Vulnerabilities in systemd, Flatpak, Samba, FreeRDP, ClamAV, Node.js

A vulnerability (CVE-2021-3997) has been identified in the systemd-tmpfiles utility that can trigger uncontrolled recursion. It can be used to stage a denial of service at system boot by creating a large number of nested subdirectories under /tmp. So far the fix is available only as a patch. Package updates addressing the issue have been released for Ubuntu and SUSE, but are not yet available for Debian, RHEL and Fedora (fixes are in testing).

When thousands of nested directories are present, the "systemd-tmpfiles --remove" operation crashes due to stack exhaustion. systemd-tmpfiles normally performs removal and creation in a single invocation ("systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev"), with removal running first and creation afterwards, so a crash during the removal stage means that the important files and directories listed in /usr/lib/tmpfiles.d/*.conf are never created.

A more dangerous attack scenario is also mentioned for Ubuntu 21.04: because the systemd-tmpfiles crash prevents /run/lock/subsys from being created, and /run/lock is world-writable, an attacker can create /run/lock/subsys under their own user ID and, by placing symbolic links there with the names of lock files used by system processes, get those processes to overwrite system files.
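To illustrate the bug class behind CVE-2021-3997, here is an added example (not systemd's code): a naive recursive directory removal whose C stack usage grows with the nesting depth, beside an iterative version that keeps the traversal state on a heap-allocated stack of frames. The sample tree is constructed in a fresh mkdtemp directory under /tmp; the depth, the "d"/"leaf" names and the helper functions are this example's own. Both variants hold one open descriptor per level, so RLIMIT_NOFILE is a separate ceiling that this example does not address.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* O_NOFOLLOW: never descend through a symlink, so a planted link is unlinked, not traversed. */
#define OPEN_DIR_FLAGS (O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC)

/* Naive recursive removal: one C stack frame per nesting level, so a chain of
 * directories deep enough overflows the stack (the CVE-2021-3997 bug class).
 * Returns the number of entries removed, or -1 on error. */
long remove_tree_recursive(int parent_fd, const char *name)
{
    int fd = openat(parent_fd, name, OPEN_DIR_FLAGS);
    if (fd < 0)                        /* not a directory (or a symlink): plain unlink */
        return unlinkat(parent_fd, name, 0) == 0 ? 1 : -1;
    DIR *d = fdopendir(fd);
    if (!d) { close(fd); return -1; }
    long n = 0;
    struct dirent *de;
    while ((de = readdir(d)) != NULL) {
        if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) continue;
        long r = remove_tree_recursive(fd, de->d_name);  /* recursion depth == nesting depth */
        if (r < 0) { closedir(d); return -1; }
        n += r;
    }
    closedir(d);
    return unlinkat(parent_fd, name, AT_REMOVEDIR) == 0 ? n + 1 : -1;
}

/* Iterative removal: traversal state lives in a realloc-grown array of frames,
 * so nesting depth costs heap memory, not C stack. */
struct frame { int parent_fd; DIR *dir; char *name; };

static int push_dir(struct frame **st, size_t *cap, size_t *depth, int parent_fd, const char *name)
{
    int fd = openat(parent_fd, name, OPEN_DIR_FLAGS);
    if (fd < 0) return -1;                       /* ENOTDIR/ELOOP: caller unlinks it instead */
    DIR *d = fdopendir(fd);
    if (!d) { close(fd); return -1; }
    if (*depth == *cap) {
        struct frame *grown = realloc(*st, 2 * *cap * sizeof **st);
        if (!grown) { closedir(d); return -1; }
        *st = grown;
        *cap *= 2;
    }
    struct frame *f = &(*st)[*depth];
    f->parent_fd = parent_fd;
    f->dir = d;
    f->name = strdup(name);
    if (!f->name) { closedir(d); return -1; }
    (*depth)++;
    return 0;
}

static void drop_frames(struct frame *st, size_t depth)
{
    while (depth > 0) { depth--; closedir(st[depth].dir); free(st[depth].name); }
    free(st);
}

long remove_tree_iterative(int root_parent_fd, const char *root_name)
{
    size_t cap = 16, depth = 0;
    struct frame *st = malloc(cap * sizeof *st);
    if (!st) return -1;
    if (push_dir(&st, &cap, &depth, root_parent_fd, root_name) < 0) { free(st); return -1; }
    long removed = 0;
    while (depth > 0) {
        struct frame *top = &st[depth - 1];
        struct dirent *de = readdir(top->dir);
        if (de == NULL) {                        /* directory drained: rmdir it and pop */
            int pfd = top->parent_fd;
            char *name = top->name;
            closedir(top->dir);
            depth--;
            int rc = unlinkat(pfd, name, AT_REMOVEDIR);
            free(name);
            if (rc < 0) { drop_frames(st, depth); return -1; }
            removed++;
            continue;
        }
        if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) continue;
        int dfd = dirfd(top->dir);
        if (push_dir(&st, &cap, &depth, dfd, de->d_name) == 0) continue;  /* descended */
        if (unlinkat(dfd, de->d_name, 0) < 0) { drop_frames(st, depth); return -1; }
        removed++;                               /* regular file or refused symlink */
    }
    free(st);
    return removed;
}

/* Constructed sample tree: root/d/d/.../d (`depth` levels) plus a file "leaf" at the
 * bottom, built with openat so PATH_MAX does not limit the chain. 0 on success. */
int make_nested_chain(int parent_fd, const char *root_name, unsigned depth)
{
    int fd = openat(parent_fd, root_name, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) return -1;
    for (unsigned i = 0; i < depth; i++) {
        if (mkdirat(fd, "d", 0700) < 0) { close(fd); return -1; }
        int next = openat(fd, "d", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
        close(fd);
        if (next < 0) return -1;
        fd = next;
    }
    int leaf = openat(fd, "leaf", O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    close(fd);
    if (leaf < 0) return -1;
    close(leaf);
    return 0;
}

/* Fresh temp dir, chain `depth` deep, removal with the chosen strategy; returns the
 * entry count (root + depth subdirectories + leaf = depth + 2), or -1 on error. */
long demo_remove(unsigned depth, int use_recursion)
{
    char root[] = "/tmp/nested-demo-XXXXXX";    /* hypothetical name, constructed for the demo */
    if (!mkdtemp(root)) return -1;
    if (make_nested_chain(AT_FDCWD, root, depth) < 0) return -1;
    long n = use_recursion ? remove_tree_recursive(AT_FDCWD, root)
                           : remove_tree_iterative(AT_FDCWD, root);
    if (n >= 0 && access(root, F_OK) == 0) return -1;   /* the root must be gone */
    return n;
}
```

At modest depth both strategies agree (demo_remove(64, 0) and demo_remove(64, 1) both return 66). Grow the chain (after raising the descriptor limit with ulimit -n) and the recursive variant eventually dies with SIGSEGV once its frames exceed the default 8 MiB stack, while the iterative variant only grows its heap array.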

In addition, new releases of Flatpak, Samba, FreeRDP, ClamAV and Node.js have been published that fix vulnerabilities:

  • Two vulnerabilities have been fixed in the Flatpak 1.10.6 and 1.12.3 patch releases (Flatpak builds and distributes self-contained application packages). The first (CVE-2021-43860) allows a package from an untrusted repository to hide some of its extended permissions from the confirmation shown during installation by manipulating its metadata. The second (no CVE) allows directories to be created outside the build directory while building a package with "flatpak-builder --mirror-screenshots-url".
  • The Samba 4.13.16 update fixes a vulnerability (CVE-2021-43566) that lets a client manipulate symbolic links on SMB1 or NFS shares to create a directory on the server outside the exported share tree. The problem is caused by a race condition and is hard to exploit in practice, though theoretically possible. All versions prior to 4.13.16 are affected.

    A report on a related vulnerability (CVE-2021-20316) has also been published: an authenticated client can read or modify the metadata of a file or directory outside the exported share on the server's file system by manipulating symbolic links. The issue is fixed in release 4.15.0 but also affects earlier branches, for which no fixes will be published: the old Samba VFS architecture ties metadata operations to file paths and cannot be fixed (in Samba 4.15 the VFS layer was completely reworked). The severity is reduced by the fact that the problem is hard to exploit and the user's access rights must already permit reading or writing the target file or directory.

  • The FreeRDP 2.5 release, a free implementation of the Remote Desktop Protocol (RDP), fixes three security issues (no CVE IDs assigned) that can lead to buffer overflows when an invalid locale is used, when specially crafted registry settings are processed, and when a malformed add-in name is specified. Other changes in the new version include support for OpenSSL 3.0, the TcpConnectTimeout setting, improved LibreSSL compatibility, and fixes for clipboard problems in Wayland-based environments.
  • The new releases of the free anti-virus package ClamAV, 0.103.5 and 0.104.2, fix CVE-2022-20698, an invalid pointer read that allows a remote attacker to crash the process when the package was built with the libjson-c library and scanning is done with the CL_SCAN_GENERAL_COLLECT_METADATA option (clamscan --gen-json).
  • Four vulnerabilities have been fixed in the Node.js updates 16.13.2, 14.18.3, 17.3.1 and 12.22.9: certificate verification bypass when checking a network connection, caused by incorrect conversion of SAN (Subject Alternative Name) entries to string form (CVE-2021-44532); incorrect handling of multi-value subject and issuer fields, usable to bypass checks on those fields in certificates (CVE-2021-44533); a bypass of the restrictions on URI-type SAN entries (CVE-2021-44531); and insufficient input validation in console.table(), which can be used to assign empty strings to numeric keys of the object prototype (CVE-2022-21824).

Source: opennet.ru