===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2604
   2021-08 Informational Security Bulletin: Junos Space Log Collector:
         Multiple vulnerabilities found in Log Collector 20.1R1
                               3 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos Space Log Collector
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-20305 CVE-2021-20265 CVE-2021-20233 CVE-2021-20225
                   CVE-2021-3156 CVE-2020-29661 CVE-2020-29573 CVE-2020-28374
                   CVE-2020-27779 CVE-2020-27749 CVE-2020-25705 CVE-2020-25647
                   CVE-2020-25643 CVE-2020-25632 CVE-2020-15862 CVE-2020-15436
                   CVE-2020-14385 CVE-2020-14372 CVE-2020-14331 CVE-2020-14305
                   CVE-2020-12825 CVE-2020-12723 CVE-2020-12351 CVE-2020-12321
                   CVE-2020-12243 CVE-2020-10878 CVE-2020-10543 CVE-2020-8698
                   CVE-2020-8625 CVE-2020-8622 CVE-2020-7595 CVE-2020-1472
                   CVE-2019-25013 CVE-2019-20907 CVE-2019-20636 CVE-2019-20388
                   CVE-2019-20095 CVE-2019-20054 CVE-2019-19956 CVE-2019-19807
                   CVE-2019-19537 CVE-2019-19530 CVE-2019-19524 CVE-2019-19523
                   CVE-2019-19447 CVE-2019-19332 CVE-2019-19126 CVE-2019-19063
                   CVE-2019-19062 CVE-2019-19059 CVE-2019-19058 CVE-2019-19055
                   CVE-2019-19046 CVE-2019-17498 CVE-2019-17006 CVE-2019-16994
                   CVE-2019-16233 CVE-2019-16231 CVE-2019-15917 CVE-2019-15807
                   CVE-2019-14866 CVE-2019-12614 CVE-2019-12450 CVE-2019-11756
                   CVE-2019-11068 CVE-2019-8696 CVE-2019-8675 CVE-2019-5482
                   CVE-2018-20843 CVE-2018-20836 CVE-2017-12652
Reference:         ASB-2021.0067
                   ASB-2020.0140
                   ESB-2021.2263
                   ESB-2021.2178
                   ESB-2021.1869
Original Bulletin: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11209

--------------------------BEGIN INCLUDED TEXT--------------------

2021-08 Informational Security Bulletin: Junos Space Log Collector: Multiple vulnerabilities found in Log Collector 20.1R1

Article ID:       JSA11209
Last Updated:     02 Aug 2021
Version:          2.0

Product Affected:
These issues affect Junos Space Log Collector 20.1, 20.2, 20.3.

Problem:
Multiple vulnerabilities have been resolved in the Junos Space Log Collector by updating third party software included with Junos Space or by fixing vulnerabilities found during external security research.

These issues affect Juniper Networks Junos Space Log Collector:

  o 20.1 version 20.1R1 and later versions prior to 20.3R1.

Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.

These issues were discovered during external security research.

Security issues resolved include:

CVE             CVSS score (vector)
                Summary
--------------- -----------------------------------------------------------

CVE-2017-12652  9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    libpng before 1.6.32 does not properly check the length of chunks against the user limit.

CVE-2018-20836  8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
    An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free.

CVE-2018-20843  7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).

CVE-2019-11068  9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.

CVE-2019-11756  6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71.

CVE-2019-12450  9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.

CVE-2019-12614  4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C)
    An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux kernel through 5.1.6. There is an unchecked kstrdup of prop->name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash).

CVE-2019-14866  6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
    All versions of cpio before 2.13 do not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system.

CVE-2019-15807  4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C)
    In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service.

CVE-2019-15917  6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
    An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c.

CVE-2019-16231  4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C)
    drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.

CVE-2019-16233  4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C)
    drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.

CVE-2019-16994  4.7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)
    In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka CID-07f12b26e21a.

CVE-2019-17006  9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow.

CVE-2019-19046  6.8 (AV:N/AC:L/Au:S/C:N/I:N/A:C)
    ** DISPUTED ** A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering ida_simple_get() failure, aka CID-4aa7afb0ee20. NOTE: third parties dispute the relevance of this because an attacker cannot realistically control this failure at probe time.

CVE-2019-19055  4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
    ** DISPUTED ** A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of this because it occurs on a code path where a successful allocation has already occurred.

CVE-2019-19058  4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C)
    A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures, aka CID-b4b814fec1a5.

CVE-2019-19059  4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C)
    Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering iwl_pcie_init_fw_sec() or dma_alloc_coherent() failures, aka CID-0f4f199443fa.

CVE-2019-19062  4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C)
    A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042.

CVE-2019-19063  4.6 (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113.

CVE-2019-19332  5.6 (AV:L/AC:L/Au:N/C:N/I:P/A:C)
    An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use this flaw to crash the system, resulting in a denial of service.

CVE-2019-19447  6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c.

CVE-2019-19523  4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
    In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79.

CVE-2019-19524  4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
    In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9.

CVE-2019-19530  4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
    In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef.

CVE-2019-19537  4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C)
    In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. This affects drivers/usb/core/file.c.

CVE-2019-19807  7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
    In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for a different purpose after refactoring.

CVE-2019-19956  7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.

CVE-2019-20054  4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
    In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e.

CVE-2019-20095  5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
    mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. This will cause a memory leak and denial of service.

CVE-2019-20388  7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.

CVE-2019-20636  7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
    In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7.

CVE-2019-20907  7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

CVE-2019-25013  5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
    The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.

CVE-2019-5482   7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
    Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.

CVE-2019-8675   8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
    A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. An attacker in a privileged network position may be able to execute arbitrary code.

CVE-2019-8696   8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
    A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. An attacker in a privileged network position may be able to execute arbitrary code.

CVE-2020-10543  8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
    Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2020-10878  8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
    Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-12243  7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash).

CVE-2020-12321  8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    Improper buffer restriction in some Intel(R) Wireless Bluetooth(R) products before version 21.110 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

CVE-2020-12351  8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

CVE-2020-12723  7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-12825  5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
    libcroco through 0.6.13 has excessive recursion in cr_parser_parse_any_core in cr-parser.c, leading to stack consumption.

CVE-2020-14305  8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
    An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

CVE-2020-14331  6.6 (CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
    A flaw was found in the Linux kernel's implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds write to occur. This flaw allows a local user with access to the VGA console to crash the system, potentially escalating their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVE-2020-14372  7.5 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
    A flaw was found in grub2 in versions prior to 2.06, where it incorrectly enables the usage of the ACPI command when Secure Boot is enabled. This flaw allows an attacker with privileged access to craft a Secondary System Description Table (SSDT) containing code to overwrite the Linux kernel lockdown variable content directly into memory. The table is further loaded and executed by the kernel, defeating its Secure Boot lockdown and allowing the attacker to load unsigned code. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.

CVE-2020-14385  5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
    A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. The highest threat from this vulnerability is to system availability.

CVE-2020-1472   10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
    An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'.

CVE-2020-15862  7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
    Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB provides the ability to run arbitrary commands as root.

CVE-2020-25632  8.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
    A flaw was found in grub2 in versions prior to 2.06. The rmmod implementation allows the unloading of a module used as a dependency without checking if any other dependent module is still loaded, leading to a use-after-free scenario. This could allow arbitrary code to be executed or a bypass of Secure Boot protections. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVE-2020-25643  7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
    A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause the system to crash or cause a denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVE-2020-25647  7.6 (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
    A flaw was found in grub2 in versions prior to 2.06. During USB device initialization, descriptors are read with very little bounds checking and assumes the USB device is providing sane values. If properly exploited, an attacker could trigger memory corruption leading to arbitrary code execution allowing a bypass of the Secure Boot mechanism. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVE-2020-25705  7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
    A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw allows an off-path remote attacker to effectively bypass source port UDP randomization. Software that relies on UDP source port randomization are indirectly affected as well on the Linux Based Products (RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4, SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE W1750D: v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 Family: All versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7 LTE EU: Version

CVE-2020-27749  6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
    A flaw was found in grub2 in versions prior to 2.06. Variable names present are expanded in the supplied command line into their corresponding variable contents, using a 1kB stack buffer for temporary storage, without sufficient bounds checking. If the function is called with a command line that references a variable with a sufficiently large payload, it is possible to overflow the stack buffer, corrupt the stack frame and control execution which could also circumvent Secure Boot protections. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVE-2020-27779  7.5 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
    A flaw was found in grub2 in versions prior to 2.06. The cutmem command does not honor secure boot locking, allowing a privileged attacker to remove address ranges from memory, creating an opportunity to circumvent SecureBoot protections after proper triage about grub's memory layout. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVE-2020-28374  8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
    In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore.

CVE-2020-29573  7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6) before 2.23 on x86 targets has a stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern, as seen when passing a \x00\x04\x00\x00\x00\x00\x00\x00\x00\x04 value to sprintf. NOTE: the issue does not affect glibc by default in 2016 or later (i.e., 2.23 or later) because of commits made in 2015 for inlining of C99 math functions through use of GCC built-ins. In other words, the reference to 2.23 is intentional despite the mention of "Fixed for glibc 2.33" in the 26649 reference.

CVE-2020-29661  7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
    A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.

CVE-2020-7595   7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

CVE-2020-8625   8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
    BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible. Affects: BIND 9.5.0 -> 9.11.27, 9.12.0 -> 9.16.11, and versions BIND 9.11.3-S1 -> 9.11.27-S1 and 9.16.8-S1 -> 9.16.11-S1 of BIND Supported Preview Edition. Also release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch.

CVE-2021-20225  6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
    A flaw was found in grub2 in versions prior to 2.06. The option parser allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVE-2021-20233  8.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
    A flaw was found in grub2 in versions prior to 2.06. Setparam_prefix() in the menu rendering code performs a length calculation on the assumption that expressing a quoted single quote will require 3 characters, while it actually requires 4 characters, which allows an attacker to corrupt memory by one byte for each quote in the input. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVE-2021-20265  5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
    A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. This flaw allows an unprivileged local user to crash the system by exhausting available memory. The highest threat from this vulnerability is to system availability.

CVE-2021-20305  8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
    A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalars, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

CVE-2021-3156   7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
    Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.

Security issues not resolved include:

CVE             CVSS score (vector)
                Summary
--------------- -----------------------------------------------------------

CVE-2019-17498  5.8 (AV:N/AC:M/Au:N/C:P/I:N/A:P)
    In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

CVE-2019-19126  3.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
    On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.

CVE-2020-8622   4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
    In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition. An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.

CVE-2020-8698   5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
    Improper isolation of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVE-2020-15436  6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
    Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.

Solution:
For the resolved CVEs, the following software releases have been updated to resolve these specific issues: 20.3R1, and all subsequent releases.

For the unresolved CVEs, Juniper Networks will not be resolving these issues. Customers should contact their account managers for guidance on migration to other platforms.

These issues are being tracked as 1597018.

Workaround:
There are no viable workarounds for these issues.

To reduce the risk of exploitation, utilize common security BCPs to limit the exploitable surface by limiting access to the network and device to trusted systems, administrators, networks and hosts. Further protections can be gained by limiting shell access to only trusted system administrators and employing jump boxes on networks that have no Internet access.

Modification History:
2021-08-02: Initial Publication.

CVSS Score:
6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Severity Level:
Medium

Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================