| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Insecure Permissiosn vulnerability in TP Link TC70 and C200 WIFI Camera v.3 firmware v.1.3.4 and fixed in v.1.3.11 allows a physically proximate attacker to obtain sensitive information via a connection to the UART pin components. |
| Improper conditions check in the Intel(R) Data Center GPU Max Series 1100 and 1550 products may allow an privileged user to potentially enable denial of service via local access. |
| Improper conditions check for some Intel(R) Wireless Bluetooth(R) products for Windows before version 23.20 may allow a privileged user to potentially enable denial of service via local access. |
| IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to obtain a decryption key due to improper authority checks. IBM X-Force ID: 268270. |
|
IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 is vulnerable to having its key for an encrypted password decoded. By somehow gaining access to the encrypted password, a local attacker could exploit this vulnerability to obtain the password to other systems. IBM X-Force ID: 268265.
|
|
An Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the NetworkStack agent daemon (nsagentd) of Juniper Networks Junos OS Evolved allows an unauthenticated network based attacker to cause limited impact to the availability of the system.
If specific packets reach the Routing-Engine (RE) these will be processed normally even if firewall filters are in place which should have prevented this. This can lead to a limited, increased consumption of resources resulting in a Denial-of-Service (DoS), and unauthorized access.
CVE-2023-44196 is a prerequisite for this issue.
This issue affects Juniper Networks Junos OS Evolved:
* 21.3-EVO versions prior to 21.3R3-S5-EVO;
* 21.4-EVO versions prior to 21.4R3-S4-EVO;
* 22.1-EVO version 22.1R1-EVO and later;
* 22.2-EVO version 22.2R1-EVO and later;
* 22.3-EVO versions prior to 22.3R2-S2-EVO, 22.3R3-S1-EVO;
* 22.4-EVO versions prior to 22.4R3-EVO.
This issue doesn't not affected Junos OS Evolved versions prior to 21.3R1-EVO.
|
| The vulnerability is that the Messaging ("com.android.mms") app patched by LG forwards attacker-controlled intents back to the attacker in the exported "com.android.mms.ui.QClipIntentReceiverActivity" activity. The attacker can abuse this functionality by launching this activity and then sending a broadcast with the "com.lge.message.action.QCLIP" action. The attacker can send, e.g., their own data/clipdata and set Intent.FLAG_GRANT_* flags. After the attacker received that intent in the "onActivityResult()" method, they would have access to arbitrary content providers that have the `android:grantUriPermissions="true"` flag set. |
| he vulnerability is that the Call management ("com.android.server.telecom") app patched by LG launches implicit intents that disclose sensitive data to all third-party apps installed on the same device. Those intents include data such as contact details and phone numbers. |
| The vulnerability is that the Call management ("com.android.server.telecom") app patched by LG sends a lot of LG-owned implicit broadcasts that disclose sensitive data to all third-party apps installed on the same device. Those intents include data such as call states, durations, called numbers, contacts info, etc. |
| The vulnerability is to theft of arbitrary files with system privilege in the Screen recording ("com.lge.gametools.gamerecorder") app in the "com/lge/gametools/gamerecorder/settings/ProfilePreferenceFragment.java" file. The main problem is that the app launches implicit intents that can be intercepted by third-party apps installed on the same device. They also can return arbitrary data that will be passed to the "onActivityResult()" method. The Screen recording app saves contents of arbitrary URIs to SD card which is a world-readable storage. |
| The vulnerability is to theft of arbitrary files with system privilege in the LockScreenSettings ("com.lge.lockscreensettings") app in the "com/lge/lockscreensettings/dynamicwallpaper/MyCategoryGuideActivity.java" file. The main problem is that the app launches implicit intents that can be intercepted by third-party apps installed on the same device. They also can return arbitrary data that will be passed to the "onActivityResult()" method. The LockScreenSettings app copies the received file to the "/data/shared/dw/mycategory/wallpaper_01.png" path and then changes the file access mode to world-readable and world-writable. |
| The vulnerability is an intent redirection in LG ThinQ Service ("com.lge.lms2") in the "com/lge/lms/things/ui/notification/NotificationManager.java" file. This vulnerability could be exploited by a third-party app installed on an LG device by sending a broadcast with the action "com.lge.lms.things.notification.ACTION". Additionally, this vulnerability is very dangerous because LG ThinQ Service is a system app (having android:sharedUserId="android.uid.system" setting). Intent redirection in this app leads to accessing arbitrary not exported activities of absolutely all apps. |
|
When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs
are used.
In a previous project, CYMOTIVE found that the configuration is not protected by the secure
boot, and in response Zededa implemented measurements on the config partition that was
mapped to PCR 13.
In that process, PCR 13 was added to the list of PCRs that seal/unseal the key.
In commit “56e589749c6ff58ded862d39535d43253b249acf”, the config partition
measurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of
PCRs that seal/unseal the key.
This change makes the measurement of PCR 14 effectively redundant as it would not affect
the sealing/unsealing of the key.
An attacker could modify the config partition without triggering the measured boot, this could
result in the attacker gaining full control over the device with full access to the contents of the
encrypted “vault”
|
|
On boot, the Pillar eve container checks for the existence and content of
“/config/GlobalConfig/global.json”.
If the file exists, it overrides the existing configuration on the device on boot.
This allows an attacker to change the system’s configuration, which also includes some
debug functions.
This could be used to unlock the ssh with custom “authorized_keys” via the
“debug.enable.ssh” key, similar to the “authorized_keys” finding that was noted before.
Other usages include unlocking the usb to enable the keyboard via the “debug.enable.usb”
key, allowing VNC access via the “app.allow.vnc” key, and more.
An attacker could easily enable these debug functionalities without triggering the “measured
boot” mechanism implemented by EVE OS, and without marking the device as “UUD”
(“Unknown Update Detected”).
This is because the “/config” partition is not protected by “measured boot”, it is mutable and it
is not encrypted in any way.
An attacker can gain full control over the device without changing the PCR values, thereby not
triggering the “measured boot” mechanism, and having full access to the vault.
Note:
This issue was partially fixed in these commits (after disclosure to Zededa), where the config
partition measurement was added to PCR13:
• aa3501d6c57206ced222c33aea15a9169d629141
• 5fef4d92e75838cc78010edaed5247dfbdae1889.
This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot. |
|
On boot, the Pillar eve container checks for the existence and content of
“/config/authorized_keys”.
If the file is present, and contains a supported public key, the container will go on to open
port 22 and enable sshd with the given keys as the authorized keys for root login.
An attacker could easily add their own keys and gain full control over the system without
triggering the “measured boot” mechanism implemented by EVE OS, and without marking
the device as “UUD” (“Unknown Update Detected”).
This is because the “/config” partition is not protected by “measured boot”, it is mutable, and
it is not encrypted in any way.
An attacker can gain full control over the device without changing the PCR values, thus not
triggering the “measured boot” mechanism, and having full access to the vault.
Note:
This issue was partially fixed in these commits (after disclosure to Zededa), where the config
partition measurement was added to PCR13:
• aa3501d6c57206ced222c33aea15a9169d629141
• 5fef4d92e75838cc78010edaed5247dfbdae1889.
This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot. |
| PCR14 is not in the list of PCRs that seal/unseal the “vault” key, but
due to the change that was implemented in commit
“7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, fixing this issue alone would not solve the
problem of the config partition not being measured correctly.
Also, the “vault” key is sealed/unsealed with SHA1 PCRs instead of
SHA256.
This issue was somewhat mitigated due to all of the PCR extend functions
updating both the values of SHA256 and SHA1 for a given PCR ID.
However, due to the change that was implemented in commit
“7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, this is no longer the case for PCR14, as
the code in “measurefs.go” explicitly updates only the SHA256 instance of PCR14, which
means that even if PCR14 were to be added to the list of PCRs sealing/unsealing the “vault”
key, changes to the config partition would still not be measured.
An attacker could modify the config partition without triggering the measured boot, this could
result in the attacker gaining full control over the device with full access to the contents of the
encrypted “vault”
|
| An issue in animal-art-lab v13.6.1 allows attackers to send crafted notifications via leakage of the channel access token. |
| This issue was addressed through improved state management. This issue is fixed in macOS Sonoma 14.2. Remote Login sessions may be able to obtain full disk access permissions. |
| The vulnerability allows an unprivileged(untrusted) third-party application to interact with a content-provider unsafely exposed by the Android Agent application, potentially modifying sensitive settings of the Android Client application itself. |
|
An implicit intent export vulnerability was reported in the Motorola Phone application, that could allow unauthorized access to a non-exported content provider. |
