VARIoT IoT vulnerabilities database
| VAR-202002-0361 | CVE-2019-5142 | Moxa AWK-3131A firmware OS command injection vulnerability |
CVSS V2: 9.0 CVSS V3: 7.2 Severity: HIGH |
An exploitable command injection vulnerability exists in the hostname functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted entry to network configuration information can cause execution of arbitrary system commands, resulting in full control of the device. An attacker can send various authenticated requests to trigger this vulnerability. A denial-of-service (DoS) condition may also result. Moxa AWK-3131A is a wireless access device from Moxa.
| VAR-202002-0355 | CVE-2019-5136 | Moxa AWK-3131A Access Control Error Vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
An exploitable privilege escalation vulnerability exists in the iw_console functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted menu selection string can cause an escape from the restricted console, resulting in system access as the root user. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. The Moxa AWK-3131A firmware contains a permission management vulnerability. An attacker may obtain or tamper with information, or cause a denial-of-service (DoS) condition. Moxa AWK-3131A is a wireless access device from Moxa.
| VAR-202002-0366 | CVE-2019-5165 | Moxa AWK-3131A Authentication vulnerability in firmware |
CVSS V2: 6.5 CVSS V3: 7.2 Severity: HIGH |
An exploitable authentication bypass vulnerability exists in the hostname processing of the Moxa AWK-3131A firmware version 1.13. A specially configured device hostname can cause the device to interpret select remote traffic as local traffic, resulting in a bypass of web authentication. An attacker can send authenticated SNMP requests to trigger this vulnerability. The Moxa AWK-3131A firmware contains an authentication vulnerability. An attacker may obtain or tamper with information, or cause a denial-of-service (DoS) condition. Moxa AWK-3131A is a wireless access device from Moxa. The security hole lies in the handling of host names in the Moxa AWK-3131A running firmware 1.13.
| VAR-202002-0365 | CVE-2019-5162 | Moxa AWK-3131A Privilege management vulnerability in firmware |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
An exploitable improper access control vulnerability exists in the iw_webs account settings functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted user name entry can cause the overwrite of an existing user account password, resulting in remote shell access to the device as that user. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. The Moxa AWK-3131A firmware contains a permission management vulnerability. An attacker may obtain or tamper with information, or cause a denial-of-service (DoS) condition. Moxa AWK-3131A is a wireless access device from Moxa. The vulnerability stems from the product failing to properly restrict access to resources from unauthorized roles. No further vulnerability details are available at this time.
| VAR-202002-0363 | CVE-2019-5148 | Moxa AWK-3131A Integer underflow vulnerability in firmware |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An exploitable denial-of-service vulnerability exists in the ServiceAgent functionality of the Moxa AWK-3131A, firmware version 1.13. A specially crafted packet can cause an integer underflow, triggering a large memcpy that will access unmapped or out-of-bounds memory. An attacker can send this packet while unauthenticated to trigger this vulnerability. The Moxa AWK-3131A firmware contains an integer underflow vulnerability, which may result in a denial-of-service (DoS) condition. Moxa AWK-3131A is a wireless access device from Moxa.
Moxa AWK-3131A has a buffer overflow vulnerability. No further vulnerability details are available at this time.
| VAR-202002-0359 | CVE-2019-5140 | Moxa AWK-3131A firmware OS command injection vulnerability |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
An exploitable command injection vulnerability exists in the iw_webs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted diagnostic script file name can cause user input to be reflected in a subsequent iw_system call, resulting in remote control over the device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. A denial-of-service (DoS) condition may also result. Moxa AWK-3131A is a wireless access device from Moxa. The vulnerability stems from the product failing to properly filter special elements when constructing executable commands from external input. An attacker could exploit this vulnerability to execute unauthorized commands.
| VAR-202002-0362 | CVE-2019-5143 | Moxa AWK-3131A firmware format string vulnerability |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
An exploitable format string vulnerability exists in the iw_console conio_writestr functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted time server entry can cause an overflow of the time server buffer, resulting in remote code execution. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. A denial-of-service (DoS) condition may also result. Moxa AWK-3131A is a wireless switch from Moxa.
| VAR-202002-0364 | CVE-2019-5153 | Moxa AWK-3131A firmware classic buffer overflow vulnerability |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
An exploitable remote code execution vulnerability exists in the iw_webs configuration parsing functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted user name entry can cause an overflow of an error message buffer, resulting in remote code execution. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. The Moxa AWK-3131A firmware contains a classic buffer overflow vulnerability. An attacker may obtain or tamper with information, or cause a denial-of-service (DoS) condition. Moxa AWK-3131A is a wireless access device from Moxa. An attacker could exploit this vulnerability to execute code.
| VAR-202002-0360 | CVE-2019-5141 | Moxa AWK-3131A firmware OS command injection vulnerability |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
An exploitable command injection vulnerability exists in the iw_webs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted iw_serverip parameter can cause user input to be reflected in a subsequent iw_system call, resulting in remote control over the device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. A denial-of-service (DoS) condition may also result. Moxa AWK-3131A is a wireless access device from Moxa. The vulnerability stems from the product failing to properly filter special characters, commands and similar elements when constructing operating system commands from external input.
| VAR-202003-1707 | CVE-2020-9054 | ZyXEL pre-authentication command injection in weblogin.cgi |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable device. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system.
Affected products include:
- NAS326 before firmware V5.21(AAZF.7)C0
- NAS520 before firmware V5.21(AASZ.3)C0
- NAS540 before firmware V5.21(AATB.4)C0
- NAS542 before firmware V5.21(ABAG.4)C0
ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2. The weblogin.cgi executable included in multiple ZyXEL products is vulnerable to the execution of arbitrary commands.
OS command injection (CWE-78) - CVE-2020-9054: Multiple ZyXEL products perform authentication using the CGI executable weblogin.cgi. Exploit code for this vulnerability in ZyXEL NAS products is available on the Internet. Zyxel Technology is a provider of network broadband systems and solutions for internationally renowned brands. Its main products include DSL central office and terminal equipment, router equipment, network security equipment, wireless local area communication equipment, network telephones and Ethernet switches, and it also provides full-range broadband network application integration solutions for Chinese enterprises.
Multiple ZyXEL network-attached storage (NAS) devices have security holes.
| VAR-202002-0332 | CVE-2019-20044 | Zsh improper check for dropped privileges vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved uid, so the original privileges can be restored by executing MODULE_PATH=/dir/with/module zmodload with a module that calls setuid(). Zsh is vulnerable to an improper check for dropped privileges. An attacker may obtain or tamper with information, or cause a denial-of-service (DoS) condition. An attacker can exploit this vulnerability to restore the original privileges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202003-55
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Zsh: Privilege escalation
Date: March 25, 2020
Bugs: #711136
ID: 202003-55
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability in Zsh might allow an attacker to escalate privileges.
Background
==========
A shell designed for interactive use, although it is also a powerful
scripting language.
Impact
======
An attacker could escalate privileges.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Zsh users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/zsh-5.8"
References
==========
[ 1 ] CVE-2019-20044
https://nvd.nist.gov/vuln/detail/CVE-2019-20044
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202003-55
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2020 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
==========================================================================
Ubuntu Security Notice USN-5325-1
March 14, 2022
zsh vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in Zsh.
Software Description:
- zsh: shell with lots of features
Details:
Sam Foxman discovered that Zsh incorrectly handled certain inputs.
(CVE-2019-20044)
It was discovered that Zsh incorrectly handled certain inputs.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-45444)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 21.10:
zsh 5.8-6ubuntu0.1
zsh-static 5.8-6ubuntu0.1
Ubuntu 20.04 LTS:
zsh 5.8-3ubuntu1.1
zsh-static 5.8-3ubuntu1.1
Ubuntu 18.04 LTS:
zsh 5.4.2-3ubuntu3.2
zsh-static 5.4.2-3ubuntu3.2
Ubuntu 16.04 ESM:
zsh 5.1.1-1ubuntu2.3+esm1
zsh-static 5.1.1-1ubuntu2.3+esm1
In general, a standard system update will make all the necessary changes.
APPLE-SA-2020-05-26-3 macOS Catalina 10.15.5, Security Update
2020-003 Mojave, Security Update 2020-003 High Sierra
macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security
Update 2020-003 High Sierra are now available and address the
following:
Accounts
Available for: macOS Catalina 10.15.4
Impact: A remote attacker may be able to cause a denial of service
Description: A denial of service issue was addressed with improved
input validation.
CVE-2020-9827: Jannik Lorenz of SEEMOO @ TU Darmstadt
AirDrop
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: A remote attacker may be able to cause a denial of service
Description: A denial of service issue was addressed with improved
input validation.
CVE-2020-9826: Dor Hadad of Palo Alto Networks
AppleMobileFileIntegrity
Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15.4
Impact: An application may be able to use arbitrary entitlements
Description: This issue was addressed with improved checks.
CVE-2020-9842: Linus Henze (pinauten.de)
AppleUSBNetworking
Available for: macOS Catalina 10.15.4
Impact: Inserting a USB device that sends invalid messages may cause
a kernel panic
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9804: Andy Davis of NCC Group
Audio
Available for: macOS Catalina 10.15.4
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9815: Yu Zhou (@yuzhou6666) working with Trend Micro Zero
Day Initiative
Audio
Available for: macOS Catalina 10.15.4
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-9791: Yu Zhou (@yuzhou6666) working with Trend Micro Zero
Day Initiative
Bluetooth
Available for: macOS Catalina 10.15.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9831: Yu Wang of Didi Research America
Calendar
Available for: macOS Catalina 10.15.4
Impact: Importing a maliciously crafted calendar invitation may
exfiltrate user information
Description: This issue was addressed with improved checks.
CVE-2020-3882: Andy Grant of NCC Group
CVMS
Available for: macOS Catalina 10.15.4
Impact: An application may be able to gain elevated privileges
Description: This issue was addressed with improved checks.
CVE-2020-9856: @jinmo123, @setuid0x0_, and @insu_yun_en of
@SSLab_Gatech working with Trend Micro’s Zero Day Initiative
DiskArbitration
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: A malicious application may be able to break out of its
sandbox
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9847: Zhuo Liang of Qihoo 360 Vulcan Team
Find My
Available for: macOS Catalina 10.15.4
Impact: A local attacker may be able to elevate their privileges
Description: A validation issue existed in the handling of symlinks.
This issue was addressed with improved validation of symlinks.
CVE-2020-9855: Zhongcheng Li(CK01) of Topsec Alpha Team
FontParser
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-9816: Peter Nguyen Vu Hoang of STAR Labs working with Trend
Micro Zero Day Initiative
ImageIO
Available for: macOS Catalina 10.15.4
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-3878: Samuel Groß of Google Project Zero
ImageIO
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-9789: Wenchao Li of VARAS@IIE
CVE-2020-9790: Xingwei Lin of Ant-financial Light-Year Security Lab
Intel Graphics Driver
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-9822: ABC Research s.r.o.
IPSec
Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15.4
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9837: Thijs Alkemade of Computest
Kernel
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2020-9821: Xinru Chi and Tielei Wang of Pangu Lab
Kernel
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: A malicious application may be able to determine another
application's memory layout
Description: An information disclosure issue was addressed by
removing the vulnerable code.
CVE-2020-9797: an anonymous researcher
Kernel
Available for: macOS Catalina 10.15.4
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: An integer overflow was addressed through improved input
validation.
CVE-2020-9852: Tao Huang and Tielei Wang of Pangu Lab
Kernel
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-9795: Zhuo Liang of Qihoo 360 Vulcan Team
Kernel
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: An application may be able to cause unexpected system
termination or write kernel memory
Description: A memory corruption issue was addressed with improved
state management.
CVE-2020-9808: Xinru Chi and Tielei Wang of Pangu Lab
Kernel
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: A local user may be able to read kernel memory
Description: An information disclosure issue was addressed with
improved state management.
CVE-2020-9811: Tielei Wang of Pangu Lab
CVE-2020-9812: Derrek (@derrekr6)
Kernel
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A logic issue existed resulting in memory corruption.
This was addressed with improved state management.
CVE-2020-9813: Xinru Chi of Pangu Lab
CVE-2020-9814: Xinru Chi and Tielei Wang of Pangu Lab
Kernel
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An information disclosure issue was addressed with
improved state management.
CVE-2020-9809: Benjamin Randazzo (@____benjamin)
ksh
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: A local user may be able to execute arbitrary shell commands
Description: An issue existed in the handling of environment
variables. This issue was addressed with improved validation.
CVE-2019-14868
NSURL
Available for: macOS Mojave 10.14.6
Impact: A malicious website may be able to exfiltrate autofilled data
in Safari
Description: An issue existed in the parsing of URLs. This issue was
addressed with improved input validation.
CVE-2020-9857: Dlive of Tencent Security Xuanwu Lab
PackageKit
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: A malicious application may be able to gain root privileges
Description: A permissions issue existed. This issue was addressed
with improved permission validation.
CVE-2020-9817: Andy Grant of NCC Group
PackageKit
Available for: macOS Catalina 10.15.4
Impact: A malicious application may be able to modify protected parts
of the file system
Description: An access issue was addressed with improved access
restrictions.
CVE-2020-9851: Linus Henze (pinauten.de)
Python
Available for: macOS Catalina 10.15.4
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2020-9793
Sandbox
Available for: macOS Catalina 10.15.4
Impact: A malicious application may be able to bypass Privacy
preferences
Description: An access issue was addressed with additional sandbox
restrictions.
CVE-2020-9825: Sreejith Krishnan R (@skr0x1C0)
Security
Available for: macOS Catalina 10.15.4
Impact: A file may be incorrectly rendered to execute JavaScript
Description: A validation issue was addressed with improved input
sanitization.
CVE-2020-9788: Wojciech Reguła of SecuRing
(https://wojciechregula.blog)
SIP
Available for: macOS Catalina 10.15.4
Impact: A non-privileged user may be able to modify restricted
network settings
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9824: Csaba Fitzl (@theevilbit) of Offensive Security
SQLite
Available for: macOS Catalina 10.15.4
Impact: A malicious application may cause a denial of service or
potentially disclose memory contents
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9794
System Preferences
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with improved state
handling.
CVE-2020-9839: @jinmo123, @setuid0x0_, and @insu_yun_en of
@SSLab_Gatech working with Trend Micro’s Zero Day Initiative
USB Audio
Available for: macOS Catalina 10.15.4
Impact: A USB device may be able to cause a denial of service
Description: A validation issue was addressed with improved input
sanitization.
CVE-2020-9792: Andy Davis of NCC Group
Wi-Fi
Available for: macOS Catalina 10.15.4
Impact: A remote attacker may be able to cause unexpected system
termination or corrupt kernel memory
Description: A double free issue was addressed with improved memory
management.
CVE-2020-9844: Ian Beer of Google Project Zero
Wi-Fi
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2020-9830: Tielei Wang of Pangu Lab
Wi-Fi
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2020-9834: Yu Wang of Didi Research America
Wi-Fi
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: A local user may be able to read kernel memory
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2020-9833: Yu Wang of Didi Research America
Wi-Fi
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-9832: Yu Wang of Didi Research America
WindowServer
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: An integer overflow was addressed through improved input
validation.
CVE-2020-9841: ABC Research s.r.o. working with Trend Micro Zero Day
Initiative
zsh
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS
Catalina 10.15.4
Impact: A local attacker may be able to elevate their privileges
Description: An authorization issue was addressed with improved state
management.
CVE-2019-20044: Sam Foxman
Additional recognition
CoreBluetooth
We would like to acknowledge Maximilian von Tschitschnitz of
Technical University Munich and Ludwig Peuckert of Technical
University Munich for their assistance.
CoreText
We would like to acknowledge Jiska Classen (@naehrdine) and Dennis
Heinze (@ttdennis) of Secure Mobile Networking Lab for their
assistance.
Endpoint Security
We would like to acknowledge an anonymous researcher for their
assistance.
ImageIO
We would like to acknowledge Lei Sun for their assistance.
IOHIDFamily
We would like to acknowledge Andy Davis of NCC Group for their
assistance.
IPSec
We would like to acknowledge Thijs Alkemade of Computest for their
assistance.
Login Window
We would like to acknowledge Jon Morby and an anonymous researcher
for their assistance.
Sandbox
We would like to acknowledge Jason L Lang of Optum for their
assistance.
Spotlight
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive
Security for their assistance.
Installation note:
macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security
Update 2020-003 High Sierra may be obtained from the Mac App Store or
Apple's Software Downloads web site:
https://support.apple.com/downloads/
====================================================================
Red Hat Security Advisory
Synopsis: Important: zsh security update
Advisory ID: RHSA-2020:0892-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:0892
Issue date: 2020-03-18
CVE Names: CVE-2019-20044
====================================================================
1. Summary:
An update for zsh is now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
3. Description:
The zsh shell is a command interpreter usable as an interactive login shell
and as a shell script command processor. Zsh resembles the ksh shell (the
Korn shell), but includes many enhancements. Zsh supports command-line
editing, built-in spelling correction, programmable command completion,
shell functions (with autoloading), a history mechanism, and more.
Security Fix(es):
* zsh: insecure dropping of privileges when unsetting PRIVILEGED option
(CVE-2019-20044)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
zsh-4.3.11-11.el6_10.src.rpm
i386:
zsh-4.3.11-11.el6_10.i686.rpm
zsh-debuginfo-4.3.11-11.el6_10.i686.rpm
x86_64:
zsh-4.3.11-11.el6_10.x86_64.rpm
zsh-debuginfo-4.3.11-11.el6_10.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
zsh-debuginfo-4.3.11-11.el6_10.i686.rpm
zsh-html-4.3.11-11.el6_10.i686.rpm
x86_64:
zsh-debuginfo-4.3.11-11.el6_10.x86_64.rpm
zsh-html-4.3.11-11.el6_10.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
zsh-4.3.11-11.el6_10.src.rpm
x86_64:
zsh-4.3.11-11.el6_10.x86_64.rpm
zsh-debuginfo-4.3.11-11.el6_10.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64:
zsh-debuginfo-4.3.11-11.el6_10.x86_64.rpm
zsh-html-4.3.11-11.el6_10.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
zsh-4.3.11-11.el6_10.src.rpm
i386:
zsh-4.3.11-11.el6_10.i686.rpm
zsh-debuginfo-4.3.11-11.el6_10.i686.rpm
ppc64:
zsh-4.3.11-11.el6_10.ppc64.rpm
zsh-debuginfo-4.3.11-11.el6_10.ppc64.rpm
s390x:
zsh-4.3.11-11.el6_10.s390x.rpm
zsh-debuginfo-4.3.11-11.el6_10.s390x.rpm
x86_64:
zsh-4.3.11-11.el6_10.x86_64.rpm
zsh-debuginfo-4.3.11-11.el6_10.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386:
zsh-debuginfo-4.3.11-11.el6_10.i686.rpm
zsh-html-4.3.11-11.el6_10.i686.rpm
ppc64:
zsh-debuginfo-4.3.11-11.el6_10.ppc64.rpm
zsh-html-4.3.11-11.el6_10.ppc64.rpm
s390x:
zsh-debuginfo-4.3.11-11.el6_10.s390x.rpm
zsh-html-4.3.11-11.el6_10.s390x.rpm
x86_64:
zsh-debuginfo-4.3.11-11.el6_10.x86_64.rpm
zsh-html-4.3.11-11.el6_10.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
zsh-4.3.11-11.el6_10.src.rpm
i386:
zsh-4.3.11-11.el6_10.i686.rpm
zsh-debuginfo-4.3.11-11.el6_10.i686.rpm
x86_64:
zsh-4.3.11-11.el6_10.x86_64.rpm
zsh-debuginfo-4.3.11-11.el6_10.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386:
zsh-debuginfo-4.3.11-11.el6_10.i686.rpm
zsh-html-4.3.11-11.el6_10.i686.rpm
x86_64:
zsh-debuginfo-4.3.11-11.el6_10.x86_64.rpm
zsh-html-4.3.11-11.el6_10.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-20044
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXnIt29zjgjWX9erEAQi4TQ/9HVNAwGdPF8aA0BtkIqVJ6/uh7NIrtGFM
YBtcMngBSsnkvIsBZspUhf+UHqtiO2fRJ0tcXgXy5l+S5vRzIG3Jh9oDe8sv3HPu
XAu7twvBTPMkSCoCpa7r9ZcgtIdKLskmt9t+lpglgSa5Fuj8QJO6RM5DsmIaX+x8
khnGQO3AzgsKSpmJhB+CcXSbRsDX+D9xtwrOWzE9gBowUAjb+loMcv74/1AcxyWE
6RZuZI58nppx1uTbvpJz/VnU89VsRUupANO847WAzSGBKQ/i0/eoXIiqJIkojWQO
yI+XrprXzSheZAe+GTBJ+0eRohu41cVPDdB6LIEeRVm5/uGANVGV2t3DzMS8Uo6a
ztXgVoobHcjemJ6A+DQW+UpM4RybHuW+d8z5SryNoYW2IHj1D5N5E1P58bqh6d39
Bc0IFuMbeVnF3vXxxe5WhvDRQ2+TTW/BWy5lk3bNjQaRb8QFPabuEL4+NV10RNM2
z4QwOuI8tOIqbecIg+WjaAuL76rQNn8kZ+xAXC9TCPf12J+GpjEQa22KyL72Zmro
KDiPaI3gZSSmVFmbU6DF3JjJCvjb+XCbm2Se5RfB7CunRQGJomZF+9C2OvbfNZSk
w3MRUUEOouL8Wy+Ws57mWrirRw0BNvvemYoKmNd5Jgf2ZRA0RjIgOx9PPvJQ1Fdj
Z7m01LL4Vug=QFxN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-202002-0331 | CVE-2019-20481 | MIELE XGW 3000 ZigBee Gateway inadequate protection of credentials vulnerability |
CVSS V2: 5.0 CVSS V3: 9.8 Severity: CRITICAL |
In MIELE XGW 3000 ZigBee Gateway before 2.4.0, the Password Change Function does not require knowledge of the old password. This can be exploited in conjunction with CVE-2019-20480. The MIELE XGW 3000 ZigBee Gateway has an inadequate protection of credentials vulnerability. Information may be obtained, information may be tampered with, and the device may be put into a denial of service (DoS) state.
| VAR-202002-1706 | No CVE | Zhejiang Univision Technology Network Video Recorder has file upload vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Zhejiang Yushi Technology Co., Ltd. (Univision) is a global public safety and intelligent transportation solution provider.
A file upload vulnerability exists in the Zhejiang Univision Technology Network Video Recorder. An attacker can use the vulnerability to obtain administrator rights on the affected system.
| VAR-202002-1696 | No CVE | WECON PLC Editor has a buffer overflow vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
WECON PLC Editor is a programming software for Programmable Logic Controllers (PLC) from WECON Technologies.
WECON PLC Editor has a buffer overflow vulnerability, which can be exploited by an attacker to cause a denial of service or execute code with the permission of the application.
| VAR-202002-1369 | CVE-2020-8862 | D-Link DAP-2610 Authentication vulnerability in firmware |
CVSS V2: 8.3 CVSS V3: 8.8 Severity: HIGH |
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from the lack of proper password checking. An attacker can leverage this vulnerability to execute arbitrary code in the context of root. The Zero Day Initiative assigned this vulnerability the identifier ZDI-CAN-10082. Information may be obtained, information may be tampered with, and the device may be put into a denial of service (DoS) state. D-Link DAP-2610 is a wireless AC1300 Wave 2 dual-band PoE access point.
| VAR-202002-1368 | CVE-2020-8861 | D-Link DAP-1330 Authentication vulnerability in firmware |
CVSS V2: 8.3 CVSS V3: 8.8 Severity: HIGH |
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue results from the lack of proper handling of cookies. An attacker can leverage this vulnerability to execute arbitrary code on the router. The Zero Day Initiative assigned this vulnerability the identifier ZDI-CAN-9554. Information may be obtained, information may be tampered with, and the device may be put into a denial of service (DoS) state. D-Link DAP-1330 is an N300 Wi-Fi range extender.
| VAR-202002-1705 | No CVE | Schneider M580 has a denial of service vulnerability (CNVD-2020-04564) |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Schneider Electric SA is a global electrical company headquartered in France.
Schneider M580 has a denial of service vulnerability. An attacker can use this vulnerability by sending a carefully constructed 0x60 function code data message, which causes the PLC to enter a fatal failure mode; it can only return to normal after a manual power cycle.
| VAR-202002-1697 | No CVE | Schneider M580 has a denial of service vulnerability (CNVD-2020-04561) |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Schneider Electric SA is a global electrical company headquartered in France.
There is a denial of service vulnerability in Schneider M580, which can be exploited by an attacker to cause a denial of service.
| VAR-202002-1701 | No CVE | Schneider M580 has a denial of service vulnerability (CNVD-2020-04565) |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Schneider Electric SA is a global electrical company headquartered in France.
Schneider M580 has a denial of service vulnerability. An attacker can use this vulnerability by sending a carefully constructed 0x29 function code data message, which causes the PLC to enter a fatal failure mode; it can only return to normal after a manual power cycle.
| VAR-202002-1702 | No CVE | Logical Defect Vulnerability in Shijiazhuang Hejia Technology Co., Ltd. Computer Room Dynamic Monitoring System |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The computer room dynamic environment monitoring system monitors the critical environment and power equipment of an equipment room, including environmental equipment (temperature, humidity, smoke, flooding, precision air conditioning, ordinary air conditioning, fresh air fans, etc.), power equipment (power distribution, generators, UPS, batteries, lightning arresters, etc.), and security equipment (fire protection, access control, video, etc.).
Shijiazhuang Hejia Technology Co., Ltd.'s computer room dynamic environment monitoring system has a logic flaw. An attacker can use this vulnerability to reset the passwords of the administrator and other users.