VARIoT IoT vulnerabilities database
| VAR-201206-0336 | CVE-2012-0677 | Apple iTunes Heap-based buffer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Apple iTunes before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted .m3u playlist. Apple iTunes is prone to a heap-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. iTunes is a free application for your Mac or PC. It lets you organize and play digital music and video on your computer. It can automatically download new music, app, and book purchases across all your devices and computers. And it’s a store that has everything you need to be entertained. Anywhere. a specially crafted .M3U file. Successful exploitation could allow execution of arbitrary code on the affected node.
--------------------------------------------------------------------------------
(940.fc0): Access violation - code c0000005 (!!! second chance !!!)
eax=41414141 ebx=08508cd8 ecx=41414141 edx=052a6528 esi=052a64b0 edi=0559ef20
eip=41414141 esp=0012d8e8 ebp=7c90ff2d iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
<unloaded_card.dll>+0x41414130:
41414141 ?? ???
~~~
(6b0.a04): Access violation - code c0000005 (!!! second chance !!!)
eax=41414141 ebx=00000000 ecx=00000014 edx=41414141 esi=41414141 edi=0187e10d
eip=0187deec esp=0b0cfcd0 ebp=0b0cfcf0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
Defaulted to export symbols for C:\Program Files\Common Files\Apple\Apple Application Support\CoreFoundation.dll -
CoreFoundation!CFWriteStreamCreateWithAllocatedBuffers+0x40:
0187deec 8b00 mov eax,dword ptr [eax] ds:0023:41414141=????????
--------------------------------------------------------------------------------
Tested on:
Microsoft Windows XP Professional SP3 EN (32bit)
Microsoft Windows 7 Ultimate SP1 EN (64bit)
Apple iTunes is a set of media player applications of Apple (Apple), which is mainly used for playing and managing digital music and video files.
APPLE-SA-2012-06-11-1 iTunes 10.6.3
iTunes 10.6.3 is now available and addresses the following:
iTunes
Available for: Mac OS X v10.5 or later, Windows 7, Vista,
XP SP2 or later
Impact: Importing a maliciously crafted .m3u playlist may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in the handling of .m3u
playlists.
CVE-ID
CVE-2012-0677 : Gjoko Krstic of Zero Science Lab
WebKit
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in WebKit.
CVE-ID
CVE-2012-0672 : Adam Barth and Abhishek Arya of the Google Chrome
Security Team
iTunes 10.6.3 may be obtained from:
http://www.apple.com/itunes/download/
For Mac OS X:
The download file is named: "iTunes10.6.3.dmg"
Its SHA-1 digest is: e673e5cbd2955130efbc92a788fff178e66bd155
For Windows XP / Vista / Windows 7:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 2618f701f1d1a853e33138a57bec193bcd08438e
For 64-bit Windows XP / Vista / Windows 7:
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: 3806af762a066fde3d7e83f86a429ae40175561e
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
TITLE:
Apple iTunes Two Vulnerabilities
SECUNIA ADVISORY ID:
SA49489
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49489/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49489
RELEASE DATE:
2012-06-12
DISCUSS ADVISORY:
http://secunia.com/advisories/49489/#comments
DESCRIPTION:
Apple has reported two vulnerabilities in Apple iTunes, which can be
exploited by malicious people to compromise a user's system.
2) A vulnerability is caused due to a bundled vulnerable version of
WebKit.
For more information see vulnerability #3 in:
SA48454
NOTE: This vulnerability does not affect the application on OS X Lion
systems.
SOLUTION:
Update to version 10.6.3.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Gjoko Krstic, Zero Science Lab.
2) Adam Barth and Abhishek Arya, Google Chrome Security Team.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT5318
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
| VAR-201206-0104 | CVE-2012-2753 | Vulnerability in multiple Check Point products that allows privileges to be gained |
CVSS V2: 6.9 CVSS V3: - Severity: MEDIUM |
Untrusted search path vulnerability in TrGUI.exe in the Endpoint Connect (aka EPC) GUI in Check Point Endpoint Security R73.x and E80.x on the VPN blade platform, Endpoint Security VPN R75, Endpoint Connect R73.x, and Remote Access Clients E75.x allows local users to gain privileges via a Trojan horse DLL in the current working directory. It may be possible to gain privileges through a DLL file. Check Point Endpoint Connect is prone to a vulnerability that lets attackers execute arbitrary code.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file. Check Point Endpoint Security is a set of endpoint security solutions from Check Point Company in the United States. This solution combines firewall, network access control, anti-virus, anti-spyware, data security and other functions to ensure that terminal PCs are free from Web-based threats.
TITLE:
Check Point Endpoint Connect Insecure Library Loading Vulnerability
SECUNIA ADVISORY ID:
SA49432
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49432/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49432
RELEASE DATE:
2012-06-11
DISCUSS ADVISORY:
http://secunia.com/advisories/49432/#comments
DESCRIPTION:
A vulnerability has been reported in Check Point EndPoint Connect,
which can be exploited by malicious people to compromise a user's
system.
The vulnerability is caused due to the application loading certain
libraries in an insecure manner. This can be exploited to load
arbitrary libraries by tricking a user into opening unspecified file
types located on a remote WebDAV or SMB share.
Successful exploitation allows execution of arbitrary code.
SOLUTION:
Apply available hotfixes.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Moshe Zioni, Comsec Consulting.
ORIGINAL ADVISORY:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk76480&src=securityAlerts
A user with local disk access can carefully construct a DLL that suits a pattern
that is being traversed by the client and implement it somewhere along the
search path and the client will load it seamlessly.
Impact
==========
After the DLL has been implemented, an unsuspecting user that will run the
program will cause it to load, resulting in arbitrary code execution with
user's privilege level.
Solution
==========
Apply the appropriate Hotfix released by Checkpoint (one line URL):
https://supportcenter.checkpoint.com/supportcenter/portal?
eventSubmit_doGoviewsolutiondetails=&solutionid=sk76480
Credits
==========
The issue was responsibly reported by Moshe Zioni from Comsec Global Consulting.
Timeline
===========
11 June 2012
Checkpoint officially announces a Hotfix for the issue
6 June 2012
Checkpoint reported on finishing a fix to the reported issue
16 May 2012
Further correspondence (Comsec-Checkpoint) took place, discussing a remediation
15 May 2012
First response from Checkpoint Security Team
15 May 2012
Bug reported by Moshe Zioni from Comsec Global Consulting
References
===========
Checkpoint
http://www.checkpoint.com/
Comsec Global Consulting
http://www.comsecglobal.com/
| VAR-201206-0236 | CVE-2012-1825 | ForeScout CounterACT Cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the status program on the ForeScout CounterACT appliance with software 6.3.3.2 through 6.3.4.10 allow remote attackers to inject arbitrary web script or HTML via (1) the loginname parameter in a forgotpass action or (2) the username parameter. CounterACT, provided by ForeScout, contains a cross-site scripting vulnerability in its web interface. For details, see the developer's ForeScout Security Advisory 12-01 (registered users only) (http://updates.forescout.com/support). An arbitrary script may be executed on the user's web browser. ForeScout CounterACT is an automated security control platform. Input passed to the status program via the "username" and "loginname" parameters is not properly filtered before being returned to the user, so an attacker can execute arbitrary HTML and script code in the user's browser session in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
TITLE:
ForeScout CounterACT "username" and "loginname" Cross-Site Scripting
Vulnerabilities
SECUNIA ADVISORY ID:
SA49481
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49481/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49481
RELEASE DATE:
2012-06-11
DISCUSS ADVISORY:
http://secunia.com/advisories/49481/#comments
DESCRIPTION:
Two vulnerabilities have been reported in ForeScout CounterACT, which
can be exploited by malicious people to conduct cross-site scripting
attacks.
The vulnerabilities are reported in the following versions:
* 6.3.3.2 prior to Hotfix 4.12050.
* 6.3.4.0 prior to Hotfix 10.0.
* 6.3.4.1 prior to Hotfix 6.0.
* 6.3.4.10 prior to Hotfix 1.0.
SOLUTION:
Apply available hotfixes.
PROVIDED AND/OR DISCOVERED BY:
US-CERT credits Travis Lee
ORIGINAL ADVISORY:
US-CERT:
http://www.kb.cert.org/vuls/id/815532
| VAR-201207-0327 | CVE-2012-1493 | SSH login vulnerability in multiple F5 products. Related entries in the VARIoT exploits database: VAR-E-201206-0489, VAR-E-201206-0488, VAR-E-201206-0487 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
F5 BIG-IP appliances 9.x before 9.4.8-HF5, 10.x before 10.2.4, 11.0.x before 11.0.0-HF2, and 11.1.x before 11.1.0-HF3, and Enterprise Manager before 2.1.0-HF2, 2.2.x before 2.2.0-HF1, and 2.3.x before 2.3.0-HF3, use a single SSH private key across different customers' installations and do not properly restrict access to this key, which makes it easier for remote attackers to perform SSH logins via the PubkeyAuthentication option. F5 BIG-IP is an application delivery product from F5 Networks, mainly used for load balancing, application acceleration and similar purposes. On F5 BIG-IP (versions 11.x, 10.x and 9.x), a publicly known SSH public/private key pair is stored in the device file system; it can be used for user authentication, and root user privileges are obtained once authentication succeeds. The vulnerability can be used to remotely obtain management control of the device and to launch further attacks against related network information systems. Multiple F5 Products are prone to an unauthorized-access vulnerability.
A remote attacker can exploit this issue to gain unauthorized root access to affected devices. Successfully exploiting this issue allows attackers to completely compromise the devices.
The following products are affected:
BIG-IP LTM
BIG-IP GTM
BIG-IP ASM
BIG-IP Link Controller
BIG-IP PSM
BIG-IP WOM
BIG-IP APM
BIG-IP Analytics
BIG-IP Edge Gateway
Enterprise Manager
Malicious actors could exploit this vulnerability to manipulate the affected system.
TITLE:
F5 Products Unspecified SSH Configuration Security Issue
SECUNIA ADVISORY ID:
SA49396
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49396/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49396
RELEASE DATE:
2012-06-08
DISCUSS ADVISORY:
http://secunia.com/advisories/49396/#comments
DESCRIPTION:
A security issue has been reported in multiple F5 products, which can
be exploited by malicious people to compromise a vulnerable system.
The security issue is caused due to an unspecified configuration
error. No further information is currently available.
The security issue affects the following products and versions:
* BIG-IP LTM versions 9.x, 10.x, and 11.x
* BIG-IP GTM versions 9.x, 10.x, and 11.x
* BIG-IP ASM versions 9.x, 10.x, and 11.x
* BIG-IP Link Controller versions 9.x, 10.x, and 11.x
* BIG-IP PSM versions 9.x, 10.x, and 11.x
* BIG-IP WOM versions 10.x and 11.x
* BIG-IP APM versions 10.x and 11.x
* BIG-IP Edge Gateway versions 10.x and 11.x
* BIG-IP Analytics versions 11.x
* Enterprise Manager versions 1.x and 2.x
SOLUTION:
Update to the fixed versions. Please see vendor's advisory for more
details.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Florent Daignier, Matta Consulting.
ORIGINAL ADVISORY:
http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13600.html
| VAR-201206-0354 | CVE-2012-2037 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-2034. An attacker could execute arbitrary code or cause a denial of service (memory corruption). Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.236"
References
==========
[ 1 ] CVE-2012-0779
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0779
[ 2 ] CVE-2012-2034
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2034
[ 3 ] CVE-2012-2035
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2035
[ 4 ] CVE-2012-2036
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2036
[ 5 ] CVE-2012-2037
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2037
[ 6 ] CVE-2012-2038
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2038
[ 7 ] CVE-2012-2039
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2039
[ 8 ] CVE-2012-2040
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2040
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201206-21.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2012:0722-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0722.html
Issue date: 2012-06-12
CVE Names: CVE-2012-2034 CVE-2012-2035 CVE-2012-2036
CVE-2012-2037 CVE-2012-2038 CVE-2012-2039
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes several security issues is
now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
Several security flaws were found in the way flash-plugin displayed certain
SWF content. An attacker could use these flaws to create a
specially-crafted SWF file that would cause flash-plugin to crash or,
potentially, execute arbitrary code when the victim loaded a page
containing the specially-crafted SWF content. (CVE-2012-2034,
CVE-2012-2035, CVE-2012-2036, CVE-2012-2037, CVE-2012-2039)
A flaw in flash-plugin could allow an attacker to obtain sensitive
information if a victim were tricked into visiting a specially-crafted web
page.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
830310 - CVE-2012-2034 CVE-2012-2035 CVE-2012-2036 CVE-2012-2037 CVE-2012-2039 flash-plugin: multiple code execution flaws (APSB12-14)
830311 - CVE-2012-2038 flash-plugin: information disclosure flaw (APSB12-14)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-10.3.183.20-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.20-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-10.3.183.20-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.20-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-10.3.183.20-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.20-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-10.3.183.20-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.20-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-10.3.183.20-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.20-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-2034.html
https://www.redhat.com/security/data/cve/CVE-2012-2035.html
https://www.redhat.com/security/data/cve/CVE-2012-2036.html
https://www.redhat.com/security/data/cve/CVE-2012-2037.html
https://www.redhat.com/security/data/cve/CVE-2012-2038.html
https://www.redhat.com/security/data/cve/CVE-2012-2039.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb12-14.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201206-0353 | CVE-2012-2036 | Adobe Flash Player and Adobe AIR Integer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Integer overflow in Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute arbitrary code via unspecified vectors. Adobe Flash Player is prone to multiple security vulnerabilities.
An attacker can exploit these issues to execute arbitrary code in the context of the user running the affected application or disclose sensitive information. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.236"
References
==========
[ 1 ] CVE-2012-0779
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0779
[ 2 ] CVE-2012-2034
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2034
[ 3 ] CVE-2012-2035
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2035
[ 4 ] CVE-2012-2036
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2036
[ 5 ] CVE-2012-2037
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2037
[ 6 ] CVE-2012-2038
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2038
[ 7 ] CVE-2012-2039
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2039
[ 8 ] CVE-2012-2040
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2040
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201206-21.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2012:0722-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0722.html
Issue date: 2012-06-12
CVE Names: CVE-2012-2034 CVE-2012-2035 CVE-2012-2036
CVE-2012-2037 CVE-2012-2038 CVE-2012-2039
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes several security issues is
now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Several security flaws were found in the way flash-plugin displayed certain
SWF content. An attacker could use these flaws to create a
specially-crafted SWF file that would cause flash-plugin to crash or,
potentially, execute arbitrary code when the victim loaded a page
containing the specially-crafted SWF content. (CVE-2012-2034,
CVE-2012-2035, CVE-2012-2036, CVE-2012-2037, CVE-2012-2039)
A flaw in flash-plugin could allow an attacker to obtain sensitive
information if a victim were tricked into visiting a specially-crafted web
page.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
830310 - CVE-2012-2034 CVE-2012-2035 CVE-2012-2036 CVE-2012-2037 CVE-2012-2039 flash-plugin: multiple code execution flaws (APSB12-14)
830311 - CVE-2012-2038 flash-plugin: information disclosure flaw (APSB12-14)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-10.3.183.20-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.20-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-10.3.183.20-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.20-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-10.3.183.20-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.20-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-10.3.183.20-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.20-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-10.3.183.20-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.20-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-2034.html
https://www.redhat.com/security/data/cve/CVE-2012-2035.html
https://www.redhat.com/security/data/cve/CVE-2012-2036.html
https://www.redhat.com/security/data/cve/CVE-2012-2037.html
https://www.redhat.com/security/data/cve/CVE-2012-2038.html
https://www.redhat.com/security/data/cve/CVE-2012-2039.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb12-14.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
| VAR-201206-0355 | CVE-2012-2038 | Flash Player issue in implementations of the Same Origin Policy |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors. Flash Player contains an issue in its implementation of the Same Origin Policy. The issue is in the SoundMixer.computeSpectrum() method included in Flash Player. Mitsuaki Shiraishi of Symantec Japan, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. An attacker may obtain spectrum data for the sound a user is playing, in violation of the same-origin policy. Adobe Flash Player is prone to multiple security vulnerabilities.
An attacker can exploit these issues to execute arbitrary code in the context of the user running the affected application or disclose sensitive information. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. Attackers can exploit this vulnerability to bypass expected access restrictions and obtain sensitive information via unknown vectors.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.236"
References
==========
[ 1 ] CVE-2012-0779
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0779
[ 2 ] CVE-2012-2034
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2034
[ 3 ] CVE-2012-2035
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2035
[ 4 ] CVE-2012-2036
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2036
[ 5 ] CVE-2012-2037
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2037
[ 6 ] CVE-2012-2038
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2038
[ 7 ] CVE-2012-2039
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2039
[ 8 ] CVE-2012-2040
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2040
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201206-21.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2012:0722-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0722.html
Issue date: 2012-06-12
CVE Names: CVE-2012-2034 CVE-2012-2035 CVE-2012-2036
CVE-2012-2037 CVE-2012-2038 CVE-2012-2039
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes several security issues is
now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
Several security flaws were found in the way flash-plugin displayed certain
SWF content. An attacker could use these flaws to create a
specially-crafted SWF file that would cause flash-plugin to crash or,
potentially, execute arbitrary code when the victim loaded a page
containing the specially-crafted SWF content. (CVE-2012-2034,
CVE-2012-2035, CVE-2012-2036, CVE-2012-2037, CVE-2012-2039)
A flaw in flash-plugin could allow an attacker to obtain sensitive
information if a victim were tricked into visiting a specially-crafted web
page.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
830310 - CVE-2012-2034 CVE-2012-2035 CVE-2012-2036 CVE-2012-2037 CVE-2012-2039 flash-plugin: multiple code execution flaws (APSB12-14)
830311 - CVE-2012-2038 flash-plugin: information disclosure flaw (APSB12-14)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-10.3.183.20-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.20-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-10.3.183.20-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.20-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-10.3.183.20-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.20-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-10.3.183.20-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.20-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-10.3.183.20-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.20-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-2034.html
https://www.redhat.com/security/data/cve/CVE-2012-2035.html
https://www.redhat.com/security/data/cve/CVE-2012-2036.html
https://www.redhat.com/security/data/cve/CVE-2012-2037.html
https://www.redhat.com/security/data/cve/CVE-2012-2038.html
https://www.redhat.com/security/data/cve/CVE-2012-2039.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb12-14.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
| VAR-201206-0357 | CVE-2012-2040 | Adobe Flash Player and Adobe AIR installer vulnerability that allows privileges to be obtained |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Untrusted search path vulnerability in the installer in Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows local users to gain privileges via a Trojan horse executable file in an unspecified directory. Adobe Flash Player is prone to multiple security vulnerabilities.
An attacker can exploit these issues to execute arbitrary code in the context of the user running the affected application or disclose sensitive information. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could entice a user to open a specially crafted SWF
file, possibly resulting in execution of arbitrary code with the
privileges of the process or a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.236"
References
==========
[ 1 ] CVE-2012-0779
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0779
[ 2 ] CVE-2012-2034
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2034
[ 3 ] CVE-2012-2035
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2035
[ 4 ] CVE-2012-2036
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2036
[ 5 ] CVE-2012-2037
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2037
[ 6 ] CVE-2012-2038
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2038
[ 7 ] CVE-2012-2039
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2039
[ 8 ] CVE-2012-2040
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2040
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201206-21.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201206-0356 | CVE-2012-2039 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute arbitrary code or cause a denial of service (NULL pointer dereference) via unspecified vectors. Adobe Flash Player is prone to multiple security vulnerabilities.
An attacker can exploit these issues to execute arbitrary code in the context of the user running the affected application or disclose sensitive information. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.236"
References
==========
[ 1 ] CVE-2012-0779
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0779
[ 2 ] CVE-2012-2034
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2034
[ 3 ] CVE-2012-2035
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2035
[ 4 ] CVE-2012-2036
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2036
[ 5 ] CVE-2012-2037
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2037
[ 6 ] CVE-2012-2038
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2038
[ 7 ] CVE-2012-2039
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2039
[ 8 ] CVE-2012-2040
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2040
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201206-21.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2012:0722-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0722.html
Issue date: 2012-06-12
CVE Names: CVE-2012-2034 CVE-2012-2035 CVE-2012-2036
CVE-2012-2037 CVE-2012-2038 CVE-2012-2039
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes several security issues is
now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
Several security flaws were found in the way flash-plugin displayed certain
SWF content. An attacker could use these flaws to create a
specially-crafted SWF file that would cause flash-plugin to crash or,
potentially, execute arbitrary code when the victim loaded a page
containing the specially-crafted SWF content. (CVE-2012-2034,
CVE-2012-2035, CVE-2012-2036, CVE-2012-2037, CVE-2012-2039)
A flaw in flash-plugin could allow an attacker to obtain sensitive
information if a victim were tricked into visiting a specially-crafted web
page.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
830310 - CVE-2012-2034 CVE-2012-2035 CVE-2012-2036 CVE-2012-2037 CVE-2012-2039 flash-plugin: multiple code execution flaws (APSB12-14)
830311 - CVE-2012-2038 flash-plugin: information disclosure flaw (APSB12-14)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-10.3.183.20-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.20-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-10.3.183.20-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.20-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-10.3.183.20-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.20-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-10.3.183.20-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.20-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-10.3.183.20-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.20-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-2034.html
https://www.redhat.com/security/data/cve/CVE-2012-2035.html
https://www.redhat.com/security/data/cve/CVE-2012-2036.html
https://www.redhat.com/security/data/cve/CVE-2012-2037.html
https://www.redhat.com/security/data/cve/CVE-2012-2038.html
https://www.redhat.com/security/data/cve/CVE-2012-2039.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb12-14.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
| VAR-201206-0352 | CVE-2012-2035 | Adobe Flash Player and Adobe AIR Vulnerable to stack-based buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute arbitrary code via unspecified vectors. Adobe Flash Player is prone to multiple security vulnerabilities.
An attacker can exploit these issues to execute arbitrary code in the context of the user running the affected application or disclose sensitive information. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.236"
References
==========
[ 1 ] CVE-2012-0779
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0779
[ 2 ] CVE-2012-2034
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2034
[ 3 ] CVE-2012-2035
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2035
[ 4 ] CVE-2012-2036
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2036
[ 5 ] CVE-2012-2037
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2037
[ 6 ] CVE-2012-2038
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2038
[ 7 ] CVE-2012-2039
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2039
[ 8 ] CVE-2012-2040
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2040
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201206-21.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2012:0722-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0722.html
Issue date: 2012-06-12
CVE Names: CVE-2012-2034 CVE-2012-2035 CVE-2012-2036
CVE-2012-2037 CVE-2012-2038 CVE-2012-2039
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes several security issues is
now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
Several security flaws were found in the way flash-plugin displayed certain
SWF content. An attacker could use these flaws to create a
specially-crafted SWF file that would cause flash-plugin to crash or,
potentially, execute arbitrary code when the victim loaded a page
containing the specially-crafted SWF content. (CVE-2012-2034,
CVE-2012-2035, CVE-2012-2036, CVE-2012-2037, CVE-2012-2039)
A flaw in flash-plugin could allow an attacker to obtain sensitive
information if a victim were tricked into visiting a specially-crafted web
page.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
830310 - CVE-2012-2034 CVE-2012-2035 CVE-2012-2036 CVE-2012-2037 CVE-2012-2039 flash-plugin: multiple code execution flaws (APSB12-14)
830311 - CVE-2012-2038 flash-plugin: information disclosure flaw (APSB12-14)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-10.3.183.20-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.20-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-10.3.183.20-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.20-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-10.3.183.20-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.20-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-10.3.183.20-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.20-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-10.3.183.20-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.20-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-2034.html
https://www.redhat.com/security/data/cve/CVE-2012-2035.html
https://www.redhat.com/security/data/cve/CVE-2012-2036.html
https://www.redhat.com/security/data/cve/CVE-2012-2037.html
https://www.redhat.com/security/data/cve/CVE-2012-2038.html
https://www.redhat.com/security/data/cve/CVE-2012-2039.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb12-14.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
| VAR-201206-0362 | CVE-2012-2034 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: 7.5 Severity: HIGH |
Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-2037. An attacker could execute arbitrary code or cause a denial of service (memory corruption). Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.236"
References
==========
[ 1 ] CVE-2012-0779
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0779
[ 2 ] CVE-2012-2034
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2034
[ 3 ] CVE-2012-2035
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2035
[ 4 ] CVE-2012-2036
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2036
[ 5 ] CVE-2012-2037
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2037
[ 6 ] CVE-2012-2038
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2038
[ 7 ] CVE-2012-2039
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2039
[ 8 ] CVE-2012-2040
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2040
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201206-21.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2012:0722-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0722.html
Issue date: 2012-06-12
CVE Names: CVE-2012-2034 CVE-2012-2035 CVE-2012-2036
CVE-2012-2037 CVE-2012-2038 CVE-2012-2039
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes several security issues is
now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
Several security flaws were found in the way flash-plugin displayed certain
SWF content. An attacker could use these flaws to create a
specially-crafted SWF file that would cause flash-plugin to crash or,
potentially, execute arbitrary code when the victim loaded a page
containing the specially-crafted SWF content. (CVE-2012-2034,
CVE-2012-2035, CVE-2012-2036, CVE-2012-2037, CVE-2012-2039)
A flaw in flash-plugin could allow an attacker to obtain sensitive
information if a victim were tricked into visiting a specially-crafted web
page.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
830310 - CVE-2012-2034 CVE-2012-2035 CVE-2012-2036 CVE-2012-2037 CVE-2012-2039 flash-plugin: multiple code execution flaws (APSB12-14)
830311 - CVE-2012-2038 flash-plugin: information disclosure flaw (APSB12-14)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-10.3.183.20-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.20-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-10.3.183.20-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.183.20-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-10.3.183.20-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.20-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-10.3.183.20-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.20-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-10.3.183.20-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.183.20-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-2034.html
https://www.redhat.com/security/data/cve/CVE-2012-2035.html
https://www.redhat.com/security/data/cve/CVE-2012-2036.html
https://www.redhat.com/security/data/cve/CVE-2012-2037.html
https://www.redhat.com/security/data/cve/CVE-2012-2038.html
https://www.redhat.com/security/data/cve/CVE-2012-2039.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb12-14.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
| VAR-201208-0291 | CVE-2012-4355 |
Sielco Sistemi Winlog Pro SCADA/Winlog Lite SCADA Buffer Overflow Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201206-0149, VAR-E-201206-0148 |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
TCPIPS_Story.dll in Sielco Sistemi Winlog Pro SCADA before 2.07.18 and Winlog Lite SCADA before 2.07.18 allows remote attackers to execute arbitrary code via a port-46824 TCP packet with a crafted negative integer after the opcode, triggering incorrect function-pointer processing that can lead to a buffer overflow. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-4354. TCPIPS_Story.dll in Sielco Sistemi Winlog Pro SCADA and Winlog Lite SCADA contains a vulnerability that allows arbitrary code execution. SIELCO SISTEMI Winlog is an application for data acquisition and remote control of SCADA HMI monitoring software. Winlog Pro is a SCADA/HMI software package for managing industrial and civil plants. Winlog Pro is prone to the following security vulnerabilities:
1. Multiple code-execution vulnerabilities.
2. A stack-based buffer-overflow vulnerability.
3. A directory-traversal vulnerability.
Attackers can leverage these issues to perform unauthorized actions through directory traversal attacks, run arbitrary code, or cause a denial of service. Other attacks may also be possible.
TITLE:
Winlog Packet Processing Buffer Overflow Vulnerability
SECUNIA ADVISORY ID:
SA49395
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49395/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49395
RELEASE DATE:
2012-06-06
DISCUSS ADVISORY:
http://secunia.com/advisories/49395/#comments
DESCRIPTION:
m1k3 has discovered a vulnerability in Winlog, which can be exploited
by malicious people to compromise a vulnerable system.
Successful exploitation allows execution of arbitrary code, but
requires a project to be configured for TCP server mode (not by
default).
The vulnerability is confirmed in version 2.07.14. Other versions may
also be affected.
SOLUTION:
Restrict access to trusted hosts only.
PROVIDED AND/OR DISCOVERED BY:
m1k3
ORIGINAL ADVISORY:
http://www.s3cur1ty.de/m1adv2012-001
| VAR-201208-0290 | CVE-2012-4354 |
Sielco Sistemi Winlog Pro SCADA/Winlog Lite SCADA Buffer Overflow Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201206-0149, VAR-E-201206-0148 |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
TCPIPS_Story.dll in Sielco Sistemi Winlog Pro SCADA before 2.07.17 and Winlog Lite SCADA before 2.07.17 allows remote attackers to execute arbitrary code via a port-46824 TCP packet with a crafted positive integer after the opcode, triggering incorrect function-pointer processing that can lead to a buffer overflow. NOTE: some of these details are obtained from third party information. SIELCO SISTEMI Winlog is an application for data acquisition and remote control of SCADA HMI monitoring software. SIELCO SISTEMI Winlog has multiple security vulnerabilities, including: (1) DbiGetRecordCount code execution; (2) @Db@TDataSet@Close$qqrv code execution; (3) DbiSetToRecordNo code execution; (4) TCPIPS_BinOpenFileFP stack overflow; (5) directory traversal; (6) arbitrary byte write to memory. Winlog Pro is a SCADA/HMI software package for managing industrial and civil plants. The vulnerability is in TCPIPS_Story.dll in Sielco Sistemi Winlog Pro SCADA versions prior to 2.07.17 and Winlog Lite SCADA versions prior to 2.07.17. Winlog Pro is prone to the following security vulnerabilities:
1. Multiple code-execution vulnerabilities.
2. A stack-based buffer-overflow vulnerability.
3. A directory-traversal vulnerability.
Attackers can leverage these issues to perform unauthorized actions through directory traversal attacks, run arbitrary code, or cause a denial of service. Other attacks may also be possible.
TITLE:
Winlog Packet Processing Buffer Overflow Vulnerability
SECUNIA ADVISORY ID:
SA49395
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49395/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49395
RELEASE DATE:
2012-06-06
DISCUSS ADVISORY:
http://secunia.com/advisories/49395/#comments
DESCRIPTION:
m1k3 has discovered a vulnerability in Winlog, which can be exploited
by malicious people to compromise a vulnerable system.
Successful exploitation allows execution of arbitrary code, but
requires a project to be configured for TCP server mode (not by
default).
The vulnerability is confirmed in version 2.07.14. Other versions may
also be affected.
SOLUTION:
Restrict access to trusted hosts only.
PROVIDED AND/OR DISCOVERED BY:
m1k3
ORIGINAL ADVISORY:
http://www.s3cur1ty.de/m1adv2012-001
| VAR-201208-0289 | CVE-2012-4353 |
Sielco Sistemi Winlog Pro SCADA/Winlog Lite SCADA Buffer Overflow Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201206-0149, VAR-E-201206-0148 |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in RunTime.exe in Sielco Sistemi Winlog Pro SCADA before 2.07.17 and Winlog Lite SCADA before 2.07.17 allows remote attackers to execute arbitrary code via a crafted port-46824 TCP packet that triggers an incorrect file-open attempt by the _TCPIPS_BinOpenFileFP function, a different vulnerability than CVE-2012-3815. NOTE: some of these details are obtained from third party information. SIELCO SISTEMI Winlog is an application for data acquisition and remote control of SCADA HMI monitoring software. SIELCO SISTEMI Winlog has multiple security vulnerabilities, including: (1) DbiGetRecordCount code execution; (2) @Db@TDataSet@Close$qqrv code execution; (3) DbiSetToRecordNo code execution; (4) TCPIPS_BinOpenFileFP stack overflow; (5) directory traversal; (6) arbitrary byte write to memory. Winlog Pro is a SCADA/HMI software package for managing industrial and civil plants. Winlog Pro is prone to the following security vulnerabilities:
1. Multiple code-execution vulnerabilities.
2. A stack-based buffer-overflow vulnerability.
3. A directory-traversal vulnerability.
Attackers can leverage these issues to perform unauthorized actions through directory traversal attacks, run arbitrary code, or cause a denial of service. Other attacks may also be possible.
Winlog Pro 2.07.16 and prior are vulnerable.
TITLE:
Winlog Packet Processing Buffer Overflow Vulnerability
SECUNIA ADVISORY ID:
SA49395
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49395/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49395
RELEASE DATE:
2012-06-06
DISCUSS ADVISORY:
http://secunia.com/advisories/49395/#comments
DESCRIPTION:
m1k3 has discovered a vulnerability in Winlog, which can be exploited
by malicious people to compromise a vulnerable system.
Successful exploitation allows execution of arbitrary code, but
requires a project to be configured for TCP server mode (not by
default).
The vulnerability is confirmed in version 2.07.14. Other versions may
also be affected.
SOLUTION:
Restrict access to trusted hosts only.
PROVIDED AND/OR DISCOVERED BY:
m1k3
ORIGINAL ADVISORY:
http://www.s3cur1ty.de/m1adv2012-001
| VAR-201208-0288 | CVE-2012-4359 |
Sielco Sistemi Winlog Pro SCADA/Winlog Lite SCADA Denial of service vulnerability
Related entries in the VARIoT exploits database: VAR-E-201206-0149, VAR-E-201206-0148 |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Sielco Sistemi Winlog Pro SCADA before 2.07.18 and Winlog Lite SCADA before 2.07.18 do not validate the return value of the realloc function, which allows remote attackers to cause a denial of service (invalid 0x00 write operation and daemon crash) or possibly have unspecified other impact via a port-46824 TCP packet with a crafted negative integer after the opcode. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-4358. Winlog Pro is a SCADA/HMI software package for managing industrial and civil plants. The vulnerability exists in Sielco Sistemi Winlog Pro SCADA versions prior to 2.07.18 and Winlog Lite SCADA versions prior to 2.07.18, and stems from the unchecked return value of the realloc function. SIELCO SISTEMI Winlog is an application for data acquisition and remote control of SCADA HMI monitoring software. SIELCO SISTEMI Winlog has multiple security vulnerabilities, including: (1) DbiGetRecordCount code execution; (2) @Db@TDataSet@Close$qqrv code execution; (3) DbiSetToRecordNo code execution; (4) TCPIPS_BinOpenFileFP stack overflow; (5) directory traversal; (6) arbitrary byte write to memory. Winlog Pro is prone to the following security vulnerabilities:
1. Multiple code-execution vulnerabilities.
2. A stack-based buffer-overflow vulnerability.
3. A directory-traversal vulnerability.
Attackers can leverage these issues to perform unauthorized actions through directory traversal attacks, run arbitrary code, or cause a denial of service. Other attacks may also be possible.
TITLE:
Winlog Packet Processing Buffer Overflow Vulnerability
SECUNIA ADVISORY ID:
SA49395
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49395/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49395
RELEASE DATE:
2012-06-06
DISCUSS ADVISORY:
http://secunia.com/advisories/49395/#comments
DESCRIPTION:
m1k3 has discovered a vulnerability in Winlog, which can be exploited
by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an error in RunTime.exe when
processing packets and can be exploited to cause a stack-based buffer
overflow via a specially crafted packet sent to TCP port 46824.
Successful exploitation allows execution of arbitrary code, but
requires a project to be configured for TCP server mode (not by
default).
The vulnerability is confirmed in version 2.07.14. Other versions may
also be affected.
SOLUTION:
Restrict access to trusted hosts only.
PROVIDED AND/OR DISCOVERED BY:
m1k3
ORIGINAL ADVISORY:
http://www.s3cur1ty.de/m1adv2012-001
| VAR-201208-0287 | CVE-2012-4358 |
Sielco Sistemi Winlog Pro SCADA/Winlog Lite SCADA Denial of service vulnerability
Related entries in the VARIoT exploits database: VAR-E-201206-0149, VAR-E-201206-0148 |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Sielco Sistemi Winlog Pro SCADA before 2.07.17 and Winlog Lite SCADA before 2.07.17 do not validate the return value of the realloc function, which allows remote attackers to cause a denial of service (invalid 0x00 write operation and daemon crash) or possibly have unspecified other impact via a port-46824 TCP packet with a crafted positive integer after the opcode. SIELCO SISTEMI Winlog is an application for data acquisition and remote control of SCADA HMI monitoring software. SIELCO SISTEMI Winlog has multiple security vulnerabilities, including: (1) DbiGetRecordCount code execution; (2) @Db@TDataSet@Close$qqrv code execution; (3) DbiSetToRecordNo code execution; (4) TCPIPS_BinOpenFileFP stack overflow; (5) directory traversal; (6) arbitrary byte write to memory. Winlog Pro is a SCADA/HMI software package for managing industrial and civil plants. The vulnerability exists in Sielco Sistemi Winlog Pro SCADA versions prior to 2.07.17 and Winlog Lite SCADA versions prior to 2.07.17, and stems from the unchecked return value of the realloc function. Winlog Pro is prone to the following security vulnerabilities:
1. Multiple code-execution vulnerabilities.
2. A stack-based buffer-overflow vulnerability.
3. A directory-traversal vulnerability.
Attackers can leverage these issues to perform unauthorized actions through directory traversal attacks, run arbitrary code, or cause a denial of service. Other attacks may also be possible.
TITLE:
Winlog Packet Processing Buffer Overflow Vulnerability
SECUNIA ADVISORY ID:
SA49395
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49395/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49395
RELEASE DATE:
2012-06-06
DISCUSS ADVISORY:
http://secunia.com/advisories/49395/#comments
DESCRIPTION:
m1k3 has discovered a vulnerability in Winlog, which can be exploited
by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an error in RunTime.exe when
processing packets and can be exploited to cause a stack-based buffer
overflow via a specially crafted packet sent to TCP port 46824.
Successful exploitation allows execution of arbitrary code, but
requires a project to be configured for TCP server mode (not by
default).
The vulnerability is confirmed in version 2.07.14. Other versions may
also be affected.
SOLUTION:
Restrict access to trusted hosts only.
PROVIDED AND/OR DISCOVERED BY:
m1k3
ORIGINAL ADVISORY:
http://www.s3cur1ty.de/m1adv2012-001
| VAR-201208-0286 | CVE-2012-4357 |
Sielco Sistemi Winlog Pro SCADA/Winlog Lite SCADA Arbitrary code execution vulnerability
Related entries in the VARIoT exploits database: VAR-E-201206-0149, VAR-E-201206-0148 |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Array index error in Sielco Sistemi Winlog Pro SCADA before 2.07.17 and Winlog Lite SCADA before 2.07.17 might allow remote attackers to execute arbitrary code by referencing, within a port-46824 TCP packet, an invalid file-pointer index that leads to execution of an EnterCriticalSection code block. SIELCO SISTEMI Winlog is an application for data acquisition and remote control of SCADA HMI monitoring software. Winlog Pro is a SCADA/HMI software package for managing industrial and civil plants. The array index vulnerability exists in Sielco Sistemi Winlog Pro SCADA versions prior to 2.07.17 and Winlog Lite SCADA versions prior to 2.07.17. Winlog Pro is prone to the following security vulnerabilities:
1. Multiple code-execution vulnerabilities.
2. A stack-based buffer-overflow vulnerability.
3. A directory-traversal vulnerability.
Attackers can leverage these issues to perform unauthorized actions through directory traversal attacks, run arbitrary code, or cause a denial of service. Other attacks may also be possible.
Winlog Pro 2.07.16 and prior are vulnerable.
----------------------------------------------------------------------
TITLE:
Winlog Packet Processing Buffer Overflow Vulnerability
SECUNIA ADVISORY ID:
SA49395
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49395/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49395
RELEASE DATE:
2012-06-06
DESCRIPTION:
m1k3 has discovered a vulnerability in Winlog, which can be exploited
by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an error in RunTime.exe when
processing packets and can be exploited to cause a stack-based buffer
overflow via a specially crafted packet sent to TCP port 46824.
Successful exploitation allows execution of arbitrary code, but
requires a project to be configured for TCP server mode (not by
default).
The vulnerability is confirmed in version 2.07.14. Other versions may
also be affected.
SOLUTION:
Restrict access to trusted hosts only.
PROVIDED AND/OR DISCOVERED BY:
m1k3
ORIGINAL ADVISORY:
http://www.s3cur1ty.de/m1adv2012-001
----------------------------------------------------------------------
| VAR-201208-0285 | CVE-2012-4356 |
Sielco Sistemi Winlog Pro SCADA/Winlog Lite SCADA Multiple Directory Traversal Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-201206-0149, VAR-E-201206-0148 |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple directory traversal vulnerabilities in Sielco Sistemi Winlog Pro SCADA before 2.07.17 and Winlog Lite SCADA before 2.07.17 allow remote attackers to read arbitrary files via port-46824 TCP packets specifying a file-open operation with opcode 0x78 and a .. (dot dot) in a pathname, followed by a file-read operation with opcode (1) 0x96, (2) 0x97, or (3) 0x98. SIELCO SISTEMI Winlog is an application for data acquisition and remote control of SCADA HMI monitoring software. Winlog Pro is a SCADA/HMI software package for managing industrial and civil plants. An attacker can use the file-read operations to read any file. Winlog Pro is prone to the following security vulnerabilities:
1. Multiple code-execution vulnerabilities.
2. A stack-based buffer-overflow vulnerability.
3. A directory-traversal vulnerability.
Attackers can leverage these issues to perform unauthorized actions through directory traversal attacks, run arbitrary code, or cause a denial of service. Other attacks may also be possible.
Winlog Pro 2.07.16 and prior are vulnerable.
----------------------------------------------------------------------
| VAR-201206-0072 | CVE-2012-2596 |
Siemens WinCC of Web Application XPath Vulnerability to read settings in function
Related entries in the VARIoT exploits database: VAR-E-201206-0992 |
CVSS V2: 5.5 CVSS V3: - Severity: MEDIUM |
The XPath functionality in unspecified web applications in Siemens WinCC 7.0 SP3 before Update 2 does not properly handle special characters in parameters, which allows remote authenticated users to read or modify settings via a crafted URL, related to an "XML injection" attack. WinCC flexible is a human-machine interface for use in some machine or process applications. Siemens SIMATIC WinCC Flexible does not filter out specially crafted characters when parsing URL parameters. There is a security vulnerability in the implementation, and an attacker can use the vulnerability to read or write system settings. Siemens SIMATIC WinCC Flexible is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, execute arbitrary code in the context of the affected application, read arbitrary files on the system, redirect users to a potentially malicious site, access or modify data of an XML document, or cause denial-of-service conditions; other attacks may also be possible. The vulnerability is related to 'XML injection' attacks.
The vulnerability is caused due to an input sanitisation error within
the DiagAgent web server and can be exploited to cause a buffer
overflow and crash the DiagAgent.
Successful exploitation requires the DiagAgent web server to be
enabled (disabled by default).
----------------------------------------------------------------------
TITLE:
Siemens SIMATIC WinCC Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA49341
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49341/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49341
RELEASE DATE:
2012-06-07
DESCRIPTION:
A weakness and some vulnerabilities have been reported in Siemens
SIMATIC WinCC, which can be exploited by malicious users to disclose
potentially sensitive information and system information and
manipulate certain data and by malicious people to conduct spoofing
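and cross-site scripting attacks.
1) Certain input passed via URL parameters to two unspecified web
applications is not properly sanitised before being used to construct
an XPath query for XML data. This can be exploited to manipulate XPath
queries by injecting arbitrary XPath code and e.g. read or write
certain system settings.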
2) Certain input passed via a filename to two unspecified web
applications is not properly verified before being used to display
files. This can be exploited to disclose the contents of arbitrary
files via directory traversal sequences.
3) Certain input passed to two unspecified web applications is not
properly sanitised before being returned to the user.
4) Certain input is not properly verified before being used to
redirect users. This can be exploited to redirect a user to an
arbitrary website e.g. when a user clicks a specially crafted link to
the affected script hosted on a trusted domain.
The weakness and the vulnerabilities are reported in version 7.0 SP3.
SOLUTION:
Apply "Update 2" (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
1-3) The vendor credits Gleb Gritsai, Alexander Zaitsev, Sergey
Scherbel, Yuri Goltsev, Dmitry Serebryannikov, Sergey Bobrov, Denis
Baranov, and Andrey Medov, Positive Technologies.
4) Reported by the vendor.
ORIGINAL ADVISORY:
Siemens:
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-223158.pdf
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-158-01.pdf
----------------------------------------------------------------------
| VAR-201206-0115 | CVE-2012-3003 |
Siemens WinCC of Web Application open redirect vulnerability
Related entries in the VARIoT exploits database: VAR-E-201206-0992 |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Open redirect vulnerability in an unspecified web application in Siemens WinCC 7.0 SP3 before Update 2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a GET request. WinCC flexible is a human-machine interface for use in some machine or process applications. Siemens SIMATIC WinCC Flexible does not filter out specially crafted characters when parsing URL parameters, which leaves a security hole in the implementation. An attacker could exploit the vulnerability to redirect a user to a malicious site. Siemens SIMATIC WinCC Flexible is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, execute arbitrary code in the context of the affected application, read arbitrary files on the system, redirect users to a potentially malicious site, access or modify data of an XML document, or cause denial-of-service conditions; other attacks may also be possible.
The vulnerability is caused due to an input sanitisation error within
the DiagAgent web server and can be exploited to cause a buffer
overflow and crash the DiagAgent.
Successful exploitation requires the DiagAgent web server to be
enabled (disabled by default).
----------------------------------------------------------------------
TITLE:
Siemens SIMATIC WinCC Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA49341
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49341/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49341
RELEASE DATE:
2012-06-07
DESCRIPTION:
A weakness and some vulnerabilities have been reported in Siemens
SIMATIC WinCC, which can be exploited by malicious users to disclose
potentially sensitive information and system information and
manipulate certain data and by malicious people to conduct spoofing
and cross-site scripting attacks.
1) Certain input passed via URL parameters to two unspecified web
applications is not properly sanitised before being used to construct
an XPath query for XML data. This can be exploited to manipulate XPath
queries by injecting arbitrary XPath code and e.g. read or write
certain system settings.
2) Certain input passed via a filename to two unspecified web
applications is not properly verified before being used to display
files. This can be exploited to disclose the contents of arbitrary
files via directory traversal sequences.
3) Certain input passed to two unspecified web applications is not
properly sanitised before being returned to the user.
4) Certain input is not properly verified before being used to
redirect users. This can be exploited to redirect a user to an
arbitrary website e.g. when a user clicks a specially crafted link to
the affected script hosted on a trusted domain.
The weakness and the vulnerabilities are reported in version 7.0 SP3.
SOLUTION:
Apply "Update 2" (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
1-3) The vendor credits Gleb Gritsai, Alexander Zaitsev, Sergey
Scherbel, Yuri Goltsev, Dmitry Serebryannikov, Sergey Bobrov, Denis
Baranov, and Andrey Medov, Positive Technologies.
4) Reported by the vendor.
ORIGINAL ADVISORY:
Siemens:
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-223158.pdf
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-158-01.pdf
----------------------------------------------------------------------