Details of VAR-202106-1510

ID

VAR-202106-1510

CVE

CVE-2021-33833

TITLE

ConnMan Out-of-bounds Vulnerability in Microsoft

Trust: 0.8

sources: JVNDB: JVNDB-2021-008150

DESCRIPTION

ConnMan (aka Connection Manager) 1.30 through 1.39 has a stack-based buffer overflow in uncompress in dnsproxy.c via NAME, RDATA, or RDLENGTH (for A or AAAA). ConnMan ( alias Connection Manager) Is vulnerable to an out-of-bounds write.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Arch Linux ConnMan 1.39 is an application software of the American Arch Linux community. Provides Intel's Modular Network Connection Manager. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202107-29 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: ConnMan: Multiple vulnerabilities Date: July 12, 2021 Bugs: #769491, #795084 ID: 202107-29 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A buffer overflow in ConnMan might allow remote attacker(s) to execute arbitrary code. Background ========== ConnMan provides a daemon for managing Internet connections. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/connman < 1.40 >= 1.40 Description =========== Multiple vulnerabilities have been discovered in connman. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All ConnMan users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/connman-1.40" References ========== [ 1 ] CVE-2021-26675 https://nvd.nist.gov/vuln/detail/CVE-2021-26675 [ 2 ] CVE-2021-26676 https://nvd.nist.gov/vuln/detail/CVE-2021-26676 [ 3 ] CVE-2021-33833 https://nvd.nist.gov/vuln/detail/CVE-2021-33833 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202107-29 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

Trust: 2.43

sources: NVD: CVE-2021-33833 // JVNDB: JVNDB-2021-008150 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-393968 // VULMON: CVE-2021-33833 // PACKETSTORM: 163473

AFFECTED PRODUCTS

vendor:	intel	model:	connection manager	scope:	gte	version:	1.30	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	9.0	Trust: 1.0
vendor:	intel	model:	connection manager	scope:	lte	version:	1.39	Trust: 1.0
vendor:	debian	model:	gnu/linux	scope:	eq	version:	-	Trust: 0.8
vendor:	connman	model:	connman	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-008150 // NVD: CVE-2021-33833

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-33833
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2021-33833
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202106-751
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-393968
value:	HIGH
Trust: 0.1
VULMON:	CVE-2021-33833
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-33833
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-393968
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-33833
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2021-33833
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-393968 // VULMON: CVE-2021-33833 // JVNDB: JVNDB-2021-008150 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-751 // NVD: CVE-2021-33833

PROBLEMTYPE DATA

problemtype:	CWE-787	Trust: 1.1
problemtype:	Out-of-bounds writing (CWE-787) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-393968 // JVNDB: JVNDB-2021-008150 // NVD: CVE-2021-33833

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 163473 // CNNVD: CNNVD-202106-751

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	connman.lists.linux.dev archive mirror DebianDebian	url:	https://lore.kernel.org/connman/	Trust: 0.8
title:	Debian CVElist Bug Report Logs: connman: CVE-2021-33833: dnsproxy: Check the length of buffers before memcpy	url:	https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=e7f5b390291ead68b45a751f973dc64b	Trust: 0.1
title:	Arch Linux Advisories: [ASA-202106-44] connman: arbitrary code execution	url:	https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-202106-44	Trust: 0.1
title:	Arch Linux Issues:	url:	https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2021-33833 log	Trust: 0.1
title:	POC-connman	url:	https://github.com/merrychap/POC-connman	Trust: 0.1

sources: VULMON: CVE-2021-33833 // JVNDB: JVNDB-2021-008150

EXTERNAL IDS

db:	NVD	id:	CVE-2021-33833	Trust: 3.5
db:	OPENWALL	id:	OSS-SECURITY/2021/06/09/1	Trust: 1.8
db:	OPENWALL	id:	OSS-SECURITY/2022/01/25/1	Trust: 1.7
db:	PACKETSTORM	id:	163473	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-008150	Trust: 0.8
db:	CNNVD	id:	CNNVD-202106-751	Trust: 0.7
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	AUSCERT	id:	ESB-2023.4078	Trust: 0.6
db:	CS-HELP	id:	SB2021060949	Trust: 0.6
db:	CS-HELP	id:	SB2021061624	Trust: 0.6
db:	CS-HELP	id:	SB2021071202	Trust: 0.6
db:	VULHUB	id:	VHN-393968	Trust: 0.1
db:	VULMON	id:	CVE-2021-33833	Trust: 0.1

sources: VULHUB: VHN-393968 // VULMON: CVE-2021-33833 // JVNDB: JVNDB-2021-008150 // PACKETSTORM: 163473 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-751 // NVD: CVE-2021-33833

REFERENCES

url:	https://security.gentoo.org/glsa/202107-29	Trust: 1.8
url:	https://lore.kernel.org/connman/	Trust: 1.8
url:	http://www.openwall.com/lists/oss-security/2021/06/09/1	Trust: 1.8
url:	https://lists.debian.org/debian-lts-announce/2022/02/msg00009.html	Trust: 1.7
url:	http://www.openwall.com/lists/oss-security/2022/01/25/1	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-33833	Trust: 0.9
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021060949	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2023.4078	Trust: 0.6
url:	https://vigilance.fr/vulnerability/connman-buffer-overflow-via-uncompress-37502	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021061624	Trust: 0.6
url:	https://packetstormsecurity.com/files/163473/gentoo-linux-security-advisory-202107-29.html	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021071202	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/787.html	Trust: 0.1
url:	https://github.com/merrychap/poc-connman	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989662	Trust: 0.1
url:	https://security.archlinux.org/cve-2021-33833	Trust: 0.1
url:	https://bugs.gentoo.org.	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-26675	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-26676	Trust: 0.1
url:	https://security.gentoo.org/	Trust: 0.1
url:	https://creativecommons.org/licenses/by-sa/2.5	Trust: 0.1

CREDITS

Gentoo

Trust: 0.1

sources: PACKETSTORM: 163473

SOURCES

db:	VULHUB	id:	VHN-393968
db:	VULMON	id:	CVE-2021-33833
db:	JVNDB	id:	JVNDB-2021-008150
db:	PACKETSTORM	id:	163473
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202106-751
db:	NVD	id:	CVE-2021-33833

LAST UPDATE DATE

2024-08-14T12:22:13.921000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-393968	date:	2022-02-09T00:00:00
db:	VULMON	id:	CVE-2021-33833	date:	2021-07-12T00:00:00
db:	JVNDB	id:	JVNDB-2021-008150	date:	2022-03-04T08:29:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202106-751	date:	2023-07-20T00:00:00
db:	NVD	id:	CVE-2021-33833	date:	2022-02-09T21:20:07.273

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-393968	date:	2021-06-09T00:00:00
db:	VULMON	id:	CVE-2021-33833	date:	2021-06-09T00:00:00
db:	JVNDB	id:	JVNDB-2021-008150	date:	2022-03-04T00:00:00
db:	PACKETSTORM	id:	163473	date:	2021-07-13T15:09:13
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202106-751	date:	2021-06-09T00:00:00
db:	NVD	id:	CVE-2021-33833	date:	2021-06-09T18:15:08.797