The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of NETASQ

computer vulnerability note 19729

Netasq, Stormshield Network Security: Man-in-the-Middle via NSRPC Client

Synthesis of the vulnerability

An attacker can act as a Man-in-the-Middle via NSRPC on Netasq or Stormshield Network Security, in order to obtain administrator privileges.
Impacted products: SNS, NETASQ.
Severity: 2/4.
Creation date: 30/05/2016.
Identifiers: STORM-2016-001, VIGILANCE-VUL-19729.

Description of the vulnerability

The Netasq and Stormshield Network Security products use the NSRPC client.

However, an attacker can alter the size of NSRPC message, to perform a brute force, to get the administrator password hash.

An attacker can therefore act as a Man-in-the-Middle via NSRPC on Netasq or Stormshield Network Security, in order to obtain administrator privileges.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability announce CVE-2016-2105 CVE-2016-2106 CVE-2016-2107

OpenSSL: six vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenSSL.
Impacted products: SDS, SES, SNS, Tomcat, Mac OS X, StormShield, Blue Coat CAS, ProxyAV, ProxySG par Blue Coat, Cisco ASR, Cisco Aironet, Cisco ATA, Cisco AnyConnect Secure Mobility Client, Cisco ACE, ASA, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Email, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco WSA, Cisco Wireless Controller, XenServer, Debian, PowerPath, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiOS, FreeBSD, Android OS, HP Operations, HP Switch, AIX, IRAD, QRadar SIEM, IBM System x Server, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Copssh, Juniper J-Series, JUNOS, Junos Space, NSM Central Manager, NSMXpress, MariaDB ~ precise, McAfee NSM, Meinberg NTP Server, MySQL Community, MySQL Enterprise, Data ONTAP, NETASQ, NetScreen Firewall, ScreenOS, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Solaris, VirtualBox, WebLogic, Oracle Web Tier, Palo Alto Firewall PA***, PAN-OS, Percona Server, XtraDB Cluster, pfSense, Pulse Connect Secure, Puppet, Python, RHEL, JBoss EAP by Red Hat, SAS Management Console, Shibboleth SP, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Nessus, Ubuntu, WindRiver Linux, VxWorks, WordPress Plugins ~ not comprehensive, X2GoClient.
Severity: 3/4.
Creation date: 03/05/2016.
Identifiers: 1982949, 1985850, 1987779, 1993215, 1995099, 1998797, 2003480, 2003620, 2003673, 510853, 9010083, bulletinapr2016, bulletinapr2017, CERTFR-2016-AVI-151, CERTFR-2016-AVI-153, cisco-sa-20160504-openssl, cpuapr2017, cpujul2016, cpujul2017, cpuoct2016, cpuoct2017, CTX212736, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176, DLA-456-1, DSA-3566-1, ESA-2017-142, FEDORA-2016-05c567df1a, FEDORA-2016-1e39d934ed, FEDORA-2016-e1234b65a2, FG-IR-16-026, FreeBSD-SA-16:17.openssl, HPESBGN03728, HPESBHF03756, HT206903, JSA10759, K23230229, K36488941, K51920288, K75152412, K93600123, MBGSA-1603, MIGR-5099595, MIGR-5099597, NTAP-20160504-0001, openSUSE-SU-2016:1237-1, openSUSE-SU-2016:1238-1, openSUSE-SU-2016:1239-1, openSUSE-SU-2016:1240-1, openSUSE-SU-2016:1241-1, openSUSE-SU-2016:1242-1, openSUSE-SU-2016:1243-1, openSUSE-SU-2016:1273-1, openSUSE-SU-2016:1566-1, openSUSE-SU-2017:0487-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2016:0722-01, RHSA-2016:0996-01, RHSA-2016:1137-01, RHSA-2016:1648-01, RHSA-2016:1649-01, RHSA-2016:1650-01, RHSA-2016:2054-01, RHSA-2016:2055-01, RHSA-2016:2056-01, RHSA-2016:2073-01, SA123, SA40202, SB10160, SOL23230229, SOL36488941, SOL51920288, SOL75152412, SP-CAAAPPQ, SPL-119440, SPL-121159, SPL-123095, SSA:2016-124-01, STORM-2016-002, SUSE-SU-2016:1206-1, SUSE-SU-2016:1228-1, SUSE-SU-2016:1231-1, SUSE-SU-2016:1233-1, SUSE-SU-2016:1267-1, SUSE-SU-2016:1290-1, SUSE-SU-2016:1360-1, TNS-2016-10, USN-2959-1, VIGILANCE-VUL-19512, VN-2016-006, VN-2016-007.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

An attacker can act as a Man-in-the-Middle and use the AES CBC algorithm with a server supporting AES-NI, in order to read or write data in the session. This vulnerability was initially fixed in versions 1.0.1o and 1.0.2c, but it was not disclosed at that time. [severity:3/4; CVE-2016-2108]

An attacker can act as a Man-in-the-Middle and use the AES CBC algorithm with a server supporting AES-NI, in order to read or write data in the session. [severity:3/4; CVE-2016-2107]

An attacker can generate a buffer overflow in EVP_EncodeUpdate(), which is mainly used by command line applications, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-2105]

An attacker can generate a buffer overflow in EVP_EncryptUpdate(), which is difficult to reach, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-2106]

An attacker can trigger an excessive memory usage in d2i_CMS_bio(), in order to trigger a denial of service. [severity:2/4; CVE-2016-2109]

An attacker can force a read at an invalid address in applications using X509_NAME_oneline(), in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; CVE-2016-2176]
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability announce CVE-2015-8605

ISC DHCP: buffer overflow of decode_udp_ip_header

Synthesis of the vulnerability

An attacker can generate a buffer overflow by sending an IPv4+UDP packet to an ISC DHCP client or server, in order to trigger a denial of service, and possibly to run code.
Impacted products: SNS, ArubaOS, Debian, BIG-IP Hardware, TMOS, Fedora, ISC DHCP, NETASQ, openSUSE, openSUSE Leap, Slackware, Ubuntu.
Severity: 3/4.
Creation date: 13/01/2016.
Identifiers: AA-01334, ARUBA-PSA-2016-007, CERTFR-2016-AVI-167, CVE-2015-8605, DSA-3442-1, FEDORA-2016-0c5bb21bf1, FEDORA-2016-adb533a418, openSUSE-SU-2016:0601-1, openSUSE-SU-2016:0610-1, SOL57500018, SSA:2016-012-01, STORM-2015-018, USN-2868-1, VIGILANCE-VUL-18707.

Description of the vulnerability

The DHCP protocol uses UDP packets.

The decode_udp_ip_header() function of the common/packet.c file of ISC DHCP decodes these UDP packets. However, if the size indicated in the IPv4 header for UDP data is too large, an overflow occurs.

An attacker can therefore generate a buffer overflow by sending an IPv4+UDP packet to an ISC DHCP client or server, in order to trigger a denial of service, and possibly to run code.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability announce 18687

Netasq, Stormshield Network Security: Cross Site Scripting of Certificate

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in Netasq and Stormshield Network Security, in order to run JavaScript code in the context of the web site.
Impacted products: SNS, NETASQ.
Severity: 2/4.
Creation date: 12/01/2016.
Identifiers: STORM-2015-015, VIGILANCE-VUL-18687.

Description of the vulnerability

The Netasq or Stormshield Network Security product offers a web service.

However, it does not filter received data from the X.509 certificate before inserting them in generated HTML documents on the proxy error page.

An attacker can therefore trigger a Cross Site Scripting in Netasq and Stormshield Network Security, in order to run JavaScript code in the context of the web site.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability CVE-2015-3194

OpenSSL: NULL pointer dereference via Certificate Verification

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced during the certificate verification of OpenSSL (in client or server mode), in order to trigger a denial of service.
Impacted products: SES, SNS, Tomcat, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Brocade vTM, Cisco ASR, Cisco ATA, Cisco AnyConnect Secure Mobility Client, ASA, AsyncOS, Cisco Content SMA, Cisco ESA, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco PRSM, Secure ACS, Cisco CUCM, Cisco MeetingPlace, Cisco WSA, Cisco Wireless Controller, Debian, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiGate, FortiGate Virtual Appliance, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, HP Switch, AIX, IRAD, QRadar SIEM, Tivoli Storage Manager, WebSphere MQ, IVE OS, Juniper J-Series, JUNOS, Junos Space, MAG Series by Juniper, NSM Central Manager, NSMXpress, Juniper SA, Juniper SBR, MariaDB ~ precise, McAfee Email Gateway, MySQL Enterprise, Data ONTAP, NETASQ, NetScreen Firewall, ScreenOS, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, pfSense, Pulse Connect Secure, MAG Series by Pulse Secure, Pulse Secure SBR, Puppet, RHEL, Slackware, stunnel, Synology DS***, Synology RS***, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 03/12/2015.
Identifiers: 1972951, 1976113, 1976148, 1985739, 1986593, 2003480, 2003620, 2003673, 9010051, BSA-2016-006, bulletinjan2016, c05398322, CERTFR-2015-AVI-517, cisco-sa-20151204-openssl, cpuoct2017, CVE-2015-3194, DSA-3413-1, FEDORA-2015-605de37b7f, FEDORA-2015-d87d60b9a9, FreeBSD-SA-15:26.openssl, HPESBHF03709, JSA10759, NTAP-20151207-0001, openSUSE-SU-2015:2288-1, openSUSE-SU-2015:2289-1, openSUSE-SU-2015:2318-1, openSUSE-SU-2016:0637-1, openSUSE-SU-2016:1327-1, RHSA-2015:2617-01, SA105, SA40100, SB10203, SOL12824341, SOL30714460, SOL55540723, SOL86772626, SSA:2015-349-04, STORM-2015-017, USN-2830-1, VIGILANCE-VUL-18435.

Description of the vulnerability

The OpenSSL library can use the RSA PSS algorithm to check the validity of X.509 certificates.

However, if the "mask generation" parameter is missing during the verification of a signature in ASN.1 format, OpenSSL does not check if a pointer is NULL, before using it.

An attacker can therefore force a NULL pointer to be dereferenced during the certificate verification of OpenSSL (in client or server mode), in order to trigger a denial of service.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability bulletin CVE-2015-5358

BSD, Juniper JunOS: memory leak in the LAST_ACK TCP state

Synthesis of the vulnerability

An attacker can block numerous TCP sessions in the LAST_ACK state, to trigger a memory exhaustion in FreeBSD/OpenBSD/JunOS, in order to create a denial of service.
Impacted products: SNS, FreeBSD, Juniper J-Series, JUNOS, NETASQ, NetBSD, OpenBSD, pfSense.
Severity: 3/4.
Creation date: 09/07/2015.
Revision date: 22/07/2015.
Identifiers: CERTFR-2015-AVI-286, CVE-2015-5358, FreeBSD-SA-15:13.tcp, JSA10686, NetBSD-SA2015-009, STORM-2015-013, VIGILANCE-VUL-17333.

Description of the vulnerability

According to the TCP protocol, when a service receives a FIN packet:
 - it jumps in the CLOSE_WAIT state
 - it sends a FIN packet to the client
 - it enters in the LAST_ACK state
 - it waits to receive the FIN-ACK packet
 - it can retry to send the FIN packet
 - if it does not receive the FIN-ACK packet, it waits at most the duration of a timer to jump from the LAST_ACK state to the CLOSED state

In the LAST_ACK state, the service keeps information (mbufs) in memory.

However, when the TCP Window has a zero length size, the BSD stack forgets to start the timer. Information are thus indefinitely kept in memory.

An attacker can therefore block numerous TCP sessions in the LAST_ACK state, to trigger a memory exhaustion in BSD/JunOS, in order to create a denial of service.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability CVE-2014-3566

