An integer underflow vulnerability exists in the vpnserver OvsProcessData functionality of SoftEther VPN 5.01.9674 and 5.02. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.

**SUMMARY**

An integer underflow vulnerability exists in the vpnserver OvsProcessData functionality of SoftEther VPN 5.01.9674 and 5.02. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

SoftEther VPN 5.01.9674  
SoftEther VPN 5.02  
While 5.01.9674 is a development version, it is distributed at the time of writing by Ubuntu and other Debian-based distributions.

**PRODUCT URLS**

SoftEther VPN - https://www.softether.org/

**CVSSv3 SCORE**

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**CWE**

CWE-191 - Integer Underflow (Wrap or Wraparound)

**DETAILS**

SoftEther is a multi-platform VPN project that provides both server and client code to connect over a variety of VPN protocols, including Wireguard, PPTP, SSTP, L2TP, etc. SoftEther has a variety of features for both enterprise and personal use, and enables Nat Traversal out-of-the-box for remote-access setups behind firewalls.

Among the various VPN protocols that SoftEther can talk in, by default, OpenVPN code can be reached via any of the open TCP ports. Based on the start of the input buffer, we can either hit the OpenVPN code or the Wireguard code, or even the normal HTTPS server for management of the VPN configuration itself:

    bool ProtoHandleConnection(PROTO *proto, SOCK *sock, const char *protocol)
    {
        const PROTO_IMPL *impl;
        void *impl_data = NULL;
    
        UCHAR *buf;
        TCP_RAW_DATA *recv_raw_data;
        FIFO *send_fifo;
        INTERRUPT_MANAGER *im;
        SOCK_EVENT *se;
    
        if (proto == NULL || sock == NULL)
        {
            return false;
        }
    
        {
            const PROTO_CONTAINER *container = NULL;
            wchar_t *proto_name;
            LIST *options;
    
            if (protocol != NULL)
            {
                UINT i;
                for (i = 0; i < LIST_NUM(proto->Containers); ++i)
                {
                    const PROTO_CONTAINER *tmp = LIST_DATA(proto->Containers, i);
                    if (StrCmp(tmp->Name, protocol) == 0)
                    {
                        container = tmp;
                        break;
                    }
                }
            }
            else
            {
                UCHAR tmp[PROTO_CHECK_BUFFER_SIZE]; // 2 bytes
    
                if (Peek(sock, tmp, sizeof(tmp)) == 0)
                {
                    return false;
                }
    
                container = ProtoDetect(proto, PROTO_MODE_TCP, tmp, sizeof(tmp)); // [1] 
            }
    

Unless a protocol is explicitly passed to the ProtoHandleConnection function, we end up iterating over all the loaded proto->Containers and calling the container’s ProtoDetect() function at \[1\]:

    const PROTO_CONTAINER *ProtoDetect(const PROTO *proto, const PROTO_MODE mode, const UCHAR *data, const UINT size)
    {
        UINT i;
    
        if (proto == NULL || data == NULL || size == 0)
        {
            return NULL;
        }
    
        for (i = 0; i < LIST_NUM(proto->Containers); ++i)
        {
            const PROTO_CONTAINER *container = LIST_DATA(proto->Containers, i);
            const PROTO_IMPL *impl = container->Impl;
    
            if (ProtoEnabled(proto, container->Name) == false)
            {
                Debug("ProtoDetect(): skipping %s because it's disabled\n", container->Name);
                continue;
            }
    
            if (impl->IsPacketForMe != NULL && impl->IsPacketForMe(mode, data, size)) // [2]
            {
                Debug("ProtoDetect(): %s detected\n", container->Name);
                return container;
            }
        }
    
        Debug("ProtoDetect(): unrecognized protocol\n");
        return NULL;
    }
    

ProtoDetect() boils down to answering the question: Is this packet designated for this specific protocol? And so each container calls its Impl->IsPacketForMe at \[2\]. To understand what functions underpin the IsPacketForMe function pointer, let us quickly look to see where protocols actually get loaded:

    PROTO *ProtoNew(CEDAR *cedar)
    {
        PROTO *proto;
    
        if (cedar == NULL)
        {
            return NULL;
        }
    
        proto = Malloc(sizeof(PROTO));
        proto->Cedar = cedar;
        proto->Containers = NewList(ProtoContainerCompare);
        proto->Sessions = NewHashList(ProtoSessionHash, ProtoSessionCompare, 0, true);
    
        AddRef(cedar->ref);
    
        // WireGuard
        Add(proto->Containers, ProtoContainerNew(WgsGetProtoImpl()));   // [3]
        // OpenVPN
        Add(proto->Containers, ProtoContainerNew(OvsGetProtoImpl()));   // [4]
        // SSTP
        Add(proto->Containers, ProtoContainerNew(SstpGetProtoImpl()));  // [5]
    
        proto->UdpListener = NewUdpListener(ProtoHandleDatagrams, proto, &cedar->Server->ListenIP);
    
        return proto;
    }
    

Clearly written above, we can see that the only VPN protocols enabled by default in SoftEther are WireGuard \[3\], OpenVPN \[4\] and SSTP \[5\]. Since we only care about OpenVPN in this advisory, only the OvsGetProtoImpl function will follow:

    const PROTO_IMPL *OvsGetProtoImpl()
    {
        static const PROTO_IMPL impl =
        {
            OvsName,
            OvsOptions,
            NULL,
            OvsInit,
            OvsFree,
            OvsIsPacketForMe,
            OvsProcessData,
            OvsProcessDatagrams
        };
    
        return &impl;
    }
    

Wrapped by the most simple function, OvsGetProtoImpl() returns a set of function pointers to our proto->Containers. As such, we must now look at the OvsIsPacketForMe function and subsequently OvsProcessData:

    // Check whether it's an OpenVPN packet
    bool OvsIsPacketForMe(const PROTO_MODE mode, const void *data, const UINT size)
    {
        if (data == NULL || size < 2)
        {
            return false;
        }
    
        if (mode == PROTO_MODE_TCP)  // [6]
        {
            const UCHAR *raw = data;
            if (raw[0] == 0x00 && raw[1] == 0x0E)
            {
                return true;
            }
        }
        else if (mode == PROTO_MODE_UDP)
        {
            OPENVPN_PACKET *packet = OvsParsePacket(data, size);
            if (packet == NULL)
            {
                return false;
            }
    
            OvsFreePacket(packet);
            return true;
        }
    
        return false;
    }
    

Since we’re talking TCP, we hit the branch at \[6\]. The only thing that determines whether or not a packet is treated as OpenVPN traffic is if it starts with “\\x00\\x0E”. Continuing on, we now examine where the actual processing of data occurs in OvsProcessData:

    bool OvsProcessData(void *param, TCP_RAW_DATA *in, FIFO *out)
    {
        bool ret = true;
        UINT i;
        OPENVPN_SERVER *server = param;
        UCHAR buf[OPENVPN_TCP_MAX_PACKET_SIZE];  // 2000, 0x7d0  
    
        if (server == NULL || in == NULL || out == NULL)
        {
            return false;
        }
    
        // Separate to a list of datagrams by interpreting the data received from the TCP socket
        while (true)
        {
            UDPPACKET *packet;
            USHORT payload_size, packet_size;
            FIFO *fifo = in->Data;
            const UINT fifo_size = FifoSize(fifo);
    
            if (fifo_size < sizeof(USHORT))
            {
                // Non-arrival
                break;
            }
    
            // The beginning of a packet contains the data size
            payload_size = READ_USHORT(FifoPtr(fifo));           // [7]
            packet_size = payload_size + sizeof(USHORT);         // [8] 
    
            if (payload_size == 0 || packet_size > sizeof(buf))
            {
                ret = false;
                Debug("OvsProcessData(): Invalid payload size: %u bytes\n", payload_size);
                break;
            }
    
            if (fifo_size < packet_size) // fifo_size ends up being actual size of bytes recvd...
            {
                // Non-arrival
                break;
            }
    
    
        if (ReadFifo(fifo, buf, packet_size) != packet_size)    // [9]
        {
            ret = false;
            Debug("OvsProcessData(): ReadFifo() failed to read the packet\n");
            break;
        }
    
        // Insert packet into the list  // only a dos since we're oob'ing into thread stack data
        packet = NewUdpPacket(&in->SrcIP, in->SrcPort, &in->DstIP, in->DstPort, Clone(buf + sizeof(USHORT), payload_size), payload_size);  // [10]
        Add(server->RecvPacketList, packet);
    }
    
    // Process the list of received datagrams
    OvsRecvPacket(server, server->RecvPacketList, OPENVPN_PROTOCOL_TCP); // [11]
    

Starting out, because of our required “\\x00\\x0e” start to our packet, we hit the READ_USHORT at \[7\], and payload_size is naturally 0xe. The subsequent 0xe bytes get read in at \[9\], and then a UDP packet is created at \[10\] to pass the packet on for further processing at \[11\]. We need not go further, however, since the vulnerability lies plainly above. When hitting the next iteration of the while (true) loop, there is no requirement for our buffer to start with “\\x00\\x0e”. As such, if our next two bytes are, say, “\\xFF\\xFF”, then the payload_size gets set to 0xFFFF at \[7\], while the packet_size ushort gets set to 0x1 at \[8\]. Thus we read in a single byte at \[9\], which passes the return value check, and a new UDP packet is created with a length of payload_size at \[10\] (not packet_size).

While normally this would just read in out-of-bounds data from the buf stack buffer and pass it into further processing, since we’re in a linux thread, there’s usually a guard page at the bottom of the thread stack like so:

      0x7f5d00000000     0x7f5d00063000    0x63000        0x0  rw-p   // buf @ 0x7f5d00045abe
      0x7f5d486c6000     0x7f5d486c7000     0x1000        0x0  ---p   // guard pages
      0x7f5d486c7000     0x7f5d486f8000    0x31000        0x0  rw-p   // next thread 
    

Apparently the OvsProcessData function is not far up enough in the backtrace, and so our 0xFFFF read on the stack ends up hitting the guard page and causing a crash. This might behave differently if we are on a Windows SoftEther server; it has not been tested.

**Crash Information**

    Thread 22 "vpnserver" received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x7f5d486c5380 (LWP 1214911)]
    __memmove_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:708
    708     ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
    <(^.^)>#bt
    #0  __memmove_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:708
    #1  0x00007f5d49959e1c in Clone (addr=addr@entry=0x7f5d486c3e52, size=size@entry=65535) at /softether/SoftEtherVPN_orig/src/Mayaqua/Memory.c:3790
    #2  0x00007f5d49ae7253 in OvsProcessData (param=0x7f5d0001d710, in=0x7f5d0000fa40, out=0x7f5d0000bbe0) at /softether/SoftEtherVPN_orig/src/Cedar/Proto_OpenVPN.c:171
    #3  0x00007f5d49acfc0a in ProtoHandleConnection (proto=0x558a14d696d0, sock=sock@entry=0x7f5d1c007080, protocol=protocol@entry=0x0) at /softether/SoftEtherVPN_orig/src/Cedar/Proto.c:590
    #4  0x00007f5d49aa6213 in ConnectionAccept (c=c@entry=0x7f5d0000df40) at /softether/SoftEtherVPN_orig/src/Cedar/Connection.c:3027
    #5  0x00007f5d49ac3142 in TCPAcceptedThread (param=<optimized out>, t=<optimized out>) at /softether/SoftEtherVPN_orig/src/Cedar/Listener.c:181
    #6  TCPAcceptedThread (t=<optimized out>, param=<optimized out>) at /softether/SoftEtherVPN_orig/src/Cedar/Listener.c:140
    #7  0x00007f5d4995443d in ThreadPoolProc (param=0x7f5cfc00c730, t=0x7f5cfc00c500) at /softether/SoftEtherVPN_orig/src/Mayaqua/Kernel.c:872
    #8  ThreadPoolProc (t=0x7f5cfc00c500, param=0x7f5cfc00c730) at /softether/SoftEtherVPN_orig/src/Mayaqua/Kernel.c:827
    #9  0x00007f5d499907d1 in UnixDefaultThreadProc (param=0x7f5cfc0072e0) at /softether/SoftEtherVPN_orig/src/Mayaqua/Unix.c:1594
    #10 0x00007f5d49759b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
    #11 0x00007f5d497eba00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    

**VENDOR RESPONSE**

Vendor pull request on Github: https://github.com/SoftEtherVPN/SoftEtherVPN/pull/1824

**TIMELINE**

2023-04-03 - Vendor Disclosure  
2023-04-03 - Initial Vendor Contact  
2023-04-17 - Vendor Patch Release  
2023-10-12 - Public Release

Discovered by Lilith >\_> of Cisco Talos.

CVE-2023-22308: TALOS-2023-1737 || Cisco Talos Intelligence Group

A denial-of-service vulnerability exists in the vpnserver EnSafeHttpHeaderValueStr functionality of SoftEther VPN 5.01.9674 and 5.02. A specially crafted network packet can lead to denial of service.

**SUMMARY**

A denial-of-service vulnerability exists in the vpnserver EnSafeHttpHeaderValueStr functionality of SoftEther VPN 5.01.9674 and 5.02. A specially crafted network packet can lead to denial of service.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

SoftEther VPN 5.01.9674  
SoftEther VPN 5.02  
While 5.01.9674 is a development version, it is distributed at the time of writing by Ubuntu and other Debian-based distributions.

**PRODUCT URLS**

SoftEther VPN - https://www.softether.org/

**CVSSv3 SCORE**

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**CWE**

CWE-125 - Out-of-bounds Read

**DETAILS**

SoftEther is a multi-platform VPN project that provides both server and client code to connect over a variety of VPN protocols, including Wireguard, PPTP, SSTP, L2TP, etc. SoftEther has a variety of features for both enterprise and personal use, and enables Nat Traversal out-of-the-box for remote-access setups behind firewalls.

To various ends, SoftEther VPN server accepts and parses HTTP connections by default on all of its configured TCP ports. Out of the box this means TCP ports 443, 992, 1194 and 5555. Assuming that our incoming packet does not look like any of the other supported TCP protocols, we eventually get to the ServerAccept function:

    // Server accepts a connection from client
    bool ServerAccept(CONNECTION *c)
    {
        bool ret = false;
        UINT err;
        PACK *p;
        char username_real[MAX_SIZE];
        char method[MAX_SIZE]; // 512
        char hubname[MAX_SIZE];
        char username[MAX_SIZE];
        char groupname[MAX_SIZE];
        UCHAR session_key[SHA1_SIZE];
        UCHAR ticket[SHA1_SIZE];
    
        // [...]
    
        // Validate arguments
        if (c == NULL)
        {
            return false;
        }
    
        // [...]
    
        // Receive the signature
        Debug("Downloading Signature...\n");
        error_detail_2 = NULL;
        if (ServerDownloadSignature(c, &error_detail_2) == false){  // [1] 
            //[...]
            goto CLEANUP;
        }
    

Assorted initialization and an unruly amount of stack variables are skipped just so we can quickly see the first branching piece of code we hit at \[1\] in ServerDownloadSignature:

    // Download the signature
    bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
    {
        HTTP_HEADER *h;
        UCHAR *data;
        UINT data_size;
        SOCK *s;
        UINT num = 0, max = 19;
        SERVER *server;
        char *vpn_http_target = HTTP_VPN_TARGET2;
        // Validate arguments
        if (c == NULL)
        {
            return false;
        }
    
        server = c->Cedar->Server;
    
        s = c->FirstSock;          // [2]
    
        while (true)
        {
            bool not_found_error = false;
    
            num++;
            if (num > max)
            {
                // Disconnect
                Disconnect(s);
                c->Err = ERR_CLIENT_IS_NOT_VPN;
    
                *error_detail_str = "HTTP_TOO_MANY_REQUEST";
                return false;
            }
            // Receive a header
            h = RecvHttpHeader(s);  // [3]
            if (h == NULL)
            {
    
        // [...]
    

The SOCK *s variable is our client’s socket \[2\], which we then pass into the RecvHttpHeader function at \[3\] to actually read bytes and process the data:

    // Receive an HTTP header
    HTTP_HEADER *RecvHttpHeader(SOCK *s)
    {
        TOKEN_LIST *token = NULL;
        char *str = NULL;
        HTTP_HEADER *header = NULL;
        // Validate arguments
        if (s == NULL)
        {
            return NULL;
        }
    
        // Get the first line
        str = RecvLine(s, HTTP_HEADER_LINE_MAX_SIZE); // [4]
        if (str == NULL)
        {
            return NULL;
        }
    
        // Split into tokens
        token = ParseToken(str, " "); 
    
        FreeSafe(PTR_TO_PTR(str));
    
        if (token->NumTokens < 3)
        {
            FreeToken(token);
            return NULL;
        }
    
        // Creating a header object
        header = NewHttpHeader(token->Token[0], token->Token[1], token->Token[2]);
        FreeToken(token);
    
        if (StrCmpi(header->Version, "HTTP/0.9") == 0)
        {
            // The header ends with this line
            return header;
        }
    
        // Get the subsequent lines
        while (true)   
        {
            str = RecvLine(s, HTTP_HEADER_LINE_MAX_SIZE);  // [5]
            Trim(str);
            if (IsEmptyStr(str))
            {
                // End of header
                FreeSafe(PTR_TO_PTR(str)); 
                break;
            }
    
            if (AddHttpValueStr(header, str) == false) // [6] 
            {
                FreeSafe(PTR_TO_PTR(str)); 
                FreeHttpHeader(header);
                header = NULL;
                break;
            }
    
            FreeSafe(PTR_TO_PTR(str));
        }
    
        return header;
    }
    

To start, at \[4\], RecvLine reads in at max 0x1000 bytes or until it reads a “\\r\\n”. This line is split into the basic HTTP headers, and, assuming that’s all well and good, we enter the loop at \[5\] to continue reading the rest of the data. Again reading until 0x1000 bytes or “\\r\\n”, we take each line of the HTTP header and pass it into the AddHttpValueStr function at \[6\]. A quick digression before we delve into AddHttpValueStr: All of the parsed data is added into the HTTP_HEADER struct, which is just three pointers for the Method, Target and Version, and then a LIST * object which holds all of the actual HTTP headers:

    // HTTP header
    struct HTTP_HEADER
    {
        char *Method;                   // Method
        char *Target;                   // Target
        char *Version;                  // Version
        LIST *ValueList;                // Value list
    };
    

Continuing into AddHttpValueStr:

    // Adds the HTTP value contained in the string to the HTTP header
    bool AddHttpValueStr(HTTP_HEADER* header, char *string)
    {
        HTTP_VALUE *value = NULL;
        UINT pos = 0;
        char *value_name = NULL;
        char *value_data = NULL;
    
        // Validate arguments
        if (header == NULL || IsEmptyStr(string))
        {
            return false;
        }
    
        // Sanitize string
        EnSafeHttpHeaderValueStr(string, ' '); // [7]
    
        // Get the position of the colon
        pos = SearchStr(string, ":", 0);  // [8]
        if (pos == INFINITE)
        {
            // The colon does not exist
            return false;
        }
    
        if ((pos + 1) >= StrLen(string))
        {
            // There is no data
            return false;
        }
    
        // Divide into the name and the data
        value_name = Malloc(pos + 1);
        Copy(value_name, string, pos);
        value_name[pos] = 0;
        value_data = &string[pos + 1]; 
    
        value = NewHttpValue(value_name, value_data); // [9] 
        if (value == NULL)
        {
            Free(value_name);
            return false;
        }
    
        Free(value_name);
    
        AddHttpValue(header, value); // [10] 
    
        return true;
    }
    

At \[7\], there is some escaping and processing done on our char *string parameter that was passed in. Soon after, the string is separated at the colon \[8\], allocations are made to contain copies of the split string \[9\] and we finally add a new entry to the HTTP_HEADER->ValueList at \[10\]. We need not go much further, so let us examine the EnSafeHttpHeaderValueStr function to see how the input HTTP header string gets processed:

    // Replace '\r' and '\n' with the specified character.
    // If the specified character is a space (unsafe), the original character is removed.
    void EnSafeHttpHeaderValueStr(char *str, char replace)
    {
        UINT length = 0;
        UINT index = 0;
    
        // Validate arguments
        if (str == NULL)
        {
            return;
        }
    
        length = StrLen(str);
        while (index < length)
        {
            if (str[index] == '\r' || str[index] == '\n')
            {
                if (replace == ' ')
                {
                    Move(&str[index], &str[index + 1], length - index); // [11]
                }
                else
                {
                    str[index] = replace;
                }
            }
            else if (str[index] == '\\')
            {
                if (str[index + 1] == 'r' || str[index + 1] == 'n') 
                {
                    if (replace == ' ')
                    {
                        Move(&str[index], &str[index + 2], length - index); // [12]
                        index--;   
                    }             
                    else
                    {
                        str[index] = str[index + 1] = replace;
                        index++;
                    }
                }
            }
            index++;
        }
    }
    

To sum up this function, each character is checked to see if there’s a “\\r”, “\\n”, “\\\\r” or “\\\\n”. If there is, it is replaced with the char replace, or the entire string is shifted backwards by one or two bytes. While the code at \[11\] is valid because the char *str parameter is null terminated, and as such can never read out of bounds, the line at \[12\] is a different story. Since our Move function copies from [index + 2] and the length is length - index, every copy this line makes will hit the null terminator and the byte immediately after. As such, any HTTP header passed into this function that contains a “\\\\r” or “\\\\n” will cause a one-byte out-of-bounds read to happen. And at least for the code path we have followed above, our input char *str is allocated on the heap, which means that with very careful heap manipulation, we can cause this single byte to be the first byte of an unmapped page or non-readable page in memory, resulting in a server crash and denial of service.

**Crash Information**

    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /softether/SoftEtherVPN/src/Mayaqua/Encrypt.c:4725:20 in 
    =================================================================
    ==89041==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040001a58bb at pc 0x565370d9394f bp 0x7f2598180410 sp 0x7f259817fbe0
    READ of size 26 at 0x6040001a58bb thread T30
        #0 0x565370d9394e in __asan_memmove (/softether/asan_build/vpnserver+0xa094e) (BuildId: 78a21100df0def7d4dc91631945f35b3269dac3a)
        #1 0x7f259c6e1099 in Move /softether/SoftEtherVPN/src/Mayaqua/Memory.c:3822:2
        #2 0x7f259c7e4218 in EnSafeHttpHeaderValueStr /softether/SoftEtherVPN/src/Mayaqua/Str.c:2082:6
        #3 0x7f259c689be1 in AddHttpValueStr /softether/SoftEtherVPN/src/Mayaqua/HTTP.c:929:2
        #4 0x7f259c68b890 in RecvHttpHeader /softether/SoftEtherVPN/src/Mayaqua/HTTP.c:1145:7
        #5 0x7f259d94168b in ServerDownloadSignature /softether/SoftEtherVPN/src/Cedar/Protocol.c:5791:7
        #6 0x7f259d91dc91 in ServerAccept /softether/SoftEtherVPN/src/Cedar/Protocol.c:1228:6
        #7 0x7f259d677def in ConnectionAccept /softether/SoftEtherVPN/src/Cedar/Connection.c:3077:6
        #8 0x7f259d760478 in TCPAcceptedThread /softether/SoftEtherVPN/src/Cedar/Listener.c:181:2
        #9 0x7f259c6ac632 in ThreadPoolProc /softether/SoftEtherVPN/src/Mayaqua/Kernel.c:872:3
        #10 0x7f259c844b63 in UnixDefaultThreadProc /softether/SoftEtherVPN/src/Mayaqua/Unix.c:1594:2
        #11 0x7f259c094b42 in start_thread nptl/./nptl/pthread_create.c:442:8
        #12 0x7f259c1269ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    0x6040001a58bb is located 0 bytes to the right of 43-byte region [0x6040001a5890,0x6040001a58bb)
    allocated by thread T30 here:
        #0 0x565370d941ce in malloc (/softether/asan_build/vpnserver+0xa11ce) (BuildId: 78a21100df0def7d4dc91631945f35b3269dac3a)
        #1 0x7f259c83b386 in UnixMemoryAlloc /softether/SoftEtherVPN/src/Mayaqua/Unix.c:2043:6
        #2 0x7f259c6dfb9e in InternalMalloc /softether/SoftEtherVPN/src/Mayaqua/Memory.c:3692:10
        #3 0x7f259c6df2da in MallocEx /softether/SoftEtherVPN/src/Mayaqua/Memory.c:3523:8
        #4 0x7f259c793df1 in RecvLine /softether/SoftEtherVPN/src/Mayaqua/Network.c:19506:11
        #5 0x7f259c68b8aa in RecvHttpHeader /softether/SoftEtherVPN/src/Mayaqua/HTTP.c:1136:9
        #6 0x7f259d94168b in ServerDownloadSignature /softether/SoftEtherVPN/src/Cedar/Protocol.c:5791:7
        #7 0x7f259d91dc91 in ServerAccept /softether/SoftEtherVPN/src/Cedar/Protocol.c:1228:6
        #8 0x7f259d677def in ConnectionAccept /softether/SoftEtherVPN/src/Cedar/Connection.c:3077:6
        #9 0x7f259d760478 in TCPAcceptedThread /softether/SoftEtherVPN/src/Cedar/Listener.c:181:2
        #10 0x7f259c6ac632 in ThreadPoolProc /softether/SoftEtherVPN/src/Mayaqua/Kernel.c:872:3
        #11 0x7f259c844b63 in UnixDefaultThreadProc /softether/SoftEtherVPN/src/Mayaqua/Unix.c:1594:2
        #12 0x7f259c094b42 in start_thread nptl/./nptl/pthread_create.c:442:8
    
    Thread T30 created by T27 here:
        #0 0x565370d7d64c in __interceptor_pthread_create (/softether/asan_build/vpnserver+0x8a64c) (BuildId: 78a21100df0def7d4dc91631945f35b3269dac3a)
        #1 0x7f259c83d677 in UnixInitThread /softether/SoftEtherVPN/src/Mayaqua/Unix.c:1673:6
        #2 0x7f259c6ae087 in NewThreadInternal /softether/SoftEtherVPN/src/Mayaqua/Kernel.c:1200:7
        #3 0x7f259c6ad525 in NewThreadNamed /softether/SoftEtherVPN/src/Mayaqua/Kernel.c:997:10
        #4 0x7f259c770bcb in ConnectEx5 /softether/SoftEtherVPN/src/Mayaqua/Network.c:14692:8
        #5 0x7f259c7279e7 in ConnectEx4 /softether/SoftEtherVPN/src/Mayaqua/Network.c:14556:9
        #6 0x7f259c7279e7 in ConnectEx3 /softether/SoftEtherVPN/src/Mayaqua/Network.c:14552:9
        #7 0x7f259c7279e7 in ConnectEx2 /softether/SoftEtherVPN/src/Mayaqua/Network.c:14548:9
        #8 0x7f259c7279e7 in ConnectEx /softether/SoftEtherVPN/src/Mayaqua/Network.c:14544:9
        #9 0x7f259c7279e7 in GetMyPrivateIP /softether/SoftEtherVPN/src/Mayaqua/Network.c:4405:6
        #10 0x7f259c726e32 in RUDPIpQueryThread /softether/SoftEtherVPN/src/Mayaqua/Network.c:4345:8
        #11 0x7f259c6ac632 in ThreadPoolProc /softether/SoftEtherVPN/src/Mayaqua/Kernel.c:872:3
        #12 0x7f259c844b63 in UnixDefaultThreadProc /softether/SoftEtherVPN/src/Mayaqua/Unix.c:1594:2
        #13 0x7f259c094b42 in start_thread nptl/./nptl/pthread_create.c:442:8
    
    Thread T27 created by T25 here:
        #0 0x565370d7d64c in __interceptor_pthread_create (/softether/asan_build/vpnserver+0x8a64c) (BuildId: 78a21100df0def7d4dc91631945f35b3269dac3a)
        #1 0x7f259c83d677 in UnixInitThread /softether/SoftEtherVPN/src/Mayaqua/Unix.c:1673:6
        #2 0x7f259c6ae087 in NewThreadInternal /softether/SoftEtherVPN/src/Mayaqua/Kernel.c:1200:7
        #3 0x7f259c6ad525 in NewThreadNamed /softether/SoftEtherVPN/src/Mayaqua/Kernel.c:997:10
        #4 0x7f259c72f950 in NewRUDP /softether/SoftEtherVPN/src/Mayaqua/Network.c:5351:22
        #5 0x7f259c71bdf2 in NewRUDPServer /softether/SoftEtherVPN/src/Mayaqua/Network.c:5178:6
        #6 0x7f259c71bdf2 in ListenRUDPEx /softether/SoftEtherVPN/src/Mayaqua/Network.c:2504:6
        #7 0x7f259d7632cb in ListenerTCPMainLoop /softether/SoftEtherVPN/src/Cedar/Listener.c:405:9
        #8 0x7f259d765924 in ListenerThread /softether/SoftEtherVPN/src/Cedar/Listener.c:563:3
        #9 0x7f259c6ac632 in ThreadPoolProc /softether/SoftEtherVPN/src/Mayaqua/Kernel.c:872:3
        #10 0x7f259c844b63 in UnixDefaultThreadProc /softether/SoftEtherVPN/src/Mayaqua/Unix.c:1594:2
        #11 0x7f259c094b42 in start_thread nptl/./nptl/pthread_create.c:442:8
    
    Thread T25 created by T0 here:
        #0 0x565370d7d64c in __interceptor_pthread_create (/softether/asan_build/vpnserver+0x8a64c) (BuildId: 78a21100df0def7d4dc91631945f35b3269dac3a)
        #1 0x7f259c83d677 in UnixInitThread /softether/SoftEtherVPN/src/Mayaqua/Unix.c:1673:6
        #2 0x7f259c6ae087 in NewThreadInternal /softether/SoftEtherVPN/src/Mayaqua/Kernel.c:1200:7
        #3 0x7f259c6ad525 in NewThreadNamed /softether/SoftEtherVPN/src/Mayaqua/Kernel.c:997:10
        #4 0x7f259d768069 in NewListenerEx5 /softether/SoftEtherVPN/src/Cedar/Listener.c:821:6
        #5 0x7f259d76799e in NewListenerEx4 /softether/SoftEtherVPN/src/Cedar/Listener.c:772:9
        #6 0x7f259da20f4b in SiNewServerEx /softether/SoftEtherVPN/src/Cedar/Server.c:10934:10
        #7 0x7f259d9e8e51 in SiNewServer /softether/SoftEtherVPN/src/Cedar/Server.c:10795:9
        #8 0x7f259d9e8e51 in StStartServer /softether/SoftEtherVPN/src/Cedar/Server.c:6696:12
        #9 0x7f259c848901 in UnixExecService /softether/SoftEtherVPN/src/Mayaqua/Unix.c:2560:3
        #10 0x7f259c849566 in UnixServiceMain /softether/SoftEtherVPN/src/Mayaqua/Unix.c:2765:3
        #11 0x7f259c84917a in UnixService /softether/SoftEtherVPN/src/Mayaqua/Unix.c:2679:5
        #12 0x7f259c029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/softether/asan_build/vpnserver+0xa094e) (BuildId: 78a21100df0def7d4dc91631945f35b3269dac3a) in __asan_memmove
    Shadow bytes around the buggy address:
      0x0c088002cac0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
      0x0c088002cad0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 02
      0x0c088002cae0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
      0x0c088002caf0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
      0x0c088002cb00: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
    =>0x0c088002cb10: fa fa 00 00 00 00 00[03]fa fa fd fd fd fd fd fd
      0x0c088002cb20: fa fa fd fd fd fd fd fd fa fa fa fa fa fa fa fa
      0x0c088002cb30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c088002cb40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c088002cb50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c088002cb60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==89041==ABORTING
    

**VENDOR RESPONSE**

Vendor pull request on Github: https://github.com/SoftEtherVPN/SoftEtherVPN/pull/1829

**TIMELINE**

2023-04-11 - Vendor Disclosure  
2023-04-22 - Vendor Patch Release  
2023-10-12 - Public Release

Discovered by Lilith >\_> of Cisco Talos.

CVE-2023-23581: TALOS-2023-1741 || Cisco Talos Intelligence Group

Debian Linux Security Advisory 5525-1 - Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix, which might result in denial of service, information disclosure or privilege escalation.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5525-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 11, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : sambaCVE ID         : CVE-2023-3961 CVE-2023-4091 CVE-2023-4154 CVE-2023-42669                 CVE-2023-42670Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,print, and login server for Unix, which might result in denial ofservice, information disclosure or privilege escalation.For the stable distribution (bookworm), these problems have been fixed inversion 2:4.17.12+dfsg-0+deb12u1.We recommend that you upgrade your samba packages.For the detailed security status of samba please refer toits security tracker page at:https://security-tracker.debian.org/tracker/sambaFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmUm5ZQACgkQEMKTtsN8TjbcbRAAqOaI9Jxx/E7BqJBYFkbXikQJp/EIGs79DXeeR/iPdElJVSPgEe6FdJh4rpQlYQM8cHq/satLr0/6nLLBAAEg8QKuibBI2qQXnHBKeY2U5NRjOo0IGDEJYfQXDxGtt/A11LGmx5tZTOMkMPtAr6wqwcVu0dBLNwD5V1FIV1iynoDwjxOVAYJSlpBhfwfwAF70SMByQI81+4L4oRqHQIfgrQEppguFBIrjJp038teTRaDA4KWwBATexdwiEwdyppYelMJX57BxW4TBIaEwup2LX37Dt+d52xD4NtTEX5+bauygZIFrV7KAFOi/3gMcCmFwHVe13vxCz8Idy+OQSUpAXUIHbi0bEr4w0ahF0N6+A5E/SC196X4/YL1xT+92RVviiRO6X5QZZ1ye6gPdlUiB+2shRtSkHL4ymYFvlhPEkDKSSHHzN+VVm05WyJD4vK+sfrgW5UPDoi+feuIVkr79n2VLJNhkl7RcphGMd2n6580UjpoIW65HrtwEYwxPJWJWq6w1tFj2D+PuIrNeGFAaBHy64slNym6aHNwiN8M2NpZm/5YnlFz5cS5PS1W3l8bLDwdH4jOzuiafQdVIiMF+sr3RSWklPSXZsWLjLj2RS1KYfuAtcgZPrTfeYuKGJkQ5xPeIvTni8MhTCNt6QDG8G+SU1y6vKDdegK25ih4No/w=OHBQ-----END PGP SIGNATURE-----

Debian Security Advisory 5525-1

Debian Linux Security Advisory 5524-1 - Kevin Backhouse discovered an out-of-bounds array access in Libcue, a library for parsing CD metadata, which could result in the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5524-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 11, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libcueCVE ID         : CVE-2023-43641Kevin Backhouse discovered an out-of-bounds array access in Libcue, alibrary for parsing CD metadata, which could result in the execution ofarbitrary code.For the oldstable distribution (bullseye), this problem has been fixedin version 2.2.1-3+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 2.2.1-4+deb12u1.We recommend that you upgrade your libcue packages.For the detailed security status of libcue please refer toits security tracker page at:https://security-tracker.debian.org/tracker/libcueFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmUm5a4ACgkQEMKTtsN8TjbTjQ//USLpGR9QpAIp6HVz5CUfOOYS3SabPbdNIxIxFj7B175rHH+7ZwFcu1Ox2D2AIS7jOEaMoD6H5ixmk01jG9pe1puF660Fx7f9tZkmyGhJMdHF6UmG76B/vGNmFZToXeIYFvQu54iGUSYgl99r8kQIeRPIF3AImgQnShVSSJDBBDgOqr0pWfMLoHiV5M2v2U4RQmpjw7IKXNr5gcS7mTt/Kyhba8x2WzPcG8SMew5/8/TRjxU1b+DH58EsFoJ1Ou9p2oFcYJpuEklcfilW04kEyDJ5JVyj8AOXkfuwECVehH4iOofAJdKcb/ZX2KvUdZZh+niWet59ZleJ4nvJedtAjJcFkLa9NEyfJewOkZB/FBq7vMNv+aVQqhRAREoFnA0mIRaupFSbS8wYCEDL9mavBFMv8nv/5mQ1AyDrC/pk3QcNf0qnOsJFPMAK/lBxC3775CWN0tIVFtBhxX8bsdquYQlBUzzG8cr3usLYvT1OwK07nVj+SDKRimTuGeRuBZGa08GZ7cjrlXvqLNBHWISaRgX7BjY53rDVKhg3qLJJ3xj9KneN2JJkkat8/xGXBpNkiU23D33YTFYA5CRXzAJO/T6MMHAzmqDIZ9e79oRG8WazOwUCLjCLfCghLY4brLsT86IwYCrlw9SxyfDXZelFO8xa+vkhUl/68os95udZ0NU=zzmh-----END PGP SIGNATURE-----

Debian Security Advisory 5524-1

Debian Linux Security Advisory 5523-1 - Two security issues were found in Curl, an easy-to-use client-side URL transfer library and command line tool.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5523-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
October 11, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : curl  
CVE ID         : CVE-2023-38545 CVE-2023-38546

Two security issues were found in Curl, an easy-to-use client-side URL  
transfer library and command line tool:

CVE-2023-38545

    Jay Satiro discovered a buffer overflow in the SOCKS5 proxy handshake.

CVE-2023-38546

    It was discovered that under some circumstances libcurl was  
    susceptible to cookie injection.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 7.74.0-1.3+deb11u10.

For the stable distribution (bookworm), these problems have been fixed in  
version 7.88.1-10+deb12u4.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/curl

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmUmR4AACgkQEMKTtsN8  
TjbtKBAAtJ6fPT/1ZwS+elK/8gzKI3xJFgfS6k/F5o5go30i82fFGK8k7aZNzTrw  
NQAPQ+DdWN4Nvm65qHXf8ME6jSNpnfmSSJ7k/RWVet8BJ3gMxOyBUOqAzK8CP5y1  
xW4Dnma3+EfA4g+f0fiJ8d5xTie29P+uo7qvKeUg1eCAbsUhoEortvkOtKSm/9wh  
hHq6h12LXFrDArEuOzKJZk58bo9xeMe/1BV3YdGh63lrRsz/RR/zFd51OLqn5Dgl  
eJRGwHe7pXIbaCI3mncEa0y6PHQMCZWrKdQxQC5BL4Ggut+Y2nVRMexZKzLD83Rl  
nrrD8LknLAr9QSNBjoMdf1s1rR7vboKNxYFtXcGf6nqFECQuSL4VihbJMIltUzpc  
LE4ppZxmrOs0Q78SFP+Xq5w1zMHg+2NIRx7EHDaGObvv4t3l/PoOXWI81wPxioKa  
zzxLAEVDI2Sfc6Qw/a1GmiIkEbEjhCW+LBUeOhLEfzd56W/7enCGrRFzrS6hKsbz  
Ibp2lPt6755ixpFsJ8PsVTEZ8C9jV41n8tL06BEG8+wSAc+1cHMJQ+0ceQxuXiTF  
Lrorm4rKgx76o8naAG+wPeg3rUawadAkhQzyUXKC1HqEDqcdIJhM+GL4qNI+ErPr  
E2w1K1Qo0g+1CUcYHdNTP6O3IklUwBiyJJeSn5q/AWZYH8aKdKc=  
=+znC  
-----END PGP SIGNATURE-----

Debian Security Advisory 5523-1

Debian Linux Security Advisory 5522-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5522-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
October 10, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : tomcat9  
CVE ID         : CVE-2023-24998 CVE-2023-41080 CVE-2023-42795 CVE-2023-44487  
                 CVE-2023-45648

Several security vulnerabilities have been discovered in the Tomcat  
servlet and JSP engine.

CVE-2023-24998

    Denial of service. Tomcat uses a packaged renamed copy of Apache Commons  
    FileUpload to provide the file upload functionality defined in the Jakarta  
    Servlet specification. Apache Tomcat was, therefore, also vulnerable to the  
    Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to  
    the number of request parts processed. This resulted in the possibility of  
    an attacker triggering a DoS with a malicious upload or series of uploads.

CVE-2023-41080

    Open redirect. If the ROOT (default) web application is configured to use  
    FORM authentication then it is possible that a specially crafted URL could  
    be used to trigger a redirect to an URL of the attackers choice.

CVE-2023-42795

    Information Disclosure. When recycling various internal objects, including  
    the request and the response, prior to re-use by the next request/response,  
    an error could cause Tomcat to skip some parts of the recycling process  
    leading to information leaking from the current request/response to the  
    next.

CVE-2023-44487

    DoS caused by HTTP/2 frame overhead (Rapid Reset Attack)

CVE-2023-45648

    Request smuggling. Tomcat did not correctly parse HTTP trailer headers. A  
    specially crafted, invalid trailer header could cause Tomcat to treat a  
    single request as multiple requests leading to the possibility of request  
    smuggling when behind a reverse proxy.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 9.0.43-2~deb11u7.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUlyBRfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeRBnhAAk1o0EDLnX1zaS0Xnz9jybhd9XdXat1HwZXvV3XFRGVXu5+r2bKH+KQjU  
0GJ6koP3KDt10DrI8DzOq+9Msu0/TbPYAZKDHPjPYfcUqXRmwRrvTXtq5cbR5v3+  
JxgJhiqjQYb1DYiDLC5iU+6aryrZg2ma1i81lG5v8N1TDfaCHzbZiMpyeYEABkd7  
eKX3tzngoK9UaIgYVBxrjnM9bPRWnRFJRBMu/hs4VS6gxqzAaZT72Tcaf0Vf3t1s  
Es5IMgrhBC0Q2Amlm3N5z37p0nlhnJdNC3dAHetRCy92g9/KsjB/1BZfYY7rM8wV  
WwvB5WwQ0T4eRqKmc8yY86sUdfXkhPqz1oFDbnNgxtBjMm2z/of9pNEm+2NCpv9P  
3MpCIKsEWiGH8+uleGuFhAHoWeUYjDNJjH1di6+PYZoBaEJ8eiXct/THBt/0nvFR  
Nh6AFDqi1Hi5/GdPK71eFRDsXOwgSuRg1ZRJtJP1W/dYEiczP89l0CM04PwxEAn2  
dbE2ZCUQmIzQdng4OAHt+ze+QDini4HtoRJnQHq4P/QUIEQAE9C0hOIMMnrtpqIY  
A77Qa1bBVqDgLlhvSmpSrVigmfyXSpmtfc9G0KXcq5IAvr75jZ0PNuIk/VTyklYj  
e3g3nA1rbB1jlx6cvPqWBFItXW8800mJ0CXHb8EN8jKdB5BnooY=  
=6KYM  
-----END PGP SIGNATURE-----

Debian Security Advisory 5522-1

Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which have come under active exploitation in the wild.
Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is apart from 18 security vulnerabilities addressed in its Chromium-based Edge browser since the second Tuesday of September.
The two

Vulnerability / Endpoint Security

Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which have come under active exploitation in the wild.

Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is apart from 18 security vulnerabilities addressed in its Chromium-based Edge browser since the second Tuesday of September.

The two vulnerabilities that been weaponized as zero-days are as follows -

*   **CVE-2023-36563** (CVSS score: 6.5) - An information disclosure vulnerability in Microsoft WordPad that could result in the leak of NTLM hashes
*   **CVE-2023-41763** (CVSS score: 5.3) - A privilege escalation vulnerability in Skype for Business that could lead to exposure of sensitive information such as IP addresses or port numbers (or both), enabling threat actors to gain access to internal networks

"To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system," Microsoft said in an advisory for CVE-2023-36563.

"Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file."

Also fixed by Redmond are dozens of flaws impacting Microsoft Message Queuing (MSMQ) and Layer 2 Tunneling Protocol that could lead to remote code execution and denial-of-service (DoS).

The security update further resolves a severe privilege escalation bug in Windows IIS Server (CVE-2023-36434, CVSS score: 9.8) that could permit an attacker to impersonate and login as another user via a brute-force attack.

The tech giant has also released an update for CVE-2023-44487, also referred to as the HTTP/2 Rapid Reset attack, which has been exploited by unknown actors as a zero-day to stage hyper-volumetric distributed denial-of-service (DDoS) attacks.

"While this DDoS has the potential to impact service availability, it alone does not lead to the compromise of customer data, and at this time we have seen no evidence of customer data being compromised," it said.

Finally, Microsoft has announced that Visual Basic Script (aka VBScript), which is often exploited for malware distribution, is being deprecated, adding, "in future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system."

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Apache Projects
*   Apple
*   Aruba Networks
*   Arm
*   Atlassian
*   Atos
*   Cisco
*   Citrix
*   CODESYS
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   Hitachi Energy
*   HP
*   IBM
*   Juniper Networks
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   Qualcomm
*   Samba
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   Sophos, and
*   VMware

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Releases October 2023 Patches for 103 Flaws, Including 2 Active Exploits

An issue was discovered in Ethernut Nut/OS 5.1. The code that generates Initial Sequence Numbers (ISNs) for TCP connections derives the ISN from an insufficiently random source. As a result, an attacker may be able to determine the ISN of current and future TCP connections and either hijack existing ones or spoof future ones. While the ISN generator seems to adhere to RFC 793 (where a global 32-bit counter is incremented roughly every 4 microseconds), proper ISN generation should aim to follow at least the specifications outlined in RFC 6528.

**Nut/OS Downloads**

**Stable Version 5.1**

ethernut-5.1.0-1.exe  
Executable installation for Windows PCs.

ethernut-5.1.0-1.tar.gz  
Source code package for Linux and OS X. More details are available here.

**Latest Beta Version**

ethernut-5.2.4.exe  
Executable installation for Windows PCs.

ethernut-5.2.4.tar.gz  
Source code package for Linux and OS X. More details are available here.

**Code Repository**

The cutting edge development version is available in an Apache Subversion repository at ethernut.svn.sourceforge.net.

If you like to work locally with Git on the Subversion repository, get the bare repository at ethernut-code.git.tar.gz.  
Unpack the tar file with

tar fxz ethernut-code.git.tar.gz

change to the Ethernut code directory with

cd ethernut-code

and checkout the files

git checkout -- .

You can stay up to date with

git svn rebase

**Previous Releases**

Versions, which are no longer maintained, can be downloaded from the archive.

**Note! Binary code created from version 5.0.4 beta for Cortex-M may contain code with the following license:**

Copyright (c) 2005-2009 Luminary Micro, Inc.  All rights reserved.
Software License Agreement

Luminary Micro, Inc. (LMI) is supplying this software for use solely and
exclusively on LMI's microcontroller products.

The software is owned by LMI and/or its suppliers, and is protected under
applicable copyright laws.  All rights are reserved.  You may not combine
this software with "viral" open-source software in order to form a larger
program.  Any use in violation of the foregoing restrictions may subject
the user to criminal sanctions under applicable laws, as well as to civil
liability for the breach of the terms and conditions of this license.

**We have removed this version.**

**Toolchains****AVR 8-Bit Cross Development****Debian Packages**

packages.debian.org  
Debian official packages.

**Windows Installer**

WinAVR  
is a complete Win32 installation package, which contains the AVR-GCC compiler and many additional tools.

**AVR32 Cross Development**

AVR32 GNU Toolchain  
Atmel offers free development environments for PCs running Linux and Windows.

**ARM Cross Development****Debian Packages**

GNU binary utilities for arm-elf cross development  
This package is a collection of utilities required for the assembly, linking, symbol dumping, object dumping, object copying and other operations for position independent code on ARM targets using the ELF file format.

GNU C compiler for arm-elf cross development  
GNU C cross compiler for ARM targets using the ELF file format.

GNU debugger for arm-elf cross development  
GNU debugger, configured for remote debugging of ARM targets using the ELF file format.

Standard C library for arm-elf cross development  
This C library intended for use on ARM targets using the ELF file format. Newlib is a conglomeration of several library parts, all under free software licenses that make them easily usable on embedded products.

**Windows and Mac OS X**

YAGARTO  
is the recommended toolchain for 32-bit ARM targets.

**Ethernut 5 Specific**

en5flasher-20130719.zip  
Automagic Flasher for Ethernut 5, described on this page. This release of the Linux kernel 3.8.8 additionally contains the binary images of SAMBoot and U-Boot-2013.01.01.

ethernut5-image-20130604.zip  
Ethernut 5 root file system image for Linux 3.8.8, built with Yocto 1.4.

meta-egnite-20130531.tar.bz2  
build-ethernut5-3.8-20130531.tar.bz2  
Files needed to build Yocto for Ethernut 5.

en5pwrman-20110610.zip  
Power management firmware for Ethernut 5, mentioned at the end of this page.

**Previous Releases**

en5flasher-20120308.zip  
Automagic Flasher für Ethernut 5, described on this page. This first release of the Linux kernel 3.2.9 additionally contains the binary images of SAMBoot and U-Boot-2011.03.

console-image-ethernut5-20120308.zip  
First release of the Ethernut 5 Linux root file system image for kernel 3.2.9. Should be installed in conjunction with en5flasher-20120308.zip.

en5flasher-20120305.zip  
Automagic Flasher für Ethernut 5, described on this page. This second release for Linux 2.6.37 contains the binary images of SAMBoot, U-Boot-2011.03 and Linux kernel. The latter now supports USB memory sticks and cameras, PPP over UMTS/GPRS, GPS mice and more. The kernel now runs with data cache enabled.

console-image-ethernut5-20120305.zip  
Second release of the Ethernut 5 Linux root file system image. Should be installed in conjunction with en5flasher-20120305.zip.

egnite-oe-overlay-r2.tar.bz2  
egnite-oe-build-2.6.37-r2.tar.bz2  
OpenEmbedded overlays to build U-Boot, Linux and a root filesystem for Ethernut 5.

en5flasher-20110610.zip  
Automagic flasher for Ethernut 5, described this page.

console-image-ethernut5-20110525.zip  
Ethernut 5 Linux root file system image. Use this first version with en5flasher-20110610.zip.

CVE-2020-27213: Ethernut Download

Debian Linux Security Advisory 5519-1 - Maxim Suhanov discovered multiple vulnerabilities in GURB2's code to handle NTFS filesystems, which may result in a Secure Boot bypass.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5519-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoOctober 06, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : grub2CVE ID         : CVE-2023-4692 CVE-2023-4693Maxim Suhanov discovered multiple vulnerabilities in GURB2's code tohandle NTFS filesystems, which may result in a Secure Boot bypass.For the oldstable distribution (bullseye), these problems have been fixedin version 2.06-3~deb11u6.For the stable distribution (bookworm), these problems have been fixed inversion 2.06-13+deb12u1.We recommend that you upgrade your grub2 packages.For the detailed security status of grub2 please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/grub2Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmUgWX5fFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0S1bxAAoIlLLu0nPXCGZRJydLVpVdkgkosdnlLxMR/oN2rTAWG6f1I2VatAPSKErBtRSi32TSuLW3Ir6lY+O7Jk7ONKGGbh4CSD1EcFb1w7sylwHZY5mtpMfS7tCDc2PAasJXSlMXlzRjO0pPCpazYHHmBYAap/JBVc89ZepwleegAoL1UoIaE+eCRliLS9H00CWdIsnr7F22HNsN+SYyK0itHyqtgx6M1F5v7eXaGd5bPbN1mCTV8okBkCEU7hp14+sEQtrFLLPW1WyBzSEMPWtgrVcOgGy2wBqZRK5UoCUDBohCyjcZFig7ZQ6vuTYTbDMwxBeI6ycK8BpccD+8kZqzNKjjgUPlvu92FxflqYjg98GIa9rcBhETEbare5RnwhQteYbr+Yn90hng5xvEXu7CC+7nKm+X4jzM2lHRGm56WCeE26+DQ0JB8J2yu+donTd+vhgLfTgADb9V0nFJh0hecHqh5/n0Jhu5u/ImxhDzbcqlfijNAl42udQmeQa2V6sBWJxabgJhEGeazEGuWHqpqXJk9dc8xuqWYYGmv4Fioi+2TVAI8lsnRbX4qp0MU2hrOCHsnccV0VOvENV3dTzgRO5UqUI0xC88FLckz5JQUjh81dGvezuQ1NQNSEAWamwBka/lqyBTg7AMQEwsiximYYyO4DkSBslzMsNGi5pZCc8rk=+IHG-----END PGP SIGNATURE-----

Debian Security Advisory 5519-1

eClass Junior version 4.0 suffers from a remote SQL injection vulnerability.

**eClass Junior 4.0 SQL Injection**

Posted Oct 9, 2023

Authored by indoushka

eClass Junior version 4.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | fe25bf20628b95e728482b08a8d3f9ce6bd4e732844de33554a5951468322a2a

Download | Favorite | View

**eClass Junior 4.0 SQL Injection**

    ====================================================================================================================================| # Title     : eClass Junior 4.0 Sql injection Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.eclass.com.hk/en/product/eclass-junior/                                                                |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /gallery_detail.php?cid=55 <===== inject here[+] http://127.0.0.www.cls.eduhk/tc/gallery_detail.php?cid=55[+] Panel : /templates/index.php?err=1&DirectLink= or /ad_min_man/login.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,456)
*   Arbitrary (16,316)
*   BBS (2,859)
*   Bypass (1,764)
*   CGI (1,029)
*   Code Execution (7,343)
*   Conference (680)
*   Cracker (843)
*   CSRF (3,352)
*   DoS (23,623)
*   Encryption (2,372)
*   Exploit (52,159)
*   File Inclusion (4,230)
*   File Upload (977)
*   Firewall (821)
*   Info Disclosure (2,797)
*   Intrusion Detection (895)
*   Java (3,054)
*   JavaScript (865)
*   Kernel (6,760)
*   Local (14,525)
*   Magazine (586)
*   Overflow (12,775)
*   Perl (1,423)
*   PHP (5,156)
*   Proof of Concept (2,345)
*   Protocol (3,623)
*   Python (1,543)
*   Remote (30,920)
*   Root (3,598)
*   Rootkit (513)
*   Ruby (612)
*   Scanner (1,644)
*   Security Tool (7,912)
*   Shell (3,201)
*   Shellcode (1,216)
*   Sniffer (896)
*   Spoof (2,213)
*   SQL Injection (16,422)
*   TCP (2,417)
*   Trojan (687)
*   UDP (896)
*   Virus (666)
*   Vulnerability (31,915)
*   Web (9,732)
*   Whitepaper (3,753)
*   x86 (965)
*   XSS (18,011)
*   Other

**File Archives**

*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,026)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,858)
*   Fedora (1,692)
*   FreeBSD (1,246)
*   Gentoo (4,347)
*   HPUX (879)
*   iOS (358)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (46,943)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (486)
*   RedHat (13,974)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,974)
*   UNIX (9,323)
*   UnixWare (186)
*   Windows (6,591)
*   Other

Tag

#debian