VARIoT IoT vulnerabilities database
VAR-201607-0466 | CVE-2016-5744 | Siemens SIMATIC WinCC vulnerability allowing arbitrary WinCC station files to be read |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Siemens SIMATIC WinCC 7.0 through SP3 and 7.2 allows remote attackers to read arbitrary WinCC station files via crafted packets. SIMATIC WinCC (Windows Control Center) is Siemens' process monitoring system, providing full supervisory control and data acquisition (SCADA) functions for the industrial sector. The SIMATIC WinCC station file handling contains a vulnerability.
Successful exploits may allow an attacker to read arbitrary files in the context of the user running the affected application. This may aid in further attacks. Siemens SIMATIC WinCC is a supervisory control and data acquisition (SCADA) system from the German company Siemens. A security vulnerability exists in Siemens SIMATIC WinCC versions 7.0 through SP3 and 7.2.
VAR-201608-0006 | CVE-2016-2180 | OpenSSL X.509 Public Key Infrastructure Time-Stamp Protocol implementation crypto/ts/ts_lib.c denial of service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the "openssl ts" command. Supplementary information: the CWE vulnerability type has been identified as CWE-125: Out-of-bounds Read. OpenSSL is prone to a local denial-of-service vulnerability.
An attacker may exploit this issue to crash the application, resulting in denial-of-service conditions.
=====================================================================
Red Hat Security Advisory
Synopsis: Important: openssl security update
Advisory ID: RHSA-2016:1940-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-1940.html
Issue date: 2016-09-27
CVE Names: CVE-2016-2177 CVE-2016-2178 CVE-2016-2179
CVE-2016-2180 CVE-2016-2181 CVE-2016-2182
CVE-2016-6302 CVE-2016-6304 CVE-2016-6306
=====================================================================
1. Summary:
An update for openssl is now available for Red Hat Enterprise Linux 6 and
Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) protocols, as well as a full-strength
general-purpose cryptography library. A remote attacker
could cause a TLS server using OpenSSL to consume an excessive amount of
memory and, possibly, exit unexpectedly after exhausting all available
memory, if it enabled OCSP stapling support.
(CVE-2016-2178)
* It was discovered that the Datagram TLS (DTLS) implementation could fail
to release memory in certain cases. A malicious DTLS client could cause a
DTLS server using OpenSSL to consume an excessive amount of memory and,
possibly, exit unexpectedly after exhausting all available memory. A remote attacker could possibly use this flaw
to make a DTLS server using OpenSSL reject further packets sent from a
DTLS client over an established DTLS connection. (CVE-2016-2181)
* An out of bounds write flaw was discovered in the OpenSSL BN_bn2dec()
function. (CVE-2016-2182)
* A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL
protocol. A man-in-the-middle attacker could use this flaw to recover some
plaintext data by capturing large amounts of encrypted traffic between
TLS/SSL server and client if the communication used a DES/3DES based
ciphersuite. (CVE-2016-2183)
This update mitigates the CVE-2016-2183 issue by lowering priority of DES
cipher suites so they are not preferred over cipher suites using AES. For
compatibility reasons, DES cipher suites remain enabled by default and
included in the set of cipher suites identified by the HIGH cipher string.
Future updates may move them to MEDIUM or not enable them by default.
* An integer underflow flaw leading to a buffer over-read was found in the
way OpenSSL parsed TLS session tickets. (CVE-2016-6302)
* Multiple integer overflow flaws were found in the way OpenSSL performed
pointer arithmetic. A remote attacker could possibly use these flaws to
cause a TLS/SSL server or client using OpenSSL to crash. A remote attacker could
possibly use these flaws to crash a TLS/SSL server or client using OpenSSL.
(CVE-2016-6306)
Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6304
and CVE-2016-6306 and OpenVPN for reporting CVE-2016-2183.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
For the update to take effect, all services linked to the OpenSSL library
must be restarted, or the system rebooted.
5. Bugs fixed (https://bugzilla.redhat.com/):
1341705 - CVE-2016-2177 openssl: Possible integer overflow vulnerabilities in codebase
1343400 - CVE-2016-2178 openssl: Non-constant time codepath followed for certain operations in DSA implementation
1359615 - CVE-2016-2180 OpenSSL: OOB read in TS_OBJ_print_bio()
1367340 - CVE-2016-2182 openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec()
1369113 - CVE-2016-2181 openssl: DTLS replay protection bypass allows DoS against DTLS connection
1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
1369504 - CVE-2016-2179 openssl: DTLS memory exhaustion DoS when messages are not removed from fragment buffer
1369855 - CVE-2016-6302 openssl: Insufficient TLS session ticket HMAC length checks
1377594 - CVE-2016-6306 openssl: certificate message OOB reads
1377600 - CVE-2016-6304 openssl: OCSP Status Request extension unbounded memory growth
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
openssl-1.0.1e-48.el6_8.3.src.rpm
i386:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
x86_64:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
openssl-perl-1.0.1e-48.el6_8.3.i686.rpm
openssl-static-1.0.1e-48.el6_8.3.i686.rpm
x86_64:
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-perl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-static-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
openssl-1.0.1e-48.el6_8.3.src.rpm
x86_64:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64:
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-perl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-static-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
openssl-1.0.1e-48.el6_8.3.src.rpm
i386:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
ppc64:
openssl-1.0.1e-48.el6_8.3.ppc.rpm
openssl-1.0.1e-48.el6_8.3.ppc64.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.ppc.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.ppc64.rpm
openssl-devel-1.0.1e-48.el6_8.3.ppc.rpm
openssl-devel-1.0.1e-48.el6_8.3.ppc64.rpm
s390x:
openssl-1.0.1e-48.el6_8.3.s390.rpm
openssl-1.0.1e-48.el6_8.3.s390x.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.s390.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.s390x.rpm
openssl-devel-1.0.1e-48.el6_8.3.s390.rpm
openssl-devel-1.0.1e-48.el6_8.3.s390x.rpm
x86_64:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-perl-1.0.1e-48.el6_8.3.i686.rpm
openssl-static-1.0.1e-48.el6_8.3.i686.rpm
ppc64:
openssl-debuginfo-1.0.1e-48.el6_8.3.ppc64.rpm
openssl-perl-1.0.1e-48.el6_8.3.ppc64.rpm
openssl-static-1.0.1e-48.el6_8.3.ppc64.rpm
s390x:
openssl-debuginfo-1.0.1e-48.el6_8.3.s390x.rpm
openssl-perl-1.0.1e-48.el6_8.3.s390x.rpm
openssl-static-1.0.1e-48.el6_8.3.s390x.rpm
x86_64:
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-perl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-static-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
openssl-1.0.1e-48.el6_8.3.src.rpm
i386:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
x86_64:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-perl-1.0.1e-48.el6_8.3.i686.rpm
openssl-static-1.0.1e-48.el6_8.3.i686.rpm
x86_64:
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-perl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-static-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux Client (v. 7):
Source:
openssl-1.0.1e-51.el7_2.7.src.rpm
x86_64:
openssl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-libs-1.0.1e-51.el7_2.7.i686.rpm
openssl-libs-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-devel-1.0.1e-51.el7_2.7.i686.rpm
openssl-devel-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-perl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-static-1.0.1e-51.el7_2.7.i686.rpm
openssl-static-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
openssl-1.0.1e-51.el7_2.7.src.rpm
x86_64:
openssl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-libs-1.0.1e-51.el7_2.7.i686.rpm
openssl-libs-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-devel-1.0.1e-51.el7_2.7.i686.rpm
openssl-devel-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-perl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-static-1.0.1e-51.el7_2.7.i686.rpm
openssl-static-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
openssl-1.0.1e-51.el7_2.7.src.rpm
ppc64:
openssl-1.0.1e-51.el7_2.7.ppc64.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.ppc.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.ppc64.rpm
openssl-devel-1.0.1e-51.el7_2.7.ppc.rpm
openssl-devel-1.0.1e-51.el7_2.7.ppc64.rpm
openssl-libs-1.0.1e-51.el7_2.7.ppc.rpm
openssl-libs-1.0.1e-51.el7_2.7.ppc64.rpm
ppc64le:
openssl-1.0.1e-51.el7_2.7.ppc64le.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.ppc64le.rpm
openssl-devel-1.0.1e-51.el7_2.7.ppc64le.rpm
openssl-libs-1.0.1e-51.el7_2.7.ppc64le.rpm
s390x:
openssl-1.0.1e-51.el7_2.7.s390x.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.s390.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.s390x.rpm
openssl-devel-1.0.1e-51.el7_2.7.s390.rpm
openssl-devel-1.0.1e-51.el7_2.7.s390x.rpm
openssl-libs-1.0.1e-51.el7_2.7.s390.rpm
openssl-libs-1.0.1e-51.el7_2.7.s390x.rpm
x86_64:
openssl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-devel-1.0.1e-51.el7_2.7.i686.rpm
openssl-devel-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-libs-1.0.1e-51.el7_2.7.i686.rpm
openssl-libs-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64:
openssl-debuginfo-1.0.1e-51.el7_2.7.ppc.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.ppc64.rpm
openssl-perl-1.0.1e-51.el7_2.7.ppc64.rpm
openssl-static-1.0.1e-51.el7_2.7.ppc.rpm
openssl-static-1.0.1e-51.el7_2.7.ppc64.rpm
ppc64le:
openssl-debuginfo-1.0.1e-51.el7_2.7.ppc64le.rpm
openssl-perl-1.0.1e-51.el7_2.7.ppc64le.rpm
openssl-static-1.0.1e-51.el7_2.7.ppc64le.rpm
s390x:
openssl-debuginfo-1.0.1e-51.el7_2.7.s390.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.s390x.rpm
openssl-perl-1.0.1e-51.el7_2.7.s390x.rpm
openssl-static-1.0.1e-51.el7_2.7.s390.rpm
openssl-static-1.0.1e-51.el7_2.7.s390x.rpm
x86_64:
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-perl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-static-1.0.1e-51.el7_2.7.i686.rpm
openssl-static-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
openssl-1.0.1e-51.el7_2.7.src.rpm
x86_64:
openssl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-devel-1.0.1e-51.el7_2.7.i686.rpm
openssl-devel-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-libs-1.0.1e-51.el7_2.7.i686.rpm
openssl-libs-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-perl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-static-1.0.1e-51.el7_2.7.i686.rpm
openssl-static-1.0.1e-51.el7_2.7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-2177
https://access.redhat.com/security/cve/CVE-2016-2178
https://access.redhat.com/security/cve/CVE-2016-2179
https://access.redhat.com/security/cve/CVE-2016-2180
https://access.redhat.com/security/cve/CVE-2016-2181
https://access.redhat.com/security/cve/CVE-2016-2182
https://access.redhat.com/security/cve/CVE-2016-6302
https://access.redhat.com/security/cve/CVE-2016-6304
https://access.redhat.com/security/cve/CVE-2016-6306
https://access.redhat.com/security/updates/classification/#important
https://www.openssl.org/news/secadv/20160922.txt
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Additional information can be found at
https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/
CVE-2016-2178
Cesar Pereida, Billy Brumley and Yuval Yarom discovered a timing
leak in the DSA code.
CVE-2016-2179 / CVE-2016-2181
Quan Luo and the OCAP audit team discovered denial of service
vulnerabilities in DTLS.
For the stable distribution (jessie), these problems have been fixed in
version 1.0.1t-1+deb8u4.
For the unstable distribution (sid), these problems will be fixed soon.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201612-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: OpenSSL: Multiple vulnerabilities
Date: December 07, 2016
Bugs: #581234, #585142, #585276, #591454, #592068, #592074,
#592082, #594500, #595186
ID: 201612-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in OpenSSL, the worst of which
allows attackers to conduct a time based side-channel attack.
Affected packages
=================
-------------------------------------------------------------------
Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1  dev-libs/openssl          < 1.0.2j                   >= 1.0.2j
Description
===========
Multiple vulnerabilities have been discovered in OpenSSL. Please review
the CVE identifiers and the International Association for Cryptologic
Research's (IACR) paper, "Make Sure DSA Signing Exponentiations Really
are Constant-Time" for further details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All OpenSSL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.2j"
References
==========
[ 1 ] CVE-2016-2105
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2105
[ 2 ] CVE-2016-2106
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2106
[ 3 ] CVE-2016-2107
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2107
[ 4 ] CVE-2016-2108
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2108
[ 5 ] CVE-2016-2109
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2109
[ 6 ] CVE-2016-2176
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2176
[ 7 ] CVE-2016-2177
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2177
[ 8 ] CVE-2016-2178
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2178
[ 9 ] CVE-2016-2180
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2180
[ 10 ] CVE-2016-2183
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2183
[ 11 ] CVE-2016-6304
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6304
[ 12 ] CVE-2016-6305
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6305
[ 13 ] CVE-2016-6306
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6306
[ 14 ] CVE-2016-7052
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7052
[ 15 ] Make Sure DSA Signing Exponentiations Really are Constant-Time
http://eprint.iacr.org/2016/594.pdf
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201612-16
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
==========================================================================
Ubuntu Security Notice USN-3087-2
September 23, 2016
openssl regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
USN-3087-1 introduced a regression in OpenSSL. The fix for CVE-2016-2182 was
incomplete and caused a regression when parsing certificates. This update
fixes the problem.
We apologize for the inconvenience. This
issue has only been addressed in Ubuntu 16.04 LTS in this update. (CVE-2016-2178)
Quan Luo discovered that OpenSSL did not properly restrict the lifetime
of queue entries in the DTLS implementation. (CVE-2016-2181)
Shi Lei discovered that OpenSSL incorrectly validated division results.
(CVE-2016-2182)
Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES
ciphers were vulnerable to birthday attacks.
(CVE-2016-2183)
Shi Lei discovered that OpenSSL incorrectly handled certain ticket lengths. (CVE-2016-6303)
Shi Lei discovered that OpenSSL incorrectly performed certain message
length checks. (CVE-2016-6306)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
libssl1.0.0 1.0.2g-1ubuntu4.5
Ubuntu 14.04 LTS:
libssl1.0.0 1.0.1f-1ubuntu2.21
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.38
After a standard system update you need to reboot your computer to make
all the necessary changes.
OpenSSL Security Advisory [22 Sep 2016]
========================================
OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
=====================================================================
Severity: High
A malicious client can send an excessively large OCSP Status Request extension.
If that client continually requests renegotiation, sending a large OCSP Status
Request extension each time, then there will be unbounded memory growth on the
server. This will eventually lead to a Denial Of Service attack through memory
exhaustion. Servers with a default configuration are vulnerable even if they do
not support OCSP. Builds using the "no-ocsp" build time option are not affected.
Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default
configuration, instead only if an application explicitly enables OCSP stapling
support.
OpenSSL 1.1.0 users should upgrade to 1.1.0a
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 29th August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL
development team.
SSL_peek() hang on empty record (CVE-2016-6305)
===============================================
Severity: Moderate
OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer sends an
empty record. This could be exploited by a malicious peer in a Denial Of Service
attack.
OpenSSL 1.1.0 users should upgrade to 1.1.0a
This issue was reported to OpenSSL on 10th September 2016 by Alex Gaynor. The
fix was developed by Matt Caswell of the OpenSSL development team.
SWEET32 Mitigation (CVE-2016-2183)
==================================
Severity: Low
SWEET32 (https://sweet32.info) is an attack on older block cipher algorithms
that use a block size of 64 bits. In mitigation for the SWEET32 attack DES based
ciphersuites have been moved from the HIGH cipherstring group to MEDIUM in
OpenSSL 1.0.1 and OpenSSL 1.0.2. OpenSSL 1.1.0 since release has had these
ciphersuites disabled by default.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 16th August 2016 by Karthikeyan
Bhargavan and Gaetan Leurent (INRIA). The fix was developed by Rich Salz of the
OpenSSL development team.
OOB write in MDC2_Update() (CVE-2016-6303)
==========================================
Severity: Low
An overflow can occur in MDC2_Update() either if called directly or
through the EVP_DigestUpdate() function using MDC2. If an attacker
is able to supply very large amounts of input data after a previous
call to EVP_EncryptUpdate() with a partial block then a length check
can overflow resulting in a heap corruption.
The amount of data needed is comparable to SIZE_MAX which is impractical
on most platforms.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 11th August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.
Malformed SHA512 ticket DoS (CVE-2016-6302)
===========================================
Severity: Low
If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
DoS attack where a malformed ticket will result in an OOB read which will
ultimately crash.
The use of SHA512 in TLS session tickets is comparatively rare as it requires
a custom server callback and ticket lookup mechanism.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 19th August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.
OOB write in BN_bn2dec() (CVE-2016-2182)
========================================
Severity: Low
The function BN_bn2dec() does not check the return value of BN_div_word().
This can cause an OOB write if an application uses this function with an
overly large BIGNUM. This could be a problem if an overly large certificate
or CRL is printed out from an untrusted source. TLS is not affected because
record limits will reject an oversized certificate before it is parsed.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 2nd August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.
OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
==============================================
Severity: Low
The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
the total length the OID text representation would use and not the amount
of data written. This will result in OOB reads when large OIDs are presented.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 21st July 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.
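The misuse described above, as an added example that is not OpenSSL's code: oid_to_text() is a stand-in for OBJ_obj2txt() with the same snprintf-style contract, and the two write_len_* functions report the byte count the unpatched pattern would hand to the write call beside the clamped count a fix uses. The 16-byte buffer and the sample OID strings are constructed for the demo.

```c
/*
 * Added example, not OpenSSL's code: models the snprintf-style contract of
 * OBJ_obj2txt() that CVE-2016-2180 misread. oid_to_text() stands in for
 * OBJ_obj2txt(): it copies at most buf_len - 1 bytes, always NUL-terminates,
 * and returns the length the full text would need, which can exceed buf_len.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OBJ_TXT_LEN 16  /* deliberately small; OpenSSL's obj_txt is larger */

/* Stand-in for OBJ_obj2txt(); oid_text plays the part of the decoded OID. */
static size_t oid_to_text(char *buf, size_t buf_len, const char *oid_text)
{
    size_t need = strlen(oid_text);
    if (buf_len == 0)
        return need;
    size_t n = need < buf_len - 1 ? need : buf_len - 1;
    memcpy(buf, oid_text, n);
    buf[n] = '\0';
    return need;            /* total length, NOT the bytes written */
}

/*
 * Unpatched pattern: the return value is handed straight to the write call
 * as a byte count. For a long OID it exceeds the buffer, so the write would
 * read past obj_txt. This function only reports that count; it does not
 * perform the over-read.
 */
size_t write_len_unpatched(const char *oid_text)
{
    char obj_txt[OBJ_TXT_LEN];
    size_t len = oid_to_text(obj_txt, sizeof(obj_txt), oid_text);
    return len;
}

/* Patched pattern: clamp to what was actually written before using len. */
size_t write_len_patched(const char *oid_text)
{
    char obj_txt[OBJ_TXT_LEN];
    size_t len = oid_to_text(obj_txt, sizeof(obj_txt), oid_text);
    if (len >= sizeof(obj_txt))
        len = sizeof(obj_txt) - 1;   /* output is truncated, but in bounds */
    return len;
}

/* 1 if writing len bytes out of obj_txt would read beyond the buffer. */
int over_reads(size_t len)
{
    return len > OBJ_TXT_LEN;
}

/* Safe printer using the patched pattern; returns bytes written to out. */
size_t print_oid(FILE *out, const char *oid_text)
{
    char obj_txt[OBJ_TXT_LEN];
    size_t len = oid_to_text(obj_txt, sizeof(obj_txt), oid_text);
    if (len >= sizeof(obj_txt))
        len = sizeof(obj_txt) - 1;
    return fwrite(obj_txt, 1, len, out);
}

int main(void)
{
    /* Constructed sample OIDs: one that fits the buffer, one that does not. */
    const char *short_oid = "2.5.4.3";
    const char *long_oid = "1.3.6.1.4.1.311.21.8.123456.7890";
    printf("short: unpatched=%zu patched=%zu\n",
           write_len_unpatched(short_oid), write_len_patched(short_oid));
    printf("long:  unpatched=%zu patched=%zu over-read=%d\n",
           write_len_unpatched(long_oid), write_len_patched(long_oid),
           over_reads(write_len_unpatched(long_oid)));
    print_oid(stdout, long_oid);
    putchar('\n');
    return 0;
}
```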
Pointer arithmetic undefined behaviour (CVE-2016-2177)
======================================================
Severity: Low
Avoid some undefined pointer arithmetic
A common idiom in the codebase is to check limits in the following manner:
"p + len > limit"
Where "p" points to some malloc'd data of SIZE bytes and
limit == p + SIZE
"len" here could be from some externally supplied data (e.g. from a TLS
message).
The rules of C pointer arithmetic are such that "p + len" is only well
defined where len <= SIZE. Therefore the above idiom is actually
undefined behaviour.
For example this could cause problems if some malloc implementation
provides an address for "p" such that "p + len" actually overflows for
values of len that are too big and therefore p + len < limit.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 4th May 2016 by Guido Vranken. The
fix was developed by Matt Caswell of the OpenSSL development team.
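The idiom described above beside the length-based check that replaces it, as an added example rather than OpenSSL's code; the unpatched check is modelled on uintptr_t so the wrap the advisory describes runs without undefined pointer arithmetic. The 2-byte length-prefixed vector format and the sample_msg bytes are constructed for the demo.

```c
/*
 * Added example, not OpenSSL's code: the "p + len > limit" idiom from
 * CVE-2016-2177 beside the length comparison that replaces it. The unpatched
 * idiom is modelled on uintptr_t so the wrap-around can be shown safely.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Unpatched idiom, modelled on unsigned integers: for a huge len the sum
 * wraps, "p + len" lands below limit, and the check wrongly passes.
 */
int naive_check_accepts(const unsigned char *p, size_t len,
                        const unsigned char *limit)
{
    uintptr_t end = (uintptr_t)p + (uintptr_t)len;   /* may wrap */
    return end <= (uintptr_t)limit;
}

/* Patched idiom: compare lengths; no out-of-range pointer is ever formed. */
int in_bounds(const unsigned char *p, size_t len, const unsigned char *limit)
{
    return p <= limit && len <= (size_t)(limit - p);
}

/*
 * Reads one length-prefixed field (2-byte big-endian length, as TLS vectors
 * use) from [p, limit). Returns 1 and sets *field/*field_len on success,
 * 0 if the header or the declared length runs past limit.
 */
int read_u16_vector(const unsigned char *p, const unsigned char *limit,
                    const unsigned char **field, size_t *field_len)
{
    if (!in_bounds(p, 2, limit))
        return 0;
    size_t len = ((size_t)p[0] << 8) | p[1];
    p += 2;
    if (!in_bounds(p, len, limit))
        return 0;
    *field = p;
    *field_len = len;
    return 1;
}

/*
 * Constructed sample: a valid 3-byte vector followed by one whose declared
 * length (0xFFFF) is far longer than the single byte that follows it.
 */
const unsigned char sample_msg[] = {0x00, 0x03, 'a', 'b', 'c', 0xFF, 0xFF, 'x'};
const size_t sample_msg_len = sizeof(sample_msg);

/* Walks sample_msg; returns 1 when the second, truncated vector is rejected. */
int demo_truncated_vector_rejected(void)
{
    const unsigned char *p = sample_msg;
    const unsigned char *limit = sample_msg + sample_msg_len;
    const unsigned char *field;
    size_t n;

    if (!read_u16_vector(p, limit, &field, &n) || n != 3)
        return 0;
    p = field + n;                       /* in bounds: n was checked */
    return read_u16_vector(p, limit, &field, &n) == 0;
}

int main(void)
{
    const unsigned char *limit = sample_msg + sample_msg_len;
    size_t huge = SIZE_MAX - 1;          /* a length that wraps p + len */
    printf("naive check accepts huge len: %d\n",
           naive_check_accepts(sample_msg, huge, limit));
    printf("length check accepts huge len: %d\n",
           in_bounds(sample_msg, huge, limit));
    printf("truncated vector rejected: %d\n", demo_truncated_vector_rejected());
    return 0;
}
```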
Constant time flag not preserved in DSA signing (CVE-2016-2178)
===============================================================
Severity: Low
Operations in the DSA signing algorithm should run in constant time in order to
avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that
a non-constant time codepath is followed for certain operations. This has been
demonstrated through a cache-timing attack to be sufficient for an attacker to
recover the private DSA key.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 23rd May 2016 by César Pereida (Aalto
University), Billy Brumley (Tampere University of Technology), and Yuval Yarom
(The University of Adelaide and NICTA). The fix was developed by César Pereida.
DTLS buffered message DoS (CVE-2016-2179)
=========================================
Severity: Low
In a DTLS connection where handshake messages are delivered out-of-order those
messages that OpenSSL is not yet ready to process will be buffered for later
use. Under certain circumstances, a flaw in the logic means that those messages
do not get removed from the buffer even though the handshake has been completed.
An attacker could force up to approx. 15 messages to remain in the buffer when
they are no longer required. These messages will be cleared when the DTLS
connection is closed. The default maximum size for a message is 100k. Therefore
the attacker could force an additional 1500k to be consumed per connection. By
opening many simultaneous connections an attacker could cause a DoS attack
through memory exhaustion.
OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2i
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 22nd June 2016 by Quan Luo. The fix was
developed by Matt Caswell of the OpenSSL development team.
DTLS replay protection DoS (CVE-2016-2181)
==========================================
Severity: Low
A flaw in the DTLS replay attack protection mechanism means that records that
arrive for future epochs update the replay protection "window" before the MAC
for the record has been validated. This could be exploited by an attacker by
sending a record for the next epoch (which does not have to decrypt or have a
valid MAC), with a very large sequence number. This means that all subsequent
legitimate packets are dropped causing a denial of service for a specific
DTLS connection.
OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2i
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 21st November 2015 by the OCAP audit team.
The fix was developed by Matt Caswell of the OpenSSL development team.
Certificate message OOB reads (CVE-2016-6306)
=============================================
Severity: Low
In OpenSSL 1.0.2 and earlier some missing message length checks can result in
OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical
DoS risk but this has not been observed in practice on common platforms.
The messages affected are client certificate, client certificate request and
server certificate. As a result the attack can only be performed against
a client or a server which enables client authentication.
OpenSSL 1.1.0 is not affected.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 22nd August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.
Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307)
==========================================================================
Severity: Low
A TLS message includes 3 bytes for its length in the header for the message.
This would allow for messages up to 16Mb in length. Messages of this length are
excessive and OpenSSL includes a check to ensure that a peer is sending
reasonably sized messages in order to avoid too much memory being consumed to
service a connection. A flaw in the logic of version 1.1.0 means that memory for
the message is allocated too early, prior to the excessive message length
check. Due to the way memory is allocated in OpenSSL this could mean an attacker
could force up to 21Mb to be allocated to service a connection. This could lead
to a Denial of Service through memory exhaustion. However, the excessive message
length check still takes place, and this would cause the connection to
immediately fail. Assuming that the application calls SSL_free() on the failed
connection in a timely manner then the 21Mb of allocated memory will then be
immediately freed again. Therefore the excessive memory allocation will be
transitory in nature. This then means that there is only a security impact if:
1) The application does not call SSL_free() in a timely manner in the
event that the connection fails
or
2) The application is working in a constrained environment where there
is very little free memory
or
3) The attacker initiates multiple connection attempts such that there
are multiple connections in a state where memory has been allocated for
the connection; SSL_free() has not yet been called; and there is
insufficient memory to service the multiple requests.
Except in the instance of (1) above any Denial Of Service is likely to
be transitory because as soon as the connection fails the memory is
subsequently freed again in the SSL_free() call. However there is an
increased risk during this period of application crashes due to the lack
of memory - which would then mean a more serious Denial of Service.
This issue does not affect DTLS users.
OpenSSL 1.1.0 TLS users should upgrade to 1.1.0a
This issue was reported to OpenSSL on 18th September 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL
development team.
Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308)
=============================================================================
Severity: Low
This issue is very similar to CVE-2016-6307. The underlying defect is different
but the security analysis and impacts are the same except that it impacts DTLS.
A DTLS message includes 3 bytes for its length in the header for the message.
This would allow for messages up to 16Mb in length. Messages of this length are
excessive and OpenSSL includes a check to ensure that a peer is sending
reasonably sized messages in order to avoid too much memory being consumed to
service a connection. A flaw in the logic of version 1.1.0 means that memory for
the message is allocated too early, prior to the excessive message length
check. Due to the way memory is allocated in OpenSSL this could mean an attacker
could force up to 21Mb to be allocated to service a connection. This could lead
to a Denial of Service through memory exhaustion. However, the excessive message
length check still takes place, and this would cause the connection to
immediately fail. Assuming that the application calls SSL_free() on the failed
connection in a timely manner then the 21Mb of allocated memory will then be
immediately freed again. Therefore the excessive memory allocation will be
transitory in nature. This then means that there is only a security impact if:
1) The application does not call SSL_free() in a timely manner in the
event that the connection fails
or
2) The application is working in a constrained environment where there
is very little free memory
or
3) The attacker initiates multiple connection attempts such that there
are multiple connections in a state where memory has been allocated for
the connection; SSL_free() has not yet been called; and there is
insufficient memory to service the multiple requests.
Except in the instance of (1) above any Denial Of Service is likely to
be transitory because as soon as the connection fails the memory is
subsequently freed again in the SSL_free() call. However there is an
increased risk during this period of application crashes due to the lack
of memory - which would then mean a more serious Denial of Service.
This issue does not affect TLS users.
OpenSSL 1.1.0 DTLS users should upgrade to 1.1.0a
This issue was reported to OpenSSL on 18th September 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL
development team.
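The ordering defect shared by CVE-2016-6307 and CVE-2016-6308 (allocate from the announced 3-byte length, then check it) shown beside the corrected ordering, as an added example that is not OpenSSL code; the 64 KB ceiling, the function names and the demo helper are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed ceiling for one handshake message. OpenSSL enforces its own
 * library constant; this figure is only an assumption for the example. */
#define HS_MAX_MESSAGE_LEN (64u * 1024u)
#define HS_HEADER_LEN 4          /* 1 byte type + 3 byte big-endian length */

typedef struct {
    uint8_t  type;
    uint32_t length;             /* up to 0xFFFFFF (16 MB) as sent on the wire */
} hs_header;

/* Parse the 4-byte handshake header. Returns 0 on success, -1 if too short. */
int hs_parse_header(const uint8_t *buf, size_t buflen, hs_header *out)
{
    if (buf == NULL || out == NULL || buflen < HS_HEADER_LEN)
        return -1;
    out->type = buf[0];
    out->length = ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | buf[3];
    return 0;
}

/* Flawed ordering, the shape of CVE-2016-6307/6308: the body buffer is
 * allocated from the announced length before that length is validated, so a
 * peer announcing 0xFFFFFF commits ~16 MB until the check fails and the
 * buffer is freed. *peak_bytes reports how much was committed.
 * Returns 0 if the message is accepted (caller frees *body), -1 otherwise. */
int hs_get_message_alloc_first(const uint8_t *hdr, size_t hdrlen,
                               uint8_t **body, size_t *peak_bytes)
{
    hs_header h;
    *body = NULL;
    *peak_bytes = 0;
    if (hs_parse_header(hdr, hdrlen, &h) != 0)
        return -1;
    uint8_t *buf = malloc(h.length ? h.length : 1);   /* allocated too early */
    if (buf == NULL)
        return -1;
    *peak_bytes = h.length;
    if (h.length > HS_MAX_MESSAGE_LEN) {
        free(buf);                  /* transitory, as the advisory notes */
        return -1;
    }
    *body = buf;
    return 0;
}

/* Corrected ordering: validate the announced length first and allocate only
 * for messages within the limit, so a rejected message costs no memory. */
int hs_get_message_check_first(const uint8_t *hdr, size_t hdrlen,
                               uint8_t **body, size_t *peak_bytes)
{
    hs_header h;
    *body = NULL;
    *peak_bytes = 0;
    if (hs_parse_header(hdr, hdrlen, &h) != 0)
        return -1;
    if (h.length > HS_MAX_MESSAGE_LEN)
        return -1;                  /* nothing allocated */
    uint8_t *buf = malloc(h.length ? h.length : 1);
    if (buf == NULL)
        return -1;
    *peak_bytes = h.length;
    *body = buf;
    return 0;
}

/* Demo helper: build a constructed header announcing 'len' bytes (type 11 is
 * just a placeholder) and report how many bytes each strategy commits. */
size_t hs_peak_bytes(uint32_t len, int check_first)
{
    uint8_t hdr[HS_HEADER_LEN] = { 11, (uint8_t)(len >> 16), (uint8_t)(len >> 8), (uint8_t)len };
    uint8_t *body = NULL;
    size_t peak = 0;
    if (check_first)
        hs_get_message_check_first(hdr, sizeof hdr, &body, &peak);
    else
        hs_get_message_alloc_first(hdr, sizeof hdr, &body, &peak);
    free(body);
    return peak;
}

int main(void)
{
    printf("announced 0xFFFFFF: alloc-first commits %zu bytes, check-first commits %zu bytes\n",
           hs_peak_bytes(0xFFFFFFu, 0), hs_peak_bytes(0xFFFFFFu, 1));
    return 0;
}
```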
Note
====
As per our previous announcements and our Release Strategy
(https://www.openssl.org/policies/releasestrat.html), support for OpenSSL
version 1.0.1 will cease on 31st December 2016. No security updates for that
version will be provided after that date. Users of 1.0.1 are advised to
upgrade.
Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those
versions are no longer receiving security updates.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20160922.txt
Note: the online version of the advisory may be updated with additional details
over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
VAR-201607-0724 | No CVE | Hitron CGNV4 Router Multiple Security Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Hitron CGNV4 is a router product of Hitron.
Hitron CGNV4 Router version 4.3.9.9-SIP-UPC has 1. a security bypass vulnerability, 2. a cross-site request forgery vulnerability, and 3. a command injection vulnerability. Attackers can use these vulnerabilities to execute arbitrary commands, steal cookie-based authentication credentials, obtain sensitive information, and perform unauthorized operations. Hitron CGNV4 Router is prone to multiple security vulnerabilities, including:
1. This may aid in further attacks.
Hitron CGNV4, 4.3.9.9-SIP-UPC is vulnerable; other versions may also be affected
VAR-201608-0497 | No CVE | Cisco EPC3925 UPC Unsecure Default Password Vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
The Cisco EPC3925 is a home router device. The Cisco EPC3925 UPC has an insecure default password vulnerability. Remote attackers with knowledge of the default credentials may exploit this vulnerability to gain unauthorized access and perform unauthorized actions. This may aid in further attacks
VAR-201608-0190 | CVE-2016-4834 | Vtiger CRM does not properly restrict access to application data |
CVSS V2: 5.5 CVSS V3: 8.1 Severity: HIGH |
modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors. Vtiger CRM is customer relationship management (CRM) software. Vtiger CRM contains a vulnerability where it does not properly restrict access to user information data. Hirota Kazuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. A user with ordinary user privileges may create new users or alter existing user information.
Successfully exploiting this issue may allow attackers to perform unauthorized actions. This may lead to other attacks.
Vtiger CRM 6.4.0 and prior versions are vulnerable. The management system provides functions such as management, collection, and analysis of customer information. The vulnerability is caused by the program not properly restricting the user-save operation
VAR-201607-0544 | CVE-2016-1374 | Cisco Unified Computing System Performance Manager of Web Framework arbitrary command execution vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
The web framework in Cisco Unified Computing System (UCS) Performance Manager 2.0.0 and earlier allows remote authenticated users to execute arbitrary commands via crafted parameters in a GET request, aka Bug ID CSCuy07827.
An attacker can exploit this issue to execute arbitrary code on the affected system with the privileges of a root user.
This issue is being tracked by Cisco Bug ID CSCuy07827.
Cisco UCS Performance Manager versions 2.0.0 and prior are vulnerable
VAR-201607-0243 | CVE-2016-5080 | Objective Systems ASN1C buffer overflow vulnerability in generated source code |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Integer overflow in the rtxMemHeapAlloc function in asn1rt_a.lib in Objective Systems ASN1C for C/C++ before 7.0.2 allows context-dependent attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow), on a system running an application compiled by ASN1C, via crafted ASN.1 data. ASN.1 is a standard data structure notation for network and communication applications. Heap-based buffer overflow (CWE-122) - CVE-2016-5080. ASN1C is used to generate high-level language source code from ASN.1 syntax. According to the reporter, a heap-based buffer overflow vulnerability exists in the rtxMemHeapAlloc function of the heap manager in the C or C++ source code generated by ASN1C. As of 20 July 2016, it is unknown whether similar vulnerabilities exist in the Java and C# source code it outputs. Whether a product is affected depends on whether it uses the rtxMemHeapAlloc function; specifically, processing ASN.1 data received from an untrusted communication partner may be affected by this vulnerability. Developers using ASN1C for in-house product development need to verify their source code to see if their products contain this vulnerability. The reporter has published further information as a security advisory. In the most serious case, a remote third party may execute arbitrary code with the privileges of the application (root or SYSTEM etc.) by having it process ASN.1 data received from an untrusted partner. Failed exploit attempts will likely result in denial-of-service conditions. Fundación Dr. ASN1C compiler for C/C++
1. ASN1C compiler for C/C++
Advisory ID: STIC-2016-0603
Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones-2
Date published: 2016-07-18
Date of last update: 2016-07-19
Vendors contacted: Objective Systems Inc.
Release mode: Coordinated release
2. *Vulnerability Description*
Abstract Syntax Notation One (ASN.1) is a technical standard and formal
notation that describes rules and structures for representing, encoding,
transmitting, and decoding data in telecommunications and computer
networking[1]. It is a joint standard of the International Organization
for Standardization (ISO), International Electrotechnical Commission
(IEC), and International Telecommunication Union Telecommunication
Standardization Sector ITU-T[2] used in technical standards for wireless
communications such as GSM, UMTS and LTE, Lawful Interception,
Intelligent Transportation Systems, signalling in fixed and mobile
telecommunications networks (SS7), wireless broadband access (WiMAX),
data security (X.509), network management (SNMP), voice over IP and
IP-based videoconferencing (H.323), manufacturing, aviation, aerospace
and several other areas[3].
Software components that generate, transmit and parse ASN.1 encoded data
constitute a critical building block of software that runs on billions
of mobile devices, telecommunication switching equipment and systems for
operation and management of critical infrastructures. The ASN.1
specification is sufficiently complicated to make writing programs that
parse ASN.1 encoded data a perilous and error-prone activity. Many
technology vendors have adopted the practice of using computer-generated
programs to parse ASN.1 encoded data. This is accomplished by using an
ASN.1 compiler, a software tool that given as input a data specification
written in ASN.1 generates as output the source code of a program that
can be used to encode and decode in compliance with the specification.
The output of an ASN.1 compiler is generally incorporated as a building
block in a software system that transmits or processes ASN.1 encoded data. is a US-based private company[5] that develops
and commercializes ASN1C, an ASN.1 compiler for various programming
languages, to vendors in the telecommunications, data networking,
aviation, aerospace, defense and law enforcement sectors[6].
The vulnerability could be triggered remotely without any authentication
in scenarios where the vulnerable code receives and processes ASN.1
encoded data from untrusted sources, these may include communications
between mobile devices and telecommunication network infrastructure
nodes, communications between nodes in a carrier's network or across
carrier boundaries, or communication between mutually untrusted
endpoints in a data network. has addressed the issue and built a fixed interim
version of the ASN1C for C/C++ compiler that is available to customers
upon request. The fixes will be incorporated in the next (v7.0.2)
release of ASN1C for C/C++.
For further information about vulnerable vendors and available fixes
refer to the CERT/CC vulnerability note [4].
4. ASN1C compiler for C/C++ version 7.0 or below. Refer to the
CERT/CC vulnerability note[4] for a list of potentially affected vendors.
5. *Vendor Information, Solutions and Workarounds*
Vendor fixed the issue in an interim release of the ASN1C v7.0.1
compiler available to customers upon request[5]. The upcoming ASN1C
v7.0.2 release will incorporate the fixes.
6. *Credits*
This vulnerability was discovered and researched by Lucas Molas. The
publication of this advisory was coordinated by Programa Seguridad en TIC.
7. *Technical Description*
This document details a bug found in the latest release of Objective
Systems Inc. ASN1C compiler for C/C++ (v7.0.0), particularly in the
'rtxMemHeapAlloc' function contained in the pre-compiled 'asn1rt_a.lib'
library, where two integer overflows have been detected, which could
lead to corruption of heap memory in an attacker-controlled scenario.
The component analyzed was the "evaluation package of ASN1C" (v7.0.0)
for Windows (x86) MSVC 32-bit, but the analysis also applies to other
platforms. The analysis was performed with the IDA (v6.9) disassembler,
from which the assembly blocks shown below have been extracted (the
assembly syntax and location addresses may vary).
The pre-compiled library analyzed, 'asn1rt_a.lib', was extracted from
'<installdir>\c\lib\' (which corresponds to the Visual C++ 2013 version).
In 'rtxMemHeapAlloc', after initial checks to the context's internal
memory heap ('pMemHeap') which may entail calls to 'rtxMemHeapCreate'
and 'rtxMemHeapCheck', the 'nbytes' argument ('arg_4' in the
disassembly) is manipulated. Its value is rounded to the next multiple
of 8 bytes using 'ecx' and storing the result in 'var_9C'. To accomplish
this, a value of '7' is added to 'ecx' before making the shift without
checking the resulting value, which could lead to an integer overflow of
the 32-bit register if the value of 'nbytes' is '0xFFFFFFF9' or higher.
The following assembly blocks illustrate this.
/-----
loc_A6:
mov ecx, [ebp+arg_4]
add ecx, 7
shr ecx, 3
mov [ebp+var_9C], ecx
mov edx, [ebp+var_18]
mov eax, [edx+18h]
and eax, 20000000h
jnz short loc_D2
-----/
The 'rtxMemHeapAlloc' function does not perform any validation of the
'nbytes' argument and therefore it is up to the caller to make sure its
value does not overflow when the allocator rounds it up to a multiple of
8 bytes and adds 20 bytes to the memory to be allocated to accommodate a
heap control structure. However, the caller of 'rtxMemHeapAlloc' will be
a function automatically generated by the ASN1C compiler and typically
will not have any size constraints on the arguments passed to
'rtxMemHeapAlloc', and indirectly to 'malloc', unless added manually.
The resulting value of 'var_9C' is checked against the constant '0FFFCh'
to decide whether to allocate the memory requested using the internal
heap implementation or the system's memory allocator, which is usually
available through the 'malloc' function.
A similar pattern is found later when 'malloc' is called.
If 'malloc' is used, the value in 'var_9C' is discarded in favor of the
original value of the 'nbytes' argument. This value is added to '14h' in
'ecx' before saving it to 'var_E8' without any validation which could
lead to an integer overflow if the value of argument 'nbytes' is
'0xFFFFFFEC' or greater. The resulting value in 'var_E8' is then used as
the argument for the call to 'malloc'. As a consequence, large values
passed in the 'nbytes' argument to 'rtxMemHeapAlloc' will result in a
size calculation that wraps around and ends up calling 'malloc' with a
size argument that is less than what is needed to store the data that
will be copied to it later on. The following assembly block illustrates
this.
/-----
loc_D2:
mov ecx, [ebp+arg_4]
add ecx, 14h
mov [ebp+var_E8], ecx
mov edx, [ebp+var_E8]
push edx
mov eax, [ebp+var_18]
mov ecx, [eax+1Ch]
call ecx
add esp, 4
mov [ebp+var_24], eax
cmp [ebp+var_24], 0
jnz short loc_120
-----/
Due to the fact that the bugs are located in the core runtime support
library, it is hard to assess its exploitability in all scenarios but it
is safe to assume that it would lead to attacker-controlled memory
corruption of either the system's heap (if 'malloc' is called) or of the
internal memory allocator (if the number of bytes requested is below the
aforementioned threshold). Since heap control structures can be
overwritten with attacker controlled data, it is safe to assume that
remote code execution can be achieved in many scenarios in which ASN.1
parsing code generated by the ASN1C compiler for C/C++ is used without
manual modification. Manual modification of automatically generated code
is generally not recommended so mechanisms that would prevent triggering
of these bugs are not likely to be found in deployed systems.
As an illustrative example, the 3GPP APIs can be mentioned, particularly
the '[NAS/RRC add-on for ASN1C SDK]'[7]. The C code generated by
ASN1C for the RRC decoder ('EUTRA-RRC-DefinitionsDec.c') uses
'rtxMemHeapAlloc' for the allocation of the extension optional bits (of
the extension elements), where the length, not known in advance, is
obtained from the encoded element received from an untrusted source by
calling 'pd_SmallLength', which allows unconstrained whole numbers,
resulting in a call to 'rtxMemHeapAlloc' with an externally controlled
'nbytes' argument.
/-----
    /* decode extension elements */
    if (extbit) {
        OSOCTET* poptbits;
        /* decode extension optional bits length */
        stat = pd_SmallLength (pctxt, &bitcnt);
        if (stat != 0) return stat;
        poptbits = (OSOCTET*) rtxMemAlloc (pctxt, bitcnt);
        if (0 == poptbits) return RTERR_NOMEM;
        for (i_ = 0; i_ < bitcnt; i_++) {
            stat = DEC_BIT (pctxt, &poptbits[i_]);
            if (stat != 0) {
                rtxMemFreePtr (pctxt, poptbits);
                return stat;
            }
        }
-----/
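The two unchecked size computations from the disassembly (add 7 then shift, and add 0x14 before 'malloc'), reproduced in 32-bit arithmetic beside an overflow-checked version and a bounded allocation wrapper of the kind a caller such as the generated decoder above would need. This is an added example, not Objective Systems code; the function names, the caller-supplied ceiling and the direction of the 0xFFFC comparison are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constants read off the disassembly: round up to 8 (add 7, shift right 3),
 * a 20-byte (0x14) control structure, and the 0xFFFC threshold that selects
 * the system allocator over the internal heap. */
#define RTX_ROUND_ADD        7u
#define RTX_CTRL_OVERHEAD    0x14u
#define RTX_MALLOC_THRESHOLD 0xFFFCu

typedef struct {
    uint32_t rounded;            /* var_9C: (nbytes + 7) >> 3 */
    uint32_t malloc_size;        /* var_E8: nbytes + 0x14 */
    int      rounded_wrapped;    /* the add of 7 overflowed 32 bits */
    int      malloc_wrapped;     /* the add of 0x14 overflowed 32 bits */
    int      uses_system_malloc; /* rounded >= threshold, as assumed here */
} rtx_size_calc;

/* Reproduce the unchecked 32-bit arithmetic and record where it wraps.
 * Unsigned overflow is well defined in C, so the wrap is observable. */
rtx_size_calc rtx_size_calc_unchecked(uint32_t nbytes)
{
    rtx_size_calc r;
    uint32_t ecx = nbytes + RTX_ROUND_ADD;        /* wraps for nbytes >= 0xFFFFFFF9 */
    r.rounded_wrapped = ecx < nbytes;
    r.rounded = ecx >> 3;
    r.uses_system_malloc = r.rounded >= RTX_MALLOC_THRESHOLD;
    uint32_t sz = nbytes + RTX_CTRL_OVERHEAD;     /* wraps for nbytes >= 0xFFFFFFEC */
    r.malloc_wrapped = sz < nbytes;
    r.malloc_size = sz;
    return r;
}

/* Hardened size computation: refuse any request whose intermediate values
 * would wrap. Since 0x14 > 7, the one bound covers both additions.
 * Returns 0 and fills *out_malloc_size on success, -1 on overflow. */
int rtx_size_calc_checked(uint32_t nbytes, uint32_t *out_malloc_size)
{
    if (nbytes > UINT32_MAX - RTX_CTRL_OVERHEAD)
        return -1;
    *out_malloc_size = nbytes + RTX_CTRL_OVERHEAD;
    return 0;
}

/* Hardened allocation of the kind a caller like the generated decoder needs:
 * a caller-supplied ceiling bounds the wire-derived length before it reaches
 * the allocator, and the size arithmetic itself is overflow-checked. */
void *rtx_checked_alloc(uint32_t nbytes, uint32_t max_nbytes)
{
    uint32_t sz;
    if (nbytes > max_nbytes || rtx_size_calc_checked(nbytes, &sz) != 0)
        return NULL;
    return malloc(sz);
}

/* Demo helper: 1 if the checked allocation succeeds for these inputs. */
int rtx_checked_alloc_ok(uint32_t nbytes, uint32_t max_nbytes)
{
    void *p = rtx_checked_alloc(nbytes, max_nbytes);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    uint32_t samples[] = { 100u, 0xFFFFFFEBu, 0xFFFFFFECu, 0xFFFFFFF9u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        rtx_size_calc r = rtx_size_calc_unchecked(samples[i]);
        printf("nbytes=0x%08X rounded=0x%08X%s malloc_size=0x%08X%s -> %s\n",
               samples[i], r.rounded, r.rounded_wrapped ? " (wrapped)" : "",
               r.malloc_size, r.malloc_wrapped ? " (wrapped)" : "",
               r.uses_system_malloc ? "malloc" : "internal heap");
    }
    return 0;
}
```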
8. *Report Timeline*
. 2016-06-03: Sent email to Objective Systems Inc.
. 2016-06-06: Vendor responded with contact information to send the bug report in plaintext.
. 2016-06-06: Bug report sent in plaintext to the email address provided by the vendor. The report included technical details to identify and reproduce the bug. Publication date set to July 6, 2016.
. 2016-06-08: CERT/CC contacted, bug report filed in a web form, encrypted using the CERT/CC PGP public key.
. 2016-06-08: CERT/CC replied by email acknowledging the report, assigned VR-198 as internal tracking number.
. 2016-06-08: Email sent to CERT/CC saying that the bug is present in code generated by the ASN1C compiler for C, that it is also likely that C++ code is buggy and not likely Java code, but neither C++ nor Java code were tested.
. 2016-06-10: Email sent to the vendor requesting acknowledgement of the report sent on June 6 and noting that CERT/CC was contacted.
. 2016-06-10: Vendor acknowledged reception of the bug report and stated that it will look into the issue as time permits. indicated that the issues were fixed in an interim v7.0.1.x version of ASN1C that will be available to customers upon request and that the next v7.0.2 release will incorporate the fixes. Offered a version of ASN1C updated with the fixes for testing.
. 2016-06-14: Programa STIC replied to the vendor accepting the offer for the pre-release version of ASN1C with the fixes and stated it is on track for publication on July 6.
. 2016-06-15: Programa STIC notified CERT/CC that the vendor has fixed the issues and will make available an updated version of ASN1C to customers upon request. Asked CERT/CC about plans for dissemination of the report and whether it had contact information for ITU IMPACT. Publication is still planned for July 6.
. 2016-06-16: CERT/CC replied saying they have no contact information for ITU IMPACT but will try to reach as many potentially affected vendors as possible. The vulnerabilities were assigned the CVE-2016-5080 identifier. CERT/CC will likely publish a Vulnerability Note on its website once the report becomes public.
. 2016-06-16: Programa STIC said that vendors will need to assess whether they're vulnerable and determine if they want to ask Objective Systems for the fixed interim v7.0.1.x version or wait for the v7.0.2 release. Programa STIC recommends the former since the v7.0.2 release may include non-security fixes and features and does not have an estimated release date at the moment.
. 2016-06-27: Programa STIC sent mail to CERT/CC requesting a status update and saying it is on track to publish on July 6.
. 2016-07-01: CERT/CC replied saying one of the contacted vendors requested to delay the publication for 2 months while they investigate their products. Asked if Programa STIC would accept the request or proceed with the current publication date.
. 2016-07-01: Programa STIC replied that a two month delay seemed excessive and that at least 2 additional factors should be weighed: 1. memory corruption bugs in ASN.1 related components of an LTE stack have been announced or hinted at in several infosec conference presentations over the past few weeks and it is likely the same or similar bugs will become public soon. 2. Objective Systems has already produced a fix that is available upon request to all its customers. It does not seem reasonable to impose a 2 month publication delay on every other vendor. Asked CERT/CC: 1. Did other vendors request to postpone publication or indicate they were or were not vulnerable? 2. Did CERT/CC disseminate the information to any other parties?
. 2016-07-01: CERT/CC indicated they've contacted as many vendors as possible, US-CERT and international CERT partners and that only one vendor has requested to delay publication so far. Agreed that proceeding with the original publication schedule is reasonable given the partial disclosure due to dissemination that already occurred plus the fact that a fix is available.
. 2016-07-01: Programa STIC sent mail to CERT/CC saying that for the moment it will proceed with the original deadline but make a final decision on July 5.
. 2016-07-06: Programa STIC sent email to CERT/CC indicating it decided to postpone publication for a week to give vendors some additional time to assess whether they are vulnerable and plan for issuing fixes. The new publication date was set to July 13.
. 2016-07-06: CERT/CC replied that it will notify vendors of the new publication date.
. 2016-07-14: Programa STIC told CERT/CC that publication was postponed to Monday, July 18.
. 2016-07-13: Programa STIC sent mail to Objective Systems Inc. asking if a CVE ID had been assigned to the issue.
. 2016-07-13: Programa STIC sent mail to Objective Systems Inc. saying CVE-2016-5080 was assigned by CERT and promising to send a draft of the security advisory when ready for publication.
. 2016-07-14: Programa STIC sent email to Objective Systems informing them that the security advisory will be published on July 18 with guidance for potentially affected vendors to contact them to request a fixed version of the ASN1C compiler for C/C++.
9. *References*
[1] Abstract Syntax Notation One (ASN.1)
http://www.itu.int/en/ITU-T/asn1/Pages/introduction.aspx
[2] ASN.1 Project (ITU)
http://www.itu.int/en/ITU-T/asn1/Pages/asn1_project.aspx
[3] ASN.1 Applications and Standards
http://www.oss.com/asn1/resources/standards-use-asn1.html
[4] CERT/CC Vulnerability Notes
http://www.kb.cert.org/vuls
[5] Objective Systems Inc.
https://www.obj-sys.com
[6] Vendors possibly using ASN.1 compiler for C/C++.
https://www.obj-sys.com/customers/
[7] Non-Access Stratum (NAS) LTE, GERAN-RRC, and other non-ASN.1 APIs
3GPP TS 24.007 24.008 24.011 24.301 44.018.
https://www.obj-sys.com/products/asn1apis/lte_3gpp_apis.php
10. *About Fundación Dr. Manuel Sadosky*
The Dr. Manuel Sadosky Foundation is a mixed (public / private)
institution whose goal is to promote stronger and closer interaction
between industry and the scientific-technological system in all aspects
related to Information and Communications Technology (ICT). The
Foundation was formally created by a Presidential Decree in 2009. Its
Chairman is the Minister of Science, Technology, and Productive
Innovation of Argentina; and the Vice-chairmen are the chairmen of the
country's most important ICT chambers: The Software and Computer
Services Chamber (CESSI) and the Argentine Computing and
Telecommunications Chamber (CICOMRA). For more information visit:
http://www.fundacionsadosky.org.ar
11. *Copyright Notice*
The contents of this advisory are copyright (c) 2014-2016 Fundación
Sadosky and are licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 4.0 License:
http://creativecommons.org/licenses/by-nc-sa/4.0/
--
Programa de Seguridad en TIC
Fundación Dr. Manuel Sadosky
Av. Córdoba 744 Piso 5 Oficina I
TE/FAX: 4328-5164
VAR-201607-0365 | CVE-2016-4627 | Multiple Apple products IOAcceleratorFamily privilege escalation vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
IOAcceleratorFamily in Apple iOS before 9.3.3, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to gain privileges or cause a denial of service (NULL pointer dereference) via unspecified vectors. Supplementary information : CWE Vulnerability type by CWE-476: NULL Pointer Dereference (NULL Pointer dereference ) Has been identified. Apple iOS, tvOS and watchOS are prone to a local privilege-escalation vulnerability.
Local attackers may exploit this issue to execute arbitrary code with kernel privileges. in the United States. Apple iOS is an operating system developed for mobile devices; tvOS is a smart TV operating system; watchOS is a smart watch operating system. IOAcceleratorFamily is one of the IO acceleration management components. The following products and versions are affected: Apple iOS prior to 9.3.3, OS X prior to 10.11.6, tvOS prior to 9.2.2, watchOS prior to 2.2.2. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2016-07-18-3 watchOS 2.2.2
watchOS 2.2.2 is now available and addresses the following:
CoreGraphics
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A remote attacker may be able to execute arbitrary code
Description: A memory corruption issue was addressed through
improved memory handling.
CVE-2016-4637 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)
ImageIO
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4631 : Tyler Bohan of Cisco Talos (talosintel.com
/vulnerability-reports)
ImageIO
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A remote attacker may be able to cause a denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2016-4632 : Evgeny Sidorov of Yandex
IOAcceleratorFamily
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A null pointer dereference was addressed through
improved validation.
CVE-2016-4627 : Ju Zhu of Trend Micro
IOAcceleratorFamily
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A local user may be able to read kernel memory
Description: An out-of-bounds read was addressed through improved
bounds checking.
CVE-2016-4628 : Ju Zhu of Trend Micro
IOHIDFamily
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A null pointer dereference was addressed through
improved input validation.
CVE-2016-4626 : Stefan Esser of SektionEins
Kernel
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A local user may be able to cause a system denial of service
Description: A null pointer dereference was addressed through
improved input validation.
CVE-2016-1865 : CESG, Marco Grassi (@marcograss) of KeenLab
(@keen_lab), Tencent
Kernel
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1863 : Ian Beer of Google Project Zero
CVE-2016-1864 : Ju Zhu of Trend Micro
CVE-2016-4582 : Shrek_wzw and Proteas of Qihoo 360 Nirvan Team
libxml2
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: Multiple vulnerabilities in libxml2
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1836 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4447 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4448 : Apple
CVE-2016-4483 : Gustavo Grieco
CVE-2016-4614 : Nick Wellnhofer
CVE-2016-4615 : Nick Wellnhofer
CVE-2016-4616 : Michael Paddon
CVE-2016-4619 : Hanno Boeck
libxml2
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: An access issue existed in the parsing of maliciously
crafted XML files. This issue was addressed through improved input
validation.
CVE-2016-4449 : Kostya Serebryany
libxslt
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: Multiple vulnerabilities in libxslt
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1684 : Nicolas Grégoire
CVE-2016-4607 : Nick Wellnhofer
CVE-2016-4608 : Nicolas Grégoire
CVE-2016-4609 : Nick Wellnhofer
CVE-2016-4610 : Nick Wellnhofer
CVE-2016-4612 : Nicolas Grégoire
Sandbox Profiles
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact: A local application may be able to access the process list
Description: An access issue existed with privileged API calls. This
issue was addressed through additional restrictions.
CVE-2016-4594 : Stefan Esser of SektionEins
Installation note:
Instructions on how to update your Apple Watch software are
available at https://support.apple.com/en-us/HT204641
To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".
Alternatively, on your watch, select "My Watch > General > About".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
VAR-201705-2332 | CVE-2016-5810 | Advantech WebAccess of upAdminPg.asp Vulnerable to obtaining important password information |
CVSS V2: 4.0 CVSS V3: 4.9 Severity: MEDIUM |
upAdminPg.asp in Advantech WebAccess before 8.1_20160519 allows remote authenticated administrators to obtain sensitive password information via unspecified vectors. Authentication is required to exploit this vulnerability. The specific flaw exists within upAdminPg.asp: one project administrator can view other project administrators' passwords along with the system administrator's password. An attacker can leverage this vulnerability to escalate privileges within the system. Advantech WebAccess (formerly known as BroadWin WebAccess) is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. Versions of Advantech WebAccess prior to 8.1_20160519 are affected.
VAR-201607-0657 | CVE-2016-5385 | CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables |
CVSS V2: 5.1 CVSS V3: 8.1 Severity: HIGH |
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue. Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. This vulnerability can be leveraged to conduct man-in-the-middle (MITM) attacks on internal subrequests or to direct the server to initiate connections to arbitrary hosts. PHP (PHP: Hypertext Preprocessor) is an open source general-purpose scripting language maintained by the PHP Group and the open source community; it is mainly used for Web development and supports a variety of databases and operating systems. PHP 7.0.8 and earlier versions are affected because PHP does not resolve the RFC 3875 namespace conflict: the HTTP_PROXY meta-variable that CGI derives from a client-supplied Proxy request header collides with the HTTP_PROXY variable that HTTP client libraries conventionally read to locate an outbound proxy. A remote attacker who sends a specially crafted Proxy header can therefore carry out a man-in-the-middle attack on the server's outbound requests, or direct the server to connect to a host of the attacker's choosing.
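The following Python block is an added illustration and is not code from PHP, from any advisory on this page, or from any vendor named here. It reproduces the RFC 3875 header-to-environment mapping that CGI and FastCGI front ends perform, shows how a client-supplied Proxy header becomes HTTP_PROXY and is then picked up by a getenv-style proxy lookup, and places the two fixes next to it (dropping the header at the front end, and ignoring HTTP_PROXY inside a CGI process). The request headers, the proxy address 203.0.113.10 and all function names are constructed for the example.

```python
"""Added example (not part of any advisory on this page): how the httpoxy
flaw (CVE-2016-5385) arises from the RFC 3875 header-to-environment mapping,
and where it is fixed. All headers and addresses below are constructed."""
from typing import Dict, Iterable, List, Optional, Tuple

Headers = List[Tuple[str, str]]

# Constructed request, as a CGI or FastCGI front end would receive it.
# 203.0.113.10 is a documentation address standing in for an attacker host.
SAMPLE_HEADERS: Headers = [
    ("Host", "app.example.internal"),
    ("User-Agent", "curl/7.50.0"),
    ("Proxy", "http://203.0.113.10:8080"),
]


def cgi_meta_variables(headers: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """RFC 3875 section 4.1.18: every request header becomes HTTP_<NAME>, with
    the name upper-cased and '-' replaced by '_'. Applied without filtering, a
    client-supplied 'Proxy' header lands in HTTP_PROXY, the same variable many
    HTTP client libraries read to locate an outbound proxy."""
    env: Dict[str, str] = {}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def safe_cgi_meta_variables(headers: Headers) -> Dict[str, str]:
    """Front-end side fix: drop the Proxy request header before mapping, so the
    only way HTTP_PROXY can be set is by the server's own configuration."""
    return cgi_meta_variables((n, v) for n, v in headers if n.lower() != "proxy")


def proxy_from_env_unsafe(env: Dict[str, str]) -> Optional[str]:
    """What a vulnerable client did: trust HTTP_PROXY unconditionally
    (the equivalent of PHP code calling getenv('HTTP_PROXY'))."""
    return env.get("HTTP_PROXY") or None


def proxy_from_env_safe(env: Dict[str, str]) -> Optional[str]:
    """Library-side fix: when the process is a CGI script (REQUEST_METHOD is
    present), HTTP_PROXY is attacker-influenced and must be ignored."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY") or None


def request_is_suspicious(headers: Headers) -> bool:
    """Detection: browsers and ordinary clients never send a 'Proxy' request
    header, so its presence is a strong indicator of an httpoxy attempt."""
    return any(n.lower() == "proxy" for n, _ in headers)


def demo() -> Dict[str, Optional[str]]:
    """Run the vulnerable and the two fixed paths on the constructed request."""
    env_unfiltered = cgi_meta_variables(SAMPLE_HEADERS)
    env_unfiltered["REQUEST_METHOD"] = "GET"   # set by every CGI front end
    env_filtered = safe_cgi_meta_variables(SAMPLE_HEADERS)
    env_filtered["REQUEST_METHOD"] = "GET"
    return {
        "vulnerable": proxy_from_env_unsafe(env_unfiltered),
        "frontend_fixed": proxy_from_env_unsafe(env_filtered),
        "library_fixed": proxy_from_env_safe(env_unfiltered),
    }


if __name__ == "__main__":
    for label, proxy in demo().items():
        print(f"{label:15s} outbound proxy = {proxy}")
```

Only the "vulnerable" path returns the attacker's address; both fixes return no proxy. The front-end variant corresponds to the mitigations published with the httpoxy disclosure (for Apache, `RequestHeader unset Proxy early` via mod_headers; for nginx front ends, `fastcgi_param HTTP_PROXY "";`), and the library variant to the behaviour the patched PHP releases named in the advisories below adopt. The CVSS attack complexity of High reflects that the redirected outbound request must actually be able to reach the attacker's proxy from the server's network.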
The vulnerabilities are addressed by upgrading PHP to the new upstream
version 5.6.24, which includes additional bug fixes. Please refer to the
upstream changelog for more information:
https://php.net/ChangeLog-5.php#5.6.24
For the stable distribution (jessie), these problems have been fixed in
version 5.6.24+dfsg-0+deb8u1.
For the unstable distribution (sid), these problems have been fixed in
version 7.0.9-1 of the php7.0 source package.
We recommend that you upgrade your php5 packages.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: php55-php security update
Advisory ID: RHSA-2016:1611-01
Product: Red Hat Software Collections
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-1611.html
Issue date: 2016-08-11
CVE Names: CVE-2016-5385
=====================================================================
1. Summary:
An update for php55-php is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.2) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. Description:
PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Server.
Security Fix(es):
* It was discovered that PHP did not properly protect against the
HTTP_PROXY variable name clash. A remote attacker could possibly use this
flaw to redirect HTTP requests performed by a PHP script to an
attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5385)
Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon must be restarted
for the update to take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1353794 - CVE-2016-5385 PHP: sets environmental variable based on user supplied Proxy request header
6. Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):
Source:
php55-php-5.5.21-5.el6.src.rpm
x86_64:
php55-php-5.5.21-5.el6.x86_64.rpm
php55-php-bcmath-5.5.21-5.el6.x86_64.rpm
php55-php-cli-5.5.21-5.el6.x86_64.rpm
php55-php-common-5.5.21-5.el6.x86_64.rpm
php55-php-dba-5.5.21-5.el6.x86_64.rpm
php55-php-debuginfo-5.5.21-5.el6.x86_64.rpm
php55-php-devel-5.5.21-5.el6.x86_64.rpm
php55-php-enchant-5.5.21-5.el6.x86_64.rpm
php55-php-fpm-5.5.21-5.el6.x86_64.rpm
php55-php-gd-5.5.21-5.el6.x86_64.rpm
php55-php-gmp-5.5.21-5.el6.x86_64.rpm
php55-php-imap-5.5.21-5.el6.x86_64.rpm
php55-php-intl-5.5.21-5.el6.x86_64.rpm
php55-php-ldap-5.5.21-5.el6.x86_64.rpm
php55-php-mbstring-5.5.21-5.el6.x86_64.rpm
php55-php-mysqlnd-5.5.21-5.el6.x86_64.rpm
php55-php-odbc-5.5.21-5.el6.x86_64.rpm
php55-php-opcache-5.5.21-5.el6.x86_64.rpm
php55-php-pdo-5.5.21-5.el6.x86_64.rpm
php55-php-pgsql-5.5.21-5.el6.x86_64.rpm
php55-php-process-5.5.21-5.el6.x86_64.rpm
php55-php-pspell-5.5.21-5.el6.x86_64.rpm
php55-php-recode-5.5.21-5.el6.x86_64.rpm
php55-php-snmp-5.5.21-5.el6.x86_64.rpm
php55-php-soap-5.5.21-5.el6.x86_64.rpm
php55-php-tidy-5.5.21-5.el6.x86_64.rpm
php55-php-xml-5.5.21-5.el6.x86_64.rpm
php55-php-xmlrpc-5.5.21-5.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6):
Source:
php55-php-5.5.21-5.el6.src.rpm
x86_64:
php55-php-5.5.21-5.el6.x86_64.rpm
php55-php-bcmath-5.5.21-5.el6.x86_64.rpm
php55-php-cli-5.5.21-5.el6.x86_64.rpm
php55-php-common-5.5.21-5.el6.x86_64.rpm
php55-php-dba-5.5.21-5.el6.x86_64.rpm
php55-php-debuginfo-5.5.21-5.el6.x86_64.rpm
php55-php-devel-5.5.21-5.el6.x86_64.rpm
php55-php-enchant-5.5.21-5.el6.x86_64.rpm
php55-php-fpm-5.5.21-5.el6.x86_64.rpm
php55-php-gd-5.5.21-5.el6.x86_64.rpm
php55-php-gmp-5.5.21-5.el6.x86_64.rpm
php55-php-imap-5.5.21-5.el6.x86_64.rpm
php55-php-intl-5.5.21-5.el6.x86_64.rpm
php55-php-ldap-5.5.21-5.el6.x86_64.rpm
php55-php-mbstring-5.5.21-5.el6.x86_64.rpm
php55-php-mysqlnd-5.5.21-5.el6.x86_64.rpm
php55-php-odbc-5.5.21-5.el6.x86_64.rpm
php55-php-opcache-5.5.21-5.el6.x86_64.rpm
php55-php-pdo-5.5.21-5.el6.x86_64.rpm
php55-php-pgsql-5.5.21-5.el6.x86_64.rpm
php55-php-process-5.5.21-5.el6.x86_64.rpm
php55-php-pspell-5.5.21-5.el6.x86_64.rpm
php55-php-recode-5.5.21-5.el6.x86_64.rpm
php55-php-snmp-5.5.21-5.el6.x86_64.rpm
php55-php-soap-5.5.21-5.el6.x86_64.rpm
php55-php-tidy-5.5.21-5.el6.x86_64.rpm
php55-php-xml-5.5.21-5.el6.x86_64.rpm
php55-php-xmlrpc-5.5.21-5.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7):
Source:
php55-php-5.5.21-5.el6.src.rpm
x86_64:
php55-php-5.5.21-5.el6.x86_64.rpm
php55-php-bcmath-5.5.21-5.el6.x86_64.rpm
php55-php-cli-5.5.21-5.el6.x86_64.rpm
php55-php-common-5.5.21-5.el6.x86_64.rpm
php55-php-dba-5.5.21-5.el6.x86_64.rpm
php55-php-debuginfo-5.5.21-5.el6.x86_64.rpm
php55-php-devel-5.5.21-5.el6.x86_64.rpm
php55-php-enchant-5.5.21-5.el6.x86_64.rpm
php55-php-fpm-5.5.21-5.el6.x86_64.rpm
php55-php-gd-5.5.21-5.el6.x86_64.rpm
php55-php-gmp-5.5.21-5.el6.x86_64.rpm
php55-php-imap-5.5.21-5.el6.x86_64.rpm
php55-php-intl-5.5.21-5.el6.x86_64.rpm
php55-php-ldap-5.5.21-5.el6.x86_64.rpm
php55-php-mbstring-5.5.21-5.el6.x86_64.rpm
php55-php-mysqlnd-5.5.21-5.el6.x86_64.rpm
php55-php-odbc-5.5.21-5.el6.x86_64.rpm
php55-php-opcache-5.5.21-5.el6.x86_64.rpm
php55-php-pdo-5.5.21-5.el6.x86_64.rpm
php55-php-pgsql-5.5.21-5.el6.x86_64.rpm
php55-php-process-5.5.21-5.el6.x86_64.rpm
php55-php-pspell-5.5.21-5.el6.x86_64.rpm
php55-php-recode-5.5.21-5.el6.x86_64.rpm
php55-php-snmp-5.5.21-5.el6.x86_64.rpm
php55-php-soap-5.5.21-5.el6.x86_64.rpm
php55-php-tidy-5.5.21-5.el6.x86_64.rpm
php55-php-xml-5.5.21-5.el6.x86_64.rpm
php55-php-xmlrpc-5.5.21-5.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):
Source:
php55-php-5.5.21-5.el6.src.rpm
x86_64:
php55-php-5.5.21-5.el6.x86_64.rpm
php55-php-bcmath-5.5.21-5.el6.x86_64.rpm
php55-php-cli-5.5.21-5.el6.x86_64.rpm
php55-php-common-5.5.21-5.el6.x86_64.rpm
php55-php-dba-5.5.21-5.el6.x86_64.rpm
php55-php-debuginfo-5.5.21-5.el6.x86_64.rpm
php55-php-devel-5.5.21-5.el6.x86_64.rpm
php55-php-enchant-5.5.21-5.el6.x86_64.rpm
php55-php-fpm-5.5.21-5.el6.x86_64.rpm
php55-php-gd-5.5.21-5.el6.x86_64.rpm
php55-php-gmp-5.5.21-5.el6.x86_64.rpm
php55-php-imap-5.5.21-5.el6.x86_64.rpm
php55-php-intl-5.5.21-5.el6.x86_64.rpm
php55-php-ldap-5.5.21-5.el6.x86_64.rpm
php55-php-mbstring-5.5.21-5.el6.x86_64.rpm
php55-php-mysqlnd-5.5.21-5.el6.x86_64.rpm
php55-php-odbc-5.5.21-5.el6.x86_64.rpm
php55-php-opcache-5.5.21-5.el6.x86_64.rpm
php55-php-pdo-5.5.21-5.el6.x86_64.rpm
php55-php-pgsql-5.5.21-5.el6.x86_64.rpm
php55-php-process-5.5.21-5.el6.x86_64.rpm
php55-php-pspell-5.5.21-5.el6.x86_64.rpm
php55-php-recode-5.5.21-5.el6.x86_64.rpm
php55-php-snmp-5.5.21-5.el6.x86_64.rpm
php55-php-soap-5.5.21-5.el6.x86_64.rpm
php55-php-tidy-5.5.21-5.el6.x86_64.rpm
php55-php-xml-5.5.21-5.el6.x86_64.rpm
php55-php-xmlrpc-5.5.21-5.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
php55-php-5.5.21-5.el7.src.rpm
x86_64:
php55-php-5.5.21-5.el7.x86_64.rpm
php55-php-bcmath-5.5.21-5.el7.x86_64.rpm
php55-php-cli-5.5.21-5.el7.x86_64.rpm
php55-php-common-5.5.21-5.el7.x86_64.rpm
php55-php-dba-5.5.21-5.el7.x86_64.rpm
php55-php-debuginfo-5.5.21-5.el7.x86_64.rpm
php55-php-devel-5.5.21-5.el7.x86_64.rpm
php55-php-enchant-5.5.21-5.el7.x86_64.rpm
php55-php-fpm-5.5.21-5.el7.x86_64.rpm
php55-php-gd-5.5.21-5.el7.x86_64.rpm
php55-php-gmp-5.5.21-5.el7.x86_64.rpm
php55-php-intl-5.5.21-5.el7.x86_64.rpm
php55-php-ldap-5.5.21-5.el7.x86_64.rpm
php55-php-mbstring-5.5.21-5.el7.x86_64.rpm
php55-php-mysqlnd-5.5.21-5.el7.x86_64.rpm
php55-php-odbc-5.5.21-5.el7.x86_64.rpm
php55-php-opcache-5.5.21-5.el7.x86_64.rpm
php55-php-pdo-5.5.21-5.el7.x86_64.rpm
php55-php-pgsql-5.5.21-5.el7.x86_64.rpm
php55-php-process-5.5.21-5.el7.x86_64.rpm
php55-php-pspell-5.5.21-5.el7.x86_64.rpm
php55-php-recode-5.5.21-5.el7.x86_64.rpm
php55-php-snmp-5.5.21-5.el7.x86_64.rpm
php55-php-soap-5.5.21-5.el7.x86_64.rpm
php55-php-xml-5.5.21-5.el7.x86_64.rpm
php55-php-xmlrpc-5.5.21-5.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1):
Source:
php55-php-5.5.21-5.el7.src.rpm
x86_64:
php55-php-5.5.21-5.el7.x86_64.rpm
php55-php-bcmath-5.5.21-5.el7.x86_64.rpm
php55-php-cli-5.5.21-5.el7.x86_64.rpm
php55-php-common-5.5.21-5.el7.x86_64.rpm
php55-php-dba-5.5.21-5.el7.x86_64.rpm
php55-php-debuginfo-5.5.21-5.el7.x86_64.rpm
php55-php-devel-5.5.21-5.el7.x86_64.rpm
php55-php-enchant-5.5.21-5.el7.x86_64.rpm
php55-php-fpm-5.5.21-5.el7.x86_64.rpm
php55-php-gd-5.5.21-5.el7.x86_64.rpm
php55-php-gmp-5.5.21-5.el7.x86_64.rpm
php55-php-intl-5.5.21-5.el7.x86_64.rpm
php55-php-ldap-5.5.21-5.el7.x86_64.rpm
php55-php-mbstring-5.5.21-5.el7.x86_64.rpm
php55-php-mysqlnd-5.5.21-5.el7.x86_64.rpm
php55-php-odbc-5.5.21-5.el7.x86_64.rpm
php55-php-opcache-5.5.21-5.el7.x86_64.rpm
php55-php-pdo-5.5.21-5.el7.x86_64.rpm
php55-php-pgsql-5.5.21-5.el7.x86_64.rpm
php55-php-process-5.5.21-5.el7.x86_64.rpm
php55-php-pspell-5.5.21-5.el7.x86_64.rpm
php55-php-recode-5.5.21-5.el7.x86_64.rpm
php55-php-snmp-5.5.21-5.el7.x86_64.rpm
php55-php-soap-5.5.21-5.el7.x86_64.rpm
php55-php-xml-5.5.21-5.el7.x86_64.rpm
php55-php-xmlrpc-5.5.21-5.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.2):
Source:
php55-php-5.5.21-5.el7.src.rpm
x86_64:
php55-php-5.5.21-5.el7.x86_64.rpm
php55-php-bcmath-5.5.21-5.el7.x86_64.rpm
php55-php-cli-5.5.21-5.el7.x86_64.rpm
php55-php-common-5.5.21-5.el7.x86_64.rpm
php55-php-dba-5.5.21-5.el7.x86_64.rpm
php55-php-debuginfo-5.5.21-5.el7.x86_64.rpm
php55-php-devel-5.5.21-5.el7.x86_64.rpm
php55-php-enchant-5.5.21-5.el7.x86_64.rpm
php55-php-fpm-5.5.21-5.el7.x86_64.rpm
php55-php-gd-5.5.21-5.el7.x86_64.rpm
php55-php-gmp-5.5.21-5.el7.x86_64.rpm
php55-php-intl-5.5.21-5.el7.x86_64.rpm
php55-php-ldap-5.5.21-5.el7.x86_64.rpm
php55-php-mbstring-5.5.21-5.el7.x86_64.rpm
php55-php-mysqlnd-5.5.21-5.el7.x86_64.rpm
php55-php-odbc-5.5.21-5.el7.x86_64.rpm
php55-php-opcache-5.5.21-5.el7.x86_64.rpm
php55-php-pdo-5.5.21-5.el7.x86_64.rpm
php55-php-pgsql-5.5.21-5.el7.x86_64.rpm
php55-php-process-5.5.21-5.el7.x86_64.rpm
php55-php-pspell-5.5.21-5.el7.x86_64.rpm
php55-php-recode-5.5.21-5.el7.x86_64.rpm
php55-php-snmp-5.5.21-5.el7.x86_64.rpm
php55-php-soap-5.5.21-5.el7.x86_64.rpm
php55-php-xml-5.5.21-5.el7.x86_64.rpm
php55-php-xmlrpc-5.5.21-5.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source:
php55-php-5.5.21-5.el7.src.rpm
x86_64:
php55-php-5.5.21-5.el7.x86_64.rpm
php55-php-bcmath-5.5.21-5.el7.x86_64.rpm
php55-php-cli-5.5.21-5.el7.x86_64.rpm
php55-php-common-5.5.21-5.el7.x86_64.rpm
php55-php-dba-5.5.21-5.el7.x86_64.rpm
php55-php-debuginfo-5.5.21-5.el7.x86_64.rpm
php55-php-devel-5.5.21-5.el7.x86_64.rpm
php55-php-enchant-5.5.21-5.el7.x86_64.rpm
php55-php-fpm-5.5.21-5.el7.x86_64.rpm
php55-php-gd-5.5.21-5.el7.x86_64.rpm
php55-php-gmp-5.5.21-5.el7.x86_64.rpm
php55-php-intl-5.5.21-5.el7.x86_64.rpm
php55-php-ldap-5.5.21-5.el7.x86_64.rpm
php55-php-mbstring-5.5.21-5.el7.x86_64.rpm
php55-php-mysqlnd-5.5.21-5.el7.x86_64.rpm
php55-php-odbc-5.5.21-5.el7.x86_64.rpm
php55-php-opcache-5.5.21-5.el7.x86_64.rpm
php55-php-pdo-5.5.21-5.el7.x86_64.rpm
php55-php-pgsql-5.5.21-5.el7.x86_64.rpm
php55-php-process-5.5.21-5.el7.x86_64.rpm
php55-php-pspell-5.5.21-5.el7.x86_64.rpm
php55-php-recode-5.5.21-5.el7.x86_64.rpm
php55-php-snmp-5.5.21-5.el7.x86_64.rpm
php55-php-soap-5.5.21-5.el7.x86_64.rpm
php55-php-xml-5.5.21-5.el7.x86_64.rpm
php55-php-xmlrpc-5.5.21-5.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-5385
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFXrPSuXlSAg2UNWIIRAmLnAKCBRe4E5DnZotwDu0Tb+ITqqiZ2nQCeI6jD
V28z7ctkF+xOsCoI2ug8jtY=
=n134
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/php-5.6.24-i586-1_slack14.2.txz: Upgraded.
For more information, see:
http://php.net/ChangeLog-5.php#5.6.24
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6207
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/php-5.6.24-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/php-5.6.24-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/php-5.6.24-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/php-5.6.24-x86_64-1_slack14.1.txz
Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/php-5.6.24-i586-1_slack14.2.txz
Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/php-5.6.24-x86_64-1_slack14.2.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-5.6.24-i586-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/php-5.6.24-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 14.0 package:
712cc177c9ac10f3d58e871ff27260dc php-5.6.24-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
47f6ad4a81517f5b2959abc73475742b php-5.6.24-x86_64-1_slack14.0.txz
Slackware 14.1 package:
aea6a8869946186781e55c5ecec952b0 php-5.6.24-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
ab16db742762605b9b219b37cdd7e8db php-5.6.24-x86_64-1_slack14.1.txz
Slackware 14.2 package:
c88a731667e741443712267d9b30286a php-5.6.24-i586-1_slack14.2.txz
Slackware x86_64 14.2 package:
ed5b31c94e2fb91f0e6c40051f51da1c php-5.6.24-x86_64-1_slack14.2.txz
Slackware -current package:
c25a85fece34101d35b8785022cef94d n/php-5.6.24-i586-1.txz
Slackware x86_64 -current package:
17f8886fc0901cea6d593170ea00fe7b n/php-5.6.24-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg php-5.6.24-i586-1_slack14.2.txz
Then, restart Apache httpd:
# /etc/rc.d/rc.httpd stop
# /etc/rc.d/rc.httpd start
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05320149
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c05320149
Version: 1
HPSBMU03653 rev.1 - HPE System Management Homepage (SMH), Remote Arbitrary
Code Execution, Cross-Site Scripting (XSS), Denial of Service (DoS),
Unauthorized Disclosure of Information
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2016-10-26
Last Updated: 2016-10-26
Potential Security Impact: Remote: Arbitrary Code Execution, Cross-Site
Scripting (XSS), Denial of Service (DoS), Unauthorized Disclosure of
Information
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
Multiple potential security vulnerabilities have been identified in HPE
System Management Homepage (SMH) on Windows and Linux. The vulnerabilities
could be remotely exploited using man-in-the-middle (MITM) attacks resulting
in cross-site scripting (XSS), arbitrary code execution, Denial of Service
(DoS), and/or unauthorized disclosure of information.
References:
- CVE-2016-2107 - OpenSSL, Unauthorized disclosure of information
- CVE-2016-2106 - OpenSSL, Denial of Service (DoS)
- CVE-2016-2109 - OpenSSL, Denial of Service (DoS)
- CVE-2016-2105 - OpenSSL, Denial of Service (DoS)
- CVE-2016-3739 - cURL and libcurl, Remote code execution
- CVE-2016-5388 - "HTTPoxy", Apache Tomcat
- CVE-2016-5387 - "HTTPoxy", Apache HTTP Server
- CVE-2016-5385 - "HTTPoxy", PHP
- CVE-2016-4543 - PHP, multiple impact
- CVE-2016-4071 - PHP, multiple impact
- CVE-2016-4072 - PHP, multiple impact
- CVE-2016-4542 - PHP, multiple impact
- CVE-2016-4541 - PHP, multiple impact
- CVE-2016-4540 - PHP, multiple impact
- CVE-2016-4539 - PHP, multiple impact
- CVE-2016-4538 - PHP, multiple impact
- CVE-2016-4537 - PHP, multiple impact
- CVE-2016-4343 - PHP, multiple impact
- CVE-2016-4342 - PHP, multiple impact
- CVE-2016-4070 - PHP, Denial of Service (DoS)
- CVE-2016-4393 - PSRT110263, XSS vulnerability
- CVE-2016-4394 - PSRT110263, HSTS vulnerability
- CVE-2016-4395 - ZDI-CAN-3722, PSRT110115, Buffer Overflow
- CVE-2016-4396 - ZDI-CAN-3730, PSRT110116, Buffer Overflow
- PSRT110145
- PSRT110263
- PSRT110115
- PSRT110116
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- HPE System Management Homepage - all versions prior to v7.6
BACKGROUND
CVSS Base Metrics
=================
Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector
CVE-2016-2105
7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2016-2106
7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2016-2107
5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVE-2016-2109
7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVE-2016-3739
5.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CVE-2016-4070
7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2016-4071
9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-4072
9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-4342
8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.3 (AV:N/AC:M/Au:N/C:P/I:P/A:C)
CVE-2016-4343
9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2016-4393
4.2 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)
CVE-2016-4394
6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
CVE-2016-4395
7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.8 (AV:N/AC:L/Au:N/C:N/I:C/A:N)
CVE-2016-4396
7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.8 (AV:N/AC:L/Au:N/C:N/I:C/A:N)
CVE-2016-4537
9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-4538
9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-4539
9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-4540
9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-4541
9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-4542
9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-4543
9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-5385
8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVE-2016-5387
8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVE-2016-5388
8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499
* Hewlett Packard Enterprise thanks Tenable Network Security for working with
Trend Micro's Zero Day Initiative (ZDI) for reporting CVE-2016-4395 and
CVE-2016-4396 to security-alert@hpe.com
RESOLUTION
HPE has made the following software updates available to resolve the
vulnerabilities for the impacted versions of System Management Homepage
(SMH).
Please download and install HPE System Management Homepage (SMH) v7.6.0 from
the following locations:
* <https://www.hpe.com/us/en/product-catalog/detail/pip.344313.html>
HISTORY
Version:1 (rev.1) - 26 October 2016 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability for any HPE supported
product:
Web form: https://www.hpe.com/info/report-security-vulnerability
Email: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.
The vulnerability known as "httpoxy" could be remotely exploited to execute arbitrary code.
- Comware v7 (CW7) Products V7
BACKGROUND
CVSS Base Metrics
=================
Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector
CVE-2016-5385
5.6 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVE-2016-5386
5.6 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2016-5387
5.6 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVE-2016-5388
5.6 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499
RESOLUTION
HPE has made the following software updates available to resolve the vulnerability in the Comware 7 MSR Router products:
+ **MSR1000 (Comware 7) - Version: Fixed in R0605P13 Release**
* HP Network Products
- JG875A HP MSR1002-4 AC Router
- JH060A HP MSR1003-8S AC Router
* CVE's/ZDI's
- CVE-2016-5385
- CVE-2016-5386
- CVE-2016-5387
- CVE-2016-5388
+ **MSR2000 (Comware 7) - Version: Fixed in R0605P13 Release**
* HP Network Products
- JG411A HP MSR2003 AC Router
- JG734A HP MSR2004-24 AC Router
- JG735A HP MSR2004-48 Router
- JG866A HP MSR2003 TAA-compliant AC Router
* CVE's/ZDI's
- CVE-2016-5385
- CVE-2016-5386
- CVE-2016-5387
- CVE-2016-5388
+ **MSR3000 (Comware 7) - Version: Fixed in R0605P13 Release**
* HP Network Products
- JG404A HP MSR3064 Router
- JG405A HP MSR3044 Router
- JG406A HP MSR3024 AC Router
- JG407A HP MSR3024 DC Router
- JG408A HP MSR3024 PoE Router
- JG409A HP MSR3012 AC Router
- JG410A HP MSR3012 DC Router
- JG861A HP MSR3024 TAA-compliant AC Router
- JG409B HPE MSR3012 AC Router
* CVE's/ZDI's
- CVE-2016-5385
- CVE-2016-5386
- CVE-2016-5387
- CVE-2016-5388
+ **MSR4000 (Comware 7) - Version: Fixed in R0605P13 Release**
* HP Network Products
- JG402A HP MSR4080 Router Chassis
- JG403A HP MSR4060 Router Chassis
- JG412A HP MSR4000 MPU-100 Main Processing Unit
- JG869A HP MSR4000 TAA-compliant MPU-100 Main Processing Unit
* CVE's/ZDI's
- CVE-2016-5385
- CVE-2016-5386
- CVE-2016-5387
- CVE-2016-5388
+ **MSR95X (Comware 7) - Version: Fixed in R0605P13 Release**
* HP Network Products
- JH296A HPE MSR954 1GbE SFP 2GbE-WAN 4GbE-LAN CWv7 Router
- JH297A HPE MSR954-W 1GbE SFP (WW) 2GbE-WAN 4GbE-LAN Wireless 802.11n
CWv7 Router
- JH298A HPE MSR954-W 1GbE SFP LTE (AM) 2GbE-WAN 4GbE-LAN Wireless 802.11n CWv7 Router
- JH299A HPE MSR954-W 1GbE SFP LTE (WW) 2GbE-WAN 4GbE-LAN Wireless 802.11n CWv7 Router
- JH300A HPE FlexNetwork MSR958 1GbE and Combo 2GbE WAN 8GbE LAN Router
- JH301A HPE FlexNetwork MSR958 1GbE and Combo 2GbE WAN 8GbE LAN PoE Router
- JH373A HPE MSR954 Serial 1GbE Dual 4GLTE (WW) CWv7 Router
* CVE's/ZDI's
- CVE-2016-5385
- CVE-2016-5386
- CVE-2016-5387
- CVE-2016-5388
*Note:* Please contact support for any questions about this document
HISTORY
Version:1 (rev.1) - 21 August 2017 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.
Please note that the Management Interface cannot access data stored on tape media, so this vulnerability does not allow for remote unauthorized disclosure of data stored on tape media or remote denial of service.
References:
- CVE-2016-5385 - PHP, HTTPoxy
- CVE-2016-3074 - PHP
- CVE-2013-7456 - PHP
- CVE-2016-5093 - PHP
- CVE-2016-5094 - PHP
- CVE-2016-5096 - PHP
- CVE-2016-5766 - PHP
- CVE-2016-5767 - PHP
- CVE-2016-5768 - PHP
- CVE-2016-5769 - PHP
- CVE-2016-5770 - PHP
- CVE-2016-5771 - PHP
- CVE-2016-5772 - PHP
- CVE-2016-5773 - PHP
- CVE-2016-6207 - GD Graphics Library
- CVE-2016-6289 - PHP
- CVE-2016-6290 - PHP
- CVE-2016-6291 - PHP
- CVE-2016-6292 - PHP
- CVE-2016-6293 - PHP
- CVE-2016-6294 - PHP
- CVE-2016-6295 - PHP
- CVE-2016-6296 - PHP
- CVE-2016-6297 - PHP
- CVE-2016-5399 - PHP
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Background
==========
PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-lang/php < 5.6.28 >= 5.6.28
Description
===========
Multiple vulnerabilities have been discovered in PHP. Please review the
CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All PHP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-5.6.28"
References
==========
[ 1 ] CVE-2015-8865
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8865
[ 2 ] CVE-2016-3074
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3074
[ 3 ] CVE-2016-4071
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4071
[ 4 ] CVE-2016-4072
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4072
[ 5 ] CVE-2016-4073
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4073
[ 6 ] CVE-2016-4537
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4537
[ 7 ] CVE-2016-4538
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4538
[ 8 ] CVE-2016-4539
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4539
[ 9 ] CVE-2016-4540
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4540
[ 10 ] CVE-2016-4541
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4541
[ 11 ] CVE-2016-4542
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4542
[ 12 ] CVE-2016-4543
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4543
[ 13 ] CVE-2016-4544
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4544
[ 14 ] CVE-2016-5385
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5385
[ 15 ] CVE-2016-6289
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6289
[ 16 ] CVE-2016-6290
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6290
[ 17 ] CVE-2016-6291
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6291
[ 18 ] CVE-2016-6292
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6292
[ 19 ] CVE-2016-6294
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6294
[ 20 ] CVE-2016-6295
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6295
[ 21 ] CVE-2016-6296
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6296
[ 22 ] CVE-2016-6297
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6297
[ 23 ] CVE-2016-7124
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7124
[ 24 ] CVE-2016-7125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7125
[ 25 ] CVE-2016-7126
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7126
[ 26 ] CVE-2016-7127
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7127
[ 27 ] CVE-2016-7128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7128
[ 28 ] CVE-2016-7129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7129
[ 29 ] CVE-2016-7130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7130
[ 30 ] CVE-2016-7131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7131
[ 31 ] CVE-2016-7132
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7132
[ 32 ] CVE-2016-7133
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7133
[ 33 ] CVE-2016-7134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7134
[ 34 ] CVE-2016-7411
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7411
[ 35 ] CVE-2016-7412
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7412
[ 36 ] CVE-2016-7413
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7413
[ 37 ] CVE-2016-7414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7414
[ 38 ] CVE-2016-7416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7416
[ 39 ] CVE-2016-7417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7417
[ 40 ] CVE-2016-7418
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7418
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201611-22
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-201704-0179 | CVE-2016-4650 | Multiple Apple products IOHIDFamily heap-based buffer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: 7.8 Severity: HIGH |
Heap-based buffer overflow in IOHIDFamily in Apple iOS before 9.3.2, OS X before 10.11.5, and tvOS before 9.2.1 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. User interaction is required to exploit this vulnerability in that the target must open a malicious file. The specific flaw exists within the IOHIDFamily kernel extension. The issue lies in the failure to validate a supplied length value causing a heap buffer overflow. An attacker can leverage this vulnerability to escalate privileges and execute code under the context of the kernel. Apple tvOS, Mac OS X and iOS are prone to a memory-corruption vulnerability. Failed exploit attempts may result in a denial-of-service condition.
Note: This issue was previously titled 'PHP CVE-2016-4650 Multiple Remote Code Execution Vulnerabilities'. The title has been changed to better reflect the vulnerability information. Apple iOS is an operating system developed for mobile devices; OS X is a dedicated operating system developed for Mac computers; tvOS is a smart TV operating system. IOHIDFamily is one of the kernel extension components (an abstract interface for Human Interface Devices).
VAR-201607-0687 | CVE-2014-9862 | bspatch.c in bspatch in bsdiff, as used in Apple OS X and other products, integer signedness error vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
Integer signedness error in bspatch.c in bspatch in bsdiff, as used in Apple OS X before 10.11.6 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via a crafted patch file. bspatch.c in bspatch in bsdiff, as used in Apple OS X and other products, contains an integer signedness error vulnerability. Supplementary information: CWE vulnerability type CWE-190: Integer Overflow or Wraparound has been identified.
Attackers can exploit these issues to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
Apple Mac OS X 10.9.5, 10.10.5 and 10.11 through 10.11.5 are vulnerable. bsdiff is one of the tool components used to build patched binaries.
==========================================================================
Ubuntu Security Notice USN-4500-1
September 15, 2020
bsdiff vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
bsdiff could be made to crash or run programs as your login if it
opened a specially crafted file.
Software Description:
- bsdiff: generate/apply a patch between two binary files
Details:
It was discovered that bsdiff mishandled certain input.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
bsdiff 4.3-15+deb8u1build0.16.04.1
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4500-1
CVE-2014-9862
Package Information:
https://launchpad.net/ubuntu/+source/bsdiff/4.3-15+deb8u1build0.16.04.1
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
=============================================================================
FreeBSD-SA-16:25.bspatch Security Advisory
The FreeBSD Project
Topic: Heap vulnerability in bspatch
Category: core
Module: bsdiff
Announced: 2016-07-25
Affects: All supported versions of FreeBSD.
Corrected: 2016-07-25 14:52:12 UTC (stable/11, 11.0-BETA2-p1)
2016-07-25 14:52:12 UTC (stable/11, 11.0-BETA1-p1)
2016-07-25 14:53:04 UTC (stable/10, 10.3-STABLE)
2016-07-25 15:04:17 UTC (releng/10.3, 10.3-RELEASE-p6)
2016-07-25 15:04:17 UTC (releng/10.2, 10.2-RELEASE-p20)
2016-07-25 15:04:17 UTC (releng/10.1, 10.1-RELEASE-p37)
2016-07-25 14:53:04 UTC (stable/9, 9.3-STABLE)
2016-07-25 15:04:17 UTC (releng/9.3, 9.3-RELEASE-p45)
CVE Name: CVE-2014-9862
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The bspatch utility generates newfile from oldfile and patchfile where
patchfile is a binary patch built by bsdiff(1).
II. Problem Description
The implementation of bspatch does not check for a negative value on numbers
of bytes read from the diff and extra streams, allowing an attacker who
can control the patch file to write at arbitrary locations in the heap.
This issue was first discovered by The Chromium Project and reported
independently by Lu Tung-Pin to the FreeBSD project.
III. Impact
An attacker who can control the patch file can cause a crash or run arbitrary
code under the credentials of the user who runs bspatch, in many cases, root.
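To make the problem description concrete, here is an added illustration (not FreeBSD's or bsdiff's own code) of the control-block decoding and the length check it describes: offtin() is reproduced with bspatch's sign-magnitude layout, and an upper-bound-only check of the kind the unfixed bspatch performed is placed beside a hardened check that also rejects negative or oversized lengths. The offtout encoder, the verdict() helper and the 4096-byte buffer with the cursor at 1024 are assumptions constructed for the demonstration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Decode one 8-byte control value the way bspatch's offtin() does:
 * little-endian magnitude with the sign carried in the top bit of the
 * last byte (sign-magnitude, not two's complement). */
static int64_t offtin(const unsigned char *buf)
{
    int64_t y = buf[7] & 0x7F;
    for (int i = 6; i >= 0; i--)
        y = y * 256 + buf[i];
    return (buf[7] & 0x80) ? -y : y;
}

/* Matching encoder, reimplemented here only to construct sample control
 * blocks for the demonstration (assumption, not bspatch's code). */
static void offtout(int64_t x, unsigned char *buf)
{
    int64_t y = x < 0 ? -x : x;
    for (int i = 0; i < 8; i++) {
        buf[i] = (unsigned char)(y & 0xFF);
        y >>= 8;
    }
    if (x < 0)
        buf[7] |= 0x80;
}

/* Round-trip helper: encode then decode one value. */
static int64_t roundtrip(int64_t x)
{
    unsigned char buf[8];
    offtout(x, buf);
    return offtin(buf);
}

/* Decode a 24-byte control block into its three values:
 * ctrl[0] = diff length, ctrl[1] = extra length, ctrl[2] = seek adjustment. */
static void decode_ctrl(const unsigned char block[24], int64_t ctrl[3])
{
    for (int i = 0; i < 3; i++)
        ctrl[i] = offtin(block + 8 * i);
}

/* Upper-bound-only sanity check of the kind the unfixed bspatch performed
 * before reading a diff block. A negative ctrl[0] passes it, is handed to
 * the decompressor as a length, and then moves newpos backwards, which is
 * what lets later writes land outside the intended output buffer. */
static int legacy_check(int64_t newpos, const int64_t ctrl[3], int64_t newsize)
{
    return newpos + ctrl[0] <= newsize;
}

/* Hardened check: both lengths must be non-negative, must fit in the int
 * the decompressor is given, and together must not overrun the output. */
static int hardened_check(int64_t newpos, const int64_t ctrl[3], int64_t newsize)
{
    if (ctrl[0] < 0 || ctrl[0] > INT_MAX || ctrl[1] < 0 || ctrl[1] > INT_MAX)
        return 0;
    if (ctrl[0] > newsize - newpos)            /* diff block would overrun new */
        return 0;
    if (ctrl[1] > newsize - newpos - ctrl[0])  /* extra block would overrun new */
        return 0;
    return 1;
}

/* Build a control block from three values and run one of the two checks
 * against an output buffer of newsize bytes with the write cursor at newpos.
 * Returns 1 if the check accepts the block, 0 if it calls the patch corrupt. */
static int verdict(int hardened, int64_t diff_len, int64_t extra_len,
                   int64_t seek, int64_t newpos, int64_t newsize)
{
    unsigned char block[24];
    int64_t ctrl[3];
    offtout(diff_len, block);
    offtout(extra_len, block + 8);
    offtout(seek, block + 16);
    decode_ctrl(block, ctrl);
    return hardened ? hardened_check(newpos, ctrl, newsize)
                    : legacy_check(newpos, ctrl, newsize);
}

int main(void)
{
    /* Constructed samples: a benign block, one whose diff length is
     * negative, and one whose diff length overruns the output buffer. */
    const int64_t newpos = 1024, newsize = 4096;
    printf("benign:        legacy=%d hardened=%d\n",
           verdict(0, 512, 64, -8, newpos, newsize),
           verdict(1, 512, 64, -8, newpos, newsize));
    printf("negative diff: legacy=%d hardened=%d\n",
           verdict(0, -2048, 16, 0, newpos, newsize),
           verdict(1, -2048, 16, 0, newpos, newsize));
    printf("oversized:     legacy=%d hardened=%d\n",
           verdict(0, 5000, 0, 0, newpos, newsize),
           verdict(1, 5000, 0, 0, newpos, newsize));
    return 0;
}
```

The negative-length block is the interesting row: the upper-bound check accepts it because 1024 - 2048 is well below 4096, while the hardened check rejects it before the value can reach a read length or a position.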
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
No reboot is needed.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
No reboot is needed.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-16:25/bspatch.patch
# fetch https://security.FreeBSD.org/patches/SA-16:25/bspatch.patch.asc
# gpg --verify bspatch.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path                                                         Revision
-------------------------------------------------------------------------
stable/9/                                                            r303301
releng/9.3/                                                          r303304
stable/10/                                                           r303301
releng/10.1/                                                         r303304
releng/10.2/                                                         r303304
releng/10.3/                                                         r303304
stable/11/                                                           r303300
-------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.chromium.org/p/chromium/issues/detail?id=372525>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:25.bspatch.asc>
APPLE-SA-2016-07-18-1 OS X El Capitan v10.11.6 and Security Update
2016-004
OS X El Capitan v10.11.6 and Security Update 2016-004 is now
available and addresses the following:
apache_mod_php
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple issues existed in PHP versions prior to
5.5.36. These were addressed by updating PHP to version 5.5.36.
CVE-2016-4650
Audio
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through
improved memory handling.
CVE-2016-4647 : Juwei Lin (@fuzzerDOTcn) of Trend Micro
Audio
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to determine kernel memory layout
Description: An out-of-bounds read was addressed through improved
input validation.
CVE-2016-4648 : Juwei Lin(@fuzzerDOTcn) of Trend Micro
Audio
Available for: OS X El Capitan v10.11 and later
Impact: Parsing a maliciously crafted audio file may lead to the
disclosure of user information
Description: An out-of-bounds read was addressed through improved
bounds checking.
CVE-2016-4646 : Steven Seeley of Source Incite working with Trend
Micro's Zero Day Initiative
Audio
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to cause a system denial of service
Description: A null pointer dereference was addressed through
improved input validation. This issue was
addressed through improved bounds checking.
CVE-2014-9862 : an anonymous researcher
CFNetwork
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to view sensitive user information
Description: A permissions issue existed in the handling of web
browser cookies. This issue was addressed through improved
restrictions.
CVE-2016-4645 : Abhinav Bansal of Zscaler Inc.
CoreGraphics
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: A memory corruption issue was addressed through
improved memory handling.
CVE-2016-4637 : Tyler Bohan of Cisco Talos (talosintel.com/vulnerability-reports)
CoreGraphics
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to elevate privileges
Description: An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed through improved
input validation.
CVE-2016-4652 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative
FaceTime
Available for: OS X El Capitan v10.11 and later
Impact: An attacker in a privileged network position may be able to
cause a relayed call to continue transmitting audio while appearing
as if the call terminated
Description: User interface inconsistencies existed in the handling
of relayed calls. These issues were addressed through improved
FaceTime display logic.
CVE-2016-4635 : Martin Vigo
Graphics Drivers
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through
improved input validation.
CVE-2016-4634 : Stefan Esser of SektionEins
ImageIO
Available for: OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to cause a denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2016-4632 : Evgeny Sidorov of Yandex
ImageIO
Available for: OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4631 : Tyler Bohan of Cisco Talos (talosintel.com/vulnerability-reports)
ImageIO
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4629 : Tyler Bohan of Cisco Talos (talosintel.com/vulnerability-reports)
CVE-2016-4630 : Tyler Bohan of Cisco Talos (talosintel.com/vulnerability-reports)
Intel Graphics Driver
Available for: OS X El Capitan v10.11 and later
Impact: A malicious application may be able to execute arbitrary
code with kernel privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4633 : an anonymous researcher
IOHIDFamily
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A null pointer dereference was addressed through
improved input validation.
CVE-2016-4626 : Stefan Esser of SektionEins
IOSurface
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: A use-after-free was addressed through improved memory
management.
CVE-2016-4625 : Ian Beer of Google Project Zero
Kernel
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to execute arbitrary code with
kernel privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1863 : Ian Beer of Google Project Zero
CVE-2016-1864 : Ju Zhu of Trend Micro
CVE-2016-4582 : Shrek_wzw and Proteas of Qihoo 360 Nirvan Team
Kernel
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to cause a system denial of service
Description: A null pointer dereference was addressed through
improved input validation.
CVE-2016-1865 : CESG, Marco Grassi (@marcograss) of KeenLab
(@keen_lab), Tencent
libc++abi
Available for: OS X El Capitan v10.11 and later
Impact: An application may be able to execute arbitrary code with
root privileges
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4621 : an anonymous researcher
libexpat
Available for: OS X El Capitan v10.11 and later
Impact: Processing maliciously crafted XML may lead to unexpected
application termination or arbitrary code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-0718 : Gustavo Grieco
LibreSSL
Available for: OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple issues existed in LibreSSL before 2.2.7. These
were addressed by updating LibreSSL to version 2.2.7.
CVE-2016-2108 : Huzaifa Sidhpurwala (Red Hat), Hanno Boeck, David Benjamin (Google), Mark Brand and Ian Beer of Google Project Zero
CVE-2016-2109 : Brian Carpenter
libxml2
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: An access issue existed in the parsing of maliciously
crafted XML files. This issue was addressed through improved input
validation.
CVE-2016-1836 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4447 : Wei Lei and Liu Yang of Nanyang Technological
University
CVE-2016-4448 : Apple
CVE-2016-4483 : Gustavo Grieco
CVE-2016-4614 : Nick Wellnhofer
CVE-2016-4615 : Nick Wellnhofer
CVE-2016-4616 : Michael Paddon
CVE-2016-4619 : Hanno Boeck
libxslt
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
and OS X El Capitan v10.11 and later
Impact: Multiple vulnerabilities in libxslt
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-1684 : Nicolas Grégoire
CVE-2016-4607 : Nick Wellnhofer
CVE-2016-4608 : Nicolas Grégoire
CVE-2016-4609 : Nick Wellnhofer
CVE-2016-4610 : Nick Wellnhofer
CVE-2016-4612 : Nicolas Grégoire
Login Window
Available for: OS X El Capitan v10.11 and later
Impact: A malicious application may be able to execute arbitrary
code leading to compromise of user information
Description: A memory corruption issue was addressed through
improved input validation.
CVE-2016-4640 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative
Login Window
Available for: OS X El Capitan v10.11 and later
Impact: A malicious application may be able to execute arbitrary
code leading to the compromise of user information
Description: A type confusion issue was addressed through improved
memory handling.
CVE-2016-4641 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative
Login Window
Available for: OS X El Capitan v10.11 and later
Impact: A local user may be able to cause a denial of service
Description: A memory initialization issue was addressed through
improved memory handling.
CVE-2016-4639 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative
Login Window
Available for: OS X El Capitan v10.11 and later
Impact: A malicious application may be able to gain root privileges
Description: A type confusion issue was addressed through improved
memory handling.
CVE-2016-4638 : Yubin Fu of Tencent KeenLab working with Trend
Micro's Zero Day Initiative
OpenSSL
Available for: OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple issues existed in OpenSSL. These issues were resolved by backporting the fixes from OpenSSL 1.0.2h/1.0.1 to OpenSSL 0.9.8.
CVE-2016-2105 : Guido Vranken
CVE-2016-2106 : Guido Vranken
CVE-2016-2107 : Juraj Somorovsky
CVE-2016-2108 : Huzaifa Sidhpurwala (Red Hat), Hanno Boeck, David Benjamin (Google), Mark Brand and Ian Beer of Google Project Zero
CVE-2016-2109 : Brian Carpenter
CVE-2016-2176 : Guido Vranken
QuickTime
Available for: OS X El Capitan v10.11 and later
Impact: Processing a maliciously crafted FlashPix Bitmap Image may
lead to unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4596 : Ke Liu of Tencent's Xuanwu Lab
CVE-2016-4597 : Ke Liu of Tencent's Xuanwu Lab
CVE-2016-4600 : Ke Liu of Tencent's Xuanwu Lab
CVE-2016-4602 : Ke Liu of Tencent's Xuanwu Lab
QuickTime
Available for: OS X El Capitan v10.11 and later
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: A memory corruption issue was addressed through
improved input validation.
CVE-2016-4598 : Ke Liu of Tencent's Xuanwu Lab
QuickTime
Available for: OS X El Capitan v10.11 and later
Impact: Processing a maliciously crafted SGI file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through
improved input validation.
CVE-2016-4601 : Ke Liu of Tencent's Xuanwu Lab
QuickTime
Available for: OS X El Capitan v10.11 and later
Impact: Processing a maliciously crafted Photoshop document may lead
to unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through
improved input validation.
CVE-2016-4599 : Ke Liu of Tencent's Xuanwu Lab
Safari Login AutoFill
Available for: OS X El Capitan v10.11 and later
Impact: A user's password may be visible on screen
Description: An issue existed in Safari's password auto-fill. This
issue was addressed through improved matching of form fields.
CVE-2016-4595 : Jonathan Lewis from DeARX Services (PTY) LTD
Sandbox Profiles
Available for: OS X El Capitan v10.11 and later
Impact: A local application may be able to access the process list
Description: An access issue existed with privileged API calls. This
issue was addressed through additional restrictions.
CVE-2016-4594 : Stefan Esser of SektionEins
Note: OS X El Capitan 10.11.6 includes the security content of Safari
9.1.2. For further details see https://support.apple.com/kb/HT206900
OS X El Capitan v10.11.6 and Security Update 2016-004 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
Resolution
==========
All Binary diff users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/bsdiff-4.3-r4"
References
==========
[ 1 ] CVE-2014-9862
https://nvd.nist.gov/vuln/detail/CVE-2014-9862
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202003-44
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2020 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
VAR-201607-0376 | CVE-2016-4639 | Apple OS X Login Window denial of service (DoS) vulnerability |
CVSS V2: 4.4 CVSS V3: 7.0 Severity: HIGH |
Login Window in Apple OS X before 10.11.6 does not properly initialize memory, which allows local users to cause a denial of service via unspecified vectors. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within CoreGraphics. By interacting with PKGTransactionWillSwitchSpaces, an attacker can cause a memory corruption condition. An attacker could leverage this vulnerability to execute arbitrary code under the context of the WindowServer. Apple Mac OS X is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
Apple Mac OS X 10.9.5, 10.10.5 and 10.11 through 10.11.5 are vulnerable. Login Window is one of the login window components
VAR-201607-0378 | CVE-2016-4641 | Apple OS X Login window arbitrary code execution vulnerability in privileged context |
CVSS V2: 9.3 CVSS V3: 7.3 Severity: HIGH |
Login Window in Apple OS X before 10.11.6 allows attackers to execute arbitrary code in a privileged context or obtain sensitive user information via a crafted app that leverages a "type confusion". User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within CoreGraphics. By interacting with _XSetDictionaryForCurrentSession, an attacker can cause a type confusion condition. An attacker could leverage this vulnerability to execute arbitrary code under the context of the WindowServer. Apple Mac OS X is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
Apple Mac OS X 10.9.5, 10.10.5 and 10.11 through 10.11.5 are vulnerable. Login Window is one of the login window components
VAR-201607-0372 | CVE-2016-4634 | Apple OS X Graphics Drivers vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
The Graphics Drivers subsystem in Apple OS X before 10.11.6 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors. Apple Mac OS X is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
Apple Mac OS X 10.9.5, 10.10.5 and 10.11 through 10.11.5 are vulnerable. Graphics Drivers is one of the graphics driver components
VAR-201607-0375 | CVE-2016-4638 | Apple OS X Login Window privilege escalation vulnerability |
CVSS V2: 4.4 CVSS V3: 7.8 Severity: HIGH |
Login Window in Apple OS X before 10.11.6 allows attackers to gain privileges via a crafted app that leverages a "type confusion". By interacting with _XSetApplicationBindingsForWorkspaces, an attacker can cause a type confusion condition. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the CoreGraphics module. The issue lies in the failure to properly validate user-supplied data which can result in a type confusion condition. An attacker can leverage this vulnerability to escalate privileges under the context of WindowServer. Apple Mac OS X is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
Apple Mac OS X 10.9.5, 10.10.5 and 10.11 through 10.11.5 are vulnerable. Login Window is one of the login window components
VAR-201607-0377 | CVE-2016-4640 | Apple OS X Login window arbitrary code execution vulnerability in privileged context |
CVSS V2: 4.4 CVSS V3: 7.8 Severity: HIGH |
Login Window in Apple OS X before 10.11.6 allows attackers to execute arbitrary code in a privileged context, obtain sensitive user information, or cause a denial of service (memory corruption) via a crafted app. The issue lies in the failure to properly validate user-supplied data which can result in a memory corruption condition. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within CoreGraphics. By interacting with _XRegisterCursorWithData, an attacker can cause a heap buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code under the context of the WindowServer. Apple Mac OS X is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
Apple Mac OS X 10.9.5, 10.10.5 and 10.11 through 10.11.5 are vulnerable. Login Window is one of the login window components
VAR-201607-0371 | CVE-2016-4633 | Apple OS X Intel Graphics Driver arbitrary code execution vulnerability in privileged context |
CVSS V2: 6.9 CVSS V3: 7.8 Severity: HIGH |
Intel Graphics Driver in Apple OS X before 10.11.6 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the AppleIntelBDWGraphics kernel extension. The issue lies in the failure to properly check user-supplied arguments during an IOKit call. An attacker can leverage this vulnerability to execute code within the context of the kernel. Apple Mac OS X is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
Apple Mac OS X 10.9.5, 10.10.5 and 10.11 through 10.11.5 are vulnerable. Intel Graphics Driver is one of the graphics driver components
VAR-201607-0368 | CVE-2016-4630 | Apple OS X ImageIO arbitrary code execution vulnerability |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
ImageIO in Apple OS X before 10.11.6 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted EXR image with B44 compression. Apple Mac OS X is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
Apple Mac OS X 10.9.5, 10.10.5 and 10.11 through 10.11.5 are vulnerable. ImageIO is one of the static methods used to perform common image I/O operations
VAR-201607-0367 | CVE-2016-4629 | Apple OS X ImageIO arbitrary code execution vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
ImageIO in Apple OS X before 10.11.6 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted xStride and yStride values in an EXR image. Apple Mac OS X is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
Apple Mac OS X 10.9.5, 10.10.5 and 10.11 through 10.11.5 are vulnerable. ImageIO is one of the static methods used to perform common image I/O operations