The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

vulnerability announce CVE-2008-3761 CVE-2008-4916 CVE-2009-0177

VMware: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities impact VMware ACE, Player, Server and Workstation.
Impacted products: VMware ACE, ESX, ESXi, VMware Player, VMware Server, VirtualCenter, VMware Workstation.
Severity: 2/4.
Consequences: administrator access/rights, data reading, data creation/edition, denial of service on server.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 8.
Creation date: 02/04/2009.
Revision date: 06/04/2009.
Identifiers: BID-30737, BID-33095, BID-34373, CERTA-2009-AVI-137, CVE-2008-3761, CVE-2008-4916, CVE-2009-0177, CVE-2009-0518, CVE-2009-0908, CVE-2009-0909, CVE-2009-0910, CVE-2009-1146, CVE-2009-1147, Positive Technologies SA 2008-05, Positive Technologies SA 2008-07, PT-2008-05, PT-2008-07, TPTI-09-01, TPTI-09-02, VIGILANCE-VUL-8592, VMSA-2009-0005.

Description of the vulnerability

Several vulnerabilities impact VMware products.

On Windows host, an attacker can use an IOCTL of hcmon.sys in order to elevate his privileges. [severity:2/4; CVE-2009-1146, Positive Technologies SA 2008-07, PT-2008-07]

On Windows host, an attacker can use an IOCTL of hcmon.sys in order to create a denial of service (VIGILANCE-VUL-8042). [severity:1/4; BID-30737, CVE-2008-3761]

On Windows host, an attacker can send a long authentication query to the vmware-authd service in order to stop it (VIGILANCE-VUL-8368). [severity:2/4; BID-33095, CVE-2009-0177]

On Windows host or guest, an attacker can use vmci.sys (Virtual Machine Communication Interface) to elevate his privileges. [severity:2/4; CVE-2009-1147, Positive Technologies SA 2008-05, PT-2008-05]

Two overflows of the VMnc codec can be used by an attacker to execute code on the host. [severity:2/4; CVE-2009-0909, CVE-2009-0910, TPTI-09-01, TPTI-09-02]

An attacker can re-enable an ACE Shared Folder of HGFS (Host Guest File System). [severity:1/4; CVE-2009-0908]

An attacker in a guest system can use a device driver to stop the host. [severity:1/4; CERTA-2009-AVI-137, CVE-2008-4916]

The VI Client keeps the VirtualCenter Server password in its memory. [severity:1/4; CVE-2009-0518]

vulnerability alert CVE-2009-1239

IBM DB2: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities were announced in IBM DB2.
Impacted products: DB2 UDB.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: user account.
Creation date: 02/04/2009.
Identifiers: BID-34650, CVE-2009-1239, swg21381257, VIGILANCE-VUL-8591.

Description of the vulnerability

Several vulnerabilities were announced in IBM DB2.

vulnerability 8590

SAP BusinessObjects Crystal Reports: several Cross Site Scripting

Synthesis of the vulnerability

An attacker can use several parameters of the viewreport.asp script in order to trigger several Cross Site Scripting vulnerabilities in SAP BusinessObjects Crystal Reports.
Impacted products: Business Objects.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 02/04/2009.
Identifiers: BID-34341, VIGILANCE-VUL-8590.

Description of the vulnerability

The viewreport.asp script of SAP BusinessObjects Crystal Reports displays reports which are generated by the product.

However, this script does not filter several of its parameters before displaying them: ID, PROMPTEX-SESSION_ID, PROMPTEX-TO_DATE, PROMPTEX-FROM_DATE, PROMPTEX-YEAR_QTR1, PROMPTEX-YEAR_QTR2, PROMPTEX-YEAR_QTR3, PROMPTEX-YEAR_QTR4, PROMPTEX-YEAR_QTR5, PROMPTEX-YEAR_QTR6, PROMPTEX-YEAR_QTR7, PROMPTEX-YEAR_QTR8 and PROMPTEX-QT.

An attacker can therefore use them to mount a Cross Site Scripting attack and execute JavaScript code in the web browsers of visitors to the website.

computer vulnerability note CVE-2007-6725 CVE-2008-6679

Ghostscript: two overflows

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious PDF or PS file with Ghostscript in order to execute code with the victim's privileges.
Impacted products: Debian, Fedora, Mandriva Linux, NLD, OES, OpenSolaris, openSUSE, Solaris, RHEL, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 02/04/2009.
Identifiers: 229174, 262288, 493442, 493445, 6830965, 6837966, 6837974, 6841014, 690211, BID-34337, BID-34340, CERTA-2002-AVI-279, CVE-2007-6725, CVE-2008-6679, DSA-2080-1, FEDORA-2009-3709, FEDORA-2009-3710, MDVSA-2009:095, MDVSA-2009:096, MDVSA-2009:096-1, MDVSA-2009:311, RHSA-2009:0420-01, RHSA-2009:0421-01, SUSE-SR:2009:011, VIGILANCE-VUL-8589.

Description of the vulnerability

The Ghostscript program displays PDF or PostScript documents. Two vulnerabilities were announced in Ghostscript.

A PDF file can contain a malicious CCITTFax field in order to generate an overflow in the invert_data() macro of scfd.c. [severity:3/4; 229174, 493442, BID-34337, CVE-2007-6725]

A PostScript file containing a malicious BaseFont generates an overflow in the base/gdevpdtb.c file. [severity:3/4; 493445, 690211, BID-34340, CVE-2008-6679]

An attacker can therefore invite the victim to open a malicious PDF or PS file with Ghostscript in order to execute code with the victim's privileges.

computer vulnerability bulletin CVE-2009-1962

Xfig: file corruptions

Synthesis of the vulnerability

A local attacker can use symbolic links in order to force file corruptions with the rights of Xfig users.
Impacted products: Mandriva Linux, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: data creation/edition.
Provenance: user shell.
Creation date: 01/04/2009.
Identifiers: BID-34328, CVE-2009-1962, MDVSA-2009:244, MDVSA-2009:244-1, VIGILANCE-VUL-8588.

Description of the vulnerability

The Xfig program is a drawing tool.

It uses several temporary files in an insecure manner (with $$ standing for the process id, so the names are predictable):
 - xfig-eps$$ in f_readeps.c
 - xfig-pic$$.pix in f_readeps.c
 - xfig-pic$$.err in f_readeps.c
 - xfig-pcx$$.pix in f_readgif.c
 - xfig-pcx$$.pix in f_readppm.c
 - xfig-pcx$$.pix in f_readtif.c
 - xfig-xfigrc$$ in f_util.c
 - xfig$$ in main.c
 - xfig-print$$ in u_print.c
 - xfig-export$$.err in u_print.c
 - xfig-exp$$ in w_print.c
 - xfig-spell.$$ in w_srchrepl.c

A local attacker can therefore use symbolic links in order to force file corruptions with the rights of Xfig users.

computer vulnerability announce CVE-2009-1273

pam_ssh: user detection

Synthesis of the vulnerability

An attacker can detect if a username is valid by looking at the pam_ssh prompt.
Impacted products: Fedora, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 01/04/2009.
Identifiers: 263579, 492153, CVE-2009-1273, FEDORA-2009-3500, FEDORA-2009-3627, VIGILANCE-VUL-8587.

Description of the vulnerability

The pam_ssh PAM module handles the authentication using the SSH protocol.

When an attacker enters a valid username, pam_ssh displays "SSH passphrase". When an attacker enters an invalid username, pam_ssh displays "Password".

An attacker can therefore use a brute force attack on the prompt to detect valid usernames.

computer vulnerability alert CVE-2009-1243

Linux kernel: denial of service via /proc/net/udp

Synthesis of the vulnerability

An attacker can read from /proc/net/udp in order to stop the system.
Impacted products: Linux.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 01/04/2009.
Identifiers: BID-34329, BID-34333, CVE-2009-1243, VIGILANCE-VUL-8586.

Description of the vulnerability

The /proc/net/udp pseudo file indicates the list of listening UDP services or established UDP sessions (its content is equivalent to "netstat -aun").

To handle simultaneous accesses to this file, the kernel uses a lock. When a user calls read() on this file, the kernel takes the lock, sends the data, and releases the lock.

If the user requests a zero-byte read() on this file, the kernel does not need to take the lock. However, at the end of the call, it still tries to release a lock it did not take. This error crashes the kernel.

An attacker can therefore read from /proc/net/udp in order to stop the system.

computer vulnerability CVE-2009-1242

Linux kernel: denial of service via EFER

Synthesis of the vulnerability

On an x86 virtualized computer, a local attacker can use EFER to stop the system.
Impacted products: Debian, Linux, openSUSE, SLES.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 01/04/2009.
Identifiers: BID-34331, CERTA-2002-AVI-235, CVE-2009-1242, DSA-1787-1, DSA-1800-1, SUSE-SA:2009:031, SUSE-SA:2009:032, VIGILANCE-VUL-8585.

Description of the vulnerability

An x86 processor can support VMX (Virtual Machine Extensions).

The vmx_set_msr() function of the arch/x86/kvm/vmx.c file sets MSRs (Model Specific Registers):
 - MSR_EFER : extended feature
 - MSR_STAR : legacy mode syscall target
 - etc.

The EFER MSR is specific to x64 processors. However, in an i386 virtual machine, the vmx_set_msr() function tries to set it anyway, which panics the kernel.

On an x86 virtualized computer, a local attacker can therefore use EFER to stop the system.

vulnerability note CVE-2009-1220

Cisco ASA: Cross Site Scripting of WebVPN

Synthesis of the vulnerability

An attacker can generate a Cross Site Scripting in the WebVPN service of Cisco PIX/ASA.
Impacted products: ASA.
Severity: 1/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 01/04/2009.
Identifiers: BID-34307, CSCsy82093, CVE-2009-1220, VIGILANCE-VUL-8584.

Description of the vulnerability

The WebVPN service is used to create a secure tunnel with a web client.

The Host header of the HTTP protocol indicates the name of the server. For example, if the user clicks on the "http://server/page" url, the Host header is set to "server". This header cannot be freely set.

The WebVPN service does not filter the server name received in the Host header before displaying it in an HTML page. This error leads to a Cross Site Scripting. However, as the Host header cannot be freely set, this vulnerability is hard to exploit.

vulnerability bulletin CVE-2009-1207

Solaris: file corruption via dircmp

Synthesis of the vulnerability

A local attacker can alter a file with the privileges of a dircmp user.
Impacted products: OpenSolaris, Solaris, Trusted Solaris.
Severity: 1/4.
Consequences: data creation/edition.
Provenance: user shell.
Creation date: 01/04/2009.
Identifiers: 253468, 6633566, BID-34316, CVE-2009-1207, VIGILANCE-VUL-8583.

Description of the vulnerability

The /usr/bin/dircmp script is used to compare two directories.

This script stores differences in temporary files whose names start with "/usr/tmp/dc$$" ($$ being the shell process id). However, these filenames are predictable, the files are stored in a public directory, and the script does not check whether a symbolic link is already present.

A local attacker can therefore create a symbolic link in order to alter a file with the privileges of a dircmp user.
