Vulnerabilities

An attacker with access to the network where the CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could obtain legitimate credentials or steal sessions due to the fact that the device only implements the HTTP protocol. This fact prevents a secure communication channel from being established.

Vulnerability in CIRCUTOR TCP2RS+ firmware version 1.3b, which could allow an attacker to modify any configuration value, even if the device has the user/password authentication option enabled, without authentication by sending packets through the UDP protocol and port 2000, deconfiguring the device and thus disabling its use. This equipment is at the end of its useful life cycle.

An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc.

Vulnerability in CIRCUTOR TCP2RS+ firmware version 1.3b, which could allow an attacker to modify any configuration value, even if the device has the user/password authentication option enabled, without authentication by sending packets through the UDP protocol and port 2000, deconfiguring the device and thus disabling its use. This equipment is at the end of its useful life cycle.

Improper Restriction of Excessive Authentication Attempts vulnerability in Yordam Information Technology Yordam Library Automation System allows Interface Manipulation.This issue affects Yordam Library Automation System: before 20.1.

Missing Authentication for Critical Function, Missing Authorization vulnerability in Yordam Information Technology Mobile Library Application allows Retrieve Embedded Sensitive Data.This issue affects Mobile Library Application: before 5.0.

IBM Business Automation Workflow <br /> <br /> 22.0.2, 23.0.1, 23.0.2, and 24.0.0<br /> <br /> could allow a privileged user to perform unauthorized activities due to improper client side validation.

CIRCUTOR Q-SMT in its firmware version 1.0.4, could be affected by a denial of service (DoS) attack if an attacker with access to the web service bypasses the authentication mechanisms on the login page, allowing the attacker to use all the functionalities implemented at web level that allow interacting with the device.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> codetag: debug: mark codetags for poisoned page as empty<br /> <br /> When PG_hwpoison pages are freed they are treated differently in<br /> free_pages_prepare() and instead of being released they are isolated.<br /> <br /> Page allocation tag counters are decremented at this point since the page<br /> is considered not in use. Later on when such pages are released by<br /> unpoison_memory(), the allocation tag counters will be decremented again<br /> and the following warning gets reported:<br /> <br /> [ 113.930443][ T3282] ------------[ cut here ]------------<br /> [ 113.931105][ T3282] alloc_tag was not set<br /> [ 113.931576][ T3282] WARNING: CPU: 2 PID: 3282 at ./include/linux/alloc_tag.h:130 pgalloc_tag_sub.part.66+0x154/0x164<br /> [ 113.932866][ T3282] Modules linked in: hwpoison_inject fuse ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ebtable_nat ebtable_broute ip6table_nat ip6table_man4<br /> [ 113.941638][ T3282] CPU: 2 UID: 0 PID: 3282 Comm: madvise11 Kdump: loaded Tainted: G W 6.11.0-rc4-dirty #18<br /> [ 113.943003][ T3282] Tainted: [W]=WARN<br /> [ 113.943453][ T3282] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022<br /> [ 113.944378][ T3282] pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 113.945319][ T3282] pc : pgalloc_tag_sub.part.66+0x154/0x164<br /> [ 113.946016][ T3282] lr : pgalloc_tag_sub.part.66+0x154/0x164<br /> [ 113.946706][ T3282] sp : ffff800087093a10<br /> [ 113.947197][ T3282] x29: ffff800087093a10 x28: ffff0000d7a9d400 x27: ffff80008249f0a0<br /> [ 113.948165][ T3282] x26: 0000000000000000 x25: ffff80008249f2b0 x24: 0000000000000000<br /> [ 113.949134][ T3282] x23: 0000000000000001 x22: 0000000000000001 x21: 0000000000000000<br /> [ 113.950597][ T3282] x20: ffff0000c08fcad8 x19: ffff80008251e000 x18: ffffffffffffffff<br /> [ 113.952207][ T3282] x17: 0000000000000000 x16: 0000000000000000 x15: ffff800081746210<br /> [ 113.953161][ T3282] x14: 0000000000000000 x13: 205d323832335420 x12: 5b5d353031313339<br /> [ 113.954120][ T3282] x11: ffff800087093500 x10: 000000000000005d x9 : 00000000ffffffd0<br /> [ 113.955078][ T3282] x8 : 7f7f7f7f7f7f7f7f x7 : ffff80008236ba90 x6 : c0000000ffff7fff<br /> [ 113.956036][ T3282] x5 : ffff000b34bf4dc8 x4 : ffff8000820aba90 x3 : 0000000000000001<br /> [ 113.956994][ T3282] x2 : ffff800ab320f000 x1 : 841d1e35ac932e00 x0 : 0000000000000000<br /> [ 113.957962][ T3282] Call trace:<br /> [ 113.958350][ T3282] pgalloc_tag_sub.part.66+0x154/0x164<br /> [ 113.959000][ T3282] pgalloc_tag_sub+0x14/0x1c<br /> [ 113.959539][ T3282] free_unref_page+0xf4/0x4b8<br /> [ 113.960096][ T3282] __folio_put+0xd4/0x120<br /> [ 113.960614][ T3282] folio_put+0x24/0x50<br /> [ 113.961103][ T3282] unpoison_memory+0x4f0/0x5b0<br /> [ 113.961678][ T3282] hwpoison_unpoison+0x30/0x48 [hwpoison_inject]<br /> [ 113.962436][ T3282] simple_attr_write_xsigned.isra.34+0xec/0x1cc<br /> [ 113.963183][ T3282] simple_attr_write+0x38/0x48<br /> [ 113.963750][ T3282] debugfs_attr_write+0x54/0x80<br /> [ 113.964330][ T3282] full_proxy_write+0x68/0x98<br /> [ 113.964880][ T3282] vfs_write+0xdc/0x4d0<br /> [ 113.965372][ T3282] ksys_write+0x78/0x100<br /> [ 113.965875][ T3282] __arm64_sys_write+0x24/0x30<br /> [ 113.966440][ T3282] invoke_syscall+0x7c/0x104<br /> [ 113.966984][ T3282] el0_svc_common.constprop.1+0x88/0x104<br /> [ 113.967652][ T3282] do_el0_svc+0x2c/0x38<br /> [ 113.968893][ T3282] el0_svc+0x3c/0x1b8<br /> [ 113.969379][ T3282] el0t_64_sync_handler+0x98/0xbc<br /> [ 113.969980][ T3282] el0t_64_sync+0x19c/0x1a0<br /> [ 113.970511][ T3282] ---[ end trace 0000000000000000 ]---<br /> <br /> To fix this, clear the page tag reference after the page got isolated<br /> and accounted for.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> riscv: misaligned: Restrict user access to kernel memory<br /> <br /> raw_copy_{to,from}_user() do not call access_ok(), so this code allowed<br /> userspace to access any virtual memory address.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder<br /> <br /> Since commit 13f58267cda3 ("ASoC: soc.h: don&amp;#39;t create dummy Component<br /> via COMP_DUMMY()") dummy codecs declared like this:<br /> <br /> SND_SOC_DAILINK_DEF(dummy,<br /> DAILINK_COMP_ARRAY(COMP_DUMMY()));<br /> <br /> expand to:<br /> <br /> static struct snd_soc_dai_link_component dummy[] = {<br /> };<br /> <br /> Which means that dummy is a zero sized array and thus dais[i].codecs should<br /> not be dereferenced *at all* since it points to the address of the next<br /> variable stored in the data section as the "dummy" variable has an address<br /> but no size, so even dereferencing dais[0] is already an out of bounds<br /> array reference.<br /> <br /> Which means that the if (dais[i].codecs-&gt;name) check added in<br /> commit 7d99a70b6595 ("ASoC: Intel: Boards: Fix NULL pointer deref<br /> in BYT/CHT boards") relies on that the part of the next variable which<br /> the name member maps to just happens to be NULL.<br /> <br /> Which apparently so far it usually is, except when it isn&amp;#39;t<br /> and then it results in crashes like this one:<br /> <br /> [ 28.795659] BUG: unable to handle page fault for address: 0000000000030011<br /> ...<br /> [ 28.795780] Call Trace:<br /> [ 28.795787] <br /> ...<br /> [ 28.795862] ? strcmp+0x18/0x40<br /> [ 28.795872] 0xffffffffc150c605<br /> [ 28.795887] platform_probe+0x40/0xa0<br /> ...<br /> [ 28.795979] ? __pfx_init_module+0x10/0x10 [snd_soc_sst_bytcr_wm5102]<br /> <br /> Really fix things this time around by checking dais.num_codecs != 0.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix double put of @cfile in smb2_set_path_size()<br /> <br /> If smb2_compound_op() is called with a valid @cfile and returned<br /> -EINVAL, we need to call cifs_get_writable_path() before retrying it<br /> as the reference of @cfile was already dropped by previous call.<br /> <br /> This fixes the following KASAN splat when running fstests generic/013<br /> against Windows Server 2022:<br /> <br /> CIFS: Attempting to mount //w22-fs0/scratch<br /> run fstests generic/013 at 2024-09-02 19:48:59<br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200<br /> Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176<br /> <br /> CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40<br /> 04/01/2014<br /> Workqueue: cifsoplockd cifs_oplock_break [cifs]<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x5d/0x80<br /> ? detach_if_pending+0xab/0x200<br /> print_report+0x156/0x4d9<br /> ? detach_if_pending+0xab/0x200<br /> ? __virt_addr_valid+0x145/0x300<br /> ? __phys_addr+0x46/0x90<br /> ? detach_if_pending+0xab/0x200<br /> kasan_report+0xda/0x110<br /> ? detach_if_pending+0xab/0x200<br /> detach_if_pending+0xab/0x200<br /> timer_delete+0x96/0xe0<br /> ? __pfx_timer_delete+0x10/0x10<br /> ? rcu_is_watching+0x20/0x50<br /> try_to_grab_pending+0x46/0x3b0<br /> __cancel_work+0x89/0x1b0<br /> ? __pfx___cancel_work+0x10/0x10<br /> ? kasan_save_track+0x14/0x30<br /> cifs_close_deferred_file+0x110/0x2c0 [cifs]<br /> ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]<br /> ? __pfx_down_read+0x10/0x10<br /> cifs_oplock_break+0x4c1/0xa50 [cifs]<br /> ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]<br /> ? lock_is_held_type+0x85/0xf0<br /> ? mark_held_locks+0x1a/0x90<br /> process_one_work+0x4c6/0x9f0<br /> ? find_held_lock+0x8a/0xa0<br /> ? __pfx_process_one_work+0x10/0x10<br /> ? lock_acquired+0x220/0x550<br /> ? __list_add_valid_or_report+0x37/0x100<br /> worker_thread+0x2e4/0x570<br /> ? __kthread_parkme+0xd1/0xf0<br /> ? __pfx_worker_thread+0x10/0x10<br /> kthread+0x17f/0x1c0<br /> ? kthread+0xda/0x1c0<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x31/0x60<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> <br /> Allocated by task 1118:<br /> kasan_save_stack+0x30/0x50<br /> kasan_save_track+0x14/0x30<br /> __kasan_kmalloc+0xaa/0xb0<br /> cifs_new_fileinfo+0xc8/0x9d0 [cifs]<br /> cifs_atomic_open+0x467/0x770 [cifs]<br /> lookup_open.isra.0+0x665/0x8b0<br /> path_openat+0x4c3/0x1380<br /> do_filp_open+0x167/0x270<br /> do_sys_openat2+0x129/0x160<br /> __x64_sys_creat+0xad/0xe0<br /> do_syscall_64+0xbb/0x1d0<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Freed by task 83:<br /> kasan_save_stack+0x30/0x50<br /> kasan_save_track+0x14/0x30<br /> kasan_save_free_info+0x3b/0x70<br /> poison_slab_object+0xe9/0x160<br /> __kasan_slab_free+0x32/0x50<br /> kfree+0xf2/0x300<br /> process_one_work+0x4c6/0x9f0<br /> worker_thread+0x2e4/0x570<br /> kthread+0x17f/0x1c0<br /> ret_from_fork+0x31/0x60<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> Last potentially related work creation:<br /> kasan_save_stack+0x30/0x50<br /> __kasan_record_aux_stack+0xad/0xc0<br /> insert_work+0x29/0xe0<br /> __queue_work+0x5ea/0x760<br /> queue_work_on+0x6d/0x90<br /> _cifsFileInfo_put+0x3f6/0x770 [cifs]<br /> smb2_compound_op+0x911/0x3940 [cifs]<br /> smb2_set_path_size+0x228/0x270 [cifs]<br /> cifs_set_file_size+0x197/0x460 [cifs]<br /> cifs_setattr+0xd9c/0x14b0 [cifs]<br /> notify_change+0x4e3/0x740<br /> do_truncate+0xfa/0x180<br /> vfs_truncate+0x195/0x200<br /> __x64_sys_truncate+0x109/0x150<br /> do_syscall_64+0xbb/0x1d0<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f