CVE-2018-1089 – 389-ds-base: ns-slapd crash via large filter value in ldapsearch
https://notcve.org/view.php?id=CVE-2018-1089
389-ds-base before versions 1.4.0.9, 1.3.8.1, 1.3.6.15 did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service. 389-ds-base en versiones anteriores a la 1.4.0.9, 1.3.8.1 y 1.3.6.15 no gestionó correctamente los filtros de búsqueda largos con caracteres que necesitan escapado. Esto podría conducir a desbordamientos de búfer. Un atacante remoto no autenticado podría emplear este error para hacer que ns-slapd se cierre inesperadamente mediante una petición LDAP especialmente manipulada que resulta en una denegación de servicio (DoS). It was found that 389-ds-base did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. • http://www.securityfocus.com/bid/104137 https://access.redhat.com/errata/RHSA-2018:1364 https://access.redhat.com/errata/RHSA-2018:1380 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1089 https://lists.debian.org/debian-lts-announce/2018/07/msg00018.html https://access.redhat.com/security/cve/CVE-2018-1089 https://bugzilla.redhat.com/show_bug.cgi?id=1559802 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •
CVE-2018-10184 – haproxy: Heap buffer overflow in mux_h2.c:h2_process_demux() can allow attackers to cause a denial of service
https://notcve.org/view.php?id=CVE-2018-10184
An issue was discovered in HAProxy before 1.8.8. The incoming H2 frame length was checked against the max_frame_size setting instead of being checked against the bufsize. The max_frame_size only applies to outgoing traffic and not to incoming, so if a large enough frame size is advertised in the SETTINGS frame, a wrapped frame will be defragmented into a temporary allocated buffer where the second fragment may overflow the heap by up to 16 kB. It is very unlikely that this can be exploited for code execution given that buffers are very short lived and their addresses not realistically predictable in production, but the likelihood of an immediate crash is absolutely certain. Se ha descubierto un problema en versiones anteriores a la 1.8.8 de HAProxy. • http://git.haproxy.org/?p=haproxy-1.8.git%3Ba=commit%3Bh=cd117685f0cff4f2f5577ef6a21eaae96ebd9f28 http://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=3f0e1ec70173593f4c2b3681b26c04a4ed5fc588 https://access.redhat.com/errata/RHSA-2018:1372 https://access.redhat.com/security/cve/CVE-2018-10184 https://bugzilla.redhat.com/show_bug.cgi?id=1569297 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •
CVE-2018-1087 – Kernel: KVM: error in exception handling leads to wrong debug stack value
https://notcve.org/view.php?id=CVE-2018-1087
kernel KVM before versions kernel 4.16, kernel 4.16-rc7, kernel 4.17-rc1, kernel 4.17-rc2 and kernel 4.17-rc3 is vulnerable to a flaw in the way the Linux kernel's KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest. kernel KVM en versiones anteriores al kernel 4.16, kernel 4.16-rc7, kernel 4.17-rc1, kernel 4.17-rc2 y kernel 4.17-rc3 es vulnerable a un error en la forma en la que el hipervisor KVM del kernel de Linux gestiona las excepciones lanzadas tras una operación de cambio de pila mediante instrucciones Mov SS o Pop SS. Durante la operación de cambio de pila, el procesador no lanzó interrupciones y excepciones, sino que las lanza una vez se ha ejecutado la primera instrucción tras el cambio de pila. Un usuario invitado sin privilegios de KVM podría usar este error para provocar el cierre inesperado del guest o escalar sus privilegios en el guest. • http://www.openwall.com/lists/oss-security/2018/05/08/5 http://www.securityfocus.com/bid/104127 http://www.securitytracker.com/id/1040862 https://access.redhat.com/errata/RHSA-2018:1318 https://access.redhat.com/errata/RHSA-2018:1345 https://access.redhat.com/errata/RHSA-2018:1347 https://access.redhat.com/errata/RHSA-2018:1348 https://access.redhat.com/errata/RHSA-2018:1355 https://access.redhat.com/errata/RHSA-2018:1524 https://access.redhat.com/security/vulnerabili • CWE-250: Execution with Unnecessary Privileges •
CVE-2018-8897 – Microsoft Windows - 'POP/MOV SS' Privilege Escalation
https://notcve.org/view.php?id=CVE-2018-8897
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. • https://www.exploit-db.com/exploits/44697 https://www.exploit-db.com/exploits/45024 https://github.com/can1357/CVE-2018-8897 https://github.com/nmulasmajic/CVE-2018-8897 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9 http://openwall.com/lists/oss-security/2018/05/08/1 http://openwall.com/lists/oss-security/2018/05/08/4 http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190921-01-debug-en http: • CWE-250: Execution with Unnecessary Privileges CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2018-10767 – libgxps: Stack-based buffer overflow in calling glib in gxps_images_guess_content_type of gcontenttype.c
https://notcve.org/view.php?id=CVE-2018-10767
There is a stack-based buffer over-read in calling GLib in the function gxps_images_guess_content_type of gxps-images.c in libgxps through 0.3.0 because it does not reject negative return values from a g_input_stream_read call. A crafted input will lead to a remote denial of service attack. Hay una sobrelectura de búfer basada en pila en la llamada a GLib en la función gxps_images_guess_content_type de gxps-images.c en libgxps hasta la versión 0.3.0 debido a que no rechaza los valores de retorno de una llamada g_input_stream_read. Se podría realizar un ataque de denegación de servicio remoto con una entrada especialmente manipulada. • https://access.redhat.com/errata/RHBA-2019:0327 https://access.redhat.com/errata/RHSA-2018:3140 https://access.redhat.com/errata/RHSA-2018:3505 https://bugzilla.redhat.com/show_bug.cgi?id=1575188 https://access.redhat.com/security/cve/CVE-2018-10767 https://bugzilla.redhat.com/show_bug.cgi?id=1576175 • CWE-121: Stack-based Buffer Overflow CWE-125: Out-of-bounds Read •