#ssl

Ubuntu Security Notice 6893-3 - It was discovered that a race condition existed in the Bluetooth subsystem in the Linux kernel when modifying certain settings values through debugfs. A privileged local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: AFS650, AFS660, AFS665, AFS670, AFS675, AFS677, AFR677 Vulnerabilities: Type Confusion, Use After Free, Double Free, Observable Discrepancy 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to create a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Hitachi Energy AFS/AFR are affected: AFS650: Version 9.1.08 and prior AFS660-C: Version 7.1.05 and prior AFS665-B: Version 7.1.05 and prior AFS670-V2: Version 7.1.05 and prior AFS670: Version 9.1.08 and prior AFS675: Version 9.1.08 and prior AFS677: Version 9.1.08 and prior AFR677: Version 9.1.08 and prior 3.2 Vulnerability Overview 3.2.1 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE ('TYPE CONFUSION') CWE-843 There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addr...

The initial onboarding stage is a crucial step for both employees and employers. However, this process often involves the practice of sharing temporary first-day passwords, which can expose organizations to security risks. Traditionally, IT departments have been cornered into either sharing passwords in plain text via email or SMS, or arranging in-person meetings to verbally communicate these

The code, the first of its kind, was used to sabotage a heating utility in Lviv at the coldest point in the year—what appears to be yet another innovation in Russia’s torment of Ukrainian civilians.

### Summary The issue here is that we pass the secret content as one of the args via CLI. This issue may affect any of our charms that are using: Juju (>=3.0), Juju secrets and not correctly capturing and processing `subprocess.CalledProcessError`. There are two points that may log this command, in different files: First, if there is an error during a secret handling, there will be a `subprocess.CalledProcessError`, which will contain the CLI comand + all its args. This is going to be logged in any logging level. This exception, if not caught by the charm, will bubble up to the `/var/log/juju/` logs and syslog journal. Now, on Ubuntu 22.04, these logs are protected with: ``` $ juju ssh -m controller 0 -- ls -la /var/log/juju/ total 224 drwxr-xr-x 2 syslog adm 4096 Jul 14 10:59 . drwxrwxr-x 9 root syslog 4096 Jul 14 10:58 .. -rw-r----- 1 syslog adm 20124 Jul 14 11:10 audit.log -rw-r----- 1 syslog adm 110432 Jul 14 11:10 logsink.log -rw-r----- 1 syslog adm 80783 Ju...

Previously, `MemBio::get_buf` called `slice::from_raw_parts` with a null-pointer, which violates the functions invariants, leading to undefined behavior. In debug builds this would produce an assertion failure. This is now fixed.

### Summary This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. ### Details The webhook server always listens to requests. By default, the endpoint doesn't require authentication. It's possible to send a large, malicious request with headers (in this case "X-GitHub-Event: push") that will make ArgoCD start allocating memory to parse the incoming request. Since the request can be constructed client-side without allocating large amounts of memory, it can be arbitrarily large. Eventually, the argocd-server component will get OOMKilled as it consumes all its available memory. The fix would be to enforce a limit on the size of the request being parsed. ### PoC Port-forward to the argocd-serve...

### Summary Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. ### Details DNS Messages are not authenticated. They do not guarantee that - received RRs are authentic - not received RRs do not exist - all or any received records in a response relate to the request Applications utilizing DNSSEC generally expect these guarantees to be met, however DNSSEC by itself only guarantees the first two. To meet the third guarantee, resolvers generally follow an (undocumented, as far as RFCs go) algorithm such as: (simplified, e.g. lacks DNSSEC validation!) 1. denote by `QNAME` the name you are querying (e.g. fraunhofer.de.), and initialize a list of aliases 2. if the ANSWER section contains a valid PTR RRSet for `QNAME`, return it (and optionally return the list of aliases as well) 3. if the ANSWER section contains a valid CNAME RRSet for `QNAME`, add it to the list of aliases. Set `QNAME` to the CNAME's ta...

This Metasploit module chains two vulnerabilities to achieve authenticated remote code execution against Softing Secure Integration Server version 1.22. In CVE-2022-1373, the restore configuration feature is vulnerable to a directory traversal vulnerability when processing zip files. When using the "restore configuration" feature to upload a zip file containing a path traversal file which is a dll called ..\..\..\..\..\..\..\..\..\..\..\Windows\System32\wbem\wbemcomn.dll. This causes the file C:\Windows\System32\wbem\wbemcomn.dll to be created and executed upon touching the disk. In CVE-2022-2334, the planted wbemcomn.dll is used in a DLL hijacking attack when Softing Secure Integration Server restarts upon restoring configuration, which allows us to execute arbitrary code on the target system. The chain demonstrated in Pwn2Own used a signature instead of a password. The signature was acquired by running an ARP spoofing attack against the local network where the Softing SIS server was ...

Adobe Commerce and Magento Open Source are affected by an XML injection vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction. Versions Affected include Adobe Commerce and Magento Open Source 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier. This exploit uses the arbitrary file reading aspect of the issue to impersonate a user.