SB17-009: Vulnerability Summary for the Week of January 2, 2017

Original release date: January 09, 2017

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
arista — dcs-7050t_eos_software Arista EOS 4.15 before 4.15.8M, 4.16 before 4.16.7M, and 4.17 before 4.17.0F on DCS-7050 series devices allow remote attackers to cause a denial of service (device reboot) by sending crafted packets to the control plane. 2017-01-04 7.8 CVE-2016-6894
BID
CONFIRM
awebsupport — aweb_cart_watching_system_for_virtuemart SQL injection vulnerability in the “aWeb Cart Watching System for Virtuemart” extension before 2.6.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via vectors involving categorysearch and smartSearch. 2017-01-03 7.5 CVE-2016-10114
BID
MISC
genexia — drgos The Parental Control panel in Genexis devices with DRGOS before 1.14.1 allows remote authenticated users to execute arbitrary CLI commands via the (1) start_hour, (2) start_minute, (3) end_hour, (4) end_minute, or (5) hostname parameter. 2017-01-05 9.0 CVE-2015-3441
MISC
genixcms_project — genixcms SQL injection vulnerability in register.php in GeniXCMS before 1.0.0 allows remote attackers to execute arbitrary SQL commands via the activation parameter. 2017-01-01 7.5 CVE-2016-10096
MISC
BID
MISC
MISC
icu_project — international_components_for_unicode Stack-based buffer overflow in the ures_getByKeyWithFallback function in common/uresbund.cpp in International Components for Unicode (ICU) before 54.1 for C/C++ allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted uloc_getDisplayName call. 2017-01-04 7.5 CVE-2014-9911
CONFIRM
MLIST
BID
CONFIRM
CONFIRM
libgd — libgd Integer signedness error in the dynamicGetbuf function in gd_io_dp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted imagecreatefromstring call. 2017-01-04 7.5 CVE-2016-8670
MLIST
CONFIRM
CONFIRM
BID
CONFIRM
CONFIRM
libvncserver_project — libvncserver Heap-based buffer overflow in rfbproto.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area. 2016-12-31 7.5 CVE-2016-9941
BID
CONFIRM
CONFIRM
libvncserver_project — libvncserver Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeds what is specified by the tile dimensions. 2016-12-31 7.5 CVE-2016-9942
BID
CONFIRM
CONFIRM
linux — linux_kernel The ring_buffer_resize function in kernel/trace/ring_buffer.c in the profiling subsystem in the Linux kernel before 4.6.1 mishandles certain integer calculations, which allows local users to gain privileges by writing to the /sys/kernel/debug/tracing/buffer_size_kb file. 2017-01-05 7.2 CVE-2016-9754
CONFIRM
CONFIRM
BID
CONFIRM
CONFIRM
matrixssl — matrixssl Heap-based buffer overflow in MatrixSSL before 3.8.6 allows remote attackers to execute arbitrary code via a crafted Subject Alt Name in an X.509 certificate. 2017-01-05 10.0 CVE-2016-6890
BID
MISC
CONFIRM
CERT-VN
netgear — arlo_base_station_firmware NETGEAR Arlo base stations with firmware 1.7.5_6178 and earlier, Arlo Q devices with firmware 1.8.0_5551 and earlier, and Arlo Q Plus devices with firmware 1.8.1_6094 and earlier have a default password of 12345678, which makes it easier for remote attackers to obtain access after a factory reset or in a factory configuration. 2017-01-04 10.0 CVE-2016-10115
MISC
MISC
BID
netgear — arlo_base_station_firmware NETGEAR Arlo base stations with firmware 1.7.5_6178 and earlier, Arlo Q devices with firmware 1.8.0_5551 and earlier, and Arlo Q Plus devices with firmware 1.8.1_6094 and earlier use a pattern of adjective, noun, and three-digit number for the customized password, which makes it easier for remote attackers to obtain access via a dictionary attack. 2017-01-04 9.3 CVE-2016-10116
MISC
MISC
BID
openbsd — openssh Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket. 2017-01-04 7.5 CVE-2016-10009
MISC
MLIST
BID
SECTRACK
CONFIRM
MISC
CONFIRM
EXPLOIT-DB
CONFIRM
openbsd — openssh The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allows local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures. 2017-01-04 7.2 CVE-2016-10012
MLIST
BID
SECTRACK
CONFIRM
CONFIRM
CONFIRM
php — php The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp component, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a locale_get_display_name call with a long first argument. 2017-01-04 7.5 CVE-2014-9912
MLIST
CONFIRM
BID
CONFIRM
CONFIRM
php — php Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that is mishandled during __wakeup processing. 2017-01-04 7.5 CVE-2016-9137
CONFIRM
MLIST
CONFIRM
CONFIRM
BID
CONFIRM
php — php PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::__toString with DateInterval::__wakeup. 2017-01-04 7.5 CVE-2016-9138
MLIST
BID
CONFIRM
php — php The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document. 2017-01-04 7.5 CVE-2016-9935
SUSE
DEBIAN
MLIST
CONFIRM
CONFIRM
BID
CONFIRM
CONFIRM
php — php The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6834. 2017-01-04 7.5 CVE-2016-9936
MLIST
CONFIRM
BID
CONFIRM
CONFIRM
piwigo — piwigo admin/plugin.php in Piwigo through 2.8.3 doesn’t validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence. 2017-01-03 7.5 CVE-2016-10105
BID
CONFIRM
CONFIRM
CONFIRM
quick_heal — internet_security Stack-based buffer overflow in Quick Heal Internet Security 10.1.0.316 and earlier, Total Security 10.1.0.316 and earlier, and AntiVirus Pro 10.1.0.316 and earlier on OS X allows remote attackers to execute arbitrary code via a crafted LC_UNIXTHREAD.cmdsize field in a Mach-O file that is mishandled during a Security Scan (aka Custom Scan) operation. 2017-01-02 7.5 CVE-2017-5005
BID
MISC
MISC
s9y — serendipity include/functions_installer.inc.php in Serendipity through 2.0.5 is vulnerable to File Inclusion and a possible Code Execution attack during a first-time installation because it fails to sanitize the dbType POST parameter before adding it to an include() call in the bundled-libs/serendipity_generateFTPChecksums.php file. 2016-12-30 7.5 CVE-2016-10082
BID
CONFIRM
CONFIRM
schedmd — slurm The _prolog_error function in slurmd/req.c in Slurm before 15.08.13, 16.x before 16.05.7, and 17.x before 17.02.0-pre4 has a vulnerability in how the slurmd daemon informs users of a Prolog failure on a compute node. That vulnerability could allow a user to assume control of an arbitrary file on the system. Any exploitation of this is dependent on the user being able to cause or anticipate the failure (non-zero return code) of a Prolog script that their job would run on. This issue affects all Slurm versions from 0.6.0 (September 2005) to present. Workarounds to prevent exploitation of this are to either disable your Prolog script, or modify it such that it always returns 0 (“success”) and adjust it to set the node as down using scontrol instead of relying on the slurmd to handle that automatically. If you do not have a Prolog set you are unaffected by this issue. 2017-01-05 7.6 CVE-2016-10030
CONFIRM
CONFIRM
swiftmailer — swiftmailer The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a ” (backslash double quote) in a crafted e-mail address in the (1) From, (2) ReturnPath, or (3) Sender header. 2016-12-30 7.5 CVE-2016-10074
MISC
FULLDISC
BID
CONFIRM
MISC
EXPLOIT-DB
veritas — netbackup_appliance_firmware scripts/license.pl in Veritas NetBackup Appliance 2.6.0.x through 2.6.0.4, 2.6.1.x through 2.6.1.2, 2.7.x through 2.7.3, and 3.0.x allow remote attackers to execute arbitrary commands via shell metacharacters in the hostName parameter to appliancews/getLicense. 2017-01-04 10.0 CVE-2016-7399
MISC
BID
CONFIRM
CONFIRM
western_digital — mycloud_nas Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 index.php page via a modified Cookie header. 2017-01-03 10.0 CVE-2016-10107
BID
MISC
western_digital — mycloud_nas Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data. 2017-01-03 10.0 CVE-2016-10108
BID
MISC
zend — zend-mail The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a ” (backslash double quote) in a crafted e-mail address. 2016-12-30 7.5 CVE-2016-10034
BID
CONFIRM
MISC

Back to top

Medium Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
borg — borg Borg (aka BorgBackup) before 1.0.9 has a flaw in the cryptographic protocol used to authenticate the manifest (list of archives), potentially allowing an attacker to spoof the list of archives. 2017-01-02 5.0 CVE-2016-10099
CONFIRM
BID
borg — borg Borg (aka BorgBackup) before 1.0.9 has a flaw in the way duplicate archive names were processed during manifest recovery, potentially allowing an attacker to overwrite an archive. 2017-01-02 5.0 CVE-2016-10100
CONFIRM
BID
dotclear — dotclear Unrestricted file upload vulnerability in the fileUnzip->unzip method in Dotclear before 2.10.3 allows remote authenticated users with permissions to manage media items to execute arbitrary code by uploading a ZIP file containing a file with a crafted extension, as demonstrated by .php.txt or .php%20. 2017-01-04 6.5 CVE-2016-7902
