CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2017-1086
https://notcve.org/view.php?id=CVE-2017-1086
In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p4, 11.0-RELEASE-p15, 10.4-STABLE, 10.4-RELEASE-p3, and 10.3-RELEASE-p24, not all information in the struct ptrace_lwpinfo is relevant for the state of any thread, and the kernel does not fill the irrelevant bytes or short strings. Since the structure filled by the kernel is allocated on the kernel stack and copied to userspace, a leak of information of the kernel stack of the thread is possible from the debugger. As a result, some bytes from the kernel stack of the thread using ptrace (PT_LWPINFO) call can be observed in userspace. En FreeBSD, en versiones anteriores a 11.1-STABLE, 11.1-RELEASE-p4, 11.0-RELEASE-p15, 10.4-STABLE, 10.4-RELEASE-p3 y 10.3-RELEASE-p24, no toda la información en el struct ptrace_lwpinfo es relevante para el estado de los hilos y el kernel no rellena los bytes no relevantes o cadenas cortas. Dado que la estructura que rellena el kernel se asigna a la pila del kernel y se copia al espacio de usuario, es posible que se produzca una fuga de información de la pila del kernel del hilo desde el depurador. • http://www.securityfocus.com/bid/101861 http://www.securitytracker.com/id/1039809 https://www.freebsd.org/security/advisories/FreeBSD-SA-17:08.ptrace.asc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2017-1088
https://notcve.org/view.php?id=CVE-2017-1088
In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p4, 11.0-RELEASE-p15, 10.4-STABLE, 10.4-RELEASE-p3, and 10.3-RELEASE-p24, the kernel does not properly clear the memory of the kld_file_stat structure before filling the data. Since the structure filled by the kernel is allocated on the kernel stack and copied to userspace, a leak of information from the kernel stack is possible. As a result, some bytes from the kernel stack can be observed in userspace. En FreeBSD en versiones anteriores a 11.1-STABLE, 11.1-RELEASE-p4, 11.0-RELEASE-p15, 10.4-STABLE, 10.4-RELEASE-p3 y 10.3-RELEASE-p24, el kernel no limpia correctamente la memoria de la estructura kld_file_stat antes de rellenar los datos. Dado que la estructura que rellena el kernel se asigna a la pila del kernel y se copia al espacio de usuario, es posible que se produzca una fuga de información desde la pila del kernel. • http://www.securityfocus.com/bid/101857 http://www.securitytracker.com/id/1039811 https://www.freebsd.org/security/advisories/FreeBSD-SA-17:10.kldstat.asc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-1087
https://notcve.org/view.php?id=CVE-2017-1087
In FreeBSD 10.x before 10.4-STABLE, 10.4-RELEASE-p3, and 10.3-RELEASE-p24 named paths are globally scoped, meaning a process located in one jail can read and modify the content of POSIX shared memory objects created by a process in another jail or the host system. As a result, a malicious user that has access to a jailed system is able to abuse shared memory by injecting malicious content in the shared memory region. This memory region might be executed by applications trusting the shared memory, like Squid. This issue could lead to a Denial of Service or local privilege escalation. En FreeBSD en versiones 10.x anteriores a 10.4-STABLE, 10.4-RELEASE-p3 y 10.3-RELEASE-p24, las rutas nombradas tienen alcance global, lo que significa que un proceso localizado en una jaula puede leer y modificar el contenido de los objetos de la memoria compartida de POSIX creados por un proceso en otra jaula o el sistema host. • http://www.securityfocus.com/bid/101867 http://www.securitytracker.com/id/1039810 https://www.freebsd.org/security/advisories/FreeBSD-SA-17:09.shm.asc • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.1EPSS: 0%CPEs: 85EXPL: 0CVE-2017-13078 – wpa_supplicant: Reinstallation of the group key in the 4-way handshake
https://notcve.org/view.php?id=CVE-2017-13078
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points to clients. Wi-Fi Protected Access (WPA y WPA2) permite la reinstalación de la clave temporal GTK (Group Temporal Key) durante la negociación en cuatro pasos, haciendo que un atacante en el rango de radio reproduzca frames desde los puntos de acceso hasta los clientes. A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used group key (GTK) during a 4-way handshake. • http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00020.html http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00023.html http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00024.html http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007.txt http://www.debian.org/security/2017/dsa-3999 http://www.kb.cert.org/vuls/id/228519 http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html http://www.oracle.com/technetwork/security-a • CWE-323: Reusing a Nonce, Key Pair in Encryption CWE-330: Use of Insufficiently Random Values •
CVSS: 6.8EPSS: 0%CPEs: 85EXPL: 0CVE-2017-13084
https://notcve.org/view.php?id=CVE-2017-13084
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Station-To-Station-Link (STSL) Transient Key (STK) during the PeerKey handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames. Wi-Fi Protected Access (WPA y WPA2) permite la reinstalación de la clave STK (Transient Key) STSL (Station-To-Station-Link) durante la negociación PeerKey, haciendo que un atacante que se sitúe dentro del radio reproduzca, descifre o suplante frames. • http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007.txt http://www.kb.cert.org/vuls/id/228519 http://www.securityfocus.com/bid/101274 http://www.securitytracker.com/id/1039576 http://www.securitytracker.com/id/1039577 http://www.securitytracker.com/id/1039581 https://access.redhat.com/security/vulnerabilities/kracks https://cert-portal.siemens.com/productcert/pdf/ssa-901333.pdf https://security.gentoo.org/glsa/201711-03 https://support.lenovo.com/us/en/product_secur • CWE-323: Reusing a Nonce, Key Pair in Encryption CWE-330: Use of Insufficiently Random Values •