Monday, July 8, 2024

📋 Chef's weekly selections

The internet is on fire this week. Enjoy!

  1. regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server

    The big news in cloud security this week was not cloud specific. Qualys (re)discovered a remote unauthenticated code execution vulnerability (CVE-2024-6387) in OpenSSH server. This is bad: the Shadowserver Foundation reckons ~4.5 million hosts worth of bad. Various appliance companies released patches for their products. Good luck to the internet; it's going to be hot in here for a while.

  2. AWS Managed KMS Keys and their Key Policies: Security Implications and Coverage for AWS Services

    Many AWS services can manage encryption keys for you if you don't want to muck around with policies. These managed keys are indistinguishable from magic, but this very niche post sheds light on some of their details and oddities. It has an accompanying GitHub repo with all the managed key policies for the sleuths to investigate.

  3. Setting up AWS IAM Identity Center as an identity provider for Confluence

    You read that right. Accept your fate, descend into madness with Julian Michel, and follow this detailed tutorial for setting up single sign-on access to Confluence via AWS IAM Identity Center. If you survive, let us know what it's like on the other side.

Bonus: More arguments about account ID sensitivity

🥗 AWS security blog

👾 r/aws

🧁 IAM permission changes

πŸ” AWS API Changes

🍹 Updated AWS Managed IAM Policies

  1. AWSPriceListServiceFullAccess
  2. AmazonRDSServiceRolePolicy
  3. 🚩 AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy
  4. CostOptimizationHubServiceRolePolicy

🔀 Weekly diff

🤖 Powered by MAMIP | 🚩 Sensitive IAM Actions included

☕︎ CloudFormation updates

New resources:

πŸͺ Amazon Linux CVEs

Amazon Linux CVEs are back with a vengeance. There was a bug in our code that mistakenly caused no CVEs to be shown in the last few issues. My sincere apologies! You can find the full list of past CVEs here.

  • CVE-2023-39329 - In openjpeg, a resource exhaustion can occur in the opj_t1_decode_cblks function in tcd.c through a crafted image file, causing a denial of service.
  • CVE-2024-6501 - Given a system running NetworkManager with DEBUG logs enabled and an interface eth1 configured with LLDP enabled, someone could inject a malformed LLDP packet and NetworkManager would crash leading to a DoS.
  • CVE-2023-39328 - openjpeg: denial of service via crafted image file
  • CVE-2024-39689 - Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store.
  • CVE-2024-39884 - A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted.
  • CVE-2024-39929 - Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users.
  • CVE-2024-39936 - An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.
  • CVE-2024-29508 - Artifex Ghostscript before 10.03.0 has a heap-based pointer disclosure (observable in a constructed BaseFont name) in the function pdf_base_font_alloc.
  • CVE-2024-29506 - Artifex Ghostscript before 10.03.0 has a stack-based buffer overflow in the pdfi_apply_filter() function via a long PDF filter name.
  • CVE-2023-52169 - The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image.
  • CVE-2024-34750 - Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.
  • CVE-2024-29511 - Artifex Ghostscript before 10.03.1, when Tesseract is used for OCR, has a directory traversal issue that allows arbitrary file reading (and writing of error messages to arbitrary files) via OCRLanguage. For example, exploitation can use debug_file /tmp/out and user_patterns_file /etc/passwd.
  • CVE-2024-29507 - Artifex Ghostscript before 10.03.0 sometimes has a stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters.
  • CVE-2024-29509 - Artifex Ghostscript before 10.03.0 has a heap-based overflow when PDFPassword (e.g., for runpdf) has a \000 byte in the middle.
  • CVE-2023-52168 - The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc.
  • CVE-2023-24531 - Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad behaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making "go env" print them out.
  • CVE-2024-4877 - With OpenVPN on Windows platforms, a malicious process with "some" elevated privileges (SeImpersonatePrivilege) could open the pipe a second time, tricking the OpenVPN GUI into providing user credentials (tokens), getting full access to the account openvpn-gui.exe runs as.
  • CVE-2024-39894 - OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur.
  • CVE-2024-4467 - A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file.
  • CVE-2024-24791 - The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend.
  • CVE-2024-38472 - SSRF in Apache HTTP Server on Windows allows an attacker to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content
  • CVE-2024-36387 - Serving WebSocket protocol upgrades over an HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.
  • CVE-2024-6387 - A signal handler race condition was found in the OpenSSH server (sshd). If a client does not authenticate within the LoginGraceTime period (120 seconds by default, or 600 seconds in older OpenSSH versions), sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, such as syslog().
  • CVE-2024-38473 - Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.
  • CVE-2024-39573 - Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly set up URLs to be handled by mod_proxy.
  • CVE-2024-38475 - Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure.
  • CVE-2024-38474 - Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or to obtain source disclosure of scripts meant only to be executed as CGI.
  • CVE-2024-38476 - A vulnerability in the core of Apache HTTP Server 2.4.59 and earlier makes it vulnerable to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable.
  • CVE-2024-38477 - Null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.
  • CVE-2024-28882 - An authenticated OpenVPN client can make the server "keep the session" even when the server has been told to disconnect this client