September 29, 2016

NVIDIA fixes root privilege escalation in its Linux drivers

(LiveHacking.com) — Over a month ago an anonymous coder sent a small C program to Dave Airlie, who maintains the Direct Rendering Manager (DRM) subsystem in the Linux kernel, that allows an attacker to gain root access to a Linux machine by exploiting a vulnerability in NVIDIA’s Linux drivers.

The exploit works by using a vulnerability in the /dev/nvidia0 device, which allows the VGA window to be moved around until it can read and write to somewhere useful in physical RAM. Then the exploit performs a root privilege escalation by writing directly to kernel memory.

Over a month has passed since information about the vulnerability was submitted to NVIDIA, and the graphics company has not responded. As a result, Airlie has made the exploit public.

“I was given this anonymously, it has been sent to nvidia over a month ago with no reply or advisory and the original author wishes to remain anonymous but would like to have the exploit published at this time, so I said I’d post it for them,” wrote Dave Airlie in a post to a security mailing list.

NVIDIA has now released version 304.32 of its drivers for Linux, FreeBSD and Solaris. The updated driver contains a hotfix to block access to the registers involved in this attack. At the same time NVIDIA has also blocked access to some other registers which it identified as being susceptible to a similar type of attack.

The 295.71 driver is available for download at the NVIDIA FTP site:

32-bit Linux: ftp://download.nvidia.com/XFree86/Linux-x86/295.71/
64-bit Linux: ftp://download.nvidia.com/XFree86/Linux-x86_64/295.71/

Solaris: ftp://download.nvidia.com/solaris/295.71/

32-bit FreeBSD: ftp://download.nvidia.com/XFree86/FreeBSD-x86/295.71/
64-bit FreeBSD: ftp://download.nvidia.com/XFree86/FreeBSD-x86_64/295.71/

The 304.32 driver is also available for download at the NVIDIA FTP site:

32-bit Linux: ftp://download.nvidia.com/XFree86/Linux-x86/304.32/
64-bit Linux: ftp://download.nvidia.com/XFree86/Linux-x86_64/304.32/

Solaris: ftp://download.nvidia.com/solaris/304.32/

32-bit FreeBSD: ftp://download.nvidia.com/XFree86/FreeBSD-x86/304.32/
64-bit FreeBSD: ftp://download.nvidia.com/XFree86/FreeBSD-x86_64/304.32/

Details about the updated driver and the patches are available at: http://nvidia.custhelp.com/app/answers/detail/a_id/3140

Oracle to patch 88 new security vulnerabilities

(LiveHacking.Com) – Oracle has published a pre-release announcement for a Critical Patch Update that the company intends to make public on Tuesday, July 17, 2012. Oracle’s Critical Patch Updates are collections of patches designed to address security vulnerabilities in the Oracle product range. July’s Critical Patch Update contains fixes for 88 security vulnerabilities.

The most significant products to be patched include Oracle Database 11g, Oracle Database 10g, GlassFish Enterprise Server, Solaris and MySQL. This Critical Patch Update contains four security fixes for the Oracle Database Server. Three of these vulnerabilities may be remotely exploitable without authentication; however, none of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.

25 vulnerabilities will also be patched in the Oracle Sun Products Suite (which includes the GlassFish Enterprise Server and Solaris). 17 of these vulnerabilities may be remotely exploitable without authentication. Oracle will also fix 6 security problems in MySQL; however, none of these vulnerabilities may be remotely exploitable without authentication.

The full list of affected products is:

  • Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
  • Oracle Database 11g Release 1, version 11.1.0.7
  • Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
  • Oracle Secure Backup, versions 10.3.0.3, 10.4.0.1
  • Oracle Fusion Middleware 11g Release 2, version 11.1.2.0
  • Oracle Fusion Middleware 11g Release 1, versions 11.1.1.5, 11.1.1.6
  • Oracle Application Server 10g Release 3, version 10.1.3.5
  • Oracle Identity Management 10g, version 10.1.4.3
  • Hyperion BI+, version 11.1.1.x
  • Oracle JRockit, versions R28.2.3 and earlier, R27.7.2 and earlier
  • Oracle Map Viewer, versions 10.1.3.1, 11.1.1.5, 11.1.1.6
  • Oracle Outside In Technology, versions 8.3.5, 8.3.7
  • Enterprise Manager Plugin for Database 12c Release 1, versions 12.1.0.1, 12.1.0.2
  • Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1
  • Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5
  • Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3
  • Oracle E-Business Suite Release 11i, version 11.5.10.2
  • Oracle Transportation Management, versions 5.5.06, 6.0, 6.1, 6.2
  • Oracle AutoVue, versions 20.0.2, 20.1
  • Oracle PeopleSoft Enterprise HRMS, versions 9.0, 9.1
  • Oracle PeopleSoft Enterprise PeopleTools, versions 8.50, 8.51, 8.52
  • Oracle Siebel CRM, versions 8.1.1, 8.2.2
  • Oracle Clinical Remote Data Capture Option, versions 4.6, 4.6.2, 4.6.3
  • Oracle Sun Product Suite
  • Oracle MySQL Server, versions 5.1, 5.5

Oracle Releases 88 New Security Fixes

(LiveHacking.Com) – Oracle has released a massive security update to fix 88 security vulnerabilities, many of which are remote code execution issues that can be exploited without user authentication. The update affects a whole range of Oracle products including Oracle Database 10g and 11g, Oracle JDeveloper, Oracle PeopleSoft Enterprise, Solaris and MySQL.

Oracle Database
Among the patches are six security fixes for the Oracle Database Server. Three of these vulnerabilities may be remotely exploitable without authentication (meaning that they can be exploited over a network without the need for a username and password). One of these fixes is applicable to client-only installations (in other words, installations that do not have the Oracle Database Server installed).

Solaris
The Oracle update includes 15 new security fixes for the Oracle Sun Products Suite. Five of these vulnerabilities may be remotely exploitable without authentication. Eight of the fixes are for Solaris and cover Solaris 8, 9, 10 and 11. There are also fixes for the GlassFish Enterprise Server, which has two remotely exploitable vulnerabilities.

MySQL
MySQL has also been updated. There are six new security fixes but none of these vulnerabilities are remotely exploitable without authentication.

The Rest

  • 11 new security fixes for Oracle Fusion Middleware. 9 of these vulnerabilities may be remotely exploitable without authentication.
  • 6 new security fixes for Oracle Enterprise Manager Grid Control. 4 of these vulnerabilities may be remotely exploitable without authentication.
  • 4 new security fixes for the Oracle E-Business Suite. All of these vulnerabilities may be remotely exploitable without authentication.
  • 5 new security fixes for the Oracle Supply Chain Products Suite. 4 of these vulnerabilities may be remotely exploitable without authentication.
  • 15 new security fixes for Oracle PeopleSoft Products. 1 of these vulnerabilities may be remotely exploitable without authentication.
  • 2 new security fixes for Oracle Industry Applications.
  • 17 new security fixes for Oracle Financial Services Software. 1 of these vulnerabilities may be remotely exploitable without authentication.
  • 1 new security fix for the Oracle Primavera Products Suite. This vulnerability is remotely exploitable without authentication.

Oracle Releases Massive Set of Patches

(LiveHacking.Com) – Oracle has released 76 patches affecting hundreds of its products including Java. 56 of the patches are for non-Java-related Oracle products including Oracle’s 11g and 10g database, Fusion Middleware 11g, Oracle Application Server 10g, E-Business Suite releases 12 and 11i, various Oracle PeopleSoft Enterprise products, Oracle Siebel CRM, Oracle Linux 5, and Oracle Sun Ray.

Before buying Sun, Oracle was known mainly for its database products. October’s Critical Patch Update includes patches for 5 vulnerabilities in its database products; however, none are rated as critical, as they can’t be exploited remotely without the attacker using a username and password.

The other 20 patches are for Java and affect products like JavaFX and JRockit. 19 of the 20 can be exploited remotely without the need for authentication.

Affected Java versions:

  • JDK and JRE 7
  • JDK and JRE 6 Update 27 and earlier
  • JDK and JRE 5.0 Update 31 and earlier
  • SDK and JRE 1.4.2_33 and earlier
  • JavaFX 2.0
  • JRockit R28.1.4 and earlier (JDK and JRE 6 and 5.0)

Due to the threat posed by a successful attack, Oracle is strongly recommending that customers apply these fixes as soon as possible.