CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 5CVE-2019-19726 – OpenBSD 6.x - Dynamic Loader Privilege Escalation
https://notcve.org/view.php?id=CVE-2019-19726
OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root. OpenBSD versiones hasta 6.6, permite a usuarios locales escalar a root porque una comprobación de LD_LIBRARY_PATH en los programas setuid puede ser vencida estableciendo un límite de recursos de RLIMIT_DATA muy pequeño. Al ejecutar chpass o passwd (que son root de setuid), en la función _dl_setup_env en el archivo ld.so intenta eliminar LD_LIBRARY_PATH del entorno, pero presenta un fallo cuando no puede asignar memoria. • https://www.exploit-db.com/exploits/47780 https://www.exploit-db.com/exploits/47803 http://packetstormsecurity.com/files/155658/Qualys-Security-Advisory-OpenBSD-Dynamic-Loader-Privilege-Escalation.html http://packetstormsecurity.com/files/155764/OpenBSD-Dynamic-Loader-chpass-Privilege-Escalation.html http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html http://seclists.org/fulldisclosure/2019/Dec/31 http://seclists.org/fulldisclosure/2023/Oct/11 http://www.openwall.com/lists/ • CWE-269: Improper Privilege Management •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2019-8460
https://notcve.org/view.php?id=CVE-2019-8460
OpenBSD kernel version <= 6.5 can be forced to create long chains of TCP SACK holes that causes very expensive calls to tcp_sack_option() for every incoming SACK packet which can lead to a denial of service. La versión del núcleo de OpenBSD anterior o igual a la versión 6.5 se puede forzar a crear largas cadenas de agujeros TCP SACK que provocan llamadas muy costosas a tcp_sack_option () para cada paquete SACK entrante que puede conducir a una denegación de servicio. • https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/006_tcpsack.patch.sig https://github.com/openbsd/src/commit/ed8fdce754a5d8d14c09e989d8877707bd43906f https://research.checkpoint.com/tcp-sack-security-issue-in-openbsd-cve-2019-8460 https://security.netapp.com/advisory/ntap-20190905-0001 https://us-cert.cisa.gov/ics/advisories/icsa-19-253-03 • CWE-1049: Excessive Data Query Operations in a Large Data Table •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-14775
https://notcve.org/view.php?id=CVE-2018-14775
tss_alloc in sys/arch/i386/i386/gdt.c in OpenBSD 6.2 and 6.3 has a Local Denial of Service (system crash) due to incorrect I/O port access control on the i386 architecture. tss_alloc en sys/arch/i386/i386/gdt.c en OpenBSD 6.2 y 6.3 tiene una denegación de servicio (DoS) local (cierre inesperado del sistema) debido a un acceso incorrecto al puerto I/O en la arquitectura i386. • http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/arch/i386/i386/gdt.c http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/arch/i386/i386/gdt.c.diff?r1=1.37&r2=1.37.8.1&f=h http://www.securitytracker.com/id/1041550 https://ftp.openbsd.org/pub/OpenBSD/patches/6.2/common/020_ioport.patch.sig https://ftp.openbsd.org/pub/OpenBSD/patches/6.3/common/015_ioport.patch.sig • CWE-20: Improper Input Validation •
CVSS: 7.1EPSS: 2%CPEs: 2049EXPL: 0CVE-2008-4609
https://notcve.org/view.php?id=CVE-2008-4609
The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress. La implementación del protocolo TCP en (1) Linux, (2) plataformas basadas en BSD Unix, (3) Microsoft Windows, (4) productos Cisco, y probablemente otros sistemas operativos, permite a atacantes remotos provocar una denegación de servicio (agotamiento de cola de conexión) a través de múltiples vectores que manipulan información en la tabla de estados del TCP, como lo demuestra sockstress. • http://blog.robertlee.name/2008/10/conjecture-speculation.html http://insecure.org/stf/tcp-dos-attack-explained.html http://lists.immunitysec.com/pipermail/dailydave/2008-October/005360.html http://marc.info/?l=bugtraq&m=125856010926699&w=2 http://searchsecurity.techtarget.com.au/articles/27154-TCP-is-fundamentally-borked http://www.cisco.com/en/US/products/products_security_advisory09186a0080af511d.shtml http://www.cisco.com/en/US/products/products_security_response09186a0080a15120.html http://www.cpni • CWE-16: Configuration •
CVSS: 9.3EPSS: 3%CPEs: 10EXPL: 0CVE-2008-2476
https://notcve.org/view.php?id=CVE-2008-2476
The IPv6 Neighbor Discovery Protocol (NDP) implementation in (1) FreeBSD 6.3 through 7.1, (2) OpenBSD 4.2 and 4.3, (3) NetBSD, (4) Force10 FTOS before E7.7.1.1, (5) Juniper JUNOS, and (6) Wind River VxWorks 5.x through 6.4 does not validate the origin of Neighbor Discovery messages, which allows remote attackers to cause a denial of service (loss of connectivity) or read private network traffic via a spoofed message that modifies the Forward Information Base (FIB). La implementación IPv6 Neighbor Discovery Protocol (NDP) en (1) FreeBSD v6.3 hasta v7.1, (2) OpenBSD v4.2 y v4.3, (3) NetBSD, (4) Force10 FTOS versiones anteriores a vE7.7.1.1, (5) Juniper JUNOS, y (6) Wind River VxWorks 5.x hasta v6.4 no valida los mensaje originales de Neighbor Discovery, lo cual permite a atacantes remotos provocar una denegación de servicio (pérdida de conectividad) o leer tráfico de red privado a través de mensajes falsos que modifica la Forward Information Base (FIB). • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-013.txt.asc http://secunia.com/advisories/32112 http://secunia.com/advisories/32116 http://secunia.com/advisories/32117 http://secunia.com/advisories/32133 http://secunia.com/advisories/32406 http://security.freebsd.org/advisories/FreeBSD-SA-08:10.nd6.asc http://securitytracker.com/id?1020968 http://support.apple.com/kb/HT3467 http://www.kb.cert.org/vuls/id/472363 http://www.kb.cert.org/vuls/id/ • CWE-20: Improper Input Validation •