Fabian Yamaguchi

**Nome do Software Vulnerável e Versões Afetadas** Versões do Graylog anteriores à 6.0.14 Versões do Graylog anteriores à 6.1.10 Versões do Graylog anteriores à 6.2.0 **Descrição** O Graylog é uma plataforma de gerenciamento de logs. Existe uma vulnerabilidade na qual cookies de sessão do usuário podem ser obtidos ao enviar um formulário HTML dentro de um campo de Etapa de Remediação de Definição de Evento. Para explorar isso com sucesso, um atacante requer uma conta de usuário com a capacidade de criar definições de evento e permissões para visualizar alertas. Um Input ativo capaz de receber dados de formulário, como um Input HTTP, TCP raw ou syslog, também deve estar presente no servidor Graylog. **Recomendações** As versões do Graylog anteriores à 6.0.14 devem ser atualizadas para a versão 6.0.14 ou posterior. As versões do Graylog anteriores à 6.1.10 devem ser atualizadas para a versão 6.1.10 ou posterior. As versões do Graylog anteriores à 6.2.0 devem ser atualizadas para a versão 6.2.0 ou posterior.

**Nome do software vulnerável e versões afetadas** Versões do Graylog 2.0.0 a 5.1.10 Versões do Graylog 5.2.0 a 5.2.3 **Descrição** A vulnerabilidade permite que classes arbitrárias sejam carregadas e instanciadas por meio de uma solicitação HTTP PUT para o endpoint “/api/system/cluster config/”. O sistema de configuração de cluster do Graylog utiliza nomes de classe totalmente qualificados como chaves de configuração e, para validar a existência da classe solicitada, o Graylog carrega a classe utilizando o carregador de classes. Se um usuário com as permissões adequadas realizar a solicitação, classes arbitrárias com construtores String de 1 argumento podem ser instanciadas, executando código arbitrário durante a instanciação da classe. No caso de uso específico de `java.io.File`, o comportamento da pilha interna do servidor web levará à exposição de informações ao incluir todo o conteúdo do arquivo na resposta à solicitação REST. **Recomendações** Para as versões 2.0.0 a 5.1.10 do Graylog, atualize para a versão 5.1.11 ou posterior. Para as versões 5.2.0 a 5.2.3 do Graylog, atualize para a versão 5.2.4 ou posterior. Como solução temporária, considere restringir o acesso ao endpoint “/api/system/cluster config/” para minimizar o risco de exploração. Restrinja o acesso à classe `java.io.File` para evitar a exposição de informações. Certifique-se de que apenas usuários autorizados com as permissões `clusterconfigentry:create` e `clusterconfigentry:edit` possam realizar solicitações ao endpoint vulnerável.

**Nome do software vulnerável e versões afetadas** Versões do Graylog 4.3.0 a 5.1.10 Versões do Graylog 4.3.0 a 5.2.3 **Descrição** A vulnerabilidade permite que se realize uma reautenticação utilizando um cookie de sessão existente para reutilizar esse ID de sessão, mesmo que seja com credenciais de usuário diferentes. Isso poderia ser usado para obter acesso elevado a uma sessão de login existente do Graylog, desde que o usuário mal-intencionado conseguisse injetar com sucesso seu cookie de sessão no navegador de outra pessoa. A complexidade de tal ataque é alta, pois requer a apresentação de uma tela de login falsificada e a injeção de um cookie de sessão em um navegador existente, potencialmente por meio de um ataque de cross-site scripting. Nenhum ataque desse tipo foi descoberto. O uso de expiração curta de sessão e logouts explícitos de sessões não utilizadas podem ajudar a limitar o vetor de ataque. Um proxy poderia ser utilizado para limpar o cookie de `autenticação` da URL do servidor Graylog para o endpoint “/api/system/sessions”, já que esse é o único vulnerável. **Recomendações** Para as versões 4.3.0 a 5.1.10 do Graylog, atualize para a versão 5.1.11 ou posterior para resolver o problema. Para as versões 4.3.0 a 5.2.3 do Graylog, atualize para a versão 5.2.4 ou posterior para resolver o problema. Como solução alternativa temporária, considere usar expiração curta de sessão e logouts explícitos de sessões não utilizadas para limitar o vetor de ataque. Restrinja o acesso ao endpoint “/api/system/sessions” limpando o cookie `authentication` da URL do servidor Graylog usando um proxy.

**Name of the Vulnerable Software and Affected Versions** libarchive versions prior to 3.2.1 **Description** The issue is related to an integer overflow in the ISO9660 writer, which can be triggered by verifying filename lengths when writing an ISO9660 archive. This can lead to a buffer overflow, causing a denial of service or potentially allowing remote attackers to execute arbitrary code. **Recommendations** For versions prior to 3.2.1, update to version 3.2.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the ISO9660 writer to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** VideoLAN VLC media player versions prior to 2.1.6 **Description** The issue is related to errors in checking the length of string containers in the MP4 demultiplexer of the VideoLAN VLC media player. Exploitation of this issue may allow a remote attacker to execute arbitrary code or cause a denial of service via a specially crafted .MP4 file. The `MP4 ReadBox String` function is specifically vulnerable, allowing remote attackers to trigger an unintended zero-size malloc and conduct buffer overflow attacks. **Recommendations** For versions prior to 2.1.6, update to version 2.1.6 or later to resolve the issue. As a temporary workaround, consider avoiding the use of .MP4 files from untrusted sources until the update is applied.

**Name of the Vulnerable Software and Affected Versions** VLC media player versions prior to 2.1.6 **Description** The issue is related to an integer underflow in the MP4 demuxer, specifically in the MP4 ReadBox String function. This can be exploited by remote attackers using a specially crafted MP4 file with a box size less than 7, potentially allowing them to execute arbitrary code or cause a denial of service. The vulnerability is associated with errors in checking the length of string containers. **Recommendations** For versions prior to 2.1.6, update to version 2.1.6 or later to resolve the issue. As a temporary workaround, consider avoiding the use of MP4 files from untrusted sources until the update is applied.

**Name of the Vulnerable Software and Affected Versions** VideoLAN VLC media player versions prior to 2.1.6 **Description** The issue is related to an integer truncation in the MP4 Demuxer of the VideoLAN VLC media player. This can be exploited by remote attackers to cause a denial of service or possibly execute arbitrary code via a specially crafted .MP4 file. The problem arises from an incorrect cast operation from a 64-bit integer to a 32-bit integer in the `MP4 ReadBox String` function. **Recommendations** For versions prior to 2.1.6, update to version 2.1.6 or later to resolve the issue. As a temporary workaround, consider avoiding the use of .MP4 files from untrusted sources until the update is applied.

**Name of the Vulnerable Software and Affected Versions** VideoLAN VLC media player versions prior to 2.1.6 **Description** The issue is related to an integer truncation in the automated updater, specifically in the GetUpdateFile function, which allows remote attackers to conduct buffer overflow attacks. This can lead to the execution of arbitrary code or cause a denial of service, resulting in an application crash. The attack can be performed via a crafted file containing an overly long string argument. **Recommendations** For versions prior to 2.1.6, update to version 2.1.6 or later to resolve the issue. As a temporary workaround, consider disabling the automated updater until a patch is available.

