Log

CVE-2018-0732 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Remote
Type
+ Denial of service
Description
+ During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack.
References
+ https://www.openssl.org/news/secadv/20180612.txt
+ https://github.com/openssl/openssl/commit/ea7abeeabf92b7aca160bdd0208636d4da69f4f4
+ https://github.com/openssl/openssl/commit/3984ef0b72831da8b3ece4745cac4f8575b19098
Notes
CVE-2018-0734 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Remote
Type
+ Private key recovery
Description
+ A timing vulnerability has been found in DSA signature generation in openssl versions up to and including 1.1.1, where information is leaked via a side channel when a BN is resized and could lead to private key recovery.
References
+ https://www.openssl.org/news/secadv/20181030.txt
+ https://github.com/openssl/openssl/commit/8abfe72e8c1de1b95f50aa0d9134803b4d00070f
+ https://github.com/openssl/openssl/pull/7486
Notes
CVE-2018-0735 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Remote
Type
+ Private key recovery
Description
+ The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack in openssl versions prior to 1.1.1a. An attacker could use variations in the signing algorithm to recover the private key.
References
+ https://www.openssl.org/news/secadv/20181029.txt
+ https://github.com/openssl/openssl/commit/b1d6d55ece1c26fa2829e2b819b038d7b6d692b4
Notes
CVE-2018-0737 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Local
Type
+ Private key recovery
Description
+ A cache-timing side channel attack in the RSA key generation algorithm has been found in OpenSSL <= 1.1.0h and <= 1.0.2o. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key.
References
+ https://www.openssl.org/news/secadv/20180416.txt
+ https://github.com/openssl/openssl/commit/6939eab03a6e23d2bd2c3f5e34fe1d48e542e787
+ https://github.com/openssl/openssl/commit/349a41da1ad88ad87825414752a8ff5fdd6a6c3f
Notes
CVE-2018-0739 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Local
Type
+ Denial of service
Description
+ A stack-exhaustion issue has been found in OpenSSL <= 1.1.0h, where constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe.
References
+ https://www.openssl.org/news/secadv/20180327.txt
+ https://github.com/openssl/openssl/commit/2ac4c6f7b2b2af20c0e2b0ba05367e454cd11b33
Notes
CVE-2018-1000001 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Privilege escalation
Description
+ A buffer underflow vulnerability has been discovered in the realpath() function in glibc 2.26 when getcwd() returns a relative or unreachable path (i.e. not starting with '/') which may allow privilege escalation under certain conditions.
References
+ http://www.openwall.com/lists/oss-security/2018/01/11/5
+ https://sourceware.org/bugzilla/show_bug.cgi?id=22679
+ https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94
Notes
CVE-2018-1000005 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ libcurl contains an out bounds read in code handling HTTP/2 trailers. It was reported that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `":"` to the target buffer, while this was recently changed to `": "` (a space was added after the colon) but the associated math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to the libcurl callback. This might lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.
References
+ https://curl.haxx.se/docs/adv_2018-824a.html
+ https://github.com/curl/curl/commit/fa3dbb9a147488a2943bda809c66fc497efe06cb
Notes
CVE-2018-1000007 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ libcurl might leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequest hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request.
References
+ https://curl.haxx.se/docs/adv_2018-b3bf.html
+ https://github.com/curl/curl/commit/af32cd3859336ab963591ca0df9b1e33a7ee066b
Notes
+ In libcurl version 7.58.0, custom `Authorization:` headers will be limited the same way other such headers is controlled within libcurl: they will only be sent to the host used in the original URL unless libcurl is told that it is ok to pass on to others using the `CURLOPT_UNRESTRICTED_AUTH` option. This solution creates a slight change in behavior. Users who actually want to pass on the header to other hosts now need to give curl that specific permission. You do this with --location-trusted with the curl command line tool.
CVE-2018-1000035 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Local
Type
+ Arbitrary code execution
Description
+ A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.
References
+ https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html
Notes
+ Still no fix upstream. We do use FORTIFY_SOURCE=2 on our builds and that works as a "workaround" since it kills the app. Downgrading the severity to 'low' since we don't really care about DoS in unzip.
CVE-2018-1000051 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Arbitrary code execution
Description
+ Artifex Mupdf version 1.12.0 contains a use-after-free vulnerability in fz_keep_key_storable that can result in DOS / Possible code execution. This attack appear to be exploitable via Victim opens a specially crafted PDF.
References
+ https://bugs.ghostscript.com/show_bug.cgi?id=698825
+ https://bugs.ghostscript.com/show_bug.cgi?id=698873
+ https://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=321ba1de287016b0036bf4a56ce774ad11763384
Notes