Log

CVE-2017-1000250 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Information disclosure
Description
+ An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys.
References
+ https://www.armis.com/blueborne/
+ http://pkgs.fedoraproject.org/cgit/rpms/bluez.git/plain/0010-Out-of-bounds-heap-read-in-service_search_attr_req-f.patch
Notes
CVE-2017-1000251 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the kernel stack protection feature enabled (CONFIG_CC_STACKPROTECTOR=y), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although it is unlikely. On systems without the stack protection feature, an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges.
References
+ https://git.kernel.org/linus/e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3
+ https://www.armis.com/blueborne/
Notes
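Added example, not code from the kernel, the fix commit or the advisory: a bounded config-option writer in the style of the CVE-2017-1000251 fix, which passes an end pointer next to the output cursor and checks the remaining space before each option is appended, so a long pending configuration response cannot run past a fixed-size stack buffer. The buffer size, option type and MTU value below are this example's own assumptions.

```c
/* Added example, not code from the kernel or the advisory: a bounded
 * config-option writer in the style of the CVE-2017-1000251 fix, which
 * passes an end pointer next to the output cursor and checks the remaining
 * space before each option is appended. Names, sizes and the option
 * value are this example's own assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CONF_OPT_HDR 2     /* type byte + length byte, as in L2CAP config options */
#define CONF_RSP_BUF 64    /* a small fixed stack buffer, the kind that overflowed */

/* Append one type/len/value option at *ptr. Returns the bytes written, or
 * 0 (writing nothing) when the option would not fit before endptr. */
static size_t add_conf_opt(uint8_t **ptr, const uint8_t *endptr,
                           uint8_t type, uint8_t len, const void *val)
{
    uint8_t *p = *ptr;
    if ((size_t)(endptr - p) < (size_t)CONF_OPT_HDR + len)
        return 0;                        /* the bound the vulnerable code lacked */
    p[0] = type;
    p[1] = len;
    memcpy(p + CONF_OPT_HDR, val, len);
    *ptr = p + CONF_OPT_HDR + len;
    return CONF_OPT_HDR + len;
}

/* Build a response echoing `count` copies of a 4-byte MTU option into
 * out[0..outsz). Returns the total length; stops cleanly when out of room
 * instead of running past the end of the caller's buffer. */
size_t build_conf_rsp(uint8_t *out, size_t outsz, unsigned count)
{
    uint8_t *ptr = out;
    const uint8_t *endptr = out + outsz;
    uint32_t mtu = 672;                  /* arbitrary option payload */
    for (unsigned i = 0; i < count; i++)
        if (add_conf_opt(&ptr, endptr, 0x01, sizeof mtu, &mtu) == 0)
            break;
    return (size_t)(ptr - out);
}

int main(void)
{
    uint8_t rsp[CONF_RSP_BUF];
    /* 100 echoed options would need 600 bytes; only 60 are emitted */
    printf("emitted %zu of %d bytes\n", build_conf_rsp(rsp, sizeof rsp, 100), CONF_RSP_BUF);
    return 0;
}
```

The point of the end-pointer convention is that the caller's buffer size travels with the cursor, so every writer along the path can refuse rather than trust that whoever filled the incoming options kept them short.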
CVE-2017-1000254 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Remote
Type
+ Denial of service
Description
+ When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients from working with it: the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault.
References
+ https://curl.haxx.se/docs/adv_20171004.html
+ https://curl.haxx.se/CVE-2017-1000254.patch
+ https://github.com/curl/curl/commit/5ff2c5ff25750aba1a8f64fbcad8e5b891512584
Notes
+ Introduced by https://github.com/curl/curl/commit/415d2e7cb7dd4f40b7c857f0fba23487dcd030a0
+ Affected versions: libcurl 7.7 to and including 7.55.1
+ Not affected versions: libcurl < 7.7 and >= 7.56.0
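Added example, not curl's code: a parser for the quoted path in an FTP 257 reply, modelled on the behaviour the CVE-2017-1000254 description gives. The first variant mirrors the flaw (the NUL terminator is written only on the closing-quote path), the second treats a missing closing quote as an error and always terminates the buffer. Function names and the sample replies are this example's own.

```c
/* Added example (not curl's code): parsing the quoted path out of an FTP
 * "257" reply to PWD, modelled on the behaviour CVE-2017-1000254 describes.
 * The function names and return conventions are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Locate the byte after the opening quote in a 257 reply; NULL if absent. */
static const char *pwd_path_start(const char *line)
{
    if (strncmp(line, "257", 3) != 0)
        return NULL;
    const char *q = strchr(line + 3, '"');
    return q ? q + 1 : NULL;
}

/* The flawed shape: copy until the closing quote, treating "" as an escaped
 * quote, and write the NUL only when the closing quote is found. Returns
 * the number of bytes copied; on an unterminated quote out[n] is left as is. */
size_t pwd_parse_unsafe(const char *line, char *out, size_t outsz)
{
    const char *p = pwd_path_start(line);
    size_t n = 0;
    if (!p) return 0;
    while (*p && n + 1 < outsz) {
        if (*p == '"') {
            if (p[1] == '"') { out[n++] = '"'; p += 2; continue; }
            out[n] = '\0';          /* terminator only on this path */
            return n;
        }
        out[n++] = *p++;
    }
    return n;                       /* end of input: no terminator written */
}

/* Hardened form: an unterminated quote is a protocol error, and the
 * buffer is always NUL-terminated. Returns true on success. */
bool pwd_parse_safe(const char *line, char *out, size_t outsz)
{
    const char *p = pwd_path_start(line);
    size_t n = 0;
    if (!p || outsz == 0) return false;
    while (*p && n + 1 < outsz) {
        if (*p == '"') {
            if (p[1] == '"') { out[n++] = '"'; p += 2; continue; }
            out[n] = '\0';
            return true;
        }
        out[n++] = *p++;
    }
    out[0] = '\0';                  /* no closing quote (or no room): reject */
    return false;
}

int main(void)
{
    char path[64];
    const char *good = "257 \"/home/user\" is current directory.";
    const char *bad  = "257 \"/home/user";   /* constructed: no closing quote */
    printf("good: %s\n", pwd_parse_safe(good, path, sizeof path) ? path : "(rejected)");
    printf("bad:  %s\n", pwd_parse_safe(bad, path, sizeof path) ? path : "(rejected)");
    return 0;
}
```

The unsafe variant never touches memory outside the buffer here; the damage happens later, when a strlen() or strcpy() on the unterminated name runs past it, which is why the flaw surfaced as crashes far from the parser.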
CVE-2017-1000257 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ A heap buffer overrun flaw was found in the IMAP handler of libcurl >= 7.20.0 and < 7.56.1. An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded.
+ By tricking an unsuspecting user into connecting to a malicious IMAP server, an attacker could exploit this flaw to potentially cause information disclosure or crash the application.
References
+ https://curl.haxx.se/docs/adv_20171023.html
+ https://curl.haxx.se/CVE-2017-1000257.patch
+ https://github.com/curl/curl/commit/13c9a9ded3ae744a1e11cbc14e9146d9fa427040
Notes
+ Introduced by: https://github.com/curl/curl/commit/ec3bb8f727405642a471b4b1b9eb0118fc003104
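Added example, not curl's code: how a "zero means unknown length" convention in a delivery routine turns an IMAP FETCH literal of size 0 into an over-read, and the shape of the fix the advisory describes (do not hand a zero-length literal to the delivery routine at all). The FETCH line, the stand-in heap buffer and all function names are this example's own constructions.

```c
/* Added example (not curl's code): a "zero means use strlen()" delivery
 * convention meeting a zero-length IMAP FETCH literal, as in
 * CVE-2017-1000257, beside the fixed flow that skips the delivery. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the literal size from a FETCH line such as
 *   "* 1 FETCH (BODY[TEXT] {0}"  -> 0
 * Returns false if no "{N}" literal is present. */
bool imap_fetch_size(const char *line, size_t *size)
{
    const char *lb = strchr(line, '{');
    if (!lb) return false;
    char *end;
    unsigned long n = strtoul(lb + 1, &end, 10);
    if (end == lb + 1 || *end != '}') return false;
    *size = (size_t)n;
    return true;
}

/* Delivery sink with the magic-number convention: 0 means "use strlen()". */
size_t deliver_data(const char *buf, size_t len, size_t *delivered)
{
    if (len == 0)
        len = strlen(buf);          /* over-reads when buf is not NUL-terminated */
    *delivered += len;
    return len;
}

/* Vulnerable flow: always hands the literal to deliver_data(). */
size_t fetch_resp_unsafe(const char *line, const char *buf, size_t *delivered)
{
    size_t size;
    if (!imap_fetch_size(line, &size)) return 0;
    return deliver_data(buf, size, delivered);
}

/* Fixed flow: a zero-length literal carries no body, so nothing is delivered. */
size_t fetch_resp_safe(const char *line, const char *buf, size_t *delivered)
{
    size_t size;
    if (!imap_fetch_size(line, &size)) return 0;
    if (size == 0) return 0;        /* the check the fix adds */
    return deliver_data(buf, size, delivered);
}

int main(void)
{
    /* constructed stand-in for whatever memory follows an empty body */
    const char heap[] = "adjacent-heap-data";
    size_t got = 0;
    fetch_resp_unsafe("* 1 FETCH (BODY[TEXT] {0}", heap, &got);
    printf("unsafe flow delivered %zu bytes for a 0-byte body\n", got);
    got = 0;
    fetch_resp_safe("* 1 FETCH (BODY[TEXT] {0}", heap, &got);
    printf("safe flow delivered %zu bytes\n", got);
    return 0;
}
```

The stand-in buffer is NUL-terminated so the example runs cleanly; in the real case the bytes after the empty body are whatever the allocator placed there, and that is what the application received as downloaded data.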
CVE-2017-1000354 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Privilege escalation
Description
+ The login command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.
+
+ This has been fixed by storing the cached authentication as a hash-based MAC with a key specific to the Jenkins instance and the CLI authentication cache.
+
+ Previously cached authentications are invalidated when upgrading Jenkins to a version containing a fix for this.
References
+ https://jenkins.io/security/advisory/2017-04-26/
Notes
CVE-2017-1000355 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ Jenkins uses the XStream library to serialize and deserialize XML. Its maintainer recently published an advisory for a vulnerability that allows anyone able to provide XML to Jenkins for processing using XStream to crash the Java process. In Jenkins this typically applies to users with permission to create or configure items (jobs), views, or agents.
+
+ Jenkins now prohibits the attempted deserialization of void / Void that results in a crash.
References
+ http://www.openwall.com/lists/oss-security/2017/04/03/4
Notes
CVE-2017-1000356 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Cross-site request forgery
Description
+ Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed malicious users to perform several administrative actions by tricking a victim into opening a web page. The most notable ones:
+
+ SECURITY-412: Restart Jenkins immediately, after all builds are finished, or after all plugin installations and builds are finished
+ SECURITY-412: Schedule a downgrade of Jenkins to a previously installed version if Jenkins previously upgraded itself
+ SECURITY-413: Install and (optionally) dynamically load any plugin present on a configured update site
+ SECURITY-414: Remove any update site from the Jenkins configuration
+ SECURITY-415: Change a user’s API token
+ SECURITY-416: Submit system configuration
+ SECURITY-417: Submit global security configuration
+ SECURITY-418, SECURITY-420: For Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process
+ SECURITY-419: Create a new agent, possibly executing arbitrary shell commands on the master node by choosing the appropriate launch method
+ SECURITY-420: Update the node monitor data on all agents
References
+ https://jenkins.io/security/advisory/2017-04-26/
Notes
CVE-2017-1000364 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Privilege escalation
Description
+ A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This entry tracks the kernel-side mitigation, which increases the stack guard gap from one page to 1 MiB to make successful exploitation of this issue more difficult.
References
+ https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
+ https://git.kernel.org/linus/1be7107fbe18eed3e319a6c3e83c78254b693acb
Notes
CVE-2017-1000365 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Local
Type
+ Insufficient validation
Description
+ The Linux kernel limits the total size of the argument and environment strings passed to execve() to one quarter of the RLIMIT_STACK limit (or of RLIM_INFINITY when the stack is unlimited), but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation. This affects Linux kernel versions 4.11.5 and earlier. It appears that this limit was introduced in Linux kernel version 2.6.23.
References
+ https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=98da7d08850fb8bdeb395d6368ed15753304aa0c
Notes
+ Fixed in v4.12
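Added example, a userspace model rather than the kernel's code: the exec argument size check before and after the CVE-2017-1000365 fix. The old rule compares only the string bytes against RLIMIT_STACK/4; the fixed rule also charges sizeof(void *) per argv/envp pointer, with an overflow guard on the sum. Function names and the 8 MiB stack limit used in the demonstration are this example's own assumptions.

```c
/* Added example (a userspace model, not the kernel's code): the exec
 * argument size check with and without accounting for the argv/envp
 * pointer array, as in the CVE-2017-1000365 fix. Names are this
 * example's own. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* true if exec would be allowed, false where the kernel returns E2BIG */
bool exec_size_ok(unsigned long argc, unsigned long envc,
                  unsigned long string_bytes, unsigned long rlimit_stack,
                  bool account_pointers)
{
    unsigned long size = string_bytes;
    if (account_pointers) {
        /* the (argc + envc) pointer array lands on the new stack too */
        unsigned long ptr_size = (argc + envc) * sizeof(void *);
        if (ptr_size > ULONG_MAX - size)
            return false;            /* sum would wrap: reject outright */
        size += ptr_size;
    }
    /* only a quarter of the stack limit may be spent on args + env */
    return size <= rlimit_stack / 4;
}

/* How many empty arguments ("" is one NUL byte) fit under each rule. */
unsigned long max_empty_args(unsigned long rlimit_stack, bool account_pointers)
{
    unsigned long per_arg = 1 + (account_pointers ? sizeof(void *) : 0);
    return (rlimit_stack / 4) / per_arg;
}

int main(void)
{
    const unsigned long stack = 8UL << 20;      /* assumed RLIMIT_STACK of 8 MiB */
    unsigned long n_old = max_empty_args(stack, false);
    printf("old rule admits %lu empty args; their pointers alone need %lu bytes\n",
           n_old, n_old * sizeof(void *));
    printf("old rule accepts that exec: %s, new rule: %s\n",
           exec_size_ok(n_old, 0, n_old, stack, false) ? "yes" : "no",
           exec_size_ok(n_old, 0, n_old, stack, true) ? "yes" : "no");
    printf("new rule admits %lu empty args\n", max_empty_args(stack, true));
    return 0;
}
```

With an 8 MiB stack and 8-byte pointers the old rule admits 2 MiB of empty strings, whose pointer array alone is 16 MiB, larger than the whole stack the strings were supposed to occupy a quarter of.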
CVE-2017-1000366 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Privilege escalation
Description
+ A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This entry tracks the glibc-side mitigation, which blocks processing of LD_LIBRARY_PATH for programs running in secure-execution mode and reduces the number of allocations performed while processing LD_AUDIT, LD_PRELOAD, and LD_HWCAP_MASK, making successful exploitation of this issue more difficult.
References
+ https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Notes
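Added example for the kernel-side Stack Clash mitigation tracked under CVE-2017-1000364 above; it is this page's own illustration, not kernel code. It measures the distance between the process stack and the nearest mapping below it by parsing /proc/self/maps, which is the distance the enlarged guard gap is meant to keep at least 256 pages (1 MiB with 4 KiB pages) wide. The maps text in the test is constructed; main() reads the real file. The page size, the 1 MiB default and the assumption that maps lines are address-sorted are this example's own.

```c
/* Added example (this page's own illustration, not kernel code): measure
 * the gap between [stack] and the highest mapping below it, the distance the
 * CVE-2017-1000364 mitigation keeps at least stack_guard_gap wide. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define STACK_GUARD_GAP (256UL * 4096UL)   /* default since the fix; 4 KiB pages assumed */

/* Parse /proc/<pid>/maps text (address-sorted, one mapping per line).
 * Returns the distance in bytes from the end of the mapping just below
 * "[stack]" to the start of the stack, or 0 if no stack mapping is present. */
unsigned long stack_gap_below(const char *maps)
{
    unsigned long prev_end = 0;
    const char *line = maps;
    while (*line) {
        char buf[512];
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= sizeof buf) len = sizeof buf - 1;   /* long paths: truncate copy only */
        memcpy(buf, line, len);
        buf[len] = '\0';

        unsigned long start, end;
        if (sscanf(buf, "%lx-%lx", &start, &end) == 2) {
            if (strstr(buf, "[stack]"))
                return prev_end ? start - prev_end : start;
            prev_end = end;          /* everything before [stack] lies below it */
        }
        if (!nl) break;
        line = nl + 1;
    }
    return 0;
}

/* true when nothing is mapped within the guard gap below the stack */
bool stack_gap_ok(const char *maps)
{
    return stack_gap_below(maps) >= STACK_GUARD_GAP;
}

int main(void)
{
    static char maps[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) { perror("/proc/self/maps"); return 1; }
    size_t n = fread(maps, 1, sizeof maps - 1, f);
    fclose(f);
    maps[n] = '\0';
    unsigned long gap = stack_gap_below(maps);
    printf("gap below [stack]: %lu bytes (%s stack_guard_gap)\n", gap,
           stack_gap_ok(maps) ? "at least" : "less than");
    return 0;
}
```

On a kernel with the fix, mmap() without MAP_FIXED will not place a mapping inside the gap, so a mapping closer than 1 MiB below the stack is worth explaining: it was either placed with MAP_FIXED or inherited from a kernel without the mitigation.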