SB2019071516 - Multiple vulnerabilities in GNU Glibc

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2019-1010022)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.

2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-1010023)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code.

3) Information disclosure (CVE-ID: CVE-2019-1010025)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability."

Remediation

Install update from vendor's website.

References

• https://sourceware.org/bugzilla/show_bug.cgi?id=22850
• http://www.securityfocus.com/bid/109167
• https://sourceware.org/bugzilla/show_bug.cgi?id=22851
• https://support.f5.com/csp/article/K11932200?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=22853
• https://support.f5.com/csp/article/K06046097
• https://support.f5.com/csp/article/K06046097?utm_source=f5support&utm_medium=RSS