CVE-2017-13077 – wpa_supplicant: Reinstallation of the pairwise key in the 4-way handshake
https://notcve.org/view.php?id=CVE-2017-13077
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the four-way handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames. Wi-Fi Protected Access (WPA y WPA2) permite la reinstalación de la clave temporal (TK) PTK (Pairwise Transient Key) durante la negociación en cuatro pasos, haciendo que un atacante que se sitúe entro del radio responda, descifre o suplante frames. A new exploitation technique called key reinstallation attacks (KRACKs) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used pairwise key (PTK-TK) during a 4-way handshake. • http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007.txt http://www.debian.org/security/2017/dsa-3999 http://www.kb.cert.org/vuls/id/228519 http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html http://www.securityfocus.com/bid/101274 http://www.securitytracker.com/id/1039573 http://www.securitytracker.com/id/1039576 http://www.securitytracker.com/id/1039577 http://www.security • CWE-323: Reusing a Nonce, Key Pair in Encryption CWE-330: Use of Insufficiently Random Values •
CVE-2017-13081
https://notcve.org/view.php?id=CVE-2017-13081
Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients. Wi-Fi Protected Access (WPA y WPA2) que soporte IEEE 802.11w permite la reinstalación de la clave temporal IGTK (Integrity Group Temporal Key) durante el handshake de clave de grupo, haciendo que un atacante en el rango de radio suplante frames desde los puntos de acceso hasta los clientes. • http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00020.html http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00023.html http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00024.html http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007.txt http://www.debian.org/security/2017/dsa-3999 http://www.kb.cert.org/vuls/id/228519 http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html http://www.securityfocus.com/bid/101274 http • CWE-323: Reusing a Nonce, Key Pair in Encryption CWE-330: Use of Insufficiently Random Values •
CVE-2017-15037
https://notcve.org/view.php?id=CVE-2017-15037
In FreeBSD through 11.1, the smb_strdupin function in sys/netsmb/smb_subr.c has a race condition with a resultant out-of-bounds read, because it can cause t2p->t_name strings to lack a final '\0' character. En FreeBSD hasta la versión 11.1, la función smb_strdupin en sys/netsmb/smb_subr.c tiene una condición de carrera con una lectura fuera de límites porque puede hace que les falten el carácter "\0" a las cadenas t2p->t_name. • http://www.securityfocus.com/bid/101191 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222687 https://svnweb.freebsd.org/base?view=revision&revision=324102 • CWE-125: Out-of-bounds Read CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2017-1085 – FreeBSD - 'setrlimit' Stack Clash (PoC)
https://notcve.org/view.php?id=CVE-2017-1085
In FreeBSD before 11.2-RELEASE, an application which calls setrlimit() to increase RLIMIT_STACK may turn a read-only memory region below the stack into a read-write region. A specially crafted executable could be exploited to execute arbitrary code in the user context. En FreeBSD en versiones anteriores a la 11.2-RELEASE, una aplicación que llama a setrlimit() para incrementar RLIMIT_STACK podría hacer que una región de memoria de solo lectura bajo la pila pase a ser una región de lectura y escritura. Un ejecutable especialmente manipulado podría explotarse para ejecutar código arbitrario en el contexto del usuario. • https://www.exploit-db.com/exploits/42279 https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2017-1084 – FreeBSD - 'FGPE' Stack Clash (PoC)
https://notcve.org/view.php?id=CVE-2017-1084
In FreeBSD before 11.2-RELEASE, multiple issues with the implementation of the stack guard-page reduce the protections afforded by the guard-page. This results in the possibility a poorly written process could be cause a stack overflow. En FreeBSD en versiones anteriores a la 11.2-RELEASE, múltiples problemas con la implementación de la página guard de la pila reducen las protecciones de la página guard. Esto resulta en la posibilidad de que un proceso mal escrito provoque un desbordamiento de pila. • https://www.exploit-db.com/exploits/42278 https://www.exploit-db.com/exploits/42277 https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •