In this week’s digest, we will discuss:
- A vulnerability in the commonly-used BackupBuddy WordPress backup plugin
- Apple iOS and macOS updates to patch a zero-day flaw being exploited in the wild
- VMware’s performance testing of the Retbleed speculative-execution mitigation
- A number of Kubernetes/Rancher-related vulnerabilities
BackupBuddy – CVE-2022-31474
Developers at iThemes discovered a vulnerability in their BackupBuddy plugin affecting versions 8.5.8.0 through 8.7.4.1. Assigned CVE-2022-31474, it allows an unauthenticated attacker to abuse the ‘Local Directory Copy’ destination’s download routine to retrieve any file the WordPress process can read, not just backup archives. On servers where the web-server user has overly broad filesystem permissions, that can mean large parts of the filesystem are exposed.
Two separate defects combined to make this exploitable. First, the function intended for downloading local backups was hooked into admin_init and performed no capability or nonce check, so it could be triggered from any administrative entry point, including ones such as admin-post.php that can be reached without authentication. Second, the path of the file to download was taken from the request without validation (no canonicalisation and no restriction to the backup directory), so any file readable by WordPress could be requested.
iThemes recommends updating the plugin to version 8.7.5 or higher immediately, and auditing your server’s access logs for requests containing local-destination-id together with /etc/passwd or wp-config.php that received an HTTP 2xx response, since a 2xx on such a request means the file was actually served. If wp-config.php was retrieved, treat the database credentials and authentication salts in it as compromised and rotate them.
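As an added example (not code from iThemes, Wordfence or the original digest), the following script implements the log audit described above over a few constructed combined-format access-log lines. It URL-decodes the request twice so percent-encoded and double-encoded paths are caught, and only reports hits that were answered with a 2xx status. The query parameter name `file=` in the sample lines is a placeholder, not the plugin’s real parameter; only `local-destination-id` and the two file paths are taken from the advisory guidance.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" log layout is assumed; adjust LOG_RE for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<request>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators from the advisory guidance: the destination-id parameter plus a sensitive path.
MARKER = "local-destination-id"
SENSITIVE_PATHS = ("/etc/passwd", "wp-config.php")


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_backupbuddy_probe(entry):
    """True when the request carries the marker and a sensitive path and was served (2xx)."""
    # Decode twice: attackers often double-encode ("%252F") to slip past naive filters.
    request = unquote(unquote(entry["request"]))
    if MARKER not in request:
        return False
    if not any(path in request for path in SENSITIVE_PATHS):
        return False
    return entry["status"].startswith("2")


def find_probes(lines):
    """Scan log lines and return (ip, raw_request, status) for every successful probe."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_backupbuddy_probe(entry):
            hits.append((entry["ip"], entry["request"], entry["status"]))
    return hits


def hits_by_ip(hits):
    """Aggregate successful probes per source address for a quick triage view."""
    counts = {}
    for ip, _request, _status in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample lines (RFC 5737 documentation addresses); "file=" is a placeholder name.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Sep/2022:10:01:12 +0000] "GET /wp-admin/admin-post.php'
    '?file=%2Fetc%2Fpasswd&local-destination-id=1 HTTP/1.1" 200 1834',
    '203.0.113.7 - - [07/Sep/2022:10:01:15 +0000] "GET /wp-admin/admin-post.php'
    '?file=..%252F..%252Fwp-config.php&local-destination-id=1 HTTP/1.1" 200 3011',
    '198.51.100.4 - - [07/Sep/2022:10:02:00 +0000] "GET /wp-admin/admin-post.php'
    '?file=%2Fetc%2Fpasswd&local-destination-id=1 HTTP/1.1" 404 210',
    '192.0.2.9 - - [07/Sep/2022:10:03:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4500',
]

if __name__ == "__main__":
    for ip, request, status in find_probes(SAMPLE_LOG):
        print(f"SUCCESSFUL PROBE from {ip}: {request} -> {status}")
    print("per-source counts:", hits_by_ip(find_probes(SAMPLE_LOG)))
```

One caveat: access logs only record the request line, so parameters sent in a POST body will not appear. An empty result from this scan is therefore not proof that no file was exfiltrated; pair it with the plugin’s own logs or a web application firewall log where available.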
Apple iOS and macOS Updates
Apple released patches for an actively exploited zero-day flaw that allows an application to execute arbitrary code with kernel privileges. The fix ships in macOS Big Sur 11.7, macOS Monterey 12.6, iOS 16, iOS 15.7 and iPadOS 15.7. Reported by an anonymous researcher, CVE-2022-32917 is believed to be the eighth zero-day Apple has patched this year.
Details of the underlying bug are sparse; we recommend following Apple’s guidance and updating affected devices immediately.
Retbleed fix may slow Linux VM performance by 70%
Manikandan Jagatheesan of VMware’s performance engineering team posted valuable performance testing results to the Linux kernel mailing list last week.
Manikandan’s findings show dramatic performance regressions in Linux VMs on ESXi:
- Compute (up to -70%)
- Networking (up to -30%)
- Storage (up to -13%)
Linux kernel 5.19 contains a number of feature updates, but Manikandan’s bisection attributes the regression directly to a specific commit that is part of the Retbleed mitigation, rather than to the release as a whole.
Although Linode servers now default to using an upstream kernel, we have included the fix for Retbleed in our 5.19 custom kernel for customers.
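Before deciding whether a regression like the one above is worth accepting, it helps to know which Retbleed mitigation a given guest is actually running. The script below is an added example, not code from VMware or the original digest: it reads the kernel’s sysfs vulnerability report and the boot command line and classifies the result. The sysfs path and the `retbleed=` / `mitigations=` kernel parameters are real interfaces on Linux 5.19-era kernels; the sample strings used for the offline run are constructed.

```python
import os

RETBLEED_SYSFS = "/sys/devices/system/cpu/vulnerabilities/retbleed"
CMDLINE = "/proc/cmdline"


def classify_retbleed(text):
    """Map the sysfs retbleed report to a coarse status plus the kernel's own detail string."""
    text = text.strip()
    if text.startswith("Not affected"):
        return ("not_affected", text)
    if text.startswith("Mitigation:"):
        # e.g. "Mitigation: untrained return thunk; SMT vulnerable" or "Mitigation: Enhanced IBRS"
        return ("mitigated", text[len("Mitigation:"):].strip())
    if text.startswith("Vulnerable"):
        return ("vulnerable", text)
    return ("unknown", text)


def mitigation_overrides(cmdline):
    """Extract boot parameters that force the Retbleed mitigation on or off."""
    overrides = {}
    for token in cmdline.split():
        if token.startswith("retbleed="):
            overrides["retbleed"] = token.split("=", 1)[1]
        elif token.startswith("mitigations="):
            overrides["mitigations"] = token.split("=", 1)[1]
    return overrides


def read_text(path):
    """Return the file's contents, or None if it does not exist (older kernel, non-x86, etc.)."""
    if not os.path.exists(path):
        return None
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def report(sysfs_text, cmdline_text):
    """Combine both sources into one dict suitable for fleet inventory or alerting."""
    if sysfs_text is None:
        status, detail = ("unreported", "sysfs entry missing; kernel predates the Retbleed fix?")
    else:
        status, detail = classify_retbleed(sysfs_text)
    return {
        "status": status,
        "detail": detail,
        "overrides": mitigation_overrides(cmdline_text or ""),
    }


# Constructed samples for an offline run; on a live host use read_text(RETBLEED_SYSFS).
SAMPLE_SYSFS = "Mitigation: untrained return thunk; SMT vulnerable\n"
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz-5.19.0 root=/dev/sda1 ro retbleed=off\n"

if __name__ == "__main__":
    live = report(read_text(RETBLEED_SYSFS), read_text(CMDLINE))
    print("this host:", live)
    print("constructed sample:", report(SAMPLE_SYSFS, SAMPLE_CMDLINE))
```

A host that reports `mitigated` is paying the cost Manikandan measured; `retbleed=off` or `mitigations=off` on the command line disables the protection and is the trade-off knob an operator would reach for, so its presence should be treated as a finding in its own right rather than silently accepted.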
K8S — Rancher & Helm Vulnerabilities
CVE-2022-31247 – This Rancher privilege escalation vulnerability affects versions up to and including 2.5.15 and 2.6.6 (fixed in 2.5.16 and 2.6.7). Exploitation allows an attacker to gain owner permissions on other projects in the same cluster, or on a project in a downstream cluster.
CVE-2021-36783 – Rancher versions up to and including 2.5.12 and 2.6.3 (fixed in 2.5.13 and 2.6.4) contain an information disclosure bug: sensitive values supplied as template answers are not properly sanitized and can be exposed in plaintext.
CVE-2022-36049 – This bug in the Helm SDK as used by Flux affects flux2 from v0.0.17 up to but not including v0.32.0, and helm-controller from v0.0.4 up to but not including v0.23.0. An input validation flaw lets crafted input starve the controller of memory, causing a denial of service on the host running it.