The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of HPE Switch Comware

computer vulnerability bulletin CVE-2013-7306 CVE-2013-7307 CVE-2013-7308

OSPF: corrupting the routing database

Synthesis of the vulnerability

An attacker can spoof OSPF messages, in order to corrupt the routing database.
Impacted products: CheckPoint IP Appliance, IPSO, CheckPoint Security Gateway, Cisco ASR, ASA, Cisco Catalyst, IOS by Cisco, IOS XE Cisco, Nexus by Cisco, NX-OS, Cisco Router, ProCurve Switch, HP Switch, Juniper E-Series, Juniper J-Series, JUNOSe, Junos OS, NetScreen Firewall, ScreenOS.
Severity: 3/4.
Consequences: data creation/edition, data deletion.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 9.
Creation date: 28/01/2014.
Identifiers: BID-65140, BID-65157, BID-65161, BID-65162, BID-65163, BID-65166, BID-65167, BID-65169, BID-65170, c03880910, CERTA-2013-AVI-487, cisco-sa-20130801-lsaospf, CSCug34469, CSCug34485, CSCug39762, CSCug39795, CSCug63304, CVE-2013-7306, CVE-2013-7307, CVE-2013-7308, CVE-2013-7309, CVE-2013-7310, CVE-2013-7311, CVE-2013-7312, CVE-2013-7313, CVE-2013-7314, HPSBHF02912, JSA10575, JSA10580, sk94490, VIGILANCE-VUL-14148, VU#229804.

Description of the vulnerability

RFC 2328 defines the OSPF (Open Shortest Path First) protocol, which establishes IP routes using LSA (Link State Advertisement) messages.

The LSA Type 1 Update (LSU, Link-State Update) message is used to update the routing database. However, the RFC does not require checking the "Link State ID" and "Advertising Router" fields of LSU messages. Several implementations do not check for duplicates before editing their databases.

An attacker can therefore spoof OSPF messages, in order to corrupt the routing database.

This vulnerability is similar to VIGILANCE-VUL-13192.

vulnerability announce CVE-2013-2340 CVE-2013-2341

HP Switch, Router: information disclosure and code execution

Synthesis of the vulnerability

An attacker can send specially crafted data to an HP switch or router, in order to obtain sensitive information or to make the node execute code.
Impacted products: HP Switch.
Severity: 4/4.
Consequences: privileged access/rights, data reading.
Provenance: LAN.
Number of vulnerabilities in this bulletin: 2.
Creation date: 01/07/2013.
Identifiers: BID-60881, BID-60882, c03808969, CERTA-2013-AVI-386, CVE-2013-2340, CVE-2013-2341, HPSBHF02888, SSRT100917, SSRT101120, VIGILANCE-VUL-13022.

Description of the vulnerability

An attacker can send specially crafted data to an HP switch or router, in order to obtain sensitive information or to make the node execute code.

vulnerability CVE-2013-2566

SSL/TLS: obtaining messages encrypted by RC4

Synthesis of the vulnerability

When an attacker has 2^30 RC4 encrypted messages with different keys, he can guess the clear text message.
Impacted products: DCFM Enterprise, Brocade Network Advisor, Brocade vTM, Avamar, BIG-IP Hardware, TMOS, HP Switch, Opera, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Oracle OIT, Oracle Virtual Directory, WebLogic, Oracle Web Tier, SSL protocol.
Severity: 1/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 15/03/2013.
Identifiers: 523628, BID-58796, BSA-2015-007, c05336888, cpuapr2017, cpujan2018, cpuoct2016, cpuoct2017, CVE-2013-2566, DSA-2018-124, HPSBHF03673, SOL14638, VIGILANCE-VUL-12530.

Description of the vulnerability

An SSL/TLS session can negotiate different encryption algorithms.

The RC4 algorithm uses a continuous stream of bytes generated from the key. This stream is then combined (XOR) with the clear text message.

However, the generated stream is biased. A statistical analysis of millions of encrypted messages shows this bias.

When an attacker has 2^30 (minimum 2^24) RC4 encrypted messages with different keys, he can therefore guess the clear text message. This vulnerability is hard to exploit because of the quantity of messages required to perform the attack.
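To make the keystream bias concrete, the following added example (not part of the bulletin) counts how often the second RC4 keystream byte takes a given value over many keys. It measures one well-known bias, the second byte leaning toward zero, which is an assumption chosen for illustration; the bulletin does not say which biases the analysis relies on. The function names, the fixed seed and the 16-byte key length are likewise assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Plain RC4: run the key schedule, then return the 2nd keystream byte. */
static uint8_t rc4_second_byte(const uint8_t *key, size_t klen)
{
    uint8_t S[256], tmp, z = 0;
    unsigned i, j = 0;

    for (i = 0; i < 256; i++)
        S[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {               /* key scheduling */
        j = (j + S[i] + key[i % klen]) & 0xff;
        tmp = S[i]; S[i] = S[j]; S[j] = tmp;
    }
    i = j = 0;
    for (int n = 0; n < 2; n++) {             /* two output steps */
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        tmp = S[i]; S[i] = S[j]; S[j] = tmp;
        z = S[(S[i] + S[j]) & 0xff];
    }
    return z;
}

/* Constructed experiment: `trials` 128-bit keys drawn from xorshift32
 * (not a CSPRNG, adequate for counting). Returns how many keys give a
 * second keystream byte equal to `value`. */
unsigned count_second_byte(uint32_t trials, uint8_t value)
{
    uint32_t x = 0x12345678u;                 /* fixed seed: repeatable */
    uint8_t key[16];
    unsigned hits = 0;

    for (uint32_t t = 0; t < trials; t++) {
        for (int k = 0; k < 16; k++) {
            x ^= x << 13; x ^= x >> 17; x ^= x << 5;
            key[k] = (uint8_t)(x >> 24);
        }
        hits += (rc4_second_byte(key, 16) == value);
    }
    return hits;
}

int main(void)
{
    uint32_t n = 1u << 18;
    printf("uniform expectation: %u\n", (unsigned)(n / 256));
    printf("second byte == 0x00: %u\n", count_second_byte(n, 0x00));
    printf("second byte == 0x80: %u\n", count_second_byte(n, 0x80));
    return 0;
}
```

A uniform stream would give every value about the same count; the zero count comes out at roughly twice that, which is the practical argument for disabling RC4 cipher suites.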

vulnerability note CVE-2012-0036

cURL: two vulnerabilities

Synthesis of the vulnerability

An attacker can use two vulnerabilities of cURL, in order to inject IMAP/POP3/SMTP commands or to obtain HTTPS cookies.
Impacted products: curl, Debian, Fedora, HP Switch, Mandriva Linux, openSUSE.
Severity: 2/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 24/01/2012.
Identifiers: adv_20120124, BID-51665, CVE-2012-0036, DSA-2398-1, DSA-2398-2, FEDORA-2012-0888, FEDORA-2012-0894, HPESBHF03760, MDVSA-2012:058, openSUSE-SU-2012:0199-1, openSUSE-SU-2012:0229-1, VIGILANCE-VUL-11314.

Description of the vulnerability

Two vulnerabilities were announced in cURL.

The Curl_urldecode() function does not filter special characters such as line feeds. An attacker can therefore force cURL to use a URL containing "%0d%0a", in order to inject line feeds in some protocols such as IMAP, POP3 and SMTP. The attacker can then inject new commands. [severity:2/4; adv_20120124, BID-51665, CVE-2012-0036]

The bulletin VIGILANCE-VUL-11014 describes a vulnerability of OpenSSL which can be used by an attacker to obtain HTTPS cookies. This vulnerability is corrected in recent versions of OpenSSL; however, cURL uses the SSL_OP_ALL bitmask, which disables this protection. [severity:1/4]
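For the first issue above (Curl_urldecode() letting decoded line feeds through), this added example shows a percent-decoder that refuses control characters before the result is used in a line-oriented protocol. It is illustrative code written for this page, not curl's own fix; `decode_reject_ctrl` and `hexval` are hypothetical names and the inputs are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if `c` is not a hex digit. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Hypothetical helper: percent-decode `in` into `out` (capacity `cap`).
 * Rejects malformed escapes and any decoded byte below 0x20 or equal to
 * 0x7f, so an encoded CR, LF or NUL never reaches IMAP/POP3/SMTP.
 * Returns the decoded length, or -1 when the input is refused. */
int decode_reject_ctrl(const char *in, char *out, size_t cap)
{
    size_t n = 0;

    if (cap == 0) return -1;
    while (*in) {
        unsigned char c = (unsigned char)*in++;
        if (c == '%') {
            int hi = hexval((unsigned char)in[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[1]);
            if (lo < 0) return -1;            /* "%", "%4", "%zz" ... */
            c = (unsigned char)(hi * 16 + lo);
            in += 2;
        }
        if (c < 0x20 || c == 0x7f) return -1; /* control character */
        if (n + 1 >= cap) return -1;          /* keep room for the NUL */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[64];
    /* Constructed inputs: a normal mailbox path and one carrying %0d%0a. */
    printf("%d\n", decode_reject_ctrl("INBOX%2FDrafts", buf, sizeof buf));
    printf("%d\n", decode_reject_ctrl("INBOX%0d%0aNOOP", buf, sizeof buf));
    return 0;
}
```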

vulnerability bulletin CVE-2008-7270 CVE-2010-4180

OpenSSL: changing ciphersuite

Synthesis of the vulnerability

When a server uses OpenSSL, a remote attacker can change the ciphersuite, in order to force the usage of a weaker algorithm.
Impacted products: ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, Debian, Fedora, ProCurve Switch, HP Switch, HP-UX, AIX, NSM Central Manager, NSMXpress, Mandriva Linux, NetBSD, OpenSSL, openSUSE, Solaris, Trusted Solaris, RHEL, JBoss EAP by Red Hat, Slackware, SUSE Linux Enterprise Desktop, SLES, ESX, ESXi, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 03/12/2010.
Identifiers: BID-45164, BID-45254, c02737002, c03819065, CERTA-2010-AVI-590, CERTA-2011-AVI-052, CERTA-2011-AVI-609, CERTA-2012-AVI-479, CVE-2008-7270, CVE-2010-4180, DSA-2141-1, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, ESXi410-201208101-SG, ESXi500-201212102-SG, FEDORA-2010-18736, FEDORA-2010-18765, HPSBPV02891, HPSBUX02638, MDVSA-2010:248, openSUSE-SU-2011:0014-1, openSUSE-SU-2011:0845-1, openSUSE-SU-2012:0199-1, openSUSE-SU-2012:0229-1, PSN-2012-11-767, RHSA-2010:0977-01, RHSA-2010:0978-01, RHSA-2010:0979-01, RHSA-2011:0896-01, RHSA-2011:0897-01, SA53, SSA:2010-340-01, SSRT100339, SUSE-SR:2011:001, SUSE-SR:2011:009, SUSE-SU-2011:0847-1, VIGILANCE-VUL-10173, VMSA-2011-0004.2, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005, VMSA-2012-0005.2, VMSA-2012-0012.1, VMSA-2012-0012.2, VMSA-2012-0013, VMSA-2012-0013.2, VMSA-2013-0003.

Description of the vulnerability

The SSL session caching feature saves sessions, to be reused later. An application can enable it with the SSL_CTX_set_session_cache_mode() function. For example, Apache httpd does not enable it.

The SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG flag allows a ciphersuite change, to resolve a compatibility problem with old Netscape web browsers.

However, when a server uses session caching and SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (or SSL_OP_ALL), a malicious client can use this feature to choose a weaker algorithm for the following sessions.

When a server uses OpenSSL, a remote attacker can therefore change the ciphersuite, in order to force the usage of a weaker algorithm.

computer vulnerability note CVE-2009-3238

Linux kernel: predicting get_random_int

Synthesis of the vulnerability

Integers generated by the get_random_int() function are sometimes predictable.
Impacted products: Debian, HP Switch, Linux, openSUSE, RHEL, SLES.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 23/10/2009.
Identifiers: BID-36788, CERTA-2002-AVI-244, CVE-2009-3238, DSA-1927-1, DSA-1928-1, DSA-1929-1, HPESBHF03836, RHSA-2009:1438-01, SUSE-SA:2009:054, SUSE-SA:2009:055, SUSE-SA:2010:012, VIGILANCE-VUL-9119.

Description of the vulnerability

The get_random_int() function of the drivers/char/random.c file generates random integer numbers.

However, this function is initialized with:
 - current->pid : current pid number
 - jiffies : clock
An attacker can thus statistically predict the generated random numbers.

Features calling get_random_int() can therefore use predictable values.

vulnerability alert CVE-2004-2761

SSL: creating a fake certification authority

Synthesis of the vulnerability

An attacker with significant resources can create a fake intermediary certification authority using an MD5 hash.
Impacted products: Brocade Network Advisor, Brocade vTM, ASA, IOS by Cisco, Cisco Router, Fedora, HP Switch, Notes, IE, Windows (platform) ~ not comprehensive, Firefox, SeaMonkey, Mozilla Suite, Opera, RHEL, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: data flow.
Provenance: internet server.
Creation date: 16/01/2009.
Identifiers: 17341, BID-33065, BSA-2016-004, c05336888, CSCsw88068, CSCsw90626, CVE-2004-2761, FEDORA-2009-1276, FEDORA-2009-1291, HPSBHF03673, RHSA-2010:0837-01, RHSA-2010:0838-01, VIGILANCE-VUL-8401, VU#836068.

Description of the vulnerability

At the end of 2008 (VIGILANCE-ACTU-1377), using a cluster of 200 game consoles, researchers used an MD5 collision to create a fake certification authority recognized by all browsers.

Here is a description of the attack:
 - The attacker chooses a Certification Authority (CA) using MD5 signatures (RapidSSL, FreeSSL, TC TrustCenter AG, RSA Data Security, Thawte, verisign.co.jp).
 - The attacker requests a certificate for a web site from this CA. This initial certificate is thus signed with MD5.
 - The attacker alters this certificate to transform it into an Intermediary Certification Authority (IAC), and then uses an MD5 collision to ensure it has the same MD5 as the initial certificate.
 - The attacker uses the IAC to generate a web site certificate (WS).
 - The attacker sets up a malicious web site, which presents the certificates for the WS and the IAC.
 - The victim connects to the web site. The victim's web browser contains the root certificate of the CA, which authenticates the IAC and then the WS.

No error message is displayed in the victim's browser, so the victim can then trust the attacker's web site.