VARIoT IoT vulnerabilities database
| VAR-201205-0297 | CVE-2012-1179 | Quantum Scalar i500, Dell ML6000 and IBM TS3310 tape libraries web interface and preconfigured password vulnerabilities |
CVSS V2: 5.2 CVSS V3: - Severity: MEDIUM |
The Linux kernel before 3.3.1, when KVM is used, allows guest OS users to cause a denial of service (host OS crash) by leveraging administrative access to the guest OS, related to the pmd_none_or_clear_bad function and page faults for huge pages.
Cross-site scripting and preconfigured password vulnerabilities have been reported to exist in the Quantum Scalar i500, Dell ML6000 and IBM TS3310 tape libraries.
The Linux kernel is prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users.
Linux Kernel 2.6.x is vulnerable.
=====================================================================
Red Hat Security Advisory
Synopsis: Important: kernel security and bug fix update
Advisory ID: RHSA-2012:0743-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0743.html
Issue date: 2012-06-18
CVE Names: CVE-2012-0044 CVE-2012-1179 CVE-2012-2119
CVE-2012-2121 CVE-2012-2123 CVE-2012-2136
CVE-2012-2137 CVE-2012-2372 CVE-2012-2373
=====================================================================
1. Summary:
Updated kernel packages that fix multiple security issues and several bugs
are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - noarch, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
3. Description:
This update fixes the following security issues:
* A local, unprivileged user could use an integer overflow flaw in
drm_mode_dirtyfb_ioctl() to cause a denial of service or escalate their
privileges. (CVE-2012-0044, Important)
* A buffer overflow flaw was found in the macvtap device driver, used for
creating a bridged network between the guest and the host in KVM
(Kernel-based Virtual Machine) environments. A privileged guest user in a
KVM guest could use this flaw to crash the host. Note: This issue only
affected hosts that have the vhost_net module loaded with the
experimental_zcopytx module option enabled (it is not enabled by default),
and that also have macvtap configured for at least one guest.
(CVE-2012-2119, Important)
* When a set user ID (setuid) application is executed, certain personality
flags for controlling the application's behavior are cleared (that is, a
privileged application will not be affected by those flags). It was found
that those flags were not cleared if the application was made privileged
via file system capabilities. A local, unprivileged user could use this
flaw to change the behavior of such applications, allowing them to bypass
intended restrictions. Note that for default installations, no application
shipped by Red Hat for Red Hat Enterprise Linux is made privileged via file
system capabilities. (CVE-2012-2123, Important)
* It was found that the data_len parameter of the sock_alloc_send_pskb()
function in the Linux kernel's networking implementation was not validated
before use. A privileged guest user in a KVM guest could use this flaw to
crash the host or, possibly, escalate their privileges on the host.
(CVE-2012-2136, Important)
* A buffer overflow flaw was found in the setup_routing_entry() function in
the KVM subsystem of the Linux kernel in the way the Message Signaled
Interrupts (MSI) routing entry was handled. A local, unprivileged user
could use this flaw to cause a denial of service or, possibly, escalate
their privileges. (CVE-2012-2137, Important)
* A race condition was found in the Linux kernel's memory management
subsystem in the way pmd_none_or_clear_bad(), when called with mmap_sem in
read mode, and Transparent Huge Pages (THP) page faults interacted. A
privileged user in a KVM guest with the ballooning functionality enabled
could potentially use this flaw to crash the host. A local, unprivileged
user could use this flaw to crash the system. (CVE-2012-1179, Moderate)
* A flaw was found in the way device memory was handled during guest device
removal. Upon successful device removal, memory used by the device was not
properly unmapped from the corresponding IOMMU or properly released from
the kernel, leading to a memory leak. A malicious user on a KVM host who
has the ability to assign a device to a guest could use this flaw to crash
the host. (CVE-2012-2121, Moderate)
* A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS)
protocol implementation. A local, unprivileged user could use this flaw to
cause a denial of service. (CVE-2012-2372, Moderate)
* A race condition was found in the Linux kernel's memory management
subsystem in the way pmd_populate() and pte_offset_map_lock() interacted on
32-bit x86 systems with more than 4GB of RAM. A local, unprivileged user
could use this flaw to cause a denial of service. (CVE-2012-2373, Moderate)
Red Hat would like to thank Chen Haogang for reporting CVE-2012-0044.
This update also fixes several bugs. Documentation for these changes will
be available shortly from the Technical Notes document linked to in the
References section.
Users should upgrade to these updated packages, which contain backported
patches to correct these issues, and fix the bugs noted in the Technical
Notes. The system must be rebooted for this update to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
To install kernel packages manually, use "rpm -ivh [package]". Do not
use "rpm -Uvh" as that will remove the running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after
determining that the new kernel functions properly on your system.
5. Bugs fixed (http://bugzilla.redhat.com/):
772894 - CVE-2012-0044 kernel: drm: integer overflow in drm_mode_dirtyfb_ioctl()
803793 - CVE-2012-1179 kernel: thp:__split_huge_page() mapcount != page_mapcount BUG_ON()
806722 - CVE-2012-2123 kernel: fcaps: clear the same personality flags as suid when fcaps are used
814149 - CVE-2012-2121 kvm: device assignment page leak
814278 - CVE-2012-2119 kernel: macvtap: zerocopy: vector length is not validated before pinning user pages
814657 - kernel crash at ieee80211_mgd_probe_ap_send [rhel-6.2.z]
816151 - CVE-2012-2137 kernel: kvm: buffer overflow in kvm_set_irq()
816226 - add option to disable 5GHz band to iwlwifi [rhel-6.2.z]
816289 - CVE-2012-2136 kernel: net: insufficient data_len validation in sock_alloc_send_pskb()
818504 - Disable LRO for all NICs that have LRO enabled [rhel-6.2.z]
818505 - xen: fix drive naming [rhel-6.2.z]
819614 - 2.6.32-220 kernel does not work on a HP DL385G6 with HP Smart Array P410 controller and hpsa driver [rhel-6.2.z]
822754 - CVE-2012-2372 kernel: rds-ping cause kernel panic
822821 - CVE-2012-2373 kernel: mm: read_pmd_atomic: 32bit PAE pmd walk vs pmd_populate SMP race condition
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kernel-2.6.32-220.23.1.el6.src.rpm
i386:
kernel-2.6.32-220.23.1.el6.i686.rpm
kernel-debug-2.6.32-220.23.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-220.23.1.el6.i686.rpm
kernel-debug-devel-2.6.32-220.23.1.el6.i686.rpm
kernel-debuginfo-2.6.32-220.23.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-220.23.1.el6.i686.rpm
kernel-devel-2.6.32-220.23.1.el6.i686.rpm
kernel-headers-2.6.32-220.23.1.el6.i686.rpm
perf-2.6.32-220.23.1.el6.i686.rpm
perf-debuginfo-2.6.32-220.23.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-220.23.1.el6.i686.rpm
noarch:
kernel-doc-2.6.32-220.23.1.el6.noarch.rpm
kernel-firmware-2.6.32-220.23.1.el6.noarch.rpm
x86_64:
kernel-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debug-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-220.23.1.el6.x86_64.rpm
kernel-devel-2.6.32-220.23.1.el6.x86_64.rpm
kernel-headers-2.6.32-220.23.1.el6.x86_64.rpm
perf-2.6.32-220.23.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kernel-2.6.32-220.23.1.el6.src.rpm
i386:
kernel-debug-debuginfo-2.6.32-220.23.1.el6.i686.rpm
kernel-debuginfo-2.6.32-220.23.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-220.23.1.el6.i686.rpm
perf-debuginfo-2.6.32-220.23.1.el6.i686.rpm
python-perf-2.6.32-220.23.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-220.23.1.el6.i686.rpm
x86_64:
kernel-debug-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-220.23.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
python-perf-2.6.32-220.23.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/kernel-2.6.32-220.23.1.el6.src.rpm
noarch:
kernel-doc-2.6.32-220.23.1.el6.noarch.rpm
kernel-firmware-2.6.32-220.23.1.el6.noarch.rpm
x86_64:
kernel-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debug-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-220.23.1.el6.x86_64.rpm
kernel-devel-2.6.32-220.23.1.el6.x86_64.rpm
kernel-headers-2.6.32-220.23.1.el6.x86_64.rpm
perf-2.6.32-220.23.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/kernel-2.6.32-220.23.1.el6.src.rpm
x86_64:
kernel-debug-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-220.23.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
python-perf-2.6.32-220.23.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-220.23.1.el6.src.rpm
i386:
kernel-2.6.32-220.23.1.el6.i686.rpm
kernel-debug-2.6.32-220.23.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-220.23.1.el6.i686.rpm
kernel-debug-devel-2.6.32-220.23.1.el6.i686.rpm
kernel-debuginfo-2.6.32-220.23.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-220.23.1.el6.i686.rpm
kernel-devel-2.6.32-220.23.1.el6.i686.rpm
kernel-headers-2.6.32-220.23.1.el6.i686.rpm
perf-2.6.32-220.23.1.el6.i686.rpm
perf-debuginfo-2.6.32-220.23.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-220.23.1.el6.i686.rpm
noarch:
kernel-doc-2.6.32-220.23.1.el6.noarch.rpm
kernel-firmware-2.6.32-220.23.1.el6.noarch.rpm
ppc64:
kernel-2.6.32-220.23.1.el6.ppc64.rpm
kernel-bootwrapper-2.6.32-220.23.1.el6.ppc64.rpm
kernel-debug-2.6.32-220.23.1.el6.ppc64.rpm
kernel-debug-debuginfo-2.6.32-220.23.1.el6.ppc64.rpm
kernel-debug-devel-2.6.32-220.23.1.el6.ppc64.rpm
kernel-debuginfo-2.6.32-220.23.1.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-220.23.1.el6.ppc64.rpm
kernel-devel-2.6.32-220.23.1.el6.ppc64.rpm
kernel-headers-2.6.32-220.23.1.el6.ppc64.rpm
perf-2.6.32-220.23.1.el6.ppc64.rpm
perf-debuginfo-2.6.32-220.23.1.el6.ppc64.rpm
python-perf-debuginfo-2.6.32-220.23.1.el6.ppc64.rpm
s390x:
kernel-2.6.32-220.23.1.el6.s390x.rpm
kernel-debug-2.6.32-220.23.1.el6.s390x.rpm
kernel-debug-debuginfo-2.6.32-220.23.1.el6.s390x.rpm
kernel-debug-devel-2.6.32-220.23.1.el6.s390x.rpm
kernel-debuginfo-2.6.32-220.23.1.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-220.23.1.el6.s390x.rpm
kernel-devel-2.6.32-220.23.1.el6.s390x.rpm
kernel-headers-2.6.32-220.23.1.el6.s390x.rpm
kernel-kdump-2.6.32-220.23.1.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-220.23.1.el6.s390x.rpm
kernel-kdump-devel-2.6.32-220.23.1.el6.s390x.rpm
perf-2.6.32-220.23.1.el6.s390x.rpm
perf-debuginfo-2.6.32-220.23.1.el6.s390x.rpm
python-perf-debuginfo-2.6.32-220.23.1.el6.s390x.rpm
x86_64:
kernel-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debug-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-220.23.1.el6.x86_64.rpm
kernel-devel-2.6.32-220.23.1.el6.x86_64.rpm
kernel-headers-2.6.32-220.23.1.el6.x86_64.rpm
perf-2.6.32-220.23.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-220.23.1.el6.src.rpm
i386:
kernel-debug-debuginfo-2.6.32-220.23.1.el6.i686.rpm
kernel-debuginfo-2.6.32-220.23.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-220.23.1.el6.i686.rpm
perf-debuginfo-2.6.32-220.23.1.el6.i686.rpm
python-perf-2.6.32-220.23.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-220.23.1.el6.i686.rpm
ppc64:
kernel-debug-debuginfo-2.6.32-220.23.1.el6.ppc64.rpm
kernel-debuginfo-2.6.32-220.23.1.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-220.23.1.el6.ppc64.rpm
perf-debuginfo-2.6.32-220.23.1.el6.ppc64.rpm
python-perf-2.6.32-220.23.1.el6.ppc64.rpm
python-perf-debuginfo-2.6.32-220.23.1.el6.ppc64.rpm
s390x:
kernel-debug-debuginfo-2.6.32-220.23.1.el6.s390x.rpm
kernel-debuginfo-2.6.32-220.23.1.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-220.23.1.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-220.23.1.el6.s390x.rpm
perf-debuginfo-2.6.32-220.23.1.el6.s390x.rpm
python-perf-2.6.32-220.23.1.el6.s390x.rpm
python-perf-debuginfo-2.6.32-220.23.1.el6.s390x.rpm
x86_64:
kernel-debug-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-220.23.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
python-perf-2.6.32-220.23.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/kernel-2.6.32-220.23.1.el6.src.rpm
i386:
kernel-2.6.32-220.23.1.el6.i686.rpm
kernel-debug-2.6.32-220.23.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-220.23.1.el6.i686.rpm
kernel-debug-devel-2.6.32-220.23.1.el6.i686.rpm
kernel-debuginfo-2.6.32-220.23.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-220.23.1.el6.i686.rpm
kernel-devel-2.6.32-220.23.1.el6.i686.rpm
kernel-headers-2.6.32-220.23.1.el6.i686.rpm
perf-2.6.32-220.23.1.el6.i686.rpm
perf-debuginfo-2.6.32-220.23.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-220.23.1.el6.i686.rpm
noarch:
kernel-doc-2.6.32-220.23.1.el6.noarch.rpm
kernel-firmware-2.6.32-220.23.1.el6.noarch.rpm
x86_64:
kernel-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debug-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-220.23.1.el6.x86_64.rpm
kernel-devel-2.6.32-220.23.1.el6.x86_64.rpm
kernel-headers-2.6.32-220.23.1.el6.x86_64.rpm
perf-2.6.32-220.23.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/kernel-2.6.32-220.23.1.el6.src.rpm
i386:
kernel-debug-debuginfo-2.6.32-220.23.1.el6.i686.rpm
kernel-debuginfo-2.6.32-220.23.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-220.23.1.el6.i686.rpm
perf-debuginfo-2.6.32-220.23.1.el6.i686.rpm
python-perf-2.6.32-220.23.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-220.23.1.el6.i686.rpm
x86_64:
kernel-debug-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-220.23.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
python-perf-2.6.32-220.23.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-220.23.1.el6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-0044.html
https://www.redhat.com/security/data/cve/CVE-2012-1179.html
https://www.redhat.com/security/data/cve/CVE-2012-2119.html
https://www.redhat.com/security/data/cve/CVE-2012-2121.html
https://www.redhat.com/security/data/cve/CVE-2012-2123.html
https://www.redhat.com/security/data/cve/CVE-2012-2136.html
https://www.redhat.com/security/data/cve/CVE-2012-2137.html
https://www.redhat.com/security/data/cve/CVE-2012-2372.html
https://www.redhat.com/security/data/cve/CVE-2012-2373.html
https://access.redhat.com/security/updates/classification/#important
https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.2_Technical_Notes/kernel.html#RHSA-2012-0743
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
(CVE-2011-4086)
Sasha Levin discovered a flaw in the permission checking for device
assignments requested via the kvm ioctl in the Linux kernel. (CVE-2012-0045)
A flaw was discovered in the Linux kernel's cifs file system. (CVE-2012-1090)
H.
(CVE-2012-1097)
A flaw was discovered in the Linux kernel's cgroups subset. (CVE-2012-1146)
A flaw was found in the Linux kernel's handling of paged memory. (CVE-2012-1179)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.10:
linux-image-3.0.0-19-generic 3.0.0-19.33
linux-image-3.0.0-19-generic-pae 3.0.0-19.33
linux-image-3.0.0-19-omap 3.0.0-19.33
linux-image-3.0.0-19-powerpc 3.0.0-19.33
linux-image-3.0.0-19-powerpc-smp 3.0.0-19.33
linux-image-3.0.0-19-powerpc64-smp 3.0.0-19.33
linux-image-3.0.0-19-server 3.0.0-19.33
linux-image-3.0.0-19-virtual 3.0.0-19.33
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
----------------------------------------------------------------------
----------------------------------------------------------------------
TITLE:
Ubuntu update for linux-lts-backport-oneiric
SECUNIA ADVISORY ID:
SA48987
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48987/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48987
RELEASE DATE:
2012-05-01
DESCRIPTION:
Ubuntu has issued an update for linux-lts-backport-oneiric.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
ORIGINAL ADVISORY:
USN-1433-1:
https://lists.ubuntu.com/archives/ubuntu-security-announce/2012-May/001672.html
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04135307
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04135307
Version: 1
HPSBGN02970 rev.1 - HP Rapid Deployment Pack (RDP) or HP Insight Control
Server Deployment, Multiple Remote Vulnerabilities affecting Confidentiality,
Integrity and Availability
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2014-03-10
Last Updated: 2014-03-10
Potential Security Impact: Multiple remote vulnerabilities affecting
confidentiality, integrity and availability
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential vulnerabilities have been identified with HP Rapid Deployment Pack
(RDP) or HP Insight Control Server Deployment. The vulnerabilities could be
exploited remotely affecting confidentiality, integrity and availability.
References: CVE-2010-4008
CVE-2010-4494
CVE-2011-2182
CVE-2011-2213
CVE-2011-2492
CVE-2011-2518
CVE-2011-2689
CVE-2011-2723
CVE-2011-3188
CVE-2011-4077
CVE-2011-4110
CVE-2012-0058
CVE-2012-0879
CVE-2012-1088
CVE-2012-1179
CVE-2012-2137
CVE-2012-2313
CVE-2012-2372
CVE-2012-2373
CVE-2012-2375
CVE-2012-2383
CVE-2012-2384
CVE-2013-6205
CVE-2013-6206
SSRT101443
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Rapid Deployment Pack (RDP) -- All versions
HP Insight Control Server Deployment -- All versions
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2013-6205 (AV:L/AC:M/Au:S/C:P/I:P/A:P) 4.1
CVE-2013-6206 (AV:N/AC:L/Au:N/C:C/I:P/A:P) 9.0
CVE-2010-4008 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2010-4494 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2011-2182 (AV:L/AC:L/Au:N/C:C/I:C/A:C) 7.2
CVE-2011-2213 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
CVE-2011-2492 (AV:L/AC:M/Au:N/C:P/I:N/A:N) 1.9
CVE-2011-2518 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
CVE-2011-2689 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
CVE-2011-2723 (AV:A/AC:M/Au:N/C:N/I:N/A:C) 5.7
CVE-2011-3188 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2011-4077 (AV:L/AC:M/Au:N/C:C/I:C/A:C) 6.9
CVE-2011-4110 (AV:L/AC:L/Au:N/C:N/I:N/A:P) 2.1
CVE-2012-0058 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
CVE-2012-0879 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
CVE-2012-1088 (AV:L/AC:M/Au:N/C:N/I:P/A:P) 3.3
CVE-2012-1179 (AV:A/AC:M/Au:S/C:N/I:N/A:C) 5.2
CVE-2012-2137 (AV:L/AC:M/Au:N/C:C/I:C/A:C) 6.9
CVE-2012-2313 (AV:L/AC:H/Au:N/C:N/I:N/A:P) 1.2
CVE-2012-2372 (AV:L/AC:M/Au:S/C:N/I:N/A:C) 4.4
CVE-2012-2373 (AV:L/AC:H/Au:N/C:N/I:N/A:C) 4.0
CVE-2012-2375 (AV:A/AC:H/Au:N/C:N/I:N/A:C) 4.6
CVE-2012-2383 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
CVE-2012-2384 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP recommends that HP Rapid Deployment Pack (RDP) or HP Insight Control
Server Deployment should only be run on private secure networks to prevent
the risk of security compromise.
HISTORY
Version:1 (rev.1) - 10 March 2014 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners
| VAR-201203-0551 | No CVE | Citrix Licensing Administration Console Denial of Service Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Citrix Licensing is prone to a denial-of-service vulnerability.
A remote attacker can leverage this issue to crash the affected application, denying service to legitimate users.
Citrix Licensing 11.6.1 build 10007 is vulnerable; other versions may also be affected.
| VAR-201204-0228 | CVE-2012-1180 | nginx Vulnerability in which important information is obtained |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Use-after-free vulnerability in nginx before 1.0.14 and 1.1.x before 1.1.17 allows remote HTTP servers to obtain sensitive information from process memory via a crafted backend response, in conjunction with a client request. nginx is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to harvest sensitive information that may lead to further attacks.
BUGTRAQ ID: 52578
CVE ID: CVE-2012-1180
nginx is a widely used high-performance web server. There is an information disclosure vulnerability in nginx's implementation of processing malformed HTTP responses from upstream servers.
nginx 1.0.9, nginx 1.0.8, nginx 1.0.10
Vendor patch: Igor Sysoev
At present, the vendor has released an upgrade patch to fix this security problem; please go to the vendor's homepage to download it: http://nginx.net/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201203-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: nginx: Multiple vulnerabilities
Date: March 28, 2012
Bugs: #293785, #293786, #293788, #389319, #408367
ID: 201203-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in nginx, the worst of which
may allow execution of arbitrary code.
Background
==========
nginx is a robust, small, and high performance HTTP and reverse proxy
server.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-servers/nginx < 1.0.14 >= 1.0.14
Description
===========
Multiple vulnerabilities have been found in nginx:
* The TLS protocol does not properly handle session renegotiation
requests (CVE-2009-3555).
* The "ngx_http_process_request_headers()" function in ngx_http_parse.c
could cause a NULL pointer dereference (CVE-2009-3896).
* nginx does not properly sanitize user input for the the WebDAV COPY
or MOVE methods (CVE-2009-3898).
* The "ngx_resolver_copy()" function in ngx_resolver.c contains a
boundary error which could cause a heap-based buffer overflow
(CVE-2011-4315).
* nginx does not properly parse HTTP header responses which could
expose sensitive information (CVE-2012-1180).
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the nginx process, cause a Denial of Service condition,
create or overwrite arbitrary files, or obtain sensitive information.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All nginx users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/nginx-1.0.14"
References
==========
[ 1 ] CVE-2009-3555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3555
[ 2 ] CVE-2009-3896
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3896
[ 3 ] CVE-2009-3898
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3898
[ 4 ] CVE-2011-4315
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4315
[ 5 ] CVE-2012-1180
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1180
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201203-22.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2012:043
http://www.mandriva.com/security/
_______________________________________________________________________
Package : nginx
Date : March 29, 2012
Affected: 2010.1, 2011.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1180
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2010.1:
44b081cef04380c1b45336962f9e9c4a 2010.1/i586/nginx-0.8.41-1.1mdv2010.2.i586.rpm
ba57a417d0064fb122694b5dacedb1dd 2010.1/SRPMS/nginx-0.8.41-1.1mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
0008b13952f6f57c14efabeba5fbc717 2010.1/x86_64/nginx-0.8.41-1.1mdv2010.2.x86_64.rpm
ba57a417d0064fb122694b5dacedb1dd 2010.1/SRPMS/nginx-0.8.41-1.1mdv2010.2.src.rpm
Mandriva Linux 2011:
dd738ba12a2127a78731eabb19129045 2011/i586/nginx-1.0.5-1.1-mdv2011.0.i586.rpm
5ee13d12672c9cd141449bd0dc024479 2011/SRPMS/nginx-1.0.5-1.1.src.rpm
Mandriva Linux 2011/X86_64:
d4af6f92f3508722e79dad2a5d12f269 2011/x86_64/nginx-1.0.5-1.1-mdv2011.0.x86_64.rpm
5ee13d12672c9cd141449bd0dc024479 2011/SRPMS/nginx-1.0.5-1.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFPc/zbmqjQ0CJFipgRAsXqAKCDpT1SDD6heEKkG4xtUvKB19ofhgCgihpF
qZLFGHfgElxAFfkUZ3nIlDw=
=VETw
-----END PGP SIGNATURE-----
For the stable distribution (squeeze), this problem has been fixed in
version 0.7.67-3+squeeze2.
For the unstable distribution (sid), this problem has been fixed in
version 1.1.17-1.
We recommend that you upgrade your nginx packages.
----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
Debian update for nginx
SECUNIA ADVISORY ID:
SA48465
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48465/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48465
RELEASE DATE:
2012-03-20
DISCUSS ADVISORY:
http://secunia.com/advisories/48465/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/48465/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=48465
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Debian has issued an update for nginx. This fixes a weakness, which
can be exploited by malicious people to disclose certain sensitive
information.
For more information:
SA48366
SOLUTION:
Apply updated packages via the apt-get package manager.
ORIGINAL ADVISORY:
DSA-2434-1:
http://www.debian.org/security/2012/dsa-2434
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201208-0454 | CVE-2012-4582 | McAfee Email and Web Security and McAfee Email Gateway Vulnerable to resetting the password of any administrator account |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
McAfee Email and Web Security (EWS) 5.x before 5.5 Patch 6 and 5.6 before Patch 3, and McAfee Email Gateway (MEG) 7.0 before Patch 1, allows remote authenticated users to reset the passwords of arbitrary administrative accounts via unspecified vectors.
A remote attacker could leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Exploiting the information-disclosure issues allows the attacker to view local files within the context of the Web server process.
Exploiting the security-bypass vulnerability allows attackers to bypass security restrictions and obtain sensitive information or perform unauthorized actions.
Exploiting the directory-traversal issue allows attackers to use directory-traversal strings to retrieve arbitrary files in the context of the affected application.
Exploiting the insecure-encryption issue allows attackers to determine encryption keys, which may lead to further attacks. McAfee Email and Web Security offers incoming threat protection, outgoing encryption, data loss prevention, and more.
----------------------------------------------------------------------
TITLE:
McAfee Email and Web Security Appliance and Email Gateway Multiple
Vulnerabilities
SECUNIA ADVISORY ID:
SA48406
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48406/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48406
RELEASE DATE:
2012-03-14
DISCUSS ADVISORY:
http://secunia.com/advisories/48406/#comments
DESCRIPTION:
A weakness and multiple vulnerabilities have been reported in McAfee
Email and Web Security Appliance and McAfee Email Gateway, which can
be exploited by malicious users to disclose sensitive information and
bypass certain security restrictions and by malicious people to
conduct cross-site scripting and brute force attacks.
1) Certain unspecified input is not properly sanitised before being
returned to the user.
2) An error in the reset password functionality can be exploited to
reset the password of administrative users.
3) An error within the Dashboard discloses active session tokens and
can be exploited to hijack another user's session.
4) The system backup stores passwords with weak encryption and can be
exploited to decrypt the passwords via brute force attacks.
5) Certain unspecified input is not properly verified before being
used to download files. This can be exploited to download arbitrary
files from local resources via directory traversal sequences.
6) An unspecified error can be exploited to disclose the contents of
files.
Note: A weakness due to the server-side session remaining active has
also been reported.
SOLUTION:
Update to a fixed version:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Ben Williams, NGS Secure
ORIGINAL ADVISORY:
https://kc.mcafee.com/corporate/index?page=content&id=SB10020
| VAR-201203-0517 | No CVE | Multiple Remote Code Execution Vulnerabilities in Multiple Xerox Devices |
CVSS V2: - CVSS V3: - Severity: - |
Multiple Xerox products contain security vulnerabilities that allow malicious users to gain control of the device. An unspecified error allows an attacker who submits a specially crafted PostScript or firmware job to execute arbitrary code. No further vulnerability details are currently available.
An attacker can exploit these issues to execute arbitrary code in the context of the affected application. Successful exploitation can completely compromise the vulnerable device.
----------------------------------------------------------------------
TITLE:
Xerox Products PostScript and DLM Vulnerabilities
SECUNIA ADVISORY ID:
SA48322
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48322/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48322
RELEASE DATE:
2012-03-14
DISCUSS ADVISORY:
http://secunia.com/advisories/48322/#comments
DESCRIPTION:
Two vulnerabilities have been reported in multiple Xerox products,
which can be exploited by malicious people to compromise a vulnerable
device.
Please see the vendor's advisory for the list of affected products.
SOLUTION:
Apply update or workaround if available (please see the vendor's
advisory for details).
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Deral Heiland, www.foofus.net and Andrei Costin,
www.andreicostin.com
ORIGINAL ADVISORY:
XRX12-003:
http://www.xerox.com/download/security/security-bulletin/1284332-2ddc5-4baa79b70ac40/cert_XRX12-003_v1.1.pdf
| VAR-201209-0645 | CVE-2012-2064 | Drupal for Views Language Switcher Cross-site scripting vulnerability in module |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in theme/views_lang_switch.theme.inc in the Views Language Switcher module before 7.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via the q parameter.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Versions prior to Views Language Switcher 7.x-1.2 are vulnerable. Drupal is a free and open source content management system written in PHP and maintained by the Drupal community.
----------------------------------------------------------------------
TITLE:
Drupal Views Language Switcher Module "q" Cross-Site Scripting
Vulnerability
SECUNIA ADVISORY ID:
SA48355
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48355/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48355
RELEASE DATE:
2012-03-15
DISCUSS ADVISORY:
http://secunia.com/advisories/48355/#comments
DESCRIPTION:
A vulnerability has been reported in the Views Language Switcher
module for Drupal, which can be exploited by malicious people to
conduct cross-site scripting attacks.
Input passed to the "q" parameter is not properly sanitised in
theme/views_lang_switch.theme.inc before being returned to the user.
SOLUTION:
Update to version 7.x-1.2.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
SA-CONTRIB-2012-038:
http://drupal.org/node/1482420
| VAR-201203-0221 | CVE-2012-0358 | Cisco AnyConnect Clientless SSL VPN Portforwarder ActiveX control buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in the Cisco Port Forwarder ActiveX control in cscopf.ocx, as distributed through the Clientless VPN feature on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.0 through 7.2 before 7.2(5.6), 8.0 before 8.0(5.26), 8.1 before 8.1(2.53), 8.2 before 8.2(5.18), 8.3 before 8.3(2.28), 8.2 before 8.4(2.16), and 8.6 before 8.6(1.1), allows remote attackers to execute arbitrary code via unspecified vectors, aka Bug ID CSCtr00165. This issue is tracked as Cisco Bug ID CSCtr00165. A remote third party may execute arbitrary code. Failed exploit attempts may result in a denial-of-service condition.
----------------------------------------------------------------------
TITLE:
Cisco Adaptive Security Appliances Port Forwarder ActiveX Control
Buffer Overflow Vulnerability
SECUNIA ADVISORY ID:
SA48422
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48422/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48422
RELEASE DATE:
2012-03-15
DISCUSS ADVISORY:
http://secunia.com/advisories/48422/#comments
DESCRIPTION:
A vulnerability has been reported in Cisco Adaptive Security
Appliances, which can be exploited by malicious people to compromise
a user's system.
PROVIDED AND/OR DISCOVERED BY:
Will Dormann, CERT/CC.
ORIGINAL ADVISORY:
Cisco:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asaclient
US-CERT:
http://www.kb.cert.org/vuls/id/339177
Microsoft Windows-based systems that are running Internet Explorer or
another browser that supports Microsoft ActiveX technology may be
affected if the system has ever connected to a device that is running
the Cisco Clientless VPN solution.
The affected ActiveX control is distributed to endpoint systems by
Cisco ASA. However, the impact of successful exploitation of this
vulnerability is to the endpoint system only and does not compromise
Cisco ASA devices.
Cisco has released free software updates that address this
vulnerability.
Workarounds that mitigate this vulnerability are available.
Customers who are using Cisco ASA Software
version 7.0 or 7.1 should contact their Cisco support team for
assistance in upgrading to a supported version of Cisco ASA
Software.
Note: The affected implementation of the Cisco Clientless VPN
solution was introduced with the release of Cisco ASA Software
version 7.1. This issue does not affect devices running Cisco
PIX Software.
Administrators may determine whether the Cisco Clientless VPN solution
is enabled on their devices by issuing the "show running-config webvpn"
command. The following example shows the response when the Cisco
Clientless VPN solution is enabled:
ciscoasa# show running-config webvpn
webvpn
enable outside
End user systems running Microsoft Windows may be affected if they
have used the Cisco Clientless VPN feature on an affected device from
a browser that supports ActiveX technology. Devices that contain the
cscopf.ocx ActiveX control registered with a class ID (CLSID) of
{B8E73359-3422-4384-8D27-4EA1B4C01232} are affected. The affected
controls are marked both Safe for Scripting (SFS) and Safe for
Initialization (SFI), which may present additional attack vectors
when a system has registered and cached the affected control.
The Cisco Clientless VPN feature
allows users to use a web browser to create an SSL VPN tunnel from an
endpoint device to a Cisco ASA device. When connected, the ASA
pushes several ActiveX and Java applications to the endpoint device
to allow a number of features to operate. The
attacker-supplied code would be executed with the privileges of the
user who invoked the browser used to visit the attacker-controlled
website. If the user has administrative privileges, a complete
compromise may occur. Affected endpoint systems
will need to disable the control via one of the methods suggested in
the "Workarounds" section of this document.
When loaded on an endpoint system, the affected control has a binary
name of cscopf.ocx and is registered on a system with a CLSID of
{B8E73359-3422-4384-8D27-4EA1B4C01232}. Fixed versions of the
cscopf.ocx control are registered with CLSID
{C861B75F-EE32-4aa4-B610-281AF26A8D1C}.
Cisco is requesting that Microsoft set a global kill bit for this
control in a future Microsoft kill-bit update. After this update
occurs, the affected control will stop operating on all affected
endpoint systems that load the Microsoft-provided update.
This issue is documented in Cisco bug ID CSCtr00165
and has been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2012-0358.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerability in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority
of a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the
environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtr00165 ("Cisco Clientless VPN Port Forwarder ActiveX Control
Remote Code Execution Vulnerability")
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may allow a remote,
unauthenticated attacker to execute arbitrary code on the affected
end-user system with the privileges of the user who invoked the web
browser. If the user has administrative privileges, code execution
may result in a complete compromise of the affected system.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to
consult the Cisco Security Advisories and Responses archive at
http://www.cisco.com/go/psirt and review subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised
to contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
+---------------------------------------------------------------+
|Affected | First Fixed | Recommended Release |
|Version |Release | |
|--------------+-----------------+------------------------------|
|Cisco ASA 7.0 |Not Vulnerable |Migrate to 7.2 or later |
|--------------+-----------------+------------------------------|
|Cisco ASA 7.1 |Vulnerable |Vulnerable; Migrate to 7.2 or |
| | |later |
|--------------+-----------------+------------------------------|
|Cisco ASA 7.2 | 7.2(5.6) |7.2(5.7) |
|--------------+-----------------+------------------------------|
|Cisco ASA 8.0 |8.0(5.26) |Migrate to 8.2(5.26) or later |
|--------------+-----------------+------------------------------|
|Cisco ASA 8.1 | 8.1(2.53) |Migrate to 8.2(5.26) or later |
|--------------+-----------------+------------------------------|
|Cisco ASA 8.2 | 8.2(5.18) |8.2(5.26) |
|--------------+-----------------+------------------------------|
|Cisco ASA 8.3 | 8.3(2.28) |Migrate to 8.4(3.8) or later |
|--------------+-----------------+------------------------------|
|Cisco ASA 8.4 |8.4(2.16) |8.4(3.8) |
|--------------+-----------------+------------------------------|
|Cisco ASA 8.5 |Not Vulnerable |8.5(1.7) |
|--------------+-----------------+------------------------------|
|Cisco ASA 8.6 |8.6(1.1) |8.6(1.1) |
+---------------------------------------------------------------+
Note: Cisco ASA Software version 7.0 and 7.1 have reached end of
software maintenance. Customers who are using Cisco ASA Software
version 7.0 or 7.1 should contact their Cisco support team for
assistance in upgrading to a supported version of Cisco ASA
Software.
Note: The recommended releases contain the fixes for all
vulnerabilities for all the advisories published in the
publication. Cisco recommends upgrading to a release that is
equal to or later than these recommended releases.
Affected endpoint systems will need to download the
fixed version by connecting to a Cisco ASA device that is running
fixed software via the Cisco Clientless Web solution or disable
the affected control via one of the methods mentioned in the
"Workarounds" section of this document.
Workarounds
===========
End users or administrators may mitigate Internet Explorer as an
attack vector by setting the kill bit for the affected ActiveX
control. This can be achieved by modifying the registry either
directly on the affected machine or via an Active Directory Group
Policy.
Warning: Incorrectly modifying the system registry of a Microsoft
Windows-based device may cause serious problems. Neither Cisco nor
Microsoft can guarantee that you can resolve problems that may result
from improper registry modification from either applying the registry
changes via a .reg file or by using the Registry Editor incorrectly.
Modify the registry of your system at your own risk.
To set the kill bit for the CLSID with a value of
{B8E73359-3422-4384-8D27-4EA1B4C01232}, paste the following text in a
text editor such as Notepad. Save the file using the .reg filename
extension.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B8E73359-3422-4384-8D27-4EA1B4C01232}]
"Compatibility Flags"=dword:04000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B8E73359-3422-4384-8D27-4EA1B4C01232}]
"Compatibility Flags"=dword:04000400
End users can apply this .reg file to individual systems by
double-clicking the file. Administrators can also apply the registry
change across domains by using Group Policy. You can find more
information about using Group Policy in the following Microsoft
TechNet article: Group Policy Collection
When the registry change has been applied, Microsoft Internet
Explorer must be restarted for the changes to take effect. Once the
kill bit has been set, the affected control will no longer be
accessible by the Cisco Clientless VPN system or a malicious web page
when accessed by Internet Explorer. One common component that may stop operating is the ActiveX
RDP plug-in.
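The following is an added example, not part of the Cisco advisory: a small Python check that reads a .reg fragment such as the one above and confirms that the kill bit is actually set for the CLSID in both the native and the Wow6432Node view of the ActiveX Compatibility key. It parses the text offline rather than touching a live registry; the kill-bit value 0x00000400 is the documented Microsoft COMPAT flag, and the .reg text is embedded as published in the advisory.

```python
"""Check that a .reg fragment sets the ActiveX kill bit for a CLSID.

Added example; not Cisco's or Microsoft's tooling. It parses .reg text
offline, so it can be run against a file before it is deployed by GPO.
"""

# CLSID named in the advisory; kill-bit flag value per Microsoft's
# ActiveX Compatibility documentation (COMPAT flag 0x00000400).
CLSID = "{B8E73359-3422-4384-8D27-4EA1B4C01232}"
KILL_BIT = 0x00000400

# The .reg text exactly as published in the advisory, embedded so the
# check runs offline.
REG_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B8E73359-3422-4384-8D27-4EA1B4C01232}]
"Compatibility Flags"=dword:04000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B8E73359-3422-4384-8D27-4EA1B4C01232}]
"Compatibility Flags"=dword:04000400
"""


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in .reg text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=dword:" in line:
            name, _, hexval = line.partition("=dword:")
            keys[current][name.strip('"')] = int(hexval, 16)
    return keys


def kill_bit_set(reg_keys, clsid):
    """Map each ActiveX Compatibility subkey for clsid to whether the kill bit is set."""
    suffix = ("\\activex compatibility\\" + clsid).lower()
    result = {}
    for path, values in reg_keys.items():
        if path.lower().endswith(suffix):
            flags = values.get("Compatibility Flags", 0)
            result[path] = bool(flags & KILL_BIT)
    return result


def reg_file_kills(text, clsid=CLSID):
    """True only if the kill bit is set in both the native and the Wow6432Node view.

    Both views matter: on 64-bit Windows a 32-bit Internet Explorer reads
    the Wow6432Node copy of the key.
    """
    status = kill_bit_set(parse_reg(text), clsid)
    native = any(ok and "wow6432node" not in p.lower() for p, ok in status.items())
    wow = any(ok and "wow6432node" in p.lower() for p, ok in status.items())
    return native and wow


if __name__ == "__main__":
    print("kill bit set in both views:", reg_file_kills(REG_TEXT))
```

The check deliberately fails when either view is missing or when the flags value lacks bit 0x400, which is the mistake most likely to slip through a hand-edited .reg file.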
Mitigations that can be deployed on Cisco devices in a network are
available in the Cisco Applied Intelligence companion document for
this advisory:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120314-asaclient
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerability described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance
providers or check the software for feature set compatibility and
known issues that are specific to their environments.
Customers may only install and expect support for feature
sets they have purchased. By installing, downloading,
accessing, or otherwise using such software upgrades, customers
agree to follow the terms of the Cisco software license at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as set forth at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be obtained
through the Software Center on Cisco.com at http://www.cisco.com.
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their
service providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should obtain upgrades by contacting the Cisco
Technical Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerability that is described in this advisory.
This vulnerability was reported to Cisco by Will Dormann of the CERT/CC.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asaclient
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2012-Mar-14 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco is available on Cisco.com at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This web page includes instructions for press inquiries
regarding Cisco Security Advisories. All Cisco Security Advisories are
available at http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iF4EAREIAAYFAk9gw+sACgkQQXnnBKKRMNDtRwD9HEZMimIKp+jI/+wmveYZMmT4
/ezfjyf2ql/dxjmJNfUA/3D4zwpDyNUJeT/2H9blwnFah5/JiNZCcxhaIUGiRkwY
=EnGt
-----END PGP SIGNATURE-----
| VAR-201203-0220 | CVE-2012-0356 |
plural Cisco Service disruption in products ( Device reload ) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-201203-0177 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ASA Services Module (ASASM) in Cisco Catalyst 6500 series devices, with software 7.0 through 7.2 before 7.2(5.7), 8.0 before 8.0(5.27), 8.1 before 8.1(2.53), 8.2 before 8.2(5.8), 8.3 before 8.3(2.25), 8.4 before 8.4(2.5), and 8.5 before 8.5(1.2) and the Firewall Services Module (FWSM) 3.1 and 3.2 before 3.2(23) and 4.0 and 4.1 before 4.1(8) in Cisco Catalyst 6500 series devices, when multicast routing is enabled, allow remote attackers to cause a denial of service (device reload) via a crafted IPv4 PIM message, aka Bug IDs CSCtr47517 and CSCtu97367. This issue is tracked as Cisco Bug IDs CSCtr47517 and CSCtu97367. A third party may be able to cause a denial of service (device reload) by sending a crafted IPv4 PIM message. Multiple Cisco products are prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCtu97367 and CSCtr47517. Also known as Bug IDs CSCtr47517 and CSCtu97367.
----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
Cisco Adaptive Security Appliances Multiple Denial of Service
Vulnerabilities
SECUNIA ADVISORY ID:
SA48423
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48423/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48423
RELEASE DATE:
2012-03-15
DISCUSS ADVISORY:
http://secunia.com/advisories/48423/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/48423/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=48423
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Cisco Adaptive
Security Appliances (ASA), which can be exploited by malicious people
to cause a DoS (Denial of Service).
1) An error exists in the UDP inspection engine due to improper flow
handling and can be exploited to reload a device by sending a
specially crafted sequence of UDP packets that transit the
appliance.
SOLUTION:
Update to a fixed version (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Cisco has released free software updates that address these
vulnerabilities. Workarounds are available to mitigate some of the
vulnerabilities. A separate Cisco
Security Advisory has been published to disclose the vulnerabilities
that affect the Cisco FWSM. Affected versions of Cisco ASA Software will vary
depending on the specific vulnerability. Consult the "Software
Versions and Fixes" section of this security advisory for more
information about the affected version. Cisco PIX has
reached end of maintenance support. Consult the dedicated section for Cisco PIX
Security Appliances in the "Vulnerable Products" section of this
security advisory for more information about affected versions.
Vulnerable Products
+------------------
For specific version information, refer to the "Software Versions and
Fixes" section of this advisory.
Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
+--------------------------------------------------------------
The Cisco ASA UDP inspection engine that is used to inspect UDP-based
protocols contains a vulnerability that could allow a remote
unauthenticated attacker to trigger a reload of the Cisco ASA.
All UDP protocols that are being inspected by the Cisco ASA UDP
inspection engine may be vulnerable. The following protocols are known
to use the Cisco ASA UDP inspection engine:
* Domain Name System (DNS)
* Session Initiation Protocol (SIP)
* Simple Network Management Protocol (SNMP)
* GPRS Tunneling Protocol (GTP)
* H.323, H.225 RAS
* Media Gateway Control Protocol (MGCP)
* SunRPC
* Trivial File Transfer Protocol (TFTP)
* X Display Manager Control Protocol (XDMCP)
* IBM NetBios
* Instant Messaging (depending on the particular IM client/solution
being used)
Note: UDP inspection engines may be enabled by default on Cisco ASA
Software. Please consult your user guide for more information.
The default inspected ports are listed at the following link:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_overview.html
Note: The Cisco ASA UDP inspection can be applied to non-default UDP
ports via class-map and policy-map commands. Any instance of use of
the Cisco ASA UDP inspection engines may be vulnerable to this
vulnerability, thus, configurations that include non-default UDP ports
but use the Cisco ASA UDP inspection engine are considered vulnerable.
To determine whether any of the above inspections are enabled, issue
the show service-policy | include <inspection engine name> command and
confirm that the command returns output. The following example shows a
Cisco ASA configured to inspect IBM NetBIOS traffic:
ciscoasa# show service-policy | include netbios
Inspect: netbios, packet 0, drop 0, reset-drop 0
Cisco ASA Threat Detection Denial of Service Vulnerability
+---------------------------------------------------------
The Cisco ASA Threat Detection feature, when configured with the
Scanning Threat Mode feature and with the shun option enabled, contains a
vulnerability that could allow a remote unauthenticated attacker to
trigger a reload of the Cisco ASA. This feature is not enabled by
default.
To determine whether the Cisco ASA Threat Detection with Scanning
Threat feature and shun option is enabled, issue the show
running-config threat-detection scanning-threat command and confirm
that the returned output includes the shun option. The following
example shows a vulnerable configuration:
ciscoasa# show running-config threat-detection scanning-threat
threat-detection scanning-threat shun
Note: This feature was first introduced in Cisco ASA Software Version
8.0(2). Previous versions of Cisco ASA are not vulnerable.
Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
+--------------------------------------------------------------
A denial of service (DoS) vulnerability exists in the implementation
of one specific system log (syslog) message (message ID 305006), that
could cause a reload of the Cisco ASA if this syslog message needs to
be generated.
Syslog message ID 305006 is generated when the Cisco ASA is unable to
create a network address translation for a new connection. Additional
information regarding this syslog message can be found in the Cisco
ASA System Log Messages guide at:
http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html
Logging is not enabled by default on Cisco ASA, however, when logging
is enabled, Cisco ASA will automatically enable syslog message 305006.
Cisco ASA Software may be affected by this vulnerability if the
following conditions are satisfied:
* System logging is enabled and syslogs are configured to be sent
to any syslog destination (including Buffer or ASDM for example)
* Cisco ASA Software is configured in any way to generate syslog
message 305006
Syslog message 305006 has a default severity level of 3 (errors).
Cisco ASA Software configured for logging at Level 3 or higher (that
is Levels 3 through 7) may be vulnerable. To verify if logging is
enabled, issue the show logging command. The following example shows a
Cisco ASA with logging enabled and buffer logging enabled at Level 6
(informational):
ciscoasa# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level informational, 2 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
Using a custom message list (created via the logging list command)
that includes syslog message 305006, either by severity or by
explicitly including the message ID, is also a vulnerable
configuration.
The default severity level of syslog messages can be changed. If the
default severity level of syslog message 305006 is changed and the
device is configured to log to any destination at the new severity
level, the device is vulnerable.
Note: This vulnerability was introduced after the implementation of
the new Cisco ASA Identity Firewall (IDFW) feature. This feature is not enabled by default.
To verify if PIM is enabled on an interface use the show pim interface
command and verify that the state on appears under the PIM column. The
following example shows PIM enabled on the interface outside but
disabled on the interface inside:
ciscoasa# show pim interface
Address Interface PIM Nbr Hello DR DR
Count Intvl Prior
192.168.1.1 outside on 0 30 1 this system
192.168.2.1 inside off 0 30 1 this system
Note: Cisco ASA is vulnerable if at least one interface state is
marked with on under the PIM column of the show pim interface command
output.
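The four checks above (UDP inspections in show service-policy, the shun option in show running-config threat-detection scanning-threat, the logging level in show logging, and the PIM column in show pim interface) are easy to automate once the output has been captured. The following Python audit is an added example and not Cisco tooling; it parses constructed CLI captures modelled on the advisory's own examples and reports which precondition each exhibits. It never connects to a device, and it does not evaluate custom logging list message lists, which the advisory also names as a vulnerable configuration.

```python
"""Audit captured Cisco ASA 'show' output for the preconditions the advisory
gives for its four vulnerabilities (added example, not Cisco tooling).
Works on text already captured from the CLI; it never connects to a device."""
import re

# Inspections the advisory names as users of the UDP inspection engine.
UDP_INSPECTIONS = {"dns", "sip", "snmp", "gtp", "h323", "ras", "mgcp",
                   "sunrpc", "tftp", "xdmcp", "netbios", "im"}
# ASA syslog severity keywords in numeric order 0..7; 305006 defaults to 3.
SEVERITIES = ["emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"]
MSG_305006_SEVERITY = 3


def udp_inspections_enabled(show_service_policy):
    """UDP-engine inspections listed as 'Inspect: <name>' in show service-policy."""
    names = re.findall(r"Inspect:\s+([a-z0-9]+)", show_service_policy)
    return {n for n in names if n in UDP_INSPECTIONS}


def scanning_threat_shun_enabled(show_run_threat_detection):
    """True when 'threat-detection scanning-threat' is configured with shun."""
    return any(re.match(r"threat-detection scanning-threat\b.*\bshun\b", l.strip())
               for l in show_run_threat_detection.splitlines())


def logs_message_305006(show_logging):
    """True if syslog logging is enabled and some destination logs at level >= 3.
    (Custom 'logging list' message lists are not parsed here.)"""
    if not re.search(r"Syslog logging:\s+enabled", show_logging):
        return False
    for word in re.findall(r"logging:\s+level (\w+)", show_logging):
        if word in SEVERITIES and SEVERITIES.index(word) >= MSG_305006_SEVERITY:
            return True
    return False


def pim_interfaces_on(show_pim_interface):
    """Interfaces whose PIM column reads 'on' in 'show pim interface' output."""
    on = []
    for line in show_pim_interface.splitlines():
        parts = line.split()  # data rows: address, interface, pim-state, ...
        if len(parts) >= 3 and re.match(r"\d+\.\d+\.\d+\.\d+$", parts[0]) \
                and parts[2] == "on":
            on.append(parts[1])
    return on


def audit(service_policy, threat_detection, show_logging, pim_interface):
    """Which of the four preconditions the captured output exhibits."""
    return {
        "udp_inspection": sorted(udp_inspections_enabled(service_policy)),
        "threat_detection_shun": scanning_threat_shun_enabled(threat_detection),
        "syslog_305006": logs_message_305006(show_logging),
        "pim_on": pim_interfaces_on(pim_interface),
    }


# Constructed CLI captures modelled on the advisory's own examples.
SAMPLE_SERVICE_POLICY = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
"""
SAMPLE_THREAT_DETECTION = "threat-detection scanning-threat shun\n"
SAMPLE_SHOW_LOGGING = """\
Syslog logging: enabled
    Facility: 20
    Console logging: disabled
    Buffer logging: level informational, 2 messages logged
    Trap logging: disabled
    ASDM logging: disabled
"""
SAMPLE_PIM = """\
Address          Interface  PIM  Nbr   Hello  DR     DR
                                 Count Intvl  Prior
192.168.1.1      outside    on   0     30     1      this system
192.168.2.1      inside     off  0     30     1      this system
"""

if __name__ == "__main__":
    for check, value in audit(SAMPLE_SERVICE_POLICY, SAMPLE_THREAT_DETECTION,
                              SAMPLE_SHOW_LOGGING, SAMPLE_PIM).items():
        print(f"{check}: {value}")
```

Run against the constructed captures it reports dns and netbios as inspected, the shun option present, message 305006 loggable (buffer logging at informational, severity 6, covers severity 3), and PIM on for the outside interface only; a capture logging at critical or below, or with PIM off on every interface, clears the corresponding finding.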
Determine the Running Software Version
+-------------------------------------
To determine whether a vulnerable version of Cisco ASA Software is
running on an appliance, administrators can issue the show version
command. Cisco PIX has reached end of maintenance
support. Cisco PIX customers are encouraged to migrate to Cisco ASA.
Details
=======
The following section gives additional detail about each vulnerability.
Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
+--------------------------------------------------------------
Inspection engines are required for services that embed IP addressing
information in the user data packet or that open secondary channels on
dynamically assigned ports. Cisco ASA Software supports a number of
inspection engines for UDP and TCP-based protocols.
The Cisco ASA UDP inspection engine that is used to inspect UDP-based
protocols contains a vulnerability that could allow a remote
unauthenticated attacker to trigger a reload of the Cisco ASA. The
vulnerability is due to improper flow handling by the inspection
engine. An attacker could exploit this vulnerability by sending a
specially crafted sequence through the affected system.
All UDP protocols that are inspected by the inspection engine may be
vulnerable to this vulnerability. The following protocols are known to
use UDP inspection engine:
* Domain Name System (DNS)
* Session Initiation Protocol (SIP)
* Simple Network Management Protocol (SNMP)
* GPRS Tunneling Protocol (GTP)
* H.323, H.225 RAS
* Media Gateway Control Protocol (MGCP)
* SunRPC
* Trivial File Transfer Protocol (TFTP)
* X Display Manager Control Protocol (XDMCP)
* IBM NetBios
* Instant Messaging (depending on the particular IM client/solution
being used)
Inspection engines may be enabled by default on Cisco ASA Software.
Please consult your user guide for more information. The default
inspected ports are listed at the following link:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_overview.html#wp1536127
Note: Only transit traffic can be used to exploit this vulnerability.
This vulnerability affects both routed and transparent firewall mode
in both single and multi-context mode. This vulnerability can be
triggered by IPv4 and IPv6 traffic. Only UDP traffic can trigger this
vulnerability.
Cisco ASA Threat Detection Denial of Service Vulnerability
+---------------------------------------------------------
The Cisco ASA Threat Detection feature consists of different levels of
statistics gathered for various threats, as well as scanning threat
detection, which determines when a host is performing a scan.
Optionally, you can shun any hosts that are determined to be a
scanning threat.
The Cisco ASA Threat Detection feature, when configured with the Cisco
ASA Scanning Threat Mode feature and with the shun option enabled,
contains a vulnerability that could allow a remote, unauthenticated
attacker to trigger a reload of the Cisco ASA. The vulnerability is
due to improper handling of the internal flaw that is triggered by the
shun event. An attacker may exploit this vulnerability by sending IP
packets through the affected system in a way that triggers the shun
option of Threat Detection scanning feature.
Note: Only transit traffic can be used to exploit this vulnerability.
This vulnerability affects both routed and transparent firewall mode
only in single context mode. This vulnerability can be triggered by
IPv4 and IPv6 traffic. Syslog messages are assigned different
severities (including debugging, informational, error and critical,
for example) and can be sent to different logging destinations.
A denial of service vulnerability is in the implementation of one
specific syslog message (message ID 305006), that can cause a reload
of the Cisco ASA if this syslog message needs to be generated. An
attacker could exploit this vulnerability by sending a sequence of
packets that could trigger the generation of the syslog message.
Syslog message ID 305006 is generated when the Cisco ASA is unable to
create a network address translation for a new connection. Additional
information about this syslog message can be found in the Cisco ASA
System Log Messages guide:
http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html
Note: Only transit traffic can be used to exploit this vulnerability.
This vulnerability affects both routed and transparent firewall mode
in both single and multi-context mode. This vulnerability can be
triggered by IPv4 and IPv6 traffic.
Protocol-Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------
Multicast routing is a bandwidth-conserving technology that reduces
traffic by simultaneously delivering a single stream of information to
multiple recipients.
Protocol-independent multicast (PIM) is a multicast routing protocol
that is IP routing protocol-independent. PIM can leverage whatever
unicast routing protocols are used to populate the unicast routing
table, including EIGRP, OSPF, BGP, or static routes. PIM uses this
unicast routing information to perform the multicast forwarding
function, and is IP protocol-independent. Although PIM is called a
multicast routing protocol, it actually uses the unicast routing table
to perform the reverse path forwarding (RPF) check function instead of
building a completely independent multicast routing table. PIM does
not send or receive multicast routing updates between routers as do
other routing protocols.
A vulnerability exists in the way PIM is implemented that may cause
affected devices to reload during the processing of a PIM message when
multicast routing is enabled. The vulnerability is due to improper
handling of a PIM message. An attacker could exploit this
vulnerability by sending a crafted PIM message to the affected system.
Note: This vulnerability affects Cisco ASA configured only in routed
firewall mode and only in single context mode. This vulnerability can
be triggered only by IPv4 PIM message as PIM over IPv6 is currently
not supported.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority of
a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the environmental
impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtq10441 - UDP inspection engines denial of service vulnerability
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtw35765 - Threat Detection Denial Of Service Vulnerability
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCts39634 - Syslog Message 305006 Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtr47517 - Protocol-Independent Multicast Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of any of the vulnerabilities described in
this security advisory may allow a remote, unauthenticated attacker to
reload the affected system.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt
Customers should review subsequent advisories to determine exposure
and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
+--------------------------------------------------------------
+-------------------------------------------------------------------+
| | Major | First |
| Vulnerability | Release | Fixed |
| | | Release |
|--------------------------------------------+---------+------------|
| | 7.0 | Not |
| | | Affected |
| |---------+------------|
| | 7.1 | Not |
| | | Affected |
| |---------+------------|
| | 7.2 | Not |
| | | Affected |
| |---------+------------|
| | 8.0 | 8.0(5.25) |
|Cisco ASA UDP Inspection Engine Denial of |---------+------------|
| Service Vulnerability - CSCtq10441 | 8.1 | 8.1(2.50) |
| |---------+------------|
| | 8.2 | 8.2(5.5) |
| |---------+------------|
| | 8.3 | 8.3(2.22) |
| |---------+------------|
| | 8.4 | 8.4(2.1) |
| |---------+------------|
| | 8.5 | 8.5(1.2) |
| |---------+------------|
| | 8.6 | Not |
| | | Affected |
+-------------------------------------------------------------------+
Cisco ASA Threat Detection Denial of Service Vulnerability
+---------------------------------------------------------
+-------------------------------------------------------------------+
| Vulnerability | Major | First Fixed |
| | Release | Release |
|------------------------------------------+----------+-------------|
| | 7.0 | Not |
| | | Affected |
| |----------+-------------|
| | 7.1 | Not |
| | | Affected |
| |----------+-------------|
| | 7.2 | Not |
| | | Affected |
| |----------+-------------|
| | 8.0 | Migrate to |
| | | 8.2(5.20) |
|Cisco ASA Threat Detection Denial of |----------+-------------|
| Service Vulnerability - CSCtw35765 | 8.1 | Migrate to |
| | | 8.2(5.20) |
| |----------+-------------|
| | 8.2 | 8.2(5.20) |
| |----------+-------------|
| | 8.3 | 8.3(2.29) |
| |----------+-------------|
| | 8.4 | 8.4(3) |
| |----------+-------------|
| | 8.5 | 8.5(1.6) |
| |----------+-------------|
| | 8.6 | 8.6(1.1) |
+-------------------------------------------------------------------+
Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
+--------------------------------------------------------------
+-------------------------------------------------------------------+
| | Major | First |
| Vulnerability | Release | Fixed |
| | | Release |
|--------------------------------------------+---------+------------|
| | 7.0 | Not |
| | | Affected |
| |---------+------------|
| | 7.1 | Not |
| | | Affected |
| |---------+------------|
| | 7.2 | Not |
| | | Affected |
| |---------+------------|
| | 8.0 | Not |
| | | Affected |
| |---------+------------|
| Cisco ASA Syslog Message 305006 Denial of | 8.1 | Not |
| Service Vulnerability - CSCts39634 | | Affected |
| |---------+------------|
| | 8.2 | Not |
| | | Affected |
| |---------+------------|
| | 8.3 | Not |
| | | Affected |
| |---------+------------|
| | 8.4* | 8.4(2.11) |
| |---------+------------|
| | 8.5 | 8.5(1.4) |
| |---------+------------|
| | 8.6 | Not |
| | | Affected |
+-------------------------------------------------------------------+
*This vulnerability has been introduced after the implementation of a
new Cisco ASA feature called Identity Firewall (IDFW).
Protocol-Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------
+-------------------------------------------------------------------+
| Vulnerability | Major | First Fixed |
| | Release | Release |
|-------------------------------------------+---------+-------------|
| | 7.0 | Migrate to |
| | | 7.2(5.7) |
| |---------+-------------|
| | 7.1 | Migrate to |
| | | 7.2(5.7) |
| |---------+-------------|
| | 7.2 | 7.2(5.7) |
| |---------+-------------|
| | 8.0 | 8.0(5.27) |
| |---------+-------------|
| Protocol-Independent Multicast Denial of | 8.1 | 8.1(2.53) |
|Service Vulnerability - CSCtr47517 |---------+-------------|
| | 8.2 | 8.2(5.8) |
| |---------+-------------|
| | 8.3 | 8.3(2.25) |
| |---------+-------------|
| | 8.4 | 8.4(2.5) |
| |---------+-------------|
| | 8.5 | 8.5(1.2) |
| |---------+-------------|
| | 8.6 | Not |
| | | Affected |
+-------------------------------------------------------------------+
Recommended Releases
+-------------------
The following table lists all recommended releases. These recommended
releases contain the fixes for all vulnerabilities in this advisory.
Cisco recommends upgrading to a release that is equal to or later than
these recommended releases. Please note that some of these versions
are interim versions and they can be found by expanding the Interim
tab on the download page.
Workarounds
===========
The following section will detail the workaround if available for each
vulnerability detailed in this security advisory.
Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
+--------------------------------------------------------------
There are no workarounds that mitigate this vulnerability.
Cisco ASA Threat Detection Denial of Service Vulnerability
+---------------------------------------------------------
If the shun option needs to be enabled, there are no workarounds that
mitigate this vulnerability. However, if this option is not required,
you can work around this vulnerability by disabling this option.
This can be done by issuing the no threat-detection scanning-threat
shun command. The threat-detection scanning-threat command can be used
afterwards to configure the feature without the shun option.
To verify that the shun option has been correctly removed, issue the
show running-config threat-detection scanning-threat command and
confirm that the returned output does not show the shun option. The
following example shows a Cisco ASA configured with the
threat-detection scanning-threat feature without the shun option
enabled:
ciscoasa# show running-config threat-detection scanning-threat
threat-detection scanning-threat
Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
+--------------------------------------------------------------
A possible workaround is to prevent the Cisco ASA from generating the
particular syslog message. This can be done by issuing the no logging
message 305006 command.
To verify that the message is not being generated, issue the show
running-config logging command. The following example shows the
output of the command when the logging of message 305006 is disabled:
ciscoasa# show run logging
[...]
no logging message 305006
[...]
Protocol-Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------
If PIM is required to be enabled, then there are no workarounds that
mitigate this vulnerability. However,
if multicast routing is required but PIM is not used, PIM can be
disabled on the Cisco ASA interfaces by issuing the no pim
interface-level command.
The following example shows the interface Ethernet0/0 on a Cisco ASA
device with PIM disabled:
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
no pim
To verify that PIM is disabled on all interfaces, issue the show pim
interface command and make sure that for all interfaces the PIM state
is set to off. The following example shows a Cisco ASA with PIM
disabled on all interfaces:
ciscoasa# show pim interface
Address        Interface          PIM  Nbr   Hello  DR    DR
                                       Count Intvl  Prior
192.168.1.1    outside            off  0     30     1     this system
192.168.2.1    inside             off  0     30     1     this system
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerabilities described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance providers
or check the software for feature set compatibility and known issues
that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as set forth at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at
http://www.cisco.com.
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their service
providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco Technical
Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
For additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages, refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not aware
of any public announcements or malicious use of the vulnerabilities
that are described in this advisory.
All the vulnerabilities described in this security advisory were found
during internal testing or discovered during the resolution of
customer support cases.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa
Additionally, a text version of this advisory is clear signed with the
Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2012-March-14 | Initial Public Release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available on
Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding
Cisco Security Advisories. All Cisco Security Advisories are available
at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
| VAR-201203-0056 | CVE-2012-0353 |
Multiple Cisco products service disruption (device reload) vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-201203-0645 |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The UDP inspection engine on Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ASA Services Module (ASASM) in Cisco Catalyst 6500 series devices, with software 8.0 before 8.0(5.25), 8.1 before 8.1(2.50), 8.2 before 8.2(5.5), 8.3 before 8.3(2.22), 8.4 before 8.4(2.1), and 8.5 before 8.5(1.2) does not properly handle flows, which allows remote attackers to cause a denial of service (device reload) via a crafted series of (1) IPv4 or (2) IPv6 UDP packets, aka Bug ID CSCtq10441. Cisco ASA UDP Inspection Engine is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCtq10441.
----------------------------------------------------------------------
TITLE:
Cisco Adaptive Security Appliances Multiple Denial of Service
Vulnerabilities
SECUNIA ADVISORY ID:
SA48423
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48423/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48423
RELEASE DATE:
2012-03-15
DESCRIPTION:
Multiple vulnerabilities have been reported in Cisco Adaptive
Security Appliances (ASA), which can be exploited by malicious people
to cause a DoS (Denial of Service).
1) An error exists in the UDP inspection engine due to improper flow
handling and can be exploited to reload a device by sending a
specially crafted sequence of UDP packets that transit the
appliance.
SOLUTION:
Update to a fixed version (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa
Cisco has released free software updates that address these
vulnerabilities. Workarounds are available to mitigate some of the
vulnerabilities. Affected versions of Cisco ASA Software will vary
depending on the specific vulnerability. Consult the "Software
Versions and Fixes" section of this security advisory for more
information about the affected version.
Cisco PIX Security Appliances may be affected by some of the
vulnerabilities described in this security advisory. Cisco PIX has
reached end of maintenance support.
Vulnerable Products
+------------------
For specific version information, refer to the "Software Versions and
Fixes" section of this advisory. The following protocols are known
to use the Cisco ASA UDP inspection engine:
* Domain Name System (DNS)
* Session Initiation Protocol (SIP)
* Simple Network Management Protocol (SNMP)
* GPRS Tunneling Protocol (GTP)
* H.323, H.225 RAS
* Media Gateway Control Protocol (MGCP)
* SunRPC
* Trivial File Transfer Protocol (TFTP)
* X Display Manager Control Protocol (XDMCP)
* IBM NetBios
* Instant Messaging (depending on the particular IM client/solution
being used)
Note: UDP inspection engines may be enabled by default on Cisco ASA
Software. Please consult your user guide for more information.
The default inspected ports are listed at the following link:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_overview.html
Note: The Cisco ASA UDP inspection can be applied to non-default UDP
ports via class-map and policy-map commands.
To determine whether any of the above inspections are enabled, issue
the show service-policy | include <inspection engine name> command and
confirm that the command returns output. The following example shows a
Cisco ASA configured to inspect IBM NetBIOS traffic:
ciscoasa# show service-policy | include netbios
Inspect: netbios, packet 0, drop 0, reset-drop 0
Cisco ASA Threat Detection Denial of Service Vulnerability
+---------------------------------------------------------
The Cisco ASA Threat Detection feature, when configured with the
Scanning Threat Mode feature and with shun option enabled, contains a
vulnerability that could allow a remote unauthenticated attacker to
trigger a reload of the Cisco ASA. This feature is not enabled by
default.
To determine whether the Cisco ASA Threat Detection with Scanning
Threat feature and shun option is enabled, issue the show
running-config threat-detection scanning-threat command and confirm
that the returned output includes the shun option.
Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
+--------------------------------------------------------------
A denial of service (DoS) vulnerability exists in the implementation
of one specific system log (syslog) message (message ID 305006), that
could cause a reload of the Cisco ASA if this syslog message needs to
be generated.
Syslog message ID 305006 is generated when the Cisco ASA is unable to
create a network address translation for a new connection. Additional
information regarding this syslog message can be found in the Cisco
ASA System Log Messages guide at:
http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html
Logging is not enabled by default on Cisco ASA; however, when logging
is enabled, Cisco ASA will automatically enable syslog message 305006.
Cisco ASA Software may be affected by this vulnerability if the
following conditions are satisfied:
* System logging is enabled and syslogs are configured to be sent
to any syslog destination (including Buffer or ASDM for example)
* Cisco ASA Software is configured in any way to generate syslog
message 305006
Syslog message 305006 has a default severity level of 3 (errors).
Cisco ASA Software configured for logging at Level 3 or higher (that
is, Levels 3 through 7) may be vulnerable. To verify if logging is
enabled, issue the show logging command. The following example shows a
Cisco ASA with logging enabled and buffer logging enabled at Level 6
(informational):
ciscoasa# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level informational, 2 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
Using a custom message list (created via the logging list command)
that includes syslog message 305006, either by severity or by
explicitly including the message ID, is also a vulnerable
configuration.
The default severity level of syslog messages can be changed. If the
default severity level of syslog message 305006 is changed and the
device is configured to log to any destination at the new severity
level, the device is vulnerable.
Note: This vulnerability was introduced after the implementation of
the new Cisco ASA Identity Firewall (IDFW) feature.
Protocol-Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------
Cisco ASA Software is affected by a vulnerability that may cause
affected devices to reload during the processing of a
Protocol-Independent Multicast (PIM) message when multicast routing is
enabled. This feature is not enabled by default.
To verify whether PIM is enabled on an interface, use the show pim
interface command and check whether the state on appears under the PIM
column. The following example shows PIM enabled on the interface
outside but disabled on the interface inside:
ciscoasa# show pim interface
Address        Interface          PIM  Nbr   Hello  DR    DR
                                       Count Intvl  Prior
192.168.1.1    outside            on   0     30     1     this system
192.168.2.1    inside             off  0     30     1     this system
Note: Cisco ASA is vulnerable if at least one interface state is
marked with on under the PIM column of the show pim interface command
output.
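The per-vulnerability configuration checks above (the shun option of threat-detection scanning-threat, the syslog 305006 logging conditions, and the PIM state in show pim interface) and the matching verification steps in the Workarounds section can be run mechanically against captured CLI text. The following is an added example, not Cisco's code: the function names, the audit_asa wrapper and the sample captures are constructed for illustration, and it assumes the Cisco-documented forms of the logging commands (logging list NAME level|message ..., logging <destination> <level|list-name>, logging message ID level N).

```python
"""Exposure checks for the three configuration-dependent ASA issues above.
Added example, not Cisco's code: it reads text captured from the ASA CLI
(running-config, 'show pim interface', 'show logging') and reports whether
each condition named in the advisory is present. Samples are constructed."""
import re

# ASA syslog severity names; list index == numeric level (0 = emergencies .. 7 = debugging)
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]
MSG_ID = 305006
DEFAULT_SEVERITY = 3          # message 305006 defaults to level 3 (errors)
DESTINATIONS = "buffered|trap|console|monitor|asdm|mail|history"


def _level(token):
    """Numeric or named severity token -> integer level, None if not a severity."""
    if token.isdigit() and 0 <= int(token) <= 7:
        return int(token)
    return SEVERITY_NAMES.index(token) if token in SEVERITY_NAMES else None


def threat_detection_shun_enabled(running_config):
    """CSCtw35765: scanning-threat configured with the shun option."""
    return any(re.match(r"^\s*threat-detection scanning-threat shun\b", ln)
               for ln in running_config.splitlines())


def pim_enabled_interfaces(show_pim_interface):
    """CSCtr47517: names of interfaces whose PIM column reads 'on'."""
    enabled = []
    for ln in show_pim_interface.splitlines():
        parts = ln.split()
        # data rows are: <address> <nameif> <pim state> <nbr count> ...
        if len(parts) >= 3 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", parts[0]):
            if parts[2].lower() == "on":
                enabled.append(parts[1])
    return enabled


def syslog_305006_exposed(running_config, show_logging):
    """CSCts39634: logging is enabled, message 305006 is not disabled, and at
    least one destination logs at a level (or via a custom list) that captures
    the message at its default or reconfigured severity."""
    if not re.search(r"^Syslog logging:\s+enabled", show_logging, re.M):
        return False
    lines = [ln.strip() for ln in running_config.splitlines()]
    severity = DEFAULT_SEVERITY
    for ln in lines:
        if ln == f"no logging message {MSG_ID}":
            return False                       # the advisory's workaround
        m = re.match(rf"logging message {MSG_ID} level (\S+)", ln)
        if m and _level(m.group(1)) is not None:
            severity = _level(m.group(1))      # default severity was changed
    # custom lists ('logging list NAME ...') that would capture the message
    capturing_lists = set()
    for ln in lines:
        m = re.match(r"logging list (\S+) level (\S+)", ln)
        if m and _level(m.group(2)) is not None and _level(m.group(2)) >= severity:
            capturing_lists.add(m.group(1))
        m = re.match(r"logging list (\S+) message (\d+)(?:-(\d+))?", ln)
        if m:
            low, high = int(m.group(2)), int(m.group(3) or m.group(2))
            if low <= MSG_ID <= high:
                capturing_lists.add(m.group(1))
    # destinations: 'logging <destination> <level | list-name>'
    for ln in lines:
        m = re.match(rf"logging ({DESTINATIONS}) (\S+)", ln)
        if not m:
            continue
        target = m.group(2)
        if target in capturing_lists:
            return True
        if _level(target) is not None and _level(target) >= severity:
            return True
    return False


def audit_asa(running_config, show_pim_interface, show_logging):
    """One finding per bug ID; a false/empty value means the condition is absent."""
    return {
        "CSCtw35765": threat_detection_shun_enabled(running_config),
        "CSCtr47517": pim_enabled_interfaces(show_pim_interface),
        "CSCts39634": syslog_305006_exposed(running_config, show_logging),
    }


# Constructed sample captures (not taken from a real device).
SAMPLE_RUNNING_CONFIG = """\
logging enable
logging buffered informational
logging list natfail message 305000-305012
logging trap natfail
threat-detection scanning-threat shun
threat-detection basic-threat
"""
SAMPLE_SHOW_PIM = """\
Address        Interface          PIM  Nbr   Hello  DR    DR
                                       Count Intvl  Prior
192.168.1.1    outside            on   0     30     1     this system
192.168.2.1    inside             off  0     30     1     this system
"""
SAMPLE_SHOW_LOGGING = ("Syslog logging: enabled\nFacility: 20\n"
                       "Buffer logging: level informational, 2 messages logged\n")
```

Each check mirrors one verification command from the advisory, so a clean result from audit_asa corresponds to the workaround state the text describes (no shun option, no logging message 305006, PIM off on every interface).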
Determine the Running Software Version
+-------------------------------------
To determine whether a vulnerable version of Cisco ASA Software is
running on an appliance, administrators can issue the show version
command. Cisco PIX has reached end of maintenance
support. Cisco PIX customers are encouraged to migrate to Cisco ASA.
All versions of the Cisco PIX Security Appliances Software are
affected by the Protocol-Independent Multicast Denial of Service
Vulnerability.
Details
=======
The following section gives additional detail about each vulnerability. The
vulnerability is due to improper flow handling by the inspection
engine. An attacker could exploit this vulnerability by sending a
specially crafted sequence through the affected system. The following
protocols are known to use the UDP inspection engine:
* Domain Name System (DNS)
* Session Initiation Protocol (SIP)
* Simple Network Management Protocol (SNMP)
* GPRS Tunneling Protocol (GTP)
* H.323, H.225 RAS
* Media Gateway Control Protocol (MGCP)
* SunRPC
* Trivial File Transfer Protocol (TFTP)
* X Display Manager Control Protocol (XDMCP)
* IBM NetBios
* Instant Messaging (depending on the particular IM client/solution
being used)
Inspection engines may be enabled by default on Cisco ASA Software.
Please consult your user guide for more information. The default
inspected ports are listed at the following link:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_overview.html#wp1536127
Note: Only transit traffic can be used to exploit this vulnerability.
This vulnerability affects both routed and transparent firewall mode
in both single and multi-context mode. This vulnerability can be
triggered by IPv4 and IPv6 traffic. Only UDP traffic can trigger this
vulnerability.
Cisco ASA Threat Detection Denial of Service Vulnerability
+---------------------------------------------------------
The Cisco ASA Threat Detection feature consists of different levels of
statistics gathered for various threats, as well as scanning threat
detection, which determines when a host is performing a scan.
Optionally, you can shun any hosts that are determined to be a
scanning threat.
The Cisco ASA Threat Detection feature, when configured with the Cisco
ASA Scanning Threat Mode feature and with the shun option enabled,
contains a vulnerability that could allow a remote, unauthenticated
attacker to trigger a reload of the Cisco ASA. The vulnerability is
due to improper handling of the internal flaw that is triggered by the
shun event. An attacker may exploit this vulnerability by sending IP
packets through the affected system in a way that triggers the shun
option of Threat Detection scanning feature.
Note: Only transit traffic can be used to exploit this vulnerability.
This vulnerability affects both routed and transparent firewall mode
only in single context mode. This vulnerability can be triggered by
IPv4 and IPv6 traffic. Syslog messages are assigned different
severities (including debugging, informational, error and critical,
for example) and can be sent to different logging destinations.
A denial of service vulnerability is in the implementation of one
specific syslog message (message ID 305006), that can cause a reload
of the Cisco ASA if this syslog message needs to be generated. An
attacker could exploit this vulnerability by sending a sequence of
packets that could trigger the generation of the syslog message.
Syslog message ID 305006 is generated when the Cisco ASA is unable to
create a network address translation for a new connection. Additional
information about this syslog message can be found in the Cisco ASA
System Log Messages guide:
http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html
Note: Only transit traffic can be used to exploit this vulnerability.
This vulnerability affects both routed and transparent firewall mode
in both single and multi-context mode. This vulnerability can be
triggered by IPv4 and IPv6 traffic.
Protocol-Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------
Multicast routing is a bandwidth-conserving technology that reduces
traffic by simultaneously delivering a single stream of information to
multiple recipients.
Protocol-independent multicast (PIM) is a multicast routing protocol
that is IP routing protocol-independent. PIM can leverage whatever
unicast routing protocols are used to populate the unicast routing
table, including EIGRP, OSPF, BGP, or static routes. PIM uses this
unicast routing information to perform the multicast forwarding
function, and is IP protocol-independent. Although PIM is called a
multicast routing protocol, it actually uses the unicast routing table
to perform the reverse path forwarding (RPF) check function instead of
building a completely independent multicast routing table. PIM does
not send or receive multicast routing updates between routers as do
other routing protocols.
A vulnerability exists in the way PIM is implemented that may cause
affected devices to reload during the processing of a PIM message when
multicast routing is enabled. The vulnerability is due to improper
handling of a PIM message. An attacker could exploit this
vulnerability by sending a crafted PIM message to the affected system.
Note: This vulnerability affects Cisco ASA configured only in routed
firewall mode and only in single context mode. This vulnerability can
be triggered only by IPv4 PIM message as PIM over IPv6 is currently
not supported.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority of
a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the environmental
impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtq10441 - UDP inspection engines denial of service vulnerability
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtw35765 - Threat Detection Denial Of Service Vulnerability
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCts39634 - Syslog Message 305006 Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtr47517 - Protocol-Independent Multicast Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of any of the vulnerabilities described in
this security advisory may allow a remote, unauthenticated attacker to
reload the affected system.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt
Customers should review subsequent advisories to determine exposure
and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
Protocol-Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------
+-------------------------------------------------------------------+
| Vulnerability | Major | First Fixed |
| | Release | Release |
|-------------------------------------------+---------+-------------|
| | 7.0 | Migrate to |
| | | 7.2(5.7) |
| |---------+-------------|
| | 7.1 | Migrate to |
| | | 7.2(5.7) |
| |---------+-------------|
| | 7.2 | 7.2(5.7) |
| |---------+-------------|
| | 8.0 | 8.0(5.27) |
| |---------+-------------|
| Protocol-Independent Multicast Denial of | 8.1 | 8.1(2.53) |
|Service Vulnerability - CSCtr47517 |---------+-------------|
| | 8.2 | 8.2(5.8) |
| |---------+-------------|
| | 8.3 | 8.3(2.25) |
| |---------+-------------|
| | 8.4 | 8.4(2.5) |
| |---------+-------------|
| | 8.5 | 8.5(1.2) |
| |---------+-------------|
| | 8.6 | Not |
| | | Affected |
+-------------------------------------------------------------------+
Recommended Releases
+-------------------
The following table lists all recommended releases. These recommended
releases contain the fixes for all vulnerabilities in this advisory.
Cisco recommends upgrading to a release that is equal to or later than
these recommended releases. Please note that some of these versions
are interim versions and they can be found by expanding the Interim
tab on the download page.
Workarounds
===========
The following section will detail the workaround if available for each
vulnerability detailed in this security advisory.
Cisco ASA Threat Detection Denial of Service Vulnerability
+---------------------------------------------------------
If the shun option needs to be enabled, there are no workarounds that
mitigate this vulnerability. However, if this option is not required,
you can work around this vulnerability by disabling this option.
This can be done by issuing the no threat-detection scanning-threat
shun command. The threat-detection scanning-threat command can be used
afterwards to configure the feature without the shun option.
To verify that the shun option has been correctly removed, issue the
show running-config threat-detection scanning-threat command and
confirm that the returned output does not show the shun option. The
following example shows a Cisco ASA configured with the
threat-detection scanning-threat feature without the shun option
enabled:
ciscoasa# show running-config threat-detection scanning-threat
threat-detection scanning-threat
Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
+--------------------------------------------------------------
A possible workaround is to prevent the Cisco ASA from generating the
particular syslog message. This can be done by issuing the no logging
message 305006 command.
To verify that the message is not being generated, issue the show
running-config logging command. The following example shows the
output of the command when the logging of message 305006 is disabled:
ciscoasa# show run logging
[...]
no logging message 305006
[...]
Protocol-Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------
If PIM is required to be enabled, then there are no workarounds that
mitigate this vulnerability. However,
if multicast routing is required but PIM is not used, PIM can be
disabled on the Cisco ASA interfaces by issuing the no pim
interface-level command.
The following example shows the interface Ethernet0/0 on a Cisco ASA
device with PIM disabled:
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
 no pim
To verify that PIM is disabled on all interfaces, issue the show pim
interface command and make sure that for all interfaces the PIM state
is set to off.
ciscoasa# show pim interface
Address          Interface          PIM  Nbr   Hello  DR    DR
                                         Count Intvl  Prior
192.168.1.1      outside            off  0     30     1     this system
192.168.2.1      inside             off  0     30     1     this system
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerabilities described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance providers
or check the software for feature set compatibility and known issues
that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as set forth at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at
http://www.cisco.com.
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their service
providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco Technical
Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
For additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not aware
of any public announcements or malicious use of the vulnerabilities
that are described in this advisory.
All the vulnerabilities described in this security advisory were found
during internal testing or discovered during the resolution of
customer support cases.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa
Additionally, a text version of this advisory is clear signed with the
Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2012-March-14 | Initial Public Release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available on
Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding
Cisco Security Advisories. All Cisco Security Advisories are available
at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iF4EAREIAAYFAk9gqDoACgkQQXnnBKKRMNARMQD/WQOf+nO2va97P54EDmGQpuXf
0Rm/exibVufqYdrI0/QA/jac0kP0z5zoPO2A9wZNoRjw7rY542auiuxbovqiYKGm
=HXUs
-----END PGP SIGNATURE-----
| VAR-201203-0065 | CVE-2012-0354 |
Multiple Cisco products denial of service (device reload) vulnerability
Related entries in the VARIoT exploits database: VAR-E-201203-0752 |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The Threat Detection feature on Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ASA Services Module (ASASM) in Cisco Catalyst 6500 series devices, with software 8.0 through 8.2 before 8.2(5.20), 8.3 before 8.3(2.29), 8.4 before 8.4(3), 8.5 before 8.5(1.6), and 8.6 before 8.6(1.1) allows remote attackers to cause a denial of service (device reload) via (1) IPv4 or (2) IPv6 packets that trigger a shun event, aka Bug ID CSCtw35765. Cisco ASA is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCtw35765.
----------------------------------------------------------------------
TITLE:
Cisco Adaptive Security Appliances Multiple Denial of Service
Vulnerabilities
SECUNIA ADVISORY ID:
SA48423
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48423/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48423
RELEASE DATE:
2012-03-15
DESCRIPTION:
Multiple vulnerabilities have been reported in Cisco Adaptive
Security Appliances (ASA), which can be exploited by malicious people
to cause a DoS (Denial of Service).
1) An error exists in the UDP inspection engine due to improper flow
handling and can be exploited to reload a device by sending a
specially crafted sequence of UDP packets that transit the
appliance.
SOLUTION:
Update to a fixed version (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa
Cisco has released free software updates that address these
vulnerabilities. Workarounds are available to mitigate some of the
vulnerabilities. Affected versions of Cisco ASA Software will vary
depending on the specific vulnerability. Consult the "Software
Versions and Fixes" section of this security advisory for more
information about the affected version.
Cisco PIX Security Appliances may be affected by some of the
vulnerabilities described in this security advisory. Cisco PIX has
reached end of maintenance support.
Vulnerable Products
+------------------
For specific version information, refer to the "Software Versions and
Fixes" section of this advisory.
All UDP protocols that are being inspected by the Cisco ASA UDP
inspection engine may be vulnerable. The following protocols are known
to use the Cisco ASA UDP inspection engine:
* Domain Name System (DNS)
* Session Initiation Protocol (SIP)
* Simple Network Management Protocol (SNMP)
* GPRS Tunneling Protocol (GTP)
* H.323, H.225 RAS
* Media Gateway Control Protocol (MGCP)
* SunRPC
* Trivial File Transfer Protocol (TFTP)
* X Display Manager Control Protocol (XDMCP)
* IBM NetBios
* Instant Messaging (depending on the particular IM client/solution
being used)
Note: UDP inspection engines may be enabled by default on Cisco ASA
Software. Please consult your user guide for more information.
The default inspected ports are listed at the following link:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_overview.html
Note: The Cisco ASA UDP inspection can be applied to non-default UDP
ports via class-map and policy-map commands. Any instance of use of
the Cisco ASA UDP inspection engines may be vulnerable to this
vulnerability, thus, configurations that include non-default UDP ports
but use the Cisco ASA UDP inspection engine are considered vulnerable.
To determine whether any of the above inspections are enabled, issue
the show service-policy | include <inspection engine name> command and
confirm that the command returns output.
Cisco ASA Threat Detection Denial of Service Vulnerability
+---------------------------------------------------------
The Threat Detection scanning-threat feature with the shun option is
not enabled by default.
To determine whether the Cisco ASA Threat Detection with Scanning
Threat feature and shun option is enabled, issue the show
running-config threat-detection scanning-threat command and confirm
that the returned output includes the shun option.
Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
+--------------------------------------------------------------
A denial of service (DoS) vulnerability exists in the implementation
of one specific system log (syslog) message (message ID 305006), that
could cause a reload of the Cisco ASA if this syslog message needs to
be generated.
Syslog message ID 305006 is generated when the Cisco ASA is unable to
create a network address translation for a new connection. Additional
information regarding this syslog message can be found in the Cisco
ASA System Log Messages guide at:
http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html
Logging is not enabled by default on Cisco ASA, however, when logging
is enabled, Cisco ASA will automatically enable syslog message 305006.
Cisco ASA Software may be affected by this vulnerability if the
following conditions are satisfied:
* System logging is enabled and syslogs are configured to be sent
to any syslog destination (including Buffer or ASDM for example)
* Cisco ASA Software is configured in any way to generate syslog
message 305006
Syslog message 305006 has a default severity level of 3 (errors).
Cisco ASA Software configured for logging at Level 3 or higher (that
is Levels 3 through 7) may be vulnerable. To verify if logging is
enabled, issue the show logging command. The following example shows a
Cisco ASA with logging enabled and buffer logging enabled at Level 6
(informational):
ciscoasa# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level informational, 2 messages logged
    Trap logging: disabled
    Permit-hostdown logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled
Using a custom message list (created via the logging list command)
that includes syslog message 305006, either by severity or by
explicitly including the message ID, is also a vulnerable
configuration.
The default severity level of syslog messages can be changed. If the
default severity level of syslog message 305006 is changed and the
device is configured to log to any destination at the new severity
level, the device is vulnerable.
Note: This vulnerability was introduced after the implementation of
the new Cisco ASA Identity Firewall (IDFW) feature.
Protocol-Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------
Cisco ASA Software is affected by a vulnerability that may cause
affected devices to reload during the processing of a
Protocol-Independent Multicast (PIM) message when multicast routing is
enabled. This feature is not enabled by default.
To verify if PIM is enabled on an interface, use the show pim interface
command and verify whether the state "on" appears under the PIM column.
The following example shows PIM enabled on the interface outside but
disabled on the interface inside:
ciscoasa# show pim interface
Address          Interface          PIM  Nbr   Hello  DR    DR
                                         Count Intvl  Prior
192.168.1.1      outside            on   0     30     1     this system
192.168.2.1      inside             off  0     30     1     this system
Note: Cisco ASA is vulnerable if at least one interface state is
marked with on under the PIM column of the show pim interface command
output.
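The exposure checks in this section (the threat-detection scanning-threat line, the show logging output, the show pim interface table and the list of UDP inspection engines) are the same checks the Workarounds section uses to verify that a mitigation took effect. The following script is an added example, not Cisco code and not part of the advisory: it runs those checks offline against captured CLI text. The sample captures embedded in it are constructed, the parsing follows the output formats shown in this advisory, and custom logging lists are only flagged for manual review rather than evaluated.

```python
"""Offline audit of captured Cisco ASA CLI output for the exposure conditions
in cisco-sa-20120314-asa.  Added example, not Cisco code; sample captures are
constructed, not from a real device."""
import re

# ASA syslog severity names -> level (0 = emergencies ... 7 = debugging)
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
MSG_305006_DEFAULT_LEVEL = 3  # errors, per the advisory
# inspect keywords for the protocols the advisory lists as using the UDP
# inspection engine ("inspect h323 ras" -> "h323")
UDP_INSPECTIONS = {"dns", "sip", "snmp", "gtp", "h323", "mgcp", "sunrpc",
                   "tftp", "xdmcp", "netbios", "im"}


def threat_detection_shun_enabled(running_config: str) -> bool:
    """True when 'threat-detection scanning-threat' carries the shun option."""
    for line in running_config.splitlines():
        tokens = line.split()
        if tokens[:2] == ["threat-detection", "scanning-threat"] and "shun" in tokens:
            return True
    return False


def enabled_udp_inspections(running_config: str) -> set:
    """UDP inspection engines enabled by any 'inspect <name>' line."""
    found = set()
    for line in running_config.splitlines():
        m = re.match(r"\s*inspect\s+(\S+)", line)
        if m and m.group(1).lower() in UDP_INSPECTIONS:
            found.add(m.group(1).lower())
    return found


def syslog_305006_exposed(running_config: str, show_logging: str) -> bool:
    """True when 305006 can reach a destination: logging enabled, message not
    suppressed by 'no logging message 305006', and some destination logging
    at or above the message severity (default 3, or the level set with
    'logging message 305006 level <sev>')."""
    if not re.search(r"^\s*Syslog logging:\s+enabled", show_logging, re.M):
        return False
    if re.search(r"^no logging message 305006\b", running_config, re.M):
        return False
    level = MSG_305006_DEFAULT_LEVEL
    m = re.search(r"^logging message 305006 level (\S+)", running_config, re.M)
    if m:
        sev = m.group(1)
        level = int(sev) if sev.isdigit() else SEVERITY.get(sev, level)
    # a destination at level L records every message whose severity <= L
    for m in re.finditer(r"^\s*(\w+) logging:\s+level (\w+)", show_logging, re.M):
        dest_level = SEVERITY.get(m.group(2))
        if dest_level is not None and dest_level >= level:
            return True
    return False


def pim_enabled_interfaces(show_pim_interface: str) -> list:
    """Interfaces whose PIM column reads 'on' in 'show pim interface' output."""
    enabled = []
    for line in show_pim_interface.splitlines():
        parts = line.split()  # data rows: <address> <nameif> <on|off> <nbr> ...
        if len(parts) >= 3 and re.match(r"\d+\.\d+\.\d+\.\d+$", parts[0]):
            if parts[2].lower() == "on":
                enabled.append(parts[1])
    return enabled


def audit(running_config: str, show_logging: str, show_pim_interface: str) -> dict:
    """Summarise the four exposure conditions for one device.  Custom message
    lists are only flagged: 'logging list' can include 305006 by ID or severity."""
    return {
        "udp_inspection": sorted(enabled_udp_inspections(running_config)),
        "threat_detection_shun": threat_detection_shun_enabled(running_config),
        "syslog_305006": syslog_305006_exposed(running_config, show_logging),
        "logging_lists_to_review": bool(re.search(r"^logging list ", running_config, re.M)),
        "pim_interfaces": pim_enabled_interfaces(show_pim_interface),
    }


SAMPLE_RUNNING_CONFIG = """\
logging enable
logging buffered informational
threat-detection scanning-threat shun
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 ras
  inspect tftp
"""
SAMPLE_SHOW_LOGGING = """\
Syslog logging: enabled
    Buffer logging: level informational, 2 messages logged
    Trap logging: disabled
"""
SAMPLE_SHOW_PIM_INTERFACE = """\
Address          Interface          PIM  Nbr   Hello  DR    DR
                                         Count Intvl  Prior
192.168.1.1      outside            on   0     30     1     this system
192.168.2.1      inside             off  0     30     1     this system
"""
```

Calling audit() on the three sample captures reports dns, h323 and tftp as enabled UDP inspections (ftp is TCP and ignored), the shun option present, message 305006 reachable through the buffer destination, and PIM on the outside interface; each of those is one of the conditions the advisory says makes the device vulnerable.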
Determine the Running Software Version
+-------------------------------------
To determine whether a vulnerable version of Cisco ASA Software is
running on an appliance, administrators can issue the show version
command. Cisco PIX has reached end of maintenance
support. Cisco PIX customers are encouraged to migrate to Cisco ASA.
Details
=======
The following section gives additional detail about each vulnerability.
Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
+--------------------------------------------------------------
Inspection engines are required for services that embed IP addressing
information in the user data packet or that open secondary channels on
dynamically assigned ports. Cisco ASA Software supports a number of
inspection engines for UDP and TCP-based protocols. The
vulnerability is due to improper flow handling by the inspection
engine. An attacker could exploit this vulnerability by sending a
specially crafted sequence through the affected system.
All UDP protocols that are inspected by the inspection engine may be
vulnerable to this vulnerability. The following protocols are known to
use UDP inspection engine:
* Domain Name System (DNS)
* Session Initiation Protocol (SIP)
* Simple Network Management Protocol (SNMP)
* GPRS Tunneling Protocol (GTP)
* H.323, H.225 RAS
* Media Gateway Control Protocol (MGCP)
* SunRPC
* Trivial File Transfer Protocol (TFTP)
* X Display Manager Control Protocol (XDMCP)
* IBM NetBios
* Instant Messaging (depending on the particular IM client/solution
being used)
Inspection engines may be enabled by default on Cisco ASA Software.
Please consult your user guide for more information. The default
inspected ports are listed at the following link:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_overview.html#wp1536127
Note: Only transit traffic can be used to exploit this vulnerability.
This vulnerability affects both routed and transparent firewall mode
in both single and multi-context mode. This vulnerability can be
triggered by IPv4 and IPv6 traffic. Only UDP traffic can trigger this
vulnerability.
Cisco ASA Threat Detection Denial of Service Vulnerability
+---------------------------------------------------------
Optionally, you can shun any hosts that are determined to be a
scanning threat. The vulnerability is due to improper handling of the
internal flow that is triggered by the shun event. An attacker may
exploit this vulnerability by sending IP packets through the affected
system in a way that triggers the shun option of the Threat Detection
scanning feature.
Note: Only transit traffic can be used to exploit this vulnerability.
This vulnerability affects both routed and transparent firewall mode,
but only in single context mode. This vulnerability can be triggered
by IPv4 and IPv6 traffic.
Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
+--------------------------------------------------------------
Syslog messages are assigned different severities (including
debugging, informational, error and critical, for example) and can be
sent to different logging destinations.
A denial of service vulnerability is in the implementation of one
specific syslog message (message ID 305006), that can cause a reload
of the Cisco ASA if this syslog message needs to be generated. An
attacker could exploit this vulnerability by sending a sequence of
packets that could trigger the generation of the syslog message.
Syslog message ID 305006 is generated when the Cisco ASA is unable to
create a network address translation for a new connection. Additional
information about this syslog message can be found in the Cisco ASA
System Log Messages guide:
http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html
Note: Only transit traffic can be used to exploit this vulnerability.
This vulnerability affects both routed and transparent firewall mode
in both single and multi-context mode. This vulnerability can be
triggered by IPv4 and IPv6 traffic.
Protocol-Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------
Multicast routing is a bandwidth-conserving technology that reduces
traffic by simultaneously delivering a single stream of information to
multiple recipients.
Protocol-independent multicast (PIM) is a multicast routing protocol
that is IP routing protocol-independent. PIM can leverage whatever
unicast routing protocols are used to populate the unicast routing
table, including EIGRP, OSPF, BGP, or static routes. PIM uses this
unicast routing information to perform the multicast forwarding
function, and is IP protocol-independent. Although PIM is called a
multicast routing protocol, it actually uses the unicast routing table
to perform the reverse path forwarding (RPF) check function instead of
building a completely independent multicast routing table. PIM does
not send or receive multicast routing updates between routers as do
other routing protocols.
A vulnerability exists in the way PIM is implemented that may cause
affected devices to reload during the processing of a PIM message when
multicast routing is enabled. The vulnerability is due to improper
handling of a PIM message. An attacker could exploit this
vulnerability by sending a crafted PIM message to the affected system.
Note: This vulnerability affects Cisco ASA configured only in routed
firewall mode and only in single context mode. This vulnerability can
be triggered only by IPv4 PIM message as PIM over IPv6 is currently
not supported.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority of
a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the environmental
impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtq10441 - UDP Inspection Engine Denial of Service Vulnerability
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtw35765 - Threat Detection Denial of Service Vulnerability
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCts39634 - Syslog Message 305006 Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtr47517 - Protocol-Independent Multicast Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
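The four scores above follow from the CVSS version 2.0 equations, and the advisory notes that customers can extend them with their own environmental metrics. The following calculator is an added example, not Cisco's CVSS calculator or any part of the advisory; it implements the published CVSS v2 base, temporal and environmental formulas and reproduces the listed base and temporal scores from the metric values printed above. The vector strings in ADVISORY_VECTORS are rebuilt from those printed metrics; the environmental metric values used in the usage note are hypothetical.

```python
"""CVSS v2 base, temporal and environmental equations, as used for the scores
in this advisory.  Added example, not Cisco's calculator; it implements the
published CVSS v2 formulas and reproduces the four scores listed above."""
from decimal import Decimal, ROUND_HALF_UP

AV = {"L": 0.395, "A": 0.646, "N": 1.0}            # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}             # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}            # authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}           # C / I / A impact
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}     # exploitability
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}   # remediation level
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}              # report confidence
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}  # collateral damage
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}              # target distribution
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}                        # CR / IR / AR


def _round1(x: float) -> float:
    # CVSS v2 rounds half up to one decimal; Python's round() is half-to-even
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def _parse(vector: str) -> dict:
    return dict(part.split(":") for part in vector.split("/"))


def _base(v: dict, adjusted: bool = False) -> float:
    """Base equation; with adjusted=True the impact is weighted by the CR/IR/AR
    security requirements and capped at 10 (the environmental 'adjusted base')."""
    cr, ir, ar = (REQ[v["CR"]], REQ[v["IR"]], REQ[v["AR"]]) if adjusted else (1.0, 1.0, 1.0)
    impact = 10.41 * (1 - (1 - CIA[v["C"]] * cr) * (1 - CIA[v["I"]] * ir) * (1 - CIA[v["A"]] * ar))
    if adjusted:
        impact = min(10.0, impact)
    exploitability = 20 * AV[v["AV"]] * AC[v["AC"]] * AU[v["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def base_score(vector: str) -> float:
    return _base(_parse(vector))


def temporal_score(vector: str) -> float:
    """vector carries base and temporal metrics, e.g. AV:N/.../E:F/RL:OF/RC:C"""
    v = _parse(vector)
    return _round1(_base(v) * E[v["E"]] * RL[v["RL"]] * RC[v["RC"]])


def environmental_score(vector: str) -> float:
    """vector additionally carries CDP, TD and the CR/IR/AR requirements"""
    v = _parse(vector)
    adjusted_base = _base(v, adjusted=True)
    adjusted_temporal = _round1(adjusted_base * E[v["E"]] * RL[v["RL"]] * RC[v["RC"]])
    return _round1((adjusted_temporal + (10 - adjusted_temporal) * CDP[v["CDP"]]) * TD[v["TD"]])


# The four bugs in this advisory; vectors rebuilt from the metric values listed above.
ADVISORY_VECTORS = {
    "CSCtq10441": "AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C",
    "CSCtw35765": "AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C",
    "CSCts39634": "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C",
    "CSCtr47517": "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C",
}


def score_advisory() -> dict:
    """bug ID -> (base, temporal) for the vectors above"""
    return {bug: (base_score(vec), temporal_score(vec)) for bug, vec in ADVISORY_VECTORS.items()}
```

score_advisory() yields (7.1, 5.9) for the two Access Complexity Medium bugs and (7.8, 6.4) for the two Access Complexity Low bugs. The environmental formula shows why the advisory invites customers to rescore: appending the hypothetical metrics CDP:N/TD:H/CR:M/IR:M/AR:H to the CSCtq10441 vector raises an availability-only bug to 7.7 because the adjusted impact is capped at 10, while TD:N (no affected targets in the environment) drives the score to 0.0.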
Impact
======
Successful exploitation of any of the vulnerabilities described in
this security advisory may allow a remote, unauthenticated attacker to
reload the affected system.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt
Customers should review subsequent advisories to determine exposure
and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
Protocol-Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------
+-------------------------------------------------------------------+
| Vulnerability | Major | First Fixed |
| | Release | Release |
|-------------------------------------------+---------+-------------|
| | 7.0 | Migrate to |
| | | 7.2(5.7) |
| |---------+-------------|
| | 7.1 | Migrate to |
| | | 7.2(5.7) |
| |---------+-------------|
| | 7.2 | 7.2(5.7) |
| |---------+-------------|
| | 8.0 | 8.0(5.27) |
| |---------+-------------|
| Protocol-Independent Multicast Denial of | 8.1 | 8.1(2.53) |
|Service Vulnerability - CSCtr47517 |---------+-------------|
| | 8.2 | 8.2(5.8) |
| |---------+-------------|
| | 8.3 | 8.3(2.25) |
| |---------+-------------|
| | 8.4 | 8.4(2.5) |
| |---------+-------------|
| | 8.5 | 8.5(1.2) |
| |---------+-------------|
| | 8.6 | Not |
| | | Affected |
+-------------------------------------------------------------------+
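Deciding whether a running release is past the first fixed release means comparing ASA release strings, which carry a major train, a maintenance number and an optional interim number. The following script is an added example, not Cisco tooling and not part of the advisory: it parses the release string out of show version output and checks it against the PIM table reproduced above and against the Threat Detection fixed releases given in the CVE-2012-0354 description earlier on this page (8.2(5.20), 8.3(2.29), 8.4(3), 8.5(1.6), 8.6(1.1); the 8.0 and 8.1 trains are treated as migrating to 8.2(5.20) because the CVE text covers "8.0 through 8.2 before 8.2(5.20)"). Trains that neither source lists are reported as not listed rather than guessed.

```python
"""Compare a Cisco ASA 'show version' string with the first-fixed releases
for cisco-sa-20120314-asa.  Added example, not Cisco tooling.  The PIM table
is the one reproduced above; the Threat Detection fixed releases are those
given in the CVE-2012-0354 description.  Release strings look like 8.2(5.8):
major train 8.2, maintenance release 5, interim build 8."""
import re


def parse_release(text: str) -> tuple:
    """First ASA release string in text -> (major, minor, maintenance, interim).
    A plain maintenance release such as 8.4(3) gets interim 0, so it sorts
    below the interim builds 8.4(3.1), 8.4(3.2), ... that follow it."""
    m = re.search(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)", text)
    if not m:
        raise ValueError(f"no ASA release string in {text!r}")
    return tuple(int(x or 0) for x in m.groups())


# First fixed release per major train: ("fixed", target) means upgrade within
# the train, ("migrate", target) means the train has no fix and the advisory
# points to another train, ("not affected", None) needs no action.
FIRST_FIXED = {
    "CSCtr47517 PIM DoS": {
        "7.0": ("migrate", "7.2(5.7)"), "7.1": ("migrate", "7.2(5.7)"),
        "7.2": ("fixed", "7.2(5.7)"), "8.0": ("fixed", "8.0(5.27)"),
        "8.1": ("fixed", "8.1(2.53)"), "8.2": ("fixed", "8.2(5.8)"),
        "8.3": ("fixed", "8.3(2.25)"), "8.4": ("fixed", "8.4(2.5)"),
        "8.5": ("fixed", "8.5(1.2)"), "8.6": ("not affected", None),
    },
    # CVE text: "8.0 through 8.2 before 8.2(5.20)", so 8.0 and 8.1 migrate
    "CSCtw35765 Threat Detection DoS": {
        "8.0": ("migrate", "8.2(5.20)"), "8.1": ("migrate", "8.2(5.20)"),
        "8.2": ("fixed", "8.2(5.20)"), "8.3": ("fixed", "8.3(2.29)"),
        "8.4": ("fixed", "8.4(3)"), "8.5": ("fixed", "8.5(1.6)"),
        "8.6": ("fixed", "8.6(1.1)"),
    },
}


def assess(show_version: str) -> dict:
    """Map each bug ID to a verdict for the running release."""
    running = parse_release(show_version)
    train = f"{running[0]}.{running[1]}"
    verdicts = {}
    for bug, table in FIRST_FIXED.items():
        if train not in table:
            verdicts[bug] = f"train {train} not listed: check the advisory"
            continue
        status, target = table[train]
        if status == "not affected":
            verdicts[bug] = "not affected"
        elif status == "migrate":
            verdicts[bug] = f"vulnerable: migrate to {target}"
        elif running >= parse_release(target):
            verdicts[bug] = f"fixed (>= {target})"
        else:
            verdicts[bug] = f"vulnerable: upgrade to {target}"
    return verdicts


if __name__ == "__main__":
    # constructed 'show version' first line, not output from a real device
    sample = "Cisco Adaptive Security Appliance Software Version 8.4(2.5)"
    for bug, verdict in assess(sample).items():
        print(f"{bug}: {verdict}")
```

On the constructed sample 8.4(2.5) the PIM bug reports fixed while the Threat Detection bug still reports vulnerable, which is exactly the situation the "Recommended Releases" text warns about: a release that fixes one bug in this advisory need not fix the others, so the comparison has to be made per bug, not per advisory.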
Recommended Releases
+-------------------
The following table lists all recommended releases. These recommended
releases contain the fixes for all vulnerabilities in this advisory.
Cisco recommends upgrading to a release that is equal to or later than
these recommended releases. Please note that some of these versions are
interim versions and they can be found by expanding the Interim tab on
the download page.
Workarounds
===========
The following section will detail the workaround if available for each
vulnerability detailed in this security advisory.
Cisco ASA Threat Detection Denial of Service Vulnerability
+---------------------------------------------------------
If the shun option needs to be enabled, there are no workarounds that
mitigate this vulnerability. However, if this option is not required,
you can work around this vulnerability by disabling this option.
This can be done by issuing the no threat-detection scanning-threat
shun command. The threat-detection scanning-threat command can be used
afterwards to configure the feature without the shun option.
To verify that the shun option has been correctly removed, issue the
show running-config threat-detection scanning-threat command and
confirm that the returned output does not show the shun option. The
following example shows a Cisco ASA configured with the
threat-detection scanning-threat feature without the shun option
enabled:
ciscoasa# show running-config threat-detection scanning-threat
threat-detection scanning-threat
Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
+--------------------------------------------------------------
A possible workaround is to prevent the Cisco ASA from generating the
particular syslog message. This can be done by issuing the no logging
message 305006 command.
To verify that the message is not being generated, issue the show
running-config logging command. The following example shows the
output of the command when the logging of message 305006 is disabled:
ciscoasa# show run logging
[...]
no logging message 305006
[...]
Protocol-Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------
If PIM is required to be enabled, then there are no workarounds that
mitigate this vulnerability. However,
if multicast routing is required but PIM is not used, PIM can be
disabled on the Cisco ASA interfaces by issuing the no pim
interface-level command.
The following example shows the interface Ethernet0/0 on a Cisco ASA
device with PIM disabled:
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
 no pim
To verify that PIM is disabled on all interfaces, issue the show pim
interface command and make sure that for all interfaces the PIM state
is set to off.
ciscoasa# show pim interface
Address          Interface          PIM  Nbr   Hello  DR    DR
                                         Count Intvl  Prior
192.168.1.1      outside            off  0     30     1     this system
192.168.2.1      inside             off  0     30     1     this system
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerabilities described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance providers
or check the software for feature set compatibility and known issues
that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as set forth at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at
http://www.cisco.com.
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their service
providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco Technical
Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
For additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not aware
of any public announcements or malicious use of the vulnerabilities
that are described in this advisory.
All the vulnerabilities described in this security advisory were found
during internal testing or discovered during the resolution of
customer support cases.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa
Additionally, a text version of this advisory is clear signed with the
Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2012-March-14 | Initial Public Release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available on
Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding
Cisco Security Advisories. All Cisco Security Advisories are available
at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iF4EAREIAAYFAk9gqDoACgkQQXnnBKKRMNARMQD/WQOf+nO2va97P54EDmGQpuXf
0Rm/exibVufqYdrI0/QA/jac0kP0z5zoPO2A9wZNoRjw7rY542auiuxbovqiYKGm
=HXUs
-----END PGP SIGNATURE-----
| VAR-201203-0066 | CVE-2012-0355 |
Multiple Cisco products denial of service (device reload) vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-201203-0014 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ASA Services Module (ASASM) in Cisco Catalyst 6500 series devices, with software 8.4 before 8.4(2.11) and 8.5 before 8.5(1.4) allow remote attackers to cause a denial of service (device reload) via (1) IPv4 or (2) IPv6 packets that trigger syslog message 305006, aka Bug ID CSCts39634. Cisco ASA is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCts39634.
----------------------------------------------------------------------
TITLE:
Cisco Adaptive Security Appliances Multiple Denial of Service
Vulnerabilities
SECUNIA ADVISORY ID:
SA48423
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48423/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48423
RELEASE DATE:
2012-03-15
DISCUSS ADVISORY:
http://secunia.com/advisories/48423/#comments
DESCRIPTION:
Multiple vulnerabilities have been reported in Cisco Adaptive
Security Appliances (ASA), which can be exploited by malicious people
to cause a DoS (Denial of Service).
1) An error exists in the UDP inspection engine due to improper flow
handling and can be exploited to reload a device by sending a
specially crafted sequence of UDP packets that transit the
appliance.
SOLUTION:
Update to a fixed version (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa
----------------------------------------------------------------------
Cisco has released free software updates that address these
vulnerabilities. Workarounds are available to mitigate some of the
vulnerabilities. Affected versions of Cisco ASA Software will vary
depending on the specific vulnerability. Consult the "Software
Versions and Fixes" section of this security advisory for more
information about the affected version.
Cisco PIX Security Appliances may be affected by some of the
vulnerabilities described in this security advisory. Cisco PIX has
reached end of maintenance support.
Vulnerable Products
+------------------
For specific version information, refer to the "Software Versions and
Fixes" section of this advisory.
All UDP protocols that are being inspected by the Cisco ASA UDP
inspection engine may be vulnerable. The following protocols are known
to use the Cisco ASA UDP inspection engine:
* Domain Name System (DNS)
* Session Initiation Protocol (SIP)
* Simple Network Management Protocol (SNMP)
* GPRS Tunneling Protocol (GTP)
* H.323, H.225 RAS
* Media Gateway Control Protocol (MGCP)
* SunRPC
* Trivial File Transfer Protocol (TFTP)
* X Display Manager Control Protocol (XDMCP)
* IBM NetBios
* Instant Messaging (depending on the particular IM client/solution
being used)
Note: UDP inspection engines may be enabled by default on Cisco ASA
Software. Please consult your user guide for more information.
The default inspected ports are listed at the following link:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_overview.html
Note: The Cisco ASA UDP inspection can be applied to non-default UDP
ports via class-map and policy-map commands. Any use of the Cisco ASA
UDP inspection engines may be vulnerable; configurations that apply
UDP inspection to non-default ports are therefore also considered
vulnerable.
To determine whether any of the above inspections are enabled, issue
the show service-policy | include <inspection engine name> command and
confirm that the command returns output. The following example shows a
Cisco ASA configured to inspect IBM NetBIOS traffic:
ciscoasa# show service-policy | include netbios
Inspect: netbios, packet 0, drop 0, reset-drop 0
Cisco ASA Threat Detection Denial of Service Vulnerability
+---------------------------------------------------------
The Cisco ASA Threat Detection feature, when configured with the
Scanning Threat Mode feature and with shun option enabled, contains a
vulnerability that could allow a remote unauthenticated attacker to
trigger a reload of the Cisco ASA. This feature is not enabled by
default.
To determine whether the Cisco ASA Threat Detection with Scanning
Threat feature and shun option is enabled, issue the show
running-config threat-detection scanning-threat command and confirm
that the returned output includes the shun option.
Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
+--------------------------------------------------------------
Syslog message ID 305006 is generated when the Cisco ASA is unable to
create a network address translation for a new connection. Additional
information regarding this syslog message can be found in the Cisco
ASA System Log Messages guide at:
http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html
Logging is not enabled by default on Cisco ASA; however, once logging
is enabled, Cisco ASA automatically enables syslog message 305006.
Cisco ASA Software may be affected by this vulnerability if the
following conditions are satisfied:
* System logging is enabled and syslogs are configured to be sent
to any syslog destination (including Buffer or ASDM for example)
* Cisco ASA Software is configured in any way to generate syslog
message 305006
Syslog message 305006 has a default severity level of 3 (errors).
Cisco ASA Software configured for logging at Level 3 or a more verbose
level (that is, Levels 3 through 7) may be vulnerable. To verify
whether logging is enabled, issue the show logging command. The
following example shows a
Cisco ASA with logging enabled and buffer logging enabled at Level 6
(informational):
ciscoasa# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level informational, 2 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
Using a custom message list (created via the logging list command)
that includes syslog message 305006, either by severity or by
explicitly including the message ID, is also a vulnerable
configuration.
The default severity level of syslog messages can be changed. If the
default severity level of syslog message 305006 is changed and the
device is configured to log to any destination at the new severity
level, the device is vulnerable.
Note: This vulnerability was introduced after the implementation of
the new Cisco ASA Identity Firewall (IDFW) feature.
Protocol-Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------
This feature is not enabled by default.
To verify whether PIM is enabled on an interface, use the show pim
interface command and check that the state shown under the PIM column
is on. The following example shows PIM enabled on the interface
outside but disabled on the interface inside:
ciscoasa# show pim interface
Address      Interface  PIM  Nbr    Hello  DR     DR
                             Count  Intvl  Prior
192.168.1.1  outside    on   0      30     1      this system
192.168.2.1  inside     off  0      30     1      this system
Note: Cisco ASA is vulnerable if at least one interface state is
marked with on under the PIM column of the show pim interface command
output.
Determine the Running Software Version
+-------------------------------------
To determine whether a vulnerable version of Cisco ASA Software is
running on an appliance, administrators can issue the show version
command. Cisco PIX has reached end of maintenance
support. Cisco PIX customers are encouraged to migrate to Cisco ASA.
Details
=======
The following section gives additional detail about each vulnerability.
Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
+--------------------------------------------------------------
Inspection engines are required for services that embed IP addressing
information in the user data packet or that open secondary channels on
dynamically assigned ports. Cisco ASA Software supports a number of
inspection engines for UDP and TCP-based protocols. The
vulnerability is due to improper flow handling by the UDP inspection
engine. An attacker could exploit this vulnerability by sending a
specially crafted sequence of UDP packets through the affected system.
All UDP protocols that are inspected by the inspection engine may be
vulnerable to this vulnerability. The following protocols are known to
use UDP inspection engine:
* Domain Name System (DNS)
* Session Initiation Protocol (SIP)
* Simple Network Management Protocol (SNMP)
* GPRS Tunneling Protocol (GTP)
* H.323, H.225 RAS
* Media Gateway Control Protocol (MGCP)
* SunRPC
* Trivial File Transfer Protocol (TFTP)
* X Display Manager Control Protocol (XDMCP)
* IBM NetBios
* Instant Messaging (depending on the particular IM client/solution
being used)
Inspection engines may be enabled by default on Cisco ASA Software.
Please consult your user guide for more information. The default
inspected ports are listed at the following link:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_overview.html#wp1536127
Note: Only transit traffic can be used to exploit this vulnerability.
This vulnerability affects both routed and transparent firewall mode
in both single and multi-context mode. This vulnerability can be
triggered by IPv4 and IPv6 traffic. Only UDP traffic can trigger this
vulnerability.
Cisco ASA Threat Detection Denial of Service Vulnerability
+---------------------------------------------------------
The Cisco ASA Threat Detection feature consists of different levels of
statistics gathered for various threats, as well as scanning threat
detection, which determines when a host is performing a scan.
Optionally, you can shun any hosts that are determined to be a
scanning threat. The vulnerability is due to improper handling of an
internal event that is triggered when a host is shunned. An attacker
could exploit this vulnerability by sending IP packets through the
affected system in a way that triggers the shun option of the Threat
Detection scanning feature.
Note: Only transit traffic can be used to exploit this vulnerability.
This vulnerability affects both routed and transparent firewall mode
only in single context mode. This vulnerability can be triggered by
IPv4 and IPv6 traffic.
Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
+--------------------------------------------------------------
Syslog messages are assigned different severities (including
debugging, informational, error and critical, for example) and can be
sent to different logging destinations. An attacker could exploit this
vulnerability by sending a sequence of packets that could trigger the
generation of the syslog message.
Syslog message ID 305006 is generated when the Cisco ASA is unable to
create a network address translation for a new connection. Additional
information about this syslog message can be found in the Cisco ASA
System Log Messages guide:
http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html
Note: Only transit traffic can be used to exploit this vulnerability.
This vulnerability affects both routed and transparent firewall mode
in both single and multi-context mode. This vulnerability can be
triggered by IPv4 and IPv6 traffic.
Protocol-Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------
Multicast routing is a bandwidth-conserving technology that reduces
traffic by simultaneously delivering a single stream of information to
multiple recipients.
Protocol-independent multicast (PIM) is a multicast routing protocol
that is IP routing protocol-independent. PIM can leverage whatever
unicast routing protocols are used to populate the unicast routing
table, including EIGRP, OSPF, BGP, or static routes. PIM uses this
unicast routing information to perform the multicast forwarding
function, and is IP protocol-independent. Although PIM is called a
multicast routing protocol, it actually uses the unicast routing table
to perform the reverse path forwarding (RPF) check function instead of
building a completely independent multicast routing table. PIM does
not send or receive multicast routing updates between routers as do
other routing protocols.
A vulnerability exists in the way PIM is implemented that may cause
affected devices to reload during the processing of a PIM message when
multicast routing is enabled. The vulnerability is due to improper
handling of a PIM message. An attacker could exploit this
vulnerability by sending a crafted PIM message to the affected system.
Note: This vulnerability affects Cisco ASA configured only in routed
firewall mode and only in single context mode. This vulnerability can
be triggered only by IPv4 PIM message as PIM over IPv6 is currently
not supported.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority of
a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the environmental
impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtq10441 - UDP Inspection Engines Denial of Service Vulnerability
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtw35765 - Threat Detection Denial of Service Vulnerability
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCts39634 - Syslog Message 305006 Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtr47517 - Protocol-Independent Multicast Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of any of the vulnerabilities described in
this security advisory may allow a remote, unauthenticated attacker to
reload the affected system.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt
Customers should review subsequent advisories to determine exposure
and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
+--------------------------------------------------------------
+--------------------------------------+
| Cisco ASA UDP Inspection Engine      |
| Denial of Service Vulnerability      |
| CSCtq10441                           |
|---------------+----------------------|
| Major Release | First Fixed Release  |
|---------------+----------------------|
| 7.0           | Not Affected         |
| 7.1           | Not Affected         |
| 7.2           | Not Affected         |
| 8.0           | 8.0(5.25)            |
| 8.1           | 8.1(2.50)            |
| 8.2           | 8.2(5.5)             |
| 8.3           | 8.3(2.22)            |
| 8.4           | 8.4(2.1)             |
| 8.5           | 8.5(1.2)             |
| 8.6           | Not Affected         |
+--------------------------------------+
Cisco ASA Threat Detection Denial of Service Vulnerability
+---------------------------------------------------------
+--------------------------------------+
| Cisco ASA Threat Detection           |
| Denial of Service Vulnerability      |
| CSCtw35765                           |
|---------------+----------------------|
| Major Release | First Fixed Release  |
|---------------+----------------------|
| 7.0           | Not Affected         |
| 7.1           | Not Affected         |
| 7.2           | Not Affected         |
| 8.0           | Migrate to 8.2(5.20) |
| 8.1           | Migrate to 8.2(5.20) |
| 8.2           | 8.2(5.20)            |
| 8.3           | 8.3(2.29)            |
| 8.4           | 8.4(3)               |
| 8.5           | 8.5(1.6)             |
| 8.6           | 8.6(1.1)             |
+--------------------------------------+
Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
+--------------------------------------------------------------
+--------------------------------------+
| Cisco ASA Syslog Message 305006      |
| Denial of Service Vulnerability      |
| CSCts39634                           |
|---------------+----------------------|
| Major Release | First Fixed Release  |
|---------------+----------------------|
| 7.0           | Not Affected         |
| 7.1           | Not Affected         |
| 7.2           | Not Affected         |
| 8.0           | Not Affected         |
| 8.1           | Not Affected         |
| 8.2           | Not Affected         |
| 8.3           | Not Affected         |
| 8.4*          | 8.4(2.11)            |
| 8.5           | 8.5(1.4)             |
| 8.6           | Not Affected         |
+--------------------------------------+
*This vulnerability has been introduced after the implementation of a
new Cisco ASA feature called Identity Firewall (IDFW).
Protocol-Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------
+--------------------------------------+
| Protocol-Independent Multicast       |
| Denial of Service Vulnerability      |
| CSCtr47517                           |
|---------------+----------------------|
| Major Release | First Fixed Release  |
|---------------+----------------------|
| 7.0           | Migrate to 7.2(5.7)  |
| 7.1           | Migrate to 7.2(5.7)  |
| 7.2           | 7.2(5.7)             |
| 8.0           | 8.0(5.27)            |
| 8.1           | 8.1(2.53)            |
| 8.2           | 8.2(5.8)             |
| 8.3           | 8.3(2.25)            |
| 8.4           | 8.4(2.5)             |
| 8.5           | 8.5(1.2)             |
| 8.6           | Not Affected         |
+--------------------------------------+
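The four fix tables above map each major release train to a first fixed release, with "Migrate to" entries for trains that receive no fix of their own. The Python script below is added here as a worked example; it is not Cisco tooling and not part of the advisory. It pulls the version string out of show version output (the "Software Version" line format is an assumption), converts it into a comparable tuple so that an interim build such as 8.4(2.11) sorts after the 8.4(2) maintenance release it is built on, and reports a verdict per bug ID. The fix table is copied from the advisory; the show version excerpt is constructed.

```python
"""Compare a running Cisco ASA version with the first-fixed releases in
cisco-sa-20120314-asa. Added example; not Cisco tooling. The fix table is
copied from the advisory's tables; the 'show version' excerpt is constructed."""
import re

# First fixed release per major train, per Cisco bug ID. A train missing from
# a bug's dict is "Not Affected" in the advisory; "Migrate to X" means the
# train gets no fix and X is the release to move to.
FIRST_FIXED = {
    "CSCtq10441 UDP inspection": {
        "8.0": "8.0(5.25)", "8.1": "8.1(2.50)", "8.2": "8.2(5.5)",
        "8.3": "8.3(2.22)", "8.4": "8.4(2.1)", "8.5": "8.5(1.2)"},
    "CSCtw35765 threat detection": {
        "8.0": "Migrate to 8.2(5.20)", "8.1": "Migrate to 8.2(5.20)",
        "8.2": "8.2(5.20)", "8.3": "8.3(2.29)", "8.4": "8.4(3)",
        "8.5": "8.5(1.6)", "8.6": "8.6(1.1)"},
    "CSCts39634 syslog 305006": {"8.4": "8.4(2.11)", "8.5": "8.5(1.4)"},
    "CSCtr47517 PIM": {
        "7.0": "Migrate to 7.2(5.7)", "7.1": "Migrate to 7.2(5.7)",
        "7.2": "7.2(5.7)", "8.0": "8.0(5.27)", "8.1": "8.1(2.53)",
        "8.2": "8.2(5.8)", "8.3": "8.3(2.25)", "8.4": "8.4(2.5)",
        "8.5": "8.5(1.2)"},
}
# Trains the advisory's tables actually cover; anything else is unknown.
ADVISORY_TRAINS = {"7.0", "7.1", "7.2", "8.0", "8.1", "8.2", "8.3",
                   "8.4", "8.5", "8.6"}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)")


def parse_version(text):
    """Turn '8.4(2.11)' or '8.4(2)' into a comparable tuple, e.g. (8, 4, 2, 11).

    An interim build 8.4(2.11) sorts after the maintenance release 8.4(2)
    it is built on, which is how the advisory's tables read."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no ASA version in {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def running_version(show_version):
    """Extract the version from 'show version' output (line format assumed)."""
    m = re.search(r"Software Version\s+(\S+)", show_version)
    if not m:
        raise ValueError("no 'Software Version' line found")
    return parse_version(m.group(1))


def assess(version):
    """Return {bug: verdict} for a parsed version tuple."""
    train = f"{version[0]}.{version[1]}"
    result = {}
    for bug, table in FIRST_FIXED.items():
        entry = table.get(train)
        if train not in ADVISORY_TRAINS:
            result[bug] = "not listed in advisory"
        elif entry is None:
            result[bug] = "not affected"
        elif entry.startswith("Migrate to"):
            result[bug] = f"affected, migrate to {entry.split()[-1]}"
        elif version >= parse_version(entry):
            result[bug] = "fixed"
        else:
            result[bug] = f"affected, upgrade to {entry}"
    return result


def affected_bugs(show_version):
    """Sorted bug IDs whose fix the version in 'show version' lacks."""
    verdicts = assess(running_version(show_version))
    return sorted(bug.split()[0] for bug, v in verdicts.items()
                  if v.startswith("affected"))


# Constructed 'show version' excerpt (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
"""

if __name__ == "__main__":
    for bug, verdict in assess(running_version(SAMPLE_SHOW_VERSION)).items():
        print(f"{bug}: {verdict}")
```

A release train the tables do not mention (a 9.x release, for instance) is reported as "not listed in advisory" rather than "not affected", because the advisory says nothing about it. Note also that a build which carries the 305006 fix, such as 8.4(2.11), is still short of the 8.4(3) needed for the threat-detection bug; checking one bug ID is not the same as checking the advisory.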
Recommended Releases
+-------------------
The following table lists all recommended releases. These recommended
releases contain the fixes for all vulnerabilities in this advisory.
Cisco recommends upgrading to a release that is equal to or later than
these recommended releases. Please note that some of these versions
are interim versions and they can be found by expanding the Interim
tab on the download page.
Workarounds
===========
The following section will detail the workaround if available for each
vulnerability detailed in this security advisory.
Cisco ASA Threat Detection Denial of Service Vulnerability
+---------------------------------------------------------
If the shun option needs to be enabled, there are no workarounds that
mitigate this vulnerability. However, if this option is not required,
you can work around this vulnerability by disabling it.
This can be done by issuing the no threat-detection scanning-threat
shun command. The threat-detection scanning-threat command can be used
afterwards to configure the feature without the shun option.
To verify that the shun option has been correctly removed, issue the
show running-config threat-detection scanning-threat command and
confirm that the returned output does not show the shun option. The
following example shows a Cisco ASA configured with the
threat-detection scanning-threat feature without the shun option
enabled:
ciscoasa# show running-config threat-detection scanning-threat
threat-detection scanning-threat
Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
+--------------------------------------------------------------
A possible workaround is to prevent the Cisco ASA from generating the
particular syslog message. This can be done by issuing the no logging
message 305006 command.
To verify that the message is no longer generated, issue the show
running-config logging command. The following example shows the
output of the command when the logging of message 305006 is disabled:
ciscoasa# show run logging
[...]
no logging message 305006
[...]
Protocol-Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------
If PIM is required to be enabled, then there are no workarounds that
mitigate this vulnerability. However,
if multicast routing is required but PIM is not used, PIM can be
disabled on the Cisco ASA interfaces by issuing the no pim
interface-level command.
The following example shows the interface Ethernet0/0 on a Cisco ASA
device with PIM disabled:
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
no pim
To verify that PIM is disabled on all interfaces, issue the show pim
interface command and make sure that for all interfaces the PIM state
is set to off.
ciscoasa# show pim interface
Address      Interface  PIM  Nbr    Hello  DR     DR
                             Count  Intvl  Prior
192.168.1.1  outside    off  0      30     1      this system
192.168.2.1  inside     off  0      30     1      this system
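The exposure checks in the "Vulnerable Products" section (show service-policy for UDP inspection, show running-config threat-detection scanning-threat for the shun option, show logging for whether message 305006 reaches a destination, show pim interface for PIM state) and the workaround verification above all come down to reading CLI output. The Python script below is added here as a worked example; it is not Cisco tooling and not part of the advisory. It applies those checks to captured output, honouring the no logging message 305006 workaround, a re-assigned severity for 305006, and custom message lists (which show logging alone cannot resolve). The command excerpts it carries are constructed from the advisory's own samples; the severity name table and the keyword spellings that follow Inspect: are assumptions about ASA syntax.

```python
"""Audit Cisco ASA 'show' output for the exposure conditions in
cisco-sa-20120314-asa and for the workaround state. Added example; not
Cisco tooling. The command excerpts are constructed from the advisory's
samples; the severity table and 'Inspect:' keywords are assumptions."""
import re

# Syslog severity names as 'show logging' prints them (assumed mapping).
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6,
            "debugging": 7}

# Engines the advisory lists as using the UDP inspection engine, keyed by
# the keyword assumed to follow 'Inspect:' in 'show service-policy'.
UDP_INSPECTS = {"dns", "sip", "snmp", "gtp", "h323 ras", "mgcp", "sunrpc",
                "tftp", "xdmcp", "netbios", "im"}


def udp_inspections(service_policy):
    """CSCtq10441: UDP inspection engines active in 'show service-policy'."""
    found = set()
    for m in re.finditer(r"Inspect:\s*([^,\n]+)", service_policy):
        tokens = m.group(1).split()          # e.g. ['dns', 'preset_dns_map']
        if not tokens:
            continue
        two_word = " ".join(tokens[:2])      # handles 'h323 ras'
        name = two_word if two_word in UDP_INSPECTS else tokens[0]
        if name in UDP_INSPECTS:
            found.add(name)
    return sorted(found)


def threat_detection_shun(running_config):
    """CSCtw35765: True if scanning-threat detection is configured with shun."""
    return any(re.match(r"threat-detection scanning-threat\b.*\bshun\b", ln.strip())
               for ln in running_config.splitlines())


def syslog_305006_exposed(show_logging, running_config):
    """CSCts39634: can message 305006 reach any logging destination?

    Returns (exposed, reason). A destination that logs by custom message
    list is reported as exposed until the list is checked by hand."""
    if re.search(r"^\s*no logging message 305006\b", running_config, re.M):
        return False, "message 305006 disabled (workaround in place)"
    if not re.search(r"Syslog logging:\s*enabled", show_logging):
        return False, "syslog logging disabled"
    severity = 3                              # default for 305006: errors
    m = re.search(r"^\s*logging message 305006 level (\w+)", running_config, re.M)
    if m:
        lvl = m.group(1)
        severity = int(lvl) if lvl.isdigit() else SEVERITY.get(lvl, severity)
    for m in re.finditer(r"^\s*(\w+) logging:\s*level (\S+?)(?:,|$)", show_logging, re.M):
        dest, level = m.group(1), m.group(2)
        if level not in SEVERITY:
            return True, f"{dest} logging uses message list {level!r}; verify it omits 305006"
        if SEVERITY[level] >= severity:
            return True, f"{dest} logging at level {level} includes severity {severity}"
    return False, f"no destination logs at severity {severity} or more verbose"


def pim_interfaces_on(show_pim):
    """CSCtr47517: interfaces whose PIM column reads 'on' in 'show pim interface'."""
    on = []
    for ln in show_pim.splitlines():
        parts = ln.split()
        # Data rows start with an IPv4 address: Address Interface PIM ...
        if len(parts) >= 3 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", parts[0]):
            if parts[2] == "on":
                on.append(parts[1])
    return on


def audit(service_policy, running_config, show_logging, show_pim):
    """One finding per bug; a non-empty list or True means the condition holds."""
    return {"CSCtq10441": udp_inspections(service_policy),
            "CSCtw35765": threat_detection_shun(running_config),
            "CSCts39634": syslog_305006_exposed(show_logging, running_config),
            "CSCtr47517": pim_interfaces_on(show_pim)}


# Constructed command output (not captured from a real device).
SAMPLE_SERVICE_POLICY = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
"""
SAMPLE_RUNNING_CONFIG = """\
logging enable
logging buffered informational
threat-detection scanning-threat shun
"""
SAMPLE_SHOW_LOGGING = """\
Syslog logging: enabled
Buffer logging: level informational, 2 messages logged
Trap logging: disabled
"""
SAMPLE_SHOW_PIM = """\
Address      Interface  PIM  Nbr    Hello  DR     DR
                             Count  Intvl  Prior
192.168.1.1  outside    on   0      30     1      this system
192.168.2.1  inside     off  0      30     1      this system
"""

if __name__ == "__main__":
    for bug, finding in audit(SAMPLE_SERVICE_POLICY, SAMPLE_RUNNING_CONFIG,
                              SAMPLE_SHOW_LOGGING, SAMPLE_SHOW_PIM).items():
        print(bug, finding)
```

Run against the constructed samples, the script flags all four conditions: dns and netbios inspection, scanning-threat with shun, buffer logging at informational (which includes severity 3), and PIM on the outside interface. Appending no logging message 305006 to the running config, or raising the message's severity above every destination's level, turns the 305006 finding off, which is exactly what the workaround verification above checks by eye.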
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerabilities described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance providers
or check the software for feature set compatibility and known issues
that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as set forth at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at
http://www.cisco.com.
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their service
providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco Technical
Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
For additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not aware
of any public announcements or malicious use of the vulnerabilities
that are described in this advisory.
All the vulnerabilities described in this security advisory were found
during internal testing or discovered during the resolution of
customer support cases.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa
Additionally, a text version of this advisory is clear signed with the
Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2012-March-14 | Initial Public Release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available on
Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding
Cisco Security Advisories. All Cisco Security Advisories are available
at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
| VAR-201208-0458 | CVE-2012-4586 | McAfee Email and Web Security and McAfee Email Gateway Vulnerabilities in which access rights can be bypassed |
CVSS V2: 3.5 CVSS V3: - Severity: LOW |
McAfee Email and Web Security (EWS) 5.x before 5.5 Patch 6 and 5.6 before Patch 3, and McAfee Email Gateway (MEG) 7.0 before Patch 1, accesses files with the privileges of the root user, which allows remote authenticated users to bypass intended permission settings by requesting a file. McAfee Email and Web Security Appliance and Email Gateway are prone to a cross-site scripting vulnerability, multiple information-disclosure vulnerabilities, a directory-traversal vulnerability, a security-bypass vulnerability, and an insecure-encryption vulnerability.
A remote attacker could leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Exploiting the information-disclosure issues allows the attacker to view local files within the context of the Web server process.
Exploiting the security-bypass vulnerability allows attackers to bypass security restrictions and obtain sensitive information or perform unauthorized actions.
Exploiting the directory-traversal issue allows attackers to use directory-traversal strings to retrieve arbitrary files in the context of the affected application.
Exploiting the insecure-encryption issue allows attackers to determine encryption keys, which may lead to further attacks. McAfee Email Gateway (MEG) is a suite of email security solutions from McAfee. The solution offers incoming threat protection, outgoing encryption, data loss prevention, and more. The vulnerability is caused by accessing files with root user privileges. Remote authenticated users can exploit this vulnerability to bypass intended permission settings by requesting files.
----------------------------------------------------------------------
TITLE:
McAfee Email and Web Security Appliance and Email Gateway Multiple
Vulnerabilities
SECUNIA ADVISORY ID:
SA48406
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48406/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48406
RELEASE DATE:
2012-03-14
DESCRIPTION:
A weakness and multiple vulnerabilities have been reported in McAfee
Email and Web Security Appliance and McAfee Email Gateway, which can
be exploited by malicious users to disclose sensitive information and
bypass certain security restrictions and by malicious people to
conduct cross-site scripting and brute force attacks.
1) Certain unspecified input is not properly sanitised before being
returned to the user.
2) An error in the reset password functionality can be exploited to
reset the password of administrative users.
3) An error within the Dashboard discloses active session tokens and
can be exploited to hijack another user's session.
4) The system backup stores passwords with weak encryption and can be
exploited to decrypt the passwords via brute force attacks.
5) Certain unspecified input is not properly verified before being
used to download files. This can be exploited to download arbitrary
files from local resources via directory traversal sequences.
6) An unspecified error can be exploited to disclose the contents of
files.
Note: A weakness due to the server-side session remaining active has
also been reported.
SOLUTION:
Update to a fixed version:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Ben Williams, NGS Secure
ORIGINAL ADVISORY:
https://kc.mcafee.com/corporate/index?page=content&id=SB10020
----------------------------------------------------------------------
| VAR-201208-0457 | CVE-2012-4585 | McAfee Email and Web Security and McAfee Email Gateway Vulnerable to reading arbitrary files |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
McAfee Email and Web Security (EWS) 5.x before 5.5 Patch 6 and 5.6 before Patch 3, and McAfee Email Gateway (MEG) 7.0 before Patch 1, allows remote authenticated users to read arbitrary files via a crafted URL.
A remote attacker could leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Exploiting the information-disclosure issues allows the attacker to view local files within the context of the Web server process.
Exploiting the security-bypass vulnerability allows attackers to bypass security restrictions and obtain sensitive information or perform unauthorized actions.
Exploiting the directory-traversal issue allows attackers to use directory-traversal strings to retrieve arbitrary files in the context of the affected application.
Exploiting the insecure-encryption issue allows attackers to determine encryption keys, which may lead to further attacks. The solution offers incoming threat protection, outgoing encryption, data loss prevention, and more. A remote authenticated user can exploit this vulnerability to read arbitrary files through a specially crafted URL.
| VAR-201208-0455 | CVE-2012-4583 | McAfee Email and Web Security and McAfee Email Gateway Vulnerable to acquiring session tokens |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
McAfee Email and Web Security (EWS) 5.x before 5.5 Patch 6 and 5.6 before Patch 3, and McAfee Email Gateway (MEG) 7.0 before Patch 1, allows remote authenticated users to obtain the session tokens of arbitrary users by navigating within the Dashboard. McAfee Email and Web Security Appliance and Email Gateway are prone to a cross-site scripting vulnerability, multiple information-disclosure vulnerabilities, a directory-traversal vulnerability, a security-bypass vulnerability, and an insecure-encryption vulnerability.
A remote attacker could leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Exploiting the information-disclosure issues allows the attacker to view local files within the context of the Web server process.
Exploiting the security-bypass vulnerability allows attackers to bypass security restrictions and obtain sensitive information or perform unauthorized actions.
Exploiting the directory-traversal issue allows attackers to use directory-traversal strings to retrieve arbitrary files in the context of the affected application.
Exploiting the insecure-encryption issue allows attackers to determine encryption keys, which may lead to further attacks. McAfee Email Gateway (MEG) is a suite of email security solutions from McAfee. The solution offers incoming threat protection, outgoing encryption, data loss prevention, and more.
| VAR-201208-0456 | CVE-2012-4584 | McAfee Email and Web Security and McAfee Email Gateway Vulnerability in which important information is obtained |
CVSS V2: 3.5 CVSS V3: - Severity: LOW |
McAfee Email and Web Security (EWS) 5.x before 5.5 Patch 6 and 5.6 before Patch 3, and McAfee Email Gateway (MEG) 7.0 before Patch 1, does not properly encrypt system-backup data, which makes it easier for remote authenticated users to obtain sensitive information by reading a backup file, as demonstrated by obtaining password hashes. McAfee Email and Web Security Appliance and Email Gateway are prone to a cross-site scripting vulnerability, multiple information-disclosure vulnerabilities, a directory-traversal vulnerability, a security-bypass vulnerability, and an insecure-encryption vulnerability.
A remote attacker could leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Exploiting the information-disclosure issues allows the attacker to view local files within the context of the Web server process.
Exploiting the security-bypass vulnerability allows attackers to bypass security restrictions and obtain sensitive information or perform unauthorized actions.
Exploiting the directory-traversal issue allows attackers to use directory-traversal strings to retrieve arbitrary files in the context of the affected application.
Exploiting the insecure-encryption issue allows attackers to determine encryption keys, which may lead to further attacks. McAfee Email Gateway (MEG) is a suite of email security solutions from McAfee. The solution offers incoming threat protection, outgoing encryption, data loss prevention, and more. The vulnerability stems from incorrect encryption of system backup data.
| VAR-201208-0453 | CVE-2012-4581 | McAfee Email and Web Security and McAfee Email Gateway Vulnerable to session hijacking |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
McAfee Email and Web Security (EWS) 5.x before 5.5 Patch 6 and 5.6 before Patch 3, and McAfee Email Gateway (MEG) 7.0 before Patch 1, does not disable the server-side session token upon the closing of the Management Console/Dashboard, which makes it easier for remote attackers to hijack sessions by capturing a session cookie and then modifying the response to a login attempt, related to a "Logout Failure" issue. McAfee Email and Web Security Appliance and Email Gateway are prone to a cross-site scripting vulnerability, multiple information-disclosure vulnerabilities, a directory-traversal vulnerability, a security-bypass vulnerability, and an insecure-encryption vulnerability.
A remote attacker could leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Exploiting the information-disclosure issues allows the attacker to view local files within the context of the Web server process.
Exploiting the security-bypass vulnerability allows attackers to bypass security restrictions and obtain sensitive information or perform unauthorized actions.
Exploiting the directory-traversal issue allows attackers to use directory-traversal strings to retrieve arbitrary files in the context of the affected application.
Exploiting the insecure-encryption issue allows attackers to determine encryption keys, which may lead to further attacks. McAfee Email Gateway (MEG) is a suite of email security solutions from McAfee. The solution offers incoming threat protection, outgoing encryption, data loss prevention, and more.
| VAR-201208-0452 | CVE-2012-4580 | McAfee Email and Web Security and McAfee Email Gateway Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in McAfee Email and Web Security (EWS) 5.x before 5.5 Patch 6 and 5.6 before Patch 3, and McAfee Email Gateway (MEG) 7.0 before Patch 1, allows remote attackers to inject arbitrary web script or HTML via vectors related to the McAfee Security Appliance Management Console/Dashboard.
A remote attacker could leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Exploiting the information-disclosure issues allows the attacker to view local files within the context of the Web server process.
Exploiting the security-bypass vulnerability allows attackers to bypass security restrictions and obtain sensitive information or perform unauthorized actions.
Exploiting the directory-traversal issue allows attackers to use directory-traversal strings to retrieve arbitrary files in the context of the affected application.
Exploiting the insecure-encryption issue allows attackers to determine encryption keys, which may lead to further attacks.
The affected product offers incoming threat protection, outgoing encryption, data loss prevention, and more.
----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
McAfee Email and Web Security Appliance and Email Gateway Multiple
Vulnerabilities
SECUNIA ADVISORY ID:
SA48406
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48406/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48406
RELEASE DATE:
2012-03-14
DISCUSS ADVISORY:
http://secunia.com/advisories/48406/#comments
DESCRIPTION:
A weakness and multiple vulnerabilities have been reported in McAfee
Email and Web Security Appliance and McAfee Email Gateway, which can
be exploited by malicious users to disclose sensitive information and
bypass certain security restrictions and by malicious people to
conduct cross-site scripting and brute force attacks.
1) Certain unspecified input is not properly sanitised before being
returned to the user.
2) An error in the reset password functionality can be exploited to
reset the password of administrative users.
3) An error within the Dashboard discloses active session tokens and
can be exploited to hijack another user's session.
4) The system backup stores passwords with weak encryption and can be
exploited to decrypt the passwords via brute force attacks.
5) Certain unspecified input is not properly verified before being
used to download files. This can be exploited to download arbitrary
files from local resources via directory traversal sequences.
6) An unspecified error can be exploited to disclose the contents of
files.
Note: A weakness due to the server-side session remaining active has
also been reported.
SOLUTION:
Update to a fixed version:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Ben Williams, NGS Secure
ORIGINAL ADVISORY:
https://kc.mcafee.com/corporate/index?page=content&id=SB10020
| VAR-201204-0135 | CVE-2012-1777 | F5 FirePass of my.activation.php3 In SQL Injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in my.activation.php3 in F5 FirePass 6.0.0 through 6.1.0 and 7.0.0 allows remote attackers to execute arbitrary SQL commands via the state parameter. FirePass is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following versions of FirePass are affected:
6.0
6.0.1
6.0.2
6.0.2.3
6.0.3
6.1
7.0
----------------------------------------------------------------------
TITLE:
FirePass Unspecified SQL Injection Vulnerability
SECUNIA ADVISORY ID:
SA48455
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48455/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48455
RELEASE DATE:
2012-03-21
DISCUSS ADVISORY:
http://secunia.com/advisories/48455/#comments
DESCRIPTION:
A vulnerability has been reported in FirePass, which can be exploited
by malicious people to conduct SQL injection attacks.
Certain unspecified input is not properly sanitised before being used
in SQL queries. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
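The injection path and its fix, as an added example that is not F5's code and is not part of the original advisory. The table, its columns and the shape of the statement behind the state parameter are assumptions made for illustration; what matters is the difference between splicing the parameter into the statement text and binding it as a value:

```python
import sqlite3

# Constructed stand-in for whatever my.activation.php3 queries; the table,
# its columns and the query shape are assumptions for this example.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE activations (token TEXT, state TEXT, username TEXT)")
    conn.executemany(
        "INSERT INTO activations VALUES (?, ?, ?)",
        [("t1", "pending", "alice"), ("t2", "done", "bob"), ("t3", "pending", "carol")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, state: str) -> list:
    """The request parameter is spliced into the statement text, so a quote
    inside it closes the literal and the remainder is parsed as SQL."""
    sql = f"SELECT username FROM activations WHERE state = '{state}' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn: sqlite3.Connection, state: str) -> list:
    """The parameter is bound by the driver and only ever compared as a value,
    whatever characters it contains."""
    sql = "SELECT username FROM activations WHERE state = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (state,))]


# Two classic payloads for a single-quoted literal: a tautology that keeps the
# statement well-formed, and a quote plus comment that discards the rest of it.
PAYLOADS = ["x' OR '1'='1", "' OR 1=1 --"]


def demo() -> dict:
    """Run a legitimate value and both payloads through each version."""
    conn = make_db()
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "pending"),
        "legit_fixed": lookup_fixed(conn, "pending"),
        "payload_vulnerable": {p: sorted(lookup_vulnerable(conn, p)) for p in PAYLOADS},
        "payload_fixed": {p: lookup_fixed(conn, p) for p in PAYLOADS},
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

The vulnerable lookup returns every row for either payload; the bound version returns the two pending users for the legitimate value and nothing for the payloads, because the whole string is compared against the column rather than parsed.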
SOLUTION:
Install HF-377712-1.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13463.html
| VAR-201203-0278 | CVE-2012-0229 | GE Intelligent Platforms Proficy Historian Service disruption in (DoS) Vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The Data Archiver service in GE Intelligent Platforms Proficy Historian 4.5 and earlier allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted session on TCP port 14000 to (1) ihDataArchiver.exe or (2) ihDataArchiver_x64.exe.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of GE iFix. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ihDataArchiver.exe process, which listens by default on TCP port 14000. Several errors are present in the code responsible for parsing data from the network.
GE Proficy Historian is a factory system that collects, archives and distributes very large amounts of real-time data at high speed. Failed exploit attempts will likely result in denial-of-service conditions.
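Because the archiver accepts sessions on TCP port 14000 without authentication, the practical control until the patch is in place is to know exactly which hosts reach that port. The following is an added example, not code from GE or from the advisory, that runs that check over constructed firewall log lines; the log format, the allowed engineering subnet and the addresses are all assumptions for illustration:

```python
import ipaddress
import re

# ihDataArchiver.exe default listener, per the advisory above.
HISTORIAN_PORT = 14000
# Assumption for this example: only hosts on the engineering VLAN are
# legitimate archiver clients; anything else reaching the port is a finding.
ALLOWED_CLIENTS = [ipaddress.ip_network("10.20.5.0/24")]

# Constructed log format for the example (not any vendor's real syntax):
#   <timestamp> <ACCEPT|DROP> TCP <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+TCP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Constructed sample lines.
SAMPLE_LOG = [
    "2012-03-14T10:02:11 ACCEPT TCP 10.20.5.17:51234 -> 10.20.1.50:14000",   # engineering host, expected
    "2012-03-14T10:03:40 ACCEPT TCP 10.20.9.3:40122 -> 10.20.1.50:14000",    # office VLAN, unexpected
    "2012-03-14T10:04:02 ACCEPT TCP 203.0.113.5:33001 -> 10.20.1.50:14000",  # Internet source, unexpected
    "2012-03-14T10:04:03 DROP TCP 203.0.113.5:33002 -> 10.20.1.50:14000",    # blocked, not a finding
    "2012-03-14T10:05:19 ACCEPT TCP 10.20.9.3:40123 -> 10.20.1.50:443",      # other service, ignored
    "garbage line that does not parse",
]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def unexpected_archiver_clients(lines, allowed=ALLOWED_CLIENTS, port=HISTORIAN_PORT):
    """Return (timestamp, src, dst) for every accepted connection to the archiver
    port whose source is not inside an allowed client network."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["dport"] != port:
            continue
        src = ipaddress.ip_address(rec["src"])
        if not any(src in net for net in allowed):
            findings.append((rec["ts"], rec["src"], rec["dst"]))
    return findings


def summarize(lines, **kw):
    """Count findings per source, so a scanner that hits the port repeatedly shows up once."""
    counts = {}
    for _, src, _ in unexpected_archiver_clients(lines, **kw):
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, src, dst in unexpected_archiver_clients(SAMPLE_LOG):
        print(f"{ts} unexpected client {src} -> {dst}:{HISTORIAN_PORT}")
    print(summarize(SAMPLE_LOG))
```

Dropped connections are deliberately not counted: they show the rule set doing its job, while accepted sessions from outside the allowed subnet are the ones that could have reached the parsing code the advisory describes.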
- -- Vendor Response:
GE has issued an update to correct this vulnerability. More details can be
found at:
http://support.ge-ip.com/support/index?page=kbchannel&id=S:KB14767
- -- Disclosure Timeline:
2011-10-17 - Vulnerability reported to vendor
2012-08-03 - Coordinated public release of advisory
- -- Credit:
This vulnerability was discovered by:
* Luigi Auriemma
- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 1950)
Charset: utf-8
wsBVAwUBUBwr11VtgMGTo1scAQLJgQf/ch8WS423yg6HqmDf02bbhylP979o5mVq
k6XN4d0u0bl6oa74wadnd0ch1iZE70b9icervXe2IEdaZEQenQ9nOYBGdXg+/Sr7
V5qOvm+gOUT3kta9ogW8RLO5gZnMjA0MnY68laphjuTFqVaz0w24D+NjrxflR0IL
WT0s2ct0S6L5MvVYQWYse/dLqr3KGuY1YaTkDfALwjXXDRv9UYf+4QMgDD2Jw0+f
qRqlTUhe8iEdju/mstYLNsZ6g4plUFvs9piBmZG82K5NsxZjyX8GHuWv48siQbUP
hlreFBPJ89cvqVX9ap+5AlioJkWPg8bGuK80jpStIJFYjy6aY4u13Q==
=L3hq
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
TITLE:
Proficy Historian Data Archiver Service Memory Corruption
Vulnerability
SECUNIA ADVISORY ID:
SA48369
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48369/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48369
RELEASE DATE:
2012-03-14
DISCUSS ADVISORY:
http://secunia.com/advisories/48369/#comments
DESCRIPTION:
A vulnerability has been reported in Proficy Historian, which can be
exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused by an error in the Data Archiver service
(ihDataArchiver.exe, ihDataArchiver_x64.exe) when parsing data received
from the network. This can be exploited to corrupt memory via a
specially crafted packet sent to TCP port 14000.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in the following products:
* Proficy Historian versions 4.5 and prior.
* Proficy HMI/SCADA - CIMPLICITY version 8.2.
* Proficy HMI/SCADA - iFIX versions 5.0, 5.1, and 5.5.
SOLUTION:
Apply patches (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Luigi Auriemma via ZDI.
ORIGINAL ADVISORY:
GE:
http://support.ge-ip.com/support/resources/sites/GE_FANUC_SUPPORT/content/live/KB/14000/KB14767/en_US/GEIP12-01%20Security%20Advisory%20-%20Proficy%20Historian%20ihDataArchiver.pdf
| VAR-201203-0281 | CVE-2012-0232 | GE Proficy Real-Time Information Portal 'rifsrvd.exe' Directory Traversal Vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in rifsrvd.exe in the Remote Interface Service in GE Intelligent Platforms Proficy Real-Time Information Portal 2.6, 3.0, 3.0 SP1, and 3.5 allows remote attackers to modify the configuration via crafted strings.
Authentication is not required to exploit this vulnerability. The specific flaw exists within the Remote Interface Service (rifsrvd.exe), which listens on TCP port 5159 by default. The process does not sufficiently validate two input strings that are used to create a configuration file on the server. Remote, unauthenticated attackers can exploit this vulnerability by sending malformed ID_SAVE_SRVC_CFG message packets to the target, which could ultimately lead to remote code execution under the context of the SYSTEM user.
GE Proficy Real-Time Information Portal is a web-based production data visualization and analysis tool. The service lacks sufficient input verification, which allows an attacker to create a new file, overwrite an existing file, or inject text into a file.
Exploiting the issue may allow an attacker to overwrite arbitrary files on the affected system. This could aid in further attacks.
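The file-download flaw in the McAfee advisory earlier on this page (item 5) and the rifsrvd.exe configuration-file write described here are the same defect seen from the read side and the write side: a caller-supplied name is joined to a server path without checking where the result lands. The following is an added example, not code from McAfee, GE or either advisory, showing one confinement check applied to both operations. The directory layout, file names and the shapes of the download and save calls are assumptions for illustration:

```python
import os
import tempfile
from urllib.parse import unquote


class UnsafePath(ValueError):
    """Raised when a caller-supplied name would leave the directory it is confined to."""


def resolve_under(base_dir: str, user_supplied: str) -> str:
    """Map a caller-supplied relative name to an absolute path that is guaranteed
    to sit inside base_dir, or raise UnsafePath."""
    if "\x00" in user_supplied:
        raise UnsafePath("NUL byte in name")
    # Undo URL-encoding until it stops changing, so %252e%252e/ and %2e%2e/ both become ../
    decoded = user_supplied
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    decoded = decoded.replace("\\", "/")          # treat backslashes as separators too
    if decoded.startswith("/"):
        raise UnsafePath("absolute path not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath rather than startswith: "/srv/data" must not accept "/srv/data2/x"
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath(f"{user_supplied!r} resolves outside {base_dir}")
    return candidate


def is_confined(base_dir: str, user_supplied: str) -> bool:
    """True if the name stays inside base_dir, False if the check rejects it."""
    try:
        resolve_under(base_dir, user_supplied)
        return True
    except UnsafePath:
        return False


def serve_download(base_dir: str, requested: str) -> bytes:
    """Read side: the file-download pattern from the McAfee advisory (assumed call shape)."""
    with open(resolve_under(base_dir, requested), "rb") as fh:
        return fh.read()


def save_service_config(base_dir: str, name: str, body: str) -> str:
    """Write side: the configuration-file creation pattern of rifsrvd.exe (assumed call shape)."""
    path = resolve_under(base_dir, name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)
    return path


def demo() -> dict:
    """Exercise both sides in a throwaway directory and report what each attempt did."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    results = {}
    results["config_path"] = save_service_config(base, "services/rif.cfg", "port=5159\n")
    results["download"] = serve_download(base, "services/rif.cfg")
    try:
        save_service_config(base, "../outside-marker.txt", "x")
        results["write_escape"] = "written"
    except UnsafePath:
        results["write_escape"] = "blocked"
    # Constructed attacker inputs: plain, URL-encoded, double-encoded, absolute, backslash,
    # and one benign name that contains ".." but still resolves inside the base.
    for name in ["../outside-marker.txt", "..%2f..%2fetc%2fpasswd", "%252e%252e/x",
                 "/etc/passwd", "..\\..\\win.ini", "ok/../services/rif.cfg"]:
        results[name] = is_confined(base, name)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value!r}")
```

The check is done on the fully resolved path rather than by searching the input for "..": normalisation, symlinks and encoding tricks are all collapsed before the comparison, and the same function serves both a download handler and a config writer.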
- -- Vendor Response:
GE has issued an update to correct this vulnerability. More details can be
found at:
http://support.ge-ip.com/support/index?page=kbchannel&id=S:KB14768
- -- Disclosure Timeline:
2011-10-17 - Vulnerability reported to vendor
2012-08-22 - Coordinated public release of advisory
- -- Credit:
This vulnerability was discovered by:
* Luigi Auriemma
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 1950)
Charset: utf-8
wsBVAwUBUDT+zlVtgMGTo1scAQKDJAf/eocBDbik7+EJStiu8UIZ5cFL0Rh4dpl9
i+rz9uc/CcYUUfTthpX02GRclDb7PsuKrgxA1mj8a/1D21hfNPUMAVkKvgFDM02e
oPBBv9Rn2i7w3KPpJ0NFsJHXP/yqeuP/D1ead+JoAPycFSToFmcm3ZZ8SXKHLLLH
SWmqcf+SGRrvzjLrqZZceGpKJJhS7SSwLyhdT3XUKYeiQBcCsx2XgrhgMBR+uSDm
9KvvqU1tAPXUF6f2h+pIshwD5T/r6YkYFgBl7IkaqKV+e0QlurIa2lUOEajLTPVp
jTksxLAx75ohmSpuII+MQXzqxgoc7FMCvF0Seh7NjtTamJiUL0v59Q==
=2JFM
-----END PGP SIGNATURE-----