SB2020022530 - Insecure DLL loading in python3 (Alpine package)
Published: February 25, 2020
Security Bulletin ID
SB2020022530
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Insecure DLL loading (CVE-ID: CVE-2020-8315)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to direct calls to "LoadLibraryW()" in "getpathp.c" without any "LOAD_LIBRARY_SEARCH*" flags. A remote attacker can use a malicious copy of api-ms-win-core-path-l1-1-0.dll, which being loaded and used instead of the system's copy and execute arbitrary code on victim's system.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=21a5b7dd0924932b20512155471ee45dada0abf4
- https://git.alpinelinux.org/aports/commit/?id=5fbbd588ac1a7f3a4d779fe13c37b9ab4d65e259
- https://git.alpinelinux.org/aports/commit/?id=3d60659100e95bd6d05aaceaef7aa2a1410107d8
- https://git.alpinelinux.org/aports/commit/?id=8135de912b23c9bd9649fa7b6a59ec455529b7af
- https://git.alpinelinux.org/aports/commit/?id=99c195369d53843a8a4f186257072600a773bbde
- https://git.alpinelinux.org/aports/commit/?id=b98b6bd76527ff7e722baece7a94e43ddb008a9d