The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of OES

vulnerability announce CVE-2011-2483

crypt_blowfish: hash collision

Synthesis of the vulnerability

When a user's password contains 8-bit characters, the Blowfish hashing algorithm of crypt() generates an invalid hash, which is potentially faster to find by brute force.
Severity: 2/4.
Creation date: 19/08/2011.
Identifiers: CVE-2011-2483, DSA-2340-1, MDVSA-2011:161, MDVSA-2011:178, MDVSA-2011:179, MDVSA-2011:180, openSUSE-SU-2011:0921-1, openSUSE-SU-2011:0921-2, openSUSE-SU-2011:0970-1, openSUSE-SU-2011:0972-1, openSUSE-SU-2012:0480-1, openSUSE-SU-2013:1670-1, openSUSE-SU-2013:1676-1, RHSA-2011:1377-01, RHSA-2011:1378-01, SUSE-SA:2011:035, SUSE-SU-2011:0922-1, SUSE-SU-2011:0923-1, SUSE-SU-2011:0927-1, SUSE-SU-2011:0971-1, SUSE-SU-2011:0974-1, SUSE-SU-2011:0991-1, SUSE-SU-2011:1081-1, SUSE-SU-2011:1081-2, VIGILANCE-VUL-10934.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The crypt() function hashes the password of a user. When a user is added, the hash is stored in the /etc/shadow file. When the user authenticates, the hash is compared to the hash from /etc/shadow.

The crypt() function supports several hash algorithms:
 - DES
 - MD5 (prefix $1$)
 - Blowfish (prefix $2a$), which is implemented in the crypt_blowfish library

However, crypt_blowfish reads the password through signed C characters (-128 to 127) instead of unsigned characters (0 to 255). The generated hash is thus invalid if the password contains 8-bit characters (bytes in the range 128 to 255, which become negative values).

This error has no impact on user authentication, because the hash stored in the /etc/shadow file was computed with the same flawed code, so the invalid hash of the entered password matches it.

However, the generated hash is subject to collisions: several different passwords produce the same hash. A brute-force attack therefore has to test fewer passwords before finding one that matches the user's hash.

When a user's password contains 8-bit characters, the Blowfish hashing algorithm of crypt() therefore generates an invalid hash, which is potentially faster to find by brute force.
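The signed-character mistake is easiest to see in the step of Blowfish key setup that packs password bytes into 32-bit words. The following model is an added example, not crypt_blowfish's own code: it assumes an 18-word key schedule that cycles through the password including its terminating NUL (as Blowfish's P-array does), and packs each word once through a signed char, as the flawed library did, and once through an unsigned char. With the signed form, a byte of 0x80 or more is sign-extended to 0xFFFFFFxx and ORs over the bytes already packed, so two constructed passwords that differ only before an 8-bit byte expand to identical key words.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not crypt_blowfish's own code: it models the step of
 * Blowfish key setup that packs successive password bytes into 32-bit
 * words, cycling through the password including its NUL terminator.
 * "fixed" selects the unsigned-byte form; otherwise the byte goes
 * through a signed char, as in the flawed crypt_blowfish. */
#define KEY_WORDS 18   /* size of the Blowfish P-array */

static void expand_key_words(const char *key, uint32_t out[KEY_WORDS], int fixed)
{
    size_t pos = 0;
    for (int i = 0; i < KEY_WORDS; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            unsigned char raw = (unsigned char)key[pos];
            tmp <<= 8;
            if (fixed) {
                tmp |= raw;                       /* 0x00..0xFF, as intended */
            } else {
                /* A byte >= 0x80 becomes negative, is sign-extended to
                 * 0xFFFFFFxx and ORs over the bytes already packed. */
                tmp |= (uint32_t)(signed char)raw;
            }
            if (raw == 0) pos = 0; else pos++;    /* wrap after the NUL */
        }
        out[i] = tmp;
    }
}

/* Returns 1 when two passwords expand to identical key words. */
int key_words_collide(const char *a, const char *b, int fixed)
{
    uint32_t wa[KEY_WORDS], wb[KEY_WORDS];
    expand_key_words(a, wa, fixed);
    expand_key_words(b, wb, fixed);
    return memcmp(wa, wb, sizeof wa) == 0;
}

/* First packed word, to see the clobbering directly. */
uint32_t first_key_word(const char *key, int fixed)
{
    uint32_t w[KEY_WORDS];
    expand_key_words(key, w, fixed);
    return w[0];
}

int main(void)
{
    /* Constructed passwords: same 8-bit byte, different leading bytes. */
    const char *p1 = "ab\xff";
    const char *p2 = "cd\xff";
    printf("signed   : %08x %08x collide=%d\n", first_key_word(p1, 0),
           first_key_word(p2, 0), key_words_collide(p1, p2, 0));
    printf("unsigned : %08x %08x collide=%d\n", first_key_word(p1, 1),
           first_key_word(p2, 1), key_words_collide(p1, p2, 1));
    return 0;
}
```

With the signed form both passwords give the word 0xFFFFFF00 in every position, so the leading "ab" and "cd" are lost and the two hashes collide; with the unsigned form the words are 0x6162FF00 and 0x6364FF00 and stay distinct. The defensive lesson for any code that feeds bytes into a hash is to read them through unsigned char (or uint8_t), never through plain char.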

cybersecurity note CVE-2011-2697 CVE-2011-2964

foomatic-rip: code execution via PPD

Synthesis of the vulnerability

When the system is configured to use a foomatic-rip or foomatic-rip-hplip print filter, a local attacker (or remote attacker via CUPS) can print a document, in order to execute code with privileges of the lp user.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 02/08/2011.
Identifiers: 698451, CVE-2011-2697, CVE-2011-2964, DSA-2380-1, FEDORA-2011-9554, FEDORA-2011-9575, MDVSA-2011:125, openSUSE-SU-2011:0892-1, RHSA-2011:1109-01, RHSA-2011:1110-01, SUSE-SU-2011:0895-1, VIGILANCE-VUL-10883.

Description of the vulnerability

The foomatic-rip or foomatic-rip-hplip filter (written in C or in Perl) adapts print jobs to printers.

A PPD (PostScript Printer Description) file contains a FoomaticRIPCommandLine directive, which indicates the command line that foomatic-rip executes.

The "-p" option of foomatic-rip indicates the name of a spool file to use. However, when "-p" is used, foomatic-rip also accepts a PPD file provided by the user. The "-p" option can also be passed through the "-U" option of lp, which is meant to indicate the user name, because all parameters are concatenated regardless of their origin.

An attacker can therefore print with a "-U" option containing "-p", and a PPD file containing a malicious FoomaticRIPCommandLine command. This command is then run with the privileges of the print system.

When the system is configured to use a foomatic-rip or foomatic-rip-hplip print filter, a local attacker (or remote attacker via CUPS) can therefore print a document, in order to execute code with privileges of the lp user.

vulnerability alert CVE-2011-2522 CVE-2011-2694

Samba: two vulnerabilities of SWAT

Synthesis of the vulnerability

An attacker can use two vulnerabilities of the Samba Web Administration Tool, in order to perform a Cross Site Request Forgery and a Cross Site Scripting attack.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 27/07/2011.
Identifiers: 8289, 8290, 8347, BID-48899, BID-48901, c03297338, CERTA-2011-AVI-416, CERTA-2011-AVI-493, CERTA-2012-AVI-232, CVE-2011-2522, CVE-2011-2694, DSA-2290-1, FEDORA-2011-10341, FEDORA-2011-10367, HPSBUX02768, MDVSA-2011:121, openSUSE-SU-2011:0998-1, RHSA-2011:1219-01, RHSA-2011:1220-01, RHSA-2011:1221-01, SSA:2011-210-03, SSRT100664, SUSE-SU-2011:0981-1, SUSE-SU-2011:0999-1, SUSE-SU-2011:1001-1, SUSE-SU-2011:1002-1, VIGILANCE-VUL-10871.

Description of the vulnerability

The Samba server can be administered via the SWAT (Samba Web Administration Tool) web interface, which is not enabled by default. Two vulnerabilities impact SWAT.

The SWAT web site does not use session tokens. When an administrator is connected to SWAT, an attacker can thus invite him to display an HTML page containing images with special URLs. When the images are loaded, these URLs trigger administration operations. As SWAT does not check that these requests originate from the administrator's session, the administration operations are performed directly. [severity:2/4; 8290, BID-48899, CERTA-2011-AVI-416, CERTA-2012-AVI-232, CVE-2011-2522]

The SWAT web site uses the SWAT_USER ("username") variable to indicate the name of the current user. The chg_passwd() function of the source/web/swat.c file changes the password of the user. However, this function displays the name stored in the SWAT_USER variable without escaping it. If a username given as a parameter contains JavaScript code, the generated HTML page thus also contains this JavaScript code. [severity:2/4; 8289, BID-48901, CVE-2011-2694]

An attacker can therefore use two vulnerabilities of the Samba Web Administration Tool, in order to perform a Cross Site Request Forgery and a Cross Site Scripting attack.

security vulnerability CVE-2011-2721

ClamAV: denial of service via cli_hm_scan

Synthesis of the vulnerability

An attacker can send an email containing a malicious attachment, in order to generate an error in the cli_hm_scan() function, which stops ClamAV.
Severity: 2/4.
Creation date: 26/07/2011.
Identifiers: 2818, BID-48891, CVE-2011-2721, FEDORA-2011-10053, FEDORA-2011-10090, MDVSA-2011:122, openSUSE-SU-2011:0940-1, SUSE-SU-2011:0948-1, VIGILANCE-VUL-10870.

Description of the vulnerability

The libclamav/matcher-hash.c file implements the management of virus signature hashes, using the MD5, SHA1 and SHA256 algorithms.

An email can contain a PDF attachment, containing a malicious object. When ClamAV analyzes this object, it calls the cli_scanraw() function, which calls the cli_hm_scan() function of the libclamav/matcher-hash.c file, in order to check whether its signature is known. However, the function reads the memory located after the last hash, which causes a segmentation fault (especially on Solaris).

An attacker can therefore send an email containing a malicious attachment, in order to generate an error in the cli_hm_scan() function, which stops ClamAV.

cybersecurity bulletin CVE-2011-2692

libpng: denial of service via sCAL

Synthesis of the vulnerability

An attacker can invite the victim to display a malicious PNG image, in order to generate a denial of service in applications linked to libpng.
Severity: 1/4.
Creation date: 08/07/2011.
Identifiers: BID-48618, CERTA-2003-AVI-037, CVE-2011-2692, DSA-2287-1, FEDORA-2011-10928, FEDORA-2011-10954, FEDORA-2011-8844, FEDORA-2011-8867, FEDORA-2011-9336, FEDORA-2011-9343, MDVSA-2011:151, openSUSE-SU-2011:0915-1, RHSA-2011:1103-01, RHSA-2011:1104-01, RHSA-2011:1105-01, SUSE-SU-2011:0916-1, SUSE-SU-2011:0919-1, VIGILANCE-VUL-10820, VU#819894.

Description of the vulnerability

The libpng library is used by several applications to decode or display PNG images.

The sCAL ("Physical Scale") chunk of a PNG image defines its relative scale. Its format is:
 - one byte: unit (meter)
 - the X axis multiplier, stored as text (for example "2.5")
 - a null byte
 - the Y axis multiplier, stored as text (for example "2.5")

However, if the sCAL chunk is empty, or if the null byte separating the two multipliers is missing, the png_handle_sCAL() function reads from an invalid memory address.

An attacker can therefore invite the victim to display a malicious PNG image, in order to generate a denial of service in applications linked to libpng.
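The two malformed shapes named above, an empty chunk and a missing separator, are exactly what a chunk parser has to reject before touching the data. The parser below is an added example written for this bulletin, not libpng's code: it takes the chunk body (unit byte, X multiplier as text, NUL, Y multiplier as text running to the end of the chunk), searches for the NUL only inside the chunk's own length, and returns a distinct status for each failure instead of reading past the buffer. The fixed-size text fields and the status names are this example's own choices.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not libpng's own code: a defensive parser for the
 * sCAL chunk layout (unit byte, X as text, NUL, Y as text up to the end
 * of the chunk). It rejects an empty chunk and a missing NUL instead of
 * reading past the data. */

#define SCAL_TEXT_MAX 31   /* example limit for each multiplier string */

struct scal {
    unsigned char unit;
    char x[SCAL_TEXT_MAX + 1];
    char y[SCAL_TEXT_MAX + 1];
};

enum scal_status {
    SCAL_OK = 0,
    SCAL_EMPTY,          /* no unit byte at all */
    SCAL_NO_SEPARATOR,   /* no NUL between X and Y inside the chunk */
    SCAL_EMPTY_FIELD,    /* X or Y has zero length */
    SCAL_TOO_LONG        /* field longer than our fixed buffers */
};

enum scal_status parse_scal(const unsigned char *data, size_t len, struct scal *out)
{
    if (len == 0)
        return SCAL_EMPTY;
    out->unit = data[0];

    /* Look for the separator only inside the chunk, never beyond it. */
    const unsigned char *xstart = data + 1;
    size_t rest = len - 1;
    const unsigned char *sep = memchr(xstart, '\0', rest);
    if (sep == NULL)
        return SCAL_NO_SEPARATOR;

    size_t xlen = (size_t)(sep - xstart);
    size_t ylen = rest - xlen - 1;             /* bytes after the NUL */
    if (xlen == 0 || ylen == 0)
        return SCAL_EMPTY_FIELD;
    if (xlen > SCAL_TEXT_MAX || ylen > SCAL_TEXT_MAX)
        return SCAL_TOO_LONG;

    memcpy(out->x, xstart, xlen);
    out->x[xlen] = '\0';
    memcpy(out->y, sep + 1, ylen);             /* Y is not NUL-terminated in the chunk */
    out->y[ylen] = '\0';
    return SCAL_OK;
}

int main(void)
{
    struct scal s;
    /* Constructed chunk bodies (without the length/type/CRC framing). */
    static const unsigned char good[] = { 1, '2', '.', '5', 0, '2', '.', '5' };
    static const unsigned char nosep[] = { 1, '2', '.', '5', '2', '.', '5' };

    printf("good : %d (x=%s y=%s)\n", parse_scal(good, sizeof good, &s), s.x, s.y);
    printf("empty: %d\n", parse_scal(good, 0, &s));
    printf("nosep: %d\n", parse_scal(nosep, sizeof nosep, &s));
    return 0;
}
```

The point of the memchr() call with the chunk's remaining length is that the search stops at the chunk boundary; a strlen()-style scan would keep going into whatever memory follows, which is the read the bulletin describes.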

security vulnerability CVE-2011-2501 CVE-2011-2691

libpng: denial of service of png_format_buffer

Synthesis of the vulnerability

An attacker can invite the victim to display a malformed PNG image, in order to stop applications linked to libpng.
Severity: 1/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 28/06/2011.
Identifiers: BID-48474, BID-48660, CERTA-2003-AVI-037, CVE-2011-2501, CVE-2011-2691, DSA-2287-1, FEDORA-2011-8844, FEDORA-2011-8867, FEDORA-2011-8868, FEDORA-2011-8874, FEDORA-2011-9336, FEDORA-2011-9343, MDVSA-2011:151, openSUSE-SU-2011:0915-1, RHSA-2011:1105-01, SUSE-SU-2011:0916-1, SUSE-SU-2011:0919-1, VIGILANCE-VUL-10782.

Description of the vulnerability

The libpng library is used to process PNG (Portable Network Graphics) images.

The png_chunk_error() and png_chunk_warning() functions create error messages to indicate that an image is invalid. These functions call the png_format_buffer() function, which contains the following code (PNG_MAX_ERROR_TEXT is the constant 64):
  png_memcpy(buffer+iout, error_message, PNG_MAX_ERROR_TEXT);
This function thus always copies 64 bytes into the buffer, regardless of the actual length of error_message.

However, if the message is only 10 bytes long, 64 bytes are still copied, so the 54 bytes located after the end of the message string are read as well. If these bytes lie in a different, unmapped memory page, a segmentation fault occurs.

An attacker can therefore invite the victim to display a malformed PNG image, in order to stop applications linked to libpng.

This vulnerability is a regression of VIGILANCE-VUL-4148.
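The fix for an unconditional fixed-size copy is to bound the copy by the real message length and by the room left in the destination. The function below is an added example, not libpng's code: it keeps the constant name PNG_MAX_ERROR_TEXT from the quoted line, measures the message with a length-limited scan (so neither a short nor an overlong message is walked past the 64-byte limit), and copies exactly that many bytes. The function name and buffer handling are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not libpng's code: a bounded replacement for an
 * unconditional PNG_MAX_ERROR_TEXT-byte copy of an error message. */

#define PNG_MAX_ERROR_TEXT 64

/* strnlen() is POSIX, not ISO C, so spell out the bounded scan. */
static size_t bounded_strlen(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Appends message at buffer[iout], copying at most PNG_MAX_ERROR_TEXT
 * bytes and never past bufsize - 1. Returns the new write position;
 * the buffer is always NUL-terminated. */
size_t append_error_text(char *buffer, size_t bufsize, size_t iout,
                         const char *message)
{
    if (bufsize == 0)
        return 0;
    if (iout >= bufsize - 1) {
        buffer[bufsize - 1] = '\0';
        return bufsize - 1;
    }
    size_t room = bufsize - 1 - iout;
    size_t n = bounded_strlen(message, PNG_MAX_ERROR_TEXT);
    if (n > room)
        n = room;
    memcpy(buffer + iout, message, n);       /* reads exactly n bytes of message */
    buffer[iout + n] = '\0';
    return iout + n;
}

int main(void)
{
    char buffer[32];
    /* Constructed 10-byte message, the case the bulletin describes:
     * only 10 bytes are read from it, not 64. */
    size_t end = append_error_text(buffer, sizeof buffer, 0, "bad chunk!");
    printf("%zu: %s\n", end, buffer);
    return 0;
}
```

A 10-byte message therefore causes a 10-byte read; a 100-byte message is truncated to 64 bytes, matching the original intent of the constant without over-reading in the short case.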

computer threat bulletin CVE-2011-0786 CVE-2011-0788 CVE-2011-0802

Java JRE/JDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Java JRE/JDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Severity: 4/4.
Number of vulnerabilities in this bulletin: 17.
Creation date: 08/06/2011.
Identifiers: BID-48133, BID-48134, BID-48135, BID-48136, BID-48137, BID-48138, BID-48139, BID-48140, BID-48141, BID-48142, BID-48143, BID-48144, BID-48145, BID-48146, BID-48147, BID-48148, BID-48149, c02945548, c03316985, c03358587, c03405642, CERTA-2003-AVI-005, CERTA-2011-AVI-336, CERTA-2012-AVI-286, CERTA-2012-AVI-395, CVE-2011-0786, CVE-2011-0788, CVE-2011-0802, CVE-2011-0814, CVE-2011-0815, CVE-2011-0817, CVE-2011-0862, CVE-2011-0863, CVE-2011-0864, CVE-2011-0865, CVE-2011-0866, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871, CVE-2011-0872, CVE-2011-0873, DSA-2311-1, DSA-2358-1, FEDORA-2011-8003, FEDORA-2011-8020, FEDORA-2011-8028, HPSBMU02797, HPSBMU02799, HPSBUX02697, HPSBUX02777, javacpujune2011, MDVSA-2011:126, openSUSE-SU-2011:0633-1, openSUSE-SU-2011:0706-1, PSN-2012-08-686, PSN-2012-08-687, PSN-2012-08-688, PSN-2012-08-689, PSN-2012-08-690, RHSA-2011:0856-01, RHSA-2011:0857-01, RHSA-2011:0860-01, RHSA-2011:0938-01, RHSA-2011:1087-01, RHSA-2011:1159-01, RHSA-2011:1265-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT100591, SSRT100854, SSRT100867, SUSE-SA:2011:030, SUSE-SA:2011:032, SUSE-SA:2011:036, SUSE-SU-2011:0632-1, SUSE-SU-2011:0807-1, SUSE-SU-2011:0863-1, SUSE-SU-2011:0863-2, SUSE-SU-2011:0966-1, SUSE-SU-2011:1082-1, TPTI-11-06, VIGILANCE-VUL-10722, VMSA-2011-0013.1, ZDI-11-182, ZDI-11-183, ZDI-11-184, ZDI-11-185, ZDI-11-186, ZDI-11-187, ZDI-11-188, ZDI-11-189, ZDI-11-190, ZDI-11-191, ZDI-11-192, ZDI-11-199.

Description of the vulnerability

Several vulnerabilities were announced in Java JRE/JDK. The most severe vulnerabilities lead to code execution.

An attacker can use a vulnerability of 2D (ICC profile), in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48137, CVE-2011-0862, TPTI-11-06, ZDI-11-183, ZDI-11-184, ZDI-11-185, ZDI-11-186, ZDI-11-187, ZDI-11-188, ZDI-11-189, ZDI-11-190, ZDI-11-191]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48148, CVE-2011-0873]

An attacker can use a vulnerability of AWT, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48143, CVE-2011-0815]

An attacker can use a vulnerability of Deployment (IE Browser Plugin), in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48134, CVE-2011-0817, ZDI-11-182]

An attacker can use a vulnerability of Deployment (Java Web Start), in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48138, CVE-2011-0863, ZDI-11-192]

An attacker can use a vulnerability of HotSpot, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48139, CVE-2011-0864]

An attacker can use a vulnerability of Soundbank Decompression, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48149, CVE-2011-0802, ZDI-11-199]

An attacker can use a vulnerability of Sound, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48145, CVE-2011-0814]

An attacker can use a vulnerability of Swing, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48142, CVE-2011-0871]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-48133, CERTA-2011-AVI-336, CVE-2011-0786]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-48135, CVE-2011-0788]

An attacker can use a vulnerability of Java Runtime Environment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-48136, CVE-2011-0866]

An attacker can use a vulnerability of 2D, in order to obtain information. [severity:2/4; BID-48140, CVE-2011-0868]

An attacker can use a vulnerability of NIO, in order to create a denial of service. [severity:2/4; BID-48141, CVE-2011-0872]

An attacker can use a vulnerability of Networking, in order to obtain information. [severity:2/4; BID-48144, CVE-2011-0867]

An attacker can use a vulnerability of SAAJ, in order to obtain information. [severity:2/4; BID-48146, CVE-2011-0869]

An attacker can use a vulnerability of Deserialization, in order to alter information. [severity:1/4; BID-48147, CVE-2011-0865]

threat announce CVE-2011-1926

Cyrus IMAP: command injection with STARTTLS

Synthesis of the vulnerability

Even when the IMAP client checks the TLS certificate of the messaging server, an attacker can inject commands in the session.
Severity: 2/4.
Creation date: 03/05/2011.
Identifiers: 3424, CVE-2011-1926, DSA-2242-1, DSA-2258-1, FEDORA-2011-7193, FEDORA-2011-7217, MDVSA-2011:100, openSUSE-SU-2011:0800-1, RHSA-2011:0859-01, SUSE-SU-2011:0767-1, SUSE-SU-2011:0776-1, SUSE-SU-2011:0776-2, SUSE-SU-2011:0791-1, VIGILANCE-VUL-10617.

Description of the vulnerability

An attacker positioned as a Man-in-the-Middle between an IMAP client and its server can inject IMAP commands. Clients that use TLS are expected to detect this attack when they verify the TLS certificate provided by the server.

When the IMAP protocol is encapsulated in a TLS session (RFC 2595), the client starts the IMAP session in cleartext, then sends the STARTTLS command, which opens a TLS tunnel inside which the IMAP session restarts.

However, if an attacker appends an IMAP command to the cleartext data right after the STARTTLS command, that command remains in the reception buffer of the IMAP session. When the session restarts inside TLS, the attacker's command is thus the first one interpreted. The error is that the reception buffer is not emptied before the IMAP session restarts.

Even when the IMAP client checks the TLS certificate of the messaging server, an attacker can therefore inject commands in the session.

This vulnerability is a variant of VIGILANCE-VUL-10428.
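The defect is a buffer-handling one on the server side: whatever is still queued from the cleartext phase must be discarded at the moment STARTTLS is accepted, because the TLS-protected session has no way to tell those bytes from ones the client sent after the handshake. The model below is an added example, not Cyrus IMAP's code: a toy server session with a reception buffer, a command reader, and a switch selecting the flawed behaviour (buffer kept) or the fixed one (buffer cleared). The constructed input delivers a second command in the same read as STARTTLS, which is the situation the bulletin describes; the session structure and function names are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not Cyrus IMAP's code: a toy model of the server side
 * of an IMAP session with a reception buffer, showing why that buffer
 * must be discarded when STARTTLS is accepted. Bytes fed in before the
 * TLS handshake are cleartext; if any of them are still buffered when
 * the session restarts inside TLS, they are executed as if the client
 * had sent them over the protected channel. */

#define RX_SIZE 512

struct imap_session {
    char rx[RX_SIZE];
    size_t rx_len;
    int tls_active;
    int flush_on_starttls;   /* 1 = the fix, 0 = the flawed behaviour */
};

void session_init(struct imap_session *s, int flush_on_starttls)
{
    memset(s, 0, sizeof *s);
    s->flush_on_starttls = flush_on_starttls;
}

/* Append bytes as they arrive from the socket (one read may carry
 * several lines, which is exactly the situation described above). */
int session_feed(struct imap_session *s, const char *data, size_t len)
{
    if (s->rx_len + len > RX_SIZE)
        return -1;
    memcpy(s->rx + s->rx_len, data, len);
    s->rx_len += len;
    return 0;
}

/* Pops the next complete CRLF-terminated line into cmd. Returns 1 when a
 * command was produced, 0 when no full line is buffered. A STARTTLS
 * command switches the session to TLS and, in the fixed variant,
 * discards everything still buffered from the cleartext phase. */
int session_next_command(struct imap_session *s, char *cmd, size_t cmdsz)
{
    char *eol = NULL;
    for (size_t i = 0; i + 1 < s->rx_len; i++)
        if (s->rx[i] == '\r' && s->rx[i + 1] == '\n') { eol = s->rx + i; break; }
    if (eol == NULL)
        return 0;

    size_t linelen = (size_t)(eol - s->rx);
    if (linelen >= cmdsz)
        linelen = cmdsz - 1;
    memcpy(cmd, s->rx, linelen);
    cmd[linelen] = '\0';

    /* Remove the consumed line (plus CRLF) from the buffer. */
    size_t consumed = (size_t)(eol - s->rx) + 2;
    memmove(s->rx, s->rx + consumed, s->rx_len - consumed);
    s->rx_len -= consumed;

    if (!s->tls_active && strstr(cmd, " STARTTLS") != NULL) {
        s->tls_active = 1;
        if (s->flush_on_starttls)
            s->rx_len = 0;   /* nothing from the cleartext phase survives */
    }
    return 1;
}

/* Scenario driver: constructed input where a second command arrives in
 * the same cleartext read as STARTTLS. Returns 1 and copies that command
 * into out if the server would execute it inside the TLS session. */
int cleartext_leaks_into_tls(int flush_on_starttls, char *out, size_t outsz)
{
    struct imap_session s;
    char cmd[128];
    const char *wire = "a001 STARTTLS\r\na002 NOOP\r\n";   /* constructed */

    session_init(&s, flush_on_starttls);
    session_feed(&s, wire, strlen(wire));
    session_next_command(&s, cmd, sizeof cmd);          /* "a001 STARTTLS" */
    /* The TLS handshake would happen here; only the buffer matters. */
    if (session_next_command(&s, cmd, sizeof cmd)) {
        snprintf(out, outsz, "%s", cmd);
        return 1;
    }
    return 0;
}

int main(void)
{
    char leaked[128] = "";
    printf("flawed: %d (%s)\n", cleartext_leaks_into_tls(0, leaked, sizeof leaked), leaked);
    printf("fixed : %d\n", cleartext_leaks_into_tls(1, leaked, sizeof leaked));
    return 0;
}
```

In the flawed variant the second line, "a002 NOOP", is the first command the server interprets after switching to TLS even though it never travelled inside the tunnel; in the fixed variant the buffer is empty and the server waits for the client's first protected command. The same rule applies to every STARTTLS-style upgrade (SMTP, POP3, FTP AUTH TLS): clear the plaintext receive buffer before handing the socket to the TLS layer.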

computer vulnerability CVE-2011-1590 CVE-2011-1591 CVE-2011-1592

Wireshark: three vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Wireshark can be used by a remote attacker to create a denial of service or to execute code.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 18/04/2011.
Identifiers: 5209, 5754, 5793, BID-47392, CERTA-2003-AVI-004, CVE-2011-1590, CVE-2011-1591, CVE-2011-1592, DSA-2274-1, FEDORA-2011-5529, FEDORA-2011-5569, MDVSA-2011:083, openSUSE-SU-2011:0599-1, openSUSE-SU-2011:0602-1, RHSA-2012:0509-01, SUSE-SU-2011:0604-1, SUSE-SU-2011:0611-1, VIGILANCE-VUL-10571, VU#243670, wnpa-sec-2011-05, wnpa-sec-2011-06.

Description of the vulnerability

The Wireshark program captures and displays network packets. Protocols are decoded by dissectors, several of which are impacted by vulnerabilities.

On Windows, an attacker can stop the NFS dissector. [severity:1/4; 5209, CVE-2011-1592]

An attacker can stop the X.509if dissector. [severity:1/4; 5754, 5793, CVE-2011-1590]

An attacker can generate a buffer overflow in the DECT dissector, in order to execute code. [severity:2/4; CVE-2011-1591, VU#243670]

cybersecurity vulnerability CVE-2011-0285

MIT krb5: denial of service of kadmind in schpw

Synthesis of the vulnerability

An attacker can send a malicious password change query to MIT krb5 kadmind, in order to stop it.
Severity: 2/4.
Creation date: 12/04/2011.
Revision date: 14/04/2011.
Identifiers: 621726, BID-47310, CERTA-2011-AVI-222, CVE-2011-0285, FEDORA-2011-5343, FEDORA-2011-5345, MDVSA-2011:077, MITKRB5-SA-2011-004, openSUSE-SU-2011:0348-1, RHSA-2011:0447-01, SUSE-SR:2011:007, VIGILANCE-VUL-10539.

Description of the vulnerability

The MIT krb5 kadmind service listens on port 749.

The process_chpw_request() function of the src/kadmin/server/schpw.c file processes password change queries. However, when kadmind receives a malformed query, a pointer is left uninitialized and is then freed, which is an invalid memory free.

An attacker can therefore send a malicious password change query to MIT krb5 kadmind, in order to stop it.