The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of MicroFocus openSUSE Leap

vulnerability bulletin CVE-2016-1241 CVE-2016-1242

Tryton: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Tryton.
Impacted products: Debian, openSUSE Leap.
Severity: 2/4.
Creation date: 31/08/2016.
Identifiers: CVE-2016-1241, CVE-2016-1242, DSA-3656-1, openSUSE-SU-2017:0009-1, VIGILANCE-VUL-20493.

Description of the vulnerability

Several vulnerabilities were announced in Tryton.

An attacker can bypass security features of Password Hashes, in order to obtain sensitive information. [severity:2/4; CVE-2016-1241]

An attacker can bypass security features of File Contents, in order to obtain sensitive information. [severity:2/4; CVE-2016-1242]
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability announce CVE-2016-7116

QEMU: directory traversal via 9pfs

Synthesis of the vulnerability

An attacker, in a guest system, can traverse directories via 9pfs of QEMU, in order to read a file on the host system.
Impacted products: Debian, Fedora, openSUSE Leap, QEMU, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 30/08/2016.
Identifiers: CVE-2016-7116, DLA-618-1, DLA-619-1, FEDORA-2016-4c407cd849, FEDORA-2016-689f240960, openSUSE-SU-2016:2642-1, SUSE-SU-2016:2589-1, USN-3125-1, VIGILANCE-VUL-20487.

Description of the vulnerability

The QEMU product can share files via 9pfs (Plan 9 File System).

However, user's data are directly inserted in an access path. Sequences such as "/.." can thus be used to go in the upper directory.

An attacker, in a guest system, can therefore traverse directories via 9pfs of QEMU, in order to read a file on the host system.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability note CVE-2016-7097

Linux kernel: privilege escalation via setxattr

Synthesis of the vulnerability

A local attacker can use setxattr() on the Linux kernel, in order to escalate his privileges.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Android OS, Linux, openSUSE, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 26/08/2016.
Identifiers: CERTFR-2016-AVI-393, CERTFR-2016-AVI-426, CERTFR-2017-AVI-001, CERTFR-2017-AVI-034, CERTFR-2017-AVI-053, CERTFR-2017-AVI-054, CERTFR-2017-AVI-131, CERTFR-2017-AVI-287, CERTFR-2017-AVI-307, CVE-2016-7097, DLA-772-1, FEDORA-2017-6cc158c193, FEDORA-2017-81fbd592d4, K31603170, openSUSE-SU-2016:3021-1, openSUSE-SU-2016:3058-1, RHSA-2017:0817-01, RHSA-2017:1842-01, RHSA-2017:2077-01, RHSA-2017:2669-01, SUSE-SU-2016:2912-1, SUSE-SU-2016:2976-1, SUSE-SU-2016:3304-1, SUSE-SU-2017:0333-1, SUSE-SU-2017:0471-1, SUSE-SU-2017:0494-1, SUSE-SU-2017:1102-1, USN-3146-1, USN-3146-2, USN-3147-1, USN-3161-1, USN-3161-2, USN-3161-3, USN-3161-4, USN-3162-1, USN-3162-2, USN-3422-1, USN-3422-2, VIGILANCE-VUL-20479.

Description of the vulnerability

The Linux kernel implements the setxattr() system call, which is used to set extended attributes.

However, if setxattr() is called to set a POSIX ACL, and if the user is not privileged, the sgid bit is not reset.

A local attacker can therefore use setxattr() on the Linux kernel, in order to escalate his privileges.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability bulletin CVE-2016-2183 CVE-2016-6329

Blowfish, Triple-DES: algorithms too weak, SWEET32

Synthesis of the vulnerability

An attacker can create a TLS/VPN session with a Blowfish/Triple-DES algorithm, and perform a two days attack, in order to decrypt data.
Impacted products: Avaya Ethernet Routing Switch, Blue Coat CAS, ProxySG par Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco Aironet, Cisco ATA, Cisco AnyConnect Secure Mobility Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco WSA, Cisco Wireless Controller, Debian, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiGate, FortiGate Virtual Appliance, FortiOS, FreeRADIUS, hMailServer, HPE BSM, LoadRunner, Performance Center, Real User Monitoring, SiteScope, HP Switch, HP-UX, AIX, DB2 UDB, Informix Server, IRAD, Security Directory Server, Tivoli Directory Server, Tivoli Storage Manager, Tivoli System Automation, WebSphere MQ, Junos Space, McAfee Email Gateway, ePO, Data ONTAP, Snap Creator Framework, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Oracle DB, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Oracle OIT, Solaris, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, SSL protocol, Pulse Connect Secure, Pulse Secure Client, Pulse Secure SBR, RHEL, JBoss EAP by Red Hat, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Grid Manager, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Nessus, Ubuntu, WindRiver Linux.
Severity: 1/4.
Creation date: 25/08/2016.
Identifiers: 1610582, 1991866, 1991867, 1991870, 1991871, 1991875, 1991876, 1991878, 1991880, 1991882, 1991884, 1991885, 1991886, 1991887, 1991889, 1991892, 1991894, 1991896, 1991902, 1991903, 1991951, 1991955, 1991959, 1991960, 1991961, 1992681, 1993777, 1994375, 1995099, 1995922, 1998797, 1999054, 1999421, 2000209, 2000212, 2000370, 2000544, 2001608, 2002021, 2002335, 2002336, 2002479, 2002537, 2002870, 2002897, 2002991, 2003145, 2003480, 2003620, 2003673, 2004036, 2008828, 9010102, bulletinapr2017, c05349499, c05369403, c05369415, c05390849, CERTFR-2017-AVI-012, cisco-sa-20160927-openssl, cpuapr2017, cpujan2018, cpujul2017, cpuoct2017, CVE-2016-2183, CVE-2016-6329, DSA-3673-1, DSA-3673-2, FEDORA-2016-7810e24465, FEDORA-2016-dc2cb4ad6b, FG-IR-16-047, FG-IR-16-048, FG-IR-16-050, FG-IR-17-127, HPESBGN03697, HPESBGN03765, HPESBUX03725, HPSBGN03690, HPSBGN03694, HPSBHF03674, java_jan2017_advisory, JSA10770, NTAP-20160915-0001, openSUSE-SU-2016:2199-1, openSUSE-SU-2016:2391-1, openSUSE-SU-2016:2407-1, openSUSE-SU-2016:2496-1, openSUSE-SU-2016:2537-1, openSUSE-SU-2017:1638-1, RHSA-2017:0336-01, RHSA-2017:0337-01, RHSA-2017:0338-01, RHSA-2017:3113-01, RHSA-2017:3114-01, RHSA-2017:3239-01, RHSA-2017:3240-01, SA133, SA40312, SB10171, SB10186, SB10197, SB10215, SOL13167034, SP-CAAAPUE, SPL-129207, SSA:2016-266-01, SSA:2016-363-01, SUSE-SU-2016:2387-1, SUSE-SU-2016:2394-1, SUSE-SU-2016:2458-1, SUSE-SU-2016:2468-1, SUSE-SU-2016:2469-1, SUSE-SU-2016:2470-1, SUSE-SU-2016:2470-2, SUSE-SU-2017:1444-1, SUSE-SU-2017:2838-1, SUSE-SU-2017:3177-1, SWEET32, TNS-2016-16, USN-3087-1, USN-3087-2, USN-3270-1, USN-3339-1, USN-3339-2, USN-3372-1, VIGILANCE-VUL-20473.

Description of the vulnerability

The Blowfish and Triple-DES symetric encryption algorithms use 64 bit blocks.

However, if they are used in CBC mode, a collision occurs after 785 GB transferred, and it is then possible to decrypt blocks with an attack lasting two days.

An attacker can therefore create a TLS/VPN session with a Blowfish/Triple-DES algorithm, and perform a two days attack, in order to decrypt data.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability CVE-2016-2182

OpenSSL: memory corruption via BN_bn2dec

Synthesis of the vulnerability

An attacker can generate a memory corruption via BN_bn2dec() of OpenSSL, in order to trigger a denial of service, and possibly to run code.
Impacted products: Blue Coat CAS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco Aironet, Cisco ATA, Cisco AnyConnect Secure Mobility Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco WSA, Cisco Wireless Controller, Debian, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiGate, FortiGate Virtual Appliance, FortiOS, FreeBSD, FreeRADIUS, Android OS, hMailServer, AIX, DB2 UDB, QRadar SIEM, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, JUNOS, Junos Space, NSM Central Manager, NSMXpress, McAfee Email Gateway, ePO, NetScreen Firewall, ScreenOS, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Oracle Directory Server, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Solaris, Tuxedo, WebLogic, Oracle Web Tier, pfSense, Pulse Connect Secure, Pulse Secure Client, Pulse Secure SBR, RHEL, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Grid Manager, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Nessus, Ubuntu, WindRiver Linux.
Severity: 2/4.
Creation date: 24/08/2016.
Identifiers: 1996096, 1999395, 1999421, 1999474, 1999478, 1999479, 1999488, 1999532, 2000095, 2000209, 2002870, 2003480, 2003620, 2003673, 2008828, bulletinapr2017, bulletinjul2016, CERTFR-2016-AVI-333, cisco-sa-20160927-openssl, cpuapr2017, cpujan2018, cpuoct2017, CVE-2016-2182, DLA-637-1, DSA-3673-1, DSA-3673-2, FEDORA-2016-97454404fe, FEDORA-2016-a555159613, FG-IR-16-047, FG-IR-16-048, FG-IR-16-050, FG-IR-17-127, FreeBSD-SA-16:26.openssl, JSA10759, K01276005, openSUSE-SU-2016:2391-1, openSUSE-SU-2016:2407-1, openSUSE-SU-2016:2537-1, RHSA-2016:1940-01, SA132, SA40312, SB10171, SB10215, SOL01276005, SP-CAAAPUE, SPL-129207, SSA:2016-266-01, SUSE-SU-2016:2387-1, SUSE-SU-2016:2394-1, SUSE-SU-2016:2458-1, SUSE-SU-2016:2468-1, SUSE-SU-2016:2469-1, TNS-2016-16, USN-3087-1, USN-3087-2, VIGILANCE-VUL-20460.

Description of the vulnerability

The OpenSSL library works on large numbers to perform operations such are RSA.

The BN_bn2dec() function converts a large number to its decimal representation. However, a special number forces BN_div_word() to return a limit value, then data are written after the end of the memory area.

An attacker can therefore generate a memory corruption via BN_bn2dec() of OpenSSL, in order to trigger a denial of service, and possibly to run code.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability bulletin CVE-2016-2181

OpenSSL: denial of service via DTLS Window

Synthesis of the vulnerability

An attacker can send a DTLS packet with a large sequence number to an application compiled with OpenSSL, in order to trigger a denial of service.
Impacted products: Blue Coat CAS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco Aironet, Cisco ATA, Cisco AnyConnect Secure Mobility Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco WSA, Cisco Wireless Controller, Debian, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiGate, FortiGate Virtual Appliance, FortiOS, FreeBSD, FreeRADIUS, hMailServer, AIX, QRadar SIEM, Tivoli Storage Manager, Tivoli Workload Scheduler, Juniper J-Series, JUNOS, Junos Space, NSM Central Manager, NSMXpress, McAfee Email Gateway, NetScreen Firewall, ScreenOS, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Oracle Directory Server, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Solaris, Tuxedo, WebLogic, Oracle Web Tier, pfSense, RHEL, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Grid Manager, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Nessus, Ubuntu, WindRiver Linux.
Severity: 2/4.
Creation date: 24/08/2016.
Identifiers: 1996096, 1999395, 1999474, 1999478, 1999479, 1999488, 1999532, 2000095, 2003480, 2003620, 2003673, bulletinapr2017, bulletinjul2016, CERTFR-2016-AVI-333, cisco-sa-20160927-openssl, cpuapr2017, cpujan2018, cpuoct2017, CVE-2016-2181, DLA-637-1, DSA-3673-1, DSA-3673-2, FEDORA-2016-97454404fe, FEDORA-2016-a555159613, FG-IR-16-047, FG-IR-16-048, FG-IR-17-127, FreeBSD-SA-16:26.openssl, JSA10759, openSUSE-SU-2016:2391-1, openSUSE-SU-2016:2407-1, openSUSE-SU-2016:2537-1, RHSA-2016:1940-01, SA132, SB10215, SOL59298921, SP-CAAAPUE, SPL-129207, SSA:2016-266-01, SUSE-SU-2016:2387-1, SUSE-SU-2016:2394-1, SUSE-SU-2016:2458-1, SUSE-SU-2016:2468-1, SUSE-SU-2016:2469-1, TNS-2016-16, USN-3087-1, USN-3087-2, VIGILANCE-VUL-20458.

Description of the vulnerability

The OpenSSL library implements DTLS (Datagram Transport Layer Security, for example on UDP).

In order to manage replays, OpenSSL uses a sliding window containing accepted sequence numbers. However, if an attacker sends a packet with a large sequence number, the window is moved, and legitimate packets thus have numbers before the beginning of the window, and are rejected.

An attacker can therefore send a DTLS packet with a large sequence number to an application compiled with OpenSSL, in order to trigger a denial of service.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability announce CVE-2016-2179

OpenSSL: denial of service via DTLS Reassembly

Synthesis of the vulnerability

An attacker can send DTLS packets in the wrong order with missing packets to an application compiled with OpenSSL, in order to trigger a denial of service.
Impacted products: Blue Coat CAS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco Aironet, Cisco ATA, Cisco AnyConnect Secure Mobility Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco WSA, Cisco Wireless Controller, Debian, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiGate, FortiGate Virtual Appliance, FortiOS, FreeBSD, FreeRADIUS, hMailServer, AIX, QRadar SIEM, Tivoli Storage Manager, Tivoli Workload Scheduler, Juniper J-Series, JUNOS, Junos Space, NSM Central Manager, NSMXpress, McAfee Email Gateway, NetScreen Firewall, ScreenOS, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Oracle Directory Server, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Solaris, Tuxedo, WebLogic, Oracle Web Tier, pfSense, RHEL, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Grid Manager, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Nessus, Ubuntu, WindRiver Linux.
Severity: 2/4.
Creation date: 24/08/2016.
Identifiers: 1996096, 1999395, 1999474, 1999478, 1999479, 1999488, 1999532, 2000095, 2003480, 2003620, 2003673, bulletinapr2017, bulletinjul2016, CERTFR-2016-AVI-333, cisco-sa-20160927-openssl, cpuapr2017, cpujan2018, cpuoct2017, CVE-2016-2179, DLA-637-1, DSA-3673-1, DSA-3673-2, FEDORA-2016-97454404fe, FEDORA-2016-a555159613, FG-IR-16-047, FG-IR-16-048, FG-IR-16-050, FG-IR-17-127, FreeBSD-SA-16:26.openssl, JSA10759, openSUSE-SU-2016:2391-1, openSUSE-SU-2016:2407-1, openSUSE-SU-2016:2537-1, RHSA-2016:1940-01, SA132, SB10215, SOL23512141, SP-CAAAPUE, SPL-129207, SSA:2016-266-01, SUSE-SU-2016:2387-1, SUSE-SU-2016:2394-1, SUSE-SU-2016:2458-1, SUSE-SU-2016:2468-1, SUSE-SU-2016:2469-1, TNS-2016-16, USN-3087-1, USN-3087-2, VIGILANCE-VUL-20457.

Description of the vulnerability

The OpenSSL library implements DTLS (Datagram Transport Layer Security, for example on UDP).

DTLS packets can be in the wrong order. OpenSSL has to keep them in memory, in order to reassemble them. However, in two cases, message queues are not cleared.

An attacker can therefore send DTLS packets in the wrong order with missing packets to an application compiled with OpenSSL, in order to trigger a denial of service.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability note CVE-2016-6888

QEMU: NULL pointer dereference via VMXNET3

Synthesis of the vulnerability

An attacker, who is administrator in a guest system, can force a NULL pointer to be dereferenced via VMXNET3 of QEMU, in order to trigger a denial of service on the host system.
Impacted products: openSUSE, openSUSE Leap, QEMU, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 19/08/2016.
Identifiers: CVE-2016-6888, openSUSE-SU-2016:2494-1, openSUSE-SU-2016:2497-1, openSUSE-SU-2016:2642-1, RHSA-2017:2392-01, SUSE-SU-2016:2473-1, SUSE-SU-2016:2507-1, SUSE-SU-2016:2533-1, SUSE-SU-2016:2589-1, USN-3125-1, VIGILANCE-VUL-20439.

Description of the vulnerability

The QEMU product supports VMWARE VMXNET3 devices.

However, an integer overflow in the net_tx_pkt_init() function leads to the usage of the memory at address zero.

An attacker, who is administrator in a guest system, can therefore force a NULL pointer to be dereferenced via VMXNET3 of QEMU, in order to trigger a denial of service on the host system.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability alert CVE-2016-7124 CVE-2016-7125 CVE-2016-7126

PHP 5: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP 5.
Impacted products: Debian, BIG-IP Hardware, TMOS, openSUSE, openSUSE Leap, PHP, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu.
Severity: 3/4.
Creation date: 19/08/2016.
Identifiers: 70436, 71894, 72024, 72142, 72627, 72663, 72681, 72697, 72708, 72710, 72730, 72749, 72750, 72771, 72790, 72799, 72807, 72836, 72837, 72838, 72848, 72849, 72850, CVE-2016-7124, CVE-2016-7125, CVE-2016-7126, CVE-2016-7127, CVE-2016-7128, CVE-2016-7129, CVE-2016-7130, CVE-2016-7131, CVE-2016-7132, DLA-749-1, DSA-3689-1, K54308010, openSUSE-SU-2016:2337-1, openSUSE-SU-2016:2451-1, RHSA-2016:2750-01, SOL35232053, SOL54308010, SSA:2016-252-01, SUSE-SU-2016:2328-1, SUSE-SU-2016:2408-1, SUSE-SU-2016:2459-1, SUSE-SU-2016:2460-1, SUSE-SU-2016:2460-2, SUSE-SU-2016:2683-1, SUSE-SU-2016:2683-2, USN-3095-1, VIGILANCE-VUL-20436.

