their assistance. Terminal We would like to acknowledge an anonymous researcher for their assistance. Installation note: macOS Mojave 10.14.1, Security Update 2018-001 High Sierra, and Security Update 2018-005 Sierra may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlvYkgYpHHByb2R1Y3Qt c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3EcGQ// QbUbTOZRgxcStGZjs+qdXjeaXI6i1MKaky7o/iYCXf87crFu79PCsXyPU1jeMvoS tgDxz7ornlyaxR4wcSYzfcuIeY2ZH+dkxc7JJHQbKTW1dWYHpXUUzzNm+Ay/Gtk+ 2EIAgJ9oUf8FARR5cmcKBZfLFVdc40vpM3bBCV4m2Kr5KiDsqZKdZTujBQRccAsO HKRbhDecw0WX/CfEbLprs86uIXFMIoifhmh8LMebjzIQn2ozoFG6R31vMMHeDpir zf0xlVCJrJy/XywmkodhBWWrUWcM0hfsJ8EmyIBwFEYUxFhOV3D+x3rStd2kjyNL LG9oWclxDkjImQXdrL8IRAQfZvcVQFZK2vSGCYfRN0LY105sxjPjeIsJ0RORzcSN 2mlDR1UuTosk0GleDbmhv/ornfOc537UebwuHVWU5LpPNFkvY1Cv8zPrQAHewuod TmktkNuv2x2fgw9g7ntE88UBF9JMC+Ofs/FgJ67RkoT4R39P7VvaztHlmxmr/rIw TrSs7TDVqciz+DOMRKxyNPI1cpXM5ITCTvgbY4+RWwaFJzfgY+Gc+sldvVcb1x9I LlsI19MA0bsvi+ReOcLbWYuEHaVhVqZ7LndxR9m2gJ39L9jff+dOsSlznF4OLs+S t7Rz6i2mOpe6vXobkTUmml3m3zYIhL3XcdcYpw3U0F8= =uhgi -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2018-0012.1 Severity: Moderate Synopsis: VMware vSphere, Workstation and Fusion updates enable Hypervisor-Assisted Guest Mitigations for Speculative Store Bypass issue Issue date: 2018-05-21 Updated on: 2018-06-28 CVE number: CVE-2018-3639 1. Summary VMware vSphere, Workstation and Fusion updates enable Hypervisor- Assisted Guest Mitigations for Speculative Store Bypass issue. The mitigations in this advisory are categorized as Hypervisor- Assisted Guest Mitigations described by VMware Knowledge Base article 54951. KB54951 also covers CVE-2018-3640 mitigations which do not require VMware product updates. 2. Relevant Products VMware vCenter Server (VC) VMware vSphere ESXi (ESXi) VMware Workstation Pro / Player (Workstation) VMware Fusion Pro / Fusion (Fusion) 3. Problem Description vCenter Server, ESXi, Workstation, and Fusion update speculative execution control mechanism for Virtual Machines (VMs). As a result, a patched Guest Operating System (GOS) can remediate the Speculative Store bypass issue (CVE-2018-3639) using the Speculative-Store- Bypass-Disable (SSBD) control bit. This issue may allow for information disclosure in applications and/or execution runtimes which rely on managed code security mechanisms. Based on current evaluations, we do not believe that CVE-2018-3639 could allow for VM to VM or Hypervisor to VM Information disclosure. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-3639 to this issue. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Mitigation/ Product Version on Severity Apply Patch Workaround =========== ======= ======= ======== ==================== ========== VC 6.7 Any Moderate 6.7.0b * None VC 6.5 Any Moderate 6.5 U2b * None VC 6.0 Any Moderate 6.0 U3f * None VC 5.5 Any Moderate 5.5 U3i * None ESXi 6.7 Any Moderate ESXi670-201806401-BG * None ESXi670-201806402-BG ** ESXi 6.5 Any Moderate ESXi650-201806401-BG * None ESXi650-201806402-BG ** ESXi 6.0 Any Moderate ESXi600-201806401-BG * None ESXi600-201806402-BG ** ESXi 5.5 Any Moderate ESXi550-201806401-BG * None ESXi550-201806402-BG ** Workstation 14.x Any Moderate 14.1.2 * None Fusion 10.x OSX Moderate 10.1.2 * None * There are additional VMware and 3rd party requirements for CVE-2018-3639 mitigation beyond applying these updates. Please see VMware Knowledge Base article 55111 for details. ** If available, these ESXi patches apply the required microcode updates. The included microcode updates are documented in the VMware Knowledge Base articles listed in the Solution section. 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter Server 6.7.0b Downloads: https://my.vmware.com/web/vmware/details?downloadGroup=VC670B&productId=742 &rPId=24511 Documentation: https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-670 b-release-notes.html vCenter Server 6.5 U2b Downloads: https://my.vmware.com/web/vmware/details?downloadGroup=VC65U2B&productId=61 4&rPId=24437 Documentation: https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u 2b-release-notes.html vCenter Server 6.0 U3f Downloads: https://my.vmware.com/web/vmware/details?downloadGroup=VC60U3F&productId=49 1&rPId=24398 Documentation: https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u 3f-release-notes.html vCenter Server 5.5 U3i Downloads: https://my.vmware.com/web/vmware/details?downloadGroup=VC55U3I&productId=35 3&rPId=24327 Documentation: https://docs.vmware.com/en/VMware-vSphere/5.5/rn/vsphere-vcenter-server-55u 3i-release-notes.html VMware ESXi 6.7 Downloads: https://my.vmware.com/group/vmware/patch Documentation: https://kb.vmware.com/kb/55920 https://kb.vmware.com/kb/55921 (microcode) VMware ESXi 6.5 Downloads: https://my.vmware.com/group/vmware/patch Documentation: https://kb.vmware.com/kb/55915 https://kb.vmware.com/kb/55916 (microcode) VMware ESXi 6.0 Downloads: https://my.vmware.com/group/vmware/patch Documentation: https://kb.vmware.com/kb/55910 https://kb.vmware.com/kb/55911 (microcode) VMware ESXi 5.5 Downloads: https://my.vmware.com/group/vmware/patch Documentation: https://kb.vmware.com/kb/55905 https://kb.vmware.com/kb/55906 (microcode) VMware Workstation Pro, Player 14.1.2 Downloads and Documentation: https://www.vmware.com/go/downloadworkstation https://www.vmware.com/go/downloadplayer VMware Fusion Pro / Fusion 10.1.2 Downloads and Documentation: https://www.vmware.com/go/downloadfusion 5. References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639 https://kb.vmware.com/kb/54951 https://kb.vmware.com/kb/55111 - ------------------------------------------------------------------------ 6. Change log 2018-05-21: VMSA-2018-0012 Initial security advisory in conjunction with the release of Workstation 14.1.2 and Fusion 10.1.2 on 2018-05-21. 2018-06-28: VMSA-2018-0012.1 Updated security advisory in conjunction with the release of vCenter Server 5.5 U3i, 6.0 U3f, 6.5 U2b, 6.7.0b and ESXi 5.5 - 6.7 patches on 2018-06-28. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html VMware Security & Compliance Blog https://blogs.vmware.com/security Twitter https://twitter.com/VMwareSRC Copyright 2018 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFbNaFeDEcm8Vbi9kMRAn4NAJ42HgDjfXkcTVfDupwE4KPdPVsf7wCcDaLy aN23XiAmhvFSxcQ5GnJR0ls= =frKv -----END PGP SIGNATURE-----

Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. CPU hardware utilizing speculative execution may be vulnerable to cache timing side-channel analysis. Two vulnerabilities are identified, known as "Variant 3a" and "Variant 4". CPUhardware is firmware that runs in the central processor for managing and controlling the CPU. Multiple CPUHardware information disclosure vulnerabilities. The vulnerability is caused by a race condition in the CPU cache processing. Local attackers can exploit vulnerabilities to obtain sensitive information through side channel analysis. AMD, ARM, and Intel CPUs are all CPU (central processing unit) products from different manufacturers. AMD, ARM, and Intel CPUs have security vulnerabilities. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: libvirt security update Advisory ID: RHSA-2018:3407-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2018:3407 Issue date: 2018-10-30 CVE Names: CVE-2018-3639 ==================================================================== 1. Summary: An update for libvirt is now available for Red Hat Enterprise Linux 7.2 Advanced Update Support, Red Hat Enterprise Linux 7.2 Telco Extended Update Support, and Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Server AUS (v. 7.2) - x86_64 Red Hat Enterprise Linux Server E4S (v. 7.2) - x86_64 Red Hat Enterprise Linux Server Optional AUS (v. 7.2) - x86_64 Red Hat Enterprise Linux Server Optional E4S (v. 7.2) - x86_64 Red Hat Enterprise Linux Server Optional TUS (v. 7.2) - x86_64 Red Hat Enterprise Linux Server TUS (v. 7.2) - x86_64 3. Description: The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. Security Fix(es): * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639 virt-ssbd AMD) Note: This is the libvirt side of the CVE-2018-3639 mitigation. Red Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting this issue. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the updated packages, libvirtd will be restarted automatically. 5. Bugs fixed (https://bugzilla.redhat.com/): 1566890 - CVE-2018-3639 hw: cpu: speculative store bypass 6. Package List: Red Hat Enterprise Linux Server AUS (v. 7.2): Source: libvirt-1.2.17-13.el7_2.9.src.rpm x86_64: libvirt-1.2.17-13.el7_2.9.x86_64.rpm libvirt-client-1.2.17-13.el7_2.9.i686.rpm libvirt-client-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-config-network-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-config-nwfilter-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-interface-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-lxc-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-network-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-nodedev-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-nwfilter-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-qemu-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-secret-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-storage-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-kvm-1.2.17-13.el7_2.9.x86_64.rpm libvirt-debuginfo-1.2.17-13.el7_2.9.i686.rpm libvirt-debuginfo-1.2.17-13.el7_2.9.x86_64.rpm libvirt-devel-1.2.17-13.el7_2.9.i686.rpm libvirt-devel-1.2.17-13.el7_2.9.x86_64.rpm libvirt-docs-1.2.17-13.el7_2.9.x86_64.rpm Red Hat Enterprise Linux Server E4S (v. 7.2): Source: libvirt-1.2.17-13.el7_2.9.src.rpm x86_64: libvirt-1.2.17-13.el7_2.9.x86_64.rpm libvirt-client-1.2.17-13.el7_2.9.i686.rpm libvirt-client-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-config-network-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-config-nwfilter-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-interface-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-lxc-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-network-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-nodedev-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-nwfilter-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-qemu-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-secret-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-storage-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-kvm-1.2.17-13.el7_2.9.x86_64.rpm libvirt-debuginfo-1.2.17-13.el7_2.9.i686.rpm libvirt-debuginfo-1.2.17-13.el7_2.9.x86_64.rpm libvirt-devel-1.2.17-13.el7_2.9.i686.rpm libvirt-devel-1.2.17-13.el7_2.9.x86_64.rpm libvirt-docs-1.2.17-13.el7_2.9.x86_64.rpm Red Hat Enterprise Linux Server TUS (v. 7.2): Source: libvirt-1.2.17-13.el7_2.9.src.rpm x86_64: libvirt-1.2.17-13.el7_2.9.x86_64.rpm libvirt-client-1.2.17-13.el7_2.9.i686.rpm libvirt-client-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-config-network-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-config-nwfilter-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-interface-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-lxc-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-network-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-nodedev-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-nwfilter-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-qemu-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-secret-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-driver-storage-1.2.17-13.el7_2.9.x86_64.rpm libvirt-daemon-kvm-1.2.17-13.el7_2.9.x86_64.rpm libvirt-debuginfo-1.2.17-13.el7_2.9.i686.rpm libvirt-debuginfo-1.2.17-13.el7_2.9.x86_64.rpm libvirt-devel-1.2.17-13.el7_2.9.i686.rpm libvirt-devel-1.2.17-13.el7_2.9.x86_64.rpm libvirt-docs-1.2.17-13.el7_2.9.x86_64.rpm Red Hat Enterprise Linux Server Optional AUS (v. 7.2): x86_64: libvirt-daemon-lxc-1.2.17-13.el7_2.9.x86_64.rpm libvirt-debuginfo-1.2.17-13.el7_2.9.x86_64.rpm libvirt-lock-sanlock-1.2.17-13.el7_2.9.x86_64.rpm libvirt-login-shell-1.2.17-13.el7_2.9.x86_64.rpm Red Hat Enterprise Linux Server Optional E4S (v. 7.2): x86_64: libvirt-daemon-lxc-1.2.17-13.el7_2.9.x86_64.rpm libvirt-debuginfo-1.2.17-13.el7_2.9.x86_64.rpm libvirt-lock-sanlock-1.2.17-13.el7_2.9.x86_64.rpm libvirt-login-shell-1.2.17-13.el7_2.9.x86_64.rpm Red Hat Enterprise Linux Server Optional TUS (v. 7.2): x86_64: libvirt-daemon-lxc-1.2.17-13.el7_2.9.x86_64.rpm libvirt-debuginfo-1.2.17-13.el7_2.9.x86_64.rpm libvirt-lock-sanlock-1.2.17-13.el7_2.9.x86_64.rpm libvirt-login-shell-1.2.17-13.el7_2.9.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-3639 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/vulnerabilities/ssbd 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBW9iN/9zjgjWX9erEAQjl/g/7Bc0UHYOmM8T1J4PHoe3uOtUXPml1LWNM 1OlRVXbaHA/TK1RWYMBM1iot5ENxX99Hk48+WjxMlxt3q5fL+1Tkurheao8aOCFr n/WAl7kwb9ktlzO56K5TxIu/JExuRRkzrNaQ/c77Z4sSUmqoYh7Vu9dW7hdhO6nh aYGXrSmZBdvprYsGucIEJxgGjdyEuu2xKqkmDvL0ZSoKgyY2/PRy4M0GX9BjQzQU 2pfOyfV3drFeQBu0f4dOp4hVlrA5XpaxO08pziutmWfAj/d20sSapwSXS2Kbe4+i lTQqxrpb6cK+Jgi6NI4GmdqhjhtjGi6B3zvsRtwJMivysDF5uOop8xKWnKNWWaC7 iHyOG6k1mf+ScBblIzi6Dgl18/7Jf9Nj6enIJr4v0PGwGMd59STljPsXK+ZUScwL pCkBh/Dn+zpqpGXu5w0T35ufYKpUc/thiTU68SEPX8CKce4jvSWW8AhbxTvJJTT7 TNpd5VIn6I1PSoWfeSx5P9u9NLm89OhD/3wEyjub6pwm4KSVm0sUX1tmVzBIbDNf IhS1DG8QX7ykHwBw35f02FcCIicJF2vWzZUMPYXcNJAe0/SdXY5Wij+0KeOdLHtP RwDOUe9XeUNJRQSEQhKhauWz8aHFXB1A4NJygLCAv4AUKww46MSJ48bei4OsxwgW IWybsXl0TQs=SUZ8 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Description: The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es): * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. (BZ#1599860) 4. (CVE-2018-3639) Jan H. Schonherr discovered that the Xen subsystem did not properly handle block IO merges correctly in some situations. ========================================================================== Ubuntu Security Notice USN-3654-1 May 22, 2018 linux, linux-aws, linux-kvm, vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS Summary: Several security issues were addressed in the Linux kernel. (CVE-2018-3639) Tuba Yavuz discovered that a double-free error existed in the USBTV007 driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17975) It was discovered that a race condition existed in the F2FS implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18193) It was discovered that a buffer overflow existed in the Hisilicon HNS Ethernet Device driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18222) It was discovered that the netfilter subsystem in the Linux kernel did not validate that rules containing jumps contained user-defined chains. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-1065) It was discovered that the netfilter subsystem of the Linux kernel did not properly validate ebtables offsets. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-1068) It was discovered that a null pointer dereference vulnerability existed in the DCCP protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1130) It was discovered that the SCTP Protocol implementation in the Linux kernel did not properly validate userspace provided payload lengths in some situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-5803) It was discovered that a double free error existed in the block layer subsystem of the Linux kernel when setting up a request queue. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-7480) It was discovered that a memory leak existed in the SAS driver subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-7757) It was discovered that a race condition existed in the x86 machine check handler in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-7995) Eyal Itkin discovered that the USB displaylink video adapter driver in the Linux kernel did not properly validate mmap offsets sent from userspace. (CVE-2018-8781) Silvio Cesare discovered a buffer overwrite existed in the NCPFS implementation in the Linux kernel. A remote attacker controlling a malicious NCPFS server could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-8822) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS: linux-image-4.4.0-1026-kvm 4.4.0-1026.31 linux-image-4.4.0-1060-aws 4.4.0-1060.69 linux-image-4.4.0-127-generic 4.4.0-127.153 linux-image-4.4.0-127-generic-lpae 4.4.0-127.153 linux-image-4.4.0-127-lowlatency 4.4.0-127.153 linux-image-4.4.0-127-powerpc-e500mc 4.4.0-127.153 linux-image-4.4.0-127-powerpc-smp 4.4.0-127.153 linux-image-4.4.0-127-powerpc64-emb 4.4.0-127.153 linux-image-4.4.0-127-powerpc64-smp 4.4.0-127.153 linux-image-aws 4.4.0.1060.62 linux-image-generic 4.4.0.127.133 linux-image-generic-lpae 4.4.0.127.133 linux-image-kvm 4.4.0.1026.25 linux-image-lowlatency 4.4.0.127.133 linux-image-powerpc-e500mc 4.4.0.127.133 linux-image-powerpc-smp 4.4.0.127.133 linux-image-powerpc64-emb 4.4.0.127.133 linux-image-powerpc64-smp 4.4.0.127.133 Please note that fully mitigating CVE-2018-3639 (Spectre Variant 4) may require corresponding processor microcode/firmware updates or, in virtual environments, hypervisor updates. On i386 and amd64 architectures, the SSBD feature is required to enable the kernel mitigations. BIOS vendors will be making updates available for Intel processors that implement SSBD and Ubuntu is working with Intel to provide future microcode updates. Ubuntu users with a processor from a different vendor should contact the vendor to identify necessary firmware updates. Ubuntu provided corresponding QEMU updates for users of self-hosted virtual environments in USN 3651-1. Ubuntu users in cloud environments should contact the cloud provider to confirm that the hypervisor has been updated to expose the new CPU features to virtual machines. Description: Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Once all virtual machines have shut down, start them again for this update to take effect. Relevant releases/architectures: RHEV-H and VDSM for 7 Hosts ELS - noarch 3. Description: The VDSM service is required by a Virtualization Manager to manage the Linux hosts. VDSM manages and monitors the host's storage, memory and networks as well as virtual machine creation, other host administration tasks, statistics gathering, and log collection. 7.4) - ppc64, ppc64le, s390x, x86_64 3. Software Description: - intel-microcode: Processor microcode for Intel CPUs Details: It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). This vulnerability is also known as Rogue System Register Read (RSRE). Bug Fix(es) and Enhancement(s): These updated kernel packages include also numerous bug fixes and enhancements. Space precludes documenting all of the bug fixes and enhancements in this advisory. See the descriptions in the related Knowledge Article: https://access.redhat.com/articles/3483021 4

A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attackers to access the FTP server on port 2121, and upload files or list directories, by entering these credentials. mySCADA myPRO Contains a vulnerability in the use of hard-coded credentials.Information may be obtained and information may be altered

The Local HTTP API in Radio Thermostat CT50 and CT80 1.04.84 and below products allows unauthorized access via a DNS rebinding attack. This can result in remote device temperature control, as demonstrated by a tstat t_heat request that accesses a device purchased in the Spring of 2018, and sets a home's target temperature to 95 degrees Fahrenheit. This vulnerability might be described as an addendum to CVE-2013-4860. Radio Thermostat CT50 and CT80 Contains an input validation vulnerability.Information may be tampered with. Radio Thermostat CT50 and CT80 are touch screen thermostat products of American Radio Thermostat Company. This product manages heating and cooling systems in homes. Local HTTP API is one of the local HTTP interfaces

On D-Link DIR-550A and DIR-604M devices through v2.10KR, a malicious user can forge an HTTP request to inject operating system commands that can be executed on the device with higher privileges, aka remote code execution. D-Link DIR-550A and DIR-604M The device contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The D-Link DIR-550A and DIR-604M are both D-Link wireless router products. A remote code execution vulnerability exists in D-LinkDIR-550A and DIR-604M2.10KR and earlier

totemomail Encryption Gateway before 6.0_b567 allows remote attackers to obtain sensitive information about user sessions and encryption key material via a JSONP hijacking attack. totemomail Encryption Gateway Contains an information disclosure vulnerability.Information may be obtained. A security vulnerability exists in previous versions of totemomailEncryptionGateway6.0_b567

