Vulnerabilities

Command injection vulnerability exists in the “Logging” page of the web-based configuration utility. An authenticated user with low privileged network access for the configuration utility can execute arbitrary commands on the underlying OS to obtain root SSH access to the TropOS 4th Gen device.

By making minor configuration changes to the TropOS 4th Gen device, an authenticated user with the ability to run user level shell commands can enable access via secure shell (SSH) to an unrestricted root shell. This is possible through abuse of a particular set of scripts and executables that allow for certain commands to be run as root from an unprivileged context.

The “Diagnostics Tools” page of the web-based configuration utility does not properly validate user-controlled input, allowing an authenticated user with high privileges to inject commands into the command shell of the TropOS 4th Gen device. The injected commands can be exploited to execute several set-uid (SUID) applications to ultimately gain root access to the TropOS device.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PCI: rcar-host: Pass proper IRQ domain to generic_handle_domain_irq()<br /> <br /> Starting with commit dd26c1a23fd5 ("PCI: rcar-host: Switch to<br /> msi_create_parent_irq_domain()"), the MSI parent IRQ domain is NULL because<br /> the object of type struct irq_domain_info passed to:<br /> <br /> msi_create_parent_irq_domain() -&gt;<br /> irq_domain_instantiate()() -&gt;<br /> __irq_domain_instantiate()<br /> <br /> has no reference to the parent IRQ domain. Using msi-&gt;domain-&gt;parent as an<br /> argument for generic_handle_domain_irq() leads to below error:<br /> <br /> "Unable to handle kernel NULL pointer dereference at virtual address"<br /> <br /> This error was identified while switching the upcoming RZ/G3S PCIe host<br /> controller driver to msi_create_parent_irq_domain() (which was using a<br /> similar pattern to handle MSIs (see link section)), but it was not tested<br /> on hardware using the pcie-rcar-host controller driver due to lack of<br /> hardware.<br /> <br /> [mani: reworded subject and description]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Explicitly check accesses to bpf_sock_addr<br /> <br /> Syzkaller found a kernel warning on the following sock_addr program:<br /> <br /> 0: r0 = 0<br /> 1: r2 = *(u32 *)(r1 +60)<br /> 2: exit<br /> <br /> which triggers:<br /> <br /> verifier bug: error during ctx access conversion (0)<br /> <br /> This is happening because offset 60 in bpf_sock_addr corresponds to an<br /> implicit padding of 4 bytes, right after msg_src_ip4. Access to this<br /> padding isn&amp;#39;t rejected in sock_addr_is_valid_access and it thus later<br /> fails to convert the access.<br /> <br /> This patch fixes it by explicitly checking the various fields of<br /> bpf_sock_addr in sock_addr_is_valid_access.<br /> <br /> I checked the other ctx structures and is_valid_access functions and<br /> didn&amp;#39;t find any other similar cases. Other cases of (properly handled)<br /> padding are covered in new tests in a subsequent patch.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> riscv, bpf: Sign extend struct ops return values properly<br /> <br /> The ns_bpf_qdisc selftest triggers a kernel panic:<br /> <br /> Unable to handle kernel paging request at virtual address ffffffffa38dbf58<br /> Current test_progs pgtable: 4K pagesize, 57-bit VAs, pgdp=0x00000001109cc000<br /> [ffffffffa38dbf58] pgd=000000011fffd801, p4d=000000011fffd401, pud=000000011fffd001, pmd=0000000000000000<br /> Oops [#1]<br /> Modules linked in: bpf_testmod(OE) xt_conntrack nls_iso8859_1 [...] [last unloaded: bpf_testmod(OE)]<br /> CPU: 1 UID: 0 PID: 23584 Comm: test_progs Tainted: G W OE 6.17.0-rc1-g2465bb83e0b4 #1 NONE<br /> Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE<br /> Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2024.01+dfsg-1ubuntu5.1 01/01/2024<br /> epc : __qdisc_run+0x82/0x6f0<br /> ra : __qdisc_run+0x6e/0x6f0<br /> epc : ffffffff80bd5c7a ra : ffffffff80bd5c66 sp : ff2000000eecb550<br /> gp : ffffffff82472098 tp : ff60000096895940 t0 : ffffffff8001f180<br /> t1 : ffffffff801e1664 t2 : 0000000000000000 s0 : ff2000000eecb5d0<br /> s1 : ff60000093a6a600 a0 : ffffffffa38dbee8 a1 : 0000000000000001<br /> a2 : ff2000000eecb510 a3 : 0000000000000001 a4 : 0000000000000000<br /> a5 : 0000000000000010 a6 : 0000000000000000 a7 : 0000000000735049<br /> s2 : ffffffffa38dbee8 s3 : 0000000000000040 s4 : ff6000008bcda000<br /> s5 : 0000000000000008 s6 : ff60000093a6a680 s7 : ff60000093a6a6f0<br /> s8 : ff60000093a6a6ac s9 : ff60000093140000 s10: 0000000000000000<br /> s11: ff2000000eecb9d0 t3 : 0000000000000000 t4 : 0000000000ff0000<br /> t5 : 0000000000000000 t6 : ff60000093a6a8b6<br /> status: 0000000200000120 badaddr: ffffffffa38dbf58 cause: 000000000000000d<br /> [] __qdisc_run+0x82/0x6f0<br /> [] __dev_queue_xmit+0x4c0/0x1128<br /> [] neigh_resolve_output+0xd0/0x170<br /> [] ip6_finish_output2+0x226/0x6c8<br /> [] ip6_finish_output+0x10c/0x2a0<br /> [] ip6_output+0x5e/0x178<br /> [] ip6_xmit+0x29a/0x608<br /> [] inet6_csk_xmit+0xe6/0x140<br /> [] __tcp_transmit_skb+0x45c/0xaa8<br /> [] tcp_connect+0x9ce/0xd10<br /> [] tcp_v6_connect+0x4ac/0x5e8<br /> [] __inet_stream_connect+0xd8/0x318<br /> [] inet_stream_connect+0x3e/0x68<br /> [] __sys_connect_file+0x50/0x88<br /> [] __sys_connect+0x96/0xc8<br /> [] __riscv_sys_connect+0x20/0x30<br /> [] do_trap_ecall_u+0x256/0x378<br /> [] handle_exception+0x14a/0x156<br /> Code: 892a 0363 1205 489c 8bc1 c7e5 2d03 084a 2703 080a (2783) 0709<br /> ---[ end trace 0000000000000000 ]---<br /> <br /> The bpf_fifo_dequeue prog returns a skb which is a pointer. The pointer<br /> is treated as a 32bit value and sign extend to 64bit in epilogue. This<br /> behavior is right for most bpf prog types but wrong for struct ops which<br /> requires RISC-V ABI.<br /> <br /> So let&amp;#39;s sign extend struct ops return values according to the function<br /> model and RISC-V ABI([0]).<br /> <br /> [0]: https://riscv.org/wp-content/uploads/2024/12/riscv-calling.pdf

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nbd: restrict sockets to TCP and UDP<br /> <br /> Recently, syzbot started to abuse NBD with all kinds of sockets.<br /> <br /> Commit cf1b2326b734 ("nbd: verify socket is supported during setup")<br /> made sure the socket supported a shutdown() method.<br /> <br /> Explicitely accept TCP and UNIX stream sockets.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> perf: arm_spe: Prevent overflow in PERF_IDX2OFF()<br /> <br /> Cast nr_pages to unsigned long to avoid overflow when handling large<br /> AUX buffer sizes (&gt;= 2 GiB).

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()<br /> <br /> BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186<br /> Read of size 2 at addr ffff8880289ef218 by task syz.6.248/14290<br /> <br /> CPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full)<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:378 [inline]<br /> print_report+0xca/0x5f0 mm/kasan/report.c:482<br /> kasan_report+0xca/0x100 mm/kasan/report.c:595<br /> hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186<br /> hfsplus_listxattr+0x5b6/0xbd0 fs/hfsplus/xattr.c:738<br /> vfs_listxattr+0xbe/0x140 fs/xattr.c:493<br /> listxattr+0xee/0x190 fs/xattr.c:924<br /> filename_listxattr fs/xattr.c:958 [inline]<br /> path_listxattrat+0x143/0x360 fs/xattr.c:988<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7fe0e9fae16d<br /> Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3<br /> RAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16d<br /> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000<br /> RBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br /> R13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000<br /> <br /> <br /> Allocated by task 14290:<br /> kasan_save_stack+0x24/0x50 mm/kasan/common.c:47<br /> kasan_save_track+0x14/0x30 mm/kasan/common.c:68<br /> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]<br /> __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394<br /> kasan_kmalloc include/linux/kasan.h:260 [inline]<br /> __do_kmalloc_node mm/slub.c:4333 [inline]<br /> __kmalloc_noprof+0x219/0x540 mm/slub.c:4345<br /> kmalloc_noprof include/linux/slab.h:909 [inline]<br /> hfsplus_find_init+0x95/0x1f0 fs/hfsplus/bfind.c:21<br /> hfsplus_listxattr+0x331/0xbd0 fs/hfsplus/xattr.c:697<br /> vfs_listxattr+0xbe/0x140 fs/xattr.c:493<br /> listxattr+0xee/0x190 fs/xattr.c:924<br /> filename_listxattr fs/xattr.c:958 [inline]<br /> path_listxattrat+0x143/0x360 fs/xattr.c:988<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> When hfsplus_uni2asc is called from hfsplus_listxattr,<br /> it actually passes in a struct hfsplus_attr_unistr*.<br /> The size of the corresponding structure is different from that of hfsplus_unistr,<br /> so the previous fix (94458781aee6) is insufficient.<br /> The pointer on the unicode buffer is still going beyond the allocated memory.<br /> <br /> This patch introduces two warpper functions hfsplus_uni2asc_xattr_str and<br /> hfsplus_uni2asc_str to process two unicode buffers,<br /> struct hfsplus_attr_unistr* and struct hfsplus_unistr* respectively.<br /> When ustrlen value is bigger than the allocated memory size,<br /> the ustrlen value is limited to an safe size.

An unauthenticated user can connect to a publicly accessible database using arbitrary credentials. The system grants full access to the database by leveraging a previously authenticated connection through a "mmBackup" application. This flaw allows attackers to bypass authentication mechanisms and gain unauthorized access to database with sensitive data.<br /> <br /> This issue affects Asseco mMedica in versions before 11.9.5.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to avoid overflow while left shift operation<br /> <br /> Should cast type of folio-&gt;index from pgoff_t to loff_t to avoid overflow<br /> while left shift operation.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tcp_metrics: use dst_dev_net_rcu()<br /> <br /> Replace three dst_dev() with a lockdep enabled helper.