Linux Vulnerabilities of the Week: August 2, 2021
1. Out-of-bounds write in ANGLE in Google Chrome (< 91.0.4472.101)
Severity: Important CVSS Score: 8.8
This is a flaw in ANGLE. Exploiting this vulnerability, a remote attacker can potentially perform out-of-bounds memory access via a crafted HTML page.
The highest threat from this flaw is to data confidentiality and integrity as well as system availability.
Syxscore Risk Alert
This vulnerability has a major risk as though it requires user interaction to be exploited, this can be exposed over any network, with a low complexity attack and no privileges.
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope (Jump Point): Unchanged
CVE Reference(s): CVE-2021-30547
2. A heap buffer overflow in libsndfile 1.0.30 affecting Red Hat Enterprise Linux 7 and 8
Severity: Important CVSS Score: 8.8
This is a heap buffer overflow in libsndfile, exploiting which an attacker can execute arbitrary code via a crafted WAV file.
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Syxscore Risk Alert
This vulnerability has a major risk as though it requires user interaction to be exploited, this can be exposed over any network, with a low complexity attack and no privileges.
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope (Jump Point): Unchanged
CVE Reference(s): CVE-2021-3246
3. A missing length check of forwarded messages in the Linux PTP package
Severity: Important CVSS Score: 8.8
Using a missing length check when forwarding a PTP message between ports, a remote attacker can cause a data leak, crash, or remote code execution. This flaw affects Linux PTP versions before 3.1.1, before 2.0.1, before 1.9.3, before 1.8.1, before 1.7.1, before 1.6.1, and before 1.5.1.
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Syxscore Risk Alert
This vulnerability has a major risk as although this requires some privileges, it can be exposed over any network with a low complexity attack and without user interaction.
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope (Jump Point): Unchanged
CVE Reference(s): CVE-2021-3570
4. A use-after-free vulnerability in WebKitGTK 2.30.4
Severity: Important CVSS Score: 8.8
Due to this flaw, if a remote attacker tricks a local user into visiting a specially crafted malicious webpage, it can result in a potential data leak and further memory corruption.
The highest threat from this vulnerability is to data confidentiality and integrity.
Syxscore Risk Alert
This vulnerability has a major risk as though it requires user interaction to be exploited, this can be exposed over any network, with a low complexity attack and no privileges.
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope (Jump Point): Unchanged
CVE Reference(s): CVE-2021-21775
5. Django 2.2, 3.x, and 3.2 vulnerability
Severity: Important CVSS Score: 7.5
In Django leading zeros in octal literals aren’t prohibited in IP addresses. Exploiting this flaw, a remote unprivileged attacker can bypass access control that is based on IP addresses and launch an SSRF, RFI, or LFI attack.
The highest threat from this vulnerability is to data integrity.
Syxscore Risk Alert
This vulnerability has a major risk as it can be exposed over any network, with a low complexity attack, no privileges, and without user interaction.
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope (Jump Point): Unchanged
CVE Reference(s): CVE-2021-33571
Try Linux Patching with Syxsense
Syxsense makes endpoint management and security easy. Automatically deploy OS and third-party patches as well as Windows 10 Feature Updates for Microsoft, Mac, and Linux devices.
