RoyalTSX version 6.0.1 suffers from an RTSZ file handling heap memory corruption vulnerability. The application receives SIGABRT after the RAPortCheck.createNWConnection() function is handling the SecureGatewayHost object in the RoyalTSXNativeUI. When the hostname has an array of around 1600 bytes and the Test Connection is clicked the application crashes instantly.

RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption

OPNsense versions 23.1.11_1, 23.7.3, and 23.7.4 suffer from cross site scripting vulnerabilities that can allow for privilege escalation.

Advisory X41-2023-001: Two Vulnerabilities in OPNsense  
===========================================================  
Highest Severity Rating: High  
Confirmed Affected Versions: 23.1.11_1, 23.7.3, 23.7.4  
Confirmed Patched Versions: Commit 484753b2abe3fd0fcdb73d8bf00c3fc3709eb8b7  
Vendor: Deciso B.V. / OPNsense  
Vendor URL: https://opnsense.org  
Credit: X41 D-Sec GmbH, Yasar Klawohn and JM  
Status: Public   
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2023-001-opnsense

Summary and Impact  
------------------  
The OPNsense dashboard displays widgets with information about the system,  
running services, gateways and more. These widgets can be arranged in  
different orders and columns. The values for the number of columns and the  
order of widgets are stored server-side and are the same for all users of an  
OPNsense instance. They are reflected unmodified on every visit. This can be  
abused by a low-privileged attacker to inject their own content into the  
page, enabling a cross-site scripting (XSS) attack that can result in  
privilege escalation.

Product Description  
-------------------  
OPNsense is an open source, FreeBSD-based firewall and routing operating  
system. It includes many features of commercial firewalls and can be managed  
entirely via its web GUI.

Stored XSS in the OPNsense Dashboard via the column_count Parameter  
===================================================================  
Severity Rating: High  
Vector: Network  
CWE: 79  
CVSS Score: 8.0  
CVSS Vector: 3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H  
Credit: X41 D-Sec GmbH, Yasar Klawohn

Analysis  
--------  
The number of columns displayed in the dashboard is set via an HTTP POST  
request to /index.php, using the column_count request parameter. This  
parameter is not properly escaped when returned to the client. To exploit  
this issue, the payload "><script>alert(1)</script> is submitted as part of  
the column_count parameter. This input is reflected unmodified in the  
response and on any subsequent visit to the dashboard by any user. Only the  
"Lobby: Login / Logout / Dashboard" permission is required to abuse this  
issue.

Once the server receives the POST request, the column_count parameter is  
written unmodified into the configuration:

} elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST['origin'])  
            && $_POST['origin'] == 'dashboard') {  
    // ...  
    if (!empty($_POST['column_count'])) {  
        $config['widgets']['column_count'] = $_POST['column_count'];  
    } elseif(isset($config['widgets']['column_count'])) {  
        unset($config['widgets']['column_count']);  
    }  
    write_config('Widget configuration has been changed');  
    header(url_safe('Location: /index.php'));  
    exit;  
}  
// from:  
// https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L66-L79

If the column_count parameter is not empty, it is used unmodified: 

// ...  
if ($_SERVER['REQUEST_METHOD'] === 'GET') {  
    $pconfig = $config['widgets'];  
    // ...  
    $pconfig['column_count'] =  
       !empty($pconfig['column_count']) ? $pconfig['column_count'] : 2;  
    // ...  
// from:  
// https://github.com/opnsense/core/blob/306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L42

Below, the unmodified value is written:

  
<section class="page-content-main">  
  <form method="post" id="iform">  
    <input type="hidden" value="dashboard" name="origin" id="origin" />  
    <input type="hidden" value="" name="sequence" id="sequence" />  
    <input type="hidden" value="<?= $pconfig['column_count'];?>"  
        name="column_count" id="column_count_input" />  
  </form>  
  


Proof of Concept  
----------------  
Log in as root. On the left side, go to System -> Access -> Users, and add a  
new user. For "Effective Privileges", only select "Lobby: Login / Logout /  
Dashboard". The user is now only able to view the dashboard and the help  
pages.

Log in as that newly created user and open your browser's network monitor.  
In the OPNsense dashboard, select "1 column" from the top right and then  
press "save settings". Repeat the POST request and replace the column_count  
variable with

column_count=1"><script>alert(1)</script>

Now, log in as admin again, you should see an alert box resulting from the  
following HTML response:

<form method="post" id="iform">  
      
    <input type="hidden" value="1">  
        <script>alert(1)</script>"  
        name="column_count" id="column_count_input" />  
</form>

This is the stored XSS and can result in privilege escalation. The OPNsense  
developers did apply a Content-Security-Policy, but unfortunately allow  
unsafe-inline and unsafe-eval for scripts, which does not prevent the  
exploitation of this vulnerability.

Stored XSS in the OPNsense Dashboard via the sequence Parameter  
===============================================================  
Severity Rating: High   
Vector: Network  
CWE: 79  
CVSS Score: 8.0  
CVSS Vector: 3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H  
Credit: X41 D-Sec GmbH, JM and Yasar Klawohn

Analysis  
--------  
The order in which the widgets are displayed in the Dashboard is set via an  
HTTP POST request to /index.php, using the sequence request parameter. This  
parameter is not properly escaped when returned to the client. To exploit  
this issue, the payload "><script>alert(1)</script> is submitted as part of  
the sequence parameter. This input is reflected unmodified in the response  
and on any subsequent visit to the dashboard by any user. Only the "Lobby:  
Login / Logout / Dashboard" permission is required to abuse this issue.

The order in which widgets are displayed on the dashboard can be set in the  
same POST request, via the sequence parameter. The sequence parameter has the  
following format:

sequence=services_status-container:00000000-col3:show,  
    interface_list-container:00000001-col4:show,  
    gateways-container:00000002-col4:show

Once the server receives the POST request, the sequence parameter is written  
unmodified into the configuration:

} elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST['origin'])  
            && $_POST['origin'] == 'dashboard') {  
    if (!empty($_POST['sequence'])) {  
        $config['widgets']['sequence'] = $_POST['sequence'];  
    } elseif (isset($config['widgets']['sequence'])) {  
        unset($config['widgets']['sequence']);  
    }  
    // ...  
    write_config('Widget configuration has been changed');  
    header(url_safe('Location: /index.php'));  
    exit;  
}  
// from:  
// https://github.com/opnsense/core/blob/cbaf7cee1f0a6fabd1ec4c752a5d169c402976dc/src/www/index.php#L66-L80

When serving a GET request, the sequence parameter is returned unmodified,  
starting with a read of its value from the configuration:

// ...  
$pconfig = $config['widgets'];  
// set default dashboard view  
$pconfig['sequence'] = !empty($pconfig['sequence']) ?  
    $pconfig['sequence'] : '';  
// ...  
// from:  
// https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L39-L41

sequence is then split by comma and further split by colon into name,  
sortKey, and state. The list of widgets is sorted on the server side using  
the sortKey.

$widgetSeqParts = explode(",", $pconfig['sequence']);  
foreach (glob('/usr/local/www/widgets/widgets/*.widget.php') as $php_file) {  
    $widgetItem = array();  
    // [...]  
    foreach ($widgetSeqParts as $seqPart) {  
        $tmp = explode(':', $seqPart);  
        if (count($tmp) == 3 &&  
            explode('-', $tmp[0])[0] == $widgetItem['name']  
        ) {  
            $widgetItem['state'] = $tmp[2];  
            $widgetItem['sortKey'] = $tmp[1];  
        }  
    }  
    $widgetCollection[] = $widgetItem;  
}  
// sort widgets  
usort($widgetCollection, function ($item1, $item2) {  
    return strcmp(strtolower($item1['sortKey']),  
        strtolower($item2['sortKey']));  
});  
// from:  
// https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L44-L65

Finally, the sortKey is written unescaped into an HTML attribute:

<section  
    class="widgetdiv"  
    data-sortkey="<?=$widgetItem['sortKey'] ?>"  
    id="<?=$widgetItem['name'];?>"  
    style="display:<?=$divdisplay;?>;"  


Proof of Concept  
----------------  
Log in as root. On the left side, go to System -> Access -> Users, and add a  
new user. For "Effective Privileges", only select "Lobby: Login / Logout /  
Dashboard". The user is now only able to view the dashboard and the help  
pages.

Log in as that newly created user and open your browser's network monitor. In  
the OPNsense dashboard, reorder the widgets via drag-and-drop, then press  
"save settings".

Repeat the POST request and replace the sequence variable with

sequence=gateways-container:1"><script>alert(1)</script>-col4:show

Now, log in as admin again, you should see an alert box resulting from the  
following HTML response:

<div class="container-fluid">  
      
        <section class="widgetdiv" data-sortkey="1">  
            <script>alert(2)</script>  
            -col4" id="gateways"  style="display:block;">

This is the stored XSS and can result in privilege escalation.

The OPNsense developers did apply a Content-Security-Policy, but  
unfortunately allow unsafe-inline and unsafe-eval for scripts, which does not  
prevent the exploitation of this vulnerability.

Workarounds  
===========

Remove all effective privileges for /index.php* of low-privilege users.

Timeline  
========  
2023-09-13: Problem discovered

2023-09-14: Write-up and discovery of second finding

2023-09-19: Disclosure to Deciso B.V. / OPNsense

2023-09-19: Issue fixed upstream by Deciso B.V. / OPNsense

2023-09-20: CVE requested

2023-09-20: Informed Deciso B.V. / OPNsense that we will make the issues  
public the following day, since the patch is public

2023-09-21: Release of advisory

About X41 D-Sec GmbH  
====================  
X41 is an expert provider for application security services.  
Having extensive industry experience and expertise in the area of information  
security, a strong core security team of world class security experts enables  
X41 to perform premium security services.

Fields of expertise in the area of application security are security centered  
code reviews, binary reverse engineering and vulnerability discovery.  
Custom research and IT security consulting and support services are core  
competencies of X41.

OPNsense 23.1.11_1 / 23.7.3 / 23.7.4 Cross Site Scripting / Privilege Escalation

Debian Linux Security Advisory 5504-1 - Several vulnerabilities were discovered in BIND, a DNS server implementation.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5504-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
September 22, 2023                    https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : bind9  
CVE ID         : CVE-2023-3341 CVE-2023-4236  
Debian Bug     : 1052416 1052417

Several vulnerabilities were discovered in BIND, a DNS server  
implementation.

CVE-2023-3341

    A stack exhaustion flaw was discovered in the control channel code  
    which may result in denial of service (named daemon crash).

CVE-2023-4236

    Robert Story discovered that a flaw in the networking code handling  
    DNS-over-TLS queries could cause named to terminate unexpectedly due  
    to an assertion failure, resulting in denial of service when under  
    high DNS-over-TLS query load conditions.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1:9.16.44-1~deb11u1. The oldstable distribution (bullseye) is  
only affected by CVE-2023-3341.

For the stable distribution (bookworm), these problems have been fixed in  
version 1:9.18.19-1~deb12u1.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/bind9

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmUN9DFfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Si0hAAjg9Fdxt8ff9UUBfI5B5KhE2hba1+PlJAroM9NHZUzKNNHVb+/0atqxsI  
gJ/6NhFtp2DRWlzHbgFt/lcToOOnzXs7R9RQ3iL3QwXx1vsCq0MGLjR3tsk+hzSC  
vwP02KSo5CcVdyOuHVh7NB9wS+j9ePsBIsEQh+howtIxWZFGd2lE2AxCF0DYU/Gf  
rMjiwt3SWZ+giYJHIehdn8sqdozQhV/WirKYjdXyAWADPIwQoWacHpPU7Du8aT3d  
KeknO34OnaWUVRF7NTxCsYkagTrT40lPaLZuPSeh1dm4U6ODF0Lgv4HOc+rHIaqw  
6a3rkvXtcXvHbzQ+CREWAMN7l50WjpPV1gUwGRj38huF7zI2JAWY8595e8d1J08S  
1i911UzW1diMGLXeV/2Q/8K03LjWMegFJm+4DmUya/lvAW8syxclsIuvl3yHSnXX  
8WSNEQLXjJKB4cX+aB2L/zyYHSbO9+rc19u0c/7/I+n2YuDHXTzsrdlEGDR9p51v  
UqLe7BAN5tUxv0Z+BV0cflFfA5pS1twuKZtjIZztJUSOOQIkmR7Pi8auiV8W+r4V  
pIHyzuq3BC4d5pzaN3H7xNLgqqLn8bk2i8kEp3ApoObtKP6Pozw6NjT3eW0AXaBi  
FYI+LWlEA3c+xONpYx6+G1O26dnNksQ0p1aSl2FSfKBF5rgwVVg=  
=Q0Oq  
-----END PGP SIGNATURE-----

Debian Security Advisory 5504-1

Apple Security Advisory 2023-09-21-7 - macOS Monterey 12.7 addresses a privilege escalation vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-09-21-7 macOS Monterey 12.7

macOS Monterey 12.7 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213932.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Additional CVE entries coming soon.

Kernel  
Available for: macOS Monterey  
Impact: A local attacker may be able to elevate their privileges. Apple  
is aware of a report that this issue may have been actively exploited  
against versions of iOS before iOS 16.7.  
Description: The issue was addressed with improved checks.  
CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

Additional recognition

Kernel  
We would like to acknowledge Bill Marczak of The Citizen Lab at The  
University of Toronto's Munk School and Maddie Stone of Google's Threat  
Analysis Group for their assistance.

macOS Monterey 12.7 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUMi+UACgkQX+5d1TXa  
Ivodjg/+Lz5oU3oZFmJoiYgTRKvcCVcRb/u8ioWsOxB0ZZQ1Z7o/KCi/ccV09fRy  
zbt72qAzpjseCcfq46hgy+zIuKgbOdXvUJZEOywZuWmPy540sB7YDm/BsinP7ESA  
XTlh1BnKL6kboXMZ0zurdW1kzAMqLjxYp/ku5ySSCG8YWwtjgvmYM7fjoRhj7/rp  
If5mmHkTdlEvRL1OZni3kmP5uMyAAQ5kB/LOwE5euqFJb5mtgAZaXPGZe2UPIaWw  
mHTI3SwyGtEcehuOBi3jArJMI3r/k4qYfOpK5Z3rwJrffdK6ztCMgePKfF7IuWS+  
VRgCnhyL7eu2THyK03m4VwzyuYuUDLYXkFDmEE4K5ymedSjjFaZpF27SOVYGD6G9  
oGoxnJ8k55Ldy6El/caiKb2YNgMD5KPsCCvZRim3o+ADl1E2q5TfU5d9nnG6DPXP  
ZXDb4Q/IQRTlKhunJ6cDA7ZRkQ53A9vIECxHLCeOIC6VALib++8TvdKrjbm2r09d  
1fhMFeSiE3Nak2RwHWHAjNCfL/enIwpGM9kiRZK1QHFCbDm7JM7d5rNW9FLgXXv+  
PlhL3CRgmE2iGDZZJpZavyGcSGqewLmeWAn/gWhzwGRBilKiMpAGPLQlAPd6YOA8  
6p366vYRJ1cITlIJ6KzYhGLrah4iYFErzyyfK8cZy6ajJFJZ01g=  
=nhhn  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-21-7

Global Socket is a tool for moving data from here to there, securely, fast, and through NAT and firewalls. It uses the Global Socket Relay Network to connect TCP pipes, has end-to-end encryption (using OpenSSL's SRP / RFC-5054), AES-256 and key exchange using 4096-bit Prime, requires no PKI, has Perfect Forward Secrecy, and TOR support.

Global Socket 1.4.41

GNUnet is a peer-to-peer framework with focus on providing security. All peer-to-peer messages in the network are confidential and authenticated. The framework provides a transport abstraction layer and can currently encapsulate the network traffic in UDP (IPv4 and IPv6), TCP (IPv4 and IPv6), HTTP, or SMTP messages. GNUnet supports accounting to provide contributing nodes with better service. The primary service build on top of the framework is anonymous file sharing.

GNUnet P2P Framework 0.20.0

Apple Security Advisory 2023-09-21-6 - macOS Ventura 13.6 addresses bypass vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-09-21-6 macOS Ventura 13.6

macOS Ventura 13.6 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213931.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Additional CVE entries coming soon.

Kernel  
Available for: macOS Ventura  
Impact: A local attacker may be able to elevate their privileges. Apple  
is aware of a report that this issue may have been actively exploited  
against versions of iOS before iOS 16.7.  
Description: The issue was addressed with improved checks.  
CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

Security  
Available for: macOS Ventura  
Impact: A malicious app may be able to bypass signature  
validation. Apple is aware of a report that this issue may have been  
actively exploited against versions of iOS before iOS 16.7.  
Description: A certificate validation issue was addressed.  
CVE-2023-41991: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

WebKit  
Available for: macOS Ventura  
Impact: Processing web content may lead to arbitrary code  
execution. Apple is aware of a report that this issue may have been  
actively exploited against versions of iOS before iOS 16.7.  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 261544  
CVE-2023-41993: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

Additional recognition

Kernel  
We would like to acknowledge Bill Marczak of The Citizen Lab at The  
University of Toronto's Munk School and Maddie Stone of Google's Threat  
Analysis Group for their assistance.

macOS Ventura 13.6 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUMi+UACgkQX+5d1TXa  
IvpVCQ/+PH+bewmpAxIP9LKpZWkBLgiRwd7BnB1GuqC3IjjQebkqq1mBKM9J5aVV  
iNrGOIccwxHKofbcwHda2upOkUOGV7zdi4iO5TV1TgsZoM1HCfkQ/laKMtyEPZj7  
jdOSpR0kr9E1xUN/muIgir3Acy3SHmqq+6tp5JtaIdTV2WvG/w0LSU8bHmroNhB8  
tRWml3mUV9i9HG+kDT+q+bYNdDs7GO1eTAQyOvB6X+pSBVQiClp8r9PbQAPvMw41  
QZQsZGHF1/Oq1A/6FZlBdwgPvqsKyhSsK9HzVgDPuCftdYBCbf7XJ/QkIRi5udrX  
YKuWwYyTjtaDaokPEbQtlw8R60ZL2ecyaF2u8wuhx1m5v2hq6OM3vZemeNgBVmtB  
7TdimeKzvl+IY1gmo34hkHGJ8ILTUExHD+0VhRBsYXYi9cNpV+S2HFUbqkeGtCRL  
fDMaz6jZo8o9WQ69aYLC1Vqn6xwQxUH6+XS8JOzoTfHBtQgJFZ9r9kt/vJlrdCLu  
aFSfU6sdfXcI7aBlTyL+PNF0M5S+P2i6oEqJUnLhMpnD0ESeNZSOr4wfNwNW21/3  
2DtBbdzNXZ7+c2+Ds8xcOXLwHQlLfsD+u5GHbOr5X97PG59OA3GSmumEdn0DFCdJ  
q+VBu5otgp+DIFJ/xsen4pURqRsw17/aOAzyGguoVJ306SRD2Bo=  
=9eKC  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-21-6

Apple Security Advisory 2023-09-21-5 - watchOS 9.6.3 addresses bypass vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-09-21-5 watchOS 9.6.3

watchOS 9.6.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213929.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: A local attacker may be able to elevate their privileges. Apple  
is aware of a report that this issue may have been actively exploited  
against versions of iOS before iOS 16.7.  
Description: The issue was addressed with improved checks.  
CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

