Linux Vulnerabilities of the Week: December 6, 2021

Linux Vulnerabilities of the Week: December 6, 2021

1. CSRF token bypass in Mailman (<2.1.38)

Severity: Important    CVSS Score: 8.8

A Cross-Site Request Forgery (CSRF) attack can be performed in GNU Mailman due to a CSRF token bypass.

CSRF tokens are not checked against the right type of user when performing admin operations and a token created by a regular user can be used by an admin to perform an admin-level request to set a new admin password or make other changes.

The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Syxscore Risk Alert

This vulnerability has a major risk as though it requires user interaction, this can be exposed over any network, with low complexity, and without privileges.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-44227

2. Xen PoD Operation denial of service

Severity: Important    CVSS Score: 8.8

PoD operations on misaligned GFNs T x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages).

The implementation of some of these hypercalls for PoD does not enforce the base page frame number to be suitably aligned for the specified order, yet some code involved in PoD handling actually makes such an assumption. These operations are XENMEM_decrease_reservation (CVE-2021-28704) and XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by domains controlling the guest, i.e. a de-privileged qemu or a stub domain. (Patch 1, combining the fix to both these two issues.) In addition handling of XENMEM_decrease_reservation can also trigger a host crash when the specified page order is neither 4k nor 2M nor 1G (CVE-2021-28708, patch 2).

Syxscore Risk Alert

This vulnerability has a major risk as although this needs access to the same network as the device, it can be exposed with a low-complexity attack, low privileges, and without user interaction. Besides, this vulnerability allows a lateral attack to be made, due to the changed jump point.

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope (Jump Point): Changed

CVE Reference(s): CVE-2021-28708

3. Insufficient symlink protection in Node.js ‘tar file’

Severity: Important    CVSS Score: 8.6

This is a flaw in the npm package “tar” (aka node-tar). Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on directories.

This flaw allows an untrusted ‘tar file’ to extract and overwrite files into an arbitrary location. A similar confusion can arise on case-insensitive filesystems.

The highest threat from this vulnerability is to integrity and system availability.

Syxscore Risk Alert

This vulnerability has a major risk as although this requires access to the same network as the device and user interaction to be exploited, it can be exposed with a low-complexity attack, and without privileges. Besides, this vulnerability allows a lateral attack to be made, due to the changed jump point.

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope (Jump Point): Changed

CVE Reference(s): CVE-2021-37701

4. Node.js ‘npmcli/arborist’ library vulnerability

Severity: Important    CVSS Score: 7.8

`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command-line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project’s `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system.

Syxscore Risk Alert

This vulnerability has a major risk as although this needs access to the same network as the device and requires user interaction, it can be exposed with a low-complexity attack and without privileges.

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-39135

5. Incorrect parsing of HTTP transfer-encoding request header in Apache Tomcat

Severity: Medium       CVSS Score: 5.3

This is a flaw in Apache Tomcat. Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response.

The highest threat from this vulnerability is to integrity.

Syxscore Risk Alert

This vulnerability has a moderate risk as this can be exposed over any network, with low complexity, no privileges, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-33037

Recent Posts

Topics

Related Posts

In the News: Brute-force attacks surge worldwide, warns Cisco Talos

In the News: Brute-force attacks surge worldwide, warns Cisco Talos

April 17, 2024
In the News: Why 92% of Security Professionals Worry About Generative AI

In the News: Why 92% of Security Professionals Worry About Generative AI

April 16, 2024
In the News: Let’s Celebrate World Backup Day 2024 – Hear From Industry Experts

In the News: Let’s Celebrate World Backup Day 2024 – Hear From Industry Experts

March 29, 2024
In the News: Navigating the new landscape: Understanding and implementing NIST CSF 2.0

In the News: Navigating the new landscape: Understanding and implementing NIST CSF 2.0

March 27, 2024