The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of SRX-Series

computer vulnerability CVE-2016-5419 CVE-2016-5420 CVE-2016-5421

cURL: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of cURL.
Impacted products: SDS, SES, SNS, OpenOffice, Mac OS X, Brocade vTM, curl, Debian, Fedora, Android OS, Juniper EX-Series, Junos OS, SRX-Series, openSUSE, openSUSE Leap, Solaris, Puppet, RHEL, Slackware, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, client access/rights, denial of service on service, denial of service on client.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 3.
Creation date: 03/08/2016.
Identifiers: bulletinoct2016, cpuoct2018, CVE-2016-5419, CVE-2016-5420, CVE-2016-5421, DLA-586-1, DSA-3638-1, FEDORA-2016-24316f1f56, FEDORA-2016-8354baae0f, HT207423, JSA10874, openSUSE-SU-2016:2227-1, openSUSE-SU-2016:2379-1, RHSA-2016:2575-02, RHSA-2018:3558-01, SSA:2016-219-01, STORM-2019-002, USN-3048-1, VIGILANCE-VUL-20295.

Description of the vulnerability

Several vulnerabilities were announced in cURL.

The TLS client of libcurl can resume a session even if the client certificate changed, which may lead to authentication with an incorrect identity. [severity:2/4; CVE-2016-5419]

The TLS client of libcurl can reuse a session even if the client certificate changed, which may lead to authentication with an incorrect identity. [severity:2/4; CVE-2016-5420]

An attacker can force the usage of a freed memory area via curl_easy_init(), in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-5421]

vulnerability note CVE-2016-4802

cURL: code execution via DLL searching

Synthesis of the vulnerability

An attacker can hijack the Windows DLL loading mechanism as used by cURL, in order to run code.
Impacted products: OpenOffice, curl, Juniper EX-Series, Junos OS, SRX-Series.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: user shell.
Creation date: 30/05/2016.
Identifiers: CVE-2016-4802, JSA10874, VIGILANCE-VUL-19724.

Description of the vulnerability

The product cURL is a multiprotocol client library.

On MS-Windows platforms, cURL may load some system libraries dynamically, on demand. However, the Windows function used for that, namely LoadLibrary, defaults to an insecure search path that includes unprotected locations. This allows a user to plant a DLL with the same name as the one being searched for, such as "ws2_32.dll". The planted library will then be found before the real one.

An attacker can therefore hijack the Windows DLL loading mechanism as used by cURL, in order to run code.

computer vulnerability announce CVE-2016-1886

FreeBSD: buffer overflow of atkbd

Synthesis of the vulnerability

An attacker can generate a buffer overflow in atkbd of FreeBSD, in order to trigger a denial of service, and possibly to run code with system privileges.
Impacted products: FreeBSD, Juniper J-Series, Junos OS, SRX-Series, pfSense.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, denial of service on server.
Provenance: user shell.
Creation date: 18/05/2016.
Identifiers: CERTFR-2017-AVI-111, CVE-2016-1886, FreeBSD-SA-16:18.atkbd, JSA10784, VIGILANCE-VUL-19647.

Description of the vulnerability

The FreeBSD system uses the atkbd driver to manage AT keyboards. This driver is required for syscons or vt consoles.

However, if the size of data sent to its ioctl is greater than the size of the storage array, an overflow occurs.

An attacker can therefore generate a buffer overflow in atkbd of FreeBSD, in order to trigger a denial of service, and possibly to run code with system privileges.

computer vulnerability CVE-2016-3739

cURL: Man-in-the-Middle of mbedTLS/PolarSSL

Synthesis of the vulnerability

An attacker can act as a Man-in-the-Middle on cURL compiled with mbedTLS/PolarSSL, in order to read or write data in the session.
Impacted products: OpenOffice, curl, Juniper EX-Series, Junos OS, SRX-Series, Solaris, Slackware.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet server.
Creation date: 18/05/2016.
Identifiers: bulletinoct2016, cpuoct2018, CVE-2016-3739, JSA10874, SSA:2016-141-01, VIGILANCE-VUL-19645.

Description of the vulnerability

The cURL product uses the TLS protocol, which can be provided by the mbedTLS/PolarSSL library.

The mbedtls_ssl_set_hostname() or ssl_set_hostname() function has to be called to define the server name, otherwise the X.509 certificate check is not performed by mbedTLS/PolarSSL.

However, cURL does not call these functions when the requested URL contains an IP address.

An attacker can therefore act as a Man-in-the-Middle on cURL compiled with mbedTLS/PolarSSL, in order to read or write data in the session.

computer vulnerability announce CVE-2015-7704 CVE-2015-8138 CVE-2016-1547

NTP.org: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of NTP.org.
Impacted products: SNS, ASA, Cisco Catalyst, IOS by Cisco, IOS XE Cisco, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Prime Infrastructure, Cisco Prime LMS, Cisco Router, Secure ACS, Cisco CUCM, Cisco MeetingPlace, Cisco Unity ~ precise, XenServer, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP Switch, AIX, Juniper EX-Series, Juniper J-Series, Junos OS, Junos Space, SRX-Series, McAfee Web Gateway, Meinberg NTP Server, NTP.org, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Palo Alto Firewall PA***, PAN-OS, pfSense, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Consequences: data reading, data creation/edition, denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 11.
Creation date: 27/04/2016.
Identifiers: bulletinapr2016, bulletinapr2019, c05270839, CERTFR-2016-AVI-153, CERTFR-2017-AVI-365, CERTFR-2018-AVI-545, cisco-sa-20160428-ntpd, cpujan2018, CTX220112, CVE-2015-7704, CVE-2015-8138, CVE-2016-1547, CVE-2016-1548, CVE-2016-1549, CVE-2016-1550, CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518, CVE-2016-2519, DLA-559-1, DSA-3629-1, FEDORA-2016-5b2eb0bf9c, FEDORA-2016-777d838c1b, FEDORA-2018-70c191d84a, FEDORA-2018-de113aeac6, FreeBSD-SA-16:16.ntp, HPESBHF03750, HPSBHF03646, JSA10776, JSA10796, JSA10824, JSA10826, JSA10898, K11251130, K20804323, K24613253, K43205719, K63675293, MBGSA-1602, openSUSE-SU-2016:1292-1, openSUSE-SU-2016:1329-1, openSUSE-SU-2016:1423-1, openSUSE-SU-2018:0970-1, PAN-SA-2016-0019, RHSA-2016:1141-01, RHSA-2016:1552-01, SB10164, SOL11251130, SOL20804323, SOL24613253, SOL41613034, SOL43205719, SOL45427159, SOL61200338, SOL63675293, SSA:2016-120-01, STORM-2016-003, STORM-2016-004, SUSE-SU-2016:1175-1, SUSE-SU-2016:1177-1, SUSE-SU-2016:1247-1, SUSE-SU-2016:1278-1, SUSE-SU-2016:1291-1, SUSE-SU-2016:1311-1, SUSE-SU-2016:1471-1, SUSE-SU-2016:1912-1, SUSE-SU-2016:2094-1, SUSE-SU-2018:1464-1, SUSE-SU-2018:1765-1, Synology-SA-18:13, Synology-SA-18:14, TALOS-2016-0081, TALOS-2016-0082, TALOS-2016-0083, TALOS-2016-0084, TALOS-2016-0132, USN-3096-1, USN-3349-1, VIGILANCE-VUL-19477, VU#718152.

Description of the vulnerability

Several vulnerabilities were announced in NTP.org.

The ntpd daemon can on certain systems accept packets from 127.0.0.0/8. [severity:1/4; CVE-2016-1551, TALOS-2016-0132]

An attacker can use a Sybil attack, in order to alter the system clock. [severity:2/4; CVE-2016-1549, TALOS-2016-0083]

An attacker can force an assertion error with duplicate IP, in order to trigger a denial of service. [severity:2/4; CVE-2016-2516]

An attacker can trigger an error in the management of trustedkey/requestkey/controlkey, in order to trigger a denial of service. [severity:2/4; CVE-2016-2517]

An attacker can force a read at an invalid address in MATCH_ASSOC, in order to trigger a denial of service, or to obtain sensitive information. [severity:1/4; CVE-2016-2518]

An attacker can trigger a fatal error in ctl_getitem(), in order to trigger a denial of service. [severity:2/4; CVE-2016-2519]

An attacker can send a malicious CRYPTO-NAK packet, in order to trigger a denial of service. [severity:2/4; CVE-2016-1547, TALOS-2016-0081]

An attacker can use Interleave-pivot, in order to alter a client time. [severity:2/4; CVE-2016-1548, TALOS-2016-0082]

An attacker can trigger a fatal error in the ntp client, in order to trigger a denial of service. [severity:2/4; CVE-2015-7704]

The Zero Origin Timestamp value is not correctly checked. [severity:2/4; CVE-2015-8138]

An attacker can measure the comparison execution time, in order to guess a hash. [severity:2/4; CVE-2016-1550, TALOS-2016-0084]

computer vulnerability announce CVE-2016-3074

libgd2: integer overflow

Synthesis of the vulnerability

An attacker can generate an integer overflow of libgd2, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Fedora, Juniper J-Series, Junos OS, SRX-Series, openSUSE, RHEL, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 25/04/2016.
Identifiers: CVE-2016-3074, DSA-3556-1, FEDORA-2016-5f91f43826, FEDORA-2016-7d6cbcadca, JSA10798, openSUSE-SU-2016:1553-1, RHSA-2016:2750-01, USN-2987-1, VIGILANCE-VUL-19447.

Description of the vulnerability

An attacker can generate an integer overflow of libgd2, in order to trigger a denial of service, and possibly to run code.

computer vulnerability announce CVE-2016-0754

cURL: file change via HTTP response specifying filenames with colon

Synthesis of the vulnerability

An attacker who controls an HTTP server requested by a curl client can create or change files by sending a filename containing a colon, in order for example to change an executable file.
Impacted products: OpenOffice, curl, Juniper EX-Series, Junos OS, SRX-Series.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights, data creation/edition.
Provenance: internet server.
Creation date: 27/01/2016.
Identifiers: CVE-2016-0754, JSA10874, VIGILANCE-VUL-18827.

Description of the vulnerability

The cURL product includes a command line HTTP client.

It defines options to specify the path of the file used to store the HTTP response body, and to let the server define the name via the response headers. However, the tool accepts colons in filenames. On the MS-Windows platform, such paths are special, and in this case the tool may be made to write the response body to an unexpected place, including a drive other than the current one.

An attacker who controls an HTTP server requested by a curl client can therefore create or change files by sending a filename containing a colon, in order for example to change an executable file.

computer vulnerability alert CVE-2016-0755

cURL: privilege escalation via the use of proxy using NTLM authentication

Synthesis of the vulnerability

An attacker can use cURL with an HTTP proxy and NTLM authentication with the proxy account of another user, in order to escalate his privileges.
Impacted products: SDS, SES, SNS, OpenOffice, Mac OS X, Brocade Network Advisor, Brocade vTM, curl, Debian, Fedora, Juniper EX-Series, Junos OS, SRX-Series, openSUSE, openSUSE Leap, Solaris, Slackware, Ubuntu.
Severity: 1/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 27/01/2016.
Identifiers: BSA-2016-004, cpuoct2018, CVE-2016-0755, DSA-3455-1, FEDORA-2016-3fa315a5dd, FEDORA-2016-55137a3adb, FEDORA-2016-57bebab3b6, FEDORA-2016-5a141de5d9, HT207170, JSA10874, openSUSE-SU-2016:0360-1, openSUSE-SU-2016:0373-1, openSUSE-SU-2016:0376-1, SSA:2016-039-01, STORM-2019-002, USN-2882-1, VIGILANCE-VUL-18826.

Description of the vulnerability

The cURL product includes an embeddable HTTP client. It can use HTTP proxies.

When a proxy requires NTLM authentication, this authentication is connection-based (in contrast to HTTP-based authentication, which is request-based). Typically, cURL reuses TCP connections to the proxy for several HTTP requests. However, cURL may do so even if different credentials for the proxy have been specified at request level.

An attacker can therefore use cURL with an HTTP proxy and NTLM authentication with the proxy account of another user, in order to escalate his privileges.

vulnerability bulletin CVE-2016-1262

Junos: denial of service via RTSP

Synthesis of the vulnerability

An attacker can send a malicious RTSP packet to Junos, in order to trigger a denial of service.
Impacted products: Junos OS, SRX-Series.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: intranet client.
Creation date: 13/01/2016.
Identifiers: CERTFR-2016-AVI-020, CVE-2016-1262, JSA10721, VIGILANCE-VUL-18713.

Description of the vulnerability

The Junos product has a service to manage received RTSP packets.

However, when a malicious packet is received, a fatal error occurs.

An attacker can therefore send a malicious RTSP packet to Junos, in order to trigger a denial of service.

vulnerability announce CVE-2015-7691 CVE-2015-7692 CVE-2015-7701

NTP.org: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of NTP.org.
Impacted products: ArubaOS, Blue Coat CAS, FabricOS, Brocade Network Advisor, Brocade vTM, Cisco ASR, Cisco ACE, ASA, IOS by Cisco, IOS XE Cisco, Cisco IPS, Nexus by Cisco, NX-OS, Cisco Prime DCNM, Prime Infrastructure, Cisco PRSM, Secure ACS, Cisco CUCM, Cisco Unity ~ precise, Debian, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP Switch, AIX, Juniper EX-Series, Juniper J-Series, Junos OS, SRX-Series, McAfee Web Gateway, Meinberg NTP Server, NetBSD, NTP.org, openSUSE, openSUSE Leap, Solaris, pfSense, RHEL, ROX, RuggedSwitch, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu, VxWorks.
Severity: 3/4.
Consequences: user access/rights, data reading, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 16.
Creation date: 22/10/2015.
Identifiers: 045915, ARUBA-PSA-2015-010, BSA-2016-004, BSA-2016-005, bulletinjan2016, c05270839, CERTFR-2015-AVI-449, CERTFR-2018-AVI-545, cisco-sa-20151021-ntp, CVE-2015-5196-REJECT, CVE-2015-7691, CVE-2015-7692, CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7705, CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, CVE-2015-7871, DSA-3388-1, FEDORA-2015-77bfbc1bcd, FEDORA-2016-34bc10a2c8, FreeBSD-SA-15:25.ntp, HPSBHF03646, JSA10711, JSA10898, NetBSD-SA2016-001, ntp_advisory4, openSUSE-SU-2015:2016-1, openSUSE-SU-2016:1423-1, RHSA-2015:1930-01, RHSA-2015:2520-01, RHSA-2016:0780-01, RHSA-2016:2583-02, SA103, SB10164, SOL10600056, SOL17515, SOL17516, SOL17517, SOL17518, SOL17521, SOL17522, SOL17524, SOL17525, SOL17526, SOL17527, SOL17528, SOL17529, SOL17530, SOL17566, SSA:2015-302-03, SSA-396873, SSA-472334, SUSE-SU-2016:1311-1, SUSE-SU-2016:1471-1, SUSE-SU-2016:1912-1, SUSE-SU-2016:2094-1, Synology-SA-18:13, Synology-SA-18:14, TALOS-2015-0052, TALOS-2015-0054, TALOS-2015-0055, TALOS-2015-0062, TALOS-2015-0063, TALOS-2015-0064, TALOS-2015-0065, TALOS-2015-0069, USN-2783-1, VIGILANCE-VUL-18162, VN-2015-009.

Description of the vulnerability

Several vulnerabilities were announced in NTP.org.

An attacker can bypass the authentication in crypto-NAK, in order to escalate his privileges. [severity:3/4; CVE-2015-7871, TALOS-2015-0069]

An attacker can trigger a fatal error in decodenetnum, in order to trigger a denial of service. [severity:2/4; CVE-2015-7855]

An attacker can generate a buffer overflow in Password, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-7854, TALOS-2015-0065]

An attacker can generate a buffer overflow in refclock, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-7853, TALOS-2015-0064]

An attacker can generate a memory corruption in atoascii, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-7852, TALOS-2015-0063]

An attacker can traverse directories in saveconfig, in order to read a file outside the root path. [severity:2/4; CVE-2015-7851, TALOS-2015-0062]

An attacker can trigger a fatal error in logfile-keyfile, in order to trigger a denial of service. [severity:2/4; CVE-2015-7850, TALOS-2015-0055]

An attacker can force the usage of a freed memory area in Trusted Key, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-7849, TALOS-2015-0054]

An attacker can force a read at an invalid address with a Mode packet, in order to trigger a denial of service. [severity:2/4; CVE-2015-7848, TALOS-2015-0052]

An attacker can create a memory leak in CRYPTO_ASSOC, in order to trigger a denial of service. [severity:2/4; CVE-2015-7701]

An authenticated attacker can use pidfile/driftfile, to corrupt a file with its privileges (VIGILANCE-VUL-17747). [severity:2/4; CVE-2015-5196-REJECT, CVE-2015-7703]

An attacker can trigger a fatal error in the ntp client, in order to trigger a denial of service. [severity:2/4; CVE-2015-7704]

An attacker can trigger a fatal error, in order to trigger a denial of service. [severity:2/4; CVE-2015-7705]

An unknown vulnerability was announced in Autokey. [severity:2/4; CVE-2015-7691]

An unknown vulnerability was announced in Autokey. [severity:2/4; CVE-2015-7692]

An unknown vulnerability was announced in Autokey. [severity:2/4; CVE-2015-7702]