Solar Designer

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 7.0.8 Linux kernel versions prior to 6.18.31 Linux kernel versions prior to 6.12.89 Linux kernel versions prior to 6.6.139 Linux kernel versions prior to 6.1.173 Linux kernel versions prior to 5.15.207 Linux kernel versions prior to 5.10.256 **Description** An improper privilege management issue exists in the `get dumpable()` function. The logic regarding the dumpability of a task—originally intended to determine if a task can create a core dump—was incorrectly used by `ptrace may access()` to check permissions independently of the memory management (MM) pointer. This includes threads without a virtual memory (VM), such as kernel threads. This flaw allows an unprivileged local user to escalate privileges to root, execute arbitrary commands, and disclose sensitive information, including SSH host private keys and the `/etc/shadow` password hash file. The issue is described as a race condition in ptrace access handling that may allow the theft of privileged file descriptors during process shutdown. Exploitation on default installations of major distributions like Debian, Ubuntu, and Fedora requires the Reliable Datagram Sockets (RDS) module to be loaded, `io ring` to be enabled, a readable SUID-root binary, and x86 64 support. **Recommendations** Update to version 7.0.8 or newer. Update to version 6.18.31 or newer. Update to version 6.12.89 or newer. Update to version 6.6.139 or newer. Update to version 6.1.173 or newer. Update to version 5.15.207 or newer. Update to version 5.10.256 or newer. As a temporary workaround, set `sysctl kernel.yama.ptrace scope=2`.

Name of the Vulnerable Software and Affected Versions: OpenSSH versions 8.7 and 8.8 Description: A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server. The vulnerability affects OpenSSH versions 8.7 and 8.8, including their corresponding portable releases, and is estimated to potentially affect over 98 million systems. Recommendations: To resolve the issue for OpenSSH versions 8.7 and 8.8, set the LoginGraceTime parameter to 0 in the sshd configuration. This method effectively blocks the vulnerability. Additionally, updating to a newer version of OpenSSH that includes the fix for this vulnerability is recommended. AlmaLinux 9 has released a patch for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** grub2 (affected versions not specified) **Description** A flaw in the grub2-set-bootflag utility of grub2 can lead to a denial of service. The issue arises when the program creates a temporary file with new grubenv content and is killed before renaming it to the original grubenv file, resulting in the temporary file not being removed. This can cause the filesystem to fill up with temporary files when the utility is invoked multiple times, leading to a filesystem out of free inodes or blocks. The vulnerability is related to incomplete cleanup of temporary or auxiliary resources. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Botan versions prior to 2.1.0 **Description** The issue concerns bcrypt password hashing in Botan, where passwords with a length between 57 and 72 characters are not handled correctly. This incorrect handling makes it easier for attackers to determine the cleartext password. **Recommendations** For versions prior to 2.1.0, update to version 2.1.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of passwords with lengths between 57 and 72 characters until the update is applied.

**Name of the Vulnerable Software and Affected Versions** VMware Tools versions prior to 12.2.5 VMware vCenter (affected versions not specified) **Description** A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine. The vulnerability is related to errors in the authentication procedure of the vgauth module in VMware Tools. Exploitation of this issue may allow an attacker to affect the confidentiality and integrity of protected information. Chinese state-sponsored group UNC3886 has been exploiting this vulnerability since 2021 to backdoor Windows, Linux, and PhotonOS systems. **Recommendations** For VMware Tools versions prior to 12.2.5, update to version 12.2.5 or later to resolve the issue. For VMware vCenter, update to the latest version to account for this vulnerability. As a temporary workaround, consider restricting access to the vulnerable vgauth module until a patch is available. Avoid using the vulnerable authentication mechanism in host-to-guest operations until the issue is resolved. At the moment, there is no additional information about other mitigation measures.

**Name of the Vulnerable Software and Affected Versions** openEuler kernel versions 4.19.90 through 4.19.90-2401.3 openEuler kernel versions 5.10.0-60.18.0 through 5.10.0-183.0.0 **Description** The issue is related to an integer overflow in the `ext4 write inline data end()` function of the openEuler kernel on Linux, specifically in the filesystem modules. This allows for a forced integer overflow, which can impact the confidentiality, integrity, and availability of protected information. **Recommendations** For openEuler kernel versions 4.19.90 through 4.19.90-2401.3, update to version 4.19.90-2401.3 or later. For openEuler kernel versions 5.10.0-60.18.0 through 5.10.0-183.0.0, update to version 5.10.0-183.0.0 or later. As a temporary workaround, consider restricting access to the vulnerable filesystem modules until a patch is available.

**Name of the Vulnerable Software and Affected Versions** cron versions 3.0pl1-128 through 3.0pl1-128ubuntu2 **Description** The issue is related to the cron package, where the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the `chown` and `chmod` programs. This can be exploited by an attacker to gain elevated privileges. **Recommendations** For cron versions 3.0pl1-128 through 3.0pl1-128ubuntu2, consider disabling the postinst maintainer script as a temporary workaround to minimize the risk of exploitation. Restrict access to the `chown` and `chmod` programs to prevent unsafe usage. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.10.8 **Description** The issue is related to the `ping unhash` function in the Linux kernel, specifically in the `net/ipv4/ping.c` file. It is associated with inadequate access control. The exploitation of this issue can allow a local attacker to cause a denial of service by utilizing access to the `IPPROTO ICMP` protocol value in a socket system call. This can lead to a system panic. **Recommendations** For Linux kernel versions prior to 4.10.8, update to version 4.10.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the `IPPROTO ICMP` protocol value in socket system calls to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.5.2 **Description** The issue concerns the IPv4 implementation in the Linux kernel, which fails to properly handle the destruction of device objects. This allows guest OS users to cause a denial of service, resulting in a host OS networking outage, by arranging for a large number of IP addresses. **Recommendations** For Linux kernel versions prior to 4.5.2, update to version 4.5.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Password Generator (aka Pwgen) versions prior to 2.07 **Description** The issue allows context-dependent attackers to guess passwords via a brute-force attack because weak non-tty passwords are generated. **Recommendations** For versions prior to 2.07, update to version 2.07 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** GNU Wget versions 1.12 and earlier wget versions prior to 1.12-r2 **Description** The issue allows remote servers to create or overwrite arbitrary files via a 3xx redirect to a URL with a .wgetrc filename followed by a 3xx redirect to a URL with a crafted filename. This could possibly lead to the execution of arbitrary code as a consequence of writing to a dotfile in a home directory. Exploitation of this issue may lead to a breach of confidentiality, integrity, and availability of protected information and can be carried out remotely. **Recommendations** For GNU Wget versions 1.12 and earlier, update to a version later than 1.12 to resolve the issue. For wget versions prior to 1.12-r2, update to version 1.12-r2 or later to fix the problem. As a temporary workaround, consider disabling the use of server-provided filenames for determining the destination filename of a download until a patch is available.

**Name of the Vulnerable Software and Affected Versions** libwww-perl versions prior to 5.835 **Description** The issue allows remote servers to create or overwrite files through a 3xx redirect to a URL with a crafted filename or a Content-Disposition header that suggests a crafted filename. This can possibly lead to the execution of arbitrary code as a consequence of writing to a dotfile in a home directory. The problem arises because the software does not reject downloads to filenames that begin with a . (dot) character. **Recommendations** For versions prior to 5.835, update to version 5.835 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `lwp-download` function to minimize the risk of exploitation. Avoid using the `lwp-download` function with untrusted URLs or servers until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Linux kernel version 2.6.9 Description: The issue concerns the z90crypt unlocked ioctl function in the z90crypt driver, which fails to perform a capability check for the Z90QUIESCE operation. This allows local users with euid 0 privileges to cause a driver outage. Recommendations: For Linux kernel version 2.6.9, consider disabling the z90crypt driver or restricting its use to prevent exploitation until a fix is available.

Name of the Vulnerable Software and Affected Versions: Linux kernel version 2.6.16 Description: A race condition exists in the do add counters function in netfilter for the Linux kernel, allowing local users with CAP NET ADMIN capabilities to read kernel memory. This is achieved by triggering the race condition to produce a size value inconsistent with allocated memory, resulting in a buffer over-read in IPT ENTRY ITERATE. Recommendations: For Linux kernel version 2.6.16, consider restricting access to the do add counters function or applying configuration changes to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux versions prior to 2.6.16-rc3 Description: The issue is related to an integer overflow in the do replace function in netfilter for Linux. This can be exploited by local users with CAP NET ADMIN rights to cause a buffer overflow in the copy from user function, particularly when using virtualization solutions such as OpenVZ. Recommendations: For Linux versions prior to 2.6.16-rc3, update to version 2.6.16-rc3 or later to resolve the issue. As a temporary workaround, consider restricting the use of CAP NET ADMIN rights to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ISC DHCP versions 3.0.1rc12 through 3.0.1rc13 **Description** The issue is related to a buffer overflow in the logging capability for the DHCP daemon. This can be triggered by remote attackers sending multiple hostname options in various DHCP messages, such as DISCOVER, OFFER, REQUEST, ACK, or NAK messages. The vulnerability can cause a denial of service, resulting in a server crash, and potentially allow the execution of arbitrary code when a long string is generated while writing to a log file. **Recommendations** For ISC DHCP versions 3.0.1rc12 and 3.0.1rc13, consider disabling the logging capability for the DHCP daemon until a patch is available. Restrict access to the DHCP daemon to minimize the risk of exploitation. Avoid using the hostname options in DHCP messages until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ISC DHCP versions 3.0.1rc12 through 3.0.1rc13 **Description** The issue arises when the DHCP daemon (DHCPD) for ISC DHCP is compiled in environments lacking the vsnprintf function, leading to the use of C include files that define vsnprintf to use the less safe vsprintf function. This can result in buffer overflow vulnerabilities, enabling a denial of service (server crash) and possibly allowing the execution of arbitrary code. **Recommendations** For versions 3.0.1rc12 and 3.0.1rc13, consider compiling the DHCP daemon in an environment that provides the vsnprintf function to mitigate the risk of buffer overflow vulnerabilities. As a temporary workaround, restrict access to the DHCP service to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenSSH-portable versions 3.6.1p1 and earlier **Description** The issue allows remote attackers to determine valid usernames via a timing attack when a user does not exist, due to the immediate sending of an error message with PAM support enabled. This can lead to a violation of confidentiality. The vulnerability can be exploited remotely. **Recommendations** For OpenSSH-portable versions 3.6.1p1 and earlier, consider disabling PAM support as a temporary workaround to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Debian GNU/Linux kernel versions prior to 2.4.26 Red Hat Linux kernel versions prior to 2.4.26 Gentoo Linux aa-sources versions prior to 2.4.23-r2 **Description** The issue affects the kernel packages in various Linux distributions, including Debian GNU/Linux and Red Hat Linux. The vulnerabilities can be exploited by a local or remote attacker to compromise the confidentiality, integrity, and availability of protected information. The exploitation can lead to information leaks, allowing privileged users to obtain portions of kernel memory. **Recommendations** For Debian GNU/Linux kernel versions prior to 2.4.26, update to version 2.4.26 or later. For Red Hat Linux kernel versions prior to 2.4.26, update to version 2.4.26 or later. For Gentoo Linux aa-sources versions prior to 2.4.23-r2, update to version 2.4.23-r2 or later. As a temporary workaround, consider restricting access to the vulnerable kernel components until a patch is available.