Weekly Vulnerabilities Reports > November 23 to 29, 2015

Overview

47 new vulnerabilities reported during this period, including 2 critical vulnerabilities and 13 high severity vulnerabilities. This weekly summary report vulnerabilities in 60 products from 23 vendors including Redhat, Jenkins, Nvidia, Canonical, and Cisco. Vulnerabilities are notably categorized as "Permissions, Privileges, and Access Controls", "Information Exposure", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Improper Access Control", and "Resource Management Errors".

  • 38 reported vulnerabilities are remotely exploitables.
  • 3 reported vulnerabilities have public exploit available.
  • 10 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 38 reported vulnerabilities are exploitable by an anonymous user.
  • Redhat has the most reported vulnerabilities, with 14 reported vulnerabilities.
  • Siemens has the most reported critical vulnerabilities, with 1 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

2 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-11-24 CVE-2015-5053 Nvidia Improper Access Control vulnerability in Nvidia GPU Driver

The host memory mapping path feature in the NVIDIA GPU graphics driver R346 before 346.87 and R352 before 352.41 for Linux and R352 before 352.46 for GRID vGPU and vSGA does not properly restrict access to third-party device IO memory, which allows attackers to gain privileges, cause a denial of service (resource consumption), or possibly have unspecified other impact via unknown vectors related to the follow_pfn kernel-mode API call.

10.0
2015-11-27 CVE-2015-8214 Siemens Permissions, Privileges, and Access Controls vulnerability in Siemens products

Siemens SIMATIC CP 343-1 Advanced devices before 3.0.44, CP 343-1 Lean devices, CP 343-1 devices, TIM 3V-IE devices, TIM 3V-IE Advanced devices, TIM 3V-IE DNP3 devices, TIM 4R-IE devices, TIM 4R-IE DNP3 devices, CP 443-1 devices, and CP 443-1 Advanced devices might allow remote attackers to obtain administrative access via a session on TCP port 102.

9.7

13 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-11-27 CVE-2015-6848 EMC Improper Access Control vulnerability in EMC Isilon Onefs

EMC Isilon OneFS 7.1.x before 7.1.1.5, 7.2.0.x before 7.2.0.3, and 7.2.1.x before 7.2.1.1, when the RFC 2307 feature is configured but SFU is not universally present, allows remote authenticated AD users to obtain root privileges via unspecified vectors.

8.5
2015-11-24 CVE-2015-8227 Huawei Improper Input Validation vulnerability in Huawei VP 9660 Firmware V200R001C01/V200R001C02

The built-in web server in Huawei VP9660 multi-point control unit with software before V200R001C30SPC700 allows remote administrators to obtain sensitive information or cause a denial of service via a crafted message.

8.5
2015-11-24 CVE-2015-8330 SAP Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in SAP Plant Connectivity

The PCo agent in SAP Plant Connectivity (PCo) allows remote attackers to cause a denial of service (memory corruption and agent crash) via crafted xMII requests, aka SAP Security Note 2238619.

7.8
2015-11-24 CVE-2015-6377 Cisco Resource Management Errors vulnerability in Cisco Virtual Topology System 2.0(0)/2.0(1)

Cisco Virtual Topology System (VTS) 2.0(0) and 2.0(1) allows remote attackers to cause a denial of service (CPU and memory consumption, and TCP port outage) via a flood of crafted TCP packets, aka Bug ID CSCux13379.

7.8
2015-11-24 CVE-2015-7865 Nvidia
Microsoft
Improper Access Control vulnerability in Nvidia GPU Driver

nvSCPAPISvr.exe in the Stereoscopic 3D Driver Service in the NVIDIA GPU graphics driver R340 before 341.92, R352 before 354.35, and R358 before 358.87 on Windows does not properly restrict access to the stereosvrpipe named pipe, which allows local users to gain privileges via a commandline in a number 2 command, which is stored in the HKEY_LOCAL_MACHINE explorer Run registry key, a different vulnerability than CVE-2011-4784.

7.7
2015-11-25 CVE-2015-8103 Redhat
Jenkins
Command Injection vulnerability in multiple products

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

7.5
2015-11-25 CVE-2015-5325 Redhat
Jenkins
Improper Access Control vulnerability in multiple products

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave.

7.5
2015-11-25 CVE-2015-7287 CSL Dualcom Credentials Management vulnerability in CSL Dualcom Gprs Cs2300-R Firmware 1.25/3.53

CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 use the same 001984 default PIN across different customers' installations, which allows remote attackers to execute commands by leveraging knowledge of this PIN and including it in an SMS message.

7.5
2015-11-24 CVE-2015-7808 Vbulletin Improper Input Validation vulnerability in Vbulletin

The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments.

7.5
2015-11-26 CVE-2015-6857 HP Local Code Execution vulnerability in HP Loadrunner and Performance Center

Unspecified vulnerability in Virtual Table Server (VTS) in HP LoadRunner 11.52, 12.00, 12.01, 12.02, and 12.50 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-3138.

7.2
2015-11-24 CVE-2015-7985 Valve Permissions, Privileges, and Access Controls vulnerability in Valve Steam 2.10.91.91

Valve Steam 2.10.91.91 uses weak permissions (Users: read and write) for the Install folder, which allows local users to gain privileges via a Trojan horse steam.exe file.

7.2
2015-11-24 CVE-2015-7866 Nvidia
Microsoft
Unspecified vulnerability in Nvidia GPU Driver

Unquoted Windows search path vulnerability in the Smart Maximize Helper (nvSmartMaxApp.exe) in the Control Panel in the NVIDIA GPU graphics driver R340 before 341.92, R352 before 354.35, and R358 before 358.87 on Windows allows local users to gain privileges via a Trojan horse application, as demonstrated by C:\Program.exe.

7.2
2015-11-24 CVE-2015-7496 Fedoraproject
Gnome
Permissions, Privileges, and Access Controls vulnerability in multiple products

GNOME Display Manager (gdm) before 3.18.2 allows physically proximate attackers to bypass the lock screen by holding the Escape key.

7.2

31 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-11-26 CVE-2015-8365 Canonical
Ffmpeg
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

The smka_decode_frame function in libavcodec/smacker.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does not verify that the data size is consistent with the number of channels, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Smacker data.

6.8
2015-11-26 CVE-2015-8364 Ffmpeg
Canonical
Numeric Errors vulnerability in multiple products

Integer overflow in the ff_ivi_init_planes function in libavcodec/ivi.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 allows remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via crafted image dimensions in Indeo Video Interactive data.

6.8
2015-11-26 CVE-2015-8363 Ffmpeg Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ffmpeg

The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does not enforce uniqueness of the SIZ marker in a JPEG 2000 image, which allows remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via a crafted image with two or more of these markers.

6.8
2015-11-25 CVE-2015-5318 Jenkins
Redhat
Cross-Site Request Forgery (CSRF) vulnerability in Jenkins

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

6.8
2015-11-25 CVE-2015-5306 Openstack 7PK - Security Features vulnerability in Openstack Ironic Inspector

OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.

6.8
2015-11-25 CVE-2014-3665 Jenkins Permissions, Privileges, and Access Controls vulnerability in Jenkins

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

6.8
2015-11-25 CVE-2015-6379 Cisco Resource Management Errors vulnerability in Cisco Adaptive Security Appliance Software 8.4.0

The XML parser in the management interface in Cisco Adaptive Security Appliance (ASA) Software 8.4 allows remote authenticated users to cause a denial of service (device crash) via a crafted XML document, aka Bug ID CSCut14223.

6.8
2015-11-23 CVE-2015-5451 HP Cross-Site Request Forgery (CSRF) vulnerability in HP Operations Orchestration

Cross-site request forgery (CSRF) vulnerability in HP Operations Orchestration Central 10.x before 10.22.001 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

6.8
2015-11-24 CVE-2015-8328 Nvidia
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Nvidia GPU Driver

Unspecified vulnerability in the NVAPI support layer in the NVIDIA GPU graphics driver R340 before 341.92, R352 before 354.35, and R358 before 358.87 on Windows allows local users to obtain sensitive information, cause a denial of service (crash), or possibly gain privileges via unknown vectors.

6.6
2015-11-24 CVE-2015-7869 Canonical
Nvidia
Linux
Microsoft
Numeric Errors vulnerability in multiple products

Multiple integer overflows in the kernel mode driver for the NVIDIA GPU graphics driver R340 before 341.92, R352 before 354.35, and R358 before 358.87 on Windows and R304 before 304.131, R340 before 340.96, R352 before 352.63, and R358 before 358.16 on Linux allow local users to obtain sensitive information, cause a denial of service (crash), or possibly gain privileges via unknown vectors, which trigger uninitialized or out of bounds memory access.

6.6
2015-11-25 CVE-2015-5323 Redhat
Jenkins
Permissions, Privileges, and Access Controls vulnerability in multiple products

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

6.5
2015-11-24 CVE-2015-6380 Cisco OS Command Injection vulnerability in Cisco Firepower Extensible Operating System 1.1(1.160)

An unspecified script in the web interface in Cisco Firepower Extensible Operating System 1.1(1.160) on Firepower 9000 devices allows remote authenticated users to execute arbitrary OS commands via crafted parameters, aka Bug ID CSCux10622.

6.5
2015-11-25 CVE-2015-7286 CSL Dualcom Cryptographic Issues vulnerability in CSL Dualcom Gprs Cs2300-R Firmware 1.25/3.53

CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 rely on a polyalphabetic substitution cipher with hardcoded keys, which makes it easier for remote attackers to defeat a cryptographic protection mechanism by capturing IP or V.22bis PSTN protocol traffic.

6.4
2015-11-25 CVE-2015-5242 Redhat Code Injection vulnerability in Redhat Gluster Storage 3.1

OpenStack Swift-on-File (aka Swiftonfile) does not properly restrict use of the pickle Python module when loading metadata, which allows remote authenticated users to execute arbitrary code via a crafted extended attribute (xattrs).

6.0
2015-11-25 CVE-2015-7285 CSL Dualcom Improper Authentication vulnerability in CSL Dualcom Gprs Cs2300-R Firmware 1.25/3.53

CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 do not require authentication from Alarm Receiving Center (ARC) servers, which allows man-in-the-middle attackers to bypass intended access restrictions via a spoofed HSxx response.

5.8
2015-11-26 CVE-2015-6382 Cisco Resource Management Errors vulnerability in Cisco ASR 5000 Series Software 16.0(900)

Cisco ASR 5000 devices with software 16.0(900) allow remote attackers to cause a denial of service (telnetd process restart) via a TELNET connection, aka Bug ID CSCuv25815.

5.0
2015-11-25 CVE-2015-5324 Jenkins
Redhat
Permissions, Privileges, and Access Controls vulnerability in multiple products

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

5.0
2015-11-25 CVE-2015-5322 Redhat
Jenkins
Path Traversal vulnerability in multiple products

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

5.0
2015-11-25 CVE-2015-5321 Redhat
Jenkins
Information Exposure vulnerability in multiple products

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

5.0
2015-11-25 CVE-2015-5320 Redhat
Jenkins
Information Exposure vulnerability in multiple products

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

5.0
2015-11-25 CVE-2015-5319 Redhat
Jenkins
XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.
5.0
2015-11-25 CVE-2015-5317 Jenkins
Redhat
Information Exposure vulnerability in Jenkins

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

5.0
2015-11-24 CVE-2015-8329 SAP Cryptographic Issues vulnerability in SAP Manufacturing Integration and Intelligence 12.2/14.0/15.0

SAP Manufacturing Integration and Intelligence (aka MII, formerly xMII) uses weak encryption (Base64 and DES), which allows attackers to conduct downgrade attacks and decrypt passwords via unspecified vectors, aka SAP Security Note 2240274.

5.0
2015-11-24 CVE-2015-7981 Canonical
Debian
Redhat
Libpng
Information Exposure vulnerability in multiple products

The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1.0.64, 1.2.x before 1.2.54, and 1.4.x before 1.4.17 allows remote attackers to obtain sensitive process memory information via crafted tIME chunk data in an image file, which triggers an out-of-bounds read.

5.0
2015-11-23 CVE-2015-8320 Apache Weak Randomization Security Bypass vulnerability in Apache Cordova For Android

Apache Cordova-Android before 3.7.0 improperly generates random values for BridgeSecret data, which makes it easier for attackers to conduct bridge hijacking attacks by predicting a value.

5.0
2015-11-24 CVE-2015-0856 Fedoraproject
Sddm Project
Permissions, Privileges, and Access Controls vulnerability in multiple products

daemon/Greeter.cpp in sddm before 0.13.0 does not properly disable the KDE crash handler, which allows local users to gain privileges by crashing a greeter when using certain themes, as demonstrated by the plasma-workspace breeze theme.

4.6
2015-11-25 CVE-2015-5326 Jenkins
Redhat
Cross-site Scripting vulnerability in Jenkins

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

4.3
2015-11-25 CVE-2015-7288 CSL Dualcom 7PK - Security Features vulnerability in CSL Dualcom Gprs Cs2300-R Firmware 1.25/3.53

CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 allow remote attackers to modify the configuration via a command in an SMS message, as demonstrated by a "4 2" command.

4.3
2015-11-23 CVE-2015-5256 Apache Permissions, Privileges, and Access Controls vulnerability in Apache Cordova

Apache Cordova-Android before 4.1.0, when an application relies on a remote server, improperly implements a JavaScript whitelist protection mechanism, which allows attackers to bypass intended access restrictions via a crafted URI.

4.3
2015-11-24 CVE-2015-8229 Huawei Improper Input Validation vulnerability in Huawei Espace Firmware

Huawei eSpace U2980 unified gateway with software before V100R001C10 and U2990 with software before V200R001C10 allow remote authenticated users to cause a denial of service via crafted signaling packets from a registered device.

4.0
2015-11-24 CVE-2015-8228 Huawei Path Traversal vulnerability in Huawei AR Firmware

Directory traversal vulnerability in the SFTP server in Huawei AR 120, 150, 160, 200, 500, 1200, 2200, 3200, and 3600 routers with software before V200R006SPH003 allows remote authenticated users to access arbitrary directories via unspecified vectors.

4.0

1 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-11-24 CVE-2015-5281 Redhat Permissions, Privileges, and Access Controls vulnerability in Redhat Enterprise Linux 7.0

The grub2 package before 2.02-0.29 in Red Hat Enterprise Linux (RHEL) 7, when used on UEFI systems, allows local users to bypass intended Secure Boot restrictions and execute non-verified code via a crafted (1) multiboot or (2) multiboot2 module in the configuration file or physically proximate attackers to bypass intended Secure Boot restrictions and execute non-verified code via the (3) boot menu.

2.6