Stage up a slew of new CVEs, and also fix up the CVE tables a little

content/cve.md

@@ -96,6 +96,14 @@ For issues involving other parties, please see additional requirements, below. N
 
 When we publish CVEs, we will tend to use this [template], adjusted to taste.
 
+<style>
+.nowrap-cve-cell-table td:first-child { white-space: nowrap; }
+</style>
+
+### 2023 Disclosures
+
+<div class="nowrap-cve-cell-table">
+
 | CVE              | Meeting   | Issue                                      |
 | ---------------- | --------- | ------------------------------------------ |
 | [CVE-2023-0666]  | 0x00c7    | **Wireshark RTPS Parsing Buffer Overflow** |
@@ -105,20 +113,43 @@ When we publish CVEs, we will tend to use this [template], adjusted to taste.
 | [CVE-2023-2906]  | 0x00c8    | **Wireshark CP2179 divide by zero** |
 | [CVE-2023-4504]  | 0x00c9    | **CUPS/libppd PostScript Parsing Heap Overflow** |
 | [CVE-2023-5841]  | 0x00cd    | **OpenEXR Heap Overflow in Scanline Deep Data Parsing** |
+
+### 2024 Disclosures
+
+| CVE              | Meeting   | Issue                                      |
+| ---------------- | --------- | ------------------------------------------ |
 | [CVE-2024-2053]  | 0x00d1    | **Artica Proxy Unauthenticated LFI Protection Bypass** |
 | [CVE-2024-2054]  | 0x00d1    | **Artica Proxy Unauthenticated PHP Deserialization** |
 | [CVE-2024-2055]  | 0x00d1    | **Artica Proxy Unauthenticated File Manage** |
 | [CVE-2024-2056]  | 0x00d1    | **Artica Proxy Loopback Services Remotely Accessible Unauthenticated** |
 | [CVE-2024-4224]  | 0x00d3    | **TP-Link TL-SG1016DE XSS** |
+
+### 2025 Disclosures
+
+| CVE              | Meeting   | Issue                                      |
+| ---------------- | --------- | ------------------------------------------ |
 | [CVE-2025-2894]  | 0x00de    | **Unitree Go1 Backdoor Control Channel** |
+| [CVE-2025-3459]  | 0x00df    | **onsemi Quantenna transmit_file ArgInj** |
+| [CVE-2025-3460]  | 0x00df    | **onsemi Quantenna set_tx_pow ArgInj** |
+| [CVE-2025-3461]  | 0x00df    | **onsemi Quantenna Telent Missing Auth** |
+| [CVE-2025-32455] | 0x00df    | **onsemi Quantenna router_command run_cmd ArgInj** |
+| [CVE-2025-32456] | 0x00df    | **onsemi Quantenna router_command put_file_to_qtn ArgInj** |
+| [CVE-2025-32457] | 0x00df    | **onsemi Quantenna router_command get_file_from_qtn ArgInj** |
+| [CVE-2025-32458] | 0x00df    | **onsemi Quantenna router_command get_syslog_from_qtn ArgInj** |
+| [CVE-2025-32459] | 0x00df    | **onsemi Quantenna router_command sync_time ArgInj** |
+| [CVE-2025-35004] | 0x00df    | **Microhard Bullet-LTE/IPn4Gii AT+MFIP ArgInj** |
+| [CVE-2025-35005] | 0x00df    | **Microhard Bullet-LTE/IPn4Gii AT+MFMAC ArgInj** |
+| [CVE-2025-35006] | 0x00df    | **Microhard Bullet-LTE/IPn4Gii AT+MFPORTFWD ArgInj** |
+| [CVE-2025-35007] | 0x00df    | **Microhard Bullet-LTE/IPn4Gii AT+MFRULE ArgInj** |
+| [CVE-2025-35008] | 0x00df    | **Microhard Bullet-LTE/IPn4Gii AT+MMNAME ArgInj** |
+| [CVE-2025-35009] | 0x00df    | **Microhard Bullet-LTE/IPn4Gii AT+MNNETSP ArgInj** |
+| [CVE-2025-35010] | 0x00df    | **Microhard Bullet-LTE/IPn4Gii AT+MNPINGTM ArgInj** |
+
+</div>
 
 ## Reserved CVEs
 
-We've reserved the following CVEs for upcoming publication.
-
-| CVE             | Meeting   |
-| --------------- | --------- |
-| None yet!       | 0x00xx    |
+We've reserved some number of CVEs, but it's all quite secretive and sneaky to avoid the dreaded [RBP Goblins](https://cve.mitre.org/cve/cna/RBP_Policy_v1-0.pdf). We'll publish when we publish.
 
