Ubuntu Security Notice 5572-2 - Roger Pau Monné discovered that the Xen virtual block driver in the Linux kernel did not properly initialize memory pages to be used for shared communication with the backend. A local attacker could use this to expose sensitive information. Roger Pau Monné discovered that the Xen paravirtualization frontend in the Linux kernel did not properly initialize memory pages to be used for shared communication with the backend. A local attacker could use this to expose sensitive information.

    ==========================================================================Ubuntu Security Notice USN-5572-2August 30, 2022linux-aws vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 14.04 ESMSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-aws: Linux kernel for Amazon Web Services (AWS) systemsDetails:Roger Pau Monné discovered that the Xen virtual block driver in the Linux kernel did not properly initialize memory pages to be used for shared communication with the backend. A local attacker could use this to expose sensitive information (guest kernel memory). (CVE-2022-26365)Roger Pau Monné discovered that the Xen paravirtualization frontend in the Linux kernel did not properly initialize memory pages to be used for shared communication with the backend. A local attacker could use this to expose sensitive information (guest kernel memory). (CVE-2022-33740)It was discovered that the Xen paravirtualization frontend in the Linuxkernel incorrectly shared unrelated data when communicating with certainbackends. A local attacker could use this to cause a denial of service(guest crash) or expose sensitive information (guest kernel memory).(CVE-2022-33741)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 14.04 ESM:   linux-image-4.4.0-1112-aws      4.4.0-1112.118   linux-image-aws                 4.4.0.1112.109After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5572-2   https://ubuntu.com/security/notices/USN-5572-1   CVE-2022-26365, CVE-2022-33740, CVE-2022-33741

Ubuntu Security Notice USN-5572-2

Ubuntu Security Notice 5586-1 - It was discovered that SDL incorrectly handled memory. An attacker could potentially use this issue to cause a denial of service or other unexpected behavior.

    ==========================================================================Ubuntu Security Notice USN-5586-1August 29, 2022libsdl1.2 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:SDL could be made to crash or behave unexpectedly.Software Description:- libsdl1.2: Simple DirectMedia LayerDetails:It was discovered that SDL (Simple DirectMedia Layer) incorrectly handled memory. An attacker could potentially use this issue to causea denial of service or other unexpected behavior.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   libsdl1.2debian                 1.2.15+dfsg1-3ubuntu0.1+esm2In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5586-1   CVE-2022-34568

Ubuntu Security Notice USN-5586-1

Aaron Adams discovered that the netfilter subsystem in the Linux kernel did not properly handle the removal of stateful expressions in some situations, leading to a use-after-free vulnerability. Ziming Zhang discovered that the netfilter subsystem in the Linux kernel did not properly validate sets with multiple ranged fields. It was discovered that the implementation of POSIX timers in the Linux kernel did not properly clean up timers in some situations. Various other vulnerabilities were also discovered.

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

-   Ubuntu 20.04 LTS  
-   Ubuntu 18.04 LTS  
-   Ubuntu 16.04 ESM  
-   Ubuntu 22.04 LTS  
-   Ubuntu 14.04 ESM

Summary

Several security issues were fixed in the kernel.

Software Description

-   linux - Linux kernel  
-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems  
-   linux-azure - Linux kernel for Microsoft Azure Cloud systems  
-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems  
-   linux-gke - Linux kernel for Google Container Engine (GKE) systems  
-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems  
-   linux-ibm - Linux kernel for IBM cloud systems  
-   linux-oem - Linux kernel for OEM systems

Details

Aaron Adams discovered that the netfilter subsystem in the Linux kernel  
did not properly handle the removal of stateful expressions in some  
situations, leading to a use-after-free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or execute  
arbitrary code. (CVE-2022-1966)

Ziming Zhang discovered that the netfilter subsystem in the Linux kernel  
did not properly validate sets with multiple ranged fields. A local  
attacker could use this to cause a denial of service or execute  
arbitrary code. (CVE-2022-1972)

It was discovered that the implementation of POSIX timers in the Linux  
kernel did not properly clean up timers in some situations. A local  
attacker could use this to cause a denial of service (system crash) or  
execute arbitrary code. (CVE-2022-2585)

It was discovered that the netfilter subsystem of the Linux kernel did  
not prevent one nft object from referencing an nft set in another nft  
table, leading to a use-after-free vulnerability. A local attacker could  
use this to cause a denial of service (system crash) or execute  
arbitrary code. (CVE-2022-2586)

