Clusters using Calico (version 3.14.0 and below), Calico Enterprise (version 2.8.2 and below), may be vulnerable to information disclosure if IPv6 is enabled but unused. A compromised pod with sufficient privilege is able to reconfigure the node’s IPv6 interface due to the node accepting route advertisement by default, allowing the attacker to redirect full or partial network traffic from the node to the compromised pod.

CVSS Rating: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L (6.0 Medium)

A cluster configured to use an affected container networking implementation is susceptible to man-in-the-middle (MitM) attacks. By sending “rogue” router advertisements, a malicious container can reconfigure the host to redirect part or all of the IPv6 traffic of the host to the attacker-controlled container. Even if there was no IPv6 traffic before, if the DNS returns A (IPv4) and AAAA (IPv6) records, many HTTP libraries will try to connect via IPv6 first then fallback to IPv4, giving an opportunity to the attacker to respond.

**Am I vulnerable?**

Kubernetes itself is not vulnerable. A Kubernetes cluster using an affected networking implementation is vulnerable.

Binary releases of the kubelet installed from upstream Kubernetes Community repositories hosted at https://packages.cloud.google.com/ may have also installed the kubernetes-cni package containing the containernetworking CNI plugins, which are affected by CVE-2020-10749.

**Affected Versions**

The following official kubelet package versions have an affected kubernetes-cni package as a dependency:

*   kubelet v1.18.0-v1.18.3
*   kubelet v1.17.0-v1.17.6
*   kubelet < v1.16.11

A cluster having an affected kubernetes-cni package installed is only affected if configured to use it.

**Third-party components and versions**

Many container networking implementations are affected, including:

*   CNI Plugins maintained by the containernetworking team, prior to version 0.8.6 (CVE-2020-10749) (See containernetworking/plugins#484)
*   Calico and Calico Enterprise (CVE-2020-13597) Please refer to the Tigera Advisory TTA-2020-001 at https://www.projectcalico.org/security-bulletins/ for details
*   Docker versions prior to 19.03.11 (see https://github.com/docker/docker-ce/releases/v19.03.11) (CVE-2020-13401)
*   Flannel, all current versions
*   Weave Net, prior to version 2.6.3

It is believed that the following are not affected:

*   Cilium
*   Juniper Contrail Networking
*   OpenShift SDN
*   OVN-Kubernetes
*   Tungsten Fabric

Information about the vulnerability status of any plugins or implementations not listed above is currently unavailable. Please contact the provider directly with questions about their implementation.

**How do I mitigate this vulnerability?**

*   Set the host default to reject router advertisements. This should prevent attacks from succeeding, but may break legitimate traffic, depending upon the networking implementation and the network where the cluster is running. To change this setting, set the sysctl net.ipv6.conf.all.accept_ra to 0.
*   Use TLS with proper certificate validation
*   Disallow CAP_NET_RAW for untrusted workloads or users. For example, a Pod Security Policy with a RequiredDropCapabilities that includes NET_RAW will prevent this attack for controlled workloads.

**Fixed Versions**

The following packages will bundle fixed versions of the containernetworking CNI plugins that were formerly installed via the kubernetes-cni package.

*   kubelet v1.19.0+ (master branch #91370)
*   kubelet v1.18.4+ (#91387)
*   kubelet v1.17.7+ (#91386)
*   kubelet v1.16.11+ (#91388)

Because these versions are not yet available, cluster administrators using packages from the Kubernetes repositories may choose to manually upgrade CNI plugins by retrieving the relevant arch tarball from the containernetworking/plugins v0.8.6 release. The patch versions are expected to be released on June 17th, subject to change.

**Additional Details****Detection**

*   The IPv6 routing table on nodes will show any attacker-created entries. For example, a host with IPv6 disabled might show no default route when running ip -6 route but the same host with an attack in progress might show an updated default route or a route to the target address(es). Any IPv6 route with a destination interface of a host-side container network interface should be investigated.
*   The host-side of a container network interface may show additional configured IPv6 addresses after receiving a rogue RA packet. For example, given a host-side interface of cbr0 which might normally have no IPv6 address, a dynamic-configured address on the interface may signal an attack in progress. Use this command to view interface addresses: ip a show dynamic cbr0

**Affected configurations**

*   Clusters using an affected networking implementation and allowing workloads to run with CAP_NET_RAW privileges. The default Kubernetes security context runs workloads with a capabilities bounding set that includes CAP_NET_RAW.

**Vulnerability impact**

*   A user able to create containers with CAP_NET_RAW privileges on an affected cluster can intercept traffic from other containers on the host or from the host itself.

**Acknowledgements**

This vulnerability was reported by Etienne Champetier (@champtar).

The issue was fixed by Casey Callendrello (@squeed) and maintainers of various container networking implementations. Updates to Kubernetes builds were coordinated by Stephen Augustus (@justaugustus) and Tim Pepper (@tpepper).

/area security  
/kind bug  
/committee product-security  
/sig network

CVE-2020-13597: IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements · Issue #91507 · kubernetes/kubernetes

Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).

CVE-2020-13757: python-rsa does not detect ciphertext modification (prepended "0" bytes) in PKCS1_v1_5 · Issue #146 · sybrenstuvel/python-rsa

Sympa before 6.2.56 allows privilege escalation.

Durant bon nombre de formations dispensées à Sysdream, les consultants ont pu révéler l’existence d’outils internes divers et variés, employés lors de tests d’intrusion ou de tests d’applications, sans pouvoir (ou vouloir ?) les diffuser. Dans un souci d’ouverture à la communauté, le laboratoire R&D a décidé de publier les sources de certains des outils développés et employés en interne, pour des raisons évidentes:

*   Ils contiennent encore des bugs, ou manquent de fonctionnalités, et nécessitent donc des tests à plus large échelle
*   L’apport de la communauté de la sécurité informatique ne peut être que bénéfique, et faire en sorte que ces outils soient améliorés
*   Github intègre un bug tracker qui permettra d’avoir un réel suivi des bugs ainsi que d’avoir une vision des fonctionnalités futures

L’ensemble des outils se trouvent donc sur notre Github. Nous allons ainsi publier durant les prochains mois différents outils sous licence GPL aggrémentés de leurs documentations respectives. Ces outils sont majoritairement développés en Python et en C, et certains même sont issus des recherches effectués au laboratoire. A l’heure actuelle, nous avons diffusé deux outils qu’il nous semble intéressant de partager:

**Protod**

Lorsque nous avions diffusé la première version de cet outil, ses capacités étaient somme toute relativement limitées. Nous avons profité d’un peu de temps disponible pour redévelopper intégralement cet outil, et améliorer la routine de localisation et d’extraction des méta-données. Protod supporte désormais aussi bien les exécutables Linux que Windows, ainsi que les fichiers Python compilés (pyc).

Comme nous le disions précédemment, cet outil fait aussi écho à un autre outil développé par Emilien Girault qui lui a permis de retrouver les fichiers de description des messages (.proto) employés par le Play Store de Google, basé sur micro-protobuf (une version allégée et sans méta-données de Protocol Buffers). Nous vous invitons bien sûr à consulter la méthode employée **\[1\]** ainsi que le code de son outil !

Code source sur Github

**Socketjump**

Un autre outil développé par nos soins, lors d’un test d’intrusion où socat ne convenait pas. Il s’agit d’un petit outil permettant de faire un pont entre deux sockets TCP, peu importe qu’elles soient en écoute ou en connexion sortante. Des options complémentaires comme la spécification du port source, ou le chiffrement (léger) de la communication sont aussi disponibles.

Le nom de cet outil est bien évidemment issu du célèbre “Rocket Jump” de Quake, son objectif premier étant de pouvoir faire du rebond vers un réseau interne à partir d’une machine compromise ouverte à un accès extérieur (Internet par exemple). 

Code source sur Github

Nous espérons que ces différents outils seront utiles à la communauté de la sécurité informatique.

**Références**

**\[1\]** http://www.segmentationfault.fr/publications/reversing-google-play-and-micro-protobuf-applications/

**\[2\]** https://sysdream.com/reverse-engineering-of-protobuf-based/

CVE-2020-10936: Le labo R&D a désormais son Github - SysDream

A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.

**Mozilla Foundation Security Advisory 2020-17**

Announced

May 5, 2020

Impact

critical

Products

Firefox ESR

Fixed in

*   Firefox ESR 68.8

**#CVE-2020-12387: Use-after-free during worker shutdown**

Reporter

Looben Yang

Impact

critical

**Description**

A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash.

**References**

*   Bug 1545345

**#CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens**

Reporter

James Forshaw of Google Project Zero

Impact

critical

**Description**

The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape.  
_Note: this issue only affects Firefox on Windows operating systems._

**References**

*   Bug 1618911

**#CVE-2020-12389: Sandbox escape with improperly separated process types**

Reporter

Niklas Baumstark

Impact

high

**Description**

The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape.  
_Note: this issue only affects Firefox on Windows operating systems._

**References**

*   Bug 1554110

**#CVE-2020-6831: Buffer overflow in SCTP chunk input validation**

Reporter

Natalie Silvanovich of Google Project Zero

Impact

high

**Description**

A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1632241

**#CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'**

Reporter

Ophir LOJKINE

Impact

moderate

**Description**

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of local files.

**References**

*   Bug 1614468

**#CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection**

Reporter

David Yesland

Impact

moderate

**Description**

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution.  
_Note: this issue only affects Firefox on Windows operating systems._

**References**

*   Bug 1615471

**#CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8**

Reporter

Mozilla developers and community

Impact

critical

**Description**

Mozilla developers and community members Alexandru Michis, Jason Kratzer, philipp, Ted Campbell, Bas Schouten, André Bargull, and Karl Tomlinson reported memory safety bugs present in Firefox 75 and Firefox ESR 68.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8

CVE-2020-12387: Security Vulnerabilities fixed in Firefox ESR 68.8

A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element. This vulnerability affects Firefox < 76.

**Mozilla Foundation Security Advisory 2020-16**

Announced

May 5, 2020

Impact

critical

Products

Firefox

Fixed in

*   Firefox 76

**#CVE-2020-12387: Use-after-free during worker shutdown**

Reporter

Looben Yang

Impact

critical

**Description**

A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash.

**References**

*   Bug 1545345

**#CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens**

Reporter

James Forshaw of Google Project Zero

Impact

critical

**Description**

The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape.  
_Note: this issue only affects Firefox on Windows operating systems._

**References**

*   Bug 1618911

**#CVE-2020-12389: Sandbox escape with improperly separated process types**

Reporter

Niklas Baumstark

Impact

high

**Description**

The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape.  
_Note: this issue only affects Firefox on Windows operating systems._

**References**

*   Bug 1554110

**#CVE-2020-6831: Buffer overflow in SCTP chunk input validation**

Reporter

Natalie Silvanovich of Google Project Zero

Impact

high

**Description**

A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1632241

**#CVE-2020-12390: Incorrect serialization of nsIPrincipal.origin for IPv6 addresses**

Reporter

Giorgio Maone

Impact

moderate

**Description**

Incorrect origin serialization of URLs with IPv6 addresses could lead to incorrect security checks

**References**

*   Bug 1141959

**#CVE-2020-12391: Content-Security-Policy bypass using object elements**

Reporter

Giorgio Maone

Impact

moderate

**Description**

Documents formed using `data:` URLs in an `object` element failed to inherit the CSP of the creating context. This allowed the execution of scripts that should have been blocked, albeit with a unique opaque origin.

**References**

*   Bug 1457100

**#CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'**

Reporter

Ophir LOJKINE

Impact

moderate

**Description**

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of local files.

**References**

*   Bug 1614468

**#CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection**

Reporter

David Yesland

Impact

moderate

**Description**

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution.  
_Note: this issue only affects Firefox on Windows operating systems._

**References**

*   Bug 1615471

**#CVE-2020-12394: URL spoofing in location bar when unfocussed**

Reporter

Kestrel

Impact

low

**Description**

A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element.

**References**

*   Bug 1628288

**#CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8**

Reporter

Mozilla developers and community

Impact

critical

**Description**

Mozilla developers and community members Alexandru Michis, Jason Kratzer, philipp, Ted Campbell, Bas Schouten, André Bargull, and Karl Tomlinson reported memory safety bugs present in Firefox 75 and Firefox ESR 68.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8

**#CVE-2020-12396: Memory safety bugs fixed in Firefox 76**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Frederik Braun, Andrew McCreight, C.M.Chang, and Dan Minor reported memory safety bugs present in Firefox 75. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 76

CVE-2020-12394: Security Vulnerabilities fixed in Firefox 76

An issue was discovered in libexif before 0.6.22. An unrestricted size in handling Canon EXIF MakerNote data could lead to consumption of large amounts of compute time for decoding EXIF data.

Permalink

Browse files

Add a failsafe on the maximum number of Canon MakerNote subtags.

A malicious file could be crafted to cause extremely large values in some
tags without tripping any buffer range checks.  This is bad with the libexif
representation of Canon MakerNotes because some arrays are turned into
individual tags that the application must loop around.

The largest value I've seen for failsafe\_size in a (very small) sample of valid
Canon files is <5000.  The limit is set two orders of magnitude larger to avoid
tripping up falsely in case some models use much larger values.

Patch from Google.

CVE-2020-13114

*   Loading branch information

Showing with **21 additions** and **0 deletions**.

1.  +21 −0 libexif/canon/exif-mnote-data-canon.c

CVE-2020-13114: Add a failsafe on the maximum number of Canon MakerNote subtags. · libexif/libexif@e6a38a1

Insufficient data validation in site information in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to spoof security UI via a crafted domain name.

CVE-2020-6491

Use after free in media in Google Chrome prior to 83.0.4103.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

CVE-2020-6466

Use after free in speech recognizer in Google Chrome prior to 81.0.4044.113 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

CVE-2020-6457

Insufficient data validation in URL formatting in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to perform domain spoofing via a crafted domain name.

Tag

#google