 ### Contact
 
@@ -147,3 +178,18 @@ Vulnerabilities involving other parties must be either (1) presented at a regula
 [CVE-2024-2056]: https://korelogic.com/Resources/Advisories/KL-001-2024-004.txt
 [CVE-2024-4224]: {{< baseurl >}}cves/cve-2024-4224/
 [CVE-2025-2894]: {{< baseurl >}}cves/cve-2025-2894/
+[CVE-2025-3459]: {{< baseurl >}}cves/cve-2025-3459/
+[CVE-2025-3460]: {{< baseurl >}}cves/cve-2025-3460/
+[CVE-2025-3461]: {{< baseurl >}}cves/cve-2025-3461/
+[CVE-2025-32455]: {{< baseurl >}}cves/cve-2025-32455/
+[CVE-2025-32456]: {{< baseurl >}}cves/cve-2025-32456/
+[CVE-2025-32457]: {{< baseurl >}}cves/cve-2025-32457/
+[CVE-2025-32458]: {{< baseurl >}}cves/cve-2025-32458/
+[CVE-2025-32459]: {{< baseurl >}}cves/cve-2025-32459/
+[CVE-2025-35004]: {{< baseurl >}}cves/cve-2025-35004/
+[CVE-2025-35005]: {{< baseurl >}}cves/cve-2025-35005/
+[CVE-2025-35006]: {{< baseurl >}}cves/cve-2025-35006/
+[CVE-2025-35007]: {{< baseurl >}}cves/cve-2025-35007/
+[CVE-2025-35008]: {{< baseurl >}}cves/cve-2025-35008/
+[CVE-2025-35009]: {{< baseurl >}}cves/cve-2025-35009/
+[CVE-2025-35010]: {{< baseurl >}}cves/cve-2025-35010/

content/cves/CVE-2025-32455.md

@@ -0,0 +1,62 @@
+---
+title: CVE-2025-32455
+aliases:
+  - /cves/CVE-2025-32455.html
+---
+
+# CVE-2025-32455: ON Semiconductor Quantenna router_command.sh run_cmd Argument Injection
+
+[AHA!] has discovered an issue with Quantenna Wi-Fi chips from ON Semiconductor, and is issuing this disclosure in accordance with AHA!'s standard [disclosure policy] on June 8, 2025. [CVE-2025-32455] has been assigned to this issue.
+
+Any questions about this disclosure should be directed to cve@takeonme.org.
+
+# Executive Summary
+
+Quantenna Wi-Fi chips ship with a local control script that is vulnerable to command injection. This is an instance of [CWE-88](https://cwe.mitre.org/data/definitions/88.html), "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS [7.7](https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
+
+# Technical Details
+
+The run_cmd function of the router_command.sh script is vulnerable to command injection. Observe the following code snippet:
+
+```
+if [ "$1" == "run_cmd" ] ; then
+        chmod a+x $2
+        $2
+fi
+```
+
+There is no sanitization on the second argument, allowing an attacker to put any command they want in there and it will run. An example of remote exploitation of this vulnerability would be to use the qcsapi rpc service to run the run_script command on the router_command.sh script as follows:
+
+```
+qcsapi_sockrpc run_script router_command.sh run_cmd "\`/usr/sbin/inetd\`"
+```
+
+This would cause a telnet service to spawn on the affected chip, but the command could be anything and would run as root.
+
+# Attacker Value
+
+Assuming the implementor of the Quantenna Wi-Fi chip has failed to disable the qcsapi rpc service in their end product, an attacker can use this vulnerability to run any command as root, noting especially the ability to enable the telnet service (and thus, chaining this issue with the issue described in [CVE-2025-3461]). This, in turn, can allow the attacker to essentially take complete control of the Quantenna Wi-Fi chip remotely, without authentication.
+
+Note that it may be tricky to identify what end products incorporate this chipset. If you're aware of this chipset in use in your Wi-Fi access point, please feel free to share, as end-users are unlikely to be capable of working around this issue on their own.
+
+# Credit
+
+This vulnerability was discovered and documented by Ricky "HeadlessZeke" Lawshae of Keysight.
+
+# Timeline
+
+* 2025-03-27 (Thu): Presented at regularly scheduled AHA! meeting 0x00df
+* 2025-04-02 (Wed): Contact initiated to support@onsemi.com
+* 2025-04-08 (Tue): Discovered and contact established with psirt@onsemi.com.
+* 2025-04-11 (Fri): Acknowledged by the vendor
+* 2025 (April and May): Various communications about this and other discovered issues between AHA! and the vendor
+* 2025-05-19 (Mon): Draft best practices report shared with AHA!
+* 2025-05-30 (Fri): Best practices guidance [published by the vendor](https://community.onsemi.com/s/article/QCS-Quantenna-Wi-Fi-product-support-and-security-best-practices)
+* 2025-06-08 (Sun): Public disclosure of [CVE-2025-32455]
+
+----
+
+[AHA!]: https://takeonme.org
+[disclosure policy]: https://takeonme.org/cve.html
+[CVE-2025-32455]: https://www.cve.org/CVERecord?id=CVE-2025-32455
+[CVE-2025-3461]: https://www.cve.org/CVERecord?id=CVE-2025-3461

content/cves/CVE-2025-32456.md

@@ -0,0 +1,60 @@
+---
+title: CVE-2025-32456
+aliases:
+  - /cves/CVE-2025-32456.html
+---
+
+# CVE-2025-32456: ON Semiconductor Quantenna router_command.sh put_file_to_qtn Argument Injection
+
+[AHA!] has discovered an issue with Quantenna Wi-Fi chips from ON Semiconductor, and is issuing this disclosure in accordance with AHA!'s standard [disclosure policy] on June 8, 2025. [CVE-2025-32456] has been assigned to this issue.
+
+Any questions about this disclosure should be directed to cve@takeonme.org.
+
+# Executive Summary
+
+Quantenna Wi-Fi chips ship with a local control script that is vulnerable to command injection. This is an instance of [CWE-88](https://cwe.mitre.org/data/definitions/88.html), "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS [7.7](https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
+
+# Technical Details
+
+The put_file_to_qtn function of the router_command.sh script is vulnerable to command injection. Observe the following code snippet:
+
+```
+if [ "$1" == "put_file_to_qtn" ] ; then
+        tftp -g $2 -r $3 -l $4
+fi
+```
+There is no sanitization on the second, third, or fourth argument, allowing an attacker to put any command they want in there and it will run. An example of remote exploitation of this vulnerability would be to use the qcsapi rpc service to run the run_script command on the router_command.sh script as follows:
+
+```
+qcsapi_sockrpc run_script router_command.sh put_file_to_qtn "1;/usr/sbin/inetd$IFS#"
+```
+
+This would cause a telnet service to spawn on the affected chip, but the command could be anything and would run as root.
+
+# Attacker Value
+
+Assuming the implementor of the Quantenna Wi-Fi chip has failed to disable the qcsapi rpc service in their end product, an attacker can use this vulnerability to run any command as root, noting especially the ability to enable the telnet service (and thus, chaining this issue with the issue described in [CVE-2025-3461]). This, in turn, can allow the attacker to essentially take complete control of the Quantenna Wi-Fi chip remotely, without authentication.
+
+Note that it may be tricky to identify what end products incorporate this chipset. If you're aware of this chipset in use in your Wi-Fi access point, please feel free to share, as end-users are unlikely to be capable of working around this issue on their own.
+
+# Credit
+
+This vulnerability was discovered and documented by Ricky "HeadlessZeke" Lawshae of Keysight.
+
+# Timeline
+
+* 2025-03-27 (Thu): Presented at regularly scheduled AHA! meeting 0x00df
+* 2025-04-02 (Wed): Contact initiated to support@onsemi.com
+* 2025-04-08 (Tue): Discovered and contact established with psirt@onsemi.com.
+* 2025-04-11 (Fri): Acknowledged by the vendor
+* 2025 (April and May): Various communications about this and other discovered issues between AHA! and the vendor
+* 2025-05-19 (Mon): Draft best practices report shared with AHA!
+* 2025-05-30 (Fri): Best practices guidance [published by the vendor](https://community.onsemi.com/s/article/QCS-Quantenna-Wi-Fi-product-support-and-security-best-practices)
+* 2025-06-08 (Sun): Public disclosure of [CVE-2025-32456]
+
+----
+
+[AHA!]: https://takeonme.org
+[disclosure policy]: https://takeonme.org/cve.html
+[CVE-2025-32456]: https://www.cve.org/CVERecord?id=CVE-2025-32456
+[CVE-2025-3461]: https://www.cve.org/CVERecord?id=CVE-2025-3461

content/cves/CVE-2025-32457.md

@@ -0,0 +1,60 @@
+---
+title: CVE-2025-32457
+aliases:
+  - /cves/CVE-2025-32457.html
+---
+
+# CVE-2025-32457: ON Semiconductor Quantenna router_command.sh get_file_from_qtn Argument Injection
+
+[AHA!] has discovered an issue with Quantenna Wi-Fi chips from ON Semiconductor, and is issuing this disclosure in accordance with AHA!'s standard [disclosure policy] on June 8, 2025. [CVE-2025-32457] has been assigned to this issue.
+
+Any questions about this disclosure should be directed to cve@takeonme.org.
+
+# Executive Summary
+
+Quantenna Wi-Fi chips ship with a local control script that is vulnerable to command injection. This is an instance of [CWE-88](https://cwe.mitre.org/data/definitions/88.html), "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS [7.7](https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
+
+# Technical Details
+
+The get_file_from_qtn function of the router_command.sh script is vulnerable to command injection. Observe the following code snippet:
+
+```if [ "$1" == "get_file_from_qtn" ] ; then
+        tftp -p $2 -r $4 -l $3
+fi
+```
+
+There is no sanitization on the second, third, or fourth argument, allowing an attacker to put any command they want in there and it will run. An example of remote exploitation of this vulnerability would be to use the qcsapi rpc service to run the run_script command on the router_command.sh script as follows:
+
+```
+qcsapi_sockrpc run_script router_command.sh get_file_from_qtn "1;/usr/sbin/inetd$IFS#"
+```
+
+This would cause a telnet service to spawn on the affected chip, but the command could be anything and would run as root.
+
+# Attacker Value
+
+Assuming the implementor of the Quantenna Wi-Fi chip has failed to disable the qcsapi rpc service in their end product, an attacker can use this vulnerability to run any command as root, noting especially the ability to enable the telnet service (and thus, chaining this issue with the issue described in [CVE-2025-3461]). This, in turn, can allow the attacker to essentially take complete control of the Quantenna Wi-Fi chip remotely, without authentication.
+
+Note that it may be tricky to identify what end products incorporate this chipset. If you're aware of this chipset in use in your Wi-Fi access point, please feel free to share, as end-users are unlikely to be capable of working around this issue on their own.
+
+# Credit
+
+This vulnerability was discovered and documented by Ricky "HeadlessZeke" Lawshae of Keysight.
+
+# Timeline
+
+* 2025-03-27 (Thu): Presented at regularly scheduled AHA! meeting 0x00df
+* 2025-04-02 (Wed): Contact initiated to support@onsemi.com
+* 2025-04-08 (Tue): Discovered and contact established with psirt@onsemi.com.
+* 2025-04-11 (Fri): Acknowledged by the vendor
+* 2025 (April and May): Various communications about this and other discovered issues between AHA! and the vendor
+* 2025-05-19 (Mon): Draft best practices report shared with AHA!
+* 2025-05-30 (Fri): Best practices guidance [published by the vendor](https://community.onsemi.com/s/article/QCS-Quantenna-Wi-Fi-product-support-and-security-best-practices)
+* 2025-06-08 (Sun): Public disclosure of [CVE-2025-32457]
+
+----
+
+[AHA!]: https://takeonme.org
+[disclosure policy]: https://takeonme.org/cve.html
+[CVE-2025-32457]: https://www.cve.org/CVERecord?id=CVE-2025-32457
+[CVE-2025-3461]: https://www.cve.org/CVERecord?id=CVE-2025-3461

content/cves/CVE-2025-32458.md

@@ -0,0 +1,62 @@
+---
+title: CVE-2025-32458
+aliases:
+  - /cves/CVE-2025-32458.html
+---
+
+# CVE-2025-32458: ON Semiconductor Quantenna router_command.sh get_syslog_from_qtn Argument Injection
+
+[AHA!] has discovered an issue with Quantenna Wi-Fi chips from ON Semiconductor, and is issuing this disclosure in accordance with AHA!'s standard [disclosure policy] on June 8, 2025. [CVE-2025-32458] has been assigned to this issue.
+
+Any questions about this disclosure should be directed to cve@takeonme.org.
+
+# Executive Summary
+
+Quantenna Wi-Fi chips ship with a local control script that is vulnerable to command injection. This is an instance of [CWE-88](https://cwe.mitre.org/data/definitions/88.html), "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS [7.7](https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
+
+# Technical Details
+
+The get_syslog_from_qtn function of the router_command.sh script is vulnerable to command injection. Observe the following code snippet:
+
+```if [ "$1" == "get_syslog_from_qtn" ] ; then
+        logmsg -t time `uptime`
+        logmsg -t time `date`
+        tftp -p $2 -r syslog.qtn -l /tmp/syslog.log
+fi
+```
+
+There is no sanitization on the second argument, allowing an attacker to put any command they want in there and it will run. An example of remote exploitation of this vulnerability would be to use the qcsapi rpc service to run the run_script command on the router_command.sh script as follows:
+
+```
+qcsapi_sockrpc run_script router_command.sh get_syslog_from_qtn "1;/usr/sbin/inetd$IFS#"
+```
+
+This would cause a telnet service to spawn on the affected chip, but the command could be anything and would run as root.
+
+# Attacker Value
+
+Assuming the implementor of the Quantenna Wi-Fi chip has failed to disable the qcsapi rpc service in their end product, an attacker can use this vulnerability to run any command as root, noting especially the ability to enable the telnet service (and thus, chaining this issue with the issue described in [CVE-2025-3461]). This, in turn, can allow the attacker to essentially take complete control of the Quantenna Wi-Fi chip remotely, without authentication.
+
+Note that it may be tricky to identify what end products incorporate this chipset. If you're aware of this chipset in use in your Wi-Fi access point, please feel free to share, as end-users are unlikely to be capable of working around this issue on their own.
+
+# Credit
+
+This vulnerability was discovered and documented by Ricky "HeadlessZeke" Lawshae of Keysight.
+
+# Timeline
+
+* 2025-03-27 (Thu): Presented at regularly scheduled AHA! meeting 0x00df
+* 2025-04-02 (Wed): Contact initiated to support@onsemi.com
+* 2025-04-08 (Tue): Discovered and contact established with psirt@onsemi.com.
+* 2025-04-11 (Fri): Acknowledged by the vendor
+* 2025 (April and May): Various communications about this and other discovered issues between AHA! and the vendor
+* 2025-05-19 (Mon): Draft best practices report shared with AHA!
+* 2025-05-30 (Fri): Best practices guidance [published by the vendor](https://community.onsemi.com/s/article/QCS-Quantenna-Wi-Fi-product-support-and-security-best-practices)
+* 2025-06-08 (Sun): Public disclosure of [CVE-2025-32458]
+
+----
+
+[AHA!]: https://takeonme.org
+[disclosure policy]: https://takeonme.org/cve.html
+[CVE-2025-32458]: https://www.cve.org/CVERecord?id=CVE-2025-32458
+[CVE-2025-3461]: https://www.cve.org/CVERecord?id=CVE-2025-3461