-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.0252
       2024-01 Security Bulletin: CTPView: Multiple vulnerabilities in
                          CTPView (CVE-yyyy-nnnn)
                               11 January 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           CTPView
Publisher:         Juniper Networks
Operating System:  Juniper
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-22942 CVE-2022-0330 CVE-2021-44790
                   CVE-2021-39275 CVE-2021-34798 CVE-2021-26691
                   CVE-2021-4155 CVE-2021-3752 CVE-2021-3621
                   CVE-2021-3573 CVE-2021-3564 CVE-2021-0920
                   CVE-2020-0466 CVE-2020-0465

Original Bulletin:
   https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-CTPView-Multiple-vulnerabilities-in-CTPView-CVE-yyyy-nnnn

Comment: CVSS (Max):  9.8 CVE-2021-44790 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Juniper Networks
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Article ID:       JSA75736
Product Affected: These issues affect all versions of CTPView.
Severity Level:   Critical
CVSS Score:       9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem:

CTPView release 9.1R5 addresses multiple vulnerabilities in 3rd party
libraries found in prior releases with updated open source software
components.

These issues affect Juniper Networks CTPView versions prior to 9.1R5.

Juniper SIRT is not aware of any malicious exploitation of these
vulnerabilities.

These issues were discovered during external security research.
The resolved issues include:

CVE-2020-0465   CVSS 6.8 (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
   In various methods of hid-multitouch.c, there is a possible out of bounds
   write due to a missing bounds check. This could lead to local escalation
   of privilege with no additional execution privileges needed. User
   interaction is not needed for exploitation. Product: Android. Versions:
   Android kernel. Android ID: A-162844689. References: Upstream kernel.

CVE-2020-0466   CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
   In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a
   possible use after free due to a logic error. This could lead to local
   escalation of privilege with no additional execution privileges needed.
   User interaction is not needed for exploitation. Product: Android.
   Versions: Android kernel. Android ID: A-147802478. References: Upstream
   kernel.

CVE-2021-0920   CVSS 6.4 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
   In unix_scm_to_skb of af_unix.c, there is a possible use after free bug
   due to a race condition. This could lead to local escalation of privilege
   with System execution privileges needed. User interaction is not needed
   for exploitation. Product: Android. Versions: Android kernel. Android ID:
   A-196926917. References: Upstream kernel.

CVE-2021-26691  CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
   In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted
   SessionHeader sent by an origin server could cause a heap overflow.

CVE-2021-34798  CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
   Malformed requests may cause the server to dereference a NULL pointer.
   This issue affects Apache HTTP Server 2.4.48 and earlier.

CVE-2021-3564   CVSS 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
   A double-free memory corruption flaw in the Linux kernel HCI device
   initialization subsystem was found in the way a user attaches a malicious
   HCI TTY Bluetooth device. A local user could use this flaw to crash the
   system. This flaw affects all Linux kernel versions starting from 3.13.

CVE-2021-3573   CVSS 6.4 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
   A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel
   HCI subsystem was found in the way a user calls ioctl HCIUNBLOCKADDR or
   otherwise triggers a race condition between the call hci_unregister_dev()
   and one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(),
   hci_get_conn_info(), hci_get_auth_info(). A privileged local user could
   use this flaw to crash the system or escalate their privileges on the
   system. This flaw affects the Linux kernel versions prior to 5.13-rc5.

CVE-2021-3621   CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
   A flaw was found in SSSD, where the sssctl command was vulnerable to
   shell command injection via the logs-fetch and cache-expire subcommands.
   This flaw allows an attacker to trick the root user into running a
   specially crafted sssctl command, such as via sudo, to gain root access.
   The highest threat from this vulnerability is to confidentiality,
   integrity, as well as system availability.

CVE-2021-3752   CVSS 7.1 (CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
   A use-after-free flaw was found in the Linux kernel's Bluetooth subsystem
   in the way a user calls connect to the socket and disconnect
   simultaneously, due to a race condition. This flaw allows a user to crash
   the system or escalate their privileges. The highest threat from this
   vulnerability is to confidentiality, integrity, as well as system
   availability.

CVE-2021-39275  CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
   ap_escape_quotes() may write beyond the end of a buffer when given
   malicious input. No included modules pass untrusted data to these
   functions, but third-party / external modules may. This issue affects
   Apache HTTP Server 2.4.48 and earlier.

CVE-2021-4155   CVSS 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
   A data leak flaw was found in the way the XFS_IOC_ALLOCSP IOCTL in the
   XFS filesystem allowed for size increase of files with unaligned size. A
   local attacker could use this flaw to leak data on the XFS filesystem
   otherwise not accessible to them.

CVE-2021-44790  CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
   A carefully crafted request body can cause a buffer overflow in the
   mod_lua multipart parser (r:parsebody() called from Lua scripts). The
   Apache httpd team is not aware of an exploit for the vulnerability,
   though it might be possible to craft one. This issue affects Apache HTTP
   Server 2.4.51 and earlier.

CVE-2022-0330   CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
   A random memory access flaw was found in the Linux kernel's GPU i915
   kernel driver functionality in the way a user may run malicious code on
   the GPU. This flaw allows a local user to crash the system or escalate
   their privileges on the system.

CVE-2022-22942  CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
   The vmwgfx driver contains a local privilege escalation vulnerability
   that allows unprivileged users to gain access to files opened by other
   processes on the system through a dangling 'file' pointer.

Solution:

The following software releases have been updated to resolve this specific
issue: 9.1R5, and all subsequent releases.

This issue is being tracked as PR 1661929 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End
of Engineering (EOE) or End of Life (EOL).

Workaround:

Use access lists or firewalls to limit access to the device only from
trusted hosts.
Modification History:

2024-01-10: Initial Publication

Related Information:

o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
  Publication Process
o KB16765: In which releases are vulnerabilities fixed?
o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
  Advisories
o Report a Security Vulnerability - How to Contact the Juniper Networks
  Security Incident Response Team

Last Updated: 2024-01-10
Created:      2024-01-10

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZZ9ae8kNZI30y1K9AQjR1w/7BPZaqbVNo/pITZc3vkmZhE16gPK5ezkn
58TgqO2gsxIYMm3QRvNKbYLM6a8JcOeMXNleK0yjOJsxEfYTFOnYUcih/hj+4A7P
NSZPbZYN4ab9HaFMGpQTpkiH2QWBi8/lh3yuDdMGZDxKL83uLBotUnxpBPJoiOTh
LbKyC7fa1P6eVZWkWy8k1dRcwarML9ZEYr2GS6thU5wyBD4rvFUQ2NfYUpE1zztH
4xz/wLxKokhPg/YgerbfIyKFh6UvinqXj+6i3XsPNE90kwwYQAOO+9+AldPwA9No
cJlwiVkdrvPq3gQPufW5MRSR5lhKZ8NsqtkgeDMltC8dV5PYo4CKFoJHMj+h3vVV
mrK7apr29VPGw8diA7z7VZML1heiiQd1P3v3e5WBRt5E1T1/61HVx7E1P4sDaNfy
HSuhBYzNUGKBuvYDtJqVwSoQVz2EXBw3FwQCOLS/tGCJryJRVmDWorhbo3c2YaOA
JN/+uRrYGyLG9swMCp0QPiUM8Wimrfjbwpzi5c4ZAQAOOb/scbjfFx8WAcU4StkL
kEjyab9YSLutjWUtGxdBJ4jMIJL/4tjKFzriGKlrBVff5p3fEHXgXvkNYwtRxeFV
WMHOr+SZk7FhhyBk3+etjo4du4/pPJrwA1gxoSpcmXiNG5psAsc7XGh8hXrGRApH
iK9t12oGNZ0=
=aAeE
-----END PGP SIGNATURE-----