Users are encouraged to update their product and firmware to ensure their systems are secure
On Thursday, CERT-In published notes on high-severity vulnerabilities in Google Chrome OS and critical vulnerabilities in TP-Link router and Bitbucket server and data center. Reported vulnerabilities can be used by remote attackers to target affected systems and run arbitrary code, compromising their security.
In Google Chrome OS
Several vulnerabilities have been reported in the LTS channel of Google Chrome OS due to use-after-free bugs in Blink, Browser Creation, WebUI, the managed device API, and the Chrome OS environment.
Further vulnerabilities exist in the login flow and in extensions and the extension APIs, along with insufficient policy enforcement in cookies, an inappropriate implementation in the extensions API, heap buffer overflows in PDF, and side-channel information leakage in keyboard input.
The vulnerabilities affect most Chrome OS devices, according to Google’s security releases. They can be exploited by remote attackers by sending specially crafted requests to target systems.
A successful exploit could allow attackers to execute arbitrary code or cause a denial of service on affected systems.
Google has released security updates that fix the vulnerabilities, and their implementation is recommended to secure vulnerable systems.
In the firmware of the TP-Link router
A critical security flaw has been reported in the firmware running on routers from TP-Link Technologies Co. Ltd., a manufacturer of computer networking products.
The vulnerability exists due to improper bounds checking in httpd, the daemon that runs in the background on the router's web server to receive requests and serve hypertext and multimedia documents over the Internet.
Authenticated remote attackers could exploit this vulnerability by sending specially crafted requests. A successful exploit could overflow a buffer and allow the attacker to execute arbitrary code on the targeted system.
This vulnerability has been rated critical because it could allow a remote attacker to execute code and gain access to the affected system.
Updating to the latest firmware version is recommended to fix this vulnerability.
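The flaw class described above, improper bounds checking in an embedded web server's request handling, is illustrated below with a hypothetical parameter parser written for this article; it is not TP-Link's code and the `find_param`, `copy_param_unchecked` and `copy_param_checked` names, the `ssid` parameter and the 64-byte buffer are all constructed. The unchecked copier trusts an attacker-controlled length; the checked one refuses any value that would not fit.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical request-parameter parser for an embedded HTTPD (added example,
 * not TP-Link's code). Locates "name=" in a query string and copies its value. */

#define VALUE_BUF 64

/* Returns a pointer to the value for `name` and its length via *len,
 * or NULL if the parameter is absent. */
static const char *find_param(const char *query, const char *name, size_t *len) {
    size_t nlen = strlen(name);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, '&');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return NULL;
}

/* BUG PATTERN (improper bounds checking): `len` comes from the request and is
 * never compared with the destination size, so a long value overruns `dst`.
 * Shown only to make the defect visible; never called with oversized input. */
int copy_param_unchecked(char dst[VALUE_BUF], const char *query, const char *name) {
    size_t len;
    const char *v = find_param(query, name, &len);
    if (!v) return -1;
    memcpy(dst, v, len);          /* no check: len may exceed VALUE_BUF */
    dst[len] = '\0';
    return 0;
}

/* FIXED: refuse any value that would not fit together with its NUL terminator.
 * Returns 0 on success, -1 if absent, -2 if the value is too long. */
int copy_param_checked(char *dst, size_t dst_size, const char *query, const char *name) {
    size_t len;
    const char *v = find_param(query, name, &len);
    if (!v) return -1;
    if (len >= dst_size) return -2;   /* would overflow: reject the request */
    memcpy(dst, v, len);
    dst[len] = '\0';
    return 0;
}

/* Constructs a query whose value is far longer than VALUE_BUF and reports
 * whether the checked copier refuses it (1 = refused, as it should). */
int demo_rejects_oversized(void) {
    char query[512];
    char dst[VALUE_BUF];
    memset(query, 'A', sizeof query);
    memcpy(query, "ssid=", 5);
    query[sizeof query - 1] = '\0';
    return copy_param_checked(dst, sizeof dst, query, "ssid") == -2;
}

int main(void) {
    char dst[VALUE_BUF];
    if (copy_param_checked(dst, sizeof dst, "ssid=home&chan=6", "ssid") == 0)
        printf("ssid=%s\n", dst);
    printf("oversized value rejected: %d\n", demo_rejects_oversized());
    return 0;
}
```

The practical check for a defender is the same one the fixed function makes: every length that reaches `memcpy` must be bounded by the destination size, not by what the client declares. A patched firmware image is still the only complete fix, since the vulnerable handler runs in the router itself.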
In Bitbucket Server and Data Center
A critical vulnerability has been reported in all versions of Atlassian Bitbucket Server and Data Center between 7.0.0 and 8.3.0.
The vulnerability exists in multiple API endpoints and can be exploited by sending a specially crafted HTTP request to execute arbitrary commands on affected systems.
The command injection vulnerability could reportedly be exploited by remote authenticated attackers against the Git-based repository management product.
Atlassian said on its website that the vulnerability could be exploited by an attacker “with access to the public repository or read permission to the private Bitbucket repository.” The company also said cloud sites hosted by Atlassian are not affected by the vulnerability.
To fix this vulnerability, we recommend that you update each installation of the affected product to the fixed version available on the Atlassian website.
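The command injection class described in the Bitbucket section, a request parameter spliced into a command that the server runs, is illustrated below with a hypothetical API handler written for this article; it is not Atlassian's code, and the `build_shell_command`, `is_safe_ref_name` and `build_git_argv` names, the repository path and the ref values are all constructed. The contrast is between building a shell string (where metacharacters in the parameter become part of the command) and passing an allow-listed value as one element of an argument vector.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical handler for an API endpoint that resolves a git ref in a
 * repository (added example, not Atlassian's code). */

/* BUG PATTERN: a request parameter is spliced into a shell command line.
 * Returns the string that would be handed to system(); any shell
 * metacharacters in `ref` become part of the command. */
int build_shell_command(char *out, size_t out_size, const char *repo, const char *ref) {
    int n = snprintf(out, out_size, "git -C %s rev-parse --verify %s", repo, ref);
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

/* FIX 1: allow-list the parameter. Ref names are restricted to a conservative
 * character set and may not start with '-', which git would otherwise parse
 * as an option even when no shell is involved. */
bool is_safe_ref_name(const char *ref) {
    if (ref == NULL || *ref == '\0' || *ref == '-') return false;
    for (const char *p = ref; *p; p++) {
        char c = *p;
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '.' || c == '_' ||
                  c == '/' || c == '-';
        if (!ok) return false;
    }
    return true;
}

/* FIX 2: no shell at all. Arguments go to execvp() as a vector, so a value
 * such as "main;id" is a single argument that git simply fails to resolve.
 * Fills argv (NULL-terminated) and returns the argument count, or -1 if
 * `ref` fails validation or argv is too small. */
int build_git_argv(const char *argv[], size_t argv_len, const char *repo, const char *ref) {
    if (argv_len < 7 || !is_safe_ref_name(ref)) return -1;
    argv[0] = "git";
    argv[1] = "-C";
    argv[2] = repo;
    argv[3] = "rev-parse";
    argv[4] = "--verify";
    argv[5] = ref;
    argv[6] = NULL;
    return 6;
}

int main(void) {
    char cmd[256];
    const char *argv[8];
    const char *hostile = "main;id";   /* constructed attacker-controlled value */
    build_shell_command(cmd, sizeof cmd, "/srv/repo.git", hostile);
    printf("string the vulnerable path would pass to system(): %s\n", cmd);
    printf("argv path result for hostile ref (-1 = rejected): %d\n",
           build_git_argv(argv, 8, "/srv/repo.git", hostile));
    if (build_git_argv(argv, 8, "/srv/repo.git", "release/1.2") > 0)
        printf("argv path passes the ref as one argument: %s\n", argv[5]);
    return 0;
}
```

On a server that is still unpatched, the same two checks are what to look for in request logs: parameter values containing shell metacharacters or leading dashes arriving at endpoints that invoke git, and git child processes whose command lines contain more than the expected arguments.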