Hugues Anguelkov

**Nome do software vulnerável e versões afetadas** Versões do kernel Linux até a 5.18.9 **Descrição** Um bug de confusão de tipos na função `nft set elem init`, que leva a um estouro de buffer, poderia ser explorado por um invasor local para escalar privilégios. O invasor pode obter acesso root, mas deve começar com um namespace de usuário sem privilégios para obter acesso CAP NET ADMIN. Esta falha pode ser corrigida em `nft setelem parse data` em `net/netfilter/nf tables api.c`. A exploração utiliza a técnica de desligamento e pode permitir que um invasor obtenha acesso root. **Recomendações** Para versões do kernel Linux até a 5.18.9, atualize para uma versão que inclua a correção para o estouro de buffer em `nft set elem init`. Como solução alternativa temporária, considere restringir o acesso à função `nft setelem parse data` em `net/netfilter/nf tables api.c` para minimizar o risco de exploração.

**Nome do software vulnerável e versões afetadas** Versões do macOS anteriores à 10.14.4 Versões da Atualização de Segurança anteriores à 2019-002 High Sierra Versões da Atualização de Segurança anteriores à 2019-002 Sierra **Descrição** Foi corrigida uma falha lógica por meio de uma validação aprimorada. Um invasor em uma posição privilegiada na rede pode alterar o estado do driver. **Recomendações** Para versões do macOS anteriores à 10.14.4, atualize para o macOS Mojave 10.14.4. Para versões da Atualização de Segurança anteriores à 2019-002 High Sierra, aplique a Atualização de Segurança 2019-002 High Sierra. Para versões da Atualização de Segurança anteriores à 2019-002 Sierra, aplique a Atualização de Segurança 2019-002 Sierra.

**Name of the Vulnerable Software and Affected Versions** Broadcom wl WiFi driver (affected versions not specified) **Description** The issue is related to a heap buffer overflow in the wlc wpa sup eapol function of the Broadcom wl WiFi driver. This can be triggered by supplying a vendor information element with a data length larger than 32 bytes. A remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system or cause denial-of-service conditions by sending specially-crafted WiFi packets. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Broadcom wl WiFi driver (affected versions not specified) **Description** The issue is related to a heap buffer overflow in the wlc wpa plumb gtk function of the Broadcom wl WiFi driver. This can be triggered by sending specially-crafted WiFi packets containing data larger than 164 bytes. A remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial-of-service condition. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Broadcom brcmfmac WiFi driver versions prior to commit 1b5e2423164b3670e8bc9174e4762d297990deff **Description** The issue is related to a heap buffer overflow in the `brcmf wowl nd results` function. If the Wake-up on Wireless LAN functionality is configured, a malicious event frame can trigger this overflow. This can be exploited to compromise the host or, in combination with other vulnerabilities, can be used remotely. In the worst-case scenario, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system by sending specially-crafted WiFi packets. More typically, this issue will result in denial-of-service conditions. **Recommendations** For versions prior to commit 1b5e2423164b3670e8bc9170e8bc9174e4762d297990deff, consider disabling the Wake-up on Wireless LAN functionality to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** brcmfmac WiFi driver versions prior to commit a4176ec356c73a46c07c181c6d04039fafa34a9f **Description** The issue is related to insufficient input validation in the `is wlc event frame` function of the Broadcom brcmfmac WiFi driver. This can be exploited by a remote, unauthenticated attacker to bypass frame validation, potentially allowing the execution of arbitrary code on a vulnerable system or resulting in denial-of-service conditions. The vulnerability can be triggered by sending specially-crafted WiFi packets. **Recommendations** For versions prior to commit a4176ec356c73a46c07c181c6d04039fafa34a9f, consider updating to a version that includes the commit a4176ec356c73a46c07c181c6d04039fafa34a9f or later to resolve the issue. As a temporary workaround, consider restricting the use of USB WiFi dongles to minimize the risk of exploitation.