News reader

AusCERT - Security Bulletins · 16 April 2021

ESB-2021.1296 - [Appliance] EIPStackGroup OpENer EtherNet/IP: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1296
        Advisory (icsa-21-105-02) EIPStackGroup OpENer Ethernet/IP
                               16 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           EIPStackGroup OpENer EtherNet/IP
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Denial of Service     -- Remote/Unauthenticated
                   Read-only Data Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-27500 CVE-2021-27498 CVE-2021-27482
                   CVE-2021-27478

Original Bulletin: 
   https://us-cert.cisa.gov/ics/advisories/icsa-21-105-02

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-21-105-02)
EIPStackGroup OpENer Ethernet/IP

Original release date: April 15, 2021

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/.

1. EXECUTIVE SUMMARY

  o CVSS v3 8.2
  o ATTENTION: Exploitable remotely/low attack complexity
  o Vendor: EIPStackGroup
  o Equipment: OpENer EtherNet/IP
  o Vulnerabilities: Incorrect Conversion Between Numeric Types, Out-of-bounds
    Read, Reachable Assertion

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could cause a
denial-of-service condition and data exposure.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of OpENer EtherNet/IP are affected:

  o https://github.com/EIPStackGroup/OpENer/ commits and versions prior to
    Feb 10, 2021

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT CONVERSION BETWEEN NUMERIC TYPES CWE-681

A specifically crafted packet sent by an attacker to the affected devices may
cause a denial-of-service condition.

CVE-2021-27478 has been assigned to this vulnerability. A CVSS v3 base score of
8.2 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

3.2.2 OUT-OF-BOUNDS READ CWE-125

A specifically crafted packet sent by an attacker may allow the attacker to
read arbitrary data.

CVE-2021-27482 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.3 REACHABLE ASSERTION CWE-617

A specifically crafted packet sent by an attacker may result in a
denial-of-service condition.

CVE-2021-27500 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.4 REACHABLE ASSERTION CWE-617

A specifically crafted packet sent by an attacker may result in a
denial-of-service condition.

CVE-2021-27498 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Multiple
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Austria

3.4 RESEARCHER

Tal Keren and Sharon Brizinov of Claroty reported these vulnerabilities to
CISA.

4. MITIGATIONS

The maintainer of OpENer recommends that those affected apply the latest
commits available.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
    be updated to the most current version available. Also recognize that a
    VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.cisa.gov. Several recommended practices are
available for reading and download, including Improving Industrial Control
Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control over
its content. The decision to follow or act on information or advice contained in
this security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures.

AusCERT takes no responsibility for consequences which may arise from following
or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in the
Security Bulletin above. If you have any questions or need further information,
please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYHjhyONLKJtyKPYoAQjUzBAAm6/QX9o/hFSU+kivEgywGrIfv3TQ9Ruu
/RJzf3WHlgzOtO8P/Gt12WqrqrUNTR5x7HQDrbT+0OipdwmvrUG2FGTUvvI9WIjj
NeTIa7PEMB6FVWefhnAZ4E+FTTbieg7/mu8Daynrcp1KF9BAOqJpL57apL8Q5HmG
xOamyj5TeJt2CMIHBN5esf6bcvXa23oBj+OuJijbgxF+ACyGqnu5OKNSpypbw+bx
fIu49unDHpZozV62XNrS+nahniBCVCmxxHDgsz1RfUE9ADoN/mHZ1Vell51c6VVt
9i2F5THthnePfVdrah106HWbYC0ZutlzTM5nIUzTSHRo/Q0osQgkL5RwMeIRg4Yd
BCrfCmk1EC9o9W2KNRBkF3pfoqIWo7Te3Bv75sp2IdE7HVB6yPVqikBG1i3ixkFs
sMVRCVDvdc2E4Xdmdh/6C7Er27Koo47nYXUnuZFaD/wezD0MKodnC4NNVYcUhCbp
9FsUhjatRAiz8Sq+8QSIGyBxRrYcrAMzjfjqYBxDWdoXu8DdDUxHpGcVZ5tpeNPA
9eJ9npXl6gy9qD6MyJcLzixYUL/Qbi/TlFF7u/pkGyXD0xagPJK24IOCP7FqBcvV
q+5SFX6ggag8IMihPQmrm9jGq41iWT77mM3aZNwTML+Bp2OHFgIrxeAivBExcOb6
5a53yjU8+QM=
=RiJ2
-----END PGP SIGNATURE-----
AusCERT - Security Bulletins · 16 April 2021

ESB-2021.1295 - [Debian] xorg-server: Increased privileges - Existing account

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1295
                        xorg-server security update
                               16 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xorg-server
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3472
Reference:         ESB-2021.1283
                   ESB-2021.1227

Original Bulletin: 
   http://www.debian.org/lts/security/2021/dla-2627

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2627-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
April 15, 2021                                https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : xorg-server
Version        : 2:1.19.2-1+deb9u8
CVE ID         : CVE-2021-3472

Jan-Niklas Sohn discovered that there was an input validation failure in the
X.Org display server.

Insufficient checks on the lengths of the XInput extension's
ChangeFeedbackControl request could have led to out of bounds memory accesses
in the X server. These issues can lead to privilege escalation for authorised
clients, particularly on systems where the X server is running as a privileged
user.

For Debian 9 "Stretch", this problem has been fixed in version
2:1.19.2-1+deb9u8.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian LTS security advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmB4E6AACgkQHpU+J9Qx
Hlj6qw//ZBpTkP0Af19OglE2NR3AujsTErxp4lI8sc5LwOlXtnfcVFEpl4kpLBpR
suMrlmkryaedBBl0Zeq8qnoimuMPdhiTing+77I1YW7hNfhwZJdDjLsoVFG5qXe6
D9/fD683vgL4IiKdHxLNfqcaaL8QYm2KmyKLbHsTvQ+12b7pq9TwenbIHGloGV7K
nsTZrXkx37loi5cdYHQLw09qKYXcTaQx+GZ7XH0UgiJi4XJCjY7gr6/4+qnqVYW/
OnpmGYh9SycH1cFHkPfmWDGrBd3omKStkx7keBXXBQVgyyUpIDp9A3J62lM3vX9U
czexLKJTCx77CviBFcJYigi41ST/XT/HCVy2pkvxv7d6KXA+fCKPL7jogBy43Zfy
3d2SL9mH7MxAfP5TVOsmShPrLqY9FGm0MteXjSKX7inoAxJmJx9F2w7JtzfNNDpG
2a0mJABw4ZRRiEL5OlEonAwqExyR+LO6cFA+xWKmZwsy4lMEeOBo3RAzX+U21iLB
wDATwPL0Q97XM3b3iOJShCXr2nWYrNhd2mWFFEewXVEZWvSVqyI9uVtr9FW6/0YJ
LD9jXp1BBbt7/bMZv+KSLVMavKLOu4Vm6bwClKX5NYS1ZRXWVX71XkuId5ntpoco
raxAtjWgda1KidFGStU2ABoFoil4tyWhg7CuB+KCoyfVhIiM4Wg=
=eyBB
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYHjhteNLKJtyKPYoAQj97g/+M+ZGKGMnX4gqeORmKa5FWvtwnmwCXT5t
OtRl14H/vzDwk+Oyk1zCBlI8aPiduIdaw+IPk88u1C7Glr+4u/aeOdke/nFYYK4+
CZg2EYfPrVDzOtWW6uKDJ5EJTlwYSmDHIgF00UK3nsfqrfHHXjSmjHGaNbqtehou
g0v859VLn0dGq5iRJTk/n+lmYRvsp95zif2aAmkNX8tXcLX/Mwj3dA8Ls9nnsDKd
mupy3mnxleCsEFNBPAjYMIPJU9VE5ugVTYTEW7ut2ENcsJ0J3UpshqT9lBN0I4um
4MRxtNaHjMJ2lofA/2VBASSGZl1mtgrWQbicYV//g5jy8qUGJvCcVYC86fyC9nQ8
IaM8lsvR1YRTpSlwAGwg5gnX22pwgLHoc3Xt8s2A877ZD9YRn5Zbej/ADJVNmIrx
CgPwMEs3cog6GDJN6Jlf8/U46wtd1HIlT7DNl/v4JfmI2pGm5UiX7aRm5rMh+49M
Rh0deT+3EiN8LFAwDn/1y5L8RSXXi4x2B0lHKqw04cx135HhUbIL2usrEEeryOgl
jduJewnXN/7OLSWsrR8cA0O7NfkIxQv0d42hEQ7wYrjqRBgb3X6cbdJ6Cbi34mPW
AE9cZlefxjqPqJRfxiVJr9uL/xZo8w/lKe63igNAtZElbloiZZbtoefJ08QZewa0
RlTeI9lJ7+s=
=OeKL
-----END PGP SIGNATURE-----
AusCERT - Security Bulletins · 16 April 2021

ESB-2021.1294 - [RedHat] libldb: Denial of service - Existing account

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1294
                          libldb security update
                               16 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libldb
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-20277
Reference:         ESB-2021.1282
                   ESB-2021.1137

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:1213
   https://access.redhat.com/errata/RHSA-2021:1214

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: libldb security update
Advisory ID:       RHSA-2021:1213-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1213
Issue date:        2021-04-15
CVE Names:         CVE-2021-20277
=====================================================================

1. Summary:

An update for libldb is now available for Red Hat Enterprise Linux 8.2
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64

3. Description:

The libldb packages provide an extensible library that implements an LDAP-like
API to access remote LDAP servers, or use local TDB databases.

Security Fix(es):

* samba: Out of bounds read in AD DC LDAP server (CVE-2021-20277)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1941402 - CVE-2021-20277 samba: Out of bounds read in AD DC LDAP server

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v. 8.2):

Source:
libldb-2.0.7-4.el8_2.src.rpm

aarch64:
ldb-tools-2.0.7-4.el8_2.aarch64.rpm
ldb-tools-debuginfo-2.0.7-4.el8_2.aarch64.rpm
libldb-2.0.7-4.el8_2.aarch64.rpm
libldb-debuginfo-2.0.7-4.el8_2.aarch64.rpm
libldb-debugsource-2.0.7-4.el8_2.aarch64.rpm
libldb-devel-2.0.7-4.el8_2.aarch64.rpm
python3-ldb-2.0.7-4.el8_2.aarch64.rpm
python3-ldb-debuginfo-2.0.7-4.el8_2.aarch64.rpm

ppc64le:
ldb-tools-2.0.7-4.el8_2.ppc64le.rpm
ldb-tools-debuginfo-2.0.7-4.el8_2.ppc64le.rpm
libldb-2.0.7-4.el8_2.ppc64le.rpm
libldb-debuginfo-2.0.7-4.el8_2.ppc64le.rpm
libldb-debugsource-2.0.7-4.el8_2.ppc64le.rpm
libldb-devel-2.0.7-4.el8_2.ppc64le.rpm
python3-ldb-2.0.7-4.el8_2.ppc64le.rpm
python3-ldb-debuginfo-2.0.7-4.el8_2.ppc64le.rpm

s390x:
ldb-tools-2.0.7-4.el8_2.s390x.rpm
ldb-tools-debuginfo-2.0.7-4.el8_2.s390x.rpm
libldb-2.0.7-4.el8_2.s390x.rpm
libldb-debuginfo-2.0.7-4.el8_2.s390x.rpm
libldb-debugsource-2.0.7-4.el8_2.s390x.rpm
libldb-devel-2.0.7-4.el8_2.s390x.rpm
python3-ldb-2.0.7-4.el8_2.s390x.rpm
python3-ldb-debuginfo-2.0.7-4.el8_2.s390x.rpm

x86_64:
ldb-tools-2.0.7-4.el8_2.x86_64.rpm
ldb-tools-debuginfo-2.0.7-4.el8_2.i686.rpm
ldb-tools-debuginfo-2.0.7-4.el8_2.x86_64.rpm
libldb-2.0.7-4.el8_2.i686.rpm
libldb-2.0.7-4.el8_2.x86_64.rpm
libldb-debuginfo-2.0.7-4.el8_2.i686.rpm
libldb-debuginfo-2.0.7-4.el8_2.x86_64.rpm
libldb-debugsource-2.0.7-4.el8_2.i686.rpm
libldb-debugsource-2.0.7-4.el8_2.x86_64.rpm
libldb-devel-2.0.7-4.el8_2.i686.rpm
libldb-devel-2.0.7-4.el8_2.x86_64.rpm
python3-ldb-2.0.7-4.el8_2.i686.rpm
python3-ldb-2.0.7-4.el8_2.x86_64.rpm
python3-ldb-debuginfo-2.0.7-4.el8_2.i686.rpm
python3-ldb-debuginfo-2.0.7-4.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-20277
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYHgsstzjgjWX9erEAQh1qRAAokzog4m8FTlh3ZZXTR3FAbL19TvjBn2p
cJa/OfZQYVY4yx4xMlWvzXH/IMqX7cufCbCu6r28SFHHgO5yJWUy3AeKysMrOYUB
bxwyeW9VVBeSG1XVmzv78aN53LpI792ynab5qWrzMJMjMPPUDqYkPLgs4EXuf/Dq
UqvqNFrcDpxuDrnkyShg/W97YcYdT/nc5A/INX+AnsmMt1CBZME4N4RIFwaVF/Qd
sbsfeCcrY/WqYrzhNG0/ERdeIYcQIXED0OsXiag9OGEXhnbEoqZ8ygqWJyB74wci
OkzXuwQvnmrMm7oIggq3oY1oREt0Eiv4X/flkYhdytaC74c4R7THJvDnrH3dDnPk
trC8A52yPLK+MHLJfEguaO04Omhmz4ZxR5JotAxcc2SClFFp8AnGxux6YHRAaSc9
p/vs5p1LOKpEU9ACGPlI+Q9SA2vlsATTuFTgPno17i2JTOcmU4ok3B1e/opZ5niR
BoCDJD04R7yLC7Cvkv56coB3f0le5EUQcanRXKHuXO5KgauIDb3jel1onu1vwiik
p6sV8qmRDTibpGGTRtTpg0EzXMcDTcsunzgYFobtuma8TMPABYXWfIHoUZDud9KT
9fLh5iQPigglUwblEFM9fJgAyItzQ6KHPFXpa5ZrCNTfUVT4mh13s63bRWKKOeaG
d7q0/dCpMWU=
=TQJ4
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: libldb security update
Advisory ID:       RHSA-2021:1214-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1214
Issue date:        2021-04-15
CVE Names:         CVE-2021-20277
=====================================================================

1. Summary:

An update for libldb is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64

3. Description:

The libldb packages provide an extensible library that implements an LDAP-like
API to access remote LDAP servers, or use local TDB databases.

Security Fix(es):

* samba: Out of bounds read in AD DC LDAP server (CVE-2021-20277)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1941402 - CVE-2021-20277 samba: Out of bounds read in AD DC LDAP server

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v. 8.1):

Source:
libldb-1.5.4-3.el8_1.src.rpm

aarch64:
ldb-tools-1.5.4-3.el8_1.aarch64.rpm
ldb-tools-debuginfo-1.5.4-3.el8_1.aarch64.rpm
libldb-1.5.4-3.el8_1.aarch64.rpm
libldb-debuginfo-1.5.4-3.el8_1.aarch64.rpm
libldb-debugsource-1.5.4-3.el8_1.aarch64.rpm
libldb-devel-1.5.4-3.el8_1.aarch64.rpm
python3-ldb-1.5.4-3.el8_1.aarch64.rpm
python3-ldb-debuginfo-1.5.4-3.el8_1.aarch64.rpm

ppc64le:
ldb-tools-1.5.4-3.el8_1.ppc64le.rpm
ldb-tools-debuginfo-1.5.4-3.el8_1.ppc64le.rpm
libldb-1.5.4-3.el8_1.ppc64le.rpm
libldb-debuginfo-1.5.4-3.el8_1.ppc64le.rpm
libldb-debugsource-1.5.4-3.el8_1.ppc64le.rpm
libldb-devel-1.5.4-3.el8_1.ppc64le.rpm
python3-ldb-1.5.4-3.el8_1.ppc64le.rpm
python3-ldb-debuginfo-1.5.4-3.el8_1.ppc64le.rpm

s390x:
ldb-tools-1.5.4-3.el8_1.s390x.rpm
ldb-tools-debuginfo-1.5.4-3.el8_1.s390x.rpm
libldb-1.5.4-3.el8_1.s390x.rpm
libldb-debuginfo-1.5.4-3.el8_1.s390x.rpm
libldb-debugsource-1.5.4-3.el8_1.s390x.rpm
libldb-devel-1.5.4-3.el8_1.s390x.rpm
python3-ldb-1.5.4-3.el8_1.s390x.rpm
python3-ldb-debuginfo-1.5.4-3.el8_1.s390x.rpm

x86_64:
ldb-tools-1.5.4-3.el8_1.x86_64.rpm
ldb-tools-debuginfo-1.5.4-3.el8_1.i686.rpm
ldb-tools-debuginfo-1.5.4-3.el8_1.x86_64.rpm
libldb-1.5.4-3.el8_1.i686.rpm
libldb-1.5.4-3.el8_1.x86_64.rpm
libldb-debuginfo-1.5.4-3.el8_1.i686.rpm
libldb-debuginfo-1.5.4-3.el8_1.x86_64.rpm
libldb-debugsource-1.5.4-3.el8_1.i686.rpm
libldb-debugsource-1.5.4-3.el8_1.x86_64.rpm
libldb-devel-1.5.4-3.el8_1.i686.rpm
libldb-devel-1.5.4-3.el8_1.x86_64.rpm
python3-ldb-1.5.4-3.el8_1.i686.rpm
python3-ldb-1.5.4-3.el8_1.x86_64.rpm
python3-ldb-debuginfo-1.5.4-3.el8_1.i686.rpm
python3-ldb-debuginfo-1.5.4-3.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-20277
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYHgd7tzjgjWX9erEAQiBsQ/9E47myd3bomQ/JbZQ98wQfQ68LDU4gI+A
ZB2kIhv5BK3Wh5JNwCYKYGa8rYDovl5Umo3UICmjDtQhukEyUZ9UKFjdskrYNxS8
47l1LGhVW7Rkl6fDpsFCI/G5NLcZ0OrpTheRBcGFYkYNIbYXPXoFz1GDR6XaTEna
AhglvdWEQdtUox68BbpPib23e5IRPUGcM6G00QbA4RmAswK4BKqasbOdgFAmNrVT
3Ox87/OunlMN+k89vTpHvZ7Su57+LJ5zXiVQcljUCJNcQpv8hcTxLsVTdzICCguN
C0chbqm/eVAMZyRxZVuXPSbYUI9Qag4m066FhV303E7urq/m6oTgyH+ECUOaaHdX
NTA0VW38VtGZeEc2p/RNXEWccN4i/b09oLtVhU+PCtBlc44Ddh3DVAa/vNJ/twf4
WT6bLapFkpmMnP58Asxx9VkoK/CndXDrGjjx/W21AMSxpTIFkYL+Udpy1gw5tQer
Fa/t5dYVanbO0FDzJwhVoRjAB9xB44ugaLxapt9wqv16SDSBcgXJMmcV1e2yD8Gy
1A1hsa2ukhVmuwwao4TcTHp3MGDZULEuVGvsC4KsaCrZgX7PBZvSEi+KbD+Ctsvv
Cjo4DKJVKyYumo0Trr+KkwI3lRC5c+lO/Y86OKQ+2RLdLfBVVJL9FFwNVDr1gQXG
+gdfHynpH8w=
=luq2
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYHjhoONLKJtyKPYoAQgjPQ//XjpiePlce0X2J1eHJ+c0QA2miAclQEWc
FvMHouziYY6HbDaV3FePWgL3blcYaJPZA8SPj5NtyGy88azujmDad8ORM3LS61hK
JbWF98cLrjj03RZsFfT+2+KSFKZtT+SygKP+THw9GGc/zJHdKIFhPzRfQVDSHraO
KXJgZ5VrqG+KlUgm58xD8nksrnJKhayKTqJbAEBSS9nOd0XWv8GtvMHmjn5YAxKL
jQOldjgRQEQrgMUrubq8LuNF+mHQp1iDh7dqMXuADzPY+yGzynhkMD7Kt7UFzXeq
cu0h8a5QMM7qlNlEitFwh4rgPlhDEgabFisfAxdBySiI5YaC8+EzAXMLntG9+tDs
jpA4kT7WEPIomGxqVZYzAuZdWWpD5rwMfHd+nCk3pfEjVkZsAxxRAyxosnnb/8MI
rwwFpmZ6URmUES/0Z0TKaIdcjgkCdtm7zUW2SrBmX5la/uSUUJgdX0WfYqqzNycT
yLdUhz+oc8IOoleaw+eYdhoO8+uTFCD8yX2rHq+xm4Hzn5U/2r9A26YR7vFpURVU
UzVk84cjHPZ0RbB02Enz7N0gEyrQ8uug6tLCdQOgoFAr7hrJj5mGFcLjFNETdXot
WPQiCUImLoC74KjLN961JWlxibsQ5cYHGhW4Nzp2sGH7was/PoAV6cjJ7g8Is6om
TLUVolrn6Xk=
=MEr8
-----END PGP SIGNATURE-----
AusCERT - Security Bulletins · 16 April 2021

ESB-2021.1293 - [Appliance] McAfee Web Gateway Products: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1293
    Status and updates for OpenSSL vulnerabilities (CVE-2021-3450 and 2021-3449)
                               16 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           McAfee Web Gateway (MWG)
                   McAfee Web Gateway Cloud Service (MWGCS)
Publisher:         McAfee
Operating System:  Network Appliance
Impact/Access:     Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3450 CVE-2021-3449
Reference:         ESB-2021.1278
                   ESB-2021.1191
                   ESB-2021.1180
                   ESB-2021.1120

Original Bulletin: 
   https://kc.mcafee.com/corporate/index?page=content&id=SB10356

- --------------------------BEGIN INCLUDED TEXT--------------------

McAfee Security Bulletin - Status and updates for OpenSSL vulnerabilities
(CVE-2021-3450 and 2021-3449)

Security Bulletins ID : SB10356
Last Modified : 4/14/2021

Summary

First Published: April 14, 2021

+-----------------------------------------------------------------------------+
| CVE Information:                                                            |
+--------------------------+--------------------------------------------------+
| Impact of                | Low - see the Vulnerability Description section  |
| Vulnerabilities:         | below                                            |
+---------------+----------+-------+-----------------------+------------------+
|               |          | CVSS  |                       |                  |
| CVE IDs       | Severity | v3.1  | Affected Products     | Impact of        |
|               | Rating   | Base  |                       | Vulnerabilities  |
|               |          | Score |                       |                  |
+---------------+----------+-------+-----------------------+------------------+
|               |          |       | See the McAfee        | CWE-295 -        |
| CVE-2021-3450 | High     | 7.4   | Product Vulnerability | Improper         |
|               |          |       | Status table below    | Certificate      |
|               |          |       |                       | Validation       |
+---------------+----------+-------+-----------------------+------------------+
|               |          |       | See the McAfee        | CWE-476 - NULL   |
| CVE-2021-3449 | Medium   | 5.9   | Product Vulnerability | Pointer          |
|               |          |       | Status table below    | Dereference      |
+---------------+----------+-------+-----------------------+------------------+
| Highest CVSS v3.1 Base   | High                                             |
| Score:                   |                                                  |
+--------------------------+--------------------------------------------------+
| Recommendations:         | Deploy the fixes as they are made available.     |
+--------------------------+--------------------------------------------------+
| Security Bulletin        | None                                             |
| Replacement:             |                                                  |
+--------------------------+--------------------------------------------------+
| Affected Models:         | See the McAfee Product Vulnerability Status      |
|                          | table below for platform details.                |
+--------------------------+--------------------------------------------------+
| Location of updated      | http://www.mcafee.com/us/downloads/              |
| software:                | downloads.aspx                                   |
+--------------------------+--------------------------------------------------+

To receive email notification when this Security Bulletin is updated, click
Subscribe on the right side of the page. You must be logged on to subscribe.

Article contents:

  o Vulnerability Description
  o Remediation
  o Frequently Asked Questions (FAQs)
  o Resources
  o Disclaimer

Vulnerability Description

OpenSSL released a security advisory against version 1.1.1, with 1.1.1k
containing the fix. Some McAfee products are using 1.0.2 (with an extended
Support contract) and are not vulnerable.

1. CVE-2021-3450

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the
certificates present in a certificate chain. It is not set by default.

Starting from OpenSSL version 1.1.1h a check to disallow certificates in the
chain that have explicitly encoded elliptic curve parameters was added as an
additional strict check.

An error in the implementation of this check meant that the result of a
previous check to confirm that certificates in the chain are valid CA
certificates was overwritten. This effectively bypasses the check that non-CA
certificates must not be able to issue other certificates.

If a "purpose" has been configured then there is a subsequent opportunity for
checks that the certificate is a valid CA. All of the named "purpose" values
implemented in libcrypto perform this check. Therefore, where a purpose is set
the certificate chain will still be rejected even when the strict flag has
been used. A purpose is set by default in libssl client and server certificate
verification routines, but it can be overridden or removed by an application.

In order to be affected, an application must explicitly set the
X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the
certificate verification or, in the case of TLS client or server applications,
override the default purpose.

OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1k.

OpenSSL 1.0.2 is not impacted by this issue.

Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).

https://nvd.nist.gov/vuln/detail/CVE-2021-3450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3450

2. CVE-2021-3449

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation
ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits
the signature_algorithms extension (where it was present in the initial
ClientHello), but includes a signature_algorithms_cert extension then a NULL
pointer dereference will result, leading to a crash and a denial of service
attack.

A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which
is the default configuration). OpenSSL TLS clients are not impacted by this
issue.

All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions
should upgrade to OpenSSL 1.1.1k.

OpenSSL 1.0.2 is not impacted by this issue.

Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

https://nvd.nist.gov/vuln/detail/CVE-2021-3449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449

McAfee Product Vulnerability Status

This Security Bulletin will be updated as additional information is available.

+-----------------------------------------------------------------------------+
|Update Availability                                                          |
+---------------------------------------+-------+-----------------------------+
|Product                                |Version|CVE-2021-3450 and            |
|                                       |       |CVE-2021-3449                |
+---------------------------------------+-------+-----------------------------+
|Vulnerable and Updated                                                       |
+---------------------------------------+-------+-----------------------------+
|McAfee Web Gateway (MWG)               |All    |10.1.1, 9.2.10, 8.2.19       |
+---------------------------------------+-------+-----------------------------+
|McAfee Web Gateway Cloud Service       |All    |10.1.1, 9.2.10, 8.2.19       |
|(MWGCS)                                |       |                             |
+---------------------------------------+-------+-----------------------------+
|Not Vulnerable                                                               |
+---------------------------------------+-------+-----------------------------+
|Advanced Threat Defense (ATD)          |All    |                             |
+---------------------------------------+-------+-----------------------------+
|Appliance Data Monitor (ADM)           |All    |                             |
+---------------------------------------+-------+-----------------------------+
|Data Exchange Layer (DXL) Broker       |All    |                             |
+---------------------------------------+-------+-----------------------------+
|Data Loss Prevention (DLP)             |All    |                             |
|Prevent and Monitor                    |       |                             |
+---------------------------------------+-------+-----------------------------+
|McAfee Active Response (MAR) Server    |All    |                             |
+---------------------------------------+-------+-----------------------------+
|Network Security Manager (NSM) Linux   |All    |                             |
+---------------------------------------+-------+-----------------------------+
|Network Security Platform (NSP)        |All    |                             |
+---------------------------------------+-------+-----------------------------+
|Network Threat Behavior Analysis (NTBA)|All    |                             |
+---------------------------------------+-------+-----------------------------+
|SIEM Enterprise Security Manager       |All    |                             |
+---------------------------------------+-------+-----------------------------+
|Threat Intelligence Exchange (TIE)     |All    |                             |
|Server                                 |       |                             |
+---------------------------------------+-------+-----------------------------+

For a description of each product, see:
https://www.mcafee.com/enterprise/en-us/products/a-z.html.

Remediation

To remediate this issue, go to the Product Downloads site, and download the
applicable product update/hotfix file:

+-------+-------+------+--------------+
|Product|Version|Type  |Release Date  |
+-------+-------+------+--------------+
|       |10.1.1,|      |              |
|MWG    |9.2.10,|Update|April 14, 2021|
|       |8.2.19 |      |              |
+-------+-------+------+--------------+
|       |10.1.1,|      |              |
|MWGCS  |9.2.10,|Update|April 14, 2021|
|       |8.2.19 |      |              |
+-------+-------+------+--------------+

Download and Installation Instructions

For instructions to download McAfee product updates and hotfixes, see:
KB56057 - How to download Enterprise product updates and documentation.

Review the Release Notes and the Installation Guide for instructions on how to
install these updates. All documentation is available at
https://docs.mcafee.com.

Frequently Asked Questions (FAQs)

How do I know if my McAfee product is vulnerable or not?

For endpoint products:
Use the following instructions for endpoint or client-based products:

  1. Right-click the McAfee tray shield icon on the Windows taskbar.
  2. Select Open Console.
  3. In the console, select Action Menu.
  4. In the Action Menu, select Product Details. The product version displays.

For ePO/server products:
Use the following instructions for server-based products:

  o Check the version and build of ePO that is installed.
For instructions, see: KB52634 - How to determine what update is installed for ePO . o Create a query in ePO for the product version of the product installed within your organization. For Appliances: Use the following instructions for Appliance-based products: 1. Open the Administrator's User Interface (UI). 2. Click the About link. The product version displays. For DLPe ePO Extension: Use the following instructions: 1. Log on to the ePO server. 2. Click Menu , Data Protection , DLP Policy . 3. Inside the DLP console click Help , About . The product version displays. What is CVSS CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council's effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, visit the CVSS website at: https://www.first.org/cvss/ . When calculating CVSS scores, McAfee has adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We do not factor into a score any potential follow-on exploits that might be made possible by the successful exploitation of the issue being scored. Where can I find a list of all Security Bulletins All Security Bulletins are published on our external PSIRT website at https:// www.mcafee.com/us/threat-center/product-security-bulletins.aspx . To see Security Bulletins for McAfee Enterprise products on this website click Enterprise Security Bulletins . Security Bulletins are retired (removed) once a product is both End of Sale and End of Support (End of Life). 
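The two OpenSSL issues above each give a version range and a set of preconditions; the following triage helper, added here and not part of the bulletin or of OpenSSL, encodes those ranges and conditions so a reported version string (from `openssl version` or Python's `ssl.OPENSSL_VERSION`) can be checked against them. The ordering of the 1.1.1 patch letters and the keyword flags describing the deployment are assumptions of the example.

```python
"""Triage helper for CVE-2021-3450 and CVE-2021-3449 (added example).

Encodes the affected version ranges and the preconditions the bulletin
states. Assumption: the letter suffix of 1.1.1 releases ("h", "j", "k")
orders alphabetically, with no suffix meaning the first release of the line.
"""
import re
import ssl

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Inclusive ranges as stated in the bulletin, as comparable tuples.
CVE_2021_3450_RANGE = ((1, 1, 1, 8), (1, 1, 1, 10))   # 1.1.1h - 1.1.1j
CVE_2021_3449_RANGE = ((1, 1, 1, 0), (1, 1, 1, 10))   # 1.1.1  - 1.1.1j
FIXED_VERSION = (1, 1, 1, 11)                          # 1.1.1k


def parse_version(text):
    """Turn 'OpenSSL 1.1.1j  16 Feb 2021' into (1, 1, 1, 10).

    The fourth element is the patch-letter index: '' -> 0, 'a' -> 1, ... 'k' -> 11.
    """
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    suffix = 0
    for ch in m.group(4):
        suffix = suffix * 26 + (ord(ch) - ord("a") + 1)
    return (major, minor, patch, suffix)


def _in_range(version, rng):
    low, high = rng
    return low <= version <= high


def affected_issues(version_text, *, strict_flag=False, purpose_set=True,
                    is_server=False, tls12_enabled=True, renegotiation_enabled=True):
    """Return the CVE ids from the bulletin that apply to this deployment.

    strict_flag:  the application sets X509_V_FLAG_X509_STRICT itself.
    purpose_set:  a verification purpose is left in place (libssl sets one by
                  default; False models an app that removes or overrides it).
    is_server / tls12_enabled / renegotiation_enabled: the server-side
                  preconditions the bulletin gives for CVE-2021-3449.
    """
    version = parse_version(version_text)
    issues = []
    # CVE-2021-3450: strict flag without a purpose, 1.1.1h - 1.1.1j only.
    if _in_range(version, CVE_2021_3450_RANGE) and strict_flag and not purpose_set:
        issues.append("CVE-2021-3450")
    # CVE-2021-3449: TLSv1.2 server with renegotiation, any 1.1.1 before 1.1.1k.
    if (_in_range(version, CVE_2021_3449_RANGE) and is_server
            and tls12_enabled and renegotiation_enabled):
        issues.append("CVE-2021-3449")
    return issues


def local_openssl_version():
    """Version tuple of the OpenSSL this interpreter is linked against, or None
    when the runtime reports a different library (for example LibreSSL)."""
    try:
        return parse_version(ssl.OPENSSL_VERSION)
    except ValueError:
        return None


if __name__ == "__main__":
    print("local OpenSSL:", ssl.OPENSSL_VERSION, local_openssl_version())
    # Constructed sample: a 1.1.1j server that sets the strict flag and drops the purpose.
    print(affected_issues("OpenSSL 1.1.1j  16 Feb 2021", strict_flag=True,
                          purpose_set=False, is_server=True))
```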
How do I report a product vulnerability to McAfee?

If you have information about a security issue or vulnerability with a McAfee product, visit the McAfee PSIRT website for instructions at https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx. To report an issue, click Report a Security Vulnerability.

How does McAfee respond to this and any other reported security flaws?

Our key priority is the security of our customers. If a vulnerability is found within any McAfee software or services, we work closely with the relevant security software development team to ensure the rapid and effective development of a fix and communication plan.

McAfee only publishes Security Bulletins if they include something actionable such as a workaround, mitigation, version update, or hotfix. Otherwise, we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. For products that are updated automatically, a non-actionable Security Bulletin might be published to acknowledge the discoverer.

View our PSIRT policy on the McAfee PSIRT website at https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx by clicking About PSIRT.

Resources

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
o If you are a registered user, type your User ID and Password, and then click Log In.
o If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.

Disclaimer

The information provided in this Security Bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the preceding limitation may not apply.

Any future product release dates mentioned in this Security Bulletin are intended to outline our general product direction, and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or canceled at any time.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only.
AusCERT - Security Bulletins · 16 April 2021

ESB-2021.1292 - [Win] McAfee Data Loss Prevention (DLP) Endpoint for Windows: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1292
 Data Loss Prevention Endpoint for Windows update fixes two vulnerabilities
                    (CVE-2021-23886 and CVE-2021-23887)
                               16 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           McAfee Data Loss Prevention (DLP) Endpoint for Windows
Publisher:         McAfee
Operating System:  Windows
Impact/Access:     Increased Privileges -- Existing Account
                   Denial of Service    -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-23887 CVE-2021-23886

Original Bulletin:
   https://kc.mcafee.com/corporate/index?page=content&id=SB10357

--------------------------BEGIN INCLUDED TEXT--------------------

McAfee Security Bulletin - Data Loss Prevention Endpoint for Windows update fixes two vulnerabilities (CVE-2021-23886 and CVE-2021-23887)

Security Bulletins ID: SB10357
Last Modified: 4/14/2021

Summary

First Published: April 14, 2021

+----------------+-----------+--------------+----------------+--------+--------+
|                |           |              |                |        |CVSS    |
|                |Impacted   |              |Impact of       |Severity|v3.1    |
|Product:        |Versions:  |CVE ID:       |Vulnerabilities:|Ratings:|Base/   |
|                |           |              |                |        |Temporal|
|                |           |              |                |        |Scores: |
+----------------+-----------+--------------+----------------+--------+--------+
|Data Loss       |           |              |CWE-755:        |        |        |
|Prevention (DLP)|Prior to HF|              |Improper        |        |5.5 /   |
|Endpoint for    |11.6.100.41|CVE-2021-23886|Handling of     |Medium  |5.0     |
|Windows         |           |              |Exceptional     |        |        |
|                |           |              |Conditions      |        |        |
+----------------+-----------+--------------+----------------+--------+--------+
|                |           |              |CWE-269:        |        |        |
|DLP Endpoint for|Prior to HF|CVE-2021-23887|Privilege       |High    |7.8 /   |
|Windows         |11.6.100.41|              |escalation      |        |7.0     |
|                |           |              |vulnerability   |        |        |
+----------------+-----------+--------------+----------------+--------+--------+
|Recommendations:|Install or update DLP Endpoint for Windows to HF 11.6.100.41 |
+----------------+-------------------------------------------------------------+
|Security        |                                                             |
|Bulletin        |None                                                         |
|Replacement:    |                                                             |
+----------------+-------------------------------------------------------------+
|Location of     |                                                             |
|updated         |http://www.mcafee.com/us/downloads/downloads.aspx            |
|software:       |                                                             |
+----------------+-------------------------------------------------------------+

To receive email notification when this Security Bulletin is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Article contents:
o Vulnerability Description
o Remediation
o Acknowledgments
o Frequently Asked Questions (FAQs)
o Resources
o Disclaimer

Vulnerability Description

1. CVE-2021-23886

Denial of Service vulnerability in McAfee Data Loss Prevention (DLP) Endpoint for Windows prior to 11.6.100 allows a local, low privileged, attacker to cause a BSoD through suspending a process, modifying the process's memory and restarting it. This is triggered by the hdlphook driver reading invalid memory.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23886
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23886

2. CVE-2021-23887

Privilege Escalation vulnerability in McAfee Data Loss Prevention (DLP) Endpoint for Windows prior to 11.6.100 allows a local, low privileged, attacker to write to arbitrary controlled kernel addresses. This is achieved by launching applications, suspending them, modifying the memory and restarting them when they are monitored by McAfee DLP through the hdlphook driver.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23887
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23887

Remediation

To remediate this issue, customers should update to DLP Endpoint for Windows HF 11.6.100.41. Go to the Product Downloads site, and download the applicable product hotfix file:

+------------------------+--------------+------+--------------+
|Product                 |Version       |Type  |Release Date  |
+------------------------+--------------+------+--------------+
|DLP Endpoint for Windows|HF 11.6.100.41|Hotfix|April 14, 2021|
+------------------------+--------------+------+--------------+

Download and Installation Instructions

For instructions to download McAfee product updates and hotfixes, see: KB56057 - How to download Enterprise product updates and documentation.

Review the Release Notes and the Installation Guide for instructions on how to install these updates. All documentation is available at https://docs.mcafee.com.

Acknowledgments

McAfee credits the following for responsibly reporting these flaws.
CVE-2021-23886 - Assaf Kachlon from Morphisec
CVE-2021-23887 - Andry Diment from Morphisec

Frequently Asked Questions (FAQs)

How do I know if my McAfee product is vulnerable or not?

For endpoint products:
Use the following instructions for endpoint or client-based products:
1. Right-click the McAfee tray shield icon on the Windows taskbar.
2. Select Open Console.
3. In the console, select Action Menu.
4. In the Action Menu, select Product Details. The product version displays.

What is CVSS?

CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council's effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, visit the CVSS website at: https://www.first.org/cvss/.

When calculating CVSS scores, McAfee has adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We do not factor into a score any potential follow-on exploits that might be made possible by the successful exploitation of the issue being scored.

What are the CVSS scoring metrics?

1. CVE-2021-23886: Denial of Service in DLP Endpoint for Windows

+------------------------+--------------------+
|Base Score              |5.5                 |
+------------------------+--------------------+
|Attack Vector (AV)      |Local (L)           |
+------------------------+--------------------+
|Attack Complexity (AC)  |Low (L)             |
+------------------------+--------------------+
|Privileges Required (PR)|Low (L)             |
+------------------------+--------------------+
|User Interaction (UI)   |None (N)            |
+------------------------+--------------------+
|Scope (S)               |Unchanged (U)       |
+------------------------+--------------------+
|Confidentiality (C)     |None (N)            |
+------------------------+--------------------+
|Integrity (I)           |None (N)            |
+------------------------+--------------------+
|Availability (A)        |High (H)            |
+------------------------+--------------------+
|Temporal Score (Overall)|5.0                 |
+------------------------+--------------------+
|Exploitability (E)      |Proof-of-Concept (P)|
+------------------------+--------------------+
|Remediation Level (RL)  |Official Fix (O)    |
+------------------------+--------------------+
|Report Confidence (RC)  |Confirmed (C)       |
+------------------------+--------------------+

NOTE: The below CVSS version 3.1 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C&version=3.1

2. CVE-2021-23887: Privilege escalation in DLP Endpoint for Windows

+------------------------+--------------------+
|Base Score              |7.8                 |
+------------------------+--------------------+
|Attack Vector (AV)      |Local (L)           |
+------------------------+--------------------+
|Attack Complexity (AC)  |Low (L)             |
+------------------------+--------------------+
|Privileges Required (PR)|Low (L)             |
+------------------------+--------------------+
|User Interaction (UI)   |None (N)            |
+------------------------+--------------------+
|Scope (S)               |Unchanged (U)       |
+------------------------+--------------------+
|Confidentiality (C)     |High (H)            |
+------------------------+--------------------+
|Integrity (I)           |High (H)            |
+------------------------+--------------------+
|Availability (A)        |High (H)            |
+------------------------+--------------------+
|Temporal Score (Overall)|7.0                 |
+------------------------+--------------------+
|Exploitability (E)      |Proof-of-Concept (P)|
+------------------------+--------------------+
|Remediation Level (RL)  |Official Fix (O)    |
+------------------------+--------------------+
|Report Confidence (RC)  |Confirmed (C)       |
+------------------------+--------------------+

NOTE: The below CVSS version 3.1 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C&version=3.1

Where can I find a list of all Security Bulletins?

All Security Bulletins are published on our external PSIRT website at https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx. To see Security Bulletins for McAfee Enterprise products on this website click Enterprise Security Bulletins. Security Bulletins are retired (removed) once a product is both End of Sale and End of Support (End of Life).

How do I report a product vulnerability to McAfee?

If you have information about a security issue or vulnerability with a McAfee product, visit the McAfee PSIRT website for instructions at https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx. To report an issue, click Report a Security Vulnerability.

How does McAfee respond to this and any other reported security flaws?

Our key priority is the security of our customers. If a vulnerability is found within any McAfee software or services, we work closely with the relevant security software development team to ensure the rapid and effective development of a fix and communication plan.

McAfee only publishes Security Bulletins if they include something actionable such as a workaround, mitigation, version update, or hotfix. Otherwise, we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. For products that are updated automatically, a non-actionable Security Bulletin might be published to acknowledge the discoverer.

View our PSIRT policy on the McAfee PSIRT website at https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx by clicking About PSIRT.

Resources

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
o If you are a registered user, type your User ID and Password, and then click Log In.
o If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.

Disclaimer

The information provided in this Security Bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the preceding limitation may not apply.

Any future product release dates mentioned in this Security Bulletin are intended to outline our general product direction, and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or canceled at any time.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only.
AusCERT - Security Bulletins · 16 April 2021

ESB-2021.1291 - [Appliance] McAfee Content Security Reporter (CSR): Access confidential data - Existing account

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.1291 Content Security Reporter update fixes one vulnerability (CVE-2021-23884) 16 April 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: McAfee Content Security Reporter (CSR) Publisher: McAfee Operating System: Network Appliance Impact/Access: Access Confidential Data -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2021-23884 Original Bulletin: https://kc.mcafee.com/corporate/index?page=content&id=SB10353 - --------------------------BEGIN INCLUDED TEXT-------------------- McAfee Security Bulletin - Content Security Reporter update fixes one vulnerability (CVE-2021-23884) Security Bulletins ID : SB10353 Last Modified : 4/14/2021 Summary First Published: April 14, 2021 +----------------+---------+--------------+-----------------+--------+--------+ | | | | | |CVSS | | |Impacted | |Impact of |Severity|v3.1 | |Product: |Versions:|CVE ID: |Vulnerabilities: |Ratings:|Base/ | | | | | | |Temporal| | | | | | |Scores: | +----------------+---------+--------------+-----------------+--------+--------+ | | | |CWE-319: | | | |Content Security|Prior to | |Cleartext | |4.3 / | |Reporter (CSR) |2.8.0 |CVE-2021-23884|Transmission of |Medium |3.9 | | | | |Sensitive | | | | | | |Information | | | +----------------+---------+--------------+-----------------+--------+--------+ |Recommendations:|Upgrade to CSR 2.8.0 | +----------------+------------------------------------------------------------+ |Security | | |Bulletin |None | |Replacement: | | +----------------+------------------------------------------------------------+ |Location of | | |updated |http://www.mcafee.com/us/downloads/downloads.aspx | |software: | | 
+----------------+------------------------------------------------------------+ To receive email notification when this Security Bulletin is updated, click Subscribe on the right side of the page. You must be logged on to subscribe. Article contents: o Vulnerability Description o Remediation o Acknowledgments o Frequently Asked Questions (FAQs) o Resources o Disclaimer Vulnerability Description This feature is only available through on-premises ePO servers. The attacker would need to be on the same network as the ePO server, and know an ePO administrator's credentials, to exploit this vulnerability. The credentials for obtaining logs from Web Gateway and Web Gateway Cloud Server are configured in different parts of the ePO extension. The best practice is to have different passwords for each service. The passwords exposed through this vulnerability are stored encrypted in the CSR database, both before and post this fix. CVE-2021-23884 Cleartext Transmission of Sensitive Information vulnerability in the ePO Extension of McAfee Content Security Reporter (CSR) prior to 2.8.0 allows an ePO administrator to view the unencrypted password of the McAfee Web Gateway (MWG) or the password of the McAfee Web Gateway Cloud Server (MWGCS) read only user used to retrieve log files for analysis in CSR. https://web.nvd.nist.gov/view/vuln/detailvulnId=CVE-2021-23884 https://cve.mitre.org/cgi-bin/cvename.cginame=CVE-2021-23884 Remediation To remediate this issue, upgrade to CSR 2.8.0. Go to the Product Downloads site , and download the applicable product update file: +-------+-------+-----+--------------+ |Product|Version|Type |Release Date | +-------+-------+-----+--------------+ |CSR |2.8.0 |Minor|April 14, 2021| +-------+-------+-----+--------------+ Download and Installation Instructions For instructions to download McAfee product updates and hotfixes, see: KB56057 - - How to download Enterprise product updates and documentation . 
Review the Release Notes and the Installation Guide for instructions on how to install these updates. All documentation is available at https://docs.mcafee.com . Acknowledgments McAfee credits Derrick Berg from Eastman Kodak Company for responsibly reporting this flaw. Frequently Asked Questions (FAQs) How do I know if my McAfee product is vulnerable or not For endpoint products: Use the following instructions for endpoint or client-based products: 1. Right-click the McAfee tray shield icon on the Windows taskbar. 2. Select Open Console . 3. In the console, select Action Menu . 4. In the Action Menu, select Product Details . The product version displays. What is CVSS CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council's effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, visit the CVSS website at: https://www.first.org/cvss/ . When calculating CVSS scores, McAfee has adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We do not factor into a score any potential follow-on exploits that might be made possible by the successful exploitation of the issue being scored. 
What are the CVSS scoring metrics?

CVE-2021-23884: Clear text exposure of password in CSR ePO extension

+------------------------+--------------------+
|Base Score              |4.3                 |
+------------------------+--------------------+
|Attack Vector (AV)      |Adjacent Network (A)|
+------------------------+--------------------+
|Attack Complexity (AC)  |Low (L)             |
+------------------------+--------------------+
|Privileges Required (PR)|High (H)            |
+------------------------+--------------------+
|User Interaction (UI)   |Required (R)        |
+------------------------+--------------------+
|Scope (S)               |Unchanged (U)       |
+------------------------+--------------------+
|Confidentiality (C)     |High (H)            |
+------------------------+--------------------+
|Integrity (I)           |None (N)            |
+------------------------+--------------------+
|Availability (A)        |None (N)            |
+------------------------+--------------------+
|Temporal Score (Overall)|3.9                 |
+------------------------+--------------------+
|Exploitability (E)      |Proof-of-Concept (P)|
+------------------------+--------------------+
|Remediation Level (RL)  |Official Fix (O)    |
+------------------------+--------------------+
|Report Confidence (RC)  |Confirmed (C)       |
+------------------------+--------------------+

NOTE: The below CVSS version 3.1 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C&version=3.1

Where can I find a list of all Security Bulletins?

All Security Bulletins are published on our external PSIRT website at https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx. To see Security Bulletins for McAfee Enterprise products on this website, click Enterprise Security Bulletins. Security Bulletins are retired (removed) once a product is both End of Sale and End of Support (End of Life).
How do I report a product vulnerability to McAfee?

If you have information about a security issue or vulnerability with a McAfee product, visit the McAfee PSIRT website for instructions at https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx. To report an issue, click Report a Security Vulnerability.

How does McAfee respond to this and any other reported security flaws?

Our key priority is the security of our customers. If a vulnerability is found within any McAfee software or services, we work closely with the relevant security software development team to ensure the rapid and effective development of a fix and communication plan.

McAfee only publishes Security Bulletins if they include something actionable such as a workaround, mitigation, version update, or hotfix. Otherwise, we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. For products that are updated automatically, a non-actionable Security Bulletin might be published to acknowledge the discoverer.

View our PSIRT policy on the McAfee PSIRT website at https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx by clicking About PSIRT.

Resources

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
  o If you are a registered user, type your User ID and Password, and then click Log In.
  o If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.

Disclaimer

The information provided in this Security Bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose.
In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the preceding limitation may not apply.

Any future product release dates mentioned in this Security Bulletin are intended to outline our general product direction, and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or canceled at any time.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
AusCERT - Security Bulletins · 16 April 2021

ESB-2021.1290 - [Appliance] McAfee Advanced Threat Defense (ATD): Access confidential data - Existing account

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1290
     Advanced Threat Defense update fixes two vulnerabilities (CVE-2020-7269
                               and CVE-2020-7270)
                               16 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           McAfee Advanced Threat Defense (ATD)
Publisher:         McAfee
Operating System:  Network Appliance
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-7270 CVE-2020-7269

Original Bulletin:
   https://kc.mcafee.com/corporate/index?page=content&id=SB10336

- --------------------------BEGIN INCLUDED TEXT--------------------

McAfee Security Bulletin - Advanced Threat Defense update fixes two vulnerabilities (CVE-2020-7269 and CVE-2020-7270)

Security Bulletins ID: SB10336
Last Modified: 4/14/2021

Summary

First Published: April 14, 2021

+----------------+---------+-------------+-------------------------+--------+-----------------+
|Product:        |Impacted |CVE ID:      |Impact of                |Severity|CVSS v3.1 Base/  |
|                |Versions:|             |Vulnerabilities:         |Ratings:|Temporal Scores: |
+----------------+---------+-------------+-------------------------+--------+-----------------+
|Advanced Threat |Prior to |CVE-2020-7269|CWE-200: Exposure of     |Medium  |4.9 / 4.4        |
|Defense (ATD)   |4.12.2   |             |Sensitive Information to |        |                 |
|                |         |             |an Unauthorized Actor    |        |                 |
+----------------+---------+-------------+-------------------------+--------+-----------------+
|ATD             |Prior to |CVE-2020-7270|CWE-200: Exposure of     |Medium  |4.9 / 4.4        |
|                |4.12.2   |             |Sensitive Information to |        |                 |
|                |         |             |an Unauthorized Actor    |        |                 |
+----------------+---------+-------------+-------------------------+--------+-----------------+
|Recommendations:|Update to ATD 4.12.2                                                        |
+----------------+----------------------------------------------------------------------------+
|Security        |                                                                            |
|Bulletin        |None                                                                        |
|Replacement:    |                                                                            |
+----------------+----------------------------------------------------------------------------+
|Location of     |                                                                            |
|updated         |http://www.mcafee.com/us/downloads/downloads.aspx                           |
|software:       |                                                                            |
+----------------+----------------------------------------------------------------------------+

Article contents:
  o Vulnerability Description
  o Remediation
  o Acknowledgments
  o Frequently Asked Questions (FAQs)
  o Resources
  o Disclaimer

Vulnerability Description

CVE-2020-7269

Exposure of Sensitive Information in the web interface in McAfee Advanced Threat Defense (ATD) prior to 4.12.2 allows remote authenticated users to view sensitive unencrypted information via a carefully crafted HTTP request parameter. The risk is partially mitigated if your ATD instances are deployed as recommended with no direct access from the Internet to them.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7269
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7269

CVE-2020-7270

Exposure of Sensitive Information in the web interface in McAfee Advanced Threat Defense (ATD) prior to 4.12.2 allows remote authenticated users to view sensitive unencrypted information via a carefully crafted HTTP request parameter. The risk is partially mitigated if your ATD instances are deployed as recommended with no direct access from the Internet to them.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7270
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7270

Remediation

To remediate this issue, go to the Product Downloads site and download the latest version. See the Frequently Asked Questions section for the path to upgrade from older versions to this version.
+-------+-------+------+--------------+
|Product|Version|Type  |Release Date  |
+-------+-------+------+--------------+
|ATD    |4.12.2 |Update|April 14, 2021|
+-------+-------+------+--------------+

Download and Installation Instructions

See KB56057 for instructions on how to download McAfee products, documentation, updates, and hotfixes. Review the Release Notes and the Installation Guide for instructions on how to install these updates. All documentation is available at https://docs.mcafee.com.

Migration

See the Migration Guide for instructions to get to a protected version.

IMPORTANT: When upgrading to the appropriate ATD version with the fix, you must use the migration package. Failure to use the correct migration package causes installation failures and requires a reimage of the appliance.

Acknowledgments

McAfee credits hoangcuongflp for responsibly reporting these flaws.

Frequently Asked Questions (FAQs)

How do I know if my McAfee product is vulnerable or not?

For Appliances: Use the following instructions for Appliance-based products:
  1. Open the Administrator's User Interface (UI).
  2. Click the About link. The product version displays.

Is ATD 4.12.2 deployable to all ATD appliance models?

ATD Update 4.12.2 is applicable to all ATD models - both physical and virtual.
What are the steps needed to get to a protected version?

+------------------+-----------------------+-----------------------------------------+
| Starting Version | Total Number of Steps | Upgrade Path                            |
|                  | to Upgrade to Fixed   |                                         |
|                  | Version               |                                         |
+------------------+-----------------------+-----------------------------------------+
| 4.0.x            | 4                     | 4.0.x > 4.4.0 > 4.8.0 > 4.12.0 > 4.12.2 |
| 4.2.x            | 4                     | 4.2.0 > 4.4.0 > 4.8.0 > 4.12.0 > 4.12.2 |
| 4.4.x            | 3                     | 4.4.x > 4.8.0 > 4.12.0 > 4.12.2         |
| 4.6.0            | 3                     | 4.6.0 > 4.10.0 > 4.12.0 > 4.12.2        |
| 4.6.2            | 3                     | 4.6.2 > 4.10.0 > 4.12.0 > 4.12.2        |
| 4.8.0            | 2                     | 4.8.0 > 4.12.0 > 4.12.2                 |
| 4.8.2            | 2                     | 4.8.2 > 4.12.0 > 4.12.2                 |
| 4.10             | 2                     | 4.10.0 > 4.12.0 > 4.12.2                |
| 4.12.0           | 1                     | 4.12.0 > 4.12.2                         |
+------------------+-----------------------+-----------------------------------------+

NOTES:
  o See Supported Upgrade Paths.
  o If you are running ATD version 3.8.x or earlier, McAfee strongly recommends a reimage of the ATD appliance directly to version 4.10. This reimage minimizes the number of upgrade steps and avoids potential upgrade failures. See Migration Criteria.
  o Installation could take a minimum of 30 minutes and up to two hours. The time depends on the number of virtual machines and the database size in the deployment.
What are the migration packages recommended by version?

+---------+--------------------------------+------------------------------------------------------------------+
| Version | File Name                      | SHA                                                              |
+---------+--------------------------------+------------------------------------------------------------------+
| 3.8.0   | system-3.8.0.29.58939.msu      | 3BC121C870AC49FEF57EF406E40055B8867B3150369F013E4395B5555A65FB3C |
| 4.2.x   | migration-4.2.0.20.64069.msu   | 9CF6A0D7DC9CD8CD713F73FFAD3C81C12A1F3CFD0BF82713D79ABB069FEF1AEF |
| 4.4.x   | migration-4.4.0.26.a6835a.msu  | 0FF4B2434FD24F13F3D23DBFC8C8E63F7F8B979991A2AC87F61B2362447CCF3B |
| 4.6.0   | migration-4.6.0.21.517580.msu  | E9AD833DCCC47626B7AB48B6440CABC1183709A7F0BFE54AD454DF2D993C99D5 |
| 4.6.2   | system-4.6.2.13.8d1e42.msu     | ED4A39A9E16237EF863F7E380799C49946DBACE0ABF1D96225723AB4775F7FAF |
| 4.8.0   | migration-4.8.0.17.c4d13a.msu  | 58AF249F1F248B826127ECC861EBE5D50E61501C27376AB5893FE5E5370620A5 |
| 4.8.2   | system-4.8.2.13.cc86f4.msu     | 2E95F1A25D7E5369A7DCA795A840B765D221C188                         |
| 4.10.0  | system-4.10.0.13.4e84a5.msu    | 2E95F1A25D7E5369A7DCA795A840B765D221C188                         |
| 4.12.0  | migration-4.12.0b.3.908cef.msu | d85c2ccd78ce452d80ded02a6fe2387a                                 |
| 4.12.2  | system-4.12.2.9.c38d50.msu     | 78f79ade611382c0876b3d348e0040cc                                 |
+---------+--------------------------------+------------------------------------------------------------------+

What is CVSS?

CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council's effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, visit the CVSS website at https://www.first.org/cvss/.

When calculating CVSS scores, McAfee has adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We do not factor into a score any potential follow-on exploits that might be made possible by the successful exploitation of the issue being scored.

What are the CVSS scoring metrics?

1.
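The package table above gives one digest per file, but the digests are of three different lengths (64, 40 and 32 hex characters), so anyone checking a download before following the IMPORTANT note has to pick SHA-256, SHA-1 or MD5 from the length rather than assume one algorithm, and two rows carry the same digest. The Python below is an added example, not McAfee's tooling: the table is copied from the bulletin with the wrapped digest cells joined, the function names are this example's own, and it reports digests listed for more than one version so they can be confirmed against the download page before use.

```python
"""Verify an ATD migration/system package against the digests in SB10336.

Added example, not McAfee's tooling. The table below is copied from the
bulletin with the line-wrapped digest cells joined back together.
"""
import hashlib

# version -> (file name, digest as printed). The column is headed "SHA", but the
# digests come in three lengths: 64 hex = SHA-256, 40 hex = SHA-1, 32 hex = MD5.
PACKAGE_DIGESTS = {
    "3.8.0":  ("system-3.8.0.29.58939.msu",      "3BC121C870AC49FEF57EF406E40055B8867B3150369F013E4395B5555A65FB3C"),
    "4.2.x":  ("migration-4.2.0.20.64069.msu",   "9CF6A0D7DC9CD8CD713F73FFAD3C81C12A1F3CFD0BF82713D79ABB069FEF1AEF"),
    "4.4.x":  ("migration-4.4.0.26.a6835a.msu",  "0FF4B2434FD24F13F3D23DBFC8C8E63F7F8B979991A2AC87F61B2362447CCF3B"),
    "4.6.0":  ("migration-4.6.0.21.517580.msu",  "E9AD833DCCC47626B7AB48B6440CABC1183709A7F0BFE54AD454DF2D993C99D5"),
    "4.6.2":  ("system-4.6.2.13.8d1e42.msu",     "ED4A39A9E16237EF863F7E380799C49946DBACE0ABF1D96225723AB4775F7FAF"),
    "4.8.0":  ("migration-4.8.0.17.c4d13a.msu",  "58AF249F1F248B826127ECC861EBE5D50E61501C27376AB5893FE5E5370620A5"),
    "4.8.2":  ("system-4.8.2.13.cc86f4.msu",     "2E95F1A25D7E5369A7DCA795A840B765D221C188"),
    "4.10.0": ("system-4.10.0.13.4e84a5.msu",    "2E95F1A25D7E5369A7DCA795A840B765D221C188"),
    "4.12.0": ("migration-4.12.0b.3.908cef.msu", "d85c2ccd78ce452d80ded02a6fe2387a"),
    "4.12.2": ("system-4.12.2.9.c38d50.msu",     "78f79ade611382c0876b3d348e0040cc"),
}

ALGORITHM_BY_HEX_LENGTH = {64: "sha256", 40: "sha1", 32: "md5"}


def algorithm_for(hexdigest):
    """Pick the hash algorithm from the digest length; any other length is a transcription error."""
    try:
        return ALGORITHM_BY_HEX_LENGTH[len(hexdigest)]
    except KeyError:
        raise ValueError(f"digest has {len(hexdigest)} hex chars; expected 64, 40 or 32") from None


def verify_bytes(data, expected_hex):
    """Hash an in-memory package image; returns (match, algorithm, actual_hex)."""
    algorithm = algorithm_for(expected_hex)
    actual = hashlib.new(algorithm, data).hexdigest()
    return actual == expected_hex.lower(), algorithm, actual


def verify_file(path, version):
    """Stream a downloaded package from disk and compare it with the table entry for `version`."""
    filename, expected_hex = PACKAGE_DIGESTS[version]
    h = hashlib.new(algorithm_for(expected_hex))
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected_hex.lower(), filename, h.name, h.hexdigest()


def duplicate_digests(table=PACKAGE_DIGESTS):
    """Digests the table lists for more than one version (the bulletin has one such pair).
    Such rows need confirming against the vendor download page before being relied on."""
    versions_by_digest = {}
    for version, (_, hexdigest) in table.items():
        versions_by_digest.setdefault(hexdigest.lower(), []).append(version)
    return {d: v for d, v in versions_by_digest.items() if len(v) > 1}


if __name__ == "__main__":
    import sys
    # usage: python verify_atd_package.py ./system-4.12.2.9.c38d50.msu 4.12.2
    ok, name, algo, actual = verify_file(sys.argv[1], sys.argv[2])
    print(f"{name}: {algo} {'OK' if ok else 'MISMATCH'} ({actual})")
    for digest, versions in duplicate_digests().items():
        print(f"warning: {digest} is listed for {', '.join(versions)}")
```

A mismatch should stop the upgrade rather than be worked around, since the bulletin states that applying the wrong package forces a reimage; SHA-1 and MD5 entries give weaker assurance than SHA-256 against a substituted file, so for those rows the download itself should come from the vendor portal over TLS.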
CVE-2020-7269 - Sensitive Information Exposure in ATD

+------------------------+-------------------------+
|Base Score              |4.9                      |
+------------------------+-------------------------+
|Attack Vector (AV)      |Adjacent (A)             |
+------------------------+-------------------------+
|Attack Complexity (AC)  |Low (L)                  |
+------------------------+-------------------------+
|Privileges Required (PR)|Low (L)                  |
+------------------------+-------------------------+
|User Interaction (UI)   |Required (R)             |
+------------------------+-------------------------+
|Scope (S)               |Unchanged (U)            |
+------------------------+-------------------------+
|Confidentiality (C)     |Low (L)                  |
+------------------------+-------------------------+
|Integrity (I)           |Low (L)                  |
+------------------------+-------------------------+
|Availability (A)        |Low (L)                  |
+------------------------+-------------------------+
|Temporal Score (Overall)|4.4                      |
+------------------------+-------------------------+
|Exploitability (E)      |Proof of concept code (P)|
+------------------------+-------------------------+
|Remediation Level (RL)  |Official Fix (O)         |
+------------------------+-------------------------+
|Report Confidence (RC)  |Confirmed (C)            |
+------------------------+-------------------------+

NOTE: The below CVSS version 3.1 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C&version=3.1

2.
CVE-2020-7270 - Sensitive Information Exposure in ATD

+------------------------+-------------------------+
|Base Score              |4.9                      |
+------------------------+-------------------------+
|Attack Vector (AV)      |Adjacent (A)             |
+------------------------+-------------------------+
|Attack Complexity (AC)  |Low (L)                  |
+------------------------+-------------------------+
|Privileges Required (PR)|Low (L)                  |
+------------------------+-------------------------+
|User Interaction (UI)   |Required (R)             |
+------------------------+-------------------------+
|Scope (S)               |Unchanged (U)            |
+------------------------+-------------------------+
|Confidentiality (C)     |Low (L)                  |
+------------------------+-------------------------+
|Integrity (I)           |Low (L)                  |
+------------------------+-------------------------+
|Availability (A)        |Low (L)                  |
+------------------------+-------------------------+
|Temporal Score (Overall)|4.4                      |
+------------------------+-------------------------+
|Exploitability (E)      |Proof of concept code (P)|
+------------------------+-------------------------+
|Remediation Level (RL)  |Official Fix (O)         |
+------------------------+-------------------------+
|Report Confidence (RC)  |Confirmed (C)            |
+------------------------+-------------------------+

NOTE: The below CVSS version 3.1 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C&version=3.1

Where can I find a list of all Security Bulletins?

All Security Bulletins are published on our external PSIRT website at https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx. To see Security Bulletins for McAfee Enterprise products on this website, click Enterprise Security Bulletins. Security Bulletins are retired (removed) once a product is both End of Sale and End of Support (End of Life).
How do I report a product vulnerability to McAfee?

If you have information about a security issue or vulnerability with a McAfee product, visit the McAfee PSIRT website for instructions at https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx. To report an issue, click Report a Security Vulnerability.

How does McAfee respond to this and any other reported security flaws?

Our key priority is the security of our customers. If a vulnerability is found within any McAfee software or services, we work closely with the relevant security software development team to ensure the rapid and effective development of a fix and communication plan.

McAfee only publishes Security Bulletins if they include something actionable such as a workaround, mitigation, version update, or hotfix. Otherwise, we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. For products that are updated automatically, a non-actionable Security Bulletin might be published to acknowledge the discoverer.

View our PSIRT policy on the McAfee PSIRT website at https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx by clicking About PSIRT.

Resources

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
  o If you are a registered user, type your User ID and Password, and then click Log In.
  o If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.

Disclaimer

The information provided in this Security Bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose.
In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the preceding limitation may not apply.

Any future product release dates mentioned in this Security Bulletin are intended to outline our general product direction, and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or canceled at any time.

- --------------------------END INCLUDED TEXT--------------------
AusCERT - Security Bulletins · 16 April 2021

ESB-2021.1289 - [Juniper] Junos OS: Denial of service - Remote/unauthenticated

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1289
   JSA11149 - 2021-04 Security Bulletin: Junos OS: Kernel panic upon receipt
               of specific TCPv6 packet on management interface
                               16 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos OS
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-0258

Original Bulletin:
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11149

- --------------------------BEGIN INCLUDED TEXT--------------------

2021-04 Security Bulletin: Junos OS: Kernel panic upon receipt of specific TCPv6 packet on management interface (CVE-2021-0258)

Article ID: JSA11149
Last Updated: 15 Apr 2021
Version: 2.0

Product Affected:
This issue affects Junos OS 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4.

Problem:

A vulnerability in the forwarding of transit TCPv6 packets received on the Ethernet management interface of Juniper Networks Junos OS allows an attacker to trigger a kernel panic, leading to a Denial of Service (DoS). Continued receipt and processing of these transit packets will create a sustained Denial of Service (DoS) condition.

This issue only occurs when TCPv6 packets are routed through the management interface. Other transit traffic, and traffic destined to the management interface, are unaffected by this vulnerability.

This issue was introduced as part of a TCP Parallelization feature added in Junos OS 17.2, and affects systems with concurrent network stack enabled. This feature is enabled by default, but can be disabled (see WORKAROUND section below).
This issue affects Juniper Networks Junos OS:
  o 17.2R1-S7, 17.2R1-S8, 17.2R3 and later versions prior to 17.2R3-S4;
  o 17.3 versions prior to 17.3R3-S9;
  o 17.4 versions prior to 17.4R2-S11, 17.4R3-S2;
  o 18.1 versions prior to 18.1R3-S11;
  o 18.2 versions prior to 18.2R3-S5;
  o 18.3 versions prior to 18.3R2-S4, 18.3R3-S3;
  o 18.4 versions prior to 18.4R2-S5, 18.4R3-S4;
  o 19.1 versions prior to 19.1R2-S2, 19.1R3;
  o 19.2 versions prior to 19.2R1-S5, 19.2R2;
  o 19.3 versions prior to 19.3R2-S4, 19.3R3;
  o 19.4 versions prior to 19.4R1-S3, 19.4R2.

This issue does not affect Juniper Networks Junos OS 17.2 versions prior to 17.2R1-S7, or any version of 17.2R2.

Any configuration with IPv6 enabled on the management interface is vulnerable to this issue. For example:

  [interfaces fxp0 unit 0 family inet6]

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was found during internal product security testing or research.

This issue has been assigned CVE-2021-0258.

Solution:

The following software releases have been updated to resolve this specific issue: Junos OS 17.2R3-S4, 17.3R3-S9, 17.4R2-S11, 17.4R3-S2, 18.1R3-S11, 18.2R3-S5, 18.3R2-S4, 18.3R3-S3, 18.4R2-S5, 18.4R3-S4, 19.1R2-S2, 19.1R3, 19.2R1-S5, 19.2R2, 19.3R2-S4, 19.3R3, 19.4R1-S3, 19.4R2, 20.1R1, and all subsequent releases.

This issue is being tracked as 1477824.

Workaround:

Disable TCP Parallelization:

  set system kernel-smp-features disable-concurrent-network-stack

Implementation:

Software releases or updates are available for download at https://support.juniper.net/support/downloads/

Modification History:
  2021-04-14: Initial Publication.
  2021-04-15: Further clarification of Junos OS 17.2 affected releases.

CVSS Score:
5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Severity Level:
Medium

Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
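Deciding whether a particular device is exposed means combining three things the advisory states separately: the affected-release ranges (with the 17.2 exception), the fixed releases in the Solution section, and the two configuration conditions (IPv6 on the management interface, concurrent network stack still enabled). The Python below is an added example, not Juniper's tooling. It transcribes the advisory's ranges into a small Junos release-string comparator and scans a `show configuration | display set` dump for the `fxp0 ... family inet6` statement and the workaround. The sample configuration is constructed; the parser handles only the plain `MM.mR<n>[-S<n>]` form used in this advisory, and the management interface name is assumed to be fxp0 as in the advisory's example.

```python
"""Exposure check for JSA11149 / CVE-2021-0258 (kernel panic on transit TCPv6 via the management interface).

Added example, not Juniper's tooling. Release ranges are transcribed from the
advisory; the configuration sample is constructed.
"""
import re

# Plain Junos release strings only: MM.mR<n>, optionally followed by -S<n>.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?$", re.IGNORECASE)


def parse_release(text):
    """'17.4R2-S11' -> (17, 4, 2, 11). A bare R release gets S=0 so it sorts before its service releases."""
    m = _RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported Junos release string: {text!r}")
    major, minor, r, s = m.groups()
    return int(major), int(minor), int(r), int(s or 0)


# First fixed release per R branch, per train, from the advisory's Solution section.
# Trains absent here (17.1 and earlier, 20.1 and later) are not affected; 17.2 is special-cased.
FIXED_RELEASES = {
    (17, 3): ["17.3R3-S9"],
    (17, 4): ["17.4R2-S11", "17.4R3-S2"],
    (18, 1): ["18.1R3-S11"],
    (18, 2): ["18.2R3-S5"],
    (18, 3): ["18.3R2-S4", "18.3R3-S3"],
    (18, 4): ["18.4R2-S5", "18.4R3-S4"],
    (19, 1): ["19.1R2-S2", "19.1R3"],
    (19, 2): ["19.2R1-S5", "19.2R2"],
    (19, 3): ["19.3R2-S4", "19.3R3"],
    (19, 4): ["19.4R1-S3", "19.4R2"],
}


def is_affected_release(text):
    """True if `text` falls inside the advisory's affected ranges."""
    v = parse_release(text)
    train = v[:2]
    if train == (17, 2):
        # Advisory wording, taken literally: 17.2R1-S7, 17.2R1-S8, and 17.2R3 up to but not
        # including 17.2R3-S4; 17.2 before 17.2R1-S7 and every 17.2R2 release are unaffected.
        if v in (parse_release("17.2R1-S7"), parse_release("17.2R1-S8")):
            return True
        return parse_release("17.2R3") <= v < parse_release("17.2R3-S4")
    fixed = sorted(parse_release(f) for f in FIXED_RELEASES.get(train, []))
    if not fixed:
        return False
    # "X versions prior to A, B": a release on the same R branch as a listed fix is affected
    # below that fix; a release on any other branch is affected below the lowest listed fix.
    same_branch = [f for f in fixed if f[2] == v[2]]
    return v < same_branch[0] if same_branch else v < fixed[0]


# Assumed management interface name, as in the advisory's example stanza.
IPV6_ON_MGMT = "set interfaces fxp0 unit 0 family inet6"
WORKAROUND = "set system kernel-smp-features disable-concurrent-network-stack"


def assess_config(display_set_text):
    """Scan `show configuration | display set` output for the two conditions the advisory names."""
    lines = [line.strip() for line in display_set_text.splitlines()]
    return {
        "ipv6_on_management": any(line.startswith(IPV6_ON_MGMT) for line in lines),
        "workaround_applied": WORKAROUND in lines,
    }


def assess(release, display_set_text):
    """Exposed only if the release is affected, IPv6 is on fxp0, and the workaround is absent."""
    result = {"release_affected": is_affected_release(release), **assess_config(display_set_text)}
    result["exposed"] = (result["release_affected"]
                         and result["ipv6_on_management"]
                         and not result["workaround_applied"])
    return result


# Constructed sample: IPv6 configured on fxp0, workaround not applied.
SAMPLE_CONFIG = """\
set system host-name lab-router
set interfaces fxp0 unit 0 family inet address 192.0.2.10/24
set interfaces fxp0 unit 0 family inet6 address 2001:db8::10/64
"""

if __name__ == "__main__":
    print(assess("19.4R1-S2", SAMPLE_CONFIG))
    print(assess("19.4R1-S2", SAMPLE_CONFIG + WORKAROUND + "\n"))
```

The workaround check is deliberately an exact-line match, so a commented-out or partially typed statement does not count as applied; the release comparator is the part most worth unit-testing against the advisory's own boundary releases, since an off-by-one there silently marks a vulnerable device as safe.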
- --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. 
Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYHje9uNLKJtyKPYoAQi+Rw/+OtONGHU0C16g+/nWw7obUGx5Xvr3JHta
6UzdF0vF4C0nXQCXr8brAYFly47cmVgnUFmcFhYx9weTUlu5zxJ3IPd/sCPse+wJ
aNz/fHzv9ZvOpGQfKt59o8co8OlWTLGGWVPLL5edBjeIntKZRkb6N4RbhdDl1W0A
8SpChR5ZfIeBHwE+tKcl2SJjkvj25Kuo9T+eTSWGixvQTmcy7tO8tOM/Alk/o8bZ
zzkT+tYhGJcrICS/uOD0TEiHnUpX2rZtaF1cf75wjyH3VaeAXr8JcrozHbV1w/aj
McmjF3/jTMAsbw6N3T3fhsOI2P2an7kYizeKT//dXFEX5jtpHF5pxi+sdlRqIM+Z
aJrVTukvorMl5YnW/jUC6xupHi9b9/Ts9g+KUa62LsrDblOPgRPeQugM1h8Imq5G
TuzpzxOSkxUFxBHkDbUISpwPiTUjpAKunK1Lahn2fNrSWoFVDyaDhoefSVUXvsup
cgclRmA8Lfq2xK9ahh1lrrpNcxTOpK4EWubYNJyrFSdHVfiifFatn8uAU6w54nN5
QEMWrylJiNYmZ3C08QAq4fOfr8r9TnhjaY7Vgsj2xvYc7ozpr0VrP/iJmWqEYGjq
UUsx2IwfGDJGxkNszBtl3iBGuIWB/nCo600HQTHL2D6PBqxiszAJYuBUz1XH0/4K
SVXZPo22EZo=
=ROJv
-----END PGP SIGNATURE-----
AusCERT - Security Bulletins · 16 April 2021

ESB-2021.1288 - [Juniper] Juniper Products: Unauthorised access - Existing account

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1288
JSA11140 - 2021-04 Security Bulletin: Junos OS: PTX Series, QFX Series: Due to a race condition input loopback firewall filters applied to interfaces may not operate even when listed in the running configuration.
16 April 2021
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: Junos OS: PTX Series
         Junos OS: QFX Series
Publisher: Juniper Networks
Operating System: Juniper
Impact/Access: Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-0247
Original Bulletin: http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11140

- --------------------------BEGIN INCLUDED TEXT--------------------

2021-04 Security Bulletin: Junos OS: PTX Series, QFX Series: Due to a race condition input loopback firewall filters applied to interfaces may not operate even when listed in the running configuration. (CVE-2021-0247)

Article ID: JSA11140
Last Updated: 15 Apr 2021
Version: 2.0

Product Affected:
This issue affects Junos OS 14.1, 14.1X53, 15.1, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2. Affected platforms: PTX Series, QFX Series.

Problem:
A Race Condition (Concurrent Execution using Shared Resource with Improper Synchronization) vulnerability in the firewall process (dfwd) of Juniper Networks Junos OS allows an attacker to bypass the firewall rule sets applied to the input loopback filter on any interfaces of a device.

This issue is detectable by reviewing the PFE firewall rules, as well as the firewall counters and seeing if they are incrementing or not.
For example:

show firewall
Filter: __default_bpdu_filter__
Filter: FILTER-INET-01
Counters:
Name                         Bytes          Packets
output-match-inet                0                0    <<<<<< missing firewall packet count

This issue affects: Juniper Networks Junos OS:
o 14.1X53 versions prior to 14.1X53-D53 on QFX Series;
o 14.1 versions 14.1R1 and later versions prior to 15.1 versions prior to 15.1R7-S6 on QFX Series, PTX Series;
o 15.1X53 versions prior to 15.1X53-D593 on QFX Series;
o 16.1 versions prior to 16.1R7-S7 on QFX Series, PTX Series;
o 16.2 versions prior to 16.2R2-S11, 16.2R3 on QFX Series, PTX Series;
o 17.1 versions prior to 17.1R2-S11, 17.1R3-S2 on QFX Series, PTX Series;
o 17.2 versions prior to 17.2R1-S9, 17.2R3-S3 on QFX Series, PTX Series;
o 17.3 versions prior to 17.3R2-S5, 17.3R3-S7 on QFX Series, PTX Series;
o 17.4 versions prior to 17.4R2-S9, 17.4R3 on QFX Series, PTX Series;
o 18.1 versions prior to 18.1R3-S9 on QFX Series, PTX Series;
o 18.2 versions prior to 18.2R2-S6, 18.2R3-S3 on QFX Series, PTX Series;
o 18.3 versions prior to 18.3R1-S7, 18.3R2-S3, 18.3R3-S1 on QFX Series, PTX Series;
o 18.4 versions prior to 18.4R1-S5, 18.4R2-S3, 18.4R3 on QFX Series, PTX Series;
o 19.1 versions prior to 19.1R1-S4, 19.1R2-S1, 19.1R3 on QFX Series, PTX Series;
o 19.2 versions prior to 19.2R1-S3, 19.2R2 on QFX Series, PTX Series.

This issue impacts all filter families (inet, inet6, etc.), yet only on input loopback filters. It does not rely upon the location where a filter is set, impacting both logical and physical interfaces. Configuration examples for input filtering are posted on the support site and in product documentation.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2021-0247.
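The detection the advisory describes, watching whether a loopback filter's counters move, can be automated by diffing two `show firewall` snapshots taken an interval apart. The program below is an added example written for this page, not Juniper's tooling: it pulls the counter rows out of the CLI text and reports every counter that is present in both snapshots but did not increment. The `fw_counter`/`fw_snapshot` structures, the function names and both snapshots are constructed; the second snapshot is assumed to be taken after an interval in which the filter's terms should have matched traffic.

```c
#include <stdio.h>
#include <string.h>

#define MAX_COUNTERS 64

/* Structures are assumed for this example: one row per counter of "show firewall". */
struct fw_counter { char filter[64], name[64]; unsigned long long bytes, packets; };
struct fw_snapshot { struct fw_counter c[MAX_COUNTERS]; size_t n; };

/* Parse "show firewall" text into filter/counter rows. Returns the number of rows. */
size_t fw_parse(const char *text, struct fw_snapshot *s)
{
    char line[256], filter[64] = "", name[64];
    unsigned long long bytes, packets;
    s->n = 0;
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t ll = nl ? (size_t)(nl - text) : strlen(text);
        if (ll >= sizeof line) ll = sizeof line - 1;   /* clip over-long lines */
        memcpy(line, text, ll);
        line[ll] = '\0';
        text = nl ? nl + 1 : text + strlen(text);
        if (strncmp(line, "Filter:", 7) == 0) {        /* "Filter: NAME" opens a new filter */
            if (sscanf(line + 7, "%63s", filter) != 1) filter[0] = '\0';
        } else if (sscanf(line, "%63s %llu %llu", name, &bytes, &packets) == 3 && s->n < MAX_COUNTERS) {
            /* Only "name bytes packets" rows reach here; "Counters:" and the column header do not. */
            struct fw_counter *c = &s->c[s->n++];
            strcpy(c->filter, filter);
            strcpy(c->name, name);
            c->bytes = bytes;
            c->packets = packets;
        }
    }
    return s->n;
}

static const struct fw_counter *fw_lookup(const struct fw_snapshot *s, const char *filter, const char *name)
{
    for (size_t i = 0; i < s->n; i++)
        if (strcmp(s->c[i].filter, filter) == 0 && strcmp(s->c[i].name, name) == 0)
            return &s->c[i];
    return NULL;
}

/* 1 if the packet count rose between snapshots, 0 if it stayed flat, -1 if the counter is absent. */
int fw_counter_incremented(const struct fw_snapshot *before, const struct fw_snapshot *after,
                           const char *filter, const char *name)
{
    const struct fw_counter *b = fw_lookup(before, filter, name);
    const struct fw_counter *a = fw_lookup(after, filter, name);
    if (!b || !a) return -1;
    return a->packets > b->packets;
}

/* Print and count the counters present in both snapshots whose packet count did not move. */
size_t fw_report_stale(const struct fw_snapshot *before, const struct fw_snapshot *after)
{
    size_t stale = 0;
    for (size_t i = 0; i < after->n; i++) {
        const struct fw_counter *a = &after->c[i];
        if (fw_counter_incremented(before, after, a->filter, a->name) == 0) {
            printf("filter %s counter %s: packets %llu -> %llu (not incrementing)\n",
                   a->filter, a->name, fw_lookup(before, a->filter, a->name)->packets, a->packets);
            stale++;
        }
    }
    return stale;
}

/* Two constructed snapshots in the layout the advisory quotes; not real device output. */
static const char SNAP_BEFORE[] =
    "Filter: __default_bpdu_filter__\n"
    "Filter: FILTER-INET-01\n"
    "Counters:\n"
    "Name                         Bytes          Packets\n"
    "output-match-inet                0                0\n"
    "Filter: FILTER-INET6-01\n"
    "Counters:\n"
    "Name                         Bytes          Packets\n"
    "accept-inet6                 51200              400\n";
static const char SNAP_AFTER[] =
    "Filter: __default_bpdu_filter__\n"
    "Filter: FILTER-INET-01\n"
    "Counters:\n"
    "Name                         Bytes          Packets\n"
    "output-match-inet                0                0\n"
    "Filter: FILTER-INET6-01\n"
    "Counters:\n"
    "Name                         Bytes          Packets\n"
    "accept-inet6                 76800              600\n";

static void load_samples(struct fw_snapshot *b, struct fw_snapshot *a)
{
    fw_parse(SNAP_BEFORE, b);
    fw_parse(SNAP_AFTER, a);
}
int sample_counter_incremented(const char *filter, const char *name)
{ struct fw_snapshot b, a; load_samples(&b, &a); return fw_counter_incremented(&b, &a, filter, name); }
size_t sample_stale_count(void)
{ struct fw_snapshot b, a; load_samples(&b, &a); return fw_report_stale(&b, &a); }

int main(void)
{ printf("%zu counter(s) flat between snapshots\n", sample_stale_count()); return 0; }
```

A flat counter is a signal, not proof: a filter on an interface that genuinely saw no matching traffic also stays at zero, so run the comparison only over filters whose terms should be matching during the interval, and confirm against the PFE rules as the advisory says.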
Solution:
The following software releases have been updated to resolve this specific issue: Junos OS 14.1X53-D53, 15.1R7-S6, 15.1X53-D593, 16.1R7-S7, 16.2R2-S11, 16.2R3, 17.1R2-S11, 17.1R3-S2, 17.2R1-S9, 17.2R3-S3, 17.3R2-S5, 17.3R3-S7, 17.4R2-S9, 17.4R3, 18.1R3-S9, 18.2R2-S6, 18.2R3-S3, 18.3R1-S7, 18.3R2-S3, 18.3R3-S1, 18.4R1-S5, 18.4R2-S3, 18.4R3, 19.1R1-S4, 19.1R2-S1, 19.1R3, 19.2R1-S3, 19.2R2, 19.3R1, and all subsequent releases.

This issue is being tracked as 1430385.

Workaround:
There are no viable workarounds for this issue.

Implementation:
Software releases or updates are available for download at https://support.juniper.net/support/downloads/

Modification History:
2021-04-14: Initial Publication.
2021-04-15: Removed spurious 18.4R2-S7 release entry in problem description.

CVSS Score: 5.1 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L)
Severity Level: Medium
Severity Assessment: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

- --------------------------END INCLUDED TEXT--------------------
AusCERT - Security Bulletins · 16 April 2021

ESB-2021.1171.2 - UPDATE [Cisco] Cisco Small Business RV Series Routers: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1171.2
Cisco Small Business RV Series Routers Link Layer Discovery Protocol Vulnerabilities
16 April 2021
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: RV132W ADSL2+ Wireless-N VPN Router
         RV134W VDSL2 Wireless-AC VPN Router
         RV160 VPN Router
         RV160W Wireless-AC VPN Router
         RV260 VPN Router
         RV260P VPN Router with PoE
         RV260W Wireless-AC VPN Router
         RV320 Dual Gigabit WAN VPN Router
         RV325 Dual Gigabit WAN VPN Router
         RV340 Dual WAN Gigabit VPN Router
         RV340W Dual WAN Gigabit Wireless-AC VPN Router
         RV345 Dual WAN Gigabit VPN Router
         RV345P Dual WAN Gigabit PoE VPN Router
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
               Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-1309 CVE-2021-1308 CVE-2021-1251
Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-multi-lldp-u7e4chCe
Revision History: April 16 2021: Vendor updated vulnerable products and products confirmed not vulnerable.
                  April 8 2021: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Small Business RV Series Routers Link Layer Discovery Protocol Vulnerabilities

Priority: High
Advisory ID: cisco-sa-rv-multi-lldp-u7e4chCe
First Published: 2021 April 7 16:00 GMT
Last Updated: 2021 April 15 15:38 GMT
Version 1.1: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvw62392 CSCvw62395 CSCvw62410 CSCvw62411 CSCvw62413 CSCvw62416 CSCvw62417 CSCvw62418 CSCvw94339 CSCvw94341 CSCvw95016 CSCvw95017 CSCvy01220
CVE Names: CVE-2021-1251 CVE-2021-1308 CVE-2021-1309
CWEs: CWE-119 CWE-130 CWE-400

Summary

o Multiple vulnerabilities exist in the Link Layer Discovery Protocol (LLDP) implementation for Cisco Small Business RV Series Routers. An unauthenticated, adjacent attacker could execute arbitrary code or cause an affected router to leak system memory or reload. A memory leak or device reload would cause a denial of service (DoS) condition on an affected device.

  For more information about these vulnerabilities, see the Details section of this advisory.

  Note: LLDP is a Layer 2 protocol. To exploit these vulnerabilities, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent).

  Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
  This advisory is available at the following link:
  https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-multi-lldp-u7e4chCe

Affected Products

o Vulnerable Products

  These vulnerabilities affect the following Cisco Small Business RV Series Routers if they are running a vulnerable firmware release and have LLDP enabled:

  RV132W ADSL2+ Wireless-N VPN Router
  RV134W VDSL2 Wireless-AC VPN Router
  RV160 VPN Router
  RV160W Wireless-AC VPN Router
  RV260 VPN Router
  RV260P VPN Router with PoE
  RV260W Wireless-AC VPN Router
  RV320 Dual Gigabit WAN VPN Router
  RV325 Dual Gigabit WAN VPN Router
  RV340 Dual WAN Gigabit VPN Router
  RV340W Dual WAN Gigabit Wireless-AC VPN Router
  RV345 Dual WAN Gigabit VPN Router
  RV345P Dual WAN Gigabit PoE VPN Router

  For information about which Cisco firmware releases are vulnerable, see the Fixed Software section of this advisory.

  LLDP Configurations

  For Cisco RV132W, RV134W, RV320, and RV325 Routers, LLDP is enabled by default on all LAN ports and WAN interfaces.

  For the following Cisco Small Business Routers, LLDP is enabled by default on the LAN ports and disabled by default on the WAN interfaces:

  RV160 VPN Router
  RV160W Wireless-AC VPN Router
  RV260 VPN Router
  RV260P VPN Router with PoE
  RV260W Wireless-AC VPN Router
  RV340 Dual WAN Gigabit VPN Router
  RV340W Dual WAN Gigabit Wireless-AC VPN Router
  RV345 Dual WAN Gigabit VPN Router
  RV345P Dual WAN Gigabit PoE VPN Router

o Products Confirmed Not Vulnerable

  Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities.

  Cisco has confirmed that these vulnerabilities do not affect the following Cisco products:

  RV016 Multi-WAN VPN Router
  RV042 Dual WAN VPN Router
  RV042G Dual Gigabit WAN VPN Router
  RV082 Dual WAN VPN Router

Details

o These vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability.
  In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.

  Details about the vulnerabilities are as follows:

  CVE-2021-1309: Cisco Small Business RV Series Routers Link Layer Discovery Protocol Remote Code Execution and Denial of Service Vulnerability

  A vulnerability in the LLDP implementation for Cisco Small Business RV Series Routers could allow an unauthenticated, adjacent attacker to execute arbitrary code on an affected device or cause the device to reload.

  This vulnerability is due to missing length validation of certain LLDP packet header fields. An attacker could exploit this vulnerability by sending a malicious LLDP packet to the targeted router. A successful exploit could allow the attacker to execute code on the affected router or cause it to reload unexpectedly, resulting in a DoS condition.

  Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

  Bug ID(s): CSCvw62392, CSCvw62410, CSCvw62413, and CSCvw62416
  CVE ID: CVE-2021-1309
  Security Impact Rating (SIR): High
  CVSS Base Score: 8.8
  CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  CVE-2021-1251: Cisco Small Business RV Series Routers Link Layer Discovery Protocol Memory Leak Denial of Service Vulnerability

  A vulnerability in the LLDP implementation for Cisco Small Business RV Series Routers could allow an unauthenticated, adjacent attacker to cause a memory leak on an affected device.

  This vulnerability is due to missing length validation of certain LLDP packet header fields. An attacker could exploit this vulnerability by sending a malicious LLDP packet to the targeted router. A successful exploit could cause continuous memory consumption on an affected device and eventually cause it to reload, resulting in a DoS condition.

  Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
  Bug ID(s): CSCvw94339, CSCvw94341, CSCvw95016, CSCvw95017, and CSCvy01220
  CVE ID: CVE-2021-1251
  Security Impact Rating (SIR): High
  CVSS Base Score: 7.4
  CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

  CVE-2021-1308: Cisco Small Business RV Series Routers Link Layer Discovery Protocol Denial of Service Vulnerability

  A vulnerability in the LLDP implementation for Cisco Small Business RV Series Routers could allow an unauthenticated, adjacent attacker to cause an affected router to reload unexpectedly.

  This vulnerability is due to missing length validation of certain LLDP packet header fields. An attacker could exploit this vulnerability by sending a malicious LLDP packet to the targeted router. A successful exploit could allow the attacker to cause the affected router to reload unexpectedly, resulting in a DoS condition.

  Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

  Bug ID(s): CSCvw62395, CSCvw62411, CSCvw62417, and CSCvw62418
  CVE ID: CVE-2021-1308
  Security Impact Rating (SIR): High
  CVSS Base Score: 7.4
  CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Workarounds

o There are no workarounds that address these vulnerabilities.

Fixed Software

o Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
  https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

  Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased.
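All three findings in the Details section above come down to the same defect, missing length validation on LLDP TLV header fields. The parser below is an added example written for this page, not Cisco's code or a reconstruction of the affected firmware: it walks the type/length/value records of an LLDPDU and refuses any TLV whose declared length exceeds the bytes actually present, or whose copied field would not fit a fixed-size destination. The `lldp_summary` structure, the sample frames and the return codes are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IEEE 802.1AB TLV types used below; any other type is skipped after bounds checking. */
#define LLDP_TLV_END        0
#define LLDP_TLV_CHASSIS_ID 1
#define LLDP_TLV_PORT_ID    2
#define LLDP_TLV_TTL        3

/* Parsed summary of one LLDPDU. The structure is constructed for this example. */
struct lldp_summary {
    unsigned tlv_count;   /* TLVs seen before the End of LLDPDU TLV */
    uint16_t ttl;         /* seconds from the TTL TLV */
    char port_id[32];     /* fixed-size copy: the kind of buffer an unchecked length overruns */
};

/*
 * Walk the TLVs of an LLDPDU (the bytes after the Ethernet header).
 * Returns 0 on success; a negative code names the check that failed.
 */
int lldp_parse(const uint8_t *pdu, size_t len, struct lldp_summary *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    for (;;) {
        /* A TLV header is 2 bytes: 7-bit type, 9-bit length. Refuse to read it if absent. */
        if (len - off < 2) return -1;
        uint16_t hdr = (uint16_t)((pdu[off] << 8) | pdu[off + 1]);
        uint8_t type = (uint8_t)(hdr >> 9);
        uint16_t tlen = hdr & 0x1ff;
        off += 2;
        /* The check the advisory describes as missing: the declared length must fit the data present. */
        if (tlen > len - off) return -2;
        const uint8_t *val = pdu + off;
        switch (type) {
        case LLDP_TLV_END:
            if (tlen != 0) return -3;
            return 0;
        case LLDP_TLV_PORT_ID: {
            if (tlen < 2) return -4;                   /* subtype byte plus at least one ID byte */
            size_t n = tlen - 1;                       /* ID bytes after the subtype */
            if (n >= sizeof out->port_id) return -5;   /* would not fit with its terminator */
            memcpy(out->port_id, val + 1, n);
            out->port_id[n] = '\0';
            break;
        }
        case LLDP_TLV_TTL:
            if (tlen != 2) return -6;
            out->ttl = (uint16_t)((val[0] << 8) | val[1]);
            break;
        default:
            break;  /* Chassis ID and optional TLVs: bounds-checked, contents ignored here */
        }
        off += tlen;
        out->tlv_count++;
    }
}

/* Constructed sample LLDPDUs; not captured traffic. */
static const uint8_t SAMPLE_GOOD[] = {
    0x02, 0x07, 0x04, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* Chassis ID, MAC subtype */
    0x04, 0x05, 0x05, 'e', 't', 'h', '0',                   /* Port ID, interface-name subtype */
    0x06, 0x02, 0x00, 0x78,                                 /* TTL = 120 s */
    0x00, 0x00                                              /* End of LLDPDU */
};
/* Port ID TLV declares 511 bytes of value but only 4 follow the header. */
static const uint8_t SAMPLE_TRUNCATED[] = {
    0x02, 0x07, 0x04, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x05, 0xff, 0x05, 'e', 't', 'h'
};
/* Port ID TLV of 40 bytes, fully present, but larger than the 32-byte destination. */
static const uint8_t SAMPLE_OVERSIZED[2 + 40] = { 0x04, 0x28, 0x05 };

int parse_good(struct lldp_summary *s)      { return lldp_parse(SAMPLE_GOOD, sizeof SAMPLE_GOOD, s); }
int parse_truncated(struct lldp_summary *s) { return lldp_parse(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, s); }
int parse_oversized(struct lldp_summary *s) { return lldp_parse(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, s); }

/* Accessors so results can be checked without touching the struct. */
int good_ttl(void)          { struct lldp_summary s; return parse_good(&s) == 0 ? s.ttl : -1; }
int good_tlv_count(void)    { struct lldp_summary s; return parse_good(&s) == 0 ? (int)s.tlv_count : -1; }
int good_port_is_eth0(void) { struct lldp_summary s; return parse_good(&s) == 0 && strcmp(s.port_id, "eth0") == 0; }
int truncated_rc(void)      { struct lldp_summary s; return parse_truncated(&s); }
int oversized_rc(void)      { struct lldp_summary s; return parse_oversized(&s); }

int main(void)
{
    struct lldp_summary s;
    int rc = parse_good(&s);
    printf("good:      rc=%d ttl=%u port=%s tlvs=%u\n", rc, s.ttl, s.port_id, s.tlv_count);
    printf("truncated: rc=%d\n", truncated_rc());
    printf("oversized: rc=%d\n", oversized_rc());
    return 0;
}
```

The parser is strict exactly where the advisory says the firmware was lax: the declared TLV length is compared with the bytes remaining before any value byte is read, and the Port ID copy is refused when it would not fit the destination rather than silently truncated. Every return code is distinct so a fuzzing harness or unit test can tell which check fired.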
  Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

  When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

  Customers Without Service Contracts

  Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
  https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

  Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

  Fixed Releases

  Customers are advised to upgrade to an appropriate fixed firmware release as indicated in the following table(s):

  +------------------------------------------+------------------------------------------------------------+
  | Cisco Small Business RV Series Routers   | Fixed Releases                                             |
  +------------------------------------------+------------------------------------------------------------+
  | RV132W                                   | 1.0.1.15 and later                                         |
  | RV134W                                   | 1.0.1.21 and later                                         |
  | RV160, RV160W, RV260, RV260P, and RV260W | 1.0.01.03 and later                                        |
  | RV320 and RV325                          | Refer to End-of-Sale and End-of-Life Announcement for the  |
  |                                          | Cisco RV320 and RV325 Dual Gigabit WAN VPN Router.         |
  | RV340, RV340W, RV345, and RV345P         | 1.0.03.21 and later                                        |
  +------------------------------------------+------------------------------------------------------------+

  To download the firmware from the Software Center on Cisco.com, do the following:

  1. Click Browse all.
  2. Choose Routers > Small Business Routers > Small Business RV Series Routers.
  3. Choose the appropriate router.
  4. Choose Small Business Router Firmware.
  5. Choose a release from the left pane of the product page.

Exploitation and Public Announcements

o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

Source

o Cisco would like to thank Qian Chen of Qihoo 360 Nirvan Team for reporting these vulnerabilities.

Cisco Security Vulnerability Policy

o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

URL

o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-multi-lldp-u7e4chCe

Revision History

o +---------+------------------------+---------------+--------+-------------+
  | Version | Description            | Section       | Status | Date        |
  +---------+------------------------+---------------+--------+-------------+
  | 1.1     | Added that the RV320   | Vulnerable    | Final  | 2021-APR-15 |
  |         | and RV325 hardware     | Products,     |        |             |
  |         | platforms are          | Products      |        |             |
  |         | vulnerable. Added that | Confirmed Not |        |             |
  |         | RV016, RV042, and      | Vulnerable,   |        |             |
  |         | RV082 are not          | Details, and  |        |             |
  |         | vulnerable. Added      | Fixed         |        |             |
  |         | Cisco bug ID           | Software      |        |             |
  |         | CSCvy01220 to advisory |               |        |             |
  |         | header and to the      |               |        |             |
  |         | details for            |               |        |             |
  |         | CVE-2021-1251.         |               |        |             |
  +---------+------------------------+---------------+--------+-------------+
  | 1.0     | Initial public         | -             | Final  | 2021-APR-07 |
  |         | release.               |               |        |             |
  +---------+------------------------+---------------+--------+-------------+

- --------------------------END INCLUDED TEXT--------------------
AusCERT - Security Bulletins · 16 April 2021

ESB-2020.3249.3 - UPDATE [Appliance] FreeType: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.3249.3
F5 products: FreeType vulnerability CVE-2015-9382
16 April 2021
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: FreeType
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote with User Interaction
               Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2015-9382
Reference: ESB-2019.3358
Original Bulletin: https://support.f5.com/csp/article/K46641512
Revision History: April 16 2021: Vendor released fixes for BIG-IP Products
                  January 6 2021: Additional vulnerable versions added by vendor
                  September 23 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K46641512: FreeType vulnerability CVE-2015-9382

Original Publication Date: 23 Sep, 2020
Latest Publication Date: 16 Apr, 2021

Security Advisory Description

FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation. (CVE-2015-9382)

Impact

An attacker may be able to use a maliciously crafted file to create a buffer overflow and potentially expose small amounts of memory from the PostScript process.

Security Advisory Status

F5 Product Development has assigned ID 945109 (BIG-IP) and ID 947305 (BIG-IQ) to this vulnerability.

To determine if your product and version have been evaluated for this vulnerability, refer to the Applies to (see versions) box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table.
For more information about security advisory versioning, refer to K51812227: Understanding security advisory versioning.

+---------------------------------+--------+-------------------+------------+----------------+---------+--------------+
| Product                         | Branch | Versions known to | Fixes      | Severity       | CVSSv3  | Vulnerable   |
|                                 |        | be vulnerable     | introduced |                | score^1 | component or |
|                                 |        |                   | in         |                |         | feature      |
+---------------------------------+--------+-------------------+------------+----------------+---------+--------------+
| BIG-IP (LTM, AAM, Advanced WAF, | 16.x   | 16.0.0 - 16.1.0   | None       | Medium         | 4.3     | Linux kernel |
| AFM, Analytics, APM, ASM, DDHD, | 15.x   | 15.1.0 - 15.1.2   | None       |                |         | (BaseOS)     |
| DNS, FPS, GTM, Link Controller, | 14.x   | 14.1.0 - 14.1.4   | 14.1.4.1   |                |         |              |
| PEM, SSLO)                      | 13.x   | 13.1.0 - 13.1.3   | None       |                |         |              |
|                                 | 12.x   | 12.1.0 - 12.1.5   | 12.1.6     |                |         |              |
|                                 | 11.x   | 11.6.1 - 11.6.5   | 11.6.5.3   |                |         |              |
+---------------------------------+--------+-------------------+------------+----------------+---------+--------------+
| BIG-IQ Centralized Management   | 8.x    | 8.0.0             | None       | Medium         | 4.3     | Linux kernel |
|                                 | 7.x    | 7.0.0 - 7.1.0     | None       |                |         | (BaseOS)     |
|                                 | 6.x    | 6.0.0 - 6.1.0     | None       |                |         |              |
|                                 | 5.x    | 5.4.0             | None       |                |         |              |
+---------------------------------+--------+-------------------+------------+----------------+---------+--------------+
| Traffix SDC                     | 5.x    | None              | Not        | Not vulnerable | None    | None         |
|                                 |        |                   | applicable |                |         |              |
+---------------------------------+--------+-------------------+------------+----------------+---------+--------------+

^1 The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.
Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Fixes introduced in column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

Mitigation

Do not allow Postscript files to be uploaded for customization or hosted content.

Supplemental Information

o K41942608: Overview of security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
o K15106: Managing BIG-IQ product hotfixes
o K15113: BIG-IQ hotfix and point release matrix
o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM systems (11.4.x and later)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYHkAk+NLKJtyKPYoAQjloA//WQ4ZuAqrQV3WHmKvIpr8jZyTD6UzUCu1
Y+sqr6GtMOcFnhYdoWsQES0qlsMyj+c3siFa/TXRqm24/opzV9TiE+/m7i2JteaY
i2d6QDIBmnzcTsL2+DGcqOZGL4BZjVpo7WFlmOquVkyghQUwhMpFo7p37nmR31/M
Za9ASQW2oQrF5/R0an7L+ORrwh3jM48OU6D2/35wUF73+7mqCyG4O6IY7jC5gUSa
yPI1mXFakVisTZkFRUUlPEjbns0eMpE676aJAnMqPpeR6DPp8XUTOfGITH2Xxf0f
njJzBfJFNRwc0x2CSWANITf/efXUIDu5l3RFPw9SxWaltXSdKtUSQRnxRYYnSXt/
GicI0yDgvPXpo5OQRoMq+PaYWMX8vhzvXBtRjSg4Wl1/GLts02Xxbj2aP21iUpl4
1/2Fg1FlRbcydub/d1LDOJf5Q9VEwTOfg0hbDMHgNyqLkSoSN2kpT8uTiDGFvG2D
ZLACEus2C3mdOdXCt88f6lY6V19oakfb5cB7LhdwqaqD0Zk/o0mFIOyPwQ1oKhev
BVI8Jj7N6rDJgXRnLTDNT2TisOtcpuvXjF6iG2M8I18by8SLxgzed3FIYGhEUOIB
8IgVHd9NsXnPwedopQ2VvEbxy7YqnbWV+htsZ8H77MKX56rUGdF3HEk5+6DIcHCt
i7a7aTLAGo8=
=AliV
-----END PGP SIGNATURE-----
AusCERT - Security Bulletins · 16 April 2021

ESB-2020.1562.3 - UPDATE [Appliance] F5 BIG-IP and BIG-IQ Products: Execute arbitrary code/commands - Existing account

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1562.3
                  F5 secure shell vulnerability CVE-2020-5873
                                 16 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP Products
                   F5 BIG-IQ Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-5873

Original Bulletin: 
   https://support.f5.com/csp/article/K03585731

Revision History:  April 16 2021: Vendor released fixes for BIG-IQ Centralized Management.
                   May 14 2020:   Vendor released minor update
                   May 1 2020:    Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K03585731: F5 secure shell vulnerability CVE-2020-5873

Original Publication Date: 30 Apr, 2020
Latest Publication Date: 16 Apr, 2021

Security Advisory Description

A user associated with the Resource Administrator role who has access to the secure copy (scp) utility but does not have access to Advanced Shell (bash) can execute arbitrary commands using a maliciously crafted scp request. (CVE-2020-5873)

Impact

An authenticated user with Resource Administrator role can run shell commands with elevated privilege.

Security Advisory Status

F5 Product Development has assigned ID 780601 (BIG-IP), and ID 790469 (BIG-IQ) to this vulnerability.

To determine if your product and version have been evaluated for this vulnerability, refer to the Applies to (see versions) box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.
For more information about security advisory versioning, refer to K51812227: Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |15.1.0    |          |      |          |
|                   |      |15.0.1    |15.0.1.1  |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.1.0 -  |14.1.2.4^2|          |      |          |
|BIG-IP (LTM, AAM,  |      |14.1.2    |          |          |      |          |
|AFM, Analytics,    +------+----------+----------+          |      |          |
|APM, ASM, DNS, FPS,|13.x  |13.1.0 -  |13.1.3.2  |High      |7.8   |SSH       |
|GTM, Link          |      |13.1.3    |          |          |      |          |
|Controller, PEM)   +------+----------+----------+          |      |          |
|                   |12.x  |12.1.0 -  |12.1.5.1  |          |      |          |
|                   |      |12.1.5    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |11.6.1 -  |11.6.5.1  |          |      |          |
|                   |      |11.6.5    |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |8.x   |None      |8.0.0     |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |7.x   |7.0.0 -   |None      |          |      |          |
|                   |      |7.1.0     |          |          |      |          |
|BIG-IQ Centralized +------+----------+----------+High      |7.8   |SSH       |
|Management         |6.x   |6.0.0 -   |None      |          |      |          |
|                   |      |6.1.0     |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |5.3.0 -   |None      |          |      |          |
|                   |      |5.4.0     |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1 The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.

^2 BIG-IP 14.1.2.4 is not a supported release; please use a later release. Refer to K5903: BIG-IP software support policy.
Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Fixes introduced in column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, you can limit access to the management and self IP ports and limit login access to trusted users. For more information about securing access to the affected systems:

o For BIG-IP or Enterprise Manager systems, refer to K13309: Restricting access to the Configuration utility by source IP address (11.x - 15.x) and K13092: Overview of securing access to the BIG-IP system.
o For BIG-IQ systems, refer to K31401771: Restricting access to the BIG-IQ or F5 iWorkflow user interface by source IP address. For BIG-IQ systems, you may need to include addresses of the managed BIG-IP systems, high availability (HA) peers, and DCD nodes, depending on your configuration.

Supplemental Information

o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K15106: Managing BIG-IQ product hotfixes
o K15113: BIG-IQ hotfix and point release matrix
o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM systems (11.4.x and later)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYHkAgONLKJtyKPYoAQikzxAAqeqeCN9ykIlCBY61GerIMDybgi8/LKUf
n5bGK+9NDCAq5WDuTneOvtNKhAv/pK1STQeaPsrwkrOcGB+0bQ+xyZsgw5ZaDNNq
s40M+MrMgT8bNi9mDOUnJiJcolkA2oCWK7K0phAwH5i9A7lwENM7IURTmLa14qn1
USxzaVETafdhh/TXiBLeWLPq5afNQUV+t7IRSwEY36RWYai20Y8CnOZS17zG8ROG
hoyh8edPJ6JZScrN05B1uAwIjihjHuX/VeyKJo9UvKbz//LoA06vzBvxmkL0S0FM
OFQzFMbOJhCBX2T9eXXzjVbLvYXKr4a/fUiD2sb4M2rYiwKPJPcplos9MOgPrNyK
K+vMZL2V5IZuPE2Zzm/6ZkmT/7vfqZRU+UV/8YqICxKOs5vI0bvbqoN820rUy6+9
UztodUNSHsRWBCTV9FzHKNNmmCd6FTDAYZSsbL5Y7HC0mhvX5RD1J7kDzQJgbINh
5p5EeBNjpUR26iAkuKz9Uei9uXCAyP/MNoh+bKr2NKAZHwW0zL8JB8VyAujRT6Md
uyIlFTXHjXaFEaWoAd4PrB0opj/a9GG3ig/OIe8YCxmZdq60tg98+4KQJMGl1vdF
jvnCiNxQFIok1I2ETYkQCIIqLzBZO47raHp0ghVEixFoCwuqTRZ1AfkFeYWig6N0
JEF/eOqEZK8=
=c7na
-----END PGP SIGNATURE-----
NVD: all CVE · 16 April 2021

CVE-2018-19942

A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions:

QTS 4.5.2.1566 build 20210202 (and later)
QTS 4.5.1.1456 build 20201015 (and later)
QTS 4.3.6.1446 build 20200929 (and later)
QTS 4.3.4.1463 build 20201006 (and later)
QTS 4.3.3.1432 build 20201006 (and later)
QTS 4.2.6 build 20210327 (and later)
QuTS hero h4.5.1.1472 build 20201031 (and later)
QuTScloud c4.5.4.1601 build 20210309 (and later)
QuTScloud c4.5.3.1454 build 20201013 (and later)
ECHO Network · 16 April 2021

Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.5

Description. CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') The vulnerability allows a remote attacker to perform a denial of service (DoS) attack. The vulnerability exists due to a race condition in some net/http servers, as demonstrated by the httputil.
SANS · 16 April 2021

ISC Stormcast For Friday, April 16th, 2021 https://isc.sans.edu/podcastdetail.html?id=7460, (Fri, Apr 16th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
NVD: all CVE · 16 April 2021

CVE-2021-27691

Command Injection in Tenda G0 routers with firmware versions v15.11.0.6(9039)_CN and v15.11.0.5(5876)_CN, and Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted action/setDebugCfg request. This occurs because the "formSetDebugCfg" function executes glibc's system function with untrusted input.
NVD: all CVE · 16 April 2021

CVE-2021-27692

Command Injection in Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted "action/umountUSBPartition" request. This occurs because the "formSetUSBPartitionUmount" function executes the "doSystemCmd" function with untrusted input.
ECHO Network · 16 April 2021

Name:Wreck – Researchers discover further vulnerabilities in TCP/IP stacks

Security researchers at Forescout report no fewer than eight vulnerabilities in certain versions of the stack implementations of Nucleus Net (Siemens), FreeBSD and NetX, also known as Azure RTOS NetX (Microsoft). In addition there is a "rediscovered" but long-since patched vulnerability in IPNet. The researchers call their latest discovery "Name:Wreck".
ECHO Network · 16 April 2021

Are Your Nagios XI Servers Turning Into Cryptocurrency Miners for Attackers?

Executive Summary. On March 16, 2021, Unit 42 researchers observed an attacker targeting Nagios XI software to exploit the vulnerability CVE-2021-25296, a remote command injection vulnerability impacting Nagios XI version 5.7.5, to conduct a cryptojacking attack and deploy the XMRig coinminer on victims' devices.
Ubuntu Security Notices · 16 April 2021

USN-4917-1: Linux kernel vulnerabilities

It was discovered that the overlayfs implementation in the Linux kernel did not properly validate the application of file system capabilities with respect to user namespaces. A local attacker could use this to gain elevated privileges. (CVE-2021-3493)

Vincent Dehors discovered that the shiftfs file system in the Ubuntu Linux kernel did not properly handle faults in copy_from_user() when passing through ioctls to an underlying file system. A local attacker could use this to cause a denial of service (memory exhaustion) or execute arbitrary code. (CVE-2021-3492)

Piotr Krysiuk discovered that the BPF JIT compiler for x86 in the Linux kernel did not properly validate computation of branch displacements in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-29154)