Cisco Secure ASA contains an improper validation of user-supplied input in HTTP(S) requests that allows an unauthenticated remote attacker to access restricted URL endpoints that are related to remote access VPN. Combined with a buffer overflow in the files_action.lua Lua script, these vulnerabilities may allow unauthenticated remote attackers to execute arbitrary code as root or cause unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions.
A memory corruption vulnerability in the Windows IPv6 stack allows remote Denial of Service via maliciously crafted IPv6 Fragment Header packets, leading to kernel-level compromise. Exploitation requires no authentication or user interaction; attackers need only send specially designed packets to vulnerable hosts. Impacts all Windows versions with IPv6 enabled (default since Windows 10).
A denial of service vulnerability exists in the Local Session Manager (LSM) service when an authenticated attacker connects to the target system and sends specially crafted requests.
This update adds reliability improvements to check if the target is vulnerable.
A denial of service vulnerability exists in Event Logging Service when an authenticated attacker connects to the target system and sends specially crafted requests.
This update adds CVE-2023-21554 to the vulnerabilities exploited by the module. Windows Server 2019 was also added to the supported systems.
A denial of service vulnerability exists in DHCPv6 service when an unauthenticated attacker connects to the target system and sends specially crafted requests.
A denial of service vulnerability exists in Microsoft Message Queuing when an unauthenticated attacker connects to the target system and sends specially crafted requests.
The vulnerability is caused by the lack of a strict bounds check for the SignaturesOffset field in the Base Block for the base log file (BLF) in CLFS.sys.
There is an integer overflow in the BaseSrvActivationContextCacheDuplicateUnicodeString function in the sxssrv.dll module of the CSRSS process.
The vulnerable function can be accessed from the BaseSrvSxsCreateActivationContextFromMessage CSR routine. However, the default size of the CSR shared memory section is only 0x10000 bytes, so by default it is impossible to pass a large enough UNICODE_STRING to CSRSS. Fortunately, the section size is controlled entirely by the client process, and if an attacker can modify ntdll!CsrpConnectToServer early enough during the start of the process, they will be able to pass strings larger than 0x10000 in size.