Red Hat Security Advisory 2023-7479-01 - Red Hat OpenShift Container Platform release 4.11.54 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7479.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.11.54 bug fix and security update  
Advisory ID:        RHSA-2023:7479-01  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7479  
Issue date:         2023-11-29  
Revision:           01  
CVE Names:          CVE-2023-5408  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.11.54 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.11.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.54. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2023:7481

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

Security Fix(es):

* OpenShift: modification of node role labels (CVE-2023-5408)  
* golang: net/http, x/net/http2: rapid stream resets can cause excessive  
work (CVE-2023-44487) (CVE-2023-39325)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.11 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-5408

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2242173  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://issues.redhat.com/browse/OCPBUGS-18172  
https://issues.redhat.com/browse/OCPBUGS-19297  
https://issues.redhat.com/browse/OCPBUGS-19930  
https://issues.redhat.com/browse/OCPBUGS-22763  
https://issues.redhat.com/browse/OCPBUGS-22785  
https://issues.redhat.com/browse/OCPBUGS-23041  
https://issues.redhat.com/browse/OCPBUGS-23123  
https://issues.redhat.com/browse/OCPBUGS-23478

Red Hat Security Advisory 2023-7479-01

Red Hat Security Advisory 2023-7478-01 - Red Hat OpenShift Container Platform release 4.11.54 is now available with updates to packages and images that fix several bugs.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7478.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.11.54 security and extras update  
Advisory ID:        RHSA-2023:7478-01  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7478  
Issue date:         2023-11-29  
Revision:           01  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.11.54 is now available with updates to packages and images that fix several bugs.

This release includes a security update for Red Hat OpenShift Container Platform 4.11.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.54. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2023:7479

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive  
work (CVE-2023-44487) (CVE-2023-39325)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.11 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296

Red Hat Security Advisory 2023-7478-01

This is a custom firmware written for the Proxmark3 device. It extends the currently available firmware. This release is nicknamed Faraday.

Proxmark3 4.17511 Custom Firmware

The uninstaller in Fortra Digital Guardian Agent versions prior to 7.9.4 suffers from a cross site scripting vulnerability. Additionally, the Agent Uninstaller handles sensitive data insecurely and caches the Uninstall key in memory. This key can be used to stop or uninstall the application. This allows a locally authenticated attacker with administrative privileges to disable the application temporarily or even remove the application from the system completely.

SEC Consult Vulnerability Lab Security Advisory < 20231123-0 >  
=======================================================================  
               title: Uninstall Key Caching  
             product: Fortra Digital Guardian Agent Uninstaller  
                      (Data Loss Prevention)  
  vulnerable version: Agent: <7.9.4  
       fixed version: Agent: 7.9.4  
          CVE number: CVE-2023-6253  
              impact: High  
            homepage: https://www.fortra.com/product-lines/digital-guardian  
               found: 2023-05-16  
                  by: J. Kruchem (Office Vienna)  
                      B. Gründling (Office Vienna)  
                      D. Hirschberger (Office Bochum)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Digital Guardian is proud to be part of Fortra’s comprehensive cybersecurity  
portfolio. Fortra simplifies today’s complex cybersecurity landscape by bringing  
complementary products together to solve problems in innovative ways. These  
integrated, scalable solutions address the fast-changing challenges you face in  
safeguarding your organization. With the help of the powerful protection from  
Digital Guardian and others, Fortra is your relentless ally, here for you every  
step of the way throughout your cybersecurity journey."

Source: https://www.digitalguardian.com/

Business recommendation:  
------------------------  
SEC Consult recommends users of this platform to install the latest update.

Furthermore, an in-depth security analysis performed by security professionals is  
highly advised, as the software may be affected from other security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Stored Cross-Site Scripting  
The "PDF templates" feature is vulnerable against stored cross-site scripting  
because it allows inserting arbitrary HTML. Therefore, an administrator can  
create a malicious template which contains JavaScript and can send a link to  
this template to authenticated users.

According to the vendor, this feature works as intended and the associated risk  
is low, hence it will not be fixed.

2) UninstallKey Cached in Memory / Installer File (CVE-2023-6253)  
The Agent Uninstaller handles sensitive data insecurely and caches the Uninstall  
key in memory. This key can be used to stop or uninstall the application.  
This allows a locally authenticated attacker with administrative privileges  
to disable the application temporarily or even remove the application from the  
system completely.

Proof of concept:  
-----------------  
1) Stored Cross-Site Scripting  
According to the vendor, this feature works as intended and the associated risk  
is low, hence it will not be fixed.

When editing PDF templates in the Digital Guardian Management Console (DGMC)  
JavaScript code can be injected. By clicking on "preview" the XSS code gets  
triggered.

The "PDF templates" feature can be found in the System -> Configuration menu.  
Here, a new template can be uploaded, or an existing one can be edited. To  
exploit the issue, malicious JavaScript can be added to a template:

<xss_insert.png>

Afterwards, the XSS is executed when the template is previewed with the  
corresponding button:

<xss_trigger.png>

The attacker can also send the direct link to the template to the victim:  
https://DG_HOST/DigitalGuardian/PopUps/PDFTemplatePreview.aspx?name=XSS.htm

If a victim opens the link while authenticated, the JavaScript code will  
be executed.

2) UninstallKey Cached in Memory / Installer File (CVE-2023-6253)  
When executing the installer of the DG Agent (.msi) the uninstall key is  
pre-configured and can be read out (e.g. via Debugging).

First, the LocalPackage registry hive was identified, which reveals the MSI  
installation package located in the Windows directory:

<registry.png>

The file can be executed without local administrator privileges. When executed  
and clicked "Next", the Uninstall Key is prefilled as can be seen in the  
following figure:

<installer.png>

Note: For demonstration purposes and simplification of the proof of concept, the  
provided administrative access to the management console was used to append a  
unique string to the uninstall key so it can be found in the memory more  
efficiently. An attacker can also find the key without this modification. For  
this purpose, the string "sectest" was appended.

WinDbg can be used to extract this key. WinDbg can simply be attached to the  
process. Afterwards, the execution is paused in WinDbg and the following command  
is used to search for the unique string:  
 > s -u 0 L?FFFFFFFFFFFFFFFF "sectest"

The following figure shows the output of this command (since a very large memory  
space is searched, "Break" can be used to stop WinDbg from searching).

<windbg_1.png>

The memory space before "sectest" needs to be viewed to show the uninstall key.  
The command db 000001c6`165b63a8 can be used to show the memory, as can be seen  
in the following figure:

<windbg_2.png>

Thus, the original uninstall key is "dlpuninstall".

Furthermore, it can be used with the Terminator.exe found in the following path:  
"C:\Program Files\[...]\DLP"

Running the application and supplying the key via an elevated command prompt,  
it terminates all agent processes:

<terminator.png>

This binary can also be used to brute-force the correct Uninstall key, by  
repeatedly calling it with possible Uninstall key candidates:  
\.Terminator.exe <key candidate>

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested:  
* Management Console: 8.5.0.0317  
* Agent: 7.8.5.0048

The vendor confirmed that all current and previous versions are affected.

Vendor contact timeline:  
------------------------  
2023-06-12: Contacting vendor through email (info@fortra.com);  
             asking for security contact, no response.  
2023-06-26: Contacting vendor through same email again, no response.  
2023-07-28: Contacting vendor through a more direct email-channel, no response.  
2023-09-14: Sent another email to various email addresses found on the  
             website. Their "security.txt" file only points to inaccessible  
             pages (403 Access denied or 404 for the PGP key).  
2023-09-14: Vendor response (Fortra support contact): forwarded our email to  
             Digital Guardian support team.  
             Support team and product security team reply.  
2023-09-15: Asked for email encryption, received PGP key.  
2023-09-18: Sending encrypted security advisory.  
2023-09-19: Confirmation of receipt, team is working on verification and  
             development.  
2023-10-11: Asking for status update.  
             Vendor response: XSS could be replicated but functionality works  
             as intended and won't be fixed because of limited exposure.  
             Issue 2 could not be verified yet, but engineering has acknowledged  
             it as addressable. Fix is planned for Q4. All current and previous  
             versions are affected.  
2023-10-12: Asking for CVE number and if further input regarding vulnerability 2  
             is needed, no response.  
2023-10-17: Received ticket notification that next maintenance update version  
             7.9.4 should be available for customer testing in the near future.  
2023-11-09: Received ticket notification that version 7.9.4 is now GA for all  
             customers.  
2023-11-13: Sending advisory draft to vendor, asking for CVE number for issue 2  
             again, scheduling advisory release for next week.  
2023-11-17: Vendor response, no CVE number yet, we will request one ourselves.  
2023-11-23: Public release of security advisory.

