ID

VAR-202102-1243

CVE

CVE-2021-26675

TITLE

ConnMan  Out-of-bounds Vulnerability in Microsoft

DESCRIPTION

A stack-based buffer overflow in dnsproxy in ConnMan before 1.39 could be used by network adjacent attackers to execute code. ConnMan Is vulnerable to an out-of-bounds write.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202107-29 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: ConnMan: Multiple vulnerabilities Date: July 12, 2021 Bugs: #769491, #795084 ID: 202107-29 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A buffer overflow in ConnMan might allow remote attacker(s) to execute arbitrary code. Background ========== ConnMan provides a daemon for managing Internet connections. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/connman < 1.40 >= 1.40 Description =========== Multiple vulnerabilities have been discovered in connman. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All ConnMan users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/connman-1.40" References ========== [ 1 ] CVE-2021-26675 https://nvd.nist.gov/vuln/detail/CVE-2021-26675 [ 2 ] CVE-2021-26676 https://nvd.nist.gov/vuln/detail/CVE-2021-26676 [ 3 ] CVE-2021-33833 https://nvd.nist.gov/vuln/detail/CVE-2021-33833 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202107-29 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . For the stable distribution (buster), these problems have been fixed in version 1.36-2.1~deb10u1. We recommend that you upgrade your connman packages. For the detailed security status of connman please refer to its security tracker page at: https://security-tracker.debian.org/tracker/connman Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmAhl9pfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0ToGg//e9ZijJG7S7wkyc4I+q+1Bn1kPikXh4osJ9wgNSUKdcsIGWpjAvnW+X1H WwT5OI+7BeuAK1uAvGIuDK5s6cPsaa8NUKLsAwgKKcwCJcN74wLKls+3j7vt4nQA ynenKrwYBxxdfq9oUFPIvMhWggZ5a1LFqbgLeXnQc36IGAJSpkCMogJpOIQqc3Ed Xi7I7TKk3l2rxsvNxD+qPaRp+0p81trEcX7M81yhEBpg1q2UeEKLrDWkHxT1+l4N +ZHGT71zS5vq7pUrwWURlcy4mwOvNG0VA7BSu/j2mCAH2iUiRMEYOnZWEZTT9rS0 woDFAtU0Yp/zE6FhnXK0iwPyTfv9lJaOLpf30QnT3rc14t1sGhs460Hzv6XUbgjA Z89M5J+ImESPr3S1P7Tw39giD8LRsuXCqX8Hh3blz8astlrp9G+vmH/oN7U/yo9j uaGuwytV5aJuDDyl6tiMPz4nl537fxawdn95Mm9R67F1glESkEUob8ua2PRJDDCl 5ZPkTRwrIMyf2yS9ggvml2AsJbKUEs7pHxuzSpf9f/0ac5vBSwlXgLiEsq91uDxj TkEoXa/UKXyjDqnp4I/ctiwAopcp51Dvmsi2eiLKKxlS8XHWUZxVTSToqcGbj3OU isUqzGXEpvRgvC7u7oFS7FvSX+rBR0+H4iXq8MwCZvgfLldCyLQ= =5+D+ -----END PGP SIGNATURE----- . ========================================================================== Ubuntu Security Notice USN-6236-1 July 19, 2023 connman vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.04 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS (Available with Ubuntu Pro) - Ubuntu 16.04 LTS (Available with Ubuntu Pro) Summary: Several security issues were fixed in ConnMan. Software Description: - connman: Intel Connection Manager daemon Details: It was discovered that ConnMan could be made to write out of bounds. A remote attacker could possibly use this issue to cause ConnMan to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-26675, CVE-2021-33833) It was discovered that ConnMan could be made to leak sensitive information via the gdhcp component. A remote attacker could possibly use this issue to obtain information for further exploitation. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-26676) It was discovered that ConnMan could be made to read out of bounds. A remote attacker could possibly use this issue to case ConnMan to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-23096, CVE-2022-23097) It was discovered that ConnMan could be made to run into an infinite loop. A remote attacker could possibly use this issue to cause ConnMan to consume resources and to stop operating, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-23098) It was discovered that ConnMan could be made to write out of bounds via the gweb component. A remote attacker could possibly use this issue to cause ConnMan to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-32292) It was discovered that ConnMan did not properly manage memory under certain circumstances. A remote attacker could possibly use this issue to cause ConnMan to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-32293) It was discovered that ConnMan could be made to write out of bounds via the gdhcp component. A remote attacker could possibly use this issue to cause ConnMan to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2023-28488) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.04: connman 1.41-2ubuntu0.23.04.1 Ubuntu 22.04 LTS: connman 1.36-2.3ubuntu0.1 Ubuntu 20.04 LTS: connman 1.36-2ubuntu0.1 Ubuntu 18.04 LTS (Available with Ubuntu Pro): connman 1.35-6ubuntu0.1~esm1 Ubuntu 16.04 LTS (Available with Ubuntu Pro): connman 1.21-1.2+deb8u1ubuntu0.1~esm1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6236-1 CVE-2021-26675, CVE-2021-26676, CVE-2021-33833, CVE-2022-23096, CVE-2022-23097, CVE-2022-23098, CVE-2022-32292, CVE-2022-32293, CVE-2023-28488 Package Information: https://launchpad.net/ubuntu/+source/connman/1.41-2ubuntu0.23.04.1 https://launchpad.net/ubuntu/+source/connman/1.36-2.3ubuntu0.1 https://launchpad.net/ubuntu/+source/connman/1.36-2ubuntu0.1

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote or local

TYPE

other

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Gentoo

SOURCES

LAST UPDATE DATE

2024-11-23T21:00:13.112000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE