Linux kernel IP fragment re-assembly vulnerable to denial of service
Overview The Linux kernel, versions 3.9+, IP implementation is vulnerable to denial of service conditions with low rates of specially modified packets. Description CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2018-5391 The Linux kernel, versions 3.9+, is vulnerable to a...
TCP implementations vulnerable to Denial of Service
Overview The Linux kernel versions 4.9+ and supported versions of FreeBSD are vulnerable to denial of service conditions with low rates of specially modified packets. Description CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2018-5390 Linux kernel versions 4.9+ can be...
mingw-w64 by default produces executables that opt in to ASLR, but are not compatible with ASLR
Overview mingw-w64 produces Windows executable files without a relocations table by default, which breaks compatibility with ASLR. Description ASLR is an exploit mitigation technique used by modern Windows platforms. For ASLR to function, Windows executables must contain a relocations table...
Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange
Overview Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device. Description CWE-325: Missi...
strongSwan VPN charon server vulnerable to buffer underflow
Overview strongSwan VPN's charon server prior to version 5.6.3 does not check packet length and may allow buffer underflow, resulting in denial of service. Description CWE-124: Buffer Underwrite ('Buffer Underflow') - CVE-2018-5388 In stroke_socket.c, a missing packet length check could allow a buffe...
CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks
Overview CPU hardware utilizing speculative execution may be vulnerable to cache timing side-channel analysis. Two vulnerabilities are identified, known as "Variant 3a" and "Variant 4". Description Speculative execution is a technique used by many modern processors to improve performance by...
OpenPGP and S/MIME mail client vulnerabilities
Overview Mail clients may leak plaintext messages while decrypting OpenPGP and S/MIME messages. Description Email clients supporting the OpenPGP or S/MIME standards may be vulnerable to a CBC/CFB gadget attack which may allow an attacker to inject content into an encrypted email which would...
Hardware debug exception documentation may result in unexpected behavior
Overview In some circumstances, some operating systems or hypervisors may not expect or properly handle an Intel architecture hardware debug exception. The error appears to be due to developer interpretation of existing documentation for certain Intel architecture interrupt/exception instructions...
Integrated GPUs may allow side-channel and rowhammer attacks using WebGL ("Glitch")
Overview Some platforms with integrated GPUs, such as smartphones, may allow both side-channel and rowhammer attacks via WebGL, which may allow a remote attacker to compromise the browser on an affected platform. An attack technique that leverages these vulnerabilities is called "GLitch."...
Microsoft Outlook retrieves remote OLE content without prompting
Overview When a Rich Text (RTF) email is previewed in Microsoft Outlook, remotely-hosted OLE content is retrieved without requiring any additional user interaction. This can leak private information including the user's password hash, which may be cracked by an attacker. Description Microsoft Outlo...
Windows 7 and Windows Server 2008 R2 x64 fail to protect kernel memory when the Microsoft update for meltdown is installed
Overview When the Microsoft update for meltdown is installed on a Windows 7 x64 or Windows Server 2008 R2 x64 system, an unprivileged process may be able to read and write the entire memory space available to the Windows kernel. Description The update that Microsoft has released for meltdown on x...
Navarino Infinity web interface is affected by multiple vulnerabilities
Overview Navarino Infinity web interface up to version 2.2 is affected by multiple vulnerabilities. Description CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2018-5384 Navarino Infinity exposes an unauthenticated script that is prone to blind SQ...
Bouncy Castle BKS-V1 keystore files vulnerable to trivial hash collisions
Overview Bouncy Castle BKS version 1 keystore files use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS-V1 keystore. Description Bouncy Castle is a cryptographic library for C and Java applications, including Android applications. BKS is a...
Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal
Overview Multiple SAML libraries may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attacker to potentially bypass authentication to...
Quagga bgpd is affected by multiple vulnerabilities
Overview The Quagga BGP daemon bgpd prior to version 1.2.3 may be vulnerable to multiple issues that may result in denial of service, information disclosure, or remote code execution. Description CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer - CVE-2018-5378...
Pulse Secure Linux client GUI fails to validate SSL certificates
Overview The Pulse Secure Linux client GUI fails to validate SSL certificates, which can allow an attacker to modify connection settings. Description Pulse Secure is an SSL VPN solution. The Linux Pulse Secure client GUI is implemented using WebKit, and the actions taken using the GUI are...
CPU hardware vulnerable to side-channel attacks
Overview CPU hardware implementations are vulnerable to cache side-channel attacks. These vulnerabilities are referred to as Meltdown and Spectre. Description CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. Both Spectre and Meltdown take...
TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding
Overview TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding, and may therefore be vulnerable to Bleichenbacher-style attacks. This attack is known as a "ROBOT attack". Description CWE-203: Information Exposure Through Discrepancy...
Apple MacOS High Sierra disabled account authentication bypass
Overview Apple MacOS High Sierra fails to properly require authentication for disabled accounts, such as the root account, which can allow an authenticated user to obtain root privileges. Description Apple MacOS High Sierra 10.13 contains a flaw in how it authenticates disabled accounts. When a...
Install Norton Security for Mac does not verify SSL certificates
Overview Install Norton Security for Mac, prior to version 7.6, does not validate SSL certificates. Description CWE-295: Improper Certificate Validation - CVE-2017-15528 The Install Norton Security for Mac installer, versions prior to 7.6, fails to properly validate SSL certificates provided by...
Windows 8 and later fail to properly randomize every application if system-wide mandatory ASLR is enabled via EMET or Windows Defender Exploit Guard
Overview Microsoft Windows 8 introduced a change in how system-wide mandatory ASLR is implemented. This change requires system-wide bottom-up ASLR to be enabled for mandatory ASLR to receive entropy. Tools that enable system-wide ASLR without also setting bottom-up ASLR will fail to properly...
Microsoft Office Equation Editor stack buffer overflow
Overview Microsoft Equation Editor contains a stack buffer overflow, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description Microsoft Equation Editor is a component that comes with Microsoft Office. It is an out-of-process COM server that ...
IEEE P1735 implementations may have weak cryptographic protections
Overview The IEEE P1735 standard describes methods for encrypting electronic-design intellectual property (IP), as well as the management of access rights for such IP. The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plainte...
Savitech USB audio drivers install a new root CA certificate
Overview Savitech provides USB audio drivers for a number of specialized audio products. Some versions of the Savitech driver package silently install a root CA certificate into the Windows trusted root certificate store. Description Savitech provides USB audio drivers for a number of specialized...
Infineon RSA library does not properly generate RSA key pairs
Overview The Infineon RSA library version 1.02.013 does not properly generate RSA key pairs, which may allow an attacker to recover the RSA private key corresponding to an RSA public key generated by this library. This vulnerability is often cited as "ROCA" in the media. Description...
Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse
Overview Wi-Fi Protected Access (WPA, more commonly WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a wireless access point (AP) or client. An attacker within range of an affected AP and client may leverage these vulnerabilities to...
NXP Semiconductors MQX RTOS contains multiple vulnerabilities
Overview The NXP Semiconductors MQX RTOS prior to version 5.1 contains a buffer overflow in the DHCP client, which may lead to memory corruption allowing an attacker to execute arbitrary code, as well as an out-of-bounds read in the DNS client which may lead to a denial of service. Description Th...
Dnsmasq contains multiple vulnerabilities
Overview Dnsmasq versions 2.77 and earlier contain multiple vulnerabilities. Description Multiple vulnerabilities have been reported in dnsmasq. CWE-122: Heap-based Buffer Overflow - CVE-2017-14491 CWE-122: Heap-based Buffer Overflow - CVE-2017-14492 CWE-121: Stack-based Buffer Overflow -...
Microsoft .NET framework SOAP Moniker PrintClientProxy remote code execution vulnerability
Overview The Microsoft .NET framework fails to properly parse WSDL content, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description The PrintClientProxy method in the WSDL-parsing component of the Microsoft .NET framework fails to properly...
Multiple Bluetooth implementation vulnerabilities affect many devices
Overview A collection of Bluetooth implementation vulnerabilities known as "BlueBorne" has been released. These vulnerabilities collectively affect Windows, iOS, and Linux-kernel-based operating systems including Android and Tizen, and may in the worst case allow an unauthenticated attacker to perfor...
Das U-Boot AES-CBC encryption implementation contains multiple vulnerabilities
Overview Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector and improper handling of an error condition may allow attacks against the underlying...
Apache Struts 2 framework REST plugin insecurely deserializes untrusted XML data
Overview Apache Struts 2 framework, versions 2.5 to 2.5.12, with REST plugin insecurely deserializes untrusted XML data. A remote, unauthenticated attacker can leverage this vulnerability to execute arbitrary code in the context of the Struts application. Description CWE-502: Deserialization of...
Akeo Consulting Rufus fails to update itself securely
Overview Akeo Consulting Rufus fails to securely check for and retrieve updates, which can allow an authenticated attacker to execute arbitrary code on a vulnerable system. Description Akeo Consulting Rufus 2.16 retrieves updates over HTTP. While Rufus does attempt to perform some basic signature...
Microsoft Windows automatically executes code specified in shortcut files
Overview Microsoft Windows automatically executes code specified in shortcut (LNK) files. Description Microsoft Windows supports the use of shortcut or LNK files. A LNK file is a reference to a local file. Clicking on a LNK file has essentially the same outcome as clicking on the file that is...
Open Shortest Path First (OSPF) protocol implementations may improperly determine LSA recency
Overview Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency for LSAs with MaxSequenceNumber. Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to poison routing...
Telerik Web UI contains cryptographic weakness
Overview The Telerik Web UI, versions R2 2017 (2017.2.503) and prior, is vulnerable to a cryptographic weakness which an attacker can exploit to extract encryption keys. Description CWE-326: Inadequate Encryption Strength - CVE-2017-9248 The Telerik.Web.UI.dll is vulnerable to a cryptographic...
Inmarsat AmosConnect8 Mail Client Vulnerable to SQL Injection and Backdoor Account
Overview Inmarsat Solutions offers a shipboard email client service, AmosConnect 8 (AC8), which was designed to be utilized over satellite networks in a highly optimized manner. IOActive has identified two security vulnerabilities in the client software: On-board ship network access could provide...
Dahua IP cameras Sonia web interface is vulnerable to stack buffer overflow
Overview Dahua IP camera products using firmware versions prior to V2.400.0000.14.R.20170713 include a version of the Sonia web interface that may be vulnerable to a stack buffer overflow. Description CWE-121: Stack-based Buffer Overflow - CVE-2017-3223 Dahua IP camera products include an...
Acronis True Image fails to update itself securely
Overview Acronis True Image fails to securely check for and retrieve updates, which can allow an authenticated attacker to execute arbitrary code with administrator privileges. Description Acronis True Image is a disk backup utility for Windows and Mac systems. Acronis True Image versions through...
Samsung Magician fails to update itself securely
Overview Samsung Magician fails to securely check for and retrieve updates, which can allow an authenticated attacker to execute arbitrary code with administrator privileges. Description Samsung Magician is a management utility for Samsung SSDs. Prior to version 5.0, Samsung Magician checks for an...
HPE SiteScope contains multiple vulnerabilities
Overview HPE's SiteScope is vulnerable to several cryptographic issues, insufficiently protected credentials, and missing authentication. Description HPE's SiteScope is affected by several vulnerabilities. The researcher reports that version 11.31.461 is affected; other versions may also be...
CalAmp LMU-3030 devices may not authenticate SMS interface
Overview OBD-II devices are used to provide telematics information for managers of fleets of vehicles. One type of device, manufactured by CalAmp, has an SMS text message interface. We have found multiple deployments where no password was configured for this interface by the integrator / reseller...
Various WiMAX routers contain an authentication bypass vulnerability in custom libmtk httpd plugin
Overview WiMAX routers from several vendors making use of a custom httpd plugin for libmtk are vulnerable to an authentication bypass allowing a remote, unauthenticated attacker to change the administrator password on the device. Description CWE-306: Missing Authentication for Critical Function -...
Space Coast Credit Union SCCU Mobile for Android and iPhone fails to properly validate SSL certificates
Overview Space Coast Credit Union SCCU Mobile for Android, version 2.1.0.1104 and earlier, and for iOS, version 2.2 and earlier, fails to properly validate SSL certificates provided by HTTPS connections, which may enable an attacker to conduct man-in-the-middle (MITM) attacks. Description CWE-295:...
Think Mutual Bank Mobile Banking App for iPhone fails to properly validate SSL certificates
Overview Think Mutual Bank mobile banking app for iOS, version 3.1.5 and earlier, fails to properly validate SSL certificates provided by HTTPS connections, which may enable an attacker to conduct man-in-the-middle (MITM) attacks. Description CWE-295: Improper Certificate Validation -...
Intel Active Management Technology (AMT) does not properly enforce access control
Overview Technologies based on Intel Active Management Technology may be vulnerable to remote privilege escalation, which may allow a remote, unauthenticated attacker to execute arbitrary code on the system. Description CWE-284: Improper Access Control - CVE-2017-5689 Intel offers a number of...
Portrait Displays SDK applications are vulnerable to arbitrary code execution and privilege escalation
Overview Applications developed using the Portrait Displays SDK, versions 2.30 through 2.34, default to insecure configurations which allow arbitrary code execution. Description CWE-276: Incorrect Default Permissions - CVE-2017-3210 A number of applications developed using the Portrait Displays SDK...
IBM Lotus Domino server mailbox name stack buffer overflow
Overview The IBM Lotus Domino server IMAP service contains a stack-based buffer overflow vulnerability in IMAP commands that refer to a mailbox name. This can allow a remote, authenticated attacker to execute arbitrary code with the privileges of the Domino server. Description IBM Lotus Domino...
DBPOWER U818A WIFI quadcopter drone allows full filesystem permissions to anonymous FTP
Overview The DBPOWER U818A WIFI quadcopter drone provides FTP access over its own local access point, and allows full file permissions to the anonymous user. Description The DBPOWER U818A WIFI quadcopter drone is designed to record images and video from the air. The drone provides an undocumente...
Microsoft OLE URL Moniker improperly handles remotely-linked HTA data
Overview Microsoft OLE uses the URL Moniker to open application data based on the server-provided MIME type, which can allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system. Description Microsoft OLE uses the URL Moniker to process remotely-linked content in ...