Vulnerabilities

A CWE-425 “Direct Request ('Forced Browsing')” vulnerability in the “measure” functionality of the web application allows a remote unauthenticated attacker to access confidential measure information. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.

A CWE-646 “Reliance on File Name or Extension of Externally-Supplied File” vulnerability in the “iec61850” functionality of the web application allows a remote authenticated attacker to upload any arbitrary type of file into the device. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.

A CWE-613 “Insufficient Session Expiration” vulnerability in the web application, due to the session cookie “sessionid” lasting two weeks, facilitates session hijacking attacks against victims. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.

A CWE-1269 “Product Released in Non-Release Configuration” vulnerability in the Django web framework used by the web application (due to the “debug” configuration parameter set to “True”) allows a remote unauthenticated attacker to access critical information and have other unspecified impacts to the confidentiality, integrity, and availability of the application. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.

A CWE-250 “Execution with Unnecessary Privileges” vulnerability in the embedded Chromium browser (due to the binary being executed with the “--no-sandbox” option and with root privileges) exacerbates the impacts of successful attacks executed against the browser. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.

A CWE-184 “Incomplete List of Disallowed Inputs” vulnerability in the embedded Chromium browser (concerning the handling of alternative URLs, other than “ http://localhost” ) allows a physical attacker to read arbitrary files on the file system, alter the configuration of the embedded browser, and have other unspecified impacts to the confidentiality, integrity, and availability of the device. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.

A CWE-552 “Files or Directories Accessible to External Parties” vulnerability in the embedded Chromium browser allows a physical attacker to arbitrarily download/upload files to/from the file system, with unspecified impacts to the confidentiality, integrity, and availability of the device. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.

A CWE-434 “Unrestricted Upload of File with Dangerous Type” vulnerability in the “file_configuration” functionality of the web application allows a remote authenticated attacker to upload any arbitrary type of file into the device. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.

A CWE-425 “Direct Request ('Forced Browsing')” vulnerability in the “file_configuration” functionality of the web application allows a remote unauthenticated attacker to access confidential configuration files. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: qcom-rng - ensure buffer for generate is completely filled<br /> <br /> The generate function in struct rng_alg expects that the destination<br /> buffer is completely filled if the function returns 0. qcom_rng_read()<br /> can run into a situation where the buffer is partially filled with<br /> randomness and the remaining part of the buffer is zeroed since<br /> qcom_rng_generate() doesn&amp;#39;t check the return value. This issue can<br /> be reproduced by running the following from libkcapi:<br /> <br /> kcapi-rng -b 9000000 &gt; OUTFILE<br /> <br /> The generated OUTFILE will have three huge sections that contain all<br /> zeros, and this is caused by the code where the test<br /> &amp;#39;val &amp; PRNG_STATUS_DATA_AVAIL&amp;#39; fails.<br /> <br /> Let&amp;#39;s fix this issue by ensuring that qcom_rng_read() always returns<br /> with a full buffer if the function returns success. Let&amp;#39;s also have<br /> qcom_rng_generate() return the correct value.<br /> <br /> Here&amp;#39;s some statistics from the ent project<br /> (https://www.fourmilab.ch/random/) that shows information about the<br /> quality of the generated numbers:<br /> <br /> $ ent -c qcom-random-before<br /> Value Char Occurrences Fraction<br /> 0 606748 0.067416<br /> 1 33104 0.003678<br /> 2 33001 0.003667<br /> ...<br /> 253 � 32883 0.003654<br /> 254 � 33035 0.003671<br /> 255 � 33239 0.003693<br /> <br /> Total: 9000000 1.000000<br /> <br /> Entropy = 7.811590 bits per byte.<br /> <br /> Optimum compression would reduce the size<br /> of this 9000000 byte file by 2 percent.<br /> <br /> Chi square distribution for 9000000 samples is 9329962.81, and<br /> randomly would exceed this value less than 0.01 percent of the<br /> times.<br /> <br /> Arithmetic mean value of data bytes is 119.3731 (127.5 = random).<br /> Monte Carlo value for Pi is 3.197293333 (error 1.77 percent).<br /> Serial correlation coefficient is 0.159130 (totally uncorrelated =<br /> 0.0).<br /> <br /> Without this patch, the results of the chi-square test is 0.01%, and<br /> the numbers are certainly not random according to ent&amp;#39;s project page.<br /> The results improve with this patch:<br /> <br /> $ ent -c qcom-random-after<br /> Value Char Occurrences Fraction<br /> 0 35432 0.003937<br /> 1 35127 0.003903<br /> 2 35424 0.003936<br /> ...<br /> 253 � 35201 0.003911<br /> 254 � 34835 0.003871<br /> 255 � 35368 0.003930<br /> <br /> Total: 9000000 1.000000<br /> <br /> Entropy = 7.999979 bits per byte.<br /> <br /> Optimum compression would reduce the size<br /> of this 9000000 byte file by 0 percent.<br /> <br /> Chi square distribution for 9000000 samples is 258.77, and randomly<br /> would exceed this value 42.24 percent of the times.<br /> <br /> Arithmetic mean value of data bytes is 127.5006 (127.5 = random).<br /> Monte Carlo value for Pi is 3.141277333 (error 0.01 percent).<br /> Serial correlation coefficient is 0.000468 (totally uncorrelated =<br /> 0.0).<br /> <br /> This change was tested on a Nexus 5 phone (msm8974 SoC).

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: qcom-rng - fix infinite loop on requests not multiple of WORD_SZ<br /> <br /> The commit referenced in the Fixes tag removed the &amp;#39;break&amp;#39; from the else<br /> branch in qcom_rng_read(), causing an infinite loop whenever &amp;#39;max&amp;#39; is<br /> not a multiple of WORD_SZ. This can be reproduced e.g. by running:<br /> <br /> kcapi-rng -b 67 &gt;/dev/null<br /> <br /> There are many ways to fix this without adding back the &amp;#39;break&amp;#39;, but<br /> they all seem more awkward than simply adding it back, so do just that.<br /> <br /> Tested on a machine with Qualcomm Amberwing processor.

A CWE-122 “Heap-based Buffer Overflow” vulnerability in the “logger_generic” function of the “Ax_rtu” binary allows a remote authenticated attacker to trigger a memory corruption in the context of the binary. This may result in a Denial-of-Service (DoS) condition, possibly in the execution of arbitrary code with the same privileges of the process (root), or have other unspecified impacts on the device. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.