Rich Mirch

**Name of the Vulnerable Software and Affected Versions** Sudo versions prior to 1.9.17p1 **Description** An issue exists where local users can obtain root access by exploiting the `--chroot` (or `-R`) option. The flaw allows an attacker to place a malicious `nsswitch.conf` configuration file within a user-controlled directory, which is then used by the system when the chroot option is invoked. This enables the execution of arbitrary commands as root, bypassing the permissions typically enforced by the sudoers file. This issue has been reported as actively exploited in the wild. **Recommendations** Upgrade Sudo to version 1.9.17p1 or later. As a temporary containment measure, remove the SUID bit from `/usr/bin/sudo` to prevent privilege elevation.

**Name of the Vulnerable Software and Affected Versions:** Sudo versions 1.8.8 through 1.9.17 **Description:** Sudo, a program designed to provide limited super user privileges, contains a vulnerability due to incorrect handling of the host (-h or --host) option. This flaw allows a local user to potentially escalate privileges by bypassing host restrictions when using the sudo command or sudoedit. The vulnerability stems from the host option not being restricted to listing privileges only, enabling execution of commands on unintended machines. This issue has existed for over 12 years. **Recommendations:** Upgrade to Sudo version 1.9.17p1 or later to address this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apport (affected versions not specified) **Description** The `process crash()` function within the data/apport component of the Apport crash reporting tool may create crash files with incorrect group ownership. This could lead to the exposure of crash information to groups beyond those with intended access. This issue was discovered during the investigation of another issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Microsoft Defender for Endpoint (affected versions not specified) Description: The issue concerns an elevation of privilege in Microsoft Defender for Endpoint. No specific details about the technical aspects of the issue, such as API endpoints, vulnerable parameters, or function names, are provided. There is also no information available about the estimated number of potentially affected devices worldwide or any real-world incidents where this issue was exploited. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Microsoft Defender for Endpoint (affected versions not specified) Description: The issue allows an authorized attacker to elevate privileges locally through external control of file name or path. The vulnerability exists in the `grab java version()` function. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Kaseya Unitrends Backup Appliance versions prior to 10.5.5 **Description** An issue was discovered in the Kaseya Unitrends Backup Appliance, where multiple functions in the bpserverd daemon were vulnerable to arbitrary remote code execution as root. The vulnerability was caused by untrusted input being passed to system calls. **Recommendations** For versions prior to 10.5.5, update to version 10.5.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the bpserverd daemon to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Kaseya Unitrends Backup Appliance versions prior to 10.5.5 **Description** An issue was discovered in the Samba file sharing service, allowing anonymous read/write access. **Recommendations** For versions prior to 10.5.5, update to version 10.5.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the Samba file sharing service until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Kaseya Unitrends Backup Appliance versions prior to 10.5.5 **Description** An issue was discovered where the privileged vaultServer could be leveraged to create arbitrary writable files, leading to privilege escalation. **Recommendations** For versions prior to 10.5.5, update to version 10.5.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the vaultServer to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Kaseya Unitrends Backup Appliance versions prior to 10.5.5 **Description** An issue was discovered in the Kaseya Unitrends Backup Appliance where the `wguest` account could execute commands by injecting into PostgreSQL trigger functions, allowing privilege escalation from the `wguest` user to the `postgres` user. **Recommendations** For versions prior to 10.5.5, update to version 10.5.5 or later to resolve the issue. As a temporary workaround, consider restricting access to PostgreSQL trigger functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Kaseya Unitrends Backup Appliance versions prior to 10.5.5 **Description** An issue was discovered in the software where the apache user could read arbitrary files, such as /etc/shadow, by abusing an insecure Sudo rule. **Recommendations** For versions prior to 10.5.5, update to version 10.5.5 or later to resolve the issue. As a temporary workaround, consider restricting the privileges of the apache user to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Kaseya Unitrends Backup Appliance versions prior to 10.5.5 **Description** An issue was discovered in the Kaseya Unitrends Backup Appliance, where a world writable file allowed local users to execute arbitrary code as the user apache, leading to privilege escalation. **Recommendations** For versions prior to 10.5.5, update to version 10.5.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the world writable file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Kaseya Unitrends Backup Appliance versions prior to 10.5.5 **Description** An issue was discovered in the Kaseya Unitrends Backup Appliance where the password for the PostgreSQL `wguest` account is weak. **Recommendations** For versions prior to 10.5.5, update to version 10.5.5 or later to resolve the issue. As a temporary workaround, consider changing the password for the PostgreSQL `wguest` account to a stronger one until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Kaseya Unitrends Backup Appliance versions prior to 10.5.5 **Description** An issue was discovered in the software, involving two unauthenticated SQL injection vulnerabilities. These vulnerabilities allow arbitrary SQL queries to be injected and executed under the postgres superuser account, leading to remote code execution and full access to the postgres user account. **Recommendations** For versions prior to 10.5.5, update to version 10.5.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the postgres superuser account to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) versions 9.7, 10.1, 10.5, 11.1, and 11.5 **Description** The issue allows a local user to execute arbitrary code and conduct DLL hijacking attacks. **Recommendations** For versions 9.7, 10.1, 10.5, 11.1, and 11.5, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Palo Alto Networks GlobalProtect app versions prior to 5.0.10 on Windows Palo Alto Networks GlobalProtect app versions prior to 5.1.4 on Windows **Description** The issue exists due to insufficient checking of a shared resource's state, leading to a race condition vulnerability. This vulnerability can be exploited by a local limited Windows user to execute programs with SYSTEM privileges, but only during a GlobalProtect app upgrade. **Recommendations** For GlobalProtect app versions prior to 5.0.10 on Windows, update to version 5.0.10 or later. For GlobalProtect app versions prior to 5.1.4 on Windows, update to version 5.1.4 or later.

**Name of the Vulnerable Software and Affected Versions** VMware Fusion versions 11.x before 11.5.5 VMware Remote Console for Mac versions 11.x and prior VMware Horizon Client for Mac versions 5.x and prior **Description** The issue is related to insufficient access control in VMware products, allowing for local privilege escalation. Exploitation of this issue may enable an attacker to elevate their privileges to root level on the system. The vulnerability is due to a Time-of-check Time-of-use (TOCTOU) issue in the service opener. **Recommendations** For VMware Fusion versions 11.x before 11.5.5, update to version 11.5.5 or later. For VMware Remote Console for Mac versions 11.x and prior, update to a version later than 11.x. For VMware Horizon Client for Mac versions 5.x and prior, update to a version later than 5.x.

**Name of the Vulnerable Software and Affected Versions** VMware Fusion versions 11.x before 11.5.2 VMware Remote Console for Mac versions 11.x and prior before 11.0.1 Horizon Client for Mac versions 5.x and prior before 5.4.0 **Description** The issue is due to improper use of setuid binaries, which may allow attackers with normal user privileges to escalate their privileges to root on the system where the software is installed. Successful exploitation of this issue can lead to privilege escalation. **Recommendations** For VMware Fusion versions 11.x before 11.5.2, update to version 11.5.2 or later. For VMware Remote Console for Mac versions 11.x and prior before 11.0.1, update to version 11.0.1 or later. For Horizon Client for Mac versions 5.x and prior before 5.4.0, update to version 5.4.0 or later.

**Name of the Vulnerable Software and Affected Versions** Viscosity version 1.8.2 **Description** The issue allows an unprivileged user to set certain OpenVPN parameters, potentially loading a malicious library into the OpenVPN process memory. This can lead to limited local privilege escalation. When a VPN connection is initiated using a TLS/SSL client profile, the privileges are dropped, and the library will be loaded, resulting in arbitrary code execution as a user with limited privileges. **Recommendations** For Viscosity version 1.8.2, consider restricting the ability of unprivileged users to set OpenVPN parameters until a patch is available. As a temporary workaround, avoid using TLS/SSL client profiles for VPN connections to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Signal Desktop versions prior to 1.29.1 **Description** The issue allows local users to gain privileges by creating a Trojan horse file, specifically `%SYSTEMDRIVE% ode modules.binwmic.exe`. **Recommendations** For versions prior to 1.29.1, update to version 1.29.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** postgresql-common versions prior to 210 **Description** The issue is related to the pg ctlcluster script in postgresql-common, which failed to drop privileges when creating temporary directories for sockets and statistics. This could lead to local privilege escalation. An attacker could exploit this issue to access confidential data, compromise its integrity, and cause a denial of service. **Recommendations** For versions prior to 210, update to version 210 or later to resolve the issue. As a temporary workaround, consider restricting access to the pg ctlcluster script to minimize the risk of exploitation.