Vulnerabilities > CVE-2016-9446 - Improper Initialization vulnerability in multiple products
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: NONE
Summary
The vmnc (VMware screen capture) decoder in GStreamer does not initialize the render canvas, which allows remote attackers to obtain sensitive information, as demonstrated by thumbnailing a simple one-frame vmnc movie that does not draw to the allocated render canvas. Any pixel the frame never draws is emitted as whatever the decoding process's heap previously held, so the thumbnail becomes a read of that process's memory. The NETWORK vector reflects how the crafted file is delivered; decoding is triggered by a user opening it or by an automated indexer or thumbnailer processing it (see the distribution advisories below), and the impact is confidentiality only, with no integrity or availability component.
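The following C program is an added illustration of the bug class described above; it is not GStreamer's vmncdec.c and not the upstream fix. It models a frame decoder whose render canvas is allocated but never cleared, runs the summary's proof-of-concept shape (a single frame that draws nothing) through it, and shows the same movie against an allocator that zeroes the canvas first. The static arena standing in for the heap, the "bearer token" left in it, the rectangle-based frame format and every function name are constructed for the example.

```c
/*
 * Added illustration of the CVE-2016-9446 bug class: a frame decoder hands a
 * thumbnailer a render canvas that was allocated but never cleared, so any
 * pixel the movie does not draw is whatever the heap held before.
 *
 * This is NOT GStreamer's vmncdec.c. A static arena stands in for the process
 * heap so the leak is deterministic (with real malloc() the residue varies
 * run to run, which is why the bug is easy to miss in testing).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CANVAS_W 8
#define CANVAS_H 4
#define CANVAS_BYTES (CANVAS_W * CANVAS_H)   /* one byte per pixel, for brevity */

/* Simulated heap region. An earlier "allocation" left data in it. */
static uint8_t g_arena[CANVAS_BYTES];

/* Constructed sample: pretend the previous owner of this memory was an HTTP
 * client holding a bearer token. The rest is filled with 'A' so every byte
 * is recognisably stale. */
static const char kSecret[] = "Authorization: Bearer s3cr3t";   /* 28 bytes */

static void arena_poison(void) {
    memset(g_arena, 'A', sizeof g_arena);
    memcpy(g_arena, kSecret, sizeof kSecret - 1);
}

/* Vulnerable allocator: malloc() semantics, contents are whatever was there. */
uint8_t *canvas_alloc_unsafe(void) { return g_arena; }

/* Fixed allocator: the canvas starts out all-zero (calloc()/g_malloc0()
 * semantics). Pixels the movie never paints are now black, not heap residue. */
uint8_t *canvas_alloc_safe(void) {
    memset(g_arena, 0, sizeof g_arena);
    return g_arena;
}

/* A minimal "movie": one frame made of rectangles to fill. */
typedef struct { int x, y, w, h; uint8_t colour; } rect_t;
typedef struct { const rect_t *rects; size_t nrects; } frame_t;

/* The PoC shape from the summary: a single frame that draws nothing. */
const frame_t EMPTY_MOVIE = { NULL, 0 };

/* A frame that paints only the top two rows; the bottom half stays untouched. */
static const rect_t kTopRows[] = { { 0, 0, CANVAS_W, 2, 0xFF } };
const frame_t TOP_ROWS_MOVIE = { kTopRows, 1 };

/* Decoder: fill each rectangle, clamped to the canvas. Clamping stops the
 * out-of-bounds write (the bounds side of the problem); it does nothing
 * about bytes the frame never reaches (the initialization side). */
static void decode_frame(uint8_t *canvas, const frame_t *f) {
    for (size_t i = 0; i < f->nrects; i++) {
        const rect_t *r = &f->rects[i];
        int y0 = r->y < 0 ? 0 : r->y, x0 = r->x < 0 ? 0 : r->x;
        for (int y = y0; y < r->y + r->h && y < CANVAS_H; y++)
            for (int x = x0; x < r->x + r->w && x < CANVAS_W; x++)
                canvas[y * CANVAS_W + x] = r->colour;
    }
}

/* Thumbnailer side: does the emitted image still carry the old heap bytes? */
static bool bytes_contain(const uint8_t *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > len) return false;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return true;
    return false;
}

/* Decode `movie` on a canvas from `alloc` and report whether `needle`
 * (a fragment of the stale secret) survives into the output thumbnail. */
bool thumbnail_leaks(uint8_t *(*alloc)(void), const frame_t *movie, const char *needle) {
    arena_poison();                 /* the heap has history before we allocate */
    uint8_t *canvas = alloc();
    decode_frame(canvas, movie);
    return bytes_contain(canvas, CANVAS_BYTES, needle);
}

int main(void) {
    printf("unsafe alloc, empty frame : leak=%d\n", thumbnail_leaks(canvas_alloc_unsafe, &EMPTY_MOVIE, "Bearer s3cr3t"));
    printf("safe alloc,   empty frame : leak=%d\n", thumbnail_leaks(canvas_alloc_safe,   &EMPTY_MOVIE, "Bearer s3cr3t"));
    printf("unsafe alloc, partial draw: leak=%d\n", thumbnail_leaks(canvas_alloc_unsafe, &TOP_ROWS_MOVIE, "s3cr3t"));
    printf("safe alloc,   partial draw: leak=%d\n", thumbnail_leaks(canvas_alloc_safe,   &TOP_ROWS_MOVIE, "s3cr3t"));
    return 0;
}
```

Build with `cc -std=c11 -Wall canvas_leak.c` and run; the first and third lines report a leak, the other two do not. The partial-draw case is the practical point: a movie does not have to be empty to leak, it only has to leave some region of the canvas unpainted, which is the normal case for a screen-capture codec that encodes changed rectangles. Zeroing at allocation, which is what the distribution advisories below describe the fix as doing ("initialize a buffer in vmncdec"), closes every such path at once; trying instead to track which pixels were written is fragile and is not what was done. The clamping in decode_frame stands in for the separate bounds problem the same advisories list as CVE-2016-9445, fixing one does not fix the other.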
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
The patterns below are the generic ones associated with the Improper Initialization weakness class; no race is needed to trigger this particular bug, a single crafted one-frame file processed by a thumbnailer is enough (see Summary).
- Leveraging Race Conditions: This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with their version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions: This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that they modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Nessus
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201705-10.NASL
Title: GLSA-201705-10 : GStreamer plug-ins: User-assisted execution of arbitrary code
Description: The remote host is affected by the vulnerability described in GLSA-201705-10 (GStreamer plug-ins: User-assisted execution of arbitrary code). Multiple vulnerabilities have been discovered in various GStreamer plug-ins. Please review the CVE identifiers referenced below for details. Impact: A remote attacker could entice a user or automated system using a GStreamer plug-in to process a specially crafted file, resulting in the execution of arbitrary code or a Denial of Service. Workaround: There is no known workaround at this time.
Plugin id: 100263 | published: 2017-05-18 | modified: 2020-06-02 | last seen: 2020-06-01
Reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/100263

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2016-3296-1.NASL
Title: SUSE SLED12 / SLES12 Security Update : gstreamer-plugins-bad (SUSE-SU-2016:3296-1)
Description: This update for gstreamer-plugins-bad fixes the following security issues, which would allow attackers able to submit media files for indexing to cause code execution or crashes:
- Check an integer overflow (CVE-2016-9445) and initialize a buffer (CVE-2016-9446) in vmncdec (bsc#1010829).
- CVE-2016-9809: Ensure codec_data has the right size when reading the number of SPS (bsc#1013659).
- CVE-2016-9812: Add more section size checks (bsc#1013678).
- CVE-2016-9813: Fix PAT parsing (bsc#1013680).
Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. (The same note applies to the other SUSE and EulerOS entries below.)
Plugin id: 96258 | published: 2017-01-03 | modified: 2020-06-02 | last seen: 2020-06-01
Reporter: Tenable, Inc. (Copyright (C) 2017-2019)
Source: https://www.tenable.com/plugins/nessus/96258

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2017-1205.NASL
Title: EulerOS 2.0 SP1 : gstreamer (EulerOS-SA-2017-1205)
Description: According to the versions of the gstreamer packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: Multiple flaws were found in gstreamer1, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-bad-free packages. An attacker could potentially use these flaws to crash applications which use the GStreamer framework. (CVE-2016-9446, CVE-2016-9810, CVE-2016-9811, CVE-2016-10198, CVE-2016-10199, CVE-2017-5837, CVE-2017-5838, CVE-2017-5839, CVE-2017-5840, CVE-2017-5841, CVE-2017-5842, CVE-2017-5843, CVE-2017-5844, CVE-2017-5845, CVE-2017-5848)
Plugin id: 103063 | published: 2017-09-11 | modified: 2017-09-11 | last seen: 2020-06-10
Reporter: Tenable, Inc. (Copyright (C) 2017-2020)
Source: https://www.tenable.com/plugins/nessus/103063

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2017-64.NASL
Title: openSUSE Security Update : gstreamer-0_10-plugins-bad (openSUSE-2017-64)
Description: This update for gstreamer-0_10-plugins-bad fixes the following issues:
- CVE-2016-9445, CVE-2016-9446: Protection against buffer overflows (bsc#1010829)
- CVE-2016-9447: Disable the nsf plugin (bsc#1010514)
This update was imported from the SUSE:SLE-12-SP2:Update update project.
Plugin id: 96383 | published: 2017-01-10 | modified: 2017-01-10 | last seen: 2020-06-05
Reporter: Tenable Network Security, Inc. (Copyright (C) 2017-2020)
Source: https://www.tenable.com/plugins/nessus/96383

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2017-1206.NASL
Title: EulerOS 2.0 SP2 : gstreamer (EulerOS-SA-2017-1206)
Description: Same text as EULEROS_SA-2017-1205.NASL above (same CVE list).
Plugin id: 103064 | published: 2017-09-11 | modified: 2017-09-11 | last seen: 2020-06-03
Reporter: Tenable, Inc. (Copyright (C) 2017-2020)
Source: https://www.tenable.com/plugins/nessus/103064

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2016-1481.NASL
Title: openSUSE Security Update : gstreamer-0_10-plugins-bad (openSUSE-2016-1481)
Description: This update for gstreamer-0_10-plugins-bad fixes the following issues:
- Maliciously crafted VMnc files (VMware video format) could lead to crashes (CVE-2016-9445, CVE-2016-9446, boo#1010829).
- Maliciously crafted NSF files (NES sound format) could lead to arbitrary code execution (CESA-2016-0001, boo#1010514). Therefore, for security reasons, the NSF plugin has been removed from the package.
Plugin id: 95818 | published: 2016-12-14 | modified: 2016-12-14 | last seen: 2020-06-05
Reporter: Tenable Network Security, Inc. (Copyright (C) 2016-2020)
Source: https://www.tenable.com/plugins/nessus/95818

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2017-2060.NASL
Title: RHEL 7 : GStreamer (RHSA-2017:2060)
Description: An update is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. GStreamer is a streaming media framework based on graphs of filters which operate on media data. The following packages have been upgraded to a later upstream version: clutter-gst2 (2.0.18), gnome-video-effects (0.4.3), gstreamer1 (1.10.4), gstreamer1-plugins-bad-free (1.10.4), gstreamer1-plugins-base (1.10.4), gstreamer1-plugins-good (1.10.4), orc (0.4.26). Security Fix(es): Multiple flaws were found in gstreamer1, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-bad-free packages. An attacker could potentially use these flaws to crash applications which use the GStreamer framework. (CVE-2016-9446, CVE-2016-9810, CVE-2016-9811, CVE-2016-10198, CVE-2016-10199, CVE-2017-5837, CVE-2017-5838, CVE-2017-5839, CVE-2017-5840, CVE-2017-5841, CVE-2017-5842, CVE-2017-5843, CVE-2017-5844, CVE-2017-5845, CVE-2017-5848) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
Plugin id: 102150 | published: 2017-08-03 | modified: 2020-06-02 | last seen: 2020-06-01
Reporter: Tenable, Inc. (Copyright (C) 2017-2019)
Source: https://www.tenable.com/plugins/nessus/102150

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2016-1483.NASL
Title: openSUSE Security Update : gstreamer-plugins-bad (openSUSE-2016-1483)
Description: This update for gstreamer-plugins-bad fixes the following issues:
- Maliciously crafted VMnc (VMware video) streams (typically contained in .avi files) could cause code execution during decoding or information leaks due to an uninitialized buffer (CVE-2016-9445, CVE-2016-9446, boo#1010829).
Plugin id: 95912 | published: 2016-12-16 | modified: 2016-12-16 | last seen: 2020-06-05
Reporter: Tenable Network Security, Inc. (Copyright (C) 2016-2020)
Source: https://www.tenable.com/plugins/nessus/95912

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2017-0027-1.NASL
Title: SUSE SLED12 Security Update : gstreamer-0_10-plugins-bad (SUSE-SU-2017:0027-1)
Description: This update for gstreamer-0_10-plugins-bad fixes the following issues:
- CVE-2016-9445, CVE-2016-9446: Protection against buffer overflows (bsc#1010829)
- CVE-2016-9447: Disable the nsf plugin (bsc#1010514)
Plugin id: 96334 | published: 2017-01-06 | modified: 2020-06-02 | last seen: 2020-06-01
Reporter: Tenable, Inc. (Copyright (C) 2017-2019)
Source: https://www.tenable.com/plugins/nessus/96334

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2017-63.NASL
Title: openSUSE Security Update : gstreamer-plugins-bad (openSUSE-2017-63)
Description: This update for gstreamer-plugins-bad fixes the following security issues, which would allow attackers able to submit media files for indexing to cause code execution or crashes:
- Check an integer overflow (CVE-2016-9445) and initialize a buffer (CVE-2016-9446) in vmncdec (bsc#1010829).
- CVE-2016-9809: Ensure codec_data has the right size when reading the number of SPS (bsc#1013659).
- CVE-2016-9812: Add more section size checks (bsc#1013678).
- CVE-2016-9813: Fix PAT parsing (bsc#1013680).
This update was imported from the SUSE:SLE-12-SP2:Update update project.
Plugin id: 96382 | published: 2017-01-10 | modified: 2017-01-10 | last seen: 2020-06-05
Reporter: Tenable, Inc. (Copyright (C) 2017-2020)
Source: https://www.tenable.com/plugins/nessus/96382

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2016-3297-1.NASL
Title: SUSE SLED12 / SLES12 Security Update : gstreamer-plugins-bad (SUSE-SU-2016:3297-1)
Description: This update for gstreamer-plugins-bad fixes the following issues:
- CVE-2016-9809: A malicious mkv/h264 file could cause an off-by-one out-of-bounds read and lead to a crash (bsc#1013659)
- CVE-2016-9812: A malicious mpeg file could cause an invalid NULL pointer access and lead to a crash (bsc#1013678)
- CVE-2016-9813: A malicious mpegts file could cause an invalid NULL pointer access and lead to a crash (bsc#1013680)
- CVE-2016-9445, CVE-2016-9446: Check an integer overflow and initialize a buffer in vmncdec (bsc#1010829)
Plugin id: 96259 | published: 2017-01-03 | modified: 2020-06-02 | last seen: 2020-06-01
Reporter: Tenable, Inc. (Copyright (C) 2017-2019)
Source: https://www.tenable.com/plugins/nessus/96259

NASL family: Scientific Linux Local Security Checks
NASL id: SL_20170802_GSTREAMER_ON_SL7_X.NASL
Title: Scientific Linux Security Update : GStreamer on SL7.x x86_64 (20170802)
Description: The following packages have been upgraded to a later upstream version: clutter-gst2 (2.0.18), gnome-video-effects (0.4.3), gstreamer1 (1.10.4), gstreamer1-plugins-bad-free (1.10.4), gstreamer1-plugins-base (1.10.4), gstreamer1-plugins-good (1.10.4), orc (0.4.26). Security Fix(es): Multiple flaws were found in gstreamer1, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-bad-free packages. An attacker could potentially use these flaws to crash applications which use the GStreamer framework. (CVE-2016-9446, CVE-2016-9810, CVE-2016-9811, CVE-2016-10198, CVE-2016-10199, CVE-2017-5837, CVE-2017-5838, CVE-2017-5839, CVE-2017-5840, CVE-2017-5841, CVE-2017-5842, CVE-2017-5843, CVE-2017-5844, CVE-2017-5845, CVE-2017-5848)
Plugin id: 102659 | published: 2017-08-22 | modified: 2017-08-22 | last seen: 2020-03-18
Reporter: Tenable, Inc. (Copyright (C) 2017-2020)
Source: https://www.tenable.com/plugins/nessus/102659

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DLA-712.NASL
Title: Debian DLA-712-1 : gst-plugins-bad0.10 security update
Description:
- CVE-2016-9445, CVE-2016-9446: Chris Evans discovered that the GStreamer plugin to decode VMware screen capture files allowed the execution of arbitrary code. He also found that an uninitialized buffer may lead to memory disclosure.
- CVE-2016-9447: Chris Evans discovered that the GStreamer 0.10 plugin to decode NES Sound Format files allowed the execution of arbitrary code.
For Debian 7
Plugin id: 94983 | published: 2016-11-21 | modified: 2016-11-21 | last seen: 2020-03-17
Reporter: Tenable, Inc. (Copyright (C) 2016-2020)
Source: https://www.tenable.com/plugins/nessus/94983

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2017-0028-1.NASL
Title: SUSE SLED12 Security Update : gstreamer-0_10-plugins-bad (SUSE-SU-2017:0028-1)
Description: Same text as SUSE_SU-2017-0027-1.NASL above.
Plugin id: 96335 | published: 2017-01-06 | modified: 2020-06-02 | last seen: 2020-06-01
Reporter: Tenable, Inc. (Copyright (C) 2017-2019)
Source: https://www.tenable.com/plugins/nessus/96335

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2017-2060.NASL
Title: CentOS 7 : clutter-gst2 / gnome-video-effects / gstreamer-plugins-bad-free / gstreamer1 / etc (CESA-2017:2060)
Description: Same text as REDHAT-RHSA-2017-2060.NASL above (same package versions and CVE list).
Plugin id: 102752 | published: 2017-08-25 | modified: 2020-06-02 | last seen: 2020-06-01
Reporter: Tenable, Inc. (Copyright (C) 2017-2019)
Source: https://www.tenable.com/plugins/nessus/102752
References
- http://www.openwall.com/lists/oss-security/2016/11/18/12
- http://www.openwall.com/lists/oss-security/2016/11/18/13
- http://www.securityfocus.com/bid/94423
- https://access.redhat.com/errata/RHSA-2017:2060
- https://bugzilla.gnome.org/show_bug.cgi?id=774533
- https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/gst/vmnc/vmncdec.c?id=4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM7IXFGHV66KNWGWG6ZBDNKXD2UJL2VQ/
- https://scarybeastsecurity.blogspot.de/2016/11/0day-poc-risky-design-decisions-in.html
- https://security.gentoo.org/glsa/201705-10