The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of HP Tru64 UNIX

cybersecurity threat CVE-2010-4476

Java JRE: denial of service via a real

Synthesis of the vulnerability

An attacker can use a special double floating point number, in order to create an infinite loop in Java programs.
Severity: 3/4.
Creation date: 02/02/2011.
Identifiers: 1468291, BID-46091, c02729756, c02738573, c02746026, c02752210, c02775276, c02826781, c02906075, c03090723, c03316985, CERTA-2002-AVI-271, CERTA-2012-AVI-286, cpuapr2011, CVE-2010-4476, DSA-2161-1, DSA-2161-2, FEDORA-2011-1231, FEDORA-2011-1263, HPSBMU02690, HPSBTU02684, HPSBUX02633, HPSBUX02641, HPSBUX02642, HPSBUX02645, HPSBUX02685, HPSBUX02725, HPSBUX02777, IZ94331, javacpufeb2011, MDVSA-2011:054, openSUSE-SU-2011:0126-1, PM32175, PM32177, PM32184, PM32192, PM32194, RHSA-2011:0210-01, RHSA-2011:0211-01, RHSA-2011:0212-01, RHSA-2011:0213-01, RHSA-2011:0214-01, RHSA-2011:0282-01, RHSA-2011:0290-01, RHSA-2011:0291-01, RHSA-2011:0292-01, RHSA-2011:0299-01, RHSA-2011:0333-01, RHSA-2011:0334-01, RHSA-2011:0336-01, RHSA-2011:0348-01, RHSA-2011:0349-01, RHSA-2011:0880-01, SSRT100387, SSRT100390, SSRT100412, SSRT100415, SSRT100505, SSRT100569, SSRT100627, SSRT100854, SUSE-SA:2011:010, SUSE-SA:2011:014, SUSE-SR:2011:008, SUSE-SU-2011:0823-1, swg21469266, swg24030066, swg24030067, VIGILANCE-VUL-10321.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The number 2.2250738585072011e-308 is the "largest subnormal double number" (in base 2: 0x0fffffffffffff x 2^-1022).

On an x86 processor, the Java JRE uses the 80-bit x87 FPU registers to find, bit after bit, the closest real value. This loop stops when the remainder is smaller than the precision. However, with the number 2.225..., this stop condition is never true (the 80-bit value is rounded to 64 bits), and an infinite loop occurs.

An attacker can therefore use a special double floating point number, in order to create an infinite loop in Java programs.

The origin of this vulnerability is the same as VIGILANCE-VUL-10257.

weakness CVE-2009-3563

NTP: denial of service

Synthesis of the vulnerability

A remote attacker can send a specially crafted NTP MODE_PRIVATE query in order to generate a denial of service.
Severity: 2/4.
Creation date: 09/12/2009.
Identifiers: 025389-01, 1021781, 2009009932, 275590, 6902029, BID-37255, c01961950, c02737553, c03714526, CERTA-2010-AVI-002, CR131466, CVE-2009-3563, DSA-1948-1, FEDORA-2009-13046, FEDORA-2009-13090, FEDORA-2009-13121, FreeBSD-SA-10:02.ntpd, HPSBTU02496, HPSBUX02639, HPSBUX02859, IZ68659, IZ71047, IZ71071, IZ71093, IZ71608, IZ71610, IZ71611, IZ71613, IZ71614, MDVSA-2009:328, NetBSD-SA2010-005, PSN-2009-12-609, RHSA-2009:1648-01, RHSA-2009:1651-01, SOL10905, SSA:2009-343-01, SSRT090245, SSRT100293, SSRT101144, SUSE-SR:2009:020, VIGILANCE-VUL-9259, VMSA-2010-0004, VMSA-2010-0004.1, VMSA-2010-0004.2, VMSA-2010-0004.3, VMSA-2010-0009, VMSA-2010-0009.1.

Description of the vulnerability

The NTP protocol has several modes of operation.

The MODE_PRIVATE mode is used by ntpdc to query the state of the ntpd daemon. When ntpd receives an invalid MODE_PRIVATE request, it sends back a MODE_PRIVATE error. However, when ntpd receives a MODE_PRIVATE error, it sends it back to the sender, which generates a loop.

