Multiple vulnerabilities in Migration Toolkit for Runtimes 1.2

1) Uncontrolled Recursion

EUVDB-ID: #VU75431

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-1436

CWE-ID: CWE-674 - Uncontrolled Recursion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled recursion when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Migration Toolkit for Runtimes: 1.2.0 - 1.2.2

CPE2.3

• cpe:2.3:a:red_hat:mtr:1.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:mtr:1.2.1:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:mtr:1.2.2:*:*:*:*:*:*:*

External links

https://access.redhat.com/errata/RHSA-2023:7670

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Path traversal

EUVDB-ID: #VU67583

Risk: High

CVSSv4.0: 8.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2007-4559

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper validation of filenames in the tarfile module in Python. A remote attacker can create a specially crafted archive with symbolic links inside or filenames that contain directory traversal characters (e.g. "..") and overwrite arbitrary files on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Migration Toolkit for Runtimes: 1.2.0 - 1.2.2

CPE2.3

• cpe:2.3:a:red_hat:mtr:1.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:mtr:1.2.1:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:mtr:1.2.2:*:*:*:*:*:*:*

External links

https://access.redhat.com/errata/RHSA-2023:7670

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Input validation error

EUVDB-ID: #VU75444

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-1981

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A local user can initiate a DBUS call to the daemon and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Migration Toolkit for Runtimes: 1.2.0 - 1.2.2

CPE2.3

• cpe:2.3:a:red_hat:mtr:1.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:mtr:1.2.1:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:mtr:1.2.2:*:*:*:*:*:*:*

External links

https://access.redhat.com/errata/RHSA-2023:7670

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Out-of-bounds write

EUVDB-ID: #VU77450

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-3138

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within src/InitExt.c in libX11. A remote attacker can send specially crafted data to the server, trigger an out-of-bounds write and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Migration Toolkit for Runtimes: 1.2.0 - 1.2.2

CPE2.3

• cpe:2.3:a:red_hat:mtr:1.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:mtr:1.2.1:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:mtr:1.2.2:*:*:*:*:*:*:*

External links

https://access.redhat.com/errata/RHSA-2023:7670

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Information disclosure

EUVDB-ID: #VU80801

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-4641

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to an error in gpasswd(1), which fails to clean memory properly. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. A local user with enough access can retrieve the password from the memory.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Migration Toolkit for Runtimes: 1.2.0 - 1.2.2

CPE2.3

• cpe:2.3:a:red_hat:mtr:1.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:mtr:1.2.1:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:mtr:1.2.2:*:*:*:*:*:*:*

External links

https://access.redhat.com/errata/RHSA-2023:7670

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Heap-based buffer overflow

EUVDB-ID: #VU76761

Risk: Medium

CVSSv4.0: 5.2 [CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-32324

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the format_log_line() function cups/string.c when the "loglevel" is set to "DEBUG". A remote attacker can pass specially crafted data to the daemon, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Migration Toolkit for Runtimes: 1.2.0 - 1.2.2

CPE2.3

• cpe:2.3:a:red_hat:mtr:1.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:mtr:1.2.1:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:mtr:1.2.2:*:*:*:*:*:*:*

External links

https://access.redhat.com/errata/RHSA-2023:7670

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Use-after-free

EUVDB-ID: #VU77641

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-34241

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in cupsdAcceptClient(). A remote attacker can cause a denial of service condition on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Migration Toolkit for Runtimes: 1.2.0 - 1.2.2

CPE2.3

• cpe:2.3:a:red_hat:mtr:1.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:mtr:1.2.1:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:mtr:1.2.2:*:*:*:*:*:*:*

External links

https://access.redhat.com/errata/RHSA-2023:7670

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Cleartext transmission of sensitive information

EUVDB-ID: #VU80228

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-40217

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error in ssl.SSLSocket implementation when handling TLS client authentication. A remote attacker can trick the application to send data unencrypted.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Migration Toolkit for Runtimes: 1.2.0 - 1.2.2

CPE2.3

• cpe:2.3:a:red_hat:mtr:1.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:mtr:1.2.1:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:mtr:1.2.2:*:*:*:*:*:*:*

External links

https://access.redhat.com/errata/RHSA-2023:7670

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.