The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of SUSE Linux Enterprise Server

computer vulnerability bulletin CVE-2012-4194 CVE-2012-4195 CVE-2012-4196

Firefox, Thunderbird, SeaMonkey: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Firefox, Thunderbird and SeaMonkey can be used by an attacker to execute code on the victim's computer.
Impacted products: Fedora, MES, Firefox, SeaMonkey, Thunderbird, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity: 3/4.
Creation date: 29/10/2012.
Identifiers: 793121, 800666, 802557, BID-56301, BID-56302, BID-56306, CERTA-2012-AVI-609, CERTA-2013-AVI-590, CVE-2012-4194, CVE-2012-4195, CVE-2012-4196, FEDORA-2012-16988, FEDORA-2012-17028, FEDORA-2012-17307, MDVSA-2012:170, MFSA 2012-90, openSUSE-SU-2012:1412-1, openSUSE-SU-2014:1100-1, RHSA-2012:1407-01, RHSA-2012:1413-01, SSA:2012-300-01, SSA:2012-304-01, SSA:2012-304-02, SUSE-SU-2012:1426-1, VIGILANCE-VUL-12098.

Description of the vulnerability

Several vulnerabilities were announced in Firefox, Thunderbird and SeaMonkey.

An attacker can use the valueOf() function on window.location, in order to perform a Cross Site Scripting attack. [severity:2/4; 800666, BID-56301, CVE-2012-4194]

An attacker can use the CheckURL() function on window.location, in order to access a document, which can lead to code execution with an add-on. [severity:3/4; 793121, BID-56302, CVE-2012-4195]

An attacker can inject a property, and use the Location object, in order to read a document. [severity:3/4; 802557, BID-56306, CVE-2012-4196]
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability alert CVE-2012-4544

Xen: denial of service via Kernel/RamDisk Size

Synthesis of the vulnerability

An attacker, who is administrator in a guest system, can enlarge the kernel/ramdisk size, in order to create a denial of service on the host system.
Impacted products: Debian, Fedora, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Creation date: 26/10/2012.
Identifiers: BID-56289, CVE-2012-4544, DSA-2636-1, DSA-2636-2, FEDORA-2012-17204, FEDORA-2012-17408, openSUSE-SU-2012:1572-1, openSUSE-SU-2012:1573-1, RHSA-2013:0241-01, SUSE-SU-2012:1486-1, SUSE-SU-2012:1487-1, SUSE-SU-2012:1503-1, SUSE-SU-2014:0411-1, SUSE-SU-2014:0446-1, SUSE-SU-2014:0470-1, VIGILANCE-VUL-12096, XSA-25.

Description of the vulnerability

The Linux kernel is stored in a file. When the system starts, this kernel uses the ramdisk (a file system loaded into RAM).

However, if the kernel/ramdisk size is larger than the RAM allocated to the guest system, the host system consumes excessive resources to start this kernel. Paravirtualized guests booted with pygrub are vulnerable.

An attacker, who is administrator in a guest system, can therefore enlarge the kernel/ramdisk size, in order to create a denial of service on the host system.

This vulnerability is a variant of VIGILANCE-VUL-11650.

vulnerability bulletin CVE-2012-4508

Linux kernel: file reading via fallocate on ext4

Synthesis of the vulnerability

When an ext4 filesystem is used, a local attacker can call the fallocate() function, in order to read fragments of deleted files.
Impacted products: Debian, Fedora, Linux, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Creation date: 25/10/2012.
Identifiers: BID-56238, CVE-2012-4508, DSA-2668-1, FEDORA-2012-17479, FEDORA-2012-18691, RHSA-2012:1491-01, RHSA-2012:1540-01, RHSA-2013:0496-02, RHSA-2013:1519-01, RHSA-2013:1783-01, SUSE-SU-2012:1679-1, VIGILANCE-VUL-12093.

Description of the vulnerability

The ext4 filesystem uses "extents" to describe contiguous ranges of blocks belonging to a file.

The fallocate() function is used to allocate space for a file.

The ext4_convert_unwritten_extents_endio() function of the fs/ext4/extents.c file converts unused extents (coming from deleted files).

However, if the fallocate() function is called during the execution of ext4_convert_unwritten_extents_endio(), the user obtains file blocks that have not been zeroed, and which therefore still contain data from the deleted file.

When an ext4 filesystem is used, a local attacker can therefore call the fallocate() function, in order to read fragments of deleted files.

computer vulnerability alert CVE-2012-4530

Linux kernel: memory reading via binfmt_script

Synthesis of the vulnerability

A local attacker can use a recursive script, in order to read a fragment of kernel memory, and to obtain potentially sensitive data.
Impacted products: Fedora, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Creation date: 22/10/2012.
Identifiers: CVE-2012-4530, FEDORA-2012-19337, FEDORA-2012-20240, openSUSE-SU-2013:0396-1, RHSA-2013:0223-01, RHSA-2013:0566-01, SUSE-SU-2013:0674-1, VIGILANCE-VUL-12086.

Description of the vulnerability

When the kernel loads a program in a.out or ELF format, it calls sys_uselib() to load the library that parses this format. For example, the ELF format is handled by the load_elf_library() function of binfmt_elf.c. Similarly, when a file starts with "#!program", the load_script() function of fs/binfmt_script.c is called.

In order to protect the system against denials of service, the maximum depth of recursively invoked scripts is limited. However, when this limit is reached, the load_script() function dereferences an invalid pointer, and copies a kernel memory area to user space.

A local attacker can therefore use a recursive script, in order to read a fragment of kernel memory, and to obtain potentially sensitive data.

vulnerability announce CVE-2012-1531 CVE-2012-1532 CVE-2012-1533

Java JRE/JDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Java JRE/JDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Impacted products: Fedora, HP-UX, WebSphere MQ, Junos Space, Junos Space Network Management Platform, MES, Mandriva Linux, Windows (platform) ~ not comprehensive, Java OpenJDK, openSUSE, Java Oracle, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, ESX, VirtualCenter.
Severity: 3/4.
Creation date: 17/10/2012.
Identifiers: BID-55501, BID-55538, BID-56025, BID-56033, BID-56039, BID-56043, BID-56046, BID-56051, BID-56054, BID-56055, BID-56056, BID-56057, BID-56058, BID-56059, BID-56061, BID-56063, BID-56065, BID-56067, BID-56070, BID-56071, BID-56072, BID-56075, BID-56076, BID-56079, BID-56080, BID-56081, BID-56082, BID-56083, c03595351, CERTA-2012-AVI-576, CERTA-2012-AVI-746, CERTA-2013-AVI-094, CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4416, CVE-2012-4420, CVE-2012-5067, CVE-2012-5068, CVE-2012-5069, CVE-2012-5070, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5074, CVE-2012-5075, CVE-2012-5076, CVE-2012-5077, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5089, CVE-2012-5979-ERROR, DSECRG-12-039, ESX350-201302401-SG, FEDORA-2012-16346, FEDORA-2012-16351, IC89804, javacpuoct2012, MDVSA-2012:169, openSUSE-SU-2012:1419-1, openSUSE-SU-2012:1423-1, openSUSE-SU-2012:1424-1, RHSA-2012:1384-01, RHSA-2012:1385-01, RHSA-2012:1386-01, RHSA-2012:1391-01, RHSA-2012:1392-01, RHSA-2012:1465-01, RHSA-2012:1466-01, RHSA-2012:1467-01, RHSA-2012:1485-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SUSE-SU-2012:1398-1, SUSE-SU-2012:1489-1, SUSE-SU-2012:1489-2, SUSE-SU-2012:1490-1, SUSE-SU-2012:1588-1, SUSE-SU-2012:1595-1, swg21621958, swg21621959, VIGILANCE-VUL-12072, VMSA-2013-0001.2, VMSA-2013-0003.

Description of the vulnerability

Several vulnerabilities were announced in Java JRE/JDK. The most severe vulnerabilities lead to code execution.

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56025, CVE-2012-5083]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56033, CVE-2012-1531]

An attacker can use a vulnerability of Beans, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56039, CVE-2012-5086]

An attacker can use a vulnerability of Beans, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56043, CVE-2012-5087]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56046, CVE-2012-1533]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56051, CVE-2012-1532]

An attacker can use the class com.sun.org.glassfish.gmbal.util.GenericConstructor in order to execute arbitrary JVM code. [severity:3/4; BID-56054, CVE-2012-5076]

An attacker can use a vulnerability of JMX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56055, CVE-2012-3143]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56057, CVE-2012-5088]

An attacker can use a vulnerability of JMX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56059, CVE-2012-5089]

An attacker can use a vulnerability of Swing, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56063, CVE-2012-5084]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56072, CVE-2012-3159]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56076, CVE-2012-5068]

When a Java application uses an integer array and the Arrays.fill() method, the array memory area is not initialized to zero by the JRE, so an attacker can obtain a fragment of memory (VIGILANCE-VUL-11929). [severity:3/4; BID-55501, BID-55538, CVE-2012-4416, CVE-2012-4420]

An attacker can use a vulnerability of JAX-WS, in order to obtain or alter information. [severity:3/4; BID-56056, CVE-2012-5074]

An attacker can use a vulnerability of JMX, in order to obtain or alter information. [severity:3/4; BID-56061, CVE-2012-5071]

An attacker can use a vulnerability of Concurrency, in order to obtain or alter information. [severity:3/4; BID-56065, CVE-2012-5069]

An attacker can use a vulnerability of Deployment, in order to obtain information. [severity:2/4; BID-56070, CVE-2012-5067]

An attacker can use a vulnerability of JMX, in order to obtain information. [severity:2/4; BID-56079, CVE-2012-5070]

An attacker can use a vulnerability of JMX, in order to obtain information. [severity:2/4; BID-56081, CVE-2012-5075]

An attacker can use a vulnerability of Libraries, in order to alter information. [severity:2/4; BID-56080, CVE-2012-5073]

An attacker can use a vulnerability of Libraries, in order to alter information. [severity:2/4; BID-56082, CVE-2012-5079, CVE-2012-5979-ERROR]

An attacker can use a vulnerability of Security, in order to alter information. [severity:2/4; BID-56083, CVE-2012-5072]

An attacker can use a vulnerability of JSSE (ROBOT Attack VIGILANCE-VUL-24749), in order to create a denial of service. [severity:2/4; BID-56071, CVE-2012-5081]

An attacker can use a vulnerability of Libraries, in order to obtain information. [severity:1/4; BID-56075, CVE-2012-3216]

An attacker can use a vulnerability of Security, in order to obtain information. [severity:1/4; BID-56058, CVE-2012-5077]

An attacker can use a vulnerability of Gopher, in order to send packets. [severity:1/4; BID-56067, CVE-2012-5085, DSECRG-12-039]

computer vulnerability bulletin CVE-2012-4190 CVE-2012-4191 CVE-2012-4192

Firefox, Thunderbird, SeaMonkey: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Firefox, Thunderbird and SeaMonkey can be used by an attacker to execute code on the victim's computer.
Impacted products: Fedora, MES, Firefox, SeaMonkey, Thunderbird, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity: 4/4.
Creation date: 12/10/2012.
Identifiers: BID-55889, BID-56151, BID-56153, BID-56154, BID-56155, CERTA-2013-AVI-590, CVE-2012-4190, CVE-2012-4191, CVE-2012-4192, CVE-2012-4193, FEDORA-2012-15842, FEDORA-2012-15877, FEDORA-2012-15985, FEDORA-2012-15986, MDVSA-2012:167, MFSA 2012-88, MFSA 2012-89, openSUSE-SU-2012:1345-1, openSUSE-SU-2014:1100-1, RHSA-2012:1361-01, RHSA-2012:1362-01, SSA:2012-285-01, SSA:2012-285-02, SSA:2012-288-01, SUSE-SU-2012:1351-1, VIGILANCE-VUL-12068.

Description of the vulnerability

Several vulnerabilities were announced in Firefox, Thunderbird and SeaMonkey.

Several memory corruptions lead to code execution. [severity:4/4; BID-56151, BID-56153, CVE-2012-4190, CVE-2012-4191, MFSA 2012-88]

An attacker can bypass security checks with defaultValue, in order to access the Location object. [severity:4/4; BID-56154, BID-56155, CVE-2012-4192, CVE-2012-4193, MFSA 2012-89]

vulnerability CVE-2012-5166

BIND: denial of service via Additional Records

Synthesis of the vulnerability

An attacker can use malicious Additional Resource Records, in order to lock up a BIND server.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, BIND, MES, Mandriva Linux, NLD, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 10/10/2012.
Identifiers: AA-00801, AA-00807, BID-55852, c03526327, CERTA-2012-AVI-569, CERTA-2012-AVI-601, CERTA-2012-AVI-602, CERTA-2012-AVI-603, CERTA-2012-AVI-679, CVE-2012-5166, DSA-2560-1, FEDORA-2012-15965, FEDORA-2012-15981, FreeBSD-SA-12:06.bind, HPSBUX02823, IV30364, IV30365, IV30366, IV30367, IV30368, MDVSA-2012:162, openSUSE-SU-2012:1372-1, openSUSE-SU-2013:0605-1, RHSA-2012:1363-01, RHSA-2012:1364-01, RHSA-2012:1365-01, sol14201, SSA:2012-284-01, SSA:2012-341-01, SSRT100976, SUSE-SU-2012:1390-1, SUSE-SU-2012:1390-2, SUSE-SU-2012:1390-3, VIGILANCE-VUL-12050.

Description of the vulnerability

A DNS response contains sections holding Resource Records of different types:
 - Question: the question that was asked
 - Answer: the direct answer
 - Authority: information on the authoritative servers
 - Additional: additional information

The query_addadditional() function of the named/query.c file of BIND adds additional information to a reply. However, if a name is duplicated, an infinite loop occurs in the BIND service.

The origin of this duplicated name depends on the server type:
 - recursive server: the name comes from the reply of an authoritative server (this is the most probable attack configuration)
 - secondary authoritative server: the name comes from a zone transfer from the primary
 - primary authoritative server: the name comes from a loaded zone file

An attacker can therefore use malicious Additional Resource Records, in order to lock up a BIND server.

vulnerability bulletin CVE-2012-3982 CVE-2012-3983 CVE-2012-3984

Firefox, Thunderbird, SeaMonkey: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Firefox, Thunderbird and SeaMonkey can be used by an attacker to execute code on the victim's computer.
Impacted products: Debian, Fedora, MES, Firefox, SeaMonkey, Thunderbird, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity: 4/4.
Creation date: 09/10/2012.
Identifiers: BID-55856, BID-55922, BID-55924, BID-55926, BID-55927, BID-55929, BID-55930, BID-55931, BID-55932, BID-56118, BID-56119, BID-56120, BID-56121, BID-56123, BID-56125, BID-56126, BID-56127, BID-56128, BID-56129, BID-56130, BID-56131, BID-56135, BID-56136, BID-56140, BID-56145, CERTA-2012-AVI-561, CERTA-2013-AVI-590, CVE-2012-3982, CVE-2012-3983, CVE-2012-3984, CVE-2012-3985, CVE-2012-3986, CVE-2012-3987, CVE-2012-3988, CVE-2012-3989, CVE-2012-3990, CVE-2012-3991, CVE-2012-3992, CVE-2012-3993, CVE-2012-3994, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4184, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188, CVE-2012-5354, DSA-2565-1, DSA-2569-1, DSA-2572-1, FEDORA-2012-15842, FEDORA-2012-15863, FEDORA-2012-15877, FEDORA-2012-15985, FEDORA-2012-15986, MDVSA-2012:163, MFSA 2012-74, MFSA 2012-75, MFSA 2012-76, MFSA 2012-77, MFSA 2012-78, MFSA 2012-79, MFSA 2012-80, MFSA 2012-81, MFSA 2012-82, MFSA 2012-83, MFSA 2012-84, MFSA 2012-85, MFSA 2012-86, MFSA 2012-87, openSUSE-SU-2012:1345-1, openSUSE-SU-2014:1100-1, RHSA-2012:1350-01, RHSA-2012:1351-01, SSA:2012-283-01, SSA:2012-285-02, SUSE-SU-2012:1351-1, VIGILANCE-VUL-12043.

Description of the vulnerability

Several vulnerabilities were announced in Firefox, Thunderbird and SeaMonkey.

Several memory corruptions lead to code execution. [severity:4/4; BID-55924, BID-56145, CVE-2012-3982, CVE-2012-3983, MFSA 2012-74]

An attacker can use the HTML SELECT element, in order to hide the content of a page. [severity:3/4; BID-55932, CVE-2012-3984, CVE-2012-5354, MFSA 2012-75]

An attacker can use "document.domain", in order to generate a Cross Site Scripting. [severity:2/4; BID-55926, CVE-2012-3985, MFSA 2012-76]

An attacker can use DOMWindowUtils to execute JavaScript code. [severity:4/4; BID-55922, CVE-2012-3986, MFSA 2012-77]

An attacker can use Reader Mode, in order to gain chrome privileges. [severity:4/4; BID-55929, CVE-2012-3987, MFSA 2012-78]

An attacker can browse the history, in full screen mode, in order to trigger the use of a freed pointer. [severity:4/4; BID-55931, CVE-2012-3988, MFSA 2012-79]

An attacker can use the JavaScript instanceof operator, in order to corrupt the memory. [severity:4/4; BID-55927, CVE-2012-3989, MFSA 2012-80]

An attacker can use GetProperty to execute code. [severity:4/4; BID-55930, CVE-2012-3991, MFSA 2012-81]

An attacker can use Object.defineProperty and top.location, in order to generate a Cross Site Scripting. [severity:3/4; BID-56118, CVE-2012-3994, MFSA 2012-82]

An attacker can use InstallTrigger, in order to execute code with chrome privileges. [severity:4/4; BID-56119, BID-56120, CVE-2012-3993, CVE-2012-4184, MFSA 2012-83]

An attacker can use location.hash, in order to inject JavaScript code in a site. [severity:3/4; BID-56128, CVE-2012-3992, MFSA 2012-84]

An attacker can use several memory-safety vulnerabilities found using the Address Sanitizer. [severity:4/4; BID-56121, BID-56126, BID-56129, BID-56130, BID-56136, BID-56140, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, MFSA 2012-85]

An attacker can trigger several memory corruptions found using the Address Sanitizer. [severity:4/4; BID-56123, BID-56125, BID-56127, BID-56135, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188, MFSA 2012-86]

An attacker can use a freed pointer in IME State Manager. [severity:4/4; BID-56131, CVE-2012-3990, MFSA 2012-87]

vulnerability bulletin CVE-2012-4481

Ruby 1.8: modify a variable via NameError despite SAFE 4

Synthesis of the vulnerability

When a Ruby 1.8 application allows external code to be executed in SAFE 4 mode, that code can use NameError, in order to modify a variable of the application.
Impacted products: MBS, MES, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 08/10/2012.
Identifiers: BID-55813, CERTA-2013-AVI-543, CERTFR-2014-AVI-112, CERTFR-2014-AVI-244, CVE-2012-4481, MDVSA-2013:124, MDVSA-2013:200, RHSA-2013:0129-01, RHSA-2013:0612-01, SUSE-SU-2014:0843-1, SUSE-SU-2014:0844-1, VIGILANCE-VUL-12003.

Description of the vulnerability

The security level "$SAFE = 4" limits the features that Ruby code is allowed to use. For example, in SAFE 4 mode, Ruby code is not allowed to modify an untainted (internal) string. The SAFE 4 mode is usually used to execute code coming from an untrusted source, such as a plugin.

A NameError can be converted to a string. For example:
  Exception.new($variable).to_s
However, this conversion automatically taints the variable with OBJ_INFECT(). As the variable becomes tainted, the SAFE 4 mode no longer forbids its modification.

This vulnerability only impacts Ruby 1.8. It is similar to VIGILANCE-VUL-11993, but its origin is a variant of CVE-2011-1005 (VIGILANCE-VUL-10383).

When a Ruby 1.8 application allows external code to be executed in SAFE 4 mode, that code can therefore use NameError, in order to modify a variable of the application. Depending on the modified variable, the application can then be forced to perform unwanted tasks.

vulnerability announce CVE-2012-4929

SSL, TLS: obtaining HTTP Cookies via Deflate, CRIME

Synthesis of the vulnerability

An attacker, who can control HTTPS connections of the victim's web browser, can use several SSL sessions compressed with Deflate in order to recover HTTP headers, such as cookies.
Impacted products: curl, Debian, Exim, Fedora, HP-UX, McAfee Email and Web Security, McAfee Email Gateway, Firefox, MySQL Enterprise, OpenSSL, openSUSE, SSL protocol, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Creation date: 14/09/2012.
Identifiers: BID-55704, c03734195, CRIME, CVE-2012-4929, DSA-2579-1, DSA-2626-1, DSA-2627-1, DSA-3253-1, FEDORA-2012-15194, FEDORA-2012-15203, FEDORA-2013-4403, FEDORA-2014-13764, FEDORA-2014-13777, HPSBUX02866, openSUSE-SU-2012:1420-1, openSUSE-SU-2013:0143-1, openSUSE-SU-2013:0154-1, openSUSE-SU-2013:0157-1, openSUSE-SU-2013:1630-1, RHSA-2013:0587-01, RHSA-2013:0636-01, RHSA-2014:0416-01, SB10052, SSRT101139, SUSE-SU-2012:1428-1, VIGILANCE-VUL-11952.

Description of the vulnerability

RFC 3749 adds support for compressing data before it is encrypted with SSL/TLS.

The Deflate compression algorithm replaces duplicate patterns by a reference. For example:
  hello mister hello madam
is compressed to:
  hello mister [reference] madam
So, the compressed form of a pattern already seen is shorter than the compressed form of a pattern not yet seen. This difference in size thus reveals whether the second pattern had already been seen.

An HTTP cookie header looks, for example, like:
  Cookie: secret=1234
If the attacker adds "Cookie: secret=1234" later in the HTTP body, the compressed string will be shorter than if he added "Cookie: secret=5678" in the body. This difference in size thus allows the cookie to be guessed, character by character, using a brute force.

An attacker, who can control HTTPS connections of the victim's web browser, can therefore use several SSL sessions compressed with Deflate in order to recover HTTP headers, such as cookies.

This attack requires that the web browser supports RFC 3749. This is not the case for Internet Explorer, Opera and Safari. However, Chrome and Firefox may be vulnerable (precise versions are not yet known).
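As an added illustration of the size oracle described above (example code, not part of the Vigil@nce bulletin), the following Python measures how much shorter a Deflate-compressed request becomes when attacker-appended text repeats the real cookie, and checks the mitigation that Python's TLS contexts apply by default. The request headers and the cookie value are constructed samples.

```python
import ssl
import zlib

# Constructed sample request (hypothetical host and cookie value): the browser
# sends the secret cookie in the headers, and the attacker can append text to the
# body that ends up in the same compressed TLS record.
REQUEST_HEADERS = (
    "GET / HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: secret=1234\r\n"
    "\r\n"
)


def compressed_length(headers: str, body: str) -> int:
    """Size of the Deflate-compressed record, as RFC 3749 TLS compression would produce it."""
    return len(zlib.compress((headers + body).encode("ascii"), 9))


def length_difference(headers: str, correct_guess: str, wrong_guess: str) -> int:
    """Bytes saved when the attacker-controlled body repeats the real cookie rather than
    a wrong one. A positive value is the size oracle the bulletin describes; a zero
    difference means the guesses are indistinguishable by length."""
    return compressed_length(headers, wrong_guess) - compressed_length(headers, correct_guess)


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the TLS context refuses RFC 3749 compression, which removes the oracle."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def default_context_disables_compression() -> bool:
    """Python's default client context sets OP_NO_COMPRESSION (the CRIME mitigation)."""
    return compression_disabled(ssl.create_default_context())


if __name__ == "__main__":
    leak = length_difference(REQUEST_HEADERS, "Cookie: secret=1234", "Cookie: secret=5678")
    print(f"correct guess compresses {leak} byte(s) smaller than a wrong one")
    print("default TLS context disables compression:", default_context_disables_compression())
```

A server-side check is the same: any SSLContext whose options lack OP_NO_COMPRESSION reintroduces the oracle whenever the peer also offers compression.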