VARIoT IoT vulnerabilities database
| VAR-202012-1547 | CVE-2020-29660 | Linux Kernel Vulnerability in using free memory in |
CVSS V2: 2.1 CVSS V3: 4.4 Severity: MEDIUM |
A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24. Vendors must CID-c8bcd9c5be24 It is published as.Information may be obtained.
CVE-2020-27825
Adam 'pi3' Zabrocki reported a use-after-free flaw in the ftrace
ring buffer resizing logic due to a race condition, which could
result in denial of service or information leak.
CVE-2020-27830
Shisong Qin reported a NULL pointer dereference flaw in the Speakup
screen reader core driver.
CVE-2020-28374
David Disseldorp discovered that the LIO SCSI target implementation
performed insufficient checking in certain XCOPY requests. An
attacker with access to a LUN and knowledge of Unit Serial Number
assignments can take advantage of this flaw to read and write to any
LIO backstore, regardless of the SCSI transport settings.
CVE-2020-29568 (XSA-349)
Michael Kurth and Pawel Wieczorkiewicz reported that frontends can
trigger OOM in backends by updating a watched path. A
misbehaving guest can trigger a dom0 crash by continuously
connecting / disconnecting a block frontend.
CVE-2020-36158
A buffer overflow flaw was discovered in the mwifiex WiFi driver
which could result in denial of service or the execution of
arbitrary code via a long SSID value. A privileged user (with root or CAP_NET_ADMIN) can
take advantage of this flaw to cause a kernel panic when inserting
iptables rules.
For the stable distribution (buster), these problems have been fixed in
version 4.19.171-2.
For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmAXj9pfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Tf5Q//RdQojeX7VtJ61PsVXRszZh9DJ3PUo64NheFU+QWUYO7F6NUD3fMxiS9K
I8Sgfsm28x7RBambjW6TZYseJhQd9aSvaANnPdUj/eZ9P3xBhXFM8wzISosUWgfO
2IIV40oOVj943+BzfIQiq1mgQtwLjh3pNTZAEpjnzD96Tc9tXGyW9/3iGkUHIQjv
gUTSvoLIUAI4XfNNUjnok+6kPDyEEIdiwJaGDG+UPZ6HNL/hrG3A4klQc+X7KK5K
NCOzl4Wl5pZN7u2Ietn3sFMsNJkMrsfLlVyj8J9PgNwbFQh/+RuvzFcONlQ8iaD9
kx42gkLwjl+hM2UeCpvQndzwqXKPKc6CjFemDj7KWzVA+KkVBRTXCGb9K9CasZOZ
0e/cu+5rjYGubIE3e/jo3Gmhp/fm9fXHESbruxuP+gjdbKcyrGrokNucjRvp6FPP
rCX+e7OjsZwWGBIcAw+gDAZkDO7PFEoRtlByF2LmxxNvTufZQZHX8NwVyABCdpZi
VQLLeQNXN1pJ4d1NPWgTlKfEmH0sGVQRHCliTkBZmIjvo+y1JClUDBAlWOS4YYQL
4Z4oe1qtOX9z+NkqDqcbgfWw69Q2PipNN3TR5YcBXvOtVhvL+/WFGiooJDqxkdCD
j3wO/r/1gut/bK/OJnjmOB9J5OXP+cHxYtrhPqXFy2Hzkgj1CRU=
=u23W
-----END PGP SIGNATURE-----
. 8) - x86_64
3. Description:
The kernel-rt packages provide the Real Time Linux Kernel, which enables
fine-tuning for systems with extremely high determinism requirements.
Security Fix(es):
* kernel: out-of-bounds reads in pinctrl subsystem. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: kernel security, bug fix, and enhancement update
Advisory ID: RHSA-2021:4356-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:4356
Issue date: 2021-11-09
CVE Names: CVE-2020-0427 CVE-2020-24502 CVE-2020-24503
CVE-2020-24504 CVE-2020-24586 CVE-2020-24587
CVE-2020-24588 CVE-2020-26139 CVE-2020-26140
CVE-2020-26141 CVE-2020-26143 CVE-2020-26144
CVE-2020-26145 CVE-2020-26146 CVE-2020-26147
CVE-2020-27777 CVE-2020-29368 CVE-2020-29660
CVE-2020-36158 CVE-2020-36386 CVE-2021-0129
CVE-2021-3348 CVE-2021-3489 CVE-2021-3564
CVE-2021-3573 CVE-2021-3600 CVE-2021-3635
CVE-2021-3659 CVE-2021-3679 CVE-2021-3732
CVE-2021-20194 CVE-2021-20239 CVE-2021-23133
CVE-2021-28950 CVE-2021-28971 CVE-2021-29155
CVE-2021-29646 CVE-2021-29650 CVE-2021-31440
CVE-2021-31829 CVE-2021-31916 CVE-2021-33200
====================================================================
1. Summary:
An update for kernel is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Enterprise Linux CRB (v. 8) - aarch64, ppc64le, x86_64
3. Description:
The kernel packages contain the Linux kernel, the core of any Linux
operating system.
Security Fix(es):
* kernel: out-of-bounds reads in pinctrl subsystem (CVE-2020-0427)
* kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter
drivers (CVE-2020-24502)
* kernel: Insufficient access control in some Intel(R) Ethernet E810
Adapter drivers (CVE-2020-24503)
* kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810
Adapter drivers (CVE-2020-24504)
* kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)
* kernel: Reassembling fragments encrypted under different keys
(CVE-2020-24587)
* kernel: wifi frame payload being parsed incorrectly as an L2 frame
(CVE-2020-24588)
* kernel: Forwarding EAPOL from unauthenticated wifi client
(CVE-2020-26139)
* kernel: accepting plaintext data frames in protected networks
(CVE-2020-26140)
* kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)
* kernel: accepting fragmented plaintext frames in protected networks
(CVE-2020-26143)
* kernel: accepting unencrypted A-MSDU frames that start with RFC1042
header (CVE-2020-26144)
* kernel: accepting plaintext broadcast fragments as full frames
(CVE-2020-26145)
* kernel: powerpc: RTAS calls can be used to compromise kernel integrity
(CVE-2020-27777)
* kernel: locking inconsistency in tty_io.c and tty_jobctrl.c can lead to a
read-after-free (CVE-2020-29660)
* kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function via a
long SSID value (CVE-2020-36158)
* kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt()
(CVE-2020-36386)
* kernel: Improper access control in BlueZ may allow information disclosure
vulnerability. (CVE-2021-0129)
* kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c
(CVE-2021-3348)
* kernel: Linux kernel eBPF RINGBUF map oversized allocation
(CVE-2021-3489)
* kernel: double free in bluetooth subsystem when the HCI device
initialization fails (CVE-2021-3564)
* kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)
* kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)
* kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)
* kernel: Mounting overlayfs inside an unprivileged user namespace can
reveal files (CVE-2021-3732)
* kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt()
(CVE-2021-20194)
* kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)
* kernel: fuse: stall on CPU can occur because a retry loop continually
finds the same bad inode (CVE-2021-28950)
* kernel: System crash in intel_pmu_drain_pebs_nhm in
arch/x86/events/intel/ds.c (CVE-2021-28971)
* kernel: protection can be bypassed to leak content of kernel memory
(CVE-2021-29155)
* kernel: improper input validation in tipc_nl_retrieve_key function in
net/tipc/node.c (CVE-2021-29646)
* kernel: lack a full memory barrier may lead to DoS (CVE-2021-29650)
* kernel: local escalation of privileges in handling of eBPF programs
(CVE-2021-31440)
* kernel: protection of stack pointer against speculative pointer
arithmetic can be bypassed to leak content of kernel memory
(CVE-2021-31829)
* kernel: out-of-bounds reads and writes due to enforcing incorrect limits
for pointer arithmetic operations by BPF verifier (CVE-2021-33200)
* kernel: reassembling encrypted fragments with non-consecutive packet
numbers (CVE-2020-26146)
* kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)
* kernel: the copy-on-write implementation can grant unintended write
access because of a race condition in a THP mapcount check (CVE-2020-29368)
* kernel: flowtable list del corruption with kernel BUG at
lib/list_debug.c:50 (CVE-2021-3635)
* kernel: NULL pointer dereference in llsec_key_alloc() in
net/mac802154/llsec.c (CVE-2021-3659)
* kernel: setsockopt System Call Untrusted Pointer Dereference Information
Disclosure (CVE-2021-20239)
* kernel: out of bounds array access in drivers/md/dm-ioctl.c
(CVE-2021-31916)
4. Solution:
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.5 Release Notes linked from the References section.
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
The system must be rebooted for this update to take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1509204 - dlm: Add ability to set SO_MARK on DLM sockets
1793880 - Unreliable RTC synchronization (11-minute mode)
1816493 - [RHEL 8.3] Discard request from mkfs.xfs takes too much time on raid10
1900844 - CVE-2020-27777 kernel: powerpc: RTAS calls can be used to compromise kernel integrity
1903244 - CVE-2020-29368 kernel: the copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check
1906522 - CVE-2020-29660 kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-after-free
1912683 - CVE-2021-20194 kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt()
1913348 - CVE-2020-36158 kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value
1915825 - Allow falling back to genfscon labeling when the FS doesn't support xattrs and there is a fs_use_xattr rule for it
1919893 - CVE-2020-0427 kernel: out-of-bounds reads in pinctrl subsystem.
1921958 - CVE-2021-3348 kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c
1923636 - CVE-2021-20239 kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure
1930376 - CVE-2020-24504 kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers
1930379 - CVE-2020-24502 kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers
1930381 - CVE-2020-24503 kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers
1933527 - Files on cifs mount can get mixed contents when underlying file is removed but inode number is reused, when mounted with 'serverino' and 'cache=strict '
1939341 - CNB: net: add inline function skb_csum_is_sctp
1941762 - CVE-2021-28950 kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode
1941784 - CVE-2021-28971 kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c
1945345 - CVE-2021-29646 kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c
1945388 - CVE-2021-29650 kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h may lead to DoS
1946965 - CVE-2021-31916 kernel: out of bounds array access in drivers/md/dm-ioctl.c
1948772 - CVE-2021-23133 kernel: Race condition in sctp_destroy_sock list_del
1951595 - CVE-2021-29155 kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds loads can be bypassed to leak content of kernel memory
1953847 - [ethtool] The `NLM_F_MULTI` should be used for `NLM_F_DUMP`
1954588 - RHEL kernel 8.2 and higher are affected by data corruption bug in raid1 arrays using bitmaps.
1957788 - CVE-2021-31829 kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content of kernel memory
1959559 - CVE-2021-3489 kernel: Linux kernel eBPF RINGBUF map oversized allocation
1959642 - CVE-2020-24586 kernel: Fragmentation cache not cleared on reconnection
1959654 - CVE-2020-24587 kernel: Reassembling fragments encrypted under different keys
1959657 - CVE-2020-24588 kernel: wifi frame payload being parsed incorrectly as an L2 frame
1959663 - CVE-2020-26139 kernel: Forwarding EAPOL from unauthenticated wifi client
1960490 - CVE-2020-26140 kernel: accepting plaintext data frames in protected networks
1960492 - CVE-2020-26141 kernel: not verifying TKIP MIC of fragmented frames
1960496 - CVE-2020-26143 kernel: accepting fragmented plaintext frames in protected networks
1960498 - CVE-2020-26144 kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header
1960500 - CVE-2020-26145 kernel: accepting plaintext broadcast fragments as full frames
1960502 - CVE-2020-26146 kernel: reassembling encrypted fragments with non-consecutive packet numbers
1960504 - CVE-2020-26147 kernel: reassembling mixed encrypted/plaintext fragments
1960708 - please add CAP_CHECKPOINT_RESTORE to capability.h
1964028 - CVE-2021-31440 kernel: local escalation of privileges in handling of eBPF programs
1964139 - CVE-2021-3564 kernel: double free in bluetooth subsystem when the HCI device initialization fails
1965038 - CVE-2021-0129 kernel: Improper access control in BlueZ may allow information disclosure vulnerability.
1965360 - kernel: get_timespec64 does not ignore padding in compat syscalls
1965458 - CVE-2021-33200 kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations by BPF verifier
1966578 - CVE-2021-3573 kernel: use-after-free in function hci_sock_bound_ioctl()
1969489 - CVE-2020-36386 kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c
1971101 - ceph: potential data corruption in cephfs write_begin codepath
1972278 - libceph: allow addrvecs with a single NONE/blank address
1974627 - [TIPC] kernel BUG at lib/list_debug.c:31!
1975182 - CVE-2021-33909 kernel: size_t-to-int conversion vulnerability in the filesystem layer [rhel-8.5.0]
1975949 - CVE-2021-3659 kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c
1976679 - blk-mq: fix/improve io scheduler batching dispatch
1976699 - [SCTP]WARNING: CPU: 29 PID: 3165 at mm/page_alloc.c:4579 __alloc_pages_slowpath+0xb74/0xd00
1976946 - CVE-2021-3635 kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50
1976969 - XFS: followup to XFS sync to upstream v5.10 (re BZ1937116)
1977162 - [XDP] test program warning: libbpf: elf: skipping unrecognized data section(16) .eh_frame
1977422 - Missing backport of IMA boot aggregate calculation in rhel 8.4 kernel
1977537 - RHEL8.5: Update the kernel workqueue code to v5.12 level
1977850 - geneve virtual devices lack the NETIF_F_FRAGLIST feature
1978369 - dm writecache: sync with upstream 5.14
1979070 - Inaccessible NFS server overloads clients (native_queued_spin_lock_slowpath connotation?)
1979680 - Backport openvswitch tracepoints
1981954 - CVE-2021-3600 kernel: eBPF 32-bit source register truncation on div/mod
1986138 - Lockd invalid cast to nlm_lockowner
1989165 - CVE-2021-3679 kernel: DoS in rb_per_cpu_empty()
1989999 - ceph omnibus backport for RHEL-8.5.0
1991976 - block: fix New warning in nvme_setup_discard
1992700 - blk-mq: fix kernel panic when iterating over flush request
1995249 - CVE-2021-3732 kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files
1996854 - dm crypt: Avoid percpu_counter spinlock contention in crypt_page_alloc()
6. Package List:
Red Hat Enterprise Linux BaseOS (v. 8):
Source:
kernel-4.18.0-348.el8.src.rpm
aarch64:
bpftool-4.18.0-348.el8.aarch64.rpm
bpftool-debuginfo-4.18.0-348.el8.aarch64.rpm
kernel-4.18.0-348.el8.aarch64.rpm
kernel-core-4.18.0-348.el8.aarch64.rpm
kernel-cross-headers-4.18.0-348.el8.aarch64.rpm
kernel-debug-4.18.0-348.el8.aarch64.rpm
kernel-debug-core-4.18.0-348.el8.aarch64.rpm
kernel-debug-debuginfo-4.18.0-348.el8.aarch64.rpm
kernel-debug-devel-4.18.0-348.el8.aarch64.rpm
kernel-debug-modules-4.18.0-348.el8.aarch64.rpm
kernel-debug-modules-extra-4.18.0-348.el8.aarch64.rpm
kernel-debuginfo-4.18.0-348.el8.aarch64.rpm
kernel-debuginfo-common-aarch64-4.18.0-348.el8.aarch64.rpm
kernel-devel-4.18.0-348.el8.aarch64.rpm
kernel-headers-4.18.0-348.el8.aarch64.rpm
kernel-modules-4.18.0-348.el8.aarch64.rpm
kernel-modules-extra-4.18.0-348.el8.aarch64.rpm
kernel-tools-4.18.0-348.el8.aarch64.rpm
kernel-tools-debuginfo-4.18.0-348.el8.aarch64.rpm
kernel-tools-libs-4.18.0-348.el8.aarch64.rpm
perf-4.18.0-348.el8.aarch64.rpm
perf-debuginfo-4.18.0-348.el8.aarch64.rpm
python3-perf-4.18.0-348.el8.aarch64.rpm
python3-perf-debuginfo-4.18.0-348.el8.aarch64.rpm
noarch:
kernel-abi-stablelists-4.18.0-348.el8.noarch.rpm
kernel-doc-4.18.0-348.el8.noarch.rpm
ppc64le:
bpftool-4.18.0-348.el8.ppc64le.rpm
bpftool-debuginfo-4.18.0-348.el8.ppc64le.rpm
kernel-4.18.0-348.el8.ppc64le.rpm
kernel-core-4.18.0-348.el8.ppc64le.rpm
kernel-cross-headers-4.18.0-348.el8.ppc64le.rpm
kernel-debug-4.18.0-348.el8.ppc64le.rpm
kernel-debug-core-4.18.0-348.el8.ppc64le.rpm
kernel-debug-debuginfo-4.18.0-348.el8.ppc64le.rpm
kernel-debug-devel-4.18.0-348.el8.ppc64le.rpm
kernel-debug-modules-4.18.0-348.el8.ppc64le.rpm
kernel-debug-modules-extra-4.18.0-348.el8.ppc64le.rpm
kernel-debuginfo-4.18.0-348.el8.ppc64le.rpm
kernel-debuginfo-common-ppc64le-4.18.0-348.el8.ppc64le.rpm
kernel-devel-4.18.0-348.el8.ppc64le.rpm
kernel-headers-4.18.0-348.el8.ppc64le.rpm
kernel-modules-4.18.0-348.el8.ppc64le.rpm
kernel-modules-extra-4.18.0-348.el8.ppc64le.rpm
kernel-tools-4.18.0-348.el8.ppc64le.rpm
kernel-tools-debuginfo-4.18.0-348.el8.ppc64le.rpm
kernel-tools-libs-4.18.0-348.el8.ppc64le.rpm
perf-4.18.0-348.el8.ppc64le.rpm
perf-debuginfo-4.18.0-348.el8.ppc64le.rpm
python3-perf-4.18.0-348.el8.ppc64le.rpm
python3-perf-debuginfo-4.18.0-348.el8.ppc64le.rpm
s390x:
bpftool-4.18.0-348.el8.s390x.rpm
bpftool-debuginfo-4.18.0-348.el8.s390x.rpm
kernel-4.18.0-348.el8.s390x.rpm
kernel-core-4.18.0-348.el8.s390x.rpm
kernel-cross-headers-4.18.0-348.el8.s390x.rpm
kernel-debug-4.18.0-348.el8.s390x.rpm
kernel-debug-core-4.18.0-348.el8.s390x.rpm
kernel-debug-debuginfo-4.18.0-348.el8.s390x.rpm
kernel-debug-devel-4.18.0-348.el8.s390x.rpm
kernel-debug-modules-4.18.0-348.el8.s390x.rpm
kernel-debug-modules-extra-4.18.0-348.el8.s390x.rpm
kernel-debuginfo-4.18.0-348.el8.s390x.rpm
kernel-debuginfo-common-s390x-4.18.0-348.el8.s390x.rpm
kernel-devel-4.18.0-348.el8.s390x.rpm
kernel-headers-4.18.0-348.el8.s390x.rpm
kernel-modules-4.18.0-348.el8.s390x.rpm
kernel-modules-extra-4.18.0-348.el8.s390x.rpm
kernel-tools-4.18.0-348.el8.s390x.rpm
kernel-tools-debuginfo-4.18.0-348.el8.s390x.rpm
kernel-zfcpdump-4.18.0-348.el8.s390x.rpm
kernel-zfcpdump-core-4.18.0-348.el8.s390x.rpm
kernel-zfcpdump-debuginfo-4.18.0-348.el8.s390x.rpm
kernel-zfcpdump-devel-4.18.0-348.el8.s390x.rpm
kernel-zfcpdump-modules-4.18.0-348.el8.s390x.rpm
kernel-zfcpdump-modules-extra-4.18.0-348.el8.s390x.rpm
perf-4.18.0-348.el8.s390x.rpm
perf-debuginfo-4.18.0-348.el8.s390x.rpm
python3-perf-4.18.0-348.el8.s390x.rpm
python3-perf-debuginfo-4.18.0-348.el8.s390x.rpm
x86_64:
bpftool-4.18.0-348.el8.x86_64.rpm
bpftool-debuginfo-4.18.0-348.el8.x86_64.rpm
kernel-4.18.0-348.el8.x86_64.rpm
kernel-core-4.18.0-348.el8.x86_64.rpm
kernel-cross-headers-4.18.0-348.el8.x86_64.rpm
kernel-debug-4.18.0-348.el8.x86_64.rpm
kernel-debug-core-4.18.0-348.el8.x86_64.rpm
kernel-debug-debuginfo-4.18.0-348.el8.x86_64.rpm
kernel-debug-devel-4.18.0-348.el8.x86_64.rpm
kernel-debug-modules-4.18.0-348.el8.x86_64.rpm
kernel-debug-modules-extra-4.18.0-348.el8.x86_64.rpm
kernel-debuginfo-4.18.0-348.el8.x86_64.rpm
kernel-debuginfo-common-x86_64-4.18.0-348.el8.x86_64.rpm
kernel-devel-4.18.0-348.el8.x86_64.rpm
kernel-headers-4.18.0-348.el8.x86_64.rpm
kernel-modules-4.18.0-348.el8.x86_64.rpm
kernel-modules-extra-4.18.0-348.el8.x86_64.rpm
kernel-tools-4.18.0-348.el8.x86_64.rpm
kernel-tools-debuginfo-4.18.0-348.el8.x86_64.rpm
kernel-tools-libs-4.18.0-348.el8.x86_64.rpm
perf-4.18.0-348.el8.x86_64.rpm
perf-debuginfo-4.18.0-348.el8.x86_64.rpm
python3-perf-4.18.0-348.el8.x86_64.rpm
python3-perf-debuginfo-4.18.0-348.el8.x86_64.rpm
Red Hat Enterprise Linux CRB (v. 8):
aarch64:
bpftool-debuginfo-4.18.0-348.el8.aarch64.rpm
kernel-debug-debuginfo-4.18.0-348.el8.aarch64.rpm
kernel-debuginfo-4.18.0-348.el8.aarch64.rpm
kernel-debuginfo-common-aarch64-4.18.0-348.el8.aarch64.rpm
kernel-tools-debuginfo-4.18.0-348.el8.aarch64.rpm
kernel-tools-libs-devel-4.18.0-348.el8.aarch64.rpm
perf-debuginfo-4.18.0-348.el8.aarch64.rpm
python3-perf-debuginfo-4.18.0-348.el8.aarch64.rpm
ppc64le:
bpftool-debuginfo-4.18.0-348.el8.ppc64le.rpm
kernel-debug-debuginfo-4.18.0-348.el8.ppc64le.rpm
kernel-debuginfo-4.18.0-348.el8.ppc64le.rpm
kernel-debuginfo-common-ppc64le-4.18.0-348.el8.ppc64le.rpm
kernel-tools-debuginfo-4.18.0-348.el8.ppc64le.rpm
kernel-tools-libs-devel-4.18.0-348.el8.ppc64le.rpm
perf-debuginfo-4.18.0-348.el8.ppc64le.rpm
python3-perf-debuginfo-4.18.0-348.el8.ppc64le.rpm
x86_64:
bpftool-debuginfo-4.18.0-348.el8.x86_64.rpm
kernel-debug-debuginfo-4.18.0-348.el8.x86_64.rpm
kernel-debuginfo-4.18.0-348.el8.x86_64.rpm
kernel-debuginfo-common-x86_64-4.18.0-348.el8.x86_64.rpm
kernel-tools-debuginfo-4.18.0-348.el8.x86_64.rpm
kernel-tools-libs-devel-4.18.0-348.el8.x86_64.rpm
perf-debuginfo-4.18.0-348.el8.x86_64.rpm
python3-perf-debuginfo-4.18.0-348.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYYrdRdzjgjWX9erEAQhs0w//as9X4T+FCf3TAbcNIStxlOK6fbJoAlST
FrgNJnRH3RmT+VxRSLWZcsJQf78kudeJWtMezbGSVREfhCMBCGhKZ7mvVp5P7J8l
bobmdaap3hqkPqq66VuKxGuS+6j0rXXgGQH034yzoX+L/lx6KV9qdAnZZO+7kWcy
SfX0GkLg0ARDMfsoUKwVmeUeNLhPlJ4ZH2rBdZ4FhjyEAG/5yL9JwU/VNReWHjhW
HgarTuSnFR3vLQDKyjMIEEiBPOI162hS2j3Ba/A/1hJ70HOjloJnd0eWYGxSuIfC
DRrzlacFNAzBPZsbRFi1plXrHh5LtNoBBWjl+xyb6jRsB8eXgS+WhzUhOXGUv01E
lJTwFy5Kz71d+cAhRXgmz5gVgWuoNJw8AEImefWcy4n0EEK55vdFe0Sl7BfZiwpD
Jhx97He6OurNnLrYyJJ0+TsU1L33794Ag2AJZnN1PLFUyrKKNlD1ZWtdsJg99klK
dQteUTnnUhgDG5Tqulf0wX19BEkLd/O6CRyGueJcV4h4PFpSoWOh5Yy/BlokFzc8
zf14PjuVueIodaIUXtK+70Zmw7tg09Dx5Asyfuk5hWFPYv856nHlDn7PT724CU8v
1cp96h1IjLR6cF17NO2JCcbU0XZEW+aCkGkPcsY8DhBmaZqxUxXObvTD80Mm7EvN
+PuV5cms0sE=2UUA
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
. ==========================================================================
Ubuntu Security Notice USN-4752-1
February 25, 2021
linux-oem-5.6 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-oem-5.6: Linux kernel for OEM systems
Details:
Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen discovered
that legacy pairing and secure-connections pairing authentication in the
Bluetooth protocol could allow an unauthenticated user to complete
authentication without pairing credentials via adjacent access. A
physically proximate attacker could use this to impersonate a previously
paired Bluetooth device. (CVE-2020-10135)
Jay Shin discovered that the ext4 file system implementation in the Linux
kernel did not properly handle directory access with broken indexing,
leading to an out-of-bounds read vulnerability. A local attacker could use
this to cause a denial of service (system crash). (CVE-2020-14314)
It was discovered that the block layer implementation in the Linux kernel
did not properly perform reference counting in some situations, leading to
a use-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash). (CVE-2020-15436)
It was discovered that the serial port driver in the Linux kernel did not
properly initialize a pointer in some situations. A local attacker could
possibly use this to cause a denial of service (system crash).
(CVE-2020-15437)
Andy Nguyen discovered that the Bluetooth HCI event packet parser in the
Linux kernel did not properly handle event advertisements of certain sizes,
leading to a heap-based buffer overflow. A physically proximate remote
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2020-24490)
It was discovered that the NFS client implementation in the Linux kernel
did not properly perform bounds checking before copying security labels in
some situations. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2020-25212)
It was discovered that the Rados block device (rbd) driver in the Linux
kernel did not properly perform privilege checks for access to rbd devices
in some situations. A local attacker could use this to map or unmap rbd
block devices. A local attacker could use this
to cause a denial of service. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. A privileged attacker
could use this to cause a denial of service (kernel memory exhaustion). A local attacker in a
guest VM could possibly use this to cause a denial of service (host system
crash). A local attacker
could use this to possibly cause a denial of service (system crash). A local attacker
could use this to expose sensitive information (kernel memory).
(CVE-2020-28588)
It was discovered that the framebuffer implementation in the Linux kernel
did not properly perform range checks in certain situations. A local
attacker could use this to expose sensitive information (kernel memory). A local attacker could use
this to gain unintended write access to read-only memory pages.
(CVE-2020-29368)
Jann Horn discovered that the mmap implementation in the Linux kernel
contained a race condition when handling munmap() operations, leading to a
read-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash) or possibly expose sensitive information.
(CVE-2020-29369)
Jann Horn discovered that the romfs file system in the Linux kernel did not
properly validate file system meta-data, leading to an out-of-bounds read.
An attacker could use this to construct a malicious romfs image that, when
mounted, exposed sensitive information (kernel memory). A local attacker could use this to cause a denial of service
(system crash) or possibly expose sensitive information (kernel memory). A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2020-29661)
It was discovered that a race condition existed that caused the Linux
kernel to not properly restrict exit signal delivery. A local attacker
could possibly use this to send signals to arbitrary processes.
(CVE-2020-35508)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
linux-image-5.6.0-1048-oem 5.6.0-1048.52
linux-image-oem-20.04 5.6.0.1048.44
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://usn.ubuntu.com/4752-1
CVE-2020-10135, CVE-2020-14314, CVE-2020-15436, CVE-2020-15437,
CVE-2020-24490, CVE-2020-25212, CVE-2020-25284, CVE-2020-25641,
CVE-2020-25643, CVE-2020-25704, CVE-2020-27152, CVE-2020-27815,
CVE-2020-28588, CVE-2020-28915, CVE-2020-29368, CVE-2020-29369,
CVE-2020-29371, CVE-2020-29660, CVE-2020-29661, CVE-2020-35508
Package Information:
https://launchpad.net/ubuntu/+source/linux-oem-5.6/5.6.0-1048.52
. If you are running a kernel version earlier than the one listed
below, please upgrade your kernel as soon as possible
| VAR-202104-0870 | CVE-2020-9956 | plural Apple Product out-of-bounds read vulnerability |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.0.1, tvOS 14.0, macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, watchOS 7.0, iOS 14.0 and iPadOS 14.0. Processing a maliciously crafted font file may lead to arbitrary code execution. plural Apple The product contains an out-of-bounds read vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the RenderGlyph function in libFontParser. Crafted data in a TTF font can trigger a read past the end of an allocated data structure. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process
| VAR-202104-0869 | CVE-2020-9955 | plural Apple Out-of-bounds write vulnerabilities in the product |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in watchOS 7.0, tvOS 14.0, iOS 14.0 and iPadOS 14.0, macOS Big Sur 11.0.1. Processing a maliciously crafted image may lead to arbitrary code execution. plural Apple The product contains a vulnerability related to out-of-bounds writes.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the DecodeRow function. Crafted data in a KTX image can trigger a read past the end of an allocated data structure. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process
| VAR-202104-0163 | CVE-2020-27907 | macOS Out-of-bounds write vulnerability in |
CVSS V2: 9.3 CVSS V3: 7.8 Severity: HIGH |
A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, macOS Big Sur 11.0.1. An application may be able to execute arbitrary code with kernel privileges. macOS Exists in an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability allows local attackers to escalate privileges on affected installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within the AppleIntelKBLGraphics kext. The issue results from the lack of proper locking when performing operations on an object. Apple macOS is a set of dedicated operating systems developed by Apple Corporation for Mac computers. Apple macOS has a security vulnerability. Information
about the security content is also available at
https://support.apple.com/HT212011.
AMD
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: A malicious application may be able to execute arbitrary code
with system privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2020-27914: Yu Wang of Didi Research America
CVE-2020-27915: Yu Wang of Didi Research America
App Store
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: An application may be able to gain elevated privileges
Description: This issue was addressed by removing the vulnerable
code.
CVE-2020-27941: shrek_wzw
AppleMobileFileIntegrity
Available for: macOS Big Sur 11.0.1
Impact: A malicious application may be able to bypass Privacy
preferences
Description: This issue was addressed with improved checks.
CVE-2020-29621: Wojciech Reguła (@_r3ggi) of SecuRing
Audio
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-27910: JunDong Xie and XingWei Lin of Ant Security Light-
Year Lab
Audio
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: A malicious application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9943: JunDong Xie of Ant Security Light-Year Lab
Audio
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9944: JunDong Xie of Ant Security Light-Year Lab
Audio
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: An out-of-bounds write was addressed with improved input
validation.
CVE-2020-27916: JunDong Xie of Ant Security Light-Year Lab
Bluetooth
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: A remote attacker may be able to cause unexpected application
termination or heap corruption
Description: Multiple integer overflows were addressed with improved
input validation.
CVE-2020-27906: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong
Security Lab
CoreAudio
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7, macOS
Big Sur 11.0.1
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-27948: JunDong Xie of Ant Security Light-Year Lab
CoreAudio
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-9960: JunDong Xie and XingWei Lin of Ant Security Light-Year
Lab
CVE-2020-27908: JunDong Xie and XingWei Lin of Ant Security Light-
Year Lab
CoreAudio
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: An out-of-bounds write was addressed with improved input
validation.
CVE-2020-10017: Francis working with Trend Micro Zero Day Initiative,
JunDong Xie of Ant Security Light-Year Lab
CoreText
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: A logic issue was addressed with improved state
management.
CVE-2020-27922: Mickey Jin of Trend Micro
FontParser
Available for: macOS Big Sur 11.0.1
Impact: Processing a maliciously crafted font may result in the
disclosure of process memory
Description: An information disclosure issue was addressed with
improved state management.
CVE-2020-27946: Mateusz Jurczyk of Google Project Zero
FontParser
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: A buffer overflow was addressed with improved size
validation.
CVE-2020-9962: Yiğit Can YILMAZ (@yilmazcanyigit)
FontParser
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: An out-of-bounds write was addressed with improved input
validation.
CVE-2020-27952: an anonymous researcher, Mickey Jin and Junzhi Lu of
Trend Micro
FontParser
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-9956: Mickey Jin and Junzhi Lu of Trend Micro Mobile
Security Research Team working with Trend Micro’s Zero Day Initiative
FontParser
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7, macOS
Big Sur 11.0.1
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files.
CVE-2020-27931: Apple
CVE-2020-27943: Mateusz Jurczyk of Google Project Zero
CVE-2020-27944: Mateusz Jurczyk of Google Project Zero
Foundation
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: A local user may be able to read arbitrary files
Description: A logic issue was addressed with improved state
management.
CVE-2020-10002: James Hutchins
Graphics Drivers
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7, macOS
Big Sur 11.0.1
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2020-27947: ABC Research s.r.o. working with Trend Micro Zero Day
Initiative
Graphics Drivers
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7, macOS
Big Sur 11.0.1
Impact: A malicious application may be able to execute arbitrary code
with system privileges
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-29612: ABC Research s.r.o. working with Trend Micro Zero Day
Initiative
HomeKit
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: An attacker in a privileged network position may be able to
unexpectedly alter application state
Description: This issue was addressed with improved setting
propagation.
CVE-2020-9978: Luyi Xing, Dongfang Zhao, and Xiaofeng Wang of Indiana
University Bloomington, Yan Jia of Xidian University and University
of Chinese Academy of Sciences, and Bin Yuan of HuaZhong University
of Science and Technology
Image Processing
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds write was addressed with improved input
validation.
CVE-2020-27919: Hou JingYi (@hjy79425575) of Qihoo 360 CERT, Xingwei
Lin of Ant Security Light-Year Lab
ImageIO
Available for: macOS Big Sur 11.0.1
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2020-29616: zhouat working with Trend Micro Zero Day Initiative
ImageIO
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7, macOS
Big Sur 11.0.1
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-27924: Lei Sun
CVE-2020-29618: XingWei Lin of Ant Security Light-Year Lab
ImageIO
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7, macOS
Big Sur 11.0.1
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-29611: Ivan Fratric of Google Project Zero
ImageIO
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7, macOS
Big Sur 11.0.1
Impact: Processing a maliciously crafted image may lead to heap
corruption
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-29617: XingWei Lin of Ant Security Light-Year Lab
CVE-2020-29619: XingWei Lin of Ant Security Light-Year Lab
ImageIO
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds write was addressed with improved input
validation.
CVE-2020-27912: Xingwei Lin of Ant Security Light-Year Lab
CVE-2020-27923: Lei Sun
Intel Graphics Driver
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-10015: ABC Research s.r.o. working with Trend Micro Zero Day
Initiative
CVE-2020-27897: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc.
and Luyi Xing of Indiana University Bloomington
Intel Graphics Driver
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2020-27907: ABC Research s.r.o. working with Trend Micro Zero Day
Initiative
Kernel
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: A malicious application may be able to determine kernel
memory layout
Description: A logic issue was addressed with improved state
management.
CVE-2020-10016: Alex Helie
Kernel
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: A remote attacker may be able to cause unexpected system
termination or corrupt kernel memory
Description: Multiple memory corruption issues were addressed with
improved input validation.
CVE-2020-27921: Linus Henze (pinauten.de)
Kernel
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7, macOS
Big Sur 11.0.1
Impact: A malicious application may cause unexpected changes in
memory belonging to processes traced by DTrace
Description: This issue was addressed with improved checks to prevent
unauthorized actions.
CVE-2020-27949: Steffen Klee (@_kleest) of TU Darmstadt, Secure
Mobile Networking Lab
Kernel
Available for: macOS Big Sur 11.0.1
Impact: A malicious application may be able to elevate privileges
Description: This issue was addressed with improved entitlements.
CVE-2020-29620: Csaba Fitzl (@theevilbit) of Offensive Security
libxml2
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: An integer overflow was addressed through improved input
validation.
CVE-2020-27911: found by OSS-Fuzz
libxml2
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: Processing maliciously crafted web content may lead to code
execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-27920: found by OSS-Fuzz
libxml2
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-27926: found by OSS-Fuzz
libxpc
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: A malicious application may be able to break out of its
sandbox
Description: A parsing issue in the handling of directory paths was
addressed with improved path validation.
CVE-2020-10014: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab
Logging
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: A local attacker may be able to elevate their privileges
Description: A path handling issue was addressed with improved
validation.
CVE-2020-10010: Tommy Muir (@Muirey03)
Model I/O
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: Processing a maliciously crafted USD file may lead to
unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-13524: Aleksandar Nikolic of Cisco Talos
Model I/O
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: Opening a maliciously crafted file may lead to unexpected
application termination or arbitrary code execution
Description: A logic issue was addressed with improved state
management.
CVE-2020-10004: Aleksandar Nikolic of Cisco Talos
NSRemoteView
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: A logic issue was addressed with improved restrictions.
CVE-2020-27901: Thijs Alkemade of Computest Research Division
Power Management
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: A malicious application may be able to determine kernel
memory layout
Description: A logic issue was addressed with improved state
management.
CVE-2020-10007: singi@theori working with Trend Micro Zero Day
Initiative
Quick Look
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: Processing a maliciously crafted document may lead to a cross
site scripting attack
Description: An access issue was addressed with improved access
restrictions.
CVE-2020-10012: Heige of KnownSec 404 Team (knownsec.com) and Bo Qu
of Palo Alto Networks (paloaltonetworks.com)
Ruby
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: A remote attacker may be able to modify the file system
Description: A path handling issue was addressed with improved
validation.
CVE-2020-27896: an anonymous researcher
System Preferences
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: A logic issue was addressed with improved state
management.
CVE-2020-10009: Thijs Alkemade of Computest Research Division
WebRTC
Available for: macOS Big Sur 11.0.1
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-15969: an anonymous researcher
Wi-Fi
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7
Impact: An attacker may be able to bypass Managed Frame Protection
Description: A denial of service issue was addressed with improved
state handling.
CVE-2020-27898: Stephan Marais of University of Johannesburg
Installation note:
macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security
Update 2020-007 Mojave may be obtained from the Mac App Store or
Apple's Software Downloads web site:
https://support.apple.com/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAl/YBj8ACgkQZcsbuWJ6
jjCVjw//QGrhMvU+nyuS1UwWs7rcqDJDNh0Zb7yUJali2Bdc9/l++i2pLFbmAwes
7AYCag+T3h3aP7YJAN13zb8KBmUcmnWkWupfx8kEGqHxSXnQTXvaEI59RyCobOCj
OVPtboPMH1d94+6dABMp9kiLAHoZezm3hdF8ShT2Hqgq2TB16wZsa/EvhJVSaduA
7RttG6EHBTin6UU3M/+vcfJWqkg4O0YuZpQaconDa5Pd81jpUMeduzfRvS5i+PVS
cehtHPWjCN15+sQ29q11yhP3v+sYh0DJEl2LWaBnDo2TlC1gHx70H5ZsAFLHChcd
rXkl1tm6GV3UWVhFq0jQc1DP+IwbuL6jHI/wIjYx7itk9XECppyhhiuImOaLiIUH
CBgAjwVHY1GUdTH97iPEQFF61v3sjpRLleLMZW7+9ZTt4pEDwMVHk9vKgVK5BUa6
lrKWtBHL3AtaXtxC9y8XGe3IYEBLAszHMUJfF1BR+D/niDRlztvoj72/3PPwtk2t
tuUE9RGzpSXCQ1CX6vW7zS2ddVmQfJqcPX721k4OVpFNlMXkjZkm2Q/xwr5qq99v
Up9BA+ITksthGYfGAY5bBV1LsjK1NtdNHQGpZe4l9bu4ONgUvmL8iBb/LnS6wKB1
HGcdHEmXvbx+Akl/fvTdG8RSvyoYuFJHkuYv0DMWiri8yN1q+C4=
=osnP
-----END PGP SIGNATURE-----
| VAR-202104-0002 | CVE-2020-10015 | macOS Out-of-bounds write vulnerability in |
CVSS V2: 9.3 CVSS V3: 7.8 Severity: HIGH |
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, macOS Big Sur 11.0.1. An application may be able to execute arbitrary code with kernel privileges. macOS Exists in an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability allows local attackers to escalate privileges on affected installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within the AppleIntelKBLGraphics kext. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated array. Apple macOS is a set of dedicated operating systems developed by Apple Corporation for Mac computers. There is a security vulnerability in Apple macOs. Please keep an eye on CNNVD or manufacturer announcements.
The specific flaw exists within the AppleIntelKBLGraphics kext.
CVE-2020-27941: shrek_wzw
AppleMobileFileIntegrity
Available for: macOS Big Sur 11.0.1
Impact: A malicious application may be able to bypass Privacy
preferences
Description: This issue was addressed with improved checks. working with Trend Micro Zero Day
Initiative
CVE-2020-27897: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc.
CVE-2020-27921: Linus Henze (pinauten.de)
Kernel
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.7, macOS
Big Sur 11.0.1
Impact: A malicious application may cause unexpected changes in
memory belonging to processes traced by DTrace
Description: This issue was addressed with improved checks to prevent
unauthorized actions.
Information about the security content is also available at
https://support.apple.com/HT211931.
AMD
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A malicious application may be able to execute arbitrary code
with system privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2020-27914: Yu Wang of Didi Research America
CVE-2020-27915: Yu Wang of Didi Research America
Entry added December 14, 2020
App Store
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: An application may be able to gain elevated privileges
Description: This issue was addressed by removing the vulnerable
code.
CVE-2020-27903: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab
Audio
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-27910: JunDong Xie and XingWei Lin of Ant Security Light-
Year Lab
Audio
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: An out-of-bounds write was addressed with improved input
validation.
CVE-2020-27916: JunDong Xie of Ant Security Light-Year Lab
Audio
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A malicious application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9943: JunDong Xie of Ant Group Light-Year Security Lab
Audio
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-9944: JunDong Xie of Ant Group Light-Year Security Lab
Bluetooth
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A remote attacker may be able to cause unexpected application
termination or heap corruption
Description: Multiple integer overflows were addressed with improved
input validation.
CVE-2020-27906: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong
Security Lab
CoreAudio
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-27908: JunDong Xie and XingWei Lin of Ant Security Light-
Year Lab
CVE-2020-27909: Anonymous working with Trend Micro Zero Day
Initiative, JunDong Xie and XingWei Lin of Ant Security Light-Year
Lab
CVE-2020-9960: JunDong Xie and XingWei Lin of Ant Security Light-Year
Lab
Entry added December 14, 2020
CoreAudio
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: An out-of-bounds write was addressed with improved input
validation.
CVE-2020-10017: Francis working with Trend Micro Zero Day Initiative,
JunDong Xie of Ant Security Light-Year Lab
CoreCapture
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-9949: Proteas
CoreGraphics
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds write was addressed with improved input
validation.
CVE-2020-9883: an anonymous researcher, Mickey Jin of Trend Micro
Crash Reporter
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A local attacker may be able to elevate their privileges
Description: An issue existed within the path validation logic for
symlinks.
CVE-2020-10003: Tim Michaud (@TimGMichaud) of Leviathan
CoreText
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: A logic issue was addressed with improved state
management.
CVE-2020-27922: Mickey Jin of Trend Micro
Entry added December 14, 2020
CoreText
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing a maliciously crafted text file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2020-9999: Apple
Entry updated December 14, 2020
Disk Images
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-9965: Proteas
CVE-2020-9966: Proteas
Finder
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Users may be unable to remove metadata indicating where files
were downloaded from
Description: The issue was addressed with additional user controls.
CVE-2020-27894: Manuel Trezza of Shuggr (shuggr.com)
FontParser
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: A buffer overflow was addressed with improved size
validation.
CVE-2020-9962: Yiğit Can YILMAZ (@yilmazcanyigit)
Entry added December 14, 2020
FontParser
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: An out-of-bounds write was addressed with improved input
validation.
CVE-2020-27952: an anonymous researcher, Mickey Jin and Junzhi Lu of
Trend Micro
Entry added December 14, 2020
FontParser
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-9956: Mickey Jin and Junzhi Lu of Trend Micro Mobile
Security Research Team working with Trend Micro’s Zero Day Initiative
Entry added December 14, 2020
FontParser
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files.
CVE-2020-27931: Apple
Entry added December 14, 2020
FontParser
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing a maliciously crafted font may lead to arbitrary
code execution. Apple is aware of reports that an exploit for this
issue exists in the wild.
CVE-2020-27930: Google Project Zero
FontParser
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-27927: Xingwei Lin of Ant Security Light-Year Lab
Foundation
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A local user may be able to read arbitrary files
Description: A logic issue was addressed with improved state
management.
CVE-2020-10002: James Hutchins
HomeKit
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: An attacker in a privileged network position may be able to
unexpectedly alter application state
Description: This issue was addressed with improved setting
propagation.
CVE-2020-9978: Luyi Xing, Dongfang Zhao, and Xiaofeng Wang of Indiana
University Bloomington, Yan Jia of Xidian University and University
of Chinese Academy of Sciences, and Bin Yuan of HuaZhong University
of Science and Technology
Entry added December 14, 2020
ImageIO
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-9955: Mickey Jin of Trend Micro, Xingwei Lin of Ant Security
Light-Year Lab
Entry added December 14, 2020
ImageIO
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-27924: Lei Sun
Entry added December 14, 2020
ImageIO
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds write was addressed with improved input
validation.
CVE-2020-27912: Xingwei Lin of Ant Security Light-Year Lab
CVE-2020-27923: Lei Sun
Entry updated December 14, 2020
ImageIO
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-9876: Mickey Jin of Trend Micro
Intel Graphics Driver
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-10015: ABC Research s.r.o. working with Trend Micro Zero Day
Initiative
CVE-2020-27897: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc.,
and Luyi Xing of Indiana University Bloomington
Entry added December 14, 2020
Intel Graphics Driver
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2020-27907: ABC Research s.r.o. working with Trend Micro Zero Day
Initiative
Entry added December 14, 2020
Image Processing
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds write was addressed with improved input
validation.
CVE-2020-27919: Hou JingYi (@hjy79425575) of Qihoo 360 CERT, Xingwei
Lin of Ant Security Light-Year Lab
Entry added December 14, 2020
Kernel
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A remote attacker may be able to cause unexpected system
termination or corrupt kernel memory
Description: Multiple memory corruption issues were addressed with
improved input validation.
CVE-2020-9967: Alex Plaskett (@alexjplaskett)
Entry added December 14, 2020
Kernel
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-9975: Tielei Wang of Pangu Lab
Entry added December 14, 2020
Kernel
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A race condition was addressed with improved state
handling.
CVE-2020-27921: Linus Henze (pinauten.de)
Entry added December 14, 2020
Kernel
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A logic issue existed resulting in memory corruption.
This was addressed with improved state management.
CVE-2020-27904: Zuozhi Fan (@pattern_F_) of Ant Group Tianqong
Security Lab
Kernel
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: An attacker in a privileged network position may be able to
inject into active connections within a VPN tunnel
Description: A routing issue was addressed with improved
restrictions.
CVE-2019-14899: William J. Tolley, Beau Kujath, and Jedidiah R.
Crandall
Kernel
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A malicious application may be able to disclose kernel
memory. Apple is aware of reports that an exploit for this issue
exists in the wild.
Description: A memory initialization issue was addressed.
CVE-2020-27950: Google Project Zero
Kernel
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A malicious application may be able to determine kernel
memory layout
Description: A logic issue was addressed with improved state
management.
CVE-2020-9974: Tommy Muir (@Muirey03)
Kernel
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
state management.
CVE-2020-10016: Alex Helie
Kernel
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges. Apple is aware of reports that an exploit for
this issue exists in the wild.
CVE-2020-27932: Google Project Zero
libxml2
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing maliciously crafted web content may lead to code
execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-27917: found by OSS-Fuzz
CVE-2020-27920: found by OSS-Fuzz
Entry updated December 14, 2020
libxml2
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: An integer overflow was addressed through improved input
validation.
CVE-2020-27911: found by OSS-Fuzz
libxpc
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A malicious application may be able to elevate privileges
Description: A logic issue was addressed with improved validation.
CVE-2020-9971: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab
Entry added December 14, 2020
libxpc
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A malicious application may be able to break out of its
sandbox
Description: A parsing issue in the handling of directory paths was
addressed with improved path validation.
CVE-2020-10014: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab
Logging
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A local attacker may be able to elevate their privileges
Description: A path handling issue was addressed with improved
validation.
CVE-2020-10010: Tommy Muir (@Muirey03)
Mail
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A remote attacker may be able to unexpectedly alter
application state
Description: This issue was addressed with improved checks.
CVE-2020-9941: Fabian Ising of FH Münster University of Applied
Sciences and Damian Poddebniak of FH Münster University of Applied
Sciences
Messages
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A local user may be able to discover a user’s deleted
messages
Description: The issue was addressed with improved deletion.
CVE-2020-9988: William Breuer of the Netherlands
CVE-2020-9989: von Brunn Media
Model I/O
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing a maliciously crafted USD file may lead to
unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2020-10011: Aleksandar Nikolic of Cisco Talos
Entry added December 14, 2020
Model I/O
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing a maliciously crafted USD file may lead to
unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-13524: Aleksandar Nikolic of Cisco Talos
Model I/O
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Opening a maliciously crafted file may lead to unexpected
application termination or arbitrary code execution
Description: A logic issue was addressed with improved state
management.
CVE-2020-10004: Aleksandar Nikolic of Cisco Talos
NetworkExtension
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A malicious application may be able to elevate privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-9996: Zhiwei Yuan of Trend Micro iCore Team, Junzhi Lu and
Mickey Jin of Trend Micro
NSRemoteView
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: A logic issue was addressed with improved restrictions.
CVE-2020-27901: Thijs Alkemade of Computest Research Division
Entry added December 14, 2020
NSRemoteView
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A malicious application may be able to preview files it does
not have access to
Description: An issue existed in the handling of snapshots.
CVE-2020-27900: Thijs Alkemade of Computest Research Division
PCRE
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Multiple issues in pcre
Description: Multiple issues were addressed by updating to version
8.44.
CVE-2019-20838
CVE-2020-14155
Power Management
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A malicious application may be able to determine kernel
memory layout
Description: A logic issue was addressed with improved state
management.
CVE-2020-10007: singi@theori working with Trend Micro Zero Day
Initiative
python
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Cookies belonging to one origin may be sent to another origin
Description: Multiple issues were addressed with improved logic.
CVE-2020-27896: an anonymous researcher
Quick Look
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A malicious app may be able to determine the existence of
files on the computer
Description: The issue was addressed with improved handling of icon
caches.
CVE-2020-9963: Csaba Fitzl (@theevilbit) of Offensive Security
Quick Look
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing a maliciously crafted document may lead to a cross
site scripting attack
Description: An access issue was addressed with improved access
restrictions.
CVE-2020-10012: Heige of KnownSec 404 Team
(https://www.knownsec.com/) and Bo Qu of Palo Alto Networks
(https://www.paloaltonetworks.com/)
Ruby
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A remote attacker may be able to modify the file system
Description: A path handling issue was addressed with improved
validation.
CVE-2020-27896: an anonymous researcher
Ruby
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: When parsing certain JSON documents, the json gem can be
coerced into creating arbitrary objects in the target system
Description: This issue was addressed with improved checks.
CVE-2020-10663: Jeremy Evans
Safari
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A spoofing issue existed in the handling of URLs.
CVE-2020-9945: Narendra Bhati From Suma Soft Pvt. Ltd. Pune (India)
@imnarendrabhati
Safari
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A malicious application may be able to determine a user's
open tabs in Safari
Description: A validation issue existed in the entitlement
verification.
CVE-2020-9977: Josh Parnham (@joshparnham)
Safari
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2020-9942: an anonymous researcher, Rahul d Kankrale
(servicenger.com), Rayyan Bijoora (@Bijoora) of The City School, PAF
Chapter, Ruilin Yang of Tencent Security Xuanwu Lab, YoKo Kho
(@YoKoAcc) of PT Telekomunikasi Indonesia (Persero) Tbk, Zhiyang
Zeng(@Wester) of OPPO ZIWU Security Lab
Sandbox
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A local user may be able to view senstive user information
Description: An access issue was addressed with additional sandbox
restrictions.
CVE-2020-9969: Wojciech Reguła of SecuRing (wojciechregula.blog)
SQLite
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A remote attacker may be able to cause a denial of service
Description: This issue was addressed with improved checks.
CVE-2020-9991
SQLite
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A remote attacker may be able to leak memory
Description: An information disclosure issue was addressed with
improved state management.
CVE-2020-9849
SQLite
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Multiple issues in SQLite
Description: Multiple issues were addressed by updating SQLite to
version 3.32.3.
CVE-2020-15358
SQLite
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A maliciously crafted SQL query may lead to data corruption
Description: This issue was addressed with improved checks.
CVE-2020-13631
SQLite
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A remote attacker may be able to cause a denial of service
Description: This issue was addressed with improved checks.
CVE-2020-13434
CVE-2020-13435
CVE-2020-9991
SQLite
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2020-13630
Symptom Framework
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A local attacker may be able to elevate their privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-27899: 08Tc3wBB working with ZecOps
Entry added December 14, 2020
System Preferences
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: A logic issue was addressed with improved state
management.
CVE-2020-10009: Thijs Alkemade of Computest Research Division
TCC
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A malicious application with root privileges may be able to
access private information
Description: A logic issue was addressed with improved restrictions.
CVE-2020-10008: Wojciech Reguła of SecuRing (wojciechregula.blog)
Entry added December 14, 2020
WebKit
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-27918: Liu Long of Ant Security Light-Year Lab
Entry updated December 14, 2020
Wi-Fi
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: An attacker may be able to bypass Managed Frame Protection
Description: A denial of service issue was addressed with improved
state handling.
CVE-2020-27898: Stephan Marais of University of Johannesburg
Xsan
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)
Impact: A malicious application may be able to access restricted
files
Description: This issue was addressed with improved entitlements.
CVE-2020-10006: Wojciech Reguła (@_r3ggi) of SecuRing
Additional recognition
802.1X
We would like to acknowledge Kenana Dalle of Hamad bin Khalifa
University and Ryan Riley of Carnegie Mellon University in Qatar for
their assistance.
Entry added December 14, 2020
Audio
We would like to acknowledge JunDong Xie and XingWei Lin of Ant-
financial Light-Year Security Lab, an anonymous researcher for their
assistance.
Bluetooth
We would like to acknowledge Andy Davis of NCC Group, Dennis Heinze
(@ttdennis) of TU Darmstadt, Secure Mobile Networking Lab for their
assistance.
Entry updated December 14, 2020
Clang
We would like to acknowledge Brandon Azad of Google Project Zero for
their assistance.
Core Location
We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for
their assistance.
Crash Reporter
We would like to acknowledge Artur Byszko of AFINE for their
assistance.
Entry added December 14, 2020
Directory Utility
We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing
for their assistance.
iAP
We would like to acknowledge Andy Davis of NCC Group for their
assistance.
Kernel
We would like to acknowledge Brandon Azad of Google Project Zero,
Stephen Röttger of Google for their assistance.
libxml2
We would like to acknowledge an anonymous researcher for their
assistance.
Entry added December 14, 2020
Login Window
We would like to acknowledge Rob Morton of Leidos for their
assistance.
Photos Storage
We would like to acknowledge Paulos Yibelo of LimeHats for their
assistance.
Quick Look
We would like to acknowledge Csaba Fitzl (@theevilbit) and Wojciech
Reguła of SecuRing (wojciechregula.blog) for their assistance.
Safari
We would like to acknowledge Gabriel Corona and Narendra Bhati From
Suma Soft Pvt. Ltd. Pune (India) @imnarendrabhati for their
assistance.
Security
We would like to acknowledge Christian Starkjohann of Objective
Development Software GmbH for their assistance.
System Preferences
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive
Security for their assistance.
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAl/YDPwACgkQZcsbuWJ6
jjANmhAAoj+ZHNnH2pGDFl2/jrAtvWBtXg8mqw6NtNbGqWDZFhnY5q7Lp8WTx/Pi
x64A4F8bU5xcybnmaDpK5PMwAAIiAg4g1BhpOq3pGyeHEasNx7D9damfqFGKiivS
p8nl62XE74ayfxdZGa+2tOVFTFwqixfr0aALVoQUhAWNeYuvVSgJXlgdGjj+QSL+
9vW86kbQypOqT5TPDg6tpJy3g5s4hotkfzCfxA9mIKOg5e/nnoRNhw0c1dzfeTRO
INzGxnajKGGYy2C3MH6t0cKG0B6cH7aePZCHYJ1jmuAVd0SD3PfmoT76DeRGC4Ri
c8fGD+5pvSF6/+5E+MbH3t3D6bLiCGRFJtYNMpr46gUKKt27EonSiheYCP9xR6lU
ChpYdcgHMOHX4a07/Oo8vEwQrtJ4JryhI9tfBel1ewdSoxk2iCFKzLLYkDMihD6B
1x/9MlaqEpLYBnuKkrRzFINW23TzFPTI/+i2SbUscRQtK0qE7Up5C+IUkRvBGhEs
MuEmEnn5spnVG2EBcKeLtJxtf/h5WaRFrev72EvSVR+Ko8Cj0MgK6IATu6saq8bV
kURL5empvpexFAvVQWRDaLgGBHKM+uArBz2OP6t7wFvD2p1Vq5M+dMrEPna1JO/S
AXZYC9Y9bBRZfYQAv7nxa+uIXy2rGTuQKQY8ldu4eEHtJ0OhaB8=
=T5Y8
-----END PGP SIGNATURE-----
| VAR-202012-1410 | CVE-2020-9202 | Huawei of te mobile Vulnerability in insecure storage of critical information in |
CVSS V2: 2.1 CVSS V3: 4.4 Severity: MEDIUM |
There is an information disclosure vulnerability in TE Mobile software versions V600R006C10,V600R006C10SPC100. Due to the improper storage of some information in certain specific scenario, the attacker can gain information in the victim's device to launch the attack, successful exploit could cause information disclosure
| VAR-202012-1408 | CVE-2020-9200 | Huawei of iManager NetEco 6000 In CSV Vulnerability in neutralizing math elements in files |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
There has a CSV injection vulnerability in iManager NetEco 6000 versions V600R021C00. An attacker with common privilege may exploit this vulnerability through some operations to inject the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files to the target device. Huawei of iManager NetEco 6000 for, CSV A vulnerability exists regarding the neutralization of formula elements in files.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Huawei Imanager Neteco 6000 is a platform provided by China's Huawei (Huawei) to provide management methods for data center infrastructure. The platform can implement unified management for medium and large data centers and multi-data centers. Through U-level fine-grained management of assets in the data center, dynamic balance and optimization of power, cooling, space, network ports and other means can improve the resources in the data center. utilization rate
| VAR-202012-0725 | CVE-2020-27730 | NGINX Controller Path traversal vulnerability in agents |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
In versions 3.0.0-3.9.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller Agent does not use absolute paths when calling system utilities. NGINX Controller The agent contains a path traversal vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. F5 NGINX Controller is a centralized monitoring and management platform for NGINX from F5 Corporation in the United States. The platform supports managing multiple NGINX instances using a visual interface. F5 NGINX Controller Agent has a permission and access control vulnerability that could allow an attacker to escalate privileges and run arbitrary code as an agent (root) process
| VAR-202012-1279 | CVE-2020-8286 | curl Vulnerability in Certificate Verification |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response. curl Contains a certificate validation vulnerability.Information may be tampered with. HAXX libcurl is an open source client-side URL transfer library developed by Haxx (HAXX) in Sweden. The product supports protocols such as FTP, SFTP, TFTP and HTTP. A security vulnerability exists in libcurl that could be exploited by an attacker to read or write data in a session by acting as a man-in-the-middle through low-level OCSP authentication on libcurl.
CVE-2020-8177
sn reported that curl could be tricked by a malicious server into
overwriting a local file when using th -J (--remote-header-name) and
-i (--include) options in the same command line.
CVE-2020-8231
Marc Aldorasi reported that libcurl might use the wrong connection
when an application using libcurl's multi API sets the option
CURLOPT_CONNECT_ONLY, which could lead to information leaks.
CVE-2020-8284
Varnavas Papaioannou reported that a malicious server could use the
PASV response to trick curl into connecting back to an arbitrary IP
address and port, potentially making curl extract information about
services that are otherwise private and not disclosed.
CVE-2020-8285
xnynx reported that libcurl could run out of stack space when using
tha FTP wildcard matching functionality (CURLOPT_CHUNK_BGN_FUNCTION).
CVE-2020-8286
It was reported that libcurl didn't verify that an OCSP response
actually matches the certificate it is intended to.
CVE-2021-22876
Viktor Szakats reported that libcurl does not strip off user
credentials from the URL when automatically populating the Referer
HTTP request header field in outgoing HTTP requests.
CVE-2021-22890
Mingtao Yang reported that, when using an HTTPS proxy and TLS 1.3,
libcurl could confuse session tickets arriving from the HTTPS proxy
as if they arrived from the remote server instead. This could allow
an HTTPS proxy to trick libcurl into using the wrong session ticket
for the host and thereby circumvent the server TLS certificate check.
For the stable distribution (buster), these problems have been fixed in
version 7.64.0-4+deb10u2.
We recommend that you upgrade your curl packages.
For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEBsId305pBx+F583DbwzL4CFiRygFAmBkQCoACgkQbwzL4CFi
Ryg6Gg/+LqhhJ8+D7skevVkYzxHzdH2yT/XMeoYp0D37yHmEfH9PyjXwfplG+XEw
/xwFRBK8qxD1ja+rQddYyeTvi1OMnMgMS3UsRHlfeMnLxh2+oHnvHDYG848npUEZ
Rq4YFoc/n9YTAJZP/G4oiuBeXqH2Sqa5hSNT6VrYfRciCxkYnzA78b85KpI8aYyR
lhfiJMNpwrqDbt/QzblpELBkGMIV402VeiqDwHfcVzm2E810xXQNLvPMbWtvDYkA
TSrNsdqfuFr1tuQSZY6CGSWEyXtB/tOo8+pvUixlJMBWJMl5TXEcJkD5ckehx0yb
C3n9yapfklxHiG9lD4zwwIJDqd3Y4SxdDiSlUC4OhdvpwniMygX0S3ICaPA4iac/
cWanml0Fop3OmRy+vQURTd3sADoT5HoRSUXZVU+HdTrRaEt2xs5okZkWSd3yr4Ux
i+HgjUAFkkk8DLRB68Bbpx1LGxFGQT7L8yd4wsWINXlzASIP1A5dnNfE5w0VWOHG
3KDq47wNfjuiZC8GXW+HQCxz5MijnS8Y/Egl0OozNFDwEitNBZEsIjpZaZBdZIwi
UFfcK7+u/y/TRY54rA4erkdcHFwpYW5EZVGdb7Z+WPWVlzw0ImXrM68LSAhHQaqW
1Hx4VwwwTsMIPnrx2kriRiiDPOW1r5Kip3yHa+QZLedSRGibQWk=
=001T
-----END PGP SIGNATURE-----
. 8) - aarch64, ppc64le, s390x, x86_64
3. Description:
The curl packages provide the libcurl library and the curl utility for
downloading files from servers using various protocols, including HTTP,
FTP, and LDAP. Description:
This release adds the new Apache HTTP Server 2.4.37 Service Pack 8 packages
that are part of the JBoss Core Services offering.
This release serves as a replacement for Red Hat JBoss Core Services Pack
Apache Server 2.4.37 Service Pack 7 and includes bug fixes and
enhancements. Refer to the Release Notes for information on the most
significant bug fixes and enhancements included in this release.
Security Fix(es):
* curl: Use-after-free in TLS session handling when using OpenSSL TLS
backend (CVE-2021-22901)
* httpd: NULL pointer dereference on specially crafted HTTP/2 request
(CVE-2021-31618)
* libcurl: partial password leak over DNS on HTTP redirect (CVE-2020-8169)
* curl: FTP PASV command response can cause curl to connect to arbitrary
host (CVE-2020-8284)
* curl: Malicious FTP server can trigger stack overflow when
CURLOPT_CHUNK_BGN_FUNCTION is used (CVE-2020-8285)
* curl: Inferior OCSP verification (CVE-2020-8286)
* curl: Leak of authentication credentials in URL via automatic Referer
(CVE-2021-22876)
* curl: TLS 1.3 session ticket mix-up with HTTPS proxy host
(CVE-2021-22890)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section. Applications using the APR libraries, such as httpd, must be
restarted for this update to take effect. Bugs fixed (https://bugzilla.redhat.com/):
1847916 - CVE-2020-8169 libcurl: partial password leak over DNS on HTTP redirect
1902667 - CVE-2020-8284 curl: FTP PASV command response can cause curl to connect to arbitrary host
1902687 - CVE-2020-8285 curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used
1906096 - CVE-2020-8286 curl: Inferior OCSP verification
1941964 - CVE-2021-22876 curl: Leak of authentication credentials in URL via automatic Referer
1941965 - CVE-2021-22890 curl: TLS 1.3 session ticket mix-up with HTTPS proxy host
1963146 - CVE-2021-22901 curl: Use-after-free in TLS session handling when using OpenSSL TLS backend
1968013 - CVE-2021-31618 httpd: NULL pointer dereference on specially crafted HTTP/2 request
6. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat OpenShift Container Storage 4.6.5 security and bug fix update
Advisory ID: RHSA-2021:2479-01
Product: Red Hat OpenShift Container Storage
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2479
Issue date: 2021-06-17
CVE Names: CVE-2016-10228 CVE-2017-14502 CVE-2019-2708
CVE-2019-3842 CVE-2019-9169 CVE-2019-13012
CVE-2019-14866 CVE-2019-25013 CVE-2020-8231
CVE-2020-8284 CVE-2020-8285 CVE-2020-8286
CVE-2020-8927 CVE-2020-9948 CVE-2020-9951
CVE-2020-9983 CVE-2020-13434 CVE-2020-13543
CVE-2020-13584 CVE-2020-13776 CVE-2020-15358
CVE-2020-24977 CVE-2020-25659 CVE-2020-25678
CVE-2020-26116 CVE-2020-26137 CVE-2020-27618
CVE-2020-27619 CVE-2020-27783 CVE-2020-28196
CVE-2020-29361 CVE-2020-29362 CVE-2020-29363
CVE-2020-36242 CVE-2021-3139 CVE-2021-3177
CVE-2021-3326 CVE-2021-3449 CVE-2021-3450
CVE-2021-3528 CVE-2021-20305 CVE-2021-23239
CVE-2021-23240 CVE-2021-23336
====================================================================
1. Summary:
Updated images that fix one security issue and several bugs are now
available for Red Hat OpenShift Container Storage 4.6.5 on Red Hat
Enterprise Linux 8 from Red Hat Container Registry.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat OpenShift Container Storage is software-defined storage integrated
with and optimized for the Red Hat OpenShift Container Platform. Red Hat
OpenShift Container Storage is a highly scalable, production-grade
persistent storage for stateful applications running in the Red Hat
OpenShift Container Platform. In addition to persistent storage, Red Hat
OpenShift Container Storage provisions a multicloud data management service
with an S3 compatible API.
Security Fix(es):
* NooBaa: noobaa-operator leaking RPC AuthToken into log files
(CVE-2021-3528)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
Bug Fix(es):
* Currently, a newly restored PVC cannot be mounted if some of the
OpenShift Container Platform nodes are running on a version of Red Hat
Enterprise Linux which is less than 8.2, and the snapshot from which the
PVC was restored is deleted.
Workaround: Do not delete the snapshot from which the PVC was restored
until the restored PVC is deleted. (BZ#1962483)
* Previously, the default backingstore was not created on AWS S3 when
OpenShift Container Storage was deployed, due to incorrect identification
of AWS S3. With this update, the default backingstore gets created when
OpenShift Container Storage is deployed on AWS S3. (BZ#1927307)
* Previously, log messages were printed to the endpoint pod log even if the
debug option was not set. With this update, the log messages are printed to
the endpoint pod log only when the debug option is set. (BZ#1938106)
* Previously, the PVCs could not be provisioned as the `rook-ceph-mds` did
not register the pod IP on the monitor servers, and hence every mount on
the filesystem timed out, resulting in CephFS volume provisioning failure.
With this update, an argument `--public-addr=podIP` is added to the MDS pod
when the host network is not enabled, and hence the CephFS volume
provisioning does not fail. (BZ#1949558)
* Previously, OpenShift Container Storage 4.2 clusters were not updated
with the correct cache value, and hence MDSs in standby-replay might report
an oversized cache, as rook did not apply the `mds_cache_memory_limit`
argument during upgrades. With this update, the `mds_cache_memory_limit`
argument is applied during upgrades and the mds daemon operates normally.
(BZ#1951348)
* Previously, the coredumps were not generated in the correct location as
rook was setting the config option `log_file` to an empty string since
logging happened on stdout and not on the files, and hence Ceph read the
value of the `log_file` to build the dump path. With this update, rook does
not set the `log_file` and keeps Ceph's internal default, and hence the
coredumps are generated in the correct location and are accessible under
`/var/log/ceph/`. (BZ#1938049)
* Previously, Ceph became inaccessible, as the mons lose quorum if a mon
pod was drained while another mon was failing over. With this update,
voluntary mon drains are prevented while a mon is failing over, and hence
Ceph does not become inaccessible. (BZ#1946573)
* Previously, the mon quorum was at risk, as the operator could erroneously
remove the new mon if the operator was restarted during a mon failover.
With this update, the operator completes the same mon failover after the
operator is restarted, and hence the mon quorum is more reliable in the
node drains and mon failover scenarios. (BZ#1959983)
All users of Red Hat OpenShift Container Storage are advised to pull these
new images from the Red Hat Container Registry.
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
1938106 - [GSS][RFE]Reduce debug level for logs of Nooba Endpoint pod
1950915 - XSS Vulnerability with Noobaa version 5.5.0-3bacc6b
1951348 - [GSS][CephFS] health warning "MDS cache is too large (3GB/1GB); 0 inodes in use by clients, 0 stray files" for the standby-replay
1951600 - [4.6.z][Clone of BZ #1936545] setuid and setgid file bits are not retained after a OCS CephFS CSI restore
1955601 - CVE-2021-3528 NooBaa: noobaa-operator leaking RPC AuthToken into log files
1957189 - [Rebase] Use RHCS4.2z1 container image with OCS 4..6.5[may require doc update for external mode min supported RHCS version]
1959980 - When a node is being drained, increase the mon failover timeout to prevent unnecessary mon failover
1959983 - [GSS][mon] rook-operator scales mons to 4 after healthCheck timeout
1962483 - [RHEL7][RBD][4.6.z clone] FailedMount error when using restored PVC on app pod
5. References:
https://access.redhat.com/security/cve/CVE-2016-10228
https://access.redhat.com/security/cve/CVE-2017-14502
https://access.redhat.com/security/cve/CVE-2019-2708
https://access.redhat.com/security/cve/CVE-2019-3842
https://access.redhat.com/security/cve/CVE-2019-9169
https://access.redhat.com/security/cve/CVE-2019-13012
https://access.redhat.com/security/cve/CVE-2019-14866
https://access.redhat.com/security/cve/CVE-2019-25013
https://access.redhat.com/security/cve/CVE-2020-8231
https://access.redhat.com/security/cve/CVE-2020-8284
https://access.redhat.com/security/cve/CVE-2020-8285
https://access.redhat.com/security/cve/CVE-2020-8286
https://access.redhat.com/security/cve/CVE-2020-8927
https://access.redhat.com/security/cve/CVE-2020-9948
https://access.redhat.com/security/cve/CVE-2020-9951
https://access.redhat.com/security/cve/CVE-2020-9983
https://access.redhat.com/security/cve/CVE-2020-13434
https://access.redhat.com/security/cve/CVE-2020-13543
https://access.redhat.com/security/cve/CVE-2020-13584
https://access.redhat.com/security/cve/CVE-2020-13776
https://access.redhat.com/security/cve/CVE-2020-15358
https://access.redhat.com/security/cve/CVE-2020-24977
https://access.redhat.com/security/cve/CVE-2020-25659
https://access.redhat.com/security/cve/CVE-2020-25678
https://access.redhat.com/security/cve/CVE-2020-26116
https://access.redhat.com/security/cve/CVE-2020-26137
https://access.redhat.com/security/cve/CVE-2020-27618
https://access.redhat.com/security/cve/CVE-2020-27619
https://access.redhat.com/security/cve/CVE-2020-27783
https://access.redhat.com/security/cve/CVE-2020-28196
https://access.redhat.com/security/cve/CVE-2020-29361
https://access.redhat.com/security/cve/CVE-2020-29362
https://access.redhat.com/security/cve/CVE-2020-29363
https://access.redhat.com/security/cve/CVE-2020-36242
https://access.redhat.com/security/cve/CVE-2021-3139
https://access.redhat.com/security/cve/CVE-2021-3177
https://access.redhat.com/security/cve/CVE-2021-3326
https://access.redhat.com/security/cve/CVE-2021-3449
https://access.redhat.com/security/cve/CVE-2021-3450
https://access.redhat.com/security/cve/CVE-2021-3528
https://access.redhat.com/security/cve/CVE-2021-20305
https://access.redhat.com/security/cve/CVE-2021-23239
https://access.redhat.com/security/cve/CVE-2021-23240
https://access.redhat.com/security/cve/CVE-2021-23336
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYMtu/9zjgjWX9erEAQh6fhAAm9UPxF0e8ubzCEae+bkQAduwCkzpQ0ND
Q1/UcDAAc4ueEhBrwXPhOLrgfBj+VG+QA19YZcNPzbW7I48RGjCm5WccnUyEbFAo
FKTspCZW7FkXKBU15u58c/sFCGa4/Yuu+IpqCMuZ6lR2g9WHIBKdVtaB4y59AyfS
v59cAorqZ3AoTX4lVys6HfDGySQWlg5P8t6ST72cUJjESi6U0HV00P7ECU2SFxCF
HXA4gbXbZ1EPb/1+UkRRnXemJuT8SaRFRTrzj9woTrVAGQFvn+yjxLbZxVZb0WDd
6QeNpiJNICfL+/ExvEmGQucf7NcekYPWud11pnRUfQ+Uqsj+I7YoaepXAAolLzvN
kAVVpFNsWADOVz7BrfSKoo4b38UCFOEUSd2d1ijCNE96Q9XyNUpn+kZqz0/wpBQC
L+E5N9kEuaLyDBoI0wJAfoqU1NY4Cvl6lIMDgHUv2CE10zxhFwHCDulAfcQgxNQG
sIbpSgSegq9HfZSDxa6Rtrox1I7oGhnBy10sIwUUH1+fxAusUk+Xrxf8hUv8KgDz
V144yrGwN/6KVxh74A60bJX3ai12l6fC8bkmsxg5K1r/Dk4tUkQeXNdBbaK/rEKO
AQs7YDab/0VA2qKtXDRkbnzqBRSbamDNOO/jd28nGMoclaIRHCzQgJRFv6Qb6dwT
RCrstqAM5QQ=DHD0
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
.
Bug Fix(es):
* WMCO patch pub-key-hash annotation to Linux node (BZ#1945248)
* LoadBalancer Service type with invalid external loadbalancer IP breaks
the datapath (BZ#1952917)
* Telemetry info not completely available to identify windows nodes
(BZ#1955319)
* WMCO incorrectly shows node as ready after a failed configuration
(BZ#1956412)
* kube-proxy service terminated unexpectedly after recreated LB service
(BZ#1963263)
3. Solution:
For Windows Machine Config Operator upgrades, see the following
documentation:
https://docs.openshift.com/container-platform/4.7/windows_containers/window
s-node-upgrades.html
4. Bugs fixed (https://bugzilla.redhat.com/):
1945248 - WMCO patch pub-key-hash annotation to Linux node
1946538 - CVE-2021-25736 kubernetes: LoadBalancer Service type don't create a HNS policy for empty or invalid external loadbalancer IP, what could lead to MITM
1952917 - LoadBalancer Service type with invalid external loadbalancer IP breaks the datapath
1955319 - Telemetry info not completely available to identify windows nodes
1956412 - WMCO incorrectly shows node as ready after a failed configuration
1963263 - kube-proxy service terminated unexpectedly after recreated LB service
5. Bugs fixed (https://bugzilla.redhat.com/):
1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve
5. JIRA issues fixed (https://issues.jboss.org/):
TRACING-1725 - Elasticsearch operator reports x509 errors communicating with ElasticSearch in OpenShift Service Mesh project
6. Bugs fixed (https://bugzilla.redhat.com/):
1937901 - CVE-2021-27918 golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader
1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header
1965503 - CVE-2021-33196 golang: archive/zip: Malformed archive may cause panic or memory exhaustion
1971445 - Release of OpenShift Serverless Serving 1.16.0
1971448 - Release of OpenShift Serverless Eventing 1.16.0
5
| VAR-202012-0126 | CVE-2020-13988 | Embedded TCP/IP stacks have memory corruption vulnerabilities |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An issue was discovered in Contiki through 3.0. An Integer Overflow exists in the uIP TCP/IP Stack component when parsing TCP MSS options of IPv4 network packets in uip_process in net/ipv4/uip.c. Multiple open-source embedded TCP/IP stacks, commonly used in Internet of Things (IoT) and embedded devices, have several vulnerabilities stemming from improper memory management. These vulnerabilities are also tracked as ICS-VU-633937 and JVNVU#96491057 as well as the name AMNESIA:33.CVE-2020-13984 Not Affected
CVE-2020-13985 Affected
CVE-2020-13986 Affected
CVE-2020-13987 Affected
CVE-2020-13988 Affected
CVE-2020-17437 Affected
CVE-2020-17438 Affected
CVE-2020-17439 Affected
CVE-2020-17440 Affected
CVE-2020-17441 Not Affected
CVE-2020-17442 Not Affected
CVE-2020-17443 Not Affected
CVE-2020-17444 Not Affected
CVE-2020-17445 Not Affected
CVE-2020-17467 Not Affected
CVE-2020-17468 Not Affected
CVE-2020-17469 Not Affected
CVE-2020-17470 Not Affected
CVE-2020-24334 Affected
CVE-2020-24335 Not Affected
CVE-2020-24336 Affected
CVE-2020-24337 Not Affected
CVE-2020-24338 Not Affected
CVE-2020-24339 Not Affected
CVE-2020-24340 Not Affected
CVE-2020-24341 Not Affected
CVE-2020-24383 Not Affected
CVE-2020-25107 Not Affected
CVE-2020-25108 Not Affected
CVE-2020-25109 Not Affected
CVE-2020-25110 Not Affected
CVE-2020-25111 Not Affected
CVE-2020-25112 Not Affected
CVE-2021-28362 Not AffectedCVE-2020-13984 Not Affected
CVE-2020-13985 Affected
CVE-2020-13986 Affected
CVE-2020-13987 Affected
CVE-2020-13988 Affected
CVE-2020-17437 Affected
CVE-2020-17438 Affected
CVE-2020-17439 Affected
CVE-2020-17440 Affected
CVE-2020-17441 Not Affected
CVE-2020-17442 Not Affected
CVE-2020-17443 Not Affected
CVE-2020-17444 Not Affected
CVE-2020-17445 Not Affected
CVE-2020-17467 Not Affected
CVE-2020-17468 Not Affected
CVE-2020-17469 Not Affected
CVE-2020-17470 Not Affected
CVE-2020-24334 Affected
CVE-2020-24335 Not Affected
CVE-2020-24336 Affected
CVE-2020-24337 Not Affected
CVE-2020-24338 Not Affected
CVE-2020-24339 Not Affected
CVE-2020-24340 Not Affected
CVE-2020-24341 Not Affected
CVE-2020-24383 Not Affected
CVE-2020-25107 Not Affected
CVE-2020-25108 Not Affected
CVE-2020-25109 Not Affected
CVE-2020-25110 Not Affected
CVE-2020-25111 Not Affected
CVE-2020-25112 Not Affected
CVE-2021-28362 Not Affected. Siemens SENTRON PAC3200, etc. are all products of German Siemens (Siemens). Siemens SENTRON PAC3200 is a multifunctional power meter for industrial environments. Siemens SENTRON PAC4200 is a multifunctional power meter for industrial environments. Siemens SIRIUS 3RW5 is a soft start device for industrial environments.
The Siemens device has an input verification error vulnerability. Attackers can use this vulnerability to send a specially crafted IP packet to a device located on the same network to trigger a denial of service condition on the device. =========================================================================
Ubuntu Security Notice USN-6259-1
July 27, 2023
open-iscsi vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
Summary:
Several security issues were fixed in Open-iSCSI.
Software Description:
- open-iscsi: Open Source iSCSI implementation
Details:
Jos Wetzels, Stanislav Dashevskyi, and Amine Amri discovered that
Open-iSCSI incorrectly handled certain checksums for IP packets.
An attacker could possibly use this issue to expose sensitive information.
(CVE-2020-13987)
Jos Wetzels, Stanislav Dashevskyi, Amine Amri discovered that
Open-iSCSI incorrectly handled certain parsing TCP MSS options.
An attacker could possibly use this issue to cause a crash or cause
unexpected behavior. (CVE-2020-13988)
Amine Amri and Stanislav Dashevskyi discovered that Open-iSCSI
incorrectly handled certain TCP data. An attacker could possibly
use this issue to expose sensitive information. (CVE-2020-17437)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
open-iscsi 2.0.874-7.1ubuntu6.4
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
open-iscsi 2.0.874-5ubuntu2.11+esm1
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
open-iscsi 2.0.873+git0.3b4b4500-14ubuntu3.7+esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6259-1
CVE-2020-13987, CVE-2020-13988, CVE-2020-17437
Package Information:
https://launchpad.net/ubuntu/+source/open-iscsi/2.0.874-7.1ubuntu6.4
| VAR-202012-0974 | CVE-2020-29579 | Express Gateway Docker image Vulnerability in |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
The official Express Gateway Docker images before 1.14.0 contain a blank password for a root user. Systems using the Express Gateway Docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access. Express Gateway Docker image Contains an unspecified vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state
| VAR-202012-0217 | CVE-2020-15796 | SIMATIC ET 200SP Open Controller and SIMATIC S7-1500 Software Controller Vulnerability regarding uncaught exceptions in |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A vulnerability has been identified in SIMATIC ET 200SP Open Controller (incl. SIPLUS variants) (V20.8), SIMATIC S7-1500 Software Controller (V20.8). The web server of the affected products contains a vulnerability that could allow a remote attacker to trigger a denial-of-service condition by sending a specially crafted HTTP request. Siemens SIMATIC Controller Web Servers is a platform of German Siemens (Siemens) that provides Web-side control for Siemens automation products.
Siemens SIMATIC Controller Web Servers has a security vulnerability
| VAR-202012-0818 | CVE-2020-28218 | Easergy T300 Vulnerability in Improper Restriction of Rendered User Interface Layers or Frames |
CVSS V2: 4.3 CVSS V3: 6.5 Severity: MEDIUM |
A CWE-1021: Improper Restriction of Rendered UI Layers or Frames vulnerability exists in Easergy T300 (firmware 2.7 and older), that would allow an attacker to trick a user into initiating an unintended action. Easergy T300 Is vulnerable to improper restrictions on rendered user interface layers or frames.Information may be tampered with. Easergy T300 is a new generation of distribution network automation intelligent terminal, adhering to the "modularity, flexibility, application-oriented" design concept, can be widely used in medium voltage distribution network management, fault location, isolation and recovery (FLISR), distributed energy integration Internet, energy growth and asset management.
Easergy T300 2.7 and earlier versions have improper limitations on rendering the UI layer or frame. Attackers can use this vulnerability to induce users to initiate other actions
| VAR-202012-0817 | CVE-2020-28217 | Easergy T300 Vulnerability regarding lack of encryption of critical data in |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Easergy T300 (firmware 2.7 and older), that would allow an attacker to read network traffic over HTTP protocol. Easergy T300 There is a vulnerability in the lack of encryption of critical data.Information may be obtained. Easergy T300 is a new generation of distribution network automation intelligent terminal, adhering to the "modularity, flexibility, application-oriented" design concept, can be widely used in medium voltage distribution network management, fault location, isolation and recovery (FLISR), distributed energy integration Internet, energy growth and asset management.
Easergy T300 2.7 and earlier versions have security vulnerabilities
| VAR-202012-0816 | CVE-2020-28216 | Easergy T300 Vulnerability regarding lack of encryption of critical data in |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Easergy T300 (firmware 2.7 and older), that would allow an attacker to read network traffic over HTTP protocol. Easergy T300 There is a vulnerability in the lack of encryption of critical data.Information may be obtained. Easergy T300 is a new generation of distribution network automation intelligent terminal, adhering to the "modularity, flexibility, application-oriented" design concept, can be widely used in medium voltage distribution network management, fault location, isolation and recovery (FLISR), distributed energy integration Internet, energy growth and asset management.
Easergy T300 2.7 and earlier versions have security vulnerabilities
| VAR-202012-0517 | CVE-2020-25228 | LOGO! 8 BM Vulnerability regarding lack of authentication for critical features in |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). A service available on port 10005/tcp of the affected devices could allow complete access to all services without authorization. An attacker could gain full control over an affected device, if he has access to this service. The system manual recommends to protect access to this port. LOGO! 8 BM (SIPLUS variants Including ) There is a vulnerability in the lack of authentication for critical features.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. SIEMENS LOGO! 8 BM is a programming software for the Windows platform in an industrial environment from Siemens in Germany
| VAR-202012-0520 | CVE-2020-25231 | LOGO! 8 BM and LOGO! Soft Comfort Vulnerability in Using Hard Coded Credentials |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3), LOGO! Soft Comfort (All versions < V8.3). The encryption of program data for the affected devices uses a static key. An attacker could use this key to extract confidential information from protected program files. Siemens LOGO! 8 BM is a programming software for the Windows platform in an industrial environment from Siemens in Germany. Attackers can use the vulnerability to make unauthorized password or configuration changes to any affected device
| VAR-202012-0521 | CVE-2020-25232 | LOGO! 8 BM Vulnerability in using cryptographic algorithms in |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). Due to the usage of an insecure random number generation function and a deprecated cryptographic function, an attacker could extract the key that is used when communicating with an affected device on port 8080/tcp. LOGO! 8 BM (SIPLUS variants Including ) Is vulnerable to the use of cryptographic algorithms.Information may be obtained. Siemens LOGO! 8 BM is a programming software for the Windows platform in an industrial environment from Siemens in Germany.
Siemens LOGO! 8 BM has a security vulnerability, which can be exploited by attackers to gain full access to all services without authorization
| VAR-202012-0518 | CVE-2020-25229 | LOGO! 8 BM In Capture-replay Authentication bypass vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). The implemented encryption for communication with affected devices is prone to replay attacks due to the usage of a static key. An attacker could change the password or change the configuration on any affected device if using prepared messages that were generated for another device. Siemens LOGO! 8 BM is a programming software for the Windows platform in an industrial environment from Siemens in Germany
| VAR-202012-0519 | CVE-2020-25230 | LOGO! 8 BM Vulnerability in using cryptographic algorithms in |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). Due to the usage of an outdated cipher mode on port 10005/tcp, an attacker could extract the encryption key from a captured communication with the device. LOGO! 8 BM (SIPLUS variants Including ) Is vulnerable to the use of cryptographic algorithms.Information may be obtained. Siemens LOGO! 8 BM is a programming software for the Windows platform in an industrial environment from Siemens in Germany