The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Cisco IronPort Encryption

vulnerability CVE-2016-4953 CVE-2016-4954 CVE-2016-4955

NTP.org: five vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of NTP.org.
Impacted products: Cisco ACE, ASA, Cisco Catalyst, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Encryption, Nexus by Cisco, NX-OS, Prime Collaboration Assurance, Prime Infrastructure, Cisco Prime LMS, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco MeetingPlace, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP Switch, AIX, Meinberg NTP Server, Data ONTAP 7-Mode, NTP.org, openSUSE, openSUSE Leap, Solaris, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu, VxWorks.
Severity: 3/4.
Consequences: denial of service on service.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 5.
Creation date: 03/06/2016.
Identifiers: 9010095, bulletinapr2016, CERTFR-2016-AVI-209, cisco-sa-20160603-ntpd, CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956, CVE-2016-4957, FEDORA-2016-89e0874533, FEDORA-2016-c3bd6a3496, FreeBSD-SA-16:24.ntp, hpesbhf03757, ICSA-16-175-03, K03331206, K64505405, K82644737, NTAP-20160722-0001, openSUSE-SU-2016:1583-1, openSUSE-SU-2016:1636-1, SOL03331206, SSA:2016-155-01, SUSE-SU-2016:1563-1, SUSE-SU-2016:1568-1, SUSE-SU-2016:1584-1, SUSE-SU-2016:1602-1, SUSE-SU-2016:1912-1, SUSE-SU-2016:2094-1, USN-3096-1, VIGILANCE-VUL-19790, VU#321640.

Description of the vulnerability

Several vulnerabilities were announced in NTP.org.

An attacker can force ntpd to use "interleaved" mode, in order to trigger a denial of service. [severity:1/4; CVE-2016-4956, VU#321640]

An attacker can send a spoofed CRYPTO_NAK packet, in order to trigger a denial of service. [severity:1/4; CVE-2016-4955, VU#321640]

An attacker can send spoofed packets, in order to partially corrupt the state ot the target server. [severity:1/4; CVE-2016-4954, VU#321640]

An attacker can send a malicious CRYPTO-NAK packet, in order to invalidate the cryptographic protection layer. [severity:1/4; CVE-2016-4953, VU#321640]

An attacker can send a malicious CRYPTO-NAK packet, the validity of which is wrongly checked, in order to trigger a denial of service. [severity:3/4; CVE-2016-4957, VU#321640]
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2016-2105 CVE-2016-2106 CVE-2016-2107

OpenSSL: six vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenSSL.
Impacted products: SDS, SES, SNS, Tomcat, Mac OS X, StormShield, Blue Coat CAS, ProxyAV, ProxySG par Blue Coat, Cisco ASR, Cisco Aironet, Cisco ATA, Cisco AnyConnect Secure Mobility Client, Cisco ACE, ASA, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Email, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco WSA, Cisco Wireless Controller, XenServer, Debian, PowerPath, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiOS, FreeBSD, Android OS, HP Operations, HP Switch, AIX, IRAD, QRadar SIEM, IBM System x Server, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Space, NSM Central Manager, NSMXpress, MariaDB ~ precise, McAfee NSM, Meinberg NTP Server, MySQL Community, MySQL Enterprise, Data ONTAP 7-Mode, NETASQ, NetScreen Firewall, ScreenOS, Nodejs Core, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Solaris, Tuxedo, VirtualBox, WebLogic, Oracle Web Tier, Palo Alto Firewall PA***, PAN-OS, Percona Server, pfSense, Pulse Connect Secure, Puppet, Python, RHEL, JBoss EAP by Red Hat, SAS Management Console, Shibboleth SP, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Nessus, Ubuntu, VxWorks, X2GoClient.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 6.
Creation date: 03/05/2016.
Identifiers: 1982949, 1985850, 1987779, 1993215, 1995099, 1998797, 2003480, 2003620, 2003673, 510853, 9010083, bulletinapr2016, bulletinapr2017, CERTFR-2016-AVI-151, CERTFR-2016-AVI-153, CERTFR-2018-AVI-160, cisco-sa-20160504-openssl, cpuapr2017, cpujan2018, cpujul2016, cpujul2017, cpujul2018, cpuoct2016, cpuoct2017, cpuoct2018, CTX212736, CTX233832, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176, DLA-456-1, DSA-3566-1, ESA-2017-142, FEDORA-2016-05c567df1a, FEDORA-2016-1e39d934ed, FEDORA-2016-e1234b65a2, FG-IR-16-026, FreeBSD-SA-16:17.openssl, HPESBGN03728, HPESBHF03756, HT206903, JSA10759, K23230229, K36488941, K51920288, K75152412, K93600123, MBGSA-1603, MIGR-5099595, MIGR-5099597, NTAP-20160504-0001, openSUSE-SU-2016:1237-1, openSUSE-SU-2016:1238-1, openSUSE-SU-2016:1239-1, openSUSE-SU-2016:1240-1, openSUSE-SU-2016:1241-1, openSUSE-SU-2016:1242-1, openSUSE-SU-2016:1243-1, openSUSE-SU-2016:1273-1, openSUSE-SU-2016:1566-1, openSUSE-SU-2017:0487-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2016:0722-01, RHSA-2016:0996-01, RHSA-2016:1137-01, RHSA-2016:1648-01, RHSA-2016:1649-01, RHSA-2016:1650-01, RHSA-2016:2054-01, RHSA-2016:2055-01, RHSA-2016:2056-01, RHSA-2016:2073-01, SA123, SA40202, SB10160, SOL23230229, SOL36488941, SOL51920288, SOL75152412, SP-CAAAPPQ, SPL-119440, SPL-121159, SPL-123095, SSA:2016-124-01, STORM-2016-002, SUSE-SU-2016:1206-1, SUSE-SU-2016:1228-1, SUSE-SU-2016:1231-1, SUSE-SU-2016:1233-1, SUSE-SU-2016:1267-1, SUSE-SU-2016:1290-1, SUSE-SU-2016:1360-1, SUSE-SU-2018:0112-1, TNS-2016-10, USN-2959-1, VIGILANCE-VUL-19512, VN-2016-006, VN-2016-007.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

An attacker can act as a Man-in-the-Middle and use the AES CBC algorithm with a server supporting AES-NI, in order to read or write data in the session. This vulnerability was initially fixed in versions 1.0.1o and 1.0.2c, but it was not disclosed at that time. [severity:3/4; CVE-2016-2108]

An attacker can act as a Man-in-the-Middle and use the AES CBC algorithm with a server supporting AES-NI, in order to read or write data in the session. [severity:3/4; CVE-2016-2107]

An attacker can generate a buffer overflow in EVP_EncodeUpdate(), which is mainly used by command line applications, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-2105]

An attacker can generate a buffer overflow in EVP_EncryptUpdate(), which is difficult to reach, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-2106]

An attacker can trigger an excessive memory usage in d2i_CMS_bio(), in order to trigger a denial of service. [severity:2/4; CVE-2016-2109]

An attacker can force a read at an invalid address in applications using X509_NAME_oneline(), in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; CVE-2016-2176]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2015-7704 CVE-2015-8138 CVE-2016-1547

NTP.org: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of NTP.org.
Impacted products: SNS, ASA, Cisco Catalyst, IOS by Cisco, IOS XE Cisco, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Prime Infrastructure, Cisco Prime LMS, Cisco Router, Secure ACS, Cisco CUCM, Cisco MeetingPlace, Cisco Unity ~ precise, XenServer, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP Switch, AIX, Juniper EX-Series, Juniper J-Series, Junos OS, Junos Space, SRX-Series, McAfee Web Gateway, Meinberg NTP Server, NTP.org, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Palo Alto Firewall PA***, PAN-OS, pfSense, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Consequences: data reading, data creation/edition, denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 11.
Creation date: 27/04/2016.
Identifiers: bulletinapr2016, bulletinapr2019, c05270839, CERTFR-2016-AVI-153, CERTFR-2017-AVI-365, CERTFR-2018-AVI-545, cisco-sa-20160428-ntpd, cpujan2018, CTX220112, CVE-2015-7704, CVE-2015-8138, CVE-2016-1547, CVE-2016-1548, CVE-2016-1549, CVE-2016-1550, CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518, CVE-2016-2519, DLA-559-1, DSA-3629-1, FEDORA-2016-5b2eb0bf9c, FEDORA-2016-777d838c1b, FEDORA-2018-70c191d84a, FEDORA-2018-de113aeac6, FreeBSD-SA-16:16.ntp, HPESBHF03750, HPSBHF03646, JSA10776, JSA10796, JSA10824, JSA10826, JSA10898, K11251130, K20804323, K24613253, K43205719, K63675293, MBGSA-1602, openSUSE-SU-2016:1292-1, openSUSE-SU-2016:1329-1, openSUSE-SU-2016:1423-1, openSUSE-SU-2018:0970-1, PAN-SA-2016-0019, RHSA-2016:1141-01, RHSA-2016:1552-01, SB10164, SOL11251130, SOL20804323, SOL24613253, SOL41613034, SOL43205719, SOL45427159, SOL61200338, SOL63675293, SSA:2016-120-01, STORM-2016-003, STORM-2016-004, SUSE-SU-2016:1175-1, SUSE-SU-2016:1177-1, SUSE-SU-2016:1247-1, SUSE-SU-2016:1278-1, SUSE-SU-2016:1291-1, SUSE-SU-2016:1311-1, SUSE-SU-2016:1471-1, SUSE-SU-2016:1912-1, SUSE-SU-2016:2094-1, SUSE-SU-2018:1464-1, SUSE-SU-2018:1765-1, Synology-SA-18:13, Synology-SA-18:14, TALOS-2016-0081, TALOS-2016-0082, TALOS-2016-0083, TALOS-2016-0084, TALOS-2016-0132, USN-3096-1, USN-3349-1, VIGILANCE-VUL-19477, VU#718152.

Description of the vulnerability

Several vulnerabilities were announced in NTP.org.

The ntpd daemon can on certain systems accept packets from 127.0.0.0/8. [severity:1/4; CVE-2016-1551, TALOS-2016-0132]

An attacker can use a Sybil attack, in order to alter the system clock. [severity:2/4; CVE-2016-1549, TALOS-2016-0083]

An attacker can force an assertion error with duplicate IP, in order to trigger a denial of service. [severity:2/4; CVE-2016-2516]

An attacker can trigger an error in the management of trustedkey/requestkey/controlkey, in order to trigger a denial of service. [severity:2/4; CVE-2016-2517]

An attacker can force a read at an invalid address in MATCH_ASSOC, in order to trigger a denial of service, or to obtain sensitive information. [severity:1/4; CVE-2016-2518]

An attacker can trigger a fatal error in ctl_getitem(), in order to trigger a denial of service. [severity:2/4; CVE-2016-2519]

An attacker can send a malicious CRYPTO-NAK packet, in order to trigger a denial of service. [severity:2/4; CVE-2016-1547, TALOS-2016-0081]

An attacker can use Interleave-pivot, in order to alter a client time. [severity:2/4; CVE-2016-1548, TALOS-2016-0082]

An attacker can trigger a fatal error in the ntp client, in order to trigger a denial of service. [severity:2/4; CVE-2015-7704]

The Zero Origin Timestamp value is not correctly checked. [severity:2/4; CVE-2015-8138]

An attacker can measure the comparison execution time, in order to guess a hash. [severity:2/4; CVE-2016-1550, TALOS-2016-0084]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2014-8176

