Insufficient access control vulnerability was discovered in the Crestron AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM level command prompt.

CVE-2022-34100: AirMedia Binary Hijack

09/09/22

More information

Threat:

The Lockheed Martin Red Team has discovered a vulnerability found in the AirMedia Windows Application, version 4.3.1.39, in which a low-privileged user can gain a SYSTEM level command prompt by pre-staging a file structure prior to the installation of a trusted service executable and change permissions on that file structure during a repair operation.

Identifier:

CVE-2022-34100

How is Crestron Affected:

Please update the AirMedia Deployable and Guest Application to version 5.5.1.87 to resolve this issue

CVE-2022-34101: AirMedia Rogue DLL

09/09/22

More information

Threat:

The Lockheed Martin Red Team has discovered a vulnerability found in the AirMedia Windows Application, version 4.3.1.39, in which a user can place a malicious DLL in a certain path to execute code and preform a privilege escalation attack.

Identifier:

CVE-2022-34101

How is Crestron Affected:

Please update the AirMedia Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.

CVE-2022-34102: AirMedia Command Prompt Hijack

09/09/22

More information

Threat:

The Lockheed Martin Red Team has discovered a vulnerability found in the AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM level command prompt.

Identifier:

CVE-2022-34102

How is Crestron Affected:

Please update the Air Media Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.

CVE-2022-22707: Lighttpd Denial-of-Service

05/17/22

More information

Threat:

Crestron is aware of an issue affecting lighttpd versions 1.4.46 through 1.4.63. Under certain non-default configurations, an attacker can perform a remote denial of service attack with a stack-based buffer overflow.

Identifier:

CVE-2022-22707

How is Crestron Affected:

Crestron devices are not affected because they do not utilize the vulnerable configurations.

CVE-2022-22965: Spring4Shell

03/31/22

More information

Threat:

This vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

How is Crestron Affected:

Crestron products do not make use of this framework and as such are not vulnerable.

Resources:

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement  
 

CVE-2022-23178: Web Interface Credentials in Cleartext

01/24/22

More information

Threat:

Crestron is aware of an issue discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. When the administrative web interface of the HDMI switcher is accessed unauthenticated, user credentials are disclosed that are valid to authenticate to the web interface. Specifically, aj.html sends a JSON document with uname and upassword fields.

Identifier:

CVE-2022-23178

How is Crestron Affected:

This vulnerability affects the following products:

*   HD-MD4x1-4K-E
*   HD-MD4x2-4K-E
*   HD-MD6x2-4K-E

Crestron recommends placing the devices on an isolated network.  
Note that the following (4KZ) models are NOT affected by this vulnerability and can be used in place of the affected products.

*   HD-MD4x1-4KZ-E
*   HD-MD4x2-4KZ-E
*   HD-MD6x2-4KZ-E

CVE-2018-15473: OpenSSH User Enumeration

01/12/22

More information

Threat:

Crestron is aware of OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.  
 

Identifier:

This vulnerability has been assigned CVE identifier CVE-2018-15473.

How is Crestron Affected:

This vulnerability affects the following products: All 3-Series Control Systems including but not limited to CP3, RMC3, CP3N, PRO3, and all "x52 Series touchscreens" including but not limited to TSW-552, TSW-1052, TSW-752, TSS-752

Crestron 3-Series Control Systems now uses a customized version of OpenSSH. The Crestron version was modified to replace the cryptographic functions with NIST certified alternatives as well as to remove/modify vulnerable components. Crestron continues to monitor OpenSSH vulnerabilities to apply appropriate fixes.

While the TSW and TSS panels noted use OpenSSH 7.5, they don’t support the features related to this vulnerability. Due to these circumstances, Crestron is not susceptible. Newer touchscreens use a later version of OpenSSH which is not susceptible.

Resources:

For more information, please see 3-Series Control System release notes: v.1.601.0050

Apache Log4j

12/15/21

More information

Threat:

From the offiical vulnerability registration: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. It was later found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. 

