CVE-2021-42555: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 26.2 allows temporary remote Denial of Service (abort) because of missing call-setup input validation.


The following security bulletins are published by Pexip for issues affecting Pexip Infinity and Infinity Connect.

Please contact your Pexip authorized support representative for more information about these issues. For issues addressed in 2018 and earlier, see our documentation for previous releases.

More information specific to each of the vulnerabilities can be found via the NIST National Vulnerability Database: http://nvd.nist.gov/.

Pexip Infinity

Each bulletin addresses a number of vulnerabilities in the operating system software used by Pexip Infinity. The bulletins include an assessment of the issues, the impact to the Pexip Infinity platform, and resolution details.

| Bulletin | Description | Risk | Updated | Addressed in version |
|---|---|---|---|---|
| CVE-2021-42555 | Insufficient input validation in the call setup implementation allows an unauthenticated remote attacker to cause a software abort leading to a temporary loss of service. | High | November 2021 | 26.2 |
| CVE-2021-41773 | A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. | Medium | November 2021 | 26.2 |
| CVE-2021-42013 | It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. | Medium | November 2021 | 26.2 |
| CVE-2021-34798 | Malformed requests may cause the Apache web server to dereference a NULL pointer resulting in a denial of service. | High | September 2021 | 26.1 |
| CVE-2021-39275 | The ap_escape_quotes() function in the Apache httpd may write beyond the end of a buffer when given malicious input. | High | September 2021 | 26.1 |
| CVE-2021-40438 | A crafted HTTP request can cause the proxy module of Apache httpd to forward the request to an origin server chosen by the attacker. | Critical | September 2021 | 26.1 |
| CVE-2021-32545 | Incomplete input validation in the RTMP implementation allows an unauthenticated remote attacker to cause a denial of service. | High | July 2021 | 26 |
| CVE-2021-33498 | Incomplete input validation in the H.264 implementation allows an unauthenticated remote attacker to cause a denial of service. | High | July 2021 | 26 |
| CVE-2021-33499 | Incomplete input validation in the H.264 implementation allows an unauthenticated remote attacker to cause a denial of service. | High | July 2021 | 26 |
| CVE-2021-35969 | Insufficient input validation in the call setup implementation allows an unauthenticated remote attacker to cause a software abort leading to a temporary loss of service. | High | July 2021 | 26 |
| Multiple | Resolved minor issues: CVE-2018-1311, CVE-2018-12929, CVE-2018-12930, CVE-2018-12931, CVE-2019-12881, CVE-2019-16089, CVE-2019-17567, CVE-2019-19070, CVE-2019-19083, CVE-2019-19318, CVE-2019-19378, CVE-2019-20367, CVE-2019-20446, CVE-2019-20908, CVE-2020-0444, CVE-2020-0465, CVE-2020-0466, CVE-2020-0543, CVE-2020-8169, CVE-2020-8177, CVE-2020-8231, CVE-2020-8284, CVE-2020-8285, CVE-2020-8286, CVE-2020-8625, CVE-2020-10135, CVE-2020-11725, CVE-2020-12363, CVE-2020-12364, CVE-2020-13938, CVE-2020-13950, CVE-2020-14372, CVE-2020-15780, CVE-2020-16120, CVE-2020-24977, CVE-2020-25632, CVE-2020-25639, CVE-2020-25647, CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-25673, CVE-2020-26116, CVE-2020-26262, CVE-2020-27066, CVE-2020-27068, CVE-2020-27170, CVE-2020-27171, CVE-2020-27350, CVE-2020-27749, CVE-2020-27779, CVE-2020-27783, CVE-2020-27786, CVE-2020-27815, CVE-2020-27820, CVE-2020-27825, CVE-2020-27830, CVE-2020-27835, CVE-2020-28374, CVE-2020-28493, CVE-2020-28588, CVE-2020-28941, CVE-2020-29374, CVE-2020-29534, CVE-2020-29568, CVE-2020-29569, CVE-2020-29660, CVE-2020-29661, CVE-2020-35452, CVE-2020-35492, CVE-2020-35499, CVE-2020-35508, CVE-2020-35519, CVE-2020-36158, CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, CVE-2020-36230, CVE-2020-36310, CVE-2020-36311, CVE-2020-36312, CVE-2020-36313, CVE-2020-36322, CVE-2020-36385, CVE-2021-0342, CVE-2021-0512, CVE-2021-0605, CVE-2021-3177, CVE-2021-3178, CVE-2021-3347, CVE-2021-3348, CVE-2021-3411, CVE-2021-3428, CVE-2021-3444, CVE-2021-3483, CVE-2021-3489, CVE-2021-3490, CVE-2021-3491, CVE-2021-3501, CVE-2021-3506, CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-3520, CVE-2021-3537, CVE-2021-3541, CVE-2021-20177, CVE-2021-20194, CVE-2021-20225, CVE-2021-20226, CVE-2021-20233, CVE-2021-20239, CVE-2021-20261, CVE-2021-20265, CVE-2021-20268, CVE-2021-20292, CVE-2021-22876, CVE-2021-22890, CVE-2021-23133, CVE-2021-23134, CVE-2021-23839, CVE-2021-23840, CVE-2021-23841, CVE-2021-25214, CVE-2021-25215, CVE-2021-25216, CVE-2021-25217, CVE-2021-26690, CVE-2021-26691, CVE-2021-26930, CVE-2021-26931, CVE-2021-26932, CVE-2021-27212, CVE-2021-27218, CVE-2021-27219, CVE-2021-27363, CVE-2021-27364, CVE-2021-27365, CVE-2021-28038, CVE-2021-28039, CVE-2021-28041, CVE-2021-28153, CVE-2021-28375, CVE-2021-28660, CVE-2021-28688, CVE-2021-28950, CVE-2021-28951, CVE-2021-28952, CVE-2021-28957, CVE-2021-28964, CVE-2021-28971, CVE-2021-29154, CVE-2021-29155, CVE-2021-29265, CVE-2021-29266, CVE-2021-29646, CVE-2021-29647, CVE-2021-29649, CVE-2021-29650, CVE-2021-29657, CVE-2021-30002, CVE-2021-30178, CVE-2021-30641, CVE-2021-31440, CVE-2021-31535, CVE-2021-31618, CVE-2021-31829, CVE-2021-31870, CVE-2021-31871, CVE-2021-31872, CVE-2021-31873, CVE-2021-31916, CVE-2021-33033, CVE-2021-33200, CVE-2021-33560 | | July 2021 | 26 |
| CVE-2021-31925 | Incomplete input validation in the administrative web interface allows an unauthenticated remote attacker to cause a denial of service. | High | May 2021 | 25.4 |
| CVE-2021-3156 | Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via “sudoedit -s” and a command-line argument that ends with a single backslash character. | Low | February 2021 | 25.1 |
| CVE-2020-25705 | A flaw was found in the way reply ICMP packets are limited in the Linux kernel that allows open UDP ports to be scanned quickly. This flaw allows an off-path remote user to effectively bypass source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization is indirectly affected as well. Resolved minor issues: CVE-2017-18258, CVE-2018-1152, CVE-2018-14404, CVE-2018-14498, CVE-2018-14567, CVE-2019-0146, CVE-2019-0147, CVE-2019-0148, CVE-2019-0149, CVE-2019-16168, CVE-2019-18808, CVE-2019-18885, CVE-2019-19036, CVE-2019-19039, CVE-2019-19054, CVE-2019-19067, CVE-2019-19072, CVE-2019-19073, CVE-2019-19082, CVE-2019-19462, CVE-2019-19813, CVE-2019-19956, CVE-2019-20388, CVE-2019-20806, CVE-2019-20810, CVE-2019-20811, CVE-2019-20812, CVE-2019-20934, CVE-2020-0305, CVE-2020-0427, CVE-2020-10177, CVE-2020-10378, CVE-2020-10711, CVE-2020-10732, CVE-2020-10751, CVE-2020-10766, CVE-2020-10767, CVE-2020-10768, CVE-2020-10769, CVE-2020-10781, CVE-2020-10878, CVE-2020-12049, CVE-2020-12352, CVE-2020-12656, CVE-2020-12723, CVE-2020-12768, CVE-2020-12771, CVE-2020-12797, CVE-2020-12826, CVE-2020-12888, CVE-2020-13143, CVE-2020-13434, CVE-2020-13435, CVE-2020-13632, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-14314, CVE-2020-14331, CVE-2020-14344, CVE-2020-14363, CVE-2020-14381, CVE-2020-14385, CVE-2020-14390, CVE-2020-14416, CVE-2020-14422, CVE-2020-15358, CVE-2020-15393, CVE-2020-15436, CVE-2020-15437, CVE-2020-15706, CVE-2020-15707, CVE-2020-15999, CVE-2020-16166, CVE-2020-1968, CVE-2020-1971, CVE-2020-25211, CVE-2020-25284, CVE-2020-25285, CVE-2020-25641, CVE-2020-25656, CVE-2020-25704, CVE-2020-26088, CVE-2020-27675, CVE-2020-28196, CVE-2020-28915, CVE-2020-28974, CVE-2020-29368, CVE-2020-29370, CVE-2020-29371, CVE-2020-7595, CVE-2020-7676, CVE-2020-7955, CVE-2020-8492, CVE-2020-8619, CVE-2020-8622, CVE-2020-8624, CVE-2020-8694 | High | January 2021 | 25 |
| CVE-2020-25868 | Insufficient input validation in the call setup implementation allows an unauthenticated remote attacker to cause a software abort leading to a temporary loss of service. | High | October 2020 | 24.2 |
| CVE-2020-24615 | Bulletin addresses insufficient input validation in the SIP protocol implementation that allows an unauthenticated remote attacker to cause a software abort leading to a temporary loss of service. | High | August 2020 | 24.1 |
| CVE-2020-4067 | Bulletin addresses Coturn not initializing the STUN/TURN response buffer properly, allowing an attacker to extract information from the connection of another client. Minor issues resolved in Pexip Infinity 24: CVE-2019-3016, CVE-2019-5108, CVE-2019-5436, CVE-2019-5481, CVE-2019-5482, CVE-2019-14615, CVE-2019-15217, CVE-2019-18197, CVE-2019-19046, CVE-2019-19051, CVE-2019-19056, CVE-2019-19058, CVE-2019-19059, CVE-2019-19066, CVE-2019-19068, CVE-2019-19768, CVE-2019-20636, CVE-2020-1749, CVE-2020-2732, CVE-2020-3810, CVE-2020-8428, CVE-2020-8616, CVE-2020-8617, CVE-2020-8647, CVE-2020-8648, CVE-2020-8649, CVE-2020-10531, CVE-2020-10942, CVE-2020-11494, CVE-2020-11565, CVE-2020-11608, CVE-2020-11609, CVE-2020-12114, CVE-2020-12243, CVE-2020-12464, CVE-2020-12465, CVE-2020-12652, CVE-2020-12657, CVE-2020-12659, CVE-2020-12769, CVE-2020-12770 | High | July 2020 | 24 |
| CVE-2020-13387 | Bulletin addresses insufficient input validation in the H.323 protocol implementation that allows an unauthenticated remote attacker to cause a software abort leading to a temporary loss of service. | High | June 2020 | 23.4 |
| CVE-2020-12824 | Bulletin addresses insufficient input validation in the real-time transport protocol (RTP) implementation that allows an unauthenticated remote attacker to cause a controlled software abort leading to a temporary loss of service. | High | May 2020 | 23.3 |
| CVE-2020-11805 | Bulletin addresses insufficient input validation when the TURN server feature is enabled and configured to listen on port 443. This allows an unauthenticated remote attacker to send arbitrary UDP traffic to destinations on the same network segment as the Pexip Reverse Proxy and TURN Server. | Critical | April 2020 | 6.1.0 |
| CVE-2020-11805 | Bulletin addresses insufficient input validation in the “technology preview” TCP media relay feature that allows an unauthenticated remote attacker to send arbitrary UDP traffic to destinations on the same network segment as the Conferencing Node operating as a relay. | Critical | April 2020 | 23.2 |
| CVE-2018-20843 | Bulletin addresses a vulnerability in the Expat XML parser that could allow an attacker to cause a denial of service (excess CPU and memory consumption). Minor issues resolved in Pexip Infinity 22: CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2018-20855, CVE-2019-2101, CVE-2019-3498, CVE-2019-6975, CVE-2019-10638, CVE-2019-12735, CVE-2019-12749, CVE-2019-12984, CVE-2019-13233, CVE-2019-13272, CVE-2019-13631, CVE-2019-14283, CVE-2019-14284 | High | September 2019 | 22 |
| CVE-2016-10745 | Bulletin addresses: In Pallets Jinja before 2.8.1, str.format allows a sandbox escape. | High | May 2019 | 21 |
| CVE-201x | Bulletin addresses several vulnerabilities, including CVE-2019-7177, CVE-2019-7178. | Critical | Feb 15, 2019 | 20.1 |

CVE-2021-42555: Insufficient input validation in the call setup implementation allows an unauthenticated remote attacker to cause a software abort leading to a temporary loss of service.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 25.0 to 26.1

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: Disable gateway rules that allow untrusted devices to place outbound calls to Skype for Business

Resolution: Upgrade to Pexip Infinity 26.2

CVE-2021-41773: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: 26.1

CVSS3.1 base score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Mitigation: Pexip Infinity configures the Apache HTTP server with a strict ACL which denies access unless explicitly granted. Support for CGI scripts is not enabled. The scope of this vulnerability is limited to the disclosure, on the Pexip Infinity Management Node, of the contents of the administrative web interface bootstrap script. This script contains no credentials or other sensitive information. Pexip Infinity Conferencing Nodes will not expose any information as a result of this vulnerability.

As general good practice, ensure that access to the Pexip Infinity Management Node is restricted to trusted networks using appropriate firewalls.

Resolution: Upgrade to Pexip Infinity 26.2

CVE-2021-42013: It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: 26.1

CVSS3.1 base score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Mitigation: Pexip Infinity configures the Apache HTTP server with a strict ACL which denies access unless explicitly granted. Support for CGI scripts is not enabled. The scope of this vulnerability is limited to the disclosure, on the Pexip Infinity Management Node, of the contents of the administrative web interface bootstrap script. This script contains no credentials or other sensitive information. Pexip Infinity Conferencing Nodes will not expose any information as a result of this vulnerability.

As general good practice, ensure that access to the Pexip Infinity Management Node is restricted to trusted networks using appropriate firewalls.

Resolution: Upgrade to Pexip Infinity 26.2

CVE-2021-34798: Malformed requests may cause the Apache web server to dereference a NULL pointer resulting in a denial of service.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 26.1

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None.

Resolution: Upgrade to Pexip Infinity 26.1

CVE-2021-39275: The ap_escape_quotes() function in the Apache httpd may write beyond the end of a buffer when given malicious input.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 26.1

CVSS3.1 base score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Mitigation: None.

Resolution: Upgrade to Pexip Infinity 26.1

CVE-2021-40438: A crafted HTTP request can cause the proxy module of Apache httpd to forward the request to an origin server chosen by the attacker.

Impact to Pexip Infinity: Critical

Affected versions of Pexip Infinity: All before 26.1

CVSS3.1 base score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Mitigation: None.

Resolution: Upgrade to Pexip Infinity 26.1

CVE-2021-32545: Incomplete input validation in the RTMP implementation allows an unauthenticated remote attacker to cause a denial of service.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 7-25.4

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: This issue may be mitigated by disabling support for RTMP via Platform > Global Settings > Connectivity. However, RTMP is required for streaming conferences to external recording implementations. If this functionality is required, ensure that call routing rules are configured to allow RTMP connections to trusted destinations only.

Resolution: Upgrade to Pexip Infinity 26

CVE-2021-33498: Incomplete input validation in the H.264 implementation allows an unauthenticated remote attacker to cause a denial of service.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 1-25.4

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None.

Resolution: Upgrade to Pexip Infinity 26

CVE-2021-33499: Incomplete input validation in the H.264 implementation allows an unauthenticated remote attacker to cause a denial of service.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 1-25.4

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None.

Resolution: Upgrade to Pexip Infinity 26

CVE-2021-35969: Insufficient input validation in the call setup implementation allows an unauthenticated remote attacker to cause a software abort leading to a temporary loss of service.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 22.0 to 25.4

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: This issue may be mitigated by disabling the Opus codec via Platform > Global Settings > Codecs. To disable the codec, remove Opus from the chosen codecs list.

Resolution: Upgrade to Pexip Infinity 26

CVE-2021-31925: Incomplete input validation in the administrative web interface allows an unauthenticated remote attacker to cause a denial of service.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 25.0-25.3

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None.

Resolution: Upgrade to Pexip Infinity 25.4

CVE-2021-3156: Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via “sudoedit -s” and a command-line argument that ends with a single backslash character.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 25.1

CVSS3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Pexip Infinity has a single administrative user account which already has privileged access to the system. Therefore there is no direct risk to Infinity from legitimate administrative users.

Resolution: Upgrade to Pexip Infinity 25.1

CVE-2020-25705: A flaw was found in the way reply ICMP packets are limited in the Linux kernel that allows open UDP ports to be scanned quickly. This flaw allows an off-path remote user to effectively bypass source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization is indirectly affected as well.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 13-24.3

CVSS 3.1 base score: 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 25

CVE-2020-25868: Insufficient input validation in the call setup implementation allows an unauthenticated remote attacker to cause a software abort leading to a temporary loss of service.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 22.0 to 24.1

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: This issue may be mitigated by disabling the Opus codec via Platform > Global Settings > Codecs. To disable the codec, remove Opus from the chosen codecs list.

Resolution: Upgrade to Pexip Infinity 24.2

CVE-2020-24615: Insufficient input validation in the SIP protocol implementation allows an unauthenticated remote attacker to cause a software abort leading to a temporary loss of service.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 24

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: This issue may be mitigated by disabling the device registrar function via Services > Registrar. If device registration is required, however, no mitigation is available.

Resolution: Upgrade to Pexip Infinity 24.1

CVE-2020-4067: Coturn does not initialize the STUN/TURN response buffer properly, allowing an attacker to extract information from the connection of another client.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 23.0, 23.1, 23.2, 23.3, 23.4

CVSS 3.1 base score: 7.0 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L)

Mitigation: This issue only affects Pexip Infinity deployments that have enabled the “technology preview” option to Enable media relay on TCP port 443.

This feature is disabled by default. Deployments that have this functionality enabled should be reconfigured to disable this feature (via Global Settings > Tech preview features and de-selecting Enable media relay on TCP port 443).

Resolution: Upgrade to Pexip Infinity 24.

CVE-2020-13387: Missing input validation in the H.323 protocol implementation allows an unauthenticated remote attacker to cause a software abort leading to a temporary loss of service.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All versions up to and including 23.3

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation:

  • This issue may be partially mitigated as follows:
    • configure Host PINs on all Virtual Meeting Rooms and Virtual Auditoriums. Only Hosts can trigger outbound calls.
    • configure Call Routing Rules to forbid calls to H.323 protocol destinations.
  • Alternatively, if running Pexip Infinity v6 or later and H.323 is not required:
    • disable H.323 in Platform > Global settings > Connectivity.

Resolution: Upgrade to Pexip Infinity 23.4

CVE-2020-12824: Insufficient input validation in the real-time transport protocol (RTP) implementation allows an unauthenticated remote attacker to cause a controlled software abort leading to a temporary loss of service

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 23, 23.1, 23.2

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None.

Resolution: Upgrade to Pexip Infinity 23.3

CVE-2020-11805: Insufficient input validation when the TURN server feature is enabled and configured to listen on port 443. This allows an unauthenticated remote attacker to send arbitrary UDP traffic to destinations on the same network segment as the Pexip Reverse Proxy and TURN Server

Impact to Pexip Reverse Proxy and TURN Server: Critical

Affected versions of Pexip Reverse Proxy and TURN Server: 6.0.7 and 6.0.10

CVSS3.1 base score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Mitigation: The TURN server feature does not listen on port 443 by default. Deployments that have this functionality enabled should be reconfigured to disable this feature. As general good practice, deploy your Pexip Reverse Proxy and TURN Server in a DMZ — especially if using the TURN server feature in any capacity — and ensure that external firewalls are configured to forbid unexpected traffic between network segments.

Resolution: Upgrade to Pexip Reverse Proxy and TURN Server 6.1.0

CVE-2020-11805: Insufficient input validation in the “technology preview” TCP media relay feature allows an unauthenticated remote attacker to send arbitrary UDP traffic to destinations on the same network segment as the Conferencing Node operating as a relay

Impact to Pexip Infinity: Critical

Affected versions of Pexip Infinity: 23, 23.1

CVSS3.1 base score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Mitigation: The TCP media relay feature is disabled by default. Deployments that have this functionality enabled (by navigating to Global settings > Tech preview features and selecting Enable media relay on TCP port 443) should be reconfigured to disable this feature. As general good practice, ensure that external firewalls are configured to forbid unexpected traffic between network segments.

Resolution: Upgrade to Pexip Infinity 23.2

CVE-2018-20843: A vulnerability in the Expat XML parser could allow an attacker to cause a denial of service (excess CPU and memory consumption)

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 22

CVSS3 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: Pexip Infinity uses the Expat XML parser only when configured for integration with external systems (such as CUCM Ad Hoc conferencing). This functionality is disabled in default configuration and must be configured explicitly by the system administrator. If integration with CUCM Ad Hoc conferencing is not required, ensure that this functionality is disabled by navigating to Platform > Global Settings > External system integration, clearing the External system username and External system password fields, and saving the settings. If integration with CUCM Ad Hoc conferencing is required, there is no mitigation available.

Resolution: Upgrade to Pexip Infinity 22

CVE-2016-10745 May 2019: In Pallets Jinja before 2.8.1, str.format allows a sandbox escape

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 10.x, 11.x, 12.x, 13.x, 14.x, 15.x, 16.x, 17.x, 18.x, 19.x, 20.x

CVSS3 base score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Mitigation: An attacker must be authenticated to the Pexip Infinity management web interface (or API) and have sufficient permissions to access the vulnerable functionality.

Restrict access to the "May modify system configuration", "May restore system backup", "May add/remove VMRs", and "May modify VMR configuration" permissions. Note, however, that these permissions apply to a wide range of configuration items and thus restricting access in this way may not be practical in all environments.

As general good practice, ensure that access to the Pexip Infinity Management Node is restricted to trusted networks using appropriate firewalls.

Resolution: Upgrade to Pexip Infinity 21.

CVE-201x February 2019 (multiple vulnerabilities)

Identified vulnerabilities

CVE-2019-7177: An input validation failure in the Pexip Infinity Administrator interface allows an authenticated remote attacker to execute arbitrary code as an unprivileged user on Pexip Infinity nodes.

Impact to Pexip Infinity: Critical

Affected versions of Pexip Infinity: 10.x, 11.x, 12.x, 13.x, 14.x, 15.x, 16.x, 17.x, 18.x, 19.x, 20

CVSS3 base score: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Mitigation: An attacker must be authenticated to the Pexip Infinity Administrator interface (or API) and have sufficient permissions to access the vulnerable functionality.

Restrict access to the "May modify system configuration", "May restore system backup", "May add/remove VMRs", and "May modify VMR configuration" permissions. Note, however, that these permissions apply to a wide range of configuration items and thus restricting access in this way may not be practical in all environments.

As general good practice, ensure that access to the Pexip Infinity Management Node is restricted to trusted networks using appropriate firewalls.

Resolution: Upgrade to Pexip Infinity 20.1.

Credit: This issue was discovered and reported by Nenad Stojanovski from the Google Security Team.

CVE-2019-7178: Insufficient validation of the contents of a system backup archive during system restore allows an authenticated remote attacker (or a local attacker with the ability to execute arbitrary code) to install and execute arbitrary code as the root user on the Pexip Infinity Management Node.

Impact to Pexip Infinity: Critical

Affected versions of Pexip Infinity: 9.x, 10.x, 11.x, 12.x, 13.x, 14.x, 15.x, 16.x, 17.x, 18.x, 19.x, 20

CVSS3 base score: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Mitigation: A remote attacker must be authenticated to the Pexip Infinity Administrator interface (or API) and have sufficient permissions to access the vulnerable functionality.

If running Pexip Infinity 18.0 or later, restrict access to the “May restore system backup” permission. This permits minimization of the number of administrative users who may perform a system restore.

If running a version of Pexip Infinity earlier than 18, restrict access to both the “May view system configuration” and “May modify system configuration” permissions. This permits minimization of the number of administrative users who are able to access system restore. Note, however, that these permissions apply to a wide range of system-level configuration and thus restricting access in this way may not be practical in all environments.

Ensure system backup archives are handled with appropriate care and only ever restore backups which are trusted.

As general good practice, ensure that access to the Pexip Infinity Management Node is restricted to trusted networks using appropriate firewalls.

Resolution: Upgrade to Pexip Infinity 20.1.

Credit: This issue was discovered and reported by Nenad Stojanovski from the Google Security Team.

Infinity Connect

Each bulletin addresses a number of vulnerabilities in the software used by Infinity Connect. The bulletins include an assessment of the issues, the impact to Infinity Connect, and resolution details.

| Bulletin | Description | Risk | Updated | Addressed in version |
|---|---|---|---|---|
| CVE-2021-29655 | Missing authenticity checks in application provisioning allow an attacker to cause the application to run untrusted code. | High | June 2021 | 1.8.0 |
| CVE-2021-29656 | Missing checks in certificate allow list matching allow a remote attacker to compromise a TLS connection, extracting data and potentially causing remote code execution. | High | June 2021 | 1.8.0 |

CVE-2021-29655: Missing authenticity checks in application provisioning allow an attacker to cause the application to run untrusted code.

Impact to Infinity Connect: High

Affected versions of Infinity Connect: All before 1.8.0

CVSS3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Infinity Connect 1.8.0

Credit: This issue was responsibly disclosed by the UK’s National Cyber Security Centre (NCSC).

CVE-2021-29656: Missing checks in certificate allow list matching allow a remote attacker to compromise a TLS connection, extracting data and potentially causing remote code execution.

Impact to Infinity Connect: High

Affected versions of Infinity Connect: All before 1.8.0

CVSS3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity Connect 1.8.0

Credit: This issue was responsibly disclosed by the UK’s National Cyber Security Centre (NCSC).
