The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

computer vulnerability announce CVE-2008-5138

pam_mount: file corruption via passwdehd

Synthesis of the vulnerability

A local attacker can force the corruption of a file when passwdehd of pam_mount is used.
Impacted products: Mandriva Linux, NLD, openSUSE, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: data creation/edition.
Provenance: user shell.
Creation date: 12/01/2009.
Identifiers: CVE-2008-5138, MDVSA-2009:004, SUSE-SR:2009:005, VIGILANCE-VUL-8377.

Description of the vulnerability

The pam_mount module is used to mount a volume after the authentication of a user.

The passwdehd script installed with pam_mount can be used by the administrator to change the password of an encrypted volume.

This script creates a temporary file named "/tmp/passwdehd.$$" (where $$ is replaced by the pid) and accesses it in an insecure manner.

A local attacker can therefore create a symbolic link when the administrator uses passwdehd, in order to force a file to be corrupted with root privileges.

computer vulnerability alert CVE-2009-0041

Asterisk: user detection via IAX2

Synthesis of the vulnerability

An attacker can use information returned during the IAX2 authentication in order to detect if a user name is valid.
Impacted products: Asterisk Open Source, Debian, Fedora.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 09/01/2009.
Identifiers: AST-2009-001, BID-33174, CERTA-2009-AVI-010, CVE-2009-0041, DSA-1952-1, FEDORA-2009-0973, FEDORA-2009-0984, VIGILANCE-VUL-8376.

Description of the vulnerability

The Asterisk product implements the IAX2 protocol (Inter-Asterisk Exchange version 2) to carry media streams over IP.

IAX2 authentication supports several methods:
 - IAX_AUTH_PLAINTEXT: plaintext password
 - IAX_AUTH_MD5: MD5 hash
 - IAX_AUTH_RSA: RSA encryption

When the user name is invalid, the error response advertises plaintext authentication. When the user name is valid but the password is invalid, the error response advertises one of the authentication methods configured for that user.

An attacker can therefore use this difference in order to detect if the username is valid. The attacker can thus construct a list of valid users.

computer vulnerability CVE-2008-4388 CVE-2008-4827 CVE-2008-5260

IE: vulnerabilities of several ActiveX of January 2009

Synthesis of the vulnerability

Several ActiveX can be used by a remote attacker to generate a denial of service or to execute code.
Impacted products: IE.
Severity: 2/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: document.
Number of vulnerabilities in this bulletin: 22.
Creation date: 07/01/2009.
Revisions dates: 13/01/2009, 16/01/2009, 20/01/2009, 23/01/2009, 27/01/2009.
Identifiers: BID-33148, BID-33222, BID-33233, BID-33238, BID-33243, BID-33245, BID-33247, BID-33272, BID-33318, BID-33345, BID-33348, BID-33349, BID-33408, BID-33451, BID-33453, BID-33469, BID-33515, CERTA-2009-AVI-019, CVE-2008-4388, CVE-2008-4827, CVE-2008-5260, CVE-2009-0134, CVE-2009-0298, CVE-2009-0301, CVE-2009-0389, SYM09-001, VIGILANCE-VUL-8375, VU#194505.

Description of the vulnerability

Several ActiveX can be used by a remote attacker to generate a denial of service or to execute code.

An attacker can generate an overflow in the AddTab() method of the ComponentOne SizerOne c1sizer.ocx ActiveX in order to execute code on victim's computer. [severity:2/4; BID-33148, CVE-2008-4827]

An attacker can generate an overflow in the AddTab() method of the TSC2 Help Desk CTab c1sizer.ocx ActiveX in order to execute code on victim's computer. [severity:2/4; BID-33148, CVE-2008-4827]

An attacker can generate an overflow in the AddTab() method of the SAP GUI TabOn sizerone.ocx ActiveX in order to execute code on victim's computer. [severity:2/4; BID-33148, CVE-2008-4827]

An attacker can use the Save() and HttpDownloadFile() methods of the Excel Viewer OCX 3.2 ActiveX in order to alter a file on victim's computer. [severity:1/4; BID-33222]

An attacker can use the SaveToFile() method of the Ciansoft PDFBuilderX ActiveX in order to create a file on victim's computer. [severity:2/4; BID-33233]

An attacker can use the Save() method of the PowerPoint Viewer ActiveX in order to create a file on victim's computer. [severity:1/4; BID-33238]

An attacker can use the OpenWebFile() method of the PowerPoint Viewer ActiveX in order to execute code on victim's computer. [severity:2/4; BID-33243]

An attacker can use the OpenWebFile() method of the Word Viewer ActiveX in order to execute code on victim's computer. [severity:2/4; BID-33243]

An attacker can use the OpenWebFile() method of the Excel Viewer ActiveX in order to execute code on victim's computer. [severity:2/4; BID-33243]

An attacker can use the OpenWebFile() method of the Office Viewer ActiveX in order to execute code on victim's computer. [severity:2/4; BID-33245]

An attacker can use the DoSaveFile() method of the AAA EasyGrid ActiveX in order to create a file on victim's computer. [severity:1/4; BID-33272, CVE-2009-0134]

An attacker can use the Symantec AppStream LaunchObj ActiveX to create a file on victim's computer. [severity:2/4; BID-33247, CERTA-2009-AVI-019, CVE-2008-4388, SYM09-001, VU#194505]

An attacker can use the SaveToBMP() method of the MetaProducts MetaTreeX ActiveX in order to create a file on victim's computer. [severity:2/4; BID-33318]

An attacker can use the SaveMaskToFile() method of the SmartVmd ActiveX in order to create a file on victim's computer. [severity:1/4; BID-33348]

An attacker can use the StartVideoSaving() method of the SmartVmd ActiveX in order to delete a file from victim's computer. [severity:1/4; BID-33349]

An attacker can use the SaveToFile() method of the JamDTA ActiveX in order to create a file on victim's computer. [severity:1/4; BID-33345]

An attacker can create a buffer overflow in the image_pan_tilt property of the AXIS Camera CamImage.CamImage.1 ActiveX in order to execute code on victim's computer. [severity:2/4; BID-33408, CVE-2008-5260]

An attacker can use the SaveFile() method of the FlexCell Grid ActiveX in order to create a file on victim's computer. [severity:1/4; BID-33453, CVE-2009-0301]

An attacker can create a buffer overflow in the Supplement parameter of the MW6 Barcode Barcode.dll ActiveX in order to execute code on victim's computer. [severity:1/4; BID-33451, CVE-2009-0298]

An attacker can use the CreateTiff() method of the HtmlCapture HtmlCapture.dll ActiveX in order to create a file on victim's computer. [severity:1/4]

An attacker can use the CreateFile() method of the NCTVideoStudio ActiveX in order to create a file on victim's computer. [severity:1/4; BID-33469]

An attacker can use the WriteIniFileString() and ShellExecute() methods of the Web on Windows WoW ActiveX in order to create a file on victim's computer, or to execute code. [severity:2/4; BID-33515, CVE-2009-0389]

vulnerability note CVE-2009-0021

NTP: incorrect usage of OpenSSL EVP_VerifyFinal

Synthesis of the vulnerability

The NTP server incorrectly uses the EVP_VerifyFinal() function of OpenSSL, which can be used by an attacker to bypass the signature check.
Impacted products: Debian, Fedora, FreeBSD, Mandriva Linux, Mandriva NF, McAfee Email and Web Security, Meinberg NTP Server, NLD, NTP.org, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SLES.
Severity: 3/4.
Consequences: data flow, disguisement.
Provenance: internet server.
Creation date: 07/01/2009.
Identifiers: CVE-2009-0021, DSA-1702-1, FEDORA-2009-0544, FEDORA-2009-0547, FreeBSD-SA-09:03.ntpd, KB76646, MDVSA-2009:007, ocert-2008-016, RHSA-2009:0046-01, SSA:2009-014-03, SUSE-SR:2009:005, SUSE-SR:2009:008, VIGILANCE-VUL-8374.

Description of the vulnerability

The NTP server can authenticate packets; to do so, it is compiled with OpenSSL.

The EVP_VerifyFinal() function returns:
 - +1 if the signature is valid
 - 0 if the signature is invalid
 - -1 if an unexpected error occurred

However, instead of using:
  if (EVP_VerifyFinal(...) <= 0) error;
NTP uses:
  if (!EVP_VerifyFinal(...)) error;
Because -1 is non-zero, unexpected errors are thus handled as valid signatures.

An attacker can therefore set up a malicious NTP server presenting an invalid signature, which is accepted.

This vulnerability is similar to VIGILANCE-VUL-8371.

vulnerability announce CVE-2009-0025 CVE-2009-0265

BIND: incorrect usage of OpenSSL DSA_verify

Synthesis of the vulnerability

The BIND server incorrectly uses the DSA_verify() function of OpenSSL, which can be used by an attacker to bypass the signature check.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, AIX, BIND, Mandriva Linux, Mandriva NF, NetBSD, NLD, OES, OpenBSD, OpenSolaris, openSUSE, Solaris, RHEL, Slackware, SLES, TurboLinux, ESX.
Severity: 3/4.
Consequences: data flow, disguisement.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 2.
Creation date: 07/01/2009.
Revision date: 08/01/2009.
Identifiers: 250846, 6791029, BID-33151, CERTA-2011-AVI-616, CVE-2009-0025, CVE-2009-0265, DSA-1703-1, FEDORA-2009-0350, FEDORA-2009-0451, FreeBSD-SA-09:04.bind, IV09491, IV09978, IV10049, IV11742, IV11743, IV11744, MDVSA-2009:002, MDVSA-2009:037, ocert-2008-016, RHSA-2009:0020-01, SOL11503, SSA:2009-014-02, SSA:2009-015-01, SUSE-SA:2009:005, TLSA-2009-4, VIGILANCE-VUL-8372, VMSA-2009-0004, VMSA-2009-0004.1, VMSA-2009-0004.2, VMSA-2009-0004.3.

Description of the vulnerability

The BIND server can use the DNSSEC protocol to authenticate DNS packets; to do so, it is compiled with OpenSSL.

The DSA_verify() function returns:
 - +1 if the signature is valid
 - 0 if the signature is invalid
 - -1 if an unexpected error occurred

However, instead of using:
  if (DSA_verify(...) <= 0) error;
BIND uses:
  if (!DSA_verify(...)) error;
Because -1 is non-zero, unexpected errors are thus handled as valid signatures.

An attacker can therefore set up a malicious DNS server presenting an invalid signature, which is accepted.

This vulnerability has the CVE-2009-0025 identifier and is similar to VIGILANCE-VUL-8371.

When the fix for this vulnerability requires recompiling BIND and is applied without first applying VIGILANCE-SOL-16759, the CVE-2009-0265 vulnerability appears because of an incorrect link against OpenSSL.

vulnerability alert CVE-2008-5077

OpenSSL: bypassing signature check

Synthesis of the vulnerability

The OpenSSL client does not correctly validate signatures presented by the server.
Impacted products: Debian, Fedora, FreeBSD, HP-UX, Mandriva Linux, Mandriva NF, Nortel VPN Router, NLD, OES, OpenBSD, OpenSolaris, OpenSSL, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, TurboLinux, ESX.
Severity: 3/4.
Consequences: data flow, disguisement.
Provenance: internet server.
Creation date: 07/01/2009.
Identifiers: 2009009350, 250826, 6786120, BID-33150, c01706219, CERTA-2009-AVI-006, CERTA-2009-AVI-009, CERTA-2010-AVI-268, CVE-2008-5077, DSA-1701-1, FEDORA-2009-0325, FEDORA-2009-0331, FEDORA-2009-0419, FEDORA-2009-0543, FEDORA-2009-0577, FEDORA-2009-0636, FEDORA-2009-1914, FEDORA-2009-2090, FreeBSD-SA-09:02.openssl, HPSBUX02418, MDVSA-2009:001, ocert-2008-016, openSUSE-SU-2011:0845-1, SSA:2009-014-01, SSRT090002, SUSE-SA:2009:006, SUSE-SU-2011:0847-1, TLSA-2009-5, VIGILANCE-VUL-8371, VMSA-2009-0004, VMSA-2009-0004.1, VMSA-2009-0004.2, VMSA-2009-0004.3.

Description of the vulnerability

The EVP interface of OpenSSL provides high level features that are independent of the underlying algorithms. The EVP_VerifyInit(), EVP_VerifyUpdate() and EVP_VerifyFinal() functions check signatures.

The EVP_VerifyFinal() function returns:
 - +1 if the signature is valid
 - 0 if the signature is invalid
 - -1 if an unexpected error occurred

However, instead of using:
  if (EVP_VerifyFinal(...) <= 0) error;
the SSL client uses:
  if (!EVP_VerifyFinal(...)) error;
Because -1 is non-zero, unexpected errors are thus handled as valid signatures.

This vulnerability impacts the SSL client, when a DSA or ECDSA signature is checked.

An attacker can therefore set up an SSL server with a malicious certification chain. The attacker can also mount a Man-In-The-Middle attack and offer an invalid certification chain. Neither attack is detected by the OpenSSL client, so the victim believes they are connected to a trusted site.
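As an added illustration (not code from the Vigil@nce bulletins, NTP, BIND or OpenSSL), the following C program models the three-valued return contract shared by EVP_VerifyFinal() and DSA_verify() with a constructed toy verifier, and contrasts the `!rc` check used by the affected NTP, BIND and OpenSSL client code with the `rc <= 0` form. The names toy_sign(), toy_verify() and run_case() are assumed helpers, and the 4-byte hash "signature" is a stand-in for the return convention, not real cryptography.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the OpenSSL EVP_VerifyFinal()/DSA_verify() return
 * contract: 1 = valid, 0 = invalid, -1 = unexpected error (here: a signature of
 * the wrong length). The "signature" is a 4-byte FNV-1a hash of the message,
 * which models the return convention only and is not real cryptography. */
enum { SIG_LEN = 4 };

static uint32_t fnv1a(const unsigned char *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

void toy_sign(const unsigned char *msg, size_t n, unsigned char out[SIG_LEN]) {
    uint32_t h = fnv1a(msg, n);
    out[0] = (unsigned char)(h >> 24); out[1] = (unsigned char)(h >> 16);
    out[2] = (unsigned char)(h >> 8);  out[3] = (unsigned char)h;
}

/* Returns 1, 0 or -1 exactly as the OpenSSL functions do. */
int toy_verify(const unsigned char *msg, size_t n, const unsigned char *sig, size_t siglen) {
    if (sig == NULL || siglen != SIG_LEN) return -1;   /* "unexpected error" path */
    unsigned char expect[SIG_LEN];
    toy_sign(msg, n, expect);
    return memcmp(expect, sig, SIG_LEN) == 0 ? 1 : 0;
}

/* The check in the affected NTP, BIND and OpenSSL client code: only rc == 0 is
 * rejected, so the -1 error case is accepted as if the signature were valid. */
int accepted_by_buggy_check(int rc) { if (!rc) return 0; return 1; }

/* The corrected check: anything other than exactly 1 is a failure. */
int accepted_by_fixed_check(int rc) { if (rc <= 0) return 0; return 1; }

/* sig_kind: 0 = correct signature, 1 = wrong value, 2 = wrong length (-1 path).
 * Returns 1 if the selected check would accept the packet, else 0. */
int run_case(int use_fixed_check, int sig_kind) {
    const unsigned char msg[] = "ntp packet";           /* constructed sample */
    size_t n = sizeof msg - 1;
    unsigned char sig[SIG_LEN];
    toy_sign(msg, n, sig);
    if (sig_kind == 1) sig[0] ^= 0xFF;                 /* corrupt one byte */
    size_t siglen = (sig_kind == 2) ? 1 : SIG_LEN;     /* truncate -> rc == -1 */
    int rc = toy_verify(msg, n, sig, siglen);
    return use_fixed_check ? accepted_by_fixed_check(rc) : accepted_by_buggy_check(rc);
}

int main(void) {
    printf("malformed signature accepted? buggy=%d fixed=%d\n", run_case(0, 2), run_case(1, 2));
    return 0;
}
```

Only the wrong-length case separates the two checks: a genuinely invalid signature (rc == 0) is rejected by both, which is why the defect went unnoticed in normal operation.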

vulnerability CVE-2008-0067

OpenView NNM: several overflows

Synthesis of the vulnerability

Several vulnerabilities of OpenView NNM can be used by an attacker to create a denial of service or to execute code.
Impacted products: HPE NMC, OpenView, OpenView NNM.
Severity: 3/4.
Consequences: privileged access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 6.
Creation date: 07/01/2009.
Revision date: 12/02/2009.
Identifiers: 2008-13, BA324, BID-33147, c01646081, CERTA-2009-AVI-027, CVE-2008-0067, HPSBMA02400, SSRT080144, VIGILANCE-VUL-8370.

Description of the vulnerability

Several vulnerabilities impact OpenView NNM.

An attacker can use a long parameter in the OpenView5.exe CGI script in order to generate a buffer overflow. [severity:3/4]

An attacker can use a long Context parameter in the OpenView5.exe CGI script in order to generate a buffer overflow. [severity:3/4; BA324]

An attacker can use a long parameter in the getcvdata.exe CGI script in order to generate a buffer overflow. [severity:3/4]

An attacker can use a long parameter in the ovlaunch.exe CGI script in order to generate a buffer overflow. [severity:3/4]

An attacker can use a long parameter in the Toolbar.exe CGI script in order to generate a buffer overflow. [severity:3/4]

An attacker can use a long parameter in the Toolbar.exe CGI script in order to generate a buffer overflow. [severity:3/4]

These vulnerabilities lead to a denial of service or to code execution.

computer vulnerability note CVE-2009-0069

Solaris: denial of service of NFSv4

Synthesis of the vulnerability

A local attacker can rename a file located on a remote NFSv4 share in order to stop the local system.
Impacted products: OpenSolaris, Solaris.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 06/01/2009.
Identifiers: 248566, 6300710, BID-33128, CVE-2009-0069, VIGILANCE-VUL-8369.

Description of the vulnerability

The NFS version 4 protocol uses:
 - a server to export a path
 - a client to connect to this share and to use it as if it were a local filesystem

The nfs4rename_persistent_fh() function of the usr/src/uts/common/fs/nfs/nfs4_vfsops.c file is called when a filename changes.

However, if the file is renamed simultaneously on the server and on the NFSv4 client, an already-held mutex is re-acquired via mutex_enter(), which panics the system.

A local attacker can therefore rename a file located on a remote NFSv4 share in order to stop the local system.

computer vulnerability bulletin CVE-2009-0177

VMware Player, Workstation: denial of service of vmware-authd

Synthesis of the vulnerability

An attacker can send a long authentication query to the vmware-authd service of VMware Player or VMware Workstation in order to stop it.
Impacted products: VMware ACE, VMware Player, VMware Server, VMware Workstation.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 05/01/2009.
Identifiers: BID-33095, CVE-2009-0177, VIGILANCE-VUL-8368.

Description of the vulnerability

The vmware-authd.exe authentication service of VMware Player or VMware Workstation listens on port 912/tcp.

However, when vmware-authd receives a login name longer than 300 characters, it stops.

An unauthenticated attacker can therefore create a denial of service.

computer vulnerability announce CVE-2009-0022

Samba: file access via registry shares

Synthesis of the vulnerability

When the "registry shares" feature is enabled, an authenticated attacker can access files located outside the shares.
Impacted products: Fedora, Mandriva Linux, Samba, Slackware.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: user account.
Creation date: 05/01/2009.
Identifiers: BID-33118, CERTA-2009-AVI-001, CVE-2009-0022, FEDORA-2009-0160, FEDORA-2009-0268, MDVSA-2009:042, SSA:2009-005-01, VIGILANCE-VUL-8367.

Description of the vulnerability

The "registry shares" feature of Samba tells the server to load its share configuration from the Samba registry. This feature, introduced in version 3.2.0, can be enabled by:
  registry shares = yes
  include = registry
  config backend = registry

A Samba share has a name like "//servername/sharename".

However, due to an error in the "registry shares" code, if the share name is empty ("//servername/") the user is given access to the root file system ("/") instead of being restricted to the shared directory.

When the "registry shares" feature is enabled, an authenticated attacker can therefore access files located outside the shares. The access is performed with the user's rights.
