The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

computer vulnerability announce CVE-2009-2506

WordPad, Word: code execution via Word 97

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious file in the Word 97 format, in order to execute code when it is converted by WordPad or Word.
Impacted products: Office, Word, Windows 2000, Windows 2003, Windows XP.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 09/12/2009.
Identifiers: 975539, BID-37216, CERTA-2009-AVI-539, CVE-2009-2506, MS09-073, VIGILANCE-VUL-9247.

Description of the vulnerability

When users open a document in an old format, Microsoft Office Word and Windows WordPad software recognize it, and convert it automatically.

However, the Word 97 format converter does not correctly manage the DocumentSummaryInformation field from the document, which corrupts the memory.

An attacker can therefore invite the victim to open a malicious file in the Word 97 format, in order to execute code when it is converted by WordPad or Word.

computer vulnerability alert CVE-2009-2493 CVE-2009-3671 CVE-2009-3672

Internet Explorer: multiple vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Internet Explorer lead to code execution.
Impacted products: IE.
Severity: 4/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 09/12/2009.
Identifiers: 976325, BID-37085, BID-37188, BID-37212, BID-37213, CERTA-2009-AVI-435, CERTA-2009-AVI-538, CVE-2009-2493, CVE-2009-3671, CVE-2009-3672, CVE-2009-3673, CVE-2009-3674, MS09-072, VIGILANCE-VUL-9246, VU#515749, ZDI-09-086, ZDI-09-087, ZDI-09-088.

Description of the vulnerability

Several vulnerabilities were announced in Internet Explorer.

The tdc.ocx ActiveX is linked to a vulnerable version of Visual Studio ATL (VIGILANCE-VUL-8895). An attacker can therefore initialize it in an HTML page, in order to execute code. [severity:3/4; CERTA-2009-AVI-435, CERTA-2009-AVI-538, CVE-2009-2493]

An attacker can invite the victim to display an HTML page calling getElementsByTagName() on a style, in order to execute code on his computer (VIGILANCE-VUL-9213). [severity:4/4; BID-37085, CVE-2009-3672, VU#515749]

An attacker can use an XHTML object which is not initialized or has been deleted, in order to corrupt the memory. [severity:4/4; BID-37188, CVE-2009-3671, ZDI-09-086]

An attacker can use a race attack on a CSS style sheet, in order to corrupt the memory. [severity:4/4; BID-37212, CVE-2009-3673, ZDI-09-087]

An attacker can use an IFRAME attribute, in order to corrupt the memory of a CAttrArray object. [severity:4/4; BID-37213, CVE-2009-3674, ZDI-09-088]

computer vulnerability CVE-2009-2505 CVE-2009-3677

Windows: vulnerabilities of PEAP and MS-CHAP v2

Synthesis of the vulnerability

A remote attacker can use malformed PEAP/MS-CHAPv2 queries, in order to execute code on the system.
Impacted products: Windows 2000, Windows 2003, Windows 2008 R0, Windows Vista, Windows XP.
Severity: 4/4.
Consequences: user access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 09/12/2009.
Identifiers: 974318, BID-37197, BID-37198, CERTA-2009-AVI-537, CVE-2009-2505, CVE-2009-3677, MS09-071, VIGILANCE-VUL-9245.

Description of the vulnerability

The IAS (Internet Authentication Service) implements the RADIUS (Remote Authentication Dial-in User Service) protocol. It supports PEAP (Protected Extensible Authentication Protocol) authentications with MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2). When IAS is configured to use PEAP with MS-CHAP v2, an attacker can use two vulnerabilities.

Under Windows Vista/2008, a remote attacker can send a malformed PEAP/MS-CHAPv2 query, in order to corrupt the memory, which leads to code execution. [severity:4/4; BID-37197, CERTA-2009-AVI-537, CVE-2009-2505]

A remote attacker can send a PEAP/MS-CHAPv2 authentication query which is invalid but which is nevertheless accepted by IAS. The attacker then gains access to the environment of the user whose authentication was accepted. [severity:3/4; BID-37198, CVE-2009-3677]

vulnerability note CVE-2009-2508 CVE-2009-2509

Windows: two vulnerabilities of ADFS

Synthesis of the vulnerability

An authenticated attacker can use two vulnerabilities of ADFS, in order to spoof the identity of a user, or to execute code.
Impacted products: IIS, Windows 2003, Windows 2008 R0.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights.
Provenance: user account.
Number of vulnerabilities in this bulletin: 2.
Creation date: 09/12/2009.
Identifiers: 971726, BID-37214, BID-37215, CERTA-2009-AVI-536, CVE-2009-2508, CVE-2009-2509, MS09-070, VIGILANCE-VUL-9244.

Description of the vulnerability

The ADFS (Active Directory Federation Services) feature manages the SSO (Single Sign-On) authentication of users who access several web services. ADFS can be enabled on the IIS web server, and is reachable with a web client implementing WS-* (SOAP, WSDL and UDDI). ADFS is impacted by two vulnerabilities.

An attacker who gains access to the victim's web browser cache can read and then reuse ADFS data for 10 hours, even if the victim has logged off the web site. The attacker can therefore access a web service under the identity of the victim. [severity:2/4; BID-37215, CERTA-2009-AVI-536, CVE-2009-2508]

A remote authenticated attacker can use an HTTP-ADFS query with a malicious header, in order to execute code on IIS. [severity:3/4; BID-37214, CVE-2009-2509]

vulnerability bulletin CVE-2009-3675

Windows: denial of service via IPSec and ISAKMP

Synthesis of the vulnerability

A remote authenticated attacker can send a malicious ISAKMP packet, in order to generate an infinite loop.
Impacted products: Windows 2000, Windows 2003, Windows XP.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 09/12/2009.
Identifiers: 974392, BID-37218, CERTA-2009-AVI-535, CVE-2009-3675, MS09-069, VIGILANCE-VUL-9243.

Description of the vulnerability

The IPSec protocol is used to create VPNs. To create an IPSec tunnel, an SA (Security Association: algorithm, key size, etc.) has to be shared between both ends. The SA can be set by the administrator, or exchanged automatically. In the latter case, the IKE (Internet Key Exchange) protocol is used. IKE is based on ISAKMP (Internet Security Association and Key Management Protocol).

The LSASS service (Local Security Authority Subsystem Service) manages for example user authentication.

When an authenticated user, who accesses the server via IPSec, sends a malicious ISAKMP packet, an infinite loop occurs in LSASS.

An authenticated attacker can thus generate a denial of service.

vulnerability announce CVE-2009-4226

OpenSolaris: NULL dereference via tcp_do_getsockname and tcp_do_getpeername

Synthesis of the vulnerability

An attacker can send an IPv6 packet in order to stop the kernel.
Impacted products: OpenSolaris.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: internet client.
Creation date: 08/12/2009.
Identifiers: 268189, 6877954, BID-37225, CVE-2009-4226, VIGILANCE-VUL-9242.

Description of the vulnerability

The tcp structure contains TCP information of the packet. The tcp->tcp_ip6h holds IPv6 header information of the packet.

The tcp_do_getsockname() and tcp_do_getpeername() methods of the file common/inet/tcp/tcp.c return respectively the name of the local and peer socket of a TCP connection. If the socket is of the AF_INET6 (IPv6) family, the result structure is initialized with some information from tcp->tcp_ip6h. However, tcp->tcp_ip6h can be NULL. The tcp_do_getsockname() and tcp_do_getpeername() methods therefore dereference a NULL pointer.

An attacker can thus send an IPv6 packet in order to stop the kernel.

vulnerability CVE-2009-1298

Linux kernel: NULL dereference via ip_frag_reasm

Synthesis of the vulnerability

An attacker can send a fragmented IPv4 packet of total size greater than 65,535 bytes in order to stop the kernel.
Impacted products: Fedora, Linux, Mandriva Linux, openSUSE, Slackware.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: internet client.
Creation date: 07/12/2009.
Identifiers: BID-37231, CVE-2009-1298, FEDORA-2009-12786, FEDORA-2009-12825, MDVSA-2009:329, SSA:2009-342-01, SUSE-SA:2010:001, VIGILANCE-VUL-9240.

Description of the vulnerability

The dev structure contains information about the network interface. The dev_net() method of the file linux/netdevice.h returns the structure representing the network from the network interface.

The ip_frag_reasm() method of the file net/ipv4/ip_fragment.c handles IPv4 packet reassembly. However, when the system is running out of memory or when a packet with a size greater than 65,535 bytes is reassembled, dev_net() returns a NULL pointer. The ip_frag_reasm() method therefore dereferences a NULL pointer.

An attacker can thus send a fragmented IPv4 packet of total size greater than 65,535 bytes in order to stop the kernel.

An attacker can also use this vulnerability with VIGILANCE-VUL-8953/VIGILANCE-VUL-8861 in order to elevate his privileges.

computer vulnerability note 9239

Linux kernel: NULL dereference via put_tty_queue_nolock

Synthesis of the vulnerability

A local attacker can use a terminal in order to stop the kernel or to execute privileged code.
Impacted products: Linux.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: user shell.
Creation date: 03/12/2009.
Identifiers: 14605, BID-37147, VIGILANCE-VUL-9239.

Description of the vulnerability

The tty structure contains information of the terminal. The tty->read_buf buffer holds the characters typed on the terminal.

The n_tty_close() method of the file drivers/char/n_tty.c frees the resources associated with the terminal (including tty->read_buf). The put_tty_queue_nolock() method of the file drivers/char/n_tty.c is called when a character is typed, and stores it in tty->read_buf. However, if a character is received while the terminal is closing, tty->read_buf can be NULL. The put_tty_queue_nolock() method therefore dereferences a NULL pointer.

A local attacker can thus use a terminal in order to stop the kernel.

An attacker can also use this vulnerability with VIGILANCE-VUL-8953/VIGILANCE-VUL-8861 in order to elevate his privileges.

computer vulnerability announce CVE-2009-3889 CVE-2009-3939

Linux kernel: two vulnerabilities of megaraid_sas

Synthesis of the vulnerability

Two vulnerabilities can be used to modify the behavior of the megaraid_sas driver.
Impacted products: Debian, Linux, NLD, openSUSE, RHEL, SLES, ESX, ESXi.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 03/12/2009.
Identifiers: 526068, CERTA-2002-AVI-252, CERTA-2010-AVI-080, CVE-2009-3889, CVE-2009-3939, DSA-1996-1, DSA-2004-1, RHSA-2009:1635-01, RHSA-2010:0046-01, RHSA-2010:0076-01, SUSE-SA:2009:061, SUSE-SA:2009:064, SUSE-SA:2010:001, SUSE-SA:2010:005, SUSE-SA:2010:010, SUSE-SA:2010:012, SUSE-SA:2010:013, SUSE-SA:2010:014, VIGILANCE-VUL-9237, VMSA-2010-0009, VMSA-2010-0009.1.

Description of the vulnerability

Two vulnerabilities can be used to modify the behavior of the megaraid_sas driver.

The file /sys/bus/pci/drivers/megaraid_sas/dbg_lvl defines the debug level of megaraid_sas driver. However, this file is world writable. A local attacker can therefore modify driver behavior. [severity:2/4; 526068, CVE-2009-3889]

The file /sys/bus/pci/drivers/megaraid_sas/poll_mode_io defines the input/output mode of megaraid_sas driver. However, this file is world writable. A local attacker can therefore modify driver behavior. [severity:2/4; 526068, CVE-2009-3939]

vulnerability note CVE-2009-4071 CVE-2009-4072

Opera: two vulnerabilities

Synthesis of the vulnerability

An attacker can obtain information or generate a Cross Site Scripting.
Impacted products: Opera.
Severity: 2/4.
Consequences: user access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 02/12/2009.
Identifiers: BID-37089, CVE-2009-4071, CVE-2009-4072, VIGILANCE-VUL-9234.

Description of the vulnerability

Two vulnerabilities were announced in Opera.

Opera enables exception tracing. When activated, script error messages are stored in variables. However, any script from any site can access those variables. An attacker can therefore obtain information or generate a Cross Site Scripting. [severity:2/4; BID-37089, CVE-2009-4071]

A vulnerability exists in Opera. [severity:2/4; BID-37089, CVE-2009-4072]