Multiple integer overflows in LittleCMS (aka lcms or liblcms) before 1.18beta2, as used in Firefox 3.1beta, OpenJDK, and GIMP, allow context-dependent attackers to execute arbitrary code via a crafted image file that triggers a heap-based buffer overflow.  NOTE: some of these details are obtained from third party information.

*   Skip to content

*   *   Open hybrid cloud
    *   Support
    *   Developers
    *   Partners
    *   Start a trial
    

Log in / Register Account

**Red Hat Support****Go beyond support by engaging with our experts**

Our teams collaborate with you to ensure you accomplish your goals with Red Hat solutions. The relationship we build with you is designed to provide you with the tools and resources you need to find success on your IT journey.

![Support image](https://www.redhat.com/cms/managed-files/support-header.svg)

**Configured for your success**

We develop a holistic understanding of your experience as a customer by ensuring our support and engineering teams work together.

Our support team works hand in hand with the best engineers in the industry to quickly turn customer feedback into product improvements. This direct line of communication allows us to hone in on proactive fixes that can impact your bottom line.

**Find the right level of support**

We have different tiers of support designed to meet your unique needs.

**Self-support**

**Standard**

**Premium**

Access to Red Hat products

![checkmark](https://www.redhat.com/cms/managed-files/checkmark_green.png)

![checkmark](https://www.redhat.com/cms/managed-files/checkmark_green.png)

![checkmark](https://www.redhat.com/cms/managed-files/checkmark_green.png)

Access to our knowledgebase and tools in our  
award-winning Customer Portal

![checkmark](https://www.redhat.com/cms/managed-files/checkmark_green.png)

![checkmark](https://www.redhat.com/cms/managed-files/checkmark_green.png)

![checkmark](https://www.redhat.com/cms/managed-files/checkmark_green.png)

Access to support engineers during standard business hours

![checkmark](https://www.redhat.com/cms/managed-files/checkmark_green.png)

![checkmark](https://www.redhat.com/cms/managed-files/checkmark_green.png)

Access to support engineers 24x7 for high-severity issues

![checkmark](https://www.redhat.com/cms/managed-files/checkmark_green.png)

We also feature specialized support options that can be tailored to the unique needs of companies of all sizes and industries. The Red Hat® Enhanced Solution Support offering reduces downtime and boosts confidence through access to senior level engineers, as well as resolution and restoration SLAs—helping you stay up and running as you innovate, scale, and deploy. Our engineers help restore your operations quickly and accelerate the path to final resolution, identifying the root cause which helps protect against recurrences in the future. Enhanced Solution Support engineers, who are already familiar with your environment, will be there to assist with critical issues in production environments so that you can consistently deliver the cloud services your customers demand. This offering is available for Red Hat OpenShift® and Red Hat OpenStack® Platform customers.

**Personalized support**

Connect with a technical adviser for collaborative planning and specialized guidance. Our Technical Account Managers help you streamline deployments, resolve issues, and shape your technology strategy to meet your toughest business challenges.

Explore Technical Account Management

**Award winners since 2011**

We’ve evolved the traditional software subscription model, combining the best elements of our services to exceed customer expectations. The Association of Support Professionals has honored Red Hat’s Customer Portal as one of “The Top Ten Best Support Websites” for 9 years running.

See why the Customer Portal keeps earning industry recognition

![Top ten logo](https://www.redhat.com/cms/managed-files/top-ten-logo-c_0.png)

**What they're saying**

> We have found the support from Red Hat to be exemplary. Whenever we need anything from them, they have given it … Red Hat is now our backbone. Our business cannot run if Red Hat is not there.

> Red Hat support proved invaluable. Any issues during implementation were solved quickly and transparently.

**Check out our support channels**

**Have questions?**

CVE-2009-0723: Support

MediaTek microchips, as used in NETGEAR devices through 2021-12-13 and other devices, mishandle attempts at Wi-Fi authentication flooding.

Was this article helpful?   Yes     No | 11 people found this helpful in last 30 days

Associated CVE ID: CVE-2021-41788

First published: 2021-12-13

NETGEAR is aware of industry-wide WiFi authentication flooding security vulnerabilities on products containing MediaTek microchips.

NETGEAR is working with MediaTek and plans to release firmware updates that fix these authentication flooding vulnerabilities for all products that are within the security support period, which we will release as they become available.

**Workarounds**

No workarounds are available for this vulnerability.

