ColdFusion version 2021 update 1 (and earlier) and versions 2018.10 (and earlier) are impacted by an improper access control vulnerability when checking permissions in the CFIDE path. An authenticated attacker could leverage this vulnerability to access and manipulate arbitrary data on the environment. 

Security updates available for Adobe ColdFusion | APSB21-75

**Summary**

Adobe has released security updates for ColdFusion versions 2021 and 2018. These updates resolve multiple critical  vulnerabilities that could lead to security feature bypass.   

**Affected Versions**

Update 11 and earlier versions      

Version 1 and earlier versions

**Solution**

Adobe categorizes these updates with the following priority rating and recommends users update their installations to the newest versions:

**Product**

**Updated Version**

**Platform**

**Priority rating**

**Availability**

ColdFusion 2018

Update 12

All

2

Tech note      

ColdFusion 2021  

Update 2  

All

2

Tech note

Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for 1.8 and JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server.  See the relevant Tech Notes for more details. 

Adobe  also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.    

*   ColdFusion 2018 Auto-Lockdown guide   
*   ColdFusion 2021 Lockdown Guide

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVE Numbers**

Use of Inherently Dangerous Function

(CWE-242)

Security feature bypass    

Critical     

7.4  

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2021-40698  

Improper Access Control

(CWE-284)

Security feature bypass    

Critical     

7.4  

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CVE-2021-40699  

**Acknowledgements**

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:

*   Brian Reilly (CVE-2021-40699)
*   Rockwell, Edward J (CVE-2021-40698)  
    

**ColdFusion JDK Requirement**

**COLDFUSION 2021 (version 2021.0.0.323925) and above**

**For Application Servers**   

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.\*\*;!com.sun.syndication.\*\*;!org.apache.commons.beanutils.\*\*", in the respective startup file depending on the type of Application Server being used.   

For example:   

Apache Tomcat Application Server: edit JAVA\_OPTS in the ‘Catalina.bat/sh’ file   

WebLogic Application Server:  edit JAVA\_OPTIONS in the ‘startWeblogic.cmd’ file   

WildFly/EAP Application Server:  edit JAVA\_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.   

**COLDFUSION 2018 HF1 and above**  

**For Application Servers**   

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.\*\*;!com.sun.syndication.\*\*;!org.apache.commons.beanutils.\*\*", in the respective startup file depending on the type of Application Server being used.   

For example:   

Apache Tomcat Application Server: edit JAVA\_OPTS in the ‘Catalina.bat/sh’ file   

WebLogic Application Server:  edit JAVA\_OPTIONS in the ‘startWeblogic.cmd’ file   

WildFly/EAP Application Server:  edit JAVA\_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.   

**Adobe Disclaimer**

**License agreement**

By using software of Adobe Incorporated or its subsidiaries ("Adobe"); you agree to the following terms and conditions. If you do not agree with such terms and conditions; do not use the software. The terms of an end user license agreement accompanying a particular software file upon installation or download of the software shall supersede the terms presented below.

The export and re-export of Adobe software products are controlled by the United States Export Administration Regulations and such software may not be exported or re-exported to Cuba; Iran; North Korea; Syria and the Crimea region of Ukraine, or any country to which the United States embargoes goods. In addition; Adobe software may not be distributed to persons on the Table of Denial Orders; the Entity List; or the List of Specially Designated Nationals. 

By downloading or using an Adobe software product you are certifying that you are not a national of Cuba; Iran; North Korea; Syria, and the Crimea region of Ukraine, or any country to which the United States embargoes goods and that you are not a person on the Table of Denial Orders; the Entity List; or the List of Specially Designated Nationals. If the software is designed for use with an application software product (the "Host Application") published by Adobe; Adobe grants you a non-exclusive license to use such software with the Host Application only; provided you possess a valid license from Adobe for the Host Application. Except as set forth below; such software is licensed to you subject to the terms and conditions of the End User License Agreement from Adobe governing your use of the Host Application.

DISCLAIMER OF WARRANTIES: YOU AGREE THAT ADOBE HAS MADE NO EXPRESS WARRANTIES TO YOU REGARDING THE SOFTWARE AND THAT THE SOFTWARE IS BEING PROVIDED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. ADOBE DISCLAIMS ALL WARRANTIES WITH REGARD TO THE SOFTWARE; EXPRESS OR IMPLIED; INCLUDING; WITHOUT LIMITATION; ANY IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE; MERCHANTABILITY; MERCHANTABLE QUALITY OR NONINFRINGEMENT OF THIRD PARTY RIGHTS. Some states or jurisdictions do not allow the exclusion of implied warranties; so the above limitations may not apply to you.

LIMIT OF LIABILITY: IN NO EVENT WILL ADOBE BE LIABLE TO YOU FOR ANY LOSS OF USE; INTERRUPTION OF BUSINESS; OR ANY DIRECT; INDIRECT; SPECIAL; INCIDENTAL; OR CONSEQUENTIAL DAMAGES OF ANY KIND (INCLUDING LOST PROFITS) REGARDLESS OF THE FORM OF ACTION WHETHER IN CONTRACT; TORT (INCLUDING NEGLIGENCE); STRICT PRODUCT LIABILITY OR OTHERWISE; EVEN IF ADOBE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Some states or jurisdictions do not allow the exclusion or limitation of incidental or consequential damages; so the above limitation or exclusion may not apply to you.

For more information, visit https://helpx.adobe.com/security.html , or email PSIRT@adobe.com

CVE-2021-40699: Adobe Security Bulletin

BD Synapsys™, versions 4.20, 4.20 SR1, and 4.30, contain an insufficient session expiration vulnerability. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII).

*   **Cybersecurity**
*   About us
*   Trust center
*   Bulletins and patches
*   Vulnerability disclosures
*   Helpful resources

*   BD Synapsys™– Insufficient Session Expiration

This notification provides product security information and recommendations related to insufficient session expiration vulnerability in specific versions of BD Synapsys™ Informatics Solution. For maximum awareness, BD has voluntarily reported this vulnerability to the U.S. Food and Drug Administration (FDA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Health Information Sharing and Analysis Center (H-ISAC).

**Products in Scope**

*   BD Synapsys™ – versions 4.20, 4.20 SR1, and 4.30

**Vulnerability Details**

**CVE-2022-30277 -** BD Synapsys™, versions 4.20, 4.20 SR1, and 4.30, contain an insufficient session expiration vulnerability. If exploited, threat actors may have an extended period of time to be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII).

BD Synapsys™ is a software application delivering data management and workflow functionality across clinical diagnostic activities in a laboratory. To exploit this vulnerability, a threat actor would need to gain access to the customer environment and physical access to a BD Synapsys™ workstation.

This vulnerability was discovered by BD through standard internal testing. There have been no reports of this vulnerability being exploited in a laboratory setting.

**Vulnerability Score**

*   CVSS: 5.7 (Medium) CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Rationale: The Base CVSS score is based on exploitability (which includes the attack vector, attack complexity, privileges required and user interaction), scope and potential impact to confidentiality, integrity and availability. In this case, a threat actor would have to have physical access to a workstation running BD Synapsys™. The attack complexity is Low, since no special access or conditions are needed once access to a BD Synapsys™ is obtained. The exploitation requires low-level privileges including access to the physical lab or the hospital network and requires user interaction. The scope of the vulnerability is unchanged as it only impacts the BD Synapsys™. The vulnerability can have a high impact to confidentiality as the system contains sensitive information. The impact to integrity is also High as successful exploitation potentially allows for an unauthorized user to modify BD Synapsys™ data.

**Clinical Risk Assessment and Patient Safety Impact**

BD has assessed this vulnerability for clinical impact and concluded that the probability of an unauthorized physical breach of a BD Synapsys™ workstation would be negligible due to the sequence of events that must occur in a specific order. However, successful exploitation could lead to modification of ePHI, PHI, or PII, which could cause delayed or incorrect treatment.

**Mitigations and Compensating Controls**

BD Synapsys™ v4.20 SR2 will be released in June 2022 and will remediate this vulnerability. Customers receiving BD Synapsys™ v4.30 will be allowed to upgrade to v5.10, which is expected to be available by August 2022.

Additionally, BD recommends the following compensating controls for customers using the impacted versions of BD Synapsys™:

*   Configure the inactivity session timeout in the operating system to match the session expiration timeout in BD Synapsys™.
*   Ensure physical access controls are in place and only authorized end-users have access to BD Synapsys™ workstations.
*   Place a reminder at each computer for users to save all work, logout, or lock their workstation when leaving the BD Synapsys™ workstation.
*   Ensure industry standard network security policies and procedures are followed.

**Additional Resources**

For product- or site-specific concerns, contact your BD service representative.

**Company**

*   Contact us
*   BD code of conduct
*   Careers
*   Inclusion and diversity
*   Sustainability
*   Suppliers
*   News
*   Investors
*   Video gallery
*   External funding program

**Support**

*   Technical support
*   Product security and privacy
*   Live chat
*   Order status
*   Customer portals
*   Alerts and notices
*   Electronic instructions for use
*   COVID-19

CVE-2022-30277: BD Synapsys<sup>™</sup>– Insufficient Session Expiration

The $4.4 billion in crypto is set to be the largest pile of criminal proceeds ever sold off by the US. The former IRS agent who seized the recording-breaking sum, meanwhile, languishes in a Nigerian jail cell.

In November of 2020, a person identified by the US Department of Justice only as “Individual X” sat down with an IRS agent named Tigran Gambaryan and prosecutors at the US Attorney’s office in San Francisco. That unnamed individual typed out the long string of characters of a Bitcoin private key on Gambaryan’s laptop, allowing Gambaryan to move 69,370 bitcoins from Individual X’s bitcoin address to one controlled by the US government.

Over the four years that it has taken the US government to establish legal ownership of that massive sum of bitcoins—identified by the IRS as stolen proceeds of the Silk Road dark-web drug market—its value has grown to a staggering $4.4 billion dollars. The money's forfeiture appears to have been part of a deal that kept Individual X out of prison, though the terms of that deal have never been publicly disclosed.

Instead, in a bizarre twist of fate, it's Gambaryan, the IRS criminal investigator who traced and seized that record-breaking sum of cryptocurrency, who is sitting in a Nigerian jail as those billions finally end up in US coffers.

On Wednesday, the US Supreme Court declined to hear an appeal to a lower court ruling that the US government can seize Individual X's nearly 70,000 bitcoins, which the person allegedly took from the Silk Road more than a decade ago by exploiting a security vulnerability in the market. That stolen drug money has since been claimed by various parties, most recently by a company called Battle Born Investments that sought to appeal the seizure ruling and claimed to have purchased the Silk Road bitcoins through a bankruptcy proceeding. Only now that this appeal has fizzled, four years after the stolen money was tracked down in an investigation led by Gambaryan at IRS Criminal Investigations, can the US government finally take official possession of the wayward bitcoins, which will likely be auctioned off for dollars by the US Marshals Service, as smaller sums of seized cryptocurrency have in the past.

“The Supreme Court's decision not to hear the case means that this is now is going to be forfeited to the United States government,” says Will Frentzen, one of the US prosecutors who handled the Individual X case and is now an attorney at the legal firm Morrison Foerster. “This is the largest ever forfeiture of crypto that will go to the US Treasury.” In fact, thanks to Bitcoin's wild appreciation in recent years, it appears to be the largest ever criminal seizure of money of _any kind_ to be added to the US federal budget. (A seizure following the theft of 120,000 bitcoins from the cryptocurrency exchange Bitfinex was even larger but will likely be repaid to victims and creditors rather than kept by the government.)

Over those same years, however, Gambaryan has taken an even more unlikely path: In 2021, he left the IRS to take a job as the head of investigations at Binance, the world's largest cryptocurrency exchange—a move seen widely as driven by Binance’s belated attempt to clean up its own widespread use for money laundering, which led the company to pay a $4.3 billion criminal fine to the US government last year. When Nigeria followed that fine by accusing Binance of similar criminal misconduct and devaluing the country's national currency, it was Gambaryan who was invited to Abuja to negotiate with the Nigerian government earlier this year. Instead, the Nigerian government detained Gambaryan, took his passport, and has now jailed him for over six months, charging him with money laundering and tax evasion as a proxy for his employer.

“It's beyond bizarre. It's Twilight Zone every day,” says Frentzen, who now has taken on Gambaryan's case in Nigeria as one of his defense attorneys. “His impact as a federal agent was so extensive and so far reaching that he's been out of the government for three years and yet the American government and the American public are still benefiting from his hard work. And he's languishing in a Nigerian jail cell on trumped-up charges. It's really unfathomable.”

Attention to Gambaryan's case has grown in recent months as lawmakers and US officials have increasingly appealed to the Nigerian government to release him on bail or on medical grounds. Gambaryan has suffered from a worsening herniated disc in his back that requires immediate surgery to prevent permanent injury, according to Frentzen. Yet he's been denied medical care in jail, and a video of him entering a courtroom in Abuja with a crutch seems to show a security guard refusing to help Gambaryan walk or to provide him with a wheelchair despite his pleas.

In June, 16 members of Congress called in an open letter for Gambaryan's case to be treated as a hostage situation, and a resolution introduced in the House Foreign Affairs Committee in July urged the White House to apply pressure to Nigeria to free Gambaryan. “I urge the State Department and I urge President Biden: Turn up the heat on Nigeria,” Arkansas representative French Hill, who visited Gambaryan in jail, said in a hearing last month. “Honor the fact that an American citizen has been snatched by a friendly government and put in prison over something he had no responsibility for.”

Over his 10 years at IRS Criminal Investigations, Gambaryan pioneered federal law enforcement's use of cryptocurrency tracing as an investigative technique, with landmark results: From 2014 to 2017, Gambaryan identified two corrupt federal agents who had enriched themselves with cryptocurrency during their investigation of the Silk Road; helped to track down half a billion dollars worth of bitcoins stolen from early crypto exchange Mt. Gox; had a hand in developing a secret crypto tracing method that located the server hosting the massive AlphaBay dark-web crime market; and helped to take down the Welcome to Video crypto-funded child sexual abuse video network, a case that led to 337 arrests around the world and the rescue of 23 children from exploitative situations.

In the wake of that string of cases, Gambaryan and another IRS Criminal Investigations agent, Jeremy Haynie, began in 2017 to trace the 69,370 bitcoins that appeared to have been stolen from the Silk Road in 2012 and 2013 and had sat almost entirely unmoved in the years since. With the help of blockchain analysis and data from seized servers of the criminal BTC-e crypto exchange—the fruits of another of Gambaryan's investigations—the agents were able to identify Individual X as a hacker who had taken the Silk Road's funds and demand that they forfeit them.

As those funds flow into the federal government's accounts, Frentzen hopes that federal officials who have the power to pressure Nigeria to free Gambaryan will remember where that record sum of money came from. “It should be a crystal-clear reminder of the impact that he's had for the American government and for the American people. To have him locked up while the US Treasury is collecting $4.4 billion because of his work, it's really twisted,” Frentzen says. “We urge the US government to continue to work to secure his release and to do so as fast as possible. And we encourage the Nigerians to do the right thing and release him.”

69,000 Bitcoins Are Headed for the US Treasury—While the Agent Who Seized Them Is in Jail

The Filter Portfolio Gallery WordPress plugin through 1.5 is lacking Cross-Site Request Forgery (CSRF) check when deleting a Gallery, which could allow attackers to make a logged in admin delete arbitrary Gallery.

CVE-2021-24795

The Simple Membership WordPress plugin before 4.0.9 does not have CSRF check when deleting members in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack

CVE-2022-0328

The Amelia WordPress plugin before 1.0.47 does not have CSRF check in place when deleting customers, which could allow attackers to make a logged in admin delete arbitrary customers via a CSRF attack

CVE-2022-0616

In Rancher 2.x before 2.6.13 and 2.7.x before 2.7.4, an incorrectly applied authorization check allows users who have certain access to a namespace to move that namespace to a different project.

CVE-2020-10676: Announcements

In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.

![Openwall](https://www.openwall.com/logo.png)

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Fri, 22 Apr 2022 02:43:27 +0200
From: David Bouman <dbouman03@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux: UaF due to concurrency issue in io\_uring timeouts

Hello list,

We (Jayden Rivers and David Bouman) are disclosing a bug we found in the 
Linux kernel's io\_uring subsystem. We have written a local privilege 
escalation PoC that can successfully elevate to system root from an 
unprivileged process (in a container). We will be releasing a blog post 
(including exploit code) in a week or two. It should be noted that 
unlike many Linux vulnerabilities that have surfaced recently, 
triggering this one does not require an attacker to have any kind of 
privileges (e.g. in a user namespace). This leaves many systems vulnerable.

We are still looking for a CNA representative that can assign a CVE 
number for this vulnerability; please contact us!

Kernel versions 5.10+ are affected, and linux-stable patches are already 
pushed. The upstream patch commit is 
e677edbcabee849bfdd43f1602bccbecf736a646 ("io\_uring: fix race between 
timeout flush and removal").

When the IORING\_OP\_TIMEOUT (T) and IORING\_OP\_LINK\_TIMEOUT (LT) opcodes 
are combined in a linked submission queue entry, and another request (B) 
finishes, a race might occur: namely, when due to the completion of B, T 
is cancelled (through the completion event count), and LT is canceled by 
its hrtimer at the same time. Whilst T is still being cleaned up, LT is 
already freed by a different execution context, and since they are 
linked, the cleanup of T retains a dangling reference to the now-freed 
LT. Hence, there's a use-after-free.

Exploitation-wise, the attacker can reallocate LT to another \`struct 
io\_kiocb\` and defer the UaF to e.g. a \`struct file\` (this is the 
technique we will describe in aforementioned blog post).

The race window is quite tight and the scenario is complicated, so the 
race can only be won very infrequently in our experience.

It is advised to upgrade your kernel to latest ASAP.

Greetings,

Jayden Rivers & David Bouman

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

![Powered by Openwall GNU/*/Linux](https://www.openwall.com/Owl/artwork/buttons/80x15/Owl-80x15-4.png) ![Powered by OpenVZ](https://www.openwall.com/images/OpenVZ-80x15-cd.png)

CVE-2022-29582: security - Linux: UaF due to concurrency issue in io_uring timeouts

Categories: Exploits and vulnerabilities
Categories: News
Tags: Google

Tags:  Android

Tags:  Qualcomm

Tags:  WLAN

Tags:  CVE-2022-25720

Tags:  CVE-2022-25718

Tags:  CVE-2022-25748

Tags:  CVE-2022-20419

Tags:  ActivityManager

Google has issued patches for 42 vulnerabilities, including four marked critical



(Read more...)




The post Android vulnerabilities could allow arbitrary code execution appeared first on Malwarebytes Labs.

Posted: October 6, 2022 by

Several vulnerabilities have been patched in the Google Android operating system (OS), the most severe of which could allow for arbitrary code execution. None of the vulnerabilities have been spotted in the wild.

Operating systems contain and manage all the programs and applications that a computer or mobile device is able to run. The Android OS was developed by Google for mobile devices like smartphones, tablets, smart watches, and more, and it's installed on more than 70 percent of the world's mobile phones.

Google'e latest security update for Android patched 42 vulnerabilities. Four of them received the label “critical”, of which three affect Qualcomm components. Qualcomm is a US-based chip maker that specializes in semiconductors, software, and services related to wireless technology.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The critical Qualcomm vulnerabilities all relate to the WLAN component and have the following CVEs:

*   CVE-2022-25748 has a CVSS score of 9.8 out of 10 and could be exploited to trigger memory corruption leading to arbitrary code execution.
*   CVE-2022-25718 has a CVSS score of 9.1 out of 10 and could allow a remote attacker to perform a machine in the middle (MitM) attack.
*   CVE-2022-25720 has a CVSS score of 9.8 out of 10 and could allow a remote attacker to execute arbitrary code on an Android device by sending it send specially crafted traffic.

Looking at the three vulnerabilities listed above it seems that someone has taken a good look at the initial connection and authentication routines inn the Qualcomm WLAN firmware. All three vulnerabilities seem to lie in the initial stages of a connection.

The Group temporal key is used to encrypt all broadcast and multicast traffic between an access point and multiple client devices. It is part of the four-way handshake between an access point and the client device to generate some encryption keys which can be used to encrypt actual data sent over wireless.

The other critical vulnerability is listed as CVE-2022-20419 is a vulnerability in Framework that could lead to local escalation of privilege (EoP) with no additional execution privileges needed. In the bug description we can find that any sensitive information passed into ActivityManager via ActivityOptions can make its way to an unrelated app. The ActivityManager allows developers to retrieve information about the device the app is running on, like available memory, running processes, and tasks that the user has most recently started or visited.

Google's updates will be rolled out for Android versions 10, 11, 12, 12L, and 13. Since some of the vulnerabilities are in suppliers’ software, not every device will need all the patches.

You can find your device's Android version number, security update level, and Google Play system level in your **Settings** app. You'll get notifications when updates are available for you, but you can also check for updates.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

Stay safe, everyone!

**RELATED ARTICLES**

Android vulnerabilities could allow arbitrary code execution

An exploitable integer overflow exists in the Joyent SmartOS 20161110T013148Z Hyprlofs file system. The vulnerability is present in the Ioctl system call with the command HYPRLOFS_ADD_ENTRIES when dealing with native file systems. An attacker can craft an input that can cause a kernel panic and potentially be leveraged into a full privilege escalation vulnerability. This vulnerability is distinct from CVE-2016-9031.

**Summary**

An exploitable integer overflow exists in the Joyent SmartOS OS 20161110T013148Z Hyprlofs file system. The vulnerability is present in the Ioctl system call with the command HYPRLOFS\_ADD\_ENTRIES when dealing with native file systems. An attacker can craft an input that can cause a kernel panic and potentially be leveraged into a full privilege escalation vulnerability. This vulnerability is distinct from CVE-2016-9031.

**Tested Versions**

Joyent SmartOS 20161110T013148Z

**Product URLs**

https://www.joyent.com/smartos

**CVSSv3 Score**

7.8 - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-190: Integer Overflow or Wraparound

**Details**

Joyent SmartOS is an operating system deployed by Joyent to be used as a hypervisor like solution meaning virtual machines will run on top of the system itself. SmartOS is unique in the fact that it is based on a fork of Opensolaris. This leaves many vulnerabilities in the kernel due to the fact that it is not as actively developed as other operating systems. Hyprlofs is a file system specifically designed for SmartOS which allows the creation of new virtual file systems quickly and easily. This was developed and designed to help make their product, Manta, possible.

Most of the controls for Hyprlofs go through the Ioctl calls. An Ioctl is a control function that operates on various streams in this case a file descriptor to the file system. Looking further into that code we can spot the vulnerability. The beginning of the function is shown below.

illumos-joyent-master/usr/src/uts/common/fs/hyprlofs/hyprlof_vnops.c:

        static int
    134    hyprlofs_ioctl(vnode_t *vp, int cmd, intptr_t data, int flag,
            cred_t *cr, int *rvalp, caller_context_t *ct)
        {
            int len, cnt, error; [1]
            ...
            if (secpolicy_hyprlofs_control(cr) != 0)
                return (EPERM);
            if (cmd == HYPRLOFS_ADD_ENTRIES || cmd == HYPRLOFS_RM_ENTRIES) { [2]
                if (model == DATAMODEL_NATIVE) {
                    model = get_udatamodel();
                    hyprlofs_entries_t ebuf;
                    hyprlofs_entry_t *e;
    160           if (copyin((void *)data, &ebuf, sizeof (ebuf)))
                        return (EFAULT);
                    cnt = ebuf.hle_len; [3]
                    if (cnt > MAX_IOCTL_PARAMS) [4]
                        return (EINVAL);
                    len = sizeof (hyprlofs_entry_t) * cnt;
     167          e = kmem_alloc(len, KM_SLEEP); [5]
                    if (copyin((void *)(ebuf.hle_entries), e, len)) { [6]
    

At \[1\] we see that these variables are labeled as integers. Continuing on we see that \[2\] is verifying which command we have chosen and if it is HYPRLOFS\_ADD\_ENTRIES it copies in the data directly from the user. The vulnerability is present at \[3\], when the user supplied length, which is an unsigned integer, becomes cast to a signed integer. This allows us to bypass the check at \[4\] by supplying an integer that is large enough to wrap around to a negative value when cast to an int. This then passes in a large value to malloc causing failure and a NULL to be returned. Since there is no check before use at \[6\], the kernel will subsequently write to the NULL page, leading to a potential privilege escalation from an exploit that has mapped the NULL page in userspace.

**Crash Information**

    ffffff0006b212a0 vpanic()
    ffffff0006b213d0 vmem_xalloc+0x78b(ffffff020140d000, ffffffffffffffe0, 1000, 0, 0, 0, 0, 0)
    ffffff0006b21440 vmem_alloc+0x135(ffffff020140d000, ffffffffffffffe0, 0)
    ffffff0006b21480 kmem_alloc+0x173(ffffffffffffffe0, 0)
    ffffff0006b21d50 hyprlofs_ioctl+0x18b(ffffff0215035980, 4801, fffffd7fffdffb90, 202001, ffffff021413a000, ffffff0006b21ea8, 0)
    ffffff0006b21de0 fop_ioctl+0x55(ffffff0215035980, 4801, fffffd7fffdffb90, 202001, ffffff021413a000, ffffff0006b21ea8, 0)
    ffffff0006b21f00 ioctl+0x9b(3, 4801, fffffd7fffdffb90)
    ffffff0006b21f10 sys_syscall+0x1a2()
    

**Timeline**

2016-12-01 - Vendor Disclosure  
2016-12-12 - Public Release

Discovered by Tyler Bohan of Cisco Talos.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us