The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of MAG Series by Juniper

threat alert CVE-2015-3196

OpenSSL: use after free via PSK Identify Hint

Synthesis of the vulnerability

An attacker can force the usage of a freed memory area via PSK Identify Hint of an OpenSSL multi-threaded client, in order to trigger a denial of service, and possibly to run code.
Severity: 2/4.
Creation date: 03/12/2015.
Identifiers: 1972951, 1976113, 1976148, 1981612, 2003480, 2003620, 2003673, 9010051, BSA-2016-006, bulletinjan2016, c05398322, CERTFR-2015-AVI-517, cisco-sa-20151204-openssl, cpuoct2017, CVE-2015-3196, DSA-3413-1, FEDORA-2015-d87d60b9a9, FreeBSD-SA-15:26.openssl, HPESBHF03709, JSA10759, NTAP-20151207-0001, openSUSE-SU-2015:2288-1, openSUSE-SU-2015:2289-1, RHSA-2015:2617-01, SA40100, SB10203, SOL12824341, SOL30714460, SOL55540723, SOL86772626, SSA:2015-349-04, USN-2830-1, VIGILANCE-VUL-18437.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The OpenSSL library can be used by a multi-threaded client.

However, in this case, the SSL_CTX structure does not contain an updated PSK Identify Hint. OpenSSL can thus free twice the same memory area.

An attacker can therefore force the usage of a freed memory area via PSK Identify Hint of an OpenSSL multi-threaded client, in order to trigger a denial of service, and possibly to run code.
Full Vigil@nce bulletin... (Free trial)

weakness announce CVE-2015-3195

OpenSSL: information disclosure via X509_ATTRIBUTE

Synthesis of the vulnerability

An attacker can read a memory fragment via X509_ATTRIBUTE of OpenSSL processing PKCS#7 or CMS data, in order to obtain sensitive information.
Severity: 2/4.
Creation date: 03/12/2015.
Identifiers: 1972951, 1976113, 1976148, 1985739, 2003480, 2003620, 2003673, 9010051, BSA-2016-006, bulletinjan2016, c05398322, CERTFR-2015-AVI-517, CERTFR-2016-AVI-128, cisco-sa-20151204-openssl, cpuapr2017, cpuoct2016, cpuoct2017, CVE-2015-3195, DSA-3413-1, FEDORA-2015-605de37b7f, FEDORA-2015-d87d60b9a9, FreeBSD-SA-15:26.openssl, HPESBHF03709, JSA10733, JSA10759, NTAP-20151207-0001, openSUSE-SU-2015:2288-1, openSUSE-SU-2015:2289-1, openSUSE-SU-2015:2318-1, openSUSE-SU-2015:2349-1, openSUSE-SU-2016:0637-1, openSUSE-SU-2016:0640-1, openSUSE-SU-2016:1327-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:2616-01, RHSA-2015:2617-01, RHSA-2016:2054-01, RHSA-2016:2055-01, RHSA-2016:2056-01, SA105, SA40100, SB10203, SOL12824341, SOL30714460, SOL55540723, SOL86772626, SSA:2015-349-04, SUSE-SU-2016:0678-1, USN-2830-1, VIGILANCE-VUL-18436.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The OpenSSL library supports the PKCS#7 and CMS formats.

However, if an X509_ATTRIBUTE structure is malformed, OpenSSL does not initialize a memory area before returning it to the user reading PKCS#7 or CMS data.

It can be noted that SSL/TLS is not impacted.

An attacker can therefore read a memory fragment via X509_ATTRIBUTE of OpenSSL processing PKCS#7 or CMS data, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

cybersecurity weakness CVE-2015-3194

OpenSSL: NULL pointer dereference via Certificate Verification

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced during the certificate verification of OpenSSL (in client or server mode), in order to trigger a denial of service.
Severity: 2/4.
Creation date: 03/12/2015.
Identifiers: 1972951, 1976113, 1976148, 1985739, 1986593, 2003480, 2003620, 2003673, 9010051, BSA-2016-006, bulletinjan2016, c05398322, CERTFR-2015-AVI-517, cisco-sa-20151204-openssl, cpuoct2017, CVE-2015-3194, DSA-3413-1, FEDORA-2015-605de37b7f, FEDORA-2015-d87d60b9a9, FreeBSD-SA-15:26.openssl, HPESBHF03709, HT209139, JSA10759, NTAP-20151207-0001, openSUSE-SU-2015:2288-1, openSUSE-SU-2015:2289-1, openSUSE-SU-2015:2318-1, openSUSE-SU-2016:0637-1, openSUSE-SU-2016:1327-1, RHSA-2015:2617-01, SA105, SA40100, SB10203, SOL12824341, SOL30714460, SOL55540723, SOL86772626, SSA:2015-349-04, STORM-2015-017, USN-2830-1, VIGILANCE-VUL-18435.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The OpenSSL library can use the RSA PSS algorithm to check the validity of X.509 certificates.

However, if the "mask generation" parameter is missing during the verification of a signature in ASN.1 format, OpenSSL does not check if a pointer is NULL, before using it.

An attacker can therefore force a NULL pointer to be dereferenced during the certificate verification of OpenSSL (in client or server mode), in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

cybersecurity announce CVE-2015-3193

OpenSSL: disclosure of DH private key via BN_mod_exp

Synthesis of the vulnerability

An attacker, with a significant amount of resources, can attack the DH algorithm, in some OpenSSL usages, in order to compute the private key.
Severity: 1/4.
Creation date: 03/12/2015.
Identifiers: 1972951, 2003480, 2003620, 2003673, 9010051, BSA-2016-006, bulletinjan2018, c05398322, CERTFR-2015-AVI-517, cisco-sa-20151204-openssl, cpuoct2017, CVE-2015-3193, FEDORA-2015-605de37b7f, HPESBHF03709, JSA10759, NTAP-20151207-0001, SA40100, SB10203, SOL12824341, SOL30714460, SOL55540723, SOL86772626, SSA:2015-349-04, USN-2830-1, VIGILANCE-VUL-18434.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The OpenSSL library uses the BN_mod_exp() function to perform a modular exponentiation on large numbers.

However, on an x86_64 processor, the BN_mod_exp() function can generate an incorrect result during the Montgomery Squaring procedure.

An attacker, with a significant amount of resources, can therefore attack the DH algorithm, in some OpenSSL usages, in order to compute the private key.
Full Vigil@nce bulletin... (Free trial)

computer threat CVE-2015-5369

Pulse Secure Connect Secure: Man-in-the-Middle of Hardware Acceleration

Synthesis of the vulnerability

An attacker can perform a Man-in-the-Middle when the Hardware Acceleration is enabled on Pulse Secure Connect Secure, in order to read or alter TLS session data.
Severity: 2/4.
Creation date: 31/07/2015.
Identifiers: CVE-2015-5369, SA40004, TSB16756, VIGILANCE-VUL-17547.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The Hardware Acceleration can be enabled on Pulse Secure Connect Secure.

However, in this case, it does not correctly compute the MAC of the TLS Handshake Finished Message. Using a second vulnerability, an attacker can thus perform a Man-in-the-Middle.

An attacker can therefore perform a Man-in-the-Middle when the Hardware Acceleration is enabled on Pulse Secure Connect Secure, in order to read or alter TLS session data.
Full Vigil@nce bulletin... (Free trial)

computer threat alert CVE-2014-3566

SSL 3.0: decrypting session, POODLE

Synthesis of the vulnerability

An attacker, located as a Man-in-the-Middle, can decrypt a SSL 3.0 session, in order to obtain sensitive information.
Severity: 3/4.
Creation date: 15/10/2014.
Identifiers: 10923, 1589583, 1595265, 1653364, 1657963, 1663874, 1687167, 1687173, 1687433, 1687604, 1687611, 1690160, 1690185, 1690342, 1691140, 1692551, 1695392, 1696383, 1699051, 1700706, 2977292, 3009008, 7036319, aid-10142014, AST-2014-011, bulletinapr2015, bulletinjan2015, bulletinjan2016, bulletinjul2015, bulletinjul2016, bulletinoct2015, c04486577, c04487990, c04492722, c04497114, c04506802, c04510230, c04567918, c04616259, c04626982, c04676133, c04776510, CERTFR-2014-ALE-007, CERTFR-2014-AVI-454, CERTFR-2014-AVI-509, CERTFR-2015-AVI-169, CERTFR-2016-AVI-303, cisco-sa-20141015-poodle, cpujul2017, CTX216642, CVE-2014-3566, DSA-3053-1, DSA-3253-1, DSA-3489-1, ESA-2014-178, ESA-2015-098, ESXi500-201502001, ESXi500-201502101-SG, ESXi510-201503001, ESXi510-201503001-SG, ESXi510-201503101-SG, ESXi550-201501001, ESXi550-201501101-SG, FEDORA-2014-12989, FEDORA-2014-12991, FEDORA-2014-13012, FEDORA-2014-13017, FEDORA-2014-13040, FEDORA-2014-13069, FEDORA-2014-13070, FEDORA-2014-13444, FEDORA-2014-13451, FEDORA-2014-13764, FEDORA-2014-13777, FEDORA-2014-13781, FEDORA-2014-13794, FEDORA-2014-14234, FEDORA-2014-14237, FEDORA-2014-15379, FEDORA-2014-15390, FEDORA-2014-15411, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2015-9090, FEDORA-2015-9110, FreeBSD-SA-14:23.openssl, FSC-2014-8, HPSBGN03256, HPSBGN03305, HPSBGN03332, HPSBHF03156, HPSBHF03300, HPSBMU03152, HPSBMU03184, HPSBMU03213, HPSBMU03416, HPSBUX03162, HPSBUX03194, JSA10656, MDVSA-2014:203, MDVSA-2014:218, MDVSA-2015:062, NetBSD-SA2014-015, nettcp_advisory, openSUSE-SU-2014:1331-1, openSUSE-SU-2014:1384-1, openSUSE-SU-2014:1395-1, openSUSE-SU-2014:1426-1, openSUSE-SU-2016:0640-1, openSUSE-SU-2016:1586-1, openSUSE-SU-2017:0980-1, PAN-SA-2014-0005, POODLE, RHSA-2014:1652-01, RHSA-2014:1653-01, RHSA-2014:1692-01, RHSA-2014:1920-01, RHSA-2014:1948-01, RHSA-2015:0010-01, RHSA-2015:0011-01, RHSA-2015:0012-01, RHSA-2015:1545-01, RHSA-2015:1546-01, SA83, SB10090, SB10104, sk102989, SOL15702, SP-CAAANKE, SP-CAAANST, SPL-91947, SPL-91948, SSA:2014-288-01, SSA-396873, SSA-472334, SSRT101767, STORM-2014-02-FR, SUSE-SU-2014:1357-1, SUSE-SU-2014:1361-1, SUSE-SU-2014:1386-1, SUSE-SU-2014:1387-1, SUSE-SU-2014:1387-2, SUSE-SU-2014:1409-1, SUSE-SU-2015:0010-1, SUSE-SU-2016:1457-1, SUSE-SU-2016:1459-1, T1021439, TSB16540, USN-2839-1, VIGILANCE-VUL-15485, VMSA-2015-0001, VMSA-2015-0001.1, VMSA-2015-0001.2, VN-2014-003, VU#577193.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

An SSL/TLS session can be established using several protocols:
 - SSL 2.0 (obsolete)
 - SSL 3.0
 - TLS 1.0
 - TLS 1.1
 - TLS 1.2

An attacker can downgrade the version to SSLv3. However, with SSL 3.0, an attacker can change the padding position with a CBC encryption, in order to progressively guess clear text fragments.

This vulnerability is named POODLE (Padding Oracle On Downgraded Legacy Encryption).

An attacker, located as a Man-in-the-Middle, can therefore decrypt a SSL 3.0 session, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

security alert CVE-2014-6278

bash: command execution in the function parser

Synthesis of the vulnerability

An attacker can define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.
Severity: 3/4.
Creation date: 29/09/2014.
Identifiers: 193355, 193866, 194029, 194064, 194669, 480931, c04475942, c04479492, CERTFR-2014-AVI-403, CERTFR-2014-AVI-415, CERTFR-2014-AVI-480, CTX200217, CTX200223, CVE-2014-6278, ESA-2014-111, ESA-2014-123, ESA-2014-124, ESA-2014-125, ESA-2014-126, ESA-2014-127, ESA-2014-128, ESA-2014-133, ESA-2014-136, ESA-2014-150, ESA-2014-151, ESA-2014-152, ESA-2014-162, HPSBGN03138, HPSBMU03144, JSA10648, JSA10661, MDVSA-2015:164, openSUSE-SU-2014:1310-1, openSUSE-SU-2016:2961-1, SB10085, sk102673, SOL15629, SSA:2014-272-01, SSA-860967, T1021272, USN-2380-1, VIGILANCE-VUL-15421, VMSA-2014-0010, VMSA-2014-0010.10, VMSA-2014-0010.11, VMSA-2014-0010.12, VMSA-2014-0010.13, VMSA-2014-0010.2, VMSA-2014-0010.4, VMSA-2014-0010.7, VMSA-2014-0010.8, VMSA-2014-0010.9.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The bash interpreter can use functions.

However, when bash parses the source code to create the function, it directly executes commands located at some places.

This vulnerability can be used with the same attack vector than VIGILANCE-VUL-15399.

An attacker can therefore define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2014-6277

bash: memory corruption in the function parser

Synthesis of the vulnerability

An attacker can define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.
Severity: 3/4.
Creation date: 29/09/2014.
Identifiers: 193355, 193866, 194029, 194064, 194669, 480931, c04475942, c04479492, CERTFR-2014-AVI-403, CERTFR-2014-AVI-415, CERTFR-2014-AVI-480, CTX200217, CTX200223, CVE-2014-6277, ESA-2014-111, ESA-2014-123, ESA-2014-124, ESA-2014-125, ESA-2014-126, ESA-2014-127, ESA-2014-128, ESA-2014-133, ESA-2014-136, ESA-2014-150, ESA-2014-151, ESA-2014-152, ESA-2014-162, HPSBGN03138, HPSBMU03144, JSA10648, JSA10661, MDVSA-2015:164, openSUSE-SU-2014:1310-1, openSUSE-SU-2016:2961-1, SB10085, sk102673, SOL15629, SSA:2014-272-01, SSA-860967, T1021272, USN-2380-1, VIGILANCE-VUL-15420, VMSA-2014-0010, VMSA-2014-0010.10, VMSA-2014-0010.11, VMSA-2014-0010.12, VMSA-2014-0010.13, VMSA-2014-0010.2, VMSA-2014-0010.4, VMSA-2014-0010.7, VMSA-2014-0010.8, VMSA-2014-0010.9.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The bash interpreter can use functions.

However, when bash parses the source code to create the function, it corrupts its memory.

This vulnerability can be used with the same attack vector than VIGILANCE-VUL-15399.

An attacker can therefore define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.
Full Vigil@nce bulletin... (Free trial)

weakness CVE-2014-7186 CVE-2014-7187

bash: two denial of service

Synthesis of the vulnerability

An attacker can use several vulnerabilities of bash.
Severity: 1/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 29/09/2014.
Identifiers: 193355, 193866, 194029, 194064, 194669, 480931, c04475942, c04479492, CERTFR-2014-AVI-403, CERTFR-2014-AVI-415, CERTFR-2014-AVI-480, CTX200217, CTX200223, CVE-2014-7186, CVE-2014-7187, ESA-2014-111, ESA-2014-123, ESA-2014-124, ESA-2014-125, ESA-2014-126, ESA-2014-127, ESA-2014-128, ESA-2014-133, ESA-2014-136, ESA-2014-150, ESA-2014-151, ESA-2014-152, ESA-2014-162, HPSBGN03138, HPSBMU03144, JSA10648, JSA10661, MDVSA-2015:164, openSUSE-SU-2014:1229-1, openSUSE-SU-2014:1242-1, openSUSE-SU-2014:1248-1, openSUSE-SU-2014:1308-1, openSUSE-SU-2014:1310-1, RHSA-2014:1311-01, RHSA-2014:1312-01, RHSA-2014:1354-01, RHSA-2014:1865-01, SB10085, sk102673, SOL15629, SSA-860967, SUSE-SU-2014:1247-1, SUSE-SU-2014:1247-2, T1021272, USN-2364-1, VIGILANCE-VUL-15419, VMSA-2014-0010, VMSA-2014-0010.10, VMSA-2014-0010.11, VMSA-2014-0010.12, VMSA-2014-0010.13, VMSA-2014-0010.2, VMSA-2014-0010.4, VMSA-2014-0010.7, VMSA-2014-0010.8, VMSA-2014-0010.9.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in bash.

An attacker can force a read at an invalid address in redir_stack, in order to trigger a denial of service. [severity:1/4; CVE-2014-7186]

An attacker can generate a buffer overflow of one byte in word_lineno, in order to trigger a denial of service, and possibly to execute code. [severity:1/4; CVE-2014-7187]
Full Vigil@nce bulletin... (Free trial)

threat alert CVE-2014-7169

bash: code execution via Function Variable

Synthesis of the vulnerability

An attacker can define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 25/09/2014.
Identifiers: 193355, 193866, 194029, 194064, 194669, 480931, c04475942, c04479492, CERTFR-2014-AVI-403, CERTFR-2014-AVI-415, CERTFR-2014-AVI-480, cisco-sa-20140926-bash, CTX200217, CTX200223, CVE-2014-3659-REJECT, CVE-2014-7169, DSA-3035-1, ESA-2014-111, ESA-2014-123, ESA-2014-124, ESA-2014-125, ESA-2014-126, ESA-2014-127, ESA-2014-128, ESA-2014-133, ESA-2014-136, ESA-2014-150, ESA-2014-151, ESA-2014-152, ESA-2014-162, FEDORA-2014-11514, FEDORA-2014-11527, FEDORA-2014-12202, FG-IR-14-030, HPSBGN03138, HPSBMU03144, JSA10648, JSA10661, MDVSA-2014:190, MDVSA-2015:164, openSUSE-SU-2014:1229-1, openSUSE-SU-2014:1242-1, openSUSE-SU-2014:1248-1, openSUSE-SU-2014:1308-1, openSUSE-SU-2014:1310-1, pfSense-SA-14_18.packages, RHSA-2014:1306-01, RHSA-2014:1311-01, RHSA-2014:1312-01, RHSA-2014:1354-01, RHSA-2014:1865-01, SB10085, sk102673, SOL15629, SSA:2014-268-01, SSA:2014-268-02, SSA-860967, SUSE-SU-2014:1247-1, SUSE-SU-2014:1247-2, T1021272, USN-2363-1, USN-2363-2, VIGILANCE-VUL-15401, VMSA-2014-0010, VMSA-2014-0010.10, VMSA-2014-0010.11, VMSA-2014-0010.12, VMSA-2014-0010.13, VMSA-2014-0010.2, VMSA-2014-0010.4, VMSA-2014-0010.7, VMSA-2014-0010.8, VMSA-2014-0010.9, VN-2014-002.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The bulletin VIGILANCE-VUL-15399 describes a vulnerability of bash.

However, the offered patch (VIGILANCE-SOL-36695) is incomplete. An variant of the initial attack can thus still be used to execute code or to create a file.

In this case, the code is run when the variable is parsed (which is not necessarily an environment variable), and not when the shell starts. The impact may thus be lower, but this was not confirmed.

An attacker can therefore define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.