Preface: SCTP is used mostly in the telecom area. Traditionally, telecom switches use SS7 (Signaling System No. 7) to interconnect different entities in the telecom network.
From technical point of view, IP network is open and not reliable. This is why SCTP was developed.

SCTP design objective:

• Emulate the advantages of the SS7 network accumulated over the decades.
• Create a connection-oriented protocol better than TCP in speed, security, and redundancy.

Background: SCTP is a message oriented, reliable transport protocol with direct support for multihoming that runs on top of ip(7), and supports both v4 and v6 versions. Like TCP, SCTP provides reliable, connection oriented data delivery with congestion control.Unlike TCP, SCTP also provides message boundary preservation, ordered and unordered message delivery, multi-streaming and multi-homing.
Stream Control Transmission Protocol over User Datagram Protocol (SCTP over UDP, also known as UDP encapsulation of SCTP) is a feature defined in RFC6951 and implemented in the Linux kernel space since 5.11. 0. It is planned to be supported by Red Hat Enterprise Linux (RHEL) 8.5. 0 and 9.0.
SCTP is a reliable message-oriented protocol. It preserves the message boundaries, and at the same time, detects lost data, duplicate data, and out-of-order data. It also has congestion control and flows control mechanisms.
About the SCTP sender’s port number. It can be used by the receiver in combination with the source IP address, the SCTP destination port and possibly the destination IP address to identify the association to which this packet belongs. The port number 0 MUST NOT be used. Destination Port Number is 16 bits (unsigned integer).This is the SCTP port number to which this packet is destined.

Vulnerability details: A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses.

Remedy:

• Make sure sctp_vtag_verify() is called firstly to verify the vtag from the received chunk and discard this – chunk if it fails.
• Always use the vtag from the received INIT chunk to make the response ABORT in sctp_ootb_pkt_new().
• Fix the order for some checks and add some missing checks for the received chunk.

Official announcement (From the Ubuntu security team) – For more details, please refer to the link – https://ubuntu.com/security/CVE-2021-3772

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: FortiAnalyzer platforms integrate network logging, analysis, and reporting into a single system, delivering increased knowledge of security events throughout your network. FortiManager provides automation-driven centralized management of your Fortinet devices from a single console. Both devices operate in a network-based structure. Therefore, it requires a web browser or CLI (command line) for the end user to work.

Vulnerability details: An improper handling of insufficient permissions or privileges vulnerability [CWE-280] in FortiAnalyzer and FortiManager may allow an authenticated attacker to bypass the device policy and force the password-change action for its user.

My observation My observation (one of the possibilities): Authentication bypass vulnerabilities exist when authentication state is not consistently enforced on the devices (FortiAnalyzer and FortiManager). As a result, it can be tampered by clients.

The vulnerability risk level is not high (CVSS v3=3.9). But it will let you know more. The client can arbitrarily change the GET parameters sent with the request. Nothing prevents the client from simply changing the parameter value. It effectively bypassing policy. Since this vulnerability in low risk (enforce password change to its user). Whether there will be unknown problems, we do not know.

Official announcement – For details, please refer to the link – https://www.fortiguard.com/psirt/FG-IR-21-255

Preface: The registration of CVE records is largely out of sync with the time of the event. Perhaps the new release of CVE record by today, however it was happened few weeks or months ago. But with reference of these vulnerabilities records. Vulnerability scanner can precisely provide a result to you after scan.

Background: Dropbox will be deployed lossless compression algorithms that are processed for certain classes of files and storage, like Lepton for jpeg images, and Pied-Piper-esque lossless video encoding. For other file types, Dropbox currently uses the zlib compression format, which saves almost 8% of disk storage.

Lepton is a tool and file format for actively compressing JPEGs. First developed by Daniel Horn at a Dropbox Hack Week, this streaming image compression format achieves a 22% savings reduction for existing JPEG images, while preserving the original file bit-for-bit perfectly.

Vulnerability details: A security vulnerability exists in the ‘build_huffcodes’ function of the lepton/jpgcoder[.]cc file. A remote attacker can exploit this vulnerability to cause a denial of service by means of a specially crafted jpeg file.

Reference: Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program’s implicit security policy. Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker’s code. Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory. For example, object methods in C++ are generally implemented using function pointers. Even in C programs, there is often a global offset table used by the underlying runtime.

Official announcement: For details , please refer to the link – https://drive.google.com/file/d/1bJlHozO37c5NZ1wI0NBWh0yHHyTcfaQL/view?usp=sharing

https://github.com/dropbox/lepton/issues/154

https://github.com/dropbox/lepton