Linode Security Digest December 4 – 11, 2022

In this week’s digest, we will discuss:

  • a Grafana security release;
  • an integer overflow in VLC; and
  • a Snapd race condition vulnerability.

Grafana Security Release

Privilege escalation: Unauthorized access to arbitrary endpoints

CVE-2022-39328 is a race condition in the Grafana codebase that allows an unauthenticated user to query an arbitrary endpoint in Grafana. A race condition in the HTTP context creation could result in an HTTP request being assigned the authentication/authorization middlewares of another call. Under heavy load, it is possible that a call protected by a privileged middleware receives the middleware of a public query instead. As a result, an unauthenticated user can successfully query protected endpoints with malicious intent.

All installations for Grafana versions >=9.2.x are impacted. To fully address CVE-2022-39328, Grafana recommends upgrading your instances. 

Privilege escalation: Usernames/email addresses cannot be trusted

Grafana administrators can invite other members to the organization they are an administrator for. When admins add members to the organization, non-existing users get an email invite while existing members are added directly to the organization. When an invite link is sent, it allows anyone with access to the link to sign up with whatever username/email address the user chooses and become a member of the organization. The CVSS score for CVE-2022-39306 is 6.4 Moderate.

All installations for Grafana versions <=9.x, <8.x are impacted. To fully address CVE-2022-39306, Grafana recommends upgrading your instances.

Username enumeration

When using the forgot-password feature on the login page, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, the JSON response contains a “user not found” message, which can be leveraged by unauthenticated users to disclose information on impacted endpoints.

The CVSS score for CVE-2022-39307 is 5.3 Moderate. All installations for Grafana versions <=9.x, <8.x are impacted. To fully address this vulnerability, Grafana recommends upgrading your instances.

Integer Overflow in VLC

VLC media player (previously the VideoLAN Client and commonly known as simply VLC) is a free and open source, portable, cross-platform media player software and streaming media server developed by the VideoLAN project. CVE-2022-41325 resides in the VNC module. VLC can display a VNC video stream by using its URI: vlc vnc://ip_address_of_server:port/

If an attacker has control over a VNC server, they can trick VLC into allocating a memory buffer shorter than expected. The attacker then has a powerful relative “write-what-where” primitive. They can crash VLC, or execute arbitrary code under certain conditions. Although VNC support is provided through a third-party library (LibVNCClient), the affected code is in VLC itself. 

Versions 3.0.17.4 and earlier are affected. The VLC team has fixed the vulnerability in a commit.
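
The failure class described above, as an added example that is not VLC's code: a buffer size computed from peer-supplied dimensions wraps in 32-bit arithmetic, shown next to a checked calculation that rejects the input. The function names, the FB_MAX_BYTES cap and the choice of width, height and bytes per pixel as the inputs are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical policy cap on one frame buffer (not a VLC constant). */
#define FB_MAX_BYTES (256u * 1024u * 1024u)

/* Unchecked form: the product is evaluated in 32 bits and wraps silently. */
static uint32_t fb_size_unchecked(uint32_t w, uint32_t h, uint32_t bpp)
{
    return w * h * bpp;
}

/* Checked form: 0 and *out on success, -1 if a field is zero or the true
 * size exceeds the cap. Widening to 64 bits makes w * h exact. */
static int fb_size_checked(uint32_t w, uint32_t h, uint32_t bpp, size_t *out)
{
    if (w == 0 || h == 0 || bpp == 0)
        return -1;
    uint64_t pixels = (uint64_t)w * h;
    if (pixels > FB_MAX_BYTES / bpp)   /* implies pixels * bpp <= cap */
        return -1;
    *out = (size_t)(pixels * bpp);
    return 0;
}

/* Allocate only after validation; NULL tells the caller to drop the stream. */
static void *fb_alloc(uint32_t w, uint32_t h, uint32_t bpp)
{
    size_t n;
    if (fb_size_checked(w, h, bpp, &n) != 0)
        return NULL;
    return calloc(1, n);
}

int main(void)
{
    /* Constructed sample values standing in for peer-announced dimensions. */
    uint32_t w = 0x10000, h = 0x4001, bpp = 4;
    printf("true size : %llu bytes\n", (unsigned long long)w * h * bpp);
    printf("unchecked : %u bytes\n", (unsigned)fb_size_unchecked(w, h, bpp));
    void *fb = fb_alloc(w, h, bpp);
    printf("checked   : %s\n", fb ? "allocated" : "rejected");
    free(fb);
    return 0;
}
```

With the constructed values, the unchecked product wraps to 262144 bytes for a frame that needs over 4 GiB, which is the "shorter than expected" buffer; the checked path refuses to allocate.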

Snapd Race Condition Vulnerability

The snap-confine program is used internally by snapd to construct the execution environment for snap applications, which are containerized software packages. CVE-2022-3328 describes a race condition vulnerability in the must_mkdir_and_open_with_perms() function in snap-confine, which is installed as a SUID-root program by default on Ubuntu. This was introduced as part of the fix for CVE-2021-44731.

An attacker with normal user privileges can use the Multipath privilege escalation vulnerability (CVE-2022-41974) and the Multipath symbolic link vulnerability, bind the /tmp directory to any directory in the file system, and escalate ordinary user permissions to root permissions.

Affected snapd versions are 2.54.3 – 2.57.6. An official security release that fixes this vulnerability is now available. It is recommended that affected users upgrade to a newer version.

