ASA-2019-00114 – OpenSSL: 0-byte record padding oracle

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one), OpenSSL can respond differently to the calling application when a 0-byte record is received with invalid padding than when a 0-byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, this amounts to a padding oracle that could be used to decrypt data. For this to be exploitable, "non-stitched" ciphersuites must be in use; stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. The application must also call SSL_shutdown() twice even though a protocol error has occurred (applications should not do this, but some do anyway). AEAD ciphersuites are not impacted, as they carry no CBC padding for the oracle to distinguish.

ASA-2019-00113 – BIND: Zone transfer controls for writable DLZ zones were not effective

Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable. A client exercising this defect can request and receive a zone transfer of a DLZ even when not permitted to do so by the allow-transfer ACL.

ASA-2019-00112 – BIND: An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys

"managed-keys" is a feature that allows a BIND resolver to automatically maintain the keys used by the trust anchors which operators configure for DNSSEC validation. Due to an error in the managed-keys feature, a BIND server which uses managed-keys can exit due to an assertion failure if, during key rollover, a trust anchor's keys are replaced with keys that use an unsupported algorithm.

ASA-2019-00111 – BIND: A specially crafted packet can cause named to leak memory

A failure to free memory can occur when processing messages having a specific combination of EDNS options. By exploiting this condition, an attacker can potentially cause named's memory use to grow without bounds until all memory available to the process is exhausted. Typically a server process is limited in the amount of memory it can use, but if the named process is not limited by the operating system, all free memory on the server could be exhausted.

ASA-2019-00109 – QubesOS: Insecure default DisposableVM networking configuration

In Qubes OS, one can attempt to limit the network access of a qube by either completely disconnecting it from any NetVM or by setting its firewall rules to disallow access. A malicious qube can circumvent these limits by launching a DisposableVM [1], which, in the default configuration, would have unrestricted network access. Moreover, even when a non-default DisposableVM is configured to have no network access (or limited access), other DisposableVMs started from _that_ DisposableVM can have full network access (unless explicitly configured otherwise). While limiting network access in this manner should not be considered to be an effective leak-prevention mechanism [1], we still consider this type of potentially ineffective network isolation to be a problem.

ASA-2019-00108 – Drupal: Remote code execution if REST module is enabled

Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: the site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

ASA-2019-00107 – Jenkins: Cross-Site Scripting (XSS) vulnerability in Warnings Next Generation Plugin

Warnings Next Generation Plugin did not properly escape HTML content in warnings displayed on the Jenkins UI, resulting in a cross-site scripting vulnerability exploitable by users able to control warnings parser input.