Vulnerabilities

Improper access control in PAM vault permissions in Devolutions Server 2024.1.10.0 and earlier allows an authenticated user with access to the PAM to access unauthorized PAM entries via a specific set of permissions.<br /> <br />

<br /> A memory corruption vulnerability in Rockwell Automation Arena Simulation software could potentially allow a malicious user to insert unauthorized code to the software by corrupting the memory triggering an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.<br /> <br />

In Eclipse ThreadX NetX Duo before 6.4.0, if an attacker can control <br /> parameters of __portable_aligned_alloc() could cause an integer <br /> wrap-around and an allocation smaller than expected. This could cause <br /> subsequent heap buffer overflows.

A vulnerability has been found in Tenda AC7 15.03.06.44 and classified as critical. Affected by this vulnerability is the function formSetCfm of the file /goform/setcfm. The manipulation of the argument funcpara1 leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257935. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

In Eclipse ThreadX before 6.4.0, xQueueCreate() and xQueueCreateSet() <br /> functions from the FreeRTOS compatibility API <br /> (utility/rtos_compatibility_layers/FreeRTOS/tx_freertos.c) were missing <br /> parameter checks. This could lead to integer wraparound, <br /> under-allocations and heap buffer overflows.

In Eclipse ThreadX before version 6.4.0, the _Mtxinit() function in the <br /> Xtensa port was missing an array size check causing a memory overwrite. <br /> The affected file was ports/xtensa/xcc/src/tx_clib_lock.c

The image upload component allows SVG files and the regular expression used to remove script tags can be bypassed by using a Cross Site Scripting payload which does not match the regular expression; one example of this is the inclusion of whitespace within the script tag. An attacker must target an authenticated user with permissions to access this feature, however once uploaded the payload is also accessible to unauthenticated users.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: don&amp;#39;t abort filesystem when attempting to snapshot deleted subvolume<br /> <br /> If the source file descriptor to the snapshot ioctl refers to a deleted<br /> subvolume, we get the following abort:<br /> <br /> BTRFS: Transaction aborted (error -2)<br /> WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs]<br /> Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c<br /> CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014<br /> RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs]<br /> RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282<br /> RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027<br /> RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840<br /> RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998<br /> R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe<br /> R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80<br /> FS: 00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0<br /> Call Trace:<br /> <br /> ? create_pending_snapshot+0x1040/0x1190 [btrfs]<br /> ? __warn+0x81/0x130<br /> ? create_pending_snapshot+0x1040/0x1190 [btrfs]<br /> ? report_bug+0x171/0x1a0<br /> ? handle_bug+0x3a/0x70<br /> ? exc_invalid_op+0x17/0x70<br /> ? asm_exc_invalid_op+0x1a/0x20<br /> ? create_pending_snapshot+0x1040/0x1190 [btrfs]<br /> ? create_pending_snapshot+0x1040/0x1190 [btrfs]<br /> create_pending_snapshots+0x92/0xc0 [btrfs]<br /> btrfs_commit_transaction+0x66b/0xf40 [btrfs]<br /> btrfs_mksubvol+0x301/0x4d0 [btrfs]<br /> btrfs_mksnapshot+0x80/0xb0 [btrfs]<br /> __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]<br /> btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs]<br /> btrfs_ioctl+0x8a6/0x2650 [btrfs]<br /> ? kmem_cache_free+0x22/0x340<br /> ? do_sys_openat2+0x97/0xe0<br /> __x64_sys_ioctl+0x97/0xd0<br /> do_syscall_64+0x46/0xf0<br /> entry_SYSCALL_64_after_hwframe+0x6e/0x76<br /> RIP: 0033:0x7fe20abe83af<br /> RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010<br /> RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af<br /> RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003<br /> RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br /> R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58<br /> <br /> ---[ end trace 0000000000000000 ]---<br /> BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry<br /> BTRFS info (device vdc: state EA): forced readonly<br /> BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction.<br /> BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry<br /> <br /> This happens because create_pending_snapshot() initializes the new root<br /> item as a copy of the source root item. This includes the refs field,<br /> which is 0 for a deleted subvolume. The call to btrfs_insert_root()<br /> therefore inserts a root with refs == 0. btrfs_get_new_fs_root() then<br /> finds the root and returns -ENOENT if refs == 0, which causes<br /> create_pending_snapshot() to abort.<br /> <br /> Fix it by checking the source root&amp;#39;s refs before attempting the<br /> snapshot, but after locking subvol_sem to avoid racing with deletion.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tracing: Ensure visibility when inserting an element into tracing_map<br /> <br /> Running the following two commands in parallel on a multi-processor<br /> AArch64 machine can sporadically produce an unexpected warning about<br /> duplicate histogram entries:<br /> <br /> $ while true; do<br /> echo hist:key=id.syscall:val=hitcount &gt; \<br /> /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/trigger<br /> cat /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/hist<br /> sleep 0.001<br /> done<br /> $ stress-ng --sysbadaddr $(nproc)<br /> <br /> The warning looks as follows:<br /> <br /> [ 2911.172474] ------------[ cut here ]------------<br /> [ 2911.173111] Duplicates detected: 1<br /> [ 2911.173574] WARNING: CPU: 2 PID: 12247 at kernel/trace/tracing_map.c:983 tracing_map_sort_entries+0x3e0/0x408<br /> [ 2911.174702] Modules linked in: iscsi_ibft(E) iscsi_boot_sysfs(E) rfkill(E) af_packet(E) nls_iso8859_1(E) nls_cp437(E) vfat(E) fat(E) ena(E) tiny_power_button(E) qemu_fw_cfg(E) button(E) fuse(E) efi_pstore(E) ip_tables(E) x_tables(E) xfs(E) libcrc32c(E) aes_ce_blk(E) aes_ce_cipher(E) crct10dif_ce(E) polyval_ce(E) polyval_generic(E) ghash_ce(E) gf128mul(E) sm4_ce_gcm(E) sm4_ce_ccm(E) sm4_ce(E) sm4_ce_cipher(E) sm4(E) sm3_ce(E) sm3(E) sha3_ce(E) sha512_ce(E) sha512_arm64(E) sha2_ce(E) sha256_arm64(E) nvme(E) sha1_ce(E) nvme_core(E) nvme_auth(E) t10_pi(E) sg(E) scsi_mod(E) scsi_common(E) efivarfs(E)<br /> [ 2911.174738] Unloaded tainted modules: cppc_cpufreq(E):1<br /> [ 2911.180985] CPU: 2 PID: 12247 Comm: cat Kdump: loaded Tainted: G E 6.7.0-default #2 1b58bbb22c97e4399dc09f92d309344f69c44a01<br /> [ 2911.182398] Hardware name: Amazon EC2 c7g.8xlarge/, BIOS 1.0 11/1/2018<br /> [ 2911.183208] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)<br /> [ 2911.184038] pc : tracing_map_sort_entries+0x3e0/0x408<br /> [ 2911.184667] lr : tracing_map_sort_entries+0x3e0/0x408<br /> [ 2911.185310] sp : ffff8000a1513900<br /> [ 2911.185750] x29: ffff8000a1513900 x28: ffff0003f272fe80 x27: 0000000000000001<br /> [ 2911.186600] x26: ffff0003f272fe80 x25: 0000000000000030 x24: 0000000000000008<br /> [ 2911.187458] x23: ffff0003c5788000 x22: ffff0003c16710c8 x21: ffff80008017f180<br /> [ 2911.188310] x20: ffff80008017f000 x19: ffff80008017f180 x18: ffffffffffffffff<br /> [ 2911.189160] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000a15134b8<br /> [ 2911.190015] x14: 0000000000000000 x13: 205d373432323154 x12: 5b5d313131333731<br /> [ 2911.190844] x11: 00000000fffeffff x10: 00000000fffeffff x9 : ffffd1b78274a13c<br /> [ 2911.191716] x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 000000000057ffa8<br /> [ 2911.192554] x5 : ffff0012f6c24ec0 x4 : 0000000000000000 x3 : ffff2e5b72b5d000<br /> [ 2911.193404] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0003ff254480<br /> [ 2911.194259] Call trace:<br /> [ 2911.194626] tracing_map_sort_entries+0x3e0/0x408<br /> [ 2911.195220] hist_show+0x124/0x800<br /> [ 2911.195692] seq_read_iter+0x1d4/0x4e8<br /> [ 2911.196193] seq_read+0xe8/0x138<br /> [ 2911.196638] vfs_read+0xc8/0x300<br /> [ 2911.197078] ksys_read+0x70/0x108<br /> [ 2911.197534] __arm64_sys_read+0x24/0x38<br /> [ 2911.198046] invoke_syscall+0x78/0x108<br /> [ 2911.198553] el0_svc_common.constprop.0+0xd0/0xf8<br /> [ 2911.199157] do_el0_svc+0x28/0x40<br /> [ 2911.199613] el0_svc+0x40/0x178<br /> [ 2911.200048] el0t_64_sync_handler+0x13c/0x158<br /> [ 2911.200621] el0t_64_sync+0x1a8/0x1b0<br /> [ 2911.201115] ---[ end trace 0000000000000000 ]---<br /> <br /> The problem appears to be caused by CPU reordering of writes issued from<br /> __tracing_map_insert().<br /> <br /> The check for the presence of an element with a given key in this<br /> function is:<br /> <br /> val = READ_ONCE(entry-&gt;val);<br /> if (val &amp;&amp; keys_match(key, val-&gt;key, map-&gt;key_size)) ...<br /> <br /> The write of a new entry is:<br /> <br /> elt = get_free_elt(map);<br /> memcpy(elt-&gt;key, key, map-&gt;key_size);<br /> entry-&gt;val = elt;<br /> <br /> The "memcpy(elt-&gt;key, key, map-&gt;key_size);" and "entry-&gt;val = elt;"<br /> stores may become visible in the reversed order on another CPU. This<br /> second CPU might then incorrectly determine that a new key doesn&amp;#39;t match<br /> an already present val-&gt;key and subse<br /> ---truncated---

The image_id parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the image_id parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The attacker must target a an authenticated user with permissions to access this component to exploit this issue.

The image_url parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the image_url parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The attacker must target a an authenticated user with permissions to access this component to exploit this issue.

The thumb_url parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the thumb_url parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The attacker must target a an authenticated user with permissions to access this component to exploit this issue.