The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of SUSE Linux Enterprise Server

computer vulnerability bulletin CVE-2017-7346

Linux kernel: denial of service via the module drm/vmwgfx

Synthesis of the vulnerability

A local attacker can use an ioctl system call to the video device driver vmwgfx of the Linux kernel, in order to make the kernel loop.
Impacted products: Debian, Linux, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 31/03/2017.
Identifiers: 1437431, CERTFR-2017-AVI-217, CERTFR-2017-AVI-233, CVE-2017-7346, DSA-3927-1, openSUSE-SU-2017:1633-1, openSUSE-SU-2017:1685-1, SUSE-SU-2017:1853-1, SUSE-SU-2017:1990-1, USN-3358-1, USN-3359-1, USN-3360-1, USN-3360-2, USN-3364-1, USN-3364-2, USN-3364-3, USN-3371-1, VIGILANCE-VUL-22298.

Description of the vulnerability

The Linux kernel includes the vmwgfx video driver, used by guest systems running under VMware ESX.

The vulnerabilities described in VIGILANCE-VUL-22260 and VIGILANCE-VUL-22282 were not fully fixed: even with both patches applied, an attacker can still trigger a very long loop in the driver.

A local attacker can therefore use an ioctl system call to the video device driver vmwgfx of the Linux kernel, in order to make the kernel loop.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability announce CVE-2017-7294

Linux kernel: buffer overflow via vmw_surface_define_ioctl

Synthesis of the vulnerability

An attacker can generate a buffer overflow via vmw_surface_define_ioctl() on the Linux kernel, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Linux, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 29/03/2017.
Identifiers: CERTFR-2017-AVI-141, CERTFR-2017-AVI-158, CERTFR-2017-AVI-162, CERTFR-2017-AVI-185, CERTFR-2017-AVI-196, CERTFR-2017-AVI-282, CERTFR-2017-AVI-311, CVE-2017-7294, DLA-922-1, openSUSE-SU-2017:1140-1, openSUSE-SU-2017:1215-1, RHSA-2018:0676-01, RHSA-2018:1062-01, SUSE-SU-2017:1183-1, SUSE-SU-2017:1247-1, SUSE-SU-2017:1301-1, SUSE-SU-2017:1360-1, SUSE-SU-2017:1990-1, SUSE-SU-2017:2342-1, SUSE-SU-2017:2525-1, USN-3291-1, USN-3291-2, USN-3291-3, USN-3293-1, USN-3335-1, USN-3342-1, USN-3342-2, USN-3343-1, USN-3343-2, VIGILANCE-VUL-22282.

Description of the vulnerability

The Linux kernel includes the vmwgfx video driver, used by guest systems running under VMware ESX.

However, when the caller supplies more data than the storage array can hold, an overflow occurs in vmw_surface_define_ioctl(). This vulnerability affects the same C routine and functionality as the vulnerability described in VIGILANCE-VUL-22260. See also VIGILANCE-VUL-22298.

An attacker can therefore generate a buffer overflow via vmw_surface_define_ioctl() on the Linux kernel, in order to trigger a denial of service, and possibly to run code.

vulnerability announce CVE-2017-7272

PHP: connection to another port via fsockopen

Synthesis of the vulnerability

An attacker, who controls the first parameter of the fsockopen() function of PHP, can use it to connect to an unexpected port.
Impacted products: Debian, PHP, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Creation date: 28/03/2017.
Identifiers: 74216, CVE-2017-7272, DLA-875-1, SUSE-SU-2017:1709-1, VIGILANCE-VUL-22262.

Description of the vulnerability

The PHP language offers the fsockopen() function, which opens a socket to a host and port. For example:
  fsockopen("192.168.1.1", 80, [...]);

However, the following syntax is also accepted:
  fsockopen("192.168.1.1:81", 80, [...]);
In this case the port embedded in the host string takes precedence, so the connection is made to port 81 instead of 80.

An attacker, who controls the first parameter of the fsockopen() function of PHP, can therefore use it to connect to an unexpected port.

vulnerability CVE-2017-7261

Linux kernel: denial of service via the module drm/vmwgfx

Synthesis of the vulnerability

A local attacker can use an ioctl system call to the video device driver vmwgfx of the Linux kernel, in order to make the kernel panic.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Linux, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 27/03/2017.
Identifiers: 1435719, CERTFR-2017-AVI-141, CERTFR-2017-AVI-158, CERTFR-2017-AVI-162, CERTFR-2017-AVI-275, CERTFR-2017-AVI-282, CERTFR-2017-AVI-311, CVE-2017-7261, DLA-922-1, FEDORA-2017-02174df32f, FEDORA-2017-93dec9eba5, K63771715, openSUSE-SU-2017:1140-1, openSUSE-SU-2017:1215-1, SUSE-SU-2017:1183-1, SUSE-SU-2017:1247-1, SUSE-SU-2017:1301-1, SUSE-SU-2017:1360-1, SUSE-SU-2017:1990-1, SUSE-SU-2017:2342-1, SUSE-SU-2017:2525-1, USN-3291-1, USN-3291-2, USN-3291-3, USN-3293-1, USN-3361-1, USN-3406-1, USN-3406-2, VIGILANCE-VUL-22260.

Description of the vulnerability

The Linux kernel includes the vmwgfx video driver, used by guest systems running under VMware ESX.

This driver exposes the device "/dev/dri/renderD128", which accepts ioctl system calls. However, the routine vmw_surface_define_ioctl() that handles the surface-definition ioctl does not correctly validate its "num_sizes" argument. A value of zero leads to a bad memory allocation, then to an invalid pointer dereference and a fatal exception (kernel panic). See also VIGILANCE-VUL-22282 and VIGILANCE-VUL-22298.

A local attacker can therefore use an ioctl system call to the video device driver vmwgfx of the Linux kernel, in order to make the kernel panic.
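The two vmwgfx bulletins above (CVE-2017-7294, data larger than the storage array, and CVE-2017-7261, a zero "num_sizes") concern the same validation step, so one added example serves both. It is an illustrative userland model written for this page, not the vmwgfx driver code: the request layout (per-face mip-level counts and a pointer to the caller's size array), the limits VMW_MAX_FACES and VMW_MAX_MIP_LEVELS, and the use of memcpy in place of copy_from_user() are assumptions chosen to show the shape of the check, and the real values should be confirmed against the kernel's vmwgfx headers.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits assumed to match the kernel's DRM_VMW_MAX_SURFACE_FACES and
 * DRM_VMW_MAX_MIP_LEVELS; verify against include/uapi/drm/vmwgfx_drm.h. */
#define VMW_MAX_FACES      6
#define VMW_MAX_MIP_LEVELS 24
#define VMW_MAX_SIZES      (VMW_MAX_FACES * VMW_MAX_MIP_LEVELS)

struct vmw_size { uint32_t width, height, depth; };

/* Model of the user-controlled request: one mip-level count per face and a
 * pointer to the caller's array of per-mip sizes. The total number of sizes
 * is derived from the counts, which is what the caller really controls. */
struct surface_req {
    uint32_t mip_levels[VMW_MAX_FACES];
    const struct vmw_size *size_addr;   /* stands in for the user pointer */
};

/* Validate the derived count before anything is allocated or copied.
 * Returns 0 and the count in *num_out, or -EINVAL.
 *  - num_sizes == 0 is the CVE-2017-7261 case: a zero-length allocation
 *    followed by a dereference of the resulting bogus pointer.
 *  - num_sizes > VMW_MAX_SIZES is the CVE-2017-7294 case: more entries copied
 *    in than the fixed-size storage can hold.
 * The sum is accumulated in 64 bits so six large 32-bit counts cannot wrap
 * back into a small, apparently valid total. */
int surface_check_sizes(const struct surface_req *req, uint32_t *num_out)
{
    uint64_t num_sizes = 0;
    for (int i = 0; i < VMW_MAX_FACES; i++)
        num_sizes += req->mip_levels[i];
    if (num_sizes == 0 || num_sizes > VMW_MAX_SIZES)
        return -EINVAL;
    *num_out = (uint32_t)num_sizes;
    return 0;
}

/* Hardened handler shape: check first, then allocate exactly num_sizes
 * entries and copy that many from the caller (memcpy models copy_from_user).
 * On success *sizes_out is a malloc'd array of *num_out entries. */
int surface_define(const struct surface_req *req, struct vmw_size **sizes_out,
                   uint32_t *num_out)
{
    uint32_t num_sizes;
    int ret = surface_check_sizes(req, &num_sizes);
    if (ret)
        return ret;
    struct vmw_size *sizes = calloc(num_sizes, sizeof(*sizes));
    if (sizes == NULL)
        return -ENOMEM;
    memcpy(sizes, req->size_addr, (size_t)num_sizes * sizeof(*sizes));
    *sizes_out = sizes;
    *num_out = num_sizes;
    return 0;
}

int main(void)
{
    /* Constructed inputs: the all-zero mip-level request that crashed
     * unpatched kernels, then a valid request with two mip levels. */
    struct surface_req zero = { {0, 0, 0, 0, 0, 0}, NULL };
    struct vmw_size *sizes;
    uint32_t n;
    printf("num_sizes=0 request: %s\n",
           surface_define(&zero, &sizes, &n) == -EINVAL ? "rejected" : "accepted");

    struct vmw_size user_sizes[2] = { {64, 64, 1}, {32, 32, 1} };
    struct surface_req ok = { {2, 0, 0, 0, 0, 0}, user_sizes };
    if (surface_define(&ok, &sizes, &n) == 0) {
        printf("valid request: %u sizes, first %ux%u\n", n, sizes[0].width, sizes[0].height);
        free(sizes);
    }
    return 0;
}
```

The point of ordering is that both bounds are enforced on the derived count before the allocation size or the copy length is computed from it; an ioctl handler that allocates first and validates later has already done the damage when num_sizes is zero or oversized.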

computer vulnerability note CVE-2017-6951

Linux kernel: NULL pointer dereference via keyring_search_aux

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced via keyring_search_aux() in the Linux kernel, in order to trigger a denial of service.
Impacted products: Debian, QRadar SIEM, Linux, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 17/03/2017.
Identifiers: 2011746, CERTFR-2017-AVI-162, CERTFR-2017-AVI-282, CERTFR-2017-AVI-287, CERTFR-2017-AVI-288, CERTFR-2017-AVI-307, CERTFR-2017-AVI-311, CERTFR-2017-AVI-390, CVE-2017-6951, DLA-922-1, RHSA-2017:1842-01, RHSA-2017:2077-01, RHSA-2017:2669-01, SUSE-SU-2017:1360-1, SUSE-SU-2017:2342-1, SUSE-SU-2017:2389-1, SUSE-SU-2017:2525-1, SUSE-SU-2017:2920-1, USN-3422-1, USN-3422-2, VIGILANCE-VUL-22169.

Description of the vulnerability

The Linux kernel manages cryptographic keys, notably for use in IPsec.

However, when invoked through the request_key() system call, the function keyring_search_aux() does not check whether a pointer is NULL before using it.

An attacker can therefore force a NULL pointer to be dereferenced via keyring_search_aux() in the Linux kernel, in order to trigger a denial of service.

vulnerability CVE-2017-2925 CVE-2017-2926 CVE-2017-2927

Adobe Flash Player: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Adobe Flash Player.
Impacted products: Flash Player, Windows 10, Windows 2012, Windows 2016, Windows 8, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 4/4.
Creation date: 10/01/2017.
Revision date: 15/03/2017.
Identifiers: 1005, 1006, 1015, 1016, 1017, 3214628, APSB17-02, CERTFR-2017-AVI-006, CERTFR-2017-AVI-007, CVE-2017-2925, CVE-2017-2926, CVE-2017-2927, CVE-2017-2928, CVE-2017-2930, CVE-2017-2931, CVE-2017-2932, CVE-2017-2933, CVE-2017-2934, CVE-2017-2935, CVE-2017-2936, CVE-2017-2937, CVE-2017-2938, MS17-003, openSUSE-SU-2017:0107-1, RHSA-2017:0057-01, SUSE-SU-2017:0108-1, VIGILANCE-VUL-21540.

Description of the vulnerability

Several vulnerabilities were announced in Adobe Flash Player.

An attacker can bypass security features, in order to escalate his privileges. [severity:2/4; CVE-2017-2938]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2932]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2936]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2937]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2927]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2933]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2934]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2935]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2925]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2926]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2928]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2930]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2931]

computer vulnerability announce CVE-2017-5669

Linux kernel: bypass of NULL pointer filtering

Synthesis of the vulnerability

A privileged attacker can map arbitrary code at the NULL address via the shmat() system call of the Linux kernel, in order to attempt to get kernel privileges.
Impacted products: Debian, Fedora, Linux, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 27/02/2017.
Identifiers: CERTFR-2017-AVI-128, CERTFR-2017-AVI-162, CERTFR-2017-AVI-282, CERTFR-2017-AVI-311, CVE-2017-5669, DLA-849-1, DSA-3804-1, FEDORA-2017-2e1f3694b2, FEDORA-2017-387ff46a66, openSUSE-SU-2017:0906-1, SUSE-SU-2017:1247-1, SUSE-SU-2017:1301-1, SUSE-SU-2017:1360-1, SUSE-SU-2017:2342-1, SUSE-SU-2017:2525-1, USN-3265-1, USN-3265-2, USN-3361-1, USN-3583-1, USN-3583-2, VIGILANCE-VUL-21967.

Description of the vulnerability

The Linux kernel implements System V shared memory.

A userspace process should not be able to map code at address NULL, so that bugs of the "NULL pointer dereference" class cannot be exploited. However, the System V shmat() system call does not correctly enforce this, because the requested address is rounded when the virtual address range is chosen.

A privileged attacker can therefore map arbitrary code at the NULL address via the shmat() system call of the Linux kernel, in order to attempt to get kernel privileges.

Note: "root" is typically already able to use "insmod" to run arbitrary code with kernel privileges.
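To make the rounding problem concrete, here is an added example (written for this page, not kernel code) in two parts: a userland model of the shmat() address-rounding rule, with a flag selecting the pre- and post-fix behaviour, and a live probe that asks the running kernel to attach a segment at SHMLBA-1 with SHM_RND. The model is an assumption about the shape of the rule, not a copy of do_shmat(); the interpretation of the probe's errno values is likewise the author's, and SHMLBA is taken from <sys/shm.h>.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/* Model of the address-rounding rule on the shmat() path (illustrative, not
 * kernel code). shmlba must be a power of two. Returns 0 with the address
 * the mapping would be forced to in *out, or -EINVAL. 'fixed' selects the
 * post-CVE-2017-5669 rule, which refuses to round an address below SHMLBA
 * down to 0: a forced mapping at 0 is exactly the nil page that the
 * NULL-dereference hardening is meant to keep unmapped. */
int shmat_round_addr(unsigned long addr, unsigned long shmlba, int shmflg,
                     int fixed, unsigned long *out)
{
    if (addr == 0) {            /* caller lets the kernel choose: no rounding */
        *out = 0;
        return 0;
    }
    if (addr & (shmlba - 1)) {  /* misaligned request */
        if (!(shmflg & SHM_RND))
            return -EINVAL;
        if (fixed && addr < shmlba)
            return -EINVAL;     /* rounding would land on the nil page */
        addr &= ~(shmlba - 1);  /* round down to an SHMLBA boundary */
    }
    *out = addr;
    return 0;
}

/* Live probe: request an attach at SHMLBA-1 with SHM_RND, which an unpatched
 * kernel rounds to address 0. Returns 0 if the attach succeeded (nil page
 * mapped), otherwise the errno from shmat(). EINVAL indicates the kernel
 * carries the fix; EPERM indicates an unpatched kernel that stopped at the
 * mmap_min_addr check because the caller lacks the privilege the bulletin
 * refers to. */
int probe_shmat_nil_page(void)
{
    int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0600);
    if (id < 0)
        return errno;
    void *p = shmat(id, (void *)(SHMLBA - 1), SHM_RND);
    int err = (p == (void *)-1) ? errno : 0;
    if (p != (void *)-1)
        shmdt(p);
    shmctl(id, IPC_RMID, NULL);
    return err;
}

int main(void)
{
    unsigned long where = 0;
    shmat_round_addr(SHMLBA - 1, SHMLBA, SHM_RND, 0, &where);
    printf("model, unpatched rule: SHMLBA-1 rounds to %#lx\n", where);
    printf("model, fixed rule: %s\n",
           shmat_round_addr(SHMLBA - 1, SHMLBA, SHM_RND, 1, &where) == -EINVAL
               ? "EINVAL" : "accepted");

    int err = probe_shmat_nil_page();
    if (err == 0)
        printf("kernel: attached at the nil page (no fix, privileged caller)\n");
    else
        printf("kernel: shmat refused with %s\n", strerror(err));
    return 0;
}
```

Run the probe as an unprivileged user first; on any kernel it should fail, and the errno tells you whether it failed for the right reason (EINVAL, the fix) or only because of mmap_min_addr (EPERM).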

vulnerability note CVE-2017-2982 CVE-2017-2984 CVE-2017-2985

Adobe Flash Player: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Adobe Flash Player.
Impacted products: Flash Player, Edge, IE, Windows 10, Windows 2012, Windows 2016, Windows 8, Windows RT, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 4/4.
Creation date: 14/02/2017.
Revision date: 17/02/2017.
Identifiers: 1007, 1008, 1013, 1018, 4010250, APSB17-04, CERTFR-2017-AVI-051, CERTFR-2017-AVI-055, CVE-2017-2982, CVE-2017-2984, CVE-2017-2985, CVE-2017-2986, CVE-2017-2987, CVE-2017-2988, CVE-2017-2990, CVE-2017-2991, CVE-2017-2992, CVE-2017-2993, CVE-2017-2994, CVE-2017-2995, CVE-2017-2996, MS17-005, RHSA-2017:0275-01, SUSE-SU-2017:0523-1, VIGILANCE-VUL-21834, ZDI-17-109, ZDI-17-110, ZDI-17-287.

Description of the vulnerability

Several vulnerabilities were announced in Adobe Flash Player.

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2995, ZDI-17-109]

An attacker can generate an integer overflow, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2987]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2982]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2985]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2993]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2994, ZDI-17-110, ZDI-17-287]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2986]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2992]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2984]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2988]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2990]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2991]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-2996]

computer vulnerability CVE-2016-9602

QEMU: file corruption via 9pfs

Synthesis of the vulnerability

A local attacker can create a symbolic link, in order to access files with the privileges of QEMU on the host system.
Impacted products: Debian, openSUSE Leap, QEMU, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 17/01/2017.
Revision date: 17/02/2017.
Identifiers: 1035, CVE-2016-9602, DLA-1035-1, DLA-965-1, openSUSE-SU-2017:1872-1, SUSE-SU-2017:1774-1, SUSE-SU-2017:2946-1, SUSE-SU-2017:2963-1, SUSE-SU-2017:2969-1, SUSE-SU-2017:3084-1, USN-3261-1, USN-3268-1, VIGILANCE-VUL-21595.

Description of the vulnerability

The QEMU product implements the Plan 9 filesystem protocol, "9pfs".

It may be used to share a host directory with processes in the guest system. However, when QEMU follows a symbolic link, it does not distinguish between file names and directory names. This allows a guest process to open a host file outside the shared directory.

A local attacker can therefore create a symbolic link, in order to access files with the privileges of QEMU on the host system.

vulnerability announce CVE-2013-0149

OSPF: corrupting the routing database

Synthesis of the vulnerability

An attacker can spoof OSPF messages, in order to corrupt the routing database.
Impacted products: CheckPoint IP Appliance, IPSO, CheckPoint Security Gateway, Cisco ASR, ASA, Cisco Catalyst, IOS by Cisco, IOS XE Cisco, Nexus by Cisco, NX-OS, Cisco Router, ProCurve Switch, HP Switch, Juniper E-Series, Juniper J-Series, JUNOSe, Junos OS, NetScreen Firewall, ScreenOS, SUSE Linux Enterprise Desktop, SLES.
Severity: 3/4.
Creation date: 02/08/2013.
Revisions dates: 01/08/2014, 14/02/2017.
Identifiers: BID-61566, c03880910, CERTA-2013-AVI-458, CERTA-2013-AVI-487, CERTA-2013-AVI-508, cisco-sa-20130801-lsaospf, CQ95773, CSCug34469, CSCug34485, CSCug39762, CSCug39795, CSCug63304, CVE-2013-0149, HPSBHF02912, JSA10575, JSA10580, JSA10582, PR 878639, PR 895456, sk94490, SUSE-SU-2014:0879-1, VIGILANCE-VUL-13192, VU#229804.

Description of the vulnerability

RFC 2328 defines the OSPF protocol (Open Shortest Path First), which establishes IP routes using LSA (Link State Advertisement) messages.

A Type 1 LSA (Router-LSA) carried in a Link State Update (LSU) packet is used to update the routing database. However, the RFC does not require implementations to check the "Link State ID" and "Advertising Router" fields of such messages against each other. Several implementations (Cisco, Juniper, etc.) therefore do not perform this check.

An attacker can thus spoof an LSU message if he knows:
 - the IP address of the target router
 - LSA DB sequence numbers
 - the router ID of the OSPF Designated Router

An attacker can therefore spoof OSPF messages, in order to corrupt the routing database.
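The missing check is small enough to show in full. The added example below (written for this page, not any vendor's OSPF implementation) parses the 20-byte LSA header defined in RFC 2328 Appendix A.4.1, applies the consistency rule for Router-LSAs (a Router-LSA's Link State ID is the originating router's Router ID, so it must equal the Advertising Router) and the sequence-number comparison that explains why the attacker needs the database sequence numbers listed above. The sample LSA bytes are constructed here, with the checksum left at zero since it is not what the check concerns.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 20-byte LSA header of RFC 2328 Appendix A.4.1, in host order after
 * parsing. Illustrative parser and checks only. */
struct lsa_hdr {
    uint16_t ls_age;
    uint8_t  options;
    uint8_t  ls_type;
    uint32_t link_state_id;
    uint32_t advertising_router;
    int32_t  ls_seq;          /* signed, per RFC 2328 section 12.1.6 */
    uint16_t ls_checksum;
    uint16_t length;
};

#define LSA_HDR_LEN     20
#define LSA_TYPE_ROUTER 1

static uint32_t get32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v; }

/* Parse a wire-format (network byte order) header. Returns 0 or -1. */
int lsa_hdr_parse(const uint8_t *buf, size_t len, struct lsa_hdr *h)
{
    if (len < LSA_HDR_LEN)
        return -1;
    h->ls_age = get16(buf);
    h->options = buf[2];
    h->ls_type = buf[3];
    h->link_state_id = get32(buf + 4);
    h->advertising_router = get32(buf + 8);
    h->ls_seq = (int32_t)get32(buf + 12);
    h->ls_checksum = get16(buf + 16);
    h->length = get16(buf + 18);
    return 0;
}

/* Serialize a header; used here to build the constructed sample. */
void lsa_hdr_pack(const struct lsa_hdr *h, uint8_t out[LSA_HDR_LEN])
{
    put16(out, h->ls_age);
    out[2] = h->options;
    out[3] = h->ls_type;
    put32(out + 4, h->link_state_id);
    put32(out + 8, h->advertising_router);
    put32(out + 12, (uint32_t)h->ls_seq);
    put16(out + 16, h->ls_checksum);
    put16(out + 18, h->length);
}

/* The check the bulletin says the RFC does not require and affected
 * implementations skipped. For a Router-LSA the Link State ID is defined
 * (RFC 2328 section 12.1.4) to be the originating router's Router ID, the
 * same value as Advertising Router; an LSA where the two differ is the
 * spoofed message described above. Returns 1 to accept, 0 to drop. */
int lsa_router_fields_consistent(const struct lsa_hdr *h)
{
    if (h->ls_type != LSA_TYPE_ROUTER)
        return 1;   /* the identity rule applies to Router-LSAs only */
    return h->link_state_id == h->advertising_router;
}

/* RFC 2328 section 13.1: of two instances of the same LSA, the one with the
 * larger (signed) LS sequence number is newer and replaces the other. A spoof
 * carrying an older number than the victim's database holds is discarded,
 * which is why the attacker needs the current sequence numbers. */
int lsa_seq_is_newer(int32_t candidate, int32_t installed)
{
    return candidate > installed;
}

/* Constructed sample: a Router-LSA whose Advertising Router claims 10.0.0.1
 * while its Link State ID names 10.0.0.2. Returns 1 if the bytes parse and
 * the consistency check then drops the LSA. */
int demo_spoofed_router_lsa_dropped(void)
{
    struct lsa_hdr spoof = { 1, 0x02, LSA_TYPE_ROUTER, 0x0a000002u, 0x0a000001u,
                             (int32_t)0x80000005, 0, 36 };
    uint8_t wire[LSA_HDR_LEN];
    struct lsa_hdr parsed;
    lsa_hdr_pack(&spoof, wire);
    if (lsa_hdr_parse(wire, sizeof wire, &parsed) != 0)
        return 0;
    return !lsa_router_fields_consistent(&parsed);
}

int main(void)
{
    printf("spoofed Router-LSA dropped: %s\n",
           demo_spoofed_router_lsa_dropped() ? "yes" : "no");
    return 0;
}
```

In a real receiver this check belongs in the LSU processing path before the LSA is installed or flooded; an LSA that passes the checksum and sequence-number tests but fails this identity rule should be dropped and logged, since a legitimate router never originates one.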