OpenSSL: use after free via DTLS

Synthesis of the vulnerability

An attacker can force the usage of a freed memory area via DTLS in OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Impacted products: ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Brocade vTM, Cisco ASR, Cisco ATA, Cisco AnyConnect Secure Mobility Client, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Prime Network Control Systems, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco Unity ~ precise, Cisco WSA, Debian, BIG-IP Hardware, TMOS, HP Switch, AIX, IRAD, McAfee Email and Web Security, McAfee Email Gateway, Data ONTAP 7-Mode, Snap Creator Framework, SnapManager, NetBSD, OpenSSL, openSUSE, Palo Alto Firewall PA***, PAN-OS, pfSense, RHEL, stunnel, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: internet client.
Creation date: 12/06/2015.
Identifiers: 1961569, 9010038, 9010039, BSA-2015-006, c05184351, CERTFR-2015-AVI-257, cisco-sa-20150612-openssl, CVE-2014-8176, DSA-3287-1, HPSBHF03613, NetBSD-SA2015-008, NTAP-20150616-0001, openSUSE-SU-2015:1277-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:1115-01, SA98, SB10122, SOL16920, USN-2639-1, VIGILANCE-VUL-17118.

Description of the vulnerability

The DTLS (Datagram Transport Layer Security) protocol, based on TLS, provides a cryptographic layer over the UDP protocol.

However, if data are received between the ChangeCipherSpec and Finished messages, OpenSSL frees a memory area before reusing it.

An attacker can therefore force the usage of a freed memory area via DTLS in OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2015-1788 CVE-2015-1789 CVE-2015-1790

OpenSSL: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenSSL.
Impacted products: ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Brocade vTM, Cisco ASR, Cisco ATA, Cisco AnyConnect Secure Mobility Client, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Prime Network Control Systems, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco Unity ~ precise, Cisco WSA, Debian, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, HP Operations, HP Switch, HP-UX, AIX, DB2 UDB, IRAD, Security Directory Server, SPSS Modeler, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper SBR, McAfee Email and Web Security, McAfee Email Gateway, McAfee Web Gateway, Data ONTAP 7-Mode, Snap Creator Framework, SnapManager, NetBSD, NetScreen Firewall, ScreenOS, Nodejs Core, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Palo Alto Firewall PA***, PAN-OS, pfSense, Pulse Connect Secure, Puppet, RHEL, Slackware, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Nessus, Ubuntu, WinSCP.
Severity: 2/4.
Consequences: data reading, denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 12/06/2015.
Identifiers: 1450666, 1610582, 1647054, 1961111, 1961569, 1964113, 1964766, 1966038, 1970103, 1972125, 9010038, 9010039, BSA-2015-006, bulletinjul2015, c04760669, c05184351, c05353965, CERTFR-2015-AVI-257, CERTFR-2015-AVI-431, CERTFR-2016-AVI-128, CERTFR-2016-AVI-303, cisco-sa-20150612-openssl, cpuapr2017, cpuoct2017, CTX216642, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792, DSA-3287-1, FEDORA-2015-10047, FEDORA-2015-10108, FreeBSD-SA-15:10.openssl, HPSBGN03678, HPSBHF03613, HPSBUX03388, JSA10694, JSA10733, NetBSD-SA2015-008, NTAP-20150616-0001, openSUSE-SU-2015:1139-1, openSUSE-SU-2015:1277-1, openSUSE-SU-2015:2243-1, openSUSE-SU-2016:0640-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:1115-01, RHSA-2015:1197-01, SA40002, SA98, SB10122, SOL16898, SOL16913, SOL16915, SOL16938, SSA:2015-162-01, SSRT102180, SUSE-SU-2015:1143-1, SUSE-SU-2015:1150-1, SUSE-SU-2015:1181-1, SUSE-SU-2015:1181-2, SUSE-SU-2015:1182-2, SUSE-SU-2015:1183-1, SUSE-SU-2015:1183-2, SUSE-SU-2015:1184-1, SUSE-SU-2015:1184-2, SUSE-SU-2015:1185-1, TNS-2015-07, TSB16728, USN-2639-1, VIGILANCE-VUL-17117.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

An attacker can generate an infinite loop via ECParameters, in order to trigger a denial of service. [severity:2/4; CVE-2015-1788]

An attacker can force a read at an invalid address in X509_cmp_time(), in order to trigger a denial of service. [severity:2/4; CVE-2015-1789]

An attacker can force a NULL pointer to be dereferenced via EnvelopedContent, in order to trigger a denial of service. [severity:2/4; CVE-2015-1790]

An attacker can generate an infinite loop via CMS signedData, in order to trigger a denial of service. [severity:2/4; CVE-2015-1792]
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2015-1791

OpenSSL: use after free via NewSessionTicket

Synthesis of the vulnerability

An attacker, who own a malicious TLS server, can send the NewSessionTicket message, to force the usage of a freed memory area in a client linked to OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Impacted products: ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco ATA, Cisco AnyConnect Secure Mobility Client, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Prime Network Control Systems, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco Unity ~ precise, Cisco WSA, Debian, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, HP Operations, HP Switch, HP-UX, AIX, IRAD, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper SBR, McAfee Email and Web Security, McAfee Email Gateway, McAfee Web Gateway, Data ONTAP 7-Mode, Snap Creator Framework, SnapManager, NetBSD, NetScreen Firewall, ScreenOS, Nodejs Core, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Palo Alto Firewall PA***, PAN-OS, pfSense, Pulse Connect Secure, Puppet, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu, WinSCP.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: internet client.
Creation date: 04/06/2015.
Identifiers: 1961569, 1964113, 1970103, 2003480, 2003620, 2003673, 9010038, 9010039, bulletinjul2015, c04760669, c05184351, c05353965, CERTFR-2015-AVI-431, CERTFR-2016-AVI-128, CERTFR-2016-AVI-303, cisco-sa-20150612-openssl, cpuapr2017, cpuoct2016, cpuoct2017, CTX216642, CVE-2015-1791, DSA-3287-1, FEDORA-2015-10047, FEDORA-2015-10108, FreeBSD-SA-15:10.openssl, HPSBGN03678, HPSBHF03613, HPSBUX03388, JSA10694, JSA10733, NetBSD-SA2015-008, NTAP-20150616-0001, openSUSE-SU-2015:1139-1, openSUSE-SU-2016:0640-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:1115-01, SA40002, SA98, SB10122, SOL16914, SSA:2015-162-01, SSRT102180, SUSE-SU-2015:1143-1, SUSE-SU-2015:1150-1, SUSE-SU-2015:1182-2, SUSE-SU-2015:1184-1, SUSE-SU-2015:1184-2, SUSE-SU-2015:1185-1, TSB16728, USN-2639-1, VIGILANCE-VUL-17062.

Description of the vulnerability

The TLS protocol uses the NewSessionTicket message to obtain a new session ticket (RFC 5077).

The ssl3_get_new_session_ticket() function of the ssl/s3_clnt.c file implements NewSessionTicket in an OpenSSL client. However, if the client is multi-threaded, this function frees a memory area before reusing it.

An attacker, who own a malicious TLS server, can therefore send the NewSessionTicket message, to force the usage of a freed memory area in a client linked to OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2014-7169

bash: code execution via Function Variable

Synthesis of the vulnerability

An attacker can define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.
Impacted products: Arkoon FAST360, GAiA, CheckPoint IP Appliance, IPSO, SecurePlatform, CheckPoint Security Appliance, CheckPoint Smart-1, CheckPoint VSX-1, Cisco ASR, Cisco ACE, ASA, IOS XE Cisco, Cisco IPS, IronPort Encryption, Nexus by Cisco, NX-OS, Secure ACS, Cisco CUCM, Cisco Unified CCX, XenServer, Clearswift Email Gateway, Clearswift Web Gateway, Debian, Avamar, EMC CAVA, EMC CEE, EMC CEPA, Celerra FAST, Celerra NS, Celerra NX4, EMC CMDCE, Connectrix Switch, NetWorker, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiManager, FortiManager Virtual Appliance, HP Operations, AIX, IVE OS, Junos Space, MAG Series by Juniper, NSM Central Manager, NSMXpress, Juniper SA, Juniper UAC, McAfee Email and Web Security, McAfee Email Gateway, McAfee MOVE AntiVirus, McAfee NSP, McAfee NGFW, McAfee Web Gateway, openSUSE, Solaris, pfSense, RealPresence Collaboration Server, RealPresence Distributed Media Application, Polycom VBP, RHEL, RSA Authentication Manager, ROX, RuggedSwitch, Slackware, Stonesoft NGFW/VPN, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive, ESX, vCenter Server, VMware vSphere.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 25/09/2014.
Identifiers: 193355, 193866, 194029, 194064, 194669, 480931, c04475942, c04479492, CERTFR-2014-AVI-403, CERTFR-2014-AVI-415, CERTFR-2014-AVI-480, cisco-sa-20140926-bash, CTX200217, CTX200223, CVE-2014-3659-REJECT, CVE-2014-7169, DSA-3035-1, ESA-2014-111, ESA-2014-123, ESA-2014-124, ESA-2014-125, ESA-2014-126, ESA-2014-127, ESA-2014-128, ESA-2014-133, ESA-2014-136, ESA-2014-150, ESA-2014-151, ESA-2014-152, ESA-2014-162, FEDORA-2014-11514, FEDORA-2014-11527, FEDORA-2014-12202, FG-IR-14-030, HPSBGN03138, HPSBMU03144, JSA10648, JSA10661, MDVSA-2014:190, MDVSA-2015:164, openSUSE-SU-2014:1229-1, openSUSE-SU-2014:1242-1, openSUSE-SU-2014:1248-1, openSUSE-SU-2014:1308-1, openSUSE-SU-2014:1310-1, pfSense-SA-14_18.packages, RHSA-2014:1306-01, RHSA-2014:1311-01, RHSA-2014:1312-01, RHSA-2014:1354-01, RHSA-2014:1865-01, SB10085, sk102673, SOL15629, SSA:2014-268-01, SSA:2014-268-02, SSA-860967, SUSE-SU-2014:1247-1, SUSE-SU-2014:1247-2, T1021272, USN-2363-1, USN-2363-2, VIGILANCE-VUL-15401, VMSA-2014-0010, VMSA-2014-0010.10, VMSA-2014-0010.11, VMSA-2014-0010.12, VMSA-2014-0010.13, VMSA-2014-0010.2, VMSA-2014-0010.4, VMSA-2014-0010.7, VMSA-2014-0010.8, VMSA-2014-0010.9, VN-2014-002.

Description of the vulnerability

The bulletin VIGILANCE-VUL-15399 describes a vulnerability of bash.

However, the offered patch (VIGILANCE-SOL-36695) is incomplete. An variant of the initial attack can thus still be used to execute code or to create a file.

In this case, the code is run when the variable is parsed (which is not necessarily an environment variable), and not when the shell starts. The impact may thus be lower, but this was not confirmed.

An attacker can therefore define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2014-6271

bash: code execution via Environment Variable, ShellShock

Synthesis of the vulnerability

An attacker can define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.
Impacted products: Arkoon FAST360, GAiA, CheckPoint IP Appliance, IPSO, SecurePlatform, CheckPoint Security Appliance, CheckPoint Smart-1, CheckPoint VSX-1, Cisco ASR, Cisco ACE, ASA, IOS XE Cisco, Cisco IPS, IronPort Encryption, Nexus by Cisco, NX-OS, Secure ACS, Cisco CUCM, Cisco Unified CCX, XenServer, Clearswift Email Gateway, Clearswift Web Gateway, Debian, Avamar, EMC CAVA, EMC CEE, EMC CEPA, Celerra FAST, Celerra NS, Celerra NX4, EMC CMDCE, Connectrix Switch, NetWorker, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiManager, FortiManager Virtual Appliance, HP Operations, AIX, IVE OS, Junos Space, MAG Series by Juniper, NSM Central Manager, NSMXpress, Juniper SA, Juniper UAC, McAfee Email and Web Security, McAfee Email Gateway, McAfee MOVE AntiVirus, McAfee NSP, McAfee NGFW, McAfee Web Gateway, openSUSE, Solaris, pfSense, RealPresence Collaboration Server, RealPresence Distributed Media Application, Polycom VBP, RHEL, RSA Authentication Manager, ROX, RuggedSwitch, Slackware, Stonesoft NGFW/VPN, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive, ESX, vCenter Server, VMware vSphere.
Severity: 4/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: internet client.
Creation date: 24/09/2014.
Identifiers: 1141597, 193355, 193866, 194029, 194064, 194669, 480931, c04475942, c04479492, CERTFR-2014-ALE-006, CERTFR-2014-AVI-403, CERTFR-2014-AVI-415, CERTFR-2014-AVI-480, cisco-sa-20140926-bash, CTX200217, CTX200223, CVE-2014-6271, DSA-3032-1, ESA-2014-111, ESA-2014-123, ESA-2014-124, ESA-2014-125, ESA-2014-126, ESA-2014-127, ESA-2014-128, ESA-2014-133, ESA-2014-136, ESA-2014-150, ESA-2014-151, ESA-2014-152, ESA-2014-162, FEDORA-2014-11360, FEDORA-2014-11503, FG-IR-14-030, HPSBGN03138, HPSBMU03144, JSA10648, JSA10661, MDVSA-2014:186, MDVSA-2015:164, openSUSE-SU-2014:1226-1, openSUSE-SU-2014:1238-1, openSUSE-SU-2014:1308-1, openSUSE-SU-2014:1310-1, pfSense-SA-14_18.packages, RHSA-2014:1293-01, RHSA-2014:1294-01, RHSA-2014:1295-01, RHSA-2014:1354-01, SB10085, ShellShock, sk102673, SOL15629, SSA:2014-267-01, SSA-860967, SUSE-SU-2014:1212-1, SUSE-SU-2014:1213-1, SUSE-SU-2014:1214-1, SUSE-SU-2014:1223-1, T1021272, USN-2362-1, VIGILANCE-VUL-15399, VMSA-2014-0010, VMSA-2014-0010.10, VMSA-2014-0010.11, VMSA-2014-0010.12, VMSA-2014-0010.13, VMSA-2014-0010.2, VMSA-2014-0010.4, VMSA-2014-0010.7, VMSA-2014-0010.8, VMSA-2014-0010.9, VN-2014-002, VU#252743.

Description of the vulnerability

When bash interpreter is started, environment variables of the parent process are transfered to the current process. For example:
  export A=test
  bash
  echo $A

Functions can also be transfered through environment variables. For example:
  export F='() { echo bonjour; }'
  bash
  F

However, bash loads functions by interpreting the full environment variable. If an environment variable starts with "() {" and ends with "; command", then the command is run when the shell is started.

The main attack vectors are:
 - CGI scripts (Apache mod_cgi, mod_cgid) on a web server (variables: HTTP_header, REMOTE_HOST, SERVER_PROTOCOL)
 - OpenSSH via AcceptEnv (variables : TERM, ForceCommand avec SSH_ORIGINAL_COMMAND)

An attacker can therefore define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2012-0340

Cisco IronPort Encryption: Cross Site Scripting

Synthesis of the vulnerability

An attacker can generate a Cross Site Scripting in the administration web interface of Cisco IronPort Encryption, in order to execute JavaScript code in the session of the administrator who is authenticated.
Impacted products: IronPort Encryption.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 15/02/2012.
Revision date: 17/02/2012.
Identifiers: 25045, 72410, BID-52030, CERTA-2012-AVI-090, CVE-2012-0340, SWRX-2012-001, VIGILANCE-VUL-11370.

Description of the vulnerability

The Cisco IronPort Encryption product has an administration web interface.

The administration page is generated in JavaScript, using a header, a body and a footer. The header can be modified with the "header" parameter. However, this header is inserted in the page with no filtering.

An attacker can therefore generate a Cross Site Scripting in the administration web interface of Cisco IronPort Encryption, in order to execute JavaScript code in the session of the administrator who is authenticated.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Cisco IronPort Encryption: