Information Security

Security vulnerabilities in KVM
Updated since May 2, 2011
Published: May 26, 2011
Source:
SecurityVulns ID: 11641
Type: local
Severity level: 5/10
Description: Denial of service when processing guest I/O requests.
Affected products: QEMU : kvm 0.12
CVE: CVE-2011-1751 (The pciej_write function in hw/acpi_piix4.c in the PIIX4 Power Management emulation in qemu-kvm does not check if a device is hotpluggable before unplugging the PCI-ISA bridge, which allows privileged guest users to cause a denial of service (guest crash) and possibly execute arbitrary code by sending a crafted value to the 0xae08 (PCI_EJ_BASE) I/O port, which leads to a use-after-free related to "active qemu timers.")
 CVE-2011-1750 (Multiple heap-based buffer overflows in the virtio-blk driver (hw/virtio-blk.c) in qemu-kvm 0.14.0 allow local guest users to cause a denial of service (guest crash) and possibly gain privileges via a (1) write request to the virtio_blk_handle_write function or (2) read request to the virtio_blk_handle_read function that is not properly aligned.)
 CVE-2011-0011 (qemu-kvm before 0.11.0 disables VNC authentication when the password is cleared, which allows remote attackers to bypass authentication and establish VNC sessions.)
Original text: DEBIAN, [SECURITY] [DSA 2241-1] qemu-kvm security update (26.05.2011)
 DEBIAN, [SECURITY] [DSA 2230-1] qemu-kvm security update (02.05.2011)

Security vulnerabilities in the Linux kernel
Updated since May 8, 2011
Published: May 26, 2011
Source:
SecurityVulns ID: 11656
Type: remote
Severity level: 7/10
Description: DoS via InfiniBand, DoS via LDM disks, numerous DoS conditions, information leak, memory corruption, buffer overflow in IrDA, DoS via VLAN, authentication bypass in CIFS, DoS when parsing GRE.
Affected products: LINUX : kernel 2.6
CVE: CVE-2011-2182 (The ldm_frag_add function in fs/partitions/ldm.c in the Linux kernel before 2.6.39.1 does not properly handle memory allocation for non-initial fragments, which might allow local users to conduct buffer overflow attacks, and gain privileges or obtain sensitive information, via a crafted LDM partition table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1017.)
 CVE-2011-2022 (The agp_generic_remove_memory function in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 does not validate a certain start parameter, which allows local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_UNBIND agp_ioctl ioctl call, a different vulnerability than CVE-2011-1745.)
 CVE-2011-1770 (Integer underflow in the dccp_parse_options function (net/dccp/options.c) in the Linux kernel before 2.6.33.14 allows remote attackers to cause a denial of service via a Datagram Congestion Control Protocol (DCCP) packet with an invalid feature options length, which triggers a buffer over-read.)
 CVE-2011-1767 (net/ipv4/ip_gre.c in the Linux kernel before 2.6.34, when ip_gre is configured as a module, allows remote attackers to cause a denial of service (OOPS) by sending a packet during module loading.)
 CVE-2011-1759 (Integer overflow in the sys_oabi_semtimedop function in arch/arm/kernel/sys_oabi-compat.c in the Linux kernel before 2.6.39 on the ARM platform, when CONFIG_OABI_COMPAT is enabled, allows local users to gain privileges or cause a denial of service (heap memory corruption) by providing a crafted argument and leveraging a race condition.)
 CVE-2011-1748 (The raw_release function in net/can/raw.c in the Linux kernel before 2.6.39-rc6 does not properly validate a socket data structure, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted release operation.)
 CVE-2011-1747 (The agp subsystem in the Linux kernel 2.6.38.5 and earlier does not properly restrict memory allocation by the (1) AGPIOC_RESERVE and (2) AGPIOC_ALLOCATE ioctls, which allows local users to cause a denial of service (memory consumption) by making many calls to these ioctls.)
 CVE-2011-1746 (Multiple integer overflows in the (1) agp_allocate_memory and (2) agp_create_user_memory functions in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 allow local users to trigger buffer overflows, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via vectors related to calls that specify a large number of memory pages.)
 CVE-2011-1745 (Integer overflow in the agp_generic_insert_memory function in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 allows local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_BIND agp_ioctl ioctl call.)
 CVE-2011-1598 (The bcm_release function in net/can/bcm.c in the Linux kernel before 2.6.39-rc6 does not properly validate a socket data structure, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted release operation.)
 CVE-2011-1593 (Multiple integer overflows in the next_pidmap function in kernel/pid.c in the Linux kernel before 2.6.38.4 allow local users to cause a denial of service (system crash) via a crafted (1) getdents or (2) readdir system call.)
 CVE-2011-1585 (The cifs_find_smb_ses function in fs/cifs/connect.c in the Linux kernel before 2.6.36 does not properly determine the associations between users and sessions, which allows local users to bypass CIFS share authentication by leveraging a mount of a share by a different user.)
 CVE-2011-1495 (drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel 2.6.38 and earlier does not validate (1) length and (2) offset values before performing memory copy operations, which might allow local users to gain privileges, cause a denial of service (memory corruption), or obtain sensitive information from kernel memory via a crafted ioctl call, related to the _ctl_do_mpt_command and _ctl_diag_read_buffer functions.)
 CVE-2011-1494 (Integer overflow in the _ctl_do_mpt_command function in drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel 2.6.38 and earlier might allow local users to gain privileges or cause a denial of service (memory corruption) via an ioctl call specifying a crafted value that triggers a heap-based buffer overflow.)
 CVE-2011-1493 (Array index error in the rose_parse_national function in net/rose/rose_subr.c in the Linux kernel before 2.6.39 allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact by composing FAC_NATIONAL_DIGIS data that specifies a large number of digipeaters, and then sending this data to a ROSE socket.)
 CVE-2011-1478 (The napi_reuse_skb function in net/core/dev.c in the Generic Receive Offload (GRO) implementation in the Linux kernel before 2.6.38 does not reset the values of certain structure members, which might allow remote attackers to cause a denial of service (NULL pointer dereference) via a malformed VLAN frame.)
 CVE-2011-1477 (Multiple array index errors in sound/oss/opl3.c in the Linux kernel before 2.6.39 allow local users to cause a denial of service (heap memory corruption) or possibly gain privileges by leveraging write access to /dev/sequencer.)
 CVE-2011-1476 (Integer underflow in the Open Sound System (OSS) subsystem in the Linux kernel before 2.6.39 on unspecified non-x86 platforms allows local users to cause a denial of service (memory corruption) by leveraging write access to /dev/sequencer.)
 CVE-2011-1182 (kernel/signal.c in the Linux kernel before 2.6.39 allows local users to spoof the uid and pid of a signal sender via a sigqueueinfo system call.)
 CVE-2011-1180 (Multiple stack-based buffer overflows in the iriap_getvaluebyclass_indication function in net/irda/iriap.c in the Linux kernel before 2.6.39 allow remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging connectivity to an IrDA infrared network and sending a large integer value for a (1) name length or (2) attribute length.)
 CVE-2011-1173 (The econet_sendmsg function in net/econet/af_econet.c in the Linux kernel before 2.6.39 on the x86_64 platform allows remote attackers to obtain potentially sensitive information from kernel stack memory by reading uninitialized data in the ah field of an Acorn Universal Networking (AUN) packet.)
 CVE-2011-1172 (net/ipv6/netfilter/ip6_tables.c in the IPv6 implementation in the Linux kernel before 2.6.39 does not place the expected '\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.)
 CVE-2011-1171 (net/ipv4/netfilter/ip_tables.c in the IPv4 implementation in the Linux kernel before 2.6.39 does not place the expected '\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.)
 CVE-2011-1170 (net/ipv4/netfilter/arp_tables.c in the IPv4 implementation in the Linux kernel before 2.6.39 does not place the expected '\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.)
 CVE-2011-1163 (The osf_partition function in fs/partitions/osf.c in the Linux kernel before 2.6.38 does not properly handle an invalid number of partitions, which might allow local users to obtain potentially sensitive information from kernel heap memory via vectors related to partition-table parsing.)
 CVE-2011-1160 (The tpm_open function in drivers/char/tpm/tpm.c in the Linux kernel before 2.6.39 does not initialize a certain buffer, which allows local users to obtain potentially sensitive information from kernel memory via unspecified vectors.)
 CVE-2011-1090 (The __nfs4_proc_set_acl function in fs/nfs/nfs4proc.c in the Linux kernel before 2.6.38 stores NFSv4 ACL data in memory that is allocated by kmalloc but not properly freed, which allows local users to cause a denial of service (panic) via a crafted attempt to set an ACL.)
 CVE-2011-1080 (The do_replace function in net/bridge/netfilter/ebtables.c in the Linux kernel before 2.6.39 does not ensure that a certain name field ends with a '\0' character, which allows local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability to replace a table, and then reading a modprobe command line.)
 CVE-2011-1079 (The bnep_sock_ioctl function in net/bluetooth/bnep/sock.c in the Linux kernel before 2.6.39 does not ensure that a certain device field ends with a '\0' character, which allows local users to obtain potentially sensitive information from kernel stack memory, or cause a denial of service (BUG and system crash), via a BNEPCONNADD command.)
 CVE-2011-1078 (The sco_sock_getsockopt_old function in net/bluetooth/sco.c in the Linux kernel before 2.6.39 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via the SCO_CONNINFO option.)
 CVE-2011-1017 (Heap-based buffer overflow in the ldm_frag_add function in fs/partitions/ldm.c in the Linux kernel 2.6.37.2 and earlier might allow local users to gain privileges or obtain sensitive information via a crafted LDM partition table.)
 CVE-2011-1016 (The Radeon GPU drivers in the Linux kernel before 2.6.38-rc5 do not properly validate data related to the AA resolve registers, which allows local users to write to arbitrary memory locations associated with (1) Video RAM (aka VRAM) or (2) the Graphics Translation Table (GTT) via crafted values.)
 CVE-2011-0726 (The do_task_stat function in fs/proc/array.c in the Linux kernel before 2.6.39-rc1 does not perform an expected uid check, which makes it easier for local users to defeat the ASLR protection mechanism by reading the start_code and end_code fields in the /proc/#####/stat file for a process executing a PIE binary.)
 CVE-2011-0695 (Race condition in the cm_work_handler function in the InfiniBand driver (drivers/infiniband/core/cma.c) in Linux kernel 2.6.x allows remote attackers to cause a denial of service (panic) by sending an InfiniBand request while other request handlers are still running, which triggers an invalid pointer dereference.)
Original text: DEBIAN, [SECURITY] [DSA 2240-1] linux-2.6 security update (26.05.2011)
 UBUNTU, [USN-1111-1] Linux kernel vulnerabilities (08.05.2011)

Multiple security vulnerabilities in IBM Lotus Notes
Published: May 26, 2011
Source:
SecurityVulns ID: 11690
Type: client
Severity level: 7/10
Description: Memory corruption when parsing files in the BIFF, Applix, Microsoft Office, RTF and LZH formats.
Affected products: IBM : Lotus Notes 6.5
 IBM : Lotus Notes 6.0
 IBM : Lotus Notes 7.0
 IBM : Lotus Notes 8.0
 IBM : Lotus Notes 8.5
CVE: CVE-2011-1512 (Heap-based buffer overflow in xlssr.dll in Autonomy KeyView, as used in IBM Lotus Notes before 8.5.2 FP3, allows remote attackers to execute arbitrary code via a malformed BIFF record in a .xls Excel spreadsheet attachment, aka SPR PRAD8E3HKR.)
Original text: IDEFENSE, iDefense Security Advisory 05.24.11: IBM Lotus Notes Office Document Attachment Viewer Stack Buffer Overflow (26.05.2011)
 IDEFENSE, iDefense Security Advisory 05.24.11: IBM Lotus Notes RTF Attachment Viewer Stack Buffer Overflow (26.05.2011)
 IDEFENSE, iDefense Security Advisory 05.24.11: IBM Lotus Notes LZH Attachment Viewer Stack Buffer Overflow (26.05.2011)
 IDEFENSE, iDefense Security Advisory 05.24.11: IBM Lotus Notes Applix Attachment Viewer Stack Buffer Overflow (26.05.2011)
 CORE SECURITY TECHNOLOGIES ADVISORIES, CORE-2010-0908: Lotus Notes XLS viewer malformed BIFF record heap overflow (26.05.2011)

Directory traversal in rdesktop
Published: May 26, 2011
Source:
SecurityVulns ID: 11691
Type: client
Severity level: 6/10
Description: Directory traversal when the disk redirection feature is used.
Affected products: RDESKTOP : rdesktop 1.6
CVE: CVE-2011-1595 (Directory traversal vulnerability in the disk_create function in disk.c in rdesktop before 1.7.0, when disk redirection is enabled, allows remote RDP servers to read or overwrite arbitrary files via a .. (dot dot) in a pathname.)
Original text: UBUNTU, [USN-1136-1] rdesktop vulnerability (26.05.2011)

Multiple security vulnerabilities in Cisco IOS XR
Published: May 26, 2011
Source:
SecurityVulns ID: 11692
Type: remote
Severity level: 7/10
Description: DoS when parsing IP packets (including transit packets), DoS via SSH, DoS against SPA.
Affected products: CISCO : IOS XR 3.6
 CISCO : IOS XR 3.8
 CISCO : IOS XR 3.9
 CISCO : IOS XR 4.0
 CISCO : IOS XR 4.1
CVE: CVE-2011-1651 (Cisco IOS XR 3.9.x and 4.0.x before 4.0.3 and 4.1.x before 4.1.1, when an SPA interface processor is installed, allows remote attackers to cause a denial of service (device reload) via a crafted IPv4 packet, aka Bug ID CSCto45095.)
 CVE-2011-0949 (Cisco IOS XR 3.6.x, 3.8.x before 3.8.3, and 3.9.x before 3.9.1 does not properly remove sshd_lock files from /tmp/, which allows remote attackers to cause a denial of service (disk consumption) by making many SSHv1 connections, aka Bug ID CSCtd64417.)
 CVE-2011-0943 (Cisco IOS XR 3.8.3, 3.8.4, and 3.9.1 allows remote attackers to cause a denial of service (NetIO process restart or device reload) via a crafted IPv4 packet, aka Bug ID CSCth44147.)
Original text: CISCO, Cisco Security Advisory: Cisco IOS XR Software IP Packet Vulnerability (26.05.2011)
 CISCO, Cisco Security Advisory: Cisco XR 12000 Series Shared Port Adapters Interface Processor Vulnerability (26.05.2011)
 CISCO, Cisco Security Advisory: Cisco IOS XR Software SSHv1 Denial of Service Vulnerability (26.05.2011)

Multiple security vulnerabilities in Cisco RVS4000 / Cisco WRVS4400N routers
Published: May 26, 2011
Source:
SecurityVulns ID: 11693
Type: remote
Severity level: 6/10
Description: Code execution and information leak via the web interface.
Affected products: CISCO : Cisco RVS4000
 CISCO : Cisco WRVS4400N
CVE: CVE-2011-1647 (The web management interface on the Cisco RVS4000 Gigabit Security Router with software 1.x before 1.3.3.4 and 2.x before 2.0.2.7, and the WRVS4400N Gigabit Security Router with software before 2.0.2.1, allows remote attackers to read the private key for the admin SSL certificate via unspecified vectors, aka Bug ID CSCtn23871.)
 CVE-2011-1646 (The web management interface on the Cisco RVS4000 Gigabit Security Router with software 1.x before 1.3.3.4 and 2.x before 2.0.2.7, and the WRVS4400N Gigabit Security Router with software before 2.0.2.1, allows remote authenticated users to execute arbitrary commands via the (1) ping test parameter or (2) traceroute test parameter, aka Bug ID CSCtn23871.)
 CVE-2011-1645 (The web management interface on the Cisco RVS4000 Gigabit Security Router with software 1.x before 1.3.3.4 and 2.x before 2.0.2.7, and the WRVS4400N Gigabit Security Router with software before 2.0.2.1, allows remote attackers to read the backup configuration file, and consequently execute arbitrary code, via unspecified vectors, aka Bug ID CSCtn23871.)
Original text: CISCO, Cisco Security Advisory: Cisco RVS4000 and WRVS4400N Web Management Interface Vulnerabilities (26.05.2011)

DoS against Cisco Content Delivery System
Published: May 26, 2011
Source:
SecurityVulns ID: 11694
Type: remote
Severity level: 6/10
Description: Denial of service when handling URLs in Internet Streamer.
Affected products: CISCO : Content Delivery System 2.5
CVE: CVE-2011-1649 (The Internet Streamer application in Cisco Content Delivery System (CDS) with software 2.5.7, 2.5.8, and 2.5.9 before build 126 allows remote attackers to cause a denial of service (Web Engine crash) via a crafted URL, aka Bug IDs CSCtg67333 and CSCth25341.)
Original text: CISCO, Cisco Security Advisory: Cisco Content Delivery System Internet Streamer: Web Server Vulnerability (26.05.2011)

Information leak in Rosewill RXS-3211 IP cameras
Published: May 26, 2011
Source:
SecurityVulns ID: 11695
Type: remote
Severity level: 5/10
Description: The camera management password can be obtained via UDP/13364.
Affected products: ROSEWILL : Rosewill RXS-3211
Original text: supernothing_(at)_spareclockcycles.org, Remote Password Disclosure Vulnerability in RXS-3211 IP Camera + others (26.05.2011)

Summary of security vulnerabilities in web applications (PHP, ASP, JSP, CGI, Perl)
Published: May 26, 2011
Source:
SecurityVulns ID: 11696
Type: remote
Severity level: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information leak, etc.
Affected products: EUCALYPTUS : eucalyptus 2.0
 WORDPRESS : WordPress 3.1
CVE: CVE-2011-0730 (Eucalyptus before 2.0.3 and Eucalyptus EE before 2.0.2, as used in Ubuntu Enterprise Cloud (UEC) and other products, do not properly interpret signed elements in SOAP requests, which allows man-in-the-middle attackers to execute arbitrary commands by modifying a request, related to an "XML Signature Element Wrapping" or a "SOAP signature replay" issue.)
Original text: UBUNTU, [USN-1137-1] Eucalyptus vulnerability (26.05.2011)
 matthew_(at)_matthewwilkes.name, [CVE-REQUEST] Plone XSS and permission errors (26.05.2011)
 Veronica, Talsoft S.R.L. Security Advisory - WordPress User IDs and User Names Disclosure (26.05.2011)

DoS against Dovecot
Published: May 26, 2011
Source:
SecurityVulns ID: 11697
Type: remote
Severity level: 6/10
Description: Denial of service on a NUL character in message headers.
Affected products: DOVECOT : Dovecot 1.2
 DOVECOT : Dovecot 2.0
CVE: CVE-2011-1929 (lib-mail/message-header-parser.c in Dovecot 1.2.x before 1.2.17 and 2.0.x before 2.0.13 does not properly handle '\0' characters in header names, which allows remote attackers to cause a denial of service (daemon crash or mailbox corruption) via a crafted e-mail message.)
Original text: MANDRIVA, [ MDVSA-2011:101 ] dovecot (26.05.2011)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod