Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rtw88: 8822b: Avoid WARNING in rtw8822b_config_trx_mode()<br /> <br /> rtw8822b_set_antenna() can be called from userspace when the chip is<br /> powered off. In that case a WARNING is triggered in<br /> rtw8822b_config_trx_mode() because trying to read the RF registers<br /> when the chip is powered off returns an unexpected value.<br /> <br /> Call rtw8822b_config_trx_mode() in rtw8822b_set_antenna() only when<br /> the chip is powered on.<br /> <br /> ------------[ cut here ]------------<br /> write RF mode table fail<br /> WARNING: CPU: 0 PID: 7183 at rtw8822b.c:824 rtw8822b_config_trx_mode.constprop.0+0x835/0x840 [rtw88_8822b]<br /> CPU: 0 UID: 0 PID: 7183 Comm: iw Tainted: G W OE 6.17.5-arch1-1 #1 PREEMPT(full) 01c39fc421df2af799dd5e9180b572af860b40c1<br /> Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE<br /> Hardware name: LENOVO 82KR/LNVNB161216, BIOS HBCN18WW 08/27/2021<br /> RIP: 0010:rtw8822b_config_trx_mode.constprop.0+0x835/0x840 [rtw88_8822b]<br /> Call Trace:<br /> <br /> rtw8822b_set_antenna+0x57/0x70 [rtw88_8822b 370206f42e5890d8d5f48eb358b759efa37c422b]<br /> rtw_ops_set_antenna+0x50/0x80 [rtw88_core 711c8fb4f686162be4625b1d0b8e8c6a5ac850fb]<br /> ieee80211_set_antenna+0x60/0x100 [mac80211 f1845d85d2ecacf3b71867635a050ece90486cf3]<br /> nl80211_set_wiphy+0x384/0xe00 [cfg80211 296485ee85696d2150309a6d21a7fbca83d3dbda]<br /> ? netdev_run_todo+0x63/0x550<br /> genl_family_rcv_msg_doit+0xfc/0x160<br /> genl_rcv_msg+0x1aa/0x2b0<br /> ? __pfx_nl80211_pre_doit+0x10/0x10 [cfg80211 296485ee85696d2150309a6d21a7fbca83d3dbda]<br /> ? __pfx_nl80211_set_wiphy+0x10/0x10 [cfg80211 296485ee85696d2150309a6d21a7fbca83d3dbda]<br /> ? __pfx_nl80211_post_doit+0x10/0x10 [cfg80211 296485ee85696d2150309a6d21a7fbca83d3dbda]<br /> ? __pfx_genl_rcv_msg+0x10/0x10<br /> netlink_rcv_skb+0x59/0x110<br /> genl_rcv+0x28/0x40<br /> netlink_unicast+0x285/0x3c0<br /> ? __alloc_skb+0xdb/0x1a0<br /> netlink_sendmsg+0x20d/0x430<br /> ____sys_sendmsg+0x39f/0x3d0<br /> ? import_iovec+0x2f/0x40<br /> ___sys_sendmsg+0x99/0xe0<br /> ? refill_obj_stock+0x12e/0x240<br /> __sys_sendmsg+0x8a/0xf0<br /> do_syscall_64+0x81/0x970<br /> ? do_syscall_64+0x81/0x970<br /> ? ksys_read+0x73/0xf0<br /> ? do_syscall_64+0x81/0x970<br /> ? count_memcg_events+0xc2/0x190<br /> ? handle_mm_fault+0x1d7/0x2d0<br /> ? do_user_addr_fault+0x21a/0x690<br /> ? exc_page_fault+0x7e/0x1a0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> ---[ end trace 0000000000000000 ]---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/tests: shmem: Hold reservation lock around madvise<br /> <br /> Acquire and release the GEM object&amp;#39;s reservation lock around calls<br /> to the object&amp;#39;s madvide operation. The tests use<br /> drm_gem_shmem_madvise_locked(), which led to errors such as show below.<br /> <br /> [ 58.339389] WARNING: CPU: 1 PID: 1352 at drivers/gpu/drm/drm_gem_shmem_helper.c:499 drm_gem_shmem_madvise_locked+0xde/0x140<br /> <br /> Only export the new helper drm_gem_shmem_madvise() for Kunit tests.<br /> This is not an interface for regular drivers.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/tests: shmem: Hold reservation lock around purge<br /> <br /> Acquire and release the GEM object&amp;#39;s reservation lock around calls<br /> to the object&amp;#39;s purge operation. The tests use<br /> drm_gem_shmem_purge_locked(), which led to errors such as show below.<br /> <br /> [ 58.709128] WARNING: CPU: 1 PID: 1354 at drivers/gpu/drm/drm_gem_shmem_helper.c:515 drm_gem_shmem_purge_locked+0x51c/0x740<br /> <br /> Only export the new helper drm_gem_shmem_purge() for Kunit tests.<br /> This is not an interface for regular drivers.

Lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By modifying the binary string in the ‘Permissions’ field of the JSON response, an attacker could escalate privileges and gain full administrative access. This vulnerability allows all restrictions to be bypassed and completely compromises system management.

Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants.<br /> <br /> <br /> <br /> <br /> This issue affects Apache CloudStack: from 4.21.0.0 through 4.22.0.0.<br /> <br /> <br /> <br /> <br /> The Proxmox extension for CloudStack improperly uses a user-editable instance setting, proxmox_vmid, to associate CloudStack instances with Proxmox virtual machines. Because this value is not restricted or validated against tenant ownership and Proxmox VM IDs are predictable, a non-privileged attacker can modify the setting to reference a VM belonging to another account. This allows unauthorized cross-tenant access and enables full control over the targeted VM, including starting, stopping, and destroying the virtual machine.<br /> <br /> <br /> <br /> <br /> Users are recommended to upgrade to version 4.22.0.1, which fixes this issue.<br /> <br /> <br /> <br /> <br /> As a workaround for the existing installations, editing of the proxmox_vmid instance detail by users can be prevented by adding this detail name to the global configuration parameter - user.vm.denied.details.

Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templates to execute arbitrary code on the KVM hosts. This can result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of the KVM-based infrastructure managed by CloudStack.<br /> <br /> <br /> Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.

Due to multiple time-of-check time-of-use race conditions in the resource count check and increment logic, as well as missing validations, users of the platform are able to exceed the allocation limits configured for their accounts/domains. This can be used by an attacker to degrade the infrastructure&amp;#39;s resources and lead to denial of service conditions.<br /> <br /> Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.

Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a new bucket with the same name, the previous owners can gain unauthorized read and write access to it by using the previously generated access and secret keys.<br /> <br /> Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.

The CloudStack Backup plugin has an improper authorization logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and has access to specific APIs can list backups from any account in the environment. This vulnerability does not allow them to see the contents of the backup.<br /> <br /> Users are recommended to upgrade to version 4.22.0.1, which fixes the issue.

The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can restore a volume from any other user&amp;#39;s backups and attach the volume to their own VMs.<br /> <br /> Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.

The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can create new VMs using backups of any other user of the environment.<br /> <br /> Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.

DrayTek Vigor 2960 firmware versions prior to 1.5.1.4 contain an OS command injection vulnerability in the CGI login handler that allows unauthenticated remote attackers to execute arbitrary commands by injecting shell metacharacters into the formpassword parameter. Attackers can exploit unsanitized input passed to the otp_check.sh script to achieve remote code execution with web server privileges. Exploitation requires knowledge of a valid username and that the target account has MOTP authentication enabled.