Vulnerabilities

Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor's files. By modifying Velociraptor's files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely.  This issue is fixed in version 0.73.3.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vsock: Update rx_bytes on read_skb()<br /> <br /> Make sure virtio_transport_inc_rx_pkt() and virtio_transport_dec_rx_pkt()<br /> calls are balanced (i.e. virtio_vsock_sock::rx_bytes doesn&amp;#39;t lie) after<br /> vsock_transport::read_skb().<br /> <br /> While here, also inform the peer that we&amp;#39;ve freed up space and it has more<br /> credit.<br /> <br /> Failing to update rx_bytes after packet is dequeued leads to a warning on<br /> SOCK_STREAM recv():<br /> <br /> [ 233.396654] rx_queue is empty, but rx_bytes is non-zero<br /> [ 233.396702] WARNING: CPU: 11 PID: 40601 at net/vmw_vsock/virtio_transport_common.c:589

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: bcmasp: fix potential memory leak in bcmasp_xmit()<br /> <br /> The bcmasp_xmit() returns NETDEV_TX_OK without freeing skb<br /> in case of mapping fails, add dev_kfree_skb() to fix it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/bnxt_re: Fix a possible memory leak<br /> <br /> In bnxt_re_setup_chip_ctx() when bnxt_qplib_map_db_bar() fails<br /> driver is not freeing the memory allocated for "rdev-&gt;chip_ctx".

When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client&amp;#39;s IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an attacker to bypass authentication via spoofing client&amp;#39;s IP address in request headers. Default configuration honors X-Forwarded-For HTTP header to read client&amp;#39;s IP address. X-Forwarded-For request header is mainly used by proxy servers to identify the client and can be easily spoofed by an attacker pretending that the request comes from a different IP address. Admin Server commands, such as snapshot and restore arbitrarily can be executed on successful exploitation which could potentially lead to information leakage or service availability issues. Users are recommended to upgrade to version 3.9.3, which fixes this issue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: systemport: fix potential memory leak in bcm_sysport_xmit()<br /> <br /> The bcm_sysport_xmit() returns NETDEV_TX_OK without freeing skb<br /> in case of dma_map_single() fails, add dev_kfree_skb() to fix it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop<br /> <br /> Driver waits indefinitely for the fifo occupancy to go below a threshold<br /> as soon as the pacing interrupt is received. This can cause soft lockup on<br /> one of the processors, if the rate of DB is very high.<br /> <br /> Add a loop count for FPGA and exit the __wait_for_fifo_occupancy_below_th<br /> if the loop is taking more time. Pacing will be continuing until the<br /> occupancy is below the threshold. This is ensured by the checks in<br /> bnxt_re_pacing_timer_exp and further scheduling the work for pacing based<br /> on the fifo occupancy.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/bnxt_re: Fix out of bound check<br /> <br /> Driver exports pacing stats only on GenP5 and P7 adapters. But while<br /> parsing the pacing stats, driver has a check for "rdev-&gt;dbr_pacing". This<br /> caused a trace when KASAN is enabled.<br /> <br /> BUG: KASAN: slab-out-of-bounds in bnxt_re_get_hw_stats+0x2b6a/0x2e00 [bnxt_re]<br /> Write of size 8 at addr ffff8885942a6340 by task modprobe/4809

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> firmware: arm_scmi: Fix the double free in scmi_debugfs_common_setup()<br /> <br /> Clang static checker(scan-build) throws below warning：<br /> | drivers/firmware/arm_scmi/driver.c:line 2915, column 2<br /> | Attempt to free released memory.<br /> <br /> When devm_add_action_or_reset() fails, scmi_debugfs_common_cleanup()<br /> will run twice which causes double free of &amp;#39;dbg-&gt;name&amp;#39;.<br /> <br /> Remove the redundant scmi_debugfs_common_cleanup() to fix this problem.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Check the remaining info_cnt before repeating btf fields<br /> <br /> When trying to repeat the btf fields for array of nested struct, it<br /> doesn&amp;#39;t check the remaining info_cnt. The following splat will be<br /> reported when the value of ret * nelems is greater than BTF_FIELDS_MAX:<br /> <br /> ------------[ cut here ]------------<br /> UBSAN: array-index-out-of-bounds in ../kernel/bpf/btf.c:3951:49<br /> index 11 is out of range for type &amp;#39;btf_field_info [11]&amp;#39;<br /> CPU: 6 UID: 0 PID: 411 Comm: test_progs ...... 6.11.0-rc4+ #1<br /> Tainted: [O]=OOT_MODULE<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ...<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x57/0x70<br /> dump_stack+0x10/0x20<br /> ubsan_epilogue+0x9/0x40<br /> __ubsan_handle_out_of_bounds+0x6f/0x80<br /> ? kallsyms_lookup_name+0x48/0xb0<br /> btf_parse_fields+0x992/0xce0<br /> map_create+0x591/0x770<br /> __sys_bpf+0x229/0x2410<br /> __x64_sys_bpf+0x1f/0x30<br /> x64_sys_call+0x199/0x9f0<br /> do_syscall_64+0x3b/0xc0<br /> entry_SYSCALL_64_after_hwframe+0x4b/0x53<br /> RIP: 0033:0x7fea56f2cc5d<br /> ......<br /> <br /> ---[ end trace ]---<br /> <br /> Fix it by checking the remaining info_cnt in btf_repeat_fields() before<br /> repeating the btf fields.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Preserve param-&gt;string when parsing mount options<br /> <br /> In bpf_parse_param(), keep the value of param-&gt;string intact so it can<br /> be freed later. Otherwise, the kmalloc area pointed to by param-&gt;string<br /> will be leaked as shown below:<br /> <br /> unreferenced object 0xffff888118c46d20 (size 8):<br /> comm "new_name", pid 12109, jiffies 4295580214<br /> hex dump (first 8 bytes):<br /> 61 6e 79 00 38 c9 5c 7e any.8.\~<br /> backtrace (crc e1b7f876):<br /> [] kmemleak_alloc+0x4b/0x80<br /> [] __kmalloc_node_track_caller_noprof+0x36e/0x4a0<br /> [] memdup_user+0x32/0xa0<br /> [] strndup_user+0x46/0x60<br /> [] __x64_sys_fsconfig+0x368/0x3d0<br /> [] x64_sys_call+0xff/0x9f0<br /> [] do_syscall_64+0x3b/0xc0<br /> [] entry_SYSCALL_64_after_hwframe+0x4b/0x53

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fsl/fman: Fix refcount handling of fman-related devices<br /> <br /> In mac_probe() there are multiple calls to of_find_device_by_node(),<br /> fman_bind() and fman_port_bind() which takes references to of_dev-&gt;dev.<br /> Not all references taken by these calls are released later on error path<br /> in mac_probe() and in mac_remove() which lead to reference leaks.<br /> <br /> Add references release.