Vulnerabilities in systemd, Flatpak, Samba, FreeRDP, Clamav, Node.js

A vulnerability (CVE-2021-3997) has been discovered in the systemd-tmpfiles utility from systemd that allows uncontrolled recursion. The issue can be exploited to cause a denial of service during system boot by creating a large number of nested subdirectories in /tmp. A fix is currently available as a patch. Package updates addressing the issue have been proposed for Ubuntu and SUSE, but are not yet available for Debian, RHEL and Fedora (fixes are in the testing phase).

When thousands of nested directories are present, the "systemd-tmpfiles --remove" operation crashes due to stack exhaustion. Typically systemd-tmpfiles performs directory removal and creation in a single call ("systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev"), with removal first and creation afterwards, so a crash at the removal stage means that the important files specified in /usr/lib/tmpfiles.d/*.conf are never created.

A more dangerous attack scenario is also described for Ubuntu 21.04: since /run/lock/subsys is not created because of the systemd-tmpfiles crash, and the /run/lock directory is writable by all users, an attacker can create the /run/lock/subsys directory under their own user ID and, by creating symbolic links that collide with the lock files of system processes, arrange for system files to be overwritten.
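As an added example (not code from the advisory or from systemd), the following POSIX shell audit lets a defender check after boot for the two consequences described above: a /run/lock/subsys that is missing, a symlink, or owned by a non-root user, and an abnormally deep directory tree under /tmp. The depth limit of 512 is an assumed threshold, not a value from systemd.

```shell
#!/bin/sh
# Post-boot audit for what the CVE-2021-3997 crash leaves behind (added example,
# not from systemd): verify that a directory systemd-tmpfiles should have created
# is a real root-owned directory, and measure how deeply /tmp is nested so an
# abnormal tree is noticed before the next boot. Depth limit is an assumption.

# audit_lock_dir DIR [UID]: 0 if DIR is a non-symlink directory owned by UID
# (default 0); otherwise 1 with the reason printed on stdout.
audit_lock_dir() {
    dir=$1
    want=${2:-0}
    [ -e "$dir" ] || [ -L "$dir" ] || { echo "missing: $dir"; return 1; }
    [ ! -L "$dir" ] || { echo "symlink, not a directory: $dir"; return 1; }
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }
    # ls -n prints the numeric owner and is portable across GNU and BSD userland
    owner=$(ls -ldn "$dir" | awk '{ print $3 }')
    [ "$owner" = "$want" ] || { echo "owned by uid $owner, expected $want: $dir"; return 1; }
    return 0
}

# max_depth ROOT: print the deepest directory nesting below ROOT (ROOT itself is 0).
max_depth() {
    root=${1%/}
    [ -n "$root" ] || root=/
    # depth of a path = number of '/' in it minus the number of '/' in ROOT
    base=$(printf '%s' "$root" | awk '{ print gsub("/", "/") }')
    find "$root" -type d | awk -v b="$base" \
        '{ d = gsub("/", "/") - b; if (d > m) m = d } END { print m + 0 }'
}

# check_tmp_depth ROOT LIMIT: 0 if nesting is within LIMIT, 1 if it exceeds it.
check_tmp_depth() {
    depth=$(max_depth "$1")
    if [ "$depth" -gt "$2" ]; then
        echo "nesting depth $depth under $1 exceeds limit $2"
        return 1
    fi
    return 0
}

# Run against the live system only when invoked as: sh audit.sh --run
if [ "${1-}" = "--run" ]; then
    audit_lock_dir /run/lock/subsys && check_tmp_depth /tmp 512
fi
```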

In addition, new releases of the Flatpak, Samba, FreeRDP, ClamAV and Node.js projects have been published that fix vulnerabilities:

  • Two vulnerabilities have been fixed in the Flatpak 1.10.6 and 1.12.3 patch releases of the system for building self-contained packages: the first (CVE-2021-43860) allows manipulated metadata, when a package is downloaded from an unverified repository, to hide the display of certain extended permissions during installation. The second (no CVE assigned) allows directories to be created in the filesystem outside the build directory when a package is built with the "flatpak-builder --mirror-screenshots-url" command.
  • The Samba 4.13.16 update fixes a vulnerability (CVE-2021-43566) that allows a client to manipulate symbolic links on SMB1 or NFS shares to create a directory on the server outside the exported area of the file system (the issue is caused by a race condition and is difficult to exploit in practice, but theoretically possible). The issue affects versions prior to 4.13.16.

    A report has also been published about another, similar vulnerability (CVE-2021-20316) that allows an authenticated client, through manipulation of symbolic links, to read or modify the contents of a file or the metadata of a directory in the server's file system outside the exported share. The issue was fixed in release 4.15.0 but also affects earlier releases. Fixes for older releases will not be published, since the old Samba VFS architecture cannot address the issue because metadata operations are bound to file paths (the VFS layer was completely redesigned in Samba 4.15). The severity is mitigated by the complexity of the attack and by the requirement that the user already has read and write access to the target file or directory.

  • The FreeRDP 2.5 release, a free implementation of the Remote Desktop Protocol (RDP), fixes three security issues (no CVE IDs assigned) that can lead to buffer overflows when an incorrect locale is used, when specially crafted registry settings are processed, and when an incorrectly formatted add-on name is specified. Other changes in the new version include support for the OpenSSL 3.0 library, implementation of the TcpConnectTimeout setting, improved compatibility with LibreSSL, and fixes for clipboard problems in Wayland-based environments.
  • The new releases of the free anti-virus package ClamAV, 0.103.5 and 0.104.2, fix the vulnerability CVE-2022-20698, which is caused by an incorrect pointer read and allows a process crash to be triggered remotely if the package was built with the libjson-c library and the CL_SCAN_GENERAL_COLLECT_METADATA option is enabled (clamscan --gen-json).
  • Four vulnerabilities have been fixed in the Node.js platform updates 16.13.2, 14.18.3, 17.3.1 and 12.22.9: certificate verification bypass during network connection verification due to incorrect conversion of SAN (Subject Alternative Name) entries to string form (CVE-2021-44532); incorrect handling of multiple values in the subject and issuer fields, which can be used to bypass verification of those fields in certificates (CVE-2021-44533); bypass of URI SAN type restrictions in certificates (CVE-2021-44531); and insufficient input validation in the console.table() function, which can be used to assign empty strings to numeric keys (CVE-2022-21824).

Source: opennet.ru