SB2022111116 - Multiple vulnerabilities in Dell EMC Cloud Tiering Appliance Family
Published: November 11, 2022 Updated: March 9, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 27 secuirty vulnerabilities.
1) Same-origin policy bypass (CVE-ID: CVE-2018-18494)
The vulnerability allows a remote attacker to bypass same-origin policy on the target system.The weakness exists due to an error .when using the Javascript
location property. A remote attacker can trick the victim into visiting a specially crafted website and theft cross-origin URL entries to cause a redirection to another site using performance.getEntries(). 2) Null pointer dereference (CVE-ID: CVE-2018-18065)
The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.
The vulnerability exists in the _set_key() function, as defined in the agent/helpers/table_container.c source code file due to a NULL pointer exception bug. A remote attacker can send a malicious UDP packet, trigger a NULL pointer dereference condition, cause the application to crash.
3) Type confusion (CVE-ID: CVE-2018-19477)
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The vulnerability exists due to a JBIG2Decode type confusion condition in the psi/zfjbig2.csource code file. A remote unauthenticated attacker can trick the victim into accessing a PostScript file that submits malicious input to bypass the security access restrictions on the targeted system, which could be used to conduct further attacks.
4) Type confusion (CVE-ID: CVE-2018-19476)
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The vulnerability exists due to a setcolorspace type confusion condition in the psi/zicc.c source code file. A remote unauthenticated attacker can trick the victim into accessing a PostScript file that submits malicious input to bypass the security access restrictions on the targeted system, which could be used to conduct further attacks.
5) Security restrictions bypass (CVE-ID: CVE-2018-19475)
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The vulnerability exists due to the psi/zdevice2.c source code file fails to check available stack space. A remote unauthenticated attacker can trick the victim into accessing a PostScript file that submits malicious input to bypass the security access restrictions on the targeted system, which could be used to conduct further attacks.
6) Security restrictions bypass (CVE-ID: CVE-2018-19409)
The vulnerability allows a local attacker to bypass security restrictions on the target system.
The vulnerability exists due to improper checks of the LockSafetyParams device parameter if another device is used as the top device. A local attacker can make a .setdevice call and bypass security restrictions If another device, such as the pdf14 compositor, is the top device on the system.
7) Code injection (CVE-ID: CVE-2018-18284)
The vulnerability allows a remote attacker to bypass the sandbox protection mechanism on the target system.
The vulnerability exists due to the failure of the sandbox protection mechanism of the affected software when the 1Policy operator is used. A remote unauthenticated attacker can trick the victim into accessing a PostScript file that submits malicious input, bypass the sandbox protection mechanism and modify or replace error handlers used by the software, which the attacker could use to inject and execute arbitrary code on the system.
8) Security restrictions bypass (CVE-ID: CVE-2018-18073)
The vulnerability allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to exposure of system operators in the saved execution stack in an error object. A remote attacker can bypass a sandbox protection mechanism to conduct further attacks.
9) Code Injection (CVE-ID: CVE-2018-17961)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation that allows sandbox bypass via error handler setup vectors. A remote attacker can pass a specially crafted PostScript file to the affected application, inject and execute arbitrary code on the target system.
Note: this vulnerability exists due to insufficient patch for previously fixed Code injection vulnerability (CVE-2018-17183).
10) Code Injection (CVE-ID: CVE-2018-17183)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the application allowed a user-writable error exception table. A remote attacker can use a specially crafted PostScript file to overwrite error handlers and inject arbitrary code.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
11) Information disclosure (CVE-ID: CVE-2018-15919)
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to insufficient validation of an authentication request packet when the Guide Star Server II (GSS2) component is used. A remote attacker can send an authentication request packet and access sensitive information, such as valid usernames.
12) User enumeration (CVE-ID: CVE-2018-15473)
The vulnerability allows a remote attacker to enumerate all accounts on the system.
The vulnerability exists due to a logical error in auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c files when processing authentication requests. A remote attacker can send a specially crafted chain of packets and monitor behavior of openssh server to determine presence of a valid username. The server will drop connection upon receiving a malformed authentication packets if the username is valid.
13) SQL injection (CVE-ID: CVE-2018-10915)
The vulnerability allows a remote attacker to execute arbitrary SQL commands in web application database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL commands in web application database.
Successful exploitation of the vulnerability may allow an attacker to gain administrative access to vulnerable web application.
14) Integer overflow (CVE-ID: CVE-2018-18498)
The vulnerability allows a remote attacker to cause DoS condition on the target system.The weakness exists due to an integer overflow during buffer size calculations for images. A remote attacker can use a raw value instead of the checked value, trigger out-of-bounds read and cause the service to crash.
15) Buffer overflow (CVE-ID: CVE-2018-18493)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in the Skia library during buffer offset calculations with hardware accelerated canvas 2D actions due to the use of 32-bit calculations instead of 64-bit. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
16) Use-after-free error (CVE-ID: CVE-2018-18492)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to use-after-free error after deleting a selection element due to a weak reference to the
select element in the options collection.. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.Successful exploitation of the vulnerability may result in system compromise.
17) Memory corruption (CVE-ID: CVE-2018-17466)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error in Angle. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation on the vulnerability may result in system compromise.
18) Memory corruption (CVE-ID: CVE-2018-12405)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
19) Cache Attacks (CVE-ID: CVE-2018-12404)
The vulnerability allows a remote attacker to perform a downgrade attack on the server and decrypt private keys on the target system.The vulnerability exists due to a core weakness in TLS that relates to the handshaking of the session key which is used within the tunnel during parallelisation of thousands of oracle queries that occurs using a cluster of TLS servers which share the same public key certificate. A remote attacker can mount a microarchitectural side channel attack against a vulnerable implementation, obtain a network man-in-the-middle position, obtain the relevant data to sign and trigger the victim server to decrypt ciphertexts chosen by the adversary to perform a downgrade attack.
20) Man-in-the-middle attack (CVE-ID: CVE-2018-12384)
The vulnerability allows a remote attacker to conduct man-in-the-middle attack on the target system.
The weakness exists due to ServerHello.random is all zero when handling a v2-compatible ClientHello. A remote attacker can use man-in-the-middle techniques to conduct passive replay attack and obtain potentially sensitive information.
21) Memory-cache side-channel attack (CVE-ID: CVE-2018-0495)
The vulnerability allows a local attacker to obtain potentially sensitive information.
The vulnerability exists due to a leakage of information through memory caches when the affected library uses a private key to create Elliptic Curve Digital Signature Algorithm (ECDSA) signatures. A local attacker can conduct a memory-cache side-channel attack on ECDSA signatures and recover sensitive information, such as ECDSA private keys, which could be used to conduct further attacks.
Note: The vulnerability is known as the "Return Of the Hidden Number Problem" or ROHNP.
22) Link following (CVE-ID: CVE-2017-7501)
The vulnerability allows a local authenticated user to execute arbitrary code.
It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.
23) Link following (CVE-ID: CVE-2017-7500)
The vulnerability allows a local authenticated user to execute arbitrary code.
It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.
24) Side-channel attack (CVE-ID: CVE-2018-5407)
The vulnerability allows a physical attacker to obtain potentially sensitive information.
The vulnerability exists due to due to execution of engine sharing on SMT (e.g.Hyper-Threading) architectures when improper handling of information by the processor. A physical attacker can construct a timing side channel to hijack information from processes that are running in the same core.
Note: the vulnerability has been dubbed as PortSmash microarchitecture bug.
25) Information disclosure (CVE-ID: CVE-2018-0737)
The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.The weakness exists in the RSA key generation algorithm's BN_mod_inverse() and BN_mod_exp_mont() functions due to a cache timing side channel attack. A local attacker can recover the private key.
26) Information disclosure (CVE-ID: CVE-2018-0734)
The vulnerability allows a local attacker to obtain potentially sensitive information.
The vulnerability exists due to unspecified flaw in Digital Signature Algorithm (DSA). A local attacker can conduct a timing side-channel attack and recover the private key, which could be used to conduct further attacks.
27) Denial of service (CVE-ID: CVE-2016-8610)
The vulnerability allows a remote unauthenticated user to exhaust memory on the target system.The weakness is due to improper handling of certain packets by the ssl3_read_bytes() function in 'ssl/s3_pkt.c.
By sending a flood of SSL3_AL_WARNING alerts during the SSL handshake, a remote attacker can consume excessive CPU resources that may lead to OpenSSL library being unavailable.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.
Remediation
Install update from vendor's website.