
Linode Security Digest February 3-10, 2023

In this week’s digest, we will discuss the following:

  • an OpenSSL security advisory;
  • a double free vulnerability in OpenSSH Server; and
  • improper session handling in Pi-hole Web.

OpenSSL Security Advisory

OpenSSL is a toolkit for general-purpose cryptography and secure communication.

X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)

Vulnerability

This vulnerability results from type confusion between ASN1_STRING and ASN1_TYPE for the x400Address field during X.400 address parsing. Under certain conditions, an attacker can pass arbitrary pointers to memcmp, which allows them to read from memory or mount a denial of service attack.

OpenSSL 3.0, 1.1.1, and 1.0.2 are vulnerable to this issue. This vulnerability was given a high severity.

Mitigation

The OpenSSL advisory recommends 3.0 users upgrade to OpenSSL 3.0.8 and 1.0 users upgrade to OpenSSL 1.1.1t.

Timing Oracle in RSA Decryption (CVE-2022-4304)

Vulnerability

The RSA decryption implementation in OpenSSL was vulnerable to a timing side-channel attack that affects all RSA padding modes (PKCS#1 v1.5, RSA-OAEP, and RSASVE) and could allow an attacker to decrypt traffic.

OpenSSL 3.0, 1.1.1, and 1.0.2 are vulnerable to this issue. This vulnerability was given a moderate severity.

Mitigation

The OpenSSL advisory recommends 3.0 users upgrade to OpenSSL 3.0.8 and 1.0 users upgrade to OpenSSL 1.1.1t.

X.509 Name Constraints Read Buffer Overflow (CVE-2022-4203)

Vulnerability

The X.509 implementation in OpenSSL was vulnerable to a buffer overflow when processing a signed malicious certificate, which could lead to a denial of service attack or, theoretically, private memory leaks.

OpenSSL versions 3.0.0 to 3.0.7 are vulnerable to this issue. This vulnerability was given a moderate severity.

Mitigation

The OpenSSL advisory recommends 3.0 users upgrade to OpenSSL 3.0.8.

Use-after-free following BIO_new_NDEF (CVE-2023-0215)

Vulnerability

Many public API functions made calls to unsafe helper functions which, under certain conditions, led to crashes. It’s believed this could be used to create a denial of service attack. OpenSSL 3.0, 1.1.1, and 1.0.2 are vulnerable to this issue.

The OpenSSL cms and smime command line applications are similarly affected. This vulnerability was given a moderate severity.

Mitigation

The OpenSSL advisory recommends 3.0 users upgrade to OpenSSL 3.0.8 and 1.0 users upgrade to OpenSSL 1.1.1t.

Double free after calling PEM_read_bio_ex (CVE-2022-4450)

Vulnerability

A function in OpenSSL that generated header and data arguments contained an implementation error that could lead to freeing a buffer twice, inducing a crash. If exploited by an attacker, this could lead to a denial of service attack. This function is called by a number of other OpenSSL functions, increasing the attack surface.

OpenSSL 3.0 and 1.1.1 are vulnerable to this issue. The OpenSSL asn1parse command line application is also impacted by this issue. This vulnerability was given a moderate severity.

Mitigation

The OpenSSL advisory recommends 3.0 users upgrade to OpenSSL 3.0.8 and 1.0 users upgrade to OpenSSL 1.1.1t.

Invalid pointer dereference in d2i_PKCS7 functions (CVE-2023-0216)

Vulnerability

An invalid pointer dereference on read can be triggered when an application attempts to load malformed PKCS7 data in certain functions. This could lead to a denial of service attack.

OpenSSL versions 3.0.0 to 3.0.7 are vulnerable to this issue. This vulnerability was given a moderate severity.

Mitigation

The OpenSSL advisory recommends 3.0 users upgrade to OpenSSL 3.0.8.

NULL dereference validating DSA public key (CVE-2023-0217)

Vulnerability

An invalid pointer dereference on read can be triggered when an application attempts to load a malformed DSA public key in certain functions. This could lead to a denial of service attack.

OpenSSL versions 3.0.0 to 3.0.7 are vulnerable to this issue. This vulnerability was given a moderate severity.

Mitigation

The OpenSSL advisory recommends 3.0 users upgrade to OpenSSL 3.0.8.

NULL dereference during PKCS7 data verification (CVE-2023-0401)

Vulnerability

A NULL pointer can be dereferenced when signatures on PKCS7 signed data are being verified, which can lead to a crash when the algorithm is known to OpenSSL but the implementation is not. This could be leveraged by attackers to facilitate a denial of service attack.

OpenSSL versions 3.0.0 to 3.0.7 are vulnerable to this issue. This vulnerability was given a moderate severity.

Mitigation

The OpenSSL advisory recommends 3.0 users upgrade to OpenSSL 3.0.8 and 1.0 users upgrade to OpenSSL 1.1.1t.
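Every OpenSSL item above resolves to the same check: is the installed build at or above the fixed release for its branch (3.0.8 for 3.0, 1.1.1t for 1.1.1)? The following is an added example, not code from the digest or from the OpenSSL project, that parses the banner printed by `openssl version` and compares it against those fixed releases. The banner strings in the block are constructed sample input; the letter-suffix ordering (1.1.1s before 1.1.1t, 1.0.2z before 1.0.2za) is handled by plain lexicographic comparison of the suffix, which matches OpenSSL's pre-3.0 release scheme.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed releases named in the OpenSSL advisory summarized above, keyed by branch.
FIXED_VERSIONS = {
    "3.0": "3.0.8",
    "1.1.1": "1.1.1t",
}

# Matches "OpenSSL 1.1.1s  1 Nov 2022" or "OpenSSL 3.0.7 1 Nov 2022".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

Version = Tuple[int, int, int, str]


def parse_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, patch, letters) from an `openssl version` banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), letters)


def branch_of(v: Version) -> str:
    """3.x builds are versioned major.minor.patch; 1.x builds use major.minor.patch + letter."""
    major, minor, patch, _ = v
    if major >= 3:
        return f"{major}.{minor}"
    return f"{major}.{minor}.{patch}"


def fmt(v: Version) -> str:
    major, minor, patch, letters = v
    return f"{major}.{minor}.{patch}{letters}"


def needs_upgrade(banner: str) -> Tuple[bool, str]:
    """Return (needs_upgrade, reason) for a raw `openssl version` banner.

    Tuple comparison orders numeric fields first and then the letter suffix
    lexicographically, so 1.1.1s < 1.1.1t and 3.0.7 < 3.0.8 < 3.0.10.
    """
    v = parse_version(banner)
    if v is None:
        raise ValueError(f"unrecognized openssl version banner: {banner!r}")
    branch = branch_of(v)
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # e.g. 1.0.2: listed as affected in the digest with no public fixed release, so treat as unpatched.
        return True, f"branch {branch} has no fixed release in the advisory summary; treat as unpatched"
    fixed_v = parse_version("OpenSSL " + fixed)
    assert fixed_v is not None
    if v < fixed_v:
        return True, f"{fmt(v)} is below fixed release {fixed}"
    return False, f"{fmt(v)} is at or above fixed release {fixed}"


def check_local_openssl() -> Tuple[bool, str]:
    """Run the locally installed `openssl version` and evaluate it (needs the binary on PATH)."""
    banner = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout
    return needs_upgrade(banner)


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real host.
    for sample in ("OpenSSL 3.0.7 1 Nov 2022", "OpenSSL 3.0.8 7 Feb 2023",
                   "OpenSSL 1.1.1s  1 Nov 2022", "OpenSSL 1.1.1t  7 Feb 2023",
                   "OpenSSL 1.0.2u  20 Dec 2019"):
        print(sample, "->", needs_upgrade(sample))
    try:
        print("local:", check_local_openssl())
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("local openssl not available:", exc)
```

One caveat a practitioner should keep in mind: distributions such as Debian and Ubuntu backport fixes without bumping the upstream version string, so a banner of `1.1.1n` on such a system may already carry the CVE-2023-0286 fix. On those hosts, check the package changelog or the vendor's security tracker rather than trusting the upstream version alone.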

Double Free Vulnerability in OpenSSH Server

OpenSSH Server is a tool that allows you to securely create a remote terminal session.

Vulnerability

CVE-2023-25136 in OpenSSH happens as a result of memory being freed twice. This occurs before authentication, but remote code execution is not believed to be exploitable, partially because the process containing the vulnerability is also subject to sandboxing. There have been proofs of concept that demonstrate a denial of service attack.

OpenSSH Server version 9.1 is vulnerable to this issue. This vulnerability was given a medium severity.

Mitigation

Qualys advises users to upgrade to the OpenSSH version 9.2 to mitigate this vulnerability.

Improper Session Handling in Pi-hole Web

Pi-hole Web is the web utility used to interact with Pi-hole, a DNS server implementation with built-in ad and malicious domain blocking.

Vulnerability

GitHub user PromoFaux reported CVE-2023-23614 in a GitHub Security Advisory. The vulnerability comes from a pull request which introduced functionality to stay logged in for seven days. The feature was implemented by storing the user’s password hash in a cookie, so an attacker who stole the cookie would also obtain the hash. This hash could be used to craft new cookies with an arbitrary expiration time, and those cookies would work until the affected user changed their password.

This vulnerability affects versions 4.0 – 5.18.2 of Pi-hole Web. This vulnerability was given a high severity.

Mitigation

The developers recommend that Pi-hole Web users upgrade to version 5.18.3 or newer.
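To make the Pi-hole Web flaw concrete, here is an added example (not Pi-hole's own code, which is PHP) contrasting the weak design described above with the usual fix. `VulnerableSessions` mirrors the flawed pattern: the cookie carries the expiry and the password hash, and the server trusts any cookie whose hash matches, so nothing stops a holder of the hash from setting whatever expiry they like and the cookie only dies when the password changes. `HardenedSessions` issues an opaque random token, keeps the expiry and a password generation counter server-side, and stores only a hash of the token so a database leak does not hand out live sessions. Class names, the password `hunter2`, and the fixed timestamps are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

SEVEN_DAYS = 7 * 24 * 3600


class VulnerableSessions:
    """Mirrors the flawed design: the 'remember me' cookie is <expiry>|<password hash>."""

    def __init__(self, password: str, ttl: int = SEVEN_DAYS) -> None:
        self.pw_hash = hashlib.sha256(password.encode()).hexdigest()  # unsalted for brevity
        self.ttl = ttl

    def issue_cookie(self, now: int) -> str:
        # The secret itself leaves the server inside the cookie.
        return f"{now + self.ttl}|{self.pw_hash}"

    def is_valid(self, cookie: str, now: int) -> bool:
        try:
            expires, presented_hash = cookie.split("|", 1)
            expires_at = int(expires)
        except ValueError:
            return False
        # The expiry is client-controlled: anyone holding the hash can rewrite it.
        return now < expires_at and hmac.compare_digest(presented_hash, self.pw_hash)


class HardenedSessions:
    """Opaque server-side sessions: random token, server-held expiry, revoked on password change."""

    def __init__(self, password: str, ttl: int = SEVEN_DAYS) -> None:
        self.ttl = ttl
        self.password_generation = 0
        self.sessions: Dict[str, Tuple[int, int]] = {}  # sha256(token) -> (expires_at, generation)
        self._set_password(password)

    def _set_password(self, password: str) -> None:
        self.pw_salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.pw_salt, 100_000)
        # Bumping the generation invalidates every session issued under the old password.
        self.password_generation += 1

    def change_password(self, new_password: str) -> None:
        self._set_password(new_password)

    @staticmethod
    def _token_id(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, password: str, now: int) -> Optional[str]:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.pw_salt, 100_000)
        if not hmac.compare_digest(candidate, self.pw_hash):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, reveals nothing about the password
        self.sessions[self._token_id(token)] = (now + self.ttl, self.password_generation)
        return token

    def is_valid(self, token: str, now: int) -> bool:
        record = self.sessions.get(self._token_id(token))
        if record is None:
            return False
        expires_at, generation = record
        if now >= expires_at or generation != self.password_generation:
            self.sessions.pop(self._token_id(token), None)  # clean up dead sessions
            return False
        return True


if __name__ == "__main__":
    v = VulnerableSessions("hunter2")
    cookie = v.issue_cookie(now=1_000)
    _, leaked_hash = cookie.split("|", 1)
    print("vulnerable: stolen cookie still valid far in the future?",
          v.is_valid(f"{10**12}|{leaked_hash}", now=10**11))  # True: expiry is attacker-chosen

    h = HardenedSessions("hunter2")
    tok = h.login("hunter2", now=1_000)
    print("hardened: valid within TTL?", h.is_valid(tok, now=1_000))            # True
    print("hardened: valid after TTL?", h.is_valid(tok, now=1_000 + SEVEN_DAYS))  # False
    tok2 = h.login("hunter2", now=2_000)
    h.change_password("correct-horse")
    print("hardened: valid after password change?", h.is_valid(tok2, now=2_001))  # False
```

The hardened version gets both properties the advisory implies were missing: the server, not the client, decides when a session ends, and the cookie value is useless for minting new sessions because it is not derived from the password at all.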
