Libarchive zip zip_read_mac_metadata Code Execution Vulnerability
SUMMARY An exploitable heap overflow vulnerability exists in the zip archive decompression functionality of libarchive. A specially crafted zip file can cause memory corruption leading to code execution. An attacker can send a malformed file to trigger this vulnerability. TESTED VERSIONS libarchi...
Network Time Protocol ntpd Reference Clock Impersonation Vulnerability
SUMMARY ntpd relies on the underlying operating system to protect it from requests that impersonate reference clocks. Because reference clocks are treated like other peers and stored in the same structure, any packet with a source IP address of a reference clock (127.127.1.1, for example) that reach...
Network Time Protocol Forced Interleaved Time Spoofing Vulnerability
SUMMARY It is possible to change the time of an ntpd client or deny service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode. An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer-dst...
Network Time Protocol Crypto-NAK Preemptible Association Denial of Service Vulnerability
SUMMARY An off-path attacker can cause a preemptible client association to be demobilized by sending a crypto NAK packet to a victim client with a spoofed source address of an existing associated peer. This is true even if authentication is enabled. Furthermore, if the attacker keeps sending cryp...
Network Time Protocol libntp Message Digest Disclosure Vulnerability
SUMMARY An exploitable vulnerability exists in the message authentication functionality of Network Time Protocol libntp. An attacker can send a series of crafted messages to attempt to recover the message digest key. TESTED VERSIONS ntp 4.2.8p4 NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92...
Network Time Protocol Ephemeral Association Time Spoofing Vulnerability
SUMMARY ntpd is vulnerable to Sybil attacks. A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win ntpd’s clock selection algorithm and modify a victim’s clock. TESTED VERSIONS NTP 4.2.8p3 NTP 4.2.8p4 NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 NTPs...
Oracle IOT IX SDK libvs_pdf XRef Index Code Execution Vulnerability
Talos Vulnerability Report TALOS-2016-0086 Oracle IOT IX SDK libvs_pdf XRef Index Code Execution Vulnerability April 19, 2016 CVE Number CVE-2016-3455 DESCRIPTION A vulnerability in the PDF parser of the IX SDK exists that allows an out of bounds heap memory overwrite potentially leading to remote cod...
Lhasa lha decode_level3_header Heap Corruption Vulnerability
SUMMARY An exploitable integer underflow exists during the header size calculation in the decode_level3_header function of the Lhasa lha application. A headerlen value smaller than LEVEL3HEADERLEN 32 causes an integer underflow during subtraction and later leads to memory corruption via a heap based buffer...
Apple OS X Gen6Accelerator IOGen575Shared::new_texture Local Privilege Escalation Vulnerability
SUMMARY A vulnerability exists in the communication functionality of the Apple Intel HD 3000 Graphics kernel driver. A specially crafted message can trigger the vulnerability, resulting in local privilege escalation. TESTED VERSIONS Apple OSX Intel HD 3000 Graphics driver 10.0.0 -...
Trane Comfortlink II DSS Service REG Handling Remote Code Execution Vulnerability
Talos Vulnerability Report TALOS-2016-0027 Trane Comfortlink II DSS Service REG Handling Remote Code Execution Vulnerability February 8, 2016 CVE Number CVE-2015-2868 DESCRIPTION An exploitable remote code execution vulnerability exists in the Trane ComfortLink II DSS service. An attacker who can...
Trane Comfortlink II DSS Service Request Handling Remote Code Execution Vulnerability
Talos Vulnerability Report TALOS-2016-0026 Trane Comfortlink II DSS Service Request Handling Remote Code Execution Vulnerability February 8, 2016 CVE Number CVE-2015-2868 Description An exploitable remote code execution vulnerability exists in the Trane ComfortLink II DSS service. An attacker who...
Trane ComfortLink II SCC Service Hardcoded Credentials Vulnerability
Talos Vulnerability Report TALOS-2016-0028 Trane ComfortLink II SCC Service Hardcoded Credentials Vulnerability February 8, 2016 CVE Number CVE-2015-2867 Description A design flaw in the Trane ComfortLink II SCC service allows remote attackers to take complete control of the system. During system...
Libgraphite LocaLookup Denial of Service Vulnerability
Talos Vulnerability Report TALOS-2016-0061 Libgraphite LocaLookup Denial of Service Vulnerability February 5, 2016 CVE Number CVE-2016-1521 Description An exploitable denial of service vulnerability exists in the font handling of Libgraphite. A specially crafted font can cause an out-of-bounds re...
