VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-202409-0080 CVE-2024-44400 D-Link Systems, Inc.  of  di-8400  Command injection vulnerability in firmware CVSS V2: 9.0
CVSS V3: 9.8
Severity: CRITICAL
A vulnerability was discovered in DI_8400-16.07.26A1, which has been classified as critical. This issue affects the upgrade_filter_asp function in the upgrade_filter.asp file. Manipulation of the path parameter can lead to command injection. D-Link Systems, Inc. of di-8400 Firmware contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The D-Link DI-8400 is a D-Link router designed for medium-to-large enterprise networks. It supports up to 360 concurrent users and features a full Gigabit Ethernet port configuration. This vulnerability, exploited through the upgrade_filter_asp command injection attack, could allow an attacker to execute arbitrary commands
VAR-202409-0398 CVE-2024-45678 plural  Yubico  Observable inconsistency vulnerabilities in products CVSS V2: -
CVSS V3: 4.2
Severity: MEDIUM
Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected. yubikey 5c nfc firmware, YubiKey 5 NFC firmware, yubikey 5c firmware etc. Yubico The product contains an observable inconsistency vulnerability.Information may be obtained
VAR-202409-0113 CVE-2024-6119 Multiple vulnerabilities in Siemens SINEC OS third-party components CVSS V2: 7.2
CVSS V3: 7.5
Severity: HIGH
Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can a cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. The RUGGEDCOM RST2428P is a Layer 2 Ethernet switch based on the SINEC operating system with up to 28 non-blocking interfaces. SCALANCE X switches are used to connect industrial components such as programmable logic controllers (PLCs) or human-machine interfaces (HMIs). Multiple vulnerabilities in third-party components of Siemens' SINEC OS could allow attackers to gain control of the server. ========================================================================== Ubuntu Security Notice USN-6986-1 September 03, 2024 openssl vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: OpenSSL could be made to crash or expose sensitive information if it received a specially crafted certificate. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.04 LTS libssl3t64 3.0.13-0ubuntu3.4 openssl 3.0.13-0ubuntu3.4 Ubuntu 22.04 LTS libssl3 3.0.2-0ubuntu1.18 openssl 3.0.2-0ubuntu1.18 After a standard system update you need to reboot your computer to make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5764-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso September 03, 2024 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : openssl CVE ID : CVE-2024-6119 David Benjamin reported a flaw in the X.509 name checks in OpenSSL, a Secure Sockets Layer toolkit, which may cause an application performing certificate name checks to crash, resulting in denial of service. Additional details can be found in the upstream advisory: https://openssl-library.org/news/secadv/20240903.txt For the stable distribution (bookworm), this problem has been fixed in version 3.0.14-1~deb12u2. We recommend that you upgrade your openssl packages. For the detailed security status of openssl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmbXW1pfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0RXThAAjRoSSUyNd4LR8nETi9XB31OkPVx0KrvU2hfIRnPUHHb3hOoi8vEKxdqh gd1pHtEKUBB3TBkXnyMuQ1p79+wuIjvV6Jr7uEPK0w2GdvC0KaF4+cohRDB7Xpjk +AjVFprvljePzgR9BcX1LWX/Bj6k7j8Jit4hkSDxeWn2W4NvCk9+1FMaHPa1PCmX Axo83qzlJg/SMcI5s19No3TzY9z9RdXH622J6hZk/DUZi6YMSryxCoAuU7ur/Ol8 zGH8RG9THiC4hcnAnNjOrqAJqlLzoLgFxykwrvYGwWk//fsQsCeR2HXNQJiPBKq0 QyoXP0WFgIbjnQlRfJI2gxwr5KWn77sNnc2vGZ8HXScj+pKOxrdHyp6a3kaZ99AN DCU5UAo36wSUhZyX9I8nNxjZmb2w5fbeFnHkI2xx2onoLeUjv4hzipS4VS0OP5Th qXhXGjLng4L0bIc5Ad/LuC4T/PnXuwfDgMnAQHHM0zjQcDih/TaTfXn1v+j67FIV BxiqD5EI07ms/jysbmpydB4z2Fwl0D09goEtbO2m2ZE+BU4o8dQIk6UB7KiKTBcy VS3uTR7ZG9AbomfHceh9/3ycI0FMTXUXlifU9v3Btuwpb3DnjCwJKaoAEQNrfuV1 OjqV29oZd2ye2bwAC2uveAnS0wxe+26Gsr+PhmdUFSGSAPeULt4= =KHr5 -----END PGP SIGNATURE----- . Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. The following advisory data is extracted from: https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8935.json Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment. - Packet Storm Staff ==================================================================== Red Hat Security Advisory Synopsis: Moderate: edk2 security update Advisory ID: RHSA-2024:8935-03 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2024:8935 Issue date: 2024-11-06 Revision: 03 CVE Names: CVE-2024-6119 ==================================================================== Summary: An update for edk2 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description: EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es): * openssl: Possible denial of service in X.509 name checks (CVE-2024-6119) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution: https://access.redhat.com/articles/11258 CVEs: CVE-2024-6119 References: https://access.redhat.com/security/updates/classification/#moderate https://bugzilla.redhat.com/show_bug.cgi?id=2306158
VAR-202409-2319 No CVE Beijing Xingwang Ruijie Network Technology Co., Ltd. EG2000K has a file upload vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Ruijie Networks, founded in 2003, is an industry-leading ICT infrastructure and solution provider. Beijing Xingwang Ruijie Network Technology Co., Ltd. EG2000K has a file upload vulnerability that can be exploited by attackers to obtain server permissions.
VAR-202409-2597 No CVE H3C ER6300 has an information leakage vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
ER6300 is a high-performance full-gigabit router for Internet cafes launched by H3C. H3C Technologies Co., Ltd. ER6300 has an information leakage vulnerability, which can be exploited by attackers to obtain sensitive information.
VAR-202409-0013 CVE-2024-33060 Use of freed memory vulnerability in multiple Qualcomm products CVSS V2: -
CVSS V3: 8.4
Severity: HIGH
Memory corruption when two threads try to map and unmap a single node simultaneously. 315 5g iot firmware, AQT1000 firmware, AR8031 Multiple Qualcomm products, such as firmware, contain vulnerabilities related to use of freed memory.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Inside of fastrpc_mmap_find, there exists the following code to search for ADSP_MMAP_HEAP_ADDR or ADSP_MMAP_REMOTE_HEAP_ADDR allocations:hlist_for_each_entry_safe(map, n, &me->maps, hn) { if (va >= map->va && va + len <= map->va + map->len && map->fd == fd) { if (refs) { if (map->refs + 1 == INT_MAX) { spin_unlock_irqrestore(&me->hlock, irq_flags); return -ETOOMANYREFS; } map->refs++; } match = map; break; } } This code is wrong at a couple different levels, particularly in the case of a fastrpc_mmap_create-->fastrpc_mmap_find call coming from userland such as in the FASTRPC_IOCTL_MEM_MAP ioctl. I think this code path may not be intended to be reachable from userland at all - although even for requests issued from kernel-land, the contract for this code appears to have some correctness issues. This code uses map->va for finding an associated mapping which for these heap addresses comes from a call to dma_alloc_attrs inside of fastrpc_alloc_cma_memory. dma_alloc_attrs has two different modes of operation - one returns a kernel virtual address to the allocated memory, and the other returns a struct page pointer that serves as an opaque cookie for the allocated memory. We have the latter case for this invocation of dma_alloc_attrs because of the DMA_ATTR_NO_KERNEL_MAPPING flag applied in fastrpc_mmap_create_remote_heap. We can see this looking at the debugfs-visible global file in the adsprpc directory:=================================== GMAPS ==================================== fd |phys |size |va -------------------------------------------------------------------------------- -1 |0xE883A000 |0x1000 |0xFFFFFFFE01A20E80 -1 |0xE8839000 |0x1000 |0xFFFFFFFE01A20E40 -1 |0xE8838000 |0x1000 |0xFFFFFFFE01A20E00 -1 |0xE8837000 |0x1000 |0xFFFFFFFE01A20DC0 -1 |0xE8836000 |0x1000 |0xFFFFFFFE01A20D80 -1 |0xE8835000 |0x1000 |0xFFFFFFFE01A20D40 0 |0xE8834000 |0x1000 |0xFFFFFFFE01A20D00 0 |0xE8833000 |0x1000 |0xFFFFFFFE01A20CC0 0 |0xE8832000 |0x1000 |0xFFFFFFFE01A20C80 -1 |0xE8900000 |0x200000 |0xFFFFFFFE01A24000 This means we end up comparing a userland supplied value against a kernel page pointer - behavior of the kernel ioctl FASTRPC_IOCTL_MEM_MAP differs in userland visible ways based on the outcome of the comparison, meaning that userland can leak kernel page pointer addresses by "guessing" a possible address and observing the resulting error code. Here is the output from the attached PoC on a Samsung S23: dm1q:/data/local/tmp $ ./poc Detected address 0xfffffffe01c00000 Final address: 0xfffffffe01a24000 Additionally, because map->va is a struct page pointer as opposed to a genuine address to the underlying buffer, the usage of map->va + map->len is incorrect, and can lead to there being multiple map matches for the same calling parameters. **This bug is subject to a 90-day disclosure deadline. If a fix for this** **issue is made available to users before the end of the 90-day deadline,** **this bug report will become public 30 days after the fix was made** **available. Otherwise, this bug report will become public at the deadline.** The scheduled deadline is 2024-09-22. **For more details, see the Project Zero vulnerability disclosure policy:** **https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-** **policy.html** Related CVE Number: CVE-2024-33060
VAR-202409-0028 CVE-2024-33052 Out-of-bounds write vulnerability in multiple Qualcomm products CVSS V2: -
CVSS V3: 7.8
Severity: HIGH
Memory corruption when user provides data for FM HCI command control operations. APQ8017 firmware, AQT1000 firmware, fastconnect 6200 Several Qualcomm products, such as firmware, contain an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
VAR-202409-0017 CVE-2024-33051 Out-of-bounds read vulnerability in multiple Qualcomm products CVSS V2: -
CVSS V3: 7.5
Severity: HIGH
Transient DOS while processing TIM IE from beacon frame as there is no check for IE length. 315 5g iot firmware, 9206 lte firmware, APQ8017 Multiple Qualcomm products, such as firmware, contain an out-of-bounds read vulnerability.Service operation interruption (DoS) It may be in a state
VAR-202409-2186 CVE-2024-33043 Out-of-bounds read vulnerability in multiple Qualcomm products CVSS V2: -
CVSS V3: 5.5
Severity: MEDIUM
Transient DOS while handling PS event when Program Service name length offset value is set to 255. APQ8017 firmware, AQT1000 firmware, fastconnect 6200 Multiple Qualcomm products, such as firmware, contain an out-of-bounds read vulnerability.Service operation interruption (DoS) It may be in a state
VAR-202409-0034 CVE-2024-33042 Out-of-bounds write vulnerability in multiple Qualcomm products CVSS V2: -
CVSS V3: 7.8
Severity: HIGH
Memory corruption when Alternative Frequency offset value is set to 255. APQ8017 firmware, AQT1000 firmware, fastconnect 6200 Several Qualcomm products, such as firmware, contain an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
VAR-202409-2177 No CVE tenda A32 wireless router management interface authentication bypass vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
There is a security vulnerability in the web management interface of tenda A32 wireless router. By modifying cookies to specific values, the user name and password authentication can be bypassed to directly obtain administrator operation permissions and manage the router.
VAR-202408-2636 CVE-2024-45492 libexpat project  of  libexpat  Integer overflow vulnerability in CVSS V2: 7.2
CVSS V3: 9.8
Severity: CRITICAL
An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). libexpat project of libexpat Exists in an integer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The RUGGEDCOM RST2428P is a Layer 2 Ethernet switch based on the SINEC operating system with up to 28 non-blocking interfaces. SCALANCE X switches are used to connect industrial components such as programmable logic controllers (PLCs) or human-machine interfaces (HMIs). Multiple vulnerabilities in third-party components of Siemens' SINEC OS could allow attackers to gain control of the server. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5770-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff September 17, 2024 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : expat CVE ID : CVE-2024-45490 CVE-2024-45491 CVE-2024-45492 Shang-Hung Wan discovered multiple vulnerabilities in the Expat XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code. For the stable distribution (bookworm), these problems have been fixed in version 2.5.0-1+deb12u1. We recommend that you upgrade your expat packages. For the detailed security status of expat please refer to its security tracker page at: https://security-tracker.debian.org/tracker/expat Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmbp6EIACgkQEMKTtsN8 Tjb+0hAAsAHl9didzh1S8vHaLH8P8I1XT0302RGP1N6r4BKvjEozuTKml28F3NEK 9IplBZXH8GM6tnF1/gRJf5Dp4YsL7H+nYUjbkZEdLM2TztRoy4wnITxUwqQ7q1ly /bWMuyaoUn9jZu6SA+yEL68DtbXpFbs8IAOE3kqPsbcWvJ7O7LU3Ajjw5aWYwxV0 kdVyI67rBkfWAdyFRjlkxF62+ieR9sjpKNDKK1nmO+I8eEF5E/WOXsfPlzcKwax2 mMhisTscEIvaBSKCaQICCojYbvju8KW8B+NsJMsyRbPoimTyzE2n4VBk0ZNHjv+w sIddwdgzXpWHHRbVtl6zjiZvzxUtphp6tHstxoW8YZQKkQiwqqlpONqXKWG1yR0o pltUr7JjTylDo41M21yK/WizdxFkdrUJi4drKTONekvbhUEaTLaoR/ywYi0Za7T0 sUguAJk25id2px3LdTvMhQywTNmL103LkFfq1WIXL9x+yzYdKos8P3qu9DIaIqms R4dy2xMhiJwVyQXi74Tte9h5n6FXET1Z8MoyxFOVI6SQ5FBXJMmL48r6Uwhb09tH ZL2VNUequSC2L4uGozFFaHvr3M606srokRbo18XvNTNUvApJjAFt/WTnOjKUDuJM 08PjLw6brD/XBR6p/NKX8vMQmmXClyKwB97SG1MYu/MfdJK/7wQ= =bEe8 -----END PGP SIGNATURE-----
VAR-202408-2685 CVE-2024-45491 libexpat project  of  libexpat  Integer overflow vulnerability in CVSS V2: 7.2
CVSS V3: 9.8
Severity: CRITICAL
An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). libexpat project of libexpat Exists in an integer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The RUGGEDCOM RST2428P is a Layer 2 Ethernet switch based on the SINEC operating system with up to 28 non-blocking interfaces. SCALANCE X switches are used to connect industrial components such as programmable logic controllers (PLCs) or human-machine interfaces (HMIs). Multiple vulnerabilities in third-party components of Siemens' SINEC OS could allow attackers to gain control of the server. ========================================================================== Ubuntu Security Notice USN-7001-2 September 17, 2024 libxmltok vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.04 LTS Summary: Several security issues were fixed in libxmltok. Software Description: - libxmltok: XML Parser Toolkit, developer libraries Details: USN-7001-1 fixed vulnerabilities in xmltol library. This update provides the corresponding updates for Ubuntu 24.04 LTS. Original advisory details: Shang-Hung Wan discovered that Expat, contained within the xmltok library, did not properly handle certain function calls when a negative input length was provided. An attacker could use this issue to cause a denial of service or possibly execute arbitrary code. (CVE-2024-45490) Shang-Hung Wan discovered that Expat, contained within the xmltok library, did not properly handle the potential for an integer overflow on 32-bit platforms. An attacker could use this issue to cause a denial of service or possibly execute arbitrary code. (CVE-2024-45491) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.04 LTS libxmltok1t64 1.2-4.1ubuntu2.24.0.4.1+esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5770-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff September 17, 2024 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : expat CVE ID : CVE-2024-45490 CVE-2024-45491 CVE-2024-45492 Shang-Hung Wan discovered multiple vulnerabilities in the Expat XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code. For the stable distribution (bookworm), these problems have been fixed in version 2.5.0-1+deb12u1. We recommend that you upgrade your expat packages. For the detailed security status of expat please refer to its security tracker page at: https://security-tracker.debian.org/tracker/expat Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmbp6EIACgkQEMKTtsN8 Tjb+0hAAsAHl9didzh1S8vHaLH8P8I1XT0302RGP1N6r4BKvjEozuTKml28F3NEK 9IplBZXH8GM6tnF1/gRJf5Dp4YsL7H+nYUjbkZEdLM2TztRoy4wnITxUwqQ7q1ly /bWMuyaoUn9jZu6SA+yEL68DtbXpFbs8IAOE3kqPsbcWvJ7O7LU3Ajjw5aWYwxV0 kdVyI67rBkfWAdyFRjlkxF62+ieR9sjpKNDKK1nmO+I8eEF5E/WOXsfPlzcKwax2 mMhisTscEIvaBSKCaQICCojYbvju8KW8B+NsJMsyRbPoimTyzE2n4VBk0ZNHjv+w sIddwdgzXpWHHRbVtl6zjiZvzxUtphp6tHstxoW8YZQKkQiwqqlpONqXKWG1yR0o pltUr7JjTylDo41M21yK/WizdxFkdrUJi4drKTONekvbhUEaTLaoR/ywYi0Za7T0 sUguAJk25id2px3LdTvMhQywTNmL103LkFfq1WIXL9x+yzYdKos8P3qu9DIaIqms R4dy2xMhiJwVyQXi74Tte9h5n6FXET1Z8MoyxFOVI6SQ5FBXJMmL48r6Uwhb09tH ZL2VNUequSC2L4uGozFFaHvr3M606srokRbo18XvNTNUvApJjAFt/WTnOjKUDuJM 08PjLw6brD/XBR6p/NKX8vMQmmXClyKwB97SG1MYu/MfdJK/7wQ= =bEe8 -----END PGP SIGNATURE----- . The following advisory data is extracted from: https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8859.json Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment. - Packet Storm Staff ==================================================================== Red Hat Security Advisory Synopsis: Moderate: xmlrpc-c security update Advisory ID: RHSA-2024:8859-03 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2024:8859 Issue date: 2024-11-05 Revision: 03 CVE Names: CVE-2024-45491 ==================================================================== Summary: An update for xmlrpc-c is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description: XML-RPC is a remote procedure call (RPC) protocol that uses XML to encode its calls and HTTP as a transport mechanism. The xmlrpc-c packages provide a network protocol to allow a client program to make a simple RPC (remote procedure call) over the Internet. It converts an RPC into an XML document, sends it to a remote server using HTTP, and gets back the response in XML. Security Fix(es): * libexpat: Integer Overflow or Wraparound (CVE-2024-45491) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution: https://access.redhat.com/articles/11258 CVEs: CVE-2024-45491 References: https://access.redhat.com/security/updates/classification/#moderate https://bugzilla.redhat.com/show_bug.cgi?id=2308616
VAR-202408-2626 CVE-2024-45490 libexpat project  of  libexpat  In  XML  External entity vulnerabilities CVSS V2: 7.2
CVSS V3: 7.5
Severity: HIGH
An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. libexpat project of libexpat for, XML There is a vulnerability in an external entity.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The RUGGEDCOM RST2428P is a Layer 2 Ethernet switch based on the SINEC operating system with up to 28 non-blocking interfaces. SCALANCE X switches are used to connect industrial components such as programmable logic controllers (PLCs) or human-machine interfaces (HMIs). Multiple vulnerabilities in third-party components of Siemens' SINEC OS could allow attackers to gain control of the server. ========================================================================== Ubuntu Security Notice USN-7001-2 September 17, 2024 libxmltok vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.04 LTS Summary: Several security issues were fixed in libxmltok. Software Description: - libxmltok: XML Parser Toolkit, developer libraries Details: USN-7001-1 fixed vulnerabilities in xmltol library. This update provides the corresponding updates for Ubuntu 24.04 LTS. Original advisory details: Shang-Hung Wan discovered that Expat, contained within the xmltok library, did not properly handle certain function calls when a negative input length was provided. An attacker could use this issue to cause a denial of service or possibly execute arbitrary code. (CVE-2024-45490) Shang-Hung Wan discovered that Expat, contained within the xmltok library, did not properly handle the potential for an integer overflow on 32-bit platforms. An attacker could use this issue to cause a denial of service or possibly execute arbitrary code. (CVE-2024-45491) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.04 LTS libxmltok1t64 1.2-4.1ubuntu2.24.0.4.1+esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7001-2 https://ubuntu.com/security/notices/USN-7001-1 CVE-2024-45490, CVE-2024-45491 . For the stable distribution (bookworm), these problems have been fixed in version 2.5.0-1+deb12u1. We recommend that you upgrade your expat packages. For the detailed security status of expat please refer to its security tracker page at: https://security-tracker.debian.org/tracker/expat Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmbp6EIACgkQEMKTtsN8 Tjb+0hAAsAHl9didzh1S8vHaLH8P8I1XT0302RGP1N6r4BKvjEozuTKml28F3NEK 9IplBZXH8GM6tnF1/gRJf5Dp4YsL7H+nYUjbkZEdLM2TztRoy4wnITxUwqQ7q1ly /bWMuyaoUn9jZu6SA+yEL68DtbXpFbs8IAOE3kqPsbcWvJ7O7LU3Ajjw5aWYwxV0 kdVyI67rBkfWAdyFRjlkxF62+ieR9sjpKNDKK1nmO+I8eEF5E/WOXsfPlzcKwax2 mMhisTscEIvaBSKCaQICCojYbvju8KW8B+NsJMsyRbPoimTyzE2n4VBk0ZNHjv+w sIddwdgzXpWHHRbVtl6zjiZvzxUtphp6tHstxoW8YZQKkQiwqqlpONqXKWG1yR0o pltUr7JjTylDo41M21yK/WizdxFkdrUJi4drKTONekvbhUEaTLaoR/ywYi0Za7T0 sUguAJk25id2px3LdTvMhQywTNmL103LkFfq1WIXL9x+yzYdKos8P3qu9DIaIqms R4dy2xMhiJwVyQXi74Tte9h5n6FXET1Z8MoyxFOVI6SQ5FBXJMmL48r6Uwhb09tH ZL2VNUequSC2L4uGozFFaHvr3M606srokRbo18XvNTNUvApJjAFt/WTnOjKUDuJM 08PjLw6brD/XBR6p/NKX8vMQmmXClyKwB97SG1MYu/MfdJK/7wQ= =bEe8 -----END PGP SIGNATURE----- . The following advisory data is extracted from: https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9610.json Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment. - Packet Storm Staff ==================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.17.5 security update Advisory ID: RHSA-2024:9610-03 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2024:9610 Issue date: 2024-11-25 Revision: 03 CVE Names: CVE-2024-45490 ==================================================================== Summary: Red Hat OpenShift Container Platform release 4.17.5 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.17. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.17.5. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHSA-2024:9613 Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.openshift.com/container-platform/4.17/release_notes/ocp-4-17-release-notes.html Security Fix(es): * libexpat: Negative Length Parsing Vulnerability in libexpat (CVE-2024-45490) * libexpat: Integer Overflow or Wraparound (CVE-2024-45491) * libexpat: integer overflow (CVE-2024-45492) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. All OpenShift Container Platform 4.17 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.17/updating/updating_a_cluster/updating-cluster-cli.html Solution: CVEs: CVE-2024-45490 References: https://access.redhat.com/security/updates/classification/#moderate https://bugzilla.redhat.com/show_bug.cgi?id=2308615 https://bugzilla.redhat.com/show_bug.cgi?id=2308616 https://bugzilla.redhat.com/show_bug.cgi?id=2308617 https://issues.redhat.com/browse/OCPBUGS-16141 https://issues.redhat.com/browse/OCPBUGS-42835 https://issues.redhat.com/browse/OCPBUGS-42879 https://issues.redhat.com/browse/OCPBUGS-42931 https://issues.redhat.com/browse/OCPBUGS-42949 https://issues.redhat.com/browse/OCPBUGS-42964 https://issues.redhat.com/browse/OCPBUGS-43427 https://issues.redhat.com/browse/OCPBUGS-43657 https://issues.redhat.com/browse/OCPBUGS-43667 https://issues.redhat.com/browse/OCPBUGS-43690 https://issues.redhat.com/browse/OCPBUGS-43778 https://issues.redhat.com/browse/OCPBUGS-43972 https://issues.redhat.com/browse/OCPBUGS-44227 https://issues.redhat.com/browse/OCPBUGS-44357 https://issues.redhat.com/browse/OCPBUGS-44452
VAR-202408-2491 CVE-2024-44778 Vtiger  of  Vtiger CRM  Cross-site scripting vulnerability in CVSS V2: -
CVSS V3: 9.6
Severity: CRITICAL
A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. Vtiger of Vtiger CRM Exists in a cross-site scripting vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. ------------------------------------------ [Additional Information] PoC: https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22 ------------------------------------------ [Vulnerability Type]:Cross Site Scripting (XSS) ------------------------------------------ [Vendor of Product]:vTiger ------------------------------------------ [Affected Product Code Base]:vTiger CRM - 7.4.0. ------------------------------------------ [Additional Information]: PoC: https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd'+onpointerdown=alert()+alt= ------------------------------------------ [Vulnerability Type] Cross Site Scripting (XSS) ------------------------------------------ [Vendor of Product]:vTiger ------------------------------------------ [Affected Product Code Base]:vTiger CRM - 7.4.0. ------------------------------------------ [Affected Component]:The "viewname" parameter of vTiger CRM 7.4.0 Index page . ------------------------------------------ [Additional Information] PoC: https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22 ------------------------------------------ [Vulnerability Type]:Cross Site Scripting (XSS) ------------------------------------------ [Vendor of Product]:vTiger ------------------------------------------ [Affected Product Code Base]:vTiger CRM - 7.4.0
VAR-202408-2492 CVE-2024-44777 Vtiger  of  Vtiger CRM  Cross-site scripting vulnerability in CVSS V2: -
CVSS V3: 9.6
Severity: CRITICAL
A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. Vtiger of Vtiger CRM Exists in a cross-site scripting vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. ------------------------------------------ [Additional Information] PoC: https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22 ------------------------------------------ [Vulnerability Type]:Cross Site Scripting (XSS) ------------------------------------------ [Vendor of Product]:vTiger ------------------------------------------ [Affected Product Code Base]:vTiger CRM - 7.4.0. ------------------------------------------ [Additional Information]: PoC: https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd'+onpointerdown=alert()+alt= ------------------------------------------ [Vulnerability Type] Cross Site Scripting (XSS) ------------------------------------------ [Vendor of Product]:vTiger ------------------------------------------ [Affected Product Code Base]:vTiger CRM - 7.4.0. ------------------------------------------ [Affected Component]:The "viewname" parameter of vTiger CRM 7.4.0 Index page . ------------------------------------------ [Additional Information] PoC: https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22 ------------------------------------------ [Vulnerability Type]:Cross Site Scripting (XSS) ------------------------------------------ [Vendor of Product]:vTiger ------------------------------------------ [Affected Product Code Base]:vTiger CRM - 7.4.0
VAR-202408-2490 CVE-2024-44779 Vtiger  of  Vtiger CRM  Cross-site scripting vulnerability in CVSS V2: -
CVSS V3: 9.6
Severity: CRITICAL
A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. Vtiger of Vtiger CRM Exists in a cross-site scripting vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. ------------------------------------------ [Additional Information] PoC: https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22 ------------------------------------------ [Vulnerability Type]:Cross Site Scripting (XSS) ------------------------------------------ [Vendor of Product]:vTiger ------------------------------------------ [Affected Product Code Base]:vTiger CRM - 7.4.0. ------------------------------------------ [Additional Information]: PoC: https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd'+onpointerdown=alert()+alt= ------------------------------------------ [Vulnerability Type] Cross Site Scripting (XSS) ------------------------------------------ [Vendor of Product]:vTiger ------------------------------------------ [Affected Product Code Base]:vTiger CRM - 7.4.0. ------------------------------------------ [Affected Component]:The "viewname" parameter of vTiger CRM 7.4.0 Index page . ------------------------------------------ [Additional Information] PoC: https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22 ------------------------------------------ [Vulnerability Type]:Cross Site Scripting (XSS) ------------------------------------------ [Vendor of Product]:vTiger ------------------------------------------ [Affected Product Code Base]:vTiger CRM - 7.4.0
VAR-202408-2560 CVE-2024-44776 Vtiger  of  Vtiger CRM  Open redirect vulnerability in CVSS V2: -
CVSS V3: 6.1
Severity: MEDIUM
An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site via a crafted URL. Vtiger of Vtiger CRM Exists in an open redirect vulnerability.Information may be obtained and information may be tampered with. ------------------------------------------ [VulnerabilityType Other]:Open Redirect ------------------------------------------ [Vendor of Product]:vTiger ------------------------------------------ [Affected Product Code Base] vTiger CRM - 7.4.0. ------------------------------------------ [Affected Component]:Index of vTiger CRM ------------------------------------------ [Attack Type]:Remote ------------------------------------------ [Impact Information Disclosure]:true ------------------------------------------ [CVE Impact Other]:Redirect a victim to a malicious site ------------------------------------------ [Attack Vectors]:Crafted URL ----------------------------------------- [Has vendor confirmed or acknowledged the vulnerability?]:true ------------------------------------------ [Discoverer]:Marco Nappi ------------------------------------------ [Reference]:http://vtiger.com ------------------------------------------
VAR-202408-2547 CVE-2024-34195 TOTOLINK  of  A3002R  Out-of-bounds write vulnerability in firmware CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
TOTOLINK AC1200 Wireless Router A3002R Firmware V1.1.1-B20200824 is vulnerable to Buffer Overflow. In the boa server program's CGI handling function formWlEncrypt, there is a lack of length restriction on the wlan_ssid field. This oversight leads to potential buffer overflow under specific circumstances. For instance, by invoking the formWlanRedirect function with specific parameters to alter wlan_idx's value and subsequently invoking the formWlEncrypt function, an attacker can trigger buffer overflow, enabling arbitrary command execution or denial of service attacks. TOTOLINK of A3002R An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK AC1200 is a dual-band Wi-Fi router from China's TOTOLINK Electronics. TOTOLINK AC1200 has a buffer overflow vulnerability, which is caused by the parameter wlan_idx of the formWlanRedirect function failing to properly verify the length of the input data. Attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service
VAR-202408-3013 CVE-2024-34198 TOTOLINK  of  A3002RU  Classic buffer overflow vulnerability in firmware CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
TOTOLINK AC1200 Wireless Router A3002RU V2.1.1-B20230720.1011 is vulnerable to Buffer Overflow. The formWlEncrypt CGI handler in the boa program fails to limit the length of the wlan_ssid field from user input. This allows attackers to craft malicious HTTP requests by supplying an excessively long value for the wlan_ssid field, leading to a stack overflow. This can be further exploited to execute arbitrary commands or launch denial-of-service attacks. TOTOLINK of A3002RU Firmware has a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK AC1200 is a dual-band Wi-Fi router from China's TOTOLINK Electronics