A remote attacker can therefore send a specially crafted NTP MODE_PRIVATE query in order to generate a denial of service.

weakness note CVE-2009-0696

BIND: denial of service of Dynamic Update

Synthesis of the vulnerability

An attacker can send a DNS Dynamic Update packet to a BIND server, which is master for a zone, in order to stop it, even if it is not configured for Dynamic Updates.
Severity: 3/4.
Creation date: 29/07/2009.
Identifiers: 264828, 538975, 6865903, BID-35848, c01835108, c01837667, CERTA-2009-AVI-302, CERTA-2009-AVI-413, CVE-2009-0696, DSA-1847-1, FEDORA-2009-8119, FreeBSD-SA-09:12.bind, HPSBTU02453, HPSBUX02451, MDVSA-2009:181, NetBSD-SA2009-013, RHSA-2009:1179-02, RHSA-2009:1180-01, RHSA-2009:1181-01, SSA:2009-210-01, SSRT090137, SSRT091037, SUSE-SA:2009:040, TLSA-2009-22, VIGILANCE-VUL-8897, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5, VU#725188.

Description of the vulnerability

A Dynamic Update packet is used to update records in a DNS server.

A DNS server can be authoritative (master or slave) for a zone.

There are several types of DNS requests: A, PTR, ANY, etc.

When BIND is configured as master for a zone, an attacker can send it a DNS Dynamic Update packet of type ANY for one of its RR records. The dns_db_findrdataset() function of the db.c file checks this packet before checking whether Dynamic Updates are allowed for this zone. However, as the packet is of type ANY (which is invalid in this case), an assertion error occurs in this function and stops BIND.

An attacker can therefore send a DNS Dynamic Update packet to a BIND server, which is master for a zone, in order to stop it, even if it is not configured for Dynamic Updates.

It can be noted that this vulnerability cannot be used to stop slave servers, so the DNS service is still partially alive.

cybersecurity announce CVE-2008-4314

Samba: memory fragment reading

Synthesis of the vulnerability

An attacker authenticated on Samba can use specific commands to obtain memory fragments from the daemon.
Severity: 1/4.
Creation date: 27/11/2008.
Identifiers: 249087, 6773861, BID-32494, c01839839, CERTA-2008-AVI-572, CVE-2008-4314, FEDORA-2008-10518, FEDORA-2008-10612, FEDORA-2008-10638, HPSBTU02454, SSA:2008-333-01, SSRT080172, SUSE-SR:2008:027, SUSE-SR:2009:001, VIGILANCE-VUL-8270.

Description of the vulnerability

The SMB/CIFS protocol successively defined several commands to encapsulate sub-commands: Trans, Trans2 and NTTrans. To use these commands, the user has to be authenticated.

When Samba handles these commands, offsets are incorrectly computed. The daemon can therefore read outside the memory area containing data, and store these bytes in the answer.

An attacker authenticated on Samba can therefore use specific commands to obtain memory fragments from the daemon.

weakness announce CVE-2008-4414

HP Tru64 UNIX: privilege elevation via AdvFS

Synthesis of the vulnerability

A local attacker can use AdvFS in order to elevate his privileges.
Severity: 2/4.
Creation date: 07/11/2008.
Identifiers: BID-32160, c01599842, CERTA-2008-AVI-548, CVE-2008-4414, HPSBTU02383, SSRT080098, VIGILANCE-VUL-8228.

Description of the vulnerability

The AdvFS filesystem can be installed as an option under Tru64 UNIX. The /usr/sbin/showfile command displays the attributes of an AdvFS file.

A local attacker can use showfile to elevate his privileges.

This vulnerability may be related to a buffer overflow occurring in this suid/sgid command.

security threat CVE-2007-4850 CVE-2008-0674 CVE-2008-2371

PHP 4: several vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP in order to create a denial of service or to execute code.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 8.
Creation date: 04/09/2008.
Identifiers: BID-27413, BID-27786, BID-30087, BID-30649, c01599836, c01650939, c01756421, c01905287, CERTA-2008-AVI-084, CERTA-2008-AVI-361, CERTA-2008-AVI-388, CERTA-2008-AVI-417, CERTA-2008-AVI-566, CERTA-2009-AVI-083, CERTA-2009-AVI-309, CVE-2007-4850, CVE-2008-0674, CVE-2008-2371, CVE-2008-2829, CVE-2008-3658, CVE-2008-3659, CVE-2008-3660, HPSBTU02382, HPSBUX02401, HPSBUX02431, HPSBUX02465, MDVSA-2008:125, MDVSA-2008:126, MDVSA-2008:127, MDVSA-2008:128, MDVSA-2008:129, MDVSA-2008:130, MDVSA-2009:021, MDVSA-2009:022, MDVSA-2009:023, MDVSA-2009:024, MDVSA-2009:065, RHSA-2009:0337-01, SSA:2008-247-01, SSRT080132, SSRT090005, SSRT090085, SSRT090192, TLSA-2008-27, TLSA-2009-2, VIGILANCE-VUL-8085.

Description of the vulnerability

Several vulnerabilities were announced in PHP 4.