Security  
Available for: Apple Watch Series 4 and later  
Impact: A malicious app may be able to bypass signature  
validation. Apple is aware of a report that this issue may have been  
actively exploited against versions of iOS before iOS 16.7.  
Description: A certificate validation issue was addressed.  
CVE-2023-41991: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUMi+QACgkQX+5d1TXa  
IvqEKBAAot3koiHF8bV334s7cFZFe+xUGkFszWH7XR/73NCyKVRJaxjfgHkcJUPZ  
qiEgALnau3mEFagwLu2+hIEJKZLCF5nU7uf0tQOBOjWL/ZUk9DXStAahkBWmom9/  
7mGxRqiEPPduJ8jU3BbxVqbwo3IiNhww8o2bS15o/ByhBopvCtIgJFKVPdWOlnHV  
og85okHBa7uOKzwXIdERl62UuAG6swGc8iTdhDxgrlCqDNQPKTT8Re/+Dzv2htlI  
UI38gp/3wFLhQArmgzIbrU6WLMnMRPn+M/juT1AjuFLY1JkdGd/y+uEmNg/rU8tF  
b4ptEbbuR5mNxhcyx0RIn18pHOv7MV/hYRNtXzCkEH5bxAIlPMFLTRWs8OsqlBlQ  
t4lDnf/u0I50W5F3Bf6BpN4lAJaHFej1vNQtz0CN1sXocBj3LUlWFjK5lFXymWUc  
qKt+1xwXBraDuNGabZua5cZpMXNUL8wAjVv1uZOjmvdB1jHN6FVfyu9oc2ONH+p+  
UigbKwLFqlRjJ/8ee2UhNQFwkXf8wDIud/U0kuftu3xtLFJjZsiFJLBUDQ2XQl7z  
eXDvLYdq6Jvo3qiW2AuUGzVLiw4IDSUZk4U3b8ER37/SEFFOEXEJ05uzwMinYYmD  
qTWm/89O74yzgF6HPKigfzNqePZ4eButFer73hndgja9WvYxSCg=  
=4meq  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-21-5

Ubuntu Security Notice 6190-2 - USN-6190-1 fixed a vulnerability in AccountsService. This update provides the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Kevin Backhouse discovered that AccountsService incorrectly handled certain D-Bus messages. A local attacker could use this issue to cause AccountsService to crash, resulting in a denial of service, or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6190-2  
September 25, 2023

accountsservice vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

AccountsService could be made to crash or run programs if it received  
specially crafted messages.

Software Description:  
- accountsservice: query and manipulate user account information

Details:

USN-6190-1 fixed a vulnerability in AccountsService. This update provides  
the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and  
Ubuntu 18.04 LTS.

Original advisory details:

Kevin Backhouse discovered that AccountsService incorrectly handled certain  
D-Bus messages. A local attacker could use this issue to cause  
AccountsService to crash, resulting in a denial of service, or possibly  
execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
accountsservice 0.6.45-1ubuntu1.3+esm1  
libaccountsservice0 0.6.45-1ubuntu1.3+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
accountsservice 0.6.40-2ubuntu11.6+esm1  
libaccountsservice0 0.6.40-2ubuntu11.6+esm1

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
accountsservice 0.6.35-0ubuntu7.3+esm3  
libaccountsservice0 0.6.35-0ubuntu7.3+esm3

After a standard system update you need to reboot your computer to make all  
the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-6190-2  
https://ubuntu.com/security/notices/USN-6190-1  
CVE-2023-3297

Ubuntu Security Notice USN-6190-2

Ubuntu Security Notice 6365-2 - USN-6365-1 fixed a vulnerability in Open VM Tools. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that Open VM Tools incorrectly handled SAML tokens. A remote attacker could possibly use this issue to bypass SAML token signature verification and perform VMware Tools Guest Operations.

==========================================================================  
Ubuntu Security Notice USN-6365-2  
September 25, 2023

open-vm-tools vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Open VM Tools could allow unintended access to network services.

Software Description:  
- open-vm-tools: Open VMware Tools for virtual machines hosted on VMware

Details:

USN-6365-1 fixed a vulnerability in Open VM Tools. This update provides  
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

It was discovered that Open VM Tools incorrectly handled SAML tokens. A  
remote attacker could possibly use this issue to bypass SAML token  
signature verification and perform VMware Tools Guest Operations.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
open-vm-tools 2:11.0.5-4ubuntu0.18.04.3+esm2

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
open-vm-tools 2:10.2.0-3~ubuntu0.16.04.1+esm3

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-6365-2  
https://ubuntu.com/security/notices/USN-6365-1  
CVE-2023-20900

Source

Packet Storm