CVE-2021-44730 – snapd could be made to escalate privileges and run programs as administrator
https://notcve.org/view.php?id=CVE-2021-44730
snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location to cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1 snapd versión 2.54.2, no comprueba apropiadamente la ubicación del binario snap-confine. Un atacante local que pueda enlazar este binario a otra ubicación puede causar que snap-confine ejecute otros binarios arbitrarios y, por lo tanto, alcanzar una escalada de privilegios. Corregido en snapd versiones 2.54.3+18.04, 2.54.3+20.04 y 2.54.3+21.10.1 • http://www.openwall.com/lists/oss-security/2022/02/18/2 http://www.openwall.com/lists/oss-security/2022/02/23/1 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7 https://ubuntu.com/security/notices/USN-5292-1 https://www.debian.org/security/2022/dsa-5080 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2021-3155 – snapd created ~/snap with too-wide permissions
https://notcve.org/view.php?id=CVE-2021-3155
snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1 snapd versiones 2.54.2 y anteriores, creaban directorios ~/snap en los directorios personales de usuarios sin especificar los permisos de sólo propietario. Esto podía permitir a un atacante local leer información que debería ser privada. Corregido en snapd versiones 2.54.3+18.04, 2.54.3+20.04 y 2.54.3+21.10.1 • https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85 https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca https://ubuntu.com/security/notices/USN-5292-1 • CWE-276: Incorrect Default Permissions •
CVE-2021-44731 – snapd could be made to escalate privileges and run programs as administrator
https://notcve.org/view.php?id=CVE-2021-44731
A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap's private mount namespace and causing snap-confine to execute arbitrary code and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1 Se presentaba una condición de carrera en snapd versión 2.54.2 en el binario snap-confine cuando era preparado un espacio de nombres de montaje privado para un snap. Esto podía permitir a un atacante local alcanzar privilegios de root al montar su propio contenido dentro del espacio de nombres de montaje privado del snap y causar que snap-confine ejecutara código arbitrario y por lo tanto obtuviera una escalada de privilegios. Corregido en snapd versiones 2.54.3+18.04, 2.54.3+20.04 y 2.54.3+21.10.1 • https://github.com/deeexcee-io/CVE-2021-44731-snap-confine-SUID http://packetstormsecurity.com/files/170176/snap-confine-must_mkdir_and_open_with_perms-Race-Condition.html http://seclists.org/fulldisclosure/2022/Dec/4 http://www.openwall.com/lists/oss-security/2022/02/18/2 http://www.openwall.com/lists/oss-security/2022/02/23/1 http://www.openwall.com/lists/oss-security/2022/02/23/2 http://www.openwall.com/lists/oss-security/2022/11/30/2 https://lists.fedoraproje • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2021-4093 – kernel: KVM: SVM: out-of-bounds read/write in sev_es_string_io
https://notcve.org/view.php?id=CVE-2021-4093
A flaw was found in the KVM's AMD code for supporting the Secure Encrypted Virtualization-Encrypted State (SEV-ES). A KVM guest using SEV-ES can trigger out-of-bounds reads and writes in the host kernel via a malicious VMGEXIT for a string I/O instruction (for example, outs or ins) using the exit reason SVM_EXIT_IOIO. This issue results in a crash of the entire system or a potential guest-to-host escape scenario. Se ha encontrado un fallo en el código de AMD de KVM para soportar la Virtualización Segura Encriptada-Estado Encriptado (SEV-ES). Un huésped de KVM que use SEV-ES puede desencadenar lecturas y escrituras fuera de límites en el núcleo anfitrión por medio de un VMGEXIT malicioso para una instrucción de E/S de cadena (por ejemplo, outs o ins) usando el motivo de salida SVM_EXIT_IOIO. • https://bugs.chromium.org/p/project-zero/issues/detail?id=2222 https://bugzilla.redhat.com/show_bug.cgi?id=2028584 https://access.redhat.com/security/cve/CVE-2021-4093 • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVE-2021-3640 – kernel: use-after-free vulnerability in function sco_sock_sendmsg()
https://notcve.org/view.php?id=CVE-2021-3640
A flaw use-after-free in function sco_sock_sendmsg() of the Linux kernel HCI subsystem was found in the way user calls ioct UFFDIO_REGISTER or other way triggers race condition of the call sco_conn_del() together with the call sco_sock_sendmsg() with the expected controllable faulting memory page. A privileged local user could use this flaw to crash the system or escalate their privileges on the system. Se encontró un fallo de uso de memoria previamente liberada en la función sco_sock_sendmsg() del subsistema HCI del kernel de Linux en la forma en que el usuario llama a ioct UFFDIO_REGISTER o de otra manera desencadena una condición de carrera de la llamada sco_conn_del() junto con la llamada sco_sock_sendmsg() con la página de memoria de fallo controlable esperada. Un usuario local privilegiado podría usar este fallo para bloquear el sistema o escalar sus privilegios en el sistema • https://bugzilla.redhat.com/show_bug.cgi?id=1980646 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/bluetooth/sco.c?h=v5.16&id=99c23da0eed4fd20cae8243f2b51e10e66aa0951 https://github.com/torvalds/linux/commit/99c23da0eed4fd20cae8243f2b51e10e66aa0951 https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html https://security.netapp.com/advisory/ntap-20220419-0003 https://ubuntu.com/security/CVE-2021- • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free •