CyberAlerts

Fedora 41 : thunderbird (2025-bd6664e83b)

Description: Nessus Plugin ID 232636 with Critical Severity Synopsis The remote Fedora host is missing one or more security updates. Description The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-bd6664e83b advisory. Update to 128.8.0 * https://www.mozilla.org/en-US/security/advisories/mfsa2025-18/ * https://www.thunderbird.net/en-US/thunderbird/128.8.0esr/releasenotes/Tenable has extracted the preceding description block directly from the Fedora security advisory.Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. Solution Update the affected thunderbird package. Read more at https://www.tenable.com/plugins/nessus/232636

Source: Tenable Plugins

March 12th, 2025 (4 months ago)

Fedora 40 : vyper (2025-77c63e7236)

Description: Nessus Plugin ID 232637 with Low Severity Synopsis The remote Fedora host is missing one or more security updates. Description The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-77c63e7236 advisory. Vyper ver. 0.4.1 ---- Another one small fix ---- Fix for a few known issuesTenable has extracted the preceding description block directly from the Fedora security advisory.Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. Solution Update the affected vyper package. Read more at https://www.tenable.com/plugins/nessus/232637

Source: Tenable Plugins

March 12th, 2025 (4 months ago)

FreeBSD : chromium -- multiple security fixes (a02a6d94-fe53-11ef-85f3-a8a1599412c6)

Description: Nessus Plugin ID 232638 with High Severity Synopsis The remote FreeBSD host is missing one or more security-related updates. Description The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the a02a6d94-fe53-11ef-85f3-a8a1599412c6 advisory. Chrome Releases reports: This update includes 5 security fixes:Tenable has extracted the preceding description block directly from the FreeBSD security advisory.Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. Solution Update the affected packages. Read more at https://www.tenable.com/plugins/nessus/232638

Source: Tenable Plugins

March 12th, 2025 (4 months ago)

CVE-2021-38489

Siemens InsydeH2O Plaintext Storage of a Password (CVE-2021-38489)

Description: Tenable OT Security Plugin ID 503051 with High Severity Synopsis The remote OT asset is affected by a vulnerability. Description An issue was discovered in the the HddPasswordPei driver of the Insyde InsydeH2O 5.x. HDD password is stored in plaintext.This plugin only works with Tenable.ot Please visit https://www.tenable.com/products/tenable-ot for more information. Solution Refer to the vendor advisory. Read more at https://www.tenable.com/plugins/ot/503051

Source: Tenable Plugins

March 12th, 2025 (4 months ago)

CVE-2021-43613

Siemens InsydeH2O Exposure of Sensitive Information to an Unauthorized Actor (CVE-2021-43613)

Description: Tenable OT Security Plugin ID 503052 with Medium Severity Synopsis The remote OT asset is affected by a vulnerability. Description An issue was discovered in Insyde InsydeH2O 5.x, affecting SysPasswordDxe that exposes user and administrator password hashes in runtime UEFI variables, leading to escalation of privilege. This plugin only works with Tenable.ot Please visit https://www.tenable.com/products/tenable-ot for more information. Solution Refer to the vendor advisory. Read more at https://www.tenable.com/plugins/ot/503052

Source: Tenable Plugins

March 12th, 2025 (4 months ago)

CVE-2025-2239

Absolute Path Disclosure Vulnerability in Hillstone Next Generation FireWall

Description: Generation of Error Message Containing Sensitive Information vulnerability in Hillstone Networks Hillstone Next Generation FireWall.This issue affects Hillstone Next Generation FireWall: from 5.5R8P1 before 5.5R8P23.

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: CVE

March 12th, 2025 (4 months ago)

CVE-2025-21866

powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC

Description: In the Linux kernel, the following vulnerability has been resolved: powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC Erhard reported the following KASAN hit while booting his PowerMac G4 with a KASAN-enabled kernel 6.13-rc6: BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8 Write of size 8 at addr f1000000 by task chronyd/1293 CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G W 6.13.0-rc6-PMacG4 #2 Tainted: [W]=WARN Hardware name: PowerMac3,6 7455 0x80010303 PowerMac Call Trace: [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable) [c24375b0] [c0504998] print_report+0xdc/0x504 [c2437610] [c050475c] kasan_report+0xf8/0x108 [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8 [c24376c0] [c004c014] patch_instructions+0x15c/0x16c [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478 [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14 [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4 [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890 [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420 [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c --- interrupt: c00 at 0x5a1274 NIP: 005a1274 LR: 006a3b3c CTR: 005296c8 REGS: c2437f40 T...

EPSS Score: 0.02%

Source: CVE

March 12th, 2025 (4 months ago)

CVE-2025-21865

gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().

Description: In the Linux kernel, the following vulnerability has been resolved: gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl(). Brad Spengler reported the list_del() corruption splat in gtp_net_exit_batch_rtnl(). [0] Commit eb28fd76c0a0 ("gtp: Destroy device along with udp socket's netns dismantle.") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl() to destroy devices in each netns as done in geneve and ip tunnels. However, this could trigger ->dellink() twice for the same device during ->exit_batch_rtnl(). Say we have two netns A & B and gtp device B that resides in netns B but whose UDP socket is in netns A. 1. cleanup_net() processes netns A and then B. 2. gtp_net_exit_batch_rtnl() finds the device B while iterating netns A's gn->gtp_dev_list and calls ->dellink(). [ device B is not yet unlinked from netns B as unregister_netdevice_many() has not been called. ] 3. gtp_net_exit_batch_rtnl() finds the device B while iterating netns B's for_each_netdev() and calls ->dellink(). gtp_dellink() cleans up the device's hash table, unlinks the dev from gn->gtp_dev_list, and calls unregister_netdevice_queue(). Basically, calling gtp_dellink() multiple times is fine unless CONFIG_DEBUG_LIST is enabled. Let's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and delegate the destruction to default_device_exit_batch() as done in bareudp. [0]: list_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_...

EPSS Score: 0.02%

Source: CVE

March 12th, 2025 (4 months ago)

CVE-2025-21864

tcp: drop secpath at the same time as we currently drop dst

Description: In the Linux kernel, the following vulnerability has been resolved: tcp: drop secpath at the same time as we currently drop dst Xiumei reported hitting the WARN in xfrm6_tunnel_net_exit while running tests that boil down to: - create a pair of netns - run a basic TCP test over ipcomp6 - delete the pair of netns The xfrm_state found on spi_byaddr was not deleted at the time we delete the netns, because we still have a reference on it. This lingering reference comes from a secpath (which holds a ref on the xfrm_state), which is still attached to an skb. This skb is not leaked, it ends up on sk_receive_queue and then gets defer-free'd by skb_attempt_defer_free. The problem happens when we defer freeing an skb (push it on one CPU's defer_list), and don't flush that list before the netns is deleted. In that case, we still have a reference on the xfrm_state that we don't expect at this point. We already drop the skb's dst in the TCP receive path when it's no longer needed, so let's also drop the secpath. At this point, tcp_filter has already called into the LSM hooks that may require the secpath, so it should not be needed anymore. However, in some of those places, the MPTCP extension has just been attached to the skb, so we cannot simply drop all extensions.

EPSS Score: 0.02%

Source: CVE

March 12th, 2025 (4 months ago)

CVE-2025-21863

io_uring: prevent opcode speculation

Description: In the Linux kernel, the following vulnerability has been resolved: io_uring: prevent opcode speculation sqe->opcode is used for different tables, make sure we santitise it against speculations.

EPSS Score: 0.02%

Source: CVE

March 12th, 2025 (4 months ago)

Threat and Vulnerability Intelligence Database

Example Searches:

	Fedora 41 : thunderbird (2025-bd6664e83b) Description: Nessus Plugin ID 232636 with Critical Severity Synopsis The remote Fedora host is missing one or more security updates. Description The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-bd6664e83b advisory. Update to 128.8.0 * https://www.mozilla.org/en-US/security/advisories/mfsa2025-18/ * https://www.thunderbird.net/en-US/thunderbird/128.8.0esr/releasenotes/Tenable has extracted the preceding description block directly from the Fedora security advisory.Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. Solution Update the affected thunderbird package. Read more at https://www.tenable.com/plugins/nessus/232636 Source: Tenable Plugins March 12th, 2025 (4 months ago)
	Fedora 40 : vyper (2025-77c63e7236) Description: Nessus Plugin ID 232637 with Low Severity Synopsis The remote Fedora host is missing one or more security updates. Description The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-77c63e7236 advisory. Vyper ver. 0.4.1 ---- Another one small fix ---- Fix for a few known issuesTenable has extracted the preceding description block directly from the Fedora security advisory.Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. Solution Update the affected vyper package. Read more at https://www.tenable.com/plugins/nessus/232637 Source: Tenable Plugins March 12th, 2025 (4 months ago)
	FreeBSD : chromium -- multiple security fixes (a02a6d94-fe53-11ef-85f3-a8a1599412c6) Description: Nessus Plugin ID 232638 with High Severity Synopsis The remote FreeBSD host is missing one or more security-related updates. Description The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the a02a6d94-fe53-11ef-85f3-a8a1599412c6 advisory. Chrome Releases reports: This update includes 5 security fixes:Tenable has extracted the preceding description block directly from the FreeBSD security advisory.Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. Solution Update the affected packages. Read more at https://www.tenable.com/plugins/nessus/232638 Source: Tenable Plugins March 12th, 2025 (4 months ago)
CVE-2021-38489	Siemens InsydeH2O Plaintext Storage of a Password (CVE-2021-38489) Description: Tenable OT Security Plugin ID 503051 with High Severity Synopsis The remote OT asset is affected by a vulnerability. Description An issue was discovered in the the HddPasswordPei driver of the Insyde InsydeH2O 5.x. HDD password is stored in plaintext.This plugin only works with Tenable.ot Please visit https://www.tenable.com/products/tenable-ot for more information. Solution Refer to the vendor advisory. Read more at https://www.tenable.com/plugins/ot/503051 Source: Tenable Plugins March 12th, 2025 (4 months ago)
CVE-2021-43613	Siemens InsydeH2O Exposure of Sensitive Information to an Unauthorized Actor (CVE-2021-43613) Description: Tenable OT Security Plugin ID 503052 with Medium Severity Synopsis The remote OT asset is affected by a vulnerability. Description An issue was discovered in Insyde InsydeH2O 5.x, affecting SysPasswordDxe that exposes user and administrator password hashes in runtime UEFI variables, leading to escalation of privilege. This plugin only works with Tenable.ot Please visit https://www.tenable.com/products/tenable-ot for more information. Solution Refer to the vendor advisory. Read more at https://www.tenable.com/plugins/ot/503052 Source: Tenable Plugins March 12th, 2025 (4 months ago)
CVE-2025-2239	Absolute Path Disclosure Vulnerability in Hillstone Next Generation FireWall Description: Generation of Error Message Containing Sensitive Information vulnerability in Hillstone Networks Hillstone Next Generation FireWall.This issue affects Hillstone Next Generation FireWall: from 5.5R8P1 before 5.5R8P23. CVSS: MEDIUM (5.3) EPSS Score: 0.04% Source: CVE March 12th, 2025 (4 months ago)
CVE-2025-21866	powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC Description: In the Linux kernel, the following vulnerability has been resolved: powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC Erhard reported the following KASAN hit while booting his PowerMac G4 with a KASAN-enabled kernel 6.13-rc6: BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8 Write of size 8 at addr f1000000 by task chronyd/1293 CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G W 6.13.0-rc6-PMacG4 #2 Tainted: [W]=WARN Hardware name: PowerMac3,6 7455 0x80010303 PowerMac Call Trace: [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable) [c24375b0] [c0504998] print_report+0xdc/0x504 [c2437610] [c050475c] kasan_report+0xf8/0x108 [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8 [c24376c0] [c004c014] patch_instructions+0x15c/0x16c [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478 [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14 [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4 [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890 [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420 [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c --- interrupt: c00 at 0x5a1274 NIP: 005a1274 LR: 006a3b3c CTR: 005296c8 REGS: c2437f40 T... EPSS Score: 0.02% Source: CVE March 12th, 2025 (4 months ago)
CVE-2025-21865	gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl(). Description: In the Linux kernel, the following vulnerability has been resolved: gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl(). Brad Spengler reported the list_del() corruption splat in gtp_net_exit_batch_rtnl(). [0] Commit eb28fd76c0a0 ("gtp: Destroy device along with udp socket's netns dismantle.") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl() to destroy devices in each netns as done in geneve and ip tunnels. However, this could trigger ->dellink() twice for the same device during ->exit_batch_rtnl(). Say we have two netns A & B and gtp device B that resides in netns B but whose UDP socket is in netns A. 1. cleanup_net() processes netns A and then B. 2. gtp_net_exit_batch_rtnl() finds the device B while iterating netns A's gn->gtp_dev_list and calls ->dellink(). [ device B is not yet unlinked from netns B as unregister_netdevice_many() has not been called. ] 3. gtp_net_exit_batch_rtnl() finds the device B while iterating netns B's for_each_netdev() and calls ->dellink(). gtp_dellink() cleans up the device's hash table, unlinks the dev from gn->gtp_dev_list, and calls unregister_netdevice_queue(). Basically, calling gtp_dellink() multiple times is fine unless CONFIG_DEBUG_LIST is enabled. Let's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and delegate the destruction to default_device_exit_batch() as done in bareudp. [0]: list_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_... EPSS Score: 0.02% Source: CVE March 12th, 2025 (4 months ago)
CVE-2025-21864	tcp: drop secpath at the same time as we currently drop dst Description: In the Linux kernel, the following vulnerability has been resolved: tcp: drop secpath at the same time as we currently drop dst Xiumei reported hitting the WARN in xfrm6_tunnel_net_exit while running tests that boil down to: - create a pair of netns - run a basic TCP test over ipcomp6 - delete the pair of netns The xfrm_state found on spi_byaddr was not deleted at the time we delete the netns, because we still have a reference on it. This lingering reference comes from a secpath (which holds a ref on the xfrm_state), which is still attached to an skb. This skb is not leaked, it ends up on sk_receive_queue and then gets defer-free'd by skb_attempt_defer_free. The problem happens when we defer freeing an skb (push it on one CPU's defer_list), and don't flush that list before the netns is deleted. In that case, we still have a reference on the xfrm_state that we don't expect at this point. We already drop the skb's dst in the TCP receive path when it's no longer needed, so let's also drop the secpath. At this point, tcp_filter has already called into the LSM hooks that may require the secpath, so it should not be needed anymore. However, in some of those places, the MPTCP extension has just been attached to the skb, so we cannot simply drop all extensions. EPSS Score: 0.02% Source: CVE March 12th, 2025 (4 months ago)
CVE-2025-21863	io_uring: prevent opcode speculation Description: In the Linux kernel, the following vulnerability has been resolved: io_uring: prevent opcode speculation sqe->opcode is used for different tables, make sure we santitise it against speculations. EPSS Score: 0.02% Source: CVE March 12th, 2025 (4 months ago)