Category Archives: Advisories

TP-Link Archer AX-21 Command Injection Vulnerability (CVE-2023-1389) Exploited in the Wild


What is TP-Link Archer AX21 (AX1800)?

TP-Link Archer AX21 (AX1800) is a line of consumer-oriented Wi-Fi routers.

What is the attack?

A command injection vulnerability exists in TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 that allows an unauthenticated attacker to inject commands and obtain root access via a POST request. The issue has been assigned CVE-2023-1389. The vulnerability has a CVSS base score of 8.8 and is rated HIGH.

Why is this significant?

This is significant because attackers have reportedly started to exploit CVE-2023-1389 in attacks in the wild. Furthermore, proof-of-concept (PoC) code is publicly available, and various reports have stated that the Mirai malware was deployed to vulnerable TP-Link Archer AX21 devices. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 1st, 2023. As such, patches should be applied as soon as possible.

What is the vendor solution?

According to the TP-Link advisory, the Archer AX21, if linked to a TP-Link ID, will automatically receive update notifications in the web administration interface and the Tether application. TP-Link strongly recommends that you download and update to the latest firmware for this product model as soon as possible.

What FortiGuard Coverage is available?

FortiGuard Labs has the following IPS signature in place for CVE-2023-1389:

TP-Link.Archer.AX21.Unauthenticated.Command.Injection

FortiGuard Labs has the following AV signatures in place for the reported Mirai malware variants that were deployed as a result of successful exploitation of CVE-2023-1389:

ELF/Mirai.A!tr
ELF/Mirai.BL!tr
BASH/Mirai.4C55!tr
Linux/Redis.TSU!tr

Network IOCs related to the Mirai variants are blocked by Web Filtering.


Elevation of Privilege Vulnerability in Win32k Exploited in the Wild (CVE-2023-29336)


What is Win32k?

Win32k is a system component in Microsoft Windows OS that controls graphic and UI functions at the kernel level. Win32k is responsible for rendering fonts, icons, buttons, and other graphical elements in Windows. It is integral to the OS and any issues affecting Win32k may cause system instability or crashes.

What is the Attack?

An Elevation of Privilege (EoP) vulnerability exists in the Win32k kernel component that allows an attacker to obtain SYSTEM privileges. The issue has been assigned CVE-2023-29336. No further details are available from Microsoft. The vulnerability has a CVSS base score of 7.8 and is rated HIGH.

Why is this Significant?

This is significant because attackers have reportedly started to exploit CVE-2023-29336 in attacks in the wild. CISA added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog on May 9th, 2023. As such, patches should be applied as soon as possible.

What is the Vendor Solution?

Microsoft issued a patch for this vulnerability on May 9th, 2023.

What FortiGuard Coverage is available?

FortiGuard Labs has the following IPS signature in place that will prevent exploitation of CVE-2023-29336:

MS.Windows.Win32k.CVE-2023-29336.Elevation.of.Privilege


USN-6071-1: Linux kernel (OEM) vulnerabilities


It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel did not properly perform filter deactivation in some
situations. A local attacker could possibly use this to gain elevated
privileges. Please note that with the fix for this CVE, kernel support for
the TCINDEX classifier has been removed. (CVE-2023-1829)

Lin Ma discovered a race condition in the io_uring subsystem in the Linux
kernel, leading to a null pointer dereference vulnerability. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2023-0468)

It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy-up operations in some conditions. A local attacker
could possibly use this to gain elevated privileges. (CVE-2023-0386)

David Hildenbrand discovered that a race condition existed in the memory
manager of the Linux kernel when handling copy-on-write with shared memory
pages. A local attacker could use this to cause a denial of service (system
crash) or execute arbitrary code. (CVE-2022-2590)

It was discovered that the sound subsystem in the Linux kernel contained a
race condition in some situations. A local attacker could use this to cause
a denial of service (system crash). (CVE-2022-3303)

Gwnaun Jung discovered that the SFB packet scheduling implementation in the
Linux kernel contained a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2022-3586)

It was discovered that a race condition existed in the EFI capsule loader
driver in the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2022-40307)

Zheng Wang and Zhuorao Yang discovered that the RealTek RTL8712U wireless
driver in the Linux kernel contained a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2022-4095)

It was discovered that the USB core subsystem in the Linux kernel did not
properly handle nested reset events. A local attacker with physical access
could plug in a specially crafted USB device to cause a denial of service
(kernel deadlock). (CVE-2022-4662)

It was discovered that a race condition existed in the Xen transport layer
implementation for the 9P file system protocol in the Linux kernel, leading
to a use-after-free vulnerability. A local attacker could use this to cause
a denial of service (guest crash) or expose sensitive information (guest
kernel memory). (CVE-2023-1859)

Kyle Zeng discovered that the ATM VC queuing discipline implementation in
the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23455)

Lianhui Tang discovered that the MPLS implementation in the Linux kernel
did not properly handle certain sysctl allocation failure conditions,
leading to a double-free vulnerability. An attacker could use this to cause
a denial of service or possibly execute arbitrary code. (CVE-2023-26545)


USN-6070-1: Linux kernel vulnerabilities


It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel did not properly perform filter deactivation in some
situations. A local attacker could possibly use this to gain elevated
privileges. Please note that with the fix for this CVE, kernel support for
the TCINDEX classifier has been removed. (CVE-2023-1829)

It was discovered that a race condition existed in the io_uring subsystem
in the Linux kernel, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-1872)


USN-6069-1: Linux kernel (Raspberry Pi) vulnerability


It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel did not properly perform filter deactivation in some
situations. A local attacker could possibly use this to gain elevated
privileges. Please note that with the fix for this CVE, kernel support for
the TCINDEX classifier has been removed.
