By Habiba Rashid
Along with the websites of the central bank, Bankdata—a company that develops IT solutions for the financial industry—was also targeted by a DDoS attack.
This is a post from HackRead.com Read the original post: DDoS Attacks Hit Denmark Central Bank and 7 Private Banks

The official websites of Denmark‘s central bank and seven other private banks in the country were hit by a series of massive DDoS attacks on Tuesday, January 10th, 2022. The attacks caused them to be inaccessible to users, according to the central bank.

Along with the websites of the central bank, Bankdata—a company that develops IT solutions for the financial industry—was also targeted by a DDoS attack.

**What is a DDoS attack?**

A DDoS attack, or Distributed Denial of Service attack, is a malicious cyberattack used to disrupt the availability of a service to its intended users. It’s an attack that attempts to make an online service unavailable by flooding it with an overwhelming amount of traffic from multiple sources.

DDoS attacks are often large-scale and can target web servers, networks, applications, and Internet-connected (IoT) devices. During DDoS attacks, attackers send a huge volume of requests to the targeted resource in order to saturate its network bandwidth or resources.

This forces the server to slow down drastically or even crash completely, making it unavailable for legitimate users. The goal is usually either financial gain through ransom demands or simply disruption and destruction.

**Current Status**

As for the latest attack on Danish banks; a spokesperson for the central bank told Reuters that its website was working normally on Tuesday afternoon, and the attack did not impact the bank’s other systems or day-to-day operations.

Due to the DDoS attack on Bankdata, seven private banks’ websites were affected and could not be accessed, a company spokesperson said. The banks included two of Denmark’s largest, Jyske Bank and Sydbank, they said. 

Sydbank confirmed on its Facebook page that access to its website had been restricted on Tuesday. A Jyske spokesperson confirmed some customers had experienced problems accessing its website on Tuesday.

At the time of writing, all targeted websites, including the National Bank’s website, were restored and available online.

1.  Cloudflare Thwarted Largest Ever HTTPS DDoS Attack
2.  Iran’s Largest Steel Producer Hit By Crippling Cyberattack
3.  Microsoft Alert: DDoS Botnet Hit Private Minecraft Servers
4.  Killnet Hits European Parliament Website with DDoS Attack
5.  Mirai botnet resurfaces with MooBot variant; hits D-Link devices

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

DDoS Attacks Hit Denmark Central Bank and 7 Private Banks

NVIDIA BMC contains a vulnerability in IPMI handler, where an authorized attacker can cause a buffer overflow and cause a denial of service or gain code execution

**Details**

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE‑2022‑42271

NVIDIA baseboard management controller (BMC) contains a vulnerability in the Intelligent Platform Management Interface (IPMI) handler, where an attacker with the required privileges can cause a buffer overflow, which may lead to denial of service or code execution.

8.4

AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42272

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker with the required privileges can cause a buffer overflow, which may lead to code execution, denial of service, or escalation of privileges.

8.1

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42273

NVIDIA BMC contains a vulnerability in libwebsocket, where an attacker with the required privileges can cause a buffer overflow, which may lead to denial of service or code execution.

8.1

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE‑2022‑42274

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker with the required privileges can cause a buffer overflow, which may lead to denial of service or code execution.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42275

NVIDIA BMC contains a vulnerability in the IPMI handler, where an unauthenticated host is allowed to write to a host SPI flash, bypassing secure boot protections. An exploit of this vulnerability may lead to a loss of integrity or denial of service.

7.7

AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVE‑2022‑42276

NVIDIA DGX A100 server contains a vulnerability in SBIOS in the SmiFlash, where a local user with elevated privileges can read, write, and erase the flash, which may lead to code execution, escalation of privileges, denial of service, or information disclosure. The scope of the impact can extend to other components.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2022‑42277

NVIDIA DGX Station contains a vulnerability in SBIOS in the SmiFlash, where a local user with elevated privileges can read, write, and erase the flash, which may lead to code execution, escalation of privileges, denial of service, or information disclosure. The scope of the impact can extend to other components.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2022‑42278

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can read and write to arbitrary locations within the memory context of the IPMI server process, which may lead to code execution, denial of service, information disclosure, or data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42279

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, or data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42289

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, or data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42290

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, or data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42280

NVIDIA BMC contains a vulnerability in the SPX REST authorization handler, where an unauthorized attacker can exploit a path traversal, which may lead to escalation of privileges.

7.1

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE‑2022‑42281

NVIDIA DGX A100 contains a vulnerability in SBIOS in the FsRecovery, which may allow a highly privileged local attacker to cause an out-of-bounds write, which may lead to code execution, denial of service, loss of data integrity, or information disclosure.

6.7

AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42282

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can access arbitrary files, which may lead to information disclosure.

6.5

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE‑2022‑42283

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker with the required privileges can cause a buffer overflow, which may lead to denial of service or code execution.

6.4

AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42284

NVIDIA BMC stores user passwords in an obfuscated form in a database accessible by the host, which may lead to exposure of user credentials.

6.2

AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE‑2022‑42285

DGX A100 SBIOS contains a vulnerability in the Pre-EFI Initialization (PEI) phase, where a privileged user can disable SPI flash protection, which may lead to denial of service, escalation of privileges, or data tampering.

6.0

AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVE‑2022‑42286

DGX A100 SBIOS contains a vulnerability in Bds, which may lead to code execution, denial of service, or escalation of privileges.

6.0

AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVE‑2022‑42287

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker can upload and download arbitrary files under certain circumstances, which may lead to denial of service, escalation of privileges, information disclosure, or data tampering.

6.0

AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CVE‑2022‑42288

NVIDIA BMC contains a vulnerability in the IPMI handler, where an unauthorized attacker can use certain oracles to guess a valid BMC username, which may lead to information disclosure.

5.3

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

**Security Updates**

The following table lists the NVIDIA systems affected, firmware versions affected, and the updated version that includes this security update. To protect your system, download and install this firmware update through the NVIDIA Enterprise Support Portal.

**CVE IDs Addressed**

**Hardware Platform**

**System**

**Affected Versions**

**Updated Version**

CVE‑2022‑42276  
CVE‑2022‑42281  
CVE‑2022‑42285  
CVE‑2022‑42286

NVIDIA DGX servers

DGX A100

All SBIOS firmware versions prior to 1.18

SBIOS Firmware 1.18

CVE‑2022‑42271  
CVE‑2022‑42272  
CVE‑2022‑42273  
CVE‑2022‑42274  
CVE‑2022‑42275  
CVE‑2022‑42278  
CVE‑2022‑42279  
CVE‑2022‑42280  
CVE‑2022‑42282  
CVE‑2022‑42283  
CVE‑2022‑42284  
CVE‑2022‑42287  
CVE‑2022‑42288  
CVE‑2022‑42289  
CVE‑2022‑42290

NVIDIA DGX servers

DGX A100

All BMC firmware versions prior to 00.19.07

BMC Firmware 00.19.07

CVE‑2022‑42277

NVIDIA DGX servers

DGX Station A100

All SBIOS firmware versions prior to 10.16

SBIOS Firmware 10.16

**Notes:**

*   To get the updated firmware and SBIOS version listed in the table above, upgrade to the NVIDIA DGX A100 firmware container 22.12.1, or NVIDIA DGX Station A100 firmware container 22.2.1. Firmware updates are available through the NVIDIA Enterprise Support Portal.
    
*   See Security Updates for the version to install.
    
*   NVIDIA recommends that all BMC ports be restricted to a dedicated management network with firewall protection. If remote access to the BMC is required, such as for a system hosted at a co-location provider, the BMC should be accessed through a secure method that provides isolation from the Internet, such as through a VPN server.
    

**Acknowledgements**

All the vulnerabilities addressed in this bulletin were discovered by the NVIDIA Offensive Security Research (OSR) team.

**Additional Information**

AMI has reported potential security vulnerabilities in some AMI MegaRAC SP-X Baseboard Management Controllers that may allow user enumeration, unauthorized access, or arbitrary code execution. The NVIDIA DGX A100 BMC is affected by the following AMI vulnerabilities and plans to release an update to address them in May 2023.

*   CVE‑2022‑40259: AMI MegaRAC Redfish Arbitrary Code Execution
*   CVE‑2022‑40242: MegaRAC Default Credentials Vulnerability
*   CVE‑2022‑2827: AMI MegaRAC User Enumeration Vulnerability

The NVIDIA DGX-1, DGX-2, DGX Station A100 and DGX Station systems are not vulnerable to these CVEs.

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

2.0

January 10, 2023

Added CVE IDs omitted from the Security Updates table

1.0

December 19, 2022

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2022-42271: NVIDIA DGX A100 Server and DGX Station A100 - December 2022

usb device bluetooth class includes a buffer overflow related to implementation of net_buf_add_mem.

**Impact**

Unfortunately it looks like that the usb device bluetooth class includes a buffer overflow related to implementation of net\_buf\_add\_mem. An attacker may interactively write arbitrary amounts of data utilizing the usb hci out endpoint which will be copied to the destination bypassing buffer boundaries resulting in an overflow. Depending on actual implementation this may result in denial of service, security feature bypass or in worst case scenario execution of arbitrary code.

When a Zephyr-powered usb bluetooth device changes status to either configured or resumed the acl\_read\_cb function will be called as implemented in bluetooth\_status\_cb (subsys/usb/class/bluetooth.c).

    static void bluetooth_status_cb(struct usb_cfg_data *cfg,
    enum usb_dc_status_code status,
    const uint8_t *param)
    {
    ARG_UNUSED(cfg);
    
    /* Check the USB status and do needed action if required */
    switch (status) { 
    ... 
     case USB_DC_CONFIGURED:
    LOG_DBG("Device configured");
    if (!configured) {
    configured = true;
    /* Start reading */
    acl_read_cb(bluetooth_ep_data[HCI_OUT_EP_IDX].ep_addr,
       0, NULL);
    }
    break 
     ...
     case USB_DC_RESUME:
    LOG_DBG("Device resumed");
    if (suspended) {
    LOG_DBG("from suspend");
    suspended = false;
    if (configured) {
    /* Start reading */
    acl_read_cb(bluetooth_ep_data[HCI_OUT_EP_IDX].ep_addr,
       0, NULL);
    }
    } else {
    LOG_DBG("Spurious resume event");
    }
    break; 
    

Since initially provided size equals to zero in during execution of acl\_read\_cb up to USB\_MAX\_FS\_BULK\_MPS bytes will be read from the HCI OUT endpoint.

    static void acl_read_cb(uint8_t ep, int size, void *priv)
    {
    static struct net_buf *buf;
    static uint16_t pkt_len;
    uint8_t *data = ep_out_buf;
    if (size == 0) {
    goto restart_out_transfer;
    }
    ...
    restart_out_transfer:
    usb_transfer(bluetooth_ep_data[HCI_OUT_EP_IDX].ep_addr, ep_out_buf,
        sizeof(ep_out_buf), USB_TRANS_READ | USB_TRANS_NO_ZLP,
        acl_read_cb, NULL);
    }
    

During next callback of acl\_read\_cb size is up to USB\_MAX\_FS\_BULK\_MPS bytes, buf is null so a buffer buf will be allocated in either BT\_BUF\_H4 or BT\_BUF\_ACL\_OUT pool (depending on used mode) by bt\_buf\_get\_tx. Next pkt\_len is determined by analysing the read data by hci\_pkt\_get\_len.

     if (buf == NULL) {
    /*
    * Obtain the first chunk and determine the length
    * of the HCI packet.
    */
    if (IS_ENABLED(CONFIG_USB_DEVICE_BLUETOOTH_VS_H4) &&
       bt_hci_raw_get_mode() == BT_HCI_RAW_MODE_H4) {
    buf = bt_buf_get_tx(BT_BUF_H4, K_FOREVER, data, size);
    pkt_len = hci_pkt_get_len(buf, &data[1], size - 1);
    LOG_DBG("pkt_len %u, chunk %u", pkt_len, size);
    } else {
    buf = bt_buf_get_tx(BT_BUF_ACL_OUT, K_FOREVER, data, size);
    pkt_len = hci_pkt_get_len(buf, data, size);
    LOG_DBG("pkt_len %u, chunk %u", pkt_len, size);
    }
    

The provided payload needs to be crafted in such a manner that pkt\_len != 0 && pkt\_len != buf->len. This way the buffer will not be unreferenced or put in the rx\_queue. Another read of USB\_MAX\_FS\_BULK\_MPS from the host will be executed followed by acl\_read\_cb callback.

Since buf is not null this time a branch involving net\_buf\_add\_mem will be executed.

     if (buf == NULL) {
    /*
    * Obtain the first chunk and determine the length
    * of the HCI packet.
    */
    ...
    }
    if (pkt_len == 0) {
    LOG_ERR("Failed to get packet length");
    net_buf_unref(buf);
    buf = NULL;
    }
    } else {
    /*
    * Take over the next chunk if HCI packet is
    * larger than USB_MAX_FS_BULK_MPS.
    */
    net_buf_add_mem(buf, data, size);
    LOG_DBG("len %u, chunk %u", buf->len, size);
    }
    
    net_buf_add_mem relies on net_buf_simple_add_mem.
    
    static inline void *net_buf_add_mem(struct net_buf *buf, const void *mem, size_t len)
    {
            return net_buf_simple_add_mem(&buf->b, mem, len);
    }
    

net\_buf\_simple\_add\_mem copies len bytes of data from mem to the address returned by net\_buf\_simple add. In this case mem points to ep\_out\_buf containing data read over usb, len equals to the number of bytes read.

    void *net_buf_simple_add_mem(struct net_buf_simple *buf, const void *mem, size_t len)
    {
            NET_BUF_SIMPLE_DBG("buf %p len %zu", buf, len);
            return memcpy(net_buf_simple_add(buf, len), mem, len);
    }
    

net\_buf\_simple\_add does not assure that enough room is available in the buffer, it only increments buf->len by provided len and returns the original buffer tail.

    void *net_buf_simple_add(struct net_buf_simple *buf, size_t len)
    {
            uint8_t *tail = net_buf_simple_tail(buf);
            NET_BUF_SIMPLE_DBG("buf %p len %zu", buf, len);
            __ASSERT_NO_MSG(net_buf_simple_tailroom(buf) >= len);
            buf->len += len;
            return tail;
    }
    

After execution flow returns to acl\_read\_cb the buffer won't be put into rx\_queue as pkt\_len != buf->len and another usb read will be performed. The cycle of calls of usb reads followed by net\_buf\_add\_mem calls can be executed for an arbitrary number of times (until zero bytes are read) allowing a large buffer overflow.

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in zephyr
*   Email us at Zephyr-vulnerabilities

embargo: 2022-02-12

CVE-2021-3966: Usb bluetooth device ACL read cb buffer overflow

A buffer overflow vulnerability in the parameter of web server in Zyxel Nebula NR7101 firmware prior to V1.15(ACCC.3)C0, which could allow an authenticated attacker to cause denial-of-service (DoS) conditions by sending a crafted authorization request.

**CVE: CVE-2022-43389, CVE-2022-43390, CVE-2022-43391, CVE-2022-43392****Summary**

Zyxel is aware of multiple vulnerabilities reported by Positive Technologies and advises users to install the applicable firmware updates for optimal protection.

**What are the vulnerabilities?**

CVE-2022-43389

A buffer overflow vulnerability in the library of the web server in some 5G NR/4G LTE CPE devices, which could allow a remote unauthenticated attacker to execute some OS commands or to cause denial-of-service (DoS) conditions on a vulnerable device. Note that the WAN access is disabled by default on most devices.

CVE-2022-43390

A command injection vulnerability in the CGI program of some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, and WiFi extender devices, which could allow a remote authenticated attacker to execute some OS commands on a vulnerable device by sending a crafted HTTP request. Note that the WAN access is disabled by default on most devices.

CVE-2022-43391

A buffer overflow vulnerability in the parameter of the CGI program in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, and WiFi extender devices, which could allow a remote authenticated attacker to cause DoS conditions by sending a crafted HTTP request. Note that the WAN access is disabled by default on most devices.

CVE-2022-43392

A buffer overflow vulnerability in the parameter of web server in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, and WiFi extender devices, which could allow a remote authenticated attacker to cause DoS conditions by sending a crafted authorization request. Note that the WAN access is disabled by default on most devices.

**What versions are vulnerable—and what should you do?**

After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period and released updates to address the vulnerabilities, as shown in the following tables.

