CVE-2021-3489 – Linux kernel eBPF RINGBUF map oversized allocation
https://notcve.org/view.php?id=CVE-2021-3489
The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee ("bpf, ringbuf: Deny reserve of buffers larger than ringbuf") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced via 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") (v5.8-rc1). La función eBPF RINGBUF bpf_ringbuf_reserve() del kernel de Linux no comprobaba que el tamaño asignado fuera menor que el tamaño del ringbuf, lo que permitía a un atacante realizar escrituras fuera de los límites del kernel y, por tanto, la ejecución de código arbitrario. Este problema se solucionó a través del commit 4b81ccebaeee ("bpf, ringbuf: Deny reserve of buffers larger than ringbuf") (v5.13-rc4) y se retroalimentó a los kernels estables en versiones v5.12.4, v5.11.21 y v5.10.37. • https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=4b81ccebaeee885ab1aa1438133f2991e3a2b6ea https://security.netapp.com/advisory/ntap-20210716-0004 https://ubuntu.com/security/notices/USN-4949-1 https://ubuntu.com/security/notices/USN-4950-1 https://www.openwall.com/lists/oss-security/2021/05/11/10 https://www.zerodayinitiative.com/advisories/ZDI-21-590 https://access.redhat.com/security/cve/CVE-2021-3489 https://bugzilla.redhat.com/show_bug.cgi?id=1959559 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVE-2021-3490 – Linux kernel eBPF bitwise ops ALU32 bounds tracking
https://notcve.org/view.php?id=CVE-2021-3490
The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e ("bpf: Fix alu32 const subreg bound tracking on bitwise operations") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 ("bpf:Fix a verifier failure with xor") ( 5.10-rc1). El seguimiento de los límites de la ALU32 de eBPF para las operaciones por bits (AND, OR y XOR) en el kernel de Linux no actualizaba correctamente los límites de 32 bits, lo que podía convertirse en lecturas y escrituras fuera de los límites en el kernel de Linux y, por tanto, en la ejecución de código arbitrario. Este problema fue corregido a través del commit 049c4e13714e ("bpf: Fix alu32 const subreg bound tracking on bitwise operations") (v5.13-rc4) y retrocedido a los kernels estables en v5.12.4, v5.11.21 y v5.10.37. • https://github.com/pivik271/CVE-2021-3490 http://packetstormsecurity.com/files/164015/Linux-eBPF-ALU32-32-bit-Invalid-Bounds-Tracking-Local-Privilege-Escalation.html https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=049c4e13714ecbca567b4d5f6d563f05d431c80e https://security.netapp.com/advisory/ntap-20210716-0004 https://ubuntu.com/security/notices/USN-4949-1 https://ubuntu.com/security/notices/USN-4950-1 https://www.openwall.com/lists/oss-security/2021/05/11/11 https:/ • CWE-20: Improper Input Validation CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVE-2021-3491 – Linux kernel io_uring PROVIDE_BUFFERS MAX_RW_COUNT bypass
https://notcve.org/view.php?id=CVE-2021-3491
The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc/<PID>/mem. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b ("io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers") (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") (v5.7-rc1). El subsistema io_uring del kernel de Linux permitía saltarse el límite MAX_RW_COUNT en la operación PROVIDE_BUFFERS, lo que llevaba a utilizar valores negativos en mem_rw al leer /proc//mem. • https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d1f82808877bb10d3deee7cf3374a4eb3fb582db https://security.netapp.com/advisory/ntap-20210716-0004 https://ubuntu.com/security/notices/USN-4949-1 https://ubuntu.com/security/notices/USN-4950-1 https://www.openwall.com/lists/oss-security/2021/05/11/13 https://www.zerodayinitiative.com/advisories/ZDI-21-589 • CWE-131: Incorrect Calculation of Buffer Size CWE-787: Out-of-bounds Write •
CVE-2020-15078
https://notcve.org/view.php?id=CVE-2020-15078
OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks. OpenVPN versiones 2.5.1 y anteriores, permiten a atacantes remotos omitir la autenticación y los datos del canal de control de acceso en servidores configurados con autenticación diferida, que pueden ser usados para desencadenar potencialmente más fugas de información • https://community.openvpn.net/openvpn/wiki/CVE-2020-15078 https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GJUXEYHUPREEBPX23VPEKMFXUPVO3PMU https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGEGLC4YGBDN5CGHTNWN2GH6DJJA36T2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLDB3OBQ • CWE-305: Authentication Bypass by Primary Weakness CWE-306: Missing Authentication for Critical Function •
CVE-2020-27351 – Various memory and file descriptor leaks in apt-python
https://notcve.org/view.php?id=CVE-2020-27351
Various memory and file descriptor leaks were found in apt-python files python/arfile.cc, python/tag.cc, python/tarfile.cc, aka GHSL-2020-170. This issue affects: python-apt 1.1.0~beta1 versions prior to 1.1.0~beta1ubuntu0.16.04.10; 1.6.5ubuntu0 versions prior to 1.6.5ubuntu0.4; 2.0.0ubuntu0 versions prior to 2.0.0ubuntu0.20.04.2; 2.1.3ubuntu1 versions prior to 2.1.3ubuntu1.1; Se encontraron varios filtrados de memoria y descriptores de archivos en los archivos python/arfile.cc, python/tag.cc, python/tarfile.cc, también se conoce como GHSL-2020-170. Este problema afecta a: python-apt versiones 1.1.0~beta1 anteriores a 1.1.0~beta1ubuntu0.16.04.10; versiones 1.6.5ubuntu0 anteriores a 1.6.5ubuntu0.4; versiones 2.0.0ubuntu0 anteriores a 2.0.0ubuntu0.20.04.2; versiones 2.1.3ubuntu1 anteriores a 2.1.3ubuntu1.1; • https://bugs.launchpad.net/bugs/1899193 https://usn.ubuntu.com/usn/usn-4668-1 https://www.debian.org/security/2020/dsa-4809 • CWE-772: Missing Release of Resource after Effective Lifetime •