The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of McAfee Email and Web Security

security vulnerability CVE-2014-8176

OpenSSL: use after free via DTLS

Synthesis of the vulnerability

An attacker can force the usage of a freed memory area via DTLS in OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Severity: 2/4.
Creation date: 12/06/2015.
Identifiers: 1961569, 9010038, 9010039, BSA-2015-006, c05184351, CERTFR-2015-AVI-257, cisco-sa-20150612-openssl, CVE-2014-8176, DSA-3287-1, HPSBHF03613, NetBSD-SA2015-008, NTAP-20150616-0001, openSUSE-SU-2015:1277-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:1115-01, SA98, SB10122, SOL16920, USN-2639-1, VIGILANCE-VUL-17118.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The DTLS (Datagram Transport Layer Security) protocol, based on TLS, provides a cryptographic layer over the UDP protocol.

However, if data are received between the ChangeCipherSpec and Finished messages, OpenSSL frees a memory area before reusing it.

An attacker can therefore force the usage of a freed memory area via DTLS in OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Full Vigil@nce bulletin... (Free trial)

threat alert CVE-2015-1788 CVE-2015-1789 CVE-2015-1790

OpenSSL: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenSSL.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 12/06/2015.
Identifiers: 1450666, 1610582, 1647054, 1961111, 1961569, 1964113, 1964766, 1966038, 1970103, 1972125, 9010038, 9010039, BSA-2015-006, bulletinjul2015, c04760669, c05184351, c05353965, CERTFR-2015-AVI-257, CERTFR-2015-AVI-431, CERTFR-2016-AVI-128, CERTFR-2016-AVI-303, cisco-sa-20150612-openssl, cpuapr2017, cpuoct2017, CTX216642, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792, DSA-3287-1, FEDORA-2015-10047, FEDORA-2015-10108, FreeBSD-SA-15:10.openssl, HPSBGN03678, HPSBHF03613, HPSBUX03388, JSA10694, JSA10733, NetBSD-SA2015-008, NTAP-20150616-0001, openSUSE-SU-2015:1139-1, openSUSE-SU-2015:1277-1, openSUSE-SU-2015:2243-1, openSUSE-SU-2016:0640-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:1115-01, RHSA-2015:1197-01, SA40002, SA98, SB10122, SOL16898, SOL16913, SOL16915, SOL16938, SSA:2015-162-01, SSRT102180, SUSE-SU-2015:1143-1, SUSE-SU-2015:1150-1, SUSE-SU-2015:1181-1, SUSE-SU-2015:1181-2, SUSE-SU-2015:1182-2, SUSE-SU-2015:1183-1, SUSE-SU-2015:1183-2, SUSE-SU-2015:1184-1, SUSE-SU-2015:1184-2, SUSE-SU-2015:1185-1, TNS-2015-07, TSB16728, USN-2639-1, VIGILANCE-VUL-17117.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

An attacker can generate an infinite loop via ECParameters, in order to trigger a denial of service. [severity:2/4; CVE-2015-1788]

An attacker can force a read at an invalid address in X509_cmp_time(), in order to trigger a denial of service. [severity:2/4; CVE-2015-1789]

An attacker can force a NULL pointer to be dereferenced via EnvelopedContent, in order to trigger a denial of service. [severity:2/4; CVE-2015-1790]

An attacker can generate an infinite loop via CMS signedData, in order to trigger a denial of service. [severity:2/4; CVE-2015-1792]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2015-1791

OpenSSL: use after free via NewSessionTicket

Synthesis of the vulnerability

An attacker, who own a malicious TLS server, can send the NewSessionTicket message, to force the usage of a freed memory area in a client linked to OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Severity: 2/4.
Creation date: 04/06/2015.
Identifiers: 1961569, 1964113, 1970103, 2003480, 2003620, 2003673, 9010038, 9010039, bulletinjul2015, c04760669, c05184351, c05353965, CERTFR-2015-AVI-431, CERTFR-2016-AVI-128, CERTFR-2016-AVI-303, cisco-sa-20150612-openssl, cpuapr2017, cpuoct2016, cpuoct2017, CTX216642, CVE-2015-1791, DSA-3287-1, FEDORA-2015-10047, FEDORA-2015-10108, FreeBSD-SA-15:10.openssl, HPSBGN03678, HPSBHF03613, HPSBUX03388, JSA10694, JSA10733, NetBSD-SA2015-008, NTAP-20150616-0001, openSUSE-SU-2015:1139-1, openSUSE-SU-2016:0640-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:1115-01, SA40002, SA98, SB10122, SOL16914, SSA:2015-162-01, SSRT102180, SUSE-SU-2015:1143-1, SUSE-SU-2015:1150-1, SUSE-SU-2015:1182-2, SUSE-SU-2015:1184-1, SUSE-SU-2015:1184-2, SUSE-SU-2015:1185-1, TSB16728, USN-2639-1, VIGILANCE-VUL-17062.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The TLS protocol uses the NewSessionTicket message to obtain a new session ticket (RFC 5077).

The ssl3_get_new_session_ticket() function of the ssl/s3_clnt.c file implements NewSessionTicket in an OpenSSL client. However, if the client is multi-threaded, this function frees a memory area before reusing it.

An attacker, who own a malicious TLS server, can therefore send the NewSessionTicket message, to force the usage of a freed memory area in a client linked to OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Full Vigil@nce bulletin... (Free trial)

weakness announce CVE-2015-0235

glibc: buffer overflow of gethostbyname, GHOST

Synthesis of the vulnerability

An attacker can for example send an email using a long IPv4 address, to force the messaging server to resolve this address, and to generate a buffer overflow in gethostbyname() of the glibc, in order to trigger a denial of service, and possibly to execute code. Several programs using the gethostbyname() function are vulnerable with a similar attack vector.
Severity: 4/4.
Creation date: 27/01/2015.
Revision date: 27/01/2015.
Identifiers: 198850, 199399, c04577814, c04589512, CERTFR-2015-AVI-043, cisco-sa-20150128-ghost, cpujul2015, cpujul2017, cpuoct2016, cpuoct2017, cpuoct2018, CTX200437, CVE-2015-0235, DSA-3142-1, ESA-2015-030, ESA-2015-041, GHOST, HPSBGN03270, HPSBGN03285, JSA10671, K16057, KM01391662, MDVSA-2015:039, openSUSE-SU-2015:0162-1, openSUSE-SU-2015:0184-1, PAN-SA-2015-0002, RHSA-2015:0090-01, RHSA-2015:0092-01, RHSA-2015:0099-01, RHSA-2015:0101-01, RHSA-2015:0126-01, SB10100, sk104443, SOL16057, SSA:2015-028-01, SSA-994726, SUSE-SU-2015:0158-1, USN-2485-1, VIGILANCE-VUL-16060, VU#967332.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The glibc library provides two functions to obtain the IP address of a server from its DNS name:
  struct hostent *gethostbyname(const char *name);
  struct hostent *gethostbyname2(const char *name, int af);

For example:
  he = gethostbyname("www.example.com");

These functions also accept to directly process an IP address:
  he = gethostbyname("192.168.1.1");

However, a malformed IPv4 address, which is too long such as 192.168.111111.1 (more than 1024 byte long) triggers an overflow in the __nss_hostname_digits_dots() function.

An attacker can therefore for example send an email using a long IPv4 address, to force the messaging server to resolve this address, and to generate a buffer overflow in gethostbyname() of the glibc, in order to trigger a denial of service, and possibly to execute code.

Several programs using the gethostbyname() function are vulnerable (exim, php, pppd, procmail) with a similar attack vector. The following programs are apparently not vulnerable: apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql, nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd, pure-ftpd, rsyslog, samba, sendmail, squid, sysklogd, syslog-ng, tcp_wrappers, vsftpd, xinetd.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2014-3568

OpenSSL: option no-ssl3 useless

Synthesis of the vulnerability

An attacker can still use SSLv3, even if OpenSSL was compiled with no-ssl3.
Severity: 1/4.
Creation date: 15/10/2014.
Identifiers: 1691140, 1696383, c04492722, c04616259, CERTFR-2014-AVI-435, CERTFR-2014-AVI-509, CERTFR-2015-AVI-024, CERTFR-2016-AVI-303, CTX216642, CVE-2014-3568, DSA-3053-1, ESXi500-201502001, ESXi500-201502101-SG, ESXi510-201503001, ESXi510-201503001-SG, ESXi510-201503101-SG, ESXi550-201501001, ESXi550-201501101-SG, FreeBSD-SA-14:23.openssl, HPSBHF03300, HPSBUX03162, NetBSD-SA2014-015, openSUSE-SU-2014:1331-1, openSUSE-SU-2014:1426-1, openSUSE-SU-2016:0640-1, SA87, SB10091, SSA:2014-288-01, SSRT101767, SUSE-SU-2014:1357-1, SUSE-SU-2014:1361-1, SUSE-SU-2014:1386-1, SUSE-SU-2014:1387-1, SUSE-SU-2014:1387-2, SUSE-SU-2014:1409-1, VIGILANCE-VUL-15491, VMSA-2015-0001, VMSA-2015-0001.1, VMSA-2015-0001.2.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The OpenSSL library can be compiled with the no-ssl3 option, in order to disable SSLv3.

However, this option does not work.

An attacker can therefore still use SSLv3, even if OpenSSL was compiled with no-ssl3.
Full Vigil@nce bulletin... (Free trial)

security vulnerability CVE-2014-3567

OpenSSL: memory leak via Session Ticket

Synthesis of the vulnerability

An attacker can use a malicious Session Ticket, to create a memory leak in OpenSSL, in order to trigger a denial of service.
Severity: 2/4.
Creation date: 15/10/2014.
Identifiers: 1691140, 1696383, c04492722, c04616259, CERTFR-2014-AVI-435, CERTFR-2014-AVI-509, CERTFR-2015-AVI-024, CERTFR-2016-AVI-303, CTX216642, CVE-2014-3567, DSA-3053-1, ESXi500-201502001, ESXi500-201502101-SG, ESXi510-201503001, ESXi510-201503001-SG, ESXi510-201503101-SG, ESXi550-201501001, ESXi550-201501101-SG, FreeBSD-SA-14:23.openssl, HPSBHF03300, HPSBUX03162, MDVSA-2014:203, MDVSA-2015:062, NetBSD-SA2014-015, openSUSE-SU-2014:1331-1, openSUSE-SU-2014:1426-1, openSUSE-SU-2016:0640-1, RHSA-2014:1652-01, RHSA-2014:1653-01, RHSA-2014:1692-01, RHSA-2015:0126-01, SA87, SB10091, SOL15723, SP-CAAANST, SPL-91947, SPL-91948, SSA:2014-288-01, SSRT101767, STORM-2014-003, SUSE-SU-2014:1357-1, SUSE-SU-2014:1361-1, SUSE-SU-2014:1386-1, SUSE-SU-2014:1387-1, SUSE-SU-2014:1387-2, SUSE-SU-2014:1409-1, USN-2385-1, VIGILANCE-VUL-15490, VMSA-2015-0001, VMSA-2015-0001.1, VMSA-2015-0001.2.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The OpenSSL product implements a SSL/TLS/DTLS client/server.

When the server receives a session ticket, it checks its integrity. However, if this ticket is invalid, the memory allocated for its processing is never freed.

An attacker can therefore use a malicious Session Ticket, to create a memory leak in OpenSSL, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

threat alert CVE-2014-3513

OpenSSL: memory leak via SRTP

Synthesis of the vulnerability

An attacker can create a memory leak in OpenSSL compiled by default with SRTP, in order to trigger a denial of service.
Severity: 2/4.
Creation date: 15/10/2014.
Identifiers: 1691140, 1696383, c04616259, CERTFR-2014-AVI-435, CERTFR-2014-AVI-509, CERTFR-2015-AVI-024, CVE-2014-3513, DSA-3053-1, ESXi500-201502001, ESXi500-201502101-SG, ESXi510-201503001, ESXi510-201503001-SG, ESXi510-201503101-SG, ESXi550-201501001, ESXi550-201501101-SG, FreeBSD-SA-14:23.openssl, HPSBHF03300, MDVSA-2015:062, NetBSD-SA2014-015, openSUSE-SU-2014:1331-1, openSUSE-SU-2014:1426-1, RHSA-2014:1652-01, RHSA-2014:1653-01, RHSA-2014:1692-01, SA87, SB10091, SOL15722, SSA:2014-288-01, SUSE-SU-2014:1357-1, SUSE-SU-2014:1386-1, SUSE-SU-2014:1387-1, SUSE-SU-2014:1387-2, SUSE-SU-2014:1409-1, USN-2385-1, VIGILANCE-VUL-15489, VMSA-2015-0001, VMSA-2015-0001.1, VMSA-2015-0001.2.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The OpenSSL library supports the SRTP extension, which is enabled by default (except if OPENSSL_NO_SRTP is used).

However, when the OpenSSL server receives a special Handshake message (even if SRTP is not used), an allocated memory area of 64kb is never freed.

An attacker can therefore create a memory leak in OpenSSL compiled by default with SRTP, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

computer threat alert CVE-2014-3566

SSL 3.0: decrypting session, POODLE

Synthesis of the vulnerability

An attacker, located as a Man-in-the-Middle, can decrypt a SSL 3.0 session, in order to obtain sensitive information.
Severity: 3/4.
Creation date: 15/10/2014.
Identifiers: 10923, 1589583, 1595265, 1653364, 1657963, 1663874, 1687167, 1687173, 1687433, 1687604, 1687611, 1690160, 1690185, 1690342, 1691140, 1692551, 1695392, 1696383, 1699051, 1700706, 2977292, 3009008, 7036319, aid-10142014, AST-2014-011, bulletinapr2015, bulletinjan2015, bulletinjan2016, bulletinjul2015, bulletinjul2016, bulletinoct2015, c04486577, c04487990, c04492722, c04497114, c04506802, c04510230, c04567918, c04616259, c04626982, c04676133, c04776510, CERTFR-2014-ALE-007, CERTFR-2014-AVI-454, CERTFR-2014-AVI-509, CERTFR-2015-AVI-169, CERTFR-2016-AVI-303, cisco-sa-20141015-poodle, cpujul2017, CTX216642, CVE-2014-3566, DSA-3053-1, DSA-3253-1, DSA-3489-1, ESA-2014-178, ESA-2015-098, ESXi500-201502001, ESXi500-201502101-SG, ESXi510-201503001, ESXi510-201503001-SG, ESXi510-201503101-SG, ESXi550-201501001, ESXi550-201501101-SG, FEDORA-2014-12989, FEDORA-2014-12991, FEDORA-2014-13012, FEDORA-2014-13017, FEDORA-2014-13040, FEDORA-2014-13069, FEDORA-2014-13070, FEDORA-2014-13444, FEDORA-2014-13451, FEDORA-2014-13764, FEDORA-2014-13777, FEDORA-2014-13781, FEDORA-2014-13794, FEDORA-2014-14234, FEDORA-2014-14237, FEDORA-2014-15379, FEDORA-2014-15390, FEDORA-2014-15411, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2015-9090, FEDORA-2015-9110, FreeBSD-SA-14:23.openssl, FSC-2014-8, HPSBGN03256, HPSBGN03305, HPSBGN03332, HPSBHF03156, HPSBHF03300, HPSBMU03152, HPSBMU03184, HPSBMU03213, HPSBMU03416, HPSBUX03162, HPSBUX03194, JSA10656, MDVSA-2014:203, MDVSA-2014:218, MDVSA-2015:062, NetBSD-SA2014-015, nettcp_advisory, openSUSE-SU-2014:1331-1, openSUSE-SU-2014:1384-1, openSUSE-SU-2014:1395-1, openSUSE-SU-2014:1426-1, openSUSE-SU-2016:0640-1, openSUSE-SU-2016:1586-1, openSUSE-SU-2017:0980-1, PAN-SA-2014-0005, POODLE, RHSA-2014:1652-01, RHSA-2014:1653-01, RHSA-2014:1692-01, RHSA-2014:1920-01, RHSA-2014:1948-01, RHSA-2015:0010-01, RHSA-2015:0011-01, RHSA-2015:0012-01, RHSA-2015:1545-01, RHSA-2015:1546-01, SA83, SB10090, SB10104, sk102989, SOL15702, SP-CAAANKE, SP-CAAANST, SPL-91947, SPL-91948, SSA:2014-288-01, SSA-396873, SSA-472334, SSRT101767, STORM-2014-02-FR, SUSE-SU-2014:1357-1, SUSE-SU-2014:1361-1, SUSE-SU-2014:1386-1, SUSE-SU-2014:1387-1, SUSE-SU-2014:1387-2, SUSE-SU-2014:1409-1, SUSE-SU-2015:0010-1, SUSE-SU-2016:1457-1, SUSE-SU-2016:1459-1, T1021439, TSB16540, USN-2839-1, VIGILANCE-VUL-15485, VMSA-2015-0001, VMSA-2015-0001.1, VMSA-2015-0001.2, VN-2014-003, VU#577193.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

An SSL/TLS session can be established using several protocols:
 - SSL 2.0 (obsolete)
 - SSL 3.0
 - TLS 1.0
 - TLS 1.1
 - TLS 1.2

An attacker can downgrade the version to SSLv3. However, with SSL 3.0, an attacker can change the padding position with a CBC encryption, in order to progressively guess clear text fragments.

This vulnerability is named POODLE (Padding Oracle On Downgraded Legacy Encryption).

An attacker, located as a Man-in-the-Middle, can therefore decrypt a SSL 3.0 session, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

security alert CVE-2014-6278

bash: command execution in the function parser

Synthesis of the vulnerability

An attacker can define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.
Severity: 3/4.
Creation date: 29/09/2014.
Identifiers: 193355, 193866, 194029, 194064, 194669, 480931, c04475942, c04479492, CERTFR-2014-AVI-403, CERTFR-2014-AVI-415, CERTFR-2014-AVI-480, CTX200217, CTX200223, CVE-2014-6278, ESA-2014-111, ESA-2014-123, ESA-2014-124, ESA-2014-125, ESA-2014-126, ESA-2014-127, ESA-2014-128, ESA-2014-133, ESA-2014-136, ESA-2014-150, ESA-2014-151, ESA-2014-152, ESA-2014-162, HPSBGN03138, HPSBMU03144, JSA10648, JSA10661, MDVSA-2015:164, openSUSE-SU-2014:1310-1, openSUSE-SU-2016:2961-1, SB10085, sk102673, SOL15629, SSA:2014-272-01, SSA-860967, T1021272, USN-2380-1, VIGILANCE-VUL-15421, VMSA-2014-0010, VMSA-2014-0010.10, VMSA-2014-0010.11, VMSA-2014-0010.12, VMSA-2014-0010.13, VMSA-2014-0010.2, VMSA-2014-0010.4, VMSA-2014-0010.7, VMSA-2014-0010.8, VMSA-2014-0010.9.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The bash interpreter can use functions.

However, when bash parses the source code to create the function, it directly executes commands located at some places.

This vulnerability can be used with the same attack vector than VIGILANCE-VUL-15399.

An attacker can therefore define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2014-6277

bash: memory corruption in the function parser

Synthesis of the vulnerability

An attacker can define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.
Severity: 3/4.
Creation date: 29/09/2014.
Identifiers: 193355, 193866, 194029, 194064, 194669, 480931, c04475942, c04479492, CERTFR-2014-AVI-403, CERTFR-2014-AVI-415, CERTFR-2014-AVI-480, CTX200217, CTX200223, CVE-2014-6277, ESA-2014-111, ESA-2014-123, ESA-2014-124, ESA-2014-125, ESA-2014-126, ESA-2014-127, ESA-2014-128, ESA-2014-133, ESA-2014-136, ESA-2014-150, ESA-2014-151, ESA-2014-152, ESA-2014-162, HPSBGN03138, HPSBMU03144, JSA10648, JSA10661, MDVSA-2015:164, openSUSE-SU-2014:1310-1, openSUSE-SU-2016:2961-1, SB10085, sk102673, SOL15629, SSA:2014-272-01, SSA-860967, T1021272, USN-2380-1, VIGILANCE-VUL-15420, VMSA-2014-0010, VMSA-2014-0010.10, VMSA-2014-0010.11, VMSA-2014-0010.12, VMSA-2014-0010.13, VMSA-2014-0010.2, VMSA-2014-0010.4, VMSA-2014-0010.7, VMSA-2014-0010.8, VMSA-2014-0010.9.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The bash interpreter can use functions.

However, when bash parses the source code to create the function, it corrupts its memory.

This vulnerability can be used with the same attack vector than VIGILANCE-VUL-15399.

An attacker can therefore define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.