The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Sophos XG Series

computer vulnerability alert CVE-2017-12854

Sophos XG Series: directory traversal

Synthesis of the vulnerability

An attacker can traverse directories of Sophos XG Series, in order to read a file outside the service root path.
Impacted products: Sophos XG Series.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 19/02/2018.
Identifiers: CVE-2017-12854, VIGILANCE-VUL-25326.

Description of the vulnerability

An attacker can traverse directories of Sophos XG Series, in order to read a file outside the service root path.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2017-18014

Sophos XG Firewall: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Sophos XG Firewall, in order to run JavaScript code in the context of the web site.
Impacted products: Sophos XG Series.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 29/12/2017.
Identifiers: 128024, CVE-2017-18014, VIGILANCE-VUL-24910.

Description of the vulnerability

The Sophos XG Firewall product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Sophos XG Firewall, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2017-7478 CVE-2017-7479

OpenVPN: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenVPN.
Impacted products: Debian, Fedora, openSUSE Leap, Sophos XG Series, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 12/05/2017.
Identifiers: CVE-2017-7478, CVE-2017-7479, DLA-944-1, DSA-3900-1, FEDORA-2017-0d0f18140a, FEDORA-2017-f426acf49d, openSUSE-SU-2017:1638-1, SUSE-SU-2017:1622-1, SUSE-SU-2017:1718-1, SUSE-SU-2017:2838-1, SUSE-SU-2017:3177-1, USN-3284-1, USN-3339-1, USN-3339-2, VIGILANCE-VUL-22717.

Description of the vulnerability

Several vulnerabilities were announced in OpenVPN.

An attacker can force an assertion error via Oversized Control Packet, in order to trigger a denial of service. [severity:2/4; CVE-2017-7478]

An attacker can force an assertion error via Rolled Over Packet, in order to trigger a denial of service. [severity:2/4; CVE-2017-7479]
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2011-1473

TLS, OpenSSL: overload via renegotiation

Synthesis of the vulnerability

A malicious client can request several renegotiations to a SSL/TLS server, in order to overload it.
Impacted products: Apache httpd, ProxySG par Blue Coat, SGOS by Blue Coat, Clearswift Email Gateway, Juniper J-Series, Junos OS, NSM Central Manager, NSMXpress, McAfee NSP, OpenSSL, SSL protocol, Sophos XG Series, Squid, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 08/07/2011.
Identifiers: BID-48626, CERTA-2013-AVI-542, CVE-2011-1473, JSA10575, JSA10580, JSA10584, SA74, SUSE-SU-2011:1309-1, SUSE-SU-2011:1322-1, VIGILANCE-VUL-10823.

Description of the vulnerability

When opening a connection using TLS, a negotiation mechanism allows the client and server to agree on the encryption algorithm to use. The protocol allows for renegotiation at any time during the connection (for example if the client uses a certificate).

However, the renegotiation is a complex algorithm, which requires more resources on the server than on the client.

A malicious client can therefore request several renegotiations to a SSL/TLS server, in order to overload it.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.