CyberDanube Security Research 20240109-0 | Multiple Vulnerabilities in JetNet Series

Posted by Thomas Weber via Fulldisclosure on Jan 14

CyberDanube Security Research 20240109-0
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities
product| Korenix JetNet Series
vulnerable version| See “Vulnerable versions”
fixed version| –
CVE number| CVE-2023-5376, CVE-2023-5347
impact| High
homepage| https://www.korenix.com/
found|…

Re: cpio privilege escalation vulnerability via setuid files in cpio archive

Posted by Harry Sintonen via Fulldisclosure on Jan 14

Tar does set the setuid bit, but tar is not vulnerable. This is not an attack.

The user is responsible for extracting the archives to a secure location
and not letting other users access insecure setuid binaries. See:

https://www.gnu.org/software/tar/manual/html_section/Security.html#Security-rules-of-thumb

These same security considerations also apply to cpio.

Re: cpio privilege escalation vulnerability via setuid files in cpio archive

Posted by Georgi Guninski on Jan 14

Hi, thanks for the feedback 🙂

Which version of tar is vulnerable to this attack? I am pretty sure
this was fixed in tar and zip `long long` ago.

tar and zip on fedora 38 are definitely not vulnerable, they clear
the setuid bit.

I continue to suspect this is a vulnerability because:
1. There is directory traversal protection for untrusted archives
2. tar and zip are not vulnerable

bash script for setuid files in tar:

#!/bin/bash

mkdir -p…

Re: cpio privilege escalation vulnerability via setuid files in cpio archive

Posted by fulldisclosure on Jan 14

On 08.01.24 at 10:25, Georgi Guninski wrote:

It’s not a vulnerability, as

a) cpio archives must archive that flag, as cpio is part of RPM packages
and those must be able to contain setuid flags. Otherwise, you would need to add
chmod u+s cmds to any %POST section. Breaking this would invalidate so many
existing packages => won’t happen

note: initramfs makes use of cpio as well, but setuid is not needed
here, as it’s…

ZDI-24-073: Paessler PRTG Network Monitor Cross-Site Scripting Authentication Bypass Vulnerability

This vulnerability allows remote attackers to bypass authentication on affected installations of Paessler PRTG Network Monitor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2023-51630.