On this week’s digest, we’ll focus on the next:
- Linux NetFilter use-after-free Kernel Vulnerability
- WordPress Core v6.2 XSS/CSRF/Listing Traversal Vulnerabilities
- Linux OverlayFS Vulnerability
CVE-2023-32233: Linux NetFilter Kernel Vulnerability
Background
NetFilter, is a framework for packet filtering and community deal with translation constructed into the Linux kernel for managing community site visitors. It’s managed by userspace utilities like iptables, UFW, and nft. Each iptables and nftables are primarily based on NetFilter, with nftables being the extra trendy implementation. System directors use these instruments to configure native firewall guidelines and monitor community site visitors.
Vulnerability
The vulnerability, tracked as CVE-2023-32233, is a use-after-free vulnerability within the “nf_tables” module of NetFilter. “nf_tables” is enabled by default on most Linux working programs. “Nf_tables” accepts invalid configurations, which turn into problematic in some situations when an invalid batch operation is carried out. If the invalid batch operation is crafted in a selected manner, it might result in a corrupted inside state throughout the Linux kernel. This occurs as a result of the “nf_tables” module doesn’t correctly deal with nameless units (a sort of set with out a title that’s allotted an identifier by the kernel).
The corrupted state will be exploited to carry out arbitrary reads and writes of kernel house reminiscence. This may be utilized to escalate privileges for the native consumer. All variations of the Linux kernel previous to model 6.3.1 are weak to this exploit.
It ought to be famous that an attacker wants entry to a Linux system established earlier than trying to take advantage of this vulnerability. Moreover, they will need to have CAP_NET_ADMIN permissions and the flexibility to control NetFilter instantly through the third occasion API.
The impression of this vulnerability is excessive, because it impacts a module enabled by default on many Linux working programs. Moreover, a proof-of-concept has been launched, which will increase the chance of this vulnerability being exploited within the wild.
Mitigation
- Updating the Linux kernel in your programs to model 6.3.2 or increased is extremely really useful
- Disable unprivileged consumer namespaces
WordPress Core v6.2 XSS/CSRF/Listing Traversal Vulnerabilities
Background
WordPress consists of a number of components: Core, Database, Themes, and Plugins. WordPress Core is the muse of the remainder of the WordPress platform and permits all the executive and administration features.
Vulnerabilities
WordPress Core v6.2 has a number of vulnerabilities we’ll cowl.
CVE-2023-2745: Listing Traversal
This vulnerability, tracked as CVE-2023-2745, permits an attacker to carry out listing traversal over a WordPress web site by exploiting the “wp_lang” parameter. Attackers can entry and cargo arbitrary language translation information. Moreover, if an attacker has adequate entry to add translation information, this vulnerability additionally will be utilized to carry out Cross-Website Scripting.
CVE Pending: Cross-Website Request Forgery (CSRF)
This vulnerability, which doesn’t have a CVE ID on the time of writing, is attributable to the shortage of nonce validation on an AJAX perform. The AJAX perform, known as “wp_ajax_set_attachment_thumbnail”, will be abused to permit for unauthenticated customers to replace information related to attachment thumbnails. This solely can occur if an authenticated consumer performs an motion, comparable to clicking a hyperlink.
WordPress has decided that this vulnerability is unlikely to be exploited within the wild, as a consequence of a posh sequence of occasions required to ensure that exploitation.
CVE Pending: Cross-Website Scripting (XSS)
This vulnerability, which doesn’t have a CVE ID on the time of writing, is attributable to improper validation of protocol when processing the response from oEmbed discovery. oEmbded is a format sort in WordPress that enables for the rendering of URls from third-party websites. Sometimes, that is used when a consumer hyperlinks one other web site in a remark, leading to a preview of the linked web site. Attackers which have contributor and above permissions can craft a malicious oEmbed payload at a third-party URL that may trigger arbitrary scripts to be executed when a consumer accesses that third-party URL.
NOTE: The unique patch for these vulnerabilities, model 6.2.1, additionally mounted a minor vulnerability with shortcodes. The repair for the shortcode vulnerability broke performance. In model 6.2.2, this challenge is mounted.
Mitigation
- Updating WordPress to model 6.2.2 or above is extremely really useful.
CVE-2023-0386: OverlayFS Vulnerability
Background
SetUID is a particular file permission that enables any consumer with execution permissions to execute a binary because the consumer or group that owns the file. Within the case that the SetUID bit is about on a binary owned by root, any consumer with execution permissions can run that binary as root.
OverlayFS is a solution to merge a number of mount factors on a Linux file system, into one unified file system. It consists of a number of layers: decrease, higher, and overlay.
- The “decrease” layer comprises the bottom mount factors on your pre-existing knowledge. Knowledge is accessible upstream within the overlay layer.
- The “higher” layer is outlined as a part of the overlay filesystem. All information written to the overlay layer are copied to the higher layer. When information are modified within the decrease layer, the adjustments are propagated to the overlay layer, after which the higher layer.
- The “overlay” layer is the highest layer of the filesystem. It’s composed of information from the higher and decrease layers. All information will be accessed from the overlay layer.
Right here is an easy diagram that reveals how file adjustments are propagated by OverlayFS:
Vulnerability
This vulnerability is tracked as CVE-2023-0386, all variations of the Linux kernel prior to six.2-rc6 are vulnerabile. When including a file to an OverlayFS filesystem, the overlay layer doesn’t correctly test the consumer/group validity within the present namespace earlier than copying it to the higher layer. An attacker can add a binary with the SUID bit set to a decrease layer, after which have a binary copied to the higher layer.
An attacker can create a brand new digital filesystem and namespace, generate an SUID binary with possession as root, after which mount it into an OverlayFS filesystem. The OverlayFS filesystem gained’t test if the consumer/group possession is legitimate within the present namespace, and replica the binary with permissions intact. The attacker can then execute the SUID binary from the higher layer and elevate their privileges.
Mitigation
- Updating the Linux kernel in your programs to the most recent model is extremely really useful.
- Disable unprivileged consumer namespaces.
