SB2022110932 - Multiple vulnerabilities in Dell EMC Cyber Recovery

Description

This security bulletin contains information about 52 secuirty vulnerabilities.

1) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2019-1543)

2) NULL pointer dereference (CVE-ID: CVE-2019-9937)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dreference error when processing interleaving reads and writes in a single transaction with an fts5 virtual table in fts5ChunkIterate in sqlite3.c. This is related to ext/fts5/fts5_hash.c and ext/fts5/fts5_index.c. A remote attacker can perform a denial of service (DoS) attack.

3) NULL pointer dereference (CVE-ID: CVE-2018-8740)

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists in the build.c and prepare.c source codes files due to NULL pointer dereference. A remote attacker can cause the service to crash.

4) Integer overflow (CVE-ID: CVE-2019-3855)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in the _libssh2_transport_read() function in transport.cwhen processing packet_lengthvalues. A remote attacker can trick the victim to connect to a malicious SSH server, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

5) Integer overflow (CVE-ID: CVE-2019-3856)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow when parsing keyboard prompt requests. A remote attacker can trick the victim to connect to a malicious SSH server, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

6) Integer overflow (CVE-ID: CVE-2019-3857)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow when parsing SSH_MSG_CHANNEL_REQUEST packets. A remote attacker can trick the victim to connect to a malicious SSH server, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

7) Out-of-bounds read (CVE-ID: CVE-2019-3858)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing SFTP packets. A remote attacker can trick the victim to connect to a malicious SSH server, trigger out-of-bounds read error and read contents of memory or crash the affected application.

8) Out-of-bounds read (CVE-ID: CVE-2019-3859)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing packets in _libssh2_packet_require() and _libssh2_packet_requirev() functions. A remote attacker can trick the victim to connect to a malicious SSH server, trigger out-of-bounds read error and read contents of memory or crash the affected application.

9) Out-of-bounds read (CVE-ID: CVE-2019-3860)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing SFTP packets. A remote attacker can trick the victim to connect to a malicious SSH server, trigger out-of-bounds read error and read contents of memory or crash the affected application.

10) Out-of-bounds read (CVE-ID: CVE-2019-3861)

The vulnerability allows a remote attacker to gain access to potentially sensitive information or perform denial of service (DoS) attack.

The vulnerability exists due to a boundary condition when SSH packets with a padding length value greater than the packet length are parsed. A remote attacker can trick the victim to connect to a malicious SSH server, trigger out of bounds read and gain access to sensitive information or perform denial of service attack.

11) Out-of-bounds read (CVE-ID: CVE-2019-3862)

The vulnerability allows a remote attacker to gain access to potentially sensitive information or perform denial of service (DoS) attack.

The vulnerability exists due to a boundary condition when SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker can trick the victim to connect to a malicious SSH server, trigger out of bounds read and gain access to sensitive information or perform denial of service attack.

12) Out-of-bounds write (CVE-ID: CVE-2019-3863)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing total length of multiple keyboard interactive response messages that exceeds the value of unsigned char max characters. A remote attacker can trick the victim to connect to a malicious SSH server, trigger our of bounds write and execute arbitrary code on the system with privileges of the user, running the affected application.

13) Symlink attack (CVE-ID: CVE-2018-6954)

The vulnerability allows a local attacker to launch symlink attack on the target system.

The weakness exists in the systemd-tmpfiles feature due to improper handling of symlinks in nonterminal path components. A local attacker can gain unauthorized access to arbitrary files.

14) SQL injection (CVE-ID: CVE-2018-20506)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the SQLite component. A remote attacker can send a specially specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

15) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-3842)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to pam_systemd creates a user session using environmental parameters. A local user can spoof an active session and gain additional PolicyKit privileges.

16) Input validation error (CVE-ID: CVE-2019-6454)

The vulnerability allows a local unauthenticated attacker to cause DoS condition on the target system.

The weakness exists due to incorrect handling of certain D-Bus messages. A local attacker can supply specially crafted D-Bus messages to crash the init process, resulting in a system denial-of-service (kernel panic).

17) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-11068)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to an error within the xsltCheckRead() and xsltCheckWrite() functions when processing requests from remote servers. A remote attacker can trick the victim into opening a specially crafted URL that will result in "-1 error" code but the URL itself will be processed by the application later.

Successful exploitation of the vulnerability may allow an attacker to bypass certain security restrictions and perform XXE attacks.

18) Heap use-after-free (CVE-ID: CVE-2019-6706)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a geap use-after-free error in lua_upvaluejoin in lapi.c. A remote attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships can cause the service to crash.

19) Symlink attack (CVE-ID: CVE-2019-3902)

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to a symlink following issue. A remote user can create a specially crafted symbolic link to and write files outside a repository.

20) Out-of-bounds read (CVE-ID: CVE-2019-11036)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in exif_process_IFD_TAG() function in PHP EXIF extension. A remote attacker can send a specially crafted file to the affected application, trigger out-of-bounds read error and read contents of memory on the system or crash the process.

21) XXE attack (CVE-ID: CVE-2018-14647)

The vulnerability allows a remote attacker to conduct XXE-attack.

The vulnerability exists due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can trick the victim into open an XML file that submits malicious input, trigger pathological hash collisions in Expat's internal data structures, consume large amounts CPU and RAM, and cause a denial of service (DoS) condition.

22) Input validation error (CVE-ID: CVE-2019-9636)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input when processing data in Unicode encoding with an incorrect netloc during NFKC normalization. A remote attacker can gain access to sensitive information.

23) Exposed dangerous method or function (CVE-ID: CVE-2019-9948)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to urllib implementation in Python 2.x supports the local_file: scheme. An attacker with ability to control input data, such as URL, can bypass protection mechanisms that blacklist file: URIs and view contents of arbitrary file on the system.

PoC:

urllib.urlopen('local_file:///etc/passwd')

24) OS Command Injection (CVE-ID: CVE-2019-12735)

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.

25) Input validation error (CVE-ID: CVE-2019-9917)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted message in incorrect encoding and cause the application to crash.

26) Out-of-bounds read (CVE-ID: CVE-2019-9936)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the fts5HashEntrySort in sqlite3.c when running fts5 prefix queries inside a transaction. A remote user with ability to send queries can trigger heap-based buffer over-read error and read contents of memory on the system.

27) SQL injection (CVE-ID: CVE-2018-20346)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the SQLite component. A remote attacker can send a specially specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

28) Integer overflow (CVE-ID: CVE-2018-16839)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in processing the Curl_auth_create_plain_message name and password when handling malicious input. A remote unauthenticated attacker can send specially crafted SASL password data, trigger memory corruption and execute arbitrary code with elevated privileges. The affected function can be invoked using POP3(S), IMAP(S), or SMTP(S).

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

29) Input validation error (CVE-ID: CVE-2019-9924)

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to "rbash" does not prevent the shell user from modifying BASH_CMDS. A local authenticate user can execute any command with the permissions of the shell.

30) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2018-5743)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow the number of simultaneous connections beyond this limit. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4, 9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -> 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743.

31) Reachable Assertion (CVE-ID: CVE-2019-6467)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

A programming error in the nxdomain-redirect feature can cause an assertion failure in query.c if the alternate namespace used by nxdomain-redirect is a descendant of a zone that is served locally. The most likely scenario where this might occur is if the server, in addition to performing NXDOMAIN redirection for recursive clients, is also serving a local copy of the root zone or using mirroring to provide the root zone, although other configurations are also possible. Versions affected: BIND 9.12.0-> 9.12.4, 9.14.0. Also affects all releases in the 9.13 development branch.

32) Improper Authentication (CVE-ID: CVE-2019-12749)

The vulnerability allows a an attacker to bypass authentication process.

The vulnerability exists due to an error when handling symlinks within the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. A malicious client with access to to its own home directory can manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write into unintended locations.

Successful exploitation of the vulnerability may allow an attacker to bypass DBUS_COOKIE_SHA1 authentication mechanis.

33) NULL pointer dereference (CVE-ID: CVE-2019-11494)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within Submission-login when processing authentication. A remote attacker can unexpectedly abort the authentication process by disconnecting from the server during authentication and cause the software to crash.

34) Resource management error (CVE-ID: CVE-2019-11499)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect resource management error within the submission-login when processing incorrect authentication messages over TLS secure channel. A remote attacker can send an invalid authentication message and crash the service.

35) Improper Authentication (CVE-ID: CVE-2019-11234)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error related to processing authentication tokens. A remote attacker can execute a reflection attack and bypass authentication process.

This vulnerability was dubbed "Dragonblood".

36) Improper Authentication (CVE-ID: CVE-2019-11235)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to FreeRadius mishandles secure checks when preforming user authentication process. The related checks refer to mechanisms, which ensures that "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used". A remote attacker can bypass authentication process.

37) Race condition (CVE-ID: CVE-2019-11190)

The vulnerability allows a local authenticated user to gain access to sensitive information.

The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat.

38) Heap-based buffer overflow (CVE-ID: CVE-2019-5436)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing responses from TFTP server in the tftp_receive_packet() function. A remote attacker can trick the victim to send a request to a malicious TFTP server, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

39) Out-of-bounds read (CVE-ID: CVE-2019-8457)

The vulnerability allows a remote attacker to perform denial of service attack.

The vulnerability exists due to a boundary condition in rtreenode() function when handling invalid rtree tables. A remote attacker can send a specially crafted request to the application, trigger heap out-of-bounds read crash the application.

40) Input validation error (CVE-ID: CVE-2017-13685)

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the "dump_callback" function. A local user can submit malicious input and cause a denial of service (DoS) condition on a targeted system.

41) XML External Entity injection (CVE-ID: CVE-2018-20843)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied XML input including XML names that contain a large number of colons. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.

Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.

42) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2018-10844)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to usage of an insecure implementation of HMAC-SHA-256 algorithm vulnerable to a Lucky thirteen style attack. A remote attacker with ability to intercept traffic can recover encrypted data.

43) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2018-10845)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to usage of an insecure implementation of HMAC-SHA-384 algorithm vulnerable to a Lucky thirteen style attack. A remote attacker with ability to intercept traffic can recover encrypted data.

44) Cryptographic issues (CVE-ID: CVE-2018-10846)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a cache-based side channel in GnuTLS implementation that can lead to recovery of data in cross-VM attack setting. A remote attacker with ability to intercept traffic can recover encrypted data using a combination of "Just in Time" Prime+probe attack in combination with Lucky-13 attack.

45) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2019-1559)

The vulnerability allows a remote attacker to decrypt sensitive information.

The vulnerability exists due to the way an application behaves, when it receives a 0-byte record with invalid padding compared to the record with an invalid MAC, which results in padding oracle. A remote attacker can decrypt data.

Successful exploitation of the vulnerability requires that the application is using "non-stitched" ciphersuites and calls SSL_shutdown() twice (first, via a BAD_RECORD_MAC and again via a CLOSE_NOTIFY). 

46) Incorrect calculation (CVE-ID: CVE-2019-9893)

The vulnerability allows a local user to bypass certain security restrictions.

The vulnerability exists due to incorrect 64-bit syscall argument comparison when using arithmetic operators, such as LT, GT, LE, or GE. A local user can bypass seccomp filters and gain elevated privileges on the system.

47) Out-of-bounds read (CVE-ID: CVE-2018-19758)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to heap-based buffer overread condition in the wav_write_headerfunction, as defined in the wav.c source code file. A remote attacker can trick the victim into following a custom link or opening a crafted audio file that submits malicious input, trigger memory corruption and perform a denial of service attack.

48) Resource management error (CVE-ID: CVE-2016-6153)

The vulnerability allows a local user to perform a denial of service (DoS) attack or gain access to sensitive information.

The vulnerability exists due to the application improperly implements the temporary directory search algorithm. A local user can make the application use the current working directory for storing temporary files and gain access to sensitive information or perform denial of service attack.

49) Buffer overflow (CVE-ID: CVE-2017-2518)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to buffer overflow when processing SQL queries. A remote attacker can send specially crafted SQL queries, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may allow an attacker to gain complete control over affected system.

50) Memory corruption (CVE-ID: CVE-2017-2519)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when processing SQL queries. A remote attacker can send specially crafted SQL queries, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may allow an attacker to gain complete control over affected system.

51) Buffer overflow (CVE-ID: CVE-2017-2520)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to buffer overflow when processing SQL queries. A remote attacker can send specially crafted SQL queries, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may allow an attacker to gain complete control over affected system.

52) Heap-based buffer overflow (CVE-ID: CVE-2017-10989)

The vulnerability allows a local user to crash the application or gain access to sensitive data.

The vulnerability exists due to a boundary error in the getNodeSize() function in ext/rtree/rtree.c when handling undersized RTree blobs. A local user can supply a specially crafted database to the affected application, trigger heap-based out of bounds read and crash the application or gain access to sensitive data.

Remediation

Install update from vendor's website.

References

• https://www.dell.com/support/kbdoc/en-us/000153690/dsa-2019-121-dell-emc-cyber-recovery-security-update-for-multiple-third-party-components-vulnerabilities