The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

computer vulnerability alert 11656

TCP: packets injection via a firewall and a malware

Synthesis of the vulnerability

When an attacker installed an unprivileged malware on a client computer, and when a firewall is located between this client and a TCP server, an attacker who is located on the internet can guess valid sequence numbers, in order to inject data in this TCP session.
Impacted products: CheckPoint Power-1 Appliance, CheckPoint Security Gateway, CheckPoint Smart-1, CheckPoint UTM-1 Appliance, VPN-1, CheckPoint VSX-1, TCP protocol.
Severity: 1/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Creation date: 28/05/2012.
Identifiers: FGA-2012-19, sk74640, VIGILANCE-VUL-11656.

Description of the vulnerability

When a privileged malware is installed on the victim's computer, it can inject data into the victim's TCP sessions. However, if the malware is not privileged, it cannot do so directly.

TCP sequence and acknowledgment numbers are used to order data. An attacker has to guess these numbers (and also the IP addresses and ports, but the malware knows them via netstat), in order to inject malicious packets into an active TCP session.

Firewalls usually block TCP packets with a sequence number outside the expected window. However, when this feature is enabled, a remote attacker can send a series of packets:
 - if one of these packets went through the firewall, the malware (which for example reads packet counters, which are not always precise) reports this to the remote attacker
 - if none of these packets went through, the malware tells the attacker to send another series
So, after several iterations, the remote attacker learns which sequence numbers are currently valid.

When an attacker has installed an unprivileged malware on a client computer, and when a firewall is located between this client and a TCP server, an attacker who is located on the internet can guess valid sequence numbers, in order to inject data into this TCP session. This vulnerability also works by reversing the roles of the client and the server.

computer vulnerability CVE-2012-2752

VMware vSphere Management Assistant: privilege elevation

Synthesis of the vulnerability

A local attacker can cause VMware vSphere Management Assistant to load a malicious library, in order to elevate his privileges.
Impacted products: VMware vSphere.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 28/05/2012.
Identifiers: BID-53697, CERTA-2012-AVI-296, CVE-2012-2752, VIGILANCE-VUL-11655, VMSA-2012-0010.

Description of the vulnerability

The VMware vMA (vSphere Management Assistant) product is used to manage virtualized systems.

During its execution, it does not verify the libraries it loads.

A local attacker can therefore cause VMware vSphere Management Assistant to load a malicious library, in order to elevate his privileges.

vulnerability note CVE-2012-2098

Apache Ant, Commons Compress: denial of service via bzip2

Synthesis of the vulnerability

When an attacker can submit data to be compressed with bzip2 by Apache Ant or Apache Commons Compress, he can create a denial of service.
Impacted products: Fedora, WebSphere AS Traditional, Solaris, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Creation date: 24/05/2012.
Identifiers: BID-53676, CERTA-2012-AVI-294, CVE-2012-2098, FEDORA-2012-8428, FEDORA-2012-8465, FEDORA-2013-5546, FEDORA-2013-5548, swg21639723, VIGILANCE-VUL-11654.

Description of the vulnerability

The bzip2 compression algorithm uses the Burrows-Wheeler Transformation (BWT). This transformation groups identical characters together, in order to make them easier to compress. The transformation of a string of length N:
 - generates the N rotations of this string
 - sorts these N rotations
 - takes the last character of each sorted rotation (which is the character preceding the first character of that rotation)
 - creates a new string containing these N characters
Thus, if the original string contains the word "TO" several times, the resulting string contains several consecutive "T" characters.

In this algorithm, sorting is the most resource-consuming operation. However, if the input data are repetitive, the sorting algorithm implemented in Apache Ant and Apache Commons Compress is not efficient, and no fall-back algorithm is used (unlike in the bzip2 tools).

When an attacker can submit data to be compressed with bzip2 by Apache Ant or Apache Commons Compress, he can therefore create a denial of service.

vulnerability bulletin CVE-2012-0289 CVE-2012-0294 CVE-2012-0295

Symantec Endpoint Protection: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Symantec Endpoint Protection, in order to create a denial of service, to delete files, or to elevate his privileges.
Impacted products: SEP.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, data creation/edition, data deletion, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 23/05/2012.
Identifiers: BID-50358, BID-51795, BID-53182, BID-53183, BID-53184-ERROR, CERTA-2012-AVI-291, CVE-2012-0289, CVE-2012-0294, CVE-2012-0295, CVE-2012-1821, SYM12-007, SYM12-008, VIGILANCE-VUL-11653, VU#149070, ZDI-12-145.

Description of the vulnerability

Several vulnerabilities were announced in Symantec Endpoint Protection.

When Symantec Endpoint Protection Manager 11 runs on Windows 2003, an attacker can scan the service, causing the Network Threat Protection module to block legitimate sessions. [severity:2/4; BID-50358, CVE-2012-1821, SYM12-007, VU#149070]

A local attacker can generate a buffer overflow in the HIDownloadURLFile() function of SSHelper.dll of Symantec Endpoint Protection Management Console 11, in order to execute code with system privileges. [severity:2/4; BID-51795, CVE-2012-0289, SYM12-008]

An attacker can use Symantec Endpoint Protection Manager 12.1, in order to delete files. [severity:2/4; BID-53182, CVE-2012-0294, SYM12-008]

An attacker can insert malicious code via Symantec Endpoint Protection Manager 12.1, and execute it with system privileges. [severity:3/4; BID-53183, BID-53184-ERROR, CVE-2012-0295, SYM12-008]

vulnerability announce CVE-2012-2390

Linux kernel: memory leak via HugeTLB

Synthesis of the vulnerability

A local attacker can trigger an error during the mmap() of huge memory pages, in order to generate memory leaks, progressively leading to a denial of service.
Impacted products: Fedora, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 23/05/2012.
Identifiers: BID-53668, CVE-2012-2390, FEDORA-2012-8824, FEDORA-2012-8890, FEDORA-2012-8931, openSUSE-SU-2013:0927-1, RHSA-2012:1150-01, RHSA-2012:1304-01, SUSE-SU-2012:0789-1, SUSE-SU-2012:0904-1, SUSE-SU-2012:1056-1, VIGILANCE-VUL-11652.

Description of the vulnerability

Memory pages usually have a size of 4 kbytes. In order to limit the number of memory address conversions, the kernel supports large pages, with a size up to 16 Mbytes. The "HugeTLB" table provides this address conversion feature.

The MAP_HUGETLB option of mmap() is used to obtain a memory area backed by large pages. However, if this call fails, the vm_ops->close() function is never called, and the memory area reserved by hugetlb_reserve_pages() is thus never freed.

A local attacker can therefore trigger an error during the mmap() of huge memory pages, in order to generate memory leaks, progressively leading to a denial of service.

vulnerability alert 11651

Windows XP: privilege elevation via Keyboard Layout offTable

Synthesis of the vulnerability

A local attacker can load a malformed Keyboard Layout, in order to create a denial of service or to obtain system privileges.
Impacted products: Windows XP.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: user shell.
Creation date: 23/05/2012.
Identifiers: BID-53657, VIGILANCE-VUL-11651.

Description of the vulnerability

The location of keys on a keyboard depends on the country.

The win32k.sys driver loads a Keyboard Layout file, which indicates the location of keys. The offTable field indicates an offset in the file. However, the ReadLayoutFile() function of win32k.sys does not check the offTable value, which leads to memory corruption.

A local attacker can therefore load a malformed Keyboard Layout, in order to create a denial of service or to obtain system privileges.

vulnerability CVE-2012-2625

Xen: denial of service via Kernel Size

Synthesis of the vulnerability

An attacker, who is administrator in a guest system, can enlarge the kernel size, in order to create a denial of service on the host system.
Impacted products: openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 23/05/2012.
Identifiers: 1817, CERTA-2012-AVI-605, CVE-2012-2625, openSUSE-SU-2012:1172-1, openSUSE-SU-2012:1174-1, openSUSE-SU-2012:1176-1, openSUSE-SU-2012:1572-1, openSUSE-SU-2012:1573-1, RHSA-2012:1130-01, SUSE-SU-2012:1044-1, VIGILANCE-VUL-11650, XSA-25.

Description of the vulnerability

The Linux kernel is stored in a file (vmlinuz) which can be compressed with bzip2. When the system starts, this kernel is uncompressed.

However, if data are appended at the end of the vmlinuz file, and if this file is larger than the RAM allocated to the guest system, the host system consumes resources to start this kernel. Paravirtualized systems using pygrub are vulnerable.

An attacker, who is administrator in a guest system, can therefore enlarge the kernel size, in order to create a denial of service on the host system.

computer vulnerability note CVE-2012-2392 CVE-2012-2393 CVE-2012-2394

Wireshark: denials of service

Synthesis of the vulnerability

Several vulnerabilities of Wireshark can be used by a remote attacker to create a denial of service.
Impacted products: Fedora, Mandriva Linux, openSUSE, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Wireshark.
Severity: 1/4.
Consequences: denial of service on client.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 23/05/2012.
Identifiers: 7221, BID-53651, BID-53652, BID-53653, CERTA-2012-AVI-292, CVE-2012-2392, CVE-2012-2393, CVE-2012-2394, CVE-2012-3825, CVE-2012-3826, FEDORA-2012-10175, MDVSA-2012:080, MDVSA-2013:055, openSUSE-SU-2012:0657-1, RHSA-2013:1569-02, SUSE-SU-2012:0792-1, VIGILANCE-VUL-11649, wnpa-sec-2012-08, wnpa-sec-2012-09, wnpa-sec-2012-10.

Description of the vulnerability

The Wireshark program captures and displays network packets. Protocols are decoded by dissectors, several of which are affected by vulnerabilities.

An attacker can generate infinite loops in the ANSI MAP, ASF, BACapp, Bluetooth HCI, IEEE 802.11, IEEE 802.3, LTP and R3 dissectors. [severity:1/4; BID-53651, CVE-2012-2392, CVE-2012-3825, CVE-2012-3826, wnpa-sec-2012-08]

An attacker can send a malformed DIAMETER packet, in order to generate a memory allocation error. [severity:1/4; BID-53652, CVE-2012-2393, wnpa-sec-2012-09]

On a SPARC or Itanium processor, an attacker can force the use of an unaligned pointer, which crashes Wireshark. [severity:1/4; 7221, BID-53653, CVE-2012-2394, wnpa-sec-2012-10]

computer vulnerability bulletin 11648

Citrix XenApp, Presentation Server: denial of service via Branch Repeater

Synthesis of the vulnerability

A remote attacker can connect through Branch Repeater, in order to generate a fatal error in wdica.sys, which stops Citrix XenApp.
Impacted products: Citrix Presentation Server, XenApp.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 23/05/2012.
Identifiers: BID-53663, CTX133159, VIGILANCE-VUL-11648.

Description of the vulnerability

The Branch Repeater service is used to optimize network access.

Citrix products install the wdica.sys driver (Independent Computing Architecture WinStation Driver) which processes client-server exchanges.

A remote attacker can connect through Branch Repeater, in order to generate a fatal error in wdica.sys, which stops Citrix XenApp.

computer vulnerability announce 11647

SPIP: vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities may have been corrected in SPIP.
Impacted products: SPIP.
Severity: 1/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: internet client.
Creation date: 21/05/2012.
Identifiers: CERTA-2012-AVI-280, VIGILANCE-VUL-11647.

Description of the vulnerability

Several vulnerabilities may have been corrected in SPIP. This information was not confirmed.

The SPIP announcement is ambiguous.
