Hírolvasó
ESB-2021.1296 - [Appliance] EIPStackGroup OpENer EtherNet/IP: Multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1296
Advisory (icsa-21-105-02) EIPStackGroup OpENer Ethernet/IP
16 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: EIPStackGroup OpENer EtherNet/IP
Publisher: ICS-CERT
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Read-only Data Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-27500 CVE-2021-27498 CVE-2021-27482
CVE-2021-27478
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-21-105-02
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-21-105-02)
EIPStackGroup OpENer Ethernet/IP
Original release date: April 15, 2021
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/ .
1. EXECUTIVE SUMMARY
o CVSS v3 8.2
o ATTENTION : Exploitable remotely/low attack complexity
o Vendor : EIPStackGroup
o Equipment : OpENer EtherNet/IP
o Vulnerabilities : Incorrect Conversion Between Numeric Types, Out-of-bounds
Read, Reachable Assertion
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could cause a
denial-of-service condition and data exposure.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of OpENer EtherNet/IP, are affected:
o https://github.com/EIPStackGroup/OpENer/ commits and versions prior to Feb
10, 2021
3.2 VULNERABILITY OVERVIEW
3.2.1 INCORRECT CONVERSION BETWEEN NUMERIC TYPES CWE-681
A specifically crafted packet sent by an attacker to the affected devices may
cause a denial-of-service condition.
CVE-2021-27478 has been assigned to this vulnerability. A CVSS v3 base score of
8.2 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:L/A:H ).
3.2.2 OUT-OF-BOUNDS READ CWE-125
A specifically crafted packet sent by an attacker may allow the attacker to
read arbitrary data.
CVE-2021-27482 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:N/A:N ).
3.2.3 REACHABLE ASSERTION CWE-617
A specifically crafted packet sent by an attacker may result in a
denial-of-service condition.
CVE-2021-27500 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).
3.2.4 REACHABLE ASSERTION CWE-617
A specifically crafted packet sent by an attacker may result in a
denial-of-service condition.
CVE-2021-27498 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:H ).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Multiple
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Austria
3.4 RESEARCHER
Tal Keren and Sharon Brizinov of Claroty reported these vulnerabilities to
CISA.
4. MITIGATIONS
The maintainer of OpENer recommends those affected to apply the latest commits
available.
CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure that they are not accessible from the Internet .
o Locate control system networks and remote devices behind firewalls, and
isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing that VPNs may have vulnerabilities and should
be updated to the most current version available. Also recognize that VPN
is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.cisa.gov . Several recommended practices are
available for reading and download, including Improving Industrial Control
Systems Cybersecurity with Defense-in-Depth Strategies .
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYHjhyONLKJtyKPYoAQjUzBAAm6/QX9o/hFSU+kivEgywGrIfv3TQ9Ruu
/RJzf3WHlgzOtO8P/Gt12WqrqrUNTR5x7HQDrbT+0OipdwmvrUG2FGTUvvI9WIjj
NeTIa7PEMB6FVWefhnAZ4E+FTTbieg7/mu8Daynrcp1KF9BAOqJpL57apL8Q5HmG
xOamyj5TeJt2CMIHBN5esf6bcvXa23oBj+OuJijbgxF+ACyGqnu5OKNSpypbw+bx
fIu49unDHpZozV62XNrS+nahniBCVCmxxHDgsz1RfUE9ADoN/mHZ1Vell51c6VVt
9i2F5THthnePfVdrah106HWbYC0ZutlzTM5nIUzTSHRo/Q0osQgkL5RwMeIRg4Yd
BCrfCmk1EC9o9W2KNRBkF3pfoqIWo7Te3Bv75sp2IdE7HVB6yPVqikBG1i3ixkFs
sMVRCVDvdc2E4Xdmdh/6C7Er27Koo47nYXUnuZFaD/wezD0MKodnC4NNVYcUhCbp
9FsUhjatRAiz8Sq+8QSIGyBxRrYcrAMzjfjqYBxDWdoXu8DdDUxHpGcVZ5tpeNPA
9eJ9npXl6gy9qD6MyJcLzixYUL/Qbi/TlFF7u/pkGyXD0xagPJK24IOCP7FqBcvV
q+5SFX6ggag8IMihPQmrm9jGq41iWT77mM3aZNwTML+Bp2OHFgIrxeAivBExcOb6
5a53yjU8+QM=
=RiJ2
-----END PGP SIGNATURE-----
ESB-2021.1295 - [Debian] xorg-server: Increased privileges - Existing account
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1295
xorg-server security update
16 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: xorg-server
Publisher: Debian
Operating System: Debian GNU/Linux
Impact/Access: Increased Privileges -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-3472
Reference: ESB-2021.1283
ESB-2021.1227
Original Bulletin:
http://www.debian.org/lts/security/2021/dla-2627
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2627-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
April 15, 2021 https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------
Package : xorg-server
Version : 2:1.19.2-1+deb9u8
CVE ID : CVE-2021-3472
Jan-Niklas Sohn discovered that there was an input validation failure
in the X.Org display server.
Insufficient checks on the lengths of the XInput extension's
ChangeFeedbackControl request could have lead to out of bounds memory
accesses in the X server. These issues can lead to privilege
escalation for authorised clients, particularly on systems where the
X server is running as a privileged user.
For Debian 9 "Stretch", this problem has been fixed in version
2:1.19.2-1+deb9u8.
We recommend that you upgrade your xorg-server packages.
For the detailed security status of xorg-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmB4E6AACgkQHpU+J9Qx
Hlj6qw//ZBpTkP0Af19OglE2NR3AujsTErxp4lI8sc5LwOlXtnfcVFEpl4kpLBpR
suMrlmkryaedBBl0Zeq8qnoimuMPdhiTing+77I1YW7hNfhwZJdDjLsoVFG5qXe6
D9/fD683vgL4IiKdHxLNfqcaaL8QYm2KmyKLbHsTvQ+12b7pq9TwenbIHGloGV7K
nsTZrXkx37loi5cdYHQLw09qKYXcTaQx+GZ7XH0UgiJi4XJCjY7gr6/4+qnqVYW/
OnpmGYh9SycH1cFHkPfmWDGrBd3omKStkx7keBXXBQVgyyUpIDp9A3J62lM3vX9U
czexLKJTCx77CviBFcJYigi41ST/XT/HCVy2pkvxv7d6KXA+fCKPL7jogBy43Zfy
3d2SL9mH7MxAfP5TVOsmShPrLqY9FGm0MteXjSKX7inoAxJmJx9F2w7JtzfNNDpG
2a0mJABw4ZRRiEL5OlEonAwqExyR+LO6cFA+xWKmZwsy4lMEeOBo3RAzX+U21iLB
wDATwPL0Q97XM3b3iOJShCXr2nWYrNhd2mWFFEewXVEZWvSVqyI9uVtr9FW6/0YJ
LD9jXp1BBbt7/bMZv+KSLVMavKLOu4Vm6bwClKX5NYS1ZRXWVX71XkuId5ntpoco
raxAtjWgda1KidFGStU2ABoFoil4tyWhg7CuB+KCoyfVhIiM4Wg=
=eyBB
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYHjhteNLKJtyKPYoAQj97g/+M+ZGKGMnX4gqeORmKa5FWvtwnmwCXT5t
OtRl14H/vzDwk+Oyk1zCBlI8aPiduIdaw+IPk88u1C7Glr+4u/aeOdke/nFYYK4+
CZg2EYfPrVDzOtWW6uKDJ5EJTlwYSmDHIgF00UK3nsfqrfHHXjSmjHGaNbqtehou
g0v859VLn0dGq5iRJTk/n+lmYRvsp95zif2aAmkNX8tXcLX/Mwj3dA8Ls9nnsDKd
mupy3mnxleCsEFNBPAjYMIPJU9VE5ugVTYTEW7ut2ENcsJ0J3UpshqT9lBN0I4um
4MRxtNaHjMJ2lofA/2VBASSGZl1mtgrWQbicYV//g5jy8qUGJvCcVYC86fyC9nQ8
IaM8lsvR1YRTpSlwAGwg5gnX22pwgLHoc3Xt8s2A877ZD9YRn5Zbej/ADJVNmIrx
CgPwMEs3cog6GDJN6Jlf8/U46wtd1HIlT7DNl/v4JfmI2pGm5UiX7aRm5rMh+49M
Rh0deT+3EiN8LFAwDn/1y5L8RSXXi4x2B0lHKqw04cx135HhUbIL2usrEEeryOgl
jduJewnXN/7OLSWsrR8cA0O7NfkIxQv0d42hEQ7wYrjqRBgb3X6cbdJ6Cbi34mPW
AE9cZlefxjqPqJRfxiVJr9uL/xZo8w/lKe63igNAtZElbloiZZbtoefJ08QZewa0
RlTeI9lJ7+s=
=OeKL
-----END PGP SIGNATURE-----
ESB-2021.1294 - [RedHat] libldb: Denial of service - Existing account
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1294
libldb security update
16 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libldb
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-20277
Reference: ESB-2021.1282
ESB-2021.1137
Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:1213
https://access.redhat.com/errata/RHSA-2021:1214
Comment: This bulletin contains two (2) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: libldb security update
Advisory ID: RHSA-2021:1213-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1213
Issue date: 2021-04-15
CVE Names: CVE-2021-20277
=====================================================================
1. Summary:
An update for libldb is now available for Red Hat Enterprise Linux 8.2
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux BaseOS EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64
3. Description:
The libldb packages provide an extensible library that implements an
LDAP-like API to access remote LDAP servers, or use local TDB databases.
Security Fix(es):
* samba: Out of bounds read in AD DC LDAP server (CVE-2021-20277)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1941402 - CVE-2021-20277 samba: Out of bounds read in AD DC LDAP server
6. Package List:
Red Hat Enterprise Linux BaseOS EUS (v. 8.2):
Source:
libldb-2.0.7-4.el8_2.src.rpm
aarch64:
ldb-tools-2.0.7-4.el8_2.aarch64.rpm
ldb-tools-debuginfo-2.0.7-4.el8_2.aarch64.rpm
libldb-2.0.7-4.el8_2.aarch64.rpm
libldb-debuginfo-2.0.7-4.el8_2.aarch64.rpm
libldb-debugsource-2.0.7-4.el8_2.aarch64.rpm
libldb-devel-2.0.7-4.el8_2.aarch64.rpm
python3-ldb-2.0.7-4.el8_2.aarch64.rpm
python3-ldb-debuginfo-2.0.7-4.el8_2.aarch64.rpm
ppc64le:
ldb-tools-2.0.7-4.el8_2.ppc64le.rpm
ldb-tools-debuginfo-2.0.7-4.el8_2.ppc64le.rpm
libldb-2.0.7-4.el8_2.ppc64le.rpm
libldb-debuginfo-2.0.7-4.el8_2.ppc64le.rpm
libldb-debugsource-2.0.7-4.el8_2.ppc64le.rpm
libldb-devel-2.0.7-4.el8_2.ppc64le.rpm
python3-ldb-2.0.7-4.el8_2.ppc64le.rpm
python3-ldb-debuginfo-2.0.7-4.el8_2.ppc64le.rpm
s390x:
ldb-tools-2.0.7-4.el8_2.s390x.rpm
ldb-tools-debuginfo-2.0.7-4.el8_2.s390x.rpm
libldb-2.0.7-4.el8_2.s390x.rpm
libldb-debuginfo-2.0.7-4.el8_2.s390x.rpm
libldb-debugsource-2.0.7-4.el8_2.s390x.rpm
libldb-devel-2.0.7-4.el8_2.s390x.rpm
python3-ldb-2.0.7-4.el8_2.s390x.rpm
python3-ldb-debuginfo-2.0.7-4.el8_2.s390x.rpm
x86_64:
ldb-tools-2.0.7-4.el8_2.x86_64.rpm
ldb-tools-debuginfo-2.0.7-4.el8_2.i686.rpm
ldb-tools-debuginfo-2.0.7-4.el8_2.x86_64.rpm
libldb-2.0.7-4.el8_2.i686.rpm
libldb-2.0.7-4.el8_2.x86_64.rpm
libldb-debuginfo-2.0.7-4.el8_2.i686.rpm
libldb-debuginfo-2.0.7-4.el8_2.x86_64.rpm
libldb-debugsource-2.0.7-4.el8_2.i686.rpm
libldb-debugsource-2.0.7-4.el8_2.x86_64.rpm
libldb-devel-2.0.7-4.el8_2.i686.rpm
libldb-devel-2.0.7-4.el8_2.x86_64.rpm
python3-ldb-2.0.7-4.el8_2.i686.rpm
python3-ldb-2.0.7-4.el8_2.x86_64.rpm
python3-ldb-debuginfo-2.0.7-4.el8_2.i686.rpm
python3-ldb-debuginfo-2.0.7-4.el8_2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-20277
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYHgsstzjgjWX9erEAQh1qRAAokzog4m8FTlh3ZZXTR3FAbL19TvjBn2p
cJa/OfZQYVY4yx4xMlWvzXH/IMqX7cufCbCu6r28SFHHgO5yJWUy3AeKysMrOYUB
bxwyeW9VVBeSG1XVmzv78aN53LpI792ynab5qWrzMJMjMPPUDqYkPLgs4EXuf/Dq
UqvqNFrcDpxuDrnkyShg/W97YcYdT/nc5A/INX+AnsmMt1CBZME4N4RIFwaVF/Qd
sbsfeCcrY/WqYrzhNG0/ERdeIYcQIXED0OsXiag9OGEXhnbEoqZ8ygqWJyB74wci
OkzXuwQvnmrMm7oIggq3oY1oREt0Eiv4X/flkYhdytaC74c4R7THJvDnrH3dDnPk
trC8A52yPLK+MHLJfEguaO04Omhmz4ZxR5JotAxcc2SClFFp8AnGxux6YHRAaSc9
p/vs5p1LOKpEU9ACGPlI+Q9SA2vlsATTuFTgPno17i2JTOcmU4ok3B1e/opZ5niR
BoCDJD04R7yLC7Cvkv56coB3f0le5EUQcanRXKHuXO5KgauIDb3jel1onu1vwiik
p6sV8qmRDTibpGGTRtTpg0EzXMcDTcsunzgYFobtuma8TMPABYXWfIHoUZDud9KT
9fLh5iQPigglUwblEFM9fJgAyItzQ6KHPFXpa5ZrCNTfUVT4mh13s63bRWKKOeaG
d7q0/dCpMWU=
=TQJ4
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: libldb security update
Advisory ID: RHSA-2021:1214-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1214
Issue date: 2021-04-15
CVE Names: CVE-2021-20277
=====================================================================
1. Summary:
An update for libldb is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux BaseOS EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64
3. Description:
The libldb packages provide an extensible library that implements an
LDAP-like API to access remote LDAP servers, or use local TDB databases.
Security Fix(es):
* samba: Out of bounds read in AD DC LDAP server (CVE-2021-20277)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1941402 - CVE-2021-20277 samba: Out of bounds read in AD DC LDAP server
6. Package List:
Red Hat Enterprise Linux BaseOS EUS (v. 8.1):
Source:
libldb-1.5.4-3.el8_1.src.rpm
aarch64:
ldb-tools-1.5.4-3.el8_1.aarch64.rpm
ldb-tools-debuginfo-1.5.4-3.el8_1.aarch64.rpm
libldb-1.5.4-3.el8_1.aarch64.rpm
libldb-debuginfo-1.5.4-3.el8_1.aarch64.rpm
libldb-debugsource-1.5.4-3.el8_1.aarch64.rpm
libldb-devel-1.5.4-3.el8_1.aarch64.rpm
python3-ldb-1.5.4-3.el8_1.aarch64.rpm
python3-ldb-debuginfo-1.5.4-3.el8_1.aarch64.rpm
ppc64le:
ldb-tools-1.5.4-3.el8_1.ppc64le.rpm
ldb-tools-debuginfo-1.5.4-3.el8_1.ppc64le.rpm
libldb-1.5.4-3.el8_1.ppc64le.rpm
libldb-debuginfo-1.5.4-3.el8_1.ppc64le.rpm
libldb-debugsource-1.5.4-3.el8_1.ppc64le.rpm
libldb-devel-1.5.4-3.el8_1.ppc64le.rpm
python3-ldb-1.5.4-3.el8_1.ppc64le.rpm
python3-ldb-debuginfo-1.5.4-3.el8_1.ppc64le.rpm
s390x:
ldb-tools-1.5.4-3.el8_1.s390x.rpm
ldb-tools-debuginfo-1.5.4-3.el8_1.s390x.rpm
libldb-1.5.4-3.el8_1.s390x.rpm
libldb-debuginfo-1.5.4-3.el8_1.s390x.rpm
libldb-debugsource-1.5.4-3.el8_1.s390x.rpm
libldb-devel-1.5.4-3.el8_1.s390x.rpm
python3-ldb-1.5.4-3.el8_1.s390x.rpm
python3-ldb-debuginfo-1.5.4-3.el8_1.s390x.rpm
x86_64:
ldb-tools-1.5.4-3.el8_1.x86_64.rpm
ldb-tools-debuginfo-1.5.4-3.el8_1.i686.rpm
ldb-tools-debuginfo-1.5.4-3.el8_1.x86_64.rpm
libldb-1.5.4-3.el8_1.i686.rpm
libldb-1.5.4-3.el8_1.x86_64.rpm
libldb-debuginfo-1.5.4-3.el8_1.i686.rpm
libldb-debuginfo-1.5.4-3.el8_1.x86_64.rpm
libldb-debugsource-1.5.4-3.el8_1.i686.rpm
libldb-debugsource-1.5.4-3.el8_1.x86_64.rpm
libldb-devel-1.5.4-3.el8_1.i686.rpm
libldb-devel-1.5.4-3.el8_1.x86_64.rpm
python3-ldb-1.5.4-3.el8_1.i686.rpm
python3-ldb-1.5.4-3.el8_1.x86_64.rpm
python3-ldb-debuginfo-1.5.4-3.el8_1.i686.rpm
python3-ldb-debuginfo-1.5.4-3.el8_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-20277
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYHgd7tzjgjWX9erEAQiBsQ/9E47myd3bomQ/JbZQ98wQfQ68LDU4gI+A
ZB2kIhv5BK3Wh5JNwCYKYGa8rYDovl5Umo3UICmjDtQhukEyUZ9UKFjdskrYNxS8
47l1LGhVW7Rkl6fDpsFCI/G5NLcZ0OrpTheRBcGFYkYNIbYXPXoFz1GDR6XaTEna
AhglvdWEQdtUox68BbpPib23e5IRPUGcM6G00QbA4RmAswK4BKqasbOdgFAmNrVT
3Ox87/OunlMN+k89vTpHvZ7Su57+LJ5zXiVQcljUCJNcQpv8hcTxLsVTdzICCguN
C0chbqm/eVAMZyRxZVuXPSbYUI9Qag4m066FhV303E7urq/m6oTgyH+ECUOaaHdX
NTA0VW38VtGZeEc2p/RNXEWccN4i/b09oLtVhU+PCtBlc44Ddh3DVAa/vNJ/twf4
WT6bLapFkpmMnP58Asxx9VkoK/CndXDrGjjx/W21AMSxpTIFkYL+Udpy1gw5tQer
Fa/t5dYVanbO0FDzJwhVoRjAB9xB44ugaLxapt9wqv16SDSBcgXJMmcV1e2yD8Gy
1A1hsa2ukhVmuwwao4TcTHp3MGDZULEuVGvsC4KsaCrZgX7PBZvSEi+KbD+Ctsvv
Cjo4DKJVKyYumo0Trr+KkwI3lRC5c+lO/Y86OKQ+2RLdLfBVVJL9FFwNVDr1gQXG
+gdfHynpH8w=
=luq2
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYHjhoONLKJtyKPYoAQgjPQ//XjpiePlce0X2J1eHJ+c0QA2miAclQEWc
FvMHouziYY6HbDaV3FePWgL3blcYaJPZA8SPj5NtyGy88azujmDad8ORM3LS61hK
JbWF98cLrjj03RZsFfT+2+KSFKZtT+SygKP+THw9GGc/zJHdKIFhPzRfQVDSHraO
KXJgZ5VrqG+KlUgm58xD8nksrnJKhayKTqJbAEBSS9nOd0XWv8GtvMHmjn5YAxKL
jQOldjgRQEQrgMUrubq8LuNF+mHQp1iDh7dqMXuADzPY+yGzynhkMD7Kt7UFzXeq
cu0h8a5QMM7qlNlEitFwh4rgPlhDEgabFisfAxdBySiI5YaC8+EzAXMLntG9+tDs
jpA4kT7WEPIomGxqVZYzAuZdWWpD5rwMfHd+nCk3pfEjVkZsAxxRAyxosnnb/8MI
rwwFpmZ6URmUES/0Z0TKaIdcjgkCdtm7zUW2SrBmX5la/uSUUJgdX0WfYqqzNycT
yLdUhz+oc8IOoleaw+eYdhoO8+uTFCD8yX2rHq+xm4Hzn5U/2r9A26YR7vFpURVU
UzVk84cjHPZ0RbB02Enz7N0gEyrQ8uug6tLCdQOgoFAr7hrJj5mGFcLjFNETdXot
WPQiCUImLoC74KjLN961JWlxibsQ5cYHGhW4Nzp2sGH7was/PoAV6cjJ7g8Is6om
TLUVolrn6Xk=
=MEr8
-----END PGP SIGNATURE-----
ESB-2021.1293 - [Appliance] McAfee Web Gateway Products: Multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1293
Status and updates for OpenSSL vulnerabilities
(CVE-2021-3450 and 2021-3449)
16 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: McAfee Web Gateway (MWG)
McAfee Web Gateway Cloud Service (MWGCS)
Publisher: McAfee
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-3450 CVE-2021-3449
Reference: ESB-2021.1278
ESB-2021.1191
ESB-2021.1180
ESB-2021.1120
Original Bulletin:
https://kc.mcafee.com/corporate/index?page=content&id=SB10356
- --------------------------BEGIN INCLUDED TEXT--------------------
McAfee Security Bulletin - Status and updates for OpenSSL vulnerabilities
(CVE-2021-3450 and 2021-3449)
Security Bulletins ID : SB10356
Last Modified : 4/14/2021
Summary
First Published: April 14, 2021
+-----------------------------------------------------------------------------+
| CVE Information: |
+--------------------------+--------------------------------------------------+
| Impact of | Low - see the Vulnerability Description section |
| Vulnerabilities: | below |
+---------------+----------+-------+-----------------------+------------------+
| | | CVSS | | |
| CVE IDs | Severity | v3.1 | Affected Products | Impact of |
| | Rating | Base | | Vulnerabilities |
| | | Score | | |
+---------------+----------+-------+-----------------------+------------------+
| | | | See the McAfee | CWE-295 - |
| CVE-2021-3450 | High | 7.4 | Product Vulnerability | Improper |
| | | | Status table below | Certificate |
| | | | | Validation |
+---------------+----------+-------+-----------------------+------------------+
| | | | See the McAfee | CWE-476 - NULL |
| CVE-2021-3449 | Medium | 5.9 | Product Vulnerability | Pointer |
| | | | Status table below | Dereference |
+---------------+----------+-------+-----------------------+------------------+
| Highest CVSS v3.1 Base | High |
| Score: | |
+--------------------------+--------------------------------------------------+
| Recommendations: | Deploy the fixes as they are made available. |
+--------------------------+--------------------------------------------------+
| Security Bulletin | None |
| Replacement: | |
+--------------------------+--------------------------------------------------+
| Affected Models: | See the McAfee Product Vulnerability Status |
| | table below for platform details. |
+--------------------------+--------------------------------------------------+
| Location of updated | http://www.mcafee.com/us/downloads/ |
| software: | downloads.aspx |
+--------------------------+--------------------------------------------------+
To receive email notification when this Security Bulletin is updated, click
Subscribe on the right side of the page. You must be logged on to subscribe.
Article contents:
o Vulnerability Description
o Remediation
o Frequently Asked Questions (FAQs)
o Resources
o Disclaimer
Vulnerability Description
OpenSSL released a security advisory against version 1.1.1 with 1.1.1k
containing the fix. Some McAfee products are using 1.0.2 (with an extended
Support contract) and are not vulnerable.
1. CVE-2021-3150
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the
certificates present in a certificate chain. It is not set by default.
Starting from OpenSSL version 1.1.1h a check to disallow certificates in
the chain that have explicitly encoded elliptic curve parameters was added
as an additional strict check. An error in the implementation of this check
meant that the result of a previous check to confirm that certificates in
the chain are valid CA certificates was overwritten. This effectively
bypasses the check that non-CA certificates must not be able to issue other
certificates. If a "purpose" has been configured then there is a subsequent
opportunity for checks that the certificate is a valid CA. All of the named
"purpose" values implemented in libcrypto perform this check. Therefore,
where a purpose is set the certificate chain will still be rejected even
when the strict flag has been used. A purpose is set by default in libssl
client and server certificate verification routines, but it can be
overridden or removed by an application. In order to be affected, an
application must explicitly set the X509_V_FLAG_X509_STRICT verification
flag and either not set a purpose for the certificate verification or, in
the case of TLS client or server applications, override the default
purpose. OpenSSL versions 1.1.1h and newer are affected by this issue.
Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is
not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected
1.1.1h-1.1.1j).
https://nvd.nist.gov/vuln/detail/CVE-2021-3450
https://cve.mitre.org/cgi-bin/cvename.cginame=CVE-2021-3450
2. CVE-2021-3149
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation
ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello
omits the signature_algorithms extension (where it was present in the
initial ClientHello), but includes a signature_algorithms_cert extension
then a NULL pointer dereference will result, leading to a crash and a
denial of service attack. A server is only vulnerable if it has TLSv1.2 and
renegotiation enabled (which is the default configuration). OpenSSL TLS
clients are not impacted by this issue. All OpenSSL 1.1.1 versions are
affected by this issue. Users of these versions should upgrade to OpenSSL
1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL
1.1.1k (Affected 1.1.1-1.1.1j).
https://nvd.nist.gov/vuln/detail/CVE-2021-3449
https://cve.mitre.org/cgi-bin/cvename.cginame=CVE-2021-3449
McAfee Product Vulnerability Status
This Security Bulletin will be updated as additional information is available.
+-----------------------------------------------------------------------------+
|Update Availability |
+---------------------------------------+-------+-----------------------------+
|Product |Version|CVE-2021-3450 and |
| | |CVE-2021-3449 |
+---------------------------------------+-------+-----------------------------+
|Vulnerable and Updated |
+---------------------------------------+-------+-----------------------------+
|McAfee Web Gateway (MWG) |All |10.1.1, 9.2.10, 8.2.19 |
+---------------------------------------+-------+-----------------------------+
|McAfee Web Gateway Cloud Service |All |10.1.1, 9.2.10, 8.2.19 |
|(MWGCS) | | |
+---------------------------------------+-------+-----------------------------+
|Not Vulnerable |
+---------------------------------------+-------+-----------------------------+
|Advanced Threat Defense (ATD) |All | |
+---------------------------------------+-------+-----------------------------+
|Appliance Data Monitor (ADM) |All | |
+---------------------------------------+-------+-----------------------------+
|Data Exchange Layer (DXL) Broker |All | |
+---------------------------------------+-------+-----------------------------+
|Data Loss Prevention (DLP) |All | |
|Prevent and Monitor | | |
+---------------------------------------+-------+-----------------------------+
|McAfee Active Response (MAR) Server |All | |
+---------------------------------------+-------+-----------------------------+
|Network Security Manager (NSM) Linux |All | |
+---------------------------------------+-------+-----------------------------+
|Network Security Platform (NSP) |All | |
+---------------------------------------+-------+-----------------------------+
|Network Threat Behavior Analysis (NTBA)|All | |
+---------------------------------------+-------+-----------------------------+
|SIEM Enterprise Security Manager |All | |
+---------------------------------------+-------+-----------------------------+
|Threat Intelligence Exchange (TIE) |All | |
|Server | | |
+---------------------------------------+-------+-----------------------------+
For a description of each product, see: https://www.mcafee.com/enterprise/en-us
/products/a-z.html .
Remediation
To remediate this issue, go to the Product Downloads site , and download the
applicable product update/hotfix file:
+-------+-------+------+--------------+
|Product|Version|Type |Release Date |
+-------+-------+------+--------------+
| |10.1.1,| | |
|MWG |9.2.10,|Update|April 14, 2021|
| |8.2.19 | | |
+-------+-------+------+--------------+
| |10.1.1,| | |
|MWGCS |9.2.10,|Update|April 14, 2021|
| |8.2.19 | | |
+-------+-------+------+--------------+
Download and Installation Instructions
For instructions to download McAfee product updates and hotfixes, see: KB56057
- - How to download Enterprise product updates and documentation . Review the
Release Notes and the Installation Guide for instructions on how to install
these updates. All documentation is available at https://docs.mcafee.com .
Frequently Asked Questions (FAQs)
How do I know if my McAfee product is vulnerable or not
For endpoint products:
Use the following instructions for endpoint or client-based products:
1. Right-click the McAfee tray shield icon on the Windows taskbar.
2. Select Open Console .
3. In the console, select Action Menu .
4. In the Action Menu, select Product Details . The product version displays.
For ePO/server products:
Use the following instructions for server-based products:
o Check the version and build of ePO that is installed. For instructions,
see: KB52634 - How to determine what update is installed for ePO .
o Create a query in ePO for the product version of the product installed
within your organization.
For Appliances:
Use the following instructions for Appliance-based products:
1. Open the Administrator's User Interface (UI).
2. Click the About link. The product version displays.
For DLPe ePO Extension:
Use the following instructions:
1. Log on to the ePO server.
2. Click Menu , Data Protection , DLP Policy .
3. Inside the DLP console click Help , About . The product version displays.
What is CVSS
CVSS, or Common Vulnerability Scoring System, is the result of the National
Infrastructure Advisory Council's effort to standardize a system of assessing
the criticality of a vulnerability. This system offers an unbiased criticality
score between 0 and 10 that customers can use to judge how critical a
vulnerability is and plan accordingly. For more information, visit the CVSS
website at: https://www.first.org/cvss/ .
When calculating CVSS scores, McAfee has adopted a philosophy that fosters
consistency and repeatability. Our guiding principle for CVSS scoring is to
score the exploit under consideration by itself. We consider only the immediate
and direct impact of the exploit under consideration. We do not factor into a
score any potential follow-on exploits that might be made possible by the
successful exploitation of the issue being scored.
Where can I find a list of all Security Bulletins
All Security Bulletins are published on our external PSIRT website at https://
www.mcafee.com/us/threat-center/product-security-bulletins.aspx . To see
Security Bulletins for McAfee Enterprise products on this website click
Enterprise Security Bulletins . Security Bulletins are retired (removed) once a
product is both End of Sale and End of Support (End of Life).
How do I report a product vulnerability to McAfee
If you have information about a security issue or vulnerability with a McAfee
product, visit the McAfee PSIRT website for instructions at https://
www.mcafee.com/us/threat-center/product-security-bulletins.aspx . To report an
issue, click Report a Security Vulnerability .
How does McAfee respond to this and any other reported security flaws
Our key priority is the security of our customers. If a vulnerability is found
within any McAfee software or services, we work closely with the relevant
security software development team to ensure the rapid and effective
development of a fix and communication plan.
McAfee only publishes Security Bulletins if they include something actionable
such as a workaround, mitigation, version update, or hotfix. Otherwise, we
would simply be informing the hacker community that our products are a target,
putting our customers at greater risk. For products that are updated
automatically, a non-actionable Security Bulletin might be published to
acknowledge the discoverer.
View our PSIRT policy on the McAfee PSIRT website at https://www.mcafee.com/us/
threat-center/product-security-bulletins.aspx by clicking About PSIRT .
Resources
To contact Technical Support, log on to the ServicePortal and go to the Create
a Service Request page at https://support.mcafee.com/ServicePortal/faces/
serviceRequests/createSR :
o If you are a registered user, type your User ID and Password, and then
click Log In .
o If you are not a registered user, click Register and complete the required
fields. Your password and logon instructions will be emailed to you.
Disclaimer
The information provided in this Security Bulletin is provided as is without
warranty of any kind. McAfee disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall McAfee or its suppliers be liable for any
damages whatsoever including direct, indirect, incidental, consequential, loss
of business profits or special damages, even if McAfee or its suppliers have
been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages so
the preceding limitation may not apply.
Any future product release dates mentioned in this Security Bulletin are
intended to outline our general product direction, and they should not be
relied on in making a purchasing decision. The product release dates are for
information purposes only, and may not be incorporated into any contract. The
product release dates are not a commitment, promise, or legal obligation to
deliver any material, code, or functionality. The development, release, and
timing of any features or functionality described for our products remains at
our sole discretion and may be changed or canceled at any time
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYHjhj+NLKJtyKPYoAQhF+BAAkyedDKyRa+WsmOGRQ4uvlL5vQpbmEmx/
8TvTqzpmnfFAzqdxvUzcGeGJuOaJu/9zX+GfUNboCKJyIaonylQa7PUlw0TkCNnK
G8L+H98VSOTFe/4eT0B44NffGfoNcVIw4qyC6GHAzzDqJYGgI3POnuKU0UKmXRpZ
URfRMPZEh4INjka+w0Sc66eCgs1ZA3hsX8+1AtNr+jgsKRdxn2yoCfzvatlJF/Xe
BnxtinQ7i7rElD5uq3SNGQVcUALaH53js7I4+Yt1m5D03eP7YFDOUzNc+IAegW7V
7qPZDMPGZBVxe97PzqRL1HnhXwEvrhJ+OWWTKVfhMhvqLa0Pi+SiPoZIy3EK9CKE
5zfGwZXPWGY7baBPgaSLKuCrdeOUhZZGHFTnr38ReDdgT+7npbeOEAWSaKgXRmVa
1p49I9ZdAhPJzjwT7XvxQKITtpZvFBt4Gagv6kt+MJHpoW3XV2Rj9g5l974G18Jz
T5sCEpQ3nTm0oor+ezig0BSmZ1hWSfsaPXpWJUqcGCmVLAKngeiT3Oijxj7xc/mp
7+opS4SNjNDy98e4Pm3553fwEZ9OlFGIFgyW04s+ZhYkhk+urJIQ8lI1wVLDLIHu
OVnCM/RINGBr9XpWvR5rAdZs/hGBFeQBlJi2KP3hFnwPPaeuUj/BozjsFZpHyNiK
fBECPF30mzw=
=zd2f
-----END PGP SIGNATURE-----
ESB-2021.1292 - [Win] McAfee Data Loss Prevention (DLP) Endpoint for Windows: Multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1292
Data Loss Prevention Endpoint for Windows update fixes two
vulnerabilities (CVE-2021-23886 and CVE-2021-23887)
16 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: McAfee Data Loss Prevention (DLP) Endpoint for Windows
Publisher: McAfee
Operating System: Windows
Impact/Access: Increased Privileges -- Existing Account
Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-23887 CVE-2021-23886
Original Bulletin:
https://kc.mcafee.com/corporate/index?page=content&id=SB10357
- --------------------------BEGIN INCLUDED TEXT--------------------
McAfee Security Bulletin - Data Loss Prevention Endpoint for Windows update
fixes two vulnerabilities (CVE-2021-23886 and CVE-2021-23887)
Security Bulletins ID : SB10357
Last Modified : 4/14/2021
Summary
First Published: April 14, 2021
+----------------+-----------+--------------+----------------+--------+--------+
| | | | | |CVSS |
| |Impacted | |Impact of |Severity|v3.1 |
|Product: |Versions: |CVE ID: |Vulnerabilities:|Ratings:|Base/ |
| | | | | |Temporal|
| | | | | |Scores: |
+----------------+-----------+--------------+----------------+--------+--------+
|Data Loss | | |CWE-755: | | |
|Prevention (DLP)|Prior to HF| |Improper | |5.5 / |
|Endpoint for |11.6.100.41|CVE-2021-23886|Handling of |Medium |5.0 |
|Windows | | |Exceptional | | |
| | | |Conditions | | |
+----------------+-----------+--------------+----------------+--------+--------+
| | | |CWE-269: | | |
|DLP Endpoint for|Prior to HF|CVE-2021-23887|Privilege |High |7.8 / |
|Windows |11.6.100.41| |escalation | |7.0 |
| | | |vulnerability | | |
+----------------+-----------+--------------+----------------+--------+--------+
|Recommendations:|Install or update DLP Endpoint for Windows to HF 11.6.100.41 |
+----------------+-------------------------------------------------------------+
|Security | |
|Bulletin |None |
|Replacement: | |
+----------------+-------------------------------------------------------------+
|Location of | |
|updated |http://www.mcafee.com/us/downloads/downloads.aspx |
|software: | |
+----------------+-------------------------------------------------------------+
To receive email notification when this Security Bulletin is updated, click
Subscribe on the right side of the page. You must be logged on to subscribe.
Article contents:
o Vulnerability Description
o Remediation
o Acknowledgments
o Frequently Asked Questions (FAQs)
o Resources
o Disclaimer
Vulnerability Description
1. CVE-2021-23886
Denial of Service vulnerability in McAfee Data Loss Prevention (DLP)
Endpoint for Windows prior to 11.6.100 allows a local, low privileged,
attacker to cause a BSoD through suspending a process, modifying the
processes memory and restarting it. This is triggered by the hdlphook
driver reading invalid memory.
https://web.nvd.nist.gov/view/vuln/detailvulnId=CVE-2021-23886
https://cve.mitre.org/cgi-bin/cvename.cginame=CVE-2021-23886
2. CVE-2021-23887
Privilege Escalation vulnerability in McAfee Data Loss Prevention (DLP)
Endpoint for Windows prior to 11.6.100 allows a local, low privileged,
attacker to write to arbitrary controlled kernel addresses. This is
achieved by launching applications, suspending them, modifying the memory
and restarting them when they are monitored by McAfee DLP through the
hdlphook driver.
https://web.nvd.nist.gov/view/vuln/detailvulnId=CVE-2021-23887
https://cve.mitre.org/cgi-bin/cvename.cginame=CVE-2021-23887
Remediation
To remediate this issue, customers should update to DLP Endpoint for Windows HF
11.6.100.41.
Go to the Product Downloads site , and download the applicable product hotfix
file:
+------------------------+--------------+------+--------------+
|Product |Version |Type |Release Date |
+------------------------+--------------+------+--------------+
|DLP Endpoint for Windows|HF 11.6.100.41|Hotfix|April 14, 2021|
+------------------------+--------------+------+--------------+
Download and Installation Instructions
For instructions to download McAfee product updates and hotfixes, see: KB56057
- - How to download Enterprise product updates and documentation . Review the
Release Notes and the Installation Guide for instructions on how to install
these updates. All documentation is available at https://docs.mcafee.com .
Acknowledgments
McAfee credits the following for responsibly reporting these flaws.
CVE-2021-23886 - Assaf Kachlon from Morphisec
CVE-2021-23887 - Andry Diment from Morphisec
Frequently Asked Questions (FAQs)
How do I know if my McAfee product is vulnerable or not
For endpoint products:
Use the following instructions for endpoint or client-based products:
1. Right-click the McAfee tray shield icon on the Windows taskbar.
2. Select Open Console .
3. In the console, select Action Menu .
4. In the Action Menu, select Product Details . The product version displays.
What is CVSS
CVSS, or Common Vulnerability Scoring System, is the result of the National
Infrastructure Advisory Council's effort to standardize a system of assessing
the criticality of a vulnerability. This system offers an unbiased criticality
score between 0 and 10 that customers can use to judge how critical a
vulnerability is and plan accordingly. For more information, visit the CVSS
website at: https://www.first.org/cvss/ .
When calculating CVSS scores, McAfee has adopted a philosophy that fosters
consistency and repeatability. Our guiding principle for CVSS scoring is to
score the exploit under consideration by itself. We consider only the immediate
and direct impact of the exploit under consideration. We do not factor into a
score any potential follow-on exploits that might be made possible by the
successful exploitation of the issue being scored.
What are the CVSS scoring metrics
1. CVE-2021-23886: Denial of Service in DLP Endpoint for Windows
+------------------------+--------------------+
|Base Score |5.5 |
+------------------------+--------------------+
|Attack Vector (AV) |Local (L) |
+------------------------+--------------------+
|Attack Complexity (AC) |Low (L) |
+------------------------+--------------------+
|Privileges Required (PR)|Low (L) |
+------------------------+--------------------+
|User Interaction (UI) |None (N) |
+------------------------+--------------------+
|Scope (S) |Unchanged (U) |
+------------------------+--------------------+
|Confidentiality (C) |None (N) |
+------------------------+--------------------+
|Integrity (I) |None (N) |
+------------------------+--------------------+
|Availability (A) |High (H) |
+------------------------+--------------------+
|Temporal Score (Overall)|5.0 |
+------------------------+--------------------+
|Exploitability (E) |Proof-of-Concept (P)|
+------------------------+--------------------+
|Remediation Level (RL) |Official Fix (O) |
+------------------------+--------------------+
|Report Confidence (RC) |Confirmed (C) |
+------------------------+--------------------+
NOTE: The below CVSS version 3.1 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculatorvector=AV:L/AC:L/PR:L/
UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C&version=3.1
2. CVE-2021-23887: Privilege escalation in DLP Endpoint for Windows
+------------------------+--------------------+
|Base Score |7.8 |
+------------------------+--------------------+
|Attack Vector (AV) |Local (L) |
+------------------------+--------------------+
|Attack Complexity (AC) |Low (L) |
+------------------------+--------------------+
|Privileges Required (PR)|Low (L) |
+------------------------+--------------------+
|User Interaction (UI) |None (N) |
+------------------------+--------------------+
|Scope (S) |Unchanged (U) |
+------------------------+--------------------+
|Confidentiality (C) |High (H) |
+------------------------+--------------------+
|Integrity (I) |High (H) |
+------------------------+--------------------+
|Availability (A) |High (H) |
+------------------------+--------------------+
|Temporal Score (Overall)|7.0 |
+------------------------+--------------------+
|Exploitability (E) |Proof-of-Concept (P)|
+------------------------+--------------------+
|Remediation Level (RL) |Official Fix (O) |
+------------------------+--------------------+
|Report Confidence (RC) |Confirmed (C) |
+------------------------+--------------------+
NOTE: The below CVSS version 3.1 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculatorvector=AV:L/AC:L/PR:L/
UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C&version=3.1
Where can I find a list of all Security Bulletins
All Security Bulletins are published on our external PSIRT website at https://
www.mcafee.com/us/threat-center/product-security-bulletins.aspx . To see
Security Bulletins for McAfee Enterprise products on this website click
Enterprise Security Bulletins . Security Bulletins are retired (removed) once a
product is both End of Sale and End of Support (End of Life).
How do I report a product vulnerability to McAfee
If you have information about a security issue or vulnerability with a McAfee
product, visit the McAfee PSIRT website for instructions at https://
www.mcafee.com/us/threat-center/product-security-bulletins.aspx . To report an
issue, click Report a Security Vulnerability .
How does McAfee respond to this and any other reported security flaws
Our key priority is the security of our customers. If a vulnerability is found
within any McAfee software or services, we work closely with the relevant
security software development team to ensure the rapid and effective
development of a fix and communication plan.
McAfee only publishes Security Bulletins if they include something actionable
such as a workaround, mitigation, version update, or hotfix. Otherwise, we
would simply be informing the hacker community that our products are a target,
putting our customers at greater risk. For products that are updated
automatically, a non-actionable Security Bulletin might be published to
acknowledge the discoverer.
View our PSIRT policy on the McAfee PSIRT website at https://www.mcafee.com/us/
threat-center/product-security-bulletins.aspx by clicking About PSIRT .
Resources
To contact Technical Support, log on to the ServicePortal and go to the Create
a Service Request page at https://support.mcafee.com/ServicePortal/faces/
serviceRequests/createSR :
o If you are a registered user, type your User ID and Password, and then
click Log In .
o If you are not a registered user, click Register and complete the required
fields. Your password and logon instructions will be emailed to you.
Disclaimer
The information provided in this Security Bulletin is provided as is without
warranty of any kind. McAfee disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall McAfee or its suppliers be liable for any
damages whatsoever including direct, indirect, incidental, consequential, loss
of business profits or special damages, even if McAfee or its suppliers have
been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages so
the preceding limitation may not apply.
Any future product release dates mentioned in this Security Bulletin are
intended to outline our general product direction, and they should not be
relied on in making a purchasing decision. The product release dates are for
information purposes only, and may not be incorporated into any contract. The
product release dates are not a commitment, promise, or legal obligation to
deliver any material, code, or functionality. The development, release, and
timing of any features or functionality described for our products remains at
our sole discretion and may be changed or canceled at any time
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYHjhf+NLKJtyKPYoAQiUew//X9tCbJbfIBRzLgYOiIe+H9KeUvpakxw4
3+nxJTDTRiE/QZhiHjEPTgaiY/nYWWigoExS6DHXNFRuxxUrSYmQGcNaAdC2ecY5
ty+aMdsAp+jlihYGxEOfpQv/687i0olCrt3gl3JhmfiHTuU94avKogWIdEPLw0xO
fsi/ivYa6Y0DWHVkIzxq5SZcFqnOExNtAbqzfDBhPCiEZh8IglfCe1ogwg9qhvAJ
FSwe/9a/f+X5EKFhWwDI394bFLDHXXltwUsyfjuGD7DNfOPUWUmD7HcQFVywQPFU
50ScJ52lEUlZPGHVPmIXI26S+xPMF43CKTQ5qJEaMHH+lHOaavkvVQlLB3SMObEt
NXP6/pxx3og4N7M7yhtMZ3xmbWiQ50FY7c3X3kQJo/NtXDjXF0xm7wNiFR0Y2Qhv
/a9sTyrAH+gMUwzKolOo91u+rq9nOscAJrTCGwkDiDAMXiu8aNWG27q5bAziEIjz
/NifQJQdgOqGxlZatlpgesDJ2VFD3wHDC9CpspRirp0LVVSdH6NNm48DaRQC8cC7
EpvnOBsIMpDWz9BiBMqAJml2Te2R5VM7Lue3XkN1IJMjV4XNpH/f3GYFIREdjUoL
f1W4ggWhK7tiPqO4w+oYfKQegEn2OsbMVf+c2MTQKRI+aRr/VL8azs1dWa5698e8
ka0ua5Op5i0=
=tcpw
-----END PGP SIGNATURE-----
ESB-2021.1291 - [Appliance] McAfee Content Security Reporter (CSR): Access confidential data - Existing account
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1291
Content Security Reporter update fixes one vulnerability (CVE-2021-23884)
16 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: McAfee Content Security Reporter (CSR)
Publisher: McAfee
Operating System: Network Appliance
Impact/Access: Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-23884
Original Bulletin:
https://kc.mcafee.com/corporate/index?page=content&id=SB10353
- --------------------------BEGIN INCLUDED TEXT--------------------
McAfee Security Bulletin - Content Security Reporter update fixes one
vulnerability (CVE-2021-23884)
Security Bulletins ID : SB10353
Last Modified : 4/14/2021
Summary
First Published: April 14, 2021
+----------------+---------+--------------+-----------------+--------+--------+
| | | | | |CVSS |
| |Impacted | |Impact of |Severity|v3.1 |
|Product: |Versions:|CVE ID: |Vulnerabilities: |Ratings:|Base/ |
| | | | | |Temporal|
| | | | | |Scores: |
+----------------+---------+--------------+-----------------+--------+--------+
| | | |CWE-319: | | |
|Content Security|Prior to | |Cleartext | |4.3 / |
|Reporter (CSR) |2.8.0 |CVE-2021-23884|Transmission of |Medium |3.9 |
| | | |Sensitive | | |
| | | |Information | | |
+----------------+---------+--------------+-----------------+--------+--------+
|Recommendations:|Upgrade to CSR 2.8.0 |
+----------------+------------------------------------------------------------+
|Security | |
|Bulletin |None |
|Replacement: | |
+----------------+------------------------------------------------------------+
|Location of | |
|updated |http://www.mcafee.com/us/downloads/downloads.aspx |
|software: | |
+----------------+------------------------------------------------------------+
To receive email notification when this Security Bulletin is updated, click
Subscribe on the right side of the page. You must be logged on to subscribe.
Article contents:
o Vulnerability Description
o Remediation
o Acknowledgments
o Frequently Asked Questions (FAQs)
o Resources
o Disclaimer
Vulnerability Description
This feature is only available through on-premises ePO servers. The attacker
would need to be on the same network as the ePO server, and know an ePO
administrator's credentials, to exploit this vulnerability. The credentials for
obtaining logs from Web Gateway and Web Gateway Cloud Server are configured in
different parts of the ePO extension. The best practice is to have different
passwords for each service. The passwords exposed through this vulnerability
are stored encrypted in the CSR database, both before and post this fix.
CVE-2021-23884
Cleartext Transmission of Sensitive Information vulnerability in the ePO
Extension of McAfee Content Security Reporter (CSR) prior to 2.8.0 allows an
ePO administrator to view the unencrypted password of the McAfee Web Gateway
(MWG) or the password of the McAfee Web Gateway Cloud Server (MWGCS) read only
user used to retrieve log files for analysis in CSR.
https://web.nvd.nist.gov/view/vuln/detailvulnId=CVE-2021-23884
https://cve.mitre.org/cgi-bin/cvename.cginame=CVE-2021-23884
Remediation
To remediate this issue, upgrade to CSR 2.8.0.
Go to the Product Downloads site , and download the applicable product update
file:
+-------+-------+-----+--------------+
|Product|Version|Type |Release Date |
+-------+-------+-----+--------------+
|CSR |2.8.0 |Minor|April 14, 2021|
+-------+-------+-----+--------------+
Download and Installation Instructions
For instructions to download McAfee product updates and hotfixes, see: KB56057
- - How to download Enterprise product updates and documentation . Review the
Release Notes and the Installation Guide for instructions on how to install
these updates. All documentation is available at https://docs.mcafee.com .
Acknowledgments
McAfee credits Derrick Berg from Eastman Kodak Company for responsibly
reporting this flaw.
Frequently Asked Questions (FAQs)
How do I know if my McAfee product is vulnerable or not
For endpoint products:
Use the following instructions for endpoint or client-based products:
1. Right-click the McAfee tray shield icon on the Windows taskbar.
2. Select Open Console .
3. In the console, select Action Menu .
4. In the Action Menu, select Product Details . The product version displays.
What is CVSS
CVSS, or Common Vulnerability Scoring System, is the result of the National
Infrastructure Advisory Council's effort to standardize a system of assessing
the criticality of a vulnerability. This system offers an unbiased criticality
score between 0 and 10 that customers can use to judge how critical a
vulnerability is and plan accordingly. For more information, visit the CVSS
website at: https://www.first.org/cvss/ .
When calculating CVSS scores, McAfee has adopted a philosophy that fosters
consistency and repeatability. Our guiding principle for CVSS scoring is to
score the exploit under consideration by itself. We consider only the immediate
and direct impact of the exploit under consideration. We do not factor into a
score any potential follow-on exploits that might be made possible by the
successful exploitation of the issue being scored.
What are the CVSS scoring metrics
CVE-2021-23884: Clear text exposure of password in CSR ePO extension
+------------------------+--------------------+
|Base Score |4.3 |
+------------------------+--------------------+
|Attack Vector (AV) |Adjacent Network (A)|
+------------------------+--------------------+
|Attack Complexity (AC) |Low (L) |
+------------------------+--------------------+
|Privileges Required (PR)|High (H) |
+------------------------+--------------------+
|User Interaction (UI) |Required (R) |
+------------------------+--------------------+
|Scope (S) |Unchanged (U) |
+------------------------+--------------------+
|Confidentiality (C) |High (H) |
+------------------------+--------------------+
|Integrity (I) |None (N) |
+------------------------+--------------------+
|Availability (A) |None (N) |
+------------------------+--------------------+
|Temporal Score (Overall)|3.9 |
+------------------------+--------------------+
|Exploitability (E) |Proof-of-Concept (P)|
+------------------------+--------------------+
|Remediation Level (RL) |Official Fix (O) |
+------------------------+--------------------+
|Report Confidence (RC) |Confirmed (C) |
+------------------------+--------------------+
NOTE: The below CVSS version 3.1 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculatorvector=AV:A/AC:L/PR:H/UI:R
/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C&version=3.1
Where can I find a list of all Security Bulletins
All Security Bulletins are published on our external PSIRT website at https://
www.mcafee.com/us/threat-center/product-security-bulletins.aspx . To see
Security Bulletins for McAfee Enterprise products on this website click
Enterprise Security Bulletins . Security Bulletins are retired (removed) once a
product is both End of Sale and End of Support (End of Life).
How do I report a product vulnerability to McAfee
If you have information about a security issue or vulnerability with a McAfee
product, visit the McAfee PSIRT website for instructions at https://
www.mcafee.com/us/threat-center/product-security-bulletins.aspx . To report an
issue, click Report a Security Vulnerability .
How does McAfee respond to this and any other reported security flaws
Our key priority is the security of our customers. If a vulnerability is found
within any McAfee software or services, we work closely with the relevant
security software development team to ensure the rapid and effective
development of a fix and communication plan.
McAfee only publishes Security Bulletins if they include something actionable
such as a workaround, mitigation, version update, or hotfix. Otherwise, we
would simply be informing the hacker community that our products are a target,
putting our customers at greater risk. For products that are updated
automatically, a non-actionable Security Bulletin might be published to
acknowledge the discoverer.
View our PSIRT policy on the McAfee PSIRT website at https://www.mcafee.com/us/
threat-center/product-security-bulletins.aspx by clicking About PSIRT .
Resources
To contact Technical Support, log on to the ServicePortal and go to the Create
a Service Request page at https://support.mcafee.com/ServicePortal/faces/
serviceRequests/createSR :
o If you are a registered user, type your User ID and Password, and then
click Log In .
o If you are not a registered user, click Register and complete the required
fields. Your password and logon instructions will be emailed to you.
Disclaimer
The information provided in this Security Bulletin is provided as is without
warranty of any kind. McAfee disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall McAfee or its suppliers be liable for any
damages whatsoever including direct, indirect, incidental, consequential, loss
of business profits or special damages, even if McAfee or its suppliers have
been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages so
the preceding limitation may not apply.
Any future product release dates mentioned in this Security Bulletin are
intended to outline our general product direction, and they should not be
relied on in making a purchasing decision. The product release dates are for
information purposes only, and may not be incorporated into any contract. The
product release dates are not a commitment, promise, or legal obligation to
deliver any material, code, or functionality. The development, release, and
timing of any features or functionality described for our products remains at
our sole discretion and may be changed or canceled at any time
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYHjfGONLKJtyKPYoAQjL+BAAiJ+ejhFXxG2IqkXZ60Kdh0PZLD1JdNI5
UQ3cTjt3YyQj5hjmRlyYLHHuiA2Dha4IiW7OB/QNOFrB6yXY7Qwz6yWkoxlkohPD
r1eMVYoF0VekjOs8o+1FPqI0nTaOCDF1l5Qz4AfUAyQfjVuFsqAUwXae3kOiUV+/
Nt7waNJytESg+ShzW9vZERjLvzRb05bxWpD/NjCVDB879CN8Qdw4NhcGVPysAPOT
oF5R7bEF2ZrIcShgZ6/Z6SdijdtKr7FYW4rX1y3nhknMLH3+u7nmpBjeHKcYx4qX
ztv5vl7a2+MdosCk61z/30eTLQ0TgH/VNzVsUtNp4nuBSYGVo0FVjhWaevt8MdJ5
IhE2fPklVJE2LFhiTagiHBG0JnUgr0WeTeKTIezCs6PDcrlCoxj8agX7SawsToL1
TE2jd3LdWQWSAsFnvHPE1n03tPUTV2Cz3kY20BfUS7OdnOZswhhLmZu86ePwFYWB
1VejGJXQP4gKrM2uMVUF9AejSB1XhyOQskRk5amteiket6tTqrqZ3A8EaEGdvfnM
Uiyt9gddF9OTcZXkA7agMPkssa1noNcOrZ8jNf5B+ALxotuV3aZtiJweJyYrvTX6
tT8769BDYv6IEH8umb/pvq7lpIUdTh/2C7al7Cob1rmjtwvUL2WbX/6Yhs9lPtkW
yCxRT55NEDM=
=l/1b
-----END PGP SIGNATURE-----
ESB-2021.1290 - [Appliance] McAfee Advanced Threat Defense (ATD): Access confidential data - Existing account
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1290
Advanced Threat Defense update fixes two vulnerabilities
(CVE-2020-7269 and CVE-2020-7270)
16 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: McAfee Advanced Threat Defense (ATD)
Publisher: McAfee
Operating System: Network Appliance
Impact/Access: Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-7270 CVE-2020-7269
Original Bulletin:
https://kc.mcafee.com/corporate/index?page=content&id=SB10336
- --------------------------BEGIN INCLUDED TEXT--------------------
McAfee Security Bulletin - Advanced Threat Defense update fixes two
vulnerabilities (CVE-2020-7269 and CVE-2020-7270)
Security Bulletins ID : SB10336
Last Modified : 4/14/2021
Summary
First Published: April 14, 2021
+----------------+---------+-------------+------------------+--------+--------+
| | | | | |CVSS |
| |Impacted | |Impact of |Severity|v3.1 |
|Product: |Versions:|CVE ID: |Vulnerabilities: |Ratings:|Base/ |
| | | | | |Temporal|
| | | | | |Scores: |
+----------------+---------+-------------+------------------+--------+--------+
| | | |CWE-200: | | |
|Advanced Threat |Prior to | |Exposure of | |4.9 / |
|Defense (ATD) |4.12.2 |CVE-2020-7269|Sensitive |Medium |4.4 |
| | | |Information to an | | |
| | | |Unauthorized Actor| | |
+----------------+---------+-------------+------------------+--------+--------+
| | | |CWE-200: | | |
| |Prior to | |Exposure of | |4.9 / |
|ATD |4.12.2 |CVE-2020-7270|Sensitive |Medium |4.4 |
| | | |Information to an | | |
| | | |Unauthorized Actor| | |
+----------------+---------+-------------+------------------+--------+--------+
|Recommendations:|Update to ATD 4.12.2 |
+----------------+------------------------------------------------------------+
|Security | |
|Bulletin |None |
|Replacement: | |
+----------------+------------------------------------------------------------+
|Location of | |
|updated |http://www.mcafee.com/us/downloads/downloads.aspx |
|software: | |
+----------------+------------------------------------------------------------+
To receive email notification when this Security Bulletin is updated, click
Subscribe on the right side of the page. You must be logged on to subscribe.
Article contents:
o Vulnerability Description
o Remediation
o Acknowledgments
o Frequently Asked Questions (FAQs)
o Resources
o Disclaimer
Vulnerability Description
CVE-2020-7269
Exposure of Sensitive Information in the web interface in McAfee Advanced
Threat Defense (ATD) prior to 4.12.2 allows remote authenticated users to view
sensitive unencrypted information via a carefully crafted HTTP request
parameter. The risk is partially mitigated if your ATD instances are deployed
as recommended with no direct access from the Internet to them.
https://web.nvd.nist.gov/view/vuln/detailvulnId=CVE-2020-7269
https://cve.mitre.org/cgi-bin/cvename.cginame=CVE-2020-7269
CVE-2020-7270
Exposure of Sensitive Information in the web interface in McAfee Advanced
Threat Defense (ATD) prior to 4.12.2 allows remote authenticated users to view
sensitive unencrypted information via a carefully crafted HTTP request
parameter. The risk is partially mitigated if your ATD instances are deployed
as recommended with no direct access from the Internet to them.
https://web.nvd.nist.gov/view/vuln/detailvulnId=CVE-2020-7270
https://cve.mitre.org/cgi-bin/cvename.cginame=CVE-2020-7270
Remediation
To remediate this issue, go to the Product Downloads site , and download the
latest version. See the Frequently Asked Questions section for the path to
upgrade from older versions to this version.
+-------+-------+------+--------------+
|Product|Version|Type |Release Date |
+-------+-------+------+--------------+
|ATD |4.12.2 |Update|April 14, 2021|
+-------+-------+------+--------------+
Download and Installation Instructions
See KB56057 for instructions on how to download McAfee products, documentation,
updates, and hotfixes. Review the Release Notes and the Installation Guide for
instructions on how to install these updates. All documentation is available at
https://docs.mcafee.com .
Migration
See the Migration Guide for instructions to get to a protected version.
IMPORTANT: When upgrading to the appropriate ATD version with the fix, you must
use the migration package. Failure to use the correct migration package causes
installation failures and requires a reimage of the appliance.
Acknowledgments
McAfee credits hoangcuongflp for responsibly reporting these flaws.
Frequently Asked Questions (FAQs)
How do I know if my McAfee product is vulnerable or not
For Appliances:
Use the following instructions for Appliance-based products:
1. Open the Administrator's User Interface (UI).
2. Click the About link. The product version displays.
Is ATD 4.12.2 deployable to all ATD appliance models
ATD Update 4.12.2 is applicable to all ATD models - both physical and virtual.
What are the steps needed to get to a protected version
+---------------+-------------------------+-----------------------------------+
| Starting | Total Number of Steps | |
| Version | to Upgrade to Fixed | Upgrade Path |
| | Version | |
+---------------+-------------------------+-----------------------------------+
| 4.0.x | 4 | 4.0.x > 4.4.0 > 4.8.0 > 4.12.0 > |
| | | 4.12.2 |
+---------------+-------------------------+-----------------------------------+
| 4.2.x | 4 | 4.2.0 > 4.4.0 > 4.8.0 > 4.12.0 > |
| | | 4.12.2 |
+---------------+-------------------------+-----------------------------------+
| 4.4.x | 3 | 4.4.x > 4.8.0 > 4.12.0 > 4.12.2 |
+---------------+-------------------------+-----------------------------------+
| 4.6.0 | 3 | 4.6.0 > 4.10.0 > 4.12.0 > 4.12.2 |
+---------------+-------------------------+-----------------------------------+
| 4.6.2 | 3 | 4.6.2 > 4.10.0 > 4.12.0 > 4.12.2 |
+---------------+-------------------------+-----------------------------------+
| 4.8.0 | 2 | 4.8.0 > 4.12.0 > 4.12.2 |
+---------------+-------------------------+-----------------------------------+
| 4.8.2 | 2 | 4.8.2 > 4.12.0 > 4.12.2 |
+---------------+-------------------------+-----------------------------------+
| 4.10 | 2 | 4.10.0 > 4.12.0 > 4.12.2 |
+---------------+-------------------------+-----------------------------------+
| 4.12.0 | 1 | 4.12.0 > 4.12.2 |
+---------------+-------------------------+-----------------------------------+
NOTES:
o See Supported Upgrade Paths .
o If you are running ATD version 3.8.x or earlier, McAfee strongly recommends
a reimage of the ATD appliance directly to version 4.10. This reimage
minimizes the number of upgrade steps and avoids potential upgrade
failures. See Migration Criteria .
o Installation could take a minimum of 30 minutes and up to two hours. The
time depends on the number of virtual machines and the database size in the
deployment.
What are the migration packages recommended by version
+---------+--------------------------------+-------------------------------------------------+
| Version | File Name | SHA |
+---------+--------------------------------+-------------------------------------------------+
| 3.8.0 | system-3.8.0.29.58939.msu | 3BC121C870AC49FEF57EF406E40055B8867B3150369F013 |
| | | E4395B5555A65FB3C |
+---------+--------------------------------+-------------------------------------------------+
| 4.2.x | migration-4.2.0.20.64069.msu | 9CF6A0D7DC9CD8CD713F73FFAD3C81C12A1F3CFD0BF82 |
| | | 713D79ABB069FEF1AEF |
+---------+--------------------------------+-------------------------------------------------+
| 4.4.x | migration-4.4.0.26.a6835a.msu | 0FF4B2434FD24F13F3D23DBFC8C8E63F7F8B979991A2AC8 |
| | | 7F61B2362447CCF3B |
+---------+--------------------------------+-------------------------------------------------+
| 4.6.0 | migration-4.6.0.21.517580.msu | E9AD833DCCC47626B7AB48B6440CABC1183709A7F0BFE5 |
| | | 4AD454DF2D993C99D5 |
+---------+--------------------------------+-------------------------------------------------+
| 4.6.2 | system-4.6.2.13.8d1e42.msu | ED4A39A9E16237EF863F7E380799C49946DBACE0ABF1D |
| | | 96225723AB4775F7FAF |
+---------+--------------------------------+-------------------------------------------------+
| 4.8.0 | migration-4.8.0.17.c4d13a.msu | 58AF249F1F248B826127ECC861EBE5D50E61501C27376A |
| | | B5893FE5E5370620A5 |
+---------+--------------------------------+-------------------------------------------------+
| 4.8.2 | system-4.8.2.13.cc86f4.msu | 2E95F1A25D7E5369A7DCA795A840B765D221C188 |
+---------+--------------------------------+-------------------------------------------------+
| 4.10.0 | system-4.10.0.13.4e84a5.msu | 2E95F1A25D7E5369A7DCA795A840B765D221C188 |
+---------+--------------------------------+-------------------------------------------------+
| 4.12.0 | migration-4.12.0b.3.908cef.msu | d85c2ccd78ce452d80ded02a6fe2387a |
+---------+--------------------------------+-------------------------------------------------+
| 4.12.2 | system-4.12.2.9.c38d50.msu | 78f79ade611382c0876b3d348e0040cc |
+---------+--------------------------------+-------------------------------------------------+
What is CVSS
CVSS, or Common Vulnerability Scoring System, is the result of the National
Infrastructure Advisory Council's effort to standardize a system of assessing
the criticality of a vulnerability. This system offers an unbiased criticality
score between 0 and 10 that customers can use to judge how critical a
vulnerability is and plan accordingly. For more information, visit the CVSS
website at: https://www.first.org/cvss/ .
When calculating CVSS scores, McAfee has adopted a philosophy that fosters
consistency and repeatability. Our guiding principle for CVSS scoring is to
score the exploit under consideration by itself. We consider only the immediate
and direct impact of the exploit under consideration. We do not factor into a
score any potential follow-on exploits that might be made possible by the
successful exploitation of the issue being scored.
What are the CVSS scoring metrics
1. CVE-2020-7269 - Sensitive Information Exposure in ATD
+------------------------+-------------------------+
|Base Score |4.9 |
+------------------------+-------------------------+
|Attack Vector (AV) |Adjacent (A) |
+------------------------+-------------------------+
|Attack Complexity (AC) |Low (L) |
+------------------------+-------------------------+
|Privileges Required (PR)|Low (L) |
+------------------------+-------------------------+
|User Interaction (UI) |Required (R) |
+------------------------+-------------------------+
|Scope (S) |Unchanged (U) |
+------------------------+-------------------------+
|Confidentiality (C) |Low (L) |
+------------------------+-------------------------+
|Integrity (I) |Low (L) |
+------------------------+-------------------------+
|Availability (A) |Low (L) |
+------------------------+-------------------------+
|Temporal Score (Overall)|4.4 |
+------------------------+-------------------------+
|Exploitability (E) |Proof of concept code (P)|
+------------------------+-------------------------+
|Remediation Level (RL) |Official Fix (O) |
+------------------------+-------------------------+
|Report Confidence (RC) |Confirmed (C) |
+------------------------+-------------------------+
NOTE: The below CVSS version 3.1 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculatorvector=AV:A/AC:L/PR:L/
UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C&version=3.1
2. CVE-2020-7270 - Sensitive Information Exposure in ATD
+------------------------+-------------------------+
|Base Score |4.9 |
+------------------------+-------------------------+
|Attack Vector (AV) |Adjacent (A) |
+------------------------+-------------------------+
|Attack Complexity (AC) |Low (L) |
+------------------------+-------------------------+
|Privileges Required (PR)|Low (L) |
+------------------------+-------------------------+
|User Interaction (UI) |Required (R) |
+------------------------+-------------------------+
|Scope (S) |Unchanged (U) |
+------------------------+-------------------------+
|Confidentiality (C) |Low (L) |
+------------------------+-------------------------+
|Integrity (I) |Low (L) |
+------------------------+-------------------------+
|Availability (A) |Low (L) |
+------------------------+-------------------------+
|Temporal Score (Overall)|4.4 |
+------------------------+-------------------------+
|Exploitability (E) |Proof of concept code (P)|
+------------------------+-------------------------+
|Remediation Level (RL) |Official Fix (O) |
+------------------------+-------------------------+
|Report Confidence (RC) |Confirmed (C) |
+------------------------+-------------------------+
NOTE: The below CVSS version 3.1 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculatorvector=AV:A/AC:L/PR:L/
UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C&version=3.1
Where can I find a list of all Security Bulletins
All Security Bulletins are published on our external PSIRT website at https://
www.mcafee.com/us/threat-center/product-security-bulletins.aspx . To see
Security Bulletins for McAfee Enterprise products on this website click
Enterprise Security Bulletins . Security Bulletins are retired (removed) once a
product is both End of Sale and End of Support (End of Life).
How do I report a product vulnerability to McAfee
If you have information about a security issue or vulnerability with a McAfee
product, visit the McAfee PSIRT website for instructions at https://
www.mcafee.com/us/threat-center/product-security-bulletins.aspx . To report an
issue, click Report a Security Vulnerability .
How does McAfee respond to this and any other reported security flaws
Our key priority is the security of our customers. If a vulnerability is found
within any McAfee software or services, we work closely with the relevant
security software development team to ensure the rapid and effective
development of a fix and communication plan.
McAfee only publishes Security Bulletins if they include something actionable
such as a workaround, mitigation, version update, or hotfix. Otherwise, we
would simply be informing the hacker community that our products are a target,
putting our customers at greater risk. For products that are updated
automatically, a non-actionable Security Bulletin might be published to
acknowledge the discoverer.
View our PSIRT policy on the McAfee PSIRT website at https://www.mcafee.com/us/
threat-center/product-security-bulletins.aspx by clicking About PSIRT .
Resources
To contact Technical Support, log on to the ServicePortal and go to the Create
a Service Request page at https://support.mcafee.com/ServicePortal/faces/
serviceRequests/createSR :
o If you are a registered user, type your User ID and Password, and then
click Log In .
o If you are not a registered user, click Register and complete the required
fields. Your password and logon instructions will be emailed to you.
Disclaimer
The information provided in this Security Bulletin is provided as is without
warranty of any kind. McAfee disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall McAfee or its suppliers be liable for any
damages whatsoever including direct, indirect, incidental, consequential, loss
of business profits or special damages, even if McAfee or its suppliers have
been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages so
the preceding limitation may not apply.
Any future product release dates mentioned in this Security Bulletin are
intended to outline our general product direction, and they should not be
relied on in making a purchasing decision. The product release dates are for
information purposes only, and may not be incorporated into any contract. The
product release dates are not a commitment, promise, or legal obligation to
deliver any material, code, or functionality. The development, release, and
timing of any features or functionality described for our products remains at
our sole discretion and may be changed or canceled at any time
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYHjfB+NLKJtyKPYoAQjl/A//fhKoyd1A78DvWiUy/DyO4IedqWLzp9CE
yOhoJxmO7QJPSpiMBpAtPxeSfLJFJ4yIMBing81x994bMaoA78J6unC/3rS5Ln9m
a/c9MCWlv0O7hInctj3yEfd7tC5Zzrsu67dn3hCYop5DZxjZQPJHL2+Crtwi0Sze
dfHC36oP2uOQNfat4dPKoD0yRABWAqSQjhH827KAxclLzf39wqhv9P5o199G6rte
Im6OC7uF+k1h9g6qqBD09wxR2me/NY7ZsQ3XMKlwjkLvmy0vV+1Hv6+1QJ8aRgmT
WM171Ie40HytuEpl/37B3H8A+FQ2xjaIVeHP009bkiHjACjF5T7IVIREQkaEtsni
CXrxQMKrEZRlXYWWHJHiycFjHKhnGAstGm/hAhBsB6INvJv/MGGFobhXAkIWEooG
xCsFUL2LnkxzMRBsC5GQTRpwsQmjiy4WHwHWka+TKSDHdFzFEhQZ8t0agblLzXH7
ooZ/eDHol+lhqQ23VRp//YbM/C9jxLmUQ5CjGrfacxaXPTGkCqEsbaiNY5hAEW21
j0oQkR5Svy2jthJhvob/6S3fQeITSNsWKlzsE9j6V79xhhoXw3dPyS5W6nd2r2mD
98vZ+SmOE0Wm4ae8MkBnT6wAfu4Rl5C1uRf053cUx3qCD3CUWQ2NGaP3jc3jy7or
yHRI1Cy9rwc=
=BTT5
-----END PGP SIGNATURE-----
ESB-2021.1289 - [Juniper] Junos OS: Denial of service - Remote/unauthenticated
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1289
JSA11149 - 2021-04 Security Bulletin: Junos OS: Kernel panic upon receipt
of specific TCPv6 packet on management interface
16 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Junos OS
Publisher: Juniper Networks
Operating System: Juniper
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-0258
Original Bulletin:
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11149
- --------------------------BEGIN INCLUDED TEXT--------------------
2021-04 Security Bulletin: Junos OS: Kernel panic upon receipt of specific TCPv6
packet on management interface (CVE-2021-0258)
Article ID : JSA11149
Last Updated: 15 Apr 2021
Version : 2.0
Product Affected:
This issue affects Junos OS 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1,
19.2, 19.3, 19.4.
Problem:
A vulnerability in the forwarding of transit TCPv6 packets received on the
Ethernet management interface of Juniper Networks Junos OS allows an attacker
to trigger a kernel panic, leading to a Denial of Service (DoS). Continued
receipt and processing of these transit packets will create a sustained Denial
of Service (DoS) condition. This issue only occurs when TCPv6 packets are
routed through the management interface. Other transit traffic, and traffic
destined to the management interface, are unaffected by this vulnerability.
This issue was introduced as part of a TCP Parallelization feature added in
Junos OS 17.2, and affects systems with concurrent network stack enabled. This
feature is enabled by default, but can be disabled (see WORKAROUND section
below).
This issue affects Juniper Networks Junos OS:
o 17.2R1-S7, 17.2R1-S8, 17.2R3 and later versions prior to 17.2R3-S4;
o 17.3 versions prior to 17.3R3-S9;
o 17.4 versions prior to 17.4R2-S11, 17.4R3-S2;
o 18.1 versions prior to 18.1R3-S11;
o 18.2 versions prior to 18.2R3-S5;
o 18.3 versions prior to 18.3R2-S4, 18.3R3-S3;
o 18.4 versions prior to 18.4R2-S5, 18.4R3-S4;
o 19.1 versions prior to 19.1R2-S2, 19.1R3;
o 19.2 versions prior to 19.2R1-S5, 19.2R2;
o 19.3 versions prior to 19.3R2-S4, 19.3R3;
o 19.4 versions prior to 19.4R1-S3, 19.4R2.
This issue does not affect Juniper Networks Junos OS 17.2 versions prior to
17.2R1-S7, or any version of 17.2R2.
Any configuration with IPv6 enabled on the management interface is vulnerable
to this issue. For example:
[interfaces fxp0 unit 0 family inet6]
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue was found during internal product security testing or research.
This issue has been assigned CVE-2021-0258 .
Solution:
The following software releases have been updated to resolve this specific
issue: Junos OS 17.2R3-S4, 17.3R3-S9, 17.4R2-S11, 17.4R3-S2, 18.1R3-S11,
18.2R3-S5, 18.3R2-S4, 18.3R3-S3, 18.4R2-S5, 18.4R3-S4, 19.1R2-S2, 19.1R3,
19.2R1-S5, 19.2R2, 19.3R2-S4, 19.3R3, 19.4R1-S3, 19.4R2, 20.1R1, and all
subsequent releases.
This issue is being tracked as 1477824 .
Workaround:
Disable TCP Parallelization:
set system kernel-smp-features disable-concurrent-network-stack
Implementation:
Software releases or updates are available for download at https://
support.juniper.net/support/downloads/
Modification History:
2021-04-14: Initial Publication.
2021-04-15: Further clarification of Junos OS 17.2 affected releases.
CVSS Score:
5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Severity Level:
Medium
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYHje9uNLKJtyKPYoAQi+Rw/+OtONGHU0C16g+/nWw7obUGx5Xvr3JHta
6UzdF0vF4C0nXQCXr8brAYFly47cmVgnUFmcFhYx9weTUlu5zxJ3IPd/sCPse+wJ
aNz/fHzv9ZvOpGQfKt59o8co8OlWTLGGWVPLL5edBjeIntKZRkb6N4RbhdDl1W0A
8SpChR5ZfIeBHwE+tKcl2SJjkvj25Kuo9T+eTSWGixvQTmcy7tO8tOM/Alk/o8bZ
zzkT+tYhGJcrICS/uOD0TEiHnUpX2rZtaF1cf75wjyH3VaeAXr8JcrozHbV1w/aj
McmjF3/jTMAsbw6N3T3fhsOI2P2an7kYizeKT//dXFEX5jtpHF5pxi+sdlRqIM+Z
aJrVTukvorMl5YnW/jUC6xupHi9b9/Ts9g+KUa62LsrDblOPgRPeQugM1h8Imq5G
TuzpzxOSkxUFxBHkDbUISpwPiTUjpAKunK1Lahn2fNrSWoFVDyaDhoefSVUXvsup
cgclRmA8Lfq2xK9ahh1lrrpNcxTOpK4EWubYNJyrFSdHVfiifFatn8uAU6w54nN5
QEMWrylJiNYmZ3C08QAq4fOfr8r9TnhjaY7Vgsj2xvYc7ozpr0VrP/iJmWqEYGjq
UUsx2IwfGDJGxkNszBtl3iBGuIWB/nCo600HQTHL2D6PBqxiszAJYuBUz1XH0/4K
SVXZPo22EZo=
=ROJv
-----END PGP SIGNATURE-----
ESB-2021.1288 - [Juniper] Juniper Products: Unauthorised access - Existing account
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1288
JSA11140 - 2021-04 Security Bulletin: Junos OS: PTX Series, QFX Series: Due
to a race condition input loopback firewall filters applied to interfaces
may not operate even when listed in the running configuration.
16 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Junos OS: PTX Series
Junos OS: QFX Series
Publisher: Juniper Networks
Operating System: Juniper
Impact/Access: Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-0247
Original Bulletin:
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11140
- --------------------------BEGIN INCLUDED TEXT--------------------
2021-04 Security Bulletin: Junos OS: PTX Series, QFX Series: Due to a race condition
input loopback firewall filters applied to interfaces may not operate even when listed
in the running configuration. (CVE-2021-0247)
Article ID : JSA11140
Last Updated: 15 Apr 2021
Version : 2.0
Product Affected:
This issue affects Junos OS 14.1, 14.1X53, 15.1, 15.1X53, 16.1, 16.2, 17.1,
17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2. Affected platforms: PTX
Series, QFX Series.
Problem:
A Race Condition (Concurrent Execution using Shared Resource with Improper
Synchronization) vulnerability in the firewall process (dfwd) of Juniper
Networks Junos OS allows an attacker to bypass the firewall rule sets applied
to the input loopback filter on any interfaces of a device.
This issue is detectable by reviewing the PFE firewall rules, as well as the
firewall counters and seeing if they are incrementing or not.
For example:
show firewall
Filter: __default_bpdu_filter__
Filter: FILTER-INET-01
Counters:
Name Bytes Packets
output-match-inet 0 0 <<<<<< missing firewall packet count
This issue affects:
Juniper Networks Junos OS:
o 14.1X53 versions prior to 14.1X53-D53 on QFX Series;
o 14.1 versions 14.1R1 and later versions prior to 15.1 versions prior to
15.1R7-S6 on QFX Series, PTX Series;
o 15.1X53 versions prior to 15.1X53-D593 on QFX Series;
o 16.1 versions prior to 16.1R7-S7 on QFX Series, PTX Series;
o 16.2 versions prior to 16.2R2-S11, 16.2R3 on QFX Series, PTX Series;
o 17.1 versions prior to 17.1R2-S11, 17.1R3-S2 on QFX Series, PTX Series;
o 17.2 versions prior to 17.2R1-S9, 17.2R3-S3 on QFX Series, PTX Series;
o 17.3 versions prior to 17.3R2-S5, 17.3R3-S7 on QFX Series, PTX Series;
o 17.4 versions prior to 17.4R2-S9, 17.4R3 on QFX Series, PTX Series;
o 18.1 versions prior to 18.1R3-S9 on QFX Series, PTX Series;
o 18.2 versions prior to 18.2R2-S6, 18.2R3-S3 on QFX Series, PTX Series;
o 18.3 versions prior to 18.3R1-S7, 18.3R2-S3, 18.3R3-S1 on QFX Series, PTX
Series;
o 18.4 versions prior to 18.4R1-S5, 18.4R2-S3, 18.4R3 on QFX Series, PTX
Series;
o 19.1 versions prior to 19.1R1-S4, 19.1R2-S1, 19.1R3 on QFX Series, PTX
Series;
o 19.2 versions prior to 19.2R1-S3, 19.2R2 on QFX Series, PTX Series.
This issue impact all filters families (inet, inet6, etc.) yet only on input
loopback filters.
It does not does not rely upon the location where a filter is set, impacting
both logical and physical interfaces.
Configuration examples for input filtering are posted on the support site and
in product documentation.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue was seen during production usage.
This issue has been assigned CVE-2021-0247 .
Solution:
The following software releases have been updated to resolve this specific
issue: Junos OS 14.1X53-D53, 15.1R7-S6, 15.1X53-D593, 16.1R7-S7, 16.2R2-S11,
16.2R3, 17.1R2-S11, 17.1R3-S2, 17.2R1-S9, 17.2R3-S3, 17.3R2-S5, 17.3R3-S7,
17.4R2-S9, 17.4R3, 18.1R3-S9, 18.2R2-S6, 18.2R3-S3, 18.3R1-S7, 18.3R2-S3,
18.3R3-S1, 18.4R1-S5, 18.4R2-S3, 18.4R3, 19.1R1-S4, 19.1R2-S1, 19.1R3,
19.2R1-S3, 19.2R2, 19.3R1, and all subsequent releases.
This issue is being tracked as 1430385 .
Workaround:
There are no viable workarounds for this issue.
Implementation:
Software releases or updates are available for download at https://
support.juniper.net/support/downloads/
Modification History:
2021-04-14: Initial Publication.
2021-04-15: Removed spurious 18.4R2-S7 release entry in problem description.
CVSS Score:
5.1 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L)
Severity Level:
Medium
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYHje5ONLKJtyKPYoAQiMzQ/8DwTqk5HcKojdutRzMbTRaE3qR3Qn8hnU
0yquz/M+oA+TYA0YXK5hBPC9tmdhXkUEP/dtJc6wgeNIiCqNC2WUA3vtK/m3MViD
+1lr9W9uB+VBCma68QDGBGdlfQpES/LxAICSu+65setPIc+GwYK7utYrkxTUPnBv
9DXdY+GWyGWXz8OnpR1jjLZpX+teZPGPJQPWm1Ai+aFj0G2m2lx1mxg8+BEz+fTK
G+j3cPr/ciauhEEJyp6Tq5s3pYuT5PnoO+KnsTl/nq0L+IWu8HHToqkM1ggmj94s
FzGTDThMUOzujeDXgy6Nm2VtflwK9QJsGpxpVpQwstzwrndvX28N2pZWU+RT2Ebo
9husVrgtEdqZFZuOthonQGXUSVc53SaW3+oXgpsUIdVkNLCsu2VnGBJodPHawlOi
yPoFumr4/nAmxBiRPPckYLdVATNkjBY8MS19lPQkex3S5FTbrIFHlyIivZkqgAYx
MbzW0dJoPmuryvtBRPSfKTbXmTlFTcPMzeJoaY3dQrjyDOCbO2D0p07l+/k+uA02
YiWsYjJmw0AEAuQNMONvwORbU26jXCIvg+fGnCdr3X4e1fKnmeuRAV7rdlWDE8+B
/X1oZAXUwkG08E9WK6x9zQ4XxhQCO1khymG3qzUTWvEEFlRLKdVj6dCw3vWHQkGI
hb54Y90MoOA=
=x5yL
-----END PGP SIGNATURE-----
ESB-2021.1171.2 - UPDATE [Cisco] Cisco Small Business RV Series Routers: Multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1171.2
Cisco Small Business RV Series Routers Link Layer Discovery
Protocol Vulnerabilities
16 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: RV132W ADSL2+ Wireless-N VPN Router
RV134W VDSL2 Wireless-AC VPN Router
RV160 VPN Router
RV160W Wireless-AC VPN Router
RV260 VPN Router
RV260P VPN Router with PoE
RV260W Wireless-AC VPN Router
RV320 Dual Gigabit WAN VPN Router
RV325 Dual Gigabit WAN VPN Router
RV340 Dual WAN Gigabit VPN Router
RV340W Dual WAN Gigabit Wireless-AC VPN Router
RV345 Dual WAN Gigabit VPN Router
RV345P Dual WAN Gigabit PoE VPN Router
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-1309 CVE-2021-1308 CVE-2021-1251
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-multi-lldp-u7e4chCe
Revision History: April 16 2021: Vendor updated vulnerable products and products confirmed not vulnerable.
April 8 2021: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Small Business RV Series Routers Link Layer Discovery Protocol
Vulnerabilities
Priority: High
Advisory ID: cisco-sa-rv-multi-lldp-u7e4chCe
First Published: 2021 April 7 16:00 GMT
Last Updated: 2021 April 15 15:38 GMT
Version 1.1: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvw62392 CSCvw62395 CSCvw62410 CSCvw62411 CSCvw62413
CSCvw62416 CSCvw62417 CSCvw62418 CSCvw94339 CSCvw94341
CSCvw95016 CSCvw95017 CSCvy01220
CVE Names: CVE-2021-1251 CVE-2021-1308 CVE-2021-1309
CWEs: CWE-119 CWE-130 CWE-400
Summary
o Multiple vulnerabilities exist in the Link Layer Discovery Protocol (LLDP)
implementation for Cisco Small Business RV Series Routers. An
unauthenticated, adjacent attacker could execute arbitrary code or cause an
affected router to leak system memory or reload. A memory leak or device
reload would cause a denial of service (DoS) condition on an affected
device.
For more information about these vulnerabilities, see the Details section
of this advisory.
Note: LLDP is a Layer 2 protocol. To exploit these vulnerabilities, an
attacker must be in the same broadcast domain as the affected device (Layer
2 adjacent).
Cisco has released software updates that address these vulnerabilities.
There are no workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-multi-lldp-u7e4chCe
Affected Products
o Vulnerable Products
These vulnerabilities affect the following Cisco Small Business RV Series
Routers if they are running a vulnerable firmware release and have LLDP
enabled:
RV132W ADSL2+ Wireless-N VPN Router
RV134W VDSL2 Wireless-AC VPN Router
RV160 VPN Router
RV160W Wireless-AC VPN Router
RV260 VPN Router
RV260P VPN Router with PoE
RV260W Wireless-AC VPN Router
RV320 Dual Gigabit WAN VPN Router
RV325 Dual Gigabit WAN VPN Router
RV340 Dual WAN Gigabit VPN Router
RV340W Dual WAN Gigabit Wireless-AC VPN Router
RV345 Dual WAN Gigabit VPN Router
RV345P Dual WAN Gigabit PoE VPN Router
For information about which Cisco firmware releases are vulnerable, see the
Fixed Software section of this advisory.
LLDP Configurations
For Cisco RV132W, RV134W, RV320, and RV325 Routers, LLDP is enabled by
default on all LAN ports and WAN interfaces.
For the following Cisco Small Business Routers, LLDP is enabled by default
on the LAN ports and disabled by default on the WAN interfaces:
RV160 VPN Router
RV160W Wireless-AC VPN Router
RV260 VPN Router
RV260P VPN Router with PoE
RV260W Wireless-AC VPN Router
RV340 Dual WAN Gigabit VPN Router
RV340W Dual WAN Gigabit Wireless-AC VPN Router
RV345 Dual WAN Gigabit VPN Router
RV345P Dual WAN Gigabit PoE VPN Router
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by these vulnerabilities.
Cisco has confirmed that these vulnerabilities do not affect the following
Cisco products:
RV016 Multi-WAN VPN Router
RV042 Dual WAN VPN Router
RV042G Dual Gigabit WAN VPN Router
RV082 Dual WAN VPN Router
Details
o These vulnerabilities are not dependent on one another. Exploitation of one
of the vulnerabilities is not required to exploit another vulnerability. In
addition, a software release that is affected by one of the vulnerabilities
may not be affected by the other vulnerabilities.
Details about the vulnerabilities are as follows:
CVE-2021-1309: Cisco Small Business RV Series Routers Link Layer Discovery
Protocol Remote Code Execution and Denial of Service Vulnerability
A vulnerability in the LLDP implementation for Cisco Small Business RV
Series Routers could allow an unauthenticated, adjacent attacker to execute
arbitrary code on an affected device or cause the device to reload.
This vulnerability is due to missing length validation of certain LLDP
packet header fields. An attacker could exploit this vulnerability by
sending a malicious LLDP packet to the targeted router. A successful
exploit could allow the attacker to execute code on the affected router or
cause it to reload unexpectedly, resulting in a DoS condition.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
Bug ID(s): CSCvw62392 , CSCvw62410 , CSCvw62413 , and CSCvw62416
CVE ID: CVE-2021-1309
Security Impact Rating (SIR): High
CVSS Base Score: 8.8
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-1251: Cisco Small Business RV Series Routers Link Layer Discovery
Protocol Memory Leak Denial of Service Vulnerability
A vulnerability in the LLDP implementation for Cisco Small Business RV
Series Routers could allow an unauthenticated, adjacent attacker to cause a
memory leak on an affected device.
This vulnerability is due to missing length validation of certain LLDP
packet header fields. An attacker could exploit this vulnerability by
sending a malicious LLDP packet to the targeted router. A successful
exploit could cause continuous memory consumption on an affected device and
eventually cause it to reload, resulting in a DoS condition.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
Bug ID(s): CSCvw94339 , CSCvw94341 , CSCvw95016 , CSCvw95017 , and
CSCvy01220
CVE ID: CVE-2021-1251
Security Impact Rating (SIR): High
CVSS Base Score: 7.4
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2021-1308: Cisco Small Business RV Series Routers Link Layer Discovery
Protocol Denial of Service Vulnerability
A vulnerability in the LLDP implementation for Cisco Small Business RV
Series Routers could allow an unauthenticated, adjacent attacker to cause
an affected router to reload unexpectedly.
This vulnerability is due to missing length validation of certain LLDP
packet header fields. An attacker could exploit this vulnerability by
sending a malicious LLDP packet to the targeted router. A successful
exploit could allow the attacker to cause the affected router to reload
unexpectedly, resulting in a DoS condition.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
Bug ID(s): CSCvw62395 , CSCvw62411 , CSCvw62417 , and CSCvw62418
CVE ID: CVE-2021-1308
Security Impact Rating (SIR): High
CVSS Base Score: 7.4
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Workarounds
o There are no workarounds that address these vulnerabilities.
Fixed Software
o Cisco has released free software updates that address the vulnerabilities
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Customers are advised to upgrade to an appropriate fixed firmware release
as indicated in the following table(s):
Cisco Small Business Fixed Releases
RV Series Routers
RV132W 1.0.1.15 and later
RV134W 1.0.1.21 and later
RV160, RV160W,
RV260, RV260P, and 1.0.01.03 and later
RV260W
Refer to End-of-Sale and End-of-Life Announcement for
RV320 and RV325 the Cisco RV320 and RV325 Dual Gigabit WAN VPN Router
.
RV340, RV340W, 1.0.03.21 and later
RV345, and RV345P
To download the firmware from the Software Center on Cisco.com, do the
following:
1. Click Browse all .
2. Choose Routers > Small Business Routers > Small Business RV Series
Routers .
3. Choose the appropriate router.
4. Choose Small Business Router Firmware .
5. Choose a release from the left pane of the product page.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerabilities that are
described in this advisory.
Source
o Cisco would like to thank Qian Chen of Qihoo 360 Nirvan Team for reporting
these vulnerabilities.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-multi-lldp-u7e4chCe
Revision History
o +---------+------------------------+---------------+--------+-------------+
| Version | Description | Section | Status | Date |
+---------+------------------------+---------------+--------+-------------+
| | Added that the RV320 | | | |
| | and RV325 hardware | | | |
| | platforms are | Vulnerable | | |
| | vulnerable. Added that | Products, | | |
| | RV016, RV042, and | Products | | |
| 1.1 | RV082 are not | Confirmed Not | Final | 2021-APR-15 |
| | vulnerable. Added | Vulnerable, | | |
| | Cisco bug ID | Details, and | | |
| | CSCvy01220 to advisory | Fixed | | |
| | header and to the | Software | | |
| | details for | | | |
| | CVE-2021-1251. | | | |
+---------+------------------------+---------------+--------+-------------+
| 1.0 | Initial public | - | Final | 2021-APR-07 |
| | release. | | | |
+---------+------------------------+---------------+--------+-------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYHj5UONLKJtyKPYoAQguqBAAo3v+zaSn5bQJ4+b+gGfp/FwJM8bZzsQa
9WpY3278TArYMdQFd0ToXE1bptUYovzKSbhcK7NFtKz34UGjc/AG1IyHbPhIj4DG
0xkKmfm0tR8BnI4BDvrk0EVOKkNuhMruD0F82qgLdDl0Kc2GREfXYrgbfPWvljvG
GSZ2KWftCotFhDaslQBH6K8rldUsEtkS1kOABCHG4eyGVi6xDPOU7l4lPKNT6zIz
41s3hDWM2dT7xOmb8Pjdwge3I3Gk+MTfVHny7IC9r6vYPZXjtwvR+G3rmMQRMF0+
4zMqj+PV75CgVmsVVdy4E8+Qj0yRP6mN5LTiCucq5t0twozMkks5/s8JSPyJVYR3
/79ax9b+kXu7bUNcyPTzgr8D4lq68cN/rOhnC1pTudtxbunhJvYFo6HXuA04q3YY
F3QM8mgACMidsyaBPRj30aXHJ8NZm/LhJfPzLmqbblYealhnRJiNGql+sJYV2RZF
fmNmFCwWEOzsxJ/OXRa8HeUAZFCjBywL25xiDz/7AiCQpvAOBwbI8vEdnTRqFo1r
3LZCIEBknjciXxTMcTlKCH3/FR/TGM2KT2x+TW2m+pasebTNbVx3ou301imZUZxG
A3kTaXpt8E1Pu1aEUlqAuy/kQtQxgE4bl5A7ooZB7Zqvc3p7ImIITlPAvcfuwEmG
5rvB/hknNkA=
=Jo9v
-----END PGP SIGNATURE-----
ESB-2020.3249.3 - UPDATE [Appliance] FreeType: Multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.3249.3
F5 products: FreeType vulnerability CVE-2015-9382
16 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: FreeType
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2015-9382
Reference: ESB-2019.3358
Original Bulletin:
https://support.f5.com/csp/article/K46641512
Revision History: April 16 2021: Vendor released fixes for BIG-IP Products
January 6 2021: Additional vulnerable versions added by vendor
September 23 2020: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
K46641512: FreeType vulnerability CVE-2015-9382
Original Publication Date: 23 Sep, 2020
Latest Publication Date: 16 Apr, 2021
Security Advisory Description
FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c
because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face
operation. (CVE-2015-9382)
Impact
An attacker may be able to use a maliciously crafted file to create a buffer
overflow and potentially expose small amounts of memory from the PostScript
process.
Security Advisory Status
F5 Product Development has assigned ID 945109 (BIG-IP) and ID 947305 (BIG-IQ)
to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |16.x |16.0.0 - |None | | | |
| | |16.1.0 | | | | |
| +------+----------+----------+ | | |
| |15.x |15.1.0 - |None | | | |
| | |15.1.2 | | | | |
|BIG-IP (LTM, AAM, +------+----------+----------+ | | |
|Advanced WAF, AFM, |14.x |14.1.0 - |14.1.4.1 | | | |
|Analytics, APM, | |14.1.4 | | | |Linux |
|ASM, DDHD, DNS, +------+----------+----------+Medium |4.3 |kernel |
|FPS, GTM, Link |13.x |13.1.0 - |None | | |(BaseOS) |
|Controller, PEM, | |13.1.3 | | | | |
|SSLO) +------+----------+----------+ | | |
| |12.x |12.1.0 - |12.1.6 | | | |
| | |12.1.5 | | | | |
| +------+----------+----------+ | | |
| |11.x |11.6.1 - |11.6.5.3 | | | |
| | |11.6.5 | | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |8.x |8.0.0 |None | | | |
| +------+----------+----------+ | | |
| |7.x |7.0.0 - |None | | | |
|BIG-IQ Centralized | |7.1.0 | | | |Linux |
|Management +------+----------+----------+Medium |4.3 |kernel |
| |6.x |6.0.0 - |None | | |(BaseOS) |
| | |6.1.0 | | | | |
| +------+----------+----------+ | | |
| |5.x |5.4.0 |None | | | |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
Do not allow Postscript files to be uploaded for customization or hosted
content.
Supplemental Information
o K41942608: Overview of security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
o K15106: Managing BIG-IQ product hotfixes
o K15113: BIG-IQ hotfix and point release matrix
o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM
systems (11.4.x and later)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYHkAk+NLKJtyKPYoAQjloA//WQ4ZuAqrQV3WHmKvIpr8jZyTD6UzUCu1
Y+sqr6GtMOcFnhYdoWsQES0qlsMyj+c3siFa/TXRqm24/opzV9TiE+/m7i2JteaY
i2d6QDIBmnzcTsL2+DGcqOZGL4BZjVpo7WFlmOquVkyghQUwhMpFo7p37nmR31/M
Za9ASQW2oQrF5/R0an7L+ORrwh3jM48OU6D2/35wUF73+7mqCyG4O6IY7jC5gUSa
yPI1mXFakVisTZkFRUUlPEjbns0eMpE676aJAnMqPpeR6DPp8XUTOfGITH2Xxf0f
njJzBfJFNRwc0x2CSWANITf/efXUIDu5l3RFPw9SxWaltXSdKtUSQRnxRYYnSXt/
GicI0yDgvPXpo5OQRoMq+PaYWMX8vhzvXBtRjSg4Wl1/GLts02Xxbj2aP21iUpl4
1/2Fg1FlRbcydub/d1LDOJf5Q9VEwTOfg0hbDMHgNyqLkSoSN2kpT8uTiDGFvG2D
ZLACEus2C3mdOdXCt88f6lY6V19oakfb5cB7LhdwqaqD0Zk/o0mFIOyPwQ1oKhev
BVI8Jj7N6rDJgXRnLTDNT2TisOtcpuvXjF6iG2M8I18by8SLxgzed3FIYGhEUOIB
8IgVHd9NsXnPwedopQ2VvEbxy7YqnbWV+htsZ8H77MKX56rUGdF3HEk5+6DIcHCt
i7a7aTLAGo8=
=AliV
-----END PGP SIGNATURE-----
ESB-2020.1562.3 - UPDATE [Appliance] F5 BIG-IP and BIG-IQ Products: Execute arbitrary code/commands - Existing account
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.1562.3
F5 secure shell vulnerability CVE-2020-5873
16 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: F5 BIG-IP Products
F5 BIG-IQ Products
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-5873
Original Bulletin:
https://support.f5.com/csp/article/K03585731
Revision History: April 16 2021: Vendor released fixes for BIG-IQ Centralized Management.
May 14 2020: Vendor released minor update
May 1 2020: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
K03585731: F5 secure shell vulnerability CVE-2020-5873
Original Publication Date: 30 Apr, 2020
Latest Publication Date: 16 Apr, 2021
Security Advisory Description
A user associated with the Resource Administrator role who has access to the
secure copy (scp) utility but does not have access to Advanced Shell (bash) can
execute arbitrary commands using a maliciously crafted scp request. (
CVE-2020-5873)
Impact
An authenticated user with Resource Administrator role can run shell commands
with elevated privilege.
Security Advisory Status
F5 Product Development has assigned ID 780601 (BIG-IP), and ID 790469 (BIG-IQ)
to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases or hotfixes that
address the vulnerability, refer to the following table. For more information
about security advisory versioning, refer to K51812227: Understanding Security
Advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |15.x |15.0.0 - |15.1.0 | | | |
| | |15.0.1 |15.0.1.1 | | | |
| +------+----------+----------+ | | |
| |14.x |14.1.0 - |14.1.2.4^2| | | |
|BIG-IP (LTM, AAM, | |14.1.2 | | | | |
|AFM, Analytics, +------+----------+----------+ | | |
|APM, ASM, DNS, FPS,|13.x |13.1.0 - |13.1.3.2 |High |7.8 |SSH |
|GTM, Link | |13.1.3 | | | | |
|Controller, PEM) +------+----------+----------+ | | |
| |12.x |12.1.0 - |12.1.5.1 | | | |
| | |12.1.5 | | | | |
| +------+----------+----------+ | | |
| |11.x |11.6.1 - |11.6.5.1 | | | |
| | |11.6.5 | | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |8.x |None |8.0.0 | | | |
| +------+----------+----------+ | | |
| |7.x |7.0.0 - |None | | | |
| | |7.1.0 | | | | |
|BIG-IQ Centralized +------+----------+----------+High |7.8 |SSH |
|Management |6.x |6.0.0 - |None | | | |
| | |6.1.0 | | | | |
| +------+----------+----------+ | | |
| |5.x |5.3.0 - |None | | | |
| | |5.4.0 | | | | |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
^2BIG-IP 14.1.2.4 is not a supported release; please use a later release. Refer
to K5903: BIG-IP software support policy.
Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
To mitigate this vulnerability, you can limit access to the management and self
IP ports and limit login access to trusted users. For more information about
securing access to the affected systems:
o For BIG-IP or Enterprise Manager systems, refer to K13309: Restricting
access to the Configuration utility by source IP address (11.x - 15.x) and
K13092: Overview of securing access to the BIG-IP system.
o For BIG-IQ systems, refer to K31401771: Restricting access to the BIG-IQ or
F5 iWorkflow user interface by source IP address. For BIG-IQ systems, you
may need to include addresses of the managed BIG-IP systems, high
availability (HA) peers, and DCD nodes, depending on your configuration.
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K15106: Managing BIG-IQ product hotfixes
o K15113: BIG-IQ hotfix and point release matrix
o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM
systems (11.4.x and later)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYHkAgONLKJtyKPYoAQikzxAAqeqeCN9ykIlCBY61GerIMDybgi8/LKUf
n5bGK+9NDCAq5WDuTneOvtNKhAv/pK1STQeaPsrwkrOcGB+0bQ+xyZsgw5ZaDNNq
s40M+MrMgT8bNi9mDOUnJiJcolkA2oCWK7K0phAwH5i9A7lwENM7IURTmLa14qn1
USxzaVETafdhh/TXiBLeWLPq5afNQUV+t7IRSwEY36RWYai20Y8CnOZS17zG8ROG
hoyh8edPJ6JZScrN05B1uAwIjihjHuX/VeyKJo9UvKbz//LoA06vzBvxmkL0S0FM
OFQzFMbOJhCBX2T9eXXzjVbLvYXKr4a/fUiD2sb4M2rYiwKPJPcplos9MOgPrNyK
K+vMZL2V5IZuPE2Zzm/6ZkmT/7vfqZRU+UV/8YqICxKOs5vI0bvbqoN820rUy6+9
UztodUNSHsRWBCTV9FzHKNNmmCd6FTDAYZSsbL5Y7HC0mhvX5RD1J7kDzQJgbINh
5p5EeBNjpUR26iAkuKz9Uei9uXCAyP/MNoh+bKr2NKAZHwW0zL8JB8VyAujRT6Md
uyIlFTXHjXaFEaWoAd4PrB0opj/a9GG3ig/OIe8YCxmZdq60tg98+4KQJMGl1vdF
jvnCiNxQFIok1I2ETYkQCIIqLzBZO47raHp0ghVEixFoCwuqTRZ1AfkFeYWig6N0
JEF/eOqEZK8=
=c7na
-----END PGP SIGNATURE-----
CVE-2018-19942
A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 build 20210202 (and later) QTS 4.5.1.1456 build 20201015 (and later) QTS 4.3.6.1446 build 20200929 (and later) QTS 4.3.4.1463 build 20201006 (and later) QTS 4.3.3.1432 build 20201006 (and later) QTS 4.2.6 build 20210327 (and later) QuTS hero h4.5.1.1472 build 20201031 (and later) QuTScloud c4.5.4.1601 build 20210309 (and later) QuTScloud c4.5.3.1454 build 20201013 (and later)
Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.5
Description. CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') The vulnerability allows a remote attacker to perform a denial of service (DoS) attack. The vulnerability exists due to a race condition in some net/http servers, as demonstrated by the httputil.
ISC Stormcast For Friday, April 16th, 2021 https://isc.sans.edu/podcastdetail.html?id=7460, (Fri, Apr 16th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
CVE-2021-27691
Command Injection in Tenda G0 routers with firmware versions v15.11.0.6(9039)_CN and v15.11.0.5(5876)_CN , and Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted action/setDebugCfg request. This occurs because the "formSetDebugCfg" function executes glibc's system function with untrusted input.
CVE-2021-27692
Command Injection in Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted "action/umountUSBPartition" request. This occurs because the "formSetUSBPartitionUmount" function executes the "doSystemCmd" function with untrusted input.
Name:Wreck – Forscher entdecken weitere Schwachstellen in TCP/IP-Stacks
Gleich acht Sicherheitslücken in bestimmten Versionen der Stack-Implementierungen von Nucleus Net (Siemens), FreeBSD und NetX alias Azure RTOS NetX (Microsoft) melden Sicherheitsforscher der Firma Forescout. Hinzu kommt eine "wiederentdeckte", aber schon lange gepatchte Lücke in IPNet. Die Forscher nenne ihre aktuelle Entdeckung "Name:Wreck".
Are Your Nagios XI Servers Turning Into Cryptocurrency Miners for Attackers?
Executive Summary. On March 16, 2021, Unit 42 researchers observed an attacker targeting Nagios XI software to exploit the vulnerability CVE-2021-25296 , a remote command injection vulnerability impacting Nagios XI version 5.7.5, to conduct a cryptojacking attack and deploy the XMRig coinminer on victims’ devices.
USN-4917-1: Linux kernel vulnerabilities
It was discovered that the overlayfs implementation in the Linux kernel did
not properly validate the application of file system capabilities with
respect to user namespaces. A local attacker could use this to gain
elevated privileges. (CVE-2021-3493)
Vincent Dehors discovered that the shiftfs file system in the Ubuntu Linux
kernel did not properly handle faults in copy_from_user() when passing
through ioctls to an underlying file system. A local attacker could use
this to cause a denial of service (memory exhaustion) or execute arbitrary
code. (CVE-2021-3492)
Piotr Krysiuk discovered that the BPF JIT compiler for x86 in the Linux
kernel did not properly validate computation of branch displacements in
some situations. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2021-29154)