** DISPUTED ** Insecure folder permissions in the Windows installation path of Shibboleth Service Provider (SP) before 3.4.1 allow an unprivileged local attacker to escalate privileges to SYSTEM via DLL planting in the service executable's folder. This occurs because the installation goes under C:\opt (rather than C:\Program Files) by default. NOTE: the vendor disputes the significance of this report, stating that "We consider the ACLs a best effort thing" and "it was a documentation mistake."

**Missing VC runtime**

If you encounter errors during the install or upgrade process that indicate the system can't start the shibd daemon/service process, it's likely that the installer is failing to install the Visual C++ runtime libraries for some reason, and you may have to pre-install those manually. At some point Microsoft is planning to make it impractical for us to redistribute these files with the installer, at which point this workaround is probably going to be universal.

These links may break at some point, but for now the 32-bit and 64-bit runtimes can be found at:

*   https://aka.ms/vs/15/release/VC\_redist.x86.exe
    
*   https://aka.ms/vs/15/release/VC\_redist.x64.exe
    

The top-level link to find them is https://visualstudio.microsoft.com/downloads/ via Other Tools.

*   *   1.1 Missing VC runtime
*   2 Installation
    *   2.1 Restricting ACLs
*   3 Upgrades
*   4 Web Server Overview
    *   4.1 Installation with IIS
    *   4.2 Upgrades with IIS
    *   4.3 Installation with Apache
    *   4.4 Installation with Netscape/Sun/Oracle Java Web Server
    *   4.5 FastCGI Unsupported
*   5 Running the Installer
    *   5.1 Shibboleth Service
    *   5.2 Monitoring the Service
    *   5.3 Failure to Install
        *   5.3.1 Installing with no service start
        *   5.3.2 Starting the Shibboleth Service from the command line
        *   5.3.3 Windows batch file to run MSI installer by drag and drop
*   6 Source Builds
*   7 Initial Testing

**Installation**

The SP is available for Windows with modules for all the supported web servers. There is an installer available for the supported Windows Server versions, 2008 and above.

Earlier Windows and Service Pack versions are **not** usable as of V3.

Desktop versions of Windows that are of subsequent vintage will generally work but are not formally supported.

The Windows installer contains a fourth version field that indicates the patch level within a particular SP release. Initially 0, it will be incremented if patches to software included with but not part of the SP need to be updated (e.g., OpenSSL). Subsequent patch level installers will safely upgrade older versions and the ReleaseNotes will always document exactly what library versions are included in each release.

**Restricting ACLs**

Note that prior to V3.4.1, the installer did not adjust file system ACLs based on your install path. As of that version, we have added changes that are designed to provide full access to the administrative/system accounts and read access to the standard “Users” group (primarily for IIS).

Wherever you choose to install the software, you should consider reviewing and hardening the file and folder access to that location. Most of these folders and files should be read only. The daemon process runs by default as a system account and should already have the necessary access. You should if possible prevent all other access to the private key file(s) as those need not be readable by anything else, and you need not allow any writing of files, or creation of folders or files by any other users.

If you run your web server under a different user account (not a member of the Administrators or Users groups) you will need to adjust the rights if you limit read access, but the web server should not in general require any write access whatsoever to those folders or files, as in-process logging is now routed to the Event Log by default.

**Upgrades**

Upgrading to new releases is handled automatically when the MSI installer is used. The system prevents configuration files from being overwritten and skips "initial install" tasks like generating keys. The Shibboleth daemon is restarted by the package but you will need to restart the web server you're using yourself.

**Web Server Overview****Installation with IIS**

The plugin modules in support of IIS are always installed. If IIS itself is installed you will be prompted "Configure IIS7 module?".  Check this box to actually configure Shibboleth to run with IIS, in practice this can be done with two command.

See this topic for details.

In contrast to older versions, no older IIS6 compatibility tools are needed.

**Upgrades with IIS**

Existing installations configured to work with IIS will continue to do so, with the older ISAPI plugin updated. See this topic for more details, particularly to migrating to the newer plugin.

**Installation with Apache**

The versions of Apache available from the http://www.apachelounge.com/ web site are known to work with the modules that come with the SP package with no known restrictions.

Other versions might work, but they also might not work. Versions with significantly altered header files, such as IBM's or Oracle's will definitely not work unless you build the Shibboleth module from source.

Only Apache 2.2 and 2.4 are supported.

For more details on Apache see this topic.

**Installation with Netscape/Sun/Oracle Java Web Server**

An NSAPI module continues to be included as a transition tool for anybody still using it, but it is deprecated and we suggest moving off it as soon as possible.

**FastCGI Unsupported**

As of V3, we no longer provide modules for FastCGI on Windows due to lack of formal support for the underlying FastCGI library.

**Running the Installer**

The installer is run in the usual way and can be run without a UI.

The following properties can be set

Property

Description

KEYGEN_EXTRAS

Allows extra parameters to be passed to the keygen command used during installation. For instance,

1
msiexec /i shibboleth-sp-3.0.0-win64.msi KEYGEN_EXTRAS="-h newSP.department.univerity.edu"

allows the addition of a subjectAltName in the generated certificate.

ALWAYS_START_SERVICE

Set this to FALSE to prevent the installer from starting the shibd service. This can be useful to debug installations (see below).

**Shibboleth Service**

Once installation is complete, you'll need to run the Shibboleth daemon, shibd, at all times that the SP is in use. shibd is a console application that is usually installed as a Windows service.

*   To run the process in console mode for testing or to diagnose major problems, supply a -console parameter when running it.
    
*   If shibd won't start, use the -check option from the command line to echo most logging information to the console for debugging.
    

Other parameters can be used to install (or remove) shibd from the service database and subsequent control is generally via the Service Control Manager applet.

**Monitoring the Service**

Newer versions of Windows support automatic restart of failed services. We suggest using this feature to restart shibd when it fails. Although stability is good, maximum reliability will be achieved by monitoring the process.

**Failure to Install**

The most common reason for the installation failing is that the Shibboleth service (above) does not start correctly. First, refer to the note at the top of this page and rule that out. If that doesn't bear fruit, in order to debug this you can instruct the installer to **not** try to start the service by specifying that the  ALWAYS\_START\_SERVICE property contain the value FALSE.  Do this from the command line:

****Installing with no service start****

1
c:\> msiexec /i Installer.msi ALWAYS_START_SERVICE=FALSE

You can then use the -check option described above to debug why the service will not start. Usually the problem tends to be a DLL conflict with some existing copy of one of the libraries we ship, but we have generally worked around this risk by renaming all our libraries in ways that tend not to cause conflicts.

Once this is completed you can start the service manually.

****Starting the Shibboleth Service from the command line****

1
c:\> sc start shibd_default

In some situations attempting the installer may appear to do nothing when double-clicked, and if invoked with _msiexec /i_ on the command line may throw the error "This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package." If this occurs, a viable workaround has found to be to create a new .bat file containing the msi install command listed below, and then drag the downloaded msi onto it.

****Windows batch file to run MSI installer by drag and drop****

1
msiexec /i %1

**Source Builds**

We do not recommend this option, but we have a description of the process.

**Initial Testing**

CVE-2023-22947: Install on Windows - Service Provider 3

# Microsoft Security Advisory CVE-2023-21538: .NET Denial of Service Vulnerability

## <a name="executive-summary"></a>Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A denial of service vulnerability exists in .NET 6.0 where a malicious client could cause a stack overflow which may result in a denial of service attack when an attacker sends an invalid request to an exposed endpoint.
## Discussion

Discussion for this issue can be found at https://github.com/dotnet/runtime/issues/80449

### <a name="mitigation-factors"></a>Mitigation factors

Microsoft has not identified any mitigating factors for this vulnerability.

## <a name="affected-software"></a>Affected software

* Any .NET 6.0 application running on .NET 6.0.12 or earlier.

If your application uses the following package versions, ensure you update to the latest version of .NET.

### <a name=".NET 6"></a>.NET 6

Package name | Affected version | Patched version
------------ | ---------------- | -------------------------
[Microsoft.NetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-arm)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-arm64)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-arm)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-arm64)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-x64)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-x64)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.osx-arm64)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.osx-x64)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm64)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x64)|>= 6.0.0, < 6.0.12|6.0.13
[Microsoft.NetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x86)|>= 6.0.0, < 6.0.12|6.0.13

## Advisory FAQ

### <a name="how-affected"></a>How do I know if I am affected?

If you have a runtime or SDK with a version listed, or an affected package listed in [affected software](#affected-software), you're exposed to the vulnerability.

### <a name="how-fix"></a>How do I fix the issue?

* To fix the issue please install the latest version of .NET 6.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET  SDKs.
* If you have .NET Core 3.1 or greater installed, you can list the versions you have installed by running the `dotnet --info` command. You will see output like the following;
* If you are using one of the affected packages, please update to the patched version listed above. 

```
.NET Core SDK (reflecting any global.json):

 Version:   6.0.300
 Commit:    8473146e7d

Runtime Environment:

 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\6.0.300\

Host (useful for support):

  Version: 6.0.5
  Commit:  8473146e7d

.NET Core SDKs installed:

  6.0.300 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:

  Microsoft.AspNetCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download
```

* If you're using .NET 6.0, you should download and install Runtime 6.0.13 or SDK 6.0.113 (for Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/6.0.

.NET 6.0 and and .NET 7.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed [self-contained applications](https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd) targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

## Other Information

### Reporting Security Issues

If you have found a potential security issue in .NET 6.0 or .NET 7.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at <https://aka.ms/corebounty>.

### Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

### Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

### External Links

[CVE-2023-21538]( https://www.cve.org/CVERecord?id=CVE-2023-21538)

### Revisions

V1.0 (January 10, 2023): Advisory published.

_Version 1.0_

_Last Updated 2023-01-10_

**Microsoft Security Advisory CVE-2023-21538: .NET Denial of Service Vulnerability****Executive summary**

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A denial of service vulnerability exists in .NET 6.0 where a malicious client could cause a stack overflow which may result in a denial of service attack when an attacker sends an invalid request to an exposed endpoint.

**Discussion**

Discussion for this issue can be found at dotnet/runtime#80449

**Mitigation factors**

Microsoft has not identified any mitigating factors for this vulnerability.

**Affected software**

*   Any .NET 6.0 application running on .NET 6.0.12 or earlier.

If your application uses the following package versions, ensure you update to the latest version of .NET.

**.NET 6**

Package name

Affected version

Patched version

Microsoft.NetCore.App.Runtime.linux-arm

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.linux-arm64

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.linux-musl-arm

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.linux-musl-arm64

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.linux-musl-x64

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.linux-x64

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.osx-arm64

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.osx-x64

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.win-arm

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.win-arm64

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.win-x64

\>= 6.0.0, < 6.0.12

6.0.13

Microsoft.NetCore.App.Runtime.win-x86

\>= 6.0.0, < 6.0.12

6.0.13

**Advisory FAQ****How do I know if I am affected?**

If you have a runtime or SDK with a version listed, or an affected package listed in affected software, you're exposed to the vulnerability.

**How do I fix the issue?**

*   To fix the issue please install the latest version of .NET 6.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
*   If you have .NET Core 3.1 or greater installed, you can list the versions you have installed by running the dotnet --info command. You will see output like the following;
*   If you are using one of the affected packages, please update to the patched version listed above.

    .NET Core SDK (reflecting any global.json):
    
     Version:   6.0.300
     Commit:    8473146e7d
    
    Runtime Environment:
    
     OS Name:     Windows
     OS Version:  10.0.18363
     OS Platform: Windows
     RID:         win10-x64
     Base Path:   C:\Program Files\dotnet\sdk\6.0.300\
    
    Host (useful for support):
    
      Version: 6.0.5
      Commit:  8473146e7d
    
    .NET Core SDKs installed:
    
      6.0.300 [C:\Program Files\dotnet\sdk]
    
    .NET Core runtimes installed:
    
      Microsoft.AspNetCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
      Microsoft.NETCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
      Microsoft.WindowsDesktop.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
    
    To install additional .NET Core runtimes or SDKs:
      https://aka.ms/dotnet-download
    

*   If you're using .NET 6.0, you should download and install Runtime 6.0.13 or SDK 6.0.113 (for Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/6.0.

.NET 6.0 and and .NET 7.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

**Other Information****Reporting Security Issues**

If you have found a potential security issue in .NET 6.0 or .NET 7.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

**Support**

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

**Disclaimer**

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

**External Links**

CVE-2023-21538

**Revisions**

V1.0 (January 10, 2023): Advisory published.

_Version 1.0_

_Last Updated 2023-01-10_

**References**

*   GHSA-8f7f-vqg5-jrv9
*   https://nvd.nist.gov/vuln/detail/CVE-2023-21538

GHSA-8f7f-vqg5-jrv9: .NET Denial of Service Vulnerability

Microsoft's January 2023 Patch Tuesday security update contains fixes for bugs in multiple products. Here's what you need to patch now.

Microsoft's first security update for 2023 contained patches for a whopping 98 vulnerabilities, including one that attackers are actively exploiting and another that is publicly known but has not been exploited yet.

Microsoft identified 11 of the vulnerabilities it disclosed today as being of "critical" severity, meaning organizations using affected products need to prioritize these flaws before addressing the other ones. It rated the remaining 87 as "Important," which is a rating the company uses to describe vulnerabilities that, if exploited, could compromise the confidentiality, integrity, or availability of user data but are often not remotely executable or requires some level of user interaction.

**Bugs in Frequently Attacked Products**

Several of the vulnerabilities in the January 2023 security update affect products that are favorite attacker targets. Five of them, for instance, impact Microsoft Exchange Server and three — including one of the most severe flaws in this month's update — are in SharePoint.

"The volume is definitely concerning, especially given the Exchange patches and SharePoint updates," says Dustin Childs, communication manager for Trend Micro's Zero Day Initiative (ZDI) which reported 25 of the bugs that Microsoft closed today. "These are common targets — and targets that often don’t get patched," he notes. "There are also updates submitted by the National Security Agency and Canada’s Communications Security Establishment. That may raise an eyebrow or two."

Multiple security researchers identified a Microsoft SharePoint Server security feature bypass vulnerability CVE-2023-21743 as one that organizations need to jump on right away because of the risk it presents. The bug allows an unauthenticated attacker to bypass authentication and make an anonymous connection to an affected SharePoint server. One complicating factor with the vulnerability for enterprise security teams is that patching alone is not sufficient to mitigate the threat it presents. In addition, they also need to trigger a SharePoint upgrade, which Microsoft has included in this month's security update to protect against exploit activity, Microsoft said.

"This is not a 'patch it and move on' sort of bug," Childs says. "To fully address this vulnerability, admins need to take additional steps as outlined in the update documentation."

**Zero-Day Bug in Windows ALPC**

Another high-priority vulnerability in the January 2023 update is CVE-2023-21674, an actively exploited bug in Windows Advanced Local Procedure Call (ALPC) that allows an attacker to elevate privileges on a compromised system. The zero-day vulnerability impacts all Windows OS versions and could allow an attacker to escape a browser sandbox and gain system level privileges, Microsoft said.

Satnam Narang, senior staff research engineer at Tenable, says that while full details of the bug are not available, it's possible that attackers likely chained the vulnerability with a flaw in a Chromium-based browser or Microsoft Edge to break out of a browser sandbox and gain full system access. 

"Because of the improvements made in browser security, traditional browser exploits by themselves are limited by sandbox technology, restricting an attacker's ability to access the underlying operating system," Narang tells Dark Reading. He says it is likely that an advanced persistent threat group discovered and exploited the vulnerability as part of a targeted attack.

Microsoft described one of the bugs it addressed this month as publicly known but not exploited. The vulnerability, tracked as CVE-2023-21549, exists on the Windows SMB Witness Service and allows an attacker to execute remote procedure call functions normally restricted to privileged accounts only. Microsoft has assigned a score of 8.8 to the vulnerability even though it has assessed the bug as less likely to be exploited.

**A Flood of Privilege-Escalation Flaws**

Two of the 25 bugs that ZDI reported — and which Microsoft patched this month — were Exchange Server elevation-of-privilege vulnerabilities (CVE-2023-21763 and CVE-2023-21764) that resulted from a failed patch for a previous elevation of privilege flaw in Exchange tracked as CVE-2022-41123. "Thanks to the use of a hard-coded path, a local attacker could load their own DLL and execute code at the level of SYSTEM," Childs says.

In total, 39 of the bugs that Microsoft addressed in its latest update enable elevation of privileges, a category of flaw that the company often has rated as being less severe than RCE bugs. This, however, does not mean that organizations can put off addressing them. "Despite their lower score, these vulnerabilities are typically seen in the early stages of an attack and blocking attackers from gaining SYSTEM or domain-level access early in the kill chain can slow down attackers," said Kev Breen, director of cyber-threat research at Immersive Labs in a statement.

Several of the elevation of privilege bugs in the January update affect the Windows Kernel. Among them are CVE-2023-21772, CVE-2023-21750, CVE-2023-21675 and CVE-2023-21773. "The potential risk from these vulnerabilities is high since they affect all devices that run any Windows OS, starting from Windows 7," security vendor Action1 said. Seven of the privilege escalation bugs have low complexity and require low privileges and no user interaction, meaning they are easy to attack, Action1 said.

Other bugs that security researchers identified as being of high priority in Microsoft's January 2023 security update include CVE-2023-21762 and CVE-2023-21745, both of which are spoofing vulnerabilities in Microsoft Exchange Server. "Email servers like Exchange are high-value targets for attackers, as they can allow an attacker to gain sensitive information through reading emails, or to facilitate Business Email Compromise style attacks," Breen said. Organizations need to be aware of the risks that such bugs preset and mitigate them, he added.

Microsoft also updated its previous guidance around the recent use of Microsoft-signed drivers in malicious campaigns by cybercriminals. The guidance now includes a block list that blocks attackers from using the compromised certificate in their environment. For their recommended actions, the company said, "Microsoft recommends that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks."

98 Patches: Microsoft Greets New Year With Zero-Day Security Fixes

Microsoft today released updates to fix nearly 100 security flaws in its Windows operating systems and other software. Highlights from the first Patch Tuesday of 2023 include a zero-day vulnerability in Windows, printer software flaws reported by the U.S. National Security Agency, and a critical Microsoft SharePoint Server bug that allows a remote, unauthenticated attacker to make an anonymous connection.

**Microsoft** today released updates to fix nearly 100 security flaws in its **Windows** operating systems and other software. Highlights from the first **Patch Tuesday** of 2023 include a zero-day vulnerability in Windows, printer software flaws reported by the **U.S. National Security Agency**, and a critical **Microsoft SharePoint Server** bug that allows a remote, unauthenticated attacker to make an anonymous connection.

At least 11 of the patches released today are rated “Critical” by Microsoft, meaning they could be exploited by malware or malcontents to seize remote control over vulnerable Windows systems with little or no help from users.

Of particular concern for organizations running **Microsoft SharePoint Server** is CVE-2023-21743. This is a Critical security bypass flaw that could allow a remote, unauthenticated attacker to make an anonymous connection to a vulnerable SharePoint server. Microsoft says this flaw is “more likely to be exploited” at some point.

But patching this bug may not be as simple as deploying Microsoft updates. **Dustin Childs**, head of threat awareness at **Trend Micro’s Zero Day Initiative**, said sysadmins need to take additional measures to be fully protected from this vulnerability.

“To fully resolve this bug, you must also trigger a SharePoint upgrade action that’s also included in this update,” Childs said. “Full details on how to do this are in the bulletin. Situations like this are why people who scream ‘Just patch it!’ show they have never actually had to patch an enterprise in the real world.”

Eighty-seven of the vulnerabilities earned Redmond’s slightly less dire “Important” severity rating. That designation describes vulnerabilities “whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”

Among the more Important bugs this month is CVE-2023-21674, which is an “elevation of privilege” weakness in most supported versions of Windows that has already been abused in active attacks.

**Satnam Narang**, senior staff research engineer at **Tenable**, said although details about the flaw were not available at the time Microsoft published its advisory on Patch Tuesday, it appears this was likely chained together with a vulnerability in a Chromium-based browser such as Google Chrome or Microsoft Edge in order to break out of a browser’s sandbox and gain full system access.

“Vulnerabilities like CVE-2023-21674 are typically the work of advanced persistent threat (APT) groups as part of targeted attacks,” Narang said. “The likelihood of future widespread exploitation of an exploit chain like this is limited due to auto-update functionality used to patch browsers.”

By the way, when was the last time you completely closed out your Web browser and restarted it? Some browsers will automatically download and install new security updates, but the protection from those updates usually only happens after you restart the browser.

Speaking of APT groups, the U.S. National Security Agency is credited with reporting CVE-2023-21678, which is another “important” vulnerability in the Windows Print Spooler software.

There have been so many vulnerabilities patched in Microsoft’s printing software over the past year (including the dastardly PrintNightmare attacks and borked patches) that KrebsOnSecurity has joked about Patch Tuesday reports being sponsored by Print Spooler. Tenable’s Narang points out that this is the third Print Spooler flaw the NSA has reported in the last year.

**Kevin Breen** at **Immersive Labs** called special attention to CVE-2023-21563, which is a security feature bypass in **BitLocker**, the data and disk encryption technology built into enterprise versions of Windows.

“For organizations that have remote users, or users that travel, this vulnerability may be of interest,” Breen said. “We rely on BitLocker and full-disk encryption tools to keep our files and data safe in the event a laptop or device is stolen. While information is light, this appears to suggest that it could be possible for an attacker to bypass this protection and gain access to the underlying operating system and its contents. If security teams are not able to apply this patch, one potential mitigation could be to ensure Remote Device Management is deployed with the ability to remotely disable and wipe assets.”

There are also two **Microsoft Exchange** vulnerabilities patched this month — CVE-2023-21762 and CVE-2023-21745. Given the rapidity with which threat actors exploit new Exchange bugs to steal corporate email and infiltrate vulnerable systems, organizations using Exchange should patch immediately. Microsoft’s advisory says these Exchange flaws are indeed “more likely to be exploited.”

**Adobe** released four patches addressing 29 flaws in **Adobe Acrobat** and **Reader**, **InDesign**, **InCopy**, and **Adobe Dimension**. The update for Reader fixes 15 bugs with eight of these being ranked Critical in severity (allowing arbitrary code execution if an affected system opened a specially crafted file).

For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. Nearly 100 updates is a lot, and there are bound to be a few patches that cause problems for organizations and end users. When that happens, AskWoody.com usually has the lowdown.

Please consider backing up your data and/or imaging your system before applying any updates. And please sound off in the comments if you experience any problems as a result of these patches.

Microsoft Patch Tuesday, January 2023 Edition

A use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was found. It could be triggered by yanking out a device that is running the gadgetfs side.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[<thread-prev\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 14 Dec 2022 23:22:38 +0800
From: Gerald Lee <sundaywind2004@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Linux Kernel: usb: A use-after-free Write in put\_dev

This was assigned CVE-2022-4382.

=\*=\*=\*=\*=\*=\*=\*=\*=     CREDIT     =\*=\*=\*=\*=\*=\*=\*=\*=

Zhixin Li from Zero-one Security <sundaywind2004@...il.com>


Thanks.


On Tue, Dec 13, 2022 at 2:53 PM Gerald Lee <sundaywind2004@...il.com> wrote:
>
> Hi all,
>
> =\*=\*=\*=\*=\*=\*=\*=\*=   BUG DETAILS  =\*=\*=\*=\*=\*=\*=\*=\*=
>
> This use-after-free violation is caused by a race among the superblock
> operations in the gadgetfs driver. The vulnerability may not be a big
> deal, because the normal user can't execute umount. It could be
> triggered by yanking out a device that is running the gadgetfs side,
> but I don't know how to do that.
>
> C repro is attached.
>
> =\*=\*=\*=\*=\*=\*=\*=\*=     BACKTRACE     =\*=\*=\*=\*=\*=\*=\*=\*=
> BUG: KASAN: use-after-free in instrument\_atomic\_read\_write
> include/linux/instrumented.h:102 \[inline\]
> BUG: KASAN: use-after-free in atomic\_fetch\_sub\_release
> include/linux/atomic/atomic-instrumented.h:176 \[inline\]
> BUG: KASAN: use-after-free in \_\_refcount\_sub\_and\_test
> include/linux/refcount.h:272 \[inline\]
> BUG: KASAN: use-after-free in \_\_refcount\_dec\_and\_test
> include/linux/refcount.h:315 \[inline\]
> BUG: KASAN: use-after-free in refcount\_dec\_and\_test
> include/linux/refcount.h:333 \[inline\]
> BUG: KASAN: use-after-free in put\_dev+0x22/0xd0
> drivers/usb/gadget/legacy/inode.c:159
> Write of size 4 at addr ffff8880436d2040 by task syz-executor.5/7587
>
> CPU: 1 PID: 7587 Comm: syz-executor.5 Not tainted 6.1.0-rc7 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.13.0-1ubuntu1.1 04/01/2014
> Call Trace:
>  <TASK>
>  \_\_dump\_stack lib/dump\_stack.c:88 \[inline\]
>  dump\_stack\_lvl+0xd1/0x138 lib/dump\_stack.c:106
>  print\_address\_description mm/kasan/report.c:284 \[inline\]
>  print\_report+0x15e/0x45d mm/kasan/report.c:395
>  kasan\_report+0xbf/0x1f0 mm/kasan/report.c:495
>  check\_region\_inline mm/kasan/generic.c:183 \[inline\]
>  kasan\_check\_range+0x141/0x190 mm/kasan/generic.c:189
>  instrument\_atomic\_read\_write include/linux/instrumented.h:102 \[inline\]
>  atomic\_fetch\_sub\_release
> include/linux/atomic/atomic-instrumented.h:176 \[inline\]
>  \_\_refcount\_sub\_and\_test include/linux/refcount.h:272 \[inline\]
>  \_\_refcount\_dec\_and\_test include/linux/refcount.h:315 \[inline\]
>  refcount\_dec\_and\_test include/linux/refcount.h:333 \[inline\]
>  put\_dev+0x22/0xd0 drivers/usb/gadget/legacy/inode.c:159
>  gadgetfs\_kill\_sb+0x2e/0x60 drivers/usb/gadget/legacy/inode.c:2086
>  deactivate\_locked\_super+0x98/0x160 fs/super.c:332
>  vfs\_get\_super fs/super.c:1190 \[inline\]
>  get\_tree\_single+0x188/0x1d0 fs/super.c:1207
>  vfs\_get\_tree+0x8d/0x2f0 fs/super.c:1531
>  vfs\_fsconfig\_locked fs/fsopen.c:232 \[inline\]
>  \_\_do\_sys\_fsconfig+0x8d6/0xc20 fs/fsopen.c:439
>  do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]
>  do\_syscall\_64+0x39/0xb0 arch/x86/entry/common.c:80
>  entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
> RIP: 0033:0x7f8d5129078d
> Code: c3 e8 17 32 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48
> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f8d52024bd8 EFLAGS: 00000246 ORIG\_RAX: 00000000000001af
> RAX: ffffffffffffffda RBX: 00007f8d513cbf80 RCX: 00007f8d5129078d
> RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003
> RBP: 00007f8d512feb02 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007ffd48293eff R14: 00007ffd48294090 R15: 00007f8d52024d80
>  </TASK>
>
> Allocated by task 7561:
>  kasan\_save\_stack+0x22/0x40 mm/kasan/common.c:45
>  kasan\_set\_track+0x25/0x30 mm/kasan/common.c:52
>  \_\_\_\_kasan\_kmalloc mm/kasan/common.c:371 \[inline\]
>  \_\_\_\_kasan\_kmalloc mm/kasan/common.c:330 \[inline\]
>  \_\_kasan\_kmalloc+0xa5/0xb0 mm/kasan/common.c:380
>  kmalloc include/linux/slab.h:553 \[inline\]
>  kzalloc include/linux/slab.h:689 \[inline\]
>  dev\_new drivers/usb/gadget/legacy/inode.c:170 \[inline\]
>  gadgetfs\_fill\_super+0x1e4/0x460 drivers/usb/gadget/legacy/inode.c:2041
>  vfs\_get\_super fs/super.c:1169 \[inline\]
>  get\_tree\_single+0xd6/0x1d0 fs/super.c:1207
>  vfs\_get\_tree+0x8d/0x2f0 fs/super.c:1531
>  vfs\_fsconfig\_locked fs/fsopen.c:232 \[inline\]
>  \_\_do\_sys\_fsconfig+0x8d6/0xc20 fs/fsopen.c:439
>  do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]
>  do\_syscall\_64+0x39/0xb0 arch/x86/entry/common.c:80
>  entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
>
> Last potentially related work creation:
>  kasan\_save\_stack+0x22/0x40 mm/kasan/common.c:45
>  \_\_kasan\_record\_aux\_stack+0xbc/0xd0 mm/kasan/generic.c:481
>  call\_rcu+0x9d/0x820 kernel/rcu/tree.c:2798
>  pwq\_unbound\_release\_workfn+0x26b/0x340 kernel/workqueue.c:3736
>  process\_one\_work+0x9bf/0x1710 kernel/workqueue.c:2289
>  worker\_thread+0x669/0x1090 kernel/workqueue.c:2436
>  kthread+0x2e8/0x3a0 kernel/kthread.c:376
>  ret\_from\_fork+0x1f/0x30 arch/x86/entry/entry\_64.S:306
>
> Second to last potentially related work creation:
>  kasan\_save\_stack+0x22/0x40 mm/kasan/common.c:45
>  \_\_kasan\_record\_aux\_stack+0xbc/0xd0 mm/kasan/generic.c:481
>  call\_rcu+0x9d/0x820 kernel/rcu/tree.c:2798
>  pwq\_unbound\_release\_workfn+0x26b/0x340 kernel/workqueue.c:3736
>  process\_one\_work+0x9bf/0x1710 kernel/workqueue.c:2289
>  worker\_thread+0x669/0x1090 kernel/workqueue.c:2436
>  kthread+0x2e8/0x3a0 kernel/kthread.c:376
>  ret\_from\_fork+0x1f/0x30 arch/x86/entry/entry\_64.S:306
>
> The buggy address belongs to the object at ffff8880436d2000
>  which belongs to the cache kmalloc-1k of size 1024
> The buggy address is located 64 bytes inside of
>  1024-byte region \[ffff8880436d2000, ffff8880436d2400)
>
> The buggy address belongs to the physical page:
> page:ffffea00010db400 refcount:1 mapcount:0 mapping:0000000000000000
> index:0x0 pfn:0x436d0
> head:ffffea00010db400 order:3 compound\_mapcount:0 compound\_pincount:0
> flags: 0x4fff00000010200(slab|head|node=1|zone=1|lastcpupid=0x7ff)
> raw: 04fff00000010200 dead000000000100 dead000000000122 ffff888012041dc0
> raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
> page\_owner tracks the page as allocated
> page last allocated via order 3, migratetype Unmovable, gfp\_mask
> 0x52a20(GFP\_ATOMIC|\_\_GFP\_NOWARN|\_\_GFP\_NORETRY|\_\_GFP\_COMP), pid 6599,
> tgid 6599 (syz-executor.0), ts 29294571719, free\_ts 29285126043
>  prep\_new\_page mm/page\_alloc.c:2539 \[inline\]
>  get\_page\_from\_freelist+0x10b5/0x2d50 mm/page\_alloc.c:4291
>  \_\_alloc\_pages+0x1cb/0x5b0 mm/page\_alloc.c:5558
>  alloc\_pages+0x1aa/0x270 mm/mempolicy.c:2285
>  alloc\_slab\_page mm/slub.c:1794 \[inline\]
>  allocate\_slab+0x213/0x300 mm/slub.c:1939
>  new\_slab mm/slub.c:1992 \[inline\]
>  \_\_\_slab\_alloc+0xa9b/0x13e0 mm/slub.c:3180
>  \_\_slab\_alloc.constprop.0+0x56/0xa0 mm/slub.c:3279
>  slab\_alloc\_node mm/slub.c:3364 \[inline\]
>  \_\_kmem\_cache\_alloc\_node+0x199/0x3e0 mm/slub.c:3437
>  kmalloc\_trace+0x26/0x60 mm/slab\_common.c:1045
>  kmalloc include/linux/slab.h:553 \[inline\]
>  kzalloc include/linux/slab.h:689 \[inline\]
>  batadv\_hardif\_add\_interface net/batman-adv/hard-interface.c:864 \[inline\]
>  batadv\_hard\_if\_event+0x8a1/0x1450 net/batman-adv/hard-interface.c:952
>  notifier\_call\_chain+0xb5/0x200 kernel/notifier.c:87
>  call\_netdevice\_notifiers\_info+0xb5/0x130 net/core/dev.c:1945
>  call\_netdevice\_notifiers\_extack net/core/dev.c:1983 \[inline\]
>  call\_netdevice\_notifiers net/core/dev.c:1997 \[inline\]
>  register\_netdevice+0x10bf/0x1670 net/core/dev.c:10090
>  veth\_newlink+0x4d1/0x990 drivers/net/veth.c:1795
>  rtnl\_newlink\_create net/core/rtnetlink.c:3364 \[inline\]
>  \_\_rtnl\_newlink+0x1084/0x17e0 net/core/rtnetlink.c:3581
>  rtnl\_newlink+0x68/0xa0 net/core/rtnetlink.c:3594
>  rtnetlink\_rcv\_msg+0x43e/0xca0 net/core/rtnetlink.c:6091
> page last free stack trace:
>  reset\_page\_owner include/linux/page\_owner.h:24 \[inline\]
>  free\_pages\_prepare mm/page\_alloc.c:1459 \[inline\]
>  free\_pcp\_prepare+0x65c/0xd90 mm/page\_alloc.c:1509
>  free\_unref\_page\_prepare mm/page\_alloc.c:3387 \[inline\]
>  free\_unref\_page+0x1d/0x4d0 mm/page\_alloc.c:3483
>  qlink\_free mm/kasan/quarantine.c:168 \[inline\]
>  qlist\_free\_all+0x6a/0x170 mm/kasan/quarantine.c:187
>  kasan\_quarantine\_reduce+0x184/0x210 mm/kasan/quarantine.c:294
>  \_\_kasan\_slab\_alloc+0x66/0x90 mm/kasan/common.c:302
>  kasan\_slab\_alloc include/linux/kasan.h:201 \[inline\]
>  slab\_post\_alloc\_hook mm/slab.h:737 \[inline\]
>  slab\_alloc\_node mm/slub.c:3398 \[inline\]
>  \_\_kmem\_cache\_alloc\_node+0x2e2/0x3e0 mm/slub.c:3437
>  kmalloc\_trace+0x26/0x60 mm/slab\_common.c:1045
>  kmalloc include/linux/slab.h:553 \[inline\]
>  kzalloc include/linux/slab.h:689 \[inline\]
>  kset\_create lib/kobject.c:937 \[inline\]
>  kset\_create\_and\_add+0x4f/0x1a0 lib/kobject.c:980
>  register\_queue\_kobjects net/core/net-sysfs.c:1766 \[inline\]
>  netdev\_register\_kobject+0x1ca/0x400 net/core/net-sysfs.c:2019
>  register\_netdevice+0xd99/0x1670 net/core/dev.c:10057
>  \_\_ip\_tunnel\_create+0x398/0x570 net/ipv4/ip\_tunnel.c:267
>  ip\_tunnel\_init\_net+0x2ec/0x9f0 net/ipv4/ip\_tunnel.c:1073
>  ops\_init+0xb9/0x680 net/core/net\_namespace.c:135
>  setup\_net+0x5d1/0xc50 net/core/net\_namespace.c:332
>  copy\_net\_ns+0x31c/0x760 net/core/net\_namespace.c:478
>  create\_new\_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
>
> Memory state around the buggy address:
>  ffff8880436d1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff8880436d1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >ffff8880436d2000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                                            ^
>  ffff8880436d2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  ffff8880436d2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
>
> =\*=\*=\*=\*=\*=\*=\*=\*=     PATCH     =\*=\*=\*=\*=\*=\*=\*=\*=
>
> The patch has been done by Alan Stern, and it can be found here:
> https://lore.kernel.org/linux-usb/Y5dV11OoM3ojxNHy@rowland.harvard.edu/
>
> Thanks.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-4382: security - Re: Linux Kernel: usb: A use-after-free Write in put_dev

Windows Bluetooth Driver Elevation of Privilege Vulnerability

CVE-2023-21739

Windows Bluetooth Driver Elevation of Privilege Vulnerability.

Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability. This CVE ID is unique from CVE-2023-21677, CVE-2023-21758.

CVE-2023-21683

Windows Malicious Software Removal Tool Elevation of Privilege Vulnerability.

CVE-2023-21725

Windows Point-to-Point Protocol (PPP) Information Disclosure Vulnerability.

Tag

#windows