Vulnerabilities

There is a misconfiguration vulnerability inside the Infotainment ECU manufactured by BOSCH. The vulnerability happens during the startup phase of a specific systemd service, and as a result, the following developer features will be activated: the disabled firewall and the launched SSH server.<br /> <br /> <br /> <br /> First identified on Nissan Leaf ZE1 manufactured in 2020.

The RF communication protocol in the Micca KE700 car alarm system does not encrypt its data frames. An attacker with a radio interception tool (e.g., SDR) can capture the random number and counters transmitted in cleartext, which is sensitive information required for authentication.

The specific flaw exists within the Bluetooth stack developed by Alps Alpine of the Infotainment ECU manufactured by Bosch. The issue results from the lack of proper boundary validation of user-supplied data, which can result in a stack-based buffer overflow when receiving a specific packet on the established upper layer L2CAP channel. An attacker can leverage this vulnerability to obtain remote code execution on the Infotainment ECU with root privileges.<br /> <br /> <br /> <br /> First identified on Nissan Leaf ZE1 manufactured in 2020.

The Infotainment ECU manufactured by Bosch uses a RH850 module for CAN communication. RH850 is connected to infotainment over the INC interface through a custom protocol. There is a vulnerability during processing requests of this protocol on the V850 side which allows an attacker with code execution on the infotainment main SoC to perform code execution on the RH850 module and subsequently send arbitrary CAN messages over the connected CAN bus.<br /> <br /> <br /> <br /> First identified on Nissan Leaf ZE1 manufactured in 2020.

The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing capability check in the &amp;#39;save_custom_user_profile_fields&amp;#39; function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to supply the &amp;#39;ec_store_admin_access&amp;#39; parameter during a profile update and gain store manager access to the site.

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 8.3.17 via the SVG widget and a lack of sufficient file validation in the &amp;#39;render_svg&amp;#39; function. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the &amp;#39;checkWithoutToken&amp;#39; function in all versions up to, and including, 6.71. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. Note: This is only exploitable on sites with an invalid API key.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb/client: fix memory leak in smb2_open_file()<br /> <br /> Reproducer:<br /> <br /> 1. server: directories are exported read-only<br /> 2. client: mount -t cifs //${server_ip}/export /mnt<br /> 3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct<br /> 4. client: umount /mnt<br /> 5. client: sleep 1<br /> 6. client: modprobe -r cifs<br /> <br /> The error message is as follows:<br /> <br /> =============================================================================<br /> BUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown()<br /> -----------------------------------------------------------------------------<br /> <br /> Object 0x00000000d47521be @offset=14336<br /> ...<br /> WARNING: mm/slub.c:1251 at __kmem_cache_shutdown+0x34e/0x440, CPU#0: modprobe/1577<br /> ...<br /> Call Trace:<br /> <br /> kmem_cache_destroy+0x94/0x190<br /> cifs_destroy_request_bufs+0x3e/0x50 [cifs]<br /> cleanup_module+0x4e/0x540 [cifs]<br /> __se_sys_delete_module+0x278/0x400<br /> __x64_sys_delete_module+0x5f/0x70<br /> x64_sys_call+0x2299/0x2ff0<br /> do_syscall_64+0x89/0x350<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> ...<br /> kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x3e/0x50 [cifs]<br /> WARNING: mm/slab_common.c:532 at kmem_cache_destroy+0x16b/0x190, CPU#0: modprobe/1577

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: Fix PTP NULL pointer dereference during VSI rebuild<br /> <br /> Fix race condition where PTP periodic work runs while VSI is being<br /> rebuilt, accessing NULL vsi-&gt;rx_rings.<br /> <br /> The sequence was:<br /> 1. ice_ptp_prepare_for_reset() cancels PTP work<br /> 2. ice_ptp_rebuild() immediately queues PTP work<br /> 3. VSI rebuild happens AFTER ice_ptp_rebuild()<br /> 4. PTP work runs and accesses NULL vsi-&gt;rx_rings<br /> <br /> Fix: Keep PTP work cancelled during rebuild, only queue it after<br /> VSI rebuild completes in ice_rebuild().<br /> <br /> Added ice_ptp_queue_work() helper function to encapsulate the logic<br /> for queuing PTP work, ensuring it&amp;#39;s only queued when PTP is supported<br /> and the state is ICE_PTP_READY.<br /> <br /> Error log:<br /> [ 121.392544] ice 0000:60:00.1: PTP reset successful<br /> [ 121.392692] BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> [ 121.392712] #PF: supervisor read access in kernel mode<br /> [ 121.392720] #PF: error_code(0x0000) - not-present page<br /> [ 121.392727] PGD 0<br /> [ 121.392734] Oops: Oops: 0000 [#1] SMP NOPTI<br /> [ 121.392746] CPU: 8 UID: 0 PID: 1005 Comm: ice-ptp-0000:60 Tainted: G S 6.19.0-rc6+ #4 PREEMPT(voluntary)<br /> [ 121.392761] Tainted: [S]=CPU_OUT_OF_SPEC<br /> [ 121.392773] RIP: 0010:ice_ptp_update_cached_phctime+0xbf/0x150 [ice]<br /> [ 121.393042] Call Trace:<br /> [ 121.393047] <br /> [ 121.393055] ice_ptp_periodic_work+0x69/0x180 [ice]<br /> [ 121.393202] kthread_worker_fn+0xa2/0x260<br /> [ 121.393216] ? __pfx_ice_ptp_periodic_work+0x10/0x10 [ice]<br /> [ 121.393359] ? __pfx_kthread_worker_fn+0x10/0x10<br /> [ 121.393371] kthread+0x10d/0x230<br /> [ 121.393382] ? __pfx_kthread+0x10/0x10<br /> [ 121.393393] ret_from_fork+0x273/0x2b0<br /> [ 121.393407] ? __pfx_kthread+0x10/0x10<br /> [ 121.393417] ret_from_fork_asm+0x1a/0x30<br /> [ 121.393432]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: tegra210-quad: Protect curr_xfer check in IRQ handler<br /> <br /> Now that all other accesses to curr_xfer are done under the lock,<br /> protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the<br /> spinlock. Without this protection, the following race can occur:<br /> <br /> CPU0 (ISR thread) CPU1 (timeout path)<br /> ---------------- -------------------<br /> if (!tqspi-&gt;curr_xfer)<br /> // sees non-NULL<br /> spin_lock()<br /> tqspi-&gt;curr_xfer = NULL<br /> spin_unlock()<br /> handle_*_xfer()<br /> spin_lock()<br /> t = tqspi-&gt;curr_xfer // NULL!<br /> ... t-&gt;len ... // NULL dereference!<br /> <br /> With this patch, all curr_xfer accesses are now properly synchronized.<br /> <br /> Although all accesses to curr_xfer are done under the lock, in<br /> tegra_qspi_isr_thread() it checks for NULL, releases the lock and<br /> reacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer().<br /> There is a potential for an update in between, which could cause a NULL<br /> pointer dereference.<br /> <br /> To handle this, add a NULL check inside the handlers after acquiring<br /> the lock. This ensures that if the timeout path has already cleared<br /> curr_xfer, the handler will safely return without dereferencing the<br /> NULL pointer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> macvlan: fix error recovery in macvlan_common_newlink()<br /> <br /> valis provided a nice repro to crash the kernel:<br /> <br /> ip link add p1 type veth peer p2<br /> ip link set address 00:00:00:00:00:20 dev p1<br /> ip link set up dev p1<br /> ip link set up dev p2<br /> <br /> ip link add mv0 link p2 type macvlan mode source<br /> ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20<br /> <br /> ping -c1 -I p1 1.2.3.4<br /> <br /> He also gave a very detailed analysis:<br /> <br /> <br /> <br /> The issue is triggered when a new macvlan link is created with<br /> MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or<br /> MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan<br /> port and register_netdevice() called from macvlan_common_newlink()<br /> fails (e.g. because of the invalid link name).<br /> <br /> In this case macvlan_hash_add_source is called from<br /> macvlan_change_sources() / macvlan_common_newlink():<br /> <br /> This adds a reference to vlan to the port&amp;#39;s vlan_source_hash using<br /> macvlan_source_entry.<br /> <br /> vlan is a pointer to the priv data of the link that is being created.<br /> <br /> When register_netdevice() fails, the error is returned from<br /> macvlan_newlink() to rtnl_newlink_create():<br /> <br /> if (ops-&gt;newlink)<br /> err = ops-&gt;newlink(dev, &amp;params, extack);<br /> else<br /> err = register_netdevice(dev);<br /> if (err

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: usb-audio: Prevent excessive number of frames<br /> <br /> In this case, the user constructed the parameters with maxpacksize 40<br /> for rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer<br /> size for each data URB is maxpacksize * packets, which in this example<br /> is 40 * 6 = 240; When the user performs a write operation to send audio<br /> data into the ALSA PCM playback stream, the calculated number of frames<br /> is packsize[0] * packets = 264, which exceeds the allocated URB buffer<br /> size, triggering the out-of-bounds (OOB) issue reported by syzbot [1].<br /> <br /> Added a check for the number of single data URB frames when calculating<br /> the number of frames to prevent [1].<br /> <br /> [1]<br /> BUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487<br /> Write of size 264 at addr ffff88804337e800 by task syz.0.17/5506<br /> Call Trace:<br /> copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487<br /> prepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611<br /> prepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333