A security feature bypass issue in WhatsApp Desktop versions prior to v0.3.4932 could have allowed for sandbox escape in Electron and escalation of privilege if combined with a remote code execution vulnerability inside the sandboxed renderer process.
Tag: Security Bypass
ASA-2020-00039 – Linux kernel: SELinux netlink permission check bypass because SELinux incorrectly assumed that an skb would only contain a single netlink message
A flaw was found in the Linux kernel's SELinux LSM hook implementation, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly validate only the first netlink message in the skb and then allow or deny the rest of the messages within the skb with the granted permission, without further processing.
ASA-2019-00399 – Magento: Security bypass via form data injection
An authenticated user can inject form data and bypass security protections that prevent arbitrary PHP script upload.
ASA-2019-00271 – FreeBSD: ICMP/ICMP6 packet filter bypass in pf
pf(4) is an Internet Protocol packet filter originally written for OpenBSD. In addition to filtering packets, it also has packet normalization capabilities. States in pf(4) let ICMP and ICMP6 packets pass if they have a packet in their payload matching an existing condition. pf(4) does not check if the outer ICMP or ICMP6 packet has the same destination IP as the source IP of the inner protocol packet. A maliciously crafted ICMP/ICMP6 packet could bypass the packet filter rules and be passed to a host that would otherwise be unavailable.
ASA-2019-00270 – FreeBSD: IPv6 fragment reassembly panic in pf(4)
A bug in the pf(4) IPv6 fragment reassembly logic incorrectly uses the last extension header offset from the last received packet instead of from the first packet. Malicious IPv6 packets with different IPv6 extensions could cause a kernel panic or potentially a filtering rule bypass. Only systems using the pf(4) firewall that include packet scrubbing with the recommended 'scrub all in' or similar rules are affected.
ASA-2019-00234 – BIND: Limiting simultaneous TCP clients is ineffective
By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contains an error which can be exploited to grow the number of simultaneous connections beyond this limit.
ASA-2019-00017 – PowerDNS: Insufficient validation of DNSSEC signatures
An issue has been found in PowerDNS Recursor where records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation.
ASA-2019-00016 – PowerDNS: Lua hooks are not applied in certain configurations
An issue has been found in PowerDNS Recursor where Lua hooks are not properly applied to queries received over TCP under a specific combination of settings, possibly bypassing security policies enforced using Lua. When the recursor is configured to run with more than one thread (threads=X) and to distribute incoming queries to the worker threads itself (pdns-distributes-queries=yes), the Lua script is not properly loaded in the thread handling incoming TCP queries, so the Lua hooks are not applied to those queries.