-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.0252
       2024-01 Security Bulletin: CTPView: Multiple vulnerabilities
                        in CTPView (CVE-yyyy-nnnn)
                              11 January 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           CTPView
Publisher:         Juniper Networks
Operating System:  Juniper
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-22942 CVE-2022-0330 CVE-2021-44790
                   CVE-2021-39275 CVE-2021-34798 CVE-2021-26691
                   CVE-2021-4155 CVE-2021-3752 CVE-2021-3621
                   CVE-2021-3573 CVE-2021-3564 CVE-2021-0920
                   CVE-2020-0466 CVE-2020-0465 

Original Bulletin: 
   https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-CTPView-Multiple-vulnerabilities-in-CTPView-CVE-yyyy-nnnn

Comment: CVSS (Max):  9.8 CVE-2021-44790 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Juniper Networks
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Article ID:       JSA75736

Product Affected: These issues affect all versions of CTPView.

Severity Level:   Critical

CVSS Score:       9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem:

CTPView release 9.1R5 addresses multiple vulnerabilities in third-party libraries
found in prior releases by updating the affected open source software components.

These issues affect Juniper Networks CTPView versions prior to 9.1R5.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

These issues were discovered during external security research.

The resolved issues include:

+--------------+------------+-------------------------------------------------+
|     CVE      |    CVSS    |                     Summary                     |
+--------------+------------+-------------------------------------------------+
|              |            |In various methods of hid-multitouch.c, there is |
|              |6.8 (       |a possible out of bounds write due to a missing  |
|              |CVSS:3.1/   |bounds check. This could lead to local escalation|
|CVE-2020-0465 |AV:P/AC:L/  |of privilege with no additional execution        |
|              |PR:N/UI:N/  |privileges needed. User interaction is not needed|
|              |S:U/C:H/I:H/|for exploitation. Product: Android. Versions:    |
|              |A:H )       |Android kernel. Android ID: A-162844689.         |
|              |            |References: Upstream kernel                      |
+--------------+------------+-------------------------------------------------+
|              |            |In do_epoll_ctl and ep_loop_check_proc of        |
|              |7.8 (       |eventpoll.c, there is a possible use after free  |
|              |CVSS:3.1/   |due to a logic error. This could lead to local   |
|CVE-2020-0466 |AV:L/AC:L/  |escalation of privilege with no additional       |
|              |PR:L/UI:N/  |execution privileges needed. User interaction is |
|              |S:U/C:H/I:H/|not needed for exploitation. Product: Android.   |
|              |A:H )       |Versions: Android kernel. Android ID:            |
|              |            |A-147802478. References: Upstream kernel         |
+--------------+------------+-------------------------------------------------+
|              |            |In unix_scm_to_skb of af_unix.c, there is a      |
|              |6.4 (       |possible use after free bug due to a race        |
|              |CVSS:3.1/   |condition. This could lead to local escalation of|
|CVE-2021-0920 |AV:L/AC:H/  |privilege with System execution privileges       |
|              |PR:H/UI:N/  |needed. User interaction is not needed for       |
|              |S:U/C:H/I:H/|exploitation. Product: Android. Versions: Android|
|              |A:H )       |kernel. Android ID: A-196926917. References:     |
|              |            |Upstream kernel                                  |
+--------------+------------+-------------------------------------------------+
|              |9.8 (       |                                                 |
|              |CVSS:3.1/   |In Apache HTTP Server versions 2.4.0 to 2.4.46 a |
|CVE-2021-26691|AV:N/AC:L/  |specially crafted SessionHeader sent by an origin|
|              |PR:N/UI:N/  |server could cause a heap overflow               |
|              |S:U/C:H/I:H/|                                                 |
|              |A:H )       |                                                 |
+--------------+------------+-------------------------------------------------+
|              |7.5 (       |                                                 |
|              |CVSS:3.1/   |Malformed requests may cause the server to       |
|CVE-2021-34798|AV:N/AC:L/  |dereference a NULL pointer. This issue affects   |
|              |PR:N/UI:N/  |Apache HTTP Server 2.4.48 and earlier.           |
|              |S:U/C:N/I:N/|                                                 |
|              |A:H )       |                                                 |
+--------------+------------+-------------------------------------------------+
|              |5.5 (       |A double-free memory corruption flaw in the Linux|
|              |CVSS:3.1/   |kernel HCI device initialization subsystem was   |
|CVE-2021-3564 |AV:L/AC:L/  |found in the way a user attaches a malicious HCI |
|              |PR:L/UI:N/  |TTY Bluetooth device. A local user could use this|
|              |S:U/C:N/I:N/|flaw to crash the system. This flaw affects all  |
|              |A:H )       |the Linux kernel versions starting from 3.13.    |
+--------------+------------+-------------------------------------------------+
|              |            |A use-after-free in function hci_sock_bound_ioctl|
|              |            |() of the Linux kernel HCI subsystem was found in|
|              |            |the way a user calls the ioctl HCIUNBLOCKADDR or |
|              |6.4 (       |otherwise triggers a race condition of the call  |
|              |CVSS:3.1/   |hci_unregister_dev() together with one of the    |
|CVE-2021-3573 |AV:L/AC:H/  |calls hci_sock_blacklist_add(),                  |
|              |PR:H/UI:N/  |hci_sock_blacklist_del(), hci_get_conn_info(),   |
|              |S:U/C:H/I:H/|hci_get_auth_info(). A privileged local user     |
|              |A:H )       |could use this flaw to crash the system or       |
|              |            |escalate their privileges on the system. This    |
|              |            |flaw affects the Linux kernel versions prior to  |
|              |            |5.13-rc5.                                        |
+--------------+------------+-------------------------------------------------+
|              |            |A flaw was found in SSSD, where the sssctl       |
|              |8.8 (       |command was vulnerable to shell command injection|
|              |CVSS:3.1/   |via the logs-fetch and cache-expire subcommands. |
|              |AV:N/AC:L/  |This flaw allows an attacker to trick the root   |
|CVE-2021-3621 |PR:N/UI:R/  |user into running a specially crafted sssctl     |
|              |S:U/C:H/I:H/|command, such as via sudo, to gain root access.  |
|              |A:H )       |The highest threat from this vulnerability is to |
|              |            |confidentiality, integrity, as well as system    |
|              |            |availability.                                    |
+--------------+------------+-------------------------------------------------+
|              |            |A use-after-free flaw was found in the Linux     |
|              |7.1 (       |kernel's Bluetooth subsystem in the way user     |
|              |CVSS:3.1/   |calls connect to the socket and disconnect       |
|CVE-2021-3752 |AV:A/AC:H/  |simultaneously due to a race condition. This flaw|
|              |PR:L/UI:N/  |allows a user to crash the system or escalate    |
|              |S:U/C:H/I:H/|their privileges. The highest threat from this   |
|              |A:H )       |vulnerability is to confidentiality, integrity,  |
|              |            |as well as system availability.                  |
+--------------+------------+-------------------------------------------------+
|              |9.8 (       |ap_escape_quotes() may write beyond the end of a |
|              |CVSS:3.1/   |buffer when given malicious input. No included   |
|CVE-2021-39275|AV:N/AC:L/  |modules pass untrusted data to these functions,  |
|              |PR:N/UI:N/  |but third-party / external modules may. This     |
|              |S:U/C:H/I:H/|issue affects Apache HTTP Server 2.4.48 and      |
|              |A:H )       |earlier.                                         |
+--------------+------------+-------------------------------------------------+
|              |5.5 (       |A data leak flaw was found in the way            |
|              |CVSS:3.1/   |XFS_IOC_ALLOCSP IOCTL in the XFS filesystem      |
|CVE-2021-4155 |AV:L/AC:L/  |allowed for size increase of files with unaligned|
|              |PR:L/UI:N/  |size. A local attacker could use this flaw to    |
|              |S:U/C:H/I:N/|leak data on the XFS filesystem otherwise not    |
|              |A:N )       |accessible to them.                              |
+--------------+------------+-------------------------------------------------+
|              |9.8 (       |A carefully crafted request body can cause a     |
|              |CVSS:3.1/   |buffer overflow in the mod_lua multipart parser  |
|              |AV:N/AC:L/  |(r:parsebody() called from Lua scripts). The     |
|CVE-2021-44790|PR:N/UI:N/  |Apache httpd team is not aware of an exploit for |
|              |S:U/C:H/I:H/|the vulnerability though it might be possible to |
|              |A:H )       |craft one. This issue affects Apache HTTP Server |
|              |            |2.4.51 and earlier.                              |
+--------------+------------+-------------------------------------------------+
|              |7.8 (       |A random memory access flaw was found in the     |
|              |CVSS:3.1/   |Linux kernel's GPU i915 kernel driver            |
|CVE-2022-0330 |AV:L/AC:L/  |functionality in the way a user may run malicious|
|              |PR:L/UI:N/  |code on the GPU. This flaw allows a local user to|
|              |S:U/C:H/I:H/|crash the system or escalate their privileges on |
|              |A:H )       |the system.                                      |
+--------------+------------+-------------------------------------------------+
|              |7.8 (       |The vmwgfx driver contains a local privilege     |
|              |CVSS:3.1/   |escalation vulnerability that allows unprivileged|
|CVE-2022-22942|AV:L/AC:L/  |users to gain access to files opened by other    |
|              |PR:L/UI:N/  |processes on the system through a dangling 'file'|
|              |S:U/C:H/I:H/|pointer.                                         |
|              |A:H )       |                                                 |
+--------------+------------+-------------------------------------------------+

Solution:

The following software releases have been updated to resolve this specific
issue: 9.1R5, and all subsequent releases.

This issue is being tracked as PR 1661929 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).

Workaround:

Use access lists or firewalls to limit access to the device only from trusted
hosts.

Modification History:

2024-01-10: Initial Publication

Related Information:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories
  o Report a Security Vulnerability - How to Contact the Juniper Networks
    Security Incident Response Team

Last Updated: 2024-01-10
Created:      2024-01-10

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----