Chris Moberly

**Nome do software vulnerável e versões afetadas** Versões do guest-oslogin do Google Cloud Platform de 20190304 a 20200507 **Descrição** Uma vulnerabilidade no guest-oslogin do Google Cloud Platform permite que um usuário com a função “roles/compute.osLogin” eleve seus privilégios para root. Isso é feito usando sua participação no grupo “adm” para ler o XID do DHCP no journal do systemd e, em seguida, definir o endereço IP e o nome do host da instância para qualquer valor, que é armazenado em /etc/hosts. Um invasor pode então se passar pelo servidor de metadados do GCE, direcionando metadata.google.internal para um endereço IP arbitrário, tornando possível instruir o módulo PAM do OS Login a conceder privilégios administrativos. **Recomendações** Para as versões 20190304 a 20200507, edite /etc/group/security.conf e remova o usuário “adm” da entrada OS Login caso não seja possível realizar uma atualização. Para todas as versões afetadas, atualize para uma imagem criada após 7 de maio de 2020 (20200507) para resolver o problema.

**Nome do software vulnerável e versões afetadas: Google Cloud OS guest-oslogin, versões 20190304 a 20200507 Descrição: O problema está relacionado a configurações de permissão padrão incorretas no recurso guest-oslogin do Google Cloud OS. Isso permite que um invasor eleve seus privilégios para root. Ao ser membro do grupo `lxd`, um invasor pode conectar dispositivos e sistemas de arquivos do host. Dentro de um contêiner `lxc`, é possível conectar o sistema de arquivos do SO do host e modificar o arquivo `/etc/sudoers` para obter privilégios administrativos. Recomendações: Para as versões 20190304 a 20200507, atualize para uma imagem criada após 7 de maio de 2020. Como solução alternativa temporária para versões que não podem ser atualizadas, edite `/etc/group/security.conf` e remova o usuário `lxd` da entrada OS Login.

**Nome do software vulnerável e versões afetadas: Versões do guest-oslogin do Google Cloud Platform entre 20190304 e 20200507 Descrição: Uma vulnerabilidade no guest-oslogin do Google Cloud Platform permite que um usuário com a função “roles/compute.osLogin” eleve seus privilégios para root. Usando sua participação no grupo “docker”, um invasor com essa função é capaz de executar o docker e montar o sistema operacional do host. Dentro do docker, é possível modificar o sistema de arquivos do sistema operacional do host e alterar o arquivo /etc/groups para obter privilégios administrativos. Recomendações: Para versões entre 20190304 e 20200507, se não for possível atualizar para uma versão mais recente, edite o arquivo /etc/group/security.conf e remova o usuário “docker” da entrada OS Login para mitigar o problema. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade, mas sabe-se que todas as imagens criadas após 7 de maio de 2020 estão corrigidas.

**Name of the Vulnerable Software and Affected Versions** SolarWinds Serv-U FTP Server version 15.1.6.25 **Description** The local management interface in SolarWinds Serv-U FTP Server has incorrect access controls, allowing local users to bypass authentication and execute code in the context of the Windows SYSTEM account, leading to privilege escalation. An attacker must have local access to the host running Serv-U and a Serv-U administrator must have an active management console session to exploit this issue. **Recommendations** For SolarWinds Serv-U FTP Server version 15.1.6.25, consider restricting local access to the host and ensuring that Serv-U administrator management console sessions are properly secured and monitored until a fix is available. As a temporary workaround, limit the use of the local management interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SolarWinds Serv-U FTP Server version 15.1.6 **Description** The issue allows remote authenticated users to execute arbitrary code by leveraging the Import feature and modifying a CSV file. **Recommendations** For SolarWinds Serv-U FTP Server version 15.1.6, consider disabling the Import feature as a temporary workaround until a patch is available. Restrict access to the Import feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SolarWinds Serv-U FTP Server version 15.1.6.25 **Description** The issue concerns reflected cross-site scripting (XSS) in the Web management interface. This occurs via the URL path and an HTTP POST parameter. **Recommendations** For SolarWinds Serv-U FTP Server version 15.1.6.25, consider disabling access to the Web management interface until a patch is available. Restrict the use of HTTP POST parameters in this interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Canonical snapd versions prior to 2.37.1 **Description** The issue is related to insufficient access control in the snapd utility, which can be exploited to elevate privileges using a specially crafted file. This allows an attacker to run arbitrary commands as root due to incorrect socket owner validation. **Recommendations** For versions prior to 2.37.1, update to version 2.37.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the snapd socket to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Vuze Bittorrent Client version 5.7.6.0 **Description** The XML parsing engine for SSDP/UPnP functionality in Vuze Bittorrent Client is vulnerable to an XML External Entity Processing (XXE) attack. This allows remote, unauthenticated attackers to access arbitrary files from the filesystem with the same permission as the user account running Vuze. Additionally, attackers can initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or relay a NetNTLM challenge/response to achieve Remote Command Execution in Windows domains. **Recommendations** For Vuze Bittorrent Client version 5.7.6.0, consider disabling the SSDP/UPnP functionality as a temporary workaround until a patch is available. Restrict access to sensitive files and directories to minimize the risk of exploitation. Avoid using the vulnerable XML parsing engine for SSDP/UPnP functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Plex Media Server version 1.13.2.5154 **Description** The XML parsing engine for SSDP/UPnP functionality in the affected software is susceptible to an XML External Entity Processing (XXE) attack. This allows remote, unauthenticated attackers to access arbitrary files from the filesystem with the same permission as the user account running the software. Additionally, attackers can initiate SMB connections to capture a NetNTLM challenge/response, potentially leading to cleartext password cracking, or relay a NetNTLM challenge/response to achieve Remote Command Execution in Windows domains. **Recommendations** For Plex Media Server version 1.13.2.5154, consider disabling the SSDP/UPnP functionality as a temporary workaround until a patch is available. Restrict access to the XML parsing engine to minimize the risk of exploitation. Avoid using the affected XML parsing engine for SSDP/UPnP functionality until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Universal Media Server version 7.1.0 **Description** The XML parsing engine for SSDP/UPnP functionality in Universal Media Server is vulnerable to an XML External Entity Processing (XXE) attack. This allows remote, unauthenticated attackers to access arbitrary files from the filesystem with the same permission as the user account running the software, initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. **Recommendations** For Universal Media Server version 7.1.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sitecore Sitecore.NET versions 8.1 rev. 151207 Hotfix 141178-1 and above **Description** An issue allows an attacker to perform a directory traversal attack using the 'Log Viewer' application. This is achieved by accessing a specific URI, "sitecore/shell/default.aspx?xmlcontrol=LogViewerDetails&file=", and manipulating the `file` parameter. The validation filter can be bypassed by including a valid log filename and then appending a traditional 'dot dot' style attack, enabling access to arbitrary files from the host Operating System. **Recommendations** For Sitecore Sitecore.NET versions 8.1 rev. 151207 Hotfix 141178-1 and above, consider restricting access to the 'Log Viewer' application until a patch is available. As a temporary workaround, avoid using the `file` parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.