**Name of the Vulnerable Software and Affected Versions** VLC media player versions prior to 2.1.6 **Description** The issue is related to a buffer overflow in the RTP streaming code, specifically in the `rtp packetize xiph config` function, due to improper bounds checking. This allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted file containing an overly long string argument. The vulnerability can be exploited by a specially crafted ogg file, potentially leading to memory corruption or arbitrary code execution. **Recommendations** For versions prior to 2.1.6, update to version 2.1.6 or later to resolve the issue. As a temporary workaround, consider disabling the RTP streaming functionality until a patch is available. Restrict access to potentially malicious files, especially those containing overly long string arguments, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** VLC media player versions prior to 2.1.6 VLC media player versions 2.2.x prior to 2.2.1 **Description** The issue is related to an integer overflow in the Encode function, specifically in the Schroedinger codec, which can lead to a buffer overflow. This allows remote attackers to execute arbitrary code or cause a denial of service via a crafted file. The vulnerability is due to improper bounds checking in the Schroedinger- and Dirac- encoders. **Recommendations** For versions prior to 2.1.6, update to version 2.1.6 or later. For versions 2.2.x prior to 2.2.1, update to version 2.2.1 or later. As a temporary workaround, consider disabling the Schroedinger and Dirac encoders until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Pidgin versions prior to 2.10.8 **Description** The issue allows a remote attacker to cause a denial of service by manipulating OIM XML headers or via crafted SOAP responses, OIM XML responses, or Content-Length headers, leading to a NULL pointer dereference and crash. **Recommendations** For versions prior to 2.10.8, update to version 2.10.8 or later to resolve the issue. As a temporary workaround, consider restricting access to MSN protocol functionality until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12.1 **Description** The issue allows local users to cause a denial of service by leveraging root privileges for a zero-length write operation in the `lbs debugfs write` function. **Recommendations** For versions prior to 3.12.1, update to version 3.12.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 3.12.1 **Description** The issue is related to the `aac send raw srb` function in the Linux kernel, which does not properly validate a certain size value. This can be exploited by local users with `CAP SYS ADMIN` privileges to cause a denial of service or possibly have other unspecified impacts via a crafted SRB command using the `FSACTL SEND RAW SRB` ioctl call. Local users can potentially elevate their privileges by exploiting the `aacraid` driver. **Recommendations** For Linux kernel versions through 3.12.1, consider restricting access to the `FSACTL SEND RAW SRB` ioctl call to minimize the risk of exploitation. As a temporary workaround, consider disabling the `aac send raw srb` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12.1 **Description** The issue allows local users to cause a denial of service or possibly have unspecified other impact via an SNMP ioctl call with a length value that is incompatible with the command-buffer size. This is due to a buffer overflow in the `qeth snmp command` function in `drivers/s390/net/qeth core main.c`. The `ioctl` call `IOC QETH ADP SET SNMP CONTROL` is involved in the system call. **Recommendations** For Linux kernel versions prior to 3.12.1, update to version 3.12.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `qeth snmp command` function until a patch is available. Avoid using the `IOC QETH ADP SET SNMP CONTROL` ioctl call with incompatible length values in the command-buffer size until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12 **Description** The issue is related to a buffer overflow in the exitcode proc write function, which can be exploited by local users with write privileges to the /proc/exitcode file. This could potentially allow users to cause a denial of service or have other unspecified impacts, possibly including privilege escalation. The estimated number of potentially affected devices is not specified. **Recommendations** For Linux kernel versions prior to 3.12, update to version 3.12 or later to resolve the issue. As a temporary workaround, consider restricting write access to the /proc/exitcode file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12 **Description** The issue is related to multiple buffer overflows in the Linux kernel, specifically in the drivers/staging/wlags49 h2/wl priv.c file. This can be exploited by local users with the CAP NET ADMIN capability to cause a denial of service or possibly have other unspecified impacts. The exploitation is related to the `wvlan uil put info` and `wvlan set station nickname` functions when a long station-name string is provided. **Recommendations** For Linux kernel versions prior to 3.12, update to version 3.12 or later to resolve the issue. As a temporary workaround, consider restricting the CAP NET ADMIN capability to minimize the risk of exploitation. Additionally, avoid providing long station-name strings to prevent triggering the buffer overflows in the `wvlan uil put info` and `wvlan set station nickname` functions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12 **Description** The issue allows local users to obtain sensitive information from kernel stack memory. This is due to the mp get count function in drivers/staging/sb105x/sb pci mp.c not initializing a certain data structure, which can be exploited via a TIOCGICOUNT ioctl call. **Recommendations** For Linux kernel versions prior to 3.12, update to version 3.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the TIOCGICOUNT ioctl call to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12 **Description** The issue allows local users to obtain sensitive information from kernel memory. This is due to the bcm char ioctl function in drivers/staging/bcm/Bcmchar.c not initializing a certain data structure, which can be exploited via an IOCTL BCM GET DEVICE DRIVER INFO ioctl call. **Recommendations** For versions prior to 3.12, update to version 3.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the bcm char ioctl function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12 **Description** The issue is related to multiple integer overflows in Alchemy LCD frame-buffer drivers. Local users can create a read-write memory mapping for the entirety of kernel memory and gain privileges via crafted `mmap` operations. This is related to the `au1100fb fb mmap` function in `drivers/video/au1100fb.c` and the `au1200fb fb mmap` function in `drivers/video/au1200fb.c`. **Recommendations** For Linux kernel versions prior to 3.12, update to version 3.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the `au1100fb fb mmap` and `au1200fb fb mmap` functions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Libav versions 0.5.x through 0.5.8 Libav versions 0.6.x through 0.6.5 Libav versions 0.7.x through 0.7.5 Libav versions 0.8.x through 0.8.1 **Description** The issue is related to a heap-based buffer overflow in the `vqa decode chunk` function within the VQA codec of libavcodec. This can be triggered by remote attackers using a crafted VQA media file where the image size is not a multiple of the block size, potentially leading to a denial of service or arbitrary code execution. **Recommendations** For Libav versions 0.5.x through 0.5.8, update to version 0.5.9 or later. For Libav versions 0.6.x through 0.6.5, update to version 0.6.6 or later. For Libav versions 0.7.x through 0.7.5, update to version 0.7.6 or later. For Libav versions 0.8.x through 0.8.1, update to version 0.8.2 or later.