The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Power-1 Appliance

computer vulnerability announce CVE-2014-9293 CVE-2014-9294 CVE-2014-9295

NTP.org: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of NTP.org.
Impacted products: GAiA, CheckPoint IP Appliance, IPSO, CheckPoint Power-1 Appliance, CheckPoint Security Appliance, CheckPoint Smart-1, CheckPoint VSX-1, IOS XR Cisco, Nexus by Cisco, NX-OS, Cisco CUCM, Cisco Unified CCX, Clearswift Email Gateway, Debian, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP Switch, HP-UX, AIX, Juniper J-Series, Junos OS, Junos Space, NSMXpress, Meinberg NTP Server, NetBSD, NTP.org, openSUSE, Oracle Communications, Solaris, RHEL, ROX, RuggedSwitch, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 6.
Creation date: 19/12/2014.
Revision date: 17/02/2016.
Identifiers: c04554677, c04574882, c04916783, CERTFR-2014-AVI-537, CERTFR-2014-AVI-538, CERTFR-2016-AVI-148, cisco-sa-20141222-ntpd, cpuoct2016, CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296, DSA-3108-1, FEDORA-2014-17361, FEDORA-2014-17367, FEDORA-2014-17395, FreeBSD-SA-14:31.ntp, HPSBHF03432, HPSBPV03266, HPSBUX03240, JSA10663, MBGSA-1405, MDVSA-2015:003, MDVSA-2015:140, NetBSD-SA2015-003, openSUSE-SU-2014:1670-1, openSUSE-SU-2014:1680-1, RHSA-2014:2024-01, RHSA-2014:2025-01, RHSA-2015:0104-01, sk103825, SOL15933, SOL15934, SOL15935, SOL15936, SSA:2014-356-01, SSA-671683, SSRT101872, SUSE-SU-2014:1686-1, SUSE-SU-2014:1686-2, SUSE-SU-2014:1686-3, SUSE-SU-2014:1690-1, SUSE-SU-2015:0259-1, SUSE-SU-2015:0259-2, SUSE-SU-2015:0259-3, SUSE-SU-2015:0274-1, SUSE-SU-2015:0322-1, USN-2449-1, VIGILANCE-VUL-15867, VN-2014-005, VU#852879.

Description of the vulnerability

Several vulnerabilities were announced in NTP.org.

An attacker can predict the default key generated by config_auth(), in order to bypass the authentication. [severity:2/4; CVE-2014-9293]

An attacker can predict the key generated by ntp-keygen, in order to decrypt sessions. [severity:2/4; CVE-2014-9294]

An attacker can generate a buffer overflow in crypto_recv(), in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-9295]

An attacker can generate a buffer overflow in ctl_putdata(), in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-9295]

An attacker can generate a buffer overflow in configure(), in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-9295]

An attacker can trigger an error in receive(), which is not detected. [severity:1/4; CVE-2014-9296]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2014-8730 CVE-2015-2774

Check Point, Cisco, IBM, F5, FortiOS: information disclosure via POODLE on TLS

Synthesis of the vulnerability

An attacker, located as a Man-in-the-Middle, can decrypt a Terminating TLS session, in order to obtain sensitive information.
Impacted products: GAiA, CheckPoint IP Appliance, IPSO, CheckPoint Power-1 Appliance, SecurePlatform, CheckPoint Security Appliance, CheckPoint Smart-1, CheckPoint VSX-1, Cisco ACE, ASA, BIG-IP Hardware, TMOS, Fedora, FortiGate, FortiGate Virtual Appliance, FortiOS, DB2 UDB, Domino, Informix Server, Tivoli Directory Server, openSUSE, Solaris, Palo Alto Firewall PA***, PAN-OS, Ubuntu.
Severity: 3/4.
Consequences: data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 09/12/2014.
Revision date: 17/12/2014.
Identifiers: 1450666, 1610582, 1647054, 1692906, 1693052, 1693142, bulletinjul2017, CERTFR-2014-AVI-533, CSCus08101, CSCus09311, CVE-2014-8730, CVE-2015-2774, FEDORA-2015-12923, FEDORA-2015-12970, openSUSE-SU-2016:0523-1, sk103683, SOL15882, USN-3571-1, VIGILANCE-VUL-15756.

