Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: implement lockless setsockopt(SO_PEEK_OFF)<br /> <br /> syzbot reported a lockdep violation [1] involving af_unix<br /> support of SO_PEEK_OFF.<br /> <br /> Since SO_PEEK_OFF is inherently not thread safe (it uses a per-socket<br /> sk_peek_off field), there is really no point to enforce a pointless<br /> thread safety in the kernel.<br /> <br /> After this patch :<br /> <br /> - setsockopt(SO_PEEK_OFF) no longer acquires the socket lock.<br /> <br /> - skb_consume_udp() no longer has to acquire the socket lock.<br /> <br /> - af_unix no longer needs a special version of sk_set_peek_off(),<br /> because it does not lock u-&gt;iolock anymore.<br /> <br /> As a followup, we could replace prot-&gt;set_peek_off to be a boolean<br /> and avoid an indirect call, since we always use sk_set_peek_off().<br /> <br /> [1]<br /> <br /> WARNING: possible circular locking dependency detected<br /> 6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0 Not tainted<br /> <br /> syz-executor.2/30025 is trying to acquire lock:<br /> ffff8880765e7d80 (&amp;u-&gt;iolock){+.+.}-{3:3}, at: unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789<br /> <br /> but task is already holding lock:<br /> ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]<br /> ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline]<br /> ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193<br /> <br /> which lock already depends on the new lock.<br /> <br /> the existing dependency chain (in reverse order) is:<br /> <br /> -&gt; #1 (sk_lock-AF_UNIX){+.+.}-{0:0}:<br /> lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754<br /> lock_sock_nested+0x48/0x100 net/core/sock.c:3524<br /> lock_sock include/net/sock.h:1691 [inline]<br /> __unix_dgram_recvmsg+0x1275/0x12c0 net/unix/af_unix.c:2415<br /> sock_recvmsg_nosec+0x18e/0x1d0 net/socket.c:1046<br /> ____sys_recvmsg+0x3c0/0x470 net/socket.c:2801<br /> ___sys_recvmsg net/socket.c:2845 [inline]<br /> do_recvmmsg+0x474/0xae0 net/socket.c:2939<br /> __sys_recvmmsg net/socket.c:3018 [inline]<br /> __do_sys_recvmmsg net/socket.c:3041 [inline]<br /> __se_sys_recvmmsg net/socket.c:3034 [inline]<br /> __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034<br /> do_syscall_64+0xf9/0x240<br /> entry_SYSCALL_64_after_hwframe+0x6f/0x77<br /> <br /> -&gt; #0 (&amp;u-&gt;iolock){+.+.}-{3:3}:<br /> check_prev_add kernel/locking/lockdep.c:3134 [inline]<br /> check_prevs_add kernel/locking/lockdep.c:3253 [inline]<br /> validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869<br /> __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137<br /> lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754<br /> __mutex_lock_common kernel/locking/mutex.c:608 [inline]<br /> __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752<br /> unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789<br /> sk_setsockopt+0x207e/0x3360<br /> do_sock_setsockopt+0x2fb/0x720 net/socket.c:2307<br /> __sys_setsockopt+0x1ad/0x250 net/socket.c:2334<br /> __do_sys_setsockopt net/socket.c:2343 [inline]<br /> __se_sys_setsockopt net/socket.c:2340 [inline]<br /> __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340<br /> do_syscall_64+0xf9/0x240<br /> entry_SYSCALL_64_after_hwframe+0x6f/0x77<br /> <br /> other info that might help us debug this:<br /> <br /> Possible unsafe locking scenario:<br /> <br /> CPU0 CPU1<br /> ---- ----<br /> lock(sk_lock-AF_UNIX);<br /> lock(&amp;u-&gt;iolock);<br /> lock(sk_lock-AF_UNIX);<br /> lock(&amp;u-&gt;iolock);<br /> <br /> *** DEADLOCK ***<br /> <br /> 1 lock held by syz-executor.2/30025:<br /> #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]<br /> #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline]<br /> #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193<br /> <br /> stack backtrace:<br /> CPU: 0 PID: 30025 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0<br /> Hardware name: Google Google C<br /> ---truncated---

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

A vulnerability in Cisco Emergency Responder could allow an unauthenticated, remote attacker to conduct a CSRF attack, which could allow the attacker to perform arbitrary actions on an affected device. This vulnerability is due to insufficient protections for the web UI of an affected system. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user, such as deleting users from the device.

A vulnerability in the Out-of-Band (OOB) Plug and Play (PnP) feature of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an unauthenticated, remote attacker to read arbitrary files.<br /> <br /> This vulnerability is due to an unauthenticated provisioning web server. An attacker could exploit this vulnerability through direct web requests to the provisioning server. A successful exploit could allow the attacker to read sensitive files in the PnP container that could facilitate further attacks on the PnP infrastructure.

A vulnerability in Cisco Emergency Responder could allow an authenticated, remote attacker to conduct a directory traversal attack, which could allow the attacker to perform arbitrary actions on an affected device. This vulnerability is due to insufficient protections for the web UI of an affected system. An attacker could exploit this vulnerability by sending crafted requests to the web UI. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user, such as accessing password or log files or uploading and deleting existing files from the system.

A vulnerability in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.<br /> <br /> This vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by persuading a user to visit specific web pages that include malicious payloads. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

A vulnerability in the web UI of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.<br /> <br /> This vulnerability exists because the web UI does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To successfully exploit this vulnerability, an attacker would need valid agent credentials.

A vulnerability in Cisco Nexus Dashboard could allow an authenticated, remote attacker to learn cluster deployment information on an affected device.<br /> <br /> This vulnerability is due to improper access controls on a specific API endpoint. An attacker could exploit this vulnerability by sending queries to the API endpoint. A successful exploit could allow an attacker to access metrics and information about devices in the Nexus Dashboard cluster.

A vulnerability in the tenant security implementation of Cisco Nexus Dashboard Orchestrator (NDO) could allow an authenticated, remote attacker to modify or delete tenant templates on an affected system. <br /> <br /> This vulnerability is due to improper access controls within tenant security. An attacker who is using a valid user account with write privileges and either a Site Manager or Tenant Manager role could exploit this vulnerability. A successful exploit could allow the attacker to modify or delete tenant templates under non-associated tenants, which could disrupt network traffic.

A vulnerability in the web-based interface of Cisco Unified Communications Manager IM &amp; Presence Service (Unified CM IM&amp;P) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against an authenticated user of the interface.<br /> <br /> This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading an authenticated user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a server-side request forgery (SSRF) attack through an affected device.<br /> <br /> This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device. To successfully exploit this vulnerability, the attacker would need valid Super Admin credentials.

A vulnerability in the web-based management interface of Cisco TelePresence Management Suite (TMS) could allow a low-privileged, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.<br /> <br /> This vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by inserting malicious data in a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.