On D-Link DIR-550A and DIR-604M devices through v2.10KR, a malicious user can use a default TELNET account to get unauthorized access to vulnerable devices, aka a backdoor access vulnerability. D-Link DIR-550A and DIR-604M Devices have vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The D-Link DIR-550A and DIR-604M are both D-Link wireless router products. Security vulnerabilities existed in D-LinkDIR-550A and DIR-604M2.10KR and earlier

procps-ng before version 3.3.15 is vulnerable to multiple integer overflows leading to a heap corruption in file2strvec function. This allows a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users. procps-ng Contains an integer overflow vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Procps-ng Procps is prone to the following security vulnerabilities: 1. A local security-bypass vulnerability 2. A local privilege-escalation vulnerability 3. A local denial-of-service vulnerability 4. Multiple local integer-overflow vulnerabilities 5. A stack-based buffer-overflow vulnerability Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application or perform unauthorized actions. Failed exploit attempts will likely cause a denial-of-service condition. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201805-14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: procps: Multiple vulnerabilities Date: May 30, 2018 Bugs: #656022 ID: 201805-14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in procps, the worst of which could result in the execution of arbitrary code. Background ========== A bunch of small useful utilities that give information about processes using the /proc filesystem. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 sys-process/procps < 3.3.15-r1 >= 3.3.15-r1 Description =========== Multiple vulnerabilities have been discovered in procps. Please review the CVE identifiers referenced below for details. Impact ====== A local attacker could execute arbitrary code, escalate privileges, or cause a Denial of Service condition. Workaround ========== There is no known workaround at this time. Resolution ========== All procps users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-process/procps-3.3.15-r1" References ========== [ 1 ] CVE-2018-1120 https://nvd.nist.gov/vuln/detail/CVE-2018-1120 [ 2 ] CVE-2018-1121 https://nvd.nist.gov/vuln/detail/CVE-2018-1121 [ 3 ] CVE-2018-1122 https://nvd.nist.gov/vuln/detail/CVE-2018-1122 [ 4 ] CVE-2018-1123 https://nvd.nist.gov/vuln/detail/CVE-2018-1123 [ 5 ] CVE-2018-1124 https://nvd.nist.gov/vuln/detail/CVE-2018-1124 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201805-14 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2018 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

In Delta Electronics Automation TPEditor version 1.89 or prior, parsing a malformed program file may cause heap-based buffer overflow vulnerability, which may allow remote code execution. Delta Electronics Automation TPEditor Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Delta Industrial Automation TPEditor is a programming software for Delta Electronics' Delta Text Panel running on Windows. Failed attempts will likely result in denial-of-service conditions

In GE PACSystems RX3i CPE305/310 version 9.20 and prior, RX3i CPE330 version 9.21 and prior, RX3i CPE 400 version 9.30 and prior, PACSystems RSTi-EP CPE 100 all versions, and PACSystems CPU320/CRU320 RXi all versions, the device does not properly validate input, which could allow a remote attacker to send specially crafted packets causing the device to become unavailable. plural GE The product contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. PACSystems RX3i CPE305/310, RX3i CPE330, RX3i CPE 400 are all GE programmable programmable controller products. GE PACSystems are prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause the device to reboot and change its state, denying service to legitimate users. GE PACSystems RX3i CPE305, etc. A security vulnerability exists in several GE products due to the program not properly validating input

All Phoenix Contact managed FL SWITCH 3xxx, 4xxx, 48xx products running firmware version 1.0 to 1.33 allow reading the configuration file by an unauthenticated user. plural Phoenix Contact FL SWITCH The product contains an information disclosure vulnerability.Information may be obtained. PhoenixContact is a German provider of industrial automation, connectivity and interface solutions for critical infrastructure applications such as communications, critical manufacturing and information technology. PhoenixContactmanagedFLSWITCH has an information disclosure vulnerability that allows unauthenticated attackers to read the device's profile content. An OS command-execution vulnerability 2. An information-disclosure vulnerability 3. Multiple stack-based buffer-overflow vulnerabilities Attackers can exploit these issues to execute arbitrary code, execute arbitrary OS commands, obtain sensitive information, and perform unauthorized actions. Failed exploit attempts will likely cause a denial-of-service condition

All Phoenix Contact managed FL SWITCH 3xxx, 4xxx, 48xx products running firmware version 1.0 to 1.33 are prone to buffer overflows when handling very large cookies (a different vulnerability than CVE-2018-10728). plural Phoenix Contact FL SWITCH The product contains a buffer error vulnerability. This vulnerability CVE-2018-10728 Is a different vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. PHOENIXCONTACTFLSWITCH3xxx, 4xxx and 48xxxSeries are all different series of switch devices from the Phoenix Contact group in Germany. A stack buffer overflow vulnerability exists in PHOENIXCONTACTFLSWITCH3xxx, 4xxx, and 48xxxSeries products using firmware versions 1.0 through 1.32. A remote attacker could exploit the vulnerability to gain unauthorized access to the switch operating system files and to inject executable code into the operating system. An OS command-execution vulnerability 2. An information-disclosure vulnerability 3. Multiple stack-based buffer-overflow vulnerabilities Attackers can exploit these issues to execute arbitrary code, execute arbitrary OS commands, obtain sensitive information, and perform unauthorized actions. Failed exploit attempts will likely cause a denial-of-service condition

All Phoenix Contact managed FL SWITCH 3xxx, 4xxx, 48xx products running firmware version 1.0 to 1.33 are prone to OS command injection. PhoenixContact is a German provider of industrial automation, connectivity and interface solutions for critical infrastructure applications such as communications, critical manufacturing and information technology. PhoenixContactmanagedFLSWITCH has a command injection vulnerability. If the configuration file can be transferred to the switch or transferred from the switch, the attacker can upgrade the firmware to execute any OSshell command. An OS command-execution vulnerability 2. An information-disclosure vulnerability 3. Multiple stack-based buffer-overflow vulnerabilities Attackers can exploit these issues to execute arbitrary code, execute arbitrary OS commands, obtain sensitive information, and perform unauthorized actions. Failed exploit attempts will likely cause a denial-of-service condition

All Phoenix Contact managed FL SWITCH 3xxx, 4xxx, 48xx products running firmware version 1.0 to 1.33 are prone to buffer overflows (a different vulnerability than CVE-2018-10731). plural Phoenix Contact FL SWITCH The product contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. PhoenixContact is a German provider of industrial automation, connectivity and interface solutions for critical infrastructure applications such as communications, critical manufacturing and information technology. PhoenixContactmanagedFLSWITCH has a buffer overflow vulnerability that allows an attacker to insert a specially crafted cookie into a GET request to cause a buffer overflow, thereby triggering a denial of service attack and executing arbitrary code. An OS command-execution vulnerability 2. An information-disclosure vulnerability 3. Multiple stack-based buffer-overflow vulnerabilities Attackers can exploit these issues to execute arbitrary code, execute arbitrary OS commands, obtain sensitive information, and perform unauthorized actions. Failed exploit attempts will likely cause a denial-of-service condition

Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician Programme and 8870 N'Vision removable Application Card do not encrypt PII and PHI while at rest. The Medtronic N'Vision Clinician Programmer is a small, portable device that provides a single programming platform for Medtronic nerve graft therapy devices. The Medtronic N'Vision Clinician Programmer has an information disclosure vulnerability that allows an attacker to exploit sensitive information. Medtronic N'Vision Clinician Programmer is prone to an information-disclosure vulnerability. The vulnerability is caused by the program not encrypting PII and PHI

PrinterOn Enterprise 4.1.3 stores the Active Directory bind credentials using base64 encoding, which allows local users to obtain credentials for a domain user by reading the cps_config.xml file. PrinterOn Contains information disclosure vulnerabilities and certificate / password management vulnerabilities.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. PrinterOn Enterprise is a set of secure cloud printing solutions from PrinterOn Canada. The solution supports printing from laptops, desktops, and mobile devices to connected printers. There is an information disclosure vulnerability in PrinterOn Enterprise 4.1.3, which stems from the fact that the program uses base64 encoding to store credentials

PrinterOn Enterprise 4.1.3 suffers from multiple authenticated stored XSS vulnerabilities via the (1) department field in the printer configuration, (2) description field in the print server configuration, and (3) username field for authentication to print as guest. PrinterOn Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. PrinterOn Enterprise is a set of secure cloud printing solutions from PrinterOn Canada. The solution supports printing from laptops, desktops, and mobile devices to connected printers