CVSS: 5.9EPSS: 69%CPEs: 79EXPL: 3CVE-2023-48795 – ssh: Prefix truncation attack on Binary Packet Protocol (BPP)
https://notcve.org/view.php?id=CVE-2023-48795
18 Dec 2023 — The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phas... • https://packetstorm.news/files/id/176280 • CWE-222: Truncation of Security-relevant Information CWE-354: Improper Validation of Integrity Check Value •
CVSS: 7.8EPSS: 0%CPEs: 23EXPL: 0CVE-2023-6534 – TCP spoofing vulnerability in pf(4)
https://notcve.org/view.php?id=CVE-2023-6534
13 Dec 2023 — In versions of FreeBSD 14.0-RELEASE before 14-RELEASE-p2, FreeBSD 13.2-RELEASE before 13.2-RELEASE-p7 and FreeBSD 12.4-RELEASE before 12.4-RELEASE-p9, the pf(4) packet filter incorrectly validates TCP sequence numbers. This could allow a malicious actor to execute a denial-of-service attack against hosts behind the firewall. En las versiones de FreeBSD 14.0-RELEASE anteriores a 14-RELEASE-p2, FreeBSD 13.2-RELEASE anteriores a 13.2-RELEASE-p7 y FreeBSD 12.4-RELEASE anteriores a 12.4-RELEASE-p9, el filtro de ... • https://security.freebsd.org/advisories/FreeBSD-SA-23:17.pf.asc •
CVSS: 10.0EPSS: 1%CPEs: 16EXPL: 0CVE-2023-5941 – libc stdio buffer overflow
https://notcve.org/view.php?id=CVE-2023-5941
08 Nov 2023 — In versions of FreeBSD 12.4-RELEASE prior to 12.4-RELEASE-p7 and FreeBSD 13.2-RELEASE prior to 13.2-RELEASE-p5 the __sflush() stdio function in libc does not correctly update FILE objects' write space members for write-buffered streams when the write(2) system call returns an error. Depending on the nature of an application that calls libc's stdio functions and the presence of errors returned from the write(2) system call (or an overridden stdio write routine) a heap buffer overflow may occur. Such overflow... • https://security.freebsd.org/advisories/FreeBSD-SA-23:15.stdio.asc • CWE-131: Incorrect Calculation of Buffer Size CWE-787: Out-of-bounds Write •
CVSS: 6.8EPSS: 0%CPEs: 12EXPL: 0CVE-2023-5368 – msdosfs data disclosure
https://notcve.org/view.php?id=CVE-2023-5368
04 Oct 2023 — On an msdosfs filesystem, the 'truncate' or 'ftruncate' system calls under certain circumstances populate the additional space in the file with unallocated data from the underlying disk device, rather than zero bytes. This may permit a user with write access to files on a msdosfs filesystem to read unintended data (e.g. from a previously deleted file). En un sistema de archivos msdosfs, las llamadas al sistema 'truncate' o 'ftruncate' bajo ciertas circunstancias llenan el espacio adicional en el archivo con... • https://dfir.ru/2023/11/01/bringing-unallocated-data-back-the-fat12-16-32-case • CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 7.8EPSS: 0%CPEs: 12EXPL: 0CVE-2023-4809 – pf incorrectly handles multiple IPv6 fragment headers
https://notcve.org/view.php?id=CVE-2023-4809
06 Sep 2023 — In pf packet processing with a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed. That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a packet with multiple IPv6 fragment headers would unexpectedly be interpreted as a fragmented packet, rather than as whatever the real payload is. As a result, IPv6 fragments may bypass pf firewall rules written on th... • http://www.openwall.com/lists/oss-security/2023/09/08/5 • CWE-167: Improper Handling of Additional Special Element •
CVSS: 7.8EPSS: 0%CPEs: 21EXPL: 0CVE-2023-3107 – Remote denial of service in IPv6 fragment reassembly
https://notcve.org/view.php?id=CVE-2023-3107
01 Aug 2023 — A set of carefully crafted ipv6 packets can trigger an integer overflow in the calculation of a fragment reassembled packet's payload length field. This allows an attacker to trigger a kernel panic, resulting in a denial of service. Un conjunto de paquetes ipv6 cuidadosamente diseñados puede desencadenar un desbordamiento de enteros en el cálculo del campo de longitud de la carga útil de un paquete reensamblado por fragmentos. Esto permite a un atacante desencadenar un kernel panic, resultando en una denega... • https://security.FreeBSD.org/advisories/FreeBSD-SA-23:06.ipv6.asc • CWE-190: Integer Overflow or Wraparound •
CVSS: 10.0EPSS: 0%CPEs: 19EXPL: 0CVE-2023-3326 – Network authentication attack via pam_krb5
https://notcve.org/view.php?id=CVE-2023-3326
22 Jun 2023 — pam_krb5 authenticates a user by essentially running kinit with the password, getting a ticket-granting ticket (tgt) from the Kerberos KDC (Key Distribution Center) over the network, as a way to verify the password. However, if a keytab is not provisioned on the system, pam_krb5 has no way to validate the response from the KDC, and essentially trusts the tgt provided over the network as being valid. In a non-default FreeBSD installation that leverages pam_krb5 for authentication and does not have a keytab p... • https://security.FreeBSD.org/advisories/FreeBSD-SA-23:04.pam_krb5.asc • CWE-287: Improper Authentication CWE-303: Incorrect Implementation of Authentication Algorithm •
CVSS: 6.8EPSS: 0%CPEs: 18EXPL: 0CVE-2023-0751 – GELI silently omits the keyfile if read from stdin
https://notcve.org/view.php?id=CVE-2023-0751
08 Feb 2023 — When GELI reads a key file from standard input, it does not reuse the key file to initialize multiple providers at once resulting in the second and subsequent devices silently using a NULL key as the user key file. If a user only uses a key file without a user passphrase, the master key is encrypted with an empty key file allowing trivial recovery of the master key. • https://security.FreeBSD.org/advisories/FreeBSD-SA-23:01.geli.asc • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 30EXPL: 0CVE-2021-29632
https://notcve.org/view.php?id=CVE-2021-29632
18 Jan 2022 — In FreeBSD 13.0-STABLE before n247428-9352de39c3dc, 12.2-STABLE before r370674, 13.0-RELEASE before p6, and 12.2-RELEASE before p12, certain conditions involving use of the highlight buffer while text is scrolling on the console, console data may overwrite data structures associated with the system console or other kernel memory. En FreeBSD versión 13.0-STABLE anteriores a n247428-9352de39c3dc, 12.2-STABLE anteriores a r370674, 13.0-RELEASE anteriores a p6 y 12.2-RELEASE anteriores a p12, en determinadas co... • https://security.freebsd.org/advisories/FreeBSD-SA-22:01.vt.asc •
CVSS: 8.1EPSS: 1%CPEs: 29EXPL: 0CVE-2021-29630
https://notcve.org/view.php?id=CVE-2021-29630
30 Aug 2021 — In FreeBSD 13.0-STABLE before n246938-0729ba2f49c9, 12.2-STABLE before r370383, 11.4-STABLE before r370381, 13.0-RELEASE before p4, 12.2-RELEASE before p10, and 11.4-RELEASE before p13, the ggatec daemon does not validate the size of a response before writing it to a fixed-sized buffer allowing a malicious attacker in a privileged network position to overwrite the stack of ggatec and potentially execute arbitrary code. En FreeBSD versiones 13.0-STABLE anteriores a n246938-0729ba2f49c9, 12.2-STABLE anteriore... • https://security.FreeBSD.org/advisories/FreeBSD-SA-21:14.ggatec.asc • CWE-787: Out-of-bounds Write •