When an attacker can change the PCRE regular expression, he can corrupt its memory in order, for example, to execute code (VIGILANCE-VUL-7593). [severity:1/4; BID-27786, CERTA-2008-AVI-084, CERTA-2009-AVI-309, CVE-2008-0674]

When the attacker can change the PCRE regular expression, he can corrupt its memory in order, for example, to execute code (VIGILANCE-VUL-7926). [severity:1/4; BID-30087, CERTA-2008-AVI-361, CERTA-2008-AVI-417, CVE-2008-2371]

An attacker can generate an overflow in memnstr(). [severity:2/4; BID-30649, CERTA-2009-AVI-083, CVE-2008-3659]

An attacker can create a malicious font in order to create a denial of service in imageloadfont() of ext/gd/gd.c. [severity:1/4; BID-30649, CERTA-2008-AVI-566, CVE-2008-3658]

A local attacker can use cURL functions to read files by bypassing safe mode restrictions (VIGILANCE-VUL-7524). [severity:1/4; BID-27413, CERTA-2008-AVI-388, CVE-2007-4850]

An attacker can set mbstring.func_overload in .htaccess in order to overwrite the global configuration. [severity:1/4]

When the FastCGI module is used, an attacker can use a filename containing several dots in order to create a denial of service. [severity:2/4; CVE-2008-3660]

A long IMAP query generates an overflow in the php_imap extension. [severity:2/4; CVE-2008-2829]

These vulnerabilities are local or remote depending on the context.

computer weakness CVE-2008-1447

DNS: cache poisoning

Synthesis of the vulnerability

An attacker can predict DNS queries in order to poison the DNS client or cache (caching resolver).
Severity: 3/4.
Creation date: 09/07/2008.
Revisions dates: 22/07/2008, 24/07/2008, 25/07/2008.
Identifiers: 107064, 239392, 240048, 6702096, 7000912, 953230, BID-30131, c01506861, c01660723, CAU-EX-2008-0002, CAU-EX-2008-0003, CERTA-2002-AVI-189, CERTA-2002-AVI-200, cisco-sa-20080708-dns, CR102424, CR99135, CSCso81854, CVE-2008-1447, draft-ietf-dnsext-forgery-resilience-05, DSA-1544-2, DSA-1603-1, DSA-1604-1, DSA-1605-1, DSA-1617-1, DSA-1619-1, DSA-1619-2, DSA-1623-1, FEDORA-2008-6256, FEDORA-2008-6281, FEDORA-2009-1069, FreeBSD-SA-08:06.bind, HPSBMP02404, HPSBTU02358, HPSBUX02351, MDVSA-2008:139, MS08-037, NetBSD-SA2008-009, powerdns-advisory-2008-01, PSN-2008-06-040, RHSA-2008:0533-01, RHSA-2008:0789-01, SOL8938, SSA:2008-191-02, SSA:2008-205-01, SSRT080058, SSRT090014, SUSE-SA:2008:033, TA08-190B, TLSA-2008-26, VIGILANCE-VUL-7937, VMSA-2008-0014, VMSA-2008-0014.1, VMSA-2008-0014.2, VU#800113.

Description of the vulnerability

The DNS protocol defines a 16-bit identifier to associate an answer with its query. When an attacker predicts this identifier and the UDP port number, he can send fake answers and thus poison the DNS cache.

Most implementations use a fixed port number, which increases the probability of a successful poisoning. As there is only one chance of success during the TTL period, and as the poisoning does not succeed on every attempt, this direct and old attack is not practical.

However, instead of poisoning the answer record, the attacker can poison additional records. Indeed, when the DNS client asks the address of www.example.com, the DNS server returns:
  www.example.com A 1.2.3.4 (answer)
  example.com NS dns.example.com (authoritative)
  dns.example.com A 1.2.3.5 (additional)

An attacker can therefore force the client to ask the resolution of several names (via a web page containing images for example): aaa.example.com, aab.example.com, ..., aaz.example.com. In his answers, the attacker then always provides the same additional malicious answer (www.example.com A 5.6.7.8). Even if, for example, only aab.example.com is poisoned, its additional record (www.example.com = 5.6.7.8) will be stored in the cache.

An attacker can therefore poison the DNS cache/client and redirect all users to a malicious site.

security bulletin CVE-2007-4769 CVE-2007-4772 CVE-2007-6067

PostgreSQL: several vulnerabilities

Synthesis of the vulnerability

A local attacker can create a denial of service or elevate his privileges via PostgreSQL.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 07/01/2008.
Revisions dates: 11/01/2008, 06/03/2008.
Identifiers: 103197, 200559, c01420154, CERTA-2002-AVI-163, CERTA-2008-AVI-005, CVE-2007-4769, CVE-2007-4772, CVE-2007-6067, CVE-2007-6600, CVE-2007-6601, DSA-1460-1, DSA-1463-1, DSA-2019-131, FEDORA-2008-0478, FEDORA-2008-0552, HPSBTU02325, MDVSA-2008:004, openSUSE-SU-2016:0531-1, openSUSE-SU-2016:0578-1, RHSA-2008:0038-01, RHSA-2008:0039-01, RHSA-2008:0040-01, SSRT080006, SUSE-SA:2008:005, SUSE-SU-2016:0539-1, SUSE-SU-2016:0555-1, SUSE-SU-2016:0677-1, TLSA-2008-6, VIGILANCE-VUL-7475.

Description of the vulnerability

Several vulnerabilities affect PostgreSQL.

A local attacker can elevate his privileges via "expression indexes". Indeed, index functions are executed with "superuser" privileges during VACUUM and ANALYZE, and can contain privileged commands (SET ROLE and SET SESSION AUTHORIZATION). [severity:2/4; CVE-2007-6600]

An attacker can use a regular expression in order to create three denials of service (VIGILANCE-VUL-7643). The attacker needs SQL access or has to use an application that transmits a regular expression to PostgreSQL. [severity:1/4; CERTA-2008-AVI-005, CVE-2007-4769, CVE-2007-4772, CVE-2007-6067]

In the default configuration, a local attacker can use the dblink feature to elevate his privileges. [severity:2/4; CVE-2007-6601]

weakness note CVE-2007-6519

Tru64 UNIX: denial of service via FFM

Synthesis of the vulnerability

A local attacker can create a denial of service via File-on-File Mounting.
Severity: 1/4.
Creation date: 21/12/2007.
Identifiers: BID-26964, c01310389, CVE-2007-6519, HPSBTU02300, SSRT071452, VIGILANCE-VUL-7445.

Description of the vulnerability

The mount command permits mounting a local directory on another local directory via FFM (File-on-File Mounting File System).

A local attacker can create a denial of service via FFM.

cybersecurity threat CVE-2006-2937 CVE-2006-2940 CVE-2006-3738

OpenSSL: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities have been discovered in OpenSSL, the worst one leading to code execution.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 29/09/2006.
Revision date: 20/12/2007.
Identifiers: 102711, 102747, 20061001-01-P, 6476279, AK-2006-06, AK-2006-07, BID-20246, BID-20247, BID-20248, BID-20249, BID-26093, c00805100, c00849540, c00967144, CERTA-2006-AVI-421, CERTA-2006-AVI-448, CERTA-2006-AVI-454, CERTA-2006-AVI-521, CERTA-2007-AVI-051, CERTA-2008-AVI-141, cisco-sr-20061108-openssl, CSCek57074, CSCsg09619, CSCsg24311, CSCsg58599, CSCsg58607, CSCtx20378, CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4343, DSA-1185-1, DSA-1195-1, emr_na-c01203958-1, FEDORA-2006-1004, FreeBSD-SA-06:23.openssl, FSC-2006-6, HPSBTU02207, HPSBUX02174, HPSBUX02186, MDKSA-2006:172, MDKSA-2006:177, MDKSA-2006:178, NetBSD-SA2008-007, RHSA-2006:0695-01, RHSA-2008:0264-01, RHSA-2008:0525-01, SSA:2006-272-01, SSRT061213, SSRT061239, SSRT071299, SSRT071304, SUSE-SA:2006:058, SUSE-SR:2006:024, TLSA-2006-33, TLSA-2007-52, VIGILANCE-VUL-6185, VU#247744, VU#386964, VU#423396, VU#547300.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

Certain ASN.1 structures can generate an error leading to an infinite loop which consumes system memory. This condition thus permits a denial of service on the system. [severity:3/4; BID-20248, CERTA-2006-AVI-421, CERTA-2006-AVI-448, CERTA-2006-AVI-521, CERTA-2008-AVI-141, CVE-2006-2937, VU#247744]

Certain types of public keys encoded with ASN.1 can take an extremely long time to decode. An attacker can thus use this vulnerability to generate a denial of service. [severity:3/4; BID-20247, CERTA-2007-AVI-051, CVE-2006-2940, VU#423396]

A buffer overflow in the SSL_get_shared_ciphers() function permits an attacker to run code on the system by sending a succession of malicious packets to an application using OpenSSL. [severity:3/4; BID-20249, CVE-2006-3738, VU#547300]

An attacker can create a malicious SSLv2 server in order to generate a denial of service on connected clients. [severity:2/4; BID-20246, CVE-2006-4343, VU#386964]