Chris Moberly

**Name of the Vulnerable Software and Affected Versions** Google Cloud Platform's guest-oslogin versions 20190304 through 20200507 **Description** A vulnerability in Google Cloud Platform's guest-oslogin allows a user with the role "roles/compute.osLogin" to escalate privileges to root. This is achieved by using their membership to the "adm" group to read the DHCP XID from the systemd journal, then setting the IP address and hostname of the instance to any value, which is stored in /etc/hosts. An attacker can then impersonate the GCE metadata server by pointing metadata.google.internal to an arbitrary IP address, making it possible to instruct the OS Login PAM module to grant administrative privileges. **Recommendations** For versions 20190304 through 20200507, edit /etc/group/security.conf and remove the "adm" user from the OS Login entry if an update is not possible. For all affected versions, update to an image created after 2020-May-07 (20200507) to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Google Cloud OS guest-oslogin versions 20190304 through 20200507 Description: The issue is related to incorrect default permission settings in the guest-oslogin feature of Google Cloud OS. This allows an attacker to escalate privileges to root. By being a member of the `lxd` group, an attacker can attach host devices and filesystems. Within an `lxc` container, it is possible to attach the host OS filesystem and modify `/etc/sudoers` to gain administrative privileges. Recommendations: For versions 20190304 through 20200507, update to an image created after 2020-May-07. As a temporary workaround for versions that cannot be updated, edit `/etc/group/security.conf` and remove the `lxd` user from the OS Login entry.

Name of the Vulnerable Software and Affected Versions: Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 Description: A vulnerability in Google Cloud Platform's guest-oslogin allows a user with the role "roles/compute.osLogin" to escalate privileges to root. Using their membership to the "docker" group, an attacker with this role is able to run docker and mount the host OS. Within docker, it is possible to modify the host OS filesystem and modify /etc/groups to gain administrative privileges. Recommendations: For versions between 20190304 and 20200507, if an update to a newer version is not possible, edit /etc/group/security.conf and remove the "docker" user from the OS Login entry to mitigate the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability, but it is known that all images created after 2020-May-07 are fixed.

**Name of the Vulnerable Software and Affected Versions** SolarWinds Serv-U FTP Server version 15.1.6.25 **Description** The local management interface in SolarWinds Serv-U FTP Server has incorrect access controls, allowing local users to bypass authentication and execute code in the context of the Windows SYSTEM account, leading to privilege escalation. An attacker must have local access to the host running Serv-U and a Serv-U administrator must have an active management console session to exploit this issue. **Recommendations** For SolarWinds Serv-U FTP Server version 15.1.6.25, consider restricting local access to the host and ensuring that Serv-U administrator management console sessions are properly secured and monitored until a fix is available. As a temporary workaround, limit the use of the local management interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SolarWinds Serv-U FTP Server version 15.1.6 **Description** The issue allows remote authenticated users to execute arbitrary code by leveraging the Import feature and modifying a CSV file. **Recommendations** For SolarWinds Serv-U FTP Server version 15.1.6, consider disabling the Import feature as a temporary workaround until a patch is available. Restrict access to the Import feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SolarWinds Serv-U FTP Server version 15.1.6.25 **Description** The issue concerns reflected cross-site scripting (XSS) in the Web management interface. This occurs via the URL path and an HTTP POST parameter. **Recommendations** For SolarWinds Serv-U FTP Server version 15.1.6.25, consider disabling access to the Web management interface until a patch is available. Restrict the use of HTTP POST parameters in this interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Canonical snapd versions prior to 2.37.1 **Description** The issue is related to insufficient access control in the snapd utility, which can be exploited to elevate privileges using a specially crafted file. This allows an attacker to run arbitrary commands as root due to incorrect socket owner validation. **Recommendations** For versions prior to 2.37.1, update to version 2.37.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the snapd socket to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Vuze Bittorrent Client version 5.7.6.0 **Description** The XML parsing engine for SSDP/UPnP functionality in Vuze Bittorrent Client is vulnerable to an XML External Entity Processing (XXE) attack. This allows remote, unauthenticated attackers to access arbitrary files from the filesystem with the same permission as the user account running Vuze. Additionally, attackers can initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or relay a NetNTLM challenge/response to achieve Remote Command Execution in Windows domains. **Recommendations** For Vuze Bittorrent Client version 5.7.6.0, consider disabling the SSDP/UPnP functionality as a temporary workaround until a patch is available. Restrict access to sensitive files and directories to minimize the risk of exploitation. Avoid using the vulnerable XML parsing engine for SSDP/UPnP functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Plex Media Server version 1.13.2.5154 **Description** The XML parsing engine for SSDP/UPnP functionality in the affected software is susceptible to an XML External Entity Processing (XXE) attack. This allows remote, unauthenticated attackers to access arbitrary files from the filesystem with the same permission as the user account running the software. Additionally, attackers can initiate SMB connections to capture a NetNTLM challenge/response, potentially leading to cleartext password cracking, or relay a NetNTLM challenge/response to achieve Remote Command Execution in Windows domains. **Recommendations** For Plex Media Server version 1.13.2.5154, consider disabling the SSDP/UPnP functionality as a temporary workaround until a patch is available. Restrict access to the XML parsing engine to minimize the risk of exploitation. Avoid using the affected XML parsing engine for SSDP/UPnP functionality until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Universal Media Server version 7.1.0 **Description** The XML parsing engine for SSDP/UPnP functionality in Universal Media Server is vulnerable to an XML External Entity Processing (XXE) attack. This allows remote, unauthenticated attackers to access arbitrary files from the filesystem with the same permission as the user account running the software, initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains. **Recommendations** For Universal Media Server version 7.1.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sitecore Sitecore.NET versions 8.1 rev. 151207 Hotfix 141178-1 and above **Description** An issue allows an attacker to perform a directory traversal attack using the 'Log Viewer' application. This is achieved by accessing a specific URI, "sitecore/shell/default.aspx?xmlcontrol=LogViewerDetails&file=", and manipulating the `file` parameter. The validation filter can be bypassed by including a valid log filename and then appending a traditional 'dot dot' style attack, enabling access to arbitrary files from the host Operating System. **Recommendations** For Sitecore Sitecore.NET versions 8.1 rev. 151207 Hotfix 141178-1 and above, consider restricting access to the 'Log Viewer' application until a patch is available. As a temporary workaround, avoid using the `file` parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.