The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Novell openSUSE

vulnerability bulletin CVE-2015-0777

Xen: information disclosure via usbback

Synthesis of the vulnerability

A local attacker in a guest system can read a memory fragment of the Xen host system, in order to obtain sensitive information.
Impacted products: openSUSE, SUSE Linux Enterprise Desktop, SLES, Xen.
Severity: 1/4.
Creation date: 13/08/2015.
Identifiers: 917830, CVE-2015-0777, openSUSE-SU-2015:0713-1, SUSE-SU-2015:0658-1, SUSE-SU-2015:1376-1, VIGILANCE-VUL-17663.

Description of the vulnerability

The Xen product uses the xen/usbback/usbback.c driver for USB exchanges.

However, the copy_buff_to_pages() function does not initialize a memory area before returning it to the user in the guest system.

A local attacker in a guest system can therefore read a memory fragment of the Xen host system, in order to obtain sensitive information.
Complete Vigil@nce bulletin.... (free trial)

vulnerability note CVE-2015-2059

curl: information disclosure via libidn

Synthesis of the vulnerability

An attacker can retrieve a memory fragment from a process using libcurl, in order to get sensitive information.
Impacted products: cURL, Fedora, openSUSE.
Severity: 1/4.
Creation date: 02/07/2015.
Revision date: 07/07/2015.
Identifiers: CVE-2015-2059, FEDORA-2015-11562, FEDORA-2015-11621, openSUSE-SU-2015:1261-1, VIGILANCE-VUL-17294.

Description of the vulnerability

The URLs passed to libcurl functions may include non US-ASCII characters.

The handling of non US-ASCII characters in domain names is delegated to the libidn library. However, some functions of this library do not check whether the byte sequence passed to them is valid UTF-8. When the input is not valid UTF-8, the functions may include in the conversion output the contents of the memory that follows the input buffer (which was expected to be a UTF-8 byte string). The result is then sent to a DNS server.

An attacker can therefore retrieve a memory fragment from a process using libcurl, in order to get sensitive information.

computer vulnerability alert CVE-2015-3908

Ansible: incomplete X.509 certificate validation

Synthesis of the vulnerability

An attacker can spoof an HTTP over TLS server used by Ansible, since it does not check whether the X.509 certificate matches the server name requested at the HTTP level.
Impacted products: Ansible Core, Fedora, openSUSE.
Severity: 1/4.
Creation date: 06/07/2015.
Identifiers: CVE-2015-3908, FEDORA-2015-10797, FEDORA-2015-10807, openSUSE-SU-2015:1280-1, VIGILANCE-VUL-17306.

Description of the vulnerability

An attacker can spoof an HTTP over TLS server used by Ansible, since it does not check whether the X.509 certificate matches the server name requested at the HTTP level.

The bulletin VIGILANCE-VUL-12182 provides additional details about this bug (for another product).

A detailed analysis was not performed for this bulletin.

vulnerability note CVE-2015-5364 CVE-2015-5366

Linux kernel: denial of service via UDP

Synthesis of the vulnerability

An attacker can flood a Linux host with UDP packets carrying wrong checksums, in order to trigger a denial of service.
Impacted products: Debian, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 01/07/2015.
Identifiers: CERTFR-2015-AVI-311, CERTFR-2015-AVI-318, CERTFR-2015-AVI-331, CERTFR-2015-AVI-352, CERTFR-2015-AVI-357, CVE-2015-5364, CVE-2015-5366, DSA-3313-1, DSA-3329-1, openSUSE-SU-2015:1382-1, RHSA-2015:1623-01, SUSE-SU-2015:1224-1, SUSE-SU-2015:1324-1, USN-2678-1, USN-2680-1, USN-2681-1, USN-2682-1, USN-2683-1, USN-2684-1, USN-2685-1, USN-2713-1, USN-2714-1, VIGILANCE-VUL-17284.

Description of the vulnerability

UDP packets carry a checksum to check whether the packet has been corrupted in transit.

However, the check occurs quite late in packet processing. So, when the incoming packet rate is high, the kernel spends too much time handling the packet queue and other internal data structures, which prevents user processes from being resumed.

An attacker can therefore flood a Linux host with UDP packets carrying wrong checksums, in order to trigger a denial of service.

vulnerability note CVE-2015-4692

Linux kernel: NULL pointer dereference via kvm_apic_has_events

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced in "kvm_apic_has_events()" of the Linux kernel, in order to trigger a denial of service.
Impacted products: Debian, Fedora, Linux, openSUSE, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 29/06/2015.
Identifiers: CERTFR-2015-AVI-269, CERTFR-2015-AVI-318, CERTFR-2015-AVI-331, CERTFR-2015-AVI-357, CVE-2015-4692, DSA-3329-1, FEDORA-2015-10677, FEDORA-2015-10678, openSUSE-SU-2015:1382-1, SUSE-SU-2015:1324-1, USN-2678-1, USN-2680-1, USN-2681-1, USN-2682-1, USN-2683-1, USN-2684-1, USN-2685-1, VIGILANCE-VUL-17254.

Description of the vulnerability

The Linux kernel offers a virtualization layer: KVM.

