m-privacy TightGate-Pro suffers from code execution, insecure permissions, deletion mitigation, and outdated server vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20231122-0 >  
=======================================================================  
               title: Multiple Vulnerabilities  
             product: m-privacy TightGate-Pro  
  vulnerable version: Rolling Release, servers with the following package  
                      versions are vulnerable:  
                      tightgatevnc < 4.1.2~1  
                      rsbac-policy-tgpro < 2.0.159  
                      mprivacy-tools < 2.0.406g  
       fixed version: Servers with the following package versions and higher:  
                      mprivacy-tools_2.0.406g  
                      tightgatevnc_4.1.2~1  
                      rsbac-policy-tgpro_2.0.159  
          CVE number: CVE-2023-47250, CVE-2023-47251  
              impact: high  
            homepage: https://www.m-privacy.de/en/tightgate-pro-safe-surfing/  
               found: 2023-08-18  
                  by: Daniel Hirschberger (Office Bochum)  
                      Steven Kurka (Office Essen)  
                      Marco Schillinger (Office Nürnberg)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"TightGate-Pro is a ReCoB system. ReCoBS stands for Remote-Controlled Browser  
System, literally translated 'remote-controlled web browser'. TightGate-Pro  
physically separates the web browser execution environment from the workstation.  
The system thus shields the internal network from the Internet and reliably  
and preventively prevents attacks via the web browser. TightGate-Pro is the  
strongest dedicated ReCoBS, because only physical outsourcing on a hardened  
system permanently withstands attacks. Local virtualisations, sandboxing  
systems or micro-virtualisations do not offer effective protection.  
TightGate-Pro is used in public authorities, financial institutions, industrial  
companies and critical infrastructures – in short, everywhere where “safe  
surfing on the Internet” is indispensable at the workplace and internal  
infrastructures must be reliably protected. TightGate-Pro is BSI-certified  
according to EAL3+."

Source: https://www.m-privacy.de/en/tightgate-pro-safe-surfing/

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Code Execution  
Execution of single commands and scripts is possible with the privileges of  
the current user. Code execution is possible with any file type on the  
server and no specific permissions need to be set for the utilized file.

Vendor response (translated):  
"It is intended behavior to execute arbitrary bash scripts. It is not possible  
to execute arbitrary programs and libraries. There is no privilege escalation  
possible with this vulnerability."

We can confirm that it was not possible to escalate privileges during our test.

2) Access to all Desktops (CVE-2023-47250)  
Multiple users are connecting to the same TightGate-Pro server, resulting in  
one instance of the X11 window system. Due to insecure permissions of the  
X11 sockets it is possible for any user to open arbitrary windows on the  
desktop of other users for phishing attacks or installing a keylogger  
directly.

Vendor response (translated):  
"We acknowledge this issue as a important vulnerability. A fix with full  
RSBAC-Jail-Separation and changed Linux-Filesystem permissions is currently  
available in the "Prestable" packages:  
- mprivacy-tools_2.0.406g  
- tightgatevnc_4.1.2~1  
- rsbac-policy-tgpro_2.0.159  
These can be applied by the admin user "update". The updates will be provided  
automatically as Hotfix around 2023-10-24."

3) File Transfer by Abusing the Print function (CVE-2023-47251)  
TightGate-Pro allows printing PDF documents on the host system. Documents are  
transferred to the host, printed and deleted afterwards. An attacker is able  
to control the path of the transferred file and to prevent the automatic  
deletion of the file.

Vendor response (translated):  
"This is not a severe finding but we already fixed it. The fixes are available  
in the packages:  
- mprivacy-tools_2.0.406g  
- tightgatevnc_4.1.2~1

Now the .spool directly is always scanned for malicious data and the VNC- client  
does not transfer files which contain path symbols (e.g. ../)."

4) Outdated Update Server  
Based on disclosed version numbers the update server is running outdated software  
with known vulnerabilities. The criticality of this issue depends on the  
exploitability of these issues.

Vendor response (translated):  
"The old version of thttpd is already known. This is not seen as security-relevant.  
The access to the updateserver requires a previous registration of a customer-  
provided SSH key, which is only available to administrators on the TightGate-Pro  
instance. thttpd is isolated on the updateserver and can only *read* files.

Even if an attacker can write malicious updatepackages, these are still secured  
by a cryptographic signature and would not be installed on TightGate-Pro instances.  
We will eventually replace thttpd with lighthttpd which is still supported."

Proof of concept:  
-----------------  
1) Code Execution  
Code execution is possible using the context menu of any file in the VNC session  
of TightGate-Pro. Selecting "Öffnen mit" (Open with) in the context menu of any  
file and  selecting the "Benutzerdefinierte Befehlszeile" (custom commandline)  
section of the menu allows to provide a custom shell command to be executed:

[advisory_ce_open_with.png]  
[advisory_ce_custom_command.png]

At this point there are two possible options:  
In case the selected file is a bash script typing `/bin/bash` as custom command  
will execute the script. For this PoC the following script has been used:

```  
#!bin/bash  
echo poc >> /home/user/testuser/Desktop/test/PoC2.txt  
```

In case any other file is selected a complete command can be used as well.  
A possible example is listed below:  
`/bin/bash -c "echo poc >> /home/user/testuser/Desktop/test/PoC2.txt"`

According to vendor, arbitrary code execution is not possible as programs and  
libraries won't be executed.

2) Access to all Desktops (CVE-2023-47250)  
A normal user without special permissions has read and write access to all X11  
sockets stored in the temp folder of the user TightGate-Pro, visible in the  
following screenshot:

[advisory_desktop_access_x11_perms.png]

This allows any user for example to open dialogue boxes on the desktop of the  
currently connected users as shown in the following screenshots. The command  
used is listed below.

`/bin/bash -c 'for i in $(ls /home/tmpdir/tmp510/.X11-unix | cut -b 2-); do  
DISPLAY=unix:"$i".0 zenity --password --username & done;'`

[advisory_desktop_access_gui_triggered.png]

As it can be seen in the following screenshot any input to the dialogue boxes  
can be read by the attacker.

[advisory_desktop_access_result.png]

3) File Transfer by Abusing the Print function (CVE-2023-47251)  
File transfers can be triggered for PDF files which are stored in the  
`/home/user/.spool/<username>` directory. By setting a relative path as file  
name, the file can be stored in any user directory on the host system.  
In case the file name contains Unicode characters, deletion of the file is  
not executed after transfer and closing of the print prompt. To store a file  
on the user's desktop, the name `..\\..\\..\\..\\..\\Desktop\\Ỻeicar.pdf`  
can be used. The transfer can then be triggered by sending the  
signal `SIGUSR2` to the `Xtightgatevnc` process:

```  
cp eicar.pdf '/home/user/.spool/<username>/..\\..\\..\\..\\..\\Desktop\\Ỻeicar.pdf'  
pkill -u $USER --signal SIGUSR2 Xtightgatevnc  
```

In addition, this file transfer does not check if any malicious files are  
transferred to the host system. The following screenshot shows the warning of  
a malware scanner after an eicar testfile was transferred. It is therefore  
possible to circumvent the malware scanner of TightGate-Pro which only runs  
if the intended way of transfer, namely the TightGate-Schleuse, is used.

[advisory_file_transfer_mal_file.png]

4) Outdated Update Server  
Access to the update server is possible with the ssh key stored at  
`/etc/cu/id_ed25519` and ssh port forwarding. The ssh key is customized  
for each customer. Root access is needed to retrieve the key.  
The command used for the forwarding is listed below:

```  
ssh -N -L 8000:localhost:85 tgpro13@update.m-privacy.de -i id_ed25519 -v  
```

Afterwards access is possible at `http:127.0.0.1:8000`.  
The server headers return the version of the webserver:  
`thttpd/2.25b 29dec2003`

[advisory_outdated_server.png]

This version has in sum four known vulnerabilities (high and medium) listed:  
* CVE-2006-1078  
* CVE-2006-1079  
* CVE-2007-0664  
* CVE-2009-4491

Vulnerable / tested versions:  
-----------------------------  
A TightGate-Pro server with the following package versions was used  
for testing:

* tightgatevnc < 4.1.2~1  
* rsbac-policy-tgpro < 2.0.159  
* mprivacy-tools < 2.0.406g

Vendor contact timeline:  
------------------------  
2023-10-11: Contacting vendor through info@m-privacy.de via GPG  
2023-10-13: CEO of m-privacy phones us and thanks us for the advisory,  
             a developer will send us a written statement next week.  
2023-10-16: Received a written statement of their lead developer;  
             the vulnerabilities #2 (Access to all Desktops) and  
             #3 (File Transfer by Abusing the Print function) are  
             confirmed and a fix is available  
             #1 is seen as a feature not a bug, #4 is claimed to be  
             prevented by hardening measures on the server, also  
             thttpd will be replaced by lighthttpd in the future.  
2023-10-24: We ask for some clarifications regarding software  
             versions and advisory publication date.  
2023-10-29: Vendor provides software version information and asks us  
             to publish the advisory after 2023-11-06.  
2023-11-22: Public release of security advisory.

Solution:  
---------  
Install the "Prestable" packages or wait until they are available as hotfix:  
* mprivacy-tools_2.0.406g  
* tightgatevnc_4.1.2~1  
* rsbac-policy-tgpro_2.0.159

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Daniel Hirschberger, Steven Kurka, Marco Schillinger / @2023

m-privacy TightGate-Pro Code Execution / Insecure Permissions

Ubuntu Security Notice 6402-2 - USN-6402-1 fixed vulnerabilities in LibTomMath. This update provides the corresponding updates for Ubuntu 23.10. It was discovered that LibTomMath incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code and cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6402-2  
November 27, 2023

libtommath vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10

Summary:

LibTomMatch could be made to execute arbitrary code or  
denial of service if it received a specially crafted input.

Software Description:  
- libtommath: multiple-precision integer library [development files]

Details:

USN-6402-1 fixed vulnerabilities in LibTomMath. This update  
provides the corresponding updates for Ubuntu 23.10.

Original advisory details:

 It was discovered that LibTomMath incorrectly handled certain inputs.  
 An attacker could possibly use this issue to execute arbitrary code  
 and cause a denial of service (DoS).

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
  libtommath1                     1.2.0-6ubuntu0.23.10.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6402-2  
  https://ubuntu.com/security/notices/USN-6402-1  
  CVE-2023-36328

Package Information:  
  https://launchpad.net/ubuntu/+source/libtommath/1.2.0-6ubuntu0.23.10.1

Ubuntu Security Notice USN-6402-2

Ubuntu Security Notice 6502-2 - Ivan D Barrera, Christopher Bednarz, Mustafa Ismail, and Shiraz Saleem discovered that the InfiniBand RDMA driver in the Linux kernel did not properly check for zero-length STAG or MR registration. A remote attacker could possibly use this to execute arbitrary code. Yu Hao discovered that the UBI driver in the Linux kernel did not properly check for MTD with zero erasesize during device attachment. A local privileged attacker could use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6502-2November 27, 2023linux-oracle vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.04Summary:Several security issues were fixed in the Linux kernel.Software Description:- linux-oracle: Linux kernel for Oracle Cloud systemsDetails:Ivan D Barrera, Christopher Bednarz, Mustafa Ismail, and Shiraz Saleemdiscovered that the InfiniBand RDMA driver in the Linux kernel did notproperly check for zero-length STAG or MR registration. A remote attackercould possibly use this to execute arbitrary code. (CVE-2023-25775)Yu Hao discovered that the UBI driver in the Linux kernel did not properlycheck for MTD with zero erasesize during device attachment. A localprivileged attacker could use this to cause a denial of service (systemcrash). (CVE-2023-31085)Manfred Rudigier discovered that the Intel(R) PCI-Express Gigabit (igb)Ethernet driver in the Linux kernel did not properly validate receivedframes that are larger than the set MTU size, leading to a buffer overflowvulnerability. An attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-45871)Maxim Levitsky discovered that the KVM nested virtualization (SVM)implementation for AMD processors in the Linux kernel did not properlyhandle x2AVIC MSRs. An attacker in a guest VM could use this to cause adenial of service (host kernel crash). (CVE-2023-5090)It was discovered that the SMB network file sharing protocol implementationin the Linux kernel did not properly handle certain error conditions,leading to a use-after-free vulnerability. A local attacker could use thisto cause a denial of service (system crash) or possibly execute arbitrarycode. (CVE-2023-5345)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.04:   linux-image-6.2.0-1016-oracle   6.2.0-1016.17   linux-image-oracle              6.2.0.1016.16After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6502-2   https://ubuntu.com/security/notices/USN-6502-1   CVE-2023-25775, CVE-2023-31085, CVE-2023-45871, CVE-2023-5090,   CVE-2023-5345Package Information:   https://launchpad.net/ubuntu/+source/linux-oracle/6.2.0-1016.17

Ubuntu Security Notice USN-6502-2

Ubuntu Security Notice 6516-1 - Ivan D Barrera, Christopher Bednarz, Mustafa Ismail, and Shiraz Saleem discovered that the InfiniBand RDMA driver in the Linux kernel did not properly check for zero-length STAG or MR registration. A remote attacker could possibly use this to execute arbitrary code. Yu Hao and Weiteng Chen discovered that the Bluetooth HCI UART driver in the Linux kernel contained a race condition, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6516-1  
November 27, 2023

linux-intel-iotg, linux-intel-iotg-5.15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-intel-iotg: Linux kernel for Intel IoT platforms  
- linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms

Details:

Ivan D Barrera, Christopher Bednarz, Mustafa Ismail, and Shiraz Saleem  
discovered that the InfiniBand RDMA driver in the Linux kernel did not  
properly check for zero-length STAG or MR registration. A remote attacker  
could possibly use this to execute arbitrary code. (CVE-2023-25775)

Yu Hao and Weiteng Chen discovered that the Bluetooth HCI UART driver in  
the Linux kernel contained a race condition, leading to a null pointer  
dereference vulnerability. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2023-31083)

Yu Hao discovered that the UBI driver in the Linux kernel did not properly  
check for MTD with zero erasesize during device attachment. A local  
privileged attacker could use this to cause a denial of service (system  
crash). (CVE-2023-31085)

Lin Ma discovered that the Netlink Transformation (XFRM) subsystem in the  
Linux kernel contained a null pointer dereference vulnerability in some  
situations. A local privileged attacker could use this to cause a denial of  
service (system crash). (CVE-2023-3772)

Manfred Rudigier discovered that the Intel(R) PCI-Express Gigabit (igb)  
Ethernet driver in the Linux kernel did not properly validate received  
frames that are larger than the set MTU size, leading to a buffer overflow  
vulnerability. An attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-45871)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1045-intel-iotg  5.15.0-1045.51  
   linux-image-intel-iotg          5.15.0.1045.45

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1045-intel-iotg  5.15.0-1045.51~20.04.1  
   linux-image-intel               5.15.0.1045.51~20.04.35  
   linux-image-intel-iotg          5.15.0.1045.51~20.04.35

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6516-1  
   CVE-2023-25775, CVE-2023-31083, CVE-2023-31085, CVE-2023-3772,  
   CVE-2023-45871

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1045.51

 https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1045.51~20.04.1

Ubuntu Security Notice USN-6516-1

SmartNode SN200 versions 3.21.2-23021 and below suffer from a remote command execution vulnerability.

Advisory ID: SYSS-2023-019  
Product: SmartNode SN200 Analog Telephone Adapter (ATA) & VoIP Gateway  
Manufacturer: Patton LLC  
Affected Version(s): <= 3.21.2-23021  
Tested Version(s): 2.21.1-22041, 3.21.2-23021, 3.22.0-23083  
Vulnerability Type: OS Command Injection (CWE-78)  
Vulnerability Type: Improper Access Control (CWE-284)  
Risk Level: High  
Solution Status: Open  
Manufacturer Notification: 2023-07-05  
Public Disclosure: 2023-08-28  
CVE Reference: CVE-2023-41109  
Author of Advisory: Maurizio Ruchay, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

SmartNode SN200 is a VoIP appliance which is manufactured and  
distributed by Patton LLC.

The manufacturer describes the product as follows (see [1]):

"The SmartNode 200 Series of VoIP Analog Telephone Adapter and VoIP Phone  
Adapter Gateways support up to four telephone connections. VoIP Analog Phone  
Adapter integrates legacy Phones and Fax machines into a UCC Environment.  
High-quality voice and reliable fax over any IP network. All-IP does not end  
when analog terminals have to be integrated. Security and quality guaranteed."

Due to an error in the authorization mechanism and improper input validation,  
the device allows unauthenticated adversaries to execute OS commands via  
the web interface.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found an unauthenticated OS command injection vulnerability in  
SmartNode 200 (SN200) devices.

The SN200 devices offer a "Network Diagnostic Commands" feature to  
administrative users. This feature is designed to execute network diagnostic  
commands like ping. However, as SySS GmbH discovered, the feature can be  
used to execute arbitrary system commands.  
Furthermore, a flaw in the authorization mechanism was found. This issue allows  
unauthenticated adversaries to execute system commands via the affected feature.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following HTTP request shows how the system command "id" is executed  
on the device:

===  
POST /rest/xxxxxxxxxxxxxxx/xxxxxxx?executeAsync HTTP/1.1  
Cookie: AuthToken=; AuthGroup=superuser; UserName=admin  
[... shortened ...]  
Connection: close

{"cmd":"/usr/bin/id","arguments":[]}  
===

The following output from the web interface shows that the command has  
been executed:

===  
*** Command started ***  
[... shortened ...]  
uid=0(root) gid=0(root)

PING 127.0.0.1 (127.0.0.1): 56 data bytes  
64 bytes from 127.0.0.1: seq=0 ttl=64 time=1.025 ms  
64 bytes from 127.0.0.1: seq=1 ttl=64 time=1.781 ms

*** Command completed ***  
===

Especially noteworthy is that an empty cookie "AuthToken" can be used in  
order to bypass the authorization checks.

Since the vulnerability is still active, parts of the PoC have been redacted.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

A patch for this issue is not yet available. Therefore, it is recommended to  
disable the vulnerable "Network Diagnostic Commands" feature if possible.  
Furthermore, it is advised to block network access to the HTTP interface  
either on the device directly or via firewall.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-06-28: Vulnerability discovered  
2023-07-05: Vulnerability reported to manufacturer  
2023-08-28: Public disclosure of vulnerability  
2023-10-13: Vulnerability confirmation on the newly released update 3.22.0-23083

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for SmartNode SN200  
     https://www.patton.com/voip-gateway/sn200/  
[2] OWASP OS Command Injection Defense Cheat Sheet  
     https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy  
[4] SySS Security Advisory SYSS-2023-019  
     https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-019.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Maurizio Ruchay of SySS GmbH.

E-Mail: maurizio.ruchay@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Maurizio_Ruchay.asc  
Key ID: 0xEDA7235FA5478A8C  
Key Fingerprint: 9AA6 D02F C74F 3EDE C1CE  AE51 EDA7 235F A547 8A8C

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: https://creativecommons.org/licenses/by/3.0/deed.en

SmartNode SN200 3.21.2-23021 OS Command Injection

Red Hat Security Advisory 2023-7517-01 - An update is now available for Red Hat Ansible Automation Platform 2.4.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7517.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix UpdateAdvisory ID:        RHSA-2023:7517-01Product:            Red Hat Ansible Automation PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7517Issue date:         2023-11-27Revision:           01CVE Names:          CVE-2023-39321====================================================================Summary: An update is now available for Red Hat Ansible Automation Platform 2.4Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.Security Fix(es):* receptor: golang: crypto/tls: panic when processing post-handshake message on QUIC connections (CVE-2023-39321)* receptor: golang: crypto/tls: lack of a limit on buffered post-handshake (CVE-2023-39322 )For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional changes for receptor:* Always clean up timed out connections (AAP-16951)* receptor has been updated to 1.4.3Solution:CVEs:CVE-2023-39321References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2237777https://bugzilla.redhat.com/show_bug.cgi?id=2237778

Red Hat Security Advisory 2023-7517-01

Red Hat Security Advisory 2023-7515-01 - The components for Red Hat OpenShift for Windows Containers 9.0.0 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Issues addressed include a privilege escalation vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7515.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat OpenShift for Windows Containers 9.0.0 security update  
Advisory ID:        RHSA-2023:7515-01  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7515  
Issue date:         2023-11-27  
Revision:           01  
CVE Names:          CVE-2023-3676  
====================================================================

Summary: 

The components for Red Hat OpenShift for Windows Containers 9.0.0 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift for Windows Containers allows you to deploy Windows container workloads running on Windows Server nodes.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.

* kubernetes: Insufficient input sanitization on Windows nodes leads to privilege escalation (CVE-2023-3676) (CVE-2023-3955)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-3676

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2227126  
https://bugzilla.redhat.com/show_bug.cgi?id=2227128  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://issues.redhat.com/browse/OCPBUGS-10222  
https://issues.redhat.com/browse/OCPBUGS-10437  
https://issues.redhat.com/browse/OCPBUGS-10572  
https://issues.redhat.com/browse/OCPBUGS-11259  
https://issues.redhat.com/browse/OCPBUGS-11306  
https://issues.redhat.com/browse/OCPBUGS-12971  
https://issues.redhat.com/browse/OCPBUGS-13244  
https://issues.redhat.com/browse/OCPBUGS-13780  
https://issues.redhat.com/browse/OCPBUGS-14700  
https://issues.redhat.com/browse/OCPBUGS-15461  
https://issues.redhat.com/browse/OCPBUGS-19040  
https://issues.redhat.com/browse/OCPBUGS-19949  
https://issues.redhat.com/browse/OCPBUGS-20054  
https://issues.redhat.com/browse/OCPBUGS-20067  
https://issues.redhat.com/browse/OCPBUGS-20191  
https://issues.redhat.com/browse/OCPBUGS-20664  
https://issues.redhat.com/browse/OCPBUGS-22328  
https://issues.redhat.com/browse/OCPBUGS-22711  
https://issues.redhat.com/browse/WINC-1001  
https://issues.redhat.com/browse/WINC-1003  
https://issues.redhat.com/browse/WINC-1004  
https://issues.redhat.com/browse/WINC-1010  
https://issues.redhat.com/browse/WINC-1023  
https://issues.redhat.com/browse/WINC-1025  
https://issues.redhat.com/browse/WINC-1033  
https://issues.redhat.com/browse/WINC-1035  
https://issues.redhat.com/browse/WINC-1037  
https://issues.redhat.com/browse/WINC-1040  
https://issues.redhat.com/browse/WINC-1043  
https://issues.redhat.com/browse/WINC-1090  
https://issues.redhat.com/browse/WINC-1092  
https://issues.redhat.com/browse/WINC-1098  
https://issues.redhat.com/browse/WINC-561  
https://issues.redhat.com/browse/WINC-633  
https://issues.redhat.com/browse/WINC-635  
https://issues.redhat.com/browse/WINC-637  
https://issues.redhat.com/browse/WINC-688  
https://issues.redhat.com/browse/WINC-805  
https://issues.redhat.com/browse/WINC-860  
https://issues.redhat.com/browse/WINC-861  
https://issues.redhat.com/browse/WINC-863  
https://issues.redhat.com/browse/WINC-945  
https://issues.redhat.com/browse/WINC-948  
https://issues.redhat.com/browse/WINC-950  
https://issues.redhat.com/browse/WINC-952  
https://issues.redhat.com/browse/WINC-959  
https://issues.redhat.com/browse/WINC-998  
https://issues.redhat.com/browse/WINC-999