Zhenpeng Lin discovered that the network packet scheduler implementation  
in the Linux kernel did not properly remove all references to a route  
filter before freeing it in some situations. A local attacker could use  
this to cause a denial of service (system crash) or execute arbitrary  
code. (CVE-2022-2588)

It was discovered that the Linux kernel did not properly restrict access  
to the kernel debugger when booted in secure boot environments. A  
privileged attacker could use this to bypass UEFI Secure Boot  
restrictions. (CVE-2022-21499)

Kyle Zeng discovered that the Network Queuing and Scheduling subsystem  
of the Linux kernel did not properly perform reference counting in some  
situations, leading to a use-after-free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or execute  
arbitrary code. (CVE-2022-29581)

Arthur Mongodin discovered that the netfilter subsystem in the Linux  
kernel did not properly perform data validation. A local attacker could  
use this to escalate privileges in certain situations. (CVE-2022-34918)

Update instructions

The problem can be corrected by updating your kernel livepatch to the  
following versions:

Ubuntu 20.04 LTS  
    aws - 89.1  
    azure - 89.1  
    azure - 89.2  
    gcp - 89.1  
    generic - 89.1  
    generic - 89.2  
    gke - 89.1  
    gke - 89.2  
    gkeop - 89.1  
    ibm - 89.1  
    lowlatency - 89.1

Ubuntu 18.04 LTS  
    aws - 89.1  
    azure - 89.1  
    gcp - 89.1  
    generic - 89.1  
    gke - 89.1  
    gke - 89.2  
    gkeop - 89.1  
    gkeop - 89.2  
    ibm - 89.1  
    lowlatency - 89.1  
    oem - 89.1

Ubuntu 16.04 ESM  
    aws - 89.1  
    azure - 89.1  
    gcp - 89.1  
    generic - 89.1  
    lowlatency - 89.1  
    lowlatency - 89.2

Ubuntu 22.04 LTS  
    aws - 89.1  
    azure - 89.1  
    gcp - 89.1  
    generic - 89.1  
    gke - 89.1  
    ibm - 89.1  
    lowlatency - 88.1

Ubuntu 14.04 ESM  
    generic - 89.1  
    lowlatency - 89.1

Support Information

Kernels older than the levels listed below do not receive livepatch  
updates. If you are running a kernel version earlier than the one listed  
below, please upgrade your kernel as soon as possible.

Ubuntu 20.04 LTS  
    linux-aws-5.15 - 5.15.0-1000  
    linux-aws - 5.4.0-1009  
    linux-azure-5.15 - 5.15.0-1069  
    linux-azure - 5.4.0-1010  
    linux-gcp-5.15 - 5.15.0-1000  
    linux-gcp - 5.4.0-1009  
    linux-gke-5.15 - 5.15.0-1000  
    linux-gke - 5.4.0-1033  
    linux-gkeop - 5.4.0-1009  
    linux-hwe - 5.15.0-0  
    linux-ibm-5.15 - 5.15.0-1000  
    linux-ibm - 5.4.0-1009  
    linux-oem - 5.4.0-26  
    linux - 5.4.0-26

Ubuntu 18.04 LTS  
    linux-aws-5.4 - 5.4.0-1069  
    linux-aws - 4.15.0-1054  
    linux-azure-4.15 - 4.15.0-1115  
    linux-azure-5.4 - 5.4.0-1069  
    linux-gcp-4.15 - 4.15.0-1121  
    linux-gcp-5.4 - 5.4.0-1069  
    linux-gke-4.15 - 4.15.0-1076  
    linux-gke-5.4 - 5.4.0-1009  
    linux-gkeop-5.4 - 5.4.0-1007  
    linux-hwe-5.4 - 5.4.0-26  
    linux-ibm-5.4 - 5.4.0-1009  
    linux-oem - 4.15.0-1063  
    linux - 4.15.0-69

Ubuntu 16.04 ESM  
    linux-aws-hwe - 4.15.0-1126  
    linux-aws - 4.4.0-1098  
    linux-azure - 4.15.0-1063  
    linux-gcp - 4.15.0-1118  
    linux-hwe - 4.15.0-69  
    linux - 4.4.0-168  
    linux - 4.4.0-211

Ubuntu 22.04 LTS  
    linux-aws - 5.15.0-1000  
    linux-azure - 5.15.0-1000  
    linux-gcp - 5.15.0-1000  
    linux-gke - 5.15.0-1000  
    linux-ibm - 5.15.0-1000  
    linux - 5.15.0-24  
    linux - 5.15.0-25

Ubuntu 14.04 ESM  
    linux-lts-xenial - 4.4.0-168

References

-   CVE-2022-1966  
-   CVE-2022-1972  
-   CVE-2022-2585  
-   CVE-2022-2586  
-   CVE-2022-2588  
-   CVE-2022-21499  
-   CVE-2022-29581  
-   CVE-2022-34918

Kernel Live Patch Security Notice LSN-0089-1

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.


**Comments ()**

**Files changed (7)**

*   +3 \-0
    
    M src/changes/changes.xml
*   +18 \-2
    
    M src/main/java/org/yaml/snakeyaml/LoaderOptions.java
*   +27 \-1
    
    M src/main/java/org/yaml/snakeyaml/composer/Composer.java
*   +6 \-4
    
    M src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java
*   +17 \-4
    
    M src/test/java/org/yaml/snakeyaml/issues/issue525/FuzzyStackOverflowTest.java
*   +17 \-4
    
    M src/test/java/org/yaml/snakeyaml/issues/issue526/Fuzzy47027Test.java
*   +5 \-7
    
    M src/test/java/org/yaml/snakeyaml/issues/issue527/Fuzzy47047Test.java

**File src/changes/changes.xml Modified**

*   Ignore whitespace
*   Hide word diff

         <release version="1.31" date="in Git" description="Maintenance">

\+            <action dev="asomov" type="fix" issue="525">

\+                Restrict nested depth for collections to avoid DoS attacks (detected by OSS-Fuzz)

             <action dev="asomov" type="add" issue="525">

                 Add test for stackoverflow

**File src/main/java/org/yaml/snakeyaml/LoaderOptions.java Modified**

*   Ignore whitespace
*   Hide word diff

     private boolean allowRecursiveKeys = false;

     private boolean processComments = false;

     private boolean enumCaseSensitive = true;

\+    private int nestingDepthLimit = 50;

     public boolean isAllowDuplicateKeys() {

         return allowDuplicateKeys;

\-     \* Restrict the amount of aliases for collections (sequences and mappings) to avoid https://en.wikipedia.org/wiki/Billion\_laughs\_attack

\+     \* Restrict the amount of aliases for collections (sequences and mappings)

\+     \* to avoid https://en.wikipedia.org/wiki/Billion\_laughs\_attack

      \* @param maxAliasesForCollections set max allowed value (50 by default)

     public void setMaxAliasesForCollections(int maxAliasesForCollections) {

\-     \* Allow recursive keys for mappings. By default it is not allowed.

\+     \* Allow recursive keys for mappings. By default, it is not allowed.

      \* This setting only prevents the case when the key is the value. If the key is only a part of the value

      \* (the value is a sequence or a mapping) then this case is not recognized and always allowed.

      \* @param allowRecursiveKeys - false to disable recursive keys

     public void setEnumCaseSensitive(boolean enumCaseSensitive) {

         this.enumCaseSensitive = enumCaseSensitive;

\+    public int getNestingDepthLimit() {

\+        return nestingDepthLimit;

\+     \* Set max depth of nested collections. When the limit is exceeded an exception is thrown.

\+     \* Aliases/Anchors are not counted.

\+     \* This is to prevent a DoS attack

\+     \* @param nestingDepthLimit - depth to be accepted (50 by default)

\+    public void setNestingDepthLimit(int nestingDepthLimit) {

\+        this.nestingDepthLimit = nestingDepthLimit;

**File src/main/java/org/yaml/snakeyaml/composer/Composer.java Modified**

*   Ignore whitespace
*   Hide word diff

 import org.yaml.snakeyaml.events.NodeEvent;

 import org.yaml.snakeyaml.events.ScalarEvent;

 import org.yaml.snakeyaml.events.SequenceStartEvent;