MLIST
BID
CONFIRM
CONFIRM
dotclear — dotclear Dotclear before 2.10.3, when the Host header is not part of the web server routing process, allows remote attackers to modify the password reset address link via the HTTP Host header. 2017-01-04 4.3 CVE-2016-7903
MLIST
BID
CONFIRM
CONFIRM
f5 — big-ip_advanced_firewall_manager Virtual servers in F5 BIG-IP systems 11.6.1 before 11.6.1 HF1 and 12.1.x before 12.1.2, when configured to parse RADIUS messages via an iRule, allow remote attackers to cause a denial of service (Traffic Management Microkernel restart) via crafted network traffic. 2017-01-03 4.3 CVE-2016-5024
BID
SECTRACK
CONFIRM
forgerock — openam XML External Entity (XXE) Vulnerability in /SSOPOST/metaAlias/%realm%/idpv2 in OpenAM – Access Management 10.1.0 allows remote attackers to read arbitrary files via the SAMLRequest parameter. 2017-01-02 5.0 CVE-2016-10097
MISC
BID
hybris — hybris Cross-site scripting (XSS) vulnerability in the Inbox Search feature in Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to inject arbitrary web script or HTML via the itemsperpage parameter. 2016-12-31 4.3 CVE-2016-6856
BID
MISC
libgd — libgd Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefilltoborder call that triggers use of a negative color value. 2017-01-04 5.0 CVE-2016-9933
SUSE
SUSE
SUSE
MLIST
CONFIRM
CONFIRM
BID
CONFIRM
CONFIRM
CONFIRM
CONFIRM
linux — linux_kernel The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576. 2016-12-30 6.9 CVE-2016-10088
CONFIRM
MLIST
BID
SECTRACK
CONFIRM
matrixssl — matrixssl MatrixSSL before 3.8.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted ASN.1 Bit Field primitive in an X.509 certificate. 2017-01-05 5.0 CVE-2016-6891
BID
MISC
CONFIRM
CERT-VN
matrixssl — matrixssl The x509FreeExtensions function in MatrixSSL before 3.8.6 allows remote attackers to cause a denial of service (free of unallocated memory) via a crafted X.509 certificate. 2017-01-05 5.0 CVE-2016-6892
BID
MISC
CONFIRM
CERT-VN
netgear — srx5308_firmware Directory traversal vulnerability in scgi-bin/platform.cgi on NETGEAR FVS336Gv3, FVS318N, FVS318Gv2, and SRX5308 devices with firmware before 4.3.3-8 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the thispage parameter, as demonstrated by reading the /etc/shadow file. 2017-01-03 4.0 CVE-2016-10106
CONFIRM
BID
openbsd — openssh sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c. 2017-01-04 6.9 CVE-2016-10010
MISC
MLIST
BID
SECTRACK
CONFIRM
MISC
CONFIRM
EXPLOIT-DB
CONFIRM
php — php ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string. 2017-01-04 5.0 CVE-2016-9934
SUSE
MLIST
CONFIRM
CONFIRM
BID
CONFIRM
CONFIRM
phpmailer_project — phpmailer The mailSend function in the isMail transport in PHPMailer before 5.2.18, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a ” (backslash double quote) in a crafted From address. 2016-12-30 6.8 CVE-2016-10033
MISC
MISC
FULLDISC
MISC
BUGTRAQ
BID
CONFIRM
CONFIRM
CONFIRM
MISC
CONFIRM
EXPLOIT-DB
EXPLOIT-DB
phpmailer_project — phpmailer The isMail transport in PHPMailer before 5.2.20, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033. 2016-12-30 6.8 CVE-2016-10045
MLIST
MISC
MISC
FULLDISC
MISC
BUGTRAQ
BID
CONFIRM
CONFIRM
CONFIRM
MISC
EXPLOIT-DB
piwigo — piwigo Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case. 2016-12-30 4.3 CVE-2016-10083
BID
CONFIRM
CONFIRM
piwigo — piwigo admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page[‘tab’] variable (aka the mode parameter). 2016-12-30 6.5 CVE-2016-10084
BID
CONFIRM
CONFIRM
piwigo — piwigo admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter. 2016-12-30 6.5 CVE-2016-10085
BID
CONFIRM
CONFIRM
sap — hybris Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to obtain sensitive information by triggering an error and then reading a Java stack trace. 2016-12-31 4.0 CVE-2016-6859
BID
MISC
torproject — tor Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data had NUL termination, but the implementation of or/buffers.c did not ensure that NUL termination was present, which allows remote attackers to cause a denial of service (client, hidden service, relay, or authority crash) via crafted data. 2017-01-04 5.0 CVE-2016-8860
MLIST
BID
CONFIRM
CONFIRM
CONFIRM
wordpress — wordpress Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename. 2017-01-04 4.3 CVE-2016-7168
MLIST
MLIST
BID
CONFIRM
CONFIRM
MISC
CONFIRM
wordpress — wordpress Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter. 2017-01-04 6.5 CVE-2016-7169
BID
CONFIRM
CONFIRM
CONFIRM

Back to top

Low Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
mcafee — security_information_and_event_management Authentication bypass vulnerability in Enterprise Security Manager (ESM) and License Manager (LM) in Intel Security McAfee Security Information and Event Management (SIEM) 9.6.0 MR3 allows an administrator to make changes to other SIEM users’ information including user passwords without supplying the current administrator password a second time via the GUI or GUI terminal commands. 2017-01-05 1.7 CVE-2016-8006
CONFIRM
openbsd — openssh authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process. 2017-01-04 2.1 CVE-2016-10011
MLIST
BID
SECTRACK
CONFIRM
CONFIRM
CONFIRM
sap — hybris Cross-site scripting (XSS) vulnerability in the Create Catalogue feature in Hybris Management Console (HMC) in SAP Hybris before 5.2.0.13, 5.3.x before 5.3.0.11, 5.4.x before 5.4.0.11, 5.5.0.x before 5.5.0.10, 5.5.1.x before 5.5.1.11, 5.6.x before 5.6.0.11, and 5.7.x before 5.7.0.15 allows remote authenticated users to inject arbitrary web script or HTML via the ID field. 2016-12-31 3.5 CVE-2016-6857
BID
MISC
sap — hybris Cross-site scripting (XSS) vulnerability in the Create Employee feature in Hybris Management Console (HMC) in SAP Hybris before 5.0.4.11, 5.1.0.x before 5.1.0.11, 5.1.1.x before 5.1.1.12, 5.2.0.x and 5.3.0.x before 5.3.0.10, 5.4.x before 5.4.0.9, 5.5.0.x before 5.5.0.9, 5.5.1.x before 5.5.1.10, 5.6.x before 5.6.0.8, and 5.7.x before 5.7.0.9 allows remote authenticated users to inject arbitrary web script or HTML via the Name field. 2016-12-31 3.5 CVE-2016-6858
BID
MISC
tenable — nessus Cross-site scripting (XSS) vulnerability in Tenable Nessus before 6.9.3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. 2017-01-05 3.5 CVE-2017-5179
CONFIRM
woocommerce — woocommerce Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format. 2017-01-03 3.5 CVE-2016-10112
BID
CONFIRM

Back to top

Severity Not Yet Assigned

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
bluestacks — app_player A local privilege escalation vulnerability exists in BlueStacks App Player. The BlueStacks App Player installer creates a registry key with weak permissions that allows users to execute arbitrary programs with SYSTEM privileges. 2017-01-06 not yet calculated CVE-2016-4288
MISC
emc — scaleio An issue was discovered in EMC ScaleIO versions before 2.0.1.1. A low-privileged local attacker may be able to modify the kernel memory in the SCINI driver and may achieve code execution to escalate privileges to root on ScaleIO Data Client (SDC) servers. 2017-01-06 not yet calculated CVE-2016-9867
CONFIRM
emc — scaleio An issue was discovered in EMC ScaleIO versions before 2.0.1.1. A low-privileged local attacker may cause a denial-of-service by generating a kernel panic in the SCINI driver using IOCTL calls which may render the ScaleIO Data Client (SDC) server unavailable until the next reboot. 2017-01-06 not yet calculated CVE-2016-9868
CONFIRM
emc — scaleio An issue was discovered in EMC ScaleIO versions before 2.0.1.1. Incorrect permissions on the SCINI driver may allow a low-privileged local attacker to modify the configuration and render the ScaleIO Data Client (SDC) server unavailable. 2017-01-06 not yet calculated CVE-2016-9869
CONFIRM
foxit — pdf_reader A large out-of-bounds read on the heap vulnerability in Foxit PDF Reader can potentially be abused for information disclosure. Combined with another vulnerability, it can be used to leak heap memory layout and in bypassing ASLR. 2017-01-06 not yet calculated CVE-2016-8334
MISC
freeimage_project — freeimage_library An exploitable out-of-bounds write vulnerability exists in the XMP image handling functionality of the FreeImage library. A specially crafted XMP file can cause an arbitrary memory overwrite resulting in code execution. An attacker can provide a malicious image to trigger this vulnerability. 2017-01-06 not yet calculated CVE-2016-5684
MISC
hancom — hancom_office When opening a Hangul Hcell Document (.cell) and processing a particular record within the Workbook stream, an index miscalculation leading to a heap overlow can be made to occur in Hancom Office 2014. The vulnerability occurs when processing data for a formula used to render a chart via the HncChartPlugin.hplg library. Due to a lack of bounds-checking when incrementing an index that is used for writing into a buffer for formulae, the application can be made to write pointer data outside its bounds which can lead to code execution under the context of the application. 2017-01-06 not yet calculated CVE-2016-4295
MISC
hancom — hancom_office When opening a Hangul Hcell Document (.cell) and processing a property record within the Workbook stream, Hancom Office 2014 will attempt to allocate space for an element using a length from the file. When copying user-supplied data to this buffer, however, the application will use a different size which leads to a heap-based buffer overflow. This vulnerability can lead to code-execution under the context of the application. 2017-01-06 not yet calculated CVE-2016-4294
MISC
hancom — hancom_office When opening a Hangul Hcell Document (.cell) and processing a record that uses the CSSValFormat object, Hancom Office 2014 will search for an underscore (“_”) character at the end of the string and write a null terminator after it. If the character is at the very end of the string, the application will mistakenly write the null-byte outside the bounds of its destination. This can result in heap corruption that can lead code execution under the context of the application 2017-01-06 not yet calculated CVE-2016-4296
MISC
hancom — hancom_office When opening a Hangul HShow Document (.hpt) and processing a structure within the document, Hancom Office 2014 will attempt to allocate space for a block of data within the file. When calculating this length, the application will use a value from the file and add a constant to it without checking whether the addition of the constant will cause the integer to overflow which will cause the buffer to be undersized when the application tries to copy file data into it. This allows one to overwrite contiguous data in the heap which can lead to code-execution under the context of the application. 2017-01-06 not yet calculated CVE-2016-4290
MISC
hancom — hancom_office When opening a Hangul HShow Document (.hpt) and processing a structure within the document, Hancom Office 2014 will attempt to allocate space for a list of elements using a length from the file. When calculating this length, an integer overflow can be made to occur which will cause the buffer to be undersized when the application tries to copy file data into the object containing this structure. This allows one to overwrite contiguous data in the heap which can lead to code-execution under the context of the application. 2017-01-06 not yet calculated CVE-2016-4298
MISC
hancom — hancom_office When opening a Hangul HShow Document (.hpt) and processing a structure within the document, Hancom Office 2014 will use a field from the structure in an operation that can cause the integer to overflow. This result is then used to allocate memory to copy file data in. Due to the lack of bounds checking on the integer, the allocated memory buffer can be made to be undersized at which point the reading of file data will write outside the bounds of the buffer. This can lead to code execution under the context of the application. 2017-01-06 not yet calculated CVE-2016-4291
MISC
hancom — hancom_office When opening a Hangul HShow Document (.hpt) and processing a structure within the document, Hancom Office 2014 will use a static size to allocate a heap buffer yet explicitly trust a size from the file when modifying data inside of it. Due to this, an aggressor can corrupt memory outside the bounds of this buffer which can lead to code execution under the context of the application. 2017-01-06 not yet calculated CVE-2016-4292
MISC
kaspersky — anti-virus_software A local denial of service vulnerability exists in window broadcast message handling functionality of Kaspersky Anti-Virus software. Sending certain unhandled window messages, an attacker can cause application termination and in the same way bypass KAV self-protection mechanism. 2017-01-06 not yet calculated CVE-2016-4329
MISC
kaspersky — internet_security_kl1 A denial of service vulnerability exists in the IOCTL handling functionality of Kaspersky Internet Security KL1 driver. A specially crafted IOCTL signal can cause an access violation in KL1 kernel driver resulting in local system denial of service. An attacker can run a program from user-mode to trigger this vulnerability. 2017-01-06 not yet calculated CVE-2016-4307
MISC
kaspersky — internet_security_kldisk Multiple information leaks exist in various IOCTL handlers of the Kaspersky Internet Security KLDISK driver. Specially crafted IOCTL requests can cause the driver to return out-of-bounds kernel memory, potentially leaking sensitive information such as privileged tokens or kernel memory addresses that may be useful in bypassing kernel mitigations. An unprivileged user can run a program from user-mode to trigger this vulnerability. 2017-01-06 not yet calculated CVE-2016-4306
MISC
kaspersky — internet_security_klif A denial of service vulnerability exists in the syscall filtering functionality of Kaspersky Internet Security KLIF driver. A specially crafted native api call can cause a access violation in KLIF kernel driver resulting in local denial of service. An attacker can run program from user-mode to trigger this vulnerability. 2017-01-06 not yet calculated CVE-2016-4305
MISC
kaspersky — internet_security_klif A denial of service vulnerability exists in the syscall filtering functionality of the Kaspersky Internet Security KLIF driver. A specially crafted native api call request can cause a access violation exception in KLIF kernel driver resulting in local denial of service. An attacker can run program from user-mode to trigger this vulnerability. 2017-01-06 not yet calculated CVE-2016-4304
MISC
lexmark — perceptive_document_filters An exploitable heap overflow vulnerability exists in the Compound Binary File Format (CBFF) parser functionality of Lexmark Perceptive Document Filters library. A specially crafted CBFF file can cause a code execution. An attacker can send a malformed file to trigger this vulnerability. 2017-01-06 not yet calculated CVE-2016-5646
MISC
lexmark — perspective_document_filters An exploitable buffer overflow exists in the XLS parsing of the Lexmark Perspective Document Filters conversion functionality. A crafted XLS document can lead to a stack based buffer overflow resulting in remote code execution. 2017-01-06 not yet calculated CVE-2016-4335
MISC
lexmark — perspective_document_filters An exploitable out-of-bounds write exists in the Bzip2 parsing of the Lexmark Perspective Document Filters conversion functionality. A crafted Bzip2 document can lead to a stack-based buffer overflow causing an out-of-bounds write which under the right circumstance could potentially be leveraged by an attacker to gain arbitrary code execution. 2017-01-06 not yet calculated CVE-2016-4336
MISC
libebml — libebml A specially crafted unicode string in libebml master branch can cause an off-by-few read on the heap in unicode string parsing code in libebml. This issue can potentially be used for information leaks. 2017-01-06 not yet calculated CVE-2016-1514
MISC
libebml — libebml A use-after-free / double-free vulnerability can occur in libebml master branch while parsing Track elements of the MKV container. 2017-01-06 not yet calculated CVE-2016-1515
MISC
libtiff — tiff2pdf An exploitable heap-based buffer overflow exists in the handling of TIFF images in LibTIFF’s TIFF2PDF tool. A crafted TIFF document can lead to a heap-based buffer overflow resulting in remote code execution. Vulnerability can be triggered via a saved TIFF file delivered by other means. 2017-01-06 not yet calculated CVE-2016-5652
MISC
memcached — memcached An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution. 2017-01-06 not yet calculated CVE-2016-8706
MISC
memcached — memcached An integer overflow in the process_bin_append_prepend function in Memcached, which is responsible for processing multiple commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution. 2017-01-06 not yet calculated CVE-2016-8704
MISC
memcached — memcached Multiple integer overflows in process_bin_update function in Memcached, which is responsible for processing multiple commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution. 2017-01-06 not yet calculated CVE-2016-8705
MISC
ntd — ntp_daemon A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim’s clock. 2017-01-06 not yet calculated CVE-2016-1549
MISC
ntp — libntp An exploitable vulnerability exists in the message authentication functionality of libntp in ntp 4.2.8p4 and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92. An attacker can send a series of crafted messages to attempt to recover the message digest key. 2017-01-06 not yet calculated CVE-2016-1550
MISC
ntp — ntp An off-path attacker can cause a preemptable client association to be demobilized in NTP 4.2.8p4 and earlier and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 by sending a crypto NAK packet to a victim client with a spoofed source address of an existing associated peer. This is true even if authentication is enabled. 2017-01-06 not yet calculated CVE-2016-1547
MISC
ntp — ntp_daemon An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. After making this switch, the client in NTP 4.2.8p4 and earlier and NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c will reject all future legitimate server responses. It is possible to force the victim client to move time after the mode has been changed. ntpq gives no indication that the mode has been switched. 2017-01-06 not yet calculated CVE-2016-1548
MISC
ntp — ntp_daemon An integer overflow can occur in NTP-dev.4.3.70 leading to an out-of-bounds memory copy operation when processing a specially crafted private mode packet. The crafted packet needs to have the correct message authentication code and a valid timestamp. When processed by the NTP daemon, it leads to an immediate crash. 2017-01-06 not yet calculated CVE-2015-7848
MISC
pidgin — mxit A buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent by the server could potentially result in an out-of-bounds write of one byte. A malicious server can send a negative content-length in response to a HTTP request triggering the vulnerability. 2017-01-06 not yet calculated CVE-2016-2377
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxit A buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in arbitrary code execution. A malicious server or an attacker who intercepts the network traffic can send an invalid size for a packet which will trigger a buffer overflow. 2017-01-06 not yet calculated CVE-2016-2376
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxit A buffer overflow vulnerability exists in the handling of the MXIT protocol Pidgin. Specially crafted data sent via the server could potentially result in a buffer overflow, potentially resulting in memory corruption. A malicious server or an unfiltered malicious user can send negative length values to trigger this vulnerability. 2017-01-06 not yet calculated CVE-2016-2378
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxit A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an out-of-bounds read. A malicious server or man-in-the-middle attacker can send invalid data to trigger this vulnerability. 2017-01-06 not yet calculated CVE-2016-2370
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxit A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a null pointer dereference. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash. 2017-01-06 not yet calculated CVE-2016-2365
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxit A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash. 2017-01-06 not yet calculated CVE-2016-2366
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxit A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or user can send an invalid mood to trigger this vulnerability. 2017-01-06 not yet calculated CVE-2016-2373
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxit A directory traversal exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an overwrite of files. A malicious server or someone with access to the network traffic can provide an invalid filename for a splash image triggering the vulnerability. 2017-01-06 not yet calculated CVE-2016-4323
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxit A NULL pointer dereference vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a denial of service vulnerability. A malicious server can send a packet starting with a NULL byte triggering the vulnerability. 2017-01-06 not yet calculated CVE-2016-2369
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxit An exploitable memory corruption vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT MultiMX message sent via the server can result in an out-of-bounds write leading to memory disclosure and code execution. 2017-01-06 not yet calculated CVE-2016-2374
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxit An exploitable out-of-bounds read exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT contact information sent from the server can result in memory disclosure. 2017-01-06 not yet calculated CVE-2016-2375
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxit An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent to the server could potentially result in an out-of-bounds read. A user could be convinced to enter a particular string which would then get converted incorrectly and could lead to a potential out-of-bounds read. 2017-01-06 not yet calculated CVE-2016-2380
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxit An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious user, server, or man-in-the-middle attacker can send an invalid size for a file transfer which will trigger an out-of-bounds read vulnerability. This could result in a denial of service or copy data from memory to the file, resulting in an information leak if the file is sent to another user. 2017-01-06 not yet calculated CVE-2016-2372
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxit An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious user, server, or man-in-the-middle can send an invalid size for an avatar which will trigger an out-of-bounds read vulnerability. This could result in a denial of service or copy data from memory to the file, resulting in an information leak if the avatar is sent to another user. 2017-01-06 not yet calculated CVE-2016-2367
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxit An out-of-bounds write vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could cause memory corruption resulting in code execution. 2017-01-06 not yet calculated CVE-2016-2371
DEBIAN
CONFIRM
MISC
UBUNTU
pidgin — mxit Multiple memory corruption vulnerabilities exist in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could result in multiple buffer overflows, potentially resulting in code execution or memory disclosure. 2017-01-06 not yet calculated CVE-2016-2368
DEBIAN
CONFIRM
MISC
UBUNTU
pivotal — gemfire An issue was discovered in Pivotal GemFire for PCF 1.6.x versions prior to 1.6.5 and 1.7.x versions prior to 1.7.1. The gfsh (Geode Shell) endpoint, used by operators and application developers to connect to their cluster, is unauthenticated and publicly accessible. Because HTTPS communications are terminated at the gorouter, communications from the gorouter to GemFire clusters are unencrypted. An attacker could run any command available on gfsh and could cause denial of service, lost confidentiality of data, escalate privileges, or eavesdrop on other communications between the gorouter and the cluster. 2017-01-06 not yet calculated CVE-2016-9885
CONFIRM
pivotal — spring_security An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded “/” to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected. 2017-01-06 not yet calculated CVE-2016-9879
CONFIRM
ruby — fiddle_fuction An exploitable heap overflow vulnerability exists in the Fiddle::Function.new “initialize” function functionality of Ruby. In Fiddle::Function.new “initialize” heap buffer “arg_types” allocation is made based on args array length. Specially constructed object passed as element of args array can increase this array size after mentioned allocation and cause heap overflow. 2017-01-06 not yet calculated CVE-2016-2339
MISC
ruby — tcltklp Type confusion exists in _cancel_eval Ruby’s TclTkIp class method. Attacker passing different type of object than String as “retval” argument can cause arbitrary code execution. 2017-01-06 not yet calculated CVE-2016-2337
MISC
ruby — win32ole Type confusion exists in two methods of Ruby’s WIN32OLE class, ole_invoke and ole_query_interface. Attacker passing different type of object than this assumed by developers can cause arbitrary code execution. 2017-01-06 not yet calculated CVE-2016-2336
MISC
trane — comfortlink_scc_firmware A design flaw in the Trane ComfortLink II SCC firmware version 2.0.2 service allows remote attackers to take complete control of the system. 2017-01-06 not yet calculated CVE-2015-2867
MISC
trane — N/Acomfortlink_firmware An exploitable remote code execution vulnerability exists in the Trane ComfortLink II firmware version 2.0.2 in DSS service. An attacker who can connect to the DSS service on the Trane ComfortLink II device can send an overly long REG request that can overflow a fixed size stack buffer, resulting in arbitrary code execution. 2017-01-06 not yet calculated CVE-2015-2868
MISC

Back to top


This product is provided subject to this Notification and this Privacy & Use policy.

Powered by WPeMatico

This entry was posted in Alerts. Bookmark the permalink.