CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-3491 – Linux kernel io_uring PROVIDE_BUFFERS MAX_RW_COUNT bypass
https://notcve.org/view.php?id=CVE-2021-3491
The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc/<PID>/mem. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b ("io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers") (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") (v5.7-rc1). El subsistema io_uring del kernel de Linux permitía saltarse el límite MAX_RW_COUNT en la operación PROVIDE_BUFFERS, lo que llevaba a utilizar valores negativos en mem_rw al leer /proc//mem. • https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d1f82808877bb10d3deee7cf3374a4eb3fb582db https://security.netapp.com/advisory/ntap-20210716-0004 https://ubuntu.com/security/notices/USN-4949-1 https://ubuntu.com/security/notices/USN-4950-1 https://www.openwall.com/lists/oss-security/2021/05/11/13 https://www.zerodayinitiative.com/advisories/ZDI-21-589 • CWE-131: Incorrect Calculation of Buffer Size CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 2%CPEs: 10EXPL: 0CVE-2020-15078
https://notcve.org/view.php?id=CVE-2020-15078
OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks. OpenVPN versiones 2.5.1 y anteriores, permiten a atacantes remotos omitir la autenticación y los datos del canal de control de acceso en servidores configurados con autenticación diferida, que pueden ser usados para desencadenar potencialmente más fugas de información • https://community.openvpn.net/openvpn/wiki/CVE-2020-15078 https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GJUXEYHUPREEBPX23VPEKMFXUPVO3PMU https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JGEGLC4YGBDN5CGHTNWN2GH6DJJA36T2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLDB3OBQ • CWE-305: Authentication Bypass by Primary Weakness CWE-306: Missing Authentication for Critical Function •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 13CVE-2021-3493 – Linux Kernel Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-3493
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges. La implementación de overlayfs en el kernel de Linux no comprobó apropiadamente con respecto a los espacios de nombre de los usuarios, la configuración de las capacidades de los archivos en un sistema de archivos subyacente. Debido a la combinación de los espacios de nombre de usuarios no privilegiados junto con un parche incluido en el kernel de Ubuntu para permitir montajes de superposición no privilegiados, un atacante podría usar esto para alcanzar privilegios elevados The overlayfs stacking file system in Linux kernel does not properly validate the application of file capabilities against user namespaces, which could lead to privilege escalation. • https://github.com/briskets/CVE-2021-3493 https://github.com/inspiringz/CVE-2021-3493 https://github.com/oneoy/CVE-2021-3493 https://github.com/cerodah/overlayFS-CVE-2021-3493 https://github.com/derek-turing/CVE-2021-3493 https://github.com/puckiestyle/CVE-2021-3493 https://github.com/smallkill/CVE-2021-3493 https://github.com/Abdennour-py/CVE-2021-3493 https://github.com/fei9747/CVE-2021-3493 https://github.com/ptkhai15/OverlayFS---CVE-2021-3493 https://git • CWE-270: Privilege Context Switching Error CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 1CVE-2021-3492 – Ubuntu linux kernel shiftfs file system double free vulnerability
https://notcve.org/view.php?id=CVE-2021-3492
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (kernel memory exhaustion) or gain privileges via executing arbitrary code. AKA ZDI-CAN-13562. Shiftfs, un sistema de archivos de apilamiento fuera del árbol incluido en los kernels de Ubuntu Linux, no manejaba apropiadamente los fallos que ocurrían durante la función copy_from_user(). • https://github.com/synacktiv/CVE-2021-3492 http://packetstormsecurity.com/files/162614/Kernel-Live-Patch-Security-Notice-LSN-0077-1.html https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/?id=25c891a949bf918b59cbc6e4932015ba4c35c333 https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/?id=8fee52ab9da87d82bc6de9ebb3480fff9b4d53e6 https://ubuntu.com/security/notices/USN-4917-1 https://www.openwall.com/lists/oss-security/2021/04/16/2 https:&#x • CWE-401: Missing Release of Memory after Effective Lifetime CWE-415: Double Free •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2013-1055 – Potential DoS through abuse of rate limit in libunity-webapps for Firefox
https://notcve.org/view.php?id=CVE-2013-1055
The unity-firefox-extension package could be tricked into dropping a C callback which was still in use, which Firefox would then free, causing Firefox to crash. This could be achieved by adding an action to the launcher and updating it with new callbacks until the libunity-webapps rate limit was hit. Fixed in 3.0.0+14.04.20140416-0ubuntu1.14.04.1 of unity-firefox-extension and in all versions of libunity-webapps by shipping an empty unity-firefox-extension package, thus disabling the extension entirely and invalidating the attack against the libunity-webapps package. El paquete unity-firefox-extension podría ser engañado para que dejara caer una devolución de llamada C que todavía estaba en uso, que luego Firefox liberaría, causando un bloqueo en Firefox. Esto podría ser alcanzado al agregar una acción al iniciar y actualizar con nuevas devoluciones de llamada hasta que se alcance el límite de frecuencia de libunity-webapps. • https://launchpad.net/bugs/1175691 https://ubuntu.com/USN-2743-3 • CWE-404: Improper Resource Shutdown or Release •