SamPirok
Community Manager

Our deepest apologies for the lack of content on this board so far this year. There was a bug preventing us from posting on this board, but that has now been fixed. Please find the SAs that have come out so far this year in this article, and we will return to our usual format of one post per SA moving forward. Thank you very much for your patience during this time. 

SA-2024-001 - Terrapin attack via SSH (CVE-2023-48795)
The SSH transport protocol with certain OpenSSH extensions allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack.

 

SA-2024-002 - OpenSSH ssh-add (CVE-2023-28531)

ssh-add in OpenSSH adds smartcard keys to ssh-agent without the intended per-hop destination constraints.

 

SA-2024-003 - OpenSSH command injection (CVE-2023-51385)

In ssh in OpenSSH, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations.

 

SA-2024-004 - Row hammer attacks (multiple CVEs)

Row hammer has been demonstrated to perform a wide variety of attacks on systems by modifying vulnerable areas of DRAM using aggressive memory operations to alter adjacent DRAM states. Carefully crafted code that targets specific memory locations is required to conduct an exploit.

 

SA-2024-005 - OpenSSL RSA Key Denial of Service (CVE-2023-6237)

A flaw was found in OpenSSL. When the EVP_PKEY_public_check() function is called on RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes, and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack.

 

SA-2024-006 - OpenSSL PKCS12 file crash (CVE-2024-0727)

A flaw found when processing a maliciously formatted PKCS12 file may cause OpenSSL to crash, resulting in a potential Denial of Service attack.

 

SA-2024-007 - Samba password lockout race condition (CVE-2021-20251)

A flaw was found in Samba that may allow a race condition in the password lockout code, which may lead to the risk of brute force attacks being successful if special conditions are met.

 

SA-2024-008 - Windows Kerberos RC4-HMAC Elevation of Privilege (CVE-2022-37966)

In Windows Kerberos, an unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in a Windows AD environment.

 

SA-2024-009 - Samba AD RC4-HMAC Elevation of Privilege (CVE-2022-45141)

The Windows Kerberos RC4-HMAC Elevation of Privilege vulnerability assumes that RC4-HMAC is weak and vulnerable. Samba Active Directory DCs will issue RC4-HMAC encrypted tickets despite the target server supporting better encryption.

 

SA-2024-010 - libcurl HTTP/2 trailer out-of-bounds read (CVE-2018-1000005)

libcurl contains an out-of-bounds read in code handling HTTP/2 trailers, potentially causing future trailers to be messed up due to a stored size being one byte less than required. This could lead to a crash or large data being passed to client write, potentially causing denial-of-service or information disclosure.

 

SA-2024-011 - libcurl HTTP authentication leak (CVE-2018-1000007)

It was found that curl and libcurl might send their Authentication header to a third party HTTP server upon receiving an HTTP REDIRECT reply. This could leak an authentication token to external entities.

 

SA-2024-012 - Debug Information Disclosure in Kubernetes (CVE-2019-11248)

The debugging endpoint /debug/pprof (the Go pprof endpoint) is exposed over the unauthenticated Kubelet healthz port. This debugging endpoint can potentially leak sensitive information, such as internal Kubelet memory addresses and configuration, or cause limited denial of service.

 

SA-2024-013 - OpenSSH Username Enumeration Bailout Delay (CVE-2018-15473)

OpenSSH is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

 

SA-2024-014 - OpenSSH GSS2 Username Enumeration (CVE-2018-15919)

Remotely observable behaviour in auth-gss2.c in OpenSSH could be used by remote attackers to detect the existence of users on a target system when GSS2 is in use.

 

SA-2024-015 - OpenSSH scp Command Injection (CVE-2020-15778)

scp in OpenSSH allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument.

 

SA-2024-016 - Linux use-after-free Race Condition (CVE-2023-51781)

A use-after-free flaw was found in the Linux kernel's atalk_ioctl in net/appletalk/ddp.c, due to a race condition in atalk_recvmsg. This flaw allows an attacker to possibly gain unauthorized access, escalate privileges, or cause the system to crash.

 

SA-2024-017 - GnuTLS Rejects Certificate Chain (CVE-2024-0567)

A vulnerability was found in GnuTLS, where cockpit (which uses GnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.

 

SA-2024-019 - less LESSCLOSE shell_quote vulnerability (CVE-2022-48624)

Some versions of less omit shell_quote calls in LESSCLOSE, which can lead to an injection vulnerability and arbitrary command execution.

 

SA-2024-020 - Postfix SMTP smuggling (CVE-2023-51764)

A flaw was found in some SMTP server configurations in Postfix that allows a remote attacker to break out email message data to "smuggle" SMTP commands and send spoofed emails.

 

SA-2024-021 - libxml2 vulnerability (CVE-2024-25062)

Some versions of libxml2 may be vulnerable when DTD validation and XInclude expansion are enabled, which could result in a use-after-free.

 

SA-2024-022 - libuv hostname truncation (CVE-2024-24806)

libuv incorrectly truncated certain hostnames, which could be exploited by carefully crafted hostnames to bypass certain checks.

 

SA-2024-023 - UDP network loop (CVE-2024-2169)

An unauthenticated attacker can use maliciously-crafted packets against a UDP-based vulnerable implementation of application protocols (e.g., DNS, NTP, TFTP) that can lead to Denial-of-Service (DoS) and/or abuse of resources.

 

SA-2024-024 - Niagara uncontrolled resource consumption (CVE-2024-1309)

Uncontrolled Resource Consumption vulnerability in Niagara Framework on Windows, Linux, and QNX allows Content Spoofing.

 

SA-2024-025 - NTP denial of service (CVE-2009-3563)

ntp_request.c in ntpd in NTP allows remote attackers to cause a denial of service by using MODE_PRIVATE to send a spoofed request or response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons.

 

SA-2024-026 - Linux Kernel Race Condition (CVE-2023-2006)

A race condition was found in the Linux kernel's RxRPC network protocol, within the processing of RxRPC bundles. This issue results from the lack of proper locking when performing operations on an object. This may allow an attacker to escalate privileges and execute arbitrary code in the context of the kernel.

 

SA-2024-027 - Linux use-after-free in Netfilter nf_tables (CVE-2023-32233)

In the Linux kernel, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled.

 

SA-2024-028 - Apache OFBiz Pre-authentication RCE (CVE-2023-51467)

The vulnerability allows attackers to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF).

 

SA-2024-029 - xz malicious code (CVE-2024-3094)

Some upstream versions of xz were found to contain malicious code. Using complex obfuscations, the liblzma build process could be forced to extract a prebuilt object file that could modify specific functions in the liblzma code, leading to an sshd backdoor.

 

SA-2024-030 - OpenSSL DH check function (CVE-2023-3446)

The DH_check() function in OpenSSL can cause slow performance when checking long DH keys or parameters. This can lead to a Denial of Service attack if the keys or parameters are obtained from an untrusted source. The function checks various aspects of the supplied key or parameters, potentially using the supplied modulus value even if it's too large. Other OpenSSL functions, such as DH_check_ex() and EVP_PKEY_param_check(), may also be affected.

 

SA-2024-031 - OpenSSH Destination Constraints of Private Keys (CVE-2023-51384)

In ssh-agent in OpenSSH, certain destination constraints can be incompletely applied. When destination constraints are specified during the addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys.

 

SA-2024-032 - AES-SIV Cipher (CVE-2023-2975)

The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries, which are unauthenticated as a consequence. Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be misled by removing, adding, or reordering such empty entries, as these are ignored by the OpenSSL implementation.

 

SA-2024-033 - jQuery remote XSS attack (CVE-2014-6071)

jQuery allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to the use of the text method inside after.

 

SA-2024-034 - Logjam DHE Export (CVE-2015-4000)

In the TLS protocol, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, it does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.

 

SA-2024-035 - Linux kernel netfilter use-after-free (CVE-2024-1086)

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop errors within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error that resembles NF_ACCEPT.

 

SA-2024-036 - AsyncSSH Rogue Extension Negotiation (CVE-2023-46445)

An issue in AsyncSSH allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack, aka "Rogue Extension Negotiation."

 

SA-2024-037 - AsyncSSH Rogue Session Attack (CVE-2023-46446)

An issue in AsyncSSH allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka "Rogue Session Attack."

 

SA-2024-038 - Apache Tomcat HTTP Request Smuggling (CVE-2020-1935)

In Apache Tomcat, the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

 

SA-2024-039 - Apache JServ Protocol DoS (CVE-2020-1938)

Apache Tomcat is susceptible to a vulnerability that, when successfully exploited, could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

 

SA-2024-040 - HTTP2 CONTINUATION Frames OOM crash (CVE-2024-2653)

Early versions of amphp/http-client with HTTP/2 support will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash.

 

SA-2024-041 - Unbounded memory growth TLS (CVE-2024-2511)

An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service. This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used but not if early_data support is also configured and the default anti-replay protection is in use.

 

SA-2024-042 - EXOS Privilege Escalation via Python MMI (CVE-2024-27453)

A vulnerability was discovered in EXOS that enables an attacker to use a crafted request to the Machine-to-Machine Interface (MMI) Python method in order to escalate privileges from the read-only user account to root.

 

SA-2024-043 - unixODBC Out of Bounds Stack Write Flaw (CVE-2024-1013)

An out-of-bounds stack write flaw was found in unixODBC on 64-bit architectures where the caller has 4 bytes and callee writes 8 bytes. This issue may go unnoticed on little-endian architectures, while big-endian architectures can be broken.

 

SA-2024-044 - nghttp2 Reading Unbounded Number of CONTINUATION Frames (CVE-2024-28182)

The nghttp2 library keeps reading an unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset, in order to keep the HPACK context in sync. This causes excessive CPU usage to decode the HPACK stream.

 

SA-2024-045 - zlib heap-based buffer over-read (CVE-2022-37434)

zlib has a heap-based buffer over-read or buffer overflow in inflate.c via a large gzip header extra field.

 

SA-2024-046 - Pygments Parse Programming Language DoS (CVE-2021-27291)

In pygments, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

 

SA-2024-047 - Pygments Infinite Loop in SMLLexer (CVE-2021-20270)

An infinite loop in SMLLexer in Pygments may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

 

SA-2024-048 - HTTP2 Resource Loops Vulnerability (CVE-2019-9513)

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.

 

SA-2024-049 - HTTP2 Window Size Manipulation (CVE-2019-9511)

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

 

SA-2024-050 - cURL Heap Buffer Overflow (CVE-2019-5482)

cURL contains a heap buffer overflow in its TFTP protocol handler.

 

Please let me know if we can clarify anything from these SAs; and again, thank you so much for your patience while we resolved the bug on this page. 
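For SA-2024-003 (CVE-2023-51385), the following is an added example, not code from the post or from OpenSSH. It shows the unsafe shape (literal %h/%r/%p substitution into a ProxyCommand string that is then handed to `sh -c`) next to a validator modelled on the approach of the OpenSSH 9.6 fix, which refuses to expand user and host names that carry shell metacharacters. The helper names, the allowlist regex and the metacharacter set are this example's own assumptions, not OpenSSH's exact code.

```python
"""Added example for CVE-2023-51385: ProxyCommand expansion tokens and
shell metacharacters in user/host names.  Nothing here executes a shell;
it only builds and checks the strings that would reach `sh -c`."""
import re
import shlex

# Assumption (example policy, not OpenSSH's exact rule): host names may use
# letters, digits, '.', '-', '_' and, for IPv6 literals, ':' '[' ']'.
_HOST_RE = re.compile(r"^[A-Za-z0-9._:\-\[\]]+$")
# Shell metacharacters that must never reach `sh -c` unquoted.
_SHELL_META = frozenset("'`\";&<>|(){}$\\*?!~\n\t ")


def expand_proxy_command(template, host, user, port):
    """The vulnerable shape: plain substitution, no validation or quoting."""
    return (template.replace("%h", host)
                    .replace("%r", user)
                    .replace("%p", str(port)))


def valid_hostname(host):
    # A leading '-' lets a "host" be parsed as an option (-oProxyCommand=...).
    if not host or host.startswith("-"):
        return False
    return _HOST_RE.fullmatch(host) is not None


def valid_username(user):
    if not user or user.startswith("-"):
        return False
    return not any(c in _SHELL_META for c in user)


def safe_expand_proxy_command(template, host, user, port):
    """Refuse names that could change the meaning of the shell command,
    then quote the survivors anyway so a looser allowlist later stays safe."""
    if not valid_hostname(host):
        raise ValueError(f"refusing to expand unsafe hostname: {host!r}")
    if not valid_username(user):
        raise ValueError(f"refusing to expand unsafe user name: {user!r}")
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError(f"bad port: {port!r}")
    return (template.replace("%h", shlex.quote(host))
                    .replace("%r", shlex.quote(user))
                    .replace("%p", str(port)))


if __name__ == "__main__":
    tmpl = "ssh -W %h:%p -l %r jump.example.net"
    # Constructed: the kind of host name an untrusted repository URL
    # (e.g. a git submodule) could feed into `ssh`.
    evil_host = "`id > /tmp/owned`"
    print("vulnerable:", expand_proxy_command(tmpl, evil_host, "git", 22))
    try:
        safe_expand_proxy_command(tmpl, evil_host, "git", 22)
    except ValueError as err:
        print("hardened:", err)
```

The practical check for an operator is whether `ssh -V` reports 9.6 or later; the validator above is only useful in tooling that composes `ssh` invocations from names it did not choose (CI runners, git wrappers, deployment scripts).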
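For SA-2024-020 (CVE-2023-51764), the following is an added example, not code from the post or from Postfix. It contrasts a strict RFC 5321 end-of-data scanner (the terminator is exactly `<CR><LF>.<CR><LF>`) with a lenient one that also accepts an LF-delimited lone dot, and shows how the lenient receiver turns the tail of one message into a second, spoofed SMTP transaction. The SMTP bytes are constructed for the example; the assumption that the lenient side accepts any LF-delimited dot is the example's simplification of the permissive parsing that smuggling relies on.

```python
"""Added example for CVE-2023-51764 (SMTP smuggling)."""
import re

STRICT_EOD = b"\r\n.\r\n"                 # RFC 5321 end-of-data
# Assumption: a lenient receiver ends DATA at any LF-delimited lone dot.
LENIENT_EOD = re.compile(rb"\r?\n\.\r?\n")
BARE_LF = re.compile(rb"(?<!\r)\n")       # LF not preceded by CR

# Constructed traffic as sent by an attacker through an outbound relay that
# forwards it verbatim.  The "\n.\r\n" after "body" is the smuggling point.
SMUGGLING_SAMPLE = (
    b"Subject: hi\r\n"
    b"\r\n"
    b"body\n.\r\n"
    b"MAIL FROM:<attacker@example.com>\r\n"
    b"RCPT TO:<victim@example.com>\r\n"
    b"DATA\r\n"
    b"spoofed\r\n"
    b".\r\n"
)


def split_data_strict(stream):
    """(message, remainder) using only the RFC terminator."""
    idx = stream.find(STRICT_EOD)
    if idx < 0:
        return None, stream                      # DATA not complete yet
    return stream[:idx], stream[idx + len(STRICT_EOD):]


def split_data_lenient(stream):
    """(message, remainder) as a permissive receiver would see it."""
    m = LENIENT_EOD.search(stream)
    if m is None:
        return None, stream
    return stream[:m.start()], stream[m.end():]


def has_bare_newline(data):
    """True if the message body contains a bare LF; a strict server can
    reject such input so the two sides never disagree about line ends."""
    return BARE_LF.search(data) is not None


def smuggled_commands(remainder):
    """SMTP verbs a lenient server would execute from the leftover bytes,
    up to the DATA that opens the spoofed message."""
    verbs = []
    for line in remainder.split(b"\r\n"):
        if not line:
            continue
        verb = line.split(b":")[0].split(b" ")[0].upper()
        verbs.append(verb)
        if verb == b"DATA":
            break
    return verbs


if __name__ == "__main__":
    msg, rest = split_data_strict(SMUGGLING_SAMPLE)
    print("strict  : one message, leftover =", rest)
    msg, rest = split_data_lenient(SMUGGLING_SAMPLE)
    print("lenient : message ends at", msg[-4:], "then runs", smuggled_commands(rest))
    print("bare LF present:", has_bare_newline(SMUGGLING_SAMPLE))
```

The strict scanner sees a single message whose body happens to contain the text "MAIL FROM:..."; the lenient one terminates early and then processes a second transaction with an attacker-chosen envelope sender. The fixed Postfix releases expose this as the `smtpd_forbid_bare_newline` setting, which is the bare-LF check above applied at the server.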
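For SA-2024-011 (CVE-2018-1000007), the following is an added example, not code from the post or from curl. It is a small redirect follower that drops the Authorization header whenever a redirect leaves the origin it was meant for, which is the behaviour curl adopted in its fix. curl's check is on the host name; this example also treats a scheme or port change as a new origin, a deliberately stricter design choice. The response table and URLs are constructed for the example.

```python
"""Added example for CVE-2018-1000007: credentials must not follow a
redirect to another origin."""
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials bound to the original origin.
SENSITIVE = frozenset({"authorization"})
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def origin(url):
    """(scheme, host, port) with default ports filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or {"http": 80, "https": 443}.get(scheme)
    return scheme, (p.hostname or "").lower(), port


def headers_for_redirect(current_url, location, headers):
    """Resolve Location against the current URL and return the target plus
    the headers that are safe to send there."""
    target = urljoin(current_url, location)
    kept = dict(headers)
    if origin(target) != origin(current_url):
        for name in list(kept):
            if name.lower() in SENSITIVE:
                del kept[name]
    return target, kept


def follow(start_url, headers, responses, max_hops=5):
    """Walk a table of constructed responses {url: (status, headers)} and
    return [(url, headers_sent)] for every hop."""
    url, hdrs, trace = start_url, dict(headers), []
    for _ in range(max_hops + 1):
        status, resp_headers = responses[url]
        trace.append((url, dict(hdrs)))
        if status not in REDIRECT_STATUSES:
            return trace
        url, hdrs = headers_for_redirect(url, resp_headers["Location"], hdrs)
    raise RuntimeError("too many redirects")


# Constructed: same-origin hop, then a hop to a third-party host.
RESPONSES = {
    "https://api.example.com/v1/report":
        (302, {"Location": "/v1/report-archive"}),
    "https://api.example.com/v1/report-archive":
        (307, {"Location": "https://cdn.third-party.example/r.bin"}),
    "https://cdn.third-party.example/r.bin":
        (200, {}),
}

if __name__ == "__main__":
    for url, sent in follow("https://api.example.com/v1/report",
                            {"Authorization": "Bearer s3cret",
                             "Accept": "*/*"}, RESPONSES):
        print(url, "->", sorted(sent))
```

The same rule is what `--location-trusted` in curl deliberately switches off, so a script that uses that flag with a bearer token is opting back into the leak described above.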