Product

Affected model

Patch availability\*

5G NR/4G LTE CPE

LTE3202-M437

V1.00(ABWF.1)C0

LTE3316-M604

V2.00(ABMP.6)C0

LTE7480-M804

V1.00(ABRA.6)C0

LTE7490-M904

V1.00(ABQY.5)C0

Nebula FWA510

V1.15(ACGD.3)C0

Nebula FWA710

V1.15(ACGC.3)C0

Nebula NR7101

V1.15(ACCC.3)C0

NR5103

V4.19(ABYC.3)C0

NR5103E

Hotfix available now  
Standard firmware V1.00(ACDJ.0)C0 in Apr. 2023

NR7101

V1.00(ABUV.7)C0

NR7102

V1.00(ABYD.2)C0

NR7103

V1.00(ACCZ.1)C0

Fiber ONT

EP240P

Hotfix available now  
Standard firmware TBD

PM7320-B0

Hotfix available now  
Standard firmware TBD

PMG5317-T20B

Hotfix available now  
Standard firmware TBD

PMG5617GA

Hotfix available now  
Standard firmware TBD

PMG5622GA

Hotfix available now  
Standard firmware TBD

Product

Affected model

Patch availability\*

5G NR/4G LTE CPE

LTE7480-M804

V1.00(ABRA.6)C0

LTE7490-M904

V1.00(ABQY.5)C0

Nebula NR5101

V1.15(ACCG.3)C0

Nebula NR7101

V1.15(ACCC.3)C0

NR5101

V1.00(ABVC.6)C0

NR7101

V1.00(ABUV.7)C0

NR7102

V1.00(ABYD.2)C0

DSL/Ethernet CPE

DX3301-T0

Hotfix available now  
Standard firmware V5.50(ABVY.3.4)C0 in Feb. 2023

DX4510-B1

Hotfix available now  
Standard firmware V5.17(ABYL.5)C0 in Jun. 2023

DX5401-B0

Hotfix available now  
Standard firmware V5.17(ABYO.3.1)C0 in Feb. 2023

EMG3525-T50B

Hotfix available now  
Standard firmware V5.50(ABPM.7.3)C0 in Feb. 2023

EMG5523-T50B

Hotfix available now  
Standard firmware V5.50(ABPM.7.3)C0 in Feb. 2023

EMG5723-T50K

Hotfix available now  
Standard firmware V5.50(ABOM.8.2)C0 in Feb. 2023

EX3301-T0

Hotfix available now  
Standard firmware V5.50(ABVY.3.4)C0 in Feb. 2023

EX3510-B0

V5.17(ABUP.7)C0

EX5401-B0

Hotfix available now  
Standard firmware V5.17(ABYO.3.1)C0 in Feb. 2023

EX5501-B0

Hotfix available now  
Standard firmware V5.17(ABRY.3.2)C0 in Feb. 2023

EX5510-B0

V5.17(ABQX.7)C0

EX5512-T0

Hotfix available now  
Standard firmware TBD

EX5600-T1

Hotfix available now  
Standard firmware V5.70(ACDZ.0.1)C0 in Feb. 2023

EX5601-T0

Hotfix available now  
Standard firmware V5.70(ACDZ.0.1)C0 in Feb. 2023

EX5601-T1

Hotfix available now  
Standard firmware V5.70(ACDZ.0.1)C0 in Feb. 2023

VMG3927-T50K

Hotfix available now  
Standard firmware V5.50(ABOM.8.2)C0 in Feb. 2023

VMG4005-B50A

Hotfix available now  
Standard firmware V5.17(ABQA.2)C0 in Feb. 2023

VMG4005-B60A

Hotfix available now  
Standard firmware V5.17(ABQA.2)C0 in Feb. 2023

VMG8623-T50B

Hotfix available now  
Standard firmware V5.50(ABPM.7.3)C0 in Feb. 2023

VMG8825-T50K

Hotfix available now  
Standard firmware V5.50(ABOM.8.2)C0 in Feb. 2023

Fiber ONT

AX7501-B0

Hotfix available now  
Standard firmware V5.17(ABPC.3)C0 in Feb. 2023

PM3100-T0

Hotfix available now  
Standard firmware V5.42(ACBF.1.1)C0 in Feb. 2023

PM5100-T0

Hotfix available now  
Standard firmware V5.42(ACBF.1.1)C0 in Feb. 2023

PM7300-T0

Hotfix available now  
Standard firmware V5.42(ABYY.1)C0 in Feb. 2023

PM7320-B0

Hotfix available now  
Standard firmware TBD

PMG5317-T20B

Hotfix available now  
Standard firmware TBD

PMG5617-T20B2

Hotfix available now  
Standard firmware TBD

PMG5617GA

Hotfix available now  
Standard firmware TBD

PMG5622GA

Hotfix available now  
Standard firmware TBD

WiFi extender

WX3100-T0

Hotfix available now  
Standard firmware V5.50(ABVL.1.1)C0 in Feb. 2023

WX3401-B0

Hotfix available now  
Standard firmware V5.17(ABVE.2.1)C0 in Feb. 2023

WX5600-T0

Hotfix available now  
Standard firmware V5.70(ACEB.0.1)C0 in Feb. 2023

Product

Affected model

Patch availability\*

5G NR/4G LTE CPE

LTE3301-PLUS

Hotfix available now  
Standard firmware V1.00(ABQU.5)C0 in Feb. 2023

LTE5388-M804

Hotfix available now  
Standard firmware V1.00(ABSQ.4)C0 in Apr. 2023

LTE5398-M904

Hotfix available now  
Standard firmware V1.00(ABQV.3)C0 in Apr. 2023

LTE7240-M403

Hotfix available now  
Standard firmware V2.00(ABMG.6)C0 in May 2023

LTE7461-M602

Hotfix available now  
Standard firmware V2.00(ABQN.6)C0 in May 2023

LTE7480-M804

V1.00(ABRA.6)C0

LTE7480-S905

Hotfix available now  
Standard firmware V1.00(ABVN.6)C0 in May 2023

LTE7485-S905

Hotfix available now  
Standard firmware V2.00(ABQT.6)C0 in May 2023

LTE7490-M904

V1.00(ABQY.5)C0

Nebula LTE3301-PLUS

V1.15(ACCA.3)C0

Nebula LTE7461-M602

V1.15(ACEV.3)C0

Nebula NR5101

V1.15(ACCG.3)C0

Nebula NR7101

V1.15(ACCC.3)C0

NR5101

V1.00(ABVC.6)C0

NR7101

V1.00(ABUV.7)C0

NR7102

V1.00(ABYD.2)C0

DSL/Ethernet CPE

DX3301-T0

Hotfix available now  
Standard firmware V5.50(ABVY.3.4)C0 in Feb. 2023

DX4510-B1

Hotfix available now  
Standard firmware V5.17(ABYL.5)C0 in Jun. 2023

DX5401-B0

Hotfix available now  
Standard firmware V5.17(ABYO.3.1)C0 in Feb. 2023

EMG3525-T50B

Hotfix available now  
Standard firmware V5.50(ABPM.7.3)C0 in Feb. 2023

EMG5523-T50B

Hotfix available now  
Standard firmware V5.50(ABPM.7.3)C0 in Feb. 2023

EMG5723-T50K

Hotfix available now  
Standard firmware V5.50(ABOM.8.2)C0 in Feb. 2023

EX3301-T0

Hotfix available now  
Standard firmware V5.50(ABVY.3.4)C0 in Feb. 2023

EX3510-B0

V5.17(ABUP.7)C0

EX5401-B0

Hotfix available now  
Standard firmware V5.17(ABYO.3.1)C0 in Feb. 2023

EX5501-B0

Hotfix available now  
Standard firmware V5.17(ABRY.3.2)C0 in Feb. 2023

EX5510-B0

V5.17(ABQX.7)C0

EX5512-T0

Hotfix available now  
Standard firmware TBD

EX5600-T1

Hotfix available now  
Standard firmware V5.70(ACDZ.0.1)C0 in Feb. 2023

EX5601-T0

Hotfix available now  
Standard firmware V5.70(ACDZ.0.1)C0 in Feb. 2023

EX5601-T1

Hotfix available now  
Standard firmware V5.70(ACDZ.0.1)C0 in Feb. 2023

VMG3927-T50K

Hotfix available now  
Standard firmware V5.50(ABOM.8.2)C0 in Feb. 2023

VMG4005-B50A

Hotfix available now  
Standard firmware V5.17(ABQA.2)C0 in Feb. 2023

VMG4005-B60A

Hotfix available now  
Standard firmware V5.17(ABQA.2)C0 in Feb. 2023

VMG8623-T50B

Hotfix available now  
Standard firmware V5.50(ABPM.7.3)C0 in Feb. 2023

VMG8825-T50K

Hotfix available now  
Standard firmware V5.50(ABOM.8.2)C0 in Feb. 2023

Fiber ONT

AX7501-B0

Hotfix available now  
Standard firmware V5.17(ABPC.3)C0 in Feb. 2023

PM3100-T0

Hotfix available now  
Standard firmware V5.42(ACBF.1.1)C0 in Feb. 2023

PM5100-T0

Hotfix available now  
Standard firmware V5.42(ACBF.1.1)C0 in Feb. 2023

PM7300-T0

Hotfix available now  
Standard firmware V5.42(ABYY.1)C0 in Feb. 2023

PM7320-B0

Hotfix available now  
Standard firmware TBD

PMG5317-T20B

Hotfix available now  
Standard firmware TBD

PMG5617-T20B2

Hotfix available now  
Standard firmware TBD

PMG5617GA

Hotfix available now  
Standard firmware TBD

PMG5622GA

Hotfix available now  
Standard firmware TBD

WiFi extender

WX3100-T0

Hotfix available now  
Standard firmware V5.50(ABVL.1.1)C0 in Feb. 2023

WX3401-B0

Hotfix available now  
Standard firmware V5.17(ABVE.2.1)C0 in Feb. 2023

WX5600-T0

Hotfix available now  
Standard firmware V5.70(ACEB.0.1)C0 in Feb. 2023

Product

Affected model

Patch availability\*

5G NR/4G LTE CPE

LTE3301-PLUS

Hotfix available now  
Standard firmware V1.00(ABQU.5)C0 in Feb. 2023

LTE5388-M804

Hotfix available now  
Standard firmware V1.00(ABSQ.4)C0 in Apr. 2023

LTE5398-M904

Hotfix available now  
Standard firmware V1.00(ABQV.3)C0 in Apr. 2023

LTE7240-M403

Hotfix available now  
Standard firmware V2.00(ABMG.6)C0 in May 2023

LTE7461-M602

Hotfix available now  
Standard firmware V2.00(ABQN.6)C0 in May 2023

LTE7480-M804

V1.00(ABRA.6)C0

LTE7480-S905

Hotfix available now  
Standard firmware V1.00(ABVN.6)C0 in May 2023

LTE7485-S905

Hotfix available now  
Standard firmware V2.00(ABQT.6)C0 in May 2023

LTE7490-M904

V1.00(ABQY.5)C0

Nebula LTE3301-PLUS

V1.15(ACCA.3)C0

Nebula LTE7461-M602

V1.15(ACEV.3)C0

Nebula NR5101

V1.15(ACCG.3)C0

Nebula NR7101

V1.15(ACCC.3)C0

NR5101

V1.00(ABVC.6)C0

NR7101

V1.00(ABUV.7)C0

NR7102

V1.00(ABYD.2)C0

DSL/Ethernet CPE

DX3301-T0

Hotfix available now  
Standard firmware V5.50(ABVY.3.4)C0 in Feb. 2023

DX4510-B1

Hotfix available now  
Standard firmware V5.17(ABYL.5)C0 in Jun. 2023

DX5401-B0

Hotfix available now  
Standard firmware V5.17(ABYO.3.1)C0 in Feb. 2023

EMG3525-T50B

Hotfix available now  
Standard firmware V5.50(ABPM.7.3)C0 in Feb. 2023

EMG5523-T50B

Hotfix available now  
Standard firmware V5.50(ABPM.7.3)C0 in Feb. 2023

EMG5723-T50K

Hotfix available now  
Standard firmware V5.50(ABOM.8.2)C0 in Feb. 2023

EX3301-T0

Hotfix available now  
Standard firmware V5.50(ABVY.3.4)C0 in Feb. 2023

EX3510-B0

V5.17(ABUP.7)C0

EX5401-B0

Hotfix available now  
Standard firmware V5.17(ABYO.3.1)C0 in Feb. 2023

EX5501-B0

Hotfix available now  
Standard firmware V5.17(ABRY.3.2)C0 in Feb. 2023

EX5510-B0

V5.17(ABQX.7)C0

EX5512-T0

Hotfix available now  
Standard firmware TBD

EX5600-T1

Hotfix available now  
Standard firmware V5.70(ACDZ.0.1)C0 in Feb. 2023

EX5601-T0

Hotfix available now  
Standard firmware V5.70(ACDZ.0.1)C0 in Feb. 2023

EX5601-T1

Hotfix available now  
Standard firmware V5.70(ACDZ.0.1)C0 in Feb. 2023

VMG3927-T50K

Hotfix available now  
Standard firmware V5.50(ABOM.8.2)C0 in Feb. 2023

VMG4005-B50A

Hotfix available now  
Standard firmware V5.17(ABQA.2)C0 in Feb. 2023

VMG4005-B60A

Hotfix available now  
Standard firmware V5.17(ABQA.2)C0 in Feb. 2023

VMG8623-T50B

Hotfix available now  
Standard firmware V5.50(ABPM.7.3)C0 in Feb. 2023

VMG8825-T50K

Hotfix available now  
Standard firmware V5.50(ABOM.8.2)C0 in Feb. 2023

Fiber ONT

AX7501-B0

Hotfix available now  
Standard firmware V5.17(ABPC.3)C0 in Feb. 2023

PM3100-T0

Hotfix available now  
Standard firmware V5.42(ACBF.1.1)C0 in Feb. 2023

PM5100-T0

Hotfix available now  
Standard firmware V5.42(ACBF.1.1)C0 in Feb. 2023

PM7300-T0

Hotfix available now  
Standard firmware V5.42(ABYY.1)C0 in Feb. 2023

PM7320-B0

Hotfix available now  
Standard firmware TBD

PMG5317-T20B

Hotfix available now  
Standard firmware TBD

PMG5617-T20B2

Hotfix available now  
Standard firmware TBD

PMG5617GA

Hotfix available now  
Standard firmware TBD

PMG5622GA

Hotfix available now  
Standard firmware TBD

WiFi extender

WX3100-T0

Hotfix available now  
Standard firmware V5.50(ABVL.1.1)C0 in Feb. 2023

WX3401-B0

Hotfix available now  
Standard firmware V5.17(ABVE.2.1)C0 in Feb. 2023

WX5600-T0

Hotfix available now  
Standard firmware V5.70(ACEB.0.1)C0 in Feb. 2023

\*For the patch firmware without a download link, please reach out to your local Zyxel support team for the file.

Please note that the table does NOT include customized models for internet service providers (ISPs).

For ISPs, please contact your Zyxel sales or service representatives for further details.

For end-users who received your Zyxel device from an ISP, we recommend you reach out to the ISP’s support team directly, as the device may have custom-built settings.

For end-users who purchased the Zyxel devices on your own, please contact your local Zyxel support team for the new firmware file to ensure optimal protection, or visit our forum for further assistance.

**Got a question?**

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

**Acknowledgment**

Thanks to Positive Technologies for reporting the issues to us.

**Revision history**

2023-1-11: Initial release

CVE-2022-43392: Zyxel security advisory for command injection and buffer overflow vulnerabilities of CPE, fiber ONTs, and WiFi extenders | Zyxel Networks

An improper check for unusual or exceptional conditions in the HTTP request processing function of Zyxel GS1920-24v2 firmware prior to V4.70(ABMH.8)C0, which could allow an unauthenticated attacker to corrupt the contents of the memory and result in a denial-of-service (DoS) condition on a vulnerable device.

CVE: CVE-2022-43393

Summary

Zyxel has released patches for some switches affected by a denial-of-service (DoS) vulnerability. Users are advised to install them for optimal protection.

What is the vulnerability?

An improper check for unusual or exceptional conditions in the HTTP request processing function of some Zyxel switch versions could allow an attacker to corrupt the contents of the memory and result in a DoS condition on an affected device.

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable products that are within their vulnerability support period and released patches to address the vulnerability, as shown in the table below.

Since switches are mostly deployed in a local area network (LAN) environment, most potential DoS attacks can be reduced by firewalls or security gateways. Furthermore, for optimal protection, we suggest that users set more stringent management rules for remote access to their switches, such as by restricting HTTP or HTTPS requests to remotely access the device management interface or by limiting remote access by specific IP addresses.

Affected model

Affected version

Patch availability

GS1350-6HP

V4.70(ABPI.4)C0

V4.70(ABPI.5)C0

GS1350-12HP

V4.70(ABPJ.4)C0

V4.70(ABPJ.5)C0

GS1350-18HP

V4.70(ABPK.4)C0

V4.70(ABPK.5)C0

GS1350-26HP

V4.70(ABPL.4)C0

V4.70(ABPL.5)C0

GS1915-8

V4.70(ACAP.2)C0

V4.70(ACAP.3)C0

GS1915-8EP

V4.70(ACAQ.2)C0

V4.70(ACAQ.3)C0

GS1915-24E

V4.70(ACDR.2)C0

V4.70(ACDR.3)C0

GS1915-24EP

V4.70(ACDS.2)C0

V4.70(ACDS.3)C0

GS1920-24v2

V4.70(ABMH.7)C0

V4.70(ABMH.8)C0

GS1920-48v2

V4.70(ABMJ.7)C0

V4.70(ABMJ.8)C0

GS1920-24HPv2

V4.70(ABMI.7)C0

V4.70(ABMI.8)C0

GS1920-48HPv2

V4.70(ABMK.7)C0

V4.70(ABMK.8)C0

GS2220-10

V4.70(ABRO.5)C0

V4.70(ABRO.6)C0

GS2220-28

V4.70(ABRQ.5)C0

V4.70(ABRQ.6)C0

GS2220-50

V4.70(ABRS.5)C0

V4.70(ABRS.6)C0

GS2220-10HP

V4.70(ABRP.5)C0

V4.70(ABRP.6)C0

GS2220-28HP

V4.70(ABRR.5)C0

V4.70(ABRR.6)C0

GS2220-50HP

V4.70(ABRT.5)C0

V4.70(ABRT.6)C0

XGS1930-28

V4.70(ABHT.3)C0

V4.70(ABHT.5)C0

XGS1930-28HP

V4.70(ABHS.3)C0

V4.70(ABHS.5)C0

XGS1930-52

V4.70(ABHU.3)C0

V4.70(ABHU.5)C0

XGS1930-52HP

V4.70(ABHV.3)C0

V4.70(ABHV.5)C0

XS1930-10

V4.70(ABQE.5)C0

V4.80(ABQE.0)C0

XS1930-12HP

V4.70(ABQF.5)C0

V4.80(ABQF.0)C0

XS1930-12F

V4.70(ABZV.5)C0

V4.80(ABZV.0)C0

XGS2210-28

V4.70(AAZJ.1)C0

V4.70(AAZJ.2)C0

XGS2210-52

V4.70(AAZK.1)C0

V4.70(AAZK.2)C0

XGS2210-28HP

V4.70(AAZL.1)C0

V4.70(AAZL.2)C0

XGS2210-52HP

V4.70(AAZM.1)C0

V4.70(AAZM.2)C0

XGS2220-30

V4.80(ABXN.0)C0

V4.80(ABXN.1)C0

XGS2220-30HP

V4.80(ABXO.0)C0

V4.80(ABXO.1)C0

XGS2220-30F

V4.80(ABYE.0)C0

V4.80(ABYE.1)C0

XGS2220-54

V4.80(ABXP.0)C0

V4.80(ABXP.1)C0

XGS2220-54HP

V4.80(ABXQ.0)C0

V4.80(ABXQ.1)C0

XGS2220-54FP

V4.80(ACCE.0)C0

V4.80(ACCE.1)C0

XGS4600-32

V4.70(ABBH.3)C0

V4.70(ABBH.4)C0

XGS4600-32F

V4.70(ABBI.3)C0

V4.70(ABBI.4)C0

XGS4600-52F

V4.70(ABIK.3)C0

V4.70(ABIK.4)C0

XMG1930-30

V4.70(ACAR.0)

V4.80(ACAR.0)

XMG1930-30HP

V4.70(ACAS.0)

V4.80(ACAS.0)

XS3800-28

V4.80(ABML.0)C0

V4.80(ABML.1)C0

MGS3500-24S

4.10(ABBR.1)C0

4.10(ABBR.2)C0\*

MGS3520-28

4.10(AATN.4)C0

4.10(AATN.5)C0\*

MGS3520-28

4.10(ABQM.1)C0

4.10(ABQM.2)C0\*

MGS3520-28F

4.10(AATM.3)C0

4.10(AATM.4)C0\*

MGS3530-28

4.10(ACEM.1)C0

4.10(ACEM.2)C0\*

MGS3530-28

4.10(ACFJ.0)C0

4.10(ACFJ.1)C0\*

\*Please reach out to your local Zyxel support team for the file.

Got a question?

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

Acknowledgment

Thanks to Positive Technologies for reporting the issue to us.

Revision history

2023-1-11: Initial release.

**Have a question?**

We are always here to help!

Contact us

CVE-2022-43393: Zyxel security advisory for DoS vulnerability of switches | Zyxel Networks

# Microsoft Security Advisory CVE-2023-21538: .NET Denial of Service Vulnerability

## <a name="executive-summary"></a>Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A denial of service vulnerability exists in .NET 6.0 where a malicious client could cause a stack overflow which may result in a denial of service attack when an attacker sends an invalid request to an exposed endpoint.
## Discussion

Discussion for this issue can be found at https://github.com/dotnet/runtime/issues/80449

### <a name="mitigation-factors"></a>Mitigation factors

Microsoft has not identified any mitigating factors for this vulnerability.

## <a name="affected-software"></a>Affected software

* Any .NET 6.0 application running on .NET 6.0.12 or earlier.

If your application uses the following package versions, ensure you update to the latest version of .NET.

### <a name=".NET 6"></a>.NET 6

Package name | Affected version | Patched version
------------ | ---------------- | -------------------------
[Microsoft.NetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-arm)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-arm64)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-arm)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-arm64)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-x64)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-x64)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.osx-arm64)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.osx-x64)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm64)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x64)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x86)|>= 6.0.0, < 6.0.12|6.0.13

## Advisory FAQ

### <a name="how-affected"></a>How do I know if I am affected?

If you have a runtime or SDK with a version listed, or an affected package listed in [affected software](#affected-software), you're exposed to the vulnerability.

### <a name="how-fix"></a>How do I fix the issue?

* To fix the issue please install the latest version of .NET 6.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET  SDKs.
* If you have .NET Core 3.1 or greater installed, you can list the versions you have installed by running the `dotnet --info` command. You will see output like the following;
* If you are using one of the affected packages, please update to the patched version listed above. 

```
.NET Core SDK (reflecting any global.json):

 Version:   6.0.300
 Commit:    8473146e7d

Runtime Environment:

 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\6.0.300\

Host (useful for support):

  Version: 6.0.5
  Commit:  8473146e7d

.NET Core SDKs installed:

  6.0.300 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:

  Microsoft.AspNetCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download
```

* If you're using .NET 6.0, you should download and install Runtime 6.0.13 or SDK 6.0.113 (for Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/6.0.

.NET 6.0 and and .NET 7.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed [self-contained applications](https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd) targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

## Other Information

### Reporting Security Issues

If you have found a potential security issue in .NET 6.0 or .NET 7.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at <https://aka.ms/corebounty>.

### Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

### Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

### External Links

[CVE-2023-21538]( https://www.cve.org/CVERecord?id=CVE-2023-21538)

### Revisions

V1.0 (January 10, 2023): Advisory published.

_Version 1.0_

_Last Updated 2023-01-10_

**Microsoft Security Advisory CVE-2023-21538: .NET Denial of Service Vulnerability****Executive summary**

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A denial of service vulnerability exists in .NET 6.0 where a malicious client could cause a stack overflow which may result in a denial of service attack when an attacker sends an invalid request to an exposed endpoint.

**Discussion**

Discussion for this issue can be found at dotnet/runtime#80449

**Mitigation factors**

Microsoft has not identified any mitigating factors for this vulnerability.

**Affected software**

*   Any .NET 6.0 application running on .NET 6.0.12 or earlier.

If your application uses the following package versions, ensure you update to the latest version of .NET.

**.NET 6**

Package name

Affected version

Patched version

Microsoft.NetCore.App.Runtime.linux-arm

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.linux-arm64

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.linux-musl-arm

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.linux-musl-arm64

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.linux-musl-x64

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.linux-x64

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.osx-arm64

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.osx-x64

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.win-arm

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.win-arm64

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.win-x64

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.win-x86

\>= 6.0.0, < 6.0.12

6.0.13

**Advisory FAQ****How do I know if I am affected?**

If you have a runtime or SDK with a version listed, or an affected package listed in affected software, you're exposed to the vulnerability.

**How do I fix the issue?**

*   To fix the issue please install the latest version of .NET 6.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
*   If you have .NET Core 3.1 or greater installed, you can list the versions you have installed by running the dotnet --info command. You will see output like the following;
*   If you are using one of the affected packages, please update to the patched version listed above.

    .NET Core SDK (reflecting any global.json):
    
     Version:   6.0.300
     Commit:    8473146e7d
    
    Runtime Environment:
    
     OS Name:     Windows
     OS Version:  10.0.18363
     OS Platform: Windows
     RID:         win10-x64
     Base Path:   C:\Program Files\dotnet\sdk\6.0.300\
    
    Host (useful for support):
    
      Version: 6.0.5
      Commit:  8473146e7d
    
    .NET Core SDKs installed:
    
      6.0.300 [C:\Program Files\dotnet\sdk]
    
    .NET Core runtimes installed:
    
      Microsoft.AspNetCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
      Microsoft.NETCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
      Microsoft.WindowsDesktop.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
    
    To install additional .NET Core runtimes or SDKs:
      https://aka.ms/dotnet-download
    

*   If you're using .NET 6.0, you should download and install Runtime 6.0.13 or SDK 6.0.113 (for Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/6.0.

.NET 6.0 and and .NET 7.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

**Other Information****Reporting Security Issues**

If you have found a potential security issue in .NET 6.0 or .NET 7.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

**Support**

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

**Disclaimer**

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

**External Links**

CVE-2023-21538

**Revisions**

V1.0 (January 10, 2023): Advisory published.

_Version 1.0_

_Last Updated 2023-01-10_

**References**

*   GHSA-8f7f-vqg5-jrv9
*   https://nvd.nist.gov/vuln/detail/CVE-2023-21538

GHSA-8f7f-vqg5-jrv9: .NET Denial of Service Vulnerability

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability.

CVE-2023-21557

An out-of-bounds read in Organization Specific TLV was found in various versions of OpenvSwitch.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[<thread-prev\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 21 Dec 2022 12:10:03 +0100
From: Ilya Maximets <i.maximets@....org>
To: oss-security@...ts.openwall.com, ovs-announce@...nvswitch.org,
 ovs-discuss <ovs-discuss@...nvswitch.org>
Cc: i.maximets@....org, Aaron Conole <aconole@...hat.com>,
 Qian Chen <cq674350529@...il.com>, John Helmert III <ajak@...too.org>
Subject: Re: \[ADVISORY\] LLDP underflow while parsing malformed Auto Attach TLV
 (Open vSwitch)

On 12/20/22 22:39, Ilya Maximets wrote:
> Description
> ===========
> 
> Multiple versions of Open vSwitch are vulnerable to crafted LLDP
> packets causing denial of service, and data underflow attacks.
> Triggering the vulnerabilities requires LLDP processing to be enabled
> for a specific port.  Open vSwitch versions prior to 2.4.0 are not
> vulnerable.
> 
> The Common Vulnerabilities and Exposures project (cve.mitre.org)
> did not assign the identifier to this issue yet.  The identifier will
> be communicated separately.

Following CVE identifiers have been allocated for the issue (one per
TLV type since they can have a slightly different effect):

 - CVE-2022-4337 for Out-of-Bounds Read in Organization Specific TLV
 - CVE-2022-4338 for Integer Underflow in Organization Specific TLV

The fix referenced in this advisory covers both issues.

> This issue does not affect the \`lldpd'
> project, although they share a code base.  The issue is related to
> parsing the Auto Attach TLVs, which is specific to the Open vSwitch
> implementation.
> 
> 
> Mitigation
> ==========
> 
> For any version of Open vSwitch, preventing LLDP packets from reaching
> Open vSwitch mitigates the vulnerability.  We do not recommend
> attempting to mitigate the vulnerability this way because of the
> following difficulties:
> 
>     - Open vSwitch obtains packets before the iptables host firewall,
>       so ebtables on the Open vSwitch host cannot ordinarily block the
>       vulnerability.
> 
>     - If Open vSwitch is configured to receive and transmit LLDP
>       messages, the required functionality will need to be disabled
>       potentially disrupting the network.
> 
> We have found that Open vSwitch is subject to a denial of service, and
> possibly a remote code execution exploit when LLDP processing is enabled
> on an interface.  By default, interfaces are not configured to process
> LLDP messages.
> 
> 
> Fix
> ===
> 
> Patches to fix these vulnerabilities in Open vSwitch 2.13.x and newer are
> applied to the appropriate branches, and the original patch is located
> at:
> 
>    https://mail.openvswitch.org/pipermail/ovs-dev/2022-December/400596.html
> 
> Recommendation
> ==============
> 
> We recommend that users of Open vSwitch apply the respective patch, or
> upgrade to a known patched version of Open vSwitch.  These include:
> 
> \* 3.0.3
> \* 2.17.5
> \* 2.16.6
> \* 2.15.7
> \* 2.14.8
> \* 2.13.10
> 
> 
> Acknowledgments
> ===============
> 
> The Open vSwitch team wishes to thank the reporter:
> 
>   Qian Chen <cq674350529@...il.com>
> 

**Download attachment "**OpenPGP\_0xB9F7EC77C829BF96.asc**" of type "**application/pgp-keys**" (4740 bytes)**

**Download attachment "**OpenPGP\_signature**" of type "**application/pgp-signature**" (841 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-4337: security - Re: [ADVISORY] LLDP underflow while parsing malformed Auto Attach TLV (Open vSwitch)

Windows Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability.

CVE-2023-21757

Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability. This CVE ID is unique from CVE-2023-21677, CVE-2023-21758.

Tag

#dos