Pexip security bulletins

VMware Tools contains a SAML token signature bypass vulnerability. A malicious actor that has been granted Guest Operation Privileges

CVSS3.1 base score: 7.5 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Discussion: Exploitation of this vulnerability requires that the VMware administrator has issued SAML SSO credentials for a user to perform VM Guest Operations and to also have assigned one or more Guest Aliases to the Infinity virtual machines.

Mitigation: Pexip neither recommends, nor supports, the assignment of Guest Aliases to Infinity virtual machines. Ensure that no Guest Aliases have been inadvertently assigned to Infinity virtual machines: https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html

Resolution: Upgrade to Pexip Infinity v34

Resolved minor issues: CVE-2020-36516, CVE-2021-32292, CVE-2022-20572, CVE-2022-3107, CVE-2022-3435, CVE-2022-3524, CVE-2022-3543, CVE-2022-3623, CVE-2022-3707, CVE-2022-4378, CVE-2022-48554, CVE-2023-0179, CVE-2023-0386, CVE-2023-0458, CVE-2023-0459, CVE-2023-0461, CVE-2023-0465, CVE-2023-0466, CVE-2023-0590, CVE-2023-1095, CVE-2023-1206, CVE-2023-1249, CVE-2023-1252, CVE-2023-1255, CVE-2023-1998, CVE-2023-20588, CVE-2023-20900, CVE-2023-22998, CVE-2023-23006, CVE-2023-23931, CVE-2023-2650, CVE-2023-2975, CVE-2023-31130, CVE-2023-31248, CVE-2023-3138, CVE-2023-32233, CVE-2023-3390, CVE-2023-3446, CVE-2023-36053, CVE-2023-3609, CVE-2023-3610, CVE-2023-3611, CVE-2023-3772, CVE-2023-3773, CVE-2023-3776, CVE-2023-38039, CVE-2023-3817, CVE-2023-38633, CVE-2023-39318, CVE-2023-39319, CVE-2023-4004, CVE-2023-40217, CVE-2023-4128, CVE-2023-4147, CVE-2023-4569, CVE-2023-4622, CVE-2023-4911

A vulnerability exists in .NET when processing malicious X.509 client certificates that may consume excessive CPU and lead to a denial of service.

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 32.1

Cross-site scripting vulnerability in legacy webapp ("Webapp1") when using preconfigured links.

CVSS3.1 base score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

Discussion: An attacker may achieve cross-site scripting by convincing a user to activate a crafted preconfigured link using the legacy Infinity Connect web app ("Webapp1").

• Since Infinity v26, the default configuration enables the Content-Security-Policy response header, allowing the client to enforce the domains from which script contents may be fetched. These include the wildcard domains *.microsoft.com and *.office.com. An attacker able to control or host a script under these domains may cause the application to execute attacker-controlled code.
• In Infinity v25, the Content-Security-Policy response header is disabled by default, but may be enabled on this software version via the security wizard. The Content-Security-Policy response header will include the wildcard domains *.microsoft.com and *.office.com. An attacker able to control or host a script under these domains may cause the application to execute attacker-controlled code.
• In Infinity v18-24, the Content-Security-Policy response header is disabled by default, but may be enabled in these software versions via the security wizard. There are no wildcard domains present in the "script-src" section of the Content-Security-Policy response header in these versions.
• In Infinity before v18, there is no support for the Content-Security-Policy response header and thus no domain-based restrictions on scripts are available.

Mitigation:

• On Infinity v31, access to the webapp can be disabled via the Administrator interface (Web App > Web App Paths) by deselecting the Enabled option for webapp1.
• Infinity v26 onwards allow the Administrator to configure the enabled state and contents of the Content-Security-Policy header via the Administrator interface (Platform > Global Settings > Security). Ensure that the Content-Security-Policy header is enabled and review local modifications to determine if further wildcard domains have been added (and, if they have, consider whether a non-wildcard domain could be used instead). Where the Pexip Scheduling Outlook Add-In is not in use, both *.microsoft.com and *.office.com may safely be removed from the Content-Security-Policy.
• For Infinity v18-25, ensure that the Enable Content-Security-Policy for Conferencing Nodes setting in the security wizard has been configured to yes (it defaults to no in these software versions). Note, however, that the contents of the Content-Security-Policy response header are not configurable on these software versions.
• For Infinity v5-17, there is no mitigation.

Resolution: Upgrade to Pexip Infinity 32.0. For deployments running Infinity v30.x and v31.x, contact your authorized Pexip support representative for a software bundle fix.

Credit: This issue was responsibly disclosed by https://github.com/40826d.

Resolved minor issues: CVE-2022-3515, CVE-2022-3736, CVE-2022-3924, CVE-2022-4203, CVE-2022-4304, CVE-2022-32221, CVE-2022-38725, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2023-1255, CVE-2023-2650, CVE-2023-23916, CVE-2023-26463, CVE-2023-27537, CVE-2023-28484, CVE-2023-29469

Use after free in PDF in Google Chrome prior to 103.0.5060.134 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.12

Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.12

Unknown

Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.12

Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 103.0.5060.53 allowed a remote attacker to bypass file system access via a crafted HTML page.

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.12

High

Use after free in ANGLE in Google Chrome prior to 102.0.5005.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.12

Resolved minor issue: CVE-2022-1867

Missing authenticity checks in application provisioning allow an attacker to cause the application to run untrusted code.

CVSS3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect app 1.8.0

Credit: This issue was responsibly disclosed by The UK's National Cyber Security Centre (NCSC)

Missing checks in certificate allow list matching allow a remote attacker to compromise a TLS connection, extracting data and potentially causing remote code execution.

CVSS3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity Connect 1.8.0

Credit: This issue was responsibly disclosed by The UK's National Cyber Security Centre (NCSC)

The Pexip VMR self-service portal before v3 uses the same SSH host keys across different customers' installations, which allows man-in-the-middle attackers to spoof fake instances by leveraging these keys.

CVSS 3.1 base score: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: Manually remove and regenerate the SSH host keys on each VMR Portal instance.

Resolution: Upgrade to VMR portal v3.