-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.3570
 ICS Advisory | ICSA-23-166-11 Siemens SIMATIC S7-1500 TM MFP Linux Kernel
                               23 June 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SIMATIC S7-1500 TM MFP Linux Kernel
Publisher:         ICS-CERT
Operating System:  Linux variants
Resolution:        Mitigation
CVE Names:         CVE-2023-26607 CVE-2023-23559 CVE-2023-23455
                   CVE-2023-23454 CVE-2023-1095 CVE-2023-1077
                   CVE-2023-0590 CVE-2023-0466 CVE-2023-0465
                   CVE-2023-0464 CVE-2023-0286 CVE-2023-0215
                   CVE-2022-47946 CVE-2022-47929 CVE-2022-47520
                   CVE-2022-47518 CVE-2022-43750 CVE-2022-42896
                   CVE-2022-42895 CVE-2022-42722 CVE-2022-42721
                   CVE-2022-42720 CVE-2022-42719 CVE-2022-42703
                   CVE-2022-42432 CVE-2022-42329 CVE-2022-42328
                   CVE-2022-41850 CVE-2022-41849 CVE-2022-41674
                   CVE-2022-41222 CVE-2022-41218 CVE-2022-40768
                   CVE-2022-40307 CVE-2022-39190 CVE-2022-39188
                   CVE-2022-36946 CVE-2022-36879 CVE-2022-36280
                   CVE-2022-36123 CVE-2022-34918 CVE-2022-32296
                   CVE-2022-32250 CVE-2022-26373 CVE-2022-21505
                   CVE-2022-21166 CVE-2022-21125 CVE-2022-21123
                   CVE-2022-20572 CVE-2022-20566 CVE-2022-20422
                   CVE-2022-20421 CVE-2022-4662 CVE-2022-4450
                   CVE-2022-4304 CVE-2022-4139 CVE-2022-4129
                   CVE-2022-4095 CVE-2022-3649 CVE-2022-3646
                   CVE-2022-3635 CVE-2022-3633 CVE-2022-3629
                   CVE-2022-3628 CVE-2022-3625 CVE-2022-3621
                   CVE-2022-3606 CVE-2022-3594 CVE-2022-3586
                   CVE-2022-3565 CVE-2022-3564 CVE-2022-3545
                   CVE-2022-3534 CVE-2022-3524 CVE-2022-3521
                   CVE-2022-3303 CVE-2022-3169 CVE-2022-3115
                   CVE-2022-3104 CVE-2022-3028 CVE-2022-2978
                   CVE-2022-2959 CVE-2022-2905 CVE-2022-2663
                   CVE-2022-2602 CVE-2022-2588 CVE-2022-2586
                   CVE-2022-2503 CVE-2022-2327 CVE-2022-2274
                   CVE-2022-2153 CVE-2022-2097 CVE-2022-2078
                   CVE-2022-2068 CVE-2022-1882 CVE-2022-1852
                   CVE-2022-1679 CVE-2022-1473 CVE-2022-1462
                   CVE-2022-1434 CVE-2022-1343 CVE-2022-1292
                   CVE-2022-1184 CVE-2022-1012 CVE-2022-0171
                   CVE-2021-33655 CVE-2021-4037 CVE-2021-3759
                   CVE-2018-13405  

Original Bulletin: 
   https://www.cisa.gov/news-events/ics-advisories/icsa-23-166-11

Comment: CVSS (Max):  9.8 CVE-2022-1292 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-23-166-11)

Siemens SIMATIC S7-1500 TM MFP Linux Kernel

Release Date
June 15, 2023

As of January 10, 2023, CISA will no longer be updating ICS security advisories
for Siemens product vulnerabilities beyond the initial advisory. For the most
up-to-date information on vulnerabilities in this advisory, please see Siemens'
ProductCERT Security Advisories.

1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely / low attack complexity / public exploits
    available
  o Vendor: Siemens ProductCERT
  o Equipment: SIMATIC S7-1500 TM MFP
  o Vulnerabilities: Multiple vulnerabilities

2. RISK EVALUATION

Exploitation of these vulnerabilities could lead to denial-of-service, crashing
the application, arbitrary code execution, privilege escalation, and expose
sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Siemens are affected:

  o SIMATIC S7-1500 TM MFP - Linux Kernel: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

A resource accounting flaw was found in the Linux kernel's System V IPC code:
semaphore sets created with semget() were not charged to the caller's memory
cgroup (memcg). A local user who calls semget() repeatedly can therefore
create semaphores until kernel memory is exhausted, starving other processes
and causing a denial of service. The highest threat from this vulnerability is
to system availability.

CVE-2021-3759 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.2 IMPROPER ACCESS CONTROL CWE-284

A vulnerability was found in the fs/inode.c:inode_init_owner() function logic
of the Linux kernel that allows local users to create files on an XFS
file-system with an unintended group ownership and with the group execution
and SGID permission bits set. The scenario is a directory that is SGID, belongs
to a certain group, and is writable by a user who is not a member of this
group; a file created there inherits the group and keeps the SGID bit, granting
more permission than intended. This vulnerability is similar to the earlier
CVE-2018-13405 and adds the fix that was missed for XFS.

CVE-2021-4037 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).
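The directory precondition described above (an SGID directory owned by a group
that a writing user does not belong to) is something an operator can look for
on a live system. The shell script below is an added example for this bulletin
and is not part of the CISA or Siemens advisory: it lists SGID directories that
are also world-writable, and for a given directory reports whether the calling
user is in that directory's group. The fixture directories it builds under
mktemp are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the advisory): audit for the precondition behind
# CVE-2018-13405 / CVE-2021-4037, SGID directories that users outside the
# owning group can write to.
set -u

# Print every SGID directory under $1 that is also world-writable, one per
# line. A user who is not in such a directory's group can still create
# files there that inherit the group, which is the situation in which the
# unfixed kernels also let the SGID bit through on executables.
sgid_world_writable_dirs() {
    find "$1" -type d -perm -2000 -perm -0002 2>/dev/null
}

# For one directory, print "gid=<gid> member=yes|no" for the calling user.
# ls -ldn and id -G are used instead of stat(1) because the stat option
# syntax differs between GNU and BSD userlands.
sgid_dir_group_membership() {
    gid=$(ls -ldn "$1" | awk '{print $4}')
    member=no
    for g in $(id -G); do
        [ "$g" = "$gid" ] && member=yes
    done
    printf 'gid=%s member=%s\n' "$gid" "$member"
}

# Constructed fixture: three directories, only "a" meets both conditions.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir "$root/a" "$root/b" "$root/c"
    chmod 2777 "$root/a"   # SGID + world-writable: flagged
    chmod 2755 "$root/b"   # SGID only: not flagged
    chmod 0777 "$root/c"   # world-writable only: not flagged
    printf '%s\n' "$root"
}
```

Run sgid_world_writable_dirs against / (or the mount points that untrusted
users can reach) and review each hit with sgid_dir_group_membership as the
user population that can write there; a directory that is SGID, group-owned by
a privileged group and writable by users outside that group is the case the
kernel fix closes.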

3.2.3 OUT-OF-BOUNDS WRITE CWE-787

When malicious data is sent to the kernel through the FBIOPUT_VSCREENINFO
ioctl, the framebuffer code writes memory out of bounds.

CVE-2021-33655 has been assigned to this vulnerability. A CVSS v3 base score of
6.7 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:H/UI:N
/S:U/C:H/I:H/A:H ).

3.2.4 INCOMPLETE CLEANUP CWE-459

A flaw was found in the Linux kernel. The existing KVM SEV API has a
vulnerability that allows a non-root (host) user-level application to crash the
host kernel by creating a confidential guest VM instance in AMD CPU that
supports Secure Encrypted Virtualization (SEV).

CVE-2022-0171 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.5 MISSING RELEASE OF MEMORY AFTER EFFECTIVE LIFETIME CWE-401

A flaw was found in the TCP source port generation algorithm in
net/ipv4/tcp.c: the perturbation table used when choosing source ports is too
small, which weakens the randomisation of the ports a host selects. This flaw
may allow an attacker to leak information and may cause a denial of service.

CVE-2022-1012 has been assigned to this vulnerability. A CVSS v3 base score of
8.2 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:L/I:N/A:H ).

3.2.6 USE AFTER FREE CWE-416

A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the
Linux kernel's filesystem sub-component. This flaw allows a local attacker with
a user privilege to cause a denial of service.

CVE-2022-1184 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.7 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS
COMMAND INJECTION') CWE-78

The c_rehash script shipped with OpenSSL does not properly sanitise shell
metacharacters in the names of the certificate files it processes, so a
crafted file name is passed to a shell and can inject commands. Some operating
systems distribute this script in a manner where it is automatically executed;
on such systems an attacker able to place a file in a directory the script
processes could execute arbitrary commands with the privileges of the script.
Use of the c_rehash script is considered obsolete and should be replaced by
the OpenSSL rehash command line tool.

CVE-2022-1292 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.8 IMPROPER CERTIFICATE VALIDATION CWE-295

Under certain circumstances, the command line OCSP verify function reports
successful verification when the verification actually failed. In this case the
incorrect successful response will also be accompanied by error messages
showing the failure and contradicting the apparently successful result.

CVE-2022-1343 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:L/A:N ).

3.2.9 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327

When using the RC4-MD5 ciphersuite, which is disabled by default, an attacker
can modify data in transit due to an incorrect use of the AAD data as the MAC
key in OpenSSL 3.0. An attacker is not able to decrypt any communication.

CVE-2022-1434 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:H/A:N ).

3.2.10 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION
('RACE CONDITION') CWE-362

An out-of-bounds read flaw was found in the Linux kernel's TTY (teletype)
subsystem. The issue occurs in how a user triggers a race condition using the
ioctls TIOCSPTLCK, TIOCGPTPEER, TIOCSTI and TCXONC, with leakage of memory in
the flush_to_ldisc function. This flaw allows a local user to crash the system
or read unauthorized data from kernel memory.

CVE-2022-1462 has been assigned to this vulnerability. A CVSS v3 base score of
6.3 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:L/UI:N
/S:U/C:H/I:N/A:H ).

3.2.11 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404

The OpenSSL version in use has a bug in OPENSSL_LH_flush(), the function that
empties a hash table: memory occupied by removed entries is not made available
for reuse. This function is called when decoding certificates or keys, so a
long-lived process that periodically decodes them grows without bound and may
be terminated by the operating system, causing a denial of service.

CVE-2022-1473 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.12 USE AFTER FREE CWE-416

A use-after-free flaw was found in the Linux kernel's Atheros wireless adapter
driver in the way a user forces the ath9k_htc_wait_for_target function to fail
with some input messages. This flaw allows a local user to crash or potentially
escalate their privileges on the system.

CVE-2022-1679 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.13 NULL POINTER DEREFERENCE CWE-476

A NULL pointer dereference flaw was found in the Linux kernel's KVM module,
which can lead to a denial of service in x86_emulate_insn in
arch/x86/kvm/emulate.c. This flaw occurs while executing an illegal
instruction in a guest on an Intel CPU.

CVE-2022-1852 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.14 USE AFTER FREE CWE-416

A use-after-free flaw was found in the Linux kernel's pipe functionality, in
the way a user can cause post_one_notification() to run on a pipe's watch
queue after free_pipe_info() has already been called. This flaw allows a local
user to crash the system or potentially escalate their privileges.

CVE-2022-1882 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.15 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS
COMMAND INJECTION') CWE-78

In addition to the c_rehash shell command injection identified in
CVE-2022-1292, further circumstances where the c_rehash script does not
properly sanitize shell metacharacters to prevent command injection were found
by code review. When the CVE-2022-1292 was fixed it was not discovered that
there are other places in the script where the file names of certificates being
hashed were possibly passed to a command executed through the shell. This
script is distributed by some operating systems in a manner where it is
automatically executed. On such operating systems, an attacker could execute
arbitrary commands with the privileges of the script. Use of the c_rehash
script is considered obsolete and should be replaced by the OpenSSL rehash
command line tool.

CVE-2022-2068 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).
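The following shell script is an added illustration for this bulletin of the
bug class behind CVE-2022-1292 (3.2.7) and CVE-2022-2068 (3.2.15) above; it is
not code from the CISA or Siemens advisory nor from OpenSSL. It shows what
happens when a certificate file name is spliced into a command string that a
shell then parses, beside the form that passes the name as a single argument.
Because openssl may not be installed where this is run, a small stand-in
script named hashcmd (an assumption of this example) plays the role of
"openssl x509 -hash -noout -in FILE", and the hostile file name is constructed
by the script itself.

```sh
#!/bin/sh
# Added example for this bulletin (not code from the advisory or from
# OpenSSL). Models the c_rehash bug class: a certificate file name spliced
# into a command string that is then parsed by a shell.
set -u

# Build a scratch directory holding (a) hashcmd, a stand-in for
# "openssl x509 -hash -noout -in FILE" that just prints the file's cksum so
# the example runs without openssl installed, and (b) one "certificate"
# whose name carries a shell metacharacter and a follow-on command.
# Both are constructed for the example.
make_fixture() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '#!/bin/sh' 'cksum "$1" | cut -d" " -f1' > "$dir/hashcmd"
    chmod +x "$dir/hashcmd"
    printf 'not a real certificate\n' > "$dir/x.pem;touch INJECTED"
    printf '%s\n' "$dir"
}

# Vulnerable shape (what c_rehash did before CVE-2022-1292/CVE-2022-2068
# were fixed): the name is interpolated into a string and handed to sh -c,
# so ";" ends the hash command and "touch INJECTED" runs as a new one.
rehash_unsafe() {
    dir=$1
    for f in "$dir"/*.pem*; do
        name=${f##*/}
        (cd "$dir" && sh -c "./hashcmd $name" >/dev/null 2>&1) || true
    done
}

# Hardened shape: the name travels as a single argv element and no shell
# ever re-parses it. This is the property "openssl rehash" also has.
rehash_safe() {
    dir=$1
    for f in "$dir"/*.pem*; do
        name=${f##*/}
        (cd "$dir" && ./hashcmd "$name" >/dev/null 2>&1) || true
    done
}

# Succeeds (exit 0) when the injected command left its marker behind.
injected() {
    [ -e "$1/INJECTED" ]
}
```

After rehash_unsafe runs over the fixture the INJECTED marker exists; after
rehash_safe it does not. The advisory's own recommendation, replacing c_rehash
with the compiled "openssl rehash" tool, removes the shell from the path
altogether, and any local wrapper around certificate directories should do the
same by passing file names as arguments rather than building command strings.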

3.2.16 STACK-BASED BUFFER OVERFLOW CWE-121

A vulnerability was found in the Linux kernel's nft_set_desc_concat_parse()
function. This flaw allows a local attacker to trigger a buffer overflow via
nft_set_desc_concat_parse(), causing a denial of service and possibly
arbitrary code execution.

CVE-2022-2078 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.17 INADEQUATE ENCRYPTION STRENGTH CWE-326

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized
implementation will not encrypt the entirety of the data under some
circumstances. This could reveal sixteen bytes of data that was preexisting in
the memory that wasn't written. In the special case of "in place" encryption,
sixteen bytes of the plaintext would be revealed. Since OpenSSL does not
support OCB based cipher suites for TLS and DTLS, they are both unaffected.

CVE-2022-2097 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:L/I:N/A:N ).

3.2.18 NULL POINTER DEREFERENCE CWE-476

A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ.
This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER
MSRs, causing a NULL pointer dereference. This flaw allows an unprivileged
local attacker on the host to issue specific ioctl calls, causing a kernel oops
condition that results in a denial of service.

CVE-2022-2153 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.19 OUT-OF-BOUNDS WRITE CWE-787

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation
for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the
RSA implementation with 2048 bit private keys incorrect on such machines and
memory corruption will happen during the computation. Due to the memory
corruption, an attacker may be able to trigger a remote code execution on the
machine performing the computation. SSL/TLS servers or other servers using 2048
bit RSA private keys running on machines supporting AVX512IFMA instructions of
the X86_64 architecture are affected by this issue.

CVE-2022-2274 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).
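The conditions for CVE-2022-2274 above are specific enough to triage from the
host: the issue exists only in the OpenSSL 3.0.4 release and only on x86_64
CPUs that expose AVX512IFMA. The shell functions below are an added example
for this bulletin, not part of the advisory or of OpenSSL; the sample version
and flags strings are constructed, and check_host assumes a Linux
/proc/cpuinfo and an openssl binary on PATH.

```sh
#!/bin/sh
# Added example (not from the advisory or OpenSSL): triage check for
# CVE-2022-2274. Affected only when the OpenSSL build is exactly 3.0.4 and
# the CPU advertises AVX512IFMA (the "avx512ifma" flag in /proc/cpuinfo).
set -u

# $1: first line of `openssl version` (e.g. "OpenSSL 3.0.4 21 Jun 2022")
# $2: the "flags" line from /proc/cpuinfo
# Returns 0 (affected) or 1 (not affected by this particular issue).
rsa_ifma_affected() {
    ver=$(printf '%s\n' "$1" | awk '$1=="OpenSSL"{print $2}')
    case " $2 " in
        *" avx512ifma "*) has_ifma=1 ;;
        *) has_ifma=0 ;;
    esac
    [ "$ver" = "3.0.4" ] && [ "$has_ifma" = 1 ]
}

# Read the live host values and print a one-line verdict. Assumes a Linux
# /proc/cpuinfo and an openssl binary on PATH.
check_host() {
    vline=$(openssl version 2>/dev/null | head -n 1)
    fline=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null)
    if rsa_ifma_affected "$vline" "$fline"; then
        echo "AFFECTED: $vline with avx512ifma"
    else
        echo "not affected: ${vline:-openssl not found}"
    fi
}
```

Whether a given service actually uses a 2048-bit RSA private key has to be
established separately; the functions only show that the vulnerable code path
is reachable on the host. Note that an OpenSSL embedded in a firmware image,
as on the product in this advisory, will not appear on the host's PATH.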

3.2.20 DOUBLE FREE CWE-415

io_uring uses work_flags to determine which identities it must grab from the
calling process so that an IORING_OP executes with the same credentials as the
caller. Some operations omit required identity types, which leads to incorrect
reference counts and can then lead to a double free. We recommend upgrading the
kernel past commit df3f3bb5059d20ef094d6b2f0256c4bf4127a859.

CVE-2022-2327 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.21 IMPROPER AUTHENTICATION CWE-287

Dm-verity is used for extending root-of-trust to root filesystems. LoadPin
builds on this property to restrict module/firmware loads to just the trusted
root filesystem. Device-mapper table reloads currently allow users with root
privileges to switch out the target with an equivalent dm-linear target and
bypass verification till reboot. This allows root to bypass LoadPin and can be
used to load untrusted and unverified kernel modules and firmware, which
implies arbitrary kernel execution and persistence for peripherals that do not
verify firmware updates. We recommend upgrading past commit
4caae58406f8ceb741603eee460d79bacca9b1b5.

CVE-2022-2503 has been assigned to this vulnerability. A CVSS v3 base score of
6.7 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:H/UI:N
/S:U/C:H/I:H/A:H ).

3.2.22 USE AFTER FREE CWE-416

A use-after-free flaw was found in nf_tables cross-table in the net/netfilter/
nf_tables_api.c function in the Linux kernel. This flaw allows a local,
privileged attacker to cause a use-after-free problem at the time of table
deletion, possibly leading to local privilege escalation.

CVE-2022-2586 has been assigned to this vulnerability. A CVSS v3 base score of
6.7 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:H/UI:N
/S:U/C:H/I:H/A:H ).

3.2.23 IMPROPER INPUT VALIDATION CWE-20

Zhenpeng Lin discovered that the network packet scheduler implementation in the
Linux kernel did not properly remove all references to a route filter before
freeing it in some situations. A local attacker could use this to cause a
denial of service (system crash) or execute arbitrary code.

CVE-2022-2588 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.24 IMPROPER INPUT VALIDATION CWE-20

A flaw was found in the Linux kernel. A race issue occurs between an io_uring
request and the Unix socket garbage collector, allowing a local attacker to
escalate privileges.

CVE-2022-2602 has been assigned to this vulnerability. A CVSS v3 base score of
7.0 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.25 IMPROPER RESTRICTION OF COMMUNICATION CHANNEL TO INTENDED ENDPOINTS
CWE-923

An issue was found in the Linux kernel in nf_conntrack_irc where the message
handling can be confused and incorrectly matches the message. A firewall may be
able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc
configured.

CVE-2022-2663 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:L/A:N ).

3.2.26 OUT-OF-BOUNDS READ CWE-125

An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem
in how a user calls the bpf_tail_call function with a key larger than the
max_entries of the map. This flaw allows a local user to gain unauthorized
access to data.

CVE-2022-2905 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:N/A:N ).

3.2.27 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION
('RACE CONDITION') CWE-362

A race condition was found in the Linux kernel's watch queue due to a missing
lock in pipe_resize_ring(). The specific flaw exists within the handling of
pipe buffers. The issue results from the lack of proper locking when performing
operations on an object. This flaw allows a local user to crash the system or
escalate their privileges on the system.

CVE-2022-2959 has been assigned to this vulnerability. A CVSS v3 base score of
7.0 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.28 USE AFTER FREE CWE-416

A use-after-free flaw was found in the Linux kernel's NILFS file system, in
the way a user triggers the function security_inode_alloc to fail, followed by
a call to the function nilfs_mdt_destroy. A local user could use this flaw to
crash the system or potentially escalate their privileges on the system.

CVE-2022-2978 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.29 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION
('RACE CONDITION') CWE-362

A race condition was found in the Linux kernel's IP framework for transforming
packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred
simultaneously. This flaw could allow a local attacker to potentially trigger
an out-of-bounds write or leak kernel heap memory by performing an
out-of-bounds read and copying it into a socket.

CVE-2022-3028 has been assigned to this vulnerability. A CVSS v3 base score of
7.0 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.30 NULL POINTER DEREFERENCE CWE-476

An issue was discovered in the Linux kernel through 5.16-rc6.
lkdtm_ARRAY_BOUNDS in drivers/misc/lkdtm/bugs.c does not check the return
value of kmalloc(), which can cause a NULL pointer dereference.

CVE-2022-3104 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.31 NULL POINTER DEREFERENCE CWE-476

An issue was discovered in the Linux kernel through 5.16-rc6. malidp_crtc_reset
in drivers/gpu/drm/arm/malidp_crtc.c does not check the return value of
kzalloc(), which can cause a NULL pointer dereference.

CVE-2022-3115 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.32 IMPROPER INPUT VALIDATION CWE-20

A flaw was found in the Linux kernel. A denial of service flaw may occur if
there is a consecutive request of the NVME_IOCTL_RESET and the
NVME_IOCTL_SUBSYS_RESET through the device file of the driver, resulting in a
PCIe link disconnect.

CVE-2022-3169 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.33 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION
('RACE CONDITION') CWE-362

A race condition flaw was found in the Linux kernel sound subsystem due to
improper locking. It could lead to a NULL pointer dereference while handling
the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or member of the audio
group) could use this flaw to crash the system, resulting in a denial of
service condition.

CVE-2022-3303 has been assigned to this vulnerability. A CVSS v3 base score of
4.7 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.34 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION
('RACE CONDITION') CWE-362

A vulnerability has been found in Linux Kernel and classified as problematic.
This vulnerability affects the function kcm_tx_work of the file net/kcm/
kcmsock.c of the component kcm. The manipulation leads to a race condition. It
is recommended to apply a patch to fix this issue. VDB-211018 is the
identifier assigned to this vulnerability.

CVE-2022-3521 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C ).

3.2.35 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404

A vulnerability was found in Linux Kernel. It has been declared as problematic.
Affected by this vulnerability is the function ipv6_renew_options of the
component IPv6 Handler. The manipulation leads to a memory leak. The attack can
be launched remotely. It is recommended to apply a patch to fix this issue. The
identifier VDB-211021 was assigned to this vulnerability.

CVE-2022-3524 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.36 USE AFTER FREE CWE-416

A vulnerability classified as critical has been found in Linux Kernel. Affected
is the function btf_dump_name_dups of the file tools/lib/bpf/btf_dump.c of the
component libbpf. The manipulation leads to a use after free. It is recommended
to apply a patch to fix this issue. The identifier of this vulnerability is
VDB-211032.

CVE-2022-3534 has been assigned to this vulnerability. A CVSS v3 base score of
8.0 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:A/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.37 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER
CWE-119

A vulnerability has been found in Linux Kernel and classified as critical.
Affected by this vulnerability is the function area_cache_get of the file
drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c of the Netronome NFP
Ethernet driver. The manipulation leads to a use after free. It is recommended
to apply a patch to fix this issue. The identifier VDB-211045 was assigned to
this vulnerability.

CVE-2022-3545 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.38 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER
CWE-119

A vulnerability classified as critical was found in Linux Kernel. Affected by
this vulnerability is the function l2cap_reassemble_sdu of the file net/
bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to a
use after free. It is recommended to apply a patch to fix this issue. The
associated identifier of this vulnerability is VDB-211087.

CVE-2022-3564 has been assigned to this vulnerability. A CVSS v3 base score of
7.1 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:A/AC:H/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.39 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER
CWE-119

A vulnerability, which was classified as critical, has been found in Linux
Kernel. Affected by this issue is the use of del_timer in the file drivers/
isdn/mISDN/l1oip_core.c of the component mISDN. The manipulation leads to a
use after free. It is recommended to apply a patch to fix this issue. The
identifier of this vulnerability is VDB-211088.

CVE-2022-3565 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.40 USE AFTER FREE CWE-416

A flaw was found in the Linux kernel's networking code. A use-after-free was
found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb
field after the same SKB had been enqueued (and freed) into a child qdisc. This
flaw allows a local, unprivileged user to crash the system, causing a denial of
service.

CVE-2022-3586 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.41 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404

A vulnerability was found in Linux Kernel. It has been declared as problematic.
Affected by this vulnerability is the function intr_callback of the file
drivers/net/usb/r8152.c of the r8152 USB Ethernet driver. The manipulation
leads to logging of excessive data. The attack can be launched remotely. It is
recommended to apply a patch to fix this issue. The associated identifier of
this vulnerability is VDB-211363.

CVE-2022-3594 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:L ).

3.2.42 NULL POINTER DEREFERENCE CWE-476

A vulnerability was found in Linux Kernel. It has been classified as
problematic. This affects the function find_prog_by_sec_insn of the file tools/
lib/bpf/libbpf.c of the component libbpf. The manipulation leads to a NULL
pointer dereference. It is recommended to apply a patch to fix this issue. The
identifier VDB-211749 was assigned to this vulnerability.

CVE-2022-3606 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.43 NULL POINTER DEREFERENCE CWE-476

A vulnerability was found in Linux Kernel. It has been classified as
problematic. Affected is the function nilfs_bmap_lookup_at_level of the file fs
/nilfs2/inode.c of the component nilfs2. The manipulation leads to a NULL
pointer dereference. It is possible to launch the attack remotely. It is
recommended to apply a patch to fix this issue. The identifier of this
vulnerability is VDB-211920.

CVE-2022-3621 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.44 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER
CWE-119

A vulnerability was found in Linux Kernel. It has been classified as critical.
This affects the functions devlink_param_set/devlink_param_get of the file net/
core/devlink.c of the component devlink. The manipulation leads to a use after
free. It is recommended to apply a patch to fix this issue. The identifier
VDB-211929 was assigned to this vulnerability.

CVE-2022-3625 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.45 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW')
CWE-120

A buffer overflow flaw was found in the Linux kernel Broadcom Full MAC Wi-Fi
driver. This issue occurs when a user connects to a malicious USB device. This
can allow a local user to crash the system or escalate their privileges.

CVE-2022-3628 has been assigned to this vulnerability. A CVSS v3 base score of
6.6 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:P/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.46 MISSING RELEASE OF MEMORY AFTER EFFECTIVE LIFETIME CWE-401

A vulnerability was found in Linux Kernel. It has been declared as problematic.
This vulnerability affects the function vsock_connect of the file net/vmw_vsock
/af_vsock.c. The manipulation leads to a memory leak. It is recommended to
apply a patch to fix this issue. VDB-211930 is the identifier assigned to this
vulnerability.

CVE-2022-3629 has been assigned to this vulnerability. A CVSS v3 base score of
3.3 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:L ).

3.2.47 MISSING RELEASE OF MEMORY AFTER EFFECTIVE LIFETIME CWE-401

A vulnerability classified as problematic has been found in Linux Kernel.
Affected is the function j1939_session_destroy of the file net/can/j1939/
transport.c. The manipulation leads to a memory leak. It is recommended to
apply a patch to fix this issue. The identifier of this vulnerability is
VDB-211932.

CVE-2022-3633 has been assigned to this vulnerability. A CVSS v3 base score of
3.3 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:L ).

3.2.48 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER
CWE-119

A vulnerability, which was classified as critical, has been found in Linux
Kernel. Affected by this issue is the function tst_timer of the file drivers/
atm/idt77252.c of the IDT77252 ATM driver. The manipulation leads to a use
after free. It is recommended to apply a patch to fix this issue. VDB-211934 is
the identifier assigned to this vulnerability.

CVE-2022-3635 has been assigned to this vulnerability. A CVSS v3 base score of
7.0 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.49 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404

A vulnerability, which was classified as problematic, has been found in Linux
Kernel. This issue affects the function nilfs_attach_log_writer of the file fs/
nilfs2/segment.c of the component nilfs2. The manipulation leads to a memory
leak. The attack may be initiated remotely. It is recommended to apply a patch
to fix this issue. The identifier VDB-211961 was assigned to this
vulnerability.

CVE-2022-3646 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:L/UI:N
/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C ).

3.2.50 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER
CWE-119

A vulnerability was found in Linux Kernel. It has been classified as
problematic. Affected is the function nilfs_new_inode of the file fs/nilfs2/
inode.c of the component BPF. The manipulation leads to use after free. It is
possible to launch the attack remotely. It is recommended to apply a patch to
fix this issue. The identifier of this vulnerability is VDB-211992.

CVE-2022-3649 has been assigned to this vulnerability. A CVSS v3 base score of
7.0 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.51 USE AFTER FREE CWE-416

A use-after-free flaw was found in Linux kernel before 5.19.2. This issue
occurs in cmd_hdl_filter in drivers/staging/rtl8712/rtl8712_cmd.c, allowing an
attacker to launch a local denial of service attack and gain escalation of
privileges.

CVE-2022-4095 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.52 IMPROPER LOCKING CWE-667

A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A
missing lock when clearing sk_user_data can lead to a race condition and NULL
pointer dereference. A local user could use this flaw to potentially crash the
system causing a denial of service.

CVE-2022-4129 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.53 MISSING RELEASE OF MEMORY AFTER EFFECTIVE LIFETIME CWE-401

An incorrect TLB flush issue was found in the Linux kernel's GPU i915 kernel
driver, potentially leading to random memory corruption or data leaks. This
flaw could allow a local user to crash the system or escalate their privileges
on the system.

CVE-2022-4139 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.54 INADEQUATE ENCRYPTION STRENGTH CWE-326

A timing based side channel exists in the OpenSSL RSA Decryption implementation
which could be sufficient to recover a plaintext across a network in a
Bleichenbacher style attack. To achieve a successful decryption an attacker
would have to be able to send a very large number of trial messages for
decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,
RSA-OAEP and RSASVE. For example, in a TLS connection, RSA is commonly used by
a client to send an encrypted pre-master secret to the server. An attacker that
had observed a genuine connection between a client and a server could use this
flaw to send trial messages to the server and record the time taken to process
them. After a sufficiently large number of messages the attacker could recover
the pre-master secret used for the original connection and thus be able to
decrypt the application data sent over that connection.

CVE-2022-4304 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:H/A:N ).

3.2.55 DOUBLE FREE CWE-415

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g., "CERTIFICATE"), any header data and the payload data.
If the function succeeds then the "name_out", "header" and "data" arguments are
populated with pointers to buffers containing the relevant decoded data. The
caller is responsible for freeing those buffers. It is possible to construct a
PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex
() will return a failure code but will populate the header argument with a
pointer to a buffer that has already been freed. If the caller also frees this
buffer, then a double free will occur. This will most likely lead to a crash.
This could be exploited by an attacker who has the ability to supply malicious
PEM files for parsing to achieve a denial of service attack. The functions
PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and
therefore these functions are also directly affected. These functions are also
called indirectly by a number of other OpenSSL functions including
PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also
vulnerable. Some OpenSSL internal uses of these functions are not vulnerable
because the caller does not free the header argument if PEM_read_bio_ex()
returns a failure code. These locations include the PEM_read_bio_TYPE()
functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL
asn1parse command line application is also impacted by this issue.

CVE-2022-4450 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.56 NON-EXIT ON FAILED INITIALIZATION CWE-455

An incorrect access control flaw in the Linux kernel USB core subsystem was
found in the way a user attaches a USB device. A local user could use this flaw
to crash the system.

CVE-2022-4662 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.57 USE AFTER FREE CWE-416

In binder_inc_ref_for_node of binder.c, there is a way to corrupt memory due to
a use after free. This could lead to local escalation of privilege with no
additional execution privileges needed. User interaction is not needed for
exploitation. Product: Android. Versions: Android kernel. Android ID:
A-239630375. References: Upstream kernel.

CVE-2022-20421 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.58 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION
('RACE CONDITION') CWE-362

In emulation_proc_handler of armv8_deprecated.c, there is a possible way to
corrupt memory due to a race condition. This could lead to local escalation of
privilege with no additional execution privileges needed. User interaction is
not needed for exploitation. Product: Android. Versions: Android kernel.
Android ID: A-237540956. References: Upstream kernel.

CVE-2022-20422 has been assigned to this vulnerability. A CVSS v3 base score of
7.0 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.59 USE AFTER FREE CWE-416

In l2cap_chan_put of l2cap_core, there is a possible use after free due to
improper locking. This could lead to local escalation of privilege with no
additional execution privileges needed. User interaction is not needed for
exploitation. Product: Android. Versions: Android kernel. Android ID:
A-165329981. References: Upstream kernel.

CVE-2022-20566 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.60 INCORRECT AUTHORIZATION CWE-863

In verity_target of dm-verity-target.c, there is a possible way to modify
read-only files due to a missing permission check. This could lead to local
escalation of privilege with System execution privileges needed. User
interaction is not needed for exploitation. Product: Android. Versions:
Android kernel. Android ID: A-234475629. References: Upstream kernel.

CVE-2022-20572 has been assigned to this vulnerability. A CVSS v3 base score of
6.7 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:H/UI:N
/S:U/C:H/I:H/A:H ).

3.2.61 INCOMPLETE CLEANUP CWE-459

Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors
may allow an authenticated user to potentially enable information disclosure
via local access.

CVE-2022-21123 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:N/A:N ).

3.2.62 INCOMPLETE CLEANUP CWE-459

Incomplete cleanup of microarchitectural fill buffers on some Intel(R)
Processors may allow an authenticated user to potentially enable information
disclosure via local access.

CVE-2022-21125 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:N/A:N ).

3.2.63 INCOMPLETE CLEANUP CWE-459

Incomplete cleanup in specific special register write operations for some
Intel(R) Processors may allow an authenticated user to potentially enable
information disclosure via local access.

CVE-2022-21166 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:N/A:N ).

3.2.64 AUTHENTICATION BYPASS BY PRIMARY WEAKNESS CWE-305

A bug in the IMA subsystem was discovered which would incorrectly allow kexec
to be used when kernel lockdown was enabled.

CVE-2022-21505 has been assigned to this vulnerability. A CVSS v3 base score of
6.7 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:H/UI:N
/S:U/C:H/I:H/A:H ).

3.2.65 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Non-transparent sharing of return predictor targets between contexts in some
Intel(R) Processors may allow an authorized user to potentially enable
information disclosure via local access.

CVE-2022-26373 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:N/A:N ).

3.2.66 USE AFTER FREE CWE-416

net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local
user (able to create user/net namespaces) to escalate privileges to root
because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.

CVE-2022-32250 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.67 OBSERVABLE DISCREPANCY CWE-203

The Linux kernel before 5.17.9 allows TCP servers to identify clients by
observing what source ports are used. This occurs because of use of Algorithm 4
("Double-Hash Port Selection Algorithm") of RFC 6056.

CVE-2022-32296 has been assigned to this vulnerability. A CVSS v3 base score of
3.3 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:L/I:N/A:N ).

3.2.68 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE ('TYPE CONFUSION') CWE-843

An issue was discovered in the Linux kernel through 5.18.9. A type confusion
bug in nft_set_elem_init (leading to a buffer overflow) could be used by a
local attacker to escalate privileges, a different vulnerability than
CVE-2022-32250. (The attacker can obtain root access but must start with an
unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed
in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.

CVE-2022-34918 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.69 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

The Linux kernel before 5.18.13 lacks a certain clear operation for the block
starting symbol (.bss). This allows Xen PV guest OS users to cause a denial of
service or gain privileges.

CVE-2022-36123 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.70 OUT-OF-BOUNDS WRITE CWE-787

An out-of-bounds (OOB) memory access vulnerability was found in the vmwgfx
driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in the GPU component in the Linux
kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a
local attacker with a user account on the system to gain privilege, causing a
denial of service (DoS).

CVE-2022-36280 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.71 IMPROPER INPUT VALIDATION CWE-20

An issue was discovered in the Linux kernel through 5.18.14.
xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be
dropped twice.

CVE-2022-36879 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.72 IMPROPER INPUT VALIDATION CWE-20

nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through
5.18.14 allows remote attackers to cause a denial of service (panic) because,
in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an
skb_pull can encounter a negative skb->len.

CVE-2022-36946 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.73 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION
('RACE CONDITION') CWE-362

An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before
5.19. Because of a race condition (unmap_mapping_range versus munmap), a device
driver can free a page while it still has stale TLB entries. This only occurs
in situations with VM_PFNMAP VMAs.

CVE-2022-39188 has been assigned to this vulnerability. A CVSS v3 base score of
4.7 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.74 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

An issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel
before 5.19.6. A denial of service can occur upon binding to an already bound
chain.

CVE-2022-39190 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.75 USE AFTER FREE CWE-416

An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/
efi/capsule-loader.c has a race condition with a resultant use-after-free.

CVE-2022-40307 has been assigned to this vulnerability. A CVSS v3 base score of
4.7 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.76 EXPOSURE OF RESOURCE TO WRONG SPHERE CWE-668

drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to
obtain sensitive information from kernel memory because stex_queuecommand_lck
lacks a memset for the PASSTHRU_CMD case.

CVE-2022-40768 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:N/A:N ).

3.2.77 USE AFTER FREE CWE-416

In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there
is a use-after-free caused by refcount races, affecting dvb_demux_open and
dvb_dmxdev_release.

CVE-2022-41218 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.78 USE AFTER FREE CWE-416

mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale
TLB because an rmap lock is not held during a PUD move.

CVE-2022-41222 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:A/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:H/E:P/RL:O/RC:C ).

3.2.79 OUT-OF-BOUNDS WRITE CWE-787

An issue was discovered in the Linux kernel before 5.19.16. Attackers able to
inject WLAN frames could cause a buffer overflow in the
ieee80211_bss_info_update function in net/mac80211/scan.c.

CVE-2022-41674 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:A/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:H ).

3.2.80 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION
('RACE CONDITION') CWE-362

drivers/video/fbdev/smscufx.c in the Linux kernel through 5.19.12 has a race
condition and resultant use-after-free if a physically proximate attacker
removes a USB device while calling open(), aka a race condition between
ufx_ops_open and ufx_usb_disconnect.

CVE-2022-41849 has been assigned to this vulnerability. A CVSS v3 base score of
4.2 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:P/AC:H/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.81 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION
('RACE CONDITION') CWE-362

Users can trigger deadlock in Linux netback driver. [This CNA information
record relates to multiple CVEs; the text explains which aspects/
vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced
another issue which might result in a deadlock when trying to free the SKB of a
packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally, when
dropping packets for other reasons the same deadlock could occur in case of
netpoll being active for the interface the xen-netback driver is connected to
(CVE-2022-42329).

CVE-2022-41850 has been assigned to this vulnerability. A CVSS v3 base score of
4.7 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.82 IMPROPER LOCKING CWE-667

Guests can trigger deadlock in Linux netback driver. [This CNA information
record relates to multiple CVEs; the text explains which aspects/
vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced
another issue which might result in a deadlock when trying to free the SKB of a
packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally, when
dropping packets for other reasons the same deadlock could occur in case of
netpoll being active for the interface the xen-netback driver is connected to
(CVE-2022-42329).

CVE-2022-42328 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.83 IMPROPER LOCKING CWE-667

Guests can trigger deadlock in Linux netback driver. The patch for XSA-392
introduced another issue which might result in a deadlock when trying to free
the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328).
Additionally, when dropping packets for other reasons the same deadlock could
occur in case of netpoll being active for the interface the xen-netback driver
is connected to (CVE-2022-42329).

CVE-2022-42329 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.84 USE OF UNINITIALIZED VARIABLE CWE-457

This vulnerability allows local attackers to disclose sensitive information on
affected installations of the Linux Kernel 6.0-rc2. An attacker must first
obtain the ability to execute high-privileged code on the target system in
order to exploit this vulnerability. The specific flaw exists within the
nft_osf_eval function. The issue results from the lack of proper initialization
of memory prior to accessing it. An attacker can leverage this in conjunction
with other vulnerabilities to execute arbitrary code in the context of the
kernel. Was ZDI-CAN-18540.

CVE-2022-42432 has been assigned to this vulnerability. A CVSS v3 base score of
4.4 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:H/UI:N
/S:U/C:H/I:N/A:N ).

3.2.85 USE AFTER FREE CWE-416

mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to
leaf anon_vma double reuse.

CVE-2022-42703 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.86 USE AFTER FREE CWE-416

A use-after-free in the mac80211 stack when parsing a multi-BSSID element in
the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers
(able to inject WLAN frames) to crash the kernel and potentially execute code.

CVE-2022-42719 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:A/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.87 USE AFTER FREE CWE-416

Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the
Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers
(able to inject WLAN frames) to trigger use-after-free conditions to
potentially execute code.

CVE-2022-42720 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.88 LOOP WITH UNREACHABLE EXIT CONDITION ('INFINITE LOOP') CWE-835

A list management bug in BSS handling in the mac80211 stack in the Linux kernel
5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to
inject WLAN frames) to corrupt a linked list and, in turn, potentially execute
code.

CVE-2022-42721 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.89 NULL POINTER DEREFERENCE CWE-476

There is an infoleak vulnerability in the Linux kernel's net/bluetooth/
l2cap_core.c's l2cap_parse_conf_req function, which can be used to leak kernel
pointers remotely. We recommend upgrading past commit https://github.com/
torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e.

CVE-2022-42722 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.90 ACCESS OF UNINITIALIZED POINTER CWE-824

There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/
l2cap_core.c's l2cap_connect and l2cap_le_connect_req functions, which may
allow code execution and leaking kernel memory (respectively) remotely via
Bluetooth. A remote attacker could execute code leaking kernel memory via
Bluetooth if within proximity of the victim. We recommend upgrading past commit
https://github.com/torvalds/linux/commit/
711f8c3fb3db61897080468586b970c87c61d9e4.

CVE-2022-42895 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:A/AC:L/PR:N/UI:N
/S:U/C:H/I:N/A:N ).

3.2.91 USE AFTER FREE CWE-416

There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/
l2cap_core.c's l2cap_connect and l2cap_le_connect_req functions which may allow
code execution and leaking kernel memory (respectively) remotely via Bluetooth.
A remote attacker could execute code leaking kernel memory via Bluetooth if
within proximity of the victim. We recommend upgrading past commit
https://github.com/torvalds/linux/commit/
711f8c3fb3db61897080468586b970c87c61d9e4.

CVE-2022-42896 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:A/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H ).

3.2.92 OUT-OF-BOUNDS WRITE CWE-787

drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 and 6.x
before 6.0.1 allows a user-space client to corrupt the monitor's internal
memory.

CVE-2022-43750 has been assigned to this vulnerability. A CVSS v3 base score of
6.7 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:H/UI:N
/S:U/C:H/I:H/A:H ).

3.2.93 OUT-OF-BOUNDS WRITE CWE-787

An issue was discovered in the Linux kernel before 6.0.11. Missing validation
of the number of channels in drivers/net/wireless/microchip/wilc1000/cfg80211.c
in the WILC1000 wireless driver can trigger a heap-based buffer overflow when
copying the list of operating channels from Wi-Fi management frames.

CVE-2022-47518 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.94 OUT-OF-BOUNDS READ CWE-125

An issue was discovered in the Linux kernel before 6.0.11. Missing offset
validation in drivers/net/wireless/microchip/wilc1000/hif.c in the WILC1000
wireless driver can trigger an out-of-bounds read when parsing a Robust
Security Network (RSN) information element from a Netlink packet.

CVE-2022-47520 has been assigned to this vulnerability. A CVSS v3 base score of
7.1 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:N/A:H ).

3.2.95 NULL POINTER DEREFERENCE CWE-476

In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic
control subsystem allows an unprivileged user to trigger a denial of service
(system crash) via a crafted traffic control configuration that is set up with
"tc qdisc" and "tc class" commands. This affects qdisc_graft in net/sched/
sch_api.c.

CVE-2022-47929 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.96 USE AFTER FREE CWE-416

An issue was discovered in the Linux kernel 5.10.x before 5.10.155. A
use-after-free in io_sqpoll_wait_sq in fs/io_uring.c allows an attacker to
crash the kernel, resulting in denial of service. finish_wait can be skipped.
An attack can occur in some situations by forking a process and then quickly
terminating it. NOTE: later kernel versions, such as the 5.15 longterm series,
substantially changed the implementation of io_sqpoll_wait_sq.

CVE-2022-47946 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.97 USE AFTER FREE CWE-416

The public API function BIO_new_NDEF is a helper function used for streaming
ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the
SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by
end user applications. The function receives a BIO from the caller, prepends a
new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then
returns the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO is
freed, and the function returns a NULL result indicating a failure. However, in
this case, the BIO chain is not properly cleaned up and the BIO passed by the
caller still retains internal pointers to the previously freed filter BIO. If
the caller then goes on to call BIO_pop() on the BIO then a use-after-free will
occur. This will most likely result in a crash. This scenario occurs directly
in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be
called and will subsequently call BIO_pop() on the BIO. This internal function
is in turn called by the public API functions PEM_write_bio_ASN1_stream,
PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1,
SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be
impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7,
i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command
line applications are similarly affected.

CVE-2023-0215 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.98 IMPROPER INPUT VALIDATION CWE-20

There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but
the public structure definition for GENERAL_NAME incorrectly specified the type
of the x400Address field as ASN1_TYPE. This field is subsequently interpreted
by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an
ASN1_STRING. When CRL checking is enabled (i.e., the application sets the
X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass
arbitrary pointers to a memcmp call, enabling them to read memory contents or
enact a denial of service. In most cases, the attack requires the attacker to
provide both the certificate chain and CRL, neither of which need to have a
valid signature. If the attacker only controls one of these inputs, the other
input must already contain an X.400 address as a CRL distribution point, which
is uncommon. As such, this vulnerability is most likely to only affect
applications which have implemented their own functionality for retrieving CRLs
over a network.

CVE-2023-0286 has been assigned to this vulnerability. A CVSS v3 base score of
7.4 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:H/PR:N/UI:N
/S:U/C:H/I:N/A:H ).

3.2.99 IMPROPER CERTIFICATE VALIDATION CWE-295

A security vulnerability has been identified in all supported versions of
OpenSSL related to the verification of X.509 certificate chains that include
policy constraints. Attackers may be able to exploit this vulnerability by
creating a malicious certificate chain that triggers exponential use of
computational resources, leading to a denial-of-service (DoS) attack on
affected systems. Policy processing is disabled by default but can be enabled
by passing the `-policy' argument to the command line utilities or by calling
the `X509_VERIFY_PARAM_set1_policies()' function.

CVE-2023-0464 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H ).

3.2.100 IMPROPER CERTIFICATE VALIDATION CWE-295

Applications that use a non-default option when verifying certificates may be
vulnerable to an attack from a malicious CA to circumvent certain checks.
Invalid certificate policies in leaf certificates are silently ignored by
OpenSSL and other certificate policy checks are skipped for that certificate. A
malicious CA could use this to deliberately assert invalid certificate policies
in order to circumvent policy checking on the certificate altogether. Policy
processing is disabled by default but can be enabled by passing the `-policy'
argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.

CVE-2023-0465 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:L/A:N ).

3.2.101 IMPROPER CERTIFICATE VALIDATION CWE-295

The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable
the certificate policy check when doing certificate verification. However the
implementation of the function does not enable the check which allows
certificates with invalid or incorrect policies to pass the certificate
verification. As suddenly enabling the policy check could break existing
deployments it was decided to keep the existing behavior of the
X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require
OpenSSL to perform certificate policy check need to use
X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by
calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag
argument. Certificate policy checks are disabled by default in OpenSSL and are
not commonly used by applications.

CVE-2023-0466 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:L/A:N ).

3.2.102 USE AFTER FREE CWE-416

A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the
Linux Kernel due to a race problem. This flaw leads to a denial of service
issue. If the patch ebda44da44f6 ("net: sched: fix race condition in
qdisc_graft()") has not been applied, the kernel could be affected.

CVE-2023-0590 has been assigned to this vulnerability. A CVSS v3 base score of
4.7 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:H/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.103 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE ('TYPE CONFUSION') CWE-843

In the Linux kernel, pick_next_rt_entity() may return a type confused entry,
not detected by the BUG_ON condition, as the confused entry will not be NULL,
but a list_head. The buggy error condition would lead to a type confused entry
with the list head, which would then be used as a type confused
sched_rt_entity, causing memory corruption.

CVE-2023-1077 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.104 NULL POINTER DEREFERENCE CWE-476

In nf_tables_updtable, if nf_tables_table_enable returns an error,
nft_trans_destroy is called to free the transaction object. nft_trans_destroy()
calls list_del(), but the transaction was never placed on a list: the list
head is all zeroes, so this results in a NULL pointer dereference.

CVE-2023-1095 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.105 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE ('TYPE CONFUSION') CWE-843

cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows
attackers to cause a denial of service (slab-out-of-bounds read) because of
type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT
condition rather than valid classification results).

CVE-2023-23454 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.106 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE ('TYPE CONFUSION') CWE-843

atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows
attackers to cause a denial of service because of type confusion (non-negative
numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid
classification results).

CVE-2023-23455 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:N/I:N/A:H ).

3.2.107 INTEGER OVERFLOW OR WRAPAROUND CWE-190

In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel
through 6.1.5, there is an integer overflow in an addition.

CVE-2023-23559 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:H/A:H ).

3.2.108 OUT-OF-BOUNDS READ CWE-125

In the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in
fs/ntfs/attrib.c.

CVE-2023-26607 has been assigned to this vulnerability. A CVSS v3 base score of
7.1 has been assigned. The CVSS vector string is ( CVSS:3.1/AV:L/AC:L/PR:L/UI:N
/S:U/C:H/I:N/A:H ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Multiple
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Munich, Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce risk:

  o SIMATIC S7-1500 TM MFP - Linux Kernel: Only build and run applications from
    trusted sources. Currently no patch is available.

As a general security measure, Siemens strongly recommends protecting network
access to devices with appropriate mechanisms. In order to operate the devices
in a protected IT environment, Siemens recommends configuring the environment
according to Siemens' operational guidelines for Industrial Security and
following the recommendations in the product manuals. Additional information on
Industrial Security by Siemens can be found at:
https://www.siemens.com/industrialsecurity

For further inquiries on security vulnerabilities in Siemens products and
solutions, please contact the Siemens ProductCERT:
https://www.siemens.com/cert/advisories

As a general security measure, Siemens recommends protecting network access to
devices with appropriate mechanisms. To operate the devices in a protected IT
environment, Siemens recommends configuring the environment according to
Siemens' operational guidelines for industrial security and following
recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the
Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-794697 in
HTML and CSAF.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.

CISA also recommends users take the following measures to protect themselves
from social engineering attacks:

  o Do not click web links or open attachments in unsolicited email messages.
  o Refer to Recognizing and Avoiding Email Scams for more information on
    avoiding email scams.
  o Refer to Avoiding Social Engineering and Phishing Attacks for more
    information on social engineering attacks.

No known public exploits specifically target these vulnerabilities.

This product is provided subject to this Notification and this Privacy & Use
policy.

Vendor

Siemens

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZJTw7ckNZI30y1K9AQjmyA//aYSLgDdtFrJHxaXCMgSa4kA71+/OLOAb
LTxbCasLIqoR5GLaUwUwcNj+JeBYtkqQd72an8UwMT0SecZHREpbaUcvF5mRAdtK
UFIvvZS7Ylf4cIQTqwe147CA651VFYaWbpsriimyn36JMuU1OQeoMJJiF1kFrNbk
CNugqo6WNONNSgYpdjGZ77CqmJv94UlFqA+4yT5xTj2CWr9SGylzQHdTqPi6m2eb
W14W9wC2oFesIdsKaNf8ETNIAs0yHbq/JVJEgyGJnb+OcHOjEHMqN3cmxdKzQ7n/
4HuJi5uZWEiJZ0+nIMZWwD28IAP2PeoCSaiIQwnhpQ1lOAun8VOmDSXlB4wkL6Ev
tZaDq58Zz0tnb5dhN+tNQjVQCxvKFwYeKXA0EzDlXnL4ngRlcosPRxQG6w54r4lz
UyJTDFw8fk+UEMMneHMCbGpGw1P708KDTlIu+hXPh66jeZOz0iaKKGU9MgDflvyX
kBnA2lnX1EmaLZazLCro5pUY0MccaqgAUFVaFHwza4hSQbGZtd2U1MRVu5hN7r2t
IDui5/auJeCoKJ/B9fdS9jDqPrJszKOUl1vfY20YO2dvaYZ3DaoDLBxEuuKN/8t3
NC7ryU8PM4ZVt3o85SmwtIjXlwp8OcuprcKg55HtvxnT3tDr4jCU7NSupx8i4Xiw
CFaqKN4oCFY=
=FWtq
-----END PGP SIGNATURE-----