The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Cisco IronPort Management

vulnerability announce CVE-2013-6780

Cisco ESA, SMA, WSA: Cross Site Scripting of uploader.swf

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in uploader.swf of Cisco ESA, SMA, WSA, in order to execute JavaScript code in the context of the web site.
Impacted products: AsyncOS, Cisco Content SMA, Cisco ESA, IronPort Email, IronPort Management, IronPort Web, Cisco WSA.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 26/02/2015.
Identifiers: CSCur44409, CSCur89624, CSCur89626, CVE-2013-6780, VIGILANCE-VUL-16272.

Description of the vulnerability

The Cisco ESA, SMA, WSA product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in uploader.swf of Cisco ESA, SMA, WSA, in order to execute JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2015-0624

Cisco ESA, SMA, WSA: HTTP redirect

Synthesis of the vulnerability

An attacker can deceive the user of Cisco ESA, SMA, or WSA, in order to redirect him to a malicious site.
Impacted products: AsyncOS, Cisco Content SMA, Cisco ESA, IronPort Email, IronPort Management, IronPort Web, Cisco WSA.
Severity: 1/4.
Consequences: user access/rights, data reading.
Provenance: internet client.
Creation date: 23/02/2015.
Identifiers: CSCur44412, CSCur44415, CSCur89630, CSCur89633, CSCur89636, CSCur89639, CVE-2015-0624, VIGILANCE-VUL-16246.

Description of the vulnerability

The Cisco Email Security Appliance, Cisco Content Security Management Appliance and Cisco Web Security Appliance products offers a web service.

However, the web service accepts to redirect the victim with no warning, to an external site indicated by the attacker.

An attacker can therefore deceive the user of Cisco ESA, SMA, or WSA, in order to redirect him to a malicious site.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin 16053

Cisco Ironport: privilege escalation via Service Account

Synthesis of the vulnerability

A local privileged attacker can connect to the Service Account of Cisco Ironport, in order to escalate his privileges.
Impacted products: AsyncOS, Cisco Content SMA, Cisco ESA, IronPort Email, IronPort Management, IronPort Web, Cisco WSA.
Severity: 1/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: privileged shell.
Creation date: 26/01/2015.
Identifiers: VIGILANCE-VUL-16053.

Description of the vulnerability

The Cisco Ironport product offers a remote maintenance service associated to the "service" user.

An authenticated user with "admin" privileges can enable the "service" account. However, he can then connect via SSH to the "service" account, and obtain a full root shell.

A local privileged attacker can therefore connect to the Service Account of Cisco Ironport, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2014-3289

Cisco AsyncOS: Cross Site Scripting of date_range

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in date_range of Cisco AsyncOS, in order to execute JavaScript code in the context of the web site.
Impacted products: AsyncOS, Cisco Content SMA, Cisco ESA, IronPort Email, IronPort Management, IronPort Web, Cisco WSA.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 10/06/2014.
Identifiers: CSCun07844, CSCun07888, CSCun07998, CVE-2014-3289, VIGILANCE-VUL-14851, VU#613308.

Description of the vulnerability

The Cisco AsyncOS product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in date_range of Cisco AsyncOS, in order to execute JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2014-0224

OpenSSL: man in the middle via ChangeCipherSpec

Synthesis of the vulnerability

An attacker can act as a man in the middle between a client and a server using OpenSSL, in order to read or alter exchanged data.
Impacted products: ArubaOS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, GAiA, CheckPoint IP Appliance, IPSO, Provider-1, SecurePlatform, CheckPoint Security Appliance, CheckPoint Security Gateway, Cisco ASR, Cisco ATA, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, CiscoWorks, Cisco Content SMA, Cisco CSS, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Email, IronPort Management, IronPort Web, Nexus by Cisco, NX-OS, Prime Collaboration Assurance, Prime Collaboration Manager, Prime Infrastructure, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco Unity ~ precise, WebNS, Cisco WSA, Clearswift Web Gateway, Debian, Avamar, EMC CAVA, EMC CEE, EMC CEPA, Celerra FAST, Celerra NS, Celerra NX4, EMC CMDCE, Connectrix Switch, ECC, NetWorker, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FreeBSD, HP Operations, ProCurve Switch, HP Switch, HP-UX, AIX, Tivoli Storage Manager, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper UAC, McAfee Web Gateway, MySQL Enterprise, NetBSD, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Polycom CMA, HDX, RealPresence Collaboration Server, Polycom VBP, RHEL, JBoss EAP by Red Hat, ACE Agent, ACE Server, RSA Authentication Agent, RSA Authentication Manager, SecurID, ROS, ROX, RuggedSwitch, SIMATIC, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Nessus, InterScan Messaging Security Suite, InterScan Web Security Suite, TrendMicro ServerProtect, Ubuntu, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, Websense Email Security, Websense Web Filter, Websense Web Security.
Severity: 3/4.
Consequences: data reading, data creation/edition, data flow.
Provenance: document.
Creation date: 05/06/2014.
Revision date: 05/06/2014.
Identifiers: 1676496, 1690827, aid-06062014, c04336637, c04347622, c04363613, CERTFR-2014-AVI-253, CERTFR-2014-AVI-254, CERTFR-2014-AVI-255, CERTFR-2014-AVI-260, CERTFR-2014-AVI-274, CERTFR-2014-AVI-279, CERTFR-2014-AVI-286, CERTFR-2014-AVI-513, cisco-sa-20140605-openssl, cpuoct2016, CTX140876, CVE-2014-0224, DOC-53313, DSA-2950-1, DSA-2950-2, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2014-7101, FEDORA-2014-7102, FG-IR-14-018, FreeBSD-SA-14:14.openssl, HPSBHF03052, HPSBUX03046, JSA10629, MDVSA-2014:105, MDVSA-2014:106, MDVSA-2015:062, NetBSD-SA2014-006, openSUSE-SU-2014:0764-1, openSUSE-SU-2014:0765-1, openSUSE-SU-2015:0229-1, openSUSE-SU-2016:0640-1, RHSA-2014:0624-01, RHSA-2014:0625-01, RHSA-2014:0626-01, RHSA-2014:0627-01, RHSA-2014:0628-01, RHSA-2014:0629-01, RHSA-2014:0630-01, RHSA-2014:0631-01, RHSA-2014:0632-01, RHSA-2014:0633-01, RHSA-2014:0679-01, RHSA-2014:0680-01, SA40006, SA80, SB10075, sk101186, SOL15325, SPL-85063, SSA:2014-156-03, SSA-234763, SSRT101590, SUSE-SU-2014:0759-1, SUSE-SU-2014:0759-2, SUSE-SU-2014:0761-1, SUSE-SU-2014:0762-1, USN-2232-1, USN-2232-2, USN-2232-3, USN-2232-4, VIGILANCE-VUL-14844, VMSA-2014-0006, VMSA-2014-0006.1, VMSA-2014-0006.10, VMSA-2014-0006.11, VMSA-2014-0006.2, VMSA-2014-0006.3, VMSA-2014-0006.4, VMSA-2014-0006.5, VMSA-2014-0006.6, VMSA-2014-0006.7, VMSA-2014-0006.8, VMSA-2014-0006.9, VU#978508.

Description of the vulnerability

The OpenSSL product implements SSL/TLS, which uses a handshake.

However, by using a handshake with a ChangeCipherSpec message, an attacker can force the usage of weak keys.

An attacker can therefore act as a man in the middle between a client and a server using OpenSSL, in order to read or alter exchanged data.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2014-3470

OpenSSL: denial of service via ECDH

Synthesis of the vulnerability

An attacker, who is located on a TLS server, can use Anonymous ECDH, in order to trigger a denial of service in OpenSSL client applications.
Impacted products: ArubaOS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco ATA, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, CiscoWorks, Cisco Content SMA, Cisco CSS, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Email, IronPort Management, IronPort Web, Nexus by Cisco, NX-OS, Prime Collaboration Assurance, Prime Collaboration Manager, Prime Infrastructure, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco Unity ~ precise, WebNS, Cisco WSA, Debian, Avamar, EMC CAVA, EMC CEE, EMC CEPA, Celerra FAST, Celerra NS, Celerra NX4, EMC CMDCE, Connectrix Switch, ECC, NetWorker, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FreeBSD, HP Operations, HP-UX, AIX, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper UAC, McAfee Web Gateway, NetBSD, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Solaris, Polycom CMA, HDX, RealPresence Collaboration Server, Polycom VBP, RHEL, ACE Agent, ACE Server, RSA Authentication Agent, RSA Authentication Manager, SecurID, ROS, ROX, RuggedSwitch, SIMATIC, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Ubuntu, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Consequences: denial of service on client.
Provenance: internet server.
Creation date: 05/06/2014.
Identifiers: 1676496, aid-06062014, c04336637, c04363613, c04368523, CERTFR-2014-AVI-253, CERTFR-2014-AVI-254, CERTFR-2014-AVI-255, CERTFR-2014-AVI-260, CERTFR-2014-AVI-274, CERTFR-2014-AVI-279, CERTFR-2014-AVI-286, cisco-sa-20140605-openssl, CTX140876, CVE-2014-3470, DOC-53313, DSA-2950-1, DSA-2950-2, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2014-7101, FEDORA-2014-7102, FG-IR-14-018, FreeBSD-SA-14:14.openssl, HPSBMU03069, HPSBUX03046, JSA10629, MDVSA-2014:105, MDVSA-2014:106, MDVSA-2015:062, NetBSD-SA2014-006, openSUSE-SU-2014:0764-1, openSUSE-SU-2014:0765-1, openSUSE-SU-2016:0640-1, RHSA-2014:0625-01, RHSA-2014:0628-01, RHSA-2014:0679-01, SA40006, SA80, SB10075, SPL-85063, SSA:2014-156-03, SSA-234763, SSRT101590, SUSE-SU-2014:0759-1, SUSE-SU-2014:0759-2, SUSE-SU-2014:0761-1, SUSE-SU-2014:0762-1, USN-2232-1, USN-2232-2, USN-2232-3, USN-2232-4, VIGILANCE-VUL-14847, VMSA-2014-0006, VMSA-2014-0006.1, VMSA-2014-0006.10, VMSA-2014-0006.11, VMSA-2014-0006.2, VMSA-2014-0006.3, VMSA-2014-0006.4, VMSA-2014-0006.5, VMSA-2014-0006.6, VMSA-2014-0006.7, VMSA-2014-0006.8, VMSA-2014-0006.9.

Description of the vulnerability

A client based on the OpenSSL library can create an encrypted session using elliptic curves (ECDH : elliptic curves and Diffie-Hellman).

However, a malicious server can negotiate an Anonymous ECDH ciphersuite, in order to trigger a denial of service in the OpenSSL client.

An attacker, who is located on a TLS server, can therefore use Anonymous ECDH, in order to trigger a denial of service in OpenSSL client applications.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2014-0076

OpenSSL: disclosure of ECDSA secret

Synthesis of the vulnerability

A local attacker can guess the ECDSA secret used by the OpenSSL implementation, in order to obtain sensitive information.
Impacted products: Cisco ASR, Cisco ATA, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, CiscoWorks, Cisco Content SMA, Cisco CSS, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Email, IronPort Management, IronPort Web, Nexus by Cisco, NX-OS, Prime Collaboration Assurance, Prime Collaboration Manager, Prime Infrastructure, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco Unity ~ precise, WebNS, Cisco WSA, Debian, Avamar, EMC CAVA, EMC CEE, EMC CEPA, Celerra FAST, Celerra NS, Celerra NX4, EMC CMDCE, Connectrix Switch, ECC, NetWorker, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, FreeBSD, HP-UX, AIX, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper UAC, McAfee Web Gateway, NetBSD, OpenSSL, openSUSE, openSUSE Leap, Solaris, pfSense, Polycom CMA, HDX, RealPresence Collaboration Server, Polycom VBP, ACE Agent, ACE Server, RSA Authentication Agent, RSA Authentication Manager, SecurID, Slackware, stunnel, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Consequences: data reading.
Provenance: document.
Creation date: 21/03/2014.
Revision date: 05/06/2014.
Identifiers: 1673696, 1681249, 1688949, c04336637, CERTFR-2014-AVI-179, CERTFR-2014-AVI-253, CERTFR-2014-AVI-254, CERTFR-2014-AVI-255, CERTFR-2014-AVI-279, CERTFR-2014-AVI-286, cisco-sa-20140605-openssl, CVE-2014-0076, DOC-53313, DSA-2908-1, FreeBSD-SA-14:06.openssl, HPSBUX03046, JSA10629, MDVSA-2014:067, MDVSA-2015:062, NetBSD-SA2014-006, openSUSE-SU-2014:0480-1, openSUSE-SU-2016:0640-1, pfSense-SA-14_04.openssl, SA40006, SB10075, SSA:2014-098-01, SSRT101590, SUSE-SU-2014:0759-1, SUSE-SU-2014:0761-1, SUSE-SU-2014:0762-1, USN-2165-1, VIGILANCE-VUL-14462.

Description of the vulnerability

The ECDSA (Elliptic Curve Digital Signature Algorithm) algorithm uses a secret "k" value.

However, a local attacker can monitor the process linked to OpenSSL, and use the "FLUSH+RELOAD Cache" attack on a conditional branch (if), to obtain bit after bit the "k" secret value.

A local attacker can therefore guess the ECDSA secret used by the OpenSSL implementation, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2010-5298

OpenSSL: data injection via OPENSSL_NO_BUF_FREELIST

Synthesis of the vulnerability

An attacker can establish a connection with a multi-thread application linked to OpenSSL with OPENSSL_NO_BUF_FREELIST, in order to potentially inject data in the session of another user.
Impacted products: ArubaOS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco ATA, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, CiscoWorks, Cisco Content SMA, Cisco CSS, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Email, IronPort Management, IronPort Web, Nexus by Cisco, NX-OS, Prime Collaboration Assurance, Prime Collaboration Manager, Prime Infrastructure, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco Unity ~ precise, WebNS, Cisco WSA, Debian, Avamar, EMC CAVA, EMC CEE, EMC CEPA, Celerra FAST, Celerra NS, Celerra NX4, EMC CMDCE, Connectrix Switch, ECC, NetWorker, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FreeBSD, ProCurve Switch, HP Switch, AIX, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper UAC, McAfee Web Gateway, NetBSD, OpenBSD, OpenSSL, openSUSE, Solaris, pfSense, Polycom CMA, HDX, RealPresence Collaboration Server, Polycom VBP, RHEL, ACE Agent, ACE Server, RSA Authentication Agent, RSA Authentication Manager, SecurID, ROS, ROX, RuggedSwitch, SIMATIC, Slackware, stunnel, Ubuntu, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor.
Severity: 1/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 14/04/2014.
Revision date: 05/06/2014.
Identifiers: 2167, aid-06062014, c04347622, CERTFR-2014-AVI-253, CERTFR-2014-AVI-254, CERTFR-2014-AVI-255, CERTFR-2014-AVI-260, CERTFR-2014-AVI-274, CERTFR-2014-AVI-279, CERTFR-2014-AVI-286, cisco-sa-20140605-openssl, CTX140876, CVE-2010-5298, DOC-53313, DSA-2908-1, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2014-7101, FEDORA-2014-7102, FG-IR-14-018, FreeBSD-SA-14:09.openssl, HPSBHF03052, JSA10629, MDVSA-2014:090, MDVSA-2015:062, NetBSD-SA2014-006, openSUSE-SU-2014:0592-1, RHSA-2014:0625-01, RHSA-2014:0628-01, RHSA-2014:0679-01, SA40006, SA80, SB10075, SOL15328, SSA:2014-156-03, SSA-234763, USN-2192-1, VIGILANCE-VUL-14585, VMSA-2014-0006, VMSA-2014-0006.1, VMSA-2014-0006.10, VMSA-2014-0006.11, VMSA-2014-0006.2, VMSA-2014-0006.3, VMSA-2014-0006.4, VMSA-2014-0006.5, VMSA-2014-0006.6, VMSA-2014-0006.7, VMSA-2014-0006.8, VMSA-2014-0006.9.

Description of the vulnerability

The OpenSSL product uses a proprietary implementation of malloc to manage its memory.

However, when this feature is disabled with OPENSSL_NO_BUF_FREELIST, a memory area is not freed, and the ssl3_setup_read_buffer() function can, in multi-thread mode, reuse data from another SSL session.

An attacker can therefore establish a connection with a multi-threaded application linked to OpenSSL with OPENSSL_NO_BUF_FREELIST, in order to potentially inject data in the session of another user.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2014-0198

OpenSSL: NULL pointer dereference via SSL_MODE_RELEASE_BUFFERS

Synthesis of the vulnerability

An attacker can dereference a NULL pointer in OpenSSL applications using SSL_MODE_RELEASE_BUFFERS, in order to trigger a denial of service.
Impacted products: ArubaOS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco ATA, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, CiscoWorks, Cisco Content SMA, Cisco CSS, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Email, IronPort Management, IronPort Web, Nexus by Cisco, NX-OS, Prime Collaboration Assurance, Prime Collaboration Manager, Prime Infrastructure, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco Unity ~ precise, WebNS, Cisco WSA, Debian, Avamar, EMC CAVA, EMC CEE, EMC CEPA, Celerra FAST, Celerra NS, Celerra NX4, EMC CMDCE, Connectrix Switch, ECC, NetWorker, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, FreeBSD, ProCurve Switch, HP Switch, AIX, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper UAC, McAfee Web Gateway, NetBSD, OpenBSD, OpenSSL, openSUSE, Solaris, Polycom CMA, HDX, RealPresence Collaboration Server, Polycom VBP, RHEL, ACE Agent, ACE Server, RSA Authentication Agent, RSA Authentication Manager, SecurID, ROS, ROX, RuggedSwitch, SIMATIC, Slackware, stunnel, Ubuntu, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor.
Severity: 3/4.
Consequences: denial of service on server, denial of service on service.
Provenance: internet client.
Creation date: 02/05/2014.
Revisions dates: 02/05/2014, 05/06/2014.
Identifiers: 3321, aid-06062014, c04347622, CERTFR-2014-AVI-253, CERTFR-2014-AVI-254, CERTFR-2014-AVI-255, CERTFR-2014-AVI-260, CERTFR-2014-AVI-274, CERTFR-2014-AVI-279, CERTFR-2014-AVI-286, cisco-sa-20140605-openssl, CTX140876, CVE-2014-0198, DOC-53313, DSA-2931-1, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2014-7101, FEDORA-2014-7102, FreeBSD-SA-14:10.openssl, HPSBHF03052, JSA10629, MDVSA-2014:080, MDVSA-2015:062, NetBSD-SA2014-006, openSUSE-SU-2014:0634-1, openSUSE-SU-2014:0635-1, RHSA-2014:0625-01, RHSA-2014:0628-01, RHSA-2014:0679-01, SA40006, SA80, SB10075, SOL15329, SSA:2014-156-03, SSA-234763, USN-2192-1, VIGILANCE-VUL-14690, VMSA-2014-0006, VMSA-2014-0006.1, VMSA-2014-0006.10, VMSA-2014-0006.11, VMSA-2014-0006.2, VMSA-2014-0006.3, VMSA-2014-0006.4, VMSA-2014-0006.5, VMSA-2014-0006.6, VMSA-2014-0006.7, VMSA-2014-0006.8, VMSA-2014-0006.9.

Description of the vulnerability

The SSL_set_mode() function of OpenSSL defines the behavior of the library. The SSL_MODE_RELEASE_BUFFERS parameter, added in version 1.0.0, indicates to free the memory as soon as it it not needed anymore. The SSL module of Apache httpd uses it when Apache is configured to save memory.

The do_ssl3_write() function of the ssl/s3_pkt.c file sends SSLv3 packets. After sending data, the memory can be freed if SSL_MODE_RELEASE_BUFFERS is used, so a pointer can be NULL. However, OpenSSL does not check if this pointer is NULL, before using it.

An attacker can therefore dereference a NULL pointer in OpenSSL applications using SSL_MODE_RELEASE_BUFFERS, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2014-0195

OpenSSL: buffer overflow of DTLS

Synthesis of the vulnerability

An attacker can generate a buffer overflow via DTLS of OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Impacted products: ArubaOS, BES, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco ATA, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, CiscoWorks, Cisco Content SMA, Cisco CSS, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Email, IronPort Management, IronPort Web, Nexus by Cisco, NX-OS, Prime Collaboration Assurance, Prime Collaboration Manager, Prime Infrastructure, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco Unity ~ precise, WebNS, Cisco WSA, Debian, Avamar, EMC CAVA, EMC CEE, EMC CEPA, Celerra FAST, Celerra NS, Celerra NX4, EMC CMDCE, Connectrix Switch, ECC, NetWorker, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FreeBSD, HP Operations, HP-UX, AIX, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper UAC, McAfee Web Gateway, NetBSD, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Solaris, Polycom CMA, HDX, RealPresence Collaboration Server, Polycom VBP, RHEL, ACE Agent, ACE Server, RSA Authentication Agent, RSA Authentication Manager, SecurID, Slackware, stunnel, Ubuntu.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, denial of service on service, denial of service on client.
Provenance: internet client.
Creation date: 05/06/2014.
Identifiers: aid-06062014, c04336637, c04363613, c04368523, CERTFR-2014-AVI-253, CERTFR-2014-AVI-254, CERTFR-2014-AVI-255, CERTFR-2014-AVI-260, CERTFR-2014-AVI-279, CERTFR-2014-AVI-286, CERTFR-2014-AVI-291, cisco-sa-20140605-openssl, CTX140876, CVE-2014-0195, DOC-53313, DSA-2950-1, DSA-2950-2, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2014-7101, FEDORA-2014-7102, FG-IR-14-018, FreeBSD-SA-14:14.openssl, HPSBMU03069, HPSBUX03046, JSA10629, KB36051, MDVSA-2014:106, MDVSA-2015:062, NetBSD-SA2014-006, openSUSE-SU-2014:0764-1, openSUSE-SU-2014:0765-1, openSUSE-SU-2016:0640-1, RHSA-2014:0625-01, RHSA-2014:0628-01, RHSA-2014:0679-01, SA40006, SA80, SB10075, SOL15356, SSA:2014-156-03, SSRT101590, USN-2232-1, USN-2232-2, USN-2232-3, USN-2232-4, VIGILANCE-VUL-14846, ZDI-14-173.

Description of the vulnerability

The DTLS (Datagram Transport Layer Security) protocol, based on TLS, provides a cryptographic layer over the UDP protocol.

However, if the size of data of a DTLS fragment is greater than the size of the storage array, an overflow occurs.

An attacker can therefore generate a buffer overflow via DTLS of OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.