Description of the vulnerability

The VIGILANCE-VUL-15485 (POODLE) vulnerability originates from an incorrect management of SSLv3 padding.

The F5 BIG-IP product can be configured to "terminate" SSL/TLS sessions. However, even when TLS is used, this BIG-IP feature uses the SSLv3 function to manage the padding. TLS sessions are thus also vulnerable to POODLE.

The same vulnerability also impacts Check Point, Cisco, IBM and Fortinet products.

An attacker, located as a Man-in-the-Middle, can therefore decrypt a Terminating TLS session, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability 13270

Check Point: vulnerabilities of IPMI

Synthesis of the vulnerability

An attacker can use IPMI vulnerabilities in several Check Point products, in order to perform management operations on the hardware.
Impacted products: GAiA, CheckPoint IP Appliance, CheckPoint Power-1 Appliance, SecurePlatform, CheckPoint Security Appliance, CheckPoint Smart-1, CheckPoint UTM-1 Appliance.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: intranet client.
Creation date: 13/08/2013.
Identifiers: sk94228, VIGILANCE-VUL-13270.

Description of the vulnerability

The IPMI (Intelligent Platform Management Interface) protocol is used to manage the hardware.

Several vulnerabilities were announced in IPMI (VIGILANCE-VUL-13267, VIGILANCE-VUL-13268 and VIGILANCE-VUL-13269). Some of these vulnerabilities impact the hardware of Check Point products.

An attacker can therefore use IPMI vulnerabilities in several Check Point products, in order to perform management operations on the hardware.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert 13191

Check Point R75.40VS: information disclosure via SecureXL

Synthesis of the vulnerability

An attacker can capture SIP/MGCP packets when SecureXL is enabled on Check Point R75.40VS, in order to obtain sensitive information.
Impacted products: GAiA, CheckPoint IP Appliance, CheckPoint Power-1 Appliance, SecurePlatform, CheckPoint Security Gateway, CheckPoint UTM-1 Appliance, CheckPoint VSX-1.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 02/08/2013.
Identifiers: sk92814, VIGILANCE-VUL-13191.

Description of the vulnerability

The SecureXL technology improves the performance of Check Point firewalls.

However, when it is enabled on R75.40VS, then SIP (Session Initiation Protocol) and MGCP (Media Gateway Control Protocol) packets are not encrypted.

An attacker can therefore capture SIP/MGCP packets when SecureXL is enabled on Check Point R75.40VS, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert 12981

CheckPoint Security Gateway: information disclosure via VoIP

Synthesis of the vulnerability

When SecureXL is enabled on caller side, an attacker can capture VoIP communications of CheckPoint Security Gateway, in order to obtain sensitive information.
Impacted products: GAiA, CheckPoint Power-1 Appliance, Provider-1, SecurePlatform, CheckPoint Security Gateway, CheckPoint UTM-1 Appliance, CheckPoint VSX-1.
Severity: 2/4.
Consequences: data reading, data flow.
Provenance: internet client.
Creation date: 17/06/2013.
Identifiers: sk92814, VIGILANCE-VUL-12981.

Description of the vulnerability

CheckPoint Security Gateway allow establish VoIP calls thorough a VPN.

The VoIP signaling is exchanged via the SIP protocol. However, when SecureXL is enabled in the VPN end point at caller side, SIP messages are sent in plain text instead of begin encrypted as part of VPN traffic. This allows an attacker located in the public network to capture signaling traffic.

When SecureXL is enabled on caller side, an attacker can therefore capture VoIP communications of CheckPoint Security Gateway, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability note 12884

Check Point VSX Virtual System: no policy

Synthesis of the vulnerability

When Check Point VSX Virtual System R75.40VS/R76 (VSX mode) is restarted, the security policy may be not applied.
Impacted products: GAiA, CheckPoint IP Appliance, CheckPoint Power-1 Appliance, CheckPoint Security Gateway, CheckPoint UTM-1 Appliance, CheckPoint VSX-1.
Severity: 3/4.
Consequences: data flow.
Provenance: internet client.
Creation date: 30/05/2013.
Identifiers: sk92812, VIGILANCE-VUL-12884.

Description of the vulnerability

When Check Point VSX Virtual System R75.40VS/R76 (VSX mode) is restarted, the security policy may be not applied.



An attacker can then access to the resources, or be blocked.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert 11656

TCP: packets injection via a firewall and a malware

Synthesis of the vulnerability

When an attacker installed an unprivileged malware on a client computer, and when a firewall is located between this client and a TCP server, an attacker who is located on the internet can guess valid sequence numbers, in order to inject data in this TCP session.
Impacted products: CheckPoint Power-1 Appliance, CheckPoint Security Gateway, CheckPoint Smart-1, CheckPoint UTM-1 Appliance, VPN-1, CheckPoint VSX-1, TCP protocol.
Severity: 1/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Creation date: 28/05/2012.
Identifiers: FGA-2012-19, sk74640, VIGILANCE-VUL-11656.

Description of the vulnerability

When a privileged malware is installed on victim's computer, it can inject data in his TCP sessions. However, if the malware is not privileged, it cannot do it.

TCP sequence and acknowledgment numbers are used to sort data. An attacker has to guess these numbers (and also IP addresses and ports, but the malware knows them via netstat), in order to inject malicious packets in an active TCP session.

Firewalls usually block TCP packets with a sequence number outside the expected window. However, when this feature is enabled, a remote attacker can send a series of packets:
 - if one of these packets went through the firewall, the malware (which for example reads packets counters, which are not always precise) indicates it to the remote attacker
 - if none of these packets went through, the malware indicates the attacker to send another series
So, after several iterations, the remote attacker guesses which sequence numbers are currently valid.

When an attacker installed an unprivileged malware on a client computer, and when a firewall is located between this client and a TCP server, an attacker who is located on the internet can guess valid sequence numbers, in order to inject data in this TCP session. This vulnerability also works be reversing the client and the server.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2008-5161

OpenSSH: information disclosure via CBC

Synthesis of the vulnerability

An attacker capturing an OpenSSH session has a low probability to obtain 32 bits of plain text.
Impacted products: Avaya Ethernet Routing Switch, CheckPoint Power-1 Appliance, SecurePlatform, CheckPoint Smart-1, CheckPoint UTM-1 Appliance, CheckPoint VSX-1, BIG-IP Hardware, TMOS, AIX, NetBSD, OpenSolaris, OpenSSH, Solaris, RHEL.
Severity: 1/4.
Consequences: data reading.
Provenance: LAN.
Creation date: 18/11/2008.
Revision date: 21/11/2008.
Identifiers: 247186, 6761890, BID-32319, CPNI-957037, CVE-2008-5161, NetBSD-SA2009-005, RHSA-2009:1287-02, sk36343, sol14609, VIGILANCE-VUL-8251, VU#958563.

Description of the vulnerability

The OpenSSH program encrypts data of sessions using a CBC (Cipher Block Chaining) algorithm by default.

If an attacker creates an error in the session,
 - he has one chance over 262144 (2^18) to obtain 32 bits of the unencrypted session
 - he has one chance over 16384 (2^14) to obtain 14 bits of the unencrypted session
This attack interrupts the SSH session, so the victim detects that a problem occurred.

This vulnerability does not impact the CTR (Counter) algorithm.

An attacker capturing an OpenSSH session, and injecting invalid data, thus has a low probability to obtain some bits of plain text.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.