Original release date: January 09, 2017
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:
High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
High Vulnerabilities
Primary Vendor -- Product
Description
Published
CVSS Score
Source & Patch Info
arista -- dcs-7050t_eos_software
Arista EOS 4.15 before 4.15.8M, 4.16 before 4.16.7M, and 4.17 before 4.17.0F on DCS-7050 series devices allow remote attackers to cause a denial of service (device reboot) by sending crafted packets to the control plane.
2017-01-04
7.8
CVE-2016-6894
BID
CONFIRM
awebsupport -- aweb_cart_watching_system_for_virtuemart
SQL injection vulnerability in the "aWeb Cart Watching System for Virtuemart" extension before 2.6.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via vectors involving categorysearch and smartSearch.
2017-01-03
7.5
CVE-2016-10114
BID
MISC
genexia -- drgos
The Parental Control panel in Genexis devices with DRGOS before 1.14.1 allows remote authenticated users to execute arbitrary CLI commands via the (1) start_hour, (2) start_minute, (3) end_hour, (4) end_minute, or (5) hostname parameter.
2017-01-05
9.0
CVE-2015-3441
MISC
genixcms_project -- genixcms
SQL injection vulnerability in register.php in GeniXCMS before 1.0.0 allows remote attackers to execute arbitrary SQL commands via the activation parameter.
2017-01-01
7.5
CVE-2016-10096
MISC
BID
MISC
MISC
icu_project -- international_components_for_unicode
Stack-based buffer overflow in the ures_getByKeyWithFallback function in common/uresbund.cpp in International Components for Unicode (ICU) before 54.1 for C/C++ allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted uloc_getDisplayName call.
2017-01-04
7.5
CVE-2014-9911
CONFIRM
MLIST
BID
CONFIRM
CONFIRM
libgd -- libgd
Integer signedness error in the dynamicGetbuf function in gd_io_dp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted imagecreatefromstring call.
2017-01-04
7.5
CVE-2016-8670
MLIST
CONFIRM
CONFIRM
BID
CONFIRM
CONFIRM
libvncserver_project -- libvncserver
Heap-based buffer overflow in rfbproto.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area.
2016-12-31
7.5
CVE-2016-9941
BID
CONFIRM
CONFIRM
libvncserver_project -- libvncserver
Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeds what is specified by the tile dimensions.
2016-12-31
7.5
CVE-2016-9942
BID
CONFIRM
CONFIRM
linux -- linux_kernel
The ring_buffer_resize function in kernel/trace/ring_buffer.c in the profiling subsystem in the Linux kernel before 4.6.1 mishandles certain integer calculations, which allows local users to gain privileges by writing to the /sys/kernel/debug/tracing/buffer_size_kb file.
2017-01-05
7.2
CVE-2016-9754
CONFIRM
CONFIRM
BID
CONFIRM
CONFIRM
matrixssl -- matrixssl
Heap-based buffer overflow in MatrixSSL before 3.8.6 allows remote attackers to execute arbitrary code via a crafted Subject Alt Name in an X.509 certificate.
2017-01-05
10.0
CVE-2016-6890
BID
MISC
CONFIRM
CERT-VN
netgear -- arlo_base_station_firmware
NETGEAR Arlo base stations with firmware 1.7.5_6178 and earlier, Arlo Q devices with firmware 1.8.0_5551 and earlier, and Arlo Q Plus devices with firmware 1.8.1_6094 and earlier have a default password of 12345678, which makes it easier for remote attackers to obtain access after a factory reset or in a factory configuration.
2017-01-04
10.0
CVE-2016-10115
MISC
MISC
BID
netgear -- arlo_base_station_firmware
NETGEAR Arlo base stations with firmware 1.7.5_6178 and earlier, Arlo Q devices with firmware 1.8.0_5551 and earlier, and Arlo Q Plus devices with firmware 1.8.1_6094 and earlier use a pattern of adjective, noun, and three-digit number for the customized password, which makes it easier for remote attackers to obtain access via a dictionary attack.
2017-01-04
9.3
CVE-2016-10116
MISC
MISC
BID
openbsd -- openssh
Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.
2017-01-04
7.5
CVE-2016-10009
MISC
MLIST
BID
SECTRACK
CONFIRM
MISC
CONFIRM
EXPLOIT-DB
CONFIRM
openbsd -- openssh
The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allow local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures.
2017-01-04
7.2
CVE-2016-10012
MLIST
BID
SECTRACK
CONFIRM
CONFIRM
CONFIRM
php -- php
The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp component, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a locale_get_display_name call with a long first argument.
2017-01-04
7.5
CVE-2014-9912
MLIST
CONFIRM
BID
CONFIRM
CONFIRM
php -- php
Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that is mishandled during __wakeup processing.
2017-01-04
7.5
CVE-2016-9137
CONFIRM
MLIST
CONFIRM
CONFIRM
BID
CONFIRM
php -- php
PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::__toString with DateInterval::__wakeup.
2017-01-04
7.5
CVE-2016-9138
MLIST
BID
CONFIRM
php -- php
The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document.
2017-01-04
7.5
CVE-2016-9935
SUSE
DEBIAN
MLIST
CONFIRM
CONFIRM
BID
CONFIRM
CONFIRM
php -- php
The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6834.
2017-01-04
7.5
CVE-2016-9936
MLIST
CONFIRM
BID
CONFIRM
CONFIRM
piwigo -- piwigo
admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence.
2017-01-03
7.5
CVE-2016-10105
BID
CONFIRM
CONFIRM
CONFIRM
quick_heal -- internet_security
Stack-based buffer overflow in Quick Heal Internet Security 10.1.0.316 and earlier, Total Security 10.1.0.316 and earlier, and AntiVirus Pro 10.1.0.316 and earlier on OS X allows remote attackers to execute arbitrary code via a crafted LC_UNIXTHREAD.cmdsize field in a Mach-O file that is mishandled during a Security Scan (aka Custom Scan) operation.
2017-01-02
7.5
CVE-2017-5005
BID
MISC
MISC
s9y -- serendipity
include/functions_installer.inc.php in Serendipity through 2.0.5 is vulnerable to File Inclusion and a possible Code Execution attack during a first-time installation because it fails to sanitize the dbType POST parameter before adding it to an include() call in the bundled-libs/serendipity_generateFTPChecksums.php file.
2016-12-30
7.5
CVE-2016-10082
BID
CONFIRM
CONFIRM
schedmd -- slurm
The _prolog_error function in slurmd/req.c in Slurm before 15.08.13, 16.x before 16.05.7, and 17.x before 17.02.0-pre4 has a vulnerability in how the slurmd daemon informs users of a Prolog failure on a compute node. That vulnerability could allow a user to assume control of an arbitrary file on the system. Any exploitation of this is dependent on the user being able to cause or anticipate the failure (non-zero return code) of a Prolog script that their job would run on. This issue affects all Slurm versions from 0.6.0 (September 2005) to present. Workarounds to prevent exploitation of this are to either disable your Prolog script, or modify it such that it always returns 0 ("success") and adjust it to set the node as down using scontrol instead of relying on the slurmd to handle that automatically. If you do not have a Prolog set you are unaffected by this issue.
2017-01-05
7.6
CVE-2016-10030
CONFIRM
CONFIRM
swiftmailer -- swiftmailer
The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address in the (1) From, (2) ReturnPath, or (3) Sender header.
2016-12-30
7.5
CVE-2016-10074
MISC
FULLDISC
BID
CONFIRM
MISC
EXPLOIT-DB
veritas -- netbackup_appliance_firmware
scripts/license.pl in Veritas NetBackup Appliance 2.6.0.x through 2.6.0.4, 2.6.1.x through 2.6.1.2, 2.7.x through 2.7.3, and 3.0.x allows remote attackers to execute arbitrary commands via shell metacharacters in the hostName parameter to appliancews/getLicense.
2017-01-04
10.0
CVE-2016-7399
MISC
BID
CONFIRM
CONFIRM
western_digital -- mycloud_nas
Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 index.php page via a modified Cookie header.
2017-01-03
10.0
CVE-2016-10107
BID
MISC
western_digital -- mycloud_nas
Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.
2017-01-03
10.0
CVE-2016-10108
BID
MISC
zend -- zend-mail
The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.
2016-12-30
7.5
CVE-2016-10034
BID
CONFIRM
MISC
Medium Vulnerabilities
Primary Vendor -- Product
Description
Published
CVSS Score
Source & Patch Info
borg -- borg
Borg (aka BorgBackup) before 1.0.9 has a flaw in the cryptographic protocol used to authenticate the manifest (list of archives), potentially allowing an attacker to spoof the list of archives.
2017-01-02
5.0
CVE-2016-10099
CONFIRM
BID
borg -- borg
Borg (aka BorgBackup) before 1.0.9 has a flaw in the way duplicate archive names were processed during manifest recovery, potentially allowing an attacker to overwrite an archive.
2017-01-02
5.0
CVE-2016-10100
CONFIRM
BID
dotclear -- dotclear
Unrestricted file upload vulnerability in the fileUnzip->unzip method in Dotclear before 2.10.3 allows remote authenticated users with permissions to manage media items to execute arbitrary code by uploading a ZIP file containing a file with a crafted extension, as demonstrated by .php.txt or .php%20.
2017-01-04
6.5
CVE-2016-7902
MLIST
BID
CONFIRM
CONFIRM
dotclear -- dotclear
Dotclear before 2.10.3, when the Host header is not part of the web server routing process, allows remote attackers to modify the password reset address link via the HTTP Host header.
2017-01-04
4.3
CVE-2016-7903
MLIST
BID
CONFIRM
CONFIRM
f5 -- big-ip_advanced_firewall_manager
Virtual servers in F5 BIG-IP systems 11.6.1 before 11.6.1 HF1 and 12.1.x before 12.1.2, when configured to parse RADIUS messages via an iRule, allow remote attackers to cause a denial of service (Traffic Management Microkernel restart) via crafted network traffic.
2017-01-03
4.3
CVE-2016-5024
BID
SECTRACK
CONFIRM
forgerock -- openam
XML External Entity (XXE) Vulnerability in /SSOPOST/metaAlias/%realm%/idpv2 in OpenAM - Access Management 10.1.0 allows remote attackers to read arbitrary files via the SAMLRequest parameter.
2017-01-02
5.0
CVE-2016-10097
MISC
BID
hybris -- hybris
Cross-site scripting (XSS) vulnerability in the Inbox Search feature in Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to inject arbitrary web script or HTML via the itemsperpage parameter.
2016-12-31
4.3
CVE-2016-6856
BID
MISC
libgd -- libgd
Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefilltoborder call that triggers use of a negative color value.
2017-01-04
5.0
CVE-2016-9933
SUSE
SUSE
SUSE
MLIST
CONFIRM
CONFIRM
BID
CONFIRM
CONFIRM
CONFIRM
CONFIRM
linux -- linux_kernel
The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576.
2016-12-30
6.9
CVE-2016-10088
CONFIRM
MLIST
BID
SECTRACK
CONFIRM
matrixssl -- matrixssl
MatrixSSL before 3.8.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted ASN.1 Bit Field primitive in an X.509 certificate.
2017-01-05
5.0
CVE-2016-6891
BID
MISC
CONFIRM
CERT-VN
matrixssl -- matrixssl
The x509FreeExtensions function in MatrixSSL before 3.8.6 allows remote attackers to cause a denial of service (free of unallocated memory) via a crafted X.509 certificate.
2017-01-05
5.0
CVE-2016-6892
BID
MISC
CONFIRM
CERT-VN
netgear -- srx5308_firmware
Directory traversal vulnerability in scgi-bin/platform.cgi on NETGEAR FVS336Gv3, FVS318N, FVS318Gv2, and SRX5308 devices with firmware before 4.3.3-8 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the thispage parameter, as demonstrated by reading the /etc/shadow file.
2017-01-03
4.0
CVE-2016-10106
CONFIRM
BID
openbsd -- openssh
sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c.
2017-01-04
6.9
CVE-2016-10010
MISC
MLIST
BID
SECTRACK
CONFIRM
MISC
CONFIRM
EXPLOIT-DB
CONFIRM
php -- php
ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.
2017-01-04
5.0
CVE-2016-9934
SUSE
MLIST
CONFIRM
CONFIRM
BID
CONFIRM
CONFIRM
phpmailer_project -- phpmailer
The mailSend function in the isMail transport in PHPMailer before 5.2.18, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted From address.
2016-12-30
6.8
CVE-2016-10033
MISC
MISC
FULLDISC
MISC
BUGTRAQ
BID
CONFIRM
CONFIRM
CONFIRM
MISC
CONFIRM
EXPLOIT-DB
EXPLOIT-DB
phpmailer_project -- phpmailer
The isMail transport in PHPMailer before 5.2.20, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
2016-12-30
6.8
CVE-2016-10045
MLIST
MISC
MISC
FULLDISC
MISC
BUGTRAQ
BID
CONFIRM
CONFIRM
CONFIRM
MISC
EXPLOIT-DB
piwigo -- piwigo
Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case.
2016-12-30
4.3
CVE-2016-10083
BID
CONFIRM
CONFIRM
piwigo -- piwigo
admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page['tab'] variable (aka the mode parameter).
2016-12-30
6.5
CVE-2016-10084
BID
CONFIRM
CONFIRM
piwigo -- piwigo
admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter.
2016-12-30
6.5
CVE-2016-10085
BID
CONFIRM
CONFIRM
sap -- hybris
Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to obtain sensitive information by triggering an error and then reading a Java stack trace.
2016-12-31
4.0
CVE-2016-6859
BID
MISC
torproject -- tor
Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data had NUL termination, but the implementation of or/buffers.c did not ensure that NUL termination was present, which allows remote attackers to cause a denial of service (client, hidden service, relay, or authority crash) via crafted data.
2017-01-04
5.0
CVE-2016-8860
MLIST
BID
CONFIRM
CONFIRM
CONFIRM
wordpress -- wordpress
Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename.
2017-01-04
4.3
CVE-2016-7168
MLIST
MLIST
BID
CONFIRM
CONFIRM
MISC
CONFIRM
wordpress -- wordpress
Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter.
2017-01-04
6.5
CVE-2016-7169
BID
CONFIRM
CONFIRM
CONFIRM
Low Vulnerabilities
Primary Vendor -- Product
Description
Published
CVSS Score
Source & Patch Info
mcafee -- security_information_and_event_management
Authentication bypass vulnerability in Enterprise Security Manager (ESM) and License Manager (LM) in Intel Security McAfee Security Information and Event Management (SIEM) 9.6.0 MR3 allows an administrator to make changes to other SIEM users' information including user passwords without supplying the current administrator password a second time via the GUI or GUI terminal commands.
2017-01-05
1.7
CVE-2016-8006
CONFIRM
openbsd -- openssh
authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key