SB2022092748 - Multiple Linux kernel vulnerabilities in Hitachi Energy Lumada APM Edge

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2021-4034)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper handling of the calling parameters count in the pkexec setuid binary, which causes the binary to execute environment variables as commands. A local user can craft environment variables in a way that they will be processed and executed by pkexec and execute arbitrary commands on the system as root.

2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2022-0492)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a logic error within the cgroup_release_agent_write() function in  kernel/cgroup/cgroup-v1.c. A local user can use the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation.

Remediation

Install update from vendor's website.

References

• https://ics-cert.us-cert.gov/advisories/icsa-22-270-02"
• https://ics-cert.us-cert.gov/advisories/icsa-22-270-02</a></p><p>
• https://search.abb.com/library/Download.aspx?DocumentID=8DBD000115</p><p><br></p>