The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of RedHat Enterprise Linux

vulnerability note CVE-2015-4476 CVE-2015-4500 CVE-2015-4501

Firefox, Thunderbird: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Firefox/Thunderbird.
Impacted products: Debian, Fedora, Firefox, SeaMonkey, Thunderbird, openSUSE, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 4/4.
Creation date: 23/09/2015.
Identifiers: CERTFR-2015-AVI-405, CVE-2015-4476, CVE-2015-4500, CVE-2015-4501, CVE-2015-4502, CVE-2015-4503, CVE-2015-4504, CVE-2015-4505, CVE-2015-4506, CVE-2015-4507, CVE-2015-4508, CVE-2015-4509, CVE-2015-4510, CVE-2015-4511, CVE-2015-4512, CVE-2015-4516, CVE-2015-4517, CVE-2015-4519, CVE-2015-4520, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174, CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7178, CVE-2015-7179, CVE-2015-7180, CVE-2015-7327, DSA-3365-1, FEDORA-2015-15831, FEDORA-2015-15832, FEDORA-2015-16455, FEDORA-2015-480a88a4c8, MFSA-2015-100, MFSA-2015-101, MFSA-2015-102, MFSA-2015-103, MFSA-2015-104, MFSA-2015-105, MFSA-2015-106, MFSA-2015-107, MFSA-2015-108, MFSA-2015-109, MFSA-2015-110, MFSA-2015-111, MFSA-2015-112, MFSA-2015-113, MFSA-2015-114, MFSA-2015-96, MFSA-2015-97, MFSA-2015-98, MFSA-2015-99, openSUSE-SU-2015:1658-1, openSUSE-SU-2015:1679-1, openSUSE-SU-2015:1681-1, RHSA-2015:1834-01, RHSA-2015:1834-02, RHSA-2015:1852-01, SSA:2015-265-01, SSA:2015-274-01, SSA:2015-274-03, SUSE-SU-2015:1680-1, SUSE-SU-2015:1703-1, SUSE-SU-2015:2081-1, USN-2743-1, USN-2743-2, USN-2743-3, USN-2743-4, USN-2754-1, VIGILANCE-VUL-17954, ZDI-15-646.

Description of the vulnerability

Several vulnerabilities were announced in Firefox/Thunderbird.

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-4500, CVE-2015-4501, MFSA-2015-96]

An attacker can create a memory leak in mozTCPSocket, in order to trigger a denial of service. [severity:2/4; CVE-2015-4503, MFSA-2015-97]

An attacker can force a read at an invalid address in QCMS, in order to trigger a denial of service. [severity:2/4; CVE-2015-4504, MFSA-2015-98]

An attacker can spoof a URL on Android. [severity:2/4; CVE-2015-4476, MFSA-2015-99]

An attacker can bypass access restrictions of Mozilla Updater, in order to read or alter files. [severity:2/4; CVE-2015-4505, MFSA-2015-100]

An attacker can generate a buffer overflow in libvpx, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2015-4506, MFSA-2015-101]

An attacker can trigger a fatal error in SavedStacks, in order to trigger a denial of service. [severity:1/4; CVE-2015-4507, MFSA-2015-102]

An attacker can spoof a URL in reader mode. [severity:1/4; CVE-2015-4508, MFSA-2015-103]

An attacker can force the usage of a freed memory area in IndexedDB, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-4510, MFSA-2015-104]

An attacker can generate a buffer overflow in WebM, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-4511, MFSA-2015-105]

An attacker can force the usage of a freed memory area in HTML Media Content, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-4509, MFSA-2015-106, ZDI-15-646]

An attacker can force a read at an invalid address in 2D Canvas on Linux with 16-bit color depth, in order to trigger a denial of service. [severity:1/4; CVE-2015-4512, MFSA-2015-107]

An attacker can use a Scripted Proxy, in order to access a window. [severity:2/4; CVE-2015-4502, MFSA-2015-108]

An attacker can bypass security features of a JavaScript Immutable Property, in order to escalate his privileges. [severity:3/4; CVE-2015-4516, MFSA-2015-109]

An attacker can use a drag-and-drop, in order to obtain sensitive information. [severity:3/4; CVE-2015-4519, MFSA-2015-110]

An attacker can bypass security features in CORS, in order to escalate his privileges. [severity:3/4; CVE-2015-4520, MFSA-2015-111]

An unknown vulnerability was announced. [severity:3/4; CVE-2015-4517, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174, CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7180, MFSA-2015-112]

An attacker can generate a memory corruption in libGLES, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-7178, CVE-2015-7179, MFSA-2015-113]

An attacker can bypass security features in High Resolution Time API, in order to obtain sensitive information. [severity:2/4; CVE-2015-7327, MFSA-2015-114]
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability CVE-2015-5567 CVE-2015-5568 CVE-2015-5570

Adobe Flash Player: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Adobe Flash Player.
Impacted products: Flash Player, Chrome, Edge, IE, openSUSE, Opera, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 4/4.
Creation date: 22/09/2015.
Identifiers: 2755801, 451, APSB15-23, CERTFR-2015-AVI-404, CVE-2015-5567, CVE-2015-5568, CVE-2015-5570, CVE-2015-5571, CVE-2015-5572, CVE-2015-5573, CVE-2015-5574, CVE-2015-5575, CVE-2015-5576, CVE-2015-5577, CVE-2015-5578, CVE-2015-5579, CVE-2015-5580, CVE-2015-5581, CVE-2015-5582, CVE-2015-5584, CVE-2015-5587, CVE-2015-5588, CVE-2015-6676, CVE-2015-6677, CVE-2015-6678, CVE-2015-6679, CVE-2015-6682, openSUSE-SU-2015:1616-1, openSUSE-SU-2015:1781-1, RHSA-2015:1814-01, SUSE-SU-2015:1614-1, SUSE-SU-2015:1618-1, VIGILANCE-VUL-17945, ZDI-15-446, ZDI-15-447.

Description of the vulnerability

Several vulnerabilities were announced in Adobe Flash Player.

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-5573]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-5570, ZDI-15-447]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-5574]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-5581]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-5584]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-6682]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-6676]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-6678, ZDI-15-446]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-5575]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-5577]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-5578]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-5580]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-5582]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-5588]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-6677]

An attacker can use a vulnerability in JSONP Callback API, in order to run code. [severity:3/4; CVE-2015-5571]

An attacker can create a memory leak, in order to trigger a denial of service. [severity:2/4; CVE-2015-5576]

An attacker can use a vulnerability in Vector Length Corruption, in order to run code. [severity:4/4; CVE-2015-5568]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-5567]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-5579]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-5587]

An attacker can bypass security features, in order to obtain sensitive information. [severity:2/4; CVE-2015-5572]

An attacker can bypass security features in same-origin-policy, in order to obtain sensitive information. [severity:2/4; CVE-2015-6679]

computer vulnerability alert CVE-2015-5279

QEMU: buffer overflow of ne2000_receive

Synthesis of the vulnerability

An attacker privileged in a guest system can generate a buffer overflow in ne2000_receive of QEMU, in order to trigger a denial of service, and possibly to run code on the host system.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, oVirt, QEMU, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 15/09/2015.
Identifiers: CVE-2015-5279, DSA-3361-1, DSA-3362-1, FEDORA-2015-015aec3bf2, FEDORA-2015-16368, FEDORA-2015-16369, FEDORA-2015-efc1d7ba5e, RHSA-2015:1896-01, RHSA-2015:1924-01, RHSA-2015:1925-01, RHSA-2015:2065-01, SOL63519101, SUSE-SU-2015:1782-1, SUSE-SU-2016:1698-1, SUSE-SU-2016:1785-1, USN-2745-1, VIGILANCE-VUL-17896.

Description of the vulnerability

The QEMU product emulates an NE2000 network device.

However, if the size of the received data is greater than NE2000_MEM_SIZE (49152 bytes), a buffer overflow occurs.

An attacker privileged in a guest system can therefore generate a buffer overflow in ne2000_receive of QEMU, in order to trigger a denial of service, and possibly to run code on the host system.

computer vulnerability bulletin CVE-2015-6908

OpenLDAP: denial of service via ber_get_next

Synthesis of the vulnerability

An attacker can send a malicious LDAP packet, to force an assertion error in the ber_get_next() function of OpenLDAP, in order to trigger a denial of service.
Impacted products: Debian, OpenLDAP, openSUSE, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 10/09/2015.
Identifiers: CERTFR-2015-AVI-388, CVE-2015-6908, DSA-3356-1, ITS#8240, openSUSE-SU-2016:0226-1, openSUSE-SU-2016:0255-1, openSUSE-SU-2016:0261-1, RHSA-2015:1840-01, SUSE-SU-2016:0224-1, USN-2742-1, VIGILANCE-VUL-17868.

Description of the vulnerability

The LDAP protocol uses the ASN.1 format, with a BER encoding.

The ber_get_next() function of the libraries/liblber/io.c file of OpenLDAP walks through the data and decodes a BER record. However, when the pointer is outside the data area, an assertion error occurs because developers did not expect this case, which stops the process.

An attacker can therefore send a malicious LDAP packet, to force an assertion error in the ber_get_next() function of OpenLDAP, in order to trigger a denial of service.

vulnerability CVE-2014-9767 CVE-2015-6834 CVE-2015-6835

PHP: eight vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, openSUSE, openSUSE Leap, PHP, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu.
Severity: 3/4.
Creation date: 07/09/2015.
Identifiers: 69782, 70172, 70219, 70345, 70350, 70365, 70366, 70388, CERTFR-2015-AVI-387, CVE-2014-9767, CVE-2015-6834, CVE-2015-6835, CVE-2015-6836, CVE-2015-6837, CVE-2015-6838, DSA-3358-1, FEDORA-2015-14976, FEDORA-2015-14977, FEDORA-2015-15274, FEDORA-2015-15275, openSUSE-SU-2015:1628-1, openSUSE-SU-2016:1167-1, openSUSE-SU-2016:1173-1, RHSA-2016:0457-01, RHSA-2016:2750-01, SOL17377, SSA:2015-274-02, SUSE-SU-2015:1633-1, SUSE-SU-2015:1701-1, SUSE-SU-2015:1818-1, SUSE-SU-2016:1145-1, SUSE-SU-2016:1166-1, SUSE-SU-2016:1581-1, SUSE-SU-2016:1638-1, USN-2758-1, USN-2952-1, USN-2952-2, VIGILANCE-VUL-17820.

Description of the vulnerability

Several vulnerabilities were announced in PHP.

An attacker can force the usage of a freed memory area in unserialize, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 70172, CVE-2015-6834]

An attacker can force the usage of a freed memory area in Session Deserializer, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 70219, CVE-2015-6835]

An attacker can generate a memory corruption in pcre_exec(), in order to trigger a denial of service, and possibly to run code. [severity:2/4; 70345]

An attacker can generate a memory corruption in serialize_function_call(), in order to trigger a denial of service, and possibly to run code. [severity:3/4; 70388, CVE-2015-6836]

An attacker can force the usage of a freed memory area in SplObjectStorage unserialize(), in order to trigger a denial of service, and possibly to run code. [severity:3/4; 70365, CVE-2015-6834]

An attacker can force the usage of a freed memory area in SplDoublyLinkedList unserialize(), in order to trigger a denial of service, and possibly to run code. [severity:3/4; 70366, CVE-2015-6834]

An attacker can force a NULL pointer to be dereferenced in XSLTProcessor, in order to trigger a denial of service. [severity:1/4; 69782, CVE-2015-6837, CVE-2015-6838]

An attacker can traverse directories in ZipArchive::extractTo, in order to create a directory outside the root path. [severity:2/4; 70350, CVE-2014-9767]

computer vulnerability bulletin CVE-2015-5722

BIND: denial of service via DNSSEC Key

Synthesis of the vulnerability

An attacker can query BIND for a domain containing a malformed DNSSEC key, to force an assertion error in buffer.c, in order to trigger a denial of service.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, BIND, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 03/09/2015.
Identifiers: bulletinjul2015, c04800156, c04891218, c04923105, CERTFR-2015-AVI-389, CVE-2015-5722, DSA-3350-1, FEDORA-2015-14958, FEDORA-2015-15041, FEDORA-2015-15061, FreeBSD-SA-15:23.bind, HPSBUX03511, HPSBUX03522, HPSBUX03529, openSUSE-SU-2015:1597-1, openSUSE-SU-2015:1667-1, RHSA-2015:1705-01, RHSA-2015:1706-01, RHSA-2015:1707-01, RHSA-2016:0078-01, RHSA-2016:0079-01, SOL17181, SSA:2015-245-01, SSRT102248, SSRT102942, SSRT102967, SUSE-SU-2015:1480-1, SUSE-SU-2015:1481-1, SUSE-SU-2015:1496-1, SUSE-SU-2016:0227-1, USN-2728-1, VIGILANCE-VUL-17798.

Description of the vulnerability

The BIND product can be configured with DNSSEC.

In this case, when a client queries BIND for information about a domain, the BIND server validates the DNSSEC key of this domain. However, when this key is malformed, an assertion error occurs in the buffer.c file because developers did not expect this case, which stops the process.

This vulnerability impacts recursive DNS servers. It impacts authoritative servers only when an attacker can control a zone served by that server.

An attacker can therefore query BIND for a domain containing a malformed DNSSEC key, to force an assertion error in buffer.c, in order to trigger a denial of service.

vulnerability note CVE-2015-1291 CVE-2015-1292 CVE-2015-1293

Google Chrome: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Google Chrome.
Impacted products: Debian, Chrome, openSUSE, openSUSE Leap, Opera, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 4/4.
Creation date: 02/09/2015.
Identifiers: CERTFR-2015-AVI-366, CVE-2015-1291, CVE-2015-1292, CVE-2015-1293, CVE-2015-1294, CVE-2015-1295, CVE-2015-1296, CVE-2015-1297, CVE-2015-1298, CVE-2015-1299, CVE-2015-1300, CVE-2015-1301, CVE-2015-6580, CVE-2015-6581, CVE-2015-6582, CVE-2015-6583, DSA-3351-1, openSUSE-SU-2015:1586-1, openSUSE-SU-2015:1867-1, openSUSE-SU-2015:1872-1, openSUSE-SU-2015:1873-1, openSUSE-SU-2015:1876-1, openSUSE-SU-2015:1877-1, openSUSE-SU-2015:1887-1, openSUSE-SU-2015:2368-1, RHSA-2015:1712-01, USN-2735-1, VIGILANCE-VUL-17794.

Description of the vulnerability

Several vulnerabilities were announced in Google Chrome.

An attacker can trigger a Cross-Origin Bypass in DOM, in order to run code in the context of another web site. [severity:4/4; CVE-2015-1291]

An attacker can trigger a Cross-Origin Bypass in ServiceWorker, in order to run code in the context of another web site. [severity:4/4; CVE-2015-1292]

An attacker can trigger a Cross-Origin Bypass in DOM, in order to run code in the context of another web site. [severity:4/4; CVE-2015-1293]

An attacker can force the usage of a freed memory area in Skia, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-1294]

An attacker can force the usage of a freed memory area in Printing, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-1295]

An attacker can use a vulnerability in Omnibox, in order to run code. [severity:4/4; CVE-2015-1296]

An attacker can bypass security features in WebRequest, in order to escalate his privileges. [severity:3/4; CVE-2015-1297]

An attacker can bypass URL validation in extensions. [severity:3/4; CVE-2015-1298]

An attacker can force the usage of a freed memory area in Blink, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-1299]

An attacker can bypass security features in Blink, in order to obtain sensitive information. [severity:2/4; CVE-2015-1300]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-1301]

An unknown vulnerability was announced in V8. [severity:3/4; CVE-2015-6580]

An attacker can force the usage of a freed memory area in opj_j2k_copy_default_tcp_and_create_tcd, in order to trigger a denial of service, and possibly to run code (VIGILANCE-VUL-18045). [severity:4/4; CVE-2015-6581]

An attacker can force a read at an invalid address in Blink, in order to trigger a denial of service. [severity:1/4; CVE-2015-6582]

An attacker can spoof the location bar. [severity:2/4; CVE-2015-6583]

computer vulnerability note CVE-2015-0254

Jakarta Tag Library: external XML entity injection

Synthesis of the vulnerability

An attacker can transmit malicious XML data to Jakarta Tag Library, in order to read a file, scan sites, or trigger a denial of service.
Impacted products: Tivoli Workload Scheduler, WebSphere AS Traditional, Notes, openSUSE, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 31/08/2015.
Identifiers: 1978495, 1989475, 1995377, 7014463, CVE-2015-0254, openSUSE-SU-2015:1751-1, RHSA-2015:1695-01, RHSA-2016:0121-01, RHSA-2016:0122-01, RHSA-2016:0123-01, RHSA-2016:0124-01, RHSA-2016:0125-01, RHSA-2016:1838-01, RHSA-2016:1839-01, RHSA-2016:1840-01, RHSA-2016:1841-01, SUSE-SU-2017:1568-1, SUSE-SU-2017:1701-1, USN-2551-1, VIGILANCE-VUL-17779.

Description of the vulnerability

XML data can contain external entities (DTD):
  <!ENTITY name SYSTEM "file">
  <!ENTITY name SYSTEM "http://server/file">
A program that reads this XML data can replace these entities with the content of the indicated file or URL. When the program processes XML data from an untrusted source, this behavior leads to:
 - disclosure of the content of files on the server
 - scanning of private web sites reachable from the server
 - a denial of service, by opening a file whose read blocks
This feature must be disabled when processing XML data from an untrusted source.

However, the XML parser used by Jakarta Tag Library resolves external entities.

An attacker can therefore transmit malicious XML data to Jakarta Tag Library, in order to read a file, scan sites, or trigger a denial of service.

vulnerability bulletin CVE-2015-3214

Linux kernel, QEMU: kernel memory read via i8254

Synthesis of the vulnerability

An attacker who controls a QEMU/KVM guest system can read a register from an emulated i8254 chip, in order to get potentially sensitive information.
Impacted products: Debian, Fedora, Linux, QEMU, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 26/06/2015.
Revision date: 31/08/2015.
Identifiers: CVE-2015-3214, DSA-3348-1, FEDORA-2015-13402, FEDORA-2015-13404, RHSA-2015:1507-01, RHSA-2015:1508-01, RHSA-2015:1512-01, SUSE-SU-2016:1560-1, SUSE-SU-2016:1698-1, SUSE-SU-2016:1703-1, SUSE-SU-2016:1785-1, USN-2692-1, VIGILANCE-VUL-17243.

Description of the vulnerability

The Linux kernel includes code from QEMU for hardware emulation in KVM.

The i8254 component is in charge of clock interrupts. It has write-only I/O registers. However, the pit_ioport_read() function defined in "hw/timer/i8254.c" (QEMU) or "arch/x86/kvm/i8254.c" (Linux) does not block read access.

An attacker who controls a QEMU/KVM guest system can therefore read a register from an emulated i8254 chip, in order to get potentially sensitive information.

vulnerability note CVE-2015-3240

Openswan: denial of service via IKE Diffie-Hellman

Synthesis of the vulnerability

An attacker can send a malicious IKE packet, to force an assertion error in a DH computation by Openswan, in order to trigger a denial of service.
Impacted products: Openswan, RHEL.
Severity: 3/4.
Creation date: 28/08/2015.
Identifiers: CVE-2015-3240, RHSA-2015:1979-01, VIGILANCE-VUL-17774.

Description of the vulnerability

The Openswan product can be compiled with NSS.

The NSS library performs exponentiation computations for Diffie-Hellman.

When Openswan receives an IKE packet whose g^x value is zero, it asks NSS to perform the next exponentiation. As NSS cannot perform this operation on zero, it returns NULL. However, Openswan does not expect this case and calls passert(), so an assertion error occurs, which stops the process.

An attacker can therefore send a malicious IKE packet, to force an assertion error in a DH computation by Openswan, in order to trigger a denial of service.