
Dell VxRail, version(s) 8.0.100 and earlier contain a denial-of-service vulnerability in the upgrade functionality. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to degraded performance and system malfunction.



Artikkelin numero: 000214659

**Yhteenveto: Dell VxRail remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.**

**Artikkelin sisältö**

**Vaikutus**

Critical

**Tiedot**

**Third-Party** **Component**

**CVE(s)**

**More information**

Dell PowerEdge 14G Server BIOS - Out of Bounds Write Vulnerability

CVE-2023-25537

For more information,  
see DSA-2023-098

Dell PowerEdge Server - OpenSSL

CVE-2023-0215, CVE-2023-0286, CVE-2022-4304, CVE-2022-4450,

For more information,  
see DSA-2023-134

Dell PowerEdge Server - Tianocore EDK2

CVE-2021-38578

For more information,  
see DSA-2023-097

Dell PowerEdge Server - Intel Xeon

CVE-2022-33894, CVE-2022-38087

For more information,  
see DSA-2023-096

Cilium

CVE-2022-29179

For more information,  
see the NVD website

VMware ESXi  
 

CVE-2023-1017, CVE-2023-1018

For more information,  
see VMware’s release notes

CVE-2020-28196

For more information,  
see VMware’s release notes

SUSE

CVE-2023-30630, CVE-2023-29469, CVE-2023-28708, CVE-2023-28642, CVE-2023-28487, CVE-2023-28486, CVE-2023-28484, CVE-2023-28466, CVE-2023-28464, CVE-2023-28328, CVE-2023-28327, CVE-2023-27561, CVE-2023-27538, CVE-2023-27536, CVE-2023-27535, CVE-2023-27534, CVE-2023-27533, CVE-2023-27320, CVE-2023-26545, CVE-2023-25809, CVE-2023-25193, CVE-2023-25173, CVE-2023-25153, CVE-2023-25012, CVE-2023-24998, CVE-2023-24329, CVE-2023-23931, CVE-2023-23559, CVE-2023-23004, CVE-2023-23001, CVE-2023-23000, CVE-2023-22998, CVE-2023-22995, CVE-2023-21843,  CVE-2023-21835, CVE-2023-1981, CVE-2023-1838, CVE-2023-1652, CVE-2023-1637, CVE-2023-1611, CVE-2023-1582, CVE-2023-1513, CVE-2023-1281, CVE-2023-1175, CVE-2023-1170, CVE-2023-1127, CVE-2023-1118, CVE-2023-1095, CVE-2023-1078, CVE-2023-1076, CVE-2023-1075, CVE-2023-0687, CVE-2023-0597, CVE-2023-0512, CVE-2023-0466, CVE-2023-0465, CVE-2023-0464, CVE-2023-0461, CVE-2023-0394, CVE-2023-0361, CVE-2023-0045, CVE-2022-4899, CVE-2022-48303, CVE-2022-4744, CVE-2022-45143, CVE-2022-45061, CVE-2022-41862, CVE-2022-38096, CVE-2022-36280, CVE-2022-36109, CVE-2022-3555, CVE-2022-3523, CVE-2022-28737, CVE-2022-23471, CVE-2021-30560, CVE-2021-30465, CVE-2019-19921, CVE-2017-5753

For more information,  
see the SUSE website

 

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2023-32463

Dell VxRail, version(s) 8.0.100 and earlier contain a denial-of-service vulnerability in the upgrade functionality. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to degraded performance and system malfunction.

3.4

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen****Versiohistoria**

**Revision**

**Date**

**Description**

1.0

2023-06-13

Initial Release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

**Artikkelin ominaisuudet**

**Tuote, johon asia vaikuttaa**

VxRail, CloudArray Virtual Edition for VxRail Appliance, VMWare Cloud on Dell EMC VxRail E560F, VMWare Cloud on Dell EMC VxRail E560N, VxRail 460 and 470 Nodes, VxRail Appliance Family, VxRail Appliance Series, VxRail G410, VxRail G Series Nodes , VxRail D Series Nodes, VxRail D560, VxRail D560F, VxRail E Series Nodes, VxRail E460, VxRail E560, VxRail E560 VCF, VxRail E560F, VxRail E560F VCF, VxRail E560N, VxRail E560N VCF, VxRail E660, VxRail E660F, VxRail E660N, VxRail E665, VxRail E665F, VxRail E665N, VxRail G560, VxRail G560 VCF, VxRail G560F, VxRail G560F VCF, VxRail Gen2 Hardware, VxRail P Series Nodes, VxRail P470, VxRail P570, VxRail P570 VCF, VxRail P570F, VxRail P570F VCF, VxRail P580N, VxRail P580N VCF, VXRAIL P670F, VxRail P670N, VxRail P675F, VxRail P675N, VxRail S Series Nodes, VxRail S470, VxRail S570, VxRail S570 VCF, VxRail S670, VxRail Software, VxRail V Series Nodes, VxRail V470, VxRail V570, VxRail V570 VCF, VxRail V570F, VxRail V570F VCF, VXRAIL V670F, VxRail VD-4000R, VxRail VD-4000W, VxRail VD-4000Z, VxRail VD-4510C, VxRail VD-4520C, VxRail VD Series Nodes ...

**Edellinen julkaisupäivä**

22 kesäk. 2023

**Versio**

3

**Artikkelin tyyppi**

Dell Security Advisory

CVE-2023-32463: DSA-2023-200: Security Update for Dell VxRail for Multiple Third-Party Component Vulnerabilities

A deserialization of untrusted data in Fortinet FortiNAC below 7.2.1, below 9.4.3, below 9.2.8 and all earlier versions of 8.x allows attacker to execute unauthorized code or commands via specifically crafted request on inter-server communication port. Note FortiNAC versions 8.x will not be fixed.

** PSIRT Advisories**

**FortiNAC - java untrusted object deserialization RCE**

**Summary**

A deserialization of untrusted data vulnerability \[CWE-502\] in FortiNAC may allow an unauthenticated user to execute unauthorized code or commands via specifically crafted requests to the tcp/1050 service.

**Affected Products**

FortiNAC version 9.4.0 through 9.4.2  
FortiNAC version 9.2.0 through 9.2.7  
FortiNAC version 9.1.0 through 9.1.9  
FortiNAC version 7.2.0 through 7.2.1  
FortiNAC 8.8 all versions  
FortiNAC 8.7 all versions  
FortiNAC 8.6 all versions  
FortiNAC 8.5 all versions  
FortiNAC 8.3 all versions

**Solutions**

Please upgrade to FortiNAC version 9.4.3 or above  
Please upgrade to FortiNAC version 9.2.8 or above  
Please upgrade to FortiNAC version 9.1.10 or above  
Please upgrade to FortiNAC version 7.2.2 or above

**Acknowledgement**

Fortinet is pleased to thank Florian Hauser from CODE WHITE for reporting this vulnerability under responsible disclosure.

**Timeline**

2023-06-19: Initial publication

CVE-2023-33299: Fortiguard


A REST interface in Apache StreamPipes (versions 0.69.0 to 0.91.0) was not properly restricted to admin-only access. This allowed a non-admin user with valid login credentials to elevate privileges beyond the initially assigned roles.
The issue is resolved by upgrading to StreamPipes 0.92.0.



**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2023-31469

A directory traversal vulnerability in Safe Software FME Server before 2022.2.5 allows an attacker to bypass validation when editing a network-based resource connection, resulting in the unauthorized reading and writing of arbitrary files. Successful exploitation requires an attacker to have access to a user account with write privileges. FME Flow 2023.0 is also a fixed version.

Loading

×Sorry to interrupt

CSS Error

Refresh

CVE-2023-35801: FME Community

A permission issue in BigFix WebUI Insights site version 14 allows an authenticated, unprivileged operator to access an administrator page.


 

 Loading...

Skip to page contentSkip to chat

Skip to page contentSkip to chat

CVE-2023-23344: Knowledge Article View HCL - Customer Support

Sngrep v1.6.0 was discovered to contain a heap buffer overflow via the function capture_ws_check_packet at /src/capture.c.

Hello, Sngrep developers! We recently ran some fuzz testing on sngrep 1.6.0 and encountered a heap-buffer-overflow bug. The ASAN report is provided below.

\==909699==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200001137a at pc 0x00000049b787 bp 0x7fa0664f97f0 sp 0x7fa0664f8fb8  
READ of size 4 at 0x60200001137a thread T1  
#0 0x49b786 in \_\_asan\_memcpy (/home/root/sp/Fuzz/aflpp\_fuzz/Sngrep/sngrep/sngrep\_1/sngrep+0x49b786)  
#1 0x4d5def in capture\_ws\_check\_packet /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:923:9  
#2 0x4d177f in parse\_packet /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:444:9  
#3 0x7fa068139466 (/lib/x86\_64-linux-gnu/libpcap.so.0.8+0x23466)  
#4 0x7fa068127f67 in pcap\_loop (/lib/x86\_64-linux-gnu/libpcap.so.0.8+0x11f67)  
#5 0x4cf5c9 in capture\_thread /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:1042:5  
#6 0x7fa0680f9608 in start\_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread\_create.c:477:8  
#7 0x7fa067ea4132 in \_\_clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86\_64/clone.S:95

0x60200001137a is located 6 bytes to the right of 4-byte region \[0x602000011370,0x602000011374)  
allocated by thread T1 here:  
#0 0x49c3cd in \_\_interceptor\_malloc (/home/root/sp/Fuzz/aflpp\_fuzz/Sngrep/sngrep/sngrep\_1/sngrep+0x49c3cd)  
#1 0x4dc743 in packet\_set\_payload /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/packet.c:145:27  
#2 0x4d4bd5 in capture\_packet\_reasm\_tcp /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:788:9  
#3 0x4d1722 in parse\_packet /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:433:21  
#4 0x7fa068139466 (/lib/x86\_64-linux-gnu/libpcap.so.0.8+0x23466)

Thread T1 created by T0 here:  
#0 0x486a8c in pthread\_create (/home/root/sp/Fuzz/aflpp\_fuzz/Sngrep/sngrep/sngrep\_1/sngrep+0x486a8c)  
#1 0x4d712c in capture\_launch\_thread /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/capture.c:1027:13  
#2 0x4efb9e in main /home/root/sp/Dataset/Sngrep/sngrep-1.6.0/src/main.c:433:9  
#3 0x7fa067da9082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/root/sp/Fuzz/aflpp\_fuzz/Sngrep/sngrep/sngrep\_1/sngrep+0x49b786) in \_\_asan\_memcpy  
Shadow bytes around the buggy address:  
0x0c047fffa210: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd  
0x0c047fffa220: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa  
0x0c047fffa230: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa  
0x0c047fffa240: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd  
0x0c047fffa250: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa  
\=>0x0c047fffa260: fa fa 00 00 fa fa 00 fa fa fa fd fa fa fa 04\[fa\]  
0x0c047fffa270: fa fa fd fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fffa280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fffa290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fffa2a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fffa2b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==909699==ABORTING

**Command To Reproduce the bug:**

./sngrep -N -I $crash\_seed  
The URL of crash\_seed is crash\_seed

**Environment**

*   OS: Ubuntu 20.04
*   gcc 9.4.0
*   ndisasm: 1.6.0

Many Thanks.

CVE-2023-36192: heap-buffer-overflow on capture.c:923:9 · Issue #438 · irontec/sngrep

sqlite3 v3.40.1 was discovered to contain a segmentation violation at /sqlite3_aflpp/shell.c.

sqlite3 SEGV on unknown address 0x000000000000

When running sqlite3 like the command below:

./sqlite3 -nonce

the program will cause SEGV on unknown address 0x000000000000 error.

shell.c:26109-26111

        }else if( cli_strcmp(z,"-nonce")==0 ){
          free(data.zNonce);
          data.zNonce = strdup(argv[++i]);
    

**Test Environment**

Ubuntu 20.04, 64 bit sqlite3 (version: 3.40.1)

**How to trigger**

1.  Compile the program with AddressSanitizer
2.  Run command $ ./sqlite3 -nonce

**Details****ASAN report**

    $ ./sqlite3 -nonce  
    ```
    

\==935238==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff7d196e5 bp 0x7fffffffc9d0 sp 0x7fffffffc188 T0) ==935238==The signal is caused by a READ memory access. ==935238==Hint: address points to the zero page. #0 0x7ffff7d196e5 /build/glibc-SzIz7B/glibc-2.31/string/../sysdeps/x86\_64/multiarch/strlen-avx2.S:65 #1 0x486902 in strdup (/home/ned158/sp/Dataset/Sqlite3/sqlite3\_aflpp/install/bin/sqlite3+0x486902) #2 0x4e70db in main /home/ned158/sp/Dataset/Sqlite3/sqlite3\_aflpp/shell.c:26111:21 #3 0x7ffff7bb5082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 #4 0x41e6bd in \_start (/home/ned158/sp/Dataset/Sqlite3/sqlite3\_aflpp/install/bin/sqlite3+0x41e6bd)

AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /build/glibc-SzIz7B/glibc-2.31/string/../sysdeps/x86\_64/multiarch/strlen-avx2.S:65 ==935238==ABORTING \`\`\`

CVE-2023-36191: SQLite Forum: Report bugs against SQLite.

Gifsicle v1.9.3 was discovered to contain a heap buffer overflow via the ambiguity_error component at /src/clp.c.

Hello, Gifsicle developers! We recently ran some fuzz testing on gifsicle 1.93 and encountered a heap-buffer-overflow bug.

**Command To Reproduce the bug:**

./gifsicle --loopcount=-

**Environment**

*   OS: Ubuntu 20.04
*   gcc 9.4.0
*   gifsicle 1.93

**ASAN Report**

\=================================================================  
\==956047==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000005a at pc 0x0000004dd2b4 bp 0x7ffcf8c9a7f0 sp 0x7ffcf8c9a7e8  
READ of size 1 at 0x60300000005a thread T0  
#0 0x4dd2b3 in ambiguity\_error /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:2395:62  
#1 0x4d17b1 in parse\_string\_list /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:1216:9  
#2 0x4d949e in Clp\_Next /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:1967:6  
#3 0x5a235f in main /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/gifsicle.c:1533:15  
#4 0x7fdb41691082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16  
#5 0x41d4cd in \_start (/home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/install/bin/gifsicle+0x41d4cd)

0x60300000005a is located 2 bytes to the right of 24-byte region \[0x603000000040,0x603000000058)  
allocated by thread T0 here:  
#0 0x499c7d in \_\_interceptor\_malloc (/home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/install/bin/gifsicle+0x499c7d)  
#1 0x4d4a20 in finish\_string\_list /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:1230:50  
#2 0x4d47fc in Clp\_AddStringListType /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:1332:9  
#3 0x5a1e11 in main /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/gifsicle.c:1461:3  
#4 0x7fdb41691082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/root/sp/Dataset/Gifsicle/gifsicle\_aflpp/src/clp.c:2395:62 in ambiguity\_error  
Shadow bytes around the buggy address:  
0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c067fff8000: fa fa 00 00 00 00 fa fa 00 00 00\[fa\]fa fa 00 00  
0x0c067fff8010: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa  
0x0c067fff8020: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==956047==ABORTING

Many Thanks.  
cheng meng da

CVE-2023-36193: heap-buffer-overflow in ambiguity_error · Issue #191 · kohler/gifsicle

Yet Another Reverse Proxy (YARP) Denial of Service Vulnerability

CVE-2023-33141

OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of free memory to the logging service AFTER the connection has been closed, when it should have logged the data right before. This is a use-after-free bug that impacts the entire cupsd process.

The exact cause of this issue is the function `httpClose(con->http)` being called in `scheduler/client.c`. The problem is that httpClose always, provided its argument is not null, frees the pointer at the end of the call, only for cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function `cupsdAcceptClient` if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP Address (HostNameLookups Double is set in `cupsd.conf`) which fails to resolve, or if CUPS is compiled with TCP wrappers and the connection is refused by rules from `/etc/hosts.allow` and `/etc/hosts.deny`.

Version 2.4.6 has a patch for this issue.

Expand Up

@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd\_listener\_t \*lis)/\* I - Listener socket \*/

/\*

\* Can't have an unresolved IP address with double-lookups enabled...

\*/

  

httpClose(con\->http);

  

cupsdLogClient(con, CUPSD\_LOG\_WARN,

"Name lookup failed - connection from %s closed!",

"Name lookup failed - closing connection from %s!",

httpGetHostname(con\->http, NULL, 0));

  

httpClose(con\->http);

free(con);

return;

}

Expand Down Expand Up

@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd\_listener\_t \*lis)/\* I - Listener socket \*/

\* with double-lookups enabled...

\*/

  

httpClose(con\->http);

  

cupsdLogClient(con, CUPSD\_LOG\_WARN,

"IP lookup failed - connection from %s closed!",

"IP lookup failed - closing connection from %s!",

httpGetHostname(con\->http, NULL, 0));

  

httpClose(con\->http);

free(con);

return;

}

Expand All

@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd\_listener\_t \*lis)/\* I - Listener socket \*/

  

if (!hosts\_access(&wrap\_req))

{

httpClose(con\->http);

  

cupsdLogClient(con, CUPSD\_LOG\_WARN,

"Connection from %s refused by /etc/hosts.allow and "

"/etc/hosts.deny rules.", httpGetHostname(con\->http, NULL, 0));

  

httpClose(con\->http);

free(con);

return;

}

Expand Down

Source

CVE