A KVM virtual machine may have an interrupt controller. Its emulation is partially implemented in the source file "arch/x86/kvm/lapic.h". However, the function "kvm_apic_has_events", defined in this file, does not check whether a pointer is NULL before using it.

An attacker can therefore force a NULL pointer to be dereferenced in "kvm_apic_has_events()" of the Linux kernel, in order to trigger a denial of service.

computer vulnerability announcement CVE-2015-4700

Linux kernel: denial of service via BPF JIT

Synthesis of the vulnerability

An attacker can define a malicious BPF filter to be compiled to native code, in order to raise a fatal exception in the Linux kernel and so trigger a denial of service.
Impacted products: Debian, Linux, openSUSE, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 23/06/2015.
Identifiers: 1233615, CERTFR-2015-AVI-283, CERTFR-2015-AVI-318, CERTFR-2015-AVI-331, CERTFR-2015-AVI-357, CVE-2015-4700, DSA-3329-1, openSUSE-SU-2015:1382-1, SUSE-SU-2015:1224-1, USN-2664-1, USN-2666-1, USN-2678-1, USN-2679-1, USN-2680-1, USN-2681-1, USN-2683-1, USN-2684-1, VIGILANCE-VUL-17207.

Description of the vulnerability

The Linux kernel includes a packet filter from BSD. A rule set for this filter may be compiled to native machine code, just before running.

There is more than one way to translate a BPF instruction to x86 code, and these translations have different lengths. So, the compiler makes several passes over the code to adjust jump instructions. However, some filters require more passes than the allowed maximum. In this case, the produced code includes INT 3 instructions, which are used to call the debugger. This instruction is not allowed in the kernel.

An attacker can therefore define a malicious BPF filter to be compiled to native code, in order to raise a fatal exception in the Linux kernel and so trigger a denial of service.

computer vulnerability note CVE-2014-9645

busybox: bypass of modprobe filter

Synthesis of the vulnerability

A privileged attacker can add path separators to module names, in order to make the busybox modprobe load forbidden modules.
Impacted products: MBS, openSUSE.
Severity: 1/4.
Creation date: 18/06/2015.
Identifiers: 914660, CVE-2014-9645, MDVSA-2015:031, openSUSE-SU-2015:1083-1, VIGILANCE-VUL-17169.

Description of the vulnerability

The busybox product includes an implementation of many Unix system tools, including modprobe for kernel module loading.

Modprobe allows modules to be blacklisted by name. However, the busybox implementation of modprobe does not properly handle the path separator "/".

A privileged attacker can therefore add path separators to module names, in order to make the busybox modprobe load forbidden modules.

computer vulnerability alert CVE-2015-4651 CVE-2015-4652

Wireshark: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Wireshark.
Impacted products: Debian, openSUSE, Wireshark.
Severity: 1/4.
Creation date: 18/06/2015.
Identifiers: CVE-2015-4651, CVE-2015-4652, DSA-3294-1, openSUSE-SU-2015:1215-1, VIGILANCE-VUL-17166, wnpa-sec-2015-19, wnpa-sec-2015-20.

Description of the vulnerability

Several vulnerabilities were announced in Wireshark.

An attacker can send an ill-formed GSM DTAP packet, in order to trigger a denial of service. [severity:1/4; wnpa-sec-2015-20]

An attacker can send an ill-formed WCCP packet, in order to trigger a denial of service. [severity:1/4; wnpa-sec-2015-19]

vulnerability note CVE-2015-3237

curl: information disclosure via SMB

Synthesis of the vulnerability

An attacker who controls an SMB server can read a memory fragment of the client process using curl, in order to obtain sensitive information.
Impacted products: cURL, Fedora, openSUSE, Puppet.
Severity: 1/4.
Creation date: 17/06/2015.
Identifiers: CVE-2015-3237, FEDORA-2015-10155, openSUSE-SU-2015:1135-1, VIGILANCE-VUL-17154.

Description of the vulnerability

The curl product includes an SMB/CIFS client library.

There is an SMB command with which the server requests the client to send a server-specified section of a data area (typically a file). However, the function smb_request_state() in the file "lib/smb.c" does not check whether the requested interval is valid before sending back the content of the corresponding memory area.

An attacker who controls an SMB server can therefore read a memory fragment of the client process using curl, in order to obtain sensitive information.

vulnerability bulletin CVE-2015-3236

curl: credential disclosure via the connection cache

Synthesis of the vulnerability

An attacker who controls an HTTP server can collect usernames and their associated passwords from requests originated by curl.
Impacted products: cURL, Fedora, openSUSE, Puppet.
Severity: 2/4.
Creation date: 17/06/2015.
Identifiers: CVE-2015-3236, FEDORA-2015-10155, openSUSE-SU-2015:1135-1, VIGILANCE-VUL-17153.

Description of the vulnerability

The curl product includes an HTTP client library.

It manages usernames and passwords, notably for HTTP Basic authentication. It also manages a cache of open TCP connections to be reused according to the rules of the HTTP "Connection" header. However, the function curl_easy_reset() does not clear the credentials stored in these cached connection descriptors. So, when a client requests a protected resource and then a public one from the same server, the library reuses a connection descriptor that still carries the credentials and sends them.

An attacker who controls an HTTP server can therefore collect usernames and their associated passwords from requests originated by curl.