Malware Devil

Tuesday, June 8, 2021

ESB-2021.1973 – [RedHat] nginx:1.18, rh-nginx116-nginx and rh-nginx118-nginx: Multiple vulnerabilities


===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1973
nginx:1.18, rh-nginx116-nginx and rh-nginx118-nginx security update
8 June 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           nginx:1.18
                   rh-nginx116-nginx
                   rh-nginx118-nginx
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-23017

Reference:         ESB-2021.1936
                   ESB-2021.1851

Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:2258
https://access.redhat.com/errata/RHSA-2021:2259
https://access.redhat.com/errata/RHSA-2021:2278

Comment: This bulletin contains three (3) Red Hat security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------


=====================================================================
Red Hat Security Advisory

Synopsis: Important: rh-nginx118-nginx security update
Advisory ID: RHSA-2021:2258-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2258
Issue date: 2021-06-07
CVE Names: CVE-2021-23017
=====================================================================

1. Summary:

An update for rh-nginx118-nginx is now available for Red Hat Software
Collections.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

nginx is a web and proxy server supporting HTTP and other protocols, with a
focus on high concurrency, performance, and low memory usage.

Security Fix(es):

* nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a
pointer to a root domain name (CVE-2021-23017)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The rh-nginx118-nginx service must be restarted for this update to take
effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1963121 - CVE-2021-23017 nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-nginx118-nginx-1.18.0-3.el7.src.rpm

ppc64le:
rh-nginx118-nginx-1.18.0-3.el7.ppc64le.rpm
rh-nginx118-nginx-debuginfo-1.18.0-3.el7.ppc64le.rpm
rh-nginx118-nginx-mod-http-image-filter-1.18.0-3.el7.ppc64le.rpm
rh-nginx118-nginx-mod-http-perl-1.18.0-3.el7.ppc64le.rpm
rh-nginx118-nginx-mod-http-xslt-filter-1.18.0-3.el7.ppc64le.rpm
rh-nginx118-nginx-mod-mail-1.18.0-3.el7.ppc64le.rpm
rh-nginx118-nginx-mod-stream-1.18.0-3.el7.ppc64le.rpm

s390x:
rh-nginx118-nginx-1.18.0-3.el7.s390x.rpm
rh-nginx118-nginx-debuginfo-1.18.0-3.el7.s390x.rpm
rh-nginx118-nginx-mod-http-image-filter-1.18.0-3.el7.s390x.rpm
rh-nginx118-nginx-mod-http-perl-1.18.0-3.el7.s390x.rpm
rh-nginx118-nginx-mod-http-xslt-filter-1.18.0-3.el7.s390x.rpm
rh-nginx118-nginx-mod-mail-1.18.0-3.el7.s390x.rpm
rh-nginx118-nginx-mod-stream-1.18.0-3.el7.s390x.rpm

x86_64:
rh-nginx118-nginx-1.18.0-3.el7.x86_64.rpm
rh-nginx118-nginx-debuginfo-1.18.0-3.el7.x86_64.rpm
rh-nginx118-nginx-mod-http-image-filter-1.18.0-3.el7.x86_64.rpm
rh-nginx118-nginx-mod-http-perl-1.18.0-3.el7.x86_64.rpm
rh-nginx118-nginx-mod-http-xslt-filter-1.18.0-3.el7.x86_64.rpm
rh-nginx118-nginx-mod-mail-1.18.0-3.el7.x86_64.rpm
rh-nginx118-nginx-mod-stream-1.18.0-3.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7):

Source:
rh-nginx118-nginx-1.18.0-3.el7.src.rpm

ppc64le:
rh-nginx118-nginx-1.18.0-3.el7.ppc64le.rpm
rh-nginx118-nginx-debuginfo-1.18.0-3.el7.ppc64le.rpm
rh-nginx118-nginx-mod-http-image-filter-1.18.0-3.el7.ppc64le.rpm
rh-nginx118-nginx-mod-http-perl-1.18.0-3.el7.ppc64le.rpm
rh-nginx118-nginx-mod-http-xslt-filter-1.18.0-3.el7.ppc64le.rpm
rh-nginx118-nginx-mod-mail-1.18.0-3.el7.ppc64le.rpm
rh-nginx118-nginx-mod-stream-1.18.0-3.el7.ppc64le.rpm

s390x:
rh-nginx118-nginx-1.18.0-3.el7.s390x.rpm
rh-nginx118-nginx-debuginfo-1.18.0-3.el7.s390x.rpm
rh-nginx118-nginx-mod-http-image-filter-1.18.0-3.el7.s390x.rpm
rh-nginx118-nginx-mod-http-perl-1.18.0-3.el7.s390x.rpm
rh-nginx118-nginx-mod-http-xslt-filter-1.18.0-3.el7.s390x.rpm
rh-nginx118-nginx-mod-mail-1.18.0-3.el7.s390x.rpm
rh-nginx118-nginx-mod-stream-1.18.0-3.el7.s390x.rpm

x86_64:
rh-nginx118-nginx-1.18.0-3.el7.x86_64.rpm
rh-nginx118-nginx-debuginfo-1.18.0-3.el7.x86_64.rpm
rh-nginx118-nginx-mod-http-image-filter-1.18.0-3.el7.x86_64.rpm
rh-nginx118-nginx-mod-http-perl-1.18.0-3.el7.x86_64.rpm
rh-nginx118-nginx-mod-http-xslt-filter-1.18.0-3.el7.x86_64.rpm
rh-nginx118-nginx-mod-mail-1.18.0-3.el7.x86_64.rpm
rh-nginx118-nginx-mod-stream-1.18.0-3.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-nginx118-nginx-1.18.0-3.el7.src.rpm

x86_64:
rh-nginx118-nginx-1.18.0-3.el7.x86_64.rpm
rh-nginx118-nginx-debuginfo-1.18.0-3.el7.x86_64.rpm
rh-nginx118-nginx-mod-http-image-filter-1.18.0-3.el7.x86_64.rpm
rh-nginx118-nginx-mod-http-perl-1.18.0-3.el7.x86_64.rpm
rh-nginx118-nginx-mod-http-xslt-filter-1.18.0-3.el7.x86_64.rpm
rh-nginx118-nginx-mod-mail-1.18.0-3.el7.x86_64.rpm
rh-nginx118-nginx-mod-stream-1.18.0-3.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-23017
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

--------------------------------------------------------------------------------


=====================================================================
Red Hat Security Advisory

Synopsis: Important: nginx:1.18 security update
Advisory ID: RHSA-2021:2259-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2259
Issue date: 2021-06-07
CVE Names: CVE-2021-23017
=====================================================================

1. Summary:

An update for the nginx:1.18 module is now available for Red Hat Enterprise
Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

nginx is a web and proxy server supporting HTTP and other protocols, with a
focus on high concurrency, performance, and low memory usage.

Security Fix(es):

* nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a
pointer to a root domain name (CVE-2021-23017)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1963121 - CVE-2021-23017 nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
nginx-1.18.0-3.module+el8.4.0+11152+f736ed63.1.src.rpm

aarch64:
nginx-1.18.0-3.module+el8.4.0+11152+f736ed63.1.aarch64.rpm
nginx-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.aarch64.rpm
nginx-debugsource-1.18.0-3.module+el8.4.0+11152+f736ed63.1.aarch64.rpm
nginx-mod-http-image-filter-1.18.0-3.module+el8.4.0+11152+f736ed63.1.aarch64.rpm
nginx-mod-http-image-filter-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.aarch64.rpm
nginx-mod-http-perl-1.18.0-3.module+el8.4.0+11152+f736ed63.1.aarch64.rpm
nginx-mod-http-perl-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.aarch64.rpm
nginx-mod-http-xslt-filter-1.18.0-3.module+el8.4.0+11152+f736ed63.1.aarch64.rpm
nginx-mod-http-xslt-filter-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.aarch64.rpm
nginx-mod-mail-1.18.0-3.module+el8.4.0+11152+f736ed63.1.aarch64.rpm
nginx-mod-mail-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.aarch64.rpm
nginx-mod-stream-1.18.0-3.module+el8.4.0+11152+f736ed63.1.aarch64.rpm
nginx-mod-stream-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.aarch64.rpm

noarch:
nginx-all-modules-1.18.0-3.module+el8.4.0+11152+f736ed63.1.noarch.rpm
nginx-filesystem-1.18.0-3.module+el8.4.0+11152+f736ed63.1.noarch.rpm

ppc64le:
nginx-1.18.0-3.module+el8.4.0+11152+f736ed63.1.ppc64le.rpm
nginx-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.ppc64le.rpm
nginx-debugsource-1.18.0-3.module+el8.4.0+11152+f736ed63.1.ppc64le.rpm
nginx-mod-http-image-filter-1.18.0-3.module+el8.4.0+11152+f736ed63.1.ppc64le.rpm
nginx-mod-http-image-filter-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.ppc64le.rpm
nginx-mod-http-perl-1.18.0-3.module+el8.4.0+11152+f736ed63.1.ppc64le.rpm
nginx-mod-http-perl-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.ppc64le.rpm
nginx-mod-http-xslt-filter-1.18.0-3.module+el8.4.0+11152+f736ed63.1.ppc64le.rpm
nginx-mod-http-xslt-filter-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.ppc64le.rpm
nginx-mod-mail-1.18.0-3.module+el8.4.0+11152+f736ed63.1.ppc64le.rpm
nginx-mod-mail-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.ppc64le.rpm
nginx-mod-stream-1.18.0-3.module+el8.4.0+11152+f736ed63.1.ppc64le.rpm
nginx-mod-stream-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.ppc64le.rpm

s390x:
nginx-1.18.0-3.module+el8.4.0+11152+f736ed63.1.s390x.rpm
nginx-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.s390x.rpm
nginx-debugsource-1.18.0-3.module+el8.4.0+11152+f736ed63.1.s390x.rpm
nginx-mod-http-image-filter-1.18.0-3.module+el8.4.0+11152+f736ed63.1.s390x.rpm
nginx-mod-http-image-filter-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.s390x.rpm
nginx-mod-http-perl-1.18.0-3.module+el8.4.0+11152+f736ed63.1.s390x.rpm
nginx-mod-http-perl-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.s390x.rpm
nginx-mod-http-xslt-filter-1.18.0-3.module+el8.4.0+11152+f736ed63.1.s390x.rpm
nginx-mod-http-xslt-filter-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.s390x.rpm
nginx-mod-mail-1.18.0-3.module+el8.4.0+11152+f736ed63.1.s390x.rpm
nginx-mod-mail-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.s390x.rpm
nginx-mod-stream-1.18.0-3.module+el8.4.0+11152+f736ed63.1.s390x.rpm
nginx-mod-stream-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.s390x.rpm

x86_64:
nginx-1.18.0-3.module+el8.4.0+11152+f736ed63.1.x86_64.rpm
nginx-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.x86_64.rpm
nginx-debugsource-1.18.0-3.module+el8.4.0+11152+f736ed63.1.x86_64.rpm
nginx-mod-http-image-filter-1.18.0-3.module+el8.4.0+11152+f736ed63.1.x86_64.rpm
nginx-mod-http-image-filter-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.x86_64.rpm
nginx-mod-http-perl-1.18.0-3.module+el8.4.0+11152+f736ed63.1.x86_64.rpm
nginx-mod-http-perl-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.x86_64.rpm
nginx-mod-http-xslt-filter-1.18.0-3.module+el8.4.0+11152+f736ed63.1.x86_64.rpm
nginx-mod-http-xslt-filter-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.x86_64.rpm
nginx-mod-mail-1.18.0-3.module+el8.4.0+11152+f736ed63.1.x86_64.rpm
nginx-mod-mail-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.x86_64.rpm
nginx-mod-stream-1.18.0-3.module+el8.4.0+11152+f736ed63.1.x86_64.rpm
nginx-mod-stream-debuginfo-1.18.0-3.module+el8.4.0+11152+f736ed63.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-23017
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

--------------------------------------------------------------------------------


=====================================================================
Red Hat Security Advisory

Synopsis: Important: rh-nginx116-nginx security update
Advisory ID: RHSA-2021:2278-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2278
Issue date: 2021-06-07
CVE Names: CVE-2021-23017
=====================================================================

1. Summary:

An update for rh-nginx116-nginx is now available for Red Hat Software
Collections.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

nginx is a web and proxy server supporting HTTP and other protocols, with a
focus on high concurrency, performance, and low memory usage.

Security Fix(es):

* nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a
pointer to a root domain name (CVE-2021-23017)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The rh-nginx116-nginx service must be restarted for this update to take
effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1963121 - CVE-2021-23017 nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-nginx116-nginx-1.16.1-6.el7.src.rpm

ppc64le:
rh-nginx116-nginx-1.16.1-6.el7.ppc64le.rpm
rh-nginx116-nginx-debuginfo-1.16.1-6.el7.ppc64le.rpm
rh-nginx116-nginx-mod-http-image-filter-1.16.1-6.el7.ppc64le.rpm
rh-nginx116-nginx-mod-http-perl-1.16.1-6.el7.ppc64le.rpm
rh-nginx116-nginx-mod-http-xslt-filter-1.16.1-6.el7.ppc64le.rpm
rh-nginx116-nginx-mod-mail-1.16.1-6.el7.ppc64le.rpm
rh-nginx116-nginx-mod-stream-1.16.1-6.el7.ppc64le.rpm

s390x:
rh-nginx116-nginx-1.16.1-6.el7.s390x.rpm
rh-nginx116-nginx-debuginfo-1.16.1-6.el7.s390x.rpm
rh-nginx116-nginx-mod-http-image-filter-1.16.1-6.el7.s390x.rpm
rh-nginx116-nginx-mod-http-perl-1.16.1-6.el7.s390x.rpm
rh-nginx116-nginx-mod-http-xslt-filter-1.16.1-6.el7.s390x.rpm
rh-nginx116-nginx-mod-mail-1.16.1-6.el7.s390x.rpm
rh-nginx116-nginx-mod-stream-1.16.1-6.el7.s390x.rpm

x86_64:
rh-nginx116-nginx-1.16.1-6.el7.x86_64.rpm
rh-nginx116-nginx-debuginfo-1.16.1-6.el7.x86_64.rpm
rh-nginx116-nginx-mod-http-image-filter-1.16.1-6.el7.x86_64.rpm
rh-nginx116-nginx-mod-http-perl-1.16.1-6.el7.x86_64.rpm
rh-nginx116-nginx-mod-http-xslt-filter-1.16.1-6.el7.x86_64.rpm
rh-nginx116-nginx-mod-mail-1.16.1-6.el7.x86_64.rpm
rh-nginx116-nginx-mod-stream-1.16.1-6.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7):

Source:
rh-nginx116-nginx-1.16.1-6.el7.src.rpm

ppc64le:
rh-nginx116-nginx-1.16.1-6.el7.ppc64le.rpm
rh-nginx116-nginx-debuginfo-1.16.1-6.el7.ppc64le.rpm
rh-nginx116-nginx-mod-http-image-filter-1.16.1-6.el7.ppc64le.rpm
rh-nginx116-nginx-mod-http-perl-1.16.1-6.el7.ppc64le.rpm
rh-nginx116-nginx-mod-http-xslt-filter-1.16.1-6.el7.ppc64le.rpm
rh-nginx116-nginx-mod-mail-1.16.1-6.el7.ppc64le.rpm
rh-nginx116-nginx-mod-stream-1.16.1-6.el7.ppc64le.rpm

s390x:
rh-nginx116-nginx-1.16.1-6.el7.s390x.rpm
rh-nginx116-nginx-debuginfo-1.16.1-6.el7.s390x.rpm
rh-nginx116-nginx-mod-http-image-filter-1.16.1-6.el7.s390x.rpm
rh-nginx116-nginx-mod-http-perl-1.16.1-6.el7.s390x.rpm
rh-nginx116-nginx-mod-http-xslt-filter-1.16.1-6.el7.s390x.rpm
rh-nginx116-nginx-mod-mail-1.16.1-6.el7.s390x.rpm
rh-nginx116-nginx-mod-stream-1.16.1-6.el7.s390x.rpm

x86_64:
rh-nginx116-nginx-1.16.1-6.el7.x86_64.rpm
rh-nginx116-nginx-debuginfo-1.16.1-6.el7.x86_64.rpm
rh-nginx116-nginx-mod-http-image-filter-1.16.1-6.el7.x86_64.rpm
rh-nginx116-nginx-mod-http-perl-1.16.1-6.el7.x86_64.rpm
rh-nginx116-nginx-mod-http-xslt-filter-1.16.1-6.el7.x86_64.rpm
rh-nginx116-nginx-mod-mail-1.16.1-6.el7.x86_64.rpm
rh-nginx116-nginx-mod-stream-1.16.1-6.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-nginx116-nginx-1.16.1-6.el7.src.rpm

x86_64:
rh-nginx116-nginx-1.16.1-6.el7.x86_64.rpm
rh-nginx116-nginx-debuginfo-1.16.1-6.el7.x86_64.rpm
rh-nginx116-nginx-mod-http-image-filter-1.16.1-6.el7.x86_64.rpm
rh-nginx116-nginx-mod-http-perl-1.16.1-6.el7.x86_64.rpm
rh-nginx116-nginx-mod-http-xslt-filter-1.16.1-6.el7.x86_64.rpm
rh-nginx116-nginx-mod-mail-1.16.1-6.el7.x86_64.rpm
rh-nginx116-nginx-mod-stream-1.16.1-6.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-23017
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================


ESB-2021.1974 – [Win][UNIX/Linux][Debian] nginx: Reduced security – Unknown/unspecified


===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1974
nginx security update
8 June 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           nginx
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Reduced Security -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-20005

Original Bulletin:
https://lists.debian.org/debian-lts-announce/2021/06/msg00009.html

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running nginx check for an updated version of the software for their
         operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2680-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
June 07, 2021                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : nginx
Version : 1.10.3-1+deb9u7
CVE ID : CVE-2017-20005

Jamie Landeg-Jones and Manfred Paul discovered a buffer overflow vulnerability
in NGINX, a small, powerful, scalable web/proxy server.

NGINX has a buffer overflow for years that exceed four digits, as demonstrated
by a file with a modification date in 1969 that causes an integer overflow (or
a false modification date far in the future), when encountered by the autoindex
module.

For Debian 9 stretch, this problem has been fixed in version
1.10.3-1+deb9u7.

We recommend that you upgrade your nginx packages.

For the detailed security status of nginx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nginx

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


--------------------------END INCLUDED TEXT--------------------



ESB-2021.1975 – [SUSE] snakeyaml: Denial of service – Remote/unauthenticated


===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1975
Security update for snakeyaml
8 June 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           snakeyaml
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-18640

Reference:         ESB-2021.1519
                   ESB-2020.2096

Original Bulletin:
https://www.suse.com/support/update/announcement/2021/suse-su-20211876-1

--------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for snakeyaml

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1876-1
Rating: important
References: #1159488 #1186088
Cross-References: CVE-2017-18640
Affected Products:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2
SUSE Linux Enterprise Module for Development Tools 15-SP3
SUSE Linux Enterprise Module for Development Tools 15-SP2
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for snakeyaml fixes the following issues:

o Upgrade to 1.28
o CVE-2017-18640: The Alias feature allows entity expansion during a load
operation (bsc#1159488, bsc#1186088)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

o SUSE Linux Enterprise Module for SUSE Manager Server 4.2:
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2021-1876=1
o SUSE Linux Enterprise Module for Development Tools 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-1876=1
o SUSE Linux Enterprise Module for Development Tools 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-1876=1

Package List:

o SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch):
    snakeyaml-1.28-3.5.1
o SUSE Linux Enterprise Module for Development Tools 15-SP3 (noarch):
    snakeyaml-1.28-3.5.1
o SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch):
    snakeyaml-1.28-3.5.1

References:

o https://www.suse.com/security/cve/CVE-2017-18640.html
o https://bugzilla.suse.com/1159488
o https://bugzilla.suse.com/1186088

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
—–BEGIN PGP SIGNATURE—–
Comment: http://www.auscert.org.au/render.html?it=1967
—–END PGP SIGNATURE—–

ESB-2021.1976 – [Android] Android OS: Multiple vulnerabilities

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1976
Android Security Bulletin—June 2021
8 June 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: Android OS
Publisher: Android
Operating System: Android
Impact/Access: Execute Arbitrary Code/Commands — Remote with User Interaction
Increased Privileges — Remote with User Interaction
Access Confidential Data — Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2021-1937 CVE-2021-1925 CVE-2021-1900
CVE-2021-0533 CVE-2021-0532 CVE-2021-0531
CVE-2021-0530 CVE-2021-0529 CVE-2021-0528
CVE-2021-0527 CVE-2021-0526 CVE-2021-0525
CVE-2021-0523 CVE-2021-0522 CVE-2021-0521
CVE-2021-0520 CVE-2021-0517 CVE-2021-0516
CVE-2021-0513 CVE-2021-0512 CVE-2021-0511
CVE-2021-0510 CVE-2021-0509 CVE-2021-0508
CVE-2021-0507 CVE-2021-0506 CVE-2021-0505
CVE-2021-0504 CVE-2021-0478 CVE-2020-26558
CVE-2020-26555 CVE-2020-14305 CVE-2020-11306
CVE-2020-11304 CVE-2020-11298 CVE-2020-11292
CVE-2020-11291 CVE-2020-11267 CVE-2020-11176

Reference: ESB-2020.3346

Original Bulletin:
https://source.android.com/security/bulletin/2021-06-01

– ————————–BEGIN INCLUDED TEXT——————–

Android Security Bulletin-June 2021

Published June 7, 2021

The Android Security Bulletin contains details of security vulnerabilities
affecting Android devices. Security patch levels of 2021-06-05 or later address
all of these issues. To learn how to check a device's security patch level, see
Check and update your Android version.

Android partners are notified of all issues at least a month before
publication. Source code patches for these issues will be released to the
Android Open Source Project (AOSP) repository in the next 48 hours. We will
revise this bulletin with the AOSP links when they are available.

The most severe of these issues is a critical security vulnerability in the
System component that could enable a remote attacker using a specially crafted
transmission to execute arbitrary code within the context of a privileged
process. The severity assessment is based on the effect that exploiting the
vulnerability would possibly have on an affected device, assuming the platform
and service mitigations are turned off for development purposes or if
successfully bypassed.

Announcements

o For July, the Android public security bulletin will be released on July 7,
2021

Refer to the Android and Google Play Protect mitigations section for details on
the Android security platform protections and Google Play Protect, which
improve the security of the Android platform.

Note: Information on the latest over-the-air update (OTA) and firmware images
for Google devices is available in the June 2021 Pixel Update Bulletin.

Android and Google service mitigations

This is a summary of the mitigations provided by the Android security platform
and service protections such as Google Play Protect. These capabilities reduce
the likelihood that security vulnerabilities could be successfully exploited on
Android.

o Exploitation for many issues on Android is made more difficult by
enhancements in newer versions of the Android platform. We encourage all
users to update to the latest version of Android where possible.
o The Android security team actively monitors for abuse through Google Play
Protect and warns users about Potentially Harmful Applications. Google
Play Protect is enabled by default on devices with Google Mobile Services,
and is especially important for users who install apps from outside of
Google Play.

2021-06-01 security patch level vulnerability details

In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2021-06-01 patch level. Vulnerabilities are
grouped under the component they affect. Issues are described in the tables
below and include CVE ID, associated references, type of vulnerability,
severity, and updated AOSP versions (where applicable). When available, we
link the public change that addressed the issue to the bug ID, like the AOSP
change list. When multiple changes relate to a single bug, additional
references are linked to numbers following the bug ID. Devices with Android 10
and later may receive security updates as well as Google Play system updates.

Android runtime

The vulnerability in this section could enable a local attacker to execute
arbitrary code and bypass user interaction requirements in order to gain access
to additional permissions.

CVE References Type Severity Updated AOSP versions
CVE-2021-0511 A-178055795 EoP High 9, 10, 11

Framework

The vulnerability in this section could lead to local information disclosure of
cross-user permissions with no additional execution privileges needed.

CVE References Type Severity Updated AOSP versions
CVE-2021-0521 A-174661955 ID High 8.1, 9, 10, 11

Media Framework

The most severe vulnerability in this section could enable a local malicious
application to bypass user interaction requirements in order to gain access to
additional permissions.

CVE References Type Severity Updated AOSP versions
CVE-2021-0508 A-176444154 EoP High 8.1, 9, 10, 11
CVE-2021-0509 A-176444161 EoP High 8.1, 9, 10, 11
CVE-2021-0510 A-176444622 EoP High 8.1, 9, 10, 11
CVE-2021-0520 A-176237595 EoP High 10, 11

System

The most severe vulnerability in this section could enable a remote attacker
using a specially crafted transmission to execute arbitrary code within the
context of a privileged process.

CVE References Type Severity Updated AOSP versions
CVE-2021-0507 A-181860042 RCE Critical 8.1, 9, 10, 11
CVE-2021-0516 A-181660448 EoP Critical 8.1, 9, 10, 11
CVE-2021-0505 A-179975048 EoP High 11
CVE-2021-0506 A-181962311 EoP High 8.1, 9, 10, 11
CVE-2021-0523 A-174047492 EoP High 10, 11
CVE-2021-0504 A-179162665 ID High 11
CVE-2021-0517 A-179053823 ID High 11
CVE-2021-0522 A-174182139 ID High 9, 10, 11

Google Play system updates

There are no security issues addressed in Google Play system updates (Project
Mainline) this month.

2021-06-05 security patch level vulnerability details

In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2021-06-05 patch level. Vulnerabilities are
grouped under the component they affect. Issues are described in the tables
below and include CVE ID, associated references, type of vulnerability,
severity, and updated AOSP versions (where applicable). When available, we
link the public change that addressed the issue to the bug ID, like the AOSP
change list. When multiple changes relate to a single bug, additional
references are linked to numbers following the bug ID.

Framework

The vulnerability in this section could enable a local malicious application to
bypass user interaction requirements in order to gain access to additional
permissions.

CVE References Type Severity Updated AOSP versions
CVE-2021-0513 A-156090809 EoP High 8.1, 9, 10, 11

System

The most severe vulnerability in this section could enable a remote attacker
using a specially crafted transmission to gain access to additional
permissions.

CVE References Type Severity Updated AOSP versions
CVE-2020-26555 A-174626251 EoP High 8.1, 9, 10, 11
CVE-2020-26558 A-174886838 EoP High 8.1, 9, 10, 11
CVE-2021-0478 A-169255797 EoP High 8.1, 9, 10, 11

Kernel components

The most severe vulnerability in this section could lead to local escalation of
privilege with no additional execution privileges needed.

CVE             References                        Type  Severity  Component
CVE-2020-14305  A-174904512 (Upstream kernel)     EoP   High      Voice Over IP H.323
CVE-2021-0512   A-173843328 (Upstream kernel)     EoP   High      HID

MediaTek components

These vulnerabilities affect MediaTek components and further details are
available directly from MediaTek. The severity assessment of these issues is
provided directly by MediaTek.

CVE             References                      Severity  Component
CVE-2021-0525   A-185193929 M-ALPS05403499 *    High      memory management driver
CVE-2021-0526   A-185195264 M-ALPS05403499 *    High      memory management driver
CVE-2021-0527   A-185193931 M-ALPS05403499 *    High      memory management driver
CVE-2021-0528   A-185195266 M-ALPS05403499 *    High      memory management driver
CVE-2021-0529   A-185195268 M-ALPS05403499 *    High      memory management driver
CVE-2021-0530   A-185196175 M-ALPS05403499 *    High      memory management driver
CVE-2021-0531   A-185195272 M-ALPS05403499 *    High      memory management driver
CVE-2021-0532   A-185196177 M-ALPS05403499 *    High      memory management driver
CVE-2021-0533   A-185193932 M-ALPS05403499 *    High      memory management driver

Qualcomm components

This vulnerability affects Qualcomm components and is described in further
detail in the appropriate Qualcomm security bulletin or security alert. The
severity assessment of this issue is provided directly by Qualcomm.

CVE             References                            Severity  Component
CVE-2020-11267  A-168918351 QC-CR#2723768 [2] [3]     High      Security

Qualcomm closed-source components

These vulnerabilities affect Qualcomm closed-source components and are
described in further detail in the appropriate Qualcomm security bulletin or
security alert. The severity assessment of these issues is provided directly by
Qualcomm.

CVE References Severity Component
CVE-2020-11176 A-175038159 * Critical Closed-source component
CVE-2020-11291 A-175038624 * Critical Closed-source component
CVE-2020-26558 A-179039983 * Critical Closed-source component
CVE-2020-11292 A-171309888 * High Closed-source component
CVE-2020-11298 A-175038385 * High Closed-source component
CVE-2020-11304 A-167567084 * High Closed-source component
CVE-2020-11306 A-175038981 * High Closed-source component
CVE-2020-26555 A-181682537 * High Closed-source component
CVE-2021-1900 A-181682536 * High Closed-source component
CVE-2021-1925 A-179040020 * High Closed-source component
CVE-2021-1937 A-181682513 * High Closed-source component

Common questions and answers

This section answers common questions that may occur after reading this
bulletin.

1. How do I determine if my device is updated to address these issues?

To learn how to check a device's security patch level, see Check and update
your Android version.

o Security patch levels of 2021-06-01 or later address all issues associated
with the 2021-06-01 security patch level.
o Security patch levels of 2021-06-05 or later address all issues associated
with the 2021-06-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string
level to:

o [ro.build.version.security_patch]:[2021-06-01]
o [ro.build.version.security_patch]:[2021-06-05]

For some devices on Android 10 or later, the Google Play system update will
have a date string that matches the 2021-06-01 security patch level. Please see
this article for more details on how to install security updates.
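The check described in this answer, as an added example that is not part of the Android bulletin or the AusCERT text: it reads the `ro.build.version.security_patch` property named above (over `adb`, assumed to be on PATH with one device attached) and reports which of the two patch levels the device meets and which of this bulletin's CVEs remain unaddressed. The CVE groupings are copied from the bulletin's component tables; a patch level dated after a bulletin level counts as meeting it, as Q1 states.

```python
"""Compare a device's reported Android security patch level against the
June 2021 bulletin.  Added example; not Google's or AusCERT's code."""
from datetime import date
import subprocess

# Patch levels defined by the bulletin and the CVEs each level addresses
# (taken from the 2021-06-01 and 2021-06-05 component tables above).
BULLETIN_LEVELS = {
    "2021-06-01": [
        "CVE-2021-0511",                                     # Android runtime
        "CVE-2021-0521",                                     # Framework
        "CVE-2021-0508", "CVE-2021-0509", "CVE-2021-0510",   # Media Framework
        "CVE-2021-0520",
        "CVE-2021-0507", "CVE-2021-0516", "CVE-2021-0505",   # System
        "CVE-2021-0506", "CVE-2021-0523", "CVE-2021-0504",
        "CVE-2021-0517", "CVE-2021-0522",
    ],
    "2021-06-05": [
        "CVE-2021-0513",                                     # Framework
        "CVE-2020-26555", "CVE-2020-26558", "CVE-2021-0478", # System
        "CVE-2020-14305", "CVE-2021-0512",                   # Kernel components
        "CVE-2021-0525", "CVE-2021-0526", "CVE-2021-0527",   # MediaTek
        "CVE-2021-0528", "CVE-2021-0529", "CVE-2021-0530",
        "CVE-2021-0531", "CVE-2021-0532", "CVE-2021-0533",
        "CVE-2020-11267",                                    # Qualcomm
        "CVE-2020-11176", "CVE-2020-11291", "CVE-2020-11292", # Qualcomm closed-source
        "CVE-2020-11298", "CVE-2020-11304", "CVE-2020-11306", # (26555/26558 listed
        "CVE-2021-1900", "CVE-2021-1925", "CVE-2021-1937",    #  once, under System)
    ],
}


def parse_patch_level(value):
    """Parse a 'YYYY-MM-DD' patch string; None if the property is malformed
    (an empty or vendor-mangled value should be treated as unknown, not OK)."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def assess(patch_level):
    """Return which bulletin levels the device meets and the CVEs that are
    addressed / still missing.  Raises ValueError on an unparseable level."""
    reported = parse_patch_level(patch_level)
    if reported is None:
        raise ValueError(f"unrecognised security patch level: {patch_level!r}")
    levels_met, addressed, missing = [], [], []
    for level, cves in BULLETIN_LEVELS.items():
        # "2021-06-01 or later" / "2021-06-05 or later" per the bulletin's Q1
        if reported >= date.fromisoformat(level):
            levels_met.append(level)
            addressed.extend(cves)
        else:
            missing.extend(cves)
    return {"levels_met": levels_met, "addressed": addressed, "missing": missing}


def device_patch_level():
    """Read the property from an attached device (assumes adb is on PATH)."""
    result = subprocess.run(
        ["adb", "shell", "getprop", "ro.build.version.security_patch"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    import sys
    level = sys.argv[1] if len(sys.argv) > 1 else device_patch_level()
    report = assess(level)
    print(f"reported patch level: {level}")
    print(f"bulletin levels met:  {report['levels_met'] or 'none'}")
    print(f"CVEs still unaddressed ({len(report['missing'])}):")
    for cve in report["missing"]:
        print("  ", cve)
```

Pass a patch string on the command line to assess a value collected elsewhere (for example from a fleet inventory) without an attached device.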

2. Why does this bulletin have two security patch levels?

This bulletin has two security patch levels so that Android partners have the
flexibility to fix a subset of vulnerabilities that are similar across all
Android devices more quickly. Android partners are encouraged to fix all issues
in this bulletin and use the latest security patch level.

o Devices that use the 2021-06-01 security patch level must include all
issues associated with that security patch level, as well as fixes for all
issues reported in previous security bulletins.
o Devices that use the security patch level of 2021-06-05 or newer must
include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing
in a single update.

3. What do the entries in the Type column mean?

Entries in the Type column of the vulnerability details table reference the
classification of the security vulnerability.

Abbreviation Definition
RCE Remote code execution
EoP Elevation of privilege
ID Information disclosure
DoS Denial of service
N/A Classification not available

4. What do the entries in the References column mean?

Entries under the References column of the vulnerability details table may
contain a prefix identifying the organization to which the reference value
belongs.

Prefix Reference
A- Android bug ID
QC- Qualcomm reference number
M- MediaTek reference number
N- NVIDIA reference number
B- Broadcom reference number

5. What does an * next to the Android bug ID in the References column mean?

Issues that are not publicly available have an * next to the corresponding
reference ID. The update for that issue is generally contained in the latest
binary drivers for Pixel devices available from the Google Developer site.

6. Why are security vulnerabilities split between this bulletin and device /
partner security bulletins, such as the Pixel bulletin?

Security vulnerabilities that are documented in this security bulletin are
required to declare the latest security patch level on Android devices.
Additional security vulnerabilities that are documented in the device / partner
security bulletins are not required for declaring a security patch level.
Android device and chipset manufacturers may also publish security
vulnerability details specific to their products, such as Google, Huawei, LGE,
Motorola, Nokia, or Samsung.

Versions

Version Date Notes
1.0 June 7, 2021 Bulletin published

– ————————–END INCLUDED TEXT——————–

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
—–BEGIN PGP SIGNATURE—–
Comment: http://www.auscert.org.au/render.html?it=1967
—–END PGP SIGNATURE—–

ESB-2021.1977 – [Debian] thunderbird: Multiple vulnerabilities

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1977
thunderbird security update
8 June 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: thunderbird
Publisher: Debian
Operating System: Debian GNU/Linux
Impact/Access: Execute Arbitrary Code/Commands — Remote with User Interaction
Denial of Service — Remote with User Interaction
Access Confidential Data — Existing Account
Reduced Security — Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2021-29967 CVE-2021-29957 CVE-2021-29956

Reference: ESB-2021.1968
ESB-2021.1955
ESB-2021.1942

Original Bulletin:
https://lists.debian.org/debian-lts-announce/2021/06/msg00008.html

– ————————–BEGIN INCLUDED TEXT——————–

– —–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

– – ————————————————————————-
Debian LTS Advisory DLA-2679-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
June 07, 2021 https://wiki.debian.org/LTS
– – ————————————————————————-

Package : thunderbird
Version : 1:78.11.0-1~deb9u1
CVE ID : CVE-2021-29956 CVE-2021-29957 CVE-2021-29967

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code. In addition, two security
issues were addressed in the OpenPGP support.

For Debian 9 stretch, these problems have been fixed in version
1:78.11.0-1~deb9u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
– —–BEGIN PGP SIGNATURE—–
– —–END PGP SIGNATURE—–

– ————————–END INCLUDED TEXT——————–

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
—–BEGIN PGP SIGNATURE—–
Comment: http://www.auscert.org.au/render.html?it=1967
—–END PGP SIGNATURE—–

Monday, June 7, 2021

New Executive Order on Improving the Nation’s Cybersecurity

In case you missed it, the President of the United States of America, Joe Biden, issued a new executive order in May of 2021, aimed at improving the nation's cyber security. With the increase in threats and almost daily stories of new companies being the subject of ransomware and data breaches, perhaps it's no surprise that the U.S. Federal government is taking a serious look at the state of security in federal organizations.

The post New Executive Order on Improving the Nation’s Cybersecurity appeared first on K2io.

ISACA Workforce Report | Avast

Since 1967, ISACA has been providing a centralized source of information and guidance within the IT governance and control field. ISACA’s State of Cybersecurity 2021, Part 1 report contains the organization’s update on its workforce development efforts. This is the seventh year that ISACA has surveyed its membership, and the report is based on more than 3,600 respondents from 120 countries, with more than half of them saying their primary jobs are directly in the field.

In spite of the Covid-19 pandemic, overall cybersecurity spending has dropped, which seems counterintuitive but continues to be a trend that ISACA has been documenting for several years (see the chart below).

The post ISACA Workforce Report | Avast appeared first on Security Boulevard.

The Importance of Identity and Access Management (IAM) in Cloud Infrastructure

Learn how to easily and securely manage human and service identities, and their entitlements, to secure your organization’s cloud infrastructure.

The post The Importance of Identity and Access Management (IAM) in Cloud Infrastructure appeared first on Ermetic.

Latvian Woman Charged for Her Role in Creating Trickbot Banking Malware

The U.S. Department of Justice (DoJ) on Friday charged a Latvian woman for her alleged role as a programmer in a cybercrime gang that helped develop TrickBot malware.

The woman in question, Alla Witte, aka Max, 55, who resided in Paramaribo, Suriname, was arrested in Miami, Florida on February 6. Witte has been charged with 19 counts, including conspiracy to commit computer fraud and aggravated identity theft, wire and bank fraud affecting a financial institution, and money laundering.

According to heavily redacted court documents released by the DoJ, Witte and 16 other unnamed cohorts have been accused of running a transnational criminal organization to develop and deploy a digital suite of malware tools with an aim to target businesses and individuals worldwide for theft and ransom.

Since its origin as a banking Trojan in late 2015, TrickBot has evolved into a “crimeware-as-a-service” capable of pilfering valuable personal and financial information and even dropping ransomware and post-exploitation toolkits on compromised devices, in addition to recruiting them into a family of bots. The group is said to have primarily operated out of Russia, Belarus, Ukraine, and Suriname.

Largely propagated through phishing and malspam attacks, TrickBot is designed to capture online banking login credentials and hoover other personal information, such as credit card numbers, emails, passwords, dates of birth, social security numbers, and addresses, with the captured credentials abused to gain illicit access to online bank accounts, execute unauthorized electronic funds transfers, and launder the money through U.S. and foreign beneficiary accounts.

TrickBot also emerged on the threat landscape coinciding with the disbanding of the malware crew behind Dyre after the latter’s rapid rise to prominence was curtailed in November 2015, when Russia’s Federal Security Service (FSB) purportedly made numerous arrests of individuals suspected of being part of the group.

“In the months and years following the Russian authorities’ purported actions, the Dyre actors regrouped and created a new suite of malware tools known as Trickbot,” the DoJ said.

Accusing the defendants of plundering money and confidential information from unsuspecting businesses and financial institutions in the U.S., U.K., Australia, Belgium, Canada, Germany, India, Italy, Mexico, Spain, and Russia, the DoJ said Witte was a malware developer “overseeing the creation of code related to the monitoring and tracking of authorized users of the Trickbot malware, the control and deployment of ransomware, obtaining payments from ransomware victims, and developing tools and protocols for the storage of credentials stolen and exfiltrated from victims infected by Trickbot.”

TrickBot notably suffered a huge blow to its infrastructure following twin efforts led by the U.S. Cyber Command and Microsoft to eliminate 94% of its command-and-control (C2) servers that were in use as well as any new servers the criminals operating TrickBot attempted to bring online to replace the previously disabled servers.

But these takedowns have only served as a temporary solution. Not only has the malware proven to be resilient to law enforcement actions, the operators have also bounced back by adjusting tactics and hosting their malware in other criminal servers that make use of Mikrotik routers.

“Witte and her associates are accused of infecting tens of millions of computers worldwide, in an effort to steal financial information to ultimately siphon off millions of dollars through compromised computer systems,” said Special Agent in Charge Eric B. Smith of the FBI’s Cleveland Field Office. “Cyber intrusions and malware infections take significant time, expertise, and investigative effort, but the FBI will ensure these hackers are held accountable, no matter where they reside or how anonymous they think they are.”

If convicted on all charges, Witte faces a maximum penalty of no fewer than 90 years in prison.

SaaS to PaaS: The Best Kind of Platform Shift

For cloud security specialists, these are strange times, indeed. On one hand, software-as-a-service (SaaS) providers with a focus on security are tearing up the transaction market. The most recent one is described as the largest private equity deal in the cybersecurity industry, and the staggering amounts of money involved in this very hot market are..

The post SaaS to PaaS: The Best Kind of Platform Shift appeared first on Security Boulevard.

Qualcomm IPQ40xx: Breaking into QSEE using Fault Injection

We’ve identified multiple critical software vulnerabilities in QSEE, Qualcomm’s Trusted Execution Environment (TEE), on Qualcomm IPQ40xx-based devices (see blog #1 and blog #2). We exploited these vulnerabilities in order to disable the secure range checks performed by QSEE in order to execute arbitrary code at the highest privilege (see blog #4). As these vulnerabilities are software vulnerabilities, they were easily fixed by Qualcomm after we disclosed them responsibly.

As you may have already raelized, at Raelize we like to look further than just software vulnerabilities. Therefore, we decided to analyze the resilience of the Qualcomm IPQ40xx family of chips towards Electromagnetic Fault Injection (EMFI). We used the Linksys EA8300 WiFi router (see blog #2).

We are fully aware that FI attacks are typically out of scope for a TEE threat model. Actually, ARM specifies this very clearly in their documentation. However, TEEs are also used for devices where FI attacks are considered a reasonable threat. Therefore, even if FI attacks are out of scope for a TEE according to ARM, they may not be for specific devices. The TEE on such devices may be used to protect assets interesting for an attacker, making it a (very) interesting attack surface. Whenever the underlying platform (i.e. hardware) is vulnerable to FI attacks, the security of a TEE can be (easily) compromised, as we will see in this post.

At first, you may think that the ARM TrustZone hardware primitives (e.g. NS bit, TrustZone controllers, …) are the most interesting target for a FI attack. However, we decided to target the processor executing the QSEE software in order to show that other approaches are very effective as well.

EMFI

We use Riscure’s EMFI tooling to inject EM glitches in the chip. This tooling drives a high voltage through a coil in order to generate an electromagnetic field. This allows us to introduce faults at the transistor level due to eddy currents within the chip’s circuitry. The concept of EMFI is shown in the picture below (source).


A diagram of our setup is shown below. We used the Riscure Spider, Riscure EMFI Probe and Riscure XYZ stage. Additionally, we use a solid-state relay to control the external power supply of the target. We control all the hardware using Riscure’s Inspector FI Python framework in order to, among other things, set the glitch parameters (i.e. position, timing and glitch power) completely automatically.


We perform the EMFI attack by placing the EM probe directly on the chip’s surface. In order to do so, we opened up the target and removed the chip’s heatsink. We made no other physical (invasive) modifications. An actual picture of the chip is shown below.


We often get asked if our lab-grade tooling made by Riscure is really required to perform our attacks. We believe it’s definitely possible to perform the same type of attacks using easier to obtain tooling like NewAE’s ChipShouter or to build your own tooling. However, the tooling we use makes it easier to identify and reproduce the attacks. Nonetheless, we would love to hear from you if you’re working on reproducing our research using other tooling.

Characterization

Whenever possible, we like to start with a FI characterization test in order to determine if the target is vulnerable. We implement the characterization code, which is shown below, as a U-Boot standalone application. The goal of this characterization test is to identify good glitch parameters (i.e. location and power) in a semi-controlled environment. By repeating the target instruction (i.e. the add instruction) we increase the chances for success.

uint32_t *trigger = (uint32_t *)(0x0102f004);   // GPIO register used as trigger
if (cmd == 'A') {
    uint32_t counter;
    *trigger = 0x0;                             // 1. set trigger high
    asm volatile (
        "mov r0, #0;"                           // 2. set counter to 0
        "add r0, r0, #1;"                       // 3. increase counter
        /* "add r0, r0, #1;" repeated 10,000 times in total */
        "mov %[counter], r0;"
        : [counter] "=r" (counter)
        :
        : "r0" );
    *trigger = 0x3;                             // 4. set trigger to low
    printf("AAAA%08xBBBB\n", counter);          // 5. print counter on UART
}

We use a GPIO pin of the target as a trigger to time the characterization test. This allows us to inject glitches exactly when the add instructions are executed. If the resulting counter value that’s printed on the serial interface differs from the expected value, we know we successfully modified the expected behavior of the software.

After performing roughly 20,000 experiments across the chip’s surface, we observed different outputs, some of which are shown below. Most interesting, of course, are the experiments where a modified counter value is returned: an indication that the target is vulnerable.

Type         Response
Expected     AAAA 00002710 BBBB
Reset/Mute   no output
Success      AAAA 0000270f BBBB
Success      AAAA 0000270e BBBB
Success      AAAA 0000270b BBBB

We plot the experiments based on their classification in order to determine what’s a good location for the EMFI probe, which is shown below. Interestingly, we observe that all successful experiments occurred in a specific area on the chip’s surface.


Even though we determined that the target is vulnerable to EMFI, we don’t know yet if we can actually alter the QSEE software itself, as we targeted only U-Boot code so far. However, as both U-Boot and QSEE are executed by the same processor, just with a different NS bit, we are confident the vulnerable locations we identified will yield faults in QSEE software too. Therefore, we place the probe on one of the locations where we observed a successful glitch. This allows us to target QSEE software without moving the probe, effectively removing the spatial parameter from the glitch parameter search space.

Disabling secure ranges

As mentioned earlier, we decided to target the QSEE software instead of the underlying ARM TrustZone hardware primitives (e.g. NS-bit, TZASC).

We know from our earlier conducted QSEE software analysis that various security enforcements are entirely implemented by software. This includes for example the secure range checks which are performed by the SMC handler routines on the arguments received from the Rich Execution Environment (REE).

We decided to target an SMC handler routine that does not include any software vulnerability. One of the candidates that we identified is tzbsp_fver_get_version, for which the decompilation is shown below.

int tzbsp_fver_get_version(uint32_t a1, uint32_t *a2, uint32_t a3)
{
    uint32_t v4 = 0;
    if ( !is_ree_range(off_87EAB290, a2, a2 + 3) )   // range check
        return 0xFFFFFFEE;
    if ( a3 < 4 || !a2 )                             // argument check
        return 0xFFFFFFF0;
    *a2 = 0;                                         // NULL-write
    do {
        if ( dword_87EABB48[2 * v4] == a1 )          // must fail
            *a2 = dword_87EABB48[2 * v4 + 1];
        ++v4;
    } while ( v4 < 0xC );
    return 0;
}

The is_ree_range function checks if a2 and a2 + 3 point to non-secure memory. This argument is passed from the REE and we assume that this argument is under control of the attacker. Put simply, this function verifies if the buffer provided from the REE overlaps with secure memory. If it does, tzbsp_fver_get_version will immediately return 0xFFFFFFEE.

Using an EM glitch, we aim to bypass the restrictions enforced by the is_ree_range function. This allows us to execute the remainder of tzbsp_fver_get_version in order to write NULL to an arbitrary address (incl. secure memory).

We communicate with tzbsp_fver_get_version from the REE using a U-Boot standalone application, which is shown below.

uint32_t a1 = 0xdeadbeef;                       // pass argument check
uint32_t a2 = 0x87EAB204;                       // secure memory address
uint32_t a3 = 4;                                // pass argument check
uint32_t a4 = 0;                                // NA
uint32_t *trigger = (uint32_t *)(0x0102f004);   // GPIO register used as trigger
// trigger up
*trigger = 0x0;
// calling tzbsp_fver_get_version() (the glitch is injected during this call)
uint32_t ret1 = scm_call_r(0x6, 0x3, a1, a2, a3, a4, 3);
// trigger down
*trigger = 0x3;
// calling tzbsp_fver_get_version() again, without glitch, to verify the result
uint32_t ret2 = scm_call_r(0x6, 0x3, a1, a2, a3, a4, 3);
// printing to serial interface
printf("AAAA%08x%08x%08xBBBB\n", ret1, ret2, *(uint32_t *)a2);

We use a GPIO signal as a trigger to time exactly when tzbsp_fver_get_version is executed. The EM glitch is injected between the moment the trigger is set high and the moment it is set low, a window of approximately 5.875 microseconds (see picture below).


In the above code example, by writing NULL to 0x87EAB204, we disable one of the secure ranges defined in the secure range table. How this works exactly will be explained in more detail in blog #4 of this series. For this post, it’s sufficient to raelize that a successful attack will disable the restrictions enforced by the secure range check for each SMC handler routine.

We execute tzbsp_fver_get_version a second time, with the same destination address, without injecting any glitch, in order to verify whether the attack was successful. If the secure range is successfully disabled, is_ree_range will consider any address passed from REE in a2 as valid, including secure memory addresses. The write to the secure memory address will then successfully complete as well.

Moreover, in the last line of the code, we dereference the secure range flag field from REE. This is done in order to verify that the malicious TEE write actually happened. It should be noted that, due to the (mis)configuration of the target, we are able to read secure memory from the REE.

Typically, this is not possible, or should NOT be possible, as otherwise any secret handled by QSEE would be exposed to the REE. In our setup, we only use this misconfiguration to double-check whether an experiment is successful or not.

We expect at least the following types of results: expected, successful, processor exception and reset/mute experiments. The table below indicates the serial interface output we expect to receive for each result.

Type         Response
Expected     AAAAffffffeeffffffee00000002BBBB
Success      AAAA000000000000000000000000BBBB
Exceptions   undefined instruction
Reset/Mute   no output

We performed roughly 300,000 experiments where we inject EM glitches within the entire attack window. We give each experiment a randomized power between 10% and 100%. The EM probe itself is fixed to a vulnerable location on the chip’s surface that we identified earlier. This entire campaign lasted roughly 12 hours. We plotted all experiments as is shown in the figure below.


We can summarize the plot as follows:

In area 1 we observe many processor exceptions, an indication that the glitch is injected while U-Boot code is being executed. In other words, we inject the glitch too soon.
In area 2 we observe many successful experiments, an indication that this is exactly the moment where we want to inject the glitch. Moreover, this proves that this is the moment where tzbsp_fver_get_version is executed.
In area 3 we observe many processor exceptions, an indication that the glitch is injected while U-Boot code is being executed. In other words, we inject the glitch too late.

The success rate is fairly low. Most experiments return the expected response and are thus not successful. Nonetheless, we observe a success rate of 0.05%, which, at our testing speeds, translates to roughly 1 successful experiment every 5 minutes.

However, if we set the glitch parameters (i.e. glitch delay and glitch power) to that of a successful experiment, we observe a success rate of 5%, or roughly 1 successful experiment every 20 seconds. This shows that the reproducibility of bypassing the range check is very high. We feel comfortable saying that we are able to bypass any of the configured range checks, by using an EM glitch.
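As an added example (not Raelize’s code), the following Python snippet classifies framed serial responses into the four result types from the table above and computes the success rate of a campaign; the sample log lines and the extra "garbled"/"other" categories are constructed for illustration.

```python
import re
from collections import Counter

# Framing used by the U-Boot test above: "AAAA" + three %08x fields + "BBBB".
FRAME_RE = re.compile(r"^AAAA([0-9a-f]{8})([0-9a-f]{8})([0-9a-f]{8})BBBB$")
EXPECTED = (0xFFFFFFEE, 0xFFFFFFEE, 0x2)  # both calls rejected, flag untouched
SUCCESS = (0x0, 0x0, 0x0)                  # both calls returned 0, flag cleared

def parse_frame(line):
    """Return (ret1, ret2, flag) from a framed response, or None."""
    m = FRAME_RE.match(line.strip())
    return tuple(int(x, 16) for x in m.groups()) if m else None

def classify(line):
    """Map one serial response to one of the result types listed in the post."""
    text = line.strip()
    if text == "":
        return "reset/mute"
    if "undefined instruction" in text.lower():
        return "exception"
    fields = parse_frame(text)
    if fields is None:
        return "garbled"   # truncated or corrupted frame (constructed category)
    if fields == EXPECTED:
        return "expected"
    if fields == SUCCESS:
        return "success"
    return "other"         # framed but matches neither outcome (constructed)

def summarize(lines):
    """Count result types and return (counts, success rate) for a campaign."""
    counts = Counter(classify(line) for line in lines)
    rate = counts["success"] / len(lines) if lines else 0.0
    return counts, rate

# Constructed sample campaign log; these are not measurements from the post.
SAMPLE_LOG = [
    "AAAAffffffeeffffffee00000002BBBB",
    "AAAAffffffeeffffffee00000002BBBB",
    "AAAA000000000000000000000000BBBB",
    "undefined instruction",
    "",
    "AAAAffffffeeffffffee00000002BBBB",
    "AAAAffffffeeffffffee0000",  # truncated frame
]

if __name__ == "__main__":
    counts, rate = summarize(SAMPLE_LOG)
    print(dict(counts), f"success rate {rate:.2%}")
```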

Achieving code execution

We know from our software vulnerability analysis that we are able to achieve code execution after the secure ranges are disabled. This will be described in full detail in blog #4 (to be released soon).

Conclusion

We demonstrated that the Qualcomm IPQ40xx family of chips is vulnerable to EMFI. We exploited this vulnerability in order to bypass a secure range check performed by QSEE. This allows us to write a restricted value to an arbitrary address (incl. secure memory).

The attack can be described using our FIRM, as shown in the figure below. Once the optimal glitch parameters are found, the attack can be reproduced once every 20 seconds, which is a very high success rate.


We targeted the processor executing the QSEE software instead of the ARM TrustZone hardware primitives. This means that hardening these hardware primitives alone is not sufficient to protect a device against FI attacks. We believe that hardening the processor itself is fundamental.

The impact of software vulnerabilities is typically much larger than that of (hardware) attacks that require physical access. Mass exploitation, for example, is typically not possible with FI attacks. Nonetheless, we like to stress that this type of attack should not immediately be considered a harmless threat. For instance, such attacks are often used to gain access to secured code or data in order to identify easier to exploit (software) vulnerabilities.

As a TEE is used to secure important assets, it will always be a very interesting target, also for FI-capable attackers. This holds especially for devices where FI attacks are specifically included in the threat model and other components (e.g. ROM, bootloaders) are already hardened.

We’ve disclosed this vulnerability responsibly to Qualcomm using a coordinated disclosure process. They indicated that FI attacks are out of scope for the Qualcomm IPQ40xx family of chips and therefore the vulnerability will not be fixed. This choice is understandable, considering the typical TEE threat model. However, as a result, these chips will be vulnerable forever…

– Raelize.




https://malwaredevil.com/2021/06/07/qualcomm-ipq40xx-breaking-into-qsee-using-fault-injection/?utm_source=rss&utm_medium=rss&utm_campaign=qualcomm-ipq40xx-breaking-into-qsee-using-fault-injection

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...