The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Juniper Junos Space Route Insight

computer vulnerability announce CVE-2015-3209

QEMU, Xen: privilege escalation via the PCNET emulation

Synthesis of the vulnerability

An attacker can trigger a buffer overflow in the heap of the QEMU's driver for PCNET cards, in order to escalate his privileges in the host system.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Junos Space, openSUSE, oVirt, QEMU, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Xen.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user console.
Creation date: 11/06/2015.
Identifiers: CERTFR-2015-AVI-252, CERTFR-2015-AVI-431, CERTFR-2016-AVI-300, CVE-2015-3209, DSA-3284-1, DSA-3285-1, DSA-3286-1, FEDORA-2015-10001, FEDORA-2015-13402, FEDORA-2015-13404, FEDORA-2015-9965, FEDORA-2015-9978, JSA10698, openSUSE-SU-2015:1092-1, openSUSE-SU-2015:1094-1, RHSA-2015:1087-01, RHSA-2015:1088-01, RHSA-2015:1089-01, RHSA-2015:1189-01, SOL63519101, SUSE-SU-2015:1042-1, SUSE-SU-2015:1045-1, SUSE-SU-2015:1152-1, SUSE-SU-2015:1156-1, SUSE-SU-2015:1157-1, SUSE-SU-2015:1206-1, SUSE-SU-2015:1426-1, SUSE-SU-2015:1519-1, USN-2630-1, VIGILANCE-VUL-17107, XSA-135.

Description of the vulnerability

The Xen product uses QEMU to provide hardware emulation of virtual machines.

QEMU includes a driver for the Ethernet device PCNET. This driver allows frame chaining. However, this function allows the guest kernel to trigger a buffer overflow in the qemu process' heap. It can then overwrite a function pointer in the data structure that describes the frame to be sent, and so run arbitrary code in the host system with the qemu privileges, typically the administration privileges.

An attacker can therefore trigger a buffer overflow in the heap of the QEMU's driver for PCNET cards, in order to escalate his privileges in the host system.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2015-1159

CUPS: Cross Site Scripting of templating engine

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in the templating engine of CUPS, in order to execute JavaScript code in the context of the web site.
Impacted products: Debian, Fedora, Junos Space, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 10/06/2015.
Identifiers: CERTFR-2015-AVI-431, CVE-2015-1159, DSA-3283-1, FEDORA-2015-9726, FEDORA-2015-9801, JSA10702, openSUSE-SU-2015:1056-1, RHSA-2015:1123-01, SUSE-SU-2015:1041-1, SUSE-SU-2015:1044-1, SUSE-SU-2015:1044-2, USN-2629-1, VIGILANCE-VUL-17100, VU#810572.

Description of the vulnerability

The CUPS product offers a web interface for monitoring and print jobs submission.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in the templating engine of CUPS, in order to execute JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2015-1158

CUPS: privilege escalation via the dynamic linker

Synthesis of the vulnerability

An attacker can bypass access restrictions to administrative functions of CUPS, in order to escalate his privileges.
Impacted products: CUPS, Debian, Fedora, Junos Space, openSUSE, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: user shell.
Creation date: 08/06/2015.
Revision date: 09/06/2015.
Identifiers: 4609, CERTFR-2015-AVI-431, CVE-2015-1158, DSA-3283-1, FEDORA-2015-9726, FEDORA-2015-9801, JSA10702, openSUSE-SU-2015:1056-1, RHSA-2015:1123-01, SSA:2015-188-01, SUSE-SU-2015:1011-1, SUSE-SU-2015:1041-1, SUSE-SU-2015:1044-1, SUSE-SU-2015:1044-2, USN-2629-1, VIGILANCE-VUL-17079, VU#810572.

Description of the vulnerability

CUPS us a printing management system for Unix platforms.

It includes a Web interface, used for instance to submit print jobs. However, ill formed requests with more than one "nameWithLanguage" attributes lead to the ability to override a configuration file. This allows the attacker to modify the environment of launched programs with SetEnv commands, and so, via LD_PRELOAD variables, to make launched programs load and run external code compiled as shared object.

An attacker can therefore bypass access restrictions to administrative functions of CUPS, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2014-0112 CVE-2014-3569 CVE-2014-7809

Oracle MySQL: several vulnerabilities of April 2015

Synthesis of the vulnerability

Several vulnerabilities of Oracle MySQL were announced in April 2015.
Impacted products: Debian, Junos Space, MySQL Community, MySQL Enterprise, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Percona Server, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service, denial of service on client.
Provenance: user account.
Number of vulnerabilities in this bulletin: 26.
Creation date: 15/04/2015.
Identifiers: bulletinapr2016, bulletinapr2017, bulletinoct2015, CERTFR-2015-AVI-173, CERTFR-2015-AVI-431, CERTFR-2016-AVI-300, cpuapr2015, cpuoct2016, CVE-2014-0112, CVE-2014-3569, CVE-2014-7809, CVE-2015-0405, CVE-2015-0423, CVE-2015-0433, CVE-2015-0438, CVE-2015-0439, CVE-2015-0441, CVE-2015-0498, CVE-2015-0499, CVE-2015-0500, CVE-2015-0501, CVE-2015-0503, CVE-2015-0505, CVE-2015-0506, CVE-2015-0507, CVE-2015-0508, CVE-2015-0511, CVE-2015-2566, CVE-2015-2567, CVE-2015-2568, CVE-2015-2571, CVE-2015-2573, CVE-2015-2575, CVE-2015-2576, DLA-526-1, DSA-3229-1, DSA-3311-1, DSA-3621-1, JSA10698, MDVSA-2015:227, openSUSE-SU-2015:0967-1, openSUSE-SU-2015:1216-1, openSUSE-SU-2016:2304-1, RHSA-2015:1628-01, RHSA-2015:1629-01, RHSA-2015:1647-01, RHSA-2015:1665-01, SSA:2015-132-01, SSA:2015-132-02, SUSE-SU-2015:0946-1, SUSE-SU-2015:1273-1, USN-2575-1, VIGILANCE-VUL-16614.

Description of the vulnerability

Several vulnerabilities were announced in Oracle MySQL.

An attacker can use a vulnerability of Service Manager, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-0112]

An attacker can use a vulnerability of Service Manager, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-7809]

An attacker can use a vulnerability of Server : Compiling, in order to trigger a denial of service. [severity:2/4; CVE-2015-0501]

An attacker can use a vulnerability of Server : Security : Encryption, in order to trigger a denial of service. [severity:2/4; CVE-2014-3569]

An attacker can use a vulnerability of Server : Security : Privileges, in order to trigger a denial of service. [severity:2/4; CVE-2015-2568]

An attacker can use a vulnerability of Connector/J, in order to obtain or alter information. [severity:2/4; CVE-2015-2575]

An attacker can use a vulnerability of Server : DDL, in order to trigger a denial of service. [severity:2/4; CVE-2015-2573]

An attacker can use a vulnerability of Server : Information Schema, in order to trigger a denial of service. [severity:2/4; CVE-2015-0500]

An attacker can use a vulnerability of Server : InnoDB, in order to trigger a denial of service. [severity:2/4; CVE-2015-0439]

An attacker can use a vulnerability of Server : InnoDB, in order to trigger a denial of service. [severity:2/4; CVE-2015-0508]

An attacker can use a vulnerability of Server : InnoDB : DML, in order to trigger a denial of service. [severity:2/4; CVE-2015-0433]

An attacker can use a vulnerability of Server : Optimizer, in order to trigger a denial of service. [severity:2/4; CVE-2015-0423]

An attacker can use a vulnerability of Server : Optimizer, in order to trigger a denial of service. [severity:2/4; CVE-2015-2571]

An attacker can use a vulnerability of Server : Partition, in order to trigger a denial of service. [severity:2/4; CVE-2015-0438]

An attacker can use a vulnerability of Server : Partition, in order to trigger a denial of service. [severity:2/4; CVE-2015-0503]

An attacker can use a vulnerability of Server : Security : Encryption, in order to trigger a denial of service. [severity:2/4; CVE-2015-0441]

An attacker can use a vulnerability of Server : XA, in order to trigger a denial of service. [severity:2/4; CVE-2015-0405]

An attacker can use a vulnerability of Server : DDL, in order to trigger a denial of service. [severity:2/4; CVE-2015-0505]

An attacker can use a vulnerability of Server : Federated, in order to trigger a denial of service. [severity:2/4; CVE-2015-0499]

An attacker can use a vulnerability of Server : InnoDB, in order to trigger a denial of service. [severity:2/4; CVE-2015-0506]

An attacker can use a vulnerability of Server : Memcached, in order to trigger a denial of service. [severity:2/4; CVE-2015-0507]

An attacker can use a vulnerability of Server : Security : Privileges, in order to trigger a denial of service. [severity:2/4; CVE-2015-2567]

An attacker can use a vulnerability of Server : DML, in order to trigger a denial of service. [severity:1/4; CVE-2015-2566]

An attacker can use a vulnerability of Server : SP, in order to trigger a denial of service. [severity:2/4; CVE-2015-0511]

An attacker can use a vulnerability of Installation, in order to alter information. [severity:1/4; CVE-2015-2576]

An attacker can use a vulnerability of Server : Replication, in order to trigger a denial of service. [severity:1/4; CVE-2015-0498]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2015-0286 CVE-2015-0287 CVE-2015-0289

OpenSSL 0.9/1.0.0/1.0.1: five vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenSSL 0.9/1.0.0/1.0.1.
Impacted products: Arkoon FAST360, ArubaOS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Cisco ASR, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco CSS, Cisco ESA, IOS XE Cisco, Cisco IPS, IronPort Email, IronPort Web, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, WebNS, Cisco WSA, Debian, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FreeBSD, hMailServer, HP-UX, AIX, IRAD, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Space, Junos Space Network Management Platform, NSM Central Manager, NSMXpress, Juniper SBR, McAfee Email Gateway, ePO, McAfee NTBA, McAfee NGFW, VirusScan, McAfee Web Gateway, Data ONTAP, NetBSD, NetScreen Firewall, ScreenOS, Nodejs Core, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, pfSense, Puppet, RHEL, JBoss EAP by Red Hat, Base SAS Software, SAS SAS/CONNECT, Slackware, Splunk Enterprise, Stonesoft NGFW/VPN, SUSE Linux Enterprise Desktop, SLES, Nessus, Ubuntu, Unix (platform) ~ not comprehensive, WinSCP.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 5.
Creation date: 19/03/2015.
Identifiers: 1701334, 1902519, 1960491, 1964410, 1975397, 55767, 7043086, 9010031, ARUBA-PSA-2015-007, bulletinapr2015, c04679334, CERTFR-2015-AVI-117, CERTFR-2015-AVI-146, CERTFR-2015-AVI-169, CERTFR-2015-AVI-177, CERTFR-2015-AVI-259, CERTFR-2016-AVI-303, cisco-sa-20150320-openssl, cisco-sa-20150408-ntpd, cpuapr2017, cpuoct2016, cpuoct2017, CTX216642, CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293, DSA-3197-1, DSA-3197-2, FEDORA-2015-4300, FEDORA-2015-4303, FG-IR-15-008, FreeBSD-SA-15:06.openssl, HPSBUX03334, JSA10680, MDVSA-2015:062, MDVSA-2015:063, NetBSD-SA2015-007, NTAP-20150323-0002, openSUSE-SU-2015:0554-1, openSUSE-SU-2015:1277-1, openSUSE-SU-2015:2243-1, openSUSE-SU-2016:0638-1, openSUSE-SU-2016:0640-1, RHSA-2015:0715-01, RHSA-2015:0716-01, RHSA-2015:0752-01, RHSA-2015:0800-01, RHSA-2016:0372-01, RHSA-2016:0445-01, RHSA-2016:0446-01, RHSA-2016:0490-01, SA40001, SA92, SB10110, SOL16301, SOL16302, SOL16317, SOL16319, SOL16320, SOL16321, SOL16323, SPL-98351, SPL-98531, SSA:2015-111-09, SSRT102000, SUSE-SU-2015:0541-1, SUSE-SU-2015:0553-1, SUSE-SU-2015:0553-2, SUSE-SU-2015:0578-1, SUSE-SU-2016:0678-1, TNS-2015-04, USN-2537-1, VIGILANCE-VUL-16429.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL 0.9/1.0.0/1.0.1.

An attacker can force a read at an invalid address in ASN1_TYPE_cmp, in order to trigger a denial of service. [severity:2/4; CVE-2015-0286]

An attacker can generate a memory corruption in ASN.1, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-0287]

An attacker can force a NULL pointer to be dereferenced in PKCS#7, in order to trigger a denial of service. [severity:2/4; CVE-2015-0289]

An attacker can generate a memory corruption with base64 data, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-0292]

An attacker can generate an OPENSSL_assert, in order to trigger a denial of service. [severity:2/4; CVE-2015-0293]
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2015-0285

OpenSSL: predictable random via ssl3_client_hello

Synthesis of the vulnerability

An attacker can potentially guess the random used by the TLS client of OpenSSL, in order to read sensitive information.
Impacted products: ProxySG par Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, IRAD, Juniper J-Series, Junos OS, Junos Space, Junos Space Network Management Platform, NSM Central Manager, NSMXpress, Juniper SBR, Data ONTAP, NetScreen Firewall, ScreenOS, OpenSSL, Oracle Communications, Base SAS Software, SAS SAS/CONNECT.
Severity: 2/4.
Consequences: data reading.
Provenance: internet server.
Creation date: 18/03/2015.
Identifiers: 1701334, 55767, 9010031, CERTFR-2015-AVI-117, CERTFR-2015-AVI-146, CERTFR-2015-AVI-259, cpuoct2017, CVE-2015-0285, FG-IR-15-008, JSA10680, NTAP-20150323-0002, SA40001, VIGILANCE-VUL-16410.

Description of the vulnerability

The OpenSSL library implements a TLS client.

Usually, a PRNG random generator is seeded by the TLS client. However, the ssl3_client_hello() function does not seed the PRNG in some cases (if a specific version of the protocol was not requested, and an algorithm such as PSK-RC4-SHA is chosen).

An attacker can therefore potentially guess the random used by the TLS client of OpenSSL, in order to read sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2015-0288

OpenSSL: NULL pointer dereference via X509_to_X509_REQ

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced in X509_to_X509_REQ() of OpenSSL, in order to trigger a denial of service.
Impacted products: Arkoon FAST360, ProxySG par Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Cisco ASR, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco CSS, Cisco ESA, IOS XE Cisco, Cisco IPS, IronPort Email, IronPort Web, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, WebNS, Cisco WSA, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, hMailServer, HP-UX, AIX, IRAD, Tivoli Workload Scheduler, Juniper J-Series, Junos OS, Junos Space, Junos Space Network Management Platform, NSM Central Manager, NSMXpress, Juniper SBR, McAfee Email Gateway, ePO, McAfee NTBA, McAfee NGFW, VirusScan, McAfee Web Gateway, Data ONTAP, NetBSD, NetScreen Firewall, ScreenOS, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, pfSense, RHEL, Base SAS Software, SAS SAS/CONNECT, Slackware, Splunk Enterprise, Stonesoft NGFW/VPN, SUSE Linux Enterprise Desktop, SLES, Nessus, Ubuntu, Unix (platform) ~ not comprehensive, WinSCP.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Creation date: 09/03/2015.
Identifiers: 1701334, 1964410, 55767, 9010031, c04679334, CERTFR-2015-AVI-089, CERTFR-2015-AVI-117, CERTFR-2015-AVI-146, CERTFR-2015-AVI-177, CERTFR-2015-AVI-259, CERTFR-2016-AVI-303, cisco-sa-20150320-openssl, cisco-sa-20150408-ntpd, cpuoct2017, CTX216642, CVE-2015-0288, DSA-3197-1, DSA-3197-2, FEDORA-2015-4300, FEDORA-2015-4303, FEDORA-2015-6855, FreeBSD-SA-15:06.openssl, HPSBUX03334, JSA10680, MDVSA-2015:062, MDVSA-2015:063, NetBSD-SA2015-007, NTAP-20150323-0002, openSUSE-SU-2015:0554-1, openSUSE-SU-2015:1277-1, openSUSE-SU-2015:2243-1, openSUSE-SU-2016:0640-1, RHSA-2015:0715-01, RHSA-2015:0716-01, RHSA-2015:0752-01, RHSA-2015:0800-01, SA40001, SB10110, SOL16301, SOL16302, SOL16317, SOL16319, SOL16320, SOL16321, SOL16323, SPL-98351, SPL-98531, SSA:2015-111-09, SSRT102000, SUSE-SU-2015:0541-1, SUSE-SU-2015:0553-1, SUSE-SU-2015:0553-2, SUSE-SU-2015:0578-1, TNS-2015-04, USN-2537-1, VIGILANCE-VUL-16342.

Description of the vulnerability

The OpenSSL product processes X.509 certificates.

However, the X509_to_X509_REQ() function does not check if a pointer is NULL, before using it.

An attacker can therefore force a NULL pointer to be dereferenced in X509_to_X509_REQ() of OpenSSL, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2015-0209

OpenSSL: use after free via d2i_ECPrivateKey

Synthesis of the vulnerability

An attacker can force the usage of a freed memory area in d2i_ECPrivateKey of OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Impacted products: ArubaOS, ProxySG par Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Cisco ASR, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco CSS, Cisco ESA, IOS XE Cisco, Cisco IPS, IronPort Email, IronPort Web, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, WebNS, Cisco WSA, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, hMailServer, HP-UX, AIX, IRAD, Security Directory Server, Tivoli Directory Server, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Junos Space, Junos Space Network Management Platform, Juniper Network Connect, NSM Central Manager, NSMXpress, Juniper SBR, Data ONTAP, NetBSD, NetScreen Firewall, ScreenOS, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, pfSense, RHEL, Base SAS Software, SAS SAS/CONNECT, Slackware, Splunk Enterprise, SUSE Linux Enterprise Desktop, SLES, Nessus, Ubuntu, Unix (platform) ~ not comprehensive, WinSCP.
Severity: 3/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 09/03/2015.
Identifiers: 1698703, 1701334, 1902519, 1960491, 1964410, 55767, 7043086, 9010031, ARUBA-PSA-2015-007, c04679334, CERTFR-2015-AVI-089, CERTFR-2015-AVI-117, CERTFR-2015-AVI-146, CERTFR-2015-AVI-177, CERTFR-2015-AVI-259, CERTFR-2016-AVI-303, cisco-sa-20150320-openssl, cisco-sa-20150408-ntpd, cpuoct2017, CTX216642, CVE-2015-0209, DSA-3197-1, DSA-3197-2, FEDORA-2015-10047, FEDORA-2015-10108, FEDORA-2015-4300, FEDORA-2015-4303, FEDORA-2015-6855, FreeBSD-SA-15:06.openssl, HPSBUX03334, JSA10680, MDVSA-2015:062, MDVSA-2015:063, NetBSD-SA2015-007, NTAP-20150323-0002, openSUSE-SU-2015:0554-1, openSUSE-SU-2015:1277-1, openSUSE-SU-2016:0640-1, RHSA-2015:0715-01, RHSA-2015:0716-01, RHSA-2015:0752-01, RHSA-2016:1087-01, RHSA-2016:1088-01, RHSA-2016:1089-01, SA40001, SOL16301, SOL16302, SOL16317, SOL16319, SOL16320, SOL16321, SOL16323, SPL-98351, SPL-98531, SSA:2015-111-09, SSRT102000, SUSE-SU-2015:0541-1, SUSE-SU-2015:0553-1, SUSE-SU-2015:0553-2, SUSE-SU-2015:0578-1, TNS-2015-04, TSB16661, USN-2537-1, VIGILANCE-VUL-16341.

Description of the vulnerability

The OpenSSL product implements the Elliptic Curves algorithm.

However, the d2i_ECPrivateKey() function frees a memory area before reusing it.

An attacker can therefore force the usage of a freed memory area in d2i_ECPrivateKey() of OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2015-0138 CVE-2015-0204

OpenSSL, LibReSSL, Mono, JSSE: weakening TLS encryption via FREAK

Synthesis of the vulnerability

An attacker, located as a Man-in-the-Middle, can force the Chrome, JSSE, LibReSSL, Mono or OpenSSL client to accept a weak export algorithm, in order to more easily capture or alter exchanged data.
Impacted products: Arkoon FAST360, ArubaOS, Avaya Ethernet Routing Switch, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Cisco ATA, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco ESA, IOS by Cisco, IronPort Email, IronPort Web, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Prime Network Control Systems, Cisco PRSM, Cisco Router, Cisco IP Phone, Cisco MeetingPlace, Cisco WSA, Clearswift Email Gateway, Debian, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FortiClient, FortiGate, FortiGate Virtual Appliance, FortiOS, FreeBSD, Chrome, HPE NNMi, HP-UX, AIX, DB2 UDB, Domino, Notes, IRAD, Security Directory Server, Tivoli Directory Server, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, Juniper J-Series, Junos OS, Junos Space, Junos Space Network Management Platform, NSM Central Manager, NSMXpress, Juniper SBR, McAfee Email Gateway, ePO, McAfee NTBA, McAfee NGFW, VirusScan, McAfee Web Gateway, Windows (platform) ~ not comprehensive, Data ONTAP, NetBSD, NetScreen Firewall, ScreenOS, Nodejs Core, OpenBSD, Java OpenJDK, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle Internet Directory, Java Oracle, Solaris, Tuxedo, WebLogic, pfSense, Puppet, RHEL, Base SAS Software, SAS SAS/CONNECT, Slackware, Sophos AV, Splunk Enterprise, Stonesoft NGFW/VPN, stunnel, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 2.
Creation date: 04/03/2015.
Revision date: 09/03/2015.
Identifiers: 122007, 1450666, 1610582, 1647054, 1698613, 1699051, 1699810, 1700225, 1700997, 1701485, 1902260, 1903541, 1963275, 1968485, 1973383, 55767, 7014463, 7022958, 9010028, ARUBA-PSA-2015-003, bulletinjan2015, c04556853, c04679334, c04773241, CERTFR-2015-AVI-108, CERTFR-2015-AVI-117, CERTFR-2015-AVI-146, CERTFR-2016-AVI-303, cisco-sa-20150310-ssl, cpuapr2017, cpujul2018, cpuoct2017, CTX216642, CVE-2015-0138, CVE-2015-0204, DSA-3125-1, FEDORA-2015-0512, FEDORA-2015-0601, FG-IR-15-007, FREAK, FreeBSD-SA-15:01.openssl, HPSBMU03345, HPSBUX03244, HPSBUX03334, JSA10679, MDVSA-2015:019, MDVSA-2015:062, MDVSA-2015:063, NetBSD-SA2015-006, NetBSD-SA2015-007, NTAP-20150205-0001, openSUSE-SU-2015:0130-1, openSUSE-SU-2016:0640-1, RHSA-2015:0066-01, RHSA-2015:0800-01, RHSA-2015:1020-01, RHSA-2015:1021-01, RHSA-2015:1091-01, SA40015, SA88, SA91, SB10108, SB10110, SOL16120, SOL16123, SOL16124, SOL16126, SOL16135, SOL16136, SOL16139, SP-CAAANXD, SPL-95203, SPL-95206, SSA:2015-009-01, SSRT101885, SSRT102000, SUSE-SU-2015:1073-1, SUSE-SU-2015:1085-1, SUSE-SU-2015:1086-1, SUSE-SU-2015:1086-2, SUSE-SU-2015:1086-3, SUSE-SU-2015:1086-4, SUSE-SU-2015:1138-1, SUSE-SU-2015:1161-1, T1022075, USN-2459-1, VIGILANCE-VUL-16301, VN-2015-003_FREAK, VU#243585.

Description of the vulnerability

The TLS protocol uses a series of messages which have to be exchanged between the client and the server, before establishing a secured session.

Several cryptographic algorithms can be negotiated, such as algorithms allowed for USA export (less than 512 bits).

An attacker, located as a Man-in-the-Middle, can inject during the session initialization a message choosing an export algorithm. This message should generate an error, however some TLS clients accept it.

Note: the variant related to Windows is described in VIGILANCE-VUL-16332.

An attacker, located as a Man-in-the-Middle, can therefore force the Chrome, JSSE, LibReSSL, Mono or OpenSSL client to accept a weak export algorithm, in order to more easily capture or alter exchanged data.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2014-6593 CVE-2015-0205

JSSE, CyaSSL, Mono, OpenSSL: clear text session via SKIP-TLS

Synthesis of the vulnerability

An attacker, who has a TLS server, can force the JSSE, CyaSSL, Mono or OpenSSL client/server to use a clear text session, in order to allow a third party to capture or alter exchanged data.
Impacted products: ArubaOS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Cisco ATA, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco ESA, IOS by Cisco, IronPort Email, IronPort Web, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Prime Network Control Systems, Cisco PRSM, Cisco Router, Cisco IP Phone, Cisco MeetingPlace, Cisco WSA, Clearswift Email Gateway, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, IRAD, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Space, Junos Space Network Management Platform, NSM Central Manager, NSMXpress, Juniper SBR, McAfee Email Gateway, ePO, McAfee Web Gateway, Windows (platform) ~ not comprehensive, Data ONTAP, NetBSD, NetScreen Firewall, ScreenOS, Nodejs Core, Java OpenJDK, OpenSSL, openSUSE, Oracle Communications, Java Oracle, JavaFX, Solaris, pfSense, Puppet, RHEL, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive, vCenter Server, VMware vSphere.
Severity: 2/4.
Consequences: data reading.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 2.
Creation date: 04/03/2015.
Revision date: 09/03/2015.
Identifiers: 1699051, 1700706, 1701485, 9010028, ARUBA-PSA-2015-003, bulletinjan2015, c04517481, c04556853, c04580241, c04583581, CERTFR-2015-AVI-108, CERTFR-2015-AVI-146, CERTFR-2016-AVI-303, cisco-sa-20150310-ssl, cpujan2015, cpuoct2017, CTX216642, CVE-2014-6593, CVE-2015-0205, DSA-3125-1, DSA-3144-1, DSA-3147-1, FEDORA-2015-0512, FEDORA-2015-0601, FEDORA-2015-0983, FEDORA-2015-1075, FEDORA-2015-1150, FEDORA-2015-8251, FEDORA-2015-8264, FreeBSD-SA-15:01.openssl, HPSBUX03219, HPSBUX03244, HPSBUX03273, HPSBUX03281, JSA10679, MDVSA-2015:019, MDVSA-2015:033, MDVSA-2015:062, NetBSD-SA2015-006, NTAP-20150205-0001, openSUSE-SU-2015:0130-1, openSUSE-SU-2015:0190-1, openSUSE-SU-2015:1277-1, RHSA-2015:0066-01, RHSA-2015:0067-01, RHSA-2015:0068-01, RHSA-2015:0069-01, RHSA-2015:0079-01, RHSA-2015:0080-01, RHSA-2015:0085-01, RHSA-2015:0086-01, RHSA-2015:0133-01, RHSA-2015:0134-01, RHSA-2015:0135-01, RHSA-2015:0136-01, RHSA-2015:0263-01, RHSA-2015:0264-01, SA40015, SA88, SB10104, SB10108, SKIP-TLS, SOL16120, SOL16123, SOL16124, SOL16126, SOL16135, SOL16136, SOL16139, SPL-95203, SSA:2015-009-01, SSRT101859, SSRT101885, SSRT101951, SSRT101968, SUSE-SU-2015:0336-1, SUSE-SU-2015:0503-1, USN-2459-1, USN-2486-1, USN-2487-1, VIGILANCE-VUL-16300, VMSA-2015-0003, VMSA-2015-0003.1, VMSA-2015-0003.10, VMSA-2015-0003.11, VMSA-2015-0003.12, VMSA-2015-0003.13, VMSA-2015-0003.14, VMSA-2015-0003.15, VMSA-2015-0003.2, VMSA-2015-0003.3, VMSA-2015-0003.4, VMSA-2015-0003.5, VMSA-2015-0003.6, VMSA-2015-0003.8, VMSA-2015-0003.9.

Description of the vulnerability

The TLS protocol uses a series of messages which have to be exchanged between the client and the server, before establishing a secured session.

However, clients such as JSSE or CyaSSL accept if the server directly skips to the final state (CVE-2014-6593, first analyzed in VIGILANCE-VUL-16014). Moreover, servers such as Mono or OpenSSL accept if the client directly skips to the final state (CVE-2015-0205, first analyzed in VIGILANCE-VUL-15934).The established session thus uses no encryption.

An attacker, who has a TLS server, can therefore force the JSSE, CyaSSL, Mono or OpenSSL client/server to use a clear text session, in order to allow a third party to capture or alter exchanged data.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Juniper Junos Space Route Insight: