SB2022102131 - Multiple vulnerabilities in Dell PowerFlex rack
Published: October 21, 2022 Updated: February 6, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 11 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2021-21972)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input in vSphere Client. A remote non-authenticated attacker can send a specially crafted HTTP request to port 443/tcp and execute arbitrary code on the system.
2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2021-21973)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in vSphere Client. A remote non-authenticated attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
3) Heap-based buffer overflow (CVE-ID: CVE-2021-21974)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing packets within the OpenSLP service. A remote non-authenticated attacker on the local network can send specially crafted SLP messages to port 427/tcp, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
4) Security restrictions bypass (CVE-ID: CVE-2020-14372)
The vulnerability allows a local privileged user to bypass implemented security restrictions.
The vulnerability exists due to GRUB enables usage of the acpi command even when Secure Boot is enabled by firmware. A local user with root privileges can put a small SSDT into /boot/efi folder and modify the grub.cfg file to load that SSDT during kernel boot. The SSDT then gets run by the kernel and it overwrites the kernel lock down configuration enabling the attacker to load unsigned kernel modules and kexec unsigned code.
5) Use-after-free (CVE-ID: CVE-2020-25632)
The vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to a use-after-free error when handling module unloads. A local privileged user can unload a kernel module, trigger a use-after-free error and bypass Secure Boot protection mechanism.
6) Out-of-bounds write (CVE-ID: CVE-2020-25647)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error when processing untrusted input from USB device in grub_usb_device_initialize(). An attacker with physical access to the system can trigger an out-of-bounds write error with a malicious USB drive, bypass Secure Boot protection and execute arbitrary code on the system with elevated privileges.
7) Stack-based buffer overflow (CVE-ID: CVE-2020-27749)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the grub_parser_split_cmdline() function while expanding variable names present in the supplied command line in to their corresponding variable contents. A local privileged user can run a specially crafted program to trigger the stack-based buffer overflow and bypass Secure Boot protection.
8) Improper Authorization (CVE-ID: CVE-2020-27779)
The vulnerability allows a local user to bypass authorization checks.
The vulnerability exists within the cutmem command, which does not honor the Secure Boot locking. A local privileged user can remove address ranges from memory creating an opportunity to circumvent Secure Boot protections after proper triage about grub's memory layout.
9) Out-of-bounds write (CVE-ID: CVE-2021-20225)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the option parser. A local privileged user can write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options and execute arbitrary code with elevated privileges.
10) Out-of-bounds write (CVE-ID: CVE-2021-20233)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the setparam_prefix() function in menu rendering code. A local privileged user can run a specially crafted program to trigger out-of-bounds write and escalate privileges on the system.
11) NULL pointer dereference (CVE-ID: CVE-2020-1971)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via the API functions TS_RESP_verify_response and TS_RESP_verify_token). If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack.
Remediation
Install update from vendor's website.