The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

vulnerability CVE-2010-2951

Squid: denial of service via DNS

Synthesis of the vulnerability

An attacker can send DNS packets with TC flag, in order to stop the Squid proxy.
Impacted products: Squid.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: internet server.
Creation date: 25/08/2010.
Identifiers: 3021, CVE-2010-2951, VIGILANCE-VUL-9880.

Description of the vulnerability

The Squid proxy implements a DNS resolver, which queries DNS servers and parses their answers.

The idnsSendQuery() function of the file src/dns_internal.cc sends a DNS query. If the answer is larger than 512 bytes (TC flag set), the query is resent over TCP. However, in that case, idnsSendQuery() tries to resend the query on a closed socket. The assert() macro then fires and stops the program.

An attacker controlling a malicious DNS server can therefore answer Squid with large packets, in order to generate a denial of service.

computer vulnerability note 9879

Windows: code execution via DLL Preload

Synthesis of the vulnerability

An attacker can use a malicious DLL in order to execute code in the context of the targeted application.
Impacted products: Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows NT, Windows Vista, Windows XP.
Severity: 2/4.
Consequences: user access/rights.
Provenance: user account.
Creation date: 25/08/2010.
Identifiers: 2269637, VIGILANCE-VUL-9879, VU#707943.

Description of the vulnerability

An application can use several DLLs (Dynamic Link Libraries).

When an application uses a function of a DLL, the DLL is first loaded via LoadLibrary(), and then the function is called.

If the application does not specify the full DLL path, Windows searches for the DLL in several places (current directory, system directory, etc.) and loads the first match. When a malicious DLL with the same name is located earlier in the search path, it is thus loaded instead of the legitimate DLL.

An attacker can therefore place a malicious DLL on a WebDAV or SMB share, and invite the victim to open a document from this share, in order to execute code in the context of the targeted application.

computer vulnerability announcement CVE-2010-2948 CVE-2010-2949

Quagga Routing Suite: two vulnerabilities

Synthesis of the vulnerability

Two vulnerabilities in Quagga Routing Suite can be used by an attacker to create a denial of service or possibly to execute code.
Impacted products: Debian, Fedora, openSUSE, Solaris, RHEL, ROX, RuggedSwitch, SLES.
Severity: 2/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 24/08/2010.
Identifiers: 626783, 626795, BID-42635, BID-42642, CVE-2010-2948, CVE-2010-2949, DSA-2104-1, FEDORA-2010-13928, FEDORA-2010-14002, FEDORA-2010-14009, MDVSA-2010:174, openSUSE-SU-2010:0984-1, RHSA-2010:0785-01, RHSA-2010:0945-01, SUSE-SR:2010:022, VIGILANCE-VUL-9877.

Description of the vulnerability

Two vulnerabilities were announced in Quagga Routing Suite.

An attacker can send a malicious BGP "Outbound Route Filtering" message in order to generate a stack overflow in the BGP daemon. [severity:2/4; 626783, BID-42635, CVE-2010-2948]

An attacker can send a malicious BGP "update AS path" message in order to generate a denial of service of the BGP daemon. [severity:2/4; 626795, BID-42642, CVE-2010-2949]

computer vulnerability alert CVE-2010-2946

Linux kernel: xattr access bypass on JFS

Synthesis of the vulnerability

An attacker can access extended attributes without the necessary permissions, using the os2 namespace.
Impacted products: Linux, NLD, OES, openSUSE, SLES.
Severity: 1/4.
Consequences: data reading, data creation/edition.
Provenance: user account.
Creation date: 24/08/2010.
Identifiers: BID-42589, CVE-2010-2946, MDVSA-2011:051, openSUSE-SU-2010:0664-1, openSUSE-SU-2010:0895-1, openSUSE-SU-2013:0927-1, SUSE-SA:2010:040, SUSE-SA:2010:046, SUSE-SA:2010:054, SUSE-SA:2010:060, SUSE-SA:2011:007, SUSE-SA:2011:008, SUSE-SU-2011:0928-1, VIGILANCE-VUL-9876.

Description of the vulnerability

The JFS filesystem handles extended attributes (xattr). They are sorted by namespace and accessed via their full name, of the form "namespace.attributename". Five namespaces are defined: user, trusted, system, security and os2. Access to attributes is restricted according to their namespace.

Historically, attributes of the os2 namespace are stored without a prefix. For example, the attribute "os2.attrname" is accessed by the driver as "attrname". However, if a full valid name is prefixed with the os2 namespace, for example "os2.system.attrname", the attribute "system.attrname" is accessed, bypassing the access restrictions of the "system.attrname" attribute.

An attacker can therefore access extended attributes without the necessary permissions, using the os2 namespace.

computer vulnerability 9875

Windows: denial of service via Ipv4SetEchoRequestCreate

Synthesis of the vulnerability

An attacker can interrupt the sending of an ICMP ECHO request in order to stop the kernel.
Impacted products: Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user account.
Creation date: 24/08/2010.
Identifiers: BID-42606, VIGILANCE-VUL-9875.

Description of the vulnerability

The IcmpSendEcho() function of the Windows API sends an IPv4 ICMP ECHO.

When sending a packet via IcmpSendEcho(), the Ipv4SetEchoRequestCreate() function of the tcpip.sys driver is called. However, when the call is interrupted by an exception, a locked memory page is not released, leading to a bug check that stops the kernel.

An attacker can therefore interrupt the sending of an ICMP ECHO request in order to stop the kernel.

vulnerability announcement CVE-2010-3055

phpMyAdmin: execution of PHP code via setup.php

Synthesis of the vulnerability

An attacker can use parameters of the setup.php script in order to inject PHP code in phpMyAdmin.
Impacted products: Debian, phpMyAdmin.
Severity: 2/4.
Consequences: user access/rights, client access/rights.
Provenance: document.
Creation date: 23/08/2010.
Identifiers: BID-42591, CERTA-2010-AVI-397, CVE-2010-3055, DSA-2097-1, DSA-2097-2, MDVSA-2010:163, PMASA-2010-4, VIGILANCE-VUL-9872.

Description of the vulnerability

The phpMyAdmin program is used to administer a MySQL database.

The setup.php script configures the environment. This script does not filter the parameters it receives. An attacker can therefore use it to inject arbitrary PHP code in the configuration file.

This vulnerability therefore permits an attacker to execute PHP code on the server.

vulnerability CVE-2010-3056

phpMyAdmin: several Cross Site Scripting vulnerabilities

Synthesis of the vulnerability

An attacker can use multiple features to generate several Cross Site Scripting attacks in phpMyAdmin.
Impacted products: Debian, Fedora, phpMyAdmin.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 23/08/2010.
Identifiers: BID-42584, CVE-2010-3056, DSA-2097-1, DSA-2097-2, FEDORA-2010-13249, FEDORA-2010-13258, FEDORA-2010-13402, MDVSA-2010:163, MDVSA-2010:164, PMASA-2010-5, VIGILANCE-VUL-9870.

Description of the vulnerability

The phpMyAdmin server is used to administer a MySQL database via a web browser.

Several pages do not correctly check data passed via the URL:
 - "field_str" parameter to db_search.php
 - "delimiter" parameter to db_sql.php
 - "sort" parameter to db_structure.php
 - "db" parameter to js/messages.php
 - "sort_by" parameter to server_databases.php
 - "checkprivs", "dbname", "pred_tablename", "selected_usr[]", "tablename", and "username" parameters to server_privileges.php
 - "DefaultLang" parameter to setup/config.php
 - "cpurge", "goto", "purge", "purgekey", "table", and "zero_rows" parameters to sql.php
 - "fields[multi_edit][]" parameter to tbl_replace.php

An attacker can therefore use multiple features to generate several Cross Site Scripting attacks in phpMyAdmin.

computer vulnerability note CVE-2010-1527

Novell iPrint Client: buffer overflow of op-client-interface-version

Synthesis of the vulnerability

An attacker can use "op-client-interface-version" with a return type of "url" and a very long parameter "call-back-url" in order to create a buffer overflow on the client machine.
Impacted products: Windows (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: internet server.
Creation date: 23/08/2010.
Identifiers: 7006679, BID-42576, CERTA-2010-AVI-396, CVE-2010-1527, VIGILANCE-VUL-9869.

Description of the vulnerability

Novell iPrint Client is an application for Windows which is used to manage document printing with the Novell iPrint Server.

The "op-client-interface-version" operation returns the version associated with the plug-in's HTML interface. It returns either a URL, a cookie or an object. In the case of a returned URL (via call-back-url), the client does not correctly verify the size of the URL, leading to a buffer overflow.

An attacker can therefore use "op-client-interface-version" with a return type of "url" and a very long parameter "call-back-url" in order to create a buffer overflow on the client machine.

computer vulnerability bulletin CVE-2010-2803

Linux kernel: memory disclosure via drm_ioctl

Synthesis of the vulnerability

An attacker can use the DRM_I810_xxx ioctls in order to read kernel data.
Impacted products: Debian, Linux, Mandriva Linux, openSUSE, RHEL, SLES.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 23/08/2010.
Identifiers: 621435, BID-42577, CVE-2010-2803, DSA-2094-1, MDVSA-2010:188, MDVSA-2010:198, openSUSE-SU-2010:0634-1, openSUSE-SU-2010:0664-1, openSUSE-SU-2010:0895-1, openSUSE-SU-2013:0927-1, RHSA-2010:0842-01, SUSE-SA:2010:040, SUSE-SA:2010:041, SUSE-SA:2010:046, SUSE-SA:2010:054, SUSE-SA:2011:007, VIGILANCE-VUL-9868.

Description of the vulnerability

The drm_ioctl() function of the file drivers/gpu/drm/drm_drv.c handles IOCTL commands for the DRM driver. Each command can take an input/output buffer as a parameter.

When handling an IOCTL command that returns data, the drm_ioctl() function allocates a kernel-space buffer to receive that data. The size of this buffer is defined by the first parameter of the function. The whole buffer is then copied to the buffer passed as a parameter. However, the drm_ioctl() function does not properly check the size of the returned data. Therefore more data than necessary can be copied to the caller.

An attacker can therefore use the DRM_I810_xxx ioctls in order to read kernel data.

computer vulnerability alert CVE-2010-2959

Linux kernel: buffer overflow of bcm_tx_setup and bcm_rx_setup

Synthesis of the vulnerability

An attacker can generate a buffer overflow using CAN BCM in order to elevate his privileges or to execute code.
Impacted products: Debian, Fedora, Linux, Mandriva Linux, openSUSE, SLES.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on service.
Provenance: user shell.
Creation date: 23/08/2010.
Revision date: 27/08/2010.
Identifiers: 625699, BID-42585, CVE-2010-2959, DSA-2094-1, FEDORA-2010-13903, MDVSA-2010:188, MDVSA-2010:198, openSUSE-SU-2010:0634-1, openSUSE-SU-2010:0654-1, openSUSE-SU-2010:0664-1, openSUSE-SU-2013:0927-1, SUSE-SA:2010:040, SUSE-SA:2010:041, SUSE-SA:2010:043, SUSE-SA:2010:046, SUSE-SA:2011:007, VIGILANCE-VUL-9866.

Description of the vulnerability

The BCM (Broadcast Manager) protocol of the CAN (Controller Area Network) bus handles the broadcast of packets on the bus.

The bcm_tx_setup() and bcm_rx_setup() functions of the file net/can/bcm.c handle the transmission/reception operations of AF_CAN sockets. Upon transmission/reception of a packet, frames are copied into a buffer. However, the size of the data to be copied is incorrectly checked, leading to a buffer overflow.

An attacker can therefore generate a buffer overflow using CAN BCM in order to elevate his privileges or to execute code.