The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Google Android KitKat

computer vulnerability CVE-2015-2000 CVE-2015-2001 CVE-2015-2002

Android: privilege escalation via Serialization

Synthesis of the vulnerability

A local attacker, or a malicious application, can exploit Java serialization on Android OS, in order to escalate privileges.
Impacted products: Android Applications ~ not comprehensive, ArcGIS for Desktop, Android OS, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user account.
Number of vulnerabilities in this bulletin: 8.
Creation date: 12/08/2015.
Identifiers: CVE-2015-2000, CVE-2015-2001, CVE-2015-2002, CVE-2015-2003, CVE-2015-2004, CVE-2015-2020, CVE-2015-3825-REJECT, CVE-2015-3837, VIGILANCE-VUL-17645.

Description of the vulnerability

A Java class can, at the same time:
 - be serializable,
 - define a finalize() method, and
 - contain a field whose value is attacker-controlled.

In this case, an attacker can set that field in a serialized object, and thus inject code which is run when the Android garbage collector invokes the finalize() method.

There are several Java classes with the three required characteristics:
 - the OpenSSLX509Certificate class of Android OS (CVE-2015-3825, CVE-2015-3837)
 - classes from the SDK Jumio (CVE-2015-2000), used by applications built with this SDK
 - classes from the SDK MetaIO (CVE-2015-2001), used by applications built with this SDK
 - classes from the SDK PJSIP PJSUA2 (CVE-2015-2003), used by applications built with this SDK
 - classes from the SDK GraceNote GNSDK (CVE-2015-2004), used by applications built with this SDK
 - classes from the SDK MyScript (CVE-2015-2020), used by applications built with this SDK
 - classes from the SDK esri ArcGis (CVE-2015-2002), used by applications built with this SDK

A local attacker, or a malicious application, can thus exploit Java serialization on Android OS, in order to escalate privileges.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2015-3823

Google Android OS: infinite loop of MediaServer

Synthesis of the vulnerability

An attacker can generate an infinite loop in MediaServer of Google Android OS, in order to trigger a denial of service.
Impacted products: Android OS.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service.
Provenance: document.
Creation date: 04/08/2015.
Identifiers: ANDROID-21335999, CVE-2015-3823, VIGILANCE-VUL-17591.

Description of the vulnerability

The Google Android OS system uses the MediaServer service to display videos in MKV (Matroska) format.

However, a malformed MKV video triggers an infinite loop in MatroskaExtractor.cpp.

An attacker can therefore generate an infinite loop in MediaServer of Google Android OS, in order to trigger a denial of service.

computer vulnerability alert CVE-2015-5707

Linux kernel: integer overflow of SCSI sg_start_req

Synthesis of the vulnerability

A local attacker can generate an integer overflow in the SCSI driver of the Linux kernel, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, BIG-IP Hardware, TMOS, Android OS, Linux, openSUSE, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on server.
Provenance: user shell.
Creation date: 03/08/2015.
Identifiers: CERTFR-2015-AVI-331, CERTFR-2015-AVI-369, CERTFR-2015-AVI-372, CERTFR-2015-AVI-411, CERTFR-2015-AVI-417, CERTFR-2016-AVI-073, CERTFR-2016-AVI-103, CVE-2015-5707, DSA-3329-1, openSUSE-SU-2015:1842-1, openSUSE-SU-2016:0301-1, SOL17475, SUSE-SU-2015:1478-1, SUSE-SU-2015:1592-1, SUSE-SU-2015:1611-1, SUSE-SU-2015:2084-1, SUSE-SU-2015:2085-1, SUSE-SU-2015:2086-1, SUSE-SU-2015:2087-1, SUSE-SU-2015:2089-1, SUSE-SU-2015:2090-1, SUSE-SU-2015:2091-1, SUSE-SU-2016:0585-1, SUSE-SU-2016:0785-1, USN-2733-1, USN-2734-1, USN-2737-1, USN-2738-1, USN-2750-1, USN-2759-1, USN-2760-1, VIGILANCE-VUL-17576.

Description of the vulnerability

The drivers/scsi/sg.c file of the Linux kernel implements the generic driver for SCSI.

However, if iov_count is too large, a multiplication in the sg_start_req() function overflows, and the memory area then allocated is too short.

A local attacker can therefore generate an integer overflow in the SCSI driver of the Linux kernel, in order to trigger a denial of service, and possibly to run code.

computer vulnerability CVE-2015-5706

Linux kernel: use after free via path_openat

Synthesis of the vulnerability

A local attacker can force the usage of a freed memory area in the path_openat() function of the Linux kernel, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Android OS, Linux.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on server.
Provenance: user shell.
Creation date: 03/08/2015.
Identifiers: 940339, CERTFR-2015-AVI-331, CVE-2015-5706, DSA-3329-1, VIGILANCE-VUL-17575.

Description of the vulnerability

The openat() system call opens a file, with a path relative to a directory descriptor:
  int openat(int dirfd, const char *pathname, int flags);

The path_openat() function of the fs/namei.c file implements openat(). However, when a file is opened with the __O_TMPFILE flag, the path_cleanup() function is called twice.

A local attacker can therefore force the usage of a freed memory area in the path_openat() function of the Linux kernel, in order to trigger a denial of service, and possibly to run code.

vulnerability announce 17542

Google Android OS: integer overflow of mediaserver via MKV

Synthesis of the vulnerability

An attacker can invite the victim to visit a web site containing a malicious MKV video, in order to trigger a denial of service of mediaserver on Google Android OS.
Impacted products: Android OS.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: internet client.
Creation date: 30/07/2015.
Identifiers: ANDROID-21296336, VIGILANCE-VUL-17542.

Description of the vulnerability

The Google Android OS system uses the mediaserver service to display videos in MKV (Matroska) format.

However, if an integer in the file is too large, the code of frameworks/av/media/libstagefright/matroska/MatroskaExtractor.cpp reads from or writes to an invalid address.

An attacker can therefore invite the victim to visit a web site containing a malicious MKV video, in order to trigger a denial of service of mediaserver on Google Android OS.

vulnerability announce CVE-2015-1538 CVE-2015-1539 CVE-2015-3824

Google Android OS: seven vulnerabilities of Stagefright

Synthesis of the vulnerability

An attacker can send a malicious MMS to the number of an Android phone owner, in order to run code.
Impacted products: Android OS.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 7.
Creation date: 28/07/2015.
Identifiers: ANDROID-21336907, AVKB230, CERTFR-2015-ALE-010, CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829, VIGILANCE-VUL-17512, VU#924951.

Description of the vulnerability

Several vulnerabilities were announced in the Stagefright multimedia library of Google Android OS.

An attacker can generate an integer overflow in MP4, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-1538]

An attacker can generate an integer overflow in ESDS, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-1539]

An attacker can generate a buffer overflow with a MP4 file, in order to trigger a denial of service, and possibly to run code. [severity:3/4; ANDROID-21336907, CVE-2015-3824]

An attacker can force a read at an invalid address in 3GPP, in order to trigger a denial of service. [severity:3/4; CVE-2015-3826]

An attacker can generate an integer overflow in MPEG4 Covr Atoms, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-3827]

An attacker can generate an integer overflow in 3GPP, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-3828]

An attacker can generate an integer overflow in MPEG4 chunk_data_size, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-3829]

Note: some of these vulnerabilities are the same as those of VIGILANCE-VUL-16897 (fixed by Firefox version 38, CVE-2015-4496). Some of these vulnerabilities are similar to those of VIGILANCE-VUL-17644 (fixed by Firefox version 40).

An attacker can therefore send a malicious MMS to the number of an Android phone owner, in order to run code.

computer vulnerability bulletin CVE-2015-1283

Expat: integer overflow of XML

Synthesis of the vulnerability

An attacker can generate an integer overflow in the XML parser of Expat, in order to trigger a denial of service, and possibly to run code.
Impacted products: APR-util, Debian, BIG-IP Hardware, TMOS, FreeBSD, Android OS, Domino, Notes, Tivoli System Automation, WebSphere AS Traditional, Juniper EX-Series, Juniper J-Series, Junos OS, SRX-Series, openSUSE, openSUSE Leap, Solaris, pfSense, Python, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 27/07/2015.
Identifiers: 1964428, 1965444, 1967199, 1969062, 1990421, 1990658, bulletinjul2016, CVE-2015-1283, DSA-3318-1, FreeBSD-SA-15:20.expat, JSA10904, openSUSE-SU-2016:1441-1, openSUSE-SU-2016:1523-1, SOL15104541, SSA:2016-359-01, SUSE-SU-2016:1508-1, SUSE-SU-2016:1512-1, USN-2726-1, USN-3013-1, VIGILANCE-VUL-17498.

Description of the vulnerability

An attacker can generate an integer overflow in the XML parser of Expat, in order to trigger a denial of service, and possibly to run code.

vulnerability bulletin 17353

Android: file creation via ADB

Synthesis of the vulnerability

An attacker can bypass access restrictions of ADB on Android, in order, for example, to plant a Trojan horse.
Impacted products: Android OS.
Severity: 2/4.
Consequences: data creation/edition.
Provenance: user account.
Creation date: 10/07/2015.
Identifiers: VIGILANCE-VUL-17353.

Description of the vulnerability

Android uses the ADB (Android Debug Bridge) tool, provided by Google's SDK, in order to back up and restore files.

However, a malicious application can inject a new file into the backup archive created by ADB.

An attacker can therefore bypass access restrictions of ADB on Android, in order, for example, to plant a Trojan horse.

vulnerability note CVE-2015-5364 CVE-2015-5366

Linux kernel: denial of service via UDP

Synthesis of the vulnerability

An attacker can flood a Linux host with UDP packets carrying a wrong checksum, in order to trigger a denial of service.
Impacted products: Debian, BIG-IP Hardware, TMOS, Android OS, Junos Space, Linux, openSUSE, Palo Alto Firewall PA***, PAN-OS, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 01/07/2015.
Identifiers: CERTFR-2015-AVI-311, CERTFR-2015-AVI-318, CERTFR-2015-AVI-331, CERTFR-2015-AVI-352, CERTFR-2015-AVI-357, CERTFR-2015-AVI-391, CERTFR-2017-AVI-012, CVE-2015-5364, CVE-2015-5366, DSA-3313-1, DSA-3329-1, JSA10770, K17307, K17309, openSUSE-SU-2015:1382-1, openSUSE-SU-2016:0301-1, PAN-SA-2016-0025, RHSA-2015:1623-01, RHSA-2015:1778-01, RHSA-2015:1787-01, RHSA-2015:1788-01, RHSA-2016:0045-01, RHSA-2016:1096-01, RHSA-2016:1100-01, RHSA-2016:1225-01, SOL17307, SOL17309, SUSE-SU-2015:1224-1, SUSE-SU-2015:1324-1, SUSE-SU-2015:1478-1, SUSE-SU-2015:1592-1, SUSE-SU-2015:1611-1, USN-2678-1, USN-2680-1, USN-2681-1, USN-2682-1, USN-2683-1, USN-2684-1, USN-2685-1, USN-2713-1, USN-2714-1, VIGILANCE-VUL-17284.

Description of the vulnerability

UDP packets carry a checksum to check whether the packet has been corrupted in transit.

However, this check occurs quite late in the packet processing path. So, when the incoming packet rate is high, the kernel spends too much time handling the packet queue and other internal data structures, which prevents user processes from being resumed.

An attacker can therefore flood a Linux host with UDP packets carrying a wrong checksum, in order to trigger a denial of service.

computer vulnerability alert CVE-2014-9731

Linux kernel: information disclosure via UDF

Synthesis of the vulnerability

A local attacker can mount a malicious UDF filesystem on Linux, in order to obtain sensitive information from the kernel memory.
Impacted products: Android OS, Linux, openSUSE, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: data reading.
Provenance: privileged console.
Creation date: 03/06/2015.
Identifiers: CERTFR-2015-AVI-357, CVE-2014-9731, openSUSE-SU-2015:1382-1, openSUSE-SU-2016:0301-1, SUSE-SU-2015:1224-1, SUSE-SU-2015:1324-1, SUSE-SU-2015:1592-1, SUSE-SU-2015:1611-1, VIGILANCE-VUL-17056.

Description of the vulnerability

The Linux kernel supports the UDF filesystem, which is used on DVDs.

UDF filesystems support symbolic links. However, if the link name is malformed, the code of the fs/udf/symlink.c file does not detect the end of the filename, and the readlink() function thus returns the content of kernel memory to the user.

A local attacker can therefore mount a malicious UDF filesystem on Linux, in order to obtain sensitive information from the kernel memory.