The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of HP Tru64 UNIX

vulnerability alert CVE-2010-4476

Java JRE: denial of service via a real number

Synthesis of the vulnerability

An attacker can use a special double floating point number, in order to create an infinite loop in Java programs.
Impacted products: Debian, Fedora, HPE BAC, HPE NNMi, OpenView, OpenView NNM, Tru64 UNIX, HP-UX, AIX, DB2 UDB, Tivoli Directory Server, Tivoli Storage Manager, Tivoli System Automation, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, JBoss AS OpenSource, Mandriva Linux, NLD, OES, Java OpenJDK, openSUSE, Oracle iPlanet Web Server, Java Oracle, Oracle Web Tier, RHEL, JBoss EAP by Red Hat, SLES.
Severity: 3/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Creation date: 02/02/2011.
Identifiers: 1468291, BID-46091, c02729756, c02738573, c02746026, c02752210, c02775276, c02826781, c02906075, c03090723, c03316985, CERTA-2002-AVI-271, CERTA-2012-AVI-286, cpuapr2011, CVE-2010-4476, DSA-2161-1, DSA-2161-2, FEDORA-2011-1231, FEDORA-2011-1263, HPSBMU02690, HPSBTU02684, HPSBUX02633, HPSBUX02641, HPSBUX02642, HPSBUX02645, HPSBUX02685, HPSBUX02725, HPSBUX02777, IZ94331, javacpufeb2011, MDVSA-2011:054, openSUSE-SU-2011:0126-1, PM32175, PM32177, PM32184, PM32192, PM32194, RHSA-2011:0210-01, RHSA-2011:0211-01, RHSA-2011:0212-01, RHSA-2011:0213-01, RHSA-2011:0214-01, RHSA-2011:0282-01, RHSA-2011:0290-01, RHSA-2011:0291-01, RHSA-2011:0292-01, RHSA-2011:0299-01, RHSA-2011:0333-01, RHSA-2011:0334-01, RHSA-2011:0336-01, RHSA-2011:0348-01, RHSA-2011:0349-01, RHSA-2011:0880-01, SSRT100387, SSRT100390, SSRT100412, SSRT100415, SSRT100505, SSRT100569, SSRT100627, SSRT100854, SUSE-SA:2011:010, SUSE-SA:2011:014, SUSE-SR:2011:008, SUSE-SU-2011:0823-1, swg21469266, swg24030066, swg24030067, VIGILANCE-VUL-10321.

Description of the vulnerability

The number 2.2250738585072011e-308 is the "largest subnormal double number" (in base 2: 0x0fffffffffffff x 2^-1022).

On an x86 processor, the Java JRE uses the 80-bit x87 FPU registers to find, bit by bit, the closest representable value. This loop stops when the remainder is smaller than the precision. However, with the number 2.225..., this stop condition is never true (the 80-bit value is rounded to 64 bits), and an infinite loop occurs.

An attacker can therefore use a special double floating point number, in order to create an infinite loop in Java programs.

The origin of this vulnerability is the same as VIGILANCE-VUL-10257.

computer vulnerability note CVE-2009-3563

NTP: denial of service

Synthesis of the vulnerability

A remote attacker can send a specially crafted NTP MODE_PRIVATE query in order to generate a denial of service.
Impacted products: Avaya Ethernet Routing Switch, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, Tru64 UNIX, HP-UX, AIX, Juniper J-Series, Junos OS, Mandriva Linux, Mandriva NF, Meinberg NTP Server, NetBSD, Nortel ESM, Nortel VPN Router, NLD, OES, NTP.org, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SLES, ESX, ESXi.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: internet client.
Creation date: 09/12/2009.
Identifiers: 025389-01, 1021781, 2009009932, 275590, 6902029, BID-37255, c01961950, c02737553, c03714526, CERTA-2010-AVI-002, CR131466, CVE-2009-3563, DSA-1948-1, FEDORA-2009-13046, FEDORA-2009-13090, FEDORA-2009-13121, FreeBSD-SA-10:02.ntpd, HPSBTU02496, HPSBUX02639, HPSBUX02859, IZ68659, IZ71047, IZ71071, IZ71093, IZ71608, IZ71610, IZ71611, IZ71613, IZ71614, MDVSA-2009:328, NetBSD-SA2010-005, PSN-2009-12-609, RHSA-2009:1648-01, RHSA-2009:1651-01, SOL10905, SSA:2009-343-01, SSRT090245, SSRT100293, SSRT101144, SUSE-SR:2009:020, VIGILANCE-VUL-9259, VMSA-2010-0004, VMSA-2010-0004.1, VMSA-2010-0004.2, VMSA-2010-0004.3, VMSA-2010-0009, VMSA-2010-0009.1.

