Pexip security bulletins

The following security bulletins are issued by Pexip.

Each bulletin addresses one or more vulnerabilities in Pexip Infinity or in the operating system software it uses. The bulletins include an assessment of the issues, the impact to the Pexip Infinity platform, and resolution details.

Bulletin | Description | Risk | Updated
CVE-2018-20843 | Bulletin addresses a vulnerability in the Expat XML parser that could allow an attacker to cause a denial of service (excess CPU and memory consumption). Minor issues resolved in Pexip Infinity 22: CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2018-20855, CVE-2019-2101, CVE-2019-3498, CVE-2019-6975, CVE-2019-10638, CVE-2019-12735, CVE-2019-12749, CVE-2019-12984, CVE-2019-13233, CVE-2019-13272, CVE-2019-13631, CVE-2019-14283, CVE-2019-14284. | High | September 2019
CVE-2016-10745 | Bulletin addresses a vulnerability in Pallets Jinja before 2.8.1 in which str.format allows a sandbox escape. | High | May 2019
CVE-201x | Bulletin addresses several vulnerabilities, including CVE-2019-7177, CVE-2019-7178. | Critical | Feb 15, 2019
CVE-201x | Bulletin addresses several vulnerabilities, including CVE-2018-0732, CVE-2018-3620, CVE-2018-3665, CVE-2018-15473, CVE-2018-15572, CVE-2018-17182, CVE-2018-18065. | Medium | Oct 19, 2018
CVE-2018-3639 | Bulletin addresses the Speculative Store Bypass vulnerability. | Low | May 23, 2018
CVE-201x | Bulletin addresses several vulnerabilities, including CVE-2018-10585, CVE-2018-10432, CVE-2017-13194, CVE-2015-5621, CVE-2018-1000116. | Medium | May 08, 2018
CVE-201x | Bulletin addresses several vulnerabilities, including Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5715, CVE-2017-5753). | Medium | Feb 07, 2018
CVE-201x | Bulletin addresses several vulnerabilities, including CVE-2017-17477, CVE-2017-3735, CVE-2017-3736, CVE-2017-7668. | High | Dec 08, 2017
CVE-2017-6551 | Bulletin addresses a vulnerability that may allow an unauthenticated remote attacker to cause a service restart or execute arbitrary code as an unprivileged user on Pexip Infinity Conferencing Nodes. | Critical | Apr 10, 2017
CVE-201x | Bulletin addresses several vulnerabilities, including CVE-2016-0758, CVE-2016-5696, CVE-2016-6210, CVE-2016-2179, CVE-2016-2181, CVE-2016-2183, CVE-2016-6304. | High | Oct 7, 2016
CVE-201x | Bulletin addresses several vulnerabilities, including CVE-2015-0860, CVE-2015-7547, CVE-2015-8370, CVE-2016-1907, CVE-2015-3194, CVE-2015-3197. | High | Feb 22, 2016
CVE-201x | Bulletin addresses several vulnerabilities, including CVE-2015-7613, CVE-2015-7703, CVE-2015-7871. | Medium | Feb 19, 2016
CVE-201x | Bulletin addresses several vulnerabilities, including CVE-2015-3183, CVE-2015-1283, CVE-2015-2059, CVE-2015-1819, CVE-2015-1805, CVE-2015-3290, CVE-2015-5364, CVE-2015-5366, CVE-2015-6563. | Medium | Aug 25, 2015
CVE-201x | Bulletin addresses several vulnerabilities, including CVE-2015-3144, CVE-2015-1781, CVE-2014-7822, CVE-2014-8160, CVE-2015-3331, CVE-2015-3339, CVE-2015-1791, CVE-2015-1793, CVE-2015-4000, CVE-2015-5143, CVE-2015-4719. | High | Aug 10, 2015
CVE-201x | Bulletin addresses several vulnerabilities, including CVE-2013-7423, CVE-2014-9402, CVE-2015-1472, CVE-2015-1473, CVE-2014-3710, CVE-2014-8116, CVE-2014-8117, CVE-2014-9620, CVE-2014-9652, CVE-2014-9653, CVE-2014-9529, CVE-2015-1593, CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0293, CVE-2015-2296, CVE-2015-0261, CVE-2015-2153, CVE-2015-2154, CVE-2015-2155, and two with CVE IDs pending. | High | Apr 15, 2015
CVE-201x | Bulletin addresses several vulnerabilities, including CVE-2013-5704, CVE-2015-0235, CVE-2014-9447, CVE-2011-4355, CVE-2014-3248, CVE-2014-3631, CVE-2014-9322, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206, CVE-2014-9221, CVE-2014-8767, CVE-2014-8769, CVE-2014-9140. | Medium | Jan 30, 2015
CVE-2014-8779 | Bulletin addresses a vulnerability in the generation of SSH host keys on deployment of Pexip virtual machines. | High | Jan 15, 2015
CVE-2014-0160 | Bulletin outlining Pexip's response to the CVE-2014-0160 "Heartbleed" bug. | Low | Apr 9, 2014

Please contact your Pexip authorized support representative for more information about these issues.

Further details of each of the above vulnerabilities can be found via the NIST National Vulnerability Database: https://nvd.nist.gov/.

CVE-2018-20843 A vulnerability in the Expat XML parser could allow an attacker to cause a denial of service (excess CPU and memory consumption)

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 22

CVSS3 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: Pexip Infinity uses the Expat XML parser only when configured for integration with external systems (such as CUCM adhoc conferencing). This functionality is disabled in default configuration and must be configured explicitly by the system administrator. If integration with CUCM adhoc conferencing is not required, ensure that this functionality is disabled by navigating to Platform > Global Settings, clearing the External system username and External system password fields, and saving the settings. If integration with CUCM adhoc conferencing is required, there is no mitigation available.

Resolution: Upgrade to Pexip Infinity 22

CVE-2016-10745 May 2019: In Pallets Jinja before 2.8.1, str.format allows a sandbox escape

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 10.x, 11.x, 12.x, 13.x, 14.x, 15.x, 16.x, 17.x, 18.x, 19.x, 20.x

CVSS3 base score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Mitigation: An attacker must be authenticated to the Pexip Infinity management web interface (or API) and have sufficient permissions to access the vulnerable functionality.

Restrict access to the "May modify system configuration", "May restore system backup", "May add/remove VMRs", and "May modify VMR configuration" permissions. Note, however, that these permissions apply to a wide range of configuration items and thus restricting access in this way may not be practical in all environments.

As general good practice, ensure that access to the Pexip Infinity Management Node is restricted to trusted networks using appropriate firewalls.

Resolution: Upgrade to Pexip Infinity 21.
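The defect behind CVE-2016-10745 is that a sandboxed template can call str.format on an attacker-controlled format string, and the format mini-language then resolves attribute chains such as {0.__class__.__init__.__globals__} without consulting the sandbox. The block below is an added illustration and is not Jinja's or Pexip's code: a string.Formatter subclass that routes every attribute and index hop through the same underscore rule a template sandbox applies, shown beside the unguarded str.format call it replaces. Jinja 2.8.1 closed the hole along these lines by wrapping format calls in a sandboxed formatter; the User class and the payload here are constructed for the example.

```python
import re
import string


class SecurityError(Exception):
    """Raised when a format field tries to reach an attribute the sandbox forbids."""


def is_safe_attribute(obj, attr):
    # Same rule a template sandbox applies to attribute access: anything whose
    # name starts with an underscore (__class__, __globals__, __subclasses__ ...)
    # is off limits. Everything else on a plain object is treated as data.
    return not str(attr).startswith("_")


# "0.attr[key].other" -> ("0", [(True, "attr"), (False, "key"), (True, "other")])
_HEAD_RE = re.compile(r"[^.\[]*")
_REST_RE = re.compile(r"\.([^.\[]+)|\[([^\]]*)\]")


def split_field_name(field_name):
    head = _HEAD_RE.match(field_name)
    rest = []
    for attr, key in _REST_RE.findall(field_name[head.end():]):
        if attr:
            rest.append((True, attr))
        else:
            rest.append((False, int(key) if key.isdigit() else key))
    return head.group(0), rest


class SandboxedFormatter(string.Formatter):
    """str.format replacement that resolves each field by hand so every
    attribute hop is checked. Nested fields inside a format spec
    ("{0.name:{0.__class__}}") go through the same method, so they are
    covered too."""

    def get_field(self, field_name, args, kwargs):
        first, rest = split_field_name(field_name)
        # Positional fields arrive as digit strings ("0"), keyword fields as names.
        obj = self.get_value(int(first) if first.isdigit() else first, args, kwargs)
        for is_attr, key in rest:
            if is_attr:
                if not is_safe_attribute(obj, key):
                    raise SecurityError(
                        f"access to attribute {key!r} of {type(obj).__name__} is unsafe")
                obj = getattr(obj, key)
            else:
                obj = obj[key]
        return obj, first


class User:
    """Constructed stand-in for an object a template would be handed."""

    def __init__(self, name):
        self.name = name


def unsafe_render(template, *args, **kwargs):
    # What a sandbox that lets str.format through effectively does.
    return template.format(*args, **kwargs)


def safe_render(template, *args, **kwargs):
    return SandboxedFormatter().vformat(template, args, kwargs)


def is_blocked(template, *args, **kwargs):
    try:
        safe_render(template, *args, **kwargs)
    except SecurityError:
        return True
    return False


# Constructed payload: the first hop of the usual gadget chain. From the module
# globals an attacker walks to imported modules, then to os, then to a shell.
ESCAPE = "{0.__class__.__init__.__globals__}"

if __name__ == "__main__":
    user = User("alice")
    print(unsafe_render("Hello {0.name}", user))
    print("unguarded str.format leaks:", unsafe_render(ESCAPE, user)[:70], "...")
    print(safe_render("Hello {0.name}", user))
    print("sandboxed formatter blocks payload:", is_blocked(ESCAPE, user))
```

Walking the field by hand rather than calling the base class's get_field matters because the check then runs on every intermediate object: {0.name.__class__} is refused even though name itself is harmless, and a field nested inside a format spec is parsed by the same method and refused as well.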

CVE-201x February 2019 (multiple vulnerabilities)

Identified vulnerabilities

CVE-2019-7177: An input validation failure in the Pexip Infinity Administrator interface allows an authenticated remote attacker to execute arbitrary code as an unprivileged user on Pexip Infinity nodes.

Impact to Pexip Infinity: Critical

Affected versions of Pexip Infinity: 10.x, 11.x, 12.x, 13.x, 14.x, 15.x, 16.x, 17.x, 18.x, 19.x, 20

CVSS3 base score: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Mitigation: An attacker must be authenticated to the Pexip Infinity Administrator interface (or API) and have sufficient permissions to access the vulnerable functionality.

Restrict access to the "May modify system configuration", "May restore system backup", "May add/remove VMRs", and "May modify VMR configuration" permissions. Note, however, that these permissions apply to a wide range of configuration items and thus restricting access in this way may not be practical in all environments.

As general good practice, ensure that access to the Pexip Infinity Management Node is restricted to trusted networks using appropriate firewalls.

Resolution: Upgrade to Pexip Infinity 20.1.

Credit: This issue was discovered and reported by Nenad Stojanovski from the Google Security Team.

CVE-2019-7178: Insufficient validation of the contents of a system backup archive during system restore allows an authenticated remote attacker (or a local attacker with the ability to execute arbitrary code) to install and execute arbitrary code as the root user on the Pexip Infinity Management Node.

Impact to Pexip Infinity: Critical

Affected versions of Pexip Infinity: 9.x, 10.x, 11.x, 12.x, 13.x, 14.x, 15.x, 16.x, 17.x, 18.x, 19.x, 20

CVSS3 base score: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Mitigation: A remote attacker must be authenticated to the Pexip Infinity Administrator interface (or API) and have sufficient permissions to access the vulnerable functionality.

If running Pexip Infinity 18.0 or later, restrict access to the "May restore system backup" permission. This permits minimization of the number of administrative users who may perform a system restore.

If running a version of Pexip Infinity earlier than 18, restrict access to both the "May view system configuration" and "May modify system configuration" permissions. This permits minimization of the number of administrative users who are able to access system restore. Note, however, that these permissions apply to a wide range of system-level configuration and thus restricting access in this way may not be practical in all environments.

Ensure system backup archives are handled with appropriate care and only ever restore backups which are trusted.

As general good practice, ensure that access to the Pexip Infinity Management Node is restricted to trusted networks using appropriate firewalls.

Resolution: Upgrade to Pexip Infinity 20.1.

Credit: This issue was discovered and reported by Nenad Stojanovski from the Google Security Team.
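CVE-2019-7178 belongs to a well-known class: a restore routine unpacks an administrator-supplied archive as root and trusts the member names and types it finds inside. The page does not say which check Pexip's restore lacked, and the code below is an added illustration rather than Pexip's implementation: it shows the validations a restore path of this kind needs before any member is written to disk. The allowed directory layout (config/ and certs/), the size budgets and the sample archives are all constructed for the example.

```python
import io
import posixpath
import stat
import tarfile


class UnsafeBackupArchive(Exception):
    """Raised when a backup archive contains anything a restore must not write."""


# Assumed layout of this hypothetical appliance's backup: only these top-level
# directories may appear. A real product would derive this from its own manifest.
ALLOWED_PREFIXES = ("config/", "certs/")
MAX_MEMBER_BYTES = 50 * 1024 * 1024
MAX_TOTAL_BYTES = 500 * 1024 * 1024


def normalised_path(name):
    # Collapse "a/./b" and "a/../b" first, then refuse anything that would land
    # outside the extraction root (absolute paths or a leading "..").
    norm = posixpath.normpath(name)
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        raise UnsafeBackupArchive(f"path escapes extraction root: {name!r}")
    return norm


def validate_member(member):
    norm = normalised_path(member.name)
    if not (member.isfile() or member.isdir()):
        # Symlinks, hard links, devices and FIFOs have no place in a configuration
        # backup. A symlink member pointing at /etc followed by a file written
        # "through" it is the classic route from archive to root code execution.
        raise UnsafeBackupArchive(f"unexpected member type for {member.name!r}")
    if member.isfile() and member.size > MAX_MEMBER_BYTES:
        raise UnsafeBackupArchive(f"member too large: {member.name!r}")
    if member.mode & (stat.S_ISUID | stat.S_ISGID):
        raise UnsafeBackupArchive(f"setuid/setgid bit on {member.name!r}")
    if not (norm + "/").startswith(ALLOWED_PREFIXES):
        raise UnsafeBackupArchive(f"member outside allow-list: {member.name!r}")
    return norm


def validate_backup(data):
    """Return the normalised member paths if the whole archive is acceptable;
    otherwise raise UnsafeBackupArchive before anything touches the filesystem."""
    names, total = [], 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            names.append(validate_member(member))
            total += member.size
            if total > MAX_TOTAL_BYTES:
                raise UnsafeBackupArchive("archive exceeds total size budget")
    return names


def restore_backup(data, dest):
    # Validate every member first, then extract. Checking and extracting in one
    # pass would leave earlier members on disk when a later one is rejected.
    names = validate_backup(data)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            member.name = normalised_path(member.name)
            tar.extract(member, path=dest, set_attrs=False)
    return names


def is_rejected(data):
    try:
        validate_backup(data)
    except UnsafeBackupArchive:
        return True
    return False


def build_archive(members):
    """Constructed test archives: members are (name, payload, tar type, linkname)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload, kind, link in members:
            info = tarfile.TarInfo(name)
            info.type = kind
            if kind == tarfile.REGTYPE:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
            else:
                info.linkname = link or ""
                tar.addfile(info)
    return buf.getvalue()


GOOD = build_archive([
    ("config", b"", tarfile.DIRTYPE, None),
    ("config/platform.json", b'{"sip_tls": true}\n', tarfile.REGTYPE, None),
    ("certs/server.pem", b"-----BEGIN CERTIFICATE-----\n", tarfile.REGTYPE, None),
])
TRAVERSAL = build_archive([
    ("config/../../etc/cron.d/pwn", b"* * * * * root /tmp/x\n", tarfile.REGTYPE, None),
])
SYMLINK = build_archive([
    ("config/etc", b"", tarfile.SYMTYPE, "/etc"),
    ("config/etc/cron.d/pwn", b"* * * * * root /tmp/x\n", tarfile.REGTYPE, None),
])
OUTSIDE = build_archive([("usr/local/bin/helper", b"#!/bin/sh\n", tarfile.REGTYPE, None)])

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as dest:
        print("restored:", restore_backup(GOOD, dest))
    for label, blob in (("traversal", TRAVERSAL), ("symlink", SYMLINK), ("outside", OUTSIDE)):
        print(f"{label}: rejected={is_rejected(blob)}")
```

Validation runs over the whole archive before extraction begins, so a rejected member never leaves a partially restored system behind. Python 3.12 and later offer tarfile's filter="data" argument, which applies similar traversal and link checks, but the allow-list and the size budget are policy the caller still has to supply. None of this replaces the page's own advice: only archives whose origin is trusted should be restored at all.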

CVE-201x October 2018 (multiple vulnerabilities)

Identified vulnerabilities

CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 20

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: Pexip Infinity will assume the client role in a TLS handshake when initiating connections to external devices. These may include:

  • SIP devices which use a TLS transport
  • Microsoft Lync/Skype for Business infrastructure devices
  • RTMP ingest points which use a TLS transport
  • LDAP directories which use a TLS transport
  • External policy servers which use a TLS transport
  • Microsoft Exchange (on-premise, or in Office365)
  • SMTP servers which use a TLS transport
  • FTP servers which use a TLS transport
  • Syslog servers which use a TLS transport
  • VMware ESXi/vCenter

Ensure the above devices are trusted.

Resolution: Upgrade to Pexip Infinity 20.

CVE-2018-3620: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 20

CVSS2 base score: 4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N)

Mitigation: The vulnerabilities are in the processor hardware and affect all software that runs on a vulnerable processor. The vulnerabilities exist regardless of the operating system in use or whether the software is running on bare metal, in a virtual machine, in a container-based solution, on-premises or in the cloud.

To exploit this issue in a way that may affect Pexip Infinity, an attacker must be able to install and run arbitrary, malicious code on at least one of:

  • a Pexip Infinity Management Node or Conferencing Node
  • a virtual machine on the same physical host
  • the physical host itself

Running arbitrary code on a Pexip Infinity node requires the installation and execution of unauthorized malicious software on the system, requiring local access to the system. The vulnerabilities do not allow an unauthorized entity to gain access to a system.

Administrators can take a number of steps to help mitigate the exposure to this vulnerability:

  • Ensure that access to physical hardware is properly controlled.
  • Ensure that access to virtualization infrastructure, including the console of virtual machines, is properly controlled.
  • As the scope of these vulnerabilities is limited to a physical machine, ensuring that Pexip Infinity is deployed on dedicated hardware will minimize the risk from co-located virtual machines.
  • As always, we recommend administrators take steps to prevent and protect against unauthorized access to Pexip Infinity nodes by ensuring only trusted users have credentials for the operating system administration account. SSH may be disabled across the Pexip Infinity platform and may be re-enabled in the rare instances where it is needed. Additionally, ensure that SSH access is restricted to trusted networks using appropriate firewalls.

Pexip strongly recommends that virtual machines and hypervisors from other vendors are updated as soon as is practical.

Resolution: Upgrade to Pexip Infinity 20.

CVE-2018-3665: System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 20

CVSS2 base score: 4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N)

Mitigation: Only systems running VMware ESXi on Intel Sandy Bridge microarchitecture CPUs are affected. Systems running other hypervisors (Microsoft Hyper-V, KVM, or Xen) on Sandy Bridge or later microarchitecture CPUs are unaffected. Systems running VMware ESXi on Ivy Bridge or later microarchitecture CPUs are unaffected. Systems running on Intel microarchitectures before Sandy Bridge are not supported.

To exploit this issue in a way that may affect Pexip Infinity, an attacker must be able to install and run arbitrary, malicious code on a Pexip Infinity Management Node or Conferencing Node.

Running arbitrary code on a Pexip Infinity node requires the installation and execution of unauthorized malicious software on the system, requiring local access to the system. The vulnerabilities do not allow an unauthorized entity to gain access to a system.

Administrators can take a number of steps to help mitigate the exposure to this vulnerability:

  • Ensure that access to physical hardware is properly controlled.
  • Ensure that access to virtualization infrastructure, including the console of virtual machines, is properly controlled.
  • As always, we recommend administrators take steps to prevent and protect against unauthorized access to Pexip Infinity nodes by ensuring only trusted users have credentials for the operating system administration account. SSH may be disabled across the Pexip Infinity platform and may be re-enabled in the rare instances where it is needed. Additionally, ensure that SSH access is restricted to trusted networks using appropriate firewalls.

Resolution: Upgrade to Pexip Infinity 20.

CVE-2018-15473: OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 20

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Mitigation: Ensure SSH access to Infinity nodes is restricted to trusted networks and/or disable SSH using the Management Web Interface.

Resolution: Upgrade to Pexip Infinity 20.
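When triaging CVE-2018-15473 across an estate, the quickest indicator is the identification string sshd sends before any authentication; NVD's affected range is OpenSSH through 7.7. The block below is an added example, not Pexip code: it parses that banner and flags versions in range, with the sample banners constructed for the example and a small helper to fetch a live banner over TCP. Two caveats apply. Distributions backport fixes without bumping the upstream version, so a flagged banner is a prompt to check the vendor's statement (for Pexip Infinity, the fix is the upgrade to version 20), not proof of exposure. And the enumeration itself relies on a malformed authentication request, which is not reproduced here.

```python
import re
import socket

# Constructed banners, as an SSH client reads them in the first line from port 22.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.4",
    "SSH-2.0-OpenSSH_7.7p1 Ubuntu-4ubuntu0.3",
    "SSH-2.0-OpenSSH_7.8",
    "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1",
    "SSH-2.0-dropbear_2019.78",
]

_OPENSSH_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)")


def openssh_version(banner):
    """(major, minor) from an OpenSSH banner, or None for other servers."""
    m = _OPENSSH_RE.match(banner.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def banner_claims_cve_2018_15473(banner):
    # NVD's affected range is "OpenSSH through 7.7"; upstream fixed it in 7.8.
    # Backported distro fixes keep the old number, so this is a triage hint only.
    v = openssh_version(banner)
    return v is not None and v <= (7, 7)


def grab_banner(host, port=22, timeout=3.0):
    """Read the server's identification line; no authentication is attempted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).split(b"\r\n", 1)[0].decode("ascii", "replace")


def triage(banners):
    """Map each banner to True when it should be reviewed against the vendor's fix."""
    return {b: banner_claims_cve_2018_15473(b) for b in banners}


if __name__ == "__main__":
    for banner, flagged in triage(SAMPLE_BANNERS).items():
        print(f"{'REVIEW' if flagged else 'ok    '}  {banner}")
```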

CVE-2018-15572: The Linux kernel does not always fill the Return Stack Buffer upon a context switch, which makes it easier for attackers to conduct userspace-to-userspace SpectreRSB attacks.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 20

CVSS2 base score: 4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N)

Mitigation: The vulnerabilities are in the processor hardware and affect all software that runs on a vulnerable processor. The vulnerabilities exist regardless of the operating system in use or whether the software is running on bare metal, in a virtual machine, in a container-based solution, on-premises or in the cloud.

To exploit this issue in a way that may affect Pexip Infinity, an attacker must be able to install and run arbitrary, malicious code on a Pexip Infinity Management Node or Conferencing Node.

Running arbitrary code on a Pexip Infinity node requires the installation and execution of unauthorized malicious software on the system, requiring local access to the system. The vulnerabilities do not allow an unauthorized entity to gain access to a system.

Administrators can take a number of steps to help mitigate the exposure to this vulnerability:

  • Ensure that access to physical hardware is properly controlled.
  • Ensure that access to virtualization infrastructure, including the console of virtual machines, is properly controlled.
  • As always, we recommend administrators take steps to prevent and protect against unauthorized access to Pexip Infinity nodes by ensuring only trusted users have credentials for the operating system administration account. SSH may be disabled across the Pexip Infinity platform and may be re-enabled in the rare instances where it is needed. Additionally, ensure that SSH access is restricted to trusted networks using appropriate firewalls.

Resolution: Upgrade to Pexip Infinity 20.

CVE-2018-17182: An issue was discovered in the Linux kernel which allows an attacker to trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 20

CVSS2 base score: 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C)

Mitigation: To exploit this issue in a way that may affect Pexip Infinity, an attacker must be able to install and run arbitrary, malicious code on a Pexip Infinity Management Node or Conferencing Node.

Running arbitrary code on a Pexip Infinity node requires the installation and execution of unauthorized malicious software on the system, requiring local access to the system. The vulnerabilities do not allow an unauthorized entity to gain access to a system.

Administrators can take a number of steps to help mitigate the exposure to this vulnerability:

  • Ensure that access to physical hardware is properly controlled.
  • Ensure that access to virtualization infrastructure, including the console of virtual machines, is properly controlled.
  • As always, we recommend administrators take steps to prevent and protect against unauthorized access to Pexip Infinity nodes by ensuring only trusted users have credentials for the operating system administration account. SSH may be disabled across the Pexip Infinity platform and may be re-enabled in the rare instances where it is needed. Additionally, ensure that SSH access is restricted to trusted networks using appropriate firewalls.

Resolution: Upgrade to Pexip Infinity 20.

CVE-2018-18065: Net-SNMP fails to correctly validate input, which allows an authenticated remote attacker to cause the instance to crash via a crafted UDP packet, resulting in a denial of service.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 20

CVSS2 base score: 6.8 (AV:N/AC:L/Au:S/C:N/I:N/A:C)

Mitigation: Ensure SNMP access to Infinity nodes is restricted to trusted networks. If using SNMP v2c, ensure that non-default community strings are used. Disable SNMP using the Management Web Interface if it is not required.

Resolution: Upgrade to Pexip Infinity 20.

Speculative Store Bypass (CVE-2018-3639)

Background

Modern microprocessors from multiple vendors (including Intel, AMD, and Arm) are susceptible to a class of vulnerability with which a successful attacker can gain access to information that is stored in memory by applications running on such hardware. All software running on vulnerable hardware may be affected irrespective of the operating system used or whether the software is running in a virtual machine.

Security researchers from Microsoft and Google independently discovered a new attack vector similar to the previously-known Spectre variant 1. Where variant 1 relied on the speculative execution of memory reads using out-of-bounds addresses resulting from mispredicted branches, the new attack vector (known as "variant 4") targets the memory disambiguation functionality of modern microprocessors.

Memory disambiguation is a performance optimization in which a read from memory may be performed speculatively by the processor even if previous writes to memory are outstanding. If no outstanding write addresses the same memory as was speculatively read, then the processor has saved time waiting for the write to complete. If an outstanding write does address the same memory, then the speculative read is discarded and all subsequent instructions are re-executed.

However, as with the previously-known variant 1, this procedure can leave traces in the memory cache which may then be used by an attacker as a side-channel through which information may be extracted.

Details of the new attack vector were made public on 21 May 2018 after a period of embargo while software mitigations were developed. There is no evidence that this new attack vector has been exploited maliciously in the wild.

Impact to Pexip Infinity

The vulnerabilities are in the processor hardware and affect all software that runs on a vulnerable processor. The vulnerabilities exist regardless of the operating system in use or whether the software is running on bare metal, in a virtual machine, in a container-based solution, on-premises or in the cloud.

To exploit this issue in a way that may affect Pexip Infinity, an attacker must be able to install and run arbitrary, malicious code on at least one of:

  • a Pexip Infinity Management Node or Conferencing Node
  • a virtual machine on the same physical host
  • the physical host itself

Mitigation

Running arbitrary code on a Pexip Infinity node requires the installation and execution of unauthorized malicious software on the system, requiring local access to the system. The vulnerabilities do not allow an unauthorized entity to gain access to a system.

Administrators can take a number of steps to help mitigate the exposure to this vulnerability:

  • Ensure that access to physical hardware is properly controlled.
  • Ensure that access to virtualization infrastructure, including the console of virtual machines, is properly controlled.
  • As the scope of these vulnerabilities is limited to a physical machine, ensuring that Pexip Infinity is deployed on dedicated hardware will minimize the risk from co-located virtual machines.
  • As always, we recommend administrators take steps to prevent and protect against unauthorized access to Pexip Infinity nodes by ensuring only trusted users have credentials for the operating system administration account. SSH may be disabled across the Pexip Infinity platform and may be re-enabled in the rare instances where it is needed. Additionally, ensure that SSH access is restricted to trusted networks using appropriate firewalls.

Pexip strongly recommends that virtual machines and hypervisors from other vendors are updated as soon as is practical.

Resolution

It is important to be aware that any mitigations provided by updates to the Pexip Infinity software alone will only protect against an attacker running arbitrary code locally on a Pexip Infinity node. As discussed above, it is also necessary to ensure that physical hosts and co-located virtual machines are also up to date.

Pexip recommends that customers upgrade to Infinity 18 or later at their earliest convenience.

In normal operation, Pexip Infinity does not run arbitrary code and is thus not directly affected by this issue. Additionally, from Infinity 18, access to the Linux kernel eBPF engine is restricted to privileged users which guards against attempts to exploit this attack vector by running arbitrary eBPF code locally on a Pexip Infinity node.

Further information

Further details of each of the above vulnerabilities can be found via the NIST National Vulnerability Database: https://nvd.nist.gov/

Full technical details about these issues may be found at the following links:

Statements from processor vendors may be found at the following links:

Statements from hypervisor vendors and cloud providers may be found at:

CVE-201x May 2018 (multiple vulnerabilities)

Identified vulnerabilities

CVE-2018-10585: A vulnerability in the XML parsing implementation in Pexip Infinity allows remote attackers to cause a denial of service (excess memory consumption).

  • Impact to Pexip Infinity: Medium
  • Affected versions of Pexip Infinity: All before 18
  • CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
  • Mitigation: None
  • Resolution: Upgrade to Pexip Infinity 18

CVE-2018-10432: A vulnerability in the TLS handshake implementation in the RTMP server component of Pexip Infinity allows remote attackers to cause a denial of service (excess CPU consumption).

  • Impact to Pexip Infinity: Medium
  • Affected versions of Pexip Infinity: 9.x, 10.x, 11.x, 12.x, 13.x, 14.x, 15.x, 16.x, 17.x
  • CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
  • Mitigation: Disable RTMP if possible.
  • Resolution: Upgrade to Pexip Infinity 18

CVE-2017-13194: A vulnerability in the VP8 codec reference implementation (libvpx) related to odd frame width allows remote attackers to cause a denial of service (crash).

  • Impact to Pexip Infinity: Medium
  • Affected versions of Pexip Infinity: All before 18
  • CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
  • Mitigation: None
  • Resolution: Upgrade to Pexip Infinity 18

CVE-2015-5621: A vulnerability in the SNMP parsing implementation in net-snmp allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet.

  • Impact to Pexip Infinity: Medium
  • Affected versions of Pexip Infinity: All before 18
  • CVSS2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  • Mitigation: Disable SNMP or use a firewall to restrict SNMP access to trusted networks.
  • Resolution: Upgrade to Pexip Infinity 18

CVE-2018-1000116: An implementation defect in the UDP protocol handler in net-snmp can result in command execution.

  • Impact to Pexip Infinity: Medium
  • Affected versions of Pexip Infinity: All before 18
  • CVSS2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  • Mitigation: Disable SNMP or use a firewall to restrict SNMP access to trusted networks.
  • Resolution: Upgrade to Pexip Infinity 18

CVE-201x February 2018 (multiple vulnerabilities including Meltdown and Spectre)

Background

Modern microprocessors from multiple vendors (including Intel, AMD, and Arm) are susceptible to a class of vulnerability with which a successful attacker can gain access to information that is stored in memory by applications running on such hardware. All software running on vulnerable hardware may be affected irrespective of the operating system used or whether the software is running in a virtual machine.

Pexip Infinity runs on affected hardware and can thus be susceptible to these attacks. The purpose of this bulletin is to provide some background, possible mitigation factors, and details of resolution.

The vulnerability and attack vectors were discovered by independent security researchers and reported to processor vendors in June 2017. Details of this class of vulnerability and the known attack vectors were made public on 3 January 2018 after a period of embargo while software mitigations were developed. There is no evidence that this vulnerability has been exploited maliciously in the wild.

Technical background

Modern computer processors use a variety of techniques to achieve the maximum possible performance. One such technique is for the processor to predict whether a certain block of code is to be run. Until it knows for certain, the processor may speculatively execute the code -- if the processor predicted correctly, then it may use the results of this speculative execution and continue; if not, it must discard the results and execute the correct instructions, instead.

By way of a trivial example, consider the following:

if a < b:
  result = b - a
else:
  result = a - b

If, when this code is run, the processor predicts that a is less than b, it will speculatively compute result as b - a. If it turns out that a is, indeed, less than b, then the result it has computed speculatively can be used. Otherwise, it needs to calculate a - b, instead.

Ordinarily, the effects of speculatively executing code after a misprediction are not exposed outside the processor. However, in cases where memory reads are performed speculatively, the contents of the memory cache will reflect the speculative execution. This then permits an attacker to use timing differences in memory access to determine internal processor state or the contents of memory. Full technical details may be found at the links provided in the “Further Information” section at the end of this bulletin.

Impact to Pexip Infinity

The vulnerabilities are in the processor hardware and affect all software that runs on a vulnerable processor. The vulnerabilities exist regardless of the operating system in use or whether the software is running on bare metal, in a virtual machine, in a container-based solution, on-premises or in the cloud.

To exploit this issue in a way that may affect Pexip Infinity, an attacker must be able to install and run arbitrary, malicious code on at least one of:

  • a Pexip Infinity Management Node or Conferencing Node
  • a virtual machine on the same physical host
  • the physical host itself

Mitigation

Running arbitrary code on a Pexip Infinity node requires the installation and execution of unauthorized malicious software on the system, requiring local access to the system. The vulnerabilities do not allow an unauthorized entity to gain access to a system.

Administrators can take a number of steps to help mitigate the exposure to this vulnerability:

  • Ensure that access to physical hardware is properly controlled.
  • Ensure that access to virtualization infrastructure, including the console of virtual machines, is properly controlled.
  • As the scope of these vulnerabilities is limited to a physical machine, ensuring that Pexip Infinity is deployed on dedicated hardware will minimize the risk from co-located virtual machines.
  • As always, we recommend administrators take steps to prevent and protect against unauthorized access to Pexip Infinity nodes by ensuring only trusted users have credentials for the operating system administration account. SSH may be disabled across the Pexip Infinity platform and may be re-enabled in the rare instances where it is needed. Additionally, ensure that SSH access is restricted to trusted networks using appropriate firewalls.

Pexip strongly recommends that virtual machines and hypervisors from other vendors are updated as soon as is practical.

Resolution

It is important to be aware that any mitigations provided by updates to the Pexip Infinity software alone will only protect against an attacker running arbitrary code locally on a Pexip Infinity node. As discussed above, it is also necessary to ensure that physical hosts and co-located virtual machines are also up to date.

Pexip recommends that customers upgrade to Infinity 17.2 or later at their earliest convenience.

Software mitigations for Meltdown (CVE-2017-5754) are available in Pexip Infinity 17.2. These mitigations fully protect against attempts to exploit the Meltdown attack vector by running arbitrary code locally on a Pexip Infinity node.

Software mitigations for Spectre variant 1 (CVE-2017-5753) are available in Pexip Infinity 17.2. These mitigations provide protection for the operating system kernel against attempts to exploit this attack vector by running arbitrary eBPF code locally on a Pexip Infinity node. Further enhancements to these mitigations will be included in future releases of Pexip Infinity.

Software mitigations for Spectre variant 2 (CVE-2017-5715) are available in Pexip Infinity 17.2. These mitigations provide protection for the operating system kernel against attempts to exploit this attack vector by running arbitrary code locally on a Pexip Infinity node. Although these mitigations are sufficient for most environments, systems that use Intel processors based on the Skylake microarchitecture (e.g. Xeon Scalable processors) will require additional updates to fully address this issue. Future releases of Pexip Infinity will include further enhancements to the existing mitigations for all environments in addition to the specific improvements for the Skylake microarchitecture.

Performance implications

The software mitigations for these vulnerabilities are known to have a negative impact on performance. Pexip has conducted performance testing in a variety of environments to determine the worst case performance impact on Pexip Infinity. We have focused on Proxying Edge Node resource usage as this workload will be worst affected by the mitigations: it performs relatively little data processing in application space and spends a lot of its time passing data between the application and the operating system kernel.

We have measured the increase in CPU usage for a given call load. However, as CPU usage is not the sole limiting factor in Proxying Edge Node capacity measurement, there is sufficient headroom available to absorb the impact of the mitigations.

In the majority of environments we have tested, CPU usage increases by less than 10% (relative to the pre-mitigation figure) after the mitigations have been applied. By way of illustration, if overall CPU usage was 50% then a ten percent relative increase would result in overall CPU usage rising to 55% after the mitigations have been applied.

However, in environments running on Intel processors where the Process-Context Identifier (PCID) feature is not exposed to virtual machine guest operating systems, we have observed a greater increase in CPU usage. Version 5.x of VMware ESXi, or newer versions of ESXi where the virtual hardware has not been upgraded to at least version 11, have shown an increase in CPU usage of up to 20% after the mitigations have been applied. Microsoft Azure does not currently expose PCID to compute instances, and has shown an increase in CPU usage of up to 30% after the mitigations have been applied.

The availability of PCID may be verified by running the following on each Pexip Infinity node:

$ grep -qw pcid /proc/cpuinfo && echo "pcid available"

If PCID is available, "pcid available" will be printed. If not, no output will be generated. The -w (whole word) option is needed because a plain substring match for pcid would also match the invpcid flag, which is a separate CPUID feature and may be exposed to a guest that does not have PCID itself.
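As an added example (not part of the Pexip bulletin and not Pexip tooling), the following POSIX shell script extends the one-line check above: it matches CPU flags as whole words, so the separate invpcid flag is not mistaken for pcid, and it also reports the kernel's own mitigation status from /sys/devices/system/cpu/vulnerabilities where that directory exists (those files appeared in Linux 4.15; whether a given Pexip Infinity release exposes them is an assumption). The cpuinfo and sysfs contents embedded in the script are constructed sample data so that it runs offline; on a real node, pass /proc/cpuinfo and the real sysfs directory to the same functions.

```shell
#!/bin/sh
# Added example: PCID and mitigation-status check for a Pexip Infinity node.
# A plain `grep -q pcid /proc/cpuinfo` also matches the separate "invpcid" flag,
# so a guest given INVPCID but not PCID would be misreported. Match whole flags.

# Print "yes" if the named CPU flag appears as a whole word in a /proc/cpuinfo-style
# file, else "no". $1 = flag name, $2 = path to the file.
cpu_flag() {
    if grep '^flags' "$2" | head -n1 | cut -d: -f2- | tr ' ' '\n' | grep -qx -- "$1"; then
        echo yes
    else
        echo no
    fi
}

# Summarise PCID support: "pcid", "invpcid-only" (the false positive a substring
# match would produce) or "none". $1 = path to a /proc/cpuinfo-style file.
pcid_status() {
    if [ "$(cpu_flag pcid "$1")" = yes ]; then
        echo pcid
    elif [ "$(cpu_flag invpcid "$1")" = yes ]; then
        echo invpcid-only
    else
        echo none
    fi
}

# Report the kernel's own view of the Meltdown/Spectre mitigations. The sysfs files
# appeared in Linux 4.15 (assumption: the node's kernel is at least that new); on older
# kernels the files are absent and each entry is reported as "unknown".
# $1 = vulnerabilities directory (normally /sys/devices/system/cpu/vulnerabilities).
mitigation_status() {
    for v in meltdown spectre_v1 spectre_v2; do
        if [ -r "$1/$v" ]; then
            printf '%s: %s\n' "$v" "$(cat "$1/$v")"
        else
            printf '%s: unknown\n' "$v"
        fi
    done
}

# --- Constructed sample data so the script runs offline (not captured from a real node) ---
SAMPLE_DIR=$(mktemp -d)
# A guest that exposes both PCID and INVPCID.
cat > "$SAMPLE_DIR/cpuinfo_good" <<'EOF'
processor   : 0
vendor_id   : GenuineIntel
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc pcid sse4_1 sse4_2 x2apic popcnt aes xsave avx hypervisor invpcid
EOF
# A guest that exposes INVPCID only: `grep -q pcid` wrongly reports "pcid available" here.
cat > "$SAMPLE_DIR/cpuinfo_invpcid_only" <<'EOF'
processor   : 0
vendor_id   : GenuineIntel
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc sse4_1 sse4_2 x2apic popcnt aes xsave avx hypervisor invpcid
EOF
# A sysfs directory as a 4.15-era kernel with PTI but without a full retpoline would show it.
mkdir -p "$SAMPLE_DIR/vulnerabilities"
echo "Mitigation: PTI" > "$SAMPLE_DIR/vulnerabilities/meltdown"
echo "Mitigation: __user pointer sanitization" > "$SAMPLE_DIR/vulnerabilities/spectre_v1"
echo "Vulnerable: Minimal generic ASM retpoline" > "$SAMPLE_DIR/vulnerabilities/spectre_v2"

# Stand-alone run: the samples first, then the live node when its files are present.
for f in "$SAMPLE_DIR/cpuinfo_good" "$SAMPLE_DIR/cpuinfo_invpcid_only"; do
    if grep -q pcid "$f"; then naive="pcid available"; else naive="no output"; fi
    printf '%s: pcid_status=%s (substring grep: %s)\n' "$(basename "$f")" "$(pcid_status "$f")" "$naive"
done
mitigation_status "$SAMPLE_DIR/vulnerabilities"
if [ -r /proc/cpuinfo ]; then
    printf 'this node: pcid_status=%s\n' "$(pcid_status /proc/cpuinfo)"
fi
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    mitigation_status /sys/devices/system/cpu/vulnerabilities
fi
```

Running it on the two constructed files shows the difference: the whole-word check reports invpcid-only for the second guest while the substring grep reports "pcid available" for both. A node reporting "none" or "invpcid-only" is one where the larger CPU overhead described above should be expected until the hypervisor exposes PCID.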

Hypervisor-specific guidance

Pexip strongly recommends that hypervisors from other vendors are updated as soon as is practical. The “Further Information” section at the end of this bulletin contains links to statements published by vendors of each of the hypervisors supported by Pexip Infinity. Customers should follow hypervisor vendor guidance when evaluating hypervisor updates. This section aims to highlight hypervisor-specific information that is relevant to Pexip Infinity.

Microsoft Hyper-V

For optimal performance when running Pexip Infinity 17.2 or later, the PCID feature of modern CPUs must be exposed to the Pexip Infinity node by the hypervisor. Pexip recommends that the latest Windows updates are applied to Hyper-V host servers. Once applied, Pexip recommends cold booting all Pexip Infinity virtual machines: use the Hyper-V Manager to power the machines off and on again.

KVM

For optimal performance when running Pexip Infinity 17.2 or later, the PCID feature of modern CPUs must be exposed to the Pexip Infinity node by the hypervisor. Where possible, Pexip recommends allowing KVM to expose the full features of the underlying CPUs to virtual machines. This will already be the case for deployments which used the virt-install command line as documented in the Pexip Infinity Administrator Guide. This may be checked by using Virtual Machine Manager to view the CPU configuration settings of each Pexip Infinity node.

VMware ESXi

For optimal performance when running Pexip Infinity 17.2 or later, the PCID feature of modern CPUs must be exposed to the Pexip Infinity node by the hypervisor. In VMware environments, this requires at least ESXi 6.0 and the virtual hardware version of Pexip Infinity nodes must be at least version 11.

Instructions for upgrading the hardware version of virtual machines running on ESXi may be found at https://kb.vmware.com/s/article/1010675.

Xen

For optimal performance when running Pexip Infinity 17.2 or later, the PCID feature of modern CPUs must be exposed to the Pexip Infinity node by the hypervisor. Where possible, Pexip recommends allowing Xen to expose the full features of the underlying CPUs to virtual machines. This will already be the case for deployments which used the virt-install command line as documented in the Pexip Infinity Administrator Guide. This may be checked by using Virtual Machine Manager to view the CPU configuration settings of each Pexip Infinity node.

Further information

Full technical details about these issues may be found at the following links:

Statements from processor vendors may be found at the following links:

Statements from hypervisor vendors and cloud providers may be found at:

CVE-201x December 2017 (multiple vulnerabilities)

Identified Vulnerabilities

CVE-2017-17477: A failure to correctly escape stored data in various views of the Pexip Infinity management web interface may allow an unauthenticated remote attacker to perform a stored cross-site scripting attack against a management session.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 10.x, 11.x, 12.x, 13, 14.x, 15.x, 16.x

CVSS2 base score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)

Mitigation: If running Pexip Infinity 13 or later, ensure a modern browser which obeys the Content-Security-Policy HTTP header is used to administer the Infinity platform. For versions of Pexip Infinity before 13, there is no mitigation.

Resolution: Upgrade to Pexip Infinity 17.

CVE-2017-3735: While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 17

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Mitigation: Ensure certificates uploaded to Pexip Infinity do not have a malformed IPAddressFamily extension.

Resolution: Upgrade to Pexip Infinity 17.

CVE-2017-3736: There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 17

CVSS2 base score: 5.4 (AV:N/AC:H/Au:N/C:C/I:N/A:N)

Mitigation: None.

Resolution: Upgrade to Pexip Infinity 17.

CVE-2017-7668: The HTTP request parser in Apache httpd could search past the end of its input string when parsing request headers. A remote attacker could exploit this flaw and cause httpd to crash when processing a crafted HTTP request.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: 15, 15.1

CVSS2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Mitigation: None.

Resolution: Upgrade to Pexip Infinity 16.

CVE-2017-6551 April 2017

Identified Vulnerabilities

CVE-2017-6551: An input validation failure in multiple components of the Pexip Infinity solution may allow an unauthenticated remote attacker to cause a service restart or execute arbitrary code as an unprivileged user on Pexip Infinity Conferencing Nodes.

Impact to Pexip Infinity: Critical

Affected versions of Pexip Infinity: All before 14.2

CVSS2 base score: 9.0 (AV:N/AC:L/Au:N/C:P/I:P/A:C)

Mitigation: This vulnerability may be mitigated by performing the following configuration changes:

  • Ensure all Virtual Meeting Rooms and Virtual Auditoriums have a secure host pin configured.
  • Disable support for the H.323 protocol
  • Disable support for chat

It is important to note that the above mitigation is a partial solution only. This vulnerability cannot be fully mitigated by configuration changes alone and requires a software upgrade for full resolution.

Resolution: This issue is resolved in Pexip Infinity 14.2. Customers should upgrade to Pexip Infinity 14.2 or later.

Credits: This issue was detected during an internal penetration test exercise performed by Pexip R&D.

CVE-201x October 2016 (multiple vulnerabilities)

Identified Vulnerabilities

CVE-2016-0758: The ASN.1 DER decoder in the Linux kernel allows local users to crash the system or potentially gain privileges via crafted ASN.1 data.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: 4, 5, 6, 7, 8, 8.1, 9, 9.1, 10, 10.1, 10.2, 11, 11.1, 12, 12.1, 12.2

CVSS2 base score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Mitigation: Pexip Infinity does not use this functionality in normal operation. Exploitation of this issue requires the execution of arbitrary code on the system, which is not a permitted configuration of Pexip Infinity in normal operation. Ensure that untrusted code is not run on the system.

Resolution: Upgrade to Pexip Infinity 13

CVE-2016-5696: The TCP implementation in the Linux kernel does not properly determine the rate of challenge ACK segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: 4, 5, 6, 7, 8, 8.1, 9, 9.1, 10, 10.1, 10.2, 11, 11.1, 12, 12.1, 12.2

CVSS2 base score: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)

Mitigation: There is no means to mitigate this issue within Pexip Infinity itself as the vulnerability lies in a critical system component. TLS connections cannot be hijacked using this mechanism (though they will still be susceptible to connection termination). Thus, to minimize the impact of this issue, TLS should be used for all connections with external devices.

Resolution: Upgrade to Pexip Infinity 13

CVE-2016-6210: Authentication of users by the OpenSSH server takes a different amount of time depending on whether the user exists or not, which makes it possible for remote attackers to enumerate valid usernames.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 13

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Mitigation: SSH may be disabled across the Pexip Infinity platform and may be re-enabled in the rare instances where it is needed. Additionally, ensure that SSH access is restricted to trusted networks using appropriate firewalls.

Resolution: Upgrade to Pexip Infinity 13

CVE-2016-2179: The DTLS implementation in OpenSSL does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 13

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: There is no means to mitigate this issue within Pexip Infinity itself as the vulnerability lies in a critical system component. Deployments which do not make use of WebRTC may choose to disable the WebRTC protocol support in Global Settings.

Resolution: Upgrade to Pexip Infinity 13

CVE-2016-2181: The Anti-Replay feature in the DTLS implementation in OpenSSL mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 13

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: There is no means to mitigate this issue within Pexip Infinity itself as the vulnerability lies in a critical system component. Deployments which do not make use of WebRTC may choose to disable the WebRTC protocol support in Global Settings.

Resolution: Upgrade to Pexip Infinity 13

CVE-2016-2183: The DES and Triple DES ciphers, as used in the TLS protocol, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 13

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Mitigation: The DES cipher is not available for use in Pexip Infinity. TLS connections to Pexip Infinity will typically not use the Triple DES cipher and will thus not be vulnerable to this issue.

Resolution: Upgrade to Pexip Infinity 13

CVE-2016-6304: The processing of OCSP Status Request extensions during TLS session renegotiation in OpenSSL allows remote attackers to cause a denial of service (memory consumption).

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 6, 7, 8, 8.1, 9, 9.1, 10, 10.1, 10.2, 11, 11.1, 12, 12.1, 12.2

CVSS2 base score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Mitigation: There is no means to mitigate this issue within Pexip Infinity itself as the vulnerability lies in a critical system component.

Resolution: Upgrade to Pexip Infinity 13

CVE-201x February 2016 (multiple vulnerabilities)

Identified Vulnerabilities

CVE-2015-0860: A logic error in the dpkg-deb component in Debian dpkg 1.16.x before 1.16.17 allows remote attackers to execute arbitrary code via the archive magic version number in an "old-style" Debian binary package, which triggers a stack-based buffer overflow.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 11.1

CVSS2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Mitigation: Pexip Infinity does not use (or support the use of) arbitrary Debian package repositories. Pexip Infinity ensures the authenticity of packages provided to the upgrade process and will reject an upgrade if the uploaded tarball is not trusted. Thus, in the Pexip Infinity environment, local access to the system is required to exploit this issue. Ensure that untrusted users do not have command line access to Pexip Infinity.

Resolution: Upgrade to Pexip Infinity 11.1

CVE-2015-7547: A stack-based buffer overflow in the implementation of the getaddrinfo function in glibc allows unauthenticated remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code with the privileges of the process using the library.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 11.1

CVSS2 base score: 6.1 (AV:N/AC:H/Au:N/C:N/I:C/A:P)

Mitigation: There is no means to mitigate this issue within Pexip Infinity itself as the vulnerability lies in a critical system component. This issue may be mitigated by utilizing an external firewall to drop UDP DNS packets larger than 512 octets and TCP DNS packets larger than 1024 octets.

Resolution: Upgrade to Pexip Infinity 11.1

CVE-2015-8370: Multiple logic errors in the Grub2 bootloader (versions 1.98 through 2.02) allow physically proximate attackers to bypass authentication, obtain sensitive information, or cause a denial of service (disk corruption) by typing backspace characters when prompted for credentials.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 11.1

CVSS2 base score: 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)

Mitigation: Exploitation of this issue requires access to the system console during boot. Ensure that such access is restricted to authorized users using the tools provided by the hypervisor vendor (e.g. for VMware, ensure that access to a VM's console is restricted to authenticated users with appropriate permissions).

Resolution: Upgrade to Pexip Infinity 11.1

CVE-2016-1907: A logic error in OpenSSH before 7.1p2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted network traffic.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 11.1

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: SSH access is not required by Pexip Infinity in normal operation. It is available, however, to permit system administrators to perform maintenance or diagnostic tasks, under guidance from the Pexip support organization. This issue may be mitigated by disabling SSH in the Management Web Interface.

Resolution: Upgrade to Pexip Infinity 11.1

CVE-2015-3194: An input validation error in OpenSSL 1.0.1 before 1.0.1q allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 11.1

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: This issue affects TLS certificate verification and may be triggered by use of a crafted certificate by a remote attacker. Pexip Infinity uses TLS in the following scenarios:

  • Incoming HTTPS connections to the Management Web Interface
  • Incoming HTTPS connections from WebRTC clients
  • Outgoing HTTPS connections to policy servers
  • Outgoing LDAPS connections to Active Directory or other LDAP servers
  • Incoming SIPS connections from SIP clients or infrastructure devices
  • Outgoing SIPS connections to SIP clients or infrastructure devices
  • Incoming RTMPS connections from Flash clients
  • Outgoing RTMPS connections to streaming or recording devices

All outgoing connections may be vulnerable to this issue.

Incoming HTTPS connections to the Management Web Interface may be affected if certificate-based authentication is enabled in configuration.

Incoming SIPS connections may be affected if SIP TLS certificate verification mode is enabled in configuration.

Incoming HTTPS connections from WebRTC clients and incoming RTMPS connections are not affected, as these do not request or verify certificates presented by the clients.

There is no means of mitigating this issue within Pexip Infinity as the vulnerability lies within a critical system component. Where possible, ensure that outbound connections from Infinity are made to trusted devices (all of which may be configured through the Management Web Interface) and ensure access to the management web interface is restricted to trusted networks using an external firewall.

Resolution: Upgrade to Pexip Infinity 11.1

CVE-2015-3197: OpenSSL 1.0.1 before 1.0.1r does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic.

Impact to Pexip Infinity: None

Affected versions of Pexip Infinity: None

CVSS2 base score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Mitigation: No released version of Pexip Infinity has supported SSLv2, as it has been explicitly disabled in build-time configuration. Thus, Pexip Infinity has never been affected by this issue.

Resolution: N/A

CVE-201x February 2016 (multiple vulnerabilities)

Identified Vulnerabilities

CVE-2015-7613: A race condition in the IPC object implementation in the Linux kernel through 4.2.3 allows local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 11

CVSS2 base score: 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C)

Mitigation: Exploitation of this issue requires the execution of arbitrary code on the system, which is not a permitted configuration of Pexip Infinity in normal operation. Ensure that untrusted code is not run on the system.

Resolution: Upgrade to Pexip Infinity 11

CVE-2015-7703: If ntpd is configured to allow for remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password, it is possible for an attacker to use the "pidfile" or "driftfile" directives to potentially overwrite other files.

Impact to Pexip Infinity: None

Affected versions of Pexip Infinity: None

CVSS2 base score: 6.2 (AV:N/AC:H/Au:M/C:N/I:C/A:C)

Mitigation: Pexip Infinity does not configure ntpd to allow remote configuration, and is thus not affected by this issue in normal operation.

Resolution: Upgrade to Pexip Infinity 11

CVE-2015-7871: Crypto-NAK packets can be used to cause ntpd to accept time from unauthenticated ephemeral symmetric peers by bypassing the authentication required to mobilize peer associations.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 11

CVSS2 base score: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 11

CVE-201x August 2015 (multiple vulnerabilities)

Identified Vulnerabilities

CVE-2015-3183: The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 10.1

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Mitigation: Exploitation of this issue requires that Pexip Infinity is fronted by an HTTP proxy and for a remote attacker to craft a chunked HTTP request which would be interpreted differently by the proxy and Apache, potentially allowing requests to be smuggled through the proxy.

Resolution: Upgrade to Pexip Infinity 10.1

CVE-2015-1283: Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0 allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 10.1

CVSS2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 10.1

CVE-2015-2059: The stringprep_utf8_to_ucs4 function in libidn before 1.31 allows context-dependent attackers to read system memory and possibly have other unspecified impact via invalid UTF-8 characters in a string, which triggers an out-of-bounds read.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 10.1

CVSS2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Mitigation: Pexip Infinity uses this functionality when processing incident reports. Do not use invalid UTF-8 if using IDN in the configured incident report URL.

Resolution: Upgrade to Pexip Infinity 10.1

CVE-2015-1819: The xmlreader in libxml allows remote attackers to cause a denial of service (memory consumption) via crafted XML data, related to an XML Entity Expansion (XEE) attack.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 10.1

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 10.1

CVE-2015-1805: The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in the Linux kernel before 3.16 do not properly consider the side effects of failed copy_to_user_inatomic and copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an "I/O vector array overrun."

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 10.1

CVSS2 base score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Mitigation: Exploitation of this issue requires local access and the execution of arbitrary code on the system, which is not a permitted configuration of Pexip Infinity in normal operation. Ensure that untrusted code is not run on the system.

Resolution: Upgrade to Pexip Infinity 10.1

CVE-2015-3290: The NMI handler and espfix64 functionality in the Linux kernel before 4.2 do not correctly handle the interaction between nested NMIs which allows local users to possibly gain privileges via a crafted application.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 10.1

CVSS2 base score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Mitigation: Exploitation of this issue requires local access and the execution of arbitrary code on the system, which is not a permitted configuration of Pexip Infinity in normal operation. Ensure that untrusted code is not run on the system.

Resolution: Upgrade to Pexip Infinity 10.1

CVE-2015-5364: The UDP packet handler in the Linux kernel before 4.1 did not correctly handle packets with incorrect checksum values. A remote attacker could exploit this flaw to cause a denial of service (infinite loop).

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 10.1

CVSS2 base score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 10.1

CVE-2015-5366: A related but distinct flaw in the UDP packet handler in the Linux kernel before 4.1: on receiving a packet with an incorrect checksum, the receive path returned -EAGAIN inappropriately. A remote attacker could exploit this flaw to cause a denial of service (read outage for applications using edge-triggered epoll on the affected socket).

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 10.1

CVSS2 base score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 10.1

CVE-2015-6563: The PAM privilege separation implementation in portable OpenSSH before 7.0 does not guard against inconsistent use of the PAM authentication protocol. An authenticated remote attacker, who had previously achieved remote code execution capabilities in the unprivileged pre-authentication sandbox, could exploit this flaw to gain privileges.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 10.1

CVSS2 base score: 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C)

Mitigation: Exploitation of this issue requires valid user credentials on the target system and also requires the attacker to have exploited the pre-authentication sandbox to gain remote code execution capabilities. SSH may be disabled across the Pexip Infinity platform and may be re-enabled in the rare instances where it is needed. Additionally, ensure that SSH access is restricted to trusted networks using appropriate firewalls.

Resolution: Upgrade to Pexip Infinity 10.1

CVE-201x August 2015 (multiple vulnerabilities)

Identified Vulnerabilities

CVE-2015-3144: The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by "http://:80" and ":80."

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 10

CVSS2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Mitigation: Pexip Infinity uses this functionality when processing incident reports. Ensure that the configured incident report URL contains a valid hostname.

Resolution: Upgrade to Pexip Infinity 10

CVE-2015-1781: A buffer overflow in the gethostbyname_r function and related NSS functions in glibc may be triggered when the caller supplies a misaligned buffer, allowing a denial of service (crash) or possibly other unspecified impact.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 10

CVSS2 base score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)

Mitigation: In normal operation, Pexip Infinity will not invoke this functionality with unaligned buffers.

Resolution: Upgrade to Pexip Infinity 10

CVE-2014-7822: The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call, as demonstrated by use of a file descriptor associated with an ext4 filesystem.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 10

CVSS2 base score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Mitigation: In normal operation, Pexip Infinity will not cause this functionality to be used.

Resolution: Upgrade to Pexip Infinity 10

CVE-2014-8160: net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allows remote attackers to bypass intended access restrictions via packets with disallowed port numbers.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 10

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Mitigation: In normal operation, Pexip Infinity does not create iptables rules which cause incorrect conntrack entries to be created.

Resolution: Upgrade to Pexip Infinity 10

CVE-2015-3331: The driver_rfc4106_decrypt function in arch/x86/crypto/aesni-intel_glue.c in the Linux kernel before 3.19.3 does not properly determine the memory locations used for encrypted data, which allows context-dependent attackers to cause a denial of service (buffer overflow and system crash) or possibly execute arbitrary code by triggering a crypto API call, as demonstrated by use of a libkcapi test program with an AF_ALG(aead) socket.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 10

CVSS2 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Mitigation: Although Pexip Infinity will not use the kernel crypto API in normal usage, there is no further mitigation for this issue.

Resolution: Upgrade to Pexip Infinity 10

CVE-2015-3339: Race condition in the prepare_binprm function in fs/exec.c in the Linux kernel before 3.19.6 allows local users to gain privileges by executing a setuid program at a time instant when a chown to root is in progress, and the ownership is changed but the setuid bit is not yet stripped.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 10

CVSS2 base score: 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C)

Mitigation: In normal operation, Pexip Infinity does not execute setuid binaries or expose them to the network.

Resolution: Upgrade to Pexip Infinity 10

CVE-2015-1791: Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 10

CVSS2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Mitigation: None.

Resolution: Upgrade to Pexip Infinity 10

CVE-2015-1793: The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 10

CVSS2 base score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)

Mitigation: None.

Resolution: Upgrade to Pexip Infinity 10

CVE-2015-4000: The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 10

CVSS2 base score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Mitigation: Pexip Infinity does not enable DHE_EXPORT ciphersuites. Ensure that any devices Pexip Infinity connects out to over TLS (e.g. SIP proxies) also have DHE_EXPORT ciphersuites disabled.

Resolution: Upgrade to Pexip Infinity 10

CVE-2015-5143: The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 10

CVSS2 base score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Mitigation: In normal deployments, Pexip Infinity does not restrict the number of active management sessions and the session store is effectively unlimited. In deployments where the number of active management sessions has been restricted, this issue has no mitigation. In either case, access to the Pexip Infinity management interface should be restricted to trusted networks using an external firewall or other network infrastructure device.

Resolution: Upgrade to Pexip Infinity 10

CVE-2015-4719: A defect in the Pexip Infinity client API authentication mechanism allows remote attackers to gain privileges by submitting a crafted request.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 10

CVSS2 base score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)

Mitigation: In deployments where it is practical to do so, disable the Pexip Infinity client API. Where this is not a practical option, this issue has no mitigation.

Resolution: Upgrade to Pexip Infinity 10

CVE-201x April 2015 (multiple vulnerabilities)

Identified Vulnerabilities

CVE-2013-7423: The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2014-9402: The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being processed.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2015-1472: The wscanf implementation in GNU C Library (aka glibc) before 2.21 allocates too little memory, which allows remote attackers to cause a denial of service (application crash).

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2015-1473: The wscanf implementation in GNU C Library (aka glibc) before 2.21 fails to correctly perform a bounds check before using alloca to allocate memory on the process stack, which may allow remote attackers to cause a denial of service (application crash).

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2014-3710: The donote function in readelf.c in file through 5.20, as used in the Fileinfo component in PHP 5.4.34, does not ensure that sufficient note headers are present, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: This functionality is not exposed to the network by Pexip Infinity.

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2014-8116: The ELF parser (readelf.c) in file before 5.21 allows remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: This functionality is not exposed to the network by Pexip Infinity.

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2014-8117: softmagic.c in file before 5.21 does not properly limit recursion, which allows remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: This functionality is not exposed to the network by Pexip Infinity.

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2014-9620: The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: This functionality is not exposed to the network by Pexip Infinity.

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2014-9652: softmagic.c in file before 5.22 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via unspecified vectors.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: This functionality is not exposed to the network by Pexip Infinity.

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2014-9653: The ELF parser in file before 5.22 allows remote attackers to cause a denial of service (application crash) via a malformed ELF file.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: This functionality is not exposed to the network by Pexip Infinity.

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2014-9529: Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2 allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Mitigation: Pexip Infinity does not use the kernel keys subsystem during normal operation. Exploitation of this issue requires installation and execution of untrusted software on the system.

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2015-1593: The stack randomization feature in the Linux kernel before 3.19.1 on 64-bit platforms uses incorrect data types for the results of bitwise left-shift operations, which makes it easier for attackers to bypass the ASLR protection mechanism by predicting the address of the top of the stack, related to the randomize_stack_top function in fs/binfmt_elf.c and the stack_maxrandom_size function in arch/x86/mm/mmap.c.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2015-0209: Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2015-0286: The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly perform boolean-type comparisons, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2015-0287: The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: This issue is only exploitable via direct use of this functionality; indirect use (such as when processing TLS certificates in both client and server mode) is safe. Pexip Infinity does not directly use this functionality during normal operation.

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2015-0288: The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid certificate key.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2015-0289: The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: Pexip Infinity does not use PKCS#7 during normal operation.

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2015-0293: The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message.

Impact to Pexip Infinity: None

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: Pexip Infinity does not support SSLv2, thus is not affected by this issue.

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2015-2296: The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2015-0261: Typecasting or signedness errors in the mobility_opt_print function in tcpdump before 4.7.2 allows remote attackers to cause a denial of service (application crash) via crafted IPv6 packets.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: Pexip Infinity does not utilize tcpdump during normal operation. The tool is provided as a convenience for system administration purposes and must be run manually.

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2015-2153: Buffer overflow in the rpki_rtr_pdu_print function in tcpdump before 4.7.2 allows remote attackers to cause a denial of service (application crash) via crafted TCP packets.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: Pexip Infinity does not utilize tcpdump during normal operation. The tool is provided as a convenience for system administration purposes and must be run manually.

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2015-2154: Missing sanity checks in the osi_print_cksum function in tcpdump before 4.7.2 allows remote attackers to cause a denial of service (application crash) via crafted CLNS frames.

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: Pexip Infinity does not utilize tcpdump during normal operation. The tool is provided as a convenience for system administration purposes and must be run manually.

Resolution: Upgrade to Pexip Infinity 9.0

CVE-2015-2155: Missing sanity checks in handling ForCES traffic in tcpdump before 4.7.2 allows remote attackers to cause a denial of service (application crash).

Impact to Pexip Infinity: Low

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: Pexip Infinity does not utilize tcpdump during normal operation. The tool is provided as a convenience for system administration purposes and must be run manually.

Resolution: Upgrade to Pexip Infinity 9.0

CVE-id pending: The VMware vCenter and ESXi integration in Pexip Infinity before 9.0 does not verify the authenticity of TLS certificates during Conferencing Node deployment, which may expose sensitive information to a remote attacker with privileged network access via a man-in-the-middle attack on the deployment process.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Mitigation: Pexip Infinity provides a variety of mechanisms which permit the creation and deployment of Conferencing Nodes. The automatic deployment process is the only one of these which interacts with external systems. This issue may be avoided by choosing the relevant alternative deployment process (“Manual (ESXi 5.x)” or “Manual (ESXi 4.1)”) and transferring the freshly created Conferencing Node OVA to the virtualization infrastructure manually.

Resolution: Upgrade to Pexip Infinity 9.0

CVE-id pending: The message parser in NET-SNMP does not clean up correctly when encountering an invalid varbind, which allows a remote attacker to cause a denial of service (application crash) via crafted SNMP messages.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 9.0

CVSS2 base score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Mitigation: Pexip Infinity does not enable SNMP by default. If enabled, access to the SNMP functionality should be restricted to trusted networks by a network-level firewall.

Resolution: Upgrade to Pexip Infinity 9.0

CVE-201x January 2015 (multiple vulnerabilities)

Identified Vulnerabilities

CVE-2013-5704: The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 8.1

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Mitigation: Pexip Infinity does not use the "RequestHeader unset" directive of mod_headers. Conferencing Nodes from Pexip Infinity 8 onwards serve static content and are unaffected by this issue. Management Nodes running any version of Pexip Infinity and Conferencing Nodes from versions earlier than Pexip Infinity 8 serve dynamic content using a range of technologies. No known exploit using this vector exists for these systems. As general good practice, the web interface of Pexip Infinity Management Nodes should be made accessible only from trusted networks through use of appropriate firewalls.

Resolution: Upgrade to Pexip Infinity 8.1

CVE-2015-0235: GNU C Library (aka glibc) before 2.18 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and crash) via crafted input to the gethostbyname family of functions.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 8.1

CVSS2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Mitigation: None.

Resolution: Upgrade to Pexip Infinity 8.1

CVE-2014-9447: Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 8.1

CVSS2 base score: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)

Mitigation: None, although Pexip Infinity does not directly expose this functionality to the network.

Resolution: Upgrade to Pexip Infinity 8.1

CVE-2011-4355: GNU Project Debugger (GDB) before 7.5, when .debug_gdb_scripts is defined, automatically loads certain files from the current working directory, which allows local users to gain privileges via crafted files such as Python scripts.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 8.1

CVSS2 base score: 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)

Mitigation: Pexip Infinity does not use binaries which contain a .debug_gdb_scripts section. Exploitation of this vulnerability requires an attacker to install and execute unauthorized software on the system.

Resolution: Upgrade to Pexip Infinity 8.1

CVE-2014-3248: Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 8.1

CVSS2 base score: 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C)

Mitigation: Exploitation of this vulnerability requires an attacker to install unauthorized files on the system and cause a privileged user to execute a specific command.

Resolution: Upgrade to Pexip Infinity 8.1

CVE-2014-3631: The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3 does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via multiple "keyctl newring" operations followed by a "keyctl timeout" operation.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 8.1

CVSS2 base score: 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C)

Mitigation: Pexip Infinity does not use the Linux kernel keys subsystem and does not contain the associated userland utilities. Exploitation of this vulnerability requires an attacker to install and execute unauthorized software on the system.

Resolution: Upgrade to Pexip Infinity 8.1

CVE-2014-9322: arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 8.1

CVSS2 base score: 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C)

Mitigation: Exploitation of this vulnerability requires an attacker to install and execute unauthorized software on the system.

Resolution: Upgrade to Pexip Infinity 8.1

CVE-2014-3570: The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 8.1

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Mitigation: None.

Resolution: Upgrade to Pexip Infinity 8.1

CVE-2014-3571: OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 8.1

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: None.

Resolution: Upgrade to Pexip Infinity 8.1

CVE-2014-3572: The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 8.1

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Mitigation: None.

Resolution: Upgrade to Pexip Infinity 8.1

CVE-2014-8275: OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 8.1

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Mitigation: Pexip Infinity does not blacklist certificates using their fingerprints.

Resolution: Upgrade to Pexip Infinity 8.1

CVE-2015-0204: The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 8.1

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Mitigation: None.

Resolution: Upgrade to Pexip Infinity 8.1

CVE-2015-0205: The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 8.1

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Mitigation: None.

Resolution: Upgrade to Pexip Infinity 8.1

CVE-2015-0206: Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 8.1

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: None.

Resolution: Upgrade to Pexip Infinity 8.1

CVE-2014-9221: strongSwan 4.5.x through 5.2.x before 5.2.1 allows remote attackers to cause a denial of service (invalid pointer dereference) via a crafted IKEv2 Key Exchange (KE) message with Diffie-Hellman (DH) group 1025.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 8.1

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: None.

Resolution: Upgrade to Pexip Infinity 8.1

CVE-2014-8767: Integer underflow in the olsr_print function in tcpdump 3.9.6 through 4.6.2, when in verbose mode, allows remote attackers to cause a denial of service (crash) via a crafted length value in an OLSR frame.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 8.1

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: Pexip Infinity does not utilize tcpdump during normal operation. The tool is provided as a convenience for system administration purposes and must be run manually.

Resolution: Upgrade to Pexip Infinity 8.1

CVE-2014-8769: tcpdump 3.8 through 4.6.2 might allow remote attackers to obtain sensitive information from memory or cause a denial of service (packet loss or segmentation fault) via a crafted Ad hoc On-Demand Distance Vector (AODV) packet, which triggers an out-of-bounds memory access.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 8.1

CVSS2 base score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)

Mitigation: Pexip Infinity does not utilize tcpdump during normal operation. The tool is provided as a convenience for system administration purposes and must be run manually.

Resolution: Upgrade to Pexip Infinity 8.1

CVE-2014-9140: Buffer overflow in the ppp_hdlc function in print-ppp.c in tcpdump 4.6.2 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PPP packet.

Impact to Pexip Infinity: Medium

Affected versions of Pexip Infinity: All before 8.1

CVSS2 base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Mitigation: Pexip Infinity does not utilize tcpdump during normal operation. The tool is provided as a convenience for system administration purposes and must be run manually.

Resolution: Upgrade to Pexip Infinity 8.1

CVE-2014-8779 January 2015

Identified Vulnerabilities

CVE-2014-8779: The operating system used by Pexip Infinity does not create unique SSH host keys on deployment of new Management and Conferencing Nodes, using fixed host keys instead. Host keys are used to verify the identity of the remote host when connecting to it over SSH. These keys are contained in the publicly available software image. An attacker with privileged network access may make use of these keys to spoof the identity of a Pexip Infinity installation or conduct man-in-the-middle attacks on administrative SSH sessions. This may permit the attacker access to credentials used to authenticate sessions over SSH and provide shell access to the affected systems.

Impact to Pexip Infinity: High.

Successful exploitation requires an active man-in-the-middle attack, which requires privileged network access to perform. However, if successfully exploited, OS-level login credentials may be exposed to an unauthorized third party and may be used subsequently to perform further authenticated operations.

SSH support is not required for normal operation of the Pexip Infinity platform and thus should be disabled unless needed, or rendered inaccessible from unauthorized networks through the use of appropriate firewalls. Deployments where the default SSH host keys have already been replaced by the administrator are unaffected.

Affected versions of Pexip Infinity: 1, 2, 3, 4, 5, 6, 7.

CVSS2 base score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)

Mitigation: This vulnerability can be immediately mitigated without experiencing any down time to the platform or user experience. A privileged administrator must perform either or both of the following actions:

  • Log in to the console of each Pexip Infinity node and run the following commands:

    sudo rm -f /etc/ssh/ssh_host_*_key*
    sudo dpkg-reconfigure openssh-server

  • Disable SSH access by modifying the system global configuration in the management web interface.

It is important to note that replacing any keys will raise a warning for all clients who have previously connected and cached the keys used on their local host. This warning is expected as the result of replacing the previously used keys and may be safely ignored if the reported key fingerprint matches that of the new host keys.

Resolution: This issue is resolved in Pexip Infinity version 8. Fresh installations will generate unique SSH host keys on deployment. The vulnerable host keys contained in previous release versions of Pexip Infinity will be automatically replaced during the upgrade process.

Please contact your Pexip authorized support representative for more information.
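A defender's fleet check for this issue, added here as an example and not part of Pexip's bulletin or software: it reads ssh-keyscan style lines (a constructed sample is embedded), computes the SHA256 fingerprint that OpenSSH displays, and reports hosts that share a host key or that still present a fingerprint recorded before the keys were regenerated. Hostnames and key blobs are constructed placeholders, not real keys.

```python
"""Fleet check for shared SSH host keys.

Added example for CVE-2014-8779 (not Pexip's code): nodes that shipped with
the fixed host keys all present the same public key. Feeding the output of
`ssh-keyscan` for every node (one "host keytype base64key" line per key,
the known_hosts layout) into this check finds hosts that share a key, and
confirms after regeneration that no host still presents a retired key.
"""
import base64
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Entry = Tuple[str, str, str]  # (host, key type, SHA256 fingerprint)


def _blob(tag: bytes) -> str:
    """Constructed placeholder key blob: base64 of a label, not a real key."""
    return base64.b64encode(b"constructed-ssh-key-" + tag).decode()


# Constructed sample in ssh-keyscan / known_hosts layout. node-a and node-c
# present the same RSA key, which is exactly the defect the bulletin describes.
_KEY_A = _blob(b"A")
_KEY_B = _blob(b"B")
_KEY_ED = _blob(b"ed25519")
SAMPLE_KEYSCAN = f"""\
# node-a.example.internal:22 SSH-2.0-OpenSSH
node-a.example.internal ssh-rsa {_KEY_A}
node-a.example.internal ssh-ed25519 {_KEY_ED}
node-b.example.internal ssh-rsa {_KEY_B}
node-c.example.internal ssh-rsa {_KEY_A}
"""


def fingerprint(b64_key: str) -> str:
    """SHA256 fingerprint of a base64 public key, in OpenSSH's display form.

    OpenSSH hashes the decoded key blob and shows the digest as unpadded
    base64 with a "SHA256:" prefix, so this matches what `ssh-keygen -lf`
    and the client's host-key warning print.
    """
    raw = base64.b64decode(b64_key + "=" * (-len(b64_key) % 4))
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str) -> List[Entry]:
    """Turn ssh-keyscan output into (host, key type, fingerprint) entries."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # ssh-keyscan banner comments
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, key_type, b64_key = parts[0], parts[1], parts[2]
        entries.append((host, key_type, fingerprint(b64_key)))
    return entries


def shared_host_keys(entries: Iterable[Entry]) -> Dict[str, List[str]]:
    """Fingerprints presented by more than one host, with the hosts sorted."""
    hosts_by_fp: Dict[str, Set[str]] = defaultdict(set)
    for host, _key_type, fp in entries:
        hosts_by_fp[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


def hosts_with_retired_keys(entries: Iterable[Entry],
                            retired: Set[str]) -> List[Tuple[str, str]]:
    """Hosts still presenting a fingerprint that should have been replaced.

    `retired` holds fingerprints recorded before the keys were regenerated;
    after running the bulletin's mitigation this list should be empty.
    """
    return sorted((host, key_type) for host, key_type, fp in entries if fp in retired)


if __name__ == "__main__":
    scanned = parse_keyscan(SAMPLE_KEYSCAN)
    for fp, hosts in shared_host_keys(scanned).items():
        print(f"shared host key {fp} on: {', '.join(hosts)}")
    old = {fingerprint(_KEY_A)}
    print("still on retired key:", hosts_with_retired_keys(scanned, old))
```

Run it against real `ssh-keyscan -t rsa,ed25519 <node>...` output collected from every node, before and after the key regeneration, and the retired-key list should go from the full fleet to empty.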

CVE-2014-0160 April 2014 (Heartbleed)

Background

A serious security flaw has been identified in the OpenSSL cryptographic libraries, with details being first published on 7 April 2014, classified under CVE-2014-0160 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160).

If exploited, this vulnerability allows an attacker to read the memory of the affected system through repeated “heartbeat” requests, disclosing private keys, user data, and other potentially sensitive information. More details of this vulnerability can be found on the Heartbleed site: http://heartbleed.com.

Resolution

Upon discovery of this vulnerability, we immediately assessed the nature of the attack and determined that our cryptographic libraries are susceptible to these attacks. The issue was immediately mitigated through upgrading our OpenSSL libraries. These upgrades will be included in the v4 software release, planned for public consumption on or before 11 April 2014.

We highly recommend that all customers upgrade to the v4 release. This will resolve the open issue, so that future attacks will be prevented.

Additional Actions

Changing passwords

To further protect your deployment, Pexip highly recommends that all passwords – both for the affected system and those in remote contact with the affected system – are changed immediately after upgrading to v4 in order to prevent any compromised information from creating future problems.

Revoking and re-installing custom certificates

Any custom certificates that have been deployed should be revoked and a new certificate installed, to ensure complete protection.

To upload new private keys and certificates, on the Pexip Infinity web UI, navigate to Platform > TLS Certificates. It is possible that private keys have been compromised by this attack. If you consider this a realistic risk, then:

  • If you have proper certificates from a recognized CA, you can get new ones. This may or may not involve a charge depending on the CA.
  • If you are using self-signed certificates generated by Pexip installations, these will not be regenerated, but you can generate new ones on any Linux box with the following commands, for each Conferencing Node:

openssl genrsa -out privkey.pem 4096

openssl req -new -x509 -key privkey.pem -subj '/O=Pexip Infinity Temporary Certificate/CN=hostname' -days 3650 -out server.pem -extensions v3_ca

… where hostname is the hostname of the Conferencing Node.

After you have generated privkey.pem and server.pem, upload them via the Management Node (Platform > TLS Certificates).

Further information

More details on the recovery from this vulnerability can be found on the Heartbleed site: http://heartbleed.com.