Vulnerabilities in OpenSSL, Glibc, util-linux, i915 and vmwgfx drivers

A vulnerability (CVE-2021-4160) has been disclosed in the OpenSSL cryptographic library. It is caused by a carry propagation bug in the squaring routine used by the BN_mod_exp function, which makes the squaring operation return an incorrect result. The issue only occurs on hardware based on the MIPS32 and MIPS64 architectures, and can affect elliptic curve algorithms, including some of the curves used by default in TLS 1.3. The problem was fixed in the December releases OpenSSL 1.1.1m and 3.0.1.

Practical attacks that use this bug to recover information about private keys are considered possible but unlikely for RSA, DSA and Diffie-Hellman (DH): they would be very difficult to carry out and would require significant computing resources. An attack on TLS is ruled out, since after the fix for CVE-2016-0701 in 2016 a server no longer shares a single DH private key among multiple clients.
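The defective squaring routine in CVE-2021-4160 is MIPS assembly inside OpenSSL, which this page does not reproduce. The following C program is an added example, not OpenSSL's code, that models the class of bug: a schoolbook multi-limb squaring that drops the carry leaving each partial-product row, next to a correct version, plus the kind of consistency check (reduce the result modulo a small prime and compare with the square of the reduced operand) that a bignum test suite uses to catch such errors. All operands and the prime 2^32-5 are constructed for the example; the point it shows is that the buggy routine is only wrong for operands that actually produce a row carry, so it passes tests on small numbers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a carry-propagation bug in multi-limb squaring (added
 * example; NOT OpenSSL's code, all inputs below are constructed).
 * Operands are LIMBS little-endian 32-bit limbs; a square has 2*LIMBS. */
#define LIMBS 4
#define B32 0xffffffffu

typedef void (*sqr_fn)(const uint32_t *a, uint32_t *r);

/* Correct schoolbook squaring r = a*a: the carry leaving each
 * partial-product row is stored in the next (still zero) limb. */
static void sqr_ok(const uint32_t *a, uint32_t *r)
{
    memset(r, 0, 2 * LIMBS * sizeof r[0]);
    for (size_t i = 0; i < LIMBS; i++) {
        uint64_t carry = 0;
        for (size_t j = 0; j < LIMBS; j++) {
            /* (2^32-1)^2 + 2*(2^32-1) < 2^64, so t cannot overflow */
            uint64_t t = (uint64_t)a[i] * a[j] + r[i + j] + carry;
            r[i + j] = (uint32_t)t;
            carry = t >> 32;
        }
        r[i + LIMBS] = (uint32_t)carry;   /* row carry-out */
    }
}

/* Same routine with the bug: the carry out of each row is dropped.
 * Correct whenever the top limb of a is small enough that no row
 * overflows, so tests with small operands do not notice. */
static void sqr_dropped_carry(const uint32_t *a, uint32_t *r)
{
    memset(r, 0, 2 * LIMBS * sizeof r[0]);
    for (size_t i = 0; i < LIMBS; i++) {
        uint64_t carry = 0;
        for (size_t j = 0; j < LIMBS; j++) {
            uint64_t t = (uint64_t)a[i] * a[j] + r[i + j] + carry;
            r[i + j] = (uint32_t)t;
            carry = t >> 32;
        }
        /* bug: "r[i + LIMBS] = (uint32_t)carry;" is missing here */
    }
}

/* x mod p for a little-endian limb array (Horner's rule).
 * p < 2^32, so (r << 32 | limb) always fits in 64 bits. */
static uint32_t mod_small(const uint32_t *x, size_t n, uint32_t p)
{
    uint64_t r = 0;
    for (size_t i = n; i-- > 0;)
        r = ((r << 32) | x[i]) % p;
    return (uint32_t)r;
}

/* Consistency check: (a*a) mod p must equal ((a mod p)^2) mod p.
 * Returns 1 if the squaring routine passes for this operand, else 0. */
static int square_is_consistent(sqr_fn sqr, const uint32_t *a, uint32_t p)
{
    uint32_t r[2 * LIMBS];
    sqr(a, r);
    uint64_t am = mod_small(a, LIMBS, p);
    return mod_small(r, 2 * LIMBS, p) == (uint32_t)((am * am) % p);
}

/* Returns 1 if sqr(a) produces exactly the expected 2*LIMBS limbs. */
static int sqr_equals(sqr_fn sqr, const uint32_t *a, const uint32_t *expected)
{
    uint32_t r[2 * LIMBS];
    sqr(a, r);
    return memcmp(r, expected, sizeof r) == 0;
}

int main(void)
{
    const uint32_t p = 4294967291u;                        /* 2^32 - 5, prime */
    const uint32_t small[LIMBS] = { 5, 0, 0, 0 };           /* constructed: 5 */
    const uint32_t big[LIMBS] = { B32, B32, B32, B32 };     /* constructed: 2^128 - 1 */

    /* Both routines agree on 5*5; only the correct one gets (2^128-1)^2,
     * which the buggy routine collapses to the single limb 1. */
    printf("small operand: correct=%d dropped-carry=%d\n",
           square_is_consistent(sqr_ok, small, p),
           square_is_consistent(sqr_dropped_carry, small, p));
    printf("big operand:   correct=%d dropped-carry=%d\n",
           square_is_consistent(sqr_ok, big, p),
           square_is_consistent(sqr_dropped_carry, big, p));
    return 0;
}
```

The modular check is cheap and independent of the routine under test, which is why it is a good regression guard for limb arithmetic; the catch, as this example shows, is that it is only as good as the operands fed to it, and a bug that depends on carry out of the top limb needs operands with a large top limb to surface.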

Additionally, there are several recently identified vulnerabilities in open source projects:

  • A vulnerability (CVE-2022-0330) in the i915 graphics driver caused by a missing GPU TLB flush. If an IOMMU (address translation) is not in use, the vulnerability allows user space to access arbitrary pages of memory, which can be used to read or corrupt data in arbitrary memory areas. The problem affects all integrated and discrete Intel GPUs. The fix adds a mandatory TLB flush before every return of a GPU buffer to the system, which degrades performance; the impact depends on the GPU, the operations performed on it and the system load. The fix is currently available only as a patch.
  • A vulnerability (CVE-2022-22942) in the vmwgfx graphics driver, used to provide 3D acceleration in VMware environments. The issue allows an unprivileged user to access files opened by other processes on the system. The attack requires access to the device /dev/dri/card0 or /dev/dri/renderD128 and the ability to issue an ioctl() call on the resulting file descriptor.
  • Vulnerabilities (CVE-2021-3996, CVE-2021-3995) in the libmount library shipped with the util-linux package that allow an unprivileged user to unmount disk partitions without being authorized to do so. The issue was identified during an audit of the SUID-root programs umount and fusermount.
  • Vulnerabilities in the standard C library Glibc affecting the realpath() (CVE-2021-3998) and getcwd() (CVE-2021-3999) functions.
    • The realpath() problem is caused by the function returning an invalid value under certain conditions, one containing uncleared residual data from the stack. In the SUID-root fusermount program the vulnerability can be used to obtain sensitive information from the process's memory, for example pointer values.
    • The getcwd() problem allows a one-byte buffer overflow. The bug has been present since 1995. To trigger the overflow it is enough to call chdir() on the "/" directory in a separate mount namespace. It is not stated whether the vulnerability is limited to crashing the process, but working exploits for such one-byte overflows have appeared in the past despite the skepticism of the developers.
  • A vulnerability (CVE-2022-23220) in the usbview package that allows local users, including those logged in via SSH, to execute code as root, because the PolKit rules (allow_any=yes) permit running the usbview utility as root without authentication. Exploitation comes down to loading an attacker-supplied library into usbview via the "--gtk-module" option. The issue is fixed in usbview 2.2.

Source: opennet.ru