Buffer Overflow vulnerability in cFilenameInit parameter in browseForDoc function in Foxit Software Foxit PDF Reader version 10.1.0.37527, allows local attackers to cause a denial of service (DoS) via crafted .pdf file.

This website uses cookies to provide you with the best possible experience and to optimize the website to best fit the needs of our visitors. By using this website, you automatically agree to the use of cookies and your IP address. For detailed information on the use of cookies on this website, please see our Privacy Policy .

OK

CVE-2020-35990: PDF Software & Tools Tailored to Your Business | Foxit

An issue was discovered in OFPQueueGetConfigReply in parser.py in Faucet SDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infinite loop).

The same questions are as follows:

In /ryu/ofproto/ofproto\_v1\_0\_parser.py about line=2077

    class OFPQueueGetConfigReply(MsgBase):
    ....
            offset = ofproto.OFP_QUEUE_GET_CONFIG_REPLY_SIZE
            while offset + ofproto.OFP_PACKET_QUEUE_SIZE <= msg_len:
                queue = OFPPacketQueue.parser(msg.buf, offset)
                msg.queues.append(queue)
    
                offset += queue.len
    

In /ryu/ofproto/ofproto\_v1\_2\_parser.py about line=3187

    class OFPQueueGetConfigReply(MsgBase):
    ....
            length = ofproto.OFP_QUEUE_GET_CONFIG_REPLY_SIZE
            offset = ofproto.OFP_QUEUE_GET_CONFIG_REPLY_SIZE
            while length < msg.msg_len:
                queue = OFPPacketQueue.parser(msg.buf, offset)
                msg.queues.append(queue)
    
                offset += queue.len
                length += queue.len
    

In /ryu/ofproto/ofproto\_v1\_4\_parser.py about line=5763

    class OFPBundleCtrlMsg(MsgBase):
    ....
            msg.bundle_id = bundle_id
            msg.type = type_
            msg.flags = flags
            msg.properties = []
            rest = msg.buf[ofproto.OFP_BUNDLE_CTRL_MSG_SIZE:]
            while rest:
                p, rest = OFPBundleProp.parse(rest)
                msg.properties.append(p)
    

In /ryu/ofproto/ofproto\_v1\_5\_parser.py about line=6864

    class OFPBundleCtrlMsg(MsgBase):
    ....
            msg.bundle_id = bundle_id
            msg.type = type_
            msg.flags = flags
            msg.properties = []
            rest = msg.buf[ofproto.OFP_BUNDLE_CTRL_MSG_SIZE:]
            while rest:
                p, rest = OFPBundleProp.parse(rest)
                msg.properties.append(p)

CVE-2020-35141: Suggestion for OFPQueueGetConfigReply parser with queue.len=0 · Issue #118 · faucetsdn/ryu

An issue was discovered in freedesktop poppler version 20.12.1, allows remote attackers to cause a denial of service (DoS) via crafted .pdf file to FoFiType1C::convertToType1 function.

      299      } else {
        300          (*outputFunc)(outputStream, "256 array\n", 10);
        301          (*outputFunc)(outputStream, "0 1 255 {1 index exch /.notdef put} for\n", 40);
        302          enc = newEncoding ? newEncoding : (const char **)encoding;
        303          for (i = 0; i < 256; ++i) {
     →  304              if (enc[i]) { // enc == 0
        305                  buf = GooString::format("dup {0:d} /{1:s} put\n", i, enc[i]);
        306                  (*outputFunc)(outputStream, buf->c_str(), buf->getLength());
        307                  delete buf;
        308              }
        309          }
    

enc == 0 in line 304.

       0x7c6e5d <FoFiType1C::convertToType1(char+0> shr    rax, 0x3
         0x7c6e61 <FoFiType1C::convertToType1(char+0> cmp    BYTE PTR [rax+0x7fff8000], 0x0
         0x7c6e68 <FoFiType1C::convertToType1(char+0> jne    0x7c9bfe <FoFiType1C::convertToType1(char const*,  char const**,  bool,  void (*)(void*,  char const*,  int),  void*)+17710>
     →   0x7c6e6e <FoFiType1C::convertToType1(char+0> mov    rdx, QWORD PTR [r15]
         0x7c6e71 <FoFiType1C::convertToType1(char+0> test   rdx, rdx
         0x7c6e74 <FoFiType1C::convertToType1(char+0> je     0x7c6df8 <FoFiType1C::convertToType1(char const*,  char const**,  bool,  void (*)(void*,  char const*,  int),  void*)+5928>
         0x7c6e76 <FoFiType1C::convertToType1(char+0> mov    rax, QWORD PTR [rip+0x926943]        # 0x10ed7c0 <__afl_area_ptr>
         0x7c6e7d <FoFiType1C::convertToType1(char+0> add    BYTE PTR [rax+0x4f23], 0x1
         0x7c6e84 <FoFiType1C::convertToType1(char+0> mov    DWORD PTR fs:[r13+0x0], 0x245f
    
    
    gef➤  print $r15
    $7 = 0x0

    [#0] 0x7c6e6e → FoFiType1C::convertToType1(this=<optimized out>, psName=0x603000019360 "ERGTBC+#3ceoSansIntel", newEncoding=<optimized out>, ascii=<optimized out>, outputFunc=<optimized out>, outputStream=<optimized out>)
    [#1] 0x6346ca → PSOutputDev::setupEmbeddedType1CFont(this=0x619000000f80, font=<optimized out>, id=<optimized out>, psName=<optimized out>)
    [#2] 0x629553 → PSOutputDev::setupFont(this=0x619000000f80, font=<optimized out>, parentResDict=<optimized out>)
    [#3] 0x62630c → PSOutputDev::setupFonts(this=<optimized out>, resDict=0x6070000020f0)
    [#4] 0x622f01 → PSOutputDev::setupResources(this=0x619000000f80, resDict=0x6070000020f0)
    [#5] 0x61da18 → PSOutputDev::writeDocSetup(this=0x619000000f80, catalog=<optimized out>, pageList=<optimized out>, duplexA=<optimized out>)
    [#6] 0x6195db → PSOutputDev::postInit(this=0x619000000f80)
    [#7] 0x6406e9 → PSOutputDev::checkPageSlice(this=<optimized out>, page=<optimized out>, rotateA=<optimized out>, useMediaBox=<optimized out>, crop=0x1, sliceX=<optimized out>, sliceY=<optimized out>, sliceW=<optimized out>, sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>)
    [#8] 0xa31aad → Page::displaySlice(this=<optimized out>, out=0x619000000f80, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=<optimized out>, crop=<optimized out>, sliceX=<optimized out>, sliceY=<optimized out>, sliceW=<optimized out>, sliceH=<optimized out>, printing=<optimized out>, abortCheckCbk=<optimized out>, abortCheckCbkData=<optimized out>, annotDisplayDecideCbk=<optimized out>, annotDisplayDecideCbkData=<optimized out>, copyXRef=<optimized out>)
    [#9] 0xa31944 → Page::display(this=0x61a0000006a0, out=0x14, hDPI=1.5817496953307363e-153, vDPI=9.041152192150418e+271, rotate=0x0, useMediaBox=0x0, crop=0x0, printing=<optimized out>, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=<optimized out>)

CVE-2020-36024: NULL-Pointer Deference in `FoFiType1C::convertToType1` (#1016) · Issues · poppler / poppler · GitLab

An issue was discovered in freedesktop poppler version 20.12.1, allows remote attackers to cause a denial of service (DoS) via crafted .pdf file to FoFiType1C::cvtGlyph function.

    ==107470==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc5f160fd8 (pc 0x0000004ded5c bp 0x7ffc5f161850 sp 0x7ffc5f160fe0 T0)
        #0 0x4ded5b in __asan_memcpy (/src/poppler_test/build/utils/pdftops+0x4ded5b)
        #1 0x817158 in FoFiType1C::getOp(int, bool, bool*) /src/poppler_test/fofi/FoFiType1C.cc:2620:21
        #2 0x8077bd in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc:1141:15
        #3 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #4 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #5 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #6 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #7 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #8 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #9 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #10 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #11 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #12 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #13 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #14 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #15 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #16 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #17 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #18 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #19 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #20 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #21 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #22 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #23 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #24 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #25 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #26 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #27 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #28 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #29 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #30 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #31 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #32 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #33 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #34 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #35 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #36 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #37 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #38 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #39 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #40 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #41 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
        #42 0x80ad8d in FoFiType1C::cvtGlyph(int, int, GooString*, Type1CIndex const*, Type1CPrivateDict const*, bool) /src/poppler_test/fofi/FoFiType1C.cc
    ...
    ...

This cause segmentation fault without ASAN.

CVE-2020-36023: Stack-Overflow in `FoFiType1C::cvtGlyph` results in Segmentation Fault (#1013) · Issues · poppler / poppler · GitLab

An issue was discovered in decode_frame in libavcodec/tiff.c in FFmpeg version 4.3, allows remote attackers to cause a denial of service (DoS).

**\[FFmpeg-devel\] \[PATCH 7/7\] avcodec/tiff: Disallow striped and tiled tiffs except for DNG****Michael Niedermayer** michael at niedermayer.cc  
_Fri Nov 6 01:11:10 EET 2020_

*   Previous message (by thread): \[FFmpeg-devel\] \[PATCH 6/7\] avcodec/h264idct\_template: Fix integer overflow in ff\_h264\_chroma422\_dc\_dequant\_idct()
*   Next message (by thread): \[FFmpeg-devel\] \[PATCH\] Moves yuv2yuvX\_sse3 to yasm, unrolls main loop and other small optimizations for ~20% speedup.
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

strips + tiles is not allowed in TIFF
DNG uses a separate codepath

Regression since da5b3d002862d1e105002a6dc1567e6551860896.

Fixes: NULL pointer dereference
Fixes: poc1

Found-by: 1vanChen of NSFOCUS Security Team
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc\>
---
 libavcodec/tiff.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 2e45464218..00f0c0ccf7 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -1923,14 +1923,17 @@ again:
     has\_strip\_bits = s->strippos || s->strips || s->stripoff || s->rps || s->sot || s->sstype || s->stripsize || s->stripsizesoff;
 
     if (has\_tile\_bits && has\_strip\_bits) {
-        av\_log(avctx, AV\_LOG\_WARNING, "Tiled TIFF is not allowed to strip\\n");
+        int tiled\_dng = s->is\_tiled && is\_dng;
+        av\_log(avctx, tiled\_dng ? AV\_LOG\_WARNING : AV\_LOG\_ERROR, "Tiled TIFF is not allowed to strip\\n");
+        if (!tiled\_dng)
+            return AVERROR\_INVALIDDATA;
     }
 
     /\* now we have the data and may start decoding \*/
     if ((ret = init\_image(s, &frame)) < 0)
         return ret;
 
-    if (!s->is\_tiled) {
+    if (!s->is\_tiled || has\_strip\_bits) {
         if (s->strips == 1 && !s->stripsize) {
             av\_log(avctx, AV\_LOG\_WARNING, "Image data size missing\\n");
             s->stripsize = avpkt->size - s->stripoff;
-- 
2.17.1

*   Previous message (by thread): \[FFmpeg-devel\] \[PATCH 6/7\] avcodec/h264idct\_template: Fix integer overflow in ff\_h264\_chroma422\_dc\_dequant\_idct()
*   Next message (by thread): \[FFmpeg-devel\] \[PATCH\] Moves yuv2yuvX\_sse3 to yasm, unrolls main loop and other small optimizations for ~20% speedup.
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the ffmpeg-devel mailing list

CVE-2020-36138: Disallow striped and tiled tiffs except for DNG

Integer overflow vulnerability in av_timecode_make_string in libavutil/timecode.c in FFmpeg version 4.3.2, allows local attackers to cause a denial of service (DoS) via crafted .mov file.

author

Michael Niedermayer <michael@niedermayer.cc>

Mon, 1 Mar 2021 12:44:12 +0000 (13:44 +0100)

committer

Michael Niedermayer <michael@niedermayer.cc>

Sun, 14 Mar 2021 22:29:51 +0000 (23:29 +0100)

Fixes: Integer overflow and division by 0  
Fixes: poc-202102-div.mov

Found-by: 1vanChen of NSFOCUS Security Team  
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

  

index b1b504edbf601d8cd59effa71b2edf97791aa0e6..2fc3295e25dedc328a2943673b7c8734570516c1 100644 (file)  

@@ \-114,8 +114,8 @@ char \*av\_timecode\_make\_string(const AVTimecode \*tc, char \*buf, int framenum)

     }

     ff = framenum % fps;

     ss = framenum / fps        % 60;

\-    mm = framenum / (fps\*60)   % 60;

\-    hh = framenum / (fps\*3600);

+    mm = framenum / (fps\*60LL) % 60;

+    hh = framenum / (fps\*3600LL);

     if (tc->flags & AV\_TIMECODE\_FLAG\_24HOURSMAX)

         hh = hh % 24;

     snprintf(buf, AV\_TIMECODE\_STR\_SIZE, "%s%02d:%02d:%02d%c%02d",

CVE-2021-28429: git.ffmpeg.org Git - ffmpeg.git/commitdiff

Ubuntu Security Notice 6278-2 - USN-6278-1 fixed several vulnerabilities in .NET. This update provides the corresponding updates for Ubuntu 22.04 LTS. It was discovered that .NET did properly handle the execution of certain commands. An attacker could possibly use this issue to achieve remote code execution.

==========================================================================  
Ubuntu Security Notice USN-6278-2  
August 10, 2023

dotnet6, dotnet7 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in .NET.

Software Description:  
- dotnet6: dotNET CLI tools and runtime  
- dotnet7: dotNET CLI tools and runtime

Details:

USN-6278-1 fixed several vulnerabilities in .NET. This update  
provides the corresponding updates for Ubuntu 22.04 LTS.

Original advisory details:

   It was discovered that .NET did properly handle the execution of  
   certain commands. An attacker could possibly use this issue to  
   achieve remote code execution. (CVE-2023-35390)

   Benoit Foucher discovered that .NET did not properly implement the  
   QUIC stream limit in HTTP/3. An attacker could possibly use this  
   issue to cause a denial of service. (CVE-2023-38178)

   It was discovered that .NET did not properly handle the disconnection  
   of potentially malicious clients interfacing with a Kestrel server. An  
   attacker could possibly use this issue to cause a denial of service.  
   (CVE-2023-38180)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
    aspnetcore-runtime-6.0           6.0.121-0ubuntu1~22.04.1  
    aspnetcore-runtime-7.0           7.0.110-0ubuntu1~22.04.1  
    dotnet-host 6.0.121-0ubuntu1~22.04.1  
    dotnet-host-7.0                       7.0.110-0ubuntu1~22.04.1  
    dotnet-hostfxr-6.0                   6.0.121-0ubuntu1~22.04.1  
    dotnet-hostfxr-7.0                   7.0.110-0ubuntu1~22.04.1  
    dotnet-runtime-6.0                  6.0.121-0ubuntu1~22.04.1  
    dotnet-runtime-7.0                  7.0.110-0ubuntu1~22.04.1  
    dotnet-sdk-6.0                        6.0.121-0ubuntu1~22.04.1  
    dotnet-sdk-7.0                        7.0.110-0ubuntu1~22.04.1  
    dotnet6 6.0.121-0ubuntu1~22.04.1  
    dotnet7 7.0.110-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:  
    https://ubuntu.com/security/notices/USN-6278-2  
    https://ubuntu.com/security/notices/USN-6278-1  
    CVE-2023-35390, CVE-2023-38178, CVE-2023-38180

Package Information:  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.121-0ubuntu1~22.04.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.110-0ubuntu1~22.04.1

Ubuntu Security Notice USN-6278-2

A set of 15 high-severity security flaws have been disclosed in the CODESYS V3 software development kit (SDK) that could result in remote code execution and denial-of-service under specific conditions, posing risks to operational technology (OT) environments.
The flaws, tracked from CVE-2022-47379 through CVE-2022-47393 and dubbed CoDe16, carry a CVSS score of 8.8 with the exception of

Operational Technology / Vulnerability

A set of 15 high-severity security flaws have been disclosed in the CODESYS V3 software development kit (SDK) that could result in remote code execution and denial-of-service under specific conditions, posing risks to operational technology (OT) environments.

The flaws, tracked from CVE-2022-47379 through CVE-2022-47393 and dubbed CoDe16, carry a CVSS score of 8.8 with the exception of CVE-2022-47391, which has a severity rating of 7.5. Twelve of the flaws are buffer overflow vulnerabilities.

"Exploitation of the discovered vulnerabilities, which affect all versions of CODESYS V3 prior to version 3.5.19.0, could put operational technology (OT) infrastructure at risk of attacks, such as remote code execution (RCE) and denial-of-service (DoS)," Vladimir Tokarev of the Microsoft Threat Intelligence Community said in a report.

While a successful weaponization of the flaws requires user authentication as well as an in-depth knowledge of the proprietary protocol of CODESYS V3, the issues could have serious impacts that could result in shutdowns and malicious tampering of critical automation processes.

The remote code execution bugs, in particular, could be abused to backdoor OT devices and interfere with the functioning of programmable logic controllers (PLCs) in a manner that could pave the way for information theft.

"Exploiting the vulnerabilities requires user authentication as well as bypassing the Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) used by both the PLCs," Tokarev explained.

To get past the user authentication barrier, a known vulnerability (CVE-2019-9013, CVSS score: 8.8) is used to steal credentials by means of a replay attack against the PLC, followed by leveraging the flaws to trigger a buffer overflow and gain control of the device.

Patches for the flaws were released in April 2023. A brief description of the issues is as follows -

*   **CVE-2022-47379** - After successful authentication, specific crafted communication requests can cause the CmpApp component to write attacker-controlled data to memory, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

*   **CVE-2022-47380 and CVE-2022-47381** - After successful authentication, specific crafted communication requests can cause the CmpApp component to write attacker-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

*   **CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, and CVE-2022-47390** - After successful authentication, specific crafted communication requests can cause the CmpTraceMgr component to write attacker-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

*   **CVE-2022-47385** - After successful authentication, specific crafted communication requests can cause the CmpAppForce component to write attacker-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

*   **CVE-2022-47391** - Crafted communication requests can cause the affected products to read internally from an invalid address, potentially leading to a denial-of-service condition.

*   **CVE-2022-47392** - After successful authentication, specific crafted communication requests with inconsistent content can cause the CmpApp/CmpAppBP/CmpAppForce components to read internally from an invalid address, potentially leading to a denial-of-service condition.

*   **CVE-2022-47393** - After successful authentication, specific crafted communication requests can cause the CmpFiletransfer component to dereference addresses provided by the request for internal read access, which can lead to a denial-of-service situation.

"With CODESYS being used by many vendors, one vulnerability may affect many sectors, device types, and verticals, let alone multiple vulnerabilities," Tokarev said.

"Threat actors could launch a DoS attack against a device using a vulnerable version of CODESYS to shut down industrial operations or exploit the RCE vulnerabilities to deploy a backdoor to steal sensitive data, tamper with operations, or force a PLC to operate in a dangerous way."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

15 New CODESYS SDK Flaws Expose OT Environments to Remote Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched security flaw in Microsoft's .NET and Visual Studio products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Tracked as CVE-2023-38180 (CVSS score: 7.5), the high-severity flaw relates to a case denial-of-service (DoS) impacting .NET and Visual Studio.
It

Endpoint Security / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched security flaw in Microsoft's .NET and Visual Studio products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Tracked as CVE-2023-38180 (CVSS score: 7.5), the high-severity flaw relates to a case denial-of-service (DoS) impacting .NET and Visual Studio.

It was addressed by Microsoft as part of its August 2023 Patch Tuesday updates shipped earlier this week, tagging it with an "Exploitation More Likely" assessment.

While exact details surrounding the nature of exploitation are unclear, the Windows maker has acknowledged the existence of a proof-of-concept (PoC) in its advisory. It also said that attacks leveraging the flaw can be pulled off without any additional privileges or user interaction.

"Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems," the company said. "The code or technique is not functional in all situations and may require substantial modification by a skilled attacker."

Affected versions of the software include ASP.NET Core 2.1, .NET 6.0, .NET 7.0, Microsoft Visual Studio 2022 version 17.2, Microsoft Visual Studio 2022 version 17.4, and Microsoft Visual Studio 2022 version 17.6.

To mitigate potential risks, CISA has recommended Federal Civilian Executive Branch (FCEB) agencies to apply vendor-provided fixes for the vulnerability by August 30, 2023.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CISA Adds Microsoft .NET Vulnerability to KEV Catalog Due to Active Exploitation

Improper access control for some Intel(R) Arc(TM) graphics cards A770 and A750 sold between October of 2022 and December of 2022 may allow an authenticated user to potentially enable denial of service or infomation disclosure via local access.

Tag

#dos