Ilja Van Sprundel

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.23.0 **Description** The `Stream EnsureCapacity` function in FreeRDP versions prior to 3.23.0 can create an endless blocking loop. This issue may affect all client and server implementations using FreeRDP. Exploitation is practical on 32bit systems with physical memory greater than or equal to `SIZE MAX`. **Recommendations** Update to version 3.23.0 or later.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is caused by a buffer overflow in the struct qib user sdma pkt fields. Overflowing either `addrlimit` or `bytes togo` can allow userspace to trigger a buffer overflow of kernel memory. The vulnerability can be exploited to gain access to confidential information. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to v5.14-rc1 **Description** The issue is related to insufficient input validation when handling SCTP packets, which may allow a remote attacker to gain unauthorized access to protected information. This could lead to remote information disclosure to an on-path attacker with no additional execution privileges needed. The vulnerability is due to a missing bounds check in functions such as `sctp v6 to sk daddr` and `sctp v4 from addr param`, potentially causing an out of bounds read. User interaction is not required for exploitation. **Recommendations** For Linux kernel versions prior to v5.14-rc1, update to version v5.14-rc1 or later to resolve the issue. As a temporary workaround, consider restricting access to SCTP packets to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue is related to memory corruption in certain functions, including IntLixCrashDumpDmesg, IntLixTaskFetchCmdLine, IntLixFileReadDentry, and IntLixFileGetPath, due to insufficient validation of guest-data input. This may lead to denial of service conditions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue is related to a lack of validation on data read from guest memory in several functions, including IntPeGetDirectory, IntPeParseUnwindData, IntLogExceptionRecord, IntKsymExpandSymbol, and IntLixTaskDumpTree. This lack of validation may lead to out-of-bounds read or cause a Denial of Service (DoS) due to integer overflow in IntPeGetDirectory, Time-of-Check-to-Time-of-Use (TOCTOU) in IntPeParseUnwindData, or insufficient validations. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xen versions through 4.13.x **Description** An issue in xenoprof allows guest OS users without active profiling to obtain sensitive information about other guests. Unprivileged guests can request to map xenoprof buffers, even if profiling has not been enabled for those guests. These buffers were not scrubbed. **Recommendations** For Xen versions through 4.13.x, consider disabling the xenoprof feature until a patch is available to prevent unprivileged guests from mapping xenoprof buffers and obtaining sensitive information about other guests.

**Name of the Vulnerable Software and Affected Versions** Xen versions through 4.13.x **Description** An issue in xenoprof allows guest OS users with active profiling to obtain sensitive information about other guests, cause a denial of service, or possibly gain privileges. The xenoprof code uses the standard Xen shared ring structure for guests with active profiling enabled by the administrator. However, it trusts the guest not to modify buffer size information or head/tail pointers in unexpected ways, which can lead to a host crash (DoS). Privilege escalation cannot be ruled out. **Recommendations** For versions through 4.13.x, consider disabling active profiling for guest OS users until a patch is available to prevent potential exploitation. Restrict access to the xenoprof code to minimize the risk of denial of service or privilege escalation.

**Name of the Vulnerable Software and Affected Versions** FreeBSD versions 12.1-STABLE before r357490 FreeBSD versions 12.1-RELEASE before 12.1-RELEASE-p3 FreeBSD versions 11.3-STABLE before r357489 FreeBSD versions 11.3-RELEASE before 11.3-RELEASE-p7 **Description** The issue is related to the incorrect use of a user-controlled pointer in the epair virtual network module. This allowed vnet jailed privileged users to panic the host system and potentially execute arbitrary code in the kernel. **Recommendations** For FreeBSD versions 12.1-STABLE before r357490, update to a version after r357490 to resolve the issue. For FreeBSD versions 12.1-RELEASE before 12.1-RELEASE-p3, update to 12.1-RELEASE-p3 or later to resolve the issue. For FreeBSD versions 11.3-STABLE before r357489, update to a version after r357489 to resolve the issue. For FreeBSD versions 11.3-RELEASE before 11.3-RELEASE-p7, update to 11.3-RELEASE-p7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ppp versions 2.4.2 through 2.4.8 **Description** The issue is related to buffer overflow errors in the eap request and eap response functions of the pppd daemon in the Point-to-Point Protocol (PPP). Exploitation of this issue may allow a remote attacker to cause a denial of service or execute arbitrary code using a specially crafted EAP packet. The vulnerability can be exploited by sending specially formatted authentication requests to systems using the PPP or PPPoE protocols, which are commonly used by providers for Ethernet or DSL connections and in some VPNs. **Recommendations** For versions 2.4.2 through 2.4.8, update to a version that fixes the buffer overflow issue in the eap request and eap response functions. As a temporary workaround, consider disabling the `eap request` and `eap response` functions until a patch is available. Restrict access to the vulnerable `eap.c` module to minimize the risk of exploitation. Avoid using the `rhostname` buffer in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FreeBSD versions prior to 11.1-STABLE FreeBSD versions prior to 11.1-RELEASE-p9 FreeBSD versions prior to 10.4-STABLE FreeBSD versions prior to 10.4-RELEASE-p8 FreeBSD versions prior to 10.3-RELEASE-p28 **Description** The issue is due to insufficient initialization of memory copied to userland, which may disclose small amounts of kernel memory to userland processes. Unprivileged users may be able to access small amounts of privileged kernel data. **Recommendations** For versions prior to 11.1-STABLE, update to 11.1-STABLE or later. For versions prior to 11.1-RELEASE-p9, update to 11.1-RELEASE-p9 or later. For versions prior to 10.4-STABLE, update to 10.4-STABLE or later. For versions prior to 10.4-RELEASE-p8, update to 10.4-RELEASE-p8 or later. For versions prior to 10.3-RELEASE-p28, update to 10.3-RELEASE-p28 or later.

**Name of the Vulnerable Software and Affected Versions** eject versions 2.1.5+deb1+cvs20081104-13.1 and earlier on Debian eject versions before 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.10.1 on Ubuntu 16.10 eject versions before 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.04.1 on Ubuntu 16.04 LTS eject versions before 2.1.5+deb1+cvs20081104-13.1ubuntu0.14.04.1 on Ubuntu 14.04 LTS eject versions before 2.1.5+deb1+cvs20081104-9ubuntu0.1 on Ubuntu 12.04 LTS **Description** The issue is related to insufficient error handling in the dmcrypt-get-device utility, which is part of the eject package in Debian and Ubuntu. This utility does not check the return value of the `setuid` or `setgid` function, potentially allowing an attacker to execute code with root privileges that was intended for an unprivileged user. **Recommendations** For eject versions 2.1.5+deb1+cvs20081104-13.1 and earlier on Debian, update to a version later than 2.1.5+deb1+cvs20081104-13.1. For eject versions before 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.10.1 on Ubuntu 16.10, update to version 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.10.1 or later. For eject versions before 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.04.1 on Ubuntu 16.04 LTS, update to version 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.04.1 or later. For eject versions before 2.1.5+deb1+cvs20081104-13.1ubuntu0.14.04.1 on Ubuntu 14.04 LTS, update to version 2.1.5+deb1+cvs20081104-13.1ubuntu0.14.04.1 or later. For eject versions before 2.1.5+deb1+cvs20081104-9ubuntu0.1 on Ubuntu 12.04 LTS, update to version 2.1.5+deb1+cvs20081104-9ubuntu0.1 or later. As a temporary workaround, consider restricting the use of the dmcrypt-get-device utility until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.11 **Description** The issue is related to the SMBClient component in Apple OS X, which lacks protection of service data. This allows a local attacker to potentially obtain sensitive kernel memory-layout information. The vulnerability can be exploited by a local user to access protected information in the kernel memory. **Recommendations** For Apple OS X versions prior to 10.11, update to version 10.11 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mac OS X (affected versions not specified) **Description** The issue is caused by a buffer overflow in the IOGraphics component of the Mac OS X operating system. Exploitation of this issue may allow a local attacker to elevate privileges or cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OS X versions prior to 10.11 **Description** The issue is related to a buffer overflow in the SMB implementation of the Mac OS X kernel. This can be exploited by a local attacker to gain elevated privileges or cause a denial of service, resulting in memory corruption. **Recommendations** For OS X versions prior to 10.11, update to version 10.11 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mac OS X (affected versions not specified) **Description** The issue is caused by a buffer overflow in the IOGraphics component of the Mac OS X operating system. Exploitation of this issue may allow a local attacker to elevate privileges or cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mac OS X (affected versions not specified) **Description** The issue is caused by a buffer overflow in the IOGraphics component of the Mac OS X operating system. Exploitation of this issue may allow a local attacker to elevate privileges or cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mac OS X (affected versions not specified) **Description** The issue is caused by a buffer overflow in the IOGraphics component of the Mac OS X operating system. Exploitation of this issue may allow a local attacker to elevate privileges or cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 9 **Description** The issue is related to the IOStorageFamily component in the iOS operating system, which lacks protection for certain internal data. This can be exploited by a local attacker to gain access to sensitive information by manipulating the system's kernel memory. The vulnerability allows local users to obtain sensitive information from kernel memory, although the exact vectors used for this are not specified. **Recommendations** For iOS versions prior to 9, update to version 9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.10.5 **Description** The issue is caused by a buffer overflow in the IOGraphics component, allowing remote attackers to execute arbitrary code or cause a denial of service via a crafted app, resulting in memory corruption. **Recommendations** For Apple OS X versions prior to 10.10.5, update to version 10.10.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mac OS X (affected versions not specified) **Description** The issue is caused by a buffer overflow in the IOFireWireFamily component of the Mac OS X operating system. Exploitation of this issue may allow a local attacker to elevate their privileges or cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.