Marco Ivaldi

**Name of the Vulnerable Software and Affected Versions** USG FLEX H series uOS firmware versions from V1.20 through V1.31 **Description** An incorrect permission assignment vulnerability in the PostgreSQL commands could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting malicious scripts or modifying system configurations with administrator-level access through a stolen token. Modifying the system configuration is only possible if the administrator has not logged out and the token remains valid. **Recommendations** For USG FLEX H series uOS firmware versions from V1.20 through V1.31, consider disabling the PostgreSQL command processing as a temporary workaround until a patch is available. Restrict access to the Linux shell to minimize the risk of exploitation. Avoid using stolen tokens for administrator-level access until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Eclipse ThreadX versions prior to 6.4.0 **Description** The issue arises from missing parameter checks in the `xQueueCreate()` and `xQueueCreateSet()` functions from the FreeRTOS compatibility API. This could lead to integer wraparound, under-allocations, and heap buffer overflows. **Recommendations** For Eclipse ThreadX versions prior to 6.4.0, update to version 6.4.0 or later to resolve the issue. As a temporary workaround, consider disabling the `xQueueCreate()` and `xQueueCreateSet()` functions until a patch is available. Restrict access to the FreeRTOS compatibility API to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Eclipse ThreadX versions prior to 6.4.0 **Description** The issue is related to a missing array size check in the ` Mtxinit()` function within the Xtensa port of Eclipse ThreadX, causing a memory overwrite. The affected file is `ports/xtensa/xcc/src/tx clib lock.c`. **Recommendations** For versions prior to 6.4.0, update to version 6.4.0 or later to resolve the issue. As a temporary workaround, consider disabling the ` Mtxinit()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Eclipse ThreadX NetX Duo versions prior to 6.4.0 **Description** The issue arises when an attacker can control parameters of the ` portable aligned alloc()` function, potentially causing an integer wrap-around and an allocation smaller than expected. This could lead to subsequent heap buffer overflows. **Recommendations** For versions prior to 6.4.0, update to version 6.4.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the ` portable aligned alloc()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** RT-Thread versions through 5.0.2 **Description** A stack buffer overflow occurs in the net/at/src/at server.c file. **Recommendations** For RT-Thread versions through 5.0.2, update to a version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** RT-Thread versions through 5.0.2 **Description** An out-of-bounds access occurs in utilities/var export/var export.c. **Recommendations** For RT-Thread versions through 5.0.2, update to a version that fixes the out-of-bounds access issue in utilities/var export/var export.c. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RT-Thread versions through 5.0.2 **Description** A stack buffer overflow occurs in the libc/posix/ipc/mqueue.c file. **Recommendations** For RT-Thread versions through 5.0.2, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** RT-Thread versions through 5.0.2 **Description** A heap buffer overflow occurs in finsh/msh file.c and finsh/msh.c. **Recommendations** For RT-Thread versions through 5.0.2, update to a version later than 5.0.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** RT-Thread versions through 5.0.2 **Description** The issue is related to a weak random number generation algorithm used in RT-Thread. The algorithm, defined as `seed = 214013L * seed + 2531011L; return (seed >> 16) & 0x7FFF;`, is implemented in the `calc random` function within the `drivers/misc/rt random.c` file. This weakness can potentially lead to predictable random numbers. **Recommendations** For RT-Thread versions through 5.0.2, consider modifying the `calc random` function to utilize a more secure random number generation algorithm until a patch is available. As a temporary workaround, restrict the use of the `calc random` function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RT-Thread versions through 5.0.2 **Description** The issue is related to an integer signedness error and resultant buffer overflow in the `drivers/wlan/wlan mgmt,c` component. **Recommendations** For RT-Thread versions through 5.0.2, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RT-Thread versions through 5.0.2 **Description** A buffer overflow occurs in the utilities/rt-link/src/rtlink.c file. **Recommendations** For RT-Thread versions through 5.0.2, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RT-Thread versions 5.0.2 and earlier **Description** A heap buffer overflow occurs in the dfs v2 romfs filesystem. **Recommendations** For RT-Thread versions 5.0.2 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RT-Thread versions through 5.0.2 **Description** A heap buffer overflow occurs in `dfs v2 dfs file` in RT-Thread. **Recommendations** For RT-Thread versions through 5.0.2, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** RT-Thread versions through 5.0.2 **Description** A buffer overflow occurs in utilities/ymodem/ry sy.c because of an incorrect sprintf call or a missing '0' character. **Recommendations** For versions through 5.0.2, update to a version that fixes the buffer overflow issue in utilities/ymodem/ry sy.c. As a temporary workaround, consider restricting access to the vulnerable `ry sy.c` file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Common Desktop Environment version 1.6 **Description** The issue is related to a bug in the parser of lpstat, an external command invoked by dtprintinfo, which occurs during the listing of available printer names. This bug allows low-privileged local users to inject arbitrary printer names via the $HOME/.printers file, enabling them to manipulate control flow and disclose memory contents on Solaris 10 systems. It's noted that this vulnerability only affects products that are no longer supported by the maintainer. **Recommendations** For Common Desktop Environment version 1.6, as the product is no longer supported by the maintainer, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Common Desktop Environment version 1.6 **Description** A stack-based buffer overflow in the `ParseColors` function in `libXm` can be exploited by local low-privileged users via the `dtprintinfo` setuid binary to escalate their privileges to root on Solaris 10 systems. This issue only affects products that are no longer supported by the maintainer. **Recommendations** For Common Desktop Environment version 1.6, as a temporary workaround, consider disabling the `dtprintinfo` setuid binary until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libXpm (affected versions not specified) **Description** The issue is related to a flaw in the libXpm library, specifically in the `ParseComment()` function, which can lead to an infinite loop when parsing a file with an unclosed comment. This can result in a Denial of Service (DoS) in the application linked to the library. The vulnerability can be exploited by a remote attacker using a specially crafted XPM file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zyxel USG/ZyWALL series versions 4.09 through 4.71 Zyxel USG FLEX series versions 4.50 through 5.21 Zyxel ATP series versions 4.32 through 5.21 Zyxel VPN series versions 4.30 through 5.21 Zyxel NSG series versions 1.00 through 1.33 Patch 4 Zyxel NXC2500 version 6.10(AAIG.3) and earlier versions Zyxel NAP203 version 6.25(ABFA.7) and earlier versions Zyxel NWA50AX version 6.25(ABYW.5) and earlier versions Zyxel WAC500 version 6.30(ABVS.2) and earlier versions Zyxel WAX510D version 6.30(ABTF.2) and earlier versions **Description** The issue is related to multiple improper input validation flaws in some CLI commands of Zyxel network device firmware, which could allow a local authenticated attacker to cause a buffer overflow or a system crash via a crafted payload. This is due to insufficient input validation, allowing an attacker to exploit the vulnerability and potentially cause a denial of service. **Recommendations** For Zyxel USG/ZyWALL series versions 4.09 through 4.71, update to a version outside of this range to mitigate the risk. For Zyxel USG FLEX series versions 4.50 through 5.21, update to a version outside of this range to mitigate the risk. For Zyxel ATP series versions 4.32 through 5.21, update to a version outside of this range to mitigate the risk. For Zyxel VPN series versions 4.30 through 5.21, update to a version outside of this range to mitigate the risk. For Zyxel NSG series versions 1.00 through 1.33 Patch 4, update to a version outside of this range to mitigate the risk. For Zyxel NXC2500 version 6.10(AAIG.3) and earlier versions, update to a version later than 6.10(AAIG.3) to mitigate the risk. For Zyxel NAP203 version 6.25(ABFA.7) and earlier versions, update to a version later than 6.25(ABFA.7) to mitigate the risk. For Zyxel NWA50AX version 6.25(ABYW.5) and earlier versions, update to a version later than 6.25(ABYW.5) to mitigate the risk. For Zyxel WAC500 version 6.30(ABVS.2) and earlier versions, update to a version later than 6.30(ABVS.2) to mitigate the risk. For Zyxel WAX510D version 6.30(ABTF.2) and earlier versions, update to a version later than 6.30(ABTF.2) to mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71 Zyxel USG FLEX series firmware versions 4.50 through 5.21 Zyxel ATP series firmware versions 4.32 through 5.21 Zyxel VPN series firmware versions 4.30 through 5.21 Zyxel NSG series firmware versions 1.00 through 1.33 Patch 4 Zyxel NXC2500 firmware version 6.10(AAIG.3) and earlier versions Zyxel NAP203 firmware version 6.25(ABFA.7) and earlier versions Zyxel NWA50AX firmware version 6.25(ABYW.5) and earlier versions Zyxel WAC500 firmware version 6.30(ABVS.2) and earlier versions Zyxel WAX510D firmware version 6.30(ABTF.2) and earlier versions **Description** A local authenticated attacker could execute arbitrary OS commands by including crafted arguments to the 'packet-trace' CLI command due to an argument injection vulnerability. This vulnerability is related to the lack of measures to neutralize special elements used in the OS command. **Recommendations** For Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, update to a version outside of this range to mitigate the risk. For Zyxel USG FLEX series firmware versions 4.50 through 5.21, update to a version outside of this range to mitigate the risk. For Zyxel ATP series firmware versions 4.32 through 5.21, update to a version outside of this range to mitigate the risk. For Zyxel VPN series firmware versions 4.30 through 5.21, update to a version outside of this range to mitigate the risk. For Zyxel NSG series firmware versions 1.00 through 1.33 Patch 4, update to a version outside of this range to mitigate the risk. For Zyxel NXC2500 firmware version 6.10(AAIG.3) and earlier versions, update to a version later than 6.10(AAIG.3) to mitigate the risk. For Zyxel NAP203 firmware version 6.25(ABFA.7) and earlier versions, update to a version later than 6.25(ABFA.7) to mitigate the risk. For Zyxel NWA50AX firmware version 6.25(ABYW.5) and earlier versions, update to a version later than 6.25(ABYW.5) to mitigate the risk. For Zyxel WAC500 firmware version 6.30(ABVS.2) and earlier versions, update to a version later than 6.30(ABVS.2) to mitigate the risk. For Zyxel WAX510D firmware version 6.30(ABTF.2) and earlier versions, update to a version later than 6.30(ABTF.2) to mitigate the risk. As a temporary workaround, consider disabling the 'packet-trace' CLI command until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Oracle Solaris versions 10 and 11 **Description** The issue is related to a lack of protection for service data in the Whodo component of Oracle Solaris. It allows a low-privileged attacker with logon access to the infrastructure where Oracle Solaris is executed to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. The attacks can result in unauthorized read access to a subset of Oracle Solaris accessible data. **Recommendations** For Oracle Solaris versions 10 and 11, at the moment, there is no information about a newer version that contains a fix for this vulnerability.