In this week’s digest, we’ll cover:
- A canceled asynchronous Redis command in redis-py that leaves a connection open.
- An access control issue in polkit that lets the polkitd service user escalate privileges to root.
- A high-severity access control issue in Elementor Pro, and
- sudoreplay as a means of creating an audit trail.
CVE-2023-28858: redis-py: canceled async connection left open
Background
redis-py is a Python interface to the Redis key-value store, supporting its various abstract data types. Redis accepts client connections over TCP, and redis-py provides an asynchronous (asyncio) client alongside the synchronous one.
Vulnerability
The initial vulnerability, CVE-2023-28858, affects versions of redis-py prior to 4.5.3 and is triggered when an asynchronous Redis command is canceled after the command has been sent but before the response has been read. The connection is left open with an unread response on it, and when the pool hands that connection to the next caller, the stale response is delivered to an unrelated request. The root cause is the handling of canceled requests in the asynchronous client (client.py): once a command has been sent, the server will always answer it, even if the caller has already canceled the command.
The fix for CVE-2023-28858 turned out to be incomplete: it left non-pipeline operations vulnerable, so the issue was reopened. The remaining vulnerability was assigned CVE-2023-28859 and patched with a fix that addresses this data leakage across asynchronous connections in general.
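The following simulation is an added example and is not redis-py code; it reproduces the bug class described above with a fake connection and a minimal pool, so the off-by-one reply leakage can be observed without a Redis server. The class and function names (FakeConnection, Pool, execute, scenario, run) are assumptions made for the illustration. With disconnect_on_cancel=False the canceled caller's connection goes back into the pool still owing a reply, and the next unrelated caller receives that reply; with disconnect_on_cancel=True the connection is dropped on cancellation, which is the approach the redis-py fixes take.

```python
import asyncio
from collections import deque


class FakeConnection:
    """Stand-in for a Redis socket: every command sent gets exactly one reply, in order, after `latency` s."""

    def __init__(self, latency=0.05):
        self.latency = latency
        self.unread = deque()   # replies that have arrived but not yet been consumed
        self.closed = False

    async def send_command(self, *args):
        # Once the command is on the wire the server will answer it, whether or not the caller still cares.
        asyncio.get_running_loop().call_later(self.latency, self.unread.append, args)

    async def read_response(self):
        while not self.unread:
            await asyncio.sleep(0.001)   # a cancellation lands here, mid-wait, leaving the reply unread
        return self.unread.popleft()

    async def disconnect(self):
        self.closed = True
        self.unread.clear()


class Pool:
    """Minimal connection pool: hand out a free connection, or open a new one."""

    def __init__(self):
        self.free = []
        self.opened = 0

    def get(self):
        if self.free:
            return self.free.pop()
        self.opened += 1
        return FakeConnection()

    def release(self, conn):
        if not conn.closed:          # a closed connection never goes back into rotation
            self.free.append(conn)


async def execute(pool, *args, disconnect_on_cancel):
    """One request/response round trip on a pooled connection.

    disconnect_on_cancel=False mirrors the vulnerable behaviour: the connection, with a
    reply still owed to it, is returned to the pool and reused by the next caller.
    """
    conn = pool.get()
    try:
        await conn.send_command(*args)
        return await conn.read_response()
    except asyncio.CancelledError:
        if disconnect_on_cancel:
            await conn.disconnect()  # the reply stream is out of sync with callers; drop the connection
        raise
    finally:
        pool.release(conn)


async def scenario(disconnect_on_cancel):
    pool = Pool()
    # Caller A gives up after 10 ms; the simulated server needs 50 ms, so A's command is cancelled mid-flight.
    try:
        await asyncio.wait_for(
            execute(pool, "GET", "user-A:secret", disconnect_on_cancel=disconnect_on_cancel), 0.01)
    except asyncio.TimeoutError:
        pass
    # Caller B, unrelated to A, is handed the next free connection from the pool.
    reply = await execute(pool, "GET", "user-B:key", disconnect_on_cancel=disconnect_on_cancel)
    return reply, pool.opened


def run(disconnect_on_cancel):
    """Returns (the reply caller B received, number of connections opened)."""
    return asyncio.run(scenario(disconnect_on_cancel))


if __name__ == "__main__":
    print("vulnerable:", run(False))   # B is handed the reply to A's command
    print("fixed:     ", run(True))    # B gets its own reply on a fresh connection
```

The point to take away is that cancelling the coroutine does not cancel the request already on the wire; the only safe recovery is to stop reusing a connection whose reply stream can no longer be matched to its callers.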
Mitigation
- This vulnerability is addressed in redis-py version 4.5.4. To resolve this issue, we recommend upgrading to the latest version.
polkit: default configuration writable by the service user
Background
polkit is a toolkit for defining and handling authorization in Unix-like operating systems; it is typically used to allow unprivileged processes to communicate with privileged ones.
Vulnerability
The vulnerability comes into play when an attacker gains access to the default service user, polkitd. That user owns the directories where polkit rules are stored (with permissions set to 700), so it can create rules that grant root privileges.
Although polkitd is normally a nologin account, an attacker who reaches it by other means (for example through a flaw in a process running as that user) could use this hypothetical attack to escalate to root.
The mitigation recommended by the reporter is to change the ownership and permissions of /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d to root:polkitd with mode 750, so that polkitd can still read the rules but can no longer write them. These changes were merged shortly thereafter.
Mitigation
- For existing installations of polkit, it is recommended to change the ownership and permissions of /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d to root:polkitd, 750.
- At the time of this digest, no new releases with this patch have been released, but it is recommended to upgrade to the latest version of polkit once it becomes available.
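As an added example (not code from the polkit project or the reporter), the script below audits the two rules directories against the recommended root:polkitd 750 layout and can apply it. The function names (check_rules_dir, audit, harden_rules_dir, demo) are assumptions for this illustration; check_rules_dir accepts either names or numeric ids so it can be exercised on a temporary directory owned by the current user, which is what demo does. harden_rules_dir needs root and a polkitd group on the host.

```python
import grp
import os
import pwd
import stat
import tempfile

# The two directories the reporter's fix covers.
POLKIT_RULES_DIRS = ("/etc/polkit-1/rules.d", "/usr/share/polkit-1/rules.d")


def _resolve(name_or_id, lookup):
    """Accept a name (str) or numeric id (int); return the id, or None if the name is unknown on this host."""
    if isinstance(name_or_id, int):
        return name_or_id
    try:
        return lookup(name_or_id)
    except KeyError:
        return None


def check_rules_dir(path, owner="root", group="polkitd", mode=0o750):
    """Return a list of findings for one rules directory; an empty list means it already matches the target."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]

    want_uid = _resolve(owner, lambda n: pwd.getpwnam(n).pw_uid)
    want_gid = _resolve(group, lambda n: grp.getgrnam(n).gr_gid)
    if want_uid is None:
        findings.append(f"{path}: expected owner {owner!r} is not a known user")
    elif st.st_uid != want_uid:
        # The dangerous case from the report: the service user owns the directory and can drop rules into it.
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {owner} (uid {want_uid})")
    if want_gid is None:
        findings.append(f"{path}: expected group {group!r} is not a known group")
    elif st.st_gid != want_gid:
        findings.append(f"{path}: group is gid {st.st_gid}, expected {group} (gid {want_gid})")

    actual_mode = stat.S_IMODE(st.st_mode)
    if actual_mode != mode:
        findings.append(f"{path}: mode {actual_mode:o}, expected {mode:o}")
    return findings


def audit(dirs=POLKIT_RULES_DIRS):
    """Check every rules directory on this host; returns {path: findings}."""
    return {d: check_rules_dir(d) for d in dirs}


def harden_rules_dir(path, owner="root", group="polkitd", mode=0o750):
    """Apply the recommended layout (requires root; the group must exist)."""
    os.chown(path, pwd.getpwnam(owner).pw_uid, grp.getgrnam(group).gr_gid)
    os.chmod(path, mode)


def demo():
    """Self-check on a temp directory owned by the current user: mode 700 is flagged, 750 passes."""
    with tempfile.TemporaryDirectory() as tmp:
        d = os.path.join(tmp, "rules.d")
        os.mkdir(d)
        st = os.stat(d)
        os.chmod(d, 0o700)
        before = check_rules_dir(d, owner=st.st_uid, group=st.st_gid)
        os.chmod(d, 0o750)
        after = check_rules_dir(d, owner=st.st_uid, group=st.st_gid)
        return before, after


if __name__ == "__main__":
    for path, findings in audit().items():
        print(path, "OK" if not findings else "")
        for finding in findings:
            print("  ", finding)
```

Run it as root with no arguments to list findings for the real directories; the ownership check is the one that matters most, since a directory owned by polkitd is writable by that user regardless of how restrictive the mode bits look.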
Elementor Pro: High Severity Access Control Issues
Background
Elementor Pro is a popular premium WordPress plugin estimated to be used by over 12 million sites. This plugin offers a professional quality website builder, widgets and integration with WooCommerce for your commercial needs.
Vulnerability
The vulnerability, which had no CVE assigned at the time of writing this digest, affects WordPress sites with both Elementor Pro and WooCommerce installed. Specifically, it lies in the update_option function called by an AJAX action in the WooCommerce module component. That function should only allow privileged users to update certain shop settings; however, it neither restricts access to highly privileged users nor validates user input.
As a result, an attacker holding an ordinary WooCommerce customer account could reach the website's backend, and from there create an administrator account, change the administrator's email address, or redirect all traffic to an external site.
Mitigation
- This vulnerability is resolved in Elementor Pro version 3.11.7. To resolve this issue, we recommend upgrading to the latest version.
sudoreplay: creating an audit trail
Background
sudoreplay is a command-line utility for replaying sudo I/O logs, available since sudo 1.8. It can play a session back in real time or at a speed specified on the command line.
Method
In a blog post published by Wott, author Viktor Petersson demonstrated how to configure sudo to record I/O logs. This way, commands run with sudo leave an audit trail that can be inspected with the sudoreplay command.
As the post notes, if the /etc/sudoers file is not properly locked down, users can wipe /var/log/sudo-io to remove the audit trail.
Mitigation
- Shipping logs to a remote server rather than storing them only locally reduces the risk of log tampering.
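The following is an added example, not code from the post or from the sudo project: it builds a hash manifest of a sudo-io log tree so that a wiped or edited session is detectable when the manifest (or the logs themselves) has been shipped off-host. The session layout 00/00/01 under the log directory is sudo's real sequence-number layout, but the file contents used here are constructed placeholders, not real captures, and the function names (build_manifest, diff_manifest, demo) are assumptions for this illustration.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map every file under `root` (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = digest
    return manifest


def diff_manifest(baseline, current):
    """Compare two manifests; returns (removed, modified, added) as sorted lists of relative paths."""
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    return removed, modified, added


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed sudo-io tree (placeholder contents): two sessions, then one is wiped and one is edited."""
    with tempfile.TemporaryDirectory() as root:
        # sudo stores each session under a six-hex-digit sequence split into three directories, e.g. 00/00/01.
        _write(os.path.join(root, "00/00/01/log"), b"session 1 header (constructed)\n")
        _write(os.path.join(root, "00/00/01/timing"), b"constructed timing data\n")
        _write(os.path.join(root, "00/00/01/ttyout"), b"$ id\nuid=0(root)\n")
        _write(os.path.join(root, "00/00/02/log"), b"session 2 header (constructed)\n")
        _write(os.path.join(root, "00/00/02/ttyout"), b"$ cat /etc/shadow\n")
        baseline = build_manifest(root)   # in production: send this (or the logs) to the remote server

        # Tampering: a user who can write /var/log/sudo-io removes one session and edits another.
        for name in ("log", "ttyout"):
            os.remove(os.path.join(root, "00/00/02", name))
        os.rmdir(os.path.join(root, "00/00/02"))
        _write(os.path.join(root, "00/00/01/ttyout"), b"$ id\nuid=1000(alice)\n")

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    removed, modified, added = demo()
    print("removed: ", removed)
    print("modified:", modified)
    print("added:   ", added)
```

A manifest kept on the same host is only as trustworthy as the host; the comparison is meaningful when the baseline lives on the remote log server, which is the mitigation the post arrives at.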