By Jake Edge
January 3, 2013
Over the past few years, seemingly harmless internal kernel state that is
available
to user space has allowed attackers to gain useful information to
facilitate their attacks. The TCP DelayedACKLost counter (exported to user space via the /proc/net/netstat virtual file) is yet
another. It can be used to
determine the sequence number of a TCP connection, which can lead to packet
injection or connection hijacking.
TCP sequence numbers have proven to be problematic over the years.
Sequence numbers essentially count the number of octets transferred in each
direction in a TCP connection. Knowing the sequence number, along with IP
address and port number, allows an
attacker to interfere
with a connection by spoofing (or faking) packets that appear to have come
from the other endpoint. Endpoints will
reject packets that contain invalid sequence numbers, so those numbers must
be known to an attacker. Originally, sequence
numbers were easily predicted, so,
in the mid-1990s, RFC 1948 specified that the
initial sequence number (ISN) for each side of a TCP connection should be
randomized.
Randomization should make sequence numbers difficult for attackers to
guess, but various ways to infer the sequence numbers for a connection have come
about over the years. In this case, researchers Zhiyun Qian, Z. Morley
Mao, and Yinglian Xie discovered
a way to quickly determine the sequence number for an open
connection using the DelayedACKLost counter as a side channel. The
researchers presented a paper
[PDF] with their findings at the ACM Conference on Computer and
Communications Security back in October. In addition, Qian posted a summary of the problem to the kernel
netdev mailing list in December:
The vulnerability would allow [a] local malicious program to gain write
access to TCP connections of other applications. An example attack
scenario (on android) would be "an attacker uploads a seemingly benign
app to the google play, when run at the background, it can inject
malicious HTML payload into a webpage open by the browser".
The problem is caused by the common TCP stats counters (the specific
counter I found is DelayedACKLost) maintained by the kernel (but
exposed to user space). By reading and reporting such counters to an
external attacker (colluded), the aforementioned attack can be
accomplished.
As described in their paper, the researchers found a way to use the DelayedACKLost counter as
a reliable side channel to quickly narrow in on the sequence number. By
having a client-side application relay the counter value to a collaborating
host, which can then send probe packets to the client, a binary or N-way
search can be done to determine the sequence number. In their test cases,
the researchers were able to infer the sequence number using four to five
round trips between the client application and its collaborator, which could complete in as little as 50ms.
The key to this search is a bug in the way the Linux kernel handles packets
with incorrect sequence numbers. If a packet is received that has a
sequence number "less than" that which is expected, the DelayedACKLost counter
is incremented—regardless of whether the packet is an acknowledgment
(ACK) or not. The calculation that is done to determine whether the
number is less than what is expected essentially partitions the
32-bit sequence number space into two halves. Because DelayedACKLost does not
get incremented if the sequence number is larger than the expected number, it can
be used in a search to narrow in on the value of interest.
DelayedACKLost was once used to decide if the network stack should use delayed
ACKs or not. It is meant to count missing incoming delayed ACKs. In
normal usage, it is rarely incremented, so an attacker
can get a "clean" signal by simply sending packets with various sequence
numbers and observing their effects on the counter. The paper describes
using an N-way search technique that splits the sequence number space into
a small number of equal-sized bins, sends a different number of packets
with sequence numbers from
each bin, and uses the value of the counter to find the sequence number
with fewer round trips between the client and the probing host.
Beyond just inferring sequence numbers, though, the paper lays out a number
of ways to use that information to interfere with real connections. The
first of those is to inject data into an existing connection. By using the
inferred sequence number, the "off-path" (i.e. not a man in the middle)
attacker can spoof a packet to the client. The example used is an HTTP
response from some internet server. If that server takes "long enough" to
respond, the sequence number can be determined and a fake response can be sent
before the real server responds. That turns out to be the pattern for
Facebook, for example, and the researchers were able to inject JavaScript
into a client session to update the user's status. In addition, if an HTTP
connection is used for multiple requests, later responses (after the sequence
number has been determined) can be spoofed.
A similar technique, using the same counter, can determine the client-side
sequence number. That number can be used by an attacker to send spoofed
packets in the other direction, so client requests to the server can be faked.
Beyond that, two types of connection hijacking are possible. A passive
hijacking can be done on kernels older than 3.0.2 because there were only
24 bits of randomness in the ISN. When the connection is established to
the remote server, the off-path attacker immediately sends spoofed "reset"
(RST) packets to the server with sequence numbers covering the entire
24-bit client ISN space. It then commences to determine the server's ISN
using the DelayedACKLost counter and sends a spoofed response once it has
done so.
For more recent kernels, there is still an active hijacking that can be
performed by pre-calculating the client ISNs for a range of port numbers.
By "port jamming" the other ports (i.e. using those port numbers so they
aren't available), the malware can ensure that the outgoing connection
originates
from a known, pre-calculated port. ISNs change at a known rate, so the
attacker can
calculate the ISN based on what it originally determined and how much time has
passed since the determination was made. The trick is to know that a
connection will be made to the server "soon". Ensuring that is the
"active" piece of the puzzle.
Both hijacking techniques require that the server have some kind of
stateful firewall that discards "out of state" packets. Otherwise, RST
responses from the server on a connection it thinks is closed will
confuse the real client (which thinks the connection is still open). It
turns out that
many internet services (e.g. Facebook, Twitter) do have such firewalls.
All of the techniques described in the paper were put to use in fairly
"real world" scenarios. An Android application was used on the client side
to monitor the counter, while other servers acted as the off-path
collaborator. Many Android devices are based on 2.6.x, so they are
vulnerable to either of the two hijacking techniques. Beyond the
Facebook-status-updating malware mentioned above, they were able to create
ways to "phish" for Facebook credentials using connection hijacking.
The fix for the problem on Linux is to check that the ACK bit is set on the
packet before deciding
that it is a lost delayed ACK. Attackers cannot just switch to turning on
the ACK bit on the probes, because they would need the sequence number in
the other direction to use as the "ACK number" in the packet. Eric Dumazet
has posted a patch to discard the packets that
would trigger this bug, but there is
more needed. The longer-term fix will require moving most of the packet safety checks to
an earlier point in packet handling. That way, fewer kinds of bogus
packets will get far
enough into the networking stack to cause this kind of observable state change.
One other possible solution would be to remove access to the DelayedACKLost
counter for
non-privileged programs. That would likely be difficult to do in Linux, as
it has become part of the kernel's ABI, but it is something to consider for
the future. In their paper, the researchers pointed that out:
(1) Even though OS statistics are aggregated
and seemingly harmless, they can leak critical internal network/system state through unexpected interactions from the
on-device malware and the off-path attacker. Similar observations have been made recently in a few other studies as
well, e.g., using procfs as side channels. Our study
reveals specifically that the packet counters can leak TCP
sequence numbers. (2). Our systems today still have too
much shared state: the active TCP connection list shared
among all apps (through netstat or procfs); the IP address of
the malware's connection and other apps'; the global packet
counters. Future system and network design should carefully
evaluate what information an adversary can obtain through
these shared state.
There certainly are dangers from exposing internal kernel state to user
space—sometimes those dangers don't manifest themselves for quite
some time. Doing so has its benefits, though, for users and developers. It is
a bit of a tricky balancing act—one that is made more difficult by
the "no ABI changes" policy in the kernel. In this case, though, it seems that a
solution has been found without changing the ABI. While the examples given
in the paper may seem somewhat trivial, the techniques could certainly be
used in ways that are far more damaging than an embarrassing Facebook
status update.
Comments (3 posted)
Brief items
Note to the world: You will not be able to effectively censor selected
content from YouTube -- and "blasphemous" material (however you define
it) can be mirrored around the planet. Your filtering systems will
fail in large degrees. You have two real world choices: (a) Get used
to the fact that you can't control the planet's information, and if
you wish, fight information you don't like with more information, not
attempted censorship. Or (b) Cut off the Internet totally (if you
can), and stay in the 13th century where you appear to be comfortable.
Good luck with that latter choice.
--
Lauren Weinstein
I have never seen an industry with more gaping security holes. If our
financial industry regarded security the way the health-care sector does, I
would stuff my cash in a mattress under my bed.
--
Avi
Rubin in
The Washington Post
Comments (1 posted)
Google
reports
that another fraudulent
*.google.com digital certificate was
detected by the Chrome browser in late December; this one traces back to
the certificate authority TURKTRUST. "
In response, we updated
Chrome’s certificate revocation metadata on December 25 to block that
intermediate CA, and then alerted TURKTRUST and other browser
vendors. TURKTRUST told us that based on our information, they discovered
that in August 2011 they had mistakenly issued two intermediate CA
certificates to organizations that should have instead received regular SSL
certificates." Expect a round of updates from other browser
projects.
Comments (54 posted)
An
SQL
injection vulnerability in all Ruby on Rails releases has been
disclosed. "
Due to the way dynamic finders in Active Record extract
options from method parameters, a method parameter can mistakenly be used
as a scope. Carefully crafted requests can use the scope to inject
arbitrary SQL." Fixes can be found in the 3.2.10, 3.1.9, and 3.0.18
releases. This seems like a good one to address quickly.
Update: this
article has a lot more information on this vulnerability.
Comments (3 posted)
Ars technica
writes about an Apache plugin that is being used to turn Linux web servers into Windows banking malware distribution sites. "
The Apache plugin, which Eset software flags as Linux/Chapro.A, contains several features designed to make infections stealthy. To prevent being widely detected, it doesn't serve malicious content when a visitor's browser user agent indicates it's coming from Google or another automated search-engine agent. It also holds its fire against IP addresses that connect to the Web server over SSH-protected channels, preventing site administrators from being exposed. It also uses browser cookies and IP logging to prevent visitors from being exposed to exploits more than once. By hiding the attacks from search engines and admins—and making it hard to determine how end-user machines are infected—the features make it harder to identify the site as compromised."
Comments (none posted)
New vulnerabilities
apparmor-profiles: insecure profile for Chromium
| Package(s): | apparmor-profiles |
CVE #(s): | |
| Created: | December 20, 2012 |
Updated: | January 3, 2013 |
| Description: |
From the Ubuntu advisory:
Dan Rosenberg discovered that the example AppArmor profile for
chromium-browser could be escaped by calling xdg-settings with a crafted
environment. |
| Alerts: |
|
Comments (none posted)
chromium: multiple vulnerabilities
| Package(s): | chromium |
CVE #(s): | CVE-2012-5139
CVE-2012-5140
CVE-2012-5141
CVE-2012-5142
CVE-2012-5143
CVE-2012-5144
|
| Created: | December 21, 2012 |
Updated: | January 28, 2013 |
| Description: |
From the openSUSE advisory:
- CVE-2012-5139: Use-after-free with visibility events
- CVE-2012-5140: Use-after-free in URL loader
- CVE-2012-5141: Limit Chromoting client plug-in
instantiation.
- CVE-2012-5142: Crash in history navigation.
- CVE-2012-5143: Integer overflow in PPAPI image buffers
- CVE-2012-5144: Stack corruption in AAC decoding
|
| Alerts: |
|
Comments (none posted)
drupal: multiple vulnerabilities
| Package(s): | drupal |
CVE #(s): | CVE-2012-5651
CVE-2012-5653
|
| Created: | December 28, 2012 |
Updated: | January 7, 2013 |
| Description: |
From the Mageia advisory:
A vulnerability was identified that allows blocked users to appear
in user search results, even when the search results are viewed by
unprivileged users (CVE-2012-5651).
Drupal core's file upload feature blocks the upload of many files that
can be executed on the server by munging the filename. A malicious user
could name a file in a manner that bypasses this munging of the filename
in Drupal's input validation (CVE-2012-5653).
|
| Alerts: |
|
Comments (none posted)
elinks: information disclosure
| Package(s): | elinks |
CVE #(s): | CVE-2012-4545
|
| Created: | December 28, 2012 |
Updated: | February 12, 2013 |
| Description: |
From the Debian advisory:
Marko Myllynen discovered that elinks, a powerful text-mode browser,
incorrectly delegates user credentials during GSS-Negotiate.
|
| Alerts: |
|
Comments (none posted)
fail2ban: unspecified vulnerability
| Package(s): | fail2ban |
CVE #(s): | CVE-2012-5642
|
| Created: | December 28, 2012 |
Updated: | April 2, 2013 |
| Description: |
From the Fedora advisory:
The release notes for fail2ban 0.8.8 [1],[2] indicate:
* [83109bc] IMPORTANT: escape the content of <matches> (if used in
custom action files) since its value could contain arbitrary
symbols. Thanks for discovery go to the NBS System security
team
This could cause issues on the system running fail2ban as it scans log files, depending on what content is matched. There isn't much more detail about this issue than what is described above, so I think it may largely depend on the type of regexp used (what it matches) and the contents of the log file being scanned (whether or not an attacher could insert something that could be used in a malicious way). |
| Alerts: |
|
Comments (none posted)
freetype2: multiple vulnerabilities
| Package(s): | freetype2 |
CVE #(s): | CVE-2012-5668
CVE-2012-5669
CVE-2012-5670
|
| Created: | December 28, 2012 |
Updated: | February 12, 2013 |
| Description: |
From the Mageia advisory:
A null pointer de-reference flaw was found in the way Freetype font
rendering engine handled Glyph bitmap distribution format (BDF) fonts.
A remote attacker could provide a specially-crafted BDF font file, which
once processed in an application linked against FreeType would lead to
that application crash (CVE-2012-5668).
An out-of heap-based buffer read flaw was found in the way FreeType font
rendering engine performed parsing of glyph information and relevant
bitmaps for glyph bitmap distribution format (BDF). A remote attacker
could provide a specially-crafted BDF font file, which once opened in an
application linked against FreeType would lead to that application crash
(CVE-2012-5669).
An out-of heap-based buffer write flaw was found in the way FreeType font
rendering engine performed parsing of glyph information and relevant
bitmaps for glyph bitmap distribution format (BDF). A remote attacker
could provide a specially-crafted font file, which once opened in an
application linked against FreeType would lead to that application crash,
or, potentially, arbitrary code execution with the privileges of the
user running the application (CVE-2012-5670).
|
| Alerts: |
|
Comments (none posted)
fuse-esb: denial of service
| Package(s): | fuse-esb |
CVE #(s): | CVE-2012-5370
|
| Created: | December 21, 2012 |
Updated: | January 4, 2013 |
| Description: |
From the Red Hat advisory:
A denial of service flaw was found in the implementation of associative
arrays (hashes) in JRuby. An attacker able to supply a large number of
inputs to a JRuby application (such as HTTP POST request parameters sent to
a web application) that are used as keys when inserting data into an array
could trigger multiple hash function collisions, making array operations
take an excessive amount of CPU time. To mitigate this issue, the Murmur
hash function has been replaced with the Perl hash function.
(CVE-2012-5370)
Note: Fuse ESB Enterprise 7.0.2 ships JRuby as part of the camel-ruby
component, which allows users to define Camel routes in Ruby. The default
use of JRuby in Fuse ESB Enterprise 7.0.2 does not appear to expose this
flaw. If the version of JRuby shipped with Fuse ESB Enterprise 7.0.2 was
used to build a custom application, then this flaw could be exposed.
|
| Alerts: |
|
Comments (1 posted)
gnupg: memory access violations
| Package(s): | gnupg |
CVE #(s): | CVE-2012-6085
|
| Created: | January 2, 2013 |
Updated: | January 21, 2013 |
| Description: |
From the Mandriva advisory:
Versions of GnuPG <= 1.4.12 are vulnerable to memory access violations
and public keyring database corruption when importing public keys
that have been manipulated. An OpenPGP key can be fuzzed in such a
way that gpg segfaults (or has other memory access violations) when
importing the key. |
| Alerts: |
|
Comments (none posted)
mahara: multiple vulnerabilities
| Package(s): | mahara |
CVE #(s): | CVE-2012-2239
CVE-2012-2243
CVE-2012-2244
CVE-2012-2246
CVE-2012-2247
CVE-2012-2253
CVE-2012-6037
|
| Created: | December 28, 2012 |
Updated: | January 3, 2013 |
| Description: |
From the Debian advisory:
Multiple security issues have been found in Mahara - an electronic
portfolio, weblog, and resume builder -, which can result in cross-site
scripting, clickjacking or arbitrary file execution.
CVE-2012-2239: Mahara 1.4.x before 1.4.4 and 1.5.x before 1.5.3 allows remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack, as demonstrated by reading config.php.
CVE-2012-2243: Cross-site scripting (XSS) vulnerability in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to inject arbitrary web script or HTML by uploading an XML file with the xhtml extension, which is rendered inline as script. NOTE: this can be leveraged with CVE-2012-2244 to execute arbitrary code without authentication, as demonstrated by modifying the clamav path.
CVE-2012-2244: Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote authenticated administrators to execute arbitrary programs by modifying the path to clamav. NOTE: this can be exploited without authentication by leveraging CVE-2012-2243.
CVE-2012-2246: Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to conduct clickjacking attacks to delete arbitrary users and bypass CSRF protection via account/delete.php.
CVE-2012-2247: Cross-site scripting (XSS) vulnerability in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to artefact/file/ and a crafted SVG file.
CVE-2012-2253: Cross-site scripting (XSS) vulnerability in group/members.php in Mahara 1.5.x before 1.5.7 and 1.6.x before 1.6.2 allows remote attackers to inject arbitrary web script or HTML via the query parameter.
CVE-2012-6037: Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4, and other versions including 1.2, allow remote attackers to inject arbitrary web script or HTML via a CSV header with "unknown fields," which are not properly handled in error messages in the (1) bulk user, (2) group, and (3) group member upload capabilities. NOTE: this issue was originally part of CVE-2012-2243, but that ID was SPLIT due to different issues by different researchers. |
| Alerts: |
|
Comments (none posted)
mediawiki-extensions: cross-site scripting
| Package(s): | mediawiki-extensions |
CVE #(s): | |
| Created: | December 31, 2012 |
Updated: | January 8, 2013 |
| Description: |
From the Debian advisory:
Thorsten Glaser discovered that the RSSReader extension for mediawiki, a
website engine for collaborative work, does not properly escape tags in
feeds. This could allow a malicious feed to inject JavaScript into the
mediawiki pages. |
| Alerts: |
|
Comments (1 posted)
moin: multiple vulnerabilities
| Package(s): | moin |
CVE #(s): | CVE-2012-6495
CVE-2012-6081
CVE-2012-6082
CVE-2012-6080
|
| Created: | December 31, 2012 |
Updated: | January 23, 2013 |
| Description: |
From the CVE entries:
Multiple directory traversal vulnerabilities in the (1) twikidraw (action/twikidraw.py) and (2) anywikidraw (action/anywikidraw.py) actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to overwrite arbitrary files via unspecified vectors. NOTE: this can be leveraged with CVE-2012-6081 to execute arbitrary code. (CVE-2012-6495)
Multiple unrestricted file upload vulnerabilities in the (1) twikidraw (action/twikidraw.py) and (2) anywikidraw (action/anywikidraw.py) actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory, as exploited in the wild in July 2012. (CVE-2012-6081)
Cross-site scripting (XSS) vulnerability in the rsslink function in theme/__init__.py in MoinMoin 1.9.5 allows remote attackers to inject arbitrary web script or HTML via the page name in a rss link. (CVE-2012-6082)
Directory traversal vulnerability in the _do_attachment_move function in the AttachFile action (action/AttachFile.py) in MoinMoin 1.9.3 through 1.9.5 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in a file name. (CVE-2012-6080)
See the MoinMoin security fixes page for more information. Version 1.9.6 contains the patches for these issues. |
| Alerts: |
|
Comments (none posted)
ndjbns: DNS cache poisoning
| Package(s): | ndjbdns |
CVE #(s): | CVE-2008-4392
|
| Created: | January 3, 2013 |
Updated: | January 3, 2013 |
| Description: |
From the NVD entry:
dnscache in Daniel J. Bernstein djbdns 1.05 does not prevent simultaneous identical outbound DNS queries, which makes it easier for remote attackers to spoof DNS responses, as demonstrated by a spoofed A record in the Additional section of a response to a Start of Authority (SOA) query. |
| Alerts: |
|
Comments (none posted)
php-symfony2-HttpKernel: multiple vulnerabilities
| Package(s): | php-symfony2-HttpKernel |
CVE #(s): | CVE-2012-6431
CVE-2012-6432
|
| Created: | January 3, 2013 |
Updated: | January 7, 2013 |
| Description: |
From the Symfony advisory:
CVE-2012-6431: On the Symfony 2.0.x version, there's a security issue that allows access to routes protected by a firewall even when the user is not logged in.
CVE-2012-6432: For handling ESIs (via the render tag), Symfony uses a special route named _internal, defined in @FrameworkBundle/Resources/config/routing/internal.xml.
As of Symfony 2.1, the internal routing file defines an additional route, _internal_public, to be able to manage HIncludes (also via the render tag).
As the _internal route must only be used to route URLs between your PHP application and a reverse proxy, it must be secured to avoid any access from a browser. But the _internal_public route must always be available from a browser as it should be reachable by your frontend JavaScript (of course only if you are using HIncludes in your application).
These two routes execute the same FrameworkBundle:Internal:index controller which in turn executes the controller passed as an argument in the URL. If these routes are reachable by a browser, an attacker could call them to execute protected controllers or any other service (as a controller can also be defined as a service). |
| Alerts: |
|
Comments (none posted)
php-ZendFramework: denial of service
| Package(s): | php-ZendFramework |
CVE #(s): | CVE-2012-5657
|
| Created: | December 28, 2012 |
Updated: | January 21, 2013 |
| Description: |
From the Mageia advisory:
A vulnerability was reported in Zend Framework versions prior to 1.11.15
and 1.12.1, which can be exploited to disclose certain sensitive
information. This flaw is caused due to an error in the "Zend_Feed_Rss"
and "Zend_Feed_Atom" classes of the "Zend_Feed" component, when
processing XML data. It can be used to disclose the contents of certain
local files by sending specially crafted XML data including external
entity references. |
| Alerts: |
|
Comments (none posted)
python-django: multiple vulnerabilities
| Package(s): | python-django |
CVE #(s): | |
| Created: | January 3, 2013 |
Updated: | January 3, 2013 |
| Description: |
From the Django advisory:
Several earlier Django security releases focused on the issue of poisoning the HTTP Host header, causing Django to generate URLs pointing to arbitrary, potentially-malicious domains.
In response to further input received and reports of continuing issues following the previous release, we're taking additional steps to tighten Host header validation.
Also following up on a previous issue: in July of this year, we made changes to Django's HTTP redirect classes, performing additional validation of the scheme of the URL to redirect to (since, both within Django's own supplied applications and many third-party applications, accepting a user-supplied redirect target is a common pattern).
Since then, two independent audits of the code turned up further potential problems. So, similar to the Host-header issue, we are taking steps to provide tighter validation in response to reported problems (primarily with third-party applications, but to a certain extent also within Django itself). |
| Alerts: |
|
Comments (none posted)
squid: denial of service
| Package(s): | squid |
CVE #(s): | CVE-2012-5643
|
| Created: | December 26, 2012 |
Updated: | March 11, 2013 |
| Description: |
From the CVE entry:
Multiple memory leaks in tools/cachemgr.cc in cachemgr.cgi in Squid 2.x and 3.x before 3.1.22, 3.2.x before 3.2.4, and 3.3.x before 3.3.0.2 allow remote attackers to cause a denial of service (memory consumption) via (1) invalid Content-Length headers, (2) long POST requests, or (3) crafted authentication credentials. |
| Alerts: |
|
Comments (none posted)
tomcat: denial of service
| Package(s): | tomcat |
CVE #(s): | CVE-2012-5568
|
| Created: | December 28, 2012 |
Updated: | January 3, 2013 |
| Description: |
From the openSUSE advisory:
Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris. |
| Alerts: |
|
Comments (none posted)
v8: multiple vulnerabilities
| Package(s): | v8 |
CVE #(s): | CVE-2012-5120
CVE-2012-5128
|
| Created: | December 31, 2012 |
Updated: | January 9, 2013 |
| Description: |
From the CVE entries:
Google V8 before 3.13.7.5, as used in Google Chrome before 23.0.1271.64, on 64-bit Linux platforms allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers an out-of-bounds access to an array. (CVE-2012-5120)
Google V8 before 3.13.7.5, as used in Google Chrome before 23.0.1271.64, does not properly perform write operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2012-5128) |
| Alerts: |
|
Comments (none posted)
virtualbox-ose: denial of service
| Package(s): | virtualbox-ose |
CVE #(s): | CVE-2012-3221
|
| Created: | December 31, 2012 |
Updated: | January 18, 2013 |
| Description: |
From the Debian advisory:
"halfdog" discovered that incorrect interrupt handling in Virtualbox,
a x86 virtualization solution - can lead to denial of service. |
| Alerts: |
|
Comments (none posted)
Page editor: Jake Edge
Next page: Kernel development>>
