The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of MNF

computer vulnerability bulletin CVE-2010-1447

Perl: bypassing Safe.pm via sub references

Synthesis of the vulnerability

An attacker can use a reference to a subroutine, in order to bypass the restrictions imposed by the Safe.pm module of Perl.
Impacted products: Debian, Fedora, NSMXpress, Mandriva Linux, Mandriva NF, openSUSE, Perl Module ~ not comprehensive, RHEL, SLES, ESX.
Severity: 2/4.
Consequences: user access/rights.
Provenance: user account.
Creation date: 21/05/2010.
Identifiers: 588269, BID-40305, CVE-2010-1447, DSA-2267-1, FEDORA-2010-11323, FEDORA-2010-11340, MDVSA-2010:115, openSUSE-SU-2010:0518-1, openSUSE-SU-2010:0519-1, PSN-2012-08-686, PSN-2012-08-687, PSN-2012-08-688, PSN-2012-08-689, PSN-2012-08-690, RHSA-2010:0457-01, RHSA-2010:0458-02, SUSE-SR:2010:016, VIGILANCE-VUL-9658, VMSA-2010-0013, VMSA-2010-0013.1, VMSA-2010-0013.2, VMSA-2010-0013.3.

Description of the vulnerability

The Safe.pm module creates an environment (a compartment) that restricts Perl features:
 - Safe::reval("Perl code here"): the Perl code is run restricted
 - Safe::rdo("file"): the Perl code located inside the file is run restricted

However, malicious Perl code can define a reference to a subroutine, which is then called after leaving the restricted environment.

An attacker can therefore use a reference to a subroutine, in order to bypass the restrictions imposed by the Safe.pm module of Perl.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2010-1168

Perl: bypassing Safe.pm via overloading

Synthesis of the vulnerability

An attacker can define methods or overload operators, in order to bypass the restrictions imposed by the Safe.pm module of Perl.
Impacted products: Fedora, Mandriva Linux, Mandriva NF, openSUSE, Solaris, Perl Module ~ not comprehensive, RHEL, SLES, ESX.
Severity: 2/4.
Consequences: user access/rights.
Provenance: user account.
Number of vulnerabilities in this bulletin: 2.
Creation date: 21/05/2010.
Identifiers: 576508, BID-40302, CERTA-2010-AVI-580, CVE-2010-1168, CVE-2010-1974-REJECT, FEDORA-2010-11323, FEDORA-2010-11340, MDVSA-2010:115, openSUSE-SU-2010:0518-1, openSUSE-SU-2010:0519-1, RHSA-2010:0457-01, RHSA-2010:0458-02, SUSE-SR:2010:016, VIGILANCE-VUL-9657, VMSA-2010-0013, VMSA-2010-0013.1, VMSA-2010-0013.2, VMSA-2010-0013.3.

Description of the vulnerability

The Safe.pm module creates an environment (a compartment) that restricts Perl features:
 - Safe::reval("Perl code here"): the Perl code is run restricted
 - Safe::rdo("file"): the Perl code located inside the file is run restricted

However, malicious Perl code can:
 - define a destructor (DESTROY)
 - define an AUTOLOAD method
 - overload an operator
The code located in these elements is not filtered by the compartment.

An attacker can therefore define methods or overload operators, in order to bypass the restrictions imposed by the Safe.pm module of Perl.

vulnerability alert CVE-2010-0830

glibc: integer overflow of ld.so

Synthesis of the vulnerability

An attacker can use a malformed ELF file, to generate an integer overflow in ld.so, in order to execute code.
Impacted products: Debian, Mandriva Linux, Mandriva NF, openSUSE, RHEL, SLES, Unix (platform) ~ not comprehensive, ESX, ESXi, VMware vSphere, VMware vSphere Hypervisor.
Severity: 1/4.
Consequences: user access/rights.
Provenance: user shell.
Creation date: 12/05/2010.
Identifiers: BID-40063, CERTA-2012-AVI-479, CERTA-2012-AVI-759, CVE-2010-0830, DSA-2058-1, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, ESXi500-201212101, ESXi510-201304101-SG, MDVSA-2010:111, MDVSA-2010:112, openSUSE-SU-2010:0913-1, openSUSE-SU-2010:0914-1, RHSA-2012:0125-01, RHSA-2012:0126-01, SUSE-SA:2010:052, VIGILANCE-VUL-9641, VMSA-2012-0005.2, VMSA-2012-0013, VMSA-2012-0018, VMSA-2012-0018.2, VMSA-2013-0001.3, VMSA-2013-0004.1.

Description of the vulnerability

The ld.so program is the dynamic linker/loader provided with glibc. It is used to load the dependencies of a program, or to check a program:
  /lib/ld-linux.so.2 /bin/ls
  /lib/ld-linux.so.2 --verify /bin/ls
  /lib/ld-linux.so.2 --list /bin/ls

However, if the loaded program has a malformed ELF header, an integer overflow occurs in the elf_get_dynamic_info() function of the elf/rtld.c file of ld.so. This program runs with the privileges of the user, so this vulnerability does not lead to a privilege elevation by itself.

For this vulnerability to be exploitable, a service must, for example, check (--verify/--list) an ELF file coming from an untrusted source. In this case, an attacker can execute code with the privileges of the service.

An attacker can therefore use a malformed ELF file, to generate an integer overflow in ld.so, in order to execute code.

vulnerability alert CVE-2010-0740

OpenSSL: denial of service via ssl3_get_record

Synthesis of the vulnerability

An attacker can send a malicious SSL message, in order to stop applications linked to OpenSSL.
Impacted products: BIG-IP Hardware, TMOS, Fedora, HP-UX, AIX, Mandriva Linux, Mandriva NF, NetScreen Firewall, ScreenOS, OpenBSD, OpenSolaris, OpenSSL, Slackware, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: internet client.
Creation date: 29/03/2010.
Identifiers: BID-39013, c02079216, c02160663, CVE-2010-0740, FEDORA-2010-8742, HPSBUX02517, HPSBUX02531, MDVSA-2010:076, MDVSA-2010:076-1, SOL11533, SSA:2010-090-01, SSRT100058, SSRT100108, VIGILANCE-VUL-9541, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

The OpenSSL library implements several versions of the SSL/TLS protocol: SSLv2, SSLv3, TLSv1.

The ssl3_get_record() function of the file ssl/s3_pkt.c decodes SSL records. When an attacker:
 - first sends a message in SSLv3
 - then sends only the header of a record carrying another version number
the ssl3_get_record() function tries to read the body, and then generates an error message using the bad version number. The sending function then tries to access an uninitialized field, which dereferences a NULL pointer.

An attacker can therefore send a malicious SSL message, in order to stop applications linked to OpenSSL.

vulnerability alert CVE-2010-0624

GNU tar, cpio: buffer overflow via rmt

Synthesis of the vulnerability

An attacker, owning a malicious rmt server, or inviting the victim to open a malicious file with GNU tar or cpio, can generate an overflow, leading to code execution.
Impacted products: Fedora, Mandriva Linux, Mandriva NF, OpenSolaris, openSUSE, Solaris, RHEL, SLES, Ubuntu, Unix (platform) ~ not comprehensive, ESX.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 10/03/2010.
Identifiers: BID-38628, CVE-2010-0624, FEDORA-2010-4267, FEDORA-2010-4274, FEDORA-2010-4302, FEDORA-2010-4306, FEDORA-2010-4309, FEDORA-2010-4321, MDVSA-2010:065, RHSA-2010:0141-01, RHSA-2010:0142-01, RHSA-2010:0143-01, RHSA-2010:0144-01, RHSA-2010:0145-01, SUSE-SR:2010:011, USN-2456-1, VIGILANCE-VUL-9511, VMSA-2010-0013, VMSA-2010-0013.1, VMSA-2010-0013.2, VMSA-2010-0013.3.

Description of the vulnerability

The GNU tar and cpio archive management tools support the rmt (Remote Magnetic Tape) protocol. If the file name contains ':' (for example "site:b.tar"), tar automatically connects to the site via rsh/ssh and retrieves the archive using the rmt protocol.

The rmt_read__() function of the file lib/rtapelib.c reads the archive data via rmt. However, this function does not check the data size announced by the rmt server against the size of its buffer. A malicious server can thus return more data than expected, in order to generate a buffer overflow in tar or cpio.

An attacker, owning a malicious rmt server, or inviting the victim to open a malicious file with GNU tar or cpio, can therefore generate an overflow, leading to code execution.

vulnerability bulletin CVE-2009-3245

OpenSSL: buffer overflow via bn_wexpand

Synthesis of the vulnerability

The OpenSSL library does not check the error code returned by the bn_wexpand() function, which can generate a denial of service, or lead to code execution.
Impacted products: BIG-IP Hardware, TMOS, Fedora, HP-UX, AIX, NSM Central Manager, NSMXpress, Mandriva Linux, Mandriva NF, NLD, OES, OpenBSD, OpenSSL, openSUSE, Solaris, Trusted Solaris, RHEL, JBoss EAP by Red Hat, Slackware, SLES, ESX.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: intranet client.
Creation date: 08/03/2010.
Identifiers: BID-38562, c02079216, CERTA-2009-AVI-482, CERTA-2011-AVI-369, CVE-2009-3245, FEDORA-2010-5357, FEDORA-2010-8742, HPSBUX02517, MDVSA-2010:076, MDVSA-2010:076-1, PSN-2012-11-767, RHSA-2010:0162-01, RHSA-2010:0173-02, RHSA-2010:0977-01, RHSA-2011:0896-01, RHSA-2011:0897-01, SOL15404, SSA:2010-060-02, SSRT100058, SUSE-SA:2010:020, SUSE-SR:2010:013, VIGILANCE-VUL-9503, VMSA-2010-0015, VMSA-2010-0015.1.

Description of the vulnerability

The BN (BIGNUM) module of the OpenSSL suite implements the management of big numbers.

The bn_wexpand() function extends the size of a BIGNUM, to ensure it can contain 'n' bytes:
  bn_wexpand(bignumber, n);

Several functions of OpenSSL use bn_wexpand(), in the files crypto/bn/bn_div.c, crypto/bn/bn_gf2m.c, crypto/ec/ec2_smpl.c, and engines/e_ubsec.c. However, they do not check whether the size extension failed before using the BIGNUM. An overflow can thus occur when the BIGNUM is written to with its old, smaller size.

When an application uses the affected functions, this overflow can create a denial of service, or lead to code execution.

vulnerability announce CVE-2010-0790 CVE-2010-0791

ncpfs: two vulnerabilities

Synthesis of the vulnerability

A local attacker can use two vulnerabilities of ncpfs, in order to obtain information or to create a denial of service.
Impacted products: Mandriva Linux, Mandriva NF, openSUSE, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: data reading, denial of service on service.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 08/03/2010.
Identifiers: CVE-2010-0790, CVE-2010-0791, MDVSA-2010:061, SUSE-SR:2010:012, SUSE-SR:2010:013, VIGILANCE-VUL-9502.

Description of the vulnerability

The ncpmount and ncpumount utilities are used to mount a remote NCP (NetWare Core Protocol) share in a local directory. Two vulnerabilities were announced in ncpfs.

An attacker can use ncpumount, in order to detect if a file located in a restricted directory exists. [severity:1/4; CVE-2010-0790]

An attacker can set a lock on "/etc/mtab~", so that other users can no longer mount filesystems. [severity:1/4; CVE-2010-0791]

vulnerability bulletin CVE-2010-0433

OpenSSL: denial of service via Kerberos

Synthesis of the vulnerability

When OpenSSL supports the Kerberos key exchange, and when the server application is in a chroot jail, an attacker can send a special ClientHello message, in order to stop the application.
Impacted products: Fedora, HP-UX, AIX, NSM Central Manager, NSMXpress, Mandriva Linux, Mandriva NF, OpenSSL, RHEL, Slackware, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 04/03/2010.
Identifiers: 567711, 569774, BID-38533, c02079216, c02160663, CVE-2010-0433, FEDORA-2010-5357, FEDORA-2010-8742, HPSBUX02517, HPSBUX02531, MDVSA-2010:076, MDVSA-2010:076-1, PSN-2012-11-767, RHSA-2010:0162-01, SSA:2010-090-01, SSRT100058, SSRT100108, VIGILANCE-VUL-9493, VMSA-2010-0015, VMSA-2010-0015.1, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

A CipherSuite is a triple of:
 - an algorithm to exchange keys (RSA, DH, DHE, elliptic-curve DH, Kerberos (RFC 2712))
 - an algorithm to encrypt data (RC4, 3DES, AES, IDEA, DES)
 - an algorithm to hash data, used for integrity (HMAC-MD5, HMAC-SHA)

The SSL/TLS protocol uses the ClientHello message to indicate to the server the list of CipherSuites supported by the client.

When OpenSSL supports the Kerberos key exchange, and when the server application is in a chroot jail, an attacker can send a ClientHello message containing a CipherSuite of the form TLS_KRB5_WITH_xyz. In this case, the Kerberos krb5_sname_to_principal() function returns a NULL pointer, which is dereferenced by the OpenSSL kssl_keytab_is_available() function.

An attacker can therefore stop the TLS/SSL server.

computer vulnerability bulletin CVE-2010-0205

libpng: denial of service during the decompression

Synthesis of the vulnerability

An attacker can create an extremely compressed image, and invite the victim to open it with libpng, in order to generate a denial of service on the victim's computer.
Impacted products: Debian, Fedora, libpng, Mandriva Linux, Mandriva NF, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, SLES, VMware Player, VMware Workstation.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Creation date: 03/03/2010.
Identifiers: BID-38478, CVE-2010-0205, DSA-2032-1, FEDORA-2010-2988, FEDORA-2010-3375, FEDORA-2010-3414, FEDORA-2010-4616, FEDORA-2010-4673, FEDORA-2010-4683, MDVSA-2010:063, MDVSA-2010:064, RHSA-2010:0534-01, SUSE-SR:2010:011, SUSE-SR:2010:012, SUSE-SR:2010:013, VIGILANCE-VUL-9488, VMSA-2010-0014, VMSA-2010-0014.1, VU#576029.

Description of the vulnerability

A PNG image can contain ancillary chunks:
 - zTXt: compressed text
 - iTXt: international text, which can be compressed
 - iCCP: embedded color correction (ICC) profile, which can be compressed
 - etc.

When libpng analyzes a PNG image containing compressed chunks, the png_decompress_chunk() function enforces no limit on the uncompressed size, nor on the CPU resources used. For example, a compressed zTXt chunk of 17 kb can be uncompressed to 5 Mb, and a compressed iCCP chunk of 50 kb can be uncompressed to 60 Mb.

An attacker can therefore create an extremely compressed image, and invite the victim to open it with libpng, in order to generate a denial of service on the victim's computer.

vulnerability CVE-2010-0734

libcurl: buffer overflow via uncompression

Synthesis of the vulnerability

An attacker, who owns a web server, can return data compressed with Deflate (zlib), in order to generate an overflow in applications linked to libcurl.
Impacted products: curl, Debian, Fedora, Mandriva Linux, Mandriva NF, RHEL, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: internet server.
Creation date: 09/02/2010.
Identifiers: adv_20100209, BID-38162, CERTA-2010-AVI-135, CERTA-2010-AVI-138, CVE-2010-0734, DSA-2023-1, FEDORA-2010-2720, FEDORA-2010-2762, MDVSA-2010:062, RHSA-2010:0273-05, RHSA-2010:0329-01, VIGILANCE-VUL-9420, VMSA-2010-0015, VMSA-2010-0015.1, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

The libcurl library offers a callback system to applications. The application defines a function such as:
  size_t write_data(void *buffer, size_t size, size_t nmemb, void *userp);
This function is registered with:
  curl_easy_setopt(easyhandle, CURLOPT_WRITEFUNCTION, write_data);
Then, each time libcurl wants to deliver received data, it calls the write_data() function.

Data coming from the web site is automatically uncompressed with Deflate (zlib) only if the application sets the following option (it is not set by default):
  curl_easy_setopt(d->m_handle, CURLOPT_HTTP_CONTENT_DECODING, true);

The libcurl documentation indicates that the maximal size of data given to the write_data() function in one call is CURL_MAX_WRITE_SIZE (16k) bytes.

However, if data coming from the web site is automatically uncompressed by Deflate, the maximal size of data given to the write_data() function in one call is 64k bytes. If the write_data() function was not designed to handle this amount of data (for example, because it copies into a buffer of CURL_MAX_WRITE_SIZE bytes), an overflow occurs.

An attacker, who owns a web server, can therefore return data compressed with Deflate (zlib), in order to generate an overflow in applications linked to libcurl.

No public application linked to libcurl is known to be impacted by this vulnerability.
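The defensive side of this bulletin, as an added example that is neither Vigil@nce's nor the curl project's code: a write callback that does not rely on the documented CURL_MAX_WRITE_SIZE bound, so a 64k chunk produced by content decoding is handled instead of overflowing. libcurl is not linked here; the constructed deliver_chunk() function stands in for libcurl calling the callback, and SINK_HARD_CAP is an assumed application policy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define CURL_MAX_WRITE_SIZE 16384u      /* documented per-call limit, as in the bulletin */
#define SINK_HARD_CAP       (1u << 20)  /* assumed policy: refuse bodies over 1 MiB */

struct sink { char *data; size_t len, cap; };

/* Hardened callback: validates size*nmemb, grows the buffer as needed, and
   returns a short count (0) so libcurl aborts the transfer (CURLE_WRITE_ERROR)
   instead of the application overflowing a fixed 16k buffer. */
size_t write_data(void *buffer, size_t size, size_t nmemb, void *userp)
{
    struct sink *s = userp;
    size_t n;
    if (size != 0 && nmemb > SIZE_MAX / size) return 0;   /* product would wrap */
    n = size * nmemb;
    if (n > SINK_HARD_CAP - s->len) return 0;             /* enforce a total cap */
    if (s->len + n > s->cap) {
        size_t ncap = s->cap ? s->cap : CURL_MAX_WRITE_SIZE;
        while (ncap < s->len + n) ncap *= 2;
        char *p = realloc(s->data, ncap);
        if (!p) return 0;
        s->data = p;
        s->cap = ncap;
    }
    memcpy(s->data + s->len, buffer, n);
    s->len += n;
    return n;
}

/* Stand-in for libcurl (constructed): builds a chunk of n bytes and hands it
   to the callback the way libcurl does (size = 1, nmemb = n). Returns 1 if the
   callback accepted the whole chunk, 0 if it signalled a write error. */
int deliver_chunk(struct sink *s, size_t n)
{
    char *chunk = malloc(n ? n : 1);
    if (!chunk) return 0;
    memset(chunk, 'A', n);
    size_t got = write_data(chunk, 1, n, s);
    free(chunk);
    return got == n;
}

void sink_free(struct sink *s) { free(s->data); s->data = NULL; s->len = s->cap = 0; }
```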