The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Check Point Provider-1

vulnerability CVE-2015-0235

glibc: buffer overflow of gethostbyname, GHOST

Synthesis of the vulnerability

An attacker can for example send an email using a long IPv4 address, to force the messaging server to resolve this address, and to generate a buffer overflow in gethostbyname() of the glibc, in order to trigger a denial of service, and possibly to execute code. Several programs using the gethostbyname() function are vulnerable with a similar attack vector.
Impacted products: Arkoon FAST360, GAiA, CheckPoint IP Appliance, Provider-1, SecurePlatform, CheckPoint Security Gateway, CheckPoint VSX-1, Cisco ASR, Cisco Catalyst, IOS XE Cisco, IOS XR Cisco, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco CUCM, XenServer, Clearswift Email Gateway, Debian, Unisphere EMC, VNX Operating Environment, VNX Series, Exim, BIG-IP Hardware, TMOS, HPE BSM, HP Operations, Performance Center, Junos Space, MBS, McAfee Email and Web Security, McAfee Email Gateway, McAfee MOVE AntiVirus, McAfee NSP, McAfee NTBA, McAfee NGFW, VirusScan, McAfee Web Gateway, NetIQ Sentinel, openSUSE, Oracle Communications, Palo Alto Firewall PA***, PAN-OS, PHP, HDX, RealPresence Collaboration Server, RealPresence Distributed Media Application, RealPresence Resource Manager, Polycom VBP, RHEL, SIMATIC, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Ubuntu, Unix (platform) ~ not comprehensive, WordPress Core.
Severity: 4/4.
Creation date: 27/01/2015.
Revision date: 27/01/2015.
Identifiers: 198850, 199399, c04577814, c04589512, CERTFR-2015-AVI-043, cisco-sa-20150128-ghost, cpujul2015, cpujul2017, cpuoct2016, cpuoct2017, CTX200437, CVE-2015-0235, DSA-3142-1, ESA-2015-030, ESA-2015-041, GHOST, HPSBGN03270, HPSBGN03285, JSA10671, K16057, KM01391662, MDVSA-2015:039, openSUSE-SU-2015:0162-1, openSUSE-SU-2015:0184-1, PAN-SA-2015-0002, RHSA-2015:0090-01, RHSA-2015:0092-01, RHSA-2015:0099-01, RHSA-2015:0101-01, RHSA-2015:0126-01, SB10100, sk104443, SOL16057, SSA:2015-028-01, SSA-994726, SUSE-SU-2015:0158-1, USN-2485-1, VIGILANCE-VUL-16060, VU#967332.

Description of the vulnerability

The glibc library provides two functions to obtain the IP address of a server from its DNS name:
  struct hostent *gethostbyname(const char *name);
  struct hostent *gethostbyname2(const char *name, int af);

For example:
  he = gethostbyname("www.example.com");

These functions also accept to directly process an IP address:
  he = gethostbyname("192.168.1.1");

However, a malformed IPv4 address, which is too long such as 192.168.111111.1 (more than 1024 byte long) triggers an overflow in the __nss_hostname_digits_dots() function.

An attacker can therefore for example send an email using a long IPv4 address, to force the messaging server to resolve this address, and to generate a buffer overflow in gethostbyname() of the glibc, in order to trigger a denial of service, and possibly to execute code.

Several programs using the gethostbyname() function are vulnerable (exim, php, pppd, procmail) with a similar attack vector. The following programs are apparently not vulnerable: apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql, nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd, pure-ftpd, rsyslog, samba, sendmail, squid, sysklogd, syslog-ng, tcp_wrappers, vsftpd, xinetd.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability note CVE-2014-0224

OpenSSL: man in the middle via ChangeCipherSpec

Synthesis of the vulnerability

An attacker can act as a man in the middle between a client and a server using OpenSSL, in order to read or alter exchanged data.
Impacted products: ArubaOS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, GAiA, CheckPoint IP Appliance, IPSO, Provider-1, SecurePlatform, CheckPoint Security Appliance, CheckPoint Security Gateway, Cisco ASR, Cisco ATA, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, CiscoWorks, Cisco Content SMA, Cisco CSS, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Email, IronPort Management, IronPort Web, Nexus by Cisco, NX-OS, Prime Collaboration Assurance, Prime Collaboration Manager, Prime Infrastructure, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco Unity ~ precise, WebNS, Cisco WSA, MIMEsweeper, Clearswift Web Gateway, Debian, Avamar, EMC CAVA, EMC CEE, EMC CEPA, Celerra FAST, Celerra NS, Celerra NX4, EMC CMDCE, Connectrix Switch, ECC, NetWorker, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FreeBSD, HP Operations, ProCurve Switch, HP Switch, HP-UX, AIX, Tivoli Storage Manager, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper UAC, MBS, MES, McAfee Web Gateway, MySQL Enterprise, NetBSD, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Polycom CMA, HDX, RealPresence Collaboration Server, Polycom VBP, RHEL, JBoss EAP by Red Hat, ACE Agent, ACE Server, RSA Authentication Agent, RSA Authentication Manager, SecurID, ROS, ROX, RuggedSwitch, SIMATIC, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Nessus, InterScan Messaging Security Suite, InterScan Web Security Suite, TrendMicro ServerProtect, Ubuntu, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, Websense Email Security, Websense Web Filter, Websense Web Security.
Severity: 3/4.
Creation date: 05/06/2014.
Revision date: 05/06/2014.
Identifiers: 1676496, 1690827, aid-06062014, c04336637, c04347622, c04363613, CERTFR-2014-AVI-253, CERTFR-2014-AVI-254, CERTFR-2014-AVI-255, CERTFR-2014-AVI-260, CERTFR-2014-AVI-274, CERTFR-2014-AVI-279, CERTFR-2014-AVI-286, CERTFR-2014-AVI-513, cisco-sa-20140605-openssl, cpuoct2016, CTX140876, CVE-2014-0224, DOC-53313, DSA-2950-1, DSA-2950-2, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2014-7101, FEDORA-2014-7102, FG-IR-14-018, FreeBSD-SA-14:14.openssl, HPSBHF03052, HPSBUX03046, JSA10629, MDVSA-2014:105, MDVSA-2014:106, MDVSA-2015:062, NetBSD-SA2014-006, openSUSE-SU-2014:0764-1, openSUSE-SU-2014:0765-1, openSUSE-SU-2015:0229-1, openSUSE-SU-2016:0640-1, RHSA-2014:0624-01, RHSA-2014:0625-01, RHSA-2014:0626-01, RHSA-2014:0627-01, RHSA-2014:0628-01, RHSA-2014:0629-01, RHSA-2014:0630-01, RHSA-2014:0631-01, RHSA-2014:0632-01, RHSA-2014:0633-01, RHSA-2014:0679-01, RHSA-2014:0680-01, SA40006, SA80, SB10075, sk101186, SOL15325, SPL-85063, SSA:2014-156-03, SSA-234763, SSRT101590, SUSE-SU-2014:0759-1, SUSE-SU-2014:0759-2, SUSE-SU-2014:0761-1, SUSE-SU-2014:0762-1, USN-2232-1, USN-2232-2, USN-2232-3, USN-2232-4, VIGILANCE-VUL-14844, VMSA-2014-0006, VMSA-2014-0006.1, VMSA-2014-0006.10, VMSA-2014-0006.11, VMSA-2014-0006.2, VMSA-2014-0006.3, VMSA-2014-0006.4, VMSA-2014-0006.5, VMSA-2014-0006.6, VMSA-2014-0006.7, VMSA-2014-0006.8, VMSA-2014-0006.9, VU#978508.

Description of the vulnerability

The OpenSSL product implements SSL/TLS, which uses a handshake.

However, by using a handshake with a ChangeCipherSpec message, an attacker can force the usage of weak keys.

An attacker can therefore act as a man in the middle between a client and a server using OpenSSL, in order to read or alter exchanged data.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability note CVE-2013-5211

ntp.org: distributed denial of service via monlist

Synthesis of the vulnerability

An attacker can use monlist of ntp.org, in order to trigger a distributed denial of service.
Impacted products: GAiA, CheckPoint IP Appliance, IPSO, Provider-1, CheckPoint Security Appliance, CheckPoint Security Gateway, Cisco ASR, Cisco Catalyst, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Nexus by Cisco, NX-OS, Cisco Router, Cisco CUCM, Cisco Unified CCX, Cisco MeetingPlace, FreeBSD, HP-UX, AIX, Juniper J-Series, Junos OS, Meinberg NTP Server, NetBSD, NTP.org, openSUSE, Solaris, Trusted Solaris, pfSense, Puppet, Slackware, ESX, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Creation date: 31/12/2013.
Identifiers: 1532, BID-64692, c04084148, CERTA-2014-AVI-034, CERTFR-2014-AVI-069, CERTFR-2014-AVI-112, CERTFR-2014-AVI-117, CERTFR-2014-AVI-244, CERTFR-2014-AVI-526, CSCtd75033, CSCum44673, CSCum52148, CSCum76937, CSCun84909, CSCur38341, CVE-2013-5211, ESX400-201404001, ESX400-201404402-SG, ESX410-201404001, ESX410-201404402-SG, ESXi400-201404001, ESXi400-201404401-SG, ESXi410-201404001, ESXi410-201404401-SG, ESXi510-201404001, ESXi510-201404101-SG, ESXi510-201404102-SG, ESXi550-201403101-SG, FreeBSD-SA-14:02.ntpd, HPSBUX02960, JSA10613, MBGSA-1401, NetBSD-SA2014-002, openSUSE-SU-2014:0949-1, openSUSE-SU-2014:1149-1, sk98758, SSA:2014-044-02, SSRT101419, VIGILANCE-VUL-14004, VMSA-2014-0002, VMSA-2014-0002.1, VMSA-2014-0002.2, VMSA-2014-0002.4, VMSA-2015-0001.

Description of the vulnerability

The ntp.org service implements the "monlist" command, which returns the list of the 600 last clients which connected to the server.

However, the size of the reply is larger than the size of the query. Moreover, public NTP servers request no authentication, and UDP packets can be spoofed.

An attacker can therefore use monlist of ntp.org, in order to trigger a distributed denial of service.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability alert 12981

CheckPoint Security Gateway: information disclosure via VoIP

Synthesis of the vulnerability

When SecureXL is enabled on caller side, an attacker can capture VoIP communications of CheckPoint Security Gateway, in order to obtain sensitive information.
Impacted products: GAiA, CheckPoint Power-1 Appliance, Provider-1, SecurePlatform, CheckPoint Security Gateway, CheckPoint UTM-1 Appliance, CheckPoint VSX-1.
Severity: 2/4.
Creation date: 17/06/2013.
Identifiers: sk92814, VIGILANCE-VUL-12981.

Description of the vulnerability

CheckPoint Security Gateway allow establish VoIP calls thorough a VPN.

The VoIP signaling is exchanged via the SIP protocol. However, when SecureXL is enabled in the VPN end point at caller side, SIP messages are sent in plain text instead of begin encrypted as part of VPN traffic. This allows an attacker located in the public network to capture signaling traffic.

When SecureXL is enabled on caller side, an attacker can therefore capture VoIP communications of CheckPoint Security Gateway, in order to obtain sensitive information.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability 10960

IE, Firefox, SeaMonkey, Opera: revokation of DigiNotar root certificate

Synthesis of the vulnerability

Due to an error in the procedure of the DigiNotar certification authority, web browsers revoked its root certificate.
Impacted products: ProxySG par Blue Coat, Provider-1, CheckPoint Security Gateway, Debian, Fedora, MES, Mandriva Linux, IE, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, Firefox, SeaMonkey, Thunderbird, openSUSE, Opera, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity: 3/4.
Creation date: 30/08/2011.
Revision date: 07/09/2011.
Identifiers: 2607712, CERTA-2011-AVI-169, CERTA-2011-AVI-493, DSA-2200-1, DSA-2299-1, DSA-2300-2, FEDORA-2011-11951, FEDORA-2011-12224, FEDORA-2011-12275, FEDORA-2011-12280, FEDORA-2011-12300, MDVSA-2011:129, MDVSA-2011:133, MDVSA-2011:133-1, MFSA 2011-34, MFSA 2011-35, openSUSE-SU-2011:0994-1, openSUSE-SU-2011:1024-1, openSUSE-SU-2011:1031-1, openSUSE-SU-2011:1031-2, RHSA-2011:1242-01, RHSA-2011:1243-01, RHSA-2011:1244-01, RHSA-2011:1248-01, RHSA-2011:1266-01, RHSA-2011:1267-01, RHSA-2011:1268-01, RHSA-2011:1282-01, RHSA-2012:0532-01, SA59, sk65277, SSA:2011-249-01, SSA:2011-249-02, SSA:2011-249-03, SUSE-SU-2011:0995-1, SUSE-SU-2011:1042-1, SUSE-SU-2011:1042-2, VIGILANCE-VUL-10960.

Description of the vulnerability

A certification authority signs certificates of web sites using SSL (https). Certificates of these authorities are installed by default in web browsers, in order to provide the chain of trust.

The DigiNotar certification authority did not perform all the necessary checks before issuing a certificate for *.google.com (VIGILANCE-ACTU-3070). The attacker who owns this malicious certificate can thus spoof the identity of all Google sites.

Other sites are also impacted. The Dutch government PKIoverheid root certificates are also cross-signed by DigiNotar.

Several web browser editors decided to revoke the "DigiNotar Root CA" root certificate.
Complete Vigil@nce bulletin.... (Free trial)
Our database contains other pages. You can request a free trial to read them.