Linux Vulnerabilities of the Week: January 29, 2021
Are you caught up on January's Linux vulnerabilities? See this week's top issues and keep your IT environment protected.
1. Samba update for Amzn1 (Amazon AWS), Red Hat Enterprise 6, 7, 8 & Red Hat Storage 3
Vendor Severity: Critical
CVSS Score: 10
A flaw was found in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC), where it reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode. This flaw allows an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and possibly obtain domain administrator privileges.
CVE Reference(s): CVE-2020-14318, CVE-2020-14323, CVE-2020-1472
2. Libxslt update for Amzn1 (Amazon AWS)
Vendor Severity: Medium
CVSS Score: 9.8
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. (CVE-2019-11068).
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn’t reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed. (CVE-2019-18197).
CVE Reference(s): CVE-2019-11068, CVE-2019-18197
ceph-ansible: insecure ownership on /etc/ceph/iscsi-gateway.conf configuration file (CVE-2020-25677).
CVE Reference(s): CVE-2020-25660, CVE-2020-25677, CVE-2020-27781.
3. Slurm security update for Suse Enterprise 15 SP1
Vendor Severity: Moderate
CVSS Score: 9.8
Slurm before 19.05.8 and 20.x before 20.02.6 exposes Sensitive Information to an Unauthorized Actor because xauth for X11 magic cookies is affected by a race condition in a read operation on the /proc filesystem.
CVE Reference(s): CVE-2020-27745, CVE-2020-27746
4. Kernel security update for Oracle Linux 6 & 7
Vendor Severity: Important
CVSS Score: 8.8
The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9009 advisory.
CVE Reference(s): CVE-2020-27673, CVE-2020-29568, CVE-2020-29569, CVE-2020-28374
5. Red Hat Ceph Storage 4.2 Security and Bug Fix update for Red Hat Enterprise 7
Vendor Severity: Critical
CVSS Score: 10
ceph: User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila (CVE-2020-27781).
ceph: CEPHX_V2 replay attack protection lost (CVE-2020-25660).
ceph-ansible: insecure ownership on /etc/ceph/iscsi-gateway.conf configuration file (CVE-2020-25677).
CVE Reference(s): CVE-2020-25660, CVE-2020-25677, CVE-2020-27781.
Try Linux Patching with Syxsense
Syxsense makes endpoint management and security easy. Automatically deploy OS and third-party patches as well as Windows 10 Feature Updates for Microsoft, Mac, and Linux devices.
Schedule Your Syxsense Demo
Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.
