Skip to main content
BlogSecurityLinode Security Digest February 20 – 27, 2022

Linode Security Digest February 20 – 27, 2022

Linode Security Digest

This week, we’ll discuss critical vulnerabilities in multiple products and services.

Remote Code Execution in Apache Cassandra 

Apache Cassandra is a highly scalable and distributed NoSQL database that is extremely popular due to the benefits of its distributed nature. Some companies even provide cloud-based turnkey solutions based on Cassandra. Checkout Linode’s DBaaS offering.

When running Apache Cassandra with the following configuration:

enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false

An attacker can execute an arbitrary code execution on the host if the malicious actor has enough permissions to create user defined functions in the cluster. 

Root Cause – Cassandra offers the functionality of creating user-defined-functions (UDFs) to perform custom processing of data in the database. UDFs can be written in Java and JavaScript by default. In JavaScript, it uses the Nashorn engine in the Java Runtime Environment (JRE), which is a JavaScript engine that runs on top of the Java Virtual Machine (JVM). Nashorn is not guaranteed to be secure when accepting untrusted code. Refer to JFrog’s blog to see how Nashorn can be used to run untrusted code.

Cassandra users can use the following mitigations against CVE-2021-44521:

Set `enable_user_defined_functions_threads: true` (this is default) OR

3.0 users should upgrade to 3.0.26
3.11 users should upgrade to 3.11.12
4.0 users should upgrade to 4.0.2

Potential Remote Code Execution Flaw in Redis

Redis is an open source, in-memory data structure store which can be used as a database, cache, and message broker. Redis lets you run Lua scripts for better performance and enables atomic execution of all the steps within a script. No other Redis command can run while a script is executing.

CVE-2022-0543 was discovered in Redis, due to a packaging issue, which is prone to a (Debian-specific) Lua sandbox escape, potentially leading to a remote code execution vulnerability.

Root Cause – The vulnerability exists because the Lua library in Debian is provided as a dynamic library. A “package” variable is automatically populated, which, in turn, permits access to arbitrary Lua functionality. For example, as this functionality extends to the “execute” function from the “os” module, an attacker with the ability to execute arbitrary Lua code could potentially execute arbitrary shell commands.

It’s recommended that you upgrade your Redis package on Debian according to the vendor’s advisory.

Local Privilege Escalation in snap-confine

Snap is a software packaging and deployment system developed by Canonical for operating systems that use the Linux kernel. The packages are called snaps, and the tool for using snaps is snapd. Snap works across a variety of Linux distributions and allows upstream software developers to distribute their applications directly to users. Snaps are self-contained applications that run in a sandbox with mediated access to the host system. 

Snap-confine is a program used internally by snapd to construct the execution environment for snap applications.

CVE-2021-44730 and CVE-2021-44731, two local privilege escalation bugs, were discovered in snap-confine. The first one is a hardlink attack that is exploitable only in a non-default configuration, when the kernel’s fs.protected_hardlinks is set to 0. And the latter is caused by a race condition that is exploitable in default installations of Ubuntu Desktop, and near-default installations of Ubuntu Server. Successful exploitation of these vulnerabilities allows any unprivileged user to gain root privileges on the vulnerable host. 

The two flaws are addressed by patching snap-confine to version 2.54.3. Ubuntu also states “In general, a standard system update will make all the necessary changes.” on its advisory page.

Critical bugs in Adobe Commerce, Magento, Chrome and Firefox

CVE-2022-24086 is an improper input validation flaw in Adobe Commerce and Magento Open Source, which is given a CVSS score of 9.8. This vulnerability could allow a remote attacker to execute arbitrary code on an affected system without any credentials, potentially enabling digital skimming attacks on ecommerce sites that run the CMS software. Although it seems that attacks in the wild are very limited, the fact that Adobe released an out-of-band patch on February 13, 2022 makes it a high risk vulnerability.

CVE-2022-0609, is a use-after-free vulnerability in Chrome’s Animation component. It could allow a remote attacker to execute arbitrary code on a machine by creating a specially crafted webpage and phishing users to visit the page. Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild, and Google recommends users to update to version 98.0.4758.102 to patch this vulnerability.

CVE-2021-38503 is an Improper authorization flaw in Firefox. The root cause of this vulnerability is incorrect implementation of  iframe sandbox rules for XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.

Arbitrary Backup Download in WordPress UpdraftPlus Plugin

UpdraftPlus is a popular back-up plugin for WordPress sites and allows you to download your backups. One of the features that the plugin implemented was the ability to send back-up download links to an email of the site owner’s choice. Unfortunately, this functionality was insecurely implemented, making it possible for low-level authenticated users like subscribers to craft a valid link that would allow them to download backup files.

The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup’s nonce identifier, which may allow any user with an account on the site (such as subscriber) to download the most recent site and database backup.

Root Cause – The attack starts with the WordPress heartbeat function. The attacker needs to send a specially crafted heartbeat request containing a data[updraftplus][updraft_credentialtest_nonce] parameter while a backup is running. If they are able to time this request to any time while a backup is running, the response will return the backup nonce required to download that particular backup.

This vulnerability was patched in version 1.22.3 of UpdraftPlus.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *