The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Squeeze

computer vulnerability CVE-2011-1750

QEMU-KVM: buffer overflow via virtio-blk

Synthesis of the vulnerability

A privileged attacker in a QEMU-KVM guest system can generate an overflow, in order to stop the host system or to execute code.
Impacted products: Debian, Fedora, openSUSE, RHEL, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: administrator access/rights.
Provenance: privileged shell.
Creation date: 22/04/2011.
Identifiers: BID-47546, CVE-2011-1750, DSA-2230-1, FEDORA-2012-8592, FEDORA-2012-8604, openSUSE-SU-2011:0510-1, RHSA-2011:0534-01, SUSE-SR:2011:010, SUSE-SU-2011:0533-1, VIGILANCE-VUL-10595.

Description of the vulnerability

QEMU-KVM uses the KVM kernel module, and can use VIRTIO to communicate efficiently with the kernel.

The hw/virtio-blk.c file implements support for block devices, such as hard drives. However, the virtio_blk_handle_write() and virtio_blk_handle_read() functions do not check whether the size of a request is a multiple of the block size. A buffer overflow then occurs.

These malformed requests can only be sent by an administrator in the guest system.

A privileged attacker in a QEMU-KVM guest system can therefore generate an overflow, in order to stop the host system or to execute code.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2011-1507 CVE-2011-1599

Asterisk: two vulnerabilities

Synthesis of the vulnerability

An attacker can use two vulnerabilities of Asterisk, in order to create a denial of service or to execute code.
Impacted products: Asterisk Open Source, Debian, Fedora.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 22/04/2011.
Identifiers: AST-2011-005, AST-2011-006, BID-47537, CERTA-2003-AVI-001, CERTA-2011-AVI-196, CERTA-2011-AVI-249, CVE-2011-1507, CVE-2011-1599, DSA-2225-1, FEDORA-2011-6208, FEDORA-2011-6225, VIGILANCE-VUL-10594.

Description of the vulnerability

Two vulnerabilities were announced in Asterisk.

An unauthenticated attacker can create several TCP sessions (TCP SIP, Skinny, Asterisk Manager Interface, HTTP), in order to create a denial of service. [severity:2/4; AST-2011-005, CERTA-2011-AVI-249, CVE-2011-1507]

An attacker can send an Async or Application header, in order to execute a shell command via the Asterisk Manager Interface. [severity:3/4; AST-2011-006, BID-47537, CVE-2011-1599]

An attacker can therefore use two vulnerabilities of Asterisk, in order to create a denial of service or to execute code.

vulnerability announce CVE-2011-1745 CVE-2011-1746 CVE-2011-1747

Linux kernel: memory corruption via AGPgart

Synthesis of the vulnerability

A local attacker can use two vulnerabilities of AGPgart, in order to corrupt memory, to create a denial of service or to elevate their privileges.
Impacted products: Debian, Fedora, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 3.
Creation date: 21/04/2011.
Identifiers: BID-47534, BID-47535, BID-47843, CVE-2011-1745, CVE-2011-1746, CVE-2011-1747, CVE-2011-2022, DSA-2240-1, DSA-2264-1, FEDORA-2011-6447, FEDORA-2011-6541, openSUSE-SU-2011:0860-1, RHSA-2011:0927-01, RHSA-2011:1253-01, RHSA-2011:1350-01, SUSE-SA:2011:031, SUSE-SA:2011:034, SUSE-SA:2011:040, SUSE-SU-2011:0832-1, SUSE-SU-2011:0899-1, SUSE-SU-2011:0928-1, SUSE-SU-2011:1058-1, VIGILANCE-VUL-10592.

Description of the vulnerability

The AGPgart (Graphics Address Remapping Table) module is used by video devices with low memory resources. It uses /dev/agpgart, and it is impacted by two vulnerabilities.

The AGPIOC_BIND and AGPIOC_UNBIND ioctls call the agp_generic_insert_memory() and agp_generic_remove_memory() functions. An attacker can use them to write to kernel memory. [severity:2/4; BID-47534, BID-47843, CVE-2011-1745, CVE-2011-2022]

The AGPIOC_ALLOCATE ioctl calls the agp_create_user_memory() and agp_allocate_memory() functions. An attacker can use them to create a buffer overflow. [severity:2/4; BID-47535, CVE-2011-1746]

An attacker can use the AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls in order to allocate memory areas that are never freed. [severity:1/4; CVE-2011-1747]

A local attacker can therefore use two vulnerabilities of AGPgart, in order to corrupt memory, to create a denial of service or to elevate their privileges.

computer vulnerability bulletin CVE-2011-1748

Linux kernel: denial of service via CAN RAW

Synthesis of the vulnerability

A local attacker can use a CAN RAW socket, in order to stop the system.
Impacted products: Debian, Linux, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 21/04/2011.
Identifiers: CVE-2011-1748, DSA-2240-1, DSA-2264-1, RHSA-2011:0836-01, RHSA-2011:1253-01, SUSE-SA:2011:031, SUSE-SU-2011:0832-1, VIGILANCE-VUL-10588.

Description of the vulnerability

The CAN (Controller Area Network) bus is mainly used in cars. CAN RAW sockets are used to directly build packets.

The raw_release() function of the net/can/raw.c file is called when an error occurs in socket()/socketpair()/etc. or when the socket is closed with close().

However, if raw_release() is called after such an error, its socket parameter can be NULL, and this NULL pointer is dereferenced.

A local attacker can therefore use a CAN RAW socket, in order to stop the system.

vulnerability note CVE-2011-1598

Linux kernel: denial of service via CAN BCM

Synthesis of the vulnerability

A local attacker can use a CAN BCM socket, in order to stop the system.
Impacted products: Debian, Linux, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 20/04/2011.
Identifiers: BID-47503, CVE-2011-1598, DSA-2240-1, DSA-2264-1, RHSA-2011:0836-01, RHSA-2011:1253-01, SUSE-SA:2011:031, SUSE-SU-2011:0832-1, VIGILANCE-VUL-10584.

Description of the vulnerability

The BCM (Broadcast Manager) of the CAN (Controller Area Network, mainly used in cars) bus handles the broadcast of packets on the bus.

The bcm_release() function of the net/can/bcm.c file is called when an error occurs in socket()/socketpair()/etc. or when the socket is closed with close().

However, if bcm_release() is called after such an error, its socket parameter can be NULL, and this NULL pointer is dereferenced.

A local attacker can therefore use a CAN BCM socket, in order to stop the system.

vulnerability bulletin CVE-2011-1485

PolicyKit: privilege elevation via pkexec

Synthesis of the vulnerability

A local attacker can use pkexec, in order to execute code with root privileges.
Impacted products: Debian, Fedora, Mandriva Linux, openSUSE, RHEL, Slackware, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 20/04/2011.
Identifiers: BID-47496, CERTA-2003-AVI-005, CVE-2011-1485, DSA-2319-1, FEDORA-2011-5676, MDVSA-2011:086, openSUSE-SU-2011:0412-1, openSUSE-SU-2011:0413-1, RHSA-2011:0455-01, SSA:2011-109-01, SUSE-SR:2011:008, VIGILANCE-VUL-10583.

Description of the vulnerability

The PolicyKit suite provides the pkexec utility, which is used to execute a command with a uid (user id) different from that of the current user.

pkexec determines the uid of the process that called it, in order to know which user invoked pkexec. However, if this process uses exec() to replace itself with a setuid-root program, pkexec obtains uid zero and deduces that root invoked it. The security checks are then bypassed.

A local attacker can therefore use pkexec, in order to execute code with root privileges.

computer vulnerability announce CVE-2011-1593

Linux kernel: denial of service via /proc next_pidmap

Synthesis of the vulnerability

An attacker can access the /proc directory, in order to stop the Linux kernel.
Impacted products: Debian, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 19/04/2011.
Identifiers: BID-47497, CVE-2011-1593, DSA-2240-1, DSA-2264-1, openSUSE-SU-2011:0860-1, openSUSE-SU-2011:0861-1, openSUSE-SU-2013:0927-1, RHSA-2011:0927-01, RHSA-2011:1189-01, RHSA-2011:1253-01, SUSE-SA:2011:027, SUSE-SA:2011:031, SUSE-SA:2011:034, SUSE-SU-2011:0711-1, SUSE-SU-2011:0737-1, SUSE-SU-2011:0832-1, SUSE-SU-2011:0899-1, SUSE-SU-2011:1150-1, VIGILANCE-VUL-10577.

Description of the vulnerability

The /proc virtual directory contains information on processes.

The getdents() (get directory entries) system call obtains the list of files of a directory. The lseek() call is used to change the current position in a file.

If an attacker opens the /proc directory, then moves the position with lseek(), then calls getdents(), the next_pidmap() function of the kernel/pid.c file obtains a pid (process number) that is too large. A fatal error then occurs in find_ge_pid().

A local attacker can therefore access the /proc directory, in order to stop the Linux kernel.

vulnerability alert CVE-2011-1590 CVE-2011-1591 CVE-2011-1592

Wireshark: three vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Wireshark can be used by a remote attacker to create a denial of service or to execute code.
Impacted products: Debian, Fedora, Mandriva Linux, NLD, OES, OpenSolaris, openSUSE, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Wireshark.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 18/04/2011.
Identifiers: 5209, 5754, 5793, BID-47392, CERTA-2003-AVI-004, CVE-2011-1590, CVE-2011-1591, CVE-2011-1592, DSA-2274-1, FEDORA-2011-5529, FEDORA-2011-5569, MDVSA-2011:083, openSUSE-SU-2011:0599-1, openSUSE-SU-2011:0602-1, RHSA-2012:0509-01, SUSE-SU-2011:0604-1, SUSE-SU-2011:0611-1, VIGILANCE-VUL-10571, VU#243670, wnpa-sec-2011-05, wnpa-sec-2011-06.

Description of the vulnerability

The Wireshark program captures and displays network packets. Protocols are decoded by dissectors. They are impacted by several vulnerabilities.

On Windows, an attacker can stop the NFS dissector. [severity:1/4; 5209, CVE-2011-1592]

An attacker can stop the X.509if dissector. [severity:1/4; 5754, 5793, CVE-2011-1590]

An attacker can generate a buffer overflow in the DECT dissector, in order to execute code. [severity:2/4; CVE-2011-1591, VU#243670]

computer vulnerability bulletin CVE-2011-1585

Linux kernel: reuse of CIFS session

Synthesis of the vulnerability

A local attacker can reuse the CIFS session of another user, in order to access that user's data.
Impacted products: Debian, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: user shell.
Creation date: 15/04/2011.
Identifiers: BID-47381, CVE-2011-1585, DSA-2240-1, openSUSE-SU-2011:0861-1, RHSA-2011:1253-01, RHSA-2011:1386-01, SUSE-SA:2011:026, SUSE-SA:2011:027, SUSE-SA:2011:031, SUSE-SA:2011:034, SUSE-SA:2011:040, SUSE-SU-2011:0512-1, SUSE-SU-2011:0711-1, SUSE-SU-2011:0737-1, SUSE-SU-2011:0832-1, SUSE-SU-2011:0899-1, SUSE-SU-2011:1058-1, SUSE-SU-2015:0812-1, VIGILANCE-VUL-10568.

Description of the vulnerability

The kernel implements a CIFS client to access resources shared via CIFS/SMB.

The cifs_find_smb_ses() function of the fs/cifs/connect.c file returns the session of the CIFS client user (who mounted a network share). However, if a local attacker supplies an empty password, this function returns the session parameters of the first user.

A local attacker can therefore reuse the CIFS session of another user, in order to access that user's data.

computer vulnerability CVE-2011-1577

Linux kernel: denial of service via EFI

Synthesis of the vulnerability

An attacker can mount a device with a malicious EFI partition, in order to stop the system.
Impacted products: Debian, Fedora, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user console.
Creation date: 13/04/2011.
Identifiers: BID-47343, CVE-2011-1577, DSA-2264-1, FEDORA-2011-7823, openSUSE-SU-2011:0416-1, openSUSE-SU-2011:0861-1, PRE-SA-2011-03, RHSA-2011:0833-01, RHSA-2011:1253-01, RHSA-2011:1465-01, SUSE-SA:2011:021, SUSE-SA:2011:026, SUSE-SA:2011:027, SUSE-SA:2011:031, SUSE-SU-2011:0512-1, SUSE-SU-2011:0711-1, SUSE-SU-2011:0737-1, SUSE-SU-2011:0832-1, SUSE-SU-2011:0928-1, SUSE-SU-2011:1150-1, SUSE-SU-2012:0364-1, VIGILANCE-VUL-10565.

Description of the vulnerability

The fs/partitions/efi.c file implements support for EFI (Extensible Firmware Interface) partitions. These partitions are read automatically when a user connects/mounts a device formatted with EFI.

The is_gpt_valid() function computes the CRC32 of the EFI GPT (GUID Partition Table). However, the is_gpt_valid() function does not check whether the size field is too large, and then tries to read from an invalid memory address.

An attacker can therefore mount a device with a malicious EFI partition, in order to stop the system.
Our database contains other pages. You can request a free trial to read them.