Red Hat Security Advisory 2023-7515-01

Red Hat Security Advisory 2023-7513-01 - An update for linux-firmware is now available for Red Hat Enterprise Linux 7. Issues addressed include an information leakage vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7513.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: linux-firmware security updateAdvisory ID:        RHSA-2023:7513-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7513Issue date:         2023-11-27Revision:           01CVE Names:          CVE-2023-20569====================================================================Summary: An update for linux-firmware is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The linux-firmware packages contain all of the firmware files that are required by various devices to operate.Security Fix(es):* hw amd: Return Address Predictor vulnerability leading to information disclosure (CVE-2023-20569)* hw: amd: Cross-Process Information Leak (CVE-2023-20593)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-20569References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2207625https://bugzilla.redhat.com/show_bug.cgi?id=2217845

Red Hat Security Advisory 2023-7513-01

Red Hat Security Advisory 2023-7512-01 - An update for firefox is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7512.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: firefox security update  
Advisory ID:        RHSA-2023:7512-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7512  
Issue date:         2023-11-27  
Revision:           01  
CVE Names:          CVE-2023-6204  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.5.0 ESR.

Security Fix(es):

* Mozilla: Out-of-bound memory access in WebGL2 blitFramebuffer (CVE-2023-6204)

* Mozilla: Use-after-free in MessagePort::Entangled (CVE-2023-6205)

* Mozilla: Clickjacking permission prompts using the fullscreen transition (CVE-2023-6206)

* Mozilla: Use-after-free in ReadableByteStreamQueueEntry::Buffer (CVE-2023-6207)

* Mozilla: Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5 (CVE-2023-6212)

* Mozilla: Using Selection API would copy contents into X11 primary selection. (CVE-2023-6208)

* Mozilla: Incorrect parsing of relative URLs starting with \"///\" (CVE-2023-6209)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-6204

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2250896  
https://bugzilla.redhat.com/show_bug.cgi?id=2250897  
https://bugzilla.redhat.com/show_bug.cgi?id=2250898  
https://bugzilla.redhat.com/show_bug.cgi?id=2250899  
https://bugzilla.redhat.com/show_bug.cgi?id=2250900  
https://bugzilla.redhat.com/show_bug.cgi?id=2250901  
https://bugzilla.redhat.com/show_bug.cgi?id=2250902

Red Hat Security Advisory 2023-7512-01

Red Hat Security Advisory 2023-7511-01 - An update for firefox is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7511.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: firefox security update  
Advisory ID:        RHSA-2023:7511-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7511  
Issue date:         2023-11-27  
Revision:           01  
CVE Names:          CVE-2023-6204  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.5.0 ESR.

Security Fix(es):

* Mozilla: Out-of-bound memory access in WebGL2 blitFramebuffer (CVE-2023-6204)

* Mozilla: Use-after-free in MessagePort::Entangled (CVE-2023-6205)

* Mozilla: Clickjacking permission prompts using the fullscreen transition (CVE-2023-6206)

* Mozilla: Use-after-free in ReadableByteStreamQueueEntry::Buffer (CVE-2023-6207)

* Mozilla: Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5 (CVE-2023-6212)

* Mozilla: Using Selection API would copy contents into X11 primary selection. (CVE-2023-6208)

* Mozilla: Incorrect parsing of relative URLs starting with \"///\" (CVE-2023-6209)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-6204

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2250896  
https://bugzilla.redhat.com/show_bug.cgi?id=2250897  
https://bugzilla.redhat.com/show_bug.cgi?id=2250898  
https://bugzilla.redhat.com/show_bug.cgi?id=2250899  
https://bugzilla.redhat.com/show_bug.cgi?id=2250900  
https://bugzilla.redhat.com/show_bug.cgi?id=2250901  
https://bugzilla.redhat.com/show_bug.cgi?id=2250902