Description of the vulnerability

The NTP protocol possesses multiple modes of operation.

The MODE_PRIVATE mode is used by ntpdc to query the state of the ntpd daemon. When ntpd receives an invalid MODE_PRIVATE request, it sends back a MODE_PRIVATE error. However, when ntpd receives a MODE_PRIVATE error, it sends it back to the sender, generating a loop.

A remote attacker can therefore send a specially crafted NTP MODE_PRIVATE query in order to generate a denial of service.

computer vulnerability announce CVE-2009-0696

BIND: denial of service of Dynamic Update

Synthesis of the vulnerability

An attacker can send a DNS Dynamic Update packet to a BIND server, which is master for a zone, in order to stop it, even if it is not configured for Dynamic Updates.
Impacted products: Debian, Fedora, FreeBSD, Tru64 UNIX, HP-UX, AIX, BIND, Mandriva Linux, Mandriva NF, NetBSD, Netware, OpenBSD, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SLES, TurboLinux, ESX, ESXi, VMware Server, vCenter Server, VirtualCenter.
Severity: 3/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 29/07/2009.
Identifiers: 264828, 538975, 6865903, BID-35848, c01835108, c01837667, CERTA-2009-AVI-302, CERTA-2009-AVI-413, CVE-2009-0696, DSA-1847-1, FEDORA-2009-8119, FreeBSD-SA-09:12.bind, HPSBTU02453, HPSBUX02451, MDVSA-2009:181, NetBSD-SA2009-013, RHSA-2009:1179-02, RHSA-2009:1180-01, RHSA-2009:1181-01, SSA:2009-210-01, SSRT090137, SSRT091037, SUSE-SA:2009:040, TLSA-2009-22, VIGILANCE-VUL-8897, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5, VU#725188.

Description of the vulnerability

A Dynamic Update packet is used to update records in a DNS server.

A DNS server can be authoritative (master or slave) for a zone.

There are several types of DNS requests: A, PTR, ANY, etc.

When BIND is configured as master for a zone, an attacker can send it a DNS Dynamic Update packet of type ANY for one of its resource records (RR). The dns_db_findrdataset() function of the db.c file checks this packet before checking whether Dynamic Updates are allowed for this zone. However, as the packet is of type ANY (which is invalid in this case), an assertion error occurs in this function and stops BIND.

An attacker can therefore send a DNS Dynamic Update packet to a BIND server, which is master for a zone, in order to stop it, even if it is not configured for Dynamic Updates.

Note that this vulnerability cannot be used to stop slave servers, so the DNS service remains partially available.

vulnerability CVE-2008-4314

Samba: memory fragment reading

Synthesis of the vulnerability

An attacker authenticated on Samba can use specific commands to obtain memory fragments from the daemon.
Impacted products: Fedora, Tru64 UNIX, NLD, OES, OpenSolaris, openSUSE, Solaris, Samba, Slackware, SLES.
Severity: 1/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 27/11/2008.
Identifiers: 249087, 6773861, BID-32494, c01839839, CERTA-2008-AVI-572, CVE-2008-4314, FEDORA-2008-10518, FEDORA-2008-10612, FEDORA-2008-10638, HPSBTU02454, SSA:2008-333-01, SSRT080172, SUSE-SR:2008:027, SUSE-SR:2009:001, VIGILANCE-VUL-8270.

Description of the vulnerability

The SMB/CIFS protocol successively defined several commands to encapsulate sub-commands: Trans, Trans2 and NTTrans. To use these commands, the user has to be authenticated.

When Samba handles these commands, offsets are incorrectly computed. The daemon can therefore read outside the memory area containing the request data, and copy these bytes into the answer.

An attacker authenticated on Samba can therefore use specific commands to obtain memory fragments from the daemon.

computer vulnerability bulletin CVE-2008-4414

HP Tru64 UNIX: privilege elevation via AdvFS

Synthesis of the vulnerability

A local attacker can use AdvFS in order to elevate his privileges.
Impacted products: Tru64 UNIX.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 07/11/2008.
Identifiers: BID-32160, c01599842, CERTA-2008-AVI-548, CVE-2008-4414, HPSBTU02383, SSRT080098, VIGILANCE-VUL-8228.

