Solar Designer

**Nome do Software Vulnerável e Versões Afetadas** Linux kernel versões anteriores a 7.0.8 Linux kernel versões anteriores a 6.18.31 Linux kernel versões anteriores a 6.12.89 Linux kernel versões anteriores a 6.6.139 Linux kernel versões anteriores a 6.1.173 Linux kernel versões anteriores a 5.15.207 Linux kernel versões anteriores a 5.10.256 **Description** Um problema de gerenciamento inadequado de privilégios existe na função `get dumpable()`. A lógica referente à capacidade de despejo (dumpability) de uma tarefa — originalmente destinada a determinar se uma tarefa pode criar um core dump — era usada incorretamente por `ptrace may access()` para verificar permissões independentemente do ponteiro de gerenciamento de memória (MM). Isso inclui threads sem memória virtual (VM), como threads do kernel. Esta falha permite que um usuário local não privilegiado escale privilégios para root, execute comandos arbitrários e exponha informações sensíveis, incluindo chaves privadas de host SSH e o arquivo de hash de senhas `/etc/shadow`. O problema é descrito como uma condição de corrida (race condition) no tratamento de acesso do ptrace que pode permitir o roubo de descritores de arquivo privilegiados durante o encerramento do processo. A exploração em instalações padrão de distribuições principais como Debian, Ubuntu e Fedora requer que o módulo Reliable Datagram Sockets (RDS) esteja carregado, que o `io ring` esteja habilitado, um binário SUID-root legível e suporte x86 64. **Recommendations** Atualizar para a versão 7.0.8 ou superior. Atualizar para a versão 6.18.31 ou superior. Atualizar para a versão 6.12.89 ou superior. Atualizar para a versão 6.6.139 ou superior. Atualizar para a versão 6.1.173 ou superior. Atualizar para a versão 5.15.207 ou superior. Atualizar para a versão 5.10.256 ou superior. Como medida paliativa temporária, configure `sysctl kernel.yama.ptrace scope=2`.

Nome do software vulnerável e versões afetadas: OpenSSH versões 8.7 e 8.8 Descrição: Foi descoberta uma vulnerabilidade de condição de corrida na forma como os sinais são tratados pelo servidor do OpenSSH (sshd). Se um invasor remoto não se autenticar dentro de um período de tempo definido, o manipulador SIGALRM do sshd é chamado de forma assíncrona. No entanto, esse manipulador de sinais chama várias funções que não são seguras para sinais assíncronos, por exemplo, syslog(). Como consequência de um ataque bem-sucedido, no pior cenário, um invasor pode ser capaz de executar código remotamente (RCE) como um usuário sem privilégios executando o servidor sshd. A vulnerabilidade afeta as versões 8.7 e 8.8 do OpenSSH, incluindo suas versões portáteis correspondentes, e estima-se que possa afetar mais de 98 milhões de sistemas. Recomendações: Para resolver o problema nas versões 8.7 e 8.8 do OpenSSH, defina o parâmetro LoginGraceTime como 0 na configuração do sshd. Esse método bloqueia efetivamente a vulnerabilidade. Além disso, recomenda-se atualizar para uma versão mais recente do OpenSSH que inclua a correção para essa vulnerabilidade. O AlmaLinux 9 lançou um patch para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** grub2 (versões afetadas não especificadas) **Descrição** Uma falha no utilitário grub2-set-bootflag do grub2 pode levar a uma negação de serviço. O problema ocorre quando o programa cria um arquivo temporário com o novo conteúdo do grubenv e é encerrado antes de renomeá-lo para o arquivo grubenv original, fazendo com que o arquivo temporário não seja removido. Isso pode fazer com que o sistema de arquivos fique cheio de arquivos temporários quando o utilitário é invocado várias vezes, levando a uma falta de inodes ou blocos livres no sistema de arquivos. A vulnerabilidade está relacionada à limpeza incompleta de recursos temporários ou auxiliares. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** Botan versions prior to 2.1.0 **Description** The issue concerns bcrypt password hashing in Botan, where passwords with a length between 57 and 72 characters are not handled correctly. This incorrect handling makes it easier for attackers to determine the cleartext password. **Recommendations** For versions prior to 2.1.0, update to version 2.1.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of passwords with lengths between 57 and 72 characters until the update is applied.

**Name of the Vulnerable Software and Affected Versions** VMware Tools versions prior to 12.2.5 VMware vCenter (affected versions not specified) **Description** A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine. The vulnerability is related to errors in the authentication procedure of the vgauth module in VMware Tools. Exploitation of this issue may allow an attacker to affect the confidentiality and integrity of protected information. Chinese state-sponsored group UNC3886 has been exploiting this vulnerability since 2021 to backdoor Windows, Linux, and PhotonOS systems. **Recommendations** For VMware Tools versions prior to 12.2.5, update to version 12.2.5 or later to resolve the issue. For VMware vCenter, update to the latest version to account for this vulnerability. As a temporary workaround, consider restricting access to the vulnerable vgauth module until a patch is available. Avoid using the vulnerable authentication mechanism in host-to-guest operations until the issue is resolved. At the moment, there is no additional information about other mitigation measures.

**Nome do software vulnerável e versões afetadas** Versões do kernel do openEuler de 4.19.90 a 4.19.90-2401.3 Versões do kernel do openEuler de 5.10.0-60.18.0 a 5.10.0-183.0.0 **Descrição** O problema está relacionado a um estouro de inteiro na função `ext4 write inline data end()` do kernel do openEuler no Linux, especificamente nos módulos do sistema de arquivos. Isso permite um estouro de inteiro forçado, o que pode afetar a confidencialidade, a integridade e a disponibilidade das informações protegidas. **Recomendações** Para as versões do kernel openEuler 4.19.90 a 4.19.90-2401.3, atualize para a versão 4.19.90-2401.3 ou posterior. Para as versões do kernel openEuler 5.10.0-60.18.0 a 5.10.0-183.0.0, atualize para a versão 5.10.0-183.0.0 ou posterior. Como solução temporária, considere restringir o acesso aos módulos do sistema de arquivos vulneráveis até que um patch esteja disponível.

**Name of the Vulnerable Software and Affected Versions** cron versions 3.0pl1-128 through 3.0pl1-128ubuntu2 **Description** The issue is related to the cron package, where the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the `chown` and `chmod` programs. This can be exploited by an attacker to gain elevated privileges. **Recommendations** For cron versions 3.0pl1-128 through 3.0pl1-128ubuntu2, consider disabling the postinst maintainer script as a temporary workaround to minimize the risk of exploitation. Restrict access to the `chown` and `chmod` programs to prevent unsafe usage. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.10.8 **Description** The issue is related to the `ping unhash` function in the Linux kernel, specifically in the `net/ipv4/ping.c` file. It is associated with inadequate access control. The exploitation of this issue can allow a local attacker to cause a denial of service by utilizing access to the `IPPROTO ICMP` protocol value in a socket system call. This can lead to a system panic. **Recommendations** For Linux kernel versions prior to 4.10.8, update to version 4.10.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the `IPPROTO ICMP` protocol value in socket system calls to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.5.2 **Description** The issue concerns the IPv4 implementation in the Linux kernel, which fails to properly handle the destruction of device objects. This allows guest OS users to cause a denial of service, resulting in a host OS networking outage, by arranging for a large number of IP addresses. **Recommendations** For Linux kernel versions prior to 4.5.2, update to version 4.5.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Password Generator (aka Pwgen) versions prior to 2.07 **Description** The issue allows context-dependent attackers to guess passwords via a brute-force attack because weak non-tty passwords are generated. **Recommendations** For versions prior to 2.07, update to version 2.07 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** GNU Wget versions 1.12 and earlier wget versions prior to 1.12-r2 **Description** The issue allows remote servers to create or overwrite arbitrary files via a 3xx redirect to a URL with a .wgetrc filename followed by a 3xx redirect to a URL with a crafted filename. This could possibly lead to the execution of arbitrary code as a consequence of writing to a dotfile in a home directory. Exploitation of this issue may lead to a breach of confidentiality, integrity, and availability of protected information and can be carried out remotely. **Recommendations** For GNU Wget versions 1.12 and earlier, update to a version later than 1.12 to resolve the issue. For wget versions prior to 1.12-r2, update to version 1.12-r2 or later to fix the problem. As a temporary workaround, consider disabling the use of server-provided filenames for determining the destination filename of a download until a patch is available.

**Name of the Vulnerable Software and Affected Versions** libwww-perl versions prior to 5.835 **Description** The issue allows remote servers to create or overwrite files through a 3xx redirect to a URL with a crafted filename or a Content-Disposition header that suggests a crafted filename. This can possibly lead to the execution of arbitrary code as a consequence of writing to a dotfile in a home directory. The problem arises because the software does not reject downloads to filenames that begin with a . (dot) character. **Recommendations** For versions prior to 5.835, update to version 5.835 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `lwp-download` function to minimize the risk of exploitation. Avoid using the `lwp-download` function with untrusted URLs or servers until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Linux kernel version 2.6.9 Description: The issue concerns the z90crypt unlocked ioctl function in the z90crypt driver, which fails to perform a capability check for the Z90QUIESCE operation. This allows local users with euid 0 privileges to cause a driver outage. Recommendations: For Linux kernel version 2.6.9, consider disabling the z90crypt driver or restricting its use to prevent exploitation until a fix is available.

Name of the Vulnerable Software and Affected Versions: Linux kernel version 2.6.16 Description: A race condition exists in the do add counters function in netfilter for the Linux kernel, allowing local users with CAP NET ADMIN capabilities to read kernel memory. This is achieved by triggering the race condition to produce a size value inconsistent with allocated memory, resulting in a buffer over-read in IPT ENTRY ITERATE. Recommendations: For Linux kernel version 2.6.16, consider restricting access to the do add counters function or applying configuration changes to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux versions prior to 2.6.16-rc3 Description: The issue is related to an integer overflow in the do replace function in netfilter for Linux. This can be exploited by local users with CAP NET ADMIN rights to cause a buffer overflow in the copy from user function, particularly when using virtualization solutions such as OpenVZ. Recommendations: For Linux versions prior to 2.6.16-rc3, update to version 2.6.16-rc3 or later to resolve the issue. As a temporary workaround, consider restricting the use of CAP NET ADMIN rights to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ISC DHCP versions 3.0.1rc12 through 3.0.1rc13 **Description** The issue is related to a buffer overflow in the logging capability for the DHCP daemon. This can be triggered by remote attackers sending multiple hostname options in various DHCP messages, such as DISCOVER, OFFER, REQUEST, ACK, or NAK messages. The vulnerability can cause a denial of service, resulting in a server crash, and potentially allow the execution of arbitrary code when a long string is generated while writing to a log file. **Recommendations** For ISC DHCP versions 3.0.1rc12 and 3.0.1rc13, consider disabling the logging capability for the DHCP daemon until a patch is available. Restrict access to the DHCP daemon to minimize the risk of exploitation. Avoid using the hostname options in DHCP messages until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ISC DHCP versions 3.0.1rc12 through 3.0.1rc13 **Description** The issue arises when the DHCP daemon (DHCPD) for ISC DHCP is compiled in environments lacking the vsnprintf function, leading to the use of C include files that define vsnprintf to use the less safe vsprintf function. This can result in buffer overflow vulnerabilities, enabling a denial of service (server crash) and possibly allowing the execution of arbitrary code. **Recommendations** For versions 3.0.1rc12 and 3.0.1rc13, consider compiling the DHCP daemon in an environment that provides the vsnprintf function to mitigate the risk of buffer overflow vulnerabilities. As a temporary workaround, restrict access to the DHCP service to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenSSH-portable versions 3.6.1p1 and earlier **Description** The issue allows remote attackers to determine valid usernames via a timing attack when a user does not exist, due to the immediate sending of an error message with PAM support enabled. This can lead to a violation of confidentiality. The vulnerability can be exploited remotely. **Recommendations** For OpenSSH-portable versions 3.6.1p1 and earlier, consider disabling PAM support as a temporary workaround to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Debian GNU/Linux kernel versions prior to 2.4.26 Red Hat Linux kernel versions prior to 2.4.26 Gentoo Linux aa-sources versions prior to 2.4.23-r2 **Description** The issue affects the kernel packages in various Linux distributions, including Debian GNU/Linux and Red Hat Linux. The vulnerabilities can be exploited by a local or remote attacker to compromise the confidentiality, integrity, and availability of protected information. The exploitation can lead to information leaks, allowing privileged users to obtain portions of kernel memory. **Recommendations** For Debian GNU/Linux kernel versions prior to 2.4.26, update to version 2.4.26 or later. For Red Hat Linux kernel versions prior to 2.4.26, update to version 2.4.26 or later. For Gentoo Linux aa-sources versions prior to 2.4.23-r2, update to version 2.4.23-r2 or later. As a temporary workaround, consider restricting access to the vulnerable kernel components until a patch is available.