The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of OES

computer vulnerability announce CVE-2011-1926

Cyrus IMAP: command injection with STARTTLS

Synthesis of the vulnerability

Even when the IMAP client checks the TLS certificate of the messaging server, an attacker can inject commands into the session.
Impacted products: Debian, Fedora, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: data reading, data creation/edition, data flow.
Provenance: intranet client.
Creation date: 03/05/2011.
Identifiers: 3424, CVE-2011-1926, DSA-2242-1, DSA-2258-1, FEDORA-2011-7193, FEDORA-2011-7217, MDVSA-2011:100, openSUSE-SU-2011:0800-1, RHSA-2011:0859-01, SUSE-SU-2011:0767-1, SUSE-SU-2011:0776-1, SUSE-SU-2011:0776-2, SUSE-SU-2011:0791-1, VIGILANCE-VUL-10617.

Description of the vulnerability

An attacker positioned as a Man-in-the-Middle between an IMAP client and its server can try to inject IMAP commands. Clients that use TLS normally detect this attack when they verify the TLS certificate presented by the server.

When IMAP is protected by TLS through STARTTLS (RFC 2595), the client starts the session in plaintext, then sends the STARTTLS command; the TLS handshake follows and the IMAP session restarts inside the tunnel.

However, if the attacker appends an IMAP command in plaintext right after the STARTTLS command, before the TLS handshake, the server reads it into the same input buffer as STARTTLS. Cyrus IMAP does not empty this buffer before restarting the IMAP session, so the attacker's command is the first one interpreted after the handshake, as if the client had sent it through the encrypted channel.

Even when the IMAP client checks the TLS certificate of the messaging server, an attacker can therefore inject commands into the session.

This vulnerability is a variant of VIGILANCE-VUL-10428.
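The buffering defect described above, as an added simulation that is not Cyrus IMAP code: run_server() models a server's input buffer and command loop, with the TLS handshake reduced to the moment the loop starts treating input as encrypted, and the only difference between the vulnerable and fixed behaviour is whether the buffer is emptied at that moment. The plaintext segment and the post-handshake bytes are constructed; bytes_after_starttls() is the check a server or a network monitor can apply to the cleartext phase, since a correct client sends nothing after STARTTLS until the handshake completes.

```python
"""Simulation of the STARTTLS buffer-flush defect (server side) and its fix."""

# Constructed traffic (not a capture): one plaintext TCP segment as forwarded
# by the man-in-the-middle (the client's STARTTLS with an extra command
# appended in cleartext), and the first bytes the real client sends once the
# TLS handshake is done.
PLAINTEXT_SEGMENT = b"a001 STARTTLS\r\na002 CREATE INBOX.attacker\r\n"
FIRST_TLS_BYTES = b"a003 LOGIN victim s3cret\r\n"


def bytes_after_starttls(segment: bytes) -> bytes:
    """Return any cleartext that follows the STARTTLS line in one segment.

    A non-empty result is the injection signature: nothing legitimate should
    arrive between STARTTLS and the end of the handshake."""
    head, sep, tail = segment.partition(b"\r\n")
    if not sep:
        return b""
    _tag, _, cmd = head.partition(b" ")
    return tail if cmd.strip().upper() == b"STARTTLS" else b""


def run_server(plaintext_segment: bytes, tls_bytes: bytes, flush_after_starttls: bool):
    """Simulate the server's command loop over one connection.

    Returns (commands handled in cleartext, commands handled after TLS was
    negotiated). The TLS layer is modelled as the point where 'in_tls' flips
    and later input is taken from tls_bytes (the decrypted stream)."""
    buf = bytearray(plaintext_segment)
    in_tls = False
    tls_data_delivered = False
    cleartext_cmds, tls_cmds = [], []
    while True:
        end = buf.find(b"\r\n")
        if end < 0:
            # Buffer drained; the only further input arrives through TLS.
            if in_tls and not tls_data_delivered:
                buf += tls_bytes
                tls_data_delivered = True
                continue
            break
        line = bytes(buf[:end])
        del buf[:end + 2]
        _tag, _, command = line.partition(b" ")
        if not in_tls and command.upper() == b"STARTTLS":
            cleartext_cmds.append(line)
            # The handshake happens here. The vulnerable server keeps whatever
            # it had already read into buf; the fixed server discards it.
            if flush_after_starttls:
                buf.clear()
            in_tls = True
            continue
        (tls_cmds if in_tls else cleartext_cmds).append(line)
    return cleartext_cmds, tls_cmds


if __name__ == "__main__":
    print("cleartext tail after STARTTLS:", bytes_after_starttls(PLAINTEXT_SEGMENT))
    for flush in (False, True):
        _clear, tls = run_server(PLAINTEXT_SEGMENT, FIRST_TLS_BYTES, flush)
        print("flush" if flush else "no flush", "-> commands run inside TLS:", tls)
```

Without the flush, the attacker's CREATE is executed before the client's own LOGIN and its response goes back to the client over TLS; with the flush, only what the client actually sent after the handshake is processed.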
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2011-1590 CVE-2011-1591 CVE-2011-1592

Wireshark: three vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Wireshark can be used by a remote attacker to create a denial of service or to execute code.
Impacted products: Debian, Fedora, Mandriva Linux, NLD, OES, OpenSolaris, openSUSE, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Wireshark.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 18/04/2011.
Identifiers: 5209, 5754, 5793, BID-47392, CERTA-2003-AVI-004, CVE-2011-1590, CVE-2011-1591, CVE-2011-1592, DSA-2274-1, FEDORA-2011-5529, FEDORA-2011-5569, MDVSA-2011:083, openSUSE-SU-2011:0599-1, openSUSE-SU-2011:0602-1, RHSA-2012:0509-01, SUSE-SU-2011:0604-1, SUSE-SU-2011:0611-1, VIGILANCE-VUL-10571, VU#243670, wnpa-sec-2011-05, wnpa-sec-2011-06.

Description of the vulnerability

The Wireshark program captures and displays network packets. Each protocol is decoded by a dissector, and several dissectors are affected by the following vulnerabilities.

On Windows, an attacker can stop the NFS dissector. [severity:1/4; 5209, CVE-2011-1592]

An attacker can stop the X.509if dissector. [severity:1/4; 5754, 5793, CVE-2011-1590]

An attacker can generate a buffer overflow in the DECT dissector, in order to execute code. [severity:2/4; CVE-2011-1591, VU#243670]

computer vulnerability note CVE-2011-0285

MIT krb5: denial of service of kadmind in schpw

Synthesis of the vulnerability

An attacker can send a malicious password change query to MIT krb5 kadmind, in order to stop it.
Impacted products: Fedora, Mandriva Linux, MIT krb5, NLD, OES, openSUSE, RHEL, SLES.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 12/04/2011.
Revision date: 14/04/2011.
Identifiers: 621726, BID-47310, CERTA-2011-AVI-222, CVE-2011-0285, FEDORA-2011-5343, FEDORA-2011-5345, MDVSA-2011:077, MITKRB5-SA-2011-004, openSUSE-SU-2011:0348-1, RHSA-2011:0447-01, SUSE-SR:2011:007, VIGILANCE-VUL-10539.

Description of the vulnerability

The MIT krb5 kadmind service listens on port 749 for administration requests and also implements the password change (kpasswd) protocol on port 464.

The process_chpw_request() function of the src/kadmin/server/schpw.c file processes password change queries. However, when kadmind receives a malformed query, the function reaches its error path with a pointer that was never initialized and frees it; this invalid free crashes the daemon.

An attacker can therefore send a malicious password change query to MIT krb5 kadmind, in order to stop it.

vulnerability CVE-2011-0996

dhcpcd: shell command injection

Synthesis of the vulnerability

An attacker owning a malicious DHCP server can return a special hostname, in order to inject a shell command in dhcpcd.
Impacted products: NetBSD, NLD, OES, openSUSE, Slackware, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet server.
Creation date: 08/04/2011.
Identifiers: BID-47272, CVE-2011-0996, openSUSE-SU-2011:0342-1, openSUSE-SU-2011:0352-1, openSUSE-SU-2011:0385-1, SSA:2011-210-02, SUSE-SR:2011:007, SUSE-SR:2011:008, VIGILANCE-VUL-10530.

Description of the vulnerability

The dhcpcd program is a DHCP client daemon: it queries a DHCP server in order to obtain an IP address and a host name.

However, a malicious or compromised DHCP server can return a host name like:
  beginName`command`endName
  beginName;command;endName
As dhcpcd does not filter special shell characters before handing the name to its hook scripts, the shell command embedded in the name is run on the client.

An attacker owning a malicious DHCP server can therefore return a special hostname, in order to inject a shell command in dhcpcd.

This vulnerability is the same as VIGILANCE-VUL-10522 which impacts ISC dhclient.

computer vulnerability note CVE-2011-1574

libmodplug: buffer overflow via ReadS3M

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious S3M file with an application linked to libmodplug, in order to execute code on his computer.
Impacted products: Debian, Fedora, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES, Unix (platform) ~ not comprehensive, VLC.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 08/04/2011.
Identifiers: 20110407-0, CERTA-2003-AVI-001, CERTA-2011-AVI-196, CVE-2011-1574, DSA-2226-1, FEDORA-2011-5204, MDVSA-2011:085, openSUSE-SU-2011:0350-1, RHSA-2011:0477-01, SUSE-SR:2011:007, VideoLAN-SA-1104, VIGILANCE-VUL-10529.

Description of the vulnerability

The STM (Scream Tracker Module) and S3M (Scream Tracker 3 Module) formats are composed of:
 - a header
 - instruments
 - voices/patterns
 - samples (often used in loops)

The libmodplug library supports the S3M format. It is for example used by sound applications such as PyModPlug, UModPlayer and VideoLAN.

However, libmodplug does not check whether the number of instruments (nins) and patterns (npat) declared in the file header exceeds the size of the fixed arrays that store them. A buffer overflow thus occurs in the CSoundFile::ReadS3M() function of src/load_s3m.cpp.

An attacker can therefore invite the victim to open a malicious S3M file with an application linked to libmodplug, in order to execute code on his computer.
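An added parser (not libmodplug code) for the S3M header that applies the checks ReadS3M() lacked: the order, instrument and pattern counts at offsets 0x20, 0x22 and 0x24 are compared with the bytes actually present and with fixed storage caps before the parapointer tables are read. The caps MAX_ORDERS, MAX_INSTRUMENTS and MAX_PATTERNS are this example's stand-in for the loader's fixed arrays, and build_s3m() only exists to construct the sample files.

```python
"""S3M header parsing with the count checks a loader must do before copying."""
import struct

HEADER_SIZE = 0x60           # fixed S3M header; "SCRM" signature at 0x2C
# Storage caps: this example's stand-in for the loader's fixed-size arrays.
MAX_ORDERS = 256
MAX_INSTRUMENTS = 240
MAX_PATTERNS = 240


class S3MError(ValueError):
    """Raised for anything the loader must refuse instead of copying."""


def parse_s3m_header(data: bytes) -> dict:
    """Validate the header and return name, orders and parapointer tables.

    Every count declared by the file is checked against the buffer length and
    against the storage caps before a single table element is read."""
    if len(data) < HEADER_SIZE:
        raise S3MError("truncated header")
    if data[0x1C] != 0x1A or data[0x2C:0x30] != b"SCRM":
        raise S3MError("not an S3M file")
    name = data[:0x1C].split(b"\0", 1)[0].decode("ascii", "replace")
    ordnum, insnum, patnum = struct.unpack_from("<HHH", data, 0x20)
    # The three checks the vulnerable ReadS3M() skipped: nins and npat were
    # used as loop bounds over fixed arrays without comparing them to the cap.
    if ordnum > MAX_ORDERS:
        raise S3MError(f"{ordnum} orders exceed storage ({MAX_ORDERS})")
    if insnum > MAX_INSTRUMENTS:
        raise S3MError(f"{insnum} instruments exceed storage ({MAX_INSTRUMENTS})")
    if patnum > MAX_PATTERNS:
        raise S3MError(f"{patnum} patterns exceed storage ({MAX_PATTERNS})")
    needed = HEADER_SIZE + ordnum + 2 * insnum + 2 * patnum
    if len(data) < needed:
        raise S3MError(f"file too short for declared tables ({needed} bytes needed)")
    pos = HEADER_SIZE
    orders = list(data[pos:pos + ordnum])
    pos += ordnum
    ins_ptr = list(struct.unpack_from(f"<{insnum}H", data, pos))
    pos += 2 * insnum
    pat_ptr = list(struct.unpack_from(f"<{patnum}H", data, pos))
    return {"name": name, "orders": orders, "instruments": ins_ptr, "patterns": pat_ptr}


def check_s3m(data: bytes) -> str:
    """Loader-style verdict: 'ok' or 'rejected: <reason>'."""
    try:
        parse_s3m_header(data)
        return "ok"
    except S3MError as exc:
        return f"rejected: {exc}"


def build_s3m(name: bytes, ordnum: int, insnum: int, patnum: int, tables: bytes = b"") -> bytes:
    """Constructed-sample builder: a minimal header with the given counts."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:len(name[:28])] = name[:28]
    hdr[0x1C] = 0x1A
    hdr[0x1D] = 0x10                      # type: ST3 module
    struct.pack_into("<HHH", hdr, 0x20, ordnum, insnum, patnum)
    hdr[0x2C:0x30] = b"SCRM"
    return bytes(hdr) + tables


# Constructed samples (not real tracker files).
SAMPLE_OK = build_s3m(b"demo song", 2, 1, 1, bytes([0, 1]) + struct.pack("<HH", 6, 7))
SAMPLE_OVERFLOW = build_s3m(b"evil", 0, 0xFFFF, 0xFFFF)   # counts larger than any array
SAMPLE_TRUNCATED = build_s3m(b"short", 8, 0, 0)             # promises 8 orders, ships none

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("overflow", SAMPLE_OVERFLOW), ("truncated", SAMPLE_TRUNCATED)):
        print(label, "->", check_s3m(sample))
```

The order of the checks matters: the caps are compared before the length check so that a huge count can never drive an allocation or a loop, and the length check runs before any table is sliced so that a file that declares more entries than it carries is refused rather than read past its end.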

vulnerability note CVE-2011-0465

xrdb: shell command injection

Synthesis of the vulnerability

An attacker owning a malicious DHCP server or using XDMCP can use a special hostname, in order to inject a shell command in xrdb.
Impacted products: Debian, Fedora, Mandriva Linux, NetBSD, NLD, OES, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SLES, Unix (platform) ~ not comprehensive, XOrg Bundle ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: intranet client.
Creation date: 06/04/2011.
Identifiers: CERTA-2011-AVI-191, CVE-2011-0465, DSA-2213-1, FEDORA-2011-4871, FEDORA-2011-4879, MDVSA-2011:076, openSUSE-SU-2011:0298-1, RHSA-2011:0432-01, RHSA-2011:0433-01, SSA:2011-096-01, SUSE-SA:2011:016, VIGILANCE-VUL-10524.

Description of the vulnerability

The xrdb program manages the X resource database, the settings that X clients read from the X server.

However, this program does not filter special shell characters contained in the computer name before using this name in a shell command run by root. For example, an attacker can use a computer name like:
  beginName`command`endName
  beginName;command;endName

In order to exploit this vulnerability, the attacker can define a malicious name for the computer:
 - via DHCP: attack similar to VIGILANCE-VUL-10522 or VIGILANCE-VUL-10530
 - via XDMCP (X Display Manager Control Protocol): attack by changing the client name

An attacker owning a malicious DHCP server or using XDMCP can therefore use a special hostname, in order to inject a shell command in xrdb.

vulnerability announce CVE-2011-0997

ISC dhclient: shell command injection

Synthesis of the vulnerability

An attacker owning a malicious DHCP server can return a special hostname, in order to inject a shell command in ISC dhclient.
Impacted products: XenServer, Debian, BIG-IP Hardware, TMOS, Fedora, ISC DHCP, Mandriva Linux, NetBSD, NLD, OES, openSUSE, RHEL, Slackware, SLES, Unix (platform) ~ not comprehensive, ESX.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet server.
Creation date: 06/04/2011.
Identifiers: BID-47176, CERTA-2011-AVI-190, CERTA-2011-AVI-637, CERTA-2011-AVI-638, CTX130325, CVE-2011-0997, DSA-2216-1, DSA-2217-1, ESX400-201110001, ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110406-SG, ESX400-201110408-SG, ESX400-201110409-SG, ESX400-201110410-SG, FEDORA-2011-0848, FEDORA-2011-4897, MDVSA-2011:073, NetBSD-SA2011-005, openSUSE-SU-2011:0320-1, openSUSE-SU-2011:0321-1, RHSA-2011:0428-01, RHSA-2011:0840-01, SOL13219, SSA:2011-097-01, SUSE-SR:2011:007, SUSE-SR:2011:008, VIGILANCE-VUL-10522, VMSA-2011-0009.1, VMSA-2011-0010, VMSA-2011-0010.1, VMSA-2011-0010.2, VMSA-2011-0010.3, VMSA-2011-0012, VMSA-2012-0005, VU#107886.

Description of the vulnerability

The ISC dhclient program queries a DHCP server, in order to obtain an IP address and a host name.

However, a malicious or compromised DHCP server can return a host name like:
  beginName`command`endName
  beginName;command;endName
As dhclient does not filter special shell characters before handing the name to its script (dhclient-script), the shell command embedded in the name is run on the client.

An attacker owning a malicious DHCP server can therefore return a special hostname, in order to inject a shell command in ISC dhclient.

This vulnerability is the same as VIGILANCE-VUL-10530 which impacts dhcpcd.
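An added example (not dhclient, dhcpcd or xrdb code) covering this bulletin together with the dhcpcd (VIGILANCE-VUL-10530) and xrdb (VIGILANCE-VUL-10524) ones above, which share the same defect: a host name supplied by the network is spliced into a command line that a shell parses. configure_hostname_unsafe() reproduces that pattern with sh -c and a harmless injected echo, is_valid_hostname() is the RFC 1123 allow-list check the client should apply to anything a DHCP server or XDMCP peer sends, and configure_hostname_safe() passes the validated name as a single argument so that no shell ever sees it. The host names are constructed.

```python
"""Host name from the network: the injection pattern and its two fixes."""
import re
import subprocess

# Constructed host names as a rogue DHCP server (or an XDMCP client) could
# supply them; the injected command is a harmless echo.
BENIGN = "ws42.example.net"
INJECTED_BACKTICK = "beginName`echo INJECTED`endName"
INJECTED_SEMICOLON = "beginName;echo INJECTED;endName"

# RFC 1123 host name: labels of letters, digits and hyphens (1-63 chars,
# no leading or trailing hyphen) joined by dots, at most 255 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def is_valid_hostname(name: str) -> bool:
    """Allow-list check: only what a host name may contain gets through."""
    return 0 < len(name) <= 255 and _HOSTNAME_RE.fullmatch(name) is not None


def configure_hostname_unsafe(name: str) -> str:
    """The vulnerable pattern: the name is spliced into a command line that a
    shell parses, so backticks and ';' are interpreted. Returns stdout."""
    proc = subprocess.run(["sh", "-c", f"echo hostname set to {name}"],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def configure_hostname_safe(name: str) -> str:
    """Validate first, then pass the name as one argv element so no shell ever
    sees it. Returns stdout, or raises ValueError for a rejected name."""
    if not is_valid_hostname(name):
        raise ValueError(f"rejected host name from server: {name!r}")
    proc = subprocess.run(["echo", "hostname set to", name],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def safe_rejects(name: str) -> bool:
    """True when the hardened path refuses the name."""
    try:
        configure_hostname_safe(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in (BENIGN, INJECTED_BACKTICK, INJECTED_SEMICOLON):
        print(repr(name), "valid:", is_valid_hostname(name))
        print("  unsafe path output:", repr(configure_hostname_unsafe(name)))
        print("  safe path rejects:", safe_rejects(name))
```

Both fixes are needed: validation alone still leaves a shell in the path for the next unfiltered field, and argv passing alone does not stop a bogus name from being applied to the system. Scripts that export the name into the environment and source or eval it need the same allow-list before the value is exported.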

vulnerability CVE-2006-7244 CVE-2009-5063

libpng: denial of service via png_write_iCCP

Synthesis of the vulnerability

An attacker can invite the victim to convert a JPEG image to PNG with an application linked to libpng, in order to create a denial of service.
Impacted products: libpng, NLD, OES, openSUSE, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 22/03/2011.
Identifiers: CVE-2006-7244, CVE-2009-5063, openSUSE-SU-2011:0915-1, SUSE-SU-2011:0916-1, SUSE-SU-2011:0919-1, VIGILANCE-VUL-10480.

Description of the vulnerability

The libpng library is used by applications creating or manipulating PNG (Portable Network Graphics) image files.

The ICC (International Color Consortium) profile describes the color characteristics of a device so that identical colors can be displayed on each of them. Some image types, such as JPEG or PNG, can contain ICC profiles.

When a JPEG image containing an ICC profile is converted to PNG, the png_write_iCCP() function is called to write the ICC data. However, this function does not reject a negative profile length, and the application crashes.

An attacker can therefore invite the victim to convert a JPEG image to PNG with an application linked to libpng, in order to create a denial of service.

vulnerability note CVE-2011-1146

libvirt: denial of service via the API

Synthesis of the vulnerability

A read-only attacker can use some functions of the libvirt library, in order to create denials of service.
Impacted products: Debian, Fedora, NLD, OES, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: user account.
Creation date: 10/03/2011.
Identifiers: 683650, BID-46820, CERTA-2003-AVI-002, CVE-2011-1146, DSA-2194-1, FEDORA-2011-4870, FEDORA-2011-4896, openSUSE-SU-2011:0311-1, openSUSE-SU-2011:0578-1, openSUSE-SU-2011:0580-1, RHSA-2011:0391-01, SUSE-SR:2011:007, SUSE-SU-2011:0579-1, VIGILANCE-VUL-10444.

Description of the vulnerability

The libvirt library provides a standard interface on several virtualization products (Xen, QEMU, KVM, etc.).

A libvirt user who is connected in read-only mode can only view the configuration of virtual machines. However, four functions ignore this mode, and can be used to alter the configuration:
 - virNodeDeviceDettach: detach a node device from its host driver
 - virNodeDeviceReset: reset a node device
 - virDomainRevertToSnapshot: revert a domain to a snapshot
 - virDomainSnapshotDelete: delete a snapshot

A read-only attacker can therefore use some functions of the libvirt library, in order to create denials of service.

computer vulnerability note CVE-2011-1095

glibc locale: unfiltered output

Synthesis of the vulnerability

The result of the glibc locale command is not filtered, so an attacker can inject data in a program using this result.
Impacted products: Mandriva Linux, NLD, OES, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, ESX, ESXi, VMware vSphere, VMware vSphere Hypervisor.
Severity: 1/4.
Consequences: privileged access/rights, user access/rights.
Provenance: user shell.
Creation date: 09/03/2011.
Identifiers: 11904, BID-47370, CERTA-2011-AVI-193, CVE-2011-1095, ESX400-201110001, ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110406-SG, ESX400-201110408-SG, ESX400-201110409-SG, ESX400-201110410-SG, ESXi400-201110001, ESXi400-201110401-SG, ESXi400-201110402-BG, MDVSA-2011:178, RHSA-2011:0412-01, RHSA-2011:0413-01, RHSA-2012:0125-01, SUSE-SU-2011:0701-1, SUSE-SU-2011:0702-1, SUSE-SU-2011:0703-1, SUSE-SU-2011:0704-1, VIGILANCE-VUL-10439, VMSA-2011-0004.2, VMSA-2011-0009.1, VMSA-2011-0009.2, VMSA-2011-0009.3, VMSA-2011-0010, VMSA-2011-0010.1, VMSA-2011-0010.2, VMSA-2011-0012, VMSA-2011-0012.1, VMSA-2011-0012.2, VMSA-2011-0013, VMSA-2012-0005.

Description of the vulnerability

The "locale" command, which is provided by the glibc suite, displays localization variables:
  LC_CTYPE="fr_FR@euro"
  LC_NUMERIC="fr_FR@euro"
  etc.

This command reads the content of the LANG environment variable in order to determine what to display. However, if the content of the LANG variable is not a known locale name, locale prints it verbatim, without quoting or escaping. This behavior contradicts the documentation, which indicates that the output is filtered.

If a program uses the output of `locale` to initialize variables (typically a shell script running `eval "$(locale)"`), an attacker who controls the environment can thus inject shell commands into this program.

The result of the glibc locale command is therefore not filtered, so an attacker can inject data in a program using this result.