The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of RHEL

computer vulnerability note CVE-2014-8086

Linux kernel: denial of service via F_SETFL and O_DIRECT

Synthesis of the vulnerability

A local attacker can manipulate F_SETFL and O_DIRECT on the Linux kernel, in order to trigger a denial of service.
Impacted products: Fedora, Linux, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 10/10/2014.
Identifiers: CERTFR-2014-AVI-455, CERTFR-2014-AVI-528, CERTFR-2015-AVI-093, CVE-2014-8086, FEDORA-2014-13558, FEDORA-2014-13773, RHSA-2015:0290-01, RHSA-2015:0694-01, SUSE-SU-2015:1071-1, SUSE-SU-2015:1376-1, SUSE-SU-2015:1478-1, USN-2447-1, USN-2447-2, USN-2448-1, USN-2448-2, VIGILANCE-VUL-15459.

Description of the vulnerability

The fcntl(F_SETFL) call sets the flags of a file. The O_DIRECT flag indicates that data should be transferred synchronously if possible.

However, when this flag is set and reset in quick succession, a fatal race condition occurs in the ext4_file_write_iter() function.

A local attacker can therefore manipulate F_SETFL and O_DIRECT on the Linux kernel, in order to trigger a denial of service.

computer vulnerability announce CVE-2014-7975

Linux kernel: denial of service via do_umount

Synthesis of the vulnerability

An attacker can unmount a file system on the Linux kernel, in order to trigger a denial of service.
Impacted products: Fedora, QRadar SIEM, Linux, MBS, openSUSE, RHEL, Ubuntu.
Severity: 1/4.
Creation date: 09/10/2014.
Identifiers: 2011746, CERTFR-2014-AVI-495, CVE-2014-7975, FEDORA-2014-13020, FEDORA-2014-13045, MDVSA-2014:201, openSUSE-SU-2014:1677-1, RHSA-2017:1842-01, RHSA-2017:2077-01, USN-2415-1, USN-2416-1, USN-2417-1, USN-2418-1, USN-2419-1, USN-2420-1, USN-2421-1, VIGILANCE-VUL-15457.

Description of the vulnerability

The umount() call is used to unmount a file system.

However, the do_umount() function of the fs/namespace.c file does not check whether the user has the CAP_SYS_ADMIN privilege before allowing the file system to be unmounted.

An attacker can therefore unmount a file system on the Linux kernel, in order to trigger a denial of service.

computer vulnerability CVE-2014-7970

Linux kernel: infinite loop of pivot_root

Synthesis of the vulnerability

An attacker can generate an infinite loop in the pivot_root() function of the Linux kernel, in order to trigger a denial of service.
Impacted products: Fedora, QRadar SIEM, Linux, MBS, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 09/10/2014.
Identifiers: 2011746, CERTFR-2014-AVI-495, CERTFR-2014-AVI-528, CERTFR-2015-AVI-081, CVE-2014-7970, FEDORA-2014-13020, FEDORA-2014-13045, MDVSA-2014:230, RHSA-2017:1842-01, RHSA-2017:2077-01, SUSE-SU-2015:0581-1, SUSE-SU-2015:0736-1, USN-2419-1, USN-2420-1, USN-2447-1, USN-2447-2, USN-2448-1, USN-2448-2, USN-2513-1, USN-2514-1, VIGILANCE-VUL-15455.

Description of the vulnerability

The pivot_root() system call changes the file system root for the current process.

However, if it is called with pivot_root(".", "."), when located outside the chroot, a loop occurs.

An attacker can therefore generate an infinite loop in the pivot_root() function of the Linux kernel, in order to trigger a denial of service.

vulnerability alert CVE-2014-3640

QEMU: NULL pointer dereference via sosendto

Synthesis of the vulnerability

A local attacker can force a NULL pointer to be dereferenced in the sosendto() function of QEMU, in order to trigger a denial of service.
Impacted products: Debian, Fedora, MBS, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Creation date: 06/10/2014.
Identifiers: CVE-2014-3640, DSA-3044-1, DSA-3045-1, FEDORA-2014-11641, MDVSA-2014:220, MDVSA-2015:061, RHSA-2015:0349-01, RHSA-2015:0624-01, SUSE-SU-2016:0873-1, SUSE-SU-2016:0955-1, SUSE-SU-2016:1154-1, SUSE-SU-2016:1318-1, SUSE-SU-2016:1745-1, USN-2409-1, VIGILANCE-VUL-15441.

Description of the vulnerability

The QEMU product implements SLiRP, which emulates PPP, SLIP or CSLIP.

However, the udp_input() function of the slirp/udp.c file does not check whether a pointer is NULL before sosendto() uses it.

A local attacker can therefore force a NULL pointer to be dereferenced in the sosendto() function of QEMU, in order to trigger a denial of service.

vulnerability CVE-2014-3657

libvirt: denial of service via virConnectListAllDomains

Synthesis of the vulnerability

An attacker can lock the virConnectListAllDomains() function of libvirt, in order to trigger a denial of service.
Impacted products: Fedora, MBS, openSUSE, RHEL, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Creation date: 03/10/2014.
Identifiers: CVE-2014-3657, FEDORA-2014-15228, MDVSA-2014:195, MDVSA-2015:115, openSUSE-SU-2014:1290-1, openSUSE-SU-2014:1293-1, RHSA-2014:1352-01, RHSA-2014:1873-01, USN-2404-1, VIGILANCE-VUL-15440.

Description of the vulnerability

The libvirt library provides a standard interface on several virtualization products (Xen, QEMU, KVM, etc.).

The virConnectListAllDomains() function is used to list domains. However, if it is called with a second parameter set to NULL, it ends prematurely, and a lock is not freed.

An attacker can therefore lock the virConnectListAllDomains() function of libvirt, in order to trigger a denial of service.

computer vulnerability announce CVE-2014-3634

RSYSLOG: integer overflow of PRI

Synthesis of the vulnerability

An attacker can generate an integer overflow via PRI in RSYSLOG, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Debian, Fedora, AIX, MBS, openSUSE, Solaris, RHEL, RSYSLOG, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 30/09/2014.
Identifiers: bulletinoct2015, CVE-2014-3634, DSA-3040-1, FEDORA-2014-12503, FEDORA-2014-12878, FEDORA-2014-12910, MDVSA-2014:196, MDVSA-2015:130, openSUSE-SU-2014:1297-1, openSUSE-SU-2014:1298-1, RHSA-2014:1397-01, RHSA-2014:1654-01, RHSA-2014:1671-01, SUSE-SU-2014:1294-1, USN-2381-1, VIGILANCE-VUL-15427.

Description of the vulnerability

The RSYSLOG product analyzes messages in the SYSLOG format:
  <PRI> HEADER MSG
The PRI field indicates the priority, which is composed of the message Facility and Severity.

However, if PRI is larger than 191, an array related to the Facility overflows in RSYSLOG.

When RSYSLOG is configured to accept SYSLOG messages from the network, this vulnerability can be remotely exploited.

An attacker can therefore generate an integer overflow via PRI in RSYSLOG, in order to trigger a denial of service, and possibly to execute code.
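The bounds check this entry turns on, as an added example (not RSYSLOG's code): a PRI parser that refuses values above 191 before the facility (PRI / 8) is used as an array index. The function names, the facility table and the fallback value 13 are assumptions made for this sketch.

```c
#include <ctype.h>
#include <stddef.h>

#define MAX_PRI     191   /* 23 * 8 + 7: highest facility, highest severity code */
#define DEFAULT_PRI 13    /* user.notice; fallback assumed for this example */

/* 24 facility names, indexes 0..23 (table constructed for this example). */
static const char *const facility_names[24] = {
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3",
    "local4", "local5", "local6", "local7"
};

/* Parse "<PRI>" at the start of msg.
 * Returns the PRI (0..191), or -1 if it is malformed or out of range. */
int parse_pri(const char *msg)
{
    int pri = 0;
    size_t i = 1, digits = 0;

    if (msg == NULL || msg[0] != '<')
        return -1;
    while (isdigit((unsigned char)msg[i])) {
        if (++digits > 3)          /* 3 digits max: also keeps pri from wrapping */
            return -1;
        pri = pri * 10 + (msg[i] - '0');
        i++;
    }
    if (digits == 0 || msg[i] != '>' || pri > MAX_PRI)
        return -1;                 /* PRI > 191 would index past facility 23 */
    return pri;
}

/* Facility name for a message; an invalid PRI falls back to DEFAULT_PRI
 * instead of being used as an index. */
const char *facility_of(const char *msg)
{
    int pri = parse_pri(msg);
    if (pri < 0)
        pri = DEFAULT_PRI;
    return facility_names[pri >> 3];
}

/* Severity (0..7) for a message, with the same fallback. */
int severity_of(const char *msg)
{
    int pri = parse_pri(msg);
    return (pri < 0 ? DEFAULT_PRI : pri) & 7;
}
```

Without the `pri > MAX_PRI` test, a PRI of 192 yields facility index 24, one past the end of the 24-entry table.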

computer vulnerability note CVE-2014-7186 CVE-2014-7187

bash: two denials of service

Synthesis of the vulnerability

An attacker can use several vulnerabilities of bash.
Impacted products: GAiA, CheckPoint IP Appliance, IPSO, SecurePlatform, CheckPoint Security Appliance, CheckPoint Smart-1, CheckPoint VSX-1, XenServer, Clearswift Email Gateway, Clearswift Web Gateway, Avamar, EMC CAVA, EMC CEE, EMC CEPA, Celerra FAST, Celerra NS, Celerra NX4, EMC CMDCE, Connectrix Switch, NetWorker, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, HP Operations, AIX, IVE OS, Junos Space, MAG Series by Juniper, NSM Central Manager, NSMXpress, Juniper SA, Juniper UAC, MBS, McAfee Email and Web Security, McAfee Email Gateway, McAfee MOVE AntiVirus, McAfee NSP, McAfee NGFW, McAfee Web Gateway, openSUSE, Solaris, RealPresence Collaboration Server, RealPresence Distributed Media Application, Polycom VBP, RHEL, RSA Authentication Manager, ROX, RuggedSwitch, Stonesoft NGFW/VPN, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive, ESX, vCenter Server, VMware vSphere.
Severity: 1/4.
Creation date: 29/09/2014.
Identifiers: 193355, 193866, 194029, 194064, 194669, 480931, c04475942, c04479492, CERTFR-2014-AVI-403, CERTFR-2014-AVI-415, CERTFR-2014-AVI-480, CTX200217, CTX200223, CVE-2014-7186, CVE-2014-7187, ESA-2014-111, ESA-2014-123, ESA-2014-124, ESA-2014-125, ESA-2014-126, ESA-2014-127, ESA-2014-128, ESA-2014-133, ESA-2014-136, ESA-2014-150, ESA-2014-151, ESA-2014-152, ESA-2014-162, HPSBGN03138, HPSBMU03144, JSA10648, JSA10661, MDVSA-2015:164, openSUSE-SU-2014:1229-1, openSUSE-SU-2014:1242-1, openSUSE-SU-2014:1248-1, openSUSE-SU-2014:1308-1, openSUSE-SU-2014:1310-1, RHSA-2014:1311-01, RHSA-2014:1312-01, RHSA-2014:1354-01, RHSA-2014:1865-01, SB10085, sk102673, SOL15629, SSA-860967, SUSE-SU-2014:1247-1, SUSE-SU-2014:1247-2, T1021272, USN-2364-1, VIGILANCE-VUL-15419, VMSA-2014-0010, VMSA-2014-0010.10, VMSA-2014-0010.11, VMSA-2014-0010.12, VMSA-2014-0010.13, VMSA-2014-0010.2, VMSA-2014-0010.4, VMSA-2014-0010.7, VMSA-2014-0010.8, VMSA-2014-0010.9.

Description of the vulnerability

Several vulnerabilities were announced in bash.

An attacker can force a read at an invalid address in redir_stack, in order to trigger a denial of service. [severity:1/4; CVE-2014-7186]

An attacker can generate a buffer overflow of one byte in word_lineno, in order to trigger a denial of service, and possibly to execute code. [severity:1/4; CVE-2014-7187]

computer vulnerability bulletin CVE-2014-3633

libvirt: read of unreachable memory via qemuDomainGetBlockIoTune

Synthesis of the vulnerability

An attacker can force a read at an invalid address in qemuDomainGetBlockIoTune() of libvirt, in order to trigger a denial of service.
Impacted products: Debian, Fedora, MBS, openSUSE, RHEL, Ubuntu.
Severity: 2/4.
Creation date: 29/09/2014.
Identifiers: CVE-2014-3633, DSA-3038-1, FEDORA-2014-15228, MDVSA-2014:195, MDVSA-2015:115, openSUSE-SU-2014:1290-1, openSUSE-SU-2014:1293-1, RHSA-2014:1352-01, RHSA-2014:1873-01, USN-2366-1, VIGILANCE-VUL-15418.

Description of the vulnerability

The libvirt library provides a standard interface on several virtualization products (Xen, QEMU, KVM, etc.).

However, the qemuDomainGetBlockIoTune() function tries to read a memory area which is not reachable, which triggers a fatal error.

An attacker can therefore force a read at an invalid address in qemuDomainGetBlockIoTune() of libvirt, in order to trigger a denial of service.

vulnerability alert CVE-2014-7169

bash: code execution via Function Variable

Synthesis of the vulnerability

An attacker can define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.
Impacted products: Arkoon FAST360, GAiA, CheckPoint IP Appliance, IPSO, SecurePlatform, CheckPoint Security Appliance, CheckPoint Smart-1, CheckPoint VSX-1, Cisco ASR, Cisco ACE, ASA, IOS XE Cisco, Cisco IPS, IronPort Encryption, Nexus by Cisco, NX-OS, Secure ACS, Cisco CUCM, Cisco Unified CCX, XenServer, Clearswift Email Gateway, Clearswift Web Gateway, Debian, Avamar, EMC CAVA, EMC CEE, EMC CEPA, Celerra FAST, Celerra NS, Celerra NX4, EMC CMDCE, Connectrix Switch, NetWorker, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiManager, FortiManager Virtual Appliance, HP Operations, AIX, IVE OS, Junos Space, MAG Series by Juniper, NSM Central Manager, NSMXpress, Juniper SA, Juniper UAC, MBS, McAfee Email and Web Security, McAfee Email Gateway, McAfee MOVE AntiVirus, McAfee NSP, McAfee NGFW, McAfee Web Gateway, openSUSE, Solaris, pfSense, RealPresence Collaboration Server, RealPresence Distributed Media Application, Polycom VBP, RHEL, RSA Authentication Manager, ROX, RuggedSwitch, Slackware, Stonesoft NGFW/VPN, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive, ESX, vCenter Server, VMware vSphere, WindRiver Linux.
Severity: 3/4.
Creation date: 25/09/2014.
Identifiers: 193355, 193866, 194029, 194064, 194669, 480931, c04475942, c04479492, CERTFR-2014-AVI-403, CERTFR-2014-AVI-415, CERTFR-2014-AVI-480, cisco-sa-20140926-bash, CTX200217, CTX200223, CVE-2014-3659-REJECT, CVE-2014-7169, DSA-3035-1, ESA-2014-111, ESA-2014-123, ESA-2014-124, ESA-2014-125, ESA-2014-126, ESA-2014-127, ESA-2014-128, ESA-2014-133, ESA-2014-136, ESA-2014-150, ESA-2014-151, ESA-2014-152, ESA-2014-162, FEDORA-2014-11514, FEDORA-2014-11527, FEDORA-2014-12202, FG-IR-14-030, HPSBGN03138, HPSBMU03144, JSA10648, JSA10661, MDVSA-2014:190, MDVSA-2015:164, openSUSE-SU-2014:1229-1, openSUSE-SU-2014:1242-1, openSUSE-SU-2014:1248-1, openSUSE-SU-2014:1308-1, openSUSE-SU-2014:1310-1, pfSense-SA-14_18.packages, RHSA-2014:1306-01, RHSA-2014:1311-01, RHSA-2014:1312-01, RHSA-2014:1354-01, RHSA-2014:1865-01, SB10085, sk102673, SOL15629, SSA:2014-268-01, SSA:2014-268-02, SSA-860967, SUSE-SU-2014:1247-1, SUSE-SU-2014:1247-2, T1021272, USN-2363-1, USN-2363-2, VIGILANCE-VUL-15401, VMSA-2014-0010, VMSA-2014-0010.10, VMSA-2014-0010.11, VMSA-2014-0010.12, VMSA-2014-0010.13, VMSA-2014-0010.2, VMSA-2014-0010.4, VMSA-2014-0010.7, VMSA-2014-0010.8, VMSA-2014-0010.9, VN-2014-002.

Description of the vulnerability

The bulletin VIGILANCE-VUL-15399 describes a vulnerability of bash.

However, the offered patch (VIGILANCE-SOL-36695) is incomplete. A variant of the initial attack can thus still be used to execute code or to create a file.

In this case, the code is run when the variable is parsed (which is not necessarily an environment variable), and not when the shell starts. The impact may thus be lower, but this was not confirmed.

An attacker can therefore define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.

vulnerability CVE-2014-1568

NSS, CyaSSL, GnuTLS: bypassing the certification chain via ASN.1

Synthesis of the vulnerability

An attacker can create a malicious X.509 certificate, which is accepted as valid, in order to deceive services using the RSA signature (such as SSL/TLS sessions).
Impacted products: Debian, Fedora, Junos Space, MBS, Firefox, NSS, SeaMonkey, Thunderbird, openSUSE, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Creation date: 25/09/2014.
Identifiers: BERserk, CERTFR-2014-AVI-401, CERTFR-2015-AVI-431, CERTFR-2016-AVI-300, CVE-2014-1568, DSA-3033-1, DSA-3034-1, DSA-3037-1, FEDORA-2014-11518, FEDORA-2014-11565, FEDORA-2014-11744, FEDORA-2014-11745, JSA10698, MDVSA-2014:189, MDVSA-2015:059, MFSA 2014-73, openSUSE-SU-2014:1224-1, openSUSE-SU-2014:1232-1, RHSA-2014:1307-01, RHSA-2014:1354-01, RHSA-2014:1371-01, SSA:2014-267-02, SSA:2014-271-01, SSA:2014-271-02, SSA:2014-271-03, SUSE-SU-2014:1220-1, SUSE-SU-2014:1220-2, SUSE-SU-2014:1220-3, SUSE-SU-2014:1220-4, USN-2360-1, USN-2360-2, USN-2361-1, VIGILANCE-VUL-15400, VU#772676.

Description of the vulnerability

The NSS, CyaSSL and GnuTLS libraries implement cryptographic features, such as the RSA signature check.

The ASN.1 DigestInfo type is used to represent the hash algorithm and the hash value. The BER ASN.1 encoding allows sizes to be encoded in several ways. As a result, the ASN.1 parser reformats the DigestInfo data without reporting an error. An invalid RSA signature can then be accepted as valid.

An attacker can therefore create a malicious X.509 certificate, which is accepted as valid, in order to deceive services using the RSA signature (such as SSL/TLS sessions).
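The "several ways to encode a size" point, as an added example (not code from NSS, CyaSSL or GnuTLS): a length decoder with a lax BER mode and a strict mode that accepts only the single minimal DER form, plus a check of the outer DigestInfo SEQUENCE. The function names are hypothetical, and the indefinite form is refused in both modes for simplicity.

```c
#include <stddef.h>
#include <stdint.h>

/* Decode ASN.1 length octets at buf[0..len).
 * On success stores the content length in *out and returns the number of
 * length octets consumed; returns 0 on error.
 * strict == 0: any definite BER form is accepted.
 * strict != 0: only the unique minimal (DER) form is accepted. */
size_t asn1_read_length(const uint8_t *buf, size_t len, int strict, size_t *out)
{
    size_t n, i, value = 0;

    if (len == 0)
        return 0;
    if (buf[0] < 0x80) {              /* short form: one octet, 0..127 */
        *out = buf[0];
        return 1;
    }
    n = buf[0] & 0x7f;                /* long form: n length octets follow */
    if (n == 0 || n > sizeof(size_t) || n > len - 1)
        return 0;                     /* indefinite, oversized or truncated */
    if (strict && buf[1] == 0x00)
        return 0;                     /* leading zero octet: not minimal */
    for (i = 1; i <= n; i++)
        value = (value << 8) | buf[i];
    if (strict && value < 0x80)
        return 0;                     /* the short form was required */
    *out = value;
    return 1 + n;
}

/* Outer check for a decrypted DigestInfo: SEQUENCE tag (0x30), strict
 * length, and a content length that covers the buffer exactly, so that
 * no bytes can hide behind the structure. Returns 1 if acceptable. */
int digestinfo_outer_ok(const uint8_t *di, size_t len)
{
    size_t content = 0, used;

    if (len < 2 || di[0] != 0x30)
        return 0;
    used = asn1_read_length(di + 1, len - 1, 1, &content);
    return used != 0 && content == len - 1 - used;
}
```

The octets `31`, `81 31` and `84 00 00 00 31` all mean length 49 to the lax mode; only the first passes the strict mode, which leaves a signature verifier a single byte string to compare against.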