An issue was discovered in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can reconfigure dnsmasq via a crafted extra_dhcp_opts value.

**OSSA-2021-005: Arbitrary dnsmasq reconfiguration via extra\_dhcp\_opts¶**

Date:

August 31, 2021

CVE:

CVE-2021-40085

**Affects¶**

*   Neutron: <16.4.1, >=17.0.0 <17.2.1, >=18.0.0 <18.1.1
    

**Description¶**

Pavel Toporkov reported a vulnerability in Neutron. By supplying a specially crafted extra\_dhcp\_opts value, an authenticated user may add arbitrary configuration to the dnsmasq process in order to crash the service, change parameters for other tenants sharing the same interface, or otherwise alter that daemon’s behavior. This vulnerability may also be used to trigger a configuration parsing buffer overflow in versions of dnsmasq prior to 2.81, which could lead to remote code execution. All Neutron deployments are affected.

**Patches¶**

*   https://review.opendev.org/806709 (Queens)
    
*   https://review.opendev.org/806862 (Rocky)
    
*   https://review.opendev.org/806708 (Stein)
    
*   https://review.opendev.org/806707 (Train)
    
*   https://review.opendev.org/806750 (Ussuri)
    
*   https://review.opendev.org/806749 (Victoria)
    
*   https://review.opendev.org/806748 (Wallaby)
    
*   https://review.opendev.org/806746 (Xena)
    

**Credits¶**

*   Pavel Toporkov (CVE-2021-40085)
    

**References¶**

*   https://launchpad.net/bugs/1939733
    
*   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40085
    

**Notes¶**

*   The stable/train, stable/stein, stable/rocky, and stable/queens branches are under extended maintenance and will receive no new point releases, but patches for them are provided as a courtesy.

CVE-2021-40085: Arbitrary dnsmasq reconfiguration via extra_dhcp_opts — OpenStack Security Advisories 0.0.1.dev251 documentation

IBM OpenPages with Watson 8.1 and 8.2 could allow an authenticated user to upload a file that could execute arbitrary code on the system. IBM X-Force ID: 207633.

  

**Summary**

An issue was found within the IBM OpenPages with Watson that could allow an authenticated user to upload a file that could execute arbitrary code.

**Vulnerability Details**

**CVEID:**   CVE-2021-29907  
**DESCRIPTION:**   IBM OpenPages with Watson could allow an authenticated user to upload a file that could execute arbitrary code on the system.  
CVSS Base score: 8.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207633 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

IBM OpenPages with Watson versions v8.1 through v8.2

**Remediation/Fixes**

A fix has been created for each affected version of the named product. Download and install the fix as soon as possible. Fixes and installation instructions are provided at the URLs listed below:  

**Workarounds and Mitigations**

None

**References**

Off

None

**Acknowledgement**

The vulnerability was reported to IBM by Adam Murray

**Change History**

24 Aug 2021: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSFUEU","label":"IBM OpenPages with Watson"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}\],"Version":"8.2,8.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2021-29907: Security Bulletin: IBM OpenPages with Watson has addressed a remote code execution vulnerability (CVE-2021-29907)

Jenkins SAML Plugin 2.0.7 and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Azure AD Plugin
*   Code Coverage API Plugin
*   Nested View Plugin
*   Nomad Plugin
*   SAML Plugin

**Descriptions****RCE vulnerability in Code Coverage API Plugin**

**SECURITY-2376 / CVE-2021-21677**  
**Severity (CVSS):** High  
**Affected plugin: code-coverage-api**  
**Description:**

This results in a remote code execution (RCE) vulnerability exploitable by attackers able to control agent processes.

Code Coverage API Plugin 1.4.1 configures its Java object deserialization to only deserialize safe types.

**SAML Plugin allows bypassing CSRF protection for any URL**

**SECURITY-2469 / CVE-2021-21678**  
**Severity (CVSS):** High  
**Affected plugin: saml**  
**Description:**

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. SAML Plugin implements this extension point for the URL that users are redirected to after login.

In SAML Plugin 2.0.7 and earlier this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.

This vulnerability was originally introduced in SAML Plugin 1.1.3.

SAML Plugin 2.0.8 restricts which URLs it disables cross-site request forgery (CSRF) protection for to the one URL that needs it.

**Azure AD Plugin allows bypassing CSRF protection for any URL**

**SECURITY-2470 / CVE-2021-21679**  
**Severity (CVSS):** High  
**Affected plugin: azure-ad**  
**Description:**

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Azure AD Plugin implements this extension point for URLs used by a JavaScript component.

In Azure AD Plugin 179.vf6841393099e and earlier this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.

This vulnerability was originally introduced in Azure AD Plugin 164.v5b48baa961d2.

Azure AD Plugin 180.v8b1e80e6f242 no longer allows bypassing CSRF protection for URLs used by the JavaScript component. Instead, that component was reconfigured to pass the expected CSRF token.

**XXE vulnerability in Nested View Plugin**

**SECURITY-2411 / CVE-2021-21680**  
**Severity (CVSS):** High  
**Affected plugin: nested-view**  
**Description:**

Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.

This allows attackers able to configure views to have Jenkins parse a crafted view XML definition that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Nested View Plugin 1.21 disables external entity resolution for its XML transformer.

**Password stored in plain text by Nomad Plugin**

**SECURITY-2396 / CVE-2021-21681**  
**Severity (CVSS):** Low  
**Affected plugin: nomad**  
**Description:**

Nomad Plugin 0.7.4 and earlier stores the passwords to authenticate against the Docker registry unencrypted in the global config.xml file on the Jenkins controller as part of its worker templates configuration.

These passwords can be viewed by users with access to the Jenkins controller file system.

Nomad Plugin 0.7.5 stores the Docker passwords encrypted. This change is effective after Jenkins restarts.

**Severity**

*   SECURITY-2376: High
*   SECURITY-2396: Low
*   SECURITY-2411: High
*   SECURITY-2469: High
*   SECURITY-2470: High

**Affected Versions**

*   **Azure AD Plugin** up to and including 179.vf6841393099e
*   **Code Coverage API Plugin** up to and including 1.4.0
*   **Nested View Plugin** up to and including 1.20
*   **Nomad Plugin** up to and including 0.7.4
*   **SAML Plugin** up to and including 2.0.7

**Fix**

*   **Azure AD Plugin** should be updated to version 180.v8b1e80e6f242
*   **Code Coverage API Plugin** should be updated to version 1.4.1
*   **Nested View Plugin** should be updated to version 1.21
*   **Nomad Plugin** should be updated to version 0.7.5
*   **SAML Plugin** should be updated to version 2.0.8

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Brian Hysell, Synopsys Software Integrity Group** for SECURITY-2411
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2469, SECURITY-2470

CVE-2021-21678: Jenkins Security Advisory 2021-08-31

Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

CVE-2021-21679: Jenkins Security Advisory 2021-08-31

In PEPPERL+FUCHS WirelessHART-Gateway 3.0.7 to 3.0.9 the SSH and telnet services are active with hard-coded credentials.

2021-08-16 14:00 (CEST) VDE-2021-027  

**Pepperl+Fuchs: WirelessHART-Gateway - Vulnerability may allow remote attackers to cause a Denial Of Service**  
Share: Email | Twitter  

**

Published

**

2021-08-16 14:00 (CEST)

**

Last update

**

2021-08-16 14:00 (CEST)

**Vendor(s)**

Pepperl+Fuchs SE  

**Product(s)**

Article No°

Product Name

Affected Version(s)

217229

WHA-GW-F2D2-0-AS- Z2-ETH

\= 3.0.7

217229

WHA-GW-F2D2-0-AS- Z2-ETH

\= 3.0.8

217229

WHA-GW-F2D2-0-AS- Z2-ETH

\= 3.0.9

252863

WHA-GW-F2D2-0-AS- Z2-ETH.EIP

\= 3.0.7

252863

WHA-GW-F2D2-0-AS- Z2-ETH.EIP

\= 3.0.8

252863

WHA-GW-F2D2-0-AS- Z2-ETH.EIP

\= 3.0.9

**

Summary

**

Critical vulnerabilities have been discovered in the product and in the utilized components jQuery by jQuery Team and TLS Version 1.0/1.1.

The impact of the vulnerabilities on the affected device may result in

*   denial of service
*   remote code execution
*   code exposure

**

Vulnerabilities

**

**Weakness**

Use of Hard-coded Credentials (CWE-798)

**Summary**

_In PEPPERL+FUCHS WirelessHART-Gateway 3.0.7 to 3.0.9 the SSH and telnet services are active with hard-coded credentials._

**Weakness**

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

**Summary**

_In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.7 the filename parameter is vulnerable to unauthenticated path traversal attacks, enabling read access to arbitrary files on the server._

**Weakness**

Uncontrolled Resource Consumption (CWE-400)

**Summary**

_jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. Any attribute getter using a mixed-cased name for boolean attributes goes into ..._

**Weakness**

Reliance on Reverse DNS Resolution for a Security-Critical Action (CWE-350)

**Summary**

_In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.8 serious issue exists, if the application is not externally accessible or uses IP-based access restrictions. Attackers can use DNS Rebinding to bypass any IP or ..._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable \_\_proto\_\_ property, ..._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the ..._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containingelements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation ..._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods ..._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove some extra chars which results in the enclosed script logic ..._

**Weakness**

Cleartext Storage of Sensitive Information in a Cookie (CWE-315)

**Summary**

_Any cookie-stealing vulnerabilities within the application or browser would enable an attacker to steal the user's credentials to the PEPPERL+FUCHS WirelessHART-Gateway 3.0.9._

**Summary**

_In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.9 a form contains a password field with autocomplete enabled. The stored credentials can be captured by an attacker who gains control over the user's computer. ..._

**Weakness**

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') (CWE-444)

**Summary**

_In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.8 a vulnerability may allow remote attackers to rewrite links and URLs in cached pages to arbitrary strings._

**Weakness**

Cross-site Scripting (XSS) (CWE-79)

**Summary**

_In PEPPERL+FUCHS WirelessHART-Gateway 3.0.8 it is possible to inject arbitrary JavaScript into the application's response._

**Weakness**

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

**Summary**

_The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the ..._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag._

**Weakness**

Sensitive Cookie Without 'HttpOnly' Flag (CWE-1004)

**Summary**

_In PEPPERL+FUCHS WirelessHART-Gateway 3.0.8 and 3.0.9 the HttpOnly attribute is not set on a cookie. This allows the cookie's value to be read or set by client-side JavaScript._

**Summary**

_The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on ..._

**

Impact

**

Pepperl+Fuchs analyzed and identified affected devices.  
Remote attackers may exploit the vulnerability sending specially crafted packages that may result in a denial-of-service condition or code execution.

**Firmware Version**

**Affected by**

3.0.7

CVE-2020-11023, CVE-2020-11022, CVE-2020-7656, CVE-2019-11358, CVE-2016-10707, CVE-2015-9251, CVE-2014-6071, CVE-2012-6708, CVE-2011-4969, CVE-2007-2379, CVE-2021-33555, CVE-2021-34559, CVE-2021-34560, CVE-2021-34561, CVE-2021-34565

3.0.8

CVE-2020-11023, CVE-2020-11022, CVE-2020-7656, CVE-2019-11358, CVE-2016-10707, CVE-2015-9251, CVE-2014-6071, CVE-2012-6708, CVE-2011-4969, CVE-2007-2379, CVE-2021-34559, CVE-2021-34560, CVE-2021-34561, CVE-2021-34562, CVE-2021-34563, CVE-2021-34565

3.0.9

CVE-2021-34560, CVE-2021-34563, CVE-2021-34564, CVE-2013-0169, CVE-2021-34565

**

Solution

**

An external protective measure is required.

*   Minimize network exposure for affected products and ensure that they are not accessible via the Internet.
*   Isolate affected products from the corporate network.
*   If remote access is required, use secure methods such as virtual private networks (VPNs).

**

Reported by

**

Pepperl+Fuchs  
Coordinated by CERT@VDE

CVE-2021-34565: VDE-2021-027 | CERT@VDE

In the server in SerNet verinice before 1.22.2, insecure Java deserialization allows remote authenticated attackers to execute arbitrary code.

**Report on vulnerability CVE-2021-36981 "Insecure Java deserialization of untrusted data".**

*   Subject: Unsafe Java deserialization of untrusted data, leading to Remote Code Execution (authenticated)
*   CVE ID#: CVE-2021-36981
*   Versions: All versions of verinice/verinice.PRO before 1.22.2
*   Summary: A vulnerability in the communication between the client and server components can be used by an authenticated user to execute arbitrary code on the server.

**1\. Description**

verinice uses Java serialization as a communication channel between client and server components. Frank Nusko of Secianus GmbH has found that the mechanism and framework being used is susceptible to exploits that can be used to cause execution of arbitrary code on the server component. The verinice.TEAM has confirmed the vulnerability.

Since this server component is also used in the standalone mode of verinice, it could theoretically be used for local attacks of the verinice client-only product by a malicious user. A malicious user on the same machine could execute arbitrary commands on the local host but with the permissions and context of the user running the verinice client. This second attack variant was not verified by us but as a cautionary measure we recommend all standalone-client users to install the available patch as well.

The vulnerability can be exploited to gain access to the underlying operating system, modify files, delete files and extract information, including all data in the verinice database.

**2\. Patch Availability**

An updated version of packages has been released to fix the issue. All users should install version 1.22.2 or later from the official repositories and/or the online shop:

*   https://shop.verinice.com
*   https://update.verinice.com

Users of the verinice.PRO server should install the available RPM packages using their established update procedure.

Users of the verinice standalone client version will be offered to install the updated version during startup. If the automated update mechanism has been disabled by the user, the update can be manually triggered by accessing the following menu item:

**_Help -> Check for Updates_**

**3\. CVSSv3 calculation**

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8)

**4\. Workaround and mitigating factors**

A user with valid verinice application credentials (i.e. name and password) and network access to the HTTP(S) port (usually one of: 80/443/8080/8443) is required to execute the attack. The user does not need administrative privileges or any particular rights within verinice for the attack to work.

**5\. Timeline**

*   2021-07-14 – Frank Nusko of Secianus GmbH notified SerNet about the bug
*   2021-08-02 – SerNet has patch ready on source branch for testing
*   2021-08-12 – Secianus verified the patch
*   2021-08-30 – verinice 1.22.2 released, customers notified

_Reported by Frank Nusko, Secianus GmbH._

_Advisory written by the verinice.TEAM of SerNet GmbH._

_The verinice.TEAM provided the fix._

**Questions or problems with your update?**

Please feel free to contact us – we're here to help you!

Send Mail

CVE-2021-36981: Security Advisory

Command Injection in Simiki v1.6.2.1 and prior allows remote attackers to execute arbitrary system commands via line 64 of the component 'simiki/blob/master/simiki/config.py'.

**1.XSS**

Examples:

    python3 -m simiki.cli new -t "Hello Simiki<svg/onload=alert(1)>" -c first-catetory
    
    python3 -m simiki.cli g
    python3 -m simiki.cli p
    
    

The affected file appears to be  
https://github.com/tankywoo/simiki/blob/master/simiki/generators.py Line 54

By default, jinja2 sets autoescape to False. Consider using autoescape=True or use the select\_autoescape function to mitigate XSS vulnerabilities.

**2.RCE**

https://github.com/tankywoo/simiki/blob/master/simiki/config.py line 64  
Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe\_load().

This can lead to remote code execution.

When simiki loads a malicious \_config.xml file.

Payload：

    !!python/object/new:os.system ["/Applications/Calculator.app/Contents/MacOS/Calculator"]
    

When using smiik again, smiik will load \_config.yml and cause remote code execution

CVE-2020-19001: SImiik <=v1.6.2.1 xss + rce · Issue #123 · tankywoo/simiki

A heap-based buffer overflow vulnerability exists in the XML Decompression DecodeTreeBlock functionality of AT&T Labs Xmill 0.7. Within `DecodeTreeBlock` which is called during the decompression of an XMI file, a UINT32 is loaded from the file and used as trusted input as the length of a buffer. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2021-21827: TALOS-2021-1291 || Cisco Talos Intelligence Group

In memory management driver, there is a possible system crash due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05403499; Issue ID: ALPS05336702.

**August 2021 Product Security Bulletin**

Published 2021-08-05

The MediaTek Product Security Bulletin contains details of security vulnerabilities affecting MediaTek smartphone chipsets. Device OEMs have been notified of all the issues and the corresponding security patches for at least a month before publication.

The severity of the identified vulnerabilities was conducted based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1).

****Summary****

Severity

**CVEs**

High

CVE-2021-0573, CVE-2021-0574, CVE-2021-0576, CVE-2021-0578, CVE-2021-0579, CVE-2021-0580, CVE-2021-0581, CVE-2021-0582

Medium

CVE-2021-0407, CVE-2021-0408, CVE-2021-0415, CVE-2021-0416, CVE-2021-0417, CVE-2021-0418, CVE-2021-0419, CVE-2021-0420, CVE-2021-0626, CVE-2021-0627, CVE-2021-0628

****Details****

CVE

**CVE-2021-0573**

Title

Improper check or handling of exceptional conditions in asf extractor

Severity

High

Vulnerability Type

EoP

CWE

CWE-703 Improper Check or Handling of Exceptional Conditions

Description

In asf extractor, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6570, MT6580, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6762, MT6763, MT6765, MT6768, MT6771, MT6779, MT6785, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6885, MT6889, MT6893

Affected Software Versions

Android 8.1, 9.0, 10.0, 11.0

CVE

**CVE-2021-0574**

Title

Out-of-bounds write in asf extractor

Severity

High

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In asf extractor, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6570, MT6580, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6762, MT6763, MT6765, MT6768, MT6771, MT6779, MT6785, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6885, MT6889, MT6893

Affected Software Versions

Android 8.1, 9.0, 10.0, 11.0

CVE

**CVE-2021-0576**

Title

Heap overflow in flv extractor

Severity

High

Vulnerability Type

EoP

CWE

CWE-122 Heap Overflow

Description

In flv extractor, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6570, MT6580, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6762, MT6763, MT6765, MT6768, MT6771, MT6779, MT6785, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6885, MT6889, MT6893

Affected Software Versions

Android 8.1, 9.0, 10.0, 11.0

CVE

**CVE-2021-0578**

Title

Out-of-bounds read in wifi driver

Severity

High

Vulnerability Type

ID

CWE

CWE-125 Out-of-bounds Read

Description

In wifi driver, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure to a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6761, MT6762, MT6765, MT6768, MT6779, MT6785, MT6833, MT6853, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893

Affected Software Versions

Android 8.1, 9.0, 10.0, 11.0

CVE

**CVE-2021-0579**

Title

Buffer over-read in wifi driver

Severity

High

Vulnerability Type

ID

CWE

CWE-126 Buffer Over-read

Description

In wifi driver, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure to a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6761, MT6762, MT6765, MT6768, MT6779, MT6785, MT6833, MT6853, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893

Affected Software Versions

Android 8.1, 9.0, 10.0, 11.0

CVE

**CVE-2021-0580**

Title

Integer underflow in wifi driver

Severity

High

Vulnerability Type

ID

CWE

CWE-191 Integer Underflow

Description

In wifi driver, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure to a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6761, MT6762, MT6765, MT6768, MT6779, MT6785, MT6833, MT6853, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893

Affected Software Versions

Android 8.1, 9.0, 10.0, 11.0

CVE

**CVE-2021-0581**

Title

Out-of-bounds read in wifi driver

Severity

High

Vulnerability Type

ID

CWE

CWE-125 Out-of-bounds Read

Description

In wifi driver, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure to a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6761, MT6762, MT6765, MT6768, MT6779, MT6785, MT6833, MT6853, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893

Affected Software Versions

Android 8.1, 9.0, 10.0, 11.0

CVE

**CVE-2021-0582**

Title

Out-of-bounds read in wifi driver

Severity

High

Vulnerability Type

ID

CWE

CWE-125 Out-of-bounds Read

Description

In wifi driver, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure to a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6761, MT6762, MT6765, MT6768, MT6779, MT6785, MT6833, MT6853, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893

Affected Software Versions

Android 8.1, 9.0, 10.0, 11.0

CVE

**CVE-2021-0407**

Title

Write-what-where condition in clk driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-123 Write-what-where Condition

Description

In clk driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6833, MT6853, MT6853T, MT6873, MT6885, MT6889, MT6893

Affected Software Versions

Android 10.0, 11.0

CVE

**CVE-2021-0408**

Title

Improper check or handling of exceptional conditions in asf extractor

Severity

Medium

Vulnerability Type

ID

CWE

CWE-703 Improper Check or Handling of Exceptional Conditions

Description

In asf extractor, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6570, MT6580, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6762, MT6763, MT6765, MT6768, MT6771, MT6779, MT6785, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6885, MT6889, MT6893

Affected Software Versions

Android 10.0, 11.0

CVE

**CVE-2021-0415**

Title

Information disclosure in memory management driver

Severity

Medium

Vulnerability Type

ID

CWE

CWE-200 Information Disclosure

Description

In memory management driver, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6582E, MT6582H, MT6582T, MT6582W, MT6582\_90, MT6589, MT6589TD, MT6592E, MT6592H, MT6592T, MT6592W, MT6592\_90, MT6595, MT6731, MT6732, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6752, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6785, MT6795, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893

Affected Software Versions

Android 10.0, 11.0

CVE

**CVE-2021-0416**

Title

Improper input validation in memory management driver

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In memory management driver, there is a possible system crash due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6582E, MT6582H, MT6582T, MT6582W, MT6582\_90, MT6589, MT6589TD, MT6592E, MT6592H, MT6592T, MT6592W, MT6592\_90, MT6595, MT6731, MT6732, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6752, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6785, MT6795, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893

Affected Software Versions

Android 10.0, 11.0

CVE

**CVE-2021-0417**

Title

Use of insufficiently random values in memory management driver

Severity

Medium

Vulnerability Type

ID

CWE

CWE-330 Use of Insufficiently Random Values

Description

In memory management driver, there is a possible system crash due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6582E, MT6582H, MT6582T, MT6582W, MT6582\_90, MT6589, MT6589TD, MT6592E, MT6592H, MT6592T, MT6592W, MT6592\_90, MT6595, MT6731, MT6732, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6752, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6785, MT6795, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893

Affected Software Versions

Android 10.0, 11.0

CVE

**CVE-2021-0418**

Title

Denial of service in memory management driver

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-400 Denial of Service

Description

In memory management driver, there is a possible system crash due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6582E, MT6582H, MT6582T, MT6582W, MT6582\_90, MT6589, MT6589TD, MT6592E, MT6592H, MT6592T, MT6592W, MT6592\_90, MT6595, MT6731, MT6732, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6752, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6785, MT6795, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893

Affected Software Versions

Android 10.0, 11.0

CVE

**CVE-2021-0419**

Title

Denial of service in memory management driver

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-400 Denial of Service

Description

In memory management driver, there is a possible system crash due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6582E, MT6582H, MT6582T, MT6582W, MT6582\_90, MT6589, MT6589TD, MT6592E, MT6592H, MT6592T, MT6592W, MT6592\_90, MT6595, MT6731, MT6732, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6752, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6785, MT6795, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893

Affected Software Versions

Android 10.0, 11.0

CVE

**CVE-2021-0420**

Title

Denial of service in memory management driver

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-400 Denial of Service

Description

In memory management driver, there is a possible system crash due to a missing bounds check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6582E, MT6582H, MT6582T, MT6582W, MT6582\_90, MT6589, MT6589TD, MT6592E, MT6592H, MT6592T, MT6592W, MT6592\_90, MT6595, MT6731, MT6732, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6752, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6785, MT6795, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893

Affected Software Versions

Android 10.0, 11.0

CVE

**CVE-2021-0626**

Title

Out-of-bounds write in ged

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In ged, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6768, MT6771, MT6779, MT6785

Affected Software Versions

Android 9.0, 10.0, 11.0

CVE

**CVE-2021-0627**

Title

Integer overflow or wraparound in OMA DRM

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-190 Integer Overflow or Wraparound

Description

In OMA DRM, there is a possible memory corruption due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6739, MT6755S, MT6757, MT6761, MT6763, MT6765, MT6768, MT6771, MT6785, MT6833, MT6853, MT6873, MT6877, MT6885

Affected Software Versions

Android 10.0, 11.0

CVE

**CVE-2021-0628**

Title

Improper input validation in OMA DRM

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In OMA DRM, there is a possible memory corruption due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6739, MT6755S, MT6757, MT6761, MT6763, MT6765, MT6768, MT6771, MT6779, MT6785, MT6833, MT6853, MT6873, MT6877, MT6885

Affected Software Versions

Android 10.0, 11.0

****Vulnerability Type Definition****

Abbreviation

**Definition**

RCE

Remote Code Execution

EoP

Elevation of Privilege

ID

Information Disclosure

DoS

Denial of Service

N/A

Classification not available

****Versions****

**Version**

**Date**

**Description**

1.0

August 5, 2021

Bulletin published.

****Notes****

Information above is generated only at the time of creation of this Security Bulletin. The list of affected chipsets could be not complete. For any further information, device OEMs can reach your MediaTek contact person if needed.

If you want to report a security vulnerability in MediaTek chipsets or products, please go to Report Security Vulnerability page on MediaTek website.

CVE-2021-0417: August 2021

A heap-based buffer overflow vulnerability exists in the XML Decompression PlainTextUncompressor::UncompressItem functionality of AT&T Labs’ Xmill 0.7. A specially crafted XMI file can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

A heap-based buffer overflow vulnerability exists in the XML Decompression PlainTextUncompressor::UncompressItem functionality of AT&T Labs’ Xmill 0.7. A specially crafted XMI file can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

AT&T Labs Xmill 0.7  
Schneider Electric EcoStruxure Control Expert 15

**Product URLs**

None

**CVSSv3 Score**

8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**Details**

Xmill and Xdemill are utilities that are purpose-built for XML compression and decompression, respectively. These utilities claim to be roughly two times more efficient at compressing XML than other compression methods.

While this software is old, released in 1999, it can be found in modern software suites, such as Schneider Electric’s EcoStruxure Control Expert.

During the Uncompress functionality of Xdemill, container blocks are decompressed independently. Within PlainTextUncompressor::UncompressItem a length provided by the compressed file is used as trusted input for a memcpy.

    void UncompressItem(UncompressContainer *cont,char *dataptr,XMLOutput *output)
    {
       unsigned long len=cont->LoadUInt32();
    
       output->characters((char *)cont->GetDataPtr(len),len);
    }
    

Once the length is passed the XMLOutput::characters no additional checks are made to check the length of the input versus the provided length, and is passed to Output::StoreData.

    void OUTPUT_STATIC characters(char *str,int len)
    {
       switch(x.status)
       {
       case XMLOUTPUT_OPENATTRIB:
          StoreData(str,len);
          return;
     
       case XMLOUTPUT_OPENLABEL:
          StoreChar('>');
     
       case XMLOUTPUT_AFTERDATA:
       case XMLOUTPUT_AFTERENDLABEL:
       case XMLOUTPUT_INIT:
          StoreData(str,len);
       }
       x.status=XMLOUTPUT_AFTERDATA;
    }
    

Output::StoreData passes the function input directly into memcpy (mymemcpy is a #define of memcpy) which allows a malicious user to overflow the provided heap-based buffer which can result in remote code execution.

    void OUTPUT_STATIC StoreData(char *ptr,int len)
       // Stores the data at position 'ptr' of length 'len'
    {
       while(bufsize-curpos<len)
       {
          mymemcpy(buf+curpos,ptr,bufsize-curpos);
          len-=bufsize-curpos;
          ptr+=bufsize-curpos;
          curpos=bufsize;
          Flush();
       }
       mymemcpy(buf+curpos,ptr,len);
       curpos+=len;
    } 
    

**Crash Information**

    =================================================================
    ==5418==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4d03478 at pc 0x080f3825 bp 0xbffe8ad8 sp 0xbffe86b0
    READ of size 385 at 0xb4d03478 thread T0
        #0 0x80f3824 in __asan_memcpy (/home/fuzz/Desktop/xmill/unix/xdemill+0x80f3824)
        #1 0x8188d6e in Output::StoreData(char*, int) /home/fuzz/Desktop/xmill/./src/Output.hpp:204:7
        #2 0x8185fe1 in XMLOutput::characters(char*, int) /home/fuzz/Desktop/xmill/./src/XMLOutput.hpp:241:10
        #3 0x818e0ba in PlainTextUncompressor::UncompressItem(UncompressContainer*, char*, XMLOutput*) /home/fuzz/Desktop/xmill/./src/StdCompress.cpp:148:7
        #4 0x81870ad in UncompressContainerBlock::UncompressText(XMLOutput*) /home/fuzz/Desktop/xmill/./src/UnCompCont.hpp:180:7
        #5 0x81840f7 in DecodeTreeBlock(UncompressContainer*, UncompressContainer*, UncompressContainer*, XMLOutput*) /home/fuzz/Desktop/xmill/./src/Decode.cpp:82:10
        #6 0x8197226 in Uncompress(char*, char*) /home/fuzz/Desktop/xmill/./src/Main.cpp:854:7
        #7 0x8196c37 in HandleSingleFile(char*) /home/fuzz/Desktop/xmill/./src/Main.cpp:248:10
        #8 0x8197482 in HandleFileArg(char*) /home/fuzz/Desktop/xmill/./src/Main.cpp:382:4
        #9 0x81976f5 in main /home/fuzz/Desktop/xmill/./src/Main.cpp:494:7
        #10 0xb7bd5646 in __libc_start_main /build/glibc-ViVLyQ/glibc-2.23/csu/../csu/libc-start.c:291
        #11 0x80664d3 in _start (/home/fuzz/Desktop/xmill/unix/xdemill+0x80664d3)
    
    0xb4d03478 is located 0 bytes to the right of 6008-byte region [0xb4d01d00,0xb4d03478)
    allocated by thread T0 here:
        #0 0x810a814 in __interceptor_malloc (/home/fuzz/Desktop/xmill/unix/xdemill+0x810a814)
        #1 0x819977e in SetMemoryAllocationSize(unsigned long) /home/fuzz/Desktop/xmill/./src/MemMan.hpp:119:40
        #2 0x8197cd3 in UncompressBlockHeader(Input*) /home/fuzz/Desktop/xmill/./src/Main.cpp:780:4
        #3 0x8197100 in Uncompress(char*, char*) /home/fuzz/Desktop/xmill/./src/Main.cpp:840:10
        #4 0x8196c37 in HandleSingleFile(char*) /home/fuzz/Desktop/xmill/./src/Main.cpp:248:10
        #5 0x8197482 in HandleFileArg(char*) /home/fuzz/Desktop/xmill/./src/Main.cpp:382:4
        #6 0x81976f5 in main /home/fuzz/Desktop/xmill/./src/Main.cpp:494:7
        #7 0xb7bd5646 in __libc_start_main /build/glibc-ViVLyQ/glibc-2.23/csu/../csu/libc-start.c:291
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fuzz/Desktop/xmill/unix/xdemill+0x80f3824) in __asan_memcpy
    Shadow bytes around the buggy address:
      0x369a0630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x369a0640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x369a0650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x369a0660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x369a0670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x369a0680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
      0x369a0690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x369a06a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x369a06b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x369a06c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x369a06d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    =================================================================
    Error in file '../fuzz/triage/fut.xmi':
    Error while uncompressing container!    
    

**Timeline**

2021-04-30 - Vendor Disclosure  
2021-08-10 - Public Release

Discovered by Carl Hurd of Cisco Talos.

Tag

#rce