Linode Security Digest August 8-12, 2022

In this week’s digest, we will discuss:

• a cross-site scripting vulnerability that can lead to remote code execution in Joplin;
• a buffer overflow vulnerability in zlib; and
• multiple vulnerabilities identified in the NVIDIA GPU display driver.

Joplin Remote Code Execution through XSS

A code execution vulnerability via XSS was identified in Joplin that could allow attackers to execute arbitrary commands through a crafted payload injected into the Node titles. Joplin is a free, open source, markdown-based note taking app compatible with multiple operating systems such as Windows, Mac, and Linux. 

The vulnerability stems from how the dangerouslySetInnerHTML() method is used with unescaped user input in GotoAnything.tsx. This allows an attacker to achieve remote code execution on the victim’s system just by sharing a notebook with the vulnerable payload in node titles. The payload executes whenever the victim searches for the notebook.

The patch has been released in Joplin’s v2.9.1 release. Joplin version v2.8.8 and earlier versions are affected. This vulnerability, registered as CVE-2022-35131, was rated 9.0 in the CVSS scoring on NVD due to the high impact to confidentiality, integrity, and availability. A successful attack requires any authenticated user to search for the vulnerable notebook.

We recommend that you update Joplin to the latest version as soon as possible, especially if you receive shared notebooks.

Zlib Heap-based Buffer Overflow vulnerability

A heap-based buffer overflow vulnerability has been identified in zlib, a popular general purpose library used for data compression. The vulnerability has been registered as CVE-2022-37434 and affects all versions below 1.2.12.

Exploitation of the vulnerability is possible due to the heap-based buffer over-read or buffer overflow in inflate.c through a large gzip header extra field. According to the pull request comment that the developers created, if the extra field was larger than the space the user provided with inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This vulnerability only affects applications that use the inflateGetHeader() method. 

Multiple Vulnerabilities discovered for NVIDIA GPU Display Drivers

NVIDIA, one of the most popular GPU manufacturers, has released a security advisory for multiple vulnerabilities discovered in its GPU display driver for both Windows and Linux platforms. These vulnerabilities can be exploited to carry out various types of attacks such as denial of service, information disclosure, privilege escalation, code execution, or data tampering. 

One of the high-severity vulnerabilities, CVE‑2022‑31607, affects the kernel mode layer (nvidia.ko), where a local user with basic capabilities can cause improper input validation leading to several exploitation paths, according to NVIDIA’ security advisory. This vulnerability affects Linux, and has a CVSS score of 7.8 with a high rating on confidentiality, integrity, and availability. 

CVE‑2022‑31608 describes a vulnerability in an optional D-Bus configuration file which can lead to code execution. The vulnerability could be leveraged by a local user with basic capabilities. Most of the CVEs mentioned in NVIDIA’s security advisory require local privileges on the victim’s system in order for exploitation to be successful. 

You can use this guide from NVIDIA to understand which NVIDIA display driver is currently installed in your PC.