The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Stretch

vulnerability alert CVE-2011-1767 CVE-2011-1768

Linux kernel: denial of service via GRE/Tunnel

Synthesis of the vulnerability

When the system starts, an attacker can send a tunneled packet, in order to stop the system.
Impacted products: Debian, Linux, RHEL.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 18/02/2010.
Identifiers: BID-38301, BID-38303, BID-47852, BID-47853, CVE-2011-1767, CVE-2011-1768, DSA-2240-1, DSA-2264-1, RHSA-2011:0928-01, RHSA-2011:1253-01, VIGILANCE-VUL-9461.

Description of the vulnerability

The Linux kernel implements several tunnel types:
 - GRE (Generic Routing Encapsulation): net/ipv4/ip_gre.c
 - IP in IP: net/ipv4/ipip.c
 - IPv6: net/ipv6/ip6_tunnel.c
 - IPv6: net/ipv6/sit.c
 - IPv6: net/ipv6/xfrm6_tunnel.c

When these protocols are compiled as kernel modules and a packet for one of them is received before the module has finished loading, net_generic() fails and the kernel stops.

When the system starts, an attacker can therefore send a tunneled packet, in order to stop the system.

vulnerability CVE-2009-1571 CVE-2009-3988 CVE-2010-0159

Firefox, SeaMonkey, Thunderbird: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities in Firefox, SeaMonkey and Thunderbird can be used by an attacker to execute code on the victim's computer.
Impacted products: Debian, Fedora, Mandriva Linux, Firefox, SeaMonkey, Thunderbird, openSUSE, RHEL, Slackware, SLES.
Severity: 4/4.
Consequences: user access/rights, client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 18/02/2010.
Identifiers: 455472, 467005, 501934, 504862, 526500, 527567, 528134, 528300, 530880, 531222, 533000, 534051, 534082, BID-38285, BID-38286, BID-38287, BID-38288, BID-38289, CERTA-2010-AVI-080, CERTA-2010-AVI-082, CVE-2009-1571, CVE-2009-3988, CVE-2010-0159, CVE-2010-0160, CVE-2010-0162, DSA-1999-1, MDVSA-2010:042, MDVSA-2010:051, MFSA 2010-01, MFSA 2010-02, MFSA 2010-03, MFSA 2010-04, MFSA 2010-05, openSUSE-SU-2014:1100-1, RHSA-2010:0112-01, RHSA-2010:0113-01, RHSA-2010:0153-02, RHSA-2010:0154-02, SSA:2010-060-01, SSA:2010-065-01, SUSE-SA:2010:015, VIGILANCE-VUL-9460, ZDI-10-019, ZDI-10-046.

Description of the vulnerability

Several vulnerabilities were announced in Firefox, SeaMonkey and Thunderbird.

An attacker can generate several memory corruptions, leading to code execution. [severity:4/4; 467005, 501934, 527567, 528134, 528300, 530880, 534082, BID-38286, CVE-2010-0159, MFSA 2010-01]

An attacker can generate a memory corruption in Web Workers, leading to code execution. [severity:4/4; 531222, 533000, 534051, BID-38285, CVE-2010-0160, MFSA 2010-02, ZDI-10-046]

An HTML page can force the use of a freed memory area (use-after-free), which leads to code execution. [severity:4/4; 526500, BID-38287, CERTA-2010-AVI-082, CVE-2009-1571, MFSA 2010-03]

An attacker can read window.dialogArguments, in order to perform a Cross Site Scripting attack. [severity:2/4; 504862, BID-38289, CVE-2009-3988, MFSA 2010-04, ZDI-10-019]

An attacker can use an SVG file and a binary Content-Type, in order to perform a Cross Site Scripting attack. [severity:2/4; 455472, BID-38288, CVE-2010-0162, MFSA 2010-05]

computer vulnerability alert CVE-2010-1083

Linux kernel: information disclosure via USB

Synthesis of the vulnerability

A local attacker, allowed to access USB devices, can obtain fragments of kernel memory.
Impacted products: Debian, Linux, RHEL, SLES, ESX.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 17/02/2010.
Identifiers: CERTA-2011-AVI-571, CVE-2010-1083, DSA-2053-1, ESX400-201110001, ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110406-SG, ESX400-201110408-SG, ESX400-201110409-SG, ESX400-201110410-SG, RHSA-2010:0394-01, RHSA-2010:0631-01, RHSA-2010:0723-01, SUSE-SA:2010:019, SUSE-SA:2010:023, SUSE-SA:2010:036, SUSE-SU-2011:0928-1, VIGILANCE-VUL-9456, VMSA-2011-0004.2, VMSA-2011-0009.1, VMSA-2011-0010.2, VMSA-2011-0012, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005.

Description of the vulnerability

The processcompl() function in drivers/usb/core/devio.c handles USB requests. Access to it is reserved to the root user or to privileged processes.

When an error occurs, this function still returns a copy of the data buffer. However, that buffer was not initialized, so it contains a fragment of kernel memory.

A local attacker, allowed to access USB devices, can therefore obtain fragments of kernel memory.

vulnerability alert CVE-2006-4339 CVE-2009-0217 CVE-2009-2493

OpenOffice.org: several vulnerabilities

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious document with OpenOffice.org, in order to execute code on the victim's computer.
Impacted products: OpenOffice, Debian, Fedora, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: document.
Number of vulnerabilities in this bulletin: 7.
Creation date: 12/02/2010.
Identifiers: BID-19849, BID-35671, BID-38218, CERTA-2006-AVI-384, CERTA-2007-AVI-546, CERTA-2009-AVI-279, CERTA-2009-AVI-435, CERTA-2009-AVI-452, CERTA-2009-AVI-538, CERTA-2010-AVI-080, CERTA-2010-AVI-253, CERTA-2010-AVI-499, CVE-2006-4339, CVE-2009-0217, CVE-2009-2493, CVE-2009-2949, CVE-2009-2950, CVE-2009-3301, CVE-2009-3302, DSA-1995-1, FEDORA-2010-1847, FEDORA-2010-1941, MDVSA-2010:221, RHSA-2010:0101-02, SUSE-SA:2010:017, VIGILANCE-VUL-9451, VU#456745, VU#466161, VU#845620.

Description of the vulnerability

Several vulnerabilities were announced in OpenOffice.org.

An attacker can create a malicious PKCS #1 signature which will be accepted as valid (VIGILANCE-VUL-6140). [severity:2/4; BID-19849, CERTA-2006-AVI-384, CERTA-2007-AVI-546, CVE-2006-4339, VU#845620]

The XMLDsig recommendation allows an attacker to bypass the signature of an XML document (VIGILANCE-VUL-8864). [severity:3/4; BID-35671, CERTA-2009-AVI-279, CERTA-2009-AVI-452, CERTA-2010-AVI-253, CVE-2009-0217, VU#466161]

On Windows, OpenOffice installs a vulnerable MSVC Runtime (VIGILANCE-VUL-8895). [severity:3/4; CERTA-2009-AVI-435, CERTA-2009-AVI-538, CVE-2009-2493, VU#456745]

An attacker can invite the victim to open a document containing a malicious XPM image with OpenOffice.org, in order to execute code on the victim's computer. [severity:3/4; CERTA-2010-AVI-499, CVE-2009-2949]

An attacker can invite the victim to open a document containing a malicious GIF image with OpenOffice.org, in order to execute code on the victim's computer. [severity:3/4; CVE-2009-2950]

An attacker can invite the victim to open a Word document containing a malicious sprmTDefTable field with OpenOffice.org, in order to execute code on the victim's computer. [severity:3/4; CVE-2009-3301]

An attacker can invite the victim to open a Word document containing a malicious sprmTSetBrc field with OpenOffice.org, in order to execute code on the victim's computer. [severity:3/4; CVE-2009-3302]

computer vulnerability bulletin CVE-2009-4274

netpbm: integer overflow via XPM

Synthesis of the vulnerability

An attacker can create a malicious XPM image, and invite the victim to convert it with xpmtoppm, in order to generate an overflow leading to a denial of service and possibly to code execution.
Impacted products: Debian, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Creation date: 10/02/2010.
Identifiers: BID-38164, CERTA-2010-AVI-135, CVE-2009-4274, DSA-2026-1, MDVSA-2010:039, RHSA-2011:1811-01, SUSE-SR:2010:006, VIGILANCE-VUL-9438.

Description of the vulnerability

The netpbm suite converts images in the PNM formats:
 - PPM (Portable Pixmap): color
 - PGM (Portable Greymap): greyscale
 - PBM (Portable Bitmap): black and white

The xpmtoppm tool converts an XPM image to the PPM format. However, it does not check whether the color index is greater than 127, so an out-of-range index corrupts memory.

An attacker can therefore create a malicious XPM image, and invite the victim to convert it with xpmtoppm, in order to generate an overflow leading to a denial of service and possibly to code execution.

vulnerability bulletin CVE-2010-0306

Linux kernel: privilege elevation via KVM

Synthesis of the vulnerability

An attacker located inside a KVM guest system can execute privileged assembler instructions, on a multiprocessor system.
Impacted products: Debian, Linux, RHEL.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 09/02/2010.
Identifiers: 560654, BID-38158, CERTA-2002-AVI-261, CERTA-2010-AVI-080, CVE-2010-0306, DSA-1996-1, DSA-2010-1, RHSA-2010:0088-02, VIGILANCE-VUL-9423.

Description of the vulnerability

An x86 processor has 4 privilege rings:
 - ring 0: all memory accesses and all assembler instructions are allowed
 - ring 3: some instructions are forbidden

On a multiprocessor system using KVM, an attacker can use one thread to replace the instruction another thread is executing, during the time window between the CPL (Current Privilege Level) check and the use of the instruction.

An attacker located inside a KVM guest system can therefore execute privileged assembler instructions, on a multiprocessor system.

vulnerability announce CVE-2010-0298

Linux kernel: memory access in KVM

Synthesis of the vulnerability

An attacker located inside a KVM guest system can read or access memory with elevated privileges.
Impacted products: Debian, Linux, RHEL.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, data reading, data creation/edition.
Provenance: user shell.
Creation date: 09/02/2010.
Identifiers: 559091, BID-38158, CERTA-2002-AVI-261, CERTA-2010-AVI-080, CVE-2010-0298, DSA-1996-1, DSA-2010-1, RHSA-2010:0088-02, VIGILANCE-VUL-9422.

Description of the vulnerability

An x86 processor has 4 privilege rings:
 - ring 0: all memory accesses and all assembler instructions are allowed
 - ring 3: memory access is restricted to segments with the same privilege level

The gva_to_gpa() function of the KVM emulator (arch/x86/kvm/emulate.c) does not check the CPL (Current Privilege Level) before performing a memory operation.

An attacker located inside a KVM guest system can therefore read or access memory with elevated privileges.

vulnerability CVE-2010-0734

libcurl: buffer overflow via uncompression

Synthesis of the vulnerability

An attacker, who owns a web server, can return data compressed with Deflate (zlib), in order to generate an overflow in applications linked to libcurl.
Impacted products: curl, Debian, Fedora, Mandriva Linux, Mandriva NF, RHEL, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: internet server.
Creation date: 09/02/2010.
Identifiers: adv_20100209, BID-38162, CERTA-2010-AVI-135, CERTA-2010-AVI-138, CVE-2010-0734, DSA-2023-1, FEDORA-2010-2720, FEDORA-2010-2762, MDVSA-2010:062, RHSA-2010:0273-05, RHSA-2010:0329-01, VIGILANCE-VUL-9420, VMSA-2010-0015, VMSA-2010-0015.1, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

The libcurl library offers a callback system for applications. In this case, the application defines a function such as:
  size_t write_data(void *buffer, size_t size, size_t nmemb, void *userp);
This function is referenced with:
  curl_easy_setopt(easyhandle, CURLOPT_WRITEFUNCTION, write_data);
Then each time libcurl wants to write data, it calls the write_data() function.

Data coming from the web site can be automatically uncompressed by Deflate (zlib) if the application sets the following option (it is not set by default):
  curl_easy_setopt(d->m_handle, CURLOPT_HTTP_CONTENT_DECODING, 1L);

The libcurl documentation indicates that the maximum size of data passed to the write_data() function in one call is CURL_MAX_WRITE_SIZE (16k) bytes.

However, if data coming from the web site is automatically uncompressed by Deflate, the maximum size of data passed to the write_data() function in one call is 64k bytes. If the write_data() function is not designed to handle this amount of data, an overflow occurs.

An attacker, who owns a web server, can therefore return data compressed with Deflate (zlib), in order to generate an overflow in applications linked to libcurl.

No public application linked to libcurl is known to be impacted by this vulnerability.
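The following C program is an added example, not code from the bulletin or from the curl project. It shows two write callbacks that survive a chunk larger than CURL_MAX_WRITE_SIZE: a fixed 16k buffer with the bounds check the affected applications lacked (it aborts the transfer by returning a count different from size*nmemb, which libcurl treats as a write error), and a growable heap buffer that never assumes a per-call maximum and is capped by a total size so a hostile server cannot exhaust memory instead. libcurl is not linked; deliver() stands in for it and feeds a constructed body. The 16384 and 65536 constants are assumptions taken from the figures quoted above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumptions for this example: the documented per-call limit named in the
 * bulletin, and the 64k chunk size it reports for Deflate-decoded bodies. */
#define CURL_MAX_WRITE_SIZE 16384
#define DEFLATE_CHUNK_SIZE  65536

/* Pattern 1: fixed buffer sized from CURL_MAX_WRITE_SIZE, with the bounds
 * check the vulnerable applications lacked. Returning a count that differs
 * from size*nmemb makes libcurl abort the transfer instead of overrunning. */
struct fixed_sink { char buf[CURL_MAX_WRITE_SIZE]; size_t len; };

size_t write_fixed_checked(void *ptr, size_t size, size_t nmemb, void *userp)
{
    struct fixed_sink *s = userp;
    size_t chunk;
    if (size != 0 && nmemb > (size_t)-1 / size) return 0;  /* size*nmemb would wrap */
    chunk = size * nmemb;
    if (chunk > sizeof s->buf - s->len) return 0;           /* would not fit: abort */
    memcpy(s->buf + s->len, ptr, chunk);
    s->len += chunk;
    return chunk;
}

/* Pattern 2: growable heap buffer that assumes no per-call maximum, capped
 * by max_total so a hostile server cannot exhaust memory either. */
struct growable_sink { char *data; size_t len, cap, max_total; };

size_t write_growable(void *ptr, size_t size, size_t nmemb, void *userp)
{
    struct growable_sink *s = userp;
    size_t chunk, need;
    if (size != 0 && nmemb > (size_t)-1 / size) return 0;
    chunk = size * nmemb;
    if (chunk > s->max_total - s->len) return 0;            /* total cap exceeded */
    need = s->len + chunk;
    if (need > s->cap) {
        size_t ncap = s->cap ? s->cap : 4096;
        char *p;
        /* double until large enough; jump straight to need if doubling would overshoot */
        while (ncap < need) ncap = (ncap > need / 2) ? need : ncap * 2;
        p = realloc(s->data, ncap);
        if (!p) return 0;
        s->data = p;
        s->cap = ncap;
    }
    memcpy(s->data + s->len, ptr, chunk);
    s->len = need;
    return chunk;
}

/* Stand-in for libcurl (assumed driver): delivers one chunk of chunk_len
 * constructed bytes and reports 1 if the callback accepted all of it. */
int deliver(size_t (*cb)(void *, size_t, size_t, void *), void *userp, size_t chunk_len)
{
    char *payload = malloc(chunk_len);
    int accepted;
    if (!payload) return 0;
    memset(payload, 'A', chunk_len);   /* constructed body, not real server data */
    accepted = cb(payload, 1, chunk_len, userp) == chunk_len;
    free(payload);
    return accepted;
}

/* 1 if the checked fixed-buffer callback accepts a fresh chunk of chunk_len bytes. */
int fixed_accepts(size_t chunk_len)
{
    struct fixed_sink s;
    memset(&s, 0, sizeof s);
    return deliver(write_fixed_checked, &s, chunk_len);
}

/* Bytes held by the growable sink after `repeats` chunks of chunk_len bytes,
 * or 0 if any chunk was refused (for example when the max_total cap is hit). */
size_t growable_total(size_t chunk_len, int repeats, size_t max_total)
{
    struct growable_sink s = { NULL, 0, 0, max_total };
    size_t total = 0;
    for (int i = 0; i < repeats; i++) {
        if (!deliver(write_growable, &s, chunk_len)) { total = 0; break; }
        total = s.len;
    }
    free(s.data);
    return total;
}

int main(void)
{
    printf("fixed buffer, 16k chunk accepted: %d\n", fixed_accepts(CURL_MAX_WRITE_SIZE));
    printf("fixed buffer, 64k chunk accepted: %d\n", fixed_accepts(DEFLATE_CHUNK_SIZE));
    printf("growable, 3 x 64k chunks stored: %zu bytes\n",
           growable_total(DEFLATE_CHUNK_SIZE, 3, 1u << 20));
    printf("growable, 64k chunks under a 100k cap: %zu bytes\n",
           growable_total(DEFLATE_CHUNK_SIZE, 2, 100000));
    return 0;
}
```

The point to take away is that the callback, not libcurl, owns the bounds check: a callback that trusts CURL_MAX_WRITE_SIZE as a hard limit has no defence when a different code path (here, automatic decompression) hands it more, whereas either pattern above degrades to a failed transfer rather than memory corruption.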

computer vulnerability note CVE-2010-0622

Linux kernel: denial of service via PI State

Synthesis of the vulnerability

A local attacker can create a multithreaded program using priority inheritance, in order to stop the kernel.
Impacted products: Debian, Linux, Mandriva Linux, openSUSE, RHEL, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 09/02/2010.
Identifiers: BID-38165, CERTA-2002-AVI-252, CERTA-2002-AVI-261, CVE-2010-0622, DSA-2003-1, DSA-2004-1, DSA-2012-1, MDVSA-2010:088, MDVSA-2010:188, MDVSA-2010:198, openSUSE-SU-2013:0927-1, RHSA-2010:0161-01, RHSA-2010:0504-01, SUSE-SA:2010:014, SUSE-SA:2010:016, SUSE-SA:2010:018, VIGILANCE-VUL-9419, VMSA-2010-0016, VMSA-2010-0016.1, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

The pthread_mutexattr_init(&mutattr) function initializes attributes of a mutex. The pthread_mutexattr_setprotocol(&mutattr, PTHREAD_PRIO_INHERIT) function indicates that the mutex inherits the priority of its thread. The pthread_mutex_init(..., &mutattr) function initializes a mutex.

A local attacker can create a thread using PTHREAD_PRIO_INHERIT, in order to initialize the owner field (of type task_struct) of the pi_state structure (of type futex_pi_state). The attacker then stops this thread, which sets the owner field to NULL. Then, by calling pthread_mutex_init() again and unlocking the mutex, the pi_state->owner field (which is NULL) is dereferenced.

A local attacker can thus create a multithreaded program using priority inheritance, in order to stop the kernel.

computer vulnerability announce CVE-2010-0415

Linux kernel: memory reading via sys_move_pages

Synthesis of the vulnerability

A local attacker can use the move_pages() system call, in order to read kernel memory pages.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Linux, Mandriva Linux, openSUSE, RHEL, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 08/02/2010.
Identifiers: BID-38144, CERTA-2002-AVI-252, CERTA-2010-AVI-080, CVE-2010-0415, DSA-1996-1, DSA-2003-1, DSA-2004-1, FEDORA-2010-1787, FEDORA-2010-1804, MDVSA-2010:066, MDVSA-2010:067, MDVSA-2010:188, MDVSA-2010:198, openSUSE-SU-2013:0927-1, RHSA-2010:0147-01, RHSA-2010:0161-01, SOL16471, SUSE-SA:2010:014, SUSE-SA:2010:016, SUSE-SA:2010:018, VIGILANCE-VUL-9417, VMSA-2010-0016, VMSA-2010-0016.1, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

The NUMA (Non-Uniform Memory Access) architecture is used on multiprocessor systems, where each node has its own memory area.

The move_pages() system call moves pages to another node:
  move_pages(pid, nr_pages, address, nodes, ...);

However, the nodes value is not checked. An attacker can therefore pass a large or negative value, forcing the kernel to move pages to a zone which can then be read.

A local attacker can thus use the move_pages() system call, in order to read kernel memory pages.