History of vulnerabilities analyzed by Vigil@nce:

computer vulnerability note CVE-2010-3067

Linux kernel: memory corruption via do_io_submit

Synthesis of the vulnerability

A local attacker can use io_submit() in order to corrupt the kernel memory, which leads to a denial of service and possibly to code execution.
Impacted products: Debian, Fedora, Linux, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES, ESX.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 21/09/2010.
Identifiers: 629441, BID-43353, CERTA-2002-AVI-272, CVE-2010-3067, DSA-2126-1, ESX400-201110001, ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110406-SG, ESX400-201110408-SG, ESX400-201110409-SG, ESX400-201110410-SG, FEDORA-2010-14832, FEDORA-2010-14878, FEDORA-2010-14890, FEDORA-2011-2134, MDVSA-2010:257, MDVSA-2011:029, MDVSA-2011:051, openSUSE-SU-2010:1047-1, openSUSE-SU-2011:0003-1, openSUSE-SU-2011:0004-1, RHSA-2010:0758-01, RHSA-2010:0779-01, RHSA-2010:0839-01, RHSA-2011:0007-01, SUSE-SA:2010:060, SUSE-SA:2011:001, SUSE-SA:2011:002, SUSE-SA:2011:007, SUSE-SA:2011:008, SUSE-SU-2011:0928-1, VIGILANCE-VUL-9959, VMSA-2011-0004.2, VMSA-2011-0009.1, VMSA-2011-0010.2, VMSA-2011-0012, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005.

Description of the vulnerability

The io_submit() system call submits asynchronous read/write requests on a file:
  io_submit(context, size_of_array, array_of_blocks);

It calls the do_io_submit() function of the file fs/aio.c. However, this function does not check whether the following multiplication overflows:
  size_of_array * size_of_a_block
When the size_of_array parameter is too large, the product wraps around and memory is corrupted.

A local attacker can therefore use io_submit() in order to corrupt the kernel memory, which leads to a denial of service and possibly to code execution.
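The bound that is missing in the description above, shown as an added example: a user-space model (not the kernel's own code, with hypothetical names) of the count-times-element-size product, once unchecked so that it wraps, and once rejected before the multiplication is performed.

```c
/* Added example, not the kernel's own code: a user-space model of the
 * bound do_io_submit() needs before it sizes the iocb pointer array from
 * the user-supplied count. Names are hypothetical; sizes are the host's,
 * not those of any particular kernel build. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

struct iocb;   /* opaque here: only the size of a pointer to it matters */

/* Vulnerable shape: nr * element size is computed in size_t and silently
 * wraps for a large nr, so a later access check or allocation sees a far
 * smaller byte count than the request actually covers. */
static size_t unchecked_array_bytes(long nr)
{
    return (size_t)nr * sizeof(struct iocb *);
}

/* Smallest positive count whose product wraps to exactly 0 on this host. */
static long first_wrapping_count(void)
{
    return (long)(SIZE_MAX / sizeof(struct iocb *)) + 1;
}

/* Hardened shape: reject negative counts and any count whose product cannot
 * be represented, before the multiplication is ever performed.
 * Returns the byte count, or -EINVAL. */
static long checked_array_bytes(long nr)
{
    if (nr < 0)
        return -EINVAL;
    if (nr > (long)(LONG_MAX / sizeof(struct iocb *)))
        return -EINVAL;                 /* nr * sizeof would overflow */
    return nr * (long)sizeof(struct iocb *);
}

int main(void)
{
    long w = first_wrapping_count();
    printf("nr=16 -> %ld bytes\n", checked_array_bytes(16));
    printf("nr=%ld -> unchecked %zu bytes, checked %ld\n",
           w, unchecked_array_bytes(w), checked_array_bytes(w));
    return 0;
}
```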

computer vulnerability bulletin CVE-2010-3079

Linux kernel: denial of service via ftrace

Synthesis of the vulnerability

When DebugFS is enabled, a local attacker can use ftrace in order to stop the system.
Impacted products: Fedora, Linux, openSUSE, RHEL, SLES.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: user shell.
Creation date: 21/09/2010.
Identifiers: 631623, BID-43684, CVE-2010-3079, FEDORA-2010-14878, FEDORA-2010-14890, FEDORA-2011-6447, openSUSE-SU-2010:0655-1, openSUSE-SU-2010:0664-1, openSUSE-SU-2010:0720-1, openSUSE-SU-2013:0927-1, RHSA-2010:0842-01, SUSE-SA:2010:046, SUSE-SA:2010:047, SUSE-SA:2010:050, SUSE-SA:2011:007, VIGILANCE-VUL-9958.

Description of the vulnerability

The DebugFS virtual file system is used to debug changes on an ext2 file system.

The ftrace feature profiles events of an application. The filter set_ftrace_filter defines operations to monitor (open, read, write, llseek, etc.).

The llseek() operation changes the position of the cursor in a file. However, when llseek() is traced on DebugFS, a NULL pointer is dereferenced.

When DebugFS is enabled, a local attacker can therefore use ftrace in order to stop the system.

computer vulnerability announce CVE-2010-3434

ClamAV: buffer overflow via PDF

Synthesis of the vulnerability

An attacker can send a malformed PDF document, in order to stop ClamAV, and possibly to execute code.
Impacted products: ClamAV, openSUSE, SLES.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Creation date: 21/09/2010.
Identifiers: 2226, BID-43555, CVE-2010-3434, openSUSE-SU-2010:0921-1, SUSE-SR:2010:020, VIGILANCE-VUL-9957.

Description of the vulnerability

A PDF document contains objects:
 - Encoding: character encoding
 - Font: character font
 - Page: page
 - etc.

The pdf_findobj() function of the libclamav/pdf.c file decodes these objects. It calls the find_stream_bounds() function to find the end of objects.

However, these functions do not correctly decode the size of objects, and a buffer overflow occurs.

An attacker can therefore send a malformed PDF document, in order to stop ClamAV, and possibly to execute code.

computer vulnerability alert CVE-2010-0405

bzip2: integer overflow via RUNA/RUNB

Synthesis of the vulnerability

An attacker can create a malicious bz2 document, and invite the victim to open it with bzip2 or an application linked to libbzip2, in order to execute code on his computer.
Impacted products: ClamAV, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, Mandriva Linux, NetBSD, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SLES, Unix (platform) ~ not comprehensive, ESX, ESXi, VMware vSphere, VMware vSphere Hypervisor.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 20/09/2010.
Identifiers: 1993667, BID-43331, CERTA-2010-AVI-449, CERTA-2012-AVI-151, CVE-2010-0405, DSA-2112-1, FEDORA-2010-15106, FEDORA-2010-15120, FEDORA-2010-15125, FEDORA-2010-15443, FEDORA-2010-17439, FreeBSD-SA-10:08.bzip2, MDVSA-2010:185, NetBSD-SA2010-007, openSUSE-SU-2010:0684-1, RHSA-2010:0703-01, RHSA-2010:0858-03, SOL15878, SSA:2010-263-01, SUSE-SR:2010:018, VIGILANCE-VUL-9956, VMSA-2010-0019, VMSA-2010-0019.1, VMSA-2010-0019.2, VMSA-2010-0019.3.

Description of the vulnerability

The bzip2 compression algorithm encodes blocks of at most 900 kB. It uses an RLE (Run Length Encoding) scheme in which a repeated sequence is replaced by the sequence and its repetition count. For example:
  ab ab ab ab cdef
is encoded as:
  ab(4 times) cdef
The repetition count (4 in the example) is encoded in a variant of binary using two symbols, RUNA (value 1) and RUNB (value 2), each multiplied by an increasing power of two. For example, 50 is encoded as:
  RUNB(2) RUNB(2) RUNA(1) RUNA(1) RUNB(2)
which means:
  1*2 + 2*2 + 4*1 + 8*1 + 16*2 = 50
The number resulting from the sum of the RUNA and RUNB terms must not be larger than 900k.

The libbzip2 library implements the bzip2 algorithm. However, the BZ2_decompress() function of the decompress.c file does not check whether the repetition count is larger than 900k. An integer overflow thus occurs, and memory is corrupted.

An attacker can therefore create a malicious bz2 document, and invite the victim to open it with bzip2 or an application linked to libbzip2, in order to execute code on his computer.
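The RUNA/RUNB scheme described above, as an added example that is not libbzip2's code: a decoder that re-checks the 900k bound on every symbol, so that neither the power-of-two weight nor the running sum can overflow, together with the inverse encoder used to round-trip the bulletin's value 50. Function names and the error codes are hypothetical.

```c
/* Added example, not libbzip2's code: a RUNA/RUNB run-length decoder that
 * enforces the 900k block bound the bulletin describes, plus the matching
 * encoder for round-trip checks. Names and error codes are hypothetical. */
#include <stddef.h>
#define RUNA 'A'                 /* symbol weight 1 */
#define RUNB 'B'                 /* symbol weight 2 */
#define MAX_BLOCK_SIZE 900000u   /* largest bzip2 block */
/* Decode a RUNA/RUNB string: returns 0 and stores the count in *out, or -1 on
 * a bad symbol or if the count would exceed MAX_BLOCK_SIZE (no wrap possible). */
static int decode_run(const char *syms, unsigned int *out)
{
    unsigned int weight = 1, count = 0;
    for (; *syms; syms++) {
        unsigned int digit = (*syms == RUNA) ? 1 : (*syms == RUNB) ? 2 : 0;
        if (digit == 0 || weight > MAX_BLOCK_SIZE)
            return -1;                  /* bad symbol or too many symbols */
        if (digit * weight > MAX_BLOCK_SIZE - count)
            return -1;                  /* run would exceed the block */
        count += digit * weight;
        weight *= 2;
    }
    *out = count;
    return 0;
}
/* Encode n (1..MAX_BLOCK_SIZE) into buf, peeling off a 1 (RUNA) or a 2 (RUNB)
 * at each weight. Returns the symbol count, or -1 if n or buf is unsuitable. */
static int encode_run(unsigned int n, char *buf, size_t cap)
{
    size_t len = 0;
    if (n == 0 || n > MAX_BLOCK_SIZE) return -1;
    for (; n > 0; len++) {
        if (len + 1 >= cap) return -1;
        if (n % 2) { buf[len] = RUNA; n = (n - 1) / 2; }
        else       { buf[len] = RUNB; n = (n - 2) / 2; }
    }
    buf[len] = '\0';
    return (int)len;
}
/* Helpers: decode_or_zero() yields 0 for a rejected run (0 is never a valid
 * length); roundtrip_ok() encodes n, decodes it back and compares. */
static unsigned int decode_or_zero(const char *syms)
{
    unsigned int n;
    return decode_run(syms, &n) == 0 ? n : 0;
}
static int roundtrip_ok(unsigned int n)
{
    char buf[40];
    return encode_run(n, buf, sizeof buf) > 0 && decode_or_zero(buf) == n;
}
```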

computer vulnerability 9955

Adobe Reader, Acrobat: memory corruption via acroform_PlugInMain

Synthesis of the vulnerability

An attacker can create a malicious PDF document, and invite the victim to open it, in order to generate a denial of service and possibly to execute code on his computer.
Impacted products: Acrobat.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 20/09/2010.
Identifiers: BID-42998, VIGILANCE-VUL-9955.

Description of the vulnerability

The AcroForm.api module processes PDF forms.

The AcroForm::PlugInMain (acroform_PlugInMain) method does not correctly process malformed PDF data.

An attacker can therefore create a malicious PDF document, and invite the victim to open it, in order to generate a denial of service and possibly to execute code on his computer.

vulnerability note 9954

Adobe Reader, Acrobat: memory corruption via AcroForm.api

Synthesis of the vulnerability

An attacker can create a malicious PDF document, and invite the victim to open it, in order to generate a denial of service and possibly to execute code on his computer.
Impacted products: Acrobat.
Severity: 3/4.
Consequences: user access/rights, client access/rights.
Provenance: document.
Creation date: 20/09/2010.
Identifiers: BID-42701, VIGILANCE-VUL-9954.

Description of the vulnerability

The AcroForm.api module processes PDF forms.

When a form contains a special character, the AcroForm.api module uses an invalid memory area.

An attacker can therefore create a malicious PDF document, and invite the victim to open it, in order to generate a denial of service and possibly to execute code on his computer.

vulnerability bulletin CVE-2010-3332

ASP.NET: information disclosure via Padding Oracle

Synthesis of the vulnerability

An attacker can use ASP.NET as an "oracle" to decrypt information such as the View State object, or read a file such as "web.config".
Impacted products: IIS, .NET Framework, Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, SUSE Linux Enterprise Desktop, SLES.
Severity: 3/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Creation date: 20/09/2010.
Identifiers: 2416728, 2418042, BID-43316, CERTA-2010-AVI-458, CVE-2010-3332, MS10-070, SUSE-SU-2012:0393-1, VIGILANCE-VUL-9953.

Description of the vulnerability

An ASP page can use a hidden variable named __VIEWSTATE, containing the state of a form. This View State, as well as cookie content, can be encrypted with AES.

When the size of the data is not a multiple of the encryption block size, padding bytes are added. PKCS#7 padding adds bytes whose value is the padding size. For example:
 - 01
 - 02 02
 - etc.
The clear content of the padding is thus known.

When the padding is invalid, an ASP.NET application generates the System.Security.Cryptography.CryptographicException exception ("Padding is invalid and cannot be removed"). This error message is different from other messages. An ASP.NET application can thus act as an oracle indicating if a block is valid.

An attacker can therefore, one byte at a time, vary the padding to obtain a different error message, and progressively determine the encryption key. The attacker can then for example decrypt the content of View State or cookies. He can also encrypt malicious data and send them to the server, which will interpret them as valid.

By extension, this vulnerability can also be used to read files reachable by the application, such as "web.config".

An attacker can therefore use ASP.NET as an "oracle" to decrypt information such as the View State object, or read a file such as "web.config".

vulnerability announce CVE-2010-3474 CVE-2010-3475 CVE-2010-3731

IBM DB2 9.7: three vulnerabilities

Synthesis of the vulnerability

An attacker can use three vulnerabilities of IBM DB2, in order to execute code or privileged features.
Impacted products: DB2 UDB.
Severity: 3/4.
Consequences: privileged access/rights.
Provenance: user account.
Number of vulnerabilities in this bulletin: 3.
Creation date: 17/09/2010.
Revisions dates: 31/01/2011, 20/04/2011.
Identifiers: BID-43291, BID-43634, BID-46077, CERTA-2010-AVI-443, CVE-2010-3474, CVE-2010-3475, CVE-2010-3731, IC68015, IC69986, IC70406, IC70538, IC70539, swg21446455, VIGILANCE-VUL-9952, ZDI-11-035.

Description of the vulnerability

Three vulnerabilities were announced in IBM DB2.

When privileges on an object are revoked for PUBLIC, a local attacker can continue to execute functions, because they are not marked as INVALID. [severity:2/4; CERTA-2010-AVI-443, CVE-2010-3474, IC68015]

When a privileged user calls a Compound SQL (compiled), it is stored in the cache. However, access rights to the cache are not checked. An unprivileged attacker can therefore execute the cached query. [severity:2/4; CVE-2010-3475, IC70406]

A remote attacker can generate a buffer overflow in the validateUser() function of the administrative server (db2dasrrm), in order to generate a denial of service, and possibly to execute code. [severity:3/4; BID-43634, BID-46077, CVE-2010-3731, IC69986, IC70538, IC70539, ZDI-11-035]

vulnerability alert CVE-2010-2080 CVE-2010-3476

OTRS: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several Cross Site Scripting vulnerabilities or a denial of service in OTRS.
Impacted products: openSUSE, OTRS Help Desk, SLES.
Severity: 2/4.
Consequences: client access/rights, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 17/09/2010.
Identifiers: BID-43264, CVE-2010-2080, CVE-2010-3476, openSUSE-SU-2010:1061-1, OSA-2010-02, SUSE-SR:2010:024, VIGILANCE-VUL-9951.

Description of the vulnerability

Two vulnerabilities were announced in OTRS.

The pages AgentStatsOverview, AdminCustomerUser, AdminCustomerUserGroup, AdminCustomerUserGroupForm and CustomerTicketOverView do not correctly check their data before displaying them. An attacker can therefore generate a Cross Site Scripting attack. [severity:2/4; CVE-2010-2080]

An attacker can send an HTML mail containing specific data, in order to force the Perl regular expression engine to consume all available processor resources. [severity:2/4; CVE-2010-3476]

vulnerability CVE-2009-3743

Ghostscript: memory corruption via PDF

Synthesis of the vulnerability

An attacker can invite the victim to view a malicious PDF document, in order to stop Ghostscript, or to execute code.
Impacted products: Fedora, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 17/09/2010.
Revision date: 26/11/2010.
Identifiers: 691044, CVE-2009-3743, FEDORA-2010-11325, FEDORA-2010-11376, r10602, RHSA-2012:0095-01, SUSE-SU-2012:0531-1, TSSA-2010-01, VIGILANCE-VUL-9950, VU#644319.

Description of the vulnerability

The Ghostscript program displays PDF or PostScript documents.

The file gs/base/ttinterp.c analyzes TrueType fonts. The TrueType MINDEX instruction moves the indexed item to the top of the stack. However, if the index is null, the Ins_MINDEX() function of the ttinterp.c file uses an invalid memory address.

An attacker can therefore invite the victim to view a malicious PDF document, in order to stop Ghostscript, or to execute code.