Monthly Archives: September 2023

Advisories

ZDI-23-1342: Synology RT6600ax info.cgi Exposure of Sensitive Data Information Disclosure Vulnerability

Read Time:7 Second

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Synology RT6600ax routers. Authentication is not required to exploit this vulnerability.

Read More

Advisories

redis-7.2.1-1.fc39

Read Time:31 Second

FEDORA-2023-5a7cc198c2

Packages in this update:

redis-7.2.1-1.fc39

Update description:

Redis 7.2.1 Released Wed 06 Sep 2023 15:00:00 IDT

Upgrade urgency SECURITY: See security fixes below.

Security Fixes

(CVE-2023-41053) Redis does not correctly identify keys accessed by SORT_RO and,
as a result, may grant users executing this command access to keys that are not
explicitly authorized by the ACL configuration.

Bug Fixes

Fix crashes when joining a node to an existing 7.0 Redis Cluster (#12538)
Correct request_policy and response_policy command tips on for some admin /
configuration commands (#12545, #12530)

Read More

News

Smashing Security podcast #338: Catfishing services, bad sports, and another cockup

Read Time:22 Second

AI news is bad news, an online service to catch your cheating partner, and an IoT-enabled dick cage fails to keep a grip on its own security.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.

Plus don’t miss our featured interview with Alex Lawrence, principal security architect at Sysdig.

Read More

Advisories

USN-6351-1: Linux kernel (GKE) vulnerabilities

Read Time:1 Minute, 38 Second

It was discovered that the NTFS file system implementation in the Linux
kernel did not properly validate MFT flags in certain situations. An
attacker could use this to construct a malicious NTFS image that, when
mounted and operated on, could cause a denial of service (system crash).
(CVE-2022-48425)

Zi Fan Tan discovered that the binder IPC implementation in the Linux
kernel contained a use-after-free vulnerability. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2023-21255)

It was discovered that a race condition existed in the f2fs file system in
the Linux kernel, leading to a null pointer dereference vulnerability. An
attacker could use this to construct a malicious f2fs image that, when
mounted and operated on, could cause a denial of service (system crash).
(CVE-2023-2898)

It was discovered that the DVB Core driver in the Linux kernel did not
properly handle locking events in certain situations. A local attacker
could use this to cause a denial of service (kernel deadlock).
(CVE-2023-31084)

Yang Lan discovered that the GFS2 file system implementation in the Linux
kernel could attempt to dereference a null pointer in some situations. An
attacker could use this to construct a malicious GFS2 image that, when
mounted and operated on, could cause a denial of service (system crash).
(CVE-2023-3212)

It was discovered that the KSMBD implementation in the Linux kernel did not
properly validate buffer sizes in certain operations, leading to an out-of-
bounds read vulnerability. A remote attacker could use this to cause a
denial of service (system crash) or possibly expose sensitive information.
(CVE-2023-38426, CVE-2023-38428)

It was discovered that the KSMBD implementation in the Linux kernel did not
properly calculate the size of certain buffers. A remote attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2023-38429)

Read More