Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.

CVE-2022-29457: ADSelfService Plus Release Notes

Google patches a critical flaw in its Chrome browser, bringing its count of zero-day vulnerabilities fixed in 2022 to four.

Google fixed two vulnerabilities in its Chrome web browser as part of an emergency update this week, including a type confusion vulnerability that is already being exploited in the wild.

The type confusion vulnerability (CVE-2022-1364) impacts the JavaScript and WebAssembly engine in the browser. With this kind of flaw, a program will allocate a resource (such as a pointer or object) using one type but will later try to access the resource using an incompatible type. The vulnerability can be exploited to cause the browser to crash, trigger logical errors, or even execute arbitrary code.

"Google is aware that an exploit for CVE-2022-1364 exists in the wild," the company wrote in the alert. Details will be restricted until a majority of users have updated to Chrome version 100.0.4896.127 across the Windows, Linux, and Mac platforms.

The issues also affect other Chromium-based browsers, such as Microsoft Edge, Brave, and Vivaldi.

The second issue that was fixed appears to be related to issues that were uncovered internally. The alert calls it "various fixes from internal audits, fuzzing, and other initiatives."

This is the third emergency update for Chrome in 2022, and the third zero-day vulnerability patched so far this year. In March, Google (along with Microsoft) fixed a critical flaw to the Chromium v8 JavaScript engine (CVE-2022-1096) that was being actively exploited.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Emergency Update Fixes Chrome Zero-Day

stb_image.h v2.27 was discovered to contain an integer overflow via the function stbi__jpeg_decode_block_prog_dc. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

Hi stb maintainers! I went through the first ten ossfuzz issues (up to and including ossfuzz issue 38394) and put together fixes for them. About half were duplicates of previous issues, but three were new and are fixed in this PR.

I also went through the test files in issues #1289, #1291, #1292, and #1293 and fixed ASan+UBSan reports from loading those issues' repro cases which weren't already fixed by #1223 or #1230.

Here are the bugs, some quick analyses, and their fixes:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22620&q=proj%3Dstb&can=2 :

This is a PNM file with specifies a width of 3333333333. Parsing this integer overflows a signed 32-bit integer.

The fix I chose isn't the most elegant: I check to see if value \* 10 + (\*c - 0) would overflow a signed int, and then propagate an error up two levels. This also makes loading a 0-width or 0-height PNM file more explicitly an error (previously, this would produce an error for other reasons). However, I can think of a few other good ways of fixing this (e.g. simplifying the condition by limiting the maximum size a bit further, or changing value to an unsigned int and letting later error-handing handle it.) Please let me know if you would prefer any of these other ways!

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32803&q=proj%3Dstb&can=2 :

The reproducer file here is a PNG file with a second IDAT chunk with a c.length of 0x68088c86. The IDAT handler increases idata_limit to fit this amount of memory, and then reallocates space for 0xcce48000 bytes, causing an ossfuzz out-of-memory error (since this is greater than ossfuzz's limit of 2560 MB). The stbi__getn call later fails.

I'm not totally sure about my fix for this one, which is to reject IDAT sections larger than 1 GiB (the ossfuzz OOM threshold is 2560 MB). Comparing against the compressed data size would be ideal - but we don't have the data size in a callback context, right?

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36193&q=proj%3Dstb&can=2 :

The reproducer here is a JPEG file that manages to set j->code_bits to -8 in stbi__grow_buffer_unsafe! This results in a left shift of 32 bits on a 32-bit type, which is undefined behavior. This happens by getting into a situation where code\_bits is 1, but the combined length s to read is 9.

This PR checks for this situation and returns an error if it happens.

Issue #1289:

Will post analysis in issue. This PR avoids this crash by bounds-checking c.

Issue #1291, file id\_000154,sig\_06,src\_002783+000969,time\_39921237,op\_splice,rep\_4,trial\_1492432:

Will post analysis in issue. This pull request adds checks to both the h->size[k++] loop in stbi__build_huffman and the "DHT - define huffman table" code to verify that writes are in-bounds.

Since creating this pull request, I also put together fixes for several other files in issues 1292 and 1293:

Issue #1292, files id\_000118,sig\_06,src\_003303,time\_27343468,op\_havoc,rep\_16,trial\_1496823 and id\_000130,sig\_06,src\_002266+002478,time\_16238914,op\_splice,rep\_16,trial\_1492432:

These files all produce signed integer overflows (which are undefined behavior) when decoding the DC coefficient of a JPEG block or when accumulating delta codes (i.e. in the lines data[0] = (shirt) (dc * dequant[0]);, data[0] = (short) (dc * (1 << j->succ_low));, and dc = j->img_comp[b].dc_pred + diff;). This MR adds two functions, stbi__addints_valid and stbi__mul2shorts_valid, that check for overflow of addition of two 32-bit signed ints and multiplication of two signed shorts, respectively; if there's overflow here, we return an error. These two functions are maybe a bit more complex than ideal; maybe wrapping is OK here (in which case, casting to a signed type would make the overflow defined)?

Issue #1293, files id\_000115,sig\_06,src\_003085,time\_21982593,op\_havoc,rep\_8,trial\_1497271, id\_000157,sig\_06,src\_003484,time\_46825823,op\_havoc,rep\_16,trial\_1492432, and id\_000212,sig\_06,src\_005033,time\_18133274,op\_havoc,rep\_4,trial\_1499760:

These are all relatively similar to ossfuzz issue 36193 above: the decoder exhausts its code buffer, then calls stbi__grow_buffer_unsafe (which I think implements NEXTBIT in ITU-T81), which immediately reaches a fill followed by a marker, leaving code\_bits at 0. Any of a number of functions try to read some number of code bits from stbi\_\_jpeg and decrease stbi\_\_jpeg::code\_bits, making it negative (e.g. -8 or -9)! The next time control returns to stbi__grow_buffer_unsafe and a byte is read that's not 0xff, the j->code_buffer |= b << (24 - j->code_bits); line left shifts by more than 32 bits.

I sort of manually patched each of the places where stbi__grow_buffer_unsafe(j); can be called followed by decreasing j->code_bits by making sure that the required number of bits were actually read. If not enough bits were read, I have the code act as if all 0s were read or return an error. This could be better - perhaps the best solution would be to implement NEXTBIT more closely and handle error propagation here? - but seems to work.

Thanks!

CVE-2022-28041: Additional stb_image fixes for bugs from ossfuzz and issues 1289, 1291, 1292, and 1293 by NeilBickford-NV · Pull Request #1297 · nothings/stb

Citrix XenMobile Server 10.12 through RP11, 10.13 through RP7, and 10.14 through RP4 allows Command Injection.

Welcome to the Citrix Knowledge Center. Our site does not support outdated browser (or earlier) versions. To use our site, please take one of the following actions:

*   Upgrade your version of Internet Explorer. You can find more information here
*   Install the Google Chrome browser. You can find information here
*   Install the Firefox browser. You can find information here

Thank you,

The Citrix Knowledge Services Team

CVE-2022-26151: Search

jbd2_journal_wait_updates in fs/jbd2/transaction.c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.

CVE-2022-28796

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE-2022-26912

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-24475, CVE-2022-26891, CVE-2022-26894, CVE-2022-26895, CVE-2022-26900, CVE-2022-26908, CVE-2022-26909.

CVE-2022-26909

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-24475, CVE-2022-26891, CVE-2022-26894, CVE-2022-26895, CVE-2022-26900, CVE-2022-26908, CVE-2022-26912.

Tag

#chrome