SSL 3.0: decrypting session, POODLE

Synthesis of the vulnerability

An attacker, located as a Man-in-the-Middle, can decrypt a SSL 3.0 session, in order to obtain sensitive information.
Impacted products: SES, SNS, Apache httpd, Arkoon FAST360, ArubaOS, Asterisk Open Source, BES, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, GAiA, CheckPoint IP Appliance, IPSO, SecurePlatform, CheckPoint Security Appliance, CheckPoint Security Gateway, Cisco ASR, Cisco ACE, ASA, AsyncOS, Cisco CSS, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, IronPort Email, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco PRSM, Cisco Router, WebNS, Clearswift Email Gateway, Clearswift Web Gateway, CUPS, Debian, Black Diamond, ExtremeXOS, Ridgeline, Summit, BIG-IP Hardware, TMOS, Fedora, FortiGate, FortiGate Virtual Appliance, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, F-Secure AV, hMailServer, HPE BSM, HP Data Protector, HPE NNMi, HP Operations, ProCurve Switch, SiteScope, HP Switch, TippingPoint IPS, HP-UX, AIX, Security Directory Server, SPSS Data Collection, Tivoli System Automation, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, WS_FTP Server, IVE OS, Juniper J-Series, JUNOS, Junos Space, Junos Space Network Management Platform, MAG Series by Juniper, NSM Central Manager, NSMXpress, Juniper SA, Domino, Notes, MBS, McAfee Email and Web Security, McAfee Email Gateway, ePO, VirusScan, McAfee Web Gateway, IE, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows (platform) ~ not comprehensive, Windows RT, Windows Vista, NETASQ, NetBSD, NetIQ Sentinel, NetScreen Firewall, ScreenOS, nginx, OpenSSL, openSUSE, openSUSE Leap, Oracle DB, Oracle Fusion Middleware, Oracle Identity Management, Oracle OIT, Solaris, Tuxedo, WebLogic, Palo Alto Firewall PA***, PAN-OS, Polycom CMA, HDX, RealPresence Collaboration Server, RealPresence Distributed Media Application, Polycom VBP, Postfix, SSL protocol, Puppet, RHEL, JBoss EAP by Red Hat, RSA Authentication Manager, ROS, ROX, RuggedSwitch, Slackware, Spectracom SecureSync, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Ubuntu, Unix (platform) ~ not comprehensive, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, WindRiver Linux.
Severity: 3/4.
Creation date: 15/10/2014.
Identifiers: 10923, 1589583, 1595265, 1653364, 1657963, 1663874, 1687167, 1687173, 1687433, 1687604, 1687611, 1690160, 1690185, 1690342, 1691140, 1692551, 1695392, 1696383, 1699051, 1700706, 2977292, 3009008, 7036319, aid-10142014, AST-2014-011, bulletinapr2015, bulletinjan2015, bulletinjan2016, bulletinjul2015, bulletinjul2016, bulletinoct2015, c04486577, c04487990, c04492722, c04497114, c04506802, c04510230, c04567918, c04616259, c04626982, c04676133, c04776510, CERTFR-2014-ALE-007, CERTFR-2014-AVI-454, CERTFR-2014-AVI-509, CERTFR-2015-AVI-169, CERTFR-2016-AVI-303, cisco-sa-20141015-poodle, cpujul2017, CTX216642, CVE-2014-3566, DSA-3053-1, DSA-3253-1, DSA-3489-1, ESA-2014-178, ESA-2015-098, ESXi500-201502001, ESXi500-201502101-SG, ESXi510-201503001, ESXi510-201503001-SG, ESXi510-201503101-SG, ESXi550-201501001, ESXi550-201501101-SG, FEDORA-2014-12989, FEDORA-2014-12991, FEDORA-2014-13012, FEDORA-2014-13017, FEDORA-2014-13040, FEDORA-2014-13069, FEDORA-2014-13070, FEDORA-2014-13444, FEDORA-2014-13451, FEDORA-2014-13764, FEDORA-2014-13777, FEDORA-2014-13781, FEDORA-2014-13794, FEDORA-2014-14234, FEDORA-2014-14237, FEDORA-2014-15379, FEDORA-2014-15390, FEDORA-2014-15411, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2015-9090, FEDORA-2015-9110, FreeBSD-SA-14:23.openssl, FSC-2014-8, HPSBGN03256, HPSBGN03305, HPSBGN03332, HPSBHF03156, HPSBHF03300, HPSBMU03152, HPSBMU03184, HPSBMU03213, HPSBMU03416, HPSBUX03162, HPSBUX03194, JSA10656, MDVSA-2014:203, MDVSA-2014:218, MDVSA-2015:062, NetBSD-SA2014-015, nettcp_advisory, openSUSE-SU-2014:1331-1, openSUSE-SU-2014:1384-1, openSUSE-SU-2014:1395-1, openSUSE-SU-2014:1426-1, openSUSE-SU-2016:0640-1, openSUSE-SU-2016:1586-1, openSUSE-SU-2017:0980-1, PAN-SA-2014-0005, POODLE, RHSA-2014:1652-01, RHSA-2014:1653-01, RHSA-2014:1692-01, RHSA-2014:1920-01, RHSA-2014:1948-01, RHSA-2015:0010-01, RHSA-2015:0011-01, RHSA-2015:0012-01, RHSA-2015:1545-01, RHSA-2015:1546-01, SA83, SB10090, SB10104, sk102989, SOL15702, SP-CAAANKE, SP-CAAANST, SPL-91947, SPL-91948, SSA:2014-288-01, SSA-396873, SSA-472334, SSRT101767, STORM-2014-02-FR, SUSE-SU-2014:1357-1, SUSE-SU-2014:1361-1, SUSE-SU-2014:1386-1, SUSE-SU-2014:1387-1, SUSE-SU-2014:1387-2, SUSE-SU-2014:1409-1, SUSE-SU-2015:0010-1, SUSE-SU-2016:1457-1, SUSE-SU-2016:1459-1, T1021439, TSB16540, USN-2839-1, VIGILANCE-VUL-15485, VMSA-2015-0001, VMSA-2015-0001.1, VMSA-2015-0001.2, VN-2014-003, VU#577193.

Description of the vulnerability

An SSL/TLS session can be established using several protocols:
 - SSL 2.0 (obsolete)
 - SSL 3.0
 - TLS 1.0
 - TLS 1.1
 - TLS 1.2

An attacker can downgrade the version to SSLv3. However, with SSL 3.0, an attacker can change the padding position with a CBC encryption, in order to progressively guess clear text fragments.

This vulnerability is named POODLE (Padding Oracle On Downgraded Legacy Encryption).

An attacker, located as a Man-in-the-Middle, can therefore decrypt a SSL 3.0 session, in order to obtain sensitive information.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability alert CVE-2007-3725

ClamAV, unrar: denial of service

Synthesis of the vulnerability

An attacker can create a malicious RAR archive in order to stop ClamAV or unrar.
Impacted products: ClamAV, Debian, Mandriva Corporate, Mandriva Linux, NETASQ, NLD, OES, openSUSE, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 11/07/2007.
Identifiers: BID-24866, CERTA-2002-AVI-136, CERTA-2007-AVI-306, CVE-2007-3725, DSA-1340-1, MDKSA-2007:150, SUSE-SR:2007:015, VIGILANCE-VUL-6991.

Description of the vulnerability

The ClamAV antivirus and the unrar tool share the same vulnerability.

The execute_standard_filter() function of unrarvm.c does not check if one of the sizes indicated in the RAR file is too small. This error forces ClamAV to read data at an invalid address, which leads to a segmentation error.

An attacker can therefore create a malicious RAR archive in order to stop ClamAV or unrar.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability CVE-2007-2650 CVE-2007-3023 CVE-2007-3024

ClamAV: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of ClamAV lead to denials of service or to code execution.
Impacted products: ClamAV, Debian, Fedora, Mandriva Corporate, Mandriva Linux, NETASQ, openSUSE.
Severity: 3/4.
Creation date: 31/05/2007.
Identifiers: BID-24289, BID-24316, BID-24358, CVE-2007-2650, CVE-2007-3023, CVE-2007-3024, CVE-2007-3025, CVE-2007-3122, CVE-2007-3123, DSA-1320-1, FEDORA-2007-1154, MDKSA-2007:115, SUSE-SA:2007:033, VIGILANCE-VUL-6855.

Description of the vulnerability

Several vulnerabilities of ClamAV lead to denials of service or to code execution.

The %v parameter is not correctly checked in fresclam/manager.c. [severity:3/4]

Malicious RAR headers are not correctly handled in libclamav/unrar/unrar.c. [severity:3/4; BID-24289, CVE-2007-3122]

Size of data is not correctly computed in libclamav/unsp.c. [severity:3/4; CVE-2007-3023]

Permissions of temporary files created by cli_gentempstream() are not sufficiently strict. [severity:3/4; CVE-2007-3024]

A malicious OLE file can generate an infinite loop in libclamav/ole2_extract.c. [severity:3/4; BID-24316, CVE-2007-2650]

An unknown vulnerability affects libclamav/phishcheck.c. [severity:3/4; CVE-2007-3025]

An unknown vulnerability affects libclamav/unrar/unrar.c. [severity:3/4; CVE-2007-3123]

An unknown vulnerability affects libclamav/pdf.c. [severity:3/4]
Complete Vigil@nce bulletin.... (Free trial)

vulnerability CVE-2007-1745 CVE-2007-1997 CVE-2007-2029

ClamAV: vulnerabilities of CHM, CAB and PDF

Synthesis of the vulnerability

An attacker can create CHM, CAB and PDF files leading to denials of service or to code execution on ClamAV.
Impacted products: ClamAV, Debian, Mandriva Corporate, Mandriva Linux, NETASQ, openSUSE.
Severity: 3/4.
Creation date: 13/04/2007.
Revision date: 17/04/2007.
Identifiers: BID-23473, BID-23656, CERTA-2002-AVI-088, CVE-2007-1745, CVE-2007-1997, CVE-2007-2029, DSA-1281-1, DSA-1281-2, MDKSA-2007:098, SUSE-SA:2007:026, VIGILANCE-VUL-6740.

Description of the vulnerability

Three vulnerabilities were announced in ClamAV antivirus.

When an error occurs during the analysis of a CHM file, the chm_decompress_stream() function of libclamav/chmunpack.c does not lock the temporary file containing the binary. [severity:3/4; CVE-2007-1745]

A malicious CAB archive can generate an integer overflow in cab_unstore() function of libclamav/cab.c, leading to code execution. [severity:3/4; CVE-2007-1997]

The PDF format is composed of a series of objects (pages, fonts, catalog, etc.), which can be compressed with zlib. The cli_pdf() function of libclamav/pdf.c stores compressed data in a temporary file, to uncompress them. However, if size of compressed data is null, the temporary file descriptor is not closed. [severity:3/4; BID-23656, CVE-2007-2029]
Complete Vigil@nce bulletin.... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about NETASQ: