USN-6415-1: Linux kernel (OEM) vulnerabilities

Daniel Trujillo, Johannes Wikner, and Kaveh Razavi discovered that some AMD
processors utilising speculative execution and branch prediction may allow
unauthorised memory reads via a speculative side-channel attack. A local
attacker could use this to expose sensitive information, including kernel
memory. (CVE-2023-20569)

Ivan D Barrera, Christopher Bednarz, Mustafa Ismail, and Shiraz Saleem
discovered that the InfiniBand RDMA driver in the Linux kernel did not
properly check for zero-length STAG or MR registration. A remote attacker
could possibly use this to execute arbitrary code. (CVE-2023-25775)

It was discovered that the USB subsystem in the Linux kernel contained a
race condition while handling device descriptors in certain situations,
leading to an out-of-bounds read vulnerability. A local attacker could
possibly use this to cause a denial of service (system crash).
(CVE-2023-37453)

Lin Ma discovered that the Netlink Transformation (XFRM) subsystem in the
Linux kernel contained a null pointer dereference vulnerability in some
situations. A local privileged attacker could use this to cause a denial of
service (system crash). (CVE-2023-3772)

Lin Ma discovered that the Netlink Transformation (XFRM) subsystem in the
Linux kernel did not properly initialize a policy data structure, leading
to an out-of-bounds vulnerability. A local privileged attacker could use
this to cause a denial of service (system crash) or possibly expose
sensitive information (kernel memory). (CVE-2023-3773)

Kyle Zeng discovered that the netfilter subsystem in the Linux kernel did
not properly calculate array offsets, leading to an out-of-bounds write
vulnerability. A local user could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-42753)

Bing-Jhong Billy Jheng discovered that the Unix domain socket
implementation in the Linux kernel contained a race condition in certain
situations, leading to a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2023-4622)

Budimir Markovic discovered that the qdisc implementation in the Linux
kernel did not properly validate inner classes, leading to a use-after-free
vulnerability. A local user could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-4623)

CVE-2023-40044: Progress Software WS_FTP Server Insecure Deserialization Vulnerability

What is Progress Software WS_FTP?

WS_FTP is a secure file transfer client and server software package from Ipswitch, which is now a part of Progress Software.

What is the Attack?

CVE-2023-40044 is a .NET deserialization vulnerability that affects WS_FTP Server versions prior to 8.7.4 and 8.8.2 with the Ad Hoc Transfer module installed. Successful exploitation of the vulnerability allows unauthenticated attackers to remotely execute commands on the underlying operating system via a specially crafted HTTP request.

CVE-2023-40044 has a CVSS score of 10 (maximum score) and is rated “critical” by Progress Software.

Why is this Significant?

This is significant because CVE-2023-40044 is reportedly being exploited in the wild. With proof-of-concept (PoC) code publicly available, attacks that leverage the vulnerability are expected to increase.

FortiGuard Labs recommends that users of vulnerable WS_FTP servers apply the patch as soon as possible.

What is the Vendor Solution?

Progress Software released a patch for CVE-2023-40044 on September 27, 2023.

Progress Software also published patches for other WS_FTP vulnerabilities, including one other critical security bug (CVE-2023-42657), in the same release.

What FortiGuard Coverage is available?

FortiGuard Labs is currently investigating coverage feasibility and will update this Threat Signal once relevant information becomes available.

thunderbird-115.3.1-1.fc38

FEDORA-2023-1f5f7b9b92

Packages in this update:

thunderbird-115.3.1-1.fc38

Update description:

Rebase / Update to 115.3.1

https://www.thunderbird.net/en-US/thunderbird/115.0/whatsnew/
https://support.mozilla.org/en-US/kb/thunderbird-115-supernova-faq
https://www.thunderbird.net/en-US/thunderbird/115.2.3/releasenotes/
https://www.thunderbird.net/en-US/thunderbird/115.3.0/releasenotes/
https://www.thunderbird.net/en-US/thunderbird/115.3.1/releasenotes/

USN-6413-1: GNU binutils vulnerabilities

It was discovered that GNU binutils was not properly performing checks
when dealing with memory allocation operations, which could lead to
excessive memory consumption. An attacker could possibly use this issue
to cause a denial of service. This issue only affected Ubuntu 14.04 LTS.
(CVE-2017-17122, CVE-2017-8421)

It was discovered that GNU binutils was not properly performing bounds
checks when processing debug sections with objdump, which could lead to
an overflow. An attacker could possibly use this issue to cause a denial
of service or execute arbitrary code. This issue only affected Ubuntu
14.04 LTS. (CVE-2018-20671, CVE-2018-6543)

It was discovered that GNU binutils contained a reachable assertion, which
could lead to an intentional assertion failure when processing certain
crafted DWARF files. An attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 18.04 LTS.
(CVE-2022-35205)

It was discovered that GNU binutils incorrectly handled memory management
operations in several of its functions, which could lead to excessive
memory consumption due to memory leaks. An attacker could possibly use
these issues to cause a denial of service.
(CVE-2022-47007, CVE-2022-47008, CVE-2022-47010, CVE-2022-47011)

It was discovered that GNU binutils was not properly performing bounds
checks when dealing with memory allocation operations, which could lead
to excessive memory consumption. An attacker could possibly use this issue
to cause a denial of service. (CVE-2022-48063)

CVE-2022-36277

The ‘sReferencia’, ‘sDescripcion’, ‘txtCodigo’ and ‘txtDescripcion’ parameters, in the frmGestionStock.aspx and frmEditServicio.aspx files in TCMAN GIM v8.0.1, could allow an attacker to perform persistent XSS attacks.

CVE-2022-36276

TCMAN GIM v8.0.1 is vulnerable to a SQL injection via the ‘SqlWhere’ parameter inside the function ‘BuscarESM’. The exploitation of this vulnerability might allow a remote attacker to directly interact with the database.

CVE-2021-3784

Garuda Linux performs insecure user creation and authentication that allows any user to impersonate the created account. When a user is created from the ‘Garuda settings manager’, an insecure procedure leaves the new account without an assigned password for a few seconds. A potential attacker could exploit this window to authenticate as that account without knowing the password.