A number of vulnerabilities have surfaced in the operating system (OS) components shipped with ACOS 3.x and 4.x. The following vulnerabilities are addressed in this document.
| # | Vulnerability ID | CVSS Version | Score | Summary |
|---|---|---|---|---|
| 1 | CVE-2015-2059 | CVSS 2.0 | 7.5 High | libidn: out-of-bounds read with stringprep on invalid UTF-8 |
| 2 | CVE-2011-1425 | CVSS 2.0 | 7.5 High | xmlsec1: arbitrary file creation when verifying signatures |
| 3 | CVE-2015-7696 | CVSS 3.0 | 6.8 Med | unzip: heap overflow and DoS in 6.0 |
| 4 | CVE-2014-9471 | CVSS 2.0 | 7.5 High | coreutils: memory corruption flaw in parse_datetime() |
| 5 | CVE-2016-4008 | CVSS 3.0 | 5.9 Med | libtasn1: infinite loop while parsing DER certificates |
| 6 | CVE-2015-2806 | CVSS 2.0 | 10.0 High | libtasn1: stack overflow in asn1_der_decoding |
| 7 | CVE-2015-1782 | CVSS 2.0 | 6.8 Med | libssh2: using SSH_MSG_KEXINIT data unbounded |
| 8 | CVE-2013-2154 | CVSS 2.0 | 7.5 High | xml-security-c: stack-based buffer overflow when evaluating certain XPointer expressions |
| 9 | CVE-2013-2156 | CVSS 2.0 | 7.5 High | xml-security-c: heap-based buffer overflow when processing certain PrefixList attribute values in the Exclusive Canonicalization mode |
| 10 | CVE-2013-2210 | CVSS 2.0 | 7.5 High | xml-security-c: heap-buffer overflow during XPointer evaluation |
| 11 | CVE-2014-8121 | CVSS 2.0 | 5.0 Med | glibc: unexpected closing of nss_files databases after lookups causes denial of service |
| 12 | CVE-2017-7308 | CVSS 3.0 | 7.8 High | kernel: net/packet: overflow in check for priv area size |
| 13 | CVE-2017-7294 | CVSS 3.0 | 7.8 High | kernel: drm/vmwgfx: integer overflow in vmw_surface_define_ioctl() |
| 14 | CVE-2017-7187 | CVSS 3.0 | 7.8 High | kernel: scsi: stack-based buffer overflow in sg_ioctl function |
| 15 | CVE-2017-7184 | CVSS 3.0 | 7.8 High | kernel: out-of-bounds heap access in xfrm |
| 16 | CVE-2017-2636 | CVSS 3.0 | 7.8 High | kernel: race condition access to n_hdlc.tbuf causes double free in n_hdlc_release() |
| 17 | CVE-2016-10200 | CVSS 3.0 | 7.0 High | kernel: l2tp: race condition in the L2TPv3 IP encapsulation feature |
| 18 | CVE-2017-5972 | CVSS 3.0 | 7.5 High | kernel: SYN cookie protection mechanism not properly implemented |
The table below indicates releases of ACOS exposed to these vulnerabilities and ACOS releases that address these issues or are otherwise unaffected by them.
Customers running an affected ACOS release should update to the indicated resolved release. Where the table lists no resolved or unaffected release for an affected range, no ACOS update is currently available for it.
| Releases Affected | Releases Resolved or Unaffected |
|---|---|
| 4.1.2 – 4.1.2-P1 | |
| 4.1.1 – 4.1.1-P3 | |
| 4.1.0 – 4.1.0-P9 | 4.1.0-P10 (a), 4.1.0-P11 (b) |
| 3.1.0-P1 – 3.2.1-P1 | |

(a) Addresses items 1 – 11 listed above.
(b) Additionally addresses items 12 – 18 listed above.
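The release table is easy to misread for patch builds: 4.1.0-P10 closes only items 1 through 11, and a build newer than the last listed affected release (for example 4.1.1-P4) is not thereby declared fixed; the table simply has no entry for it. The following Python is an added example, not A10 tooling, that encodes the table above and its two footnotes so an inventory of ACOS release strings can be checked mechanically. It assumes release strings of the form MAJOR.MINOR.MICRO with an optional -P<n> patch suffix, as used in the table.

```python
"""Map ACOS release strings onto the advisory's release table.

Added example, not A10 tooling. Ranges and footnotes are taken from the
table above; release strings are assumed to look like "4.1.0-P10".
"""
import re

ITEMS_1_TO_11 = frozenset(range(1, 12))    # footnote (a): fixed in 4.1.0-P10
ITEMS_12_TO_18 = frozenset(range(12, 19))  # footnote (b): fixed in 4.1.0-P11
ALL_ITEMS = ITEMS_1_TO_11 | ITEMS_12_TO_18

_REL = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?$", re.IGNORECASE)


def parse_release(s):
    """'4.1.0-P10' -> (4, 1, 0, 10); a release without -P<n> gets patch 0.

    Raises ValueError for strings that do not match the assumed format, so a
    typo in an inventory is reported rather than silently treated as safe.
    """
    m = _REL.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised ACOS release string: {s!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


# Inclusive affected ranges, exactly as listed in the table.
AFFECTED_RANGES = [
    (parse_release("4.1.2"), parse_release("4.1.2-P1")),
    (parse_release("4.1.1"), parse_release("4.1.1-P3")),
    (parse_release("4.1.0"), parse_release("4.1.0-P9")),
    (parse_release("3.1.0-P1"), parse_release("3.2.1-P1")),
]


def unresolved_items(release):
    """Return the advisory item numbers still open on `release`.

    - inside an affected range:               all 18 items
    - 4.1.0-P10:                              items 12-18 (footnote a)
    - 4.1.0-P11 or a later 4.1.0 patch:       empty set (footnote b)
    - any other release:                      None, meaning the table does
      not cover it; treat None as "consult the current advisory", not as safe.
    """
    r = parse_release(release)
    for low, high in AFFECTED_RANGES:
        if low <= r <= high:
            return set(ALL_ITEMS)
    if r[:3] == (4, 1, 0):
        if r[3] == 10:
            return set(ITEMS_12_TO_18)
        if r[3] >= 11:
            return set()
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for rel in ["4.1.0-P9", "4.1.0-P10", "4.1.0-P11", "4.1.1-P3", "4.1.1-P4", "3.2.0"]:
        open_items = unresolved_items(rel)
        status = "not covered by table" if open_items is None else (
            "clean" if not open_items else f"open items {sorted(open_items)}")
        print(f"{rel:12s} {status}")
```

Tuple comparison does the range work: 3.2.0 parses to (3, 2, 0, 0), which sits between 3.1.0-P1 and 3.2.1-P1, while plain 3.1.0 parses to (3, 1, 0, 0) and falls below the listed range, so it is reported as not covered rather than as affected.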
Common industry security best practices for network appliance management and control planes can enhance protection against remote attacks. Limit the exploitable attack surface of critical infrastructure networking equipment by using access lists or firewall filters so that management-plane traffic is permitted only to and from trusted administrative networks or hosts. Note that kernel items 12 through 17 are described below as local flaws that require an attacker to already be executing code on the appliance (several additionally require the CAP_NET_RAW or CAP_NET_ADMIN capability), so restricting who can reach the management plane also reduces practical exposure to them; item 18 and several of the library parsing flaws are described as triggerable by remote input.
Software updates that address these vulnerabilities are or will be published at the following URL:
The following table shares brief descriptions for the vulnerabilities addressed in this document.
| Vulnerability ID | Vulnerability Description |
|---|---|
| CVE-2015-2059 | The stringprep_utf8_to_ucs4 function in libidn before 1.31, as used in jabberd2, allows context-dependent attackers to read system memory and possibly have other unspecified impact via invalid UTF-8 characters in a string, which triggers an out-of-bounds read. |
| CVE-2011-1425 | xslt.c in XML Security Library (aka xmlsec) before 1.2.17, as used in WebKit and other products, when XSLT is enabled, allows remote attackers to create or overwrite arbitrary files via vectors involving the libxslt output extension and a ds:Transform element during signature verification. |
| CVE-2015-7696 | Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly execute arbitrary code via a crafted password-protected ZIP archive, possibly related to an Extra-Field size value. |
| CVE-2014-9471 | The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the "--date=TZ="123"345" @1" string to the touch or date command. |
| CVE-2016-4008 | The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.8, when used without the ASN1_DECODE_FLAG_STRICT_DER flag, allows remote attackers to cause a denial of service (infinite recursion) via a crafted certificate. |
| CVE-2015-2806 | Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows remote attackers to have unspecified impact via unknown vectors. |
| CVE-2015-1782 | The kex_agree_methods function in libssh2 before 1.5.0 allows remote servers to cause a denial of service (crash) or have other unspecified impact via crafted length values in an SSH_MSG_KEXINIT packet. |
| CVE-2013-2154 | Stack-based buffer overflow in the XML Signature Reference functionality (xsec/dsig/DSIGReference.cpp) in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via malformed XPointer expressions, probably related to the DSIGReference::getURIBaseTXFM function. |
| CVE-2013-2156 | Heap-based buffer overflow in the Exclusive Canonicalization functionality (xsec/canon/XSECC14n20010315.cpp) in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PrefixList attribute. |
| CVE-2013-2210 | Heap-based buffer overflow in the XML Signature Reference functionality in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.2 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via malformed XPointer expressions. NOTE: this is due to an incorrect fix for CVE-2013-2154. |
| CVE-2014-8121 | DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up on a database while iterating over it, which triggers the file pointer to be reset. |
| CVE-2017-7308 | The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls. |
| CVE-2017-7294 | The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.6 does not validate addition of certain levels data, which allows local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device. |
| CVE-2017-7187 | The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel through 4.10.4 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function. |
| CVE-2017-7184 | The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52. |
| CVE-2017-2636 | Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline. |
| CVE-2016-10200 | Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c. |
| CVE-2017-5972 | The TCP stack in the Linux kernel 3.x does not properly implement a SYN cookie protection mechanism for the case of a fast network connection, which allows remote attackers to cause a denial of service (CPU consumption) by sending many TCP SYN packets, as demonstrated by an attack against the kernel-3.10.0 package in CentOS Linux 7. NOTE: third parties have been unable to discern any relationship between the GitHub Engineering finding and the Trigemini.c attack code. |
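Most of the library descriptions above state a first fixed upstream version ("before 1.31", "before 1.7.2") or a last vulnerable one ("2.21 and earlier"). The Python below is an added example, not A10 or upstream-project code, that turns those thresholds into a check over a component inventory; the inventory it runs on is constructed sample input. It deliberately shows the CVE-2013-2154/CVE-2013-2210 case, where a build at exactly 1.7.1 carries the first fix but not the corrected one. The kernel items are left out on purpose: distribution kernels backport fixes, so comparing a version string against "through 4.10.6" proves nothing; for the same reason, treat the libraries' results as a triage hint and confirm against the vendor's changelog.

```python
"""Flag upstream component versions still exposed to the CVEs listed above.

Added example, not A10 or upstream code. Thresholds come verbatim from the
descriptions; SAMPLE_INVENTORY is constructed input, not a real system.
"""
import re

# component -> [(cve, kind, version)]
#   kind "before":  vulnerable iff installed <  version  ("... before 1.31")
#   kind "through": vulnerable iff installed <= version  ("2.21 and earlier")
FIXED_IN = {
    "libidn":         [("CVE-2015-2059", "before", "1.31")],
    "xmlsec":         [("CVE-2011-1425", "before", "1.2.17")],
    "libtasn1":       [("CVE-2016-4008", "before", "4.8"),
                       ("CVE-2015-2806", "before", "4.4")],
    "libssh2":        [("CVE-2015-1782", "before", "1.5.0")],
    "xml-security-c": [("CVE-2013-2154", "before", "1.7.1"),
                       ("CVE-2013-2156", "before", "1.7.1"),
                       ("CVE-2013-2210", "before", "1.7.2")],
    "glibc":          [("CVE-2014-8121", "through", "2.21")],
}


def vtuple(v):
    """Numeric prefix of a version string: '1.2.17-3.el7' -> (1, 2, 17).

    Everything after the first '-' (a packaging release suffix) is ignored, so
    a string compare bug like '1.2.9' > '1.2.17' cannot occur.
    """
    parts = re.findall(r"\d+", v.split("-", 1)[0])
    if not parts:
        raise ValueError(f"no numeric version in {v!r}")
    return tuple(int(p) for p in parts)


def vcmp(a, b):
    """Return -1, 0 or 1; short versions are zero-padded so '1.5' == '1.5.0'."""
    ta, tb = vtuple(a), vtuple(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def is_exposed(installed, kind, threshold):
    c = vcmp(installed, threshold)
    return c < 0 if kind == "before" else c <= 0


def open_cves(installed):
    """installed: {component: version}. Returns {component: [cve, ...]} for
    components with at least one open CVE; components without a threshold
    in FIXED_IN (e.g. coreutils above) are skipped, not reported clean."""
    result = {}
    for comp, version in installed.items():
        hits = [cve for cve, kind, thr in FIXED_IN.get(comp, ())
                if is_exposed(version, kind, thr)]
        if hits:
            result[comp] = hits
    return result


# Constructed sample inventory (assumption for the example, not real data).
SAMPLE_INVENTORY = {
    "libidn": "1.30",
    "xmlsec": "1.2.20",
    "libtasn1": "4.5",
    "libssh2": "1.4.3",
    "xml-security-c": "1.7.1",  # first fix present, corrected fix (1.7.2) absent
    "glibc": "2.21",
    "coreutils": "8.22",        # no version threshold given in the descriptions
}

if __name__ == "__main__":
    for comp, cves in sorted(open_cves(SAMPLE_INVENTORY).items()):
        print(f"{comp:16s} {', '.join(cves)}")
```

On the sample inventory the check reports libidn, libtasn1 (4.5 is past the 4.4 fix but short of 4.8), libssh2, glibc, and xml-security-c for CVE-2013-2210 only.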
August 07, 2017
March 07, 2018
Update release information for ACOS 4.1.0.
© Copyright 2018 A10 Networks, Inc. All Rights Reserved.
This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability, non-infringement or fitness for a particular use. Your use of the information in this document or materials linked from this document is at your own risk. A10 Networks, Inc. reserves the right to change or update the information in this document at any time.