In this week’s digest, we’ll focus on the following:
- Linux NetFilter use-after-free kernel vulnerability
- WordPress Core v6.2 XSS/CSRF/Directory Traversal vulnerabilities
- Linux OverlayFS vulnerability
CVE-2023-32233: Linux NetFilter Kernel Vulnerability
Background
NetFilter is a framework for packet filtering and network address translation built into the Linux kernel for managing network traffic. It is managed by userspace utilities such as iptables, UFW, and nft. Both iptables and nftables are based on NetFilter, with nftables being the more modern implementation. System administrators use these tools to configure local firewall rules and monitor network traffic.
Vulnerability
The vulnerability, tracked as CVE-2023-32233, is a use-after-free in the “nf_tables” module of NetFilter. nf_tables is enabled by default on most Linux operating systems. nf_tables accepts invalid configurations, which become problematic in some scenarios when an invalid batch operation is performed. If the invalid batch operation is crafted in a specific way, it can lead to a corrupted internal state within the Linux kernel. This happens because the nf_tables module does not properly handle anonymous sets (a type of set without a name that is assigned an identifier by the kernel).
The corrupted state can be exploited to perform arbitrary reads and writes of kernel-space memory, which can be used to escalate the privileges of a local user. All versions of the Linux kernel prior to version 6.3.1 are vulnerable.
It should be noted that an attacker needs to have already established access to a Linux system before attempting to exploit this vulnerability. Additionally, they need CAP_NET_ADMIN permissions and the ability to manipulate NetFilter directly through the third-party API.
The impact of this vulnerability is high, as it affects a module enabled by default on many Linux operating systems. Moreover, a proof-of-concept has been released, which increases the likelihood of this vulnerability being exploited in the wild.
Mitigation
- Updating the Linux kernel on your systems to version 6.3.2 or higher is highly recommended
- Disable unprivileged user namespaces
WordPress Core v6.2 XSS/CSRF/Directory Traversal Vulnerabilities
Background
WordPress consists of several components: Core, Database, Themes, and Plugins. WordPress Core is the foundation of the rest of the WordPress platform and enables all of the administrative and management functions.
Vulnerabilities
WordPress Core v6.2 has several vulnerabilities we will cover.
CVE-2023-2745: Directory Traversal
This vulnerability, tracked as CVE-2023-2745, allows an attacker to perform directory traversal on a WordPress site by exploiting the “wp_lang” parameter. Attackers can access and load arbitrary language translation files. Furthermore, if an attacker has sufficient access to upload translation files, this vulnerability can also be used to perform Cross-Site Scripting.
CVE Pending: Cross-Site Request Forgery (CSRF)
This vulnerability, which does not have a CVE ID at the time of writing, is caused by the lack of nonce validation on an AJAX function. The AJAX function, called “wp_ajax_set_attachment_thumbnail”, can be abused to allow unauthenticated users to update files associated with attachment thumbnails. This can only happen if an authenticated user performs an action, such as clicking a link.
WordPress has determined that this vulnerability is unlikely to be exploited in the wild, due to the complex sequence of events required for exploitation.
CVE Pending: Cross-Site Scripting (XSS)
This vulnerability, which does not have a CVE ID at the time of writing, is caused by improper validation of the protocol when processing the response from oEmbed discovery. oEmbed is a format type in WordPress that allows for the rendering of URLs from third-party sites. Typically, this is used when a user links another site in a comment, resulting in a preview of the linked site. Attackers with contributor or higher permissions can craft a malicious oEmbed payload at a third-party URL that causes arbitrary scripts to be executed when a user accesses that third-party URL.
NOTE: The original patch for these vulnerabilities, version 6.2.1, also fixed a minor vulnerability with shortcodes. The fix for the shortcode vulnerability broke functionality. In version 6.2.2, this issue is fixed.
Mitigation
- Updating WordPress to version 6.2.2 or above is highly recommended.
CVE-2023-0386: OverlayFS Vulnerability
Background
SetUID is a special file permission that allows any user with execute permissions to run a binary as the user or group that owns the file. If the SetUID bit is set on a binary owned by root, any user with execute permissions can run that binary as root.
OverlayFS is a way to merge multiple mount points on a Linux file system into one unified file system. It consists of several layers: lower, upper, and overlay.
- The “lower” layer contains the base mount points for your pre-existing data. Data is accessible upstream in the overlay layer.
- The “upper” layer is defined as part of the overlay filesystem. All files written to the overlay layer are copied to the upper layer. When files are modified in the lower layer, the changes are propagated to the overlay layer, and then the upper layer.
- The “overlay” layer is the top layer of the filesystem. It is composed of files from the upper and lower layers. All files can be accessed from the overlay layer.
Here is a simple diagram that shows how file changes are propagated through OverlayFS:
[Diagram: file changes propagating through the lower, upper, and overlay layers]
Vulnerability
This vulnerability is tracked as CVE-2023-0386; all versions of the Linux kernel prior to 6.2-rc6 are vulnerable. When adding a file to an OverlayFS filesystem, the overlay layer does not properly check the user/group validity in the current namespace before copying it to the upper layer. An attacker can add a binary with the SUID bit set to a lower layer, and then have that binary copied to the upper layer.
An attacker can create a new virtual filesystem and namespace, generate an SUID binary owned by root, and then mount it into an OverlayFS filesystem. The OverlayFS filesystem will not check whether the user/group ownership is valid in the current namespace, and copies the binary with permissions intact. The attacker can then execute the SUID binary from the upper layer and elevate their privileges.
Mitigation
- Updating the Linux kernel on your systems to the latest version is highly recommended.
- Disable unprivileged user namespaces.
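Both kernel sections (CVE-2023-32233 and CVE-2023-0386) end with the same two mitigations: update the kernel and disable unprivileged user namespaces. The POSIX shell script below is an added example, not part of the original digest, that checks a host against the fixed versions named above (6.3.2 for nf_tables, 6.2-rc6 for OverlayFS) and the namespace sysctls; the sysctl name kernel.unprivileged_userns_clone is a Debian/Ubuntu addition assumed here, while user.max_user_namespaces is the upstream knob.

```shell
# Added example, not from the original digest: checks a host against the two
# kernel mitigations above. Assumes the Debian/Ubuntu sysctl name
# kernel.unprivileged_userns_clone; user.max_user_namespaces is upstream.

# version_key VERSION: print "major minor patch rc" for "6.2-rc6", "6.3.2",
# "5.15.0-76-generic", ... A final release gets rc=999 so it sorts after its rcs.
version_key() {
    rc=999
    case "$1" in
        *-rc[0-9]*) rc=${1##*-rc}; rc=${rc%%[!0-9]*} ;;
    esac
    v=${1%%[-+]*}                 # drop "-rc6", "-76-generic", "+" suffixes
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    printf '%d %d %d %d\n' "${1:-0}" "${2:-0}" "${3:-0}" "$rc"
}

# version_lt A B: exit 0 when kernel version A is older than B.
version_lt() {
    set -- $(version_key "$1") $(version_key "$2")
    for pair in "$1 $5" "$2 $6" "$3 $7" "$4 $8"; do
        set -- $pair
        [ "$1" -lt "$2" ] && return 0
        [ "$1" -gt "$2" ] && return 1
    done
    return 1                      # equal versions are not "older"
}

# check_kernel: exit 0 when uname -r is at or above both fixed versions.
# Distribution kernels backport fixes, so a low version number is a prompt to
# read the vendor advisory, not proof that the host is exploitable.
check_kernel() {
    k=$(uname -r); status=0
    for fix in "6.3.2 CVE-2023-32233 (nf_tables)" "6.2-rc6 CVE-2023-0386 (OverlayFS)"; do
        set -- $fix
        if version_lt "$k" "$1"; then
            echo "kernel $k is below $1: $2 $3 fix may be missing"; status=1
        fi
    done
    return $status
}
# userns_disabled: exit 0 when unprivileged user namespaces are turned off,
# the second mitigation both kernel sections recommend.
userns_disabled() {
    clone=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null)
    max=$(sysctl -n user.max_user_namespaces 2>/dev/null)
    [ "$clone" = 0 ] || [ "$max" = 0 ]
}
userns_disabled || echo "unprivileged user namespaces are enabled"
check_kernel && userns_disabled && echo "both kernel mitigations in place"
```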