Impact of certain CVEs on Mender

deffo · August 16, 2021, 6:29am

Hi there!

How do you consider the impact of

https://nvd.nist.gov/vuln/detail/CVE-2021-33195
https://nvd.nist.gov/vuln/detail/CVE-2021-33196
https://nvd.nist.gov/vuln/detail/CVE-2021-33197
https://nvd.nist.gov/vuln/detail/CVE-2021-33198

on Mender?

Do you think this is critical? We are asking since dunfell is directly affected with version 1.14.12.

Best regards

kacf · August 16, 2021, 7:33am

Taking each one separately:

I believe it is impacted, but since the client validates the server certificate against the DNS name, in practice it has no other effect than not being able to connect (as long as the attack is going on).

Impacted, but the attacker must have deployment privileges on the server in order to exploit it. As far as I can tell, all they can do is crash the client, but systemd is set to automatically restart the mender client if it panics, so it should have no lasting effect.

Not impacted, ReverseProxy is not used in the client.

I think not impacted, the client doesn’t use the math.big package. I’m not 100% sure if some of the crypto functions might use it, but probably this would have been mentioned in the CVE, so I don’t think so.

deffo · August 16, 2021, 7:58am

Thanks for your quick reply.

Topic		Replies	Views
Impact of CVE-2021-29923 and CVE-2021-36221 on Mender General Discussions	1	287	August 26, 2021
Impact of CVE-2021-38297 on Mender General Discussions yocto , security , dunfell	1	401	October 26, 2021
Impact of CVE-2021-44716 and CVE-2021-44717 on Mender General Discussions yocto , security , dunfell	1	450	January 14, 2022
Impact of CVE-2021-39293 on Mender General Discussions yocto , security , dunfell	1	431	February 8, 2022
Impact of CVE-2021-31525 and CVE-2021-33194 on Mender General Discussions security	2	366	July 2, 2021

Impact of certain CVEs on Mender

Related topics