Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-22\_01.webgui Security Advisory pfSense Topic: File overwrite vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2022-01-12 Credits: Yutaka WATANABE of Ierae Security, Inc. via JPCERT/CC CVE ID: CVE-2022-26019 Affects: pfSense CE software versions < 2.6.0 pfSense Plus software versions < 22.01 Corrected: 2021-08-06 15:40:00 UTC (pfSense CE 2.6.0) 2021-08-06 15:40:30 UTC (pfSense Plus 22.01) 0. Revision History v1.1 2022-03-08 Removed JVN ID, added CVE ID, added missing commit hash, updated solution information. v1.0 2022-01-12 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description An arbitrary file overwrite vulnerability was found in services\_ntpd\_gps.php, a component of the pfSense CE and pfSense Plus software WebGUI, on pfSense CE version 2.5.2, pfSense Plus version 21.05.2, and earlier versions of both. The gpsport parameter was not validated properly when set in services\_ntpd\_gps.php or during NTP setup in services.inc. A relative path in the parameter could have been leveraged to overwrite an existing file on the firewall with the contents of the gpsinitcmd configuration parameter. To exploit this, all of the following must be true: \* The attacker must have authenticated access to the GUI \* The attacker must have sufficient privileges to access services\_ntpd\_gps.php \* The attacker must have sufficient privileges to alter the firewall configuration \* "Check baud rate before sending init commands" on services\_ntpd\_gps.php must be unchecked III. Impact An attacker meeting all of the necessary conditions to exploit the vulnerability could overwrite an existing file on the firewall with arbitrary contents. This method could be used for code execution, privilege escalation, information disclosure, denial of service, or other negative outcomes. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: \* Limit access to the affected pages to trusted administrators only. V. Solution Users can upgrade to pfSense CE software version 2.6.0 or later when available, or pfSense Plus software version 22.01 or later. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 21.05.2 or pfSense pfSense CE version 2.5.2 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on pfSense pfSense Plus version 21.05.2 or pfSense CE version 2.5.2 and possibly on earlier versions. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ pfSense/master bf21f67bbe2d1694ad1ad72728623dded9ace426 0d3747aaa90dc3ad7729b68be8c9727d44b743c7 fbf4a07f41f93745850adf5a3b1ea345628693ab plus/plus-master bf21f67bbe2d1694ad1ad72728623dded9ace426 0d3747aaa90dc3ad7729b68be8c9727d44b743c7 fbf4a07f41f93745850adf5a3b1ea345628693ab ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ VII. References The latest revision of this advisory is available at \-----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmInWRYACgkQE7mH/ZIU +NrLZhAAibWli7PiTgy23f/ylrye5BDXtvqrNVbwMzChGm432r3k1XyYC0qtFujV HD4dIHDhi0GO8dyZO0caMKpfkOs1q8ntfn12eJn7cUzusgoPNqwP8gfm/jNZEZ1A nnYgVGGp1kfIv/YytHFlRhfQ93odAZ663R5kWWZ9ZzvHBvA4nOS+CApphGRmoQ5K ItjbnfslBrrUpcUPgHQd6rBRiix8OGx5fNbrCv9G0+Vai0Jmw7mtuwan9UZyIwuJ S3cyaz9jsuKiUcnK9oVfyuaWxSbN41fs3GkHdO+GMZk/sUPdLlIdVJmMwvRBhUbe Sr//xUN1eMH8JUzScXttQZk2JScr+dgX1L2bJz2cCIo5ZLzJ4t8MqOhiXoJKxqqW VySmej4a2tQGK3ZZSD+9aFhiJlYr9vSjWlAbAYkkPfoI+83qr/E3z+TPBc4JcPNx wrzAMVdECAt1r3HNNNXwhdYZ+rHyr+SQ/jWeL8i6wRRvltOf/BygDzbTb/mqyR1B Kl4ybMSgUayb0Tb8t7f6QWjqBKHcK8Ummini83Yv2/uEPzH2dtLwla+PZYIVoaqc 6hWHWGv8kDGEIQ64wU0FhArRIPEPMtDZd6coyaKEIVr7rSjbZ7hnkd5JR0PK0n6i 4X6M21wIEkv9jr8Ds5n97cWxXBVrVHIQwCfh8z/ESGg503MSHv0= =WKlk -----END PGP SIGNATURE-----

CVE-2022-26019

PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12 and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJSIP's XML parsing in their apps. Users are advised to update. There are no known workarounds.

**Impact**

It is a denial-of-service vulnerability that affects PJSIP users that uses PJSIP's XML parsing in their apps.

**Patches**

The patch is available as commit 856f87c in the master branch.

**For more information**

If you have any questions or comments about this advisory:  
Email us at security@pjsip.org

CVE-2022-24763: Denial-of-service in XML parsing due to an infinite loop

phpshe V1.8 is affected by a denial of service (DoS) attack in the registry's verification code, which can paralyze the target service.

Program download address. http://www.phpshe.com/down/phpshe1.8.rar

Of course, there are packages in this project.(phpshe1.8.rar)

There is a denial of access vulnerability in the registry's verification code. ![image](https://github.com/zpxlz/phpshe/raw/gh-pages/1.png)

I deployed the website with my own server, Click the verification code to refresh the verification code, and then grab the request package, Modify the length and width parameters of the verification code image, and you can see that the returned data is very long, ![image](https://github.com/zpxlz/phpshe/raw/gh-pages/2.png)

I didn't set up many threads, just 50, and my server (4-core 8G) almost crashed. ![image](https://github.com/zpxlz/phpshe/raw/gh-pages/3.png)

CVE-2022-24132: GitHub - zpxlz/phpshe: phpshe

In miniadb, there is a possible way to get read/write access to recovery system properties due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-201308542

_Published February 22, 2022_

This Android Security Release Notes contains details of security vulnerabilities affecting Android devices which are addressed as part of Android 12L. Android 12L devices with a security patch level of 2022-03-01 or later are protected against these issues (Android 12L, as released on AOSP, will have a default security patch level of 2022-03-01). To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues prior to publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository as part of the Android 12L release.

The severity assessment of issues in these release notes are based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Announcements**

*   The issues described in this document are addressed as part of Android 12L. This information is provided for reference and transparency.
*   We would like to acknowledge and thank the security research community for their continued contributions towards securing the Android ecosystem.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**Android 12L vulnerability details**

The sections below provide details for security vulnerabilities fixed as part of Android 12L. Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerability, and severity.

**Framework**

   

CVE

References

Type

Severity

CVE-2021-39749

A-205996115

EoP

High

CVE-2021-39743

A-201534884

EoP

Moderate

CVE-2021-39746

A-194696395

EoP

Moderate

CVE-2021-39750

A-206474016

EoP

Moderate

CVE-2021-39752

A-202756848

EoP

Moderate

CVE-2021-39758

A-205130886

EoP

Moderate

CVE-2022-20002

A-198657657

EoP

Moderate

CVE-2021-39744

A-192369136

ID

Moderate

CVE-2021-39745

A-206127671

ID

Moderate

CVE-2021-39747

A-208268457

ID

Moderate

CVE-2021-39748

A-203777141

ID

Moderate

CVE-2021-39751

A-172838801

ID

Moderate

CVE-2021-39753

A-200035185

ID

Moderate

CVE-2021-39755

A-204995407

ID

Moderate

CVE-2021-39756

A-184354287

ID

Moderate

CVE-2021-39757

A-176094662

ID

Moderate

CVE-2021-39754

A-207133709

ID

Moderate

**Media Framework**

   

CVE

References

Type

Severity

CVE-2021-39759

A-180200830

EoP

Moderate

CVE-2021-39760

A-194110526

ID

Moderate

CVE-2021-39761

A-179783181

ID

Moderate

CVE-2021-39762

A-210625816

ID

Moderate

**Platform**

   

CVE

References

Type

Severity

CVE-2021-39741

A-173567719

EoP

Moderate

CVE-2021-39763

A-199176115

EoP

Moderate

CVE-2021-39764

A-170642995

EoP

Moderate

CVE-2021-39767

A-201308542

EoP

Moderate

CVE-2021-39768

A-202017876

EoP

Moderate

CVE-2021-39771

A-198661951

EoP

Moderate

CVE-2021-25393

A-180518134

ID

Moderate

CVE-2021-39739

A-184525194

ID

Moderate

CVE-2021-39740

A-209965112

ID

Moderate

CVE-2021-39742

A-186405602

ID

Moderate

CVE-2021-39765

A-201535427

ID

Moderate

CVE-2021-39766

A-198296421

ID

Moderate

CVE-2021-39769

A-193663287

ID

Moderate

CVE-2021-39770

A-193033501

ID

Moderate

**System**

   

CVE

References

Type

Severity

CVE-2021-39776

A-192614125

EoP

High

CVE-2021-39787

A-202506934

EoP

High

CVE-2021-39772

A-181962322

EoP

Moderate

CVE-2021-39780

A-204992293

EoP

Moderate

CVE-2021-39781

A-195311502

EoP

Moderate

CVE-2021-39782

A-202760015

EoP

Moderate

CVE-2021-39783

A-197960597

EoP

Moderate

CVE-2021-39784

A-200163477

EoP

Moderate

CVE-2021-39786

A-192551247

EoP

Moderate

CVE-2021-39789

A-203880906

EoP

Moderate

CVE-2021-39790

A-186405146

EoP

Moderate

CVE-2021-39773

A-191276656

ID

Moderate

CVE-2021-39775

A-206465854

ID

Moderate

CVE-2021-39777

A-194743207

ID

Moderate

CVE-2021-39778

A-196406138

ID

Moderate

CVE-2021-39779

A-190400974

ID

Moderate

CVE-2021-39788

A-191768014

ID

Moderate

CVE-2021-39791

A-194112606

ID

Moderate

CVE-2021-39774

A-205989472

DoS

Moderate

**Additional Vulnerability details**

The section below provides details for security vulnerabilities that are being provided for disclosure purposes. **These issues are not required for SPL compliance.**

**Android TV**

   

CVE

References

Type

Severity

CVE-2021-1000

A-185190688

EoP

Moderate

CVE-2021-1033

A-185247656

EoP

Moderate

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

Android 12L, as released on AOSP, has a default security patch level of 2022-03-01. Android devices running Android 12L and with a security patch level of 2022-03-01 or later address all issues contained in these security release notes.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

**Versions**

  

Version

Date

Notes

1.0

February 22, 2022

Security Release Notes Published

CVE-2021-39767: Android 12L Security Release Notes  |  Android Open Source Project

In incfs, there is a possible way of mounting on arbitrary paths due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-198657657

CVE-2022-20002: Android 12L Security Release Notes  |  Android Open Source Project

An improper authorization handling flaw was found in Foreman. The Salt plugin for the smart-proxy allows foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenticated local attacker to access and delete limited resources and also causes a denial of service on the Foreman server. The highest threat from this vulnerability is to integrity and system availability.

**Note:** If your use of the APIs is failing with an error titled 'API access must use the Authorization header' then you need to read the API Authentication changes announcement

*   
*   
*   
*   
*   
*   

**Bug 1941001** (CVE-2021-3456) - CVE-2021-3456 smart\_proxy\_salt: unauthorized users can execute actions that should be reserved for foreman

Summary: CVE-2021-3456 smart\_proxy\_salt: unauthorized users can execute actions that s...

Keywords:

Status:

CLOSED NOTABUG

Alias:

CVE-2021-3456

Product:

Security Response

Classification:

Other

Component:

vulnerability

Sub Component:

Version:

unspecified

Hardware:

All

OS:

Linux

Priority:

medium

Severity:

medium

Target Milestone:

\---

Assignee:

Red Hat Product Security

QA Contact:

Docs Contact:

URL:

Whiteboard:

Depends On:

Blocks:

1940999 1941481

TreeView+

depends on / blocked

Reported:

2021-03-19 18:01 UTC by Yadnyawalk Tale

Modified:

2021-12-14 18:47 UTC (History)

CC List:

13 users (show)

Fixed In Version:

Doc Type:

\---

Doc Text:

An improper authorization handling flaw was found in Foreman. The Salt plugin for the smart-proxy allows foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenticated local attacker to access and delete limited resources and also causes a denial of service on the Foreman server. The highest threat from this vulnerability is to integrity and system availability.

Clone Of:

Environment:

Last Closed:

2021-03-30 11:35:14 UTC

  

Attachments

(Terms of Use)

Add an attachment (proposed patch, testcase, etc.)

  

Description Yadnyawalk Tale 2021-03-19 18:01:56 UTC

On Foreman, Salt plugin for smart-proxy introduce a flaw which allows any client to perform actions of Foreman Server.

Comment 1 Yadnyawalk Tale 2021-03-19 18:02:01 UTC

Acknowledgments:

Name: Evgeni Golov (Red Hat)
Upstream: Foreman project

Comment 2 Yadnyawalk Tale 2021-03-19 18:02:03 UTC

Statement:

Red Hat Satellite 6 does not ship smart\_proxy\_salt plugin which is affected by the vulnerability. This flaw affects upstream Foreman only.

Comment 4 Product Security DevOps Team 2021-03-30 11:35:14 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3456

Note You need to log in before you can comment on or make changes to this bug.

*   
*   
*   
*   
*   
*

CVE-2021-3456: unauthorized users can execute actions that should be reserved for foreman

A specially crafted TCP/IP packet may cause a camera recovery image telnet interface to crash. It may also cause a buffer overflow which could enable remote code execution. The recovery image can only be booted with administrative rights or with physical access to the camera and allows the upload of a new firmware in case of a damaged firmware.

**Advisory Information**

*   **Advisory ID:** BOSCH-SA-478243-BT
*   **CVE Numbers and CVSS v3.1 Scores:**
    *   CVE-2021-23847
        *   Base Score: 9.8 (Critical)
    *   CVE-2021-23848
        *   Base Score: 8.3 (High)
    *   CVE-2021-23852
        *   Base Score: 4.9 (Medium)
    *   CVE-2021-23853
        *   Base Score: 8.3 (High)
    *   CVE-2021-23854
        *   Base Score: 8.3 (High)
*   **Published:** 09 Jun 2021
*   **Last Updated:** 09 Jun 2021

**Summary**

Multiple vulnerabilities for Bosch IP cameras have been discovered in a Penetration Test from Kaspersky ICS CERT during a certification effort from Bosch.

Bosch rates these vulnerabilities with CVSSv3.1 base scores from 9.8 (Critical) to 4.9 (Medium), where the actual rating depends on the individual vulnerability and the final rating on the customer’s environment.

Customers are strongly advised to upgrade to the fixed versions.

These vulnerabilities were discovered by Alexander Nochvay and Andrey Muravitsky from Kaspersky ICS CERT.

**Affected Products**

*   Bosch CPP Firmware on: CPP4, CPP6, CPP7, CPP7.3, CPP13
    *   CVE-2021-23848
    *   CVE-2021-23852
    *   CVE-2021-23853
*   Bosch CPP Firmware 7.62 on: CPP6, CPP7, CPP7.3
    *   CVE-2021-23854
*   Bosch CPP Firmware 7.70 on: CPP6, CPP7, CPP7.3
    *   CVE-2021-23847
    *   CVE-2021-23854
*   Bosch CPP Firmware 7.72 on: CPP6, CPP7, CPP7.3
    *   CVE-2021-23847
    *   CVE-2021-23854
*   Bosch CPP Firmware 7.75 on: CPP13
    *   CVE-2021-23854
*   Bosch CPP Firmware 7.76 on: CPP13
    *   CVE-2021-23854
*   Bosch CPP Firmware < 7.80 B128 on: CPP6, CPP7, CPP7.3
    *   CVE-2021-23847

**Solution and Mitigations****Software Updates**

The recommended approach is to update the affected Bosch firmware to a fixed version. If an update is not possible in timely manner, users are recommended to follow the mitigations and workarounds described in the following section.

Platform

Affected/revoked firmware

Fixed firmware

CPP4

7.10

7.10.0095

CPP6

7.60, 7.61

7.62.0005

7.70, 7.80

7.80.0129

AVIOTEC

7.61, 7.72

7.72.0013

CPP7

7.60, 7.61

7.62.0005

7.70, 7.72, 7.80

7.80.0129

CPP7.3

7.60, 7.61, 7.62

7.62.0005

7.70, 7.72, 7.73, 7.80

7.80.0129

CPP13

7.75

7.75.0008

**Firewalling**

Disallowing connections from insecure networks to the camera by means of a firewall prevents the attacker from accessing the vulnerable interface.

**IP Filtering**

The camera has the possibility to whitelist networks or IP addresses to only allow access from trusted networks or IPs, preventing an attacker from accessing the camera.

**Using certificate based authentication**

To mitigate the critical vulnerability CVE-2021-23847, certificate based user authentication for the camera can be used as the SSL based authentication happens, before the vulnerable component can be accessed. This prevents an unauthenticated attacker from accessing the interface.

**Secure Configuration Environment**

It is advised to use a Bosch tool like the Configuration Manager to configure the camera, that does not allow for issues like XSS.

When using the web based configuration interface and currently being logged in as administrator, some security precautions can be taken to mitigate XSS vulnerabilities:

*   No other websites or email content should be opened as long as the session to the camera is active
    
*   No links should be clicked from an untrusted external source that link back to the camera.
    
*   Use a different browser than the system default browser to open a session to the camera as there is no XSS between browsers.
    
*   Always log out and/or close the browser (not only the tab) to clear any session data
    

**Vulnerability Details****CVE-2021-23847**

CVE description: A Missing Authentication in Critical Function in Bosch IP cameras allows an unauthenticated remote attacker to extract sensitive information or change settings of the camera by sending crafted requests to the device.

Only devices of the CPP6, CPP7 and CPP7.3 family with firmware 7.70, 7.72, and 7.80 prior to B128 are affected by this vulnerability. Versions 7.62 or lower and INTEOX cameras are not affected.

*   Problem Type:
    *   CWE-287 Improper Authentication
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    *   Base Score: 9.8 (Critical)

**CVE-2021-23848**

CVE description: An error in the URL handler may lead to a reflected cross site scripting (XSS) in the web-based interface. An attacker with knowledge of the camera address can send a crafted link to a user, which will execute javascript code in the context of the user.

*   Problem Type:
    *   CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
*   CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    *   Base Score: 8.3 (High)

**CVE-2021-23852**

CVE description: An authenticated attacker with administrator rights can call an URL with an invalid parameter that causes the camera to become unresponsive for a few seconds and cause a Denial of Service (DoS).

*   Problem Type:
    *   CWE-400 Uncontrolled Resource Consumption
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
    *   Base Score: 4.9 (Medium)

**CVE-2021-23853**

CVE description: Improper validation of the HTTP header allows an attacker to inject arbitrary HTTP headers through crafted URLs.

*   Problem Type:
    *   CWE-20 Improper Input Validation
*   CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    *   Base Score: 8.3 (High)

**CVE-2021-23854**

CVE description: An error in the handling of a page parameter may lead to a reflected cross site scripting (XSS) in the web-based interface.

This issue only affects versions 7.7x and 7.6x. All other versions are not affected.

*   Problem Type:
    *   CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
*   CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    *   Base Score: 8.3 (High)

**Remark**

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

**Additional Resources**

*   \[1\] Firmware Download Area: https://downloadstore.boschsecurity.com/index.php?type=FW

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

**Revision History**

*   09 Jun 2021: Correction of build version number of fixed firmware
*   09 Jun 2021: Initial Publication

**Appendix****Affected Plattforms and Cameras**

**CPP13**

*   AUTODOME inteox 7000i
    
*   MIC inteox 7100i
    

**CPP7.3**

*   AUTODOME IP 4000i
    
*   AUTODOME IP 5000i
    
*   AUTODOME IP starlight 5000i (IR)
    
*   AUTODOME IP starlight 7000i
    
*   DINION IP 3000i
    
*   DINION IP bullet 4000i
    
*   DINION IP bullet 5000
    
*   DINION IP bullet 5000i
    
*   DINION IP bullet 6000i
    
*   FLEXIDOME IP 3000i
    
*   FLEXIDOME IP 4000i
    
*   FLEXIDOME IP 5000i
    
*   FLEXIDOME IP starlight 5000i (IR)
    
*   FLEXIDOME IP starlight 8000i
    
*   MIC IP starlight 7000i
    
*   MIC IP starlight 7100i
    
*   MIC IP ultra 7100i
    
*   MIC IP fusion 9000i
    

**CPP7**

*   DINION IP starlight 6000
    
*   DINION IP starlight 7000
    
*   DINION IP thermal 8000
    
*   FLEXIDOME IP starlight 6000
    
*   FLEXIDOME IP starlight 7000
    
*   DINION IP thermal 9000 RM
    

**CPP6**

*   DINION IP starlight 8000 12MP
    
*   DINION IP ultra 8000 12MP
    
*   DINION IP ultra 8000 12MP with C/CS mount telephoto lens
    
*   FLEXIDOME IP panoramic 6000 12MP 180
    
*   FLEXIDOME IP panoramic 6000 12MP 360
    
*   FLEXIDOME IP panoramic 6000 12MP 180 IVA
    
*   FLEXIDOME IP panoramic 6000 12MP 360 IVA
    
*   FLEXIDOME IP panoramic 7000 12MP 180
    
*   FLEXIDOME IP panoramic 7000 12MP 360
    
*   FLEXIDOME IP panoramic 7000 12MP 180 IVA
    
*   FLEXIDOME IP panoramic 7000 12MP 360 IVA
    

**CPP4**

*   AUTODOME IP 4000 HD
    
*   AUTODOME IP 5000 HD
    
*   AUTODOME IP 5000 IR
    
*   AUTODOME 7000 series
    
*   DINION HD 1080p
    
*   DINION HD 1080p HDR
    
*   DINION HD 720p
    
*   DINION imager 9000 HD
    
*   DINION IP bullet 4000
    
*   DINION IP bullet 5000
    
*   DINION IP 4000 HD
    
*   DINION IP 5000 HD
    
*   DINION IP 5000 MP
    
*   DINION IP starlight 7000 HD
    
*   FLEXIDOME corner 9000 MP
    
*   FLEXIDOME HD 1080p
    
*   FLEXIDOME HD 1080p HDR
    
*   FLEXIDOME HD 720p
    
*   Vandal-proof FLEXIDOME HD 1080p
    
*   Vandal-proof FLEXIDOME HD 1080p HDR
    
*   Vandal-proof FLEXIDOME HD 720p
    
*   FLEXIDOME IP micro 2000 HD
    
*   FLEXIDOME IP micro 2000 IP
    
*   FLEXIDOME IP indoor 4000 HD
    
*   FLEXIDOME IP indoor 4000 IR
    
*   FLEXIDOME IP outdoor 4000 HD
    
*   FLEXIDOME IP outdoor 4000 IR
    
*   FLEXIDOME IP indoor 5000 HD
    
*   FLEXIDOME IP indoor 5000 MP
    
*   FLEXIDOME IP micro 5000 MP
    
*   FLEXIDOME IP outdoor 5000 HD
    
*   FLEXIDOME IP outdoor 5000 MP
    
*   FLEXIDOME IP panoramic 5000
    
*   IP bullet 4000 HD
    
*   IP bullet 5000 HD
    
*   IP micro 2000
    
*   IP micro 2000 HD
    
*   MIC IP dynamic 7000
    
*   MIC IP starlight 7000
    
*   TINYON IP 2000 family

CVE-2021-23850: Multiple vulnerabilities in Bosch IP cameras

Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2022-25598

SWHKD 1.1.5 unsafely uses the /tmp/swhkd.pid pathname. There can be an information leak or denial of service.

Thanks to @uncomfyhalomacro who packaged swhkd from open suse repos, a multitude of security vulnerabilities were discovered by @mgerstner which primarily arose due to my incompetence and lack of careful review of all pull requests. I apologize for this.

The following CVE's have been fixed in this release:

    CVE-2022-27815
    CVE-2022-27814
    CVE-2022-27819
    CVE-2022-27818
    CVE-2022-27816
    

Only CVE-2022-27817 remains as it is a genuinely difficult problem to solve for us right now. After a short conversation with Kenny Levinsen ( author of seatd ) we came to the conclusion that it's not possible to get access of a seat without complete control of the session hence any compositor which is launched after swhkd won't work. We can however get the fd's of the devices, release the seat, and then pass it along to evdev but that will require a complete application rewrite.

@mgerstner did suggest to try systemd context switching with elogind for supporting various inits. As far as I can tell this implementation will have a time complexity of O(2^n) so as the number of seats increase, swhkd will start to lag because there is a considerable amount of cold start to swhkd after which the application runs fine.

I'd also like to point out that the above solution will **NOT** be portable. Distributions that decide to not build elogind support into their init systems will not be able to run swhkd and hence it's not a path that I'd fancy even if it were to fix the problem.

For now CVE-2022-27817 will probably remain stale. For single user ( single seat ) systems swhkd will function just fine.

Tag

#dos