Topics in this week’s security digest include:
- a race condition in the Linux kernel’s memory subsystem;
- a path traversal vulnerability in the UnRAR software leading to a zero-day in Zimbra; and
- discovery of an architectural bug in Intel’s CPUs.
Linux Kernel Vulnerability – CVE-2022-2590
David Hildenbrand of Red Hat, with participation from Amit Nadav of VMware, recently disclosed a vulnerability in Linux kernel versions 5.16 and later that lets an adversary modify the contents of shared-memory (shmem/tmpfs) files to which they have only read access. Described by its finder as a "Dirty COW vulnerability restricted to tmpfs/shmem", the flaw (CVE-2022-2590) can allow a local, unprivileged user to escalate privileges by winning a race condition in the copy-on-write handling of the kernel's memory-management subsystem. The x86-64 and aarch64 platforms are affected.
Copy-on-write is a resource-management strategy used in databases, filesystems and operating systems. In the kernel's case, processes that map the same file share a single physical copy of each page; when one of them writes to a private mapping, a page fault occurs and the kernel gives the writer its own copy of the page before applying the write. The original page, and therefore the file behind it, stays untouched, so one process's private modifications never become visible to others and a read-only file cannot be changed through a mapping of it. A COW bug such as this one inverts that guarantee: a write that should have landed in a private copy lands in the shared page instead, so a user who can only read a file ends up changing it. The effect of this vulnerability is limited to files on tmpfs/shmem, which most commonly backs the /tmp, /var/lock, /var/run and /dev/shm directories as well as POSIX shared memory and memfd objects.
A prerequisite for exploitation is a kernel built with CONFIG_USERFAULTFD=y, which lets a user-space process intercept and stall page faults through the userfaultfd system call; stalling a fault at the right moment is what widens the race window enough to win it. Whether unprivileged processes may use userfaultfd is additionally governed by the vm.unprivileged_userfaultfd sysctl (default 0 since Linux 5.11, which still permits user-mode-only registration via UFFD_USER_MODE_ONLY), so check both the build option and the sysctl when assessing exposure.
More information can be found in the upstream fix commit.
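The following program is an added example, not code from the digest or from the kernel tree. It exercises the copy-on-write guarantee described above that CVE-2022-2590 violated for shmem files: first an ordinary write through a writable MAP_PRIVATE mapping, then a write into a read-only MAP_PRIVATE mapping through /proc/self/mem, which is the forced-write path (FOLL_FORCE) that ptrace uses and that the original Dirty COW abused. In both cases the mapping must show the new bytes while the file itself must still hold the original ones. It assumes a Linux host, that /dev/shm is a tmpfs mount (falling back to /tmp otherwise), and that /proc/self/mem is writable; the second check reports -1 rather than a verdict where it is not.

```c
/* Added example, not from the digest or the kernel tree: checks that a write
 * to a MAP_PRIVATE mapping of a (tmpfs) file is isolated from the file.
 * Assumptions: Linux; /dev/shm is tmpfs (else /tmp); /proc/self/mem writable. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static const char ORIGINAL[] = "original shared contents";
static const char PRIVATE[]  = "private copy only";

/* Create an unlinked scratch file of `len` bytes whose first bytes are ORIGINAL. */
static int open_scratch(size_t len) {
    char shm_path[] = "/dev/shm/cow-demo-XXXXXX";
    char tmp_path[] = "/tmp/cow-demo-XXXXXX";
    int fd = mkstemp(shm_path);
    if (fd >= 0) {
        unlink(shm_path);
    } else {
        fd = mkstemp(tmp_path);          /* fallback when /dev/shm is unavailable */
        if (fd < 0) return -1;
        unlink(tmp_path);
    }
    if (ftruncate(fd, (off_t)len) != 0 ||
        pwrite(fd, ORIGINAL, sizeof ORIGINAL, 0) != (ssize_t)sizeof ORIGINAL) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if the file still holds ORIGINAL, 0 if it was modified, -1 on read error. */
static int file_still_original(int fd) {
    char buf[sizeof ORIGINAL];
    if (pread(fd, buf, sizeof buf, 0) != (ssize_t)sizeof buf) return -1;
    return memcmp(buf, ORIGINAL, sizeof ORIGINAL) == 0;
}

/* 1 = COW held (mapping changed, file not), 0 = file was modified, -1 = error. */
static int verdict(const char *map, int fd) {
    int mapping_has_private = memcmp(map, PRIVATE, sizeof PRIVATE) == 0;
    int file_ok = file_still_original(fd);
    if (file_ok < 0 || !mapping_has_private) return -1;
    return file_ok;
}

/* Ordinary COW: a write through a writable MAP_PRIVATE mapping. */
int cow_private_write_isolated(void) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    int fd = open_scratch(pg);
    if (fd < 0) return -1;
    char *map = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }
    memcpy(map, PRIVATE, sizeof PRIVATE);   /* write fault: kernel copies the page */
    int result = verdict(map, fd);
    munmap(map, pg);
    close(fd);
    return result;
}

/* Forced write into a read-only MAP_PRIVATE mapping via /proc/self/mem
 * (the FOLL_FORCE path). Returns -1 (skipped) where that file cannot be written. */
int cow_forced_write_isolated(void) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    int fd = open_scratch(pg);
    if (fd < 0) return -1;
    char *map = mmap(NULL, pg, PROT_READ, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }
    int result = -1;
    int mem = open("/proc/self/mem", O_RDWR);
    if (mem >= 0) {
        ssize_t n = pwrite(mem, PRIVATE, sizeof PRIVATE, (off_t)(uintptr_t)map);
        close(mem);
        if (n == (ssize_t)sizeof PRIVATE) result = verdict(map, fd);
    }
    munmap(map, pg);
    close(fd);
    return result;
}

int main(void) {
    printf("MAP_PRIVATE write isolated from file:    %d\n", cow_private_write_isolated());
    printf("/proc/self/mem write isolated from file: %d\n", cow_forced_write_isolated());
    return 0;
}
```

On a patched kernel both checks print 1. The file is unlinked immediately after creation, so the demo leaves nothing behind on the tmpfs mount; a result of 0 from either check would mean a private write reached the shared page, which is exactly the symptom the advisory describes.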
Path Traversal Vulnerability in UnRAR
A path traversal vulnerability in the Unix/Linux versions of the UnRAR utility was disclosed by Simon Scannell, a SonarSource researcher, in late June. The vulnerability, tracked as CVE-2022-30333, is triggered when a user or a service extracts a maliciously crafted RAR archive, and results in files being created outside the target extraction directory.
Zimbra is a popular collaboration suite and email platform for Linux. It has been targeted by an ongoing zero-day attack campaign that exploits unpatched UnRAR installations on Zimbra servers, which prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the UnRAR flaw to its Known Exploited Vulnerabilities Catalog.
Per the SonarSource blog, a threat actor can send an email carrying a malicious .rar attachment to a Zimbra instance. The message passes through the Amavis service, which parses and checks incoming mail and, without any user interaction, extracts attachments so they can be scanned for spam or malware. Because Amavis relies on UnRAR to extract .rar attachments, a crafted archive lets the attacker drop arbitrary files on the server and from there achieve remote code execution, compromising the Zimbra instance before any mailbox user has opened the message.
RarLab addressed the vulnerability in UnRAR source release 6.1.7, which corresponds to version 6.12 of the released binaries. Zimbra has mitigated the flaw in the latest updates to its services and platform.
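The following is an added example of the check an archive extractor needs before writing an entry, described above as "creation of files outside the target extraction folder"; it is not UnRAR's or Zimbra's code. A typical way such filters fail is that separator normalization (treating a backslash like a slash, which RAR archives created on Windows require) runs after the traversal check, so the check here normalizes first and then inspects every path component. The destination directory and sample entry names are constructed for the example.

```c
/* Added example, not UnRAR's code: validate archive entry names before they are
 * joined onto the extraction directory. '\' is treated exactly like '/' *before*
 * the ".." check, so "..\..\etc\x" cannot pass a filter that only knows "../". */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Accept `name` (with explicit length, so an embedded NUL is caught) only if it
 * is relative, carries no drive letter and contains no ".." component under
 * either separator. "." components cannot escape and are allowed. */
bool entry_name_is_safe(const char *name, size_t len) {
    if (len == 0 || strlen(name) != len) return false;            /* empty, or "a\0../x" */
    if (name[0] == '/' || name[0] == '\\') return false;           /* absolute or UNC path */
    if (len >= 2 && isalpha((unsigned char)name[0]) && name[1] == ':') return false; /* C:... */
    size_t start = 0;
    for (size_t i = 0; i <= len; i++) {
        bool at_sep = (i == len) || name[i] == '/' || name[i] == '\\';
        if (!at_sep) continue;
        if (i - start == 2 && name[start] == '.' && name[start + 1] == '.') return false;
        start = i + 1;
    }
    return true;
}

bool entry_cstr_is_safe(const char *name) {
    return entry_name_is_safe(name, strlen(name));
}

/* Build "dest/name" with separators normalised to '/'. A truncated result is
 * rejected too, because it is no longer the path the archive named. */
bool join_under_dest(const char *dest, const char *name, char *out, size_t outsz) {
    if (!entry_cstr_is_safe(name)) return false;
    int n = snprintf(out, outsz, "%s/%s", dest, name);
    if (n < 0 || (size_t)n >= outsz) return false;
    for (char *p = out; *p; p++)
        if (*p == '\\') *p = '/';
    return true;
}

int main(void) {
    /* Constructed sample entry names, including Windows-style separators. */
    const char *samples[] = { "docs/readme.txt", "../etc/cron.d/x", "..\\..\\tmp\\x",
                              "/etc/passwd", "C:\\Windows\\x", "a/..\\b", "a/./b", "dir/" };
    char out[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool ok = join_under_dest("/srv/extract", samples[i], out, sizeof out);
        printf("%-18s -> %s\n", samples[i], ok ? out : "REJECTED");
    }
    return 0;
}
```

Name validation is necessary but not sufficient: an archive can also plant a symbolic link in the destination and then write a later entry through it. A hardened extractor therefore opens the destination once, creates every file with openat() relative to that directory descriptor using O_NOFOLLOW and O_EXCL, and applies the same component check to symlink targets (or refuses to create symlinks at all).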
ÆPIC Leak, an Architectural Bug in Intel CPUs
An architectural bug affecting 10th-, 11th- and 12th-generation Intel CPUs was discovered jointly by researchers from Sapienza University of Rome, Graz University of Technology, Amazon Web Services and the CISPA Helmholtz Center for Information Security. The flaw lies in the Advanced Programmable Interrupt Controller (APIC), the CPU component responsible for accepting, prioritizing and dispatching interrupts to the processor cores. Exploitation requires privileged (administrator or root) access to the APIC's memory-mapped I/O (MMIO) registers and can disclose sensitive data held in the processor. Since an attacker with that level of access can already read ordinary memory, the meaningful impact is on Intel SGX enclaves, whose contents are meant to stay secret even from a compromised operating system.
As noted on the ÆPIC Leak website, this bug differs from Meltdown and Spectre in that the sensitive data is returned architecturally, by reading the APIC's MMIO range, without relying on transient execution or side channels. Additionally, hypervisors do not grant cloud workloads direct access to the underlying hardware's APIC; guests see a virtualized interrupt controller, so a cloud VM has no path to exploit the bug.
Intel has released a security advisory (INTEL-SA-00657, tracking the bug as CVE-2022-21233) and microcode updates to address this vulnerability.
Trending Vulnerabilities this Week
- CVE-2022-27925: Directory traversal in Zimbra Collaboration
- CVE-2022-37042: Potential directory traversal and remote code execution in Zimbra Collaboration suite
- CVE-2022-32893: Arbitrary code execution in Safari
- CVE-2022-28756: Local Privilege Escalation in Zoom Client for Meetings for macOS
- CVE-2022-30190: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability