The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of HPUX

computer vulnerability note CVE-2012-4431

Apache Tomcat: bypass of countermeasures against CSRF

Synthesis of the vulnerability

An attacker can bypass Tomcat's checks that detect forged requests (CSRF), without holding any valid session identifier, in order to submit requests on another user's behalf.
Impacted products: Tomcat, Fedora, HP-UX, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Creation date: 05/12/2012.
Identifiers: BID-56814, c03734195, CERTA-2012-AVI-706, CERTA-2013-AVI-145, CERTFR-2014-AVI-112, CVE-2012-4431, FEDORA-2012-20151, HPSBUX02866, openSUSE-SU-2012:1700-1, openSUSE-SU-2012:1701-1, openSUSE-SU-2013:0147-1, openSUSE-SU-2013:0161-1, openSUSE-SU-2013:0192-1, RHSA-2013:0265-01, RHSA-2013:0266-01, RHSA-2013:0267-01, RHSA-2013:0268-01, RHSA-2013:0647-01, RHSA-2013:0648-01, RHSA-2013:0665-01, RHSA-2013:1437-01, RHSA-2013:1853-01, SSRT101139, VIGILANCE-VUL-12209.

Description of the vulnerability

An attacker can bypass the checks that detect forged requests (CSRF), without holding any valid session identifier, in order to submit requests on another user's behalf.

Technical details are unknown.

computer vulnerability bulletin CVE-2012-3546

Apache Tomcat: authentication bypass via URL mangling

Synthesis of the vulnerability

An attacker who must authenticate through a form can append /j_security_check to the URL, in order to bypass the authentication process.
Impacted products: Tomcat, Debian, Fedora, HPE NNMi, HP-UX, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 05/12/2012.
Identifiers: BID-56812, c03734195, c03824583, CERTA-2012-AVI-706, CERTA-2013-AVI-145, CERTA-2013-AVI-440, CERTFR-2014-AVI-112, CVE-2012-3546, DSA-2725-1, FEDORA-2012-20151, HPSBMU02894, HPSBUX02866, openSUSE-SU-2012:1700-1, openSUSE-SU-2012:1701-1, openSUSE-SU-2013:0147-1, RHSA-2013:0004-01, RHSA-2013:0005-01, RHSA-2013:0146-01, RHSA-2013:0147-01, RHSA-2013:0151-01, RHSA-2013:0157-01, RHSA-2013:0158-01, RHSA-2013:0162-01, RHSA-2013:0163-01, RHSA-2013:0164-01, RHSA-2013:0191-01, RHSA-2013:0192-01, RHSA-2013:0193-01, RHSA-2013:0194-01, RHSA-2013:0195-01, RHSA-2013:0196-01, RHSA-2013:0197-01, RHSA-2013:0198-01, RHSA-2013:0221-01, RHSA-2013:0235-01, RHSA-2013:0623-01, RHSA-2013:0640-01, RHSA-2013:0641-01, RHSA-2013:0642-01, SSRT101139, VIGILANCE-VUL-12208.

Description of the vulnerability

The URL suffix /j_security_check has a special meaning in form-based authentication.

Some Tomcat components other than the one that checks passwords can set the account used to validate the remote user's accesses (the principal). However, when the requested URL ends with this special suffix, these assignments interact badly with the rule that access to the error pages and the login form must always be granted, which terminates credential validation prematurely.

An attacker who must authenticate through a form can therefore append /j_security_check to the URL, in order to bypass the authentication process.

computer vulnerability announce CVE-2012-4534

Apache Tomcat: denial of service via SSL and NIO

Synthesis of the vulnerability

An attacker who reaches Tomcat through the NIO connector over an SSL-enabled connection can cause excessive CPU consumption, in order to deny service.
Impacted products: Tomcat, Debian, Fedora, HP-UX, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, Unix (platform) ~ not comprehensive, vCenter Server, VMware vSphere.
Severity: 2/4.
Creation date: 05/12/2012.
Identifiers: BID-56813, c03734195, CERTA-2012-AVI-706, CERTA-2013-AVI-145, CERTFR-2014-AVI-112, CVE-2012-4534, DSA-2725-1, FEDORA-2012-20151, HPSBUX02866, openSUSE-SU-2013:0161-1, openSUSE-SU-2013:0170-1, openSUSE-SU-2013:0192-1, RHSA-2013:0265-01, RHSA-2013:0266-01, RHSA-2013:0623-01, SSRT101139, VIGILANCE-VUL-12207, VMSA-2013-0006.

Description of the vulnerability

The vulnerability applies under the following conditions:
 - Tomcat is configured to use the NIO connector.
 - Tomcat uses the sendfile() system call, which requires a static response body.
 - The connection uses HTTP over SSL.

In that case, when the attacker half-closes the TCP connection and discards the TCP data it receives, Tomcat enters a CPU-intensive endless loop while attempting to send the response body.

An attacker who reaches Tomcat through the NIO connector over an SSL-enabled connection can therefore cause excessive CPU consumption, in order to deny service.

vulnerability note CVE-2012-4557

Apache httpd: denial of service via mod_proxy_ajp

Synthesis of the vulnerability

When a web server consists of Apache httpd with mod_proxy_ajp in front of a Tomcat server, an attacker can send a request that requires a long processing time, in order to make httpd disconnect the Tomcat server.
Impacted products: Debian, HP-UX, openSUSE, RHEL.
Severity: 3/4.
Creation date: 30/11/2012.
Identifiers: 871685, BID-56753, c03734195, c03820647, CVE-2012-4557, DSA-2579-1, HPSBUX02866, openSUSE-SU-2013:0243-1, openSUSE-SU-2013:0248-1, RHSA-2013:0512-02, SSRT101139, VIGILANCE-VUL-12194.

Description of the vulnerability

The mod_proxy module provides a generic proxy service for Apache httpd. The mod_proxy_ajp module adds support for AJP13 (Apache JServ Protocol version 1.3), which is used with Tomcat.

The mod_proxy_ajp module manages the list of Tomcat servers it forwards requests to, together with their state (working or not). When a Tomcat server does not reply at all or sends an invalid response, the module marks it as not working. However, the function ajp_ilink_receive() in the file modules/proxy/ajp_link.c does not distinguish between a timeout (error code APR_TIMEUP) and a faulty response (error code AJP_ENO_HEADER), so a timeout makes the httpd module consider the Tomcat process faulty.

When a web server consists of Apache httpd with mod_proxy_ajp in front of a Tomcat server, an attacker can therefore send a request that requires a long processing time, in order to make httpd disconnect the Tomcat server.

vulnerability bulletin CVE-2012-5885 CVE-2012-5886 CVE-2012-5887

Apache Tomcat: bypassing the DIGEST authentication

Synthesis of the vulnerability

When Apache Tomcat uses HTTP DIGEST authentication, an attacker can replay a previously captured session, and thus access protected resources.
Impacted products: Tomcat, Debian, HP-UX, NSMXpress, MES, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat.
Severity: 3/4.
Creation date: 06/11/2012.
Identifiers: BID-56403, c03734195, CERTA-2012-AVI-629, CERTA-2013-AVI-145, CERTFR-2014-AVI-112, CVE-2012-3439-REJECT, CVE-2012-5885, CVE-2012-5886, CVE-2012-5887, DSA-2725-1, HPSBUX02866, JSA10600, MDVSA-2013:004, openSUSE-SU-2012:1700-1, openSUSE-SU-2012:1701-1, openSUSE-SU-2013:0147-1, RHSA-2013:0265-01, RHSA-2013:0266-01, RHSA-2013:0623-01, RHSA-2013:0629-01, RHSA-2013:0631-01, RHSA-2013:0632-01, RHSA-2013:0633-01, RHSA-2013:0640-01, RHSA-2013:0647-01, RHSA-2013:0648-01, RHSA-2013:0665-01, RHSA-2013:0726-01, RHSA-2013:1006-01, SSRT101139, VIGILANCE-VUL-12113.

Description of the vulnerability

The HTTP Digest authentication defined in RFC 2617 combines several elements:
  HA1 = MD5(username:realm:password)
  HA2a = MD5(HTTP-METHOD:uri)
  HA2b = MD5(HTTP-METHOD:uri:MD5(body-of-query))
  if qop == "auth" then HA2 = HA2a; if qop == "auth-int" then HA2 = HA2b
  digest = MD5(HA1:nonce:nc:cnonce:qop:HA2)
Where:
 - realm: service name
 - nonce: server random (the server can indicate that it is "stale", which means already used)
 - cnonce: client random
 - nc: incremented counter
 - qop: requested level: auth or auth-int

However, the Apache Tomcat implementation of HTTP Digest authentication is impacted by three vulnerabilities.

The Tomcat server tracks the nonces (and nc) of clients, instead of detecting duplicates of the server's own nonces. [severity:2/4; CVE-2012-5885]

When a session identifier is present, the authentication is bypassed. [severity:3/4; CVE-2012-5886]

When the nonce is stale, Tomcat does not check the user name and the password, and accepts the session. [severity:3/4; CVE-2012-5887]

When Apache Tomcat uses HTTP DIGEST authentication, an attacker can therefore replay a previously captured session, and thus access protected resources.
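The formula above carried through in code, as an added example that is neither the bulletin's nor Tomcat's own code: digest_response() is the client-side computation, and DigestVerifier is a hypothetical server-side checker that does the three things the bulletin says Tomcat failed to do (it tracks the nonces it issued itself, rejects a repeated nc as a replay, and always recomputes the credentials, stale nonce or not). The user store and nonce format are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str, qop: str,
                    body: bytes = b"") -> str:
    """Client side: the HA1 / HA2 / digest computation quoted in the bulletin."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    if qop == "auth":
        ha2 = _md5(f"{method}:{uri}")
    elif qop == "auth-int":
        ha2 = _md5(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    else:
        raise ValueError(f"unsupported qop: {qop!r}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side (hypothetical, not Tomcat's code): remembers the nonces *it*
    issued and the highest nc accepted for each, so a captured (nonce, nc,
    response) triple cannot be replayed, and checks credentials every time."""

    def __init__(self, realm: str, users: Dict[str, str]) -> None:
        self.realm = realm
        self.users = users                 # username -> password (constructed sample store)
        self.issued: Dict[str, int] = {}   # server nonce -> highest nc accepted so far

    def issue_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.issued[nonce] = 0
        return nonce

    def verify(self, username: str, method: str, uri: str, nonce: str, nc: str,
               cnonce: str, qop: str, response: str,
               body: bytes = b"") -> Tuple[bool, str]:
        # 1. The nonce must be one this server handed out: anything else is
        #    treated as stale and rejected, never accepted without checking.
        if nonce not in self.issued:
            return False, "unknown or stale nonce"
        # 2. nc must strictly increase for a given nonce; a repeat is a replay.
        try:
            nc_value = int(nc, 16)
        except ValueError:
            return False, "malformed nc"
        if nc_value <= self.issued[nonce]:
            return False, "replayed nonce count"
        # 3. Credentials are always recomputed and compared in constant time.
        password = self.users.get(username)
        if password is None:
            return False, "unknown user"
        expected = digest_response(username, self.realm, password, method, uri,
                                   nonce, nc, cnonce, qop, body)
        if not hmac.compare_digest(expected, response):
            return False, "bad credentials"
        self.issued[nonce] = nc_value
        return True, "ok"
```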

vulnerability announce CVE-2012-2733

Apache Tomcat: denial of service via headers

Synthesis of the vulnerability

An attacker can send an HTTP query with large headers, in order to stop the HTTP NIO service of Apache Tomcat.
Impacted products: Tomcat, Debian, Fedora, HP-UX, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, Unix (platform) ~ not comprehensive, vCenter Server, VMware vSphere.
Severity: 3/4.
Creation date: 06/11/2012.
Identifiers: BID-56402, c03734195, CERTA-2012-AVI-629, CERTA-2013-AVI-145, CERTFR-2014-AVI-112, CVE-2012-2733, DSA-2725-1, FEDORA-2012-20151, HPSBUX02866, openSUSE-SU-2012:1700-1, openSUSE-SU-2012:1701-1, openSUSE-SU-2013:0147-1, RHSA-2013:0265-01, RHSA-2013:0266-01, SSRT101139, VIGILANCE-VUL-12112, VMSA-2013-0006.

Description of the vulnerability

The HTTP NIO connector processes HTTP queries for Apache Tomcat.

HTTP headers longer than maxHttpHeaderSize (4 KB by default) are rejected. However, the HTTP NIO connector performs this check too late: a long header can already have triggered an OutOfMemoryError exception.

An attacker can therefore send an HTTP query with large headers, in order to stop the HTTP NIO service of Apache Tomcat.

vulnerability announce CVE-2012-1531 CVE-2012-1532 CVE-2012-1533

Java JRE/JDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Java JRE/JDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Impacted products: Fedora, HP-UX, WebSphere MQ, Junos Space, Junos Space Network Management Platform, MES, Mandriva Linux, Windows (platform) ~ not comprehensive, Java OpenJDK, openSUSE, Java Oracle, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, ESX, VirtualCenter.
Severity: 3/4.
Creation date: 17/10/2012.
Identifiers: BID-55501, BID-55538, BID-56025, BID-56033, BID-56039, BID-56043, BID-56046, BID-56051, BID-56054, BID-56055, BID-56056, BID-56057, BID-56058, BID-56059, BID-56061, BID-56063, BID-56065, BID-56067, BID-56070, BID-56071, BID-56072, BID-56075, BID-56076, BID-56079, BID-56080, BID-56081, BID-56082, BID-56083, c03595351, CERTA-2012-AVI-576, CERTA-2012-AVI-746, CERTA-2013-AVI-094, CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4416, CVE-2012-4420, CVE-2012-5067, CVE-2012-5068, CVE-2012-5069, CVE-2012-5070, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5074, CVE-2012-5075, CVE-2012-5076, CVE-2012-5077, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5089, CVE-2012-5979-ERROR, DSECRG-12-039, ESX350-201302401-SG, FEDORA-2012-16346, FEDORA-2012-16351, IC89804, javacpuoct2012, MDVSA-2012:169, openSUSE-SU-2012:1419-1, openSUSE-SU-2012:1423-1, openSUSE-SU-2012:1424-1, RHSA-2012:1384-01, RHSA-2012:1385-01, RHSA-2012:1386-01, RHSA-2012:1391-01, RHSA-2012:1392-01, RHSA-2012:1465-01, RHSA-2012:1466-01, RHSA-2012:1467-01, RHSA-2012:1485-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SUSE-SU-2012:1398-1, SUSE-SU-2012:1489-1, SUSE-SU-2012:1489-2, SUSE-SU-2012:1490-1, SUSE-SU-2012:1588-1, SUSE-SU-2012:1595-1, swg21621958, swg21621959, VIGILANCE-VUL-12072, VMSA-2013-0001.2, VMSA-2013-0003.

Description of the vulnerability

Several vulnerabilities were announced in Java JRE/JDK. The most severe vulnerabilities lead to code execution.

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56025, CVE-2012-5083]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56033, CVE-2012-1531]

An attacker can use a vulnerability of Beans, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56039, CVE-2012-5086]

An attacker can use a vulnerability of Beans, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56043, CVE-2012-5087]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56046, CVE-2012-1533]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56051, CVE-2012-1532]

An attacker can use the class com.sun.org.glassfish.gmbal.util.GenericConstructor in order to execute arbitrary JVM code. [severity:3/4; BID-56054, CVE-2012-5076]

An attacker can use a vulnerability of JMX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56055, CVE-2012-3143]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56057, CVE-2012-5088]

An attacker can use a vulnerability of JMX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56059, CVE-2012-5089]

An attacker can use a vulnerability of Swing, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56063, CVE-2012-5084]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56072, CVE-2012-3159]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56076, CVE-2012-5068]

When a Java application uses an integer array and the Arrays.fill() method, the JRE does not initialize the array's memory area to zero, so an attacker can obtain a fragment of memory (VIGILANCE-VUL-11929). [severity:3/4; BID-55501, BID-55538, CVE-2012-4416, CVE-2012-4420]

An attacker can use a vulnerability of JAX-WS, in order to obtain or alter information. [severity:3/4; BID-56056, CVE-2012-5074]

An attacker can use a vulnerability of JMX, in order to obtain or alter information. [severity:3/4; BID-56061, CVE-2012-5071]

An attacker can use a vulnerability of Concurrency, in order to obtain or alter information. [severity:3/4; BID-56065, CVE-2012-5069]

An attacker can use a vulnerability of Deployment, in order to obtain information. [severity:2/4; BID-56070, CVE-2012-5067]

An attacker can use a vulnerability of JMX, in order to obtain information. [severity:2/4; BID-56079, CVE-2012-5070]

An attacker can use a vulnerability of JMX, in order to obtain information. [severity:2/4; BID-56081, CVE-2012-5075]

An attacker can use a vulnerability of Libraries, in order to alter information. [severity:2/4; BID-56080, CVE-2012-5073]

An attacker can use a vulnerability of Libraries, in order to alter information. [severity:2/4; BID-56082, CVE-2012-5079, CVE-2012-5979-ERROR]

An attacker can use a vulnerability of Security, in order to alter information. [severity:2/4; BID-56083, CVE-2012-5072]

An attacker can use a vulnerability of JSSE (ROBOT Attack VIGILANCE-VUL-24749), in order to create a denial of service. [severity:2/4; BID-56071, CVE-2012-5081]

An attacker can use a vulnerability of Libraries, in order to obtain information. [severity:1/4; BID-56075, CVE-2012-3216]

An attacker can use a vulnerability of Security, in order to obtain information. [severity:1/4; BID-56058, CVE-2012-5077]

An attacker can use a vulnerability of Gopher, in order to send packets. [severity:1/4; BID-56067, CVE-2012-5085, DSECRG-12-039]

vulnerability CVE-2012-5166

BIND: denial of service via Additional Records

Synthesis of the vulnerability

An attacker can use malicious Additional Resource Records, in order to lock up a BIND server.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, BIND, MES, Mandriva Linux, NLD, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 10/10/2012.
Identifiers: AA-00801, AA-00807, BID-55852, c03526327, CERTA-2012-AVI-569, CERTA-2012-AVI-601, CERTA-2012-AVI-602, CERTA-2012-AVI-603, CERTA-2012-AVI-679, CVE-2012-5166, DSA-2560-1, FEDORA-2012-15965, FEDORA-2012-15981, FreeBSD-SA-12:06.bind, HPSBUX02823, IV30364, IV30365, IV30366, IV30367, IV30368, MDVSA-2012:162, openSUSE-SU-2012:1372-1, openSUSE-SU-2013:0605-1, RHSA-2012:1363-01, RHSA-2012:1364-01, RHSA-2012:1365-01, sol14201, SSA:2012-284-01, SSA:2012-341-01, SSRT100976, SUSE-SU-2012:1390-1, SUSE-SU-2012:1390-2, SUSE-SU-2012:1390-3, VIGILANCE-VUL-12050.

Description of the vulnerability

A DNS response contains Resource Records in different sections:
 - Question: the question
 - Answer: the direct answer
 - Authority: information on the authoritative servers
 - Additional: additional information

The query_addadditional() function of the named/query.c file of BIND adds additional information to a reply. However, if a name is duplicated, an infinite loop occurs in the BIND service.

The origin of this duplicated name depends on the server type:
 - recursive server: the name comes from the reply of an authoritative server (this is the most probable attack configuration)
 - secondary authoritative server: the name comes from a zone transfer from the primary
 - primary authoritative server: the name comes from a loaded zone file

An attacker can therefore use malicious Additional Resource Records, in order to lock up a BIND server.

vulnerability announce CVE-2012-4929

SSL, TLS: obtaining HTTP Cookies via Deflate, CRIME

Synthesis of the vulnerability

An attacker who can control the HTTPS connections of the victim's web browser can use several SSL sessions compressed with Deflate, in order to recover HTTP headers such as cookies.
Impacted products: curl, Debian, Exim, Fedora, HP-UX, McAfee Email and Web Security, McAfee Email Gateway, Firefox, MySQL Enterprise, OpenSSL, openSUSE, SSL protocol, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Creation date: 14/09/2012.
Identifiers: BID-55704, c03734195, CRIME, CVE-2012-4929, DSA-2579-1, DSA-2626-1, DSA-2627-1, DSA-3253-1, FEDORA-2012-15194, FEDORA-2012-15203, FEDORA-2013-4403, FEDORA-2014-13764, FEDORA-2014-13777, HPSBUX02866, openSUSE-SU-2012:1420-1, openSUSE-SU-2013:0143-1, openSUSE-SU-2013:0154-1, openSUSE-SU-2013:0157-1, openSUSE-SU-2013:1630-1, RHSA-2013:0587-01, RHSA-2013:0636-01, RHSA-2014:0416-01, SB10052, SSRT101139, SUSE-SU-2012:1428-1, VIGILANCE-VUL-11952.

Description of the vulnerability

RFC 3749 adds support for compressing data before it is encrypted with SSL/TLS.

The Deflate compression algorithm replaces duplicate patterns by a reference. For example:
  hello mister hello madam
is compressed to:
  hello mister [reference] madam
So, the compression of a pattern already found is shorter than the compression of a pattern not yet seen. This difference in size thus indicates if the second pattern was already seen.

An HTTP cookie header looks like, for example:
  Cookie: secret=1234
If the attacker later adds "Cookie: secret=1234" in the HTTP body, the compressed string is shorter than if he had added "Cookie: secret=5678". This difference in size thus allows the cookie to be guessed character by character, using brute force.

An attacker who can control the HTTPS connections of the victim's web browser can therefore use several SSL sessions compressed with Deflate, in order to recover HTTP headers such as cookies.

This attack requires that the web browser supports the RFC 3749. This is not the case of Internet Explorer, Opera and Safari. However, Chrome and Firefox may be vulnerable (precise versions are not yet known).
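The size difference the bulletin describes, measured on constructed data, as an added illustration that is not part of the bulletin: Python's zlib stands in for the Deflate stage of RFC 3749, the request text is made up, and the same measurement with compression disabled shows why turning TLS compression off removes the signal.

```python
import zlib


def build_request(cookie_value: str, body: str) -> bytes:
    """Constructed sample request: the secret lives in the Cookie header; the
    body is the part an attacker-influenced page can vary (as the bulletin says)."""
    return (
        "POST /submit HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        f"Cookie: secret={cookie_value}\r\n"
        "\r\n"
        + body
    ).encode()


def transmitted_size(cookie_value: str, body: str, compression: bool = True) -> int:
    """Bytes handed to the record layer: Deflate-compressed when RFC 3749
    compression is on, or the raw length when compression is disabled."""
    data = build_request(cookie_value, body)
    return len(zlib.compress(data)) if compression else len(data)


def size_oracle(true_cookie: str, candidates, compression: bool = True):
    """Echo each candidate value into the body and record the resulting size.
    Returns (smallest candidate, {candidate: size}). With compression on, the
    echo that duplicates the header is replaced by a back-reference and comes
    out smaller; with compression off every size is identical, so the
    'smallest' candidate is just the first of a tie and carries no information."""
    sizes = {c: transmitted_size(true_cookie, f"Cookie: secret={c}", compression)
             for c in candidates}
    return min(sizes, key=sizes.get), sizes
```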

computer vulnerability bulletin CVE-2012-4244

ISC BIND: denial of service via RDATA 65535

Synthesis of the vulnerability

When the ISC BIND DNS server processes a record whose RDATA is larger than 65535 bytes, it stops.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, BIND, MES, Mandriva Linux, McAfee Email and Web Security, McAfee Email Gateway, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 2/4.
Creation date: 13/09/2012.
Identifiers: AA-00778, BID-55522, c03526327, CERTA-2012-AVI-500, CERTA-2012-AVI-601, CERTA-2012-AVI-679, CERTA-2013-AVI-337, CVE-2012-4244, DSA-2547-1, ESX400-201305001, ESX400-201305402-SG, ESX400-201305404-SG, ESX410-201301001, ESX410-201301401-SG, ESX410-201301402-SG, ESX410-201301403-SG, ESX410-201301405-SG, FEDORA-2012-14030, FEDORA-2012-14106, FreeBSD-SA-12:06.bind, HPSBUX02823, KB76394, MDVSA-2012:152, MDVSA-2012:152-1, openSUSE-SU-2012:1192-1, openSUSE-SU-2013:0605-1, RHSA-2012:1266-01, RHSA-2012:1267-01, RHSA-2012:1268-01, RHSA-2012:1365-01, sol13974, sol14201, SSA:2012-257-01, SSRT100976, SUSE-SU-2012:1199-1, SUSE-SU-2012:1333-1, VIGILANCE-VUL-11938, VMSA-2013-0001, VMSA-2013-0001.5, VMSA-2013-0003, VMSA-2013-0004.3, VMSA-2013-0007.

Description of the vulnerability

The DNS protocol uses records containing a name, a type, a class, and data stored in the RDATA field. For example (zone-file text representation):
  www.example.com IN A 192.168.1.1

The source code of ISC BIND checks if the size of a RDATA is larger than 65535 octets. The REQUIRE() macro stops the daemon if this size is exceeded.

However, ISC BIND accepts RDATA larger than 65535 octets and stores it without detecting the overflow. Then, when the data is used, the REQUIRE() macro stops the daemon.

In order to exploit this vulnerability:
 - on a recursive DNS server, the attacker must control an authoritative DNS server and induce a user to query its zone through the recursive DNS server
 - on a primary authoritative DNS server, the attacker must force it to load a malicious zone file
 - on a secondary (slave) authoritative DNS server, the attacker must put data on the primary server and wait for a zone transfer
The last two attack vectors require that the attacker already has elevated privileges on the victim's systems.

When the ISC BIND DNS server processes a record whose RDATA is larger than 65535 bytes, it therefore stops.