Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: A USB Linux Gadget is a device which has a UDC (USB Device Controller) and can be connected to a USB Host to extend it with additional functions like a serial port or a mass storage capability.

Another way to integrate Modern USB gadgets on Linux with systemd: Users create a separate directory for each gadget they want to have, give their gadget a personality by specifying a vendor ID, product ID, and a USB string (eg visible after running lsusb -v as root), then In that directory create the configuration they want and instantiate the USB functions they want (both by creating the corresponding directory), and finally associate the function with the configuration via a symlink. At this point, the composition of the gadget is already in memory, but not bound to any UDC. To activate a gadget, the UDC name must be written to the UDC property in the gadget’s configfs directory – the gadget is then bound to this specific UDC (and a UDC cannot be used by multiple gadgets). Available UDC names are at /sys/class/udc. The gadget can only be successfully enumerated by the USB host after it is bound to the UDC.

Vulnerability details: In drivers/usb/gadget/udc/udc-xilinx[.]c in the Linux kernel before 5.16.12, the endpoint index is not validated and might be manipulated by the host for out-of-array access.

References to Advisories: https://github.com/torvalds/linux/commit/7f14c7227f342d9932f9b918893c8814f86d2a0d

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: SR9700 is a type of USB to Ethernet Converter and is compatible with USB 1.1 protocol, the design merge SR9700 device driver (sr9700[.]c) into the Linux Kernel. The buffers used by the kernel to manage network packets are referred to as sk_buffs in Linux.

The buffers are always allocated as at least two separate components: a fixed size header of type struct sk_buff; and a variable length area large enough to hold all or part of the data of a single packet.

Vulnerability details: An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700[.]c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device.

Remedy: Please refer to the link for details – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e9da0b56fe27206b49f39805f7dcda8a89379062

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: Writing a device name to this file will cause the kernel binds devices to a compatible driver.

Vulnerability details: Bluetooth: virtio_bt: fix memory leak in virtbt_rx_handle()

On the reception of packets with an invalid packet type, the memory of the allocated socket buffers is never freed. Add a default case that frees these to avoid a memory leak.

Typically, memory leaks occur because allocated memory is not freed and you lose a pointer to the allocated block. As a result, a memory leak occurs.

Status: Remedy has been released on October 2021 – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1d0688421449718c6c5f46e458a378c9b530ba18

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: SAP SE — SE stands for societas Europaea, a public company registered in accordance with the European Union corporate law.

SAP NetWeaver is a software stack for many of SAP SE’s applications. The SAP NetWeaver Application Server, sometimes referred to as WebAS, is the runtime environment for the SAP applications and all of the mySAP Business Suite runs on SAP WebAS: supplier relationship management (SRM), customer relationship management (CRM), supply chain management (SCM), product lifecycle management (PLM), enterprise resource planning (ERP), transportation management system (TMS)….copy from wiki

Vulnerability details: SAP NetWeaver Enterprise Portal – versions 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability.This reflected cross-site scripting attack can be used to non-permanently deface or modify displayed content of portal Website.

*Cross site scripting attacks can be broken down into two types: stored and reflected.

Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application.

Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user’s browser. The script is embedded into a link, and is only activated once that link is clicked on.

Impact: The execution of the script content by a victim registered on the portal could compromise the confidentiality and integrity of victim’s web browser.

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: Generally, suppliers have the right to keep design defect information from being released to the public. This CVE record was publicly released on March 9, 2022. But if you try to look in the local Windows directory (c:\windows\system32). You found that at least two of the[ .] dlls have been updated. They are hal[.]dll and ci[.]dll. Both files are closely related to ntoskrnl[.]exe. My guess is more based on this design limitation of ci[.]dll .

Ci[.] dll runs a feature that validates the integrity of a system file or drive whenever it is loaded into memory. This is an important Windows component and should not be removed. The Microsoft Windows operating system exhibits a graphical user interface and made its first appearance in November, 1985.

Virtual Secure Mode (VSM) has to be enabled in a special policy in the Group Policy Editor (gpedit[. ]msc): Computer Configuration -> Administrative templates -> System -> Device Guard -> Turn on Virtualization Based Security. Enable this policy and select Secure Boot option in Select Platform security level.

Vulnerability details: Certain versions of Windows from Microsoft contain the following vulnerability: Windows NT OS Kernel Elevation of Privilege Vulnerability.

Official announcement – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23298

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: youtube-dl is a command-line program to download videos from YouTube.com and a few more sites. It requires the Python interpreter, version 2.6, 2.7, or 3.2+, and it is not platform specific. It should work on your Unix box, on Windows or on macOS. It is released to the public domain, which means you can modify it, redistribute it or use it however you like.

Cope with Alltube, it make you easily download videos from YouTube, Dailymotion, Vimeo and other websites. Web GUI for youtube-dl. Contribute to Rudloff/alltube development by creating an account on GitHub. How do I download from Alltube? Clicking on the icon will open up the pop-up window. The extension will attempt to find the list of video qualities for the video in the watch page. The list of video will be displayed. To download the video, just click on the ‘Download’ button of the video quality.

Vulnerability details: Certain versions of Alltube from Rudloff contain the following vulnerability:

alltube is an html front end for youtube-dl. On releases prior to 3.0.3, an attacker could craft a special HTML page to trigger either an open redirect attack or a Server-Side Request Forgery attack (depending on how AllTube is configured). The impact is mitigated by the fact the SSRF attack is only possible when the `stream` option is enabled in the configuration. (This option is disabled by default.) 3.0.3 contains a fix for this vulnerability.

Remedy: Please refer to link – https://github.com/Rudloff/alltube/commit/3d092891044f2685ed66c73c870a021bee319c37

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: A block device, is, by definition, a device that stores or reads data in blocks. This means, always a certain amount of data is transmitted at every operation. How big that block is, highly depends on the protocol used. A network block device (NBD) is a standard protocol for Linux for exporting a block device over a network. NBDs are device nodes whose content is offered by a remote system. Generally, Linux users make use of NBDs to gain access to any storage device that does not reside in the local machine physically, but in a remote machine.

Vulnerability details: In nbd-server in nbd before 3.24, there is an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name, resulting in a write to a dangling pointer. This issue exists for the NBD_OPT_INFO, NBD_OPT_GO, and NBD_OPT_EXPORT_NAME messages.

All variables allocated by malloc is stored in heap memory. When malloc is called, the pointer that returns from malloc will always be a pointer to “heap memory”.

NAMELEN =n specifies the length of effect names in tables and output data sets to be n characters, where n value is -1.
when namelen = -1, malloc will allocate a very small buffer, but socket_read will read a 0xffffffff, thus causing a heap overflow.

Report security problem of nbd, please refer to the link – https://lists.debian.org/nbd/2022/01/msg00037.html

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: The ST21NFCA is a single chip designed for supporting 13.56 MHz contactless communication, including Near Field Communication (NFC) functions in the three operating modes: card emulation, reader and peer-to-peer communication. Furthermore, it is a system on chip solution able to be compliant with NFC communication
system embedded in a mobile phone.

The kernel used by Android is the Linux kernel. Since the Linux kernel and Android are open source it is possible to build custom kernels with different configuration settings. These kernels can then replace the default kernel supplied with your device.

Vulnerability details: st21nfca_connectivity_event_received in drivers/nfc/st21nfca/se.c in the Linux kernel through 5.16.12 has EVT_TRANSACTION buffer overflows because of untrusted length parameters.

Ref: EVT_TRANSACTION. This event notifies the terminal host that it shall launch an application associated to an NFC application in a UICC host.

It appears that there are some buffer overflows in EVT_TRANSACTION.This happens because the length parameters that are passed to memcpy come directly from skb->data is not protected in any way.

Remedy: For more details, please refer to the link – https://github.com/torvalds/linux/commit/4fbcc1a4cb20fe26ad0225679c536c80f1648221

Preface: The reason why do I concerns this open source routing module? Because I predicted that vendors might used this routing module in their products. A well know idea is that routing device will select Linux system as a based OS.

Background: FRRouting (FRR) is a free and open source Internet routing protocol suite for Linux and Unix platforms. It was created as a fork from Quagga. FRRouting is distributed under the terms of the GNU General Public License v2 (GPL2). It implements BGP, OSPF, RIP, IS-IS, PIM, LDP, BFD, Babel, PBR, OpenFabric and VRRP, with alpha support for EIGRP and NHRP. FRR is a large project developed by many different groups.

Vulnerability details: Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to wrong checks on the subtlv length in the functions, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv in babeld/message[.]c.

Informed by related party that there are two programming syntax which causes design weakness.

Line 143: the condition should be i + 1 >= alen instead of i + 1 > alen. Otherwise, overflows will happen at 147.

Line 148: the condition should be i + len + 2 > alen instead of i + len > alen. We need include extra two bytes, a[i] and a[i + 1] in this check.

Additional information: Int, short for “integer,” is a fundamental variable type built into the compiler and used to define numeric variables holding whole numbers. Other data types include float and double. C, C++, C# and many other programming languages recognize int as a data type.
Under the C++ standard, what you are doing is undefined behavior. The memory layout of unsigned and signed ints is not guaranteed.

Status: In the moment, no vendors claim that there products was impacted by this package/module. Let’s keep our eye open to see whether there are security updates in this matter.