\-import org.yaml.snakeyaml.nodes.AnchorNode;

 import org.yaml.snakeyaml.nodes.MappingNode;

 import org.yaml.snakeyaml.nodes.Node;

 import org.yaml.snakeyaml.nodes.NodeId;

     private final LoaderOptions loadingConfig;

     private final CommentEventsCollector blockCommentsCollector;

     private final CommentEventsCollector inlineCommentsCollector;

\+    // keep the nesting of collections inside other collections

\+    private int nestingDepth = 0;

\+    private final int nestingDepthLimit;

     public Composer(Parser parser, Resolver resolver) {

         this(parser, resolver, new LoaderOptions());

                 CommentType.BLANK\_LINE, CommentType.BLOCK);

         this.inlineCommentsCollector = new CommentEventsCollector(parser,

\+        nestingDepthLimit = loadingConfig.getNestingDepthLimit();

             NodeEvent event = (NodeEvent) parser.peekEvent();

             String anchor = event.getAnchor();

\+            increaseNestingDepth();

             // the check for duplicate anchors has been removed (issue 174)

             if (parser.checkEvent(Event.ID.Scalar)) {

                 node = composeScalarNode(anchor, blockCommentsCollector.consume());

                 node = composeMappingNode(anchor);

\+            decreaseNestingDepth();

         recursiveNodes.remove(parent);

     protected Node composeValueNode(MappingNode node) {

         return composeNode(node);

\+     \* Increase nesting depth and fail when it exceeds the denied limit

\+    private void increaseNestingDepth() {

\+        if (nestingDepth > nestingDepthLimit) {

\+            throw new YAMLException("Nesting Depth exceeded max " + nestingDepthLimit);

\+     \* Indicate that the collection is finished and the nesting is decreased

\+    private void decreaseNestingDepth() {

\+        if (nestingDepth > 0) {

\+            throw new YAMLException("Nesting Depth cannot be negative");

**File src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java Modified**

*   Ignore whitespace
*   Hide word diff

\-    public void referencesWithRestrictedAliases() {

\+    public void referencesWithRestrictedNesting() {

         // without alias restriction this size should occupy tons of CPU, memory and time to parse

\-        String bigYAML = createDump(35);

\+        String bigYAML = createDump(depth);

         long time1 = System.currentTimeMillis();

         LoaderOptions settings = new LoaderOptions();

\-        settings.setMaxAliasesForCollections(40);

\+        settings.setMaxAliasesForCollections(1000);

         settings.setAllowRecursiveKeys(true);

\+        settings.setNestingDepthLimit(depth);

         Yaml yaml = new Yaml(settings);

\-            assertEquals("Number of aliases for non-scalar nodes exceeds the specified max=40", e.getMessage());

\+            assertEquals("Nesting Depth exceeded max 35", e.getMessage());

         long time2 = System.currentTimeMillis();

         float duration = (time2 - time1) / 1000;

**File src/test/java/org/yaml/snakeyaml/issues/issue525/FuzzyStackOverflowTest.java Modified**

*   Ignore whitespace
*   Hide word diff

 package org.yaml.snakeyaml.issues.issue525;

+import static org.junit.Assert.assertEquals;

 import static org.junit.Assert.assertTrue;

 import static org.junit.Assert.fail;

+import org.yaml.snakeyaml.LoaderOptions;

 import org.yaml.snakeyaml.Util;

 import org.yaml.snakeyaml.Yaml;

 import org.yaml.snakeyaml.error.YAMLException;

 public class FuzzyStackOverflowTest {

   public void parseOpenUnmatchedMappings() {

       fail("Should report invalid YAML");

     } catch (YAMLException e) {

\-      //TODO FIXME stackoverflow

\+      assertEquals("Nesting Depth exceeded max 50", e.getMessage());

\+  public void parseOpenUnmatchedMappingsWithCustomLimit() {

\+      LoaderOptions options = new LoaderOptions();

\+      options.setNestingDepthLimit(1000);

\+      Yaml yaml = new Yaml(options);

\+      String strYaml = Util.getLocalResource("fuzzer/YamlFuzzer-4626423186325504");

\+      fail("Should report invalid YAML");

\+    } catch (YAMLException e) {

\+      assertEquals("Nesting Depth exceeded max 1000", e.getMessage());

**File src/test/java/org/yaml/snakeyaml/issues/issue526/Fuzzy47027Test.java Modified**

*   Ignore whitespace
*   Hide word diff

 package org.yaml.snakeyaml.issues.issue526;

\-import static org.junit.Assert.assertTrue;

+import static org.junit.Assert.assertEquals;

 import static org.junit.Assert.fail;

+import org.yaml.snakeyaml.LoaderOptions;

 import org.yaml.snakeyaml.Util;

 import org.yaml.snakeyaml.Yaml;

 import org.yaml.snakeyaml.error.YAMLException;

       fail("Should report invalid YAML");

     } catch (YAMLException e) {

\-      //TODO FIXME stackoverflow

\+      assertEquals("Nesting Depth exceeded max 50", e.getMessage());

\+  public void setCustomLimit100() {

\+      LoaderOptions options = new LoaderOptions();

\+      options.setNestingDepthLimit(100);

\+      Yaml yaml = new Yaml(options);

\+      String strYaml = Util.getLocalResource("fuzzer/YamlFuzzer-5427149240139776");

\+      fail("Should report invalid YAML");

\+    } catch (YAMLException e) {

\+      assertEquals("Nesting Depth exceeded max 100", e.getMessage());

**File src/test/java/org/yaml/snakeyaml/issues/issue527/Fuzzy47047Test.java Modified**

*   Ignore whitespace
*   Hide word diff

 package org.yaml.snakeyaml.issues.issue527;

\-import static org.junit.Assert.assertTrue;

+import static org.junit.Assert.assertEquals;

 import static org.junit.Assert.fail;

 public class Fuzzy47047Test {

\-  public void parseOpenUnmatchedSequences\_47047() {

\+  public void parseKeyIndicators\_47047() {

       String strYaml = Util.getLocalResource("fuzzer/YamlFuzzer-5868638424399872");

\-      fail("Should report invalid YAML");

\+      //TODO FIXME fail("Should report invalid YAML");

     } catch (YAMLException e) {

\-      //TODO FIXME it runs for 35 seconds !!!

\+      assertEquals("Nesting Depth exceeded max 25", e.getMessage());

CVE-2022-25857: snakeyaml / snakeyaml - fc30078

The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.


Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

    regex = /A(B|C+)+D/
    

This regular expression accomplishes the following:

*   A The string must start with the letter 'A'
*   (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
*   D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    0.04s user 0.01s system 95% cpu 0.052 total
    
    

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

1.  CCC
2.  CC+C
3.  C+CC
4.  C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String

Number of C's

Number of steps

ACCCX

3

38

ACCCCX

4

71

ACCCCCX

5

136

ACCCCCCCCCCCCCCX

14

65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

CVE-2022-25887: Snyk Vulnerability Database | Snyk

Patlite NH-FB v1.46 and below was discovered to contain insufficient firmware validation during the upgrade firmware file upload process. This vulnerability allows authenticated attackers to create and upload their own custom-built firmware and inject malicious code.

**Patlite NH-FB series vulnerability.****Product Description:  
**

The NH-FB series devices from Patlite are network monitoring and real-time notifications of predesignated events and device failures via visual signals and email alerts.

**Affected Products:  
**

All Patlite NH-FB series (NHL-xFB1 / NHP-xFB2 / NHL-xFB2 ) devices from version 1.46 and under.  

**Vulnerability Summary:**

*   Vulnerability 1 \[CVE-2022-35911\] - Unauthenticated Remote Denial of Service.  
    The binary file control (/etc/lighttpd/api/control) allocates a buffer for each read operation that occurs for a request, could allow an unauthenticated, remote attacker to cause a denial of service (memory consumption) by removing expected GET parameter. The vulnerability is due to an insufficient logic condition and does not check if any GET parameters are present during the API the call. An attacker could exploit this vulnerability by sending a high rate of TCP packets to the specific API endpoint control on a targeted device.  
    
*   Vulnerability 2 - Insufficient firmware validation  
    Patlite NH-FB series (NHL-xFB1 / NHP-xFB2 / NHL-xFB2 ) is affected by an insufficient firmware validation during the upgrade firmware file upload process. An authenticated, remote attacker can build his own custom firmware and inject malicious code inside. A successful exploit could allow the attacker to have a full control of the device This issue affects all Patlite NH-FB series (NHL-xFB1 / NHP-xFB2 / NHL-xFB2 ) version 1.46 and under.
    

**Reproduction Steps:**

1.  Unauthenticated Remote Denial of Service.  
    A simple request to the endpoint /api/control/AAAAAAAAAAAAAAAAAA will confuse the program which is theoretically expecting to receive a GET parameter alert (/api/control?alert=1) but as this is not expected for by the program it will cause a denial of service and display the contents of the binary file control after some times keeping loading.  
    

Payload

for i in {0..1000}; do echo "\[$i\]: "; echo -ne "GET /api/control/AAAAAAAAAAAAAAAAAA HTTP/1.1\\r\\nHost: 172.31.42.235\\r\\n\\r\\n" | nc 172.31.42.235 80; done \> /dev/null 2>&1

This loop will consume all the memory of the device and make it temporarily unusable.

Video PoC Patlite memory consumption (dos) - CVE-2022-35911 

2\. Insufficient firmware validation  
This vulnerability gives us the possibility to craft our own custom firmware as there is no firmware validation during the upgrade device process. In the following proof of concept we are going to add a reverse shell payload in the /pns-b/install-web script file that will be triggered when the malicious firmware will be uploaded in the target machine.

Step 1 - Download the Patlite firmware from the offcial website and extract the content.

Step 2 - Let's modify the content of the script /pns-b/install-web to add our reverse shell payload.  

Step 3 - Repack the firmware  

Step 4 - Upload the backdoored firmware in the device, create a listener and wait for the Patlite device to connect to us.  

As you can see, the reverse shell was perfectly executed during the update process. We have now full control on the device with root privilege.

Video PoC Patlite ver1.43 - Insufficient firmware validation 

**Recommendation Fixes / Remediation:**

Vulnerability 1: Just before the function getShareMemoryAddr is called a condition must check if the current request really contains 2 GET parameters.  
  
More info: https://cwe.mitre.org/data/definitions/703.html

Vulnerability 2: To accept an update, the Patlite device needs to verify the respective code signature of all software components included in the firmware update. This integrity protection ensures that no unauthorized entity can modify the firmware image.  
More info: https://cwe.mitre.org/data/definitions/347.html

**Vulnerable Devices Found:**

As of 25Jul2022, there were 5 Patlite NH-FB series devices exposed to the internet and were affected by the vulnerabilities discovered.

**Reference:**

https://www.patlite.co.jp/product/detail0000021462.html  
https://www.patlite.com/network-products/lineup/nh-fb.html

**Security researchers:**

*   Thomas Knudsen
*   Samy Younsi

CVE-2022-38625: Patlite-NH-FB.md

Ubuntu Security Notice 5584-1 - It was discovered that Schroot incorrectly handled certain Schroot names. An attacker could possibly use this issue to break schroot's internal state causing a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5584-1  
August 29, 2022

schroot vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM

Summary:

Schroot could be made to denial of service if certain  
schroot names are used.

Software Description:  
- schroot: Execute commands in a chroot environment

Details:

It was discovered that Schroot incorrectly handled certain Schroot names.  
An attacker could possibly use this issue to break schroot's internal  
state causing a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  schroot                         1.6.10-12ubuntu3.1

Ubuntu 20.04 LTS:  
  schroot                         1.6.10-9ubuntu0.1

Ubuntu 18.04 LTS:  
  schroot                         1.6.10-4ubuntu0.1

Ubuntu 16.04 ESM:  
  schroot                         1.6.10-1ubuntu3+esm1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5584-1  
  CVE-2022-2787

Package Information:  
  https://launchpad.net/ubuntu/+source/schroot/1.6.10-12ubuntu3.1  
  https://launchpad.net/ubuntu/+source/schroot/1.6.10-9ubuntu0.1  
  https://launchpad.net/ubuntu/+source/schroot/1.6.10-4ubuntu0.1

Ubuntu Security Notice USN-5584-1

A single-byte, non-arbitrary write/use-after-free flaw was found in dnsmasq. This flaw allows an attacker who sends a crafted packet processed by dnsmasq, potentially causing a denial of service.

'2057075?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-0934: Invalid Bug ID

A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel’s filesystem sub-component. This flaw allows a local attacker with a user privilege to cause a denial of service.

'2070205?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-1184: Invalid Bug ID

A heap-buffer-overflow flaw was found in ImageMagick’s PushShortPixel() function of quantum-private.h file. This vulnerability is triggered when an attacker passes a specially crafted TIFF image file to ImageMagick for conversion, potentially leading to a denial of service.

**ImageMagick version**

7.1.0-28

**Operating system**

Linux

**Operating system, version and so on**

OS: Ubuntu 20.04.3 LTS  
Version: ImageMagick 7.1.0-28 Q16-HDRI x86\_64 2022-03-04 https://imagemagick.org  
Copyright: (C) 1999 ImageMagick Studio LLC  
License: https://imagemagick.org/script/license.php  
Features: Cipher DPC HDRI  
Delegates (built-in): bzlib fontconfig freetype jbig jng jpeg lzma pangocairo png tiff x xml zlib  
Compiler: gcc (4.2)

**Description**

Hello,  
We found a heap overflow vulnerability in magick

**Steps to Reproduce**

build it  
CC=afl-clang-lto CXX=afl-clang-lto++ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --disable-shared --prefix="/root/fuzz/target/imagemagick/ImageMagick/install"

AFL_USE_ASAN=1 make -j24 && make install -j24

run it  
./magick convert poc /dev/null  
output

\=================================================================  
\==1195823==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000181c at pc 0x000000cd5328 bp 0x7ffdacd61fa0 sp 0x7ffdacd61f98  
READ of size 1 at 0x61900000181c thread T0  
#0 0xcd5327 in PushShortPixel /root/fuzz/target/image\_magick/ImageMagick/./MagickCore/quantum-private.h  
#1 0xcd5327 in ImportRGBAQuantum /root/fuzz/target/image\_magick/ImageMagick/MagickCore/quantum-import.c:4232:15  
#2 0xcd5327 in ImportQuantumPixels /root/fuzz/target/image\_magick/ImageMagick/MagickCore/quantum-import.c:4780:7  
#3 0x13e73f2 in ReadTIFFImage /root/fuzz/target/imagemagick/ImageMagick/coders/tiff.c:2052:24  
#4 0x6f9981 in ReadImage /root/fuzz/target/image\_magick/ImageMagick/MagickCore/constitute.c:728:15  
#5 0x6fe991 in ReadImages /root/fuzz/target/image\_magick/ImageMagick/MagickCore/constitute.c:1075:9  
#6 0x157caa5 in ConvertImageCommand /root/fuzz/target/imagemagick/ImageMagick/MagickWand/convert.c:614:18  
#7 0x17191fd in MagickCommandGenesis /root/fuzz/target/imagemagick/ImageMagick/MagickWand/mogrify.c:188:14  
#8 0x580b89 in MagickMain /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:150:10  
#9 0x580b89 in main /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:182:10  
#10 0x7f499b68b0b2 in \_\_libc\_start\_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16  
#11 0x4ce36d in \_start (/root/fuzz/target/imagemagick/ImageMagick/install/bin/magick+0x4ce36d)

0x61900000181c is located 10 bytes to the right of 914-byte region \[0x619000001480,0x619000001812)  
allocated by thread T0 here:  
#0 0x54ab1d in malloc (/root/fuzz/target/imagemagick/ImageMagick/install/bin/magick+0x54ab1d)  
#1 0x13e6faf in ReadTIFFImage /root/fuzz/target/imagemagick/ImageMagick/coders/tiff.c:1996:39  
#2 0x6f9981 in ReadImage /root/fuzz/target/image\_magick/ImageMagick/MagickCore/constitute.c:728:15  
#3 0x6fe991 in ReadImages /root/fuzz/target/image\_magick/ImageMagick/MagickCore/constitute.c:1075:9  
#4 0x157caa5 in ConvertImageCommand /root/fuzz/target/imagemagick/ImageMagick/MagickWand/convert.c:614:18  
#5 0x17191fd in MagickCommandGenesis /root/fuzz/target/imagemagick/ImageMagick/MagickWand/mogrify.c:188:14  
#6 0x580b89 in MagickMain /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:150:10  
#7 0x580b89 in main /root/fuzz/target/imagemagick/ImageMagick/utilities/magick.c:182:10  
#8 0x7f499b68b0b2 in \_\_libc\_start\_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/fuzz/target/image\_magick/ImageMagick/./MagickCore/quantum-private.h in PushShortPixel  
Shadow bytes around the buggy address:  
0x0c327fff82b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff82d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff82e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff82f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c327fff8300: 00 00 02\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==1195823==ABORTING

**Images**

poc.zip

Tag

#dos