CVE-2020-14483

A timeout during a TLS handshake can result in the connection failing to terminate. This can result in a Niagara thread hanging and requires a manual restart of Niagara Versions 4.6.96.28, 4.7.109.20, 4.7.110.32, 4.8.0.110 and Niagara Enterprise Security Versions 2.4.31, 2.4.45, 4.8.0.35 to corre...

CVE-2020-14483

CVE-2020-14483 describes a timeout during a TLS handshake that can prevent termination of the connection, causing a Niagara thread hang and necessitating a manual restart. Affected products are Tridium Niagara and Niagara Enterprise Security, specifically: Niagara 4.6.96.28, 4.7.109.20, 4.7.110.3...

SUSE-SU-2020:2233-1 Security update for libvirt

This update for libvirt fixes the following issues: - CVE-2020-14339: Don't leak /dev/mapper/control into QEMU. Use ioctl's to obtain the dependency tree of disks and drop use of libdevmapper. - bsc1161883, bsc1174458 - qemu: Setup emulator thread and cpuset.mems before exec - bsc1171946 - libxl:...

FreeBSD : trafficserver -- resource consumption (6fd773d3-bc5a-11ea-b38d-f0def1d0c3ea)

Bryan Call reports : ATS is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from the FreeBSD VuXML databa...

Operation on a Resource after Expiration or Release in Jetty Server

In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this doub...

[SECURITY] Fedora 31 Update: nspr-4.26.0-1.fc31

NSPR provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing and calendar time, basic memory management malloc and free and shared library linking...

CVE-2019-10580

When kernel thread unregistered listener, Use after free issue happened as the listener clients private data has been already freed in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in...

Design/Logic Flaw

When kernel thread unregistered listener, Use after free issue happened as the listener clients private data has been already freed in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in...

CVE-2019-10580

CVE-2019-10580 describes a local use-after-free in the Qualcomm Snapdragon kernel: when a listener is unregistered, the listener’s private data may already have been freed. Affected are Snapdragon Auto/Compute/Consumer IOT/Industrial IOT/Mobile/Voice & Music/Wearables platforms (listed in the des...

CVE-2019-10580

When kernel thread unregistered listener, Use after free issue happened as the listener clients private data has been already freed in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in...

xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source

In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this...

OSV-2020-1030 Heap-buffer-overflow in ih264d_compute_bs_non_mbaff_thread

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16505 Crash type: Heap-buffer-overflow READ 8 Crash state: ih264dcomputebsnonmbaffthread ih264drecondeblkslice ih264drecondeblkthread...

Faxhell - A Bind Shell Using The Fax Service And A DLL Hijack

A Proof-of-Concept bind shell using the Fax service and a DLL hijack based on Ualapi.dll. See our writeup at: https://windows-internals.com/faxing-your-way-to-system/ How to use Build Ualapi.dll and place in c:\windows\system32 Start the Fax service, which will load the DLL and call the export...

Threat Source newsletter for July 2, 2020

Newsletter compiled by Jon Munshaw. Good afternoon, Talos readers. Our latest research you should catch up on is the Valak malware. This information-stealer sneaks its way onto victim machines by hijacking legitimate email threads. The threat actors send their phishing emails and attachments in...

OSV-2020-369 UNKNOWN READ in ot::TimerScheduler::Remove

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13383 Crash type: UNKNOWN READ Crash state: ot::TimerScheduler::Remove ot::Mle::Mle::Stop otThreadSetEnabled...

DEBIAN-CVE-2020-9494

Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread...

trafficserver -- resource consumption

Bryan Call reports: ATS is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread...

SUSE-SU-2020:1659-1 Security update for guile

This update for guile fixes the following issues: - CVE-2016-8605: Fixed thread-unsafe umask modification bsc1004221...

FF Sandbox Escape (CVE-2020-12388)

By James Forshaw, Project Zero In my previous blog post I discussed an issue with the Windows Kernel’s handling of Restricted Tokens which allowed me to escape the Chrome GPU sandbox. Originally I’d planned to use Firefox for the proof-of-concept as Firefox uses the same effective sandbox level a...

CVE-2020-0232

Function abcpcieissuedmaxfersync creates a transfer object, adds it to the session object then continues to work with it. A concurrent thread could retrieve created transfer object from the session object and delete it using abcpciedmauserxferclean. If this happens, abcpciestartdmaxfer and...