ASA-2019-00574 – libssh2: Out-of-bounds read when connecting to a malicious SSH server

There is an out-of-bounds read vulnerability, potentially leading to either denial of service or remote information disclosure. It is triggered when libssh2 is used to connect to a malicious SSH server. The overflow occurs when the SSH server sends a disconnect message, which means that the vulnerability can be triggered early in the connection process, before authentication is completed.

ASA-2019-00547 – VMware: Out-of-bounds read/write vulnerabilities on virtual machine with 3D graphics enabled

VMware ESXi, Workstation and Fusion contain out-of-bounds read/write vulnerabilities in the pixel shader functionality.  Exploitation of these issues require an attacker to have access to a virtual machine with 3D graphics enabled. It is not enabled by default on ESXi and is enabled by default on Workstation and Fusion. Successful exploitation of the out-of-bounds read issue (CVE-2019-5521) may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on the host. The out-of-bounds write issue (CVE-2019-5684) can be exploited only if the host has an affected NVIDIA graphics driver. Successful exploitation of this issue may lead to code execution on the host. 

ASA-2019-00526 – wolfSSL wolfCrypt: Out-of-bounds read in GetLength_ex()

wolfSSL 4.1.0 has a one-byte heap-based buffer over-read in DecodeCertExtensions() and DecodeOcspRespExtensions() in wolfcrypt/src/asn.c because reading the ASN_BOOLEAN byte is mishandled for a crafted DER certificate in GetLength_ex().

ASA-2019-00509 – FreeBSD: Insufficient message length validation in bsnmp library

A function extracting the length from type-length-value encoding is not properly validating the submitted length. A remote user could cause, for example, an out-of-bounds read, decoding of unrelated data, or trigger a crash of the software such as bsnmpd resulting in a denial of service.

ASA-2019-00508 – FreeBSD: ICMPv6 / MLDv2 out-of-bounds memory access

The ICMPv6 input path incorrectly handles cases where an MLDv2 listener query packet is internally fragmented across multiple mbufs. A remote attacker may be able to cause an out-of-bounds read or write that may cause the kernel to attempt to access an unmapped page and subsequently panic.