Chris Bellows

**Name of the Vulnerable Software and Affected Versions** Renesas SmartBond versions DA14691, DA14695, DA14697, and DA14699 **Description** An issue was discovered where the bootrom function responsible for validating the Flash Product Header directly uses a user-controllable size value (`Length of Flash Config Section`) to control a read from the QSPI device into a fixed sized buffer, resulting in a buffer overflow and execution of arbitrary code. **Recommendations** For Renesas SmartBond versions DA14691, DA14695, DA14697, and DA14699, consider disabling the bootrom function responsible for validating the Flash Product Header until a patch is available. Restrict access to the QSPI device to minimize the risk of exploitation. Avoid using the `Length of Flash Config Section` value in the affected bootrom function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Renesas SmartBond versions DA14691, DA14695, DA14697, and DA14699 **Description** An issue was discovered where the Nonce used for on-the-fly decryption of flash images is stored in an unsigned header, allowing its value to be modified without invalidating the signature used for secureboot image verification. Because the encryption engine for on-the-fly decryption uses AES in CTR mode without authentication, an attacker-modified Nonce can result in execution of arbitrary code. **Recommendations** For Renesas SmartBond versions DA14691, DA14695, DA14697, and DA14699, consider disabling the use of AES in CTR mode without authentication as a temporary workaround until a patch is available. Restrict access to the unsigned header to minimize the risk of exploitation. Avoid modifying the Nonce value in the unsigned header until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Plixer Scrutinizer versions prior to 19.3.1 **Description** An issue was discovered in Plixer Scrutinizer that exposes debug logs to unauthenticated users at the "/debug/" URL path. With knowledge of valid IP addresses and source types, an unauthenticated attacker can download debug logs containing application-related information. **Recommendations** For versions prior to 19.3.1, update to version 19.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/debug/" URL path until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Plixer Scrutinizer versions prior to 19.3.1 **Description** An issue was discovered in the /fcgi/scrut fcgi.fcgi endpoint, specifically in the `csvExportReport` endpoint action `generateCSV`, which is vulnerable to SQL injection through the `sorting` parameter. This allows an unauthenticated user to execute arbitrary SQL statements in the context of the application's backend database server. **Recommendations** For versions prior to 19.3.1, update to version 19.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/fcgi/scrut fcgi.fcgi` endpoint or disabling the `generateCSV` action in the `csvExportReport` endpoint until a patch is available. Avoid using the `sorting` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Plixer Scrutinizer versions prior to 19.3.1 **Description** An issue was discovered in the /fcgi/scrut fcgi.fcgi endpoint. The `csvExportReport` endpoint action `generateCSV` does not require authentication, allowing an unauthenticated user to export a report and access the results. **Recommendations** For versions prior to 19.3.1, update to version 19.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/fcgi/scrut fcgi.fcgi` endpoint or disabling the `generateCSV` action in the `csvExportReport` endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ASUS GT-AC2900 versions prior to 3.0.0.4.386.42643 Lyra Mini versions prior to 3.0.0.4 384 46630 **Description** The administrator application on ASUS GT-AC2900 and Lyra Mini devices allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. This issue relates to the `handle request` function in `router/httpd/httpd.c` and `auth check` in `web hook.o`. An attacker-supplied value of `0` matches the device's default value of `0` in some situations. There have been attempts to exploit this issue, with 379,868 attempts reported as failed due to a tiny error. **Recommendations** For ASUS GT-AC2900 versions prior to 3.0.0.4.386.42643, update to version 3.0.0.4.386.42643 or later. For Lyra Mini versions prior to 3.0.0.4 384 46630, update to version 3.0.0.4 384 46630 or later. As a temporary workaround, consider disabling the remote access features from WAN to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cisco Aironet Access Points (affected versions not specified) **Description** The issue is related to insufficient input validation for a specific command in the implementation of a CLI command, which could allow an authenticated, local attacker to overwrite files in the flash memory of the device. An attacker could exploit this by issuing a command with crafted arguments, potentially allowing them to overwrite or create files with data already present in other files hosted on the affected device. **Recommendations** For Cisco Aironet Access Points, consider restricting access to the vulnerable CLI command until a patch is available. As a temporary workaround, avoid using crafted arguments with specific commands to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.