Mu-B

**Name of the Vulnerable Software and Affected Versions** Oracle Solaris versions 10 and 11.3 **Description** The issue is related to a vulnerability in the Availability Suite Service component of Oracle Solaris, which is associated with inadequate access control. This vulnerability can be easily exploited by a low-privileged attacker with logon access to the infrastructure where Solaris is executed, potentially allowing the attacker to compromise Solaris and resulting in a takeover of the system. The vulnerability enables an attacker to execute arbitrary code and elevate their privileges. **Recommendations** For Oracle Solaris version 10, update to a version that includes the necessary security patches to address the access control weaknesses in the Availability Suite Service component. For Oracle Solaris version 11.3, apply the relevant security fixes to mitigate the vulnerability in the Availability Suite Service component. As a temporary workaround, consider restricting access to the Availability Suite Service component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** DESlock+ version 4.0.2 **Description** The issue allows local users to gain privileges via a crafted IOCTL request to the DLPCryptCore device. Specifically, the `dlpcrypt.sys` kernel driver version 0.1.1.27 is affected. **Recommendations** For DESlock+ version 4.0.2, consider restricting access to the DLPCryptCore device until a patch is available. As a temporary workaround, avoid using the IOCTL 0x80012010 request to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Bopup Communication Server version 3.2.26.5460 **Description** A stack-based buffer overflow issue allows remote attackers to execute arbitrary code via a crafted request to the TCP port 19810. **Recommendations** For Bopup Communication Server version 3.2.26.5460, consider restricting access to TCP port 19810 until a patch is available.

**Name of the Vulnerable Software and Affected Versions** XNU versions 1228.3.13 and earlier Mac OS X versions 10.5.6 and earlier **Description** A heap-based buffer overflow issue exists in the AppleTalk networking stack, allowing remote attackers to cause a denial of service, resulting in a system crash. This is achieved by sending a ZIP NOTIFY packet that overwrites a certain `ifPort` structure member. **Recommendations** For XNU versions 1228.3.13 and earlier, consider disabling the AppleTalk networking stack as a temporary workaround until a patch is available. For Mac OS X versions 10.5.6 and earlier, restrict access to the AppleTalk networking stack to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** XNU versions 1228.9.59 and earlier on Apple Mac OS X versions 10.5.6 and earlier **Description** The issue allows local users to overwrite kernel memory and gain privileges by attaching an HFS+ disk image and performing certain steps involving `HFS GET BOOT INFO` fcntl calls, due to improper restriction of interaction between user space and the HFS IOCTL handler. **Recommendations** For XNU versions 1228.9.59 and earlier on Apple Mac OS X versions 10.5.6 and earlier, consider restricting access to the HFS IOCTL handler as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** XNU versions 1228.8.20 and earlier Mac OS X versions 10.5.6 and earlier **Description** A race condition exists in the HFS vfs sysctl interface, allowing local users to cause a denial of service by executing the same HFS SET PKG EXTENSIONS code path in multiple threads simultaneously. This issue arises due to the lack of mutex locking for a global variable. **Recommendations** For XNU versions 1228.8.20 and earlier, consider applying a patch to implement mutex locking for the global variable to prevent simultaneous access. For Mac OS X versions 10.5.6 and earlier, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** XNU versions 1228.3.13 and earlier Apple Mac OS X versions 10.5.6 and earlier **Description** The issue is related to multiple memory leaks that can cause a denial of service due to kernel memory consumption. This can be triggered by a crafted system call, specifically via (1) `SYS add profil` or (2) `SYS mac getfsstat`. **Recommendations** For XNU versions 1228.3.13 and earlier, consider restricting access to the `SYS add profil` and `SYS mac getfsstat` system calls until a patch is available. For Apple Mac OS X versions 10.5.6 and earlier, apply configuration changes to limit the impact of kernel memory consumption. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FreeBSD versions 7.0 through 7.2 **Description** The issue allows local users to overwrite arbitrary kernel memory via an out-of-bounds timer value in the ktimer feature, which is located in sys/kern/kern time.c. **Recommendations** For versions 7.0 through 7.2, consider disabling the ktimer feature until a patch is available. Restrict access to the sys/kern/kern time.c module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Citrix Deterministic Network Enhancer versions 2.21.7.233 through 3.21.7.17464 **Description** The issue allows local users to gain privileges via a crafted `DNE IOCTL` `DeviceIoControl` request to the ".DNE" device interface. This affects products that use Citrix Deterministic Network Enhancer, including Cisco VPN Client, Blue Coat WinProxy, SafeNet SoftRemote, and HighAssurance Remote. **Recommendations** For Citrix Deterministic Network Enhancer versions 2.21.7.233 through 3.21.7.17464, consider restricting access to the `DNE IOCTL` `DeviceIoControl` request to minimize the risk of exploitation. As a temporary workaround, disabling the `DeviceIoControl` request to the ".DNE" device interface may help until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: DESlock+ version 3.2.7 Description: The issue allows local users to cause a denial of service or potentially execute arbitrary code via a certain request to the ".DLKPFSD Device" endpoint. This is probably related to the use of the `ProbeForRead` function when `ProbeForWrite` was intended. Recommendations: For DESlock+ version 3.2.7, consider disabling the `DLMFENC.sys` driver until a patch is available to prevent potential exploitation. Restrict access to the ".DLKPFSD Device" endpoint to minimize the risk of a denial of service or code execution.

**Name of the Vulnerable Software and Affected Versions** DESlock+ versions 3.2.6 and earlier **Description** The issue allows local users to gain privileges via a certain request to the ".DLKPFSD Device" endpoint, which overwrites a pointer. **Recommendations** For DESlock+ versions 3.2.6 and earlier, consider restricting access to the DLMFENC.sys and DLMFDISK.sys files until a patch is available. As a temporary workaround, avoid using the DLMFENC IOCTL request to the ".DLKPFSD Device" endpoint.

**Name of the Vulnerable Software and Affected Versions** DESlock+ versions 3.2.6 and earlier **Description** The issue allows local users to cause a denial of service, resulting in a system crash, by sending a certain ZERO MEM DLMFENC IOCTL request to the ".DLKPFSD Device" endpoint. This is related to the "ring0 link list zero" vulnerability. **Recommendations** For DESlock+ versions 3.2.6 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DESlock+ versions 3.2.6 and earlier **Description** A memory leak in the DLMFENC.sys driver, version 1.0.0.26, allows local users to cause a denial of service by consuming kernel memory. This is achieved through a series of DLMFENC IOCTL requests to the ".DLKPFSD Device" endpoint, which allocate "link list structures." **Recommendations** For DESlock+ versions 3.2.6 and earlier, consider restricting access to the DLMFENC IOCTL requests to minimize the risk of exploitation. As a temporary workaround, limiting the allocation of "link list structures" may help mitigate the issue until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DESlock+ versions 3.2.6 and earlier **Description** The issue allows local users to gain privileges via a certain request to the ".DLKFDisk Control" API endpoint, which overwrites a data structure associated with a mounted pseudo-filesystem. **Recommendations** For DESlock+ versions 3.2.6 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** KAME project versions prior to 20071201 **Description** The issue is related to the ipcomp6 input function in the KAME project, which does not properly check the return value of the m pulldown function. This allows remote attackers to cause a denial of service, resulting in a system crash, via an IPv6 packet with an IPComp header. **Recommendations** For versions prior to 20071201, update to a version released after 20071201 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SafeNET HighAssurance Remote and SoftRemote IPSecDrv.sys version 10.4.0.12 **Description** The issue allows local users to gain privileges via a crafted IPSECDRV IOCTL IOCTL request. **Recommendations** For IPSecDrv.sys version 10.4.0.12, consider restricting access to the IPSECDRV IOCTL IOCTL request until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AXIGEN Mail Server version 5.0.2 **Description** The issue is related to a format string vulnerability in the AXIMilter module. This vulnerability allows remote attackers to execute arbitrary code via format string specifiers in the CNHO command. **Recommendations** For AXIGEN Mail Server version 5.0.2, consider disabling the AXIMilter module until a patch is available to prevent potential exploitation.

**Name of the Vulnerable Software and Affected Versions** Cisco Systems VPN Client IPSec Driver (CVPNDRVA.sys) version 5.0.02.0090 **Description** The issue allows local users to cause a denial of service by calling the 0x80002038 IOCTL with a small size value, triggering memory corruption. **Recommendations** For Cisco Systems VPN Client IPSec Driver (CVPNDRVA.sys) version 5.0.02.0090, consider avoiding the use of the 0x80002038 IOCTL with small size values to prevent memory corruption until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X versions prior to 10.5.4 **Description** The issue allows remote attackers to cause a denial of service, resulting in a divide-by-zero error and daemon crash, by sending a crafted load balancing packet to UDP port 4112. This is due to a problem in the `accept connections` function in the virtual private network daemon (vpnd). **Recommendations** For Apple Mac OS X versions prior to 10.5.4, update to version 10.5.4 or later to resolve the issue. As a temporary workaround, consider restricting access to UDP port 4112 to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: eXtremail versions 2.1.1 and earlier Description: The issue is caused by an integer overflow that allows remote attackers to potentially execute arbitrary code or cause a denial of service. This is achieved by sending a long USER command containing `%s` sequences to the pop3 port (110/tcp), which are then expanded to `%%s` before being used in the memmove function. Recommendations: For eXtremail versions 2.1.1 and earlier, consider restricting access to the pop3 port (110/tcp) until a fix is available. As a temporary workaround, avoid using the `%s` sequence in the USER command to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.