The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of VMware VirtualCenter

vulnerability bulletin CVE-2013-1405

VMware vCenter Server, vSphere Client, ESX: memory corruption of client authentication

Synthesis of the vulnerability

An attacker can set up a malicious server, and invite VMware vCenter Server, vSphere Client and ESX clients to connect, in order to corrupt their memory, which leads to code execution.
Impacted products: ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: intranet server.
Creation date: 01/02/2013.
Identifiers: BID-57666, CERTA-2013-AVI-088, CVE-2013-1405, ESX350-201302401-SG, ESX400-201302001, ESX400-201302401-SG, ESX410-201301001, ESX410-201301401-SG, ESX410-201301402-SG, ESX410-201301403-SG, ESX410-201301405-SG, ESXe350-201302401-I-SG, ESXe350-201302401-O-SG, ESXe350-201302403-C-SG, ESXi400-201302001, ESXi400-201302401-SG, ESXi400-201302402-SG, ESXi400-201302403-SG, ESXi410-201301001, ESXi410-201301401-SG, ESXi410-201301402-SG, VIGILANCE-VUL-12363, VMSA-2013-0001, VMSA-2013-0001.1, VMSA-2013-0001.2, VMSA-2013-0003.

Description of the vulnerability

The VMware vCenter Server, vSphere Client and ESX products can authenticate to a VMware server.

However, if the server returns malicious data, it corrupts the client's memory.

An attacker can therefore set up a malicious server, and invite VMware vCenter Server, vSphere Client and ESX clients to connect, in order to corrupt their memory, which leads to code execution.

vulnerability announce CVE-2012-1531 CVE-2012-1532 CVE-2012-1533

Java JRE/JDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Java JRE/JDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Impacted products: Fedora, HP-UX, WebSphere MQ, Junos Space, Junos Space Network Management Platform, Mandriva Linux, Windows (platform) ~ not comprehensive, Java OpenJDK, openSUSE, Java Oracle, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, ESX, VirtualCenter.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, data deletion, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 27.
Creation date: 17/10/2012.
Identifiers: BID-55501, BID-55538, BID-56025, BID-56033, BID-56039, BID-56043, BID-56046, BID-56051, BID-56054, BID-56055, BID-56056, BID-56057, BID-56058, BID-56059, BID-56061, BID-56063, BID-56065, BID-56067, BID-56070, BID-56071, BID-56072, BID-56075, BID-56076, BID-56079, BID-56080, BID-56081, BID-56082, BID-56083, c03595351, CERTA-2012-AVI-576, CERTA-2012-AVI-746, CERTA-2013-AVI-094, CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4416, CVE-2012-4420, CVE-2012-5067, CVE-2012-5068, CVE-2012-5069, CVE-2012-5070, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5074, CVE-2012-5075, CVE-2012-5076, CVE-2012-5077, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5089, CVE-2012-5979-ERROR, DSECRG-12-039, ESX350-201302401-SG, FEDORA-2012-16346, FEDORA-2012-16351, IC89804, javacpuoct2012, MDVSA-2012:169, openSUSE-SU-2012:1419-1, openSUSE-SU-2012:1423-1, openSUSE-SU-2012:1424-1, RHSA-2012:1384-01, RHSA-2012:1385-01, RHSA-2012:1386-01, RHSA-2012:1391-01, RHSA-2012:1392-01, RHSA-2012:1465-01, RHSA-2012:1466-01, RHSA-2012:1467-01, RHSA-2012:1485-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SUSE-SU-2012:1398-1, SUSE-SU-2012:1489-1, SUSE-SU-2012:1489-2, SUSE-SU-2012:1490-1, SUSE-SU-2012:1588-1, SUSE-SU-2012:1595-1, swg21621958, swg21621959, VIGILANCE-VUL-12072, VMSA-2013-0001.2, VMSA-2013-0003.

Description of the vulnerability

Several vulnerabilities were announced in Java JRE/JDK. The most severe vulnerabilities lead to code execution.

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56025, CVE-2012-5083]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56033, CVE-2012-1531]

An attacker can use a vulnerability of Beans, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56039, CVE-2012-5086]

An attacker can use a vulnerability of Beans, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56043, CVE-2012-5087]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56046, CVE-2012-1533]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56051, CVE-2012-1532]

An attacker can use the class com.sun.org.glassfish.gmbal.util.GenericConstructor in order to execute arbitrary JVM code. [severity:3/4; BID-56054, CVE-2012-5076]

An attacker can use a vulnerability of JMX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56055, CVE-2012-3143]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56057, CVE-2012-5088]

An attacker can use a vulnerability of JMX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56059, CVE-2012-5089]

An attacker can use a vulnerability of Swing, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56063, CVE-2012-5084]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56072, CVE-2012-3159]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56076, CVE-2012-5068]

When a Java application uses an integer array and the Arrays.fill() method, the array memory area is not initialized to zero by the JRE, so an attacker can obtain a fragment of memory (VIGILANCE-VUL-11929). [severity:3/4; BID-55501, BID-55538, CVE-2012-4416, CVE-2012-4420]

An attacker can use a vulnerability of JAX-WS, in order to obtain or alter information. [severity:3/4; BID-56056, CVE-2012-5074]

An attacker can use a vulnerability of JMX, in order to obtain or alter information. [severity:3/4; BID-56061, CVE-2012-5071]

An attacker can use a vulnerability of Concurrency, in order to obtain or alter information. [severity:3/4; BID-56065, CVE-2012-5069]

An attacker can use a vulnerability of Deployment, in order to obtain information. [severity:2/4; BID-56070, CVE-2012-5067]

An attacker can use a vulnerability of JMX, in order to obtain information. [severity:2/4; BID-56079, CVE-2012-5070]

An attacker can use a vulnerability of JMX, in order to obtain information. [severity:2/4; BID-56081, CVE-2012-5075]

An attacker can use a vulnerability of Libraries, in order to alter information. [severity:2/4; BID-56080, CVE-2012-5073]

An attacker can use a vulnerability of Libraries, in order to alter information. [severity:2/4; BID-56082, CVE-2012-5079, CVE-2012-5979-ERROR]

An attacker can use a vulnerability of Security, in order to alter information. [severity:2/4; BID-56083, CVE-2012-5072]

An attacker can use a vulnerability of JSSE (ROBOT Attack VIGILANCE-VUL-24749), in order to create a denial of service. [severity:2/4; BID-56071, CVE-2012-5081]

An attacker can use a vulnerability of Libraries, in order to obtain information. [severity:1/4; BID-56075, CVE-2012-3216]

An attacker can use a vulnerability of Security, in order to obtain information. [severity:1/4; BID-56058, CVE-2012-5077]

An attacker can use a vulnerability of Gopher, in order to send packets. [severity:1/4; BID-56067, CVE-2012-5085, DSECRG-12-039]

vulnerability announce CVE-2011-3389 CVE-2011-3516 CVE-2011-3521

Java JRE/JDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Java JRE/JDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Impacted products: Debian, Fedora, HPE NNMi, HP-UX, Mandriva Linux, Windows (platform) ~ not comprehensive, Java OpenJDK, openSUSE, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, ESX, vCenter Server, VirtualCenter.
Severity: 4/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 20.
Creation date: 19/10/2011.
Identifiers: BID-49778, BID-50211, BID-50215, BID-50216, BID-50218, BID-50220, BID-50223, BID-50224, BID-50226, BID-50229, BID-50231, BID-50234, BID-50236, BID-50237, BID-50239, BID-50242, BID-50243, BID-50246, BID-50248, BID-50250, c03122753, c03266681, c03316985, c03358587, c03405642, CERTA-2011-AVI-541, CERTA-2011-AVI-580, CERTA-2011-AVI-675, CERTA-2012-AVI-012, CERTA-2012-AVI-045, CERTA-2012-AVI-190, CERTA-2012-AVI-238, CERTA-2012-AVI-286, CERTA-2012-AVI-395, CVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3555, CVE-2011-3556, CVE-2011-3557, CVE-2011-3558, CVE-2011-3560, CVE-2011-3561, DSA-2356-1, DSA-2358-1, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, FEDORA-2011-14638, FEDORA-2011-14648, FEDORA-2011-15555, HPSBMU02797, HPSBMU02799, HPSBUX02730, HPSBUX02760, HPSBUX02777, javacpuoct2011, MDVSA-2011:170, openSUSE-SU-2011:1196-1, RHSA-2011:1380-01, RHSA-2011:1384-01, RHSA-2011:1478-01, RHSA-2012:0006-01, RHSA-2012:0034-01, RHSA-2012:0343-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT100710, SSRT100805, SSRT100854, SSRT100867, SUSE-SU-2011:1298-1, SUSE-SU-2012:0114-1, SUSE-SU-2012:0114-2, SUSE-SU-2012:0122-1, SUSE-SU-2012:0122-2, VIGILANCE-VUL-11072, VMSA-2012-0003, VMSA-2012-0003.1, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013.1, VU#864643, ZDI-11-305, ZDI-11-306, ZDI-11-307.

Description of the vulnerability

Several vulnerabilities were announced in Java JRE/JDK. The most severe vulnerabilities lead to code execution.

An attacker can use a vulnerability of AWT, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-50211, CVE-2011-3548]

An attacker can use a vulnerability of Java IIOP Deserialization, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-50215, CVE-2011-3521, ZDI-11-306]

An attacker can use a vulnerability of Java Runtime Environment, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-50216, CVE-2011-3554]

An attacker can use a vulnerability of Rhino Javascript, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-50218, CVE-2011-3544, ZDI-11-305]

An attacker can use a vulnerability of Sound MixerSequencer.nAddControllerEventCallback, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-50220, CVE-2011-3545, ZDI-11-307]

An attacker can use a vulnerability of Swing, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-50223, CVE-2011-3549]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-50224, CVE-2011-3551]

An attacker can use a vulnerability of AWT, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-50226, CVE-2011-3550]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-50229, CVE-2011-3516]

An attacker can use a vulnerability of RMI, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-50231, CVE-2011-3556]

An attacker can use a vulnerability of RMI, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-50234, CVE-2011-3557]

An attacker can use a vulnerability of JSSE, in order to obtain or alter information. [severity:3/4; BID-50236, CVE-2011-3560]

An attacker can use a vulnerability of Java Runtime Environment, in order to alter information, or to create a denial of service. [severity:3/4; BID-50237, CVE-2011-3555]

An attacker can use a vulnerability of Deployment, in order to obtain or alter information. [severity:3/4; BID-50239, CVE-2011-3546]

An attacker can use a vulnerability of HotSpot, in order to obtain information. [severity:2/4; BID-50242, CVE-2011-3558]

An attacker can use a vulnerability of Networking, in order to obtain information. [severity:2/4; BID-50243, CERTA-2012-AVI-238, CVE-2011-3547]

An attacker, who can control the HTTPS connections of the victim's web browser and who has sufficient bandwidth, can use several SSL sessions in order to compute HTTP headers, such as cookies (VIGILANCE-VUL-11014). [severity:1/4; BID-49778, CERTA-2011-AVI-541, CERTA-2011-AVI-580, CERTA-2011-AVI-675, CERTA-2012-AVI-012, CERTA-2012-AVI-045, CERTA-2012-AVI-190, CVE-2011-3389, VU#864643]

An attacker can use a vulnerability of JAXWS, in order to obtain information. [severity:2/4; BID-50246, CVE-2011-3553]

An attacker can open numerous UDP ports, in order to facilitate a DNS cache poisoning attack (VIGILANCE-VUL-11087). [severity:1/4; BID-50248, CVE-2011-3552]

An attacker can use a vulnerability of Deployment, in order to obtain information. [severity:1/4; BID-50250, CVE-2011-3561]

vulnerability CVE-2011-0426 CVE-2011-1788 CVE-2011-1789

VMware vCenter, vSphere: three vulnerabilities

Synthesis of the vulnerability

An attacker can use three vulnerabilities of VMware vCenter Server and vSphere Client Installer.
Impacted products: ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere.
Severity: 2/4.
Consequences: user access/rights, data reading.
Provenance: user account.
Number of vulnerabilities in this bulletin: 3.
Creation date: 06/05/2011.
Identifiers: CERTA-2011-AVI-285, CVE-2011-0426, CVE-2011-1788, CVE-2011-1789, VIGILANCE-VUL-10620, VMSA-2011-0008.

Description of the vulnerability

Three vulnerabilities were announced in the VMware vCenter Server and vSphere Client Installer products.

A remote attacker can read files located outside the root directory of vCenter/VirtualCenter. [severity:2/4; CERTA-2011-AVI-285, CVE-2011-0426]

An attacker who is authenticated on vCenter can obtain the SOAP session identifier, in order to elevate his privileges. [severity:2/4; CVE-2011-1788]

The vSphere Client Installer displays an error message indicating that it is not signed. [severity:1/4; CVE-2011-1789]

vulnerability CVE-2010-3864

OpenSSL: code execution via TLS Extensions

Synthesis of the vulnerability

An attacker can use a TLS extension, in order to corrupt the memory of multi-threaded applications using OpenSSL and its internal caching feature.
Impacted products: ProxySG by Blue Coat, SGOS by Blue Coat, Debian, Fedora, FreeBSD, HP Operations, Performance Center, HP-UX, AIX, Tivoli Workload Scheduler, Mandriva Linux, NetBSD, OpenBSD, OpenSolaris, OpenSSL, openSUSE, RHEL, Slackware, StoneGate Firewall, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 3/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 17/11/2010.
Identifiers: 1643316, 649304, BID-44884, c02737002, c03179825, CERTA-2002-AVI-272, CERTA-2010-AVI-555, CERTA-2011-AVI-242, CERTA-2011-AVI-294, CERTA-2012-AVI-056, CVE-2010-3864, DSA-2125-1, FEDORA-2010-17826, FEDORA-2010-17827, FEDORA-2010-17847, FreeBSD-SA-10:10.openssl, HPSBGN02740, HPSBUX02638, MDVSA-2010:238, NetBSD-SA2010-012, openSUSE-SU-2010:0965-1, openSUSE-SU-2010:0965-2, RHSA-2010:0888-01, SA68, SSA:2010-326-01, SSRT100339, SSRT100741, SUSE-SR:2010:022, VIGILANCE-VUL-10130, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

Since its version 0.9.8f, OpenSSL supports the TLS SNI (Server Name Indication) extension. It is enabled if OpenSSL is compiled with the "enable-tlsext" option (enabled by default since version 0.9.8k).

The SSL session caching feature saves sessions, to be reused later. An application can enable it with the SSL_CTX_set_session_cache_mode() function. For example, Apache httpd does not enable it.

When a multi-threaded application uses OpenSSL, the ssl/t1_lib.c file does not lock the caching of the TLS SNI session. An attacker can therefore open two simultaneous sessions, so that the session is cached twice, which corrupts the memory.

An attacker can therefore use a TLS extension, in order to corrupt the memory of multi-threaded applications using OpenSSL and its internal caching feature.

vulnerability CVE-2009-3555 CVE-2010-1321 CVE-2010-3541

Java JRE/JDK/SDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Java JRE/JDK/SDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Impacted products: Fedora, HPE NNMi, HP-UX, NLD, OES, Java OpenJDK, openSUSE, Java Oracle, RHEL, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 4/4.
Consequences: user access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 29.
Creation date: 13/10/2010.
Identifiers: BID-43965, BID-43971, BID-43979, BID-43985, BID-43988, BID-43992, BID-43994, BID-43999, BID-44009, BID-44011, BID-44012, BID-44013, BID-44014, BID-44016, BID-44017, BID-44020, BID-44021, BID-44023, BID-44024, BID-44026, BID-44027, BID-44028, BID-44030, BID-44032, BID-44035, BID-44038, BID-44040, c02616748, c03405642, CERTA-2009-AVI-528, CERTA-2010-AVI-149, CERTA-2010-AVI-196, CERTA-2010-AVI-219, CERTA-2010-AVI-239, CERTA-2010-AVI-241, CERTA-2010-AVI-365, CERTA-2010-AVI-500, CERTA-2010-AVI-513, CERTA-2010-AVI-573, CERTA-2011-AVI-253, CERTA-2011-AVI-400, CERTA-2012-AVI-241, CERTA-2012-AVI-395, CVE-2009-3555, CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3552, CVE-2010-3553, CVE-2010-3554, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557, CVE-2010-3558, CVE-2010-3559, CVE-2010-3560, CVE-2010-3561, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3570, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574, FEDORA-2010-16240, FEDORA-2010-16294, FEDORA-2010-16312, HPSBMU02799, HPSBUX02608, openSUSE-SU-2010:0754-1, openSUSE-SU-2010:0957-1, RHSA-2010:0768-01, RHSA-2010:0770-01, RHSA-2010:0786-01, RHSA-2010:0807-01, RHSA-2010:0865-02, RHSA-2010:0873-02, RHSA-2010:0935-01, RHSA-2010:0986-01, RHSA-2010:0987-01, RHSA-2011:0152-01, RHSA-2011:0169-01, RHSA-2011:0880-01, SSRT100333, SSRT100867, SUSE-SA:2010:061, SUSE-SA:2011:006, SUSE-SA:2011:014, SUSE-SR:2010:019, VIGILANCE-VUL-10040, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2, VMSA-2011-0004.2, VMSA-2011-0005.3, VMSA-2011-0012.1, VMSA-2011-0013, VMSA-2012-0005, ZDI-10-202, ZDI-10-203, ZDI-10-204, ZDI-10-205, ZDI-10-206, ZDI-10-207, ZDI-10-208.

Description of the vulnerability

Several vulnerabilities were announced in Java JRE/JDK/SDK. The most severe vulnerabilities lead to code execution.

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-43979, CVE-2010-3562]

An attacker can use a vulnerability of 2D (JPEGImageWriter.writeImage), in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-43985, CVE-2010-3565, ZDI-10-205]

An attacker can use a vulnerability of 2D (ICC Profile Device Information Tag), in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-43988, CVE-2010-3566, ZDI-10-204]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-43992, CVE-2010-3567]

An attacker can use a vulnerability of 2D (ICC Profile Unicode Description), in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-43965, CVE-2010-3571, ZDI-10-203]

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-43994, CVE-2010-3554]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-43999, CVE-2010-3563]

An attacker can use a vulnerability of Java Runtime Environment, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-44012, CVE-2010-3568]

An attacker can use a vulnerability of Java Runtime Environment, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-44016, CVE-2010-3569]

An attacker can use a vulnerability of Java Web Start, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-44021, CVE-2010-3558]

An attacker can use a vulnerability of New Java Plug-in docbase, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-44023, CVE-2010-3552, ZDI-10-206]

An attacker can use a vulnerability of Sound (HeadspaceSoundbank.nGetName), in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-44026, CVE-2010-3559, ZDI-10-208]

An attacker can use a vulnerability of Sound, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-44030, CVE-2010-3572]

An attacker can use a vulnerability of Swing, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-44035, CVE-2010-3553]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-44038, CVE-2010-3555]

An attacker can use a vulnerability of Java Web Start, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-44040, CVE-2010-3550]

An attacker can use a vulnerability of Deployment Toolkit, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-44020, CVE-2010-3570]

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-44013, CVE-2010-3561]

An attacker can use a vulnerability of JSSE, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; CERTA-2009-AVI-528, CERTA-2010-AVI-149, CERTA-2010-AVI-196, CERTA-2010-AVI-239, CERTA-2010-AVI-241, CERTA-2010-AVI-365, CERTA-2010-AVI-513, CERTA-2010-AVI-573, CERTA-2011-AVI-253, CERTA-2012-AVI-241, CVE-2009-3555]

An attacker can use a vulnerability of Kerberos, in order to create a denial of service. [severity:2/4; CERTA-2010-AVI-219, CERTA-2011-AVI-400, CVE-2010-1321]

An attacker can use a vulnerability of Networking, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-44027, CVE-2010-3549]

An attacker can use a vulnerability of Swing, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-44014, CVE-2010-3557]

An attacker can use a vulnerability of Networking, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-44032, CVE-2010-3541]

An attacker can use a vulnerability of Networking, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-44028, CVE-2010-3573]

An attacker can use a vulnerability of Networking, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-44011, CVE-2010-3574]

An attacker can use a vulnerability of JNDI, in order to obtain information. [severity:2/4; BID-44017, CVE-2010-3548]

An attacker can use a vulnerability of Networking, in order to obtain information. [severity:2/4; BID-44009, CVE-2010-3551]

An attacker can use a vulnerability of Networking, in order to obtain information. [severity:1/4; BID-44024, CVE-2010-3560]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-43971, CERTA-2010-AVI-500, CVE-2010-3556]

computer vulnerability announce CVE-2010-3081

Linux kernel: privilege elevation via syscall on x86_64

Synthesis of the vulnerability

On an x86_64 architecture, a local attacker can use getsockopt(), among other system calls, in a 32-bit process in order to elevate his privileges.
Impacted products: Debian, Fedora, Linux, Mandriva Linux, openSUSE, RHEL, Slackware, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 16/09/2010.
Identifiers: 634457, BID-43239, CERTA-2010-AVI-570, CVE-2010-3081, DSA-2110-1, FEDORA-2010-14832, FEDORA-2010-14878, FEDORA-2010-14890, MDVSA-2010:188, MDVSA-2010:198, MDVSA-2010:214, MDVSA-2010:247, openSUSE-SU-2010:0654-1, openSUSE-SU-2010:0655-1, openSUSE-SU-2010:0664-1, openSUSE-SU-2010:0720-1, RHSA-2010:0704-01, RHSA-2010:0705-01, RHSA-2010:0711-01, RHSA-2010:0718-01, RHSA-2010:0719-01, RHSA-2010:0758-01, RHSA-2010:0842-01, RHSA-2010:0882-01, SSA:2010-265-01, SUSE-SA:2010:043, SUSE-SA:2010:044, SUSE-SA:2010:045, SUSE-SA:2010:046, SUSE-SA:2010:047, SUSE-SA:2010:050, SUSE-SA:2011:007, SUSE-SR:2010:017, SUSE-SU-2011:0635-1, SUSE-SU-2011:0928-1, VIGILANCE-VUL-9947, VMSA-2010-0017, VMSA-2010-0017.1, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

The Linux kernel can run 32-bit programs on an x86_64 platform.

The getsockopt() function obtains information about a socket. It performs a system call in order to do its task.

When a 32-bit application performs a system call, a user memory buffer is allocated by the compat_alloc_user_space() function of the file kernel/compat.c. However, compat_alloc_user_space() does not properly check the size of the buffer to allocate. A portion of it can therefore be located in kernel space.

A local attacker can therefore use getsockopt() in a 32-bit process in order to elevate his privileges.

computer vulnerability note CVE-2010-2939

OpenSSL: memory corruption in ssl3_get_key_exchange

Synthesis of the vulnerability

An attacker can invite the victim to connect to a malicious SSL/TLS server, in order to corrupt the memory of the client, to create a denial of service or to execute code.
Impacted products: Debian, FreeBSD, Mandriva Linux, NetBSD, OpenSSL, openSUSE, Slackware, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet server.
Creation date: 09/08/2010.
Revision date: 10/08/2010.
Identifiers: BID-42306, CVE-2010-2939, DSA-2100-1, FreeBSD-SA-10:10.openssl, MDVSA-2010:168, NetBSD-SA2010-011, openSUSE-SU-2010:0951-1, openSUSE-SU-2010:0952-1, SSA:2010-326-01, SUSE-SR:2010:021, VIGILANCE-VUL-9819, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

The RSA algorithm uses two prime numbers named "p" and "q". The SSL/TLS protocol uses a certificate containing keys based on these numbers.

When the OpenSSL client connects to an SSL/TLS server, it uses the RSA_verify() function to check the certificate signature. If p and q are not prime numbers, the signature is invalid and the client interrupts the session. However, this error handling frees the bn_ctx context twice in the ssl3_get_key_exchange() function of the ssl/s3_clnt.c file.

An attacker can therefore invite the victim to connect to a malicious SSL/TLS server, in order to corrupt the memory of the client, to create a denial of service or to execute code.

computer vulnerability bulletin CVE-2010-1173

Linux kernel: denial of service via SCTP

Synthesis of the vulnerability

An attacker can send a malformed SCTP packet, in order to stop the kernel.
Impacted products: Debian, Linux, Mandriva Linux, openSUSE, RHEL, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: internet client.
Creation date: 29/04/2010.
Revision date: 10/08/2010.
Identifiers: BID-39794, CVE-2010-1173, DSA-2053-1, MDVSA-2010:188, MDVSA-2010:198, openSUSE-SU-2011:0346-1, openSUSE-SU-2013:0927-1, RHSA-2010:0474-01, RHSA-2010:0504-01, RHSA-2010:0631-01, SUSE-SA:2010:027, SUSE-SA:2011:015, SUSE-SA:2011:017, SUSE-SU-2011:0928-1, VIGILANCE-VUL-9618, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

The SCTP protocol uses chunks of the following types:
 - 0 : Payload Data (DATA)
 - 1 : Initialization (INIT)
 - 9 : Operation Error (ERROR)
 - etc.

When a listening SCTP service receives an INIT chunk containing an error, it returns an ERROR chunk. However, if the INIT packet contains several errors, the size allocated for the ERROR chunk is too short. The kernel thus detects an overflow and stops in skb_over_panic by calling the BUG() macro.

An attacker can therefore send a malformed SCTP packet, in order to stop the kernel.

vulnerability bulletin CVE-2010-2524

Linux kernel: file access via CIFS DNS resolver

Synthesis of the vulnerability

A local attacker can modify his keyring, in order to force the CIFS client of the Linux kernel to connect to a malicious CIFS/SMB server.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Linux, Mandriva Linux, openSUSE, RHEL, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: user shell.
Creation date: 02/08/2010.
Identifiers: CERTA-2010-AVI-355, CVE-2010-2524, DSA-2264-1, FEDORA-2010-11412, FEDORA-2010-11462, MDVSA-2010:172, openSUSE-SU-2010:0664-1, RHSA-2010:0610-01, SOL16477, SUSE-SA:2010:039, SUSE-SA:2010:040, SUSE-SA:2010:046, VIGILANCE-VUL-9803, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

The Linux kernel contains a CIFS/SMB client, which is used to connect to a remote share.

In order to save IP addresses of CIFS/SMB servers, the dns_resolve_server_name_to_ip() function of the fs/cifs/dns_resolve.c file stores values in the user's keyring.

However, an attacker can save a malicious IP address in his keyring, so the kernel uses it and connects to the attacker's CIFS/SMB server.

A local attacker can therefore modify his keyring, in order to force the CIFS client of the Linux kernel to connect to a malicious CIFS/SMB server.