Kurt Seifried | 12 Aug 01:33 2015
Picon

Processor side channels using out of order execution

Some interesting work in line with that CAIN thing from last week:

https://blog.trailofbits.com/2015/07/21/hardware-side-channels-in-the-cloud/
http://sophia.re/cache.pdf
http://sophia.re/RECON/

not sure if this needs a CVE or not, since CAIN got one I'm thinking a
strong maybe?

--

-- 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...
Moritz Jodeit | 11 Aug 20:40 2015
Picon

CVE request - OpenSSH 6.9 PAM privilege separation vulnerabilities

Hello list,

could you please assign two CVE IDs for the following two security
issues fixed in OpenSSH 7.0 (directly taken from the release notes [1]):

 * sshd(8): Portable OpenSSH only: Fixed a privilege separation
   weakness related to PAM support. Attackers who could successfully
   compromise the pre-authentication process for remote code
   execution and who had valid credentials on the host could
   impersonate other users.  Reported by Moritz Jodeit.

 * sshd(8): Portable OpenSSH only: Fixed a use-after-free bug
   related to PAM support that was reachable by attackers who could
   compromise the pre-authentication process for remote code
   execution. Also reported by Moritz Jodeit.

[1] http://www.openssh.com/txt/release-7.0

Thank you,
Moritz

Kurt Seifried | 11 Aug 18:23 2015
Picon

Terminal escape sequences - the new XSS for admins?

So we've had a bunch of this stuff over the years:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=terminal+escape

And now more recently:

http://turbochaos.blogspot.ca/2014/08/journalctl-terminal-escape-injection.html
https://bugzilla.redhat.com/show_bug.cgi?id=1084577

And we have at least one more coming down the pipeline that's pretty
widespread.

Also I'm thinking of all those docker apps that log to STDOUT.

So the basic TL;DR: please don't use really ancient terminal programs that
are vulnerable to this stuff. It appears in testing that most (all?) of the
Red Hat stuff is ok, but I can't speak for other vendors.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...
Seth Arnold | 11 Aug 04:55 2015

CVE Request: ippusbxd

Hello MITRE, all,

Please assign a CVE for ippusbxd. I discovered a flaw that accidentally
allows access to a connected USB printer via all configured network
addresses, rather than only TCP loopback addresses, by misusing the
in6addr_any bind address.

The original bug report is at
https://bugs.launchpad.net/ubuntu/+source/ippusbxd/+bug/1455644
(though most of the contents aren't related).

The flaw can be found at
https://github.com/tillkamppeter/ippusbxd/blob/ea6005943e2669cbf492fa441d9dce02a4bc2471/src/tcp.c#L51

Comments in the source code and documentation indicate that access was
intended only for localhost:
https://github.com/tillkamppeter/ippusbxd/blob/ea6005943e2669cbf492fa441d9dce02a4bc2471/doc/ippusbxd.1#L17

Till Kamppeter has provided the following patches to address the issue:
https://github.com/tillkamppeter/ippusbxd/commit/46844402bca7a38fc224483ba6f0a93c4613203f
https://github.com/tillkamppeter/ippusbxd/commit/a632841f8e65d402e13e81921515f5a1e2736c82

The first patch switches to using two sockets and binds them explicitly
to the IPv6 and the IPv4 loopback addresses; the second patch simplifies
the use of select(). Both patches are recommended. A new upstream release
will be made soon to incorporate this fix.

Thanks
Martin Prpic | 10 Aug 12:45 2015
Picon

Duplicate Wireshark CVEs?

Hello,

It looks like the following two Wireshark advisories fix the same flaw:

https://www.wireshark.org/security/wnpa-sec-2015-14.html
https://www.wireshark.org/security/wnpa-sec-2015-07.html

Both fix a flaw in the WCP dissector and refer to the following bug:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10844

Is there a reason two CVEs were assigned for this, or should one of them
be rejected?

Thanks!

RH bugs:
https://bugzilla.redhat.com/CVE-2015-2188
https://bugzilla.redhat.com/CVE-2015-3811

--

-- 
Martin Prpič / Red Hat Product Security

Martin Prpic | 10 Aug 11:23 2015
Picon

CVE request: GNUTLS-SA-2015-3 double free in certificate DN decoding

Hi,

GnuTLS released versions 3.4.4 and 3.3.17 that fix one security issue:

http://www.gnutls.org/security.html#GNUTLS-SA-2015-3

"Kurt Roeckx reported that decoding a specific certificate with very
long DistinguishedName (DN) entries leads to double free, which may
result to a denial of service. Since the DN decoding occurs in almost
all applications using certificates it is recommended to upgrade the
latest GnuTLS version fixing the issue. Recommendation: Upgrade to
GnuTLS 3.4.4, or 3.3.17."

The upstream patch that fixes this issue is available at:

https://gitlab.com/gnutls/gnutls/commit/272854367efc130fbd4f1a51840d80c630214e12

Can a CVE please be assigned to this issue?

Also, there is still no CVE for the issue before this one. The CVE
request was sent on May 5:

http://seclists.org/oss-sec/2015/q2/367

Can a CVE be assigned to this as well?

Thank you!

Refs:
rhbz GNUTLS-SA-2015-2: https://bugzilla.redhat.com/1218426
(Continue reading)

François Labrèche | 9 Aug 21:50 2015
Picon

CVE request - simple-php-captcha - captcha bypass vulnerability

Hi,

We found a captcha bypass vulnerability in an open source captcha 
software, made by Cory LaViska for A Beautiful Site. Here is the github 
repository: https://github.com/claviska/simple-php-captcha.

We opened an issue on github 
<https://github.com/claviska/simple-php-captcha/issues/16>, and the 
vulnerability has been fixed. They never did any release so we don't 
think the fix will be released in any form. Simply advising users to 
update to git master's should suffice.

The simple-php-captcha.php file had a vulnerability enabling a client to 
generate the captcha response automatically, effectively bypassing the 
captcha.

Since the microtime() function was used both in the initial seed for the 
captcha and in the captcha url path sent to the client, it was possible 
to generate the captcha result automatically by running the same code 
client-side.

Could a CVE be assigned to this?

Thank you,
François
P J P | 6 Aug 12:25 2015
Picon

CVE request: Qemu: buffer overflow in virtio-serial

   Hello,

Qemu emulator built with the virtio-serial vmchannel support is vulnerable to 
a buffer overflow issue. It could occur while exchanging virtio control 
messages between guest & the host.

A malicious guest could use this flaw to corrupt few bytes of Qemu memory 
area, potentially crashing the Qemu process.

Upstream fix:
-------------
   -> https://lists.gnu.org/archive/html/qemu-devel/2015-07/msg05458.html

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Wade Mealing | 6 Aug 06:50 2015
Picon

CVE-2015-5156 : virt-io max-skb-frags heap overflow.

Gday,

When a guests KVM network devices is in a bridge configuration the kernel can 
create a situation in which packets are fragmented in an unexpected fashion. 
The GRO functionality can create a situation in which multiple SKB's are 
chained together in a single packets fraglist (by design).  

The virtio module declares support for NETIF_F_FRAGLIST and assumes that there
are at most MAX_SKB_FRAGS + 2 fragments which isn't always true with a 
fraglist, when GRO is enabled on the incoming driver it can create more fragments
than expected.

A longer than expected fragment list in the socket buffer will make the call
to skb_to_sgvec overflow the sg array, leading to memory corruption, and denial
of service.

An unprivileged attacker could use this flaw to crash the system resulting in DoS.

Red Hat would like to thank Jason Wang for reporting this issue.

Upstream fixes:
---------------
  -> http://marc.info/?l=linux-netdev&m=143868216724068&w=2

Red Hat Bugzilla:
----------------
  -> https://bugzilla.redhat.com/show_bug.cgi?id=1243852

Thanks,

(Continue reading)

Velmurugan Periasamy | 5 Aug 22:37 2015
Picon

CVEs fixed in Ranger 0.5

Ranger Community:

Please see below details.

CVE-2015-0265: Apache Ranger code injection vulnerability
----------------------------------------------------------------------------
---
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 version of Apache Ranger
Users affected: All admin users of ranger policy admin tool
Description: Unauthorized users can send some javascript code to be executed
in ranger policy admin tool admin sessions
Fix detail: Added logic to sanitize the user input
Mitigation: Users should upgrade to 0.5.0+ version of Apache Ranger with the
fix
Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue

CVE-2015-0266: Apache Ranger direct url access vulnerability
----------------------------------------------------------------------------
-----
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 version of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Regular users can type in the URL of modules that are
accessible only to admin users
Fix detail: Added logic in the backend to verify user access
Mitigation: Users should upgrade to 0.5.0+ version of Apache Ranger with the
fix
(Continue reading)

Darren Martyn | 5 Aug 22:43 2015
Picon

CVE Request: SuiteCRM Post-Auth Race Condition Shell Upload Remote Code Execution.

Hello List,
I am requesting a CVE to be issued for the SuiteCRM product. There
exists a race condition in the image upload verification component which
leads to a race condition wherein an uploaded piece of PHP code exists
on disc temporarily before being deleted, which can be leveraged to gain
code execution. This vulnerability was introduced in version 7.2.2, as a
patch to fix a prior code execution issue found in 7.2.1.

Github issue: https://github.com/salesagility/SuiteCRM/issues/333
Responsible commit:
https://github.com/salesagility/SuiteCRM/commit/b1b3fd61c7697ad2073cd253d31c9462929e7bb5
Them being told it was a bad idea:
https://github.com/salesagility/SuiteCRM/commit/b1b3fd61c7697ad2073cd253d31c9462929e7bb5#commitcomment-11281062
Video of exploitation: https://www.youtube.com/watch?v=eHVIg5eoYNc

A proof of concept exploit will be published in a couple of days along
with a dissection of the vulnerable components of the code and
explanation of how it all works and stuff.

Best regards,
Darren Martyn,
Security Researcher,
Xiphos Research Ltd.


Gmane