Gangmin Kim

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** The Linux kernel contains an issue related to network packet scheduling. Specifically, the `act ct` action was found to potentially cause a Use-After-Free (UAF) condition when interacting with the defragmentation engine if a packet returns `TC ACT CONSUMED` while held by the engine. This can occur when `act ct` is used in the egress path. To address this, the kernel now restricts `act ct` to only bind to `clsact/ingress` qdiscs and shared blocks. This allows `act ct` to still function in egress scenarios, but only with `clsact`. The `skb` variable is involved in this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The Linux kernel contains an issue within the networking scheduler (`cls u32`) where the `skb header pointer()` function does not fully validate negative offset values. This can lead to out-of-bounds access. The recommended solution is to utilize `skb header pointer careful()` instead. A report and reproduction case were provided by GangMin Kim demonstrating a kernel slab out-of-bounds condition in the `u32 classify()` function. **Recommendations** Utilize `skb header pointer careful()` instead of `skb header pointer()`.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The Linux kernel contains an issue related to the `teql` queuing discipline. The intended design of `teql` is for it to be used only as a root queuing discipline. The issue arises when `teql` is used as a child qdisc under certain conditions, specifically with QFQ and netem. A scenario involving delayed packets and updates to the `lmax` value can lead to a use-after-free condition due to incorrect queue length (`qlen`) management. Specifically, `teql` only updates the parent visible `qlen` at dequeue, and because `peek` always returns NULL, dequeue is never called, leaving the `qlen` at 0. This can cause a dangling pointer to be accessed when a packet is rescheduled. The vulnerable functions involved are `qfq change class` and `qfq deact rm from agg`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle VM VirtualBox versions 7.1.14 and 7.2.4 **Description** A difficult to exploit issue exists in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). An attacker with high privileges who has access to the system where Oracle VM VirtualBox is running can compromise the software. Successful exploitation can lead to a takeover of Oracle VM VirtualBox and may significantly impact other products. **Recommendations** Update Oracle VM VirtualBox to a newer version that addresses this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle VM VirtualBox versions 7.1.14 and 7.2.4 **Description** An easily exploitable issue exists in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). A high-privileged attacker with access to the infrastructure where Oracle VM VirtualBox runs can compromise the software. Successful attacks can lead to a takeover of Oracle VM VirtualBox and may significantly impact additional products. **Recommendations** Update Oracle VM VirtualBox version 7.1.14 to a newer, fixed version. Update Oracle VM VirtualBox version 7.2.4 to a newer, fixed version.

**Name of the Vulnerable Software and Affected Versions** Oracle VM VirtualBox version 7.1.10 **Description** An easily exploitable issue exists in the Core component of Oracle VM VirtualBox, allowing a high-privileged attacker with access to the infrastructure where Oracle VM VirtualBox executes to compromise the software. Successful exploitation can result in a takeover of Oracle VM VirtualBox and may significantly impact additional products. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Synology Router Manager (SRM) versions prior to 1.3.1-9346-10 **Description** The issue is related to improper neutralization of input during web page generation, which can lead to Cross-site Scripting attacks. Remote authenticated users with administrator privileges can inject arbitrary web script or HTML via unspecified vectors. This can be exploited in the file station functionality of Synology Router Manager. **Recommendations** For Synology Router Manager (SRM) versions prior to 1.3.1-9346-10, update to version 1.3.1-9346-10 or later to resolve the issue. As a temporary workaround, consider restricting access to the file station functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Synology Router Manager versions prior to 1.3.1-9346-10 **Description** The issue is related to the DDNS Record component of Synology Router Manager, where improper neutralization of input during web page generation allows for Cross-site Scripting attacks. This can enable a remote attacker with administrator privileges to inject arbitrary web script or HTML. **Recommendations** For versions prior to 1.3.1-9346-10, update to version 1.3.1-9346-10 or later to resolve the issue. As a temporary workaround, consider restricting access to the DDNS Record functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Synology Router Manager (SRM) versions prior to 1.3.1-9346-10 **Description** The issue is related to improper neutralization of input during web page generation, also known as Cross-site Scripting, in the WiFi Connect Setting functionality. This allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors. **Recommendations** For Synology Router Manager (SRM) versions prior to 1.3.1-9346-10, update to version 1.3.1-9346-10 or later to resolve the issue. As a temporary workaround, consider restricting access to the WiFi Connect Setting functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Synology Router Manager (SRM) versions prior to 1.3.1-9346-10 **Description** The issue is related to improper neutralization of input during web page generation, also known as 'Cross-site Scripting'. This allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors. The vulnerability is associated with the Router Port Forward functionality in Synology Router Manager. **Recommendations** For Synology Router Manager (SRM) versions prior to 1.3.1-9346-10, update to version 1.3.1-9346-10 or later to resolve the issue. As a temporary workaround, consider restricting access to the Router Port Forward functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Synology Router Manager versions prior to 1.3.1-9346-10 **Description** The issue is related to improper neutralization of input during web page generation, which can lead to Cross-site Scripting attacks. Remote authenticated users with administrator privileges can inject arbitrary web script or HTML via unspecified vectors. **Recommendations** For versions prior to 1.3.1-9346-10, update to version 1.3.1-9346-10 or later to resolve the issue. As a temporary workaround, consider restricting access to the network center policy route functionality in Synology Router Manager until a patch is applied.