Libgraphite Bidirectional Font mFeatureMap Denial of Service Vulnerability
Talos Vulnerability Report TALOS-2016-0060 Libgraphite Bidirectional Font mFeatureMap Denial of Service Vulnerability February 5, 2016 CVE Number CVE-2016-1522 Description An exploitable NULL pointer dereference exists in the bidirectional font handling functionality of Libgraphite. A specially...
Libgraphite directrun Opcode Handling Code Execution Vulnerability
Talos Vulnerability Report TALOS-2016-0058 Libgraphite directrun Opcode Handling Code Execution Vulnerability February 5, 2016 CVE Number CVE-2016-1521 Description An exploitable out-of-bounds read vulnerability exists in the opcode handling functionality of Libgraphite. A specially crafted font...
Libgraphite Bidirectional Font BracketPairStack Code Execution Vulnerability
Talos Vulnerability Report TALOS-2016-0057 Libgraphite Bidirectional Font BracketPairStack Code Execution Vulnerability February 5, 2016 CVE Number CVE-2016-1522 Description An exploitable out-of-bounds access vulnerability exists in the bidirectional font handling functionality of Libgraphite. A...
Libgraphite Context Item Code Execution Vulnerability
Talos Vulnerability Report TALOS-2016-0059 Libgraphite Context Item Code Execution Vulnerability February 5, 2016 CVE Number CVE-2016-1523 Description An exploitable heap-based buffer overflow exists in the context item handling functionality of Libgraphite. A specially crafted font can cause a...
Matroska Media Container libmatroska Multiple ElementList Double Free Vulnerabilities
Talos Vulnerability Report TALOS-2016-0037 Matroska Media Container libmatroska Multiple ElementList Double Free Vulnerabilities January 28, 2016 CVE Number CVE-2016-1515 Description A use after free/double free vulnerability can occur in libmatroska while parsing Track elements of the MKV...
Matroska libebml EbmlUnicodeString Heap Information Leak
Talos Vulnerability Report TALOS-2016-0036 Matroska libebml EbmlUnicodeString Heap Information Leak January 28, 2016 CVE Number CVE-2015-8790 Description A specially crafted unicode string can cause an off-by-few read on the heap in unicode string parsing code in libebml. This issue can potential...
Network Time Protocol Authenticated Preemptable Modes Denial-of-Service Vulnerability
CERT VU357792 Summary Expected Behavior: The protocol should protect against off-path Denial of Service attacks in authenticated broadcast and other modes which create preemptable associations, such as: multicast client, manycast client, pool client modes, and associations configured with the...
Network Time Protocol ntpq and ntpdc Infinite Loop Vulnerability
CERT VU357792 Summary ntpq processes incoming packets in a loop in getresponse. The loop’s only stopping conditions are receiving a complete and correct response or hitting a small number of error conditions. If the packet contains incorrect values that don’t trigger one of the error conditions,...
Network Time Protocol ntpq Special Character Filtering Vulnerability
Summary The ntpq saveconfig command does not do adequate filtering of special characters from the supplied filename. Only backslash and forward slash are currently filtered out. There are other special characters that are allowed in the filename which can cause issues during globbing. In additio...
Network Time Protocol Origin Timestamp Check Impersonation Vulnerability
CERT VU357792 Summary To distinguish legitimate peer responses from forgeries, a client attempts to verify a response packet by ensuring that the origin timestamp in an incoming packet matches the transmit timestamp it transmitted in its last request. A logic error exists that allows packets with...
Network Time Protocol Deja Vu: Broadcast Mode Replay Vulnerability
Summary Expected Behavior: RFC 5905 page 29 Section 8 states that the on-wire protocol resists replay of server response packets in broadcast mode. Also on page 55 section 15, the RFC claims security in authenticated mode against on-path attackers where an attacker can: (a) Intercept and archive...
Network Time Protocol Skeleton Key: Symmetric Authentication Impersonation Vulnerability
CERT VU357792 Summary Symmetric key encryption requires a single trusted key to be specified for each server configuration. A key specified only for one server should only work to authenticate that server; other trusted keys should be refused. Instead we observe that when symmetric key...
Network Time Protocol ntpq Buffer Overflow Vulnerability
CERT VU357792 Summary ntpq contains a buffer overflow. nextvar executes a memcpy into the name buffer without a proper length check against its maximum length of 256 bytes. Tested Versions ntp 4.2.8p3 NTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 Product URLs http://www.ntp.org http://www.ntp.or...
Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability
CERT VU357792 Summary An unauthenticated ntpdc reslist command can cause a segmentation fault in ntpd by exhausting the call stack. The following conditions must be met: 1. Mode 7 must be enabled. By default, mode 7 is disabled. 2. A large enough number of entries must be in the restrict lists to...
Network Time Protocol ntpq and ntpdc Origin Timestamp Disclosure Vulnerability
CERT VU357792 Summary To prevent off-path attackers from impersonating legitimate peers, clients require that the origin timestamp in a received response packet match the transmit timestamp from its last request to a given peer. Under assumption that only the recipient of the request packet will...
Network Time Protocol Private Mode 'reslist' NULL Pointer Dereference Vulnerability
Summary An unauthenticated ntpdc reslist command can cause a segmentation fault in ntpd by causing a NULL pointer dereference. The following conditions must be met: 1. Mode 7 must be enabled. By default, mode 7 is disabled. 2. A large enough number of entries must exist in the restrict list to...
Network Time Protocol ntpq Control Protocol Replay Vulnerability
CERT VU357792 Summary The ntpq protocol is vulnerable to replay attacks. The sequence number being included under the signature fails to prevent replay attacks for two reasons. Commands that don’t require authentication can be used to move the sequence number forward, and NTP doesn’t actually car...
Apple Quicktime mdat Corruption Denial of Service Vulnerability
Talos Vulnerability Report TALOS-2016-0020 Apple Quicktime mdat Corruption Denial of Service Vulnerability January 8, 2016 CVE Number CVE-2015-7088 Description There is a denial of service vulnerability in Apple Quicktime. An attacker who can control the content of the mdat section of a .mov file...
Apple Quicktime Invalid samr Atom Size Denial of Service Vulnerability
Talos Vulnerability Report TALOS-2016-0019 Apple Quicktime Invalid samr Atom Size Denial of Service Vulnerability January 8, 2016 CVE Number CVE-2015-7087 Description There is a denial of service vulnerability in Apple Quicktime. An attacker who can control the size of a samr atom in a .mov file...
Apple Quicktime dref Atom Null Data Reference Entry Denial of Service Vulnerability
Talos Vulnerability Report TALOS-2016-0023 Apple Quicktime dref Atom Null Data Reference Entry Denial of Service Vulnerability January 8, 2016 CVE Number CVE-2015-7090 Description There is a denial of service vulnerability in Apple Quicktime. An attacker who can control the size and type of a dat...
Apple Quicktime mdat Corruption Denial of Service Vulnerability
Talos Vulnerability Report TALOS-2016-0021 Apple Quicktime mdat Corruption Denial of Service Vulnerability January 8, 2016 CVE Number CVE-2015-7089 Description There is a denial of service vulnerability in Apple Quicktime. An attacker who can control the content of the mdat section of a .mov file...
Apple Quicktime Invalid alis Atom Size Denial of Service Vulnerability
Talos Vulnerability Report TALOS-2016-0022 Apple Quicktime Invalid alis Atom Size Denial of Service Vulnerability January 8, 2016 CVE Number CVE-2015-7117 Description There is a denial of service vulnerability in Apple Quicktime. An attacker who can control the size of an alis atom in a .mov file...
RTMPDump librtmp AMF3 Class Member Count Remote Code Execution Vulnerability
Talos Vulnerability Report TALOS-2016-0067 RTMPDump librtmp AMF3 Class Member Count Remote Code Execution Vulnerability January 7, 2016 CVE Number CVE-2015-8271 Description The vulnerability occurs within the AMF3CD_AddProp function within amf.c. If an attacker sets up a malicious RTMP Media serve...
RTMPDump rtmpsrv PlayPath Null Pointer Dereference
Talos Vulnerability Report TALOS-2016-0068 RTMPDump rtmpsrv PlayPath Null Pointer Dereference January 7, 2016 CVE Number CVE-2015-8272 Description A vulnerability exists in rtmpsrv in which an attacker can entice a user to utilize rtmpsrv to save an RTMP media stream that is missing a playpath...
RTMPDump librtmp AMF3 MemberName Denial of Service Vulnerability
Talos Vulnerability Report TALOS-2016-0066 RTMPDump librtmp AMF3 MemberName Denial of Service Vulnerability January 7, 2016 CVE Number CVE-2015-8270 Description The vulnerability occurs within the AMF3ReadString function within amf.c. If an attacker sets up a malicious RTMP Media server that...
Microsoft .NET Manifest Resource Information Disclosure Vulnerability
Talos Vulnerability Report TALOS-2015-0130 Microsoft .NET Manifest Resource Information Disclosure Vulnerability December 8, 2015 CVE Number CVE-2015-6114 Summary An exploitable information leak or denial of service vulnerability exists in the manifest resource parsing functionality of the .NET...
Microsoft .NET Manifest Resource Information Disclosure Vulnerability
Talos Vulnerability Report TALOS-2015-0129 Microsoft .NET Manifest Resource Information Disclosure Vulnerability December 8, 2015 CVE Number CVE-2015-6114 Summary An exploitable information leak or denial of service vulnerability exists in the manifest resource parsing functionality of the .NET...
Network Time Protocol ntpq atoascii Memory Corruption Vulnerability
Talos Vulnerability Report TALOS-2015-0063 Network Time Protocol ntpq atoascii Memory Corruption Vulnerability October 21, 2015 CVE Number CVE-2015-7852 Description A potential off by one vulnerability exists in the cookedprint functionality of ntpq. A specially crafted buffer could cause a buffe...
Network Time Protocol ntpd multiple integer overflow read access violations
Talos Vulnerability Report TALOS-2015-0052 Network Time Protocol ntpd multiple integer overflow read access violations October 21, 2015 CVE Number CVE-2015-7848 Description When processing a specially crafted private mode packet, an integer overflow can occur leading to out of bounds memory copy...
Network Time Protocol Password Length Memory Corruption Vulnerability
Talos Vulnerability Report TALOS-2015-0065 Network Time Protocol Password Length Memory Corruption Vulnerability October 21, 2015 CVE Number CVE-2015-7854 Description A potential buffer overflow vulnerability exists in the password management functionality of ntp. A specially crafted key file cou...
Network Time Protocol Remote Configuration Denial of Service Vulnerability
Talos Vulnerability Report TALOS-2015-0055 Network Time Protocol Remote Configuration Denial of Service Vulnerability October 21, 2015 CVE Number CVE-2015-7850 Description An exploitable denial of service vulnerability exists in the remote configuration functionality of the Network Time Protocol....
Network Time Protocol ntpd saveconfig Directory Traversal Vulnerability
Talos Vulnerability Report TALOS-2015-0062 Network Time Protocol ntpd saveconfig Directory Traversal Vulnerability October 21, 2015 CVE Number CVE-2015-7851 Description A potential path traversal vulnerability exists in the config file saving of ntpd on VMS. A specially crafted path could cause a...
NAK to the Future: NTP Symmetric Association Authentication Bypass Vulnerability
Talos Vulnerability Report TALOS-2015-0069 NAK to the Future: NTP Symmetric Association Authentication Bypass Vulnerability October 21, 2015 CVE Number CVE-2015-7871 Summary Unauthenticated off-path attackers can force ntpd processes to peer with malicious time sources of the attacker’s choosing...
Network Time Protocol Reference Clock Memory Corruption Vulnerability
Talos Vulnerability Report TALOS-2015-0064 Network Time Protocol Reference Clock Memory Corruption Vulnerability October 21, 2015 CVE Number CVE-2015-7853 Description A potential buffer overflow vulnerability exists in the refclock of ntpd. An invalid length provided by a hardware reference clock...
Network Time Protocol Trusted Keys Memory Corruption Vulnerability
Talos Vulnerability Report TALOS-2015-0054 Network Time Protocol Trusted Keys Memory Corruption Vulnerability October 21, 2015 CVE Number CVE-2015-7849 Description An exploitable use-after-free vulnerability exists in the password management functionality of the Network Time Protocol. A specially...
Microsoft Windows CDD Font Parsing Kernel Memory Corruption
Talos Vulnerability Report TALOS-2015-0007 Microsoft Windows CDD Font Parsing Kernel Memory Corruption September 15, 2015 CVE Number CVE-2015-2506 Description An exploitable kernel memory corruption vulnerability exists in Microsoft Windows. A specially crafted font file can cause the Microsoft...
MiniUPnP Internet Gateway Device Protocol XML Parser Buffer Overflow
Talos Vulnerability Report TALOS-2015-0035 MiniUPnP Internet Gateway Device Protocol XML Parser Buffer Overflow September 15, 2015 CVE Number CVE-2015-6031 Description An exploitable buffer overflow vulnerability exists in the XML parser functionality of the MiniUPnP library. A specially crafted...