Patch Roundup: Windows, Linux, Oracle, JuniperCompanies Address a Range of Vulnerabilities
A patch is forthcoming for a privilege escalation vulnerability in the Windows operating system that can allow hackers to gain a foothold. Meanwhile, Linux OS users also need to adopt system upgrades to fix a flaw, and Oracle and Juniper have announced product patches.
The flaw affecting the upcoming version of Windows 11 as well as Windows 10 can be exploited to access hashed passwords and other sensitive data, researchers say.
The Windows vulnerability, tracked as CVE-2021-36934, was discovered by security researcher Jonas L on Tuesday. The researcher says the flaw is present in Windows Security Account Manager, which stores the users' accounts and security descriptors.
In a separate tweet, security researcher Benjamin Delpy notes the flaw affects security and system files in Windows 10 in addition to the SAM database.
If exploited, the flaw could provide access to default passwords, data protection API keys and system machine accounts that store password history, researchers say.
On Wednesday, Microsoft noted that the flaw is a critical vulnerability in the Access Control Lists in SAM and other files used to grant or deny access. "An attacker who successfully exploited this vulnerability could run arbitrary code with system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said.
Microsoft said it does not believe the flaw has been exploited, and a patch is pending while the company investigates the flaw. Until a patch is issued, Microsoft’s advisory recommends a two-step "workaround" of restricting access and also deleting shadow copies to prevent exploits.
A report released by Carnegie Mellon University's CERT Coordination Center shows the vulnerability affects Windows 10 devices starting with build 1809 versions, and it grants non-administrative users read access to files.
The report notes if a system has enabled volume shadow copy or VSS service - used to create backup copies or snapshots of computer files – then the flaw allows a nonprivileged users to extract and leverage account password hashes, discover the original Windows installation password, obtain DPAPI computer keys and access a computer machine account.
"Note that VSS shadow copies may not be available in some configurations. However, simply having a system drive that is larger that 128GB in size and then performing a Windows update or installing an MSI will ensure that a VSS shadow copy will be automatically created," according to the Carnegie Mellon report.
Meanwhile, researchers at Qualys found that most versions of Linux are vulnerable to an unprivileged attack because of an LPE vulnerability that can allow an attacker to gain root privileges in the Linux Kernel's filesystem layer by creating, mounting and deleting a deep directory structure whose total path length exceeds 1GB.
The vulnerability tracked as CVE-2021-33909 is dubbed Sequoia. If exploited, this uncontrolled out-of-bounds flaw can enable attackers to write and obtain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation, according to Qualys.
Qualys has provided patches for the exploits they discovered. But Qualys researchers say that “other Linux distributions are certainly vulnerable, and probably exploitable," and so they recommend users upgrade their Linux and system packages.
Other Patching Updates
In addition to the Linux and Microsoft vulnerabilities, Juniper Networks and Oracle have also issued software updates.
For example, Juniper Networks has released a patch for CVE-2021-0276 a critical vulnerability on Steel-Belted Radius Carrier Edition network server. Exploitation of the bug would have likely caused a denial-of-service attack or a remote code execution attack, the company says.
SBR Carrier is a network server that enables wireless and fixed line operators to gain control over the way subscribers access their networks. The flaw, if exploited, could lead to a disruption of network service by telecom/wireless service providers, Juniper says.
The company also issued a separate patch for a severe vulnerability that affects 16 versions of Junos OS and all versions of Junos OS Evolved, a network operating system.
That vulnerability, tracked as CVE-2021-0276, affects Juniper Networks SBR Carrier's 8.4.1 versions prior to 8.4.1R19; 8.5.0 versions prior to 8.5.0R10; and 8.6.0 versions prior to 8.6.0R4 that is configured with EAP.
The flaw, which has a CVSS vulnerability-severity score of 9.8 out of 10, is a stack-based Buffer Overflow vulnerability that uses EAP. An exploit would allow attackers to send specific packets causing the radius daemon to crash, leading to a DoS attack or a remote code execution attack.
"By continuously sending these specific packets, an attacker can repeatedly crash the radius daemon, causing a sustained denial of service [attack]," the company says.
The company also released patches for 34 other vulnerabilities, including critical flaw, several high-severity issues, and multiple medium-risk ones.
Oracle Patches 342 Vulnerabilities
Meanwhile, Oracle released patches to address 342 vulnerabilities across multiple products. If exploited, some of these flaws could enable remote attackers to take control of an affected system, the company says.
Among issues addressed in Oracle’s quarterly critical patch update is CVE-2019-2729, a deserialization vulnerability in XMLDecoder in Oracle WebLogic Server Web Services. This RCE vulnerability can be exploited without authentication, which means any attacker on a network can exploit it without the need for a username and password.
The flaw, which has a CVSS severity score of 9.8 out of a maximum of 10, exists within the Oracle Hyperion Infrastructure Technology and affects WebLogic Server versions 220.127.116.11 and 18.104.22.168.
"In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply critical patch update security patches without delay," the company says.
(Senior Correspondent Akshaya Ashokan contributed to this story.)