Share: Email | Twitter

ID

VDE-2023-009

Published

2023-05-08 15:37 (CEST)

Last update

2023-05-08 15:37 (CEST)

Vendor(s)

ads-tec Industrial IT GmbH

Product(s)

Article No° Product Name Affected Version(s)
DVG-IRF1401, DVG-IRF1421 IRF1000 < 1.5.0
DVG-IRF2200, DVG-IRF2100, DVG-IRF2220, DVG-IRF2621, DVG-IRF2601 IRF2000 < 4.4.0
DVG-IRF3401, DVG-IRF3421, DVG-IRF3801. DVG-IRF3821 IRF3000 < 1.2.0

Vulnerabilities



Last Update
April 11, 2023, 9:02 a.m.
Weakness
Summary
Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not validate certain Exception objects, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger unintended method execution via crafted serialized data.
Last Update
April 11, 2023, 9:02 a.m.
Weakness
Summary
The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted session content.
Last Update
April 11, 2023, 9:02 a.m.
Weakness
Summary
The __PHP_Incomplete_Class function in ext/standard/incomplete_class.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to a "type confusion" issue.
Last Update
April 11, 2023, 9:02 a.m.
Weakness
Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
Summary
ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.
Last Update
April 11, 2023, 9:02 a.m.
Weakness
Deserialization of Untrusted Data (CWE-502)
Summary
ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.
Last Update
April 11, 2023, 9:01 a.m.
Weakness
Use After Free (CWE-416)
Summary
PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::__toString with DateInterval::__wakeup.
Last Update
Aug. 30, 2024, 9:28 a.m.
Weakness
Out-of-bounds Read (CWE-125)
Summary

The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP.

Last Update
Aug. 30, 2024, 9:28 a.m.
Weakness
Out-of-bounds Write (CWE-787)
Summary

The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging a script's use of .= with a long string.

Last Update
Aug. 30, 2024, 9:28 a.m.
Weakness
Uncontrolled Resource Consumption (CWE-400)
Summary

In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related to main/php_variables.c.

Last Update
Aug. 30, 2024, 9:13 a.m.
Weakness
Summary

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.

Last Update
Aug. 30, 2024, 9:13 a.m.
Weakness
Summary

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231.

Last Update
Aug. 30, 2024, 9:13 a.m.
Weakness
Numeric Errors (CWE-189)
Summary

Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value.

Last Update
Aug. 30, 2024, 9:13 a.m.
Weakness
Summary

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.

Last Update
Aug. 30, 2024, 9:13 a.m.
Weakness
Improper Resource Shutdown or Release (CWE-404)
Summary

The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement.

Last Update
Aug. 30, 2024, 9:13 a.m.
Weakness
Use of Uninitialized Resource (CWE-908)
Summary

SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement.

Last Update
Aug. 30, 2024, 9:28 a.m.
Weakness
Out-of-bounds Read (CWE-125)
Summary

The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.

Last Update
Aug. 30, 2024, 9:13 a.m.
Weakness
Summary

Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP through 5.5.20 and 5.6.x through 5.6.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

Last Update
Aug. 30, 2024, 9:13 a.m.
Weakness
Permissions, Privileges, and Access Controls (CWE-264)
Summary

The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a \x00 character, which allows remote attackers to bypass intended extension restrictions and create files with unexpected names via a crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.

Impact

The affected products integrate the vulnerable libraries in a way so that the vulnerabilities can't be exploited remotely without prior authentication.

Solution

Mitigation

It is recommended to disable all user accounts with restricted configuration write permissions if the update to the latest released version cannot be installed immediately.
It is further recommended to use best practice password policies.

Remediation

Update firmware to the latest version available. The issues have been resolved with IRF1000 version 1.5.0, IRF2000 version 4.4.0 and IRF3000 version 1.2.0.

Reported by

The Vulnerabilities were identified by ads-tec.
CERT@VDE coordinated with ads-tec.