CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5370 – arm64 boot CPUs may lack speculative execution protections
https://notcve.org/view.php?id=CVE-2023-5370
On CPU 0 the check for the SMCCC workaround is called before SMCCC support has been initialized. This resulted in no speculative execution workarounds being installed on CPU 0. En la CPU 0, se llama a la verificación del workaround de SMCCC antes de que se haya inicializado el soporte de SMCCC. Esto resultó en que no se instalaran workarounds de ejecución especulativa en la CPU 0. • https://security.FreeBSD.org/advisories/FreeBSD-SA-23:14.smccc.asc https://security.netapp.com/advisory/ntap-20231124-0005 • CWE-665: Improper Initialization •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5369 – copy_file_range insufficient capability rights check
https://notcve.org/view.php?id=CVE-2023-5369
Before correction, the copy_file_range system call checked only for the CAP_READ and CAP_WRITE capabilities on the input and output file descriptors, respectively. Using an offset is logically equivalent to seeking, and the system call must additionally require the CAP_SEEK capability. This incorrect privilege check enabled sandboxed processes with only read or write but no seek capability on a file descriptor to read data from or write data to an arbitrary location within the file corresponding to that file descriptor. Antes de la corrección, la llamada al sistema copy_file_range verificó solo las capabilities CAP_READ y CAP_WRITE en los descriptores de archivos de entrada y salida, respectivamente. Usar un desplazamiento es lógicamente equivalente a buscar, y la llamada al sistema debe requerir adicionalmente la capability CAP_SEEK. Esta verificación de privilegios incorrecta permitió que los procesos aislados con solo lectura o escritura pero sin capacidad de búsqueda en un descriptor de archivo leyeran o escribieran datos en una ubicación arbitraria dentro del archivo correspondiente a ese descriptor de archivo. • https://security.FreeBSD.org/advisories/FreeBSD-SA-23:13.capsicum.asc https://security.netapp.com/advisory/ntap-20231124-0009 • CWE-273: Improper Check for Dropped Privileges •
CVSS: 6.5EPSS: 0%CPEs: 12EXPL: 0CVE-2023-5368 – msdosfs data disclosure
https://notcve.org/view.php?id=CVE-2023-5368
On an msdosfs filesystem, the 'truncate' or 'ftruncate' system calls under certain circumstances populate the additional space in the file with unallocated data from the underlying disk device, rather than zero bytes. This may permit a user with write access to files on a msdosfs filesystem to read unintended data (e.g. from a previously deleted file). En un sistema de archivos msdosfs, las llamadas al sistema 'truncate' o 'ftruncate' bajo ciertas circunstancias llenan el espacio adicional en el archivo con datos no asignados del dispositivo de disco subyacente, en lugar de cero bytes. Esto puede permitir que un usuario con acceso de escritura a archivos en un sistema de archivos msdosfs lea datos no deseados (por ejemplo, de un archivo previamente eliminado). • https://dfir.ru/2023/11/01/bringing-unallocated-data-back-the-fat12-16-32-case https://security.FreeBSD.org/advisories/FreeBSD-SA-23:12.msdosfs.asc https://security.netapp.com/advisory/ntap-20231124-0004 • CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0CVE-2023-4809 – pf incorrectly handles multiple IPv6 fragment headers
https://notcve.org/view.php?id=CVE-2023-4809
In pf packet processing with a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed. That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a packet with multiple IPv6 fragment headers would unexpectedly be interpreted as a fragmented packet, rather than as whatever the real payload is. As a result, IPv6 fragments may bypass pf firewall rules written on the assumption all fragments have been reassembled and, as a result, be forwarded or processed by the host. En el procesamiento de paquetes pf con una regla 'scrub fragment reassemble', un paquete que contenga múltiples encabezados de fragmentos IPv6 se reensamblaría y luego se procesaría inmediatamente. Es decir, un paquete con múltiples encabezados de extensión de fragmentos no sería reconocido como el payload final correcto. • http://www.openwall.com/lists/oss-security/2023/09/08/5 http://www.openwall.com/lists/oss-security/2023/09/08/6 http://www.openwall.com/lists/oss-security/2023/09/08/7 https://security.FreeBSD.org/advisories/FreeBSD-SA-23:10.pf.asc https://security.netapp.com/advisory/ntap-20231221-0009 • CWE-167: Improper Handling of Additional Special Element •
CVSS: 8.8EPSS: 0%CPEs: 14EXPL: 0CVE-2023-3494 – bhyve privileged guest escape via fwctl
https://notcve.org/view.php?id=CVE-2023-3494
The fwctl driver implements a state machine which is executed when a bhyve guest accesses certain x86 I/O ports. The interface lets the guest copy a string into a buffer resident in the bhyve process' memory. A bug in the state machine implementation can result in a buffer overflowing when copying this string. Malicious, privileged software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root, mitigated by the capabilities assigned through the Capsicum sandbox available to the bhyve process. • https://security.FreeBSD.org/advisories/FreeBSD-SA-23:07.bhyve.asc https://security.netapp.com/advisory/ntap-20230831-0006 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •