Netbsd

OpenSSH Race Condition leading to RCE, known as regreSSHion

CVE-2024-6387 8.1 - High - July 01, 2024

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

Race Condition

ftpd before "NetBSD-ftpd 20230930" can leak information about the host filesystem before authentication via an MLSD or MLST command

CVE-2023-45198 7.5 - High - October 05, 2023

ftpd before "NetBSD-ftpd 20230930" can leak information about the host filesystem before authentication via an MLSD or MLST command. tnftpd (the portable version of NetBSD ftpd) before 20231001 is also vulnerable.

In NetBSD through 9.2

CVE-2021-45489 7.5 - High - December 25, 2021

In NetBSD through 9.2, the IPv6 Flow Label generation algorithm employs a weak cryptographic PRNG.

PRNG

In NetBSD through 9.2

CVE-2021-45488 7.5 - High - December 25, 2021

In NetBSD through 9.2, there is an information leak in the TCP ISN (ISS) generation algorithm.

Use of Insufficiently Random Values

In NetBSD through 9.2

CVE-2021-45487 7.5 - High - December 25, 2021

In NetBSD through 9.2, the IPv4 ID generation algorithm does not use appropriate cryptographic measures.

Use of Insufficiently Random Values

In NetBSD through 9.2

CVE-2021-45484 7.5 - High - December 25, 2021

In NetBSD through 9.2, the IPv6 fragment ID generation algorithm employs a weak cryptographic PRNG.

PRNG

An issue was discovered in the kernel in NetBSD 7.1

CVE-2020-26139 5.3 - Medium - May 11, 2021

An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients.

authentification

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data

CVE-2014-3566 3.4 - Low - October 15, 2014

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

Cryptographic Issues

Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android

CVE-2011-0419 - May 16, 2011

Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd.

Allocation of Resources Without Limits or Throttling

The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors

CVE-2008-4609 - October 20, 2008

The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress.

Configuration

Integer overflow in banner/banner.c in FreeBSD, NetBSD, and OpenBSD might allow local users to modify memory via a long banner

CVE-2006-6397 - December 08, 2006

Integer overflow in banner/banner.c in FreeBSD, NetBSD, and OpenBSD might allow local users to modify memory via a long banner. NOTE: CVE and multiple third parties dispute this issue. Since banner is not setuid, an exploit would not cross privilege boundaries in normal operations. This issue is not a vulnerability

ld.so in FreeBSD, NetBSD, and possibly other BSD distributions does not remove certain harmful environment variables, which

CVE-2006-6165 - November 29, 2006

ld.so in FreeBSD, NetBSD, and possibly other BSD distributions does not remove certain harmful environment variables, which allows local users to gain privileges by passing certain environment variables to loading processes. NOTE: this issue has been disputed by a third party, stating that it is the responsibility of the application to properly sanitize the environment

TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers

CVE-2004-0230 - August 18, 2004

TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.

Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands

CVE-2003-0466 9.8 - Critical - August 27, 2003

Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.

off-by-five

Buffer overflow in Sendmail 5.79 to 8.12.7

CVE-2002-1337 - March 07, 2003

Buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, related to sender and recipient header comments as processed by the crackaddr function of headers.c.

Classic Buffer Overflow

tip on multiple BSD-based operating systems

CVE-2002-1915 5.5 - Medium - December 31, 2002

tip on multiple BSD-based operating systems allows local users to cause a denial of service (execution prevention) by using flock() to lock the /var/log/acculog file.

Improper Locking

Buffer overflow in BSD-based telnetd telnet daemon on various operating systems

CVE-2001-0554 - August 14, 2001

Buffer overflow in BSD-based telnetd telnet daemon on various operating systems allows remote attackers to execute arbitrary commands via a set of options including AYT (Are You There), which is not properly handled by the telrcv function.

Classic Buffer Overflow

XFree86 startx command is vulnerable to a symlink attack

CVE-1999-0433 - March 21, 1999

XFree86 startx command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.

umapfs allows local users to gain root privileges by changing their uid through a malicious mount_umap program.

CVE-1999-0420 - March 17, 1999

umapfs allows local users to gain root privileges by changing their uid through a malicious mount_umap program.

In some cases, NetBSD 1.3.3 mount allows local users to execute programs in some file systems

CVE-1999-0422 - March 17, 1999

In some cases, NetBSD 1.3.3 mount allows local users to execute programs in some file systems that have the "noexec" flag set.

A race condition between the select() and accept() calls in NetBSD TCP servers

CVE-1999-0396 - February 17, 1999

A race condition between the select() and accept() calls in NetBSD TCP servers allows remote attackers to cause a denial of service.

Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.

CVE-1999-0303 - May 21, 1998

Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.

mmap function in BSD

CVE-1999-0304 - February 01, 1998

mmap function in BSD allows local attackers in the kmem group to modify memory through devices.

ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack

CVE-1999-0513 - January 05, 1998

ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service.

FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client

CVE-1999-0017 - December 10, 1997

FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce.

Land IP denial of service.

CVE-1999-0016 - December 01, 1997

Land IP denial of service.

The rwho/rwhod service is running

CVE-1999-0628 - July 01, 1997

The rwho/rwhod service is running, which exposes machine status and user information.

Listening TCP ports are sequentially allocated

CVE-1999-0074 - July 01, 1997

Listening TCP ports are sequentially allocated, allowing spoofing attacks.

Buffer overflow of rlogin program using TERM environmental variable.

CVE-1999-0046 - February 06, 1997

Buffer overflow of rlogin program using TERM environmental variable.

Classic Buffer Overflow

Buffer overflow in Vixie Cron library up to version 3.0

CVE-1999-0297 - December 12, 1996

Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable.