Linux Vulnerabilities of the Week: July 26, 2021

Linux Vulnerabilities of the Week: July 26, 2021

1. Out-of-bounds write in ANGLE in Google Chrome (< 91.0.4472.101)

Severity: Important    CVSS Score: 8.8

This is a flaw in ANGLE. Exploiting this vulnerability, a remote attacker can potentially perform out-of-bounds memory access via a crafted HTML page.

The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

 Syxscore Risk Alert

This vulnerability has a major risk as though it requires user interaction to be exploited, this can be exposed over any network, with a low complexity attack and no privileges.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-30547

2. An out-of-bounds memory write flaw in the Linux kernel affecting Red Hat Enterprise Linux 7 and 8

Severity: Important    CVSS Score: 7.8

This is a flaw in the Linux kernel’s joystick devices subsystem before 5.9-rc1, in the way the user calls ioctl JSIOCSBTNMAP. A local attacker can use this flaw to crash the system or escalate their privileges on the system.

The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Syxscore Risk Alert

This vulnerability has a major risk as although this needs access to the same network as the device, it can be exploited with a low complexity attack, low privileges, and without user interaction.

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-3612

3. Incorrect comparison during range check elimination in OpenJDK

Severity: Important    CVSS Score: 7.5

This is a flaw in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). The vulnerability is difficult to exploit as attacks require human interaction from a person other than the attacker.

Using this vulnerability, an unauthenticated attacker with network access via multiple protocols can compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker.

The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Syxscore Risk Alert

This vulnerability has a major risk as although this requires user interaction and a complex attack to be exploited, it can be exposed over any network with no privileges.

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-2388

4. Out-of-bounds write in the Linux kernel’s fs/seq_file.c

Severity: Important    CVSS Score: 7.0

Exploiting this flaw, a local attacker with a user privilege can escalate their privileges to root gaining access to out-of-bound memory, which can result in a system crash or a leak of internal kernel information.

The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.

Syxscore Risk Alert

This vulnerability has a major risk as although this needs access to the same network as the device and the complexity of an attack is high, it requires low privileges and no user interaction.

  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-33909

5. race condition for removal of the HCI controller in the kernel affecting Red Hat Enterprise Linux 7

Severity: Important    CVSS Score: 7.0

This is a flaw in the Linux kernel’s handling of the removal of Bluetooth HCI controllers. It allows a local attacker to exploit a race condition, leading to corrupted memory and possible privilege escalation.

The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Syxscore Risk Alert

This vulnerability has a major risk as although this needs access to the same network as the device and requires a complex attack to be exploited, it needs low privileges and no user interaction.

  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-32399

Try Linux Patching with Syxsense

Syxsense makes endpoint management and security easy. Automatically deploy OS and third-party patches as well as Windows 10 Feature Updates for Microsoft, Mac, and Linux devices.

Recent Posts

Topics

Related Posts

In the News: Brute-force attacks surge worldwide, warns Cisco Talos

In the News: Brute-force attacks surge worldwide, warns Cisco Talos

April 17, 2024
In the News: Why 92% of Security Professionals Worry About Generative AI

In the News: Why 92% of Security Professionals Worry About Generative AI

April 16, 2024
In the News: Let’s Celebrate World Backup Day 2024 – Hear From Industry Experts

In the News: Let’s Celebrate World Backup Day 2024 – Hear From Industry Experts

March 29, 2024
In the News: Navigating the new landscape: Understanding and implementing NIST CSF 2.0

In the News: Navigating the new landscape: Understanding and implementing NIST CSF 2.0

March 27, 2024