May 06, 2022 - 2:35 a.m.

Security Bulletin: Vulnerabilities in the Linux Kernel, Samba, Sudo, Python, and tcmu-runner affect IBM Spectrum Protect Plus

2022-05-06 02:35:57
www.ibm.com

CVSS3: 8.1 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: NONE

CVSS2: 7.2 High (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Access Vector: LOCAL; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.971 High (Percentile: 99.8%)

Summary

Vulnerabilities in the Linux Kernel, Samba, Sudo, Python, and tcmu-runner, such as denial of service, elevation of privileges, buffer overflow, directory traversal, information disclosure, and bypassing of security restrictions, may affect IBM Spectrum Protect Plus.

UPDATE 28 January 2022: CVE-2020-8492 for Python - complete fix in 10.1.9 or higher.

UPDATE 12 March 2022: CVE-2021-3156 for Sudo - complete fix in 10.1.10 or higher.

UPDATE 05 May 2022: In the Remediation/Fixes section under “Notes”, corrected the CVE number of the sudo vulnerability.

Vulnerability Details

CVEID: CVE-2020-8492
**DESCRIPTION:** Python is vulnerable to a denial of service, caused by a flaw in the urllib.request.AbstractBasicAuthHandler. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a Regular Expression Denial of Service (ReDoS).
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175462 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-14323
**DESCRIPTION:** Samba is vulnerable to a denial of service, caused by a NULL pointer dereference in the Winbind service. By sending a specially-crafted packet, a local authenticated attacker could exploit this vulnerability to crash the winbind service.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190934 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-15436
**DESCRIPTION:** Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a use-after-free flaw in fs/block_dev.c. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges, or cause a denial of service condition.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192171 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2021-3156
**DESCRIPTION:** Sudo is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when parsing command line arguments. By sending an “sudoedit -s” and a command-line argument that ends with a single backslash character, a local attacker could overflow a buffer and execute arbitrary code on the system with root privileges. This vulnerability is also known as Baron Samedit.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195658 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2021-3139
**DESCRIPTION:** Open-iSCSI tcmu-runner could allow a remote attacker to traverse directories on the system, caused by a flaw in the xcopy_locate_udev in tcmur_cmd_handler.c. An attacker could send a specially-crafted XCOPY request to read or write arbitrary files on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/194936 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2020-35513
**DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a flaw in which the umask is handled incorrectly during file or directory modification in the NFS (network file system) function. By sending a specially-crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195545 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-35508
**DESCRIPTION:** Linux Kernel could allow a local attacker to bypass security restrictions, caused by a race condition and incorrect initialization in the handling of child/parent process identification. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass checks to send any signal to a privileged process.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/198870 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

**Third Party Entry:** 189303
**DESCRIPTION:** Linux Kernel romfs information disclosure
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189303 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Spectrum Protect Plus | 10.1.0-10.1.7 |

Remediation/Fixes

| IBM Spectrum Protect Plus Release | First Fixing VRM Level | Platform | Link to Fix |
| --- | --- | --- | --- |
| 10.1 | 10.1.8 see Notes | Linux | <https://www.ibm.com/support/pages/node/6415111> |

**Notes:**

CVE-2020-8492 - Python
The 10.1.8 fix was incomplete. Complete fix is in 10.1.9 or higher. Link to 10.1.9: <https://www.ibm.com/support/pages/node/6487159>

CVE-2021-3156 - Sudo
The 10.1.8 fix was incomplete. Complete fix is in 10.1.10 or higher. Link to 10.1.10: <https://www.ibm.com/support/pages/node/6552532>
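
The fix levels above can be applied to an inventory of installed versions as follows. This is an added example, not part of the IBM bulletin or IBM tooling: the function names and the sample inventory are constructed for illustration, and how the installed version string is obtained is left to the caller.

```python
# Added example: which items from this bulletin remain open at a given
# IBM Spectrum Protect Plus version. Thresholds are taken from the bulletin;
# function names and the sample inventory are hypothetical.

ALL_ITEMS = [
    "CVE-2020-8492", "CVE-2020-14323", "CVE-2020-15436", "CVE-2021-3156",
    "CVE-2021-3139", "CVE-2020-35513", "CVE-2020-35508",
    "Third Party Entry 189303",
]

FIRST_FIX = (10, 1, 8)  # first fixing VRM level for the 10.1 release
COMPLETE_FIX = {
    "CVE-2020-8492": (10, 1, 9),   # Python: the 10.1.8 fix was incomplete
    "CVE-2021-3156": (10, 1, 10),  # Sudo: the 10.1.8 fix was incomplete
}


def parse_vrm(version):
    """Parse 'V.R.M' (extra components allowed) into a tuple of ints."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a V.R.M version: {version!r}")
    return tuple(int(p) for p in parts)


def outstanding(version):
    """Return the bulletin items not completely fixed at `version`."""
    vrm = parse_vrm(version)
    if vrm[:2] != (10, 1):
        raise ValueError("this bulletin only covers the 10.1 release")
    # Compare integer tuples, never strings: as text, "10.1.10" sorts
    # before "10.1.9" and a fully patched host would be reported as exposed.
    return [item for item in ALL_ITEMS
            if vrm[:3] < COMPLETE_FIX.get(item, FIRST_FIX)]


if __name__ == "__main__":
    # Constructed sample inventory: host name -> installed version.
    inventory = {"spp-a": "10.1.7", "spp-b": "10.1.8",
                 "spp-c": "10.1.9", "spp-d": "10.1.10"}
    for host, version in inventory.items():
        open_items = outstanding(version)
        print(f"{host} {version}: {', '.join(open_items) or 'none outstanding'}")
```

A host at 10.1.8 still shows the Python and Sudo CVEs as open, which a check against the first fixing level alone would miss.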

Workarounds and Mitigations

None

| CPE Name | Operator | Version |
| --- | --- | --- |
| ibm spectrum protect plus | eq | 10.1 |
