Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-21159: TALOS-2022-1467 || Cisco Talos Intelligence Group

A denial of service vulnerability exists in the parseNormalModeParameters functionality of MZ Automation GmbH libiec61850 1.5.0. A specially-crafted series of network requests can lead to denial of service. An attacker can send a sequence of malformed iec61850 messages to trigger this vulnerability.

CVE
#vulnerability#mac#cisco#dos#git

Summary

A denial of service vulnerability exists in the parseNormalModeParameters functionality of MZ Automation GmbH libiec61850 1.5.0. A specially-crafted series of network requests can lead to denial of service. An attacker can send a sequence of malformed iec61850 messages to trigger this vulnerability.

Tested Versions

MZ Automation GmbH libiec61850 1.5.0

Product URLs

libiec61850 - https://github.com/mz-automation/libiec61850

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-835 - Loop with Unreachable Exit Condition (‘Infinite Loop’)

Details

libiec61850 is a C implementation of the various protocols defined within the IEC61850 specification. Example client/server applications are provided for common use cases. This library can also be used as a building block to integrate IEC61850 communications into a custom client/server application.

When an IEC61850 message containing a Presentation layer with Normal Mode parameters is processed, execution enters the parseNormalModeParameters function in iso_presentation.c. This function loops over the message buffer starting from a provided bufPos position until the endPos position is reached or a failure case is encountered. At the start of each iteration, the BER tag for the current parameter is extracted from the buffer, as shown below.

static int
parseNormalModeParameters(IsoPresentation* self, uint8_t* buffer, int totalLength, int bufPos)
{
    int endPos = bufPos + totalLength;

    self->calledPresentationSelector.size = 0;
    self->callingPresentationSelector.size = 0;

    bool hasUserData = false;

    while (bufPos < endPos) {
        uint8_t tag = buffer[bufPos++];
        int len;

        if (bufPos == endPos) {
            if (DEBUG_PRES)
                printf("PRES: invalid message\n");
            return -1;
        }

        bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, endPos);

The value of this tag determines how the bytes following should be processed. Three cases in particular are notable: 0xA4, 0x00 and the default.

When the tag 0x00 is encountered, execution just continues on to the next loop iteration and starts processing the next tag. In this case the bufPos variable will be incremented by one when the next tag is read.

case 0x00: /* indefinite length end tag -> ignore */
break;

When an unknown tag is encountered, the buffer position is incremented to skip past it, and execution continues on to the next loop iteration and starts processing the next tag. This allows for longer position jumps within the buffer.

default:
    if (DEBUG_PRES)
        printf("PRES: unknown tag in normal-mode\n");

    bufPos += len;
    break;

When the presentation-context-definition list parameter (0xA4) is encountered, the function parsePresentationContextDefinitionList is used to perform additional parsing. Notably, the result of parsePresentationContextDefinitionList gets placed into the bufPos variable and is not checked before the next loop iteration.

case 0xa4: /* presentation-context-definition list */
    if (DEBUG_PRES)
        printf("PRES: pcd list\n");

    bufPos = parsePresentationContextDefinitionList(self, buffer, len, bufPos);
    break;

parsePresentationContextDefinitionList starts off by calculating the end of the presentation-context-definition list before entering a processing loop where the next tag is extracted and its length decoded.

static int
parsePresentationContextDefinitionList(IsoPresentation* self, uint8_t* buffer, int totalLength, int bufPos)
{
    int endPos = bufPos + totalLength;

    while (bufPos < endPos) {
        uint8_t tag = buffer[bufPos++];
        int len;

        bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, endPos);
        if (bufPos < 0)
            return -1;

BerDecoder_decodeLength starts recursively processing the length, returning the result.

int
BerDecoder_decodeLength(uint8_t* buffer, int* length, int bufPos, int maxBufPos)
{
    return BerDecoder_decodeLengthRecursive(buffer, length, bufPos, maxBufPos, 0, 50);
}

Finally, BerDecoder_decodeLengthRecursive is called, and a check is made to determine if the current position is greater than or equal to the maximum allowed buffer. When it is determined to be so, -1 is returned.

static int
BerDecoder_decodeLengthRecursive(uint8_t* buffer, int* length, int bufPos, int maxBufPos, int depth, int maxDepth)
{
    if (bufPos >= maxBufPos){
        return -1;
    }

When this occurs, -1 gets returned up the chain to parsePresentationContextDefinitionList.

static int
parsePresentationContextDefinitionList(IsoPresentation* self, uint8_t* buffer, int totalLength, int bufPos)
{
    int endPos = bufPos + totalLength;

    while (bufPos < endPos) {
        uint8_t tag = buffer[bufPos++];
        int len;

        bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, endPos);
        if (bufPos < 0)
            return -1;

Here bufPos is determined to be less than zero and -1 is again returned, this time back to the presentation-context-definition list case within parseNormalModeParameters.

case 0xa4: /* presentation-context-definition list */
    if (DEBUG_PRES)
        printf("PRES: pcd list\n");

    bufPos = parsePresentationContextDefinitionList(self, buffer, len, bufPos);
    break;

This leaves bufPos set to -1 at the start of the next loop iteration, allowing the while condition to pass and begin again.

static int
parseNormalModeParameters(IsoPresentation* self, uint8_t* buffer, int totalLength, int bufPos)
{
    int endPos = bufPos + totalLength;

    self->calledPresentationSelector.size = 0;
    self->callingPresentationSelector.size = 0;

    bool hasUserData = false;

    while (bufPos < endPos) {
        uint8_t tag = buffer[bufPos++];
        int len;

If a message is properly constructed such that len and bufPos add together to equal endPos, the failure case in BerDecoder_decodeLengthRecursive will be hit and bufPos will be set to -1. Then as long as nothing within the buffer causes bufPos to be greater than endPos, and the presentation-context-definition list continues to be executed. An infinite loop condition will be reached.

Since each connection is handled in its own thread, one of these messages will not be enough to cause a denial of service. However, by sending the message multiple times it is possible to tie up all of the available connections and prevent legitimate communications from getting through to the server. The maximum number of client connections is set to a default value of 100 in stack_config.h, as shown below:

/* number of concurrent MMS client connections the server accepts, -1 for no limit */
#define CONFIG_MAXIMUM_TCP_CLIENT_CONNECTIONS 100

If at least CONFIG_MAXIMUM_TCP_CLIENT_CONNECTIONS malformed messages are sent, all available connections will be stuck in infinite loops, preventing any new connections from being processed

Crash Information

When a known good MMS Initiate Request message is sent to the server, an Initiate Response message is expected to be returned.

"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000000","127.0.0.1","127.0.0.1","TCP","74","46602  >  102 [SYN] Seq=0 Win=65495 Len=0 MSS=65495 SACK_PERM=1 TSval=3775924408 TSecr=0 WS=128"
"2","0.000010190","127.0.0.1","127.0.0.1","TCP","74","102  >  46602 [SYN, ACK] Seq=0 Ack=1 Win=65483 Len=0 MSS=65495 SACK_PERM=1 TSval=3775924408 TSecr=3775924408 WS=128"
"3","0.000019233","127.0.0.1","127.0.0.1","TCP","66","46602  >  102 [ACK] Seq=1 Ack=1 Win=65536 Len=0 TSval=3775924408 TSecr=3775924408"
"4","0.000144676","127.0.0.1","127.0.0.1","MMS","263","initiate-RequestPDU "
"5","0.000149145","127.0.0.1","127.0.0.1","TCP","66","102  >  46602 [ACK] Seq=1 Ack=198 Win=65408 Len=0 TSval=3775924408 TSecr=3775924408"
"6","0.000207725","127.0.0.1","127.0.0.1","MMS","208","initiate-ResponsePDU "
"7","0.000228681","127.0.0.1","127.0.0.1","TCP","66","46602  >  102 [ACK] Seq=198 Ack=143 Win=65408 Len=0 TSval=3775924408 TSecr=3775924408"
"8","0.000280524","127.0.0.1","127.0.0.1","TCP","66","46602  >  102 [FIN, ACK] Seq=198 Ack=143 Win=65536 Len=0 TSval=3775924408 TSecr=3775924408"
"9","0.042521649","127.0.0.1","127.0.0.1","TCP","66","102  >  46602 [ACK] Seq=143 Ack=199 Win=65536 Len=0 TSval=3775924450 TSecr=3775924408"
"10","0.042576068","127.0.0.1","127.0.0.1","TCP","66","102  >  46602 [FIN, ACK] Seq=143 Ack=199 Win=65536 Len=0 TSval=3775924450 TSecr=3775924408"
"11","0.042668070","127.0.0.1","127.0.0.1","TCP","66","46602  >  102 [ACK] Seq=199 Ack=144 Win=65536 Len=0 TSval=3775924450 TSecr=3775924450"

After the poc has been run and all available client connections are stuck in a loop, a TCP Reset is received instead of an Initiate Response message.

"No.","Time","Source","Destination","Protocol","Length","Info"
"1408","35.098853688","127.0.0.1","127.0.0.1","TCP","74","46810  >  102 [SYN] Seq=0 Win=65495 Len=0 MSS=65495 SACK_PERM=1 TSval=3776076062 TSecr=0 WS=128"
"1409","35.098869281","127.0.0.1","127.0.0.1","TCP","74","102  >  46810 [SYN, ACK] Seq=0 Ack=1 Win=65483 Len=0 MSS=65495 SACK_PERM=1 TSval=3776076062 TSecr=3776076062 WS=128"
"1410","35.098881077","127.0.0.1","127.0.0.1","TCP","66","46810  >  102 [ACK] Seq=1 Ack=1 Win=65536 Len=0 TSval=3776076062 TSecr=3776076062"
"1411","35.098929987","127.0.0.1","127.0.0.1","MMS","263","initiate-RequestPDU "
"1412","35.098934721","127.0.0.1","127.0.0.1","TCP","66","102  >  46810 [ACK] Seq=1 Ack=198 Win=65408 Len=0 TSval=3776076062 TSecr=3776076062"
"1413","35.099298315","127.0.0.1","127.0.0.1","TCP","66","102  >  46810 [FIN, ACK] Seq=1 Ack=198 Win=65408 Len=0 TSval=3776076063 TSecr=3776076062"
"1414","35.099328069","127.0.0.1","127.0.0.1","TCP","66","102  >  46810 [RST, ACK] Seq=2 Ack=198 Win=65536 Len=0 TSval=3776076063 TSecr=3776076062"

Mitigation

The presentation-context-definition list case could check for failure similar to how the user data parameter (0x61) checks the bufPos value before allowing execution to continue. A diff including this suggested update is shown below:

user@machine:~$ git diff
diff --git a/src/mms/iso_presentation/iso_presentation.c b/src/mms/iso_presentation/iso_presentation.c
index 96fd8a3..38cb9c1 100644
--- a/src/mms/iso_presentation/iso_presentation.c
+++ b/src/mms/iso_presentation/iso_presentation.c
@@ -469,6 +469,11 @@ parseNormalModeParameters(IsoPresentation* self, uint8_t* buffer, int totalLengt
             if (DEBUG_PRES)
                 printf("PRES: pcd list\n");
             bufPos = parsePresentationContextDefinitionList(self, buffer, len, bufPos);
+
+            if (bufPos < 0){
+                return -1;
+            }
+
             break;
 
         case 0xa5: /* context-definition-result-list */
user@machine:~$

Timeline

2022-02-28 - Public Release

Discovered by Jared Rittle of Cisco Talos.

Related news

CVE-2022-27048: MGate MB3170/MB3270/MB3280/MB3480 Series Protocol Gateways Vulnerability

A vulnerability has been discovered in Moxa MGate which allows an attacker to perform a man-in-the-middle (MITM) attack on the device. This affects MGate MB3170 Series Firmware Version 4.2 or lower. and MGate MB3270 Series Firmware Version 4.2 or lower. and MGate MB3280 Series Firmware Version 4.1 or lower. and MGate MB3480 Series Firmware Version 3.2 or lower.

CVE-2022-28113: GitHub - code-byter/CVE-2022-28113: Unauthenticated RCE exploit for Fantec MWiD25-DS

An issue in upload.csp of FANTEC GmbH MWiD25-DS Firmware v2.000.030 allows attackers to write files and reset the user passwords without having a valid session cookie.

CVE-2022-24851: #170 fixed security issues in profile editor and PDF editor · LDAPAccountManager/lam@3c6f09a

LDAP Account Manager (LAM) is an open source web frontend for managing entries stored in an LDAP directory. The profile editor tool has an edit profile functionality, the parameters on this page are not properly sanitized and hence leads to stored XSS attacks. An authenticated user can store XSS payloads in the profiles, which gets triggered when any other user try to access the edit profile page. The pdf editor tool has an edit pdf profile functionality, the logoFile parameter in it is not properly sanitized and an user can enter relative paths like ../../../../../../../../../../../../../usr/share/icons/hicolor/48x48/apps/gvim.png via tools like burpsuite. Later when a pdf is exported using the edited profile the pdf icon has the image on that path(if image is present). Both issues require an attacker to be able to login to LAM admin interface. The issue is fixed in version 7.9.1.

CVE-2022-23865: Offensive Security’s Exploit Database Archive

Nyron 1.0 is affected by a SQL injection vulnerability through Nyron/Library/Catalog/winlibsrch.aspx. To exploit this vulnerability, an attacker must inject '"> on the thes1 parameter.

CVE-2022-26594: CVE-2022-26594 XSS vulnerability with form field help text - Liferay Portal - Liferay Faces

Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.5 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allow remote attackers to inject arbitrary web script or HTML via a form field's help text to (1) Forms module's form builder, or (2) App Builder module's object form view's form builder.

CVE-2022-28042: AddressSanitizer: heap-use-after-free in stbi__jpeg_huff_decode · Issue #1289 · nothings/stb

stb_image.h v2.27 was discovered to contain an heap-based use-after-free via the function stbi__jpeg_huff_decode.

CVE-2022-28041: Additional stb_image fixes for bugs from ossfuzz and issues 1289, 1291, 1292, and 1293 by NeilBickford-NV · Pull Request #1297 · nothings/stb

stb_image.h v2.27 was discovered to contain an integer overflow via the function stbi__jpeg_decode_block_prog_dc. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

CVE-2022-28044: Fix control->suffix being deallocated as heap memory as reported by P… · ckolivas/lrzip@5faf80c

Irzip v0.640 was discovered to contain a heap memory corruption via the component lrzip.c:initialise_control.

CVE-2022-27474: Mount4in.github.io/suitecrm.docx at master · Mount4in/Mount4in.github.io

SuiteCRM v7.11.23 was discovered to allow remote code execution via a crafted payload injected into the FirstName text field.

CVE-2022-1307: Chromium: CVE-2022-1307 Inappropriate implementation in full screen

**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information. **How can I see the version of the browser?** 1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window 2. Click on **Help and Feedback** 3. Click on **About Microsoft Edge**

CVE-2022-1305: Chromium: CVE-2022-1305 Use after free in storage

**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information. **How can I see the version of the browser?** 1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window 2. Click on **Help and Feedback** 3. Click on **About Microsoft Edge**

CVE-2022-1314: Chromium: CVE-2022-1314 Type Confusion in V8

**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information. **How can I see the version of the browser?** 1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window 2. Click on **Help and Feedback** 3. Click on **About Microsoft Edge**

CVE-2022-1364: Chromium: CVE-2022-1364: Type Confusion in V8

**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information. **How can I see the version of the browser?** 1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window 2. Click on **Help and Feedback** 3. Click on **About Microsoft Edge**

CVE-2022-1312: Chromium: CVE-2022-1312 Use after free in storage

**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information. **How can I see the version of the browser?** 1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window 2. Click on **Help and Feedback** 3. Click on **About Microsoft Edge**

CVE-2022-29144: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

**Why is Attack Complexity marked as High for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.

CVE-2022-1306: Chromium: CVE-2022-1306 Inappropriate implementation in compositing

**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information. **How can I see the version of the browser?** 1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window 2. Click on **Help and Feedback** 3. Click on **About Microsoft Edge**

CVE-2022-1308: Chromium: CVE-2022-1308 Use after free in BFCache

**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information. **How can I see the version of the browser?** 1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window 2. Click on **Help and Feedback** 3. Click on **About Microsoft Edge**

CVE-2022-1309: Chromium: CVE-2022-1309 Insufficient policy enforcement in developer tools

**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information. **How can I see the version of the browser?** 1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window 2. Click on **Help and Feedback** 3. Click on **About Microsoft Edge**

CVE-2022-1310: Chromium: CVE-2022-1310 Use after free in regular expressions

**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information. **How can I see the version of the browser?** 1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window 2. Click on **Help and Feedback** 3. Click on **About Microsoft Edge**

CVE-2022-1313: Chromium: CVE-2022-1313 Use after free in tab groups

**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information. **How can I see the version of the browser?** 1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window 2. Click on **Help and Feedback** 3. Click on **About Microsoft Edge**

CVE-2022-28345: security/SICK-2022-42.md at master · sickcodes/security

The Signal app before 5.34 for iOS allows URI spoofing via RTLO injection. It incorrectly renders RTLO encoded URLs beginning with a non-breaking space, when there is a hash character in the URL. This technique allows a remote unauthenticated attacker to send legitimate looking links, appearing to be any website URL, by abusing the non-http/non-https automatic rendering of URLs. An attacker can spoof, for example, example.com, and masquerade any URL with a malicious destination. An attacker requires a subdomain such as gepj, txt, fdp, or xcod, which would appear backwards as jpeg, txt, pdf, and docx respectively.

CVE-2022-24850: Build software better, together

Discourse is an open source platform for community discussion. A category's group permissions settings can be viewed by anyone that has access to the category. As a result, a normal user is able to see whether a group has read/write permissions in the category even though the information should only be available to the users that can manage a category. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. There are no workarounds for this problem.

CVE-2022-24854: Build software better, together

Metabase is an open source business intelligence and analytics application. SQLite has an FDW-like feature called `ATTACH DATABASE`, which allows connecting multiple SQLite databases via the initial connection. If the attacker has SQL permissions to at least one SQLite database, then it can attach this database to a second database, and then it can query across all the tables. To be able to do that the attacker also needs to know the file path to the second database. Users are advised to upgrade as soon as possible. If you're unable to upgrade, you can modify your SQLIte connection strings to contain the url argument `?limit_attached=0`, which will disallow making connections to other SQLite databases. Only users making use of SQLite are affected.

CVE-2022-24846: Build software better, together

GeoWebCache is a tile caching server implemented in Java. The GeoWebCache disk quota mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. While in GeoWebCache the JNDI strings are provided via local configuration file, in GeoServer a user interface is provided to perform the same, that can be accessed remotely, and requires admin-level login to be used. These lookup are unrestricted in scope and can lead to code execution. The lookups are going to be restricted in GeoWebCache 1.21.0, 1.20.2, 1.19.3.

CVE-2022-24824: SECURITY: Ensure user-agent-based responses are cached separately (st… · discourse/discourse@b72b0da

Discourse is an open source platform for community discussion. In affected versions an attacker can poison the cache for anonymous (i.e. not logged in) users, such that the users are shown the crawler view of the site instead of the HTML page. This can lead to a partial denial-of-service. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. There are no known workarounds for this issue.

CVE-2022-1304: out-of-bounds read/write via crafted filesystem

An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.

CVE-2021-40405: TALOS-2021-1422 || Cisco Talos Intelligence Group

A denial of service vulnerability exists in the cgiserver.cgi Upgrade API functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.

CVE-2022-22149: TALOS-2022-1441 || Cisco Talos Intelligence Group

A SQL injection vulnerability exists in the HelpdeskEmailActions.aspx functionality of Lansweeper lansweeper 9.1.20.2. A specially-crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CVE-2022-21234: TALOS-2022-1443 || Cisco Talos Intelligence Group

An SQL injection vulnerability exists in the EchoAssets.aspx functionality of Lansweeper lansweeper 9.1.20.2. A specially-crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CVE-2021-40390: TALOS-2021-1401 || Cisco Talos Intelligence Group

An authentication bypass vulnerability exists in the Web Application functionality of Moxa MXView Series 3.2.4. A specially-crafted HTTP request can lead to unauthorized access. An attacker can send an HTTP request to trigger this vulnerability.

CVE-2022-21145: TALOS-2022-1442 || Cisco Talos Intelligence Group

A stored cross-site scripting vulnerability exists in the WebUserActions.aspx functionality of Lansweeper lansweeper 9.1.20.2. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability.

CVE-2021-40398: TALOS-2021-1411 || Cisco Talos Intelligence Group

An out-of-bounds write vulnerability exists in the parse_raster_data functionality of Accusoft ImageGear 19.10. A specially-crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2021-40422: TALOS-2021-1431 || Cisco Talos Intelligence Group

An authentication bypass vulnerability exists in the device password generation functionality of Swift Sensors Gateway SG3-1010. A specially-crafted network request can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

CVE-2021-40402: TALOS-2021-1416 || Cisco Talos Intelligence Group

An out-of-bounds read vulnerability exists in the RS-274X aperture macro multiple outline primitives functionality of Gerbv 2.7.0 and dev (commit b5f1eacd), and Gerbv forked 2.7.1 and 2.8.0. A specially-crafted Gerber file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2021-40426: TALOS-2021-1434 || Cisco Talos Intelligence Group

A heap-based buffer overflow vulnerability exists in the sphere.c start_read() functionality of Sound Exchange libsox 14.4.2 and master commit 42b3557e. A specially-crafted file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2021-21945: TALOS-2021-1374 || Cisco Talos Intelligence Group

Two heap-based buffer overflow vulnerabilities exist in the TIFF parser functionality of Accusoft ImageGear 19.10. A specially-crafted file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger these vulnerabilities. Placeholder

CVE-2021-21967: TALOS-2021-1394 || Cisco Talos Intelligence Group

An out-of-bounds write vulnerability exists in the OTA update task functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A specially-crafted MQTT payload can lead to denial of service. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.

CVE-2021-40425: TALOS-2021-1433 || Cisco Talos Intelligence Group

An out-of-bounds read vulnerability exists in the IOCTL GetProcessCommand and B_03 of Webroot Secure Anywhere 21.4. A specially-crafted executable can lead to denial of service. An attacker can issue an ioctl to trigger this vulnerability. An out-of-bounds read vulnerability exists in the IOCTL GetProcessCommand and B_03 of Webroot Secure Anywhere 21.4. An IOCTL_B03 request with specific invalid data causes a similar issue in the device driver WRCore_x64. An attacker can issue an ioctl to trigger this vulnerability.

CVE-2021-40392: TALOS-2021-1403 || Cisco Talos Intelligence Group

An information disclosure vulnerability exists in the Web Application functionality of Moxa MXView Series 3.2.4. Network sniffing can lead to a disclosure of sensitive information. An attacker can sniff network traffic to exploit this vulnerability.

CVE-2021-40400: TALOS-2021-1413 || Cisco Talos Intelligence Group

An out-of-bounds read vulnerability exists in the RS-274X aperture macro outline primitive functionality of Gerbv 2.7.0 and dev (commit b5f1eacd) and the forked version of Gerbv (commit d7f42a9a). A specially-crafted Gerber file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2021-43257: 0029130: CVE-2021-43257: CSV Injection with CSV Export Feature

Lack of Neutralization of Formula Elements in the CSV API of MantisBT before 2.25.3 allows an unprivileged attacker to execute code or gain access to information when a user opens the csv_export.php generated CSV file in Excel.

CVE-2022-21210: TALOS-2022-1444 || Cisco Talos Intelligence Group

An SQL injection vulnerability exists in the AssetActions.aspx functionality of Lansweeper lansweeper 9.1.20.2. A specially-crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CVE-2022-25165: CVE-2022-25165: Privilege Escalation to SYSTEM in AWS VPN Client - Rhino Security Labs

An issue was discovered in Amazon AWS VPN Client 2.0.0. A TOCTOU race condition exists during the validation of VPN configuration files. This allows parameters outside of the AWS VPN Client allow list to be injected into the configuration file prior to the AWS VPN Client service (running as SYSTEM) processing the file. Dangerous arguments can be injected by a low-level user such as log, which allows an arbitrary destination to be specified for writing log files. This leads to an arbitrary file write as SYSTEM with partial control over the files content. This can be abused to cause an elevation of privilege or denial of service.

CVE-2021-45228: Find the right app | Microsoft AppSource

An XSS issue was discovered in COINS Construction Cloud 11.12. Due to insufficient neutralization of user input in the description of a task, it is possible to store malicious JavaScript code in the task description. This is later executed when it is reflected back to the user.

CVE-2022-1258: Security Bulletin - McAfee Agent update fixes three vulnerabilities (CVE-2022-1256, CVE-2022-1257, and CVE-2022-1258)

A blind SQL injection vulnerability in the ePolicy Orchestrator (ePO) extension of MA prior to 5.7.6 can be exploited by an authenticated administrator on ePO to perform arbitrary SQL queries in the back-end database, potentially leading to command execution on the server.

CVE-2021-43633: Messaging Web Application in PHP/OOP Free Source Code

Sourcecodester Messaging Web Application 1.0 is vulnerable to stored XSS. If a sender inserts valid scripts into the chat, the script will be executed on the receiver chat.

CVE-2022-26507: Claroty: The Industrial Cybersecurity Company

** UNSUPPORTED WHEN ASSIGNED ** A heap-based buffer overflow exists in XML Decompression DecodeTreeBlock in AT&T Labs Xmill 0.7. A crafted input file can lead to remote code execution. This is not the same as any of: CVE-2021-21810, CVE-2021-21811, CVE-2021-21812, CVE-2021-21815, CVE-2021-21825, CVE-2021-21826, CVE-2021-21828, CVE-2021-21829, or CVE-2021-21830. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVE-2022-27455: [MDEV-28097] MariaDB UAF issue - Jira

MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component my_wildcmp_8bit_impl at /strings/ctype-simple.c.

CVE-2022-27445: [MDEV-28081] MariaDB SEGV issue - Jira

MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/sql_window.cc.

CVE-2022-27452: [MDEV-28090] MariaDB SEGV issue - Jira

MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_cmpfunc.cc.

CVE-2022-27456: [MDEV-28093] MariaDB UAP issue - Jira

MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component VDec::VDec at /sql/sql_type.cc.

CVE-2022-27444: [MDEV-28080] MariaDB SEGV issue - Jira

MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_subselect.cc.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907