The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Apple MacOS X

computer vulnerability CVE-2016-8670

libgd: buffer overflow via dynamicGetbuf

Synthesis of the vulnerability

An attacker can generate a buffer overflow via dynamicGetbuf of libgd, in order to trigger a denial of service, and possibly to run code.
Impacted products: Mac OS X, Debian, Fedora, openSUSE, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 19/10/2016.
Identifiers: CVE-2016-8670, DLA-665-1, FEDORA-2016-722c0afc64, FEDORA-2016-e45a7e7b13, HT207483, openSUSE-SU-2016:2606-1, openSUSE-SU-2016:2772-1, openSUSE-SU-2016:2831-1, openSUSE-SU-2016:2837-1, SUSE-SU-2016:2460-2, SUSE-SU-2016:2668-1, SUSE-SU-2016:2683-1, SUSE-SU-2016:2683-2, SUSE-SU-2016:2766-1, USN-3117-1, VIGILANCE-VUL-20915.

Description of the vulnerability

An attacker can generate a buffer overflow via dynamicGetbuf of libgd, in order to trigger a denial of service, and possibly to run code.

computer vulnerability note CVE-2016-8687 CVE-2016-8688 CVE-2016-8689

libarchive: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of libarchive.
Impacted products: iOS by Apple, iPhone, Mac OS X, Debian, BIG-IP Hardware, TMOS, Fedora, openSUSE Leap, Splunk Enterprise, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 18/10/2016.
Identifiers: CVE-2016-8687, CVE-2016-8688, CVE-2016-8689, DLA-1600-1, DLA-661-1, FEDORA-2016-dd2aa2b4a9, HT207482, HT207483, K13074505, K35263486, K52697522, openSUSE-SU-2016:3002-1, openSUSE-SU-2016:3005-1, SPL-130721, USN-3225-1, VIGILANCE-VUL-20889.

Description of the vulnerability

Several vulnerabilities were announced in libarchive.

An attacker can generate a buffer overflow via bsdtar_expand_char(), in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-8687]

An attacker can force a read at an invalid address via bid_entry() / detect_form(), in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; CVE-2016-8688]

An attacker can generate a buffer overflow via read_Header(), in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-8689]

computer vulnerability bulletin CVE-2016-6302 CVE-2016-6303 CVE-2016-6304

OpenSSL: seven vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenSSL.
Impacted products: SDS, SES, SNS, Mac OS X, Arkoon FAST360, Blue Coat CAS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco Aironet, Cisco ATA, Cisco AnyConnect Secure Mobility Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco WSA, Cisco Wireless Controller, Debian, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiGate, FortiGate Virtual Appliance, FortiOS, FreeBSD, FreeRADIUS, hMailServer, HP Switch, AIX, DB2 UDB, IRAD, QRadar SIEM, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Space, NSM Central Manager, NSMXpress, MariaDB ~ precise, McAfee Email Gateway, ePO, MySQL Community, MySQL Enterprise, NetScreen Firewall, ScreenOS, Nodejs Core, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Oracle DB, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Solaris, Tuxedo, VirtualBox, WebLogic, Oracle Web Tier, Percona Server, pfSense, Pulse Connect Secure, Pulse Secure Client, Pulse Secure SBR, Puppet, RHEL, JBoss EAP by Red Hat, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Nessus, Ubuntu, VxWorks, WinSCP.
Severity: 3/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 7.
Creation date: 22/09/2016.
Identifiers: 1991866, 1991867, 1991870, 1991871, 1991875, 1991876, 1991878, 1991880, 1991882, 1991884, 1991885, 1991886, 1991887, 1991889, 1991892, 1991894, 1991896, 1991902, 1991903, 1991951, 1991955, 1991959, 1991960, 1991961, 1992681, 1993777, 1996096, 1999395, 1999421, 1999474, 1999478, 1999479, 1999488, 1999532, 2000095, 2000209, 2000544, 2002870, 2003480, 2003620, 2003673, 2008828, bulletinapr2017, bulletinjul2016, bulletinoct2016, CERTFR-2016-AVI-320, CERTFR-2016-AVI-333, cisco-sa-20160927-openssl, cpuapr2017, cpuapr2018, cpujan2017, cpujan2018, cpujul2017, cpujul2019, cpuoct2017, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, DLA-637-1, DSA-3673-1, DSA-3673-2, FEDORA-2016-97454404fe, FEDORA-2016-a555159613, FG-IR-16-047, FG-IR-16-048, FG-IR-17-127, FreeBSD-SA-16:26.openssl, HPESBHF03856, HT207423, JSA10759, openSUSE-SU-2016:2391-1, openSUSE-SU-2016:2407-1, openSUSE-SU-2016:2496-1, openSUSE-SU-2016:2537-1, openSUSE-SU-2018:0458-1, RHSA-2016:1940-01, RHSA-2016:2802-01, RHSA-2017:1548-01, RHSA-2017:1549-01, RHSA-2017:1550-01, RHSA-2017:1551-01, RHSA-2017:1552-01, RHSA-2017:1658-01, RHSA-2017:1659-01, RHSA-2017:2493-01, RHSA-2017:2494-01, SA132, SA40312, SB10171, SB10215, SOL54211024, SOL90492697, SP-CAAAPUE, SPL-129207, SSA:2016-266-01, STORM-2016-005, SUSE-SU-2016:2387-1, SUSE-SU-2016:2394-1, SUSE-SU-2016:2458-1, SUSE-SU-2016:2468-1, SUSE-SU-2016:2469-1, SUSE-SU-2016:2470-1, SUSE-SU-2016:2470-2, TNS-2016-16, USN-3087-1, USN-3087-2, VIGILANCE-VUL-20678.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

An attacker can cause excessive memory consumption via an OCSP request, in order to trigger a denial of service. [severity:3/4; CVE-2016-6304]

An attacker can make a process hang in SSL_peek, in order to trigger a denial of service. [severity:2/4; CVE-2016-6305]

An attacker can generate a buffer overflow via MDC2_Update, in order to trigger a denial of service, and possibly to run code. [severity:1/4; CVE-2016-6303]

An attacker can generate a read-only buffer overflow (out-of-bounds read), in order to trigger a denial of service. [severity:1/4; CVE-2016-6302]

An attacker can generate a read-only buffer overflow (out-of-bounds read) via the parsing of an X.509 certificate, in order to trigger a denial of service. [severity:1/4; CVE-2016-6306]

An attacker can make the server allocate a large amount of memory to process TLS packets. [severity:1/4; CVE-2016-6307]

An attacker can make the server allocate a large amount of memory to process DTLS packets. [severity:1/4; CVE-2016-6308]

computer vulnerability note CVE-2016-4617 CVE-2016-4658 CVE-2016-4682

Apple MacOS: forty-nine vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Apple MacOS.
Impacted products: Mac OS X.
Severity: 4/4.
Consequences: administrator access/rights, privileged access/rights, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 49.
Creation date: 21/09/2016.
Identifiers: CERTFR-2016-AVI-316, CVE-2016-4617, CVE-2016-4658, CVE-2016-4682, CVE-2016-4694, CVE-2016-4696, CVE-2016-4697, CVE-2016-4698, CVE-2016-4699, CVE-2016-4700, CVE-2016-4701, CVE-2016-4702, CVE-2016-4703, CVE-2016-4706, CVE-2016-4707, CVE-2016-4708, CVE-2016-4709, CVE-2016-4710, CVE-2016-4711, CVE-2016-4712, CVE-2016-4713, CVE-2016-4715, CVE-2016-4716, CVE-2016-4717, CVE-2016-4718, CVE-2016-4722, CVE-2016-4723, CVE-2016-4724, CVE-2016-4725, CVE-2016-4726, CVE-2016-4727, CVE-2016-4736, CVE-2016-4738, CVE-2016-4739, CVE-2016-4742, CVE-2016-4745, CVE-2016-4748, CVE-2016-4750, CVE-2016-4752, CVE-2016-4753, CVE-2016-4755, CVE-2016-4771, CVE-2016-4772, CVE-2016-4773, CVE-2016-4774, CVE-2016-4775, CVE-2016-4776, CVE-2016-4777, CVE-2016-4778, CVE-2016-4779, CVE-2016-5131, CVE-2016-6174, CVE-2016-7580, CVE-2016-7582, HT207170, VIGILANCE-VUL-20659, ZDI-16-608, ZDI-16-609, ZDI-16-641.

Description of the vulnerability

Several vulnerabilities were announced in Apple MacOS.

An attacker can force the usage of a freed memory area via libxml, in order to trigger a denial of service, and possibly to run code (VIGILANCE-VUL-20993). [severity:3/4; CVE-2016-5131]

An attacker who controls an application can run code with system privileges. [severity:3/4; CVE-2016-4698]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4702]

An attacker can retrieve the Web browsing history. [severity:2/4; CVE-2016-4707]

An attacker who controls a Web server can send an ill-formed cookie, in order to obtain sensitive information. [severity:2/4; CVE-2016-4708]

An attacker can bypass security features via CCrypt, in order to obtain sensitive information. [severity:2/4; CVE-2016-4711]

An attacker can generate a buffer overflow via CoreCrypto, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-4712]

An attacker can read a memory fragment via FontParser, in order to obtain sensitive information. [severity:1/4; CVE-2016-4718]

An attacker can tamper with the call relay management, in order to trigger a denial of service. [severity:1/4; CVE-2016-4722]

An attacker who controls an application can run arbitrary code with kernel privileges. [severity:4/4; CVE-2016-4724]

An attacker can read a memory fragment via a Web page, in order to obtain sensitive information. [severity:1/4; CVE-2016-4725]

An attacker who controls an application can run arbitrary code with kernel privileges. [severity:4/4; CVE-2016-4726]

An attacker can use ill-formed file paths, in order to access normally unreachable files. [severity:2/4; CVE-2016-4771]

An attacker can trigger a fatal error via a kernel lock, in order to trigger a denial of service. [severity:2/4; CVE-2016-4772]

An attacker can trigger a read-only buffer overflow (out-of-bounds read), in order to get the kernel address space layout. [severity:1/4; CVE-2016-4773, CVE-2016-4774, CVE-2016-4776]

An attacker can tamper with a pointer, in order to run code with the kernel privileges. [severity:4/4; CVE-2016-4777]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code with the kernel privileges. [severity:4/4; CVE-2016-4778]

An attacker can generate a memory corruption via libxml2, in order to trigger a denial of service, and possibly to run code (VIGILANCE-VUL-20992). [severity:2/4; CVE-2016-4658]

An attacker can generate a memory corruption via libxslt, in order to trigger a denial of service, and possibly to run code (VIGILANCE-VUL-21050). [severity:2/4; CVE-2016-4738]

An attacker can generate a memory corruption via the camera handling, in order to trigger a denial of service, and possibly to run code with the kernel privileges. [severity:4/4; CVE-2016-4750]

An attacker can exploit an error in the application signature check, in order to get system privileges. [severity:3/4; CVE-2016-4753]

An attacker can tamper with the HTTP_PROXY environment variable, in order to redirect traffic in Apache, when used as a proxy. [severity:2/4; CVE-2016-4694]

An attacker can generate an error via apache_mod_php, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-6174]

An attacker can generate a memory corruption via HSSPI, in order to trigger a denial of service, and possibly to run code with kernel privileges. [severity:4/4; CVE-2016-4697]

An attacker can make the kernel use a NULL pointer, in order to run code with kernel privileges. [severity:4/4; CVE-2016-4696]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code with kernel privileges. [severity:4/4; CVE-2016-4699, CVE-2016-4700]

An attacker can trigger a fatal error via the firewall, in order to trigger a denial of service. [severity:2/4; CVE-2016-4701]

An attacker can generate a memory corruption via a font file, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-4779]

An attacker can see the screen content of another user. [severity:2/4; CVE-2016-4713]

An attacker can tamper with the date and time option management, in order to get the location of a user. [severity:1/4; CVE-2016-4715]

An attacker can bypass security features via DiskArbitration, in order to get system privileges. [severity:3/4; CVE-2016-4716]

An attacker can trigger a fatal error, in order to trigger a denial of service. [severity:2/4; CVE-2016-4717]

An attacker can use a vulnerability of the Intel Graphics driver, in order to run code with system privileges. [severity:3/4; CVE-2016-4723]

An attacker can use a vulnerability of IOThunderboltFamily, in order to run code with system privileges. [severity:3/4; CVE-2016-4727]

An attacker can determine whether a user account exists from the response time. [severity:1/4; CVE-2016-4745]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code with the kernel privileges. [severity:4/4; CVE-2016-4775]

An attacker can generate several memory corruptions via libarchive, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4736]

An attacker can bypass security features via VMnet.framework, in order to obtain sensitive information. [severity:1/4; CVE-2016-4739]

An attacker can use NSSecureTextField, in order to get the user credentials. [severity:2/4; CVE-2016-4742]

An attacker can bypass the taint checks for unsafe data in perl. [severity:2/4; CVE-2016-4748]

An attacker can create a memory leak via SecKeyDeriveFromPassword, in order to trigger a denial of service. [severity:1/4; CVE-2016-4752]

An attacker can read the Bash initialization scripts. [severity:1/4; CVE-2016-4755]

An attacker can bypass security features, in order to get the privileges of the root account. [severity:3/4; CVE-2016-4709, CVE-2016-4710, ZDI-16-608, ZDI-16-609]

An attacker can use a vulnerability via Bluetooth, in order to run code. [severity:2/4; CVE-2016-4703]

An attacker can trigger a fatal error via cd9660, in order to trigger a denial of service. [severity:1/4; CVE-2016-4706]

An attacker can bypass security features via ImageIO, in order to obtain sensitive information. [severity:2/4; CVE-2016-4682]

An attacker can bypass security features via Intel Graphics Driver, in order to escalate privileges. [severity:2/4; CVE-2016-7582, ZDI-16-641]

An attacker can bypass security features via libxpc, in order to escalate privileges. [severity:2/4; CVE-2016-4617]

An attacker can trigger a fatal error via Mail, in order to trigger a denial of service. [severity:2/4; CVE-2016-7580]

vulnerability bulletin CVE-2016-7411 CVE-2016-7412 CVE-2016-7413

PHP: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP.
Impacted products: Mac OS X, Debian, openSUSE, openSUSE Leap, pfSense, PHP, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Consequences: user access/rights, data reading, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 7.
Creation date: 15/09/2016.
Identifiers: 72293, 72860, 72928, 73007, 73029, 73052, 73065, CVE-2016-7411, CVE-2016-7412, CVE-2016-7413, CVE-2016-7414, CVE-2016-7416, CVE-2016-7417, CVE-2016-7418, DLA-749-1, HT207423, openSUSE-SU-2016:2444-1, openSUSE-SU-2016:2540-1, RHSA-2018:1296-01, SSA:2016-267-01, SUSE-SU-2016:2459-1, SUSE-SU-2016:2460-1, SUSE-SU-2016:2460-2, SUSE-SU-2016:2461-1, SUSE-SU-2016:2477-1, SUSE-SU-2016:2477-2, SUSE-SU-2016:2683-1, SUSE-SU-2016:2683-2, USN-3095-1, VIGILANCE-VUL-20623.

Description of the vulnerability

Several vulnerabilities were announced in PHP.

An attacker can generate a memory corruption via Deserialized-object Destruction, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 73052, CVE-2016-7411]

An attacker can generate a buffer overflow via mysqlnd, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 72293, CVE-2016-7412]

An attacker can force the usage of a freed memory area via wddx_deserialize, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 72860, CVE-2016-7413]

An attacker can force a read at an invalid address via phar_parse_zipfile, in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; 72928, CVE-2016-7414]

An attacker can generate a buffer overflow via locale, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 73007, CVE-2016-7416]

An attacker can generate a memory corruption via SplArray, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 73029, CVE-2016-7417]

An attacker can force a read at an invalid address via php_wddx_push_element, in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; 73065, CVE-2016-7418]

computer vulnerability alert CVE-2016-7167

libcurl: integer overflow via curl_escape

Synthesis of the vulnerability

An attacker can generate an integer overflow via functions of the curl_escape() family of libcurl, in order to trigger a denial of service, and possibly to run code.
Impacted products: SDS, SES, SNS, OpenOffice, Mac OS X, curl, Debian, Fedora, Juniper EX-Series, Junos OS, SRX-Series, openSUSE Leap, Solaris, pfSense, Puppet, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 14/09/2016.
Identifiers: bulletinoct2016, cpuoct2018, CVE-2016-7167, DLA-1568-1, DLA-625-1, FEDORA-2016-7a2ed52d41, FEDORA-2016-80f4f71eff, HT207423, JSA10874, openSUSE-SU-2016:2768-1, RHSA-2017:2016-01, RHSA-2018:3558-01, SSA:2016-259-01, STORM-2019-002, SUSE-SU-2016:2699-1, SUSE-SU-2016:2714-1, USN-3123-1, VIGILANCE-VUL-20606.

Description of the vulnerability

The libcurl library provides the curl_escape(), curl_easy_escape(), curl_unescape() and curl_easy_unescape() functions to convert special characters.

However, if the requested size is too large, an integer overflows, so the allocated memory area is too small for the converted data.

An attacker can therefore generate an integer overflow via functions of the curl_escape() family of libcurl, in order to trigger a denial of service, and possibly to run code.

computer vulnerability alert CVE-2016-7141

cURL: session reuse even if client certificate changed

Synthesis of the vulnerability

The TLS client of libcurl can reuse a session even if the client certificate changed, which may lead to authentication with an incorrect identity.
Impacted products: OpenOffice, Mac OS X, Brocade vTM, curl, Debian, Juniper EX-Series, Junos OS, SRX-Series, openSUSE Leap, Solaris, Puppet, RHEL, Ubuntu.
Severity: 2/4.
Consequences: data reading.
Provenance: internet server.
Creation date: 05/09/2016.
Identifiers: BSA-2016-204, BSA-2016-207, BSA-2016-211, BSA-2016-212, BSA-2016-213, BSA-2016-216, BSA-2016-234, cpuoct2018, CVE-2016-7141, DLA-1568-1, DLA-616-1, HT207423, JSA10874, openSUSE-SU-2016:2379-1, RHSA-2016:2575-02, RHSA-2018:3558-01, USN-3123-1, VIGILANCE-VUL-20516.

Description of the vulnerability

The libcurl library can be built with NSS as its TLS backend, instead of OpenSSL.

In that configuration, the TLS client of libcurl can reuse a session even if the client certificate changed, which may lead to authentication with an incorrect identity.

computer vulnerability bulletin CVE-2016-4657

WebKit: memory corruption

Synthesis of the vulnerability

An attacker can generate a memory corruption of WebKit, in order to trigger a denial of service, and possibly to run code.
Impacted products: iOS by Apple, iPhone, Mac OS X, WebKit.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 02/09/2016.
Identifiers: CVE-2016-4657, HT207107, HT207131, VIGILANCE-VUL-20508.

Description of the vulnerability

An attacker can generate a memory corruption of WebKit, in order to trigger a denial of service, and possibly to run code.

computer vulnerability announce CVE-2016-4655 CVE-2016-4656

Apple Mac OS X: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Apple Mac OS X.
Impacted products: Mac OS X.
Severity: 3/4.
Consequences: administrator access/rights, data reading.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 02/09/2016.
Identifiers: CERTFR-2016-AVI-294, CVE-2016-4655, CVE-2016-4656, HT207130, VIGILANCE-VUL-20507.

Description of the vulnerability

Several vulnerabilities were announced in Apple Mac OS X.

An application can read a kernel memory fragment, in order to obtain sensitive information. [severity:2/4; CVE-2016-4655]

An application can use a kernel vulnerability, in order to run privileged code. [severity:3/4; CVE-2016-4656]

computer vulnerability note 20429

WebKit: Man-in-the-Middle via Proxy CONNECT

Synthesis of the vulnerability

An attacker can act as a Man-in-the-Middle when an HTTP proxy is configured, in order to alter the visible content of an HTTPS site, for example to execute JavaScript code.
Impacted products: iOS by Apple, iPhone, Mac OS X, Opera, WebKit.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: intranet server.
Creation date: 18/08/2016.
Identifiers: FalseCONNECT, HT206902, HT206903, VIGILANCE-VUL-20429, VU#905344.

Description of the vulnerability

When an HTTP proxy is configured, the web browser uses the HTTP CONNECT method to ask the proxy to set up a TLS session to the target site.

However, the HTTP CONNECT request and its reply are exchanged over a cleartext HTTP session. An attacker can act as a Man-in-the-Middle and spoof a 407 Proxy Authentication Required reply to the client that contains no Proxy-Authenticate header but does contain an HTTP body.

RFC 7235 indicates that this HTTP body must not be displayed. However, WebKit displays it, and executes its content in the context of the requested https/TLS site.

An attacker can therefore act as a Man-in-the-Middle when an HTTP proxy is configured, in order to alter the visible content of an HTTPS site, for example to execute JavaScript code.