Vulnerabilidades

*** Pendiente de traducción *** Authorization Bypass Through User-Controlled Key vulnerability in Beefull Energy Technologies Beefull App allows Exploitation of Trusted Identifiers.This issue affects Beefull App: before 24.07.2025.

*** Pendiente de traducción *** Memory corruptions can be remotely triggered in the Control-M/Agent when SSL/TLS communication is configured.<br /> <br /> <br /> The issue occurs in the following cases:<br /> <br /> * Control-M/Agent 9.0.20: SSL/TLS configuration is set to the non-default setting "use_openssl=n";<br /> * Control-M/Agent 9.0.21 and 9.0.22: Agent router configuration uses the non-default settings "JAVA_AR=N" and "use_openssl=n".

*** Pendiente de traducción *** A stack-based buffer overflow can be remotely triggered when formatting an error message in the Control-M/Agent when SSL/TLS communication is configured.<br /> <br /> <br /> The issue occurs in the following cases:<br /> <br /> * Control-M/Agent 9.0.20: SSL/TLS configuration is set to the non-default setting "use_openssl=n";<br /> * Control-M/Agent 9.0.21 and 9.0.22: Agent router configuration uses the non-default settings "JAVA_AR=N" and "use_openssl=n".

*** Pendiente de traducción *** A path traversal in the Control-M/Agent can lead to a local privilege escalation when an attacker has access to the system running the Agent. This vulnerability impacts the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions. This vulnerability was fixed in 9.0.20.100 and above.

*** Pendiente de traducción *** A buffer overflow in the Control-M/Agent can lead to a local privilege escalation when an attacker has access to the system running the Agent.<br /> <br /> This vulnerability impacts the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions.

*** Pendiente de traducción *** If the Access Control List is enforced by the Control-M/Agent and the C router is in use (default in Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions; non-default but configurable using the JAVA_AR setting in newer versions), the verification stops at the first NULL byte encountered in the email address referenced in the client certificate. An attacker could bypass configured ACLs by using a specially crafted certificate.

*** Pendiente de traducción *** The improper order of AUTHORIZED_CTM_IP validation in the Control-M/Agent, where the Control-M/Server IP address is validated only after the SSL/TLS handshake is completed, exposes the Control-M/Agent to vulnerabilities in the SSL/TLS implementation under certain non-default conditions (e.g. CVE-2025-55117 or CVE-2025-55118) or potentially to resource exhaustion.

*** Pendiente de traducción *** Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 (and potentially earlier unsupported versions) that are configured to use the non-default Blowfish cryptography algorithm use a hardcoded key. An attacker with access to network traffic and to this key could decrypt network traffic between the Control-M/Agent and Server.

*** Pendiente de traducción *** Certain files with overly permissive permissions were identified in the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions as well as in newer versions which were upgraded from an affected version. These files contain keys and passwords relating to SSL files, keystore and policies. An attacker with local access to the system running the Agent can access these files.

*** Pendiente de traducción *** An authentication bypass vulnerability exists in the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions when using an empty or default kdb keystore or a default PKCS#12 keystore. A remote attacker with access to a signed third-party or demo certificate for client authentication can bypass the need for a certificate signed by the certificate authority of the organization during authentication on the Control-M/Agent.<br /> <br /> The Control-M/Agent contains hardcoded certificates which are only trusted as fallback if an empty kdb keystore is used; they are never trusted if a PKCS#12 keystore is used. All of these certificates are now expired.<br /> <br /> <br /> In addition, the Control-M/Agent default kdb and PKCS#12 keystores contain trusted third-party certificates (external recognized CAs and default self-signed demo certificates) which are trusted for client authentication.

*** Pendiente de traducción *** Control-M/Agents use a kdb or PKCS#12 keystore by default, and the default keystore password is well known and documented.<br /> <br /> An attacker with read access to the keystore could access sensitive data using this password.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().<br /> <br /> syzbot reported the splat below. [0]<br /> <br /> When atmtcp_v_open() or atmtcp_v_close() is called via connect()<br /> or close(), atmtcp_send_control() is called to send an in-kernel<br /> special message.<br /> <br /> The message has ATMTCP_HDR_MAGIC in atmtcp_control.hdr.length.<br /> Also, a pointer of struct atm_vcc is set to atmtcp_control.vcc.<br /> <br /> The notable thing is struct atmtcp_control is uAPI but has a<br /> space for an in-kernel pointer.<br /> <br /> struct atmtcp_control {<br /> struct atmtcp_hdr hdr; /* must be first */<br /> ...<br /> atm_kptr_t vcc; /* both directions */<br /> ...<br /> } __ATM_API_ALIGN;<br /> <br /> typedef struct { unsigned char _[8]; } __ATM_API_ALIGN atm_kptr_t;<br /> <br /> The special message is processed in atmtcp_recv_control() called<br /> from atmtcp_c_send().<br /> <br /> atmtcp_c_send() is vcc-&gt;dev-&gt;ops-&gt;send() and called from 2 paths:<br /> <br /> 1. .ndo_start_xmit() (vcc-&gt;send() == atm_send_aal0())<br /> 2. vcc_sendmsg()<br /> <br /> The problem is sendmsg() does not validate the message length and<br /> userspace can abuse atmtcp_recv_control() to overwrite any kptr<br /> by atmtcp_control.<br /> <br /> Let&amp;#39;s add a new -&gt;pre_send() hook to validate messages from sendmsg().<br /> <br /> [0]:<br /> Oops: general protection fault, probably for non-canonical address 0xdffffc00200000ab: 0000 [#1] SMP KASAN PTI<br /> KASAN: probably user-memory-access in range [0x0000000100000558-0x000000010000055f]<br /> CPU: 0 UID: 0 PID: 5865 Comm: syz-executor331 Not tainted 6.17.0-rc1-syzkaller-00215-gbab3ce404553 #0 PREEMPT(full)<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025<br /> RIP: 0010:atmtcp_recv_control drivers/atm/atmtcp.c:93 [inline]<br /> RIP: 0010:atmtcp_c_send+0x1da/0x950 drivers/atm/atmtcp.c:297<br /> Code: 4d 8d 75 1a 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 15 06 00 00 41 0f b7 1e 4d 8d b7 60 05 00 00 4c 89 f0 48 c1 e8 03 0f b6 04 20 84 c0 0f 85 13 06 00 00 66 41 89 1e 4d 8d 75 1c 4c<br /> RSP: 0018:ffffc90003f5f810 EFLAGS: 00010203<br /> RAX: 00000000200000ab RBX: 0000000000000000 RCX: 0000000000000000<br /> RDX: ffff88802a510000 RSI: 00000000ffffffff RDI: ffff888030a6068c<br /> RBP: ffff88802699fb40 R08: ffff888030a606eb R09: 1ffff1100614c0dd<br /> R10: dffffc0000000000 R11: ffffffff8718fc40 R12: dffffc0000000000<br /> R13: ffff888030a60680 R14: 000000010000055f R15: 00000000ffffffff<br /> FS: 00007f8d7e9236c0(0000) GS:ffff888125c1c000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000000000045ad50 CR3: 0000000075bde000 CR4: 00000000003526f0<br /> Call Trace:<br /> <br /> vcc_sendmsg+0xa10/0xc60 net/atm/common.c:645<br /> sock_sendmsg_nosec net/socket.c:714 [inline]<br /> __sock_sendmsg+0x219/0x270 net/socket.c:729<br /> ____sys_sendmsg+0x505/0x830 net/socket.c:2614<br /> ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668<br /> __sys_sendmsg net/socket.c:2700 [inline]<br /> __do_sys_sendmsg net/socket.c:2705 [inline]<br /> __se_sys_sendmsg net/socket.c:2703 [inline]<br /> __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7f8d7e96a4a9<br /> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007f8d7e923198 EFLAGS: 00000246 ORIG_RAX: 000000000000002e<br /> RAX: ffffffffffffffda RBX: 00007f8d7e9f4308 RCX: 00007f8d7e96a4a9<br /> RDX: 0000000000000000 RSI: 0000200000000240 RDI: 0000000000000005<br /> RBP: 00007f8d7e9f4300 R08: 65732f636f72702f R09: 65732f636f72702f<br /> R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f8d7e9c10ac<br /> R13: 00007f8d7e9231a0 R14: 0000200000000200 R15: 0000200000000250<br /> <br /> Modules linked in: