The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Squeeze

computer vulnerability alert CVE-2010-4258

Linux kernel: memory corruption via do_exit

Synthesis of the vulnerability

A local attacker can trigger a kernel error that calls BUG(), in order to alter a value located in kernel memory.
Impacted products: Debian, Fedora, Linux, MES, NLD, OES, openSUSE, SLES.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 03/12/2010.
Identifiers: BID-45159, CERTA-2002-AVI-280, CVE-2010-4258, DSA-2153-1, FEDORA-2010-18983, MDVSA-2011:029, openSUSE-SU-2011:0003-1, openSUSE-SU-2011:0004-1, openSUSE-SU-2011:0048-1, openSUSE-SU-2013:0927-1, SUSE-SA:2011:001, SUSE-SA:2011:002, SUSE-SA:2011:004, SUSE-SA:2011:005, SUSE-SA:2011:007, SUSE-SA:2011:008, SUSE-SU-2011:0635-1, SUSE-SU-2011:0928-1, VIGILANCE-VUL-10176.

Description of the vulnerability

The set_fs(KERNEL_DS) call indicates that the following code runs on behalf of the kernel (no memory segment limit). The set_fs(USER_DS) call indicates that the code runs on behalf of user space.

The access_ok() function checks whether a memory address is located in user space. This check is effectively disabled while KERNEL_DS is in effect.

When a process triggers a kernel error (such as a BUG() call), do_exit() calls the clear_child_tid() function. This function calls access_ok() before writing to memory. However, if KERNEL_DS is still in effect, clear_child_tid() can write into kernel space.

A local attacker can therefore trigger a kernel error that calls BUG(), in order to alter a value located in kernel memory.

vulnerability bulletin CVE-2008-7270 CVE-2010-4180

OpenSSL: changing ciphersuite

Synthesis of the vulnerability

When a server uses OpenSSL, a remote attacker can change the ciphersuite, in order to force the usage of a weaker algorithm.
Impacted products: ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, Debian, Fedora, ProCurve Switch, HP Switch, HP-UX, AIX, NSM Central Manager, NSMXpress, Mandriva Corporate, MES, Mandriva Linux, NetBSD, OpenSSL, openSUSE, Solaris, Trusted Solaris, RHEL, JBoss EAP by Red Hat, Slackware, SUSE Linux Enterprise Desktop, SLES, ESX, ESXi, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 03/12/2010.
Identifiers: BID-45164, BID-45254, c02737002, c03819065, CERTA-2010-AVI-590, CERTA-2011-AVI-052, CERTA-2011-AVI-609, CERTA-2012-AVI-479, CVE-2008-7270, CVE-2010-4180, DSA-2141-1, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, ESXi410-201208101-SG, ESXi500-201212102-SG, FEDORA-2010-18736, FEDORA-2010-18765, HPSBPV02891, HPSBUX02638, MDVSA-2010:248, openSUSE-SU-2011:0014-1, openSUSE-SU-2011:0845-1, openSUSE-SU-2012:0199-1, openSUSE-SU-2012:0229-1, PSN-2012-11-767, RHSA-2010:0977-01, RHSA-2010:0978-01, RHSA-2010:0979-01, RHSA-2011:0896-01, RHSA-2011:0897-01, SA53, SSA:2010-340-01, SSRT100339, SUSE-SR:2011:001, SUSE-SR:2011:009, SUSE-SU-2011:0847-1, VIGILANCE-VUL-10173, VMSA-2011-0004.2, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005, VMSA-2012-0005.2, VMSA-2012-0012.1, VMSA-2012-0012.2, VMSA-2012-0013, VMSA-2012-0013.2, VMSA-2013-0003.

Description of the vulnerability

The SSL session caching feature saves sessions so that they can be reused later. An application can enable it with the SSL_CTX_set_session_cache_mode() function. For example, Apache httpd does not enable it.

The SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG flag allows a ciphersuite change, to work around a compatibility problem with old Netscape web browsers.

However, when a server uses session caching together with SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (which SSL_OP_ALL includes), a malicious client can use this feature to choose a weaker algorithm for the following sessions.

When a server uses OpenSSL, a remote attacker can therefore change the ciphersuite, in order to force the usage of a weaker algorithm.

computer vulnerability bulletin CVE-2010-1323 CVE-2010-1324 CVE-2010-4020

MIT krb5: vulnerabilities of checksum

Synthesis of the vulnerability

Several vulnerabilities of MIT krb5 can be used by an attacker, in order to alter Kerberos messages.
Impacted products: Debian, Fedora, HP-UX, Mandriva Corporate, MES, Mandriva Linux, MIT krb5, OpenSolaris, openSUSE, Solaris, RHEL, SLES, ESX, ESXi, VMware vSphere, VMware vSphere Hypervisor.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data creation/edition.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 7.
Creation date: 01/12/2010.
Identifiers: BID-45116, BID-45117, BID-45118, BID-45122, c02657328, CERTA-2002-AVI-272, CERTA-2010-AVI-571, CERTA-2013-AVI-543, CERTFR-2014-AVI-112, CERTFR-2014-AVI-244, CVE-2010-1323, CVE-2010-1324, CVE-2010-4020, CVE-2010-4021, DSA-2129-1, ESX400-201110001, ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110406-SG, ESX400-201110408-SG, ESX400-201110409-SG, ESX400-201110410-SG, FEDORA-2010-18409, FEDORA-2010-18425, HPSBUX02623, MDVSA-2010:245, MDVSA-2010:246, MITKRB5-SA-2010-007, openSUSE-SU-2010:1053-1, RHSA-2010:0925-01, RHSA-2010:0926-01, SSRT100355, SUSE-SR:2010:023, SUSE-SR:2010:024, VIGILANCE-VUL-10168, VMSA-2011-0004.2, VMSA-2011-0007, VMSA-2011-0009.1, VMSA-2011-0010.2, VMSA-2011-0012, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005.

Description of the vulnerability

Several vulnerabilities were announced in MIT krb5.

The krb5 client (version 1.3 or later) does not require SAM-2 messages to use a key for HMAC algorithms. An attacker can therefore obtain the SAD (Single-use Authentication Data), in order to obtain the identity of the client. [severity:3/4; BID-45118, CERTA-2010-AVI-571, CVE-2010-1323]

The krb5 client (version 1.3 or later) does not require messages to use a strong key for the "RFC 3961 key-derivation RC4 checksum" HMAC algorithms. An attacker therefore has a 1/256 chance of forging a KRB-SAFE message. [severity:3/4; BID-45118, CERTA-2010-AVI-571, CVE-2010-1323]

When an application uses the krb5 1.7/1.8 GSS-API with a DES session key, the server does not require messages to use a key for HMAC algorithms. An attacker can therefore forge GSS tokens. [severity:3/4; BID-45116, CVE-2010-1324]

The krb5 1.7/1.8 KDC server does not require PAC (Privilege Attribute Certificate) messages to use a key for HMAC algorithms. An attacker can therefore forge malicious "PAC authdata" authentication data. [severity:3/4; BID-45116, CVE-2010-1324]

The krb5 1.7/1.8 KDC server does not require messages to use a strong key for the "RFC 3961 key-derivation RC4 checksum" HMAC algorithms. An attacker therefore has a 1/256 chance of changing the KDC-REQ type of a KrbFastReq (KrbArmoredFastReq) message. [severity:2/4; BID-45116, CVE-2010-1324]

The krb5 1.8 KDC server does not require messages to use a strong key for the "RFC 3961 key-derivation RC4 checksum" HMAC algorithms. An attacker therefore has a 1/256 chance of forging an AD-SIGNEDPATH or AD-KDC-ISSUED message. [severity:2/4; BID-45117, CVE-2010-4020]

The krb5 1.7 KDC server does not correctly check the TGT credential, so an attacker can obtain a ticket to be used with S4U2proxy. [severity:1/4; BID-45122, CVE-2010-4021]

computer vulnerability CVE-2010-4329

phpMyAdmin: Cross Site Scripting via db

Synthesis of the vulnerability

An attacker can use the database search script, in order to inject JavaScript code in phpMyAdmin.
Impacted products: Debian, Fedora, Mandriva Corporate, MES, phpMyAdmin.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 30/11/2010.
Identifiers: BID-45100, CERTA-2003-AVI-003, CERTA-2010-AVI-572, CVE-2010-4329, DSA-2139-1, FEDORA-2010-18343, FEDORA-2010-18371, MDVSA-2010:244, PMASA-2010-8, VIGILANCE-VUL-10165.

Description of the vulnerability

The phpMyAdmin program is used to administer a MySQL database.

The PMA_linkOrButton() function of the libraries/common.lib.php file generates links. However, this function does not filter the parameters from which the links are generated.

The database search script uses PMA_linkOrButton() to generate a confirmation link, so this script can be used as an attack vector.

An attacker can therefore use the database search script, in order to inject JavaScript code in phpMyAdmin.

computer vulnerability announce CVE-2010-3848 CVE-2010-3849 CVE-2010-3850

Linux kernel: three vulnerabilities of Econet

Synthesis of the vulnerability

A local attacker can use an Econet socket, in order to create a denial of service or to elevate privileges.
Impacted products: Debian, Linux, Mandriva Corporate, MES, Mandriva Linux, NLD, OES, openSUSE, SLES.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 3.
Creation date: 29/11/2010.
Identifiers: BID-45072, CERTA-2002-AVI-272, CVE-2010-3848, CVE-2010-3849, CVE-2010-3850, DSA-2126-1, MDVSA-2010:257, MDVSA-2011:051, openSUSE-SU-2011:0346-1, openSUSE-SU-2011:0399-1, SUSE-SA:2011:005, SUSE-SA:2011:007, SUSE-SA:2011:008, SUSE-SA:2011:017, SUSE-SA:2011:020, SUSE-SU-2011:0635-1, SUSE-SU-2011:0928-1, VIGILANCE-VUL-10157.

Description of the vulnerability

The Econet protocol is used by some local networks. Its implementation in the Linux kernel is affected by three vulnerabilities.

An attacker can use a large msg->msg_iovlen value, in order to create a buffer overflow. [severity:2/4; CVE-2010-3848]

An attacker can call sendmsg() with a null remote address, in order to create a denial of service. [severity:1/4; CVE-2010-3849]

An unprivileged attacker is allowed to change the Econet address of network interfaces. [severity:2/4; CVE-2010-3850]

computer vulnerability alert CVE-2010-3448

Linux kernel: denial of service via thinkpad-acpi

Synthesis of the vulnerability

On a ThinkPad running X.org, a local attacker can stop the system.
Impacted products: Debian, Linux.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 29/11/2010.
Identifiers: 652122, CERTA-2002-AVI-272, CVE-2010-3448, DSA-2126-1, VIGILANCE-VUL-10156.

Description of the vulnerability

The drivers/platform/x86/thinkpad_acpi.c file implements the ACPI (Advanced Configuration and Power Interface) features of ThinkPad computers.

A local attacker can read the video configuration via the X.org configuration interface. The video_read() function is then called to access the Video Output Control State, which stops the kernel.

On a ThinkPad running X.org, a local attacker can therefore stop the system.

vulnerability bulletin CVE-2010-3699

Linux kernel: denial of service via xen

Synthesis of the vulnerability

An attacker located in a Xen guest system can reopen a XenBus device, so that kernel resources are never freed, which creates a denial of service.
Impacted products: Debian, Linux, openSUSE, RHEL, SLES, ESX.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 25/11/2010.
Identifiers: 636411, BID-45039, CERTA-2002-AVI-280, CVE-2010-3699, DSA-2153-1, ESX400-201110001, ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110406-SG, ESX400-201110408-SG, ESX400-201110409-SG, ESX400-201110410-SG, openSUSE-SU-2011:0159-1, openSUSE-SU-2011:0346-1, openSUSE-SU-2011:0399-1, openSUSE-SU-2013:0927-1, RHSA-2011:0004-01, SUSE-SA:2011:005, SUSE-SA:2011:012, SUSE-SA:2011:017, SUSE-SA:2011:020, VIGILANCE-VUL-10153, VMSA-2011-0004.2, VMSA-2011-0009.1, VMSA-2011-0010.2, VMSA-2011-0012, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005.

Description of the vulnerability

The XenBus bus is used by para-virtualized devices to communicate between domains.

The blkback, blktap and netback devices use XenBus. However, when the bus is reopened without having been closed, these devices do not free a kernel thread. The xenwatch task then blocks, and management commands (the xm utility) stop working.

An attacker located in a Xen guest system can therefore reopen a XenBus device, so that kernel resources are never freed, which creates a denial of service.

computer vulnerability note CVE-2010-4249

Linux kernel: denial of service via unix socket

Synthesis of the vulnerability

A local attacker can use several unix sockets, in order to create a denial of service.
Impacted products: Debian, Fedora, Linux, openSUSE, RHEL, ESX.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 24/11/2010.
Identifiers: BID-45037, CERTA-2002-AVI-280, CVE-2010-4249, DSA-2153-1, ESX400-201110001, ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110406-SG, ESX400-201110408-SG, ESX400-201110409-SG, ESX400-201110410-SG, FEDORA-2010-18983, openSUSE-SU-2012:0799-1, openSUSE-SU-2012:1439-1, RHSA-2011:0007-01, RHSA-2011:0162-01, RHSA-2011:0303-01, RHSA-2011:0330-01, VIGILANCE-VUL-10149, VMSA-2011-0004.2, VMSA-2011-0009.1, VMSA-2011-0010.2, VMSA-2011-0012, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005.

Description of the vulnerability

A program can create different socket types: tcp, udp, unix, etc.

When a program using unix sockets ends, the kernel calls the wait_for_unix_gc() (Garbage Collector) function of the net/unix/garbage.c file, in order to free resources.

However, this function does not call unix_gc() to free resources immediately. When several programs run, the amount of resources waiting to be freed grows until all memory is depleted.

A local attacker can therefore use several unix sockets, in order to create a denial of service.

computer vulnerability announce CVE-2010-4248

Linux kernel: denial of service via posix-cpu-timers

Synthesis of the vulnerability

A local attacker can create a multi-threaded process using POSIX timers, in order to stop the system.
Impacted products: Debian, Fedora, Linux, MES, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 23/11/2010.
Identifiers: BID-45028, CERTA-2002-AVI-280, CVE-2010-4248, DSA-2153-1, ESX400-201110001, ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110406-SG, ESX400-201110408-SG, ESX400-201110409-SG, ESX400-201110410-SG, FEDORA-2010-18493, FEDORA-2010-18506, MDVSA-2011:029, openSUSE-SU-2011:0346-1, openSUSE-SU-2011:0399-1, RHSA-2011:0004-01, RHSA-2011:0007-01, RHSA-2011:0330-01, SUSE-SA:2011:015, SUSE-SA:2011:017, SUSE-SA:2011:020, SUSE-SU-2011:1150-1, VIGILANCE-VUL-10147, VMSA-2011-0004.2, VMSA-2011-0009.1, VMSA-2011-0010.2, VMSA-2011-0012, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005.

Description of the vulnerability

The kernel/posix-cpu-timers.c file implements timers used by system calls such as nanosleep() and clock_getres().

When a process ends, the posix_cpu_timer_del() function deletes its current timers. If the thread group leader has changed, the posix_cpu_timers_exit_group() function is not called. This case is not handled, and the BUG_ON() macro stops the kernel.

A local attacker can therefore create a multi-threaded process using POSIX timers, in order to stop the system.

vulnerability bulletin CVE-2010-4243

Linux kernel: denial of service via argv

Synthesis of the vulnerability

A local attacker can create a program allocating a lot of memory for parameters of another program, in order to create a denial of service.
Impacted products: Debian, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 22/11/2010.
Identifiers: 625688, BID-45004, CERTA-2002-AVI-280, CVE-2010-4243, DSA-2153-1, ESX400-201110001, ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110406-SG, ESX400-201110408-SG, ESX400-201110409-SG, ESX400-201110410-SG, openSUSE-SU-2011:0159-1, openSUSE-SU-2011:0346-1, openSUSE-SU-2011:0399-1, openSUSE-SU-2013:0927-1, RHSA-2011:0017-01, RHSA-2011:0283-01, RHSA-2011:1253-01, SUSE-SA:2011:012, SUSE-SA:2011:017, SUSE-SA:2011:020, SUSE-SU-2011:1150-1, VIGILANCE-VUL-10143, VMSA-2011-0004.2, VMSA-2011-0009.1, VMSA-2011-0010.2, VMSA-2011-0012, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005.

Description of the vulnerability

The Linux kernel contains an OOM (Out Of Memory) Killer, which kills processes consuming a lot of memory, so that a local attacker cannot create a permanent denial of service.

The parameters of a program (named "argv" in the C language) are not counted toward the memory usage of a process. A local attacker can therefore create programs with large parameters, in order to bypass the OOM Killer.

A local attacker can therefore create a program allocating a lot of memory for parameters of another program, in order to create a denial of service.