David Chen

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.4.1 Splunk Enterprise versions prior to 9.3.3 Splunk Enterprise versions prior to 9.2.5 Splunk Enterprise versions prior to 9.1.8 Splunk Secure Gateway app on Splunk Cloud Platform versions prior to 3.8.38 Splunk Secure Gateway app on Splunk Cloud Platform versions prior to 3.7.23 **Description** A low-privileged user without the `admin` or `power` Splunk roles could edit and delete other user data in App Key Value Store (KVStore) collections created by the Splunk Secure Gateway app. This issue is due to missing access control and incorrect ownership of the data in those KVStore collections, where the `nobody` user owned the data. **Recommendations** For Splunk Enterprise versions prior to 9.4.1, update to version 9.4.1 or later. For Splunk Enterprise versions prior to 9.3.3, update to version 9.3.3 or later. For Splunk Enterprise versions prior to 9.2.5, update to version 9.2.5 or later. For Splunk Enterprise versions prior to 9.1.8, update to version 9.1.8 or later. For Splunk Secure Gateway app on Splunk Cloud Platform versions prior to 3.8.38, update to version 3.8.38 or later. For Splunk Secure Gateway app on Splunk Cloud Platform versions prior to 3.7.23, update to version 3.7.23 or later.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.10.158-1.nutanix.20221209.el7.x86 64 **Description** The issue is related to a racy check in the free pages function of the Linux kernel, which can cause page corruption. This corruption can lead to crashes and other issues. The problem arises from the check PageHead being racy because at this point, the reference to the page has already been dropped. As a result, even if a compound page is used, the page can already be freed, and PageHead can return false, causing the freeing of all tail pages and resulting in a double free. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-823G version 1.02B03 **Description** The issue is related to incorrect access control in the SetWLanRadioSettings function of the D-Link DIR-823G router's firmware, allowing remote attackers to enable Guest Wi-Fi. This can be achieved by sending a specially crafted POST request to the /bin/goahead web service, exploiting the vulnerability in the SetWLanRadioSettings HNAP API. **Recommendations** For D-Link DIR-823G version 1.02B03, consider disabling the `SetWLanRadioSettings()` function or restricting access to the `/bin/goahead` web service until a patch is available. Additionally, limit the use of Guest Wi-Fi to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-823G version 1.02B03 **Description** An issue was discovered in the /bin/goahead binary, allowing remote attackers to reset the router without authentication via the "SetFactoryDefault" HNAP API endpoint "/bin/goahead". This incorrect access control enables an attacker to achieve a denial-of-service attack without authentication. **Recommendations** For D-Link DIR-823G version 1.02B03, as a temporary workaround, consider restricting access to the SetFactoryDefault HNAP API endpoint "/bin/goahead" to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-823G firmware 1.02B03 **Description** An issue was discovered allowing remote attackers to get sensitive information, such as MAC addresses, about all clients in the WLAN via the "GetClientInfo HNAP API" endpoint. This is due to incorrect access control, enabling information disclosure without authentication. **Recommendations** For firmware 1.02B03, as a temporary workaround, consider restricting access to the GetClientInfo HNAP API endpoint until a patch is available. Avoid using the GetClientInfo function in the HNAP API to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-823G firmware 1.02B03 **Description** The issue is related to incorrect access control in the /bin/goahead executable, allowing remote attackers to hijack the DNS service configuration of all clients in the WLAN without authentication. This can be achieved via the `SetWanSettings` HNAP API. The vulnerability is associated with errors in access control, which can be exploited by a remote attacker to intercept the DNS service configuration through the API interface using the `SetWanSettings` function. **Recommendations** For D-Link DIR-823G firmware 1.02B03, as a temporary workaround, consider restricting access to the `/bin/goahead` executable and the `SetWanSettings` HNAP API to minimize the risk of exploitation. Avoid using the `SetWanSettings` function in the affected API until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-823G versions through 1.02B03 **Description** The issue exists due to the lack of measures to neutralize special elements used in the operating system command. Exploitation of this issue may allow a remote attacker to execute arbitrary operating system commands. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body, such as the `/HNAP1` request. An attacker can execute any command remotely when they control this input. **Recommendations** For versions through 1.02B03, consider disabling the HNAP API functions until a patch is available to prevent exploitation. Restrict access to the `/HNAP1` request to minimize the risk of remote command execution. Avoid using untrusted input from the request body in the system function to prevent arbitrary OS command execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-823G devices with firmware through 1.02B03 **Description** An issue allows attackers to execute arbitrary OS commands via shell metacharacters in a crafted /HNAP1 request. This occurs when the GetNetworkTomographyResult function calls the system function with an untrusted input parameter named `Address`. Consequently, an attacker can execute any command remotely when they control this input. The vulnerability is related to insufficient input data cleaning used in commands. **Recommendations** For D-Link DIR-823G devices with firmware through 1.02B03, consider disabling the `GetNetworkTomographyResult` function until a patch is available to prevent exploitation via the `/HNAP1` request. Restrict access to the `Address` input parameter to minimize the risk of arbitrary command execution.