The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Micro Focus Open Enterprise Server

computer vulnerability CVE-2017-5182

Novell Open Enterprise Server: directory traversal via Remote Manager

Synthesis of the vulnerability

An attacker can traverse directories via Remote Manager of Novell Open Enterprise Server, in order to read a file outside the service root path.
Impacted products: OES.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 25/01/2017.
Identifiers: CVE-2017-5182, VIGILANCE-VUL-21675.

Description of the vulnerability

The Novell Open Enterprise Server product offers a web service.

However, user-supplied data are inserted directly into a file system path. Sequences such as "/.." can thus be used to move up to the parent directory.

An attacker can therefore traverse directories via Remote Manager of Novell Open Enterprise Server, in order to read a file outside the service root path.

vulnerability bulletin CVE-2016-5763

Novell Open Enterprise Server: read-write access

Synthesis of the vulnerability

An attacker can bypass access restrictions of Novell Open Enterprise Server, in order to read or alter data.
Impacted products: OES.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: user shell.
Creation date: 16/11/2016.
Identifiers: CVE-2016-5763, VIGILANCE-VUL-21133.

Description of the vulnerability

An attacker can bypass access restrictions of Novell Open Enterprise Server, in order to read or alter data.

vulnerability announcement CVE-2015-0240

Samba: use after free via NetLogon

Synthesis of the vulnerability

An unauthenticated attacker can force the usage of a freed memory area in NetLogon of Samba, in order to trigger a denial of service, and possibly to execute code with root privileges.
Impacted products: Debian, Fedora, HP-UX, OES, openSUSE, Solaris, RHEL, Samba, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Ubuntu.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on server, denial of service on service, denial of service on client.
Provenance: intranet client.
Creation date: 23/02/2015.
Revision date: 15/04/2015.
Identifiers: 7014420, bulletinjan2015, c04636672, CERTFR-2015-AVI-078, CVE-2015-0240, DSA-3171-1, FEDORA-2015-2519, FEDORA-2015-2538, HPSBUX03320, MDVSA-2015:081, MDVSA-2015:082, MDVSA-2015:083, openSUSE-SU-2015:0375-1, openSUSE-SU-2016:1064-1, openSUSE-SU-2016:1106-1, openSUSE-SU-2016:1107-1, openSUSE-SU-2016:1108-1, openSUSE-SU-2016:1440-1, RHSA-2015:0249-01, RHSA-2015:0250-01, RHSA-2015:0251-01, RHSA-2015:0252-01, RHSA-2015:0253-01, RHSA-2015:0254-01, RHSA-2015:0255-01, RHSA-2015:0256-01, RHSA-2015:0257-01, SSA:2015-064-01, SSRT101952, SUSE-SU-2015:0353-1, SUSE-SU-2015:0371-1, SUSE-SU-2015:0386-1, USN-2508-1, VIGILANCE-VUL-16242.

Description of the vulnerability

The Samba product implements the NetLogon service.

An unauthenticated attacker (NULL session over IPC) can call the ServerPasswordSet() RPC of NetLogon. However, the _netr_ServerPasswordSet() function frees a memory area and then reuses it.

An unauthenticated attacker can therefore force the usage of a freed memory area in NetLogon of Samba, in order to trigger a denial of service, and possibly to execute code with root privileges.

vulnerability alert CVE-2014-0595

Novell Client for Linux on OES11 SP2: privilege escalation via nwrights

Synthesis of the vulnerability

A local attacker can use a file, with rights granted by nwrights, in order to escalate his privileges.
Impacted products: Novell Client, OES, SUSE Linux Enterprise Desktop.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 12/05/2014.
Identifiers: 7014932, CVE-2014-0595, SUSE-SU-2014:0847-1, VIGILANCE-VUL-14721.

Description of the vulnerability

The /opt/novell/ncl/bin/nwrights command is provided with Novell Client for Linux. It defines rights on files.

However, on OES11 SP2, the 'S' (Supervisor) right is automatically granted when the user sets the 'F' (File system) right.

A local attacker can therefore use a file, with rights granted by nwrights, in order to escalate his privileges.

computer vulnerability alert CVE-2013-3707

Novell Open Enterprise Server: denial of service via HTTPSTK

Synthesis of the vulnerability

An attacker can generate several SSL errors in HTTPSTK of Novell Open Enterprise Server, in order to trigger a denial of service.
Impacted products: OES.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: document.
Creation date: 04/12/2013.
Identifiers: 7014063, CVE-2013-3707, VIGILANCE-VUL-13866.

Description of the vulnerability

The HTTPSTK service listens on port 8009/tcp.

However, when an SSL session ends with an error, the HTTPSTK service does not call the SSL_free() and SSL_shutdown() functions. The TCP socket thus stays in the CLOSE_WAIT state.

An attacker can therefore generate several SSL errors in HTTPSTK of Novell Open Enterprise Server, in order to trigger a denial of service.

computer vulnerability bulletin CVE-2011-4194

Novell Open Enterprise Server: buffer overflow via iPrint

Synthesis of the vulnerability

A remote attacker can generate a buffer overflow in Novell iPrint Server, in order to execute code.
Impacted products: OES.
Severity: 3/4.
Consequences: user access/rights.
Provenance: intranet client.
Creation date: 02/02/2012.
Identifiers: 7010084, BID-51791, CVE-2011-4194, VIGILANCE-VUL-11338, ZDI-12-031.

Description of the vulnerability

The IPP (Internet Printing Protocol) protocol is used to remotely manage printers.

The IPP Print-Job and Create-Job operations print a file, or create a print job. A Print-Job or Create-Job query can have attributes:
 - attributes-charset
 - attributes-natural-language
 - printer-uri
 - etc.

However, if an IPP query uses a long "attributes-natural-language" attribute, an overflow occurs in Novell iPrint Server.

A remote attacker can therefore generate a buffer overflow in Novell iPrint Server, in order to execute code.

computer vulnerability bulletin CVE-2010-4072 CVE-2010-4073

Linux kernel: memory reading via ipc

Synthesis of the vulnerability

A local attacker can use an IPC, in order to read bytes stored in the kernel memory.
Impacted products: Debian, Fedora, Linux, NLD, OES, openSUSE, RHEL, SLES, ESX.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 07/10/2010.
Revision date: 06/09/2011.
Identifiers: BID-43828, BID-43829, BID-45054, BID-45073, CERTA-2002-AVI-272, CVE-2010-4072, CVE-2010-4073, DSA-2126-1, ESX400-201110001, ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110406-SG, ESX400-201110408-SG, ESX400-201110409-SG, ESX400-201110410-SG, FEDORA-2010-18432, FEDORA-2010-18493, FEDORA-2010-18506, MDVSA-2011:029, MDVSA-2011:051, openSUSE-SU-2010:1047-1, openSUSE-SU-2011:0004-1, openSUSE-SU-2011:0048-1, openSUSE-SU-2011:0346-1, openSUSE-SU-2013:0927-1, RHSA-2010:0958-01, RHSA-2011:0007-01, RHSA-2011:0017-01, RHSA-2011:0162-01, SUSE-SA:2010:060, SUSE-SA:2011:001, SUSE-SA:2011:004, SUSE-SA:2011:007, SUSE-SA:2011:008, SUSE-SA:2011:017, SUSE-SU-2011:0928-1, VIGILANCE-VUL-10008, VMSA-2011-0004.2, VMSA-2011-0009.1, VMSA-2011-0010.2, VMSA-2011-0012, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005.

Description of the vulnerability

Several system calls manage IPC (Inter Process Communication):
 - semctl() : semaphores
 - shmctl() : shared memory
 - msgctl() : messages

However, these functions do not initialize all fields of the structures they copy to user space. Stale kernel data are thus transmitted to the user.

The shmctl() function of the ipc/shm.c file does not correctly initialize the shmid_ds structure. [severity:1/4; BID-43829, BID-45054, CVE-2010-4072]

The semctl(), shmctl() and msgctl() compatibility functions of the ipc/compat.c file do not correctly initialize several structures. [severity:1/4; BID-43828, BID-45073, CVE-2010-4073]

A local attacker can therefore use an IPC, in order to read bytes stored in the kernel memory.

vulnerability note CVE-2011-2483

crypt_blowfish: hash collision

Synthesis of the vulnerability

When the user has a password containing 8-bit characters, the Blowfish hashing algorithm of crypt() generates an invalid hash, which is potentially faster to find by brute force.
Impacted products: Debian, Mandriva Linux, NLD, OES, openSUSE, PostgreSQL, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet client.
Creation date: 19/08/2011.
Identifiers: CVE-2011-2483, DSA-2340-1, MDVSA-2011:161, MDVSA-2011:178, MDVSA-2011:179, MDVSA-2011:180, openSUSE-SU-2011:0921-1, openSUSE-SU-2011:0921-2, openSUSE-SU-2011:0970-1, openSUSE-SU-2011:0972-1, openSUSE-SU-2012:0480-1, openSUSE-SU-2013:1670-1, openSUSE-SU-2013:1676-1, RHSA-2011:1377-01, RHSA-2011:1378-01, SUSE-SA:2011:035, SUSE-SU-2011:0922-1, SUSE-SU-2011:0923-1, SUSE-SU-2011:0927-1, SUSE-SU-2011:0971-1, SUSE-SU-2011:0974-1, SUSE-SU-2011:0991-1, SUSE-SU-2011:1081-1, SUSE-SU-2011:1081-2, VIGILANCE-VUL-10934.

Description of the vulnerability

The crypt() function hashes the password of a user. When a user is added, the hash is stored in the /etc/shadow file. When the user authenticates, the hash is compared to the hash from /etc/shadow.

The crypt() function supports several hash algorithms:
 - DES
 - MD5 (prefix $1$)
 - Blowfish (prefix $2a$), which is implemented in the crypt_blowfish library

However, crypt_blowfish uses signed C char values (-128 to 127) instead of unsigned ones (0 to 255). The generated hash is thus invalid if the password contains 8-bit characters.

This error has no impact on user authentication, because the invalid hash stored in the /etc/shadow file and the invalid hash computed from the entered password are the same.

However, the generated hash is subject to collisions: several passwords can have the same hash. A brute force attack thus needs to test fewer passwords before finding the user's password.

When the user has a password containing 8-bit characters, the Blowfish hashing algorithm of crypt() therefore generates an invalid hash, which is potentially faster to find by brute force.

vulnerability bulletin CVE-2011-2697 CVE-2011-2964

foomatic-rip: code execution via PPD

Synthesis of the vulnerability

When the system is configured to use a foomatic-rip or foomatic-rip-hplip print filter, a local attacker (or remote attacker via CUPS) can print a document, in order to execute code with privileges of the lp user.
Impacted products: Debian, Fedora, Mandriva Linux, NLD, OES, openSUSE, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 02/08/2011.
Identifiers: 698451, CVE-2011-2697, CVE-2011-2964, DSA-2380-1, FEDORA-2011-9554, FEDORA-2011-9575, MDVSA-2011:125, openSUSE-SU-2011:0892-1, RHSA-2011:1109-01, RHSA-2011:1110-01, SUSE-SU-2011:0895-1, VIGILANCE-VUL-10883.

Description of the vulnerability

The foomatic-rip or foomatic-rip-hplip filter (written in C or in Perl) adapts print queries to printers.

A PPD (PostScript Printer Description) file contains a FoomaticRIPCommandLine directive which indicates the command line to be executed by foomatic-rip.

The "-p" option of foomatic-rip indicates the name of the spool file to use. However, when "-p" is used, foomatic-rip also accepts a PPD file provided by the user. The "-p" option can be injected through the "-U" option of lp, which indicates the user name, because all parameters are concatenated regardless of their origin.

An attacker can therefore print with a "-U" option containing "-p" and a PPD file containing a malicious FoomaticRIPCommandLine command. This command is then run with the privileges of the print system.

When the system is configured to use a foomatic-rip or foomatic-rip-hplip print filter, a local attacker (or remote attacker via CUPS) can therefore print a document, in order to execute code with privileges of the lp user.

vulnerability alert CVE-2011-2522 CVE-2011-2694

Samba: two vulnerabilities of SWAT

Synthesis of the vulnerability

An attacker can use two vulnerabilities of Samba Web Administration Tool, in order to create a Cross Site Request Forgery and a Cross Site Scripting.
Impacted products: Debian, Fedora, HP-UX, Mandriva Linux, NLD, OES, openSUSE, Solaris, RHEL, Samba, Slackware, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 27/07/2011.
Identifiers: 8289, 8290, 8347, BID-48899, BID-48901, c03297338, CERTA-2011-AVI-416, CERTA-2011-AVI-493, CERTA-2012-AVI-232, CVE-2011-2522, CVE-2011-2694, DSA-2290-1, FEDORA-2011-10341, FEDORA-2011-10367, HPSBUX02768, MDVSA-2011:121, openSUSE-SU-2011:0998-1, RHSA-2011:1219-01, RHSA-2011:1220-01, RHSA-2011:1221-01, SSA:2011-210-03, SSRT100664, SUSE-SU-2011:0981-1, SUSE-SU-2011:0999-1, SUSE-SU-2011:1001-1, SUSE-SU-2011:1002-1, VIGILANCE-VUL-10871.

Description of the vulnerability

The Samba server can be administered via the SWAT (Samba Web Administration Tool) web interface, which is not enabled by default. Two vulnerabilities impact SWAT.

The SWAT web site does not use session tokens. When an administrator is connected to SWAT, an attacker can thus invite him to display an HTML page containing images with special URLs. When the images are loaded, these URLs perform administration operations. As SWAT does not check whether these requests belong to the administrator's session, the administration operations are directly carried out. [severity:2/4; 8290, BID-48899, CERTA-2011-AVI-416, CERTA-2012-AVI-232, CVE-2011-2522]

The SWAT web site uses the SWAT_USER ("username") variable to indicate the name of the current user. The chg_passwd() function of the source/web/swat.c file changes the password of the user. However, this function directly displays the user name stored in the SWAT_USER variable without encoding it. If a user name given as parameter contains JavaScript code, the generated HTML page thus also contains this JavaScript code. [severity:2/4; 8289, BID-48901, CVE-2011-2694]

An attacker can therefore use two vulnerabilities of Samba Web Administration Tool, in order to create a Cross Site Request Forgery and a Cross Site Scripting.