Description of the vulnerability

The AdvFS filesystem can be installed as an option under Tru64 UNIX. The /usr/sbin/showfile command displays the attributes of an AdvFS file.

A local attacker can use showfile to elevate his privileges.

This vulnerability may be related to a buffer overflow occurring in this suid/sgid command.

computer vulnerability CVE-2007-4850 CVE-2008-0674 CVE-2008-2371

PHP 4: several vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP in order to create a denial of service or to execute code.
Impacted products: Tru64 UNIX, HP-UX, Mandriva Linux, Mandriva NF, PHP, RHEL, Slackware, TurboLinux.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 8.
Creation date: 04/09/2008.
Identifiers: BID-27413, BID-27786, BID-30087, BID-30649, c01599836, c01650939, c01756421, c01905287, CERTA-2008-AVI-084, CERTA-2008-AVI-361, CERTA-2008-AVI-388, CERTA-2008-AVI-417, CERTA-2008-AVI-566, CERTA-2009-AVI-083, CERTA-2009-AVI-309, CVE-2007-4850, CVE-2008-0674, CVE-2008-2371, CVE-2008-2829, CVE-2008-3658, CVE-2008-3659, CVE-2008-3660, HPSBTU02382, HPSBUX02401, HPSBUX02431, HPSBUX02465, MDVSA-2008:125, MDVSA-2008:126, MDVSA-2008:127, MDVSA-2008:128, MDVSA-2008:129, MDVSA-2008:130, MDVSA-2009:021, MDVSA-2009:022, MDVSA-2009:023, MDVSA-2009:024, MDVSA-2009:065, RHSA-2009:0337-01, SSA:2008-247-01, SSRT080132, SSRT090005, SSRT090085, SSRT090192, TLSA-2008-27, TLSA-2009-2, VIGILANCE-VUL-8085.

Description of the vulnerability

Several vulnerabilities were announced in PHP 4.

When the attacker can change the PCRE regular expression, he can corrupt its memory in order, for example, to execute code (VIGILANCE-VUL-7593). [severity:1/4; BID-27786, CERTA-2008-AVI-084, CERTA-2009-AVI-309, CVE-2008-0674]

When the attacker can change the PCRE regular expression, he can corrupt its memory in order, for example, to execute code (VIGILANCE-VUL-7926). [severity:1/4; BID-30087, CERTA-2008-AVI-361, CERTA-2008-AVI-417, CVE-2008-2371]

An attacker can generate an overflow in memnstr(). [severity:2/4; BID-30649, CERTA-2009-AVI-083, CVE-2008-3659]

An attacker can create a malicious font in order to create a denial of service in imageloadfont() of ext/gd/gd.c. [severity:1/4; BID-30649, CERTA-2008-AVI-566, CVE-2008-3658]

A local attacker can use cURL functions to read files by bypassing safe mode restrictions (VIGILANCE-VUL-7524). [severity:1/4; BID-27413, CERTA-2008-AVI-388, CVE-2007-4850]

An attacker can set mbstring.func_overload in .htaccess in order to overwrite the global configuration. [severity:1/4]

When the FastCGI module is used, an attacker can use a filename containing several dots in order to create a denial of service. [severity:2/4; CVE-2008-3660]

A long IMAP query generates an overflow in the php_imap extension. [severity:2/4; CVE-2008-2829]

These vulnerabilities are local or remote depending on the context.

computer vulnerability announce CVE-2008-1447

DNS: cache poisoning

Synthesis of the vulnerability

An attacker can predict DNS queries in order to poison the DNS client or cache (caching resolver).
Impacted products: ProxyRA, ProxySG by Blue Coat, IOS by Cisco, Cisco Router, Debian, Dnsmasq, BIG-IP Hardware, TMOS, Fedora, FreeBSD, MPE/iX, Tru64 UNIX, HP-UX, AIX, BIND, Juniper E-Series, Juniper J-Series, JUNOSe, Junos OS, Mandriva Linux, Mandriva NF, Windows 2000, Windows 2003, Windows 2008 R0, Windows (platform) ~ not comprehensive, Windows XP, NetBSD, NetScreen Firewall, ScreenOS, NLD, Netware, OES, OpenBSD, OpenSolaris, openSUSE, Solaris, Trusted Solaris, DNS protocol, RHEL, Slackware, SLES, TurboLinux, Unix (platform) ~ not comprehensive, ESX.
Severity: 3/4.
Consequences: data creation/edition.
Provenance: internet server.
Creation date: 09/07/2008.
Revisions dates: 22/07/2008, 24/07/2008, 25/07/2008.
Identifiers: 107064, 239392, 240048, 6702096, 7000912, 953230, BID-30131, c01506861, c01660723, CAU-EX-2008-0002, CAU-EX-2008-0003, CERTA-2002-AVI-189, CERTA-2002-AVI-200, cisco-sa-20080708-dns, CR102424, CR99135, CSCso81854, CVE-2008-1447, draft-ietf-dnsext-forgery-resilience-05, DSA-1544-2, DSA-1603-1, DSA-1604-1, DSA-1605-1, DSA-1617-1, DSA-1619-1, DSA-1619-2, DSA-1623-1, FEDORA-2008-6256, FEDORA-2008-6281, FEDORA-2009-1069, FreeBSD-SA-08:06.bind, HPSBMP02404, HPSBTU02358, HPSBUX02351, MDVSA-2008:139, MS08-037, NetBSD-SA2008-009, powerdns-advisory-2008-01, PSN-2008-06-040, RHSA-2008:0533-01, RHSA-2008:0789-01, SOL8938, SSA:2008-191-02, SSA:2008-205-01, SSRT080058, SSRT090014, SUSE-SA:2008:033, TA08-190B, TLSA-2008-26, VIGILANCE-VUL-7937, VMSA-2008-0014, VMSA-2008-0014.1, VMSA-2008-0014.2, VU#800113.

Description of the vulnerability

The DNS protocol defines a 16-bit identifier to associate an answer with its query. When an attacker predicts this identifier and the UDP port number, he can send fake answers and thus poison the DNS cache.

Most implementations use a fixed port number, which increases the probability of a successful poisoning. As there is only one chance of success during the TTL period, and as the poisoning does not succeed on each trial, this direct and old attack is not practical.

However, instead of poisoning the answer record, the attacker can poison additional records. Indeed, when the DNS client asks the address of www.example.com, the DNS server returns:
  www.example.com A 1.2.3.4 (answer)
  example.com NS dns.example.com (authoritative)
  dns.example.com A 1.2.3.5 (additional)

An attacker can therefore force the client to request the resolution of several names (via a web page containing images, for example): aaa.example.com, aab.example.com, ..., aaz.example.com. In his answers, the attacker then always provides the same malicious additional record (www.example.com A 5.6.7.8). Even if, for example, only the answer for aab.example.com is poisoned, its additional record (www.example.com = 5.6.7.8) will be stored in the cache.

An attacker can therefore poison the DNS cache/client and redirect all users to a malicious site.

computer vulnerability CVE-2007-4769 CVE-2007-4772 CVE-2007-6067

PostgreSQL: several vulnerabilities

Synthesis of the vulnerability

A local attacker can create a denial of service or elevate his privileges via PostgreSQL.
Impacted products: Debian, VNX Operating Environment, VNX Series, Fedora, Tru64 UNIX, Mandriva Linux, NLD, OES, openSUSE, openSUSE Leap, Solaris, PostgreSQL, RHEL, SUSE Linux Enterprise Desktop, SLES, TurboLinux.
Severity: 2/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: user account.
Number of vulnerabilities in this bulletin: 3.
Creation date: 07/01/2008.
Revisions dates: 11/01/2008, 06/03/2008.
Identifiers: 103197, 200559, c01420154, CERTA-2002-AVI-163, CERTA-2008-AVI-005, CVE-2007-4769, CVE-2007-4772, CVE-2007-6067, CVE-2007-6600, CVE-2007-6601, DSA-1460-1, DSA-1463-1, DSA-2019-131, FEDORA-2008-0478, FEDORA-2008-0552, HPSBTU02325, MDVSA-2008:004, openSUSE-SU-2016:0531-1, openSUSE-SU-2016:0578-1, RHSA-2008:0038-01, RHSA-2008:0039-01, RHSA-2008:0040-01, SSRT080006, SUSE-SA:2008:005, SUSE-SU-2016:0539-1, SUSE-SU-2016:0555-1, SUSE-SU-2016:0677-1, TLSA-2008-6, VIGILANCE-VUL-7475.

Description of the vulnerability

Several vulnerabilities affect PostgreSQL.

A local attacker can elevate his privileges via "expression indexes". Indeed, index functions are executed with "superuser" privileges during VACUUM and ANALYZE, and can contain privileged commands (SET ROLE and SET SESSION AUTHORIZATION). [severity:2/4; CVE-2007-6600]

An attacker can use a regular expression in order to create three denials of service (VIGILANCE-VUL-7643). The attacker needs SQL access, or has to use an application that transmits a regular expression to PostgreSQL. [severity:1/4; CERTA-2008-AVI-005, CVE-2007-4769, CVE-2007-4772, CVE-2007-6067]

In the default configuration, a local attacker can use the dblink feature to elevate his privileges. [severity:2/4; CVE-2007-6601]

computer vulnerability CVE-2007-6519

Tru64 UNIX: denial of service via FFM

Synthesis of the vulnerability

A local attacker can create a denial of service via File-on-File Mounting.
Impacted products: Tru64 UNIX.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 21/12/2007.
Identifiers: BID-26964, c01310389, CVE-2007-6519, HPSBTU02300, SSRT071452, VIGILANCE-VUL-7445.

Description of the vulnerability

The mount command allows a local directory to be mounted on another local directory via FFM (File-on-File Mounting File System).

A local attacker can create a denial of service via FFM.

computer vulnerability CVE-2006-2937 CVE-2006-2940 CVE-2006-3738

OpenSSL: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities have been discovered in OpenSSL, the worst one leading to code execution.
Impacted products: Arkoon FAST360, CiscoWorks, Cisco CSS, Cisco IPS, Cisco Prime Central for HCS, Secure ACS, WebNS, Debian, Fedora, FreeBSD, F-Secure AV, Tru64 UNIX, HP-UX, BIND, Mandriva Linux, Mandriva NF, Windows (platform) ~ not comprehensive, NetBSD, NetScreen Firewall, ScreenOS, OpenBSD, OpenSSL, openSUSE, Solaris, RHEL, Slackware, TurboLinux.
Severity: 3/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 29/09/2006.
Revision date: 20/12/2007.
Identifiers: 102711, 102747, 20061001-01-P, 6476279, AK-2006-06, AK-2006-07, BID-20246, BID-20247, BID-20248, BID-20249, BID-26093, c00805100, c00849540, c00967144, CERTA-2006-AVI-421, CERTA-2006-AVI-448, CERTA-2006-AVI-454, CERTA-2006-AVI-521, CERTA-2007-AVI-051, CERTA-2008-AVI-141, cisco-sr-20061108-openssl, CSCek57074, CSCsg09619, CSCsg24311, CSCsg58599, CSCsg58607, CSCtx20378, CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4343, DSA-1185-1, DSA-1195-1, emr_na-c01203958-1, FEDORA-2006-1004, FreeBSD-SA-06:23.openssl, FSC-2006-6, HPSBTU02207, HPSBUX02174, HPSBUX02186, MDKSA-2006:172, MDKSA-2006:177, MDKSA-2006:178, NetBSD-SA2008-007, RHSA-2006:0695-01, RHSA-2008:0264-01, RHSA-2008:0525-01, SSA:2006-272-01, SSRT061213, SSRT061239, SSRT071299, SSRT071304, SUSE-SA:2006:058, SUSE-SR:2006:024, TLSA-2006-33, TLSA-2007-52, VIGILANCE-VUL-6185, VU#247744, VU#386964, VU#423396, VU#547300.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

Certain ASN.1 structures can generate an error leading to an infinite loop which consumes system memory. This condition thus allows a denial of service on the system. [severity:3/4; BID-20248, CERTA-2006-AVI-421, CERTA-2006-AVI-448, CERTA-2006-AVI-521, CERTA-2008-AVI-141, CVE-2006-2937, VU#247744]

Certain types of public keys encoded with ASN.1 can take an extremely long time to decode. An attacker can thus use this vulnerability to generate a denial of service. [severity:3/4; BID-20247, CERTA-2007-AVI-051, CVE-2006-2940, VU#423396]

A buffer overflow in the SSL_get_shared_ciphers() function permits an attacker to run code on the system by sending a succession of malicious packets to an application using OpenSSL. [severity:3/4; BID-20249, CVE-2006-3738, VU#547300]

An attacker can create a malicious SSLv2 server in order to generate a denial of service on connected clients. [severity:2/4; BID-20246, CVE-2006-4343, VU#386964]