Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> binder: fix race between mmput() and do_exit()<br /> <br /> Task A calls binder_update_page_range() to allocate and insert pages on<br /> a remote address space from Task B. For this, Task A pins the remote mm<br /> via mmget_not_zero() first. This can race with Task B do_exit() and the<br /> final mmput() refcount decrement will come from Task A.<br /> <br /> Task A | Task B<br /> ------------------+------------------<br /> mmget_not_zero() |<br /> | do_exit()<br /> | exit_mm()<br /> | mmput()<br /> mmput() |<br /> exit_mmap() |<br /> remove_vma() |<br /> fput() |<br /> <br /> In this case, the work of ____fput() from Task B is queued up in Task A<br /> as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup<br /> work gets executed. However, Task A instead sleep, waiting for a reply<br /> from Task B that never comes (it&amp;#39;s dead).<br /> <br /> This means the binder_deferred_release() is blocked until an unrelated<br /> binder event forces Task A to go back to userspace. All the associated<br /> death notifications will also be delayed until then.<br /> <br /> In order to fix this use mmput_async() that will schedule the work in<br /> the corresponding mm-&gt;async_put_work WQ instead of Task A.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: act_ct: fix skb leak and crash on ooo frags<br /> <br /> act_ct adds skb-&gt;users before defragmentation. If frags arrive in order,<br /> the last frag&amp;#39;s reference is reset in:<br /> <br /> inet_frag_reasm_prepare<br /> skb_morph<br /> <br /> which is not straightforward.<br /> <br /> However when frags arrive out of order, nobody unref the last frag, and<br /> all frags are leaked. The situation is even worse, as initiating packet<br /> capture can lead to a crash[0] when skb has been cloned and shared at the<br /> same time.<br /> <br /> Fix the issue by removing skb_get() before defragmentation. act_ct<br /> returns TC_ACT_CONSUMED when defrag failed or in progress.<br /> <br /> [0]:<br /> [ 843.804823] ------------[ cut here ]------------<br /> [ 843.809659] kernel BUG at net/core/skbuff.c:2091!<br /> [ 843.814516] invalid opcode: 0000 [#1] PREEMPT SMP<br /> [ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2<br /> [ 843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022<br /> [ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300<br /> [ 843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89<br /> [ 843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202<br /> [ 843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820<br /> [ 843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00<br /> [ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000<br /> [ 843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880<br /> [ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900<br /> [ 843.871680] FS: 0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000<br /> [ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0<br /> [ 843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [ 843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> [ 843.894229] PKRU: 55555554<br /> [ 843.898539] Call Trace:<br /> [ 843.902772] <br /> [ 843.906922] ? __die_body+0x1e/0x60<br /> [ 843.911032] ? die+0x3c/0x60<br /> [ 843.915037] ? do_trap+0xe2/0x110<br /> [ 843.918911] ? pskb_expand_head+0x2ac/0x300<br /> [ 843.922687] ? do_error_trap+0x65/0x80<br /> [ 843.926342] ? pskb_expand_head+0x2ac/0x300<br /> [ 843.929905] ? exc_invalid_op+0x50/0x60<br /> [ 843.933398] ? pskb_expand_head+0x2ac/0x300<br /> [ 843.936835] ? asm_exc_invalid_op+0x1a/0x20<br /> [ 843.940226] ? pskb_expand_head+0x2ac/0x300<br /> [ 843.943580] inet_frag_reasm_prepare+0xd1/0x240<br /> [ 843.946904] ip_defrag+0x5d4/0x870<br /> [ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conntrack]<br /> [ 843.953334] tcf_ct_act+0x252/0xd90 [act_ct]<br /> [ 843.956473] ? tcf_mirred_act+0x516/0x5a0 [act_mirred]<br /> [ 843.959657] tcf_action_exec+0xa1/0x160<br /> [ 843.962823] fl_classify+0x1db/0x1f0 [cls_flower]<br /> [ 843.966010] ? skb_clone+0x53/0xc0<br /> [ 843.969173] tcf_classify+0x24d/0x420<br /> [ 843.972333] tc_run+0x8f/0xf0<br /> [ 843.975465] __netif_receive_skb_core+0x67a/0x1080<br /> [ 843.978634] ? dev_gro_receive+0x249/0x730<br /> [ 843.981759] __netif_receive_skb_list_core+0x12d/0x260<br /> [ 843.984869] netif_receive_skb_list_internal+0x1cb/0x2f0<br /> [ 843.987957] ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core]<br /> [ 843.991170] napi_complete_done+0x72/0x1a0<br /> [ 843.994305] mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core]<br /> [ 843.997501] __napi_poll+0x25/0x1b0<br /> [ 844.000627] net_rx_action+0x256/0x330<br /> [ 844.003705] __do_softirq+0xb3/0x29b<br /> [ 844.006718] irq_exit_rcu+0x9e/0xc0<br /> [ 844.009672] common_interrupt+0x86/0xa0<br /> [ 844.012537] <br /> [ 844.015285] <br /> [ 844.017937] asm_common_interrupt+0x26/0x40<br /> [ 844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20<br /> [ 844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb<br /> ---truncated---

BMC Control-M branches 9.0.20 and 9.0.21 upon user login load all Dynamic Link Libraries (DLL) from a directory that grants Write and Read permissions to all users. Leveraging it leads to loading of a potentially malicious libraries, which will execute with the application&amp;#39;s privileges. <br /> <br /> <br /> <br /> <br /> <br /> Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201.

Lack of input sanitization in BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users for manipulation of generated web pages via injection of HTML code. This might lead to a successful phishing attack for example by tricking users into using a hyperlink pointing to a website controlled by an attacker.<br /> <br /> Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.200. <br /> <br />

Improper authorization in the report management and creation module of BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users to read and make unauthorized changes to any reports available within the application, even without proper permissions. The attacker must know the unique identifier of the report they want to manipulate.<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201.

Improper restriction of XML external entity references vulnerability exists in FitNesse all releases, which allows a remote unauthenticated attacker to obtain sensitive information, alter data, or cause a denial-of-service (DoS) condition.

Cross-site scripting vulnerability exists in FitNesse all releases, which may allow a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product and accessing a link with specially crafted multiple parameters.

Cross-site scripting vulnerability exists in FitNesse releases prior to 20220319, which may allow a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product and accessing a link with a specially crafted certain parameter.

Improper authentication vulnerability in exists in multiple printers and scanners which implement Web Based Management provided by BROTHER INDUSTRIES, LTD. If this vulnerability is exploited, a network-adjacent user who can access the product may impersonate an administrative user. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].

Cross-site request forgery vulnerability in multiple printers and scanners which implement Web Based Management provided by BROTHER INDUSTRIES, LTD. allows a remote unauthenticated attacker to perform unintended operations on the affected product. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].

Cross-site request forgery vulnerability in FUJIFILM printers which implement CentreWare Internet Services or Internet Services allows a remote unauthenticated attacker to alter user information. In the case the user is an administrator, the settings such as the administrator&amp;#39;s ID, password, etc. may be altered. As for the details of affected product names, model numbers, and versions, refer to the information provided by the vendor listed under [References].

FitNesse all releases allows a remote authenticated attacker to execute arbitrary OS commands. Note: A contributor of FitNesse has claimed that this is not a vulnerability but a product specification and this is currently under further investigation.