ftp://ftp.vim.org/pub/vim/patches/6.2.429

ftp://ftp.vim.org/pub/vim/patches/6.3/6.3.059

APPLE-SA-2008-10-09

32222

32858

33410

http://support.apple.com/kb/HT3216

http://support.avaya.com/elmodocs2/security/ASA-2009-001.htm

[oss-security] 20080715 Re: Re: More arbitrary code executions in Netrw

[oss-security] 20080731 Re: Re: More arbitrary code executions in Netrw

RHSA-2008:0617

20090401 VMSA-2009-0004 ESX Service Console updates for openssl, bind, and vim

30648

31681

http://www.vmware.com/security/advisories/VMSA-2009-0004.html

ADV-2008-2780

ADV-2009-0033

ADV-2009-0904

https://bugzilla.redhat.com/show_bug.cgi?id=455455

vim-mchexpandwildcards-bo(44722)

oval:org.mitre.oval:def:11203

oval:org.mitre.oval:def:5987

The remote VMware ESX host is missing a security-related patch. It is, therefore, is affected by multiple vulnerabilities :

  - A format string flaw exists in the Vim help tag     processor in the helptags_one() function that allows a     remote attacker to execute arbitrary code by tricking a     user into executing the 'helptags' command on malicious     help files. (CVE-2007-2953)

  - Multiple flaws exist in the Vim system functions due to     a failure to sanitize user-supplied input. An attacker     can exploit these to execute arbitrary code by tricking     a user into opening a crafted file. (CVE-2008-2712)

  - A heap-based buffer overflow condition exists in the Vim     mch_expand_wildcards() function. An attacker can exploit     this, via shell metacharacters in a crafted file name,     to execute arbitrary code. (CVE-2008-3432)

  - Multiple flaws exist in Vim keyword and tag handling due     to improper handling of escape characters. An attacker     can exploit this, via a crafted document, to execute     arbitrary shell commands or Ex commands. (CVE-2008-4101)

  - A security bypass vulnerability exists in OpenSSL due to     a failure to properly check the return value from the     EVP_VerifyFinal() function. A remote attacker can     exploit this, via a malformed SSL/TLS signature for DSA     and ECDSA keys, to bypass the validation of the     certificate chain. (CVE-2008-5077)

  - A security bypass vulnerability exists in BIND due to a     failure to properly check the return value from the     OpenSSL DSA_verify() function. A remote attacker can     exploit this, via a malformed SSL/TLS signature, to     bypass the validation of the certificate chain on those     systems using DNSSEC. (CVE-2009-0025)

From Red Hat Security Advisory 2008:0617 :

Updated vim packages that fix various security issues are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Vim (Visual editor IMproved) is an updated and improved version of the vi editor.

Several input sanitization flaws were found in Vim's keyword and tag handling. If Vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-4101)

A heap-based overflow flaw was discovered in Vim's expansion of file name patterns with shell wildcards. An attacker could create a specially crafted file or directory name that, when opened by Vim, caused the application to crash or, possibly, execute arbitrary code.
(CVE-2008-3432)

Several input sanitization flaws were found in various Vim system functions. If a user opened a specially crafted file, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-2712)

Ulf Harnhammar, of Secunia Research, discovered a format string flaw in Vim's help tag processor. If a user was tricked into executing the 'helptags' command on malicious data, arbitrary code could be executed with the permissions of the user running Vim. (CVE-2007-2953)

All Vim users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

Several input sanitization flaws were found in Vim's keyword and tag handling. If Vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-4101)

SL3 and SL4 Only: A heap-based overflow flaw was discovered in Vim's expansion of file name patterns with shell wildcards. An attacker could create a specially crafted file or directory name that, when opened by Vim, caused the application to crash or, possibly, execute arbitrary code. (CVE-2008-3432)

SL5 Only: Multiple security flaws were found in netrw.vim, the Vim plug-in providing file reading and writing over the network. If a user opened a specially crafted file or directory with the netrw plug-in, it could result in arbitrary code execution as the user running Vim.
(CVE-2008-3076)

SL5 Only: A security flaw was found in zip.vim, the Vim plug-in that handles ZIP archive browsing. If a user opened a ZIP archive using the zip.vim plug-in, it could result in arbitrary code execution as the user running Vim. (CVE-2008-3075)

SL5 Only: A security flaw was found in tar.vim, the Vim plug-in which handles TAR archive browsing. If a user opened a TAR archive using the tar.vim plug-in, it could result in arbitrary code execution as the user runnin Vim. (CVE-2008-3074)

Several input sanitization flaws were found in various Vim system functions. If a user opened a specially crafted file, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-2712)

Ulf H&auml;rnhammar, of Secunia Research, discovered a format string flaw in Vim's help tag processor. If a user was tricked into executing the 'helptags' command on malicious data, arbitrary code could be executed with the permissions of the user running Vim. (CVE-2007-2953)

Description for CVE-2008-3432 says :

Heap-based buffer overflow in the mch_expand_wildcards function in os_unix.c in Vim 6.2 and 6.3 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames, as demonstrated by the netrw.v3 test case.

a. Updated OpenSSL package for the Service Console fixes a    security issue.

   OpenSSL 0.9.7a-33.24 and earlier does not properly check the return    value from the EVP_VerifyFinal function, which could allow a remote    attacker to bypass validation of the certificate chain via a    malformed SSL/TLS signature for DSA and ECDSA keys.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2008-5077 to this issue.

b. Update bind package for the Service Console fixes a security issue.

   A flaw was discovered in the way Berkeley Internet Name Domain    (BIND) checked the return value of the OpenSSL DSA_do_verify    function. On systems using DNSSEC, a malicious zone could present    a malformed DSA certificate and bypass proper certificate    validation, allowing spoofing attacks.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2009-0025 to this issue.

c. Updated vim package for the Service Console addresses several    security issues.

   Several input flaws were found in Visual editor IMproved's (Vim)    keyword and tag handling. If Vim looked up a document's maliciously    crafted tag or keyword, it was possible to execute arbitrary code as    the user running Vim.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2008-4101 to this issue.

   A heap-based overflow flaw was discovered in Vim's expansion of file    name patterns with shell wildcards. An attacker could create a    specially crafted file or directory name, when opened by Vim causes    the application to stop responding or execute arbitrary code.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2008-3432 to this issue.

   Several input flaws were found in various Vim system functions. If a    user opened a specially crafted file, it was possible to execute    arbitrary code as the user running Vim.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2008-2712 to this issue.

   A format string flaw was discovered in Vim's help tag processor. If    a user was tricked into executing the 'helptags' command on    malicious data, arbitrary code could be executed with the    permissions of the user running VIM.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2007-2953 to this issue.

Updated vim packages that fix various security issues are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Vim (Visual editor IMproved) is an updated and improved version of the vi editor.

Several input sanitization flaws were found in Vim's keyword and tag handling. If Vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-4101)

A heap-based overflow flaw was discovered in Vim's expansion of file name patterns with shell wildcards. An attacker could create a specially crafted file or directory name that, when opened by Vim, caused the application to crash or, possibly, execute arbitrary code.
(CVE-2008-3432)

Several input sanitization flaws were found in various Vim system functions. If a user opened a specially crafted file, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-2712)

Ulf Harnhammar, of Secunia Research, discovered a format string flaw in Vim's help tag processor. If a user was tricked into executing the 'helptags' command on malicious data, arbitrary code could be executed with the permissions of the user running Vim. (CVE-2007-2953)

All Vim users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have the security update 2008-007 applied. 

This security update contains fixes for the following products :

  - Apache
  - Certificates
  - ClamAV
  - ColorSync
  - CUPS
  - Finder
  - launchd
  - libxslt
  - MySQL Server
  - Networking
  - PHP
  - Postfix
  - PSNormalizer
  - QuickLook
  - rlogin
  - Script Editor
  - Single Sign-On
  - Tomcat
  - vim
  - Weblog

ID	Name	Product	Family	Severity
89112	VMware ESX Multiple Vulnerabilities (VMSA-2009-0004) (remote check)	Nessus	Misc.	high
67732	Oracle Linux 3 / 4 : vim (ELSA-2008-0617)	Nessus	Oracle Linux Local Security Checks	high
60500	Scientific Linux Security Update : vim on SL3.x, SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
49167	FreeBSD : vim6 -- heap-based overflow while parsing shell metacharacters (f866d2af-bbba-11df-8a8d-0008743bf21a)	Nessus	FreeBSD Local Security Checks	medium
40389	VMSA-2009-0004 : ESX Service Console updates for openssl, bind, and vim	Nessus	VMware ESX Local Security Checks	high
37794	CentOS 3 / 4 : vim (CESA-2008:0617)	Nessus	CentOS Local Security Checks	high
34954	RHEL 3 / 4 : vim (RHSA-2008:0617)	Nessus	Red Hat Local Security Checks	high
34374	Mac OS X Multiple Vulnerabilities (Security Update 2008-007)	Nessus	MacOS X Local Security Checks	critical

CVE-2008-3432

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

medium

high

high

high

critical