The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Squeeze

vulnerability note CVE-2011-2212

QEMU-KVM: buffer overflow of virtqueue_pop

Synthesis of the vulnerability

A local attacker in a guest system can use virtqueue_pop() to trigger a buffer overflow in the host, which crashes it or leads to code execution.
Impacted products: Debian, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: user shell.
Creation date: 06/07/2011.
Identifiers: 713589, BID-48574, CERTA-2003-AVI-037, CERTA-2011-AVI-383, CVE-2011-2212, DSA-2282-1, openSUSE-SU-2011:0803-1, RHSA-2011:0919-01, SUSE-SU-2011:0806-1, VIGILANCE-VUL-10814.

Description of the vulnerability

The QEMU-KVM product uses the KVM kernel module, in order to manage guest systems.

A host system usually emulates standard devices, for which guest systems have a driver. The VIRTIO (Virtual Input-Output) interface has fewer features than a hardware device and is thus faster to use, provided a VIRTIO driver is installed in the guest systems.

VIRTIO uses queues for data exchange. However, the virtqueue_pop() function of the hw/virtio.c file does not check whether the number of read/write descriptors exceeds the size of the storage array.

A local attacker in a guest system can therefore use virtqueue_pop() to trigger a buffer overflow in the host, which crashes it or leads to code execution.

vulnerability CVE-2011-1526

MIT krb5-appl: file access via ftpd

Synthesis of the vulnerability

A remote attacker can read or modify some files hosted by the ftpd daemon of MIT krb5-appl.
Impacted products: Debian, Fedora, Mandriva Linux, openSUSE, RHEL, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 06/07/2011.
Identifiers: BID-48571, CERTA-2003-AVI-037, CVE-2011-1526, DSA-2283-1, FEDORA-2011-9080, FEDORA-2011-9109, MDVSA-2011:117, MITKRB5-SA-2011-005, openSUSE-SU-2011:1169-1, RHSA-2011:0920-01, RHSA-2012:0306-03, VIGILANCE-VUL-10810.

Description of the vulnerability

The MIT krb5-appl suite contains Kerberized versions of daemons such as telnetd and ftpd.

The ftpd daemon uses the setregid() and initgroups() functions to switch from the group that started the daemon (root/wheel) to the ftp group. However, the return codes of these functions are not checked, so when they fail the ftpd daemon keeps running with the privileges of the root/wheel group.

An FTP service user can then access files hosted on the service that belong to the root/wheel group.

A remote attacker can therefore read or modify some files hosted by the ftpd daemon of MIT krb5-appl.

computer vulnerability bulletin CVE-2011-2464

ISC BIND: denial of service of dns_rdataset_totext

Synthesis of the vulnerability

A remote attacker can send a special DNS packet to the BIND server, in order to stop it.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, BIND, NSM Central Manager, NSMXpress, Mandriva Linux, NetBSD, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity: 3/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 05/07/2011.
Revision date: 05/07/2011.
Identifiers: BID-48566, c03070783, CERTA-2003-AVI-004, CERTA-2011-AVI-381, CVE-2011-2464, DSA-2272-1, FEDORA-2011-9127, FEDORA-2011-9146, FreeBSD-SA-11:03.bind, HPSBUX02719, MDVSA-2011:115, NetBSD-SA2011-006, openSUSE-SU-2011:0788-1, PSN-2012-11-767, RHSA-2011:0926-01, sol12986, SSA:2011-189-01, SSA:2011-224-01, SSRT100658, SUSE-SA:2011:029, SUSE-SU-2011:0759-1, VIGILANCE-VUL-10808, VU#142646.

Description of the vulnerability

The named server of BIND processes received DNS packets and stores them in its cache.

Negative DNS records (cached answers that were previously errors) are saved with a null type. However, if BIND receives a special DNS UPDATE packet, the dns_rdataset_totext() function tries to convert the null type (which is invalid) to a string, and an assertion failure occurs.

A remote attacker can therefore send a special DNS packet to the BIND server (authoritative or recursive), in order to stop it.

computer vulnerability announce CVE-2011-2505 CVE-2011-2506 CVE-2011-2507

phpMyAdmin: four vulnerabilities

Synthesis of the vulnerability

An attacker can use four vulnerabilities of phpMyAdmin, in order to execute PHP code.
Impacted products: Debian, Fedora, phpMyAdmin, TYPO3 Extensions ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 04/07/2011.
Identifiers: BID-48480, BID-48563, CERTA-2003-AVI-037, CERTA-2011-AVI-380, CVE-2011-2505, CVE-2011-2506, CVE-2011-2507, CVE-2011-2508, DSA-2286-1, FEDORA-2011-9132, FEDORA-2011-9144, MDVSA-2011:124, PMASA-2011-5, PMASA-2011-6, PMASA-2011-7, PMASA-2011-8, TYPO3-SA-2011-008, VIGILANCE-VUL-10807.

Description of the vulnerability

The phpMyAdmin program is used to administer a MySQL database. It is impacted by four vulnerabilities.

An attacker can use a Swekey authentication, in order to alter the $_SESSION variable. [severity:2/4; CERTA-2011-AVI-380, CVE-2011-2505, PMASA-2011-5]

An attacker can use the $_SESSION variable, in order to inject PHP code in a file. [severity:3/4; CVE-2011-2506, PMASA-2011-6]

An attacker can use the $_SESSION variable, in order to execute PHP code via preg_replace(). [severity:3/4; CVE-2011-2507, PMASA-2011-7]

An attacker can access a local file, in order to execute its content as PHP code. [severity:3/4; CVE-2011-2508, PMASA-2011-8]

An attacker can therefore use four vulnerabilities of phpMyAdmin, in order to execute PHP code.

vulnerability CVE-2011-2517

Linux kernel: buffer overflow via nl80211

Synthesis of the vulnerability

A local attacker with the CAP_NET_ADMIN capability can create a buffer overflow in nl80211, in order to execute code in the kernel.
Impacted products: Debian, Fedora, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 1/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: user shell.
Creation date: 01/07/2011.
Identifiers: BID-48538, CVE-2011-2517, DSA-2303-1, DSA-2303-2, FEDORA-2011-11103, FEDORA-2011-9130, openSUSE-SU-2012:0799-1, openSUSE-SU-2012:1439-1, RHSA-2011:1189-01, RHSA-2011:1212-01, RHSA-2011:1253-01, RHSA-2011:1813-01, SUSE-SA:2011:031, SUSE-SU-2011:0832-1, VIGILANCE-VUL-10800.

Description of the vulnerability

The net/wireless/nl80211.c file implements NETLINK support for 802.11 wireless networks.

NETLINK NL80211_CMD_TRIGGER_SCAN messages are processed by the nl80211_trigger_scan() function, and NETLINK NL80211_CMD_START_SCHED_SCAN messages by the nl80211_start_sched_scan() function. Only a user with the CAP_NET_ADMIN capability can send these NETLINK messages.

The maximum size of an SSID is 32 bytes. However, the nl80211_trigger_scan() and nl80211_start_sched_scan() functions check the SSID length against the wrong variable, so an oversized SSID is not rejected.

A local attacker with the CAP_NET_ADMIN capability can therefore create a buffer overflow in nl80211, in order to execute code in the kernel.

vulnerability bulletin CVE-2011-1898

Xen: privilege elevation via Intel VT-d

Synthesis of the vulnerability

An attacker inside a guest system on an Intel VT-d processor without Interrupt Remapping can obtain host privileges or create a denial of service.
Impacted products: XenServer, Debian, Fedora, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server, denial of service on service.
Provenance: user shell.
Creation date: 30/06/2011.
Identifiers: BID-48515, CERTA-2003-AVI-008, CTX130325, CVE-2011-1898, DSA-2337-1, FEDORA-2011-8403, FEDORA-2011-8421, openSUSE-SU-2011:0941-1, RHSA-2011:1189-01, RHSA-2011:1479-01, RHSA-2012:0358-01, SUSE-SU-2011:0942-1, VIGILANCE-VUL-10793.

Description of the vulnerability

Recent Intel VT-d processors support the Interrupt Remapping feature, which isolates the interrupts of virtual machines. This feature was defined in 2006, but it was not implemented on all processor models before 2011 (cf. processor datasheet).

These interrupts are used when a virtual machine accesses a real PCI device exported by Xen via the "PCI passthrough" feature (option "pci=", "xl pci-attach" or "xm pci-attach").

Without Interrupt Remapping (or on an old processor supporting neither Intel VT-d nor AMD-Vi), an attacker in a guest system can use DMA to generate an MSI (Message Signaled Interrupt) that is handled directly by the processor with no isolation. This asynchronous interrupt can thus be delivered to a vector which only expects synchronous interrupts.

An attacker inside a guest system on an Intel VT-d processor without Interrupt Remapping can therefore obtain host privileges or create a denial of service.

vulnerability CVE-2011-2512

QEMU-KVM: memory corruption via virtio_queue_notify

Synthesis of the vulnerability

A local attacker in a guest system can use virtio_queue_notify() to corrupt the memory of the host, which crashes it or leads to code execution.
Impacted products: Debian, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server, denial of service on service.
Provenance: user shell.
Creation date: 29/06/2011.
Identifiers: BID-48499, CERTA-2003-AVI-004, CVE-2011-2512, DSA-2270-1, openSUSE-SU-2011:0803-1, RHSA-2011:0919-01, SUSE-SU-2011:0806-1, VIGILANCE-VUL-10790.

Description of the vulnerability

The QEMU-KVM product uses the KVM kernel module, in order to manage guest systems.

A host system usually emulates standard devices, for which guest systems have a driver. The VIRTIO (Virtual Input-Output) interface has fewer features than a hardware device and is thus faster to use, provided a VIRTIO driver is installed in the guest systems.

VIRTIO uses queues for data exchange. The virtio_queue_notify() function of the hw/virtio.c file signals that data is available in a queue. However, this function does not check whether the queue index is negative, so the host can write outside the queue array.

A local attacker in a guest system can therefore use virtio_queue_notify() to corrupt the memory of the host, which crashes it or leads to code execution.

computer vulnerability CVE-2011-2511

libvirt: integer overflow via virDomainGetVcpus

Synthesis of the vulnerability

A remote attacker can use the virDomainGetVcpus() function of libvirt, in order to stop the libvirtd daemon.
Impacted products: Debian, Fedora, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: intranet client.
Creation date: 28/06/2011.
Identifiers: BID-48478, CERTA-2003-AVI-037, CVE-2011-2511, DSA-2280-1, FEDORA-2011-9062, FEDORA-2011-9091, openSUSE-SU-2011:0900-1, RHSA-2011:1019-01, RHSA-2011:1197-01, SUSE-SU-2011:0837-1, VIGILANCE-VUL-10785.

Description of the vulnerability

The libvirt library provides a standard interface to several virtualization products (Xen, QEMU, KVM, etc.).

The virDomainGetVcpus() function of libvirt stores virtual CPU information for a domain in an array of "virVcpuInfo" structures and in a "cpumaps" buffer. The number of records is given by the "maxinfo" parameter, and the size of each "cpumaps" entry by the "maplen" parameter:
  int virDomainGetVcpus(domain, virVcpuInfoArray, maxinfo, cpumaps, maplen);

To allocate the memory area for "cpumaps", the virDomainGetVcpus() function multiplies "maxinfo" by "maplen". However, this multiplication can overflow, so a memory area that is too small is allocated.

A remote attacker can therefore use the virDomainGetVcpus() function of libvirt, in order to stop the libvirtd daemon, and possibly to execute code.
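The length computation described above, as an added illustration that is not libvirt's own code: the first helper models the wrapping "maxinfo" * "maplen" product, the second rejects parameters whose product does not fit the int the length is carried in. The function names cpumaps_len_unchecked, cpumaps_len_checked and alloc_cpumaps are hypothetical.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Vulnerable pattern (hypothetical name): the product is computed in 32-bit
 * arithmetic and wraps, so a large request yields a tiny, even zero-length,
 * allocation that is later overrun. Modelled with uint32_t so the
 * demonstration stays free of undefined signed overflow. */
size_t cpumaps_len_unchecked(int maxinfo, int maplen)
{
    uint32_t product = (uint32_t)maxinfo * (uint32_t)maplen;  /* wraps mod 2^32 */
    return (size_t)product;
}

/* Hardened pattern (hypothetical name): reject non-positive parameters and
 * refuse any product that does not fit in an int. Returns 0 and sets errno
 * on rejection; a valid cpumaps length is never 0. */
size_t cpumaps_len_checked(int maxinfo, int maplen)
{
    if (maxinfo <= 0 || maplen <= 0) {
        errno = EINVAL;
        return 0;
    }
    if (maxinfo > INT_MAX / maplen) {   /* division, so the check itself cannot overflow */
        errno = EOVERFLOW;
        return 0;
    }
    return (size_t)maxinfo * (size_t)maplen;
}

/* Allocates the cpumaps buffer using the checked length; NULL on rejection
 * or allocation failure. Caller frees. */
unsigned char *alloc_cpumaps(int maxinfo, int maplen, size_t *out_len)
{
    size_t len = cpumaps_len_checked(maxinfo, maplen);
    if (len == 0)
        return NULL;
    unsigned char *buf = calloc(len, 1);
    if (buf != NULL && out_len != NULL)
        *out_len = len;
    return buf;
}
```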

vulnerability announce CVE-2011-2501 CVE-2011-2691

libpng: denial of service of png_format_buffer

Synthesis of the vulnerability

An attacker can invite the victim to display a malformed PNG image, in order to stop applications linked to libpng.
Impacted products: Debian, Fedora, libpng, Mandriva Linux, NLD, OES, openSUSE, Solaris, Trusted Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 28/06/2011.
Identifiers: BID-48474, BID-48660, CERTA-2003-AVI-037, CVE-2011-2501, CVE-2011-2691, DSA-2287-1, FEDORA-2011-8844, FEDORA-2011-8867, FEDORA-2011-8868, FEDORA-2011-8874, FEDORA-2011-9336, FEDORA-2011-9343, MDVSA-2011:151, openSUSE-SU-2011:0915-1, RHSA-2011:1105-01, SUSE-SU-2011:0916-1, SUSE-SU-2011:0919-1, VIGILANCE-VUL-10782.

Description of the vulnerability

The libpng library is used to process PNG (Portable Network Graphics) images.

The png_chunk_error() and png_chunk_warning() functions create error messages indicating that an image is invalid. They call the png_format_buffer() function, which contains the following code:
  png_memcpy(buffer+iout, error_message, PNG_MAX_ERROR_TEXT(64));
This call thus always appends 64 bytes to the buffer.

However, if the message is only 10 bytes long, 64 bytes are still copied, so the processor reads 54 bytes located after the end of the message string. If those bytes lie in a different memory page, a segmentation fault occurs.

An attacker can therefore invite the victim to display a malformed PNG image, in order to stop applications linked to libpng.

This vulnerability is a regression of VIGILANCE-VUL-4148.
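A bounded form of the copy described above, as an added example that is not libpng's code: the message is copied up to its terminating NUL or PNG_MAX_ERROR_TEXT bytes, whichever comes first, so a short message never causes a read past its end. The names format_error_bounded and demo_format are hypothetical; demo_format poisons its buffer to confirm the copy stays within the message.

```c
#include <stddef.h>
#include <string.h>

#define PNG_MAX_ERROR_TEXT 64

/* Hypothetical replacement for the fixed-length png_memcpy(): copies at
 * most PNG_MAX_ERROR_TEXT bytes of error_message into buffer + iout,
 * stopping at the terminating NUL, and NUL-terminates the result.
 * Returns the number of message bytes copied. buffer is assumed to have
 * room for iout + PNG_MAX_ERROR_TEXT + 1 bytes. */
size_t format_error_bounded(char *buffer, size_t iout, const char *error_message)
{
    size_t n = 0;
    /* manual scan instead of strnlen() keeps this portable to C89 builds */
    while (n < PNG_MAX_ERROR_TEXT && error_message[n] != '\0')
        n++;
    memcpy(buffer + iout, error_message, n);
    buffer[iout + n] = '\0';
    return n;
}

/* Self-check (hypothetical): formats msg after a fixed prefix into a buffer
 * pre-filled with 'X', then returns the number of message bytes copied, or
 * (size_t)-1 if the result is not NUL-terminated exactly where expected. */
size_t demo_format(const char *msg)
{
    static const char prefix[] = "libpng error: ";
    char buffer[sizeof prefix + PNG_MAX_ERROR_TEXT + 1];
    size_t iout = sizeof prefix - 1;
    memset(buffer, 'X', sizeof buffer);          /* poison to expose over-copy */
    memcpy(buffer, prefix, iout);
    size_t n = format_error_bounded(buffer, iout, msg);
    return strlen(buffer) == iout + n ? n : (size_t)-1;
}
```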

vulnerability alert CVE-2011-2204

Apache Tomcat: reading passwords of MemoryUserDatabase

Synthesis of the vulnerability

An attacker who is allowed to read log files can read passwords that are sometimes written to these files.
Impacted products: Tomcat, Debian, HP-UX, NSM Central Manager, NSMXpress, Mandriva Linux, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, SLES.
Severity: 1/4.
Consequences: user access/rights, data reading.
Provenance: user shell.
Creation date: 27/06/2011.
Identifiers: BID-48456, c03090723, CVE-2011-2204, DSA-2401-1, HPSBUX02725, MDVSA-2011:156, openSUSE-SU-2011:0988-1, PSN-2012-05-584, RHSA-2011:1780-01, RHSA-2011:1845-01, RHSA-2012:0679-01, RHSA-2012:0680-01, RHSA-2012:0681-01, RHSA-2012:0682-01, SSRT100627, SUSE-SU-2011:0989-1, SUSE-SU-2011:0990-1, VIGILANCE-VUL-10781.

Description of the vulnerability

The MemoryUserDatabase stores user information in memory, loaded from the conf/tomcat-users.xml file. Users can be created via JMX (Java Management Extensions).

When an exception (Out of Memory, for example) occurs while a user is being created by org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java, this class logs the username together with the password.

An attacker who is allowed to read log files can therefore read passwords that are sometimes written to these files.