
Computer vulnerabilities of Debian Sarge

computer vulnerability announcement CVE-2012-5526

Perl CGI.pm: HTTP header injection via header

Synthesis of the vulnerability

An attacker who controls an application based on the Perl CGI.pm module can inject headers in HTTP responses.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, AIX, Mandriva Linux, openSUSE, Solaris, Perl Module ~ not comprehensive, RHEL.
Severity: 2/4.
Consequences: data creation/edition.
Provenance: internet server.
Creation date: 16/11/2012.
Identifiers: BID-56562, CERTA-2013-AVI-387, CERTA-2013-AVI-543, CERTA-2013-AVI-590, CERTA-2013-AVI-593, CERTFR-2014-AVI-112, CERTFR-2014-AVI-244, CVE-2012-5526, DSA-2586-1, DSA-2587-1, FEDORA-2012-18318, FEDORA-2012-18330, FEDORA-2012-19282, IV43973, IV46765, K15867, MDVSA-2012:180, openSUSE-SU-2013:0497-1, openSUSE-SU-2013:0502-1, RHSA-2013:0685-01, SOL15867, VIGILANCE-VUL-12167.

Description of the vulnerability

The Perl module CGI.pm from the standard library facilitates the development of Web applications based on the CGI interface, which specifies the communication protocol between the application and the HTTP server.

The module defines a routine header(), which generates the headers of HTTP responses. A header value must not contain end-of-line characters. However, header() does not reject values containing line ends for the Set-Cookie and P3P headers, which allows additional headers to be injected into the response sent by the HTTP server.

An attacker who controls an application based on the Perl CGI.pm module can therefore inject headers in HTTP responses.
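The following is an added example, not code from the bulletin or from CGI.pm: a minimal HTTP response-header builder in Python that reproduces the unchecked behaviour described above (a Set-Cookie value is copied verbatim, so an embedded line end becomes a new header line) next to the check that rejects such values. The cookie value, header names and function names are constructed for the illustration.

```python
"""Added example (not from the Vigil@nce bulletin or CGI.pm): an unchecked
header builder beside a hardened one that refuses CR/LF in header values."""
import re

# A header line ends at CR or LF; a header *value* must never contain either.
_CRLF = re.compile(r"[\r\n]")


class HeaderInjection(ValueError):
    """Raised when a header name or value would start a new header line."""


def build_response_headers_unchecked(headers):
    """Behaves like the flawed header(): names and values are copied verbatim."""
    lines = [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def build_response_headers(headers):
    """Hardened builder: refuses any header whose name or value contains CR or LF."""
    for name, value in headers:
        if _CRLF.search(name) or _CRLF.search(value):
            raise HeaderInjection(f"CR/LF in header {name!r}")
    return build_response_headers_unchecked(headers)


def parse_header_block(block):
    """Parse a header block the way an HTTP client does: one header per CRLF line.
    Returns a list of (name, value) tuples."""
    head = block.split("\r\n\r\n", 1)[0]
    parsed = []
    for line in head.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        parsed.append((name.strip(), value.strip()))
    return parsed


def demo():
    """Return (injected_seen_by_client, rejected_by_hardened_builder)."""
    # Constructed cookie value carrying an embedded line end, as in the bulletin.
    tainted = "session=abc\r\nX-Injected: 1"
    headers = [("Content-Type", "text/html"), ("Set-Cookie", tainted)]
    seen = parse_header_block(build_response_headers_unchecked(headers))
    # Without the check the client parses three headers instead of two.
    injected = any(name == "X-Injected" for name, _ in seen)
    try:
        build_response_headers(headers)
        rejected = False
    except HeaderInjection:
        rejected = True
    return injected, rejected


if __name__ == "__main__":
    print(demo())
```

The check is deliberately applied to header names as well as values, since a name taken from request data would allow the same injection; rejecting the request is preferable to silently stripping the characters, because stripping can change the meaning of the value.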

vulnerability note CVE-2013-0343

Linux kernel: disabling of RFC 4941

Synthesis of the vulnerability

An attacker can send several ICMPv6 prefix advertisement packets, in order to make the process of temporary address creation fail, which leads to disclosure of the host MAC address.
Impacted products: Debian, Fedora, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: data reading.
Provenance: LAN.
Creation date: 15/11/2012.
Identifiers: BID-58795, CVE-2013-0343, DSA-2906-1, FEDORA-2013-15151, FEDORA-2013-15198, openSUSE-SU-2014:0204-1, openSUSE-SU-2014:0766-1, RHSA-2013:1449-01, RHSA-2013:1490-01, RHSA-2013:1645-02, SUSE-SU-2014:0536-1, VIGILANCE-VUL-12164.

Description of the vulnerability

Historically, IPv6 address auto-configuration derives the address from the host MAC address, so an attacker can trace the history of the host's communications. RFC 4941 defines a temporary address allocation feature, which prevents this tracking.

These addresses are computed from the network prefixes announced by neighbouring routers. However, when the number of prefixes exceeds the kernel parameter ipv6.max_addresses (default value: 16), an error occurs in the routine ipv6_create_tempaddr(), and this error disables the RFC 4941 functionality.

An attacker can therefore send several ICMPv6 prefix advertisement packets, in order to make the process of temporary address creation fail, which leads to disclosure of the host MAC address.

vulnerability CVE-2012-4539

Xen: infinite loop via GNTTABOP_get_status_frames

Synthesis of the vulnerability

A local attacker, who is administrator in a PV guest system, can use the GNTTABOP_get_status_frames hypercall, in order to lock Xen.
Impacted products: XenServer, Debian, Fedora, openSUSE, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 13/11/2012.
Identifiers: BID-56498, CERTA-2012-AVI-650, CERTA-2012-AVI-651, CTX135458, CVE-2012-4539, DSA-2582-1, FEDORA-2012-18242, FEDORA-2012-18249, openSUSE-SU-2012:1572-1, openSUSE-SU-2012:1573-1, SUSE-SU-2012:1486-1, SUSE-SU-2012:1487-1, SUSE-SU-2012:1503-1, SUSE-SU-2014:0446-1, VIGILANCE-VUL-12140, XSA-24.

Description of the vulnerability

The Xen hypervisor can be installed on a 64-bit processor and can provide paravirtualized 32-bit guest systems.

However, in this configuration, the GNTTABOP_get_status_frames hypercall uses the same loop control variable twice. An attacker can then use a malicious hypercall parameter to generate an infinite loop.

A local attacker, who is administrator in a PV guest system, can therefore use the GNTTABOP_get_status_frames hypercall, in order to lock Xen.

computer vulnerability bulletin CVE-2012-4538

Xen: denial of service via HVMOP_pagetable_dying

Synthesis of the vulnerability

A local attacker, who is administrator in an HVM+HAP guest system, can use the HVMOP_pagetable_dying hypercall, in order to stop Xen.
Impacted products: XenServer, Debian, Fedora, openSUSE, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 13/11/2012.
Identifiers: BID-56498, CERTA-2012-AVI-650, CERTA-2012-AVI-651, CTX135458, CVE-2012-4538, DSA-2582-1, FEDORA-2012-18242, FEDORA-2012-18249, openSUSE-SU-2012:1572-1, openSUSE-SU-2012:1573-1, SUSE-SU-2012:1486-1, SUSE-SU-2012:1487-1, SUSE-SU-2012:1503-1, SUSE-SU-2014:0446-1, VIGILANCE-VUL-12138, XSA-23.

Description of the vulnerability

Modern processors support the HAP (Hardware Assisted Paging) feature. When Xen is configured in HVM mode, it uses HAP.

The HVMOP_pagetable_dying hypercall calls the sh_pagetable_dying() function. However, this function does not check if the memory manager state is stable, before changing it.

A local attacker, who is administrator in an HVM+HAP guest system, can therefore use the HVMOP_pagetable_dying hypercall, in order to stop Xen.

computer vulnerability announcement CVE-2012-4537

Xen: denial of service via Memory mapping

Synthesis of the vulnerability

A local attacker, who is located in a guest system, can deplete the memory, in order to desynchronize the memory manager of Xen, and to stop it.
Impacted products: XenServer, Debian, Fedora, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 13/11/2012.
Identifiers: BID-56498, CERTA-2012-AVI-650, CERTA-2012-AVI-651, CTX135458, CVE-2012-4537, DSA-2582-1, FEDORA-2012-18242, FEDORA-2012-18249, openSUSE-SU-2012:1572-1, openSUSE-SU-2012:1573-1, RHSA-2012:1540-01, SUSE-SU-2012:1486-1, SUSE-SU-2012:1487-1, SUSE-SU-2012:1503-1, SUSE-SU-2014:0446-1, VIGILANCE-VUL-12137.

Description of the vulnerability

The Xen hypervisor associates physical memory to each guest system.

However, when a guest system has consumed almost all its memory, the set_p2m_entry() function fails, which desynchronizes the memory address mapping tables.

A local attacker, who is located in a guest system, can therefore deplete the memory, in order to desynchronize the memory manager of Xen, and to stop it.

vulnerability note CVE-2012-4535

Xen: infinite loop via Timer overflow

Synthesis of the vulnerability

A local attacker, who is administrator in a guest system, can generate an overflow of a Xen Timer, in order to create an infinite loop on the physical processor.
Impacted products: XenServer, Debian, Fedora, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 13/11/2012.
Identifiers: BID-56498, CERTA-2012-AVI-650, CERTA-2012-AVI-651, CTX135458, CVE-2012-4535, DSA-2582-1, FEDORA-2012-18242, FEDORA-2012-18249, openSUSE-SU-2012:1572-1, openSUSE-SU-2012:1573-1, RHSA-2012:1540-01, SUSE-SU-2012:1486-1, SUSE-SU-2012:1487-1, SUSE-SU-2012:1503-1, SUSE-SU-2014:0446-1, VIGILANCE-VUL-12134, XSA-20.

Description of the vulnerability

A watchdog can be configured to perform an operation at a future date.

The do_vcpu_op() function of the xen/common/domain.c file manages Xen VCPUs. However, if the watchdog date has already expired, a Timer uses a negative value, and an infinite loop occurs.

A local attacker, who is administrator in a guest system, can therefore generate an overflow of a Xen Timer, in order to create an infinite loop on the physical processor.

computer vulnerability alert CVE-2012-5519

CUPS: file access via PageLog

Synthesis of the vulnerability

A local attacker, who is a member of the lpadmin group, can change the CUPS log filename, in order to read or write in a file, with privileges of the daemon.
Impacted products: CUPS, Debian, Fedora, Mandriva Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: data reading, data creation/edition.
Provenance: user shell.
Creation date: 12/11/2012.
Identifiers: 692791, BID-56494, CVE-2012-5519, DSA-2600-1, FEDORA-2012-19606, MDVSA-2012:179, openSUSE-SU-2015:1056-1, RHSA-2013:0580-01, SUSE-SU-2015:1041-1, SUSE-SU-2015:1044-1, SUSE-SU-2015:1044-2, VIGILANCE-VUL-12126.

Description of the vulnerability

The CUPS print service uses the /etc/cups/cupsd.conf configuration file.

Members of the lpadmin group can authenticate on the CUPS web administration interface to modify this configuration file. They can thus change the PageLog configuration directive, which indicates the log file name, to point for example to /etc/shadow.

However, the CUPS daemon runs with elevated privileges (root on some systems such as Debian). An attacker can thus use the log display web interface to read the content of the log file with root privileges. Moreover, if the attacker prints a document, log data are appended to this file with elevated privileges.

A local attacker, who is a member of the lpadmin group, can therefore change the CUPS log filename, in order to read or write in a file, with privileges of the daemon.
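As an added example (not from the bulletin or from CUPS), the following Python check audits the text of a cupsd.conf for log directives whose path points outside the expected log directory, which is the misuse described above for PageLog. It assumes the directives live in cupsd.conf, as in the CUPS versions the bulletin covers, and that the legitimate log directory is /var/log/cups (a Debian-style default; adjust for other systems). The sample configuration is constructed.

```python
"""Added example (not from the Vigil@nce bulletin or CUPS): flag log-file
directives in a cupsd.conf text that resolve outside the expected log directory."""
import posixpath

# Directives that name a file the daemon opens with its own privileges.
LOG_DIRECTIVES = ("PageLog", "AccessLog", "ErrorLog")
# Assumption: the legitimate log directory on the audited system.
ALLOWED_DIR = "/var/log/cups"


def parse_cupsd_conf(text):
    """Return (directive, value) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        pairs.append((key, value.strip()))
    return pairs


def suspicious_log_paths(text, allowed_dir=ALLOWED_DIR):
    """Return [(directive, value)] for absolute log paths outside allowed_dir.

    The path is normalised first so that '..' segments cannot hide the target.
    'syslog' is a keyword, not a file, and relative values are left to CUPS's
    own resolution, so neither is judged here."""
    prefix = allowed_dir.rstrip("/") + "/"
    findings = []
    for key, value in parse_cupsd_conf(text):
        if key not in LOG_DIRECTIVES or value == "syslog" or not value.startswith("/"):
            continue
        if not posixpath.normpath(value).startswith(prefix):
            findings.append((key, value))
    return findings


# Constructed sample configuration: one directive has been redirected.
SAMPLE_CONF = """\
# constructed cupsd.conf excerpt
LogLevel warn
PageLog /etc/shadow
AccessLog /var/log/cups/access_log
ErrorLog syslog
"""

if __name__ == "__main__":
    for directive, path in suspicious_log_paths(SAMPLE_CONF):
        print(f"{directive} points outside {ALLOWED_DIR}: {path}")
```

Run it over the live file from a configuration-monitoring job (or a file-integrity tool's diff hook) so that a change to PageLog made through the web interface is reported as soon as it lands on disk, and pair it with the vendor fix, which is what removes the underlying privilege issue.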

vulnerability announcement CVE-2012-6144 CVE-2012-6145 CVE-2012-6146

TYPO3: four vulnerabilities

Synthesis of the vulnerability

An attacker can use four vulnerabilities of TYPO3, in order to obtain/alter information, or to create a Cross Site Scripting.
Impacted products: Debian, TYPO3 Core.
Severity: 2/4.
Consequences: user access/rights, client access/rights.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 08/11/2012.
Identifiers: BID-56472, CERTA-2012-AVI-641, CVE-2012-6144, CVE-2012-6145, CVE-2012-6146, CVE-2012-6147, CVE-2012-6148, DSA-2574-1, TYPO3-CORE-SA-2012-005, VIGILANCE-VUL-12122.

Description of the vulnerability

Four vulnerabilities were announced in TYPO3.

An authenticated attacker can inject SQL data or create a Cross Site Scripting in the Backend History module. [severity:2/4; CVE-2012-6144, CVE-2012-6145]

An authenticated attacker can read all previous modifications via the Backend History module. [severity:1/4; CVE-2012-6146]

An attacker can generate a Cross-Site Scripting via an application using the TCA-Tree API. [severity:2/4; CVE-2012-6147]

An attacker can generate a Cross-Site Scripting via an application using the menu API. [severity:2/4; CVE-2012-6148]

computer vulnerability bulletin CVE-2012-4461

Linux kernel: denial of service via XSAVE

Synthesis of the vulnerability

An attacker, who is located in a qemu+KVM guest system, and on a host system using a processor without xsave/xrstor, can stop the host system.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 07/11/2012.
Identifiers: BID-56414, CERTA-2012-AVI-633, CVE-2012-4461, DSA-2668-1, FEDORA-2012-18684, FEDORA-2012-18691, openSUSE-SU-2013:0925-1, openSUSE-SU-2013:0927-1, RHSA-2013:0223-01, RHSA-2013:0882-01, SOL15797, SUSE-SU-2012:1679-1, SUSE-SU-2013:0786-1, VIGILANCE-VUL-12118.

Description of the vulnerability

The x86 "xsave" and "xrstor" assembler instructions manage the extended state of the processor. These instructions are supported by processors released since 2008.

A user (in a guest system) can use the KVM_SET_SREGS ioctl to set the bit X86_CR4_OSXSAVE in the CR4 register, and can then use the KVM_RUN ioctl. In this case, the kvm_arch_vcpu_ioctl_set_sregs() function uses xsave/xrstor. However, if the processor predates 2008, it does not recognize these instructions, which stops the kernel on the host system.

An attacker, who is located in a qemu+KVM guest system, and on a host system using a processor without xsave/xrstor, can therefore stop the host system.

vulnerability bulletin CVE-2012-5885 CVE-2012-5886 CVE-2012-5887

Apache Tomcat: bypassing the DIGEST authentication

Synthesis of the vulnerability

When Apache Tomcat uses HTTP DIGEST authentication, an attacker can replay a previously captured session, and thus access protected resources.
Impacted products: Tomcat, Debian, HP-UX, NSMXpress, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat.
Severity: 3/4.
Consequences: user access/rights.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 06/11/2012.
Identifiers: BID-56403, c03734195, CERTA-2012-AVI-629, CERTA-2013-AVI-145, CERTFR-2014-AVI-112, CVE-2012-3439-REJECT, CVE-2012-5885, CVE-2012-5886, CVE-2012-5887, DSA-2725-1, HPSBUX02866, JSA10600, MDVSA-2013:004, openSUSE-SU-2012:1700-1, openSUSE-SU-2012:1701-1, openSUSE-SU-2013:0147-1, RHSA-2013:0265-01, RHSA-2013:0266-01, RHSA-2013:0623-01, RHSA-2013:0629-01, RHSA-2013:0631-01, RHSA-2013:0632-01, RHSA-2013:0633-01, RHSA-2013:0640-01, RHSA-2013:0647-01, RHSA-2013:0648-01, RHSA-2013:0665-01, RHSA-2013:0726-01, RHSA-2013:1006-01, SSRT101139, VIGILANCE-VUL-12113.

Description of the vulnerability

The HTTP Digest authentication defined in RFC 2617 combines several elements:
  HA1 = MD5(username:realm:password)
  HA2a = MD5(HTTP-METHOD:uri)
  HA2b = MD5(HTTP-METHOD:uri:MD5(body-of-query))
  if qop == "auth" then HA2 = HA2a; if qop == "auth-int" then HA2 = HA2b
  digest = MD5(HA1:nonce:nc:cnonce:qop:HA2)
Where:
 - realm: service name
 - nonce: server random (the server can indicate that it is "stale", which means already used)
 - cnonce: client random
 - nc: incremented counter
 - qop: requested level of protection: auth or auth-int

However, the Apache Tomcat implementation of HTTP Digest authentication is impacted by three vulnerabilities.

The Tomcat server tracks the nonces (and nc) sent by clients instead of detecting duplicates of its own server nonces. [severity:2/4; CVE-2012-5885]

When a session identifier is present, the authentication is bypassed. [severity:3/4; CVE-2012-5886]

When the nonce is stale, Tomcat does not check the user name and the password, and accepts the session. [severity:3/4; CVE-2012-5887]

When Apache Tomcat uses HTTP DIGEST authentication, an attacker can therefore replay a previously captured session, and thus access protected resources.
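The following added example (not code from the bulletin or from Tomcat) carries the Digest computation above through in Python with the same HA1/HA2/digest terms, and pairs it with a server-side verifier that does the three things the three weaknesses call for: it accepts only nonces it issued itself, it rejects a repeated (nonce, nc) pair, and it checks the credentials before deciding that a nonce is stale. The DigestVerifier class, its max_uses limit, the user store and the request values are all constructed for the illustration; the known-answer check in the test uses the RFC 2617 example values.

```python
"""Added example (not from the Vigil@nce bulletin or Tomcat): RFC 2617 Digest
computation plus a verifier that tracks server-issued nonces, refuses replayed
nc values and validates credentials even when the nonce is stale."""
import hashlib
import secrets


def md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def compute_digest(username, realm, password, method, uri, nonce, nc, cnonce, qop, body=""):
    """digest = MD5(HA1:nonce:nc:cnonce:qop:HA2), with HA2 chosen by qop."""
    ha1 = md5(f"{username}:{realm}:{password}")
    if qop == "auth":
        ha2 = md5(f"{method}:{uri}")                    # HA2a
    elif qop == "auth-int":
        ha2 = md5(f"{method}:{uri}:{md5(body)}")        # HA2b
    else:
        raise ValueError("unsupported qop")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Constructed server-side verifier; state lives in self.issued."""

    def __init__(self, realm, users, max_uses=100):
        self.realm = realm
        self.users = users      # username -> password (constructed store)
        self.max_uses = max_uses  # uses after which a nonce is treated as stale
        self.issued = {}        # nonce -> highest nc accepted so far

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self.issued[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, qop, response, body=""):
        """Return (accepted, reason)."""
        if nonce not in self.issued:
            return False, "unknown nonce"      # only server-issued nonces count
        nc_value = int(nc, 16)
        if nc_value <= self.issued[nonce]:
            return False, "replayed nc"        # same (nonce, nc) already accepted
        # Unknown users get an empty password so the digest simply fails to match.
        password = self.users.get(username, "")
        expected = compute_digest(username, self.realm, password, method, uri,
                                  nonce, nc, cnonce, qop, body)
        if not secrets.compare_digest(expected, response):
            return False, "bad credentials"    # checked before any stale decision
        if nc_value > self.max_uses:
            del self.issued[nonce]
            return False, "stale nonce"        # client must fetch a fresh nonce
        self.issued[nonce] = nc_value
        return True, "ok"


def demo():
    """A valid request, the same request replayed, and a client-chosen nonce."""
    v = DigestVerifier("example", {"alice": "s3cret"})    # constructed credentials
    nonce = v.new_nonce()
    req = dict(username="alice", method="GET", uri="/private",
               nonce=nonce, nc="00000001", cnonce="abcdef", qop="auth")
    resp = compute_digest("alice", "example", "s3cret", "GET", "/private",
                          nonce, "00000001", "abcdef", "auth")
    first = v.verify(response=resp, **req)
    replay = v.verify(response=resp, **req)
    foreign = v.verify(response=resp, **{**req, "nonce": "deadbeef"})
    return first, replay, foreign


def stale_demo():
    """With max_uses=1, an nc of 2 is stale: wrong credentials are still refused
    as such, and correct ones are told to re-authenticate with a new nonce."""
    v = DigestVerifier("example", {"alice": "s3cret"}, max_uses=1)
    nonce = v.new_nonce()
    args = ("alice", "GET", "/p", nonce, "00000002", "c", "auth")
    bad = compute_digest("alice", "example", "wrong", "GET", "/p", nonce, "00000002", "c", "auth")
    good = compute_digest("alice", "example", "s3cret", "GET", "/p", nonce, "00000002", "c", "auth")
    return v.verify(*args, bad), v.verify(*args, good)


if __name__ == "__main__":
    print(demo())
    print(stale_demo())
```

The order of checks in verify() is the point: a captured request fails on the nonce or nc check before the password is even looked at, and a stale nonce never short-circuits credential validation. Nonce state must be kept per server (or shared between cluster members), since state keyed on client-supplied values offers no protection.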