Rewterz Threat Advisory -IBM Security Guardium Multiple Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2018-14634
An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to a SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerable.

CVE-2018-3693
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis.

CVE-2018-7566
The Linux kernel 4.15 has a Buffer Overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by a local user.

CVE-2018-3639
Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.

CVE-2017-0861
Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem in the Linux kernel allows attackers to gain privileges via unspecified vectors.


CVE-2018-3620
Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.

CVE-2017-15265
Race condition in the ALSA subsystem in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c.

CVE-2018-5391
The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack using low rates of specially modified packets targeting IP fragment reassembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size.

CVE-2018-1000004
In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions, a race condition vulnerability exists in the sound system; this can lead to a deadlock and denial of service condition.

CVE-2018-3646
Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.

CVE-2018-10901
A flaw was found in Linux kernel’s KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host’s userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. An attacker can use this to escalate their privileges.

Impact

  • DoS
  • Privilege escalation
  • Exposure of sensitive information
  • Security Bypass

Affected products

IBM Security Guardium (formerly IBM InfoSphere Guardium) 10.0 through 10.6

Remediation

The vendor has released a patch for the affected product.

http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=All&function=fixId&fixids=SqlGuard_10.0p610_Combined-Fix-Pack-for-GPU-600_2019-02-27&includeSupersedes=0&source=fc


Rewterz Threat Advisory – Red Hat Update for Java-1.8.0-ibm

Severity

High

Analysis Summary

CVE-2018-12547
In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf() and jio_vsnprintf() native methods ignored the length parameter. This allowed existing APIs that called these functions to write beyond the allocated buffer. These functions were not directly callable by non-native user code.

CVE-2018-11212
An issue was discovered in libjpeg 9a. The alloc_sarray function in jmemmgr.c allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted file.

CVE-2018-12549
In Eclipse OpenJ9 version 0.11.0, the OpenJ9 JIT compiler may incorrectly omit a null check on the receiver object of an Unsafe call when accelerating it.

CVE-2019-2422
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. This difficult-to-exploit vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data.

CVE-2019-2449
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). The supported version that is affected is Java SE: 8u192. This difficult-to-exploit vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in an unauthorized ability to cause a partial denial of service (partial DoS) of Java SE.

Impact

  • System access
  • DoS
  • Exposure of sensitive information

Affected Vendors

IBM

Affected Products

Red Hat Enterprise Linux Desktop Supplementary 6.x
Red Hat Enterprise Linux Server Supplementary 6.x
Red Hat Enterprise Linux Workstation Supplementary 6.x
Red Hat Enterprise Linux HPC Node Supplementary 6.x
Red Hat Enterprise Linux Desktop Supplementary 7.x
Red Hat Enterprise Linux HPC Node Supplementary 7.x
Red Hat Enterprise Linux Server Supplementary 7.x
Red Hat Enterprise Linux Workstation Supplementary 7.x

Remediation

Updated packages for the affected products can be found here.

http://rhn.redhat.com


Rewterz Threat Advisory – CVE-2019-1599 – Cisco Multiple Nexus Switches NX-OS Netstack Denial of Service Vulnerability

Severity

Medium

Analysis Summary

A vulnerability has been reported in multiple Cisco Nexus Switches, which can be exploited by malicious people to cause a DoS (Denial of Service).
An error related to the network stack when allocating and freeing memory buffers can be exploited to exhaust available buffers and subsequently cause a DoS condition via specially crafted TCP streams.

Impact

Denial of Service

Affected Products

This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco NX-OS Software:

  • Nexus 1000V Switch for Microsoft Hyper-V
  • Nexus 1000V Switch for VMware vSphere
  • Nexus 3000 Series Switches
  • Nexus 3500 Platform Switches
  • Nexus 3600 Platform Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 7700 Series Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode
  • Nexus 9500 R-Series Line Cards and Fabric Modules
  • UCS 6200 Series Fabric Interconnects
  • UCS 6300 Series Fabric Interconnects
  • UCS 6400 Series Fabric Interconnects

Remediation

Cisco has released free software updates that address the vulnerability described in this advisory.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-netstack

Rewterz Threat Advisory – CVE-2019-6528 – Cross-site Scripting Vulnerability due to Improper Neutralization of Input

Severity

High

Analysis Summary

The vulnerability exists due to improper neutralization of input during the web page generation process. The web browser interprets the unneutralized input as active HTML, JavaScript, or VBScript, which could allow an attacker to execute arbitrary code.

Affected Vendors

PSI GridConnect GmbH

Affected Products

  • Telecontrol Gateway and Smart Telecontrol Unit family
  • IEC104 Security Proxy
  • Telecontrol Gateway 3G Versions 4.2.21, 5.0.27, 5.1.19, 6.0.16 and prior
  • Telecontrol Gateway XS-MU Versions 4.2.21
  • Telecontrol Gateway VM Versions 4.2.21
  • Smart Telecontrol Unit TCG Versions 5.0.27, 6.0.16 and prior
  • IEC104 Security Proxy Version 2.2.10 and prior

Remediation

A fix for the vulnerability is available in the following software releases:

  • 5.1.20,
  • 6.0.17, and
  • IEC104 Security Proxy Version 2.2.11

The following software releases are no longer supported:

  • 4.2.x, and
  • 5.0.x

PSI recommends deactivating the webserver via CLI since the web interface is not essential to the configuration of the device.


Rewterz Threat Advisory – IBM Security QRadar SIEM / Risk Manager Multiple Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2018-11784
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo'), a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice.

CVE-2018-0732
During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).

CVE-2018-11237
An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.

CVE-2018-10858
A heap buffer overflow was found in the way Samba clients processed extra-long filenames in a directory listing. A malicious Samba server could use this flaw to cause arbitrary code execution on a Samba client. Samba versions before 4.6.16, 4.7.9 and 4.8.4 are vulnerable.

Impact

  • System access
  • DoS
  • Spoofing

Affected Products

  • IBM Security QRadar SIEM 7.x
  • IBM Security QRadar Risk Manager 7.x

The vulnerabilities are reported in versions 7.3.0 through 7.3.1 Patch 7.

Remediation

Update to version 7.3.1 Patch 8.


Rewterz Threat Advisory – CVE-2019-5786 – Google Chrome FileReader Use-After-Free Vulnerability

Severity

Medium

Analysis Summary

A use-after-free error in Google Chrome related to FileReader can be exploited to corrupt memory. Successful exploitation of the vulnerability may allow execution of arbitrary code or compromise of a vulnerable system.

Impact

  • Memory Corruption
  • Code Execution

Affected Products

Google Chrome 72.x

Remediation

Update to version 72.0.3626.121.


Copyright © Rewterz. All rights reserved.