CVSS: 7.4EPSS: 0%CPEs: 56EXPL: 0CVE-2021-3450 – CA certificate check bypass with X509_V_FLAG_X509_STRICT
https://notcve.org/view.php?id=CVE-2021-3450
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. • http://www.openwall.com/lists/oss-security/2021/03/27/1 http://www.openwall.com/lists/oss-security/2021/03/27/2 http://www.openwall.com/lists/oss-security/2021/03/28/3 http://www.openwall.com/lists/oss-security/2021/03/28/4 https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845 https://kc.mc • CWE-295: Improper Certificate Validation •
CVSS: 9.0EPSS: 0%CPEs: 29EXPL: 0CVE-2020-7468 – FreeBSD FTPD Improper Handling of Exceptional Conditions Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2020-7468
In FreeBSD 12.2-STABLE before r365772, 11.4-STABLE before r365773, 12.1-RELEASE before p10, 11.4-RELEASE before p4 and 11.3-RELEASE before p14 a ftpd(8) bug in the implementation of the file system sandbox, combined with capabilities available to an authenticated FTP user, can be used to escape the file system restriction configured in ftpchroot(5). Moreover, the bug allows a malicious client to gain root privileges. En FreeBSD versiones 12.2-STABLE anteriores a r365772, 11.4-STABLE anteriores a r365773, 12.1-RELEASE anteriores a p10, 11.4-RELEASE anteriores a p4 y 11.3-RELEASE anteriores a p14, un bug de ftpd(8) en la implementación del sandbox del sistema de archivos, combinado con las capacidades disponibles para un usuario FTP autenticado, puede ser usada para escapar de la restricción del sistema de archivos configurada en ftpchroot(5). Además, el bug permite a un cliente malicioso alcanzar privilegios root. This vulnerability allows remote attackers to escalate privileges on affected installations of FreeBSD FTPD. • https://security.FreeBSD.org/advisories/FreeBSD-SA-20:30.ftpd.asc •
CVSS: 8.2EPSS: 0%CPEs: 49EXPL: 1CVE-2020-24718
https://notcve.org/view.php?id=CVE-2020-24718
bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as demonstrated by a root user in a container on an Intel system, who can gain privileges by modifying VMCS_HOST_RIP. bhyve, como es usado en FreeBSD versiones hasta 12.1 e illumos (por ejemplo, OmniOS CE versiones hasta r151034 y OpenIndiana versiones hasta Hipster 2020.04), no restringe apropiadamente las operaciones de lectura y de escritura de VMCS y VMCB, como es demostrado por un usuario root en un contenedor en un sistema Intel, quién puede alcanzar privilegios al modificar VMCS_HOST_RIP • https://github.com/illumos/illumos-gate/blob/84971882a96ac0fecd538b02208054a872ff8af3/usr/src/uts/i86pc/io/vmm/intel/vmcs.c#L246-L249 https://security.FreeBSD.org/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc https://security.netapp.com/advisory/ntap-20201016-0002 • CWE-862: Missing Authorization •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-24385
https://notcve.org/view.php?id=CVE-2020-24385
In MidnightBSD before 1.2.6 and 1.3 before August 2020, and FreeBSD before 7, a NULL pointer dereference was found in the Linux emulation layer that allows attackers to crash the running kernel. During binary interaction, td->td_emuldata in sys/compat/linux/linux_emul.h is not getting initialized and returns NULL from em_find(). En MidnightBSD versiones anteriores a 1.2.6 y versiones 1.3 anteriores a Agosto de 2020, y FreeBSD versiones anteriores a 7, se encontró una desreferencia del puntero NULL en la capa de emulación de Linux que permite a atacantes bloquear el kernel en ejecución. Durante la interacción binaria, td-)td_emuldata en el archivo sys/compat/linux/linux_emul.h no se inicializa y devuelve NULL desde la función em_find() • http://www.midnightbsd.org/security/adv/MIDNIGHTBSD-SA-20:02.txt https://www.midnightbsd.org/notes • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 2CVE-2020-24863
https://notcve.org/view.php?id=CVE-2020-24863
A memory corruption vulnerability was found in the kernel function kern_getfsstat in MidnightBSD before 1.2.7 and 1.3 through 2020-08-19, and FreeBSD through 11.4, that allows an attacker to trigger an invalid free and crash the system via a crafted size value in conjunction with an invalid mode. Se encontró una vulnerabilidad de corrupción de memoria en la función del kernel kern_getfsstat en MidnightBSD versiones anteriores a 1.2.7 y versiones 1.3 hasta el19-08-2020, y FreeBSD versiones hasta 11.4, que permite a un atacante desencadenar una liberación no válida y bloquear el sistema por medio de un valor de tamaño diseñado en conjunto con un modo no válido • http://www.midnightbsd.org/security/adv/MIDNIGHTBSD-SA-20:01.txt https://github.com/MidnightBSD/src/blob/1691c07ff4f27b97220a5d65e217341e477f4014/sys/kern/vfs_syscalls.c https://www.freebsd.org/security/advisories/FreeBSD-EN-20:18.getfsstat.asc https://www.midnightbsd.org/notes • CWE-787: Out-of-bounds Write •