In this week’s digest, we will discuss the following:
- Apache HTTP server vulnerabilities;
- a Linux Kernel Netfilter Integer Overflow vulnerability; and
- CentOS Web Panel 7 RCE
Apache HTTP Server Vulnerabilities:
- CVE-2006-20001 – mod_dav out of bounds read or write of zero byte
If a carefully-crafted request header can perform a memory read or write of a single zero byte in a heap memory location beyond the header value sent, it could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier, so upgrade to 2.4.55 to mitigate.
- CVE-2022-36760 – mod_proxy_ajp Possible request smuggling
Inconsistent interpretation of HTTP Requests (‘HTTP Request Smuggling’) vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server to which it forwards requests. This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions, so upgrade to 2.4.55 to patch this vulnerability.
- CVE-2022-37436 – mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting
The software does not correctly process CRLF character sequences, which are end-of-line characters. Attackers can send a crafted HTTP packet with a CRLF sequence, causing early truncation of the response headers and incorporating some headers into the response body. If the later headers have any security purpose, they will not be interpreted by the client. This issue affects Apache HTTP Server 2.4.54 and prior versions, so upgrade to 2.4.55 to patch this vulnerability.
Linux Kernel Netfilter Integer Overflow Vulnerability
CVE-2023-0179 consists of stack buffer overflow due to integer underflow vulnerability inside the nft_payload_copy_vlan function, which is invoked with nft_payload expressions as long as a VLAN tag is present in the current socket buffer. RedHat gave this vulnerability a CVSS v3 score of 7.8, which affects machines that are on the newest distro versions such as Ubuntu Jammy, Debian Bullseye, Rocky Linux 9, or machines with a kernel version 5.10 LTS. This vulnerability does not affect Debian buster.
Mitigate this flaw by disabling unprivileged user namespaces preventing exploitation:
sysctl -w kernel.unprivileged_userns_clone = 0
Centos Web Panel 7 Remote Code Execution Vulnerability
CVE-2022-44877 is a critical vulnerability that affects any CWP below version 0.9.8.1147 and is being exploited in the wild. This vulnerability exists in the login/index.php in CWP and allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter. Researchers released a PoC for this vulnerability to GitHub and Youtube on January 5th, 2023, leading to increased exploitation by threat actors. To mitigate this threat, update to the latest version, v0.9.8.1148, as this affects Centos Web Panel 7 < v0.9.8.1147.