The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of HPE HP-UX

vulnerability announcement CVE-2015-1791

OpenSSL: use after free via NewSessionTicket

Synthesis of the vulnerability

An attacker who owns a malicious TLS server can send the NewSessionTicket message, to force the usage of a freed memory area in a client linked to OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Impacted products: ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco ATA, Cisco AnyConnect Secure Mobility Client, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Prime Network Control Systems, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco Unity ~ precise, Cisco WSA, Debian, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, HP Operations, HP Switch, HP-UX, AIX, IRAD, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper SBR, McAfee Email and Web Security, McAfee Email Gateway, McAfee Web Gateway, Data ONTAP, Snap Creator Framework, SnapManager, NetBSD, NetScreen Firewall, ScreenOS, Nodejs Core, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Palo Alto Firewall PA***, PAN-OS, pfSense, Pulse Connect Secure, Puppet, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu, WinSCP.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: internet client.
Creation date: 04/06/2015.
Identifiers: 1961569, 1964113, 1970103, 2003480, 2003620, 2003673, 9010038, 9010039, bulletinjul2015, c04760669, c05184351, c05353965, CERTFR-2015-AVI-431, CERTFR-2016-AVI-128, CERTFR-2016-AVI-303, cisco-sa-20150612-openssl, cpuapr2017, cpuoct2016, cpuoct2017, CTX216642, CVE-2015-1791, DSA-3287-1, FEDORA-2015-10047, FEDORA-2015-10108, FreeBSD-SA-15:10.openssl, HPSBGN03678, HPSBHF03613, HPSBUX03388, JSA10694, JSA10733, NetBSD-SA2015-008, NTAP-20150616-0001, openSUSE-SU-2015:1139-1, openSUSE-SU-2016:0640-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:1115-01, SA40002, SA98, SB10122, SOL16914, SSA:2015-162-01, SSRT102180, SUSE-SU-2015:1143-1, SUSE-SU-2015:1150-1, SUSE-SU-2015:1182-2, SUSE-SU-2015:1184-1, SUSE-SU-2015:1184-2, SUSE-SU-2015:1185-1, TSB16728, USN-2639-1, VIGILANCE-VUL-17062.

Description of the vulnerability

The TLS protocol uses the NewSessionTicket message to obtain a new session ticket (RFC 5077).

The ssl3_get_new_session_ticket() function of the ssl/s3_clnt.c file implements NewSessionTicket in an OpenSSL client. However, if the client is multi-threaded, this function frees a memory area before reusing it.

An attacker who owns a malicious TLS server can therefore send the NewSessionTicket message, to force the usage of a freed memory area in a client linked to OpenSSL, in order to trigger a denial of service, and possibly to execute code.

vulnerability CVE-2015-4000

TLS: weakening Diffie-Hellman via Logjam

Synthesis of the vulnerability

An attacker, positioned as a Man-in-the-Middle, can force the TLS client/server to accept a weak export algorithm, in order to more easily capture or alter exchanged data.
Impacted products: Apache httpd, Blue Coat CAS, ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, DCFM Enterprise, Brocade Network Advisor, Brocade vTM, Clearswift Email Gateway, Debian, Summit, Fedora, FileZilla Server, FreeBSD, HPE BSM, HPE NNMi, HP Operations, HP-UX, AIX, DB2 UDB, IRAD, Security Directory Server, SPSS Modeler, Tivoli Storage Manager, Tivoli System Automation, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper SBR, lighttpd, ePO, Firefox, NSS, MySQL Community, MySQL Enterprise, Data ONTAP, Snap Creator Framework, SnapManager, NetBSD, nginx, Nodejs Core, OpenSSL, openSUSE, openSUSE Leap, Solaris, Palo Alto Firewall PA***, PAN-OS, Percona Server, RealPresence Collaboration Server, RealPresence Distributed Media Application, RealPresence Resource Manager, Polycom VBP, Postfix, SSL protocol, Pulse Connect Secure, Puppet, RHEL, JBoss EAP by Red Hat, Sendmail, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu, WinSCP.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet server.
Creation date: 20/05/2015.
Revision date: 20/05/2015.
Identifiers: 1610582, 1647054, 1957980, 1958984, 1959033, 1959539, 1959745, 1960194, 1960418, 1960862, 1962398, 1962694, 1963151, 9010038, 9010039, 9010041, 9010044, BSA-2015-005, bulletinjan2016, bulletinjul2015, c04725401, c04760669, c04767175, c04770140, c04773119, c04773241, c04774058, c04778650, c04832246, c04918839, c04926789, CERTFR-2016-AVI-303, CTX216642, CVE-2015-4000, DLA-507-1, DSA-3287-1, DSA-3300-1, DSA-3688-1, FEDORA-2015-10047, FEDORA-2015-10108, FEDORA-2015-9048, FEDORA-2015-9130, FEDORA-2015-9161, FreeBSD-EN-15:08.sendmail, FreeBSD-SA-15:10.openssl, HPSBGN03399, HPSBGN03407, HPSBGN03411, HPSBGN03417, HPSBHF03433, HPSBMU03345, HPSBMU03401, HPSBUX03363, HPSBUX03388, HPSBUX03435, HPSBUX03512, JSA10681, Logjam, NetBSD-SA2015-008, NTAP-20150616-0001, NTAP-20150715-0001, NTAP-20151028-0001, openSUSE-SU-2015:1139-1, openSUSE-SU-2015:1209-1, openSUSE-SU-2015:1216-1, openSUSE-SU-2015:1277-1, openSUSE-SU-2016:0226-1, openSUSE-SU-2016:0255-1, openSUSE-SU-2016:0261-1, openSUSE-SU-2016:2267-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:1072-01, RHSA-2015:1185-01, RHSA-2015:1197-01, RHSA-2016:2054-01, RHSA-2016:2055-01, RHSA-2016:2056-01, SA111, SA40002, SA98, SB10122, SSA:2015-219-02, SSRT102180, SSRT102254, SSRT102964, SSRT102977, SUSE-SU-2015:1143-1, SUSE-SU-2015:1150-1, SUSE-SU-2015:1177-1, SUSE-SU-2015:1177-2, SUSE-SU-2015:1181-1, SUSE-SU-2015:1181-2, SUSE-SU-2015:1182-2, SUSE-SU-2015:1183-1, SUSE-SU-2015:1183-2, SUSE-SU-2015:1184-1, SUSE-SU-2015:1184-2, SUSE-SU-2015:1185-1, SUSE-SU-2015:1268-1, SUSE-SU-2015:1268-2, SUSE-SU-2015:1269-1, SUSE-SU-2015:1581-1, SUSE-SU-2016:0224-1, SUSE-SU-2018:1768-1, TSB16728, USN-2624-1, USN-2625-1, USN-2656-1, USN-2656-2, VIGILANCE-VUL-16950, VN-2015-007.

Description of the vulnerability

The Diffie-Hellman algorithm is used to exchange cryptographic keys. The DHE_EXPORT suite uses prime numbers smaller than 512 bits.

The Diffie-Hellman algorithm is used by TLS. However, during the negotiation, an attacker, positioned as a Man-in-the-Middle, can force TLS to use DHE_EXPORT (even if stronger suites are available).

This vulnerability can then be combined with VIGILANCE-VUL-16951.

An attacker, positioned as a Man-in-the-Middle, can therefore force the TLS client/server to accept a weak export algorithm, in order to more easily capture or alter exchanged data.

computer vulnerability announcement CVE-2014-7810

Apache Tomcat: privilege escalation via Web Application

Synthesis of the vulnerability

An attacker can create a malicious application, and invite the administrator to install it on Apache Tomcat, in order to escalate his privileges.
Impacted products: Tomcat, Debian, HP-UX, Tivoli System Automation, WebSphere AS Traditional, Oracle Communications, Solaris, RHEL.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: document.
Creation date: 18/05/2015.
Identifiers: bulletinoct2015, c05054964, cpujul2018, CVE-2014-7810, DSA-3428-1, DSA-3447-1, DSA-3530-1, HPSBUX03561, ibm10729557, ibm10739953, RHSA-2015:1621-01, RHSA-2015:1622-01, RHSA-2016:0492-01, VIGILANCE-VUL-16917.

Description of the vulnerability

The Apache Tomcat administrator can agree to install web applications from untrusted sources.

However, these applications can use the Expression Language to bypass the Security Manager.

An attacker can therefore create a malicious application, and invite the administrator to install it on Apache Tomcat, in order to escalate his privileges.

computer vulnerability announcement CVE-2015-2783 CVE-2015-3329 CVE-2015-3330

PHP 5.6: eleven vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP 5.6.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, HP-UX, openSUSE, Solaris, PHP, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Consequences: user access/rights, data reading, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 11.
Creation date: 17/04/2015.
Revision dates: 17/04/2015, 30/04/2015.
Identifiers: 66550, 68819, 69152, 69218, 69227, 69316, 69324, 69337, 69353, 69441, bulletinjul2015, c04686230, CVE-2015-2783, CVE-2015-3329, CVE-2015-3330, CVE-2015-3411, CVE-2015-3412, CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603, CVE-2015-4604, CVE-2015-4605, DSA-3280-1, FEDORA-2015-6407, HPSBUX03337, openSUSE-SU-2015:0855-1, openSUSE-SU-2015:1197-1, RHSA-2015:1135-01, RHSA-2015:1187-01, RHSA-2015:1218-01, SOL17028, SOL17061, SSRT102066, SUSE-SU-2015:0868-1, SUSE-SU-2016:1638-1, USN-2658-1, VIGILANCE-VUL-16647.

Description of the vulnerability

Several vulnerabilities were announced in PHP 5.6.

An attacker can use a type error in exception::getTraceAsString, in order to obtain sensitive information. [severity:2/4; 69152, CVE-2015-4599]

An attacker can generate a memory corruption in php_stream_url_wrap_http_ex, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69337]

An attacker can use the null character, in order to access other files. [severity:2/4; 69353, CVE-2015-3411, CVE-2015-3412]

An attacker can use apache2handler, in order to execute code. [severity:3/4; 69218, CVE-2015-3330]

An attacker can force the usage of a freed memory area in php_curl, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69316]

An attacker can force a read at an invalid address in Phar, in order to trigger a denial of service. [severity:2/4; 69324, CVE-2015-2783]

An attacker can generate a buffer overflow in phar_set_inode, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69441, CVE-2015-3329]

An attacker can force the usage of a freed memory area in zval_scan, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69227]

An attacker can force the usage of a freed memory area in SQLite, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 66550]

An attacker can use a type error in SoapFault unserialize(), in order to obtain sensitive information. [severity:2/4; CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603]

An attacker can trigger a fatal error in Fileinfo, in order to trigger a denial of service. [severity:2/4; 68819, CVE-2015-4604, CVE-2015-4605]

computer vulnerability alert CVE-2015-2783 CVE-2015-3329 CVE-2015-3330

PHP 5.5: nine vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP 5.5.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, HP-UX, Solaris, PHP, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Consequences: user access/rights, data reading, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 9.
Creation date: 17/04/2015.
Revision date: 17/04/2015.
Identifiers: 69152, 69218, 69227, 69316, 69324, 69337, 69353, 69441, bulletinjul2015, c04686230, CERTFR-2015-AVI-187, CVE-2015-2783, CVE-2015-3329, CVE-2015-3330, CVE-2015-3411, CVE-2015-3412, CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603, DSA-3280-1, FEDORA-2015-6399, HPSBUX03337, MDVSA-2015:209, RHSA-2015:1135-01, RHSA-2015:1186-01, RHSA-2015:1218-01, SOL17028, SOL17061, SSRT102066, SUSE-SU-2015:0868-1, SUSE-SU-2015:1253-1, SUSE-SU-2015:1253-2, SUSE-SU-2016:1638-1, USN-2572-1, USN-2658-1, VIGILANCE-VUL-16646.

Description of the vulnerability

Several vulnerabilities were announced in PHP 5.5.

An attacker can use apache2handler, in order to execute code. [severity:3/4; 69218, CVE-2015-3330]

An attacker can use a type error in exception::getTraceAsString, in order to obtain sensitive information. [severity:2/4; 69152, CVE-2015-4599]

An attacker can generate a memory corruption in php_stream_url_wrap_http_ex, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69337]

An attacker can use the null character, in order to access other files. [severity:2/4; 69353, CVE-2015-3411, CVE-2015-3412]

An attacker can force the usage of a freed memory area in php_curl, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69316]

An attacker can force a read at an invalid address in Phar, in order to trigger a denial of service. [severity:2/4; 69324, CVE-2015-2783]

An attacker can generate a buffer overflow in phar_set_inode, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69441, CVE-2015-3329]

An attacker can force the usage of a freed memory area in zval_scan, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69227]

An attacker can use a type error in SoapFault unserialize(), in order to obtain sensitive information. [severity:2/4; CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603]

computer vulnerability CVE-2015-2301 CVE-2015-2783 CVE-2015-3329

PHP 5.4: eleven vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP 5.4.
Impacted products: Debian, BIG-IP Hardware, TMOS, HP-UX, openSUSE, Solaris, PHP, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Consequences: user access/rights, data reading, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 11.
Creation date: 17/04/2015.
Revision date: 17/04/2015.
Identifiers: 66550, 68901, 69152, 69218, 69316, 69324, 69337, 69353, 69441, bulletinjul2015, c04686230, CERTFR-2015-AVI-187, CVE-2015-2301, CVE-2015-2783, CVE-2015-3329, CVE-2015-3330, CVE-2015-3411, CVE-2015-3412, CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603, DSA-3280-1, HPSBUX03337, openSUSE-SU-2015:0855-1, openSUSE-SU-2015:1197-1, RHSA-2015:1053-01, RHSA-2015:1066-01, RHSA-2015:1135-01, RHSA-2015:1218-01, SOL17028, SOL17061, SSA:2015-111-10, SSRT102066, SUSE-SU-2015:0868-1, SUSE-SU-2015:1265-1, SUSE-SU-2016:1638-1, USN-2572-1, VIGILANCE-VUL-16645.

Description of the vulnerability

Several vulnerabilities were announced in PHP 5.4.

An attacker can use apache2handler, in order to execute code. [severity:3/4; 69218, CVE-2015-3330]

An attacker can use a type error in exception::getTraceAsString, in order to obtain sensitive information. [severity:2/4; 69152, CVE-2015-4599]

An attacker can generate a memory corruption in php_stream_url_wrap_http_ex, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69337]

An attacker can use the null character, in order to access other files. [severity:2/4; 69353, CVE-2015-3411, CVE-2015-3412]

An attacker can force the usage of a freed memory area in php_curl, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69316]

An attacker can force the usage of a freed memory area in phar_object.c, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 68901, CVE-2015-2301]

An attacker can force a read at an invalid address in Phar, in order to trigger a denial of service. [severity:2/4; 69324, CVE-2015-2783]

An attacker can generate a buffer overflow in phar_set_inode, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69441, CVE-2015-3329]

An attacker can generate a memory corruption in SoapFault unserialize(), in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69152]

An attacker can force the usage of a freed memory area in SQLite, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 66550]

An attacker can use a type error in SoapFault unserialize(), in order to obtain sensitive information. [severity:2/4; CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603]

vulnerability announcement CVE-2015-0240

Samba: use after free via NetLogon

Synthesis of the vulnerability

An unauthenticated attacker can force the usage of a freed memory area in NetLogon of Samba, in order to trigger a denial of service, and possibly to execute code with root privileges.
Impacted products: Debian, Fedora, HP-UX, OES, openSUSE, Solaris, RHEL, Samba, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Ubuntu.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on server, denial of service on service, denial of service on client.
Provenance: intranet client.
Creation date: 23/02/2015.
Revision date: 15/04/2015.
Identifiers: 7014420, bulletinjan2015, c04636672, CERTFR-2015-AVI-078, CVE-2015-0240, DSA-3171-1, FEDORA-2015-2519, FEDORA-2015-2538, HPSBUX03320, MDVSA-2015:081, MDVSA-2015:082, MDVSA-2015:083, openSUSE-SU-2015:0375-1, openSUSE-SU-2016:1064-1, openSUSE-SU-2016:1106-1, openSUSE-SU-2016:1107-1, openSUSE-SU-2016:1108-1, openSUSE-SU-2016:1440-1, RHSA-2015:0249-01, RHSA-2015:0250-01, RHSA-2015:0251-01, RHSA-2015:0252-01, RHSA-2015:0253-01, RHSA-2015:0254-01, RHSA-2015:0255-01, RHSA-2015:0256-01, RHSA-2015:0257-01, SSA:2015-064-01, SSRT101952, SUSE-SU-2015:0353-1, SUSE-SU-2015:0371-1, SUSE-SU-2015:0386-1, USN-2508-1, VIGILANCE-VUL-16242.

Description of the vulnerability

The Samba product implements the NetLogon service.

An unauthenticated attacker (NULL session over IPC) can use the RPC ServerPasswordSet() of NetLogon. However, the _netr_ServerPasswordSet() function frees a memory area before reusing it.

An unauthenticated attacker can therefore force the usage of a freed memory area in NetLogon of Samba, in order to trigger a denial of service, and possibly to execute code with root privileges.

vulnerability CVE-2014-0230

Apache Tomcat: denial of service via SwallowSize

Synthesis of the vulnerability

An attacker can upload an invalid file on Apache Tomcat, to consume a large amount of memory, in order to trigger a denial of service.
Impacted products: Tomcat, Debian, BIG-IP Hardware, TMOS, HP-UX, Oracle Communications, Solaris, RealPresence Collaboration Server, RealPresence Resource Manager, JBoss EAP by Red Hat, Ubuntu.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: internet client.
Creation date: 10/04/2015.
Identifiers: bulletinoct2015, c05054964, CERTFR-2015-AVI-204, cpujul2018, CVE-2014-0230, DSA-3530-1, HPSBUX03561, RHSA-2015:1621-01, RHSA-2015:1622-01, RHSA-2015:2659-01, RHSA-2015:2660-01, RHSA-2015:2661-01, RHSA-2016:0595-01, RHSA-2016:0596-01, RHSA-2016:0597-01, RHSA-2016:0599-01, SOL17123, USN-2654-1, USN-2655-1, VIGILANCE-VUL-16570.

Description of the vulnerability

The Apache Tomcat product offers a web service, which can accept file uploads.

However, when the Tomcat server intends to refuse an upload, it still reads the received file without a memory limit.

An attacker can therefore upload an invalid file on Apache Tomcat, to consume a large amount of memory, in order to trigger a denial of service.

computer vulnerability bulletin CVE-2015-1798 CVE-2015-1799

NTP.org: two vulnerabilities of Crypto

Synthesis of the vulnerability

An attacker can use two vulnerabilities related to cryptographic features of NTP.org.
Impacted products: Cisco ASR, Cisco ACE, ASA, Cisco Catalyst, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco PRSM, Cisco Router, Secure ACS, Debian, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP Switch, HP-UX, AIX, Meinberg NTP Server, NTP.org, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: data reading, data creation/edition, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 07/04/2015.
Identifiers: 2779, 2781, bulletinapr2015, c04679309, c05033748, cisco-sa-20150408-ntpd, CVE-2015-1798, CVE-2015-1799, DSA-3223-1, FEDORA-2015-5830, FEDORA-2015-5874, FreeBSD-SA-15:07.ntp, HPSBHF03557, HPSBUX03333, MDVSA-2015:202, ntp4_advisory, ntp_advisory3, openSUSE-SU-2015:0775-1, RHSA-2015:1459-01, RHSA-2015:2231-04, SOL16505, SOL16506, SSA:2015-111-08, SSRT102029, SUSE-SU-2015:1173-1, SUSE-SU-2016:1912-1, SUSE-SU-2016:2094-1, USN-2567-1, VIGILANCE-VUL-16548, VN-2015-006-NTP, VU#374268.

Description of the vulnerability

Several vulnerabilities were announced in NTP.org.

An attacker can use a message without MAC (Message Authentication Code), in order to bypass the authentication using a symmetric key. [severity:2/4; 2779, CVE-2015-1798]

An attacker can spoof a packet between two servers paired with a symmetric association, in order to trigger a denial of service. [severity:2/4; 2781, CVE-2015-1799]

computer vulnerability alert CVE-2015-2808

TLS: RC4 decryption via Bar Mitzvah

Synthesis of the vulnerability

An attacker can use the Bar Mitzvah Attack on TLS, in order to obtain sensitive information encrypted by RC4.
Impacted products: DCFM Enterprise, Brocade Network Advisor, Brocade vTM, Avamar, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, HPE BSM, HP Data Protector, HPE NNMi, HP Operations, SiteScope, HP Switch, HP-UX, AIX, DB2 UDB, Domino, Notes, IRAD, Security Directory Server, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, SnapManager, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Oracle OIT, Oracle Virtual Directory, WebLogic, Oracle Web Tier, SSL protocol, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 27/03/2015.
Identifiers: 1450666, 1610582, 1647054, 1882708, 1883551, 1883553, 1902260, 1903541, 1960659, 1963275, 1967498, 523628, 7014463, 7022958, 7045736, 9010041, 9010044, Bar Mitzvah, BSA-2015-007, c04708650, c04767175, c04770140, c04772305, c04773119, c04773241, c04777195, c04777255, c04832246, c04926789, c05085988, c05336888, cpujan2018, cpuoct2017, CVE-2015-2808, DSA-2018-124, HPSBGN03350, HPSBGN03393, HPSBGN03399, HPSBGN03407, HPSBGN03414, HPSBGN03415, HPSBGN03580, HPSBHF03673, HPSBMU03345, HPSBMU03401, HPSBUX03435, HPSBUX03512, NTAP-20150715-0001, NTAP-20151028-0001, RHSA-2015:1020-01, RHSA-2015:1021-01, RHSA-2015:1091-01, SOL16864, SSRT102254, SSRT102977, SUSE-SU-2015:1073-1, SUSE-SU-2015:1085-1, SUSE-SU-2015:1086-1, SUSE-SU-2015:1086-2, SUSE-SU-2015:1086-3, SUSE-SU-2015:1086-4, SUSE-SU-2015:1138-1, SUSE-SU-2015:1161-1, VIGILANCE-VUL-16486, VN-2015-004.

Description of the vulnerability

During the initialization of a TLS session, the client and the server negotiate cryptographic algorithms. The RC4 algorithm can be chosen to encrypt data.

For some weak keys (one in 2^24), the Invariance Weakness can be used to predict the two LSBs (Least Significant Bits) of the first 100 bytes encrypted with RC4. The first TLS message is "Finished" (36 bytes), thus an attacker can predict LSBs of 64 bytes.

An attacker can therefore use the Bar Mitzvah Attack on TLS, in order to obtain sensitive information encrypted by RC4.