The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of NLD

vulnerability CVE-2012-5166

BIND: denial of service via Additional Records

Synthesis of the vulnerability

An attacker can use malicious Additional Resource Records, in order to lockup a BIND server.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, BIND, MES, Mandriva Linux, NLD, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 10/10/2012.
Identifiers: AA-00801, AA-00807, BID-55852, c03526327, CERTA-2012-AVI-569, CERTA-2012-AVI-601, CERTA-2012-AVI-602, CERTA-2012-AVI-603, CERTA-2012-AVI-679, CVE-2012-5166, DSA-2560-1, FEDORA-2012-15965, FEDORA-2012-15981, FreeBSD-SA-12:06.bind, HPSBUX02823, IV30364, IV30365, IV30366, IV30367, IV30368, MDVSA-2012:162, openSUSE-SU-2012:1372-1, openSUSE-SU-2013:0605-1, RHSA-2012:1363-01, RHSA-2012:1364-01, RHSA-2012:1365-01, sol14201, SSA:2012-284-01, SSA:2012-341-01, SSRT100976, SUSE-SU-2012:1390-1, SUSE-SU-2012:1390-2, SUSE-SU-2012:1390-3, VIGILANCE-VUL-12050.

Description of the vulnerability

A DNS response contains Resource Records of different types:
 - Question : question
 - Answer : direct answer
 - Authority : information on the authority
 - Additional : additional information

The query_addadditional() function of the named/query.c file of BIND adds additional information to a reply. However, if a name is duplicated, an infinite loop occurs in the BIND service.

The origin of this duplicated name depends on the server type:
 - recursive server: the name comes from the reply of an authoritative server (this is the most probable attack configuration)
 - secondary authoritative server: the name comes from a zone transfer from the primary
 - primary authoritative server: the name comes from a loaded zone file

An attacker can therefore use malicious Additional Resource Records, in order to lockup a BIND server.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability alert CVE-2012-1667

BIND: denial of service via rdata null

Synthesis of the vulnerability

An attacker can use a zone containing an empty record, in order to stop a recursive DNS server, or to obtain fragments of its memory.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, BIND, MES, Mandriva Linux, McAfee Email and Web Security, NLD, OpenBSD, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 2/4.
Creation date: 04/06/2012.
Identifiers: BID-53772, c03388901, c03526327, CERTA-2012-AVI-305, CERTA-2012-AVI-305-001, CERTA-2012-AVI-348, CERTA-2012-AVI-364, CERTA-2012-AVI-601, CERTA-2012-AVI-663, CVE-2012-1667, DSA-2486-1, ESX410-201211001, ESX410-201211401-SG, ESX410-201211402-SG, ESX410-201211405-SG, ESX410-201211407-SG, FEDORA-2012-8946, FEDORA-2012-8962, FEDORA-2012-8968, FreeBSD-SA-12:03.bind, HPSBUX02795, HPSBUX02823, IV22554, IV22555, IV22556, IV22557, IV22625, MDVSA-2012:089, openSUSE-SU-2012:0722-1, openSUSE-SU-2013:0605-1, RHSA-2012:0716-01, RHSA-2012:0717-01, RHSA-2012:1110-01, sol13175, SOL13660, SSA:2012-166-01, SSA:2012-341-01, SSRT100878, SSRT100976, SUSE-SU-2012:0741-1, SUSE-SU-2012:0741-2, SUSE-SU-2012:0741-3, SUSE-SU-2012:0741-4, SUSE-SU-2012:0741-5, SUSE-SU-2012:0741-6, VIGILANCE-VUL-11671, VMSA-2012-0016, VU#381699.

Description of the vulnerability

A DNS record contains data (rdata, Record Data), such as a server name or an IP address.

These data can have an empty size. However, BIND processes this case with a NULL pointer, which is handled in a special way. BIND then tries to read data at an invalid memory address. This leads to a stop or to the disclosure of a memory area.

This case occurs when BIND is configured as a recursive server, and queries the attacker's server containing an empty record. This case also occurs when an authoritative server contains an empty record, so secondary servers can memorize an invalid value in their cache.

An attacker can therefore use a zone containing an empty record, in order to stop a recursive DNS server, or to obtain fragments of its memory.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability alert CVE-2012-1182

Samba: buffer overflow via PIDL

Synthesis of the vulnerability

An unauthenticated attacker can send a malicious RPC query, in order to generate an overflow in Samba, which leads to code execution with root privileges.
Impacted products: Debian, Fedora, HP-UX, MES, Mandriva Linux, NLD, openSUSE, Solaris, RHEL, Samba, SUSE Linux Enterprise Desktop, SLES.
Severity: 3/4.
Creation date: 11/04/2012.
Identifiers: 8815, BID-52973, BID-55655, c03365218, CERTA-2012-AVI-210, CVE-2012-1182, DSA-2450-1, FEDORA-2012-5805, FEDORA-2012-5843, FEDORA-2012-6382, HPSBUX02789, MDVSA-2012:055, openSUSE-SU-2012:0507-1, openSUSE-SU-2012:0508-1, RHSA-2012:0466-01, RHSA-2012:0478-01, RHSA-2013:0506-02, RHSA-2013:0515-02, SSRT100824, SUSE-SU-2012:0500-1, SUSE-SU-2012:0501-1, SUSE-SU-2012:0501-2, SUSE-SU-2012:0502-1, SUSE-SU-2012:0504-1, SUSE-SU-2012:0515-1, VIGILANCE-VUL-11531, ZDI-12-063, ZDI-12-064, ZDI-12-068, ZDI-12-069, ZDI-12-070, ZDI-12-071, ZDI-12-072.

Description of the vulnerability

The Samba service implements the SMB/CIFS protocol, and the associated RPC (Remote Procedure Call) features.

The source code of Samba uses PIDL (Perl Interface Definition Language), in order to generate C code implementing RPC interfaces.

The code generated by PIDL uses two variables to store the size of arrays. However, the size indicated by one variable is not checked. So, if this size is too large, a buffer overflow occurs.

An unauthenticated attacker can therefore send a malicious RPC query, in order to generate an overflow in Samba, which leads to code execution with root privileges.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability announce CVE-2012-1126 CVE-2012-1127 CVE-2012-1128

FreeType: several vulnerabilities

Synthesis of the vulnerability

An attacker can invite the victim to display a document using a malicious font with an application linked to FreeType, in order to execute code on his computer.
Impacted products: Debian, Fedora, MES, Mandriva Linux, NLD, OpenBSD, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Creation date: 07/03/2012.
Identifiers: BID-52318, CERTA-2012-AVI-123, CERTA-2012-AVI-235, CVE-2012-1126, CVE-2012-1127, CVE-2012-1128, CVE-2012-1129, CVE-2012-1130, CVE-2012-1131, CVE-2012-1132, CVE-2012-1133, CVE-2012-1134, CVE-2012-1135, CVE-2012-1136, CVE-2012-1137, CVE-2012-1138, CVE-2012-1139, CVE-2012-1140, CVE-2012-1141, CVE-2012-1142, CVE-2012-1143, CVE-2012-1144, DSA-2428-1, FEDORA-2012-4946, FEDORA-2012-5422, FEDORA-2013-1114, MDVSA-2012:057, openSUSE-SU-2012:0489-1, RHSA-2012:0467-01, SSA:2012-176-01, SUSE-SU-2012:0483-1, SUSE-SU-2012:0483-2, SUSE-SU-2012:0484-1, SUSE-SU-2012:0521-1, SUSE-SU-2012:0553-1, VIGILANCE-VUL-11407.

Description of the vulnerability

The FreeType library processes character fonts. It is impacted by several vulnerabilities.

An attacker can use malicious BDF properties, in order to force a read at an invalid memory address, which stops the application. [severity:1/4; CERTA-2012-AVI-123, CERTA-2012-AVI-235, CVE-2012-1126]

An attacker can use malicious BDF glyphs/bitmaps, in order to force a read at an invalid memory address, which stops the application. [severity:1/4; CVE-2012-1127]

An attacker can move a Zone2 pointer, in order to dereference a NULL pointer, which stops the application. [severity:1/4; CVE-2012-1128]

An attacker can use SFNT Type42 strings, in order to force a read at an invalid memory address, which stops the application. [severity:1/4; CVE-2012-1129]

An attacker can use malicious PCF properties, in order to force a read at an invalid memory address, which stops the application. [severity:1/4; CVE-2012-1130]

An attacker can move a cell, in order to force a read at an invalid memory address, which stops the application. [severity:1/4; CVE-2012-1131]

An attacker can use malicious dictionary, in order to force a read at an invalid memory address, which stops the application. [severity:1/4; CVE-2012-1132]

An attacker can use malicious BDF glyphs, in order to create a buffer overflow, which can lead to code execution. [severity:3/4; CVE-2012-1133]

An attacker can use a malicious dictionary, in order to create a buffer overflow, which can lead to code execution. [severity:3/4; CVE-2012-1134]

An attacker can use the NPUSHB and NPUSHW instructions, in order to force a read at an invalid memory address, which stops the application. [severity:1/4; CVE-2012-1135]

An attacker can use BDF glyphs/bitmaps with no ENCODING field, in order to create a buffer overflow, which can lead to code execution. [severity:3/4; CVE-2012-1136]

An attacker can use a malicious BDF header, in order to force a read at an invalid memory address, which stops the application. [severity:1/4; CVE-2012-1137]

An attacker can use the MIRP instruction, in order to force a read at an invalid memory address, which stops the application. [severity:1/4; CVE-2012-1138]

An attacker can use malicious BDF glyphs, in order to force a read at an invalid memory address, which stops the application. [severity:1/4; CVE-2012-1139]

An attacker can use malicious PostScript objects, in order to force a read at an invalid memory address, which stops the application. [severity:1/4; CVE-2012-1140]

An attacker can use an ASCII string, in order to force a read at an invalid memory address, which stops the application. [severity:1/4; CVE-2012-1141]

An attacker can use glyphs, in order to create a buffer overflow, which can lead to code execution. [severity:3/4; CVE-2012-1142]

An attacker can force arithmetic computations to generate a division by zero, which stops the application. [severity:1/4; CVE-2012-1143]

An attacker can move a Zone2 pointer, in order to create a buffer overflow, which can lead to code execution. [severity:3/4; CVE-2012-1144]

An attacker can therefore invite the victim to display a document using a malicious font with an application linked to FreeType, in order to execute code on his computer.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability note CVE-2012-0870

Samba: buffer overflow via AndX

Synthesis of the vulnerability

An unauthenticated attacker can send a SMB AndX query to Samba, in order to create a loop, which overflows an array, leading to a denial of service or to code execution.
Impacted products: HP-UX, MES, NLD, openSUSE, Solaris, RHEL, Samba, SUSE Linux Enterprise Desktop, SLES.
Severity: 3/4.
Creation date: 24/02/2012.
Identifiers: c04401461, CERTA-2012-AVI-099, CERTFR-2014-AVI-112, CVE-2012-0870, HPSBUX03093, MDVSA-2012:025, openSUSE-SU-2012:0507-1, RHSA-2012:0332-01, SSRT101009, SUSE-SU-2012:0337-1, SUSE-SU-2012:0338-1, SUSE-SU-2012:0348-1, SUSE-SU-2012:0515-1, VIGILANCE-VUL-11389.

Description of the vulnerability

The SMB/CIFS protocol uses commands of type AndX, in order to chain data.

The chain_reply() function of the source/smbd/process.c file decodes AndX messages. However, this function does not check if indicated offsets are increasing. An attacker can thus use AndX commands which go back.

An unauthenticated attacker can therefore send a SMB AndX query to Samba, in order to create a loop, which overflows an array, leading to a denial of service or to code execution.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability bulletin CVE-2011-4862

MIT krb5-appl: buffer overflow of telnetd

Synthesis of the vulnerability

A remote unauthenticated attacker can generate a buffer overflow in the telnetd daemon of MIT krb5-appl, in order to stop it, or to execute code.
Impacted products: AsyncOS, Cisco Content SMA, Cisco ESA, IronPort Email, IronPort Management, IronPort Web, Cisco WSA, Debian, Fedora, FreeBSD, MES, Mandriva Linux, MIT krb5, NetBSD, NLD, openSUSE, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, ESX.
Severity: 4/4.
Creation date: 27/12/2011.
Identifiers: 83262, BID-51182, CERTA-2011-AVI-718, CERTA-2012-ALE-001-001, cisco-amb-20120126-ironport, cisco-sa-20120126-ironport, CVE-2011-4862, DSA-2372-1, DSA-2373-1, DSA-2375-1, FEDORA-2011-17492, FEDORA-2011-17493, FreeBSD-SA-11:08.telnetd, MDVSA-2011:195, MITKRB5-SA-2011-008, openSUSE-SU-2012:0019-1, openSUSE-SU-2012:0051-1, RHSA-2011:1851-01, RHSA-2011:1852-02, RHSA-2011:1853-01, RHSA-2011:1854-01, SUSE-SU-2012:0010-1, SUSE-SU-2012:0018-1, SUSE-SU-2012:0024-1, SUSE-SU-2012:0042-1, SUSE-SU-2012:0050-1, SUSE-SU-2012:0056-1, VIGILANCE-VUL-11248.

Description of the vulnerability

The RFC 2946 defines an encryption protocol for TELNET sessions. The telnetd daemon of MIT krb5-appl implements this RFC.

The TELNET ENCRYPT (38) option defines the ENC_KEYID (7) sub-option, which indicates the encryption key identifier.

When the telnetd daemon receives the ENC_KEYID sub-option, it calls the encrypt_keyid() function of the libtelnet/encrypt.c file. However, this function does not check the size of the identifier, so an overflow occurs.

A remote unauthenticated attacker can therefore generate a buffer overflow in the telnetd daemon of MIT krb5-appl, in order to stop it, or to execute code.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability announce CVE-2011-4313

BIND 9: denial of service via recursion

Synthesis of the vulnerability

An attacker can use a malicious query on a recursive BIND DNS server, with an invalid value in its cache, in order to stop it.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, BIND, MES, Mandriva Linux, NetBSD, NLD, OpenBSD, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, SLES.
Severity: 2/4.
Creation date: 16/11/2011.
Revision date: 17/11/2011.
Identifiers: BID-50690, c03105548, CERTA-2011-AVI-645, CVE-2011-4313, DSA-2347-1, FEDORA-2011-16002, FEDORA-2011-16036, FEDORA-2011-16057, FreeBSD-SA-11:06.bind, HPSBUX02729, IV09491, IV09978, IV10049, IV11106, IV11742, IV11743, IV11744, MDVSA-2011:176, MDVSA-2011:176-1, MDVSA-2011:176-2, NetBSD-SA2011-009, openSUSE-SU-2011:1272-1, RHSA-2011:1458-01, RHSA-2011:1459-01, RHSA-2011:1496-01, sol14204, SSRT100687, SUSE-SU-2011:1268-1, SUSE-SU-2011:1270-1, SUSE-SU-2011:1270-2, SUSE-SU-2011:1270-3, VIGILANCE-VUL-11162, VU#606539.

Description of the vulnerability

The BIND DNS server can be configured in recursive mode, in order to resolve external addresses requested by internal clients. Replies of external DNS servers are kept in a cache, and this cache is later searched to answer future queries.

The DNSSEC protocol is used to authenticate data of DNS zones. The NSEC and NSEC3 records are used to indicate that a name does not exist (NXDOMAIN, Non-Existent Domain, NX). These records thus have no data (rdata) associated.

An attacker can, using another bug, force the cache of a recursive DNS server to contain a NX record with rdata. Then when the client requests this record, the query_addadditional2() function of the query.c file calls the macro INSIST(!dns_rdataset_isassociated(sigrdataset)), because a rdata is associated to a NC record. The INSIST macro stops the daemon.

In order to exploit this vulnerability, the attacker can be on the internal network, and can request an invalid resolution. He can also create an HTML document containing images located on a server with a malicious name, and can then invite the victim to display this HTML page. He can also send an email from an malicious server name, which will be resolved by the messaging server.

An attacker can therefore use a malicious query on a recursive BIND DNS server, with an invalid value in its cache, in order to stop it.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability bulletin CVE-2010-4072 CVE-2010-4073

Linux kernel: memory reading via ipc

Synthesis of the vulnerability

A local attacker can use an IPC, in order to read bytes stored in the kernel memory.
Impacted products: Debian, Fedora, Linux, Mandriva Corporate, MES, NLD, OES, openSUSE, RHEL, SLES, ESX.
Severity: 1/4.
Creation date: 07/10/2010.
Revision date: 06/09/2011.
Identifiers: BID-43828, BID-43829, BID-45054, BID-45073, CERTA-2002-AVI-272, CVE-2010-4072, CVE-2010-4073, DSA-2126-1, ESX400-201110001, ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110406-SG, ESX400-201110408-SG, ESX400-201110409-SG, ESX400-201110410-SG, FEDORA-2010-18432, FEDORA-2010-18493, FEDORA-2010-18506, MDVSA-2011:029, MDVSA-2011:051, openSUSE-SU-2010:1047-1, openSUSE-SU-2011:0004-1, openSUSE-SU-2011:0048-1, openSUSE-SU-2011:0346-1, openSUSE-SU-2013:0927-1, RHSA-2010:0958-01, RHSA-2011:0007-01, RHSA-2011:0017-01, RHSA-2011:0162-01, SUSE-SA:2010:060, SUSE-SA:2011:001, SUSE-SA:2011:004, SUSE-SA:2011:007, SUSE-SA:2011:008, SUSE-SA:2011:017, SUSE-SU-2011:0928-1, VIGILANCE-VUL-10008, VMSA-2011-0004.2, VMSA-2011-0009.1, VMSA-2011-0010.2, VMSA-2011-0012, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005.

Description of the vulnerability

Several system calls manage IPC (Inter Process Communication):
 - semctl() : semaphores
 - shmctl() : shared memory
 - msgctl() : messages
However, these functions do not initialize fields of a structure. Previous data are thus transmitted to the user.

The shmctl() function of the ipc/shm.c file does not correctly initialize the shmid_ds structure. [severity:1/4; BID-43829, BID-45054, CVE-2010-4072]

The shmctl(), shmctl() and msgctl() functions of the ipc/compat.c file do not correctly initialize several structures. [severity:1/4; BID-43828, BID-45073, CVE-2010-4073]

A local attacker can therefore use an IPC, in order to read bytes stored in the kernel memory.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability note CVE-2011-2483

crypt_blowfish: hash collision

Synthesis of the vulnerability

When the user has a password containing 8 bit characters, the Blowfish hashing algorithm of crypt() generates an invalid hash, which is potentially faster to find with a brute force.
Impacted products: Debian, MES, Mandriva Linux, NLD, OES, openSUSE, PostgreSQL, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 19/08/2011.
Identifiers: CVE-2011-2483, DSA-2340-1, MDVSA-2011:161, MDVSA-2011:178, MDVSA-2011:179, MDVSA-2011:180, openSUSE-SU-2011:0921-1, openSUSE-SU-2011:0921-2, openSUSE-SU-2011:0970-1, openSUSE-SU-2011:0972-1, openSUSE-SU-2012:0480-1, openSUSE-SU-2013:1670-1, openSUSE-SU-2013:1676-1, RHSA-2011:1377-01, RHSA-2011:1378-01, SUSE-SA:2011:035, SUSE-SU-2011:0922-1, SUSE-SU-2011:0923-1, SUSE-SU-2011:0927-1, SUSE-SU-2011:0971-1, SUSE-SU-2011:0974-1, SUSE-SU-2011:0991-1, SUSE-SU-2011:1081-1, SUSE-SU-2011:1081-2, VIGILANCE-VUL-10934.

Description of the vulnerability

The crypt() function hashes the password of a user. When a user is added, the hash is stored in the /etc/shadow file. When the user authenticates, the hash is compared to the hash from /etc/shadow.

The crypt() function supports several hash algorithms:
 - DES
 - MD5 (prefix $1$)
 - Blowfish (prefix $2a$), which is implemented in the crypt_blowfish library

However, crypt_blowfish uses signed C characters (-128 to 127), instead of unsigned characters (0 to 255). The generated hash is thus invalid if the password contains 8 bit characters.

This error has no impact of user authentication, because the invalid hash was stored in the /etc/shadow file, and the invalid hash of the entered password is the same.

However, the generated hash is subject to collisions: several passwords can have the same hash. A brute force attack thus requires to test less passwords before finding user's password.

When the user has a password containing 8 bit characters, the Blowfish hashing algorithm of crypt() therefore generates an invalid hash, which is potentially faster to find with a brute force.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability bulletin CVE-2011-2697 CVE-2011-2964

foomatic-rip: code execution via PPD

Synthesis of the vulnerability

When the system is configured to use a foomatic-rip or foomatic-rip-hplip print filter, a local attacker (or remote attacker via CUPS) can print a document, in order to execute code with privileges of the lp user.
Impacted products: Debian, Fedora, Mandriva Corporate, MES, Mandriva Linux, NLD, OES, openSUSE, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 02/08/2011.
Identifiers: 698451, CVE-2011-2697, CVE-2011-2964, DSA-2380-1, FEDORA-2011-9554, FEDORA-2011-9575, MDVSA-2011:125, openSUSE-SU-2011:0892-1, RHSA-2011:1109-01, RHSA-2011:1110-01, SUSE-SU-2011:0895-1, VIGILANCE-VUL-10883.

Description of the vulnerability

The foomatic-rip or foomatic-rip-hplip filter (written in C or in Perl) adapts print queries to printers.

A PPD (PostScript Printer Description) file contains a FoomaticRIPCommandLine directive which indicates the command line to execute by foomatic-rip.

The "-p" option of foomatic-rip indicates the name of a spool file to use. However, when "-p" is used, foomatic-rip also accepts a PPD file provided by the user. The "-p" option can be provided via the "-U" option of lp which indicates the user name (because all parameters are concatenated whatever their origin is).

An attacker can therefore print with a "-U" option containing "-p", and a PPD file containing a malicious FoomaticRIPCommandLine command. This command will be run with privileges of the print system.

When the system is configured to use a foomatic-rip or foomatic-rip-hplip print filter, a local attacker (or remote attacker via CUPS) can therefore print a document, in order to execute code with privileges of the lp user.
Complete Vigil@nce bulletin.... (Free trial)
Our database contains other pages. You can request a free trial to read them.