The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

computer vulnerability alert CVE-2007-6043

Windows: weakness in random generator

Synthesis of the vulnerability

An unprivileged local attacker can rebuild the state of the Windows pseudo random number generator.
Impacted products: Windows 2000, Windows 2003, Windows XP.
Severity: 1/4.
Consequences: data reading.
Provenance: user account.
Creation date: 20/11/2007.
Identifiers: BID-26495, CVE-2007-6043, VIGILANCE-VUL-7356.

Description of the vulnerability

The CryptGenRandom() function of the Windows cryptographic API provides a pseudo random number generator (PRNG).

A local attacker can obtain the state of this generator. He can thus infer past random numbers or predict future random numbers, in a range of 128 Kbytes.

For example, an attacker could compute cryptographic keys generated on the system.

computer vulnerability CVE-2007-5925

MySQL: denial of service via CONTAINS

Synthesis of the vulnerability

An authenticated attacker can use a SQL query with CONTAINS in order to stop the database.
Impacted products: Debian, Fedora, Mandriva Linux, MySQL Community, MySQL Enterprise, NLD, OES, openSUSE, Percona Server, RHEL, SLES.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: user account.
Creation date: 20/11/2007.
Identifiers: BID-26353, CVE-2007-5925, DSA-1413-1, FEDORA-2007-4465, FEDORA-2007-4471, MDKSA-2007:243, RHSA-2007:1155-01, RHSA-2007:1157-01, SUSE-SR:2008:003, VIGILANCE-VUL-7355.

Description of the vulnerability

The CONTAINS function searches the content of a column. For example:
  SELECT * FROM mytable WHERE CONTAINS(mycolumn, 'value');

When the InnoDB engine of MySQL is used and the column is indexed, using CONTAINS triggers an error in the convert_search_mode_to_innobase() function of the ha_innodb.cc file. This error stops the database.

An authenticated attacker can therefore create a denial of service.

vulnerability note CVE-2006-7230

PCRE: overflow of regular expressions

Synthesis of the vulnerability

When an attacker can change the regular expression used by a program, he can corrupt its memory, for example in order to execute code.
Impacted products: Debian, NLD, OES, openSUSE, RHEL, Snort, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Creation date: 19/11/2007.
Identifiers: BID-26550, CERTA-2008-AVI-239, CVE-2006-7230, DSA-1570-1, RHSA-2007:1059-01, RHSA-2007:1068-01, SUSE-SA:2007:062, SUSE-SA:2008:004, VIGILANCE-VUL-7354.

Description of the vulnerability

The PCRE library implements Perl compatible regular expressions (different from POSIX regular expressions).

A regular expression can indicate a modifier, such as 'i' (case insensitive) or 'x' (ignore comments). For example:
  /hello/i

The modifier can be changed in the expression. For example:
  /hel(?i)lo(-i)/

However, PCRE incorrectly computes the memory size required when the 'i' and 'x' modifiers are changed inside the expression, which leads to an overflow.

When an attacker can change the regular expression used by a program, he can thus corrupt its memory in order to execute code or to create a denial of service.

vulnerability bulletin CVE-2007-5501

Linux kernel: denial of service of tcp_sacktag_write_queue

Synthesis of the vulnerability

An attacker can send a packet with SACK in order to create a denial of service.
Impacted products: Fedora, Linux, Mandriva Linux, openSUSE, SLES.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: internet client.
Creation date: 19/11/2007.
Identifiers: BID-26474, CVE-2007-5501, FEDORA-2007-3751, FEDORA-2007-3837, FEDORA-2007-759, MDVSA-2008:044, SUSE-SA:2007:063, SUSE-SA:2008:013, VIGILANCE-VUL-7353.

Description of the vulnerability

RFC 2018 defines an extension to the TCP protocol to acknowledge parts of the received data (Selective Acknowledgement, SACK).

The tcp_sacktag_write_queue() function of the net/ipv4/tcp_input.c file handles the retransmission queue. The tp->packets_out pointer is set by tcp_write_queue_head(). However, in some cases this pointer can be NULL, which generates an error in tcp_sacktag_write_queue().

An attacker can therefore create a TCP session and inject a packet with a special SACK in order to create a denial of service.

vulnerability announce CVE-2007-5500

Linux kernel: denial of service of wait_task_stopped

Synthesis of the vulnerability

A local attacker can create a denial of service via an error of wait_task_stopped().
Impacted products: Debian, Fedora, Linux, Mandriva Linux, openSUSE, RHEL, SLES.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 19/11/2007.
Identifiers: BID-26477, CVE-2007-5500, DSA-1428-1, FEDORA-2007-3751, FEDORA-2007-3837, FEDORA-2007-759, MDVSA-2008:008, MDVSA-2008:044, MDVSA-2008:112, RHSA-2008:0055-01, SUSE-SA:2007:063, SUSE-SA:2008:013, SUSE-SA:2008:030, SUSE-SA:2008:032, VIGILANCE-VUL-7352.

Description of the vulnerability

The wait_task_stopped() function of the kernel/exit.c file handles kernel tasks in the TASK_STOPPED state.

The 14bf01bb0599c89fc7f426d20353b76e12555308 patch of 1 October 2005 incorrectly replaced a condition in this function. Indeed:
  p->state > TASK_STOPPED
was replaced by:
  p->state & TASK_TRACED

A local attacker can therefore trace a process in order to create a denial of service.

vulnerability alert CVE-2007-6591 CVE-2007-6592 CVE-2008-2809

Firefox, Netscape: spoofing via subjectAltName dNSName

Synthesis of the vulnerability

An attacker can create an SSL certificate using the subjectAltName:dNSName extension for which no warning dialog is displayed.
Impacted products: Firefox, SeaMonkey, Mozilla Suite.
Severity: 1/4.
Consequences: data flow.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 3.
Creation date: 19/11/2007.
Revision date: 20/11/2007.
Identifiers: BID-26501, CVE-2007-6590-REJECT, CVE-2007-6591, CVE-2007-6592, CVE-2008-2809, VIGILANCE-VUL-7351.

Description of the vulnerability

The subjectAltName extension family adds additional information to an X.509 certificate.

The subjectAltName:dNSName extension indicates a list of domain names. For example:
 - subjectAltName:dNSName=www.personalpage.dom
 - subjectAltName:dNSName=www.bank.dom
This certificate can thus be used for both domains.

This field can contain "*" or "*.org" in order to encompass several names. [severity:1/4]

This field is generally not displayed, which can lead the victim to accept a certificate for "www.personalpage.dom" whereas it also contains "www.bank.dom". [severity:1/4]

Moreover, browsers of the Firefox family do not associate the certificate with the origin web site. Thus, an attacker can invite the victim to accept the certificate for an unimportant web site such as "www.personalpage.dom". Then the attacker can, for example, use a DNS attack to redirect the victim to a fake "www.bank.dom" web site with the same certificate. When the victim lands on this site, no message warns him that the certificate is new. [severity:1/4]

An attacker can therefore create phishing attacks.

vulnerability CVE-2007-6026

Microsoft Jet: buffer overflow via Access

Synthesis of the vulnerability

An attacker can use a buffer overflow of the Microsoft Jet Database Engine to run code on the computer.
Impacted products: Office, Access, Outlook, Windows 2000, Windows 2003, Windows XP.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 19/11/2007.
Identifiers: 950749, BID-26468, CERTA-2008-AVI-244, CVE-2007-6026, MS08-028, TPTI-08-04, VIGILANCE-VUL-7350.

Description of the vulnerability

The Microsoft Jet database engine is used by the Office suite. The msjet40.dll DLL handles user requests.

When the victim opens a malicious Access (.mdb) file, a stack overflow occurs in msjet40.dll. It leads to code execution.

This vulnerability therefore permits an attacker to run code on the computers of victims who open a malicious file.

computer vulnerability note CVE-2007-6277 CVE-2007-6278 CVE-2007-6279

FLAC: several vulnerabilities

Synthesis of the vulnerability

Several memory corruptions in FLAC permit an attacker to execute code on the victim's computer.
Impacted products: Debian, Fedora.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 14.
Creation date: 16/11/2007.
Identifiers: AD20071115, CERTA-2002-AVI-163, CVE-2007-6277, CVE-2007-6278, CVE-2007-6279, DSA-1469-1, FEDORA-2007-2596, VIGILANCE-VUL-7349, VU#544656.

Description of the vulnerability

The FLAC/libFLAC library implements the FLAC (Free Lossless Audio Codec) audio format. It contains several vulnerabilities.

An attacker can use a negative Metadata Block size in order to corrupt the memory. [severity:2/4; CVE-2007-6277]

An attacker can use a negative VORBIS comment size in order to corrupt the memory. [severity:2/4; CVE-2007-6277]

An attacker can use a long VORBIS comment in order to create a stack overflow. [severity:2/4; CVE-2007-6277]

An attacker can use a negative MIME-Type field size in order to corrupt the memory. [severity:2/4; CVE-2007-6277]

An attacker can use a long MIME-Type in order to create a stack overflow. [severity:2/4; CVE-2007-6277]

An attacker can use a negative image description size in order to corrupt the memory. [severity:2/4; CVE-2007-6277]

An attacker can use a long image description in order to create a heap overflow. [severity:2/4; CVE-2007-6277]

An attacker can use a long image description in order to create a stack overflow. [severity:2/4; CVE-2007-6277]

An attacker can use a negative image data size in order to corrupt the memory. [severity:2/4; CVE-2007-6277]

An attacker can use a long URL in order to create a stack overflow. [severity:2/4; CVE-2007-6277]

An attacker can use the "-->" MIME type in order to force the download of a malicious file. [severity:2/4; CVE-2007-6278]

An attacker can use a negative padding size in order to corrupt the memory. [severity:2/4; CVE-2007-6277]

An attacker can use an out of range Seektable value in order to create a double memory free. [severity:2/4; CVE-2007-6279]

An attacker can use a malformed Seektable value in order to create a double memory free. [severity:2/4; CVE-2007-6279]

An attacker can therefore create a malicious audio file and invite the victim to play it with software linked to libFLAC in order to execute code.

computer vulnerability bulletin CVE-2007-5944

WebSphere AS 5.1.1: Cross Site Scripting of Expect

Synthesis of the vulnerability

An attacker can create a Cross Site Scripting attack via the Expect header.
Impacted products: WebSphere AS Traditional.
Severity: 1/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 15/11/2007.
Identifiers: 4017314, BID-26457, CVE-2007-5944, PK51068, VIGILANCE-VUL-7348.

Description of the vulnerability

The Expect header of the HTTP protocol (RFC 2616) declares a special behaviour that the client requests from the server, such as "100-continue".

The WebContainer does not filter the Expect header before returning it to the client.

A Cross Site Scripting attack may then be created.

This vulnerability is similar to VIGILANCE-VUL-5819.

computer vulnerability announce CVE-2007-4572 CVE-2007-5398

Samba: vulnerabilities of nmbd

Synthesis of the vulnerability

Two vulnerabilities of nmbd permit a remote attacker to create a denial of service or to execute code.
Impacted products: Debian, Fedora, HP-UX, Mandriva Linux, NLD, OES, openSUSE, Solaris, RHEL, Samba, Slackware, SLES, ESX.
Severity: 2/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 15/11/2007.
Identifiers: 2007-90, 237764, 6630358, BID-26454, BID-26455, c01377687, CERTA-2007-AVI-502, CERTA-2008-AVI-337, CVE-2007-4572, CVE-2007-5398, DSA-1409-1, DSA-1409-2, DSA-1409-3, FEDORA-2007-3402, FEDORA-2007-3403, FEDORA-2007-751, HPSBUX02316, MDKSA-2007:224, RHSA-2007:1013-01, RHSA-2007:1016-01, RHSA-2007:1017-01, SSA:2007-320-01, SSRT071495, SUSE-SA:2007:065, VIGILANCE-VUL-7347, VMSA-2008-0001, VMSA-2008-0001.1.

Description of the vulnerability

Two vulnerabilities affect the nmbd daemon of Samba.

When "domain logons" and "domain master" are enabled in smb.conf, the server accepts GETDC (Get Domain Controller) queries. However, nmbd does not correctly check the received name, which generates an error in source/nmbd/nmbd_processlogon.c. This error stops nmbd. [severity:2/4; BID-26454, CERTA-2007-AVI-502, CERTA-2008-AVI-337, CVE-2007-4572]

When "wins support" is enabled in smb.conf, the WINS server of nmbd is active. An attacker can send several "WINS Name Registration" queries in order to register malicious names. Then he can send a "WINS Name Query" in order to obtain these names. However, during the construction of the answer, an overflow occurs in the reply_netbios_packet() function of nmbd/nmbd_packets.c. An attacker can therefore execute code. [severity:2/4; 2007-90, BID-26455, CVE-2007-5398]
