1288H V5; 2288H V5 Security Vulnerabilities

M-02 - Malicious users can set their hooks to contracts that will always revert, causing Claimers to get their tx to claim the user's prizes to be reverted

Lines of code Vulnerability details Title M-02 - Malicious users can set their hooks to contracts that will always revert, causing Claimers to get their tx to claim the user's prizes to be reverted Original Issue M-02 - Unintended or Malicious Use of Prize Winners' Hooks Details The previous...

Mageia: Security Advisory (MGASA-2023-0250)

The remote host is missing an update for...

Updated kernel-linus packages fix security vulnerabilities

This kerne-linusl update is based on upstream 5.15.126 and fixes or adds mitigations for atleast the following security issues: Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated.....

Updated kernel packages fix security vulnerabilities

This kernel update is based on upstream 5.15.126 and fixes or adds mitigations for atleast the following security issues: Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user...

Agile Approach to Mass Cloud Credential Harvesting and Crypto Mining Sprints Ahead

Developers are not the only people who have adopted the agile methodology for their development processes. From 2023-06-15 to 2023-07-11, Permiso Security's p0 Labs team identified and tracked an attacker developing and deploying eight (8) incremental iterations of their credential harvesting...

H-08 MitigationConfirmed

Lines of code https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/main/src/PrizePool.sol#L314-L318 Vulnerability details Original Issue H-08 - Increasing reserves breaks PrizePool accounting Details The previous implementation to increase reserves in the PrizePool contract didn't take into....

Vault will stop participating in draws in case if they deposited maximum assets to the underlying vault

Lines of code Vulnerability details Impact Vault will stop participating in draws in case if they deposited maximum assets to the underlying vault. Proof of Concept Vault contract has maxMint function. This function first checks allowed amount to mint in the PtVault and then also checks amount...

M-10 Unmitigated

Lines of code Vulnerability details Issue not mitigated About the problem There was unsafe cast in the _getTier function and warden has stated, that in case if value will be bigger than uint96.max, then wrong prize amount will be used. Solution Pool together has increased Tier.prizeSize variable...

H-09 Unmitigated

Lines of code Vulnerability details Issue not mitigated About the problem In the report i have described some vaults that will not work in the designed system. Example of such vault will be any vault that has withdraw limit. In this case _yieldVault.maxWithdraw call will not return actual amount...

H-05 Unmitigated

Lines of code Vulnerability details Issue not mitigated About the problem sponsor function allows caller to delegate his shares to the special address. In this case caller losses ability to win prizes. Previous version of code had sponsor function, which allowed to deposit funds on behalf of owner....

CVE-2023-39745

TP-Link TL-WR940N V2, TP-Link TL-WR941ND V5 and TP-Link TL-WR841N V8 were discovered to contain a buffer overflow via the component /userRpm/AccessCtrlAccessRulesRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET...

CVE-2023-39747

TP-Link WR841N V8, TP-Link TL-WR940N V2, and TL-WR941ND V5 were discovered to contain a buffer overflow via the radiusSecret parameter at...

Buffer overflow

TP-Link TL-WR940N V2, TP-Link TL-WR941ND V5 and TP-Link TL-WR841N V8 were discovered to contain a buffer overflow via the component /userRpm/AccessCtrlAccessRulesRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET...

Buffer overflow

TP-Link WR841N V8, TP-Link TL-WR940N V2, and TL-WR941ND V5 were discovered to contain a buffer overflow via the radiusSecret parameter at...

CVE-2023-39745

TP-Link TL-WR940N V2, TP-Link TL-WR941ND V5 and TP-Link TL-WR841N V8 were discovered to contain a buffer overflow via the component /userRpm/AccessCtrlAccessRulesRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET...

Auctions run at significantly different speeds for different prize tiers

Lines of code https://github.com/GenerationSoftware/pt-v5-claimer/blob/main/src/Claimer.sol#L136 https://github.com/GenerationSoftware/pt-v5-claimer/blob/main/src/Claimer.sol#L262-L264 https://github.com/GenerationSoftware/pt-v5-claimer/blob/main/src/Claimer.sol#L223-L250...

M-02 Unmitigated

Lines of code https://github.com/GenerationSoftware/pt-v5-claimer/blob/main/src/Claimer.sol#L163 Vulnerability details Comments In the previous implementation a malicious user could set arbitrary vault hooks for afterClaimPrize and beforeClaimPrize that could be used to gas grief the claimer or...

CVE-2023-39747

TP-Link WR841N V8, TP-Link TL-WR940N V2, and TL-WR941ND V5 were discovered to contain a buffer overflow via the radiusSecret parameter at...

Malicious code in python-cos-sdk-v5 (PyPI)

-= Per source details. Do not edit below this line.=- Source: checkmarx (9d23946b30370561c42df798c468626c8ec508cdf6f0fc22cc34bb67f2fa187e) Malicious Typosquatting packages campaign targeting developers, steals cloud service credentials Source: google-open-source-security...

Network Mirroring in Siemens RUGGEDCOM

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services |.....

​Resource Allocation in Siemens RUGGEDCOM

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services |.....

[SECURITY] Fedora 38 Update: krb5-1.21-3.fc38

Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of sending passwords over the network in unencrypted...

Fedora: Security Advisory for krb5 (FEDORA-2023-ca086f015c)

The remote host is missing an update for...

VMware vRealize Log Insight Unauthenticated RCE

VMware vRealize Log Insights versions v8.x contains multiple vulnerabilities, such as directory traversal, broken access control, deserialization, and information disclosure. When chained together, these vulnerabilities allow a remote, unauthenticated attacker to execute arbitrary commands on the.....

CVE-2023-39269

A vulnerability has been identified in RUGGEDCOM i800, RUGGEDCOM i800NC, RUGGEDCOM i801, RUGGEDCOM i801NC, RUGGEDCOM i802, RUGGEDCOM i802NC, RUGGEDCOM i803, RUGGEDCOM i803NC, RUGGEDCOM M2100, RUGGEDCOM M2100F, RUGGEDCOM M2100NC, RUGGEDCOM M2200, RUGGEDCOM M2200F, RUGGEDCOM M2200NC, RUGGEDCOM M969,....

CVE-2023-24845

A vulnerability has been identified in RUGGEDCOM i800, RUGGEDCOM i800NC, RUGGEDCOM i801, RUGGEDCOM i801NC, RUGGEDCOM i802, RUGGEDCOM i802NC, RUGGEDCOM i803, RUGGEDCOM i803NC, RUGGEDCOM M2100, RUGGEDCOM M2100F, RUGGEDCOM M2100NC, RUGGEDCOM M2200, RUGGEDCOM M2200F, RUGGEDCOM M2200NC, RUGGEDCOM M969,....

Design/Logic Flaw

A vulnerability has been identified in RUGGEDCOM i800, RUGGEDCOM i800NC, RUGGEDCOM i801, RUGGEDCOM i801NC, RUGGEDCOM i802, RUGGEDCOM i802NC, RUGGEDCOM i803, RUGGEDCOM i803NC, RUGGEDCOM M2100, RUGGEDCOM M2100F, RUGGEDCOM M2100NC, RUGGEDCOM M2200, RUGGEDCOM M2200F, RUGGEDCOM M2200NC, RUGGEDCOM M969,....

Design/Logic Flaw

A vulnerability has been identified in RUGGEDCOM i800, RUGGEDCOM i800NC, RUGGEDCOM i801, RUGGEDCOM i801NC, RUGGEDCOM i802, RUGGEDCOM i802NC, RUGGEDCOM i803, RUGGEDCOM i803NC, RUGGEDCOM M2100, RUGGEDCOM M2100F, RUGGEDCOM M2100NC, RUGGEDCOM M2200, RUGGEDCOM M2200F, RUGGEDCOM M2200NC, RUGGEDCOM M969,....

CVE-2023-39269

A vulnerability has been identified in RUGGEDCOM i800, RUGGEDCOM i800NC, RUGGEDCOM i801, RUGGEDCOM i801NC, RUGGEDCOM i802, RUGGEDCOM i802NC, RUGGEDCOM i803, RUGGEDCOM i803NC, RUGGEDCOM M2100, RUGGEDCOM M2100F, RUGGEDCOM M2100NC, RUGGEDCOM M2200, RUGGEDCOM M2200F, RUGGEDCOM M2200NC, RUGGEDCOM M969,....

CVE-2023-24845

A vulnerability has been identified in RUGGEDCOM i800, RUGGEDCOM i800NC, RUGGEDCOM i801, RUGGEDCOM i801NC, RUGGEDCOM i802, RUGGEDCOM i802NC, RUGGEDCOM i803, RUGGEDCOM i803NC, RUGGEDCOM M2100, RUGGEDCOM M2100F, RUGGEDCOM M2100NC, RUGGEDCOM M2200, RUGGEDCOM M2200F, RUGGEDCOM M2200NC, RUGGEDCOM M969,....

Code leaks are causing an influx of new ransomware actors

Ransomware gangs are consistently rebranding or merging with other groups, as highlighted in our 2022 Year in Review, or these actors work for multiple ransomware-as-a-service (RaaS) outfits at a time, and new groups are always emerging. This trend is already continuing this year. Since 2021,...

New threat actor targets Bulgaria, China, Vietnam and other countries with customized Yashma ransomware

Cisco Talos discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that began at least as early as June 4, 2023. This ongoing attack uses a variant of the Yashma ransomware likely to target multiple geographic areas by mimicking WannaCry...

VaultBooster liquidations can revert due to discrepancy in liquidatable balance value

Lines of code https://github.com/GenerationSoftware/pt-v5-vault-boost/blob/9d640051ab61a0fdbcc9500814b7f8242db9aec2/src/VaultBooster.sol#L201-L203 https://github.com/GenerationSoftware/pt-v5-vault-boost/blob/9d640051ab61a0fdbcc9500814b7f8242db9aec2/src/VaultBooster.sol#L249-L257...

Wrong Type for Time Related Variable

Lines of code https://github.com/GenerationSoftware/pt-v5-cgda-liquidator/blob/7f95bcacd4a566c2becb98d55c1886cadbaa8897/src/LiquidationPair.sol#L340 Vulnerability details Impact uint8, uint16 was used as Type to declare Time Related Variable in the LiquidationPair.sol contract, this totally wrong.....

swapExactAmountOut() no deadline protection

Lines of code Vulnerability details Impact no deadline protection , users may suffer losses Proof of Concept LiquidationRouter.swapExactAmountOut() use for swap tokens. However, currently only _amountInMax slippage protection is provided, and not deadline protection like the common AMMS...

_computeRewardFraction logic looks susceptible to manipulation around the edges.

Lines of code Vulnerability details Impact if __auctionElapsedTime is 0, it returns the full reward fraction Proof of Concept The RewardLib.fractionalReward calculates the reward fraction linearly based on the elapsed time. When __auctionElapsedTime is 0, fractionalReward will return 1 (full...

Risk of silent overflow in rngComplete rewards cast

Lines of code Vulnerability details Impact The rngComplete function uses the rewards function from the RewardLib library to calculates the rewards that should be given, the _rewards returned by the rewards function are of type uint256 but before proceeding to the reward transfer (the call to...

Integer underflow/overflow is possible in some of the timestamp calculations if sequenceOffset or auctionDuration are set maliciously

Lines of code Vulnerability details Impact An attacker could exploit this to make _auctionElapsedTime return a low value when it should be high, thereby manipulating the reward calculation. Proof of Concept The vulnerability comes from the subtraction (currentTime - sequenceOffset) which could...

Potential Near-Zero Scenarios for purchasePrice in the Continuous Gradual Dutch Auction

Lines of code https://github.com/GenerationSoftware/pt-v5-cgda-liquidator/blob/7f95bcacd4a566c2becb98d55c1886cadbaa8897/src/LiquidationPair.sol#L294-L319...

An attacker could manipulate the _rngAuctionResult to unfairly distribute more rewards to themselves

Lines of code Vulnerability details Impact When the rewards are calculated using _computeRewards(), the attacker's inflated rewardFraction will be used, giving them a bigger share Proof of Concept The _rngAuctionResult passed to rngComplete() is stored directly into the auctionResults array...

The system is subjected to Cross-Contract Reentrancy due to Insufficient validation for tokens, source and liquidity Pairs

Lines of code Vulnerability details Impact A malicious actor can gain control of the liquidation process which can manipulate the POOL token price Proof of Concept Almost all the pieces of the protocol are open to everyone with no guard, and that can cause a serious problem. consider the following....

REENTRANCY

Lines of code https://github.com/GenerationSoftware/remote-owner/blob/285749ab51e98afc8ebb4e4049a4348d669a3e9d/src/RemoteOwner.sol#L63-L75 https://github.com/GenerationSoftware/pt-v5-vault-boost/blob/9d640051ab61a0fdbcc9500814b7f8242db9aec2/src/VaultBooster.sol#L171-L176...

_computeAvailable() the calculations are wrong

Lines of code Vulnerability details Impact _computeAvailable() incorrect calculations that result in a return value greater than the current balance, causing methods such as liquidate to fail Proof of Concept VaultBooster._computeAvailable() used to count the number of tokens currently available...

Only a relayer should call rngComplete function in RngRelayAuction.sol contract.

Lines of code Vulnerability details Impact An arbitrary user can set a wining number and set a _rewardRecipient to take the rewards Proof of Concept The contract RngRelayAuction is setting a rngAuctionRelayer in the constructor. file: pt-v5-draw-auction/src/RngRelayAuction.sol /// @notice The...

Unchecked Call Return Value

Lines of code https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngAuctionRelayerDirect.sol#L39 Vulnerability details Impact The functions do not check the return value of low-level calls. This can lock Ether in the contract if the call...

The RngRelayAuction::rngComplete() function can be called by anyone (malicious actor) causing that the draw will be closed using a malicious random number

Lines of code https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngRelayAuction.sol#L154 https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngRelayAuction.sol#L170 Vulnerability...

Closing the draw will be compromised if the recipient reward is address(0)

Lines of code https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngAuction.sol#L170 https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngAuctionRelayerDirect.sol#L36...

integer underflow vulnerability in the _fractionalReward() function

Lines of code Vulnerability details Impact It could cause an integer underflow when calculating the reward fraction, resulting in the attacker getting more rewards than intended. True or false, explain in details, show relevant code and explain proof of co Proof of Concept The...

The absence of proper Access Control in RngRelayAuction::rngComplete() enables anyone to prematurely conclude the Auction Process.

Lines of code Vulnerability details Explanation For the DrawAuction to be successfully completed, a specific sequence of actions must be followed, and each step holds significance. This demands a carefully designed execution flow that considers both the procedure's requirements and the authorized.....

rngComplete() function is vulnerable to an array out of bounds error

Lines of code Vulnerability details Impact A malicious actor can manipulate the AuctionResult[] passed to RewardLib.rewards() to make it return a short _rewards array Proof of Concept The issue is that there is no check that i stays within the bounds of _rewards. If _rewards is shorter than...