The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

vulnerability alert CVE-2011-2746

OTRS: file reading via AdminPackageManager

Synthesis of the vulnerability

An OTRS administrator, with no shell access to the system, can use the AdminPackageManager module, in order to read a file.
Impacted products: openSUSE, OTRS Help Desk.
Severity: 2/4.
Consequences: data reading.
Provenance: user account.
Creation date: 17/08/2011.
Identifiers: BID-49251, CERTA-2011-AVI-460, CVE-2011-2746, openSUSE-SU-2011:1017-1, OSA-2011-03, VIGILANCE-VUL-10931.

Description of the vulnerability

The module Kernel/Modules/AdminPackageManager.pm processes optional ".opm" packages. Only an authenticated OTRS administrator can use it.

The ViewDiff feature ("Subaction") of AdminPackageManager compares versions of a package file.

However, an OTRS administrator can use a filename containing "../", in order to compare with an arbitrary file from the filesystem. The content of this file is then displayed as a text difference (similar to the Unix "diff" command).

An OTRS administrator, with no shell access to the system, can therefore use the AdminPackageManager module, in order to read a file.
Full Vigil@nce bulletin... (Free trial)

vulnerability 10930

Windows 7: denial of service of RPC via DHCPv6

Synthesis of the vulnerability

An attacker can send a malformed DHCPv6 reply, in order to stop the RPC service of Windows 7.
Impacted products: Windows 7.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: LAN.
Creation date: 17/08/2011.
Identifiers: BID-49164, VIGILANCE-VUL-10930.

Description of the vulnerability

The DHCPv6 protocol (Dynamic Host Configuration Protocol for IPv6, RFC 3315) is used to configure the network settings of a host automatically. DHCPv6 packets carry optional fields (options) to store additional information.

RFC 3646 defines the option OPTION_DOMAIN_LIST (value 24), which lists the domain names to search. These names are stored in the RFC 1035 (DNS) wire format, for example "7 example 3 com", where each number (stored as a binary byte) gives the number of characters in the label that follows it.

However, if Windows receives a DHCPv6 reply with the field OPTION_DOMAIN_LIST containing "0" (which means a null size domain name), the Ndr64ConformantArrayFree() function of the RPCRT4.dll library tries to free an unallocated memory area.

An attacker can therefore send a malformed DHCPv6 reply, in order to stop the RPC service of Windows 7.
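A decoder for the option format described above, written from the client's side so that a zero-length domain name is rejected cleanly instead of reaching any allocation logic. It is an added example, not code from the Vigil@nce bulletin or from Windows; the option block layout follows RFC 3315 (2-byte code, 2-byte length), option 23 is the RFC 3646 DNS-servers option, and the sample byte strings are constructed.

```python
import struct

OPTION_DOMAIN_LIST = 24  # RFC 3646 option code for the domain search list


class MalformedDomainList(ValueError):
    """Raised when OPTION_DOMAIN_LIST data does not follow RFC 1035 name encoding."""


def parse_domain_list(data: bytes, strict: bool = True) -> list:
    """Decode the search list: each name is a run of (length byte, label) pairs ended by
    a zero length byte.  With strict=True a zero-length name (a bare 0x00, the case the
    bulletin describes) is rejected instead of being passed on as an empty string."""
    names, labels, i = [], [], 0
    while i < len(data):
        n = data[i]
        i += 1
        if n == 0:                      # terminator of the current name
            if not labels and strict:
                raise MalformedDomainList(f"zero-length domain name at offset {i - 1}")
            names.append(".".join(labels))
            labels = []
            continue
        if n > 63:                      # RFC 1035 caps a label at 63 octets
            raise MalformedDomainList(f"label length {n} > 63 at offset {i - 1}")
        if i + n > len(data):
            raise MalformedDomainList("label runs past the end of the option data")
        labels.append(data[i:i + n].decode("ascii"))
        i += n
    if labels:                          # data ended mid-name, no terminating 0x00
        raise MalformedDomainList("unterminated domain name")
    return names


def search_domains(options: bytes) -> list:
    """Walk a DHCPv6 option block (RFC 3315: 2-byte code, 2-byte length, data) and
    return the decoded search domains of every OPTION_DOMAIN_LIST it contains."""
    found, i = [], 0
    while i + 4 <= len(options):
        code, length = struct.unpack("!HH", options[i:i + 4])
        body = options[i + 4:i + 4 + length]
        if len(body) != length:
            raise MalformedDomainList(f"option {code} is truncated")
        if code == OPTION_DOMAIN_LIST:
            found.extend(parse_domain_list(body))
        i += 4 + length
    return found


def option(code: int, data: bytes) -> bytes:
    """Encode one DHCPv6 option (used only to build the constructed samples)."""
    return struct.pack("!HH", code, len(data)) + data


# Constructed samples (not captured traffic): a well-formed reply fragment with a DNS
# server (option 23) and two search domains, and the malformed list from the bulletin.
GOOD_OPTIONS = option(23, bytes.fromhex("20010db8000000000000000000000053")) \
    + option(OPTION_DOMAIN_LIST, b"\x07example\x03com\x00\x04corp\x07example\x03com\x00")
BAD_OPTIONS = option(OPTION_DOMAIN_LIST, b"\x00")

if __name__ == "__main__":
    print(search_domains(GOOD_OPTIONS))
    try:
        search_domains(BAD_OPTIONS)
    except MalformedDomainList as err:
        print("rejected:", err)
```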

computer vulnerability note CVE-2011-0084 CVE-2011-2985 CVE-2011-2986

SeaMonkey: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of SeaMonkey can be used by an attacker to execute code on the victim's computer.
Impacted products: Debian, SeaMonkey, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 4/4.
Consequences: user access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 10.
Creation date: 17/08/2011.
Identifiers: BID-49166, BID-49213, BID-49224, BID-49226, BID-49227, BID-49239, BID-49242, BID-49243, BID-49245, BID-49246, BID-49248, CERTA-2011-AVI-457, CERTA-2011-AVI-493, CVE-2011-0084, CVE-2011-2985, CVE-2011-2986, CVE-2011-2987, CVE-2011-2988, CVE-2011-2989, CVE-2011-2990, CVE-2011-2991, CVE-2011-2992, CVE-2011-2993, DSA-2295-1, MFSA 2011-33, openSUSE-SU-2011:0957-1, openSUSE-SU-2012:0567-1, RHSA-2011:1167-01, SUSE-SA:2011:037, VIGILANCE-VUL-10929, ZDI-11-270.

Description of the vulnerability

Several vulnerabilities were announced in SeaMonkey.

An attacker can corrupt the memory via WebGL. [severity:4/4; BID-49239, CVE-2011-2989]

An attacker can corrupt the memory via JavaScript. [severity:4/4; BID-49243, CVE-2011-2991]

An attacker can corrupt the memory via an Ogg file. [severity:4/4; BID-49245, CVE-2011-2992]

An attacker can create several memory corruptions. [severity:4/4; BID-49224, CVE-2011-2985]

Unsigned JavaScript code can call code inside a signed JAR archive, in order to be recognized as signed code. [severity:2/4; BID-49248, CVE-2011-2993]

An attacker can create a buffer overflow in WebGL. [severity:4/4; BID-49242, CVE-2011-2988]

An attacker can corrupt the memory via the ANGLE library. [severity:4/4; BID-49226, CVE-2011-2987]

An attacker can use SVGTextElement.getCharNumAtPosition(), in order to corrupt the memory. [severity:4/4; BID-49213, CERTA-2011-AVI-457, CVE-2011-0084, ZDI-11-270]

An attacker can obtain proxy credentials via Content Security Policy. [severity:3/4; BID-49246, CVE-2011-2990]

An attacker can use Windows D2D, in order to read an image coming from another site. [severity:2/4; BID-49227, CVE-2011-2986]

The most severe vulnerabilities lead to code execution.

computer vulnerability bulletin CVE-2011-0084 CVE-2011-2378 CVE-2011-2980

Thunderbird 3: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Thunderbird can be used by an attacker to execute code on the victim's computer.
Impacted products: Debian, Fedora, Mandriva Linux, Thunderbird, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 4/4.
Consequences: user access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 7.
Creation date: 17/08/2011.
Identifiers: ASPR #2011-08-18-1, ASPR #2011-08-18-2, BID-49166, BID-49213, BID-49214, BID-49216, BID-49217, BID-49218, BID-49219, BID-49223, CERTA-2011-AVI-457, CERTA-2011-AVI-493, CVE-2011-0084, CVE-2011-2378, CVE-2011-2980, CVE-2011-2981, CVE-2011-2982, CVE-2011-2983, CVE-2011-2984, DSA-2297-1, MDVSA-2011:127, MFSA 2011-32, openSUSE-SU-2011:0935-2, RHSA-2011:1166-01, SUSE-SA:2011:037, VIGILANCE-VUL-10928, ZDI-11-270, ZDI-11-271.

Description of the vulnerability

Several vulnerabilities were announced in Thunderbird.

An attacker can generate several memory corruptions. [severity:4/4; BID-49216, CVE-2011-2982]

An attacker can use SVGTextElement.getCharNumAtPosition(), in order to corrupt the memory. [severity:4/4; BID-49213, CERTA-2011-AVI-457, CVE-2011-0084, ZDI-11-270]

An attacker can use an event, in order to execute privileged JavaScript code. [severity:3/4; BID-49218, CVE-2011-2981]

An attacker can use a DOM object and appendChild, in order to corrupt the memory. [severity:4/4; BID-49214, CVE-2011-2378, ZDI-11-271]

An attacker can use a drop event, in order to gain chrome privileges. [severity:4/4; BID-49219, CVE-2011-2984]

An attacker can use ThinkPadSensor::Startup, in order to load a malicious DLL. [severity:3/4; ASPR #2011-08-18-1, ASPR #2011-08-18-2, BID-49217, CVE-2011-2980]

An attacker can use RegExp.input, in order to read data from another domain. [severity:2/4; BID-49223, CVE-2011-2983]

The most severe vulnerabilities lead to code execution.

computer vulnerability announce CVE-2011-0084 CVE-2011-2985 CVE-2011-2986

Thunderbird 5: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Thunderbird can be used by an attacker to execute code on the victim's computer.
Impacted products: Fedora, Thunderbird, openSUSE.
Severity: 4/4.
Consequences: user access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 8.
Creation date: 17/08/2011.
Identifiers: BID-49166, BID-49213, BID-49224, BID-49226, BID-49227, BID-49239, BID-49242, BID-49243, BID-49245, CERTA-2011-AVI-457, CVE-2011-0084, CVE-2011-2985, CVE-2011-2986, CVE-2011-2987, CVE-2011-2988, CVE-2011-2989, CVE-2011-2991, CVE-2011-2992, FEDORA-2011-11087, MFSA 2011-31, openSUSE-SU-2012:0567-1, VIGILANCE-VUL-10927, ZDI-11-270.

Description of the vulnerability

Several vulnerabilities were announced in Thunderbird.

An attacker can corrupt the memory via WebGL. [severity:4/4; BID-49239, CVE-2011-2989]

An attacker can corrupt the memory via JavaScript. [severity:4/4; BID-49243, CVE-2011-2991]

An attacker can corrupt the memory via an Ogg file. [severity:4/4; BID-49245, CVE-2011-2992]

An attacker can create several memory corruptions. [severity:4/4; BID-49224, CVE-2011-2985]

An attacker can create a buffer overflow in WebGL. [severity:4/4; BID-49242, CVE-2011-2988]

An attacker can corrupt the memory via the ANGLE library. [severity:4/4; BID-49226, CVE-2011-2987]

An attacker can use SVGTextElement.getCharNumAtPosition(), in order to corrupt the memory. [severity:4/4; BID-49213, CERTA-2011-AVI-457, CVE-2011-0084, ZDI-11-270]

An attacker can use Windows D2D, in order to read an image coming from another site. [severity:2/4; BID-49227, CVE-2011-2986]

The most severe vulnerabilities lead to code execution.

computer vulnerability alert CVE-2011-0084 CVE-2011-2378 CVE-2011-2980

Firefox 3: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Firefox can be used by an attacker to execute code on the victim's computer.
Impacted products: Debian, Fedora, Mandriva Linux, Firefox, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 4/4.
Consequences: user access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 7.
Creation date: 17/08/2011.
Identifiers: ASPR #2011-08-18-1, ASPR #2011-08-18-2, BID-49166, BID-49213, BID-49214, BID-49216, BID-49217, BID-49218, BID-49219, BID-49223, CERTA-2011-AVI-457, CERTA-2011-AVI-493, CVE-2011-0084, CVE-2011-2378, CVE-2011-2980, CVE-2011-2981, CVE-2011-2982, CVE-2011-2983, CVE-2011-2984, DSA-2296-1, MDVSA-2011:127, MFSA 2011-30, openSUSE-SU-2011:0935-1, openSUSE-SU-2011:0957-2, openSUSE-SU-2011:0958-1, openSUSE-SU-2014:1100-1, RHSA-2011:1164-01, SUSE-SA:2011:037, SUSE-SU-2011:0967-1, VIGILANCE-VUL-10926, ZDI-11-270, ZDI-11-271.

Description of the vulnerability

Several vulnerabilities were announced in Firefox.

An attacker can generate several memory corruptions. [severity:4/4; BID-49216, CVE-2011-2982]

An attacker can use SVGTextElement.getCharNumAtPosition(), in order to corrupt the memory. [severity:4/4; BID-49213, CERTA-2011-AVI-457, CVE-2011-0084, ZDI-11-270]

An attacker can use an event, in order to execute privileged JavaScript code. [severity:3/4; BID-49218, CVE-2011-2981]

An attacker can use a DOM object and appendChild, in order to corrupt the memory. [severity:4/4; BID-49214, CVE-2011-2378, ZDI-11-271]

An attacker can use a drop event, in order to gain chrome privileges. [severity:4/4; BID-49219, CVE-2011-2984]

An attacker can use ThinkPadSensor::Startup, in order to load a malicious DLL. [severity:3/4; ASPR #2011-08-18-1, ASPR #2011-08-18-2, BID-49217, CVE-2011-2980]

An attacker can use RegExp.input, in order to read data from another domain. [severity:2/4; BID-49223, CVE-2011-2983]

The most severe vulnerabilities lead to code execution.

computer vulnerability CVE-2011-0084 CVE-2011-2985 CVE-2011-2986

Firefox 4, 5: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Firefox can be used by an attacker to execute code on the victim's computer.
Impacted products: Fedora, Firefox, openSUSE.
Severity: 4/4.
Consequences: user access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 10.
Creation date: 17/08/2011.
Identifiers: BID-49166, BID-49213, BID-49224, BID-49226, BID-49227, BID-49239, BID-49242, BID-49243, BID-49245, BID-49246, BID-49248, CERTA-2011-AVI-457, CVE-2011-0084, CVE-2011-2985, CVE-2011-2986, CVE-2011-2987, CVE-2011-2988, CVE-2011-2989, CVE-2011-2990, CVE-2011-2991, CVE-2011-2992, CVE-2011-2993, MFSA 2011-29, openSUSE-SU-2012:0567-1, openSUSE-SU-2014:1100-1, VIGILANCE-VUL-10925, ZDI-11-270.

Description of the vulnerability

Several vulnerabilities were announced in Firefox.

An attacker can corrupt the memory via WebGL. [severity:4/4; BID-49239, CVE-2011-2989]

An attacker can corrupt the memory via JavaScript. [severity:4/4; BID-49243, CVE-2011-2991]

An attacker can corrupt the memory via an Ogg file. [severity:4/4; BID-49245, CVE-2011-2992]

An attacker can create several memory corruptions. [severity:4/4; BID-49224, CVE-2011-2985]

Unsigned JavaScript code can call code inside a signed JAR archive, in order to be recognized as signed code. [severity:2/4; BID-49248, CVE-2011-2993]

An attacker can create a buffer overflow in WebGL. [severity:4/4; BID-49242, CVE-2011-2988]

An attacker can corrupt the memory via the ANGLE library. [severity:4/4; BID-49226, CVE-2011-2987]

An attacker can use SVGTextElement.getCharNumAtPosition(), in order to corrupt the memory. [severity:4/4; BID-49213, CERTA-2011-AVI-457, CVE-2011-0084, ZDI-11-270]

An attacker can obtain proxy credentials via Content Security Policy. [severity:3/4; BID-49246, CVE-2011-2990]

An attacker can use Windows D2D, in order to read an image coming from another site. [severity:2/4; BID-49227, CVE-2011-2986]

The most severe vulnerabilities lead to code execution.

vulnerability note CVE-2011-2918

Linux kernel: denial of service via PERF_COUNT_SW_CPU_CLOCK

Synthesis of the vulnerability

A local attacker can use the performance measurement interface, in order to stop the system.
Impacted products: Debian, Fedora, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 16/08/2011.
Identifiers: BID-49152, CVE-2011-2918, DSA-2303-1, DSA-2303-2, FEDORA-2011-12874, openSUSE-SU-2011:1222-1, RHSA-2011:1350-01, RHSA-2012:0333-01, SUSE-SA:2011:038, SUSE-SU-2011:0984-1, SUSE-SU-2011:0984-2, SUSE-SU-2011:0984-3, SUSE-SU-2012:0364-1, VIGILANCE-VUL-10924.

Description of the vulnerability

Recent processors have special registers which count hardware events. The Linux kernel provides an interface to access these counters, or to simulate them in software when the hardware does not provide them:
 - PERF_COUNT_SW_CPU_CLOCK : CPU time
 - PERF_COUNT_SW_PAGE_FAULTS : number of page faults
 - etc.

When an operation runs long enough, the PERF_COUNT_SW_CPU_CLOCK counter overflows (it is reset to zero) and the perf_event_overflow() function of the kernel/events/core.c file is called. However, this function deletes a timer which is still in use.

A local attacker can therefore use the performance measurement interface, in order to stop the system.

vulnerability bulletin CVE-2011-2729

Apache Commons Daemon: privilege elevation via jsvc

Synthesis of the vulnerability

When Apache Commons Daemon is installed on Linux and compiled with libcap, capabilities are not dropped, so an application can access files with root privileges.
Impacted products: Tomcat, Fedora, HP-UX, NSM Central Manager, NSMXpress, openSUSE, Solaris, RHEL, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, data reading, data creation/edition, data deletion.
Provenance: user shell.
Creation date: 12/08/2011.
Identifiers: BID-49143, c03090723, CVE-2011-2729, FEDORA-2011-10936, HPSBUX02725, openSUSE-SU-2011:1062-1, PSN-2012-05-584, RHSA-2011:1291-01, RHSA-2011:1292-01, SSRT100627, VIGILANCE-VUL-10923.

Description of the vulnerability

The Apache Commons Daemon project is used to create a daemon (Unix) or a service (Windows) which runs a non-interactive Java application. This project offers:
 - a Java API, and
 - a C program:
  + jsvc (Unix) developed in C, which starts a process as a daemon with fork(), or
  + procrun (Windows) developed in C, which starts a service.
Apache Tomcat uses Apache Commons Daemon.

The jsvc tool is for example run with:
  ./jsvc -cp commons-daemon-1.0.6.jar:myJar.jar -user nobody myClass
In this case, myJar.myClass is started in daemon mode, with privileges of the "nobody" user.

The jsvc tool can be compiled on Linux with the libcap library, which handles capabilities. However, in this case, the daemon does not drop its capabilities. In the previous example, the process running as the nobody user thus retains the capabilities of the root user.

When Apache Commons Daemon is installed on Linux and compiled with libcap, capabilities are therefore not dropped, so an application can access files with root privileges.

vulnerability announce CVE-2011-2481

Apache Tomcat: reading XML file

Synthesis of the vulnerability

A malicious web application can replace the XML parser, and thus access the web.xml/context.xml file of another application.
Impacted products: Tomcat.
Severity: 2/4.
Consequences: data reading.
Provenance: user account.
Creation date: 12/08/2011.
Identifiers: 51395, BID-49147, CERTA-2011-AVI-454, CVE-2011-2481, VIGILANCE-VUL-10922.

Description of the vulnerability

The Apache Tomcat application server loads all web applications one after another.

Each application has a WEB-INF/web.xml file which configures servlets. The Tomcat server uses an XML parser to analyze this file.

However, the first loaded application can replace the default parser. It can then read XML files of applications which are loaded later.

A malicious web application can therefore replace the XML parser, and thus access the web.xml/context.xml file of another application.
