The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

vulnerability alert CVE-2010-0789

FUSE: denial of service via fusermount

Synthesis of the vulnerability

When the fusermount tool is installed suid root, a local attacker can use a symbolic link, in order to unmount a mount point belonging to another user, which creates a denial of service.
Impacted products: Debian, Fedora, Mandriva Linux, NLD, OES, openSUSE, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: denial of service on service, denial of service on client.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 29/01/2010.
Identifiers: 532940, CVE-2009-3297-REJECT, CVE-2010-0789, DSA-1989-1, FEDORA-2010-1140, FEDORA-2010-1159, MDVSA-2010:047, SUSE-SR:2010:003, SUSE-SR:2010:004, SUSE-SR:2010:011, SUSE-SR:2010:013, VIGILANCE-VUL-9391.

Description of the vulnerability

The FUSE (Filesystem in Userspace) interface is used by a program to create a virtual file system. The "fusermount -u" command unmounts the mount point.

However, the fusermount tool does not atomically check the directory to be unmounted. A local attacker can therefore:
 - call "fusermount -u /home/user/mydir"
 - during its execution, replace /home/user/mydir by a symbolic link to /privatedirectory
 - wait for fusermount to unmount /privatedirectory
A local attacker can thus unmount a mount point belonging to another user.

When the fusermount tool is installed suid root, a local attacker can therefore use a symbolic link, in order to create a denial of service.

vulnerability CVE-2010-0787

Samba: privilege elevation via mount.cifs

Synthesis of the vulnerability

When the mount.cifs tool is installed suid root, a local attacker can use a symbolic link, in order to elevate his privileges or to obtain information.
Impacted products: Debian, Fedora, Mandriva Linux, NLD, OES, openSUSE, RHEL, Samba, SLES, ESX.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, data reading.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 3.
Creation date: 29/01/2010.
Identifiers: 532940, 6853, BID-37992, BID-39898, CERTA-2002-AVI-252, CVE-2009-3297-REJECT, CVE-2010-0747-ERROR, CVE-2010-0787, DSA-2004-1, FEDORA-2010-1190, FEDORA-2010-1218, MDVSA-2010:090, MDVSA-2010:090-1, RHSA-2011:1219-01, SUSE-SA:2010:025, SUSE-SR:2010:004, SUSE-SR:2010:014, VIGILANCE-VUL-9390.

Description of the vulnerability

The mount.cifs utility of the Samba suite is used to mount a remote CIFS/SMB share in a local directory. This tool is frequently installed suid root.

However, this tool does not atomically check the mount directory. A local attacker can therefore:
 - call mount.cifs to mount a remote share on /home/user/mydir
 - during its execution, replace /home/user/mydir by a symbolic link to /privatedirectory
 - wait for mount.cifs to mount the share on /privatedirectory
So, by modifying or reading the content of the share on the remote server, the local attacker can modify or read the content of /privatedirectory.

When the mount.cifs tool is installed suid root, a local attacker can therefore use a symbolic link, in order to elevate his privileges or to obtain information.

computer vulnerability note CVE-2010-0301

maildrop: privilege elevation

Synthesis of the vulnerability

When emails are delivered with maildrop, a local attacker can acquire privileges of the root group.
Impacted products: Debian, Fedora, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user account.
Creation date: 28/01/2010.
Identifiers: 564601, BID-37984, CVE-2010-0301, DSA-1981-1, DSA-1981-2, FEDORA-2010-1863, FEDORA-2010-1927, MDVSA-2010:038, VIGILANCE-VUL-9389.

Description of the vulnerability

The maildrop program delivers local messages and filters them. This command is for example called by root:
  maildrop -d user_who_receives_the_email
The email recipient can then have a ~/.mailfilter file containing commands to execute, in order to filter the mail.

The maildrop command drops root privileges and acquires the privileges of the user before executing the commands of the filtering file. However, the supplementary groups are not reset to the user's groups, so the root (gid 0) supplementary group is kept.

When emails are delivered with maildrop, a local attacker can thus acquire privileges of the root group.
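The defect above is a privilege drop that forgets the supplementary group list. The helper below, added here as an example and not taken from maildrop, shows the order a correct drop needs (setgroups before setgid/setuid, since setgroups itself requires root) and an audit function that detects a leftover root group; `drop_privileges`, `has_root_group` and `process_keeps_root_group` are hypothetical names.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <limits.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if gid 0 (root) is among the supplementary groups given. */
int has_root_group(const gid_t *groups, int ngroups)
{
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == 0)
            return 1;
    return 0;
}

/* Audit the calling process: 1 if it still carries a root supplementary
 * group, 0 if not, -1 on error. Worth running after any privilege drop. */
int process_keeps_root_group(void)
{
    gid_t groups[NGROUPS_MAX];
    int n = getgroups(NGROUPS_MAX, groups);
    return n < 0 ? -1 : has_root_group(groups, n);
}

/* Drop from root to uid/gid. setgroups() is the step the vulnerable
 * maildrop skipped; it needs root, so it must precede setgid()/setuid().
 * Returns 0 on success, -1 (errno set) on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop stuck: regaining root must fail and ids must match. */
    if (setuid(0) == 0 || getuid() != uid || getgid() != gid)
        return -1;
    return process_keeps_root_group() == 0 ? 0 : -1;
}
```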

computer vulnerability bulletin CVE-2010-0442

PostgreSQL: memory corruption via substring

Synthesis of the vulnerability

An authenticated attacker can use the substring() function, in order to generate a corruption, leading to a denial of service or to code execution with database privileges.
Impacted products: Debian, Mandriva Linux, PostgreSQL, RHEL.
Severity: 2/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: user account.
Creation date: 28/01/2010.
Identifiers: BID-37973, CVE-2010-0442, DSA-2051-1, MDVSA-2010:103, RHSA-2010:0427-01, RHSA-2010:0428-01, RHSA-2010:0429-01, VIGILANCE-VUL-9388.

Description of the vulnerability

The SQL substring() function extracts a character string. For example, to extract "ell" (from offset 2, with size 3):
  SELECT substring('Hello', 2, 3);

A "Bit String" is a string containing 0 and 1 values. For example: B'101'

When the substring() function is called on a Bit String, a memory corruption occurs.

An authenticated attacker can therefore use the substring() function, in order to generate a corruption, leading to a denial of service or to code execution with database privileges.

computer vulnerability announcement CVE-2010-0462 CVE-2010-1560

IBM DB2: heap overflow via REPEAT

Synthesis of the vulnerability

An authenticated attacker can use the REPEAT() function, in order to generate an overflow, leading to a denial of service or to code execution with database privileges.
Impacted products: DB2 UDB.
Severity: 2/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: user account.
Number of vulnerabilities in this bulletin: 2.
Creation date: 28/01/2010.
Identifiers: 1426108, BID-37976, CVE-2010-0462, CVE-2010-1560, swg21426108, VIGILANCE-VUL-9387.

Description of the vulnerability

The SQL REPEAT() function generates a character string, which is built by repeating a pattern. For example, to obtain "HelloHello":
  SELECT REPEAT( 'Hello', 2 )

IBM DB2 checks that the resulting string is not too long. However, by using a nested call, the size can exceed 2^32, which forces the allocation of a memory area that is too small and then causes a heap overflow.

An authenticated attacker can therefore use the REPEAT() function, in order to generate an overflow, leading to a denial of service or to code execution with database privileges.

computer vulnerability alert CVE-2010-0304

Wireshark 1.2: denials of service

Synthesis of the vulnerability

Several vulnerabilities of Wireshark can be used by a remote attacker to create a denial of service.
Impacted products: Fedora, openSUSE, SLES, Wireshark.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 28/01/2010.
Identifiers: BID-37985, CVE-2010-0304, FEDORA-2010-3556, SUSE-SR:2010:007, VIGILANCE-VUL-9386, wnpa-sec-2010-02.

Description of the vulnerability

The Wireshark program captures and displays network packets. Protocols are decoded by dissectors. They are impacted by several vulnerabilities.

An attacker can generate several buffer overflows in the LWRES dissector. [severity:2/4; BID-37985, CVE-2010-0304, wnpa-sec-2010-02]

An attacker can use malformed Kerberos data, in order to stop Wireshark. [severity:1/4]

computer vulnerability CVE-2009-2563 CVE-2009-4377 CVE-2010-0304

Wireshark 1.0: denials of service

Synthesis of the vulnerability

Several vulnerabilities of Wireshark can be used by a remote attacker to create a denial of service.
Impacted products: Debian, Mandriva Linux, openSUSE, RHEL, SLES, Wireshark.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 28/01/2010.
Identifiers: BID-37985, CERTA-2010-AVI-035, CVE-2009-2563, CVE-2009-4337-ERROR, CVE-2009-4377, CVE-2010-0304, DSA-1983-1, MDVSA-2010:031, RHSA-2010:0360-01, SUSE-SR:2010:007, VIGILANCE-VUL-9385, wnpa-sec-2010-02.

Description of the vulnerability

The Wireshark program captures and displays network packets. Protocols are decoded by dissectors. They are impacted by several vulnerabilities.

An attacker can generate a denial of service in the SMB/SMB2 dissector. [severity:1/4; CVE-2009-4337-ERROR, CVE-2009-4377]

An attacker can generate a denial of service in the Infiniband dissector. [severity:1/4; CERTA-2010-AVI-035, CVE-2009-2563]

An attacker can generate several buffer overflows in the LWRES dissector. [severity:2/4; BID-37985, CVE-2010-0304, wnpa-sec-2010-02]

vulnerability note 9384

yaSSL: buffer overflow via X.509

Synthesis of the vulnerability

An attacker can send an invalid certificate, in order to generate a denial of service or to execute code on applications linked with yaSSL.
Impacted products: Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: internet client.
Creation date: 28/01/2010.
Identifiers: BID-37974, VIGILANCE-VUL-9384.

Description of the vulnerability

The yaSSL library implements SSL.

An X.509 certificate contains the Common Name of its owner. However, if yaSSL receives a certificate with a long CN, a buffer overflow occurs.

An attacker can therefore send an invalid certificate, in order to generate a denial of service or to execute code on applications linked with yaSSL.

This vulnerability is for example the reason for the VIGILANCE-VUL-9380 vulnerability of MySQL.

vulnerability bulletin CVE-2010-0010

Apache httpd 1.3: integer overflow of mod_proxy

Synthesis of the vulnerability

On a 64 bit processor, an attacker can generate an overflow in mod_proxy, in order to generate a denial of service, and possibly to execute code.
Impacted products: Apache httpd, openSUSE, SLES.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: intranet client.
Creation date: 27/01/2010.
Identifiers: BID-37966, CERTA-2010-AVI-032, CERTA-2010-AVI-054, CVE-2010-0010, SUSE-SR:2010:010, VIGILANCE-VUL-9383.

Description of the vulnerability

The mod_proxy module can be enabled on Apache httpd 1.3, in order to proxy web data.

On a 64 bit processor (such as amd64), an integer (int) is stored in 4 bytes and a long in 8 bytes, whereas on a 32 bit processor both are stored in 4 bytes.

The ap_proxy_send_fb() function of the modules/proxy/proxy_util.c file converts ("casts") a long to an int. However, if mod_proxy receives a chunk fragment whose size does not fit in an int, this conversion generates a memory corruption.

On a 64 bit processor, an attacker can therefore generate an overflow in mod_proxy, in order to generate a denial of service, and possibly to execute code.
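The point of the bulletin is that a long-to-int cast silently discards the upper 32 bits on LP64, so a size check performed after the cast can pass for a size that is far larger than the buffer. The example below is added here and is not Apache's code; `naive_cast`, `checked_cast` and `chunk_fits` are hypothetical helpers that contrast the truncating conversion with a checked one done in the wider type.

```c
#include <limits.h>

/* The truncating cast of the vulnerable pattern: on an LP64 platform
 * the value is reduced modulo 2^32, so 2^32 + 5 becomes 5 (gcc/clang
 * behaviour; the standard calls the out-of-range case implementation-defined). */
int naive_cast(long len)
{
    return (int)len;
}

/* Checked conversion: stores the value and returns 1 only when `len`
 * is representable as a non-negative int; otherwise returns 0. */
int checked_cast(long len, int *out)
{
    if (len < 0 || len > INT_MAX)
        return 0;
    *out = (int)len;
    return 1;
}

/* Decide whether a chunk of `len` bytes fits a buffer of `bufsize` bytes.
 * The comparison happens before any narrowing, so a size above 2^32
 * can never be mistaken for a small one. */
int chunk_fits(long len, int bufsize)
{
    int v;
    return checked_cast(len, &v) && v <= bufsize;
}
```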

vulnerability announcement CVE-2010-0139 CVE-2010-0140 CVE-2010-0141

Cisco Unified MeetingPlace: several vulnerabilities

Synthesis of the vulnerability

Four vulnerabilities of Cisco Unified MeetingPlace can be used by an attacker to obtain information, to alter data, or to elevate his privileges.
Impacted products: Cisco MeetingPlace.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, data reading, data creation/edition, data deletion.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 27/01/2010.
Identifiers: 111013, BID-37965, CERTA-2010-AVI-034, cisco-sa-20100127-mp, CSCsv66530, CSCsv76935, CSCtc39691, CSCtc59231, CSCtd40661, CVE-2010-0139, CVE-2010-0140, CVE-2010-0141, CVE-2010-0142, VIGILANCE-VUL-9382.

Description of the vulnerability

Four vulnerabilities were announced in Cisco Unified MeetingPlace.

An unauthenticated attacker can inject SQL queries, in order to alter the content of the database. [severity:3/4; CERTA-2010-AVI-034, CSCtc39691, CVE-2010-0139]

An unauthenticated attacker can use a URL, in order to directly create a user. [severity:3/4; CSCtc59231, CSCtd40661, CVE-2010-0140]

An unauthenticated attacker can alter the authentication sequence of MeetingTime, in order to detect if a username is valid. [severity:1/4; CSCsv76935, CVE-2010-0141]

An authenticated attacker can alter the authentication sequence of MeetingTime, in order to elevate his privileges. [severity:3/4; CSCsv66530, CVE-2010-0142]
