The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

computer vulnerability alert CVE-2007-5794

nss_ldap: user data inversion

Synthesis of the vulnerability

In some situations, nss_ldap can return data about another user.
Impacted products: Debian, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights, data reading.
Provenance: user account.
Creation date: 15/11/2007.
Identifiers: 154314, CVE-2007-5794, DSA-1430-1, MDVSA-2008:049, RHSA-2008:0389-02, RHSA-2008:0715-01, SUSE-SR:2008:003, VIGILANCE-VUL-7346.

Description of the vulnerability

The nss_ldap module gives access to the equivalent of /etc/passwd, /etc/group and /etc/hosts data stored in an LDAP directory.

When this module is used by an application linked against pthread (POSIX threads) that calls fork(), the parent and child processes share the same LDAP connection. Under concurrent queries nss_ldap therefore behaves incorrectly: the answer to one process's query is returned to the other.

For example, the passwd entry of one user can be returned in place of another user's.
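The shared-connection race described above, as an added example that is not from the bulletin or from nss_ldap: a small mock directory server stands in for LDAP, the parent process asks for one user, and a forked child asks for another over the inherited connection before the parent has read its reply. With fix=False the child receives the parent's answer; with fix=True the child notices it is not the process that opened the socket and opens its own first, which is the rule a pthread_atfork child handler enforces in C for this bug class. The server, the 16-byte frame format, the pid check and the user names are constructed for the demonstration.

```python
import os
import socket

MSG = 16  # fixed-size request/reply frames, so one recv() is exactly one message


def _serve(server_side: socket.socket, notify_w: int) -> None:
    """Constructed stand-in for the LDAP server. It answers each lookup on the
    one connection it holds, in arrival order, and writes a byte to notify_w
    once a reply is sitting in the socket buffer (used only for sequencing)."""
    while True:
        req = server_side.recv(MSG)
        if not req:  # every client-side copy of the socket has been closed
            os._exit(0)
        reply = b"rec:" + req.rstrip(b"\0")
        server_side.sendall(reply.ljust(MSG, b"\0"))
        os.write(notify_w, b"!")


class Directory:
    """One process-wide connection, the way nss_ldap kept a single LDAP handle.
    fix=False: a forked child keeps using the inherited socket.
    fix=True:  a child notices it is not the process that opened the socket
               and opens its own before its first query (what a pthread_atfork
               child handler achieves in C)."""

    def __init__(self, fix: bool) -> None:
        self.fix = fix
        self.sock = None
        self.connect()

    def connect(self) -> None:
        if self.sock is not None:
            self.sock.close()  # closes only this process's copy of the inherited fd
        client, server = socket.socketpair()
        notify_r, notify_w = os.pipe()
        if os.fork() == 0:  # server process
            client.close()
            os.close(notify_r)
            _serve(server, notify_w)
        server.close()
        os.close(notify_w)
        self.sock, self.notify_r, self.owner_pid = client, notify_r, os.getpid()

    def send(self, name: str) -> None:
        if self.fix and os.getpid() != self.owner_pid:
            self.connect()
        self.sock.sendall(name.encode().ljust(MSG, b"\0"))

    def recv(self) -> str:
        return self.sock.recv(MSG).rstrip(b"\0").decode()

    def lookup(self, name: str) -> str:
        self.send(name)
        return self.recv()


def lookup_after_fork(fix: bool) -> dict:
    """The parent asks for alice; a forked child asks for bob over the same
    connection before the parent has read its reply. Returns who got what."""
    d = Directory(fix)
    go_r, go_w = os.pipe()    # parent -> child: "your turn"
    res_r, res_w = os.pipe()  # child -> parent: the reply the child received
    pid = os.fork()
    if pid == 0:
        os.close(go_w)
        os.close(res_r)
        os.read(go_r, 1)
        got = d.lookup("bob")
        os.write(res_w, got.encode().ljust(MSG, b"\0"))
        os._exit(0)
    os.close(go_r)
    os.close(res_w)
    d.send("alice")
    os.read(d.notify_r, 1)  # alice's reply is now queued in the shared socket
    os.write(go_w, b"!")
    child_got = os.read(res_r, MSG).rstrip(b"\0").decode()
    os.waitpid(pid, 0)
    parent_got = d.recv()
    d.sock.close()
    os.close(go_w)
    os.close(res_r)
    return {"parent_asked": "alice", "parent_got": parent_got,
            "child_asked": "bob", "child_got": child_got}


if __name__ == "__main__":
    print("shared connection: ", lookup_after_fork(fix=False))
    print("reconnect in child:", lookup_after_fork(fix=True))
```

Run as a script on Linux: with the shared connection the child, having asked for bob, reads "rec:alice", and the parent then reads "rec:bob"; with the reconnect each process gets its own user's record. The replies are not corrupted, merely delivered to the wrong process, which is why this class of bug shows up as "I was logged in as someone else" rather than as a crash.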
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2007-5934

PEAR MDB2: url insertion

Synthesis of the vulnerability

By design, the PEAR MDB2 module inserts the content fetched from URLs into the database.
Impacted products: Fedora, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 15/11/2007.
Identifiers: 10024, BID-26382, CVE-2007-5934, FEDORA-2007-3369, FEDORA-2007-3376, VIGILANCE-VUL-7345.

Description of the vulnerability

The PEAR MDB2 module is installed in a PHP environment and provides a database abstraction layer.

When a blob field contains a URL, MDB2 downloads it and stores the retrieved document in the database instead of the URL string itself. The URL can use "http://" to fetch a web document or "file://" to read a local file.

For example, if MDB2 is used to store comments entered by users on a web site, an attacker can submit the URL "file:///etc/passwd" as a comment to make MDB2 store the content of that file in the database. When the attacker later views his comment, he obtains the content of the passwd file.

An attacker can therefore read local files, or have the server fetch web documents, depending on how MDB2 is used.
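The scenario above, as an added example (Python with SQLite standing in for PHP and MDB2; this is not MDB2's code): quote_lob_vulnerable reconstructs the described behaviour by dereferencing any value that looks like a URL through urlopen(), which accepts file:// as well as http://, while quote_lob_fixed stores the value as opaque bytes. The attack is run against a temporary file holding constructed passwd-like content rather than the real /etc/passwd; the table, function names and sample data are constructed for the demonstration.

```python
import os
import re
import sqlite3
import tempfile
from urllib.request import urlopen

# Constructed sample of what the attacker hopes to read; the real /etc/passwd is never touched.
SAMPLE_PASSWD = (b"root:x:0:0:root:/root:/bin/bash\n"
                 b"www-data:x:33:33::/var/www:/usr/sbin/nologin\n")

# Any "scheme://" prefix, roughly what a stream-wrapper-aware fopen() accepts.
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def quote_lob_vulnerable(value: str) -> bytes:
    """Reconstruction of the behaviour described above, not MDB2's code: a blob
    value that looks like a URL is dereferenced and the fetched document is what
    gets stored. urlopen() resolves file:// as readily as http://, which is the
    whole problem."""
    if URL_RE.match(value):
        with urlopen(value) as resource:
            return resource.read()
    return value.encode()


def quote_lob_fixed(value) -> bytes:
    """Hardened form: user-supplied data is opaque bytes. Loading a blob from a
    URL, if an application needs it at all, must be an explicit separate call,
    never inferred from the shape of the value."""
    return value.encode() if isinstance(value, str) else bytes(value)


def post_and_review(quote_lob, comment: str) -> bytes:
    """Store one user comment through the given quoting function in an in-memory
    SQLite table and read it back, as the comment page in the example would."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body BLOB)")
    db.execute("INSERT INTO comments (body) VALUES (?)", (quote_lob(comment),))
    (stored,) = db.execute("SELECT body FROM comments WHERE id = 1").fetchone()
    db.close()
    return bytes(stored)


def demo(quote_lob) -> tuple:
    """Play the attack against a temporary file standing in for /etc/passwd.
    Returns (submitted comment, what the attacker reads back)."""
    fd, path = tempfile.mkstemp(prefix="passwd-sample-")
    try:
        os.write(fd, SAMPLE_PASSWD)
        os.close(fd)
        comment = "file://" + path  # the attacker's "comment"
        return comment, post_and_review(quote_lob, comment)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    submitted, leaked = demo(quote_lob_vulnerable)
    print("vulnerable:", submitted, "->", leaked)
    submitted, kept = demo(quote_lob_fixed)
    print("fixed:     ", submitted, "->", kept)
```

The same pattern with an "http://" comment turns the database layer into a server-side fetcher, so the fixed version does not try to recognise "safe" schemes: data coming from a user is stored as data, full stop.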

vulnerability note CVE-2007-6044

IBM WebSphere MQ: several memory corruptions

Synthesis of the vulnerability

A remote attacker can exploit six memory corruption vulnerabilities in IBM WebSphere MQ 6.0.
Impacted products: MQSeries, WebSphere MQ.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: intranet client.
Creation date: 14/11/2007.
Identifiers: BID-26441, CVE-2007-6044, VIGILANCE-VUL-7344.

Description of the vulnerability

A remote attacker can exploit six memory corruption vulnerabilities in IBM WebSphere MQ 6.0.

vulnerability bulletin CVE-2007-5904

Linux kernel: buffer overflow of CIFS VFS

Synthesis of the vulnerability

A malicious CIFS server can trigger a buffer overflow in the kernel's CIFS client.
Impacted products: Debian, Linux, NLD, OES, openSUSE, RHEL, SLES.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: intranet server.
Creation date: 14/11/2007.
Identifiers: BID-26438, CVE-2007-5904, DSA-1428-1, RHSA-2008:0089-01, RHSA-2008:0167-01, SUSE-SA:2007:063, SUSE-SA:2007:064, SUSE-SA:2008:013, SUSE-SA:2008:017, SUSE-SA:2008:030, SUSE-SU-2011:0928-1, VIGILANCE-VUL-7343.

Description of the vulnerability

The kernel implements a CIFS/SMB client used to mount remote shares.

The SendReceive() function in fs/cifs/transport.c does not correctly check the size of received data, which leads to a buffer overflow.

An attacker can therefore cause a denial of service, and possibly execute code, on the computers of victims that connect to a malicious or compromised CIFS server.

vulnerability announce 7342

Oracle DB: access during installation

Synthesis of the vulnerability

An attacker can connect as SYS or SYSTEM during installation of the database.
Impacted products: Oracle DB.
Severity: 1/4.
Consequences: privileged access/rights.
Provenance: intranet client.
Creation date: 14/11/2007.
Identifiers: BID-26425, VIGILANCE-VUL-7342.

Description of the vulnerability

During database installation, a default password is set for the SYS and SYSTEM users. This password is changed at the end of the installation.

Depending on the installation method, there is a window of 20 seconds to 2 minutes during which an attacker can log in to these accounts with the default password.

When the server is connected to the network during installation, an attacker can therefore log in to the database.

vulnerability alert CVE-2007-3898

Windows DNS: predictability of query ids

Synthesis of the vulnerability

An attacker can predict query ids in order, for example, to poison the DNS server cache.
Impacted products: Windows 2000, Windows 2003.
Severity: 3/4.
Consequences: data creation/edition.
Provenance: internet server.
Creation date: 14/11/2007.
Identifiers: 941672, BID-25919, CERTA-2007-AVI-490, CVE-2007-3898, MS07-062, VIGILANCE-VUL-7341, VU#484649.

Description of the vulnerability

The DNS protocol uses a 16-bit identifier to match an answer to its query. An attacker who can predict this identifier can send forged answers and thus poison the server's cache.

Windows DNS server generates the identifier of query "n+1" with the following algorithm:
 - bits 14 to 15: always zero
 - bits 11 to 13: random
 - bits 3 to 10: n mod 256
 - bits 0 to 2: function(n)
This implementation is weak: only three bits are unpredictable. An attacker who knows the previous identifier has, in the best case, one chance in 8 (2^3) of guessing the next one, instead of one in 65536 (2^16) for a properly random 16-bit identifier.

An attacker who has captured a single DNS packet can therefore poison the DNS server's cache.
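The identifier layout above, as an added example that is not from the bulletin: a Python model of the described generator and the prediction an attacker makes from one captured id. The bulletin does not say what function(n) is; the model assumes the attacker's best case, a function computable from what the captured id already reveals (here simply n mod 8), so only the three random bits remain unknown and eight forged answers cover every possible next id. The function names and the simulation are constructed for this example.

```python
import secrets

ID_SPACE = 1 << 16  # a DNS transaction id is 16 bits


def f(n: int) -> int:
    """Stand-in for the unspecified function(n) of the description. The
    bulletin does not define it; the attacker's best case is a function he can
    compute from the low 8 bits of n he already knows, which this assumed form is."""
    return n & 7


def windows_txid(n: int) -> int:
    """Layout described above for the query that follows query n:
    bits 14-15 zero, bits 11-13 random, bits 3-10 = n mod 256, bits 0-2 = function(n)."""
    return (secrets.randbelow(8) << 11) | ((n & 0xFF) << 3) | (f(n) & 7)


def counter_from_txid(txid: int) -> int:
    """What a single captured id reveals: the counter n modulo 256."""
    return (txid >> 3) & 0xFF


def predict_next(observed: int) -> list:
    """Every id the server can emit next, given one captured id. Only the three
    random bits are unknown, so there are 2**3 = 8 candidates."""
    n_next = (counter_from_txid(observed) + 1) & 0xFF
    fixed_bits = (n_next << 3) | (f(n_next) & 7)
    return [fixed_bits | (rnd << 11) for rnd in range(8)]


def spoof_success(forged_answers: int, candidates: int) -> float:
    """Probability that a burst of distinct forged answers hits the real id."""
    return min(1.0, forged_answers / candidates)


def simulate(trials: int = 1000) -> float:
    """Fraction of trials in which the real next id is among the 8 predictions."""
    hits = 0
    n = secrets.randbelow(1 << 20)  # the attacker does not know the absolute counter
    for _ in range(trials):
        captured = windows_txid(n)
        if windows_txid(n + 1) in predict_next(captured):
            hits += 1
        n += 1
    return hits / trials


if __name__ == "__main__":
    seen = windows_txid(1234)
    print("captured id: 0x%04x  candidates for next: %s"
          % (seen, ["0x%04x" % c for c in predict_next(seen)]))
    print("one forged answer: %.4f vs %.8f for a random 16-bit id"
          % (spoof_success(1, 8), spoof_success(1, ID_SPACE)))
    print("prediction hit rate:", simulate())
```

The 8-candidate list is the whole attack: one burst of eight forged answers per query is enough, where a properly random id would need tens of thousands to reach the same odds.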

vulnerability CVE-2007-5667

Novell Client: privilege elevation via NWFILTER.SYS

Synthesis of the vulnerability

A local attacker can execute code in the kernel via a vulnerability in NWFILTER.SYS.
Impacted products: Novell Client.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 13/11/2007.
Revision date: 14/11/2007.
Identifiers: 3260263, BID-26420, CVE-2007-5667, VIGILANCE-VUL-7340.

Description of the vulnerability

The %systemroot%\System32\netware\NWFILTER.SYS driver filters requests for network resources (UNC Path Filter) so as not to create redundant connections.

This driver exposes the "\\.\nwfilter" device. However, any user can open it and send IOCTLs, and these IOCTLs do not check that the addresses they receive lie in user space. An attacker can therefore supply a kernel address to make the driver write to it, and thus corrupt kernel memory.

A local attacker can therefore elevate his privileges.

computer vulnerability note 7339

Oracle DB: privilege elevation via BECOME USER

Synthesis of the vulnerability

An attacker with the DBA or IMP_FULL_DATABASE role can become SYSDBA.
Impacted products: Oracle DB.
Severity: 1/4.
Consequences: privileged access/rights.
Provenance: user account.
Creation date: 13/11/2007.
Identifiers: VIGILANCE-VUL-7339.

Description of the vulnerability

The DBA and IMP_FULL_DATABASE roles hold the "BECOME USER" privilege, which allows switching identity. The identity change is performed by sys.kupp$proc.change_user(), which notably refuses to become SYSDBA but allows becoming SYS.

An attacker can therefore become SYS, which allows modifying _oradbg_pathname, which defines a debugger to be run with database privileges. The attacker can then become SYSDBA through this debugger.

An attacker with the "BECOME USER" privilege can therefore become SYSDBA.

computer vulnerability bulletin CVE-2007-5395

Link Grammar: buffer overflow of separate_sentence

Synthesis of the vulnerability

An attacker can create a malicious document in order to execute code on the computers of Link Grammar users.
Impacted products: Debian, Fedora, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 13/11/2007.
Identifiers: 2007-78, CVE-2007-5395, DSA-1432-1, FEDORA-2007-3235, FEDORA-2007-3339, VIGILANCE-VUL-7338.

Description of the vulnerability

The Link Grammar tool parses English documents in order to check their grammar.

When a word is longer than 61 characters, the separate_word() function in link-grammar/tokenize.c mishandles it, which leads to a buffer overflow in the separate_sentence() function.

An attacker can therefore create a malicious document in order to execute code on the computers of Link Grammar users.

computer vulnerability announce CVE-2007-5770

Ruby: incorrect validation of SSL certificate

Synthesis of the vulnerability

Several Ruby libraries do not check the name of the remote server against its certificate.
Impacted products: Debian, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: data reading.
Provenance: internet server.
Creation date: 13/11/2007.
Identifiers: 362081, BID-26421, CVE-2007-5770, DSA-1410-1, DSA-1411-1, DSA-1412-1, MDVSA-2008:029, RHSA-2007:0961-01, RHSA-2007:0965-01, SUSE-SR:2007:024, VIGILANCE-VUL-7337.

Description of the vulnerability

Several Ruby libraries implement SSL features: Net::FTPTLS, Net::Telnets, Net::IMAP, Net::POP and Net::SMTP.

However, these libraries do not check that the Common Name in the server certificate matches the server's DNS name.

An attacker can therefore substitute a malicious server for the legitimate one, presenting a different certificate signed by the same authority. The victim is not warned that the connection went to a malicious server.
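The missing check, as an added example in Python rather than Ruby (example code, not taken from the Ruby libraries): a hostname match against a certificate's dNSName entries and Common Name, using the dict shape Python's ssl.SSLSocket.getpeercert() returns, applied to two constructed certificates from the scenario above that both chain to the same trusted CA while only one names the host. The certificate dicts, host names and helper functions are constructed for the demonstration.

```python
def _match_dns_name(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored, and a
    wildcard is accepted only as the entire left-most label with at least two
    labels after it (so "*.example.org" is fine, "*.org" is not)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_peer_identity(cert: dict, hostname: str) -> bool:
    """The check the Ruby libraries skipped: does the certificate name the host
    we meant to reach? `cert` follows ssl.SSLSocket.getpeercert(): subjectAltName
    as (type, value) pairs, subject as a tuple of RDNs. dNSName entries take
    precedence; the Common Name is consulted only when no dNSName is present."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(_match_dns_name(name, hostname) for name in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _match_dns_name(value, hostname)
    return False


def accept_connection(chain_valid: bool, cert: dict, hostname: str) -> bool:
    """Both conditions are required. The vulnerable libraries stopped after the
    first, so any certificate issued by a trusted CA was accepted for any host."""
    return chain_valid and verify_peer_identity(cert, hostname)


# Constructed certificates (only the fields that matter here), both imagined as
# issued by the same trusted CA, so chain validation succeeds for either.
LEGIT_CERT = {
    "subject": ((("commonName", "imap.example.org"),),),
    "subjectAltName": (("DNS", "imap.example.org"), ("DNS", "mail.example.org")),
}
ATTACKER_CERT = {
    "subject": ((("commonName", "evil.example.net"),),),
    "subjectAltName": (("DNS", "evil.example.net"),),
}
WILDCARD_CERT = {"subject": ((("commonName", "*.example.org"),),)}  # legacy CN-only certificate

if __name__ == "__main__":
    host = "imap.example.org"
    print("legitimate server:", accept_connection(True, LEGIT_CERT, host))     # True
    print("attacker, same CA:", accept_connection(True, ATTACKER_CERT, host))  # False
```

In Ruby the equivalent call is OpenSSL::SSL::SSLSocket#post_connection_check(hostname), made after the handshake; a chain that verifies against a trusted CA says nothing about which host the certificate was issued to.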