**Disclaimer**

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. NETGEAR reserves the right to change or update this document at any time. NETGEAR expects to update this document as new information becomes available.

The WiFi authentication flooding vulnerabilities remain if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.

**Acknowledgements**

MediaTek

**Common Vulnerability Scoring System**

Rating: Medium

Score: 6.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L

**Best Practices for Updating Firmware**

We recommend that you keep your NETGEAR devices up to date with the latest firmware. Firmware updates contain security fixes, bug fixes, and new features for your NETGEAR products.

If your product is supported by one of our apps, using the app is the easiest way to update your firmware:

*   Orbi products: NETGEAR Orbi app
*   NETGEAR WiFi routers: NETGEAR Nighthawk app
*   Some NETGEAR Business products: NETGEAR Insight app (firmware updates through the app are available only for Insight subscribers)

If your product is not supported by one of our apps, you can always update your firmware manually by following the instructions in your product’s user manual, firmware release notes, or product support page. For more information, see Where can I find information about my NETGEAR product?.

**Contact**

We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

To report a security vulnerability, visit https://bugcrowd.com/netgear. 

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com. 

For all other issues, visit http://www.netgear.com/about/security/. 

**Revision History**

2021-12-13: Published advisory

Last Updated:12/13/2021 | Article ID: 000064369

**Was this article helpful?**Yes No

**This article applies to:**

How to Find Your Model Number

**Looking for more about your product?**

Get information, documentation, videos and more for your specific product.

**Need to Contact Support?**

With NETGEAR’s round-the-clock premium support, help is just a phone call away.

**Complimentary Support**

NETGEAR provides complimentary technical support for NETGEAR products for 90 days from the original date of purchase.

Contact Support

**NETGEAR Premium Support**

**GearHead Support for Home Users**

GearHead Support is a technical support service for NETGEAR devices and all other connected devices in your home. Advanced remote support tools are used to fix issues on any of your devices. The service includes support for the following:

*   Desktop and Notebook PCs, Wired and Wireless Routers, Modems, Printers, Scanners, Fax Machines, USB devices and Sound Cards
*   Windows Operating Systems (2000, XP or Vista), MS Word, Excel, PowerPoint, Outlook and Adobe Acrobat
*   Anti-virus and Anti-Spyware: McAfee, Norton, AVG, eTrust and BitDefender

Learn More

**ProSUPPORT Services for Business Users**

NETGEAR ProSUPPORT services are available to supplement your technical support and warranty entitlements. NETGEAR offers a variety of ProSUPPORT services that allow you to access NETGEAR's expertise in a way that best meets your needs:

*   Product Installation
*   Professional Wireless Site Survey
*   Defective Drive Retention (DDR) Service

Learn More

CVE-2021-41788: Security Advisory for WiFi Authentication Flooding Vulnerabilities on Multiple Products, PSV-2021-0299 & PSV-2021-0301 | Answer

Categories: News
Categories: Ransomware
Tags: Brightlight

Tags:  GoAnywhere MFT

Tags:  data breach

Tags:  Cl0p

Following the Cl0p ransomware gang's attacks that leveraged Fortra's GoAnywhereMFT software tool, behavioral health provider Brightline informed customers about a data breach related to the attacks.



(Read more...)




The post Brightline breach hits at least 964,000 people, US records show appeared first on Malwarebytes Labs.

A pediatric behavioral health startup called Brightline informed its customers that their protected health data may have been stolen as part of a separate ransomware attack on a Brightline third-party service provider. 

"Based on the investigation, we identified a limited amount of protected health information/personal information in the files that the unauthorized party acquired, potentially including some combination of the following data elements: individuals’ names, addresses, dates of birth, member identification numbers, date of health plan coverage, and/or employer names," wrote Brightline in its public notice online.

Though Brightline did not disclose the number of affected customers, recently updated records with the US Department of Health and Humans Services Office of Civil Rights showed that at least 964,301 people were impacted. 

The third-party service provider at the heart of the data breach is Fortra, which was recently targeted by the Cl0p ransomware gang in a string of attacks that leveraged an undisclosed vulnerability in the file transfer software called GoAnywhereMFT, which Fortra develops and which is used by businesses worldwide. Malwarebytes Labs reported on the vulnerability in February, urging users to deploy a patch. 

GoAnywhere MFT, which stands for managed file transfer, allows businesses to manage and exchange files in a secure and compliant way. According to its website, it caters to more than 3,000 organizations, predominantly ones with over 10,000 employees and 1B USD in revenue.

Brightline was just one of the many victims on the list that Cl0p made using the same vulnerability. The day after the release of the GoAnywhere patch, the Clop ransomware gang contacted BleepingComputer and said they had used the flaw over ten days to steal data from 130 companies.

For many organizations, Brightline offers virtual behavioral and mental health services for the children of benefits-eligible employees. In this light, Brightline has published a list of covered entities impacted by the breach.

Interestingly, the 964,000 number released by the US government may not be complete. 

According to the online resource Databreaches.net, by the end of May 3, 2023, the subtotal number of Brightline patients affected by the GoAnywhere incident stood at 1,081,716.

Another remarkable fact Databreaches.net disclosed is that the listing for Brightline on Cl0p’s leak site has disappeared. This is usually an indicator that the victim has paid, but there might be something else going on in this case, since Brightline has been exemplary at providing public information and details about the breach.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   Check the vendor's advice. Every breach is different, so check with the vendor to find out what's happened, and follow any specific advice they offer.
*   Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don't use for anything else. Better yet, let a password manager choose one for you.
*   Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

According to the information provided by Brightline, no Social Security numbers or financial accounts were stolen, nor did the stolen files contain anything related to medical services, conditions, diagnoses, or claims for the plan participant or their dependent.

If you are affected by this data security incident, you should have received or will receive a letter (or letters, if you have dependents) from Brightline. Each letter will have a unique code for the member and/or dependent to register for free identity theft and credit monitoring. Brightline will also have a call center available to answer questions. More information, including frequently asked questions, is available on Brightline’s website.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Brightline breach hits at least 964,000 people, US records show

Improper conditions check in Intel BIOS platform sample code for some Intel(R) Processors before may allow a privileged user to potentially enable escalation of privilege via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel BIOS Platform Sample Code Advisory**

**Summary: **

Potential security vulnerabilities in Intel BIOS platform sample code for some Intel® Processors may allow escalation of privilege.  Intel is releasing BIOS platform sample code updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2020-8764

Description: Improper access control in BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-8738

Description: Improper conditions check in Intel BIOS platform sample code for some Intel(R) Processors before may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-8740

Description: Out of bounds write in Intel BIOS platform sample code for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:L

CVEID: CVE-2020-8739

Description: Use of potentially dangerous function in Intel BIOS platform sample code for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 4.6 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L

**Affected Products:**

2nd Generation Intel® Xeon® Scalable Processors, Intel® Core™ X-series Processors, Intel® Xeon® Processor W Family and Intel® Xeon® Scalable Processors     

*   CVE-2020-8738
*   CVE-2020-8739
*   CVE-2020-8740
*   CVE-2020-8764

Intel® Xeon® Processor D Family, Intel® Xeon® Processor E7 v4 Family and Intel® Xeon® Processor E5 v3 Family, Intel® Xeon® Processor E5 v4 Family

*   CVE-2020-8738
*   CVE-2020-8740
*   CVE-2020-8764

Intel® Xeon® Processor D Family               

*   CVE-2020-8739
*   CVE-2020-8740
*   CVE-2020-8764

Intel® Xeon® Processor E7 v3 Family

*   CVE2020-8764

Intel® Atom® Processor C3XXX

*   CVE-2020-8738

Intel recommends that users of the affected products update to the latest BIOS firmware provided by the system manufacturer that addresses these issues.  

**Acknowledgements:**

Intel would like to thank Dmitry Frolov (CVE-2020-8738) for reporting this issue.

The following issues were found internally by Intel, CVE-2020-8739 and CVE-2020-8764.  Intel would like to thank Brent Holtsclaw for CVE-2020-8740.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

11/10/2020

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2020-8738: INTEL-SA-00390

An Improper Access Control vulnerability exists in Citrix Workspace App for Linux 2012 - 2111 with App Protection installed that can allow an attacker to perform local privilege escalation.

CTX338435

{{tooltipText}}

Security Bulletin | High | {{likeCount}} found this helpful | Created: {{articleFormattedCreatedDate}} | Modified: {{articleFormattedModifiedDate}}

**Description of Problem**

A vulnerability has been identified in Citrix Workspace app for Linux that could result in a local user elevating their privilege level to root on the computer running Citrix Workspace app for Linux. 

The vulnerability has the following identifier: 

CVE ID 

Description 

Vulnerability Type 

Pre-conditions 

CVE-2022-21825 

Local privilege Escalation 

CWE-284: Improper Access Control 

Local user access to a system where Citrix Workspace App for Linux has been installed with App Protection. 

This vulnerability only affects Citrix Workspace app for Linux 2012 - 2111 and only exists if App Protection was installed as part of Citrix Workspace app for Linux. This vulnerability does not exist if App Protection is not installed.

Citrix Workspace app for other platforms is not affected by this issue. 

**What Customers Should Do**

This issue has been addressed in the following versions of Citrix Workspace app for Linux:  

*   Citrix Workspace App for Linux 2112 and later versions
    

Citrix strongly recommends that affected customers upgrade to a fixed version as soon as possible. 

The latest version of Citrix Workspace app for Linux is available from the following Citrix website location: 

https://www.citrix.com/downloads/workspace-app/linux/ 

**Acknowledgements**

Citrix thanks Florian Kerber of Siemens CERT for working with us to protect Citrix customers.

**What Citrix is Doing**

Citrix is notifying customers and channel partners about this potential security issue through the publication of this security bulletin on the Citrix Knowledge Center at https://support.citrix.com/securitybulletins.

**Obtaining Support on This Issue**

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.

**Subscribe to Receive Alerts**

Citrix strongly recommends that all customers subscribe to receive alerts when a Citrix security bulletin is created or modified at https://support.citrix.com/user/alerts.

**Reporting Security Vulnerabilities to Citrix**

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: https://www.citrix.com/about/trust-center/vulnerability-process.html.

**Disclaimer**

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document directly from the Citrix Knowledge Center.

**Changelog**

Date

Change

2022-01-11

Initial Publication

CVE-2022-21825: Citrix Workspace App for Linux Security Update

CTX338435

{{tooltipText}}

Security Bulletin | Severity: High | {{likeCount}} found this helpful | Created: {{articleFormattedCreatedDate}} | Modified: {{articleFormattedModifiedDate}}

**Description of Problem**

A vulnerability has been identified in Citrix Workspace app for Linux that could result in a local user elevating their privilege level to root on the computer running Citrix Workspace app for Linux. 

The vulnerability has the following identifier: 

CVE ID 

Description 

Vulnerability Type 

Pre-conditions 

CVE-2022-21825 

Local privilege Escalation 

CWE-284: Improper Access Control 

Local user access to a system where Citrix Workspace App for Linux has been installed with App Protection. 

This vulnerability only affects Citrix Workspace app for Linux 2012 - 2111 and only exists if App Protection was installed as part of Citrix Workspace app for Linux. This vulnerability does not exist if App Protection is not installed.

Citrix Workspace app for other platforms is not affected by this issue. 

**What Customers Should Do**

This issue has been addressed in the following versions of Citrix Workspace app for Linux:  

*   Citrix Workspace App for Linux 2112 and later versions
    

Citrix strongly recommends that affected customers upgrade to a fixed version as soon as possible. 

The latest version of Citrix Workspace app for Linux is available from the following Citrix website location: 

https://www.citrix.com/downloads/workspace-app/linux/ 

**Acknowledgements**

Citrix thanks Florian Kerber of Siemens CERT for working with us to protect Citrix customers.

**What Citrix is Doing**

Citrix is notifying customers and channel partners about this potential security issue through the publication of this security bulletin on the Citrix Knowledge Center at https://support.citrix.com/securitybulletins.

**Obtaining Support on This Issue**

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.

**Subscribe to Receive Alerts**

Citrix strongly recommends that all customers subscribe to receive alerts when a Citrix security bulletin is created or modified at https://support.citrix.com/user/alerts.

**Reporting Security Vulnerabilities to Citrix**

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: https://www.citrix.com/about/trust-center/vulnerability-process.html.

**Disclaimer**

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document directly from the Citrix Knowledge Center.

**Changelog**

Date

Change

2022-01-11

Initial Publication

RRX IOB LP version 1.0 suffers from a DNS cache snooping vulnerability.

    Document Title:===============RRX IOB LP v1.0 - DNS Cache Snooping VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2261Article:https://www.vulnerability-db.com/?q=articles/2022/10/11/rhein-ruhr-express-rrx-dns-cache-snooping-vulnerability-wifi-hotspotRelease Date:=============2022-10-11Vulnerability Laboratory ID (VL-ID):====================================2261Common Vulnerability Scoring System:====================================5.3Vulnerability Class:====================MultipleCurrent Estimated Price:========================2.000€ - 3.000€Product & Service Introduction:===============================This product, solution or service ("Product") contains third-party software components listed in this document. These components are Open SourceSoftware licensed under a license approved by the Open Source Initiative (www.opensource.org) or similar licenses as determined by SIEMENS ("OSS")and/or commercial or freeware software components. With respect to the OSS components, the applicable OSS license conditions prevail over any otherterms and conditions covering the Product. The OSS portions of this Product are provided royalty-free and can be used at no charge.If SIEMENS has combined or linked certain components of the Product with/to OSS components licensed under the GNU LGPL version 2 or later as per thedefinition of the applicable license, and if use of the corresponding object file is not unrestricted ("LGPL Licensed Module", whereas the LGPLLicensed Module and the components that the LGPL Licensed Module is combined with or linked to is the "Combined Product"), the following additionalrights apply, if the relevant LGPL license criteria are met: (i) you are entitled to modify the Combined Product for your own use, including but notlimited to the right to modify the Combined Product to relink modified versions of the LGPL Licensed Module, and (ii) you may reverse-engineer theCombined Product, but only to debug your modifications. The modification right does not include the right to distribute such modifications and youshall maintain in confidence any information resulting from such reverse-engineering of a Combined Product.Certain OSS licenses require SIEMENS to make source code available, for example, the GNU General Public License, the GNU Lesser General Public Licenseand the Mozilla Public License. If such licenses are applicable and this Product is not shipped with the required source code, a copy of this sourcecode can be obtained by anyone in receipt of this information during the period required by the applicable OSS licenses by contacting the following address.Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a dns snooping vulnerability in the Rhein Ruhr Express (RRX IOB Landing Page 1.0 - Open Source Software) with Hotspot Siemens Portal.Vulnerability Disclosure Timeline:==================================2020-08-03: Researcher Notification & Coordination (Security Researcher)2020-08-04: Vendor Notification (Security Department)2020-08-27: Vendor Response/Feedback #1 (Security Department)2020-11-10: Vendor Response/Feedback #2 (Security Department)2021-01-30: Security Acknowledgements (Security Department)2022-10-09: Vendor Fix/Patch by Check (Service Developer Team)2022-10-11: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (Guest Privileges)User Interaction:=================No User InteractionDisclosure Type:================Responsible DisclosureTechnical Details & Description:================================A dns cache snooping vulnerability has been discovered in the official Rhein Ruhr Express (RRX IOB Landing Page 1.0 - Open Source Software) with Hotspot Siemens Portal.The vulnerability allows remote attackers to determine resolved sites and name servers to followup with manipulative interactions.The vulnerability allows remote attackers to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attackto build a statistical model regarding company usage of that financial institution. Of course, the attack can also be usead to find B2B partners, web-surfing patterns, externalmail servers, and more. If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees,consultants and potentially users on a guest network or WiFi connection if supported.Proof of Concept (PoC):=======================The dns cache snooping vulnerability can be exploited by remote attackers with wifi guest access without user interaction or privileged user account.For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.--- PoC Session Logs ---Sent a non-recursive query for test.comand received 1 answer: dnsmasq-2.7593.184.216.34Hosts53 / udp / dns   192.168.44.1Solution - Fix & Patch:=======================Improve the cache management via dns to ensure no manipulations can take place.Contact the manufacturer siemens to resolve the issue by an automated or manual patch.2022-10-09: Vendor Fix/Patch by Check (Service Developer Team)The patching process will be delivered by siemens during train maintenance and will take at least until 2022 Q2-Q3 to be rolled out on all trains (40+).Security Risk:==============The security risk of the web vulnerability in the siemens hotspot rxx wifi is estimated as medium.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.comServices:   magazine.vulnerability-lab.com  paste.vulnerability-db.com       infosec.vulnerability-db.comSocial:      twitter.com/vuln_lab    facebook.com/VulnerabilityLab       youtube.com/user/vulnerability0labFeeds:      vulnerability-lab.com/rss/rss.php   vulnerability-lab.com/rss/rss_upcoming.php   vulnerability-lab.com/rss/rss_news.phpPrograms:   vulnerability-lab.com/submit.php   vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.phpAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

RRX IOB LP 1.0 DNS Cache Snooping

Missing Authorization vulnerability in WPOmnia KB Support – WordPress Help Desk and Knowledge Base allows Accessing Functionality Not Properly Constrained by ACLs. Users with a role as low as a subscriber can view other customers.This issue affects KB Support – WordPress Help Desk and Knowledge Base: from n/a through 1.5.88.



**Solution**

 Update to fix

 vPatch available

Update the WordPress KB Support plugin to the latest available version (at least 1.5.89).

Found this useful? Thank Rafshanzani Suhada for reporting this vulnerability. Buy a coffee ☕

Rafshanzani Suhada discovered and reported this Broken Access Control vulnerability in WordPress KB Support Plugin. A broken access control issue refers to a missing authorization, authentication or nonce token check in a function that could lead to an unprivileged user to executing a certain higher privileged action. This vulnerability has been fixed in version 1.5.89.

**Other vulnerabilities in this plugin**

 0 present

 3 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-37890: WordPress KB Support – WordPress Help Desk plugin <= 1.5.88 - Missing Authorization vulnerability - Patchstack

An improper check for unusual or exceptional conditions in the HTTP request processing function of Zyxel GS1920-24v2 firmware prior to V4.70(ABMH.8)C0, which could allow an unauthenticated attacker to corrupt the contents of the memory and result in a denial-of-service (DoS) condition on a vulnerable device.

CVE: CVE-2022-43393

Summary

Zyxel has released patches for some switches affected by a denial-of-service (DoS) vulnerability. Users are advised to install them for optimal protection.

What is the vulnerability?

An improper check for unusual or exceptional conditions in the HTTP request processing function of some Zyxel switch versions could allow an attacker to corrupt the contents of the memory and result in a DoS condition on an affected device.

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable products that are within their vulnerability support period and released patches to address the vulnerability, as shown in the table below.

Since switches are mostly deployed in a local area network (LAN) environment, most potential DoS attacks can be reduced by firewalls or security gateways. Furthermore, for optimal protection, we suggest that users set more stringent management rules for remote access to their switches, such as by restricting HTTP or HTTPS requests to remotely access the device management interface or by limiting remote access by specific IP addresses.

Affected model

Affected version

Patch availability

GS1350-6HP

V4.70(ABPI.4)C0

V4.70(ABPI.5)C0

GS1350-12HP

V4.70(ABPJ.4)C0

V4.70(ABPJ.5)C0

GS1350-18HP

V4.70(ABPK.4)C0

V4.70(ABPK.5)C0

GS1350-26HP

V4.70(ABPL.4)C0

V4.70(ABPL.5)C0

GS1915-8

V4.70(ACAP.2)C0

V4.70(ACAP.3)C0

GS1915-8EP

V4.70(ACAQ.2)C0

V4.70(ACAQ.3)C0

GS1915-24E

V4.70(ACDR.2)C0

V4.70(ACDR.3)C0

GS1915-24EP

V4.70(ACDS.2)C0

V4.70(ACDS.3)C0

GS1920-24v2

V4.70(ABMH.7)C0

V4.70(ABMH.8)C0

GS1920-48v2

V4.70(ABMJ.7)C0

V4.70(ABMJ.8)C0

GS1920-24HPv2

V4.70(ABMI.7)C0

V4.70(ABMI.8)C0

GS1920-48HPv2

V4.70(ABMK.7)C0

V4.70(ABMK.8)C0

GS2220-10

V4.70(ABRO.5)C0

V4.70(ABRO.6)C0

GS2220-28

V4.70(ABRQ.5)C0

V4.70(ABRQ.6)C0

GS2220-50

V4.70(ABRS.5)C0

V4.70(ABRS.6)C0

GS2220-10HP

V4.70(ABRP.5)C0

V4.70(ABRP.6)C0

GS2220-28HP

V4.70(ABRR.5)C0

V4.70(ABRR.6)C0

GS2220-50HP

V4.70(ABRT.5)C0

V4.70(ABRT.6)C0

XGS1930-28

V4.70(ABHT.3)C0

V4.70(ABHT.5)C0

XGS1930-28HP

V4.70(ABHS.3)C0

V4.70(ABHS.5)C0

XGS1930-52

V4.70(ABHU.3)C0

V4.70(ABHU.5)C0

XGS1930-52HP

V4.70(ABHV.3)C0

V4.70(ABHV.5)C0

XS1930-10

V4.70(ABQE.5)C0

V4.80(ABQE.0)C0

XS1930-12HP

V4.70(ABQF.5)C0

V4.80(ABQF.0)C0

XS1930-12F

V4.70(ABZV.5)C0

V4.80(ABZV.0)C0

XGS2210-28

V4.70(AAZJ.1)C0

V4.70(AAZJ.2)C0

XGS2210-52

V4.70(AAZK.1)C0

V4.70(AAZK.2)C0

XGS2210-28HP

V4.70(AAZL.1)C0

V4.70(AAZL.2)C0

XGS2210-52HP

V4.70(AAZM.1)C0

V4.70(AAZM.2)C0

XGS2220-30

V4.80(ABXN.0)C0

V4.80(ABXN.1)C0

XGS2220-30HP

V4.80(ABXO.0)C0

V4.80(ABXO.1)C0

XGS2220-30F

V4.80(ABYE.0)C0

V4.80(ABYE.1)C0

XGS2220-54

V4.80(ABXP.0)C0

V4.80(ABXP.1)C0

XGS2220-54HP

V4.80(ABXQ.0)C0

V4.80(ABXQ.1)C0

XGS2220-54FP

V4.80(ACCE.0)C0

V4.80(ACCE.1)C0

XGS4600-32

V4.70(ABBH.3)C0

V4.70(ABBH.4)C0

XGS4600-32F

V4.70(ABBI.3)C0

V4.70(ABBI.4)C0

XGS4600-52F

V4.70(ABIK.3)C0

V4.70(ABIK.4)C0

XMG1930-30

V4.70(ACAR.0)

V4.80(ACAR.0)

XMG1930-30HP

V4.70(ACAS.0)

V4.80(ACAS.0)

XS3800-28

V4.80(ABML.0)C0

V4.80(ABML.1)C0

MGS3500-24S

4.10(ABBR.1)C0

4.10(ABBR.2)C0\*

MGS3520-28

4.10(AATN.4)C0

4.10(AATN.5)C0\*

MGS3520-28

4.10(ABQM.1)C0

4.10(ABQM.2)C0\*

MGS3520-28F

4.10(AATM.3)C0

4.10(AATM.4)C0\*

MGS3530-28

4.10(ACEM.1)C0

4.10(ACEM.2)C0\*

MGS3530-28

4.10(ACFJ.0)C0

4.10(ACFJ.1)C0\*

\*Please reach out to your local Zyxel support team for the file.

Got a question?

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

Acknowledgment

Thanks to Positive Technologies for reporting the issue to us.

Revision history

2023-1-11: Initial release.

**Have a question?**

We are always here to help!

Contact us

CVE-2022-43393: Zyxel security advisory for DoS vulnerability of switches | Zyxel Networks

Das U-Boot suffers from a buffer overread vulnerability. An attacker with access to the local network and faster response times than the default DHCP server can trigger a memory leak by responding with malicious DHCP offers to a vulnerable U-Boot DHCP client.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Title  
=====

SCHUTZWERK-SA-2024-004: Buffer overread in U-Boot DHCP

Status  
======

PUBLISHED

Version  
=======

1.0

CVE reference  
=============

CVE-2024-42040

Link  
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2024-004/

Text-only version:  
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2024-004.txt

Affected products/vendor  
========================

Das U-Boot, https://docs.u-boot.org

Summary  
=======

Das U-Boot (U-Boot) is a widespread open-source boot loader used in   
embedded devices to perform various low-level hardware initialization   
tasks and boot the device's operating system kernel. During an embedded   
security assessment, we identified a buffer overread vulnerability   
(CWE-126) in the DHCP implementation of U-Boot that could leak memory   
onto the network. The amount of leaked data depends on the later use of   
the hostname, DNS-server IP, gateway IP, or other DHCP options in   
unencrypted network traffic. The vulnerability has been present since   
the "Initial revision" commit (3861aa5) from 2002.

Risk  
====

An attacker with access to the local network and faster response times   
than the default DHCP server can trigger a memory leak by responding   
with malicious DHCP offers to a vulnerable U-Boot DHCP client. In the   
current implementation, only 4 Bytes of data can be leaked via gateway   
or DNS server address. When net_hostname would be used and also sent   
over the network, 32 Bytes could be retrieved. When the bp_vend field is   
filled with zeroes besides the magic number, it could also lead the loop   
to continue outside the packet to process data. This can cause further   
data to be leaked when values like 0x1,0x3,0x6, and 0x12 are present in   
that data. When further vulnerabilities can be found they might be   
combined to achieve further harmful impact to the system.

Description  
===========

After U-Boot sends an initial DHCP request, the vulnerable bootp_handler   
gets registered as a callback for incoming packets. The handler first   
checks if the received packet is the expected reply packet. If   
VENDOR_MAGIC is in the first four bytes of bp->bp_vend, the address of   
bp->bp_vend[4] and the total length of the packet is passed to   
bootp_process_vendor (net/bootp.c:381) without being reduced to   
len-(offsetof(struct bootp_hdr,bp_vend)+4). There is also a missing   
check whether the first four bytes of bp->pb_vend[] are in range of the   
packet length before retrieving them to compare with htonl(VENDOR_MAGIC).

In bootp_process_vendor, an incorrect end address is then calculated   
based on the full packet length (net/bootp.c:312) instead of the rest of   
the bp_vend buffer size. Then, the function increases the ext pointer   
until it no longer points to zero bytes within the too-long buffer range   
or when one byte is 0xff. When a none-zero value is discovered the ext   
pointer is passed to bootp_process_vendor_field.

In bootp_process_vendor_field, the de-referenced value of the passed   
pointer is used to select the case for processing the field, and its   
length is de-referenced from ext+1. Based on the selected case, values   
are then copied to variables and buffers like net_gateway.s_addr or   
net_hostname from ext+2. The copied lengths are only limited by the size   
of their destination. The end of the bp_vend structure or the end of the   
packet is never checked in bootp_process_vendor_field.

This allows an attacker, who can respond to DHCP requests, to craft a   
packet that causes the code to copy the contents of the target's RAM   
directly following the received packet into parameters. These parameters   
are sent via the network during later use, leaking the RAM content to   
the attacker.

Solution/Mitigation  
===================

We recommend providing an adequate length to bootp_process_vendor to   
prevent the while loop from stepping outside the packet frame and   
checking in bootp_process_vendor_field if the copied data is still   
within the packet structure's range.

Disclosure timeline  
===================

2024-06-21: Vulnerability discovered  
2024-08-19: Vulnerability reported to public mailing list by request of   
maintainer.

Contact/Credits  
===============

The vulnerability was discovered during an assessment by Simon Diepold   
of SCHUTZWERK GmbH.

References  
==========

Disclaimer  
==========

The information provided in this security advisory is provided "as is" and  
without warranty of any kind. Details of this security advisory may be   
updated  
in order to provide as accurate information as possible. The most recent  
version of this security advisory can be found at SCHUTZWERK GmbH's website  
( https://www.schutzwerk.com ).

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/  
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmbC+YgaHGFkdmlzb3Jp  
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrtSeRAAi6OrwHBpbFgKlyqROQnw  
zYxmHTYBiWzBEEmI1zN+iNb5uQlnZXgBoodbEneiRmVQDSiT4zT/DWe3EGV2TlRR  
56hEIGvkvleURqCjwRYeYnPF3Ef/XMTvTu/x08h8UfGr7XNwhwCpANxUTE7aI01b  
jZLa4jDv8vpNd7JKNF32S2Ak6GRjfEE9aEAxUKliNXCA5SU1gYvOWQ+BJ0oth7fN  
grkTKffltk8dUBFy8TsrxcAG5ye4f1Dvm51dU8JNPBLkmouOrEvX1K4UTjvAyD8e  
bCn2dXs2rDLfywrTPV0k2zj3APZiwhYxNA3MaTUGscZAIUMn3WE/cUyYDpQDqOYx  
wrZzz9K59m+x8F6c1lBUxlmU3t9Z15/i/tL6Kropb+HDxjWaLCZPG3dzdlR54/fn  
gvzS393FNWakNNAJIqN2jvvol+zvJGn2rsSsfp5CPEdrQEHgvQa0TkBOpdtFZ/h1  
muVFwj9yDup07yStTXRJHjg2WCH0LdL5x+mDfcBspjLflpVP/0Yj+MnR8e3Eb7v/  
Cb12PeBHww9VObUhgbMecanSn6Epf7Nc5a5wIh5kEWKoviBYNY/0cu7GDN+70PK4  
JhD86Tww5RFJJfkLcJqlCAMC4AkAc7Sq5FS7WTK5Jx3Ymh/+Lsuhx9ENq38VyVGh  
tFe3V0joTUxg7Yy78PoEOrs=  
=XKZo  
-----END PGP SIGNATURE-----

--   
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany  
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

advisories@schutzwerk.com / www.schutzwerk.com

Geschäftsführer / Managing Directors:  
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm /  HRB 727391  
Datenschutz / Data Protection www.schutzwerk.com/datenschutz

Search

lenovo warranty check/lookup | check warranty status | lenovo support us