The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of NetScreen IVE

computer vulnerability note CVE-2012-2110

OpenSSL: memory corruption via asn1_d2i_read_bio

Synthesis of the vulnerability

An attacker can send malformed ASN.1 data to an application linked with OpenSSL, in order to corrupt memory, which leads to a denial of service or to code execution.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, Tivoli Workload Scheduler, IVE OS, Junos Pulse, Junos Space, Juniper SA, Juniper SBR, MES, Mandriva Linux, NetBSD, NetScreen Firewall, ScreenOS, OpenBSD, OpenSSL, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 3/4.
Creation date: 19/04/2012.
Identifiers: 1643316, BID-53158, c03333987, CERTA-2012-AVI-224, CERTA-2012-AVI-286, CERTA-2012-AVI-419, CERTA-2012-AVI-479, CERTFR-2014-AVI-480, CERTFR-2016-AVI-300, CVE-2012-2110, DSA-2454-1, ESX350-201302401-SG, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, FEDORA-2012-6395, FEDORA-2012-6403, FreeBSD-SA-12:01.openssl, HPSBUX02782, JSA10659, KB27376, MDVSA-2012:060, NetBSD-SA2012-001, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, PSN-2012-09-712, PSN-2013-03-872, PSN-2013-05-941, RHSA-2012:0518-01, RHSA-2012:0522-01, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, SOL16285, SSRT100844, SUSE-SU-2012:0623-1, SUSE-SU-2012:0637-1, SUSE-SU-2012:1149-1, SUSE-SU-2012:1149-2, VIGILANCE-VUL-11559, VMSA-2012-0003.1, VMSA-2012-0005.2, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013, VMSA-2012-0013.1, VMSA-2013-0001.2, VMSA-2013-0003.

Description of the vulnerability

X.509 certificates are encoded with ASN.1 (Abstract Syntax Notation One), using the DER encoding in which each object carries a tag followed by its length.

OpenSSL uses BIOs, abstract I/O streams from which a program reads or to which it writes.

The asn1_d2i_read_bio() function of OpenSSL reads ASN.1 data from a BIO into a memory buffer before decoding it.

However, this function passes the announced size of ASN.1 objects through signed integers ("int"), whereas buffer sizes are unsigned ("size_t"). An announced size of 0x80000000 or more becomes negative once cast to int, so the bound check is bypassed and the buffer that receives the data is grown to a size that does not match what is subsequently copied into it: the heap is corrupted.

The asn1_d2i_read_bio() function is used by several OpenSSL functions. Note: SSL/TLS clients and servers do not use this function, and are thus not vulnerable (except when they call d2i_X509_bio() or similar d2i_*_bio()/d2i_*_fp() routines themselves, for example to load a certificate from an untrusted source). However, S/MIME and CMS applications, and any program that reads DER objects from an untrusted BIO with these functions, are vulnerable.

An attacker can therefore send malformed ASN.1 data to an application linked with OpenSSL, in order to corrupt memory, which leads to a denial of service or to code execution.
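As an added illustration (not code from the bulletin or from OpenSSL itself), the following Python model shows why a signed "int" in the length path is dangerous. The DER length reader is a real decoder; the two accept functions are a simplified model of the pre-fix and post-fix bound checks, with ctypes.c_int32 reproducing the 32-bit C cast. The 1 MiB cap and the sample headers are constructed for the example.

```python
import ctypes

MAX_OBJECT = 1 << 20   # constructed cap on one object, for the example

# Constructed sample inputs: a complete 5-byte SEQUENCE, and a SEQUENCE header
# announcing 0x80000000 bytes (long form, four length bytes) with no body.
SMALL_OBJECT = bytes([0x30, 0x05, 0x02, 0x03, 0x01, 0x02, 0x03])
OVERSIZED_HEADER = bytes([0x30, 0x84, 0x80, 0x00, 0x00, 0x00])


def der_read_length(data: bytes, offset: int = 1):
    """Decode a definite-form DER length starting at data[offset] (just after the tag).

    Returns (length, header_bytes_consumed). Lengths of more than four bytes and
    the indefinite form (0x80) are rejected.
    """
    first = data[offset]
    if first < 0x80:                      # short form: the byte is the length
        return first, 1
    n = first & 0x7F
    if n == 0 or n > 4 or offset + 1 + n > len(data):
        raise ValueError("unsupported or truncated DER length")
    length = int.from_bytes(data[offset + 1:offset + 1 + n], "big")
    return length, 1 + n


def vulnerable_accepts(data: bytes) -> bool:
    """Model of the pre-fix check: the length is held in a C 'int'.

    ctypes.c_int32 reproduces the cast: 0x80000000 becomes -2147483648, which
    passes a signed 'length > MAX_OBJECT' comparison; the code then asks the
    allocator for that value reinterpreted as an unsigned size_t.
    """
    length, _ = der_read_length(data)
    as_c_int = ctypes.c_int32(length).value
    return as_c_int <= MAX_OBJECT          # negative values slip through here


def hardened_accepts(data: bytes) -> bool:
    """Keep the length unsigned, cap it, and require the body to be present."""
    length, consumed = der_read_length(data)
    if length > MAX_OBJECT:
        return False
    return length <= len(data) - 1 - consumed
```

Running the two checks on OVERSIZED_HEADER shows the difference: the signed model accepts a length that will never fit in memory, while the unsigned version rejects it before any allocation. The same discipline (compare as size_t, cap against a policy limit, then allocate) is the check to look for when auditing any DER reader.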
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability bulletin CVE-2011-4619

OpenSSL: denial of service via SGC

Synthesis of the vulnerability

An attacker can use the handshake restart feature of SGC without the Client Hello message, in order to create a denial of service.
Impacted products: BIG-IP Hardware, TMOS, FreeBSD, HP-UX, AIX, Tivoli Workload Scheduler, IVE OS, Junos Pulse, Juniper SA, OpenSSL, openSUSE, Solaris, JBoss EAP by Red Hat, ESX, ESXi, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Creation date: 13/03/2012.
Identifiers: 1643316, c03333987, CERTA-2012-AVI-286, CERTA-2012-AVI-479, CVE-2011-4619, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, ESXi410-201208101-SG, ESXi500-201212102-SG, FreeBSD-SA-12:01.openssl, HPSBUX02782, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, PSN-2012-09-712, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, SOL15389, SOL15461, SSRT100844, VIGILANCE-VUL-11428, VMSA-2012-0005.2, VMSA-2012-0012.1, VMSA-2012-0012.2, VMSA-2012-0013, VMSA-2012-0013.2, VMSA-2013-0003.

Description of the vulnerability

The SGC (Server Gated Cryptography) mechanism let export-restricted clients of the 1990s negotiate strong cryptography after the server presented a specially marked certificate. It is considered obsolete, but OpenSSL still accepts its handshake restart.

An attacker can trigger the handshake restart feature of SGC without sending a Client Hello message, in order to create a denial of service.

This vulnerability results from an incomplete correction of CVE-2011-4619 (VIGILANCE-VUL-11257): the first fix did not handle a restart that arrives without a Client Hello, and the same CVE identifier was kept for the second correction.

computer vulnerability announce CVE-2012-0884

OpenSSL: Bleichenbacher attack on CMS and PKCS7

Synthesis of the vulnerability

The Bleichenbacher attack can be used against the OpenSSL implementation of CMS and PKCS#7, in order to recover the plaintext of an RSA-encrypted message, using on the order of 2^20 oracle queries.
Impacted products: IPSO, Debian, Fedora, FreeBSD, HP-UX, AIX, Tivoli Workload Scheduler, IVE OS, Junos Pulse, Juniper SA, MES, Mandriva Linux, OpenSSL, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Creation date: 12/03/2012.
Identifiers: 1643316, BID-52428, c03333987, CERTA-2012-AVI-134, CERTA-2012-AVI-286, CERTA-2012-AVI-419, CVE-2012-0884, DSA-2454-1, FEDORA-2012-4659, FEDORA-2012-4665, FreeBSD-SA-12:01.openssl, HPSBUX02782, MDVSA-2012:038, openSUSE-SU-2012:0547-1, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, PSN-2012-09-712, RHSA-2012:0426-01, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, sk76360, SSRT100844, SUSE-SU-2012:0479-1, VIGILANCE-VUL-11427.

Description of the vulnerability

The PKCS#7 format is used to represent a signed or encrypted document. CMS (Cryptographic Message Syntax) is the successor of PKCS#7. S/MIME used PKCS#7, and now uses CMS. TLS/SSL uses neither PKCS#7 nor CMS, so this vulnerability does not affect SSL/TLS connections.

In 1998, Daniel Bleichenbacher published an adaptive chosen-ciphertext attack against RSA with PKCS#1 v1.5 padding: if the decrypting party reveals, through an error code or a timing difference, whether the padding of a submitted ciphertext is well formed, the attacker can recover the plaintext of a captured ciphertext by submitting many modified ciphertexts (c * s^e mod n for chosen values of s). This attack is named the "Million Message Attack" because it typically requires on the order of 2^20 queries to the oracle.

However, the OpenSSL implementation of CMS and PKCS#7 behaves as such an oracle, so the Bleichenbacher attack can be used against it, in order to recover the plaintext (typically the content-encryption key of the enveloped message) with about 2^20 messages.

Technical details are unknown.
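The general mechanism, as an added example that is not the bulletin's or OpenSSL's code: a PKCS#1 v1.5 decryptor that reports padding failures distinctly is an oracle, and the standard countermeasure is to continue with a random key so that every failure looks the same to the remote party. The toy RSA key (two Mersenne primes), the 16-byte key length and the probes are constructed for the example; the real OpenSSL fix applies the same idea inside CMS and PKCS#7 decryption.

```python
import os

# Constructed toy RSA key built from two Mersenne primes so the example runs
# offline; far too small for real use.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (27 here)
KEY_LEN = 16                           # content-encryption key carried in the envelope


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5 type 2 encoding: 00 02 <random nonzero PS> 00 <msg>."""
    ps_len = K - len(msg) - 3
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(b if b else 1 for b in os.urandom(ps_len))   # PS must be nonzero
    return b"\x00\x02" + ps + b"\x00" + msg


def rsa_encrypt(padded: bytes) -> int:
    return pow(int.from_bytes(padded, "big"), E, N)


def pkcs1_v15_unpad(padded: bytes) -> bytes:
    """Strict decoding: raises ValueError on any malformed padding."""
    if len(padded) != K or padded[0] != 0x00 or padded[1] != 0x02:
        raise ValueError("bad padding")
    sep = padded.find(b"\x00", 2)
    if sep < 10:                        # separator missing or fewer than 8 PS bytes
        raise ValueError("bad padding")
    return padded[sep + 1:]


def leaky_decrypt(c: int) -> bytes:
    """The oracle: a padding failure is reported distinctly from success, so a
    remote party submitting ciphertexts learns one bit per query."""
    padded = pow(c, D, N).to_bytes(K, "big")
    return pkcs1_v15_unpad(padded)


def hardened_decrypt(c: int) -> bytes:
    """Countermeasure: never report the padding result. On any failure, continue
    with a random key of the expected length so that the subsequent symmetric
    decryption fails in the same way as it would for a garbage ciphertext."""
    padded = pow(c, D, N).to_bytes(K, "big")
    try:
        key = pkcs1_v15_unpad(padded)
        if len(key) != KEY_LEN:
            raise ValueError("wrong key length")
    except ValueError:
        key = os.urandom(KEY_LEN)
    return key


def blind(c: int, s: int) -> int:
    """One Bleichenbacher probe: c * s^e mod n decrypts to s*m mod n, and the
    oracle's answer tells the attacker whether s*m lies in the well-formed range."""
    return (c * pow(s, E, N)) % N
```

With a genuine envelope, leaky_decrypt() returns the key; with the probe blind(c, 2) it raises, which is exactly the bit the attack collects. hardened_decrypt() returns a 16-byte key in both cases. The fallback must also take the same time as the success path, and deriving the fallback key deterministically from the ciphertext (rather than fresh randomness) prevents an attacker from distinguishing repeated queries of the same ciphertext.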

computer vulnerability announce CVE-2011-4108 CVE-2011-4109 CVE-2011-4576

OpenSSL: six vulnerabilities

Synthesis of the vulnerability

An attacker can use several OpenSSL vulnerabilities, in order to obtain information, to create a denial of service, and possibly to execute code.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, Tivoli Workload Scheduler, IVE OS, Junos Pulse, Juniper SA, MES, Mandriva Linux, NetBSD, OpenSSL, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, ESX, ESXi, VMware vSphere, VMware vSphere Hypervisor.
Severity: 3/4.
Creation date: 05/01/2012.
Identifiers: 1643316, BID-51281, c03141193, CERTA-2012-AVI-006, CERTA-2012-AVI-171, CERTA-2012-AVI-479, CVE-2011-4108, CVE-2011-4109, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2012-0027, DSA-2390-1, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, ESXi410-201208101-SG, ESXi500-201212102-SG, FEDORA-2012-0232, FEDORA-2012-0250, FreeBSD-SA-12:01.openssl, HPSBUX02734, MDVSA-2012:006, MDVSA-2012:007, openSUSE-SU-2012:0083-1, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, PSN-2012-09-712, RHSA-2012:0059-01, RHSA-2012:0060-01, RHSA-2012:0086-01, RHSA-2012:0109-01, RHSA-2012:0168-01, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, SOL15388, SOL15389, SOL15395, SOL15461, SSRT100729, SUSE-SU-2012:0084-1, SUSE-SU-2014:0320-1, VIGILANCE-VUL-11257, VMSA-2012-0005.2, VMSA-2012-0012.1, VMSA-2012-0012.2, VMSA-2012-0013, VMSA-2012-0013.2, VMSA-2013-0003.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

The DTLS (Datagram Transport Layer Security) protocol, based on TLS, provides a cryptographic layer over the UDP protocol. In CBC mode, the time taken to process a record differs depending on whether its padding is valid, and an attacker can measure this difference (a padding oracle) in order to retrieve the clear text (VIGILANCE-VUL-11262). [severity:1/4; CERTA-2012-AVI-006, CERTA-2012-AVI-171, CVE-2011-4108]

When the X509_V_FLAG_POLICY_CHECK flag is set on OpenSSL 0.9.8, an attacker can trigger a double free during certificate policy checking, which may lead to code execution. Apache httpd does not use this flag. [severity:3/4; CVE-2011-4109]

When SSL 3.0 is used, the block cipher padding bytes of each record (up to 15 bytes) are not cleared before the record is encrypted and sent, so they contain whatever the record buffer previously held. This occurs when a message is larger than the previous message, and in practice these bytes come from the handshake and are not sensitive. [severity:2/4; CVE-2011-4576]

When OpenSSL is built with "enable-rfc3779", a certificate containing malformed RFC 3779 data (X.509 Extensions for IP Addresses and AS Identifiers) triggers an assertion failure, which stops the application. [severity:2/4; CVE-2011-4577]

The SGC (Server Gated Cryptography) mechanism processes weak algorithms/keys, and it is considered obsolete. An attacker can use the handshake restart feature of SGC, in order to create a denial of service. [severity:2/4; CVE-2011-4619]

When the GOST ENGINE (GOST algorithms defined in draft-chudov-cryptopro-cptls-04) is enabled, an attacker can send invalid parameters, in order to stop the TLS server. [severity:2/4; CVE-2012-0027]
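The SSL 3.0 padding leak (CVE-2011-4576) is easy to reproduce in a model. The following Python, an added example rather than OpenSSL's code, builds SSL 3.0 padded records in a reused buffer: the leaky variant writes only the payload and the final padding-length byte, as SSL 3.0 requires, while the fixed variant clears the padding bytes. The block size, the buffer and the "handshake" record are constructed for the example; which earlier bytes end up in the padding in real OpenSSL depends on its buffer layout, which the model does not reproduce.

```python
BLOCK = 16   # block size of the record cipher in this model


def _pad_length(payload_len: int) -> int:
    """SSL 3.0 padding: total length is a multiple of the block size and the
    final byte holds the number of padding bytes that precede it."""
    return (BLOCK - (payload_len + 1) % BLOCK) % BLOCK


def ssl3_record_leaky(buf: bytearray, payload: bytes) -> bytes:
    """Pre-fix behaviour: only the payload and the final padding-length byte are
    written; the padding bytes keep whatever the reused buffer held before."""
    pad = _pad_length(len(payload))
    total = len(payload) + pad + 1
    buf[:len(payload)] = payload
    buf[total - 1] = pad
    return bytes(buf[:total])


def ssl3_record_fixed(buf: bytearray, payload: bytes) -> bytes:
    """Corrected behaviour: the padding bytes are explicitly cleared."""
    pad = _pad_length(len(payload))
    total = len(payload) + pad + 1
    buf[:len(payload)] = payload
    buf[len(payload):total - 1] = bytes(pad)
    buf[total - 1] = pad
    return bytes(buf[:total])


def padding_bytes(record: bytes) -> bytes:
    """What the peer (or anyone decrypting the record) sees in the padding."""
    pad = record[-1]
    return record[len(record) - 1 - pad:len(record) - 1]
```

After a 43-byte "handshake" record has been through the buffer, a 5-byte record built by ssl3_record_leaky() carries ten bytes of that earlier record in its padding; the same record built by ssl3_record_fixed() carries zeros. TLS 1.0 and later avoid the problem by defining the padding bytes' value, which is also why the fix is a simple memset.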

vulnerability alert 10111

Juniper Secure Access: several vulnerabilities

Synthesis of the vulnerability

An attacker can invoke server-side scripts without authentication, or perform Cross Site Scripting attacks, in Juniper Secure Access.
Impacted products: IVE OS, Juniper SA.
Severity: 2/4.
Creation date: 08/11/2010.
Identifiers: VIGILANCE-VUL-10111.

Description of the vulnerability

Several vulnerabilities were announced in Juniper Secure Access.

An attacker can use the "/dana-na/download/?url=" URL, in order to call other scripts of the server without authentication. [severity:2/4]

An attacker can trigger several Cross Site Scripting flaws. [severity:2/4]

computer vulnerability CVE-2009-2631

Cisco, Juniper, Microsoft, Nortel, Stonesoft: vulnerability of SSL VPN

Synthesis of the vulnerability

A design weakness of some Clientless SSL VPN products can be used by an attacker in order to obtain information from other web sites visited by the victim through the VPN.
Impacted products: Avaya Ethernet Routing Switch, ASA, IVE OS, Juniper SA, ISA, Nortel ESM, Nortel VPN Router, StoneGate Firewall.
Severity: 3/4.
Creation date: 09/12/2009.
Identifiers: 025367-01, 19500, 2009009920, 984744, BID-37152, CVE-2009-2631, KB15799, PSN-2009-11-580, VIGILANCE-VUL-9265, VU#261869.

Description of the vulnerability

Some SSL VPN products set up an SSL proxy to which users connect with their web browser. URLs of visited web sites are then rewritten as:
  https://proxy-ssl/origin-site/page.html
So, they appear to be hosted on the https://proxy-ssl/ server.

Web browsers enforce the same-origin policy: a script may only access the documents, cookies and data of the origin (scheme, host and port) it was loaded from. However, when an SSL proxy places different web sites under the same host name, they all share one origin, this protection is bypassed, and a malicious JavaScript script served by one site can read the content of every other site the victim browses through the proxy.

Some products rewrite the source code of web pages on the fly, in order to intercept JavaScript calls. However, an attacker can obfuscate his code so that the rewriting engine does not recognise these calls.

A design weakness of some Clientless SSL VPN products can therefore be used by an attacker in order to obtain information from other web sites visited by the victim.
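The origin collapse can be checked mechanically. The Python below is an added example (not code from any of the affected products): it applies the path-based rewriting scheme quoted above, computes the (scheme, host, port) origin a browser would use, and contrasts it with a host-based scheme in which each original site gets its own subdomain of the proxy. The proxy host name and the two target URLs are assumed for the example; the host-based scheme is shown only to illustrate what keeps origins apart (it needs a wildcard certificate and a collision-free label mapping in practice).

```python
from urllib.parse import urlsplit

PROXY_HOST = "proxy-ssl.example"     # assumed host name of the VPN appliance


def rewrite_path_based(target: str) -> str:
    """The scheme described above: every site lives under one proxy host name."""
    u = urlsplit(target)
    return f"https://{PROXY_HOST}/{u.scheme}/{u.hostname}{u.path or '/'}"


def rewrite_host_based(target: str) -> str:
    """Alternative scheme: each original site gets its own subdomain of the proxy,
    so the browser keeps the origins apart."""
    u = urlsplit(target)
    label = u.hostname.replace(".", "-")   # naive label mapping, for the example
    return f"https://{label}.{PROXY_HOST}{u.path or '/'}"


def origin(url: str):
    """The (scheme, host, port) triple a browser uses for same-origin decisions."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.scheme, u.hostname, port)


def same_origin(a: str, b: str) -> bool:
    return origin(a) == origin(b)
```

A bank page and an attacker's page are different origins on the open web, become the same origin once both are rewritten under https://proxy-ssl.example/, and stay distinct under the host-based scheme. Any site that can be reached through the proxy, including ones the administrator never intended, therefore has to be treated as part of the VPN's trust boundary.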

vulnerability alert CVE-2009-3555

TLS, OpenSSL, GnuTLS: vulnerability of the renegotiation

Synthesis of the vulnerability

A remote attacker can use a vulnerability of TLS in order to insert plain text data during a renegotiation via a man-in-the-middle attack.
Impacted products: Apache httpd, ArubaOS, BES, ProxySG par Blue Coat, SGOS by Blue Coat, Cisco ASR, ASA, AsyncOS, Cisco Catalyst, CiscoWorks, Cisco CSS, IOS by Cisco, IOS XR Cisco, IronPort Email, IronPort Management, Cisco Router, Secure ACS, Cisco CallManager, Cisco CUCM, Cisco IP Phone, WebNS, XenApp, XenDesktop, XenServer, Debian, BIG-IP Hardware, TMOS, Fedora, FortiOS, FreeBSD, HP-UX, AIX, WebSphere AS Traditional, IVE OS, Juniper J-Series, JUNOS, NSM Central Manager, NSMXpress, Juniper SA, Mandriva Corporate, MES, Mandriva Linux, Mandriva NF, IIS, Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, NSS, NetBSD, NetScreen Firewall, ScreenOS, NLD, OES, OpenBSD, OpenSolaris, OpenSSL, openSUSE, Oracle Directory Server, Oracle GlassFish Server, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Solaris, Trusted Solaris, ProFTPD, SSL protocol, RHEL, Slackware, Sun AS, SUSE Linux Enterprise Desktop, SLES, TurboLinux, Unix (platform) ~ not comprehensive, ESX.
Severity: 2/4.
Creation date: 10/11/2009.
Identifiers: 1021653, 111046, 273029, 273350, 274990, 6898371, 6898539, 6898546, 6899486, 6899619, 6900117, 977377, AID-020810, BID-36935, c01945686, c01963123, c02079216, CERTA-2011-ALE-005, CERTFR-2017-AVI-392, cisco-sa-20091109-tls, CTX123248, CTX123359, CVE-2009-3555, DSA-1934-1, DSA-2141-1, DSA-2141-2, DSA-2141-4, DSA-2626-1, DSA-3253-1, FEDORA-2009-12229, FEDORA-2009-12305, FEDORA-2009-12606, FEDORA-2009-12750, FEDORA-2009-12775, FEDORA-2009-12782, FEDORA-2009-12968, FEDORA-2009-13236, FEDORA-2009-13250, FEDORA-2010-1127, FEDORA-2010-3905, FEDORA-2010-3929, FEDORA-2010-3956, FEDORA-2010-5357, FEDORA-2010-8742, FEDORA-2010-9487, FEDORA-2010-9518, FG-IR-17-137, FreeBSD-SA-09:15.ssl, HPSBUX02482, HPSBUX02498, HPSBUX02517, KB25966, MDVSA-2009:295, MDVSA-2009:323, MDVSA-2009:337, MDVSA-2010:069, MDVSA-2010:076, MDVSA-2010:076-1, MDVSA-2010:089, MDVSA-2013:019, NetBSD-SA2010-002, openSUSE-SU-2010:1025-1, openSUSE-SU-2010:1025-2, openSUSE-SU-2011:0845-1, PM04482, PM04483, PM04534, PM04544, PM06400, PSN-2011-06-290, PSN-2012-11-767, RHSA-2009:1579-02, RHSA-2009:1580-02, RHSA-2010:0011-01, RHSA-2010:0119-01, RHSA-2010:0130-01, RHSA-2010:0155-01, RHSA-2010:0162-01, RHSA-2010:0163-01, RHSA-2010:0164-01, RHSA-2010:0165-01, RHSA-2010:0166-01, RHSA-2010:0167-01, SOL10737, SSA:2009-320-01, SSA:2010-067-01, SSRT090249, SSRT090264, SSRT100058, SUSE-SA:2009:057, SUSE-SA:2010:020, SUSE-SR:2010:008, SUSE-SR:2010:012, SUSE-SR:2011:008, SUSE-SU-2011:0847-1, TLSA-2009-30, TLSA-2009-32, VIGILANCE-VUL-9181, VMSA-2010-0015, VMSA-2010-0015.1, VMSA-2010-0019, VMSA-2010-0019.1, VMSA-2010-0019.2, VMSA-2010-0019.3, VU#120541.

Description of the vulnerability

Transport Layer Security (TLS) is a cryptographic protocol providing confidentiality and integrity for network connections.

When opening a connection using TLS, a handshake allows the client and server to authenticate each other and to agree on the cipher suite to use.

The protocol allows for renegotiation, that is a new handshake, at any time during the connection. However, the renegotiation is not cryptographically bound to the session that preceded it: the server cannot tell whether the peer of the new handshake is the same as the peer of the original one.

A man-in-the-middle attacker can therefore open a connection to the server, send data of his choice, and then splice the victim's own handshake into that connection as a renegotiation. The server treats the attacker's data as the beginning of the victim's data, so the attacker has inserted plain text at the start of the victim's session.
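The consequence for an HTTPS server is shown by the following Python simulation, an added example that models only the application-data level (no real TLS is involved). The attacker's prefix ends with an unterminated header, the publicly documented way of exploiting this flaw against HTTP, so that the victim's request line is swallowed and the victim's Cookie header is attached to the attacker's request. The second part models the renegotiation_info check of RFC 5746: the victim's ClientHello is an initial handshake and carries empty verify_data, so a server that requires the previous session's verify_data aborts instead of splicing. All messages and the verify_data value are constructed for the example.

```python
from typing import Optional

ATTACKER_VERIFY_DATA = b"\xa1" * 12   # constructed: Finished verify_data of the attacker's session

# Constructed messages. The attacker's prefix ends with an unterminated header
# so that the victim's request line is swallowed into it.
ATTACKER_PREFIX = (b"GET /account/transfer?to=attacker HTTP/1.1\r\n"
                   b"Host: bank.example\r\n"
                   b"X-Ignore: ")
VICTIM_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: bank.example\r\n"
                  b"Cookie: session=victim-secret\r\n\r\n")


def server_accepts_renegotiation(client_hello_ext: dict, secure: bool) -> bool:
    """Pre-RFC 5746 servers accept any ClientHello as a renegotiation. With the
    renegotiation_info extension, the ClientHello must carry the verify_data of
    the previous handshake; the victim's initial hello carries the empty value."""
    if not secure:
        return True
    return client_hello_ext.get("renegotiation_info") == ATTACKER_VERIFY_DATA


def server_stream(secure: bool) -> Optional[bytes]:
    """Application data as the server's HTTP layer sees it after the splice, or
    None when the renegotiation is refused and nothing is spliced."""
    victim_hello_ext = {"renegotiation_info": b""}    # an initial handshake
    if not server_accepts_renegotiation(victim_hello_ext, secure):
        return None
    return ATTACKER_PREFIX + VICTIM_REQUEST


def parse_first_request(stream: bytes):
    """Minimal HTTP/1.x parser: request line plus headers (last value wins)."""
    head, _, _ = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _ = lines[0].decode().split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode().partition(":")
        headers[name.strip()] = value.strip()
    return method, path, headers
```

Against the unpatched model the server executes the attacker's transfer with the victim's session cookie; with the RFC 5746 check the splice never reaches the HTTP layer. The practical remediation is therefore twofold: deploy implementations with secure renegotiation, and until then disable client-initiated renegotiation on servers.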

vulnerability bulletin CVE-2009-0590 CVE-2009-0591 CVE-2009-0789

OpenSSL: several vulnerabilities

Synthesis of the vulnerability

Three OpenSSL vulnerabilities can be used by an attacker to create a denial of service or to bypass validations.
Impacted products: Debian, FreeBSD, HP-UX, AIX, IVE OS, NSM Central Manager, NSMXpress, Juniper SA, Mandriva Corporate, Mandriva Linux, Mandriva NF, NetBSD, NLD, OES, OpenBSD, OpenSolaris, OpenSSL, openSUSE, Solaris, Trusted Solaris, PHP, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, TurboLinux, ESX, ESXi.
Severity: 2/4.
Creation date: 26/03/2009.
Identifiers: 258048, 6824175, BID-34256, c01762423, CERTA-2009-AVI-120, CERTA-2011-AVI-032, CVE-2009-0590, CVE-2009-0591, CVE-2009-0789, DSA-1763-1, FreeBSD-SA-09:08.openssl, HPSBUX02435, MDVSA-2009:087, NetBSD-SA2009-008, openSUSE-SU-2011:0845-1, PSN-2010-02-659, PSN-2012-11-767, RHSA-2009:1335-02, RHSA-2010:0163-01, secadv_20090325, SSA:2009-098-01, SSRT090059, SUSE-SR:2009:010, SUSE-SU-2011:0847-1, TLSA-2009-13, VIGILANCE-VUL-8563, VMSA-2010-0004, VMSA-2010-0004.1, VMSA-2010-0004.2, VMSA-2010-0004.3, VMSA-2010-0009, VMSA-2010-0009.1.

Description of the vulnerability

Three OpenSSL vulnerabilities can be used by an attacker to create a denial of service or to bypass validations.

When the encoded length of an ASN.1 string (BMPString or UniversalString) is invalid, the ASN1_STRING_print_ex() function reads outside the buffer (invalid memory access) and the application stops. [severity:2/4; CERTA-2009-AVI-120, CERTA-2011-AVI-032, CVE-2009-0590]

When the signed attributes of a signature are malformed, the CMS_verify() function does not handle the error correctly and indicates that the signature is valid. [severity:2/4; CVE-2009-0591]

When a malformed ASN.1 structure is received, its contents are freed and zeroed. On platforms where sizeof(long) is smaller than sizeof(void *), such as Win64, this later causes an invalid memory access which stops the application. [severity:1/4; CVE-2009-0789]

computer vulnerability CVE-2008-1181

Juniper Networks Secure Access: information disclosure

Synthesis of the vulnerability

An attacker can obtain the installation path of Juniper Networks Secure Access 2000.
Impacted products: IVE OS, Juniper SA.
Severity: 1/4.
Creation date: 05/03/2008.
Identifiers: CVE-2008-1181, PR07-42, VIGILANCE-VUL-7635.

Description of the vulnerability

The Juniper Networks Secure Access 2000 product exposes a web interface with pages such as:
  https://site/dana-na/auth/welcome.cgi
  https://site/dana-na/auth/remediate.cgi
  https://site/dana-na/auth/rdremediate.cgi

When an error occurs in the remediate.cgi script, it displays the path of the document root of the web site. For example:
  /home/webserver/htdocs/

An attacker can thus obtain the installation path of Juniper Networks Secure Access 2000.

vulnerability note CVE-2008-1180

Juniper Networks Secure Access: Cross Site Scripting

Synthesis of the vulnerability

An attacker can create a Cross Site Scripting in Juniper Networks Secure Access 2000.
Impacted products: IVE OS, Juniper SA.
Severity: 2/4.
Creation date: 05/03/2008.
Identifiers: CVE-2008-1180, PR07-41, VIGILANCE-VUL-7634.

Description of the vulnerability

The Juniper Networks Secure Access 2000 product exposes a web interface with pages such as:
  https://site/dana-na/auth/welcome.cgi
  https://site/dana-na/auth/remediate.cgi
  https://site/dana-na/auth/rdremediate.cgi

However, the delivery_mode parameter of rdremediate.cgi is not escaped before being echoed into the HTML error page.

An attacker can therefore perform a Cross Site Scripting attack against users of Juniper Networks Secure Access 2000.