CVSS: 8.1EPSS: 0%CPEs: 54EXPL: 44CVE-2024-6387 – Openssh: regresshion - race condition in ssh allows rce/dos
https://notcve.org/view.php?id=CVE-2024-6387
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. Se encontró una condición de ejecución del controlador de señales en el servidor de OpenSSH (sshd), donde un cliente no se autentica dentro de los segundos de LoginGraceTime (120 de forma predeterminada, 600 en versiones anteriores de OpenSSH), luego se llama al controlador SIGALRM de sshd de forma asincrónica. Sin embargo, este controlador de señales llama a varias funciones que no son seguras para señales asíncronas, por ejemplo, syslog(). • https://github.com/l0n3m4n/CVE-2024-6387 https://github.com/thegenetic/CVE-2024-6387-exploit https://github.com/d0rb/CVE-2024-6387 https://github.com/devarshishimpi/CVE-2024-6387-Check https://github.com/AiGptCode/ssh_exploiter_CVE-2024-6387 https://github.com/Symbolexe/CVE-2024-6387 https://github.com/xonoxitron/regreSSHion https://github.com/PrincipalAnthony/CVE-2024-6387-Updated-x64bit https://github.com/4lxprime/regreSSHive https://github.com/shamo0/CVE-2024-6387_PoC https:&# • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-364: Signal Handler Race Condition •
CVSS: 6.5EPSS: 0%CPEs: 14EXPL: 0CVE-2023-6660 – NFS client data corruption and kernel memory disclosure
https://notcve.org/view.php?id=CVE-2023-6660
When a program running on an affected system appends data to a file via an NFS client mount, the bug can cause the NFS client to fail to copy in the data to be written but proceed as though the copy operation had succeeded. This means that the data to be written is instead replaced with whatever data had been in the packet buffer previously. Thus, an unprivileged user with access to an affected system may abuse the bug to trigger disclosure of sensitive information. In particular, the leak is limited to data previously stored in mbufs, which are used for network transmission and reception, and for certain types of inter-process communication. The bug can also be triggered unintentionally by system applications, in which case the data written by the application to an NFS mount may be corrupted. Corrupted data is written over the network to the NFS server, and thus also susceptible to being snooped by other hosts on the network. Note that the bug exists only in the NFS client; the version and implementation of the server has no effect on whether a given system is affected by the problem. • https://security.freebsd.org/advisories/FreeBSD-SA-23:18.nfsclient.asc https://security.netapp.com/advisory/ntap-20240322-0002 •
CVSS: 7.5EPSS: 0%CPEs: 23EXPL: 0CVE-2023-6534 – TCP spoofing vulnerability in pf(4)
https://notcve.org/view.php?id=CVE-2023-6534
In versions of FreeBSD 14.0-RELEASE before 14-RELEASE-p2, FreeBSD 13.2-RELEASE before 13.2-RELEASE-p7 and FreeBSD 12.4-RELEASE before 12.4-RELEASE-p9, the pf(4) packet filter incorrectly validates TCP sequence numbers. This could allow a malicious actor to execute a denial-of-service attack against hosts behind the firewall. En las versiones de FreeBSD 14.0-RELEASE anteriores a 14-RELEASE-p2, FreeBSD 13.2-RELEASE anteriores a 13.2-RELEASE-p7 y FreeBSD 12.4-RELEASE anteriores a 12.4-RELEASE-p9, el filtro de paquetes pf(4) valida incorrectamente los números de secuencia TCP. Esto podría permitir que un actor malintencionado ejecute un ataque de denegación de servicio contra hosts detrás del firewall. • https://security.freebsd.org/advisories/FreeBSD-SA-23:17.pf.asc https://security.netapp.com/advisory/ntap-20240112-0007 •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2023-5978 – Incorrect libcap_net limitation list manipulation
https://notcve.org/view.php?id=CVE-2023-5978
In versions of FreeBSD 13-RELEASE before 13-RELEASE-p5, under certain circumstances the cap_net libcasper(3) service incorrectly validates that updated constraints are strictly subsets of the active constraints. When only a list of resolvable domain names was specified without setting any other limitations, an application could submit a new list of domains including include entries not previously listed. This could permit the application to resolve domain names that were previously restricted. En las versiones 13-RELEASE anteriores a 13-RELEASE-p5 de FreeBSD, bajo ciertas circunstancias el servicio cap_net libcasper(3) valida incorrectamente que las restricciones actualizadas son estrictamente subconjuntos de las restricciones activas. Cuando solo se especificaba una lista de nombres de dominio resolubles sin establecer otras limitaciones, una aplicación podía enviar una nueva lista de dominios que incluyeran entradas que no figuraban anteriormente. • https://security.freebsd.org/advisories/FreeBSD-SA-23:16.cap_net.asc https://security.netapp.com/advisory/ntap-20231214-0003 • CWE-269: Improper Privilege Management •
CVSS: 9.8EPSS: 0%CPEs: 16EXPL: 0CVE-2023-5941 – libc stdio buffer overflow
https://notcve.org/view.php?id=CVE-2023-5941
In versions of FreeBSD 12.4-RELEASE prior to 12.4-RELEASE-p7 and FreeBSD 13.2-RELEASE prior to 13.2-RELEASE-p5 the __sflush() stdio function in libc does not correctly update FILE objects' write space members for write-buffered streams when the write(2) system call returns an error. Depending on the nature of an application that calls libc's stdio functions and the presence of errors returned from the write(2) system call (or an overridden stdio write routine) a heap buffer overflow may occur. Such overflows may lead to data corruption or the execution of arbitrary code at the privilege level of the calling program. En las versiones 12.4-RELEASE anteriores a 12.4-RELEASE-p7 y 13.2-RELEASE anteriores a 13.2-RELEASE-p5 de FreeBSD, la función stdio __sflush() en libc no actualiza correctamente los miembros del espacio de escritura de los objetos FILE para secuencias con búfer de escritura cuando la llamada al sistema write(2) devuelve un error. Dependiendo de la naturaleza de una aplicación que llama a las funciones stdio de libc y la presencia de errores devueltos por la llamada al sistema write(2) (o una rutina de escritura stdio anulada), puede ocurrir un desbordamiento del buffer del heap. • https://security.freebsd.org/advisories/FreeBSD-SA-23:15.stdio.asc https://security.netapp.com/advisory/ntap-20231214-0004 • CWE-131: Incorrect Calculation of Buffer Size CWE-787: Out-of-bounds Write •