CVE-2020-15157 – containerd can be coerced into leaking credentials during image pull
https://notcve.org/view.php?id=CVE-2020-15157
In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. • https://github.com/containerd/containerd/releases/tag/v1.2.14 https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c https://usn.ubuntu.com/4589-1 https://usn.ubuntu.com/4589-2 https://www.debian.org/security/2021/dsa-4865 https://access.redhat.com/security/cve/CVE-2020-15157 https://bugzilla.redhat.com/show_bug.cgi?id=1888248 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •
CVE-2020-16119 – DCCP CCID structure use-after-free
https://notcve.org/view.php?id=CVE-2020-16119
Use-after-free vulnerability in the Linux kernel exploitable by a local attacker due to reuse of a DCCP socket with an attached dccps_hc_tx_ccid object as a listener after being released. Fixed in Ubuntu Linux kernel 5.4.0-51.56, 5.3.0-68.63, 4.15.0-121.123, 4.4.0-193.224, 3.13.0.182.191 and 3.2.0-149.196. Una vulnerabilidad de uso de la memoria previamente liberada en el kernel de Linux explotable por un atacante local debido a la reutilización de un socket DCCP con un objeto dccps_hc_tx_ccid adjunto como oyente después de ser liberado. Corregido en el kernel de Ubuntu Linux versiones 5.4.0-51.56, 5.3.0-68.63, 4.15.0-121.123, 4.4.0-193.224, 3.13.0.182.191 y 3.2.0-149.196 • https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/?id=01872cb896c76cedeabe93a08456976ab55ad695 https://launchpad.net/bugs/1883840 https://lists.debian.org/debian-lts-announce/2021/10/msg00010.html https://lists.debian.org/debian-lts-announce/2021/12/msg00012.html https://lore.kernel.org/netdev/20201013171849.236025-1-kleber.souza%40canonical.com/T https://security.netapp.com/advisory/ntap-20210304-0006 https://ubuntu.com/USN-4576-1 https://ubuntu.com/USN-4 • CWE-416: Use After Free •
CVE-2020-16120 – Unprivileged overlay + shiftfs read access
https://notcve.org/view.php?id=CVE-2020-16120
Overlayfs did not properly perform permission checking when copying up files in an overlayfs and could be exploited from within a user namespace, if, for example, unprivileged user namespaces were allowed. It was possible to have a file not readable by an unprivileged user to be copied to a mountpoint controlled by the user, like a removable device. This was introduced in kernel version 4.19 by commit d1d04ef ("ovl: stack file ops"). This was fixed in kernel version 5.8 by commits 56230d9 ("ovl: verify permissions in ovl_path_open()"), 48bd024 ("ovl: switch to mounter creds in readdir") and 05acefb ("ovl: check permission to open real file"). Additionally, commits 130fdbc ("ovl: pass correct flags for opening real directory") and 292f902 ("ovl: call secutiry hook in ovl_real_ioctl()") in kernel 5.8 might also be desired or necessary. • https://git.kernel.org/linus/05acefb4872dae89e772729efb194af754c877e8 https://git.kernel.org/linus/48bd024b8a40d73ad6b086de2615738da0c7004f https://git.kernel.org/linus/56230d956739b9cb1cbde439d76227d77979a04d https://git.kernel.org/linus/b6650dab404c701d7fe08a108b746542a934da84 https://git.kernel.org/linus/d1d04ef8572bc8c22265057bd3d5a79f223f8f52 https://launchpad.net/bugs/1894980 https://launchpad.net/bugs/1900141 https://ubuntu.com/USN-4576-1 https://ubuntu.com/USN-4577-1 https://ubuntu.com/USN-4578-1 https://www.openwall • CWE-266: Incorrect Privilege Assignment •
CVE-2020-25645 – kernel: Geneve/IPsec traffic may be unencrypted between two Geneve endpoints
https://notcve.org/view.php?id=CVE-2020-25645
A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality. Se encontró un fallo en el kernel de Linux en versiones anteriores a 5.9-rc7. El tráfico entre dos endpoints Geneve puede no estar cifrado cuando IPsec está configurado para cifrar el tráfico para el puerto UDP específico usado por el túnel GENEVE, permitiendo a cualquier persona entre los dos endpoints leer el tráfico sin cifrar. • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00035.html http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00042.html http://packetstormsecurity.com/files/161229/Kernel-Live-Patch-Security-Notice-LSN-0074-1.html https://bugzilla.redhat.com/show_bug.cgi?id=1883988 https://lists.debian.org/debian-lts-announce/2020/10/msg00028.html https://lists.debian.org/debian-lts-announce/2020/12/msg00027.html https://security.netapp.com/advisory/ntap-20201103-0004 https://ww • CWE-319: Cleartext Transmission of Sensitive Information •
CVE-2020-14355 – spice: multiple buffer overflow vulnerabilities in QUIC decoding code
https://notcve.org/view.php?id=CVE-2020-14355
Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution. Se encontraron múltiples vulnerabilidades de desbordamiento de búfer en el proceso de decodificación de imágenes QUIC del sistema de visualización remota SPICE, versiones anteriores a spice-0.14.2-1. Tanto el cliente SPICE (spice-gtk) como el servidor están afectados por estos defectos. • http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00001.html https://bugzilla.redhat.com/show_bug.cgi?id=1868435 https://lists.debian.org/debian-lts-announce/2020/11/msg00001.html https://lists.debian.org/debian-lts-announce/2020/11/msg00002.html https://usn.ubuntu.com/4572-1 https://usn.ubuntu.com/4572-2 https://www.debian.org/security/2020/dsa-4771 https://www.openwall.com/lists/oss • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •