Skip to main content
Uncategorized

Linux Vulnerabilities of the Week: January 29, 2021

By January 30, 2021June 22nd, 2022No Comments
||

Linux Vulnerabilities of the Week: January 29, 2021

Are you caught up on January's Linux vulnerabilities? See this week's top issues and keep your IT environment protected.

[vc_empty_space]
[vc_single_image image=”364537″ img_size=”full”]

1. Samba update for Amzn1 (Amazon AWS), Red Hat Enterprise 6, 7, 8 & Red Hat Storage 3

Vendor Severity: Critical
CVSS Score: 10

A flaw was found in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC), where it reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode. This flaw allows an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and possibly obtain domain administrator privileges.

CVE Reference(s): CVE-2020-14318, CVE-2020-14323, CVE-2020-1472

[vc_separator]

2. Libxslt update for Amzn1 (Amazon AWS)

Vendor Severity: Medium
CVSS Score:
9.8

libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. (CVE-2019-11068).

In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn’t reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed. (CVE-2019-18197).

CVE Reference(s): CVE-2019-11068, CVE-2019-18197

ceph-ansible: insecure ownership on /etc/ceph/iscsi-gateway.conf configuration file (CVE-2020-25677).

CVE Reference(s): CVE-2020-25660, CVE-2020-25677, CVE-2020-27781.

[vc_separator]

3. Slurm security update for Suse Enterprise 15 SP1

Vendor Severity: Moderate
CVSS Score:
9.8

Slurm before 19.05.8 and 20.x before 20.02.6 exposes Sensitive Information to an Unauthorized Actor because xauth for X11 magic cookies is affected by a race condition in a read operation on the /proc filesystem.

CVE Reference(s): CVE-2020-27745, CVE-2020-27746

[vc_separator]

4. Kernel security update for Oracle Linux 6 & 7

Vendor Severity: Important
CVSS Score: 8.8

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9009 advisory.

CVE Reference(s):  CVE-2020-27673, CVE-2020-29568, CVE-2020-29569, CVE-2020-28374

[vc_separator]

5. Red Hat Ceph Storage 4.2 Security and Bug Fix update for Red Hat Enterprise 7

Vendor Severity: Critical
CVSS Score:
10

ceph: User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila (CVE-2020-27781).

ceph: CEPHX_V2 replay attack protection lost (CVE-2020-25660).

ceph-ansible: insecure ownership on /etc/ceph/iscsi-gateway.conf configuration file (CVE-2020-25677).

CVE Reference(s): CVE-2020-25660, CVE-2020-25677, CVE-2020-27781.

[vc_separator]

Try Linux Patching with Syxsense

Syxsense makes endpoint management and security easy. Automatically deploy OS and third-party patches as well as Windows 10 Feature Updates for Microsoft, Mac, and Linux devices.

[vc_btn title=”Start a Free Trial” style=”gradient-custom” gradient_custom_color_1=”#da4453″ gradient_custom_color_2=”#8a2387″ shape=”round” size=”lg” align=”center” link=”url:https%3A%2F%2Fwww.syxsense.com%2Fstart-a-free-trial-of-syxsense%2F|||” css=”.vc_custom_1586908107967{margin-top: 15px !important;}”]
[vc_single_image image=”37252″ img_size=”full” css_animation=”fadeIn” css=”.vc_custom_1611965477970{padding-right: 20px !important;padding-left: 20px !important;}”]

Leave a Reply