Sign-up

ID

VAR-202201-0402


CVE

CVE-2022-23096


TITLE

Connman  Out-of-bounds read vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-004293

DESCRIPTION

An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation lacks a check for the presence of sufficient Header Data, leading to an out-of-bounds read. Connman Exists in an out-of-bounds read vulnerability.Information is obtained and service operation is interrupted (DoS) It may be in a state. For the stable distribution (bullseye), these problems have been fixed in version 1.36-2.2+deb11u1. We recommend that you upgrade your connman packages. For the detailed security status of connman please refer to its security tracker page at: https://security-tracker.debian.org/tracker/connman Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmMl6e9fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0TRZA//QR46xvu66PMnDmLubjco12vyMnfonbCrOI+ZrgQl1OHtIB1/i1/sX/e6 YJfjJpMjIM+9tbGP6wUSPYli4ZjW7fYGipaXJYFYH/Mxq8zleLO7YeO5RGtl7isi trvOcJ0N8Og+KQZHymgxI9zSiAA1cA7VjWtdZjj7izt7fm2VN/xO7Yksecm053tF hBBffflPnOXL/BA75kQ6zK+l4GJKCoqE67zWqirpoFOIzbvQsOInfkG4WBh3fxee dzSjLJ5UjmEkiJC9la9y6TnO64b1nvNkp1akGbqVHmxQrrxcS5QoWvAa4K3mNVI8 l7+lTLxqsodLv6io71pI6UQbvLiyeOBKBycGxbFvnX38GiuO2qjNGrrKUfi77Lj3 23zwbKPiOl3bcBoH6/zhJmJsCR6rREN0uhULnEDMiiEQNVqbTw2RekFSNnSiprhC CvUhaioqcNQ0Km7Uhd23kIdpBcM5lZh3hwSXWuGxpEXyyBAzorn+1rh5l/Zu0x8I OpAbtgG4EaiB4crHBnDE8Tc2ZW/VmilnJF/syrVxL8zx78ZulK+fNmTwNWTV+wRz A5xHsvmR1D0FpBr2uKQ0bq6uDWxajd5kNOmboNnha3UL+EftjgIEW3f3Y4fgHeWx 1io1lrYjacfCEm3uf+NnAjACpwnQzWh41EIJpIDBhI09KB+LDeQ= =qzlf -----END PGP SIGNATURE----- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202310-21 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: ConnMan: Multiple Vulnerabilities Date: October 31, 2023 Bugs: #832028, #863425 ID: 202310-21 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= Multiple vulnerabilities have been discovered in ConnMan, the worst of which can lead to remote code execution. Background ========= ConnMan provides a daemon for managing Internet connections. Affected packages ================ Package Vulnerable Unaffected ---------------- ------------------ ------------------- net-misc/connman < 1.42_pre20220801 >= 1.42_pre20220801 Description ========== Multiple vulnerabilities have been discovered in ConnMan. Please review the CVE identifiers referenced below for details. Impact ===== Please review the referenced CVE identifiers for details. Workaround ========= There is no known workaround at this time. Resolution ========= All ConnMan users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/connman-1.42_pre20220801" References ========= [ 1 ] CVE-2022-23096 https://nvd.nist.gov/vuln/detail/CVE-2022-23096 [ 2 ] CVE-2022-23097 https://nvd.nist.gov/vuln/detail/CVE-2022-23097 [ 3 ] CVE-2022-23098 https://nvd.nist.gov/vuln/detail/CVE-2022-23098 [ 4 ] CVE-2022-32292 https://nvd.nist.gov/vuln/detail/CVE-2022-32292 [ 5 ] CVE-2022-32293 https://nvd.nist.gov/vuln/detail/CVE-2022-32293 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202310-21 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ====== Copyright 2023 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

Trust: 1.98

sources: NVD: CVE-2022-23096 // JVNDB: JVNDB-2022-004293 // VULHUB: VHN-411973 // VULMON: CVE-2022-23096 // PACKETSTORM: 169386 // PACKETSTORM: 175441

AFFECTED PRODUCTS

vendor:debianmodel:linuxscope:eqversion:9.0

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:11.0

Trust: 1.0

vendor:intelmodel:connmanscope:lteversion:1.40

Trust: 1.0

vendor:debianmodel:gnu/linuxscope: - version: -

Trust: 0.8

vendor:connmanmodel:connmanscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-004293 // NVD: CVE-2022-23096

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-23096
value: CRITICAL

Trust: 1.0

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2022-23096
value: CRITICAL

Trust: 1.0

NVD: CVE-2022-23096
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202201-2595
value: CRITICAL

Trust: 0.6

VULHUB: VHN-411973
value: MEDIUM

Trust: 0.1

VULMON: CVE-2022-23096
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-23096
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-411973
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-23096
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.2
version: 3.1

Trust: 2.0

NVD: CVE-2022-23096
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-411973 // VULMON: CVE-2022-23096 // JVNDB: JVNDB-2022-004293 // CNNVD: CNNVD-202201-2595 // NVD: CVE-2022-23096 // NVD: CVE-2022-23096

PROBLEMTYPE DATA

problemtype:CWE-125

Trust: 1.1

problemtype:Out-of-bounds read (CWE-125) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-411973 // JVNDB: JVNDB-2022-004293 // NVD: CVE-2022-23096

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 175441 // CNNVD: CNNVD-202201-2595

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202201-2595

PATCH

title:[SECURITY] [DLA 2915-1] connman security update Debian Security Advisoryurl:https://git.kernel.org/pub/scm/network/connman/connman.git/log/

Trust: 0.8

title:Connman Buffer error vulnerability fixurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=180419

Trust: 0.6

title:Debian CVElist Bug Report Logs: connman: CVE-2022-23096 CVE-2022-23097 CVE-2022-23098url:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=fbf02d2c0058862b318dcda12f0708ac

Trust: 0.1

title:Arch Linux Issues: url:https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2022-23096

Trust: 0.1

title:Debian Security Advisories: DSA-5231-1 connman -- security updateurl:https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=a35ea7e493a595256b90605cc6e8cb63

Trust: 0.1

title:CVE-2022-XXXXurl:https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title:CVE-2022-XXXXurl:https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: VULMON: CVE-2022-23096 // JVNDB: JVNDB-2022-004293 // CNNVD: CNNVD-202201-2595

EXTERNAL IDS

db:NVDid:CVE-2022-23096

Trust: 3.6

db:OPENWALLid:OSS-SECURITY/2022/01/25/1

Trust: 2.6

db:JVNDBid:JVNDB-2022-004293

Trust: 0.8

db:PACKETSTORMid:169386

Trust: 0.7

db:AUSCERTid:ESB-2023.4078

Trust: 0.6

db:AUSCERTid:ESB-2022.4634

Trust: 0.6

db:CNNVDid:CNNVD-202201-2595

Trust: 0.6

db:VULHUBid:VHN-411973

Trust: 0.1

db:VULMONid:CVE-2022-23096

Trust: 0.1

db:PACKETSTORMid:175441

Trust: 0.1

sources: VULHUB: VHN-411973 // VULMON: CVE-2022-23096 // JVNDB: JVNDB-2022-004293 // PACKETSTORM: 169386 // PACKETSTORM: 175441 // CNNVD: CNNVD-202201-2595 // NVD: CVE-2022-23096

REFERENCES

url:https://www.openwall.com/lists/oss-security/2022/01/25/1

Trust: 2.6

url:https://www.debian.org/security/2022/dsa-5231

Trust: 1.9

url:https://git.kernel.org/pub/scm/network/connman/connman.git/log/

Trust: 1.8

url:https://lists.debian.org/debian-lts-announce/2022/02/msg00009.html

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-23096

Trust: 1.6

url:https://security.gentoo.org/glsa/202310-21

Trust: 1.2

url:https://packetstormsecurity.com/files/169386/debian-security-advisory-5231-1.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.4078

Trust: 0.6

url:https://vigilance.fr/vulnerability/connman-three-vulnerabilities-37503

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.4634

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2022-23097

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-32292

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-23098

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-32293

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/125.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004935

Trust: 0.1

url:https://github.com/alphabugx/cve-2022-23305

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://security-tracker.debian.org/tracker/connman

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

sources: VULHUB: VHN-411973 // VULMON: CVE-2022-23096 // JVNDB: JVNDB-2022-004293 // PACKETSTORM: 169386 // PACKETSTORM: 175441 // CNNVD: CNNVD-202201-2595 // NVD: CVE-2022-23096

CREDITS

Debian

Trust: 0.1

sources: PACKETSTORM: 169386

SOURCES

db:VULHUBid:VHN-411973
db:VULMONid:CVE-2022-23096
db:JVNDBid:JVNDB-2022-004293
db:PACKETSTORMid:169386
db:PACKETSTORMid:175441
db:CNNVDid:CNNVD-202201-2595
db:NVDid:CVE-2022-23096

LAST UPDATE DATE

2024-11-23T20:57:40.131000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-411973date:2022-09-29T00:00:00
db:VULMONid:CVE-2022-23096date:2023-12-21T00:00:00
db:JVNDBid:JVNDB-2022-004293date:2023-04-04T07:58:00
db:CNNVDid:CNNVD-202201-2595date:2023-07-20T00:00:00
db:NVDid:CVE-2022-23096date:2024-11-21T06:47:58.880

SOURCES RELEASE DATE

db:VULHUBid:VHN-411973date:2022-01-28T00:00:00
db:VULMONid:CVE-2022-23096date:2022-01-28T00:00:00
db:JVNDBid:JVNDB-2022-004293date:2023-04-04T00:00:00
db:PACKETSTORMid:169386date:2022-09-28T19:12:00
db:PACKETSTORMid:175441date:2023-10-31T13:14:45
db:CNNVDid:CNNVD-202201-2595date:2022-01-28T00:00:00
db:NVDid:CVE-2022-23096date:2022-01-28T16:15:07.897