A series of patches and updates were issued by VMware, Mozilla and Apache to patch critical and moderately rated vulnerabilities.
VMware’s Workspace ONE Unified Endpoint Management Console (AirWatch Console) was updated to resolve a critically rated SAML authentication bypass vulnerability (CVE-2018-6979). If exploited a malicious actor could impersonate an authorized SAML session if certificate-based authentication is enabled. However, even if a certificate-based authentication is not enabled there is still the possibility of information being disclosed, but this is only considered an important-rated issue.
Mozilla issued Thunderbird 60.2.1 to fix seven separate vulnerabilities in the free email application that together were rated as critical by the company.
The lone individually rated critical problem, CVE-2018-12376, concerned memory safety bugs in Firefox 62 and ESR 60.2. Although the bugs presented did not directly lead to memory corruption Mozilla stated there is enough evidence to presume that someone willing to spend the time and effort could exploit the flaw and run arbitrary code.
The two high-rated vulnerabilities concerned use-after-free in refresh drives, CVE-2018-12377, and in IndexedDB, CVE-2018-12378. The first problem can occur when refresh driver timers are refreshed during shutdown when the timer is deleted while still in use. This results in a potentially exploitable crash, but does not happen in every instance.
The second problem, also a system crash, can take place when an IndexedDB is deleted while still in use by JavaScript code that is providing payload values to be stored.
The three moderate issued patched were CVE-2018-12379: Out-of-bounds write with malicious MAR file, CVE-2017-16541: Proxy bypass using automount and autofs and CVE-2018-12385 Crash in TransportSecurityInfo due to cached data.
The first can result in an exploitable crash if Mozilla Updater opens an MAE format filing containing a very long filename. For the crash to occur Mozilla Updater must be running manually. The second problem only affects OS X in default configurations while On Linux systems, autofs must be installed for the vulnerability to occur and Windows is not affected. Mozilla said proxy settings can be bypassed by using the automount feature with autofs to create a mount point on the local file system. Data can be loaded from this mounted filesystem directly using a file: URI, bypassing configured proxy settings.
The final moderate issue covers a potentially exploitable crash in TransportSecurityIfo used for SSL that is triggered by data stare in the local cache or from locally installed malware.
“This issue is only exploitable in combination with another vulnerability allowing an attacker to write data into the local cache or from locally installed malware. This issue also triggers a non-exploitable startup crash for users switching between the Nightly and Release versions of Firefox if the same profile is used,” the security advisory said.
The single low-rated vulnerability, CVE-2018-12383, fixes a problem where saved passwords in Firefox 58 and earlier and then set a master password unencrypted versions of the earlier passwords remain accessible.
The Apache Software Foundation issued updates to fix the open redirect issue CVE-2018-11784, rated moderate, in Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90.
“When the default servlet returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker’s choice,” Apache said in its statement.
