The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

computer vulnerability alert CVE-2007-5381

Cisco IOS: buffer overflow of LPD

Synthesis of the vulnerability

An attacker who is allowed to change the router's hostname can trigger a buffer overflow in LPD in order to execute code.
Impacted products: IOS by Cisco, Cisco Router.
Severity: 1/4.
Consequences: user access/rights.
Provenance: user console.
Creation date: 11/10/2007.
Identifiers: 99109, BID-25994, BID-26001, cisco-sr-20071010-lpd, CSCsj86725, CVE-2007-5381, VIGILANCE-VUL-7236, VU#230505.

Description of the vulnerability

The LPD printing daemon can be enabled on Cisco IOS (it is disabled by default).

This daemon listens on port 515/tcp and expects the client to connect from a source port below 1024. If the client connects from a source port of 1024 or above, the daemon returns the following error:
  name_of_router: /usr/lib/lpd: Malformed from address

However, if "name_of_router" is longer than 99 characters, the sprintf() call that builds this message overflows its buffer. To exploit this vulnerability, the attacker therefore first has to change the router's hostname.

An attacker can therefore, for example, change the router's hostname via SNMP (if a write community string is known), then connect to port 515/tcp from a high source port in order to trigger the buffer overflow in LPD, which may permit code execution on IOS.
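The pattern the bulletin describes, as an added example in C (not Cisco's code and not taken from the bulletin): an unbounded sprintf() of the hostname into a fixed buffer, beside the bounded form and the precondition check the vulnerable code lacks. The 100-byte name buffer, the 256-byte message buffer and the exact message layout are assumptions chosen to match the 99-character limit stated above; the hostnames are constructed inputs.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Cisco's code. Buffer sizes are assumptions chosen so
 * that, as in the bulletin, a name of more than 99 characters overflows. */
#define LPD_NAME_BUF 100
#define LPD_ERR_BUF  256

static const char LPD_SUFFIX[] = ": /usr/lib/lpd: Malformed from address";

/* The trigger condition: lpd only accepts clients from reserved source ports. */
int lpd_source_port_rejected(unsigned src_port)
{
    return src_port >= 1024;
}

/* Vulnerable pattern: unbounded sprintf() of an attacker-influenced string
 * into a fixed stack buffer. Correct only while strlen(host) <= 99, so it
 * must never see an unchecked hostname; the demo feeds it short names only. */
int lpd_format_error_unsafe(const char *host, char *out)
{
    char name[LPD_NAME_BUF];
    sprintf(name, "%s", host);                /* overflows name[] when strlen(host) > 99 */
    sprintf(out, "%s%s", name, LPD_SUFFIX);   /* out[] is not bounded either */
    return (int)strlen(out);
}

/* The precondition the vulnerable code is missing (+1 for the NUL). */
int lpd_name_overflows(const char *host)
{
    return strlen(host) + 1 > LPD_NAME_BUF;
}

/* Hardened form: snprintf() with the real buffer size, and the caller is told
 * when the message was truncated instead of the stack being corrupted.
 * Returns 0 on success, -1 when the output was truncated. */
int lpd_format_error_safe(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s%s", host, LPD_SUFFIX);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Constructed input: a hostname of n 'A' characters (capped at 511). */
const char *hostname_of_len(size_t n)
{
    static char buf[512];
    if (n > sizeof buf - 1) n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

/* Shared output buffer so the formatted message can be inspected after a call. */
char lpd_scratch[LPD_ERR_BUF];

int main(void)
{
    printf("99 chars overflow? %d\n", lpd_name_overflows(hostname_of_len(99)));    /* 0 */
    printf("100 chars overflow? %d\n", lpd_name_overflows(hostname_of_len(100)));  /* 1 */
    lpd_format_error_unsafe("router1", lpd_scratch);
    puts(lpd_scratch);
    printf("300-char name, bounded: %d\n",
           lpd_format_error_safe(hostname_of_len(300), lpd_scratch, sizeof lpd_scratch)); /* -1 */
    return 0;
}
```

The interesting property of the hardened version is not only the bound but the return code: a truncated error message is harmless, a silently overflowed one is the bug above.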

computer vulnerability CVE-2007-5382

CiscoWorks: default password during conversion from WLSE to WCS

Synthesis of the vulnerability

The utility that converts from CiscoWorks Wireless LAN Solution Engine to Cisco Wireless Control System does not force the administrator to change the Linux root password.
Impacted products: CiscoWorks.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 11/10/2007.
Identifiers: 98799, BID-26000, CERTA-2007-AVI-441, cisco-sa-20071010-wcs, CSCsj71081, CVE-2007-5382, VIGILANCE-VUL-7235.

Description of the vulnerability

The WLSE (CiscoWorks Wireless LAN Solution Engine) product is used to administer a wireless infrastructure. The WCS (Cisco Wireless Control System) product is used to administer access points.

Cisco provides a utility to convert WLSE configurations to WCS. This utility creates two accounts: "Linux root" and "WCS root". However, the utility does not prompt the administrator to change the password of the Linux root account, which therefore keeps its default value.

An attacker who knows the default password can therefore log in with administrator (root) rights.

vulnerability note CVE-2007-3675 CVE-2007-4466 CVE-2007-5257

IE: vulnerabilities of several ActiveX of October 2007

Synthesis of the vulnerability

Several ActiveX controls allow a remote attacker to cause a denial of service or to execute code.
Impacted products: IE.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 9.
Creation date: 10/10/2007.
Revisions dates: 11/10/2007, 11/10/2007, 16/10/2007, 25/10/2007, 30/10/2007.
Identifiers: BID-25892, BID-25970, BID-25977, BID-26004, BID-26058, BID-26130, CERTA-2007-AVI-450, CVE-2007-3675, CVE-2007-4466, CVE-2007-5257, CVE-2007-5322, CVE-2007-5446, CVE-2007-5601, CVE-2007-5779, TA07-297A, VIGILANCE-VUL-7234, VU#179281, VU#871673.

Description of the vulnerability

Several ActiveX controls allow a remote attacker to cause a denial of service or to execute code.

An attacker can call the FoxDoCmd() method of the Microsoft Visual FoxPro 6.0 FPOLE.OCX ActiveX control in order to execute a command. [severity:2/4; BID-25977, CVE-2007-5322]

An attacker can trigger several overflows in the Electronic Arts SnoopyCtrl NPSnpy.dll ActiveX control in order to execute code. [severity:2/4; BID-25970, CVE-2007-4466, VU#179281]

An attacker can call the FtpDownloadFile() method of the Draw Office Viewer Component 5.3 ActiveX control in order to execute code. [severity:2/4; BID-25892, CVE-2007-5257]

An attacker can call the CKAVWebScan() method of the Kaspersky Web Scanner 5.0.93.0 ActiveX control in order to execute code. [severity:2/4; BID-26004, CVE-2007-3675]

An attacker can call the CacheFile() method of the Pegasus Imaging ThumbnailXpress 1.0 ActiveX control in order to delete a file on the system. [severity:2/4]

An attacker can trigger an overflow via the RejectedRecordsFile parameter of the VImpX.ocx ActiveX control in order to execute code. [severity:2/4]

An attacker can call the SaveSenderToXml() method of the PBEmail 7 ActiveX control in order to create a file on the victim's computer. [severity:2/4; BID-26058, CVE-2007-5446]

An attacker can trigger an overflow in the RealNetworks RealPlayer Playlist ierpplug.dll ActiveX control in order to execute code. [severity:2/4; BID-26130, CERTA-2007-AVI-450, CVE-2007-5601, TA07-297A, VU#871673]

An attacker can call the OpenUrl() method of the GomWeb Control (GomWeb3.dll 1.0.0.12) ActiveX control in order to execute code. [severity:2/4; CVE-2007-5779]

vulnerability bulletin CVE-2007-5302

HP-UX: Cross Site Scripting of SMH

Synthesis of the vulnerability

An attacker can perform a Cross Site Scripting attack against System Management Homepage.
Impacted products: HP-UX.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 10/10/2007.
Identifiers: BID-25953, c01183265, CERTA-2007-AVI-435, CVE-2007-5302, emr_na-c01183265-1, HPSBMA02274, SSRT071445, VIGILANCE-VUL-7233.

Description of the vulnerability

The SMH (HP System Management Homepage) product provides a web interface to administer an HP-UX server.

This web service does not validate the parameters supplied in the URL before echoing them back in the generated page.

This flaw can be used to mount a Cross Site Scripting attack against an administrator who opens a crafted link.
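The fix for a reflected parameter, as an added C example that is not HP's code: an HTML escaping routine, and the same page fragment rendered with and without it. The "<p>Parameter: ...</p>" fragment layout and the buffer sizes are assumptions made for the demo; the parameter values are constructed attacker input.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not HP's code: the output-encoding step a reflected URL
 * parameter needs before it is written into an HTML page. */

/* Escape the five characters that can break out of HTML text or attribute
 * context. Returns the length the escaped text needs (snprintf-style), so a
 * result >= outlen means the output was truncated; out is NUL-terminated
 * right after the last replacement that fit completely. */
size_t html_escape(const char *in, char *out, size_t outlen)
{
    size_t needed = 0, written = 0;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rlen = strlen(rep);
        if (written == needed && needed + rlen < outlen) {   /* rep plus final NUL fit */
            memcpy(out + needed, rep, rlen);
            written += rlen;
        }
        needed += rlen;
    }
    if (outlen > 0) out[written] = '\0';
    return needed;
}

/* Vulnerable: the parameter goes into the page verbatim, so a value such as
 * <script>...</script> is parsed as markup and run by the browser. */
int render_param_unsafe(const char *param, char *out, size_t outlen)
{
    return snprintf(out, outlen, "<p>Parameter: %s</p>", param);
}

/* Hardened: same page, parameter escaped first. Returns 0, or -1 if the
 * escaped value or the page did not fit its buffer. */
int render_param_safe(const char *param, char *out, size_t outlen)
{
    char esc[1024];
    if (html_escape(param, esc, sizeof esc) >= sizeof esc) return -1;
    int n = snprintf(out, outlen, "<p>Parameter: %s</p>", esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Shared output buffer so the rendered fragment can be inspected after a call. */
char page_scratch[2048];

int main(void)
{
    const char *param = "<script>alert('x')</script>";   /* constructed attacker input */
    render_param_unsafe(param, page_scratch, sizeof page_scratch);
    puts(page_scratch);
    render_param_safe(param, page_scratch, sizeof page_scratch);
    puts(page_scratch);
    return 0;
}
```

Escaping on output is the right layer for this bug: input "validation" of a parameter that is legitimately allowed to contain quotes or angle brackets cannot decide what is safe, but the encoder knows the HTML context it writes into.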

vulnerability announce CVE-2007-5368

Solaris: denial of service of labeld

Synthesis of the vulnerability

Two vulnerabilities in the labeld daemon allow a local attacker to stop the Trusted Extensions service.
Impacted products: Solaris.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 10/10/2007.
Identifiers: 103109, 6598910, 6598913, BID-25993, CVE-2007-5368, VIGILANCE-VUL-7232.

Description of the vulnerability

The Solaris Trusted Extensions component adds features from Trusted Solaris to Solaris. The labeld daemon handles all labels (network, filesystem, printing, desktop, etc.). This daemon has two vulnerabilities that allow a local attacker to stop it.

The zonecopy() function does not validate pointers before using them, which crashes the daemon. [severity:1/4; 6598910]

The "label builder door" service does not validate the size of memory areas before using them, which crashes the daemon. [severity:1/4; 6598913]

vulnerability alert CVE-2007-5367

Solaris 10: denial of service via VFS

Synthesis of the vulnerability

A local attacker can exhaust system memory, which causes a denial of service on the computer.
Impacted products: Solaris.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 10/10/2007.
Identifiers: 103088, 127111-01, 127112-01, 6500134, BID-25992, CVE-2007-5367, VIGILANCE-VUL-7231.

Description of the vulnerability

In Solaris 10, the VFS layer represents files with virtual inodes named vnodes (virtual nodes). The vnode structure has a field named v_path which holds the path name of the file associated with the vnode.

An unspecified error in the construction of the v_path field can exhaust system memory, which halts the system.

A local attacker can thus exhaust system memory in order to cause a denial of service.

vulnerability CVE-2007-5198

Nagios Plugins: buffer overflow via check_http

Synthesis of the vulnerability

A remote attacker who controls a web server can run code on a Nagios server that monitors it with Nagios Plugins.
Impacted products: Debian, Fedora, Nagios Open Source, openSUSE, SLES.
Severity: 2/4.
Consequences: privileged access/rights.
Provenance: internet server.
Creation date: 10/10/2007.
Identifiers: 1687867, BID-25952, CVE-2007-5198, DSA-1495-1, FEDORA-2008-3061, FEDORA-2008-3098, FEDORA-2008-3146, MDVSA-2008:067, SUSE-SR:2007:025, VIGILANCE-VUL-7230.

Description of the vulnerability

Nagios plugins check hosts and services on behalf of the Nagios server. The redir() function in check_http.c follows a redirection when the monitored web server answers with a Location HTTP header, and extracts the target host name from that header.

The buffer defined to hold the host name parsed from the Location header is too short.

A remote attacker can thus run code on a server using Nagios Plugins by returning a very long host name in the Location header of a web server he controls.
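A Location header parser with an explicit bound on every field, as an added example that is not the Nagios Plugins code: the host name is measured before it is copied, so an over-long value is rejected instead of overrunning the fixed buffer. The 255-character host limit is an assumption taken from the DNS name length limit, the 1024-byte path limit is arbitrary, and the sample Location values are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the Nagios Plugins code. MAX_HOST (DNS name limit) and
 * MAX_PATH are assumptions; the point is that each copy is bounded. */
#define MAX_HOST 255
#define MAX_PATH 1024

struct redir_target {
    char scheme[8];
    char host[MAX_HOST + 1];
    int  port;
    char path[MAX_PATH];
};

/* The bug class in one line: sscanf(value, "%*[^:]://%[^:/]", host) with no
 * field width copies an attacker-chosen host name into host[] unbounded. */

/* Parse "scheme://host[:port][/path]". Returns 0 on success, -1 if the value
 * is malformed, -2 if the host is too long, -3 if the path is too long. */
int parse_location(const char *value, struct redir_target *t)
{
    const char *p = strstr(value, "://");
    if (p == NULL) return -1;
    size_t slen = (size_t)(p - value);
    if (slen == 0 || slen >= sizeof t->scheme) return -1;
    memcpy(t->scheme, value, slen);
    t->scheme[slen] = '\0';
    p += 3;

    size_t hlen = strcspn(p, ":/");            /* host ends at ':', '/' or end of string */
    if (hlen == 0) return -1;
    if (hlen > MAX_HOST) return -2;            /* the check the vulnerable code lacked */
    memcpy(t->host, p, hlen);
    t->host[hlen] = '\0';
    p += hlen;

    t->port = strcmp(t->scheme, "https") == 0 ? 443 : 80;
    if (*p == ':') {
        char *end;
        long v = strtol(p + 1, &end, 10);
        if (end == p + 1 || v < 1 || v > 65535) return -1;
        t->port = (int)v;
        p = end;
    }

    if (*p == '\0') { strcpy(t->path, "/"); return 0; }
    if (*p != '/') return -1;
    if (strlen(p) >= sizeof t->path) return -3;
    strcpy(t->path, p);                        /* bounded by the check above */
    return 0;
}

/* Constructed input: a Location value whose host is n 'a' characters. */
const char *location_with_host_len(size_t n)
{
    static char buf[2048];
    if (n > 1500) n = 1500;
    memcpy(buf, "http://", 7);
    memset(buf + 7, 'a', n);
    strcpy(buf + 7 + n, "/index.html");
    return buf;
}

/* Shared result so the parsed fields can be inspected after a call. */
struct redir_target last_target;

int main(void)
{
    int rc = parse_location("http://example.com:8080/login?x=1", &last_target);
    printf("rc=%d scheme=%s host=%s port=%d path=%s\n", rc, last_target.scheme,
           last_target.host, last_target.port, last_target.path);
    printf("300-char host: rc=%d\n", parse_location(location_with_host_len(300), &last_target));
    return 0;
}
```

A monitoring plugin runs with the Nagios service account on a host that can reach everything it monitors, so the parser for a response header written by the monitored (possibly compromised) server has to be treated as untrusted-input handling, not as a convenience.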

computer vulnerability announce CVE-2007-5268 CVE-2007-5269

libpng: multiple denials of service

Synthesis of the vulnerability

Several errors in the libpng library allow an attacker to cause a denial of service in applications using libpng.
Impacted products: Debian, Fedora, libpng, Mandriva Linux, Mandriva NF, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SLES, ESX.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 6.
Creation date: 10/10/2007.
Identifiers: 259989, 674516, 6745161, 6755267, 6813939, BID-25956, CERTA-2008-AVI-445, CVE-2007-5268, CVE-2007-5269, DSA-1750-1, FEDORA-2007-2521, FEDORA-2007-2666, FEDORA-2007-734, MDKSA-2007:217, RHSA-2007:0992-01, SSA:2007-325-01, SUSE-SR:2007:025, VIGILANCE-VUL-7227, VMSA-2008-0014, VMSA-2008-0014.1, VMSA-2008-0014.2.

Description of the vulnerability

Several vulnerabilities were announced in the libpng library.

Several errors in the pngrtran.c file can crash the application using libpng. [severity:2/4; CVE-2007-5268]

An out-of-bounds read in the png_handle_pCAL() function causes a denial of service. [severity:2/4; CERTA-2008-AVI-445, CVE-2007-5269]

An out-of-bounds read in the png_handle_sCAL() function causes a denial of service. [severity:2/4; CERTA-2008-AVI-445, CVE-2007-5269]

An out-of-bounds read in the png_push_read_tEXt() function causes a denial of service. [severity:2/4; CERTA-2008-AVI-445, CVE-2007-5269]

An out-of-bounds read in the png_handle_iTXt() function causes a denial of service. [severity:2/4; CERTA-2008-AVI-445, CVE-2007-5269]

An out-of-bounds read in the png_handle_zTXt() function causes a denial of service. [severity:2/4; CERTA-2008-AVI-445, CVE-2007-5269]

computer vulnerability alert CVE-2007-5266 CVE-2007-5267

libpng: denial of service via png_set_iCCP

Synthesis of the vulnerability

A local attacker can cause a denial of service in an application using libpng.
Impacted products: libpng, Mandriva Linux, Mandriva NF, OpenSolaris, Solaris, Trusted Solaris, Slackware.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 10/10/2007.
Identifiers: 259989, 674516, 6745161, 6755267, 6813939, BID-25957, CVE-2007-5266, CVE-2007-5267, MDKSA-2007:217, SSA:2007-325-01, VIGILANCE-VUL-7226.

Description of the vulnerability

The libpng library is used by applications that create or manipulate PNG (Portable Network Graphics) image files. The functions of the pngset.c source file store in memory information about the file being read or written by the application that uses the library.

The png_set_iCCP() function stores in memory the ICC (International Color Consortium) profile of the file being processed.

An error in the calculation of the amount of memory allocated to store the ICC profile crashes the application using libpng.

A local attacker can thus cause a denial of service in an application using the libpng library.
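One chunk walker serving both libpng bulletins above (the out-of-bounds reads in the chunk handlers, and the iCCP allocation size), as an added example that is not libpng's code: every chunk length is checked against the bytes actually present and against the CRC before the data is handed to a handler, and the iCCP profile length is only computed once the subtraction cannot underflow. The chunk and iCCP layouts follow the PNG specification; the sample bytes are constructed in make_sample() and are not real image data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libpng's code: chunk lengths are checked against the
 * bytes present before any data is read, and the iCCP profile length is
 * computed only after the subtraction is known not to underflow. */

/* CRC-32 as PNG uses it (over chunk type + data); table built on first use. */
uint32_t png_crc(const uint8_t *buf, size_t len)
{
    static uint32_t table[256];
    if (table[1] == 0)
        for (uint32_t n = 0; n < 256; n++) {
            uint32_t c = n;
            for (int k = 0; k < 8; k++) c = (c & 1) ? 0xEDB88320u ^ (c >> 1) : c >> 1;
            table[n] = c;
        }
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) c = table[(c ^ buf[i]) & 0xFF] ^ (c >> 8);
    return c ^ 0xFFFFFFFFu;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Append one chunk (length, type, data, CRC) at out; returns bytes written. */
size_t build_chunk(uint8_t *out, const char *type, const uint8_t *data, uint32_t len)
{
    put32(out, len);
    memcpy(out + 4, type, 4);
    if (len) memcpy(out + 8, data, len);
    put32(out + 8 + len, png_crc(out + 4, 4 + len));
    return 12 + len;
}

/* iCCP body: profile name (1..79 bytes), NUL, compression method, profile.
 * The allocation size is len - (name_len + 2); it is computed only after
 * checking len is large enough, so it cannot wrap. Returns -1 if malformed. */
long iccp_profile_len(const uint8_t *data, uint32_t len)
{
    uint32_t name_len = 0;
    while (name_len < len && data[name_len] != 0) name_len++;
    if (name_len == 0 || name_len > 79 || name_len == len) return -1;  /* no NUL in chunk */
    if (len < name_len + 2) return -1;                                 /* would underflow */
    if (data[name_len + 1] != 0) return -1;                            /* only method 0 exists */
    return (long)(len - (name_len + 2));
}

/* Walk all chunks of an in-memory PNG. Returns the chunk count, or -1 bad
 * signature, -2 length exceeds the buffer, -3 CRC mismatch, -4 bad iCCP. */
int walk_png(const uint8_t *buf, size_t size)
{
    static const uint8_t sig[8] = {137, 'P', 'N', 'G', 13, 10, 26, 10};
    if (size < 8 || memcmp(buf, sig, 8) != 0) return -1;
    size_t off = 8;
    int count = 0;
    while (off < size) {
        if (size - off < 12) return -2;                    /* room for length + type + CRC? */
        uint32_t len = be32(buf + off);
        if (len > 0x7FFFFFFFu || len > size - off - 12) return -2;   /* the missing bound */
        const uint8_t *type = buf + off + 4, *data = buf + off + 8;
        if (png_crc(type, 4 + len) != be32(data + len)) return -3;
        if (memcmp(type, "iCCP", 4) == 0 && iccp_profile_len(data, len) < 0) return -4;
        off += 12 + len;
        count++;
    }
    return count;
}

/* Constructed samples: variant 0 valid; 1 IHDR length field lies; 2 a data
 * byte corrupted (CRC fails); 3 iCCP body with a name but no method byte. */
uint8_t sample[256];

size_t make_sample(int variant)
{
    static const uint8_t sig[8] = {137, 'P', 'N', 'G', 13, 10, 26, 10};
    static const uint8_t ihdr[13] = {0, 0, 0, 1, 0, 0, 0, 1, 8, 0, 0, 0, 0};  /* 1x1, 8-bit gray */
    static const uint8_t iccp_ok[] = {'p', 'r', 'o', 'f', 0, 0, 0x78, 0x9c, 1, 2, 3};
    static const uint8_t iccp_bad[] = {'p', 'r', 'o', 'f', 0};
    memcpy(sample, sig, 8);
    size_t n = 8 + build_chunk(sample + 8, "IHDR", ihdr, 13);
    if (variant == 3) n += build_chunk(sample + n, "iCCP", iccp_bad, sizeof iccp_bad);
    else              n += build_chunk(sample + n, "iCCP", iccp_ok, sizeof iccp_ok);
    n += build_chunk(sample + n, "IEND", NULL, 0);
    if (variant == 1) put32(sample + 8, 100000);
    if (variant == 2) sample[16] ^= 0xFF;
    return n;
}

int main(void)
{
    for (int v = 0; v < 4; v++)
        printf("variant %d: walk_png = %d\n", v, walk_png(sample, make_sample(v)));
    return 0;
}
```

The walker rejects a chunk before any handler sees it, which is where the pCAL/sCAL/tEXt/iTXt/zTXt reads above went wrong: each handler trusted the declared length and read past the data actually present. The CRC check is not a security boundary on its own (an attacker can compute it), but it stops the handlers from ever seeing a length field that disagrees with the data.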

vulnerability note CVE-2007-5365 CVE-2008-5010

OpenBSD dhcpd, ISC DHCPv2: buffer overflow

Synthesis of the vulnerability

An attacker on the local network can configure a malicious DHCP client in order to cause a buffer overflow in dhcpd.
Impacted products: Debian, OpenBSD, OpenSolaris, Solaris, Trusted Solaris, RHEL.
Severity: 3/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: LAN.
Number of vulnerabilities in this bulletin: 3.
Creation date: 10/10/2007.
Revisions dates: 11/10/2007, 29/10/2007, 05/11/2007.
Identifiers: 243806, 6619398, 6713805, BID-25984, BID-32213, CERTA-2008-AVI-552, CORE-2007-0928, CVE-2007-0063-ERROR, CVE-2007-5365, CVE-2008-5010, DSA-1388-3, RHSA-2007:0970-01, VIGILANCE-VUL-7224.

Description of the vulnerability

During the configuration of a DHCP client, the user can set the mms (max_message_size) value, which the client announces to the server as the maximum size of a DHCP packet it accepts.

The dhcpd source code defines the DHCP_FIXED_LEN macro (236 + 14 + 20 + 8), the minimum size needed to build a DHCP packet without options, including the Ethernet, IP and UDP headers.

To determine how much option data the dhcpd server can put in each packet sent to the client, DHCP_FIXED_LEN is subtracted from the mms value and the result is stored in the main_buffer_size variable.

If the mms value is less than DHCP_FIXED_LEN, main_buffer_size becomes negative; when that value is later used as a buffer length, dhcpd writes past the end of its option buffer.

An attacker on the local network can thus configure a DHCP client in order to cause a buffer overflow in dhcpd.
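The mms calculation, as an added C example that is not the dhcpd source: the unchecked subtraction beside a version that enforces the RFC 2132 minimum of 576 before subtracting, plus the option-57 parse on the server side and the TLV write that would be the overflowing one. DHCP_FIXED_LEN is the bulletin's value; the option layouts and the request bytes are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the dhcpd source. DHCP_FIXED_LEN is the bulletin's
 * value; DHCP_MIN_MMS is the minimum legal value RFC 2132 gives for the
 * Maximum DHCP Message Size option (57). */
#define DHCP_FIXED_LEN (236 + 14 + 20 + 8)   /* 278: BOOTP fixed part + Ethernet/IP/UDP headers */
#define DHCP_MIN_MMS   576

/* Vulnerable calculation: the client's 16-bit value minus a constant, with
 * no check that the client announced enough room for the fixed part. */
int main_buffer_size_unsafe(uint16_t mms)
{
    return (int)mms - DHCP_FIXED_LEN;        /* negative whenever mms < 278 */
}

/* Hardened: refuse anything below the protocol minimum before subtracting.
 * Returns the usable option space, or -1 for an out-of-range mms. */
int main_buffer_size_safe(uint16_t mms)
{
    if (mms < DHCP_MIN_MMS) return -1;
    return (int)mms - DHCP_FIXED_LEN;
}

/* Downstream, the size is treated as an unsigned length: a negative int
 * becomes a huge size_t, and any copy bounded by it runs past the buffer. */
size_t as_length(int size)
{
    return (size_t)size;
}

/* Write one TLV option into 'room' bytes of buf. Returns bytes written, or 0
 * when it does not fit. With 'room' from the unchecked calculation the fit
 * test always passes, and this is the write that overflows. */
size_t pack_option(uint8_t *buf, size_t room, uint8_t code, const uint8_t *val, uint8_t vlen)
{
    if (room < (size_t)vlen + 2) return 0;
    buf[0] = code;
    buf[1] = vlen;
    memcpy(buf + 2, val, vlen);
    return (size_t)vlen + 2;
}

/* Find option 57 in a request's option area (code, len, value ...; 0 = PAD,
 * 255 = END). Returns the announced mms, or 0 if absent or malformed. */
uint16_t find_mms(const uint8_t *opts, size_t len)
{
    size_t i = 0;
    while (i < len && opts[i] != 255) {
        if (opts[i] == 0) { i++; continue; }
        if (i + 2 > len) return 0;
        uint8_t code = opts[i], olen = opts[i + 1];
        if (i + 2 + olen > len) return 0;
        if (code == 57 && olen == 2)
            return (uint16_t)((opts[i + 2] << 8) | opts[i + 3]);
        i += 2 + olen;
    }
    return 0;
}

/* Server side: option space for a request. An absent option 57 means the
 * RFC default of 576 bytes. */
int option_space_for_request(const uint8_t *opts, size_t len)
{
    uint16_t mms = find_mms(opts, len);
    return main_buffer_size_safe(mms ? mms : DHCP_MIN_MMS);
}

/* Constructed client request options: option 57 = mms, then END. */
uint8_t client_opts[8];
uint8_t scratch[64];

size_t build_client_opts(uint16_t mms)
{
    client_opts[0] = 57; client_opts[1] = 2;
    client_opts[2] = (uint8_t)(mms >> 8); client_opts[3] = (uint8_t)mms;
    client_opts[4] = 255;
    return 5;
}

int main(void)
{
    printf("mms=100: unsafe=%d safe=%d\n", main_buffer_size_unsafe(100), main_buffer_size_safe(100));
    printf("mms=1500: option space=%d\n",
           option_space_for_request(client_opts, build_client_opts(1500)));
    return 0;
}
```

The value to remember from this one is that the check belongs at the point where the client's number enters the calculation, not at the copy: by the time main_buffer_size is handed to a memcpy as a size_t, the negative value already looks like plenty of room.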
