PatchDayAlert
Daily Digest · 2 min read · 5 CVEs · Issue 40 · By PatchDayAlert

Firefox sandbox escape, a Dell RCE, and a Pacemaker crasher walk into your queue

CVE-2026-12289 lets attackers break out of Firefox/Thunderbird's WebRender sandbox (CVSS 8.8). Dell OpenManage and Pacemaker CIB also carry 8.6+ bugs, plus a command injection in Galaxy NG and a TLS bypass between Harvester and Rancher.

Patch now: 0 · Within 24h: 2 · This week: 3 · Exploited: 0

Products: Mozilla Firefox, Mozilla Thunderbird, Windows, Linux, macOS, Dell OpenManage, Windows Admin Center, Pacemaker, Galaxy NG, Ansible Automation Hub, SUSE Harvester, Rancher Manager

Nothing's on fire, but don't sleep on this one. A Firefox/Thunderbird sandbox escape (CVE-2026-12289, CVSS 8.8) lets attackers escalate privileges through the WebRender graphics component if a user hits a malicious page or opens a crafted email. No exploitation in the wild yet, but the attack surface is huge. Four more high-severity bugs round out the day, including a Dell OpenManage RCE and a Pacemaker cluster crasher.


Today's CVEs

Sorted by urgency

02 · CVE-2024-24909
NVD CVSS 8.8 · HIGH · Patch within 24h
Dell OpenManage, Windows Admin Center, Windows

A remote authenticated user can execute arbitrary code through Dell's OpenManage Integration plugin for Windows Admin Center. Successful exploitation lets the attacker escalate privileges, potentially taking full control of the gateway host. CVSS 8.8, not exploited in the wild.

Included because
CVSS 8.8; remote code execution; authenticated but targets a high-privilege management console
Affected estate
Any Windows Admin Center instance with the Dell OpenManage Integration gateway plugin installed.
How to check
Open Windows Admin Center, go to Settings > Extensions, and check the installed version of the Dell OpenManage Integration plugin. Cross-reference with Dell's advisory for the fixed version number.
Action
Download and install the patched plugin version from Dell's support portal.
Urgency
Patch within 24 hours
Why it matters
An authenticated attacker can run arbitrary code on a management gateway, which typically has broad access to your server fleet.
Source
Dell Security Advisory

03 · CVE-2026-10649
NVD CVSS 8.6 · HIGH · Patch within 24h
Pacemaker, Linux

An unauthenticated remote attacker can crash the Pacemaker CIB remote listener by sending a specially crafted compressed message. The bug is an integer overflow in the decompression path that triggers memory corruption before any authentication check. This is a denial-of-service issue that can take down your cluster management layer. CVSS 8.6.

Included because
unauthenticated; pre-auth exploitation; network-reachable; affects high-availability infrastructure
Affected estate
Any Linux host running Pacemaker with the CIB remote listener enabled and reachable over the network.
How to check
Run `pacemaker-remoted --version` or `rpm -q pacemaker` / `dpkg -l pacemaker` to get the installed version. Check if the CIB remote listener port (default 3121) is open with `ss -tlnp | grep 3121`.
Action
Patch the pacemaker package and restart cluster services. If a patch is not yet available for your distro, restrict network access to port 3121 to trusted cluster nodes only.
Urgency
Patch within 24 hours
Why it matters
Crashing the CIB listener takes down cluster management, which can cascade into failover storms or split-brain conditions across your HA environment.
Source
Red Hat / Pacemaker upstream advisory
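To make the port check and the interim network restriction above repeatable across cluster nodes, here is an added example (not code from the digest or from the Pacemaker project). It decides from `ss -tlnp` output whether port 3121 is bound beyond loopback and prints nftables rules limiting it to trusted node addresses; the table and chain names `inet filter input` and the node IPs are assumptions.

```shell
#!/bin/sh
# Added example, not code from the PatchDayAlert digest or from Pacemaker.
# Reads `ss -tlnp` output on stdin and decides whether a TCP port is bound
# on a non-loopback address, i.e. reachable from the network. Then prints
# nftables rules that admit the port only from trusted cluster nodes.
# Assumptions: an nftables table "inet filter" with an "input" chain exists;
# the node addresses passed on the command line are examples.

# listener_exposed PORT   (ss -tlnp output on stdin)
# Returns 0 if PORT listens on anything other than loopback, 1 otherwise.
listener_exposed() {
  port="$1"
  exposed=1
  while read -r state _recvq _sendq laddr _peer _rest; do
    [ "$state" = "LISTEN" ] || continue
    case "$laddr" in
      *":$port") ;;            # this socket is on the port we care about
      *) continue ;;
    esac
    case "$laddr" in
      127.*|"[::1]:$port") ;;  # loopback only: not network-reachable
      *) exposed=0 ;;          # 0.0.0.0, [::], * or a real interface address
    esac
  done
  return "$exposed"
}

# restrict_rules PORT NODE...
# Prints nft commands: accept PORT from the listed nodes, drop it otherwise.
restrict_rules() {
  port="$1"; shift
  nodes=$(printf '%s, ' "$@"); nodes=${nodes%, }
  printf 'nft add rule inet filter input tcp dport %s ip saddr { %s } accept\n' "$port" "$nodes"
  printf 'nft add rule inet filter input tcp dport %s drop\n' "$port"
}

# Live use on a cluster node: sh check3121.sh --live 10.0.0.11 10.0.0.12
if [ "${1:-}" = "--live" ]; then
  shift
  if ss -tlnp | listener_exposed 3121; then
    echo "CIB remote listener on 3121 is reachable from the network; suggested rules:"
    restrict_rules 3121 "$@"
  else
    echo "port 3121 is not listening beyond loopback"
  fi
fi
```

Review the printed rules against your existing ruleset before applying them; the drop rule must come after any rule that admits intra-cluster traffic.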

04 · CVE-2026-12398
NVD CVSS 7.5 · HIGH · Patch this week
Galaxy NG, Ansible Automation Hub, Linux

An authenticated user who controls an external git repository can inject shell commands through crafted branch or tag names when importing legacy roles via the Galaxy NG v1 API. This gives the attacker remote code execution on the Pulp worker. The catch: the vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default. CVSS 7.5.

Included because
authenticated; RCE; non-default config required but commonly enabled in legacy environments
Affected estate
Galaxy NG or Ansible Automation Hub instances with GALAXY_ENABLE_LEGACY_ROLES=True in their configuration.
How to check
Check your Galaxy NG settings (typically in /etc/pulp/settings.py or the environment variables) for GALAXY_ENABLE_LEGACY_ROLES. If it's not set or is False, you're not exposed through this path.
Action
Update galaxy_ng to the fixed release. As an immediate mitigation, set GALAXY_ENABLE_LEGACY_ROLES=False and restart the service.
Urgency
Patch this week
Why it matters
An authenticated attacker can get full code execution on the Pulp worker, which processes content and has access to stored automation artifacts.
Source
Red Hat / Galaxy NG upstream advisory

05 · CVE-2025-71261
NVD CVSS 8.6 · HIGH · Patch this week
SUSE Harvester, Rancher Manager, Linux

An attacker with network access between SUSE Harvester's virtualization layer and Rancher Manager can interfere with the TLS handshake and bypass TLS protections entirely. This means management traffic between these components could be intercepted or tampered with. CVSS 8.6, not exploited in the wild. Requires the attacker to be positioned on the internal network path between the two services.

Included because
CVSS 8.6; TLS bypass on management plane; requires network positioning but affects infrastructure control path
Affected estate
SUSE Harvester installations prior to version 1.8.0 that are integrated with Rancher Manager.
How to check
Check the Harvester version in the dashboard UI or via `kubectl get settings.harvesterhci.io server-version -o jsonpath='{.value}'`. Any version below 1.8.0 is affected.
Action
Upgrade Harvester to 1.8.0 or later. If you can't upgrade immediately, restrict network access between Harvester nodes and Rancher Manager to a trusted, segmented VLAN.
Urgency
Patch this week
Why it matters
Bypassing TLS between Harvester and Rancher lets a network-positioned attacker intercept or modify management commands controlling your virtual infrastructure.
Source
SUSE Security Advisory
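The version check above is easy to get wrong by string comparison (1.10.0 sorts before 1.8.0 lexically), so here is an added example (not code from the digest or from SUSE) that compares the `server-version` setting numerically against the fixed release. It assumes the setting value may carry a leading "v" and a pre-release suffix such as "-rc1".

```shell
#!/bin/sh
# Added example, not code from the PatchDayAlert digest or from SUSE.
# Compares the Harvester server-version setting against the fixed release
# (1.8.0) component by component, without relying on `sort -V`.
# Assumptions: the value may carry a leading "v" and a pre-release or build
# suffix ("-rc1", "+abc"); suffixes are dropped, so a 1.8.0 pre-release is
# treated as 1.8.0.

# version_lt A B : returns 0 when dotted version A is strictly lower than B.
version_lt() {
  a=${1#v}; b=${2#v}
  a=${a%%[-+]*}; b=${b%%[-+]*}       # strip pre-release / build suffixes
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}           # leading numeric component of each
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac   # advance to next component
    case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 1                           # equal versions are not "lower"
}

# harvester_affected VERSION : returns 0 if VERSION is below 1.8.0.
harvester_affected() {
  version_lt "$1" 1.8.0
}

# Live use against the current kubeconfig context: sh harvester_check.sh --live
if [ "${1:-}" = "--live" ]; then
  v=$(kubectl get settings.harvesterhci.io server-version -o jsonpath='{.value}')
  if harvester_affected "$v"; then
    echo "Harvester $v is below 1.8.0: affected by CVE-2025-71261, plan the upgrade"
  else
    echo "Harvester $v is 1.8.0 or later: not affected by CVE-2025-71261"
  fi
fi
```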
