SB17-009: Vulnerability Summary for the Week of January 2, 2017

Original release date: January 09, 2017

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary Vendor — Product: arista — dcs-7050t_eos_software
Description: Arista EOS 4.15 before 4.15.8M, 4.16 before 4.16.7M, and 4.17 before 4.17.0F on DCS-7050 series devices allow remote attackers to cause a denial of service (device reboot) by sending crafted packets to the control plane.
Published: 2017-01-04
CVSS Score: 7.8
Source & Patch Info: CVE-2016-6894 (BID, CONFIRM)

Primary Vendor — Product: awebsupport — aweb_cart_watching_system_for_virtuemart
Description: SQL injection vulnerability in the “aWeb Cart Watching System for Virtuemart” extension before 2.6.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via vectors involving categorysearch and smartSearch.
Published: 2017-01-03
CVSS Score: 7.5
Source & Patch Info: CVE-2016-10114 (BID, MISC)

Primary Vendor — Product: genexia — drgos
Description: The Parental Control panel in Genexis devices with DRGOS before 1.14.1 allows remote authenticated users to execute arbitrary CLI commands via the (1) start_hour, (2) start_minute, (3) end_hour, (4) end_minute, or (5) hostname parameter.
Published: 2017-01-05
CVSS Score: 9.0
Source & Patch Info: CVE-2015-3441 (MISC)

Primary Vendor — Product: genixcms_project — genixcms
Description: SQL injection vulnerability in register.php in GeniXCMS before 1.0.0 allows remote attackers to execute arbitrary SQL commands via the activation parameter.
Published: 2017-01-01
CVSS Score: 7.5
Source & Patch Info: CVE-2016-10096 (MISC, BID, MISC, MISC)

Primary Vendor — Product: icu_project — international_components_for_unicode
Description: Stack-based buffer overflow in the ures_getByKeyWithFallback function in common/uresbund.cpp in International Components for Unicode (ICU) before 54.1 for C/C++ allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted uloc_getDisplayName call.
Published: 2017-01-04
CVSS Score: 7.5
Source & Patch Info: CVE-2014-9911 (CONFIRM, MLIST, BID, CONFIRM, CONFIRM)

Primary Vendor — Product: libgd — libgd
Description: Integer signedness error in the dynamicGetbuf function in gd_io_dp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted imagecreatefromstring call.
Published: 2017-01-04
CVSS Score: 7.5
Source & Patch Info: CVE-2016-8670 (MLIST, CONFIRM, CONFIRM, BID, CONFIRM, CONFIRM)

Primary Vendor — Product: libvncserver_project — libvncserver
Description: Heap-based buffer overflow in rfbproto.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area.
Published: 2016-12-31
CVSS Score: 7.5
Source & Patch Info: CVE-2016-9941 (BID, CONFIRM, CONFIRM)

Primary Vendor — Product: libvncserver_project — libvncserver
Description: Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeds what is specified by the tile dimensions.
Published: 2016-12-31
CVSS Score: 7.5
Source & Patch Info: CVE-2016-9942 (BID, CONFIRM, CONFIRM)

Primary Vendor — Product: linux — linux_kernel
Description: The ring_buffer_resize function in kernel/trace/ring_buffer.c in the profiling subsystem in the Linux kernel before 4.6.1 mishandles certain integer calculations, which allows local users to gain privileges by writing to the /sys/kernel/debug/tracing/buffer_size_kb file.
Published: 2017-01-05
CVSS Score: 7.2
Source & Patch Info: CVE-2016-9754 (CONFIRM, CONFIRM, BID, CONFIRM, CONFIRM)

Primary Vendor — Product: matrixssl — matrixssl
Description: Heap-based buffer overflow in MatrixSSL before 3.8.6 allows remote attackers to execute arbitrary code via a crafted Subject Alt Name in an X.509 certificate.
Published: 2017-01-05
CVSS Score: 10.0
Source & Patch Info: CVE-2016-6890 (BID, MISC, CONFIRM, CERT-VN)

Primary Vendor — Product: netgear — arlo_base_station_firmware
Description: NETGEAR Arlo base stations with firmware 1.7.5_6178 and earlier, Arlo Q devices with firmware 1.8.0_5551 and earlier, and Arlo Q Plus devices with firmware 1.8.1_6094 and earlier have a default password of 12345678, which makes it easier for remote attackers to obtain access after a factory reset or in a factory configuration.
Published: 2017-01-04
CVSS Score: 10.0
Source & Patch Info: CVE-2016-10115 (MISC, MISC, BID)

Primary Vendor — Product: netgear — arlo_base_station_firmware
Description: NETGEAR Arlo base stations with firmware 1.7.5_6178 and earlier, Arlo Q devices with firmware 1.8.0_5551 and earlier, and Arlo Q Plus devices with firmware 1.8.1_6094 and earlier use a pattern of adjective, noun, and three-digit number for the customized password, which makes it easier for remote attackers to obtain access via a dictionary attack.
Published: 2017-01-04
CVSS Score: 9.3
Source & Patch Info: CVE-2016-10116 (MISC, MISC, BID)

Primary Vendor — Product: openbsd — openssh
Description: Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.
Published: 2017-01-04
CVSS Score: 7.5
Source & Patch Info: CVE-2016-10009 (MISC, MLIST, BID, SECTRACK, CONFIRM, MISC, CONFIRM, EXPLOIT-DB, CONFIRM)

Primary Vendor — Product: openbsd — openssh
Description: The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allow local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures.
Published: 2017-01-04
CVSS Score: 7.2
Source & Patch Info: CVE-2016-10012 (MLIST, BID, SECTRACK, CONFIRM, CONFIRM, CONFIRM)

Primary Vendor — Product: php — php
Description: The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp component, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a locale_get_display_name call with a long first argument.
Published: 2017-01-04
CVSS Score: 7.5
Source & Patch Info: CVE-2014-9912 (MLIST, CONFIRM, BID, CONFIRM, CONFIRM)

Primary Vendor — Product: php — php
Description: Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that is mishandled during __wakeup processing.
Published: 2017-01-04
CVSS Score: 7.5
Source & Patch Info: CVE-2016-9137 (CONFIRM, MLIST, CONFIRM, CONFIRM, BID, CONFIRM)

Primary Vendor — Product: php — php
Description: PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::__toString with DateInterval::__wakeup.
Published: 2017-01-04
CVSS Score: 7.5
Source & Patch Info: CVE-2016-9138 (MLIST, BID, CONFIRM)

Primary Vendor — Product: php — php
Description: The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document.
Published: 2017-01-04
CVSS Score: 7.5
Source & Patch Info: CVE-2016-9935 (SUSE, DEBIAN, MLIST, CONFIRM, CONFIRM, BID, CONFIRM, CONFIRM)

Primary Vendor — Product: php — php
Description: The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6834.
Published: 2017-01-04
CVSS Score: 7.5
Source & Patch Info: CVE-2016-9936 (MLIST, CONFIRM, BID, CONFIRM, CONFIRM)

Primary Vendor — Product: piwigo — piwigo
Description: admin/plugin.php in Piwigo through 2.8.3 doesn’t validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence.
Published: 2017-01-03
CVSS Score: 7.5
Source & Patch Info: CVE-2016-10105 (BID, CONFIRM, CONFIRM, CONFIRM)

Primary Vendor — Product: quick_heal — internet_security
Description: Stack-based buffer overflow in Quick Heal Internet Security 10.1.0.316 and earlier, Total Security 10.1.0.316 and earlier, and AntiVirus Pro 10.1.0.316 and earlier on OS X allows remote attackers to execute arbitrary code via a crafted LC_UNIXTHREAD.cmdsize field in a Mach-O file that is mishandled during a Security Scan (aka Custom Scan) operation.
Published: 2017-01-02
CVSS Score: 7.5
Source & Patch Info: CVE-2017-5005 (BID, MISC, MISC)

Primary Vendor — Product: s9y — serendipity
Description: include/functions_installer.inc.php in Serendipity through 2.0.5 is vulnerable to File Inclusion and a possible Code Execution attack during a first-time installation because it fails to sanitize the dbType POST parameter before adding it to an include() call in the bundled-libs/serendipity_generateFTPChecksums.php file.
Published: 2016-12-30
CVSS Score: 7.5
Source & Patch Info: CVE-2016-10082 (BID, CONFIRM, CONFIRM)

Primary Vendor — Product: schedmd — slurm
Description: The _prolog_error function in slurmd/req.c in Slurm before 15.08.13, 16.x before 16.05.7, and 17.x before 17.02.0-pre4 has a vulnerability in how the slurmd daemon informs users of a Prolog failure on a compute node. That vulnerability could allow a user to assume control of an arbitrary file on the system. Any exploitation of this is dependent on the user being able to cause or anticipate the failure (non-zero return code) of a Prolog script that their job would run on. This issue affects all Slurm versions from 0.6.0 (September 2005) to present. Workarounds to prevent exploitation of this are to either disable your Prolog script, or modify it such that it always returns 0 (“success”) and adjust it to set the node as down using scontrol instead of relying on the slurmd to handle that automatically. If you do not have a Prolog set you are unaffected by this issue.
Published: 2017-01-05
CVSS Score: 7.6
Source & Patch Info: CVE-2016-10030 (CONFIRM, CONFIRM)

Primary Vendor — Product: swiftmailer — swiftmailer
Description: The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address in the (1) From, (2) ReturnPath, or (3) Sender header.
Published: 2016-12-30
CVSS Score: 7.5
Source & Patch Info: CVE-2016-10074 (MISC, FULLDISC, BID, CONFIRM, MISC, EXPLOIT-DB)

Primary Vendor — Product: veritas — netbackup_appliance_firmware
Description: scripts/license.pl in Veritas NetBackup Appliance 2.6.0.x through 2.6.0.4, 2.6.1.x through 2.6.1.2, 2.7.x through 2.7.3, and 3.0.x allow remote attackers to execute arbitrary commands via shell metacharacters in the hostName parameter to appliancews/getLicense.
Published: 2017-01-04
CVSS Score: 10.0
Source & Patch Info: CVE-2016-7399 (MISC, BID, CONFIRM, CONFIRM)

Primary Vendor — Product: western_digital — mycloud_nas
Description: Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 index.php page via a modified Cookie header.
Published: 2017-01-03
CVSS Score: 10.0
Source & Patch Info: CVE-2016-10107 (BID, MISC)

Primary Vendor — Product: western_digital — mycloud_nas
Description: Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.
Published: 2017-01-03
CVSS Score: 10.0
Source & Patch Info: CVE-2016-10108 (BID, MISC)

Primary Vendor — Product: zend — zend-mail
Description: The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.
Published: 2016-12-30
CVSS Score: 7.5
Source & Patch Info: CVE-2016-10034 (BID, CONFIRM, MISC)


Medium Vulnerabilities

Primary Vendor — Product: borg — borg
Description: Borg (aka BorgBackup) before 1.0.9 has a flaw in the cryptographic protocol used to authenticate the manifest (list of archives), potentially allowing an attacker to spoof the list of archives.
Published: 2017-01-02
CVSS Score: 5.0
Source & Patch Info: CVE-2016-10099 (CONFIRM, BID)

Primary Vendor — Product: borg — borg
Description: Borg (aka BorgBackup) before 1.0.9 has a flaw in the way duplicate archive names were processed during manifest recovery, potentially allowing an attacker to overwrite an archive.
Published: 2017-01-02
CVSS Score: 5.0
Source & Patch Info: CVE-2016-10100 (CONFIRM, BID)

Primary Vendor — Product: dotclear — dotclear
Description: Unrestricted file upload vulnerability in the fileUnzip->unzip method in Dotclear before 2.10.3 allows remote authenticated users with permissions to manage media items to execute arbitrary code by uploading a ZIP file containing a file with a crafted extension, as demonstrated by .php.txt or .php%20.
Published: 2017-01-04
CVSS Score: 6.5
Source & Patch Info: CVE-2016-7902 (MLIST, BID, CONFIRM, CONFIRM)

Primary Vendor — Product: dotclear — dotclear
Description: Dotclear before 2.10.3, when the Host header is not part of the web server routing process, allows remote attackers to modify the password reset address link via the HTTP Host header.
Published: 2017-01-04
CVSS Score: 4.3
Source & Patch Info: CVE-2016-7903 (MLIST, BID, CONFIRM, CONFIRM)

Primary Vendor — Product: f5 — big-ip_advanced_firewall_manager
Description: Virtual servers in F5 BIG-IP systems 11.6.1 before 11.6.1 HF1 and 12.1.x before 12.1.2, when configured to parse RADIUS messages via an iRule, allow remote attackers to cause a denial of service (Traffic Management Microkernel restart) via crafted network traffic.
Published: 2017-01-03
CVSS Score: 4.3
Source & Patch Info: CVE-2016-5024 (BID, SECTRACK, CONFIRM)

Primary Vendor — Product: forgerock — openam
Description: XML External Entity (XXE) Vulnerability in /SSOPOST/metaAlias/%realm%/idpv2 in OpenAM – Access Management 10.1.0 allows remote attackers to read arbitrary files via the SAMLRequest parameter.
Published: 2017-01-02
CVSS Score: 5.0
Source & Patch Info: CVE-2016-10097 (MISC, BID)

Primary Vendor — Product: hybris — hybris
Description: Cross-site scripting (XSS) vulnerability in the Inbox Search feature in Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to inject arbitrary web script or HTML via the itemsperpage parameter.
Published: 2016-12-31
CVSS Score: 4.3
Source & Patch Info: CVE-2016-6856 (BID, MISC)

Primary Vendor — Product: libgd — libgd
Description: Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefilltoborder call that triggers use of a negative color value.
Published: 2017-01-04
CVSS Score: 5.0
Source & Patch Info: CVE-2016-9933 (SUSE, SUSE, SUSE, MLIST, CONFIRM, CONFIRM, BID, CONFIRM, CONFIRM, CONFIRM, CONFIRM)

Primary Vendor — Product: linux — linux_kernel
Description: The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576.
Published: 2016-12-30
CVSS Score: 6.9
Source & Patch Info: CVE-2016-10088 (CONFIRM, MLIST, BID, SECTRACK, CONFIRM)

Primary Vendor — Product: matrixssl — matrixssl
Description: MatrixSSL before 3.8.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted ASN.1 Bit Field primitive in an X.509 certificate.
Published: 2017-01-05
CVSS Score: 5.0
Source & Patch Info: CVE-2016-6891 (BID, MISC, CONFIRM, CERT-VN)

Primary Vendor — Product: matrixssl — matrixssl
Description: The x509FreeExtensions function in MatrixSSL before 3.8.6 allows remote attackers to cause a denial of service (free of unallocated memory) via a crafted X.509 certificate.
Published: 2017-01-05
CVSS Score: 5.0
Source & Patch Info: CVE-2016-6892 (BID, MISC, CONFIRM, CERT-VN)

Primary Vendor — Product: netgear — srx5308_firmware
Description: Directory traversal vulnerability in scgi-bin/platform.cgi on NETGEAR FVS336Gv3, FVS318N, FVS318Gv2, and SRX5308 devices with firmware before 4.3.3-8 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the thispage parameter, as demonstrated by reading the /etc/shadow file.
Published: 2017-01-03
CVSS Score: 4.0
Source & Patch Info: CVE-2016-10106 (CONFIRM, BID)

Primary Vendor — Product: openbsd — openssh
Description: sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c.
Published: 2017-01-04
CVSS Score: 6.9
Source & Patch Info: CVE-2016-10010 (MISC, MLIST, BID, SECTRACK, CONFIRM, MISC, CONFIRM, EXPLOIT-DB, CONFIRM)

Primary Vendor — Product: php — php
Description: ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.
Published: 2017-01-04
CVSS Score: 5.0
Source & Patch Info: CVE-2016-9934 (SUSE, MLIST, CONFIRM, CONFIRM, BID, CONFIRM, CONFIRM)

Primary Vendor — Product: phpmailer_project — phpmailer
Description: The mailSend function in the isMail transport in PHPMailer before 5.2.18, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted From address.
Published: 2016-12-30
CVSS Score: 6.8
Source & Patch Info: CVE-2016-10033 (MISC, MISC, FULLDISC, MISC, BUGTRAQ, BID, CONFIRM, CONFIRM, CONFIRM, MISC, CONFIRM, EXPLOIT-DB, EXPLOIT-DB)

Primary Vendor — Product: phpmailer_project — phpmailer
Description: The isMail transport in PHPMailer before 5.2.20, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
Published: 2016-12-30
CVSS Score: 6.8
Source & Patch Info: CVE-2016-10045 (MLIST, MISC, MISC, FULLDISC, MISC, BUGTRAQ, BID, CONFIRM, CONFIRM, CONFIRM, MISC, EXPLOIT-DB)

Primary Vendor — Product: piwigo — piwigo
Description: Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case.
Published: 2016-12-30
CVSS Score: 4.3
Source & Patch Info: CVE-2016-10083 (BID, CONFIRM, CONFIRM)

Primary Vendor — Product: piwigo — piwigo
Description: admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page['tab'] variable (aka the mode parameter).
Published: 2016-12-30
CVSS Score: 6.5
Source & Patch Info: CVE-2016-10084 (BID, CONFIRM, CONFIRM)

Primary Vendor — Product: piwigo — piwigo
Description: admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter.
Published: 2016-12-30
CVSS Score: 6.5
Source & Patch Info: CVE-2016-10085 (BID, CONFIRM, CONFIRM)

Primary Vendor — Product: sap — hybris
Description: Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to obtain sensitive information by triggering an error and then reading a Java stack trace.
Published: 2016-12-31
CVSS Score: 4.0
Source & Patch Info: CVE-2016-6859 (BID, MISC)

Primary Vendor — Product: torproject — tor
Description: Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data had NUL termination, but the implementation of or/buffers.c did not ensure that NUL termination was present, which allows remote attackers to cause a denial of service (client, hidden service, relay, or authority crash) via crafted data.
Published: 2017-01-04
CVSS Score: 5.0
Source & Patch Info: CVE-2016-8860 (MLIST, BID, CONFIRM, CONFIRM, CONFIRM)

Primary Vendor — Product: wordpress — wordpress
Description: Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename.
Published: 2017-01-04
CVSS Score: 4.3
Source & Patch Info: CVE-2016-7168 (MLIST, MLIST, BID, CONFIRM, CONFIRM, MISC, CONFIRM)

Primary Vendor — Product: wordpress — wordpress
Description: Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter.
Published: 2017-01-04
CVSS Score: 6.5
Source & Patch Info: CVE-2016-7169 (BID, CONFIRM, CONFIRM, CONFIRM)


Low Vulnerabilities

Primary Vendor — Product: mcafee — security_information_and_event_management
Description: Authentication bypass vulnerability in Enterprise Security Manager (ESM) and License Manager (LM) in Intel Security McAfee Security Information and Event Management (SIEM) 9.6.0 MR3 allows an administrator to make changes to other SIEM users’ information including user passwords without supplying the current administrator password a second time via the GUI or GUI terminal commands.
Published: 2017-01-05
CVSS Score: 1.7
Source & Patch Info: CVE-2016-8006 (CONFIRM)

Primary Vendor — Product: openbsd — openssh
Description: authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process.
Published: 2017-01-04
CVSS Score: 2.1
Source & Patch Info: CVE-2016-10011 (MLIST, BID, SECTRACK, CONFIRM, CONFIRM, CONFIRM)

Primary Vendor — Product: sap — hybris
Description: Cross-site scripting (XSS) vulnerability in the Create Catalogue feature in Hybris Management Console (HMC) in SAP Hybris before 5.2.0.13, 5.3.x before 5.3.0.11, 5.4.x before 5.4.0.11, 5.5.0.x before 5.5.0.10, 5.5.1.x before 5.5.1.11, 5.6.x before 5.6.0.11, and 5.7.x before 5.7.0.15 allows remote authenticated users to inject arbitrary web script or HTML via the ID field.
Published: 2016-12-31
CVSS Score: 3.5
Source & Patch Info: CVE-2016-6857 (BID, MISC)

Primary Vendor — Product: sap — hybris
Description: Cross-site scripting (XSS) vulnerability in the Create Employee feature in Hybris Management Console (HMC) in SAP Hybris before 5.0.4.11, 5.1.0.x before 5.1.0.11, 5.1.1.x before 5.1.1.12, 5.2.0.x and 5.3.0.x before 5.3.0.10, 5.4.x before 5.4.0.9, 5.5.0.x before 5.5.0.9, 5.5.1.x before 5.5.1.10, 5.6.x before 5.6.0.8, and 5.7.x before 5.7.0.9 allows remote authenticated users to inject arbitrary web script or HTML via the Name field.
Published: 2016-12-31
CVSS Score: 3.5
Source & Patch Info: CVE-2016-6858 (BID, MISC)

Primary Vendor — Product: tenable — nessus
Description: Cross-site scripting (XSS) vulnerability in Tenable Nessus before 6.9.3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
Published: 2017-01-05
CVSS Score: 3.5
Source & Patch Info: CVE-2017-5179 (CONFIRM)

Primary Vendor — Product: woocommerce — woocommerce
Description: Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format.
Published: 2017-01-03
CVSS Score: 3.5
Source & Patch Info: CVE-2016-10112 (BID, CONFIRM)


Severity Not Yet Assigned

Primary Vendor — Product: bluestacks — app_player
Description: A local privilege escalation vulnerability exists in BlueStacks App Player. The BlueStacks App Player installer creates a registry key with weak permissions that allows users to execute arbitrary programs with SYSTEM privileges.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-4288 (MISC)

Primary Vendor — Product: emc — scaleio
Description: An issue was discovered in EMC ScaleIO versions before 2.0.1.1. A low-privileged local attacker may be able to modify the kernel memory in the SCINI driver and may achieve code execution to escalate privileges to root on ScaleIO Data Client (SDC) servers.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-9867 (CONFIRM)

Primary Vendor — Product: emc — scaleio
Description: An issue was discovered in EMC ScaleIO versions before 2.0.1.1. A low-privileged local attacker may cause a denial-of-service by generating a kernel panic in the SCINI driver using IOCTL calls which may render the ScaleIO Data Client (SDC) server unavailable until the next reboot.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-9868 (CONFIRM)

Primary Vendor — Product: emc — scaleio
Description: An issue was discovered in EMC ScaleIO versions before 2.0.1.1. Incorrect permissions on the SCINI driver may allow a low-privileged local attacker to modify the configuration and render the ScaleIO Data Client (SDC) server unavailable.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-9869 (CONFIRM)

Primary Vendor — Product: foxit — pdf_reader
Description: A large out-of-bounds read on the heap vulnerability in Foxit PDF Reader can potentially be abused for information disclosure. Combined with another vulnerability, it can be used to leak heap memory layout and in bypassing ASLR.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-8334 (MISC)

Primary Vendor — Product: freeimage_project — freeimage_library
Description: An exploitable out-of-bounds write vulnerability exists in the XMP image handling functionality of the FreeImage library. A specially crafted XMP file can cause an arbitrary memory overwrite resulting in code execution. An attacker can provide a malicious image to trigger this vulnerability.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-5684 (MISC)

Primary Vendor — Product: hancom — hancom_office
Description: When opening a Hangul Hcell Document (.cell) and processing a particular record within the Workbook stream, an index miscalculation leading to a heap overflow can be made to occur in Hancom Office 2014. The vulnerability occurs when processing data for a formula used to render a chart via the HncChartPlugin.hplg library. Due to a lack of bounds-checking when incrementing an index that is used for writing into a buffer for formulae, the application can be made to write pointer data outside its bounds which can lead to code execution under the context of the application.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-4295 (MISC)

Primary Vendor — Product: hancom — hancom_office
Description: When opening a Hangul Hcell Document (.cell) and processing a property record within the Workbook stream, Hancom Office 2014 will attempt to allocate space for an element using a length from the file. When copying user-supplied data to this buffer, however, the application will use a different size which leads to a heap-based buffer overflow. This vulnerability can lead to code-execution under the context of the application.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-4294 (MISC)

Primary Vendor — Product: hancom — hancom_office
Description: When opening a Hangul Hcell Document (.cell) and processing a record that uses the CSSValFormat object, Hancom Office 2014 will search for an underscore (“_”) character at the end of the string and write a null terminator after it. If the character is at the very end of the string, the application will mistakenly write the null-byte outside the bounds of its destination. This can result in heap corruption that can lead to code execution under the context of the application.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-4296 (MISC)

Primary Vendor — Product: hancom — hancom_office
Description: When opening a Hangul HShow Document (.hpt) and processing a structure within the document, Hancom Office 2014 will attempt to allocate space for a block of data within the file. When calculating this length, the application will use a value from the file and add a constant to it without checking whether the addition of the constant will cause the integer to overflow which will cause the buffer to be undersized when the application tries to copy file data into it. This allows one to overwrite contiguous data in the heap which can lead to code-execution under the context of the application.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-4290 (MISC)

Primary Vendor — Product: hancom — hancom_office
Description: When opening a Hangul HShow Document (.hpt) and processing a structure within the document, Hancom Office 2014 will attempt to allocate space for a list of elements using a length from the file. When calculating this length, an integer overflow can be made to occur which will cause the buffer to be undersized when the application tries to copy file data into the object containing this structure. This allows one to overwrite contiguous data in the heap which can lead to code-execution under the context of the application.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-4298 (MISC)

Primary Vendor — Product: hancom — hancom_office
Description: When opening a Hangul HShow Document (.hpt) and processing a structure within the document, Hancom Office 2014 will use a field from the structure in an operation that can cause the integer to overflow. This result is then used to allocate memory to copy file data in. Due to the lack of bounds checking on the integer, the allocated memory buffer can be made to be undersized at which point the reading of file data will write outside the bounds of the buffer. This can lead to code execution under the context of the application.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-4291 (MISC)

Primary Vendor — Product: hancom — hancom_office
Description: When opening a Hangul HShow Document (.hpt) and processing a structure within the document, Hancom Office 2014 will use a static size to allocate a heap buffer yet explicitly trust a size from the file when modifying data inside of it. Due to this, an aggressor can corrupt memory outside the bounds of this buffer which can lead to code execution under the context of the application.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-4292 (MISC)

Primary Vendor — Product: kaspersky — anti-virus_software
Description: A local denial of service vulnerability exists in window broadcast message handling functionality of Kaspersky Anti-Virus software. Sending certain unhandled window messages, an attacker can cause application termination and in the same way bypass the KAV self-protection mechanism.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-4329 (MISC)

Primary Vendor — Product: kaspersky — internet_security_kl1
Description: A denial of service vulnerability exists in the IOCTL handling functionality of the Kaspersky Internet Security KL1 driver. A specially crafted IOCTL signal can cause an access violation in the KL1 kernel driver resulting in local system denial of service. An attacker can run a program from user-mode to trigger this vulnerability.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-4307 (MISC)

Primary Vendor — Product: kaspersky — internet_security_kldisk
Description: Multiple information leaks exist in various IOCTL handlers of the Kaspersky Internet Security KLDISK driver. Specially crafted IOCTL requests can cause the driver to return out-of-bounds kernel memory, potentially leaking sensitive information such as privileged tokens or kernel memory addresses that may be useful in bypassing kernel mitigations. An unprivileged user can run a program from user-mode to trigger this vulnerability.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-4306 (MISC)

Primary Vendor — Product: kaspersky — internet_security_klif
Description: A denial of service vulnerability exists in the syscall filtering functionality of the Kaspersky Internet Security KLIF driver. A specially crafted native API call can cause an access violation in the KLIF kernel driver resulting in local denial of service. An attacker can run a program from user-mode to trigger this vulnerability.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-4305 (MISC)

Primary Vendor — Product: kaspersky — internet_security_klif
Description: A denial of service vulnerability exists in the syscall filtering functionality of the Kaspersky Internet Security KLIF driver. A specially crafted native API call request can cause an access violation exception in the KLIF kernel driver resulting in local denial of service. An attacker can run a program from user-mode to trigger this vulnerability.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-4304 (MISC)

Primary Vendor — Product: lexmark — perceptive_document_filters
Description: An exploitable heap overflow vulnerability exists in the Compound Binary File Format (CBFF) parser functionality of the Lexmark Perceptive Document Filters library. A specially crafted CBFF file can cause code execution. An attacker can send a malformed file to trigger this vulnerability.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-5646 (MISC)

Primary Vendor — Product: lexmark — perspective_document_filters
Description: An exploitable buffer overflow exists in the XLS parsing of the Lexmark Perspective Document Filters conversion functionality. A crafted XLS document can lead to a stack-based buffer overflow resulting in remote code execution.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-4335 (MISC)

Primary Vendor — Product: lexmark — perspective_document_filters
Description: An exploitable out-of-bounds write exists in the Bzip2 parsing of the Lexmark Perspective Document Filters conversion functionality. A crafted Bzip2 document can lead to a stack-based buffer overflow causing an out-of-bounds write which under the right circumstances could potentially be leveraged by an attacker to gain arbitrary code execution.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-4336 (MISC)

Primary Vendor — Product: libebml — libebml
Description: A specially crafted unicode string in the libebml master branch can cause an off-by-few read on the heap in unicode string parsing code in libebml. This issue can potentially be used for information leaks.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-1514 (MISC)

Primary Vendor — Product: libebml — libebml
Description: A use-after-free / double-free vulnerability can occur in the libebml master branch while parsing Track elements of the MKV container.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-1515 (MISC)

Primary Vendor — Product: libtiff — tiff2pdf
Description: An exploitable heap-based buffer overflow exists in the handling of TIFF images in LibTIFF’s TIFF2PDF tool. A crafted TIFF document can lead to a heap-based buffer overflow resulting in remote code execution. The vulnerability can be triggered via a saved TIFF file delivered by other means.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-5652 (MISC)

Primary Vendor — Product: memcached — memcached
Description: An integer overflow in the process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of the Memcached binary protocol, can be abused to cause a heap overflow and lead to remote code execution.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-8706 (MISC)

Primary Vendor — Product: memcached — memcached
Description: An integer overflow in the process_bin_append_prepend function in Memcached, which is responsible for processing multiple commands of the Memcached binary protocol, can be abused to cause a heap overflow and lead to remote code execution.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-8704 (MISC)

Primary Vendor — Product: memcached — memcached
Description: Multiple integer overflows in the process_bin_update function in Memcached, which is responsible for processing multiple commands of the Memcached binary protocol, can be abused to cause a heap overflow and lead to remote code execution.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-8705 (MISC)

Primary Vendor — Product: ntd — ntp_daemon
Description: A malicious authenticated peer can create arbitrarily many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim’s clock.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-1549 (MISC)

Primary Vendor — Product: ntp — libntp
Description: An exploitable vulnerability exists in the message authentication functionality of libntp in ntp 4.2.8p4 and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92. An attacker can send a series of crafted messages to attempt to recover the message digest key.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-1550 (MISC)

Primary Vendor — Product: ntp — ntp
Description: An off-path attacker can cause a preemptable client association to be demobilized in NTP 4.2.8p4 and earlier and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 by sending a crypto NAK packet to a victim client with a spoofed source address of an existing associated peer. This is true even if authentication is enabled.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-1547 (MISC)

Primary Vendor — Product: ntp — ntp_daemon
Description: An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. After making this switch, the client in NTP 4.2.8p4 and earlier and NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c will reject all future legitimate server responses. It is possible to force the victim client to move time after the mode has been changed. ntpq gives no indication that the mode has been switched.
Published: 2017-01-06
CVSS Score: not yet calculated
Source & Patch Info: CVE-2016-1548 (MISC)
MISC
ntp — ntp_daemonAn integer overflow can occur in NTP-dev.4.3.70 leading to an out-of-bounds memory copy operation when processing a specially crafted private mode packet. The crafted packet needs to have the correct message authentication code and a valid timestamp. When processed by the NTP daemon, it leads to an immediate crash.2017-01-06not yet calculatedCVE-2015-7848
MISC
pidgin — mxitA buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent by the server could potentially result in an out-of-bounds write of one byte. A malicious server can send a negative content-length in response to a HTTP request triggering the vulnerability.2017-01-06not yet calculatedCVE-2016-2377
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxitA buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in arbitrary code execution. A malicious server or an attacker who intercepts the network traffic can send an invalid size for a packet which will trigger a buffer overflow.2017-01-06not yet calculatedCVE-2016-2376
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxitA buffer overflow vulnerability exists in the handling of the MXIT protocol Pidgin. Specially crafted data sent via the server could potentially result in a buffer overflow, potentially resulting in memory corruption. A malicious server or an unfiltered malicious user can send negative length values to trigger this vulnerability.2017-01-06not yet calculatedCVE-2016-2378
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxitA denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an out-of-bounds read. A malicious server or man-in-the-middle attacker can send invalid data to trigger this vulnerability.2017-01-06not yet calculatedCVE-2016-2370
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxitA denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a null pointer dereference. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash.2017-01-06not yet calculatedCVE-2016-2365
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxitA denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash.2017-01-06not yet calculatedCVE-2016-2366
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxitA denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or user can send an invalid mood to trigger this vulnerability.2017-01-06not yet calculatedCVE-2016-2373
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxitA directory traversal exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an overwrite of files. A malicious server or someone with access to the network traffic can provide an invalid filename for a splash image triggering the vulnerability.2017-01-06not yet calculatedCVE-2016-4323
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxitA NULL pointer dereference vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a denial of service vulnerability. A malicious server can send a packet starting with a NULL byte triggering the vulnerability.2017-01-06not yet calculatedCVE-2016-2369
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxitAn exploitable memory corruption vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT MultiMX message sent via the server can result in an out-of-bounds write leading to memory disclosure and code execution.2017-01-06not yet calculatedCVE-2016-2374
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxitAn exploitable out-of-bounds read exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT contact information sent from the server can result in memory disclosure.2017-01-06not yet calculatedCVE-2016-2375
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxitAn information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent to the server could potentially result in an out-of-bounds read. A user could be convinced to enter a particular string which would then get converted incorrectly and could lead to a potential out-of-bounds read.2017-01-06not yet calculatedCVE-2016-2380
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxitAn information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious user, server, or man-in-the-middle attacker can send an invalid size for a file transfer which will trigger an out-of-bounds read vulnerability. This could result in a denial of service or copy data from memory to the file, resulting in an information leak if the file is sent to another user.2017-01-06not yet calculatedCVE-2016-2372
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxitAn information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious user, server, or man-in-the-middle can send an invalid size for an avatar which will trigger an out-of-bounds read vulnerability. This could result in a denial of service or copy data from memory to the file, resulting in an information leak if the avatar is sent to another user.2017-01-06not yet calculatedCVE-2016-2367
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxitAn out-of-bounds write vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could cause memory corruption resulting in code execution.2017-01-06not yet calculatedCVE-2016-2371
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxitMultiple memory corruption vulnerabilities exist in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could result in multiple buffer overflows, potentially resulting in code execution or memory disclosure.2017-01-06not yet calculatedCVE-2016-2368
DEBIAN
CONFIRM
MISC
UBUNTU
pivotal — gemfireAn issue was discovered in Pivotal GemFire for PCF 1.6.x versions prior to 1.6.5 and 1.7.x versions prior to 1.7.1. The gfsh (Geode Shell) endpoint, used by operators and application developers to connect to their cluster, is unauthenticated and publicly accessible. Because HTTPS communications are terminated at the gorouter, communications from the gorouter to GemFire clusters are unencrypted. An attacker could run any command available on gfsh and could cause denial of service, lost confidentiality of data, escalate privileges, or eavesdrop on other communications between the gorouter and the cluster.2017-01-06not yet calculatedCVE-2016-9885
CONFIRM
pivotal — spring_securityAn issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded “/” to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected.2017-01-06not yet calculatedCVE-2016-9879
CONFIRM
ruby — fiddle_fuctionAn exploitable heap overflow vulnerability exists in the Fiddle::Function.new “initialize” function functionality of Ruby. In Fiddle::Function.new “initialize” heap buffer “arg_types” allocation is made based on args array length. Specially constructed object passed as element of args array can increase this array size after mentioned allocation and cause heap overflow.2017-01-06not yet calculatedCVE-2016-2339
MISC
ruby — tcltklpType confusion exists in _cancel_eval Ruby’s TclTkIp class method. Attacker passing different type of object than String as “retval” argument can cause arbitrary code execution.2017-01-06not yet calculatedCVE-2016-2337
MISC
ruby — win32oleType confusion exists in two methods of Ruby’s WIN32OLE class, ole_invoke and ole_query_interface. Attacker passing different type of object than this assumed by developers can cause arbitrary code execution.2017-01-06not yet calculatedCVE-2016-2336
MISC
trane — comfortlink_scc_firmwareA design flaw in the Trane ComfortLink II SCC firmware version 2.0.2 service allows remote attackers to take complete control of the system.2017-01-06not yet calculatedCVE-2015-2867
MISC
trane — N/Acomfortlink_firmwareAn exploitable remote code execution vulnerability exists in the Trane ComfortLink II firmware version 2.0.2 in DSS service. An attacker who can connect to the DSS service on the Trane ComfortLink II device can send an overly long REG request that can overflow a fixed size stack buffer, resulting in arbitrary code execution.2017-01-06not yet calculatedCVE-2015-2868
MISC