This week, important updates have been issued for Dovecot, the Intel microcode and the Linux kernel (KVM). Ubuntu users are at heightened risk this week, as an array of important kernel security issues impacting Ubuntu and its derivatives have been discovered and fixed.
We recommend that you visit our Advisories page frequently to see the latest security advisories that have been issued by your Linux distro(s). We also now offer the ability to personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select.
On behalf of the LinuxSecurity.com administrative team, I would like to extend a warm welcome to our newly redesigned site!
Yours in Open Source,
Dovecot The Discovery
Two remotely exploitable vulnerabilities have been identified in Dovecot before version 126.96.36.199 (CVE-2021-29157 and CVE-2021-33515). CVE-2021-29157 involves the incorrect escape of the kid and azp fields in JWT tokens, while CVE-2021-33515 affects the SMTP submission service.
Both of these Dovecot vulnerabilities can result in information disclosure. CVE-2021-29157 may be used to supply attacker controlled keys to validate tokens in some configurations when an attacker is able to write files to the local disk, enabling a local user to login as any user and access their emails. CVE-2021-33515 (impacting the SMTP submission service) allows an on-path attacker who has sending permissions on the submission server to inject plaintext commands before the STARTLS negotiation that would be executed after STARTTLS finished with the client, and potentially steal user credentials and emails by doing so.
These issues have been fixed upstream in Dovecot version 2.3.15. Users should upgrade to version 2.3.15-1 immediately to protect sensitive information.
Various security vulnerabilities have been discovered in the Intel CPU microcode including a domain-bypass transient execution vulnerability in some Intel Atom(R) processors (CVE-2020-24513), an observable timing discrepancy in some Intel(R) processors (CVE-2020-24512), improper isolation of shared resources in some Intel(R) processors (CVE-2020-24511) and incomplete cleanup in some Intel(R) VT-d products.
These flaws could be exploited by a local attacker to carry out privilege escalation attacks and side channel attacks, and could enable information disclosure.
Intel has updated its CPU microcode to fix these bugs. Users should upgrade their intel-microcode packages immediately to prevent compromise.