CVSS: 8.1EPSS: 54%CPEs: 54EXPL: 100CVE-2024-6387 – Openssh: regresshion - race condition in ssh allows rce/dos
https://notcve.org/view.php?id=CVE-2024-6387
01 Jul 2024 — A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. Se encontró una condición de ejecución del controlador de señales en el servidor de OpenSSH (sshd), donde un cliente no se autentica dentro de los segundos de LoginGraceTime (120 de forma predeterminada, 600 en versiones anter... • https://packetstorm.news/files/id/179290 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-364: Signal Handler Race Condition •
CVSS: 6.8EPSS: 0%CPEs: 14EXPL: 0CVE-2023-6660 – NFS client data corruption and kernel memory disclosure
https://notcve.org/view.php?id=CVE-2023-6660
13 Dec 2023 — When a program running on an affected system appends data to a file via an NFS client mount, the bug can cause the NFS client to fail to copy in the data to be written but proceed as though the copy operation had succeeded. This means that the data to be written is instead replaced with whatever data had been in the packet buffer previously. Thus, an unprivileged user with access to an affected system may abuse the bug to trigger disclosure of sensitive information. In particular, the leak is limited to dat... • https://security.freebsd.org/advisories/FreeBSD-SA-23:18.nfsclient.asc •
CVSS: 7.8EPSS: 0%CPEs: 23EXPL: 0CVE-2023-6534 – TCP spoofing vulnerability in pf(4)
https://notcve.org/view.php?id=CVE-2023-6534
13 Dec 2023 — In versions of FreeBSD 14.0-RELEASE before 14-RELEASE-p2, FreeBSD 13.2-RELEASE before 13.2-RELEASE-p7 and FreeBSD 12.4-RELEASE before 12.4-RELEASE-p9, the pf(4) packet filter incorrectly validates TCP sequence numbers. This could allow a malicious actor to execute a denial-of-service attack against hosts behind the firewall. En las versiones de FreeBSD 14.0-RELEASE anteriores a 14-RELEASE-p2, FreeBSD 13.2-RELEASE anteriores a 13.2-RELEASE-p7 y FreeBSD 12.4-RELEASE anteriores a 12.4-RELEASE-p9, el filtro de ... • https://security.freebsd.org/advisories/FreeBSD-SA-23:17.pf.asc •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-5978 – Incorrect libcap_net limitation list manipulation
https://notcve.org/view.php?id=CVE-2023-5978
08 Nov 2023 — In versions of FreeBSD 13-RELEASE before 13-RELEASE-p5, under certain circumstances the cap_net libcasper(3) service incorrectly validates that updated constraints are strictly subsets of the active constraints. When only a list of resolvable domain names was specified without setting any other limitations, an application could submit a new list of domains including include entries not previously listed. This could permit the application to resolve domain names that were previously restricted. En las versio... • https://security.freebsd.org/advisories/FreeBSD-SA-23:16.cap_net.asc • CWE-269: Improper Privilege Management •
CVSS: 10.0EPSS: 0%CPEs: 16EXPL: 0CVE-2023-5941 – libc stdio buffer overflow
https://notcve.org/view.php?id=CVE-2023-5941
08 Nov 2023 — In versions of FreeBSD 12.4-RELEASE prior to 12.4-RELEASE-p7 and FreeBSD 13.2-RELEASE prior to 13.2-RELEASE-p5 the __sflush() stdio function in libc does not correctly update FILE objects' write space members for write-buffered streams when the write(2) system call returns an error. Depending on the nature of an application that calls libc's stdio functions and the presence of errors returned from the write(2) system call (or an overridden stdio write routine) a heap buffer overflow may occur. Such overflow... • https://security.freebsd.org/advisories/FreeBSD-SA-23:15.stdio.asc • CWE-131: Incorrect Calculation of Buffer Size CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5370 – arm64 boot CPUs may lack speculative execution protections
https://notcve.org/view.php?id=CVE-2023-5370
04 Oct 2023 — On CPU 0 the check for the SMCCC workaround is called before SMCCC support has been initialized. This resulted in no speculative execution workarounds being installed on CPU 0. En la CPU 0, se llama a la verificación del workaround de SMCCC antes de que se haya inicializado el soporte de SMCCC. Esto resultó en que no se instalaran workarounds de ejecución especulativa en la CPU 0. • https://security.FreeBSD.org/advisories/FreeBSD-SA-23:14.smccc.asc • CWE-665: Improper Initialization •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5369 – copy_file_range insufficient capability rights check
https://notcve.org/view.php?id=CVE-2023-5369
04 Oct 2023 — Before correction, the copy_file_range system call checked only for the CAP_READ and CAP_WRITE capabilities on the input and output file descriptors, respectively. Using an offset is logically equivalent to seeking, and the system call must additionally require the CAP_SEEK capability. This incorrect privilege check enabled sandboxed processes with only read or write but no seek capability on a file descriptor to read data from or write data to an arbitrary location within the file corresponding to that fil... • https://security.FreeBSD.org/advisories/FreeBSD-SA-23:13.capsicum.asc • CWE-273: Improper Check for Dropped Privileges •
CVSS: 6.8EPSS: 0%CPEs: 12EXPL: 0CVE-2023-5368 – msdosfs data disclosure
https://notcve.org/view.php?id=CVE-2023-5368
04 Oct 2023 — On an msdosfs filesystem, the 'truncate' or 'ftruncate' system calls under certain circumstances populate the additional space in the file with unallocated data from the underlying disk device, rather than zero bytes. This may permit a user with write access to files on a msdosfs filesystem to read unintended data (e.g. from a previously deleted file). En un sistema de archivos msdosfs, las llamadas al sistema 'truncate' o 'ftruncate' bajo ciertas circunstancias llenan el espacio adicional en el archivo con... • https://dfir.ru/2023/11/01/bringing-unallocated-data-back-the-fat12-16-32-case • CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 7.8EPSS: 0%CPEs: 12EXPL: 0CVE-2023-4809 – pf incorrectly handles multiple IPv6 fragment headers
https://notcve.org/view.php?id=CVE-2023-4809
06 Sep 2023 — In pf packet processing with a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed. That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a packet with multiple IPv6 fragment headers would unexpectedly be interpreted as a fragmented packet, rather than as whatever the real payload is. As a result, IPv6 fragments may bypass pf firewall rules written on th... • http://www.openwall.com/lists/oss-security/2023/09/08/5 • CWE-167: Improper Handling of Additional Special Element •
CVSS: 8.8EPSS: 0%CPEs: 14EXPL: 0CVE-2023-3494 – bhyve privileged guest escape via fwctl
https://notcve.org/view.php?id=CVE-2023-3494
01 Aug 2023 — The fwctl driver implements a state machine which is executed when a bhyve guest accesses certain x86 I/O ports. The interface lets the guest copy a string into a buffer resident in the bhyve process' memory. A bug in the state machine implementation can result in a buffer overflowing when copying this string. Malicious, privileged software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root, mitigated by th... • https://security.FreeBSD.org/advisories/FreeBSD-SA-23:07.bhyve.asc • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •