Currently browsing: General

VU#709991: Netatalk contains multiple error and memory management vulnerabilities

VU#709991: Netatalk contains multiple error and memory management vulnerabilities

Overview
There are six new vulnerabilities in the latest release of Netatalk (3.1.12) that could allow for Remote Code Execution as well as Out-of-bounds Read.
Description
Below are the new CVEs. Per ZDI:
CVE-2022-0194
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the ad_addcomment function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.
CVE-2022-23121
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the parse_entries function. The issue results from the lack of proper error handling when parsing AppleDouble entries. An attacker can leverage this vulnerability to execute code in the context of root.
CVE-2022-23122
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the setfilparams function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.
CVE-2022-23124
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the get_finderinfo method. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root.
CVE-2022-23125
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the copyapplfile function. When parsing the len element, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.
CVE-2022-23123
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the getdirparams method. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root.
For more detailed information, please review the Netatalk announcement. Also available for reference are releases detailing the information from ZDI & Western Digital.
Netatalk does not regularly receive security updates, is receiving security research attention, and is difficlut to get right because reverse engineering a proprietary protocol. WD has removed Netatalk code from NAS firmware. We suggest Samba+vfs_fruit for longer term use (more likely to get security updates in a timely way).
(see samba vfs_fruit vuls).
Impact
An unauthenticated, remote attacker can execute arbitrary code on affected installations of Netatalk.
Solution
Netatalk has released version 3.1.13.
Acknowledgements
Thanks to ZDI, Western Digital, and Netatalk for researching and coordinating these vulnerabilities.
This document was written by James Stanley and Art Manion.

Read more
VU#434994: Multiple race conditions due to TOCTOU flaws in various UEFI Implementations

VU#434994: Multiple race conditions due to TOCTOU flaws in various UEFI Implementations

Overview
Multiple Unified Extensible Firmware Interface (UEFI) implementations are vulnerable to code execution in System Management Mode (SMM) by an attacker who gains administrative privileges on the local machine. An attacker can corrupt the memory using Direct Memory Access (DMA) timing attacks that can lead to code execution. These threats are collectively referred to as RingHopper attacks.
Description
The UEFI standard provides an open specification that defines a software interface between an operating system (OS) and the device hardware on the system. UEFI can interface directly with hardware below the OS using SMM, a high-privilege CPU mode. SMM operations are closely managed by the CPU using a dedicated portion of memory called the SMRAM. The SMM can only be entered through System Management Interrupt (SMI) Handlers using a communication buffer. SMI Handlers are essentially a system-call to access the CPU’s SMRAM from its current operating mode, typically Protected Mode.
A race condition involving the access and validation of the SMRAM can be achieved using DMA timing attacks that rely on time-of-use (TOCTOU) conditions. An attacker can use well-timed probing to try and overwrite the contents of SMRAM with arbitrary data, leading to attacker code being executed with the same elevated-privileges available to the CPU (i.e., Ring -2 mode). The asynchronous nature of SMRAM access via DMA controllers enables the attacker to perform such unauthorized access and bypass the verifications normally provided by the SMI Handler API.
The Intel-VT and Intel VT-d technologies provide some protection against DMA attacks using Input-Output Memory Management Unit (IOMMU) to address DMA threats. Although IOMMU can protect from DMA hardware attacks, SMI Handlers vulnerable to RingHopper may still be abused. SMRAM verification involving validation of nested pointers adds even more complexity when analyzing how various SMI Handlers are used in UEFI.
Impact
An attacker with either local or remote administrative privileges can exploit DMA timing attacks to elevate privileges beyond the operating system and execute arbitrary code in SMM mode (Ring -2). These attacks can be invoked from the OS using vulnerable SMI Handlers. In some cases, the vulnerabilities can be triggered in the UEFI early boot phases (as well as sleep and recovery) before the operating system is fully initialized.
A successful attack enables any of the following impacts:
Invalidation or bypass of UEFI security features (SecureBoot, Intel BootGuard).
Installation of persistent software that cannot be easily detected or erased.
Creation of backdoors and back communications channels to exfiltrate sensitive data
Interruption of system execution leading to permanent shutdown.
Because these attacks are against UEFI supported firmware, OS and EDR solutions may have diminished visibility into unauthorized access.
Solution
Install the latest stable version of UEFI firmware provided by your PC vendor or by the reseller of your computing environments. See the links below for resources and updates provided by specific vendors to address these issues.
If your operating system supports automatic or managed updates for firmware, such as Linux Vendor Firmware Service (LVFS), check (fwupdmgr get-updates) and apply the firmware updates provided by LVFS using fwupdmgr update as appropriate.
Acknowledgements
Thanks to the Intel iStare researchers Jonathan Lusky and Benny Zeltser who discovered and reported this vulnerability.
This document was written by Vijay Sarvepalli and Jeffrey S. Havrilla.

Read more
VU#794340: OpenSSL 3.0.0 to 3.0.6 decodes some punycode email addresses in X.509 certificates improperly

VU#794340: OpenSSL 3.0.0 to 3.0.6 decodes some punycode email addresses in X.509 certificates improperly

Overview
Two buffer overflow vulnerabilities were discovered in OpenSSL versions 3.0.0 through 3.0.6. These vulnerabilities were introduced in version 3.0.0 with the inclusion of support for punycode email address parsing for X.509 certificates. OpenSSL’s assessment of the severity of the vulnerabilities has reduced from CRITICAL to HIGH, and OpenSSL 3.0.7 addresses the issues.
Description
Two buffer overflows have been reported in the OpenSSL 3.0.x branch prior to version 3.0.7 that, when exploited, may lead to denial of services or, in some cases, remote code execution in the vulnerable target environment. OpenSSL client and server implementations that use the vulnerable libraries are affected. The server implementation also requires that TLS client authentication is enabled in order to attack, and potentially exploit, a vulnerable target. OpenSSL provides details:
* Fixed two buffer overflows in punycode decoding functions.

A buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking. Note that this occurs after
certificate chain signature verification and requires either a CA to
have signed the malicious certificate or for the application to continue
certificate verification despite failure to construct a path to a trusted
issuer.

In a TLS client, this can be triggered by connecting to a malicious
server. In a TLS server, this can be triggered if the server requests
client authentication and a malicious client connects.

An attacker can craft a malicious email address to overflow
an arbitrary number of bytes containing the `.` character (decimal 46)
on the stack. This buffer overflow could result in a crash (causing a
denial of service).
([CVE-2022-3786])

An attacker can craft a malicious email address to overflow four
attacker-controlled bytes on the stack. This buffer overflow could
result in a crash (causing a denial of service) or potentially remote code
execution depending on stack layout for any given platform/compiler.
([CVE-2022-3602])

OpenSSL versions 1.1.1 and 1.0.2 are not affected.
CERT/CC is unaware of any exploitation of this vulnerability at this time.
Impact
Successful exploitation could lead to denial of service or remote execution of arbitrary code in the target environment.
Solution
Any services depending on versions of OpenSSL 3.0.x prior to OpenSSL 3.0.7 should be upgraded to version 3.0.7 or later. Operators may also consider temporarily disabling TLS client authentication until applying an update.
Acknowledgements
Thanks to OpenSSL for coordinating and remediating the vulnerability. Polar Bear is credited as having discovered CVE–2022-3602. Viktor Dukhovni is reported as the source of CVE-2022-3786.
This document was written by Kevin Stephens, Eric Hatleback, Vijay Sarvepalli, and Jeffrey S. Havrilla.

Read more

VU#730793: Heimdal Kerbos vulnerable to remotely triggered NULL pointer dereference

Overview
The Heimdal Software Kerberos 5 implementation is vulnerable to a null pointer dereferance. An attacker with network access to an application that depends on the vulnerable code path can cause the application to crash.
Description
A flawed logical condition allows a malicious actor to remotely trigger a NULL pointer dereference using a crafted negTokenInit token.
Impact
An attacker can use a specially crafted network packet to cause a vulnerable application to crash.
Solution
The latest version of code in the Heimdal master branch fixes the issue. However, the current stable release 7.7.0 does not include the fix.
Acknowledgements
Thanks to the International Continence Society for reporting this issue.
This document was written by Kevin Stephens.

Read more