Identifier:

CVE-2021-44228, CVE-2021-4104, CVE-2021-45046

How is Crestron Affected:

Crestron has completed a review of all its products and services and have found none which use Log4j and therefore none are affected by this vulnerability.

Resources:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046  
 

NUCLEUS:13

11/09/21

More information

Threat:

A set of vulnerabilities related to the Nucleus Operating System were disclosed by Siemens on November 9, 2021. The official report can be found here and the researcher’s findings can be found here.  
These vulnerabilities have been assigned the following CVEs.

*   CVE-2021-31344 - ICMP echo packets with fake IP options allow sending ICMP echo reply messages to arbitrary hosts on the network.
*    CVE-2021-31345 - The total length of an UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on a user-defined applications that runs on top of the UDP protocol.
*   CVE-2021-31346 - The total length of an ICMP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory.
*   CVE-2021-31881\- When processing a DHCP OFFER message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions.
*   CVE-2021-31882 - The DHCP client application does not validate the length of the Domain Name Server IP option(s) (0x06) when processing DHCP ACK packets. This may lead to Denial-of-Service conditions.
*   CVE-2021-31883 - When processing a DHCP ACK message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions.
*   CVE-2021-31884 - The DHCP client application assumes that the data supplied with the “Hostname” DHCP option is NULL terminated. In cases when global hostname variable is not defined, this may lead to Out-of-bound reads, writes, and Denial-of-service conditions.
*   CVE-2021-31885 - TFTP server application allows for reading the contents of the TFTP memory buffer via sending malformed TFTP commands.
*   CVE-2021-31886 - FTP server does not properly validate the length of the “USER” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
*   CVE-2021-31887 - FTP server does not properly validate the length of the “PWD/XPWD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
*   CVE-2021-31888 - FTP server does not properly validate the length of the “MKD/XMKD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
*   CVE-2021-31889 - Malformed TCP packets with a corrupted SACK option leads to Information Leaks and Denial-of-Service conditions.
*   CVE-2021-31890 - The total length of an TCP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory.

Identifier:

2021-31885, 2021-31886, 2021-31887, 2021-31888, 2021-31881, 2021-31882, 2021-31883, 2021-31884, 2021-31344, 2021-31345, 2021-31346, 2021-31889, 2021-31890

How is Crestron Affected:

Crestron has reviewed products utilizing Nucleus and has found none of its products to be affected.

For reference, a partial list of Crestron products utilizing Nucleus follows:

*   2-Series Control Processors – most of these products are discontinued with the notable exceptions of the GLPAC and GL-IPAC
*   DM-MD6X4 and DM-MD6X6
*   DMC-CPU-8/16
*   DMPS3-300-C and DMPS3-300-C-AEC - (Used on Internal Components only - no direct network access)
*   SWAMP and related products
*   CEN-TRACK

Resources:

https://www.forescout.com/research-labs/nucleus-13/  
https://www.siemens.com/cert/advisories

direct link to

*   pdf: https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf
*   txt: https://cert-portal.siemens.com/productcert/txt/ssa-044112.txt
*   csaf: https://cert-portal.siemens.com/productcert/csaf/ssa-044112.json

ThroughTek's Kalay Platform

08/25/21

More information

Threat:

There is a critical vulnerability that has been discovered that affects the IoT devices that use ThroughTek’s “Kalay” network. Exploiting this vulnerability allows the attacker to listen to live audio, watch real time video data and compromise the credentials on the device for further attacks. This can let the attacker remotely control the device.  
 

Identifier:

This vulnerability has been assigned CVE identifier CVE-2021-28372

How is Crestron Affected:

This vulnerability has no impact on Crestron devices as they do not use the ThroughTek “Kalay” network.  
 

|<  <   **1** 2 3 4 5 6    \>  \>| Pages: 1 of 6

CVE-2022-34102: Crestron Electronics, Inc.

In Microsoft's lightest Patch Tuesday update of the year so far, several security vulnerabilities stand out as must-patch, researchers warn.

Microsoft addressed a pair of important-rated zero-day bugs in its September Patch Tuesday update, including a local privilege-escalation (LPE) that's being actively exploited in the wild. To boot, it disclosed three separate critical vulnerabilities that could be used for worming attacks.

The patches are part of a cache of just 64 fixed vulnerabilities from Microsoft this week, the fewest for any month this year (and almost a 50% decrease from August). The disclosed bugs affect Microsoft Windows and Windows Components; Azure and Azure Arc; .NET, Visual Studio, .NET Framework; Microsoft Edge (Chromium-based); Office and Office Components; Windows Defender; and Linux Kernel.

**A Pair of Zero-Day Vulnerabilities**

The actively exploited vulnerability (CVE-2022-37969, with a CVSS score of 7.8) exists in the Windows Common Log File System Driver, which is a general-purpose logging subsystem first introduced in Windows 2003 R2 OS and which has shipped with all later versions. An exploit for the bug allows an attacker with initial system access to elevate their privilege to SYSTEM privileges on a zero-click basis.

"No other technical details are available, but since the vulnerability has low complexity and requires no user interaction, an exploit will likely soon be in the arsenal of both white hats and black hats," Mike Walters, cybersecurity executive and co-founder of Action1, wrote in an analysis provided to Dark Reading. "It’s recommended that you deploy the patch as soon as possible."

Dustin Childs of Trend Micro's Zero Day Initiative (ZDI) noted that it's likely being deployed in a tidy exploit chain package.

"Bugs of this nature are often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link," he wrote in his Patch Tuesday blog post. "Once they do, additional code executes with elevated privileges to take over a system."

This is one for everyone to patch quickly, he stressed: "Usually, we get little information on how widespread an exploit may be used. However, Microsoft credits four different agencies reporting this bug, so it’s likely beyond just targeted attacks."

The other zero-day bug (CVE-2022-23960) exists in Windows 11 for ARM64-based Systems. Microsoft didn't provide any further details, and it was not assigned a CVSS score, but Bharat Jogi, director of vulnerability and threat research at Qualys, offered context in an emailed comment, noting that it's a processor-based speculative execution issue of the sort made infamous with the Spectre and Meltdown attacks. A successful exploit would give attackers access to sensitive information.

"This \[is\] a fix for a vulnerability known as Spectre-BHB that affects ARM64-based systems," he noted. "This vulnerability is a variant of Spectre v2 which has reinvented itself on numerous occasions and has affected various processor architectures since its discovery in 2017."

He added, "This class of vulnerabilities poses a large headache to the organizations attempting mitigation, as they often require updates to the operating systems, firmware, and in some cases, a recompilation of applications and hardening."

**Five Critical Bugs for September**

As mentioned, three of the critical-rated bugs are wormable — i.e., could be used to spread infections from machine to machine with no user interaction.

The most concerning of these is likely CVE-2022-34718, researchers said, which can be found in Windows TCP/IP. It allows a remote, unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction; and it can be exploited by sending a specially crafted IPv6 packet to a Windows node where IPsec is enabled.

"That officially puts it into the 'wormable' category and earns it a CVSS rating of 9.8," Childs said. "Definitely test and deploy this update quickly."

It should be noted that it only affects systems with IPv6 enabled and IPsec configured, but this is a common setup.

"If a system doesn’t need the IPsec service, disable it as soon as possible," said Action1's Walters. "This vulnerability can be exploited in supply chain attacks where contractor and customer networks are connected by an IPsec tunnel. If you have IPsec tunnels in your Windows infrastructure, this update is a must-have."

The other two wormable bugs, CVE-2022-34722 and CVE-2022-34721, are both found in Windows Internet Key Exchange (IKE) Protocol Extensions. They both allow RCE by sending a specially crafted IP packet to a target machine that is running Windows and has IPsec enabled, and both carry a CVSS score of 9.8.

Walters noted that the vulnerability impacts only IKEv1 and not IKEv2. "However, all Windows Servers are affected because they accept both V1 and V2 packets," he wrote. "There is no exploit or PoC detected in the wild yet; however, installing the fix is highly advisable."

The final two critical bugs (CVE-2022-34700 and CVE-2022-35805) both exist in Dynamics 365 (On-Premises), and "could allow an authenticated user to perform SQL injection attacks and execute commands as db\_owner within their Dynamics 356 database," Childs explained. They have a CVSS score of 8.8.

**Other Vulnerabilities of Note**

As for noncritical flaws to pay attention to first this month, Childs also flagged a denial-of-service bug in Windows DNS server (CVE-2022-34724, CVSS score of 7.5), which can be exploited by remote, unauthenticated attacker to knock out DNS service used to connect to cloud resources and websites.

While there's no chance of code execution, the bug should be treated as critical, he added. "With so many resources in the cloud, a loss of DNS pointing the way to those resources could be catastrophic for many enterprises," Childs said.

Rapid7's Patch Tuesday analysis this month, sent via email, also noted that SharePoint administrators should also be aware of four separate RCE bugs, all rated important (CVE-2022-35823, CVE-2022-37961, CVE-2022-38008, and CVE-2022-38009).

And there's a large swath of RCE bugs affecting OLE DB Provider for SQL Server and the Microsoft ODBC Driver (CVE-2022-34731; CVE-2022-34733, CVE-2022-35834, CVE-2022-35835, CVE-2022-35836, and CVE-2022-35840).

"These require some social engineering to exploit, by convincing a user to either connect to a malicious SQL Server or open a maliciously crafted .mdb (Access) file," Greg Wiseman, product manager at Rapid7, explained in the analysis.

Overall, administrators should have an easier time parsing the lighter patch load this month, but ZDI's Childs noted that the smaller collection is in line with the volume of patches from previous September releases. Qualys' Jogi also pointed out that while September's Patch Tuesday clocks in on the lighter side, Microsoft hit a milestone of fixing the 1,000th CVE of the year, meaning the software giant is "likely on track to surpass 2021, which patched 1,200 CVEs in total."

Microsoft Quashes Actively Exploited Zero-Day, Wormable Critical Bugs

IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, 11.1, and 11.5 is vulnerable to a denial of service after entering a malformed SQL statement into the Db2expln tool. IBM X-Force ID: 230823.

  

**Summary**

IBM® Db2® is vulnerable to a denial of service after entering a specially crafted malformed SQL statement into the db2expln tool.

**Vulnerability Details**

**CVEID:**   CVE-2022-35637  
**DESCRIPTION:**   IBM DbB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a denial of service after entering a malformed SQL statement into the Db2expln tool.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230823 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

All fix pack levels of IBM Db2 V10.5, V11.1, and V11.5 server editions on all platforms are affected.  

IBM Db2 versions 9.7 and 10.1 are not affected.

**Remediation/Fixes**

Customers running any vulnerable fixpack level of an affected Program, V10.5, v11.1 and V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release:  V10.5 FP11, V11.1.4 FP7, and V11.5.7. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

**Release**

**Fixed in fix pack**

**APAR**

**Download URL**

V10.5

TBD

IT41339

Special Build for V10.5 FP11:

AIX 64-bit  
HP-UX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ big endian  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Solaris 64-bit, SPARC  
Solaris 64-bit, x86-64  
Windows 32-bit, x86  
Windows 64-bit, x86  
Inspur

V11.1

TBD

IT41338

Special Build for V11.1.4 FP7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Solaris 64-bit, SPARC  
Windows 32-bit, x86  
Windows 64-bit, x86

V11.5

TBD

IT41312

Special Build for V11.5.7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

12 Sep 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEPGG","label":"DB2 for Linux- UNIX and Windows"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF027","label":"Solaris"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}\],"Version":"10.5, 11.1, 11.5","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2022-35637: IBM® Db2® is vulnerable to a denial of service after entering a specially crafted malformed SQL statement into the db2expln tool. (CVE-2022-35637)

A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

**Commit 36a894ae** authored Aug 21, 2022 by  Committed by **Jason Wang** Sep 02, 2022

Browse files

**net: tulip: Restrict DMA engine to memories**

The DMA engine is started by I/O access and then itself accesses the
I/O registers, triggering a reentrancy bug.

The following log can reveal it:
==5637==ERROR: AddressSanitizer: stack-overflow
    #0 0x5595435f6078 in tulip\_xmit\_list\_update qemu/hw/net/tulip.c:673
    #1 0x5595435f204a in tulip\_write qemu/hw/net/tulip.c:805:13
    #2 0x559544637f86 in memory\_region\_write\_accessor qemu/softmmu/memory.c:492:5
    #3 0x5595446379fa in access\_with\_adjusted\_size qemu/softmmu/memory.c:554:18
    #4 0x5595446372fa in memory\_region\_dispatch\_write qemu/softmmu/memory.c
    #5 0x55954468b74c in flatview\_write\_continue qemu/softmmu/physmem.c:2825:23
    #6 0x559544683662 in flatview\_write qemu/softmmu/physmem.c:2867:12
    #7 0x5595446833f3 in address\_space\_write qemu/softmmu/physmem.c:2963:18
    #8 0x5595435fb082 in dma\_memory\_rw\_relaxed qemu/include/sysemu/dma.h:87:12
    #9 0x5595435fb082 in dma\_memory\_rw qemu/include/sysemu/dma.h:130:12
    #10 0x5595435fb082 in dma...

*   Changes 1

...

...

@@ -70,7 +70,7 @@ static const VMStateDescription vmstate\_pci\_tulip = {

static void tulip\_desc\_read(TULIPState \*s, hwaddr p,

struct tulip\_descriptor \*desc)

{

const MemTxAttrs attrs \= MEMTXATTRS\_UNSPECIFIED;

const MemTxAttrs attrs \= { .memory \= true };

if (s\->csr\[0\] & CSR0\_DBO) {

ldl\_be\_pci\_dma(&s\->dev, p, &desc\->status, attrs);

...

...

@@ -88,7 +88,7 @@ static void tulip\_desc\_read(TULIPState \*s, hwaddr p,

static void tulip\_desc\_write(TULIPState \*s, hwaddr p,

struct tulip\_descriptor \*desc)

{

const MemTxAttrs attrs \= MEMTXATTRS\_UNSPECIFIED;

const MemTxAttrs attrs \= { .memory \= true };

if (s\->csr\[0\] & CSR0\_DBO) {

stl\_be\_pci\_dma(&s\->dev, p, desc\->status, attrs);

...

...

CVE-2022-2962: net: tulip: Restrict DMA engine to memories (36a894ae) · Commits · QEMU / QEMU · GitLab

In the SEPolicy configuration of system apps, there is a possible access to the 'ip' utility due to an insecure default value. This could lead to local information disclosure of network data with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-219808546References: Upstream kernel

_Published September 6, 2022 Updated September 9, 2022_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-09-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.

The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2022-09-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-09-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Android runtime**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-22822

A-219942275

EoP

High

10, 11, 12, 12L

CVE-2022-23852

A-221255869

EoP

High

10, 11, 12, 12L

CVE-2022-23990

A-221256678

EoP

High

10, 11, 12, 12L

CVE-2022-25314

A-221384482

EoP

High

10, 11, 12, 12L

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20218

A-223907044

EoP

High

12, 12L

CVE-2022-20392

A-213323615 \[2\]

EoP

High

10, 11, 12, 12L

CVE-2022-20393

A-233735886

ID

High

11, 12, 12L

CVE-2022-20197

A-208279300

EoP

Moderate

10, 11, 12, 12L

**System**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20395

A-221855295

EoP

High

11, 12, 12L, 13

CVE-2022-20398

A-221859734

EoP

High

13

CVE-2022-20396

A-234440688

ID

High

12L, 13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Component

CVE

Permission Controller, Permission Controller

CVE-2022-20218

MediaProvider

CVE-2022-20395

WiFi

CVE-2022-20398

**2022-09-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-09-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The most severe vulnerability in this section could lead to local information disclosure of network data with no additional execution privileges needed.

    

CVE

References

Type

Severity

Component

CVE-2022-20399

A-219808546  
Upstream kernel

ID

High

SELinux

**Kernel components**

The most severe vulnerability in this section could lead to local escalation of privilege in system libraries with no additional execution privileges needed.

    

CVE

References

Type

Severity

Component

CVE-2021-4083

A-216408350  
Upstream kernel

EoP

High

Kernel

CVE-2022-29582

A-231494876  
Upstream kernel

EoP

High

fs

**Imagination Technologies**

These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies.

   

CVE

References

Severity

Component

CVE-2021-0697

A-238918403\*

High

PowerVR-GPU

CVE-2021-0942

A-238904312\*

High

PowerVR-GPU

CVE-2021-0943

A-238916921\*

High

PowerVR-GPU

CVE-2021-0871

A-238921253\*

High

PowerVR-GPU

**MediaTek components**

This vulnerability affects MediaTek components and further details are available directly from MediaTek. The severity assessment of this issue is provided directly by MediaTek.

   

CVE

References

Severity

Component

CVE-2022-26447

A-237956326  
M-ALPS06784478\*

High

BT firmware

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

   

CVE

References

Severity

Component

CVE-2022-20385

A-238379819  
U-1903041\*

High

kernel

CVE-2022-20386

A-238227328  
U-1903099\*

High

Android

CVE-2022-20387

A-238227324  
U-1872920\*

High

Android

CVE-2022-20388

A-238227323  
U-1872920\*

High

Android

CVE-2022-20389

A-238257004  
U-1872920\*

High

Android

CVE-2022-20390

A-238257002  
U-1872920\*

High

Android

CVE-2022-20391

A-238257000  
U-1872920\*

High

Andorid

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2022-22095

A-223210037  
QC-CR#3168780  
QC-CR#3088894

High

Kernel

CVE-2022-25656

A-228101796  
QC-CR#3119439 \[2\]  
QC-CR#2998082 \[2\]

High

Kernel

CVE-2022-25670

A-235102548  
QC-CR#3104235

High

WLAN

CVE-2022-25693

A-235102897  
QC-CR#3141474

High

Display

CVE-2022-25704

A-235102694  
QC-CR#3155069 \[2\]

High

Bluetooth

CVE-2022-25706

A-235102901  
QC-CR#3155132

High

Bluetooth

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2022-25708

A-235102756\*

Critical

Closed-source component

CVE-2022-22066

A-223209292\*

High

Closed-source component

CVE-2022-22074

A-235102567\*

High

Closed-source component

CVE-2022-22081

A-235102758\*

High

Closed-source component

CVE-2022-22089

A-235102568\*

High

Closed-source component

CVE-2022-22091

A-223209291\*

High

Closed-source component

CVE-2022-22092

A-223211216\*

High

Closed-source component

CVE-2022-22093

A-223209815\*

High

Closed-source component

CVE-2022-22094

A-223210036\*

High

Closed-source component

CVE-2022-25669

A-235102508\*

High

Closed-source component

CVE-2022-25686

A-235102899\*

High

Closed-source component

CVE-2022-25688

A-235102421\*

High

Closed-source component

CVE-2022-25690

A-235102422\*

High

Closed-source component

CVE-2022-25696

A-235102900\*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2022-09-01 or later address all issues associated with the 2022-09-01 security patch level.
*   Security patch levels of 2022-09-05 or later address all issues associated with the 2022-09-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-09-01\]
*   \[ro.build.version.security\_patch\]:\[2022-09-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-09-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2022-09-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2022-09-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

September 6, 2022

Bulletin Published

1.1

September 9, 2022

Bulletin revised to include AOSP links  
Revised CVE Table

CVE-2022-20399: Android Security Bulletin—September 2022  |  Android Open Source Project

Windows DNS Server Denial of Service Vulnerability.

CVE-2022-34724

CVE-2022-35838

.NET Core and Visual Studio Denial of Service Vulnerability.

CVE-2022-38013

Windows Secure Channel Denial of Service Vulnerability. This CVE ID is unique from CVE-2022-35833.

CVE-2022-30196

Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability.

Tag

#dos