The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

vulnerability announce CVE-2009-5016 CVE-2010-3870

PHP: incorrect decoding of utf8_decode

Synthesis of the vulnerability

When an application uses the utf8_decode() or xml_utf8_decode() functions, UTF-8 characters are incorrectly decoded, so an attacker can, for example, bypass a filter.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Mandriva Linux, openSUSE, PHP, RHEL, SLES.
Severity: 2/4.
Consequences: data creation/edition.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 02/11/2010.
Identifiers: 49687, BID-44605, BID-44889, CERTA-2003-AVI-002, CVE-2009-5016, CVE-2010-3870, DSA-2195-1, FEDORA-2010-18976, FEDORA-2010-19011, MDVSA-2010:224, openSUSE-SU-2010:1012-1, openSUSE-SU-2010:1053-1, RHSA-2010:0919-01, RHSA-2011:0195-01, SOL13519, SUSE-SR:2010:023, VIGILANCE-VUL-10092.

Description of the vulnerability

The PHP utf8_decode() and xml_utf8_decode() functions decode UTF-8 character sequences.

UTF-8 represents Unicode characters on one to four bytes, depending on the number of significant bits:
 - 1 to 7 bits : 0xxxxxxx
 - 8 to 11 bits : 110xxxxx 10xxxxxx
 - 12 to 16 bits : 1110xxxx 10xxxxxx 10xxxxxx
 - 17 to 21 bits : 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
UTF-8 limits a sequence to 4 bytes and forbids using more bytes than necessary (overlong forms).

However, the utf8_decode() and xml_utf8_decode() functions do not correctly decode malformed 4-byte sequences (17 to 21 bits). A valid character is thus produced instead of the unknown ('?') character.

When an application uses the utf8_decode() or xml_utf8_decode() functions, UTF-8 characters are therefore incorrectly decoded, so an attacker can, for example, bypass a filter.
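As an added example (not PHP's implementation and not part of the Vigil@nce bulletin), the Python decoder below applies the length and shortest-form rules listed above and emits '?' for every malformed sequence, which is the behaviour the bulletin describes as correct; a `strict=False` switch skips only the shortest-form check, which is enough to model a decoder that turns an overlong 4-byte sequence into a real character. The `contains_angle_bracket` filter and the `OVERLONG_LT` byte string are constructed for the demonstration, and the decoder keeps full Unicode rather than converting to ISO-8859-1 as utf8_decode() does.

```python
# Added example: strict UTF-8 decoding versus a lenient decoder that accepts
# overlong 4-byte forms. Not PHP's implementation; the filter and sample input
# below are constructed for this demonstration.
from typing import Optional


def decode_utf8(data: bytes, strict: bool = True) -> str:
    """Decode UTF-8, replacing each malformed sequence with '?'.

    strict=True  rejects overlong forms, surrogates, code points above
                 U+10FFFF and 5/6-byte lead bytes (RFC 3629 rules).
    strict=False skips only the shortest-form check, which is enough to
                 turn an overlong 4-byte sequence into a "valid" character.
    """
    out = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                        # 1 byte: 0xxxxxxx
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:               # 2 bytes: 110xxxxx 10xxxxxx
            need, cp, minimum = 1, b & 0x1F, 0x80
        elif 0xE0 <= b <= 0xEF:             # 3 bytes: 1110xxxx + 2 continuations
            need, cp, minimum = 2, b & 0x0F, 0x800
        elif 0xF0 <= b <= 0xF7:             # 4 bytes: 11110xxx + 3 continuations
            need, cp, minimum = 3, b & 0x07, 0x10000
        else:                               # stray continuation byte, or a
            out.append("?")                 # 5/6-byte lead byte (0xF8..0xFF)
            i += 1
            continue
        tail = data[i + 1:i + 1 + need]
        if len(tail) < need or any(not 0x80 <= t <= 0xBF for t in tail):
            out.append("?")                 # truncated or bad continuation byte
            i += 1
            continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        i += 1 + need
        out_of_range = cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF
        overlong = cp < minimum             # more bytes than necessary
        out.append("?" if out_of_range or (strict and overlong) else chr(cp))
    return "".join(out)


def contains_angle_bracket(raw: bytes) -> bool:
    """A naive filter that inspects the raw bytes *before* decoding."""
    return b"<" in raw


# Constructed sample: the overlong 4-byte form of U+003C '<' (0xF0 0x80 0x80 0xBC).
OVERLONG_LT = bytes([0xF0, 0x80, 0x80, 0xBC])


def filter_then_decode(raw: bytes, strict: bool) -> Optional[str]:
    """Return None when the filter blocks the input, else the decoded text."""
    if contains_angle_bracket(raw):
        return None
    return decode_utf8(raw, strict=strict)


if __name__ == "__main__":
    # The raw-byte filter passes OVERLONG_LT (no 0x3C byte is present); only
    # the strict decoder keeps it from becoming a real '<' afterwards.
    print(repr(filter_then_decode(OVERLONG_LT, strict=False)))  # '<'
    print(repr(filter_then_decode(OVERLONG_LT, strict=True)))   # '?'
```

The practical lesson is the ordering: a filter that inspects raw bytes is only as good as the decoder that runs after it, so either decode strictly first and filter the decoded text, or make sure the decoder rejects every non-shortest form.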
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2010-3316 CVE-2010-3430 CVE-2010-3431

Linux-PAM: eight vulnerabilities

Synthesis of the vulnerability

A local attacker can use eight vulnerabilities of Linux-PAM, in order to elevate his privileges.
Impacted products: Fedora, Mandriva Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, ESX, ESXi, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Consequences: privileged access/rights.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 8.
Creation date: 02/11/2010.
Revision date: 31/05/2011.
Identifiers: 637898, 641335, 643043, BID-42472, BID-43487, BID-44590, BID-46045, BID-46046, CERTA-2010-AVI-530, CVE-2010-3316, CVE-2010-3430, CVE-2010-3431, CVE-2010-3435, CVE-2010-3853, CVE-2010-4706, CVE-2010-4707, CVE-2010-4708, FEDORA-2010-17112, FEDORA-2010-17155, MDVSA-2010:220, openSUSE-SU-2011:1204-1, openSUSE-SU-2011:1208-1, RHSA-2010:0819-01, RHSA-2010:0891-01, SUSE-SU-2011:1205-1, SUSE-SU-2011:1207-1, SUSE-SU-2011:1209-1, SUSE-SU-2011:1218-1, VIGILANCE-VUL-10091, VMSA-2011-0004, VMSA-2011-0004.1, VMSA-2011-0004.2, VMSA-2011-0004.3, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005.

Description of the vulnerability

Eight vulnerabilities were announced in Linux-PAM.

An attacker can start several processes with RLIMIT_NPROC enabled, in order to force a failure of setuid(), so he can run the "xauth merge" command with the identity of the victim. [severity:2/4; 637898, BID-42472, CVE-2010-3316]

An attacker can use the pam_env and pam_mail modules to access the victim's files with root privileges, because these modules do not drop uid privileges. [severity:2/4; 641335, BID-43487, CVE-2010-3435]

An attacker can use the pam_env and pam_mail modules to access the victim's files with root privileges, because these modules do not drop fsgid/egid/group privileges. [severity:2/4; BID-43487, CERTA-2010-AVI-530, CVE-2010-3430]

An attacker can use the pam_env and pam_mail modules to access the victim's files with root privileges, because these modules do not check the return code of setfsuid(). [severity:2/4; BID-43487, CVE-2010-3431]

The pam_namespace module runs the namespace.init script, keeping the attacker's environment variables. [severity:1/4; 643043, BID-44590, CVE-2010-3853]

The pam_sm_close_session() function of pam_xauth.c does not correctly process errors, so an attacker can delete a file. [severity:1/4; BID-46045, CVE-2010-4706]

The check_acl() function of the pam_xauth.c file does not check if the ACL file is a regular file, so a local attacker can create a denial of service. [severity:1/4; BID-46045, CVE-2010-4707]

An attacker can create a ~/.pam_environment file, in order to alter the environment of a program. [severity:1/4; BID-46046, CVE-2010-4708]

vulnerability CVE-2010-3173

NSS: accepting short DHE keys

Synthesis of the vulnerability

When an SSL/TLS server uses a short DHE key, an attacker who captured the session can decrypt it more easily.
Impacted products: Debian, NSS, ESX.
Severity: 1/4.
Consequences: data flow.
Provenance: internet server.
Creation date: 02/11/2010.
Identifiers: 554354, 583337, 587234, CERTA-2002-AVI-272, CVE-2010-3173, DSA-2123-1, VIGILANCE-VUL-10090, VMSA-2011-0004.2, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005.

Description of the vulnerability

The NSS (Network Security Services) library implements SSL/TLS.

An attacker located between the client and the server, who knows the server's secret key, can decrypt an SSL/TLS session. The EDH/DHE (Ephemeral Diffie-Hellman) algorithm is used to compute a new key known only to the client and the server, so that such an intermediate attacker cannot decrypt the session.

However, if the SSL/TLS server uses a short DHE key (8 bits, for example), the NSS client does not reject it. The DHE protection can thus be bypassed by brute force (256 cases to test, for example).

When an SSL/TLS server uses a short DHE key, an attacker who captured the session can therefore decrypt it more easily. Note that the server has no legitimate reason to use a short key, so this vulnerability originates in a server error.
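The client-side check that closes this gap is a minimum size for the server's DH prime. As an added example (not NSS code and not from the bulletin), the Python below parses the ServerDHParams structure carried in a TLS 1.2 ServerKeyExchange (RFC 5246, section 7.4.3: dh_p, dh_g and dh_Ys, each a length-prefixed big-endian integer) and refuses short groups. The minimum of 2048 bits is an assumed policy value, and the parameters in `__main__` are constructed test data, not real safe primes.

```python
# Added example, not NSS code: parse ServerDHParams from a TLS ServerKeyExchange
# (RFC 5246, 7.4.3) and refuse short DHE groups. MIN_DH_PRIME_BITS is an assumed
# policy value; SHORT_*/LONG_* below are constructed test data, not real groups.
import struct
from typing import Optional, Tuple

MIN_DH_PRIME_BITS = 2048   # assumed policy; pick the value your deployment requires


def parse_server_dh_params(blob: bytes) -> Tuple[int, int, int]:
    """Decode dh_p, dh_g, dh_Ys: three big-endian integers, each with a 2-byte length."""
    values = []
    off = 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(blob):
            raise ValueError(f"truncated before {name} length")
        (length,) = struct.unpack_from("!H", blob, off)
        off += 2
        if length == 0 or off + length > len(blob):
            raise ValueError(f"bad {name} length {length}")
        values.append(int.from_bytes(blob[off:off + length], "big"))
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after ServerDHParams")
    return values[0], values[1], values[2]


def encode_server_dh_params(p: int, g: int, ys: int, pad_p_to: int = 0) -> bytes:
    """Build the wire form; pad_p_to > 0 left-pads p with zero bytes (a legal encoding)."""
    def field(v: int, min_len: int = 0) -> bytes:
        raw = v.to_bytes(max((v.bit_length() + 7) // 8, 1, min_len), "big")
        return struct.pack("!H", len(raw)) + raw
    return field(p, pad_p_to) + field(g) + field(ys)


def check_dh_params(p: int, g: int, ys: int, min_bits: int = MIN_DH_PRIME_BITS) -> Optional[str]:
    """Return None if the group is acceptable, else the reason for rejecting it.

    The size test uses p.bit_length(), not the encoded length, so zero padding
    on the wire cannot make an 8-bit prime look like a 2048-bit one.
    """
    if p.bit_length() < min_bits:
        return f"DH prime too short: {p.bit_length()} bits < {min_bits}"
    if p % 2 == 0:
        return "DH prime is even"
    if not 2 <= g <= p - 2:
        return "DH generator out of range"
    if not 2 <= ys <= p - 2:
        return "server public value out of range"
    return None


def evaluate_server_key_exchange(blob: bytes, min_bits: int = MIN_DH_PRIME_BITS) -> Optional[str]:
    """Parse then check; returns the rejection reason, or None when the client may continue."""
    p, g, ys = parse_server_dh_params(blob)
    return check_dh_params(p, g, ys, min_bits)


# Constructed test data (not real safe primes): an 8-bit group like the one in
# the bulletin, and a 2048-bit odd modulus standing in for a proper group.
SHORT_P, SHORT_G, SHORT_YS = 251, 2, 17
LONG_P, LONG_G, LONG_YS = (1 << 2047) | 1, 2, 1 << 1000

if __name__ == "__main__":
    print(evaluate_server_key_exchange(encode_server_dh_params(SHORT_P, SHORT_G, SHORT_YS)))
    print(evaluate_server_key_exchange(encode_server_dh_params(SHORT_P, SHORT_G, SHORT_YS, pad_p_to=256)))
    print(evaluate_server_key_exchange(encode_server_dh_params(LONG_P, LONG_G, LONG_YS)))
```

The padded case matters in practice: a length-prefixed field can carry leading zero bytes, so a check based on the encoded length rather than the integer's bit length would accept an 8-bit modulus dressed up as a 256-byte one.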

computer vulnerability note CVE-2010-3436 CVE-2010-3709 CVE-2010-3710

PHP: three vulnerabilities

Synthesis of the vulnerability

An attacker can use three vulnerabilities of PHP, in order to create a denial of service, or to access files.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Mandriva Linux, openSUSE, PHP, RHEL, Slackware, SLES.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 02/11/2010.
Identifiers: BID-44718, BID-44723, CERTA-2003-AVI-002, CERTA-2010-AVI-474, CVE-2010-3436, CVE-2010-3709, CVE-2010-3710, DSA-2195-1, FEDORA-2010-18976, FEDORA-2010-19011, MDVSA-2010:218, openSUSE-SU-2010:1012-1, openSUSE-SU-2010:1053-1, RHSA-2011:0195-01, RHSA-2011:0196-01, SOL13519, SSA:2010-357-01, SUSE-SR:2010:023, VIGILANCE-VUL-10089.

Description of the vulnerability

Three vulnerabilities were announced in PHP.

An attacker can use a long email address, in order to force the filter_var() function to consume a lot of resources when FILTER_VALIDATE_EMAIL is used, which stops the application. [severity:2/4; CERTA-2010-AVI-474, CVE-2010-3710]

An attacker can create a malicious ZIP archive, in order to force the ZipArchive::getArchiveComment() function to dereference a NULL pointer, which stops the application. [severity:2/4; BID-44718, CVE-2010-3709]

An attacker can bypass open_basedir, which defines the directories where files may be located. [severity:2/4; BID-44723, CVE-2010-3436]

computer vulnerability bulletin CVE-2010-4221

ProFTPd: buffer overflow via TELNET_IAC

Synthesis of the vulnerability

An unauthenticated attacker can use the TELNET_IAC character, in order to create a buffer overflow in ProFTPd, leading to code execution.
Impacted products: Fedora, Mandriva Linux, ProFTPD, Slackware.
Severity: 4/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 02/11/2010.
Identifiers: 3521, BID-44562, CVE-2010-4221, FEDORA-2010-17091, FEDORA-2010-17098, FEDORA-2010-17220, MDVSA-2010:227, SSA:2010-305-03, VIGILANCE-VUL-10088, ZDI-10-229.

Description of the vulnerability

RFC 959, which defines the FTP protocol, requires that the control connection use the Telnet protocol.

The Telnet protocol is mostly text, into which control sequences are inserted. The 0xFF byte (TELNET_IAC, Interpret As Command) introduces a two-byte command.

When ProFTPd reads a command line, the pr_cmd_read() function calls pr_netio_telnet_gets(), which stores the line in a 4103-byte array. For each input byte, this function checks that the array will not overflow. However, if an IAC byte arrives at the last position, the array index is incremented by two, so the check never catches the overflow.

An unauthenticated attacker can therefore use the TELNET_IAC character to create a buffer overflow in ProFTPd version 1.3.2 or later, leading to code execution.
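As an added example (a model written for this page, not ProFTPd's code), the Python below reproduces the reader's structure described above: a fixed-size array, a bound check per input byte, and an IAC byte copied together with the byte that follows it. The defective check assumes one byte will be written per iteration; the hardened check reserves room for everything the iteration is about to write. A `bytearray` of fixed size stands in for the C array, and an `IndexError` on assignment stands in for the out-of-bounds write, so the two variants can be compared on the same regression input without any memory corruption.

```python
# Added example, not ProFTPd code: a model of the line reader described in
# the bulletin, with the defective bound check beside a corrected one. A
# Python bytearray of fixed size stands in for the C array; an IndexError
# on assignment stands in for the out-of-bounds write.

BUFSIZE = 4103          # array size quoted in the bulletin
IAC = 0xFF              # Telnet "Interpret As Command"
LF = 0x0A


class LineTooLong(Exception):
    """Raised when the line does not fit; the caller should drop the connection."""


def telnet_gets(stream: bytes, bufsize: int = BUFSIZE, hardened: bool = True) -> bytes:
    """Copy one line (up to and including LF) from stream into a bufsize array.

    An IAC byte and the byte that follows it are copied as a unit, so the
    write index advances by two for that single input byte.
    """
    buf = bytearray(bufsize)
    i = pos = 0
    while pos < len(stream):
        b = stream[pos]
        step = 2 if (b == IAC and pos + 1 < len(stream)) else 1
        if hardened:
            if i + step > bufsize:          # reserve room for every byte about to be written
                raise LineTooLong(f"line exceeds {bufsize} bytes")
        elif i >= bufsize:                  # defective: assumes one byte per iteration,
            raise LineTooLong(f"line exceeds {bufsize} bytes")   # so i == bufsize-1 passes
        for k in range(step):
            buf[i + k] = stream[pos + k]    # IndexError here == overflow in the C version
        i += step
        pos += step
        if b == LF:
            break
    return bytes(buf[:i])


def overruns_buffer(stream: bytes, hardened: bool, bufsize: int = BUFSIZE) -> bool:
    """True if the reader would write past the end of its array for this input."""
    try:
        telnet_gets(stream, bufsize, hardened)
    except LineTooLong:
        return False                        # rejected cleanly
    except IndexError:
        return True                         # modelled out-of-bounds write
    return False


# Constructed regression input: a line that fills all but the last slot, then
# an IAC pair, which is exactly the condition the bulletin describes.
REGRESSION_INPUT = b"A" * (BUFSIZE - 1) + bytes([IAC, 0xF4])

if __name__ == "__main__":
    print("defective check overruns:", overruns_buffer(REGRESSION_INPUT, hardened=False))  # True
    print("hardened check overruns: ", overruns_buffer(REGRESSION_INPUT, hardened=True))   # False
```

The general rule this illustrates: whenever a parser can consume more than one unit per step, the bound check must be against the amount about to be written, not against the current index alone.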

computer vulnerability announce CVE-2010-3867

ProFTPd: directory traversal via mod_site_misc

Synthesis of the vulnerability

When mod_site_misc is enabled, and if a directory is writable, an attacker can access files located outside the writable directory.
Impacted products: Debian, Fedora, Mandriva Linux, ProFTPD, Slackware.
Severity: 1/4.
Consequences: data creation/edition.
Provenance: internet client.
Creation date: 02/11/2010.
Identifiers: 3519, BID-44562, CERTA-2003-AVI-002, CERTA-2010-AVI-531, CVE-2010-3867, DSA-2191-1, FEDORA-2010-17091, FEDORA-2010-17098, FEDORA-2010-17220, MDVSA-2010:227, SSA:2010-305-03, VIGILANCE-VUL-10087.

Description of the vulnerability

The mod_site_misc module implements additional FTP commands for ProFTPd:
 - SITE MKDIR: create a directory
 - SITE RMDIR: delete a directory
 - SITE SYMLINK: create a symbolic link
 - SITE UTIME: change the time of a file
This module is disabled by default.

The ProFTPd configuration can define a writable directory, such as "incoming". Files located outside this directory cannot be altered. However, by using "../" and SITE commands, an attacker can:
 - create a directory located outside the writable directory
 - delete a directory located outside the writable directory
 - create a symlink located outside the writable directory
 - change the time of a file located outside the writable directory

When mod_site_misc is enabled, and if a directory is writable, an attacker can therefore access files located outside the writable directory.
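The defence for every one of the four commands is the same containment check applied before the file system is touched. As an added example (not ProFTPd code and not part of the bulletin), the Python below resolves the client-supplied path against the writable directory with `realpath`, so that both "../" components and symlinks already present inside the tree are followed before the decision is made, and treats SITE SYMLINK specially because the link's target must be contained as well. The temporary directory layout in `demo_checks` is constructed for the example and assumes POSIX symlinks.

```python
# Added example, not ProFTPd code: a containment check a server-side command
# handler can apply before SITE MKDIR / RMDIR / SYMLINK / UTIME touch anything.
# Paths are resolved with realpath so that "../" and symlinks already inside
# the writable directory cannot reach outside it. The directory layout built
# in demo_checks() is constructed for this example (POSIX symlinks assumed).
import os
import tempfile
from typing import Dict, Optional


def resolve_inside(writable_dir: str, client_path: str) -> Optional[str]:
    """Return the resolved absolute path if it stays under writable_dir, else None.

    Works for paths that do not exist yet (MKDIR, SYMLINK): realpath resolves
    the existing prefix, normalises "..", and keeps the trailing components.
    """
    base = os.path.realpath(writable_dir)
    candidate = os.path.realpath(os.path.join(base, client_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def site_symlink_allowed(writable_dir: str, link_path: str, target_path: str) -> bool:
    """For SITE SYMLINK both the link location and what it points at must be
    contained; otherwise the link becomes a door out of the directory for
    later commands."""
    return (resolve_inside(writable_dir, link_path) is not None
            and resolve_inside(writable_dir, target_path) is not None)


def demo_checks() -> Dict[str, bool]:
    """Exercise the check in a throwaway tree; True means the operation would be allowed."""
    with tempfile.TemporaryDirectory() as root:
        incoming = os.path.join(root, "incoming")
        secret = os.path.join(root, "secret")
        os.mkdir(incoming)
        os.mkdir(secret)
        # a symlink that already exists inside the writable tree and points outside it
        os.symlink(secret, os.path.join(incoming, "escape"))
        return {
            "new subdir": resolve_inside(incoming, "uploads/2010") is not None,
            "dotdot": resolve_inside(incoming, "../secret/notes") is not None,
            "hidden dotdot": resolve_inside(incoming, "uploads/../../secret") is not None,
            "absolute": resolve_inside(incoming, "/etc/passwd") is not None,
            "through symlink": resolve_inside(incoming, "escape/notes") is not None,
            "symlink to outside": site_symlink_allowed(incoming, "lnk", "../secret"),
            "symlink inside": site_symlink_allowed(incoming, "lnk", "uploads"),
        }


if __name__ == "__main__":
    for name, allowed in demo_checks().items():
        print(f"{name:20s} -> {'allowed' if allowed else 'rejected'}")
```

Note that a purely lexical check (stripping "../" from the string) would pass the "through symlink" case, since the path contains no dot-dot at all; resolving against the real file system is what catches it.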

computer vulnerability alert CVE-2010-3865

Linux kernel: integer overflow via RDS

Synthesis of the vulnerability

A local attacker can use a sendmsg() on an RDS socket, with a large iovec array, in order to generate an integer overflow, leading to a memory corruption.
Impacted products: Linux, openSUSE, RHEL, SLES, ESX.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: user shell.
Creation date: 29/10/2010.
Identifiers: 647416, BID-44549, CVE-2010-3865, ESX400-201110001, ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110406-SG, ESX400-201110408-SG, ESX400-201110409-SG, ESX400-201110410-SG, openSUSE-SU-2010:0933-1, openSUSE-SU-2011:0003-1, openSUSE-SU-2011:0004-1, RHSA-2011:0004-01, RHSA-2011:0007-01, SUSE-SA:2010:057, SUSE-SA:2011:001, SUSE-SA:2011:002, SUSE-SA:2011:007, VIGILANCE-VUL-10086, VMSA-2011-0004.2, VMSA-2011-0009.1, VMSA-2011-0010.2, VMSA-2011-0012, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005.

Description of the vulnerability

The RDS (Reliable Datagram Socket) protocol transmits data in connectionless mode. It has been supported by the kernel since version 2.6.30.

The sendmsg() system call sends a message to a socket:
  sendmsg(socket, &msghdr, flags);
The msghdr structure contains an array of iovec structures (memory areas holding the data).

The RDS implementation of recvmsg() uses rds_rdma_pages(), in the net/rds/rdma.c file, to count the memory pages involved. However, if the sendmsg() parameters are too large, the computed number of pages overflows.

A local attacker can therefore use a sendmsg() on an RDS socket, with a large iovec array, in order to generate an integer overflow, leading to a memory corruption.

computer vulnerability CVE-2010-3846

CVS: integer overflow via RCS

Synthesis of the vulnerability

An attacker can upload a malicious RCS file in a CVS repository, in order to execute code on computers of CVS clients.
Impacted products: CVS, Fedora, RHEL.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet server.
Creation date: 29/10/2010.
Identifiers: 642146, BID-44528, CVE-2010-3846, FEDORA-2010-16599, FEDORA-2010-16600, FEDORA-2010-16721, RHSA-2010:0918-01, VIGILANCE-VUL-10085.

Description of the vulnerability

An RCS (Revision Control System) file describes changes which occurred on a file.

When an RCS file is located in a repository and the CVS client does a "checkout" to create a local copy, the CVS client parses the RCS file. The rcs.c code then processes the changed lines and stores them in an array. However, the index of this array can overflow, which corrupts memory.

An attacker can therefore upload a malicious RCS file in a CVS repository, in order to execute code on computers of CVS clients.

vulnerability note CVE-2010-2941

CUPS: memory corruption via IPP Attribute

Synthesis of the vulnerability

An attacker can send a malicious IPP query to CUPS, in order to corrupt its memory, which creates a denial of service and possibly leads to code execution.
Impacted products: CUPS, Debian, Fedora, Mandriva Linux, OpenSolaris, openSUSE, RHEL, Slackware, SLES.
Severity: 3/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: intranet client.
Creation date: 29/10/2010.
Identifiers: 624438, BID-44530, CERTA-2010-AVI-577, CVE-2010-2941, DSA-2176-1, FEDORA-2010-17615, FEDORA-2010-17627, FEDORA-2010-17641, MDVSA-2010:232, MDVSA-2010:233, MDVSA-2010:234, openSUSE-SU-2010:1018-1, openSUSE-SU-2010:1053-1, RHSA-2010:0811-01, RHSA-2010:0866-02, SSA:2010-333-01, SUSE-SR:2010:023, VIGILANCE-VUL-10084.

Description of the vulnerability

The CUPS product (Common UNIX Printing System) provides printer management on Unix. It uses the IPP protocol (Internet Printing Protocol), which listens on port 631/tcp.

An IPP query contains attributes, which can have several values. These values are allocated depending on the attribute type:
 - 56 (not defined) : use of malloc(), which has to be freed with free()
 - 65 (IPP_TAG_TEXT) : use of the StrAlloc() pool memory manager, which has to be freed with StrFree()
 - etc.
However, if an attribute mixes values allocated with malloc() and values allocated with StrAlloc(), free() is always called, including on the StrAlloc() values.

An attacker can therefore send a malicious IPP query to CUPS, in order to corrupt its memory, which creates a denial of service and possibly leads to code execution.

vulnerability bulletin CVE-2010-3654

Adobe Flash, Reader: code execution

Synthesis of the vulnerability

An attacker can invite the victim to display a malicious Flash document, or a PDF document containing malicious Flash data, in order to execute code on his computer.
Impacted products: Flash Player, Acrobat, openSUSE, RHEL, SLES.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 29/10/2010.
Identifiers: APSA10-05, APSB10-26, APSB10-28, BID-44504, CVE-2010-3654, openSUSE-SU-2010:1030-1, RHSA-2010:0829-01, RHSA-2010:0834-01, RHSA-2010:0867-02, RHSA-2010:0934-01, SUSE-SA:2010:055, SUSE-SA:2010:058, VIGILANCE-VUL-10083, VU#298081.

Description of the vulnerability

The Adobe Flash Player program displays animations in the SWF (Shockwave Flash) format. With a plugin/module, these animations can be displayed directly in a web page.

The Adobe Reader and Acrobat programs include a Flash reader, managed by authplay.dll. With a plugin/module, these PDF documents can be directly displayed in a web page.

An attacker can invite the victim to display a malicious Flash document, or a PDF document containing malicious Flash data, in order to execute code on his computer.
