The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Micro Focus Performance Center

vulnerability CVE-2015-0235

glibc: buffer overflow of gethostbyname, GHOST

Synthesis of the vulnerability

An attacker can, for example, send an email containing a long IPv4 address, which forces the mail server to resolve it and triggers a buffer overflow in the glibc gethostbyname() function, in order to cause a denial of service and possibly execute code. Several programs that use gethostbyname() are vulnerable through a similar attack vector.
Impacted products: Arkoon FAST360, GAiA, CheckPoint IP Appliance, Provider-1, SecurePlatform, CheckPoint Security Gateway, CheckPoint VSX-1, Cisco ASR, Cisco Catalyst, IOS XE Cisco, IOS XR Cisco, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco CUCM, XenServer, Clearswift Email Gateway, Debian, Unisphere EMC, VNX Operating Environment, VNX Series, Exim, BIG-IP Hardware, TMOS, HPE BSM, HP Operations, Performance Center, Junos Space, McAfee Email and Web Security, McAfee Email Gateway, McAfee MOVE AntiVirus, McAfee NSP, McAfee NTBA, McAfee NGFW, VirusScan, McAfee Web Gateway, openSUSE, Oracle Communications, Palo Alto Firewall PA***, PAN-OS, PHP, HDX, RealPresence Collaboration Server, RealPresence Distributed Media Application, RealPresence Resource Manager, Polycom VBP, RHEL, SIMATIC, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Ubuntu, Unix (platform) ~ not comprehensive, WordPress Core.
Severity: 4/4.
Consequences: user access/rights, denial of service on client.
Provenance: internet server.
Creation date: 27/01/2015.
Revision date: 27/01/2015.
Identifiers: 198850, 199399, c04577814, c04589512, CERTFR-2015-AVI-043, cisco-sa-20150128-ghost, cpujul2015, cpujul2017, cpuoct2016, cpuoct2017, cpuoct2018, CTX200437, CVE-2015-0235, DSA-3142-1, ESA-2015-030, ESA-2015-041, GHOST, HPSBGN03270, HPSBGN03285, JSA10671, K16057, KM01391662, MDVSA-2015:039, openSUSE-SU-2015:0162-1, openSUSE-SU-2015:0184-1, PAN-SA-2015-0002, RHSA-2015:0090-01, RHSA-2015:0092-01, RHSA-2015:0099-01, RHSA-2015:0101-01, RHSA-2015:0126-01, SB10100, sk104443, SOL16057, SSA:2015-028-01, SSA-994726, SUSE-SU-2015:0158-1, USN-2485-1, VIGILANCE-VUL-16060, VU#967332.

Description of the vulnerability

The glibc library provides two functions to obtain the IP address of a server from its DNS name:
  struct hostent *gethostbyname(const char *name);
  struct hostent *gethostbyname2(const char *name, int af);

For example:
  he = gethostbyname("www.example.com");

These functions also accept an IP address directly:
  he = gethostbyname("192.168.1.1");

However, a malformed IPv4 address that is too long, such as 192.168.111111.1 (more than 1024 bytes long), triggers an overflow in the __nss_hostname_digits_dots() function.

An attacker can therefore, for example, send an email containing a long IPv4 address, forcing the mail server to resolve it and triggering a buffer overflow in the glibc gethostbyname() function, in order to cause a denial of service and possibly execute code.

Several programs that use gethostbyname() are vulnerable through a similar attack vector (exim, php, pppd, procmail). The following programs are apparently not vulnerable: apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql, nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd, pure-ftpd, rsyslog, samba, sendmail, squid, sysklogd, syslog-ng, tcp_wrappers, vsftpd, xinetd.
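The mitigation a program that still calls the resolver can apply on its own side is to refuse host-name strings that no legitimate input can have before they reach the C library, and to use getaddrinfo(), the POSIX replacement for the obsolete gethostbyname()/gethostbyname2(). The following is an added example written for this page, not code from glibc or from any of the products listed above; the hostname_is_sane() and safe_resolve_ipv4() names, the 253/63-character limits (RFC 1035 presentation form) and the padded test address are the example's own constructions.

```c
#include <ctype.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define MAX_HOSTNAME_LEN 253   /* RFC 1035 presentation-form limit */
#define MAX_LABEL_LEN     63   /* longest single label */

/* Reject names that no legitimate resolver input can have, before the
   string ever reaches the C library. The over-long numeric "address"
   described in the bulletin fails here twice: one label exceeds 63
   characters and the whole string exceeds 253. Returns 1 if acceptable. */
int hostname_is_sane(const char *name)
{
    size_t len = strlen(name);
    size_t label = 0;
    if (len == 0 || len > MAX_HOSTNAME_LEN)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label == 0 || label > MAX_LABEL_LEN)
                return 0;          /* empty or over-long label */
            label = 0;
            continue;
        }
        if (!isalnum(c) && c != '-')
            return 0;              /* outside the letters-digits-hyphen rule */
        label++;
    }
    return label > 0 && label <= MAX_LABEL_LEN;
}

/* Resolve with getaddrinfo() and write the first IPv4 address as text
   into out. Returns 0 on success, -1 when the name is rejected or
   resolution fails. */
int safe_resolve_ipv4(const char *name, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    if (!hostname_is_sane(name))
        return -1;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(name, NULL, &hints, &res) != 0 || res == NULL)
        return -1;
    struct sockaddr_in *sin = (struct sockaddr_in *)res->ai_addr;
    const char *ok = inet_ntop(AF_INET, &sin->sin_addr, out, (socklen_t)outlen);
    freeaddrinfo(res);
    return ok ? 0 : -1;
}

/* Constructed test input (not captured data): the shape of address the
   bulletin gives, "192.168.111...111.1", padded past 1024 bytes. */
void make_long_address(char *buf, size_t buflen)
{
    size_t n = (size_t)snprintf(buf, buflen, "%s", "192.168.");
    while (n < buflen - 3)
        buf[n++] = '1';
    buf[n++] = '.';
    buf[n++] = '1';
    buf[n] = '\0';
}

/* Returns 1 when the padded address is rejected by the sanity check. */
int demo_long_address_rejected(void)
{
    char longaddr[1100];
    make_long_address(longaddr, sizeof longaddr);
    return strlen(longaddr) > 1024 && hostname_is_sane(longaddr) == 0;
}

/* Returns 1 when the numeric loopback address still resolves normally
   (a numeric string needs no DNS query, so this runs offline). */
int demo_loopback_resolves(void)
{
    char text[INET_ADDRSTRLEN];
    if (safe_resolve_ipv4("127.0.0.1", text, sizeof text) != 0)
        return 0;
    return strcmp(text, "127.0.0.1") == 0;
}

int main(void)
{
    printf("over-long address rejected: %d\n", demo_long_address_rejected());
    printf("loopback resolves: %d\n", demo_loopback_resolves());
    return 0;
}
```

The length check is deliberately stricter than the resolver needs to be: a string longer than 253 characters cannot be a valid DNS name, so dropping it costs nothing for legitimate traffic and removes the over-long input that the overflow depends on.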
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2014-9322

Linux kernel: privilege escalation via IRET gsbase

Synthesis of the vulnerability

A local attacker can call an IRET on the Linux kernel, in order to escalate his privileges.
Impacted products: BIG-IP Hardware, TMOS, Android OS, HPE BSM, HP Operations, Performance Center, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 16/12/2014.
Identifiers: c04594684, CERTFR-2014-AVI-532, CERTFR-2015-AVI-021, CERTFR-2015-AVI-054, CVE-2014-9322, HPSBGN03282, KM01411792, MDVSA-2015:027, openSUSE-SU-2014:1669-1, openSUSE-SU-2014:1677-1, openSUSE-SU-2014:1678-1, openSUSE-SU-2015:0566-1, RHSA-2014:1997-01, RHSA-2014:1998-01, RHSA-2014:2008-01, RHSA-2014:2009-01, RHSA-2014:2010-01, RHSA-2014:2028-01, RHSA-2014:2029-01, RHSA-2014:2030-01, RHSA-2014:2031-01, RHSA-2015:0009-01, SOL16122, SUSE-SU-2014:1693-1, SUSE-SU-2014:1693-2, SUSE-SU-2014:1695-1, SUSE-SU-2014:1695-2, SUSE-SU-2014:1698-1, SUSE-SU-2015:0068-1, SUSE-SU-2015:0581-1, SUSE-SU-2015:0736-1, SUSE-SU-2015:0812-1, USN-2464-1, USN-2491-1, VIGILANCE-VUL-15815.

Description of the vulnerability

On an Intel processor, when an interrupt or exception occurs (for example a system call via int 0x80), the current context (the CS and EIP/RIP registers, and the flags) is saved. At the end of the interrupt or exception handler, the IRET instruction restores the saved values so that the interrupted program can continue where it was interrupted:
 - restore the EIP/RIP instruction pointer
 - restore the CS register (privilege switch)
 - restore the flags

However, on a 64-bit processor with a writable kernel stack, after an IRET that triggers a #SS fault, the general_protection() function runs with the kernel and user GS base addresses swapped.

A local attacker can therefore call an IRET on the Linux kernel, in order to escalate his privileges.

computer vulnerability announcement CVE-2014-6324

Windows domain: privilege escalation via Kerberos KDC

Synthesis of the vulnerability

An attacker, who is authenticated on the domain, can create a fake Kerberos ticket for Windows, in order to obtain privileges of the domain administrator.
Impacted products: LoadRunner, Performance Center, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 2012.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user account.
Creation date: 18/11/2014.
Identifiers: 3011780, c04526330, CERTFR-2014-ALE-011, CERTFR-2014-AVI-489, CVE-2014-6324, HPSBMU03224, MS14-068, VIGILANCE-VUL-15667, VU#213119.

Description of the vulnerability

Domain controllers implement the Kerberos KDC (Key Distribution Center) service, which processes authorizations for domain users.

Kerberos tickets are signed. However, the Windows KDC implementation accepts tickets that do not carry a valid signature.

An attacker, who is authenticated on the domain, can therefore create a fake Kerberos ticket for Windows, in order to obtain privileges of the domain administrator.

vulnerability note CVE-2014-3673 CVE-2014-3687 CVE-2014-3688

Linux kernel: multiple vulnerabilities of SCTP

Synthesis of the vulnerability

An attacker can use several vulnerabilities in the SCTP implementation of the Linux kernel.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, HPE BSM, HP Operations, Performance Center, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 28/10/2014.
Identifiers: c04594684, CERTFR-2014-AVI-455, CERTFR-2014-AVI-459, CERTFR-2014-AVI-495, CERTFR-2014-AVI-528, CERTFR-2014-AVI-532, CERTFR-2015-AVI-051, CERTFR-2015-AVI-165, CERTFR-2018-AVI-361, CVE-2014-3673, CVE-2014-3687, CVE-2014-3688, DSA-3060-1, FEDORA-2014-13558, FEDORA-2014-13773, FEDORA-2014-14068, HPSBGN03282, KM01411792, MDVSA-2014:230, MDVSA-2015:027, openSUSE-SU-2014:1677-1, openSUSE-SU-2014:1678-1, openSUSE-SU-2015:0566-1, RHSA-2014:1971-01, RHSA-2014:1997-01, RHSA-2014:2009-01, RHSA-2014:2028-01, RHSA-2014:2030-01, RHSA-2015:0043-01, RHSA-2015:0062-01, RHSA-2015:0115-01, SOL15910, SOL16025, SUSE-SU-2014:1693-1, SUSE-SU-2014:1693-2, SUSE-SU-2014:1695-1, SUSE-SU-2014:1695-2, SUSE-SU-2014:1698-1, SUSE-SU-2015:0068-1, SUSE-SU-2015:0178-1, SUSE-SU-2015:0481-1, SUSE-SU-2015:0529-1, SUSE-SU-2015:0581-1, SUSE-SU-2015:0652-1, SUSE-SU-2015:0736-1, SUSE-SU-2015:0812-1, SUSE-SU-2018:2062-1, USN-2417-1, USN-2418-1, USN-2441-1, USN-2442-1, USN-2445-1, USN-2446-1, USN-2447-1, USN-2447-2, USN-2448-1, USN-2448-2, VIGILANCE-VUL-15554.

Description of the vulnerability

Several vulnerabilities were announced in the Linux kernel.

An attacker can send duplicated packets of type ASCONF to a kernel that bundles fragments in the output queue, in order to trigger a denial of service. [severity:2/4; CVE-2014-3687]

An attacker can send specially crafted ASCONF packets, in order to trigger a denial of service. [severity:2/4; CVE-2014-3673]

An attacker can send a sequence of SCTP fragments, the last of which has an ill-formed header, in order to make the kernel use an excessive amount of memory for the packet queue and thereby trigger a denial of service. [severity:2/4; CVE-2014-3688]

vulnerability bulletin CVE-2014-6410

Linux kernel: infinite loop of __udf_read_inode

Synthesis of the vulnerability

An attacker can mount a UDF file system, to generate deep recursion in __udf_read_inode(), in order to trigger a denial of service of the Linux kernel.
Impacted products: Fedora, HPE BSM, HP Operations, Performance Center, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: user shell.
Creation date: 15/09/2014.
Identifiers: c04594684, CERTFR-2014-AVI-413, CERTFR-2014-AVI-532, CVE-2014-6410, FEDORA-2014-11008, HPSBGN03282, KM01411792, MDVSA-2014:201, openSUSE-SU-2014:1669-1, openSUSE-SU-2014:1677-1, RHSA-2014:1318-01, RHSA-2014:1971-01, RHSA-2014:1997-01, RHSA-2014:2009-01, RHSA-2014:2028-01, RHSA-2014:2030-01, SUSE-SU-2014:1316-1, SUSE-SU-2014:1319-1, USN-2374-1, USN-2375-1, USN-2376-1, USN-2377-1, USN-2378-1, USN-2379-1, VIGILANCE-VUL-15353.

Description of the vulnerability

The Linux kernel supports UDF file systems.

However, the __udf_read_inode() function in the fs/udf/inode.c file does not limit the number of ICBs it follows, which leads to unbounded recursion.

An attacker can therefore mount a UDF file system, to generate deep recursion in __udf_read_inode(), in order to trigger a denial of service of the Linux kernel.

vulnerability announcement CVE-2012-6657

Linux kernel: unreachable memory reading via SO_KEEPALIVE

Synthesis of the vulnerability

An attacker can force a read at an invalid address via SO_KEEPALIVE on the Linux kernel, in order to trigger a denial of service.
Impacted products: BIG-IP Hardware, TMOS, HPE BSM, HP Operations, Performance Center, Linux, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: user shell.
Creation date: 15/09/2014.
Identifiers: c04594684, CERTFR-2014-AVI-532, CERTFR-2015-AVI-165, CVE-2012-6657, HPSBGN03282, KM01411792, RHSA-2014:1997-01, RHSA-2014:2009-01, RHSA-2014:2028-01, RHSA-2014:2030-01, SOL16011, SUSE-SU-2015:0652-1, SUSE-SU-2015:0812-1, VIGILANCE-VUL-15352.

Description of the vulnerability

The setsockopt() function defines options of a socket.

The SO_KEEPALIVE option is used to keep a session active. However, the net/core/sock.c file does not check whether the socket is of type SOCK_STREAM, so the kernel tries to read a memory area that is not reachable, which triggers a fatal error.

An attacker can therefore force a read at an invalid address via SO_KEEPALIVE on the Linux kernel, in order to trigger a denial of service.

vulnerability CVE-2014-5471 CVE-2014-5472

Linux kernel: denial of service via ISOFS

Synthesis of the vulnerability

A local attacker can mount a malicious ISOFS image on the Linux kernel, in order to trigger a denial of service.
Impacted products: Fedora, HPE BSM, HP Operations, Performance Center, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 26/08/2014.
Identifiers: c04594684, CERTFR-2014-AVI-396, CERTFR-2014-AVI-532, CERTFR-2015-AVI-136, CERTFR-2015-AVI-164, CVE-2014-5471, CVE-2014-5472, FEDORA-2014-11008, FEDORA-2014-9959, HPSBGN03282, KM01411792, MDVSA-2014:201, openSUSE-SU-2014:1669-1, openSUSE-SU-2014:1677-1, openSUSE-SU-2015:0566-1, RHSA-2014:1318-01, RHSA-2014:1997-01, RHSA-2014:2009-01, RHSA-2014:2028-01, RHSA-2014:2030-01, RHSA-2015:0102-01, RHSA-2015:0695-01, RHSA-2015:0782-01, RHSA-2015:0803-01, SUSE-SU-2014:1316-1, SUSE-SU-2014:1319-1, SUSE-SU-2015:0481-1, SUSE-SU-2015:0812-1, USN-2354-1, USN-2355-1, USN-2356-1, USN-2357-1, USN-2358-1, USN-2359-1, VIGILANCE-VUL-15230.

Description of the vulnerability

An ISOFS image contains a filesystem, which can be mounted by the Linux kernel.

However, when the ISOFS image relocates a directory, an infinite recursion occurs in the parse_rock_ridge_inode_internal() function.

A local attacker can therefore mount a malicious ISOFS image on the Linux kernel, in order to trigger a denial of service.

vulnerability note CVE-2014-0160

OpenSSL: information disclosure via Heartbeat

Synthesis of the vulnerability

An attacker can use the Heartbeat protocol on an application compiled with OpenSSL, in order to obtain sensitive information, such as keys stored in memory.
Impacted products: Tomcat, ArubaOS, i-Suite, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, ARCserve Backup, ASA, Cisco Catalyst, IOS XE Cisco, Prime Infrastructure, Cisco PRSM, Cisco Router, Cisco CUCM, Cisco IP Phone, Cisco Unity ~ precise, XenDesktop, Clearswift Email Gateway, Clearswift Web Gateway, Debian, ECC, PowerPath, ArcGIS ArcView, ArcGIS for Desktop, ArcGIS for Server, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FortiClient, FortiGate, FortiGate Virtual Appliance, FortiOS, FreeBSD, HP Diagnostics, LoadRunner, Performance Center, AIX, WebSphere MQ, IVE OS, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper SA, Juniper UAC, LibreOffice, McAfee Email Gateway, ePO, GroupShield, McAfee NGFW, VirusScan, McAfee Web Gateway, Windows 8, Windows RT, MySQL Enterprise, NetBSD, OpenBSD, OpenSSL, openSUSE, Opera, Solaris, pfSense, HDX, RealPresence Collaboration Server, Polycom VBP, Puppet, RHEL, RSA Authentication Manager, SIMATIC, Slackware, Sophos AV, Splunk Enterprise, Stonesoft NGFW/VPN, stunnel, ASE, OfficeScan, Ubuntu, Unix (platform) ~ not comprehensive, ESXi, VMware Player, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, VMware Workstation, Websense Email Security, Websense Web Filter, Websense Web Security.
Severity: 3/4.
Consequences: data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 08/04/2014.
Identifiers: 1669839, 190438, 2076225, 2962393, c04236102, c04267775, c04286049, CA20140413-01, CERTFR-2014-ALE-003, CERTFR-2014-AVI-156, CERTFR-2014-AVI-161, CERTFR-2014-AVI-162, CERTFR-2014-AVI-167, CERTFR-2014-AVI-169, CERTFR-2014-AVI-177, CERTFR-2014-AVI-178, CERTFR-2014-AVI-179, CERTFR-2014-AVI-180, CERTFR-2014-AVI-181, CERTFR-2014-AVI-198, CERTFR-2014-AVI-199, CERTFR-2014-AVI-213, cisco-sa-20140409-heartbleed, CTX140605, CVE-2014-0160, CVE-2014-0346-REJECT, DSA-2896-1, DSA-2896-2, emr_na-c04236102-7, ESA-2014-034, ESA-2014-036, ESA-2014-075, FEDORA-2014-4879, FEDORA-2014-4910, FEDORA-2014-4982, FEDORA-2014-4999, FG-IR-14-011, FreeBSD-SA-14:06.openssl, Heartbleed, HPSBMU02995, HPSBMU03025, HPSBMU03040, ICSA-14-105-03, JSA10623, MDVSA-2014:123, MDVSA-2015:062, NetBSD-SA2014-004, openSUSE-SU-2014:0492-1, openSUSE-SU-2014:0560-1, openSUSE-SU-2014:0719-1, pfSense-SA-14_04.openssl, RHSA-2014:0376-01, RHSA-2014:0377-01, RHSA-2014:0378-01, RHSA-2014:0396-01, RHSA-2014:0416-01, SA40005, SA79, SB10071, SOL15159, SPL-82696, SSA:2014-098-01, SSA-635659, SSRT101565, USN-2165-1, VIGILANCE-VUL-14534, VMSA-2014-0004, VMSA-2014-0004.1, VMSA-2014-0004.2, VMSA-2014-0004.3, VMSA-2014-0004.6, VMSA-2014-0004.7, VU#720951.

Description of the vulnerability

The Heartbeat extension of TLS (RFC 6520) provides a keep-alive feature, without performing a renegotiation. It exchanges random data in a payload.

Version 1.0.1 of OpenSSL implements Heartbeat, which is enabled by default. The [d]tls1_process_heartbeat() function handles Heartbeat messages. However, it does not check the declared payload length against the data actually received, so it keeps reading past the end of the payload and then sends the whole memory area (up to 64 KB) to the peer (client or server).

An attacker can therefore use the Heartbeat protocol on an application compiled with OpenSSL, in order to obtain sensitive information, such as keys stored in memory.
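To make the missing check concrete, here is an added example of a HeartbeatMessage handler (RFC 6520 framing: one type byte, a two-byte big-endian payload_length, the payload, then at least 16 bytes of padding) that validates the declared length against the record it actually received before copying anything. This is illustration code written for this page, not OpenSSL's [d]tls1_process_heartbeat(); the function and constant names and the constructed records are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3    /* type (1) + payload_length (2) */
#define HB_MIN_PADDING 16   /* RFC 6520 minimum padding after the payload */

/* Parse a HeartbeatRequest carried in a record of rec_len bytes and build
   the matching HeartbeatResponse into out. Returns the response length,
   or 0 when the message must be silently discarded. The check marked (*)
   is the one the bulletin describes as missing: the declared
   payload_length was trusted, so the copy read payload_length bytes from
   the record buffer regardless of how short the record really was. */
size_t heartbeat_build_response(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;                        /* cannot hold header plus padding */
    if (rec[0] != HB_REQUEST)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* (*) The declared payload must fit inside the received record,
       together with the padding the RFC requires after it. */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return 0;

    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    /* Padding is ignored by the peer: zero it rather than echoing
       whatever happens to sit in our buffer. */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return resp_len;
}

/* Constructed records for demonstration (not captured traffic). */

/* Well-formed: declares 4 payload bytes, carries 4, plus 16 padding. */
size_t demo_wellformed(void)
{
    uint8_t rec[HB_HEADER_LEN + 4 + HB_MIN_PADDING] =
        { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return heartbeat_build_response(rec, sizeof rec, out, sizeof out);
}

/* Declares 65535 payload bytes but carries one: must be discarded. */
size_t demo_oversized(void)
{
    static uint8_t out[HB_HEADER_LEN + 65535 + HB_MIN_PADDING];
    uint8_t rec[HB_HEADER_LEN + 1 + HB_MIN_PADDING] =
        { HB_REQUEST, 0xff, 0xff, 'x' };
    return heartbeat_build_response(rec, sizeof rec, out, sizeof out);
}

/* Declared length is honest but the padding is short: also discarded. */
size_t demo_short_padding(void)
{
    uint8_t rec[HB_HEADER_LEN + 4 + 8] =
        { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return heartbeat_build_response(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("well-formed response length: %zu\n", demo_wellformed());
    printf("oversized request response length: %zu\n", demo_oversized());
    printf("short padding response length: %zu\n", demo_short_padding());
    return 0;
}
```

The response is sized from the validated payload_len, so the amount copied can never exceed what the record actually carried; a declaration of 65535 bytes on a 20-byte record is dropped before any memory is touched, which is exactly the case the bulletin describes.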

computer vulnerability alert CVE-2012-3269 CVE-2012-3270

HP Performance Insight: vulnerabilities of Sybase

Synthesis of the vulnerability

When HP Performance Insight uses a Sybase database, an attacker can create a denial of service, delete data, and possibly read/alter data.
Impacted products: Performance Center.
Severity: 3/4.
Consequences: data reading, data creation/edition, data deletion, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 02/11/2012.
Identifiers: BID-56373, c03555488, CERTA-2012-AVI-620, CVE-2012-3269, CVE-2012-3270, HPSBMU02827, SSRT100924, VIGILANCE-VUL-12106.

Description of the vulnerability

Two vulnerabilities were announced when HP Performance Insight uses a Sybase database.

An attacker can use a vulnerability, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; CVE-2012-3270]

An attacker can use a vulnerability, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; CVE-2012-3269]

When HP Performance Insight uses a Sybase database, an attacker can therefore create a denial of service, delete data, and possibly read/alter data.

Note: the HP announcement lists inconsistent consequences.

computer vulnerability note CVE-2012-2019 CVE-2012-2020

HP Operations Agent, Performance Agent: code execution

Synthesis of the vulnerability

A remote attacker can use two vulnerabilities of HP Operations Agent and HP Performance Agent, in order to execute code.
Impacted products: OpenView, OpenView Operations, HP Operations, Performance Center.
Severity: 3/4.
Consequences: privileged access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 10/07/2012.
Revision dates: 13/07/2012, 23/07/2012.
Identifiers: BID-54362, c03397769, CERTA-2012-AVI-374, CVE-2012-2019, CVE-2012-2020, HPSBMU02796, SSRT100594, SSRT100595, VIGILANCE-VUL-11749, ZDI-12-114, ZDI-12-115, ZDI-CAN-1325, ZDI-CAN-1326.

Description of the vulnerability

Two vulnerabilities were announced in HP Operations Agent and HP Performance Agent.

An unauthenticated attacker can send a GET request with a parameter carrying a large integer value for opcode 0x34, in order to trigger a buffer overflow in coda.exe. [severity:3/4; CVE-2012-2019, SSRT100594, ZDI-12-114, ZDI-CAN-1325]

An unauthenticated attacker can send a GET request with a parameter carrying a large integer value for opcode 0x8C, in order to trigger a buffer overflow in coda.exe. [severity:3/4; CVE-2012-2020, SSRT100595, ZDI-12-115, ZDI-CAN-1326]

A remote attacker can therefore use two vulnerabilities of HP Operations/Performance Agent, in order to execute code.