Description of the vulnerability

Several vulnerabilities were announced in PHP 5.

An attacker can generate an integer overflow via bzdecompress, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 72837]

An attacker can force the usage of a freed memory area via unserialize, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 70436]

An attacker can create a memory leak via microtime, in order to trigger a denial of service. [severity:1/4; 72024]

An attacker can inject data in PHP Session. [severity:2/4; 72681, CVE-2016-7125]

An attacker can generate a buffer overflow via zif_cal_from_jd, in order to trigger a denial of service, and possibly to run code. [severity:2/4; 71894]

An attacker can generate an integer overflow via curl_escape, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 72807]

An attacker can generate an integer overflow via sql_regcase, in order to trigger a denial of service, and possibly to run code. [severity:2/4; 72838]

An attacker can create a memory leak via exif_process_IFD_in_TIFF, in order to trigger a denial of service. [severity:1/4; 72627, CVE-2016-7128]

An attacker can generate a buffer overflow via mb_ereg, in order to trigger a denial of service, and possibly to run code. [severity:2/4; 72710]

An attacker can generate an integer overflow via php_snmp_parse_oid, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 72708]

An attacker can generate an integer overflow via base64_decode, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 72836]

An attacker can generate an integer overflow via quoted_printable_encode, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 72848]

An attacker can generate an integer overflow via urlencode, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 72849]

An attacker can generate an integer overflow via php_uuencode, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 72850]

An attacker can use a Protocol Downgrade on ftps://, in order to read or alter data. [severity:2/4; 72771]

An attacker can generate a memory corruption via wddx_serialize_value, in order to trigger a denial of service, and possibly to run code. [severity:2/4; 72142]

An attacker can force a read at an invalid address via wddx_deserialize, in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; 72749, CVE-2016-7129]

An attacker can force a NULL pointer to be dereferenced via wddx_deserialize, in order to trigger a denial of service. [severity:1/4; 72750, 72790, 72799, CVE-2016-7130, CVE-2016-7131, CVE-2016-7132]

An attacker can use a vulnerability via __wakeup(), in order to run code. [severity:2/4; 72663, CVE-2016-7124]

An attacker can generate a buffer overflow via select_colors(), in order to trigger a denial of service, and possibly to run code. [severity:2/4; 72697, CVE-2016-7126]

An attacker can generate a buffer overflow via imagegammacorrect(), in order to trigger a denial of service, and possibly to run code. [severity:2/4; 72730, CVE-2016-7127]
Complete Vigil@nce bulletin.... (Free trial)

vulnerability bulletin CVE-2016-6313

GnuPG: predicting 160 bits

Synthesis of the vulnerability

An attacker can use a vulnerability in the pseudo-random generator of GnuPG, in order to predict bits.
Impacted products: Debian, Fedora, GnuPG, Security Directory Server, openSUSE, openSUSE Leap, Solaris, RHEL, Slackware, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 18/08/2016.
Identifiers: 2000347, bulletinoct2017, CVE-2016-6313, CVE-2016-6316-ERROR, DLA-600-1, DLA-602-1, DSA-3649-1, DSA-3650-1, FEDORA-2016-2b4ecfa79f, FEDORA-2016-3a0195918f, FEDORA-2016-81aab0aff9, FEDORA-2016-9864953aa3, openSUSE-SU-2016:2208-1, openSUSE-SU-2016:2423-1, RHSA-2016:2674-01, SSA:2016-236-01, SSA:2016-236-02, USN-3064-1, USN-3065-1, VIGILANCE-VUL-20413.

Description of the vulnerability

The GnuPG/Libgcrypt product uses a pseudo-random generator to generate series of bits, used by keys.

However, an attacker who can read 4640 successive bits can predict the 160 next bits.

Existing RSA keys are not weakened. Existing DSA / ElGamal keys should not be weakened. The editor thus recommends to not revoke existing keys.

An attacker can therefore use a vulnerability in the pseudo-random generator of GnuPG, in order to predict bits.
Complete Vigil@nce bulletin.... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about MicroFocus openSUSE Leap: