Vulnerabilidades

*** Pendiente de traducción *** Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the wanSpeed2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

*** Pendiente de traducción *** Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the wanMTU2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

*** Pendiente de traducción *** Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the cloneType2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

*** Pendiente de traducción *** Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the serviceName2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

*** Pendiente de traducción *** Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the security_5g parameter of the sub_4CA50 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: hns3: using the num_tqps in the vf driver to apply for resources<br /> <br /> Currently, hdev-&gt;htqp is allocated using hdev-&gt;num_tqps, and kinfo-&gt;tqp<br /> is allocated using kinfo-&gt;num_tqps. However, kinfo-&gt;num_tqps is set to<br /> min(new_tqps, hdev-&gt;num_tqps); Therefore, kinfo-&gt;num_tqps may be smaller<br /> than hdev-&gt;num_tqps, which causes some hdev-&gt;htqp[i] to remain<br /> uninitialized in hclgevf_knic_setup().<br /> <br /> Thus, this patch allocates hdev-&gt;htqp and kinfo-&gt;tqp using hdev-&gt;num_tqps,<br /> ensuring that the lengths of hdev-&gt;htqp and kinfo-&gt;tqp are consistent<br /> and that all elements are properly initialized.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change<br /> <br /> zdi-disclosures@trendmicro.com says:<br /> <br /> The vulnerability is a race condition between `ets_qdisc_dequeue` and<br /> `ets_qdisc_change`. It leads to UAF on `struct Qdisc` object.<br /> Attacker requires the capability to create new user and network namespace<br /> in order to trigger the bug.<br /> See my additional commentary at the end of the analysis.<br /> <br /> Analysis:<br /> <br /> static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,<br /> struct netlink_ext_ack *extack)<br /> {<br /> ...<br /> <br /> // (1) this lock is preventing .change handler (`ets_qdisc_change`)<br /> //to race with .dequeue handler (`ets_qdisc_dequeue`)<br /> sch_tree_lock(sch);<br /> <br /> for (i = nbands; i = q-&gt;nstrict &amp;&amp; q-&gt;classes[i].qdisc-&gt;q.qlen)<br /> list_del_init(&amp;q-&gt;classes[i].alist);<br /> qdisc_purge_queue(q-&gt;classes[i].qdisc);<br /> }<br /> <br /> WRITE_ONCE(q-&gt;nbands, nbands);<br /> for (i = nstrict; i nstrict; i++) {<br /> if (q-&gt;classes[i].qdisc-&gt;q.qlen) {<br /> // (2) the class is added to the q-&gt;active<br /> list_add_tail(&amp;q-&gt;classes[i].alist, &amp;q-&gt;active);<br /> q-&gt;classes[i].deficit = quanta[i];<br /> }<br /> }<br /> WRITE_ONCE(q-&gt;nstrict, nstrict);<br /> memcpy(q-&gt;prio2band, priomap, sizeof(priomap));<br /> <br /> for (i = 0; i nbands; i++)<br /> WRITE_ONCE(q-&gt;classes[i].quantum, quanta[i]);<br /> <br /> for (i = oldbands; i nbands; i++) {<br /> q-&gt;classes[i].qdisc = queues[i];<br /> if (q-&gt;classes[i].qdisc != &amp;noop_qdisc)<br /> qdisc_hash_add(q-&gt;classes[i].qdisc, true);<br /> }<br /> <br /> // (3) the qdisc is unlocked, now dequeue can be called in parallel<br /> // to the rest of .change handler<br /> sch_tree_unlock(sch);<br /> <br /> ets_offload_change(sch);<br /> for (i = q-&gt;nbands; i classes[i].qdisc);<br /> // (5) If we call .dequeue between (4) and (5), we will have<br /> // a strong UAF and we can control RIP<br /> q-&gt;classes[i].qdisc = NULL;<br /> WRITE_ONCE(q-&gt;classes[i].quantum, 0);<br /> q-&gt;classes[i].deficit = 0;<br /> gnet_stats_basic_sync_init(&amp;q-&gt;classes[i].bstats);<br /> memset(&amp;q-&gt;classes[i].qstats, 0, sizeof(q-&gt;classes[i].qstats));<br /> }<br /> return 0;<br /> }<br /> <br /> Comment:<br /> This happens because some of the classes have their qdiscs assigned to<br /> NULL, but remain in the active list. This commit fixes this issue by always<br /> removing the class from the active list before deleting and freeing its<br /> associated qdisc<br /> <br /> Reproducer Steps<br /> (trimmed version of what was sent by zdi-disclosures@trendmicro.com)<br /> <br /> ```<br /> DEV="${DEV:-lo}"<br /> ROOT_HANDLE="${ROOT_HANDLE:-1:}"<br /> BAND2_HANDLE="${BAND2_HANDLE:-20:}" # child under 1:2<br /> PING_BYTES="${PING_BYTES:-48}"<br /> PING_COUNT="${PING_COUNT:-200000}"<br /> PING_DST="${PING_DST:-127.0.0.1}"<br /> <br /> SLOW_TBF_RATE="${SLOW_TBF_RATE:-8bit}"<br /> SLOW_TBF_BURST="${SLOW_TBF_BURST:-100b}"<br /> SLOW_TBF_LAT="${SLOW_TBF_LAT:-1s}"<br /> <br /> cleanup() {<br /> tc qdisc del dev "$DEV" root 2&gt;/dev/null<br /> }<br /> trap cleanup EXIT<br /> <br /> ip link set "$DEV" up<br /> <br /> tc qdisc del dev "$DEV" root 2&gt;/dev/null || true<br /> <br /> tc qdisc add dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2<br /> <br /> tc qdisc add dev "$DEV" parent 1:2 handle "$BAND2_HANDLE" \<br /> tbf rate "$SLOW_TBF_RATE" burst "$SLOW_TBF_BURST" latency "$SLOW_TBF_LAT"<br /> <br /> tc filter add dev "$DEV" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2<br /> tc -s qdisc ls dev $DEV<br /> <br /> ping -I "$DEV" -f -c "$PING_COUNT" -s "$PING_BYTES" -W 0.001 "$PING_DST" \<br /> &gt;/dev/null 2&gt;&amp;1 &amp;<br /> tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 0<br /> tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2<br /> tc -s qdisc ls dev $DEV<br /> tc qdisc del dev "$DEV" parent <br /> ---truncated---

*** Pendiente de traducción *** Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the mac2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Input: alps - fix use-after-free bugs caused by dev3_register_work<br /> <br /> The dev3_register_work delayed work item is initialized within<br /> alps_reconnect() and scheduled upon receipt of the first bare<br /> PS/2 packet from an external PS/2 device connected to the ALPS<br /> touchpad. During device detachment, the original implementation<br /> calls flush_workqueue() in psmouse_disconnect() to ensure<br /> completion of dev3_register_work. However, the flush_workqueue()<br /> in psmouse_disconnect() only blocks and waits for work items that<br /> were already queued to the workqueue prior to its invocation. Any<br /> work items submitted after flush_workqueue() is called are not<br /> included in the set of tasks that the flush operation awaits.<br /> This means that after flush_workqueue() has finished executing,<br /> the dev3_register_work could still be scheduled. Although the<br /> psmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(),<br /> the scheduling of dev3_register_work remains unaffected.<br /> <br /> The race condition can occur as follows:<br /> <br /> CPU 0 (cleanup path) | CPU 1 (delayed work)<br /> psmouse_disconnect() |<br /> psmouse_set_state() |<br /> flush_workqueue() | alps_report_bare_ps2_packet()<br /> alps_disconnect() | psmouse_queue_work()<br /> kfree(priv); // FREE | alps_register_bare_ps2_mouse()<br /> | priv = container_of(work...); // USE<br /> | priv-&gt;dev3 // USE<br /> <br /> Add disable_delayed_work_sync() in alps_disconnect() to ensure<br /> that dev3_register_work is properly canceled and prevented from<br /> executing after the alps_data structure has been deallocated.<br /> <br /> This bug is identified by static analysis.

*** Pendiente de traducción *** phpgurukul News Portal Project V4.1 has File Upload Vulnerability via upload.php, which enables the upload of files of any format to the server without identity authentication.

*** Pendiente de traducción *** phpgurukul News Portal Project V4.1 is vulnerable to SQL Injection in check_availablity.php.

*** Pendiente de traducción *** phpgurukul News Portal Project V4.1 has an Arbitrary File Deletion Vulnerability in remove_file.php. The parameter file can cause any file to be deleted.