initialize
local users to cause a denial of service (OOPS) via a setsockopt call
that specifies a small value, leading to a divide-by-zero error or
incorrect use of a signed integer. (CVE-2010-4165)
The copy_shmid_to_user function in ipc/shm.c in the Linux kernel
does not initialize a certain structure, which allows local users to
obtain potentially sensitive information from kernel stack memory
via vectors related to the shmctl system call and the old shm
interface. (CVE-2010-4072)
The ipc subsystem in the Linux kernel does not initialize certain
Dan Jacobson discovered that ThinkPad video output was not correctly
access controlled. A local attacker could exploit this to hang the system,
leading to a denial of service. (CVE-2010-3448)
It was discovered that KVM did not correctly initialize certain CPU
registers. A local attacker could exploit this to crash the system,
leading to a denial of service. (CVE-2010-3698)
It was discovered that Xen did not correctly clean up threads. A local
attacker in a guest system could exploit this to exhaust host system
Dan Rosenberg discovered that the Linux kernel TIPC implementation
contained multiple integer signedness errors. A local attacker could
Remote exploitation of a logic flaw vulnerability in Microsoft Corp.'s
ATL/MFC ActiveX code, as included in various vendors' ActiveX controls,
could allow attackers to bypass ActiveX security mechanisms.
One aspect of COM is a process called initialization. This process
allows a program to load and store a COM object within various
containers, such as OLE compound storage files and raw streams.
Depending upon certain characteristics of an OLE component designed with
the Microsoft ATL, it is possible to cause one component to initialize
Release mode: Coordinated release
2. *Vulnerability Information*
Class: External Initialization of Trusted Variables [CWE-454]
Impact: Denial of Service
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2009-3840
whether it has been designed to operate safely or not.
While the dynamic loader will only use a library that exports the dynamic
symbols required by the rtld-auditing API, it must first dlopen() the
library in order to examine the exported symbols. By definition, this must
execute any defined initialization routines.
This confusion can be exploited by locating a DSO in the trusted search path with
initialization code that has not been designed to operate safely while euid !=
uid. See the Notes section below for additional discussion on this topic.
Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did
not correctly clear kernel memory. A local attacker could exploit this to
read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875)
Vasiliy Kulikov discovered that the Linux kernel sockets implementation did
not properly initialize certain structures. A local attacker could exploit
this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-3876)
Vasiliy Kulikov discovered that the TIPC interface did not correctly
initialize certain structures. A local attacker could exploit this to read
Problem Description:
Security issues were identified and fixed in firefox:
Security researcher regenrecht reported (via TippingPoint's Zero Day
Initiative) a potential reuse of a deleted image frame in Firefox 3.6's
handling of multipart/x-mixed-replace images. Although no exploit was
shown, re-use of freed memory has led to exploitable vulnerabilities
in the past (CVE-2010-0164).
Mozilla developers identified and fixed several stability bugs in the
will store the result into a 32-bit integer. This value will be used for
an allocation and then later will be used to initialize the allocated
buffer. Because the number of elements being totaled is variable, an
attacker can provide as many elements as necessary to cause the integer
value to wrap, resulting in an under-allocation.
Initialization of this data will then cause a heap-based buffer
overflow. This can lead to code execution under the context of the
application.
-- Vendor Response:
Apple patch on April 14, 2011:
The Blizzard Entertainment Battle.net mobile authenticator application
that is used as part of an optional two factor authentication scheme to
safeguard accounts is vulnerable to a passive eavesdropper during the
initialization process which occurs once per the lifetime of a given
device.
An overview of how the application and protocol works is available at:
http://bnetauth.freeportal.us/specification.html
Summary:
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
Details follow:
It was discovered that KVM did not correctly initialize certain CPU
registers. A local attacker could exploit this to crash the system, leading
to a denial of service. (CVE-2010-3698)
Thomas Pollet discovered that the RDS network protocol did not check
certain iovec buffers. A local attacker could exploit this to crash the
to bypass intended mmap_min_addr restrictions and possibly conduct
NULL pointer dereference attacks via a crafted assembly-language
application. (CVE-2010-4346)
The sk_run_filter function does not check whether a certain memory
location has been initialized before executing a BPF_S_LD_MEM
or BPF_S_LDX_MEM instruction, which allows local users to obtain
potentially sensitive information from kernel stack memory via a
crafted socket filter. (CVE-2010-4158)
Heap-based buffer overflow in the bcm_connect function the Broadcast
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the application's parsing of a
particular record within a Microsoft Excel Compound Document. When
specifying a particular value, the application will fail to initialize a
variable that is used as the length of a memcpy operation. Due to the
usage of the uninitialized value, with proper control of the program
flow an attacker can force a length of their own choosing for the memcpy
operation. This will cause a buffer overflow and can lead to code
execution under the context of the application.
composing an HTML document (CVE-2008-4456).
bugs in the Mandriva Linux 2008.1 packages that have been fixed:
o upstream fix for mysql bug35754 (#38398, #44691)
o fix #46116 (initialization file mysqld-max don't show correct
application status)
o fix upstream bug 42366
bugs in the Mandriva Linux 2009.0 packages that have been fixed:
Dan Rosenberg discovered that SCTP did not correctly handle HMAC
calculations. A remote attacker could send specially crafted traffic that
is required to exploit this vulnerability in that the target must visit
a malicious page.
The specific flaw exists within the gp.ocx ActiveX control. This control
has a CLSID of {E2883E8F-472F-4fb0-9522-AC9BF37916A7} and the ProgID
Atlcom.get_atlcom. Upon initialization this control copies the values
from two parameters into a fixed length buffer. If supplied with large
enough values this can lead to a buffer overflow that can be
leveraged to execute arbitrary code under the context of the user
running the browser.
malicious page or open a malicious file.
The specific flaw exists during the parsing of samples from a malformed
MOV file utilizing the H.264 codec. While parsing data to render the
stream, the application will mistrust a length that is used to
initialize a heap chunk that was allocated in a header. If the length is
larger than the size of the chunk allocated, then a memory corruption
will occur leading to code execution under the context of the currently
logged in user.
-- Vendor Response:
CLSID: {9A077D0D-B4A6-4EC0-B6CF-98526DF589E4}
ProgId: vbDevKit.CVariantFileSystem
Path to binary: C:\WINDOWS\vbDevKit.dll
Doesn't implement IObjectSafety
Registry settings:
Registry: is not safe for initialization
Registry: is not safe for scripting
Killbit is NOT set
In order to load this control, the particular security setting that
would need to be modified is "Initialize and script ActiveX controls not
is required to exploit this vulnerability in that the target must visit
a malicious page or open a malicious file.
The specific flaw exists within the parsing of the undocumented tSAC
RIFF chunk. By setting a specified field within this structure to NULL,
the application fails to initialize an object pointer. This
uninitialized pointer is later called which causes the application to
jump into random heap memory. By crafting the application's memory state
an attacker can utilize this issue to execute arbitrary code under the
context of the user running the browser.
} As Boolean
This feature is used to safeguard the ActiveX control and prevent it
from being initialized outside of authorized domains. Users may submit
requests to host this control on their site and they are given an
initialization key. Referencing the BitDefender website you can see
that their domain is being processed with the following hex-value key:
AvxUI.InitX('000000408E45E3394593BF66F0C93C6CF90AF0F0AB417E17657D7F328A2
312ACBE0B139EF3EBFB69939B1C3B24D8BC392D752B8408EAACCD809B94D38B8F9B5E97B
must open a malicious email attachment.
The specific flaw exists within the Lotus Notes file viewer utilizing
the KeyView SDK to render a malformed .wk3 document. The application
will mistrust a length used to allocate a buffer. Later, the application
will use a differently calculated length in a copy used to initialize
that buffer. This leads to a buffer overflow and can lead to code
execution under the context of the application.
-- Vendor Response:
Autonomy states:
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Missing Initialization [CWE-456]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2010-3329
Bugtraq ID: N/A
CVE-2011-0271 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
The Hewlett-Packard Company thanks Aniway.Anyway@gmail.com along with TippingPoint's Zero Day Initiative for reporting ZDI-CAN-931, ZDI-CAN-932, ZDI-CAN-933, ZDI-CAN-934, ZDI-CAN-935, and ZDI-CAN-936 to security-alert@hp.com.
The Hewlett-Packard Company thanks SilentSignal along with TippingPoint's Zero Day Initiative for reporting ZDI-CAN-774 and ZDI-CAN-810 to security-alert@hp.com.
The Hewlett-Packard Company thanks an anonymous researcher along with TippingPoint's Zero Day Initiative for reporting ZDI-CAN-753 and ZDI-CAN-757 to security-alert@hp.com.
ZDI-11-039: BMC PATROL Agent Service Daemon BGS_MULTIPLE_READS Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-039
February 3, 2011
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- Affected Vendors:
ZDI-11-102: PostgreSQL Plus Advanced Server DBA Management Server Remote Authentication Bypass Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-102
March 2, 2011
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- Affected Vendors: