VMware Patches for Bugs in DHCP Service (Workstation, Fusion, Horizon, VMRC), (Fri, Mar 13th)

VMware Security Advisory VMSA-2020-0004 ( https://www.vmware.com/security/advisories/VMSA-2020-0004.html ) outlines a fix for a use-after-free bug in vmnetdhcp that allows guests to execute code in the host. Affected platforms are: VMware Workstation Pro / Player, VMware Fusion Pro / Fusion, VMware Horizon Client for Windows, VMware Remote Console for Windows (VMRC for Windows) (c) SANS Internet Storm …

Malicious Spreadsheet With Data Connection and Excel 4 Macros, (Mon, Mar 9th)

Reader Carsten submitted an interesting malicious spreadsheet: c2af8b309a9ce65e9ac67c6d3c3acbe7. It contains Excel 4 macros: (remark that if you’re using oledump.py with a version older than 0.0.48, you’ll get incomplete formula parsing) Taking a close look at these formulas, I fail to see (partial) URLs or anything that might be an encoded URL or script/command. When I …

Introduction to EvtxEcmd (Evtx Explorer), (Tue, Mar 3rd)

This is a guest diary by Ahmed Elshaer. In this diary, I wanted to talk about Event Explorer EvtxEcmd by SANS Instructor Eric Zimmerman. EvtxEcmd is a Windows Event Log (evtx) parser that can parse a single event log file or a directory recursively. EvtxEcmd has some great features like: Custom Maps to parse different Windows …

CVE-2016-1000109

HHVM does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application’s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in …

CVE-2016-1000005

mcrypt_get_block_size did not enforce that the provided “module” parameter was a string, leading to type confusion if other types of data were passed in. This issue affects HHVM versions prior to 3.9.5, all versions between 3.10.0 and 3.12.3 (inclusive), and all versions between 3.13.0 and 3.14.1 (inclusive).

CVE-2014-3622

Use-after-free vulnerability in the add_post_var function in the Posthandler component in PHP 5.6.x before 5.6.1 might allow remote attackers to execute arbitrary code by leveraging a third-party filter extension that accesses a certain ksep value.

CVE-2016-1000004

Insufficient type checks were employed prior to casting input data in SimpleXMLElement_exportNode and simplexml_import_dom. This issue affects HHVM versions prior to 3.9.5, all versions between 3.10.0 and 3.12.3 (inclusive), and all versions between 3.13.0 and 3.14.1 (inclusive).

CVE-2015-2104

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.