The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Novell OES

computer vulnerability bulletin CVE-2011-4194

Novell Open Enterprise Server: buffer overflow via iPrint

Synthesis of the vulnerability

A remote attacker can generate a buffer overflow in Novell iPrint Server, in order to execute code.
Impacted products: OES.
Severity: 3/4.
Creation date: 02/02/2012.
Identifiers: 7010084, BID-51791, CVE-2011-4194, VIGILANCE-VUL-11338, ZDI-12-031.

Description of the vulnerability

IPP (Internet Printing Protocol) is used to manage printers remotely.

The IPP Print-Job and Create-Job operations print a file or create a print job. A Print-Job or Create-Job request can carry attributes such as:
 - attributes-charset
 - attributes-natural-language
 - printer-uri
 - etc.

However, if an IPP request carries a long "attributes-natural-language" attribute, a buffer overflow occurs in Novell iPrint Server.

A remote attacker can therefore generate a buffer overflow in Novell iPrint Server, in order to execute code.

computer vulnerability bulletin CVE-2010-4072 CVE-2010-4073

Linux kernel: memory reading via ipc

Synthesis of the vulnerability

A local attacker can use an IPC, in order to read bytes stored in the kernel memory.
Impacted products: Debian, Fedora, Linux, Mandriva Corporate, MES, NLD, OES, openSUSE, RHEL, SLES, ESX.
Severity: 1/4.
Creation date: 07/10/2010.
Revision date: 06/09/2011.
Identifiers: BID-43828, BID-43829, BID-45054, BID-45073, CERTA-2002-AVI-272, CVE-2010-4072, CVE-2010-4073, DSA-2126-1, ESX400-201110001, ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110406-SG, ESX400-201110408-SG, ESX400-201110409-SG, ESX400-201110410-SG, FEDORA-2010-18432, FEDORA-2010-18493, FEDORA-2010-18506, MDVSA-2011:029, MDVSA-2011:051, openSUSE-SU-2010:1047-1, openSUSE-SU-2011:0004-1, openSUSE-SU-2011:0048-1, openSUSE-SU-2011:0346-1, openSUSE-SU-2013:0927-1, RHSA-2010:0958-01, RHSA-2011:0007-01, RHSA-2011:0017-01, RHSA-2011:0162-01, SUSE-SA:2010:060, SUSE-SA:2011:001, SUSE-SA:2011:004, SUSE-SA:2011:007, SUSE-SA:2011:008, SUSE-SA:2011:017, SUSE-SU-2011:0928-1, VIGILANCE-VUL-10008, VMSA-2011-0004.2, VMSA-2011-0009.1, VMSA-2011-0010.2, VMSA-2011-0012, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005.

Description of the vulnerability

Several system calls manage IPC (Inter Process Communication):
 - semctl() : semaphores
 - shmctl() : shared memory
 - msgctl() : messages
However, these functions do not initialize every field of the structures they copy back to user space. Stale kernel data is thus returned to the user.

The shmctl() function of the ipc/shm.c file does not correctly initialize the shmid_ds structure. [severity:1/4; BID-43829, BID-45054, CVE-2010-4072]

The semctl(), shmctl() and msgctl() functions of the ipc/compat.c file do not correctly initialize several structures. [severity:1/4; BID-43828, BID-45073, CVE-2010-4073]

A local attacker can therefore use an IPC, in order to read bytes stored in the kernel memory.

vulnerability note CVE-2011-2483

crypt_blowfish: hash collision

Synthesis of the vulnerability

When a user's password contains 8-bit characters, the Blowfish hashing algorithm of crypt() generates an invalid hash, which is potentially faster to find by brute force.
Impacted products: Debian, MES, Mandriva Linux, NLD, OES, openSUSE, PostgreSQL, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 19/08/2011.
Identifiers: CVE-2011-2483, DSA-2340-1, MDVSA-2011:161, MDVSA-2011:178, MDVSA-2011:179, MDVSA-2011:180, openSUSE-SU-2011:0921-1, openSUSE-SU-2011:0921-2, openSUSE-SU-2011:0970-1, openSUSE-SU-2011:0972-1, openSUSE-SU-2012:0480-1, openSUSE-SU-2013:1670-1, openSUSE-SU-2013:1676-1, RHSA-2011:1377-01, RHSA-2011:1378-01, SUSE-SA:2011:035, SUSE-SU-2011:0922-1, SUSE-SU-2011:0923-1, SUSE-SU-2011:0927-1, SUSE-SU-2011:0971-1, SUSE-SU-2011:0974-1, SUSE-SU-2011:0991-1, SUSE-SU-2011:1081-1, SUSE-SU-2011:1081-2, VIGILANCE-VUL-10934.

Description of the vulnerability

The crypt() function hashes the password of a user. When a user is added, the hash is stored in the /etc/shadow file. When the user authenticates, the hash of the entered password is compared to the hash from /etc/shadow.

The crypt() function supports several hash algorithms:
 - DES
 - MD5 (prefix $1$)
 - Blowfish (prefix $2a$), which is implemented in the crypt_blowfish library

However, crypt_blowfish uses signed C characters (-128 to 127) instead of unsigned characters (0 to 255). The generated hash is thus invalid if the password contains 8-bit characters.

This error has no impact on user authentication, because the invalid hash is what was stored in the /etc/shadow file, and the invalid hash computed from the entered password is the same.

However, the generated hash is subject to collisions: several passwords can have the same hash. A brute force attack thus has to test fewer passwords before finding the user's password.

When a user's password contains 8-bit characters, the Blowfish hashing algorithm of crypt() therefore generates an invalid hash, which is potentially faster to find by brute force.
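An added example, my own code rather than crypt_blowfish's, of the key-packing step in which the signed-character defect described above takes effect; the function names and the sample passwords are constructed for the demonstration:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_WORDS 18

/* Packs the password into the 18 32-bit words the bcrypt key schedule
 * consumes: 4 bytes per word, cycling over the string (terminating NUL
 * included). With signed_bug set, each byte passes through a signed char,
 * as in the affected crypt_blowfish on x86: a byte 0x80..0xFF is
 * sign-extended to 0xFFFFFFxx before the OR and wipes the bytes already
 * placed in that word, so passwords differing only there collide. */
static void pack_key(const char *key, uint32_t out[KEY_WORDS], int signed_bug)
{
    const char *ptr = key;
    for (int i = 0; i < KEY_WORDS; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            tmp <<= 8;
            if (signed_bug)
                tmp |= (uint32_t)(int)(signed char)*ptr;  /* CVE-2011-2483 */
            else
                tmp |= (unsigned char)*ptr;               /* corrected form */
            ptr = *ptr ? ptr + 1 : key;
        }
        out[i] = tmp;
    }
}

/* First key word of a password, handy for seeing what was lost. */
static uint32_t first_word(const char *pw, int signed_bug)
{
    uint32_t w[KEY_WORDS];
    pack_key(pw, w, signed_bug);
    return w[0];
}

/* Returns 1 when two passwords yield identical key material, i.e. would
 * produce the same bcrypt hash for a given salt and cost. */
static int same_key_words(const char *a, const char *b, int signed_bug)
{
    uint32_t ka[KEY_WORDS], kb[KEY_WORDS];
    pack_key(a, ka, signed_bug);
    pack_key(b, kb, signed_bug);
    return memcmp(ka, kb, sizeof ka) == 0;
}

/* Constructed sample passwords: they differ only in the bytes that precede
 * the 8-bit byte 0xFF inside the same 32-bit word. */
static const char PW_A[] = "ab\xff";
static const char PW_B[] = "xy\xff";

int main(void)
{
    printf("signed   word0 = %08x\n", first_word(PW_A, 1));  /* ffffff00 */
    printf("unsigned word0 = %08x\n", first_word(PW_A, 0));  /* 6162ff00 */
    printf("collide (signed)   = %d\n", same_key_words(PW_A, PW_B, 1));
    printf("collide (unsigned) = %d\n", same_key_words(PW_A, PW_B, 0));
    return 0;
}
```

Pure ASCII passwords pack identically under both forms, which is why authentication keeps working and only the collision space changes.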

vulnerability bulletin CVE-2011-2697 CVE-2011-2964

foomatic-rip: code execution via PPD

Synthesis of the vulnerability

When the system is configured to use a foomatic-rip or foomatic-rip-hplip print filter, a local attacker (or remote attacker via CUPS) can print a document, in order to execute code with the privileges of the lp user.
Impacted products: Debian, Fedora, Mandriva Corporate, MES, Mandriva Linux, NLD, OES, openSUSE, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 02/08/2011.
Identifiers: 698451, CVE-2011-2697, CVE-2011-2964, DSA-2380-1, FEDORA-2011-9554, FEDORA-2011-9575, MDVSA-2011:125, openSUSE-SU-2011:0892-1, RHSA-2011:1109-01, RHSA-2011:1110-01, SUSE-SU-2011:0895-1, VIGILANCE-VUL-10883.

Description of the vulnerability

The foomatic-rip or foomatic-rip-hplip filter (written in C or in Perl) adapts print jobs to printers.

A PPD (PostScript Printer Description) file contains a FoomaticRIPCommandLine directive, which indicates the command line that foomatic-rip executes.

The "-p" option of foomatic-rip indicates the name of a spool file to use. However, when "-p" is used, foomatic-rip also accepts a PPD file provided by the user. The "-p" option can be injected via the "-U" option of lp, which indicates the user name, because all parameters are concatenated regardless of their origin.

An attacker can therefore print with a "-U" option containing "-p" and a PPD file containing a malicious FoomaticRIPCommandLine command. This command is run with the privileges of the print system.

When the system is configured to use a foomatic-rip or foomatic-rip-hplip print filter, a local attacker (or remote attacker via CUPS) can therefore print a document, in order to execute code with the privileges of the lp user.

vulnerability alert CVE-2011-2522 CVE-2011-2694

Samba: two vulnerabilities of SWAT

Synthesis of the vulnerability

An attacker can use two vulnerabilities of the Samba Web Administration Tool, in order to perform a Cross Site Request Forgery and a Cross Site Scripting attack.
Impacted products: Debian, Fedora, HP-UX, Mandriva Corporate, MES, Mandriva Linux, NLD, OES, openSUSE, Solaris, RHEL, Samba, Slackware, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 2/4.
Creation date: 27/07/2011.
Identifiers: 8289, 8290, 8347, BID-48899, BID-48901, c03297338, CERTA-2011-AVI-416, CERTA-2011-AVI-493, CERTA-2012-AVI-232, CVE-2011-2522, CVE-2011-2694, DSA-2290-1, FEDORA-2011-10341, FEDORA-2011-10367, HPSBUX02768, MDVSA-2011:121, openSUSE-SU-2011:0998-1, RHSA-2011:1219-01, RHSA-2011:1220-01, RHSA-2011:1221-01, SSA:2011-210-03, SSRT100664, SUSE-SU-2011:0981-1, SUSE-SU-2011:0999-1, SUSE-SU-2011:1001-1, SUSE-SU-2011:1002-1, VIGILANCE-VUL-10871.

Description of the vulnerability

The Samba server can be administered via the SWAT (Samba Web Administration Tool) web interface, which is not enabled by default. Two vulnerabilities impact SWAT.

The SWAT web site does not use session tokens. When an administrator is connected to SWAT, an attacker can thus invite him to display an HTML page containing images with special URLs. When the images are loaded, these URLs perform administration operations. As SWAT does not check whether these URLs were issued from the administrator's session, the administration operations are carried out directly. [severity:2/4; 8290, BID-48899, CERTA-2011-AVI-416, CERTA-2012-AVI-232, CVE-2011-2522]

The SWAT web site uses the SWAT_USER ("username") variable to hold the name of the current user. The chg_passwd() function of the source/web/swat.c file changes the password of the user. However, this function directly displays the user name stored in the SWAT_USER variable. If a username given as a parameter contains JavaScript code, the generated HTML page thus also contains this JavaScript code. [severity:2/4; 8289, BID-48901, CVE-2011-2694]

An attacker can therefore use two vulnerabilities of the Samba Web Administration Tool, in order to perform a Cross Site Request Forgery and a Cross Site Scripting attack.

vulnerability CVE-2011-2721

ClamAV: denial of service via cli_hm_scan

Synthesis of the vulnerability

An attacker can send an email containing a malicious attachment, in order to generate an error in the cli_hm_scan() function, which stops ClamAV.
Impacted products: ClamAV, Fedora, Mandriva Corporate, MES, Mandriva Linux, NLD, OES, openSUSE, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 26/07/2011.
Identifiers: 2818, BID-48891, CVE-2011-2721, FEDORA-2011-10053, FEDORA-2011-10090, MDVSA-2011:122, openSUSE-SU-2011:0940-1, SUSE-SU-2011:0948-1, VIGILANCE-VUL-10870.

Description of the vulnerability

The libclamav/matcher-hash.c file implements hash-based virus signatures, using the MD5, SHA1 and SHA256 algorithms.

An email can contain a PDF attachment containing a malicious object. When ClamAV analyzes this object, it calls the cli_scanraw() function, which calls the cli_hm_scan() function of the libclamav/matcher-hash.c file, in order to check whether its hash matches a known signature. However, the function reads the memory located after the last hash, which causes a segmentation fault (especially on Solaris).

An attacker can therefore send an email containing a malicious attachment, in order to generate an error in the cli_hm_scan() function, which stops ClamAV.

vulnerability CVE-2011-2692

libpng: denial of service via sCAL

Synthesis of the vulnerability

An attacker can invite the victim to display a malicious PNG image, in order to generate a denial of service in applications linked to libpng.
Impacted products: Debian, Fedora, libpng, MES, Mandriva Linux, NLD, OES, openSUSE, Solaris, Trusted Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Creation date: 08/07/2011.
Identifiers: BID-48618, CERTA-2003-AVI-037, CVE-2011-2692, DSA-2287-1, FEDORA-2011-10928, FEDORA-2011-10954, FEDORA-2011-8844, FEDORA-2011-8867, FEDORA-2011-9336, FEDORA-2011-9343, MDVSA-2011:151, openSUSE-SU-2011:0915-1, RHSA-2011:1103-01, RHSA-2011:1104-01, RHSA-2011:1105-01, SUSE-SU-2011:0916-1, SUSE-SU-2011:0919-1, VIGILANCE-VUL-10820, VU#819894.

Description of the vulnerability

The libpng library is used by several applications to decode or display PNG images.

The sCAL ("Physical Scale") chunk of a PNG image defines its relative scale. Its format is:
 - one byte: unit (meter)
 - the X axis multiplier, stored as text (for example "2.5")
 - a null byte
 - the Y axis multiplier, stored as text (for example "2.5")

However, if the sCAL chunk is empty, or if the null byte is missing, the png_handle_sCAL() function reads from an invalid memory address.

An attacker can therefore invite the victim to display a malicious PNG image, in order to generate a denial of service in applications linked to libpng.
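An added defensive parser for the sCAL payload laid out above (my own code, not libpng's; the status, field and function names are assumptions), which rejects an empty chunk and a missing null separator instead of reading past the end of the buffer:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum scal_status { SCAL_OK, SCAL_EMPTY, SCAL_BAD_UNIT, SCAL_NO_SEPARATOR,
                   SCAL_EMPTY_FIELD, SCAL_TOO_LONG, SCAL_BAD_NUMBER };

struct scal {
    uint8_t unit;    /* 1 = meter, 2 = radian, per the PNG specification */
    char x[32];      /* X axis multiplier, ASCII floating point */
    char y[32];      /* Y axis multiplier, ASCII floating point */
};

/* Accepts only the characters an ASCII floating-point number may use. */
static int is_fp_text(const char *s)
{
    for (; *s; s++)
        if (!((*s >= '0' && *s <= '9') || strchr(".+-eE", *s)))
            return 0;
    return 1;
}

/* Parses a raw sCAL chunk payload: unit byte, X text, NUL, Y text.
 * Every access is bounded by len, so an empty chunk or one without the
 * NUL separator is rejected rather than read beyond the buffer. */
static enum scal_status parse_scal(const uint8_t *data, size_t len, struct scal *out)
{
    if (len == 0)
        return SCAL_EMPTY;                       /* not even a unit byte */
    out->unit = data[0];
    if (out->unit != 1 && out->unit != 2)
        return SCAL_BAD_UNIT;
    /* memchr stops at len; strlen on an unterminated chunk would not. */
    const uint8_t *nul = memchr(data + 1, '\0', len - 1);
    if (nul == NULL)
        return SCAL_NO_SEPARATOR;
    size_t xlen = (size_t)(nul - (data + 1));
    size_t ylen = len - 1 - xlen - 1;
    if (xlen == 0 || ylen == 0)
        return SCAL_EMPTY_FIELD;
    if (xlen >= sizeof out->x || ylen >= sizeof out->y)
        return SCAL_TOO_LONG;
    memcpy(out->x, data + 1, xlen);
    out->x[xlen] = '\0';
    memcpy(out->y, nul + 1, ylen);
    out->y[ylen] = '\0';
    if (!is_fp_text(out->x) || !is_fp_text(out->y))
        return SCAL_BAD_NUMBER;
    return SCAL_OK;
}

/* Constructed payloads, not taken from any real file. */
static const char SCAL_GOOD[]   = "\x01" "2.5\0" "3.0";  /* 8 bytes, valid */
static const char SCAL_NO_NUL[] = "\x01" "2.5";          /* separator missing */

int main(void)
{
    struct scal s;
    printf("good   -> %d\n", parse_scal((const uint8_t *)SCAL_GOOD, sizeof SCAL_GOOD - 1, &s));
    printf("no nul -> %d\n", parse_scal((const uint8_t *)SCAL_NO_NUL, sizeof SCAL_NO_NUL - 1, &s));
    printf("empty  -> %d\n", parse_scal((const uint8_t *)SCAL_GOOD, 0, &s));
    return 0;
}
```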

vulnerability announce CVE-2011-2501 CVE-2011-2691

libpng: denial of service of png_format_buffer

Synthesis of the vulnerability

An attacker can invite the victim to display a malformed PNG image, in order to stop applications linked to libpng.
Impacted products: Debian, Fedora, libpng, MES, Mandriva Linux, NLD, OES, openSUSE, Solaris, Trusted Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Creation date: 28/06/2011.
Identifiers: BID-48474, BID-48660, CERTA-2003-AVI-037, CVE-2011-2501, CVE-2011-2691, DSA-2287-1, FEDORA-2011-8844, FEDORA-2011-8867, FEDORA-2011-8868, FEDORA-2011-8874, FEDORA-2011-9336, FEDORA-2011-9343, MDVSA-2011:151, openSUSE-SU-2011:0915-1, RHSA-2011:1105-01, SUSE-SU-2011:0916-1, SUSE-SU-2011:0919-1, VIGILANCE-VUL-10782.

Description of the vulnerability

The libpng library is used to process PNG (Portable Network Graphics) images.

The png_chunk_error() and png_chunk_warning() functions create error messages to indicate that an image is invalid. These functions call the png_format_buffer() function, which contains the following code:
  png_memcpy(buffer+iout, error_message, PNG_MAX_ERROR_TEXT); /* PNG_MAX_ERROR_TEXT is 64 */
This call thus always appends 64 bytes to the buffer, regardless of the length of the message.

However, if the message is only 10 bytes long, 64 bytes are still copied, so 54 bytes located after the end of the message string are read. If these bytes are located in a different memory page, a segmentation fault occurs.

An attacker can therefore invite the victim to display a malformed PNG image, in order to stop applications linked to libpng.

This vulnerability is a regression of VIGILANCE-VUL-4148.

vulnerability announce CVE-2011-0786 CVE-2011-0788 CVE-2011-0802

Java JRE/JDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Java JRE/JDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Impacted products: Debian, Fedora, HPE NNMi, HP-UX, NSMXpress, MES, Mandriva Linux, NLD, OES, Java OpenJDK, openSUSE, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX, vCenter Server.
Severity: 4/4.
Creation date: 08/06/2011.
Identifiers: BID-48133, BID-48134, BID-48135, BID-48136, BID-48137, BID-48138, BID-48139, BID-48140, BID-48141, BID-48142, BID-48143, BID-48144, BID-48145, BID-48146, BID-48147, BID-48148, BID-48149, c02945548, c03316985, c03358587, c03405642, CERTA-2003-AVI-005, CERTA-2011-AVI-336, CERTA-2012-AVI-286, CERTA-2012-AVI-395, CVE-2011-0786, CVE-2011-0788, CVE-2011-0802, CVE-2011-0814, CVE-2011-0815, CVE-2011-0817, CVE-2011-0862, CVE-2011-0863, CVE-2011-0864, CVE-2011-0865, CVE-2011-0866, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871, CVE-2011-0872, CVE-2011-0873, DSA-2311-1, DSA-2358-1, FEDORA-2011-8003, FEDORA-2011-8020, FEDORA-2011-8028, HPSBMU02797, HPSBMU02799, HPSBUX02697, HPSBUX02777, javacpujune2011, MDVSA-2011:126, openSUSE-SU-2011:0633-1, openSUSE-SU-2011:0706-1, PSN-2012-08-686, PSN-2012-08-687, PSN-2012-08-688, PSN-2012-08-689, PSN-2012-08-690, RHSA-2011:0856-01, RHSA-2011:0857-01, RHSA-2011:0860-01, RHSA-2011:0938-01, RHSA-2011:1087-01, RHSA-2011:1159-01, RHSA-2011:1265-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT100591, SSRT100854, SSRT100867, SUSE-SA:2011:030, SUSE-SA:2011:032, SUSE-SA:2011:036, SUSE-SU-2011:0632-1, SUSE-SU-2011:0807-1, SUSE-SU-2011:0863-1, SUSE-SU-2011:0863-2, SUSE-SU-2011:0966-1, SUSE-SU-2011:1082-1, TPTI-11-06, VIGILANCE-VUL-10722, VMSA-2011-0013.1, ZDI-11-182, ZDI-11-183, ZDI-11-184, ZDI-11-185, ZDI-11-186, ZDI-11-187, ZDI-11-188, ZDI-11-189, ZDI-11-190, ZDI-11-191, ZDI-11-192, ZDI-11-199.

Description of the vulnerability

Several vulnerabilities were announced in Java JRE/JDK. The most severe vulnerabilities lead to code execution.

An attacker can use a vulnerability of 2D (ICC profile), in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48137, CVE-2011-0862, TPTI-11-06, ZDI-11-183, ZDI-11-184, ZDI-11-185, ZDI-11-186, ZDI-11-187, ZDI-11-188, ZDI-11-189, ZDI-11-190, ZDI-11-191]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48148, CVE-2011-0873]

An attacker can use a vulnerability of AWT, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48143, CVE-2011-0815]

An attacker can use a vulnerability of Deployment (IE Browser Plugin), in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48134, CVE-2011-0817, ZDI-11-182]

An attacker can use a vulnerability of Deployment (Java Web Start), in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48138, CVE-2011-0863, ZDI-11-192]

An attacker can use a vulnerability of HotSpot, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48139, CVE-2011-0864]

An attacker can use a vulnerability of Soundbank Decompression, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48149, CVE-2011-0802, ZDI-11-199]

An attacker can use a vulnerability of Sound, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48145, CVE-2011-0814]

An attacker can use a vulnerability of Swing, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48142, CVE-2011-0871]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-48133, CERTA-2011-AVI-336, CVE-2011-0786]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-48135, CVE-2011-0788]

An attacker can use a vulnerability of Java Runtime Environment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-48136, CVE-2011-0866]

An attacker can use a vulnerability of 2D, in order to obtain information. [severity:2/4; BID-48140, CVE-2011-0868]

An attacker can use a vulnerability of NIO, in order to create a denial of service. [severity:2/4; BID-48141, CVE-2011-0872]

An attacker can use a vulnerability of Networking, in order to obtain information. [severity:2/4; BID-48144, CVE-2011-0867]

An attacker can use a vulnerability of SAAJ, in order to obtain information. [severity:2/4; BID-48146, CVE-2011-0869]

An attacker can use a vulnerability of Deserialization, in order to alter information. [severity:1/4; BID-48147, CVE-2011-0865]

computer vulnerability announce CVE-2011-1926

Cyrus IMAP: command injection with STARTTLS

Synthesis of the vulnerability

Even when the IMAP client checks the TLS certificate of the messaging server, an attacker can inject commands into the session.
Impacted products: Debian, Fedora, Mandriva Corporate, MES, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 03/05/2011.
Identifiers: 3424, CVE-2011-1926, DSA-2242-1, DSA-2258-1, FEDORA-2011-7193, FEDORA-2011-7217, MDVSA-2011:100, openSUSE-SU-2011:0800-1, RHSA-2011:0859-01, SUSE-SU-2011:0767-1, SUSE-SU-2011:0776-1, SUSE-SU-2011:0776-2, SUSE-SU-2011:0791-1, VIGILANCE-VUL-10617.

Description of the vulnerability

An attacker acting as a Man-in-the-Middle between an IMAP client and its server could inject IMAP commands. Clients that use TLS detect this attack when they verify the TLS certificate provided by the server.

When the IMAP protocol is encapsulated in a TLS session (RFC 2595), the client starts the IMAP session in clear text, then sends the STARTTLS command, which starts a TLS tunnel inside which the IMAP session restarts.

However, if an attacker sends an IMAP command right after the STARTTLS command, while the connection is still in clear text, that command stays in the receive buffer of the IMAP session. When the session restarts inside TLS, the attacker's command is thus the first one to be interpreted. This error is due to the receive buffer not being emptied before the IMAP session restarts.

Even when the IMAP client checks the TLS certificate of the messaging server, an attacker can therefore inject commands into the session.

This vulnerability is a variant of VIGILANCE-VUL-10428.