Solution:  
---------  
The vendor provides an updated Agent version 7.9.4 which can be downloaded  
at the vendor's support page:  
https://www.digitalguardian.com/services/support

Access controls to the management console along with monitoring and preventive  
controls are recommended compensating controls for issue 1 according to the vendor.

Workaround:  
-----------  
To prevent disclosure of the uninstall key (issue 2) change it immediately after  
deploying the DG agent on the system.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult? Send us your application  
https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF J. Kruchem, B. Gründling, D. Hirschberger / @2023

Fortra Digital Guardian Agent Uninstaller Cross Site Scripting / UninstallKey Cached

Debian Linux Security Advisory 5568-1 - It was discovered that incorrect memory management in Fast DDS, a C++ implementation of the DDS (Data Distribution Service) might result in denial of service.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5568-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
November 27, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : fastdds  
CVE ID         : CVE-2023-42459  
Debian Bug     : 1054163

It was discovered that incorrect memory management in Fast DDS, a C++  
implementation of the DDS (Data Distribution Service) might result in  
denial of service.

The oldstable distribution (bullseye) is not affected.

For the stable distribution (bookworm), this problem has been fixed in  
version 2.9.1+ds-1+deb12u2.

We recommend that you upgrade your fastdds packages.

For the detailed security status of fastdds please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/fastdds

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVk6wsACgkQEMKTtsN8  
Tja2FRAAqpa1Zek52KcYiyQSucpEe6ZLajVfzKeGKvieFrfcf491GDYno3sQhF5w  
2uWRyZ3I1OjJk9uuFWj4ql2IwNs3nudefqR8OCEQk4oSZfnWBX4UWTMiuCncE1+g  
YobKkoWlGDGjpS36lT/GX+L9nfq46ERgZYPqQJjLb6xU+vJzGMo29LVGVDliF4VX  
5n7DZlVbnAWb+swXPp0sIIV/F5EPpdgbygisPSAVynCxF4eFqxQfiCOpkXkBdzKF  
27RSsJQJggfDaXiz11t8zkhWWJQU3pDyrRn79NfkyXc0IPNH4q2C0+vQZ4bHQLFD  
8NuoQqZ5Olqx9Z742z8+jXWpphP7nvEcEhItNFnZNE3EBqJ8T8Aum1NWC4vRSQIR  
8G/Ii9pd8dU7yTBGNbTSqyM8yTzMu4oEuvT309YVC4q3E2P51ZwUpgr7edPZRsXy  
+T8DgzVGgyB+iSVhxmmlUK0encc9O3JfVb0a8mCfM2DUSICJCTkXPYpZB5N4En57  
g8P/AF2u74Rq/y/SFwoJAZyE789wXDQOLTZJSQBmFbCSL+mLNe/8W8ZAl75TS2fE  
2YulahAVceLuy64TLXnOGNHmUiWFeoSY7Ad/NSQyjpCssPP7VcC5sJC94YgEsFey  
2/0mf72nviY4cT5K7D8f2cVnTR74Tc4ICVxbe2SMect/x8IRP/E=  
=eh2N  
-----END PGP SIGNATURE-----

Debian Security Advisory 5568-1

etcd-browser version 87ae63d75260 suffers from a directory traversal vulnerability.

An issue was discovered in server.js in etcd-browser 87ae63d75260. By  
supplying a /../../../ Directory Traversal input to the URL's GET  
request while connecting to the remote server port specified during  
setup, an attacker can retrieve local operating system files from the  
remote system.

------------------------------------------

[Vulnerability Type]  
Directory Traversal

------------------------------------------

[Vendor of Product]  
https://hub.docker.com/r/buddho/etcd-browser

------------------------------------------

[Affected Product Code Base]  
etcd-browser - Unknown

------------------------------------------

[Affected Component]  
the server.js file does not validate the path for files.

------------------------------------------

[Attack Type]  
Remote

------------------------------------------

[Impact Information Disclosure]  
true

------------------------------------------

[CVE Impact Other]  
Allow for a remote arbitrary user to obtain local operating system files

------------------------------------------

[Attack Vectors]  
The attacker must supply a /../../ technique to the server application  
running on the remote port specified during setup

------------------------------------------

[Reference]  
https://hub.docker.com/r/buddho/etcd-browser  
https://hub.docker.com/r/buddho/etcd-browser/tags

------------------------------------------

[Discoverer]  
Kevin Randall

etcd-browser 87ae63d75260 Directory Traversal

Ubuntu Security Notice 6513-2 - USN-6513-1 fixed vulnerabilities in Python. This update provides the corresponding updates for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. It was discovered that Python incorrectly handled certain plist files. If a user or an automated system were tricked into processing a specially crafted plist file, an attacker could possibly use this issue to consume resources, resulting in a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6513-2  
November 27, 2023

python3.8, python3.10, python3.11 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Python.

Software Description:  
- python3.11: An interactive high-level object-oriented language  
- python3.10: An interactive high-level object-oriented language  
- python3.8: An interactive high-level object-oriented language

Details:

USN-6513-1 fixed vulnerabilities in Python. This update provides the  
corresponding updates for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and  
Ubuntu 23.04.

Original advisory details:

  It was discovered that Python incorrectly handled certain plist files.  
  If a user or an automated system were tricked into processing a specially  
  crafted plist file, an attacker could possibly use this issue to consume  
  resources, resulting in a denial of service. (CVE-2022-48564)

  It was discovered that Python instances of ssl.SSLSocket were vulnerable  
  to a bypass of the TLS handshake. An attacker could possibly use this  
  issue to cause applications to treat unauthenticated received data before  
  TLS handshake as authenticated data after TLS handshake. (CVE-2023-40217)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   python3.11                      3.11.4-1~23.04.1

Ubuntu 22.04 LTS:  
   python3.10                      3.10.12-1~22.04.3

Ubuntu 20.04 LTS:  
   python3.8                       3.8.10-0ubuntu1~20.04.9

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6513-2  
   https://ubuntu.com/security/notices/USN-6513-1  
   CVE-2023-40217

Package Information:  
   https://launchpad.net/ubuntu/+source/python3.11/3.11.4-1~23.04.1  
https://launchpad.net/ubuntu/+source/python3.10/3.10.12-1~22.04.3  
https://launchpad.net/ubuntu/+source/python3.8/3.8.10-0ubuntu1~20.04.9

Ubuntu Security Notice USN-6513-2

Loytec LINX-151 with firmware version 7.2.4 and LINX-212 with firmware version 6.2.4 suffer from file disclosure vulnerabilities that leak secrets as well as issues with stories secrets in the clear.

    [+] CVE                                  : CVE-2023-46386, CVE-2023-46387, CVE-2023-46388, CVE-2023-46389  [+] Title                                 : Multiple vulnerabilities in Loytec L-INX Automation Servers[+] Vendor                            : LOYTEC electronics GmbH[+] Affected Product(s)      : LINX-151, Firmware 7.2.4, LINX-212, firmware 6.2.4[+] Affected Components : L-INX Automation Servers[+] Discovery Date              : 01-Sep-2021[+] Publication date           : 03-Nov-2023[+] Discovered by               : Chizuru Toyama of TXOne networks[Vulnerability Description]CVE-2023-46386 : Insecure Permissions'registry.xml' file contains hard-coded clear text credentials for  smtp client account. If an attacker succeeds in getting registry.xml file,  the email account could be compromised. Password should be encrypted.CVE-2023-46387 : Improper Access Control'/var/lib/lgtw/dpal_config.zml' file is accessible via file download API.  'dpal_config.wbx' which is extracted from 'dpal_config.zml' includessensitive configuration information such as smtp client information.   Authentication is required to exploit this vulnerability.http://<IP>:<port>/DT?filename=/var/lib/lgtw/dpal_config.zmlCVE-2023-46388 : Insecure Permissions'dpal_config.wbx' file contains hard-coded clear text credentials for  smtp client account. If an attacker succeeds in getting dpal_config.zml file,  the email account could be compromised. Password should be encrypted.CVE-2023-46389 : Improper Access Control'/tmp/registry.xml' file is accessible via file download API.  'registry.xml' includes device configuration information which includessensitive information such as smtp client information. Authentication isrequired to exploit this vulnerability.http://<IP>:<port>/DT?filename=/tmp/registry.xml[Timeline]01-Sep-2021 : Vulnerabilities discovered13-Oct-2021 : Trend Micro ZDI (Zero Day Initiative) reported to vendor (no response)07-Oct-2022 : ICS CERT reported to vendor (no response)03-Nov-2023 : Public Disclosure

Loytec L-INX Automation Servers Information Disclosure / Cleartext Secrets

Loytec LINX Configurator version 7.4.10 suffers from insecure transit and cleartext hardcoded secret vulnerabilities.

    [+] CVE                                 : CVE-2023-46383, CVE-2023-46384, CVE-2023-46385 [+] Title                                : Multiple vulnerabilities in Loytec LINX Configurator [+] Vendor                           : LOYTEC electronics GmbH[+] Affected Product(s)     : LINX Configurator 7.4.10[+] Affected Components : LINX Configurator[+] Discovery Date             : 01-Sep-2021[+] Publication date           : 03-Nov-2023[+] Discovered by               : Chizuru Toyama of TXOne networks[Vulnerability Description] CVE-2023-46383 : Insecure Permissions Loytec LINX Configurator could be connected to Loytec devices with an administrator credential, and it could configure device settings.  Since it uses HTTP Basic Authentication, which transmits usernames  and passwords in base64-encoded cleartext, so anyone could easily steal credentials if they sniff network traffics. Once obtaining the admin password, attackers could connect and control Loytec devices  via LINX configurator.  CVE-2023-46384 :  Insecure Permissions  Following registry key contains hard-coded clear text admin password  for recently connected Loytec device. (password cache) If an attacker  succeeds in getting this registry key value, attackers could connect  and control Loytec devices via LINX configurator.  Key: Computer\HKEY_CURRENT_USER\SOFTWARE\LOYTEC\LOYTEC LINX Configurator\OhioIni  Value name: ftp_pass  Value dada: <admin password> CVE-2023-46385 : Insecure Permissions When Loytec LINX Configurator connects to a device, it sends HTTP GET  request to login. Since cleartext password is passed as an URL parameter,  "password" without sufficient protection, anyone could easily steal  credentials if they sniff network traffics. Once obtaining the admin  password, attackers could connect and control Loytec devices via LINX  configurator. http://<IP>:<port>/webui/config/system?username=admin&password=<admin password>&login=Login[Timeline] 01-Sep-2021 : Vulnerabilities discovered 13-Oct-2021 : Trend Micro ZDI (Zero Day Initiative) reported to vendor (no response) 07-Oct-2022 : ICS CERT reported to vendor (no response) 03-Nov-2023 : Public Disclosure

Loytec LINX Configurator 7.4.10 Insecure Transit / Cleartext Secrets

A dangling pointer vulnerability is present in WebRTC's PacketRouter due to an SDP SIM group SSRC from one track (e.g., video) colliding with an existing SSRC from a different track (e.g., audio). This inconsistency between the send_modules_map_ and the send_modules_list_ can lead to a use after free.